Handling Timing Constraints in Rapid Prototyping by Luqi
Calhoun: The NPS Institutional Archive
DSpace Repository
Reports and Technical Reports All Technical Reports Collection
1988
Handling Timing Constraints in Rapid Prototyping
Luqi
Naval Postgraduate School
Luqi, "Handling Timing Constraints in Rapid Prototyping'', Technical Report NPS
52-88-036, Computer Science Department, Naval Postgraduate School, 1988.
http://hdl.handle.net/10945/65288
This publication is a work of the U.S. Government as defined in Title 17, United
States Code, Section 101. Copyright protection is not available for this work in the
United States.





HANDLING TIMING CONSTRAINTS IN RAPID PROTOTYPING 
Luqi 
September 1988 
Approved for public release; distribution is unlimited. 
Prepared for: 
Navel Postgraduate School 
Monterey~ CA 93943 
NAVAL POSTGRADUATE SCHOOL 
Monterey, California 




The work reported herein was supported in part by the National Science Foundation 
and the Naval Postgraduate School Research Foundation. 
Reproduction of all or part of this report is authorized. 
This report was prepared by: 
Reviewed by: 
WC1.0L 
ROBERT B. MCGHEE 
Chairman 
Department of Computer Science 
LUQIH 
Assistant Professor 
of Computer Science 
Released by: 
KNEALE T. ~:::::ttt-i-H-Aitd,-1--, 
Dean of Information 
and Policy Science 
... .. 
UNCLASSIFIED 
SECURITY CLASSIFICATION OF THIS PAGE 
REPORT DOCUMENTATION PAGE 
1a. REPORT SECURITY CLASSIFICATION 1 b RESTRICTIVE MARKINGS 
UNCLASSIFIED 
2a. SECURITY CLASSIFICATION AUTHORITY 3. DISTRl~UTION / AVAILABILITY OF REPORT 
Approved for public release; . 2b. DECLASSIFICATION/ DOWNGRADING SCHEDULE distribution is unlimited. 
4. PERFORMING ORGANIZATION REPORT NUMBER(S) 5. MONITORING ORGANIZATION REPORT NUMBER($) 
. 
NPS52-88-36 
6a. NAME OF PERFORMING ORGANIZATION 6b. OFFICE SYMBOL 7a. NAME OF MONITORING ORGANIZATION 
(If applicable) 
Naval Postgraduate School 52 National Science Foundation 
6c. ADDRESS (City, State, and ZIP Code) 7b. ADDRESS (City, State, and ZIP Code) 
Monterey, CA. 93941 Washington, DC 20550 
Sa. NAME OF FUNDING/ SPONSORING 8b . OFFICE SYMBOL 9. PROCUREMENT INSTRUMENT IDENTIFICATION NUMBER 
ORGANIZATION (If applicable) 
Naval Postgraduate School O&MN, Direct funding 
Sc. ADDRESS (City, State, and ZIP Code) 10. SOURCE OF FUNDING NUMBERS 
PROGRAM PROJECT TASK WORK UNIT 
ELEMENT NO. NO. NO. ACCESSION NO. 
Monterey, CA. 93943 
11 . TITLE (Include Security Classification) 
HANDLING TIMING CONSTRAINTS IN RAPID PROTOTYPING (U) 
12. PERSONAL AUTHOR(S) 
LUQI 
13a. TYPE OF REPORT 113b. TIME COVERED 114. DATE ·oF REPORT (Year, Month, Day) ,, s . PAGE COUNT 
Progress FROM 87 / 10 TO 88/09 1988, Sept 30 
16. SUPPLEMENTARY NOTATION 
17. COSA Tl CODES 18. SUBJECT TERMS (Continue on reverse if necessary and identify by block number) 
FIELD GROUP SUB-GROUP specification, rapid prototyping, computer aided software 
engineering, real-time embedded system, ada, software 
design 
19. ABSTRACT (Continue on reverse if necessary and identify by block number) 
This paper presents the concepts and mechanisms for handling the real-time constraints 
of embedded systems in rapid prototyping. Rapid prototyping of embedded systems can 
be accomplished using a Computer Aided Prototyping System (CAPS) and its associated 
Prototyping Language (PSDL). This system and language are used to aid the designer in 
the early stages of software engineering for hard real-time systems. Time critical 
operations have maximum execution times, maximum response times, and minimum calling 
periods. Interrupt handling, synchronization, and periodic behavior are also described 
at a high level. Time critical operations in a real-time prototype are handled by con-
structing static and dynamic schedules to coordinate execution and to meet the required 
prototype execution times. The mechanisms for expressing timing constraints in PSDL 
are described along with their effects on the schedulers. 
20. DISTRIBUTION/ AVAILABILITY OF ABSTRACT 21 . ABSTRACT SECURITY CLASSIFICATION 
(ii UNCLASSIFIED/UNLIMITED Gil SAME AS RPT. 0 DTIC USERS UNCLASSIFIED 
22a. NAME OF RESPONSIBLE INDIVIDUAL 22b. TELEPHONE (Include Area Code) 122c. OFFICE SYMBOL 
Luai (408)646-2735 52Lq 
DD FORM 1473, 84 MAR 83 APR edition may be used until exhausted. SECURITY CLASSIFICATION OF THIS PAGE 
All other editions are obsolete 
~ U.S. Government Printing Office: 19811-606•243 
UNCLASSIFIED 

Handling Timing Constraints in Rapid Prototyping 
Luqi 
Computer Science Department 
Naval Postgraduate School 
Monterey, CA 93943 
ABSTRACT 
This paper presents the concepts and mechanisms for handling the real-time constraints of 
embedded systems in rapid prototyping. Rapid prototyping of embedded systems can be accomplished 
using a Computer Aided Prototyping System (CAPS) and its associated Prototyping Language 
(PSDL). 'This system and language are used to aid the designer in the early stages of software 
engineering for hard real-time systems. Time critical operations have maximum execution times, max-
imum response times, and minimum calling periods. Interrupt handling, synchronization, and periodic 
behavior are also described at a high level. Time critical operations in a real-time prototype are han-
dled by constructing static and dynamic schedules to coordinate execution and to meet the required 
prototype execution times. The mechanisms for expressing timing constraints in PSDL are described 
along with their effects on the schedulers. 
