Modeling and analysis of non-functional properties, such as timing constraints, is crucial in automotive real-time embedded systems. East-adl is a domain specific architectural language dedicated to safety-critical automotive embedded system design. We have previously specified East-adl timing constraints in Clock Constraint Specification Language (Ccsl) and proved the correctness of specification by mapping the semantics of the constraints into Uppaal models amenable to model checking. In most cases, a bounded number of violations of timing constraints in automotive systems would not lead to system failures when the results of the violations are negligible, called Weakly-Hard (WH). Previous work is extended in this paper by including support for probabilistic analysis of timing constraints in the context of WH: Probabilistic extension of Ccsl, called PrCcsl, is defined and the East-adl timing constraints with stochastic properties are specified in PrCcsl. The semantics of the extended constraints in PrCcsl is translated into Uppaal-SMC models for formal verification. Furthermore, a set of mapping rules is proposed to facilitate guarantee of translation. Our approach is demonstrated on an autonomous traffic sign recognition vehicle case study.
Introduction
Model-driven development is rigorously applied in automotive systems in which the software controllers interact with physical environments. The continuous time behaviors (evolved with various energy rates) of those systems often rely on complex dynamics as well as on stochastic behaviors. Formal verification and validation (V&V) technologies are indispensable and highly recommended for development of safe and reliable automotive systems [3, 4] . Conventional V&V, i.e., testing and model checking have limitations in terms of assessing the reliability of hybrid systems due to both the stochastic and non-linear dynamical features. To ensure the reliability of safety critical hybrid dynamic systems, statistical model checking (SMC) techniques have been proposed [11, 12, 24] . These techniques for fully stochastic models validate probabilistic performance properties of given deterministic (or stochastic) controllers in given stochastic environments.
Conventional formal analysis of timing models addresses worst case designs, typically used for hard deadlines in safety critical systems, however, there is great incentive to include "less-than-worst-case" designs to improve efficiency but without affecting the quality of timing analysis in the systems. The challenge is the definition of suitable model semantics that provide reliable predictions of system timing, given the timing of individual components and their compositions. While the standard worst case models are well understood in this respect, the behavior and the expressiveness of "less-than-worst-case" models is far less investigated. In most cases, a bounded number of violations of timing constraints in systems would not lead to system failures when the results of the violations are negligible, called Weakly-Hard (WH) [8, 28] . In this paper, we propose a formal probabilistic modeling and analysis technique by extending the known concept of WH constraints to what is called "typical" worst case model and analysis.
East-adl (Electronics Architecture and Software Technology -Architecture Description Language) [5, 14] , aligned with AUTOSAR (Automotive Open System Architecture) standard [1] , is a concrete example of the MBD approach for the architectural modeling of safety-critical automotive embedded systems. A system in East-adl is described by Functional Architectures (FA) at different abstraction levels. The FA are composed of a number of interconnected functionprototypes (f p ), and the f p s have ports and connectors for communication. East-adl relies on external tools for the analysis of specifications related to requirements. For example, behavioral description in East-adl is captured in external tools, i.e., Simulink/Stateflow [31] . The latest release of East-adl has adopted the time model proposed in the Timing Augmented Description Language (Tadl2) [9] . Tadl2 expresses and composes the basic timing constraints, i.e., repetition rates, End-to-End delays, and synchronization constraints. The time model of Tadl2 specializes the time model of MARTE, the UML profile for Modeling and Analysis of Real-Time and Embedded systems [29] . MARTE provides Ccsl, a time model and a Clock Constraint Specification Language, that supports specification of both logical and dense timing constraints for MARTE models, as well as functional causality constraints [26] .
We have previously specified non-functional properties (timing and energy constraints) of automotive systems specified in East-adl and MARTE/Ccsl, and proved the correctness of specification by mapping the semantics of the constraints into Uppaal models for model checking [22] . Previous work is extended in this paper by including support for probabilistic analysis of timing constraints of automotive systems in the context WH: 1. Probabilistic extension of Ccsl, called PrCcsl, is defined and the East-adl/Tadl2 timing constraints with stochastic properties are specified in PrCcsl; 2. The semantics of the extended constraints in PrCcsl is translated into verifiable Uppaal-SMC [2] models for formal verification; 3. A set of mapping rules is proposed to facilitate guarantee of translation. Our approach is demonstrated on an autonomous traffic sign recognition vehicle (AV) case study.
The paper is organized as follows: Chapter 2 presents an overview of Ccsl and Uppaal-SMC. The AV is introduced as a running example in Chapter 3. Chapter 4 presents the formal definition of PrCcsl. The timing constraints that are applied on top of AV are specified using Ccsl in Chapter 5. Chapter 6 describes a set of translation patterns from Ccsl/PrCcsl to Uppaal-SMC models and how our approaches provide support for formal analysis at the design level. The behaviours of AV system and the stochastic behaviours of the environments are represented as a network of Stochastic Timed Automata presented in Chapter 7. The applicability of our method is demonstrated by performing verification on the AV case study in Chapter 8. Chapter 9 and Chapter 10 present related work and the conclusion.
Chapter 2 preliminary
In our framework, we consider a subset of Ccsl and its extension with stochastic properties that is sufficient to specify East-adl timing constraints in the context of WH. Formal Modeling and V&V of the East-adl timing constraints specified in Ccsl are performed using Uppaal-SMC. Clock Constraint Specification Language (Ccsl) [6, 26] is a UML profile for modeling and analysis of real-time systems (MARTE) [7, 25] . In Ccsl, a clock represents a sequence of (possibly infinite) instants. An event is a clock and the occurrences of an event correspond to a set of ticks of the clock. Ccsl provides a set of clock constraints that specifies evolution of clocks' ticks. The physical time is represented by a dense clock with a base unit. A dense clock can be discretized into a discrete/logical clock. idealClock is a predefined dense clock whose unit is second. We define a universal clock ms based on idealClock: ms = idealClock discretizedBy 0.001. ms representing a periodic clock that ticks every 1 millisecond in this paper. A step is a tick of the universal clock. Hence the length of one step is 1 millisecond.
