From Verification to Implementation: A Model Translation Tool and a Pacemaker Case Study by Pajic, Miroslav et al.
University of Pennsylvania
ScholarlyCommons
Real-Time and Embedded Systems Lab (mLAB) School of Engineering and Applied Science
2012
From Verification to Implementation: A Model
Translation Tool and a Pacemaker Case Study
Miroslav Pajic
University of Pennsylvania, pajic@seas.upenn.edu
Zhihao Jiang
University of Pennsylvania, zhihaoj@seas.upenn.edu
Insup Lee
University of Pennsylvania, lee@cis.upenn.edu
Oleg Sokolsky
University of Pennsylvania, sokolsky@cis.upenn.edu
Rahul Mangharam
University of Pennsylvania, rahulm@seas.upenn.edu
Follow this and additional works at: http://repository.upenn.edu/mlab_papers
Part of the Electrical and Electronics Commons, Other Computer Engineering Commons, and
the VLSI and Circuits, Embedded and Hardware Systems Commons
The 18th IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS 2012) was held in Beijing, China, April 17-19 2012.
This paper is posted at ScholarlyCommons. http://repository.upenn.edu/mlab_papers/45
For more information, please contact libraryrepository@pobox.upenn.edu.
Recommended Citation
Miroslav Pajic, Zhihao Jiang, Insup Lee, Oleg Sokolsky, and Rahul Mangharam, "From Verification to Implementation: A Model
Translation Tool and a Pacemaker Case Study", Proceedings of the 18th IEEE Real-Time and Embedded Technology and Applications
Symposium (RTAS 2012) , 173-184. January 2012. http://dx.doi.org/10.1109/RTAS.2012.25
From Verification to Implementation: A Model Translation Tool and a
Pacemaker Case Study
Abstract
Model-Driven Design (MDD) of cyber-physical systems advocates for design procedures that start with
formal modeling of the real-time system, followed by the model’s verification at an early stage. The verified
model must then be translated to a more detailed model for simulation-based testing and finally translated
into executable code in a physical implementation. As later stages build on the same core model, it is essential
that models used earlier in the pipeline are valid approximations of the more detailed models developed
downstream. The focus of this effort is on the design and development of a model translation tool, UPP2SF,
and how it integrates system modeling, verification, model-based WCET analysis, simulation, code generation
and testing into an MDD based framework. UPP2SF facilitates automatic conversion of verified timed
automata-based models (in UPPAAL) to models that may be simulated and tested (in Simulink/Stateflow).
We describe the design rules to ensure the conversion is correct, efficient and applicable to a large class of
models. We show how the tool enables MDD of an implantable cardiac pacemaker. We demonstrate that
UPP2SF preserves behaviors of the pacemaker model from UPPAAL to Stateflow. The resultant Stateflow
chart is automatically converted into C and tested on a hardware platform for a set of requirements.
Keywords
Model-based development, model translation, medical devices, validation & verification, real-time systems
Disciplines
Electrical and Electronics | Other Computer Engineering | VLSI and Circuits, Embedded and Hardware
Systems
Comments
The 18th IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS 2012) was held
in Beijing, China, April 17-19 2012.
This conference paper is available at ScholarlyCommons: http://repository.upenn.edu/mlab_papers/45
From Verification to Implementation:
A Model Translation Tool and a Pacemaker Case Study
Miroslav Pajic∗, Zhihao Jiang†, Insup Lee†, Oleg Sokolsky† and Rahul Mangharam∗†
∗Department of Electrical and Systems Engineering
University of Pennsylvania
†Department of Computer and Information Science
University of Pennsylvania
{pajic, zhihaoj, lee, sokolsky, rahulm}@seas.upenn.edu
Abstract—Model-Driven Design (MDD) of cyber-physical
systems advocates for design procedures that start with formal
modeling of the real-time system, followed by the model’s
verification at an early stage. The verified model must then
be translated to a more detailed model for simulation-based
testing and finally translated into executable code in a physical
implementation. As later stages build on the same core model,
it is essential that models used earlier in the pipeline are
valid approximations of the more detailed models developed
downstream. The focus of this effort is on the design and
development of a model translation tool, UPP2SF, and how it
integrates system modeling, verification, model-based WCET
analysis, simulation, code generation and testing into an MDD-
based framework. UPP2SF facilitates automatic conversion of
verified timed automata-based models (in UPPAAL) to models
that may be simulated and tested (in Simulink/Stateflow). We
describe the design rules to ensure the conversion is correct,
efficient and applicable to a large class of models. We show how
the tool enables MDD of an implantable cardiac pacemaker.
We demonstrate that UPP2SF preserves behaviors of the
pacemaker model from UPPAAL to Stateflow. The resultant
Stateflow chart is automatically converted into C and tested
on a hardware platform for a set of requirements.
I. INTRODUCTION
Model-Driven Development (MDD) of real-time and con-
trol systems can be conducted in four steps: 1) modeling
a plant, 2) design and verification of a controller for the
plant, 3) simulating the closed-loop system as a basis for
testing, and 4) synthesizing the controller code for platform
testing and deployment. These models, when used with
model checking and simulation tools, can lead to rapid
prototyping, software testing, and verification. In the case
of safety-critical systems, the methodology advocates for
design procedures that start with formal modeling of the
real-time system, followed by the model’s verification at
an early stage. This allows specification, requirements, and
modeling errors with the core model to be found early in the
design pipeline. The verified model must then be translated
to a more detailed model for simulation-based testing and
finally translated into executable code. As later stages of
MDD build on the same core model, it is essential that
This research was partially supported by NSF research grants
MRI 0923518, CNS 0931239, CNS-1035715 and CNS-0834524.
models used earlier in the pipeline are valid approximations
of the more detailed models developed downstream.
Timed automata [1] are standard modeling formalism
for real-time systems that enables efficient system verifi-
cation. Due to the limitations of the verification process
(e.g., restricted model size), some parts of the models used
for verification represent over-approximations of the more
‘realistic’ models. For example, for verification of Cyber-
Physical Systems (CPS) that feature a tight coupling between
the real-time controller and (usually) continuous physical
environment, it is necessary to model the closed-loop sys-
tem as a whole. In addition to the plant and controller
models, this includes a model of interaction between the
controller and the environment. Although in the general case
this interaction can be modeled using hybrid systems, the
complexity of this approach usually renders it out of reach
of current verification tools [2]. Thus, CPS designers often
strive to describe the interaction using a set of timing related
properties. This results in a combination of model checking
of a more abstract timed automata model with a simulation-
based analysis of a detailed model with continuous-time
dynamics of the environment.
The focus of this effort is on the design and development
of a model translation tool, UPP2SF, and how it enables
an MDD-based framework. UPP2SF facilitates automatic
conversion of verified models (in UPPAAL) to models that
may be simulated and tested (in Simulink/Stateflow). This
allows for automatic end-to-end model translation across
multiple levels of abstraction to generated code. We describe
the design rules to ensure the conversion is correct, efficient
and applicable to a large class of models. We show how the
tool enables MDD of an implantable cardiac pacemaker. The
detailed case study highlights the design process (see Fig. 1)
from (a) a timed automata model of the pacemaker software,
the model verification and model-based worst case execution
time estimation; (b) automatic translation of the model to
Stateflow using the developed UPP2SF tool; (c) testing of
the Stateflow model; and (d) automatic code generation, test
generation and testing of timing related errors on the hard-
ware platform. We focus on the pacemaker design as there is
a strong need for verification and testing of medical device
	A

	A
BC	BDE
F	F

DD	A
	A
	
 	BA
	
 	B!"#$
%A
%AD
BCDE	A
FE	C
A
Figure 1. MDD-based framework: From UPPAAL to Stateflow to
generated code; This covers model verification, simulation-based testing
and platform testing.
software [3]. From 1990-2000, firmware issues resulted in
over 200,000 implantable device recalls [4].
UPPAAL [5], [6] is a standard tool for modeling and
verification of real-time systems, based on networks of timed
automata. As it does not support simulation of continuous-
time dynamics, there is a need to translate models verified
in UPPAAL into a tool such as Simulink/Stateflow which
allows for such simulation. Although there exists some
work on code generation from timed-automata models (e.g.,
[7], [8]), there are only a few tools [8], [9] with limited
capabilities in generating C code from UPPAAL models.
Simulink is a commercially available tool that is used
for modeling and simulation of CPS, while its toolbox,
Stateflow, supports design and simulation of state machines
and control logic. Simulink provides full support for C, C++,
VHDL and Verilog code generation. However, Simulink has
had a very limited success with model verification [10].
Thus, one of our goals is to provide a tool for translation
of UPPAAL models to Stateflow. This allows the use of
Simulink toolboxes for simulation and code synthesis for
controllers verified in UPPAAL, and is a step towards a
modular code synthesis. Although there exist different tools
for translation of Stateflow models into various frameworks
(e.g., [11]), to the best of our knowledge, this is the first
tool for translation of UPPAAL models into Stateflow.
