Software-based control of life-critical embedded systems has become increasingly complex, and to a large extent has come to determine the safety of the human being. For example, implantable cardiac pacemakers have over 80,000 lines of code which are responsible for maintaining the heart within safe operating limits. As firmware-related recalls accounted for over 41% of the 600,000 devices recalled in the last decade, there is a need for rigorous model-driven design tools to generate verified code from verified software models. To this effect, we have developed the UPP2SF model-translation tool, which facilitates automatic conversion of verified models (in UPPAAL) to models that may be simulated and tested (in Simulink/Stateflow). We describe the translation rules that ensure correct model conversion, applicable to a large class of models. We demonstrate how UPP2SF is used in the model-driven design of a pacemaker whose model is (a) designed and verified in UPPAAL (using timed automata), (b) automatically translated to Stateflow for simulation-based testing, and then (c) automatically generated into modular code for hardware-level integration testing of timing-related errors. In addition, we show how UPP2SF may be used for worst-case execution time estimation early in the design stage. Using UPP2SF, we demonstrate the value of integrated end-to-end modeling, verification, code-generation and testing process for complex software-controlled embedded systems.
INTRODUCTION
During the last decade, Model-Driven Development (MDD) has been widely used for design of real-time and cyber-physical systems (CPS). In the case of safety-critical systems, this methodology advocates for design procedures that start with formal This research was supported in part by NSF CNS-0720518, NSF CNS-1035715, NSF MRI-0923518, and NSF CAREER-1253842 grants. A preliminary version of this article appeared in . Authors' addresses: M. Pajic and R. Mangharam, Department of Electrical & Systems Engineering, University of Pennsylvania, 200 South 33rd Street, Philadelphia, PA 19104; email: {pajic, rahulm}@seas.upenn.edu; Z. Jiang, I. Lee, and O. Sokolsky, Department of Computer & Information Science, University of Pennsylvania, 3330 Walnut Street, Philadelphia, PA 19104; email: {zhihaoj, lee, sokolsky}@cis.upenn.edu . Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies show this notice on the first page or initial screen of a display along with the full citation. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, to redistribute to lists, or to use any component of this work in other works requires prior specific permission and/or a fee. Permissions may be requested from Publications Dept., ACM, Inc., 2 Penn Plaza, Suite 701, New York, NY 10121-0701 USA, fax +1 (212) 869-0481, or permissions@acm.org. modeling of the system, followed by the model's verification at an early stage. Since the initial input to the system designers is usually a set of informal specifications, this approach enables early detection of the specification and modeling errors.
For real-time systems, timed-automata [Alur 1999 ] are a commonly used modeling formalism, allowing designers to exhaustively explore the possible behaviors of the system and prove its safety. Design of CPS is more complex, since these systems feature a tight coupling between the real-time discrete controller and (usually) continuous physical environment. For the systems' verification, it is necessary to provide the model of the closed-loop system, which also takes into account the interaction between the controller and the environment. Although in the general case this interaction can be modeled as a hybrid system, the complexity of this approach usually renders it out of reach of current verification tools [Alur et al. 1995] . Thus, in the initial design stage, timed-automata models that abstract away complex system dynamics, replacing it with timing constraints, are commonly used for verification of CPS (e.g., Pajic et al. [2012c] ).
Since parts of the verified models represent overapproximations of the realistic models, in the later stages of MDD, detailed models of the environment and its interaction with the controller are developed. These models enable high-fidelity system simulation with real system dynamics, and are used to validate the initial assumptions used in the verification stage. During the validation procedure, it is necessary to ensure equivalence between the controller models used for verification and simulation. Therefore, it is essential to provide guarantees that the properties verified in the early stage are still satisfied, as the system model gets complex and more refined.
Finally, the verified model must be translated into executable code for physical implementation, which is then validated using different testing procedures that have been built on the initial system's specification. However, since the verification is performed on a closed-loop system model, the verified model usually has the structure as the one shown in Figure 1 (a), meaning that, besides the controller model, it contains model of the environment (which includes the interface controller ↔ environment). Hence, to obtain valid controller code, it is necessary to decouple the controller code from the code synthesized for the whole closed-loop model. In scenarios with complex interfaces between the controller and environment, this can be a very tedious and error-prone process. Consequently, to prevent introduction of errors during the decoupling, it is necessary to provide a procedure for modular code synthesis.
In this work, we present a model-translation tool, UPP2SF, and show how it enables a model-driven design framework for safety-critical real-time embedded systems (Figure 1(b) ). UPP2SF facilitates automatic conversion of verified models (in UPPAAL) to models that may be simulated and tested (in Simulink/Stateflow). By using Simulink support for code generation, this allows for automatic end-to-end model translation across multiple levels of abstraction to modular code synthesis. Consequently, the proposed framework ensures that successive models are consistent through the development process: (a) a timed-automata-based UPPAAL modeling of the controller software, the model verification and model-based worst-case execution time (WCET) estimation; (b) automatic translation of the model to Stateflow using the developed UPP2SF tool; (c) testing of the Stateflow model; and (d) automatic modular code generation, test generation and testing of timing related errors on the hardware platform.
UPPAAL [Larsen et al. 1997; Behrmann et al. 2004 ] is a standard free tool for modeling and verification of real-time systems, based on networks of timed automata. Thus, it does not support simulation of continuous-time dynamics. Although there exists some work on code generation from timed-automata models (e.g., Altisen and Tripakis [2005] ; Amnell et al. [2004] ), there are only few tools [Amnell et al. 2004; Hendriks 2001] with limited capabilities in generating C code from UPPAAL models (see Section 2.2). Furthermore, none of these tools supports modular code generation from UPPAAL models. On the other hand, Simulink is a commercially available tool, used for modeling and simulation of CPS, while its toolbox, Stateflow, supports design and simulation of state machines and control logic. Simulink provides full support for C, C++, VHDL and Verilog code generation. However, Simulink has had a limited success with model verification [Leitner and Leue 2008; Schürenberg 2012] , and (more importantly), due to Simulink's deterministic execution semantics, it currently does not support verification of nondeterministic systems; this is a significant limitation in closed-loop CPS, where behavior of the environment is usually nondeterministic.
In this article, we demonstrate the use of the framework on a detailed case study for the development of a safety-critical system medical system -an implantable cardiac pacemaker. We focus on the pacemaker case study as there is a need to develop a methodology for the design and analysis of safety critical closed-loop medical device software and systems [Lee et al. 2006] . From 1990-2000, firmware issues resulted in over 200,000 implantable device recalls [US FDA 2010] . From 1996 From -2006 , the percentage of software-related causes in medical device recalls have grown from 10% to 21% [US FDA 2010] . Furthermore, during the period January-June of 2010, at least six recalls of defective devices, issued by the US Food and Drug Administration (FDA), were caused by some sort of software issues [Sandler et al. 2010] . These recalls were categorized as Class I, which means that there is a "reasonable probability that use of these products will cause serious adverse health consequences or death."
