Handling Timing Constraints in Rapid Prototyping by Luqi
Calhoun: The NPS Institutional Archive
Faculty and Researcher Publications Faculty and Researcher Publications
1989




HandEng Timing Constraints in Rapid PrdotJphg 
ABSTRACT 
This paper plseato the cuacep~~ and l"s for baodling 
the real-time c o "  of embedded software systems in rapid proto- 
typing. Rapid prototyping of embedded systems can be accomplished 
using a Canpurer Aided Prototyping System (CAPS) and its assodated 
aid the designer in the emiy stages of software engkuing for bard 
real-time system. Sucb systems contain time critical m o o s  with 
niaxhnum execution times, m b u m  respwse times, and minimum 
cpuing periods. iocermpt hading, syncbrolriution, md periodic 
behavim are as0 -bed at a high l ed .  Tine uitical gwratiom in 
a real-time prototype are bmdkd by c a m h a i n g  Strtic and dynamic 
scheduks to coordinrte execution and to meet the quired pmtotype 
execution times. The mechanisms for expressing timing c o n s t "  m 
PSDL are described along with their effects on the scbedukrs. 
Prototyping Language (PSDL). Tbis system and lmguagc are used to 
1. Introduction 
Rapid prototyping can be used to duce  the risks of pmducing sya- 
tems that do not meet usef naeds [IO]. Tnditionrt rpproacbcp to software 
d e v e l o p "  produce working code only near the end of the proo*rs. The 
goal of rapid prototypiag is to develop an executabk modd of the itllended 
system early in the development process. A prototype is UI pilot version of 
a proposeJ system used as m aid to analysis and design. The code of apro- 
totype usually amnot be used as tbe fioal hnplwneotatioa because it may 
not realize aU aspects of the inceoded system. when utilized during the 
early stages of the development life cycle, rapid pmtotypiq allows vaIida- 
tion of the tegairemaaS, speci6catiot1, and idtial design, before valuable 
time and effort nre expended on implementaton software. 
With the de"J for hard real-time md embedded systems inmasing 
and their panidarly strict r s g h e n t s  on accuracy, safety and reliability, 
it is becoming critical &at new approaches be proposed for the development 
of such systems since it cam be very d B c &  to detenninc the liming 
constraints accurately or to understpnd their impficntions, even lbougb they 
are the most impurrmt aspects of bard real-time sys" [4,13]. An embed 
ded software. sysem is paxl of some larger sysmn. wbich it mwltws mi 
cootrds. The rsqohemeog of erabedded systems typialty have timing 
corrstraints for &tical real-time cootrd and high reliability. lEe bmibUity 
of these sysam depends 011 the ability to realiee the timing comasnts 
@veri hr the requimnalts even me worst possible operatiog condi- 
tioas,becrw miss@ atinrfngcomtrPiatcancam catmop& failurea ir: 
such systems. ReqUirrneot, for large anbedded systems are diaBcult lo 
meet without extemIve.pmtotypiog. 
Soliwpn wgineers and end-usas would bentlit han an automated 
requirements eady in tbe dcvelopmnt lift cycle [13). A b t ,  efEcient, 
easy-use set of software tools would iocrease designer pmductivhy and 
a h  d o w  the user to &mom cwfideoa tbptthe fioal wham prodectis 
feesible. The computer aided DrorotyPine system is a set of softwam tools 
which provides these capabiiitieS [I I]. It impkments the rapid prototyping 
prototyping IlRrhodology for Validdng desi@ specikatioos and funcciooal 
concept utilizing a high level prototypiag language called PSDL [12]. This 
Inpage is designed for prototyping bard real-time and large software sys- 
temsandisbasdonthecoacegtualmodeliqgofsotllsystaas 
Tbis paper uses PSDL lls a vehick to d y m  llmingrspec*r of hud 
real-time systems and funher desuibes the feasible paths to bridling tbesc 
hard real-time constraints by means of exemtion a€ software pm 
taypes. The approach dexrkd  ben mltes  p"l validation of (be dm- 
ing owstraints in the replimnents ofhr rdru la ime system via rapid pro- 
totyping possible. We cwcedcllte 00 timing rppds hue. Behavioral 
m ihratiw pocess between 
and 
The 
designer then coustmcts a model or piot~ype ofthe system inPSDL. The 
prototype is a partial represeMatim of h e  sysnm, indud@ onty &se sit- 
i d  attributes nuwsary for mectiag user quhmus. md is used as M 
aid in analysis and design mtber thm w produdion software. Duting 
demomtratiom of the prototype, the user vrlidrtts the protype 's  r a d  
behavior agaiapt its expeued behavior. If the prototype fails to execute 
prqpedy or to meet my critical timing coasmirrts, the -r idcotifies 
speciscations based on feedbad EFOm the user (Fig. I). Tbis procesn con- 
tinues until the user and the desigoer both llpee W he protolypc success- 
M y  ws the lime critical aspects of (be quinmeng. This iterative com- 
munication process should result in a model that ultimately meets the 
intended requirements of the U=. Fbllowing this fiopl vdidation, the 
designer uses the prototype as a basis for the design and evemud hand d- 
iDg of the production software. 
A good modding strategy is important for making the rnpid prototyp- 
ing nppwach wolk for real-time systems. Systems csn be desigocd amd 
analyzed quickly only if they can be readily understood by the designers. 
nus makes he ;tbility to decompose large proMMns into iadepakm sub- 
problems essential. Timing coos(raing complicate the design of real-time 
syslems becaase utilization of uniiputing resowes introduces interactions 
between otherwise unrelated paas oEthe system. A good modeling strategy 
should help to counteract this ef€eu. This c m  be done in the following 
ways: 
(I) by decoq~ling the bebav id  pspas of a system from its timing 
propertics to allow iodepeodurt uralysis of these two ~pptcts, and 
(2) by organizing timing constdm in a hienudid W o n .  to d o w  
indepmdem consideration of s m a k  subsets of timing axcu". 