The paper is organized as follows: in Sec. II and III we
start with an overview of UPPAAL and Stateflow, and show
that for a large class of UPPAAL models an execution trace
can be obtained by evaluating transitions only at integer time
points.1 In Sec. IV, we present the model translation proce-
dure. Sec. V presents the pacemaker case study, where the
pacemaker model was developed and verified in UPPAAL,
translated into Stateflow by UPP2SF (Sec. VI), implemented
on an RTOS (Sec. VII) and tested (Sec. VIII). We show how
the Stateflow chart generated by the UPP2SF simplifies code
synthesis and implementation on an RTOS, and testing for
1Unlike existing work (e.g., [12]), we do not consider the verification of
a digitized model, which uses integral model of time.
specified properties. This allows for worst case execution
time (WCET) estimation at the UPPAAL model level, thus,
considerably simplifying the design process at an early stage.
II. SYSTEM MODELING IN UPPAAL
UPPAAL supports networks of timed automata. Each
automaton is a state machine, equipped with special real-
valued variables called clocks. Clocks spontaneously in-
crease their values with time, at the same fixed rate. Lo-
cations (i.e., states) in automata have invariants that are
predicates over clocks. A location in an automaton can be
active as long as its invariant is satisfied. Transitions in
automata have guards that are predicates over clocks and
variables. A transition can be taken only if its guard is
true. Because clock values increase, an initially false guard
can eventually become true, allowing us to model time-
dependent behaviors, such as delays and timeouts. When
a transition is taken, an associated action is executed, which
can update variable values and reset clocks.
Automata in the network execute concurrently. They can
communicate via shared variables, as well as via events
over synchronous channels. If c is a channel, c? represents
receiving an event from c, while c! stands for sending an
event on c. In the general case, an edge from location l1 to
location l2 can be described in a form l1
g,τ,r
−−−→ l2, if there
is no synchronization over channels (τ denotes an ’empty’
action), or l1
g,c∗,r
−−−−→ l2. Here, c∗ denotes a synchronization
label over channel c (i.e., ∗ ∈ {!, ?}), g represents a guard
for the edge and r denotes the reset operations performed
when the transition occurs.
A. Semantics of Networks of Timed Automata
To define the semantics of a network of timed-automata
we introduce the following terms from [6]. With C we
denote the set of all clocks. A clock valuation is a function
u : C → R+, and we use RC to denote the set of all clock
valuations. A simple valuation is the function u0(x) = 0, for
all x ∈ C. For valuation u, u+d denotes the valuation where
(u + d)(x) = u(x) + d, for x ∈ C. Furthermore, let B(C)
denote the set of conjunctions over simple clock conditions
of the form x ⊲⊳ n or x− y ⊲⊳ n, where n ∈ N0, x, y ∈ C,
and ⊲⊳∈ {≤,≥,=, <,>}. Finally, we use K to denote the
set of all channels and A = {α?|α ∈ K}∪{α!|α ∈ K}∪{τ}
the set of all actions.
Definition 1 ([6]). An automaton A is a tuple
(L, l0, A, C,E, I), where L denotes the set of locations in
the timed automaton, l0 is the initial location, A is a set of of
actions, C a set of clocks, and E ⊆ L×A×B(C)×2C×L
denotes the set of edges (between locations, with an action
l2l1
t<=2
l0
t<=10
c?
t=2
t>=10
c?t=0
t>=0 l2l1l0 b!
c?c!
Figure 2. UPPAAL model example; (a) P0 automaton; (b) P1 automaton.
(a ∈ A), a guard (g ∈ B(C)) and a subset of clocks to be
reset), while I : L→ B(C) assigns invariants to locations.
A network of n timed automata is obtained by composing
automata Ai = (Li, l
0
i , A, C,Ei, Ii), i ∈ {1, ..., n}. In this
case, a location vector is defined as l¯ = (l1, l2, ..., ln). In
addition, an invariant for location vector l¯ is defined as
I(l¯) = ∧iIi(li). To denote the vector where i
th element of
vector l¯ (i.e., li) is substituted with l
′
i we use notation l¯[l
′
i/li].
If clock valuation u satisfies the invariants at locations from
l, we abuse the notation and write u ∈ I(l). Similarly, if
valuation u satisfies condition g ∈ B(C), we write u ∈ g.
Finally, r(u) denotes the clock valuation obtained from u
when all clocks from the set r ⊆ C are reset to zero.
Definition 2 ([6]). Let A = {A1,A2...,An} be a network
of n timed automata, and let l¯0 = (l01, l
0
2, ..., l
0
n) be the initial
location vector. The semantics is defined as a transition
system 〈S, s0,→〉, where S = (L1 × L2 × ... × Ln) × R
C
is the set of states, s0 = (l¯0, u0) is the initial state, and
→⊆ S × S is the transition relation defined by:
1) (l¯, u)→ (l¯, u+ d) if ∀d′, 0 ≤ d′ ≤ d⇒ u+ d′ ∈ I(l¯).
2) (l¯, u) → (l¯[l′i/li], u
′) if there exists li
g,τ,r
−−−→ l′i s.t. u ∈ g,
u′ = r(u) and u′ ∈ I(l¯[l′i/li]).
3) (l¯, u) → (l¯[l′j/lj , l
′
i/li], u
′) if exist li
gi,c?,ri
−−−−−→ l′i and
lj
gj ,c!,rj
−−−−→ l′j , s.t. u ∈ (gi ∧ gj), u
′ = (ri ∪ rj)(u),
u′ ∈ I(l¯[l′j/lj , l
′
i/li]).
For semantics 〈S, s0,→〉, a sequence R defined as
R := (l¯0, u0) → (l¯1, u1) → ... → (l¯i, ui) → ..., is called a
run, and we use notation uRk := uk, l¯
R
k := l¯k, for all k ≥ 0.
For example, a run for the UPPAAL model from Fig. 2 is:([
P0.l0
P1.l0
]
,
[
t=0
t1=0
])
→
([
P0.l0
P1.l0
]
,
[
t=10
t1=10
])
→
([
P0.l2
P1.l0
]
,
[
t=10
t1=10
])
→([
P0.l2
P1.l0
]
,
[
t=11.7
t1=11.7
])
→
([
P0.l1
P1.l1
]
,
[
t=2
t1=11.7
])
...
B. UPPAAL Extensions of Timed-Automata
UPPAAL extends the standard framework of timed-
automata [1], as it allows use of bounded integer variables,
and reset operations that can update variable values and reset
clocks to integer values (possibly non-zero). Variables can
be used in guard conditions, and guards can be described
as conjunction of clock conditions and simple conditions
over variables. UPPAAL also extends timed-automata with
committed and urgent locations where time is not allowed
to pass (i.e., no delay is allowed) [6]. Committed locations
are more restrictive and they are usually used to model
atomic sequences of actions in UPPAAL. In a network of
timed automata, if some automata are in committed locations
then only transitions outgoing from the committed locations
are allowed. UPPAAL also introduces broadcast channels,
where one sender can synchronize with multiple receivers.
We focus on a large class of UPPAAL models without
clock conditions of the form x > E, where x is a clock
and E an expression. The restriction, while not limiting in
real control system models, guarantees that all invariants
and guards are expressed as intersections of left semi-closed
intervals. Thus, we refer to this class as Class LSC. Unless
otherwise specified, in the rest of the paper we consider only
this type of models.
Theorem 1. For each UPPAAL model from the Class LSC,
and for every run R of the model, there exists a run R′ such
that:
1) l¯Rk = l¯
R
′
k , ∀k ≥ 0 (untimed runs of R and R
′ are equal),
2) for all k ≥ 0, 0 ≤ uRk − u
R
′
k < 1,
3) for each clock x ∈ C and for all k ≥ 0, clock valuation
uR
′
k (x) ∈ N0 (all events of R
′ occur at integer time points).
The theorem allows for the use of discrete-time based
tools for simulation of UPPAAL models, as it shows that it
is enough to evaluate all guards and invariants at the integer
time points in order to find execution traces for the models.
The theorem is the basis for the translation procedure used in
UPP2SF. Due to space limitations, the proof of the theorem
is omitted. It can be obtained from the report [13].
III. BRIEF OVERVIEW OF STATEFLOW
A Stateflow chart employs a concept of finite state ma-
chines extended with additional features, including support
for different variable types and events that trigger actions
in a part or the whole chart. In this section, we describe a
small subset of the Stateflow features used in the translation
procedure. A detailed description can be found in [14], [11].
