Specification and performance analysis of embedded systems with coloured petri nets  by Benders, L.P.M.
M Inlenmlle~ J~ml  
computers & 
mathematics 
PERGAMON Computers and Mathematics with Applications 37 (1999) 177-190 
Specif ication and Performance Analysis 
of Embedded Systems 
with Coloured Petri Nets 
L. P .  M. BENDERS 
Eindhoven University of Technology and Open University Heerlen 
Eindhoven University of Technology, Department ofElectrical Engineering 
Digital Information Systems Group 
EH 10.35, P.O. Box 513, 5600 MB Eindhoven, The Netherlands 
benders©natlab,  research, phil ips, tom 
Abst ract - -To  analyze synchronization, concurrency, communication protocols and system perfor- 
mance, a system level specification is modelled in a coloured Petri net. A toolbox collects information 
for the implementation, e.g., processing times, waiting times, idle times, data accesses, processing 
requests. This is illustrated with a data-link protocol system, where the disturbance on the commu-  
nication channels is modelled, too. (~) 1999 Elsevier Science Ltd. All rights reserved. 
Keywords--Embedded systems design, Coloured Petri nets. 
1. INTRODUCTION 
Many digital systems consist of general purpose processors, memory and application specific 
hardware circuits. These embedded systems very often respect constraints related to the relative 
timing of their functions. Designers make trade-offs in designing hardware and software com- 
ponents for these systems, given the set of performance goals and the hardware implementation 
technology. This design process is often called codesign, and when hardware and software are 
synthesized it is cosynthesis. 
In the beginning of the design process a designer just has a few intuitive ideas about which 
parts of the functionality have to be implemented with application specific hardware. How several 
concurrent parts of the system will synchronize and communicate is still unclear. The partitioning 
of the functionality into several concurrent parts by the designer influences the performance and 
the temporal properties. To accelerate application software, parts of the specification may be 
implemented in hardware. Programmable hardware, nowadays available on the market, makes 
this implementation easy and cheap. Design and analysis of real-time mbedded systems require 
performance estimation, and verification of functional and temporal properties to select he part 
of the specification to implement with application specific hardware. A trade-off exists between 
concurrency, implementation costs, performance and the constraints. A satisfying methodology 
and tools have yet to be developed to help make trade-offs. We are developing such a methodology. 
This methodology specifies hardware and software, but the first specification does not distin- 
guish between hardware and software [1-4]. Before starting to partition the complex embedded 
0898-1221/99/$ - see front matter. (~) 1999 Elsevier Science Ltd. All rights reserved. Typeset by .A~4S-TF_ ~
PII: S0898-1221(99)00156-X 
178 L.P.M. BENDERS 
system, it is desirable to form an idea of how to divide the system into concurrent parts and how 
to define their synchronization. Knowledge of the influence of communication patterns, of the 
communication protocol, and of the use of channels on the performance is necessary to make a 
satisfactory embedded system design. To analyze a specification, a specification language should 
model concurrent structures, synchronization, and communication easily and should be capable 
changing them easily. 
Since most embedded real-time systems are developed by designers working in the electronics 
department, we decided to tackle the trade-off problem from the electronic designer's point of 
view, to stimulate the acceptance ofour methodology. Many hardware designers specify dedicated 
hardware with VHDL, the IEEE hardware description language standard. We developed a model 
and methodology for hardware/software codesign which uses a specification language for real- 
time embedded systems based on VHDL. The methodology uses an analyzer tool based on timed 
coloured Petri net simulation. The main advantages of our approach are that the designer can 
use a structured methods, tools supporting those methods, and that he can focus on properties 
of the specification while hiding details. 
We will discuss the language TL that we developed for specification, the timed coloured Petri 
net model, the information gathered uring analysis of the specification, and an example. 
