Probabilistic Analysis of Weakly-Hard Real-Time Systems by Kang, Eun-Young et al.
Probabilistic Analysis of Weakly-Hard Real-Time
Systems
Eun-Young Kang12 and Dongrui Mu2 and Li Huang2
1University of Namur, Belgium
2School of Data & Computer Science, Sun Yat-Sen University, China
eykang@fundp.ac.be
{mudr, huangl223}@mail2.sysu.edu.cn
ar
X
iv
:1
80
7.
00
00
3v
1 
 [c
s.S
E]
  2
9 J
un
 20
18
ABSTRACT
Modeling and analysis of non-functional properties, such as timing constraints,
is crucial in automotive real-time embedded systems. East-adl is a domain
specific architectural language dedicated to safety-critical automotive embedded
system design. We have previously specified East-adl timing constraints in
Clock Constraint Specification Language (Ccsl) and proved the correctness of
specification by mapping the semantics of the constraints into Uppaal models
amenable to model checking. In most cases, a bounded number of violations of
timing constraints in automotive systems would not lead to system failures when
the results of the violations are negligible, called Weakly-Hard (WH). Previous
work is extended in this paper by including support for probabilistic analysis of
timing constraints in the context of WH: Probabilistic extension of Ccsl, called
PrCcsl, is defined and the East-adl timing constraints with stochastic prop-
erties are specified in PrCcsl. The semantics of the extended constraints in
PrCcsl is translated into Uppaal-SMC models for formal verification. Further-
more, a set of mapping rules is proposed to facilitate guarantee of translation.
Our approach is demonstrated on an autonomous traffic sign recognition vehicle
case study.
Keywords: East-adl, Uppaal-SMC, Probabilistic Ccsl, Weakly-Hard
System, Statistical Model Checking
Contents
1 Introduction 1
2 preliminary 3
3 Running Example: Traffic Sign Recognition Vehicle 5
4 Probabilistic Extension of Relation in CCSL 10
5 Specification of Timing Constraints in PrCCSL 14
6 Translating CCSL & PrCCSL into UPPAAL-SMC 21
6.1 Mapping CCSL to UPPAAL-SMC . . . . . . . . . . . . . . . . . 21
6.2 Representation of PrCCSL in UPPAAL-SMC . . . . . . . . . . . 24
7 Modeling the Behaviors of AV and its Environment in UPPAAL-
SMC 28
8 Experiments: Verification & Validation 34
9 Related work 38
10 Conclusion 39
References 40
List of Figures
3.1 AV in East-adl augmented with Tadl2 constraints (R. IDs)
specified in PrCcsl (Spec. R. IDs) . . . . . . . . . . . . . . . 6
4.1 Example of a Run . . . . . . . . . . . . . . . . . . . . . . . . . . 10
6.1 Uppaal-SMC model of clock tick and history . . . . . . . . . . 21
6.2 STA of Ccsl expressions . . . . . . . . . . . . . . . . . . . . . . 22
6.3 Observer STA of Subclock and Coincidence . . . . . . . . . . . 26
7.1 STAs of fps in Environment ft . . . . . . . . . . . . . . . . . . . 29
7.2 Modeling system behaviors in Uppaal-SMC . . . . . . . . . . . 30
7.3 Periodically triggered ports speed and obstacle . . . . . . . . . 31
7.4 Internal behaviours of Controller in UPPAAL-SMC . . . . . . 31
7.5 Representation of substates of Normal state in UPPAAL-SMC . . 32
7.6 STAs utilized to verify R3 . . . . . . . . . . . . . . . . . . . . . 33
8.1 Simulation Result of R13 . . . . . . . . . . . . . . . . . . . . . . 36
8.2 Frequency Histogram of End-to-End timing constraint (R17) . . 37
8.3 Performance analysis of verifying R5 with Expected Value and Sim-
ulation. The number of runs ranges from 100 to 500 with increment
as 100. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Probabilistic Analysis of Weakly-Hard Real-Time Systems
Chapter 1
Introduction
Model-driven development is rigorously applied in automotive systems in which
the software controllers interact with physical environments. The continuous
time behaviors (evolved with various energy rates) of those systems often rely
on complex dynamics as well as on stochastic behaviors. Formal verification and
validation (V&V) technologies are indispensable and highly recommended for de-
velopment of safe and reliable automotive systems [3,4]. Conventional V&V, i.e.,
testing and model checking have limitations in terms of assessing the reliability of
hybrid systems due to both the stochastic and non-linear dynamical features. To
ensure the reliability of safety critical hybrid dynamic systems, statistical model
checking (SMC) techniques have been proposed [11, 12, 24]. These techniques
for fully stochastic models validate probabilistic performance properties of given
deterministic (or stochastic) controllers in given stochastic environments.
Conventional formal analysis of timing models addresses worst case designs,
typically used for hard deadlines in safety critical systems, however, there is great
incentive to include “less-than-worst-case” designs to improve efficiency but with-
out affecting the quality of timing analysis in the systems. The challenge is the
definition of suitable model semantics that provide reliable predictions of sys-
tem timing, given the timing of individual components and their compositions.
While the standard worst case models are well understood in this respect, the
behavior and the expressiveness of “less-than-worst-case” models is far less inves-
tigated. In most cases, a bounded number of violations of timing constraints in
systems would not lead to system failures when the results of the violations are
negligible, called Weakly-Hard (WH) [8, 28]. In this paper, we propose a formal
probabilistic modeling and analysis technique by extending the known concept of
WH constraints to what is called “typical” worst case model and analysis.
East-adl (Electronics Architecture and Software Technology - Architec-
ture Description Language) [5, 14], aligned with AUTOSAR (Automotive Open
System Architecture) standard [1], is a concrete example of the MBD approach
for the architectural modeling of safety-critical automotive embedded systems. A
system in East-adl is described by Functional Architectures (FA) at dif-
ferent abstraction levels. The FA are composed of a number of interconnected
1
Probabilistic Analysis of Weakly-Hard Real-Time Systems
functionprototypes (fp), and the fps have ports and connectors for communica-
tion. East-adl relies on external tools for the analysis of specifications related
to requirements. For example, behavioral description in East-adl is captured in
external tools, i.e., Simulink/Stateflow [31]. The latest release of East-adl
has adopted the time model proposed in the Timing Augmented Description Lan-
guage (Tadl2) [9]. Tadl2 expresses and composes the basic timing constraints,
i.e., repetition rates, End-to-End delays, and synchronization constraints. The
time model of Tadl2 specializes the time model of MARTE, the UML profile for
Modeling and Analysis of Real-Time and Embedded systems [29]. MARTE pro-
vides Ccsl, a time model and a Clock Constraint Specification Language, that
supports specification of both logical and dense timing constraints for MARTE
models, as well as functional causality constraints [26].
We have previously specified non-functional properties (timing and energy
constraints) of automotive systems specified in East-adl and MARTE/Ccsl,
and proved the correctness of specification by mapping the semantics of the con-
straints into Uppaal models for model checking [22]. Previous work is extended
in this paper by including support for probabilistic analysis of timing constraints
of automotive systems in the context WH: 1. Probabilistic extension of Ccsl,
called PrCcsl, is defined and the East-adl/Tadl2 timing constraints with
stochastic properties are specified in PrCcsl; 2. The semantics of the extended
constraints in PrCcsl is translated into verifiable Uppaal-SMC [2] models for
formal verification; 3. A set of mapping rules is proposed to facilitate guaran-
tee of translation. Our approach is demonstrated on an autonomous traffic sign
recognition vehicle (AV) case study.
The paper is organized as follows: Chapter 2 presents an overview of Ccsl
and Uppaal-SMC. The AV is introduced as a running example in Chapter 3.
Chapter 4 presents the formal definition of PrCcsl. The timing constraints that
are applied on top of AV are specified using Ccsl in Chapter 5. Chapter 6 de-
scribes a set of translation patterns from Ccsl/PrCcsl to Uppaal-SMC models
and how our approaches provide support for formal analysis at the design level.
The behaviours of AV system and the stochastic behaviours of the environments
are represented as a network of Stochastic Timed Automata presented in Chapter
7. The applicability of our method is demonstrated by performing verification on
the AV case study in Chapter 8. Chapter 9 and Chapter 10 present related work
and the conclusion.
2
Probabilistic Analysis of Weakly-Hard Real-Time Systems
Chapter 2
preliminary
In our framework, we consider a subset of Ccsl and its extension with stochastic
properties that is sufficient to specify East-adl timing constraints in the context
of WH. Formal Modeling and V&V of the East-adl timing constraints specified
in Ccsl are performed using Uppaal-SMC.
Clock Constraint Specification Language (Ccsl) [6, 26] is a UML profile
for modeling and analysis of real-time systems (MARTE) [7, 25]. In Ccsl, a
clock represents a sequence of (possibly infinite) instants. An event is a clock
and the occurrences of an event correspond to a set of ticks of the clock. Ccsl
provides a set of clock constraints that specifies evolution of clocks’ ticks. The
physical time is represented by a dense clock with a base unit. A dense clock
can be discretized into a discrete/logical clock. idealClock is a predefined dense
clock whose unit is second. We define a universal clock ms based on idealClock:
ms = idealClock discretizedBy 0.001. ms representing a periodic clock that
ticks every 1 millisecond in this paper. A step is a tick of the universal clock.
Hence the length of one step is 1 millisecond.
Ccsl provides two types of clock constraints, relation and expression: A
relation limits the occurrences among different events/clocks. Let C be a set of
clocks, c1, c2 ∈ C, coincidence relation (c1 ≡ c2) specifies that two clocks must
tick simultaneously. Precedence relation (c1 ≺ c2) delimits that c1 runs faster
than c2, i.e., ∀k ∈ N+, where N+ is the set of positive natural numbers, the kth
tick of c1 must occur prior to the kth tick of c2. Causality relation (c1  c2)
represents a relaxed version of precedence, allowing the two clocks to tick at
the same time. Subclock (c1 ⊆ c2) indicates the relation between two clocks,
superclock (c1) and subclock (c2), s.t. each tick of the subclock must correspond
to a tick of its superclock at the same step. Exclusion (c1 # c2) prevents the
instants of two clocks from being coincident. An expression derives new clocks
from the already defined clocks: periodicOn builds a new clock based on a base
clock and a period parameter, s.t., the instants of the new clock are separated by
a number of instants of the base clock. The number is given as period. DelayFor
results in a clock by delaying the base clock for a given number of ticks of a
reference clock. Infimum, denoted inf, is defined as the slowest clock that is
3
Probabilistic Analysis of Weakly-Hard Real-Time Systems
faster than both c1 and c2. Supremum, denoted sup, is defined as the fastest
clock that is slower than c1 and c2.
UPPAAL-SMC performs the probabilistic analysis of properties by monitoring
simulations of complex hybrid systems in a given stochastic environment and
using results from the statistics to determine whether the system satisfies the
property with some degree of confidence. Its clocks evolve with various rates,
which are specified with ordinary differential equations (ODE). Uppaal-SMC
provides a number of queries related to the stochastic interpretation of Timed
Automata (STA) [12] and they are as follows, where N and bound indicate the
number of simulations to be performed and the time bound on the simulations
respectively:
1. Probability Estimation estimates the probability of a requirement property φ
being satisfied for a given STA model within the time bound: Pr[bound] φ.