A state in a Stateflow chart can be active or inactive,
and the activity dynamically changes based on events and
conditions. There is a hierarchy between states and a state
can contain other states (referred to as substates). A decom-
position of a chart (state) determines if its states (substates)
are exclusive or parallel states. Within a chart (or a state),
no two exclusive states can be active at the same time, while
any number of parallel states can be simultaneously activate.
Unlike in UPPAAL, transitions between states in State-
flow are taken as soon as enabled. They are described as:
Event[condition]{condition action}/{transition action} (1)
where each part of the transition is optional. Event specifies
the event that enables the transition, if the condition (if
specified) is valid. The condition is described using basic
logical operations on simple conditions over design variables
and Stateflow operators. Actions in condition action and
transition action include event broadcasting and opera-
tions on data variables. There is a subtle difference between
these two types of actions. The former are executed if the
condition is satisfied, while the outgoing state is still active.
The latter actions are executed after the transition occurs,
but before the incoming state is activated [14].
A Stateflow chart runs on a single thread and it is
executed only when an event occurs. All actions that occur
during an execution triggered by an event are atomic to
that event. After all activities that take place based on
the event are finished, the execution returns to its prior
activity (i.e., activity before receiving the event). All parallel
states within a chart (or a state) are assigned with a unique
execution order. Furthermore, all outgoing transitions from
a state have different execution indices. Thus, the execution
of a Stateflow chart is fully deterministic – active states
are scheduled, and state transitions are evaluated in the
execution order (starting from the lowest).
1) Notion of Time in Stateflow Charts: Stateflow tem-
poral logic can be used to control execution of a discrete-
time chart in terms of time.2 It defines time periods using
absolute-time operators based on the chart’s simulation time,
or event-based operators that use the number of event
occurrences. Absolute-time logic defines operators after,
before:
after(n, sec) =
{
0, if t < n
1, if t ≥ n
(2)
before(n, sec) = not(after(n, sec)) (3)
where t denotes the time that has elapsed since the activation
of the associated state (i.e., from the last transition to
the state - including self-transitions). The value for time t
can be obtained using the operator temporalCount(sec).
Finally, for event-based temporal logic, the aforementioned
temporal operators are used for event counting. For example,
after(n, clk) returns 1 if the event clk has occurred more
than (n− 1) times after the state has been activated.
IV. MODEL TRANSLATION PROCEDURE
We now describe the translation procedure, along with
the features used in the pacemaker model – broadcast chan-
nels, committed states and local clocks. We first describe
the UPP2SF procedure for translation of UPPAAL edges
without synchronization, followed by the procedure used
to preserve semantics of broadcast channels. Finally, we
show how UPP2SF maps urgent and committed locations.
A detailed description of the full translation procedure is
provided in [13].
A. Overview of UPP2SF
Consider an UPPAAL model that contains automata
P0, ..., Pn. The translation results in a two-level model (see
Fig. 3). The top level Stateflow chart corresponds to the
UPPAAL network of automata, with the predefined global
variables. Since all automata in UPPAAL are simultaneously
active, the chart is a collection of parallel states, and for
each automaton Pi a parallel state with the same name
Pi and a unique execution order
3 is created in the chart.
We will refer to the parallel states in the Stateflow chart
as the parent states. In an UPPAAL automaton, only a
single location can be active at a time. Thus, each of the
parent states is a collection of exclusive states, extracted
2Although ‘temporal logic’ has a different meaning in the real-time
literature, we use the term in this context, as it is part of Stateflow
terminology.
3Different assignments of the execution orders (for the parallel states)
could result in different runs. Since each of these runs is a run of the
initial UPPAAL model, current version of the UPP2SF assigns the execution
orders in the order in which UPPAAL automata are parsed.
 	
A
BCDEF

 
C
FEEF
AFDC
FEEF
Figure 3. Structure of Stateflow charts obtained using UPP2SF.
from locations in the UPPAAL automaton (e.g., Fig. 7 and
Fig. 8 present the pacemaker model in UPPAAL and the
extracted Stateflow chart). Furthermore, for each transition
between locations in the UPPAAL automaton, a transition
between the corresponding Stateflow states is introduced.
Input event clk is added to the chart to guarantee that the
extracted chart is executed at each integer time step. Also,
a signal generator block is added to the parent Simulink
model to create the event at every integer-time point. Hence,
to measure time we employ the event-based temporal logic
that utilizes the number of clk event appearances, rather than
the chart’s simulation time (e.g., instead of after(n, sec),
we use after(n, clk)). The execution of the chart from the
moment the chart is triggered by a clk event, until processing
of the event has been finished, is referred to as clk execution.
In the general case, the chart can (re)activate itself (or some
of its states) by transmitting local events. Processing of the
events triggered during a clk execution is considered a part
of the clk execution. Since processing of events is atomic in
Stateflow, no time elapses during a clk execution, regardless
how many additional event broadcasts have occurred.
Based on Stateflow semantics, at most one transition can
occur per parent state upon a chart activation (i.e., within a
clk execution), unless the chart is reactivated by sending a
local event. On the other hand, there is no upper bound
on the number of transitions in an UPPAAL automaton,
while time does not pass. In some cases more than one
transition has to occur within a single UPPAAL automaton.
For example, in the automaton from Fig. 2(a), after transition
P0.l2 → P0.l1 occurs, time t is reset to 2. Due to the
invariant at P0.l1, no time elapses at the state because the
transition P0.l1→ P0.l0 has to be immediately taken.
To ensure the UPPAAL model semantics are not violated
during the translation, we add a parallel state Eng to the
chart to serve as the control execution engine. The state
reactivates the chart when necessary, and is also used for
event broadcasting. With this approach, a single activation of
the chart triggers all transitions enabled at that integer time
point. This simplifies implementation of the code extracted
from the Stateflow chart, because the generated procedure
should be invoked only once at every integer time step.
B. Translating UPPAAL Edges Without Synchronization
Consider an UPPAAL edge li
g,τ,r
−−−→ lj . Since the guard
can be split into a conjunction of data and clock conditions,
from the semantics of timed-automata (Def. 2), an equivalent
Stateflow transition between the states li and lj has the form:
[GC(I(li)∧g)∧GV (g)∧GC(r, I(lj))]/{RV (r);RC(r);RS(r); } (4)
where:
1) GC(h) (GV (h)) maps the clock (data) conditions from an
UPPAAL condition h into an equivalent Stateflow condition,
2) RC(r) (RV (r)) translates the clock (data) resets from r
into an equivalent Stateflow assignment (see Section IV-B1),
3) GC(r, I(lj)) maps the condition that the clock valuation
after the reset satisfies the invariant at the ‘new’ location lj ,
4) RS(r) controls execution of the chart (Section IV-B2).
Data reset operations, RV (r), and data guard conditions,
GV (g), are directly mapped using the same Stateflow op-
erations. Mapping of resets and guards that use only local
clocks is described below (for full procedure see [13]).
1) Mapping Clock Conditions and Resets: Stateflow tem-
poral logic always resets time when a transition occurs.
This forces us to explicitly model each local clock x by
introducing the accounting variable nx. To enable the correct
expression of clock constraints used in the UPPAAL model,
as part of each transition the variable is updated to maintain
the clock value from the moment of the state’s activation.
This is done using RC(r) defined for each local clock x as:
[RC(r)](x) :=
{
nx = nx + temporalCount(clk), if x /∈ r
nx = r(x), if x ∈ r
(5)
Here, if clock x is reset to n as a part of the UPPAAL
transition (even if n denotes an expression and not only a
constant), variable nx is set to n on the Stateflow transition
(i.e., nx = n is added to data reset). However, if the clock is
not reset in the transition (x /∈ r), then the accounting vari-
able has to be increased by the value temporalCount(clk).
As described in Section II, each clock condition h is
specified as h = h1 ∧ ... ∧ hM , where hi is a basic
clock condition. Therefore, an equivalent clock condition in
Stateflow, GC(h), can be expressed as GC(h) = GC(h1)∧
... ∧ GC(hM ). The transformation of the basic clock con-
ditions presented in Fig. 4 employs event-based temporal
logic operators, while taking into account the values of the
accounting variables. Note that since we consider UPPAAL
automata where clocks progress at the same rate, for all
clocks x, y the difference between the clock values while a
state is active is equal to the clock differential upon entering
the state. Thus,
GC(x− y ⊲⊳ n) := (nx − ny ⊲⊳ n).
