Towards Readability Aspects of Probabilistic Mode Automata

Heinz Schmidt and Maria Spichkova

School of Science, RMIT University, Melbourne, Australia

Keywords:

Software Engineering, Formal Methods, Petri Nets.

Abstract:

This paper presents a new approach and design model targeting hybrid designer- and operator-deﬁned perfor-

mance budgets for timing and energy consumption. The approach is based on Petri Nets formalism. As the

cognitive load is typically high while using formal methods, this increases the chances of mistakes. Our ap-

proach is focused on the readability aspects and aims to decrease the cognitive load of developers. We illustrate

the proposed approach on example of a sample embedded multi-media system, a modern digital camera.

1 INTRODUCTION

In the domain of embedded systems, the trend to en-

hance more and more system functionalities through

software solution is constantly increasing. This

makes the design of these systems and the corre-

sponding quality assurance more and more challeng-

ing Sangiovanni-Vincentelli and Martin (2001). Real-

time and dependability constrains provide additional

challenges, which also lead to necessity of probabilis-

tic analysis within the phases of design and veriﬁca-

tion of these systems. Also, some constraints within

embedded systems are mutually dependent, for ex-

ample, timing and energy consumption constraints

cannot be analysed independently of each other, see

Mudge (2001); Saxe (2010); Wolf et al. (2008).

One of the successfully applied paradigms is

Component-based software development, which was

initially introduced many decades ago (CBSD, see

Adler (1995); Clements (1995)). However, CBSD

cannot solve directly issues related to the constraints

on safety, timing, energy consumption, etc. Henzinger

and Sifakis (2006); Spichkova et al. (2012), but can

provide a solid basis for extended approaches.

In recent work Peake and Schmidt (2011) we

have extended our rich architecture deﬁnition lan-

guage (RADL, see Schmidt (2003)) and underlying

theory Schmidt et al. (2003) to meet such indus-

trial requirements, aiming at a scalable and compo-

sitional (component-based) approach to soft depend-

ability guarantees: with probability, guarantee risk,

execution time, cost etc. Industrial practice requires

the capability to compose a variety of heterogeneous

models and components, speciﬁed and designed using

different methods and frameworks. Many real-world

engineering environments are not locked into a sin-

gle model, single framework or single-language en-

vironment. While we abstract from the programming

languages underlying such an heterogeneous software

engineering approach, we hope to show that, and how,

our design-oriented model-based approach links with

concrete programming by means of elementary mod-

elling blocks providing abstractions directly for code

blocks. This is natural and perhaps more appropriate

in design of embedded systems than in other ﬁelds, as

component models in this context often use architec-

tural elements to abstract from software and hardware

blocks at the same time. However we expect that this

approach carries across to other domains.

In our current work, we targeting hybrid designer-

and operator-deﬁned performance budgets for timing

and energy consumption. We propose an approach

that is on Petri Nets formalism. Our approach is fo-

cused on the readability aspects and aims to decrease

the cognitive load of developers, as having high cog-

nitive load increases the chances of mistakes in sys-

tem design and quality assurance process. We also

aim to keep the method lightweight, following the

classiﬁcation presented in Zamansky et al. (2018).

To illustrate the proposed approach, we use an ex-

ample of a sample embedded multi-media system, a

modern digital camera. This allows us to demon-

strate how the time (and the ensuing synchronisa-

tion) and energy constraints can be analysed taking

into account their mutual dependencies. We pro-

pose that extra-functional properties have to be con-

sidered from early performance requirement speciﬁ-

cation through to model-based testing and run-time

Schmidt, H. and Spichkova, M.

Towards Readability Aspects of Probabilistic Mode Automata.

DOI: 10.5220/0007781005550562

In Proceedings of the 14th International Conference on Evaluation of Novel Approaches to Software Engineering (ENASE 2019), pages 555-562

ISBN: 978-989-758-375-9

555

veriﬁcation. Beside the compositional approach to

reasoning about and testing such properties in a hy-

brid modelling environment, our contribution is in

the separation of concern of different aspects of mod-

elling and in context-dependent methods of reasoning

about such properties. Notably we have developed

methods which allow automated contextual resource

allocation strategies, under dynamically varying, and

suitably parameterised, architectural conﬁgurations.

2 EXAMPLE: DIGITAL CAMERA

Consider the design of a modern digital camera from

the perspective of different types of use:

Scenario 1: A busy professional sports photogra-

pher requires the ability to capture many hundreds or

thousands of high quality images rapidly, with mini-

mal shutter lag, in rapid bursts of up to 100 photos.

