0018-9162/05/$20.00 © 2005 IEEE November 2005 23

P E R S P E C T I V E S

P u b l i s h e d b y t h e I E E E C o m p u t e r S o c i e t y

Opportunitiesand Obligationsfor PhysicalComputingSystems

The recent confluence of embedded and real-time systems withwireless, sensor, and networking technologies is creating a nascentinfrastructure for a technical, economic, and social revolution.Based on the seamless integration of computing with the physi-cal world via sensors and actuators, this revolution will accrue

many benefits. Potentially, its impact could be similar to that of the currentInternet.

We envision data and services that will be available any place, any time,to all people, not just technically sophisticated organizations and individu-als. Major systems such as those in transportation, manufacturing, infra-structure protection, process control, and electricity distribution networkswill become more efficient and capable. People will be safer and experiencean improved standard of living. New applications not even imagined todaywill become a reality.

Although ingredients of this vision have existed for several years and theconcept of pervasive computing does not differ radically from the work wedescribe, we believe developers must focus on the physical, real-time, andembedded aspects of pervasive computing. We refer to this domain as phys-ical computing systems. For pervasive computing to achieve its promise,developers must create not only high-level system software and applicationsolutions, but also low-level embedded systems solutions.

To better understand physical computing’s advantages, we consider threeapplication areas: assisted living, emergency response systems for natural orman-made disasters, and protecting critical infrastructures at the nationallevel.

SISALProjections of world population indicate that many countries, especially

in the West, face a decline in population and in the home care and healthworkforce. There is also a simultaneous and unprecedented global surge in

Seamlessly integratingcomputing with thephysical world via sensors and actuators,physical computing systems promise to givesociety an improved living standard, greatersecurity, andunparalleledconvenience andefficiency.

John A. StankovicUniversity of Virginia

Insup LeeUniversity of Pennsylvania

Aloysius MokUniversity of Texas at Austin

Raj RajkumarCarnegie Mellon University

24 Computer

the percentage of older people. Many seniorcitizens will live alone in the future. If they fallor become sick, the ability to monitor theirwell-being remotely will not only save livesbut also provide peace of mind for their lovedones. Even under nonemergency conditions,their living quality would improve signifi-cantly if their food consumption and medica-tion could be monitored and adjustedautomatically. Groceries and health suppliescould be automatically tracked and replen-

ished as well. Sensor information systems forassisted living (SISAL) specifically target this grow-ing need.

Such systems will likely have as significant aneffect on societal well-being as any application ofembedded, real-time, wireless-network, sensor-information-system, and e-commerce technologies.Broadly, SISAL encompasses intelligent monitors,smart devices, autonomous appliances, sensor net-works, and information systems designed to helpelderly and disabled individuals live independently,enhance their safety and quality of life, ease theburden of their caretakers, and reduce home carecosts. Low-cost and dependable, SISAL will notonly help decrease care costs for the elderly anddisabled, but will also benefit people of all agesdirectly, much as ramps for handicap access in air-ports now let all travelers pull their carry-onseffortlessly.

Devices and appliances for assisted living mustbe easy to use and highly dependable. A majority ofthem will be mission- and safety-critical. Ideally,they should have self-diagnostic and -healing capa-bilities. SISAL must be affordable by people of allincome levels. Further, users who have little or notechnical skills, knowledge, or discipline must beable to maintain and upgrade these systems.

Many SISAL components cannot be effective asstand-alone devices, but must be integrated seam-lessly into a ubiquitous system. Typical SISALs cancontain a few thousand to tens of millions of devicesand appliances. SISAL components will likely varywidely in functionality, size, complexity, and cost.They will likely be produced by hundreds or eventhousands of companies, big and small, worldwide.

SISAL component examples include the follow-ing:

• smart prescription dispensers that a caregivercan program, monitor, and validate remotely;

• heartbeat monitors that can record heartbeatsamples, detect irregular patterns, and sendnotifications or alarms;

• robotic helpers designed to enhance accessi-bility, mobility, and safety; and

• smart pantries that inventory grocery and fooditems and notify designated suppliers for just-in-time replenishments.

