Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink
  Design Verifier by Kang, Eun-Young & Huang, Li
Formal Specification & Analysis of Autonomous
Systems in PrCCSL/Simulink Design Verifier
Eun-Young Kang12, Li Huang2
1PReCISE Research Centre, University of Namur, Belgium
2School of Data and Computer Science,
Sun Yat-sen University, Guangzhou, China
eykang@fundp.ac.be
huangl223@mail2.sysu.edu.cn
ar
X
iv
:1
80
6.
07
70
2v
1 
 [c
s.S
E]
  2
0 J
un
 20
18
ABSTRACT
Modeling and analysis of timing constraints is crucial in automotive systems.
EAST-ADL is a domain specific architectural language dedicated to safety-critical
automotive embedded system design. In most cases, a bounded number of viola-
tions of timing constraints in systems would not lead to system failures when the re-
sults of the violations are negligible, called Weakly-Hard (WH). We have previously
specified EAST-ADL timing constraints in Clock Constraint Specification Language
(CCSL) and transformed timed behaviors in CCSL into formal models amenable to
model checking. Previous work is extended in this paper by including support for
probabilistic analysis of timing constraints in the context of WH: Probabilistic ex-
tension of CCSL, called PrCCSL, is defined and the EAST-ADL timing constraints
with stochastic properties are specified in PrCCSL. The semantics of the extended
constraints in PrCCSL is translated into Proof Objective Models that can be veri-
fied using SIMULINK DESIGN VERIFIER. Furthermore, a set of mapping rules is
proposed to facilitate guarantee of translation. Our approach is demonstrated on an
autonomous traffic sign recognition vehicle case study.
Keywords: CPS, EAST-ADL, UPPAAL-SMC, SIMULINK DESIGN VERIFIER,
Verification & Validation
Contents
1 Introduction 1
2 Preliminary 3
2.1 Clock Constraint Specification Language (CCSL) . . . . . . . . . . 3
2.2 Simulink and SDV . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3 Running Example: Traffic Sign Recognition Vehicle 5
4 Probabilistic Extension of Relations in CCSL 10
5 Specification of Timing Constraints in PrCCSL 13
6 Translation of CCSL & PrCCSL into SDV 20
6.1 Mapping CCSL Expressions into S/S . . . . . . . . . . . . . . . . . 20
6.2 Representation of PrCCSL in SDV . . . . . . . . . . . . . . . . . . 22
7 Modeling of AV System and its Environment in S/S 27
8 Experiments: Verification & Validation 30
9 Related work 32
10 Conclusion 33
References 34
List of Figures
2.1 General verification models in SDV . . . . . . . . . . . . . . . . . 4
3.1 AV in EAST-ADL augmented with TADL timing constraints (R.ID),
specified in PrCCSL (Spec.R.ID) . . . . . . . . . . . . . . . . . . 6
4.1 Example of subclock relation . . . . . . . . . . . . . . . . . . . . . 11
6.1 hc = His(c) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
6.2 res , PeriodicOn base period p . . . . . . . . . . . . . . . . 21
6.3 res , Inf(c1, c2) (rep. Sup(c1, c2)) . . . . . . . . . . . . . . . . . 21
6.4 res , base DelayFor d on re f . . . . . . . . . . . . . . . . . 22
6.5 POM of Probabilistic Subclock . . . . . . . . . . . . . . . . . . . 22
6.6 POM of Probabilistic Coincidence and Exclusion . . . . . . . . 23
6.7 sup p {in f DelayFor 40 on ms} . . . . . . . . . . . . . . . . . . 24
6.8 POM of Probabilistic Coincidence and Exclusion . . . . . . . . 24
6.9 {signIn DelayFor 250 on ms} p {signIn DelayFor (Wctrl + Wvd)
on ms} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
6.10 {obstc DelayFor 500 on ms} ≺p veRun . . . . . . . . . . . . . . . 25
6.11 POM of End-to-End timing constraint . . . . . . . . . . . . . . . 26
7.1 Top-view of AV in S/S . . . . . . . . . . . . . . . . . . . . . . . . 27
7.2 Simulink model of Camera and SignRecognition . . . . . . . . . 28
7.3 Stateflow chart of Controller . . . . . . . . . . . . . . . . . . . . 28
7.4 Simulink model of VehicleDynamic fp . . . . . . . . . . . . . . . 29
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
Chapter 1
Introduction
Software development for Cyber-Physical Systems (CPS) requires both functional
and non-functional quality assurance to guarantee that CPS operate in a safety-
critical context under timing constraints. Automotive electric/electronic systems are
ideal examples of CPS in which the software controllers interact with physical en-
vironments. The continuous time behaviors of those systems often rely on complex
dynamics as well as on stochastic behaviors. Formal verification and validation
(V&V) technologies are indispensable and highly recommended for development of
safe and reliable automotive systems [3, 4].
Conventional formal analysis of timing models addresses worst case designs,
typically used for hard deadlines in safety critical systems, however, there is great
incentive to include “less-than-worst-case” designs with a view to improving effi-
ciency without affecting the quality of timing analysis in the systems. The challenge
is the definition of suitable model semantics providing reliable predictions of system
timing, given the timing of individual components and their compositions. While
the standard worst case models are well understood in this respect, the behavior
and the expressiveness of “less-than-worst-case’ models is far less investigated. In
most cases, a bounded number of violations of timing constraints in systems would
not lead to system failures when the results of the violations are negligible, called
Weakly-Hard (WH) [8, 26]. In this paper, we propose a formal probabilistic mod-
eling and analysis technique by extending the known concept of WH constraints to
what is called “typical” worst case model and analysis.
EAST-ADL (Electronics Architecture and Software Technology- Architecture
Description Language) [5, 11], aligned with AUTOSAR (Automotive Open Sys-
tem Architecture) standard [1], is the model-based development approach for the
architectural modeling of safety-critical automotive embedded systems. A system
in EAST-ADL is described by Functional Architectures (FA) at different ab-
straction levels. The FA are composed of a number of interconnected functionpro-
totypes ( fp), and the fps have ports and connectors for communication. EAST-ADL
relies on external tools for the analysis of specifications related to requirements.
For example, behavioral description in EAST-ADL is captured in external tools, i.e.,
SIMULINK/STATEFLOW [30]. The latest release of EAST-ADL has adopted the time
1
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
model proposed in the Timing Augmented Description Language (TADL) [9]. TADL
expresses and composes the basic timing constraints, i.e., repetition rates, end-to-
end delays, and synchronization constraints. The time model of TADL specializes
the time model of MARTE, the UML profile for Modeling and Analysis of Real-
Time and Embedded systems [27]. MARTE provides CCSL, a time model and a
Clock Constraint Specification Language, that supports specification of both logical
and dense timing constraints for MARTE models, as well as functional causality
constraints [23].
We have previously specified non-functional properties (timing and energy con-
straints) of automotive systems specified in EAST-ADL and MARTE/CCSL, and
proved the correctness of specification by mapping the semantics of the constraints
into UPPAAL models for model checking [21]. Previous work is extended in this pa-
per by including support for probabilistic analysis of timing constraints of automo-
tive systems in the context WH: 1. Probabilistic extension of CCSL, called PrCCSL,
is defined and the EAST-ADL/TADL timing constraints with stochastic properties
are specified in PrCCSL; 2. The semantics of the extended constraints in PrCCSL
is translated into verifiable Proof Objective Models (POMs) for formal verification
using SIMULINK DESIGN VERIFIER (SDV) [2]; 3. A set of mapping rules is pro-
posed to facilitate guarantee of translation. Our approach is demonstrated on an
autonomous traffic sign recognition vehicle (AV) case study.
The paper is organized as follows: Sec. 2 presents an overview of CCSL,
SIMULINK/STATEFLOW and SDV. The AV is introduced as a running example in
Sec. 3. Sec. 4 presents the formal definition of PrCCSL and Sec. 5 demonstrates the
specification of EAST-ADL timing constraints in CCSL/PrCCSL. Sec. 6 describes
a set of translation patterns from CCSL/PrCCSL to POMs and how our approaches
provide support for formal analysis at the design level. The modeling of AV system
and its environments in S/S are illustrated in Sec. 7. The applicability of our method
is demonstrated by performing verification on the AV case study in Sec. 8. Sec. 9
and Sec. 10 present related work and the conclusion.
2
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
Chapter 2
Preliminary
In our framework, we consider a subset of CCSL and its extension with stochastic
properties that is sufficient to specify EAST-ADL timing constraints in the context
of WH automotive systems. SIMULINK and EMBEDDED MATLAB (EML) are uti-
lized for modeling purposes, and V&V are performed by the SIMULINK built-in
verification tool, SIMULINK DESIGN VERIFIER (SDV).