2. Hypothesis Testing checks if the probability of φ being satisfied is larger than
or equal to a certain probability P0: Pr[bound] φ > P0.
3. Probability Comparison compares the probabilities of two properties being
satisfied in certain time bounds: Pr[bound1] φ1 > Pr[bound2] φ2.
4. Expected Value evaluates the minimal or maximal value of a clock or an inte-
ger value while Uppaal-SMC checks the STA model: E[bound;N ](min : φ)
or E[bound;N ](max : φ).
5. Simulations : Uppaal-SMC runsN simulations on the STA model and mon-
itors k (state-based) properties/expressions φ1, ..., φk along the simulations
within simulation bound bound: simulate N [6 bound]{φ1, ..., φk}.
4
Probabilistic Analysis of Weakly-Hard Real-Time Systems
Chapter 3
Running Example: Traffic Sign
Recognition Vehicle
An autonomous vehicle (AV) [20, 21] application using Traffic Sign Recognition
is adopted to illustrate our approach. The AV reads the road signs, e.g., “speed
limit” or “right/left turn”, and adjusts speed and movement accordingly. The func-
tionality of AV, augmented with timing constraints and viewed as Functional
Design Architecture (FDA) (designFunctionTypes), consists of the follow-
ing fps in Fig. 3.1: System function type contains four fps, i.e., the Camera
captures sign images and relays the images to SignRecognition periodically.
SignRecognition analyzes each frame of the detected images and computes the
desired images (sign types). Controller determines how the speed of the ve-
hicle is adjusted based on the sign types and the current speed of the vehicle.
VehicleDynamic specifies the kinematics behaviors of the vehicle. Environment
function type consists of three fps, i.e., the information of traffic signs, ran-
dom obstacles, and speed changes caused by environmental influence described
in TrafficSign, Obstacle, and Speed fps respectively.
We consider the Periodic, Execution, End-to-End, Synchronization,
Sporadic, and Comparison timing constraints on top of the AV East-adl
model, which are sufficient to capture the constraints described in Fig. 3.1. Fur-
thermore, we extend East-adl/Tadl2 with an Exclusion timing constraint
(R27 – R31) that integrates relevant concepts from the Ccsl constraint, i.e., two
events cannot occur simultaneously.
R1. The camera must capture an image every 50ms. In other words, a Periodic
acquisition of Camera must be carried out every 50ms.
R2. The captured image must be recognized by an AV every 200ms, which can
be interpreted as a Periodic constraint on SignRecognition fp.
R3. The obstacle will be detected by vehicle every 40ms, i.e., a Periodic timing
constraint should be applied on the obstacle input port of Controller.
R4. The speed of the vehicle should be updated periodically with the period as
30ms, i.e., a Periodic timing constraint should be applied on the speed input
port of Controller.
5
Probabilistic Analysis of Weakly-Hard Real-Time Systems
Figure 3.1: AV in East-adl augmented with Tadl2 constraints (R. IDs) specified in PrCcsl
(Spec. R. IDs)
R5. The detected image should be computed within [100, 150]ms in order to
generate the desired sign type, the SignRecognitionmust complete its execution
within [100, 150]ms.
R6. After the Camera is triggered, the captured image should be sent out from
Camera within 20 – 30ms, i.e., the execution time of Camera should be between
20 and 30ms.
R7. After an obstacle is detected, the Controller should send out a request to
brake the vehicle within 100 – 150ms, i.e., the execution time for Controller
should be in the range [100, 150]ms.
R8. After the command/request from controller is arrived at VehicleDynamic,
the speed should be updated within 50 – 100ms. That is, the Execution timing
constraint applied on VehicleDynamic is 50 – 100ms.
R9. If the mode of AV switches to “emergency stop” due to the certain obstacle, it
should not revert back to “automatic running” mode within a specific time period.
That is interpreted as a Sporadic constraint, i.e., the mode of AV is changed to
“stop” because of the encounter of obstacle, it should not revert back to “run”
mode within 500ms.
R10. If the mode of AV switches to “emergency stop” due to the certain obstacle,
it should not revert back to “accelerate ” mode within a specific time period. That
is interpreted as a Sporadic constraint, i.e., the mode of AV is changed to “stop”
6
Probabilistic Analysis of Weakly-Hard Real-Time Systems
because of the encounter of obstacle, it should not revert back to “accelerate”
mode within 500ms.
R11. If the mode of AV switches to “emergency stop” due to the certain obstacle,
it should not revert back to “turn left” mode within a specific time period. That
is interpreted as a Sporadic constraint, i.e., the mode of AV is changed to “stop”
because of the encounter of obstacle, it should not revert back to “turn left” mode
within 500ms.
R12. If the mode of AV switches to “emergency stop” due to the certain obstacle,
it should not revert back to “turn right” mode within a specific time period. That
is interpreted as a Sporadic constraint, i.e., the mode of AV is changed to “stop”
because of the encounter of obstacle, it should not revert back to “turn right”
mode within 500ms.
R13. The required environmental information should arrive to the controller
within 40ms. That is input signals (speed, signType, direct, gear and torque
ports) must be detected by Controller within a given time window, i.e., the
tolerated maximum constraint is 40ms.
R14. After the execution of Controller is finished, all the requests of controller
should be updated within 30ms. That is output signals (on reqTorq, reqDirect,
reqGear, reqBrake ports) must be sent within a given time window, i.e., the
tolerated maximum constraint is 30ms.
R15. The requests from the controller should be arrived to VehicleDynamic
within 30ms. That is input signals (reqTorq, reqDirect, reqGear, reqBrake)
must be detected by VehicleDynamic within a given time window, i.e., the tol-
erated maximum constraint is 30ms.
R16. After execution of VehicleDynamic is finished, the information of vehicle
should be updated within 40ms, i.e., the Synchronization applied on the output
ports (speed, direct, gear, torque) is 40ms.
R17. When a traffic sign is recognized, the speed of AV should be updated within
[150, 250]ms. An End-to-End constraint on Controller and VehicleDynamic,
i.e., the time interval measured from the input arrival of Controller to the
instant at which the corresponding output is sent out from VehicleDynamic
must be within [150, 250]ms.
R18. After the camera is triggered to capture the image, the computation of the
traffic sign should be finished within [120, 180]ms, i.e., the End-to-End timing
constraint applied on Camera and SignRecognition should be between 120ms
and 180ms.
R19. The time interval measured from the instant at which the camera captures
an image of traffic sign, to the instant at which the status of AV (i.e., speed,
direction) is updated, should be within [270, 430]ms. That is, End-to-End timing
constraint applied on Camera and VehicleDynamic should be between 270 and
430ms.
7
Probabilistic Analysis of Weakly-Hard Real-Time Systems
R20. When a left turn sign is recognized, the vehicle should turn towards left
within 500ms, which can be interpreted as an End-to-End timing constraint
applied on the event DetectLeftSign and StartTurnLeft.
R21. When a right turn sign is recognized, the vehicle should turn towards right
within 500ms, which can be interpreted as an End-to-End timing constraint
applied on the event DetectRightSign and StartTurnRight.
R22. When a stop sign is recognized, the vehicle should start to brake within
200ms, which can be interpreted as an End-to-End timing constraint applied on
the event DetectStopSign and StartBrake.
R23. When a stop sign is recognized, the vehicle should be stop completely within
3000ms, which can be interpreted as an End-to-End timing constraint applied
on the event DetectStopSign and Stop.
R24. The execution time interval from Controller to VehicleDynamic should
be less than or equal to the sum of the worst case execution time interval of each
fp.
R25. The execution time interval from Camera to SignRecognition should be
less than or equal to the sum of the worst case execution time interval of each fp.
R26. The execution time interval from Camera to VehicleDynamic should be less
than or equal to the sum of the worst case execution time interval of each fp.
R27. While AV turns left, the “turning right” mode should not be activated.
The events of turning left and right considered as exclusive and specified as an
Exclusion constraint.
R28. While AV is braking, the “accelerate” mode should not be activated. The
events of braking and accelerating are considered as exclusive and specified as an
Exclusion constraint.
R29. When AV is in the emergency mode because of the obstacle occurrence,
“turn left” mode must not be activated, i.e., the events of handling emergency
and turning left are exclusive and specified as a Exclusion constraint.
R30. When AV is in the emergency mode because of the encounter of an obstacle,
“turn right” mode must not be activated, i.e., the events of handling emergency
and turning right are exclusive and specified as an Exclusion constraint.
R31. When AV is in the emergency mode because of the encounter of an obstacle,
“accelerate” mode must not be activated, i.e., the events of handling emergency
and accelerating are exclusive and specified as an Exclusion constraint.
Delay constraint gives duration bounds (minimum and maximum) between
two events source and target. This is specified using lower, upper values given as
either Execution constraint (R5 – R8) or End-to-End constraint (R17 – R23).
Synchronization constraint (R13 – R16) describes how tightly the occurrences
of a group of events follow each other. All events must occur within a sliding
window, specified by the tolerance attribute, i.e., the maximum time interval
allowed between events. Periodic constraint states that the period of successive
8
Probabilistic Analysis of Weakly-Hard Real-Time Systems
occurrences of a single event must have a time interval (R1 – R4). Sporadic
constraint states that events can arrive at arbitrary points in time, but with
defined minimum inter-arrival times between two consecutive occurrences (R9
– R12). Comparison constraint delimits that two consecutive occurrences of
an event should have a minimum inter-arrival time (R24 – R26). Exclusion
constraint refers that two events must not occur at the same time (R27 – R31).
Those timing constraints are formally specified (see as R. IDs in Fig. 3.1) using
the subset of clock relations and expressions (see Chapter 2) in the context of
WH. The timing constraints are then verified utilizing Uppaal-SMC and are
described further in the following chapters.
9
Probabilistic Analysis of Weakly-Hard Real-Time Systems
Chapter 4
Probabilistic Extension of Relation in
CCSL
To perform the formal specification and probabilistic verification of East-adl
timing constraints (R1 – R31 in Sec 3.), Ccsl relations are augmented with prob-
abilistic properties, called PrCcsl, based on WH [8]. More specifically, in order
to describe the bound on the number of permitted timing constraint violations in
WH, we extend Ccsl relations with a probabilistic parameter p, where p is the
probability threshold. PrCcsl is satisfied if and only if the probability of relation
constraint being satisfied is greater than or equal to p. As illustrated in Fig. 3.1,
East-adl/Tadl2 timing constraints (R. IDs in Fig. 3.1) can be specified (Spec.
R. IDs) using the PrCcsl relations and the conventional Ccsl expressions.
A time system is specified by a set of clocks and clock constraints. An
execution of the time system is a run where the occurrences of events are clock
ticks.
Definition 1 (Run) A run R consists of a finite set of consecutive steps where
a set of clocks tick at each step i. The set of clocks ticking at step i is denoted as
R(i), i.e., for all i, 0 6 i 6 n, R(i) ∈ R, where n is the number of steps of R.
