Scheduling of Time-Triggered Real-Time Systems

Constraints, 5, 335–357 (2000)c© 2000 Kluwer Academic Publishers, Boston. Manufactured in The Netherlands.

Scheduling of Time-Triggered Real-Time Systems

KLAUS SCHILD [email protected] AG, Research and Technology, Alt-Moabit 96a, D-10559 Berlin, Germany

JORG WURTZ [email protected] Germany, Postfach 1380, D-71003 Boblingen, Germany

Abstract. This paper introduces a new class of applications for constraint programming. This new type ofapplication originates out of a special class of real-time systems, enjoying increasing popularity in areas such asautomotive electronics and aerospace industry. Real-time systems of this kind are time triggered in the sense thattheir overall behavior is globally controlled by a recurring clock tick. Being able to compute an appropriate pre-runtime schedule automatically is the major challenge for such an architecture. What makes this specific off-linescheduling problem somewhat untypical is that a potentially indefinite, periodic processing has to be mapped ontoa single time window. In this article we will show how this problem can be solved by constraint programming andwe will describe which techniques from traditional scheduling and real-time computing led to success and whichfailed when confronted with a large-scale application of this type. The techniques that proved to be the mostsuccessful were special global constraints and an elaborate search heuristics from Operations Research. Also forfinding a valid schedule mere serialization is shown to be sufficient. The actual implementation was done in theconcurrent constraint programming language Oz.

Keywords: real-time systems, off-line scheduling, global constraints, Oz

1. Introduction

Today there is a growing number of distributed real-time applications whose processing,along with their attendant communications, must obey a strictly regular pattern. For thistype of application, a particular class of architectures has been devised, known as the so-calledtime-triggered architecture[15]. The termtime triggeredrefers to the fact that theoverall behavior of the system is controlled by a recurring clock tick, the only event withinthe system which can trigger an action. Time-triggered architectures especially fit the needsof safety-critical applications. This special type of architecture proved to be successful insuch diverse areas as automotive electronics and aerospace industry.

Being able to compute an appropriate pre-runtime schedule automatically is the majorchallenge for time-triggered architectures. What makes this specific off-line schedulingproblem somewhat untypical is that a potentially indefinite, periodic processing has to bemapped onto a single time window. This time window determines the overall behavior of thesystem. For example, let us consider a thermostat processT10 transmitting at a frequencyof 10Hz the current temperature to a controllerC10 of a device; then, let this controllerrespond with exactly the same frequency reporting potential malfunctioning. This willclearly induce a cyclic dependency. If two application processes are allocated to differentprocessors, then the only way for them to communicate with each other is a common databus. All inter-processor messages must therefore be broadcast through this data bus. Afurther restriction is that this bus is not able to transmit more than one message at a time.

336 K. SCHILD AND J. WURTZ

Figure 1. A sample repetition window.

Let us furthermore assume that there is a second controller, call itC20, which gets, ata frequency of 20Hz, fresh data from another sensor calledS20. In this case, however,the communication is only one-way. We assume thatS20 andC20 are hosted by differentprocessors. In particular, letS20 reside on the same processor asT10, while C20 sharesits host withC10. The off-line scheduling problem then consists in mapping these quitedifferent communication patterns onto a single time window with no pre-emption beingallowed. When repeated indefinitely, this time window should produce the intended overallbehavior. Fig. 1 depicts a proper time window which achieves this.

There may also be relative timing constraints between processes allocated to differentresources. Constraints of this sort are calledlatencies. Fig. 1 includes such a latencybetweenS20 andC20. This latency is an admissible upper bound on the time which maypass between the start ofS20 and the termination ofC20 with the actual message passing inbetween. This is to guarantee that the relevant information processing is completed withinthe time constraint specified.

These uncommon characteristics make this off-line scheduling problem a challengingnew application domain. Only a few approaches exist to tackle similar problems. Foran overview, especially on applications in the automotive industry, see [7]. The real-timeapplications tackled by constraint techniques are usually small on-line scheduling problemsrather than off-line problems; see e.g. [25].

To the authors’ knowledge, however, it is the first time that constraint techniques are ap-plied to a time-triggered architecture. We modeled the relevant off-line scheduling problemwith the help of the constraint programming language Oz, developed at the DFKI [23],[21], [27]. The actual problem that we solved was part of a large-scale application ofDaimler-Benz AG. It involves a finite domain of 6 million different starting times, over3,500 processes and messages, and more than one million constraints created during thesolution search.

The main contributions of this paper are as follows. We will compare different techniquesused in solving traditional scheduling problems and real-time applications and show for thepresent case which techniques lead to success and which fail. In particular, we will considerspecial global constraints implemented as single computational agents that constrain up

TIME-TRIGGERED REAL-TIME SYSTEMS 337

to more than a thousand variables simultaneously. These global constraints significantlyreduce the number of constraints that are active at a given time. Search strategies comingfrom traditional real-time applications and Operations Research are also tested. Onlya recent strategy from Operations Research has proven to be successful in solving theactual application. Later, we will show how it is possible to establish a complete schedulejust by fixing a total ordering among all process executions and message transmissions.Furthermore, we will explain how the usual criterion of utilization (or load) is inadequatehere for a bottleneck analysis.

The paper begins with giving the details of the specific off-line scheduling problem to betackled. First we will confine ourselves to the synchronous case where all the receivers havethe same frequency as the sender. Section 3 is then specifically devoted to the asynchronouscase. The computational complexity of the problem is investigated in Section 4. Thefollowing sections describe how this problem can be solved with the help of constraintprogramming, an approach briefly introduced in Section 5. Section 6 then shows howthe scheduling problem can be captured by finite-domain constraints. The next sectiondescribes various search heuristics with which we experimented. Section 8 demonstratesthat one of these heuristics enables us to solve even large-scale industrial applications. Thepaper closes with a brief discussion of the results obtained.

2. The Scheduling Problem

This section gives a description of the scheduling problem that we solved. First we willignore the possibility of asynchronous communication. Asynchronousness refers to allthose cases where the sender’s frequency is different from that of the receiver. An in-depthtreatment of this topic can be found in the following section.

The whole problem is about off-line scheduling of a special class of multi-processorsystems with only a single data bus. For the present purpose, it suffices to treat amulti-processor systemjust as a finite number of processors—the data bus will be considered lateron. Allocated to each processor there is a finite number of differentapplication processes(or processesfor short). Each process is allocated to exactly one processor, called thehostof the process. A process can be executed by its host only. It may, of course, be executedmore than once. A particular execution of a process,P, is denoted byPi , for an indexi ≥ 1.Every such process execution has a non-negativestarting time, start(Pi ). The duration ofdifferent executions of a particular process is always the same. Thus each particular processP has a specific non-negative numberdur(P) allocated to it.dur(P) is called theexecutiontimeof P. The execution times of two processes may, of course, differ. Thecompletiontimeof an execution,Pi , is then uniquely determined by a simple calculation:

compl(Pi ) = start(Pi )+ dur(P). (1)

We thereby implicitly assume that no execution of a process may ever be pre-empted.A specific process,P, can either beperiodic or aperiodic. If it is periodic, it must be

invoked at a certain frequency. The reciprocal value of this frequency is called theperiodof P, or simplyperiod(P). A frequency of 10Hz, for instance, results in a period of exactly0.1 seconds. The distance in time between the starting points of two consecutive executions


Figure 2. The wrapping over the repetition window.

of a particular process must always agree with the period of that process. Therefore, wehave the following isochronousness condition:

start(Pi ) = start(Pi−1)+ period(P), for i ≥ 2. (2)

This condition, however, does make sense only when

period(P) ≥ dur(P). (3)

In practice, the period of a process is not only expected to be always greater than its executiontime, but it is also expected to be greater by a large degree.