An elfective modeling strategy should therefore support a set of abstraG 
tions useful for simplifying the timing aspeas of systems witb had red- 
time conslraiols. 
Peopk me best at analyzing sltuatiom witb a limited aumbu of com- 
ponents and conslraints, end tend to have diliicdy in undedltandfng non- 
local interactions in complex systems. Since shared Canpuling IESOU~XS 
introduce unavoidable giobd C O " ~  on the set of lirne-criricp1 compll- 
tations in a real-time system, mecbmicrl analysis of cboee C- is 
desirable. This ~00sidUMioa motivates the ne-ed for a modeling strategy 
which allows the global Wing ~OOBtrdats to be SepataId from the 
behavioral aspects of the system, and Rpnsenped in a way hat is amenable 
to " i d  processing. PSDL provides such a aparation of timing tmd 
behavioral aspec~~, and suppoa~ compute~aided pForotyping of both 
aspects. 
pspeas of PSDL are desctibed in 1121. 
the user aod tbe designer to l x " d y  ddioe rrptinmeds 
specilications for the critical aspeds of the mviploned system. 
Rapid prototyping hitially 
quiped modificatims and ddines  the nitical- and 
417 
0073-1129/89/0000/0417$01.00 Q 1989 EEE 
d e t e r "  
requirenients 
I 1 I 







Fig. 1 Process of Requirements Determination and Validation 
The modeling stntegy used in the rapid prototyping of real-time sys- 
tems should be integrated with a language supporting the modeling strategy 
and a systematic prototyping method for applying the strategy. A formal 
notation is essential for achieving a significant level of computer-aided 
design [3]. The prototyping language PSDL [I21 supports a modeling stra- 
tegy based on dataflow graphs augmented with non-procedural timing aud 
control constraints. The language was designed together wilh the associ- 
ated prototyping method [I31 and the set of software tools in CAPS for sup- 
porting the niethd [l I]. 
Section 2 discusses several approaclxs to modeling rea-time sys- 
tems. The real-time aspects of PSDL are described in section 3, and the 
associated software tools are described in sedoa 4. Section 5 presents 
some conclusions. 
2. Models for Real-Time Systems 
The treatment of real-time constraints in this paper results from a fun- 
damental analysis of hard real-time systems. Understanding the modeling 
strategies for such systems is essential for effectively h a d i n g  riming con- 
straints in the prototyping process. Methods for modeling real-time systems 
are essential for requirements analysis, specification, and design of systems 
with hard real-time constraints. A coherent framewodc for classifying real- 
time constraints can be used to organize complex sets of timing require- 
ments and to guide the process of discovering the timing requirements asso- 
cirted with an embedded software system. 
The framework presented in [4] classifies timing requirements as 
maxiniuni or minimum constraints on the lengths of time intervals between 
pairs of events, where the endpoints of the intervals are classKied as one of 
the following types: (1) stimulus-stimulus, (2) stimulus-response, (3) 
response-stimulus, and (4) response-response. A third kind of timing con- 
straint identified in [4] is the durational cwwaint, which states that an 
event must occur for a time interval of the specified length. This frame- 
work treats events as signals rather than as instants of time. and t ies  to treat 
both digital and malog systems in the same terms. In particular. events are 
not required to be instantaneous, although events without durational con- 
strains are ilrsmntaneous by default. -lis feature introduces an ambiguity 
in tlle definitions of the four kinds of time intervals, because it is not 
specified whether the intervals are delimited by the beginning or the ends of 
the events forming the endpoints of the intervals. It also introduces an 
df i c i a l  distinction between durations of signals and other kinds of time 
intervals. 
Another weakness of this framework is the implicit assumption that 
every timing constraint involves just a single pair of events. This implicit 
assumption is undesirable because it does not allow simple descriptions of 
periodic processes, which are an important aspect of real-time systems. 
A different framework for describing real-time constrahts is pro- 
vided by RTL (Real Time Logic) [7]. RTL makes a distinction between 
actions and events. Actions require a bounded nowzero amount of system 
resources, such as CPU time. Events are instantaneous. requiring no system 
resources and serving only as temporal markers. Four kinds of eveuts are 





Extemal events, such as an operator pushing a button. 
Stan events marking the initiation of an action. 
Stop events marking the completion of an action. 
State variable transition events marking a change in some attribute 
of the system. 
The durdtional events of [4] c'an be expressed in RTL in terms of the 
duration of an interval delimited by two state variable transition events, 
marking the appearance and disappearance of the signal. RTL also pro- 
vides a way to index all of the occurrences of each type of event in the 
order in which they occur, via the occurrence function "@". This facility is 
important because it allows the description of periodic processca. RTL is a 
powerful notation which can be used to mechanically check whether a 
given safety assertion follows from RTL system specifications via a deci- 
sion procedure for €"burger arithmetic [7]. The primitives of RTL are 
very simple and provide the ability to describe timing constraints in detail. 
RTL is a good choice for defining the semantic$ of notations at higher lev- 
els of abstraction, because a scheme for m l a t i n g  a notation into RTL 
allows the application of the RTL decision procedure to the other ootntiom. 
