
Real Time Systems and Programming Languages Ada 95 Real Time Java and Real Time POSIX 3rd Edition by Alan Burns, Andy Wellings ISBN 0201729881 9780201729887

The document provides information about various ebooks related to real-time systems and programming languages, including titles by Alan Burns and Andy Wellings. It includes links to download these ebooks and highlights additional recommended products in the same field. The content also features a brief overview of real-time systems, their characteristics, and programming languages used for development.

Uploaded by

epeniquash

Real-Time Systems and Programming Languages

INTERNATIONAL COMPUTER SCIENCE SERIES
Consulting Editor A D McGettrick, University of Strathclyde

SELECTED TITLES IN THE SERIES

Concurrent Systems: An Integrated Approach to Operating Systems, Database, and Distributed Systems (2nd edn) J Bacon
Programming Language Essentials H E Bal and D Grune
Programming in Ada 95 (2nd edn) J G P Barnes
Java Gently (3rd edn) J Bishop
Software Design D Budgen
Concurrent Programming A Burns and G Davies
Real-Time Systems and Programming Languages: Ada 95, Real-Time Java and Real-Time POSIX (3rd edn) A Burns and A J Wellings
Comparative Programming Languages (3rd edn) Wilson and Clark, updated by Clark
Distributed Systems: Concepts and Design (3rd edn) G Coulouris, J Dollimore and T Kindberg
Principles of Object-Oriented Software Development (2nd edn) A Eliëns
Fortran 90 Programming T M R Ellis, I R Philips and T M Lahey
Program Verification N Francez
Introduction to Programming using SML M Hansen and H Rischel
Functional C P Hartel and H Muller
Ada 95 for C and C++ Programmers S Johnston
Algorithms and Data Structures: Design, Correctness, Analysis (2nd edn) J Kingston
Introductory Logic and Sets for Computer Scientists N Nissanke
Human-Computer Interaction J Preece et al.
Algorithms: a Functional Programming Approach F Rabhi and G Lapalme
Ada 95 From the Beginning (3rd edn) J Skansholm
C++ From the Beginning J Skansholm
Java From the Beginning J Skansholm
Software Engineering (6th edn) I Sommerville
Object-Oriented Programming in Eiffel (2nd edn) P Thomas and R Weedon
Miranda: The Craft of Functional Programming S Thompson
Haskell: The Craft of Functional Programming (2nd edn) S Thompson
Discrete Mathematics for Computer Scientists (2nd edn) J K Truss
Compiler Design R Wilhelm and D Maurer
Discover Delphi: Programming Principles Explained S Williams and S Walmsley
Software Engineering with B J B Wordsworth

Real-Time Systems and Programming Languages

Ada, Real-Time Java and C/Real-Time POSIX

Fourth Edition

Alan Burns and Andy Wellings

University of York

ADDISON-WESLEY
An imprint of Pearson Education
Harlow, England - London - New York - Boston - San Francisco - Toronto - Sydney - Singapore - Hong Kong - Tokyo - Seoul - Taipei - New Delhi - Cape Town - Madrid - Mexico City - Amsterdam - Munich - Paris - Milan

Pearson Education Limited
Edinburgh Gate
Harlow
Essex CM20 2JE
England
and Associated Companies throughout the world

Visit us on the World Wide Web at: www.pearsoned.co.uk

First published 1989
Second edition 1997
Third edition 2001
Fourth edition published 2009

© Pearson Education Limited 1989, 2009

The rights of Alan Burns and Andy Wellings to be identified as authors of this work have been asserted by them in accordance with the Copyright, Designs and Patents Act 1988.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without either the prior written permission of the publisher or a licence permitting restricted copying in the United Kingdom issued by the Copyright Licensing Agency Ltd, Saffron House, 6-10 Kirby Street, London EC1N 8TS.

All trademarks used herein are the property of their respective owners. The use of any trademark in this text does not vest in the author or publisher any trademark ownership rights in such trademarks, nor does the use of such trademarks imply any affiliation with or endorsement of this book by such owners.

ISBN: 978-0-321-41745-9

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library

Library of Congress Cataloging-in-Publication Data
A catalogue record for this book can be obtained from the Library of Congress

10 9 8 7 6 5 4 3 2 1
13 12 11 10 09

Typeset in 10/12 Times Roman by 73
Printed in Great Britain by Henry Ling Ltd., at the Dorset Press, Dorchester, Dorset

The publisher's policy is to use paper manufactured from sustainable forests.

Contents

Preface

1 Introduction to real-time systems
1.1 Definition of a real-time system
1.2 Examples of real-time systems
1.3 Characteristics of real-time systems
1.4 Development cycle for real-time systems
1.5 Languages for programming real-time systems
Summary
Further reading
Exercises

2 Reliability and fault tolerance
2.1 Reliability, failure and faults
2.2 Failure modes
2.3 Fault prevention and fault tolerance
2.4 N-version programming
2.5 Software dynamic redundancy
2.6 The recovery block approach to software fault tolerance
2.7 A comparison between N-version programming and recovery blocks
2.8 Dynamic redundancy and exceptions
2.9 Measuring and predicting the reliability of software
2.10 Safety, reliability and dependability
Summary
Further reading
Exercises

3 Exceptions and exception handling
3.1 Exception handling in older real-time languages
3.2 Modern exception handling
3.3 Exception handling in Ada, Java and C
3.4 Recovery blocks and exceptions
Summary
Further reading
Exercises

4 Concurrent programming
4.1 Processes and tasks/threads
4.2 Concurrent execution
4.3 Task representation
4.4 Concurrent execution in Ada
4.5 Concurrent execution in Java
4.6 Concurrent execution in C/Real-Time POSIX
4.7 Multiprocessor and distributed systems
4.8 A simple embedded system
4.9 Language-supported versus operating-system-supported concurrency
Summary
Further reading
Exercises

5 Shared variable-based synchronization and communication
5.1 Mutual exclusion and condition synchronization
5.2 Busy waiting
5.3 Suspend and resume
5.4 Semaphores
5.5 Conditional critical regions
5.6 Monitors
5.7 Mutexes and condition variables in C/Real-Time POSIX
5.8 Protected objects in Ada
5.9 Synchronized methods in Java
5.10 Shared memory multiprocessors
5.11 Simple embedded system revisited
Summary
Further reading
Exercises

6 Message-based synchronization and communication
6.1 Process synchronization
6.2 Task naming and message structure
6.3 Message passing in Ada
6.4 Selective waiting
6.5 The Ada select statement
6.6 Non-determinism, selective waiting and synchronization primitives
6.7 C/Real-Time POSIX message queues
6.8 Distributed systems
6.9 Simple embedded system revisited
Summary
Further reading
Exercises

7 Atomic actions, concurrent tasks and reliability
7.1 Atomic actions
7.2 Atomic actions in C/Real-Time POSIX, Ada and Real-Time Java
7.3 Recoverable atomic actions
7.4 Asynchronous notification
7.5 Asynchronous notification in C/Real-Time POSIX
7.6 Asynchronous notification in Ada
7.7 Asynchronous notification in Real-Time Java
Summary
Further reading
Exercises

8 Resource control
8.1 Resource control and atomic actions
8.2 Resource management
8.3 Expressive power and ease of use
8.4 The requeue facility
8.5 Asymmetric naming and security
8.6 Resource usage
8.7 Deadlock
Summary
Further reading
Exercises

9 Real-time facilities
9.1 The notion of time
9.2 Access to a clock
9.3 Delaying a task
9.4 Programming timeouts
9.5 Specifying timing requirements
9.6 Temporal scopes
Summary
Further reading
Exercises

10 Programming real-time abstractions
10.1 Real-time tasks
10.2 Programming periodic activities
10.3 Programming aperiodic and sporadic activities
10.4 The role of real-time events and their handlers
10.5 Controlling input and output jitter
10.6 Other approaches for supporting temporal scopes
Summary
Further reading
Exercises

11 Scheduling real-time systems
11.1 The cyclic executive approach
11.2 Task-based scheduling
11.3 Fixed-priority scheduling (FPS)
11.4 Utilization-based schedulability tests for FPS
11.5 Response time analysis (RTA) for FPS
11.6 Sporadic and aperiodic tasks
11.7 Task systems with D < T
11.8 Task interactions and blocking
11.9 Priority ceiling protocols
11.10 An extendible task model for FPS
11.11 Earliest deadline first (EDF) scheduling
11.12 Dynamic systems and online analysis
11.13 Worst-case execution time
11.14 Multiprocessor scheduling
11.15 Scheduling for power-aware systems
11.16 Incorporating system overheads
Summary
Further reading
Exercises

12 Programming schedulable systems
12.1 Programming cyclic executives
12.2 Programming preemptive priority-based systems
12.3 Ada and fixed-priority scheduling
12.4 The Ada Ravenscar profile
12.5 Dynamic priorities and other Ada facilities
12.6 C/Real-Time POSIX and fixed-priority scheduling
12.7 Real-Time Java and fixed-priority scheduling
12.8 Programming EDF systems
12.9 Mixed scheduling
Summary
Further reading
Exercises

13 Tolerating timing faults
13.1 Dynamic redundancy and timing faults
13.2 Deadline miss detection
13.3 Overrun of worst-case execution time
13.4 Overrun of sporadic events
13.5 Overrun of resource usage
13.6 Damage confinement
13.7 Error recovery
Summary
Further reading
Exercises

14 Low-level programming
14.1 Hardware input/output mechanisms
14.2 Language requirements
14.3 Ada
14.4 Real-Time Java
14.5 C and older real-time languages
14.6 Scheduling device drivers
14.7 Memory management
Summary
Further reading
Exercises

15 Mine control case study
15.1 Mine drainage
15.2 The HRT-HOOD design method
15.3 The logical architecture design
15.4 The physical architecture design
15.5 Translation to Ada
15.6 Translation to Real-Time Java
15.7 Fault tolerance and distribution
Summary
Further reading
Exercises

16 Conclusions

References

Index

Supporting resources

Visit www.pearsoned.co.uk/burns to find valuable online resources

For instructors

• Solutions to exercises
• Example examination questions
• Code fragments
• PowerPoint slides

For more information please contact your local Pearson Education sales representative or visit www.pearsoned.co.uk/burns

List of Figures

1.1 A fluid control system.
1.2 A process control system.
1.3 A production control system.
1.4 A command and control system.
1.5 A typical embedded system.
1.6 A simple controller.
1.7 A simple computerized controller.
1.8 Aspects of real-time systems.

2.1 Fault, error, failure, fault chain.
2.2 Failure mode classification.
2.3 Graceful degradation and recovery in an air traffic control system.
2.4 N-version programming.
2.5 Consistent comparison problem with three versions.
2.6 The domino effect.
2.7 Recovery block mechanism.
2.8 An ideal fault-tolerant component.
2.9 Aspects of dependability.
2.10 Dependability terminology.
2.11 Concurrent execution of four processes for Exercise 2.5.

3.1 The resumption model.
3.2 The termination model.
3.3 The Java predefined Throwable class hierarchy.

4.1 Simple state diagram for a task.
4.2 State diagram for a task.
4.3 Fork and join.
4.4 Cobegin.
4.5 A simple embedded system.

5.1 State diagram for a task.

6.1 The relationship between client and server in an RPC.
6.2 The Object Management Architecture Model.

7.1 Nested atomic actions.
7.2 The structure of an action controller.
7.3 Using the action controller.
7.4 An exception in a nested atomic action.
7.5 Simple state transition diagram for a conversation.
7.6 Simple state transition diagram illustrating forward error recovery.

8.1 A network router.

9.1 Delay times.
9.2 Temporal scopes.

10.1 A simple task with input and output jitter constraints.
10.2 Three threads implementing input and output jitter constraints.
10.3 The Logical Execution Time model.

11.1 Time—line for task set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366 »

11.2 Time—linefor task set A. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372


11.3 Gantt chart for task set A. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
11.4 Time—linefor task set C. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
11.5 Gantt chart for task set D. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
11.6 Example of priority inversion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
11.7 Example of priority inheritance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
11.8 Example of priority inheritance ~

OCPP. . . . . . . . . . . . . . . . . . . . . . . . . . 388
11.9 Example of priority inheritance —

ICPP. . . . . . . . . . . . . . . . . . . . . . . . . . . 389
11.10 Releases of sporadic tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
11.11 PDC example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
11.12 Overheads when executing tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
11.13 The behaviour of four periodic tasks in Exercise 11.4. . . . . . . . . . . . . . 422

14.1 Architecture with separate buses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496


14.2 Mem0ry—mapped
architecture. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496

15.1 A mine drainage control system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534


15.2 Graph showing external devices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
15.3 First-level component decomposition of the control system. . . . . . . . . 540
15.4 Pumpcontrol 1 er related interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
15.5 Other defined interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
15.6 Hierarchical decomposition of the ?umpController object. . . . . . 542
15.7 Decomposition of the Highlowwatersensors. . . . . . . . . . . . . . . . . 543
15.8 Hierarchical decomposition of the iEnvironmentMonitor. . . . . . . 544
15.9 State transition diagram for the motor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
Preface

In 1981, a software error caused a stationary robot to move suddenly and with impressive
speed to the edge of its operational area. A nearby worker was crushed to death.

This is just one example of the hazards of embedded real-time systems. It is
unfortunately not an isolated incident. Every month the newsletter Software Engineering
Notes has pages of examples of events in which the malfunctioning of real-time systems
has put the public or the environment at risk. What these sobering descriptions illustrate
is that there is a need to take a system-wide view of embedded systems. Indeed it can
be argued that there is the requirement for real-time systems to be recognized as a
distinct engineering discipline. This book is a contribution towards the development of
this discipline. It cannot, of course, cover all the topics that are apposite to the study of
real-time systems engineering; it does, however, present a comprehensive description
and assessment of the programming languages and operating system standards used in
this domain. Particular emphasis is placed on language primitives and their role in the
production of reliable, safe and dependable software.

Audience
The book is aimed at Final Year and Masters students in Computer Science and related
disciplines. It has also been written with the professional software engineer, and
real-time systems engineer, in mind. Readers are assumed to have knowledge of sequential
programming languages and some prior experience of C, Java and Ada, and to be familiar
with the basic tenets of software engineering. The material presented reflects the content
of courses developed over a number of years by the authors at various universities and
for industry. These courses specifically address real-time systems and programming
languages.

Structure and content


In order to give the chapters continuity, three programming languages are considered in
detail: Ada, Java and C. These languages have been chosen because they are actually used
for software production. As C is a sequential language, it is used in conjunction with the
POSIX family of operating system interfaces (in particular, the real-time extensions). To
emphasize this, it will be referred to as C/Real-Time POSIX. As Java was not originally
intended to be used for real-time systems development it must be augmented with the
facilities of the Real-Time Specification for Java (RTSJ). To emphasize this, it will be
referred to as Real-Time Java. Ada was designed for real-time systems development.
Other theoretical or experimental languages are discussed when they offer primitives
not available within the core languages. Practitioners who are primarily interested in
only one of these languages should find sufficient material for their needs. The authors
believe that a full appreciation of a language like Ada or Java, say, can only be obtained
through a comparative study of their facilities.
In all, the book contains 16 chapters, the first 8 of which are loosely organized
into the following three groups. Chapter 1 represents an extended introduction. The
characteristics and requirements of real-time systems are presented, then an overview
of the design of such systems is given. Design is not the primary focus of this book;
nevertheless, it is important to discuss implementation within an appropriate context.
Chapters 2 and 3 concern themselves with the production of reliable software
components. Although consideration is given to fault prevention, attention is primarily
focused on fault tolerance. Both forward and backward error recovery techniques are
considered. The use of an exception-handling facility is discussed in Chapter 3. Both
resumption and termination models are described, as are the language primitives found
in Ada and Java.
Real-time systems are inherently concurrent, and therefore the study of this aspect
of programming languages is fundamental. Chapter 4 introduces the notions of process,
task and thread and reviews the many different models that are used by language and
operating system designers. The term task is used generically to represent a concurrent
activity. Communication between tasks is considered in the following two chapters.
Firstly shared-variable methods are described including the use of semaphores, monitors,
mutexes and protected objects. Message-based models are also important in modern
languages; combining as they do communication and synchronization. These models are
covered in Chapter 6. Particular attention is given to the rendezvous primitives of Ada.
It is debatable whether issues of reliability or concurrency should have been con-
sidered first within the book. Both authors have experimented with reversing the order
and have found little to choose between the two possible approaches. The book can in
fact be used in either mode with only one or two topics being ‘out of place’. The de-
cision to cover reliability first reflects the authors’ belief that safety is the predominant
requirement of real-time systems.
The next grouping incorporates Chapters 7 and 8. In general, the relationship
between system tasks can be described as either cooperating (to achieve a common goal)
or competing (to acquire a shared resource). Chapter 7 extends the earlier discussions
on fault tolerance by describing how reliable task cooperation can be programmed.
Central to this discussion is the notion of an atomic action and asynchronous notification
techniques. Competing processes are considered in the following chapter. An assessment
is given of different language features. One important topic here is the distinction between
conditional and avoidance synchronization within the concurrency model.
Temporal requirements constitute the distinguishing characteristic of real-time
systems. It is therefore appropriate that a large portion of the book focuses on how to
meet them. Chapter 9 introduces the notions of time and clocks, along with the role of
temporal scopes for specifying timing constraints. Chapter 10 then shows the common
programming abstractions that are used to represent these constraints. Ensuring that
timing constraints can be met at run-time requires real-time scheduling. Hard real-time
systems have timing constraints that must be satisfied; soft systems can occasionally fail
to perform adequately. The mathematical analysis that underpins real-time scheduling is
covered in Chapter 11: both priority and deadline-based scheduling is considered. The
support provided for programming schedulable systems is then covered in Chapter 12.
Chapter 13 brings together fault tolerance and real-time, focusing on the options available
to the programmer when timing faults occur at run-time.
One important requirement of many real-time systems is that they incorporate
external devices that must be programmed (that is, controlled) as part of the application
software. This low-level programming is at variance with the abstract approach to
software production that characterizes software engineering. Chapter 14 considers ways in
which low-level facilities can be successfully incorporated into high-level languages.
The final major chapter of the book is a case study. An example from a mine
control system is used. Inevitably a single scaled down study cannot illustrate all the
issues covered in the previous chapters; in particular factors such as size and complexity
are not addressed. Nevertheless, the case study does cover many important aspects of
real-time systems.
All chapters have summaries and further reading lists. Most also have lists of
exercises. These have been chosen to help readers consolidate their understanding of the
material presented in each chapter. They mostly represent exercises that have been used
by the authors for assessment purposes.

Ada, Java and C


The Ada examples in this book conform to the Ada 2005 ISO/ANSI standard. The Java
examples conform to the Java 5 platform along with the Real-Time Specification for
Java extensions (Version 1.0.2). The C examples conform to ANSI C, and the POSIX
primitives are those given in the IEEE Std 1003.1, 2004 Edition.
To facilitate easy identification of the three languages, different presentation styles
are used. Ada is presented with keywords in bold lower case; program identifiers are given
in mixed case. C has keywords unbolded and identifiers in lower case. To distinguish
Java from C, Java keywords are bolded and identifiers are mixed case.

Changes from the Third Edition


Over the last 20 years, real-time technology has advanced considerably. Consequently
this book has been creeping up in size. The fourth edition has added significant new
material, and, as a result, we have restructured the book to remove some of the material
that can be found elsewhere.

• The material on design has been pruned and incorporated into the Introduction.
  The advent of the UML real-time profile meant that we could no longer give this
  topic the attention it deserved. As design issues are not our focus, we decided it
  was best to cover less.

• The material on programming in the small and large, which provided the
  introduction to sequential programming in C, Java and Ada has been removed completely.
  We felt that the material is best served by specialist books on programming in
  these languages.

• We have removed discussions of occam2 and Modula to an appendix that can be
  obtained from the book’s web page. Although these languages are no longer in
  widespread use, we believe they are historically important.

• The chapter on Distributed Systems has been removed, and the main topics have
  been distributed throughout other chapters in the book. Again, we felt that we were
  unable to do justice to this topic, but did not want to lose some of the important
  real-time issues.

• The removal of occam2 from the book left the Execution Environment chapter
  weak, so again we have removed it and distributed the remaining material
  throughout the book, mainly to Chapter 14.

• The main new material has been introduced into the part of the book that focuses
  on timing issues. What was previously two chapters has now been expanded into
  five chapters.

We have also updated throughout our treatment of Ada, Real-Time Java and C/Real-Time
POSIX to reflect the recent revisions to the associated definitions and standards.

Teaching Aids

This text is supported by further material available via the following WWW site:

http://www.pearsoned.co.uk/burns

Overhead projection foil layouts are available for many parts of the book. Also available
are solutions to some of the exercises. We will, over time, add further exercises, and
where appropriate new examples and additional teaching material. Teachers/lecturers
who make use of this book are invited to contribute to these web pages.

Real-Time Systems Research at York

Alan Burns and Andy Wellings are members of the Real-Time Systems Research Group
in the Department of Computer Science at the University of York (UK). This group
undertakes research into all aspects of the design, implementation and analysis of
real-time systems.
Specifically, the group is addressing: formal and structured methods for development,
scheduling theories, reuse, language design, kernel design, communication protocols,
distributed and parallel architectures, and program code analysis. The aim of the
group is to undertake fundamental research, and to bring into engineering practice
modern techniques, methods and tools. Areas of application of our work include space and
avionic systems, engine controllers, vehicle control and multi-media systems. Further
information about the group’s activities can be found via:

http://www.cs.york.ac.uk/rts

Acknowledgements for the First Edition


The material in this book has been developed over the last five years and presented to many
third year and MSc students at the Universities of Bradford and York, taking Computer
Science or Electronics degrees. We would like to acknowledge their contribution to the
end product, for without them this book would never have been written.
Many people have read and commented on a first draft of the book. In particular
we would like to thank: Martin Atkins, Chris Hoggarth, Andy Hutcheon, Andrew Lister
and Jim Welsh. We would also like to thank our colleagues at our respective Universities
for providing us with a stimulating environment and for many enlightening discussions,
particularly Ljerka Beus-Dukic, Geoff Davies, John McDermid, Gary Morgan, Rick
Pack, Rob Stone and Hussein Zedan.
During 1988 Alan Burns was on sabbatical at the Universities of Queensland and
Houston. We would like to thank all staff at these institutions particularly Andrew Lister,
Charles McKay and Pat Rogers.
This book would not have been possible without the use of electronic mail over
JANET. We would like to thank the Computer Board of the United Kingdom University
Grants Council and the Science and Engineering Research Council for providing this
invaluable service.
Finally we would like to give special thanks to Sylvia Holmes and Carol Burns.
Sylvia for the many hours she has spent painstakingly proof reading the final manuscript,
and Carol for the many evenings she has tolerated our meetings and discussions.

Acknowledgements for the Second Edition

Many people have helped in the production of the Second Edition of this book. In
particular we would like to thank: Alejandro Alonso, Angel Alvarez, Sergio Arevalo,
Neil Audsley, Martin Dorey, Michael Gonzalez Harbour, Stuart Mitchell, Gary Morgan,
Offer Pazy and Juan de la Puente.

Acknowledgements for the Third Edition


We would like to thank the Real-Time Java Expert Group for the open manner in which
they have developed the Real-Time Java Specification. Thanks are also due to Angel
Alvarez, Jose Alvarez, Neil Audsley, Iain Bate, Jorge Diaz-Herrera, David Duke, Alan
Grigg, Ian Hayes, George Lima, Greg Murphy, Peter Puschner and Pat Rogers who all
provided us with help, of one form or another, during the writing of this edition.
We also wish to acknowledge the very helpful comments given by the technical
reviewers, Jorge Díaz-Herrera, Jorgen Hansson and Robert Holton, on the first draft of
this edition.
Finally, we would like to thank all those people who gave us comments on the
Second Edition of the book.

Acknowledgements for the Fourth Edition

We would like to thank all those people who gave us comments on the Third Edition of
the book, particularly Yolande Berbers. We also wish to thank the other members of the
Ada Rapporteur Group, the Technical Interpretation Committee for the Real-Time
Specification for Java (particularly Peter Dibble), and the Java Expert Groups (JSR 282 and
301) for their help in understanding the nuances of Ada and Real-Time Java. Sanjoy
Barauh, Michael Gonzalez Harbour and Bev Littlewood have also given us invaluable help
with multiprocessor scheduling, Real-Time POSIX and software reliability estimations,
respectively.
We would like to acknowledge the past and present members of the Real-Time
Systems Group at York for their continuing contribution to the material presented.
Finally, a special thanks go to all the students who have taken our Real-Time
Systems module as part of their degree course at York. Their continuous comments and
criticisms have helped keep us on our toes!

Alan Burns & Andy Wellings


April 2009
Chapter 1
Introduction to real-time systems

1.1 Definition of a real-time system
1.2 Examples of real-time systems
1.3 Characteristics of real-time systems
1.4 Development cycle for real-time systems
1.5 Languages for programming real-time systems
Summary
Further reading
Exercises

As computers become smaller, faster, more reliable and cheaper, so their range
of application widens. Built initially as equation solvers, their influence has
extended into all walks of life, from washing machines to air traffic control. One
of the fastest expanding areas of computer exploitation is that involving
applications whose prime function is not that of information processing, but which
nevertheless require information processing in order to carry out their prime
function. A microprocessor-controlled washing machine is a good example of
such a system. Here, the prime function is to wash clothes; however, depending
on the type of clothes to be washed, different ‘wash programs’ must be
executed. These types of computer applications are generically called real-time or
embedded. It has been estimated that 99% of the worldwide production of
microprocessors is used in embedded systems. These embedded systems place
particular requirements on the computer languages needed to program them,
as they have different characteristics from the more traditional information
processing systems.
This book is concerned with embedded computer systems and their
programming languages. It studies the particular characteristics of these systems
and discusses how modern real-time programming languages and operating
systems have evolved. In order to give the chapters continuity, three
programming languages are considered in detail: Ada, Java and C. These languages
have been chosen because they are actually used for software production. As
C is a sequential language, it is used in conjunction with the POSIX family of
operating system interfaces (in particular, the real-time extensions). To
emphasize this, it will be referred to as C/Real-Time POSIX. As Java was not originally
intended to be used for real-time systems development it must be augmented
with the facilities of the Real-Time Specification for Java (RTSJ). To emphasize
this, it will be referred to as Real-Time Java. Ada was designed for systems
development; however, some of its libraries (for example, the Real_Time
package) are optional. Here we assume these libraries are supported.

1.1 Definition of a real-time system


Before proceeding further, it is worth trying to define the phrase ‘real-time system’
more precisely. There are many interpretations of the exact nature of a real-time system;
however, they all have in common the notion of response time, the time taken for
the system to generate output from some associated input. The Oxford Dictionary of
Computing gives the following definition of a real-time system:

Any system in which the time at which output is produced is significant. This
is usually because the input corresponds to some movement in the physical
world, and the output has to relate to that same movement. The lag from input
time to output time must be sufficiently small for acceptable timeliness.

Here, the word ‘timeliness’ is taken in the context of the total system. For example,
in a missile guidance system, output is required within a few milliseconds, whereas
in a computer-controlled car assembly line, the response may be required only within
a second. To illustrate the various ways in which ‘real-time’ systems are defined, two
further definitions will be given. Young (1982) defines a real-time system to be:

any information processing activity or system which has to respond to
externally generated input stimuli within a finite and specified period.

Another definition is (Randell et al., 1995):

A real-time system is a system that is required to react to stimuli from the
environment (including the passage of physical time) within time intervals
dictated by the environment.

In their most general sense, all these definitions cover a very wide range of computer
activities. For example, an operating system like Windows may be considered
real-time in that when a user enters a command he or she will expect a response within
a few seconds. Fortunately, it is usually not a disaster if the response is not forthcoming.
These types of system can be distinguished from those where failure to respond can
be considered just as bad as a wrong response. Indeed, for some, it is this aspect that
distinguishes a real-time system from others where response time is important but not
crucial. Consequently, the correctness of a real-time system depends not only on the
logical result of the computation, but also on the time at which the results are produced.

Practitioners in the field of real-time computer system design often distinguish between
hard and soft real-time systems. Hard real-time systems are those where it is absolutely
imperative that responses occur within the specified deadline. Soft real-time systems are
those where response times are important but the system will still function correctly if
deadlines are occasionally missed. Soft systems can themselves be distinguished from
interactive ones in which there are no explicit deadlines. For example, the flight control
system of a combat aircraft is a hard real-time system because a missed deadline could
lead to a catastrophe, whereas a data acquisition system for a process control application
is soft, as it may be defined to sample an input sensor at regular intervals but to tolerate
intermittent delays. Of course, many systems will have both hard and soft real-time
subsystems. Indeed, some services may have both a soft and a hard deadline. For example,
a response to some warning event may have a soft deadline of 50 ms (for an optimally
efficient reaction) and a hard deadline of 200 ms (to guarantee that no damage to
equipment or personnel takes place). Between 50 ms and 200 ms, the ‘value’ (or utility) of
the output decreases.
As these definitions and examples illustrate, the use of the term ‘soft’ does not
imply a single type of requirement, but incorporates a number of different properties.
For example:

• the deadline can be missed occasionally (typically with an upper limit of misses
  within a defined interval);
• the service can occasionally be delivered late (again, with an upper limit on
  tardiness).

A deadline that can be missed occasionally, but in which there is no benefit from late
delivery, is called firm. In some real-time systems, optional firm components may be
given probabilistic requirements (for example, a hard service must produce an output
every 300 ms; at least 80% of the time this output will be produced by a firm component,
X; on other occasions, a hard, but functionally much simpler component, Y, will be used).
In this book, the term ‘real-time system’ is used to mean both soft and hard
real-time. Where discussion is concerned specifically with hard real-time systems, the term
‘hard real-time’ will be used explicitly.
In a hard or soft real-time system, the computer is usually interfaced directly to
some physical equipment and is dedicated to monitoring or controlling the operation of
that equipment. A key feature of all these applications is the role of the computer as
an information processing component within a larger engineering system. It is for this
reason that such applications have become known as embedded computer systems.
Another means of classifying the role that time has in real-time systems is to
distinguish between reactive systems and time-aware systems. Time-aware systems
make explicit references to the time frame of the enclosing environment. For example,
if a bank safe’s doors are to be locked from midnight to nine o’clock in the morning then
these absolute time values must be available to the system. By comparison, a reactive
system is typically concerned with relative times: an output has to be produced within 50
ms of an associated input. The key requirement of a reactive system is that it ‘keeps up
with the environment’. Often reactive systems are also control systems and hence they
need to be synchronized with their environment. In particular, input sampling and output
signalling must be done very regularly with controlled variability; there is a need to
bound what is called input jitter and output jitter.


In order for reactive systems to ‘keep up with their environment’ they are often
structured to be time-triggered. All computation activities are periodic in that they have
a defined cycle time, for example 50 ms, and are released for execution by an internal
clock. The alternative to time-triggered is event-triggered in which the environment
explicitly controls (perhaps via an interrupt) the release for execution of some software
activity. These activities are termed aperiodic or, if there is a bound on how often the
releasing event can occur in any time interval, sporadic. Many systems will contain
periodic and sporadic activities. However, some design approaches restrict the software
architecture so that there are only time-triggered activities; ‘events’ must be polled for
(that is, examined via a periodic activity).
Again, in this book a broad definition of ‘real-time system’ is assumed. The term
is taken to include reactive and time-aware systems that may have both time-triggered
and event-triggered invocations of work. Periodic, aperiodic and sporadic activities are
all likely to be present in the same system.
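
The following C sketch is an added illustration, not code from the book. It models the restricted architecture described above, in which events are polled for by a periodic activity, and shows that detection delay stays below the cycle time and that a sporadic bound at least as long as the cycle keeps every poll down to one event. The 50 ms cycle is the text's example; the event traces, function names and the rule that a poll sees an event raised at the same instant are assumptions.

```c
#include <stdio.h>
#include <stddef.h>

/* Cycle time of the polling activity: the 50 ms figure is the text's example. */
#define PERIOD_MS 50L

/* Constructed event traces (ms since start, sorted ascending); not measurements. */
static const long BURSTY[]   = {12, 49, 50, 51, 130, 171, 199};
static const long SPORADIC[] = {5, 60, 110, 200, 251};
#define N_BURSTY   (sizeof BURSTY / sizeof BURSTY[0])
#define N_SPORADIC (sizeof SPORADIC / sizeof SPORADIC[0])

/* Release time of the first poll at or after an event raised at t_ms >= 0.
 * Polls are released by the internal clock at 0, period, 2*period, ...
 * Assumption: a poll released at the same instant as an event observes it. */
long poll_time_ms(long t_ms, long period_ms)
{
    return ((t_ms + period_ms - 1) / period_ms) * period_ms;
}

/* Worst delay between an event being raised and the poll that observes it. */
long worst_detection_delay_ms(const long *ev, size_t n, long period_ms)
{
    long worst = 0;
    for (size_t i = 0; i < n; i++) {
        long d = poll_time_ms(ev[i], period_ms) - ev[i];
        if (d > worst)
            worst = d;
    }
    return worst;
}

/* Returns 1 if consecutive events are always at least min_sep_ms apart,
 * i.e. the trace honours a sporadic bound on how often the event can occur. */
int respects_min_separation(const long *ev, size_t n, long min_sep_ms)
{
    for (size_t i = 1; i < n; i++)
        if (ev[i] - ev[i - 1] < min_sep_ms)
            return 0;
    return 1;
}

/* Number of polls that find more than one pending event. With a single
 * "event pending" flag instead of a queue, such polls would lose events. */
size_t crowded_polls(const long *ev, size_t n, long period_ms)
{
    size_t crowded = 0, in_poll = 0;
    long current = -1;
    for (size_t i = 0; i < n; i++) {
        long p = poll_time_ms(ev[i], period_ms);
        if (p != current) {          /* first event seen by a new poll */
            current = p;
            in_poll = 0;
        }
        if (++in_poll == 2)          /* count each crowded poll once */
            crowded++;
    }
    return crowded;
}

static void report(const char *name, const long *ev, size_t n)
{
    printf("%-8s sporadic(>=%ld ms)=%d worst delay=%ld ms crowded polls=%zu\n",
           name, PERIOD_MS,
           respects_min_separation(ev, n, PERIOD_MS),
           worst_detection_delay_ms(ev, n, PERIOD_MS),
           crowded_polls(ev, n, PERIOD_MS));
}

int main(void)
{
    report("bursty", BURSTY, N_BURSTY);
    report("sporadic", SPORADIC, N_SPORADIC);
    return 0;
}
```

Both traces have a worst detection delay of 49 ms, one tick short of the cycle time, but only the bursty trace produces polls that see several events at once.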

1.2 Examples of real-time systems


Having defined what is meant by a real-time system, some examples of their use are
now given.

1.2.1 Process control

The first use of a computer as a component in a larger engineering system occurred in the
process control industry in the early 1960s. Nowadays, the use of microprocessors is the
norm. Consider the simple example shown in Figure 1.1, where the computer performs
a single activity: that of ensuring an even flow of liquid in a pipe by controlling a valve.
On detecting an increase in flow, the computer must respond by altering the valve angle;
this response must occur within a finite period if the equipment at the receiving end of
the pipe is not to become overloaded. Note that the actual response may involve quite a
complex computation in order to calculate the new valve angle.

[Figure 1.1 A fluid control system. Labels: flow meter, processing, output valve angle, time, valve, computer.]

This example shows just one component of a larger control system. Figure 1.2
illustrates the role of a real-time computer embedded in a complete process control
environment. The computer interacts with the equipment using sensors and actuators. A
valve is an example of an actuator, and a temperature or pressure transducer is an example
of a sensor. (A transducer is a device that generates an electrical signal that is proportional
to the physical quantity being measured.) The computer controls the operation of the
sensors and actuators to ensure that the correct plant operations are performed at the
appropriate times. Where necessary, analog-to-digital (and digital-to-analog) converters
must be inserted between the controlled process and the computer.

[Figure 1.2 A process control system. Labels: operator console, process control computer, chemicals and materials, valve, temperature transducer, stirrer.]

1.2.2 Manufacturing
The use of computers in manufacturing has become essential in order that production
costs can be kept low and productivity increased. Computers have enabled the integration
of the entire manufacturing process from product design to fabrication. It is in the area
of production control that embedded systems are best illustrated. Figure 1.3
diagrammatically represents the role of the production control computer in the manufacturing
process. The physical system consists of a variety of mechanical devices, such as
machine tools, manipulators and conveyor belts, all of which need to be controlled and
coordinated by the computer.

[Figure 1.3 A production control system. Labels: operator console, production control computer, machine tools, manipulators, conveyor belts.]

A modern manufacturing control system will employ a wide range of robots. These
will again need to be controlled and coordinated, but they are also autonomous real-time
systems in their own right. They have large numbers of sensors (for example proximity
indicators), many moving parts that need controlling and often vision subsystems that
require considerable computational power. When mobile robots and humans operate in
the same physical space then there are considerable safety issues that dictate that at least
part of the robots’ functions are hard real-time.

1.2.3 Communication, command and control


Although communication, command and control is a military term, there is a wide range
of disparate applications which exhibit similar characteristics; for example, airline
seat reservation, medical facilities for automatic patient care, air traffic control,
remote bank accounting and large-scale manufacturing plants. Each of these time-aware
systems consists of a complex set of policies, information gathering devices and
administrative procedures which enable decisions to be supported, and provide the
means by which they can be implemented. Often, the information gathering devices and
the instruments required for implementing decisions are distributed over a wide
geographical area. Figure 1.4 diagrammatically represents such a system.

Figure 1.4 A command and control system.

1.2.4 A typical embedded real-time system

In each of the examples shown above, the computer is interfaced directly to physical
equipment in the real world, and is reacting to changes in this environment. In order
to control these real-world devices, the computer will need to sample the measurement
devices at regular intervals (i.e. periodic activities); a real-time clock is
therefore required. Usually there is also an operator’s console to allow for manual
intervention. The human operator is kept constantly informed of the state of the
system by displays of various types, including graphical ones.

Records of the system’s state changes are also kept in a database which can be
interrogated by the operators, either for a postmortem (in the case of a system
crash), or to provide information for administrative purposes. Indeed, this
information is increasingly being used to support decision making in the day-to-day
running of systems. For example, in the chemical and process industries, plant
monitoring is essential for maximizing economic advantages rather than simply
maximizing production. Decisions concerning production at one plant may have serious
repercussions for other plants at remote sites, particularly when the products of one
process are being used as raw material for another.

A typical large embedded real-time computer system can, therefore, be represented by
Figure 1.5. The software which controls the operations of the system can be written in
modules which reflect the physical nature of the environment. Usually there will be a
module which contains the algorithms necessary for physically controlling the devices;
a module responsible for recording the system’s state changes; a module to retrieve
and display those changes; and a module to interact with the operator.

Figure 1.5 A typical embedded system.

1.2.5 Multi-media systems

Entertainment systems such as radios, televisions, stereo systems, video systems and
games of various kinds are all real-time systems in which the temporal requirements
are determined by the perception and cognition of human users. There are clear
requirements on visual frame rates, sound/picture synchronization and response times
(to, for example, joystick movements) that must be satisfied if the quality of the
human experience is not to be noticeably compromised. Multi-media systems in which
many of these entertainment media are integrated with each other and with services
such as phone communications, email interactions, internet searches, news updates, and
the streaming of audio and video content from remote servers pose significant
challenges for developers. There is an economic imperative to manufacture these
systems at minimum cost, but the quality of the user experience must be maintained and
this means that the temporal requirements have to be central to the development
process. From the design of special purpose on-chip units (for example, video
decoders) to the choice of communication subsystems and the implementation of the
software control components, the need to manipulate significant volumes of digital
data within tight timing deadlines is the key engineering challenge.

The development of these multi-media home-based systems is one noticeable application
area for real-time systems, but such fixed systems are not the only commodities under
development. There is an increasing need to allow devices to be mobile whilst still
linked to communication services. The mobile phone is evolving into a general-purpose
essential accessory that supports most of the technologies of the fixed system
together with new emerging services such as providing a means of paying for goods in
shops, an aid to personal security and/or surveillance and of course a camera and
general-purpose recording device. The one single defining property of all mobile
systems is that they are indeed mobile; they rely on batteries for power. And
batteries have finite life which adds to the challenges of developing these complex
real-time systems.

1.2.6 Cyber-physical systems


A relatively new application area for real-time systems comes from the linking of
digital information systems, such as that furnished by the internet, and real-time
data collection typified by networks of sensors. This coupling of what is usually
called the cyber world with the physical world has naturally led to the term
cyber-physical systems. An example of a cyber-physical service is an adaptive
navigation aid. Here there is a link between a detailed digitalized (and static) road
map and traffic flow information that is being sensed at key locations on the roads.
This traffic information is clearly real-time and dynamic. The navigational aid can
potentially use sophisticated traffic flow models to predict future problems and
advise as to the least congested route. This advice will diminish in usefulness as the
data on which it is based becomes stale. Hence the need to update the advice as new
data becomes available.

Cyber-physical systems may operate over wide areas, perhaps even globally, involve
many computational elements and communication services, and have access to enormous
volumes of real-time data. In the traffic system, consider the quantity of data
generated if all junctions on all roads in Europe (or the USA or China) are sensing
traffic flow (in all directions) and feeding this data into the internet. The sensing
component of the cyber-physical system may be quite simple, for example a temperature
sensor, or be a significant entity in its own right, such as a camera permanently
viewing some scene. The local sensory system must, in this case, decide whether raw
data or a processed (simpler) form of the data is fed into the digital world.

A cyber-physical system is likely to have real-time requirements that range from the
millisecond level for the sensing activity to minutes or even hours for the
applications that are built upon the amalgamation of the dynamic and static data. It
should be clear to all readers, who have presumably spent time ‘on the net’, that the
current internet with its simple protocols and architecture cannot guarantee real-time
behaviour. Future enhancements (or alternatives) to the internet are, however, likely
to respond to the challenges of cyber-physical systems and provide QoS (Quality of
Service) that does provide real-time guarantees even if the guarantees are not
absolute (hard) but have a high level of probability associated with them.

1.3 Characteristics of real-time systems


A real-time system possesses many special characteristics (either inherent or imposed)
which are identified in the following sections. Clearly, not all real-time systems
will exhibit all these characteristics; however, any general-purpose language (and
operating system) which is to be used for the effective programming of real-time
systems must have facilities which support these characteristics.

1.3.1 Real-time facilities

Response time is crucial in any embedded system. Unfortunately, it is very difficult
to design and implement systems which will guarantee that the appropriate output will
be generated at the appropriate times under all possible conditions. It is often
impossible to do this, and make full use of all computing resources at all times. For
this reason, real-time systems are usually constructed using processors with
considerable spare capacity, thereby ensuring that ‘worst-case behaviour’ does not
produce any unwelcome delays during critical periods of the systems’ operations.

Given adequate processing power, language and run-time support are required to enable
the programmer to:

• specify times at which actions are to be performed;
• specify times by which actions are to be completed;
• support repeating (periodic or aperiodic) work;
• control (i.e. bound) the jitter on input and output operations;
• respond to situations where not all of the timing requirements can be met;
• respond to situations where the timing requirements are changed dynamically.

These are called real-time control facilities. They enable the program to synchronize
with time itself. For example, with direct digital control algorithms it is necessary
to sample readings from sensors at certain periods of the day, for example, 2 p.m.,
3 p.m. and so on, or at regular intervals, for instance, every 5 seconds (with control
systems, sample rates can vary from a few hundred hertz to several hundred megahertz).
As a result of these readings, other actions will need to be performed. In an electric
power station, it is necessary at 6 p.m. on Monday to Friday each week to increase the
supply of electricity to domestic consumers. This is in response to the peak in demand
caused by families returning home from work, turning on lights, cooking dinner and so
on. In recent years in the UK, the demand for domestic electricity reaches a peak
immediately after high-profile sporting events, when millions of viewers leave their
living rooms, turn on lights in the kitchen and switch on the kettle in order to make
a cup of tea or coffee.

An example of a dynamic change to the timing requirements of a system can be found in
an aircraft flight control system. If an aircraft has experienced depressurization,
there is an immediate need for all computing resources to be given over to handling
the emergency. More normally, the moves from taxiing to taking off to climbing and
then to cruising all involve changes to the basic operation of the flight control
system. These changes, which are generally known as mode changes, also have
consequences for the temporal characteristics of the executing software.

In order to meet response times, it is necessary for a system’s behaviour to be
predictable. Chapters 9-12 consider the facilities and techniques used to obtain
predictable program behaviour.
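
An added example (not code from the book) of the timing facilities listed earlier in
this section, written in C against the Real-Time POSIX clock interface: a task is
released at absolute times, each job is checked against a deadline, release jitter is
recorded, and an overrun is handled by dropping stale releases. The names task_params,
task_stats, run_periodic, fast_job and slow_job, the 2 ms period and the 1 ms deadline
are assumptions made for the illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L  /* expose clock_nanosleep() and CLOCK_MONOTONIC */
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define NS_PER_SEC 1000000000LL

typedef struct {
    int64_t period_ns;    /* time between successive releases */
    int64_t deadline_ns;  /* completion deadline, relative to each release */
} task_params;

typedef struct {
    unsigned jobs_run;               /* jobs executed */
    unsigned deadline_misses;        /* jobs finishing after release + deadline */
    unsigned releases_skipped;       /* releases dropped to resynchronise */
    int64_t  max_release_jitter_ns;  /* worst (wake-up time - nominal release) */
    int64_t  elapsed_ns;             /* wall-clock time for the whole run */
} task_stats;

typedef void (*job_fn)(unsigned k);

static int64_t now_ns(void)
{
    struct timespec t;
    clock_gettime(CLOCK_MONOTONIC, &t);
    return (int64_t)t.tv_sec * NS_PER_SEC + t.tv_nsec;
}

/* Sleep until an absolute instant; restart if a signal interrupts the sleep. */
static void sleep_until(int64_t t_ns)
{
    struct timespec ts;
    ts.tv_sec = (time_t)(t_ns / NS_PER_SEC);
    ts.tv_nsec = (long)(t_ns % NS_PER_SEC);
    while (clock_nanosleep(CLOCK_MONOTONIC, TIMER_ABSTIME, &ts, NULL) == EINTR)
        ;
}

task_stats run_periodic(task_params p, unsigned n_jobs, job_fn job)
{
    task_stats s = {0};
    const int64_t start = now_ns();
    int64_t release = start + p.period_ns;     /* first nominal release time */

    for (unsigned k = 0; k < n_jobs; k++) {
        sleep_until(release);                  /* time AT which the job runs */
        int64_t jitter = now_ns() - release;   /* lateness of the wake-up */
        if (jitter > s.max_release_jitter_ns)
            s.max_release_jitter_ns = jitter;

        job(k);
        s.jobs_run++;

        int64_t finished = now_ns();
        if (finished > release + p.deadline_ns) /* time BY which it must end */
            s.deadline_misses++;

        /* The next release is derived from the previous nominal release, not
           from the finishing time, so execution time never accumulates as drift. */
        release += p.period_ns;
        /* Overrun policy chosen for this example: drop releases already past. */
        while (release <= finished) {
            release += p.period_ns;
            s.releases_skipped++;
        }
    }
    s.elapsed_ns = now_ns() - start;
    return s;
}

/* Constructed sample jobs: one trivially short, one that always overruns. */
static void fast_job(unsigned k) { (void)k; }
static void slow_job(unsigned k) { (void)k; sleep_until(now_ns() + 3000000LL); }

int main(void)
{
    task_params p = { 2000000LL, 1000000LL };  /* 2 ms period, 1 ms deadline */
    task_stats a = run_periodic(p, 5, fast_job);
    task_stats b = run_periodic(p, 5, slow_job);
    printf("fast: misses=%u skipped=%u max jitter=%lld ns\n",
           a.deadline_misses, a.releases_skipped, (long long)a.max_release_jitter_ns);
    printf("slow: misses=%u skipped=%u max jitter=%lld ns\n",
           b.deadline_misses, b.releases_skipped, (long long)b.max_release_jitter_ns);
    return 0;
}
```

The jitter figure reported on a general-purpose kernel is only an observation; bounding
it requires a real-time scheduling policy and priority, which this example does not set.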

1.3.2 Concurrent control of separate system components


An embedded system will tend to consist of computers and several coexisting external
elements with which the computer programs must interact simultaneously. It is the very
nature of these external real-world elements that they exist in parallel. In our
typical embedded computer example, the program has to interact with an engineering
system (which will consist of many parallel activities such as robots, conveyor belts,
sensors, actuators and so on) and the computer’s display devices, the operator’s
console, the database and the real-time clock. Fortunately, the speed of a modern
computer is usually such that these actions may be carried out in sequence but give
the illusion of being simultaneous. In some embedded systems, however, this may not be
the case, for example where the data is to be collected and processed at various
geographically distributed sites, or where the response time of the individual
components cannot be met by a single computer. In these cases, it is necessary to
consider distributed and multiprocessor embedded systems.

A major problem associated with the production of software for systems which exhibit
concurrency is how to express that concurrency in the structure of the program. One
approach is to leave it all up to the programmer who must construct his/her system so
that it involves the cyclic execution of a program sequence to handle the various
concurrent tasks. There are several reasons, however, why this is inadvisable.

• It complicates the programmer’s already difficult task and involves him or her in
  considerations of structures which are irrelevant to the control of the tasks in
  hand.
• The resulting program is more obscure and inelegant.
• It makes proving program correctness more difficult.
• It makes decomposition of the problem more complex.
• Parallel execution of the program on more than one processor is much more difficult
  to achieve.
• The placement of code to deal with faults is more problematic.

Older real-time programming languages, for example, RTL/2 and Coral 66, relied on
operating system support for concurrency; and C is usually associated with Unix, Linux
or POSIX. However, the more modern languages, such as Ada and Java, have direct
support for general concurrent programming.

Although concurrency is a fundamental characteristic of real-time systems, different
types of systems need different facilities. For reactive control systems with hard
timing constraints, but relatively straightforward behaviour, it is sufficient to
constrain each concurrent activity to be of the form:

    input data
    required computations with no external interactions
    output data

For more complicated systems, the input and output activities cannot be separated from
the computational part. Only during the computation activity itself will it be
possible to determine the external data that is needed (for example from another
activity, a shared database or from some interface into the environment).

In Chapters 4, 5 and 6, various models of concurrent programming are considered in
detail. Attention is then focused, in the following two chapters, on achieving
reliable communication and synchronization between concurrent processes in the
presence of design errors.

1.3.3 Low-level programming


The nature of embedded systems requires the computer components to interact with the
external world. They need to monitor sensors and control actuators for a wide variety
of real-world devices. These devices interface to the computer via input and output
registers, and their operational requirements are device- and computer-dependent.
Devices may also generate interrupts to signal to the processor that certain
operations have been performed or that error conditions have arisen.

In the past, the interfacing to devices has either been left under the control of the
operating system, or has required the application programmer to resort to assembly
language inserts to control and manipulate the registers and interrupts. Nowadays,
because of the variety of devices and the time-critical nature of their associated
interactions, their control must often be direct, and not through a layer of operating
system functions. Furthermore, reliability requirements argue against the use of
low-level programming techniques.

Since real-time systems are time-critical, efficiency of implementation will be more
important than in other systems. It is interesting that one of the main benefits of
using a high-level language is that it enables the programmer to abstract away from
implementation details, and to concentrate on solving the problem at hand.
Unfortunately, the embedded computer systems programmer cannot afford this luxury. He
or she must be constantly concerned with the cost of using particular language
features. For example, if a response to some input is required within a microsecond
there is no point in using a language feature whose execution takes a millisecond!

It was noted earlier that a significant number of embedded systems are now mobile and
rely on batteries for power. Efficient implementation can reduce the load on the
processor, and memory, and lead to lowering of processor speed and the subsequent
reduction in battery usage. Typically, halving of processor speed leads to a
quadrupling of the life of the battery.

In Chapter 14, the facilities provided by real-time programming languages which enable
the specification of device registers and interrupt control will be considered. The
role of the execution environment in providing efficient and predictable
implementations will also be examined.

1.3.4 Support for numerical computation


As was noted earlier, many real-time systems involve the control of some engineering
activity. Figure 1.6 exemplifies a simple control system. The controlled entity, the
plant, has a vector of output variables, y, that change over time, hence y(t). These
outputs are compared with the desired (or reference) signal r(t) to produce an error
signal, e(t). The controller uses this error vector to change the input variables to
the plant, u(t). For a very simple system, the controller can be an analog device
working on a continuous signal.

Figure 1.6 A simple controller.

Figure 1.6 illustrates a feedback controller. This is the most common form, but
feed-forward controllers are also used. In order to calculate what changes must be
made to the input variables, so that a desirable effect on the output vector takes
place, it is necessary to have a mathematical model of the plant. The derivation of
these models is the concern of the distinct discipline of control theory. Often a
plant is modelled as a set of first-order differential equations. These link the
output of the system with the internal state of the plant and its input variables.
Changing the output of the plant involves solving these equations to give required
input values. Most physical systems exhibit inertia, so that change is not
instantaneous. A real-time requirement to move to a new set point within a fixed time
period will add to the complexity of the manipulations needed, both to the
mathematical model and to the physical system. The fact that, in reality, linear
first-order equations are only an approximation to the actual characteristics of the
system also presents complications.

Because of these difficulties, the complexity of the model, and the number of distinct
(but not independent) inputs and outputs, most controllers are implemented as digital
computers. The introduction of a digital component into the system changes the nature
of the control cycle. Figure 1.7 is an adaptation of the earlier model. Items marked
with a * are now discrete values; the sample and hold operation being carried out by
an analog-to-digital converter, both converters being under the direct control of the
computer.

Figure 1.7 A simple computerized controller.

Within the computer, the differential equations can be solved by numerical techniques,
although the algorithms themselves need to be adapted to take into account the fact
that plant outputs are now being sampled. The design of control algorithms is a topic
outside the scope of this book; the implementation of these algorithms is, however, of
direct concern. They can be mathematically complex and require a high degree of
precision. A fundamental requirement of a real-time programming language, therefore,
is the ability to manipulate real or floating-point numbers. Fortunately most
engineering languages do provide the necessary abstractions in this area. There are
standards for floating-point arithmetic that fully specify the required output of
floating-point computations even when there are overflows, underflow, etc.
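
An added example (not code from the book) of the computerized control cycle described
above: the plant output is sampled, the error against the reference is formed, and the
computed input is held until the next sample. It assumes a single first-order plant
(tau * dy/dt = -y + gain * u with tau = 1 s and gain = 1) and a proportional-plus-integral
control law with gains chosen for the illustration; running the same law at two sample
periods shows why the algorithm has to account for sampling.

```c
#include <stdio.h>

#define SUBSTEPS 100  /* Euler sub-steps used to integrate the plant between samples */

/* Assumed plant: one first-order ODE, tau * dy/dt = -y + gain * u. */
typedef struct { double tau, gain, y; } plant;

/* Integrate the continuous plant over dt seconds with u held constant,
   as the digital-to-analog converter holds it between samples. */
static void plant_advance(plant *p, double u, double dt)
{
    double h = dt / SUBSTEPS;
    for (int i = 0; i < SUBSTEPS; i++)
        p->y += h * (-p->y + p->gain * u) / p->tau;
}

typedef struct {
    double final_y;     /* sampled plant output y* at the last sample instant */
    double peak_abs_y;  /* largest |y*| seen at any sample instant */
    int    settled_at;  /* first sample from which |e*| stays <= tol, or -1 */
} run_result;

/* One control cycle per sample period T:
   y* = sample(y), e* = r - y*, u* = kp*e* + integral term, hold u* for T. */
run_result control_run(double T, double kp, double ki, double r,
                       int n_samples, double tol)
{
    plant p = { 1.0, 1.0, 0.0 };          /* tau = 1 s, gain = 1, y(0) = 0 */
    run_result res = { 0.0, 0.0, -1 };
    double integ = 0.0;                   /* accumulated ki * T * e* */
    int last_outside = -1;                /* last sample with |e*| > tol */

    for (int k = 0; k < n_samples; k++) {
        double y_s = p.y;                 /* A/D conversion: sample and hold */
        double e_s = r - y_s;             /* error signal */
        double u_s = kp * e_s + integ;    /* new plant input */
        integ += ki * T * e_s;

        double mag = y_s < 0.0 ? -y_s : y_s;
        if (mag > res.peak_abs_y)
            res.peak_abs_y = mag;
        if (e_s > tol || e_s < -tol)
            last_outside = k;
        res.final_y = y_s;

        plant_advance(&p, u_s, T);        /* D/A holds u* for one period */
    }
    if (last_outside < n_samples - 1)
        res.settled_at = last_outside + 1;
    return res;
}

int main(void)
{
    /* Same gains and set point; only the sample period differs. */
    run_result fast = control_run(0.05, 2.0, 2.0, 1.0, 400, 0.02);
    run_result slow = control_run(2.0, 2.0, 2.0, 1.0, 50, 0.02);
    printf("T=0.05 s: final y=%.4f, settled at sample %d\n",
           fast.final_y, fast.settled_at);
    printf("T=2.00 s: final y=%.4g, peak |y|=%.4g, settled at sample %d\n",
           slow.final_y, slow.peak_abs_y, slow.settled_at);
    return 0;
}
```

With a 50 ms sample period the output settles on the set point; with a 2 s period the
unchanged control law drives the sampled loop unstable, so a requirement to reach a set
point within a fixed time also constrains the sampling rate.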

1.3.5 Large and complex


It is often said that most of the problems associated with developing software are
those related to size and complexity. Writing small programs presents no significant
problems as they can be designed, coded, maintained and understood by a single person.
If that person leaves the company or institution using the software, then someone else
can learn the program in a relatively short period of time. Indeed, for these
programs, there is an art or craft to their construction and small is beautiful.

Unfortunately, not all software exhibits this most desirable characteristic of
smallness. Lehman and Belady (1985), in attempting to characterize large systems,
reject the simple and perhaps intuitive notion that largeness is simply proportional
to attributes such as: the number of instructions, lines of code or modules making up
a program and to algorithmic complexity. Instead, they relate largeness to variety,
and the degree of largeness to the amount of variety. Traditional indicators such as
number of instructions and development effort are, therefore, just symptoms of
variety.

The variety is that of needs and activities in the real world and their reflection in
a program. But the real world is continuously changing. It is evolving. So too are,
therefore, the needs and activities of society. Thus large programs, like all complex
systems, must continuously evolve.

Embedded systems by their definition must respond to real-world events. The variety
associated with these events must be catered for; the programs will, therefore, tend
to exhibit the undesirable property of largeness. Inherent in the above definition of
largeness is the notion of continuous change. The cost of redesigning or rewriting
software to respond to the continuously changing requirements of the real world is
prohibitive. Therefore real-time systems undergo constant maintenance and enhancements
during their lifetimes. They must be extensible.

Although real-time software is often complex, features provided by real-time languages
and environments enable these complex systems to be broken down into smaller
components which can be managed effectively. The use of abstract data types, classes
and objects, generic components, Application Program Interfaces (APIs) and interfaces,
and separate compilation are all language features that engineering languages provide
to manage this software complexity.

1.3.6 Extremely reliable and safe

The more society relinquishes control of its vital functions to computers, the more
imperative it becomes that those computers do not fail. The failure of a system
involved in automatic fund transfer between banks can lead to millions of dollars
being lost irretrievably; a faulty component in electricity generation could result in
the failure of a vital life-support system in an intensive care unit; and the
premature shutdown of a chemical plant could cause expensive damage to equipment or
environmental harm. These somewhat dramatic examples illustrate that computer hardware
and software must be reliable and safe. Even in hostile environments, such as those
found in military applications, it must be possible to design and implement systems
that will fail only in a controlled way. Furthermore, where operator interaction is
required, care must be taken in the design of the interface in order to minimize the
possibility of human error.

The sheer size and complexity of real-time systems exacerbate the reliability problem;
not only must expected difficulties inherent in the application be taken into account,
but also those introduced by faulty software design.

In Chapters 2 and 3, the problems of producing reliable and safe software will be
considered along with the facilities that languages have introduced to cope with both
expected and unexpected error conditions. The issue is examined further in Chapters 7
and 13.

1.3.7 Structure of the book

The characteristics of real-time systems outlined in these short sections introduce
the topics that are covered in this book. In Chapters 2 and 3, the problems of
producing reliable and safe software will be considered along with the facilities that
languages have introduced to cope with both expected and unexpected error conditions.
The issue is examined further in Chapters 7 and 13.

In Chapters 4, 5 and 6, various models of concurrent programming are considered in
detail. Attention is then focused, in the following two chapters, on achieving
reliable communication and synchronization between concurrent processes in the
presence of design errors. Support for real-time abstractions is discussed in Chapters
9, 10 and 11, together, in Chapter 12, with the language facilities that assist in the
scheduling of time-critical operations. The techniques used to detect and recover from
timing failures are considered in Chapter 13.

In Chapter 14, the facilities provided by real-time programming languages which enable
the specification of device registers and interrupt control are considered, along with
the role of the execution environment in providing efficient and predictable
implementations.

Finally in Chapter 15 a case study, that brings together many of the key issues of the
book, is developed.

The remainder of this introductory chapter outlines a number of other important issues
whose detailed consideration is nevertheless beyond the scope of this book. In
particular the development cycle (i.e. requirements specification, design,
implementation and testing) is introduced and a number of general language topics are
summarized. These discussions provide the backdrop to the detailed treatments in the
following chapters and help deal with the size and complexity problems inherent in the
development of most real-time systems.

1.4 Development cycle for real-time systems


Clearly, the most important stage in the development of any real-time system is the
generation of a consistent design that satisfies an authoritative specification of
requirements. In this, real-time systems are no different from other computer
applications, although their overall scale often generates quite fundamental design
problems. The discipline of software engineering is now widely accepted as the focus
for the development of methods, tools and techniques aimed at ensuring that the
software production process is manageable, and that reliable and correct programs are
constructed. It is assumed here that readers are familiar with the basic tenets of
software engineering and consideration is thus restricted to the particular problems
and requirements furnished by real-time embedded systems. Even within this
restriction, it is not possible to give a comprehensive account of the many design
methodologies proposed. Issues of design per se are not the main focus of attention in
this book. Rather, the investigation of language and operating system primitives,
which allow designs to be realized, is the central theme. Within this context, the
languages Ada, (Real-Time) Java and C (with Real-Time POSIX) will be considered in
detail. Readers should consult the further reading list at the end of this chapter for
additional material on the design process.

Although almost all design approaches are top-down, they are built upon an
understanding of what is feasible at lower levels. In essence, all design methods
involve a series of transformations from the initial statement of requirements to the
executing code. This section gives a brief overview of some of the typical stages that
are passed through on this route, that is:

• requirements specification - during which an authoritative specification of the
  system’s required functional and meta-functional behaviour is produced;
• architectural design - during which a top-level description of the proposed system
  is developed;
• detailed design - during which the complete system design is specified;
• coding - during which the system is implemented;
• testing - during which the efficacy of the system is tested.

As different activities are isolated, notations are required that enable each stage to
be documented. Transformations from one stage to another are, therefore, nothing more
than translations from one notation to another. For example, a compiler produces
executable code from source code that is expressed in a programming language.
Unfortunately, other translations (further up the design hierarchy) are less well
defined; usually because the notations employed are too vague and imprecise, and
cannot fully capture the semantics of the requirements or of the design.

Linked to notations are the models that can be expressed in these languages. The
current emphasis on development approaches is focused on what is called model driven
architectures (MDA). Here formal notations are used to develop models of the systems
that can then be subject to verification. Techniques such as model-checking and
mechanical proof are used to increase the designer’s confidence that the systems once
fully implemented will behave as expected in both the functional and temporal domains.
Advocates of the MDA approach argue that it will be possible to automatically generate
the executable code of the implementation from these higher-level models. This may
well be the right approach for the future for relatively straightforward systems.
However, the current state of these MDA approaches is not sufficiently advanced for
general real-time systems to be developed by code-generation techniques. Hence in this
book the focus is on the abstractions and facilities provided by real-time programming
languages.

1.4.1 Requirement specification


Almost all computing projects start with an informal description of what is desired.
This should then be followed by an extensive analysis of requirements. It is at this
stage that the functionality of the system is defined. In terms of specific real-time
factors, the temporal behaviour of the system should be made quite explicit, as should
the reliability requirements and the desired behaviour of the software in the event of
component failure. The requirements phase will also define which acceptance tests
should apply to the software.

In addition to the system itself, it is necessary to build a model of the environment
of the application. It is a characteristic of real-time systems that they have
important interactions with their environment. Hence such issues as maximum rate of
interrupts, maximum number of dynamic external objects (for example, aeroplanes in an
air traffic control system) and failure modes are all important.

The analysis phase provides an authoritative specification of requirements. It is from
this that the design will emerge. There is no more critical phase in the software life
cycle, and yet natural language documents are still the normal notation for this
specification. Nevertheless, formal methods can be applied to these specifications and
are increasingly being required in safety-critical applications.

1.4.2 Design activities

The design of a large embedded system cannot be undertaken in one exercise. It must be
structured in some way. To manage the development of complex real-time systems, two
complementary approaches are often used: decomposition and abstraction. Together,
they form the basis of most software engineering methods.
Decomposition, as its name suggests, involves the systematic breakdown of the complex
system into smaller and smaller parts until components are isolated that can be understood
and engineered by individuals or small groups. At each level of decomposition, there
should be an appropriate level of description and a method of documenting (expressing)
this description. Abstraction enables the consideration of detail, particularly that
appertaining to implementation, to be postponed. This allows a simplified view of the
system and of the objects contained within it to be taken, which nevertheless still contains
the essential properties and features. The use of abstraction and decomposition pervades
the entire engineering process and has influenced the design of real-time programming
languages and associated software design methods.

If a formal notation is used for the requirement specification then top-level designs
may use the same notation and can thus be proven to meet the specification. Many
structured notations are, however, advocated either to fill out the top-level design or
to replace the formal notation altogether. Indeed, a structured top-level design may, in
effect, be the authoritative specification of requirements.

The hierarchical development of software leads to the specification and subsequent
development of program subcomponents. The needs of abstraction dictate that
these subcomponents should have well-defined roles, and clear and unambiguous
interconnections and interfaces. If the specification of the entire software system can be
verified just in terms of the specification of the immediate subcomponents then
decomposition is said to be compositional. This is an important property when formally
analysing programs.

Sequential programs are particularly amenable to compositional methods, and
a number of techniques have been used to encapsulate and represent subcomponents.
Simula introduced the significant class construct. More recently object-oriented
languages, such as C++, Java and Eiffel, have emerged to build upon the class construct.
Ada uses a combination of packages, type extensions and interfaces to support
object-oriented programming.

Objects, while providing an abstract interface, require extra facilities if they are
to be used in a concurrent environment. Typically, this involves the addition of some
form of task (process). The task abstraction is, therefore, the abstraction on which this
book will focus. In Chapter 4, the notion of task is introduced; Chapter 5 then considers
shared-variable-based task interaction. A more controlled and abstract interface
is, however, provided by message-based process communication. This is discussed in
Chapter 6.
Both object and task abstractions are important in the design and implementation
of reliable embedded systems. These forms of encapsulation lead to the use of modules
with well-defined (and abstract) interfaces. From the definition of modules, more sizeable
components can be defined that may even be re-usable in subsequent designs. But how
should a large system be decomposed into components and modules? To a large extent,
the answer to this question lies at the heart of all software design activities. Cohesion
and coupling are two metrics that are often used to describe the relationships between
entities within a design (in the following, the term ‘module’ is used for a distinct software
entity).

Cohesion is concerned with how well a module holds together – its internal
strength. Allworth and Zobel (1987) give six measures of cohesion that range from
the very poor to the strong.

• Coincidental – elements of the module are not linked other than in a very superficial
  way; for example, written in the same month.
• Logical – elements of the module are related in terms of the overall system, but
  not in terms of the actual software; for example all output device drivers.
• Temporal – elements of the module are executed at similar times; for example,
  start-up routines.
• Procedural – elements of the module are used together in the same section of the
  program; for example, user interface components.
• Communicational (sic) – elements of the module work on the same data structure;
  for example, algorithms used to analyse an input signal.
• Functional – elements of the module work together to contribute to the performance
  of a single system function; for example, the provision of a distributed file
  system.

Coupling, by comparison, is a measure of the interdependence of program modules.
If two modules pass control information between them, they are said to possess high
(or tight) coupling. Alternatively, the coupling is loose if only data is communicated.
Another way of looking at coupling is to consider how easy it would be to remove a
module (from a completed system) and replace it with an alternative one.

Within all design methods, a good decomposition is one that has strong cohesion
and loose coupling. This principle is equally true in sequential and concurrent
programming domains.

It was noted earlier that most real-time practitioners advocate the use of object
and task (process) abstractions. Formal techniques do exist that enable concurrent
time-constrained systems to be specified and analysed. Nevertheless, these techniques
are not yet sufficiently mature to constitute ‘tried and tested’ design methods. Rather, the
real-time industry uses, at best, structured methods and software engineering approaches
that are applicable to all information processing systems. They do not give specific
support to the real-time domain, and they lack the richness that is needed if the full
power of implementation languages is to be exploited.

1.4.3 Testing and simulation

With the high reliability requirements that are the essence of most real-time systems, it
is clear that testing must be extremely stringent. A comprehensive strategy for testing
involves many techniques, most of which are applicable to all software products. It is,
therefore, assumed that the reader is familiar with these techniques.

The difficulty with real-time concurrent programs is that the most intractable system
errors are usually the result of subtle interactions between tasks. Often the errors are
also time-dependent and will only manifest themselves in rare states. Murphy’s Law
dictates that these rare states are also crucially important and only occur when the
controlled system is, in some sense, critical.

Testing is, of course, not restricted to the final assembled system. The decomposition
incorporated in the design and manifest within program modules (including
tasks) forms a natural architecture for component testing. Of particular importance (and
difficulty) within real-time systems is that not only must correct behaviour in a correct
environment be tested, but dependable behaviour in an arbitrarily incorrect environment
must be catered for. All error recovery paths must be exercised and the effects of
simultaneous errors investigated.

To assist in any complex testing activity, a realistic test bed presents many attractions.
For software, such a test environment is called a simulator.

A simulator is a program which imitates the actions of the engineering system in
which the real-time software is embedded. It simulates the generation of interrupts and
performs other I/O actions in real-time. Using a simulator, abnormal as well as ‘normal’
system behaviour can be created. Even when the final system has been completed, certain
error states may only safely be experimented with via a simulator. The meltdown of a
nuclear reactor is an obvious example.

Simulators are able to reproduce accurately the sequence of events expected in the
real system. In addition, they can repeat experiments in a way that is usually impossible in
a live operation. However, to faithfully recreate simultaneous actions it may be necessary
to have a very powerful computational platform. And even then with very complicated
applications it may not be possible to build an appropriate emulation of the system.

Simulators are clearly non-trivial and expensive systems to develop. They may
even require special hardware. In the NASA Space Shuttle project, the simulators cost
more than the real-time software itself. This turned out to be money well spent, with
many system errors being found during hours of simulator ‘flight’.

1.4.4 Postscript
In many ways, this discussion on design issues has been a divergent one. It has introduced
more problem areas and engineering issues than can possibly be tackled in just one book.
This broad sweep across the ‘design process’ is aimed at setting the rest of the book in
context. By now focusing on language issues and programming activities, the reader
will be able to understand the ‘end product’ of design, and judge to what extent current
methodologies, techniques and tools are appropriate.

1.5 Languages for programming real-time systems


An important plateau between the top-level requirements specification and the executing
machine code is the programming language. The development of implementation
languages for real-time systems is the central theme of this book. Language design is
still a very active research area. Although systems design should lead naturally into
implementation, the expressive power of most modern languages is not matched by
current design methodologies. Only by understanding what is possible at the
implementation stage can appropriate design approaches be developed.

It is possible to identify three classes of programming languages which are, or have
been, used in the development of real-time systems. These are assembly languages,
sequential systems implementation languages and high-level concurrent languages. These
types of languages will shortly be reviewed, but first some general language design
criteria will be introduced.

1.5.1 General language design criteria

Although a real-time language may be designed primarily to meet the requirements of
embedded computer system programming, its use is rarely limited to that area. Most
real-time languages are also used as general-purpose systems implementation languages
for applications such as compilers and operating systems.

Young (1982) lists the following six (sometimes conflicting) criteria as the basis of
a real-time language design: security, readability, flexibility, simplicity, portability and
efficiency. A similar list also appears in the original requirements for Ada.

Security
The security of a language design is a measure of the extent to which programming errors
can be detected automatically by the compiler or language run-time support system. There
is obviously a limit to the type and number of errors that can be detected by a language
system; for example, errors in the programmer’s logic cannot be detected automatically.
A secure language must, therefore, be well structured and readable so that such errors
can easily be spotted.

The benefits of security include:

• the detection of errors much earlier in the development of a program – generating
  an overall reduction in cost;
• compile-time checks have no overheads at run-time – a program is executed much
  more often than it is compiled.

The disadvantage of security is that it may result in a more complicated language with
an increase in compilation time and compiler complexity.

Readability
The readability of a language depends on a variety of factors including the appropriate
choice of keywords, the ability to define types and the facilities for program
modularization. As Young points out:

the aim is to provide a language notation with sufficient clarity to enable the
main concepts of a particular program’s operation to be assimilated easily
by reading the program’s text only, without resort to subsidiary flowcharts
and written descriptions. (Young, 1982)

The benefits of good readability include:

• reduced documentation costs;
• increased security;
• increased maintainability.

The main disadvantage is that it usually increases the length of any given program.

Flexibility
A language must be sufficiently flexible to allow the programmer to express all the
required operations in a straightforward and coherent fashion. Otherwise, as with older
sequential languages, the programmer will often have to resort to operating system
commands or machine code inserts to achieve the desired result.

Simplicity
Simplicity is a worthwhile aim of any design, be it of the international space station or
a simple calculator. In programming languages, simplicity has the advantages of:

• minimizing the effort required to produce compilers;
• reducing the cost associated with programmer training;
• diminishing the possibility of making programming errors as a result of
  misinterpretation of the language features.

Flexibility and simplicity can also be related to the expressive power (the ability to
express the solutions to a wide range of problems) and usability (ease of use) of the
language.

Portability
A program, to a certain extent, should be independent of the hardware on which it
executes. One of the main claims of Java is that programs are compiled once and run
anywhere. For a real-time system, this is difficult to achieve (even with the advent of
portable binary codes, such as Java Byte Code and ANDF (Venners, 1999; X/Open
Company Ltd, 1996)), as a substantial part of any program will normally involve
manipulation of hardware resources. However, a language must be capable of isolating
the machine-dependent part of a program from the machine-independent part.

Efficiency
In a real-time system, response times must be guaranteed; therefore the language must
allow efficient and predictable programs to be produced. Mechanisms which lead to
unpredictable run-time overheads should be avoided. Obviously, efficiency requirements
must be balanced against security, flexibility and readability requirements.

1.5.2 Assembly languages

Initially, most real-time systems were programmed in the assembly language of the
embedded computer. This was mainly because high-level programming languages were not
well supported on most microcomputers and assembly language programming appeared
to be the only way of achieving efficient implementations that could access hardware
resources.

The main problem with the use of assembly languages is that they are machine-oriented
rather than problem-oriented. The programmer can become encumbered with
details which are unrelated to the algorithms being programmed, with the result that the
algorithms themselves become obscure. This keeps development costs high and makes
it very difficult to modify programs when errors are found or enhancements required.

Further difficulties arise because programs cannot be moved from one machine to
another but must be rewritten. Also staff must be retrained if they are required to work
with other machines.

1.5.3 Sequential systems implementation languages


As computers became more powerful, programming languages more mature, and compiler
technology progressed, the advantages of writing real-time software in a high-level
language outweighed the disadvantages. To cope with deficiencies in languages like
FORTRAN, new languages were developed specifically for embedded programming. In
the United States Air Force, for example, Jovial was in common use. In the UK, the
Ministry of Defence standardized on Coral 66, and large industrial concerns like ICI
standardized on RTL/2. Currently, the C and C++ programming languages are popular.

All these languages have one thing in common – they are sequential. They also
tend to be weak in the facilities they provide for real-time control and reliability. As a
result of these shortcomings, it is often necessary to rely on operating system support
and assembly code inserts.

1.5.4 High-level concurrent programming languages

In spite of the increasing use of application-tailored languages, the production of
computer software became progressively more difficult during the 1970s as computer-based
systems became larger and more sophisticated. These problems grew to what became
known as the software crisis. There are several symptoms of this crisis which have been
recognized (Booch, 1986).

• Responsiveness – production systems which have been automated often do not
  meet users’ needs.
• Reliability – software is unreliable and will often fail to perform to its specification.
• Cost – software costs are seldom predictable.
• Modifiability – software maintenance is complex, costly and error prone.
• Timeliness – software is often delivered late.
• Transportability – software in one system is seldom used in another.
• Efficiency – software development efforts do not make optimal use of the resources
  involved.

Perhaps one of the best illustrations of the impact of the software crisis can be found in
the American Department of Defense’s (DoD) search for a common high-order
programming language for all its applications. As hardware prices began to fall during the 1970s,
the DoD’s attention was focused on the rising cost of its embedded software. It estimated
that, in 1973, three thousand million dollars were spent on software alone. A survey of
programming languages showed that at least 450 general-purpose programming
languages and incompatible dialects were used in DoD embedded computer applications.
An evaluation of existing languages occurred in 1976 against an emerging set of
requirements. These evaluations resulted in four main conclusions (Whitaker, 1978):

(1) No current language was suitable.
(2) A single language was a desirable goal.
(3) The state-of-the-art of language design could meet the requirements.
(4) Development should start from a suitable language base; those recommended were
    Pascal, PL/I and Algol 68.

The result was the birth of a new language in 1983 called Ada. In 1995, the language
was updated to reflect 10 years of use and modern advances in programming language
design. The same occurred in 2005 when a number of key features were added to Ada.

Other older languages of note include PEARL, used extensively in Germany for
process control applications, Mesa (Xerox Corporation, 1985), used by Xerox in their
office automation equipment, and CHILL (CCITT, 1980) which was developed in response
to CCITT requirements for programming telecommunication applications.

With the advent of the Internet, the Java programming language has become popular.
Although initially not suitable for real-time programming, recently much effort has
been dedicated to producing real-time versions of Java – this will be discussed at length
later in the book.

Summary
In this chapter, a real-time system has been defined as:

any information processing activity or system which has to respond to
externally generated input stimuli within a finite and specified delay.

Two main classes of such systems have been identified: hard real-time systems,
where it is absolutely imperative that responses occur within the specified
deadline; and soft real-time systems, where response times are important, but
the system will still function correctly if deadlines are occasionally missed.
Various types of real-time systems have been introduced including reactive systems
and time-aware systems, also time-triggered and event-triggered systems.

Figure 1.8 Aspects of real-time systems.

The basic characteristics of a general real-time or embedded computer
system have been considered. They are:

• real-time control;
• concurrent control of separate system components;
• low-level programming;
• support for numerical computation;
• largeness and complexity;
• extreme reliability and safety.

The main aspects associated with the term ‘real-time’ that have been
introduced in this chapter are illustrated in Figure 1.8 opposite.

This chapter has also outlined the major stages involved in the design and
implementation of real-time systems. These include requirements specification,
systems design, detailed design, coding and testing. The high reliability
requirements of real-time systems dictate that, wherever possible, rigorous methods
should be employed.

Implementation, which is the primary focus of attention in this book,
necessitates the use of a programming language. Early real-time languages lacked the
expressive power to deal adequately with this application domain. More recent
languages have attempted to incorporate concurrency and error-handling
facilities. A discussion of these features is contained in subsequent chapters. The
following general criteria were considered a useful basis for a real-time language
design: security, readability, flexibility, simplicity, portability and efficiency.

Further reading
Bailey, D. L. and Buhr, R. J. A. (1998) Introduction to Real-Time Systems: From Design
to Networking with C/C++. Upper Saddle River, NJ: Prentice Hall.
Booch, G., Rumbaugh, J. and Jacobson, I. (1999) The Unified Modeling Language User
Guide. Harlow: Addison-Wesley.
Burns, A. and Wellings, A. J. (1995) Hard Real-Time HOOD: A Structured Design
Method for Hard Real-Time Ada Systems. New York: Elsevier.
Cooling, J. E. (1995) Software Design for Real-Time Systems. London: International
Thomson Computer Press.
Douglass, B. P. (1999) Doing Hard Time: Developing Real-Time Systems with UML,
Objects, Frameworks and Patterns. Harlow: Addison-Wesley.
Gomaa, H. (2000) Designing Concurrent, Distributed and Real-Time Applications in
UML. Reading, MA: Addison-Wesley.
Jacobson, I., Booch, G. and Rumbaugh, J. (1999) The Unified Software Development
Process. Harlow: Addison Wesley Longman.
Kopetz, H. (1997) Real-time Systems. New York: Kluwer Academic.
Laplante, P. (1997) Design and Application of Real-Time Systems. New York: Institute
of Electrical & Electronic Engineers.
Liu, J. W. S. (2000) Real-Time Systems. New York: Prentice Hall.
Schneider, S. (1998) Concurrent and Real-time Systems. New York: Wiley.
Schneider, S. (1999) Concurrent and Real-time Systems: The CSP Approach. New York:
Wiley.

Exercises

1.1 To what extent should the choice of a design method for real-time systems be
influenced by:

(a) likely implementation language
(b) support tools
(c) reliability requirements of the application
(d) training requirements of staff
(e) marketing considerations
(f) previous experiences
(g) cost?

1.2 In addition to the criteria given in this chapter, what other factors could be used in
assessing programming languages?

1.3 At what stage in the design process should the views of the end-user be obtained?

1.4 Should software engineers be liable for the consequences of faulty real-time
systems?

1.5 New medicines cannot be introduced until appropriate tests and trials have been
carried out. Should real-time systems be subject to similar legislation? If a proposed
application is too complicated to simulate, should it be constructed?

1.6 Should the Ada language be the only language used in the implementation of
embedded real-time systems?

1.7 To what extent does UML allow hard real-time systems to be designed and
analysed?

Chapter 2

Reliability and fault tolerance

2.1 Reliability, failure and faults
2.2 Failure modes
2.3 Fault prevention and fault tolerance
2.4 N-version programming
2.5 Software dynamic redundancy
2.6 The recovery block approach to software fault tolerance
2.7 A comparison between N-version programming and recovery blocks
2.8 Dynamic redundancy and exceptions
2.9 Measuring and predicting the reliability of software
2.10 Safety, reliability and dependability
Summary
Further reading
Exercises

Reliability and safety requirements are usually much more stringent for real-time
and embedded systems than for other computer systems. For example, if an
application which computes the solution to some scientific problem fails then it may
be reasonable to abort the program, as only computer time has been lost.
However, in the case of an embedded system, this may not be an acceptable action.
A process control computer, for instance, responsible for the operation of a large
gas furnace, cannot afford to close down the furnace as soon as a fault occurs.
Instead, it must try to provide a degraded service and prevent a costly shutdown
operation. More importantly, real-time computer systems may endanger human
lives if they abandon control of their application. An embedded computer
controlling a nuclear reactor must not let the reactor run out of control, as this may
result in a core meltdown and an emission of radiation. A military avionics system
should at least allow the pilot to eject before permitting the plane to crash!

It is now widely accepted that the society in which we live is totally
dependent on the use of computer-based systems to support its vital functions. It is,
therefore, imperative that these systems do not fail. Without wishing to define
precisely what is meant by a system failure or a fault (at the moment), there are,
in general, four sources of faults which can result in an embedded system failure.

(1) Inadequate specification. It has been suggested that the great majority
    of software faults stem from inadequate specification (Leveson, 1986).
    Included in this category are those faults that stem from misunderstanding
    the interactions between the program and the environment.
(2) Faults introduced from design errors in software components.
(3) Faults introduced by failure of one or more hardware components of the
    embedded system (including processors).
(4) Faults introduced by transient or permanent interference in the supporting
    communication subsystem.

It is these last three types of fault which impinge on the programming language
used in the implementation of an embedded system. The errors introduced by
design faults are, in general, unanticipated (in terms of their consequences),
whereas those from processor and network failure are, in some senses,
predictable. One of the main requirements, therefore, for any real-time
programming language, is that it must facilitate the construction of highly dependable
systems. In this chapter, some of the general design techniques that can be
used to improve the overall reliability of embedded computer systems are
considered. Chapter 3 will show how exception-handling facilities can be used to
help implement some of these design philosophies, particularly those based on
fault tolerance.

2.1 Reliability, failure and faults

Before proceeding, more precise definitions of reliability, failures and faults are
necessary. Randell et al. (1978) define the reliability of a system to be:

a measure of the success with which the system conforms to some
authoritative specification of its behaviour.

Ideally, this specification should be complete, consistent, comprehensible and
unambiguous. It should also be noted that the response times of the system are an important
part of the specification, although discussion of the meeting of deadlines will be postponed
until Chapter 11. The above definition of reliability can now be used to define a system
failure. Again, quoting from Randell et al.:

When the behaviour of a system deviates from that which is specified for it,
this is called a failure.

Section 2.9 will deal with the metrics of reliability; for the time being, highly reliable
will be considered synonymous with a low failure rate.
The alert reader will have noticed that our definitions, so far, have been concerned
with the behaviour of a system; that is, its external appearance. Failures result from
unexpected problems internal to the system which eventually manifest themselves in
the system’s external behaviour. These problems are called errors and their mechanical
or algorithmic causes are termed faults. A faulty component of a system is, therefore,
a component which, under a particular set of circumstances during the lifetime of the
system, will result in an error. Viewed in terms of state transitions, a system can be
considered as a number of external and internal states. An external state which is not
specified in the behaviour of the system is regarded as a failure of the system. The
system itself consists of a number of components, each with their own states, all of which
contribute to the system’s external behaviour. The combined states of these components
are termed the internal state of the system. An internal state which is not specified is
called an error and the component which produced the illegal state transition is said to
be faulty.

A fault is active when it produces an error, and until this point it is dormant. Once
produced, the error can be transformed into other errors via the computational process as
it propagates through the system. Eventually, the error manifests itself at the boundaries
of the system causing a service delivery to fail (Avizienis et al., 2004).

Of course, a system is usually composed of components; each of these may be
considered as a system in its own right. Hence a failure in one system will lead to a fault
in another which will result in an error and potential failure of that system. This in turn
will introduce a fault into any surrounding system and so on (as illustrated in Figure 2.1).

Figure 2.1 Fault, error, failure, fault chain (transitions labelled activation, propagation, causation).

There are many different classifications of fault types depending on the aspect of
interest. For example, whether they are created during development or during operations,
whether they are intentionally or accidentally created, whether they are hardware or
software in origin, etc. From a real-time perspective, the duration of the fault is one of
the most important aspects. Three types of fault can be distinguished.

(1) Transient faults – a transient fault occurs at a particular time, remains in the
    system for some period and then disappears. It will initially be dormant but can
    become active at any time. Examples of such faults occur in hardware components
    which have an adverse reaction to some external interference, such as electrical
    fields or radioactivity. After the disturbance disappears so does the fault (although
    not necessarily the induced error). Many faults in communication systems are
    transient.
(2) Permanent faults – permanent faults start at a particular time and remain in the
    system until they are repaired; for example, a broken wire or a software design
    error.
(3) Intermittent faults – transient faults that occur from time to time. An example
    is a hardware component that is heat sensitive: it works for a time, stops working,
    cools down and then starts to work again.

Software faults are usually called bugs and it can be notoriously difficult to isolate and
identify them. Over the years, particular types of bugs have been given names in an
informal classification. Originally two types of software bugs were identified (Gray, 1986).¹

¹ The names come from analogies with physics. The assertion that most production software
bugs are ephemeral — Heisenbugs that go away when you look at them — is well known to
systems programmers. Bohrbugs, like the Bohr atom, are solid, easily detected by standard
techniques.

• Bohrbugs — these bugs are reproducible and usually identifiable. Hence they can
easily be removed during testing. If they cannot be removed, then design diversity
techniques can be employed during operation (see Section 2.4).
• Heisenbugs — these are software bugs that only activate under certain rare
circumstances. A good example is code shared between concurrent tasks that is not
properly synchronized. Only when two tasks happen to execute the code concurrently
will the fault activate and even then the error may propagate a long way
from its source before it is detected. Because of this, they often disappear when
investigated — hence their name.

A particular type of Heisenbug is one that results from ‘software aging’ (Parnas,
1994). In one sense, software can be thought of as not deteriorating with age (unlike
hardware). Whilst this is true, faults can remain dormant for a long time, and only become
active after significant continual use of the software. These faults are normally related to
resources: for example in a dynamic application where memory is constantly allocated
and freed, a fault that doesn’t free unused memory will result in a memory leak. If this
is small, the program may run for a significant period of time before memory becomes
exhausted.
A good example of the effects of software ageing can be found with the use of
the US Patriot missile defence system in the Gulf War in 1991 (see GAO/IMTEC-92-26
Patriot Missile Software Problem at http://www.fas.org/spp/starwars/gao/im92026.htm).
The Patriot system was originally designed for mobile operations in Europe. The design
assumed that it would only operate for a few hours at one location. During the Gulf
War it was used continuously for many hours. Its main battery could last for 100 hours.
After the Patriot’s radar detects an airborne object that has the characteristics of a Scud
missile, the range gate (an electronic detection device within the radar system) calculates
an area in the air space where the system should next look for the detected missile. The
range gate filters out information about airborne objects outside its calculated area and
only processes the information needed for tracking, targeting and intercepting Scuds.
Finding an object within the calculated range gate area confirms that it is a Scud missile. In
February 1991, a Patriot missile defence system failed to track and intercept an incoming
Scud. This Scud subsequently hit an Army barracks, killing 28 people.


The reason for the failure of the Patriot’s systems is explained by considering the
range gate’s prediction software, which used the Scud’s velocity and the time of the last
radar detection. Time is kept continuously by the system’s internal clock in tenths of
seconds held as an integer variable. The longer the system has been running, the larger
the number representing time. To predict where the Scud will next appear, both time and
velocity must be expressed as real numbers. The registers in the Patriot computer are
only 24 bits long, and the conversion of time results in a loss of precision causing a less
accurate time calculation. The effect of this inaccuracy on the range gate’s calculation is
directly proportional to the target’s velocity and the length of time the system has been
running. Consequently, performing the conversion after the Patriot has been running
continuously for extended periods causes the range gate to shift away from the centre of
the target, making it less likely that the target missile will be successfully intercepted.
Table 2.1 shows the effect of this inaccuracy. After 20 hours, the target becomes outside
the range gate. As with all software ageing problems, restarting the system (in this case
before 20 hours of continual operational time) would clear the problem.

Hours   Seconds   Calculated time   Inaccuracy   Approximate shift in
                  (seconds)         (seconds)    range gate (meters)
0       0         0                 0            0
1       3600      3599.9966         .0034        7
8       28800     28799.9725        .0025        55
20      72000     71999.9313        .0687        137
48      172800    172799.8352       .1648        330
72      259200    259199.7528       .2472        494
100     360000    359999.6667       .3433        687

Table 2.1 Effect of extended run-time on Patriot operation (taken from
http://www.fas.org/spp/starwars/gao/im92026.htm).
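
The growth of the inaccuracy with uptime can be reproduced with a short fixed-point calculation. The C below is an added example, not code from the book or from the Patriot system; it assumes the commonly cited model in which the constant 0.1 is chopped to 23 fractional bits of the 24-bit register, and the function names and the drift budget are illustrative.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed model (not given on the page): the uptime counter holds tenths of
 * a second, and seconds = ticks * 0.1, where 0.1 is stored as a binary
 * fraction chopped, not rounded, to 23 fractional bits of a 24-bit register. */
#define FRAC_BITS      23u
#define TICKS_PER_HOUR 36000u          /* 3600 s * 10 ticks per second */

/* 0.1 * 2^23 = 838860.8; chopping keeps 838860 and loses 0.8 / 2^23 per tick. */
static uint32_t tenth_chopped(void)
{
    return (1u << FRAC_BITS) / 10u;
}

/* Elapsed seconds as the chopped fixed-point multiply computes them. */
double calculated_seconds(uint32_t ticks)
{
    uint64_t scaled = (uint64_t)ticks * tenth_chopped();
    return (double)scaled / (double)(1u << FRAC_BITS);
}

/* Drift: true elapsed seconds minus calculated seconds.
 * The per-tick loss is constant, so the drift grows linearly with uptime. */
double inaccuracy_seconds(uint32_t ticks)
{
    return (double)ticks / 10.0 - calculated_seconds(ticks);
}

/* Longest whole-hour uptime whose drift stays within budget_seconds.
 * An operating procedure or watchdog would force a restart before this. */
uint32_t max_uptime_hours(double budget_seconds)
{
    uint32_t hours = 0;
    /* 100000 h * 36000 ticks/h still fits in 32 bits. */
    while (hours < 100000u &&
           inaccuracy_seconds((hours + 1u) * TICKS_PER_HOUR) <= budget_seconds)
        hours++;
    return hours;
}

int main(void)
{
    /* Uptimes taken from the rows of Table 2.1. */
    static const uint32_t hours[] = { 0, 1, 8, 20, 48, 72, 100 };
    size_t i;

    printf("%5s %16s %12s\n", "hours", "calculated (s)", "drift (s)");
    for (i = 0; i < sizeof hours / sizeof hours[0]; i++) {
        uint32_t ticks = hours[i] * TICKS_PER_HOUR;
        printf("%5u %16.4f %12.4f\n", (unsigned)hours[i],
               calculated_seconds(ticks), inaccuracy_seconds(ticks));
    }
    /* 0.0687 s is the table's drift at 20 hours, used here as the budget. */
    printf("restart within %u hours for a 0.0687 s drift budget\n",
           (unsigned)max_uptime_hours(0.0687));
    return 0;
}
```

Under this model the 8-hour row comes out at 28799.9725 calculated seconds, matching the table's calculated-time column.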

To create reliable systems, all types of fault must be prevented from causing erroneous
system behaviour (that is failure). The difficulty this presents is compounded by
the indirect use of computers in the construction of safety-critical systems. For example,
in 1979 an error was discovered in a program used to design nuclear reactors and their
supporting cooling systems. The fault that this caused in the reactor design had not been
found during installation tests as it concerned the strength and structural support of pipes
and valves. The program had supposedly guaranteed the attainment of earthquake safety
standards in operating reactors. The discovery of the bug led to the shutting down of five
nuclear power plants (Leveson, 1986).

2.2 Failure modes


A system can fail in many different ways. A designer who is using system X to implement
another system, Y, usually makes some assumptions about X’s expected failure modes.
If X fails differently from that which was expected then system Y may fail as a result.
A system provides services. It is, therefore, possible to classify a system’s failure
modes according to the impact they have on the services it delivers. Two general domains
of failure modes can be identified:

• value failure — the value associated with the service is in error;
• time failure — the service is delivered at the wrong time.

Combinations of value and timing failures are often termed arbitrary.
In general, a value error might still be within the correct range of values or be
outside the range expected from the service. The latter is equivalent to a typing error in
programming languages and is called a constraint error. It is usually easy to recognize
this type of failure but its consequence can still be devastating. (Witness the cause of the
Ariane 5 disaster where an exception was caused during execution of a data conversion
from 64-bit floating point to 16-bit signed integer value. The floating point number
which was converted had a value greater than what could be represented by a 16-bit
signed integer; see ‘ARIANE 5, Flight 501 Failure, Report by the Inquiry Board’ at
http://klabs.org/richcontent/Reports/Failure_Reports/ariane/ariane501.htm.)
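
The constraint error described above, a 64-bit floating-point value too large for a 16-bit signed integer, can be caught before the conversion is performed. The C below is an added example, not code from the book or from the Ariane software; the names to_int16_checked, to_int16_saturating and conv_status are illustrative, and the sample values in main are constructed.

```c
#include <math.h>      /* NAN macro, used only for the constructed samples */
#include <stdint.h>
#include <stdio.h>

typedef enum { CONV_OK, CONV_OUT_OF_RANGE, CONV_NOT_A_NUMBER } conv_status;

/* Range-check in the floating-point domain BEFORE casting. In C, converting a
 * double whose truncated value does not fit the target integer type is
 * undefined behaviour, so the cast itself cannot be used to detect the error. */
conv_status to_int16_checked(double x, int16_t *out)
{
    if (x != x)                        /* only NaN compares unequal to itself */
        return CONV_NOT_A_NUMBER;
    /* The cast truncates toward zero, so exactly the open interval
     * (-32769, 32768) is convertible; infinities fall outside it. */
    if (x <= (double)INT16_MIN - 1.0 || x >= (double)INT16_MAX + 1.0)
        return CONV_OUT_OF_RANGE;      /* constraint error: *out is untouched */
    *out = (int16_t)x;
    return CONV_OK;
}

/* Fail-controlled variant: always yields a usable value (clamped to the
 * nearest bound, 0 for NaN) and reports what happened through *status. */
int16_t to_int16_saturating(double x, conv_status *status)
{
    int16_t v = 0;
    *status = to_int16_checked(x, &v);
    if (*status == CONV_OUT_OF_RANGE)
        v = (x < 0.0) ? INT16_MIN : INT16_MAX;
    return v;
}

int main(void)
{
    /* Constructed sample inputs around both bounds. */
    static const double samples[] = { 1234.5, 32767.9, 32768.0,
                                      -32768.9, -32769.0, 1.0e9, NAN };
    static const char *names[] = { "ok", "out of range", "not a number" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        conv_status st;
        int16_t v = to_int16_saturating(samples[i], &st);
        printf("%14.1f -> %6d (%s)\n", samples[i], (int)v, names[st]);
    }
    return 0;
}
```

The checked form turns the out-of-range input into a detected constraint error that the caller must handle; the saturating form is one way to make the failure a specified, controlled one.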

Failures in the time domain can result in the service being delivered:

• too early — the service is delivered earlier than required;
• too late — the service is delivered later than required (often called a performance
error);
• infinitely late — the service is never delivered (often called an omission failure).

One further failure mode should be identified, which is where a service is delivered
that is not expected. This is often called a commission or impromptu failure. It is, of
course, often difficult to distinguish a failure in both the value and the time domain from
a commission failure followed by an omission failure. Figure 2.2 illustrates the failure
mode classification.
Given the above classification of failure modes, it is now possible to make some
assumptions about how a system might fail.

• Fail uncontrolled — a system which can produce arbitrary errors in both the value
and the time domains (including impromptu errors).
• Fail late — a system which produces correct services in the value domain but may
suffer from a ‘late’ timing error.
• Fail silent — a system which produces correct services in both the value and time
domains until it fails; the only failure possible is an omission failure and when this
occurs all following services will also suffer an omission failure.
• Fail stop — a system which has all the properties of fail silent, but also permits
other systems to detect that it has entered the fail-silent state.
• Fail controlled — a system which fails in a specified controlled manner.
• Fail never — a system which always produces correct services in both the value
and the time domain.

Other assumptions and classifications are clearly possible, but the above list will suffice
for this book.

Figure 2.2 Failure mode classification. [Diagram labels: Failure mode; Value domain
(Constraint error, Value error); Timing domain (Early, Omission, Late); Arbitrary
(fail uncontrolled); Fail silent; Fail stop; Fail controlled.]


cases of idiopathic tetanus are produced by poison, perhaps
secreted by the body itself. As for the distinction between idiopathic
and strychnic tetanus, it is usually laid down (1) that the intervals in
the former are characterised by no relaxation of the muscles, but
that they continue contracted and hard; and (2) that there is a
notable rise of temperature in disease tetanus proper, and not in
strychnine tetanus. Both statements are misleading, and the latter is
not true, for in strychnic poisoning the relaxation is not constant,
and very high temperatures in animals have been observed.
§ 394. Physiological Action.—The tetanic convulsions are
essentially reflex, and to be ascribed to a central origin; the normal
reflex sensibility is exaggerated and unnaturally extended. If the
ischiatic plexus supplying the one leg of an animal is cut through,
that leg takes no part in the general convulsions, but if the artery of
the leg alone is tied, then the leg suffers from the muscular spasm,
as well as the limbs in which the circulation is unrestrained. In an
experiment by Sir B. W. Richardson, a healthy dog was killed, and,
as soon as practicable, a solution of strychnine was injected through
the systemic vessels by the aorta—the whole body became at once
stiff and rigid as a board. These facts point unmistakably to the
spinal marrow as the seat of the toxic influence. Strychnine is, par
excellence, a spinal poison. On physiological grounds the grey
substance of the cord is considered to have an inhibitory action upon
reflex sensibility, and this inhibitory power is paralysed by strychnine.
The spinal cord, it would appear, has the power of collecting
strychnine from the circulation and storing it up in its structure.[436]

[436] R. W. Lovett, Journ. Physiol., ix. 99-111.

Much light has been thrown upon the cause of death by Richet’s
experiments.[437] It would seem that, in some cases, death takes
place by a suffocation as complete as in drowning, the chest and
diaphragm being immovable, and the nervous respiratory centres
exhausted. In such a case, immediate death would be averted by a
tracheal tube, by the aid of which artificial respiration might be
carried on; but there is another asphyxia due to the enormous
interstitial combustion carried on by muscles violently tetanised. “If,”
says Richet, “after having injected into a dog a mortal dose of
strychnine, and employed artificial respiration according to the
classic method twenty or thirty times a minute, the animal dies
(sometimes at the end of ten minutes, and in every case at the end
of an hour or two), and during life the arterial blood is examined, it
will be ascertained that it is black, absolutely like venous blood.”

[437] Op. cit.

This view is also supported by the considerable rise of temperature
noticed: the blood is excessively poor in oxygen, and loaded with
carbon dioxide. That this state of the blood is produced by tetanus,
is proved by the fact that an animal poisoned by strychnine, and
then injected subcutaneously with curare in quantity just sufficient to
paralyse the muscular system, does not exhibit these phenomena.
By the aid of artificial respiration, together with the administration of
curare, an animal may live after a prodigious dose of strychnine.
Meyer[438] has investigated carefully the action of strychnine on the
blood-pressure—through a strong excitement of the vaso-motor
centre, the arteries are narrowed in calibre, and the blood-pressure
much increased; the action of the heart in frogs is slowed, but in the
warm-blooded animals quickened.

[438] Wiener Akad. Sitzungsber., 1871.

§ 395. Post-mortem Appearances.—There is but little
characteristic in the post-mortem appearances from strychnine
poisoning. The body becomes very stiff a short time after death, and
this rigidity remains generally a long time. In the notorious Palmer
case, the body was rigid two months after death, but, on the other
hand, the rigor mortis has been known to disappear within twenty-
four hours. If the convulsions have been violent, there may be
minute hæmorrhages in the brain and other parts. I have seen
considerable hæmorrhage in the trachea from this cause. When
death occurs from asphyxia, the ordinary signs of asphyxia will be
found in the lungs, &c. The heart mostly has its right side gorged
with blood, but in a few cases it is empty and contracted.
In a case which Schauenstein has recorded[439] he found strychnine
still undissolved, coating the stomach as a white powder; but this is
very unusual, and I believe unique. The bladder often contains
urine, which, it need scarcely be said, should be preserved for
chemical investigation.

[439] Op. cit.

§ 396. Treatment.—From the cases detailed, and from the
experiments on animals, the direction which treatment should take is
very clear. As a matter of course, if there is the slightest probability
of any of the poison remaining in the stomach, it should be
removed. It is doubtful whether the stomach pump can be ever
applied with benefit in strychnine poisoning, the introduction of the
tube is likely to aggravate the tetanus, but apomorphine can be
injected subcutaneously. Large and frequent doses of chloral should
be administered in order to lessen the frequency of convulsions, or
prevent their occurrence, and it may be necessary in a few cases,
where death threatens by suffocation, to perform tracheotomy, and
to use artificial respiration. Where chloral or chloroform is not at
hand, and in cases of emergency, where this may easily happen, the
medical man must administer in full doses the nearest narcotic at
hand.[440]

[440] It is certain that lutidine would be a valuable antidote for strychnine.
C. G. Williams found that lutidine injected into frogs already under the
influence of strychnine, arrested the convulsions, or if given first, and then
followed by a fatal dose of strychnine, it prevented the appearance of the
tetanus. (See ante, p. 276, footnote.)
§ 397. Separation of Strychnine from Organic Matters.—The
separation of strychnine from organic matters, &c., is undertaken
strictly on the general principles already detailed. It may happen,
however, that in cases of poisoning there is the strongest evidence
from symptoms in the person or animal that strychnine alone is to
be sought for. In an instance of the kind, if a complex organic liquid
(such as the contents of the stomach) is under examination, it is
best to remove the solid substances by filtration through glass, wool,
or linen, and evaporate nearly to dryness over the water-bath,
acidifying with acetic acid, and then exhausting the residue
repeatedly with boiling alcohol of 80 per cent. The alcoholic extract
is in its turn evaporated to dryness, and taken up with water; the
aqueous solution is passed through a wet filter, and then shaken up
with the usual succession of fluids, viz., petroleum ether, benzene,
chloroform, and amyl alcohol, which will remove a great number of
impurities, but will not dissolve the strychnine from the acid solution.
The amyl alcohol may lastly be removed by petroleum ether; and on
removal of the final extractive (which should be done as thoroughly
as possible) chloroform is added, and the fluid is alkalised by
ammonia, which precipitates the alkaloid in the presence of the
solvent. Should the reverse process be employed—that is, ammonia
added first, and then chloroform—the strychnine is not so perfectly
dissolved, since it has time to assume a crystalline condition. On
separation and evaporation of the chloroform, the residue (if much
discoloured, or evidently impure) may be dissolved in alcohol or
benzene, and recrystallised several times. Cushman has published an
improved method of separating strychnine, which, according to test
experiments, appears to give good results. He describes the method
as follows:[441]—

[441] “The post-mortem Detection and Estimation of Strychnine,” by
Allerton S. Cushman—Chem. News, vol. lxx. 28.

“The stomach contents or viscera properly comminuted are weighed, and an
aliquot part taken for analysis. The mass is digested in a beaker over night, at a
warm temperature, with water acidulated with acetic acid. The contents of the
beaker are filtered by pressing through muslin, and then passing through paper.
The clear filtrate is evaporated on the water-bath to soft dryness, an excess of
ordinary 80 per cent. alcohol added, and boiled ten minutes with stirring, and
allowed to stand one half hour at a warm temperature. This extraction is repeated,
the alcohol extracts united, filtered, evaporated to soft dryness, and the residue
taken up with a little water acidulated with acetic acid, and shaken out with pure
acetic ether in a separating funnel. Successive fresh portions of acetic ether are
used until the solvent shows by its colour, and by the evaporation of a few drops,
that it does not contain extractive matter. As many as twelve extractions are
sometimes necessary to accomplish this. Care should be taken in each case to
allow time for as complete separation as possible between the two layers. The
purified acid aqueous liquid, which need not exceed in bulk 50 c.c., is now
returned to the separator, an equal quantity of fresh acetic ether added, and
enough sodic carbonate in solution to render the mixture slightly alkaline, and the
separator is then thoroughly shaken for several minutes. All the alkaloid should
now be in solution in the acetic ether, but a second shaking of the alkaline liquid,
with acetic ether, is always made, the two extracts united, and evaporated in a
glass dish over hot water to dryness. It will now be found that the residue shows
the alkaloid fairly pure, but not pure enough for quantitative results. The residue is
dissolved in a few drops of dilute acetic acid, warmed to complete solution, filtered
if necessary, diluted to about 30 c.c., and the solution transferred to a small
separating funnel; 30 c.c. of ether-chloroform (1-1) are now added, and the
separator shaken. After separation the heavier ether-chloroform is allowed to run
off, another lot of 30 c.c. of ether-chloroform is added, the separator shaken, and
immediately enough ammonia-water added to render the mixture alkaline, and the
whole vigorously agitated for several minutes. After separation is complete, the
ether-chloroform layer is run out into a clean 50 c.c. glass-stoppered burette. The
alkaline water solution is agitated with 20 c.c. more of the ether-chloroform,
separated, and this extract added to that in the burette. The burette is now
supported over a small weighed glass dish, which is kept warm on a water-bath,
and the liquid allowed to evaporate gently, drop by drop, until a sufficient quantity
of the pure alkaloid has collected in the centre of the dish to render an accurate
weighing possible, or else all of the alkaloid may be collected and weighed at
once. After all possible tests have been made upon the weighed alkaloid, the
remainder is re-dissolved in a drop or two of acetic acid, a little water added, and
the dish exposed under a bell-glass to the fumes of ammonia. After standing some
time all the strychnine is found crystallised out in the beautiful characteristic
needle-formed crystals. The mother-liquor is drawn off with a small fine-pointed
tube and rubber bulb, the crystals carefully washed with a little water and dried
over sulphuric acid. The glass dish containing these crystals is kept as the final
exhibit, and is shown in evidence. Another convenient exhibit may be prepared by
moistening a small filter-paper with a solution of the alkaloid in dilute acetic acid,
then moistening with a solution of potassium dichromate: this paper, on being
dried, may be kept indefinitely. On moistening it, and touching it at any time with
a drop of strong sulphuric acid, a violet film, changing to cherry-red, is formed at
the place of contact.”

Should search be made for minute portions of strychnine in the
tissues, considering the small amount of the poison which may
produce death, it is absolutely necessary to operate on a very large
quantity of material. It would be advisable to take the whole of the
liver, the brain, spinal cord, spleen, stomach, duodenum, kidneys, all
the blood that can be obtained, and a considerable quantity of
muscular tissue, so as to make in all about one-eighth to one-tenth
of the whole body; this may be cut up into small pieces, and boiled
in capacious flasks with alcohol, acidified with acetic acid.
Evaporation must be controlled by adapting to the cork an upright
condenser.
Should the analyst not have apparatus of a size to undertake this at
one operation, it may be done in separate portions—the filtrate from
any single operation being collected in a flask, and the spirit distilled
off in order to be used for the next. In this way, a large quantity of
the organs and tissues can be exhausted by half a gallon of alcohol.
Finally, most of the alcohol is distilled off, and the remainder
evaporated at a gentle heat in a capacious dish, the final extract
being treated, evaporating to a syrup, and using Cushman’s process
(ante, p. 334) as just described. It is only by working on this large
scale that there is any probability of detecting absorbed strychnine in
those cases where only one or two grains have destroyed life, and
even then it is possible to miss the poison.
Strychnine is separated by the kidneys rapidly. In a suicidal case
recorded by Schauenstein,[442] death took place in an hour and a
half after taking strychnine, yet from 200 c.c. of the urine,
Schauenstein was able to separate nitrate of strychnine in well-
formed crystals. Dr. Kratter[443] has made some special researches
on the times within which strychnine is excreted by the kidneys. In
two patients, who were being treated by subcutaneous injection,
half an hour after the injection of 7·5 mgrms. of strychnine nitrate
the alkaloid was recognised in the urine. The strychnine treatment
was continued for eight to ten days, and then stopped; two days
after the cessation, strychnine was found in the urine, but none on
the third day, and the inference drawn is that the elimination was
complete within forty-eight hours.

[442] Maschka’s Handbuch, Band 2, p. 620.


[443] Ibid.

Strychnine has been detected in the blood of dogs and cats in
researches specially undertaken for that purpose, but sometimes a
negative result has been obtained, without apparent cause.
Dragendorff[444] gave dogs the largest possible dose of strychnine
daily. On the first few days no strychnine was found in the urine, but
later it was detected, especially if food was withheld. M’Adam was
the first who detected the absorbed poison, recognising it in the
muscles and urine of a poisoned horse, and also in the urine of a
hound. Dragendorff has found it in traces in the kidneys, spleen, and
pancreas; Gay, in different parts of the central nervous system, and
in the saliva. So far as the evidence goes, the liver is the best organ
to examine for strychnine; but all parts supplied with blood, and
most secretions, may contain small quantities of the alkaloid. At one
time it was believed that strychnine might be destroyed by
putrefaction, but the question of the decomposition of the poison in
putrid bodies may be said to be settled. So far as all evidence goes,
strychnine is an extremely stable substance, and no amount of
putrescence will destroy it. M’Adam found it in a horse a month after
death, and in a duck eight weeks after; Nunneley in 15 animals
forty-three days after death, when the bodies were much
decomposed; Roger in a body after five weeks’ interment; Richter in
putrid tissues exposed for eleven years to decomposition in open
vessels; and, lastly, W. A. Noyes[445] in an exhumed body after it had
been buried 308 days.
[444] In an animal rapidly killed by a subcutaneous injection of acetate of
strychnine, no strychnine was detected either in the blood or liver.—
Dragendorff.
[445] Journ. Americ. Chem. Soc., xvi. 2.

It would appear from Ibsen’s[446] experiments that strychnine gets
dissolved in the fluids of the dead body—so that whether strychnine
remains or not, greatly depends as to whether the fluids are retained
or are allowed to soak away; it is, therefore, most important in
exhumations to save as much of the fluid as possible.

[446] Viertel. f. gericht. Med., Bd. viii.

§ 398. Identification of the Alkaloid.—A residue containing
strychnine, or strychnine mixed with brucine, is identified—
(1.) By its alkaline reaction and its bitter taste. No substance can
possibly be strychnine unless it tastes remarkably bitter.
(2.) By the extremely insoluble chromate of strychnine, already
described.[447] A fluid containing 1 : 1000 of strychnine gives with
chromate of potash (if allowed to stand over-night) a marked
precipitate, dissimilar to all others, except those of lead and baryta
chromates, neither of which can possibly occur if any of the
processes described are followed.

[447] 1 grm. of strychnine gave 1·280 grms. of the chromate, = 78·1 per
cent. of strychnine; 3 gave 3·811 of the chromate, = 78·77 per cent. of
strychnine.—Mohr.

(3.) If the chromate just described is treated on a porcelain plate
with a drop of pure strong sulphuric acid, a deep rich blue colour,
passing through purple into red, rapidly makes its appearance. This
colour possesses an absorption spectrum (figured at p. 55). Dr. Guy,
neglecting intermediate colours, aptly compares the succession—(1)
to the rich blue of the Orleans plum; (2) to the darker purple of the
mulberry; and (3) to the bright clear red of the sweet orange. These
characters—viz., alkalinity, bitterness, and the property of
precipitation by potassic chromate in a definite crystalline form, the
crystals giving the colours detailed—belong to no other substance
known save strychnine, and for all purposes sufficiently identify the
alkaloid. The same colour is obtained by mixing a drop of sulphuric
acid with strychnine and a crystal, or speck, of any one of the
following substances:—Ferridcyanide of potash, permanganate of
potash, peroxide of lead, peroxide of manganese, and cerous
hydroxide.
Potassic permanganate and sulphuric acid is the most delicate, and
will detect 0·001 mgrm. of strychnine; cerous hydroxide is, on the
other hand, most convenient, for cerous hydroxide is white; all the
others have colours of their own. Cerous hydroxide is prepared
by dissolving cerium oxalate in dilute sulphuric
acid and precipitating with ammonia, filtering and well washing the
precipitate; and the latter may be used while moist, and responds
well to 1⁄100 mgrm. of strychnine.
The influence of mixtures on the colour reactions of strychnine has
been studied by Flückiger, who states:—
“No strychnine reaction appears with sulphuric acid containing
chromic acid (made by dissolving 0·02 grm. of pot. bichromate in 10
c.c. of water, and then adding 30 grms. strong sulphuric acid) when
brucine and strychnine mixed in equal parts are submitted to the
test; it succeeds, however, in this proportion with sulphuric acid
containing potassium permanganate (·02 grm. pot. permanganate in
10 c.c. of water, and 30 grms. of strong sulphuric acid).
“If the brucine is only one-tenth of the mixture, the blue-violet
colour is obtained. A large excess of atropine does not prevent or
obscure the strychnine reaction. A solution of 1 milligrm. atropine
sulphate evaporated to dryness, together with 5 c.c. of a solution of
strychnine (1 : 100,000) has no influence on the reaction, neither in
the proportion of 1 mgrm. to 1 c.c. of the same solution; neither has
cinchonine nor quinine any effect.
“Morphine obscures the reaction in the following proportions:—
“A solution of 0·01 mgrm. strychnine evaporated with a solution of 1
mgrm. of morphine sulphate on a water-bath, yields a blurred
strychnine reaction when the residue is dissolved in sulphuric acid,
and a crystal of potassic permanganate added. But still there is
evidence whereby to suspect the presence of strychnine.
“A solution of 2 mgrms. of morphine sulphate treated in like manner
with 0·01 mgrm. of strychnine yields like results.
“A solution of 3 mgrms. of morphine sulphate evaporated to dryness,
with a solution of 0·01 mgrm. strychnine yielded results with the
potassic permanganate test the same as if no strychnine was
present.
“A solution of 1 mgrm. of morphine sulphate, treated as above, with
a solution of 0·1 mgrm. strychnine, offered positive proof of the
presence of the latter.”[448]

[448] Flückiger’s Reactions, translated by Nagelvoort, Detroit, 1893.

Dragendorff was able to render evident ·025 mgrm. mixed with
twenty times its weight of quin. sulphate; the same observer
likewise recognised ·04 mgrm. of strychnine in thirty-three times its
weight of caffeine. Veratrine is likewise not injurious.
The physiological test consists in administering the substance to
some small animal (preferably to a frog), and inducing the ordinary
tetanic symptoms. It may be at once observed that if definite
chemical evidence of strychnine has been obtained, the physiological
test is quite unnecessary; and, on the other hand, should the
application of a liquid or substance to a frog induce tetanus, while
chemical evidence of the presence of strychnine was wanting, it
would be hazardous to assert that strychnine was present, seeing
that caffeine, carbolic acid, picrotoxin, certain of the opium alkaloids,
hypaphorine, some of the ptomaines, and many other substances
induce similar symptoms. The best method (if the test is used at all)
is to take two frogs,[449] and insert under the skin of the one the
needle of a subcutaneous syringe, previously charged with a solution
of the substance, injecting a moderate quantity. The other frog is
treated similarly with a very dilute solution of strychnine, and the
two are then placed under small glass shades, and the symptoms
observed and compared. It is not absolutely necessary to inject the
solution under the skin, for if applied to the surface the same effects
are produced; but, if accustomed to manipulation, the operator will
find the subcutaneous application more certain, especially in dealing
with minute quantities of the alkaloid.[450]

[449] A very practical disadvantage of the physiological test is the great
difficulty of obtaining frogs exactly when wanted.
[450] Methyl strychnine, as well as methyl brucine, has been shown by
Brown and Fraser to have an effect exactly the opposite to that of
strychnine, paralysing the muscles like curare. In the case, therefore, of
the methyl compounds, a physiological test would be very valuable, since
these compounds do not respond to the ordinary tests.

§ 399. Hypaphorine.—One substance is known which neither physiological test
nor the colour reactions suffice to distinguish from strychnine, viz., hypaphorine,[451]
the active matter of a papilionaceous tree growing in Java—the Hypaphorus
subumbrans; a small quantity of the alkaloid is in the bark, a larger quantity is in
the seed.

[451] Dr. C. Plugge, Arch. f. exp. Path. u. Ph., Bd. xxxii. 313.

Hypaphorine forms colourless crystals which brown, without melting, above 220°,
and exhale a vapour smelling like naphthylamine. The free alkaloid is soluble in
water, but has no action on litmus. The salts are less soluble than the free alkaloid,
so that acids, such as nitric or hydrochloric, produce in a short time precipitates on
standing. Solutions of the salts are not precipitated by alkalies; chloroform, ether,
benzene, all fail to extract it from either alkaline or acid solutions. It gives no
precipitate with potassic chromate, but most general alkaloidal reagents
precipitate.
It gives a precipitate with iodine trichloride, and has therefore probably a pyridine
nucleus; it may be an acid anilide.[452] It gives the same colours as strychnine with
sulphuric acid and potassic permanganate or potassic chromate; it causes in frogs
tetanus, but the dose has to be much larger than that of strychnine. The duration
of life in doses of 15 mgrms. may extend to five days, and frogs may even recover
after 50 mgrms.

[452] Julius Tafel (Ber., 1890, 412) has shown that the colour reactions with
H2SO4 and oxidising agents are the characteristic tests of an acid anilide.

The distinction between strychnine and hypaphorine is therefore easy; besides it
will not occur in a chloroform extract, and it will not give a precipitate with
potassic chromate.
§ 400. Quantitative Estimation of Strychnine.—The best process of
estimating the proportion of each alkaloid in a mixture of strychnine and brucine,
is to precipitate them as picrates, and to destroy the brucine picrate by nitric acid
after obtaining the combined weight of the mixed picrates; then to weigh the
undestroyed strychnine picrate.
To carry out the process, the solution of the mixed alkaloids must be as neutral as
possible. A saturated solution of picric acid is added drop by drop to complete
precipitation. A filter paper is dried and weighed, and the precipitate collected on
to this filter paper; the precipitate is washed with cold water, dried at 105°, and
weighed. This weight gives the combined weight of both strychnine and brucine
picrates.
The precipitate is now detached from the filter, washed into a small flask, and
heated on the water-bath for some time with nitric acid diluted to 1·056 gravity
(about 11 per cent. HNO3). This process destroys the brucine picrate, but leaves
the strychnine picrate untouched. The acid liquid is now neutralised with ammonia
or soda, and a trace of acetic acid added; the precipitate of strychnine picrate is
now collected and weighed. The weight of this subtracted from the first weight, of
course, gives that of the brucine picrate.
One part of strychnine picrate is equal to 0·5932 strychnine; and one part of
brucine picrate is equal to 0·6324 brucine.
From the strychnine picrate the picric acid may be recovered and weighed by
dissolving the picrate in a mineral acid and shaking out with ether; from the acid
liquid thus deprived of picric acid the alkaloid may be separated by alkalising with
ammonia and shaking out with chloroform.
§ 401. Brucine (C23H26N2O4 + 4H2O)[453] occurs associated with
strychnine in the plants already mentioned; its best source is the so-called
false angustura bark, which contains but little strychnine. Its
action is similar to that of strychnine. If crystallised out of dilute
alcohol it contains 4 atoms of water, easily expelled either in a
vacuum over sulphuric acid or by heat. Crystallised thus, it forms
transparent four-sided prisms, or arborescent forms, like boric acid.
If thrown down by ammonia from a solution of the acetate, it
presents itself in needles or in tufts.

[453] Sonnenschein has asserted that brucine may be changed into
strychnine by the action of NO3. This statement has been investigated by
A. J. Cownley, but not confirmed.—Pharm. Journ. (3), vi. p. 841.

The recently-crystallised alkaloid has a solubility different from that
which has effloresced, the former dissolving in 320 parts of cold, and
150 parts of boiling water; whilst the latter (according to Pelletier
and Caventou) requires 500 of boiling, and 850 parts of cold water
for solution. Brucine is easily soluble in absolute, as well as in
ordinary alcohol; 1 part dissolves in 1·7 of chloroform, in 60·2 of
benzene. Petroleum ether, the volatile and fatty oils and glycerine,
dissolve the alkaloid slightly, amyl alcohol freely; it is insoluble in
anhydrous ether. The behaviour of brucine in the subliming cell is
described at p. 260. Anhydrous brucine melts in a tube at 178°. The
alcoholic solution of brucine turns the plane of polarisation to the left
[α]r = -11·27°. The taste is bitter and acrid. Soubeiran maintains
that it can be recognised if 1 part is dissolved in 500,000 parts of
water. If nitric trioxide be passed into an alcoholic solution of
brucine, first brucine nitrate is formed; but this passes again into
solution, from which, after a time, a heavy, granular, blood-red
precipitate separates: it consists of dinitro-brucine
(C23H24(NO2)2N2O4). Brucine fully neutralises acids, and forms salts,
which are for the most part crystalline. The neutral sulphate
(C23H25N2O4SH2O4 + 3½H2O) is in long needles, easily soluble in
water. The acetate is not crystalline, that of strychnine is so (p. 321).
Brucine is precipitated by ammonia, by the caustic and carbonated
alkalies, and by most of the group reagents. Ammonia does not
precipitate brucine, if in excess; on the other hand, strychnine
comes down if excess of ammonia is added immediately. This has
been proposed as a method of separation; if the two alkaloids are
present in acid solution, ammonia in excess is added, and the
solution is immediately filtered; the quantitative results are, however,
not good, the strychnine precipitate being invariably contaminated
by brucine.
Chromate and dichromate of potassium give no precipitate with
neutral salts of brucine; on the other hand, strychnine chromate is at
once formed if present. It might, therefore, be used to separate
strychnine from brucine. The author has attempted this method, but
the results were not satisfactory.
§ 402. Physiological Action.—The difference between the action
of strychnine and that of brucine on man or animals is not great.
Mays states that strychnine affects more the anterior, brucine the
posterior extremities. In strychnine poisoning, convulsions occur
early, and invariably take place before death; but death may occur
from brucine without any convulsions, and in any case they develop
late. Brucine diminishes local sensibility when applied to the skin;
strychnine does not.[454] In a physiological sense, brucine may be
considered a diluted strychnine. The lethality of brucine, especially
as compared with strychnine, has been investigated by F. A. Falck.[455]
He experimented on 11 rabbits, injecting subcutaneously
brucine nitrate, in doses of varying magnitude, from 100 mgrms.
down to 20 mgrms. per kilogram of body-weight. He found that
brucine presented three stages of symptoms. In the first, the
respiration is quickened; in 3 of the 11 cases a strange injection of
the ear was noticed; during this period the pupils may be dilated. In
the second stage, there are tetanic convulsions, trismus,
opisthotonus, oppressed respiration, and dilated pupils. In the third
stage, the animal is moribund. Falck puts the minimum lethal dose
for rabbits at 23 mgrms. per kilo. Strychnine kills 3·06 times more
quickly than brucine, the intensity of the action of strychnine relative
to that of brucine being as 1 : 117·4. Falck has also compared the
minimum lethal dose of strychnine and brucine with the tetanising
opium alkaloids, as shown in the following table:—

[454] Journ. Physiol., viii. 391-403.
[455] Brucin u. Strychnin; eine toxikologische Parallele, von Dr. F. A. Falck.
Vierteljahrsschr. f. gerichtl. Med., Band xxiii. p. 78.

TABLE SHOWING THE LETHAL DOSES OF VARIOUS TETANISING POISONS.

                          Minimum Lethal Dose for     Proportional
                          every Kilogram Weight of    Strength.
                          Rabbit. Mgrms.
Strychnine nitrate,              0·6                     ...
Thebaine nitrate,               14·4                     24·0
Brucine nitrate,                23·0                     38·33
Laudanine nitrate,              29·6                     49·33
Codeine nitrate,                51·2                     85·33
Hydrocotarnine nitrate,        203·8                    339·66

If these views are correct, it follows that the least fatal dose for an
adult man would be 1·64 grm. (about 24·6 grains) of brucine nitrate.
Brucine Crystals. (From a Photograph.)

§ 403. Tests.—If to a solution of brucine in strong alcohol a little
methyl iodide is added, at the end of a few minutes circular rosettes
of crystal groups appear (see fig.): they are composed of methyl
brucine iodide (C23H25(CH3)N2O4HI). Crystals identical in shape are
also obtained if an alcoholic solution of iodine, or hydriodic acid with
iodine, is added to an alcoholic solution of brucine. A solution of
strychnine gives with methyl iodide no similar reaction. Strychnine in
alcoholic solution, mixed with brucine, in no way interferes with the
test. The methyl iodide test may be confirmed by the action of nitric
acid. With that reagent it produces a scarlet colour, passing into
blood-red, into yellow-red, and finally ending in yellow. This can be
made something more than a mere colour test, for it is possible to
obtain a crystalline body from the action of nitric acid on brucine. If
a little of the latter be put in a test-tube, and treated with nitric acid
of 1·4 specific gravity (immersing the test-tube in cold water to
moderate the action), the red colour is produced. On spectroscopic
examination of the blood-red liquid a broad, well-marked absorption
band is seen, the centre of which (see page 55) is between E. & F.
[W. L. about 500]. There is also a development of nitric oxide and
carbon dioxide, and the formation of methyl nitrite, oxalic acid, and
kakotelin (C23H26N2O4 + 5NHO3 = C20H22N4O9 + N(CH3)O2 + C2H2O4 +
2NO + 2H2O). On diluting abundantly with water, the kakotelin
separates in yellow flocks, and may be crystallised out of dilute
hydrochloric or dilute nitric acid in the form of yellow or orange-red
crystals, very insoluble in water, but dissolving readily in dilute acid.
On removal by dilution of the product just named, neutralisation with
ammonia, and addition of a solution of chloride of calcium, the
oxalate of lime is thrown down. The nitric acid test is, therefore, a
combined test, consisting of—the production by the action of nitric
acid (1) of a red colour; (2) of yellow scales or crystals insoluble in
water; (3) of oxalic acid. No alkaloid save brucine is known to give
this reaction.
There are other methods of producing the colour test. If a few drops
of nitric acid are mixed with the substance in a test-tube, and then
sulphuric acid cautiously added, so as to form a layer at the bottom,
at the junction of the liquids a red zone, passing into yellow, is seen.
A solution of brucine is also coloured red by chlorine gas, ammonia
changing the colour into yellow.
Flückiger[456] has proposed as a test mercurous nitrate, in aqueous
solution with a little free nitric acid. On adding this reagent to a
solution of brucine salt, and gently warming, a fine carmine colour is
developed.

[456] Archiv f. Pharm. (3), vi. 404.

In regard to the separation of brucine from organic fluids or tissues,
the process already detailed for strychnine suffices. It is of very
great importance to ascertain whether both strychnine and brucine
are present or not—the presence of both pointing to nux vomica or
one of its preparations. The presence of brucine may, of course, be
owing to impure strychnine; but if found in the tissues, that solution
of the question is improbable, the commercial strychnine of the
present day being usually pure, or at the most containing so small a
quantity of brucine as would hardly be separated from the tissues.
§ 404. Igasurine is an alkaloid as yet but little studied; it appears that it can be
obtained from the boiling-hot watery extract of nux vomica seeds, through
precipitating the strychnine and brucine by lime, and evaporation of the filtrate.
According to Desnoix,[457] it forms white crystals containing 10 per cent. of water
of crystallisation.

[457] Journ. Pharm. (3), xxv. 202.

It is said to be poisonous, its action being similar to that of strychnine and brucine,
and in activity standing midway between the two.
§ 405. Strychnic Acid.—Pelletier and Caventou obtained by boiling with spirit small,
hard, warty crystals of an organic acid, from S. ignatius, as well as from nux
vomica seeds. The seeds were first exhausted by ether, the alcohol solution was
filtered and evaporated, and the extract treated with water and magnesia, filtered,
and the residue first washed with cold water, then with hot spirit, and boiled lastly
with a considerable quantity of water. The solution thus obtained was precipitated
with acetate of lead, the lead thrown out by SH2, and the solution evaporated, the
acid crystallising out. It is a substance as yet imperfectly studied, and probably
identical with malic acid.

2. THE QUEBRACHO GROUP OF ALKALOIDS.

§ 406. The bark of the Quebracho Blanco[458] (Aspidosperma quebracho) contains,
according to Hesse’s researches, no fewer than six alkaloids—Quebrachine,
Aspidospermine, Aspidospermatine, Aspidosamine, and Hypoquebrachine. The
more important of these are Aspidospermine and Quebrachine.

[458] See Liebig’s Annal., 211, 249-282; Ber. der deutsch. Chem.
Gesellsch., 11, 2189; 12, 1560.

Aspidospermine (C22H30N2O2) forms colourless needles which melt at 206°.
They dissolve in about 6000 parts of water at 14°—48 parts of 90 per cent.
alcohol, and 106 parts of pure ether. The alkaloid gives a fine magenta colour with
perchloric acid.
Quebrachine (C21H26N2O3) crystallises in colourless needles, melting-point (with
partial decomposition) 215°. The crystals are soluble in chloroform, with difficulty
soluble in cold alcohol, but easily in hot. The alkaloid, treated with sulphuric acid,
and peroxide of lead, strikes a beautiful blue colour. It also gives with sulphuric
acid and potassic chromate the strychnine colours. Quebrachine, dissolved in
sulphuric acid containing iron, becomes violet-blue, passing into brown. The
alkaloid, treated with strong sulphuric acid, becomes brown; on adding a crystal of
potassic nitrate, a blue colour is developed; on now neutralising with caustic soda
no red coloration is perceived. Dragendorff has recently studied the best method
of extracting these alkaloids for toxicological purposes. He recommends extraction
of the substances with sulphuric acid holding water, and shaking up with solvents.
Aspidospermine is not extracted by petroleum ether or benzene from an acid
watery extract, but readily by chloroform or by amyl alcohol. It is also separated
from the same solution, alkalised by ammonia, by either amyl alcohol or
chloroform; with difficulty by petroleum ether; some is dissolved by benzene.
Quebrachine may be extracted from an acid solution by chloroform, but not by
petroleum ether. Alkalised by ammonia, it dissolves freely in chloroform and in
amyl alcohol. Traces are taken up by petroleum, somewhat more by benzene.
Aspidospermine is gradually decomposed in the body, but Quebrachine is more
resistant, and has been found in the stomach, intestines, blood, and urine. The
toxicological action of the bark ranks it with the tetanic class of poisons. In this
country it does not seem likely to attain any importance as a poison.

3. PEREIRINE.
§ 407. Pereirine—an alkaloid from pereira bark—gives a play of colours with
sulphuric acid and potassic bichromate similar to but not identical with that of
strychnine. Fröhde’s reagent strikes with it a blue colour. On dissolving pereirine in
dilute sulphuric acid, and precipitating by gold chloride, the precipitate is a
beautiful red, which, on standing and warming, is deepened. Pereirine may be
extracted from an acid solution, after alkalising with ammonia, by ether or
benzene.

4. GELSEMINE.

§ 408. Gelsemine (C22H28N2O4) is an alkaloid[459] which has been separated from
Gelsemium sempervirens, the Carolina jessamine, a plant having affinities with
several natural orders, and placed by De Candolle among the Loganiaceæ, by
Chapman among the Rubiaceæ and by Decaisne among the Apocynaceæ. It
grows wild in Virginia and Florida.[460] Gelsemine is a strong base; it is yellowish
when impure, but a white amorphous powder when pure. It fuses below 100° into
a transparent vitreous mass, at higher temperatures it condenses on glass in
minute drops; its taste is extremely bitter; it is soluble in 25 parts of ether, in
chloroform, bisulphide of carbon, benzene, and in turpentine; it is not very soluble
in alcohol, and still less soluble in water, but it freely dissolves in acidulated water.
The caustic alkalies precipitate it, the precipitate being insoluble in excess; it is
first white, but afterwards brick-red. Tannin, picric acid, iodised potassic iodide,
platinic chloride, potassio-mercuric iodide, and mercuric chloride all give
precipitates. Fröhde’s reagent gives with gelsemine a brown changing to green.

[459] Dr. T. G. Wormley separated, in 1870, a non-nitrogenised remarkably
fluorescent body, which he named gelsemic acid (Amer. Journ. of Pharm.,
1870), but Sonnenschein and C. Robbins afterwards found gelsemic acid
to be identical with æsculin (Ber. der deutsch. Chem. Ges., 1876, 1182).
Dr. Wormley has, however, contested this, stating that there are
differences. (Amer. Journ. of Pharm., 1882, p. 337. Yearbook of Pharmacy,
1882, p. 169.)
[460] The following are its botanical characters:—Calyx five-parted, corolla
funnel-shaped, five-lobed, somewhat oblique, the lobes almost equal, the
posterior being innermost in bud; stamens five; anthers oblong sagittate,
style long and slender; stigmas two, each two-parted, the divisions being
linear; fruit elliptical, flattened contrary to the narrow partition, two-celled,
septicidally two-valved, the valves keeled; seeds five to six in each cell,
large, flat, and winged; embryo straight in fleshy albumen; the ovate flat
cotyledons much shorter than the slender radicle; stem smooth, twining
and shrubby; leaves opposite, entire, ovate, or lanceolate, shining on
short petioles, nearly persistent; flowers large, showy, very fragrant,
yellow, one to five in the axil of the leaves.

Sulphuric acid dissolves gelsemine with a reddish or brownish colour; after a time
it assumes a pinkish hue, and if warmed on the water-bath, a more or less purple
colour; if a small crystal of potassic bichromate be slowly stirred in the sulphuric
acid solution, reddish purple streaks are produced along the path of the crystal;
ceric oxide exhibits this better and more promptly, so small a quantity as ·001
grain showing the reaction. This reaction is something like that of strychnine, but
nitric acid causes gelsemine to assume a brownish-green, quickly changing to a
deep green—a reaction which readily distinguishes gelsemine from strychnine and
other alkaloids.
§ 409. Fatal Dose.—10 mgrms. killed a frog within four hours, and 8 mgrms. a
cat within fifteen minutes. A healthy woman took an amount of concentrated
tincture, which was equivalent to 11 mgrms. (1⁄6 grain), and died in seven and a
half hours.
§ 410. Effects on Animals—Physiological Action.—Gelsemine acts powerfully
on the respiration; for example, Drs. Sydney Ringer and Murrell[461] found, on
operating on the frog, that in two minutes the breathing had become distinctly
slower; in three and a half minutes, it had been reduced by one-third; and in six
minutes, by one-half; at the expiration of a quarter of an hour, it was only
one-third of its original frequency; and in twenty minutes, it was so shallow and
irregular that it could no longer be counted with accuracy. In all their experiments
they found that the respiratory function was abolished before reflex and voluntary
motion had become extinct. In several instances the animals could withdraw their
legs when their toes were pinched, days after the most careful observations had
failed to detect the existence of any respiratory movement. The heart was seen
beating through the chest wall long after the complete abolition of respiration.

[461] Lancet, vol. i., 1876, p. 415.

In their experiments on warm-blooded animals (cats), they noticed that in a few
minutes the respirations were slowed down to 12 and even to 8, and there was
loss of power of the posterior extremities, while at short intervals the upper half of
the body was convulsed. In about half an hour paralysis of the hind limbs was
almost complete, and the respiratory movements so shallow that they could not be
counted. In the case of a dog, after all respiration had ceased tracheotomy was
performed, and air pumped in: the animal recovered.
Ringer and Murrell consider that gelsemine produces no primary quickening of the
respiration, that it has no direct action on either the diaphragm or intercostal
muscles, that it paralyses neither the phrenic nor the intercostal nerves, and that it
diminishes the rate of respiration after both vagi have been divided. They do not
consider that gelsemine acts on the cord through Setschenow’s inhibitory centre,
but that it destroys reflex power by its direct action on the cord, and that probably
it has no influence on the motor nerves. Dr. Burdon Sanderson has also
investigated the action of gelsemine on the respiration, more especially in relation
to the movements of the diaphragm. He operated upon rabbits; the animal being
narcotised by chloral, a small spatula, shaped like a teaspoon, was introduced into
the peritoneal cavity through an opening in the linea alba, and passed upwards in
front of the liver until its convex surface rested against the under side of the
centrum tendineum. The stem of the spatula was brought into connection with a
lever, by means of which its to-and-fro movements (and consequently that of the
diaphragm) were inscribed. The first effect is to augment the depth but not the
frequency of the respiratory movements; the next is to diminish the action of the
diaphragm both in extent and frequency. This happens in accordance with the
general principle applicable to most cases of toxic action—viz., that paresis of a
central organ is preceded by over-action. The diminution of movement upon the
whole is progressive, but this progression is interrupted, because the blood is
becoming more and more venous, and, therefore, the phenomena of asphyxia are
mixed up with the toxical effects. Dr. Sanderson concludes that the drug acts by
paralysing the automatic respiratory centre; the process of extinction, which might
be otherwise expected to be gradual and progressive, is prevented from being so
by the intervention of disturbances of which the explanation is to be found in the
imperfect arterialisation of the circulating blood. Ringer and Murrell have also
experimented upon the action of gelsemine on the frog’s heart. In all cases it
decreased the number of beats; a small fatal dose produced a white contracted
heart, a large fatal dose, a dark dilated heart; in either case arrest of the
circulation of course followed.
§ 411. Effects on Man.—The preparations used in medicine are the fluid extract
and the tincture of gelsemine; the latter appears to contain the resin of the root as
well as the active principle. There are several cases on record of gelsemine, or the
plant itself, having been taken with fatal effect.[462] Besides a marked effect on the
respiration, there is an effect upon the eye, better seen in man than in the lower
animals; the motor nerves of the eye are attacked first, objects cannot be fixed,
apparently dodging their position, the eyelids become paralysed, droop, and
cannot be raised by an effort of the will; the pupils are largely dilated, and at the
same time a feeling of lightness has been complained of in the tongue; it ascends
gradually to the roof of the mouth, and the pronunciation is slurred. There is some
paresis of the extremities, and they refuse to support the body; the respiration
becomes laboured, and the pulse rises in frequency to 120 or 130 beats per
minute, but the mind remains clear. The symptoms occur in about an hour and a
half after taking an overdose of the drug, and, if not excessive, soon disappear,
leaving no unpleasantness behind. If, on the other hand, the case proceeds to a
fatal end, the respiratory trouble increases, and there may be convulsions, and a
course very similar to that seen in experimenting on animals. Large doses are
especially likely to produce tetanus, which presents some clinical differences
distinguishing it from strychnine tetanus. Gelsemine tetanus is always preceded by
a loss of voluntary reflex power, respiration ceases before the onset of
convulsions, the posterior extremities are most affected, and irritation fails to
excite another paroxysm till the lapse of some seconds, as if the exhausted cord
required time to renew its energy; finally, the convulsions only last a short time.

[462] See Lancet, 1873, vol. ii. p. 475; Brit. Med. and Surg. Journ., April
1869; Phil. Med. and Surg. Reporter, 1861.

§ 412. Extraction from Organic Matters, or the Tissues of the Body.—Dragendorff
states that, from as little as half a grain of the root, both gelsemine and gelsemic
acid may be extracted with acid water, and identified. On extracting with water
acidified with sulphuric acid, and shaking up the acid liquid with chloroform, the
gelsemic acid (æsculin?) is dissolved, and the gelsemine left in the liquid. The
chloroform on evaporation leaves gelsemic acid in little micro-crystals; it may be
identified by (1) its crystallising in little tufts of crystals; (2) its strong fluorescent
properties, one part dissolved in 15,000,000 parts of water showing a marked
fluorescence, which is increased by the addition of an alkali; and (3) by splitting
up into sugar and another body on boiling with a mineral acid. After separation of
gelsemic acid, the gelsemine is obtained by alkalising the liquid, and shaking up
with fresh chloroform; on separation of the chloroform, gelsemine may be
identified by means of the reaction with nitric acid, and also the reaction with
potassic bichromate and sulphuric acid.

5. COCAINE.

§ 413. Cocaine (C17H21NO4).—There are two cocaines—the one rotating a ray of
polarised light to the left, the other to the right. The left cocaine is contained in
the leaves of Erythroxylon coca with other alkaloids, and is in commerce.
Cocaine has been used most extensively in medicine since the year 1884—its chief
use being as a local anæsthetic. Chemically cocaine is a derivative of ecgonin,
being ecgonin-methyl-ester. It has a pyridine nucleus, and may be written
C5H4N(CH3)—H3CHO—(COC6H5)—CH2COOCH3, or expressed graphically as
follows:—

Properties.—Cocaine is in the form of four- to six-sided prisms of the monoclinic
system. It is one of the few alkaloids which melt under the temperature of boiling
water, the melting-point being as low as 85° in water. It readily furnishes a
sublimate at 100°, partially decomposing. On boiling with hydrochloric acid cocaine
is decomposed into methyl alcohol, ecgonin, and benzoic acid, according to the
following reaction:—

Cocaine.                 Benzoic acid.   Ecgonin.     Alcohol.
C17H21NO4 + 2H2O    =    C6H5COOH    +   C9H15NO3  +  CH3OH.

Cocaine is but little soluble in water, but easily dissolves in ether, alcohol, benzene,
chloroform, and carbon disulphide; an aqueous solution is alkaline to
methyl-orange, but not to phenol-phthalein. It can be made synthetically by the reaction
of ecgonin-methyl-ester with benzoyl chloride.

§ 414. Cocaine Hydrochlorate (C17H21NO4HCl).—Crystallised from
alcohol, cocaine hydrochlorate appears in prismatic crystals; these
crystals, according to Hesse,[463] when perfectly pure, should melt at
186°, although the melting-point is generally given as 200° or even
202°. Cocaine hydrochlorate is soluble in half its weight of water,
insoluble in dry ether, but readily soluble in alcohol, amyl alcohol, or
chloroform.

[463] O. Hesse, Annalen, 276, 342-344.


§ 415. Pharmaceutical Preparations.—Cocaine hydrochlorate is
officinal. Gelatine discs, weighing 1·31 mgrms. (1⁄50 grain), and each
containing 0·33 mgrm. (1⁄200 grain) of the salt are officinal, and used
by ophthalmic surgeons. A solution of the hydrochlorate, containing
10 per cent. of cocaine hydrochlorate and (for the purposes of
preserving the solution) 0·15 per cent. of salicylic acid is also
officinal. Stronger solutions may also be met with; for instance, a 20
per cent. solution in oil of cloves for external application in cases of
neuralgia.
§ 416. Separation of Cocaine and Tests.—Cocaine may be
shaken out of solutions made slightly alkaline by ammonia by
treatment with benzene; it also passes into petroleum ether under
the same circumstances. The best method is to extract a solution,
made feebly alkaline, thoroughly by ether, and then shake it out by
benzene and evaporate the separated benzene at the ordinary air
temperature. The property of the alkaloid to melt at or below the
temperature of boiling water, and the ready decomposition into
benzoic acid and other products, render cocaine easy of
identification. If, for instance, a small particle of cocaine is put in a
tube, a drop of strong sulphuric acid added and warmed by the
water-bath, colourless crystals of benzoic acid sublime along the
tube, and an aromatic odour is produced.
Flückiger has recommended the production of benzoate of iron as a
useful test both for cocaine and for cocaine hydrochlorate.
One drop of a dilute solution of ferric chloride added to a solution of
20 mgrms. of cocaine hydrochlorate in 2 c.c. of water, gives a yellow
fluid, which becomes red on boiling from the production of iron
benzoate. This reaction is of little use unless a solution of the same
strength of ferric chloride, but to which the substance to be tested
has not been added, is boiled at the same time for comparison,
because all solutions of ferric chloride deepen in colour on heating.
A solution of the alkaloid evaporated to dryness on the water-bath,
after being acidulated with nitric acid, and then a few drops of
alcoholic solution of potash or soda added, develops an odour of
benzoic ethyl-ester. Cocaine hydrochlorate, when triturated with
calomel, blackens by the slightest humidity or by moistening it with
alcohol. Cocaine in solution is precipitated by most of the group
reagents, but is not affected by mercuric chloride, picric acid, nor
potassic bichromate.
Added to the tests above mentioned, there is the physiological
action; cocaine dilates the pupil, tastes bitter, and, for the time,
arrests sensation; hence the after-effect on the tongue is a sensation
of numbness.
§ 417. Symptoms.—A large number of accidents occur each year
from the external application of cocaine; few, however, end fatally.
Cocaine has thus produced poisonous symptoms when applied to
the eye, to the rectum, to the gums, to the urethra, and to various
other parts. There have been a few fatal cases, both from its
external and internal administration; Mannheim, for example, has
collected eleven of such instances.
The action of cocaine is twofold; there is an action on the central
and the peripheral nervous system. In small doses cocaine excites
the spinal cord and the brain; in large it may produce convulsions
and then paralysis. The peripheral action is seen in the numbing of
sensation. There is always interference with the accommodation of
vision, and dilatation of the pupil. The eyelids are wider apart than
normal, and there may be some protrusion of the eyeball.
The usual course of an acute case of poisoning is a feeling of
dryness in the nose and throat, difficulty of swallowing, faintness,
and there is often vomiting; the pulse is quickened; there is first
cerebral excitement, followed usually by great mental depression.
Occasionally there is an eruption on the skin. Hyperæsthesia of the
skin is followed by great diminution of sensation, the pupils, as
before stated, are dilated, the eyes protruding, the eyelids wide
open, the face is pale, and the perspiration profuse. Convulsions and
paralysis may terminate the scene. Death takes place from paralysis
of the breathing centre; therefore the heart beats after the cessation
of respiration. As an antidote, nitrite of amyl has apparently been
used with success.
There is a form of chronic poisoning produced from the taking of
small doses of cocaine daily. The symptoms are very various, and
are referable to disturbance of the digestive organs, and to the
effect on the nervous system. The patients become extremely
emaciated, and it seems to produce a special form of mania.
§ 418. Post-mortem Appearances.—The appearances found in
acute cases of poisoning have been hyperæmia of the liver, spleen,
and kidneys, as well as of the brain and spinal cord.
In the experimental poisoning of mice with cocaine Ehrlich[464] found
a considerable enlargement of the liver.

[464] Deutsche med. Wochens., 1890, No. 32.

§ 419. Fatal Dose.—The fatal dose, according to Mannheim,[465]
must be considered as about 1 grm. (15·4 grains); the smallest dose
known to have been fatal is 0·08 grm. (1·2 grain) for an adult, and
0·05 grm. (0·7 grain) for a child.

[465] Deutsch. Arch. f. klin. Med., Bd. viii., 1891, 380.

6. CORYDALINE.

§ 420. Corydaline (C22H28NO4) is an alkaloid discovered by Wackenroder (1826)
in the tubers of Corydalis tuberosa; crystallised in the cold and away from light,
out of a mixture of absolute alcohol and ether, corydaline forms colourless, flat,
prismatic crystals, which quickly turn yellow on exposure to light or heat. Pure
corydaline changes colour at about 125°, softens at about 133°, and melts finally
at 134° to 135°. It dissolves in ether, chloroform, carbon disulphide, and benzene,
but not so readily in alcohol. It is almost insoluble in cold water, and but slightly
soluble in boiling water. Water precipitates it from a solution in alcohol. It is also
soluble in dilute hydrochloric and sulphuric acids. It gives a precipitate with
potassium iodide if a solution of the hydrochloride be used. The precipitate
crystallises out of hot water in clusters of short lemon-yellow prismatic crystals,
and has the formula of C22H28NO4HI. Corydaline platinochloride has the
composition of (C22H28NO4)2H2PtCl6, containing Pt 16·94 per cent., and 2·44 per
cent. of N.—Dobbie & Lauder, Journ. Chem. Soc., March 1892, 244.
Corydaline in large doses causes epileptiform convulsions. Death takes place from
respiratory paralysis.

V.—The Aconite Group of Alkaloids.

§ 421. The officinal aconite is the Aconitum napellus—monkshood or
wolfsbane—a very common garden plant in this country, and one
cultivated for medicinal purposes. Many varieties of aconite exist in
other regions, which either are, or could be, imported. Of these the
most important is the Aconitum ferox, a native of the Himalayan
mountains, imported from India.
All the aconites, so far as known, are extremely poisonous, and it
appears probable that different species contain different alkaloids.
The root of A. napellus is from 2 to 4 inches long, conical in shape,
brown externally, and white internally. The leaves are completely
divided at the base into five wedge-shaped lobes, each of the five
lobes being again divided into three linear segments. The numerous
seeds are three-sided, irregularly twisted, wrinkled, of a dark-brown
colour, in length one-sixth of an inch, and weighing 25 to the grain
(Guy). The whole plant is one of great beauty, from 2 to 6 feet high,
and having a terminal spike of conspicuous blue flowers. The root
has been fatally mistaken for horse-radish, an error not easily
accounted for, since no similarity exists between them.
§ 422. Pharmaceutical Preparations of Aconite.—The
preparations of aconite used in medicine are—