Real-Time System Development:

The Programming Model of MARS ?

H. Kopetz, G. Fohler, G. Gr?unsteidl, H. Kantz, G. Pospischil, P. Puschner,

J. Reisinger, R. Schlatterbeck, W. Sch?utz, A. Vrchoticky, R. Zainlinger

Institut f?ur Technische Informatik Technische Universit?at Wien

A-1040 Vienna, Austria E-mail: [email protected]

Abstract

The systematic development of fault-tolerant realtime systems with guaranteed timeliness requires an appropriate system architecture and a rigorous design methodology. The first part of this paper describes those services of the architecture that help to simplify the work of the real-time programmer, taking MARS as an example. The second part deals with the `programming in the large' activities, i.e., the systematic derivation of task timing parameters from the requirements specification. The following core section of the paper focuses on `programming to meet a time budget' and presents the programming interface, the programming environment, and the testing and support tools. The architecture and most of the presented tools have been implemented and can be demonstrated on a faulttolerant prototype application.

1 Introduction

Distributed real-time computer systems are replacing conventional mechanical or hydraulic control systems in many applications, e.g., flight control systems in airplanes, drive by wire" systems in automobiles, and industrial process control systems. In addition to the specified functional capabilities, these applications demand predictable timeliness and specified levels of non-functional attributes, such as reliability, safety, and maintainability.

At present, the process of designing real-time systems is tedious and often unsystematic. Frequently the primary focus during the design is on the functional capabilities of the planned control system. Concerns about timeliness and dependability are usually deferred until the final testing phases, when all parts of the system have to be integrated. The application code implementing the specified transformations in the data domain is most often intertwined with the code for the synchronization of concurrent tasks and the code for error handling and recovery. As a consequence, it is very difficult to establish the timeliness of these systems by formal reasoning or by a constructive test methodology. Furthermore, minor changes in

?This work was supported in part by the ESPRIT Basic Research Project 3092 `Predictably Dependable Computing Systems', by the Austrian Science Foundation (Fonds zur F?orderung der wissenschaftlichen Forschung) under contract P8002-TEC and by the ?ONB ( ?Osterreichische Nationalbank) under project 4128.

one part of the system can have a major effect on the timeliness of some other part.

We propose a system architecture|MARS [11]| which supports a strict separation of the issues of synchronization and timeliness, data transformation, and the dependability aspects (e.g., error detection, error handling and redundancy management). We denote the sequence of processing and communication steps between an observation of the environment and a response to the environment as a real-time transaction. During the design phase the real-time transactions are refined into a sequence of task executions and message exchanges. The task dependencies are analyzed and an execution time limit for each task is established, so that all transactions can be scheduled on the given hardware resources. In the programming phase, the application programmer can focus his attention on his primary task, i.e., writing correct application programs that meet a given time budget. Error detection, error handling, and redundancy management are services of the architecture.

In our view, such a separation of issues is only possible if the system architecture is time-triggered, i.e., all system activities are initiated as a consequence of the progression of real-time. Although the occurrence of events in the environment is outside the sphere of control of the computer system, the points in time when these events are to be recognized by the computer are predetermined in a time-triggered architecture. This is in contrast to event-triggered architectures, where the system activities are initiated as a consequence of the occurrence of external or internal events.

Event-triggered real-time architectures are assumed to provide a high degree of flexibility and have therefore received considerable attention in the literature (FTPP [4], ARTS [27], MAFT [7]). Because of their event triggered nature, however, an excessive number of possible behaviors must be analyzed in order to establish timeliness guarantees. Furthermore, the implementation of active redundancy by the replication of the components is hard because of the issue of replica determinism [28, 21]. DELTA4 [1] proposes the implementation of the rather complex leader-follower" model to overcome the latter difficulty. Other eventtriggered architectures, e.g., Spring [25], do not consider the issues of fault-tolerance at all.

This paper is organized as follows. In the next section we give a short overview of MARS and describe the services provided by the architecture, such as clock