Ccsl provides two types of clock constraints, relation and expression: A relation limits the occurrences among different events/clocks. Let C be a set of clocks, c1, c2 ∈ C, coincidence relation (c1 ≡ c2) specifies that two clocks must tick simultaneously. Precedence relation (c1 ≺ c2) delimits that c1 runs faster than c2, i.e., ∀k ∈ N + , where N + is the set of positive natural numbers, the k th tick of c1 must occur prior to the k th tick of c2. Causality relation (c1 c2) represents a relaxed version of precedence, allowing the two clocks to tick at the same time. Subclock (c1 ⊆ c2) indicates the relation between two clocks, superclock (c1) and subclock (c2), s.t. each tick of the subclock must correspond to a tick of its superclock at the same step. Exclusion (c1 # c2) prevents the instants of two clocks from being coincident. An expression derives new clocks from the already defined clocks: periodicOn builds a new clock based on a base clock and a period parameter, s.t., the instants of the new clock are separated by a number of instants of the base clock. The number is given as period. DelayFor results in a clock by delaying the base clock for a given number of ticks of a reference clock. Infimum, denoted inf, is defined as the slowest clock that is faster than both c1 and c2. Supremum, denoted sup, is defined as the fastest clock that is slower than c1 and c2. UPPAAL-SMC performs the probabilistic analysis of properties by monitoring simulations of complex hybrid systems in a given stochastic environment and using results from the statistics to determine whether the system satisfies the property with some degree of confidence. Its clocks evolve with various rates, which are specified with ordinary differential equations (ODE). Uppaal-SMC provides a number of queries related to the stochastic interpretation of Timed Automata (STA) [12] and they are as follows, where N and bound indicate the number of simulations to be performed and the time bound on the simulations respectively:
1. Probability Estimation estimates the probability of a requirement property φ being satisfied for a given STA model within the time bound: P r[bound] φ.
2.
Hypothesis Testing checks if the probability of φ being satisfied is larger than or equal to a certain probability P 0 : P r[bound] φ P 0 . An autonomous vehicle (AV) [20, 21] application using Traffic Sign Recognition is adopted to illustrate our approach. The AV reads the road signs, e.g., "speed limit" or "right/left turn", and adjusts speed and movement accordingly. The functionality of AV, augmented with timing constraints and viewed as Functional Design Architecture (FDA) (designFunctionTypes), consists of the following f p s in Fig. 3 .1: System function type contains four f p s, i.e., the Camera captures sign images and relays the images to SignRecognition periodically. SignRecognition analyzes each frame of the detected images and computes the desired images (sign types). Controller determines how the speed of the vehicle is adjusted based on the sign types and the current speed of the vehicle. VehicleDynamic specifies the kinematics behaviors of the vehicle. Environment function type consists of three f p s, i.e., the information of traffic signs, random obstacles, and speed changes caused by environmental influence described in TrafficSign, Obstacle, and Speed f p s respectively. We consider the Periodic, Execution, End-to-End, Synchronization, Sporadic, and Comparison timing constraints on top of the AV East-adl model, which are sufficient to capture the constraints described in Fig. 3.1 . Furthermore, we extend East-adl/Tadl2 with an Exclusion timing constraint (R27 -R31) that integrates relevant concepts from the Ccsl constraint, i.e., two events cannot occur simultaneously.
R1. The camera must capture an image every 50ms. In other words, a Periodic acquisition of Camera must be carried out every 50ms. R2. The captured image must be recognized by an AV every 200ms, which can be interpreted as a Periodic constraint on SignRecognition f p . R3. The obstacle will be detected by vehicle every 40ms, i.e., a Periodic timing constraint should be applied on the obstacle input port of Controller. R4. The speed of the vehicle should be updated periodically with the period as 30ms, i.e., a Periodic timing constraint should be applied on the speed input port of Controller. R5. The detected image should be computed within [100, 150]ms in order to generate the desired sign type, the SignRecognition must complete its execution within [100, 150]ms. R6. After the Camera is triggered, the captured image should be sent out from Camera within 20 -30ms, i.e., the execution time of Camera should be between 20 and 30ms. R7. After an obstacle is detected, the Controller should send out a request to brake the vehicle within 100 -150ms, i.e., the execution time for Controller should be in the range [100, 150]ms. R8. After the command/request from controller is arrived at VehicleDynamic, the speed should be updated within 50 -100ms. That is, the Execution timing constraint applied on VehicleDynamic is 50 -100ms. R9. If the mode of AV switches to "emergency stop" due to the certain obstacle, it should not revert back to "automatic running" mode within a specific time period. That is interpreted as a Sporadic constraint, i.e., the mode of AV is changed to "stop" because of the encounter of obstacle, it should not revert back to "run" mode within 500ms. R10. If the mode of AV switches to "emergency stop" due to the certain obstacle, it should not revert back to "accelerate " mode within a specific time period. That is interpreted as a Sporadic constraint, i.e., the mode of AV is changed to "stop" because of the encounter of obstacle, it should not revert back to "accelerate" mode within 500ms. R11. If the mode of AV switches to "emergency stop" due to the certain obstacle, it should not revert back to "turn left" mode within a specific time period. That is interpreted as a Sporadic constraint, i.e., the mode of AV is changed to "stop" because of the encounter of obstacle, it should not revert back to "turn left" mode within 500ms. R12. If the mode of AV switches to "emergency stop" due to the certain obstacle, it should not revert back to "turn right" mode within a specific time period. That is interpreted as a Sporadic constraint, i.e., the mode of AV is changed to "stop" because of the encounter of obstacle, it should not revert back to "turn