Although the life cycles of some SISAL compo-nents could stretch as long as 10 to 20 years, thecomputing and communication platforms com-prising their support infrastructure should be ableto evolve more rapidly. Further, given the mission-critical nature of their role, there must be no glitchesthat interrupt service to the user while SISAL com-ponents and infrastructure evolve independently.Building systems with these characteristics andrequired qualities poses multiple research and prac-tical challenges.

EMERGENCY RESPONSE SYSTEMSPhysical computing systems in the form of wire-

less sensor networks have great potential to enablefast response to emergency situations such as earth-quakes, chemical spills, forest fires, and terroristattacks. Responding effectively to such emergen-cies would require rapidly deploying thousands ofsensor nodes in the region, possibly from aircraft.Each node must be cheap and, therefore, will likelyhave limited capacity. However, the nodes couldcollectively assess the situation, detect the presenceof possible survivors, send vital information to thenearest rescue teams, identify a safe exit path, andmonitor any subsequent events of interest in thearea. Because such emergencies can last for severalhours to days and are highly dynamic, the systemmust adapt to the changing environment, be robust,utilize the limited available resources efficiently, andmeet timing requirements.

While these systems have great potential, manytechnical challenges must be addressed before theycan be implemented. For example, because sensornetworks deal with real-world situations, theirdata services must meet timing constraints. Givensensor networks’ limited resources and unpre-dictability, guaranteeing hard real-time constraintsis infeasible. Solutions that provide certain prob-abilistic guarantees for timing constraints are more practical.

Novel approaches to constructing sensor net-works with event services for emergency responseare also necessary. These services must consider sev-eral fundamental requirements, including efficientenergy consumption and robust and timely deliveryof data and events. Ultimately, these systems willprovide a facility that lets the application specify

Devices andappliances forassisted living must be easy

to use and highly dependable.

November 2005 25

the desirable data and events, then deliver them ina timely manner.

PROTECTING CRITICAL INFRASTRUCTURESProtecting and improving critical infrastructures

require long-range research in physical systems tech-nology. We need new concepts for implementingrobust and secure infrastructures for complex net-works of highly interactive physical systems such asthe power grid, telecommunications, banking, andtransportation. These often dynamically reconfig-ured networks must deal with the physical world.

Current infrastructures are vulnerable becausetraditional digital control systems and supervisorycontrol and data acquisition systems have not beenseamlessly integrated with computer networking,information technology, computer security, andother key aspects of physical computing systems.

These infrastructure systems are increasinglyinterdependent. For example, an air traffic controlsystem could be challenged by physical or cyber-space attacks. Millions of people fly every day.About 500 FAA-managed ATC towers, along with180 low-altitude radar control systems and 20 en-route centers, control the US’s air space and its10,000 or so airports.

All these locations depend on power. Attacks onthe power grid could affect air traffic control,telecommunications, and all sectors that depend onpower. Solutions developed in physical-computing-systems research could be applied to critical infra-structures to make them reliable, safe, and moreefficient. For example, security and isolation solu-tions could decouple critical aspects of these sys-tems from easy external access. Physical securitycould be enhanced by surrounding the physicalinfrastructure with a wireless sensor network.

RESEARCH QUESTIONS AND ISSUESThe fundamental research question developers

must answer involves understanding how to cost-effectively develop reliable large-scale real-timeembedded systems. Building these RTESs requiresa deep understanding of how to model and analyzelarge-scale systems’ aggregate behaviors, whichnecessitates large-scale coordination and coopera-tion. Such understanding is necessary to predict andcontrol system behavior and robustness and to effi-ciently build and maintain such desirable traits asease of composition, analysis, testing, diagnostics,quality of service, and usability properties. We clas-sify this work into the following categories: theory,modeling, and analysis; programming abstractions;embedded systems software and hardware; system

integration; security and privacy; and vali-dation and certification.