Within the given price point afforded by budget, she

is prepared to sacriﬁce “convenience” features, ac-

cepting shorter battery life and fewer shots per mem-

ory card while carrying extra battery packs, memory

cards or even a laptop for frequent uploads, as well as

extra lenses, and manage reconﬁguration as needed.

Scenario 2: One weekend a family member is get-

ting married, and as the de facto camera expert she

has agreed to act as a semi-ofﬁcial or backup pho-

tographer for the wedding. In this capacity she aims

for simplicity and convenience, so she can still en-

joy the day and mingle without being conspicuous or

weighed down by equipment. The couple insist they

prefer photos in a standard compressed consumer for-

mat (JPEG), which at least eliminates extra effort later

at her workstation, and maximises memory card ca-

pacity. She selects what she can carry easily—a sin-

gle camera body and lens and perhaps a single addi-

tional memory card, but no extra battery pack. She is

unwilling to spend anything like her usual time and

effort on camera conﬁguration, instead often (perhaps

not always) relying on camera to automatically select

exposure, focus and aperture. Occasionally, for par-

ticularly important shots she takes full control again.

In this second case, battery life is paramount.

The speciﬁc challenge is to design a camera which

is capable of ﬂexible reconﬁguration to suit multiple

contexts, including for example these. The generic

challenge is to:

(i) Characterise context in terms of user con-

ﬁguration choices, usage (e.g. selected

modes/operations/functions) and user-visible

desired properties.

(ii) Reason in a context-sensitive way about system

properties and manage internal conﬁguration to

ensure consistency between conﬁguration/proﬁles

and desired properties. For example, to make the

camera battery last longer, the camera must some-

how sacriﬁce quality and/or performance in an ac-

ceptable way.

However the true usage context is often hard to pre-

dict. What exactly are the user’s requirements and

intentions? Even the user may not know exactly what

she intends beyond the immediate moment. Con-

textual uncertainty extends to environmental condi-

tions, which may have a non-trivial impact on per-

formance. For example ambient temperature may af-

fect performance (e.g., energy consumption) of key

camera components signiﬁcantly, including batter-

ies Rao et al. (2003), sensors and actuators such as

lenses. This has implications for the design not only

of embedded systems, but also at a macroscopic level.

Thus, large-scale computing centres have signiﬁcant

inter-dependency on their local environment; such fa-

cilities are already planned with environmental condi-

tions such as temperature in mind to be able to max-

imise performance and performance per cost while

minimising cooling and energy consumption.

We extend the camera design presented by

Lee Lee (2006). In our example, the camera has the

following logical components:

• a general purpose processor (GPP),

• a digital signal processor (DSP),

• actuators to control, e.g., mirror and shutter cur-

tain, lens focus and aperture,

• sensors, e.g., for auto-focus,

• a buffer to store images temporarily, and

• a ﬂash memory as a long-term storage media.

To keep the example small enough for a conference

paper, we abstract from other typical functions such

as USB driver for photo download, LCD user inter-

face, camera ﬂashbulb, and various advanced settings.

In high performance scenarios a dedicated GPP-

ﬂash memory link is possible. We focus on the in-

terplay of functionality relevant for taking a range of

different shots involving real-time physical control, as

well as selecting tradeoffs between timing and energy

consumption.

As presented in Figure 1, the system has three

modes, each with different resource requirements:

• IDLE mode covers waiting for shutter half/full

press and pre-focusing.

• In single frame (SF) mode, the camera returns to

the idle mode after shooting is completed, while

• in multi frame (MF) mode, shooting is contin-

ued as long as the shutter release button is kept

pressed.

ENASE 2019 - 14th International Conference on Evaluation of Novel Approaches to Software Engineering

556

MF contains two sub-modes, high-speed (HS) and

low-speed (LS). MF starts with HS and switches to

LS if/when the image buffer gets full, where shooting

of the consequent frame is delayed until enough space

is freed in the buffer by writing to the ﬂash memory.

With these mode abstractions in mind, from a design

perspective it is expected that reﬁnements to compo-

nents used in these modes may enable new features

(for example smart/continuous save in HS at a perfor-

mance penalty).

Figure 1: Digital Camera: Modes.