Finally, the requirement that the new clock valuation
satisfies the invariant at the (new) location lj (i.e., I(lj)) is
equivalent to the condition that both the reset and non-reset
clock values satisfy I(lj). Therefore, for I(lj) = h1∧...∧hk
it follows that GC(r, I(lj)) = GC(r, h1) ∧ ... ∧ GC(r, hk)
where:
GC(r, x ⊲⊳ n) :=
{
r(x) ⊲⊳ n, x ∈ r
(nx + temporalCount(clk)) ⊲⊳ n, x /∈ r
(6)
GC(r, x− y ⊲⊳ n) := (7)

r(x)− r(y) ⊲⊳ n, if x, y ∈ r
r(x)− (ny + temporalCount(clk)) ⊲⊳ n, if x ∈ r, y /∈ r
(nx + temporalCount(clk))− r(y) ⊲⊳ n, if x /∈ r, y ∈ r
nx − ny ⊲⊳ n if x, y /∈ r
UPPAAL condition Stateflow condition
(x, y ∈ C, n ∈ N0) (nx, ny clock accounting variables)
x ≤ n before(n− nx, clk)||(temporalCount(clk) == n− nx)
x < n before(n− nx, clk)
x = n (temporalCount(clk) == n− nx)
x ≥ n after(n− nx, clk)
x− y ⊲⊳ n nx − ny ⊲⊳ n
Figure 4. Mapping UPPAAL conditions over clocks into Stateflow – only
clock conditions that specify left-closed intervals are considered.
The expression for GC(r, I(lj)) can be significantly sim-
plified. If r(x) resets the clock x to a constant (which is the
prevailing case in UPPAAL), conditions from Eq. (6), (7)
can be evaluated during the translation and can be replaced
with fixed terms 0 or 1 (i.e., false or true).
2) Control of the Chart’s Execution: To allow that more
than a single transition per parent state can occur during
a clk execution, in the obtained Stateflow chart UPP2SF
introduces the state Eng, which is executed last among the
parent states. Eng is designed to reactivate the chart when
transitions occur (Fig. 3). To achieve this additional event tt
and flag act are defined in the chart, and as a part of each
transition act is set to 1. This is done within RS(r) from
Eq. (4), defined as RS(r) := (act = 1; ). In addition, Eng
contains a single state and it broadcasts event tt to the chart
if act has been set to 1, using a self-transition (see Fig. 8)
of the form:
[act == 1]/{act = 0; send(tt); } (8)
C. Translating Broadcast Channels
Events in Stateflow are a good semantic match for broad-
cast channels in UPPAAL. Therefore, for each broadcast
channel c, UPP2SF defines a Stateflow event c assigned
with a unique positive integer ID(c). Consider an UPPAAL
edge of the form li
g,c!,r
−−−→ lj from automaton P , where
c is a broadcast channel. To preserve UPPAAL semantics
(Def. 2), the translation of the edge into Stateflow, along
with all edges with receiving over channels c, has to satisfy
the following requirements:
R1) After the transition occurs, no other ‘non-receiving’
transition should be taken until all of the transitions con-
ditioned with the event’s receiving are taken.
R2) After the event is broadcast, the incoming state lj
has to be activated, so that enabled transitions from lj can
occur at the same (simulation) time. For example, consider
automaton P1 from Fig. 2(b). After l1 is reached, if without
any delay b! occurs, the transition between l1 and l0 has to
be taken.
R3) After the event is broadcast, no transition should occur
in the parent state P while receiving the event. This ensures
that a parent state does not synchronize with itself.
In report [13] we show that, due to Stateflow semantics,
events can not be broadcast from the transitions within the
parent states derived from UPPAAL automata. Broadcasting
events as part of condition actions might result in infinite
cycle behavior. Similarly, broadcasting events as a part of
transition actions would result in the chart activation where
UPPAAL edge Stateflow transition
li
g,τ,r
−−−→ lj [(sent == 0) ∧GC,V (li, g, r, lj)]/{RC,V (r);RS(r); }
li
gj ,c!,rj
−−−−−→ lj [(sent == 0) ∧GC,V (li, g, r, lj)]/{RC,V (r); sent = ID(c); }
li
gi,c?,ri−−−−−→ lj c[(sent ∼= −ExO(P )) ∧GC,V (li, g, r, lj)]/{RC,V (r); }
Figure 5. Mapping UPPAAL edges from automaton P into Stateflow
transitions; GC,V (li, g, r, lj) and RC,V (r) denote the terms GC(I(li)∧
g) ∧GV (g) ∧GC(r, I(lj)) and RV (r);RC(r); from Eq. (4).
the incoming state (i.e., lj) is not active, which violates R2.
Thus, we use a centralized approach where the Eng state
sends events and controls execution of the chart. To achieve
this we employ additional variable sent that can have the
following values:
sent =


ID(c), event c is scheduled for broadcast
0, no event scheduled for broadcast
−ExO(P ), an event is broadcast and only
receiving edges should be activated
(9)
where ExO(P ) > 0 is a constant that denotes the execution
order of the Stateflow parent state P (note that ID(c) > 0).4
Fig. 5 shows translation of UPPAAL edges into Stateflow.
Action c! is mapped into sent = ID(C) assignment, which
disables all ‘non-receiving’ transitions due to their condition
(sent == 0). Similarly, condition (sent ∼= −ExO(P ))
disables all ‘receiving’ transitions in the parent state P
(satisfying R3). For example, consider the model from
Fig. 2(b). Since events are broadcast outside of parent states
(i.e., from Eng), after the state P1.l1 is reached, sending
event c from outside of the parent state P1 would enable
transition P1.l1 → P1.l2 (if the condition is not used),
which violates the requirement R3.
Finally, the Eng state is used to broadcast events, by
adding for each event c the following self-transition in the
state:
[(sent == ID(c))]{sent = −ExO(P ); send(c); }5 (10)
In addition, to reset sent, and to ensure that all previously
disabled transitions are reevaluated by reactivating the chart
after the event is processed (i.e., after all parent states are
re-executed), UPP2SF adds the following self-transition in
the state Eng:
[(sent < 0)]{sent = 0; send(tt); } (11)
For the Eng state to operate correctly, the transi-
tions (10), (11) have precedence (i.e., lower execution order)
over the transition from Eq. (8). An example of Eng state is
shown in Fig. 8. In the general case, UPPAAL allows more
than one automaton to transmit over a broadcast channel.
This requires a simple extension of the procedure and is
described in [13].
4Stateflow requires that each parent state has a different execution order,
i.e., ExO(Pi) 6= ExO(Pj) if Pi 6= Pj .
5Although the events are sent as a part of condition actions, infinite cycle
does not occur, since sent (used in the transition guard) changes its value
before broadcasts. This disables the transition in the next activation.
D. Translating Urgent and Committed States
UPP2SF also preserves semantics of urgent and commit-
ted states. Adding act = 1 to transitions to an urgent state,
triggers broadcast of the event tt to reactivate the chart. This
enables evaluation of outgoing transitions from the urgent
state. However, if these transitions are disabled (e.g., due
to event receiving), broadcasting tt before the end of clk
executions ensures that all states will be activated at least
one more time. Therefore, in the derived Stateflow chart no
time passes in the states extracted from urgent states in the
UPPAAL model.
If some automata in UPPAAL are in committed locations,
then only transitions outgoing from one of the committed
locations are allowed. Thus, to deal with committed lo-
cations we introduce a new ‘control’ variable comm that
always contains the number of active committed states. For
all transitions incoming to a committed state expression
comm = comm+1; act = 1; is added to the reset operations
(i.e., RS(r) from Eq. (4)). Similarly, for all outgoing transi-
tions from a committed state comm = comm− 1; act = 1;
is added to the reset. To disable transitions from non-
committed states when there exists an active committed
state, guard condition (comm == 0) is added to all ‘non-
receiving’ transitions outgoing from a committed state. Note
that setting act to 1 reactivates the chart to ensure that all
transitions are reevaluated, including transitions that have
been disabled due to (comm == 0) condition.
E. Optimization
Stateflow chart obtained using the aforementioned rules
can be significantly simplified. For example, clock guards
and invariants are conjunctions of the basic clock condi-
tions, and thus specify fixed left-closed intervals if only
conditions from Fig. 4 are used where n is a constant.
These intervals can be expressed in Stateflow with maximum
two terms from Fig. 4 (e.g., invariant t ≤ n and guard
t ≥ n can be combined into a single Stateflow condition
temporalCount(clk) == n−nt). In addition, it is possible
to remove clock resets defined in Eq. (5) from transitions
incoming to a state, if on all paths from the state there exists
a clock reset (i.e., reset of the corresponding accounting
variable of the form nx = r(x)) before the clock is used
in a transition guard.
Similarly, due to Eq. (11) there is no need to reactivate
the chart with the act = 1 reset on transitions to a commit-
ted/urgent state that are conditioned with event receiving.
The same holds if outgoing transitions from a new state are
disabled (which is a common case) at the time of activation.
For example, in the buffer from Fig. 7(d), for dL a > 0,
after l1 is entered the clock guard disables the outgoing
transition. Thus, the assignment act = 1 does not have to
be added to the Stateflow transitions from l1 to l0. The
assignment can be removed from all edges incoming to a
state if: 1) the state is not urgent or committed; 2) all clocks
used in the state’s invariant and outgoing guards from the
state are reset on the incoming transition; 3) all outgoing
guards and the state’s invariant are clock conditions (without
data conditions), specifying a fixed time interval that is not
a point.