Theory, modeling, and analysisTraditionally, practicing engineers and pro-

grammers have taken an ad hoc approach tocreating embedded software systems. Thedomain-expert designer alone retains knowl-edge of the system’s behavior and function-ality, which can only be imperfectly capturedand translated into system products by thedevelopment engineer and programmer.Design based on mathematical modelingplays a critical role in other engineering dis-ciplines, such as structural engineering. Thecomplexity of embedded software systemshas increased to the point where envisioning thedevelopment of high-quality embedded softwaresystems without using such techniques has becomeimpossible.

Developers need new theoretical and analyticaltechniques to deal with aspects that have not beenconsidered traditionally. For example, basic resultsexist on capacity bounds for wireless sensor net-works. This important work is based on severeassumptions, however. New throughput and capac-ity bounds that relax assumptions and match real-world systems would be extremely valuable. Onepossibility, the use of hybrid system models,1 wouldlet developers model both discrete and continuousbehaviors to describe dynamic aspects of wirelesssensor networks’ environmental effects and thusrelax static assumptions.

Refined analysis. Given that they are in an earlydevelopment stage, few analytical results have beenrecorded for these networks so far. Researchers arebusy inventing new protocols and applications forwireless sensor networks. They build solutions,then test and evaluate them through simulations ortestbeds. Occasionally, developers deploy an actualsystem. Thus, some empirical evidence has begunto accumulate. However, the field requires a morescientific approach in which researchers can designand analyze a system before deployment. Theanalysis must accurately reflect the system’s effi-ciency and performance and determine that the sys-tem will meet its requirements. To achieve this,researchers must determine the

• node density required to meet the system’s life-time requirements;

• sensing and communication ranges needed todetect, classify, and report a target to a basestation by a deadline;

Solutionsdeveloped in

physical-computing-systems researchcould be applied

to criticalinfrastructuresto make themreliable, safe,

and more efficient.

26 Computer

• sensing range and percentage of awake nodes needed to guarantee a certain degree of sensing coverage for a system;

• possibility of designing different and bet-ter wireless sensor network topologies to monitor the health and safety of physical infrastructures such as buildings, bridges and campuses; and

• assurance that all traffic will meet its deadlines given n streams of periodic sensing traffic characterized by a start time, period, message size, deadline, source location, and destination location for a given network.

To resolve this final requirement, re-searchers must take into account the interferencepatterns of wireless communication. Once theydevelop analysis techniques and solutions for thesetypes of questions, they must validate them withreal systems.

Group management. A topic well-studied in dis-tributed computing, group management providesa set of definitions, an associated theory as a func-tion of different fault models, and many protocolsthat meet the various semantics associated with thetheory. Researchers now require a new and similartheory for group management in wireless sensornetworks. This theory would center on a new setof fundamental premises such as

• it is not reasonable to know all members of agroup,

• approximation is the best accuracy level thatcan be achieved, and

• protocols must scale to large systems com-posed of thousands of nodes.

Dealing effectively with large-scale RTESs re-quires applying the notion of composition. Themodels used should be composable to facilitatereuse and sharing and to allow the construction ofa complex system that uses simpler components.The composition can be for either homogeneous orheterogeneous models.

Traditionally, research on formal methods has con-centrated on composing specifications in the samemodeling language or paradigm. To elevate this mod-eling, researchers must investigate how to composemodels with different purposes—such as choosingone design for the physical layout of a sensor net-work and another for the protocol used between sen-sor nodes—to determine interaction betweendifferent views and to understand the overall design.

Partial and local failures in large-scale physicalcomputing systems will probably be unavoidable.The challenge at the system level will be to containany such failures within a well-known perimeterand dynamically reconfigure the system to bypassthe affected region. Large-scale optimization ofquality-of-service parameters and resource alloca-tion must be carried out to maximize the func-tioning components’ benefits. The system must beable to make such decisions even under adverseenvironmental factors, such as noise and hostileagents, that operate beyond the system’s direct control.