2.1 Clock Constraint Specification Language (CCSL)
CCSL [7, 23] clocks describe events in a system and measure occurrences of the
events. The physical time is represented by a dense clock (with a base) and dis-
cretized into a logical clock. idealClock is a predefined dense clock whose unit
is second. We define a universal clock ms based on idealClock: ms = idealClock
discretizedBy 0.001, where ms is a periodic clock that ticks every 1 millisecond.
A step is a tick of the universal clock. Hence the length of one step is 1 millisecond
in this paper.
CCSL provides two types of clock constraints, relation and expression: A rela-
tion limits the occurrences among different events/clocks. Let C be a set of clocks,
c1,c2 ∈ C, Coincidence relation (c1 ≡ c2) specifies that two clocks must tick si-
multaneously. Precedence relation (c1≺ c2) limits that c1 runs faster than c2, i.e.,
∀k ∈ N+, where N+ is the set of positive natural numbers, the kth tick of c1 must
occur prior to the kth tick of c2. Causality relation (c1  c2) represents a relaxed
version of Precedence, allowing the two clocks to tick at the same time. Subclock
(c1 ⊆ c2) indicates the relation between two clocks, superclock (c1) and subclock
(c2), s.t. each tick of the subclock must correspond to a tick of its superclock at
the same step. Exclusion (c1 # c2) prevents the instants of two clocks from be-
ing coincident. An expression derives new clocks from the already defined clocks:
PeriodicOn builds a new clock found on a base clock and a period parameter, s.t.,
the instants of the new clocks are separated by a number of instants of the base clock.
The number is given as period. DelayFor results in a clock by delaying the base
clock for a given number of ticks of a reference clock. Infimum, denoted Inf, is
3
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
defined as the slowest clock that is faster than both c1 and c2. Supremum, denoted
Sup, is defined as the fastest clock that is slower than c1 and c2.
2.2 Simulink and SDV
SIMULINK [30] is a synchronous data flow language, which provides different types
of blocks for modeling and simulation of dynamic systems and code generation.
SIMULINK supports the definition of custom blocks via STATEFLOW diagrams or
user-defined function blocks written in EML, C, and C++. SDV is a formal verifica-
tion tool that performs reachability analysis on SIMULINK/STATEFLOW (S/S) model
with PROVER plugin. The satisfiability of each reachable state is determined by a
SAT solver. A proof objective model is specified in SIMULINK/SDV and illustrated
in Fig.2.1. A set of data (predicates) on the input flows of System is constrained
via Proof Assumption blocks during proof construction. A set of proof objectives
are constructed via a function F block and the output of F is specified as input to
a property P block. P passes its output signal to an Assertion block and returns
true when the predicates set on the input data flows of the outline model are sat-
isfied. Whenever Assertion is utilized, SDV verifies whether the specified input
data flow is always true. Any failed proof attempt ends in the generation of a coun-
terexample representing an execution path to an invalid state. A harness model is
generated to analyze the counterexample and refine the model.
Figure 2.1: General verification models in SDV
4
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
Chapter 3
Running Example: Traffic Sign Recognition
Vehicle
An autonomous vehicle (AV) [19, 20] application using Traffic Sign Recognition is
adopted to illustrate our approach. The AV reads the road signs, e.g., “speed limit”
or “right/left turn”, and adjusts speed and movement accordingly. The functional-
ity of AV, augmented with timing constraints and viewed as Functional Design
Architecture (FDA) (designFunctionTypes), consists of the following fps in
Fig.3.1: System function type contains four fps, i.e., the Camera captures sign im-
ages and relays the images to SignRecognition periodically. Sign Recognition
analyzes each frame of the detected images and computes the desired images (sign
types). Controller determines how the speed of the vehicle is adjusted based on the
sign types and the current speed of the vehicle. VehicleDynamic specifies the kine-
matics behaviors of the vehicle. Environment function type consists of three fps,
i.e., the information of traffic signs, random obstacles, and speed changes caused
by environmental influences described in TrafficSign, Obstacle, and Speed fps
respectively.
We consider the Periodic, Execution, End-to-End, Synchronization,
Sporadic, and Comparison timing constraints on top of the AV EAST-ADL model,
which are sufficient to capture the constraints described in Fig.3.1. Furthermore, we
extend EAST-ADL/TADL with an Exclusion timing constraint that integrates rele-
vant concepts from the CCSL constraint, i.e., two events cannot occur simultaneously
(R27 – R31).
R1. The camera must capture an image every 50ms. In other words, a Periodic
acquisition of Camera must be carried out every 50ms.
R2. The captured image must be recognized by an AV every 200ms, i.e., a Periodic
constraint on SignRecognition fp.
R3. The obstacle must be detected by an AV every 40ms, i.e., the Periodic timing
constraint is applied on the input port of Controller.
R4. The speed of AV is updated periodically with the period of 30ms.
R5. The detected image must be computed within [100, 150]ms in order to generate
the desired sign type, SignRecognition must complete its execution within [100,
5
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
Figure 3.1: AV in EAST-ADL augmented with TADL timing constraints (R.ID), specified in PrCCSL
(Spec.R.ID)
150]ms.
R6. Camera sends out captured images within [20, 30]ms to Controller, i.e., the
execution time of Camera should be between 20 and 30ms.
R7. If an obstacle is detected, Controller must send out a “brake request” signal to
VehicleDynamic in order to stop AV within [100, 150]ms, i.e., the execution time
of Controller should be in the range of [100, 150].
R8. After VehicleDynamic receives a command/request from Controller, the
speed of AV should be updated within [50, 100]ms, i.e., the Execution timing con-
straint applied on VehicleDynamic is within [50, 100]ms.
R9. If the mode of AV switches to “emergency stop” due to a certain obstacle, it
should not revert back to “automatic running” mode within a specific time period.
It is interpreted as a Sporadic constraint, i.e., the mode of AV is changed to Stop
because of the encounter with an obstacle, it should not revert back to Run mode
within 500ms.
R10. If the mode of AV switches to “emergency stop” due to a certain obstacle,
it should not revert back to “accelerate ” mode within a specific time period. It
is interpreted as a Sporadic constraint, i.e., the mode of AV is changed to Stop
because of the encounter with an obstacle, it should not revert back to accelerate
mode within 500ms.
R11. If the mode of AV switches to “emergency stop” due to a certain obstacle, it
6
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
should not revert back to “turn left” mode within a specific time period. It is inter-
preted as a Sporadic constraint, i.e., the mode of AV is changed to Stop because of
the encounter with an obstacle, it should not revert back to turn left mode within
500ms.
R12. If the mode of AV switches to “emergency stop” due to the certain obstacle,
it should not revert back to “turn right” mode within a specific time period. It is in-
terpreted as a Sporadic constraint, i.e., the mode of AV is changed to Stop because
of the encounter with an obstacle, it should not revert back to turn right mode
within 500ms.
R13. The necessary information from environment must be arrived to Controller
within 40ms, e.g., all the input signals arriving on the speed, signType, direct,
gear and torque ports of Controller must be within a given time window, i.e.,
the tolerated maximum constraint is 40ms. It is called Input Synchronization
constraint.
R14. Once the execution of Controller is completed, it sends out the computed
signals/values to VehicleDynamic within 30ms, e.g., all the ouput signals leaving
via reqTorq, reqDirect, reqGear, reqBrake ports of Controller must be within
a given time window, i.e., the tolerated maximum constraint is 30ms. It is called
Output Synchronization constraint.
R15. The necessary information from Controllermust be arrived to VehicleDyna-
mic within 30ms. The Input Synchronization constraint applied on the input
ports of VehicleDynamic (reqTorq, reqDirect, reqGear, reqBrake) should be
30ms.
R16. Once VehicleDynamic completes its execution, the information of AV must
be updated within 40ms. The Output Synchronization constraint applied on the
output ports of VehicleDynamic (speed, direct, gear, torque) should be 40ms.
R17. When a traffic sign is recognized, the speed of AV should be updated within
[150, 250]ms. An End-to-End constraint on Controller and VehicleDy-namic,
i.e., the time interval from the input of Controller to the output of VehicleDynamic
must be within a certain time.
R18. When Camera is triggered, the computation of image processing based on
the traffic signs captured by Camera must be finished within [120, 180]ms, i.e., the
End-to-End timing constraint applied on Camera and SignRecognition should be
between 120ms and 180ms.
R19. The time interval between Camera capturing an image of traffic sign and the
status of AV (i.e., speed, direction etc.) being updated according to the recognized
sign type should be within [270 , 430]ms, End-to-End timing constraint measured
from the input of Camera to the output of VehicleDynamic should be between 270
and 430ms.
R20. When a “left turn” sign is recognized, AV must turn left within 500ms, i.e., a
End-to-End timing constraint applied on the events DetectLeftSign and StartTurn-
7
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
Left is 500ms.
R21. When a “right turn” sign is recognized, AV must turn right within 500ms,
i.e., a End-to-End timing constraint applied on the events DetectRightSign and
StartTurnRight is 500ms.