Finally, transitions between two states with same condi-
tions and transition actions can be combined into a single
transition.
V. PACEMAKER CASE STUDY
In the remaining of the paper, on a pacemaker case
study we describe how the UPP2SF enables an MDD-based
framework. We start with an UPPAAL description of a
pacemaker before we present how the translation tool allows
for automatic code generation and implementation of the
implantable pacemaker.
The primary function of an implantable pacemaker is to
maintain an adequate heart rate and ensure safe and efficient
cardiac output. The pacemaker paces the heart when the
intrinsic heart rate is below a lower rate limit, it does not
pace the heart above an upper rate limit and maintains
synchrony between the atrial and ventricular activity. To
interact with the patient, the leads of a pacemaker that can
both sense and pace are implanted inside the patient’s heart.
In this work we describe the most commonly used mode
of pacemaker, the DDD mode that paces both the atrium
and ventricle, senses both, and sensing either activates or
inhibits further pacing [15]. We developed a basic DDD
dual chamber model according to [16]. In [17] we present a
thorough pacemaker modeling and verification in UPPAAL.
A. Pacemaker UPPAAL Design
The five basic timing cycles of the DDD mode pacemaker
are shown in Fig. 6, where AP and AS (VP and VS)
denote atrial (ventricular) pacing and sensing events. In our
pacemaker model we have designed the following software
components, shown in Fig. 7, where each automaton only
uses its own local clock.
1. Lowest Rate Interval (LRI) automaton (Fig. 7(b))
models the LRI requirement which is the basic timing cycle.
This component keeps the heart rate above a minimum value
by delivering atrial pace events (AP). The LRI timer is reset
after a ventricular event (VP or VS). For DDD mode, if no
Figure 6. Pacemaker timing cycles; Notation: VP - ventricular pace, VS
- ventricular sense, AP - atrial pace, AS - atrial sense [18].
atrial event has been sensed (AS) before the timer runs out,
the pacing event will be delivered from the atrial lead (AP).
2. Atrio-Ventricular Interval (AVI) automaton from
Fig. 7(c) models the AVI requirement. This component
mimics the intrinsic AV delay to synchronize the atrial
and ventricular events. The timer is started by a sensed or
paced atrial event (AP or AS) and can be terminated by
a sensed ventricular event (VS). If no ventricular event is
sensed before the timer times out, the pacemaker generates a
ventricular pace (VP) if the Upper Rate Limit is not violated.
Guarantees for this are provided by the URI component.
3. Upper Rate Interval (URI) automaton in Fig. 7(e)
limits the ventricular pacing rate by enforcing a lower bound
on the times between consecutive ventricle events.
4. PVARP and VRP automata are used to filter noise and
early events which could otherwise cause undesired pace-
maker behavior. The Post Ventricular Atrial Refractory Pe-
riod (PVARP) and the Ventricular Refractory Period (VRP)
automata generate atrial (AS) and ventricular (VS) sensing
events from the buffered atrial and ventricular inputs (AinB
and VinB, respectively). The PVARP automaton (Fig. 7(f))
models the blocking interval after each ventricular event
(VP or VS) where the atrial sensing (AS) cannot occur. The
VRP automaton (Fig. 7(g)) models the blocking interval for
ventricular events. The intervals follow ventricular events
and no ventricular sensing should occur during the interval.
5. Inputs buffers (Fig. 6(d),(h)) are used to model delays
imposed by processing inputs Ain and Vin from the heart.
For example, these delays can be introduced by the design
of the analog interface between the heart and device.
B. Pacemaker Stateflow Design
From the model shown in Fig. 7, using the UPP2SF
tool we obtained the pacemaker Stateflow chart presented
in Fig. 8. The chart contains 9 parallel states, one for each
automaton from the UPPAAL model, and the Eng state for
control of the chart’s execution. For closed-loop verification
in UPPAAL we modeled both the heart and pacemaker,
and thus the obtained chart contains both models of the
controller (i.e., pacemaker) and the environment (i.e., the
heart). Therefore, it is necessary to decouple the pacemaker
from the heart model.
Fig. 7(a) presents the interaction between the pacemaker
and the heart. Since the interaction corresponds to synchro-
nization over broadcast channels, the pacemaker model can
be easily extracted from the chart shown in Fig. 8. This
is done by removing the parent states that model the heart
and buffers (RH a, RH b, ASbuf, VSbuf), and by defining
AinB and V inB as input events. Also, the Eng state has
to be modified to remove the transitions used to broadcast
these input events. In our case we removed the transitions
that broadcast AinB or BinB (highlighted in red in Fig. 8).
Stateflow does not allow utilization of output events to
condition internal transitions. Hence, it is necessary to define
additional output events from the chart, and in our case for

	
ABC
DBC
EF
EF



E
ABC
DBC
E

 AD
C
DA D
(a) Interaction between the pacemaker and
heart
LRI_AS LRI
t<=LRId-AVId
v_s?
t=0
v_p?
t=0
a_s?
t>=LRId-AVId
a_p!
t=0
v_s?
t=0
v_p?
t=0
(b) LRI component
st3C st3
st2
t<=AVIdst1
v_p!
uri_s?
t>=AVId && (URIex==0)t>=AVId && (URIex==1)
v_p!
v_s?
a_p?
t=0
a_s?
t=0
(c) AVI component
l1 t<= dH_a
l0
t>=dL_a
AinB!
t=0
Ain?
t=0
(d) Atrial Buffer
URIst2
URIst1
t<=URId
t>=URId
uri_s!
URIex=1
v_s?
t=0
v_p?
t=0
v_p?
t=0, URIex=0
v_s?
t=0, URIex=0
(e) URI component
ARPst2
t<=ARPd
inter
ARPst1
a_s! v_s?t=0
v_p?
t=0
t>=ARPd
AinB?
(f) PVARP component
inter
VRPst2
t<=VRPdVRPst1
v_s!
t=0VinB?
t=0
t>=VRPd
v_p?
t=0
(g) VRP component
l1 t<= dH_v
l0
t>=dL_v
VinB!
t=0
Vin?
t=0
(h) Vent. Buffer
RH
t<=MaxW
Art_pace?
t=0
t>=MinWait
Pulse!
t=0
(i) Random Heart
Figure 7. UPPAAL model of a DDD pacemaker - each automaton uses its own local clock; Two Random Heart templates were instantiated for Atrium
(Pulse:=Ain, Art pace:=a p) and Ventricle (Pulse:=Vin, Art pace:=v p).
local events a p and v p two output events (AP and VP)
were defined. These events are broadcast as a part of the
same transitions used to broadcast a p and v p, respectively.
In addition, to deal with some implementation issues (details
are provided in Section VII), for each output Event an
empty C function sendHW_Event is added using Simulink
features for integrating custom C code. The function does
not affect simulations of the chart in Simulink, but allows for
the correct output generation from the synthesized code. For
example, the Eng transition highlighted with dotted green
rectangle was modified to
[(sent == 3)]{sent = −1; send(V P ); sendHW V P (); send(v p); }
VI. STATEFLOW CHART VALIDATION
We validated the Simulink chart by extending the pro-
cedure for testing real-time constraints described in [19].
Therefore, we first describe the set of timing requirements
used to extract the test vectors, followed by the simulation
results. In [17] we presented the UPPAAL model verification
of these properties.
A. Testing Requirements
We classify two types of real-time constraints for pace-
maker: behavioral constraints that describe time intervals
that end when the required input is applied, and performance
constraints describing intervals that end when the required
output is produced. For example, a behavioral constraint
is that a certain input E1 must occur within time interval
[t1, t2) and as a result it should produce output E2. Similarly,
a performance constraint is a requirement that output has to
occur within time interval [t1, t2).
As shown in Fig. 6, pacemakers exert a highly repetitive
behavior. Thus, we focus on a set of requirements that need
to be satisfied in each time interval between consecutive
ventricular and/or atrial events. To specify constraints for
DDD pacemaker it is necessary to consider two time axes, tv
and ta that measure the time since the last ventricular (VP or
VS) and the last atrial event (AP or AS), respectively. Using
the pacemaker specification [16], [15] we defined a set of
real-time pacemaker requirements (performance constraints
are denoted with P and behavioral with B):
1. Pacing in the atrium:
P1.1. AP cannot occur during the interval tv ∈ [0, LRId −
AV Id);
B1.1. If AS does not occur within interval tv ∈ [0, LRId −
AV Id), an AP should occur at tv = LRId −AV Id;
B1.2. If AS occurs at tv ∈ [0, LRId − AV Id), AP should
not be applied in the atrium within the interval tv ∈
[0, LRId −AV Id).