right" mode within 500ms. R13. The required environmental information should arrive to the controller within 40ms. That is input signals (speed, signType, direct, gear and torque ports) must be detected by Controller within a given time window, i.e., the tolerated maximum constraint is 40ms. R14. After the execution of Controller is finished, all the requests of controller should be updated within 30ms. That is output signals (on reqTorq, reqDirect, reqGear, reqBrake ports) must be sent within a given time window, i.e., the tolerated maximum constraint is 30ms. R15. The requests from the controller should be arrived to VehicleDynamic within 30ms. That is input signals (reqTorq, reqDirect, reqGear, reqBrake) must be detected by VehicleDynamic within a given time window, i.e., the tolerated maximum constraint is 30ms. R16. After execution of VehicleDynamic is finished, the information of vehicle should be updated within 40ms, i.e., the Synchronization applied on the output ports (speed, direct, gear, torque) is 40ms. R17. When a traffic sign is recognized, the speed of AV should be updated within [150, 250] ms. An End-to-End constraint on Controller and VehicleDynamic, i.e., the time interval measured from the input arrival of Controller to the instant at which the corresponding output is sent out from VehicleDynamic must be within [150, 250] ms. R18. After the camera is triggered to capture the image, the computation of the traffic sign should be finished within [120, 180]ms, i.e., the End-to-End timing constraint applied on Camera and SignRecognition should be between 120ms and 180ms. R19. The time interval measured from the instant at which the camera captures an image of traffic sign, to the instant at which the status of AV (i.e., speed, direction) is updated, should be within [270, 430] ms. That is, End-to-End timing constraint applied on Camera and VehicleDynamic should be between 270 and 430ms.
R20. When a left turn sign is recognized, the vehicle should turn towards left within 500ms, which can be interpreted as an End-to-End timing constraint applied on the event DetectLeftSign and StartTurnLeft. R21. When a right turn sign is recognized, the vehicle should turn towards right within 500ms, which can be interpreted as an End-to-End timing constraint applied on the event DetectRightSign and StartTurnRight. R22. When a stop sign is recognized, the vehicle should start to brake within 200ms, which can be interpreted as an End-to-End timing constraint applied on the event DetectStopSign and StartBrake. R23. When a stop sign is recognized, the vehicle should be stop completely within 3000ms, which can be interpreted as an End-to-End timing constraint applied on the event DetectStopSign and Stop. R24. The execution time interval from Controller to VehicleDynamic should be less than or equal to the sum of the worst case execution time interval of each f p . R25. The execution time interval from Camera to SignRecognition should be less than or equal to the sum of the worst case execution time interval of each f p . R26. The execution time interval from Camera to VehicleDynamic should be less than or equal to the sum of the worst case execution time interval of each f p . R27. While AV turns left, the "turning right" mode should not be activated. The events of turning left and right considered as exclusive and specified as an Exclusion constraint. R28. While AV is braking, the "accelerate" mode should not be activated. The events of braking and accelerating are considered as exclusive and specified as an Exclusion constraint. R29. When AV is in the emergency mode because of the obstacle occurrence, "turn left" mode must not be activated, i.e., the events of handling emergency and turning left are exclusive and specified as a Exclusion constraint. R30. When AV is in the emergency mode because of the encounter of an obstacle, "turn right" mode must not be activated, i.e., the events of handling emergency and turning right are exclusive and specified as an Exclusion constraint. R31. When AV is in the emergency mode because of the encounter of an obstacle, "accelerate" mode must not be activated, i.e., the events of handling emergency and accelerating are exclusive and specified as an Exclusion constraint.
Delay constraint gives duration bounds (minimum and maximum) between two events source and target. This is specified using lower, upper values given as either Execution constraint (R5 -R8) or End-to-End constraint (R17 -R23). Synchronization constraint (R13 -R16) describes how tightly the occurrences of a group of events follow each other. All events must occur within a sliding window, specified by the tolerance attribute, i.e., the maximum time interval allowed between events. Periodic constraint states that the period of successive occurrences of a single event must have a time interval (R1 -R4). Sporadic constraint states that events can arrive at arbitrary points in time, but with defined minimum inter-arrival times between two consecutive occurrences (R9 -R12). Comparison constraint delimits that two consecutive occurrences of an event should have a minimum inter-arrival time (R24 -R26). Exclusion constraint refers that two events must not occur at the same time (R27 -R31). Those timing constraints are formally specified (see as R. IDs in Fig. 3 .1) using the subset of clock relations and expressions (see Chapter 2) in the context of WH. The timing constraints are then verified utilizing Uppaal-SMC and are described further in the following chapters.
Probabilistic Extension of Relation in CCSL
To perform the formal specification and probabilistic verification of East-adl timing constraints (R1 -R31 in Sec 3.), Ccsl relations are augmented with probabilistic properties, called PrCcsl, based on WH [8] . More specifically, in order to describe the bound on the number of permitted timing constraint violations in WH, we extend Ccsl relations with a probabilistic parameter p, where p is the probability threshold. PrCcsl is satisfied if and only if the probability of relation constraint being satisfied is greater than or equal to p. As illustrated in Fig. 3 .1, East-adl/Tadl2 timing constraints (R. IDs in Fig. 3 .1) can be specified (Spec. R. IDs) using the PrCcsl relations and the conventional Ccsl expressions.
A time system is specified by a set of clocks and clock constraints. An execution of the time system is a run where the occurrences of events are clock ticks.
