Real-Time Constraints in a Rapid Prototyping Language by Luqi
Calhoun: The NPS Institutional Archive
DSpace Repository
Faculty and Researchers Faculty and Researchers' Publications
1993
Real-Time Constraints in a Rapid Prototyping Language
Luqi
Luqi, "Real-Time Constraints in a Rapid Prototyping Language", Journal of Computer
Languages, Spring 1993, Vol. 18, No. 2, pp. 77-103.
http://hdl.handle.net/10945/65704
This publication is a work of the U.S. Government as defined in Title 17, United
States Code, Section 101. Copyright protection is not available for this work in the
United States.
Downloaded from NPS Archive: Calhoun
Comput. Lang. Vol. 18, No. 2, pp. 77-103, 1993 
Printed in Great Britain. All rights reserved 
0096-0551/93 $5.00 + 0.00 
Copyright © 1992 Pergamon Press Ltd 
REAL-TIME CONSTRAINTS IN A RAPID 
PROTOTYPING LANGUAGE 
LUQI 
Computer Science Department, Naval Postgraduate School, Monterey, CA 93943, U.S.A. 
(Received 6 June 1991; revision received 15 October 1991) 
Abstract-This paper presents real-time constraints of a prototyping language and some mechanisms for 
handling these constraints in rapidly prototying embedded systems. Rapid prototyping of embedded 
systems can be accomplished using a Computer Aided Prototyping System (CAPS) and its associated 
Prototyping Language (PSDL) to aid the designer in handling hard real-time constraints. The language 
models time critical operations with maximum execution times, maximum response times and minimum 
periods. The mechanisms for expressing timing constraints in PSDL are described along with their 
meanings relative to a series of hardware models which include multi-processor configurations. We also 






Computer Languages Executable Specifications 
Computer Aided Software Engineering 
I. INTRODUCTION 
Computer Aided Prototyping Systems* (CAPS) should. be used to prototype large, parallel, 
real-time and distributed systems because the requirements for such software systems are difficult 
to assess. Rapid prototyping can be used to reduce the risks of producing systems that do not meet 
customer needs [1]. Demonstrations of. proposed. system behavior can be effective for validating 
system requirements, especially for new or unfamiliar application areas. Traditional approaches to 
sqftware development produce working code only near the end of the process. When utilized during 
the early stages of the development life cycle, rapid prototyping allows validation of the 
requirements, sp_ecification and initial design, before valuable time and effort are expended on 
implementation software. 
A prototype is an executable pilot version of a proposed software system. Prototypes are used 
to-gain information that can guide analysis and design, and can support automatic generation of 
productio,n code. The code of a prototype usually cannot be used as the final implementation 
because it may not realize all aspects of the intended system, and it may not run on the same 
hardware configuration as the production version of the proposed system. 
Since the demand for hard real-time and embedded systems is increasing and these systems have 
particularly strict requirements on accuracy, safety and reliability, new approaches for the 
development of such systems are becoming critical. An embedded software system is part of some 
larger system, w4ich it monitors and controls. The control functions are usually subject to timing 
constraints that must be met even under the worst possible operating conditions, because missing 
a timing constraint can cause catastrophic failures in such systems. Feasible requirements for large 
embedded systems are difficult to formulate, understand and meet without extensive prototyping. 
Computer aid is the key to rapid construction, evaluation and evolution of such prototypes. 
Analysis and measurement of prototype designs provides upper bounds on the time required to 
execute particular functions and experiments with simulated environments provide information 
about the accuracies and response times required to keep external physical systems within desired 
operating regions. 
Software engineers and end-users would benefit from an automated prototyping methodology 
for validating functional requirements and verifying design specifications early in the development 
life cycle [1]. A fast, efficient, easy-to-use set of software tools·would 'increase designer productivity 











