Formal analysis of functional and non-functional requirements is crucial in automotive systems. The behaviors of those systems often rely on complex dynamics as well as on stochastic behaviors. We have proposed a probabilistic extension of Clock Constraint Specification Language, called PrCCSL, for specification of (non)-functional requirements and proved the correctness of requirements by mapping the semantics of the specifications into UPPAAL models. Previous work is extended in this paper by including an extension of PrCCSL, called PrCCSL * , for specification of stochastic and dynamic system behaviors, as well as complex requirements related to multiple events. To formally analyze the system behaviors/requirements specified in PrCCSL * , the PrCCSL * specifications are translated into stochastic UPPAAL models for formal verification. We implement an automatic translation tool, namely ProTL, which can also perform formal analysis on PrCCSL * specifications using UPPAAL-SMC as an analysis backend. Our approach is demonstrated on two automotive systems case studies.
I. INTRODUCTION
Model-based development (MBD) is rigorously applied in automotive systems in which the software controllers continuously interact with physical environments. The behaviors of automotive systems often involve complex hybrid dynamics as well as stochastic characteristics. Formal verification and validation (V&V) technologies are indispensable and highly recommended for development of safe and reliable automotive systems [1] , [2] . Statistical model checking (SMC) techniques have been proposed [3] - [5] to address the reliability of hybrid systems associated with the stochastic and nonlinear dynamical features. These techniques for fully stochastic models validate probabilistic properties of controllers in given environments under uncertainty.
EAST-ADL [6] , [7] is a concrete example of MBD approach for architectural modeling of automotive systems. The latest release of EAST-ADL has adopted the time model proposed in the Timing Augmented Description Language (TADL2) [8] , which expresses and composes the basic timing constraints, i.e., repetition rates, end-to-end delays, and synchronization constraints. TADL2 specializes the time model of MARTE, the UML profile for Modeling and Analysis of Real-Time and Embedded systems [9] . MARTE provides CCSL [10] , [11] , which is the clock constraint specification language for specification of temporal constraints and functional causality properties [12] . In CCSL, time can be either chronometric (i.e., associated with physical time) or logical (i.e., related to events occurrences), which are represented by dense clocks and logical clocks, respectively. Dense clocks can be multiform and attached with various rates, allowing to express the evolution of time-related quantities with different units, e.g., temperature degree and crankshaft angle [13] . The discrete and dense clocks in CCSL enable the specifications of hybrid system behaviors that incorporate both discrete phenomena and continuous dynamics [14] .
We have previously proposed a probabilistic extension of CCSL, i.e., PrCCSL [15] , [16] , to formally specify (non)functional properties in weakly-hard (WH) context [17] , i.e., a bounded number of constraints violations would not lead to system failures when the results of the violations are negligible. However, PrCCSL still lacks expressivity for describing critical system behaviors regarding to: 1) Continuous dynamic behaviors of physical plant, which are typically modeled by ordinary differential equations (ODE) containing functions and derivatives; 2) Discontinuous activities triggered by discrete events. For example, the velocity of an automotive system undertakes instantaneous changes when collisions occur; 3) Stochastic time spans of continuous activities (e.g., execution time of a component, response time for a spontaneous failure); 4) Nondeterministic behaviors regarding to exclusive activities. For instance, during the execution of an automotive system, multiple sensors can forward messages to the controller simultaneously and the order for the controller to receive the messages is nondeterministic.
Supporting formal specifications of dynamic and stochastic behaviors is crucial for effective analysis of automotive systems. In this paper, we propose an extension of PrCCSL, called PrCCSL * , to enable the specification of the aforementioned system behaviors. To allow the analysis of system behaviors specified in PrCCSL * , the PrCCSL * specifications are translated into UPPAAL-SMC models for formal verification. Furthermore, in PrCCSL, requirements are specified as binary clock constraints that describe temporal and causal relations between two events. To support the analysis of complex requirements associated with multiple events, we extend the binary clock constraints into n-ary constraints and provide the corresponding translation patterns in UPPAAL-SMC. The automatic translation from PrCCSL * specifications (of system behaviors/requirements) to UPPAAL-SMC models is implemented in a tool called ProTL (Probabilistic CCSL Translator). Formal analysis of the PrCCSL * specifications can be performed by ProTL using UPPAAL-SMC as an analysis backend. Our approach is demonstrated on two automotive systems case studies.