Definition 1 (Run) A run R consists of a finite set of consecutive steps where a set of clocks tick at each step i. The set of clocks ticking at step i is denoted as R(i), i.e., for all i, 0 i n, R(i) ∈ R, where n is the number of steps of R. Fig. 4 .1 presents a run R consisting of 10 steps and three clocks c1, c2 and c3. The ticks of the three clocks along with steps are shown as "cross" symbols (x). For instance, c1, c2 and c3 tick at the first step, hence R(1) = {c1, c2, c3}. The history of a clock c presents the number of times the clock c has ticked prior to the current step.
Definition 2 (History) For c ∈ C, the history of c in a run R is a function:
indicates the number of times the clock c has ticked prior to step i in run R, which is initialized as 0 at step 0. It is defined as:
Definition 3 (PrCCSL) Let c1, c2 and R be two logical clocks and a run. The probabilistic extension of relation constraints, denoted c1∼ p c2, is satisfied if the following condition holds:
where ∼ ∈ {⊆, ≡, ≺, , #}, P r(c1∼c2) is the probability of the relation c1∼c2 being satisfied, and p is the probability threshold.
The five Ccsl relations, subclock, coincidence, exclusion, causality and precedence, are considered and their probabilistic extensions are defined.
Definition 4 (Probabilistic Subclock) Let c1, c2 and M be two logical clocks and a system model. Given k runs = {R 1 , . . . , R k }, the probabilistic extension of subclock relation between c1 and c2, denoted c1⊆ p c2, is satisfied if the following condition holds:
.e., the ratio of runs that satisfies the subclock relation out of k runs.
A run R j satisfies the subclock relation between c1 and c2 "if c1 ticks, c2 must tick" holds at every step
Coincidence relation delimits that two clocks must always tick at the same step, i.e, if c1 and c2 are coincident, then c1 and c2 are subclocks of each other.
Definition 5 (Probabilistic Coincidence)
The probabilistic coincidence relation between c1 and c2, denoted c1≡ p c2, is satisfied over M if the following condition holds:
{R j |= c1≡c2} is determined by the number of runs satisfying the coincidence relation out of k runs.
A run, R j satisfies the coincidence relation on c1 and c2 if the assertion holds:
. In other words, the satisfaction of coincidence relation is established when the two conditions "if c1 ticks, c2 must tick" and "if c2 ticks, c1 must tick" hold at every step.
The inverse of coincidence relation is exclusion, which specifies two clocks cannot tick at the same step.
Definition 6 (Probabilistic Exclusion) For all k runs over M, the probabilistic exclusion relation between c1 and c2, denoted c1# p c2, is satisfied if the following condition holds:
{R j |= c1#c2} is the ratio of the runs satisfying the exclusion relation out of k runs.
A run, R j , satisfies the exclusion relation on c1 and c2 if ∀i, 0 i n,
, for every step, if c1 ticks, c2 must not tick and vice versa.
The probabilistic extension of causality and precedence relations are defined based on the history of clocks.
Definition 7 (Probabilistic Causality) The probabilistic causality relation between c1 and c2 (c1 is the cause and c2 is the effect), denoted c1 p c2, is satisfied if the following condition holds:
{R j |= c1 c2}, i.e., the ratio of runs satisfying the causality relation among the total number of k runs.
A run R j satisfies the causality relation on c1 and c2 if the condition holds: ∀i,
A tick of c1 satisfies causality relation if c2 does not occur prior to c1, i.e., the history of c2 is less than or equal to the history of c1 at the current step i.
The strict causality, called precedence, constrains that one clock must always tick faster than the other.
Definition 8 (Probabilistic Precedence)
The probabilistic precedence relation between c1 and c2, denoted c1≺ p c2, is satisfied if the following condition holds:
{R j |= c1≺c2} is determined by the number of runs satisfying the precedence relation out of the k runs.
A run R j satisfies the precedence relation if the condition (expressed as (1)∧(2)) holds: ∀i, 0 i n,
(1) The history of c1 is greater than or equal to the history of c2; (2) c1 and c2 must not be coincident, i.e., when the history of c1 and c2 are equal, c2 must not tick.
Specification of Timing Constraints in PrCCSL
To describe the property that a timing constraint is satisfied with the probability greater than or equal to a given threshold, Ccsl and its extension PrCcsl are employed to capture the semantics of probabilistic timing constraints in the context of WH. Below, we show the Ccsl/PrCcsl specification of East-adl timing constraints, including Execution, Periodic, End-to-End, Sporadic, Synchronization, Exclusion and Comparison timing constraints. In the system, events are represented as clocks with identical names. The ticks of clocks correspond to the occurrences of the events.
Periodic timing constraints (R1 -R4) can be specified using periodicOn expression and probabilistic coincident relation. R1 states that the camera must be triggered periodically with a period 50ms. We first construct a periodic clock prd_50 which ticks after every 50 ticks of ms (the universal clock). Then the property that the periodic timing constraint is satisfied with probability no less than the threshold p can be interpreted as the probabilistic coincidence relation between cmrT rig (the event that Camera f p being triggered) and prd_50. The corresponding specification is given below, where means "is defined as":
By combining (1) and (2), we can obtain the the specification of R1:
In similar, the Ccsl/PrCcsl specification of R2 -R4 can be derived:
where signT rig is the event/clock that SignRecognition f p is triggered, obsDetect represents the event that the object detection is activated by the vehicle and spU pdate denotes the event that the speed is updated (i.e., recieved by Controller) from the environment.