We assume that the overall control of a multi-processor system is organizeda priori as afixed time window. It is exactly this time window which, when invoked indefinitely, willdeterministically control the behavior of the overall system. This time window is called therepetition window. The length of the repetition window is called thecycle time CT. Thislength should, of course, be chosen so that every periodic process fits into the repetitionwindow without running out of phase. Not only the isochronousness condition (2) has to bemetwithin the repetition window itself, but the unraveled version of the repetition windowmust obey a similar condition as well (see Fig. 2). There is a simple way to accomplishthis: just identify the cycle time with the least common multiple of all periods used. Thisis not an unusual approach to off-line scheduling of periodic processes, see e.g. [5]. Theapproach works as follows. A periodic process,P, has to be executed exactlyn = CT

period(P)times within the repetition window. Let the relevant executions beP1, . . . , Pn. If allthese executions meet the isochronousness condition (2), then the distance in time betweenstart(P1) andstart(Pn) is exactly(n−1)·period(P). But then, the distance in time betweenstart(Pn) within the current repetition window andstart(P1) within the subsequent cycle isCT− (n− 1) · period(P). This yields exactlyperiod(P) if n = CT

period(P) . This proves thatalso the unraveled version of the repetition window satisfies the isochronousness conditiononly if, within the repetition window itself, (2) holds and there is a number ofCT

period(P)

executions ofP. We henceforth denote CTperiod(P) by #P.

An aperiodic process,P, is treated as if it had a period ofperiod(P) = CT, that is,#P = 1. This means that during every invocation of the repetition window an aperiodicprocess gets the opportunity to work only once.

We require all executions of a process, whether periodic or aperiodic, to be scheduledwithin the repetition window. This is what we have implicitly assumed so far. We thusimpose the following general upper bound:

compl(Pi ) ≤ CT. (4)


If two processes share a common host, none of their executions may overlap in time.This means that two process executions may work in parallel only if they are hosted bydifferent processors. A single processor, however, does allow only sequential executions,all executions running on it must therefore be serialized in the following way:

compl(Pi ) ≤ start(Qj ) or compl(Qj ) ≤ start(Pi ) (5)

wheneverP andQ (P 6= Q) have the same host.

Note that the isochronousness condition (2) already guarantees the serialization of a singleprocess. The disjunctive constraint above, therefore, does not include the case whereP andQ are identical.

Perhaps it is worthwhile noting that this type of serialization constraint is not as harmlessas one might think. This is because the number of constraints (5) increases quadraticallyin the number of application processes.

2.1. Inter-Processor Communication

If two processes have different hosts, the only way for them to communicate with eachother is to broadcast amessagethrough a common data bus. There is only one such databus available and all processors are connected to it. Two processes sharing the same hostare able to communicate directly with each other.

Any message has exactly onesenderbut may have multiplereceivers. In each particularcase, the sender is a process just like all the receivers. If at least one of the receivershas another host than the sender, then the relevant message is aninter-processor message;otherwise it is anintra-processor message.

Associated with each messageM , there is a non-negative numberdur(M), the transfertimeof M . If M is an intra-processor message, thendur(M) is always 0.

There is a special type of inter-processor message which has neither any sender nor aparticular receiver. It is a broadcast message to adjust the local clocks of the processors,called aresynchronization message. For convenience, we assume a dummy sender and adummy receiver for this special kind of message. Both the sender and the receiver can behosted by any processor if only they are not hosted by the same processor. Their relevantexecution times are set to 0. The transfer time of this special broadcast message is very short,while its frequency—that is, the frequency of its dummy sender—is very high, typicallyabout 1.000Hz.

An actual transmission of a single message,M , is denoted byMi , for an indexi ≥ 1.Each such transmission has a particular starting time and a completion time,start(Mi ) andcompl(Mi ) for short. Similar to process executions, the completion time of a messagetransmission depends on its starting time and the relevant transfer time:

compl(Mi ) = start(Mi )+ dur(M). (6)

If S is the sender ofM , then there must be a sequence of transmissionsM1, . . . ,Mn with#S= n, no matter whether it is an inter-processor or an intra-processor message. This, ofcourse, applies to the synchronous case only. In this case, a message is always transferred


Figure 3. Postponing the receiver of a message.

at exactly the same frequency as its sender is invoked. For asynchronous communications,this is not necessarily the case. In the synchronous case, however, the frequency of themessage does always coincide with that of its sender:

start(Mi ) = start(Mi−1)+ period(S), for i ≥ 2. (7)

Any message, of course, must be transferred within the cycle time:

compl(Mi ) ≤ CT. (8)

It is not necessary for a message to be transferredimmediatelyafter the sender termi-nates; rather, a single message can be buffered as long as no fresh version of this messagearrives. However, whatisnecessary is that a message is never transferred before the relevantexecution of the sender terminated:

compl(Si ) ≤ start(Mi ). (9)

There is no similar precedence constraint between the message transmission and its actualreceiver. That is to say, ifRj is one of the actual receivers ofMi , then no constraint ofthe formcompl(Mi ) ≤ start(Rj ) is imposed. This is becauseRj may be postponed untilthe subsequent invocation of the repetition window, in which caseRj would typicallyoccur at the beginning of the repetition window. In a cyclic communication pattern thisis necessarily so. Let us look at the particular cyclic communication pattern depicted inFig. 3. Here,P sends a message toQ, which in turn sends a second message back toP. Ifthe two processes have the same frequency, then the actual receiver of the second messagecannotbe scheduled after the message transmission, at least within the current cycle of therepetition window. In this case,P would occur twice within the repetition window and,therefore, would have twice the frequency ofQ. This is why the second message will bereceived only within the subsequent cycle of the repetition window. As a matter of fact,there is no precedence relation between a message transmission and the potential receivers.They may even overlap in time, in which case theactualreceivers are again postponed untilthe subsequent repetition cycle.

What is required is that a transmission of a message must be scheduled before the nextexecution of its sender (if there is any):

compl(Mi ) ≤ start(Si+1).


However, there is no need to impose this condition explicitly. This is because it alreadyfollows from (7)–(9) along with the fact that there are always as many transmissions ofMas there are executions ofS. For, if the latter condition were violated, then the sequenceof #S transmissions ofM could no longer be scheduled isochronously within the repetitionwindow. In particular, the starting time of the very last transmission ofM would thennecessarily exceedCT, thus violating (8).

The data bus can always transfer only one message at a time. Thus all transmissionsthrough the data bus have to be serialized:

compl(Mi ) ≤ start(Nj ) or compl(Nj ) ≤ start(Mi ) (10)

(M andN (M 6= N) are inter-processor messages)

For intra-process messages, it is not necessary to explicitly rule out any mutual overlappingin time. This is because their transfer time is always 0.