Fig. 1. Prototyping life cycle. 
and also allow the customer to gain more confidence that the final software product is feasible. 
The computer aided prototyping system is a set of software tools which provides these capabilities 
[2]. It implements the rapid prototyping concept via a high-level prototyping language called PSDL 
[3]. This language is designed for prototyping hard real-time and large software systems, and 
supports conceptual modeling of such systems. 
This paper shows how PSDL can serve as a vehicle to analyze timing aspects of hard real-time 
systems and further describes the feasible paths for realizing these hard real-time constraints in 
multi-processor hardware configurations. The approach described here makes practical validation 
of the timing constraints in requirements of hard real-time systems via rapid prototyping possible. 
We concentrate on timing aspects here. Behavioral aspects of an earlier version of PSDL are 
described in [3], and scheduling aspects are described in [4-6]. 
A software development process using rapid prototyping has two stages: prototyping and code 
generation, as illustrated in Fig. 1. The prototyping stage firms up the requirements via iterative 
negotiations between customers and developers, guided by information gained via demonstrations 
of prototype execution. The customer and the designer concurrently define requirements and 
specifications for the critical aspects of the envisioned system. The designer then constructs a 
protoype of the system in PSDL and demonstrates the critical attributes necessary for meeting 
customer requirements. The designer adjusts the requirements and modifies the prototype based 
on feedback from the customer until the customer agrees on the requirements. The adjustments 
are speeded up via refining and relaxing transformations [7]. This iterative communication process 
should result in a design that ultimately meets the intended requirements of the customer. The code 
generation stage focuses on verifying the structure of the design and transforming it into a 
complete, efficient and reliable implementation. 
A good modeling strategy is important for making the rapid prototyping approach work for 
real-time systems. Systems can be designed and analyzed quickly only if they can be readily 
understood by the designers. This makes the ability to decompose large problems into independent 
subproblems essential. Timing constraints complicate the design of real-time systems because they 
introduce interactions between otherwise unrelated parts of the system [8]. A good modeling 
strategy should help to counteract this effect. This can be done in the following ways: 
(1) by decoupling the behavioral aspects of a system from its timing properties to allow 
independent analysis of these two aspects, and 
(2) by organizing timing constraints in a hierarchical fashion, to allow independent consideration 
of smaller subsets of timing consttaints. 
An effective modeling strategy should therefore support a set of abstractions useful for simplifying 
the timing aspects of systems with hard real-time constraints. 
The modeling strategy used in the rapid prototyping of real-time systems should be integrated 
with a language supporting the modeling strategy and a systematic prototyping method for 
Real-time constraints 79 
applying the strategy. A formal notation is essential for achieving a significant level of computer-
aided design [9]. The prototyping language PSDL [3] supports a modeling strategy based on 
dataftow graphs augmented with non-procedural timing and control constraints. 
People are best at analyzing situations with a limited number of components and constraints, 
and tend to have difficulty in understanding non-local interactions in complex systems. Since shared 
computing resources introduce unavoidable global constraints on the set of time-critical compu-
tations in a real-time system, mechanical analysis of those constraints is desirable. PSDL provides 
a separation of timing and behavioral aspects, and supports computer-aided prototyping of both 
aspects. 
Section 2 discusses several approaches to modeling real-time systems. The real-time aspects of 
PSDL are described in Section 3, with emphasis on their interpretation relative to multi-processor 
architectures, maximizing allowable concurrency, tools for speeding up the design decisions 
associated with timing constraints, and possible optimizations in scheduling. Section 3 also explains 
the class of hardware models associated with PSD L and how timing properties of software modules 
can be adapted to different configurations within these hardware models. An example illustrating 
how the features of PSDL simplify the design of real-time systems is presented in Section 4. 
Section 5 presents some conclusions. 
2. MODELS FOR REAL-TIME SYSTEMS 
Systems that must respond as fast as possible are sometimes informally called "real-time 
systems". This objective is rarely defined precisely, and is often interpreted as minimizing response 
time with respect to some performance measure, such as the average delay. In contrast, "hard 
real-time system" is a technical term with a specific meaning: the requirements of hard real-time 
systems include timing constraints that must be met in the worst case for the system to be 
considered correct. 
Models for hard real-time systems are used to 
(1) support automated analyses to determine whether specified real-time constraints can be met 
by a given design with respect to a given hardware configuration. 
(2) help the designer construct a design that will meet a set of hard real-time constraints, if such 
a design exists. 
(3) form a basis for the development of programming languages for hard real-time programming, 
for which it is possible to effectively determine whether a given program will always meet a 
given set of deadlines. 
A central question in the design of such languages is how to support concurrent processing 
without sacrificing the ability to predict whether deadlines will be met. Concurrent processing is 
essential because the only way to make some tight real-time constraints feasible is to use multiple 
processors, and because hard real-time systems often contain many different processes with 
real-time constraints that must all be executed on the same hardware. 
Providing guarantees of service in hard real-time is a difficult problem that is not solvable in 
general. Some of the assumptions that are commonly used to make this problem tractable are to 
impose fixed bounds on arrival rates of data, on sizes of input data values, and on the number 
of processes that can be active at the same time. 
The treatment of real-time constraints in this paper results from a fundamental analysis of hard 
real-time systems. Understanding the modeling strategies for such systems is essential for effectively 
handling timing constraints in the prototyping process. Models of real-time systems are essential 
for requirements analysis, specification and design of systems with hard real-time constraints. A 
coherent framework for classifying real-time constraints can be used to organize complex sets of 
timing requirements and to guide the process of discovering the timing requirements associated with 
an embedded software system. The rest of this section reviews some previous approaches to 
modeling real-time systems. 
The pioneering treatment of requirements for real-time systems in the context of the A 7E aircraft 
system [1 O] described external behavior of such systems in terms of events defined by transitions 
in the truth values of specified conditions or predicates, but did not explicitly formalize the timing 
80 LUQI 
constraints associated with the requirements. The framework presented in [11] classifies timing 
requirements as maximum or minimum constraints on the lengths of time intervals between pairs 
of events, where the endpoints of the intervals are classified as one of the following types: (1) 
stimulus-stimulus, (2) stimulus-response, (3) response-stimulus and (4) response-response. A third 
kind of timing constraint identified in [11] is the durational constraint, which states that an event 
must occur for a time interval of the specified length. This framework treats events as signals rather 
than as instants of time, and tries to treat both digital and analog systems in the same terms. In 
particular, events are not required to be instantaneous, although events without durational 
constraints are instantaneous by default. This feature introduces an ambiguity in the definitions 
of the four kinds of time intervals because it is not specified whether the intervals are delimited 
by the beginning or the ends of the events forming the endpoints of the intervals. It also introduces 
an artificial distinction between durations of signals and other kinds of time intervals. 
Another weakness of this framework is the implicit assumption that every timing constraint 
involves just a single pair of events. This implicit assumption is undesirable because it does not 
allow simple descriptions of phase-locked periodic processes, which are an important aspect of 
real-time systems. Phase-locked periodic processes are subject to global timing constraints that 
involve all of the activations of a periodic process simultaneously. In contrast, stimulus-stimulus 
formulations define independent local constraints on each pair of adjacent activations, which allow 
long-term drift unless the upper and lower bounds on the intervals are equal. As we shall see in 
Section 3, phased-locked periodic processes are useful for data synchronization. 
A different framework for describing real-time constraints is provided by RTL (Real Time Logic) 
[12]. RTL makes a distinction between actions and events. Actions require a bounded non-zero 
amount of system resources, such as CPU time. Events are instantaneous, requiring no system 
resources and serving only as temporal markers. Four kinds of events are distinguished in RTL 
for hard real-time systems: 
(1) External events, such as an operator pushing a button. 
(2) Start events marking the initition of an action. 
(3) Stop events marking the completion of an action. 
(4) State variable transition events marking a change in some attribute of the system. 
A more precisely defined version of the durational events of [11] can be expressed in RTL in 
terms of the duration of an interval delimited by two state variable transition events, marking the 
appearance and disappearance of the signal. RTL also provides a way to index all of the 
occurrences of each time of event in the order in which they occur, via the occurrence function 
"@". This facility is important because it allows the description of phase-locked periodic -processes. 
RTL is a powerful notation which can be used to mechanically check whether a given safety 
assertion follows from RTL system specifications via a decision procedure for Presburger arithmetic 
[12]. The primitives of RTL are very simple and provide the ability to describe timing constraints 
in detail. RTL is a good choice for defining the semantics of notations at higher levels of 
abstraction, because a scheme for translating a notation into RTL allows the application of the 
RTL decision procedure to the other notations [13]. 
Spec, a powerful specification language for large and real-time systems based on quantifiers and 
predicate logic, uses another framework for timing constraints called the event model of 
computation [14]. In the event model, computations are described in terms of modules, messages 
and events. A module is a black box that interacts with other modules only by sending and receiving 
messages. A message is a data packet that is sent from one module to another. An event occurs 
when a message is received by a module at a particular instant of time. The events at a module 
occur one at a time in a well defined order, while events at different modules need not be ordered. 
Modules can be used to model external systems such as users and peripheral hardware devices, 
as well as software components. Modules are active black boxes, which have no visible internal 
structure. The behavior of a module is specified by describing its interface. The interface of 
a module consists of the set of stimuli it recognizes and the associated responses. A stimulus 
is an event, and the response is the set of events directly triggered by the stimulus. The events 
in the response consist of the arrivals of the messages sent out by the module because of the 
stimulus. 
\ 
Real-time constraints 81 
As in RTL, events in the Spec event model are instantaneous and serve to define points in 
time. Every event is associated with the instant of time when an incoming message crosses 
the boundary of a module. An event marks the time when a module accepts a message and 
starts the computation of the module's response. The Spec event model does not distinguish 
a completion event for an action, since the events in which the messages sent out in response 
to an event arrive at their destinations serve this purpose. The event model treats the environment 
of a system as a set of modules, so that there is no formal distinction between internal and external 
events, as is the case in RTL. In the Spec event model all state changes are instantaneous 
and localized to some module. The ti111e of the state change is taken to be the same as the 
time of the event at which the message triggering the state change arrived at the module containing 
the state. An implementation may take a non-zero time interval to realize a state change, 
but all state changes triggered by an event at a module must be complete before the module 
can accept another message. Since all inte_ractions between two modules occur via the transmission 
of messages, the exact instant at which a state change takes place cannot affect the observable 
behavior of the system until the module accepts its next message. Since the delays between 
events and the completion of the state changes they trigger are not externally observable, they 
are abstracted out in the Spec model. Spec events thus unify the four types of events distinguished 
in RTL. 
Spec allows the use of arbitrary predicates in second order temporal logic to express constraints 
on the delay and period associated with each type of event. The delay is the interval between an 
event representing a stimulus to a module and another event representing a response of the module 
to that stimulus. Simple constraints on the delay correspond to the stimulus-response and 
response-stimulus constraints of [11]. The period is the interval between two consecutive events of 
the same type at the same module. Simple constraints on the period correspond to the 
stimulus-stimulus and response-response constraints of [11]. The temporal operators of the 
underlying logic can be used to express global phase-locked timing constraints, although this 
concept is not predefined in Spec. 
7'he Spec language supports the definition of temporal events as well as events triggered by 
external stimuli. Each module can send messages to itself at absolute times determined by its· local 
clock. The arrival of such a message, is called a temporal event. Temporal events allow modules 
to initiate actions in addition to just responding to external stimuli. 