The paper is organized as follows: Sec. II presents an overview of PrCCSL and UPPAAL-SMC. The definition of PrCCSL * is presented in Sec. III. Sec. IV describes the mapping rules from PrCCSL * specifications into stochastic UPPAAL models. The applicability of our approach is demonstrated by performing verification on two automotive systems in Sec. V. Sec. VI and Sec. VII present related works and conclusion.
II. PRELIMINARY
In this section, we first introduce the notations and formalisms in PrCCSL that are employed in the rest of the paper. Then, we give an overview of UPPAAL-SMC, which is utilized as the analysis backend of ProTL. PrCCSL [15] is a probabilistic extension of CCSL (Clock Constraint Specification Language) [10] , which specifies temporal and causal constraints with stochastic characteristics in weakly-hard context [17] . In PrCCSL, a clock is a basic element that represents a sequence of (possibly infinite) instants. A clock in PrCCSL can be either dense or discrete/logical. A dense clock represents physical time, which is considered as a continuous and unbounded progression of time instants. ideal-Clk is a predefined dense clock in CCSL, which represents the ideal physical time whose unit is second. A dense clock can be discretized into a discrete/logical clock. For example, a clock ms can be defined based on idealClock: ms = idealClock discretizedBy 0.001, i.e., ms ticks every 1 millisecond. A logical clock represents an event and the clock instants correspond to the event occurrences. A clock represents an instance of ClockType characterized by a set of attributes. The keyword DenseClockType (DiscreteClockType) defines a new dense (discrete) clock type.
PrCCSL provides two types of clock constraints to describe the occurrences of different events (logical clocks), i.e., clock expressions and clock relations. Expressions derive new clocks from the already defined clocks. Table I presents a set of clock expressions, where c1, c2, ref, res, base are clocks and " " means "is defined as". We only list a subset of clock expressions here due to the page limit and the full set of expressions can be found in [10] .
A clock relation limits occurrences among different clocks/events, which are defined based on run and history. A run corresponds to an execution of the system model where the clocks tick/progress. The history of a clock c represents the number of times c has ticked (excluding the current time). A probabilistic relation in PrCCSL is satisfied if and only if the probability of the relation constraint being satisfied is greater than or equal to a user-defined probability threshold p ∈ [0, 1]. Given k runs = {R 1 , . . . , R k }, the probabilistic relations in PrCCSL, including subclock, coincidence, exclusion, precedence and causality are defined in Table II . UPPAAL-SMC [18] performs the probabilistic analysis of properties by monitoring simulations of complex hybrid systems in a given stochastic environment and using results from the statistics to determine whether the system satisfies the property with some degree of confidence. Its clocks evolve with various rates, which are specified with ordinary differential equations (ODE). UPPAAL-SMC provides a number of queries related to the stochastic interpretation of Timed Automata (STA) [5] and they are as follows, where N and bound indicate the number of simulations to be performed and the time bound on the simulations respectively: 1) Probability Estimation estimates the probability of a requirement property φ being satisfied for a given STA model within the time bound: P r[ bound] φ. 
III. EXTENSION OF PRCCSL
To improve the expressiveness of PrCCSL for specifying dynamic and stochastic system behaviors (i.e., the four types of behaviors mentioned in Sec. I), we present an extension of PrCCSL, called PrCCSL * , which is augmented res is generated by filtering the instants of base based on a binary word w=u(v), where u is prefix and v is period. "(v)" denotes the infinite repetition of v. ∀i ∈ N + , if the i th bit of w is 1, res ticks at the i th tick of base. PeriodicOn res base ∝ n Any two consecutive instants of res are separated by n instants of base. Infimum res c1 ∧ c2 res is the slowest clock faster than c1 and c2. Supremum res c1 ∨ c2 res is the fastest clock slower than c1 and c2. {R j |= c1 c2}, i.e., the ratio of runs satisfying the causality relation among the total number of k runs. A run R j satisfies the causality relation c1 c2 if the history of c2 is always less than or equal to the history of c1.
with notations of interval-based DelayFor, Clock Action, Probabilistic Clock Action and DenseClockType. Furthermore, to allow specification of complex requirements involving multiple events, the binary clock relations in PrCCSL are extended into n-ary clock relations.
