Towards Readability Aspects of Probabilistic Mode Automata
Heinz Schmidt, Maria Spichkova
School of Science, RMIT University
Melbourne, Australia
{heinz.schmidt, maria.spichkova}@rmit.edu.au
Keywords: Software Engineering, Formal methods, Petri Nets
Abstract: This paper presents a new approach and design model targeting hybrid designer- and operator-defined performance budgets for timing and energy consumption. The approach is based on the Petri Nets formalism. As the cognitive load is typically high while using formal methods, this increases the chances of mistakes. Our approach is focused on the readability aspects and aims to decrease the cognitive load of developers. We illustrate the proposed approach using the example of a sample embedded multi-media system, a modern digital camera.
Preprint. Accepted to the 14th International Conference on Evaluation of Novel Approaches to Software Engineering (ENASE 2019). Final version published by SciTePress.
1 INTRODUCTION
In the domain of embedded systems, the trend to enhance more and more system functionalities through software solutions is constantly increasing. This makes the design of these systems and the corresponding quality assurance more and more challenging [35]. Real-time and dependability constraints provide additional challenges, which also lead to the necessity of probabilistic analysis within the phases of design and verification of these systems. Also, some constraints within embedded systems are mutually dependent; for example, timing and energy consumption constraints cannot be analysed independently of each other, see [31, 36, 47].
One of the successfully applied paradigms is Component-based software development, which was initially introduced many decades ago (CBSD, see [2, 14]). However, CBSD cannot directly solve issues related to the constraints on safety, timing, energy consumption, etc. [22, 41], but can provide a solid basis for extended approaches.
In recent work [32] we have extended our rich architecture definition language (RADL, see [37]) and underlying theory [38] to meet such industrial requirements, aiming at a scalable and compositional (component-based) approach to soft dependability guarantees: with probability, guarantee risk, execution time, cost etc. Industrial practice requires the capability to compose a variety of heterogeneous models and components, specified and designed using different methods and frameworks. Many real-world engineering environments are not locked into a single model, single framework or single-language environment. While we abstract from the programming languages underlying such a heterogeneous software engineering approach, we hope to show that, and how, our design-oriented model-based approach links with concrete programming by means of elementary modelling blocks providing abstractions directly for code blocks. This is natural and perhaps more appropriate in the design of embedded systems than in other fields, as component models in this context often use architectural elements to abstract from software and hardware blocks at the same time. However, we expect that this approach carries across to other domains.
In our current work, we are targeting hybrid designer- and operator-defined performance budgets for timing and energy consumption. We propose an approach that is based on the Petri Nets formalism. Our approach is focused on the readability aspects and aims to decrease the cognitive load of developers, as a high cognitive load increases the chances of mistakes in the system design and quality assurance process. We also aim to keep the method lightweight, following the classification presented in [49].
To illustrate the proposed approach, we use an example of a sample embedded multi-media system, a modern digital camera. This allows us to demonstrate how the time (and the ensuing synchronisation) and energy constraints can be analysed taking into account their mutual dependencies. We propose that extra-functional properties have to be considered from early performance requirement specification through to model-based testing and run-time verification. Besides the compositional approach to reasoning about and testing such properties in a hybrid modelling environment, our contribution is in the separation of concerns of different aspects of modelling and in context-dependent methods of reasoning about such properties. Notably we have developed methods which allow automated contextual resource allocation strategies, under dynamically varying, and suitably parameterised, architectural configurations.
arXiv:1910.05003v1 [cs.SE] 11 Oct 2019
2 EXAMPLE: DIGITAL CAMERA
Consider the design of a modern digital camera
from the perspective of different types of use:
Scenario 1: A busy professional sports photogra-
pher requires the ability to capture many hundreds or
thousands of high quality images rapidly, with mini-
mal shutter lag, in rapid bursts of up to 100 photos.
Within the given price point afforded by budget, she
is prepared to sacrifice “convenience” features, ac-
cepting shorter battery life and fewer shots per mem-
ory card while carrying extra battery packs, memory
cards or even a laptop for frequent uploads, as well as
extra lenses, and manage reconfiguration as needed.
Scenario 2: One weekend a family member is get-
ting married, and as the de facto camera expert she
has agreed to act as a semi-official or backup pho-
tographer for the wedding. In this capacity she aims
for simplicity and convenience, so she can still en-
joy the day and mingle without being conspicuous or
weighed down by equipment. The couple insist they
prefer photos in a standard compressed consumer for-
mat (JPEG), which at least eliminates extra effort later
at her workstation, and maximises memory card ca-
pacity. She selects what she can carry easily—a sin-
gle camera body and lens and perhaps a single addi-
tional memory card, but no extra battery pack. She is
unwilling to spend anything like her usual time and
effort on camera configuration, instead often (perhaps
not always) relying on the camera to automatically select
exposure, focus and aperture. Occasionally, for par-
ticularly important shots she takes full control again.
In this second case, battery life is paramount.
The specific challenge is to design a camera which
is capable of flexible reconfiguration to suit multiple
contexts, including for example these. The generic
challenge is to:
(i) Characterise context in terms of user con-
figuration choices, usage (e.g. selected
modes/operations/functions) and user-visible
desired properties.
(ii) Reason in a context-sensitive way about system
properties and manage internal configuration to
ensure consistency between configuration/profiles
and desired properties. For example, to make the
camera battery last longer, the camera must some-
how sacrifice quality and/or performance in an ac-
ceptable way.
However the true usage context is often hard to pre-
dict. What exactly are the user’s requirements and
intentions? Even the user may not know exactly what
she intends beyond the immediate moment. Con-
textual uncertainty extends to environmental condi-
tions, which may have a non-trivial impact on perfor-
mance. For example ambient temperature may affect
performance (e.g., energy consumption) of key cam-
era components significantly, including batteries [33],
sensors and actuators such as lenses. This has impli-
cations for the design not only of embedded systems,
but also at a macroscopic level. Thus, large-scale
computing centres have significant inter-dependency
on their local environment; such facilities are already
planned with environmental conditions such as tem-
perature in mind to be able to maximise performance
and performance per cost while minimising cooling
and energy consumption.
We extend the camera design presented by
Lee [27]. In our example, the camera has the follow-
ing logical components:
• a general purpose processor (GPP),
• a digital signal processor (DSP),
• actuators to control, e.g., mirror and shutter cur-
tain, lens focus and aperture,
• sensors, e.g., for auto-focus,
• a buffer to store images temporarily, and
• a flash memory as a long-term storage medium.
To keep the example small enough for a conference
paper, we abstract from other typical functions such
as USB driver for photo download, LCD user inter-
face, camera flashbulb, and various advanced settings.
In high performance scenarios a dedicated GPP-
flash memory link is possible. We focus on the in-
terplay of functionality relevant for taking a range of
different shots involving real-time physical control, as
well as selecting tradeoffs between timing and energy
consumption.
As presented in Figure 1, the system has three
modes, each with different resource requirements:
• IDLE mode covers waiting for shutter half/full
press and pre-focusing.
• In single frame (SF) mode, the camera returns to
the idle mode after shooting is completed, while
• in multi frame (MF) mode, shooting is contin-
ued as long as the shutter release button is kept
pressed.
MF contains two sub-modes, high-speed (HS) and
low-speed (LS). MF starts with HS and switches to
LS if/when the image buffer gets full, where shooting
of the subsequent frame is delayed until enough space
is freed in the buffer by writing to the flash memory.
With these mode abstractions in mind, from a design
perspective it is expected that refinements to compo-
nents used in these modes may enable new features
(for example smart/continuous save in HS at a perfor-
mance penalty).
Figure 1: Digital Camera: Modes
Furthermore, in each mode the user can select lens
focusing and exposure metering to be performed au-
tomatically or manually, i.e. each mode has four sub-
modes. More precisely, in the case of multi frame
shooting, each of the MF submodes, HS and LS, has
four further submodes:
• FE: automatic operations are fully enabled: both
autofocus AF and automatic exposure AE are en-
abled;
• F: only the autofocus AF operation is enabled;
• E: only the automatic exposure AE operation is
enabled;
• 0: neither autofocus AF nor automatic exposure
AE is enabled.
In the IDLE mode the user may perform AF, AE or
both, while composing a picture. During this time
DSP cannot be activated and AF and AE operations
are performed on GPP to reduce energy consumption.
When the user presses the shutter release button, first,
AF and AE operations that are being executed are
completed, then the idle mode is terminated and the
system switches to SF or MF depending on the user
selection.
Another way to represent system modes (which can be related to the same submodes hierarchy as introduced in Figure 2) is to work in parallel with mode variables, because the choice to activate AF and AE operations is highly independent of whether the camera is in the IDLE, SF or one of the multi frame modes. Let us call them CameraMode and AutoMode, defined over the enumeration types
{IDLE, SF, HS, LS}
and
{FE, F, E, 0}
respectively. We can also see this as a feature composition/interaction, see e.g., [12, 4, 10]. Thus, one feature is responsible for the choice of the current value of CameraMode and for the processes in the corresponding mode, whereas the second feature solely deals with the AF and AE operations.
Figure 2: Digital Camera: Submodes Hierarchy
Figure 3: Digital Camera: Parallel Model for the Submodes
Hierarchy
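An added example (not code from the paper) that builds CameraMode and AutoMode as two separate automata and flattens them, to compare the parallel model with the submode hierarchy. The event names (press_single, press_multi, shot_done, buffer_full, release, toggle_AF, toggle_AE) and the return to IDLE on release are assumptions; the composition rule (shared events synchronise, local events interleave) is the lock-step product mentioned in the Related Work section, used here as an assumption.

```python
from collections import deque
from itertools import product

# Enumeration types from the text.
CAMERA_MODES = ("IDLE", "SF", "HS", "LS")
AUTO_MODES = ("FE", "F", "E", "0")

# Feature 1: CameraMode. Event names are assumptions made for this example.
CAMERA_DELTA = {
    ("IDLE", "press_single"): "SF",   # user selected single frame
    ("IDLE", "press_multi"): "HS",    # MF always starts in HS
    ("SF", "shot_done"): "IDLE",      # SF returns to IDLE after shooting
    ("HS", "buffer_full"): "LS",      # HS -> LS when the image buffer is full
    ("HS", "release"): "IDLE",        # assumption: release ends MF shooting
    ("LS", "release"): "IDLE",        # assumption: release ends MF shooting
}

# Feature 2: AutoMode, described by the automatic operations it enables.
AUTO_OPS = {
    "FE": frozenset({"AF", "AE"}),
    "F": frozenset({"AF"}),
    "E": frozenset({"AE"}),
    "0": frozenset(),
}


def build_auto_delta():
    """Toggling AF or AE (assumed events) moves between the four submodes."""
    by_ops = {ops: mode for mode, ops in AUTO_OPS.items()}
    delta = {}
    for mode, ops in AUTO_OPS.items():
        for op in ("AF", "AE"):
            delta[(mode, "toggle_" + op)] = by_ops[ops ^ {op}]
    return delta


AUTO_DELTA = build_auto_delta()


def alphabet(delta):
    return {event for (_, event) in delta}


def states(delta):
    return {src for (src, _) in delta} | set(delta.values())


def parallel_product(delta_a, delta_b):
    """Flatten two automata: shared events synchronise, local ones interleave."""
    shared = alphabet(delta_a) & alphabet(delta_b)
    flat = {}
    for a, b in product(states(delta_a), states(delta_b)):
        for event in alphabet(delta_a) | alphabet(delta_b):
            next_a = delta_a.get((a, event))
            next_b = delta_b.get((b, event))
            if event in shared:
                if next_a is not None and next_b is not None:
                    flat[((a, b), event)] = (next_a, next_b)
            elif next_a is not None:
                flat[((a, b), event)] = (next_a, b)
            elif next_b is not None:
                flat[((a, b), event)] = (a, next_b)
    return flat


FLAT_DELTA = parallel_product(CAMERA_DELTA, AUTO_DELTA)


def reachable(delta, start):
    """Breadth-first search over the transition relation."""
    seen, queue = {start}, deque([start])
    while queue:
        state = queue.popleft()
        for (src, _), dst in delta.items():
            if src == state and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def run(events, start=("IDLE", "FE")):
    """Execute an event trace on the flattened model; reject disabled events."""
    state = start
    for event in events:
        if (state, event) not in FLAT_DELTA:
            raise ValueError(f"event {event!r} is not enabled in {state}")
        state = FLAT_DELTA[(state, event)]
    return state


def model_sizes():
    """(states, transitions) of the parallel model and of the flattened one."""
    parallel = (len(states(CAMERA_DELTA)) + len(states(AUTO_DELTA)),
                len(CAMERA_DELTA) + len(AUTO_DELTA))
    flat = (len(states(FLAT_DELTA)), len(FLAT_DELTA))
    return parallel, flat


if __name__ == "__main__":
    print("parallel vs flattened (states, transitions):", model_sizes())
    print("reachable combined submodes:",
          len(reachable(FLAT_DELTA, ("IDLE", "FE"))))
    print("trace ends in:", run(["toggle_AE", "press_multi", "buffer_full"]))
```

With these assumed transitions, the two mode variables need 8 states and 14 transitions to draw, while the flattened hierarchy needs 16 states and 56 transitions for the same behaviour.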
Table 1 lists some of the relevant software com-
ponents, their descriptions and their implementa-
tion platform (GPP/DSP). Some components are im-
plemented in both processors to allow dynamic re-
configuration of the system in order to provide opti-
mal resource usage. Within these constraints, a key
challenge is allocating computing resources for the
software elements to best suit partly predictable us-
age conditions. The DSP is especially suited to im-
age processing operations, yet the DSP has signifi-
cant energy overheads. We characterise the main de-
sign problems for the camera as follows. (i) Given an
overall objective (e.g. minimise time consumption),
satisfy that objective at run time. (ii) Given a usage
profile, minimise energy and time consumption at run
time.
       Description                                                   GPP  DSP
Operations
AF     AutoFocus: Automatic lens focusing                             X    X
AE     Automatic Exposure metering                                    X    X
IP     Image Processing on local buffer, red-eye reduction, etc.      -    X
IB     Image Buffering: Transfer image from sensor to local buffer    -    X
IS     Image Storage: Transfer images from buffer to flash card       X    -
AS     Activate Shutter etc. (e.g. aperture adjust)                   X    X
BC     Buffer check: Check if buffer is full                          -    X
Modes
IDLE   Idle mode                                                      -    X
SF     Single-Frame shutter                                           X    X
MF     Multi-Frame shutter                                            X    X
Submodes
FE     AF and AE enabled                                              X    X
F      AF only enabled                                                X    X
E      AE only enabled                                                X    X
0      AF&AE disabled                                                 X    X
Table 1: Software Components
3 PROPOSED VISUALISATION APPROACH
One of the problems of using formal representations is that often only two factors are considered important: the method must be sound, and it must give a representation that is concise and beautiful from the mathematical point of view, without taking into account any question of readability, usability, etc. However, even small syntactical changes to a method can make it more understandable and usable for engineers [15, 16, 25, 40]. Figure 4 presents an example of a Petri net specifying HS mode details for the digital camera, which provides a typical representation of a coloured Petri net. Within our approach, we propose the following enhancements. To make the representation more readable, first of all we should take into account the human factor. Thus, if a path (in this case a colour-marked path, green or red) starts on the left/right of the net, we should proceed to draw it on the same side if possible and avoid crossing the paths without any important reason.
Thus, in Figure 4 two paths are switched after the operation do AS, which can confuse some readers. Then, we can try to find a solution to avoid a lot of crossing arrows having different meanings: the blue and maroon arrows indicate synchronisation of the counters, and we can replace them by visual grouping of operations on the same counter. As a result we obtain an optimised coloured Petri net presented in Figure 5, which is semantically equivalent to the representation in Figure 4. This optimisation increases ease of use by human readers (designers, testers etc.) without decreasing simplicity for machine readability and semi-automated support or expressiveness/power (for the domain or domains of choice).
Figure 4: HS mode details presented as a coloured Petri net
Usability derives from the following aspects:
• Lowering the barrier between the simplified and expressive language for the machine support and that of the domain languages of the user(s) and associated with the purpose, e.g., by using controlled natural languages that try to avoid the disadvantages of both natural and formal languages, being a subset of a natural language with a well-defined syntax and semantics, see [26, 17, 28].
• Applying an appropriate automatisation of a number of steps within the modelling and verification process: this not only saves human time and allows results to be obtained much faster than humans can produce them manually, but also (partially) excludes the human element as the most “unreliable in failure”, see [34, 42]. For example, a formal specification can be generated from the corresponding CASE tool representation, which can be edited in a more readable way also using predefined templates, see [43, 46].
• Supporting directly common and standard abstractions that are well-established (and hence part of the software engineering training), e.g. Message Sequence Charts [18, 19], or defined in standards (such as UML, IEC-61131, etc.);
• Unification of the representation of any information we are dealing with (see, e.g., [40]);
Figure 5: HS mode details: Another Visualisation (net labels: do AS, ref AUTO, do IB, do IP, do IS; counter operations: Shoot.inc(1), Shoot.eq, Shoot.lb, BF.inc(1), BF.eq, BF.lb)
• Easing the use of novel compositional principles
and high-level tools, that are opening novel and
powerful methods to users of formal specification
or specification-based/model-driven methods.
Having a representation like the one presented in Figure 5, we can easily transform a Petri net to a hierarchical MSC. In case a component-based specification of the system is needed in addition to the process representation, an MSC can be schematically translated to the corresponding formal specification as shown in [41, 39]. Let us also briefly discuss the translation/representation of the following modelling artefacts: (global) parameters, local, time and counter variables.
Local variable use can be translated into state and transition label expansions for NF purposes [24], but can also be intuitively understood in data types and data structures that capture state. However, for the Petri net normal form used in our approach and for compositionality considerations, restrictions need to be designed along with such capabilities to limit the scopes of these variables appropriately, viz. to FSM components of nets, in terms of their use in guards and assignments associated with transitions and states.
Global parameter use is of a similar nature with respect to normalisation but needs to be limited to achieve compositionality. For example, we could say the global parameters may occur locally in guards (i.e., they are read-only) as well as in initialisation expressions (for the initial states when FSM objects are created) or with re-assignments limited to higher-level FSMs (such as mode automata) when submodes are entered and before these branch out into rational parallel processes. Another common example is the use of iterator and bounded loop process constructs that have a very structured use of local counter variables, which never serve synchronisation but provide a reasoning tool for local termination and performance approximation, based on an interplay of local (loop) invariants and loop control variables, which implies strict monotonicity and boundedness.
Time variables (clocks) are a further example and in some sense a special case of counter control above – in the sense that all practical approaches to timed automata and synchronous time models discretise an infinite number of real-time points into real-time intervals with integer bounds and then solve a linear convex hull problem to determine feasibility and/or optimal schedules that meet time constraints. There is also a significant difference here, which needs to be considered, relative to counters. In general, counter processes can be explained as a macro structure based on sequence and choice, and hence are lower-level automata (or process expressions) themselves; they do not add 'new' semantics but can be explained in terms of existing semantics. For example, if we are in rational parallel processes, they are just a syntactic sugar extension that does not take us out of this class. Likewise with other classes of processes (such as pushdown automata). In contrast, timed extensions are true semantic extensions, in that they define a different class of behaviours and automata, because they define what the legitimate processes (occurrence nets) are that are traces of the given language (net system or process expression).
4 RELATED WORK
Component-based software engineering utilises a well-defined composition theory to enable the prediction of such properties as performance and reliability. This is one of the largest fields of software and system engineering; there are many approaches to component-based design (CBD) covering different aspects and focusing on requirements, quality, timing properties etc. (see e.g., [1, 10, 9, 11]). Several component-based prediction approaches, e.g. Palladio [23, 30, 6], CB-SPE [7], ROBOCOP [8] (see also a survey in [5]) derive the benefits of reusing well-documented component specifications. In our approach we focus on the questions of resource-awareness and adaptivity of systems as well as on the readability aspects of the formalism.
Mode automata have a long history motivated by real-time design practices and methods used in industry in connection with statecharts. Maraninchi et al. [29] capture the notion of modes formally for a practical extension of the real-time synchronous language Lustre and include elements of the well-known I/O-automata. Mode automata define synchronous mode automata as a hybrid between data-flow and transition systems. Talpin et al. [44] extend this work to so-called polychronous mode automata to work with the multi-clock data-flow formalism SIGNAL. Both these types of automata are non-deterministic and do not deal with probabilities. The (bisimulation) equivalence and therefore compositional reasoning for mode automata is undecidable. However, Maraninchi et al. introduce a synchronised (lock-step) parallel product for modes in which shared symbols (intersection of alphabets nonempty) are synchronised while local symbols (the symmetric difference of the alphabets) are independent. While the modes of a single automaton are mutually exclusive in their approach, and the behaviour of these mode automata is fully abstract w.r.t. probabilistic testing, the automata product suffers from combinatorial explosion (state space explosion), due to the aim of allowing arbitrary shared variables and interference of parallel processes.
Cheung et al. [13] describe an architecture-level method, SHARP, for predicting reliability (and timing) of concurrent systems. Whereas SHARP is specifically designed for reliability and timing prediction, our method is intended to be generic, thus also catering, e.g., for energy consumption. SHARP models involve scenarios which are either basic (similar to message sequence charts) or hierarchical, involving sequential, conditional or concurrent composition. SHARP supports concurrent composition of finite numbers of instances of a particular scenario, corresponding to symmetrically replicated components. SHARP derives completion time and reliability predictions from scenarios for use at higher levels of abstraction. For each basic scenario, SHARP requires transition rates for all individual actions, then calculates a single continuous-time Markov model from which completion time and reliability are derived. For a hierarchical scenario a system level CTMC is constructed using abstraction techniques such as queuing networks and abstraction of sequential components into single global states. In contrast, our approach requires probabilities/rates at the system level only. Our approach seeks to avoid or defer calculation of monolithic models.
Our cost estimation is inspired by Valiant’s bulk
synchronous-parallel model [45] of parallel comput-
ing where global strong synchronisation conserva-
tively approximates systems which may in reality use
more fine grained synchronisation and indeed may al-
low for more asynchrony than the above approxima-
tion would suggest. In performance benchmarks re-
ported in [48], Yusuf et al. demonstrated that such
conservative predictions may still be accurate enough
if there is enough WCET variation and a large enough
number of activities/tasks scheduled on individual
processing elements. Thus adjacent modes may be
assumed to be strongly separated in the global model
while in fact such modes are partially interleaved with
respect to each other (subject to restrictions on repetition
such as boundedness for message sequence graphs as
described by Alur [3] and star-connectivity in trace
languages). For conservative cost estimation purposes
this seems reasonable. We expect that (with diminish-
ing returns) such models can be refined selectively,
to bound costs of adjacent sequences of overlapping
modes, in a context-dependent way.
An interesting approach to the integration of synchronous and asynchronous communication was presented by Hennicker et al. [20, 21]. In this approach, I/O-transition systems were used as the formal background for modelling of system behaviour. As a result, a refinement relation was defined, which is compositional w.r.t. synchronous and asynchronous connections of components and which preserves connection-safety. Next, existing interface theories for modal I/O-transition systems were extended to support assemblies, (grey-box) assembly refinement and assembly encapsulation, also showing that communication-safety is preserved by assembly refinement, that black-box refinement of component interfaces is compositional w.r.t. grey-box refinement of assemblies and, conversely, that assembly encapsulation maps grey-box to black-box refinement.
5 CONCLUSIONS
In this paper, we proposed a Petri-Nets-based
approach targeting hybrid designer- and operator-
defined performance budgets for timing and energy
consumption. The core focus of this approach is on
decreasing the cognitive load of the designers to de-
crease the chances of design mistakes. To achieve bet-
ter readability, we extended the coloured Petri Nets
formalism. To illustrate the proposed solution, we
presented an example of a sample embedded multi-
media system, a modern digital camera.
Future work: We are going to integrate the pre-
sented approach with the results of our prior work, a
probabilistic global behaviour analysis approach de-
veloped for reliability and fault-tolerance studies (in-
cluding fault injection) and a parallelism/concurrency
focused framework centred on partially ordered
traces, Petri nets and timing/energy costs.
REFERENCES
[1] A. Cechich, M. Piattini, and A. Vallecillo, editors. Component-Based Software Quality: Methods and Techniques, volume 2693 of LNCS. Springer, 2003.
[2] R. Adler. Emerging standards for component
software. IEEE Computer, 28(3):68 –77, March
1995.
[3] R. Alur and M. Yannakakis. Model checking of
message sequence charts. In J. C. M. Baeten and
S. Mauw, editors, CONCUR’99, volume 1664 of
LNCS, pages 114–129. Springer, 1999.
[4] S. Apel, C. Lengauer, B. Möller, and C. Kästner.
An algebraic foundation for automatic feature-
based program synthesis. Science of Computer
Programming, 75(11):1022 – 1047, 2010. Spe-
cial Section on the Programming Languages
Track at the 23rd ACM Symposium on Applied
Computing.
[5] S. Becker, L. Grunske, R. Mirandola, and
S. Overhage. Performance prediction of
component-based systems: A survey from an
engineering perspective. In Architecting Sys-
tems with Trustworthy Components, volume
3938 of LNCS, pages 169–192. Springer, 2006.
[6] S. Becker, H. Koziolek, and R. Reussner.
Model-based performance prediction with the
palladio component model. In 6th international
workshop on Software and performance, pages
54–65. ACM, 2007.
[7] A. Bertolino and R. Mirandola. Cb-spe
tool: Putting component-based performance
engineering into practice. In I. Crnkovic,
J. Stafford, H. Schmidt, and K. Wallnau, editors,
Component-Based Software Engineering, vol-
ume 3054 of LNCS, pages 233–248. Springer,
2004.
[8] E. Bondarev, P. de With, and M. Chaudron. Pre-
dicting real-time properties of component-based
applications. In Proc. of the 30th EUROMICRO conference, pages 40–47, 2004.
[9] M. Broy. A logical basis for component-based
systems engineering. In Calculational System
Design. IOS Press, 1999.
[10] M. Broy. Multifunctional software systems:
Structured modeling and specification of func-
tional requirements. Sci. Comput. Program.,
75(12):1193–1214, 2010.
[11] M. Broy, J. Fox, F. Hölzl, D. Koss, M. Kuhrmann, M. Meisinger, B. Penzenstadler, S. Rittmann, B. Schätz, M. Spichkova,
and D. Wild. Service-Oriented Modeling
of CoCoME with Focus and AutoFocus. In
The Common Component Modeling Example:
Comparing Software Component Models, pages
177–206. Springer, 2008.
[12] M. Calder and E. Magill, editors. Feature In-
teractions in Telecommunications and Software
Systems. IOS Press, 2000.
[13] L. Cheung, I. Krka, L. Golubchik, and
N. Medvidovic. Architecture-level reliability
prediction of concurrent systems. In ICPE’12.
ACM, April 2012.
[14] P. C. Clements. From subroutines to subsys-
tems: Component-based software development.
The American Programmer, 8(11), November
1995.
[15] L. L. Constantine. Canonical abstract proto-
types for abstract visual and interaction design.
In J. A. Jorge, N. Jardim Nunes, and J. Falcão e Cunha, editors, Interactive Systems.
Design, Specification, and Verification, volume
2844 of LNCS, pages 1–15. Springer, 2003.
[16] B. S. Dhillon, editor. Engineering Usability:
Fundamentals, Applications, Human Factors,
and Human Error. American Scientific Publish-
ers, 2004.
[17] N. E. Fuchs and R. Schwitter. Specifying logic
programs in controlled natural language. In
Proceedings of the Workshop on Computational
Logic for Natural Language Processing, pages
3–5, 1995.
[18] B. Genest and A. Muscholl. Pattern matching
and membership for hierarchical message se-
quence charts. Theory of Computing Systems,
42(4):536–567, 2008.
[19] D. Harel and P. S. Thiagarajan. Message Se-
quence Charts. In L. Lavagno, G. Martin, and
B. Selic, editors, UML for Real: Design of
Embedded Real-Time Systems, pages 77–105.
Kluwer Academic Publishers, 2003.
[20] R. Hennicker, S. Janisch, and A. Knapp. Refine-
ment of components in connection-safe assem-
blies with synchronous and asynchronous com-
munication. In Foundations of Computer Soft-
ware: future Trends and Techniques for Devel-
opment, Monterey’08, pages 154–180. Springer,
2010.
[21] R. Hennicker and A. Knapp. Modal interface
theories for communication-safe component as-
semblies. In 8th international conference on
Theoretical aspects of computing, ICTAC’11,
pages 135–153. Springer, 2011.
[22] T. A. Henzinger and J. Sifakis. The embedded
systems design challenge. In FM, pages 1–15,
2006.
[23] L. Kapova, B. Buhnova, A. Martens, J. Happe,
and R. Reussner. State dependence in perfor-
mance evaluation of component-based software
systems. In International conference on Perfor-
mance engineering, WOSP/SIPEW ’10, pages
37–48. ACM, 2010.
[24] J.-P. Katoen. Labelled transition systems. In
M. Broy, B. Jonsson, J.-P. Katoen, M. Leucker,
and A. Pretschner, editors, Model-Based Test-
ing of Reactive Systems, volume 3472 of Lec-
ture Notes in Computer Science, pages 615–616.
Springer, 2005.
[25] G. R. Klare. Readable computer documentation.
ACM J. Comput. Doc., 24(3):148–168, 2000.
[26] T. Kuhn. Controlled English for Knowledge
Representation. PhD thesis, Faculty of Eco-
nomics, Business Administration and Informa-
tion Technology of the University of Zurich,
2010.
[27] B. Lee. Optimizing heterogeneous architectures.
EDN, February 2006.
[28] B. Macias and S. G. Pulman. Natural Lan-
guage Processing for Requirements Specifica-
tion, pages 67–89. Chapman and Hall Ltd., Lon-
don, 1993.
[29] F. Maraninchi and Y. Rémond. Mode-automata:
a new domain-specific construct for the devel-
opment of safe critical systems. Sci. Comput.
Program., 46(3):219–254, 2003.
[30] A. Martens, S. Becker, H. Koziolek, and
R. Reussner. An empirical investigation of
the effort of creating reusable, component-
based models for performance prediction. In
Component-Based Software Engineering, pages
16–31. Springer, 2008.
[31] T. N. Mudge. Power: A first-class architectural
design constraint. IEEE Computer, 34(4):52–
58, 2001.
[32] I. D. Peake and H. W. Schmidt. Systematic
simplicity-accuracy tradeoffs in parameterised
contract models. In Seventh International ACM
Sigsoft Conference on the Quality of Software
Architectures (QoSA), Boulder, Colorado, USA,
June 2011.
[33] R. Rao, S. Vrudhula, and D. Rakhmatov. Battery
modeling for energy aware system design. IEEE
Computer, 36(12):77 – 87, December 2003.
[34] F. Redmill and J. Rajan. Human Fac-
tors in Safety-Critical Systems. Butterworth-
Heinemann, 1996.
[35] A. L. Sangiovanni-Vincentelli and G. Mar-
tin. Platform-based design and software design
methodology for embedded systems. IEEE De-
sign & Test of Computers, 18(6):23–33, 2001.
[36] E. Saxe. Power-efficient software. Commun.
ACM, 53(2), 2010.
[37] H. W. Schmidt. Trustworthy components - com-
positionality and prediction. Journal of Systems
and Software, 65(3):215–225, 2003.
[38] H. W. Schmidt, I. D. Peake, J. Xie, I. E.
Thomas, B. J. Krämer, A. Fay, and P. Bort.
Modelling Predictable Component-Based Dis-
tributed Control Architectures. In Object-
Oriented Real-Time Dependable Systems, pages
339–346, 2003.
[39] M. Spichkova. From Semiformal Requirements
To Formal Specifications via MSCs. Technical
Report TUM-I1019, TU München, 2010.
[40] M. Spichkova. Design of formal languages
and interfaces: “formal” does not mean “un-
readable”. In K. Blashki and P. Isaias, editors,
Emerging Research and Trends in Interactivity
and the Human-Computer Interface. IGI Global,
2013.
[41] M. Spichkova, F. Hölzl, and D. Trachtenherz.
Verified system development with the autofocus
tool chain. Workshop on Formal Methods in the
Development of Software, (WS-FMDS), 2012.
[42] M. Spichkova and A. Zamansky. A human-
centred framework for combinatorial test de-
sign. In 11th International Conference on Eval-
uation of Novel Approaches to Software Engi-
neering (ENASE), pages 228–233. SciTePress,
2016.
[43] M. Spichkova, X. Zhu, and D. Mou. Do we
really need to write documentation for a sys-
tem? In International Conference on Model-
Driven Engineering and Software Development
(MODELSWARD’13), 2013.
[44] J.-P. Talpin, C. Brunette, T. Gautier, and
A. Gamatié. Polychronous mode automata. In
Proceedings of the 6th ACM & IEEE Interna-
tional conference on Embedded software, EM-
SOFT ’06, pages 83–92, New York, NY, USA,
2006. ACM.
[45] L. G. Valiant. A Bridging Model for Paral-
lel Computation. Communications of the ACM,
33(8), August 1990.
[46] P. T. N. Vo and M. Spichkova. Model-based
generation of natural language specifications.
In Federation of International Conferences on
Software Technologies: Applications and Foun-
dations, pages 221–231. Springer, 2016.
[47] W. Wolf, A. A. Jerraya, and G. Martin. Multi-
processor system-on-chip (MPSoc) technology.
IEEE Transactions on Computer-Aided Design
of Integrated Circuits and Systems, 27(10), Oct
2008.
[48] I. I. Yusuf, H. W. Schmidt, and I. D. Peake.
Architecture-based fault tolerance support for
grid applications. In Quality of Software Archi-
tectures, QoSA’11, pages 177–181. ACM, 2011.
[49] A. Zamansky, M. Spichkova, G. Rodriguez-
Navas, P. Herrmann, and J. O. Blech. To-
wards classification of lightweight formal meth-
ods. In 13th International Conference on Eval-
uation of Novel Approaches to Software Engi-
neering (ENASE), pages 305–313. SciTePress,
2018.