The time at which a temporal event occurs can be constrained by an arbitrary predicate in second 
order logic. Such predicates can easily describe periodic processes, the most common kind of 
temporal events, as well as other kinds of temporal events. Like RTL, Spec provides primitives 
for defining timing constraints at a detailed level. Spec also has facilities allowing designers to define 
high level timing constraints, but high level abstractions for timing are not built into the language 
or pre-defined. 
Other approaches to modeling real-time systems are based on timed Petri Nets [15] and 
interacting state machines [16]. 
3. TIMING CONSTRAINTS IN RAPID PROTOTYPING 
PSDL is a language designed for clarifying the requirements of complex embedded systems, and 
for determining properties of proposed designs for such systems via prototype execution and static 
analysis. The language was designed to simplify the description of such systems [3] and to support 
a prototyping method that relies on a novel decomposition criterion [1]. PSDL is also the basis 
for a computer-aided prototyping system [2] that speeds up the prototyping process by exploiting 
reusable software co)!lponents [17] and providjng execution support [18-20] for high level 
constructs appropriate
1 
for describing large real-time systems in terms of an appropriate set of 
abstractions [14]. 
PSDL simplifies the design of systems with hard real-time constraints by presenting a high-level 
description in terms of networks of independent operators to the designer, and automatically 
introducing any required interleaving of the code via an execution support system. The execution 
support system contains a static scheduler for pre-scheduling operators with hard reat-time 
constraints, a dynamic scheduler for scheduling operators without timing constraints at run-time, 
82 LUQI 
and a translator for generating executable code that interconnects and controls reusable software 
components. 
The encodings and explicit interactions with the schedule required to realize hard real-time 
constraints in conventional programming languages usually lead to complicated intertwined 
implementations that are very difficult to change or understand. Some more recent languages for 
real-time programming strive to improve on this situation without compromising on efficiency. 
Real-Time Euclid [21, 22] was the first language to support automated schedulability analysis. This 
was accomplished relative to a specific timing model and a particular queuing and scheduling 
strategy [23, 24]. The timing frame of Real-Time Euclid is equivalent to a combination of the 
maximumresponse and minimumcalling timing constraints of PSDL, under the assumption that 
both of these attributes are equal. Real-Time Euclid was designed to guarantee that programs can 
be executed in bounded space and time in the worst case, at the expense of eliminating recursions, 
dynamic process creation and dynamic data structures. Interprocess communication is modeled as 
a mutually exclusive access to a shared communications medium with bounded access time after 
a possible queuing delay. The language provides simple and efficient synchronization and exception 
handling primitives. Timing analysis is based on actual implementation code rather than on design 
information (as in PSDL). This has the advantage of accuracy, and the disadvantage of requiring 
a detailed implementation before feasibility assessment. RTC+ + [25] is a real-time extension of 
C + + that provides exception handlers which are invoked when the timing constraints associated 
with an operation cannot be met. Real-time Mentat [26] is a real-time programming language that 
supports both hard and soft deadlines-an operation with a soft deadline can be skipped if the 
deadline cannot be met. The Flex language is designed to support computations that can be 
interrupted to deliver approximate results, where the accuracy of the results improves as more 
computation time is allowed [27, 28]. 
The main differences between the treatment of real-time constraints in rapid prototyping and the 
corresponding treatment in the design and implementation of the production version of the 
software are the requirements for flexibility and simplicity. Flexibility is provided by automatic 
procedures for scheduling and code generation in CAPS. Simplicity is provided by the timing 
constraints of PSDL, which comprise a minimal orthogonal set of constructs sufficient to express 
most realistic embedded systems, as described in the next section. PSDL has been designed to help 
the analysts determine how to adjust the proposed functions of the system, the target architecture, 
or both to ensure that the requirements are feasible and provide the best service possible to the 
users of the proposed software. PSDL also provides a description of a proposed design that can 
be smoothly transformed into a final implementation after the requirements have been validated 
and the design has been verified. 
3.1. Real-time semantics of PSDL 
This section outlines the main features of PSDL, focusing on those related to the real-time 
behavior of concurrent operations. A denotational semantics for PSDL can be found in [29]. 
Examples of PSDL programs can be found in Section 4. 
A PSDL program is a set of basic units. The basic units of PSDL are operators and types, and 
both of these have a specification part and an implementation part. The specification parts are used 
for retrieval of reusable components, generating interface code and verification of designs. They 
are also used by designers to document the intended behavior of a prototype. The specification 
parts do not directly affect the execution semantics of a basic unit, but the semantics of the 
implementation part must be consistent with the attributes and constraints declared in the 
specification part for the unit to be correctly processed by the CAPS system. Each reusable 
component in the CAPS software base must have a PSDL specification part in addition to an 
implementation. For components in the critical parts of a design or in the trusted subset of the 
software base, the consistency between the specification parts and the implementation parts should 
be mechanically verified when both the specifications and implementations have stabilized. 
The implementation part of any unit can be either a PSDL decomposition or an external 
reference to a component implemented in another language. PSDL is based on a computation 
model which treats software systems as networks of operators communicating via data streams. 
A PSDL decomposition is an augmented directed graph (Q, S, T(o ), C(o )), where O is the set of 
Real-time constraints 83 
operators in the network, Sis the set of data streams in the. network, T(o) is the set of timing 
constraints for each operator o eO, and C(o) is the set of control constraints for each operator 
o eO. The graph (0, S) in a PSDL decomposition determines the possible interactions between 
the operators. The timing and control constraints determine the conditions under which the 
operators are activated. 
Every PSDL operator is a state machine. Functional operators are machines with only a single 
state. When an operator fires, it reads one data value from each of its input streams, undergoes 
a state transition, and writes at most one data value into each of its output streams. The action 
of a PSDL operator is local, since its output values can depend only on the current set of input 
values and the cur.rent state of the operator. Unlike other formulations based on finite state 
machines with globally visible states, the state variables of a PSDL operator are local to that 
operator unless they are explicitly output via outgoing data streams. State transitions and 
input/output operations on data streams can occur only when the operator fires. The firing of an 
operator can be triggered by the arrival of a specified subset of its input data values or by a periodic 
temporal event. 
A PSDL data stream carries instances of an abstract data type associated with the stream, which 
can be a special pre-defined type representing exceptions. There are two different kinds of data 
steams in PSDL, dataflow streams and sampled streams. A dataflow stream is a discrete sequence 
of values, each of which has an independent meaning. The values in a dataflow stream must be 
transmitted in FIFO order and must not be lost or replicated. A sampled stream represents a 
continuous source of data, for which only the most recent value is meaningful. The most recently 
written value in a sampled stream must be available at all times and may be read many times or 
ov.erwritten by more recent data before it is read without affecting the collective meaning of the 
stream. 
Existing i:eusable software components are linked into prototype designs via modules with an 
ordinary PSDL specification and a PSDL implementation part that gives just the name and the 
implementation language of the external component .. The CAPS system treats external components 
as entities without any substructure, and relies on the declarations in:their PSDL specification parts 
for all interfacing, scheduling and analysis functions. The PSDL resource model assumes that 
external components are executed with a single thread of control (i.e. they cannot be broken up 
into independent sub-computations that can be scheduled for parallel execution). 
Any PSDL operator can be subjected to timing constraints. PSDL timing constraints are 
specified by giving bounds on the durations of various kinds of time intervals. Durations are 
expressed in PSDL using abstract time units that are interpreted relative to a hardware model for 
scheduling and feasibility analysis (see Section 3.3). The types of timing constraints associated with 
PSDL operators are explained next. These constraints can be applied uniformly to operators 
associated with types and to independently defined operators. 
3.1.1. Maximum execution time. The most basic PSDL timing property is the maximum execution 
time. Reusable components can be used in contexts where they are subject to real ... time constraints 
only if their PSDL specification part defines a maximum execution time, because a correct 
implementation of a time-critical operator must provide a guarantee of service with respect to 
bounded computational resources. The maximum execution time attribute is used by CAPS 
(1) to realize the specified real-time behavior with respect to a linearly-scaled time reference 
during prototype execution, 
(2) to check feasibility with respect to given hardware configurations, or 
(3) to determine hardware requirements implied by real-time constraints. 
The maximum execution time is the maximum amount of serial CPU time required to execute an 
operator under worst-case conditions. For atomic components (those implemented by external 
references) the maximum execution time is the total CPU time needed. For composite components 
(those implemented by PSDL decompositions), the maximum execution time is the maximum CPU 
time needed along any single thread of control. The static scheduler must ensure that at least this 
much CPU time is allocated to an operator between each activation time (the earliest time an 
activation of the operator can start to fire) and its deadline (the latest titne the activation can 
complete firing). This CPU time need not be all in one contiguous interval and it need not be all 
84 LUQI 
on the same processor. However, schedules consisting of several disjoint time intervals must supply 
additional time slots between the disjoint intervals sufficient for context switching. Schedules that 
execute a single external component on several different processors must ensure that the time 
intervals allocated to different processors are disjoint and that context switching times include any 
interprocessor communications delays that could be required. The maximum execution time in the 
specification part of a component is a property of the component, and is independent of the context 
in which the component is used. 
A maximum execution time attribute can also appear in a PSDL decomposition, and in this 
context it has a slightly different interpretation. When decompositing a complex operator into a 
network of simpler operators, the designer of a real-time system must consider timing requirements 
as well as functional requirements. The nodes in a PSDL decomposition graph are labeled with 
maximum execution times so that the designer can specify time budgets for the subcomponents of 
a composite time-critical operator. The time budget for an operator represents the amount of time 
available for its execution, and is used as a rough guideline for establishing feasibility. The time 
budgets are constrained by different necessary conditions for feasibility, depending on the type of 
target hardware for the proposed system. 
For a target architecture with a single· processor, the sum of the maximum execution times of 
the components in a proposed decomposition must be less than or equal to the maximum execution 
time of the composite component. For a target architecture with a multiple processors, the sum 
of the maximum execution times of the components along every path from an external input to 
an external output in a proposed decomposition must be less than or equal to the maximum 
execution time of the composite component. One of the goals of a complete CAPS system is to 
automatically adjust the time budgets in the PSDL decomposition graph of a time-critical 
component so that the above constraints are met at all times, relative to the specified class of target 
architectures. This can be done by distributing the remaining time budget evenly among all of the 
subcomponents for which the designer has not made an explicit time allocation. In cases where 
a component belongs to multiple paths of a decomposition, the most restrictive of the time budget 
constraints for each path applies. This is illustrated in Fig. 2 (a, b), relative to the assumption that 
the target architecture has multiple processors. The figure shows the decomposition of a composite 
operator CO with met(CO)=300ms, where met(o) denotes the maximum execution time of the 
operator o. The decomposition has two paths (A, B, C) and (A, D), which induce the following 
constraints. 
met(A)~met(CO)/3 = 100 
met(B)~met(CO)/3 = 100 
met(C)~met(CO)/3 = 100 
met(A)~met(CO)/2 = 150 
met(D)~met(CO)/2 = 150 
Since there are multiple constraints affecting A, they are combined as follows. 
met(A)=min(lO0, 150)= 100 
This binding causes reallocation of the remaining constraints on the two paths. 
met(B)=met(C)=(300 - 100)/2 = 100 
met(D)=(300 - 100)=200 
The nodes in the initial version of the decomposition graph act as placeholders for subcompo-
nents that must be found or constructed. The constraints attached to the nodes in the graph serve 
two different purposes: 
(1) to define subgoals for retrieval or construction of subcomponents and 
(2) to adapt the behavior of a subcomponent to the context where it is used. 
The maximum execution time contributes to the first purpose. The second purpose is realized by 
the control constraints, which can have effects such as defining guard conditions on the execution 
of an operator, or guard conditions on the transmission of the results of an operator to its output 
stream. 