2. RELATED RESEARCH 
Several techniques are considered for system level specification: VHSIC Hardware Descrip- 
tion Language (VHDL) [5,6], SpecCharts [7], Structured Analysis, StateChart [8], Lotos, Estelle, 
SDL [9], Petri nets [10]. Usually analysis is restricted to input-output simulation, e.g., State- 
Mate [11], SDL --* VHDL [12,13], SpecChart --* VHDL [7], CSF --* VHDL [14], SA ~ VHDL [15], 
VI-IDL --* Petri nets [10] VHDL is powerful anguage for register transfer design, but lacks im- 
portant features for the system design level [16,17]. Other work on system specification can 
be found in [16,18,19]. We restrict ourselves to specification and partitioning from a hardware 
system designer's viewpoint. We have defined a specification language and a formal model. We 
try to combine the advantages of abstract synchronization-communication primitives, high level 
specification constructs, the VHDL behavior constructs and the power of coloured Petri nets, to 
build a tool to analyze specifications with respect o communication, concurrency and synchro- 
nization. The designer makes his own partitioning using this information. Then, the hardware 
description is generated in VHDL. The software specification has not yet been translated into 
another language, but since TL and VHDL are partly based on ADA, ADA would be a good 
choice. 
3. THE SPECIF ICAT ION LANGUAGE 
The main goal of our language TL (Task Level) is to simplify writing, analyzing and rear- 
ranging specifications. Therefore, we introduced several specific objects, primitives and implicit 
declarations without introducing ambiguities. The language uses different objects for every dif- 
ferent communication function and synchronization function. By distinguishing these functions, 
it is easier to analyze communication and synchronization i teractions and performance. It is 
also always clear what the function of an object is. The language uses primitives to describe 
communication or synchronization actions. A communication primitive identifies the communi- 
cation partners. They exchange their information on a channel that can be shared with several 
users. The communication on a channel is performed according to a user-specified protocol or 
one of the default protocols. The language allows easy selection of a new protocol for every 
communication channel without rewriting the specification. If no protocol is specified, a simple 
handshake protocol which prevents the loss of information, is used because of the asynchronous 
nature of the specification. The synchronization primitives lose no synchronization action unless 
Embedded Systems 179 
specified. A time-out may be specified for every execution of a communication or synchronization 
primitive. 
Synchronization objects are called events and actions. Communication objects are called 
com_data (communication data, buffer) and me_data (mutual exclusion data). Local data are 
represented by the object of class variable. The primitives to manipulate a me_data object used 
by several users assure correct access and protection of the data. Unless otherwise specified, the 
access requests for mutual exclusion data objects are granted randomly. 
We call a set of actions a task. TL has concurrent, branch, leaf, shared and interrupt asks. 
A TL concurrent task models repetitive sequential behavior. The body of a TL concurrent task 
is a sequence of sequential tasks. A sequential task is a leaf task or a branch task. These 
sequential tasks are executed one after another. After execution of the last task in the sequence 
of a concurrent task, the first task in the sequence is re-started. Since a TL leaf task models 
nonrepetitive, nonparallel sequential behavior, it is the basic design unit and consists of a block 
of sequential statements with one TL synchronization-communication primitive, usually the first 
or last statement of the block. The execution time of every leaf task is specified. 
A leaf task can call a shared task to execute a dedicated functionality. A shared task is a 
shared resource and can only service one caller at a time. The purpose of a shared task is to 
allow the designer to specify dedicated hardware. The difference between a shared task and a 
procedure call or function call is that during the execution of the shared task, the caller executes 
other tasks. 
To describe real-time features TL uses an interrupt ask, which is executed when an interrupt 
occurs. The interrupt starts a specific task called interrupt ask. The specification can describe 
several ways to handle an interrupt. An interrupt can halt the interrupted task after task com- 
pletion or immediately. After the interrupt ask execution either the interrupted task is restarted 
or some new tasks are started. The interrupt ask also describes the handling of time-outs. If 
a time-out of a communication or synchronization primitive expires, the execution of the task 
containing the primitive is halted and an interrupt ask is started. The specification tells whether 
to skip or to execute again the timed-out primitive after execution of the interrupt ask. 
A branch task models parallel sequential behavior. This task type consists of a set of branches. 