In automotive systems, time delays between events/activities (e.g., message transmissions, execution of computational components) can be stochastic and fluctuate randomly in the environments under uncertainty. Those stochastic time delays can be described as random variables that uniformly distributed between the values of the best-case time and the worst-case time. To express the stochastic time delay between events, we define an interval-based DelayFor expression. The standard DelayFor operator (see Table I ) can be seen as a special interval-based DelayFor when lower = upper.
Since the base clock of the DelayFor operator can be either dense or discrete, the delay should conform to continuous or discrete probability distribution according to the clock type of base.
Automotive systems are event-driven systems that react to external/internal events, e.g., triggering of sensors/actuators or arrivals of input signals. Event occurrences can lead to execution of related actions, i.e., functions/operations on variables. The "event-action" relation can be specified by Clock Action.
Definition 3.2 (Clock Action):
Let V be a set of variables and C be a set of logical clocks. Assign denotes a set of assignments to V and F unc represents a set of mathematical functions on V . Clock action is a function A: C → 2 Assign∪F unc . Let c ∈ C, A(c) represents the set of assignments and functions that are invoked to execute when c ticks. The clock action of c is defined as:
where n ∈ N + is the number of assignments/functions related to c, λ i ∈ Assign ∪ F unc (i ∈ {1, 2, ..., n}) denotes an assignment or a function that is executed when an occurrence of c is detected.
In other words, the clock action relates a logical clock c with a set of operations that are performed to change the system behaviors. Note that the assignment of each variable in V must appear at most once in the clock action.
An event can be associated with multiple actions under uncertainty, i.e., it is uncertain which action out of a set of actions the system will take when the event occurs. In this case, the actions related to the same event can be assigned with probabilities and interpreted as probabilistic alternatives. We enrich clock actions with probabilities and define probabilistic clock action. The probabilistic clock action is a function A p : C × 2 Assign∪F unc → P . Let c ∈ C and Λ i ⊆ Assign ∪ F unc (i ∈ {1, 2, ..., n}), A p (c, Λ i ) represents the probability of Λ i being executed when c ticks. The probabilistic clock action is represented as:
where n ∈ N + is the number of sets of actions related to c, Λ i is a set of assignments/functions, and p i ∈ P represents the probability of actions in Λ i being executed when c occurs, i.e., p i = P r(A(c) = Λ i ) and
We express the probability distribution of the set of actions related to event c by a list of tuples in the form of "
} means that when c ticks, v is assigned the value 0, 1, 2 with probability 0.2, 0.3 and 0.5, respectively.
In automotive systems, variations of physical quantities (e.g., energy consumption, temperature) usually involve continuous dynamics described by ODE, as well as discrete changes activated by physical phenomena. For example, battery consumption of an automotive system increases continuously with a certain rate when the vehicle runs under certain modes (e.g., braking or turning) while undergoes discrete increments when the physical phenomena (e.g., turning on/off switches in circuits) take place. To allow the specification of the continuous/discrete variations of those physical quantities, we utilize dense clocks to represent those quantities and extend the attributes of DenseClockType, from which the dense clocks can be instantiated.
Definition 3.4 (DenseClockType): Let n and m be two positive integers. A dense clock type DT can be defined based on the following four attributes:
where reference specifies a referential dense clock, i.e., ref .
factor indicates the increase rate of instances of DT compared to ref . 
By utilizing the operators and notations in PrCCSL * , a system can be specified as a Probabilistic Clock Based System (PCBS), in which the continuous and discrete system behaviors can be described as the evolutions of a set of dense and logical clocks.
Definition 3.5 (Probabilistic Clock Based System (PCBS)): A probabilistic clock based system is a tuple:
where -T is a set of clock types; -C t is a set of dense clocks; -C n is a set of logical clocks; -Exp is a set of clock expressions; -A is a set of clock actions of clocks in C n ; -A p is a set of probabilistic clock actions of clocks in C n . Clocks in C t and C n are instances derived from clock types in T . C t and C n are two exclusive sets. Clock actions and probabilistic clock actions (see Definition 3.2 and 3.3) are employed to describe the actions activated by events (i.e., logical clocks). Since clock relations in PrCCSL * are applied in specifying requirements and not utilized in system behaviors specifications, a PCBS does not contain any clock relations.
