This article deals with the formal validation of STIMAP, a medium access protocol that has been designed to meet the specific requirements of an implantable network-based neuroprosthesis. This article presents the modeling and the validation of its medium access, using model checking on Time Petri Nets. Doing so, we show that existent formal methods and tools are not perfectly suitable for the validation of real systems, especially when some hardware parameters have to be considered. This article then presents how these difficulties have been managed during the modeling and verification phases, and gives the validation results for STIMAP, providing constraints to respect.
INTRODUCTION
In order to improve the daily life living of para-and quadriplegic patients, Functional Electrical Stimulation (FES) is a palliative solution. FES has been successfully used to face functional deficiencies, in well-known applications such as: pacemaker, deep brain stimulation, pain control or hearing restoration. Implanted FES is also studied for movement rehabilitation such as foot droop for hemiplegic patients or even more complex movements, as well as for restoration of bladder function. Nevertheless, effective solutions for implanted FES are actually mainly based on centralized architectures. Since it is not conceivable to address all possible functional deficiencies in only one surgical operation, the architecture must be extensible. That means that once implanted the evolution of the neuroprosthesis should be possible, i.e., it must be possible to add new sites of stimulation and/or measurement of electrical activities on nerves and/or muscles. This is not possible with existing implantable neuroprostheses. Moreover, centralized implants lead to complex surgery, high risk of failure during and after surgery, and global infection problems, which can be limited with a distributed architecture.
So we designed and developed a new architecture for such implantable FES system based on technological advances in networks and micro-electronics domains. This new architecture relies on a network of small distributed units in charge of activating and monitoring the peripheral nervous system [Andreu et al. 2009 ]. Thus, the network constitutes the backbone of our neuroprosthesis and it must be managed in a reliable and deterministic way in such critical embedded system. The medium access mechanism used in this architecture must be deeply studied since it plays a major role regarding the communication between artificial devices that control natural organs. To fulfill the context specific requirements and constraints, we designed a new MAC protocol, presented in Section 2. Taking early into account validation preoccupations, the behavior of this MAC protocol, called STIMAP (Sliding Time Interval based Medium Access Protocol), has been modeled using Time Petri nets (TPN). Both TPN-based simulation and experimentations contributed to the validation of STIMAP but they did not provide exhaustive guarantees of determinism.
Some particularities of STIMAP could not be validated without applying a validation methodology based on formal methods. As a consequence, we went further in the validation process, applying a model checking based validation methodology, briefly mentioned in Section 3. It allows verifying properties through an exhaustive analysis of the whole states space (all possible states) of a formal model of the system. Therefore, the formal approach gives more confident validation results thanks to the exhaustive verification of properties on the STIMAP protocol. We applied it to the validation of the Time Petri net (TPN) based STIMAP model: that constitutes the focus of this paper. Sections 4, 5, and 6 expose the modeling and the validation of STIMAP. They show difficulties we encountered in both the identification of time parameters that guaranty the respect of communication time constraints, and their integration in the validation process. This article is concluded by our ongoing works on formal analysis methods and tools.
THE STIMAP MAC PROTOCOL
In order to explain the expected characteristics of the MAC protocol to be formally validated, we first briefly introduce our network-based FES architecture. Then the STIMAP protocol that has been designed to manage the medium access within this architecture is presented.
Communication in the FES Architecture
The whole FES architecture relies on an implanted part and some external devices like for instance the patient's remote controller. The implanted architecture comprises a global controller and several distributed units (DU) that are connected together via an intrabody asynchronous communication network. These distributed units are stimulation units (DSU) and measurement units (DMU) . The global controller is in charge of coordinating the activities of distributed units. The link between the intrabody architecture and extrabody device(s), for data and energy transmission, is ensured by means of an transcutaneous inductive link. In this architecture the global controller also ensures the "gateway" between those two worlds.
Each implanted device embeds a 3-layer protocol stack corresponding to the reduced OSI model.
-Physical layer. The network is based on an implantable bus we developed as there
is not yet available wireless technology for intra-body communication with deeply implanted devices taking into account both data and energy transmission. Our bus is based on a medical 2-wire cable (35N LT metal implantable 2-wire cable), transmitting data and energy . Whatever is the medium, the bus topology of the network is essential. Indeed, for the approach to remain valid for both wired and wireless technologies (implanted and external devices), we assume that the medium fundamentally corresponds to one shared domain of not detectable collision. -MAC layer. On the implanted network, two types of logical addresses are required, allowing unicast, multicast and broadcast communications: individual addresses (one for each DU) and group addresses (for different groups of DUs, and all DUs). These addressing modes are necessary since the controller can communicate for example with a single DSU to program it, or with a group of DSUs to start a stimulation, or with all DSU to stop any stimulation. The notion of group is significant in our context since at a given instant of time the movement control only concerns a subset of muscles (simultaneous stimulation of agonistic and antagonistic muscles for example) and thus a subset of DSUs (those associated to these muscles). This implies that it is possible to dynamically impose to a DSU to subscribe/unsubscribe to one or several groups. The possibility to dynamically unsubscribe a DSU from a group is also important, particularly for medium sharing efficiency purposes. Consequently, basic functionalities of the MAC layer are to filter incoming packets, since at the physical layer we systematically broadcast frames, and to manage subcription/unsubscription to groups. But the most important functionality is to ensure a reliable, deterministic and efficient medium sharing. It must ensure that solely one node of the network uses the medium at any instant of time, to avoid any collision. The risk of collision must be avoided to be sure that no error notification neither any request can be lost, even if for reliability purpose acknowledgments can be used. Two types of acknowledgments are provided: frame reception (MAC layer) and request execution (Application layer) acknowledgments. -Application layer. Payloads of the application protocol correspond to configuration and control of DUs. Let's consider DSU for example; these payloads correspond to configuration, download/upload of micro-programs (stimulation profiles to be executed on a DSU), remote control by means of start/stop requests and stimulation parameter modifications (modulation of the stimulus magnitude, duration and frequency), and also acknowledgments and errors notified by DSUs.