Fig. 4.1 presents a run R consisting of 10 steps and three clocks c1, c2 and c3.
The ticks of the three clocks along with steps are shown as “cross” symbols (x).
For instance, c1, c2 and c3 tick at the first step, hence R(1) = {c1, c2, c3}.
Figure 4.1: Example of a Run
The history of a clock c presents the number of times the clock c has ticked
prior to the current step.
Definition 2 (History) For c ∈ C, the history of c in a run R is a function:
10
Probabilistic Analysis of Weakly-Hard Real-Time Systems
HcR: N → N. For all instances of step i, i ∈ N, HcR(i) indicates the number of
times the clock c has ticked prior to step i in run R, which is initialized as 0 at
step 0. It is defined as:
HcR(i) =

0, i = 0
HcR(i− 1), c /∈ R(i) ∧ i > 0
HcR(i− 1) + 1, c ∈ R(i) ∧ i > 0
Definition 3 (PrCCSL) Let c1, c2 and R be two logical clocks and a run. The
probabilistic extension of relation constraints, denoted c1∼pc2, is satisfied if the
following condition holds:
R  c1∼pc2⇐⇒ Pr(c1∼c2) > p
where ∼ ∈ {⊆,≡,≺,,#}, Pr(c1∼c2) is the probability of the relation c1∼c2
being satisfied, and p is the probability threshold.
The five Ccsl relations, subclock, coincidence, exclusion, causality
and precedence, are considered and their probabilistic extensions are defined.
Definition 4 (Probabilistic Subclock) Let c1, c2 andM be two logical clocks
and a system model. Given k runs = {R1, . . . , Rk}, the probabilistic extension of
subclock relation between c1 and c2, denoted c1⊆pc2, is satisfied if the following
condition holds:
M  c1⊆pc2⇐⇒ Pr[c1⊆c2] > p
where Pr[c1⊆c2] = 1k
k∑
j=1
{Rj |= c1⊆c2}, Rj ∈ {R1, . . . , Rk}, i.e., the ratio of
runs that satisfies the subclock relation out of k runs.
A run Rj satisfies the subclock relation between c1 and c2 “if c1 ticks, c2 must
tick” holds at every step i in Rj, s.t., (Rj |= c1⊆c2) ⇐⇒ (∀i 0 6 i 6 n, c1 ∈
R(i) =⇒ c2 ∈ R(i)). “Rj |= c1⊆c2” returns 1 if Rj satisfies c1⊆c2, otherwise
it returns 0.
Coincidence relation delimits that two clocks must always tick at the same
step, i.e, if c1 and c2 are coincident, then c1 and c2 are subclocks of each other.
Definition 5 (Probabilistic Coincidence) The probabilistic coincidence re-
lation between c1 and c2, denoted c1≡pc2, is satisfied over M if the following
condition holds:
M  c1≡pc2⇐⇒ Pr[c1≡c2] > p
where Pr[c1≡c2] = 1k
k∑
j=1
{Rj |= c1≡c2} is determined by the number of runs
satisfying the coincidence relation out of k runs.
11
Probabilistic Analysis of Weakly-Hard Real-Time Systems
A run, Rj satisfies the coincidence relation on c1 and c2 if the assertion holds:
∀i, 0 6 i 6 n, (c1 ∈ R(i) =⇒ c2 ∈ R(i)) ∧ (c2 ∈ R(i) =⇒ c1 ∈ R(i)).
In other words, the satisfaction of coincidence relation is established when the
two conditions “if c1 ticks, c2 must tick” and “if c2 ticks, c1 must tick” hold at
every step.
The inverse of coincidence relation is exclusion, which specifies two clocks
cannot tick at the same step.
Definition 6 (Probabilistic Exclusion) For all k runs overM, the proba-
bilistic exclusion relation between c1 and c2, denoted c1#pc2, is satisfied if the
following condition holds:
M  c1#pc2⇐⇒ Pr[c1#2] > p
where Pr[c1#c2] = 1k
k∑
j=1
{Rj |= c1#c2} is the ratio of the runs satisfying the
exclusion relation out of k runs.
A run, Rj, satisfies the exclusion relation on c1 and c2 if ∀i, 0 6 i 6 n,
(c1 ∈ R(i) =⇒ c2 /∈ R(i)) ∧ (c2 ∈ R(i) =⇒ c1 /∈ R(i)), i.e., for every step, if
c1 ticks, c2 must not tick and vice versa.
The probabilistic extension of causality and precedence relations are de-
fined based on the history of clocks.
Definition 7 (Probabilistic Causality) The probabilistic causality rela-
tion between c1 and c2 (c1 is the cause and c2 is the effect), denoted c1pc2, is
satisfied if the following condition holds:
M  c1pc2⇐⇒ Pr[c1c2] > p
where Pr[c1c2] = 1k
k∑
j=1
{Rj |= c1c2}, i.e., the ratio of runs satisfying the
causality relation among the total number of k runs.
A run Rj satisfies the causality relation on c1 and c2 if the condition holds: ∀i,
0 6 i 6 n, Hc1R (i) > Hc2R (i). A tick of c1 satisfies causality relation if c2 does
not occur prior to c1, i.e., the history of c2 is less than or equal to the history of
c1 at the current step i.
The strict causality, called precedence, constrains that one clock must
always tick faster than the other.
Definition 8 (Probabilistic Precedence) The probabilistic precedence re-
lation between c1 and c2, denoted c1≺pc2, is satisfied if the following condition
holds:
M  c1≺pc2⇐⇒ Pr[c1≺c2] > p
12
Probabilistic Analysis of Weakly-Hard Real-Time Systems
where Pr[c1≺c2] = 1k
k∑
j=1
{Rj |= c1≺c2} is determined by the number of runs
satisfying the precedence relation out of the k runs.
A run Rj satisfies the precedence relation if the condition (expressed as (1)∧(2))
holds: ∀i, 0 6 i 6 n,
(Hc1R (i) > Hc2R (i))︸ ︷︷ ︸
(1)
∧ (Hc2R (i) = Hc1R (i)) =⇒ (c2 /∈ R(i))︸ ︷︷ ︸
(2)
(1) The history of c1 is greater than or equal to the history of c2; (2) c1 and c2
must not be coincident, i.e., when the history of c1 and c2 are equal, c2 must not
tick.
13
Probabilistic Analysis of Weakly-Hard Real-Time Systems
Chapter 5
Specification of Timing Constraints in
PrCCSL
To describe the property that a timing constraint is satisfied with the probability
greater than or equal to a given threshold, Ccsl and its extension PrCcsl are em-
ployed to capture the semantics of probabilistic timing constraints in the context
of WH. Below, we show the Ccsl/PrCcsl specification of East-adl timing con-
straints, including Execution, Periodic, End-to-End, Sporadic, Synchroniza-
tion, Exclusion and Comparison timing constraints. In the system, events are
represented as clocks with identical names. The ticks of clocks correspond to the
occurrences of the events.
Periodic timing constraints (R1 – R4) can be specified using periodicOn expres-
sion and probabilistic coincident relation. R1 states that the camera must
be triggered periodically with a period 50ms. We first construct a periodic clock
prd_50 which ticks after every 50 ticks of ms (the universal clock). Then the
property that the periodic timing constraint is satisfied with probability no less
than the threshold p can be interpreted as the probabilistic coincidence re-
lation between cmrTrig (the event that Camera fp being triggered) and prd_50.
The corresponding specification is given below, where , means “is defined as”:
prd_50 , periodicOn ms period 50 (5.1)
cmrTrig ≡p prd_50 (5.2)
By combining (1) and (2), we can obtain the the specification of R1:
cmrTrig ≡p {periodicOn ms period 50} (5.3)
In similar, the Ccsl/PrCcsl specification of R2 – R4 can be derived:
R2 : signTrig ≡p {periodicOn ms period 200} (5.4)
R3 : obsDetect ≡p {periodicOn ms period 40} (5.5)
R4 : spUpdate ≡p {periodicOn ms period 30} (5.6)
14
Probabilistic Analysis of Weakly-Hard Real-Time Systems
where signTrig is the event/clock that SignRecognition fp is triggered, obsDetect
represents the event that the object detection is activated by the vehicle and
spUpdate denotes the event that the speed is updated (i.e., recieved by Controller)
from the environment.
Since the period attribute of the Periodic timing constraint R2 is 200ms, which
is an integral multiple of the period of R1, R2 can be interpreted as a subclock
relation, i.e., the event signTrig should be a subclock of cmrTrig. The specifi-
cation is given below:
signTrig ⊆p cmrTrig (5.7)
Execution timing constraints (R5 – R8) can be specified using delayFor ex-
pression and probabilistic causality relation. To specify R5, which states
that the SignRecognition fp must finish execution within [100, 150]ms, i.e., the
interval measured from the input event of the fp (i.e., the event that the im-
age is received by the fp, denoted imIn) to the output event of the fp (denoted
imIn) must have a minimum value 100 and a maximum value 150. We divide
this property into two subproperties: R5(1) The time duration between imIn
and signOut should be greater than 100ms. R5(2) The time duration between
imIn and signOut should be less than 150ms. To specify property R5(1), we
first construct a new clock imIn_dly100 by delaying imIn (the input event of
SignRecognition) for 100ms. To check whether R5(1) is satisfied within a prob-
ability threshold is to verify whether the probabilistic causality between
imIn_dly100 and signOut is valid. The specification of R5(1) is given below:
imIn_dly100 , imIn delayFor 100 on ms (5.8)
imIn_dly100 p signOut (5.9)
By combining (7) and (8), we can obtain the the specification of R5(1):
{imIn delayFor 100 on ms} p signOut (5.10)
Similarly, to specify property R5(2), a new clock imIn_dly150 is generated
by delaying imIn for 150 ticks on ms. Afterwards, the property that R5(2)
is satisfied with a probability greater than or equal to p relies on whether the
probabilistic causality relation is satisfied. The specification is illustrated
as follows:
imIn_dly150 , imIn delayFor 150 on ms (5.11)
signOut p mIn_dly150 (5.12)
By combining (10) and (11), we can obtain the the specification of R5(2):
signOut p {imIn delayFor 150 on ms} (5.13)
15
Probabilistic Analysis of Weakly-Hard Real-Time Systems
Analogously, the Ccsl/PrCcsl specification of R6 – R8 can be derived:
R6 : {cmrTrig delayFor 20 on ms} p cmrOut
cmrOut p {cmrTrig delayFor 30 on ms}
(5.14)
R7 : {ctrlIn delayFor 100 on ms} p ctrlOut
ctrlOut p {ctrlIn delayFor 150 on ms}
(5.15)
R8 : {vdIn delayFor 50 on ms} p vdOut
vdOut p {vdIn delayFor 100 on ms}
(5.16)
where cmrTrig is the event that the Camera fp being triggered, cmrOut repre-
sents the event that the captured image is sent out. ctrlIn (ctrlOut) represents
the input (resp. output) event of Controller fp. vdIn (vdOut) represents the
input (resp. output) event of VehicleDynamic fp.