Automating design. In the 1980s and 1990s, designautomation tools enabled the semiconductor rev-olution by separating design and test engineeringfrom fabrication and by significantly improvingdesign productivity. A similar revolution mustoccur in the design and development of physicalcomputing systems for our vision to become a real-ity.

The functional behaviors of software compo-nents must be separated from the system’s para-functional needs for timeliness, dependability,quality of service, and modalities.2 Embedded soft-ware components must be designed and reused atan abstraction level independent of the underlyinghardware platform, operating system, middleware,and even programming languages. Functionalitymust be specified using models of computation3—such as state machines, dataflow graphs, and hier-archical control flow—appropriate to the appli-cation domains at hand.

Researchers must use model-driven code gener-ation to integrate these functional components intothe deployment infrastructure. Design-time deci-sions about protocols and operating points to beused will result in inexpensive but relatively staticconfigurations. Flexible runtime infrastructures canreact to online changes and failures, but they mustbe supported by frameworks and architectures thatcan operate under the stringent resource constraintsof physical computing systems.

Current theoretical foundations for real-timeembedded systems are largely built on determinis-tic and worst-case parameters. Physical comput-ing systems will experience stochastic workloads,and worst-case characterization will force devel-opers to render service guarantees only at very low,average-case utilization levels.4 Analytical tech-niques and principles yielding nonzero but practi-cally negligible probabilities of timing and servicefailures will offer significantly efficient utilizationof system resources. Statistical resource manage-

Large-scaleoptimization of

quality-of-serviceparameters and

resource allocationmust be carried out

to maximize thefunctioning

components’benefits.

ment theory must be developed to work with thetiming and reliability constraints of physical com-puting systems.

Programming abstractionsRaising the level of abstraction for programmers

will be key to the growth of wireless sensor net-works. Currently, programmers deal with too manylow-level details regarding sensing and node-to-node communication. For example, programmerstypically deal with sensing individual pieces of data,fusing that data, and moving it outside the network.Raising the abstraction level to consider aggregatebehavior, application functionality, and direct sup-port for scaling issues will increase productivity.Current research in programming abstractions forwireless sensor networks can be categorized intoseven areas: environmental, middleware APIs, data-base-centric, event-based, virtual machines, scripts,and component-based.

For example, consider an environmental ab-straction called EnviroTrack.5 Here the program-mer deals with entities found in an application. Ifthe application tracks people and vehicles, the pro-grammer can define people and vehicle entities anduse library routines that support low-level sensingfunctions that detect and classify these object types.These routines can also easily specify the applica-tion-level processing associated with each entitytype. This lets programmers deal with application-level functionality rather than low-level details.

Given that wireless sensor networks deal pri-marily with collecting, analyzing, and acting ondata, many developers favor a database view ofsuch systems. In this view, a programmer deals withqueries written in an SQL-like format. However,real-world data issues—such as probabilistic avail-ability of data, various levels of confidence in data,and missing or late data—can make the SQL par-adigm insufficient. Thus, no one programmingabstraction for wireless sensor networks will belikely to predominate. Rather, several solutions willemerge, each better suited to certain domains.Results in this area will play a critical role inexpanding development and deployment of thesenetworks by general programmers.

Embedded systems softwareSoftware for RTESs poses some of the hardest

challenges for developers because these systemsmust interact with physical devices. Although muchwork has been done to support model-based devel-opment of software and middleware for large dis-tributed systems, the existing technology for RTES

design does not effectively support the devel-opment of reliable and robust embedded sys-tems.