Furthermore, in each mode the user can select lens

focusing and exposure metering to be performed au-

tomatically or manually, i.e. each mode has four sub-

modes. More precisely, in the case of multi frame

shooting, each of the MF submodes, HS and LS, has

four further submodes:

• FE: automatic operations are fully enabled: both

autofocus AF and automatic exposure AE are en-

abled;

• F: only the autofocus AF operation is enabled;

• E: only the automatic exposure AE operation is

enabled;

• 0: neither autofocus AF nor automatic exposure

AE are enabled.

In the IDLE mode the user may perform AF, AE or

both, while composing a picture. During this time

DSP cannot be activated and AF and AE operations

are performed on GPP to reduce energy consumption.

When the user presses the shutter release button, ﬁrst,

AF and AE operations that are being executed are

completed, then the idle mode is terminated and the

system switches to SF or MF depending on the user

selection.

Another way to represent system modes (which

can be related to the same submodes hierarchy as in-

troduced in Figure 2) is to work parallel with on mode

variables, because the choice to activate AF and AE

operations is highly independent of whether the cam-

era is in the IDLE, SFor one of the multi frame modes.

Let call them CameraMode and AutoMode deﬁned

over enumeration types

{IDLE, SF, HS, LS}

and

{FE, F, E, 0}

respectively. We can also see this as a feature compo-

sition/interaction, see e.g., Calder and Magill (2000);

Apel et al. (2010); Broy (2010). Thus, one feature

is responsible for the choice of the current value of

CameraMode and for the processes in the correspond-

ing mode, where the second feature solely deals with

the AF and AE operations.

Figure 2: Digital Camera: Submodes Hierarchy.

Figure 3: Digital Camera: Parallel Model for the Submodes

Hierarchy.

Table 1 lists some of the relevant software com-

ponents, their descriptions and their implementa-

tion platform (GPP/DSP). Some components are im-

plemented in both processors to allow dynamic re-

conﬁguration of the system in order to provide opti-

mal resource usage. Within these constraints, a key

challenge is allocating computing resources for the

software elements to best suit partly predictable us-

age conditions. The DSP is especially suited to im-

age processing operations, yet the DSP has signiﬁ-

cant energy overheads. We characterise the main de-

sign problems for the camera as follows. (i) Given an

overall objective (e.g. minimise time consumption),

satisfy that objective at run time. (ii) Given a usage

proﬁle, minimise energy and time consumption at run

time.

3 PROPOSED VISUALISATION

APPROACH

One of the problems using formal representation is

that often only two factors are considered as impor-

tant: the method must be sound and give such a

representation, which is concise and beautiful from

the mathematical point of view, without taking into

account any question of readability, usability, etc.,

Towards Readability Aspects of Probabilistic Mode Automata

557

Table 1: Software Components.

Description GPP DSP

Operatoions

AF AutoFocus: X X

Automatic lens focusing

AE Automatic Exposure metering X X

IP Image Processing on local - X

buffer, red-eye reduction, etc.

IB Image Buffering: - X

Transfer image

from sensor to local buffer

IS Image Storage: X -

Transfer images

from buffer to ﬂash card

AS Activate Shutter etc. X X

(e.g. aperture adjust)

BC Buffer check: - X

Check if buffer is full

Modes

IDLE Idle mode - X

SF Single-Frame shutter X X

MF Multi-Frame shutter X X

Submodes

FE AF and AE enabled X X

F AF only enabled X X

E AE only enabled X X

0 AF&AE disabled X X

but even small syntactical changes of a method can

make it more understandable and usable for engineers

Constantine (2003); Dhillon (2004); Klare (2000);

Spichkova (2013). Figure 4 presents an the example

of Petri net specifying HS mode details for the digital

camera, which provides a typical representation of a

coloured Petri net. Within our approach, we propose

the following enhancements: To make representation

more readable, ﬁrst of all we should take into account

the human factor. Thus, if a path (in this case a colour

marked path, green or red) starts on the left/right of

the net, we should proceed to draw it on the same side

if possible and avoid cross moving the paths without

any important reason.

Thus, on Figure 4 two paths are switched after

the operation do AS, which can confuse some readers.

Then, we can try to ﬁnd a solution to avoid a lot of

crossing arrows having different meanings: the blue

and maroon arrows indicate synchronisation of the

counters, and we can replace them by visual group-

ing of operations on the same counter. As result we

obtain an optimised coloured Petri net presented in

Figure 5, which is semantically equivalent to the rep-

resentation in Figure 4. This optimisation increases

ease of use by human readers (designers, testers etc.)

without decreasing simplicity for machine readability

and semi-automated support or expressiveness/power

(for the domain or domains of choice).