2.2. Latencies

For a real-time system it is important that critical information is guaranteed to be processedwithin certain time limits. If a process sends a message to a second process, then it maybe important to guarantee that the overall information processing never exceeds a certainperiod of time. In particular, it is convenient to specify an upper bound for the admissibleperiod of time which may pass between the generation of the information by the senderand its full processing by the receiver along with the actual exchange of the information inbetween. An upper bound of this kind is called alatency. The specific value of a latencydepends not only on the message itself, but also on the particular receiver of that message.This is because the receivers might differ in their criticality as well. The particular value ofsuch a latency is henceforth denoted bylatency(M, R), whereR is one of the receivers ofM . If S is the sender of that message, we have the following relative timing constraint:

compl(Ri )− start(Si ) ≤ latency(M, R).

Fig. 4 shows a sample latency, constraining the admissible distance in time betweenstart(P1)

andcompl(Q1).Notice that this type of latency condition presupposes that thei th transmission ofM is

actually received by thei th execution ofR. This can only be guaranteed for a synchronouscommunication, for which the frequency of the sender does not differ from that of thereceiver.

The latency condition above, however, does not cover all relevant situations, even withonly the synchronous case taken into consideration. To see this, consider again Fig. 4. Notonly doesP send the messageM to Q, but Q also sendsN back toP. The actual receiverof M1 is Q1. Here, the above latency constraint works perfectly well. The actual receiverof N1 is P1. P1 does not occur afterN1 because the actual receiver ofN1 is postponed untilthe subsequent repetition cycle, a case which is not covered by the latency condition above.In this case, a proper latency condition should be thatCT − start(Q1)+ compl(P1) mustnot exceedlatency(N, Q) (see also Fig. 4). In the general case, a proper latency condition


Figure 4. Latencies.

has to take into account both cases. This works as follows. LetSbe the sender of a messageM . Then for every receiver,R, of this message, we have:

If start(Ri ) ≥ compl(Mi )

then compl(Ri )− start(Si ) ≤ latency(M, R)else CT − start(Si )+ compl(R1) ≤ latency(M, R).

(11)

Such a latency constraint is, of course, only imposed if the transferred information is critical.These are all the constraints we are considering. Now, suppose we are given a particular

multi-processor system. Thescheduling problemthen consists in finding for each singleprocess execution and message transmission a particular starting time such that the con-straints introduced above are simultaneously satisfied. In a time-triggered architecture, thetime scale is a discrete one, dictated by the recurring global clock tick. The frequency ofthe global clock coincides with that of the common data bus.

3. Asynchronous Communications

So far we have only considered synchronous communications. This restriction seems to bereasonable. Cases of asynchronous communication, that is, communications such that atleast one of the receivers of a message has a frequency different from that of the sender,might appear somewhat unusual. In our actual application, however, such cases occur ratherfrequently. So there is the question of how to deal with these cases. A common approach isto assumeundersampling, see e.g. [5]. Undersampling means that a message is always sentat the lower rate. If, for example, a process of 20Hz sends a specific message to a receiverof 10Hz, then that message is transmitted at 10Hz and not at 20Hz. This does make sense.If the message were sent at 20Hz, then for half of these messages transmitted through thedata bus there would not exist any receiver at all.

Now consider the case where it is the other way around, that is, the sender’s frequency is10Hz, while that of the receiver is 20Hz. In this case the relevant message is also only sentat 10Hz. This makes sense, too, because the only way for a sender of 10Hz to transmit a


Figure 5. Undersampling.

message at 20Hz is that a single execution transmits the message more than once. In thiscase, however, these additional messages would typically contain no fresh data, thus beingredundant.

The exact definition of what we understand by undersampling is as follows. Take anarbitrary message,M , the sender of which isS. LetR be the set of all receivers of thatmessage. Moreover, let #R be the largest number of executions of any of the receivers inR,i.e., #R = max{#R|R ∈ R}. If #M denotes the overall number of transmissions ofM to bescheduled within the repetition window, then undersampling means that #M is min{#R,#S}.For each of the receiversR ∈ R, we assume that eitherfreq(S) is a multiple offreq(R) or,vice versa,freq(R) is a multiple offreq(S).

3.1. Constraint (9) Again

Asynchronous communications do not affect the constraints given so far, with the notableexceptions of (9) and the latency constraint (11). The former states that thei th transmissionof a message,M , can not be scheduled before thei th execution ofM ’s sender terminated.It thereby implicitly presupposes that #M = #S, a situation that is not necessarily given foran asynchronous communication. A similar constraint, though, must be formulated for theasynchronous case. The only case that we have to consider is #M ≤ #S. This is because#M > #Swould only become a possibility if a single execution ofS transmitsM more thanonce; a case that we already explicitly ruled out. So let us consider the case #M ≤ #S. Atypical situation of this kind is depicted in Fig. 5. Here, #S is 2· #M . In this particular case,a proper version of (9) should include the following two statements:

(a) eithercompl(S1) ≤ start(M1) or compl(S2) ≤ start(M1),

(b) eithercompl(S3) ≤ start(M2) or compl(S4) ≤ start(M2).

This formulation leaves open whetherM1 is actually sent byS1 or by S2 and similarly forM2. The disjunctcompl(S1) ≤ start(M1) covers the first alternative, whilecompl(S2) ≤start(M1) is for the second alternative. Perhaps surprisingly, the second alternative is ineffect not needed. Not only this, but this alternative can be ignored without changing the


logical meaning of the overall expression. Why is this? What we know for sure is thatcompl(S1) ≤ start(S2). But then,compl(S2) ≤ start(M1) always impliescompl(S1) ≤start(M1). In other words, we have a disjunction whose first disjunct is always implied byits second disjunct. It is not too hard to prove that such a disjunction islogically equivalentto the first disjunct.1 A similar argument applies to (b). Here,compl(S4) ≤ start(M2)

always impliescompl(S3) ≤ start(M2). The overall expression from above thus reduces to

(a) compl(S1) ≤ start(M1),

(b) compl(S3) ≤ start(M2).

In the general case, we have:

for all i (1≤ i ≤ #M) : compl(S1+ (i−1)·#S#M) ≤ start(Mi ). (12)

The quotient#S#M can be thought of as the number of groups, each of which represents an

undersampled communication pattern. Fig. 5 contains two such groups. The first collectstogetherS1, S2 andM1, while the second consists ofS3, S4 andM2. Bearing this in mind, itshould become clear thatS1+ (i−1)·#S

#Mdenotes the first execution ofS in each of these groups.

A crucial point here is that#S#M always yields a natural number. This, in fact, is importantbecause otherwise the expression 1+ (i−1)·#S

#M would clearly not make much sense. Theproof that #S

#M is always a natural number requires some effort. LetR be the set of allreceivers ofM . Then #M is defined to be min{#R,#S}. If min{#R,#S} yields #S, then #S

#Mis obviously a natural number. If, otherwise, min{#R,#S} yields #R, then there exists atleast oneR ∈ R such that min{#R,#S} is #R. This particularR is exactly thatR ∈ R forwhich #R is largest. Now, according to our assumption above, either #S is a multiple of #Ror, vice versa, #R is a multiple of #S. As #M equals #R, we know that either #S is a multipleof #M or, vice versa, #M is a multiple of #S. We can rule out the second possibility in that#M ≤ #S. But then, #S must be a multiple of #M . This shows that#S#M yields a naturalnumber.