(a) Decomposition with a default time budget 
76 




(c) Final time budget 
Fig. 2. Example of automatically derived time budgets. 
After a PSDL decomposition is constructed, the software base is quered for reusable components 
matching the nodes in the PSDL decomposition graph. These queries are based on PSDL 
specifications which are mechanically derived from the PSDL decomposition graph and then 
augmented by the designer to include functional requirements. The maximum execution time in 
the query is taken from the maximum execution time in the decomposition graph, and adjusted 
for any time required for realizing the data stream IO operations and any control constraints 
associated with the operator. This overhead must be included in the time budget shown in the 
decomposition graph, but not in the query, because this time will be spent executing code 
generation by the PSDL translator rather than executing the body of the reusable component. A 
complete CAPS system should have the capability to make these adjustments automatically, based 
on the text of the control constraints. 
The initial time allocation developed by the designer allows the queries for the components 
in the decomposition to be processed independently. Exact match queries are satisfied only by 
reusable components whose maximum execution times are less than or equal to the maximum 
execution time given by the query, and whose functional specifications imply the functional 
specifications given in the query. Partial match queries can produce operators with larger maximum 
execution times and with functional specifications that only partially satisfy the constraints in the 
query. 
When the designer decides to incorporate a retrieved implementation for a subcomponent into 
the design, the maximum execution times in the decomposition graph must be updated to match 
those of the actual implementation, adjusted to include the overhead due to any control constraints. 
The new maximum execution time can be greater than the initial time budget in cases where the 
designer decides to reallocate execution times to make room for a component retrieved by a partial 
86 LUQI 
match retrieval. In such cases the control constraints and the structure of the decomposition graph 
will be redefined to adapt to the retrieved component, since it will not fit into the original design. 
These updates trigger adjustments to the time budgets for the subcomponents yet to be realized, 
and thus guide the search for their implementations. This is illustrated in Fig. 2 (b) assuming that 
an implementation of C was retrieved with the specification met(C) = 75 ms and assuming that the 
overhead for stream IO and control constraints is 1 ms. The resulting reallocations are determined 
as follows. 
met(A)=met(B)=(300- 75 - 1)/2 = 112 
met(D)=(300- 112)= 188 
When all the subcomponents in a PSDL decomposition are realized, then the maximum 
execution time of the composite component should be updated to match the maximum execution 
time of the implementation network. This enables any excess in the time budget initially allocated 
to the composite component to be redistributed to its siblings at higher levels of the design. This 
kind of constraint propagation should also be performed automatically by a complete CAPS. This 
is illustrated in Fig. 2 ( d), which shows the maximum execution times derived from the 
implementations of the subcomponents, and the assumption of a multi-processor target architec-
ture. 
met(CO)=max(14 + 20 + 76, 14 + 120)=max(l 10, 134)= 134 
The time budget constraints are necessary but not sufficient for guaranteeing feasibility of 
real-time constraints. A sufficient condition is provided by the static scheduler when it finds a 
feasible schedule for the time-critical operators. The scheduler may not be able to construct a 
schedule even if all components in the design do meet their time budgets. In such cases, the designer 
must either adjust the hardware requirements or make time-budget cuts in selected places in the 
design, guided by the diagnostics provided by the schedulers. Such cuts may require adjustments 
to the requirements and functional descriptions of the proposed system. 
3.1.2. Sporadic operators: maximum response time and minimum period. Operators triggered by 
the arrival of new data values are sporadic. Sporadic operators can be used to model asynchronous 
and unpredictable processes. The PSDL timing constraints for specifying time-critical sporadic 
operators are the maximum response time and the minimum period. Both the maximum response 
time and the minimum period of an operator depend on the context in which the operator is used. 
The maximum response time and the minimum period are defined in PSDL as part of the set of 
timing constraints T(o) associated with an operator o by a PSDL decomposition. This implies that 
copies of the same operator appearing in different contexts can have different maximum response 
times and different minimum periods. Operations with multiple occurrences in the same design are 
most commonly associated with PSDL types, such as numbers, sets, sequences, maps, or abstract 
data types defined by the designer. 
The maximum response time is a bound on the delay between the instant when the firing 
of an instance of the operator is activated and the instant when the firing of that instance 
is completed. A sporadic operator is triggered by the arrival of new data on a specified subset 
of its input streams. This triggering condition is declared in the control constraints associated 
with an occurrence of the operator in a PSDL decomposition graph. In general, a sporadic 
operator is triggered by new data values on a subset of the input streams which has n elements. 
The sporadic operator is activated when the last of these n new values becomes available for 
reading by the operator. On a shared-memory machine, this is the same as the completion 
time of the operation that wrote the last of the n new values into the data stream. On distributed 
architectures, there may be some intervening communication delay if the operator that 
wrote the value is allocated to a different processor than the sporadic operator that reads the 
value. 
The maximum response time is a constraint on the scheduler: it must provide enough CPU time 
to complete the firing of the operator within its deadline, regardless of when the instance of the 
operator is actually activated. Since the actual activation times may depend on unpredictable 
asynchronous events such as external IO, the scheduler must provide for the worst case possible. 
Such a requirement cannot be realized with bounded resources unless the activation rate of the 
Real-time constraints 87 
operator can be limited. This is the purpose of the minimum period. In a feasible design, every 
sporadic operator with a maximum response time must have a minimum period. 
The period of an operator is the length of time between one activation of the operator and the 
next consecutive activation. The period of a sporadic operator can vary, based on the actual arrival 
rates of the triggering data. The minimum period is a lower bound on the period of a sporadic 
operator. This lower bound defines the maximum input rate under which the sporadic operator 
must meet its deadline. Thus the minimum periods characterize the worst-case operating conditions 
under which a proposed design is guaranteed to meet its hard real-time constraints. 
Cases where the designer does not explicitly specify a minimum period represent situations where 
the requirements do not determine any safe maximum input rate. In such cases a perfect 
implementation is impossible, and the designer is interested in determining the largest input rate 
that can be supported by as proposed design. Consequently the scheduler should determine the 
smallest feasible minimum period. This problem does not have a unique solution when there is more 
than one time-critical sporadic operator in a proposed design. One way to make the solut~on unique 
is to specify the desired ratios between the derived minimum periods of the time-critical sporadic 
operators for which the designer has not explicitly specified minimum periods. A reasonable and 
easily computable default is to assume the ratios of the minimum periods should be the same as 
the ratios of the corresponding maximum response times. We expect these default values to be used 
in the early stages of prototyping, to get quick feedback without requiring a detailed analysis by 
the prototype designer. More accurate characterizations about relative input rate requirements can 
be specified by the designer as optional extra inputs to the scheduler. The best achievable minimum 
periods should be calculated by the scheduler based on this information to help the prototype 
designer assess adequacy of proposed hardware configurations. The refined maximum transaction 
rate requirements determined based on the information provided by the scheduler and measure-
ments based oh prototype execution are recorded as minimum periods in the final version of the 
PSDL prototype description. 
Violation of a minimum period constraint corresponds to an operational overload condition. The 
absence of such violations can be guaranteed a priori only if the producer of each triggering data 
value is scheduled statically. An important case where such a guarantee is not possible occurs when 
the producer of the triggering data value is an asynchronous active sensor controlled by factors 
external to the system. An overload occurs whenever two successive values are written into an input 
stream before the next value is read by the consumer operator. The behavior of a time-critical 
sporadic operator under overload conditions depends on the triggering condition of the operator, 
since the triggering condition determines the type of the input stream. If the input streams are data 
flow streams (TRIGGERED BY ALL), the streams will overflow and produce exception 
conditions. If the input streams are sampled streams (any other triggering condition), then some 
of the input data will be lost under over-load conditions, and the system will process as many of 
the input values as it can. These responses reflect the difference between the semantics of the two 
types of streams, and are reasonable from a localized point of view. However, neither alternative 
quite captures the most common system-level goal for critical embedded systems: under overload 
conditions, there should be some way to selectively abort the least important transactions. This 
is considered further in Section 3.2. 
3.1.3. Periodic operators: period and finish within. Operators triggered by temporal events are 
periodic in PSDL. The timing constraints associated with a periodic operator are defined by its 
period and its response time. The period and the r.esponse time of an operator depend on the 
context in which the operator is used. The period (PERIOD attribute) and the response time 
(FINISH WITHIN attribute) are defined in PSDL as part of the set of timing constraints T(o) 
associated with an operator o by a PSDL decomposition. Copies of the same operator appearing 
in different contexts can have different periods and response times. 
The period of an operator is the length of time between successive activations, as defined in the 
previous section. The differences between sporadic operators and periodic operators are that the 
period of a periodic operator is fixed and the activation events are defined based on the absolute 
time, but the period of a sporadic operator can vary and the activation events are defined based 
on the arrival of input data. An activation of a periodic operator is the earliest time at which a 
particular firing of the operator can begin. The response time associated with a periodic operator 
88 LUQI 
is an upper bound on the duration of the interval between each activation of the operator and the 
time that that corresponding firing of the operator is completed. The FINISH_ WITHIN attribute 
of a periodic operator is analogous to the MAXIMUM_RESPONSE_ TIME attribute of a sporadic 
operator. 
Periodic operators are activated at regular, predictable intervals: the time between one activation 
and the next is always exactly equal to the specified period. However, note that there is a distinction 
between the activation time and the starting time. Since the activation time is just a lower bound 
on the starting time, there can be a delay between the activation time, when firing is enabled, and 
the starting time, when firing actually begins. This delay, which is controlled by the scheduler, 
cannot exceed the bound (finish_within-maximum_execution_time). This bound is called the slack 
of the operator. 
The absolute times of all the activations of a periodic operator and the corresponding deadlines 
are determined by the time of the first activation as follows. 
activation_time(i) = activation_time(O) + i * period 
deadline(i) = activation_time(i) + finish_within 
The time of the first activation is not specified by the designer, but is determined implicitly via the 
following relations and the dataflow precedence constraints defined by the PSDL decomposition 
graphs. 
beginning_time ~ starting_time(O) = activation_time(O) ~ beginning_time + period 
Beginning_time is the time the first operator executed by the system begins to fire. The first 
activation time of a periodic operator in PSDL is by definition the same as the time the first firing 
of the operator actually begins. The static scheduler is free to choose the starting time for the first 
firing of the operator, subject to the constraint that the delay between the system's beginning time 
and the first starting time for the operator may not exceed the period of the operator. This choice 
determines the activation times and deadlines for all subsequent firings of the operator. 
3.1.4. Precedence constraints. Schedules for time-critical operators are influenced by the dataflow 
relations associated with each PSDL program. These dataflow relations affect the semantics of 
periodic operators, and determine the conditions under which the implementation of a composite 
operator can be pipelined in multi-processor target architectures. The dataflow precedence 
constraints associated with a PSDL program are defined as follows. 
Root Operator 
An operator is a root operator of a PSDL program if it has a specification in the program but 
it does not appear as a component in any of the decomposition graphs in the program. In a well 
formed PSDL program every root operator has no input streams or output streams, and has a 
closed decomposition graph. If this is not the case, the designer must add a higher level root 
operator that provides a decomposition graph connecting all the previous root nodes with input 
or output streams, and may have to add operators representing sources or destinations for the 
external streams of the previous root operator if the original program does not contain such 
operators. Such additional operators model the external data sources and destinations for the 
proposed software system. Root operators represent independent subsystems that must share the 
same hardware. Typically a PSDL program will have a single root operator. 
Global Data.flow Graph 
The global dataflow graph of a PSDL program expands and combines all of the PSDL 
decomposition graphs in the program according to the following construction. Start with the graph 
whose nodes are the root operators of the program, and which has no edges. The graph is expanded 
by repeatedly replacing a node representing a composite operator by the PSDL decomposition 
graph given in the implementation part of the operator. The edges attached to the composite 
operator are replaced by the corresponding external edges of its decomposition graph. The process 
stops when all of the nodes in the graph are atomic (i.e. are implemented by external references). 
The resulting graph is the global dataflow graph of the program. The intermediate graphs in this 
expansion process are called partial expansions of the global dataflow graph. 






~ .. c6-J 
V W 
A2 
(b) Global dataflow graph 
(c) Global precedence graph 
Fig. 3. Decompositions and precedence graphs. 
Global Precedence Graph 
The global precedence graph of a PSDL program is constructed from the global dataflow graph 
by removing all of the edges representing state variables, and taking the transitive closure. State 
variables are distinguished via declarations in the PSDL program, which must also provide initial 
values for the state variables. The global precedence graph should be acyclic. If it is not, the PSDL 
program is not well formed, and the designer must add some state variable declarations. 
The above concepts are ilfustrated in Fig. 3. The decompositions of the root operator and its 
component A are shown in Fig. 3 (a), the corresponding global dataflow graph is shown in 
Fig. 3 (b), and the global precedence graph is shown in Fig. 3 (c), under the assumption that the 
data streams y and v are declared to be state V?,riables. 
Precedence Constraints for Periodic Operators 
If o 1 and o2 are periodic operators, then instance i 1 of- o I precedes instance i2 of o2, written 
(ol, il)<(o2, i2), if and only ifthere is an edge from ol to o2 in the global precedence graph and 
ii* period(ol)=i2 * period(o2). The purpose of the second constraint is to define corresponding 
synchronization points for the operators, as explained below. 
Implied Scheduling Constraints for Periodic Operators 
If ( o 1, i 1) < ( o2, i2) then instance i I of operator o I must complete firing before instance i2 of 
operator o2 can start firing, and instance i2 of operator o2 must read its inputs before instance 
il + 1 of operator o 1 can start firing. The purpose of this constraint is to all,ow the instance ( o2, 