1. Introduction 
Rapid prototyping can be used to reduce the risks of producing systems that do not meet user needs 
[ 1 O]. Traditional approaches to software development produce working code only near the end of the pro-
cess. The goal of rapid prototyping is to develop an executable model of the intended system early in the 
development process. A prototype is an pilot version of a proposed system used as an aid to analysis and 
design. The code of a prototype usually cannot be used in the final implementation because it is not a com-
plete representation of the intended system. When utilized during the early stages of the development life 
cycle, rapid prototyping allows validation of the requirements, specification, and initial design, before valu-
able time and effort are expended on implementation software. 
With the demand for hard real-time and embedded systems increasing and their particularly strict 
requirements on accuracy, safety and reliability, it is becoming critical that new approaches be proposed 
for the development of such systems since it can be very difficult to determine the timing constraints accu-
rately or to understand their implications, even though they are the most important aspects of hard real-time 
systems [4, 13). Typically, these large embedded systems have requirements in terms of timing comtraints 
for critical real-time control and high reliability. The feasibility of these systems relies on the correctness 
1 
and accuracy in handing and implementing timing constraints given in the requirements. These require-
ments are difficult to meet without extensive prototyping. 
Software engineers and end-users would benefit from an automated prototyping methodology which 
allows validation of design specifications and functional requirements early in the development life cycle 
(13]. A fast, efficient, easy-to-use set of software tools would increase designer productivity and also allow 
the user to gain more confidence that the final software product is feasible. The computer aided prototyping 
system is a set of software tools which provides these capabilities (11]. It implements the rapid prototyping 
concept utilizing a high level prototyping language called PSDL (12]. This language is designed for proto-
typing hard real-time and large software systems and is based on the conceptual modeling of such systems. 
This paper uses PSDL as a vehicle to analyze the characteristics of hard real-time systems and 
further describes the feasible paths to handling these hard real-time constraints by means of execution of 
real-time software prototypes. The approach described here makes practical validation of the timing con-
straints in the requirements of hard real-time systems via rapid prototyping possible. 
Rapid prototyping initially establishes an iterative process between the user and the designer to con-
currently define specifications and requirements for the time critical aspects of the envisioned system. The 
designer then constructs a model or prototype of the system in PSDL. The prototype is a partial representa-
tion of the system, including only those critical attributes necessary for meeting user requirements, and is 
used as an aid in analysis and design rather than as production software. During demonstrations of the pro-
totype, the user validates the prototype's actual perfonnance against its expected perfonnance. If the proto-
type fails to execute properly or to meet any critical timing constraints, the user identifies required 
modifications and redefines the critical specifications and requirements (Fig. 1). This process continues 
until the user and the designer both agree that the prototype successfully meets the time critical aspects of 
the feedback from the user to the designer. This iterative communication process should result in a model 
that ultimately meets the intended requirements of the user. Following this final validation, the designer 
uses the prototype as a basis for the design and eventual hand coding of the production software. 
A good modeling sttategy is important for making the rapid prototyping approach work for real-time 
systems. Systems can be designed and analyzed quickly only if they can be readily understood by the 
















Fig. 1 Process of Requirements Determination and Validation 
Timing constraints complicate the design of real-time systems because utilization of computing resources 
introduces interactions between otherwise unrelated parts of the system. A good modeling strategy should 
help to counteract this effect. This can be done in the following ways: 
( 1) by decoupling the behavioral aspects of a system from its timing properties to allow independent 
analysis of these two aspects, and 
(2) by organizing timing constraints in a hierarchical fashion, to allow independent consideration of 
smaller subsets of timing constraints. 
An effective modeling strategy should therefore support a set of abstractions useful for simplifying the tim-
ing aspects of systems with hard real-time constraints. 
People are best at analyzing situations with a limited number of components and constraints, and 
tend to have difficulty in understanding non-local interactions in complex systems. Since shared comput-
ing resources introduce unavoidable global constraints on the set of time-critical computations in a real-
time system, mechanical analysis of those constraints is desirable. This consideration motivates the need 
for a modeling strategy which allows the global timing constraints to be separated from the behavioral 
3 
aspects of the system, and represented in a way that is amenable to mechanical processing. 
The modeling strategy used in the rapid prototyping of real-time systems should be integrated with a 
language supporting the modeling strategy and a systematic prototyping method for applying the strategy. 
A formal notation is essential for achieving a significant level of computer-aided design [3]. lbe prototyp-
ing language PSDL [12] supports a modeling strategy based on dataflow graphs augmented with non-
procedural timing and control constraints. The language was designed together with the associated proto-
typing method [13] and the set of software tools in CAPS for supporting the method [11]. 
Section 2 discusses several approaches to modeling real-time systems. The real-time aspects of 
PSDL are described in section 3, and the associated software tools are described in section 4. Section 5 
presents some conclusions. 
2. Models for Real-Time Systems 
The treatment of real-time constraints in this paper results from a fundamental analysis of hard real-
time systems. Understanding the modeling strategies for such systems is essential for effectively handling 
timing constraints in the prototyping process. Methods for modeling real-time systems are essential for 
requirements analysis, specification, and design of systems with hard real-time constraints. A coherent 
framework for classifying real-time constraints can be used to organize complex sets of timing require-
ments and to guide the process of discovering the timing requirements associated with an embedded 
software system. 
The framework presented in [4] classifies timing requirements as maximum or minimum constraints 
on the lengths of time intervals between pairs of events, where the endpoints of the intervals are classified 
as one of the following types: (1) stimulus-stimulus, (2) stimulus-response, (3) response-stimulus, and (4) 
response-response. A third kind of timing constraint identified in [4] is the durational constraint, which 
states that an event must occur for a time interval of the specified length. 1bis framework treats events as 
signals rather than as instants of time, and tries to tteat both digital and analog systems in the same tenns. 