Since the period attribute of the Periodic timing constraint R2 is 200ms, which is an integral multiple of the period of R1, R2 can be interpreted as a subclock relation, i.e., the event signT rig should be a subclock of cmrT rig. The specification is given below:
Execution timing constraints (R5 -R8) can be specified using delayFor expression and probabilistic causality relation. To specify R5, which states that the SignRecognition f p must finish execution within [100, 150]ms, i.e., the interval measured from the input event of the f p (i.e., the event that the image is received by the f p , denoted imIn) to the output event of the f p (denoted imIn) must have a minimum value 100 and a maximum value 150. We divide this property into two subproperties: R5(1) The time duration between imIn and signOut should be greater than 100ms. R5(2) The time duration between imIn and signOut should be less than 150ms. To specify property R5(1), we first construct a new clock imIn_dly100 by delaying imIn (the input event of SignRecognition) for 100ms. To check whether R5(1) is satisfied within a probability threshold is to verify whether the probabilistic causality between imIn_dly100 and signOut is valid. The specification of R5(1) is given below: imIn_dly100 imIn delayFor 100 on ms (5.8)
By combining (7) and (8), we can obtain the the specification of R5(1):
{imIn delayFor 100 on ms} p signOut (5.10)
Similarly, to specify property R5(2), a new clock imIn_dly150 is generated by delaying imIn for 150 ticks on ms. Afterwards, the property that R5 (2) is satisfied with a probability greater than or equal to p relies on whether the probabilistic causality relation is satisfied. The specification is illustrated as follows: imIn_dly150 imIn delayFor 150 on ms (5.11)
By combining (10) and (11), we can obtain the the specification of R5 (2):
Analogously, the Ccsl/PrCcsl specification of R6 -R8 can be derived:
R6 : {cmrT rig delayFor 20 on ms} p cmrOut cmrOut p {cmrT rig delayFor 30 on ms} (5.14)
R7
where cmrT rig is the event that the Camera f p being triggered, cmrOut represents the event that the captured image is sent out. ctrlIn (ctrlOut) represents the input (resp. output) event of Controller f p . vdIn (vdOut) represents the input (resp. output) event of VehicleDynamic f p .
Sporadic timing constraints (R9 -R12) can be specified using delayFor expression and probabilistic precedence relation. R9 states that there should be a minimum delay between the event veRun (the event that the vehicle is in the "run" mode) and the event obstc (the event that the vehicle detects an obstacle), which is specified as 500ms. To specify R9, we first build a new clock obstc_dly500 by delaying obstc for 500 ticks of ms. We then check the probabilistic precedence relation between obst_dly500 and veRun: obstc_dly500 obstc delayFor 500 on ms (5.17)
By combining (16) and (17), we can obtain the the specification of R9:
Analogously, the Ccsl/PrCcsl specification of R10 -R12 can be derived:
R11 : {obstc delayFor 500 on ms} ≺ p tLef t (5.21)
where veAcc is the event/clock that the vehicle is accelerating. tLef t and tRight represent the event that the vehicle transits from the "emergency stop" mode to "turn left" and "turn right" mode respectively.
Synchronization timing constraints (R13 -R16) can be specified using infimum and supremum expression, together with probabilistic precedence relation. R13 states that the five input events must be detected by Controller within the maximum tolerated time, given as 40ms. The synchronization timing constraint can be interpreted as: the time interval between the earliest/fastest and the latest/slowest event among the five input events, i.e., speed , signType, direct, gear and torque, must not exceed 40ms. To specify the constraints, infimum is utilized to express the fastest event (denoted inf ctrlIn ) while supremum is utilized to specify the slowest event sup ctrlIn . sup ctrlIn and inf ctrlIn are defined as: 
Therefore, the synchronization constraint R13 can be represented as the probabilistic causality relation between sup ctrlIn and inf ctrlIn _dly40, given as the Ccsl/PrCcsl expression below:
By combining (24) and (25), we can obtain the the specification of R13:
In similar, the Ccsl/PrCcsl specification of R14 -R16 can be derived. For R14, we first construct the clocks that represent the fastest and slowest output event/clock among the four output events of Controller f p , i.e., reqTorq, reqDirect, reqGear and reqBrake. Then the property that the synchronization constraint is satisfied with a probability greater than or equal to p can be interpreted as a probabilistic causality relation:
Inf(Inf(reqTorq, reqDirect), Inf(reqGear, reqBrake)) sup ctrlOut p {inf ctrlOut delayFor 30 on ms} (5.28)
For R15, we first construct the fastest and slowest input event/clock among the four input events of VehicleDynamic , i.e., reqTorq, reqDirect, reqGear and reqBrake. Then the property that the synchronization constraint is satisfied with a probability greater than or equal to p can be interpreted as a probabilistic causality relation: End-to-End timing constraints (R17 -R23) can be specified using delayFor expression and probabilistic precedence relation. To specify R17, which limits that the time duration measured from the instant of the occurrence of the event that Controller f p receive the traffic sign type information (denoted as signIn), to the occurrence of event that the speed is sent out from the output port of VehicleDynamic f p (denoted as spOut) should be between 150 and 250ms. We divide this property into two subproperties: R17(1). The time duration between signIn and spOut should be more than 150ms. R17 (2) . The time duration between signIn and spOut should be less than 250ms. To specify property R17(1), we first construct a new clock signIn_dly150 by delaying signIn for 150ms. To check whether R17(1) is satisfied within a probability threshold p is to verify whether the probabilistic precedence between signIn_dly150 and spOut is valid. The specification of R17(1) is given below: signIn_dly150 signIn delayFor 150 on ms (5.31)
By combining (30) and (31), we can obtain the the specification of R17(1):
Similarly, to specify property R17(2), a new clock signIn_dly250 is generated by delaying signIn for 250 ticks on ms. Afterwards, the property that R17 (2) is satisfied with a probability greater than or equal to p relies on whether the probabilistic precedence relation is satisfied. The specification is illustrated as follows: signIn_dly250 signIn delayFor 250 on ms (5.34)
By combining (33) and (34), we can obtain the the specification of R17 (2):
In similar, the Ccsl/PrCcsl specification of R18 -R23 can be derived: Exclusion timing constraints (R27 -R31) can be specified using exclusion relation directly. R27 states that the two events turnLef t (the event that the vehicle is turning left) and rightOn (the event that the turn right mode is activated) should be exclusive, which can be expressed as:
Analogously, the Exclusion timing constraints R28 -R31 can be specified using exclusion relation:
where emgcy is the event that the vehicle is in the emergency mode, veBrake and veAcc represent the event that the vehicle is braking or accelerating, respectively.