Usability derives from the following aspects:

Figure 4: HS mode details presented as a coloured Petri net.

1 2

10 11

1 2

do AS

ref AUTO

do IB

do IP

Shoot.eqShoot.lb

Shoot.inc(1) Shoot.inc(1)

BF.inc(1)

BF.inc(1)BF.inc(1)

BF.eq

BF.lb

do IS

Figure 5: HS mode details: Another Visualisation.

ENASE 2019 - 14th International Conference on Evaluation of Novel Approaches to Software Engineering

558

• Lowering the barrier between the simpliﬁed and

expressive language for the machine support and

that of the domain languages of the user(s) and

associated with the purpose, e.g., by using con-

trolled natural languages that try to avoid disad-

vantages of both natural and formal languages and

being a subset of a natural language with a well-

deﬁned syntax and semantics, see Kuhn (2010);

Fuchs and Schwitter (1995); Macias and Pulman

(1993).

• Applying an appropriate automatisation of a num-

ber of steps within the modelling and veriﬁcation

process: this not only saves human time and al-

lows to get results much faster then humans can

produce manually, but also (partially) excludes

the human element as the most “unreliable” in

failure, see Redmill and Rajan (1996); Spichkova

and Zamansky (2016). For example, a formal

speciﬁcation can be generated from the corre-

sponding CASE tool representation which can be

edited in a more readable way also using prede-

ﬁned templates, see Spichkova et al. (2013); Vo

and Spichkova (2016).

• Supporting directly common and standard ab-

stractions that are well-established (and hence

part of the software engineering training), e.g.

Message Sequence Charts Genest and Muscholl

(2008); Harel and Thiagarajan (2003)), or deﬁned

in standards (such as UML, IEC-61131, etc):

• Uniﬁcation of the representation of any informa-

tion we are dealing with (see, e.g., Spichkova

(2013));

• Easing the use of novel compositional principles

and high-level tools, that are opening novel and

powerful methods to users of formal speciﬁcation

or speciﬁcation-based/model-driven methods.

Having a representation like presented on Fig-

ure 5, we can easily transform a Petri net to a hier-

archical MSC. In the case a component-based speciﬁ-

cation of the system is need in addition to the pro-

cess representation, an MSC can be schematically

translated to the corresponding formal speciﬁcation as

shown in Spichkova et al. (2012); Spichkova (2010).

Let us also shortly discuss translation/representation

of the following modelling artefacts: (global) param-

eters, local, time and counter variables.

Local Variable: use can be translated into state

and transition label expansions for NF purposes Ka-

toen (2005), but can also be intuitively understood in

data types and data structures that capture state. How-

ever for Petri net normal form used in our approach

and compositionality considerations restrictions need

to be designed along with such capabilities to limit the

scopes of these variables appropriately, viz. to FSM

components of nets, in terms of their use in guards and

assignments associated with transitions and states.

Global Parameter: use are of a similar nature with

respect to normalisation but needs to be limited to

achieve compositionally. For example, we could say

the global parameters may occur locally in guards

(i.e., they are read-only) as well as in initialisation

expressions (for the initial states when FSM objects

are created) or with re-assignments limited to higher-

level FSMs (such as mode automata) when submodes

are entered and before these branch out into rational

parallel processes. Another common example is the

use of iterator and bounded loop process constructs

that have a very structured use of local counter vari-

ables which never serve synchronisation but are pro-

viding a reasoning tool for local termination and per-

formance approximation, based on an interplay of lo-

cal (loop) invariants and loop control variables, which

implies strict monotonicity and boundedness.

Time Variables (Clocks): are a further example

and in some sense a special case of counter control

above – in the sense that all practical approaches to

timed automata and synchronous time models discre-

tise an inﬁnite number of real-time points into a real-

time intervals with integer bounds and then solve a

linear convex hull problem to determine feasibility

and/or optimal schedules that meet time constraints.

There is also a signiﬁcant difference here, that needs

to be considered, relative to counters. In general,

counter processes can be explained as a macro struc-

ture based on sequence and choice, and hence are

lower-level automata (or process expressions) them-

selves, and hence they do not add ’new’ semantics

but can be explained in terms of existing semantics.

For example if we are in rational parallel processes,

they are just a syntactic sugar extension that does not

take us out of this class. Likewise with other classes

of processes (such as pushdown automata). In con-

trast, timed extension are true semantic extensions,

in that they deﬁne a different class of behaviours and

automata, because the deﬁne what the legitimate pro-

cesses (occurrence nets) are that are traces of the give

language (net system or process expression).