In PrCCSL, requirements are specified by clock relations (see Table II ) between two events. To describe the complex requirements associated with multiple events, we extend the binary relations into n-ary relations, which allow to describe the dependencies among a set of events.
Definition 3.6 (N-ary Relation): Let M be a PCBS and c 1 , c 2 , ..., c n are n clocks in M. An n-ary clock relation among clocks c 1 , c 2 , ..., c n , denoted as ∼(c 1 , c 2 , ..., c n ), is satisfied over M if the following condition holds:
where ∼ ∈ {⊆, ≡, ≺, , #}, n ≥ 2 is the number of clocks in the relation.
Note that the n clocks in the n-ary relations are partially ordered, e.g., ⊆(c 1 , c 2 , c 3 ) and ⊆(c 2 , c 1 , c 3 ) are different subclock relations. Informally, an n-ary relation, including coincidence, subclock, exclusion, precedence and causality relations, is satisfied if any order-preserving pair (i.e., the order relation i < j is maintained) of two clocks in the set of n clocks satisfy the corresponding (binary) clock relation. In other words, an n-ary clock relation can be seen as the conjunction of n(n−1) 2 corresponding binary relations. For example, the ternary causality relation among c 1 , c 2 and c 3 limits that the three binary relations, i.e., c 1 c 2 , c 1 c 3 and c 2 c 3 , must be satisfied at the same time.
The probabilistic n-ary relation is satisfied if the probability of the corresponding n-ary relation being satisfied is greater than or equal to a given probability threshold p. In PrCCSL * , an automotive system can be specified as a PCBS and the requirements of the system are specified as clock relations with necessary expressions. To enable the formal analysis of system behaviors/requirements specified in PrCCSL * , in this section, we first present how to translate PrCCSL * elements, including DenseClockType, expressions, (probabilistic) clock actions and relations, into verifiable UPPAAL models. Then, we introduce our developed tool ProTL for supporting automatic translation and formal verification of PrCCSL * specifications.
Clock and DenseClockType In PrCCSL * , a clock is either a logical clock or a dense clock. A logical clock c represents an event, which is represented as a Fig. 1 : whenever c occurs (c?), the value of its history is increased by 1 (i.e., h++). A dense clock in PrCCSL * represents the physical time, which is considered as a continuous and unbounded progression of time instants. A dense clock is represented as a "clock" variable in UPPAAL-SMC [18] , which is a real type variable increasing monotonically with a certain rate. For instance, the idealClk is mapped to a standard clock variable whose increase rate is 1 in UPPAAL-SMC.
To describe the continuous and instaneous variations of physical quantities (e.g., energy consumption, temperature), those quantities are represented as dense clocks instantiated by different DenseClockTypes. A DenseClockTypes DT is defined based on the reference, factor, offset and reset attributes (see Definition 3.4) . DT(c) STA in Fig. 1 Fig. 1 . Thus, c is changed continuously according to the differential equation "c= r * ref rate dt", where t ∈ [0, ∞] represents the physical time. Moreover, offset specifies the instantaneous changes of c activated by a set of events c 1 , c 2 , ..., c n . As shown in Fig. 1 , each tuple in offset corresponds to a selfloop transition where a discrete increment of c is performed. reset is a set of events whose occurrences reset the time value of c into 0, modeled as the transitions where c is reset.
Clock Expressions generate new clocks based on existed clocks. To model a clock expression in UPPAAL-SMC, the resulting clock of the expression is represented by a channel variable res and the semantics of the expression is modeled . The spawned STA is terminated when the calculation of the current tick of res is completed (denoted "exit()"). Here the base in DelayFor is a dense clock and r is the increase rate of base compared to idealClk. For the STA of DelayFor with discrete base clock and the STA of other expressions, refer to [19] . , v[1] = 1), (p [3] , v[2] = 2)}" is modeled as the pAction(c, p, v) STA, in which each element of the action is mapped to a probabilistic transition weighted by corresponding probability.
Based on the mapping patterns described above, a PCBS (that consists of a set of clocks, clock types, expressions and clock actions) can be represented as a network of STA (NSTA), which composes the STA of corresponding clock type, (probabilistic) clock actions and expressions.