Spec, a powemtl specilication language for large and real-time sys- 
tems based on quantifiers and predicate logic, uses anoIher framework for 
timing constrahts called the event model of computation [l]. In the event 
model, computations are described in terms of modules, messages, and 
events. A module is a black box that interacts with other modules only by 
sending and receiving messages. A message is a data packet that is sent 
from one module to another. An event occurs when a message is received 
by a module at a pwicular inslant of time. The events al a module occll~ 
one at a time in a well d e W  order, while events at different modules need 
not be ordered. 
Modnles can be used to model eaemal systems such as users and 
peripheral hardware devices, as well as software coniponents. Modules are 
active black boxes, which have no visible intemal structure. The behavior 
of a module i.3 specified by describing its interface. 'Ihe interface of a 
module consists of the set of stimuli it recognizes and the associated 
responses. A stimulus is an event, and the asponse is the set of events 
directly triggered by the stimulus. The events in the response coadst of the 
arrivals of the messages sent out by the module because of the stin~ulus. 
As in RlZ, events in the Spec event model are instantaneous and 
serve to d e r i  points in time. Every event is associated with the instant of 
time when an incoming message crosses the boundary of a module. An 
event macks !he time when a module accepts a message and stads the cm- 
putation of the module's response. 'Ihe Spec event model does not distin- 
guish a completion event for an action, since the events in which the mes- 
sages sent out in response to an event arrive at their destinatiom serve this 
purpose. The event model treats the environment of a system as a set of 
modules, so that there is no formal distinction between intemal and extemal 
events, as is the case in RTL. In the Spec event model all state changes are 
itwtantaneous and localired to some module. The time of the state change 
is taken to be the same as the time of the event at which the message 
triggering the state change anived at the module containing the state. An 
implementation may take a nowzero time interval to realize a state change, 
but all state changes triggered by an event at a module must be complete 
before the module can accept another message. Since all interactiom 
between two modules occur via the transmission of messages, the exact 
iilstant at which a state change takes place cannot affect the observable 
behavior of the system until the module accepts its next message. Since \he 
delays between events and the completion of the state cbanges they tr&r 
are not extemally ob.servable, they are abstracted out in the Spec model. 
Spec events thus unib the four types of events distinguished in RTL. 
Spec allows the use of arbitrary predicates in first order logic to 
express comicrainis on the delay and period associated with each type of 
event. The dehy  is the interval between an event representing a stiniulus to 
a niodule and another event representing a response of the module to ha t  
stimulus. Constraints on the delay correspood to the stimulus-response and 
respnnse-stimulus constraints of (41. The period is the interval between two 
consecutive events of the same type at the same module. Constraints on the 
period correspond to the stimulus-stimulus and response-response COD 
straints of [4]. 
418 
The Spec language suppotts the defit ion of temporal events as well 
as events triggered by external stunuli. Each module can send messages to 
itself at absolute times determined by its local clock. The arrival of such a 
message is called a ternporul event. Temporal events allow modules to ini- 
tiate actions in addition to just responding to external stimuli. 
The time at which a temporal event occurs can be constrained by an 
atbitrary predicate in first order logic. Such predicates can easily describe 
periodic processes, the most common kind of temporal events, as well as 
other kinds of temporal events. Like RTL, Spec provides primitives for 
defining riming constraints at a detailed level. Spec also has facilities 
allowing users to define high level timing constraints, but high level 
abstractions for timing are not built into the language or pre-delhed. 
The modeling method used in PSDL, which is the basis for the 
approach to handling timing constraints presented in this paper, is described 
in the next section. 
3. Timing Constraints in Rapid Prototyping 
PSDL is a language designed for clarifying the requirements of com- 
plex real-time systems, and for determining propeaies of proposed designs 
for such systems by means of prototype execution. The language was 
designed to simplify the description of such systems [I21 and to support a 
prototyping method that relies on a novel decomposition criterion [13]. 
PSDL is also the basis for a computer-aided prototyping system [ I l l  that 
speeds up the prototyping process by exploiting reusable software com- 
ponentv [IO] and providing execution support [9,15,18] for high level con- 
structs appropriate for describing large real-time systems in teniis of an 
appropriate set of abstractions [Z]. The execution support system c o n l a b  a 
static scheduler for scheduling operators with hard real-time constraints, a 
dynanuc scheduler for scheduling operators without timing constrahts, and 
a translator for generating executable code. 
An important goal of PSDL is to simplify the design of systems with 
hard real-time constnints. The need for meetiig real-time deadlines often 
~ .su l t s  in designs where code for conceptually unrelated tasks must be inter- 
leaved, complicating the design of such systems, and making their imple- 
mentations hard to understand [6]. PSDL handles this problem by present- 
ing a high-level description in terms of networks of independent operators, 
and allowing the interleaving of the code to be handled by an automatic 
tmvlator that generates lower level code. High-level synchronization is 
handled by using dataflow streams to coordioate the arrival of correspond- 
ing data values from different sources. Static scheduling of time-critical 
operators [8] eliminates the wed for other kinds of explicit synchronization 
by the system designer. Low-level synchronization primitives are needed in 
the implementation of PSDL only for ensuring that the read and write 
operations on data streams are performed as atomic operations. Since those 
primitives are needed in just one small and simple part of the code in the 
PSDL execution support system, PSDL can be effectively supported by any 
of the common mutual exclusion mechanisms provided by operating sys- 
tems. 
The PSDL language is baqed on a computation model which treats 
software systems as networks of operators communicating via data streams. 
The computational model is an augmented directed graph 
where V is the set of vertices, E is the set of edges, T(v) is the se1 of timing 
constnints for each vertex v, and C(v) is the set of control cons;traints for 
each vertex v. Each vertex is an operator and each edge is a data path. 
Each of the tour coniponents of the graph are described in more detail 
below. The semantics of a PSDL system description is determined by the 
associated augmented graph and the semantics of the operators appearing in 
the diagram. 