The context is thus characterized by the following.
-The topology is fixed: no mobility neither dynamic node insertion.
-The application needs two kinds of logical addresses: unicast and multicast (broadcast being a particular multicast address). The set of nodes (group of DSU for instance) that communicates at the different phases of the stimulation is dynamically set. Moreover it must be possible to exclude or suspend members of the communicating group, at any time. -The application obviously requires a reliable and efficient communication medium.
For reactivity, and security purposes the global controller of the application (master unit of the architecture) must have the possibility to quickly react, i.e., the possibility to quickly emit its requests without waiting for a long time before acceding to the medium. Indeed, for safety purposes the controller must be able for example to stop the stimulation at any time. Since it remotely pilots the distributed stimulators (DSUs), this requires to ensure that the controller can send a stop request at any time. In terms of network that means that it can access to the medium in a deterministic way, i.e., that the MAC protocol ensures: i/ that none of the units are or will be emitting at this time, and ii/ that even if data gathering is under way with a set of units (DMUs), there is a way to take the control of the medium rapidly (i.e., without waiting for the end of data gathering). The first point concerns reliability in terms of guaranteed collision-free access, and the second one is relative to reactivity in terms of taking back the control of the medium access. -Finally, the context imposes the solution to be simple as it must be embedded in small implantable electronic devices. Moreover this solution must be based on independent communication devices, to facilitate the system evolutivity.
The STIMAP Medium Access
In the given context, contention-based solutions are not adequate. Schedule-based solutions, considering that election and TDMA based methods belong to this family, are possible solutions as they favor collision-free and deterministic medium access. However, TDMA solutions are often static and periodic ones, i.e., requiring regular time synchronization and sometimes regular timing information sending. This increases energy consumption and decreases efficiency in case of passives nodes (nothing to emit). In our architecture, the topology is that of a centralized controller and stimulation units distributed over a bus. The controller, being the master, is the central point of the system, initiating all the communications with the distributed units, i.e., the slaves. The method is simple, as one slave transmits a frame only if the master has demanded or authorized it. The master/slave approach is appropriated, nevertheless the limited efficiency due to the protocol overhead must be improved, taking into account the multicast possibility. Indeed, this model of cooperation is not really efficient when dealing with a group of slaves as it requires to poll slaves, i.e., to individually communicate with each one. Time sharing (TDMA) can be a good solution to avoid polling, if clock drift problem and time-slots losses can be faced. However, a "static" TDMA is not adequate since the controller needs to communicate with a subset of slaves only when stimulation is performed, and moreover this subset of slaves can be dynamically defined. So the combination of time sharing and master/slave relation are the basis of the STIMAP protocol we propose. In short, we defined a method, adequate to our decentralized architecture, which is simple to implement, which allows TDMA to be contextually used, providing dynamic time-slots assignement and limiting time-slots losses.
STIMAP uses a method based on the master-slave model that has been modified for efficiency considerations. It obviously allows basic individual master-slave and slavemaster communications, but also offers a way to manage the communications with a group of slaves without polling all the members of the group. The master manages the access of the slaves to the medium by means of a "Speaking Right", similar to a token, it allocates to the members of the network. We distinguish Individual Speaking Right (ISR, individual token) and TDMA-based Group Speaking Right (GSR, group token). The ISR based mode is trivial: the DSU that receives an ISR has the authorization to emit one packet (practically, there is no payload requiring to send more than one packet). On the contrary, the GSR based mode is more complex and will be explained in the following section.
Group Medium Access Principles: The GSR Based Mode
In order to avoid polling of slaves, we define a TDMA-based group medium access sharing. TDMA is only contextually used, i.e., only when the master has to communicate with a group of slaves. This section outlines the principles of the STIMAP medium access mechanism, assuming the existence of a global time. Indeed, the TDMA sequence begins with the emission of a master frame on which all the DSUs are synchronized. The influence of the clock drift is limited as the TDMA sequence is not a long period. The GSR frame reception can be seen as a logical synchronization; every slave timeslot is positioned relatively to this frame. When dealing with a group of slaves (DSU), each group member (each DSU) knows the size of the group and its position in that group as this position is defined in term of priority: the lower is the position the higher is the priority. A DSU can be member of different groups and can have different positions in these groups. When the master allocates a GSR to a given group, it sends only one frame, which can be compared to a beacon. This frame is physically broadcasted, but only dedicated to the members of the indicated group. In this frame, it also indicates which member must begin the communication. Indeed, it is not necessarily the member of highest priority that begins to send its packet.
Example. Figure 1 represents two basic GSR communications for a group of 5 DSUs (group size GS = 5). In the first scenario of Figure 1 (a), the DSUa with priority 0 begins to emit after the reception of the GSR frame sent by the controller. The others DSUs then emit one after the other on their turn, according to their priority. In the second scenario of Figure 1(b) , all the members of the group emit one after the other but the first DSU to emit is the one with priority 2 (DSUc).
Time-Slot Positioning Mechanism
Knowing its position in the group, the group size and the member who must begin the communication, each member determines when it will have the right to emit its packet, i.e. the position of its time-slot. Each member can speak during the time-slot duration, a given time interval D that has been automatically computed by the master or explicitly specified in an initial phase. The positioning, in terms of member's position in the communication round, is given by the variable Pos P , which corresponds to the position of the member of priority P:
where:
-P is the priority number of the slave, -BP is the priority number of the DSU that begins the communication, -GS is the group size, -and α p = 1 if P < BP else α p = 0.