Another interesting point is that (12) contains the original version (9) as the special caseof synchronous communications. For #M = #S, the general version (12), in fact, reducesto the synchronous version (9).

3.2. Latencies Again

The latency constraint (11) also works only for the synchronous case. It presupposes that, ifSsendsM to R, then everyi th execution ofStransmits thei th instance ofM , which in turnis always received by thei th execution ofR. As regards asynchronous communications, itis not clear which particular tripletSi ,Mj andRk forms the actual communication. Whatisclear, however, is that at least one of these triplets should satisfy a proper latency constraint.Take the case #S> #R, a situation that is present in Fig. 5. Undersampling means that notall executions ofS actually transmit a fresh version ofM . What is important here is thatfor every executionRk there exists at least one executionSi sending a fresh version ofMto Rk without violating a proper latency condition. It might, of course, happen that this


very triplet does not form the actual communication. This might indeed happen if thereis another triplet that fits into the original one. This should not matter though. This isbecause, whenever the original triplet satisfies the latency condition, then so does the actualcommunication pattern. As an example takeR2 in Fig. 5. Imagine that the tripletS2,M2, R2

does fulfill a specific latency constraint,i.e., compl(R2)−start(S2) ≤ latency(M, R). Thistriplet S2,M2, R2 clearly does not form the actual communication, in thatM2 is transmittedby S3 rather thanS2. If, however, the tripletS2,M2, R2 meets the latency constraint, then sodoes the actual communication patternS3,M2, R2. The mere existence of a proper tripletnot exceeding the relevant latency is thus sufficient, no matter whether this triplet representsthe actual flow of information or not. The accurate formulation for #S> #R is as follows.

For all k (1 ≤ k ≤ #R) there is at least onei (1 ≤ i ≤ #S) and at least onej(1≤ j ≤ #M) such thatstart(Mj ) ≥ compl(Si ) and

eitherstart(Rk) ≥ compl(Mj ) andcompl(Rk)− start(Si ) ≤ latency(M, R)

ork = 1 & CT − start(Si )+ compl(Rk) ≤ latency(M, R).

(13)

The first alternative covers all those situations in whichSi ,Mj and Rk occur in exactlythis sequence. The second alternative deals with the case whereRk is postponed to thesubsequent cycle of the repetition window, thus being the first execution ofR within therepetition window.

Let us finally consider the case #S ≤ #R. Here, the condition (13) itself can remainunchanged. The only thing that must be adopted is the quantification of the indices. Thisis due to the fact that for #S ≤ #R some executions ofR may not receive a fresh versionof M . This makes it necessary to formulate (13) from the viewpoint of the senderS ratherthan that of the receiverR. For #S≤ #R we thus have:

For all i (1 ≤ i ≤ #S) with j = i there is at least onek (1 ≤ k ≤ #R) such thatstart(Mj ) ≥ compl(Si ) and (13).

The explanation whyj is set toi rather than existentially quantified is as follows. If #S≤ #R,we know that #M is #S. But then the transmissionMi is sent bySi .

4. The Problem’s Inherent Complexity

Scheduling problems are typically NP-complete. A vast collection of NP-complete schedul-ing problems can be found in [9], pages 236–244. None of these results, however, directlyapply to the present problem. From the data bus point of the view, the problem of sequencingall the messages broadcast through the common data bus might be seen as what is commonlycalled a single machine problem. Asingle machine problemconsists in scheduling a finitenumber of tasks in such a way that each task’s individual release time and deadline is met.At a first glance, it seems that the execution time of the sender and that of the receiver spec-ify a release time and a deadline for each particular message transferred. If this were true,


the problem at hand would indeed give rise to a full-fledged single-machine problem. Inthis case, finding a proper schedule for the data bus would be NP-hard because full-fledgedsingle-machine problems are known to be NP-complete [8]. Although individual releasetimes can be simulated in this way perfectly well, deadlines cannot. This is because anyof the receivers might be postponed to the subsequent repetition window, thus there beingno more real deadline. It might be argued that the cycle timeCT states such a deadlineanyway. Note, however, that a full-fledged single-machine problem involves anindividualdeadline for each task rather than a single overall deadline.

The present scheduling problem might also be just a traditionaljob shop problem[10].A job consists of a finite a number of totally ordered tasks, each of which is to be executedon a specific machine (or resource). The problem then consists in finding for each machinea proper schedule. Each single schedule has to meet a specific overall deadline. In thiscase, there is only one single deadline, common to all machines. All machine schedulesmust also obey the total ordering given. It is, of course, not sufficient that each machineschedule—in isolation—meets this ordering, but that all machine schedules meet this totalordering collectively. Job shops are NP-complete, even when there are only 2 resources[10].

The question is whether the present scheduling problem is such a traditional job shop.The cycle timeCT can serve as the overall deadline common to all machines. However, theonly jobs that our scheduling problem involve are special jobs consisting of an execution of asender and the subsequent transmission of a message. The precedence constraint here is thatthe message may not be transferred before the relevant sender terminated; see (9). Theseare the only precedence relations that exist in our case. This means that in the present casethere are only jobs consisting of exactly 2 tasks where the second task is always allocatedto a specific resource, the data bus. The precedence relation thereby induced is not totaleither. There seems to be no result in the literature for this special case of a job shop. Whatis known, however, is that this special class of job shops is computable in polynomial timewhenever there are only two resources, even without the restriction that the second task isalways allocated to the same resource. In fact, Jackson [14] was able to prove that job shopproblems can be solved in polynomial time as long there are only two-tasks jobs allocatedto no more than two resources.

The question arises whether the present scheduling problem is nevertheless NP-hard. Itis. Not only this, but it is even NP-hard in thestrong sense, which can be understood asfollows. It is known that the hardness of some NP-complete problems only comes froma compact representation of numbers in the usual binary notation. If the numbers wererepresented in unary notation, however, these problems might be solvable in polynomialtime, thus being mere number problems. On the other hand, there also exists problemswhich are NP-complete, even with numbers represented in unary notation. This type ofproblem is calledNP-complete in the strong sense, see e.g. Chapter 4.2 of [9]. The presentscheduling problem is exactly of this type. This is because it encompasses, as a special case,another problem already known to be NP-complete in the strong sense, the so-calledbinpacking problem. Bin packing means distributing a finite number of items with individualsizes amongk bins with each having a uniform bin capacity ofB. Take an arbitrary set ofitemsU = {u1, . . . ,un}. The problem then consists in partitioningU into disjoint subsets


Figure 6. A reduction from bin packing.

U1, . . . ,Uk, each subset of which must not exceed the bin capacityB. This means that thesum of the sizes of all items in eachUi is B or less. This problem has been shown to beNP-complete in the strong sense, see page 226 of [9].