All PSDL operators are state machines. Some PSDL operators are 
functions, i.e. machiiles with only one state. When an operator fires, it 
reads one data value from each of its input streams, undergoes a state transi- 
tion, and writes at most one data value into each of its output streams. The 
output values can depend only on the current set of input values and the 
current state of Ihe operator. State transitions and input/output operations 
on data streams can occur only when the associated operator fires. The 
firing of an operator is controlled by the associated timing and control con- 
straints. Operators can be triggered by the arrival of a set of input data 
values or by a periodic temporal event. 
PSDL operators communicate by means of nanied data streams. All 
G = (V, E, T(v), 
PSDL data streams can carry both normal data values and tokens represent- 
ing exceptions. AU of the normal data values carried by a stream must be 
instances of a specified abstract data type associated with the stream. 
There are two different kinds of data streams in PSDL, dataflow 
streams and sampled streams. Dataflow streams are used in applications 
where the values in the stream must not be lost or replicated and the firing 
rates of the prntiucers and consumer are the same, while sampled streams 
are used in applications where a value must be available at all times and 
values can be replicated without affecting their meaning. 
Any PSDL operator can have timing constraints associated with it. 
An operator is time-critical if it has at lea.st one riming constraint associ- 
ated with it, and is non time-critical otherwise. The timing comtraints 
together with the control constraints determine when the operator can be 
fired, and when it must be fired. AU PSDL tinling conscraiutS can be 
represented by constants denoting lengths of time intervals. There are 
several different k i d  of timing comtraints, which can be classified into 
those that apply to all time-critical operators, those that apply only to opera- 
tors triggered by periodic temporal events, and those that apply only to 
operators triggered by the arrival of new data. Temporal events occur at 
specified sets of absolute times. 
Every time-critical operator must have a maximum execution time 
(MET) to allow the construction of a static schedule. The MET of an 
operator is an upper bound on the length of the execution interval (EI) for 
the operator. AU of the actions that may be required to fire an operator once 
must fit into tlte execution interval. These actions are listed below. 
( I )  
(2) Evaluating triggering conditions. 
(3) Calculating output values. 
(4) Evaluating output guards. 
( 5 )  
Reading values from input data streams. 
Writing values into output streams. 
The execution interval for an operator does not include scheduling delays. 
A scheduling delay is the time between the writing of a value into a data 
stremi by a producer operator and the reading of that value by the consu- 
mer operator. 
Operators triggered by tenipord events are periodic in PSDL. Every 
periodic operator niust have a period (PERIOD) and may have a deadline 
(FINISH-WITHIN). These two timing constraints partially determine the 
set of scheduling intervals (SI) for the operator. Each periodic operator 
must be fired exactly once in each scheduling interval, and must complete 
execution before the end of the scheduling interval. The period is the 
length of tinie between the start of any scheduling interval and the start of 
the next scheduling interval. The deadline is the len@ of each scheduling 
interval. 'Ihe starting time of the first scheduling interval for each operator 
is deteniiined by the static scheduler, subject to the scheduling constraints 
described below. 
There is an implicit constraint on the order in which PSDL operators 
CNI be scheduled to fire, known as the dataflow precedence constraint. The 
datallow precedence constraint requires the initial firings of all operators 
will1 tinting constraints to occur in an order consistent with the dataflow 
ordering, which is defied in terms of the PSDL computational model as 
follows. Convtruct the precedence graph by taking all of the nodes in the 
augmented graph G defined above, and taking only the edges of G that do 
not have explicitly declared initial values. Since any cycle of G must con- 
tain at least one edge with a declared initial value in a well formed PSDL 
program, the precedence graph is acyclic. The dataflow ordering is the 
transitive closure of the precedence graph, which results in a strict partial 
ordering. For any pair of operators (a, b), if a precedes b in the dataflow 
ordering then a must be scheduled to fire before b is scheduled to fire for 
the first time. 
The relation between the timing constraints, scheduling intervals, and 
execution intervals for a periodic operator is illustrated in Fig. 2. The exe- 
cution intervals and scheduling intervals in h e  diagram are indexed by 
integers in the order of their occurrence. Thus SI[n] denotes the n-th 
scheduling interval for the operator and EI[n] denotes the n-th execution 
interval for the operator. The static scheduler takes ihe length of each exe- 
cution interval to be equal to the maximum execution time to allow for 
worst case conditions. If a time-critical operator completes before the end 
of the execution interval reserved for it by the static scheduler, the remain- 
ing time in the execution interval is used by the dynamic scheduler for the 
4 I9 
W n l  
I I 
execution of a non time-critical operator. 
Since each execution interval must be a subset of the corresponding 
scheduling interval, every well-formed periodic operator must satisfy the 
constraint 
MET <= FINISH-WlTHlN. 
The degree of freedom enjoyed by the static scheduler is characterized by 
the slack, which is defied by 
slack = FLNISH-WlTH3N - ht€T. 
The length of time between the start of an execution interval and the start of 
the next execution interval can vary between 
PERIOD - slack 
and 
PERIOD +slack, 
as illustrated in Fig. 3. If “ISH_WITHIN is not specilied explicitly then 
“ISH-WITHIN = MET, 
slack = 0, 
and the time between the starring points of each pair of consecutive execu- 
tion intervals is exactly equal to the period. 
Operators triggered by the arrival of new data values are sporadic. 