2. Pacing in Ventricle:
P2.1. VP cannot occur during the interval ta ∈ (0, AV Id);
P2.2. VP cannot be generated within tv ∈ (0, URIdef );
6
B2.1. If VS does not occur in intervals ta ∈ (0, AV Id) and
tv ≥ URId, VP should occur at ta = AV Id;
B2.2. If VS occurs at ta ∈ (0, AV Id), no VP should be
generated within the interval ta ∈ (0, AV Id).
3. Atrial Sensing (requirements for ARP):
P3.1. AS cannot occur within the interval tv ∈ (0, ARPd];
B3.1. If atrial input (Ain) occurs within interval tv ∈
(0, ARPd), it should be disregarded (no AS is generated
within tv ∈ (0, ARPd));
B3.2 If Ain occurs at tv ≥ ARPd, AS is to be created at tv .
4. Ventricular Sensing (requirements for VRP):
P4.1. A ventricular sense (VS) cannot be generated within
interval tv ∈ (0, V RPd);
B4.1. If a ventricular input (Vin) occurs at time tv ∈
(0, V RPd) it should be ignored (no VS is generated within
tv ∈ (0, V RPd));
B4.2 If Vin occurs at tv ≥ V RPd, VS is to be created at tv .
Using the above requirements, the testing procedure
6The requirement specifies a lower bound on intervals between consec-
utive events in ventricle – the requirement for URI component.
AVI 1
st1 st2
st3st3C_CC
LRI 2
LRI LRI_AS
URI 5
URIst2URIst1
PVARP 3ARPst1 ARPst2
inter_CC
ASbuf 6l0 l1
VRP 4VRPst2VRPst1
inter_CC
VSbuf 7l1l0
RH_a 8
RHEng 10
l0
RH_v 9
RH
a_p  || a_s  [(sent~=- 1)]/{n_t= 0;}
v_s  [(sent~=- 1)]/{}
3
[(sent== 0)&&(comm== 0)&&(URIex== 1)&&( temporalCount (clk)==AVId-n_t)]/{sent= 3;}
2
[(sent== 0)&&(comm== 0)&&(URIex== 0)&&...
(temporalCount (clk)==AVId-n_t)]/{}
1
[(sent== 0)]
/{sent= 3;comm=comm- 1;act=1;}
uri_s  [(sent~=- 1)]/{comm=comm+ 1;act=1;}
[(sent== 0)&&(comm== 0)&&( temporalCount (clk)==LRId-AVId-n_t)]
/{sent= 1; n_t=0;}
1
a_s  [(sent~=- 2)]/{}
3
v_p || v_s  [(sent~=- 2)]/{n_t= 0;}
v_p || v_s  [(sent~=- 2)]/{n_t= 0;}2
[(sent== 0)&&(comm== 0)&&( temporalCount (clk)==URId-n_t)]
/{sent= 9; act=1;URIex= 1}
2
v_p || v_s  [(sent~=- 5)]/{n_t= 0;act=1; URIex= 0}
v_p || v_s  [(sent~=- 5)]/{n_t= 0;}1
[(sent== 0)&&(comm== 0)&&( temporalCount (clk)==ARPd-n_t)]/{}
v_p || v_s  [(sent~=- 3)]/{n_t= 0;}
1AinB [(sent~=- 3)]
/{comm=comm+ 1;...
act=1;}
2
[(sent== 0)]/{sent= 2;comm=comm- 1;act=1;}
Ain [(sent~=- 6)]/{n_t= 0;act=1;}
[(sent== 0)&&(comm== 0)&&(after (dL_a-n_t, clk))&&...
((before (dH_a-n_t, clk)||(temporalCount (clk)==dH_a-n_t)))]
/{sent= 7; n_t=0;}
[(sent== 0)&&(comm== 0)&&( temporalCount (clk)==VRPd-n_t)]/{}
v_p [(sent~=- 4)]/{n_t= 0;}
2
VinB [(sent~=- 4)]
/{n_t= 0;comm=comm+ 1;act=1;}
1
[(sent== 0)]
/{sent= 4;n_t=0;comm=comm- 1;act=1;}
Vin [(sent~=- 7)]/{n_t= 0;act=1;}
[(sent== 0)&&(comm== 0)&&(after (dL_v-n_t, clk))&&...
((before (dH_v-n_t, clk)||(temporalCount (clk)==dH_v-n_t)))]
/{sent= 8; n_t=0;}
a_p  [(sent~=- 8)]/{n_t= 0;}2
[(sent== 0)&&(comm== 0)&&(after (MinA-n_t, clk))&&...
((before (MaxA-n_t,clk)||(temporalCount (clk)==MaxA-n_t)))]
/{sent= 6; n_t=0;}
1
[sent== 5]{sent=- 9;send (Vin);}
2
[sent== 6]{sent=- 8;send (Ain);}
9[sent== 4]{sent=- 4;send (v_s);}
1
[sent== 7]{sent=- 6;send (AinB);}
7
[sent== 8]{sent=- 7;send (VinB);}8[sent== 3]{sent=- 1;send (v_p);}
6 [sent== 9]{sent=- 5;send (uri_s );}3[sent== 2]{sent=- 3;send (a_s );}
5
[sent== 1]{sent=- 2;send (a_p );}
4 [act==1]{act=0;send (tt);}
10
[sent< 0]{sent= 0;send (tt);}
v_p [(sent~=- 9)]/{n_t= 0;}2
[(sent== 0)&&(comm== 0)&&(after (MinV-n_t,clk))&&...
((before (MaxV-n_t,clk)||(temporalCount (clk)==MaxV-n_t)))]
/{sent= 5; n_t=0;}
1
Execution order 
for AVI state 
2
9
5
8
Figure 8. Pacemaker Stateflow chart extracted using UPP2SF from the UPPAAL model in Fig. 7; The heart and buffer models are highlighted.
from [19] was employed to specify a set of tests used for
validation. For each performance constraint we create a test
to check if the appropriate output has been generated within
the required interval. Testing behavioral constraints is more
complex. For each interval boundary we generate two tests.
For closed boundaries we apply inputs that are exactly at the
boundary point and tests points that are outside the interval,
at the distance ǫ from the boundary point (Fig. 9). For open
boundaries we generate inputs that are inside and outside
the interval, at the distance ǫ from the boundary point.
The aforementioned set of requirements is referred to as
the ideal pacemaker requirements. As specified in [16], each
of the intervals is assigned with a certain level of tolerance.
Thus, we define ‘realistic’ requirements, where each of the
real-time constraints is modified to incorporate tolerance.
For example, we modify constraints P1.1 and B1.1 to:
P1.1: AP cannot occur during tv ∈ [0, LRId−AV Id−∆ap);
B1.1: If AS does not occur within interval tv ∈ [0, LRId −
AV Id − ∆ap), AP should occur at tv, tv ∈ [LRId −
AV Id, LRId −AV Id +∆ap];
In the above formulations ∆ap defines the tolerance for
the atrial pacing requirements. Similarly, we (re)define all
of the remaining requirements using the tolerances: ∆vp -
tolerance for ventricular pacing; ∆as - tolerance for atrial
sensing; ∆vs - tolerance for ventricular sensing.
 

  



 

Figure 9. Test points for behavioral real-time constraints.
A set of parameters values, along with their tolerances, is
specified in [16] for each of the aforementioned intervals.
B. Testing in Simulink
To perform evaluation of the Stateflow chart we used
the nominal values in clinical settings [17]: LRId =
1000ms,AV Id = 150ms,URId = 400ms, V RPd =
150ms,ARPd = 200ms. For testing in Simulink we consid-
ered only tests for the ideal system specifications. Since the
chart was activated every 1ms, and transitions in Stateflow
are instantaneous (all transition actions are atomic) we used
ǫ = 0.5ms for simulations. All 13 ‘ideal’ real-time con-
straints (and thus, the constraints with tolerances) were satis-
fied in Simulink. This was expected since all actions within a
clk execution are atomic to the event and no simulation time
elapses during them. In addition, the chart exhibited the same
behaviors as the initial UPPAAL model. For example, for
the aforementioned model parameters, when no inputs were
applied the chart generated AP and VP pulses at the same
time points as the UPPAAL model (i.e., AP were generated
at tapi = (850 + 1000(i − 1))ms, i = 1, 2, ..., and VP at
tvpi = (1000i)ms, i = 1, 2, ...). Similarly, no time was spent
in committed states st3C CC in AVI, and inter CC states
in PVARP and VRP parallel states. To illustrate a more
complex behavior: as in UPPAAL, when AVI component
was in st3 state when the transition URIst1 → URIst2
occurred (causing broadcast of uri s event), no time elapsed
in the URIst2, before the transition URIst2 → URIst1
conditioned with v p took place.