Nothing prevents us from viewing each itemui (1 ≤ i ≤ n) as a specific process,Pui ,whose execution time is interpreted as the size of that item. None of these processes sendany message, nor do they receive any. All these processes have a uniform period ofk·(B+1)and are allocated to the same processor. There is one more process; call it simplyP. Thisprocess is allocated to the same processor as the other processes. It does not send or receiveany message either; its execution time is 1. The crucial point is thatP has a frequencywhich is exactlyk times as high as the frequency of the other processes, that is,period(P)is B+ 1. There are no other processes, so that the overall cycle time is identified with thelonger of the two periods used, that is,CT = k · (B+ 1). But then the situation is exactlythe same as in the original bin packing problem: all processes butP are to be distributedamongk blocks (or bins) with each having a uniform length (or bin capacity) ofB, seeFig. 6.2 Finding a schedule for a single processor is therefore NP-hard in the strong sensebecause bin packing is NP-hard in the strong sense as well. Note that this proof exhibitsonly one single processor with no communication whatsoever involved. This means thatthere is only one single resource. For this special case, the job shop part of the presentscheduling problem is solvable in polynomial time, as is the two-resource case. Thus, atleast for the special case of at most 2 resources, the computational complexity of the presentproblem is proven not to stem from a job shop. The periods of the processes (and similar formessages) are thus an independent source of complexity, independent of any precedencerelation, latency, individual deadline, release time, or any other additional constraint.

5. Constraint Programming

The problem under investigation was solved with the help of finite-domain constraints. Thespecific constraint language we used is Oz [23].

A finite-domain constraintis a first-order formula over a number of variables, each ofwhich may take a specific value out of a finite set of non-negative integers, called afinitedomain. In Oz, a distinction is made between constraints which arebasicand those whichare not. Only basic constraints may reside in the globalconstraint store. This is to guaranteethat the satisfiability of the entire constraint store can always be decided efficiently, justlike the question whether an arbitrary basic constraint is entailed by the current store ornot [20]. The simplest form of a basic constraint isx ∈ D, whereD can be an arbitrary


finite domain. A basic constraint of this type is also referred to as adomain constraint. Inthis paper, we consider only two other types of basic constraints. These are of the formx = y andx = n, wheren can be an arbitrary non-negative integer.

As is well-known, deciding the satisfiability of nonbasic constraints likex + y = z iscomputationally intractable (because graph-coloring problems can be encoded, for exam-ple). This is why in Oz such nonbasic constraints do not reside in the global constraintstore. Instead, a nonbasic constraint is imposed by what is called apropagator. Thispropagator implements the effects of the relevant constraint. It is a computational agentthat tries to narrow down the domains of variables by adding appropriate basic constraintsto the constraint storeS. Take a propagator for a nonbasic constraint,α. This propagatormay impose a basic constraint not yet entailed byS, sayβ, if β is entailed byS ∪ {α}. Inaddition, of course,S ∪ {β} has to be satisfiable. If, for example,S consists of the basicconstraintsx ∈ {1, . . . ,10}, y ∈ {1, . . . ,10} andz ∈ {1, . . . ,10}, then a propagator forx + y = z might addx ∈ {1, . . . ,9}, y ∈ {1, . . . ,9}, as well asz ∈ {2, . . . ,10} to thecurrent constraint store. The termconstraint propagationrefers to advancing the constraintstore in this manner. A propagator for a constraint,α, signals inconsistency as soon as it isrealized thatα is inconsistent with the constraint store.

A finite-domain problemis a finite set of finite-domain constraints such that for eachvariable occurring in a constraint there exists at least one domain constraint. Asolutiontoa finite-domain problem is a specific mapping which assigns a single non-negative integerto each variable such that all constraints are satisfied simultaneously.

Constraint propagation alone is often not sufficient for determining a solution. A solutionfor a finite-domain problem,2, can be obtained, anyway, if a list of (not necessarilybasic) constraintsα1, . . . , αn is chosen. Instead of solving the original problem, it is thenimperative to try to solve at least one of the problems2∪ {α1}, . . . , 2∪ {αn}. In this case,we say thatwe branch withαi in 2. Examples forαi might bex = 1 andx > 1. Such amodification of the original problem is perfectly admissible, in that a solution for2∪{αi } isalways a solution for2 as well. The sequence of problems2∪{αi } can simply be examinedone after the other, so that2 ∪ {αi } is considered only if all preceding alternatives leadto an inconsistency. In general, the choice of the constraints to branch with, including thespecific ordering in which they are examined, is called abranching strategy. To maximizethe available information for any strategy, branching does not take place before constraintpropagation has reached a fixed point. Solving a constraint problem thus consists in asequence of interleaving propagation and branching steps.

In Oz, a propagator for a constraintα ceases to exist as soon as it is realized thatα

is entailed by the constraint store. The propagator becomes then automatically garbagecollected by the system itself. This will turn out to be an important feature for beingable to cope with the present problem (see Section 8). A detailed treatment of constraintprogramming in Oz can be found in [27].

6. A Solution to the Problem

This section explains how constraint programming can be used to solve the schedulingproblem at hand. Such a solution always has two parts to it. The starting point is to


recast the relevant problem in terms of formal constraints. This is not too difficult in thepresent case, but we have to consider efficiency and memory consumption. The next stepis to choose a particular branching strategy whichis difficult in the present case. We shallnot only describe the branching strategy which ultimately led to success, but also mentionsome of those that failed. It is difficult to say whether these results are specific to theactual constraint language that we used. Anyway, we hope that the results will give otherprogrammers some helpful hints how to tackle similar problems.

6.1. The Constraints

The starting time of a process execution,Pi , can well be captured by a finite-domainvariable and so can the starting time of a message transmission,Mj . For convenience, thesevariables are also denoted bystart(Pi ) andstart(Mj ) respectively. Because the cycle timeCT is typically only a fraction of a second, the initial domains should be chosen carefully.The smallest relevant time unit is the reciprocal of the frequencyρ of the global clock.This is exactly the general time unit that we use. The starting times are then initialized asfollows:

start(Pi ) ∈ {0, . . . ,CT − dur(P)},start(Mj ) ∈ {0, . . . ,CT − dur(M)}.

The completion times are not introduced explicitly; rather, the expressionsstart(Pi ) +dur(P) or start(Mj ) + dur(M) are used to replace them. This is to reduce the overallnumber of finite-domain variables.

The specific domains that we associated withstart(Pi ) andstart(Mj ) clearly guaranteethat neithercompl(Pi ) nor compl(Mj ) ever exceedCT, thus satisfying constraints (4) and(8). The remaining constraints of the second section then form ordinary finite-domainconstraints. The only exceptions are latency and serialization constraints.

6.2. Serialization Constraints

The constraint (5), pairwise serializing all process executions on a specific host, is adis-junctive constraint. It involves two possible alternatives. Of exactly the same nature is(10), serializing the communication through the data bus. Constraints of this sort can behandled, anyway, if the constraint language has the possibility to reflect the truth value of aconstraint into a 0/1 variable, see e.g. [19], [13], [12]. In Oz this kind of reflection is calledreification. For the disjunctive constraint (5) a proper reification is as follows. First let usdefine two 0/1 variables never taking the value 1 at the same time:B1 ∈ {0,1}, B2 ∈ {0,1},andB1+ B2 = 1. Then we can state the following constraint.

(B1 = 1) ↔ (start(Pi )+ dur(P) ≤ start(Qj )

),

(B2 = 1) ↔ (start(Qj )+ dur(Q) ≤ start(Pi )

).