Chapter 6 Translating CCSL & PrCCSL into UPPAAL-SMC
To formally verify the East-adl timing constraints given in Chapter 3 using Uppaal-SMC, we investigate how those constraints, specified in Ccsl expressions and PrCcsl relations, can be translated into STA and probabilistic Uppaal-SMC queries [12] . Ccsl expressions construct new clocks and the relations between the new clocks are specified using PrCcsl. We first provide strategies that represent Ccsl expressions as STA. We then present how the East-adl timing constraints defined in PrCcsl can be translated into the corresponding STAs and Uppaal-SMC queries based on the strategies.
Mapping CCSL to UPPAAL-SMC
We first describe how the universal clock (TimeUnit ms), tick and history of Ccsl can be mapped to the corresponding STAs. Using the mapping, we then demonstrate that Ccsl expressions can be modeled as STAs. The TimeUnit is implicitly represented as a single step of time progress in Uppaal-SMC's clock [22] . The STA of TimeUnit (universal time defined as ms) consists of one location and one outgoing transition whereby the physical time and the duration of TimeUnit ms are represented by the clock variable t in Fig. 6.1.(a) . clock resets every time a transition is taken. The duration of TimeUnit is expressed by the invariant t 1, and guard t 1, i.e., a single step of the discrete time progress (tick) of universal time. A clock c, considered as an event in Uppaal-SMC, and its tick, i.e., an occurrence of the event, is represented by the synchronization channel c!. Since Uppaal-SMC runs in chronometric semantics, in order to describe the discretized steps of runs (Rs), we consider if c ticks in the time range of [i, i + 1) (i + 1 is excluded), c ticks at step i. The STA of tick and history is shown in Fig. 6.1.(b) . hc is the history of c, and tc indicates whether c ticks at the current step. A function upper() rounds the time instant (real number) up to the nearest greater integer. When c ticks via c? at the current time step, tc is set to 1 prior to the time of the next step (t < u). hc is then increased by 1 (hc++) at the successive step (i.e., when t = u). For example, when c ticks at time = 1.5 (see Fig. 6.1.(c) ), upper() returns the value of 2 and tc becomes 1 during the time interval [1.5, 2), followed by hc being increased by 1 at t = 2.
Based on the mapping patterns of ms, tick and history, we present how periodicOn, delayFor, infimum and supremum expressions can be represented as Uppaal-SMC models. PeriodicOn: c periodicOn ms period q, where means "is defined as". PeriodicOn builds a new clock c based on ms and a period parameter q, i.e., c ticks at every q th tick of ms. The STA of periodicOn is illustrated in Fig. 6.2.(a) . This STA initially stays in the loop location to detect q occurrences (ticks) of ms.
The value x counts the number of ms ticks. When ms occurs (ms?), the STA takes the outgoing transition and increases x by 1. It "iterates" until ms ticks q times (x == q), then it activates the tick of c (via c!). At the successive step (ms?), it updates the history of c (hc++) and sets x = 1. The STA then returns to loop and repeats the calculation. This periodicOn STA can be used for the translation of East-adl Periodic timing constraint (R1 in Fig. 3.1) into its Uppaal-SMC model. c corresponds to a tick of c1) . Kang et al. [22] and Suryadevara et al. [32] presented translation rules of delayFor into Uppaal models. However, their approaches are not applicable in the case after c1 ticks, and c1 ticks again before the d th tick of c2 occurs. For example (see Fig. 4 .1), assume that d is 3. After the 1 st tick of c1 (at step 0) happens, if c1 ticks again (at step 2) before the 3 rd tick of c2 occurs (at step 4), the 2 nd tick of c1 is discarded in their approaches. To alleviate the restriction, we utilize spawnable STA [12] as semantics denotation of delayFor expression and the STA of delayFor is shown in Fig. 6.2.(c) . As presented in Fig. 6.2.(b) , when the v th tick of c1 occurs (c1[v]?), its delayFor STA is spawned by source STA. The spawned STA stays in the wait location until c2 ticks d times. When c2 ticks d times (x == d), it transits to the tick location and triggers c (c!). At the next step (ms?), the STA increases hc by 1 and moves to f inish location and then becomes inactive, i.e., calculation of the v th tick of c is completed. This delayFor STA can be utilized to construct the Uppaal-SMC models of East-adl timing requirements R5 -R26 in Chapter 3.