VII. PACEMAKER IMPLEMENTATION
We generated C code from the pacemaker Stateflow
chart using the Simulink Real-Time Workshop Embedded
Coder (RTWEC). The code was generated for the general
embedded real-time target and as a result we obtained the
main procedure, rt_OneStep, which processes the three
input events, V inB, AinB and clk. To ensure that the model
semantics is preserved (modulo the execution time), clk
events should be created every 1ms, followed by the proce-
dure’s activation. This makes it suitable for implementation
on top of a real-time operating system (RTOS).
1) Code Structure: The structure of the code is straight-
forward. The current state of the procedure and all vari-
ables defined in the chart are maintained in the structure
rtDWork. The structure also maintains counter values for
all temporal logic operators. As time in temporal logic
is measured by the number of events since the state’s
activation, for each of the parallel states an additional
counter is defined. Finally, rtDWork contains a structure
(List. 1, Fig. 10(a)) that for each parent state specifies if
it is active, along with which of its substates is active. For
example, is_active_AVI is 1 if AVI state is active, while
is_AVI specifies which of its exclusive substates is active.
The structure of rt_OneStep is shown in
List. 2, Fig. 10(a). After detecting the active input
events, for each active input event, starting from events
will lower indices, an execution of the chart procedure
c1_ChartName is invoked. The variable sfEvent is
used to denote the event that is processed during the chart
execution. As in Stateflow, starting from input events with
lower indices, the events are processed in a prespecified
order using c1_ChartName function. After all events
are processed the procedure updates the outputs and event
states in the prespecified order. This means that although we
broadcast output events and the local events corresponding
to them (e.g., VP and v p) as a part of same transitions, the
outputs will be actually updated at the end of rtOneStep.
This can cause a couple of problems. First, ordering of
the generated output events can be changed from the order
of the corresponding local events. Note that this does not
affect simulations in Simulink, since all actions within a
clk execution are atomic from perspective of the rest of
the Simulink model. The second problem is that with this
approach, for each output event only a single output trigger
can be generated at the end of a clk execution. Thus, if an
output event is broadcast more than once within a single clk
execution, the corresponding output events will be actually
generated one by one, at the end of the consecutive clk
executions (i.e., separated by the duration of clk period).
These issues are resolved using the aforementioned
SendHW_EventName functions.7 Using Simulink features
7These issues do not present a problem for the pacemaker design from
Fig. 8, since only a single AP or a single VP can be broadcast within one
clk execution. However, in this paper we describe the general approach
that allows utilization of the UPP2SF for all types of UPPAAL models.
for integrating custom C code with Stateflow charts in
Simulink, we define empty C functions for each output event
(e.g., for VP we define SendWH_VP). When the code is
implemented on a particular hardware platform, the user
needs to define these functions. For example, the simplest
implementation would include toggling a particular CPU pin
every time the function is invoked.
At the beginning of the chart procedure (List. 3,
Fig. 10(a)) all counters associated with the event (stored in
sfEvent ) are increased. Since the pacemaker code uses
only clk event in temporal logic operators, the five counters
will be incremented only when clk is processed. After this,
the functions associated with each of the parallel states are
called in the order specified by the execution order.
List. 4 from Fig. 10(a) presents a pseudo-code for pro-
cessing each of the parallel states. If the state is active, all
transitions outgoing from its active substate are evaluated in
the pre-specified execution order. The first enabled transition
is taken and associated transition actions are executed. In
the generated code only Eng state, which is executed
last, is used to broadcast events as part of its transition
actions. As shown in List. 5, Fig. 10(a), broadcasting an
event associates the (current event) variable sfEvent
with the event, before it reactivates the chart (by calling
c1_ChartName()).
A. Platform Implementation
The pacemaker code has been executed on nanoRK [20],
a fixed-priority preemptive RTOS that runs on a variety
of resource constrained platforms (e.g., 8-bit Atmel-AVR,
16-bit TI-MSP430). We tested the implementation on the
TI MSP-EXP430F5438 Experimenter Board interfaced with
a signal generator that provides inputs for the pacemaker
code (Fig. 10(b)). The compiled (without optimization)
pacemaker procedure uses 2536 B for code and additional
180 B for data. To interface the code with the environment,
each of the inputs (Ain, Vin) triggers an interrupt routine
used to set the appropriate event for rt_OneStep function.
The pacemaker code was run as a task with period 1ms.
Table I shows measured execution times for the pacemaker
tasks, for two different CPU frequencies. The measurements
from Table I can be mapped to CPU utilization for the
pacemaker task. With the average utilization of 9.2% for
an 8MHz CPU, we can run multiple tasks on the RTOS.
CPU Average Minimal Maximal Standard
frequency ex. time ex. time ex. time deviation
4MHz, OL 176.1µs 167.6µs 462.9µs 14.2µs
4MHz 180.9µs 167.6µs 738.2µs 17.3µs
8MHz, OL 89.5µs 84.7µs 234.6µs 7.2µs
8MHz 92.0µs 84.9µs 370.4µs 13.7µs
Table I
EXECUTION TIMES FOR THE PACEMAKER PROCEDURE; OL DENOTES
OPEN-LOOP, WITHOUT INPUTS FROM THE SIGNAL GENERATOR.
!!!"#$%#&'!()!broadcast_tt()!*+,-./0+.!
static void broadcast_tt(void) {!
  int16_T sf_previousEvent;!
  sf_previousEvent = _sfEvent_;!
  _sfEvent_ = event_tt;!
  c1_ChartName();!
  _sfEvent_ = sf_previousEvent;!
}!
!!!!!!!"#$%#&'!1)!Rt_OneStep!*+,-./0+. 
detect active inputs;!
for each of the input events {!
  if EventName is active   {!
    sf_previousEvent = _sfEvent_;!
    _sfEvent_ = EventName;!
    c1_ChartName();!
    _sfEvent_ = sf_previousEvent;!
  }!
}! 
update the outputs;!
update the input events states; 
!!!!"#$%#&'!2)!cl_ChartName()!*+,-./0+. 
increase counters for _sfEvent_;!
for each parallel state {!
  processState();!
} 
!!!!!!!!!!!!!!!!!!!!"#$%#&'!3)!processState()!*+,-./0+.!
if (rtDWork.bitsForTID0.is_active_NAME != 0) {!
  switch (rtDWork.bitsForTID0.is_NAME) {!
    case SubStateName1:!
      /* the loop below is - checkTrans();*/!
      for all transitions in ex. order {!
       if transition enabled {!
         execution transition actions;!
         reset corresponding temporal counters;!
         update rtDWork.bitsForTID0.is_NAME;!
         break for!
       }!
      }!
      break;!
    case SubStateName2:!
      checkTrans();!
      break;!
    ...   !
    default:!
     rtDWork.bitsForTID0.is_NAME=NoActiveChild;!
     break;!
   }!
  }!
!!!!!!"#$%#&'!4)!bitsForTID0!/.5#&#%#,&!
struct {!
    uint_T is_AVI:3;                  !
    uint_T is_LRI:2;                !
    uint_T is_PVARP:2;               !
    uint_T is_VRP:2;                  !
    uint_T is_URI:2;                  !
    uint_T is_active_AVI:1;          !
    uint_T is_active_LRI:1;           !
    uint_T is_active_PVARP:1;       !
    uint_T is_active_VRP:1;        !
    uint_T is_active_URI:1;          !
    uint_T is_active_Eng:1;       !
    uint_T is_Eng:1;                     !
    uint_T URI_ex:1;             !
  } bitsForTID0;!
(a) (b)
Figure 10. a) Structure of the pacemaker code obtained from the Stateflow chart shown in Fig. 8. b) Hardware setup, with MSP430F5438 experimenters
board. c) Transition monitor - TrMonitor automaton.
B. Worst Case Execution Time Estimation in UPPAAL
Correctness of the generated code relies on the assumption
that execution of the code completes before the next external
activation. To make sure that it does, we need to estimate
the WCET of the code execution, taking into account that
the c1_ChartName (i.e., the chart) may be internally
activated multiple times. We propose an approach that does
not require translation from UPPAAL to Stateflow. Rather it
uses the initial UPPAAL model to calculate an upper bound
on the maximal number of internal activations Ni within an
external activation (i.e., per clk execution).
To determine the bound for Ni we note that the chart
is reactivated with event broadcasts and some transitions.
Therefore, we extend the model with the following account-
ing features:
• Global variable tr cnt and the automaton TrMonitor
(Fig. 10(c)) that resets the variable at integer time points,
• In the controller part of the UPPAAL model (automata
AVI, LRI, URI, PVARP, ARP in the pacemaker model) reset
operation tr cnt = tr cnt + 1 is added to all edges with
transmissions over a broadcast channel, or edges that would
be translated into Stateflow transitions with act = 1 reset,
• Reset tr cnt = tr cnt+1 to the edges with transmissions
over broadcast channels that present inputs to the controller,
• Introduce UPPAAL temporal formula A[ ]tr cnt ≤ N˜i.
