[5], which are also the subject of this paper. At the time, the three languages were well defined and had seen some industrial use, but were still under development. In the intervening years, the languages have been improved, gained a much larger user community, and have been successfully commercialized. Today, synchronous languages have been established as a technology of choice for modeling, specifying, validating, and implementing real-time embedded applications. The paradigm of synchrony has emerged as an engineer-friendly design method based on mathematically sound tools. This paper discusses the improvements, difficulties, and successes that have occured with the synchronous languages since 1991. It begins with a discussion of the synchronous philosophy and the challenge of maintaining functional, deterministic system behavior when combining the synchronous notion of instantaneous communication with deterministic concurrency. Section II describes successful uses of the languages in industry and how they have been commercialized. Section III discusses new technology that has been developed for compiling these languages, which has been substantially more difficult than first thought. Section IV describes some of the major lessons learned over the last 12 years. Section V discusses some future challenges, including the limitations of synchrony. Finally, Section VI concludes the paper with some discussion of where the synchronous languages will be in the future. Throughout this paper, we take the area of embedded control systems as the central target area of discussion, since this has been the area in which synchronous languages have best found their way today. These systems are typically safety critical, such as flight control systems in flight-by-wire avionics and antiskidding or anticollision equipment on automobiles.
I. THE SYNCHRONOUS APPROACHThe synchronous languages Signal, Esterel, and Lustre are built on a common mathematical framework that combines synchrony (i.e., time advances in lockstep with one or more clocks) with deterministic concurrency. This section explores the reasons for choosing such an approach and its ramifications.
A. Fundamentals of SynchronyThe primary goal of a designer of safety-critical embedded systems is convincing him-or herself, the customer, and certification authorities that the design and its implementation is correct. At the same time, he or she must keep development and maintenance costs under control and meet nonfunctional constraints on the design of the system, such as cost, power, weight, or the system architecture by itself (e.g., a physically distributed system comprising intelligent sensors and actuators, supervised by a central computer). Meeting these objectives demands design methods and tools that integrate seamlessly with existing design flows and are built on solid mathematical foundations.