This reification captures the meaning of (5) exactly . To see this, assume that one of thealternatives, say,start(Pi ) + dur(P) ≤ start(Qj ) becomes inconsistent with the current


constraint store.B1 is then set to 0 and, therefore,B2 to 1. But then, the second alternativeis immediately invoked.

In Oz this reification can also be phrased somewhat more succinctly:(start(Pi )+ dur(P) ≤ start(Qj )

)+ (start(Qj )+ dur(Q) ≤ start(Pi )) = 1

But even with the use of this succinct form, we need altogethern·(n−1)2 reified constraints to

serializen process executions or message transmissions. Such a naive approach works wellas long asn is comparatively small. With a number of about 3,000 message transmissionsthat we were faced with, this is no longer feasible.

Such an excessive memory consumption can be avoided by a special type of constraint,working on a large set of variables simultaneously. A constraint of this kind is calledglobal.In some cases, global constraints do not only save memory, but also improve the overallrun-time. This might even happen when a global constraint does nothing more than mimickthe propagation of a host of non-global constraints like the reified ones from above. Insteadof maintainingO(n2) propagators, only a single (global) propagator needs to be maintainedby the underlying run-time system. We dealt with the constraints (5) and (10) in exactly thisway. Given an arbitrary number of items, the relevant global propagator mimics the pairwiseserialization of these items without the full computational burden of the original pairwiseserialization. The global propagator essentially considers successively each pair of itemsand it checks whether any clause of the corresponding disjunction is disentailed. In thiscase it imposes the right basic constraints implied by the remaining clause. The propagatorwas created with the help of a special interface, the so-called constraint propagator interfaceof Oz [18] and is available asFD.schedule.serializedDisj. This interface makes it possible tocreate new propagators efficiently.

This serialization propagator does not employ any domain-specific information other thanthat of a linear time scale. Global constraints, however, may also employ more elaboratepropagation techniques for domain-specific purposes. Applegate and Cook [1] proposedsuch a technique, callededge finding, see also [3]. Variants of this technique enjoy a run-time which essentially grows quadratically in the number of items to be serialized [17].In computational terms, even these more efficient variants are yet more expensive than theglobal constraint described above. For certain problems, however, edge finding may leadto a drastic reduction of the search space, outweighing the additional computational costs.No such effect can be observed for the present problem. This is due to the fact that thedomains of the starting time variables are rather huge in comparison to the item’s duration,but edge finding works only with narrow domains. While the data bus is the real bottleneckof the current scheduling problem (see also below), this is not immediately mirrored in thedomains of the variables. Compared with the global constraints that we employed, edgefinding does not shorten the search for a solution at all. Edge finding even increased theoverall run-time by a factor of five.

6.3. Latency Constraints

The latency condition (11) distinguishes between communication patterns which arewrapped over the repetition window and those which are not. These two possibilities


might also be captured with the help of a reified constraint; however, this leads to weakconstraint propagation. An experiment showed that such an approach does not allow forthe solution of the present problem in one day of computation time. Propagation, however,can be improved by a specific preprocessing phase. If, for example,Pi sends a messageto Qj , this preprocessing phase can determine whether or notQj is to be postponed tothe subsequent repetition window. This works as follows. If the relevant communica-tion is not involved in a cycle, then it is assumed thatQj is not postponed. In this case,start(Qj ) ≥ compl(Pi ) is imposed. As a consequence, the following version of a latencycondition is sufficient.

start(Qj )+ dur(Q)− start(Pi ) ≤ latency(M, Q).

If, on the other hand, the communication betweenPi and Qj is part of a cycle, thenan ordering betweenPi and Qj can be chosen arbitrarily. Ifstart(Qj ) ≥ compl(Pi ) ischosen, then again the latency condition just given is sufficient. If, otherwise,start(Pi ) ≥compl(Qj ) is chosen, then the following condition must be met:

CT − start(Pi )+ start(Qj )+ dur(Q) ≤ latency(M, Q).

In this way, we can dispense with the disjunction of (11). This guarantees adequate propaga-tion. In principle, it might happen that this preprocessing phase cuts off the only admissiblesolution to the problem. This, however, seems to be very unlikely. At least it never happenedin any of our experiments.

7. Search Heuristics

7.1. A Strategy from Real-Time Applications

Branching strategies off the shelf (like first-fail) turned out to be too simple for the presentproblem. Branching strategies can be divided into two categories. The first class of strategiesbranches with basic constraints such asx = c. The second type of strategies branches withnon-basic constraints such asx + c ≤ y. In this case, new propagators are created duringrun-time. We experimented with strategies from either category.

The first branching strategy that we investigated was motivated by Liu and Layland’s[16] work on scheduling algorithms for hard real-time applications. This strategy worksas follows. The finite domain which models the starting time of a process execution or amessage transmission denotes the set of possible integer values for the starting time. Letlct(Pi ) andlct(Mi ) be the latest possible completion time ofPi andMi , respectively. Thevaluelct(Pi ), for example, is thus the maximal value of the domain ofPi plus the executiontime of Pi . Then let us select the pair(Pi ,Mi ) for which(lct(Pi ), lct(Mi )) is minimal withrespect to lexicographic order. In addition, a pair may be selected only if eitherstart(Pi )

or start(Mi ) is not already fixed to a single value. Ifstart(Pi ) stays unfixed, it is branchedwith basic constraints of the formstart(Pi ) = c. The enumeration of possible candidatesfor c begins with the smallest possible starting time ofPi . As soon as a consistent value forstart(Pi ) is found, the starting time ofMi is fixed by a similar procedure. As a result, the


process with the smallest of the latest possible completion times (usually a process with ahigh frequency) determines which starting time is fixed first. While this strategy works wellif no latency constraints are considered, no solution is obtained in one day of computationtime with latencies included.

7.2. Strategies from Operations Research

As an alternative, we investigated several strategies of the second category. These strategieswere motivated by similar strategies from Operations Research, which have recently beenused also in the field of constraint programming [2], [4]. Let us first explain what the keyidea of this strategy is. Consider a set,S, of items. The task is to schedule all elements ofSin a mutually non-overlapping manner. The branching strategy is divided into two phases,the determination of an appropriate serialization and the assignment of concrete startingtimes. Serializationin this case means that for alls, s′ ∈ S such thats 6= s′, it has to bedecided whethers is scheduled befores′ or vice versa. An appropriate total ordering ofScan be obtained by branching with one of the following propagators at run-time:

start(s)+ dur(s) ≤ start(s′)or

start(s′)+ dur(s′) ≤ start(s).

In the best case, a number of|S|·|S−1|2 branching steps is needed to serializeS completely.

This number may be reduced if some ordering decisions can be decided deterministically.For example, the strategy proposed in [4] avoids some branching steps by detecting orderingswhich must necessarily hold. The assignment of concrete starting times could then be donewith a branching strategy of the first category. But a number of branching steps whichcan grow quadratically inS might be, of course, not feasible for a large-scale problem.Nevertheless, we have tried the strategies suggested in [4] and [22]. These strategiesemploy one pairwise ordering decision at each branching step and have been shown to yieldgood results in the area of job-shop scheduling [9]. Unfortunately, both strategies failedeven after several hours of computation time for a small test problem. This means that thestrategies using local pairwise ordering decisions are too weak for the considered problem.Both strategies [4], [22] consider the size of the domains of starting time variables to makebranching decisions. But because these domains are rather wide compared to the item’sduration (especially in the beginning of the search), this heuristic might guide the searchin a wrong direction. Due to the size of the considered problems these wrong decisionscannot be recovered by simple backtracking.