Given two clocks c1 and c2, their infimum (resp. supremum) is informally defined as the slowest (resp. fastest) clock faster (resp. slower) than both c1 and c2. infimum and supremum are useful in order to group events occurring at the same time and decide which one occurs first and which one occurs last. The representative STAs for both expressions are utilized for the translation of East-adl Synchronization timing constraint (R13 in Chapter 3) into the Uppaal-SMC model. Infimum creates a new clock c, which is the slowest clock faster than c1 and c2. The STA of infimum is illustrated in Fig. 6.2.(d) . When c1 (c2) ticks via c1? (c2?), the STA transits to the s1 (s2 ) location and compares the history of the two clocks (h1 and h2) to check whether the current ticking clock c1 (c2) is faster than c2 (c1). If so, i.e., the condition "h1 h2 (h2 h1)" holds, the STA takes a transition to the tick location and activates the tick of c (c!). After updating the history (hc++), it returns to the init location and repeats the calculation. Supremum builds a new clock c, which is the fastest clock slower than c1 and c2. It states that if c1 ticks at the current step and c1 is slower than c2, then c ticks. The STA of supremum is shown in Fig. 6.2 .(e). When c1 (c2) ticks via c1? (c2?), the STA transits to the s1 (s2 ) location and compares the history of the two clocks and decides whether c1 (c2) is slower than c2 (c1). If c1 (c2) ticks slower than c2 (c1), i.e., h1 < h2 (h2 < h1), or c1 and c2 tick at the same rate, i.e., "h1 == h2 && t 2 == 1 (h1 == h2 && t 1 == 1)" holds, the tick of c is triggered. The STA then updates the history of c and goes back to init and repeats the process.
Representation of PrCCSL in UPPAAL-SMC
In this section, the translation of East-adl timing constraints specified in PrCcsl into STA and Hypothesis Testing query (refer to Chapter 2) is provided from the view point of the analysis engine Uppaal-SMC.
Recall the definition of PrCcsl in Chapter 4. The probability of a relation being satisfied is interpreted as a ratio of runs that satisfies the relation among all runs. It is specified as Hypothesis Testing queries in Uppaal-SMC, H 0 :
where m is the number of runs satisfying the given relation out of all k runs. k is decided by strength parameters α (the probability of false positives, i.e., accepting H 1 when H 0 holds) and β (probability of false negatives, i.e., accepting H 0 when H 1 holds), respectively [10] .
Based on the mapping patterns of tick and history in Chapter 6.1, the probabilistic extension of exclusion, causality and precedence relations are expressed as Hypothesis Testing queries straightforwardly. Probabilistic Exclusion is employed to specify East-adl Exclusion timing constraint, turnLef t # p rightOn (Spec. R27 in Fig. 3.1) . It states that the two events, turnLeft and rightOn (the vehicle is turning left and right), must be exclusive. The ticks of turnLef t and rightOn events are modeled using the STA in Fig. 6.1.(b) . Based on the definition of probabilistic exclusion (Chapter 4), R8 is expressed in Hypothesis Testing query: P r[bound] ([ ]((t turnLef t =⇒ ¬ t rightOn ) ∧ (t rightOn =⇒ ¬ t turnLef t ))) P , where t turnLef t and t rightOn indicate the ticks of turnLef t and rightOn, respectively. bound is the time bound of simulation, in our setting bound = 3000. Probabilistic Causality is used to specify East-adl Synchronization timing constraint, sup p {inf delayFor 40 on ms} (Spec. R13 in Fig. 3.1) , where sup (inf ) is the fastest (slowest) event slower (faster) than five input events, speed, signType, direct, gear and torque. Let SUP and INF denote the supremum and infimum operator, i.e., SUP(c1, c2) (resp. INF(c1, c2)) returns the supremum (resp. infimum) of clock c1 and c2. sup and inf can now be expressed with the nested operators (where means "is defined as"):
For the translation of sup (inf ) into Uppaal-SMC model, we employ the STA of supremum (resp. infimum) (Fig. 6.2.(d) and (e)) for each SUP (INF) operator. A new clock dinf is generated by delaying inf for 40 ticks of ms: dinf {inf delayFor 40 on ms}. The Uppaal-SMC model of dinf is achieved by adapting the spawnable DelayFor STA (Fig. 6.2) . Based on the probabilistic causality definition, R13 is interpreted as:
P , where h sup and h dinf are the history of sup and dinf respectively.
Similarly, Execution (R5) and Comparison (R25) timing constraints specified in probabilistic causality using delayFor can be translated into Hypothesis Testing queries. R5 ({imIn delayFor 100 on ms} p signOut, signOut p {imIn delayFor 150 on ms}) specifies that the execution time of SignRecognition f p measured from input port imIn to output port signOut should be limited within [100, 150]ms. To translate Execution timing constraint into Uppaal-SMC STA, two new clocks SL and SU are constructed by delaying imIn for 100 and 150 ticks of ms: SL {imIn delayFor 100 on ms}, SU {imIn delayFor 150 on ms}. According to the definition of probabilistic causality, R5 can be specified as:
P , where h SU and h SL represent the history of SU and SL, and h S indicates the history of clock signOut.
Comparison constraint (R25) specified as {signIn delayFor 250 on ms} p {signIn delayFor W CET on ms} can be model using the DelayFor STA. Two new clocks CU , com are generated: CU {signIn delayFor 250 on ms}, com {signIn delayFor W CET on ms}, where W CET represents the sum of worst case execution time of Controller and VehicleDynamics f p s. Therefore, R25 can be expressed as the query: P r[ bound]([ ] (ex con == wcet con ∧ ex vd == wcet vd ) =⇒ (h con h CU ) P , where ex con == wcet con ∧ ex vd == wcet vd restricts that when the execution is the worst case (i.e., the execution time is the longest), the probabilistic causality relation between con and CU should be guaranteed. Probabilistic Precedence is utilized to specify East-adl End-to-End timing constraint (R17). It states that the time duration between the source event signIn (input signal on the signType port of Controller) and the target event spOut (output signal on the speed port of VehicleDynamic) must be within a time bound of [150, 250] , and that is specified as Uppaal-SMC quires (56) and (57):
Two clocks, lower and upper, are defined by delaying signIn for 150 and 250 ticks of ms respectively: lower {signIn delayFor 150 on ms}, and upper {signIn delayFor 250 on ms}. The corresponding Uppaal-SMC models of lower and upper are constructed based on the delayFor STA (shown in Fig. 6.2) . Finally, the R17 specified in PrCcsl is expressed as Uppaal-SMC quires (3) and (4), where h lower , h upper and h spOut are the history of lower, upper and spOut. t spOut and t upper represent the tick of upper and spOut respectively:
In similar, East-adl Sporadic timing constraint (R9) specified in probabilistic precedence can be translated into Hypothesis Testing query P r[ bound]([ ]ho hv ∧ ((hv == ho) =⇒ t va == 0)) P , where ho represents the history of the clock/event that obstacle occurs, and t va and hv indicates the ticks and history of the clock that the vehicle starts to move.