A branch is a block of sequential tasks (i.e., a sequence of leaf tasks and branch tasks). Branch 
tasks can model several types of task scheduling. The following excerpt illustrates a branch task 
called task2 with three branches. 
task l  : seq_s ta t  ; 
task2: SELECT_EXE 
-- context and declaration 
msg 
task2.1: TASK 
-- context and declaration 
BEGIN 
RECEIVE msg FROM proc_partner; 
END TASK; 
WHEN res 
task2.2: TASK 
-- context and declaration 
BEGIN 
ACCEPT res FROM proc_shared; 
END TASK; 
180 L .P .M.  BENDERS 
WHEN ev_a 
task2.3: TASK 
-- context and declaration 
BEGIN 
WAIT_EVENT ev_a; 
END TASK; 
END SELECT_EXE; 
task3 : seq_stat; 
The task2.1, the first branch, can be executed when the task proc_partner has sent a message 
to task2.1. The task2.2, the second branch, can be executed when the result of the shared task 
called proc_shared is present. The third branch is started when the event ev_a has occurred. The 
control statement select_exe checks the conditions of all three branches and starts those branches 
whose conditions are true. If none of the conditions is true, the task task3 is started. 
We conclude this section with the time semantics of TL. Each sequential data processing 
statement is executed in delta time. The result of the leaf task is given to its successor after a delay 
specified with the execution time of the leaf task. The total execution time of a task is different 
from the specified execution time, because a task may have been waiting for a synchronization r
a communication action. All TL communication and synchronization statements ake a certain 
amount of execution time, which is specified in a library. These times do not include idle or waiting 
time. A time-out is relative to the communication a d synchronization statement invocation time. 
4. THE S IMULATION MODEL 
After having written a specification we analyze timing constraints, performance, concurrency, 
sharing capabilities of the specification. Therefore, we model the specification with a timed 
coloured Petri net. The TL specification is automatically translated into Petri net descriptions• 
The Coloured Petri net (CP-net) representation allows the application of some Petri net analysis 
techniques. In Section 5 we discuss information that the tool collects during a simulation of the 
net. 
4.1. Co loured  Pet r i  Nets  in our  Mode l  
Petri nets consist of places and transitions that are connected. Places can contain tokens, 
that are processed by transitions• Petri nets [20] model concurrency, are easy to visualize, and 
have defined semantics. We use coloured Petri nets [21], because they also model dataflow, data 
transformation and make a distinction between tokens in one place. Figure 1 contains an example 
of a Petri net (circles represent places, lines transitions, underlining markings). 
PC) Q(  D 
Figure 1. An example of a coloured Pe~ri net. 
Coloured Petri nets, where tokens have a color (a type, written beside the place in Figure 1), also 
result in more compact nets than regular Petri nets. Coloured tokens have .a value that allows 
Embedded Systems 181 
one not only to model pure synchronization, but also data communication a d data processing. 
More tokens with an identical color may be in one place expressing multiple processing requests. 
Each place has its own associated color constraining the tokens allowed to occupy the place. 
The transition arc expressions describe the multi-set of tokens to pass through the arc when 
the transition fires. Arc expressions contain variables, constants, functions and operations. An 
expression must evaluate to the color belonging to the place connected to the arc. An expression 
may be conditional. Transitions can have guards (coloring functions, between square brackets 
in Figure 1), which restrict he bindings of variables in the arc expressions. A transition fires 
immediately when it is enabled. A transition is enabled, when all preceding places have tokens 
and the arc expressions evaluate to true. For the example net of Figure 1, the following colors 
and expressions are defined: 
colour  T = Integer; 
colour C -- wi th nlm[o; 
colour I = Integer; 
colour D = wi th  d; 
colour Q = with vlw; 
colour P -- product  C*I*T; 
variable x: C; 
variable i : I ; 
variable t: T; 
expl: case x of n ~ d 
m ~ 2d; --token consumption 
exp2: (x, i+t, t+l) - -data manipulat ion 
exp3: case x of n ~ 2v + 2w 
m =~ 2v + w; --multi  set expression 
exp4: if x--n then d else empty; --token production 
The Petri net that our tool builds from the TL specification visualizes the control and data 
flows. A token's presence in our model represents he control trigger or data trigger, while its 
contents represent the data processed by statements (tasks) or the state of a control trigger. We 
modeled the environment of tasks (the data objects in the scope of a task) and the state of the 
environment with color functions. The environment binds names to objects and the state binds 
objects to values. Our coloured Petri nets are extended to model temporal behavior in real-time 
system [22]. 