Sporadic timing constraints (R9 – R12) can be specified using delayFor ex-
pression and probabilistic precedence relation. R9 states that there should
be a minimum delay between the event veRun (the event that the vehicle is
in the “run” mode) and the event obstc (the event that the vehicle detects an
obstacle), which is specified as 500ms. To specify R9, we first build a new
clock obstc_dly500 by delaying obstc for 500 ticks of ms. We then check the
probabilistic precedence relation between obst_dly500 and veRun:
obstc_dly500 , obstc delayFor 500 on ms (5.17)
obstc_dly500 ≺p veRun (5.18)
By combining (16) and (17), we can obtain the the specification of R9:
{obstc delayFor 500 on ms} ≺p veRun (5.19)
Analogously, the Ccsl/PrCcsl specification of R10 – R12 can be derived:
R10 : {obstc delayFor 500 on ms} ≺p veAcc (5.20)
R11 : {obstc delayFor 500 on ms} ≺p tLeft (5.21)
R12 : {obstc delayFor 500 on ms} ≺p tRight (5.22)
where veAcc is the event/clock that the vehicle is accelerating. tLeft and tRight
represent the event that the vehicle transits from the “emergency stop” mode to
“turn left” and “turn right” mode respectively.
Synchronization timing constraints (R13 – R16) can be specified using infimum
and supremum expression, together with probabilistic precedence relation.
R13 states that the five input events must be detected by Controller within the
maximum tolerated time, given as 40ms. The synchronization timing constraint
16
Probabilistic Analysis of Weakly-Hard Real-Time Systems
can be interpreted as: the time interval between the earliest/fastest and the
latest/slowest event among the five input events, i.e., speed , signType, direct ,
gear and torque, must not exceed 40ms. To specify the constraints, infimum is
utilized to express the fastest event (denoted infctrlIn) while supremum is utilized
to specify the slowest event supctrlIn. supctrlIn and infctrlIn are defined as:
supctrl , Sup(Sup(speed, signType), Sup(Sup(direct, gear), torque)) (5.23)
infctrl , Inf(Inf(speed, signType), Inf(Inf(direct, gear), torque)) (5.24)
where Inf(c1, c2) (resp. Sup(c1, c2)) is the infimum (resp. supremum) operator
returns the slowest clock faster than c1 and c2. Afterwards, we construct a new
clock infctrlIn_dly40 that is the infctrlIn delayed for 40 ticks of ms, which is
defined as:
infctrlIn_dly40 , infctrl delayFor 40 on ms (5.25)
Therefore, the synchronization constraint R13 can be represented as the proba-
bilistic causality relation between supctrlIn and infctrlIn_dly40, given as the
Ccsl/PrCcsl expression below:
supctrlIn p infctrlIn_dly40 (5.26)
By combining (24) and (25), we can obtain the the specification of R13:
supctrlIn p {infctrlIn delayFor 40 on ms} (5.27)
In similar, the Ccsl/PrCcsl specification of R14 – R16 can be derived. For R14,
we first construct the clocks that represent the fastest and slowest output even-
t/clock among the four output events of Controller fp, i.e., reqTorq, reqDirect,
reqGear and reqBrake. Then the property that the synchronization constraint
is satisfied with a probability greater than or equal to p can be interpreted as a
probabilistic causality relation:
R14 : supctrlOut , Sup(Sup(reqTorq, reqDirect), Sup(reqGear, reqBrake))
infctrlOut , Inf(Inf(reqTorq, reqDirect), Inf(reqGear, reqBrake))
supctrlOut p {infctrlOut delayFor 30 on ms}
(5.28)
For R15, we first construct the fastest and slowest input event/clock among the
four input events of VehicleDynamic , i.e., reqTorq, reqDirect, reqGear and re-
qBrake. Then the property that the synchronization constraint is satisfied with
a probability greater than or equal to p can be interpreted as a probabilistic
causality relation:
R15 : supvdIn , Sup(Sup(reqTorq, reqDirect), Sup(reqGear, reqBrake))
infvdIn , Inf(Inf(reqTorq, reqDirect), Inf(reqGear, reqBrake))
supvdIn p {infvdIn delayFor 40 on ms}
(5.29)
17
Probabilistic Analysis of Weakly-Hard Real-Time Systems
For R16, we first construct the fastest and slowest output event/clock among the
four output events of VehicleDynamic , i.e., speed, direct, torque and gear. Then
the property that the synchronization constraint is satisfied with a probability
greater than or equal to p can be interpreted as a probabilistic causality
relation:
R16 : supvdOut , Sup(Sup(speed, direct), Sup(gear, torque))
infvdOut , Inf(Inf(speed, direct), Inf(gear, torque))
supvdOut p {infvdOut delayFor 40 on ms}
(5.30)
End-to-End timing constraints (R17 – R23) can be specified using delayFor
expression and probabilistic precedence relation. To specify R17, which
limits that the time duration measured from the instant of the occurrence of the
event that Controller fp receive the traffic sign type information (denoted as
signIn), to the occurrence of event that the speed is sent out from the output port
of VehicleDynamic fp (denoted as spOut) should be between 150 and 250ms. We
divide this property into two subproperties: R17(1). The time duration between
signIn and spOut should be more than 150ms. R17(2). The time duration
between signIn and spOut should be less than 250ms. To specify property
R17(1), we first construct a new clock signIn_dly150 by delaying signIn for
150ms. To check whether R17(1) is satisfied within a probability threshold p is
to verify whether the probabilistic precedence between signIn_dly150 and
spOut is valid. The specification of R17(1) is given below:
signIn_dly150 , signIn delayFor 150 on ms (5.31)
signIn_dly150 ≺p spOut (5.32)
By combining (30) and (31), we can obtain the the specification of R17(1):
{signIn delayFor 150 on ms} ≺p spOut (5.33)
Similarly, to specify property R17(2), a new clock signIn_dly250 is generated
by delaying signIn for 250 ticks on ms. Afterwards, the property that R17(2)
is satisfied with a probability greater than or equal to p relies on whether the
probabilistic precedence relation is satisfied. The specification is illustrated
as follows:
signIn_dly250 , signIn delayFor 250 on ms (5.34)
spOut ≺p signIn_dly250 (5.35)
By combining (33) and (34), we can obtain the the specification of R17(2):
spOut ≺p {signIn delayFor 250 on ms} (5.36)
18
Probabilistic Analysis of Weakly-Hard Real-Time Systems
In similar, the Ccsl/PrCcsl specification of R18 – R23 can be derived:
R18 : {cmrTrig delayFor 120 on ms} ≺p signOut
signOut ≺p {cmrTrig delayFor 180 on ms}
(5.37)
R19 : {cmrTrig delayFor 270 on ms} ≺p spOut
spOut ≺p {cmrTrig delayFor 430 on ms}
(5.38)
R20 : {startTurnLeft ≺p DetectLeftSign delayFor 500 on ms} (5.39)
R21 : {startTurnRight ≺p DetectRightSign delayFor 500 on ms} (5.40)
R22 : {startBrake ≺p DetectStopSign delayFor 500 on ms} (5.41)
R23 : {Stop ≺p DetectStopSign delayFor 3000 on ms} (5.42)
Comparison timing constraints (R24 – R26) can be specified using delayFor ex-
pression and probabilistic causality relation. R24 states that the execution
time interval from Controller to VehicleDynamic should be less than or equal
to the sum of the worst case execution time of Controller and VehicleDynamic,
denoted asWctrl andWvd respectively. To specify comparison constraint, we first
construct a new clock signIn_dly250 by delaying signIn for 250 ticks ofms. Af-
terwards, we generate another new clock signIn_dlysw that is the signIn clock
delayed for sum of the worst case execution time of the two fps. The specification
is illustrated as follows:
signIn_dly250 , signIn delayFor 250 on ms (5.43)
signIn_dlysw , signIn delayFor (Wctrl +Wvd) on ms (5.44)
Therefore, the property that the probability of comparison constraint is satis-
fied should be greater than or equal to the threshold p can be interpreted as a
probabilistic causality relation between signIn_dly250 and signIn_dlysw:
signIn_dly250 p signIn_dlysw (5.45)
By combining (42), (43) and (44), we can obtain the the specification of R24:
{signIn delayFor 250 on ms} p {signIn delayFor (Wctrl +Wvd) on ms}
(5.46)
Analogously, the Ccsl/PrCcsl specification of R25 and R26 can be derived:
R25 : {cmrTrig delayFor 180 onms} p {cmrTrig delayFor (Wcmr+Wsr) onms}
(5.47)
R26 : {cmrTrig delayFor 430 on ms} p
{cmrTrig delayFor (Wcmr +Wsr +Wctrl +Wvd) on ms}
(5.48)
19
Probabilistic Analysis of Weakly-Hard Real-Time Systems
where Wcmr and Wvd represent the worst case execution time of Camera and
SignRecognition respectively.
Exclusion timing constraints (R27 – R31) can be specified using exclusion rela-
tion directly. R27 states that the two events turnLeft (the event that the vehicle
is turning left) and rightOn (the event that the turn right mode is activated)
should be exclusive, which can be expressed as:
turnLeft #p rightOn (5.49)
Analogously, the Exclusion timing constraints R28 – R31 can be specified using
exclusion relation:
R28 : veAcc #p veBrake (5.50)
R29 : emgcy #p turnLeft (5.51)
R30 : emgcy #p rightOn (5.52)
R31 : emgcy #p veAcc (5.53)
where emgcy is the event that the vehicle is in the emergency mode, veBrake and
veAcc represent the event that the vehicle is braking or accelerating, respectively.
20
Probabilistic Analysis of Weakly-Hard Real-Time Systems
Chapter 6
Translating CCSL & PrCCSL into
UPPAAL-SMC
To formally verify the East-adl timing constraints given in Chapter 3 us-
ing Uppaal-SMC, we investigate how those constraints, specified in Ccsl ex-
pressions and PrCcsl relations, can be translated into STA and probabilistic
Uppaal-SMC queries [12]. Ccsl expressions construct new clocks and the re-
lations between the new clocks are specified using PrCcsl. We first provide
strategies that represent Ccsl expressions as STA. We then present how the
East-adl timing constraints defined in PrCcsl can be translated into the cor-
responding STAs and Uppaal-SMC queries based on the strategies.
6.1 Mapping CCSL to UPPAAL-SMC
We first describe how the universal clock (TimeUnit ms), tick and history of
Ccsl can be mapped to the corresponding STAs. Using the mapping, we then
demonstrate that Ccsl expressions can be modeled as STAs. The TimeUnit
is implicitly represented as a single step of time progress in Uppaal-SMC’s
clock [22]. The STA of TimeUnit (universal time defined as ms) consists of one
location and one outgoing transition whereby the physical time and the duration
of TimeUnit ms are represented by the clock variable t in Fig. 6.1.(a). clock
resets every time a transition is taken. The duration of TimeUnit is expressed
by the invariant t 6 1, and guard t > 1, i.e., a single step of the discrete time
progress (tick) of universal time.
