# Synthesis of Timed Behavior From Scenarios in the Fujaba Real-Time Tool Suite \*

Stefan Henkler, Joel Greenyer, Martin Hirsch, Wilhelm Schäfer,
Kahtan Alhawash, Tobias Eckardt, Christian Heinzemann, Renate Löffler
Software Engineering Group
University of Paderborn, Germany
{shenkler,jgreen,mahirsch,wilhelm,alhawash,tobie,chris227,renate}@uni-paderborn.de

Andreas Seibel and Holger Giese System Analysis and Modeling Group Hasso Plattner Insitute, University of Potsdam, Germany {andreas.seibel,holger.giese}@hpi.uni-potsdam.de

### **Abstract**

Based on a well-defined component architecture the tool supports the synthesis of so-called real-time statecharts from timed sequence diagrams. The two step synthesis process addresses the existing scalability problems by a proper decomposition and allows the user to define particular restrictions on the resulting statecharts.

#### 1. Introduction

The current and even more so next generation of so-called embedded or mechatronic systems will behave more intelligently than todays systems by building communities of autonomous components (or agents) that exploit local and global networking to enhance their functionality [16].

Typical examples of this type of systems are advanced transportation systems like driver assistance systems in cars, which can inform the driver about accidents and also take appropriate actions in case of an emergency, or as another example, cooperative illumination of roads. In either case, cars communicate with each other extensively. Another example of this type of system is the Paderborn RailCab system, which is used to illustrate the approach described here.

The complexity of these systems as well as the inability to test them sufficiently enough to guarantee crucial safety properties demands a model driven approach. Our approach, called MECHATRONIC UML, which is implemented by the FUJABA Real-Time Tool Suite, is based

on specifying components by a refined UML 2.0 component model. Refinement concerns in particular the detailed definition of ports and connectors which specify a peer to peer communication between components by using real-time statecharts<sup>1</sup>. Each single port-to-port connection is defined by a single statechart that specifies the roles of the two ports and the corresponding connector properties. Such a port-to-port communication is called a coordination pattern in our approach [8]. Further refinement of the component model concerns a proper integration between the discrete parts specifying the component interaction and continous control specifying individual controllers by differential equations.

While our tool demonstration at ICSE 07 [3] presented the latter part and especially illustrated real-time simulation of components in a 3D environment, this paper and the corresponding tool is about specifying the coordination patterns and the individual component communication behavior. The precise definition of the coordination patterns is synthesized from a scenario-based specification. This specification especially supports the definition of time constraints as it is required for the communication of hard realtime systems. The synthesis algorithm generates a real-time statechart specifying a single coordination pattern from a number of given scenarios. In a second synthesis step, a complete component behavior concerning its interaction with other components is automatically derived from the statecharts generated by the first step. These two synthesis steps (see Figure 1) and especially their corresponding tool support are the subject of this paper. Please note that the definition of coordination patterns is also the key to a compositional formal verification approach which is how-

<sup>\*</sup>This work was developed in the course of the Special Research Initiative 614 – Self-optimizing Concepts and Structures in Mechanical Engineering – University of Paderborn, and was published on its behalf and funded by the Deutsche Forschungsgemeinschaft.

<sup>&</sup>lt;sup>1</sup>Real-time statecharts are an extension of timed automata

ever beyond the scope of this paper and has been described elsewhere [8, 4].

Key original contributions of the two synthesis steps are (1) the use of parameterized timing constraints in the definition of the sequence diagrams which are input to the first synthesis step and (2) the not necessarily only parallel composition of the different statecharts in the second step, i.e. the algorithm accepts additional so-called state restrictions as input which may exclude certain (timed) state sequences from the parallel product of the statecharts (roles). The algorithm however checks whether those restrictions do not violate the specifications of the sequence diagrams from which the statecharts have been derived, i.e. restrictions do not change the observable behavior of the roles.