Researchers must develop a better under-standing of how to use software and physi-cal models to design, analyze, validate, andimplement large-scale RTESs. Challengingissues for supporting such design paradigmsinclude the following:

• Model-based implementation and vali-dation. Developers must explore ways touse the various specification modelsthroughout all development phases sothat investments in modeling and analy-sis pay off directly in the final productdevelopment. Potentially promising areasinclude using models for automatic test andcode generation as well as using the logicalproperties proved at design time for runtimeverification.6

• Sharing of modeling artifacts. In theory, it iseasier to share design models than codebecause models function at a higher abstrac-tion level than code, thus, they are less con-nected to their target platforms. Little supportor effort has been devoted to open modeldevelopment so far. Correcting this situationshould help move software development basedon design models into the mainstream.

• Middleware. RTESs are increasingly being net-worked to form complex systems that needvarious quality-of-service requirements fromapplications such as automotive controllers,medical devices, and consumer electronics. Keyresearch challenges for middleware include sat-isfying real-world physical constraints whileproviding multidimensional quality of service;elevating the abstraction levels at which mid-dleware is developed and validated; develop-ing metrics and validation techniques forevaluation; and supporting the composition ofvarious quality-of-service properties.

HardwareTargeted advances in hardware will contribute

significantly to making physical computing systemscost-effective enough to be deployed ubiquitously.Challenges to achieving this include addressing thedisparity between processor and main memoryspeeds. This has historically led to the use of multi-ple caching levels and complex pipeline manage-ment techniques such as branch prediction. Al-though these techniques improve the average-case

November 2005 27

Targeted advancesin hardware will

contributesignificantly to

making physicalcomputing systems

cost-effectiveenough to be

deployedubiquitously.

28 Computer

performance of many applications, they alsohave adverse effects on the worst-case per-formance bounds that real-time applicationscan experience. Researchers must designcaching architectures that improve both aver-age-case throughput and worst-case boundsto incorporate into future processors.

Similarly, hyperthreading techniques inmodern processor architectures must beextended to satisfy the mission-critical andpredictability requirements of physical com-puting systems. Both caching and hyper-threading in RTESs must ensure thatresources available to real-time threads areboth predictable and controllable so that athread can be selectively given access to more

or fewer resources. Hardware support for resourcepartitioning, enforced separation of code fromdata, type checking, and tunable encryption anddecryption schemes will significantly improveefforts to ensure resistance to viruses and denial-of-service attacks and to enforce privacy rights.

Active power management is critical to maxi-mizing the life of batteries used in sensor nodes. Inparticular, we recommend multiple OS, middle-ware, and application-tunable power settings forprocessors, communication interfaces, and I/Odevices. Nodes must also be able to awaken onreception of authorized commands. Energy har-vesting from sources such as vibration, sunlight,and motion will lead to the deployment of newapplications in remote and relatively inaccessibleareas. Integrated sensors and miniaturized actua-tors will also reduce size and energy needs whilebringing down costs. Standardized interfaces thatallow plugging in multiple devices must be devel-oped as well.

Increasingly, researchers are developing novelsensor technologies. Taking advantage of these newdevices presents a major research opportunity. Newresearch must address the need for self-calibrationand relative calibration of many sensors in situ,rather than in a lab or at a manufacturing site.Meanwhile, ultrawideband capabilities are advanc-ing rapidly. Utilizing these capabilities in physicalsystems has spawned another active research area.

In short, conceptual and architectural innova-tions in hardware will benefit physical computingsystems significantly more than will raw perfor-mance improvements.

System integrationSystem integration has traditionally been a crit-

ical issue in military applications where mission

success depends on the trustworthiness of a systemof systems. With the proliferation of sensor andactuator networks in civilian applications, systemintegration will be even more critical because of theanticipated scaling required to adapt these systemsfor civilian use.

System-level composition. Consider, for example,the possibility of integrating the millions of GPSand mobile-communication-equipped embeddedsystems in automobiles with the metropolitanreal-time traffic-management systems that per-form traffic-control and emergency-responsefunctions. These diverse systems cannot possiblybe engineered in advance with the full knowledgeof all the systems they might have to interfacewith. If we consider the Internet to be the knowl-edge integrator for personal computing plat-forms, something equivalent or more powerfulwill be needed to integrate the future’s sensor-management-actuator system of systems. Thetechnical problems will be many times more dif-ficult because of the scale, and the stringency ofthe requirements for timely information, security,and fault tolerance.