(a) ms (b) Tick and History (c) Simulation of Tick (tc) and History (hc)
Figure 6.1: Uppaal-SMC model of clock tick and history
21
Probabilistic Analysis of Weakly-Hard Real-Time Systems
A clock c, considered as an event in Uppaal-SMC, and its tick, i.e., an
occurrence of the event, is represented by the synchronization channel c!. Since
Uppaal-SMC runs in chronometric semantics, in order to describe the discretized
steps of runs (Rs), we consider if c ticks in the time range of [i, i + 1) (i + 1 is
excluded), c ticks at step i. The STA of tick and history is shown in Fig. 6.1.(b).
hc is the history of c, and tc indicates whether c ticks at the current step. A
function upper() rounds the time instant (real number) up to the nearest greater
integer. When c ticks via c? at the current time step, tc is set to 1 prior to the
time of the next step (t < u). hc is then increased by 1 (hc++) at the successive
step (i.e., when t = u). For example, when c ticks at time = 1.5 (see Fig. 6.1.(c)),
upper() returns the value of 2 and tc becomes 1 during the time interval [1.5, 2),
followed by hc being increased by 1 at t = 2.
Based on the mapping patterns of ms, tick and history, we present how
periodicOn, delayFor, infimum and supremum expressions can be represented
as Uppaal-SMC models.
PeriodicOn: c , periodicOn ms period q, where , means “is defined as”.
PeriodicOn builds a new clock c based on ms and a period parameter q, i.e., c
ticks at every qth tick ofms. The STA of periodicOn is illustrated in Fig. 6.2.(a).
This STA initially stays in the loop location to detect q occurrences (ticks) of ms.
The value x counts the number of ms ticks. When ms occurs (ms?), the STA
takes the outgoing transition and increases x by 1. It “iterates” until ms ticks q
times (x == q), then it activates the tick of c (via c!). At the successive step
(ms?), it updates the history of c (hc++) and sets x = 1. The STA then returns
to loop and repeats the calculation. This periodicOn STA can be used for the
translation of East-adl Periodic timing constraint (R1 in Fig. 3.1) into its
Uppaal-SMC model.
(a) PeriodicOn (b) Source (c) DelayFor (d) Infimum
(e) Supremum
Figure 6.2: STA of Ccsl expressions
DelayFor: c , c1 delayFor d on c2. DelayFor defines a new clock c based
on c1 (base clock) and c2 (reference clock), i.e., each time c1 ticks, at the dth
22
Probabilistic Analysis of Weakly-Hard Real-Time Systems
tick of c2, c ticks (each tick of c corresponds to a tick of c1). Kang et al. [22]
and Suryadevara et al. [32] presented translation rules of delayFor into Uppaal
models. However, their approaches are not applicable in the case after c1 ticks,
and c1 ticks again before the dth tick of c2 occurs. For example (see Fig. 4.1),
assume that d is 3. After the 1st tick of c1 (at step 0) happens, if c1 ticks again (at
step 2) before the 3rd tick of c2 occurs (at step 4), the 2nd tick of c1 is discarded
in their approaches. To alleviate the restriction, we utilize spawnable STA [12]
as semantics denotation of delayFor expression and the STA of delayFor is
shown in Fig. 6.2.(c). As presented in Fig. 6.2.(b), when the vth tick of c1 occurs
(c1[v]?), its delayFor STA is spawned by source STA. The spawned STA stays
in the wait location until c2 ticks d times. When c2 ticks d times (x == d), it
transits to the tick location and triggers c (c!). At the next step (ms?), the STA
increases hc by 1 and moves to finish location and then becomes inactive, i.e.,
calculation of the vth tick of c is completed. This delayFor STA can be utilized
to construct the Uppaal-SMC models of East-adl timing requirements R5 –
R26 in Chapter 3.
Given two clocks c1 and c2, their infimum (resp. supremum) is informally
defined as the slowest (resp. fastest) clock faster (resp. slower) than both c1
and c2. infimum and supremum are useful in order to group events occurring
at the same time and decide which one occurs first and which one occurs last.
The representative STAs for both expressions are utilized for the translation
of East-adl Synchronization timing constraint (R13 in Chapter 3) into the
Uppaal-SMC model.
Infimum creates a new clock c, which is the slowest clock faster than c1 and c2.
The STA of infimum is illustrated in Fig. 6.2.(d). When c1 (c2) ticks via c1?
(c2?), the STA transits to the s1 (s2 ) location and compares the history of the
two clocks (h1 and h2) to check whether the current ticking clock c1 (c2) is faster
than c2 (c1). If so, i.e., the condition “h1 > h2 (h2 > h1)” holds, the STA takes
a transition to the tick location and activates the tick of c (c!). After updating
the history (hc++), it returns to the init location and repeats the calculation.
Supremum builds a new clock c, which is the fastest clock slower than c1 and
c2. It states that if c1 ticks at the current step and c1 is slower than c2, then
c ticks. The STA of supremum is shown in Fig. 6.2.(e). When c1 (c2) ticks via
c1? (c2?), the STA transits to the s1 (s2 ) location and compares the history of
the two clocks and decides whether c1 (c2) is slower than c2 (c1). If c1 (c2) ticks
slower than c2 (c1), i.e., h1 < h2 (h2 < h1), or c1 and c2 tick at the same rate,
i.e., “h1 == h2 && t2 == 1 (h1 == h2 && t1 == 1)” holds, the tick of c
is triggered. The STA then updates the history of c and goes back to init and
repeats the process.
23
Probabilistic Analysis of Weakly-Hard Real-Time Systems
6.2 Representation of PrCCSL in UPPAAL-SMC
In this section, the translation of East-adl timing constraints specified in PrCcsl
into STA and Hypothesis Testing query (refer to Chapter 2) is provided from the
view point of the analysis engine Uppaal-SMC.
Recall the definition of PrCcsl in Chapter 4. The probability of a relation
being satisfied is interpreted as a ratio of runs that satisfies the relation among all
runs. It is specified as Hypothesis Testing queries in Uppaal-SMC, H0: mk > P
against H1: mk < P , where m is the number of runs satisfying the given relation
out of all k runs. k is decided by strength parameters α (the probability of false
positives, i.e., accepting H1 when H0 holds) and β (probability of false negatives,
i.e., accepting H0 when H1 holds), respectively [10].
Based on the mapping patterns of tick and history in Chapter 6.1, the prob-
abilistic extension of exclusion, causality and precedence relations are ex-
pressed as Hypothesis Testing queries straightforwardly.
Probabilistic Exclusion is employed to specify East-adl Exclusion timing
constraint, turnLeft #p rightOn (Spec. R27 in Fig. 3.1). It states that the
two events, turnLeft and rightOn (the vehicle is turning left and right), must be
exclusive. The ticks of turnLeft and rightOn events are modeled using the STA
in Fig. 6.1.(b). Based on the definition of probabilistic exclusion (Chapter
4), R8 is expressed in Hypothesis Testing query: Pr[bound] ([ ]((tturnLeft =⇒ ¬
trightOn) ∧ (trightOn =⇒ ¬ tturnLeft))) > P , where tturnLeft and trightOn indicate
the ticks of turnLeft and rightOn, respectively. bound is the time bound of
simulation, in our setting bound = 3000.
Probabilistic Causality is used to specify East-adl Synchronization timing
constraint, sup p {inf delayFor 40 on ms} (Spec. R13 in Fig. 3.1), where sup
(inf ) is the fastest (slowest) event slower (faster) than five input events, speed,
signType, direct, gear and torque. Let SUP and INF denote the supremum and
infimum operator, i.e., SUP(c1, c2) (resp. INF(c1, c2)) returns the supremum
(resp. infimum) of clock c1 and c2. sup and inf can now be expressed with the
nested operators (where , means “is defined as”):
sup , SUP(speed, SUP(SUP(signType, direct), SUP(gear, torque)))
inf , INF(speed, INF(INF(signType, direct), INF(gear, torque)))
For the translation of sup (inf) into Uppaal-SMC model, we employ the
STA of supremum (resp. infimum) (Fig. 6.2.(d) and (e)) for each SUP (INF)
operator. A new clock dinf is generated by delaying inf for 40 ticks ofms: dinf ,
{inf delayFor 40 on ms}. The Uppaal-SMC model of dinf is achieved by
adapting the spawnable DelayFor STA (Fig. 6.2). Based on the probabilistic
causality definition, R13 is interpreted as: Pr[6 bound]([ ] hsup > hdinf) > P ,
where hsup and hdinf are the history of sup and dinf respectively.
24
Probabilistic Analysis of Weakly-Hard Real-Time Systems
Similarly, Execution (R5) and Comparison (R25) timing constraints spec-
ified in probabilistic causality using delayFor can be translated into Hy-
pothesis Testing queries. R5 ({imIn delayFor 100 onms} p signOut, signOut
p {imIn delayFor 150 onms}) specifies that the execution time of SignRecog-
nition fp measured from input port imIn to output port signOut should be
limited within [100, 150]ms. To translate Execution timing constraint into
Uppaal-SMC STA, two new clocks SL and SU are constructed by delaying
imIn for 100 and 150 ticks of ms : SL , {imIn delayFor 100 on ms}, SU ,
{imIn delayFor 150 on ms}. According to the definition of probabilistic
causality, R5 can be specified as: Pr[6 bound]([ ] hSL > hS) > P ,
Pr[6 bound]([ ] hS > hSU) > P , where hSU and hSL represent the history of
SU and SL, and hS indicates the history of clock signOut.
Comparison constraint (R25) specified as {signIn delayFor 250 onms} p
{signIn delayFor ∑WCET on ms} can be model using the DelayFor STA.
Two new clocks CU , com are generated: CU , {signIn delayFor 250 on ms},
com , {signIn delayFor ∑WCET on ms}, where ∑WCET represents the
sum of worst case execution time of Controller and VehicleDynamics fps.
Therefore, R25 can be expressed as the query: Pr[6 bound]([ ] (excon ==
wcetcon ∧ exvd == wcetvd) =⇒ (hcon > hCU) > P , where excon ==
wcetcon ∧ exvd == wcetvd restricts that when the execution is the worst case
(i.e., the execution time is the longest), the probabilistic causality relation
between con and CU should be guaranteed.
Probabilistic Precedence is utilized to specify East-adl End-to-End timing
constraint (R17). It states that the time duration between the source event signIn
(input signal on the signType port of Controller) and the target event spOut
(output signal on the speed port of VehicleDynamic) must be within a time
bound of [150, 250], and that is specified as Uppaal-SMC quires (56) and (57):
{signIn delayFor 150 on ms} ≺p spOut (6.1)
spOut ≺p {signIn delayFor 250 on ms} (6.2)
Two clocks, lower and upper, are defined by delaying signIn for 150 and
250 ticks of ms respectively: lower , {signIn delayFor 150 on ms}, and
upper , {signIn delayFor 250 on ms}. The corresponding Uppaal-SMC
models of lower and upper are constructed based on the delayFor STA (shown
in Fig. 6.2). Finally, the R17 specified in PrCcsl is expressed as Uppaal-SMC
quires (3) and (4), where hlower, hupper and hspOut are the history of lower, upper
and spOut. tspOut and tupper represent the tick of upper and spOut respectively:
Pr[6 bound]([ ]hlower > hspOut ∧ ((hlower == hspOut) =⇒ tspOut == 0)) > P
(6.3)
Pr[6 bound]([ ]hspOut > hupper ∧ ((hspOut == hupper) =⇒ tupper == 0)) > P
(6.4)
25
Probabilistic Analysis of Weakly-Hard Real-Time Systems
In similar, East-adl Sporadic timing constraint (R9) specified in probabilistic
precedence can be translated intoHypothesis Testing query Pr[6 bound]([ ]ho >
hv ∧ ((hv == ho) =⇒ tva == 0)) > P , where ho represents the history of the
clock/event that obstacle occurs, and tva and hv indicates the ticks and history
of the clock that the vehicle starts to move.