R22. When a “stop” sign is recognized, AV must start to brake within 200ms,
i.e., a End-to-End timing constraint applied on the events DetectStopSign and
StartBrake is 20ms.
R23. When a “stop” sign is recognized, AV must be stop completely within 3000ms,
i.e., a End-to-End timing constraint applied on the events DetectStopSign and
Stop is 3000ms.
R24 The execution time interval between Controller and VehicleDynamic is less
than or equal to the sum of the worst case execution time interval of each fp.
R25. The execution time interval between Camera and SignRecognition is less
than or equal to the sum of the worst case execution time interval of each fp.
R26. The execution time interval between Camera and VehicleDynamic is less than
or equal to the sum of the worst case execution time interval of each fp.
R27. While AV turns left, the “turning right” mode should not be activated. The
events of turning left and right considered as exclusive and specified as an Exclusion
constraint.
R28. While AV is braking, the “accelerate” mode should not be activated. The
events of braking and accelerating are considered as exclusive and specified as an
Exclusion constraint.
R29. When AV is in the “emergency” mode because of encountering an obstacle,
“turning left” mode must not be activated, i.e., the events of handling “emergency”
and “turning left” are exclusive. It is specified as an Exclusion constraint.
R30. When AV is in the “emergency” mode because of encountering an obstacle,
“turning right” mode must not be activated, i.e., the events of handling “emergency”
and “turning right” are exclusive. It is specified as an Exclusion constraint.
R31. When AV is in the “emergency” mode because of encountering an obstacle,
“accelerating” mode must not be activated, i.e., the events of handling “emergency”
and “accelerating” are exclusive. It is specified as an Exclusion constraint.
Delay constraint gives duration bounds (minimum and maximum) between two
events source and target. This is specified using lower, upper values given as ei-
ther Execution constraints (R5 – R8) or End-to-End constraints (R17 – R23).
Synchronization constraint describes how tightly the occurrences of a group of
events follow each other. All events must occur within a sliding window, specified
by the tolerance attribute, i.e., the maximum time interval allowed between events
(R13 – R16). Periodic constraint states that the period of successive occurrences of
a single event must have a time interval (R1 – R4). Sporadic constraint states that
events can arrive at arbitrary points in time, but with defined minimum inter-arrival
times between two consecutive occurrences (R9 – R12). Comparison constraint
8
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
delimits that two consecutive occurrences of an event should have a minimum inter-
arrival time (R24 – R26). Exclusion constraint states that two events must not
occur at the same time (R27 – R31). Those timing constraints are formally specified
(seen as Spec. R. IDs in Fig.2) using clock relation and expression in the con-
text of WH then verified utilizing probabilistic analysis techniques that are described
further in the following sections.
9
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
Chapter 4
Probabilistic Extension of Relations in CCSL
To perform the formal specification and probabilistic verification of EAST-ADL tim-
ing constraints (R1 – R31 in Sec 3.), CCSL relations are augmented with proba-
bilistic properties, called PrCCSL, based on WH [8]. To describe the bound on the
number of allowed constraint violations in WH, we extend CCSL relations with a
probabilistic parameter p, where p is the probability threshold. PrCCSL is satisfied
if and only if the probability of relation constraint being satisfied is greater than or
equal to p.
Definition 1 (PrCCSL) Let c1, c2 andM be two logical clocks and a system model.
The probabilistic extension of relation constraints, denoted c1∼pc2, is satisfied if the
following condition holds:
M  c1∼pc2⇐⇒ Pr(c1∼c2)≥ p
where∼∈{⊆,≡,≺,,#}, Pr(c1∼c2) is the probability of the relation c1∼c2 being
satisfied, and p ∈ [0,1] is the probability threshold.
Pr(c1∼c2) is calculated based on clock ticks: Pr(c1∼c2) = mk , where k is the total
number of ticks and m is a number of ticks satisfying the clock relation c1∼c2.
Definition 2 (Tick and History) For c ∈ C, the tick of c is indicated by a function
tc: N→{0,1}. For i∈N, tc(i) is a boolean variable that indicates whether c ticks at
the ith step, which is defined as: if c ticks at step i, tc(i) = 1; otherwise tc(i) = 0. The
history of c is a function hc: N→ N. hc(i) that represents the number of ticks of c
that have been fired prior to the ith step, which can be defined as: (1) hc(0) = 0; (2)
∀ i ∈ N+, tc(i) = 0 =⇒ hc(i+1) = hc(i); (3) ∀ i ∈ N+, tc(i) = 1 =⇒ hc(i+1) =
hc(i) + 1.
The five CCSL relations, Subclock, Coincidence, Exclusion, Causality
and Precedence, are considered and the related probabilistic extensions are defined.
Definition 3 (Probabilistic Subclock) The probability of subclock relation between
c1 and c2, denoted c1⊆pc2, is satisfied if the following conditions hold:
10
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
Figure 4.1: Example of subclock relation
M  c1⊆pc2⇐⇒ Pr(c1⊆c2)≥ p
where Pr(c1⊆c2) = mk , k =
n
∑
i=0
tc1(i), m =
n
∑
i=0
{tc1(i)∧ (tc1(i) =⇒ tc2(i))}
n refers to the simulation bound (number of steps of an execution). k is the total
number of ticks of the subclock c1 during the execution. m is the number of ticks of
c1 satisfying the subclock relation. A tick of the subclock c1 satisfies the relation
if at the step it occurs, its superclock c2 ticks. An example is shown in Fig. 4.1:
among the 30 steps, c1 ticks seven times, and six of them (denoted by the arrows)
satisfy subclock relation. In this case, n=30, k = 7 and m = 6.
Coincidence relation states that two clocks should tick at the same step. i.e.,
they are subclocks of each other.
Definition 4 (Probabilistic Coincidence) The probability of coincidence relation
between c1 and c2, denoted c1≡pc2, is satisfied if the following conditions hold:
M  c1≡pc2⇐⇒ Pr(c1≡c2)≥ p
where Pr(c1≡c2) = mk , k =
n
∑
i=0
{tc1(i)∨ tc2(i)}, m =
n
∑
i=0
{tc1(i)∧ tc2(i)}
Pr(c1≡c2) represents the probability of the instants c1 that are coincident with the
instants of c2. Coincidence relation is bidirectional, which means that c1 and c2 are
equivalent in the relation. In this case, k is the total number of steps at which either
c1 or c2 ticks. m is the number of ticks of steps at which coincidence relation is
satisfied, i.e., the steps at which both c1 and c2 tick.
The inverse of coincidence relation, called exclusion, hinders two clocks
from ticking simultaneously.
Definition 5 (Probabilistic Exclusion) The probability of exclusion relation between
c1 and c2, denoted c1#pc2, is satisfied if the following conditions hold:
M  c1#pc2⇐⇒ Pr(c1#c2)≥ p, where Pr(c1#c2) = mk ,
k =
n
∑
i=0
{tc1(i)∨ tc2(i)},
m =
n
∑
i=0
{(tc1(i)∧¬tc2(i))∨ (¬tc1(i)∧ tc2(i))}
11
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
k is the total number of steps at which either c1 or c2 ticks. m indicates the number
of steps at which exclusion relation is satisfied, i.e., the steps at which only one of
the two clocks ticks.
The probabilistic extension of causality and precedence relations are de-
fined based on the history of the clocks. Recall that hc1(i) (hc2(i)) indicates how
many times c1 (c2) has ticked before the step i. If the history of c1 is greater than the
one of c2 at the same step, we say that c1 runs faster than c2 at that step. Causality
relation specifies that an event causes another one, i.e., the effect cannot occur if the
cause has not.
Definition 6 (Probabilistic Causality) The probabilistic causality relation between
c1 and c2 (c1 is the cause and c2 is the effect), denoted, c1pc2, is satisfied if the
following conditions hold:
M  c1pc2⇐⇒ Pr(c1c2)≥ p
where Pr(c1c2) = mk , k =
n
∑
i=0
tc1(i), m =
n
∑
i=0
{tc1(i)∧hc1(i)≥ hc2(i)}
k is the total number of ticks of c1. m is the number of ticks of c1 satisfying
causality relation. A tick of c1 satisfies causality relation if c2 does not oc-
cur prior to c1, i.e., the history of c2 is less than or equal to the history of c1 at the
current step.
The strict causality, called precedence, constrains that one clock must al-
ways run faster than the other.
Definition 7 (Probabilistic Precedence) The probabilistic precedence relation be-
tween c1 and c2, denoted, c1≺pc2, is satisfied if the following conditions hold:
M  c1≺pc2⇐⇒ Pr(c1≺c2)≥ p, where
Pr(c1≺c2) = m
k
, k =
n
∑
i=0
tc1(i),
m =
n
∑
i=0
tc1(i)∧hc1(i)≥ hc2(i)︸ ︷︷ ︸
(1)
∧(hc1(i) = hc2(i) =⇒¬tc2(i)︸ ︷︷ ︸
(2)
)
k indicates the total number of ticks of c1. m is the number of ticks of c1 satisfying
precedence and holding the two conditions: (1) the history of c1 is greater than or
equal to the history of c2 at the same step; (2) c1 and c2 must not be coincident, i.e.,
when the history of c1 and c2 are equal, c2 must not tick.
