# Model Checking FMI Co-simulation Using Timed Automata

Kaiqiang Jiang, Chunlin Guan, Jiahui Wang, Dehui Du\* Shanghai Key Laboratory of Trustworthy Computing, East China Normal University, Shanghai, 200062, China Email: dhdu@sei.ecnu.edu.cn

Abstract—Cyber-physical Systems(CPSs) focus on the coupling of cyber part viewed as distributed computation units and physical part covering the environment affecting the running of the system. CPSs are often treated modularly to tackle both complexity and heterogeneity. The verification of CPSs may be done modularly by Functional Mock-up Interface (FMI) cosimulation. However, the master algorithm for co-simulation may be livelock or deadlock. The architectural modelling of CPSs may introduce an algebraic loop which is a feedback loop resulting in instantaneous cyclic dependencies. To solve these problems, we propose a novel approach for model checking several properties of FMI co-simulation such as deadlock, liveness, reachability. We model the architecture of CPSs with SysML block diagrams, which captures the dependence of Functional Mock-up units (FMUs) and the orchestration of the master algorithm. Next, we encode FMU components and three various master algorithms with timed automata separately. Finally, we verify the correctness of the co-simulation and the absence of algebraic loops in the architecture with UPPAAL. To illustrate the feasibility of our approach, the case study water tank is presented. The results show that our approach helps model checking FMI co-simulation.

Keywords—Co-simulation, Master algorithm, Functional Mockup Interface, Timed automata, Model checking.

## I. INTRODUCTION

Cyber-physical systems (CPSs) are integration of computation with physical processes whose behavior is defined by both computational and physical parts of the system [1]. Embedded computers and networks monitor and control the physical processes, usually with feedback loops where physical processes affect computations and vice versa. The heterogeneity is one of the main characteristics of CPSs. The components of CPSs are of various types, requiring interfacing and interoperability across multiple platforms and different models of computation. Verification of CPSs as a whole requires the use of heterogeneous simulation environments. One emerging industry standard is the Functional Mock-up Interface (FMI) [2]. It is a standard designed to support simulation of complex systems comprising heterogeneous components, by coupling the different models with their own solver in a co-simulation environment.

FMI [9] defines an standard applied to composing model components which are designed with different modeling tools. The FMI standard was first developed in the MODELISAR project started in 2008 and supported by a large number of software companies and research centers. FMI offers

the means for model based development of systems and is particularly appropriate way to develop complex CPSs. The FMI standard supports both co-simulation and model exchange. However, in this paper, we focus on the co-simulation in FMI 2.0. Compared with the FMI 1.0, there are two important additions: fmiGetFMUstate and fmiSetFMUstate, which allow the master to copy and later restore the complete state of an FMU slave. The two functions provide an ordinary mechanism for rollback, however, they are not practical for the reason that it's infeasible to restore so many states for a huge system. The function fmiDoStep is to control the computation of time steps, called by the MA to orchestrate the exchange of data among the FMUs during the entire co-simulation.

fmiStatus fmiDoStep(
fmiComponent c,
fmiReal currentCommunicationPoint,
fmiReal communicationStepSize,
fmiBoolean noSetFMUStatePriorToCurrentPoint);

The currentCommunicationPoint argument is the current communication time of the master. The communicationStepSize is the time step that the master proposes to the slave. Given a time step, the slave may accept or reject the step. For example, it may reject it because the step size is so large that causes a discrete event within the step. If the argument noSetFMUStatePriorToCurrentPoint is true, the master will no longer call fmiSetFMUstate for time instants prior to currentCommunic

tionPoint in this simulation run. A master algorithm(MA) [3] provides the orchestration of the entire co-simulation. However, the master algorithm is not part of the FMI standard. This implies that the user or tool vendor needs to develop a sophisticated orchestration algorithm for the problem at hand. The correctness of the master algorithm also needs to be analysed. In this paper we explicitly model the co-simulation of CPSs to model check several properties of co-simulation such as deadlock, liveness, and reachability. To achieve the goal, we present a novel approach to model and verify the properties of co-simulation with timed automata [4]. The schematic view of our approach is shown in Fig.I. At the design phase, we construct the architecture of CPSs with SysML block diagrams [5]. Each block represents a component and the communication between components is modeled with SysML connector. To simulate the whole system with co-simulation techniques, the block can be modeled with a Functional Mock-up (FMU) and the connector can be

modeled with a master algorithm. The MA orchestrate FMUs to accomplish the communication between FMUs. To verify the correctness of the architecture, we encode the FMU and the master algorithm by timed automata, which facilitates the verification livelock or deadlock with the model checker UPPAAL [6].



Fig. 1. A schematic view of our approach.

### Contributions. Our contributions are as follows:

- We present a novel approach to model checking several properties of the co-simulation, such as livelock, deadlock and reachability. Moreover, we propose to check the absence of algebraic loops of SysML architectural model.
- We model the master algorithms for co-simulation with timed automata. Three various master algorithms are analysed with model checking. Besides, FMU is also modeled with timed automata and the orchestration between FMUs is modeled with a network of timed automata. With the help of UPPAAL, we analyse the reachability, livelock and deadlock of the architecture.
- We present how to model the architecture of CPSs with SysML block diagrams. We deal with the heterogeneity of CPSs by supporting multi-modelling and co-simulation based on FMI standard.
- The prototype for model checking co-simulation of CPSs is developing, which is integrated in our Mondana platform [7](https://github.com/ECNU-MODANA/AL-Modana.git). We have developed the SysML modelling environment and the *co-simulator* for simulating CPSs [8].