We start the case study from informal pacemaker requirements [Boston Scientific 2007] , which we formalize, and use for verification by designing an appropriate set of monitors in UPPAAL. We also show how a WCET estimation can be done in the early stage in UPPAAL, before the verified model is translated to Simulink. Furthermore, we illustrate the approach used toward modular code synthesis -extracting the controller's Stateflow model by decoupling the controller (i.e., pacemaker) from environment (i.e., the heart). Finally, we extend the method for testing real-time requirements from Clarke and Lee [1995] to validate the physical implementation of the device.
This article is organized as follows: in Sections 2 and 4, we present brief overviews of UPPAAL and Stateflow. In Section 3, we show that for a large class of UPPAAAL models, a run can be obtained by evaluating transitions at integer time-points only. Section 5 presents the model translation procedure, while in Section 6 we show that the UPP2SF-derived chart has the execution trace that corresponds to one of the maximal progress assumption runs of the initial UPPAAL model. Section 7 introduces the pacemaker case study and presents a set of formal pacemaker specifications, which we verified in UPPAAL using the developed pacemaker model (Section 7.2). Finally, we present the obtained Stateflow closed-loop system model and the procedure used to decouple the controller and environment (Section 8), followed by device implementation on an RTOS (Section 9).
Notation. We use the standard notation where Z, N, N 0 denote the sets of integers, natural numbers and nonnegative integers, respectively, while R + is the set of nonnegative reals. Finally, z denotes the largest integer that is not larger than z.
A BRIEF OVERVIEW OF UPPAAL
In this section, we present an overview of the UPPAAL tool, including some of the UPPAAL extensions [Larsen et al. 1997; Behrmann et al. 2004; Bengtsson and Yi 2004] of the timed-automata formalism from [Alur 1999] . Also, to illustrate the need for a tool like UPP2SF, we survey existing tools for code synthesis from UPPAAL models.
UPPAAL Modeling of Real-Time Systems
UPPAAL supports networks of timed automata. Each automaton is a state machine, equipped with special real-valued variables called clocks. Clocks spontaneously increase their values with time, at the same fixed rate. Locations (i.e., states) in automata have invariants that are predicates over clocks. A location in an automaton can be active as long as its invariant is satisfied. Transitions in automata have guards that are predicates over clocks and variables. A transition can be taken only if its guard is true. Because clock values increase, an initially false guard can eventually become true, allowing us to model time-dependent behaviors, such as delays and timeouts. When a transition is taken, an associated action is executed, which can update variable values and reset clocks to integer values (possibly nonzero).
Automata in the network execute concurrently. They can communicate via shared variables, as well as via events over synchronous channels. If c is a channel, c? represents receiving an event from c, while c! stands for sending an event on c. In the general case, an edge from location l 1 to location l 2 can be described in a form l 1 g,τ,r −−→ l 2 , if there is no synchronization over channels (τ denotes an "empty" action), or l 1 g,c * ,r − −− → l 2 . Here, c * denotes a synchronization label over channel c (i.e., * ∈ {!, ?}), g represents a guard for the edge and r denotes the reset operations performed when the transition occurs.
2.1.1. Timed-Automata Semantics in UPPAAL. We denote with C the set of all clocks and with V the set of all data (i.e., Boolean and integer) variables. A clock valuation is a function u : C → R + , and we use R C to denote the set of all clock valuations. A simple valuation is the function u 0 (x) = 0, for all x ∈ C. Similarly, a data valuation is a function v : V → Z, while Z V denotes the set of all data valuations. A valuation w, denoted by
In the rest of the article, a clock valuation u that satisfies that for all x ∈ C, u(x) ∈ N 0 will be referred to as integer clock valuation, while a valuation w = (u, v), where u is an integer clock valuation will be referred to as an integer valuation.
Furthermore, let B(C, V ) denote the set of conjunctions over simple clock and variable conditions of the form x n, x − y n or i − j k, where n ∈ N, x, y ∈ C, i, j ∈ V , k ∈ Z and ∈ {≤, ≥, =, <, >}.
1 Similarly, B(C) denotes the set of all conjunctions over the clock variable conditions. Thus, a guard can be defined as an element of B(C, V ). x = n or i = c 1 * j + c 2 , where x ∈ C, i, j ∈ V , c 1 , c 2 ∈ Z and n ∈ N 0 . We use R to denote the set of all possible reset operations, and for a reset operation r ∈ R and valuation w, r(w) is the valuation obtained from w where all clocks and data variables specified in r are assigned to the values obtained from the appropriate expressions. Finally, we use K to denote the set of all channels, and A = {α?|α ∈ K} ∪ {α!|α ∈ K} ∪ {τ } to denote the set of all actions. Here, τ denotes an "empty" action -without synchronization.
) where L denotes the set of locations in the timed automaton, l 0 is the initial location, A is a set of of actions, C a set of clocks, V is a set of data variables, and E ⊆ L × A× B(C, V ) × R × L denotes the set of edges, while I assigns invariants to locations (i.e., I : L → B(C) is a mapping of each location to a constraint over some clocks).
If a clock valuation u satisfies the invariants at location l, we abuse the notation and write u ∈ I(l). Similarly, we denote with w ∈ I(l), if w = (u, v) and u ∈ I(l). Also, if a valuation w satisfies a condition g ∈ B(C, V ) we write w ∈ g.
A network of n timed automata is obtained by composing 
is the set of states, s 0 = (l 0 , w 0 ) is the initial state, where w 0 = (u 0 , v 0 ) and v 0 is any initial data valuation, and →⊆ S × S is the transition relation defined by:
Since the first type of transitions is the result of time-passing, unless otherwise stated, in the rest of this article, when we use the term UPPAAL transition we will refer to either case (2) or (3) of the previous definition.
To illustrate this definition, consider the model from Figure 2 , where both automata have separate local clocks t. Location P0.l0 has invariant t ≤ 10, while the edge P0.l0 → P0.l1 has the guard condition t ≥ 10, reset action t = 0, and transmission over channel e1. Hence, synchronization over the channel e1 ensures that the transitions P0.l0 → P0.l1 and P1.l0 → P1.l1 occur simultaneously. Finally, note that clocks do not have to be reset to zero (e.g., as on the edge P0.l1 → P0.l0).
For semantics S, (1) of Definition 2.2), since these transitions can be merged into a single transition of that type.
2.1.2. Additional UPPAAL Extensions of the Timed-Automata Formalism. Beside integer variables and synchronization channels, UPPAAL extends timed-automata with committed and urgent locations where time is not allowed to pass (i.e., no delay is allowed). Committed locations are more restrictive and they are usually used to model atomic sequences of actions. In a network of timed automata, if some automata are in committed locations then only transitions outgoing from the committed locations are allowed. UPPAAL also introduces broadcast channels, where one sender can synchronize with multiple receivers (e.g., zero, one, or more than one). Furthermore, urgent channels can be used for synchronization, to specify that if a transition with synchronization over an urgent channel is enabled, then the transition should occur without any delay.