The coloured Petri net description is written in the language of the CP-net tool 'ExSpect', a
graphical simulation tool. Our translation tool 'TL2CPN' builds nets using a library containing 
CP-net models of all data or event processing TL statements. To simplify the measurement i  he 
analysis phase, the library CP-net models are extended with functions to calculate utilization, 
waiting times, execution times, etc. We will describe leaf and branch tasks to illustrate the 
modeling principles we have used, but first we will discuss ExSpect. 
4.2. The CP-Net  Toolset ExSpect 
ExSpect developed at Eindhoven University of Technology isa timed coloured Petri net toolbox, 
that uses a functional language to describe the nets [23,24,25]. All tokens have a time stamp. 
Besides transitions (called processors) and places (called channels) ExSpect uses systems and 
stores. An ExSpect system is a set of processors and (sub)systems, interconnected bychannels. 
ExSpect systems are used to introduce hierarchy in a specification. An ExSpect store is a special 
kind of channel that always contains one and only one token. In Figure 2 an example of a fictitious 
ExSpect specification is shown. ExSpect processors are represented by triangles, and ExSpect 
systems by squares. ExSpect channels are represented bycircles, tokens by black dots, and stores 
182 L .P .  )vl. BENDERS 
Figure 2. Coloured Petri net in ExSpect. 
(including token) by circles with a cross. The arc expressions are contained in the processors. 
An example of transition guards in ExSpect is shown in Figure 4. 
4.3. CP-Nets  Models of TL 
We restrict he discussion to the objects and the task structures of TL. Every communication, 
synchronization and me_exclusion object is represented in our model by a place that always 
contains a token. Such a token is inspected without increasing time. The color of such a place 
and thus its token defines a state field and information field. The color for a token representing 
an event has only a state field indicating the presence or absence of an event. The color for a 
mutual exclusion data token has a data field and a state field indicating whether the object is in 
use or free. When the mutually exclusion data are obtained after a request, the data are copied 
to the environment of the requester. The data contained in the token can thus be incorrect when 
the data are in use. 
The representation f a concurrent task has at least one flow token. This flow token contains 
the valid task environment and its state at that execution moment. A flow token color has several 
fields where all data objects in the task's scope are stored. The color changes when entering or 
exiting a task to update the environment. 
4.3.1. Leaf  tasks 
A TL leaf task specification is represented by an ExSpect system definition with equivalent 
behavior. The objects in the declarative part of the TL leaf task are represented by an ExSpect 
token (task-local token), that is contained in the S-channel, when the task is nonrunnable. Exe- 
cution of the instantiated system (the TL leaf task) is started when a task-global token is received 
through the interface. The task-global and the task-local token are merged into one token, the 
flow token by the EnterTask processor. 
Consider the following ExSpect code representing the system definition of TaskA. Assume that 
identifiers tTaskA represents he type of the task-local token and tProcA the task-global token. 
The identifier itTaskA represents he initial task-local token value. 