The remainder of this paper is organized as follows. In Section II, we briefly review the technical background including FMI, FMU and timed automata, and then provide encoding FMU by timed automata. Section III encodes three versions of master algorithms with timed automata and verify the livelock and deadlock of three master algorithms. Section IV presents the architecture modelling with SysML block diagrams. Section V presents the model checking FMI co-simulation with the example water tank. The experimental results show that our approach is feasible and useful. Finally we position our work with respect to related work before concluding and discussing possible future extensions.

## II. ENCODING FMUS BY TIMED AUTOMATA

We give the syntax and semantics of FMU and timed automata. In order to verify the execution of FMUs. We propose to encode FMUs by timed automata. In next section, we verify the network of timed automata in UPPAAL.

## A. FMU

FMU is the model component which implements the methods defined in the FMI API [10]. Here, we present the syntax and semantics of FMU. The aim is to encode FMU into timed automata based on their semantics.

**Definition II.1. FMU syntax** We recall the definition of FMU. An FMU is a tuple  $F = (L, U, Y, D, l_0, set, get, doStep)$ , where:

- L denotes the set of locations of F.
- U denotes the set of input port variables of F. Note that an element  $u \in U$  is a variable, not a value, which ranges over a set of values  $\mathbb{V}$ .
- Y denotes the set of output port variables of F. Each  $y \in Y$  ranges over the same set of values  $\mathbb{V}$ .
- D ⊆ U × Y denotes a set of input-output dependencies. (u, y) ∈ D means that the output y is directly dependent on the value of u. The I/O dependency information is used to ensure that a network of FMUs does not contain cyclic dependencies, and also to identify the order in which all variables are computed during a step.
- $l_0 \in L$  denotes the initial location of F.
- $set: L \times U \times \mathbb{V} \to L$  denotes the function that sets the value of an input variable. Given current location  $l \in L$ , input variable  $u \in U$ , and value  $v \in \mathbb{V}$ , it returns the new location obtained by setting u to v.
- $get: L \times Y \to \mathbb{V}$  denotes the function that returns the value of an output variable. Given location  $l \in L$  and output variable  $y \in Y$ , get(l,y) returns the value of y in l.
- $doStep: L \times \mathbb{R}_{\geqslant 0} \to L \times \mathbb{R}_{\geqslant 0}$  denotes the function that implements one simulation step. Given current location l, and a non-negative real value  $h \in \mathbb{R}_{\geqslant 0}$ , doStep(l,h) returns a pair (l',h') such that: When h' = h, it indicates that F accepts the time step h and reaches the new location l'; When  $0 \leqslant h' < h$ , this means that F rejects the time step h, but making partial progress up to h', and reach the new location l'.

**Definition II.2. FMU semantics** Given the FMU  $F = (L, U, Y, D, l_0, set, get, doStep),$ 

The behavior of F depends on the functions doStep, which is a function of a timed input sequence (TIS). A TIS is an infinite sequence  $v_0h_1v_1h_2v_2h_3...$  of alternating input assignments  $v_i$ , and time delays  $h_i$ . An input assignment is the value of function  $v: U \to \mathbb{V}$ . That is, v assigns a value to every input variable in U. A TIS denotes a running of FMU, which is an infinite sequence of quadruples (t, l, v, v'), where  $t \in \mathbb{R}_{\geq 0}$  is a

time instant,  $l \in L$  is a location of F, v is an input assignment, and  $v': Y \to \mathbb{V}$  is an output assignment

TIS :=  $(t_0, l_0, v_0, v_0')(t_1, l_1, v_1, v_1')(t_2, l_2, v_2, v_2')...$  is defined as follows:

- $t_0 = 0$  and  $l_0$  is the initial location of F.
- For each  $i \geqslant 1$ ,  $t_i = t_0 + \sum_{k=1}^{i} h_k$
- Given the current location  $l_i$ , the function set is used to set all input variables to the values specified by v. Then F reaches a new location  $l'_i$ . The function get is used to get the values of all output variables  $v'_i$ .
- We assume that  $doStep(l'_i, h_{i+1}) = (l_{i+1}, h_{i+1})$  based on the assumption that every  $h_i$  is accepted by F, F will reach the next location  $l_{i+1}$ .

#### B. Timed Automata

Timed automata (TA) [6] is a theory to model the behavior of real-time systems. Its definition provides a powerful way to annotate state-transition graphs with many real-valued clocks. In this section, we introduce the syntax and semantics of timed automata. In section V, we will model our case study with TA, so that we can use the model checker UPPAAL to analyse models.