In the case of properties specified in either probabilistic subclock or
probabilistic coincidence, such properties can not be directly expressed as
Uppaal-SMC queries. Therefore, we construct an observer STA that captures
the semantics of standard subclock and coincidence relations. The observer
STA are composed to the system STA, namely a network STA NSTA, in par-
allel. Then, the probabilistic analysis is performed over the NSTA which en-
ables us to verify the East-adl timing constraints specified in probabilistic
subclock and probabilistic coincidence of the entire system using Uppaal-
SMC. Further details are given below.
Probabilistic Subclock is employed to specify East-adl Periodic timing
constraint, given as signRecTrig ⊆p cTrig (Spec. R2 in Fig.1). The standard
subclock relation states that superclock must tick at the same step where sub-
clock ticks. Its corresponding STA is shown in Fig. 6.3.(a). When signRevTrig
ticks (signRecTrig?), the STA transits to the wait location and detects the oc-
currence of cTrig until the time point of the subsequent step (u). If cTrig occurs
prior to the next step (tcTrig == 1), the STA moves to the success location,
i.e., the subclock relation is satisfied at the current step. Otherwise, it transits
to the fail location. R2 specified in probabilistic subclock is expressed as:
Pr[bound]([ ]¬ Subclock.fail) > P . Uppaal-SMC analyzes if the fail location
is never reachable from the system NSTA, and whether the probability of R2
being satisfied is greater than or equal to P .
(a) Subclock (b) Coincidence
Figure 6.3: Observer STA of Subclock and Coincidence
Probabilistic Coincidence is adapted to specify East-adl Periodic tim-
ing constraint, given as cTrig ≡p {periodicOn ms period 50} (Spec. R1 in
Fig.1). To express R1 in Uppaal-SMC, first, a periodic clock prdClk ticking ev-
ery 50th tick of ms is defined: prdClk , periodicOn ms period 50. The corre-
sponding Uppaal-SMC model of prdClk is generated based on the periodicOn
STA shown in Fig. 6.2.(a) by setting q as 50. Then, we check if cTrig and
prdClk are coincident by employing the coincidence STA shown in Fig. 6.3.(b).
When cTrig (prdClk) ticks via cTrig? (prdClk?), the STA checks if the other
26
Probabilistic Analysis of Weakly-Hard Real-Time Systems
clock, prdClk (cTrig), ticks prior to the next step, i.e., whether tprdClk == 1
(tcTrig == 1) holds or not when t 6 u. The STA then transits to either the
success or fail location based on the judgement. R1 specified in probabilistic
coincidence is expressed as: Pr[bound]([ ]¬ Coincidence.fail) > P . Uppaal-
SMC analyzes if the probability of R1 being satisfied is greater than or equal to
P .
27
Probabilistic Analysis of Weakly-Hard Real-Time Systems
Chapter 7
Modeling the Behaviors of AV and its
Environment in UPPAAL-SMC
To capture the behaviours of the AV system and the stochastic behaviours of its
environments, e.g., random traffic signs, each fp in Fig. 3.1 is modeled as an STA
in Uppaal-SMC. The random traffic sign in the environment is recognised by
AV. The speed of the AV is influenced by the condition of the road. Obstacles
on the road occurs randomly. To model these stochastic behaviours, we model
the three fps in the Environment ft into three STAs, which are presented in
Fig. 7.1. In TrafficSign (Fig. 7.2.(b)) STA, sign_num represents the random
traffic sign type, which is generated every 4ms to 8ms. To represent the inte-
gration of the AV system and the environment, the speed of AV is equal to the
speed of in the environment, the Speed (shown in Fig. 7.1.(c)) STA updates the
speed of the vehicle in the environment from the by activating the execution of
update() function periodically. Obstacle STA generates a signal randomly based
on probability distribution to represent random obstacles.
The system model of AV is represented as the STAs shown in Fig. 7.2.
Camera STA is triggered periodically (Fig. 7.2.(a)). When the execution of
camera is finished, i.e., the transition from s4 to s5 is taken, the update() function
is triggered and the value of sign_num is assigned to signType. Since the input
ports (speed and obstacle) of Controller are triggered periodically, the AV
system obtains the speed of the vehicle and the road information by executing
the update() periodically (Fig. 7.3).
The internal behaviours of Controller fp is captured in Fig. 7.4. When the
vehicle is in the “normal” mode (Fig. 7.4.(c)) and it encounters an obstacle, the
“emergency stop” mode will be activated (Fig. 7.4.(b)) and the vehicle begins to
stop. In “normal” mode, the vehicle adjusts its movement according to the traffic
signs, e.g., when it detects a turn left sign, it will turn left (Fig. 7.5.(d)). The
Controller then sends out requests for VehicleDynamic to change the direction
or the speed of the four wheels.
To verify R1 to R31, STAs of Ccsl expressions periodicOn, infimum,
supremum and delayFor and STAs of PrCcsl relations coincidence and subclock
28
Probabilistic Analysis of Weakly-Hard Real-Time Systems
(a) Obstacle (b) Speed
(c) TrafficSign
Figure 7.1: STAs of fps in Environment ft
29
Probabilistic Analysis of Weakly-Hard Real-Time Systems
(a) Camera
(b) SignRecognition
(c) Controller
(d) VehicleDynamic
Figure 7.2: Modeling system behaviors in Uppaal-SMC
30
Probabilistic Analysis of Weakly-Hard Real-Time Systems
(a) speed (b) obstacle
Figure 7.3: Periodically triggered ports speed and obstacle
(a) Top View (b) Emergency
(c) Normal
Figure 7.4: Internal behaviours of Controller in UPPAAL-SMC
31
Probabilistic Analysis of Weakly-Hard Real-Time Systems
(a) Acceleration (b) Deceleration
(c) Stop
(d) TurnLeft
(e) TurnRight
Figure 7.5: Representation of substates of Normal state in UPPAAL-SMC
32
Probabilistic Analysis of Weakly-Hard Real-Time Systems
(a) Periodic STA with period 40ms (b) Coincidence STA
Figure 7.6: STAs utilized to verify R3
are utilized. For example, to verify R3, a periodicOn STA generates a new clock
c with period 40 (Fig. 7.6.(a)). When c ticks, the periodico will be assigned
to 1. The probabilistic coincidence relation between c and the triggering
of the obstacle port should hold. When the input port is triggered, obstrig
will become 1 in Fig. 7.3.(b). Coincidence STA (Fig. 7.6.(b)) is employed for
checking the coincidence relation between c and obstacle.
33
Probabilistic Analysis of Weakly-Hard Real-Time Systems
Chapter 8
Experiments: Verification & Validation
We have formally analyzed over 30 properties (associated with timing constraints)
of the system including deadlock freedom. A list of selected properties (Chapter 3)
are verified using Uppaal-SMC and the results are listed in Table.8.1. Five types
of Uppaal-SMC queries are employed to specify R1 – R31, Hypothesis Testing
(HT), Probability Estimation (PE), Probability Comparison (PC), Expected Value
(EV) and Simulations (SI).
1. Deadlock Freedom: Because of the insufficient memory caused by the pe-
riodically triggered STA ms, the Deadlock Freedom property cannot be checked
successfully. 2. Hypothesis Testing : All properties are established as valid with
95% level of confidence; 3. Probability Estimation: The probability of each prop-
erty being satisfied is computed and its approximate interval is given as [0.902, 1];
4. Expected Value: The expected values of time durations of timing constraints
(R1, R2, R5, R9, R13, R15, R17, R24 – R25) are evaluated. For example, during
the analysis of R1, the time interval between two consecutive triggerings of the
Camera is evaluated as 50 and that validates R1. Furthermore, Uppaal-SMC
evaluates the expected maximum duration bound of End-to-End timing con-
straint by checking R17 and generates the frequency histogram of the expected
bound (see Fig. 8.2). It illustrates that the expected bound is always less than
250ms and 90% of the duration is within the range of [207, 249]; 5. Probabil-
ity Comparison: is applied to confirm that the probability of SignRecognition
fp completing its execution within [100, 125]ms is greater than the probability of
completion within [125, 150]ms (R5). The query results in a comparison probabil-
ity ratio greater than or equal to 1.1, i.e., the execution time of SignRecognition
fp is most likely less than 125ms. Similarly, R6 – R8 can be analyzed. 6. Sim-
ulation: The simulation result of Synchronization timing constraint (R13) is
demonstrated in Fig. 8.1. hinf , hsup and hdinf are history of inf , sup and dinf
respectively. Recall Spec. R13 (see Fig. 3.1), the causality relation between
dinf and sup is satisfied. As the simulation of R13 shows (Fig. 8.1), the rising
edge of hsup (in blue) always occurs prior to hdinf (in red). It indicates that sup
always runs faster than dinf , thus the causality relation is validated.