sys  TaskA [ in  Q l : tProcA,  out Q2:tProcA ] 
.= 
channel S:tTaskA init itTaskA, 
-- once-only initialisation 
EnterTask( in Q1, in S, out Pl ), 
channel PI : tProcA><tTaskA,  
-- translated TL sequential statement block -- 
channel Px:tProcA><tTaskA,  
LeaveTask( in Px, out Q2, out S ), 
where 
ProcA[ x : tProcA><tTaskA ] :- pit(x):tProcA; 
-- task-global token 
Embedded Systems 183 
TaskA[  x : tP rocA><tTaskA ] := p i2(x) : tTaskA;  
-- task - loca l  token  
-- t rans la ted  TL  express ions  -- 
end; 
As soon as a task-global token is added to interface-channel Q1, the processor EnterTask 
fires. As a result, the tokens in channels Q1 and S are removed, and the flow token is added 
to channel P1. When the flow token is added to channel P1, firing is started of a chain of 
processors representing TL leaf-task sequential statements. Functions modeling expressions in
TL statements are defined in a where-part of the ExSpect system. In the same where-part, 
functions are provided that reference the task-local and the task-global objects in the flow token. 
The where-part contains definitions, which are only valid in the processor or system that contains 
that where-part. 
When the execution of a leaf task is finished, the flow token is split again, by firing the processor 
LeaveTask. The task-global token is passed to the next task, with a delay equal to the specified 
TL leaf task execution time. The task-local token is added to the channel S, inside the leaf 
task. The S-channel now contains updated objects that will be used in the next execution. The 
S-channel initialization is only executed when the system's installation is executed for the first 
time. 
4.3.2. Branch tasks 
Parallelism for a branch task is modeled in a coloured Petri net by multiplying flow tokens to 
enable sequential tasks to be executed in parallel (Figure 3). Each branch of a branch task is 
represented by a square called Chain. At the end of branch task execution all tokens are merged 
into one token in channel P10, which is passed to the next sequential task to be executed. Branch 
task execution is started by firing the processor EnterTask, that causes merging of a task-global 
token and a task-local token into a flow token for channel P1. Then, the flow token is multiplied. 
As many tokens are generated as there are branches. Multiplying of tokens is done by several 
instantiations of the processor Branch. When the execution of all scheduled branches i finished, 
all flow tokens are merged into one flow token by several instantiations of the processor Merge. 
Unambiguous merging of flow tokens is only possible, if no field in the original flow token entering 
the branch task in P1 is assigned a new value by two or more branches. The TL semantics assure 
this. 
Figure 3. Branch task with three branches. 
The activation of the branch is modeled in the Chain. A selectoexe task executes those branches 
whose synchronization condition is true at the moment the branch task is entered. Other branches 
are simply skipped. Consider the following TL specification of a branch. The execution of tasks 
TaskA and TaskB depends on the event EvA: If event EvA equals true, then both tasks are 
executed, else they are skipped. 
184 L .P .M.  BENDERS 
EvA 
TaskA : TASK 
BEGIN 
WAIT_EVENT EvA; 
END TASK; 
TaskB : TASK 
BEGIN 
END TASK; 
Figure 4 shows the network of the Chain for a select_exe branch containing two instantiations 
of processor SyncCond. The preconditions cl and c2 implement the synchronization condition: 
e l [  EvA:bool ] := eq(EvA,true):bool; 
-- testing if EvA equals true 
c2[ EvA:boo1 ] := not(eq(EvA,true)) :boo1; 
-- testin E if false 
Each of the functions cl and c2 is passed as a parameter to a processor SyncCond. This 
processor only reads the token in channel EvA. The system TaskA changes the value of the token 
in channel EvA. 
Figure 4. Seleet_exe branch representation. 
For a TL wait.all task all branches are always executed. Execution of a branch is started as 
soon as the synchronization condition of that branch is true. The task following this branch task 
is started when all branches have been executed. For a wait_all branch, only one SyncCond is 
needed. Figure 5 contains the net of the Chain for a branch where the WAIT.EVENT EvA statement 
in the previous example of a branch is replaced by READY_IN Act statement• This action object 
Act use four states: idle, busy, ready, waiting• The precondition c is given by: 
c[ Act:num ] := eq(Act,ready):bool; 
-- test if Act state equals ready 
When channel P1 contains a flow token, while the state of action Act is not equal to ready, 
execution of processor SyncCond is suspended. As soon as the state of action Act equals ready, 
the flow token is moved to channel P2, and execution of system TaskA is started. 
