Office National d'Etudes et de Recherches Aerospatiales. Centre d'Etudes et de Recherche de l'Ecole Nationale Superieure


Office National d'Etudes et de Recherches Aerospatiales
Centre d'Etudes et de Recherche de l'Ecole Nationale Superieure de l'Aeronautique et de l'Espace a Toulouse

Programming Communicating Distributed Reactive Automata: the Weak Synchronous Paradigm

Frederic Boniol, Martin Adelantado

Publication presented at: IFIP WG10.3 International Conference on Decentralized and Distributed Systems, ICDDS'93, September 15-17, 1993, Palma de Mallorca, Spain.

Departement d'Etudes et de Recherches en Informatique, 2, avenue Edouard Belin - BP Toulouse Cedex. Tel Fax


Programming Communicating Distributed Reactive Automata: the Weak Synchronous Paradigm

Frederic Boniol and Martin Adelantado
CERT-ONERA Dept. d'Informatique, BP 4025, Toulouse cedex, France.

Abstract

The aim of this paper is to present a new paradigm for reactive and real-time distributed programming: weak synchronism. We define a small language for communicating reactive automata, and characterize it by an operational semantics. We show that weak synchronism provides a deterministic semantics of concurrency and allows physical distributed implementations. This weak synchronous paradigm can then be extended to real-time programming by defining a more general paradigm, a strong-weak synchronous coupling.

Keyword codes: D.1.3; F.3.2; F.4.3
Keywords: Concurrent Programming; Semantics of Programming Languages; Formal Languages.

(This research was carried out in the context of the project SATURNE (Synchronous Any-Time coupling for Real-time reasoning design) supported by the French Ministry of Defence.)

1. Introduction: Real-Time and Reactive Systems

The concept of reactive system was introduced by D. Harel and A. Pnueli in [8] to describe systems which maintain a continuous interaction with their environment. D. Harel and A. Pnueli propose a dichotomy between what they call transformational and reactive systems. On the one hand, a transformational system accepts inputs, performs transformations on them, and produces outputs. Globally speaking, transformational systems are well described by a relation between input and output values. They perform input/output operations, perhaps prompting a user from time to time to provide extra information. On the other hand, a reactive system is repeatedly prompted by the outside world and its role is to continuously respond to external inputs. More generally, a reactive system does not compute a function from initial to final states, but it is supposed to maintain a permanent interaction with its environment, reacting to events coming from this environment by sending events and commands to it. The time at which each new event arrives is relevant to the behaviour. Such systems are said to be event-driven. Examples include digital watches, man/machine interfaces, silicon chips, robots, communication networks, video games, and more generally all kinds of real-time process controllers.

It is often convenient to consider real-time systems as composed of three layers. The first one is an interface with the environment that is in charge of input reception and output production. It transforms external physical events into internal logical ones and conversely. The second one is a reactive subsystem that contains the logical and temporal control of the system. It handles the logical inputs and decides, with respect to the current time, what outputs and what actions must be generated in reacting to the environment. The last one is a set of transformational tasks that perform classical computations requested by the reactive subsystem. From this point of view, the reactive part is one of the most critical, and needs particular attention.

Temporal and Logical Safety: by construction, the reactive part of a real-time system contains the temporal and logical control of the whole application, and then requires (a) logical properties, i.e. respect of the input/output specification, and (b) temporal properties, i.e. respect of the timing constraints. In this sense, the development of techniques that could help to design such reactive systems, and to prove their logical and temporal correctness, is one of the most relevant aims of real-time programming.

Concurrency: from an architectural point of view, the reactive part of a real-time system is generally composed of concurrent communicating subunits, either for geographical requirements, or for safety and fault tolerance criteria. This requires means of expressing concurrency within specification and programming languages, and also within their execution model.

Determinism: the behaviour of a critical real-time application must be as predictable as possible. It means that the behaviour of its reactive part must be reproducible, and then deterministic. Purely sequential systems are obviously deterministic. However, determinism does not mean sequentiality. On the contrary, as noted above, reactivity often means concurrency. This requires a deterministic semantics of communication and concurrency within programming languages, and also within their execution model.

The literature on real-time systems is unanimous in recognizing the difficulty of specifying complex and critical reactive systems. Transformational description techniques are not available for reactive systems. One needs more particular specification languages, tools and methods. Several asynchronous solutions have been proposed to this problem: Petri Nets, CSP (C.A.R. Hoare), CCS (R. Milner)... But, due to the asynchronous concurrency semantics generally based on an interleaving principle, most of these solutions are non-deterministic. The time at which outputs are delivered is not predictable. Reactivity and response time cannot be guaranteed. Another approach involves strong synchronous languages: Esterel [4], Statecharts [7]... They consider ideal reactive systems that produce outputs synchronously with inputs, their reactions taking no observable time. This approach is interesting in the sense that it tackles real-time and reactive programming in a formal and deterministic way. Nevertheless, to take no time has to be understood in the sense that the environment remains invariant during reactions and communications. Such a hypothesis provides a powerful manner to produce centralized reactive processes. But it is rather more unrealistic in the area of distributed applications, where by definition communication time cannot be neglected. However, as noted above, on the one hand, real-time often means parallel or distributed programming. On the other hand, real-time requires predictable behaviours and then deterministic programming languages. In this

sense, both strong synchronism and asynchronism are not adequate answers for real-time programming. We explore in this article a third approach to reactive and real-time programming: weak synchronism. We consider reactive systems (a) that have an internal clock, (b) that react exactly at each "tick" of the clock, and (c) that produce outputs exactly one time unit after inputs, their reactions taking exactly one time unit. This approach is interesting in that it provides another synchronous programming style, between pure synchronous and asynchronous languages. It provides a formal specification technique for critical reactive systems, avoiding the non-determinism difficulties met within the asynchronous approach, and permitting distributed implementation, conversely to the strong synchronous one. We illustrate the weak synchronous paradigm by defining a small language, CoReA, for programming communicating and distributed reactive automata. In giving the semantics of CoReA, we show how a distributed reactive network may be designed, formally and deterministically, by a strong and weak synchronous coupling.

This paper is organized as follows. Section 2 presents a brief state of the art of reactive programming techniques. We discuss the advantages and the drawbacks of several asynchronous solutions, the strong one, and a more recent approach proposed by G. Berry in [5], coupling Esterel and CSP. Section 3 is devoted to an informal presentation of the weak synchronous paradigm. Section 4 defines the CoReA language, first informally, and then by defining its abstract syntax and its operational semantics. We present in the following section the strong-weak synchronous paradigm as a generalization of CoReA, and discuss the relevance of this approach.

2. Reactive Programming: Related Work

Asynchronous Approaches

Several "asynchronous" solutions have been proposed to the problem of reactive programming:

Deterministic automata are often used to program relatively small reactive kernels. They are mathematically well known, and allow non-trivial correctness proofs by automatic tools (such as model checkers or bisimulation tools). However, the human design and maintenance of automata turns out to be very difficult. Furthermore, automata are purely sequential and do not support concurrency and hierarchy.

Petri Nets or Petri-Net based formalisms (such as GRAFCET) are widely used in the area of programmable controllers. They support concurrency. However, they are often characterized by a non-deterministic semantics of concurrency, and lack modular structure. They do not scale up well to big systems.

Concurrent programming languages such as Ada or Occam are more elaborate. They permit hierarchical, modular and concurrent program developments. However, because of the asynchronous nature of task units, they are essentially asynchronous and non-deterministic. Although a communication is seen as a synchronization between two processes, the time taken between the possibility of communication and its actual achievement can be arbitrary. Furthermore, when several communications can take place, their actual order is also arbitrary. Then the semantics of the time-handling primitives of these languages is non-deterministic and somewhat vague. Execution times are unpredictable, implying difficulties in proving correctness properties.

More generally, asynchronous techniques force the user to choose between determinism and concurrency, for they base concurrency on asynchronous implementation models where processes non-deterministically compete for computing resources. This leads to the problem of the temporal interpretation of programs. Temporal primitives such as watchdogs (e.g. "do a task in less than 3 seconds") have only tentative meanings, for nothing forces them to be accurately executed. In this sense, temporal correctness cannot be rigorously proved, and reactivity cannot be guaranteed.

The Strong Synchronous Approach

In order to avoid the previously mentioned problems, a more recent approach called "strong synchronism" has been proposed by D. Harel and G. Berry in Statecharts [7] and Esterel [4] respectively. This approach is based on the strong synchronous hypothesis [3]: each reaction of a reactive system is assumed to be instantaneous, i.e. takes no time. Such ideal reactive systems produce outputs synchronously with their inputs, their reactions taking no observable time. To "take no time" has to be understood in two ways. First, a reaction takes no time with respect to the external environment, i.e. the environment remains invariant during the reaction. Second, each subprocess also takes no time with respect to any other subprocess; all subprocesses react instantly at the same time. Then, inter-process communication is performed by instant broadcasting, and all subprocesses share the same environment. This provides a deterministic semantics of concurrency, and a formal, straightforward interpretation of temporal statements. The watchdog "await 10 SECOND" lasts exactly 10 seconds. In the same way, a sequence of two processes "P1; P2" means that P2 begins exactly when P1 ends. Thus, the statement "await 10 METER; P1" (written in the Esterel style) means that the subprocess P1 starts exactly when the 10th occurrence of event "METER" arrives. However, in order to guarantee the strong synchronous hypothesis as much as possible, synchronous programs are compiled into deterministic sequential automata. This yields excellent run-time efficiency and predictability. Performance is often as good as that of carefully hand-written code. Nevertheless, such results are not available in the area of distributed reactive programming. The reactive systems we are interested in are potentially loosely coupled and then cannot be implemented by a single sequential automaton.

Asynchronous-Synchronous Coupling: Esterel+CSP

A third approach based on a coupling between the two approaches above has been proposed recently by G. Berry [5]. The general idea is to describe a distributed reactive system as a network of communicating reactive kernels. Each kernel is a strong synchronous program (Esterel), while communication rules between kernels follow the CSP style, i.e. are based on the "one to one" rendezvous paradigm. Nevertheless, because of the asynchronous semantics of communication and concurrency in CSP, the Esterel+CSP approach again yields a non-deterministic semantics, and then non-predictable temporal behaviours for the whole system.

We propose in this article another approach to reactive programming, the weak synchronous paradigm, between asynchronism and strong synchronism, and preserving two of the most important features of these two latter: determinism and concurrency. We then show, like Esterel+CSP, that a distributed reactive system can be described as a network of strong synchronous communicating reactive kernels, but unlike it, with communication between kernels based on the weak synchronous paradigm, yielding predictability. The next parts are devoted to the description of the weak synchronous paradigm.

3. The Weak Synchronous Paradigm

The idea of weak synchronism was initially proposed by R. Milner in his synchronous calculus SCCS [9], and more recently by Clarke et al. in the area of hardware controllers and digital circuits [6]. In this article we adapt this approach to real-time distributed programming. The main idea we develop is, as in the strong synchronous one, to control physical time by controlling communication and execution time. But, contrary to the strong one, we assume in our model that reactions take exactly a constant, strictly positive duration. In other words, inputs and outputs are separated by one constant time unit. For instance, execution at time t of the broadcast statement "emit E" performs exactly at time t + 1 an occurrence of event E. Consequently, we consider weak reactive systems (a) that have an explicit notion of time, i.e. an internal clock, (b) that react exactly at each "tick" of the clock, and (c) that broadcast outputs exactly one time unit after receiving inputs. At a clock transition, the system examines its input signals and computes accordingly its new internal state and the outputs that it will perform at the next tick. In that sense, the system operates exactly like an abstract machine in which the next state is computed instantaneously and in which changing state and broadcasting outputs require waiting for the next clock tick.

As with the strong synchronous hypothesis, weak synchronism provides a deterministic semantics of concurrency. By definition, parallel subprocesses of a reactive system share the same internal clock. They react simultaneously at each clock transition and perform at the next tick a global internal state and a global output by adding the results of their respective reactions.

4. Weak Synchronous Communicating Reactive Automata

We define formally a small calculus, called CoReA, for programming communicating reactive automata, extending the classical formalism of finite state machines in two directions: concurrency, and communication by broadcast. CoReA is a weak synchronous subset of Statecharts, a concurrent event-driven language proposed by D. Harel in [7].

Informal Ideas

At the highest level, a CoReA program is seen as a parallel composition of sequential automata. The specification of evolutions is described by transitions between the states of each automaton. A transition is labelled by a guard, and by an action which is executed just after the transition has been taken. A transition is taken if and only if its guard holds and its original state is occupied. Its action is then executed, its original state is left, and its goal state is reached. Let us consider, for example, the specification of a process controlling a simple level crossing system described in figure 1. An event train is emitted whenever the train enters

[Figure 1. Level crossing. Transition labels visible in the figure: train/down, train/up, down, down_ack, up, up_ack, sec, sec/alarm.]

or exits the level crossing area. The system then sends commands to the barriers, and waits for acknowledgments. Such a process could be seen as a parallel composition of two automata. The first one describes the module listening to events train, and sending commands to barriers. The second one describes the module checking that the barriers obey the first automaton. It listens to commands sent to barriers, and waits for acknowledgments. Whenever acknowledgments do not come back on time (at most two seconds after up or down), alarm messages are broadcast, warning that barriers are possibly in the wrong position.

By definition, weak reactive systems are assumed to have an internal clock. Input events and output events are separated by one internal time unit. They react at each internal clock tick to all the external changes occurring during the one time unit elapsed since the last tick, and to events generated by the system itself during the last reaction. Assuming this general semantics, we present informally the semantics of the elements of the language.

Transition. Transitions of each automaton are labelled by guards and actions. A guard is a logic formula composed of events, using conjunction, disjunction and negation. Events are emitted by the environment or by the system itself. They are seen at each internal clock tick. A transition labelled with "a ∧ b" (resp. "a ∨ b") is taken whenever a and b (resp. a or b) occur at the same tick. A transition labelled with "¬a" can be taken whenever a does not occur. An action is a set of events broadcast simultaneously to the environment and to the other automata one time unit after taking the transition. For instance, suppose that an event train is emitted at t = 0 (i.e. a train is entering the level crossing area); the first automaton reacts by taking the first transition and by broadcasting at t = 1 the event down to the second automaton and to the external environment. Then at t = 1 the second automaton reacts by taking its first transition and by waiting at t = 2 for events sec or down_ack.

Parallel Decomposition. Parallel automata are executed synchronously. At each tick, all automata that can take a transition do it simultaneously. Events emitted by a transition taken at t are broadcast to all other automata and to the environment at t + 1. Furthermore, for conciseness, we suppose in this article that each event emitted by transitions or by the environment is seen everywhere. Events are considered as output and input towards the whole system and its environment.

Abstract Syntax

A program P is a parallel composition of sequential automata A, defined classically a la CCS by:

$$P ::= A \mid A \parallel P$$

$$A ::= \mathit{nil} \mid X \mid g/O\ A \mid A + A \mid \mathit{fix}(X = A) \quad \text{s.t. } A \neq X,\ A \neq X + A' \text{ and } X \text{ free in } A$$

where nil denotes an automaton which does nothing; + is the CCS non-deterministic fork operator; X is a variable for recursive definition belonging to a variable alphabet. The term g/O A denotes an automaton composed of one initial state and a transition leaving this state, labelled by g/O and leading to the new automaton A. The term fix(X = P) stands for a program that behaves like P until the state variable X is reached, and then behaves like fix(X = P) again. Let E be a finite alphabet of events. Labels of transitions are composed of a crossing guard g, and a set O ⊆ E of events broadcast one time unit after taking the transition. Crossing guards g are formulas of an event calculus. g is either (a) the constant event tick which is always present, or (b) an event of E, or (c) a logical composition of guards (2):

$$g ::= \mathit{tick} \mid \text{an event of } E \mid g \wedge g \mid \neg g \qquad O \subseteq E$$

For example, the process controlling the level crossing described in figure 1 can be written in CoReA by:

$$P = \mathit{fix}(X = \mathit{train}/\{\mathit{down}\}\ \mathit{train}/\{\mathit{up}\}\ X) \parallel \mathit{fix}(X = \mathit{down}/\emptyset\ ((\mathit{sec}/\emptyset\ ((\mathit{down\_ack}/\emptyset\ A) + (\mathit{sec}/\{\mathit{alarm}\}\ A))) + (\mathit{down\_ack}/\emptyset\ A)))$$

with

$$A = \mathit{up}/\emptyset\ ((\mathit{sec}/\emptyset\ ((\mathit{up\_ack}/\emptyset\ X) + (\mathit{sec}/\{\mathit{alarm}\}\ X))) + (\mathit{up\_ack}/\emptyset\ X))$$

(2) For conciseness, we take the logical operators ¬ and ∧ as primitive. The others can be introduced as abbreviations in the usual way.
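To make the one-tick broadcast semantics concrete, here is an added Python simulator (it is not part of the paper and not CoReA tooling) that runs the level-crossing program P above on constructed sequences of external events. The state names, the deterministic resolution of + (first enabled branch in listed order) and the two scenarios are our assumptions.

```python
"""Weak synchronous simulation of CoReA automata (added example, not the paper's code).

Each automaton reacts at every tick to its environment: the external events of
that tick plus the events broadcast by the previous reaction.  The outputs O of
a transition taken at tick t are seen by everybody at t+1.  The CCS '+' is
resolved deterministically here by taking the first enabled branch in listed
order (an assumption; the paper leaves '+' non-deterministic).
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set

Env = FrozenSet[str]           # the set of input events seen at one tick
Guard = Callable[[Env], bool]  # a crossing guard g, evaluated over an environment


# Guard constructors: tick, an event, conjunction and negation (the paper's primitives).
def tick() -> Guard:
    return lambda env: True

def ev(e: str) -> Guard:
    return lambda env: e in env

def conj(g1: Guard, g2: Guard) -> Guard:
    return lambda env: g1(env) and g2(env)

def neg(g: Guard) -> Guard:
    return lambda env: not g(env)


@dataclass(frozen=True)
class Transition:
    guard: Guard
    outputs: FrozenSet[str]  # O: events broadcast one tick after the transition
    target: str              # the state (continuation automaton) reached


class Automaton:
    """A sequential automaton: named states, each with an ordered transition list."""

    def __init__(self, states: Dict[str, List[Transition]], initial: str):
        self.states, self.state = states, initial

    def react(self, env: Env) -> FrozenSet[str]:
        """One reaction A -O-> A': take the first enabled transition and return O.
        If no guard holds, A does not react: the state is kept and nothing is emitted."""
        for t in self.states[self.state]:
            if t.guard(env):
                self.state = t.target
                return t.outputs
        return frozenset()


def run(automata: List[Automaton], external: List[Set[str]]) -> List[Env]:
    """The relation ==>: at each tick all automata react simultaneously and the
    union of their outputs joins the external events of the next tick.
    Returns the environment (the events present) observed at each tick."""
    observed: List[Env] = []
    pending: FrozenSet[str] = frozenset()  # outputs of tick t, visible at t+1
    for ext in external:
        env = frozenset(ext) | pending
        observed.append(env)
        pending = frozenset().union(*(a.react(env) for a in automata))
    return observed


def level_crossing() -> List[Automaton]:
    """The two automata of figure 1, transcribed from the CoReA program P.
    The acknowledgment branch is listed first in each '+', so an ack arriving
    together with a 'sec' counts as received (our resolution of '+')."""
    none, alarm = frozenset(), frozenset({"alarm"})
    controller = Automaton({
        "open":   [Transition(ev("train"), frozenset({"down"}), "closed")],
        "closed": [Transition(ev("train"), frozenset({"up"}), "open")],
    }, "open")
    monitor = Automaton({
        "X":           [Transition(ev("down"), none, "wait_down")],
        "wait_down":   [Transition(ev("down_ack"), none, "A"),
                        Transition(ev("sec"), none, "wait_down_2")],
        "wait_down_2": [Transition(ev("down_ack"), none, "A"),
                        Transition(ev("sec"), alarm, "A")],
        "A":           [Transition(ev("up"), none, "wait_up")],
        "wait_up":     [Transition(ev("up_ack"), none, "X"),
                        Transition(ev("sec"), none, "wait_up_2")],
        "wait_up_2":   [Transition(ev("up_ack"), none, "X"),
                        Transition(ev("sec"), alarm, "X")],
    }, "X")
    return [controller, monitor]


def simulate(external: List[Set[str]]) -> List[Env]:
    """Run the level-crossing program on a constructed sequence of external events."""
    return run(level_crossing(), external)


def first_alarm_tick(observed: List[Env]) -> int:
    """Tick at which 'alarm' is first seen, or -1 if the barriers obeyed in time."""
    for t, env in enumerate(observed):
        if "alarm" in env:
            return t
    return -1


# Constructed scenarios.  A train enters at t = 0, so 'down' is broadcast at t = 1
# and the monitor starts waiting at t = 2, as in the paper's walk-through.
ON_TIME = [{"train"}, set(), {"down_ack"}, set(), set()]   # ack within two seconds
LATE = [{"train"}, set(), {"sec"}, {"sec"}, set(), set()]   # two seconds, no ack

if __name__ == "__main__":
    for name, scenario in (("on time", ON_TIME), ("late", LATE)):
        obs = simulate(scenario)
        print(name, [sorted(e) for e in obs], "alarm at tick:", first_alarm_tick(obs))
```

In the late scenario the alarm is emitted by the reaction at t = 3 and therefore observed at t = 4, one tick later, which is exactly the delay the weak synchronous hypothesis prescribes.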

A reactive system is composed of two communicating agents: a reactive program and an environment. As defined above, programs are composed of parallel communicating automata broadcasting at each tick events to the other automata. Then at each tick, each automaton A_i reacts to its own input events. We call this set of input events the environment of A_i.

Definition 4.1. At each tick t, to each automaton A is associated a set ⊆ E, called the environment of A at t; an event belonging (∈) to this set is an input event of A at t.

Definition 4.2. Let P = A_1 ∥ … ∥ A_n be a CoReA program; we define an n-environment of P as a term $Env = ({}_1 \mid \dots \mid {}_n)$ composed of n subsets of E. For i = 1, …, n, the i-th component is the input environment of A_i. Then we define a reactive process as a term (Env P) standing for program P reacting to an n-environment Env.

Operational Semantics

We define below the operational semantics of CoReA by a set of Plotkin rewrite rules (3).

Guards. A guard is a logical composition of events. The truth of a guard g depends on the set of input events. We write ⊨ g to mean that the guard g is valid over the environment. We define ⊨ inductively on the structure of guards:

$$\models \mathit{tick}$$
$$\models \text{an event} \quad \text{iff the event belongs } (\in) \text{ to the environment}$$
$$\models g_1 \wedge g_2 \quad \text{iff} \quad \models g_1 \text{ and } \models g_2$$
$$\models \neg g \quad \text{iff it is not the case that} \models g$$

Sequential Automata. In giving meaning to our language, we first define the semantics of sequential automata A. In the following, we write $A \xrightarrow{O} A'$ to mean that an automaton A reacts to a set of input events by broadcasting a set of output events O, and then becomes a new automaton A'. We then write $A \not\rightarrow$ to mean that A does not react. This relation characterizes the semantics of automata. It is defined below inductively on the syntactical structure of automata.

Transition. A transition is taken iff its guard is valid over the set of input events. The automaton g/O A then becomes automaton A and output events O are broadcast:

$$\frac{\models g}{g/O\ A \xrightarrow{O} A} \qquad (1)$$

(3) One writes $\frac{H_1 \dots H_n}{C}$ to mean that $H_1 \wedge \dots \wedge H_n \Rightarrow C$.

Fork. For conciseness and in order to be as simple as possible we define + by the CCS non-deterministic semantics (4):

$$\frac{A_1 \xrightarrow{O} A_1'}{A_1 + A_2 \xrightarrow{O} A_1'} \qquad (2) \qquad\qquad \frac{A_2 \xrightarrow{O} A_2'}{A_1 + A_2 \xrightarrow{O} A_2'} \qquad (3)$$

Recursion. The automaton fix(X = A) reacts as A in which X is substituted by fix(X = A):

$$\frac{A\{\mathit{fix}(X = A)/X\} \xrightarrow{O} A'}{\mathit{fix}(X = A) \xrightarrow{O} A'} \qquad (4)$$

Communicating Reactive Automata. According to the weak synchronous paradigm, weak reactive systems react synchronously with a global clock. The operational semantics of the whole of CoReA is defined by a relation ⇒. We write $(Env\ P) \overset{O}{\Longrightarrow} (Env'\ P')$ to mean that the reactive process (Env P) becomes at the next tick the reactive process (Env' P'), and broadcasts at the next tick output events O. Conversely to the relation →, which describes the instantaneous reaction of sequential automata to input events, the relation ⇒ characterizes the dynamic evolution of a reactive system when time is running. Then, for each reactive process (Env P), there is always at least one reactive process (Env' P') such that $(Env\ P) \overset{O}{\Longrightarrow} (Env'\ P')$; time cannot stop. The relation ⇒ is defined by the following rules.

Single Automaton. A reactive process composed of only one sequential automaton A reacts as the latter. If A reacts to a set of input events by becoming A', then ( A) becomes at the next tick ( ' A'), where ' is a set of input events broadcast by the external world:

$$\frac{\forall\ {}' \subseteq E,\quad A \xrightarrow{O} A'}{(\ \ A) \overset{O}{\Longrightarrow} ({}'\ A')} \qquad (5)$$

$$\frac{\forall\ {}' \subseteq E,\quad A \not\rightarrow}{(\ \ A) \overset{\emptyset}{\Longrightarrow} ({}'\ A)} \qquad (6)$$

(4) We have claimed in previous sections that reactive systems must be as deterministic as possible. However, note that this non-determinism will disappear when considering deterministic strong synchronous programs instead of pure CoReA sequential automata (cf. next section).

Weak Synchronous Concurrency. Let P = (A_1 ∥ … ∥ A_n) be a CoReA program composed of n communicating sequential automata. Let $Env = ({}_1 \mid \dots \mid {}_n)$ be an environment of P. At each tick, all automata react simultaneously to their own environment, broadcast output events to the other automata and to the external world, and share at the next tick the same input events ' emitted by the external world. Concurrency is deterministic, and communications between automata are simultaneous and take one time unit:

$$\frac{({}_1\ A_1) \overset{O_1}{\Longrightarrow} ({}'\ A_1') \quad \dots \quad ({}_n\ A_n) \overset{O_n}{\Longrightarrow} ({}'\ A_n')}{(({}_1 \mid \dots \mid {}_n)\ (A_1 \parallel \dots \parallel A_n)) \overset{\bigcup_i O_i}{\Longrightarrow} (({}' \cup \bigcup_{i \neq 1} O_i \mid \dots \mid {}' \cup \bigcup_{i \neq n} O_i)\ (A_1' \parallel \dots \parallel A_n'))} \qquad (7)$$

We can then define the whole behaviour of a program P = (A_1 ∥ … ∥ A_n) by a labelled transition system $[[P]]_W \overset{def}{=} (P_n, 2^E, p_0, \Longrightarrow)$ where $P_n$ is the set of reactive processes composed of n sequential automata, $2^E$ the powerset of E, ⇒ the relation defined above and $p_0$ the initial process:

$$P_n \overset{def}{=} \{ (({}'_1 \mid \dots \mid {}'_n)\ (A_1' \parallel \dots \parallel A_n')) \text{ s.t. } {}'_i \subseteq E \text{ and } A_i' \text{ sequential automata} \}$$

$$p_0 \overset{def}{=} ((\emptyset \mid \dots \mid \emptyset)\ (A_1 \parallel \dots \parallel A_n))$$

E being finite, $[[P]]_W$ is a finite labelled transition system, and characterizes the whole semantics of CoReA.

5. Extension to a strong-weak synchronous coupling

As noted in section 2, the human design and maintenance of sequential and flat automata, such as CoReA sequential automata, turns out to be very difficult. We therefore propose in this section to improve both weak and strong synchronism by defining a more relevant paradigm: strong-weak synchronism. CoReA is extended by considering strong synchronous programs (Esterel, Lustre...) instead of sequential automata.

According to this extension, a reactive system R is seen as a parallel composition of strong synchronous modules:

$$R ::= \mathit{Strong\_Synch\_Module} \mid \mathit{Strong\_Synch\_Module} \parallel R$$

where Strong Synch Modules (SSMs) are strong synchronous programs. Furthermore, by construction a compiler of a strong synchronous language is a function which transforms programs into finite deterministic sequential automata (see [3]). Let $[[\cdot]]_S$ be this function:

$$[[\cdot]]_S : \mathit{Strong\_Synch\_Module} \to \text{CoReA sequential automata}$$

Consequently, reactive systems can be transformed into CoReA programs by the function $[[\cdot]]_S$ extended to concurrent systems:

$$[[SSM_1 \parallel \dots \parallel SSM_n]]_S \overset{def}{=} [[SSM_1]]_S \parallel \dots \parallel [[SSM_n]]_S$$

According to the CoReA operational semantics, we then define the semantics of strong-weak synchronous programs by the function $[[\cdot]]_{SW}$ defined by:

$$[[R]]_{SW} \overset{def}{=} [[\,[[R]]_S\,]]_W$$

Strong synchronous programs being deterministic, the strong-weak synchronous coupling provides a deterministic semantics of concurrent and communicating reactive systems.

The last problem is to show that such a semantics allows physical distribution. Let R be a reactive process composed of n communicating strong synchronous modules, and let N be a network composed of at least n communicating processors. Then, a way of implementing R on N could be: (a) to transform each strong synchronous module into a sequential automaton, and (b) to implement exactly one automaton on one processor. Each strong synchronous module is centralized on one single processor, and logical concurrency between strong synchronous modules is implemented by physical concurrency between processors. The problem is then to execute and to synchronize each processor according to the weak synchronous paradigm. Assuming that the real communication time from one processor to another is bounded, we define in [1] an execution model of CoReA preserving the weak synchronous paradigm. The principles of this execution model are (a) to schedule reactions of processors and the related communications such that they take minimal time, (b) to build a virtual clock such that reactions plus communications take less than one time unit of this clock, and (c) to synchronize processors with this clock. Then, such an execution model guarantees that each strong synchronous module reacts at each tick and communicates with the other modules before the next tick. We do not develop this point in this article. Please refer to [1] for more explanations.

6. Conclusion and Future Trends

The starting point of the work presented in this paper is based upon the synchronous thesis: reactive systems play an important role in real-time programming. They differ strongly from transformational systems and require different approaches to their specification. Furthermore, an essential element in the specification or the programming of reactive systems is the need for clear, rigorous and formal behavioural description. These are the basic theses of the reactive theory developed by D. Harel and G. Berry. However, this reactive theory is essentially based on the strong synchronous paradigm. Adequate for centralized systems, strong synchronism is not relevant in the context of distributed systems, where by definition communication time cannot be neglected. Then firstly we have proposed in this article a new paradigm, weak synchronism, for distributed reactive programming yielding both determinism and distribution capabilities. Secondly we have shown that this paradigm can be easily extended to a strong-weak synchronous coupling, yielding determinism, distribution capabilities, and also all the advantages of strong synchronous languages (modularity, abstraction, ...).

Future intelligent real-time systems will be large and complex, and will include monitoring and time-bounded decision making capabilities. One of the most important aspects of such systems is predictability, and then determinism. We have developed in [1] a modular and hierarchical language, called SATURNE (Synchronous Any-Time coupling for Real-time reasoning design), allowing the expression of intelligent real-time applications in terms of a distributed reactive network of strong synchronous modules written in Esterel, and a set of any-time transformational tasks (i.e. tasks assumed to return an answer for any allocation of computation time [2]). The semantics of the reactive network is based formally on the strong-weak synchronous coupling defined in this article. The next work to be planned is to extend formally this strong-weak synchronous paradigm to a more general paradigm for real-time:

Real-Time = Strong-Weak Synchronism + Any-Time Programming

The main problem will then be to define concurrency and communication between the synchronous and any-time parts while preserving predictability and distribution capabilities.

REFERENCES

1. M. Adelantado, F. Boniol, M. Cubero-Castan, N. Hifdi, B. Lecussan, V. David, and R. Porche. Projet SATURNE : Modele de Programmation et Modele d'execution pour un Systeme Temps-Reel d'aide a la Decision. Technical Report 1/ /DER, CERT-ONERA Departement d'Informatique, Toulouse, January.
2. M. Adelantado, F. Boniol, V. David, B. Lecussan, and R. Porche. Predictability in Distributed Intelligent Real-Time Systems. In First IEEE Workshop on Parallel and Distributed Real-Time Systems, Newport Beach, California, April.
3. A. Benveniste and G. Berry. The Synchronous Approach to Reactive and Real-Time Systems. Proceedings of the IEEE, Another Look at Real-time Programming, 79(9):1270-1282, September.
4. G. Berry and G. Gonthier. The Esterel Synchronous Programming Language: Design, Semantics, Implementation. Technical Report 842, INRIA, May.
5. G. Berry, S. Ramesh, and R.K. Shyamasundar. Communicating Reactive Processes. In Proc. of the 20th Annual Symp. on Principles of Programming Languages.
6. E.M. Clarke, D.E. Long, and K.L. McMillan. A Language for Compositional Specification and Verification of Finite State Hardware Controllers. Proceedings of the IEEE, Another Look at Real-time Programming, 79(9), September.
7. D. Harel. Statecharts: a Visual Formalism for Complex Systems. Science of Computer Programming, 8(3):231-275.
8. D. Harel and A. Pnueli. On the Development of Reactive Systems. In Logic and Models of Concurrent Systems. Proc. NATO Advanced Study Institute on Logics and Models for Verification and Specification of Concurrent Systems (NATO ASI Series F vol. 13).
9. R. Milner. Calculi for Synchrony and Asynchrony. Theoretical Computer Science, 25(3).

Introduction. Pedro Cabalar. Department of Computer Science University of Corunna, SPAIN 2013/2014 Introduction Pedro Cabalar Department of Computer Science University of Corunna, SPAIN cabalar@udc.es 2013/2014 P. Cabalar ( Department Introduction of Computer Science University of Corunna, SPAIN2013/2014

More information

Modeling Synchronous Systems in BIP

Modeling Synchronous Systems in BIP Unité Mixte de Recherche 5104 CNRS - INPG - UJF Centre Equation 2, avenue de VIGNATE F-38610 GIERES tel : +33 456 52 03 40 fax : +33 456 52 03 50 http://www-verimag.imag.fr Modeling Synchronous Systems

More information

Failure Diagnosis of Discrete Event Systems With Linear-Time Temporal Logic Specifications

Failure Diagnosis of Discrete Event Systems With Linear-Time Temporal Logic Specifications Failure Diagnosis of Discrete Event Systems With Linear-Time Temporal Logic Specifications Shengbing Jiang and Ratnesh Kumar Abstract The paper studies failure diagnosis of discrete event systems with

More information

Shared Memory vs Message Passing

Shared Memory vs Message Passing Shared Memory vs Message Passing Carole Delporte-Gallet Hugues Fauconnier Rachid Guerraoui Revised: 15 February 2004 Abstract This paper determines the computational strength of the shared memory abstraction

More information

A Simulation Condition for Correct Asynchronous Implementation of Synchronous Design

A Simulation Condition for Correct Asynchronous Implementation of Synchronous Design A Simulation Condition for Correct Asynchronous Implementation of Synchronous Design S. Xu, R. Kumar, S. Jiang, and S. Ramesh Abstract We study the problem of desynchronization, i.e., semantics-preserving

More information

Proving Inter-Program Properties

Proving Inter-Program Properties Unité Mixte de Recherche 5104 CNRS - INPG - UJF Centre Equation 2, avenue de VIGNATE F-38610 GIERES tel : +33 456 52 03 40 fax : +33 456 52 03 50 http://www-verimag.imag.fr Proving Inter-Program Properties

More information

system perform its tasks (performance testing), how does the system react if its environment does not behave as expected (robustness testing), and how

system perform its tasks (performance testing), how does the system react if its environment does not behave as expected (robustness testing), and how Test Generation with Inputs, Outputs, and Repetitive Quiescence Jan Tretmans Tele-Informatics and Open Systems Group Department of Computer Science University of Twente P.O. Box 17, NL-7500 AE Enschede

More information

Formal Models of Timed Musical Processes Doctoral Defense

Formal Models of Timed Musical Processes Doctoral Defense Formal Models of Timed Musical Processes Doctoral Defense Gerardo M. Sarria M. Advisor: Camilo Rueda Co-Advisor: Juan Francisco Diaz Universidad del Valle AVISPA Research Group September 22, 2008 Motivation

More information

A Multi-Periodic Synchronous Data-Flow Language

A Multi-Periodic Synchronous Data-Flow Language Julien Forget 1 Frédéric Boniol 1 David Lesens 2 Claire Pagetti 1 firstname.lastname@onera.fr 1 ONERA - Toulouse, FRANCE 2 EADS Astrium Space Transportation - Les Mureaux, FRANCE November 19, 2008 1 /

More information

On Reducing Linearizability to State Reachability 1

On Reducing Linearizability to State Reachability 1 On Reducing Linearizability to State Reachability 1 Ahmed Bouajjani a, Michael Emmi b, Constantin Enea a, Jad Hamza a a LIAFA, Université Paris Diderot b IMDEA Software Institute, Spain Abstract Ecient

More information