(a, 0) < (b, 0), (a, 1) < (b, 1), (a, 2) < (b, 2), ... 
(a, 0) < (b, 0), (a, 3) < (b, 2), (a, 6) < (b, 4), .. . 
(a, 0) < (b, 0), (a, 2) < (b, 1), (a, 4) < (b, 2), .. . 
Fig. 4. Synchronization points for connected periodic operators. 
90 LUQI 
-0-
(a) An atomic operator without states 
(b) Decomposition of A by the scheduler 
P1 arO acO awO ar3 aw3 
P2 ar1 
P3 ar2 aw2 ar5 ____ __._ __,_ ____ _._ _ __,_ _ _._ ____ _,.. 
(c) A Three-processor pipelined schedule 
Fig. 5. Pipeline sequencing for an atomic operator. 
ensure the output of ( o 1, i l) has been produced before it is used by ( o2, i2), and the second 
constraint is needed to ensure that the output of (ol, il) is not over-written by the output of (ol, 
il + 1) before it can be read by (o2, i2). When such a dataflow relation is guaranteed between two 
instances of periodic operators, we say that the two instances are synchronized. The PSDL 
scheduling policy guarantees that the first instances of any two periodic operators connected by 
the global precedence graph must be synchronized, and that subsequent instances are synchronized 
at intervals corresponding to the least common multiple of the periods of the two operators. In 
particular, if both operators have the same period, then they are synchronized for every pair of 
corresponding instances. This is illustrated in Fig. 4. In distributed architectures, if two synchro-
nized instances of periodic operators are allocated to different processors then the scheduler must 
provide an additional time slot between their execution intervals sufficient to account for any 
possible interprocessor communication delays. 
Pipelining 
A time-critical operator whose period or minimum period is less than its maximum execution 
time can be realized only if it can be piplined (more than one instance of the operator can be firing 
at the same time). A PSDL operator can be pipelined if and only if the operator does not appear 
on a cycle in any partial expansion of the global dataflow graph defined above, and the operator 
has independent sub-computations. Since the substructure of atomic operators is unknown, PSDL 
assumes atomic operations have independent subcomputations if and only if they do not have 
internal states (i.e. if they do not have a ST A TES declaration in the specification part). A composite 
operator has independent subcomputations if and only if all of the components in its PSDL 
decomposition graph do not belong to a single cycle. 
If an operator can be piplined then successive executions of the operator can overlap in the 
schedule, provided that the sequence of successive output values corresponds to the sequence of 
input values. Some care in scheduling is necessary because PSDL operators do not have lower 
bounds on their execution times. Consequently, the stream input operations at the beginning of 
the firing sequence for an operator, the computation in the middle, and the stream output 
operations at the end of a firing sequence must be separated in a pipelined schedule to ensure the 
Real-time constraints 91 
(a) A Composite operator without external feedback 
(b) Decomposition by the scheduler 
P1 arO acO 
P2 bro 
(c) A Maximally-compressed pipelined schedule 
Fig. 6. Pipelining a composite operator with internal states. 
sequencing constraints are met. The decomposition performed by the scheduler and the schedule 
for a shared-memory target architecture with three processors is illustrated in Fig. 5. The 
assumption of a shared-memory configuration is interpreted to mean that interprocessor communi-
cation delays are zero. The ordering constraints between the events are shown as arrows in the 
timing diagram. For example, if the computation acl finishes early, then a gap in the schedule is 
created because the output process awl must wait for aw0 to complete. This gap is utilized by the 
dynamic scheduler for the execution of non-time-critical operators. 
If an operator appears in a cycle of the dataflow graph, then there is a dependency between the 
input values of an instance of the operator and the output values of the previous instance. In such 
a case, each firing of the operator must not start until the previous firing of the operator has 
completed firing, to avoid losing data. Operators that are part of a cycle in the dataflow graph are 
part of the implementation of a state machine, and the above scheduling constraint is needed to 
avoid losing updates to the state of the machine. This is the weakest constraint on the concurrency 
of a pipelined implementation that will guarantee the integrity of the machine state. The semantics 
of PSDL has been designed to seek such weakest restrictions, because implementations with the 
maximum allowable concurrency may be necessary to realize critical systems with tight real-time 
constraints. 
The semantics of PSDL allows executions of different subcomponents to overlap with each other 
even if the subcomponents are state machines. This is illustrated in Fig. 6. The ordering constraints 
due to the cycles associated with subcomponents a and b are shown by the arrows connecting 
activities aw(i) to ar(i + 1) and bw(i) to br(i + 1). The dataflow ordering constraints needed to avoid 
loss of data are shown by the arrows from aw(i) to br(i) and from br(i) to aw(i + I). In particular 
the arrow from brO to awl illustrates why the scheduler must separate the IO actions from the 
computations: unless the scheduler can establish that br(i) can never take longer than ar(i + I), it 
cannot overlap the activities b(i) and a(i + I) without decomposing them. As in the previous 
example, a gap in the schedule may be left for the dynamic scheduler if ac(i) finishes early, which 
is particularly likely if there is an input-guard control constraint associated with the operator a. 
The dataflow ordering constraints are implied by the precedence relations defined above if a and 
b are periodic. Absence of data loss is guaranteed only if a and b have the same period, which 
corresponds to the most common case as well as to the schedule shown. If the periods of a and 
b are different, then absence of data loss is guaranteed only at the synchronization points. Such 
CL 18/2-B 
92 LUQI 
~ o @@@4 X1 y1 P1: ... 
x2~y
2 P2: 02 1 o2 11 02 I o2 ... 
s2 
x3 o3 y3 P3: o3 o3 .. 
~ X4 y4 
Fig. 7. Mutual exclusion of operators affecting a common state variable. 
a design is plausible in the case where the period of bis a multiple of a, if a represents an iterative 
approximation calculation that must loop a fixed number of times for each invocation of the 
composite operator. If either or both of a and b are sporadic, then the above dataflow ordering 
constraints represent extra constraints that the scheduler must obey because of its choice of a 
pipelined implementation. 
Mutual Exclusion 
PSDL also enforces the following mutual exclusion constraint: for any two distinct atomic 
operators a and b on the same cycle of the global dataflow graph, b cannot be activated until all 
prior activations of a have been completed. The motivation for this constraint is avoiding loss of 
state information. The constraint is similar to the pipelining constraint, except that it defines the 
conditions under which firings of two distinct operators can overlap, rather than two firings of the 
same operator. There are some slight differences, however. PSDL assumes that the states of two 
different atomic operators are independent of each other, so that two distinct atomic operators 
never exclude each other based on internal considerations, although they may do so because of 
the constraints introduced by the global dataflow graph. Note that the constraint does not apply 
to composite operators, but only to the atomic subcomponents of those composite operators. Two 
composite operators arc not necessarily subject to a mutual exclusi0n restriction as a whole, because 
they can contain subcomponents that are not on a common cycle, and such subcomponents can 
overlap without loss of state inform_ation. 
The above mutual exclusion constraint does not require all of the operations of a state machine 
to be mutually exclusive. The effects of the PSDL mutual exclusion constraints are illustrated in 
Fig. 7, assuming the operations 01, 02, 03 and 04 are atomic components. Note that the state 
variables s I and s2 do not introduce any precedence constraints due to the precedence rules for 
periodic operators, because the edges due to state variables are removed from the global dataflow 
graph to construct the global precedence graph. The operators o 1 and o2 can overlap because they 
operate on independent state variables, and similarly for o I and o3, o2 and o4, and o3 and o4. 
The operators o2 and o3 can overlap because they do not update the same state variable, even 
though they read the same state variable. The operators o 1 and o4 must be mutually exclusive 
because they both read and write the common state variable sl. The common cycle ol-+sl-+o2 
-+sl-+ol is not shown graphically in the figure to avoid cluttering the diagram, and is implied 
because two of the arcs carry the same label s 1. The arrows in the three-processor schedule show 
the ordering constraints due to the mutual exclusion requirements. 
3.1.5. Timers. Durational constraints are represented in PSDL using timers [3]. Timers are 
software stopwatches that are used to measure cumulative durations of states in PSDL. The values 
of timers can be used in PSDL control constraints to determine the triggering conditions of 
operators. 
3.2. Advanced real-time constructs 
Timing constraints on streams. To express the behavior of distributed systems, PSDL has been 
extended to define optional LATENCY and MINIMUM PERIOD attributes. The latency of a 
stream is an upper bound on the duration of the time interval between the instant a data value 
is written into a stream and the instant that data value becomes available for reading from the 