Code Synthesis from UPPAAL Models
There are only few tools that can be used for automatic implementation of timedautomata models designed in UPPAAL (e.g., Amnell et al. [2004] and Hendriks [2001] ). A commonly used tool is Times [Amnell et al. 2004 ] that supports code generation for general platforms, extended with task support for Lego Mindstorm TM platform. The code synthesized using Times has a very simple structure, where all transitions are stored in an array. Each transition is represented with four fields: an activity flag, source and destination location ids, and a synchronization id. The transitions are evaluated in automatically generated check trans function, and for the code to operate correctly the values for all clocks should be updated in a separate procedure, triggered by the system timers. Since check trans performs a single evaluation for each transition (in the order specified by the array structure), to ensure that no transitions are missed the check trans function has to be continuously invoked within an infinite loop, unless the code is executed on a LEGO Mindstorm RCX brick running brickOS. Thus, in the general case, the code generated with Times completely utilizes the CPU, disallowing instantiation of any other tasks. As we will show later in this article, this is not the case for the code that is synthesized using our development framework.
Due to this array-based structure, with the code obtained using Times it is not straightforward to decouple the controller (in our case the pacemaker) and the environment (e.g., the heart) in scenarios described in Figure 1 (a). For example, to facilitate the decoupling [Kim et al. 2011] propose a modification of the initial UPPAAL model by specifying the interaction between the controller and the environment using boolean shared variables. Although the solution preserves behaviors of the initial model, as pointed out by the authors, this type of manual modifications is effectively one of the most error prone aspects of the model-based development. Hence, to avoid this type of errors, it is necessary to provide modular code synthesis from verified UPPAAL models. We will later show that UPP2SF resolves this issue, since the obtained code has a modular structure (instead of maintaining an array of transitions).
Finally, the code generated from Times models does not guarantee that some aspects of the UPPAAL timed-automata semantics will be preserved [Ayoub et al. 2010] . For example, it does not ensure that the requirement for committed states is satisfied.
EXTRACTING RUNS FROM UPPAAL MODELS
To develop the UPP2SF model translation tool, we consider the problem of extracting runs for UPPAAL models. We focus on a large class of UPPAAL models without clock conditions of the form x > E, where x is a clock and E an expression. The restriction, while not limiting in modeling of real control system, guarantees that all invariants and guards are expressed as intersections of left semi-closed (LSC) intervals. Thus, we refer to this class as Class LSC, and in this work we consider only this type of models.
To obtain a run of an UPPAAL model, it is sufficient to simulate the model only at integer time points , which allows for the use of discrete-time based tools for model simulation. Since the execution of UPPAAL models is nondeterministic, a transition in UPPAAL can occur at any point at which it is enabled. However, at each time instance, it may not be straightforward to determine whether a currently enabled transition will still be enabled at the next integer-time point. Therefore, to simplify the translation procedure, we consider runs of UPPAAL models that are obtained using the maximal progress assumption (MPA).
A run that satisfies the MPA will be referred to as an MPA run. Note that from the definition, if some transitions in an MPA run are enabled, one of them should occur.
THEOREM 3.2. Consider an UPPAAL model from the Class LSC. For every MPA run R of the model and for all k
≥ 0, the clock valuation u R k satisfies that for each clock x, u R k (x) ∈ N 0 (i.e.,
all transitions of R occur at integer time points).
PROOF. Let's assume that the theorem does not holds -that is, there exists an MPA run R for which there exists k ≥ 0 and a clock x such that u R k (x) / ∈ N 0 . By k 0 we denote the first (i.e., lowest) such k. Since all clocks are initialized to zero, k 0 > 0 and
) of the run R. From Definition 2.2 one of the following cases is valid.
(1) ( (1) of Definition 2.2 (i.e., time passing). Then from the definition of a run, the transition (
satisfies the clock guard conditions of the form x n, where n ∈ N 0 and ∈ {≤, ≥, =, <}, then u k 0 (x) belongs to an intersection of left-closed intervals with integer boundaries. Thus, u k 0 (x) belongs to the same intersection of the intervals, meaning that u k 0 = u k 0 satisfies this type of clock constraints from g. Furthermore, if for some clocks x and y, valuation u k 0 satisfies constraints of the form x − y n, it follows that
is true, and all clock constraints of this form are also satisfied, implying that
(all reset clocks are equal, since clocks are reset to integer values). Therefore, as for the guard, it can be shown that w k 0 +1 ∈ I(l k 0 +1 ) implies that w k 0 +1 ∈ I(l k 0 +1 ), which proves that the transition
) was also enabled. Since w k 0 (x) < w k 0 (x) it follows that in this case R is not an MPA run, which violates our initial assumption.
A similar proof can be used in the latter case when ( (2) or (3) of Definition 2.2. Then, there exists a transition with reset r such that w k 0 = r(w k 0 −1 ), or a synchronized transition with resets r i , r j such that w k 0 = (r i ∪ r j )(w k 0 −1 ). However, since w k 0 −1 is an integer valuation, in both cases u k 0 (x) ∈ N because no clock can be reset to a noninteger value. This conflicts our initial assumption, and thus concludes the proof.
The theorem presents the basis for the translation procedure. It allows us to obtain an MPA run by evaluating transitions from active locations in each automaton only at integer time points. Note that each automaton may be evaluated more than once, as more than one transition could occur within a single automaton at any integer time.
Theorem 3.2 can be easily extended for UPPAAL models with committed and urgent locations, and urgent and broadcast channels. For example, urgent locations can be modeled by adding an extra clock x u that is reset to zero on all incoming edges to urgent locations, and adding condition x u ≤ 0 to invariants in all urgent locations. Yet, this does not affect the proof of Theorem 3.2, and thus the theorem is still valid. In addition, semantics for UPPAAL models that employ urgent channels is similar to the semantics from Definition 2.2, with an additional condition in case (1) of the definition. In this case (l, w) 
. Similarly, broadcast channels semantics does not require that exactly one transition with receiving channel occurs simultaneously with a transition that contains a transmission over the channel -with broadcast channels none, one or more than one "receiving" transitions could occur. Thus, Theorem 3.2 is also satisfied even if urgent and broadcast channels are used.
BRIEF OVERVIEW OF STATEFLOW
A Stateflow chart (i.e., model) employs a concept of finite state machines extended with additional features, including support for different data types and events that trigger actions in a part or the whole chart. Here, we present a small subset of the Stateflow features used in the translation procedure. Detailed descriptions of other features can be found in [Matlab 2012; Scaife et al. 2004; Hamon and Rushby 2007; Hamon 2005] .