**Definition II.3. Timed automata syntax** A timed automaton is a tuple  $A = (S, X, s_0, E, E_O, E_I, I)$ , where:

- S is a finite set of states;
- X is a finite set of clocks;
- $s_0 \in S$  is an initial state;
- The set of guards G(x) is defined by the grammar  $g := x \bowtie c \mid g \land g$ , where  $x \in X$ ,  $c \in \mathbb{N}$  and  $\bowtie \in \{<, \leq, >, >\}$ .  $E \subseteq S \times G(X) \times 2^X \times S$  is a set of edges labelled by guards and a set of clocks to be reset:
- $\bullet$   $E_O$  is a set of input events.
- $E_I$  is a set of output events.
- $I: S \to G(X)$  assigns invariants to clocks.

A clock valuation is a function  $v:X\to\mathbb{R}_{\geqslant 0}$ . If  $\delta\in\mathbb{R}_{\geqslant 0}$ , then  $v+\delta$  denotes the valuation such that for each clock  $x\in X$ ,  $(v+\delta)(x)=v(x)+\delta$ . If  $Y\subseteq X$ , then v[Y:=0] denotes the valuation such that for each clock  $x\in X$  Y, v[Y:=0](x)=v(x) and for each clock  $x\in Y$ , v[Y:=0](x)=0. The satisfaction relation  $v\models g$  for  $g\in G(x)$  is defined in the natural way.

**Definition II.4. Timed automata semantics** The semantics of a timed automaton  $A = (S, X, s_0, E, E_O, E_I, I)$  is defined by a transition system  $S_A = (S, s_0, \rightarrow)$ ,

where  $S = L \times \mathbb{R}^X_{\geqslant 0}$  is the set of states,  $s_0 = (l_0, v_0)$  is the initial state,  $v_0(x) = 0$  for all  $x \in X$ , and  $\rightarrow \subseteq S \times S$  is the set of transitions defined by :

 $\bullet \qquad (l,v) \xrightarrow{\in (\delta)} (l,v+\delta) \text{ if } \forall 0 \leqslant \delta' \leqslant \delta: (v+\delta') \models I(l);$ 

•  $(l,v) \rightarrow (l',v[Y:=0])$  if there exists  $(l,g,Y,l') \in E$  such that  $v \models g$  and  $v[Y:=0] \models I(l')$ .

The reachability problem for an automaton A and a location l is to decide whether there is a state (l,v) reachable from  $(l_0,v_0)$  in the transition system  $S_A$ . As usual, for verification purposes, we define a symbolic semantics for timed automata. For universality, the definition uses arbitrary sets of clock valuations.

## C. Encoding FMUs by timed automata

As we can see, there is a semantic gap between FMU and TA. The former focus on the execution sequence of FMU, which specifies the state change process with time passing. The simulation trace of TA is similar as the execution sequence of FMU. Therefore, we can encode FMU with TA to analyse the behavior of FMU component without explore its internal structure.

Given an FMU  $F = (L, U, Y, D, l_0, set, get, doStep)$ , we model this FMU by a timed automaton  $A = (S, X, s_0, E, E_O, E_I, I)$ , where:

- S is a set of finite locations. Note that a state of TA has the same form as a location of the F.
- The initial state  $s_0$  is such that l is set to  $l_0$ .
- Each input variable  $u \in U$  ranges over  $E_I \cup \{absent\}$ .
- Each output variable  $y \in Y$  ranges over  $E_O \cup \{absent\}$ .
- An input event in  $e \in E_O$  is such that the function set of F sets the input variable u to a given value.
- An output event in  $e \in E_I$  indicates that the function get of F gets the output variable y. The set of values in the  $E_I$  is the Y.
- The communication with input and output events in TA is the same as the I/O dependencies information in FMU. (u, y) ∈ D denotes that output y depend on input u. The output events also depend on the input events.
- For any e ∈ E of A, there is a transition l → l', which may be found after the function doStep is executing. For instance, if there is a transition s → s', at the same time doStep(l, h) may be called which indicates that F accepts the time step h and reaches the new location l'. However, F maybe rejects the time step for the reason which we have discussed above and this process can also be described in the TA. If there is a rollback behavior happens after the F rejects the time step h, the transition in TA could be a edge s → s, which denotes that a location travels to itself.

Although there are semantic gaps between FMUs and timed automata, we provide a appropriate transformation above to solve the problem. So, we believe that it's feasible to encode the FMUs by timed automata. In the following sections, we will model the FMUs with the timed automata in UPPAAL.

## III. CO-SIMULATION EXECUTION

The master algorithm provides the orchestration of FMUs, which denotes the co-simulation of various FMUs. To ensure the correctness of co-simulation execution process, it is necessary to verify certain properties of the master algorithm. In this section, we use timed automata to encode three versions of master algorithm and verify some expected properties of master algorithm such as deadlock, liveness and reachability with UPPAAL.

## A. I/O Dependency Information

When it comes to co-simulation, I/O dependency information [9] is inevitably required to be well considered. The master algorithm calls function Set to provide input value to an FMU and function Get to retrieve an output value. So it is essential to know which outputs of an FMU depend immediately on which inputs. In the design of a MA, the direct dependency information can be used to call the function Set and Get in a well-defined order. In FMI 2.0 this information can be provided using the element ModelStructure [11]. However, sometime there may be an algebraic loop in the dependency information, which may not converge. Since we are interested in non-diverging and deterministic composition of FMUs, we need to distinguish these two cases.