Timing constraints for sporadic operators are optional. Sporadic operators 
with timing constraints must have both a maximum response time (MRT) 
and a minimum calling period (MCP) in addition to an MET. The MRT is 
an upper bound on the response time, while the MCP is a lower bound on 
the calling period. The relation between these quantities is illusmted in 
Fig. 4. Sl[n] denotes the n-th scheduling interval for the consumer operator, 
which is sporadic and tinie-critical. CEI[n] denotes the n-th execution 
interval for the condunier operator, and PEILn] denotes the n-th execution 
interval for the producer operator, which is assumed here to be time-critical 
also. n i e  response tinie asociated with a consunier operator is measured 
from the end of the execution interval for the producer operator of the 
triggering data value to the end of the execution interval for the consumer 
operator of the triggering data value. 
Unlike UK MET, the MRT includes a scheduling delay. The MRT 
gives the length of the scheduling interval. The static scheduler may not be 
able to use the entire scheduling interval if the producer is non time-CritiCal, 
because the eliding time of the producer’s execution interval is not known 
to h e  static scheduler in that case. 
EI[n+l] 
I 1 




C W n l  PEI[n+l] 
1 1 I l &  
Slack = FINISH-WITHIN - MET 
a = period - slack 
b =period + slack 
a <=x <= b 
Fig. 3 Scheduling Freedom for a Periodic Operator 
The calling period of an operator is the length of time between the 
end of the execution interval for the producer of the triggering data value 
and the end of the execution interval for the producer of the next triggering 
data value. 7he d i n g  period must not be less than the MCP. The MCP of 
an operator constrains the behavior of the producers of the triggering data 
values rather than constrabing the behavior of the operator itself. An MCP 
constraint is needed to allow the realization of a maximum response time 
constraint with a fixed anioulit of coniputational resources, via a limit on e 
frequeucy with which new data can arrive. Violation of an MCP constraint 
should result in a waming message. The absence of such violations can be 
guaranteed a priori only if the producer of each triggering data value is 
scheduled statically. An important case where such a guarantee is not pos- 
sible occurs when the producer of the triggering data value is an asynchro- 
nous active sensor controlled by factors external to Ihe system. In such 
cases data may be lost if it arrives too frequently. 
PSDL provides a siniple framework for describing real-time systems 
at a level convenient both for the designer of a prototype and for a set of 
sofiware tools. The apparent simplicity of the designer’s view stems from 
the following properties. 
Localin, ofinfomation. %re is no hidden data coupling between 
operators due to nonlocal data references and no hidden control 
coupling between operators due to interrupts or exceptions. 
Locality of tiniirig constraints. All PSDL timing conmaints are 
asociated with individual operators, and are defined in terms or 
events and intervals that can be defined in terms of a black-box 
view of the operator. The small number of concepts involved 
induces a simple and regular structure on the timing constraints of 
the system which allows the constraints to be organized in a 
coherent fashion amenable to localized understanding and analysis. 
Hierarchical Organiration. The timing constraints in PSDL are 
organized hierarchically as well as the data and control aspeds of 
the system. This allows the lower level timing constraints used to 
implement an operator at a higher level of abstraction to be ignored 
when analyzing the interactiom of the abstract operator with its 
neighbors in the high level data Bow network. This allows the tim- 
ing constraint? in the system to be parlitioned into independent units 
that can be designed and analyzed in isolation from each &er. 
Despite their simplicity, the primitives of PSDL an? well suited to 
modeling practical real-time systems. Both periodic and data driven 
processes are describable directly, by defining either a period or a data 
trigger for the corresponding operator. Synchronous interactions between 
operators or system coniponents are modeled ay datallow streams while 
asynchronous interactions are modeled by sampled streams. Systems con- 
taining both synchronous and asynchronous components can be described 
easily and safely, since the stream types are automatically derived f m  the 
context in which the streani is used, and need not be explicitly considered 
by Ihe designer. 
The timing constraints of PSDL am also amenable to automatic 
analysis and realization, as described below. 
4. Computer-Aided Handling of Timing Constraints 





Fig. 5 MIjor Software Tools of CAPS 
[ne a.v"alecl protoypmg metnod and support environment. 'RE support 
environment reduces the efforts of the designer by automahg sonie of the 
tasks involved in prototype coastruaion. 
The Computer Aided Prototyping System (CAPS) relies on three 
major software tools, as illustrated in Fig. 5 ,  to assist the designer in con- 
structing and executing a PSDL prototype. First, the computer-aided 
environnient includes a software base management system which creates 
uniform retrieval specifications for Ada sofiware modules in the software 
database and later retrieves these reusable modules for assembling the exe- 
cutable prototype. Second, a graphics-capable user interface k luding  a 
syntax-directed editor expedites the designer's data entry at a terminal and 
prevents syntax errors in the design. F d y ,  an execution support system 
demonstrates and measures the prototype's performance and analyzes the 
accuracy of the design specificatim. 
The execution of PSDL prototype models is made possible through 
the use of an automated Execution Suppod System which consists of three 
parts, the translator, the static scheduler, and the dynamic scheduler. We 
will h t  exynine the translator [15]. Its basic function is to convert the 
prototyping model input by the designer in the form of PSDL source code 
into A& source code. Output from the translator is provided to the Ada 
cornpilerflinker along with some additional infomation from the static 
scheduler to produce Ada object code. The object code is then exported to 
the operating system and can be run for test and demonstration purposes. 
The translator creates code to implement the PSDL operators as procedures 
which will be called by the main subprogram/schedule created by the static 
scheduler. The iranslator does not generate any code from PSDL real-time 
COnStnints. 