And then, from a time point of view, the time-slot position of the DSU with priority P is given by:
-D is the time-slot duration, -and RefTime corresponds to the reference instant of time for every node. The reference time mechanism is described in Section 2.6.
Example: Scenario of Figure 1 (a) . This scenario is used to illustrate the time-slot positioning mechanism. It represents a GSR communication of 5 DSUs (GS = 5), beginning with the DSUa emission. DSUa's priority is Pa = 0, then we have BP = Pa = 0.
If we are interested in the determination of the time-slot position of DSUb (Pb = 1), we have Pb > BP then α Pb = 0. Then we can calculate the time-slot position of DSUb using Equations (1) and (2):
In the same way, we can calculate the time-slot position of DSUd (Pd = 3):
Then the DSUb must emits its frame one D interval after the RefTime instant, as shown in Figure 1(a) . Similarly, DSUd must wait 3 D intervals before emitting. Figure 1 (b) . This scenario illustrates the time-slot positioning when the first emitter is not the one with the lowest priority. Indeed, the communication in this case is begun by DSUc, then we have BP = Pc = 2.
Example: Scenario of
As in the previous example, we want to determine the time-slot position of DSUb and DSUd, with respective priority Pb = 1 and Pd = 3. The calculation of their time-slot positions using Equations (1) and (2) gives:
So the DSUb must wait 4 D intervals after the reference time instant, whereas DSUd emits its frame 1 D interval after RefTime.
Sliding Time Interval Mechanism
The time-slot attributed to a slave is in fact constituted by two half time-intervals: the first half-interval is dedicated to the slave communication, and the second one is reserved for a potential reaction of the master. For instance, if the slave notifies a significant error the master could have to immediately react, to stop the stimulation for example. So, to be sure that the master will have access to the medium without any collision risk, this second half-interval is reserved. This contributes to the reactivity of the distributed stimulation architecture and is very important in our context. However, if a slave has nothing to transmit, its half-interval is free and the halfinterval reserved for the master is then unused and wasted. To avoid that, i.e. to reach better performances, the MAC method integrates a sliding time interval mechanism. When waiting for its time-slot, every slave listens to the medium: if the previous member of the group did not emit a packet then it brings backward its own time-slot by a half time-interval. In other words, it recovers the half time-interval that was reserved for the master but that will never be used.
In fact, the master can dynamically configure the sliding strategy. Three possibilities, named sliding rules, which must be exploited in a coherent way by the master, are proposed.
-No sliding. The master wants to always be able to react. It inhibits the sliding mechanism. -Sliding in case of "unused time interval". It corresponds to the case previously exposed. For example, this rule is selected when the master asks a DSU group to notify their potential error detection. So, if a DSU does not have any error to notify, it does not emit a frame and the next group member can recover the second half time-interval because the master will not have to react. An example is given in Figure 2 (a) showing that DSUd begins to emit its frame after 2.5 time-intervals (after Reftime) instead of 3 time-intervals in the normal case (Figure 1(a) ). -Sliding in case of "used time interval". It corresponds to a situation in which the master must not respond if the DSU emits a frame. For example, this rule is selected when the master performs a test of presence on a DSU group. If a DSU responds, the second half time-interval can be recovered since the master will not have to react. An example is given in Figure 2 (b) showing that DSUb and DSUe begin to emit their frames after respectively 0,5 and 2,5 time-interval (instead of respectively 1 and 4 time-intervals in Figure 1 (a)).
With this sliding mechanism, the time-slot positioning becomes more complex. It can be represented by the following equation:
where Pos P is computed according to Equation (1), and δ k depends on the selected sliding rule:
-in case of "no sliding" rule, δ k = 1 ∀k, -in case of "unused time interval" rule, δ k = 1 if the previous member (ie. the member at position k -1) sent a frame, else δ k = 0, -in case of "used time interval" rule, δ k = 0 if the previous member sent a frame, else
This equation is of cause valid ∀Pos P > 0, as for the first emitter (with Pos P = 0) there is no sliding possibility.
Example: Scenario of Figure 2(a).
We can illustrate the sliding mechanism calculating the time-slot position of the DSUb and DSUd. This scenario represents a GSR communication with the unused time interval sliding rule, when the DSUc does not emit its frame.
Remember that in Section 2.4 we have calculated Pos Pb = 1 and Pos Pd = 3, which do not change regardless the sliding rule value if GS and BP are still the same (GS = 5 and BP = 0). Then Equation (3) gives:
With the "unused time interval" rule we have in this scenario:
-δ 1 = 1 because the DSUa at position 0 has emitted a frame; -δ 2 = 1 because the DSUb at position 1 has emitted a frame; -δ 3 = 0 because DSUc at position 2 did not emit.
Then:
As shown in Figure 2 (a), and confirmed by these calculations, the time-slot position value for DSUb does not change compared with the scenario of Figure 1 . However, since DSUc did not emit any frame, its follower DSUd has slided and its time-slot position is different than in the normal scenario: 2,5 D intervals instead of 3.
Example: Scenario of Figure 2(b).
We finally illustrate the sliding mechanism with the used time interval rule, calculating the DSUb and DSUd time-slot positions:
-we still have Pos Pb = 1 and Pos Pd = 3; -with this new sliding rule, δ 1 = δ 2 = 0 since the predecessors DSUa and DSUb emit their frames, and δ 3 = 1 since DSUc did not emit.
Then we have:
DSUb slides and emits its frame 0,5 D interval after RefTime. On the contrary, DSUd does not slide, it emits 2 D intervals after RefTime.