4 RELATED WORK

Component-based software engineering utilises a

well-deﬁned composition theory to enable the pre-

diction of such properties. as performance and re-

liability. This is one of the largest ﬁelds of soft-

ware and system engineering, there are many ap-

proaches on component-based design (CBD) cover-

Towards Readability Aspects of Probabilistic Mode Automata

559

ing different aspects and focusing on requirements,

quality, timing properties etc. (see e.g., CBS (2003);

Broy (2010, 1999); Broy et al. (2008)). Several

component-based prediction approaches, e.g. Palla-

dio Kapova et al. (2010); Martens et al. (2008);

Becker et al. (2007), CB-SPE Bertolino and Miran-

dola (2004), ROBOCOP Bondarev et al. (2004) (see

also a survey in Becker et al. (2006)) derive the ben-

eﬁts of reusing well-documented component speciﬁ-

cations. In our approach we focus on the questions of

resource-awareness and adaptivity of systems as well

as on the readability aspects of the formalism.

Mode automata have a long history motivated by

real-time design practices and methods used in in-

dustry in connection with statecharts. Maraninchi et

al. Maraninchi and R

emond (2003) capture the no-

tion of modes formally for a practical extension of the

real-time synchronous language Lustre and include

elements of the well-known I/O-automata. Mode au-

tomata deﬁne synchronous mode automata as a hy-

brid between data-ﬂow and transition systems. Talpin

et al. Talpin et al. (2006) extend this work to so-

called polychronous mode automata to work with the

multi-clock data-ﬂow formalism SIGNAL. Both these

types of automata are non-deterministic and do not

deal with probabilities. The (bisimulation) equiva-

lence and therefore compositional reasoning for mode

automata is undecidable. However, Maranichi et al.

introduce a synchronised (lock-step) parallel prod-

uct for modes in which shared symbols (intersection

of alphabets nonempty) are synchronised while local

symbols (the symmetric difference of the alphabets)

are independent. While the modes of a single au-

tomaton are mutually exclusive in their approach, and

the behaviour of these mode automata is fully abstract

wrt. probabilistic testing, the automata product suffers

from combinatorial explosion (state space explosion),

due to the aim of allowing arbitrary shared variables

and interference of parallel processes.

Cheung et al. Cheung et al. (2012) describe an

architecture-level method, SHARP, for predicting re-

liability (and timing) of concurrent systems. Whereas

SHARP is speciﬁcally designed for reliability and

timing prediction, our method is intended to be

generic thus also catering, e.g., for energy consump-

tion. SHARP models involve scenarios which are ei-

ther basic (similar to message sequence charts) or hi-

erarchical, involving sequential, conditional or con-

current composition. SHARP supports concurrent

composition of ﬁnite numbers of instances of a partic-

ular scenario, corresponding to symmetrically repli-

cated components. SHARP derives completion time

and reliability predictions from scenarios for use at

higher levels of abstraction. For each basic sce-

nario, SHARP requires transition rates for all individ-

ual actions, then calculates a single continuous-time

Markov model model from which completion time

and reliability are derived. For an hierarchical sce-

nario a system level CTMC is constructed using ab-

straction techniques such as queuing networks and ab-

straction of sequential components into single global

states. In contrast, our approach requires probabili-

ties/rates at the system level only. Our approach seeks

to avoid or defer calculation of monolithic models.

Our cost estimation is inspired by Valiant’s bulk

synchronous-parallel model Valiant (1990) of paral-

lel computing where global strong synchronisation

conservatively approximates systems which may in

reality use more ﬁne grained synchronisation and

indeed may allow for more asynchrony than the

above approximation would suggest. In performance

benchmarks reported in Yusuf et al. (2011), Yusuf

et al. demonstrated that such conservative predic-

tions may still be accurate enough if there is enough

WCET variation and a large enough number of ac-

tivities/tasks scheduled on individual processing el-

ements. Thus adjacent modes may be assumed to

be strongly separated in the global model while in

fact such modes are partially interleaved with respect

each other (subject to restrictions on repetition such

as boundedness for message sequence graphs as de-

scribed by Alur Alur and Yannakakis (1999) and star-

connectivity in trace languages). For conservative

cost estimation purposes this seems reasonable. We

expect that (with diminishing returns) such models

can be reﬁned selectively, to bound costs of adja-

cent sequences of overlapping modes, in a context-

dependent way.