Figure 1. Overview of synthesis process

Next, we explain the parametrized timed scenario synthesis approach (cf. [7]). Afterward, we explain the synthesis approach of the component behavior (cf. [12]). Finally, we compare our approach with related work and we conclude with final remarks.

# 2. Coordination Behavior Synthesis

We use a restricted subset of UML 2.0 sequence diagrams [14, p. 435] to specify parametrized timed scenarios. UML 2.0 sequence diagrams allow us to specify durations for message transfers and lower and upper bounds for the time passed between two points on a lifeline. Upper bounds may be arbitrary sums of constants and parameters whereas lower bounds may only consist of constants (in contrast to UML 2.0 sequence diagrams).

Distinguishing optional and required behavior is another important aspect of scenarios. Triggers have first been proposed as a technique for expressing conditional behavior for live sequence charts (LSC) [11] and also appear in triggered message sequence charts (TMSCs) [17]. We use the assert block introduced by UML 2.0 sequence diagrams [14, p. 444] to describe the conditional behavior of parametrized timed scenarios. Such blocks indicate a mandatory sequence of behavior that needs to be executed once the preceding steps have been observed and the block has been entered. For dealing with cases where several assertions are in conflict, we assign priorities to scenarios.

In order to facilitate the transition to a state-based model, we explicitly add state labels to the lifelines, which represent states or sets of possible states [14, p. 442]. The labels allow us to use self-documenting state names in the generated statecharts and to enable the specification of configurations [5].



Figure 2. Overview synthesis of coordination pattern

The synthesis algorithm (see Figure 2) first checks whether the specified time constraints are consistent within a single scenario, e.g. that a deadline may not be earlier than the sum of the lower bounds of all required operations. Secondly, time constraints are checked across different scenarios and the algorithm checks assert blocks for correctness as they can lead to conflicts when two scenarios require mutually exclusive behavior.

In order to solve the synthesis problem, the parametrized time constraints are transformed into a system of linear inequalities. These are then passed to a constraint solver (either a free proprietary implementation of the simplex algorithm or the – much more efficient – commercial CPLEX library) which determines valid values, respectively ranges, for each parameter. If a configuration yielding a consistent specification exists, the scenarios can be transformed and combined in order to obtain role behavior in the form of a parametrized real-time statechart. These can then be turned into a regular real-time statechart by selecting parameter values from the computed ranges [6].

The "two step" approach sketched above addresses the usually intractable synthesis problem, at least in its most general form. Like other approaches [1] which also consider the parametrized case as well as mandatory behavior and not centralized behavior, the first step takes only local context into account. A second verification step checks whether the synthesis result is correct after valid parameter values have been selected.

In practice, specifying timing information such as worstcase execution times (WCET), deadlines, or timeouts early during the requirements definition phase is difficult. By starting from parametrized scenarios, we can set the parametrized constraints in a meaningful context (the requirement of a particular application) and identify the maximal possible timing constraint within the predefined ranges. This enables to specify more general timing constraints for supporting different target platforms instead of specifying absolute values for the timeouts.

This synthesis approach avoids scalability problems because, firstly, the synthesis is supported by providing details about the states involved in the communication behavior. Secondly, the synthesis problem for real-time patterns remains tractable because the single patterns limit the number of interacting roles so that only a moderate number of scenarios has to be synthesized by one run of the algorithm. In the next section we explain how restrictions can be considered when combining the synthesized patterns in a component architecture.

# 3. Component Behavior Synthesis

After the synthesis of the coordination patterns and their constituent parts, namely their roles, in a second step the different roles have to be mapped (manually) to the ports of a given component architecture. Our tool guarantees that connected ports in the component diagram are assigned the corresponding roles of a coordination pattern (see the example in the appendix for further details).

After each port of a component has been assigned a role (of a corresponding pattern), the overall component behavior is synthesized automatically. In a first step, our algorithm simply computes the parallel composition of all roles or, more technically speaking, of all statecharts.