The static scheduler subsystem of the execution support system 
represents the single most important component of CAPS for meeting the 
basic requirement for computer-aided rapid prototyping of hard real-time 
systems [9]. The static scheduler specifically addresses only those PSDL 
operators with critical timing constraints. The performance of these opera- 
tors determines whether the system, as designed, will meet the required tim- 
ing specifications. The primary purpose of the static scheduler is the crea- 
tion of a static schedule which gives the precise execution order and timing 
of PSDL component operators with hard real-time constraints in such a 
manner that all timing constraints are guaranteed to be met [14]. Provided 
that such a schedule is feasible given the system speacations, the static 
schedule contains the preallocated slatting time and execution time for each 
critical operator. This structure implicitly denotes the precedence relation- 
ships between the operators. Rapid prototyping in g e w a l  would benefit 
from CAPS without a static scheduler, but such a facility is needed to real- 
ize systems with hard real-time constraints. The static scheduler contributes 
to increased gaim in designer productivity and system reliability in the 
development of hard real-time systems since the coostnrction and validation 
of a static schedule is a labor intensive process that cannot be carried out 
both rapidly and reliably without the benefit of automated sofiware tools. 
The third component of the execution support system is the dynamic 
scheduler. This scheduler operates at run-time along with the prototype 
model and is designed to control the execution of all non-critical operators 
in the program. A non-critical operator is one which is  not subject to hard 
real-time constraints. The dynamic scheduler is invoked whenever there is 
spare tune in the static r u n - h e  schedule created by the static scheduler. 
Progress of non-critical operators occurs at unpredictable rates, which 
implies that non-critical operators should be connected to critical operators 
using sampled streams rather than data flow streanis. At that time the 
dynamic scheduler conimences execution of the next available module in its 
set of operators and continues to invoke non-critical modules until the avail- 
able time is exhausted. At that point, operation of the dynamic scheduler is 
intempted and control is returned to the static scheduler to continue the 
time critical operations. This process is simplified by the locality of data 
references in PSDL, since this property allows the execution of an operator 
to be intempted at any time except during read or write operations on data 
streams. Future enhancements identified in the current design of the 
dynamic scheduler would provide debugging facilities and statistical infor- 
mation [ 5 ] .  
The remainder of INS section contains implementation guidelines 
describing how the static scheduler functions [9,18]. The design described 
in this paper addresses a single processor implementation only, and the 
modifications to this design needed to utilize multi-processors and con- 
current processing are not addressed explicitly. 
The initial input to the static scheduler is a text file containing the 
PSDL prototype program created jointly by the designer and user. An inter- 
mediate output to the dynamic scheduler is a file containing the non-time- 
critical operators in the PSDL program. The final output of the static 
scheduler to the cotiipilerflinker/exporter is an Ada source file containhig 
the static schedule. The compiler/Iinker/expoder compiles and links this 
program together with the compiled program produced by the translator. 
This combined program is the executable Ada program used by the 
dynaniic scheduler to demonstxate the prototype's perfmance. The data 
flow diagram shown io Fig. 6 illustrates the conceptual design of the static 
scheduler and outlines its five niajor functions [18]. The following subsec- 
tions describe each of these major functions. 
4.1. Read-PSDL 
Following initiation by the dynamic scheduler, the static scheduler's 
lirst major function is reading and processing the PSDL prototype program. 
The static scheduler requires only the information which identifies critical 
operators along with their timing constraints and the liok statements which 
syntactically describe PSDL implementation graphs. A special purpose 
translator identifies and extracts this information from the PSDL source pro- 
gram. This process creates a file containing operator idenmers. timing 
information, and link statements. 
4.2. Pre-Prwess File 
The static scheduler's next m+ior function is classifying the contents 
of this file and performing basic validity checks. The input Me contains all 
of information extracted from the PSDL program. This infomiation must 
be divided into three separate files based on its destination and the addi- 
tional processing required. The Non-Crits file contains a list of all non- 
time-critical operators for the dynamic scheduler. The Operator file con- 
taim all time-critical operators and their associated timing constraints. % 
Links file contains the link statements which syntactically describe the 
PSDL implementation graphs. 
Validity checks are performed on the timing information contained in 
the Operator file to increase the probability of successfully creating a feasi- 




Fig. 6 DFD for the Static Scheduler 
42 1 
stage. The Operator file contaias operator nanles, maximum execution 
times (MJZT), maximum response times (MRT), minimum calling periods 
(MCP), tixed periods, and deadlines (FINISH-M"). The first check 
verifies that each operator with a MCP also has a MRT, and if it is missing 
it is calculated as (MRT = FINISH-WITHIN) or (MRT = MET). The 
second check verifies that (MET <= period) for operators with fixed 
periods. ' Ihis constraint is imposed by the assumption that only a single 
processor is available. The third check verifies that (MET <= MRT) [171. 
Failure of any of these checks causes an error message to be submitted to 
the user interface. 
43. Sort-Topological 
The static scheduler's next major function is to perform a topological 
sort on the link statement.i in the Links file. The requirement for a topologi- 
cal sori implies that operators producing each data stream must be 
scheduled before the operators consuming that data stream. The output of 
this process is a precedence list of the time-critical operators deGning the 
exact order in which hey will be executed. Fig. 7 shows an augmented 
acyclic digraph and the corresponding topologically sorted sequence of link 
statements. In this type of digraph the order of the nodes is not completely 
determined In the example the decision to choose the "a.A link first and 
the "d.A link last was made arbitrarily. 