In the case of properties specified in either probabilistic subclock or probabilistic coincidence, such properties can not be directly expressed as Uppaal-SMC queries. Therefore, we construct an observer STA that captures the semantics of standard subclock and coincidence relations. The observer STA are composed to the system STA, namely a network STA NSTA, in parallel. Then, the probabilistic analysis is performed over the NSTA which enables us to verify the East-adl timing constraints specified in probabilistic subclock and probabilistic coincidence of the entire system using Uppaal-SMC. Further details are given below. Probabilistic Subclock is employed to specify East-adl Periodic timing constraint, given as signRecT rig ⊆ p cT rig (Spec. R2 in Fig.1 ). The standard subclock relation states that superclock must tick at the same step where subclock ticks. Its corresponding STA is shown in Fig. 6.3.(a) . When signRevT rig ticks (signRecT rig?), the STA transits to the wait location and detects the occurrence of cT rig until the time point of the subsequent step (u). If cT rig occurs prior to the next step (tcT rig == 1), the STA moves to the success location, i.e., the subclock relation is satisfied at the current step. Otherwise, it transits to the f ail location. R2 specified in probabilistic subclock is expressed as: P r[bound]([ ]¬ Subclock.f ail) P . Uppaal-SMC analyzes if the f ail location is never reachable from the system NSTA, and whether the probability of R2 being satisfied is greater than or equal to P . Probabilistic Coincidence is adapted to specify East-adl Periodic timing constraint, given as cT rig ≡ p {periodicOn ms period 50} (Spec. R1 in Fig.1 ). To express R1 in Uppaal-SMC, first, a periodic clock prdClk ticking every 50 th tick of ms is defined: prdClk periodicOn ms period 50. The corresponding Uppaal-SMC model of prdClk is generated based on the periodicOn STA shown in Fig. 6.2.(a) by setting q as 50. Then, we check if cT rig and prdClk are coincident by employing the coincidence STA shown in Fig. 6.3.(b) . When cT rig (prdClk) ticks via cT rig? (prdClk?), the STA checks if the other clock, prdClk (cT rig), ticks prior to the next step, i.e., whether tprdClk == 1 (tcT rig == 1) holds or not when t u. The STA then transits to either the success or f ail location based on the judgement. R1 specified in probabilistic coincidence is expressed as: P r[bound]([ ]¬ Coincidence.f ail) P . Uppaal-SMC analyzes if the probability of R1 being satisfied is greater than or equal to P .
Modeling the Behaviors of AV and its Environment in UPPAAL-SMC
To capture the behaviours of the AV system and the stochastic behaviours of its environments, e.g., random traffic signs, each f p in Fig. 3 .1 is modeled as an STA in Uppaal-SMC. The random traffic sign in the environment is recognised by AV. The speed of the AV is influenced by the condition of the road. Obstacles on the road occurs randomly. To model these stochastic behaviours, we model the three f p s in the Environment f t into three STAs, which are presented in Fig. 7 .1. In TrafficSign (Fig. 7.2.(b) ) STA, sign_num represents the random traffic sign type, which is generated every 4ms to 8ms. To represent the integration of the AV system and the environment, the speed of AV is equal to the speed of in the environment, the Speed (shown in Fig. 7.1.(c) ) STA updates the speed of the vehicle in the environment from the by activating the execution of update() function periodically. Obstacle STA generates a signal randomly based on probability distribution to represent random obstacles.
The system model of AV is represented as the STAs shown in Fig. 7 .2. Camera STA is triggered periodically (Fig. 7.2.(a) ). When the execution of camera is finished, i.e., the transition from s4 to s5 is taken, the update() function is triggered and the value of sign_num is assigned to signT ype. Since the input ports (speed and obstacle) of Controller are triggered periodically, the AV system obtains the speed of the vehicle and the road information by executing the update() periodically (Fig. 7.3) .
The internal behaviours of Controller f p is captured in Fig. 7.4 . When the vehicle is in the "normal" mode ( Fig. 7.4.(c) ) and it encounters an obstacle, the "emergency stop" mode will be activated (Fig. 7.4.(b) ) and the vehicle begins to stop. In "normal" mode, the vehicle adjusts its movement according to the traffic signs, e.g., when it detects a turn left sign, it will turn left ( Fig. 7.5.(d) ). The Controller then sends out requests for VehicleDynamic to change the direction or the speed of the four wheels.
To verify R1 to R31, STAs of Ccsl expressions periodicOn, infimum, supremum and delayFor and STAs of PrCcsl relations coincidence and subclock are utilized. For example, to verify R3, a periodicOn STA generates a new clock c with period 40 (Fig. 7.6.(a) ). When c ticks, the periodico will be assigned to 1. The probabilistic coincidence relation between c and the triggering of the obstacle port should hold. When the input port is triggered, obstrig will become 1 in Fig. 7 .3.(b). Coincidence STA (Fig. 7.6 .(b)) is employed for checking the coincidence relation between c and obstacle. of verifying R5 by using Expected Value and Simulation queries with different numbers of runs assigned. As shown in Fig. 8 .3, along with the increase of the number of runs, for both queries, the verification time grows proportionally, while the CPU and memory have no significant changes.