However, the user may specify restrictions on sequences of states executions paths which should not occur in the synthesized component behavior, i.e. which restrict the component behavior [12]. These restrictions are given in the form of Boolean expressions or in the form of timed automata. The first possibility is used when a restriction does not include any timing constraints.

Our algorithm checks whether the given restrictions are not in conflict with the statechart behavior as synthesized in the first step from the specified sequence diagrams. If so, the user is informed and asked to resolve this conflict. If not, the statechart defining the component behavior is synthesized by changing the parallel composition of the role automata with respect to the defined state restrictions.

### 4. Related Work

For synthesizing statecharts from scenarios with timing constraints, only a number of limited approaches exist. The approach proposed in [18] synthesizes only global solutions in form of a single automaton for non-parametrized scenarios, which assumes angelic non-determinism and does



Figure 3. Overview component behavior synthesis

not support progress conditions [19]. The approach of [15] results in a global non-parametrized timed automaton which supports progress, but requires scenario descriptions in form of trees that already introduce some of the required operational behavior. The play-out engine [11] enables the play-out of live sequence charts (LSC) with timers, but also only constructs global behavior for non-parametrized LSCs.

All these approaches do not support the explicit annotation of states to scenarios which is of paramount importance for embedded or mechatronic systems to enable the specification of configurations [5]. Furthermore, our approach supports by the pattern based specification of the coordination behavior the decomposition of the system and therefore only synthesize the relevant composed behavior. In contrast the general LSC synthesis approach [10] results in a global automaton which is in a second step decomposed and deployed which makes formal verification approaches for LSC (with timers) like presented in [2, 20, 13] less scalable.

There exist some approaches which facilitate the synthesis of safe real-time component behavior [9]. But no one provides depending / non-orthogonal concerns.

# 5. Conclusion and Future Work

We have presented a synthesis approach for real-time component systems. We consider the complex real-time coordination behavior as well as the complex component behavior which results from the coordination behavior and the synchronization between the coordination behaviors if required.

In [3] we have shown the specification and simulation of reconfigurations. Based on this idea, we want to extend our synthesis approach to hybrid systems where the reconfigurations of controllers need to synchronized with respect to the communication behavior between the system components.

### References

- [1] Y. Bontemps and P. Heymans. As fast as sound (lightweight formal scenario synthesis and verification). In H. Giese and I. Krüger, editors, *Proc. of the 3rd Int. Workshop on "Scenarios and State Machines: Models, Algorithms and Tools"* (SCESM'04), pages 27–34, Edinburgh, May 2004. IEE.
- [2] A. Bunker, G. Gopalakrishnan, and K. Slind. Live sequence charts applied to hardware requirements specification and verification: A vci bus interface model. *Int. J. Softw. Tools Technol. Transf.*, 7(4):341–350, 2005.
- [3] S. Burmester, H. Giese, S. Henkler, M. Hirsch, M. Tichy, A. Gambuzza, E. Münch, and H. Vöcking. Tool support for developing advanced mechatronic systems: Integrating the fujaba real-time tool suite with camel-view. In *Proc.* of the 29th International Conference on Software Engineering (ICSE), Minneapolis, Minnesota, USA, pages 801–804. IEEE Computer Society Press, May 2007.
- [4] S. Burmester, H. Giese, M. Hirsch, D. Schilling, and M. Tichy. The Fujaba Real-Time Tool Suite: Model-Driven Development of Safety-Critical, Real-Time Systems. In Proc. of the 27th International Conference on Software Engineering (ICSE), St. Louis, Missouri, USA, pages 670–671, May 2005.
- [5] H. Giese, S. Burmester, W. Schäfer, and O. Oberschelp. Modular Design and Verification of Component-Based Mechatronic Systems with Online-Reconfiguration. In Proc. of 12th ACM SIGSOFT Foundations of Software Engineering 2004 (FSE 2004), Newport Beach, USA, pages 179–188. ACM, November 2004.
- [6] H. Giese, S. Henkler, M. Hirsch, and F. Klein. Nobody's perfect: Interactive Synthesis from Parametrized Real-Time Scenarios. In Proc. of the 5<sup>th</sup> ICSE 2006 Workshop on Scenarios and State Machines: Models, Algorithms and Tools (SCESM'06), Shanghai, China, pages 67–74. ACM Press, May 2006.
- [7] H. Giese, F. Klein, and S. Burmester. Pattern synthesis from multiple scenarios for parameterized real-timed uml models. In S. Leue and T. Systä, editors, *Scenarios: Models, Algo*rithms and Tools, volume 3466 of Lecture Notes in Computer Science (LNCS), pages 193–211. Springer Verlag, 0 2005.
- [8] H. Giese, M. Tichy, S. Burmester, W. Schäfer, and S. Flake. Towards the Compositional Verification of Real-Time UML Designs. In *Proc. of the European Software Engineering Conference (ESEC), Helsinki, Finland*, pages 38–47. ACM Press, September 2003.
- [9] G. Gössler and J. Sifakis. Component-based construction of deadlock-free systems. In FST TCS 2003: Foundations