## B. Master Algorithm (MA)

The master algorithm is to orchestrate the execution of different subsystems. Each subsystems serves as an FMU block whose simulation is triggered by a particular MA. FMUs can be seen as black boxes comprising input. The process of simulation is divided into several steps where each FMU can be simulated independently until it needs to exchange data or implement synchronization. There are three versions of master algorithm, which is shown in Fig.2.



Fig. 2. Activity diagrams for three master algorithms

1) Fixed Step Algorithm: In fixed step algorithm, all FMUs have the same step size. When master algorithm calls doStep with the step size h, time will advance from a communication point t to the next communication point t+h. During the simulation step, an FMU with it's own solver will simulate independently according to its input value and generate a running result as output value. MA will wait until all FMUs finish their simulation step and then get their output values to exchange data for preparing next simulation step. The activity diagram of fixed step algorithm is illustrated in the top of

- Fig.2. There are mainly three activities in the control flow: *initialize*, *doStep* and *continue*. In the fixed step algorithm [9], the process can maintain correct when all FMUs are reliable. When some error happens during a simulation step, the process will be affected after the wrong simulation step. Then we need the FMU rollback mechanism.
- 2) Rollback Algorithm: There are some important features proposed in the FMI 2.0. We can save the FMU state if necessary and the state we saved in the process can be restored. For example, MA calls doStep on  $FMU_1$  and  $FMU_2$  while  $FMU_1$  can accept the request or  $FMU_2$  can reject it. If we save the state of  $FMU_1$  and  $FMU_2$  at the communicating point t, we can restore the scene after  $FMU_2$  rejects doStep. Under this circumstances, we need all FMUs support rollback. The activity diagram of rollback algorithm is clearly shown in Fig.2. Compared with the fixed step algorithm, all FMUs are required to support rollback mechanism, that is, all FMUs need to return to the previous state if the simulation step sizes of all FMUs are not equal.
- 3) Predictable Step Size Algorithm: To improve the efficiency of MA, it is important to predict step size. So predictable step size algorithm is proposed. The function GetMaxStepSize was introduced to optimize the performance of rollback algorithm. This function return the maximum step size and state flag of a predictable FMU. Maximum step is the largest step that a predictable FMU can perform. State flag includes ok, discard and error. OK denotes the predictable FMU can accept the simulation step size. Discard denotes the predictable FMU only implement partial step during simulation. Error denotes the predictable FMU can't continue the simulation because of its unacceptable state or unreasonable input value. Also, when discard and error happen, the FMU need to rollback to the previous state saved before. Whether an FMU is a predictable FMU or not should be indicated in FMU's xml file. Moreover, if an FMU supports rollback and predictable step size at the same time, the predictable step size algorithm only uses predictable ability to get the maximum step of a predictable FMU. On the other hand, a predictable FMU can accept any step size less than or equal to the maximum step returned by GetMaxStepSize.

First, the master algorithm chooses the maximum step size of all predictable FMUs and find the smallest communication step size h that all predictable step size can be accepted. Then, we save the states of all FMUs. MA calls doStep(h) on FMUs supporting rollback. The function doStep() will return the real performed step size. If all performed step sizes are equal to h, MA will call doStep(h) on FMUs. Otherwise, MA will find the smallest performed step  $h_{min}$ , then all FMUs will restore the state saved before the co-simulation. Finally, MA will invoke  $doStep(h_{min})$  on all FMUs. The control flow of predictable step size algorithm is shown in Fig.2. For example, getMinStepFromCP is an activity that MA will call GetMaxStepSize on all predictable FMUs to find their maximum simulation step size and then return the smallest one of them.

## C. Modelling and Analysis of MA

To verify the correctness of master algorithms, we model three master algorithms using timed automata in UPPAAL. The following Fig.3 shows the execution of three master algorithms in the form of timed automata respectively. Fixed step algorithm has  $Init,\ doStep$  states and synchronize with FMU by channel continue. Rollback algorithm has  $Init,\ isEqual,$  and con states. If all FMUs don't have the same step size, rollback algorithm will communicate with FMUs by rollback signal, otherwise, it will send continue signal and move to con state. Predictable step size algorithm has  $Init,\ findCP5,\ getCRh,\ writecp$  states. It obtains the minimal step size (i.e.step2) of FMUs supporting GetMaxStepSize function and the maximal step size (i.e.step1) of FMUs supporting rollback function. If step1 is greater than step2, FMUs receive rollback signal and return to getCRh state. Otherwise, FMUs receive continue signal and do the next step.



(a) Timed automata for (b) Timed automatixed step algorithm

(b) Timed automata for rollback algorithm



(c) Timed automata for predictable step sizes algorithm

Fig. 3. Timed automata for master algorithms.

We verify the properties of master algorithms including reachability, liveness and deadlock. Experimental results are shown in Table II, where:

- $E\langle\rangle$  master.dostep,  $E\langle\rangle$  master.con and  $E\langle\rangle$  master.writecp are reachability properties checking whether the model can reach these states;
- master.Init → master.dostep, master.Init →
  master.con and master.Init → master.con are
  liveness property. If the master algorithm arrives at
  former state, it eventually reaches the latter state;
- A[] not deadlock is safety property, it means whether the model will be deadlock.