A state in a Stateflow chart can be active or inactive, and the activity dynamically changes based on events and conditions. States can be defined hierarchically -that is, a state can contain other states (referred to as substates). A decomposition of a chart (or a state) determines if its states (substates) are exclusive or parallel states. Within a chart (or a state), no two exclusive states can be active at the same time, while any number of parallel states can be simultaneously activate (but executed sequentially).
Unlike in UPPAAL, transitions between states in Stateflow are taken as soon as enabled. They are described in the form (where each part of the description is optional)
Event identifies the event that enables the transition (which is enabled by default if Event is not stated), if the condition (if specified, by default it is true) is valid. The condition is described using basic logical operations on conditions over chart variables and Stateflow operators. Actions in condition actions and transition actions include event broadcasting and operations on data variables. The Stateflow semantics specifies that when a transition from a state s i to state s j occurs, then condition action are executed first, before the state s i becomes inactive. This is followed by the execution of transition actions, and finally activation of the state s j (i.e., during the execution of transition actions none of the states is active). A Stateflow chart runs on a single thread and it is executed only when an event occurs. All actions that occur during an execution triggered by an event are atomic to that event. After all activities that take place based on the event are finished, the execution returns to its prior activity (i.e., activity before receiving the event). All parallel states within a chart (and similarly, all parallel substates in a state) are assigned with a unique execution order. Furthermore, all outgoing transitions from a state have different execution indices. Thus, the execution of a Stateflow chart is fully deterministic -Stateflow semantics specifies that active states are scheduled, and state transitions are evaluated in the execution order (starting from the lowest execution index).
3
Notion of Time in Stateflow. Stateflow temporal logic can be used to control execution of a discrete-time chart in terms of time. It defines time periods using absolute-time operators based on the simulation time, or event-based operators that use the number of event occurrences. Absolute-time logic defines operators after, before as
where t denotes the time that has elapsed since the activation of the associated state (i.e., from the last transition to the state -including self-transitions). The value for time t can be obtained using the operator temporalCount(sec). Similarly, event-based temporal logic operators are used for event counting -for example, af ter(n, clk) returns 1 if the event clk has occurred more than (n− 1) times after the state has been activated.
UPP2SF: MODEL TRANSLATION PROCEDURE
In this section, we present an overview of the UPP2SF translation procedure. We also describe the translation rules for UPPAAL models with urgent and broadcast channels, urgent and committed locations, and local clocks, as these functionalities are used for the pacemaker modeling. For the full UPP2SF description, refer to .
Overview of UPP2SF
Consider an UPPAAL model with automata P 1 , . . . , P n . The UPP2SF translation procedure would produce a two-level Stateflow chart as in Figure 3 , with parallel states P 1 , . . . , P n (referred to as the parent states) derived from the automata, parallel states Gc x 1 , . . . , Gc x m (referred to as clock states) that model all global clocks x 1 , . . . , x m from the UPPAAL model, 4 and the state Eng that is used as the chart's control execution engine. In addition, the chart has predefined global data variables (and constants) with appropriate variable ranges and initial values obtained from the UPPAAL model. Since all automata in UPPAAL are simultaneously active, the obtained Stateflow chart is a collection of parallel states with unique execution orders. Also, in every UPPAAL automaton exactly one location is active at a time. Thus, each of the parent states is a collection of exclusive states, extracted from locations in the UPPAAL automaton.
To ensure that the extracted chart is simulated at integer time points, input trigger event clk is added to the chart and a signal generator block is added to the parent Simulink model. We call a clk execution the execution of the chart from the moment the chart is triggered by a clk event, until processing of the event has been finished. Since our goal is to derive a Stateflow chart whose execution is one of the MPA runs of the initial UPPAAL model, it is possible that more than one transition within the model (and even within a single automaton) occur at any time point. Therefore, the chart can (re)activate itself by transmitting local (within the scope of the chart) events from the additional parallel state Eng, which is executed last of all chart's parallel states. Processing of the events triggered during a clk execution is considered a part of the clk execution. Since event processing is atomic in Stateflow, no time elapses (in Simulink) during a clk execution regardless how many additional event broadcasts have occurred. With this approach, a single activation of the chart triggers all transitions enabled at that integer time point, effectively extracting an MPA execution trace of the model.
Finally, any UPPAAL edge from location l k i to l k j in any automaton P k , which does not use global clocks and synchronization over binary channels, is mapped into a Stateflow transition P k .l k i → P k .l k j between the corresponding substates in the parent state P k . In the rest of the section, we provide a description of the edge translation procedure.
Remark 5.1. In the general case, the edge l k i g,α,r −−→ l k j (where α ∈ {τ, c!, c?} and c is a binary or broadcast channel) is mapped into a more complex structure in Stateflow between the substates P k .l k i and P k .l k j . If the edge uses global clocks then a junction J ij and transition P k .l k i → P k .J ij are introduced to update global clock values used in the edge's guard and invariants. Also, if α does not use a binary channel, a single transition is introduced from J ij to P k .l k j . However, if α uses a binary channel, to preserve the semantics three edges and a junction are added between J ij and P k .l k j .
Mapping UPPAAL Edges without Synchronization
Consider an UPPAAL edge l k i g,τ,r −−→ l k j in automaton P k . The guard g can be split into a conjunction of data and clock conditions, and thus during the translation UPP2SF introduces a Stateflow transition P k .l k i → P k .l k j of the form:
]/{R V (r); R C (r);
where
translates the clock (data) conditions from UPPAAL condition h into an equivalent Stateflow condition, 
(2) R C (r) (R V (r)) maps clock (data) resets in r to an equivalent Stateflow assignment, (3) G C (r, I(l k j )) maps the condition that the clock valuation after the reset r satisfies the invariant at the "new" location l k j , (4) R S (r) controls execution of the chart.
Data resets (R V (r)) and guard conditions (G V (g)) are directly mapped into the identical Stateflow expressions. Mapping local clocks' resets and guards is described as follows:
5.2.1. Mapping Clock Conditions and Resets. In UPPAAL, each clock condition h ∈ B(C) is specified as h = h 1 ∧ h 2 ∧ · · · ∧ h M , where h i 's are basic clock conditions. Therefore,
, and it is only necessary to provide a set of rules for the translation of basic clock conditions of the form x n or x − y n, where x, y ∈ C and n ∈ Z (or an expression over integer variables and constants).