In particular, events are not required to be instantaneous, although events without durational constraints are 
instantaneous by default. This feature introduces an ambiguity in the definitions of the four kinds of time 
intervals, because it is not specified whether the intervals are delimited by the beginning or the ends of the 
4 
events Conning the endpoints of the intervals. It also introduces an artificial distinction between durations 
of signals and other kinds of time intervals. 
Another weakness of this framework: is the implicit assumption that every timing constraint involves 
just a single pair of events. This implicit assumption is undesirable because it does not allow simple 
descriptions of periodic processes, which are an important aspect of real-time systems. 
A different framework for describing real-time constraints is provided by RlL (Real Time Logic) 
[7]. RTL makes a distinction between actions and events. Actions require a bounded non-zero amount of 
system resources, such as CPU time. Events are instantaneous, requiring no system resources and serving 
only as temporal markers. Four kinds of events are distinguished in RTL for hard real-time systems: 
( l) External events, such as an operator pushing a button. 
(2) Start events marking the initiation of an action. 
(3) Stop events marking the completion of an action. 
(4) State variable transition events maiking a change in some attribute of the system. 
The durational events of [4] can be expressed in RTL in tenns of the duration of an interval delimited 
by two state variable transition events, marking the appearance and disappearance of the signal. RTL also 
provides a way to index all of the occurrences of each type of event in the order in which they occur, via 
the occurrence function "@". This facility is important because it allows the description of periodic 
processes. RTI.., is a powerful notation which can be used to mechanically check whether a given safety 
assertion follows from RTL system specifications via a decision procedure for Presburger arithmetic [7]. 
The primitives of RTL are very simple and provide the ability to describe timing constraints in detail. RTL 
is a good choice for defining the semantics of notations at higher levels of abstraction, because a scheme 
for ttanslating a notation into RTL allows the application of the RTL decision procedure to the other nota-
tions. 
Spec, a powerful specification language for large and real-time systems based on quantifiers and 
predicate logic, uses another framework: for timing constraints called the event model of computation [1]. 
In the event model, computations are described in tenns of modules, messages, and events. A module is a 
black box that interacts with other modules only by sending and receiving messages. A message is a data 
packet that is sent from one module to another. An event occurs when a message is received by a module 
at a particular instant of time. The events at a module occur one at a time in a well defined order, while 
events at different modules need not be ordered 
Modules can be used to model external systems such as users and peripheral hardware devices, as 
well as software components. Modules are active black boxes, which have no visible internal structure. 
The behavior of a module is specified by describing its interface. The interface of a module consists of the 
set of stimuli it recognizes and the associated responses. A stimulus is an event, and the response is the set 
of events directly triggered by the stimulus. 1be events in the response consist of the arrivals of the mes-
sages sent out by the module because of the stimulus. 
As in R1L, events in the Spec event model are instantaneous and serve to define points in time. 
Every event is associated with the instant of time when an incoming message crosses the boundary of a 
module. An event marks the time when a module accepts a message and starts the computation of the 
module's response. The Spec event model does not distinguish a completion event for an action, since the 
events in which the messages sent out in response to an event arrive at their destinations serve this purpose. 
The event model treats the environment of a system as a set of modules, so that there is no fonnal distinc-
tion between internal and external events, as is the case in R1L. In the Spec event model all state changes 
are instantaneous and localized to some module. The time of the state change is taken to be the same as the 
time of the event at which the message b'iggering the state change arrived at the module containing the 
state. An implementation may take a non-zero time interval to realize a state change, but all state changes 
triggered by an event at a module must be complete before the module can accept another message. Since 
all interactions between two modules occur via the ttansmission of messages, the exact instant at which a 
state change takes place cannot affect the observable behavior of the system until the module accepts its 
next message. Since the delays between events and the completion of the state changes they trigger are not 
externally observable, they are abstracted out in the Spec model. Spec events thus unify the four types of 
events distinguished in RTI... 
Spec allows the use of arbittary predicates in first order logic to express constraints on the delay and 
period associated with each type of event The delay is the interval between an event representing a 
stimulus to a module and another event representing a response of the module to that stimulus. Constraints 
6 
... 
on the delay correspond to the stimulus-response and response-stimulus constraints of [4]. The period is 
the interval between two consecutive events of the same type at the same module. Constraints on the 
period correspond to the stimulus-stimulus and response-response constraints of [4]. 
The Spec language supports the definition of temporal events as well as events triggered by external 
stimuli. Each module can send messages to itself at absolute times determined by its local clock. The 
arrival of such a message is called a temporal event. Temporal events allow modules to initiate actions in 
addition to just responding to external stimuli. 
The time at which a temporal event occurs can be constrained by an arbitrary predicate in first order 
logic. Such predicates can easily describe periodic processes, the most common kind of temporal events, 
as well as other kinds of temporal events. Like RTL, Spec provides primitives for defining timing con-
straints at a detailed level. Spec also has facilities allowing users to define high level timing constraints, 
but high level abstractions for timing are not built into the language or pre-defined. 
The modeling method used in PSDL, which is the basis for the approach to handling timing con-
straints presented in this paper, is described in the next section. 
3. Timing Constraints in Rapid Prototyping 
PSDL is a language designed for clarifying the requirements of complex real-time systems, and for 
determining properties of proposed designs for such systems by means of prototype execution. 1be 
language was designed to simplify the description of such systems [12] and to support a prototyping 
method that relies on a novel decomposition criterion [13]. PSDL is also the basis for a computer-aided 
prototyping system [11] that speeds up the prototyping process by exploiting reusable software components 
[10] and providing execution support [9, 15, 18] for high level constructs appropriate for describing large 
real-time systems in terms of an appropriate set of abstractions [2] . 