In Table II, we can find that the properties such as deadlock, liveness and reachability are satisfied, which proves the correctness of three master algorithms. For an example, A[] not deadlock is satisfied, which means that the execution of the master algorithm will not be deadlock.  $master.Init \rightarrow master.doStep$  is satisfied, which means that if the model reach the former state Init, it will eventually reach the state

TABLE I. CHECKING PROPERTIES OF MASTER ALGORITHMS

| MA          | Property                                 | Result |
|-------------|------------------------------------------|--------|
| Fixed Step  | A[] not deadlock                         | True   |
|             | master.Init  ightarrow master.dostep     | True   |
|             | $E\langle\rangle$ master.dostep          | True   |
| Rollback    | A[] not deadlock                         | True   |
| Koliback    | master.Init  ightarrow master.con        | True   |
|             | $E\langle\rangle$ master.coninue         | True   |
| Predictable | A[] not deadlock                         | True   |
|             | $master.Init \rightarrow master.writecp$ | True   |
|             | $E\langle\rangle\ master.writecp$        | True   |

doStep.  $E\langle\rangle$  master.doStep is satisfied, which means that there exists a reachable state doStep.

### IV. ARCHITECTURAL MODELLING IN SYSML

To illustrate our approach, we take an example (water tank) inspired by [12]. According to the I/O dependency information between the FMUs, the architectural model for water tank is constructed using SysML. The aim of using SysML is to design the architecture of the system with a more high-level modeling language. It helps to show the components and their connection.

# A. Case Study: Water Tank

The water tank system, as shown in Fig.4(a), is our running example. A source of water flows into the water tank whose water flows into the drain, and the source is controlled by a valve; when the valve is open the water flows into the water tank. The valve, managed by a software controller, is opened or closed stochastically or depending on the water level. There are two variants of water tank system depending on the various connections between controller, valve and tank.

Figure 4(b) is the architecture connection of water tank. There are three connection cases between the FMUs. The first case contains three FMU components (Controller, Valve and TankI) and two channels( $v\_vin$ ,  $w\_win$ ). The controller and valve are connected with channel  $v\_vin$ . The valve and tank1 are connected with channel  $w\_win$ . For the second case, there could be a channel  $sout\_s$  between tank1 and controller, which means the water level of tank1 affecting the control strategy of the controller. It is denoted with the gray line. Besides, there could be another tank2 (the gray box). The tank1 and tank2 are connected by the channel  $w\_out$ . The orchestration of FMUs for water tank is modeled with SysML block diagram in the next subsection.



(a) Sketch map of water (b) FMUs connection of water tank system.

Fig. 4. Water tank system.

## B. Architecture Modelling in SysML

SysML is a general purpose domain-specific language (DSL) [13] for model-based systems engineering (MBSE) [14],



(a) SysML BDD



Fig. 5. The SysML block diagrams for water tank system.

which is originated as an initiative of the International Council on Systems Engineering (INCOSE) [15] in January 2001. SysML is implemented as a UML profile. The *Block Definition Diagram* (BDD) describes the system blocks and their features (structural and behavioural). The *Connection Diagram* (CD) describes the internal structure of blocks. The ports of blocks are connected by the connector. The I/O dependence of blocks describes the communication between blocks. SysML block diagrams are usually used to describe the architecture of systems.

Figure 7(a) shows the block definition diagram for the water tank system. The system consists of three blocks, i.e., *Valve*, *Tank* and *Controller*, in which *Valve* and *Tank* are physical components. *Controller* is the cyber component. Each component has its own input and output. For instance, the input interface of *Valve* is named as *vin*, which is used to input the *Open-Closed* signal.

Figure 7(b) shows the connection diagram for the system. There are three cases for connections. The first case is that the system has one valve, one controller and one tank. The controller sends stochastic signals to control the valve on/off leading to various rate of water flow. The second case is that the signal from the controller is affected by the water level of the tank. The last case is on the basis of the first case and adds

another tank2 which is affected by the flow rate of the tank1. How can we assure the correctness of the architecture models? We attempt to verify it with model checking based on timed automata. More details on verification process can be found in the next section.

## V. MODEL CHECKING CO-SIMULATION USING TIMED AUTOMATA

This section performs a formal analysis of the SysML architectures of water tank shown in Fig.7. First off, we model FMUs which are the components of the SysML architectures and the master algorithm which is the director of FMUs using timed automata in UPPAAL. Next, the verification and analysis checks whether the model is accurate and satisfies certain desired properties.

## A. Modelling FMU component in UPPAAL

UPPAAL [6] is a toolset for verification of real-time systems represented by (a network of) timed automata which is extended with integer variables, structured data types, and channel synchronization. The execution of FMU component and co-simulation is time-related, therefore it is convenient to model the FMU with timed automata in UPPAAL. In this subsection, we abstract the execution of FMU, and encode it with the states and transitions in timed automata. Besides, we also model the master algorithm as a timed automata to coordinate the execution between several FMU components. The timed automata template for FMU components and master algorithm are shown in Fig.6. Here, we choose rollback algorithm as the master algorithm to coordinate the FMU components. The other two master algorithms can be analyzed with the similar way.