Integrating these diverse systems will require sys-tem-level composition techniques. Traditional com-puter science research has focused on procedure andmethod invocation as the principal interface betweensoftware entities. In physical computing, systemsmust coordinate with one another at much higherabstraction levels. For example, two systems mightneed to coordinate their state transitions underuncertainty regarding environmental response andtimeliness constraints. In such instances, the com-munication between systems resembles negotiationsaccompanying a statement of objectives rather thanimmutable requests for action. For engineering atthe level of a system of systems, developers mustimplement new techniques for goal and behaviorspecification, analysis, synthesis, monitoring, anddebugging.

Codesign challenges. The prevalence of hardwareand software codesign in the new physical com-puting systems will require more powerfuldesign tools for comodeling, coanalysis, co-simulation, coverification, and co-debugging.Current work on hybrid systems has taken a firststep in this direction, but developers have muchfurther to go before they can perform codesignroutinely.

For example, special hardware systems imple-mented in field-programmable gate arrays mightneed to work with software systems running onstock commercial processors. Given the divergence

Conceptual andarchitecturalinnovations in hardware will

benefit physicalcomputing systemssignificantly more

than will raw performance

improvements.

in speed between special hardware and stockprocessors, new approaches must be developed tosimulate both efficiently, while enabling the simu-lation to attain sufficient fidelity in both timing andlogical correctness. This is especially important insystem-on-chip architectures for which developersneed more advanced design tools to explore hard-ware and software tradeoffs and accommodateinteractions with the environment.

Given that physical computing systems mustintegrate different applications that interface withthe external world and are subject to externallyimposed timeliness requirements, there will be sub-stantial interference among the applications whenthey share resources. For example, the schedulingof tasks in one application could affect the timeli-ness of the tasks in another. Worse, the applicationsmight not be aware of each other’s timelinessrequirements, thus making resource-access coordi-nation problematic.

Research in open system architecture has shedsome light on this problem. Adopting an open sys-tem architecture facilitates programming individ-ual applications as if each runs on a dedicatedprocessor using dedicated resources. This well-known concept virtualizes a resource as an abstrac-tion for programming.

However, resource virtualization has tradition-ally attempted to hide parafunctional details suchas timing and fault tolerance from the applicationto achieve platform independence. With physicalcomputing, this approach loses its viability becauseapplications can now interfere with one anotherthrough resource-usage timing and interaction withthe physical environment.

Timeliness concerns. Regarding timeliness con-cerns, a large solution space must still be explored.The crucial issues involve how much task-specificinformation individual applications must makepublic for scheduling and when and how often thisinformation must be communicated between theoperating system and the applications to makeresource-scheduling decisions.

Although there have been advances in this area,7-9

much work must be done to develop a better under-standing of how to balance application isolationand coordination needs, craft open architecturesupport for middleware, and implement and adoptopen architectures that will advance incrementallytoward standardization. This is especially impor-tant for heterogeneous systems that combine every-thing from low-end devices—such as Berkeleymotes, PDAs, and laptops—with back-end data-bases and Internet interfaces.

Security and privacyWireless sensor networks have limited

energy, computation, and communicationcapabilities. In contrast to traditional net-works, sensor nodes often deploy in accessi-ble areas, which exposes them to physicalattacks. Sensor networks interact closely withtheir physical environment and with people,posing additional security problems. Hence,current security mechanisms are inadequatefor these networks.

The new constraints under which they mustoperate pose research challenges for areas suchas key establishment, secrecy and authentica-tion, privacy, robustness to denial-of-serviceattacks, secure routing, and node capture. Achievinga secure system requires integrating security solu-tions into every component, because componentsdesigned without security become a tempting pointof attack.