To specify conditions over clocks, UPP2SF employs event based Stateflow temporal logic operators that (only) count the number of clk event occurrences. When the temporal logic operators are used in a chart with the two-level hierarchy shown in Figure 3 , Stateflow associates a unique counter with each parallel (i.e., parent) state. It is important to highlight here that Stateflow semantics specifies that when the appropriate event activates the chart (i.e., when clk triggers the chart) all these counters are incremented at the beginning of the chart's execution -that is, even before the first parallel state begins its execution. Consequently, when each of the parallel states is executed, the counter value is equal to the number of the event's appearances from the activation of its currently active substate. For each parent state P k , this values is temporalCount(clk), and thus we denote this value by tC P k . In addition, we define tC x = tC P k if x is a local clock defined in the automaton P k . Unlike in UPPAAL where clocks might not be reset to zero during a transition, for a parallel state in the Stateflow chart the aforementioned counter is always reset when a transition occurs (when the associated substate is activated). Thus, while mapping edges from the automaton P k , we explicitly model each local (from P k ) clock x by introducing the accounting variable n x that maintains the clock value from the moment of the last state activation. This is done using R C (r) from (3), which is specified as
Our goal is that at integer time points UPPAAL valuation u of the clock x (i.e., u(x)) is equal to the value u S (x) defined as u S (x) = n x + tC x (we will show this in the next section). Note that a single counter value is used for all local clocks defined within the same automaton (i.e., tC x = tC y if x, y are local clocks defined in automaton P k ). The transformation of the basic clock conditions presented in Table I employs eventbased temporal logic operators while taking into account the values of the accounting variables for all used clocks. In the mapping each clock x is replaced with the value u S (x). In addition, we used a relationship between Stateflow temporal logic operators from (2) to simplify the notation. For example, the condition x < n for a local clock x is mapped into n x + temporalCount(clk) < n, which is equivalent to before(n − n x , clk) (since before(n − n x , clk) = 1 ⇔ temporalCount(clk) < n − n x ).
Finally, as specified in Definition 2.2, the requirement that the new clock valuation satisfies the invariant at the (new) location l k j is equivalent to the condition that both the non-reset and the reset clock values satisfy the clock invariants at location l k j . h k ) ) where
The expression for G C (r, I(l k j )) can be significantly simplified. If r(x) resets the clock x to a constant (which is the prevailing case in UPPAAL), conditions from (5) can be evaluated during the translation and can be replaced with fixed terms ( f alse or true).
Obtaining an MPA Execution of the Chart
The execution semantics of Stateflow ensures that in each of the parent states transitions from the active state will be evaluated at least once during a clk execution. However, to obtain an MPA run of the model, after a transition occurs it is necessary that in each parent state transitions from the active state are reevaluated. We guarantee this by reactivating the chart if at least one transition has occurred. Thus, in the chart, UPP2SF introduces the parallel state Eng (Figure 3 ), which is executed last among the parent (and clock) states. Furthermore, additional chart event tt and flag act are defined, and as a part of each transition, by adding act = 1; to R S (r) from (3), act is set to 1. Finally, Eng contains a single substate and it broadcasts the event tt to the chart if act has been set to 1, using the lowest priority self-transition of the form
Translating Broadcast Channels
Events in Stateflow are a good semantic match for broadcast channels in UPPAAL.
Therefore, for each broadcast channel c, UPP2SF defines a Stateflow event c assigned with a unique positive integer I D(c). To translate edge l i g,c!,r
− −− → l j from automaton P k , UPP2SF uses a centralized approach where the Eng state broadcasts events and controls execution of the chart by using additional variable sent that can have the following values (here, ExO(P k ) > 0 is the execution order of the parent state
event c is scheduled for broadcast 0, no event scheduled for broadcast −ExO(P k ), an event is broadcast, only receiving edges are enabled. (7) Note that I D(c) > 0, and ExO(P i ) = ExO(P j ) if P i = P j . Table II shows the mapping of UPPAAL edges into Stateflow. Action c! is mapped into sent = I D(C) assignment, thus disabling all "nonreceiving" transitions due to their condition (sent == 0). Similarly, condition (sent ∼= −ExO(P k )) disables all "receiving" transitions in the parent state P k , ensuring that the parent state does not synchronize with itself. Finally, the Eng state is used to broadcast events by adding for each event c the following self-transition in the state:
In addition, to reset sent and to ensure that all previously disabled transitions are reevaluated by reactivating the chart after the event is processed (i.e., after all parent 
states are re-executed), UPP2SF adds the following self-transition in the state Eng
Transitions (8), (9) have precedence (i.e., lower execution order) over the transition (6).
Remark 5.2. In general, more than one UPPAAL automaton could transmit over a shared broadcast channel. In this case, Eng state would not always be able to determine the parent state P k that has initiated the event broadcast. Thus, variable ExOP would have to be defined along with additional reset action ExOP = ExO(P k ) in transitions with sent = I D(c); (from Table II ). Also, transition (8) would take the form [(sent == I D(c))]{sent = −ExOP; send(c); }. However, since this case does not occur in most UPPAAL models, due to the space limitation we present the simpler formulation.
Translating Urgent and Committed States
UPP2SF also preserves semantics of urgent and committed states, and urgent channels. By extracting MPA runs of the UPPAAL model we ensure that no time passes in the states from which there exists an enabled transitions. Thus, as a byproduct, semantics of urgent channels and locations are preserved. On the other hand, if some automata in UPPAAL are in committed locations, then only transitions outgoing from one of the committed locations are allowed. Thus, to deal with committed locations we introduce a new "control" variable comm that always contains the number of active committed states. For all transitions incoming to a committed state expression comm = comm + 1; is added to the reset operations (i.e., R S (r) from (3)). Similarly, for all outgoing transitions from a committed state comm = comm− 1; is added to the reset. To disable transitions from noncommitted states when there exists an active committed state, guard condition (comm == 0) is added to all "nonreceiving" transitions outgoing from a noncommitted state. Note that setting act to 1 (as specified in (6), for all transitions in parent states) reactivates the chart to ensure that all transitions are reevaluated, including the ones that have been disabled due to (comm == 0) condition.
Stateflow Chart Optimization
Stateflow charts obtained using the described set of rules can usually be significantly simplified. For example, clock guards and invariants specify fixed left-closed intervals if, in conditions from Table I , n denotes a constant. These intervals can be expressed in Stateflow with maximum two terms from Table I (e.g., invariant t ≤ n and guard t ≥ n can be combined into a single Stateflow condition temporalCount(clk) == n − n t ). In addition, it is possible to remove updates to an accounting variable n x from transitions incoming to a state, if on all paths from the state there exist resets of the clock x before the clock is used in a transition guard or invariant. Similarly, due to (9) there is no need to reactivate the chart with the act = 1 reset on transitions to a committed/urgent state that are conditioned with event receiving. The same holds if outgoing transitions from a new state are disabled (which is a common case) at the time of activation, and no shared variable has been updated on the incoming transition. For example, in the buffer from Figure 5 (f), for dL a > 0, after l 1 is entered the clock guard disables the outgoing transition. Thus, the assignment act = 1 does not have to be added to the Stateflow transitions from l1 to l0. Finally, transitions between two states with the same conditions and transition actions can be combined into a single transition.