- of Software Technology and Theoretical Computer Science, volume 2914/2003 of Lecture Notes in Computer Science, pages 420–433. Springer Berlin / Heidelberg, 2003.
- [10] D. Harel and H. Kugler. Synthesizing state-based object systems from LSC specifications. In *Implementation and Application of Automata*, volume 2088 of *Lecture Notes in Computer Science*, pages 1–33. Springer Berlin / Heidelberg, 2001.
- [11] D. Harel and R. Marelly. Playing with Time: On the Specification and Execution of Time-Enriched LSCs. In *Proc.* 10th IEEE/ACM Int. Symp. on Modeling, Analysis and Simulation of Computer and Telecommunication Systems (MASCOTS 2002), Fort Worth, Texas, USA, 2002. (invited paper).
- [12] S. Henkler, T. Eckardt, A. Seibel, and H. Giese. Synthesis of real-time component behavior. Technical Report tr-ri-08-296, University of Paderborn, Paderborn, Germany, Dezember 2008.
- [13] J. Klose, T. Toben, B. Westphal, and H. Wittke. Check it out: On the efficient formal verification of live sequence charts. In *Computer Aided Verification*, volume 4144 of *Lecture Notes in Computer Science*, pages 219–233. Springer Berlin / Heidelberg, 2006.
- [14] Object Management Group. *UML 2.0 Superstructure Specification*, 2003. Document ptc/03-08-02.
- [15] A. Salah, R. Dssouli, and G. Lapalme. Implicit integration of scenarios into a reduced timed automaton. *Information* and Software Technology, 45:715–725, August 2003.
- [16] W. Schäfer and H. Wehrheim. The Challenges of Building Advanced Mechatronic Systems. In FOSE '07: 2007 Future of Software Engineering, pages 72–84. IEEE Computer Society, 2007.
- [17] B. Sengupta and R. Cleaveland. Triggered Message Sequence Charts. In W. G. Griswold, editor, *Proceedings of the Tenth ACM SIGSOFT Symposium on the Foundations of Softare Engineering (FSE-10)*, Charleston, South Carolina, USA, November 2002. ACM Press.
- [18] S. Somé, R. Dssouli, and J. Vaucher. From Scenarios to Timed Automata: Building Specifications from Users Requirements. In *Proceedings of the 1995 Asia Pacific Soft*ware Engineering Conference (APSEC '95), 1995.
- [19] M. Walicki and S. Meldal. Algebraic Approaches to Nondeterminism—an Overview. *ACM Computing Surveys*, 29(1):30–81, March 1997.
- [20] H. Wittke. A Framework for Specification Verification for Complex Embedded Systems. PhD thesis, C. v.O. Universität Oldenburg, 2005.