(a) Timed automata template for F- (b) Timed automata for FMU valve MU controller



(c) Timed automata for FMU (d) Tank1 rithm

(d) Timed automata for master algorithm

Fig. 6. Timed automata templates for connection case 1.

Figure 6(a), 6(b), 6(c) are the templates for controller, valve and tank1 respectively, they model FMU components which supports rollback function. These FMU components contain four main states, e.g., *start*, *dostep*, *isrollback* and *reset*.





- (a) Execution trace
- (b) Execution sequence diagram

Fig. 7. The execution fragment of the co-simulation in UPPAAL.

Figure 6(a) shows the template for controller which supports a random step size. It synchronizes with valve by signal v and jump to isrollback state, and then waits for a signal from the timed automata for the master algorithm. Until the controller receives the continue signal, it does data exchange, and return to start state. Otherwise it receives rollback signal, once it obtains the minimize step size of all FMU components, it travels to *isrollback* state. The states and transitions of valve and tank1 template are similar with the template of controller. Figure 6(d) shows the template for the master algorithm. Firstly, the master algorithm initialize the parameters, and then it get minimize step size of FMU components until all FMU components visit dostep. Next, the master algorithm decides which signal should be sent according to the guard. If the step sizes of all FMU components are equal, the master algorithm will send continue signal, otherwise, send rollback signal.

Figure 7 is the execution fragment of the co-simulation in UPPAAL, we can find that valve send a w signal to perform data exchange with tank1. After that tank1 move to dostep state. The master algorithm send a rollback signal to all templates, which leads to all of them arrive at reset state. Finally, the master algorithm send a continue signal to others. All templates return to start state, and then do next step. The execution process shows that our model performs correctly.

In order to compare the behavior of three connection cases of water tank presented in Section 4.2, we also model the other two connection cases in UPPAAL. We add a channel s to the templates for controller and tank1, which is the model of connection case 2 as shown in Fig.8. We add a template (tank2) and channel w2, which is the model of connection case 3 shown in Fig.9. In next subsection, we verify some properties of various connection cases to analyse the correctness of the architecture.

# B. Verification and Analysis

UPPAAL uses a simplified version of TCTL [16] to express the requirement specification. We verify the following TCTL properties of each connection case:

•  $E\langle\rangle$  WT1.isrollback and  $E\langle\rangle$  master.continue are reachability properties checking whether FMU tank1 can reach isrollback state and whether the master algorithm can reach continue state respectively.



(a) Timed automata for FMU controller (b) Timed automata for FMU tank1

Fig. 8. Timed automata for connection case 2.



Fig. 9. Timed automata for connection case 3.

- master.start → master.continue are liveness property. If the master algorithm arrive at start state, it eventually reaches continue state.
- A[] not deadlock is safety property checking whether the model will be deadlock.

The verification results are shown in TableII. We can find that all properties of connection case 1 and 3 are satisfied. It proves that our master algorithm is correct and the composition of FMU components is determinate. However, the liveness and reachability properties of connection case 2 are not satisfied. We find that there is a algebraic loop which may be introduced with the I/O dependency in this connection case. The experiments show that our approach is feasible and useful for model checking the FMI co-simulation. The approach facilitates the verification of the CPSs architecture models.

### VI. RELATED WORK

For simulating CPSs [17], distinct simulation domains need to be integrated for a comprehensive analysis of the interdependent subsystems. Co-simulation [18] can maintain all system models within their specialized simulators and synchronizes them in order to coherently integrate the simulation domains. FMI [2] [11] is an industry standard which enables cosimulation of complex heterogeneous systems using multiple simulation engines.

TABLE II. EXPERIMENTAL RESULTS

| Connection case | Property                                   | Result |
|-----------------|--------------------------------------------|--------|
| Case 1          | $E\langle\rangle\ WT1.isrollback$          | True   |
|                 | $E\langle\rangle$ master.continue          | True   |
|                 | $master.start \rightarrow master.continue$ | True   |
|                 | $A[] \ not \ deadlock$                     | True   |
| Case 2          | $E\langle\rangle\ WT1.isrollback$          | True   |
| Case 2          | $E\langle\rangle$ master.continue          | False  |
|                 | $master.start \rightarrow master.continue$ | False  |
|                 | $A[] \ not \ deadlock$                     | True   |
| Case 3          | $E\langle\rangle\ WT1.isrollback$          | True   |
| Case 3          | $E\langle\rangle$ master.continue          | True   |
|                 | $master.start \rightarrow master.continue$ | True   |
|                 | $A[] \ not \ deadlock$                     | True   |