Probabilistic Clock Relations
To represent PrCCSL * relations in UPPAAL-SMC, observer STA that capture the semantics of standard subclock, coincidence, exclusion, precedence and causality relations are constructed. In our earlier work [15] , we have shown the translation patterns from clock relations into STA. However, the patterns are given based on discrete time semantics, i.e., the continuous physical time line is discretized into a set of equalized steps. As a result, (in the extreme cases) two clock instants are still considered coincident even if they are one time step Coincidence relation c1 ≡p c2 delimits that two clocks must tick simultaneously. When c1 (c2) ticks via c1? (c2?), the STA judges if the other clock, c2 (c1) ticks at the same time. If there is no time elapsed between the corresponding occurrences of c1 and c2 (i.e., "t==0"), the STA transits to success location. Otherwise, it goes to f ail location.
Exclusion relation c1 #p c2 limits that two clocks must not occur at the same time. Contrary to the Coincidence(c1, c2) STA, when c1 (c2) ticks and if the other clock ticks simultaneously ("t==0"), the STA goes to the f ail location.
Subclock relation c1 ⊆p c2 states that c2 (superclock) must tick when c1 (subclock) ticks, which is interpreted as a conditional coincidence relation: when c1 ticks, c2 must coincides with c1. Similar to Coincidence(c1, c2) STA, when c1 (c2) occurs, the Subclock(c1, c2) STA checks whether the other clock also ticks at the same instant. If c1 ticks and c2 does not occur (denoted "t>0"), the relation is violated and the STA transits to f ail location.
Causality relation c1 p c2 states that c2 (effect) must not tick prior to c1 (cause). When c1 or c2 ticks, if the two clocks are coincident (represented by "t==0") or c1 ticks faster (denoted "h1 ≥ h2"), the relation is satisfied and the STA goes to success location. Otherwise, the STA goes to f ail location.
Precedence relation c1 ≺p c2 states that c1 must run faster than c2. When c1 or c2 ticks, if c2 ticks faster ("h1<h2") or c1 and c2 are coincident (represented by "h1==h2&&t==0") the relation is violated and f ail location is activated.
apart. In this paper, we refine the STA of relations in [15] to support the translation of relations conformed to continuous time semantics. The refined STA are illustrated in Table III , in which t represents the time delay between two consecutive instants of clock c1 and c2. c1 and c2 are simultaneous if t equals to 0. h1 and h2 represent the histories of c1 and c2, respectively. Each relation is mapped to an observer STA that contains a "f ail" location, which suggests the violation of corresponding relation. Recall the definition of probabilistic relations in Sec. II, the probability of a relation being satisfied is interpreted as a ratio of runs that satisfies the relation among all runs. It is specified as Hypothesis Testing query in UPPAAL-SMC, H 0 : m k ≥ p against H 1 : m k < p, where m is the number of runs satisfying the given relation out of all k runs. As a result, the probabilistic relations are interpreted as the query: P r[ bound]([ ] ¬ST A obs .f ail) ≥ p, which means that the probability of the "f ail" location of the observer STA (denoted ST A obs ) never being reached should be greater than or equal to threshold p.
Requirements associated with multiple clocks can be expressed by n-ary relations (see Definition 3.6) . According to the definition, an n-ary relation among n clocks c 1 , c 2 , ..., c n is satisfied if any pair of two clocks c i , c j (1 ≤ i < j ≤ n) satisfies the corresponding binary relation. Since an n-ary clock relation can be seen as the conjunction of n(n−1) 2 binary relations, we construct an STA for the relation of each pair c i , c j (1 ≤ i < j ≤ n) and an n-ary relation is represented as the synchronization product of the n(n−1) 2 STA. For instance, an n-ary exclusion can be represented as the composition of the n(n−1) 2 Exclusion(i, j) STA in Fig. 4(a) (similar to the Exclusion(c1, c2) STA in Table  III) , which represents the exclusion relation between c i and c j . The probabilistic n-ary exclusion is specified as:
The coincidence, subclock, precedence and causality relations are transitive relations, i.e., if both the relations between c i and c j and the relation between clock c j and c k are satisfied, then the relation between c i and c k is also satisfied. Thus, an n-ary transitive relation can be interpreted as the combination of n − 1 binary relations. For instance, the n-ary coincidence relation is interpreted as: ≡(c 1 , c 2 , ..., c n ) ⇐⇒
As illustrated in Fig. 4(b) , Coincidence(i) STA represents the coincidence relation between c i and c i+1 (similar to the Coincidence(c1, c2) STA in Table III ). The n-ary coincidence relation ([ ]f orall(i : int[1, n − 1])(not Coincidence(i).f ail)) ≥ p. Similarly, the other three transitive relations, i.e., subclock, precedence and causality relations, can be represented based on the STA in Fig. 4 .