We estimate the performance (i.e., time, memory and CPU consumption)
34
Probabilistic Analysis of Weakly-Hard Real-Time Systems
Table 8.1: Verification Results in Uppaal-SMC
Type R.ID Q Expression Result Time Mem CPU
Periodic
R1
HT Pr[63000]([ ] ¬Coin.fail)>0.95 valid 48.7 32.7 31.3
PE Pr[63000]([ ] ¬Coin.fail) [0.902, 1] 12.6 35.6 29.8
EV E[63000; 500]([ ] max : cam.t) 50±0 83.3 33.3 31.7
SI simulate 500 [63000](camtrig, p1trig) valid 80.9 32.9 32.5
R2
HT Pr[63000]([ ] ¬Sub.fail)>0.95 valid 48.9 32.9 29.3
PE Pr[63000]([ ] ¬Sub.fail) [0.902, 1] 12.3 35.5 30.4
EV E[63000; 500]([ ] max : sf.t) 200±0 80.6 32.5 32.2
SI simulate 500 [63000](strig, p2trig) valid 85.5 33.1 32.3
R3
HT Pr[63000]([ ] ¬Coinobs.fail)>0.95 valid 57.6 40.5 34.6
PE Pr[63000]([ ] ¬Coinobs.fail) [0.902, 1] 13.8 40.4 31.1
R4
HT Pr[63000]([ ] ¬Coinsp.fail)>0.95 valid 56.7 40.4 32.4
PE Pr[63000]([ ] ¬Coinsp.fail) [0.902, 1] 13.6 35.9 34.0
Execution
R5
HT Pr[63000]([ ] hSU 6 hS) > 0.95 valid 76.5 40.4 32.3
PE Pr[63000]([ ] hSU 6 hS) [0.902, 1] 18.1 40.3 30.8
HT Pr[63000]([ ] hS 6 hSL) > 0.95 valid 77.6 37.7 31.7
PE Pr[63000]([ ] hS 6 hSL) [0.902, 1] 16.5 40.0 31.5
PC Pr[63000] ([ ] SR.exec =⇒ (SR.t > 100 ∧ SR.t 6 125)) >
Pr[63000] ([ ] SR.exec =⇒ (SR.t > 125 ∧ SR.t 6 150))
>1.1 8.3 31.7 32.3
EV E[63000; 500]([ ] max : checkexe.t) 147.2±0.7 85.8 32.4 36.0
SI simulate 500 [63000](hSU, hS, hSL) valid 89.5 34.0 34.0
R6
HT Pr[63000]([ ] hcamU 6 hC) > 0.95 valid 42.8 37.9 33.2
PE Pr[63000]([ ] hcamU 6 hC) [0.902, 1] 10.8 37.9 30.8
HT Pr[63000]([ ] hC 6 hcamL) > 0.95 valid 38.1 34.4 32.3
PE Pr[63000]([ ] hC 6 hcamL) [0.902, 1] 9.9 37.9 31.2
PC Pr[63000] ([ ] cam.exec =⇒ (cam.t > 20∧ cam.t 6 25)) >
Pr[63000] ([ ] cam.exec =⇒ (cam.t > 25 ∧ cam.t 6 30))
>1.1 4s 34.0 30.9
R7
HT Pr[63000]([ ] hconU 6 hCon)>0.95 valid 45.6 38.2 33.7
HT Pr[63000]([ ] hCon 6 hconL) > 0.95 valid 46.3 38.3 32.6
PC Pr[63000] ([ ] con.exec =⇒ (con.t > 100∧ con.t 6 125)) >
Pr[63000] ([ ] con.exec =⇒ (con.t > 125 ∧ con.t 6 150))
>1.1 6.9 34.0 29.3
SI simulate 100 [63000](hconU, hCon, hconL) valid 33.4 38.8 34.2
R8
PE Pr[63000]([ ] hvdU 6 hVD) [0.902, 1] 14.5 35.8 35.4
PE Pr[63000]([ ] hVD 6 hvdL) [0.902, 1] 15.4 35.9 33.1
PC Pr[63000] ([ ] V D.exec =⇒ (V D.t > 50 ∧ V D.t 6 75)) >
Pr[63000] ([ ] V D.exec =⇒ (V D.t > 75 ∧ V D.t 6 100))
>1.1 10.1 34.1 31.5
SI simulate 100 [63000](hvdU, hVD, hvdL) valid 35.8 39.2 33.3
Sporadic
R9
HT Pr[63000]([ ] hv 6 ho ∧ ((hv == ho) =⇒ tva == 0) >
0.95
valid 3h 33.1 30.0
PE Pr[63000]([ ] hv 6 ho ∧ ((hv == ho) =⇒ tva == 0) [0.902, 1] 45.4 33.1 29.4
EV E[63000; 500]([ ] max : obs.t) 667±79 80.8 29.7 31.7
SI simulate 500 [63000](hv, ho, v)) valid 88.6 29.5 31.0
R10
HT Pr[63000]([ ] ha 6 ho ∧ ((ha == ho) =⇒ tacc == 0)>0.95 valid 2.4h 44.7 29.2
PE Pr[63000]([ ] ha 6 ho ∧ ((ha == ho) =⇒ tacc == 0) [0.902, 1] 57.6 43.4 28.7
R11
HT Pr[63000]([ ] htl 6 ho ∧ ((htl == ho) =⇒ ttl == 0)>0.95 valid 1.8h 46.3 31.3
SI simulate 100 [63000](htl, ho, tl)) valid 56.2 42.4 30.7
R12
PE Pr[63000]([ ] htr 6 ho ∧ ((htr == ho) =⇒ ttr == 0) [0.902, 1] 52.9 44.1 31.0
SI simulate 100 [63000](htr, ho, tr)) valid 56.7 41.7 29.8
Synchronization
R13
HT Pr[63000]([ ] hdinf > hsup) > 0.95 valid 53.9 32.7 31.9
PE Pr[63000]([ ] hdinf > hsup) [0.902, 1] 13.7 35.5 30.4
EV E[63000; 500]([ ] max : checksync.t) 30.6±0.21 72.4 32.6 31.6
SI simulate 500 [63000](hdinf , hsup) valid 86.8 32.6 32.0
R14
PE Pr[63000]([ ] hcodinf > hcosup) [0.902, 1] 13.9 36.4 34.4
SI simulate 100 [63000](hcodinf , hcosup) valid 41.8 37.5 33.4
R15
PE Pr[63000]([ ] hvidinf > hvisup) [0.902, 1] 14.3 40.5 35.1
EV E[63000; 100]([ ] max : checksyncvd.t) 16.5±0.2 19.4 46.5 25.5
R16
HT Pr[63000]([ ] hvddinf > hvdsup)>0.95 valid 55.2 45.3 32.1
PE Pr[63000]([ ] hvddinf > hvdsup) [0.902, 1] 13.9 40.7 33.5
35
Probabilistic Analysis of Weakly-Hard Real-Time Systems
Type R.ID Q Expression Result Time Mem CPU
End-to-End
R17
HT Pr[63000]([ ]hlower > hspOut ∧ ((hlower == hspOut) =⇒
tspOut == 0)) > 0.95
valid 54.2 32.9 31.4
PE Pr[63000]([ ]hlower > hspOut ∧ ((hlower == hspOut) =⇒
¬tspOut))
[0.902, 1] 13.1 35.3 29.4
HT Pr[63000]([ ]hspOut > hupper ∧ ((hspOut == hupper) =⇒
tupper == 0)) > 0.95
valid 1.3h 32.2 32.6
PE Pr[63000]([ ]hspOut > hupper ∧ ((hspOut == hupper) =⇒
¬tupper))
[0.902, 1] 19.8 34.1 32.0
EV E[63000; 500]([ ] max : checke2e.t) 229.7±0.9 83.3 32.5 30.6
SI simulate 500 [63000](hCU, hVD, hCL, tCU, tVD) valid 89.8 32.9 30.2
R18
HT Pr[63000]([ ]hcaml > hsignOut ∧ ((hconl == hsignOut) =⇒
tsignOut == 0)) > 0.95
valid 3.1h 45.33 31.3
HT Pr[63000]([ ]hcamu 6 hsignOut ∧ ((hconu == hsignOut) =⇒
tconu == 0)) > 0.95
valid 56.6 46.7 31.6
SI simulate 100 [63000](hcamu, hsignOut, tcaml) valid 50.5 39.9 28.6
R19
PE Pr[63000]([ ]hcaml > hvdOut ∧ ((hcaml == hvdOut) =⇒
tvdOut == 0))
[0.902, 1] 52.7 39.3 30.4
PE Pr[63000]([ ]hcamu 6 hvdOut ∧ ((hcamu == hvdOut) =⇒
tcamu == 0))
[0.902, 1] 2.4h 45.6 30.2
SI simulate 100 [63000](hcamu, hvdOut, tcaml) valid 1.9h 40.8 29.8
R20 HT Pr[63000]([ ]hL > htl ∧ ((htl == hL) =⇒ ttl == 0)) >0.95
valid 151.3 41.9 29.1
SI simulate 100 [63000](hL, htl, ttl) valid 58.4 37.3 24.5
R21 HT Pr[63000]([ ]hR > htr ∧ ((htl == hR) =⇒ ttr == 0)) >0.95
valid 75.9 46.8 31.3
SI simulate 100 [63000](hR, htr, ttr) valid 64.8 41.8 32.0
R22 PE Pr[63000]([ ]hSt > hst ∧ ((hSt == hst) =⇒ tst == 0)) [0.902, 1] 18.5 41.9 27.3SI simulate 100 [63000](hSt, hst, tst) valid 57.5 36.9 33.5
R23 PE Pr[63000]([ ]hStop > hstu ∧ ((hStop == hstu) =⇒ tstu ==
0))
[0.902, 1] 26.8 42.3 27.8
SI simulate 100 [63000](hStop, hstu, tstu) valid 73.6 42.4 27.9
Comparison
R24
HT Pr[63000]([ ] (excon == wcetcon ∧ exvd == wcetvd) =⇒
(hcu > hcom)) > 0.95
valid 57.4 36.7 28.4
PE Pr[63000]([ ] (excon == wcetcon ∧ exvd == wcetvd) =⇒
(hcu > hcom))
[0.902, 1] 14.7 35.5 26.7
EV E[63000; 500]([ ] max : control.t) 146.7±0.28 74.9 29.4 32.7
EV E[63000; 500]([ ] max : vd.t) 96.6±0.27 74.2 29.4 31.4
SI simulate 500 [63000](hcu, hcom)) valid 86.6 29.5 32.5
R25 EV E[63000; 100]([ ] max : camera.t) 29.8±0.02 18.7 39.6 29.9EV E[63000; 100]([ ] max : signreg.t) 143.5±0.7 16.5 33.2 28.7
SI simulate 100 [63000](hsigu, hsig)) valid 12.6 35.6 29.8
R26 HT Pr[63000]([ ] excon == wcetcon ∧ exvd == wcetvd ∧
excam == wcetcam ∧ exsign == wcetsign) =⇒ (hau >
ha)>0.95
valid 2.1h 42.5 30.1
PE Pr[63000]([ ] excon == wcetcon ∧ exvd == wcetvd ∧
excam == wcetcam ∧ exsign == wcetsign) =⇒ (hau > ha)
[0.902, 1] 56.9 40.7 29.7
Exclusion
R27
HT Pr[63000]([ ] ¬(tRight == 1 ∧ tLeft == 1)) > 0.95 valid 57.4 36.7 28.4
PE Pr[63000]([ ] ¬(tRight == 1 ∧ tLeft == 1)) [0.902, 1] 14.7 35.5 26.7
PC Pr[63000]([ ] ¬(tRight == 1 ∧ tLeft == 1)) > Pr[63000](<>
¬(¬(tRight == 1 ∧ tLeft == 1)))
>1.1 10.9 34.2 31.3
SI simulate 500 [63000](tRight, tLeft) valid 85.5 29.6 32.6
R28 HT Pr[63000]([ ] ¬(tb == 1 ∧ tacc == 1))>0.95 valid 57.5 44.6 35.9PE Pr[63000]([ ] ¬(tb == 1 ∧ tacc == 1)) [0.902, 1] 14.3 40.7 35.6
R29 HT Pr[63000]([ ] ¬(teme == 1 ∧ tLeft == 1))>0.95 valid 62.6 40.6 33.6SI simulate 100 [63000](teme, tLeft) valid 46.5 36.4 34.2
R30 HT Pr[63000]([ ] ¬(teme == 1 ∧ tRight == 1))>0.95 valid 63.8 36.3 34.2SI simulate 100 [63000](tRight, teme) valid 47.7 36.4 34.5
R31 HT Pr[63000]([ ] ¬(teme == 1 ∧ tacc == 1))>0.95 valid 59.1 36.3 35.2PE Pr[63000]([ ] ¬(teme == 1 ∧ tacc == 1)) [0.902, 1] 15.5 36.7 30.1
Figure 8.1: Simulation Result of R13
36
Probabilistic Analysis of Weakly-Hard Real-Time Systems
Figure 8.2: Frequency Histogram of End-to-End timing constraint (R17)
(a) Simulation (b) Expected Value
Figure 8.3: Performance analysis of verifying R5 with Expected Value and Simulation. The number
of runs ranges from 100 to 500 with increment as 100.
of verifying R5 by using Expected Value and Simulation queries with different
numbers of runs assigned. As shown in Fig. 8.3, along with the increase of the
number of runs, for both queries, the verification time grows proportionally, while
the CPU and memory have no significant changes.