Jens Bastian et al. adopts fixed step size master algorithm to simulate heterogeneous systems in [19]. David Broman et al. discussed the determinate composition of FMUs for cosimulation. To do that, they extended the FMI standard to designs FMUs that enables deterministic execution for a broader class of models. Besides, rollback and predictable step size master algorithms are proposed in their work. In [20], Fabio Cremona et al. presents FIDE, an Integrated Development Environment (IDE) for building applications using FMUs. We also implemented the prototype co-simulator between continuous-time Markov chains (CTMCs) [21], discrete-time Markov chains (DTMCs) [22] and Modelica in [23]. We also have presented an improved co-simulation framework that focuses on the capture of nearest future event to reduce the number of running steps and the frequency of data exchange between models. In short, the existing work focus on how to achieve deterministic execution of FMUs and improve the efficiency of the master algorithms, however, there is few work to analysis the correctness of master algorithms. In this paper, our work focuses on the model and analyse I/O dependency information and master algorithms for FMI cosimulation. PG Larsen et al. [24] presented formal semantics of the FMI described in the formal specification language CSP. They formally analyse the CSP model with the FDR3 refinement checker. Nuno Amalio et al. [12] presented an approach to verify both healthiness and well-formedness of an architecture design modeled with SysML. They attempt to check the conformity of component connectors and the absence of algebraic loops to ensure the co-simulation convergence.

In [25], Mladen Skelin et al. reports on the translation of the FSM-SADF formalism to UPPAAL timed automata that enables a more general verification than currently supported by existing tools. Stavros Tripakis [10] discussed the principles for encoding different modeling formalisms, including state machines (both untimed and timed), discrete-event systems, and synchronous dataflow, as FMUs.

Compared with the existing work, the main advantage of our approach proposed in this paper is that it formally model the FMI co-simulation with timed automata. The correctness of the co-simulation between FMUs can be verified with the model checker. Moreover, our approach facilitates the detection the algebraic loop of CPSs architecture. These features make the proposed timed automata-based approach complementary to existing approaches to the formal analysis of the co-simulation.

# VII. CONCLUSION AND FUTURE WORK

This paper has presented our novel approach to check the FMI co-simulation, which facilitates the formal analysis of CPSs. This involves model checking the reachability, livelock and deadlock of three various master algorithms. Besides, the correctness and relevant system properties of the architecture are also analysed. To achieve the goal, we encode the FMU and master algorithms with timed automata. Then the properties of the co-simulation are verified with UPPAAL. We evaluate this approach using the example water tank. The results show that our approach is feasible and useful.

An interesting direction of future work is that we attempt to analyse and compare the performance of various master algorithms in the future. Besides, more complex case studies will be conducted to check the scalability of proposed approach. The tool support for our approach should be improved further.

#### ACKNOWLEDGEMENT

This work was supported by NSFC (Grant No.61472140, 61202104) and NSF of Shanghai (Grant No. 14ZR1412500).

#### REFERENCES

- S. Zanero, "Cyber-physical systems," *IEEE Computer*, vol. 50, no. 4, pp. 14–16, 2017. [Online]. Available: https://doi.org/10.1109/MC.2017.105
- [2] T. Blochwitz, "The functional mockup interface for tool independent exchange of simulation models," no. 2011-03-22, pp. 105-114, 2011.
- [3] B. V. Acker, J. Denil, H. Vangheluwe, and P. D. Meulenaere, "Generation of an optimised master algorithm for FMI co-simulation," in Proceedings of the Symposium on Theory of Modeling & Simulation: DEVS Integrative M&S Symposium, part of the 2015 Spring Simulation Multiconference, SpringSim '15, Alexandria, VA, USA, April 12-15, 2015, 2015, pp. 205-212. [Online]. Available: http://dl.acm.org/citation.cfm?id=2872993
- [4] R. Alur and D. L. Dill, "A theory of timed automata," *Theor. Comput. Sci.*, vol. 126, no. 2, pp. 183–235, 1994. [Online]. Available: http://dx.doi.org/10.1016/0304-3975(94)90010-8
- [5] M. Rahim, A. Hammad, and M. Ioualalen, "A methodology for verifying sysml requirements using activity diagrams," *ISSE*, vol. 13, no. 1, pp. 19–33, 2017. [Online]. Available: http: //dx.doi.org/10.1007/s11334-016-0281-y
- [6] G. Behrmann, A. David, K. G. Larsen, J. Håkansson, P. Pettersson, W. Yi, and M. Hendriks, "UPPAAL 4.0," in *Third International Conference on the Quantitative Evaluation of Systems (QEST 2006)*, 11-14 September 2006, Riverside, California, USA, 2006, pp. 125–126. [Online]. Available: http://dx.doi.org/10.1109/QEST.2006.59
- [7] B. Cheng, X. Wang, J. Liu, and D. Du, "Modana: An integrated framework for modeling and analysis of energy-aware cpss," in *IEEE Computer Software and Applications Conference*, 2015, pp. 127–136.
- [8] P. Fritzson and V. Engelson, "Modelica a unified object-oriented language for system modelling and simulation," *Lecture Notes in Computer Science*, vol. 1445, no. 1445, pp. 67–90, 1998.
- [9] D. Broman, C. X. Brooks, L. Greenberg, E. A. Lee, M. Masin, S. Tripakis, and M. Wetter, "Determinate composition of fmus for co-simulation," in *Proceedings of the International Conference* on *Embedded Software, EMSOFT 2013, Montreal, QC, Canada,* September 29 - Oct. 4, 2013, 2013, pp. 2:1–2:12. [Online]. Available: http://dx.doi.org/10.1109/EMSOFT.2013.6658580
- [10] S. Tripakis, "Bridging the semantic gap between heterogeneous modeling formalisms and FMI," in 2015 International Conference on Embedded Computer Systems: Architectures, Modeling, and Simulation, SAMOS 2015, Samos, Greece, July 19-23, 2015, 2015, pp. 60–69. [Online]. Available: http://dx.doi.org/10.1109/SAMOS.2015.7363660
- [11] T. Blochwitz, M. Otter, J. kesson, M. Arnold, C. Clauss, H. Elmqvist, M. Friedrich, A. Junghanns, J. Mauss, D. Neumerkel, H. Olsson, and A. Viel, "Functional mockup interface 2.0: The standard for tool independent exchange of simulation models," in *Proceedings of the 9th International Modelica Conference*. The Modelica Association, 2012, pp. 173–184. [Online]. Available: http://dx.doi.org/10.3384/ecp12076173
- [12] N. Amálio, R. Payne, A. Cavalcanti, and J. Woodcock, "Checking sysml models for co-simulation," in Formal Methods and Software Engineering - 18th International Conference on Formal Engineering Methods, ICFEM 2016, Tokyo, Japan, November 14-18, 2016, Proceedings, 2016, pp. 450–465. [Online]. Available: http://dx.doi.org/ 10.1007/978-3-319-47846-3\_28
- [13] O. Semeráth, Á. Barta, Á. Horváth, Z. Szatmári, and D. Varró, "Formal validation of domain-specific languages with derived features and well-formedness constraints," *Software and System Modeling*, vol. 16, no. 2, pp. 357–392, 2017. [Online]. Available: http://dx.doi.org/10.1007/s10270-015-0485-x
- [14] D. Dori, Model-Based Systems Engineering with OPM and SysML. Springer, 2016. [Online]. Available: http://dx.doi.org/10. 1007/978-1-4939-3295-5