Instead of ordering only a single pair of items at a time, many pairs can be ordered in asingle branching step. The number of branching steps can thus be significantly reduced byconsidering a number of propagators at one time. This proceeds as follows. First, selectan items ∈ S. Then it is branched with a number of constraints, altogether stating thatsprecedes each item inS, except fors itself:

start(s)+ dur(s) ≤ start(s′),


for all s′ ∈ S such thats′ 6= s. If this leads to an inconsistency, then the entire procedureis retried with anothers ∈ S; otherwises is deleted fromS. As soon as the subsequentconstraint propagation has reached a fixed point, the overall procedure is invoked again, aprocess which continues until all items are serialized. In the best case, no more than|S|−1branching steps are needed to serializeS completely. Of course, we still have a quadraticnumber of pairwise ordering decisions along with a corresponding number of propagators,but the depth of the search tree may be reduced significantly. The way that we deal withthis vast number of propagators is described in Section 8.

The question remains which of the potential candidates fors ∈ S should be consideredfirst. For this purpose, information on the possible starting times can be exploited. Inparticular, it is possible to extract those items amongS which may precede all others, seee.g. [3], [2], [26]. This subset ofS can be computed in timeO(|S|). Let F be this set ofitems which may precede all others inS. If F is empty, there clearly exists no serializationat all. If |F | = 1, no branching step is necessary becauseF ’s single element is the onlycandidate fors. If otherwise|F | > 1, those elements ofF are tried first whose earliestpossible starting time is minimal. This guarantees that for the remaining items there isas much free space on the time scale left as possible. This strategy is available in Oz asFD.schedule.firstsDist.

7.3. Order of Branchings

Now we have to decide which resource should be serialized first. It is common practiceto schedule the resource first which can be seen as the bottleneck of the problem. As anobvious criterion we have chosen first the utilization (load) values. Because the utilizationof the processors is up to 92%, whereas the utilization of the data bus is only about 11%,we have tried to serialize the processes first. Surprisingly, we could only solve a fewproblems. Analyzing the problem more carefully, we found out that the primary sourceof complexity is the different periods at which processes may be executed. What makesthe scheduling of the data bus so difficult is the fact that it is the only resource commonlyused by all inter-processor communications. Through the common data bus processeson different processors with different periods interact in a non-trivial way. Thus, thekind of branching described before is first applied to the messages sent through the databus. The serialization of the messages automatically narrows down the possible startingtimes of the sending processes. The process executions are then serialized by the samestrategy. Currently it is not necessary to impose a certain order which processor to serializefirst.

7.4. Assignment of Concrete Starting Times

The second phase is the assignment of concrete starting times. It turns out that a validschedule can be obtained just by simply assigning the starting times to theminimalvalueof those still remaining. This means that no further search is needed. This observationcan be gathered from a similar theorem of Van Hentenryck [24]. This theorem essentially


states that mere constraint propagation is indeed sufficient for detecting any inconsistencyif there are only constraints of the formx+ c ≤ y andx+ c = y such thatc is an arbitraryinteger. The theorem moreover states that a solution can be obtained in a way very similarto the one described in this section. Van Hentenryck’s theorem, however, does not includedisjunctive constraints of the sortx + c1 ≤ y ∨ y + c2 ≤ x. On the other hand, the kindof serialization that we described above leaves only one of the two disjuncts from eachdisjunctive constraint, so that Van Hentenryck’s theorem still applies.

8. Empirical Results

The constraint program described has been applied to several large-scale problems of theDaimler-Benz AG. Currently, we have the data from ten of such problems available. One ofthe smaller problems of this class is described in the following. The frequency of the globalclock leads to possible starting times ranging from 0 to 6 million. There are 10 processors,hosting altogether about 109 processes. Taking the executions of periodic processes intoaccount, there are about 180 process executions to be scheduled. The process executionstransfer about 983 inter-processor messages. With additional 648 resynchronization mes-sages, there are 1 631 messages to be transferred through the common data bus. Amongthese there are 780 that are transferred with a frequency higher than that of the repetitionwindow. There are exactly 106 different latency constraints. The overall utilization of thedata bus is about 7%, the maximal utilization of a processor is about 92%, with an averageof about 25%.

An appropriate program is implemented in Oz [18]. Running the program on a Pen-tium Pro 200 MHz will bring a solution within 10 minutes with 7.5 MB active data onthe heap. The number of backtracking steps (i.e. number of failures) is 8. In the courseof the computation, more than 1.4 million propagators are created, thereof about 23,000are created before the first branching step takes place. This huge number of propaga-tors is consistent with the moderate memory consumption. Many of those propagatorswhich are imposed during the branching are entailed very early and, thus, are garbagecollected. It is important that the entailment detection is not delayed until the constrainedvariables are determined (as it is the case forclp(FD) [6]). This would be insufficientbecause of the branching strategy used (only after all process executions and the messagesare serialized the starting times are fixed). Without a garbage collection as it is providedin Oz, the solution of the problem by a propagator-based approach would not be possi-ble.

Recomputation was used to keep the memory consumption as low as possible. This meansthat whenever an inconsistency occurs, previous computation states are reconstructed byrecomputation. Copying (trailing in other systems) earlier computation states is therebyavoided [11].

All applications have been solved successfully. The number of propagators involvedrange from 1.4 million to 9.3 million. The processing time needed to find an admissibleschedule ranges between 10 minutes and 2 hours and 3 minutes on Pentium Pro 200 MHz.Only 8 to 20 backtracking steps are needed for finding the first admissible solution. Theexact results are as follows.


Application Number of Number of Number of Processing timepropagators transmissions backtracking on a Pentium

to be scheduled steps Pro 200 MHz

1 9.3 · 106 2 401 20 2 800 secs2 1.4 · 106 1 631 8 600 secs3 5.1 · 106 2 863 9 4 900 secs4 1.4 · 106 1 633 12 600 secs5 5.5 · 106 2 942 8 5 400 secs6 1.4 · 106 1 637 13 600 secs7 5.9 · 106 2 998 8 6 700 secs8 1.4 · 106 1 637 13 600 secs9 6.5 · 106 3 001 11 7 400 secs

10 1.4 · 106 1 637 13 600 secs

9. Conclusions

We presented a solution to the off-line scheduling problem of time-triggered architectures.With the help of the concurrent constraint language Oz, we were able to solve several large-scale problems from this class. The specific problems that we solved involved finite domainsranging from 0 to 6 million and more than 3,000 message transmissions to be scheduledin a mutually non-overlapping manner. Up to 9.3 million propagators were created in thecourse of computing a valid schedule.