Tool Support To improve the efficiency and accuracy of translation, we implement a tool ProTL (Probabilistic CCSL TransLator) [19] , which provides a push-button transformation from PrCCSL * specifications into UPPAAL-SMC models. Moreover, to enable the formal verification of PrCCSL * specifications, ProTL brings the capability of verification for the translated UPPAAL-SMC models by employing UPPAAL-SMC as its verification backend. Furthermore, ProTL offers a configuration panel for customizable generation of five types of probabilistic queries (introduced in Sec. II). ProTL can also generate counter-examples that depict the evolutions of clocks related to the unsatisfied clock relations, which provide diagnosis information for further refinement of PrCCSL * specifications.
V. CASE STUDIES
We show the applicability of ProTL on two automotive systems case studies. We report only the verification on a list of representative requirements for each example and further details can be found in [19] .
Autonomous Vehicle (AV) [15] reads the road signs, e.g., "speed limits", "stop" or "right/left turn", and adjusts its speed and movements accordingly. To achieve traffic sign recognition, a camera is equipped in the vehicle to capture images. The camera relays the captured images to a sign recognition device periodically. The representative requirements on AV are listed below: A1. A periodic acquisition of camera must be carried out every 50ms with a jitter of 10ms. A2. If the vehicle detects a left turn sign, it should start to turn left within 300ms.
A3. The detected image should be computed within [20, 30] ms in order to generate the desired sign type. A4. When a traffic sign is recognized, the speed of vehicle should be updated within [50, 150]ms based on the sign type. A5. The required environmental information should arrive to the controller within 40 ms, i.e., the input signals (traffic sign type, speed, direction, gear and torque) must be detected by controller within 40 ms. A6. The execution time interval from the controller to the actuator must be less than or equal to the sum of the worst case execution time intervals of controller and actuator. A7. While the vehicle turns left, the "turning right" mode should not be activated. The events of turning left and right are considered as exclusive and specified as an exclusion constraint. We specify the system behaviors of AV as a PCBS and requirements as clock relations with necessary expressions in PrCCSL * . The PrCCSL * specifications of requirements (A1-A7) and the verification results are illustrated in Table IV . Let camera represent the triggering event of camera and camera[i] denote the i th occurrence of camera. A1 can be interpreted as: ∀i ∈ N + , camera[i+1] should occur later than camera[i] delaying for 40ms but prior to camera[i] delaying for 60ms, which is specified as a ternary precedence relation in Table IV . The "forall" query in UPPAAL is employed to verify the ternary relation.
In the specification of A2, detectLef tSign represents the event that a left turn sign is detected. startT urnLef t denotes the event that the vehicle starts to turn left. We construct a new clock lef tSignDe by delaying detectLef tSign for 300ms. A2 can be expressed as a precedence relation between startT urnLef t and lef tSignDe, i.e., startT urnLef t should occur no later than the occurrence of lef tSignDe. Similarly, A3-A6 can be specified. In the PrCCSL * specification of A7, always (never) represents a clock that always (never) ticks. Based on always and never, we generate two new clocks turnLef t and turnRight by using ITE expressions. turnLef t (turnRight) represents the event that the vehicle is turning left (right). A7 is specified as an exclusion relation Table V . In the PrCCSL * specification of B1, runAtXDir indicates that the vehicles are running at the positive x-direction ("direction=xDir"). overT ake represents the event that the position of follow on x-axis is greater than that of lead vehicle (x 1 ≥ x 0 ). B1 limits that runAtXDir and overT ake can not happen at the same time, which can be expressed by exclusion relation. In the specification of B2, leadBrake (f ollowBrake) denotes the event that the lead (follow) vehicle starts to brake. brakeDelay500 is built by delaying leadBrake for 500ms. Thus B2 can be specified as a precedence relation between f ollowBrake and brakeDelay500. Similarly, B3-B4 and B6-B7 can be specified. To specify B5, a periodic clock prdClk that ticks every 30 ms is generated by using PeriodicOn expression. leadSpeedT rig and f ollowSpeedT rig represent the triggering events of speed sensors of the lead and follow vehicles. B5 is specified as a ternary coincidence relation.