CORRECTNESS OF THE TRANSLATION PROCEDURE
In this section, we show that the set of rules specified in the previous section preserves the UPPAAL semantics. Specifically, we show that the execution of the obtained Stateflow chart presents one of MPA runs of the initial UPPAAL model. However, since the Stateflow semantics is informally defined, formally proving correctness of the translation procedure is not possible. For a subset of Simulink features, there exist some attempts to derive formal semantics (e.g., Hamon and Rushby [2007] and Hamon [2005] ), which have been validated by testing on many examples. We follow a similar approach in this work. We start by formulating basic assumptions on the semantics of the Stateflow charts obtained by UPP2SF -that is, with the structure shown in Figure 3 and which utilize only a small subset of Stateflow functionalities.
Consider a deadlock-free UPPAAL model with automata P 1 , . . . , P n , where each automaton has at least one location, and the extracted two-level Stateflow chart as in Figure 3 , with parent states P 1 , . . . , P n and the parallel state Eng. Since none of the chart's parallel states has transitions, 5 the following proposition holds.
PROPOSITION 6.1. All parallel states in the chart will always be active.
The translation rules specify that all transitions in parent states do not have condition action (from (1)), and no event broadcasting is specified in transition actions. Thus, when a transition P k .l → P k .l occurs in a parent state P k , substate l will be directly activated (i.e., activity will be directly passed from l to l ). 6 In addition, transitions in the Eng state do not have transition actions and they broadcast events as part of condition actions.
7 That means that the state Eng.l0 will never be deactivated.
PROPOSITION 6.2. Each parallel state in the chart always has an active substate.
In the general case, event broadcasting to the whole chart introduces recursive behavior (we will also see this later, in Section 9.1, during the analysis of the pacemaker code -Listing 5, Figure 6 ). These recursions are in general very difficult to control and analyze, and [Hamon and Rushby 2007] restricted the use of events to the definition of sequencing behaviors. In UPP2SF-derived charts, only Eng can broadcast events, on self-transitions from the (only) substate Eng.l0. Since Eng state is executed last within each chart activation, and within its execution only a single transition may occur, local event broadcasts can only occur at the end of chart activations. Therefore, although event broadcasts from the self-transitions in Eng state introduce recursive behavior to the chart, we can consider these recursive runs as series of sequential chart activations with different active events -that is, we can disregard the recursive behavior.
Consequently, we can describe the state of the chart as [Matlab 2012; Hamon and Rushby 2007] . 6 Broadcasting events in transition actions would result in deactivation of the substate l and event broadcasting before the substate l is activated. Thus, during the event's processing (including processing events sent during the event's processing) the parent state P k would not have active substates and would be effectively removed from the execution. On the other hand, broadcasting events in condition actions would usually result in an infinite behavior (since in most cases the condition would still be satisfied) [Matlab 2012 denotes the value of w S after reset operations specified in
and all self-transitions in Eng state are described as [G We define the chart's execution trace R S as a sequence of consecutive chart states θ
, of the execution such that one of the following holds.
-The sequence does not contain any transitions mapped from UPPAAL edges, and
; in this case, we denote the sequence by θ
, since (as none of the transitions in parent states has occurred during the sequence) for some d ∈ N (when i > 0), for all x, y ∈ C, u
9 Here, φ denotes the case when no event is active -when the chart is sleeping, between consecutive clk executions, while SC E is the Simulink Call Event, an intrinsic way for Simulink to activate a Stateflow chart. 10 In general, f should also contain a transition index denoting the transition (from the active substate of the parallel state k) which is being evaluated. However, to simplify our notation, we have omitted this term.
prove then that j = j i for i = 0, . . . , m, and j p = j q for p, q = 0, . . . , m and p = q (i.e., an automaton cannot synchronize with itself, or synchronize twice with another automaton for a single broadcast). After showing these properties, using a similar approach as for Proposition 6.5, we show that the UPPAAL semantics for broadcast channels is preserved. Note that the chart's execution trace R S can be decomposed into a sequence of SFtransitions. Therefore, since the initial UPPAAL location vectorl 0 and valuation w 0 are equal to the initial Stateflow vector of active states and valuation w S , from these three propositions and Theorem 3.2, we have that the sequence of SF-transitions for the UPP2SF-derived chart corresponds to an MPA run of the initial UPPAAL model. Furthermore, it is worth noting that these proofs can be easily extended to show that the semantics of committed locations is also preserved by the translation rules (semantics of urgent channels and locations are guaranteed by the MPA-runs requirement).
In the rest of this article, we will demonstrate the use of the UPP2SF-based MDD framework on the pacemaker case study.
IMPLANTABLE CARDIAC PACEMAKERS
The primary function of an implantable pacemaker is to maintain an adequate heart rate, and ensure safe and efficient cardiac output. Pacemakers usually have two leads placed in the atrium and ventricle, capable of both sensing electrical activity in the heart and pacing the heart. To illustrate the UPP2SF-enabled MDD framework, we developed the most commonly used pacemaker mode, the DDD mode that paces both the atrium and ventricle, senses both, and employs the dual tracked response that synchronizes the chambers. We start by presenting DDD mode requirements from Boston Scientific [2007] , followed by the pacemaker modeling and verification in UPPAAL (UPPAAL modeling of more complex pacemaker modes can be found in Jiang et al. [2012b] ).
Pacemaker Specification
We use the term ventricular event to specify either a pace in the ventricle (denoted VP) or a sense of electrical pulse (i.e., ventricular sense -VS). Similarly, we use atrial event to denote either atrial sense (AS) or pace (AP). However, not every intrinsic electrical activity will be registered as a sense in a chamber because some of the intrinsic pulses might fall within time intervals where sensing is disabled (refractory periods).
For heart therapy in DDD mode, the following requirements are defined:
-Lowest Rate Interval (LRI) defines the longest allowable VP interval if no VS is detected; the interval should start when a ventricular event occurs. Figure 4(a) illustrates the pacemaker's basic timing cycles. Beside imposing limits on the heart-rate and the synchronization requirement between the atrium and ventricle, these specifications introduce refractory periods after ventricular events. These intervals are used to filter noise, ventricular signal reflections, and early events which could otherwise cause undesired pacemaker behavior. To achieve this, during a refractory interval sensing in the appropriate chamber (atrium for PVARP and ventricle for VRP) should be disabled. For example, in Figure 4 (a) AR denotes intrinsic atrial activity that is not taken into account since it occurs within the PVARP interval.
To be able to perform system verification, we used this (informal) system requirements to derive a set of formal specifications. Due to space constraint, the description of the formal pacemaker specifications can be found in Online Appendix A.
Pacemaker Modeling and Verification in UPPAAL
To obtain a pacemaker model in UPPAAL, we modeled each of the (informal) requirements from Section 7.1 as a separate timed-automaton. Furthermore, as described in the introduction, to enable closed-loop system verification in UPPAAL, it is necessary to provide models of the environment (i.e., the heart), along with the models of the interfaces (i.e., interaction) between the environment and controller (as shown in Figure 4(b) ). Thus, the UPPAAL pacemaker model contains the following software components, shown in Figure 5 , where each automaton only uses its own local clocks.