- [15] I. K. Pepper and R. Wolf, "International council on systems engineering," *Police Journal*, vol. 88, no. 3, pp. 7–7, 2015.
- [16] H. Boucheneb, G. Gardey, and O. H. Roux, "TCTL model checking of time petri nets," *J. Log. Comput.*, vol. 19, no. 6, pp. 1509–1540, 2009. [Online]. Available: http://dx.doi.org/10.1093/logcom/exp036
- [17] H. Georg, S. C. Müller, C. Rehtanz, and C. Wietfeld, "Analyzing cyber-physical energy systems: The INSPIRE cosimulation of power and ICT systems using HLA," *IEEE Trans. Industrial Informatics*, vol. 10, no. 4, pp. 2364–2373, 2014. [Online]. Available: http://dx.doi.org/10.1109/TII.2014.2332097
- [18] S. Bogomolov, M. Greitschus, P. G. Jensen, K. G. Larsen, M. Mikucionis, A. Podelski, T. Strump, and S. Tripakis, "Co-simulation of hybrid systems with spaceex and uppaal," 2015.
- [19] J. Bastian, C. Clau, S. Wolf, and P. Schneider, "Master for co-simulation using fmi," 2011.
- [20] F. Cremona, M. Lohstroh, S. Tripakis, C. X. Brooks, and E. A. Lee, "FIDE: an FMI integrated development environment," in *Proceedings* of the 31st Annual ACM Symposium on Applied Computing, Pisa, Italy, April 4-8, 2016, 2016, pp. 1759–1766. [Online]. Available: http://doi.acm.org/10.1145/2851613.2851677
- [21] V. Danos, T. Heindel, I. Garnier, and J. G. Simonsen, "Computing continuous-time markov chains as transformers of unbounded observables," in Foundations of Software Science and Computation Structures 20th International Conference, FOSSACS 2017, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2017, Uppsala, Sweden, April 22-29, 2017, Proceedings, 2017, pp. 338–354. [Online]. Available: http://dx.doi.org/10.1007/978-3-662-54458-7\_20
- [22] M. Guerry, "On the embedding problem for discrete-time markov chains," J. Applied Probability, vol. 50, no. 4, pp. 918–930, 2013. [Online]. Available: http://dx.doi.org/10.1017/S002190020001370X
- [23] J. Liu, K. Jiang, X. Wang, B. Cheng, and D. Du, "Improved co-simulation with event detection for stochastic behaviors of cpss," in 40th IEEE Annual Computer Software and Applications Conference, COMPSAC 2016, Atlanta, GA, USA, June 10-14, 2016, 2016, pp. 209–214. [Online]. Available: http://dx.doi.org/10.1109/COMPSAC. 2016.133
- [24] P. G. Larsen, J. Fitzgerald, J. Woodcock, and P. Fritzson, "Integrated tool chain for model-based design of cyber-physical systems: The intocps project," in *International Workshop on Modelling, Analysis, and Control of Complex Cps*, 2016, pp. 1–6.
- [25] M. Skelin, E. R. Wognsen, M. C. Olesen, R. R. Hansen, and K. G. Larsen, "Model checking of finite-state machine-based scenarioaware dataflow using timed automata," in 10th IEEE International Symposium on Industrial Embedded Systems, SIES 2015, Siegen, Germany, June 8-10, 2015, 2015, pp. 235–244. [Online]. Available: http://dx.doi.org/10.1109/SIES.2015.7185065