12
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
Chapter 5
Specification of Timing Constraints in
PrCCSL
To describe the property that a timing constraint is satisfied with the probability
greater than or equal to a given threshold, CCSL and its extension PrCCSL are em-
ployed to capture the semantics of probabilistic timing constraints in the context
of WH. Below, we show how EAST-ADL timing constraints, including Execution,
Periodic, End-to-End, Sporadic, Synchronization, Exclusion and Comparison
timing constraints, can be specified in CCSL/PrCCSL. In the system, events are rep-
resented as clocks. The ticks of clocks correspond to the occurrences of the events.
Periodic timing constraints (R1 – R4) can be specified using PeriodicOn expression
and probabilistic coincident relation. For example, R1 states that the camera
must be triggered periodically with a period 50ms. We first construct a periodic clock
prd 50 which ticks every 50 ticks of ms (the universal clock). Then the property that
the periodic timing constraint is satisfied with probability no less than the threshold
p can be interpreted as the probabilistic coincidence relation between cmrTrig (the
event that Camera fp being triggered) and prd 50. The corresponding specification
is given below, where , means “is defined as”:
prd 50 , PeriodicOn ms period 50 (5.1)
cmrTrig ≡p prd 50 (5.2)
By combining (1) and (2), we can obtain the the specification of R1:
cmrTrig ≡p {PeriodicOn ms period 50} (5.3)
In similar, the CCSL/PrCCSL specification of R3 – R4 can be derived:
R3 : obsDetect ≡p {PeriodicOn ms period 40} (5.4)
R4 : spU pdate ≡p {PeriodicOn ms period 30} (5.5)
13
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
where signTrig is the event/clock that SignRecognition fp will be triggered, obsDetect
represents the event that the object detection is activated by the vehicle and spU pdate
denotes the event that the speed is updated (i.e., recieved by Controller) from the
environment.
Since the period attribute of the periodic timing constraint R2 is 200ms, which is a
integral multiple of the period of R1, R2 can be interpreted as a subclock relation,
i.e., the event signTrig should be a subclock of cmrTrig. The specification is given
below:
signTrig ⊆p cmrTrig (5.6)
Execution timing constraints (R5 – R8) can be specified using DelayFor expres-
sion and probabilistic causality relation. To specify R5, which states that
the SignRecognition fp must finish execution within [100, 150]ms, i.e., the in-
terval measured from the input event of the fp (i.e., the event that the image is
received by the fp, denoted imIn) to the output event of the fp (denoted signOut)
must have a minimum value 100 and a maximum value 150. We divide this prop-
erty into two sub-properties: R5(1). The time duration between imIn and signOut
should be greater than 100ms. R5(2). The time duration between imIn and signOut
should be less than 150ms. To specify property R5(1), we first construct a new clock
imIn dly100 by delaying imIn (the input event of SignRecognition) for 100ms. To
check whether R5(1) is satisfied within a probability threshold is to verify whether
the probabilistic causality between imIn dly100 and signOut is valid. The
specification of R5(1) is given below:
imIn dly100 , imIn DelayFor 100 on ms (5.7)
imIn dly100 p signOut (5.8)
By combining (7) and (8), we can obtain the the specification of R5(1):
{imIn DelayFor 100 on ms} p signOut (5.9)
Similarly, to specify property R5(2), a new clock imIn dly150 is generated by
delaying imIn for 150 ticks on ms. Afterwards, the property that R5(2) is satisfied
with a probability greater than or equal to p relies on whether the probabilistic
causality relation between imIn dly150 and signOut is satisfied. The specification
is illustrated as follows:
imIn dly150 , imIn DelayFor 150 on ms (5.10)
signOut p mIn dly150 (5.11)
By combining (10) and (11), we can obtain the the specification of R5(2):
signOut p {imIn DelayFor 150 on ms} (5.12)
14
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
Analogously, the CCSL/PrCCSL specification of R6 – R8 can be derived:
R6 : {cmrTrig DelayFor 20 on ms} p cmrOut
cmrOut p {cmrTrig DelayFor 30 on ms}
(5.13)
R7 : {ctrlIn DelayFor 100 on ms} p ctrlOut
ctrlOut p {ctrlIn DelayFor 150 on ms}
(5.14)
R8 : {vdIn DelayFor 50 on ms} p vdOut
vdOut p {vdIn DelayFor 100 on ms}
(5.15)
where cmrTrig is the event that the Camera fp is triggered, cmrOut represents the
event that the captured image is sent out. ctrlIn (ctrlOut) represents the input (resp.
output) of Controller fp. vdIn (vdOut) represents the input (resp. output) of
VehicleDynamic fp.
Sporadic timing constraints (R9 – R12) can be specified using DelayFor expression
and probabilistic precedence relation. For instance, R9 states that there should
be a minimum delay between the event veRun (the event that the vehicle is in the Run
mode) and the event obstc (the event that the vehicle detects an obstacle), which is
specified as 500ms. To specify R9, we first build a new clock obstc dly500 by
delaying obstc for 500 ticks of ms. We then check whether the probabilistic
precedence relation between obst dly500 and veRun:
obstc dly500 , obstc DelayFor 500 on ms (5.16)
obstc dly500 ≺p veRun (5.17)
By combining (16) and (17), we can obtain the the specification of R9:
{obstc DelayFor 500 on ms} ≺p veRun (5.18)
Analogously, the CCSL/PrCCSL specification of R10 – R12 can be derived:
R10 : {obstc DelayFor 500 on ms} ≺p veAcc (5.19)
R11 : {obstc DelayFor 500 on ms} ≺p tLe f t (5.20)
R12 : {obstc DelayFor 500 on ms} ≺p tRight (5.21)
where veAcc is the event/clock that the vehicle is accelerating. tLe f t and tRight
represent the event that the vehicle transits from the emergency stop mode to turn
left and turn right mode respectively.
15
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
Synchronization timing constraints (R13 – R16) can be specified using Infimum
and Supremum expression, together with probabilistic precedence relation. R13
states that the five input events must be detected by Controller within the maxi-
mum tolerated time, given as 40ms. The synchronization timing constraint can be
interpreted as: the time interval between the earliest/fastest and the latest/slowest
event among the five input events, i.e., speed, signType, direct, gear and torque,
must not exceed 40ms. To specify the constraints, Infimum is utilized to express
the fastest event (denoted in fctrlIn) while Supremum is utilized to specify the slowest
event supctrlIn. supctrlIn and in fctrlIn are defined as:
supctrl , Sup(Sup(speed, signType), Sup(Sup(direct, gear), toque)) (5.22)
in fctrl , Inf(Inf(speed, signType), Inf(Inf(direct, gear), toque)) (5.23)
where Inf(c1, c2) (resp. Sup(c1, c2)) is the Infimum (resp. Supremum) operator
returns the slowest (resp. fastest) clock faster (resp. slower) than c1 and c2. After-
wards, we construct a new clock in fctrlIn dly40 that is the in fctrlIn delayed for 40
ticks of ms, which is defined as:
in fctrlIn dly40 , in fctrlIn DelayFor 40 on ms (5.24)
Therefore, the synchronization constraint R13 can be represented as the probab-
ilistic causality relation between supctrlIn and in fctrlIn dly40, given as the
CCSL/PrCCSL expression below:
supctrlIn p in fctrlIn dly40 (5.25)
By combining (24) and (25), we can obtain the the specification of R13:
supctrlIn p {in fctrlIn DelayFor 40 on ms} (5.26)
In similar, the CCSL/PrCCSL specification of R14 – R16 can be derived. For R14,
we first construct the clocks that represent the fastest and slowest output event/clock
among the four output events of Controller fp, i.e., reqTorq, reqDirec, reqGear
and reqBrake. Then the property that the synchronization constraint is satisfied with
a probability greater than or equal to p can be interpreted as a probabilistic
causality relation:
R14 : supctrlOut , Sup(Sup(reqTorq, reqDirec), Sup(reqGear, reqBrake))
in fctrlOut , Inf(Inf(reqTorq, reqDirec), Inf(reqGear, reqBrake))
supctrlOut p {in fctrlOut DelayFor 30 on ms}
(5.27)
For R15, we first construct the fastest and slowest input event/clock among the four
input events of VehicleDynamic , i.e., reqTorq, reqDirec, reqGear and reqBrake.
