SMT-based Probabilistic Analysis of Timing Constraints in Cyber-Physical
  Systems by Huang, Li & Kang, Eun-Young
Li Huang∗ and Eun-Young Kang∗†
∗School of Data & Computer Science, Sun Yat-Sen University, Guangzhou, China
huangl223@mail2.sysu.edu.cn
†PReCISE Research Centre, University of Namur, Belgium
eykang@fundp.ac.be
Abstract—Modeling and analysis of timing constraints is crucial in cyber-physical systems (CPS). EAST-ADL is an architectural language dedicated to safety-critical embedded system design. SIMULINK/STATEFLOW (S/S) is a widely used industrial tool for modeling and analysis of embedded systems. In most cases, a bounded number of violations of timing constraints in systems would not lead to system failures when the results of the violations are negligible, called Weakly-Hard (WH). We have previously defined a probabilistic extension of the Clock Constraint Specification Language (CCSL), called PrCCSL, for formal specification of EAST-ADL timing constraints in the context of WH. In this paper, we propose an SMT-based approach for probabilistic analysis of EAST-ADL timing constraints in CPS modeled in S/S: an automatic transformation from S/S models to the input language of an SMT solver is provided; timing constraints specified in PrCCSL are encoded into SMT formulas and the probabilistic analysis of timing constraints is reduced to the validity checking of the resulting SMT encodings. Our approach is demonstrated on a cooperative automotive system case study.
Index Terms—EAST-ADL, Timing Constraints, Probabilistic CCSL, SMT-based model checking, SIMULINK/STATEFLOW.
I. INTRODUCTION
Cyber-Physical Systems (CPS) are real-time embedded systems where the software controllers interact with physical environments. The continuous-time behaviors of CPS often rely on complex dynamics as well as on stochastic behaviors. Modeling and analysis of timing constraints is essential to ensure the correctness of CPS. EAST-ADL¹ is an architectural description language for safety-critical embedded systems design. The latest release of EAST-ADL has adopted the time model, which composes the basic timing constraints, i.e., repetition rates, end-to-end delays, and synchronization constraints. EAST-ADL relies on external tools, e.g., SIMULINK/STATEFLOW² (S/S), for the description of system behaviors. SIMULINK (SL) is a block-diagram based formalism used to model continuous dynamics, while STATEFLOW (SF) is used to specify control logic and state-based model behaviors of systems. Despite its strength in system modeling and simulation, S/S lacks formal semantics to support rigorous verification of specifications. To tackle this shortcoming, efforts have been devoted to formal analysis of S/S models using formal methods, e.g., model checking and satisfiability modulo theory (SMT) solving.
¹ EAST-ADL. https://www.maenad.eu/public/EAST-ADL-Specification M2.1.9.1.pdf
² Simulink and Stateflow. https://www.mathworks.com/products.html
However, the conventional formal analysis of real-time systems addresses worst-case designs, typically used for hard deadlines in safety-critical systems. The “less-than-worst-case” models are far less investigated. In fact, in most cases, a bounded number of violations of timing constraints in systems would not lead to system failures when the results of the violations are negligible, called Weakly-Hard (WH) [1]. In this paper, we propose an SMT-based approach to support formal probabilistic analysis of EAST-ADL timing constraints in CPS modeled in S/S in the context of WH.
The Clock Constraint Specification Language (CCSL) is a formal language for the specification of both logical and dense timing constraints. We have previously defined a probabilistic extension of CCSL, called PrCCSL [2], which states that the relations (e.g., coincidence, causality and precedence) between events (e.g., input/output triggering, state changes) must hold with probability greater than or equal to a given probability threshold. Previous work is extended by including support for probabilistic analysis of timing constraints using SMT-based model checking: 1) S/S models, which describe the behaviors of systems, are transformed into the input language of an SMT solver; 2) EAST-ADL timing constraints with stochastic properties are specified in PrCCSL and encoded into SMT formulas; 3) the probabilistic analysis of timing constraints is reduced to validity checking of the resulting SMT encodings. Our approach is demonstrated on a cooperative automotive system case study.
II. METHODOLOGY & EXPERIMENT
The overview of our approach is shown in Fig. 1. In our approach, S/S models are stored in ‘.mdl’ files, which contain textual descriptions of the compositions of the models. The Z3 SMT solver³ is employed as our verification engine. To translate the stochastic functions (e.g., random number generation) in SL, we adopt Z3PY (the Z3 API in PYTHON) as the encoding interface, in which add-on modules for the description of probability distributions can be leveraged. Given a system model in S/S and an EAST-ADL timing constraint φ (specified in PrCCSL), the goal of our approach is to verify whether the probability of the constraint is greater than or equal to a probability threshold p, i.e., Pr(φ) ≥ p. To achieve this, we perform the following steps: 1) Extract the necessary information (see Fig. 1) of S/S from the .mdl file and translate S/S into Z3PY encodings based on the extracted information; 2) Encode the PrCCSL specifications of EAST-ADL timing constraints (ETC) in Z3PY and check the validity of the encodings using Z3.
Fig. 1. Overview of our approach
³ Z3 SMT Solver. https://github.com/Z3Prover/z3
Translation of S/S into Z3PY: Fig. 2 shows an excerpt of an S/S model in a .mdl file, in which each object (e.g., block, data or state) has a unique identifier named id. The data/variables in a discrete-time S/S model are updated at sample time steps, which are translated into vectors (i.e., bounded lists) of appropriate sorts (e.g., integer, real and boolean). The index of a vector represents the number of time steps that have elapsed during simulation. For instance, an integer signal a is mapped to an integer list, with a[i] (i ∈ ℕ) representing the value of signal a at the ith step of the simulation. In SL, lines are used for data transmission. During simulation, the data of ports connected by the same line are identical, which is interpreted as the equality of the data in Z3PY. The blocks of linear math/logic functions in SL are mapped straightforwardly to the same arithmetic/logical operations in Z3PY.
Fig. 2. S/S information in .mdl file
States in SF can be either active or inactive during simulation; they are declared as integer vectors whose elements are either 1 (active) or 0 (inactive) in Z3PY. The information of a state in the .mdl file can be divided into three classes (see Fig. 2): Hierarchy includes decomposition, history junctions and the relation between superstates and their substates (indicated by treeNode). Transition represents the passage of the system from one state to another when the condition (i.e., a boolean expression) on the transition is true. State action refers to the operations (e.g., assignments) executed when the state is active, entered or exited. After the information of hierarchy, transitions and actions (HTA) is extracted from the .mdl file, the translation of SF becomes the interpretation of the HTA of each state in Z3PY, as presented in Algorithm 1.
Algorithm 1: Translation of STATEFLOW into Z3PY
Input: Simulation bound N, states s0, ..., sj, ..., sn (sj is the state with id j), information of hierarchy, actions and transitions of each state;
Output: E: the Z3PY encodings of the STATEFLOW chart;
E ← ∅
for j = 0; j < n; j++ do
    sj ← IntegerVector(N)
    if sj.substate ≠ ∅ then
        E ← E ∪ Encode(sj.hierarchy)
    if sj.action ≠ ∅ then
        E ← E ∪ Encode(sj.action)
    if sj.transition ≠ ∅ then
        E ← E ∪ Encode(sj.transition)
return E

Experiment: Our approach is demonstrated on a cooperative automotive system (CAS) [3], which includes distributed and coordinated sensing, control, and actuation over two vehicles running in the same lane. We consider seven types of timing constraints of the CAS system, i.e., End-to-End, Periodic, Sporadic, Execution, Synchronization, Comparison and Exclusion constraints. The timing constraints are specified in PrCCSL, whose semantics is defined in the form of SMT formulas [2] that can be expressed in Z3PY naturally. In our experiment, the simulation bound and the probability threshold are set to 3000 steps and 95% respectively. The experiment results are listed in Table I and all timing constraints are established as valid.
TABLE I
VERIFICATION RESULTS OF TIMING CONSTRAINTS IN Z3
Timing Constraint   Result   Time (min)   Mem (MB)   CPU (%)
End-to-End          valid    70.3         1710.75    23.81
Periodic            valid    12.7         2639.25    24.86
Sporadic            valid    202.4        1869.02    24.89
Execution           valid    12.7         2516.13    24.89
Synchronization     valid    63.6         2299.83    20.36
Comparison          valid    65.7         2005.06    23.63
Exclusion           valid    112.4        2569.08    20.47
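As an added illustration that is not the paper's code, the following Python emits SMT-LIB2 text (the input language of the Z3 solver) for a constructed two-state chart following the shape of Algorithm 1, and encodes a PrCCSL-style bound Pr(φ) ≥ p as a count over the N simulation steps, so that validity reduces to an unsat answer on the negated constraint. The chart, its boolean input req and the Idle/Busy state names are assumptions, not part of the CAS case study.

```python
import math
from fractions import Fraction

def int_vector(name, n):
    """One Int constant per simulation step, like IntegerVector(N) in Algorithm 1."""
    return [f"(declare-const {name}_{i} Int)" for i in range(n)]

def encode_chart(states, transitions, n, init):
    """States are 0/1 vectors with exactly one active state per step. A transition
    (src, dst, guard) fires when src is active and guard holds at that step; with no
    enabled guard the active state persists. Guards of one source state are assumed
    mutually exclusive (otherwise two targets would be forced active and the script
    becomes unsat)."""
    e = [f"(declare-const req_{i} Bool)" for i in range(n)]  # constructed chart input
    for s in states:
        e += int_vector(s, n)
        e += [f"(assert (or (= {s}_{i} 0) (= {s}_{i} 1)))" for i in range(n)]
    for i in range(n):
        total = " ".join(f"{s}_{i}" for s in states)
        e.append(f"(assert (= (+ {total}) 1))")
    e.append(" ".join(f"(assert (= {s}_0 {int(s == init)}))" for s in states))
    for i in range(n - 1):
        for src, dst, guard in transitions:
            g = guard.format(i=i)
            e.append(f"(assert (=> (and (= {src}_{i} 1) {g}) (= {dst}_{i+1} 1)))")
        for s in states:  # no enabled outgoing transition: stay in s
            outs = [g.format(i=i) for src, _, g in transitions if src == s]
            if not outs:
                e.append(f"(assert (=> (= {s}_{i} 1) (= {s}_{i+1} 1)))")
                continue
            disj = outs[0] if len(outs) == 1 else f"(or {' '.join(outs)})"
            e.append(f"(assert (=> (and (= {s}_{i} 1) (not {disj})) (= {s}_{i+1} 1)))")
    return e

def encode_probabilistic(phi_at_step, n, p):
    """Pr(phi) >= p over n steps as: number of steps where phi holds >= ceil(p*n).
    The negation is asserted, so the constraint is valid iff Z3 answers unsat."""
    need = math.ceil(Fraction(str(p)) * n)
    hits = " ".join(f"(ite {phi_at_step(i)} 1 0)" for i in range(n))
    return [f"(assert (not (>= (+ {hits}) {need})))", "(check-sat)"]

def idle_busy_script(n, p):
    """Complete SMT-LIB2 script for the constructed Idle/Busy chart plus the
    constraint that Busy is active in at least a fraction p of the n steps."""
    trans = [("Idle", "Busy", "req_{i}"), ("Busy", "Idle", "(not req_{i})")]
    chart = encode_chart(["Idle", "Busy"], trans, n, "Idle")
    return "\n".join(chart + encode_probabilistic(lambda i: f"(= Busy_{i} 1)", n, p))
```

For the constructed chart, feeding the output of idle_busy_script(3000, 0.95) to Z3 gives sat, i.e., the input sequence with req false everywhere keeps Idle active at every step and is a counterexample, which is exactly what validity checking of a PrCCSL encoding is meant to surface.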
III. CONCLUSION AND FUTURE WORK
We present an SMT-based approach to perform probabilistic analysis of EAST-ADL timing constraints in CPS described in SIMULINK/STATEFLOW. The practicality of our approach is demonstrated on a CAS case study. As ongoing work, the application of our approach in larger-scale case studies will be investigated and an automatic translator from SIMULINK/STATEFLOW (.mdl file) to Z3PY will be developed.
REFERENCES
[1] G. Bernat, A. Burns, and A. Llamosi, “Weakly hard real-time systems,” IEEE Transactions on Computers, vol. 50, no. 4, pp. 308–321, 2001.
[2] E. Kang and L. Huang, “Probabilistic analysis of timing constraints in autonomous automotive systems using Simulink Design Verifier,” in SETTA, 2018.
[3] E. Kang, L. Huang, and D. Mu, “Formal verification of energy and timed requirements for a cooperative automotive system,” in SAC. ACM, 2018, pp. 1492–1499.