A TL wait_select task is a branch task, of which the execution is suspended until at least one 
synchronization condition is true• Next, those branches are executed of which the synchronization 
condition equals true at that moment. The other branches axe skipped. The representation f a 
TL wait_select task is identical to a select_exe task, except hat one more processor SyncCond 
is added where the branch task is entered (channel P1 in Figure 4). The processor precondition 
Embedded Systems 185 
Figure 5. Wait_all task branch. 
equals the union of all branch synchronization conditions. The precondition equals true if at least 
one of the conditions of the branches equals true. 
5. PERFORMANCE ANALYS IS  
The coloured Petri net representing the TL specification is simulated using the ExSpect ool. 
Using the time stamp of a token and measuring functions implemented in the net, we basically 
collect he following information: thread information, task utilization, channel utilization, event 
utilization, me_data utilization, requests equences for channels and for shared tasks. All this 
information with the exception of the threads is displayed in bar charts. Other matters displayed 
are: the periods that tasks wait to receive an event, the periods that tasks wait until the previously 
generated event is processed before a new event can be generated, the waiting period before a 
channel access is granted, etc. Figure 6 contains ome examples. Other kinds of analysis (liveness, 
deadlock, invariants) [26] may also be performed. 
Figure 6a (activity rates of concurrent tasks) displays the number of times a task is executed 
(index 1), the total processing time (index 0), the activity time (index 2) and the waiting time 
(index 3). The activity time is defined as the time that the task performs actions. The waiting 
time is defined as the time a task waits for synchronization/communication ctions. The total 
processing time is the sum of waiting and activity times. All times are accumulated for every 
new task execution, so only averages can be calculated. Figure 6b displays the time that a TL 
communication channel chl is free (index 0), the time that the TL communication channel is 
occupied (index 1, for every user and accumulated for all users labeled with the name of the TL 
communication channel) and the time that a request is pending (index 2, for every requester and 
accumulated for all users labeled with the name of the TL communication channel). The channel 
chl in Figure 6 is used by two tasks (task1 and task2). The consequences of the partitioning into 
several concurrent units are measured and bottlenecks can be identified. 
6. EXAMPLE:  A DATA-L INK PROTOCOL SYSTEM 
As an example, the results of an ExSpect analysis are presented for a TL specification of a 
simple data-link protocol system. TL also models the communication li ks. The specification 
uses message communication, event synchronization a d mutual exclusion. 
6.1. System Specification 
The data-link protocol system consists of a sender and a receiver. Two communication channels 
connect them (Figure 7). The sender sends messages on a communication channel to the receiver, 
which acknowledges the reception on the other communication channel. During transmission, 
messages and acknowledgments may be corrupted. The sender queues the messages when they are 
received from the input. Messages to be transmitted, are sequentially read from the queue. If the 
queue is empty, the sender will stop transmission till a new message is queued. When the oldest 
message in the queue is positively acknowledged, it is removed. If it is negatively acknowledged 
or a corrupted acknowledgment is received, transmission is restarted at the oldest message in 
15(o L .F .M.  BENDERS 
~='  chl' B ' task2 '  B ' task l '  
! ! 
28 
25 
20 
15 
0 l"- 
x l  
0 1 2 
(a) Utilization charts. TL  channel chart. 
48 
I 40 
35 
I 
30 
I 25 
20 
15 
i0 
5 ! 
0 
x l  
0 I 2 3 
(b) Utilization charts. Processing rate of concurrent tasks. 
Figure 6. 
the queue. The receiver acknowledges an uncorrupted message with a posit ive acknowledgment 
and forwards the message to the output. When it receives the uncorrupted message again, only 
a positive acknowledgment is returned. The receiver that gets a corrupted message returns a 
negative acknowledgment.  
Embedded Systems 187 
- \ Msg /  Msg / - 
Dataln ~ Req v~__~ DataOut 
(a) Specification f the data-link protocol system. 
Req 
Start 
Da 
(b) Specification of the sending entity. 
Figure 7. 