An important goal of PSDL is to simplify the design of systems with hard real-time constraints. The 
need for meeting real-time deadlines often results in designs where code for conceptually unrelated tasks 
must be interleaved, complicating the design of such systems, and making their implementations hard to 
understand [6]. PSDL handles this problem by presenting a high-level description in tenns of networks of 
independent operators, and allowing the interleaving of the code to be handled by an automatic translator 
7 
that generates lower level code. High-level synchronization is handled by using dataflow streams to coor-
dinate the arrival of corresponding data values from different sources. Static scheduling of time-critical 
operators [8] eliminates the need for other kinds of explicit synchronization by the system designer. Low-
level synchronization primitives are needed in the implementation of PSDL only for ensuring that the read 
and write operations on data streams are performed as atomic opercitions. Since those primitives are 
needed in just one small and simple part of the code in the PSDL execution support system, PSDL can be 
effectively supported by any of the common mutual exclusion mechanisms provided by operating systems. 
The PSDL language is based on a computation model which treats software systems as networks of 
operators communicating via data streams. The computational model is an augmented directed graph 
G = (V, E, T(v), C(v)) 
where Vis the set of vertices, Eis the set of edges, T(v) is the set of timing constraints for each vertex v, 
and C(v) is the set of control constraints for each vertex v. Each vertex is an operator and each edge is a 
data path. Each of the four components of the graph are described in more detail below. The semantics 
of a PSDL system description is determined by the associated augmented graph and the semantics of the 
operators appearing in the diagram. 
All PSDL operators are state machines. Some PSDL operators are functions, i.e. machines with only 
one state. When an operator fires, it reads one data value from each of its input streams, undergoes a state 
transition, and writes at most one data value into each of its output streams. The output values can depend 
only on the current set of input values and the current state of the operator. State ttansitions and 
input/output operations on data streams can occur only when the associated operator fires. The firing of an 
operator is controlled by the associated timing and control constraints. Operators can be triggered by the 
arrival of a set of input data values or by a periodic temporal event. 
PSDL operators communicate by means of named data streams. All PSDL data streams can cany 
both nonnal data values and tokens representing exceptions. All of the nonnal data values carried by a 
stream must be instances of a specified abstract data type associated with the stream. 
There are two different kinds of data streams in PSDL, dataftow streams and sampled streams. 
Dataflow streams are used in applications where the values in the stream must not be lost or replicated and 
8 
the firing rates of the producers and consumer are the same, while sampled streams are used in applications 
where a value must be available at all times and values can be replicated without affecting their meaning. 
Any PSDL operator can have timing constraints associated with it. An operator is time-critical if it 
has at least one timing constraint associated with it, and is non time-critical otherwise. The timing con-
straints together with the control constraints determine when the operator can be fired, and when it must be 
fired. All PSDL timing constraints can be represented by constants denoting lengths of time intervals. 
There are several different kinds of timing constraints, which can be classified into those that apply to all 
time-critical operators, those that apply only to operators triggered by periodic temporal events, and those 
that apply only to operators triggered by the arrival of new data. Temporal events occur at specified sets of 
absolute times. 
Every time-critical operator must have a maximum execution time (MET) to allow the construction 
of a static schedule. The 1-dET of an operator is an upper bound on the length of the execution inte"al 
(El) for the operator. All of the actions that may be required to fire an operator once must fit into the exe-
cution interval. These actions are listed below. 
( 1) Reading values from input data streams. 
(2) Evaluating triggering conditions. 
(3) Calculating output values. 
(4) Evaluating output guards. 
(5) Writing values into output streams. 
The execution interval for an operator does not include scheduling delays. A scheduling delay is the time 
between the writing of a value into a data stream by a producer operator and the reading of that value by 
the consumer operator. 
Operators triggered by temporal events are periodic in PSDL. Every periodic operator must have a 
period (PERIOD) and may have a deadline (FINISH_ wmnN). These two timing constraints partially 
determine the set of scheduling inte"als (SI) for the operator. Each periodic operator must be fired 
exactly once in each scheduling interval, and must complete execution before the end of the scheduling 
interval. The period is the length of time between the start of any scheduling interval and the start of the 
9 
next scheduling interval. The deadline is the length of each scheduling interval. The starting time of the 
first scheduling interval for each operator is determined by the static scheduler, subject to the scheduling 
constraints described below. 
There is an implicit constraint on the order in which PSDL operators can be scheduled to fire, known 
as the dataflow precedence constraint. The data.flow precedence constraint requires the initial firings of all 
operators with timing constraints to occur in an order consistent with the dataftow ordering, which is 
defined in terms of the PSDL computational model as follows. Construct the precedence graph by taking 
all of the nodes in the augmented graph G defined above, and taking only the edges of G that do not have 
explicitly declared initial values. Since any cycle of G must contain at least one edge with a declared initial 
.. 
value in a well formed PSDL program, the precedence graph is acyclic. The dataflow ordering is the tran-
sitive closure of the precedence graph, which results in a sttict partial ordering. For any pair of operators 
(a, b), if a precedes bin the data.flow ordering then a must be scheduled to fire before bis scheduled to fire 
for the first time. 
The relation between the timing constraints, scheduling intervals, and execution intervals for a 






SI[n] = n-th scheduling interval 
El[n] = n-th execution interval 
SI[n+l] 
EI[n+l] 
















are indexed by integers in the order of their occurrence. Thus SI[n] denotes then-th scheduling inteIVal for 
the operator and El[n] denotes the n-th execution inteIVal for the operator. The static scheduler talces the 
length of each execution inteIVal to be equal to the maximum execution time to allow for worst case condi-
tions. If a time-critical operator completes before the end of the execution interval reseIVed for it by the 
static scheduler, the remaining time in the execution interval is used by the dynamic scheduler for the exe-
cution of a non time-critical operator. 
Since each execution inteIVal must be a subset of the corresponding scheduling interval, every well-
formed periodic operator must satisfy the constraint 
.MET <= FINISH_ WITiilN. 
The degree of freedom enjoyed by the static scheduler is characterized by the slack, which is defined by 
slack= FINISH_ WITIIlN - ?vIE'r. 
1be length of time between the start of an execution inteIVal and the start of the next execution interval can 
vary between 
PERIOD - slack 
and 
PERIOD + slack, 
as illustrated in Fig. 3. If FINISH_ WITIUN is not specified explicitly then 
execution starting point 
a X 
slack= FINISH_ WITiilN - MET 
a = period - slack 
b = period + slack 
a<= x <= b 
b 
Fig. 3 Scheduling Freedom for a Periodic Operator 
11 
FINISH_ WITiilN = MET, 
slack= 0, 
and the time between the starting points of each pair of consecutive execution intervals is exactly equal to 
the period. 
