This paper presents an automatic approach to synthesizing schedulable timing constraints for real-time control systems. Given the performance specifications and schedulability constraints of a real-time control system, the approach derives task-level timing constraints which can guarantee these requirements. The control performance is specified in terms of control output responses such as steady state error, maximum overshoot, settling time, and rise time, and the task-level timing constraints include task periods and deadlines. The approach consists of two components with a clean interface. The first component translates the performance specifications into a set of system-level timing constraints such as loop processing periods and input-to-output latency, via control theoretic modeling and optimization. The second then derives task-level timing constraints from the intermediate system-level timing constraints, optimizing the system schedulability using the period calibration method [4, 17, 9].
Introduction
With the maturity of real-time system technologies, embedded digital controllers are increasingly substituting analog controllers in many control systems. Examples of such systems include computerized numerical control (CNC) machines, avionics fly-by-wire systems, and automotive control systems. As the application areas diversify and the controlled systems become more complex, the accompanying real-time systems are anticipated to carry out intricate control algorithms. Such systems must necessarily be built using a multi-tasking design with different tasks running at different rates and sharing data, resulting in many interacting and overlapping data paths from sensors to actuators.
The design of a digital controller involves many steps starting from a conceptual schematic diagram of the controller, and ending in a set of schedulable periodic tasks. During this process various design decisions are taken such as mapping the controller block diagram into a task graph structure, selection of synchronization and communication primitives, choosing task periods and deadlines, selecting a scheduling strategy, etc. These design decisions are often taken in an ad hoc way, albeit guided by engineering intuition, partly due to lack of information available at the design stage, and partly due to lack of tools available to help evaluate those design decisions. For example, a control engineer would select sampling periods based on controller performance requirements, largely ignoring the impact of the decision on schedulability. As a result, it becomes extremely difficult, if not impossible, to reach the "right" system design, as the controller structure moves towards higher complexity.
Many researchers have attacked the complexity of real-time system design from various points of view. Recently, several research groups have investigated interactions between system performance and real-time scheduling with a hope that the schedulable timing attributes of a system can be automatically generated from the system's performance requirements [4, 17, 19]. In particular in [4, 17], we developed a design methodology which allows system designers to consider the schedulability from the early stages of system design. The main contribution of this work was a systematic method to derive task-level timing constraints (periods and deadlines) from system-level timing constraints establishing temporal relationships between the system's external inputs and outputs. Such system-level timing constraints include maximum loop processing periods, and maximum allowable input-to-output latency. Since the tasks, and therefore their attributes, are artifacts of system design, we proposed that the task-level timing constraints could be derived to ensure that the derived task set is schedulable on a target platform, while meeting all the system-level constraints. We refer to this method as the period calibration method (PCM) [9].
While the period calibration method brings a much needed integration, it is only half a step since the system-level timing constraints are not a genuine starting point in system design, but another set of artifacts which are derived from the system's performance requirements. This is illustrated in Figure 1, which shows how a design would proceed with the period calibration method. As shown in the figure, there is an ad hoc step of translating the performance specifications for a given system model into a set of timing constraints. In [19], Seto, Lehoczky, Sha, and Shin addressed this problem. They proposed an algorithm that translates a given system performance index into sampling periods considering schedulability among tasks running with preemptive priority scheduling. In this approach they regard sampling periods as variables and attempt to determine the values such that the resultant system obtains the optimal control quality subject to the given schedulability constraint. They investigated the interaction between control performance and task scheduling by formulating an optimization problem. This is the first approach that we know of, which relates control performance to real-time schedulability and computes sampling periods by way of an algorithm. On the other hand, their model has several limitations. First, they approximated the performance index to be an exponential function. This may lead to a model which cannot accurately describe real systems. Second, their approach does not consider the effect of latency. In a feedback control system, the most important function of the controller is compensating output errors. To do so, the controller reads the state of the plant by sampling data, compares it with the reference input, and then generates a new control command for the plant. Since the plant undergoes changes in its state, while the controller is generating a new control command, the input-to-output latency has a critical effect on control performance [9].
Thus, it is very important to simultaneously consider latency and sampling periods. In fact, there is a tradeoff involved here; a high latency may be compensated by a tight sampling period, or alternatively, a large sampling period may be compensated by a tight latency.
In this paper, we build upon our previous work to address some of these problems. In particular, we take the approach presented in [9] of bringing real-time scheduling into the early stage of real-time controller design. More specifically, we present our initial attempt at formalizing the ad hoc step shown in Figure 1 by considering a realistic controller model, and incorporating latency as a variable in addition to sampling periods. Given the analytical model of the system being built, our approach translates the system's performance requirements into a set of temporal constraints subject to the schedulability constraint. These intermediate temporal constraints correspond to the system-level timing constraints mentioned earlier, and they are processed further to derive task-level timing constraints using the period calibration method. Thus, the end result is an automatic design method which can aid real-time engineers in synthesizing task-level timing constraints of the system, as shown in Figure 1.
We first develop a generic real-time control system model with rigorous mathematical modeling, and then validate it through a case study on a CNC controller. The controller was implemented on top of our own real-time kernel called SNU-ARX (Seoul National University Advanced Real-time Kernel) [6], which afforded tight control over latencies and periods. This CNC controller was earlier used in our previous study [9] to validate the period calibration method. This study highlighted the benefits of PCM, and showed the effects of sampling period, output jitter, and input-to-output latency on control quality. Using this CNC controller, we compare the results of the analytical model with the simulated controller. Our experimental study shows that the real-time controller model is sufficiently accurate to be usable in the design of practical real-time controllers.
We believe that our approach based on digital control theory contributes to both the control and real-time areas: (1) it allows control engineers to take into consideration the effect of scheduling latency and sampling periods at the early stage of system design; and (2) it makes it possible to streamline the design of real-time control systems, since temporal constraints are derived in an automatic manner.
Related Work
There are two basic areas in real-time systems that come close to the approach presented here. The first is in the area of real-time software design methods. A number of such methods focus on complex real-time programming. Specifically, Gomaa [5] presents a method called DARTS (design method for real-time systems) which models a real-time system as a set of concurrent communicating tasks. DARTS shares the same task model as our task graph, and provides a diverse set of communication and synchronization primitives such as message queues, mail boxes, and semaphores. However, DARTS does not take into account system scheduling.
Recently, Selic [18] also proposed a design method called ROOM (real-time object oriented method) which supports high-level modular decomposition and interconnection between modules. Like DARTS, ROOM focuses only on the functional aspect of real-time system design, and does not consider real-time scheduling. However, these design methods can be used to generate the task graph design.
The second area related to this work is real-time scheduling. It has been a fertile area in the past, and results are in abundance. The problem of scheduling periodic tasks was studied by Liu and Layland [11] as early as 1973. In their paper, they proposed the optimal static and dynamic priority scheduling algorithms based on the critical instance analysis. They showed that, for a given task set, each algorithm has a schedulable utilization bound, thus the task set will always be schedulable if the task set does not exceed the bound value. The schedulability test based on the utilization bound motivated us to take the system utilization as an important factor to optimize in our previous work [4]: PCM attempts to assign tasks as large periods as possible so that the overall utilization is minimized, and thus the chances of the system being schedulable are maximized. In addition to Liu and Layland's work, there have been numerous results in real-time scheduling and its applications such as those found in [20, 22, 10, 2, 23].
Unfortunately, there has been relatively limited effort in the integration of real-time system design and scheduling. Audsley et al. [1] and Sha and Sathaye [21] took a problem of deriving task periods and deadlines from system-level timing constraints, and formulated it as a real-time database consistency problem. In [24], Vestal and Binns addressed real-time schedulability in the context of system design. They proposed an architectural description language MetaH and implemented a tool set based on it. Their goal was to provide a complete schedulability analysis for system designers at design time. However, the focus of these studies was more on the schedulability analysis and less on the derivation of task parameters.
In [4], we first addressed the problem of systematically translating a set of system-level timing constraints into a set of task-level timing constraints, while maximizing schedulability. This approach assumed that system performance specifications could be easily translated into a set of system-level timing constraints. However, the derivation of system-level timing constraints itself makes a very difficult optimization problem which requires an extensive tradeoff analysis, as we will show in the paper. Seto et al. proposed a systematic method that can integrate task scheduling and system design, but in a slightly different way [19] from our previous work. They attempted to directly derive task periods from the system's performance indices, not from the system-level timing constraints. Their method focused on obtaining optimal control balancing task periods and computing resources. Our approach described here was, in large part, inspired by their method.
Remainder of the Paper
The rest of the paper is organized as follows. Section 2 gives an overview of the control system model including the task graph model. Then, it characterizes the performance of real-time controllers and defines system-level and task-level timing constraints. It also briefly describes the solution approach we take in the paper. Section 3 presents the main contribution of the paper. It describes the generic real-time controller model we develop using the discrete-time control theory. It then presents a heuristic optimization algorithm which can derive task-level timing constraints using PCM. In Section 4 we demonstrate our approach through the design of a CNC controller. In Section 5 we validate the CNC controller we design in Section 4 through a simulation study. We first describe the experiment setup including the hardware/software platform, and then present the results of the experimental study. Finally, we conclude the paper with the discussion of our contributions and future research directions in Section 6.
The System Model and Solution Overview
In this section we present the task graph structure of real-time controllers and characterize what control performance is. Then, we define system-level and task-level timing constraints. Finally, we give a brief overview of our solution approach.
The Control System Model and Task Graph
A traditional multi-rate control system possesses multiple control loops $C_1, C_2, \ldots, C_m$ with different loop processing periods. A control loop $C_i$ is often composed of a sequence of tasks following the producer/consumer model. For example, control loop $C_i$ may include a sampling task, an input task which generates reference inputs, a computation task which executes the control algorithm, and an output task which issues output commands to the controlled system. They form a chain of tasks, as shown in Figure 2. In order to represent a complex digital control system consisting of multiple control loops which interact with each other and share common intermediate tasks, we have to use a more general task graph structure, as shown in Figure 2 (B), than a simple task chain. In a task graph, shaded oval objects denote tasks and white rectangular objects denote data buffers for inter-task communication. In Figure 2 (B), there are two control loops $C_1$ and $C_2$. Control loop $C_1$ is composed of tasks $\langle 1, 2, 3, 4 \rangle$, and $C_2$ is composed of tasks $\langle 7, 8, 9, 10 \rangle$. Note that there are tasks 5 and 6 which are not included in either of these control loops; they are tasks performing non-control operations such as I/O processing, system monitoring, and man-machine interfaces.
Performance Specifications of Control Systems
The first step in the design of a real-time control system is to specify the performance of the system. Often, the functional requirements of a given application system translate into the performance specifications. For example, in a vehicle speed control system, the functional requirements would state that the vehicle should be accelerated to a preset speed in 1 sec and to stay within a certain range of the preset speed. It is often necessary to describe system performance in a greater detail depending on which state the system is in. A physical system behaves differently whether it is in a transient state or a steady state. Figure 3 illustrates how the transient and steady states are defined. The straight line (a step function) denotes the controller input (the desired response), and the dotted line denotes the output (the actual response). In the vehicle speed control system, the input and the output are the desired and the actual vehicle speeds, respectively. In an ideal controller, there should be no difference between the input and the output. In reality, however, two factors make a difference: transient state error and steady state error. Transient state error occurs, since a physical system cannot react sufficiently fast to an abrupt and instantaneous change in its input, and only makes gradual state changes. After the transient state, the system approaches a steady state where it makes close approximations to the desired speed resulting in much smaller error. Steady state error occurs due to various factors such as the inherent structure of the physical system, disturbance, jitter, digitization effects, etc. In control engineering, the transient state response is characterized by maximum overshoot $M_{peak}$, rise time $T_{rise}$ and settling time $T_{set}$ [14]. The maximum overshoot $M_{peak}$ is defined as the maximum peak value measured from the reference input. It is common to use the maximum percent overshoot expressed as a percentage of the input value.
Rise time $T_{rise}$ is the time required for the output response to reach from the beginning to 90% (or 99%) of its input value. Settling time $T_{set}$ is the time required for the output response to approach and stay within a certain range of the input value (usually 2%). Figure 3 shows these parameters.
On the other hand, the steady state response is characterized by steady state error $E_{ss}$ which is defined as the maximum difference between the desired input and the actual output in the steady state. In most real-time controllers, the system performance is specified in terms of the four output response characteristics we defined above.
System-Level Timing Constraints
System-level timing constraints are the intermediate form of temporal requirements that we use in translating a system's performance specifications into task-level timing constraints. Note that control performance is described with the relationships between control inputs and responses, while task-level timing constraints dictate the timing behaviors of intermediate tasks. Since system-level timing constraints state the timing relationships of the system's external inputs and outputs, it is beneficial to use them as an intermediate form, rather than deriving task-level constraints directly from the performance specifications.
In this paper, we use two types of system-level timing constraints defined below.
(1) Maximum input-to-output latency: This constraint denoted MaxL( ) bounds the response time from a sensor to an output. Consider a path from 1 to 4 in Figure 2 (B). The maximum input-to-output latency denoted MaxL(1 ‖ 4) dictates that the response time from 1 to 4 should be no greater than MaxL(1 ‖ 4).
(2) Maximum loop processing period: The maximum loop processing period denoted MaxP( ) ensures that the control loop is executed often enough to maintain the quality of control.
Maximum loop processing period "MaxP(1 ‖ 4) = t ms" requires that the execution period of control loop $C_1$ in Figure 2 (B) should be no larger than t ms.
Task-Level Timing Attributes
Tasks in our approach are implemented as periodic tasks which are invoked and executed repeatedly at a fixed rate. Thus, a periodic task i has three timing attributes, namely a period, a deadline, and an execution time which are denoted $T_i$, $D_i$, and $e_i$, respectively. Among these, task periods and deadlines are timing constraints which need to be derived from the performance specification for the purpose of the schedulability analysis and system implementation. Task execution times are an important attribute of tasks which should be given to our approach as an input. In order to derive tight task execution times, we measure them using a built-in event counting capability of the Intel Pentium processor running with a 133 MHz clock [3].
Overview of the Solution Approach
Our solution approach to the timing constraint synthesis problem is a two-step process. In the first step, it accepts as inputs the analytical model of the real-time controller being built and its performance specifications, and then derives a set of constraints possessing MaxL( ) and MaxP( ) as variables. Solving these constraints, it generates intermediate system-level timing constraints. The analytical model of the real-time controller is represented with a set of functions mapping loop processing periods and latencies onto control responses. In the second step, our approach makes use of PCM to derive task-level timing constraints from the intermediate system-level timing constraints, while minimizing the system utilization. As shown in Figure 1, when PCM fails to synthesize schedulable timing constraints, our approach recomputes a different set of system-level timing constraints, and repeats the second step.
The Solution Approach
In this section, we present our approach to the problem of synthesizing task-level timing constraints. We first develop a generic real-time controller model which relates latencies and loop processing periods to control performance. Such a real-time controller model is based on the control theoretic analysis and lays a foundation for formulating the analytical model of an application system. Then, we present a heuristic algorithm which can derive task-level timing constraints subject to the given performance specifications and the schedulability constraint. Since the algorithm makes use of PCM, we give a brief overview of the method.
Modeling Discrete-Time Control Systems
After the desired system performance is specified, the first step in the design of a real-time control system is to derive its mathematical model in continuous time. A mathematical model is defined as a set of equations that collectively describe the dynamics of the system with a known accuracy. Figure 4 shows a schematic diagram of a typical feedback control system. In the figure, $r(t)$ and $c(t)$ denote input and output signals, respectively. The "−" sign denotes that the sampled actual output is fed back, and compared to the reference input by subtraction. The controller and the plant are described by two Laplace transforms $G_c(s)$ and $G_p(s)$, respectively. The next step is to convert the continuous system to a discrete system. The major difference between these two types of control systems is that a continuous controller uses continuous time inputs, while a digital controller uses digitized inputs sampled at a predetermined frequency. Figure 5 shows the schematic diagram of the digital control system corresponding to the continuous system shown in Figure 4 [15]. The most noticeable difference between those two schematic diagrams is the existence of ZOH (zero order hold). Whereas the plant needs continuous data, a digital controller periodically produces only discrete data. Thus, the ZOH constantly holds data for an entire sampling period. In order to model the effect of latency, we add a delay block to the schematic diagram in Figure 5. Now we analyze the controller model shown in Figure 6 using the z-transform Z( ). We first take the z-transform of the chain of blocks from the input to the output. (1), we obtain closed loop transfer function $G(z)$ which represents the whole system dynamics including the feedback.
From Eqs. (1) and (2), we can obtain the digitized output of $c(t)$ by taking the inverse z-transform. Using the z-transform method, we can also derive the steady state error $E_{ss}$, maximum overshoot $M_{peak}$, settling time $T_{set}$, and rise time $T_{rise}$. In general, they are represented as increasing functions of the sampling period $T_{loop}$ and the latency $L_{loop}$, as summarized below. Note that we did not develop the above controller model (functions in (3)) with any specific feedback control system in mind. Thus, if the analytical model of a feedback control system is given (which is derived anyway to build a controller), our framework can help us derive functions like the above.
A Heuristic Algorithm
After the performance requirements of an application system are specified as inequalities in (4), we have to optimize $T_{loop}$ and $L_{loop}$ subject to these inequalities and the schedulability constraint.
This makes a typical nonlinear optimization problem with a large search space. Solving this problem requires us to find a balance between sampling periods and latencies, since there is a tradeoff involved between them; in some cases, a tight period and a large latency make a desirable combination, or alternatively, a large period and a small latency do in others. Here, we propose a heuristic search algorithm for this problem.
Assume that we are given a set of control loops $\{C_1, C_2, \ldots, C_m\}$, and the performance specifications on them. In order to derive loop processing period $T_{loop,j}$ and latency $L_{loop,j}$ of a control loop $C_j$, we use a search algorithm based on iterative improvement. The algorithm is described below.
Algorithm 3.1 Derive task-level timing constraints.
Step 1 Equate loop processing period $T_{loop,j}$ and latency $L_{loop,j}$ of each controller in the system. Eliminate the latency variables in inequalities (4), by substituting them with $T_{loop,j}$.
Step 2 Compute the largest $T_{loop,j}$ from inequalities in (4).
Step 3 Plug back the derived values of $T_{loop,j}$ into inequalities in (4), and then compute the largest latency values from inequalities in (4).
Step 4 Derive the periods and deadlines of all the tasks in the system from the derived end-to-end timing constraints using PCM.
Step 5 If PCM fails to derive them, increase loop processing period $T_{loop,k}$ of the bottleneck control loop $C_k$. Go back to step 3.
Step 6 Terminate the algorithm.
[Figure caption: The iterative design procedure of a real-time control system.]
Since the performance parameters are monotonically increasing functions of $T_{loop}$ and $L_{loop}$, there are many equi-performance points. We restrict the solution space such that $L_{loop}$ $T_{loop}$ as in many practical scheduling algorithms. Thus, the algorithm begins with equating $T_{loop}$ and $L_{loop}$ in step 1. In step 2 and step 3, it derives the system-level timing constraints. Then, it determines task-level timing constraints via PCM in step 4. In step 5, it checks whether the results are schedulable. If not, it identifies a bottleneck control loop, where a bottleneck control loop is the one with the largest utilization among the control loops. After a bottleneck loop is selected, its $T_{loop}$ is increased by a unit that can be tuned according to the application. The algorithm determines a new value for $L_{loop}$ in step 3. The procedure is repeated until the resultant system is found schedulable. The algorithm is also shown pictorially in Figure 7.
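The iteration of Algorithm 3.1, as an added Python example that is not the authors' implementation. The linear overshoot model, the execution times, the step size, the restriction read as $L_{loop} \le T_{loop}$, and `schedulable_stand_in` (a Liu and Layland utilization-bound check used in place of PCM) are all assumptions; only the two overshoot bounds are taken from the case study in this paper.

```python
def largest_true(pred, lo, hi, iters=60):
    """Largest x in [lo, hi] with pred(x) true, for pred monotone (true, then false)."""
    if not pred(lo):
        return None
    if pred(hi):
        return hi
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        if pred(mid):
            lo = mid
        else:
            hi = mid
    return lo


class Loop:
    """One control loop: a performance model plus the execution times of its tasks."""

    def __init__(self, name, overshoot, max_overshoot, exec_times):
        self.name = name
        self.overshoot = overshoot          # M_peak(T_loop, L_loop), increasing in both
        self.max_overshoot = max_overshoot  # bound from the performance specification
        self.exec_times = exec_times        # e_i of the tasks in the loop, in ms
        self.T = None                       # loop processing period, ms
        self.L = None                       # input-to-output latency, ms

    def meets_spec(self, T, L):
        return self.overshoot(T, L) <= self.max_overshoot

    def utilization(self):
        return sum(self.exec_times) / self.T


def schedulable_stand_in(loops):
    """Assumed stand-in for PCM (step 4), not PCM itself: every task runs at its
    loop period, the task chain must fit in the latency budget, and total
    utilization must stay under the Liu and Layland bound n(2^(1/n) - 1)."""
    n = sum(len(c.exec_times) for c in loops)
    bound = n * (2 ** (1.0 / n) - 1)
    if any(sum(c.exec_times) > c.L for c in loops):
        return False
    return sum(c.utilization() for c in loops) <= bound


def synthesize(loops, t_max=1000.0, step=0.1, max_rounds=1000):
    """Return {loop name: (T_loop, L_loop)} or None if no schedulable setting is found."""
    # Steps 1-2: set L = T and take the largest period that still meets the spec.
    for c in loops:
        c.T = largest_true(lambda t, c=c: c.meets_spec(t, t), 1e-6, t_max)
        if c.T is None:
            return None
    for _ in range(max_rounds):
        # Step 3: with T fixed, take the largest latency (assumed L <= T).
        for c in loops:
            c.L = largest_true(lambda l, c=c: c.meets_spec(c.T, l), 0.0, c.T)
            if c.L is None:          # period now too large for any latency
                return None
        # Step 4: derive and check task-level constraints.
        if schedulable_stand_in(loops):
            return {c.name: (c.T, c.L) for c in loops}
        # Step 5: relax the period of the bottleneck (largest-utilization) loop.
        max(loops, key=Loop.utilization).T += step
    return None


def constructed_cnc_loops(x_exec=(0.4, 0.5, 0.3), y_exec=(0.5, 0.5, 0.4)):
    """Constructed input: overshoot in percent modelled as 2*T + 3*L (T, L in ms)."""
    model = lambda T, L: 2.0 * T + 3.0 * L
    return [Loop("x", model, 10.60, list(x_exec)),
            Loop("y", model, 13.89, list(y_exec))]


if __name__ == "__main__":
    for name, (T, L) in synthesize(constructed_cnc_loops()).items():
        print(f"loop {name}: T_loop = {T:.3f} ms, L_loop = {L:.3f} ms")
```

Each pass through step 5 trades latency for period: the bottleneck loop's period grows, and step 3 then returns a smaller latency that keeps the overshoot within its bound.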
Overview of Period Calibration Method
The period calibration method derives task-level timing constraints from a given task graph design of a system and the specified system-level timing constraints. Here we give a brief overview of PCM. For a more comprehensive discussion of PCM, readers are referred to [4, 9].
Steps for the Period Calibration Method. For a given task graph design possessing n tasks $\{1, 2, \ldots, n\}$ and the system-level timing constraints, PCM derives $T_i$ and $D_i$ in two steps, as below.
(Step 1) It derives a set of nonlinear constraints on task attributes $T_i$ and $D_i$ such that the derived constraints imply the original system-level timing constraints. The task model of PCM is based on the producer/consumer (P/C) model for basic communications between tasks [7]. Since the general P/C model incurs large blocking delay due to synchronization, we use harmonic periods between a producer and a consumer in PCM to reduce such blocking delay. If a consumer's period is an integer multiple of its producer's period, then the two tasks can stay "in phase" in time line possessing a common clock base. Harmonicity constraints as well as the derived inequalities form a nonlinear optimization problem.
(Step 2) It involves solving a nonlinear optimization problem which is conjectured to be an NP-hard problem. In order to reduce the amount of computation needed for the optimization problem, we use a polynomial time approximation algorithm developed in [16]. We have shown that the algorithm computes a solution with the minimum utilization in most of the cases.
Controller Design and Timing Constraint Synthesis
In this section we demonstrate how our approach can be applied to a real world system through the design of a CNC controller. We first give a brief overview of a CNC machine, and show its functional structure and task graph design. We then present the process of timing constraints derivation by way of Algorithm 3.1 and PCM.
The CNC Machine
A CNC machine is an automatic machining tool which is used to produce user-designed workpieces. As its name implies, it is equipped with a computer-based digital control system, and offers consistent, accurate, and flexible production of machine workpieces. Nowadays, CNC machines are found almost everywhere from a small rural job shop to a large manufacturing cell [13]. The most basic function of a CNC machine is motion control. A CNC machine controls several directions of motion, called axes. The CNC motion control subsystem should be able to position the cutter precisely and automatically along the reference trajectory of the machined workpiece.
The major components of the CNC motion control subsystem are controllers, servo packs, and servo motors. Of these, the controller component is the heart of a CNC machine. As plants need multiple control variables and have a high degree of performance and robustness requirements, associated control algorithms tend to be complex. Moreover, a CNC controller possesses very stringent hard real-time requirements: the sampling frequencies are very high and missed deadlines may cause over-cutting of a workpiece [13].
CNC machines have been traditionally implemented with a dedicated DSP (digital signal processing) board for the motion control subsystem. The controller is designed in a very simple fashion; a single scanning task is created which does all input readings, control law execution, and output updates in one scan. Since such an implementation involves multiple heterogeneous processors, it incurs hardware complexity, cost, and high communication overhead. With modern microprocessors offering high performance computing support at a very low cost, it becomes viable to realize the multiple functionalities of a CNC machine such as spindle control, digital I/O processing, and man-machine interface all in a single high performance microprocessor system. However, this requires abandoning the simple controller design for a multi-rate, multi-tasking system, making it a good candidate to apply our automatic method.
The CNC Controller Software
The schematic diagram of the CNC control system is shown in Figure 8. The schematic diagram of the controller and the plant is based on the mathematical models developed in [13]. As shown in the figure, there are two inputs into the controller for each of the axes. These correspond to the desired reference position, and the actual cutter location which is sampled from the motors. The motion control is effected by a controller for each of the axes. In addition, there is a disturbance estimation and monitoring subsystem, which issues a signal to the plant when the machine enters into either a large external torque or an over-cutting state.
We represent a controller design using a graph model as described in Section 2. Figure 9 (A) shows the task graph derived from the schematic diagram of Figure 8. As shown in [4], the synchronization constraint is easily guaranteed by transforming the task graph such that the synchronized inputs are read together by a common sampling server task. The transformed task graph is shown in Figure 9 (B). Roughly speaking, each shaded oval object in the schematic diagram corresponds to a task in the task graph. The plant is also drawn inside a box to show the connection between the controller software and the plant simulator. The design consists of the following elements:
$x_{pos}$ and $y_{pos}$ denote the sampled cutter location of each axis. Tasks xsmp and ysmp denote the sampling tasks reading them.
$x_{vel}$ and $y_{vel}$ are the velocities of the X axis and the Y axis motors. Task calv computes these values using $x_{pos}$ and $y_{pos}$.
Task stts monitors the state of the plant. It issues a signal to the plant when the machine enters into either a large external torque or an over-cutting state.
xctr and yctr are the controller tasks. They compute the control laws and update the controller outputs.
Timing Constraint Synthesis
We now demonstrate how we can derive the task-level timing constraints of the CNC controller via intermediate system-level timing constraints such as loop processing periods and input-to-output latencies. In doing so, we make use of the mathematical model we developed in the previous section and PCM described in [4]. As we have discussed, a CNC controller is chosen for our case study, since it is a multi-rate control system possessing hard real-time properties. The CNC controller we design has two axes (X axis and Y axis) of motion which are controlled by two control loops $C_x$ and $C_y$, respectively. The performance requirements of each control loop are specified as below. In this study we consider only steady state error and maximum overshoot.
X axis: $E_{ss}$ 0.01 unit, $M_{peak}$ 10.60%
Y axis: $E_{ss}$ 0.01 unit, $M_{peak}$ 13.89%
Given the above specifications, we derive loop processing periods ($T_{loop}^{x}$, $T_{loop}^{y}$) and latencies ($L_{loop}^{x}$, $L_{loop}^{y}$) using Algorithm 3.1. The first step in the design is to obtain the analytical models of the two control loops. However, we do not explain such an analysis in detail, since its discussion is beyond the scope of this paper. Interested readers are referred to Appendix A; we simply use the results derived there.
Using Eqs. (9) through (13) in Appendix A, we derive the loop processing periods and the latencies. Note that the steady state error is the constant value of 0.0091 in our example regardless of loop periods and latencies. Since it satisfies the above requirement (0.01), we consider the maximum overshoot alone.
As described in Algorithm 3.1, we begin with letting $T_{loop}^{x} = L_{loop}^{x}$. We substitute both $T_{loop}$ and $L_{loop}$ in Eqs. (10) and (11) with $T_{loop}^{x}$, and then we solve Eqs. (10)
On the other hand, there is the third loop in the CNC controller possessing three tasks calv, dist, and stts which monitor the system's malfunction. Since this loop does not affect control performance in a normal operating mode, its timing constraints cannot be derived from the control performance; instead, they are derived from the emergency handling requirements. We assume that the following constraints are sufficient to guarantee such emergency handling requirements.
MaxP(smp ‖ stts) = MaxL(smp ‖ stts) = 1200 µs.
Then, in step 2 of PCM, we run the algorithm in [16]. The resultant timing constraints are given in Table I. The first column of the table shows execution times of the tasks which were measured on the 133 MHz Pentium processor. The other two columns are the task periods and the task deadlines, respectively, which are derived by PCM. Since the PCM returns task periods which will lead to a system with the smallest utilization in most cases, as proved in [16], it is very likely that the task-level timing constraints are optimal for the given set of intermediate system-level timing constraints. Thus, we can assess the derived set of intermediate system-level timing constraints, simply by checking the schedulability of the system with resultant task-level timing constraints. Since PCM produces a system with task deadlines always being no greater than task periods, as shown in Table I, the deadline monotonic priority assignment is optimal for our task set. We can simply check the schedulability of the above timing constraints using the response time analysis given in [23]. If PCM failed to produce schedulable timing constraints, we would have to go back and recompute system-level timing constraints, as described in Algorithm 3.1.
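The schedulability check described above can be sketched as follows. This is an added example, not code from the paper or its tool: it applies the standard fixed-priority response time recurrence under deadline monotonic priorities, and the (C, T, D) values are constructed for illustration because Table I is not reproduced on this page; only the task names are borrowed from the text.

```python
# Constructed task set, NOT the paper's Table I: name -> (C, T, D), all in microseconds.
TASKS = {
    "smp":  (80, 1200, 200),
    "calv": (150, 1200, 500),
    "stts": (300, 1200, 1200),
    "xctr": (700, 2400, 2400),
}

def dm_order(tasks):
    """Deadline monotonic priorities: shorter relative deadline means higher priority."""
    return sorted(tasks, key=lambda n: (tasks[n][2], n))

def response_time(name, tasks):
    """Worst-case response time of `name`, or None if it exceeds the task's deadline."""
    order = dm_order(tasks)
    higher = order[:order.index(name)]
    c, _, d = tasks[name]
    r = c
    while True:
        # A higher-priority task j is released ceil(r / T_j) times in a window of length r.
        nxt = c + sum(-(-r // tasks[j][1]) * tasks[j][0] for j in higher)
        if nxt > d:
            return None   # deadline miss: iteration stopped early
        if nxt == r:
            return r      # fixed point reached
        r = nxt

def analyse(tasks):
    """Response time per task in priority order; requires 0 < C <= D <= T."""
    for c, t, d in tasks.values():
        if not (0 < c <= d <= t):
            raise ValueError("analysis assumes 0 < C <= D <= T")
    return {n: response_time(n, tasks) for n in dm_order(tasks)}

def schedulable(tasks):
    """True when every task meets its deadline under deadline monotonic priorities."""
    return all(r is not None for r in analyse(tasks).values())

if __name__ == "__main__":
    print(analyse(TASKS), schedulable(TASKS))
```

A `None` entry is the case in which the design would return to Algorithm 3.1 and recompute the system-level constraints.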
Validation through Simulation
In order to validate the analytical model of our two-axis CNC controller, and eventually the generic real-time controller model we developed, we have performed a simulation study and made a close comparison between the simulation results and the control performance we computed using the analytical model. In this section we discuss our simulation workbench, and then we present the results of our analyses.
Hardware and Software Overview
We have built a realistic CNC simulator with two Pentium PCs, as shown in Figure 10. One PC runs the controller tasks on top of SNU-ARX [6], and the other executes a plant simulator which emulates the CNC motor on MS-DOS. SNU-ARX is a light kernel which allows for fast context switches (5 µs on the 133 MHz Pentium processor). It makes it possible for us to assign very short periods to tasks incurring a small scheduling overhead. The plant simulator was implemented as an infinite loop and models the servo packs and servo motors which comprise the CNC hardware. We implemented two I/O boards, one for each PC, for fast communication between the plant and the controller. We have used cyclic executive scheduling in our controller, since it allows us to easily control test variables such as input-to-output latencies. In fact, the CNC simulator is the same workbench as we used in our previous work [9].
[Figure 10. Labels: CNC Controller; Plant Simulator; MS-DOS; Board]
Experimental Results
In our experiments, we had two test variables $T_{loop}^{x}$ and $L_{loop}^{x}$. First, we observed how the maximum overshoot changed in both the analytical model and the simulated controller as the test variables
These graphs prove that the analytical model is quite accurate if we take into account the experimental disturbances: the difference between the two responses is within about 10% of the simulated response, and the two curves are very similar in their shape. The sources of such difference are communication delay which contributes to the increase in actual latency, scheduling jitter which is not considered in our analysis, and the inaccuracy of the plant simulator. Most of all, the difference is primarily due to the plant simulator. The state-updating loop of the plant simulator is invoked every 34 µs, which is the best number we can give on a 100 MHz Pentium PC after optimizing the simulator code. However, 34 µs is still too large for the digital simulator to reflect the continuous dynamics of the servo motor.
We also observed how the loop processing period and the latency affect the output response. Figure 12 shows the controller responses of both the analytical model and the simulated controller, when $L_{loop}^{x}$ is 0.5 ms, 1.5 ms, and 2.5 ms, while $T_{loop}^{x}$ is 3 ms. Obviously, we see that the maximum overshoot and the settling time grow as the latency increases. Conversely, Figure 13 shows the controller responses, when the latency is fixed and the loop processing periods vary. As expected, the maximum overshoot grows with the loop processing period.
There is an interesting point to make: the output response when $T_{loop}^{x}$ = 3 ms and $L_{loop}^{x}$ = 1.5 ms in Figure 12 is very close to when $T_{loop}^{x}$ = 5 ms and $L_{loop}^{x}$ = 0.5 ms in Figure 13. As stated in Section 3, this implies that there is a tradeoff between loop processing periods and latencies. The search algorithm in Section 3 can be improved if it can make use of the fact that there are equi-performance pairs of a loop processing period and a latency. For example, when the system is over-utilized, we may use the (5 ms, 0.5 ms) pair to increase the period; or alternatively, when the system is unschedulable due to a tight deadline, we may use (3 ms, 1.5 ms) to increase the deadline. We are currently improving the search algorithm based on this observation.
Conclusion
We have presented an automatic design approach to synthesizing schedulable timing constraints of real-time control systems. The approach is a two-step process: (1) in the first step, it accepts the analytical model of a real-time controller and its performance specifications, and then derives intermediate system-level timing constraints such as MaxP( ) and MaxL( ); (2) in the second step, the period calibration method is used to derive task-level timing constraints such as task periods and deadlines. In this paper, we put more emphasis on the first step: we have presented a generic real-time controller model we developed based on the digital control theory, and proposed a heuristic search algorithm to optimize MaxP( ) and MaxL( ) subject to the performance specifications and schedulability constraint. We applied the approach to the design of a CNC controller, and validated it through an experimental study using simulation. This study showed that the analytical model was sufficiently accurate that it could be used to design practical real-time control systems. It also revealed that there was a tradeoff between loop processing periods and input-to-output latencies, which needed a delicate balance for the optimal control performance. However, not much attention was paid to the optimization problem; we are currently investigating the effectiveness of our heuristic method, and also looking at a better strategy.
One aspect of control performance that we have not considered in this paper is the output jitter, even though it may significantly affect control performance. Unfortunately, it is extremely difficult to mathematically analyze the output jitter. Jitter has a non-linear effect on the behaviors of a real-time control system, while control theory is mostly based on the linear system model. We are investigating solutions to address this problem.
The approach can be easily implemented into a comprehensive tool set. We have already implemented a software tool for PCM, which generates task-level timing constraints. We are also currently working to extend the tool which combines the proposed approach with PCM. The result looks very promising.
A. CNC Controller Modeling
A CNC machine is an automatic control system which produces user-designed workpieces. The input of the machine is a reference trajectory of the workpieces and the output is the trajectory of the cutter which carves metal pieces. The basic function of a CNC machine is moving the cutter through a desired trajectory. We develop a mathematical model of a CNC machine possessing two axes of motion. A control loop corresponding to an axis is modeled with a schematic diagram in Figure 14 and a set of parameters listed in Table II. These parameters were obtained from the specifications of the CNC hardware.
Given the analytical model of the CNC controller, we derive the steady state error when a unit ramp input is applied to the controller, while we derive the 100% rise time, 2% settling time, and maximum overshoot of the controller when a unit step input is applied. For the purpose of computation, we let From Eqs. (7) and (8) (%) (13) 