Despite its small load, the data bus turned out to be the bottleneck of the problem. This iscertainlynotwhat one would expect of a typical data bus load of 11% and a processor loadof up to 92%. What makes the scheduling of the data bus so difficult is the fact that it is theonly resource commonly used by all inter-processor communications. None of the commonbranching strategies was capable of cracking this bottleneck. We experimented with onewell-known strategy from real-time applications and several others from constraint-basedscheduling. One strategy was the serialization of a number of items by considering one pairafter the other. What ultimately led to success was a new strategy, minimizing the overallnumber of branching steps. This special branching strategy was implemented with the helpof the constraint propagator interface of Oz, just like the global constraint for serializing anarbitrary number of items simultaneously.

Another important observation was that after a complete serialization, no further searchwas needed in order to assign concrete starting times. It actually suffices to consider onlythe smallest value among those still remaining. This is due to a special characteristic ofthe problem under consideration. Another observation was that excessive memory con-sumption can be avoided by garbage collecting redundant propagators as early as possible,a characteristic that Oz enjoys.

Acknowledgments

The authors would like to thank Denys Duchier and the anonymous referees for their in-valuable comments on a draft version of this paper. The second author was partly supported


by the Bundesminister für Bildung, Wissenschaft, Forschung und Technologie (FKZ ITW9601), and the Esprit Working Group CCL-II (EP 22457).

Notes

1. What we have to show is thatα ∨ β is always equivalent toα wheneverβ entailsα. The proof is as follows.Assume thatβ entailsα. α certainly entailsα ∨ β, even without the assumption thatβ entailsα. It remainsto establish the reverse direction, that is, the claim thatα ∨ β entailsα. This can be shown byreductioad absurdum. In order to do so we assume ofα ∨ β and, then, show that the additional assumption of¬αnecessarily leads to a contradiction. We know thatβ entailsα or, equivalently,¬α entails¬β. The assumption¬α, therefore, necessarily leads to the conclusion¬β. But then,¬α ∧¬β holds and, therefore,α ∨ β cannothold, as was to be shown. q.e.d.

2. Thekth block might be split into two parts, one at the end of the repetition window, the remainder at thebeginning. If some of the executionsPu1, . . . , Pun fit into this block anyway, this does not matter though.

References

1. D. Applegate and W. Cook. (1991). A computational study of the job-shop scheduling problem.OperationsResearch Society of America, Journal on Computing, 3(2): 149–156.

2. P. Baptiste, C. Le Pape, and W. Nuijten. (1995). Constraint-based optimization and approximation for job-shop scheduling. InProceedings of the AAAI-SIGMAN Workshop on Intelligent Manufacturing Systems.

3. J. Carlier and E. Pinson. (1989). An algorithm for solving the job-shop problem.Management Science,35(2): 164–176.

4. Y. Caseau and F. Laburthe. (1995). Disjunctive scheduling with task intervals. LIENS Technical Report95–25, Laboratoire d’Informatique de l’Ecole Normale Superieure, Paris, France,

5. S. T. Cheng and A. K. Agrawala. (1995). Allocation and scheduling of real-time periodic tasks with relativetiming constraints. InProceedings of the Second International Workshop on Real-Time Computing Systemsand Applications.

6. P. Codognet and D. Diaz. (1996). Compiling constraints inclp(FD). Journal of Logic Programming,27(3): 185–226.

7. C. Eriksson. (1997),A framework for the design of distributed real-time systems. ISRN KTH/MMK/R–97/2-SE, Royal Institute of Technology, KTH, Stockholm, Sweden.

8. M. Garey and D. Johnson. (1977). Two-Processor scheduling with start-times and deadlines.SIAM Journalon Computing, 6: 416–426.

9. M. Garey and D. Johnson. (1979).Computers and Intractability—A Guide to the Theory of NP-Completeness.Freeman.

10. M. Garey, D. Johnson, and R. Sethi. (1976). The Complexity of flowshop and jobshop scheduling.Mathe-matics of Operations Research, 1: 117–129.

11. M. Henz, M. Muller, C. Schulte, and J. Würtz. (1997). The Oz standard modules. DFKI Oz DocumentationSeries, German Research Center for Artificial Intelligence (DFKI), Saarbrücken, Germany.

12. M. Henz and J. Würtz. (1996). Using Oz for college timetabling. InProceedings of the First InternationalConference on Practice and Theory of Automated Timetabling, Vol. 1153, ofLecture Notes in ComputerScience, pp. 162–178. Springer-Verlag, Berlin, Germany.

13. ILOG, URL: http://www.ilog.com (1996). ILOG SOLVER 3.2, User Manual.

14. J. R. Jackson. (1956). An Extension of Johnson’s result on job lot scheduling.Naval Research LogisticsQuarterly, 3: 201–203.


15. H. Kopetz. (1991). Event-Triggered versus time-triggered real-time systems. InProceedings of InternationalWorkshop on Operating Systems of the 90s and Beyond, Vol. 563 ofLecture Notes in Computer Science,pp. 87–101. Springer-Verlag, Berlin, Germany.

16. C. L. Liu and J. W. Layland. (1973). Scheduling algorithms for multiprogramming in a hard real-timeenvironment.Journal of the ACM, 20(1): 46–61.

17. P. Martin and D. B. Shmoys. (1996). A new approach to computing optimal schedules for the job shopscheduling problem. InInternational Conference on Integer Programming and Combinatorial Optimization,Vancouver, pp. 389–403.

18. T. Muller and J. Würtz. (1997). The constraint propagator interface of DFKI Oz. DFKI Oz DocumentationSeries, German Research Center for Artificial Intelligence (DFKI), Saarbrücken, Germany.

19. W. Older and F. Benhamou. (1993). Programming in CLP(BNR). InPosition Papers for the First Workshopon Principles and Practice of Constraint Programming, pp. 239–249.

20. C. Schulte, G. Smolka, and J. Würtz. (1994). Encapsulated search and constraint programming in Oz. InProceedings of Principles and Practice of Constraint Programming, Vol. 874 ofLecture Notes in ComputerScience, pp. 134–150. Springer-Verlag.

21. C. Schulte, G. Smolka, and J. Würtz. (1998). Finite Domain Constgraint Programming in Oz: A Tutorial.DFKI Oz documentation series, German Research Center for Artificial Intelligence (DFKI), Saarbrücken,Germany.

22. S. F. Smith and C.-C. Cheng. (1993). Slack-based heuristics for constraint satisfaction scheduling. InPro-ceedings of the 11th National Conference of the American Association for Artificial Intelligence, pp. 139–144.

23. G. Smolka. (1995). The Oz programming model. InComputer Science Today, Lecture Notes in ComputerScience, vol. 1000, pp. 324–343. Springer-Verlag.

24. P. Van Hentenryck and Y. Deville. (1991). Operational semantics of constraint logic programming over finitedomains. InProceedings of the AAAI Spring Symposium Series, pp. 128–146.

25. M. Wallace. (1996). Practical applications of constraint programming.Constraints, 1(1&2): 139–168.

26. J. Wurtz. (1996). Oz Scheduler: A workbench for scheduling problems. InProceedings of the EighthInternational Conference on Tools with Artificial Intelligence, pp. 149–156.

27. J. Wurtz. (1998).Losen kombinatorischer Probleme mit Constraintprogrammierung in Oz, Ph.D. thesis,Universitat des Saarlandes, Fachbereich Informatik, Saarbrücken, Germany. In German.

Documents

Scheduling of Time-Triggered Real-Time Systems