16
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
Then the property that the synchronization constraint is satisfied with a probabil-
ity greater than or equal to p can be interpreted as a probabilistic causality
relation:
R15 : supvdIn , Sup(Sup(reqTorq, reqDirec), Sup(reqGear, reqBrake))
in fvdIn , Inf(Inf(reqTorq, reqDirec), Inf(reqGear, reqBrake))
supvdIn p {in fvdIn DelayFor 40 on ms}
(5.28)
For R16, we first construct the fastest and slowest output event/clock among the four
output events of VehicleDynamic , i.e., speed, direct, torque and gear. Then the
property that the synchronization constraint is satisfied with a probability greater
than or equal to p can be interpreted as a probabilistic causality relation:
R16 : supvdOut , Sup(Sup(speed, direct), Sup(gear, torq))
in fvdOut , Inf(Inf(speed, direct), Inf(gear, torque))
supvdOut p {in fvdOut DelayFor 40 on ms}
(5.29)
End-to-End timing constraints (R17 – R23) can be specified using DelayFor ex-
pression and probabilistic precedence relation. To specify R17, which limits
that the time duration measured from the instant of the occurrence of the event that
Controller fp receive the traffic sign type information (denoted as signIn), to the
occurrence of event that the speed is sent out from VehicleDynamic fp (denoted as
spOut) should be between 150 and 250ms. We divide this property into two subprop-
erties: R17(1). The time duration between signIn and spOut should be larger than
150ms. R17(2). The time duration between signIn and spOut should be less than
250ms. To specify property R17(1), we first construct a new clock signIn dly150
by delaying signIn for 150ms. To check whether R17(1) is satisfied within a prob-
ability threshold p is to verify whether the probabilistic precedence between
signIn dly150 and spOut is valid. The specification of R17(1) is given below:
signIn dly150 , signIn DelayFor 150 on ms (5.30)
signIn dly150 ≺p spOut (5.31)
By combining (30) and (31), we can obtain the the specification of R17(1):
{signIn DelayFor 150 on ms} ≺p spOut (5.32)
Similarly, to specify property R17(2), a new clock signIn dly250 is generated by
delaying signIn for 250 ticks of ms. Afterwards, the property that R17(2) is satisfied
with a probability greater than or equal to p relies on whether the probabilistic
precedence relation is satisfied. The specification is illustrated as follows:
signIn dly250 , signIn DelayFor 250 on ms (5.33)
17
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
spOut ≺p signIn dly250 (5.34)
By combining (33) and (34), we can obtain the the specification of R17(2):
spOut ≺p {signIn DelayFor 250 on ms} (5.35)
In similar, the CCSL/PrCCSL specification of R18 – R23 can be derived:
R18 : {cmrTrig DelayFor 120 on ms} ≺p signOut
signOut ≺p {cmrTrig DelayFor 180 on ms}
(5.36)
R19 : {cmrTrig DelayFor 270 on ms} ≺p spOut
spOut ≺p {cmrTrig DelayFor 430 on ms}
(5.37)
R20 : {startTurnLe f t ≺p DetectLe f tSign DelayFor 500 on ms} (5.38)
R21 : {startTurnRight ≺p DetectRightSign DelayFor 500 on ms} (5.39)
R22 : {startBrake ≺p DetectStopSign DelayFor 500 on ms} (5.40)
R23 : {Stop ≺p DetectStopSign DelayFor 3000 on ms} (5.41)
Comparison timing constraints (R24 – R26) can be specified using DelayFor ex-
pression and probabilistic causality relation. R24 states that the execution
time interval from Controller to VehicleDynamic should be less than or equal to
the sum of the worst case execution time of Controller and VehicleDy-namic,
denoted as Wctrl and Wvd respectively. To specify comparison constraint, we first
construct a new clock signIn dly250 by delaying signIn for 250 ticks of ms. After-
wards, we generate another new clock signIn dlysw that is the signIn clock delayed
for sum of the worst case execution time of the two fps. The specification is illus-
trated as follows:
signIn dly250 , signIn DelayFor 250 on ms (5.42)
signIn dlysw , signIn DelayFor (Wctrl +Wvd) on ms (5.43)
Therefore, the property that the probability of comparison constraint is satisfied
should be greater than or equal to the threshold p can be interpreted as a probabilistic
causality relation between signIn dly250 and signIn dlysw:
signIn dly250 p signIn dlysw (5.44)
18
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
By combining (42), (43) and (44), we can obtain the the specification of R24:
{signIn DelayFor 250 on ms} p {signIn DelayFor (Wctrl +Wvd) on ms} (5.45)
Analogously, the CCSL/PrCCSL specification of R25 and R26 can be derived:
R25 : {cmrTrig DelayFor 180 on ms} p
{cmrTrig DelayFor (Wcmr+Wsr) on ms}
(5.46)
R26 : {cmrTrig DelayFor 430 on ms} p
{cmrTrig DelayFor (Wcmr+Wsr+Wctrl +Wvd) on ms}
(5.47)
where Wcmr and Wvd represent the worst case execution time of Camera and SignRecognition
respectively.
Exclusion timing constraints (R27 – R31) can be specified using exclusion rela-
tion directly. R27 states that the two events turnLe f t (the event that the vehicle is
turning left) and rightOn (the event that the turn right mode is activated) should be
exclusive, which can be expressed as:
turnLe f t #p rightOn (5.48)
Analogously, the exclusion timing constraints R28 – R31 can be specified using
exclusion relation:
R27 : turnLe f t #p rightOn (5.49)
R28 : veAcc #p veBrake (5.50)
R29 : emgcy #p turnLe f t (5.51)
R30 : emgcy #p rightOn (5.52)
R31 : emgcy #p veAcc (5.53)
where emgcy is the event that the vehicle is in the emergency mode, veBrake and
veAcc represent the event that the vehicle is braking or accelerating, respectively.
19
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
Chapter 6
Translation of CCSL & PrCCSL into SDV
In order to formally prove the EAST-ADL timing constraints (given in Sec. 3) using
SIMULINK DESIGN VERIFIER (SDV), we investigate how those constraints, spec-
ified in CCSL expressions and PrCCSL relations (Spec. R.ID in Fig. 3.1), can
be translated into Proof Objective Models (POM). CCSL expressions constructs new
clocks and the relations between the new clocks are specified using PrCCSL. We
first provide strategies that represent CCSL expressions in SIMULINK/STATEFLOW
(S/S). We then present how the EAST-ADL timing constraints defined in PrCCSL
can be translated into the corresponding POMs, which are integrated with the S/S
models of CCSL expressions, based on the strategies.
6.1 Mapping CCSL Expressions into S/S
We first describe how tick and history of CCSL can be mapped to corresponding S/S
models. Using the mapping, we show CCSL expressions can be modeled in S/S. A
“step” (defined in Sec. 2) is represented as a sample time in SIMULINK and set to
0.001 second. The clock ticks are expressed as boolean variables (1 “ticking” or
0 “non-ticking”) during simulation. The history of clock (expressed as integer) is
increased as the clock ticks and interpreted as a function His(c) in Fig.6.1: Since
hc, the history of clock c, is determined by the value of c at the immediate precedent
step, a Delay block is employed to delay c by one step. Whenever c ticks at the
prior step, ES is executed and increases hc by 1.
Figure 6.1: hc = His(c)
Based on the mapping patterns of tick and history, we present how PeriodicOn,
DelayFor, Infimum and Supremum expressions can be represented as S/S models.
PeriodicOn: res , PeriodicOn base period p, where , means “is defined as”,
20
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
builds a new clock res based on base clock and a period parameter p, i.e., res ticks at
every pth tick of base. The SIMULINK model of PeriodicOn is illustrated in Fig.6.2:
When base ticks, the Matlab Function (code is shown in the box), embedded in
the ES subsystem, is triggered and checks if the history of the base, His(base),
is an integral multiple of p. When base ticks and its history equals to the integral
multiple of p, res ticks. The PeriodicOn S/S model is employed for the translation
of EAST-ADL Periodic timing constraint (R1 – R4 in Fig.3.1) into its POM in
SDV.
Figure 6.2: res , PeriodicOn base period p
Infimum (resp. Supremum): res , Inf(c1, c2) (resp. Sup(c1, c2)), creates a
new clock res, which is the slowest (resp. fastest) clock faster (resp. slower) than
the two clocks, c1 and c2. In other words, res ticks at the step whereby the faster
(slower) clock between c1 and c2 ticks. The SIMULINK model of Infimum (resp.
Supremum) is depicted in Fig.6.3. When c1 or c2 ticks, the inf (resp. sup) function
embedded in ES is executed and decides which clock is faster (resp. slower) than
the other by comparing the history of c1 and c2 (h1 and h2). If the clock (either c1
or c2) ticking at the current step is the faster (resp. slower) clock, res ticks. The
Infimum and Supremum S/S models are utilized for the translation of EAST-ADL
Synchronization timing constraint (R13 – R16 in Sec. 3) into POM. DelayFor:
Figure 6.3: res , Inf(c1, c2) (rep. Sup(c1, c2))
res , base DelayFor d on re f , constructs a new clock res based on base clock
and reference clock (re f ), i.e., each time base ticks, res ticks at the dth tick of re f .