(1) LRI automaton ( Figure 5(a) ) models the LRI requirement that keeps the heart rate above a minimum value by delivering atrial pace events (AP). The LRI timer is reset after a ventricular event (VP or VS). Also, if no atrial event has been sensed (AS) before the timer runs out, the pacing event will be delivered from the atrial lead (AP). inputs Ain and Vin from the heart. For example, these delays can be introduced by the design of the analog interface between the heart and device. (6) Random Heart (RH) automata ( Figure 5(h) ) model the heart as two (for both chambers) uncorrelated random pulse generators with a single constraint that in each chamber the times between two consecutive events are within the predefined interval.
The descried pacemaker model was used to verify the formal pacemaker specifications in UPPAAL. We present the verification approach in Online Appendix B.
PACEMAKER STATEFLOW DESIGN
From the model shown in Figure 5 , using the UPP2SF tool we obtained the pacemaker Stateflow chart presented in Figure 6 . For closed-loop verification in UPPAAL we modeled both the heart and pacemaker, and therefore the obtained chart contains both models of the controller (i.e., pacemaker) and environment (i.e., the heart). To be able to use the obtained Stateflow chart for both simulation and code generation, it was necessary to decouple the pacemaker from the heart model.
Note that the verified UPPAAL model also contains several monitors used to specify verification queries. Since none of these monitors uses shared variables, and they only interact with the rest of the model by receiving synchronization over broadcast channels, they do not affect behavior of the basic automata from Figure 5 . Thus, to simplify Figure 6 , we did not show the parallel states that were obtained from them.
Decoupling the Controller and Environment
Here we present the approach used to decouple the pacemaker and heart. The same approach can be used to decouple models of the environment and controllers in most commonly used scenarios where they only interact by broadcasting events.
Figure 4(b) shows the interaction between the pacemaker and the heart. Since the interaction is modeled using synchronization over broadcast channels, the pacemaker model can be easily extracted from the chart shown in Figure 6 . This is done by removing the parent states that model the heart and buffers (RH a, RH b, ASbuf, VSbuf) , and by defining AinB and V inB as input events. Also, the Eng state has to be Fig. 6 . Pacemaker Stateflow chart extracted using UPP2SF from the UPPAAL model in Figure 5 ; the heart and buffer models are highlighted. modified to remove the transitions used to broadcast these input events. In our case we removed the transitions that broadcast AinB or BinB (highlighted in red in Figure 6 ).
Stateflow does not allow the use of output events to condition internal transitions. Hence, it is necessary to define additional output events from the chart, and in our case for local events a p and v p two output events (AP and VP) were defined. These events are broadcast on the same transitions used to broadcast a p and v p, respectively. In addition, to deal with some implementation issues (details are provided in Section 9), for each output Event an empty C function sendHW Event is added using Simulink features for integrating custom C code. The function does not affect Simulink chart simulations, but allows for the correct output generation from the synthesized code. For example, the Eng transition highlighted with dotted green rectangle was modified to [(sent == 3)]{sent = −1; send(V P); sendHW V P(); send(v p); }.
Note that if the user specifies all components that are part of the controller, UPP2SF can automatically perform these actions to decouple it from the environment.
It is interesting to compare the chart from Figure 6 with the manually designed Stateflow model of the DDD pacemaker [Jiang et al. 2010] , which is slightly simpler as it does not use event broadcasting. Thus, each clk execution has a single chart activation, causing a violation of several of the pacemaker requirements from Section 7.1 (and Appendix A). For example, the URI requirement is not satisfied because URI state is always scheduled after AVI state; since the chart is not reactivated within a clk execution, after URI period expires, AP will be generated late -in the next clk activation.
Since the UPP2SF mapping has been validated, we ensure that the chart's execution will be equivalent to one of the MPA runs of the initial UPPAAL model. However, the chart also contains the model the environment and has no inputs and outputs, and thus we performed validation of the pacemaker Stateflow chart after the decoupling, by extending the approach for testing real-time constraints by Clarke and Lee [1995] . Due to space limitations, more details can be found in Online Appendix C. 
PACEMAKER IMPLEMENTATION
We generated C code from the pacemaker Stateflow chart using the Simulink Real-Time Workshop Embedded Coder (RTWEC).
11,12 The code was generated for the general embedded real-time target and as a result we obtained the main procedure, rt OneStep, which processes the three input events, V inB, AinB, and clk. To ensure that the model semantics is preserved (modulo the execution time), clk input events should be created every 1ms, followed by the procedure's activation. 13 This makes it suitable for implementation on top of a real-time operating system (RTOS).
9.0.1. Code Structure. The structure of the code is straightforward. The current state of the procedure and all variables defined in the chart are maintained in the structure rtDWork, along with counter values used for temporal logic operators (i.e., a counter per parallel state). In addition, rtDWork contains a structure (Listing 1, Figure 7 ) that for each parent state specifies if it is active, along with which of its substates is active. For example, for the state AVI variable is active AVI describes whether the state is active, while is AVI specifies which of its exclusive substates is active. 14 The structure of rt OneStep is shown in Listing 2, Figure 7 . After detecting active input events, an execution of the chart procedure c1 ChartName is invoked for each active input event. The variable sf Event is used to denote the event that is processed during the chart execution. As in Stateflow, starting from input events with lower indices, the events are processed in a prespecified order (using c1 ChartName function). After all events are processed the procedure updates the outputs and event states in the prespecified order. This means that although we broadcast output events and the local events corresponding to them (e.g., VP and v p) as a part of same transitions, the outputs will be actually updated at the end of rt OneStep procedure. This can cause a couple of problems. First, ordering of the generated output events can differ from the order of the corresponding local events. Note that this does not affect simulations in Simulink, since all actions within a clk execution are atomic from perspective of the rest of the Simulink model. The second problem is that with this approach, for each output event only a single output trigger can be generated at the end of a clk execution.
11 Since Matlab 2011b, RTWEC toolbox is referred to as Simulink Embedded Coder. 12 Although we focus on a specific implementation, code with the same structure would be generated from all Stateflow charts obtained from UPPAAL models using UPP2SF (due to the derived charts' structure). 13 In this case, the procedure's execution corresponds to the clk execution. 14 Note that since all parent states are decomposed into exclusive states, activity status for all of the substates within a parent state can be specified with a single variable. However, in the general case, if a state consists of a group of parallel states, RTWEC would define a new variable for each of the parallel states. Thus, if an output event is broadcast more than once within a single clk execution, the corresponding output events will be actually generated one by one, at the end of the consecutive clk executions (i.e., separated by the duration of clk period).
These issues are resolved using the aforementioned SendHW EventName functions.
