Analysis of a Clock Synchronization Protocol for Wireless Sensor Networks by Heydarian, Faranak et al.
PDF hosted at the Radboud Repository of the Radboud University Nijmegen
The following full text is a preprint version which may differ from the publisher's version.
For additional information about this publication see http://hdl.handle.net/2066/75195
Please be advised that this information was generated on 2017-12-06 and may be subject to change.
Analysis of a Clock Synchronization Protocol for Wireless Sensor Networks*
Faranak Heidarian**, Julien Schmaltz, and Frits Vaandrager
Institute for Computing and Information Sciences
Radboud University Nijmegen
P.O. Box 9010, 6500 GL Nijmegen, The Netherlands
{F.Heidarian,J.Schmaltz,F.Vaandrager}@cs.ru.nl
Abstract. We study a clock synchronization protocol for the Chess WSN. First, we model the protocol as a network of timed automata and verify various instances using the Uppaal model checker. Next, we present a full parametric analysis of the protocol for the special case of cliques (networks with full connectivity), that is, we give constraints on the parameters that are both necessary and sufficient for correctness. These results have been checked using the proof assistant Isabelle. Finally, we present a negative result for the special case of line topologies: for any instantiation of the parameters, the protocol will eventually fail if the network grows. This result suggests a variation of the fundamental result of Fan and Lynch on gradient clock synchronization, where the synchronization eventually fails as the network diameter grows, for a setting with logical clocks whose value may also decrease.
Key words: industrial application, clock synchronization, timed automata, model checking, theorem proving, wireless sensor networks
1 Introduction
Wireless sensor networks (WSNs) consist of potentially thousands of autonomous devices that communicate via radio and use sensors to cooperatively monitor physical or environmental conditions, such as temperature, sound or motion, at different locations. WSNs have numerous exciting applications, ranging from monitoring of dikes to smart kindergartens, and from forest fire detection to monitoring of the Matterhorn. It is an active research area with numerous workshops and conferences arranged each year.
The Dutch company Chess is currently developing a WSN architecture using an epidemic (gossip) communication model [15]. Gossiping in distributed systems refers to the repeated probabilistic exchange of information between two
* Research supported by the European Community’s Seventh Framework Programme 
under grant agreement no 214755 (QUASIMODO). A preliminary version of the 
model presented in this paper appeared in [14].
** Research supported by NWO/EW project 612.064.610 Abstraction Refinement for 
Timed Systems (ARTS).
2 Analysis of Clock Synchronization for Wireless Sensor Networks
members [8, 6]. The effect is that information can spread within a group just as it would in real life. Their simplicity, robustness and flexibility make gossip based algorithms attractive for data dissemination and aggregation in wireless sensor networks. However, formal analysis of gossip algorithms is a challenging research problem [2]. The Chess WSN currently distinguishes three protocol layers: the Medium Access Control (MAC) layer, which is responsible for regulating the access to the wireless shared channel, the intermediate Gossip layer, which is responsible for insertion of new messages, forwarding of current messages and deletion of old messages, and the Application layer, which has the business logic that interprets messages and may generate new messages. In our research we focus on the MAC layer of the Chess WSN. Characteristics of the other layers influence the design decisions for the MAC layer. For instance, the redundant nature of the Gossip layer justifies occasional message loss in the MAC layer.
The MAC layer uses a Time Division Multiple Access (TDMA) protocol. Time is divided into fixed-length frames, and each frame is subdivided into slots (see Figure 1). Slots can be either active or idle. During active slots, a node is
Fig. 1. The structure of a time frame: time is a sequence of time frames, and each time frame is divided into C time slots (for example RX TX RX RX idle idle idle idle idle idle). Fig. 2. TX and RX slots: a TX slot consists of a guard time g followed by SENDING; an RX slot is RECEIVING.
either listening for incoming messages from neighboring nodes ("RX") or it is sending a message ("TX"). During idle slots a node is switched to energy saving mode. These are battery operated devices with an expected uninterrupted field deployment of several years. Hence, energy efficiency is a major concern in the design of WSNs, and the number of active slots is typically much smaller than the total number of slots (less than 1% in the current implementation [15]). The active slots are placed in one contiguous sequence which currently is placed at the beginning of the frame. A node can only transmit a message once per time frame in its TX slot. The MAC protocol takes care that neighboring nodes have different TX slots.
One of the greatest challenges in the design of the MAC layer is to find suitable mechanisms for clock synchronization: we must ensure that whenever some node is sending all its neighbors are listening. In this paper, we study clock synchronization in the Chess WSN. Each wireless sensor node comes equipped with a low-cost 32 KHz crystal oscillator that drives an internal clock that is used to determine the start and end of each slot. This may cause the TDMA time slot boundaries to drift and thus lead to situations in which nodes get out of sync. To overcome this problem, the notion of guard time is introduced: at the beginning of its TX slot, a sender, ready with its transmission, waits a certain
amount of time for the receiver to be ready to receive messages, and it also waits 
for some time period at the end of its TX slot (see Figure 2). In the current
Fig. 3. Battery life of a MyriaNode as a function of guard time (in clock cycles)
implementation, each slot consists of 29 clock cycles, out of which 18 cycles are used as guard time. Assegei [1] calculated how the battery life of a wireless sensor node is influenced by the guard time. Figure 3, taken from [1], summarizes these results. Clearly, it is of vital importance to reduce the guard time as much as possible, since this directly affects the battery life, which is a key characteristic of WSNs. Reduction of the guard time is possible if the hardware clocks are properly synchronized.
Many clock synchronization protocols have been proposed for WSNs. In most of these protocols, clocks are synchronized to an accurate real-time standard like Universal Coordinated Time (UTC). We refer to [18] for an overview of this type of protocols. However, these protocols are based on the exchange of time stamp messages, and for the Chess WSN this creates an unacceptable computation and communication overhead. It is possible to come up with more efficient algorithms since for the MAC layer a weak form of clock synchronization suffices: a node only needs to be synchronized to its immediate neighbors, not to faraway nodes or to UTC. Fan and Lynch [7] study the gradient clock synchronization (GCS) problem, in which the difference between any two network nodes' clocks must be bounded from above by a non-decreasing function. Thus nearby nodes must be closely synchronized but faraway nodes are allowed to be more loosely synchronized. In the approach of [7], nodes compute logical clock values based on their hardware clocks and message exchanges, and the goal is to synchronize the nodes' logical clocks as closely as possible, while satisfying certain validity conditions. Logical clocks have been introduced by Lamport [9] to totally order the events in a distributed system. A key property of Lamport's logical clocks is that they never run backwards: their value can only increase. In fact, Fan and Lynch [7] assume that the rate of increase of each node's logical clock is at least at all times. Also Meier and Thiele [11], who adapt the work of Fan and Lynch to the setting of wireless sensor networks, make this assumption, but
then Pussente and Barbosa [13] assume this rate to be at least where D is the network diameter. For certain applications of WSNs it is important to have Lamport style logical clocks. For example, if two sensor nodes observe a moving object, then logical clocks allow one to establish the object's direction by determining which node observed the object first [11]. However, for the MAC layer there is no need to compute a total order on events: we only need to ensure that whenever one node is sending all neighbors are listening. If we are willing to set back clocks now and then, we obtain even more efficient clock synchronization protocols.
The current implementation of the Chess WSN uses Median, an extension of an algorithm proposed by Tjoa et al [19]. The idea is that in every frame each node computes its phase error to each of its direct neighbors. After the last active slot, each node adjusts its clock by the median of the phase errors of its immediate neighbors. Assegei [1] points out that the performance of the Median algorithm decreases if the network becomes more dynamic, and proposes a variation of this algorithm that uses Kalman filters. In this paper, we use formal methods to analyze another variation of the Chess algorithm in which a node adjusts its clock whenever a message arrives. Advantages of this algorithm are (a) unlike the Median approach and its variants we need almost no guard time at the end of a sending slot (2 clock ticks suffice instead of 9 ticks in the current implementation), and (b) the computational overhead becomes essentially zero. However, robustness of our algorithm still needs to be explored further.
In Section 2, we model the algorithm using timed automata. Section 3 describes the use of the timed automata model checker Uppaal [4, 3] to analyze WSNs with full connectivity. We verify various instances and identify three different scenarios that may lead to situations where the network is out of sync. Section 4 presents a full parametric analysis of the protocol for cliques (networks with a connection between every pair of nodes), that is, we give constraints on the parameters that are both necessary and sufficient for correctness. We have checked our results using the proof assistant Isabelle [12]. Section 5 presents some results for the special case of line topologies: for any instantiation of the parameters, the protocol will eventually fail if the network grows. This result suggests a variation of the fundamental result of Fan and Lynch [7] on gradient clock synchronization for a setting with logical clocks whose value may also decrease. Section 6, finally, discusses related work and draws conclusions. Uppaal models and proofs for our paper are available at http://www.ita.cs.ru.nl/publications/papers/fvaan/HSV09/.
Acknowledgement Many thanks to Frits van der Wateren, Marcel Verhoef and 
Bert Bos from Chess for explaining their WSN algorithms to us.
2 Uppaal Model
In this section, we describe the Uppaal model that we constructed of the Chess protocol. For a detailed account of the timed automata model checking tool Uppaal, we refer to [4, 3] and to http://www.uppaal.com.
We assume a finite, fixed set of wireless nodes Nodes = {0, ..., N − 1}. The behavior of an individual node i ∈ Nodes is described by three timed automata Clock(i) (Section 2.1), WSN(i) (Section 2.2) and Synchronizer(i) (Section 2.3). Automaton Clock(i) models the hardware clock of node i, the WSN(i) automaton takes care of sending messages, and the Synchronizer(i) automaton resynchronizes the hardware clock of i upon receipt of a message. The complete protocol is modeled as a network that consists of timed automata Clock(i), WSN(i) and Synchronizer(i), for each i ∈ Nodes.
Table 1 lists the parameters that are used in the model (constants in Uppaal terminology), together with some basic constraints. The domain of all parameters is the set of natural numbers.
Parameter   Description                                 Constraints
N           number of nodes                             0 < N
C           number of slots in a time frame             0 < C
n           number of active slots in a time frame      0 < n < C
tsn[i]      TX slot number for node i ∈ Nodes           0 ≤ tsn[i] < n
k0          number of clock ticks in a time slot        0 < k0
g           guard time                                  0 < g
t           tail time                                   0 < t, g + t + 2 < k0
min         minimal time between two clock ticks        0 < min
max         maximal time between two clock ticks        min ≤ max
Table 1. Protocol parameters
2.1 Clock
Timed automaton Clock(i) (Fig. 4) models the behavior of the hardware clock of node i. It has a single location and a single transition. It comes equipped with a local clock variable x, which is initially 0, that is used to measure the time between clock ticks. Whenever x reaches the value min, the automaton enables an action tick[i]!. Broadcast channel tick[i] is used to synchronize all activities within node i. The tick[i]! event must occur before x has reached value max. Then x is reset to 0 and the (integer) value of i's hardware clock clk[i] is incremented by 1. For convenience and in order to enable model checking, we reset the hardware clock after k0 ticks, that is, the clock takes integer values modulo k0 (we use Uppaal's modulo operator %). This is not an essential modeling assumption and we can easily change this.
2.2 Wireless Sensor Node
The WSN(i) automaton, displayed in Figure 6, is the most important automaton in our model. It has three locations and four transitions. The automaton
Fig. 4. Timed automaton Clock(i): one location with invariant x <= max and one self-loop with guard x >= min, synchronization tick[i]!, and update x := 0, clk[i] := (clk[i]+1) % k0. Fig. 5. Timed automaton Synchronizer(i): from S0 to S1 with select j : Nodes, guard csn[i] < n and synchronization start_message[j]?; from S1 back to S0 with synchronization tick[i]? and update clk[i] := g+1.
uses an integer variable csn[i], initially 0, to record its current slot number. The automaton stays in initial location WAIT until the current slot number of i equals the TX slot number of i (csn[i] = tsn[i]) and the gth clock tick in this slot occurs. It then jumps to location GO_SEND. This is an urgent location that is left immediately via a start_message[i]!-transition to location SENDING. Broadcast channel start_message[i] is used to inform all neighboring nodes that a new message transmission has started. The automaton stays in location SENDING until the start of the tail interval, that is, until the (k0 − t)th tick in the current slot, and then jumps back to location WAIT. At the end of each slot, i.e., when the k0th tick occurs, the automaton increments its current slot number (modulo C).
Fig. 6. Timed automaton WSN(i) (end-of-slot transition: guard clk[i]==k0-1, synchronization tick[i]?, update csn[i] := (csn[i]+1) % C). Fig. 7. WSN(i) with history variables (same end-of-slot transition).
2.3 Synchronizer
The Synchronizer(i) automaton (Fig. 5) is the last component of our model. It performs the role of the clock synchronizer in the TDMA protocol. The automaton has two locations and two transitions. The automaton waits in its initial location S0 until some node j starts to transmit a new message, that is, until a
start_message[j]? event occurs. We use the Uppaal select statement to nondeterministically select j. The automaton then moves to location S1, provided node i is active (csn[i] < n). Remember that at the moment when the start_message[j]? event occurs, the hardware clock of node j, clk[j], has value g. Therefore, node i resets its own hardware clock clk[i] to g + 1 upon occurrence of the first clock tick following the start_message[j]? event. The automaton then returns to its initial location S0.
Note that in our model there is no delay between sending and receipt of messages. Following [11], we assume delay uncertainties to be negligible, and we therefore eliminate the delays themselves from our analysis. When communication is infrequent, this is reasonable since the impact of clock drift dominates over the influence of delay uncertainties.
Automaton Synchronizer(i) (Fig. 4) has no constraint on the value of j, that is, we assume that node i can receive messages from all other nodes in the network. Hence the network has full connectivity. It is easy to generalize our model to a setting without full connectivity by adding a guard neighbor(i, j) to the transition from S0 to S1 that indicates that i is a direct neighbor of j.¹ For networks with full connectivity, we assume that all nodes have unique TX slot numbers:
$$(\forall i, j \in \mathit{Nodes})(\mathit{tsn}[i] = \mathit{tsn}[j] \Rightarrow i = j).$$
For networks that are not fully connected, this assumption can be relaxed to the requirement that neighboring nodes have distinct TX slot numbers.
3 Uppaal Analysis Results
A wireless sensor network is called synchronized if whenever a node is sending all neighboring nodes have the same slot number as the sending node. For networks with full connectivity this means that all nodes in the network agree on the current slot. We obtain the following formal definition of correctness.
Definition 1. A network with full connectivity is synchronized if and only if for all reachable states
$$(\forall i, j \in \mathit{Nodes})(\mathrm{SENDING}_j \Rightarrow \mathit{csn}[i] = \mathit{csn}[j]).$$
Our objective is to find necessary and sufficient constraints on the system parameters that ensure that a network with full connectivity is synchronized. To this end, we assign different values to the parameters of the model and use Uppaal to verify the property of Definition 1. Based on the outcomes (and in particular the counterexamples generated by Uppaal) we try to derive general constraints. For networks with up to 4 nodes, Uppaal is able to explore the state space within a few seconds.
1 The neighbor(i, j) predicate does not have to be symmetric. In a wireless sensor 
network it may occur that i can receive messages from j, but not vice versa.
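To make the behaviour of the three automata of Section 2 and the property of Definition 1 concrete, the following discrete-event simulation is an added example (it is not the paper's Uppaal model and not code from the authors). It runs Clock(i), WSN(i) and Synchronizer(i) for every node with a fixed tick period per node chosen from [min, max], delivers start_message with zero delay as the model does, evaluates the tick[i]? guards on the pre-tick value of clk[i], and checks Definition 1 after every tick. The optional `neighbors` argument is the neighbor(i, j) guard the paper mentions for partial connectivity; with `None` the network is a clique. The ordering of simultaneous ticks (lower node index first) is an assumption: Uppaal explores all such orderings, the simulation fixes one.

```python
import heapq


def simulate(tsn, C, n, k0, g, t, periods, horizon, neighbors=None):
    """Simulate Clock(i), WSN(i) and Synchronizer(i) for all nodes up to time
    `horizon`.  periods[i] is node i's fixed time between ticks (in [min, max]).
    neighbors[i] is the set of nodes whose messages node i can receive; None
    means full connectivity.  Returns (True, None) if Definition 1 held in every
    visited state, otherwise (False, time of the first violation)."""
    N = len(tsn)
    if neighbors is None:
        neighbors = [set(range(N)) - {i} for i in range(N)]
    clk = [0] * N          # hardware clocks, integers modulo k0
    csn = [0] * N          # current slot numbers, integers modulo C
    sending = [False] * N  # WSN(i) is in location SENDING
    resync = [False] * N   # Synchronizer(i) is in location S1

    def synchronized():
        # Definition 1, restricted to the nodes that can hear the sender.
        return all(csn[j] == csn[i]
                   for i in range(N) if sending[i]
                   for j in range(N) if i in neighbors[j])

    queue = [(periods[i], i) for i in range(N)]   # (time of next tick, node)
    heapq.heapify(queue)
    while True:
        now, i = heapq.heappop(queue)
        if now > horizon:
            return True, None
        # WSN(i) guards are evaluated on the pre-tick value of clk[i].
        end_of_slot = clk[i] == k0 - 1
        go_send = (not sending[i]) and csn[i] == tsn[i] and clk[i] == g - 1
        stop_send = sending[i] and clk[i] == k0 - t - 1
        # Clock(i) ticks; if Synchronizer(i) is in S1 it overrides with g + 1.
        clk[i] = g + 1 if resync[i] else (clk[i] + 1) % k0
        resync[i] = False
        if end_of_slot:
            csn[i] = (csn[i] + 1) % C
        if stop_send:
            sending[i] = False
        if go_send:
            sending[i] = True      # GO_SEND is urgent: start_message[i]! fires now
            for j in range(N):
                if i in neighbors[j] and csn[j] < n:   # Synchronizer(j): S0 -> S1
                    resync[j] = True
        if not synchronized():
            return False, now
        heapq.heappush(queue, (now + periods[i], i))


if __name__ == "__main__":
    # Constructed two-node clique: C = 2, both slots active, k0 = 29, g = 3, t = 2.
    print("perfect clocks:", simulate([0, 1], 2, 2, 29, 3, 2, [1, 1], 200))
    # Node 0 ticks twice as fast as node 1 (min = 1, max = 2), far beyond what
    # constraints (2) and (3) tolerate for g = 3: synchronization is lost.
    print("fast node 0, slow node 1:", simulate([0, 1], 2, 2, 29, 3, 2, [1, 2], 200))
```

With perfect clocks the run stays synchronized, although the receiver that ticks in the same instant as the message arrives ends up one tick ahead of the sender (it resets to g + 1 while the sender is still at g), which is the "fast staircase" effect Section 5 builds on. With periods 1 and 2 the slow node 1 starts its transmission in slot 1 at time 60 while the fast node 0 has already wrapped back to slot 0, and the check fails.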
It turns out that there are essentially three different scenarios that may lead to a state in which the network is not synchronized. In order to describe these scenarios at an abstract level, we need a bit of notation.
Let s ∈ {0, ..., C − 1} be a slot. Then s is a transmitting slot, notation TX(s), if there is some node i that is transmitting in s, that is,
$$\mathrm{TX}(s) \Leftrightarrow (\exists i \in \mathit{Nodes})(\mathit{tsn}[i] = s).$$
We let PREV(s) denote the nearest transmitting slot that precedes s (cyclically). Formally, the function PREV : {0, ..., C − 1} → {0, ..., C − 1} is defined by
$$\mathrm{PREV}((s+1)\,\%\,C) = \begin{cases} s & \text{if } \mathrm{TX}(s) \\ \mathrm{PREV}(s) & \text{otherwise} \end{cases} \qquad (1)$$
We write D(s) to denote the number of slots visited when going from PREV(s) to s, that is, D(s) = (s − PREV(s)) % C. We define M = max_s D(s) to be the maximal distance between transmitting slots. As we will see, M plays a key role in defining correctness.
3.1 Scenario 1: Fast Sender - Slow Receiver
In the first error scenario, a sending node is proceeding maximally fast whereas a receiving node runs maximally slow. The sender can then start with the transmission of a message while the receiver is still in an earlier slot. The scenario is illustrated in Figure 8. It starts when the fast and the slow node receive a synchronization message.
Fig. 8. Scenario 1: Fast Sender - Slow Receiver (fast node: clk = g+1 after the reset, M·k0 − 1 ticks until clk = g in its TX slot; slow node: clk = g, M·k0 − g ticks until it reaches that slot)
Immediately following receipt of this message (at the same point in time), the hardware clock of the fast node ticks and the synchronizer resets this clock to g + 1. Now, in the worst case, it may take M · k0 − 1 ticks before the fast node is in its TX slot with its hardware clock equal to g. Since the hardware clock of the fast node ticks maximally fast, the length of the corresponding time interval is (M · k0 − 1) · min. The slow node will reach the TX slot of the fast node after M · k0 − g ticks. With a clock that ticks maximally slow, this may take (M · k0 − g) · max time. To prevent the fast node from starting transmission before the slow node has moved to the same slot, we must have:
$$(M \cdot k_0 - g) \cdot \max < (M \cdot k_0 - 1) \cdot \min \qquad (2)$$
Rather than the lower bound min and the upper bound max on the time between clock ticks, we sometimes find it convenient to consider the ratio
$$\rho = \frac{\min}{\max}$$
Since 0 < min ≤ max, it follows that ρ is contained in the interval (0, 1]. The following elementary lemma turns out to be quite useful.
Lemma 1. Constraint (2) is equivalent to g > (1 − ρ) · M · k0 + ρ.
This implies that the worst case scenario occurs when the distance between TX slots is maximal: if the constraint holds for M it also holds when we replace M by a smaller value.
Example 1 (The Chess implementation). Constraint (2) allows us to infer a lower bound on the guard time g. In the current implementation of the protocol by Chess [15], a quartz crystal oscillator is used with a clock drift rate θ of at most 20 ppm (parts per million). This means that
$$\rho = \frac{1 - \theta}{1 + \theta} = \frac{1 - 20 \cdot 10^{-6}}{1 + 20 \cdot 10^{-6}} \approx 0.99996$$
In the Chess implementation, one time frame lasts for about 1 second. It consists of C = 1129 slots and each slot consists of k0 = 29 clock ticks. The number of active slots is small (n = 10). A typical value for M is C − n = 1119. Hence
$$g > (1 - \rho) \cdot M \cdot k_0 + \rho \approx 0.00004 \cdot 1119 \cdot 29 + 0.99996 = 2.298$$
Thus, according to our theoretical model, a value of g = 3 should suffice. Chess actually uses a guard time of 9. Of course one should realize here that our model is overly simplified and, for instance, does not take into account (uncertainty in) message delays and partial connectivity. We will see that these restrictions greatly influence the minimal guard time.
3.2 Scenario 2: Fast Receiver - Slow Sender - before transmission
In the second scenario, a receiving node runs maximally fast whereas a sending node proceeds maximally slow. The receiving node already leaves the slot in which it should receive a message from the sender before the sender has even started transmission. This scenario is illustrated in Figure 9. It starts when the fast and the slow node receive a synchronization message. But now the node that has to send the next message runs maximally slow. It sends this message after M · k0 ticks have occurred, which takes M · k0 · max time. Meanwhile, the fast node has made maximal progress: immediately after receipt of the first synchronization message (at the same point in time), the hardware clock of the fast node ticks and the synchronizer resets this clock to g + 1. Already after (k0 − g − 1) · min time the node proceeds to the next slot. Another (M · k0 − 1) · min time units
Fig. 9. Scenario 2: Fast Receiver - Slow Sender - before transmission (fast node: clk = g+1 after the reset, k0 − g − 1 ticks to the next slot, then (M+1)·k0 − g − 2 ticks in total until clk = k0 − 1; slow node: clk = g, M·k0 ticks until it sends)
later the fast node sets its clock to k0 − 1 and is about to leave the slot in which the slow node will send a message. If the slow node starts transmission after this point it is too late: after the next clock tick the fast node will increment its slot counter and the network is no longer synchronized. In order to exclude the second scenario, the following constraint must hold:
$$M \cdot k_0 \cdot \max < ((M + 1) \cdot k_0 - g - 2) \cdot \min \qquad (3)$$
Also this constraint can be rewritten:
Lemma 2. Constraint (3) is equivalent to g < (1 − 1/ρ) · M · k0 + k0 − 2.
Thus constraint (3) imposes an upper bound on guard time g. Since in practice one will always try to minimize the guard time in order to save energy, this constraint is only of theoretical interest. If we fill in the values of Example 1, we obtain g < 25.8, which is close to the slot length k0 = 29.
3.3 Scenario 3: Fast Receiver - Slow Sender - during transmission
Our third scenario concerns a fast receiver and a slow sender. The receiver moves to a new slot while the sender is still transmitting a message. Figure 10 illustrates the scenario. As usual, the hardware clock of the fast node is set to g + 1 immediately after receipt of the synchronization message.
Fig. 10. Scenario 3: Fast Receiver - Slow Sender - during transmission (fast node: k0 − g − 1 ticks until the end of its slot; slow node: guard time g, then sending for k0 − g − t ticks, then tail time t)
To exclude this scenario, the following condition should be satisfied:
$$(k_0 - g - t) \cdot \max < (k_0 - g - 1) \cdot \min \qquad (4)$$
Essentially, constraint (4) provides a lower bound on t: to rule out the scenario in Fig. 10, the sender should wait long enough before proceeding to the next slot.
Lemma 3. Constraint (4) is equivalent to t > (1 − ρ)(k0 − g) + ρ.
If we fill in the values of Example 1 with g set to 3, we obtain t > 1.001. Hence a value of t = 2 should suffice. For the simple case of a static network with full connectivity and no uncertainty in message delays, we only need to reserve 5 clock cycles for guard and tail time together. In Section 5, we will see that for different network topologies indeed much larger values are required.
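The notation of this section (TX(s), PREV(s), D(s) and M as in equation (1)), the three constraints (2), (3), (4), and the bounds of Lemmas 1 to 3 can all be computed exactly from a parameter set. The following block is an added example (not the authors' Uppaal model or Isabelle proof) that does this with exact rational arithmetic, so that the lemma form and the constraint form can be checked against each other without rounding. The Chess numbers of Example 1 (θ = 20 ppm, k0 = 29, M = 1119) are taken from the text; the tiny TX-slot assignment used to exercise PREV is constructed.

```python
from fractions import Fraction


def drift_model(theta_ppm):
    """min, max and rho = min/max for a clock drift rate of theta ppm,
    with the tick period normalised to 1: min = 1 - theta, max = 1 + theta."""
    theta = Fraction(theta_ppm, 10**6)
    tmin, tmax = 1 - theta, 1 + theta
    return tmin, tmax, tmin / tmax


def prev_slots(tsn, C):
    """PREV(s) for s = 0..C-1 following equation (1): walking the frame once,
    PREV((s+1) % C) is s if TX(s) holds and PREV(s) otherwise."""
    tx = set(tsn)
    assert tx and all(0 <= s < C for s in tx)
    cur = max(tx)                 # the TX slot that cyclically precedes slot 0
    prev = [0] * C
    for s in range(C):
        prev[s] = cur
        if s in tx:               # TX(s): s becomes PREV of the next slot
            cur = s
    return prev


def max_tx_distance(tsn, C):
    """M = max_s D(s) with D(s) = (s - PREV(s)) % C."""
    prev = prev_slots(tsn, C)
    return max((s - prev[s]) % C for s in range(C))


def constraints_hold(M, k0, g, t, tmin, tmax):
    """Constraints (2), (3) and (4), as a tuple of booleans."""
    c2 = (M * k0 - g) * tmax < (M * k0 - 1) * tmin
    c3 = M * k0 * tmax < ((M + 1) * k0 - g - 2) * tmin
    c4 = (k0 - g - t) * tmax < (k0 - g - 1) * tmin
    return c2, c3, c4


def lemma_bounds(M, k0, g, rho):
    """Lower bound on g (Lemma 1), upper bound on g (Lemma 2) and lower
    bound on t for the given g (Lemma 3), all strict."""
    g_low = (1 - rho) * M * k0 + rho
    g_high = (1 - 1 / rho) * M * k0 + k0 - 2
    t_low = (1 - rho) * (k0 - g) + rho
    return g_low, g_high, t_low


def smallest_guard_and_tail(M, k0, tmin, tmax):
    """Smallest integer g, then smallest integer t, satisfying (2), (3), (4)
    and the Table 1 side condition g + t + 2 < k0; None if none exists."""
    for g in range(1, k0):
        for t in range(1, k0 - g - 2):
            if all(constraints_hold(M, k0, g, t, tmin, tmax)):
                return g, t
    return None


if __name__ == "__main__":
    tmin, tmax, rho = drift_model(20)            # Example 1: 20 ppm
    g_low, g_high, t_low = lemma_bounds(1119, 29, 3, rho)
    print("rho ~", float(rho))
    print("Lemma 1: g >", float(g_low), " Lemma 2: g <", float(g_high))
    print("Lemma 3 with g = 3: t >", float(t_low))
    print("smallest (g, t):", smallest_guard_and_tail(1119, 29, tmin, tmax))
    # Constructed frame of 6 slots with TX slots 1 and 3.
    print("PREV:", prev_slots([1, 3], 6), " M =", max_tx_distance([1, 3], 6))
```

For the Example 1 parameters the search returns g = 3 and t = 2, matching the values derived in the text, and the lemma bounds agree with the direct evaluation of the constraints for every integer g and t, which is the equivalence the three lemmas state.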
4 Proving Sufficiency of the Constraints
In this section, we outline our proof that the three constraints derived in Section 3 are sufficient to ensure synchronization in networks with full connectivity. We start our proof by stating some elementary invariants.
Lemma 4. For any network with full connectivity the following invariant assertions hold, for all reachable states and for all i ∈ Nodes:
$$0 \le x_i \le \max \qquad (5)$$
$$0 \le \mathit{clk}[i] < k_0 \qquad (6)$$
$$0 \le \mathit{csn}[i] < C \qquad (7)$$
$$\mathrm{GO\_SEND}_i \Rightarrow x_i = 0 \qquad (8)$$
$$\mathrm{GO\_SEND}_i \Rightarrow \mathit{csn}[i] = \mathit{tsn}[i] \qquad (9)$$
$$\mathrm{GO\_SEND}_i \Rightarrow \mathit{clk}[i] \in \{g, g+1\} \qquad (10)$$
$$\mathrm{SENDING}_i \Rightarrow \mathit{csn}[i] = \mathit{tsn}[i] \qquad (11)$$
$$\mathrm{SENDING}_i \Rightarrow g \le \mathit{clk}[i] < k_0 - 1 \qquad (12)$$
Invariants (5), (6) and (7) assert that the state variables indeed take values in their intended domains: clock variables stay within the (real-valued) range [0, max], hardware clocks stay within the integer range [0, k0), and current slot numbers stay within the integer range [0, C). Invariants (8)-(12) directly follow from the definitions of the automata in the network. For invariant (10), observe that since the tick?-transition from WAIT to GO_SEND may synchronize with the tick?-transition from S1 to S0, the value of clk[i] in GO_SEND_i is potentially g + 1.
To be able to state more interesting invariants, we introduce two auxiliary global history (or ghost) variables. Clock y records the time that has elapsed since the last synchronization message (or the beginning of the protocol). Variable last records the last slot in which a synchronization message has been sent (initially last = −1). Figure 7 shows the version of the WSN(i) automaton obtained after adding these variables. The only change is that upon occurrence of a synchronization start_message[i]! clock y is reset to 0 and variable last is reset to csn[i].
We first state a few basic invariants which restrict the values of the new variables.
Lemma 5. For any network with full connectivity the following invariant assertions hold, for all reachable states and for all i ∈ Nodes:
$$0 \le y \qquad (13)$$
$$-1 \le \mathit{last} < C \qquad (14)$$
$$\mathrm{S1}_i \Rightarrow y \le x_i \qquad (15)$$
$$\mathit{last} = -1 \Rightarrow \mathrm{S0}_i \qquad (16)$$
Invariant (13) says that y is always nonnegative and invariant (14) says that last takes values in the integer domain [−1, C − 1). If the system is in S1_i then a synchronization occurred after the last clock tick (invariant (15)), and if the system is in S0_i then no synchronization occurred yet (invariant (16)).
The key idea behind our correctness proof is that, given the local state of some node i and the value of last, we can compute the number c(i) of ticks of i's hardware clock that have occurred since the last synchronization. Since we know the minimal and maximal clock speeds, we can then derive an interval that contains the value of y, the amount of real-time that has elapsed since the last synchronization. Next, given the value of y, we can compute an interval that contains the value of c(j), for an arbitrary node j. Once we know the value of c(j), this gives us some information about the local state of node j. Through these correspondences, we are able to infer that if node i is sending the slot numbers of i and j must be equal.
Formally, for i ∈ Nodes, the state function c(i) is defined by
    c(i) = if last = −1 then clk[i]
           else if S1_i then 0
           else ((csn[i] − last) % C) · k0 + clk[i] − g
           fi fi
If there has been no synchronization yet (last = −1) then c(i) is just equal to the hardware clock clk[i]. If the synchronizer is in location S1_i, then we know that there has been no tick since the last synchronization, so c(i) is set to 0. Otherwise, c(i) is k0 times the number of slots since the last synchronization, incremented by the number of ticks in the current slot, minus g to take into account that the hardware clock has been reset to g + 1 after the last synchronization.
We can now state the main invariant result from this section.
Theorem 1. Assume constraints (2), (3) and (4) hold. Then for any network with full connectivity the following invariant assertions hold, for all reachable states and for all i, j ∈ Nodes:
$$y \le c(i) \cdot \max + x_i \qquad (17)$$
$$c(i) > 0 \Rightarrow y \ge (c(i) - 1) \cdot \min + x_i \qquad (18)$$
$$\mathit{csn}[i] = \mathit{tsn}[i] \wedge (\mathit{clk}[i] < g \vee \mathrm{GO\_SEND}_i) \Rightarrow \mathit{last} \ne \mathit{csn}[i] \qquad (19)$$
$$\mathit{csn}[i] = \mathit{tsn}[i] \wedge \mathit{clk}[i] = g \Rightarrow (\mathrm{GO\_SEND}_i \vee \mathrm{SENDING}_i) \qquad (20)$$
$$\mathit{csn}[i] = \mathit{tsn}[i] \wedge \mathit{clk}[i] > g \Rightarrow \mathit{last} = \mathit{csn}[i] \qquad (21)$$
$$\mathrm{SENDING}_i \Rightarrow \mathit{csn}[i] = \mathit{csn}[j] = \mathit{last} \qquad (22)$$
$$\mathrm{GO\_SEND}_i \Rightarrow \mathit{csn}[i] = \mathit{csn}[j] \wedge \mathit{clk}[i] = g \qquad (23)$$
$$\mathit{last} \ne -1 \wedge \mathit{last} \ne \mathrm{PREV}(\mathit{csn}[i]) \Rightarrow (\mathrm{TX}(\mathit{csn}[i]) \wedge \mathit{last} = \mathit{csn}[i]) \qquad (24)$$
$$\mathrm{TX}(\mathit{csn}[i]) \wedge \mathit{clk}[i] = k_0 - 1 \Rightarrow \mathit{last} = \mathit{csn}[i] \qquad (25)$$
$$\mathrm{S1}_i \Rightarrow \mathit{clk}[i] < k_0 - 1 \wedge \mathit{last} = \mathit{csn}[i] \qquad (26)$$
$$c(i) \ge 0 \qquad (27)$$
$$\mathit{last} = -1 \Rightarrow \mathit{csn}[i] = 0 \qquad (28)$$
Proof. By induction, using the auxiliary invariants from Lemmas 4 and 5. The manual proof is about 14 pages long.
Invariants (17) and (18) are the key invariants that relate the values of c(i) and y. Invariant (22) implies that the network is synchronized. This is the key correctness property we are interested in. All the other invariants in Theorem 1 are auxiliary assertions, needed to make the invariant inductive.
5 Line T opologies
The line topology has the minimum connectivity. The number of clock syn­
chronization events per time frame is the least possible value for all (connected) 
topologies. To maintain synchronization, we need more accurate hardware clocks 
and a larger guard time. We assert tha t for a fixed value of the guard time, the 
network fails to synchronize if one keeps increasing the number of nodes. We 
claim th a t for a line network of size N , guard time g should be at least N.
To reduce the state space of the Uppaal analysis, we consider only networks with perfect clocks, in which clock drift is zero. In Uppaal concurrent events are non-deterministically ordered. Depending on this choice, clock misalignment and loss of synchronization are possible.
Figure 11 shows a scenario extracted from an Uppaal counter-example. This scenario shows that for a network of size N the guard time cannot be N − 1. The scenario consists of two "staircases". One "fast" staircase has stairs with the minimum width, where the sender transmits the synchronization signal immediately before the receiver experiences a tick event and the receiver resets its clock counter to g + 1 in no time as the transitions are urgent, while the other "slow" staircase has stairs with the maximum width, where the sender transmits the synchronization signal immediately after the receiver experienced a tick event, so the receiver has to wait the duration of a tick before resetting its clock counter to g + 1. The staircases start from the same point, viz. when node number 1, the second node, tries to send messages to its neighbors, nodes 0 and 2. After N − 1 steps, which take a guard time period, the two staircases join again when node N − 2 tries to communicate with node N − 1. At that point, node N − 2 has gone through g time units since its previous synchronization and is about to send a message to node N − 1. On the other hand, node N − 1 is about to make a clock tick and enter its new time slot, which is convenient for receiving the message from its neighbor. Synchronization is lost when node N − 2 starts sending before node N − 1 ticks.

[Fig. 11. An error scenario for line topologies. Nodes 0, 1, 2, 3, ..., N−3, N−2, N−1 are laid out along the horizontal axis; legend: Fast Node, Slow Node, Start Transmission, Collision.]
6 Conclusions and Related Work
Using timed automata model checking, we discovered some interesting error scenarios for line topologies: for any instantiation of the parameters, the protocol will eventually fail if the network grows. We believe that this error scenario is generic and may serve as a basis for a variation of the fundamental result of Fan and Lynch [7], reasserted by Locher and Wattenhofer [10], on gradient clock synchronization in a setting with logical clocks whose value may also decrease. We also succeeded in presenting a parametric verification for the very restrictive case of cliques (networks with full connectivity). We used model checking to find the key error scenarios that underlie the parameter constraints for correctness, and theorem proving to check the correctness of our manual invariant proof. In practical applications of WSNs, cliques rarely occur and therefore our results should primarily be seen as a first step towards a correctness proof for arbitrary and dynamically changing network topologies. Nevertheless, these results could give us an upper bound on the allowable clock drift of a generic WSN.
The use of simulations will be essential for providing additional insight into the robustness and usefulness of our algorithm, also because occasional flaws of the MAC layer protocol may be resolved by the redundancy of the gossip layer. However, we believe simulation techniques will not be able to produce worst case counterexamples, such as the example of Figure 11 that was produced by the model checker Uppaal.
Methodologically, the approach of this paper is similar to our study of the Biphase Mark Protocol [21], which also uses Uppaal to analyze instances of the protocol and a theorem prover for the full parametric analysis. Theorem provers have been frequently and successfully applied for the analysis of clock synchronization protocols, see for instance [16,17]. An interesting research challenge is to synthesize (or prove the correctness of) the parameter constraints for the Chess protocol fully automatically. Recently, some approaches have been presented by which, for instance, the (parametric) Biphase Mark Protocol can be verified fully automatically [5,20]. However, we think these approaches are not powerful enough (yet) to handle the Chess protocol.
References
1. F.A. Assegei. Decentralized frame synchronization of a TDMA-based wireless sensor network. Master's thesis, Eindhoven University of Technology, Department of Electrical Engineering, 2008.
2. R. Bakhshi, F. Bonnet, W. Fokkink, and B. Haverkort. Formal analysis techniques for gossiping protocols. SIGOPS Oper. Syst. Rev., 41(5):28-36, 2007.
3. G. Behrmann, A. David, K. G. Larsen, J. Hakansson, P. Pettersson, W. Yi, and M. Hendriks. Uppaal 4.0. In Third International Conference on the Quantitative Evaluation of SysTems (QEST 2006), 11-14 September 2006, Riverside, CA, USA, pages 125-126. IEEE Computer Society, 2006.
4. G. Behrmann, A. David, and K.G. Larsen. A tutorial on Uppaal. In M. Bernardo and F. Corradini, editors, Formal Methods for the Design of Real-Time Systems, International School on Formal Methods for the Design of Computer, Communication and Software Systems, SFM-RT 2004, Bertinoro, Italy, September 13-18, 2004, Revised Lectures, volume 3185 of LNCS, pages 200-236. Springer, 2004.
5. G. M. Brown and L. Pike. Easy parameterized verification of biphase mark and 8n1 protocols. In Holger Hermanns and Jens Palsberg, editors, TACAS, volume 3920 of LNCS, pages 58-72. Springer, 2006.
6. A. Demers, D. Greene, C. Hauser, W. Irish, J. Larson, S. Shenker, H. Sturgis, D. Swinehart, and D. Terry. Epidemic algorithms for replicated database maintenance. In PODC '87: Proceedings of the sixth annual ACM Symposium on Principles of distributed computing, pages 1-12, New York, NY, USA, 1987. ACM.
7. R. Fan and N.A. Lynch. Gradient clock synchronization. Distributed Computing, 18(4):255-266, 2006.
8. A.-M. Kermarrec and M. van Steen. Gossiping in distributed systems. SIGOPS Oper. Syst. Rev., 41(5):2-7, 2007.
9. L. Lamport. Time, clocks and the ordering of events in distributed systems. Communications of the ACM, 21(7):558-564, 1978.
10. T. Locher and R. Wattenhofer. Oblivious gradient clock synchronization. In Distributed Computing, volume 4167 of LNCS, pages 520-533. Springer, 2006.
11. L. Meier and L. Thiele. Gradient clock synchronization in sensor networks. Technical Report 219, Computer Engineering and Networks Lab., ETH Zurich, 2005.
12. T. Nipkow, L.C. Paulson, and M. Wenzel. Isabelle/HOL - A Proof Assistant for Higher-Order Logic, volume 2283 of LNCS. Springer, 2002.
13. R.M. Pussente and V.C. Barbosa. An algorithm for clock synchronization with the gradient property in sensor networks. Parallel and Distributed Computing, 69:261-265, 2009.
14. QUASIMODO. Case studies: Models, January 2009. Deliverable 5.5 from the FP7 ICT STREP project 214755 (QUASIMODO).
15. QUASIMODO. Preliminary description of case studies, January 2009. Deliverable 5.2 from the FP7 ICT STREP project 214755 (QUASIMODO).
16. J. Rushby. A formally verified algorithm for clock synchronization under a hybrid fault model. In PODC '94: Thirteenth annual ACM symposium on Principles of distributed computing, pages 304-313, New York, NY, USA, 1994. ACM.
17. J. Schmaltz. A formal model of clock domain crossing and automated verification of time-triggered hardware. In J. Baumgartner and M. Sheeran, editors, Formal methods in computer aided design, pages 223-230. IEEE Computer Society, 2007.
18. B. Sundararaman, U. Buy, and A.D. Kshemkalyani. Clock synchronization for wireless sensor networks: a survey. Ad Hoc Networks, 3(3):281-323, 2005.
19. R. Tjoa, K.L. Chee, P.K. Sivaprasad, S.V. Rao, and J.G. Lim. Clock drift reduction for relative time slot TDMA-based sensor networks. In Proceedings of the 15th IEEE International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC2004), pages 1042-1047, September 2004.
20. S. Umeno. Event order abstraction for parametric real-time system verification. In EMSOFT, pages 1-10. ACM, 2008.
21. F.W. Vaandrager and A.L. de Groot. Analysis of a biphase mark protocol with Uppaal and PVS. Formal Asp. Comput., 18(4):433-458, December 2006.