The SIMULINK model of DelayFor is shown in Fig. 6.4: A STATEFLOW chart is
utilized to observe the ticks of base and re f . A queue, Q, whose enqueue/dequeue
operation is implemented in the function queue. y indicates whether re f has ticked
d times since base ticked. When base ticks (base == 1), an element with value d
is enqueued, and each time re f ticks, the value of the element is decreased by 1.
After d ticks of re f , the element becomes 0 and y becomes true. An And block
21
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
is applied to delimit that the tick of res must coincide with the tick of re f (i.e., res
is a subclock of re f ). The DelayFor S/S model is adapted to construct the POM
models of EAST-ADL timing requirements R5 – R26 in Sec. 3.
Figure 6.4: res , base DelayFor d on re f
6.2 Representation of PrCCSL in SDV
We present how the translation of EAST-ADL timing constraints (specified in PrCCSL
relations and CCSL expressions) can be interpreted as POMs in the view point of
analysis engine SDV. Recall the definitions of PrCCSL in Sec. 4. A PrCCSL rela-
tion is valid if the probability of a relation φ being satisfied is greater than or equal to
the given probability threshold p. It can be interpreted as a Hypothesis Testing [29]:
Decide whetherM  Pr(φ )≥ p (hypothesis H0) againstM  Pr(φ )< p (alternative
hypothesis H1).
Probabilistic Subclock is employed to specify EAST-ADL Periodic timing con-
straint, given as signRecTrig ⊆p cTrig (Spec. R2 in Fig.3.1). The correspond-
ing POM is shown in Fig.6.5: The STATEFLOW chart Obs in Fig.6.5.(b) is utilized
for Hypothesis Testing, where k is the total number of ticks of signRecTrig (sub-
clock) and m is the number of ticks satisfying the subclock relation. Whenever
(a) signRecTrig ⊆p cTrig (b) Obs Chart
Figure 6.5: POM of Probabilistic Subclock
signRecTrig ticks, k is increased by 1, and if the subclock relation holds on that tick
(i.e., the condition “signRecTrig =⇒ cTrig’ is true), m is increased by 1. When k is
increased to the sample size N, the STATEFLOW chart then judges whether the num-
ber of “success” ticks of signRecTrig is greater than or equal to “p∗k” (i.e., whether
22
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
m
k ≥ p is valid), and it activates either valid (“H0” is accepted) or fail state (“H1” is
accepted). A Proof Objective block with false value is employed to check whether
the probabilistic subclock relation is satisfied, i.e., the fail is never reached. In simi-
lar, using the Obs chart, other PrCCSL relations can be represented as POMs. Further
details are given below. Probabilistic Coincidence is adapted to specify EAST-ADL
Periodic timing constraint, given as cTrig≡p {PeriodicOn ms period 50} (Spec.
R1 in Fig.3.1). The representative POM is shown in Fig.6.6.(a): A PeriodicOn
subsystem (whose internal blocks are shown in Fig.6.2) is utilized to generates a
periodic clock res that ticks every 50ms. According to Definition 4 in Sec. 4, if
either cTrig or res ticks (“cTrig OR res” is true), c becomes true and k is increased
by 1. Meanwhile, if cTrig and res tick simultaneously (“cTrig AND res” is true), r
becomes true and m is increased by 1. Based on the value of m and k, Obs checks
whether the probability of coincidence relation being satisfied is greater than or
equal to p and activates either valid or f ail state. Proof Objective block checks
whether f ail state is always inactive, i.e., H0 is accepted.
(a) cTrig ≡p {PeriodicOn ms period 50}
(b) turnLe f t #p rightOn
Figure 6.6: POM of Probabilistic Coincidence and Exclusion
Probabilistic Exclusion is utilized to specify EAST-ADL Exclusion timing con-
straint, given as turnLe f t #p rightOn (Spec. R27 in Fig.3.1). The corresponding
POM is shown in Fig.6.6.(b): k is increased by 1 when either turnLe f t or rightOn
ticks. If only one of the two clocks ticks at the current step, i.e., r (the input of
Obs) is true, m is increased by 1. Proof Objective block with false value checks
whether f ail state is never reached, i.e., H0 is accepted.
Probabilistic Causality is employed to specify EAST-ADL Synchronization tim-
ing constraint, supp {in f DelayFor 40 on ms} (Spec. R13 in Fig.3.1)), where sup
(inf ) is the fastest (slowest) event slower (faster) than the five input events, speed,
signType, direct, gear and torque. sup and in f are defined as:
sup , Sup(Sup(speed, signType), Sup(Sup(direct, gear), toque)) (6.1)
in f , Inf(Inf(speed, signType), Inf(Inf(direct, gear), toque)) (6.2)
23
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
The representative POM is illustrated in Fig.6.7: The S/S models of Inf and Sup
(shown in Fig.6.3) are utilized in order to construct in f (54) and sup (55), modeled
as INF and SUP subsystems, respectively. A new clock dinf is generated by delaying
inf for 40 ticks of ms, i.e., din f , {in f DelayFor 40 on ms}, and it is represented
by using the S/S model of DelayFor (shown in Fig.6.4). Then Probabilistic
Causality relation between sup and din f is checked. According to Definition 6,
when sup ticks, k is increased by 1. At the same step, if the causality relation
between sup and din f is satisfied, i.e., the history of sup is greater than or equal
to the history of din f , m is increased by 1. Proof Objective block analyzes if
the Probabilistic Causality relation is satisfied , i.e., the f ail state is never
activated.
Figure 6.7: sup p {in f DelayFor 40 on ms}
In Similar, EAST-ADL Execution (R5) can be specified in Probabilistic Causality
using DelayFor and translated into corresponding POMs. The execution timing
constraint R5 can be divided into two sub-properties, given as R5(1) and R5(2)
in Sec.5. The POM models of R5(1) and R5(2) are illustrated in Fig.6.8.(a) and
Fig.6.8.(b) respectively. Two intermediate clocks are generated by delaying imIn
for 100 ticks and 150 ticks of ms (the output of the DelayFor subsystem). Then
the execution timing constraints, interpreted as the probabilistic causality
relation, can be modeled with Obs chart.
(a) {imIn DelayFor 100 on ms} p signOut
(b) signOut 0.95 {imIn DelayFor 150 on ms}
Figure 6.8: POM of Probabilistic Coincidence and Exclusion
Comparison (R24) timing constraint, specified in Probabilistic Causality and
DelayFor (see Sec. 5), can be translated into the POMs presented in Fig.6.9. Two
intermediate clocks are generated by using the S/S model of DelayFor, i.e., d1 is
the signIn clock delayed for 250 and d2 is the clock generated by delaying signIn
for (Wctrl + Wvd) ticks of ms. Afterwards, the Obs is applied to check whether the
24
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
Probabilistic Causality relation between d1 and d2 is satisfied, i.e., whether
the history of d1 is always greater than or equal to the history of d2.
Figure 6.9: {signIn DelayFor 250 on ms} p {signIn DelayFor (Wctrl + Wvd) on ms}
Probabilistic Precedence is used to specify EAST-ADL Sporadic timing constraint,
given as {obstc DelayFor 500 on ms} ≺p veRun (Spec. R9 in Fig.3.1). The con-
straint delimits that two events obstc and veRun must have a minimum delay 500ms,
and its corresponding POM is illustrated in Fig.6.10: A new clock res is generated
by delaying obstc by 500 ticks of ms, i.e., res , {obstc DelayFor 500 on ms}, and
it is modeled by using the S/S model of DelayFor. Then R9 can be checked by ver-
ifying res ≺p veRun. As presented in Fig.6.10, whenever res ticks, c becomes true
and k is increased by 1. If the tick of obstc satisfies the precedence relation, i.e.,
the history of res is greater than or equal to the history of veRun (excludes res and
veRun are coincident), r becomes true and m is be increased by 1. Proof Objective
block checks whether Probabilistic Precedence is satisfied, i.e., the f ail state
is never activated.
Figure 6.10: {obstc DelayFor 500 on ms} ≺p veRun
Similarly, End-to-End timing constraint (R17) specified in Probabilistic Prec-
edence (see Sec.5) can be translated into its corresponding POM. The constraint
R17 can be divided into two sub-properties, R17(1) and R17(2) (see Sec.5). The
corresponding POM of R17(1) and R17(2) are presented in Fig.6.11. For R17(1), a
new clock v (the output of DelayFor subsystem) is generated by using the S/S model
of DelayFor such that the ticks of v is the ticks of signIn delayed for 150 ticks of ms.
To check whether R17(1) is satisfied is to verify whether v always precedes signOut.
For R17(2), a new clock u is constructed by delaying signIn for 250 ticks on ms.