4.4. Build-Harmonic-Blocks 
The second output of the "Pre-Pmcesq-File" hnction, the Operator 
file, is the input to the "Build-Harmonic-Blocks" function. A hamionic 
block is a set of periodic operators, where the periods of all the operators in 
the set are exact multiples of a calculated base period [14]. This design 
approach treats each hannoiuc block as an independent scheduliug problem, 
which requires one processor for each hannonic block. Our approach util- 
izes the capabilities for concurrency and multi-processing which are 
2 ms 
5 m s  
5 m s  
a.A : 5 m8 --> B 
b.E : 4 ms --> C 
c.C : 5 ms --> D 
d.A : 5 ms --> D 
Fig. 7. PSDL Augmented Acyclic Digraph 
4 m s  
normally a requirement for complex, hard real-time systems. The imple- 
mentation described in lhis paper addresses a single processor environment 
only, and the procedures described for generating the final static schedule 
assume that only one harmonic block is created. The rest of this section 
describes how sporadic operators are converted to their periodic 
equivalents, how base periods and block periods are calculated, and how 
harmonic blocks are created. 
The operator f ie  contaim all the time-critical operators from the 
PSDL program together with their timing constrainls. This includes both 
periodic and sporadic operators. Periodic operators are triggered at regular 
intervals, while sporadic operators are triggered by the arrival of new data. 
In order to guarantee the execution of sporadic operators within the MRT, it 
is necessary to assume new data cannot arrive more often than once per the 
MCP. To enahle the execution of all operators in a predictable manner that 
can be described by a static schedule, sporadic operators are implemented 
by their calculated periodic equivalents 1141. The calculation of an 
equivalent period requires that all sporadic operators have values for MCP, 
MRT, and MET satisfying the following relationships. 
1. MET <= MRT 
2. MET <= MCP 
The first condition ensures (MRT - MET) is positive, while the second 
allows a single processor implementation. The equivalent period is given 
by [I41 
A single processor implementation also requires (MET c= P) to allow the 
operator to complete within the calwlated period. 
In the single processor case, all operators are allocated to the same 
harmonic block. In the multiple processor case, blocks are created one at a 
time by collecting all Operators whose periods are exact multiples of the 
minimum period for all the unallocated operators. The base period of a 
block is the GCD (greatest common divisor) of all periods in the block, 
while the block period is the LCM (least common multiple) of all the 
periods in the block. The base period is used to relieve scheduling couges- 
tion via a second pass which moves operators to the block with the longest 
base period that evenly divides h e  operator period. The block period 
d e t i s  the length of the static schedule for the block. 
4.5. Schedule-Operators 
The "Schedule-Operators" function uses the "Precedence-List" and 
"Harmonic-Block" files, which are generated by the "Sort-Topological" 
and "Build-harmonic-Blodts" functions, respectively. The 
Precedence-List file defines the required execution order, while the 
Harmonic-Block f ie  defines the set of operators to be scheduled and the 
length of the static schedule. The resulting static schedule is a linear table 
giving the exact execution start time for each time-critical operator and the 
reserved maximum execution time (MET) wihin which the operator must 
complete execution. 
The algorithm used in this implementation is a two step process. The 
first step allocates the initial execution interval for each operator [16]. in 
the order given by the Precedence-List, using the relation 
where the current-time i s  the beginning of the currently unallocated time 
interval in the block period. This step also creates a firing interval for each 
operator, during which the second step must schedule the next execution of 
the operator. The firing interval gives the lower and upper bound for the 
iiext possible s t d n g  time of the operator. For example, OP-2 in Fig. 8 is 
scheduled IO start execution at time 2 and to complete by time 3, based on 
i t s  MET of 1. Since OP-2 has a period of IO, it cannot fire again before 
time 12, tk lower bound for its firing interval. OP-2 must fire by time 21, 
the upper bound, in order to ensure completion by the end of the second 
period at time 22. 
The second step schedules subsequent firings of the operators, which 
'am allocated in earliest-lower-bound-first order. In the example of Fig. 8 
the operators are scheduled in the order [OP-1, OP-2, OP-41 during the 
first iteration of the second step. Since the period of OP-3 (20) is the same 
as the block period, it is scheduled to fm only Once in the static schedule. 
As each operator is scheduled, this process verifies that both 
P = minimum(MCP, MRT - hET). 
interval = (current-time, current-time +MET) 
1. current-tune + MET <= block period, and 






HARMONIC-BLOCK-LENGTH = 20 
OPERATOR-ID htET PERIOD 
OP-1 2 10 
OP-2 1 10 
OP-3 3 20 
OP-4 1 10 
result 
STATIC SCHEDULE 
OP-ID STARTEND RRMG 
TIME TIME INTERVAL 
OP-1 0 2 (10.18) 
OP-2 2 3 (12,21) 
OP-3 3 6 (23,40) 
OP-4 6 7 (16,25) 
and 
i d  
t i m e  
and 
i d  
t i m e  
HARMONIC BLOCK 
I 1 1 I I 
0 5 10 15 2 0  
Fig. 8 Static Schedule after First Process 
STATIC SCHEDULE 
OP-ID STARTEND FZRING 
TIME TIME INTERVAL 
OP-1 0 2 (10,18) 
OP-2 2 3 (12.21) 
0 9 3  3 6 (23,40) 
0 9 4  6 7 (16,25) 
OP- 1 10 12 (20,28) 
OP-2 12 13 (22,31) 
OP-4 16 17 (26.35) 
OP-I 20 22 (30,38) 
OP-2 22 23 (32.41) 
OP-3 23 26 (43.60) 
0 9 4  26 27 (36,45) 
OP- 1 30 32 (40,48) 
OP-2 32 33 (42,51) 
0 9 4  36 37 (46.55) 
HARMONIC BLOCK 
1 2 3  4 1 2  4 1 2 3  4 1 2  4 
I: 1 I : :  1 1 1  
I I I I I I I I I  
0 5 10 1 5  2 0  25 30  3 5  4 0  
Fig. 9 Static Schedule for 2 Block Periods 
Failure to meet either condition results in an infeasible schedule, resulting 
in an exception and an appropriate e m  message at the user interface. 