Reference Time Positioning Mechanism
The previous mechanisms guaranty a deterministic access to the medium provided that the DSUs are synchronized on the master frame. This is the case in an ideal world where we do not consider hardware effects of the physical architecture: all the DSUs therefore receive the master frame at the same time and are synchronized. However, in our context, we can not consider the propagation time as negligible: if implanted, a wireless network is indeed a small range one but with potentially important propagation time variations, due to absorption coefficient differences within the body. Thus, we have implemented in STIMAP a synchronization mechanism: the reference time mechanism, to synchronize the DSUs at the beginning of the TDMA sequence.
2.6.1. Basic Principles. The goal of the reference time mechanism is to provide a common reference time for all the DSUs to begin the TDMA-based GSR communication. This communication begins with the emission of a master frame, similar to a beacon, holding a GSR token. As soon as it receives this frame, each node determines its reference time, which is the instant when it must start the TDMA sequence. We impose that the reference time is a constant duration after the GSR frame has been sent. The idea of the reference time mechanism is based on subtracting the transmission time from controller to slave to the previously mentioned common constant. The difference between the instant of time at which the DSUs receive the master frame will then be balanced by the subtraction of the different propagation times. Let's define:
-Beacon DSUi the reception instant of the beacon frame by DSUi; -Frame DSUi the transmission time of a frame from controller to DSUi; -RefTimeWait DSUi the duration DSUi has to wait after the beacon frame reception; -RefTime DSUi the reference time instant for DSUi. The reference time mechanism is then defined by:
We could estimate the transmission time from controller to slave to
, and we fix the constant value to D 2 . Equation (5) becomes:
As the RefTimeWait DSUi is a waiting duration, it can not has a negative value. So the D parameter has to respect the following reference time constraint:
where max RTT DSUi corresponds to the worst RTT of all DSUs.
Example. Figure 3 shows how this mechanism works illustrating it with two DSUs:
-DSU2 receives the master frame first, and begins to wait
-then DSU1 receives the master frame, and waits D 2 -
Supposing that the transmission time of the beacon from controller to DSUi is Beacon DSUi = RTT DSUi 2 , the reference time is then the same for both DSUs: This reference time mechanism theoretically guaranties a global reference time for all DSUs even if the propagation times are not the same for all the network members. However this supposes that transmission times between the controller and slaves are equal in both ways (controller to slave and slave to controller), which could be an unrealistic hypothesis.
Transmission Time Estimation, for Symmetric and Asymmetric Hardware Architectures.
The problem of the reference time mechanism should be based on the real transmission time of the GSR beacon from the controller to each slave. Let us introduce corresponding variables: T R DSUi for controller to DSUi transmission time, and T E DSUi for the opposite direction. This variable (parameter of the model) must be known to configure the protocol before the running phase. In the previously given reference time definition, this parameter was estimated to
. Indeed, the RTT parameter can easily be measured on the architecture, counting on the master side the time elapsed between the frame emission to the slave and the reception of the associated answer. In STIMAP, the RTT measurement is performed during the initialization phase, using a DPI mode: the duration of an individual communication is measured for each DSUi and considered as its RTT parameter value (RTT DSUi ). As previously noticed, the hy-
implies a strong constraint on the hardware: it supposes that the network boards have the same performances in reception than in emission. Supposing on the contrary that
, the reference time instant could differ depending on the DSUs and then the theoretical equation becomes:
Establishing that the RTT values can potentially be different for the all the DSUs, we can consider two hardware architecture types: the symmetric and the asymmetric ones. In a symmetric hardware architecture, the hardware couplers take the same time to emit and to receive a frame. and the reference time instants are not the same for each DSUi. Therefore the asymmetric case has to be taken into account in the validation process since this desynchronization impacts the protocol determinism. However, it is difficult to know the real duration of the one-way transmission of a frame in an asynchronous network; this requires specific material and experimentations, and it cannot be performed on our implanted network. Nevertheless, the aim of this study is to take into account the asymmetric case in a formal validation process to identify the limitations of the initial hypothesis.
VALIDATION METHODOLOGY
The validation of a system can be performed with different methods. Simulation of a model of the system, as well as test of the system behavior on a prototype, are wellknown and effective methods. Simulation has the advantages to allow the execution of big systems, whereas the design of a big system prototype is difficult from a practical and an economical point of view. For communication protocols validation, the simulation tools (OPNET or NS2 [Garrido et al. 2008] for example) offer the possibility to introduce dedicated problems to simulate the desired environment behavior. The system can then be validated in this simulated environment. Similarly, environment changes can be produced to validate the system prototype in a specific context. Fault injection campaigns [Hsueh et al. 1997 ] are a very common example of this method. Moreover, experimentation on prototype allows to test the implementation process, whereas simulation validates only a system model. But the simulation method, as well as the system test on prototype, are not exhaustive ones. For a given simulation run, not all the possible system states are considered. As the behavior is simulated in a random way, it is not possible to be sure that all the possible behaviors have been explored, even in a numerous simulation campaign. This problem is the same for the system test: the system is tested with an input data scenario, which is not exhaustive. It is not feasible to test all the possible input data values, as there is an infinite number of such scenarios. Furthermore, some specific values can not be tested as they can result from faults impossible to recreate. Therefore, all the more in some critical contexts, more formal methods are required to complete the validation process. Formal methods are based on mathematical concepts and provide more confidence on the validation results are they are exhaustive ones. This exhaustive validation is done by model checking [Berard et al. 2001; Clarke and Emerson 1982; Sifakis 1992] : verification of properties on the state space of the system model, i.e. all the possible behaviors. Furthermore, analysis of a model of the system allows detecting errors at an early step of the design process, before the implementation step. Then this validation method is the most appropriate one in our critical context, as this formal approach leads to a more accurate validation of the system reliability.