The Obs chart is then utilized to check whether the Probabilistic Precedence
between signOut and u is satisfied.
25
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
(a) {signIn DelayFor 150 on ms} ≺p tqOut
(b) tqOut ≺p {signIn DelayFor 250 on ms}
Figure 6.11: POM of End-to-End timing constraint
26
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
Chapter 7
Modeling of AV System and its Environment
in S/S
We have presented how the EAST-ADL timing constraints, specified in PrCCSL re-
lations and CCSL expressions are converted to POMs. To enable verification of the
timed and stochastic behaviors of AV using SDV, the behaviors of each fp is de-
scribed in S/S. The FASY S, consisting of a set of S/S is considered the entire behavior
model of AV. The top-view architecture of FASY S in S/S is shown in Fig.7.1.
Figure 7.1: Top-view of AV in S/S
Each fp in EAST-ADL model is modeled in a Subsystem with input and out-
put ports for communication with other fps. To describe the stochastic environments
of AV (modeled in the Environment subsystem in Fig.7.1), a pseudo random num-
ber generator, Mersenne Twister [25] implemented in MATLAB script is employed:
1. The traffic signs (6 types) are randomly recognized by AV and the probability
of each sign type occurred is equally set as 16.7%; 2. The probability of AV being
obstructed by any obstacles is set to maximum 5%; 3. Since AV runs under different
road conditions, speed variation influenced by the conditions ranges within [0, 2]
m/s.
27
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
(a) Camera
(b) SignRecognition
Figure 7.2: Simulink model of Camera and SignRecognition
(a) Top-view of Stateflow chart
(b) Internal behaviors of Normal state
Figure 7.3: Stateflow chart of Controller
28
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
The S/S model of Camera and SignRecognition are illustrated in Fig.7.2.(a)
and Fig.7.2.(b) respectively. Since Camera and SignRecognition are triggered to
execute periodically, ExeTime subsystem is utilized to generate a boolean signal
that becomes true periodically that can be the trigger signal of the Camera and
SignRecognition subsystem. In SignRecognition, the computation of traffic
sign type of the detected image is implemented in a Matlab Function block.
As shown in Fig.7.3, a Stateflow chart is employed to model the control logic
of Controller. Fig.7.3.(a) presents the top-view of the Controller, which con-
sists of two parallel states (in “AND” decomposition), Control and Sporadic. If the
vehicle is in the emergency mode because of encounter of obstacles, emg state will
be activated. Otherwise the Normal state will be activated. There are five substates
inside Normal states (see Fig.7.3.(b)), i.e., turnLeft (the vehicle is turning left), turn-
Right (the vehicle is turning right), Stop (the vehicle is braking to stop), dec (the
vehicle is decelerating) and acc (the vehicle is accelerating).
The inner behaviors of VehicleDynamic in S/S is illustrated in Fig.7.4. Vehic-
leDynamic updates the speed and running direction of the vehicle according to the
requests/commands of torque, gear and direction from Controller.
(a) Top view of VehicleDynamic (b) Internal behaviors of Subsystem
Figure 7.4: Simulink model of VehicleDynamic fp
29
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
Chapter 8
Experiments: Verification & Validation
We have formally specified and analyzed over 30 properties (associated with timing
constraints) of the AV system. The properties (given in Sec. 3) are verified using
SDV and the results are listed in Table.8.1. The simulation bound and the proba-
bility threshold are set to 60000 steps and 95% respectively. Maximum 4 properties
per each EAST-ADL timing constraint are verified and all properties are established
as valid. For further details regarding the full POMs and S/S models used in the
experiment, refer to [6].
30
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
Table 8.1: Consolidated Verification Results in SDV
Category R.ID Expression Result Time
(Min)
Mem
(Mb)
CPU
(%)
Periodic
R1 cTrig ≡0.95 {PeriodicOn ms period 50} valid 6.28 2491 24.7
R2 signTrig ≡0.95 {PeriodicOn ms period 200} valid 6.36 3920 24.13
R3 obsDetect ≡0.95 {PeriodicOn ms period 40} valid 6.35 2357 24.7
R4 spU pdate ≡0.95 {PeriodicOn ms period 30} valid 7 2218 24.01
Execution
R5 {imIn DelayFor 100 on ms} 0.95 signOut valid 38.20 4086 24.73
signOut 0.95 {imIn DelayFor 150 on ms} valid 33.96 16225 19.90
R6 {cmrTrig DelayFor 20 on ms} 0.95 cmrOut valid 44:26 14379 18.39
cmrOut 0.95 {cmrTrig DelayFor 30 on ms} valid 51.15 4428.6 24.89
R7 {ctrlIn DelayFor 100 on ms} 0.95 ctrlOut valid 62.83 18306 6.09
ctrlOut 0.95 {ctrlIn DelayFor 150 on ms} valid 63.88 10737 22.04
R8 -{vdIn DelayFor 50 on ms} 0.95 vdOut valid 49.13 17705 6.40
vdOut 0.95 {vdIn DelayFor 100 on ms} valid 34.05 18511 6.02
Sporadic
R9 {obstc DelayFor 500 on ms} ≺0.95 veRun valid 100.5 13961 18.05
R10 {obstc DelayFor 500 on ms} ≺0.95 veAcc valid 120.45 13873 17.99
R11 {obstc DelayFor 500 on ms} ≺0.95 tLe f t valid 106.89 13775 16.94
R12 {obstc DelayFor 500 on ms} ≺0.95 tRight valid 143.26 13775 16.07
Synchronization
R13 supctrlIn 0.95 {in fctrlIn DelayFor 40 on ms} valid 38.95 14135 16.85
R14 supctrlOut 0.95 {in fctrlOut DelayFor 30 on ms} valid 42.6 20616 18.32
R15 supvdIn 0.95 {in fvdIn DelayFor 40 on ms} valid 66.78 2196 23.36
R16 supvdOut 0.95 {in fvdOut DelayFor 40 on ms} valid 34.6 3164 24.07
End-to-End
R17 {signIn DelayFor 150 on ms} ≺0.95 tqOut valid 35.95 6307 24.31
tqOut ≺0.95 {signIn DelayFor 250 on ms} valid 24.95 3989 24.07
R18 {cmrTrig DelayFor 120 on ms} ≺0.95 signOut valid 33.96 6309 24.49
signOut ≺0.95 {cmrTrig DelayFor 180 on ms} valid 43.02 6308 24.29
R19 {cmrTrig DelayFor 270 on ms} ≺0.95 spOut valid 132.4 16287 9.53
spOut ≺0.95 {cmrTrig DelayFor 430 on ms} valid 163.8 16090 24.53
R20 startTurnLe f t ≺0.95 {DetectLe f tSign DelayFor 500
on ms}
valid 63.2 13052 12.74
R21 startTurnRight ≺0.95 {DetectRightSign DelayFor
500 on ms}
valid 76.5 15132 10.46
R22 startBrake ≺0.95 {DetectStopSign DelayFor 500 on
ms}
valid 69 15293 9.38
R23 Stop ≺0.95 {DetectStopSign DelayFor 3000 on ms} valid 95.7 15396 9.38
Comparison
R24 {signIn DelayFor 250 on ms} 0.95
{signIn DelayFor (Wctrl + Wvd) on ms}
valid 17.88 6309 24.61
R25 {cmrTrig DelayFor 180 on ms} 0.95
{cmrTrig DelayFor (Wcmr + Wsr) on ms}
valid 60.15 6410 24.43
R26 {cmrTrig DelayFor 430 on ms} 0.95
{cmrTrig DelayFor (Wcmr + Wsr + Wctrl + Wvd)
on ms}
valid 43.33 17370 14.15
Exclusion
R27 turnLe f t #0.95 rightOn valid 387.76 20987 8.25
R28 veAcc #0.95 veBrake valid 360.15 21168 18.15
R29 emgcy #0.95 turnLe f t valid 233.6 22861 11.98
R30 emgcy #0.95 turnRight valid 498.51 23245 9.97
R31 emgcy #0.95 veAcc valid 260.96 22257 8.85
31
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
Chapter 9
Related work
Considerable research efforts have been devoted to formal analysis of CPS by ap-
plying SDV [12,14], which are however, limited to the functional properties without
consideration of non-functional properties, i.e., timing constraints. In the context
of EAST-ADL, efforts on the integration of EAST-ADL and formal techniques based
on timing constraints were investigated in several works [13, 16, 22, 28], which are
however, restricted to the executional aspects of system functions without address-
ing stochastic behaviors. Kang [21] and Suryadevara [31, 32] defined the execution
semantics of both the controller and the environment of industrial systems in CCSL
which are given as mapping to UPPAAL models amenable to model checking. In
contrast to our current work, those approaches lack precise probabilistic annotations
specifying stochastic properties. Zhang [33] transformed CCSL into first order log-
ics that are verifiable using SMT solver. However, this work is limited to functional
properties, and no timing constraints are addressed. Though, Kang et al. [15, 18]
and Marinescu et al. [24] presented both simulation and model checking approaches
of SIMULINK and UPPAAL-SMC on EAST-ADL models, neither formal specifica-
tion nor verification of extended EAST-ADL timing constraints with probability were
conducted. Our approach is a first application on the integration of EAST-ADL and
formal V&V techniques based on probabilistic extension of EAST-ADL/TADL con-
straints using SDV. An earlier study [17,19,20] defined a probabilistic extension of
EAST-ADL timing constraints and presented model checking approaches on EAST-
ADL models, which inspires our current work. Specifically, the techniques provided
in this paper define new operators of CCSL with stochastic extensions (PrCCSL) and
formally verify the extended EAST-ADL timing constraints of CPS. Du. et al. [10]
proposed the use of CCSL with probabilistic logical clocks to enable stochastic anal-
ysis of hybrid systems by limiting the possible solutions of clock ticks. Whereas, our
work is based on the probabilistic extension of EAST-ADL timing constraints with
the focus on probabilistic verification of the extended constraints, particularly, in the
context of WH.