*se Checks ensure that the process produces a feasible schedule when- 
ever it terminates without an exception. 
The process also calculates new firing intervals for each process 
scheduled. Fig. 9 shows the static schedule after three iterations of the pro- 
cess, along with a timing chart for two block periods. 'Ibis figure illustrates 
the importance of a robust static schedule. Once all operators are comctly 
scheduled for an entire block period, all subsequent schedules are delayed 
copies of the k t ,  hence the term “static schedule”. In the example shown, 
the static schedule is complete after only one iteration of the second step, 
since at that point the lower bounds of all the firing intervals are greater 
than or equal to the block period. 
5. conclusions 
The mechanism discussed in this paper for handling timing con- 
strainis in rapid prototyping via PSDL offers the potential of serving as a 
valuable software development tool speci6cally for hard real-time systems. 
The prototyping process is speeded up by automation and by reducing the 
conceptual burden of the analyst and prototype designer. PSDL has con- 
structs for recording timing constraints, defining operator and data abstrac- 
tions, and for specifying nowprocedural control constraints. The most 
important aspects of real-time system design are enforcing maximum exe- 
cution time, maximum response time, minimum calling period, and data 
synchronization’constraints. The details of how to handle these characteris- 
tics of hard real-time systems are discussed in this paper. ‘zhe execution 
support system of CAPS described in section 4 allows the designer to check 
the feasibility of a set of real-time constraints by monitoring and evaluating 
the execution of the prototype model. PSDL offers a software tool that is a 
practical way to support rapid prototyping of hard real-time software sys- 
tems. We can validate hard real-tinie constraints by executing the con- 
structed prototype. 
Current research project9 to conceptualize components of the CAPS 
Execution Support System are reflected by the discussion of handling tim- 
ing constraints in rapid prototyping contained in this paper. %se efforts 
empirically demomtrate that the initial goal of providing an automated exe- 
cution environnient for hard real-time software design and specification 
prototypes is feasible. CAPS will provide software designers with au 
automated tool allowing validation of prototypes for hard real-time or 
embedded systenis before extemive t h e  and money are invested in produc- 
tion software. Additional research projects are currently underway to con- 
ceptu,*ze, implement, and integrate the. handling of timing constrain6 in 
rapid prototyping and make the computer-aided design of hard real-time 
systems feasible, practical, and reliable. 
4. 




V. Berzins and Luqi, Sofm~ure Engineering with Abstructions: An 
Integraled Approach to Sofhvare Development using Ada, Addison- 
Wesley, 1988. 
V. Berzins, “The Design of Software Interfaces in Spec”, in to 
appear. in Proceedings of the Internutiorrul Conference on Contputer 
Lunguuges, Miami, Oct. 1988. 
V. Benins and Luqi, “L.anguages for Specification, Design and 
Ptototyping”, in Hundbouk of Contputer-Aided Software 
Eirgirreeiing, Van Nostrand Reinhold, 1988. 
M. Chandnsekharan, B. Dasarathy and Z. Kishimoto, 
“Requirements-Based Testing of Real-Time Systems: Modeling for 
Testability”, IEEE Computer I8 ,4  (Apr. 1985), 71-80. 
S .  Eaton, “An Implementation Design of A Dynamic Scheduler for a 
Computer Aided Prototyping System”, M. S .  Thesis, Computer 
Science, Naval Postgraduate School, Monterey, CA, March 1988. 
S .  Faulk and D. Pamas, “On Synchronization in Hard-Real-Time 
Systems”, Comm. of the ACM31,3 (Mar. 1988). 274-187. 
F. Jahanian and A. Mok, “Safety Analysis of Timing Properties in 
Real-Time Systems”, IEEE Truns. on Software Eng. SE-12, 9 (Sep. 
I986), 890-904. 
D. Janson and Luqi, “A Static Scheduler for the Computer Aided 
Prototyping System”, in Proceedings of COMPASS 88, 












D. Janson, “A static Scheduler for Hard Real-Time Constraints in the 
Computer Aided Prolotyping System”, M. S. Tbesis, Computer 
Science, Naval Postgraduate School, Monterey, CA, Marc4 1988. 
Luqi, “Rapid Prolotyping for Large Software Syslem Design”, Ph. 
D. Thesis, Uuiversity of Miouesota, 1986. 
Luqi and M. Ketabchi, “A Computer Aided Prototyping System”, 
IEEE Sofrware 5 . 2  (March 1988), 66-72. 
Luqi, V. Benins and R. Yeh, “A Prototyping Language for Real- 
Tmie Software”, IEEE Trans. on Software Eng., October, 1988. 
Luqi and V. Berzins, “Rapidly Prototyping Real-Time Systems”, 
IEEE Sofrware, Sep. 1988.25-36. 
Luqi and V. Be&, “Execution of a High Level Real-Time 
Language”, in Proc. of the Real-Time System Symposium, Dec. 
1988. 
C. Moffitt, “Development of a Language Translator for a Computer 
Aided Prototyping System”, M. S. Thesis, Computer Science, Naval 
Postgraduate School, Monterey, CA, March 1988. 
A. K. Mok. “The Decomposition of Real-Time System RequiremeliIs 
into Process Models”, IEEE Proc. of the I984 Real Time Systems 
S.vtnposiuni, Dec. 1984, 125-133. 
A. K. Mok, The Design of Real-Time Programming System Based 
on Process Models, EEE, 1984. 
1. O’Hem, “A Conceptual Design of a Static Scheduler for Hard 
Real-Tune Systems”, M. S. Thesis, Computer Science, Naval 
Postgraduate School, Monterey, CA, March 1988. 
424 