The methodology we used is a classic one from now for formal validation of communicating systems [David and Wang 2000; Godary et al. 2007; Stauner et al. 1997] . This methodology can be summarized in four main parts. The first step of the validation process is the modeling of the system. It is then necessary to choose a formal language that fits with the system to model and the properties to verify. The second step consists in abstracting the model to allow the analysis process. Indeed, combinatory explosion is a well-known problem of exhaustive analysis methods. The system model must then be reduced, keeping on only the relevant information. The desired properties must also be modeled, since they can be too complex to be expressed directly in temporal logic. Next, the properties can be verified, and, at last, validation results must be analyzed to conclude on the system reliability.
In our context, we used model checking on Petri Nets (PN) based system models. PN are a formalism allowing the expression of parallelism, synchronization, resource sharing and concurrency in a simple and natural way. They are then well-adapted for the modeling of distributed and communicating systems. At last, PN are associated to a mathematical formalism from which structural and behavioral analysis can be performed, including the model-checking analysis. Since we deal with nonautonomous systems, i.e. systems that interact with their environment via inputs (signals, sensors, etc.) and outputs (signals, actuators, etc.), we use extensions of PN that permit the description not only of the evolution of the model state but also when this occurs. Thus, we use the temporal extension introduced by Merlin [1974] : the Time Petri Nets (TPN). TPN allow modeling dense time as intervals associated to transitions. In the current article, the validation results have been obtained with the TINA toolbox 1 [Berthomieu et al. 2004 ]. The system is modeled and simulated using TINA, which also builds the analysis state graph [Berthomieu and Diaz 1991] . Finally, the selt model checker (a part of the TINA toolbox) is used for properties verification.
Validating some specific properties, as collision absence, we can be sure that it can never append in the system provided that the system implementation is faithful to the system model. This problem is resolved in our context as the STIMAP model has been implemented on a FPGA based prototype using an automatic VHDL code generator named HILECOP [Andreu et al. 2008] . HILECOP allows the automatic translation of Petri Nets into VHDL components. This guaranties that the properties verified on the system model remain true on the implemented system.
In the specific context of STIMAP, the validation process has two main goals. First, it must of course verify the behavior of all the protocol mechanisms verifying all the necessary properties, as for example the verification of collision absence. Indeed, collision detection being not ensured by the physical layer in use, collision avoidance must be guaranteed at MAC layer to avoid losing important frames (Section 2.1). Frame losses can be detected imposing the use of acknowledgments, but frame resending impacts both reactivity, since it induces a delay, and power consumption. But this validation process has a second purpose: improving the efficiency of the protocol, without losing the reliability. In our FES context, the communication efficiency directly impacts the FES control reactivity; the ability to keep stimulation under control at any time is a crucial issue (Section 2.1). This reactivity can notably be impacted by one particular parameter, named D, since it constitutes the basis of the temporal behavior of STIMAP. Fixing D as a too small value definitively leads to communication problems, as collisions. But fixing a too large D value implies an increase of the communication duration for each DSU and then unfavorably influences the protocol performances. Thus, this paper provides validation results as constraints on the STIMAP parameters that must be respected to verify the desired properties.
STIMAP MODEL
The whole system comprises several DSUs communicating with one master. But the combinatory explosion of the model checking method does not permit to analyze a complex model. Since the goal of the validation process is to validate the STIMAP mechanisms concepts, the analysis can be done on a limited number of DSUs. Indeed, the DSUs have all the same behavior, and the addition of one node on such a distributed system does not influence the local behavior of the other nodes. Then the properties are still verified whatever the number of DSUs is, provided that (i) we consider enough DSUs to deal with group of units and (ii) they all respect the protocol constraints. So the global model we consider in the following only represents three DSUs, the master and the medium of communication. Moreover, models of all these components are abstracted ones: parts of the models that support the mechanisms to be studied have been kept in details whereas parts that do not have any influence have been aggregated. It is for instance the case of the model of the application layer as it does not impact the MAC behavior. We particularly focus on the GSR mode so we represent the emission and the reception of the GSR frame, mentioning to all DSUs if the sliding is activated (Sliding place, Figures 4 and 5) , and in such case the selected sliding rule (Sliding Rule place, Figure 5 ).
DSU Model: Time-Slot Positioning Mechanism
First we only consider the model of the basic medium access strategy of STIMAP: the time-slot positioning mechanism in case of group communication (GSR mode) without the sliding time interval mechanism. In this simplified version of the MAC model, given in Figure 4 , we suppose that the GSR beacon is received at the same time for all DSUs. That corresponds to the symmetric hardware architecture case, for which the reference time positioning mechanism is not represented on the model. This model of the MAC behavior is the same for all the DSUs, except for the priority (each DSU having a different priority in the group). The priority mechanism, which is the basis of the TDMA principle, is represented by means of places priority DSUi and priorityComp DSUi. The first place is the priority of the DSU, which practically represents the number of slots the DSU has to wait before emitting. The second place is the complementary one: it represents the number of slots already waited. The DSU that is represented has a priority 1 (the first priority being equal to 0): it has to wait only one D interval before emitting.