32
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
Chapter 10
Conclusion
We present an approach to perform probabilistic analysis of EAST-ADL timing con-
straints in automotive systems at the early design phase: 1. Probabilistic extension of
CCSL, called PrCCSL, is defined and the EAST-ADL/TADL timing constraints with
stochastic properties are specified in PrCCSL; 2. The semantics of the extended con-
straints in PrCCSL, captured in SIMULINK/STATEFLOW, is translated into verifiable
POMs for formal verification; 3. A set of mapping rules is proposed to facilitate
guarantee of translation. Our approach is demonstrated on an autonomous traffic
sign recognition vehicle (AV) case study. Although, we have shown that defining
and translating a subset of CCSL with probabilistic extension into POMs is suffi-
cient to verify EAST-ADL timing constraints, as ongoing work, advanced techniques
covering a full set of CCSL constraints are further studied. Despite the fact that SDV
supports probabilistic analysis of the timing constraints of AV, the computational
cost of verification in terms of time is rather expensive. Thus, we continuously
investigate complexity-reducing design/mapping patterns for CPS to improve effec-
tiveness and scalability of system design and verification.
33
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
Acknowledgment
This work is supported by the National Natural Science Foundation of China and In-
ternational Cooperation & Exchange Program (46000-41030005) within the project
EASY.
34
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
References
[1] Automotive open system architecture. https://www.autosar.org/
[2] Simulink Design Verifier. https://www.mathworks.com/help/sldv
[3] IEC 61508: Functional safety of electrical electronic programmable electronic
safety related systems. International Organization for Standardization, Geneva
(2010)
[4] ISO 26262-6: Road vehicles functional safety part 6. Product development
at the software level. International Organization for Standardization, Geneva
(2011)
[5] MAENAD. http://www.maenad.eu/ (2011)
[6] Simulink library of PrCCSL. https://github.com/huangl223/PrCCSL
[7] Andre´, C.: Syntax and semantics of the clock constraint specification language
(CCSL). Ph.D. thesis, INRIA (2009)
[8] Bernat, G., Burns, A., Llamosi, A.: Weakly hard real-time systems. Transac-
tions on Computers 50(4), 308 – 321 (2001)
[9] Blom, H., Feng, L., Lo¨nn, H., Nordlander, J., Kuntz, S., Lisper, B., Quinton, S.,
Hanke, M., Peraldi-Frati, M.A., Goknil, A., Deantoni, J., Defo, G.B., Klobe-
danz, K., O¨zhan, M., Honcharova, O.: TIMMO-2-USE Timing Model, Tools,
Algorithms, Languages, Methodology, Use Cases. Tech. rep., TIMMO-2-USE
(2012)
[10] Du, D., Huang, P., Jiang, K., Mallet, F., Yang, M.: MARTE/pCCSL: Modeling
and refining stochastic behaviors of CPSs with probabilistic logical clocks. In:
FACS. LNCS, pp. 111 – 133. Springer (2016)
[11] EAST-ADL: EAST-ADL specification v2.1.9. Tech. rep., MAENAD
(2011), https://www.maenad.eu/public/EAST-ADL-Specification_M2.
1.9.1.pdf
[12] Gholami, M.R.: Verifying Timed LTL Properties Using Simulink Design Veri-
fier. Ph.D. thesis, E´cole Polytechnique de Montre´al (2016)
35
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
[13] Goknil, A., Suryadevara, J., Peraldi-Frati, M.A., Mallet, F.: Analysis support
for TADL2 timing constraints on EAST-ADL models. In: ECSA. LNCS, pp.
89 – 105. Springer (2013)
[14] J-F. Etienne, S. Fechter, E.J.: Using Simulink Design Verifier for proving be-
havioral properties on a complex safety critical system in the ground transporta-
tion domain. Science of Computer Programming 77(10), 1151 – 1177 (2010)
[15] Kang, E.Y., Chen, J., Ke, L., Chen, S.: Statistical analysis of energy-aware
real-time automotive systems in EAST-ADL/Stateflow. In: ICIEA. pp. 1328 –
1333. IEEE (2016)
[16] Kang, E.Y., Enois, E.P., Marinescu, R., Seceleanu, C., Schobbens, P.Y., Pet-
tersson, P.: A methodology for formal analysis and verification of EAST-ADL
models. Reliability Engineering and System Safety, pp. 127 – 138 (2013)
[17] Kang, E.Y., Huang, L., Mu, D.: Formal verification of energy and timed re-
quirements for a cooperative automotive system. In: SAC. pp. 1492 – 1499.
ACM (2018)
[18] Kang, E.Y., Ke, L., Hua, M.Z., Wang, Y.X.: Verifying automotive systems in
EAST-ADL/Stateflow using UPPAAL. In: APSEC. pp. 143 – 150. IEEE (2015)
[19] Kang, E.Y., Mu, D., Huang, L., Lan, Q.: Model-based analysis of timing and
energy constraints in an autonomous vehicle system. In: QRS. pp. 525 – 532.
IEEE (2017)
[20] Kang, E.Y., Mu, D., Huang, L., Lan, Q.: Verification and validation of a cyber-
physical system in the automotive domain. In: QRS. pp. 326 – 333. IEEE
(2017)
[21] Kang, E.Y., Schobbens, P.Y.: Schedulability analysis support for automotive
systems: from requirement to implementation. In: SAC. pp. 1080 – 1085. ACM
(2014)
[22] Kang, E.Y., Schobbens, P.Y., Pettersson, P.: Verifying functional behaviors of
automotive products in EAST-ADL2 using UPPAAL-PORT. In: SAFECOMP.
LNCS, pp. 243 – 256. Springer (2011)
[23] Mallet, F., De Simone, R.: Correctness issues on MARTE/CCSL constraints.
Science of Computer Programming 106, 78 – 92 (2015)
[24] Marinescu, R., Kaijser, H., Mikucˇionis, M., Seceleanu, C., Lo¨nn, H., David, A.:
Analyzing industrial architectural models by simulation and model-checking.
In: FTSCS. LNCS, pp. 189 – 205. Springer (2014)
36
Formal Specification & Analysis of Autonomous Systems in PrCCSL/Simulink Design Verifier
[25] Matsumoto, M., Nishimura, T.: Mersenne Twister: a 623-dimensionally
equidistributed uniform pseudo-random number generator. TOMACS 8(1), 3–
30 (1998)
[26] Nicolau, G.B.: Specification and analysis of weakly hard real-time systems.
Transactions on Computers, pp. 308 – 321 (1988)
[27] Object Management Group: UML profile for MARTE: Modeling and analysis
of real-time embedded systems. Tech. rep. (2011)
[28] Qureshi, T.N., Chen, D.J., Persson, M., To¨rngren, M.: Towards the integration
of UPPAAL for formal verification of EAST-ADL timing constraint specifica-
tion. In: TiMoBD workshop (2011)
[29] Reijsbergen, D., Boer, P.T.D., Scheinhardt, W., Haverkort, B.: On hypothesis
testing for statistical model checking. STTT 17(4), 377–395 (2015)
[30] Simulink and Stateflow. https://www.mathworks.com/products.html
[31] Suryadevara, J.: Validating EAST-ADL timing constraints using UPPAAL. In:
SEAA. pp. 268 – 275. IEEE (2013)
[32] Suryadevara, J., Seceleanu, C., Mallet, F., Pettersson, P.: Verifying
MARTE/CCSL model behaviors using UPPAAL. In: SEFM. LNCS, pp. 1 –
15. Springer (2013)
[33] Zhang, M., Ying, Y.: Towards SMT-based LTL model checking of clock con-
straint specification language for real-time and embedded systems. ACM SIG-
PLAN Notices 52(4), 61 – 70 (2017)
37