This data-link protocol system is specified in the TL  tool with four entities: the sending entity, 
the receiving entity and the two communication channels. The sending entity contains three 
concurrent tasks with a mutual-exclusive message buffer (Figure 7). The task QueueMsg adds 
new messages to the queue, the task RequestMsg transmits messages out of the queue, and the 
task ConfirmMsg removes messages from the queue. 
6.2. Analysis Results 
The results were obtained with an execution cycle of three time-units for all tasks (simplifica- 
tion) and a communication channel delay of twelve time-units. Figure 9 shows the throughput 
as a function of the channel disturbance probability (1-10%), normalized to the throughput with 
the disturbance probability zero (one message per eight time-units). At a disturbance probability 
of 6%, the throughput is half the value compared to the disturbance probability zero (one message 
per 16 time-units). The results in Figure 9 (where the first bar is task QueueMsg, the second 
RequestMsg, and the third ConfirmMsg) were obtained with a channel disturbance probability 
equal to 6% (on both channels) and a messages input arrival rate of 1 message per 20 time-units. 
The processing rate (defined as the execution time of a task with respect o the total system 
execution time) suggests that the QueueMsg and ConfirmMsg can easily be allocated to one 
processing unit, without affecting the throughput. The access rates of the buffer (defined as the 
number of times that a task was granted access to the buffer with respect to the total number of 
times that access to the buffer was granted) in Figure 9 show that RequestMsg has about twice 
the access rate as the others, which should be taken into account when the control algorithm for 
buffer-access is designed. 
7. CONCLUDING REMARKS 
The TL specification language allows for flexible specification of embedded systems. The 
performance of the specified system can be analyzed with ExSpect, a coloured Petri net toolbox. 
188 L .P .M.  BENDERS 
~=Throughput 
i ! i . i i f i i i i a i i | I 
1 
0 
x0,1 
i0 15 20 25 30 35 40 45 50 55 60 65 70 75 80 85 90 
Figure 8: Normalized throughput as function of channel disturbance probability. 
l=QueueMsg i=Conf i rmMsg ~=RequestMsg 
62 
55 
5O 
45 
40 
35 
30 
25 
20 
15 
i0 
5 
(I.00 - 1.00) 
(a) Utilization charts. Buffer access rate (%). 
Figure 9. 
Embedded Systems 189 
BQueueMsg BConfirmMsg BRequestMsg 
56 
50 
45 
40 
35 
30 
25 
20 
15 
10 
5 
0 
(i.00 - 1.00) 
(b) Utilization charts. Processing rate (%). 
Figure 9. (cont.) 
The results guide the allocation of the tasks in hardware and also guide the design of a control 
algorithm for the mutual ly  exclusive message buffers. We presented a summary  of our real-time 
embedded system analysis methodology and tool. The specification language is based on VHDL 
and the analysis is based on t imed coloured Petri nets simulation. 
REFERENCES 
1. D.E. Thomas, J.K. Adams and H. Schmit, A model and methodology for hardware-software codesign, IEEE 
Design FA Test 20 (3), 6-15, (1993). 
2. M. Tabusse, System modelling with VHDL: Where hardware modelling meets oftware ngineering, In Proc. 
EDAC-EUROASIC 1993, (1993). 
3. M.P.J Stevens and F.P.M Budzelaar, System level VLSI design, In Proc. Euromicro '90, Amsterdam, pp. 321- 
329, (1990). 
4. P.T. Ward and S.J. Mellor, Structured Development of Real-Time SysSems, Volumes 1, 2 and 3, Prentice 
Hall, Englewood Cliffs, N J, (1985). 
5. M. Bauer and W. Ecker, Communication mechanism for VHDL specification and design starting at system 
level, In Proc, IFIP, VHDL Forum, Insbruck, Austria 1993, pp. 95-105, (1993). 
6. A. Jerraya, P.G. Paulin and S. Curry, Meta, VHDL for higher level controller modelling and synthesis, In 
Prec. VLSI 91, Edinburgh, (1991). 
7. F. Vahid, S. Narayan and D.D. Gajski, SpecCharts: A language for system level design, In Proc. CHDL 91, 
pp. 145-155, (1992). 