The reception of the GSR frame is modeled by the generation of a token in the place GSRReception DSUi. Then the medium access mechanism starts: the transition t BeginAccMed DSUi is fired and the place SlotPositioning DSUi is marked. In case of no sliding, the Sliding place is not marked and then transition t NotMyTurn NoSliding DSUi could be fired (inhibitor edge). The firing of the transitions t NotMyTurn NoSliding DSUi or t MyTurn DSUi depends on the priority of the DSU and on the number of already waited slots. If there is at least one token in the priorityComp DSUi place, transition t NotMyTurn NoSliding DSUi is fired and the DSU waits a D interval (here D = 500 time units). On the contrary, if the DSU has already waited all the expected slots, the DSU can access to the medium: transition t MyTurn DSUi is fired and the place t EmissionPermission DSUi is marked, representing the permission to emit. The behavior of the frame emission will be described in Section 4.3. 
DSU Model: Sliding Time Interval Mechanism
We now expose the model of the time-slot positioning with the sliding mechanism ( Figure 5 ). In case of sliding (place Sliding marked), the DSU slot D is shared into two half-intervals. If it is not its turn to emit, the DSU has to wait: transition NotMyTurn Sliding DSU2 is fired. After waiting the first half-interval (transition t Wait HalfD DSUi), the DSU verifies (in the TestRecept DSUi place) if it can slide or not, depending on the sliding rule and the reception (or not) of the preceding DSU frame. The reception of a frame is modeled by a token in place FRAMEReceived DSU2. In our context we suppose that it is not possible to detect a frame that is being emitted before the end of its emission. Then the MAC level considers there is no frame on the medium until a complete frame is received. Supposing that the sliding rule is "used time interval" (Sliding Rule is marked):
-if the DSU has received the preceding frame, it slides: t NoWaitG1 DSUi is fired and the DSU returns in the SlotPositioning DSUi place. -if not, t WaitG1 DSUi is fired and the DSU waits one more half-interval.
Medium Model
The medium is modeled in a simple way, using only one place to represent its occupation. This representation is well adapted to represent a shared medium where all the frames are sent in broadcast (like on wired bus as nonswitched Ethernet). For wireless medium, it depends on the broadcast range: we suppose here that all nodes are reachable. Modeling the medium in a global way is a convenient over-approximation: if there is no collision detected on the global medium model, we can be sure that collision will not actually occur. Figure 6 shows the medium model and its relation with DSU1: when DSU1 emits on the medium (transition t Emission DSU1), the place MEDIUM becomes marked representing that the medium is occupied. At the end of the frame emission (transition t End DSU1), this token is consumed and a token is generated at the MAC level of the receivers (the DSU2 and the Master for instance), representing the complete reception of a frame. This model supposes that all the DSUs (and the master) receive the emitted frame at the same time. This is an over-approximation of the reality, since all nodes do not necessarily receive the frame simultaneously (in the model they are all as slow as the slowest).
DSU Model: Reference Time Positioning Mechanism
In the symmetric architecture case, the reference time is supposed to provide a global synchronization time to all DSUs (see Section 2.6). To model that, we just have to integrate a waiting duration after the beacon reception (GSR master frame). On the model the transition t BeginMedAcc DSUi becomes the transition t RefTime DSUi to which is associated a fixed time interval equal to D 2 . In the asymmetric architecture case, the reference time mechanism has to be entirely modeled, and it is quite difficult to do so using Petri nets. Indeed, the reference time is not the same for all DSUs, as it depends on the value of the T E DSUi and T R DSUi parameters. The basic idea to model the reference time is to separately integrate T R
DSUi
and T E DSUi durations: the first one is taken into account in the RefTimeWait DSUi duration whereas the latter is taken into account in the FrameDuration DSUi duration. Of course the RefTimeWait DSUi calculation must be done in an off-line step, since in the TINA tool the firing interval of transitions can only be integer values (calculation are not possible). But this solution provides a model for fixed values of T E DSUi and T R DSUi . Since we want to study all the possible cases of the asymmetry, these values must not be constant ones: we want to represent them as random values taken in a given interval. Representing T R DSUi as a random value in a given interval, it is so impossible to separately represent the T R DSUi and RefTimeWait DSUi parameters. Indeed, the calculation of the RefTimeWait DSUi value depends on the exact value of T R DSUi and should then be dynamically determined taking into account the exact firing 
. This problem will be discussed in Section 6.
STIMAP FORMAL VALIDATION FOR A SYMMETRIC ARCHITECTURE
This section concerns the STIMAP validation process in a symmetric architecture case: the transmission duration of a frame (included the emission and reception time) is the same between the controller and the DSU than between the DSU and the controller. It then can be estimated with the RTT measurement (see Section 2.6.2). The reference time mechanism then provides a global reference time that is the same for all DSUs and permits the DSUs to be synchronized . The validation process concerns of course different properties, like the time-slot positioning and the respect of the emission order within the GSR mode. This article focuses on the "no collision" property. This property is verified if there is no more than one token in the place MEDIUM of the medium model ( Figure 6 ). The result of this verification is dependent on the relation between the D parameter and the FrameDuration DSUi and ReactionDuration DSUi ones. FrameDuration DSUi is the duration of the DSUi frame, whereas ReactionDuration DSUi is the duration of the master reaction frame (when it reacts in the dedicated DSUi slot), including frame treatment duration at the master application level. The validation has been done for each possible scenario: no sliding, sliding in case of used or unused interval, with or without DSU frame emission. This work is the continuation of the one presented in [Godary et al. 2007 ], which presents the validation results of a very simple model: the time-slot positioning without sliding, assuming a symmetric architecture. This first work permitted to verify basic concepts of the TDMA-based GSR communication. We want now to study and validate the full mechanism of STIMAP.
Setting the D parameter value, we find using dichotomy the maximal values for the parameters FrameDuration DSUi and ReactionDuration DSUi for which no collision can occur. We thus extract some basic constraints that the parametering of STIMAP has to respect to ensure a collision-free medium access in a symmetric hardware architecture case. These constraints confirm the theoretical behavior of STIMAP. They are summarized in Table I and explained in the following.