Consequently, security and privacy pervade everyaspect of system design. Consider one of the mostdifficult attacks to defend against: Adversaries canseverely limit a wireless sensor network’s value bylaunching denial-of-service attacks.10 In the sim-plest form of DoS attack, an adversary attempts todisrupt operations by broadcasting a high-energysignal. Given a strong enough transmission, theattack could jam an entire system. More sophisti-cated attacks are also possible: The adversary couldinhibit communication through violation of theMAC protocol by, for example, transmitting whilea neighbor is also transmitting or by continuouslyrequesting channel access with a request-to-sendcommand.

Security analysts need new techniques for deal-ing with these simple yet potentially devastatingattacks. Many other security-related problems needfurther research,11 such as how to secure wirelesscommunication links against eavesdropping andtampering.

Overall, security presents a difficult challenge forany system. The severe constraints and demandingenvironments of wireless sensor networks makesecurity for these systems especially challenging.

Validation and certificationTo improve and ensure the quality of RTESs, it

must be possible to validate and certify them basedon sound scientific foundations. The certificationcan be done in two steps: first certify that a designhas the right properties, then certify that an imple-mentation conforms to the design. With proper sci-entific foundations, it should be possible to measure

November 2005 29

The severeconstraints and

demandingenvironments ofwireless sensor networks make

security for thesesystems especially

challenging.

30 Computer

quantitatively how well a system meets its require-ments. To achieve this, we need solutions to the fol-lowing issues:

• Eliciting formal models from informal require-ments. The development of most systems startswith informal requirements that specify howthe system’s hardware and software, and theuser and environment, are expected to behaveand interact. Researchers need to facilitate theelicitation of a design from such informalrequirements.

• Model validation. The design must be verifiedand validated to ensure it is correct and con-sistent with its intended purposes. Much workremains on how to validate that models cap-tured in design artifacts are indeed the onesdevelopers intended.

• Implementation validation. The ultimate goalis to check how well an implementation workswith respect to the requirements. Researchersmust develop metrics for evaluating the degreeof validation and the notion of incrementalvalidation. This task is significantly compli-cated by the noisy and dynamic environmentsin which the systems operate.

Advances in these areas will help improve relia-bility and user confidence in low-end RTESs, suchas medical devices and consumer electronics. It willalso improve the certification process of high-endRTESs, such as avionics and automotive software.This improved quality will result in insurableRTESs, which requires quantifiable reliability, lia-bility, and risk.

W e anticipate that physical computing willproduce revolutionary changes in thedesign, deployment, and control of trans-

portation systems, manufacturing, infrastructureprotection, power grids, and process control. Thebeneficial effects of physical computing will be vis-ible across multiple application domains. Agingsocieties across the world will reap enormous eco-nomic benefits by creating technologies for assistedliving, while senior citizens and their relatives willenjoy the improved quality of life and greater peaceof mind that will result from using these technolo-gies. Physical computing will lead to significantenhancements in the capabilities of emergencyresponders to save lives and reduce property dam-age and will better protect infrastructures from nat-ural and man-made disasters. �

AcknowledgmentsWe thank those who contributed to the white

paper on which we based this article by participat-ing in the preparatory workshop held in Cancunduring the IEEE Real-Time Systems Symposium2003 or by sending us their position statements.Although this article does not reflect all their posi-tions, these contributors include Tarek Abdelzaher,Sanjoy Baruah, Alan Burns, Kevin Jeffay, WaltHeimerdinger, Tom Henzinger, Gabor Karsai, C.M.Krishna, Tei-Wei Kuo, Ed Lee, Jane Liu, DanielMosse, John Regehr, Lui Sha, Janos Sztipanovits,Wayne Wolf, Hui Zhang, and Wei Zhao.

References1. R. Alur et al., “Hierarchical Modeling and Analysis

of Embedded Systems,” Proc. IEEE, Jan. 2003, pp.11-28.