37
Probabilistic Analysis of Weakly-Hard Real-Time Systems
Chapter 9
Related work
In the context of East-adl, efforts on the integration of East-adl and for-
mal techniques based on timing constraints were investigated in several works
[15, 17, 23, 30], which are however, limited to the executional aspects of sys-
tem functions without addressing stochastic behaviors. Kang [22] and Suryade-
vara [32, 33] defined the execution semantics of both the controller and the en-
vironment of industrial systems in Ccsl which are also given as mapping to
Uppaal models amenable to model checking. In contrast to our current work,
those approaches lack precise stochastic annotations specifying continuous dy-
namics in particular regarding different clock rates during execution. Ling [34]
transformed a subset of Ccsl constraints to PROMELA models to perform for-
mal verification using SPIN. Zhang [35] transformed Ccsl into first order log-
ics that are verifiable using SMT solver. However, their works are limited to
functional properties, and no timing constraints are addressed. Though, Kang et
al. [16,19] and Marinescu et al. [27] presented both simulation and model checking
approaches of Simulink and Uppaal-SMC on East-adl models, neither for-
mal specification nor verification of extended East-adl timing constraints with
probability were conducted. Our approach is a first application on the integra-
tion of East-adl and formal V&V techniques based on probabilistic extension
of East-adl/Tadl2 constraints using PrCcsl and Uppaal-SMC. An earlier
study [18,20,21] defined a probabilistic extension of East-adl timing constraints
and presented model checking approaches on East-adl models, which inspires
our current work. Specifically, the techniques provided in this paper define new
operators of Ccsl with stochastic extensions (PrCcsl) and verify the extended
East-adl timing constraints of CPS (specified in PrCcsl) with statistical model
checking. Du. et al. [13] proposed the use of Ccsl with probabilistic logical clocks
to enable stochastic analysis of hybrid systems by limiting the possible solutions
of clock ticks. Whereas, our work is based on the probabilistic extension of East-
adl timing constraints with a focus on probabilistic verification of the extended
constraints, particularly, in the context of WH.
38
Probabilistic Analysis of Weakly-Hard Real-Time Systems
Chapter 10
Conclusion
We present an approach to perform probabilistic verification on East-adl tim-
ing constraints of automotive systems based on WH at the early design phase:
1. Probabilistic extension of Ccsl, called PrCcsl, is defined and the East-
adl/Tadl2 timing constraints with stochastic properties are specified in PrCcsl;
2. The semantics of the extended constraints in PrCcsl is translated into ver-
ifiable Uppaal-SMC models for formal verification; 3. A set of mapping rules
is proposed to facilitate guarantee of translation. Our approach is demonstrated
on an autonomous traffic sign recognition vehicle (AV) case study. Although,
we have shown that defining and translating a subset of Ccsl with probabilis-
tic extension into Uppaal-SMC models is sufficient to verify East-adl timing
constraints, as ongoing work, advanced techniques covering a full set of Ccsl
constraints are further studied. Despite the fact that Uppaal-SMC supports
probabilistic analysis of the timing constraints of AV, the computational cost of
verification in terms of time is rather expensive. Thus, we continue to investigate
complexity-reducing design/mapping patterns for CPS to improve effectiveness
and scalability of system design and verification.
39
Probabilistic Analysis of Weakly-Hard Real-Time Systems
Acknowledgment
This work is supported by the NSFC, EASY Project: 46000-41030005.
40
Probabilistic Analysis of Weakly-Hard Real-Time Systems
References
[1] Automotive open system architecture. https://www.autosar.org/
[2] UPPAAL-SMC. http://people.cs.aau.dk/~adavid/smc/
[3] IEC 61508: Functional safety of electrical electronic programmable elec-
tronic safety related systems. International Organization for Standardization,
Geneva (2010)
[4] ISO 26262-6: Road vehicles functional safety part 6. Product development
at the software level. International Organization for Standardization, Geneva
(2011)
[5] MAENAD. http://www.maenad.eu/ (2011)
[6] André, C.: Syntax and semantics of the clock constraint specification lan-
guage (CCSL). Ph.D. thesis, INRIA (2009)
[7] André, C., Mallet, F.: Clock constraints in UML/MARTE CCSL. HAL -
INRIA (2008)
[8] Bernat, G., Burns, A., Llamosi, A.: Weakly hard real-time systems. Trans-
actions on Computers 50(4), 308 – 321 (2001)
[9] Blom, H., Feng, L., Lönn, H., Nordlander, J., Kuntz, S., Lisper, B., Quinton,
S., Hanke, M., Peraldi-Frati, M.A., Goknil, A., Deantoni, J., Defo, G.B.,
Klobedanz, K., Özhan, M., Honcharova, O.: TIMMO-2-USE Timing Model,
Tools, Algorithms, Languages, Methodology, Use Cases. Tech. rep., TIMMO-
2-USE (2012)
[10] Bulychev, P., David, A., Larsen, K.G., Mikučionis, M., Poulsen, D.B., Legay,
A., Wang, Z.: UPPAAL-SMC: Statistical model checking for priced timed
automata. In: QAPL. pp. 1–16. EPTCS (2012)
[11] David, A., Du, D., Larsen, K.G., Legay, A., Mikučionis, M., Poulsen, D.B.,
Sedwards, S.: Statistical model checking for stochastic hybrid systems. In:
HSB. pp. 122 – 136. EPTCS (2012)
[12] David, A., Larsen, K.G., Legay, A., Mikučionis, M., Poulsen, D.B.:
UPPAAL-SMC tutorial. STTT 17(4), 397 – 415 (2015)
41
Probabilistic Analysis of Weakly-Hard Real-Time Systems
[13] Du, D., Huang, P., Jiang, K., Mallet, F., Yang, M.: MARTE/pCCSL: Model-
ing and refining stochastic behaviors of CPSs with probabilistic logical clocks.
In: FACS. pp. 111 – 133. Springer (2016)
[14] EAST-ADL Consortium: EAST-ADL domain model specification v2.1.9.
Tech. rep., MAENAD European Project (2011)
[15] Goknil, A., Suryadevara, J., Peraldi-Frati, M.A., Mallet, F.: Analysis sup-
port for TADL2 timing constraints on EAST-ADL models. In: ECSA. pp.
89 – 105. Springer (2013)
[16] Kang, E.Y., Chen, J., Ke, L., Chen, S.: Statistical analysis of energy-aware
real-time automotive systems in EAST-ADL/Stateflow. In: ICIEA. pp. 1328
– 1333. IEEE (2016)
[17] Kang, E.Y., Enoiu, E.P., Marinescu, R., Seceleanu, C., Schobbens, P.Y., Pet-
tersson, P.: A methodology for formal analysis and verification of EAST-ADL
models. Reliability Engineering & System Safety 120(12), 127–138 (2013)
[18] Kang, E.Y., Huang, L., Mu, D.: Formal verification of energy and timed
requirements for a cooperative automotive system. In: SAC. pp. 1492 – 1499.
ACM (2018)
[19] Kang, E.Y., Ke, L., Hua, M.Z., Wang, Y.X.: Verifying automotive systems
in EAST-ADL/Stateflow using UPPAAL. In: APSEC. pp. 143 – 150. IEEE
(2015)
[20] Kang, E.Y., Mu, D., Huang, L., Lan, Q.: Model-based analysis of timing
and energy constraints in an autonomous vehicle system. In: QRS. pp. 525
– 532. IEEE (2017)
[21] Kang, E.Y., Mu, D., Huang, L., Lan, Q.: Verification and validation of a
cyber-physical system in the automotive domain. In: QRS. pp. 326 – 333.
IEEE (2017)
[22] Kang, E.Y., Schobbens, P.Y.: Schedulability analysis support for automotive
systems: from requirement to implementation. In: SAC. pp. 1080 – 1085.
ACM (2014)
[23] Kang, E.Y., Schobbens, P.Y., Pettersson, P.: Verifying functional behaviors
of automotive products in EAST-ADL2 using UPPAAL-PORT. In: SAFE-
COMP. pp. 243 – 256. Springer (2011)
[24] Legay, A., Viswanathan, M.: Statistical model checking: challenges and per-
spectives. STTT 17(4), 369 – 376 (2015)
42
Probabilistic Analysis of Weakly-Hard Real-Time Systems
[25] Mallet, F., Peraldi-Frati, M.A., Andre, C.: MARTE CCSL to execute EAST-
ADL timing requirements. In: ISORC. pp. 249 – 253. IEEE (2009)
[26] Mallet, F., De Simone, R.: Correctness issues on MARTE/CCSL constraints.
Science of Computer Programming 106, 78 – 92 (2015)
[27] Marinescu, R., Kaijser, H., Mikučionis, M., Seceleanu, C., Lönn, H., David,
A.: Analyzing industrial architectural models by simulation and model-
checking. In: FTSCS. pp. 189 – 205. Springer (2014)
[28] Nicolau, G.B.: Specification and analysis of weakly hard real-time systems.
Transactions on Computers pp. 308 – 321 (1988)
[29] Object Management Group: UML profile for MARTE: Modeling and analysis
of real-time embedded systems (2015)
[30] Qureshi, T.N., Chen, D.J., Persson, M., Törngren, M.: Towards the inte-
gration of UPPAAL for formal verification of EAST-ADL timing constraint
specification. In: TiMoBD workshop (2011)
[31] Simulink and Stateflow. https://www.mathworks.com/products.html
[32] Suryadevara, J.: Validating EAST-ADL timing constraints using UPPAAL.
In: SEAA. pp. 268 – 275. IEEE (2013)
[33] Suryadevara, J., Seceleanu, C., Mallet, F., Pettersson, P.: Verifying
MARTE/CCSL model behaviors using UPPAAL. In: SEFM. pp. 1 – 15.
Springer (2013)
[34] Yin, L., Mallet, F., Liu, J.: Verification of MARTE/CCSL time requirements
in PROMELA/SPIN. In: ICECCS. pp. 65 – 74. IEEE (2011)
[35] Zhang, M., Ying, Y.: Towards SMT-based LTL model checking of clock
constraint specification language for real-time and embedded systems. ACM
SIGPLAN Notices 52(4), 61 – 70 (2017)
43