With the above changes the variable tr cnt bounds the
number of internal activations of the chart. Thus, if the above
proposition is satisfied, the value N˜i + 1 provides an upper
bound for the number of chart executions within a single clk
execution (1 is due to external activation). For the pacemaker
UPPAAL model from Fig. 7 we added the reset operation to
8 transitions. We proved that the formula holds for N˜i = 5.
VIII. TESTING OF THE PHYSICAL IMPLEMENTATION
We validated the physical implementation using the pro-
cedure from Section VI-A. Unlike validation of the Stateflow
chart, for physical testing we considered two types of tests.
For the ideal system specifications we used ǫ ≤ 80µs, since
84.9µs was the chart’s minimal execution time (Table I).
Similarly, since all the predefined tolerances are ±4ms, for
the second set of tests we used 4ms < ǫ ≤ 4.08ms.
Table II presents testing results for the pacemaker im-
plementation executed on the MSP430 experimenters board.
When the tolerances are not taken into account some of the
properties that were verified in UPPAAL and validated in
Simulink were violated during the tests. The reason is that
the UPPAAL semantics uses an unrealistic assumption that
the machine executing the code is infinitely fast (i.e., no
time elapses during transitions) and the system’s reaction
to synchronization is instantaneous. In the general case,
the execution delays can cause violation of the UPPAAL
semantics in the obtained physical implementation, which is
the main reason for violation of some of the verified safety
properties. However, when interval tolerances are taken into
account, all properties were satisfied, as shown in Table II.
For example, consider the property B4.2. Fig. 11 presents
one of the oscilloscope screenshots obtained during the
testing. The signals shown are Ain (top), AS (middle)
and clk (bottom). As shown, Ain appeared right after the
first clk occurrence. It sets the appropriate flag in the
interrupt routine, but the processing of the corresponding
event occurred with the next clk. The event processing
takes approximately 232µs before AS is generated. This,
along with the time (up to 1ms) between Ain and the
Requirement P1.1 B1.1 B1.2 P2.1 P2.2 B2.1 B2.2
Ideal Pass Fail Pass Pass Pass Fail Fail
With tolerance Pass Pass Pass Pass Pass Pass Pass
Requirement P3.1 B3.1 B3.2 P4.1 B4.1 B4.2
Ideal Pass Fail Fail Pass Fail Fail
With tolerance Pass Pass Pass Pass Pass Pass
Table II
RESULTS OF THE TESTS PERFORMED ON THE SETUP FROM FIG. 10(B).
Figure 11. A test screen shot for property B4.2; clk pulses are highlighted.
following clk, results in delay of up to 1.232ms. Thus, ideal
requirement B4.2 is violated. However, since the delay is
within the tolerance bound, the requirement is satisfied when
the tolerances are taken into account.
IX. DISCUSSION
We have presented the design of UPP2SF, a model
translation tool from UPPAAL to Simulink/Stateflow. The
tool enables an MDD-based framework, with the model
verification in UPPAAL, simulation and testing in Stateflow
and automated code generation to C, C++, VHDL and
Verilog. This has been demonstrated on a case study of an
implantable pacemaker. We now discuss some open issues.
1) Decoupling the Controller and the Environment: In
Section V-B we have described the method used to decouple
models of the heart and pacemaker. However, our imple-
mentation introduces some problems regarding processing
of input signals. By introducing an interrupt routine that
sets a flag if the input occurs, we effectively synchronize
asynchronous input signals. This has a twofold effect on the
implemented code. First, each input signal will be processed
at most once even if it appears more than one time between
consecutive task’s activations. This is not a problem with
the pacemaker, since in the initial UPPAAL model, due to
the buffers, all inputs after the first input in a cycle are
disregarded until at least dL a (or dL v) time. Second, it
introduces a latency of up to the task’s period (in our case
1ms) before the input signals are processed. This problem
occurs even if the code has been generated using Times or
any other tool, since the number of clocks used in models is
usually greater than the number of timers that CPU provides.
A solution that for verification relaxes upper bounds on the
buffer induced delays is proposed in [13].
2) Correctness of the UPP2SF Procedure: In this work
we have shown that UPP2SF preserves behavior of the
pacemaker model, and that the obtained Stateflow chart man-
ifests the same behavior as the UPPAAL model. Although
we developed UPP2SF using the ‘correct by construction’
approach, there is no formal proof of correctness for the
derived procedure. Since the Stateflow semantics is infor-
mally defined (although there exist some attempts to derive
formal semantics, e.g., [21]), establishing correctness of the
translation procedure is not possible. Therefore, as a part
of our ongoing work we use conformance testing to show
that the translation procedure preserves behaviors on a set
of representative examples.
REFERENCES
[1] R. Alur, “Timed Automata,” in Computer Aided Verification,
1999, vol. 1633, pp. 688–688.
[2] R. Alur et al., “The algorithmic analysis of hybrid systems,”
Theoretical Computer Science, vol. 138, no. 1, pp. 3–34,
1995.
[3] I. Lee et al., “High-Confidence Medical Device Software and
Systems,” IEEE Computer, vol. 39, no. 4, pp. 33–38, 2006.
[4] “List of Device Recalls, U.S. Food and Drug Admin., (last
visited Jul. 19, 2010).”
[5] K. G. Larsen, P. Pettersson, and W. Yi, “Uppaal in a nut-
shell,” International Journal on Software Tools for Technology
Transfer, vol. 1, no. 1, pp. 134–152, 1997.
[6] G. Behrmann, A. David, and K. Larsen, “A tutorial on
uppaal,” in Formal Methods for the Design of Real-Time
Systems, 2004, vol. 3185, pp. 33–35.
[7] K. Altisen and S. Tripakis, “Implementation of timed au-
tomata: An issue of semantics or modeling?” in Formal
Modeling and Analysis of Timed Systems, 2005, vol. 3829,
pp. 273–288.
[8] T. Amnell, E. Fersman, L. Mokrushin, P. Pettersson, and
W. Yi, “Times: A tool for schedulability analysis and code
generation of real-time systems,” in Formal Modeling and
Analysis of Timed Systems, 2004, vol. 2791, pp. 60–72.
[9] M. Hendriks, “Translating UPPAAL to Not Quite C,” Com-
puting Science Institute, Tech. Rep. CSI-R0108, 2001.
[10] F. Leitner and S. Leue, “Simulink Design Verifier vs. SPIN -
a Comparative Case Study,” in FMICS’08: ERCIM Workshop
on Formal Methods for Industrial Critical Systems, 2008.
[11] N. Scaife, C. Sofronis, P. Caspi, S. Tripakis, and F. Maran-
inchi, “Defining and Translating a ”Safe” Subset of
Simulink/Stateflow into Lustre,” in EMSOFT’04: ACM conf.
on Embedded software, 2004, pp. 259–268.
[12] T. Henzinger, Z. Manna, and A. Pnueli, “What good are
digital clocks?” in Automata, Languages and Programming,
1992, vol. 623, pp. 545–558.
[13] M. Pajic, I. Lee, R. Mangharam, and O. Sokolsky, “UPP2SF:
Translating UPPAAL models to Simulink,” University of
Pennsylvania, Tech. Rep., Oct 2011.
[14] “Matlab R2011a Documentation → Stateflow,”
http://www.mathworks.com/help/toolbox/stateflow.
[15] S. Barold, R. Stroobandt, and A. Sinnaeve, Cardiac Pacemak-
ers: Step by Step. Blackwell Futura, 2004.
[16] “PACEMAKER System Specification,” Boston Scientific,
2007.
[17] Z. Jiang, M. Pajic, S. Moarref, R. Alur, and R. Mangharam,
“Modeling and Verification of a Dual Chamber Implantable
Pacemaker,” in TACAS’12: 18th Conf. on Tools and Algo-
rithms for the Construction and Analysis of Systems, 2012.
[18] Z. Jiang, M. Pajic, and R. Mangharam, “Cyber-physical mod-
eling of implantable cardiac medical devices,” Proceedings of
the IEEE, vol. 100, no. 1, pp. 122–137, 2012.
[19] D. Clarke and I. Lee, “Testing real-time constraints in a
process algebraic setting,” in Proceedings of the International
Conference on Software Engineering, 1995, pp. 51–60.
[20] “nano-RK Sensor RTOS. http://nanork.org.”
[21] G. Hamon and J. Rushby, “An Operational Semantics for
Stateflow,” International Journal on Software Tools for Tech-
nology Transfer, vol. 9, no. 5, pp. 447–456, 2007.