Fig. 8. PSDL importance declaration. 
93 
successive write events on the stream. In the absence of explicit specifications, both the latency and 
the minimum period of a stream have the default value zero (no delay, unbounded data rate). The 
purpose of these additional constraints is to declare communication constraints due to hardware 
limitations imposed by external constraints on how the software functions must be allocated to 
different physical nodes of a distributed system. Explicit modeling of these constraints is sometimes 
also required to ensure feasibility, because the latency affects calculations of time budgets and 
maximum execution times for composite operators. The meaning of these constraints is that data 
cannot be read from a stream until a delay equal to the latency has elapsed, and that data cannot 
be written into a stream until the minimum period has elapsed. The latencies and minimum periods 
declared in PSDL are requirements that constrain an•implementation and the scheduler, rather than 
properties of a particular implementation. Additional constraints on latencies and minimum 
periods due to hardware constraints and resource allocations in a particular implementation are 
calculated by the scheduler and provided as feedback to the designer. 
Critical operators and streams. In order to distinguish between absolute guarantees of service, 
and guarantees relative to available computing resources, we introduce the concept of critical 
operators and data streams. Critical operators and streams are subject to total correctness 
requirements: the activations of the operator or stream must terminate in a state meeting the 
associated constraints, including both functional specifications and constraints. This implies an 
absolute guarantee of service under worst-case load conditions. Operators and streams without a 
critical declaration are non-critical. Non-critical operators and streams are subject to partial 
correctness requirements: the associated postconditions must be met whenever an activation 
terminates, but such termination is not guaranteed. 
Non-critical activities can be aborted under overload conditions. In particular, non-critical 
operators with deadlines must not produce any results if they cannot complete firing before 
the deadline. It is a goal of the schedulers to avoid wasting resources on partially executing 
such opera'tors if it is known they cannot complete on time. Similarly, a non-critical stream with 
a latency must discard values if they cannot be transmitted on time, and it is a goal of a network 
control system to avoid wasting channel capacity on messages that cannot be delivered on time. 
We believe that the concept of "hon-criticalness" for operators and streams provides a precise 
definition for "soft" real-time constraints that is useful in the context · of embedded software 
systems. 
Overload resolution: the importance attribute. We extend PSDL with an IMPORTANCE 
attribute to specify overload resolution policies: under conditions where all of the real-time 
constraints cannot be met, the least important activities must be canceled until the real-time 
constraints of the remaining activities can be met. This attribute has a meaning only under overload, 
which occurs whenever at least one of the declared minimum period constraints is violated. In the 
absence of overload conditions, an implementation must guarantee that all of the critical and 
non-critical realtime constraints are met. The concept of importance provides a basis for dynamic 
scheduling of operators with soft real-time constraints, and provides a simple way to define 
overload resolution policies as a consistent refinement of a prototype description that is decoupled 
from the specifications for the system requirements with respect to normal operating conditions. 
There has been a substantial amount of effort to develop more flexible scheduling methods that 
can respond to overload conditions in reasonable ways [30, 31]. 
The importance attribute can be represented by a partial ordering of the operators and streams 
with real-time constraints. The critical operators and streams are the maximal elements in this 
oi;dering. The importance ordering is represented in PSDL as illustrated in Fig. 8. The most 
important operators are listed first, and groups of operators that have equal importance are 
separated by semicolons. The critical operators are therefore ol, o2 and o3. The operator o4 has 
94 LUQI 
the next higher importance, and operators o5 and 06 share the third importance level. To keep 
the declarations short, PSDL adopts the following conventions. 
(1) The importance of each component of a composite operator is the same as the importance 
of the composite operator, unless explicity declared otherwise. 
(2) The importance of any operator that is not explicitly listed is less than the importance of any 
of the operators listed, unless the explicit declarations together with the above rule imply 
otherwise. 
(3) The importance of any operator with a real-time constraint is higher than the importance of 
any operator without any real-time constraints, unless the explicit declarations together with 
the above rules imply otherwise. 
( 4) The importance of any two operators connected by a dataflow stream (TRIGGERED BY 
ALL) must be the same. 
(5) The importance of a stream is equal to the highest importance level of any of the operators 
directly connected to the stream. 
(6) The importance of two operators or streams is equal unless an ordering is defined by the 
explicit declarations and the above rules. 
3.3. Feasibility model for real-time constraints 
PSDL is deliberately decoupled from the hardware model, and the semantics of the language 
is independent of such a model. However, the feasibility of real-time constraints cannot be 
completely separated from the architecture and characteristics of the hardware system on which 
the proposed system will run. In particular, methods for static scheduling are strongly influenced 
by the hardware model. 
Computer-aided analysis of feasibility can help to determine hardware requirements based on 
the software requirements, or to adjust software ·requirements to match external hardware 
constraints. In the first case, the static scheduler should determine the parameters of a minimal 
system configuratiqn on which the hard real-time constraints are feasible, and in the second case 
it should determine whether the real-time constraints are feasible with respect to a given set of 
hardware parameters. 
PSDL was designed to be combined with a series of increasingly detailed hardware models as 
more sophisticated scheduling tools become available. This was done because at the current state 
of the art real-time scheduling is not completely understood, and additional research is needed to 
determine the best approaches for achieving good hardware utilization within practical limits on 
the computation time and space that can be spent on resource allocation prior to execution. All 
of the hardware models associated with PSDL are based on the following assumptions. 
(1) The speed of a processor is independent of the type of program it is executing. 
(2) The entire capacity of the hardware is available for critical real-time computations. 
(3) The capacity of the hardware configuration is known before execution begins and does not 
change with time. 
The first assumption lets us treat the maximum execution time of a module as a property of the 
software alone, enabling performance analysis of the software that is independent of the target 
architecture. We use a single scaling parameter representing the processor speed to reflect 
differences between processor types. The product of the processor speed parameter and the PSDL 
maximum execution time provides an upper bound on the actual amount of CPU time required 
to execute a PSDL operator in each hardware configuration. The exact execution speed of a 
program on a particular processor depends on the relative frequency of different types of machine 
instructions the program executes. Our resource model provides a conservative approximation to 
processor capacity relative to an arbitrary set of benchmark execution times for each primitive 
construct of the programming language underlying PSDL (i.e. Ada for the initial version of CAPS). 
The processor speed factor relative to these benchmarks is determined for each combination of 
compiler/target hardware by taking the maximum of the ratios between the worst case execution 
time provided by the actual compiler/ha~dware and the benchmark execution time of each primitive 
construct in the underlying programming language. This approximation characterizes the execution 
Real-time constraints 95 
time on a compiler/hardware configuration for the worst-case instruction mix, so that actual 
execution times are guaranteed to be at least as fast as the worst-case estimates. We consider the 
compiler together with the hardware configu'ration to allow the processor speed parameter to be 
sensitive to the patterns of machine code generated by the compiler for each programming language 
construct. 
When a prototype is used to evaluate the real-time behavior of a proposed design, the intent is 
to do this relative to the target hardware for the proposed system. Usually the target hardware 
will be considerably different from the hardware configuration hosting the CAPS system. We use 
a conservative assumption and the processor speed factor defined above to bridge this gap for the 
case where the target hardware consists of a single processor: "real-time" for the proposed system 
relative to its target architecture is the .real time duration observed during prototype execution 
multiplied by the processor speed factor of the target hardware configuration relative to the 
hardware configuration used by the CAPS system. 
The easiest way to determine a set of benchmark execution times for each language construct 
is to use worst-case execution times for the particular combination of compiler and target hardware 
used to host the CAPS system, if this configuration is fixed. Our initial version of CAPS takes this 
approach because it is easy to implement. However, this approach can result in underutilization 
of available processing power if a proposed software system must be evaluated relative to a variety 
of different processors. We can reduce this effect by constructing a set of synthetic benchmark 
execution times based on expected execution frequencies of the language constructs and the actual 
execution times provided by a set of common processors if the effect turns out to be a significant 
factor. The advantage of using a synthetic set of benchmarks as a timing standard is better potential 
utilization of the hardware, and the corresponding disadvantage is a more complicated procedure 
for determining the maximum execution time of a program relative to the synthetic benchmark 
execution times. The above discussion assumes that the target architecture can vary, but the 
architecture of the host environment for CAPS is fixed. If it becomes necessary to consider multiple 
host environments as well, then the real-time ~caling factor for prototype execution must be the 
ratio between the worst-case processor speed of the target hardware relative to the synthetic 
benchmarks (maximum time ratio over the benchmark language constructs) and the best-case 
processor speed factor of the CAPS host hardware relative to the synthetic benchmarks (minimum 
time ratio over the benchmark language constructs). This will result in safe but possibly pessimistic 
assessments of feasibility. In cases where it is necessary to get the maximum possible utilization 
of the target architecture, it may be necessary to match the host architecture for CAPS to the target 
architecture for the proposed software system (i.e. choose a host architecture so that its vector of 
benchmark execution times is nearly proportional to the benchmark vector of the target 
architecture). CAPS has been designed to be portable to help make this feasible. Related goals of 
the prototyping effort are to assess the feasibility of a proposed set of timing constraints relative 
to a set of competing choices for a target architecture with sufficient accuracy for an initial 
evaluation, and to help identify the tight spots so that the implementors will know where to focus 
their optimization efforts for the final version. 
Our second assumption is needed to precisely characterize available resources. This assumption 
can be met either by dedicating the hardware entirely to the real-time system, or by ensuring that 
the priorities of all other applications and all operating system functions are lower than the 
priorities of the real-time computations. This includes the function of handling page faults, and 
implies that either the hardware must keep the code and data of the time-critical operations in main 
memory. at all times, or else that time-critical operators for loading overlays must be included in 
the PSDL model of the software and scheduled by the static scheduler along with all of the other 
time-critical operations. 
The third assumption is a temporary one that is needed to make progress. In real systems with 
multiple processors and communication links can fail, failed components can be repaired or 
replaced, and adq.itional components can be installed. The reconfiguration problem is to allow the 
software to continue to operate while such adjustments are made, and to minimize the impact of 
failing to meet real-time constraints while the reconfiguration is in progress. However, the problems 
in re-allocating resources when a system must operate in a reduced or enhanced hardware 
configuration are not significantly different than those of ~llocating resources for the initial 
96 LUQI 
configuration, and we believe the practical solutions for the static version of the problem are needed 
before it is useful to concentrate on the dynamic version. The new issue in reconfiguration is 
balancing effort spent on reallocation against the cost of reduced capabilities while the reconfigu-
ration is in progress. This may require automatic decisions about how to reduce the functionality 
of the software in cases where. the new hardware configuration does not have sufficient resources 
to meet all of the real-tim~ requirements. Such decisions can be based on the importance levels 
declared in the PSDL prototype. 
The series of hardware models associated with PSDL is characterized by increasingly detailed 
sets of parameters. The simplest hardware model in this series is a single processor, which is 
characterized by a single parameter: the processor speed. The initial prototype version of CAPS 
was based on this assumption. 
The next most sophisticated model is a set of identical processors. This model is characterized 
by two parameters: the processor speed and the number of processors. Current work on CAPS has 
addressed tools for scheduling PSDL programs relative to this model [4, 5]. This model assumes 
that interprocessor communications have zero delay, which is reasonable for shared-memory 
multiprocessors, but not for loosely coupled sets of independent processors connected by local area 
networks. 
The next refinement adds a third parameter, the worst-case delay associated with the communi-
cation between any two different processors. This model provides the simplest view of distributed 
target archite~tures. Conceptual"studies of CAPS tools for this model are under way. However, 
this model is insensitive to ·possible variations in the communication delays between different 
processors, and may result in underutilization of distributed machines for which these variations 
are significant. 
Our most refined hardware model allows different processor speeds for different processors and 
different latencies and data rates for links between different pairs of processors. This model is 
characterized by a vector of processor speeds, a matrix of latencies for communication, and a 
matrix of maximum data rates. The scheduling problems associated with this model are largely 
unexplored, but there is reason to believe that finding optimal solutions with respect to this model 
is computationally complex and that optimal solutions are tractable only for very small problems, 
One goal of our current research is to determine whether fast heuristic methods for determining 
good but non-optimal solutions relative to this model can utilize the hardware more efficiently than 
optimal solutions relative to more tractable but less accurate hardware models. A positive result 
appears likely because fast heuristic methods are known for some categories of real-time scheduling 
problems [32]. 
4. EXAMPLE 
This section presents an example to illustrate the application of PSDL to the design of real-time 
systems. The example we have chosen is a cruise control system for a car. The root operator for 
this example is shown in Fig. 9. The cruise control system has only one root operator. The 
decomposition shown in the implementation part of the root operator corresponds to the context 
diagram of the requirements for the proposed software system, which is called cruise_control. We 
have included operators for simulating the external systems, which include two window operators 
that provide a ·means for the designer to interactively control the environment of the cruise control 
system during prototype execution. 
The initial domain model implicit in the PSDL decomposition is that the speed of the car depends 
only on the throttle setting and the slope of the road (potentially including both current values and 
the sequence of past values for these quantities). This is a rough approximation because effects of 
wind speed, payload in the car, and other factors that could potentially affect the amount of power 
required to propel the car have not been included. The analyst decides that one parameter 
representing external factors affecting the connection between the throttle setting and the speed is 
sufficient to provide rapid feedback about the effectiveness of various control algorithms, and that 
a more accurate motion model can wait until the design has become more definite, and questions 
about the achievable accuracy in the speed control are posed. The prototype designer also notes 




STATES speed: real INITIALLY 0.0 
DESCRIPTION 
{Root node of a prototype cruise control system 















STREAMS accelerator, throttle, slope: real, 
set, brake, resume: boolean 
CONTROL CONSTRAINTS 
OPERATOR Cruise_control 
PERIOD 100 ms FINISH WITHIN 100 ms 
OPERATOR Motion_model 
PERIOD 100 ms FINISH WITHIN 100 ms 
END 
Fig. 9. Root operator of the cruise control system. 
97 
accuracy of the motion model, bec8:use customers are unlikely to want to pay the cost of additional 
sensors for detecting these factors just to gain small improvements in the accuracy of the cruise 
control. 
The state model in the specification part is used to document a conceptual model of the state 
of the system. In the example, the state of the entire system is the speed of the car, and this state is 
used in describing the purpose of the system. The conceptual state model defined in the specification 
part can be used in both formal and informal descriptions of the intended behavior of the system 
and it can also be used in the implementation, but it does not necessarily determine the internal 
structure of the implementation. To speed up the prototyping process, the state model in the 
specification part is assumed to be visible in the implementation part, but the state model can be 
explicitly redefined or extended in the implementation. This avoids unnecessary duplication of work: 
if the implementation is directly based on the same conceptual model as the abstract specification, as 
is usually the case in the initial version of the prototype, then the same declaration can be used for 
two different purposes. It is also important to note that the conceptual state model in the specification 
part is independent of the state model in the implementation pant. If it becomes necessary to propose 
a different encoding of the state model in the implementation part to meet performance goals, a 
new state declaration must be added in the implementation part, but the state model in the 
specification part need not be changed, as well as the descriptions and axioms based on the model. 
The initial version of the timing constraints is based on the capabilities of the speed sensor, which 
can. produce 10 readings a second. The initial purpose of the prototyping effort is to determine 
whether the available processing resources are sufficient to utilize all of the information that can 
be produced by the sensor, and to determine how accurately the speed of the car can be controlled 
if this is the case. Based on the results of this investigation, decisions may be made about possibly 
changing the type of sensor and/or processor hardware to be used, based on cost/performance 
tradeoffs. 
The analyst has the initial goal of achieving the most accurate control possible with the given 
sensor technology. This indicates that the speed sensor should be polled periodically at its 
98 LUQI 
OPERATOR environment window 
SPECIFICATION -