The verification results in Table V show that B1-B3 and B5-B7 are established as valid while B4 is unsatisfied. The invalid property B4 is identified using ProTL which generates a counter-example (CE) presented in Fig. 5 . After analyzing CE, the cause of error was found: when the follow vehicle is decreasing its speed and the lead vehicle turns left, the follower keeps speeding down but does not turn left until the deceleration is completed. Based on the CE, the system model are refined: when the follower is under deceleration mode and it detects that the lead vehicle turns left, the follower first turns left and then continues to speed down after turning. After the modification, B4 becomes valid.
VI. RELATED WORK
In the context of EAST-ADL, efforts on the integration of EAST-ADL and formal techniques were investigated in several works [21] - [25] , which are however, limited to the executional aspects of system functions without addressing dynamic and stochastic behaviors. Kang [26] defined the execution semantics of both the controller and the environment of industrial systems in CCSL which are also given as mapping to UPPAAL models amenable to model checking. Du et al. [27] proposed a probabilistic extension of CCSL, called pCCSL, Fig. 5 : CE of B4: leadTurn-his (followTurn-his) represents the history of the clock (event) that the lead (follow) vehicle turns left. At Time=7739, the lead vehicle starts to turn left (leadTurn-his becomes 1), while the follow vehicle is under deceleration mode (represented by "followDec==1"). The follow does not turn until it finishes the deceleration at Time=8108 and starts to turn left at Time=8323 (followTurn-his becomes 1), which violates B4.
for specifying the stochastic behaviors of uncertain events in cyber-physical (CPS) and provided the transformation from pCCSL into Stochastic Hybrid Automata. In contrast to our current work, those approaches lack precise annotations specifying continuous dynamic behaviors in particular regarding different clock rates during execution.
Transformation of CCSL specifications into verifiable formalisms for formal analysis has been investigated in several works [28] , [29] . Yin et al. [28] translated CCSL specifications into Promela models amenable to model checking using SPIN [29] performed formal analysis of timed behaviors specified in CCSL by mapping the specifications into timed Input/Output automata. However, neither tool support for automatic transformation nor probabilistic analysis is provided in those works. Zhang et al. [30] implemented a tool clyzer for formal analysis of CCSL constraints through automated translation from CCSL specifications into SMT formulas amenable to SMT solving. Compared to their approach, we provide the tool support for probabilistic analysis of dynamic and stochastic systems behaviors based on the translation from PrCCSL * specifications into formal models.
VII. CONCLUSION
In this paper, we present a tool-supported approach for formal verification of dynamic and stochastic behaviors for automotive systems. To enable the formal specifications of stochastic behaviors and continuous dynamics in automotive systems, we propose an extension of PrCCSL, i.e., PrCCSL * , which is augmented with notations for descriptions of continuous/discrete variations of physical quantities, stochastic time delays, activations of actions and nondeterministic alternatives. Moreover, to support the specification of complex requirements involved with multiple events, we extend the binary relations into n-ary relations in PrCCSL * . To enable the formal verification of system behaviors/requirements specified in PrCCSL * , we provide the mapping rules to translate PrCCSL * specifications into verifiable UPPAAL-SMC models. Based on the proposed translation strategies, we implement an automatic translation tool, namely ProTL, which also supports verification of the translated models by leveraging UPPAAL-SMC as an analysis backend. The applicability of our approach and tool is demonstrated by conducting verification of (non)-functional properties on two automotive system case studies.
As ongoing work, formal validation of the correctness of translation rules from PrCCSL * into stochastic UPPAAL-SMC models is further investigated. Furthermore, new features of ProTL with respect to analysis of UPPAAL-SMC models involving wider range of variable/query types (e.g., urgent channels and bounded integers) are further developed.