15
Using Simulink features for integrating custom C code with Stateflow charts in Simulink, we define empty C functions for each output event (e.g., for VP we define SendWH VP). When the code is implemented on a particular hardware platform, the user needs to define these functions. For example, the simplest implementation would include toggling a particular CPU pin every time the function is invoked. At the beginning of the chart execution procedure (Listing 3, Figure 7 ) all counters associated with the event (stored in sf Event ) are increased. Since the pacemaker code uses only clk event in temporal logic operators, the five counters will be incremented only when clk is processed. After this, the functions associated with each of the parallel states are called in the order specified by the execution order.
Listing 4 from Figure 7 presents a pseudocode for processing each of the parallel states. If the state is active, all transitions outgoing from its active substate are evaluated in the prespecified execution order. The first enabled transition is taken and associated transition actions are executed. In the generated code only Eng state, which is executed last, is used to broadcast events as part of its transition actions. As shown in Listing 5, Figure 7 , broadcasting an event associates the (current event) variable sf Event with the event, before it reactivates the chart (by calling c1 ChartName()).
Platform Implementation
The pacemaker code generated by the Simulink RTWEC was executed on nanoRK [Nano-RK 2013] , a fixed-priority preemptive RTOS that runs on a variety of resource constrained platforms. We tested the implementation on the TI MSP-EXP430F5438 Experimenter Board interfaced with a signal generator that provides inputs for the pacemaker code (Figure 8 ). The compiled (without optimization) pacemaker procedure uses 2536 B for code and additional 180 B for data. To interface the code with the environment, each of the inputs (AinB, V inB) triggers an interrupt routine used to set the appropriate event for rt OneStep function.
The pacemaker code was run as a task with period 1ms. Table III shows measured execution times for the pacemaker tasks, for two different CPU frequencies. As expected, an increase in CPU frequency scales into a reduction in the task's execution time. Note that the measurements from Table III can be mapped to CPU utilization for the pacemaker task. With the average utilization of 9.2% for an 8MHz CPU, we can run multiple tasks on the RTOS. More details about platform testing, including testing of the pacemaker formal requirements can be found in Online Appendix D.
Decoupling the Controller and the Environment
In Sections 8 and 9.1, we have described the method we used to decouple models of the pacemaker and the heart. The solution guarantees that the implemented code generates output events as soon as the corresponding local events are generated. However, our implementation introduces some problems regarding processing of input signals.
By introducing an interrupt routine that sets a flag if the input occurs, we effectively synchronize asynchronous input signals. This has a twofold effect on the implemented code. First, each input signal will be processed at most once even if it appears more than one time between consecutive task's activations. This is not a problem for the pacemaker, since in the initial UPPAAL model, due to the buffers, all inputs after the first input in a cycle are disregarded until at least dL a (or dL v) time. Second, it introduces a latency up to the task's period (i.e., clk interval, in our case 1ms) before the input signals are processed. To solve this issue, the extracted procedure could be activated as soon as an input appears. Beside problems with tasks scheduling, if the input signal could affect clock valuations in the initial UPPAAL model this would introduce a time measurement error in the code. For example, if Ain occurs 0.5ms before the next clk activation and the procedure is instantaneously activated as a result of the input, the clock in ASbuf would be reset to zero. Thus, the next clk activation of the procedure would set t to 1, although only 0.5 ms have passed since the input. This problem occurs even if the code has been generated using Times, or any other tool, since the number of clocks used in models is usually greater than the number of timers that CPU provides. To avoid these types of errors, we opted to use the aforementioned approach where input events only set a flag to indicate the need to process input events in the following procedure activation. To take this into account in the initial UPPAAL model, we reverified the safety properties for the model where input buffers increase the upper bound on the introduced delay (i.e., dH a, dH v). The bounds are increased to incorporate the maximal input latency introduced by synchronous processing of the input events (in our case 1ms).
Worst-Case Execution Time Estimation in UPPAAL
Correctness of the generated code relies on the assumption that execution of the code completes before the next external activation. To make sure that it does, we need to estimate the WCET of the code execution, taking into account that the c1 ChartName procedure (i.e., the chart) may be internally activated multiple times. We propose an approach that does not require translation from UPPAAL to Stateflow. Rather, it uses the initial UPPAAL model to calculate an upper bound on the maximal number of internal activations N i within an external activation (i.e., per clk execution). This enables a WCET estimation at an early stage, during system modeling in UPPAAL. Since the chart is reactivated with event broadcasts and some transitions, to determine the bound for N i we extend the model with the following accounting features:
-global variable tr cnt and the automaton TrMonitor (Figure 9 ) that resets the variable at integer time points, -in the controller part of the UPPAAL model, reset operation tr cnt = tr cnt +1 should be added to all edges with transmissions over a broadcast channel, or edges that would be translated into Stateflow transitions with act = 1 reset (i.e., the transition for which Eng state would reactivate the chart), -reset tr cnt = tr cnt +1 to the edges with transmissions over broadcast channels that present inputs to the controller, -introduce UPPAAL temporal formula A2 tr cnt ≤Ñ i .
With these changes, the variable tr cnt bounds the number of internal activations of the chart. Therefore, if this proposition is satisfied, the valueÑ i + 1 provides an upper bound for the number of chart executions within a single clk execution (1 is due to external activation). For the pacemaker UPPAAL model from Figure 5 , we added the reset operation to eight transitions. We proved that the formula holds forÑ i = 5. Note that since the UPPAAL model contains a model of the environment (i.e., the heart), N i takes into account chart activations caused by inputs. On the other hand, when we considered open-loop execution of the pacemaker (without input events from the heart), using the pacemaker model in Figure 5 without the model of the environment (i.e., RH automata) we proved that the formula holds forÑ ol i = 1. Thus, in this case, at most two chart executions can occur within a single clk execution (i.e., task activation).
If these results are compared with the execution time measurements from Table III, we can notice that for the open-loop experiments, the ratio between the maximal and minimal execution time is less than 3. Similarly, for the experiments with the test generator, the ratio is less than 5. Since in our case the minimal execution time corresponds to a single chart execution during the task's activation (which in general might not be the case), we can infer that N ol i = 1 and N i = 3. Therefore, our WCET analysis provided the exact bound for the open-loop scenario and a conservative bound for the closed-loop case.
The reason for this is that the transition monitor from Figure 9 (a) does not take into consideration the order of the input events processing, and if both AinB! and V inB! occur at the same time instance, the UPPAAL model might synchronize over the channel AinB first. On the other hand, the pacemaker model in Stateflow, and thus the obtained code, have a fixed input ordering, meaning that the inputs are always processed in the predefined order; in the pacemaker code V inB is always processed before AinB (and the clk event is processed last). To take this into account, we used the monitor from Figure 9 (b) and specified the proposition as A2 ((tr cnt ≤Ñ i ) || (T rMonitor.l2) ). This effectively disregards scenarios in which AinB is processed before V inB within a task execution. We proved that this formula holds forÑ i = 4, thus improving the bound. Note that if the obtained code has more than two inputs (beside clk) it is