SP ECI Fl CATION 





INPUT slope, throttle, speed: real 
OUTPUT speed: real 
STATES speed : real INITIALLY 0.0 
MAXIMUM EXECUTION TIME 50 ms 
AXIOMS { new speed= old speed+ (throttle - slope)* 0.1} 
END 
Fig. 10. Specifications for subcomponents. 
maximum data rate, which leads to a period of 100 ms. The cruise_control and the motion_model 
are assigned the corresponding real-time constraints. Initially we use the default time budgets 
corresponding to the entire time available, by making the total of the maximum execution times 
of the time-critical operators equal to the period and making the total of their response times also 
equal to the period. The interactive windows do not have any real-time constraints. The 
computations associated with 'these windows will be scheduled by the dynamic scheduler in time 
intervals that are not used by the time-critical operators. 
Initial specification parts for subcomponents can be automatically derived from the decompo-
sition diagram, and augmented with additional semantic and timing constraints, as shown in 
Fig. 10. The two windows have the keyword "input_window" added by the designer. This keyword 
identifies a category of generic reusable components in the CAPS software base, and enables 
automatic retrieval and instantiation of these components. The analyst adds a simple axiom to the 
motion_model, which defines the intended behavior of the initial version. We are assuming that 
the throttle setting, the slope, and also the accelerator setting are represented in terms of the 
effective accelerations they produce. Operators whose behavior is defined by axioms can either be 
realized by manual implementation, or simulated directly. We are currently investigating several 
forms of axioms that can be simulated directly or can be automatically compiled into efficient code. 
The axiom in the example illustrates a situation in which this is possible. 
The analyst chooses to realize the cruise_control component via a PSDL decomposition, as 
shown in Fig. 11. The difference between the conceptual state model and implementation state 
model is illustrated in this example, where an output variable at the specification level (the throttle) 
becomes an additional state variable at the implementation level. 
The composite icon representing the components manuaLcontrol and automatic_control 
represents an implementation by case analysis. All of the components in such a composite icon have 
the same inputs and outputs by convention, thus helping to avoid diagrams cluttered with 
replicated arrows. An explicit representation of conditional groups also provides useful redundancy 
and guidance for the static scheduler. All of the component operators in a conditional group should 
have mutually exclusive input guards (enabled and not (enabled) in the example). This can be 
checked by the tools in a complete CAPS, and can be used to generate the guard condition 
associated with the last case automatically. The scheduler can use the information that the 
operators in a conditional group are mutually exclusive to schedule them all in the same time slot. 
This is the time-allocation analog to the usual technique used by compilers to allocate space for 
variant records: the time slot must be big enough to fit the largest of the alternatives (i.e. the 
maximum of the maximum execution times for all of the components in the conditional group). 
The maximum execution times for set_goaLspeed, give_up_control, and resume_control are 
assigned to be 1 ms each because the designer knows these operators do not do very much. These 
OPERATOR cruise_control 
SPECI Fl CATION 
Real-time constraints 
INPUT speed, accelerator: real, set, brake, resume: boolean 
OUTPUT throttle: real 
STATES goal_speed: real, enabled: boolean INITIALLY 0.0, false 
MAXIMUM EXECUTION TIME 50 ms 
DESCRIPTION 
{ The purpose of the cruise control is to set the throttle 
























OPERATOR automatic_control TRIGGERED IF enabled 
PERIOD 100 ms FINISH WITHIN 100 ms 
OPERATOR manual_control TRIGGERED IF not(enabled) 
PERIOD 100 ms FINISH WITHIN 100 ms 
OPERATOR set_goal_speed TRIGGERED BY ALL set IF set 
MAXIMUM RESPONSE TIME 100 ms MINIMUM PERIOD 1 sec 
OPERATOR give_up_control TRIGGERED BY ALL brake IF brake 
MAXIMUM RESPONSE TIME 1ms MINIMUM PERIOD 1 sec 
BY REQUIREMENTS safety requirement 
OPERATOR resume control TRIGGERED BY ALL resume IF resume 
MAXIMUM RESPONSE TIME 100 ms MINIMUM PERIOD 1 sec 
END 
Fig. 11. Decomposition of the cruise control. 
99 
operators are sporadic because they are triggered by external control signals that can arrive at 
unpredictable times. The maximum response times are set so that the effects of a control signal 
will be seen after no more than two periods, with the exception of the give_up_control operator, 
which has an associated safety requirement, and hence is given a tight maximum response time to 
ensure the effect will be seen in the very next period. The safety requirement says the cruise control 
must disengage as soon as the driver hits the brake. The minimum periods are determined by the 
analyst based on the expected behavior of the driver, who will not repeatedly brake and then resume 
the cruise control faster than once per second under any expected operating condition. The response 
times rather than the data rates dominate the real-time requirements for this system. 
Since the sporadic operators have a TRIGGERED BY ALL triggering condition, the input 
streams set, brake, and resume will be dataflow streams, guaranteeing that none of the signals are 
lost, even if they are present only for a short period of time. Such a situation could lead to stream 
overflow exceptions if the actual time between successive inputs was ever less than the period of the 
consumer operator, in this case 100 ms. The minimum period associated with the sporadic operators 
is well above this limit, leading the analyst to conclude that there is unlikely to be a problem. 
The specifications for the components of the cruise_control operator are shown in Fig. 12. The 





INPUT accelerator, speed, goal_speed, throttle: real, 
enabled: boolean 
OUTPUT throttle: real 
MAXIMUM EXECUTION TIME 46 ms 




INPUT accelerator, speed, goal_speed, throttle: real, 
enabled: boolean 
OUTPUT throttle: real 
MAXIMUM EXECUTION TIME 46 ms 




INPUT speed: real, set: boolean 
OUTPUT goal_speed: real, enabled: boolean 
MAXIMUM EXECUTION TIME 1 ms 




INPUT brake: boolean 
OUTPUT enabled: boolean 
MAXIMUM EXECUTION TIME 1 ms 
AXIOMS (enabled= false} 
END 
OPERATOR resume control 
SPECIFICATION -
INPUT resume: boolean 
OUTPUT enabled: boolean 
MAXIMUM EXECUTION TIME 1 ms 
AXIOMS ( enabled = true } 
END 
Fig. 12. Specifications for components of cruise control. 
Note that the specified maximum execution times of manuaLcontrol and automatic_control are 
a little less than the corresponding times in the PSDL decomposition shown in Fig. 11 to account 
for overhead associated with stream IO and input guards. 
The behaviors of the specified components are captured by the axioms, which convey enough 
information for implementation. We have provided a simple initial control strategy in the axioms 
associated with the automatic_control operator that attempts to correct any observed difference 
between observed speed and the goal speed within 30 seconds. We expect this part of the prototype 
to be subject to frequent adjustments as alternative designs for the cruise control are explored. The 
outputs of give_up_control and resume_control can be specified as constants because the outputs 
are produced only when the operators are triggered by new input data representing a positive 
control signal. The results of the most recent firing persist because enabled is a sampled stream 
(due to the triggering conditions associated with manuaLcontrol and automatic_control). 
It would at first appear that whenever a sporadic operator has its maximum response time equal 
to the maximum execution time, the static scheduler must allocate all of the CPU time of a 
processor to the operator, since there is no slack between an unpredictable activation time and the 
time the operator must begin execution. The example illustrates a situation in which this is not so: 
the give_up_control operator is sporadic and satisfies the conditions outlined above. However, the 
output of give_up_control is a sampled stream which is used only by the manuaLcontrol and 
Real-time constraints 
d 
0 1 2 3 
a = set_goal_speed 
b = give_up_control 
c = resume_control 
50 
e 
d = manual control or automatic control 
e = motion_.=-model -