Operators triggered by the arrival of new data values are sporadic. Timing constraints for sporadic 
operators are optional. Sporadic operators with timing constraints must have both a maximum response 
time (MRT) and a minimum calling period (MCP) in addition to an MET. The MRT is an upper bound 
on the response time, while the MCP is a lower bound on the calling period. The relation between these 
quantities is illustrated in Fig. 4. SI[n] denotes the n-th scheduling interval for the consumer operator, 
which is sporadic and time-critical. CEl[n] denotes then-th execution interval for the consumer operator, 
and PEI[n] denotes the n-th execution interval for the producer operator, which is assumed here to be 
time-critical also. The respome time associated with a comumer operator is measured from the end of the 
execution interval for the producer operator of the triggering data value to the end of the execution interval 
for the consumer operator of the triggering data value. 
Unlike the MET, the MRT includes a scheduling delay. The MRT gives the length of the scheduling 
interval. The static scheduler may not be able to use the entire scheduling interval if the producer is non 
time-critical, because the ending time of the producer's execution interval is not known to the static 
Sl[n] 





PEI[n] = n-th produce.r exe.cution interval 
CE)(n] = n-th consumer exe.cution interval 




Fig. 4 1iming Constraints for a Sporadic Operator 
12 
r 
scheduler in that case. 
The calling period of an operator is the length of time between the end of the execution interval for 
the producer of the triggering data value and the end of the execution interval for the producer of the next 
triggering data value. The calling period must not exceed the MCP. Toe MCP of an operator constrains 
the behavior of the producers of the triggering data values rather than consttaining the behavior of the 
operator itself. An MCP constraint is needed to allow the realization of a maximum response time con-
straint with a fixed amount of computational resources, via a limit on the frequency with which new data 
can arrive. Violation of an MCP constraint should result in a warning message. The absence of such viola-
tions can be guaranteed a priori only if the producer of each triggering data value is scheduled statically. 
An important case where such a guarantee is not possible occurs when the producer of the triggering data 
value is an asynchronous active sensor. 
PSDL provides a simple framewolk for describing real-time systems at a level convenient both for 
the designer of a prototype and for a set of software tools. The apparent simplicity of the designer's view 
stems from the following properties. 
(1) Locality of infonnation. There is no hidden data coupling between operators due to nonlocal data 
references and no hidden control coupling between operators due to interrupts or exceptions. 
(2) Locality of timing constraints. All PSDL timing constraints are associated with individual opera-
tors, and are defined in terms or events and intervals that can be defined in terms of a black-box 
view of the operator. The small number of concepts involved induces a simple and regular struc-
ture on the timing constraints of the system which allows the constraints to be organized in a 
coherent fashion amenable to localized understanding and analysis. 
(3) Hierarchical Organization. The timing constraints in PSDL are organized hierarchically as well as 
the data and control aspects of the system. This allows the lower level timing constraints used to 
implement an operator at a higher level of abstraction to be ignored when analyzing the interactions 
of the abstract operator with its neighbors in the high level data flow network. 1bis allows the tim-
ing constraints in the system to be partitioned into independent units that can be designed and 
analyzed in isolation from each other. 
13 
Despite their simplicity, the primitives of PSDL are well suited to modeling practical real-time sys-
tems. Both periodic and data driven processes are describable directly, by defining either a period or a data 
trigger for the corresponding operator. Synchronous interactions between operators or system components 
are modeled as dataflow streams while asynchronous interactions are modeled by _sampled streams. Sys-
tems containing both synchronous and asynchronous components can be described easily and safely, since 
the stream types are automatically derived from the context in which the stream is used, and need not be 
explicitly considered by the designer. 
The timing constraints of PSDL are also amenable to automatic analysis and realization, as described 
below. 
4. Computer-Aided Handling of Timing Constraints 
The rapid construction of a prototype in PSDL is made possible by the associated prototyping 
method and support environment. The support environment reduces the efforts of the designer by automat-
ing some of the tasks involved in prototype construction. 
The Computer Aided Prototyping System (CAPS) relies on three major software tools, as illustrated 
in Fig. 5, to assist the designer in constructing and executing a PSDL prototype. First, the computer-aided 
environment includes a software base management system which creates uniform retrieval specifications 
for Ada software modules in the software database and later retrieves these reusable modules for assem-












editor expedites the designer's data entry at a terminal and prevents syntax errors in the design. Finally, an 
execution support system demonstrates and measures the prototype's performance and analyzes the accu-
racy of the design specifications. 
The execution of PSDL prototype models is made possible through the use of an automated Execu-
tion Support System which consists of three parts, the translator, the static scheduler, and the dynamic 
scheduler. We will first examine the translator [15]. Its basic function is to convert the prototyping model 
input by the designer in the form of PSDL source code into Ada source code. Output from the translator is 
provided to the Ada compiler/linker along with some additional information from the static scheduler to 
produce Ada object code. The object code is then exported to the operating system and can be run for test 
and demonstration purposes. The translator creates code to implement the PSDL operators as procedures 
which will be called by the main subprogram/schedule created by the static scheduler. The translator does 
not generate any code from PSDL real-time constraints. 
The static scheduler subsystem of the execution support system represents the single most important 
component of CAPS for meeting the basic requirement for computer-aided rapid prototyping of hard real-
time systems [9]. The static scheduler specifically addresses only those PSDL operators with critical tim-
ing constraints. The performance of these operators determines whether the system, as designed, will meet 
the required timing specifications. The primary purpose of the static scheduler is the creation of a static 
schedule which gives the precise execution order and timing of PSDL component operators with hard real-
time constraints in such a manner that all timing constraints are guaranteed to be met [14]. Provided that 
such a schedule is feasible given the system specifications, the static schedule contains the preallocated 
starting time and execution time for each critical operator. This structure implicitly denotes the precedence 
relatiomhips between the operators. Without the benefit of a static scheduler, the execution of the proto-
type would rely on basic control flow and processor scheduling as currently utilized in most current 
software systems. Rapid prototyping in general would benefit from CAPS without a static schedule. 1be 
static scheduler contributes to increased gains in designer productivity and system reliability in the 
development of bard real-time systems since the construction and validation of a static schedule is a labor 
intemive process that cannot be carried out both rapidly and reliably without the benefit of automated 
software tools. 
