When designing complex distributed digital systems, a large number of components in the form of data processing program modules and/or electronic circuit modules are combined with one another, and each may have a different origin. The components may thus be designed by different development teams, or may be reused components or standard components. Such complex digital systems may be time-critical, since not only functional correctness, that is to say the calculation of correct values, but also compliance with given time boundary conditions must be guaranteed for the output of the calculated values. For example, maximum permissible latencies (delays or propagation times) or reaction times, for example for initiating the airbag in a car, or a minimum guaranteed data throughput rate per unit time, for example for video processing with fixed frame repetition frequencies, must be ensured. Boundary conditions such as these must be taken into account in the design of the complex distributed digital systems.
The components which are used in a design are generally developed using widely differing methods and tools, which are chosen by the developers as a function of the primary design features as well as the feasible specification languages, specification models and design tools. A conventional design of a distributed digital system is thus inherently heterogeneous in terms of its components.
The individual program and circuit modules are used to implement processes, which may compete with other processes for a resource, for example a processor. This results in a high level of mutual coupling with respect to the time response of the system, so that a basic component having data processing program modules and/or electronic circuit modules must be regarded as an entity, taking into account the process, the scheduling strategy and the processor.
It is known for the processes to be investigated by means of process analysis relating to the latencies or delay times of individual processes. In this case, it is assumed that the resources are available exclusively to the process under consideration at that time. In order to make it possible to guarantee compliance with the time boundary conditions in real-time systems in all circumstances, the analysis is based on the identification of critical situations (worst case).
In addition, the communication response of the individual process can be evaluated by means of a local analysis. The local analysis is dependent on the tools which have been used to design a basic component. It is also governed by the time response of the basic components.
Global analysis is used to determine the time response of the overall system. In this case, causal relationships between individual local basic components are identified, providing a conclusion about the internal functional sequences in the overall system. These relationships may be extracted from the knowledge about the communication response of the individual processes. However, internal sequences are not restricted to simple event and sequence chains, but often include the splitting and synchronization of the abstract system functions into parallel processes. The overall time response thus cannot be formed by simple accumulation of the execution times for the individual processes.
The time response of the overall system is also influenced by the shared use of resources. If, for example, a number of processes are intended to be executed on one processor, the access by the processes to the processor must be controlled, since only one process can ever be processed at one time. This access control or sequence planning is referred to as scheduling and is an integral part of a basic component. Furthermore, the access to jointly used communications media, such as data buses, is controlled by arbitration mechanisms in distributed systems. The influences from the scheduling and the arbitration on the time response can be recorded only by means of complex mathematical time models.
A method for local analysis of systems with static priority assignments, which is restricted to strictly periodic process activations, is described in C. L. Liu, J. W. Layland: Scheduling Algorithms for Multiprogramming in a Hard-Real-Time Environment, in: Journal of the Association for Computing Machinery, Vol. 20, No. 1, January 1973, pages 46-61. Each process has a time period which indicates the separation between two activations. The processes are regarded as being functionally independent, that is to say the processes do not communicate with one another and do not call one another. The method is based on calculation of the upper bounds (worst-case bounds) for the response times of processes. The response time of a process is in this case measured between the process call and the process end and, in addition to the core execution time which is governed by local analysis, also includes the interruptions by higher priority processes. The response time is thus the sum of the core execution time for the process and of the overall delay resulting from interruptions by other processes. The maximum response time and, in a corresponding manner, the minimum response time, can be determined mathematically by iterative solution of an appropriate equation system.
This analysis method has been extended in many ways in order to obtain guaranteed limits for other activation schemes as well. For example, K. W. Tindell: An Extendible Approach For Analyzing Fixed Priority Hard Real-Time Tasks, in: Journal of Real-Time Systems 6 (2), March 1994, pages 133 to 152 describes a local analysis method for processes with periodic activation with jitter, that is to say with a maximum permissible delay in the activation with respect to a fixed period, as well as for bundle activation with buffering.
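The iterative worst-case bound described in the two paragraphs above can be illustrated with the standard fixed-priority response-time recurrence w = C_i + Σ_j ⌈(w + J_j)/T_j⌉·C_j, R_i = J_i + w, summed over all higher-priority processes j. The following Python code is an added example, not taken from the cited papers or from the original text; it assumes deadlines no longer than periods, and the task set, names and numbers are constructed for illustration.

```python
from typing import List, NamedTuple, Optional

class Task(NamedTuple):
    name: str
    c: int      # core execution time (worst case, from local analysis)
    t: int      # activation period
    j: int = 0  # activation jitter; 0 means strictly periodic

def ceil_div(a: int, b: int) -> int:
    """Integer ceiling division, avoids floating-point rounding."""
    return -(-a // b)

def worst_case_response(tasks: List[Task], index: int) -> Optional[int]:
    """Worst-case response time of tasks[index].

    tasks must be ordered highest priority first. The deadline is assumed
    equal to the period. Returns None if the bound exceeds the deadline.
    """
    task, higher = tasks[index], tasks[:index]
    w = task.c  # start with the core execution time alone
    while True:
        # Each higher-priority process can interrupt once per activation
        # that falls into the window w, widened by its own jitter.
        interference = sum(ceil_div(w + h.j, h.t) * h.c for h in higher)
        nxt = task.c + interference
        if nxt + task.j > task.t:
            return None      # deadline missed, iteration would keep growing
        if nxt == w:
            return w + task.j  # fixed point reached
        w = nxt

def analyse(tasks: List[Task]) -> List[Optional[int]]:
    return [worst_case_response(tasks, i) for i in range(len(tasks))]

# Constructed task set: strictly periodic activation.
PERIODIC = [Task("sensor", 1, 4), Task("control", 2, 6), Task("logger", 5, 12)]
# Same set, but the highest-priority process is activated with jitter 2.
JITTERED = [Task("sensor", 1, 4, j=2), Task("control", 2, 6), Task("logger", 5, 12)]

if __name__ == "__main__":
    print("periodic:", analyse(PERIODIC))
    print("jittered:", analyse(JITTERED))
```

With strictly periodic activation the lowest-priority process just meets its period; adding jitter to the highest-priority process alone pushes it past the deadline, which is why the activation model has to be part of the analysis.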
Similar analyses for another scheduling strategy (time slice method) are described in K. Kopetz, G. Grünsteidl: TTP—A Protocol for Fault-Tolerance Real-time Systems: IEEE Trans. Computers, January 1994, pages 14 to 23, in which complex distributed systems are dealt with by means of a time-triggered protocol. The method is based on periodic event streams. The communication bandwidth is recorded statistically, and jitter nodes are analyzed in the time domain.
The activations of the processes in the basic components are based on data or events which are interchanged between the individual basic components. The event streams are represented as abstract event models, depending on the characteristic. The simplest abstract event model represents periodically recurring events by means of a single parameter, the period T (periodic). A somewhat more complex event model relates to the assumption that the events are generally cyclic, but with a varying restricted offset being permissible with respect to an exactly periodic event (jitter). Events which occur in groups are recorded using the so-called burst event model. The event model for sporadic events determines a minimum time interval between two successive events (sporadic).
These four event models which have been mentioned (cyclic, jitter, burst, sporadic) represent the most important event models. In a corresponding way, scheduling methods are known with static priorities, dynamic priority assignments as a function of maximum permissible response times, cyclic timeslot methods, in which the processor is available exclusively to each process for a certain time, etc., and analysis models exist for describing the time response (time models).
One problem that arises in the global analysis of complex distributed systems is that the local analysis methods are restricted to the individual basic components and predetermine the nature of the event models. Systems with different types of event models thus generally cannot be analyzed using a single analysis method.
Pai H. Chou, Gaetano Boriello: Synthesis and Optimization of Coordination Controllers for Distributed Embedded Systems, in: Proc. Design Automation Conference (DAC), 2000, Los Angeles, pages 410 et seq., provides a standard description of an overall system for carrying out a global analysis, which is based on process states. Critical cases relating to the overall system, which is obtained from the cross-product of the individual process states, must be identified for analysis. With complex systems, this has the disadvantage that it leads to a state space explosion, with the consequence that overall analysis is virtually impossible.