automatic_control operators, both of which are periodic. Delays in the response of give_up_control 
cannot affect the behavior of the system unless they extend past the activation times of the periodic 
operators manuaLcontrol and automatic~control. A valid schedule can have longer delays than 
the specified maximum response time as long as the externally observable behavior of the system 
is exactly the same as if the maximum response time constraints were met at all times. Due to the 
semantics of a sampled stream, if the value in the stream is updated several times before it is read, 
then the value read is the most recent of the values written, so that write operations before the 
last one just before a read operation can be omitted without affecting the value read from the stream 
by the consumer operator. If the read operations are performeg by a periodic operator, then they 
can be predicted by the scheduler, and unnecessary write operatiops can be identified and left out. 
Consequently, it is sufficient to schedule an instance of give_up_control just before each firing of 
manuaLcontrol and automatic....,control. 
This optimization can be viewed as a transformation of a sporadic operator into an equivalent 
periodic operator. The transformation is applicable whenever the sporadic operator has a 
TRIGGERED BY ALL triggering conditions, the outputs of the sporadic operator are sampled 
streams, and all of the consumer operators for the outputs of the sporadic operator are periodic. 
The period of the transformed operator can be taken to be the greatest common divisor of the 
periods of all the consumer operators, regardless of the maximum response time and minimum 
period associated with the original sporadic operator. This period can be much longer than the 
period defined by the standard construction of an equivalent periodic operator, which is 
min(maximum_response_time maximum_execution_time, minimum_period). The precedence con-
straints associated with PSDL will ensure that there is no dat~ loss in such a situation, ensuring 
that the periodic operators will see the same sequence of input values as they would in a schedule 
where the maximum response time constraints are always met. A possible schedule for this system 
is shown in Fig. 13. This schedule shows that the proposed system should be feasible on a hardware 
configuration with a single processor. 
5. CONCLUSIONS 
Rapid prototyping via PSDL offers the potential of serving as a valuable software development 
tool specifically for hard real-time systems. The protopying process is speeded up by automation 
and by reducing the conceptual burden of the analyst and prototype designer. PSDL has constructs 
for recording timing constraints, defining operator and data abstractions, and for specifying 
non-procedural control constraints. The most important aspects of real-time system design are 
enforcing maximum execution time, maximum response time, minimum period and data synchro-
nization constraints. 
This paper explains the semantics of the real-time constraints assoc{ated with PSDL in the 
context of target architectures that can have multiple processors. We have refined the previously 
defined semantics of the language, which was originally explained relative to the assumption of a 
single-processor implementation. In particular, we have characterized the maximum degree of 
concurrency consistent with the semantics of PSDL, and have identified the conditions under which 
PSDL operators can be piplined and those under which operations of PSDL state machines can 
be scheduled concurrently. We have also identified two new optimizations for constructing static 
schedules for PSDL. 
102 LUQI 
We present some refinements to PSDL for stating and exploring overload resolution require-
ments in real,.time systems. These mechanisms are needed because there are few absolute real-time 
constraints in realistic systems. Instead, these systems have multiple goals that cannot be realized 
perfectly with finite computing resources, because they are driven by unpredictable external events. 
A realistic design goal is thus to maximize the input rates for which the system can meet its timing 
constraints. PSDL supports a design and analysis strategy that separates the hard real-time 
constraints applicable under normal operating conditions from the policies determining required 
behavior under operational overload conditions. A PSDL prototype documents the timing 
constraints that must be met whenever the actual arrival rates for input data are less than the limits 
specified in the design, and the CAPS tools provide a means for guaranteeing a design meets all 
its timing constraints under these conditions. The overload resolution policies determine which of 
the timing constraints must be met when these limits are exceeded and the system cannot 
simultaneously meet all of its goals. 
CAPS is designed to be portable, and does not rely on special operating system interfaces to 
provide special real-time services, such as [33]. Instead, it compensates for weaknesses of Ada by 
careful use of a constrained subset of the language, and a dedicated host configuration with enough 
memory to avoid paging. 
This paper explains the set of hardware models associated in PSDL, and justifies the previously 
implicit assumption that the maximum execution time of a software module can be defined 
independently of the target hardware. We describe a method for adapting the results of a generic 
timing analysis to different hardware configurations. This method is safe, in the sense that the actual 
maximum execution time will not exceed the calculated one. This allows timing properties for 
reusable software components to be determined once, and then rapidly adapted to different 
hardware architectures to assess feasibility of proposed software systems in a variety of candidate 
hardware configurations. 
CAPS will provide software designers with an automated tool allowing validation of prototypes 
for hard real-time or embedded systems before extensive time and money are invested in production 
software. Additional research projects are currectly underway to conceptualize, implement and 
integrate the handling of timing constraints in rapid prototyping and make the computer-aided 
design of hard real-time systems feasible, practical and reliable. Each of the hardware models 
associated with PSDL defines a set of real-time scheduling problems. Many of these problems have 
not been addressed by previous work on real-time scheduling. Methods for preemptive scheduling 
appear to be more tractable than those for non-preemptive scheduling, since optimal polynomial-
time algorithms are known for several versions of the preemptive scheduling problem [34--39] but 
most non-preemptive scheduling problems are NP-hard [40]. However, many of the known results 
do not take overheads due to context switching and interprocessor communication into account 
and hence may not be directly applicable to practical systems. Additional research is needed in this 
area to enable automatic methods for allocating time in real-time systems to achieve hardware 
utilizations near the optimal limits. 
REFERENCES 
1. Luqi and Berzins, V. Rapidly prototyping real-time systems. IEEE Softw. S: 25-36; 1988. 
2. Luqi and Ketabchi, M. A computer aided prototyping system. IEEE Softw. 5, 2: 66-72; 1988. 
3. Luqi, Berzins, V. and Yeh, R. A prototyping language for real-time software. IEEE Trans. Softw. Eng. 14, 10: 
1409-1423; 1988. 
4. Cervantes, J. An optimal static scheduling algorithm for hard real-time systems specified in a prototyping language. 
M. S. Thesis, Computer Science, Naval Postgraduate School, Monterey, CA; 1989. 
5. Hsu, L Multiprocessor scheduling for hard real-time software. M. S. Thesis, Computer Science, Naval Postgraduate 
School, Monterey, CA; June 1990. 
6. Luqi, Handling timing constraints in rapid prototyping. In Proceedings of the 22nd Annual Hawaii International 
Conference on System Sciences, I:eEE Computer Society, 417-424; 1989. 
7. Berzins, V., Kopas, B., Luqi and Yehudai, A. Using transformations in specification-based prototyping, IEEE Trans. 
Softw. Eng. 18, 7; 1992. 
8. Faulk, S. and Parnas, D. On synchronization in hard-real-time systems. Comm. ACM 31, 3: 274-287; 1988. 
9. Berzins, V. and Luqi. Languages for specification, design and prototyping. In Handbook of Computer-Aided Software 
Engineering. Van Nostrand Reinhold; 1989. 
10. Heninger, K. L. Specifying software requirements for complex systems: new techniques and their applications. IEEE 
Trans. Softw. Eng. 6, 1: 2-12; 1980. 
Real-time constraints 103 
11. Chandrasekharan, M., Dasarathy, B. and Kishimoto, Z. "Requirements-based testing of real-time systems: modeling 
for testability'. IEEE Comput. 18, 4: 71-80; 1985. 
12. Jahanian, F. and Mok, A. Safety analysis of timing properties in real-time systems. IEEE Trans. Softw. Eng. 12, 9: 
890-904; 1986. 
13. Jahanian, F., Lee, R. and Mok, A. Semantics of modechart in real time logic. In Proceedings Hawaii International 
Conference on System Science, 479-489; 1988. 
14. Berzins, V. and Luqi. Software Engineering with Abstractions. Reading, MA: Addison-Wesley; 1991. 
15. Carlier, J. and Chretienne, P. Timed petri net schedules. In Advances in Pertri Nets 1988, pp. 62-84. Springer Verlag; 
1988. 
16. Zave, P. An operational approach to requirements specifications for embedded systems. IEEE Trans. Softw. Eng. 8, 3: 
250-269; 1982. 
17. Luqi. Knowledge base support for rapid prototyping. IEEE Expert 3, 4: 9-18; 1988. 
18. Janson, D. A static scheduler for hard real-time constraints in the computer aided prototyping system, M. S. Thesis, 
Computer Science, Naval Postgraduate School, Monterey, CA; 1988. 
19. Moffitt, C. Development of a language translater for a computer aided prototyping system. M. S. Thesis, Computer 
Science, Naval Postgraduate School, Monterey, CA; 1988. 
20. O'Hern, J. A conceptual design of a static scheduler for hard real-time systems. M. S. Thesis, Computer Science, Naval 
Postgraduate School, Monterey, CA; 1988. 
21. Haland, W. and Stoyenko, A. Constructing Predictable Real-Time Systems, Kluwer Academic Publishers; 1991. 
22. Klingerman, E. and Stoyenko, A. Real-time Euclid: a language for reliable real-time systems. IEEE Trans. Softw. Eng. 
12, 9: 941-949; 1986. 
23. Leinbaugh, D. Guaranteed response times in a hard real-time environment. IEEE Trans. Softw. Eng. 6, 1: 85-91; 1980. 
24. Stoyenko, A., Hamacher, V. and Holt, R. Analyzing hard real-time programs for guaranteed schdulability. IEEE Trans. 
on Softw. Eng. 17, 8: 737-750; 1991. 
25. Ishikawa, Y., Tokuda, H. and Mercer, C. Object-oriented real-time language design: constructs for timing constraints. 
S/GPLAN Not. 25, No. 10: 289-298; 1990. 
26. Grimshaw, A., Silberman, A. and Liu, J. Real-time mentat, a data-driven, object-oriented system. In Proceedings IEEE 
Globecom, pp. 141-147 IEEE; 1989. 
27. Lin, K. and Natarjan, S. Expressing and maintaining timing constraints in FLEX. In Proceedings Real-Time Systems 
Symposium, pp. 96--105 IEEE; 1988. 
28. Natarajan, S. and Lin, K. FLEX: towards flexible real-time programs. In Proceedings 1988 International Conference 
on Programming Languages, pp. 272-279 IEEE; 1988. 
29. Kraemer, B., Luqi and Berzins, V. Compositional semantics of a real-time prototyping language, IEEE Trans. Softw. 
Eng. 18, 8; 1992. 
30. Chung, J., Liu, J. and Lin K. Scheduling periodic jobs that allow imprecise results, IEEE Trans. Comp. 39: 1156--1174; 
1990. 
31. Stankovic, J. Decentralized decision making for task reallocation in a hard real-time system. IEEE Trans. Comput. 38, 
3: 341-355; 1989. 
32. Ramamritham K., Stankovic, J. and Shiah, P. O(n) scheduling algorithms for real-time multiprocessor systems. In 
Proceedings International Conference on Parallel Processing Systems; 1989. 
33. Baker, T. and Jeffay, K. Corset and lace adapting ada runtime support to real-time systems real-time tasks with 
preemption constraints. Proceedings Real-Time Systems Symposium, pp. 158-167 IEEE; 1987. 
34. Davari, S. and Dhall, S. An on line algorithm for real-time task allocation. In Proceedings IEEE Real-Time Systems 
Symposium, pp. 194-200. New Orleans: IEEE Computer Society; 1986. 
35. Dertouzos, M. and Mok, A. Multiprocessor on-line scheduling of hard real-time tasks, IEEE Trans. Softw. Eng. 15, 
12: 1497-1506; 1989. 
36. Jeffay, K. Analysis of a synchronization and scheduling discipline for real-time tasks with preemption constraints. In 
Proceedings Real-Time Systems Symposium, pp. 295-305 IEEE; 1989. 
37. Liu, C. and Layland, J. Scheduling algorithms for multiprogramming in a hard real-time environment, J. ACM 20, 
1: 46--61; 1973. 
38. Martel, C. "Preemptive scheduling with release times, deadlines and due times", J. ACM 29, 3: 812-829; 1982. 
39. Zhao, W., Ramamritham, K. and Stankovic J. Preemptive scheduling under time and resource constraints. IEEE Trans. 
Comput. 36, 8: 949-960; 1987. 
40. Chang S., Stankovic J. and Ramamritham K. Scheduling algorithms for hard real-time systems. In Tutorial on Hard 
Real-Time Systems, pp. 150-173. IEEE; 1988. 
About the Author-LUQI received her B.S. degree from Jilin University, China and her M.S. and Ph.D 
degrees in Computer Science from University of Minnesota, and is currently an associate professor at the 
Naval Postgraduate School. She worked on software research and development for the Science Academy 
of China, Computer Center at University of Minnesota and International Software Systems Inc., etc. Her 
research interests include rapid prototyping, real-time systems, specifications and software development 
tools. Her research is supported by the National Science Foundation and the Office of Naval Research. 
Her current address is NPS CS/Lq, Monterey, CA 93943. 