15 
The third component of the execution support system is the dynamic scheduler. This scheduler 
operates at runtime along with the prototype model and is designed to control the execution of all non-
critical operators in the program. A non-critical operator is one which is not subject to hard real-time con-
straints. The dynamic scheduler is invoked whenever there is spare time in the static runtime schedule 
created by the static scheduler. At that time the dynamic scheduler commences execution of the next avail-
able module in its set of operators and continues to invoke non-critical modules until the available time is 
exhausted. At that point, operation of the ~ynamic scheduler is interrupted and control is returned to the 
static scheduler to continue the time critical operations. 1bis process is simplified by the locality of data 
references in PSDL, since this property allows the execution of an operator to be interrupted at any time 
except during read or write operations on data streams. Future enhancements identified in the current 
design of the dynamic scheduler would provide debugging facilities and statistical information [5]. 
The remainder of this section contains implementation guidelines describing how the static scheduler 
functions [9, 18]. The design described in this paper addresses a single processor implementation only, and 
the modifications to this design needed to utilize multi-processors and concurrent processing are not 
addressed explicitly. 
The initial input to the static scheduler is a text file containing the PSDL prototype program created 
jointly by the designer and user. An intennediate output to the dynamic scheduler is a file containing the 
non-time-critical operators in the PSDL program. The final output of the static scheduler to the 
compiler/linker/exporter is an Ada source file containing the static schedule. The compiler/link.er/exporter 
compiles and links this program together with the compiled program produced by the translator. 'This com-
bined program is the executable Ada program used by the dynamic scheduler to demonsttate the 
prototype's performance. The data flow diagram shown in Fig. 6 illustrates the conceptual design of the 
static scheduler and outlines its five major functions [18]. The following subsections describe each of these 
major functions. 
4.1. Read_PSDL 
Following initiation by the dynamic scheduler, the static scheduler's first major function is reading 




Fig. 6 DFD for the Static Scheduler 
PRECEDENCE 
UST 
identifies critical operators along with their timing constraints and the link statements which syntactically 
describe PSDL implementation grapm. A special pmpose translator identifies and extracts this information 
from the PSDL source program. This process creates a file containing operator identifiers, timing informa-
tion, and link statements. 
4.2. Pre-Process File 
The static scheduler's next major function is classifying the contents of this file and performing basic 
validity checks. The input file contains all of information extracted from the PSDL program. This infor-
mation must be divided into three separate files based on its destination and the additional processing 
required. The Non-Crits file contains a list of all non-time-critical operators for the dynamic scheduler. 
17 
The Operator file contains all time-critical operators and their associated timing constraints. The Links file 
contains the link statements which syntactically describe the PSDL implementation graphs. 
V aliclity checks are performed on the timing information contained in the Operator file to increase 
the probability of successfully creating a feasible schedule. At a minimum three validity checks are per-
formed at this stage. The Operator file contains operator names, maximum execution times (MET), max-
imum response times (MRT), minimum calling periods (MCP), fixed periods, and deadlines 
{FINISH_ WITIIlN). The first check verifies that each operator with a MCP also has a MRT, and if it is 
missing it is calculated as (MRT = FINISH_ WITHIN) or (MRT = :MET). Toe second check verifies that 
(MET <= period) for operators with fixed periods. This constraint is imposed by the assumption that only a 
single processor is available. Toe third check verifies that (MET<= MRT) [17]. Failure of any of these 
checks causes an error message to be submitted to the user interface. 
4.3. Sort_ Topological 
The static scheduler's next major function is to perform a topological sort on the link statements in 
the Links file. Toe requirement for a topological sort implies that operators producing each data stream · 
must be scheduled before the operators consuming that data stream. The output of this process is a pre-
cedence list of the time-critical operators defining the exact order in which they will be executed. Fig. 7 
shows an augmented acyclic digraph and the corresponding topologically sorted sequenc.e of link state-
ments. In this type of digraph the order of the nodes is not completely determined. In the example the 
decision to choose the "a.A" link first and the "d.A" link last was made arbitrarily. 
4.4. Build_ Harmonic _Blocks 
The second output of the "Pre-Process_Fde" function, the Operator file, is the input to the 
"Build_Hannonic_Blocks" function. A harmonic block is a set of periodic operators, where the periods of 
all the operators in the set are exact multiples of a calculated base period [14]. This design approach treats 
each hannonic block as an independent scheduling problem, which requires one processor for each har-
monic block. Our approach utilizes the capabilities for concurrency and multi-processing which are nor-
mally a requirement for complex, hard real-time systems. The implementation described in this paper 




2 ms 4 ms 
5 ms 
~ "I 
a.A : 5 ms --> B 
b.B: 4 ms --> C 
c.c: s ms --> D 
d.A: 5 ms --> D 
~ ... 
Fig. 7 PSDL Augmented Acydic Digraph 
schedule assume that only one hannonic block is created. 1be rest of this section describes how sporadic 
operators are converted to their periodic equivalents, how base periods and block periods are calculated, 
and how hannonic blocks are created. 
The Operator file contains all the time-critical operators from the PSDL program together with their 
timing constraints. This includes both periodic and sporadic operators. Periodic operators are triggered at 
regular intervals, while sporadic operators are triggered by the arrival of new data. In order to guarantee 
19 
I , • ..- • 
the execution of sporadic operators within the MRT, it is necessary to assume new data cannot arrive more 
often than once per the MCP. To enable the execution of all operators in a predictable manner that can be 
described by a static schedule, sporadic operators are implemented by their calculated periodic equivalents 
(14). The calculation of an equivalent period requires that all sporadic operators have values for MCP, 
NIRT, and MET satisfying the following relationships. 