-No sliding. In this case, the only condition is that the DSU must have finished to emit at the end of the D interval: FrameDuration DSUi must be shorter than D, for all DSUs. -Sliding in case of unused time interval. In this case, the master can react to the DSU frame, then a DSU must not slide if there is a DSU emission in its preceding timeslot. For this sliding rule, two constraints have to be respected. First, as illustrated at the left of Figure 7 , if the duration of the DSU1 frame is longer than D 2 , the next node (DSU2) and the master did not received this frame before the end of the first half-interval. Then they suppose that no frame has been emitted: the master does not react and DSU2 slides and begins to emit its frame, provoking a collision with that of DSU1. The second condition concerns the master reaction: if a DSU emits a frame and the master reacts to it (see the right of Figure 7 ), the next DSU does not slide and waits the end of the D interval. So the master frame must be finished before the end of the D interval. Then the sum of the DSU frame duration and the reaction duration must be lower than the D parameter. If the first DSU does not emit its frame, the master does not react, the next DSU slides, there is no additional condition.
-Sliding in case of used time interval. In this case, the master reacts if there is a passive DSU. In this sliding rule, two constraints must be respected: first if the DSU1 emits a too long frame (greater than D 2 ), the master supposes there is no frame and begins to react, provoking a collision with the DSU1 frame. Second, if the DSU1 does not emit its frame, the master reacts in the second half interval: this frame must be finished before the DSU2 begins to emit in its time-slot, then the reaction duration must be lower than D 2 .
Concluding on these validation results, we can say that the behavior of the medium access protocol STIMAP is valid (i.e., it verifies all the desired properties) provided that the D parameter respects the conditions summarized in Table I . However, this validation has been done assuming the hypothesis that all the DSUs have the same global reference time (symmetric architecture case). Thus the previous validation results are dependent on the reference time values of each DSU. So we have to study this mechanism and extend the validation process to the asymmetric architecture case. This validation is presented in the next section.
STIMAP FORMAL VALIDATION FOR AN ASYMMETRIC ARCHITECTURE
Experiments, performed both on Ethernet based platform and on RF one [Andreu et al. 2008] , showed that some hardware architectures can imply important variations between the different RTT durations, but most of all these experimental measurements proved that it is possible to have significant differences between the transmission duration from the master to a DSU named T R DSUi and the one from this DSU to the master named T E DSUi . This means that the system is not a perfect one and that the hypothesis on the synchronization of the DSUs must be reconsidered: a system is neither a perfect nor a symmetric one.
We have seen that the reference time mechanism in a symmetric hardware provides a global reference time on which all the DSUs are synchronized. An asymmetric hardware architecture, on the contrary, provokes a gap between the reference times of the different DSUs: they are not synchronized anymore. We then have to study the effect of the asymmetric hardware on the medium access mechanism, mainly the induced collision risks.
Values of the Model Parameters
On the STIMAP model, we fix the STIMAP model parameters, respecting the basic constraints of the protocol verified in the preceding section, and adding the asymmetric hypothesis. We have to use the two parameters T R DSUi and T E DSUi to model an asymmetric system. But as mentioned in Section 4.4, we can not represent dynamic calculations on the firing interval of the transitions. We can not introduce into the model the calculation of the parameters: we must introduce their values in a different way.
For the reference time parameter, we can represent it as a random duration in a [min RefTime, max RefTime] interval for all DSUs. So we have to calculate these two bounds, depending on the asymmetric hypotheses. Indeed, experimental results show that the asymmetry is always in the same way for a given technology. For example, Ethernet hardware couplers are always faster to emits than to receive, whereas the situation is inverse for a RF technology. The validation process of STIMAP for an asymmetric hardware architecture is then decomposed in two steps: with the fast emission hypothesis, i.e., when the DSU is faster in emission than in reception T E DSUi < T R DSUi ∀i , and with the opposite slow emission hypothesis.
But we also have to consider the relationship between the three parameters T E DSUi , T R DSUi and RTT DSUi . We want to explore all the possibilities of the parameters values, including the worst cases. The worst asymmetric solution is when T E DSUi and T R DSUi are the most different. For example, considering the T E < T R hypothesis, the worst case is when T E = 0 and T R = RTT. We can then supposed for this hypothesis that T E DSUi ∈ 0, Then we have to fix the D parameter value. We want to fix it as the best value, which is the lowest one to increase the protocol efficiency, but respecting all the protocol constraints: the ones of Table I , and also the reference time constraint of Equation (7):
The D value will depend on the direction of the asymmetry, as we will see in the two next sections.
We also suppose that FrameDuration DSUi = T E DSUi . In fact, this first parameter is supposed to represent the medium occupation duration when DSUi emits a frame, whereas T E DSUi also includes the reception duration of the master (i.e., the medium occupation plus the stack crossing on the master side). Therefore, supposing that FrameDuration DSUi = T E DSUi , the medium occupation duration is an overapproximation of the reality. So our validation results will be good even if the reception duration of the master is very low. (4) and (6), we have:
We can then explain the RefTime DSUi parameter as:
From these conclusions, we can calculate the maximal and minimal values of the RefTime DSUi parameter:
All these parameters values are summarized in Table II Table II , we detect that collisions are possible. In this section we will precisely analyze a situation that leads to a collision, with sliding in case of unused interval. The execution of this scenario is shown in Figure 8 , and its detailed behavior is as follows.