8. D. Drusinsky and D. Harel, Using StateCharts for hardware description and synthesis, IEEE trans on CAD 
8 (7), 789-807, (1989). 
9. W. Glunz, T. Rossel, T. Kruse and D. Manjou, Integrating SDL and VHDL for system level hardware design, 
In Proc. IFIP CHDL 1993, pp. 187-204, (1993). 
10. P. Eles, K. Kuchcinski, Z. Peng and M. Minea, Compiling VHDL into a high-level synthesis design represen- 
tation, In Proc. EURO-VHDL 92, Hamburg, Germany, pp. 604-109, (1992). 
11. D. Harel et al., StateMate: A working environment for the development of complex reactive systems, In Proc. 
of the Int. Conf. on Software Engineering, Vol. 16, pp. 403-413, (1988). 
190 L .P .M.  BENDERS 
12. B. Lutter, W. Glunz and F.J. Rammig, Using VHDL for simulation of SDL specifications, In Proc. Euro- 
VHDL 199,£, (1992). 
13. O. Pulkkinen and K. KronlSf, Integration of SDL and VHDL for high-level digital design, In Proc. Euro- 
VHDL I99P, pp. 624-630, (1992). 
14. lVI.T.L. Sch~ifer and W.U. Klein, Correctness verification of concurrent control specifications, In Proc. Euro- 
DAC 9P, pp. 706-712, (1992). 
15. M. Sipola, J.P. Soininen and J. Kivel~i, Systems real time analysis with VHDL generated from graphical 
SA-VHDL, In VHDL for Simulation, Synthesis and Formal Proofs of Hardware, (Edited by J. Mermet), 
pp. 73-86, Kluwer Academic, Amsterdam, (1992). 
16. M.B. Srivastava nd R.W. Broderson, Using VHDL for high-level mixed mode system simulation, IEEE 
Design ~ Test, Sept. 92, pp. 31-40, (1992). 
17. L.P.M. Benders and M.P.J. Stevens, Task level specification and communication, I  Proc. EuroMicro 199P, 
pp. 356-362, (1992). 
18. R.K. Gupta and G. De Micheli, Hardware-software cosynthesis for digital systems, IEEE Design ~ Test 20 
(3), 29--41, (1993). 
19. M.H. Salinas, B.W. Johnson and J.H. Aylor, Implementation-independent modelof an instruction set archi- 
tecture in VHDL, IEEE Design ~ Test 20 (3), 42-51, (1993). 
20. H.J Genrich and K. Lautenbach, System modelling with high-level Petri nets, Theoretical Computer Science 
13, 109-136, (1981). 
21. K. Jensen, Coloured Petri nets: A high level language for system design and analysis, In Advances in Petr~ 
Nets 1990, Lecture Notes in Computer Science, Vol. 2483, (Edited by G. Rozenberg), pp. 343-416, Springer- 
Verlag, (1991). 
22. T. Murata, Petri nets: Properties, analysis and applications, Proc. of the IEEE 77 (4), 541-580, (1989). 
23. W.M.P. Van der Aalst, Interval Timed Coloured Petri Nets and Their Analysis, Dept. of Computer Science 
and Mathematics, Eindhoven University of Technology, (1992). 
24. W.M.P. Van der Aalst, L. Somers, M. Voorhoeve and A.W. Waltmans, ExSpect 3.0 User Manual, Eindhoven, 
(1991). 
25. K.M. van Hee, L.J. Somers and M. Voorhoeve, A formal framework for distributed information systems, In 
Proc. of IFIP TC 8//WG 8.1 Working Conference on Information Systems Concepts: An In-Depth Anal- 
ysis, (Edited by E.D. Falkenberg and P. Lindgreen), Namur Belgium 1989, pp. 139-156, Elsevier Science, 
Amsterdam, (1989). 
26. K. Jensen, Coloured Petri Nets, Vol. P: Analysis Methods, Springer-Verlag, Berlin, (1995). 