1. :MET <= NIRT 
2. :MET<= MCP 
The first condition ensures C:MRT - :MET) is positive, while the second allows a single processor implemen-
tation. The equivalent period is given by 
P = minimum(MCP,. MRT - :MET). 
A single processor implementation also requires (MET <= P) to allow the operator to complete within the 
calculated period. 
In the single processor case, all operators are allocated to the same harmonic block. In the multiple 
processor case, blocks are created one at a time by collecting all operators whose periods are exact multi-
ples of the minimum period for all the unallocated operators. The base period of a block is the GCD 
(greatest common divisor) of all periods in the block, while the block period is the LCM (least common 
multiple) of all the periods in the block. The base period is used to relieve scheduling congestion via a 
second pass which moves operators to the block with the longest base period that evenly divides the opera-
tor period. The block period defines the length of the static schedule for the block. 
4.5. Schedule_ Operators 
The "Schedule_ Operators" function uses the "Precedence_List" and "Hannonic_Block" files, which 
are generated by the "Sort_Topological" and "Build_harmonic_Blocks" functions, respectively. 1be 
Precedence_List file defines the required execution order, while the Hannonic_Block file defines the set of 
operators to be scheduled and the length of the static schedule. The resulting static schedule is a linear 
table giving the exact execution start time for each time-critical operator and the reserved maximmn execu-
tion time (MEn within which the operator must complete execution. 
20 
The algorithm used in this implementation is a two step process. The first step allocates the initial 
execution interval for each operator [16]. in the order given by the Precedence_List, using the relation 
interval = (current_time, current_time + .MET) 
whei:e the current_time is the beginning of the currently unallocated time interval in the block period. This 
step also creates a firing interval for each operator, during which the second step must schedule the next 
execution of the operator. The firing interval gives the lower and upper bound for the next possible starting 
time of the operator. For example, OP _2 in Fig. 8 is scheduled to start execution at time 2 and to complete 
by time 3, based on its MET of 1. Since OP _2 has a period of 10, it cannot fire again before time 12, the 
lower bound for its firing interval. OP _2 must fire by time 21, the upper bound, in order to ensure comple-
tion by the end of the second period at time 22. 
The second step schedules subsequent firings of the operators, which are allocated in earliest-Iower-
bound-first order. In the example of Fig. 8 the operators are scheduled in the order [OP _1, OP _2, OP_ 4] 
during the first iteration of the second step. Since the period of OP _3 (20) is the same as the block period, 
it is scheduled to fire only once in the static schedule. As each operator is scheduled, this process verifies 
that both 
1. current_time + MET <= block period, and 
2. current_time <= upper bound. 
Failure to meet either condition results in an infeasible schedule, resulting in an exception and an appropri-
ate error message at the user interface. These checks ensure that the process produces a feasible schedule 
whenever it terminates without an exception. 
The process also calculates new firing intervals for each process scheduled. Fig. 9 shows the static 
schedule after three iterations of the process, along with a timing chart for two block periods. This figure 
illustrates the importance of a robust static schedule. Once all operators are correctly scheduled for an 
entire block period, all subsequent schedules are delayed copies of the first, hence the term "static 
schedule". In the example shown, the static schedule is complete after only one iteration of the second 
step, since at that point the lower bounds of all the firing intervals are greater than or equal to the block: 
period. 
21 
PR£C[t)EJIC[_J_ISTS ( OP-1. OP-2. OP-3. Qp_4) 
HARHOJIIC-8l.OCI' I DIGTH ~ 2G 
. OPgATOR_JD .m:r. PglOD 
QP_1 2 10 
OP-2 1 10 
OP-3 3 20 
QP_4 1 10 
STATIC SCHEDULE: 
START END FIRING 
QPER AIQR-:P .1.!t!£. ~ JpITTRYAL 
OP-1 0 2 (10,18) 
OP--2 2 3 (12,21) 
OP-3 3 6 (23,40) 
QP_4 6 7 (16,2~) 
HARNOJIIIC BLOCX: 
1 2 3 4 
I ' I I I I ' ' ' ' I ' ' ' I • I 
0 , 10 1, 
Fig. 8 Static Schedule after First Process 
22 
' I I 
20 
STATJC SCHEDULE; 
START END FIRING 
OPERATOl?_JD TfME ~ INTERVAL 
DP-1 0 2 (10,18) 
OP..:Z 2 3 C12~1l 
OP...3 3 6 (23,40) 
QP_4 ' 7 (16~) 
OP-1 10 12 (20,28) 
OP..:Z 12 13 (22,31) 
QP_4 16 17 (26,3:5) 
DP-1 20 22 (30,38) 
OP..:Z 22 23 (32,41) 
OP-3 23 26 (43,60) 
QP_4 26 27 (36,•5) 
OP-1 30 32 (40,48) 
OP..:Z 32 D (42,~1) 
OP-4 36 37 (46,~) 
HARMONIC BLQCJC: 
1 2 3 4 1 2 4 1 2 3 4 1 2 4 f- ID 
j I I I 11 I I 11 [jTl, IO I 1f I I I 11 I I 11 r.n,, D, ,1 
0 ~ 10 15 20 ~ JO 35 40 f-rK 
Fig. 9 Static Schedule for 2 Block Periods 
5. Conclusions 
The mechanism discussed in this paper for handling timing constraints in rapid prototyping via PSDL 
offers the potential of serving as a valuable software development tool specifically for hard real-time sys-
tems. The prototyping process is speeded up by automation and by reducing the conceptual burden of the 
23 
analyst and prototype designer. PSDL has constructs for recording timing constraints, defining operator 
and data abstractions, and for specifying non-procedural control constraints. The most important aspects of 
real-time system design are enforcing maximum execution time, maximwn response time, minimum cal-
ling period, and data synchronization constraints. The details of how to handle these characteristics of hard 
real-time systems are discussed in this paper. The execution support system of CAPS described in section 
4 allows the designer to check the feasibility of a set of real-time constraints by monitoring and evaluating 
the execution of the prototype model. PSDL offers a software tool that is a practical way to support rapid 
prototyping of hard real-time software systems. We can validate hard real-time constraints by executing 
the constructed prototype. 