-t = 300μs. The DSU2's reference time is 300μs; as DSU2 is not the first DSU of the GSR sequence, it waits a half time-interval D 2 before emitting. -t = 450μs. The DSU1's reference time is 450μs; as DSU1 is the first DSU to emit, it begins to emit its frame. -t = 550μs. DSU2 has waited for its first D 2 interval, it has to decide if it must slide or not; if the frame of DSU1 is longer than = 100μs, this frame emission is not finished and DSU2 considers that it has not received a frame. With the "unused time interval" sliding rule, DSU2 then slides and begins to emit its frame, provoking a collision.
This scenario seems realistic, but we have to study the specific values of T E DSui and T R DSui parameters to verify if they respect their constraint. First, if 450 =
2 then we have:
= 400. In the same time, we must have:
So if the reference time value if DSU1 is 450μs, we must have a T E DSU1 value inferior to 50μs. But the collision occurs only if T E DSU1 > 100μs. Then this collision situation is not a real one, it corresponds to one of the overestimated states of the system. Figure 8 shows that to generate a collision with the sliding mechanism in case of unused interval, the hardware values must respect the following equations:
Generalization.
In summary, a collision can occur if the hardware parameters respect:
Calculating the maximal value of the left term with our hypothesis, we have:
So, as in the fast emission hypothesis D = max RTT DSUi , the left term should never be superior to D, and then a collision can never occur for an asymmetric architecture with sliding in case of unused interval.
Other Validation Results and STIMAP Constraints Summary
The preceding section analyses the results of the no-collision verification with sliding in case of unused interval, with the fast emission hypothesis. This analysis shows that in fact, the collision situations detected with the model checking validation correspond to some unrealistic states of the system, provided that the D parameter respects D > max RTT DSUi . Similar analyses of all the no-collision verification results (for each sliding rules, for both fast and slow emission hypotheses) show that collisions are never possible, but for the slow emission hardware architecture the minimal D value must be D > 2 × max RTT DSUi . Table I finally recalls all the constraints for the STIMAP parameters, for both symmetric and asymmetric hardware. But all these constraints can be summarized in the following one, which includes all the others:
CONCLUSION
This article deals with the validation of STIMAP, a deterministic medium access protocol. This protocol has been designed to meet the specific requirements of a FES distributed architecture. Thus the protocol must fit with real-time and reliability constraints, as well as embedded ones. It must be reactive, deterministic, reliable, with a simple and light implementation. STIMAP is based on a TDMA-based group communication with a sliding mechanism to improve the efficiency of the classic TDMA approach. This approach is mixed with a master/slave approach to initiate a TDMA communication for a given group of nodes. In such a critical context, we propose to complete classical validation methods as simulation and experimentation on prototypes, with a formal validation process, which provides more confident validation results. This article presents the Time Petri Nets (TPN) STIMAP model and its validation, focusing on the no-collision property verification. The STIMAP validation is proved with an analysis of model checking results. The TPN formalism has been chosen to guarantee the implementation process: the validated model is directly implemented, using the HILECOP tool, automatically generating VHDL code for a FPGA target. Moreover, the TPN formalism fits well with our modeling needs. However, the timed model checking for TPN is not as developed as required.
First, the verification process often implies the research of an a priori unknown duration value. It is then necessary to make several verification runs to find the suitable value. The solution could be to introduce this duration value as a parameter, and the validation process should provide the parameter values for which the desired behavior is guaranteed. This idea is the basis of the parameterized timed model checking that has been the subject of several research works in last decade [Bruyère and Raskin 2007; Hune et al. 2001; Traonouez et al. 2009 ]. But it is not yet mature, especially for the TPN formalism. The complexity introduced by the parameters leads to combinatory explosion that is not yet resolved (parameterized model checking has been proved undecidable by Alur et al. [1993] ). Thus, few works have been implemented in an analysis tool. To our knowledge, only Traonouez et al. [2009] have implemented, in their tool Romeo, an algorithm for the analysis of parameterized TPN. But this solution, as the one implemented in UPPAAL for parameterized timed automata [Hune et al. 2001] , is limited to very simple models. So our ongoing work is to optimize their method, proposing fusion rules of equivalent classes to reduce this complexity.
Second, the STIMAP validation is confronted to an even more complex modeling and verification problem: the firing interval of one transition is a calculation that depends of the firing date of a preceding transition. But this dynamical construction of the state space graph is not resolved for now. A solution could be to defined the dynamical time Petri nets, a new modeling formalism, extension of the Time Petri nets. Dynamical TPN could allow to express the dependence between firing intervals. The issue is to define an analysis algorithm for the state graph construction considering these dynamical constraints. But the complexity of such a solution is till now even more difficult to manage than the parameterized timed model checking, which is still unresolved.
Therefore, regarding these two limitations, this paper presents a validation of an overapproximation of the real possible states of the system. Then, a precise analysis of the results is done to conclude for the real states. So the whole validation process allows extracting constraints that must be respected to guaranty the STIMAP behavior. We conclude saying that, provided that these constraints are respected, the STIMAP protocol has a correct behavior for whatever hardware architectures.
More than the validation results, this study also shows that the model checking is not still fully well adapted to the modeling and the validation of real systems. For example, the STIMAP validation has been done without changing the basic mechanisms of the protocol and their associated constraints. Parameterized model checking, as well as (dynamic) calculation of transitions firing intervals, could help to find for instance the most suitable constraint for the reference time value to enhance the protocol efficiency without loosing the reliability. Therefore, an interesting continuation of this work should be the study and the improvement of the interface between the theoretical formal methods, and their associated tools, with the actual needs of systems validation. This could especially be interesting in specific contexts as embedded ones, where real-time constraints as well as hardware characteristics have to be jointly considered during the validation process. We currently work on the interfacing between the HILECOP tool and a validation tool suite, in order to closely link the system design process and the formal validation one.