2. D. de Niz and R. Rajkumar, “Time Weaver: A Soft-ware Through-Models Framework for EmbeddedReal-Time Systems,” Proc. 2003 Conf. Languages,Compilers, and Tools for Embedded Systems (LCTES2003), IEEE Press, pp. 133-143.

3. E. Lee, “Embedded Software,” Advances in Com-puters, M. Zelkowitz, ed., vol. 56, Academic Press,2002.

4. H. Zhu et al., “Design Tradeoffs in Networks withSoft End-to-End Timing Constraints,” Proc. IEEESymp. Real-Time and Embedded Technologies andApplications, IEEE Press, 2004, pp. 413-420.

5. T. Abdelzaher et al., “EnviroTrack: Towards an Envi-ronmental Computing Paradigm for Distributed Sen-sor Networks,” Proc. 24th Int’l Conf. DistributedComputing Systems (ICDCS 2004), IEEE Press,2004, pp. 582-589.

6. M. Kim et al., “Java-MaC: A Rigorous RuntimeAssurance Tool for Java Programs,” Formal Meth-ods in Systems Design, Mar. 2004, pp. 129-155.

7. Z. Deng and J. Liu, “Scheduling Real-Time Applica-tions in an Open Environment,” Proc. 1997 IEEEReal-Time Systems Symp., IEEE Press, 1997, pp. 308-319.

8. A. Mok and X. Feng, “Real-Time Virtual Resource:A Timely Abstraction for Embedded Systems,” LNCS2491, Springer, 2002, pp. 182-196.

9. I. Shin and I. Lee, “Periodic Resource Model for Com-positional Real-Time Guarantees,” Proc. IEEE Symp.Real-Time Systems, IEEE Press, 2003, pp. 2-13.

10. A. Wood and J. Stankovic, “Denial of Service in Sen-sor Networks,” Computer, Oct. 2002, pp. 54-62.

11. A. Perrig, J. Stankovic, and D. Wagner, “Security inWireless Sensor Networks,” Comm. ACM, June2004, pp. 53-57.

John A. Stankovic is the BP-America Professor inthe Department of Computer Science at the Uni-versity of Virginia. His research interests include dis-tributed computing, real-time systems, operatingsystems, and ad hoc sensor networks. Stankovic re-ceived a PhD in computer science from Brown Uni-versity. Contact him at stankovic@cs.virginia.edu.

Insup Lee is the Cecelia Fitler Moore Professor ofthe Department of Computer and Information Sci-ence at the University of Pennsylvania. His researchinterests include embedded systems, real-time sys-tems, formal methods and tools, medical device sys-tems, and software engineering. Lee received a PhDin computer science from the University of Wiscon-sin, Madison. Contact him at lee@cis.upenn.edu.

Aloysius Mok is the Quincy Lee Centennial Pro-fessor of Computer Science at the University ofTexas at Austin. His research interests include real-time and embedded systems, fault-tolerant andsecure system design, and network-centric com-puting. Mok received a PhD in computer sciencefrom the Massachusetts Institute of Technology.Contact him at mok@cs.utexas.edu.

Raj Rajkumar is a professor of electrical and com-puter engineering at Carnegie Mellon University.His research interests include embedded real-timesystems, operating systems, wireless networking,and automotive systems. Rajkumar received a PhDin computer engineering from Carnegie MellonUniversity. Contact him at raj@ece.cmu.edu.

November 2005 31

To submit a manuscript for peer review, see Computer’s author guidelines:

www.computer.org/computer/author.htm

Computermagazine

looks ahead to future

technologies

• Computer, the flagship publication of the IEEE Computer Society,

publishes peer-reviewed technical content that covers all aspects of

computer science, computer engineering, technology, and applications.

• Articles selected for publication in Computer are edited to enhance

readability for the nearly 100,000 computing professionals who

receive this monthly magazine.

• Readers depend on Computer to provide current, unbiased, thoroughly

researched information on the newest directions in computing technology.

Welcomes Your Contribution