Concurrent research projects to conceptualize components of the CAPS Execution Support System 
are complete and are reflected by the discussion of handling timing constraints in rapid prototyping con-
tained in this paper. These efforts empirically demonstrate that the initial goal of providing an automated 
execution environment for hard real-time software design and specification prototypes is feasible. It will 
provide software designers with an automated tool allowing validation of prototypes for hard real-time or 
embedded systems before extensive time and money are invested in production software. Additional 
research projects are currently underway to conceptualize, implement, and integrate the handling of timing 
constraints in rapid prototyping and make the computer-aided design of hard real-time systems possible, 
feasible, and reliable. 
1. V. Berzins and Luqi, Software Engineering with Abstractions: An Integrated Approach to Software 
Development using Ada, Addison-Wesley, 1988. 
2. V. Berzins, "'lbe Design of Software Interfaces in Spec", in to appear in Proceedings of tlze 
International Conference on Computer Languages, Miami, Oct. 1988. 
3. V. Berzins and Luqi, "Languages for Specification, Design and Prot~typing", in Handbook of 
Computer-Aided Software Engineering, Van Nostrand Reinbold, 1988. 
4. M. Chandrasekharan, B. Dasarathy and Z. Kishimoto, 11Requirements-Based Testing of Real-Time 
Systems: Modeling for Testability", IEEE Computer 18, 4 (Apr. 1985), 71-80. 
24 
5. S. Eaton, "An Implementation Design of A Dynamic Scheduler for a Computer Aided Prototyping 
System'', M. S. Thesis, Computer Science, Naval Postgraduate School, Monterey, CA, March 1988. 
6. S. Faulk and D. Parnas, "On Synchronization in Hard-Real-Time Systems", Comm. of the ACM 31, 
3 (Mar. 1988), 274-187. 
7. F. Jahanian and A. Mok, "Safety Analysis of Timing Properties in Real-Time Systems", IEEE 
Trans. on Software Eng. SE-12, 9 (Sep. 1986), 890-904. 
8. D. Janson and Luqi, "A Static Scheduler for the Computer Aided Prototyping System", in to appear 
in Proceedings of COMPASS 88, Gaithersburg, MD, Jtme 1988. 
9. D. Janson, ''A static Scheduler for Hard Real-Time Comtraints in the Computer Aided Prototyping 
System'', M. S. Thesis, Computer Science, Naval Postgraduate School, Monterey, CA, March 1988. 
10. Luqi, "Rapid Prototyping for Large Software System Design", Ph. D. Thesis, University of 
Minnesota, 1986. 
11. Luqi and M. Ketabchi, "A Computer Aided Prototyping System", IEEE Software, March 1988. 
12. Luqi, V. Berzins and R. Yeh, "A Prototyping Language for Real-Time Software", IEEE 
Transaction on Software Engineering, October, 1988. 
13. Luqi and V. Berzins, "Rapid Prototyping of Real-Time Systems", IEEE Software, Sep. 1988. 
14. Luqi and V. Berzins, "Execution of a High Level Real-Time Language", in submitted to the Real-
Time Systems Symposium, 1988. 
15. C. Moffitt, ''Development of a Language Translator for a Computer Aided Prototyping System'', M. 
S. Thesis, Computer Science, Naval Postgraduate School, Monterey, CA, March 1988. 
16. A. K. Mok, ''The Decomposition of Real-Time System Requirements into Process Models'', IEEE 
Proc. of the 1984 Real Time Systems Symposium, Dec. 1984, 125-133. 
17. A. K. Mok, The Design of Real-Time Programming Systems Based on Process Models, IEEE, 1984. 
18. J. O'Hem, "A Conceptual Design of a Static Scheduler for Hard Real-Time Systems", M. S. Thesis, 
Computer Science, Naval Postgraduate School, Monterey, CA, March 1988. 
25 

Initial Distribution List 
Defense Technical Information Center 
Cameron Station 
Alexandria, VA 22314 
Dudley Knox Library 
Code 0142 
Naval Postgraduate School 
Monterey, CA 93943 
Center for Naval Analysis 
4401 Ford Avenue 
Alexandria, VA 22302-0268 
Office of the Chief of Naval Operations 
Code OP-941 
Washington, D.C. 20350 
Office of the Chief of Naval Operations 
Code OP-945 
Washington, D.C. 20340 
Commander Naval Telecommunications Command 
Naval Telecommunications Command Headquarters 
4401 Massachusetts Avenue NW 
Washington, D.C. 20390-5290 
Commander Naval Data Automation Command 
Washington Navy Yard 
Washington, D.C. 20374-1662 
Office of Naval Research 
Office of the Chief of Naval Research 
Attn. CDR :Michael Gehl, Code 1224 
Arlington, VA 22217-5000 
Director, Naval Telecommunications System Integration Center 
NAVCOl\1:MUNIT Washington 
Washington, D.C. 20363-5100 
Space and Naval Warfare Systems Command 
Attn: Dr. Knudsen, Code PD50 











Ada Joint Program Office 
OUSDRE(R&AT) 
The Pentagon 
Washington, D.C. 230301 
Naval Sea Systems Command 
Attn: CAPT Joel Crandall 
National Center :/1=2, Suite 7N06 
Washington, D.C. 22202 
Office of the Secretary of Defense 
Attn: CDR Barber 
The Star Program 
Washington, D.C. 20301 
Naval Ocean Systems Center 
Attn: Linwood Sutton, Code 423 
San Diego, CA 92152-5000 
National Science Foundation 
Division of Computer and Computation Research 
Washington, D.C. 20550 
Director of Research Administration 
Code 012 
Naval Postgraduate School 
Monterey, CA 93943 
Chairman, Code 52 
Computer Science Department 
Naval Postgraduate School 
Monterey, CA 93943-5100 
LuQi 
Code 52Lq 
Computer Science Department 
Naval Postgraduate School 
Monterey, CA 93943-5100 
1 
1 
1 
1 
1 
1 
1 
150 
.. 