An interesting approach on integration of syn-

chronous and asynchronous communication was pre-

sented by Hennicker et al. Hennicker et al. (2010);

Hennicker and Knapp (2011). In this approach, I/O-

transition systems were used as the formal back-

ground for modelling of system behaviour. As result,

a reﬁnement relation was deﬁned, which is composi-

tional w.r.t. synchronous and asynchronous connec-

tions of components and which preserves connection-

safety, and next existing interface theories for modal

I/O-transition systems were extended to support as-

semblies, (greybox) assembly reﬁnement and assem-

bly encapsulation, also showing that communication-

safety is preserved by assembly reﬁnement, that

black-box reﬁnement of component interfaces is com-

positional w.r.t. grey-box reﬁnement of assemblies

and, conversely, that assembly encapsulation maps

grey-box to black-box reﬁnement.

ENASE 2019 - 14th International Conference on Evaluation of Novel Approaches to Software Engineering

560

5 CONCLUSIONS

In this paper, we proposed a Petri-Nets-based ap-

proach targeting hybrid designer- and operator-

deﬁned performance budgets for timing and energy

consumption. The core focus of this approach is on

decreasing the cognitive load of the designers to de-

crease the chances of design mistakes. To achieve bet-

ter readability, we extended the coloured Petri Nets

formalism. To illustrate the proposed solution, we

presented an example of a sample embedded multi-

media system, a modern digital camera.

Future Work: We are going to integrate the pre-

sented approach with the results of our prior work, a

probabilistic global behaviour analysis approach de-

veloped for reliability and fault-tolerance studies (in-

cluding fault injection) and a parallelism/concurrency

focused framework centred on partially ordered

traces, Petri nets and timing/energy costs.

REFERENCES

(2003). In Cechich, A., Piattini, M., and Vallecillo, A., ed-

itors, Component-Based Software Quality: Methods

and Techniques, volume 2693 of LNCS. Springer.

Adler, R. (1995). Emerging standards for component soft-

ware. IEEE Computer, 28(3):68 –77.

Alur, R. and Yannakakis, M. (1999). Model checking of

message sequence charts. In Baeten, J. C. M. and

Mauw, S., editors, CONCUR’99, volume 1664 of

LNCS, pages 114–129. Springer.

Apel, S., Lengauer, C., M

oller, B., and K

astner, C. (2010).

An algebraic foundation for automatic feature-based

program synthesis. Science of Computer Program-

ming, 75(11):1022 – 1047. Special Section on the Pro-

gramming Languages Track at the 23rd ACM Sympo-

sium on Applied Computing.

Becker, S., Grunske, L., Mirandola, R., and Overhage, S.

(2006). Performance prediction of component-based

systems: A survey from an engineering perspective. In

Architecting Systems with Trustworthy Components,

volume 3938 of LNCS, pages 169–192. Springer.

Becker, S., Koziolek, H., and Reussner, R. (2007). Model-

based performance prediction with the palladio com-

ponent model. In 6th international workshop on Soft-

ware and performance, pages 54–65. ACM.

Bertolino, A. and Mirandola, R. (2004). Cb-spe tool:

Putting component-based performance engineering

into practice. In Crnkovic, I., Stafford, J., Schmidt, H.,

and Wallnau, K., editors, Component-Based Software

Engineering, volume 3054 of LNCS, pages 233–248.

Springer.

Bondarev, E., de With, P., and Chaudron, M. (2004). Pre-

dicting real-time properties of component-based ap-

plications. In In Proc. of the 30the EUROMICRO con-

ference, pages 40–47.

Broy, M. (1999). A logical basis for component-based sys-

tems engineering. In Calculational System Design.

IOS. Press.

Broy, M. (2010). Multifunctional software systems: Struc-

tured modeling and speciﬁcation of functional re-

quirements. Sci. Comput. Program., 75(12):1193–

1214.

Broy, M., Fox, J., H

olzl, F., Koss, D., Kuhrmann,

M., Meisinger, M., Penzenstadler, B., Rittmann, S.,

Sch

atz, B., Spichkova, M., and Wild, D. (2008).

Service-Oriented Modeling of CoCoME with Focus

and AutoFocus. In The Common Component Model-

ing Example: Comparing Software Component Mod-

els, pages 177–206. Springer.

Calder, M. and Magill, E., editors (2000). Feature Inter-

actions in Telecommunications and Software Systems.

IOS Press.

Cheung, L., andd Leana Golubchik, I. K., and Medvidovic,

N. (2012). Architecture-level reliability prediction of

concurrent systems. In ICPE’12. ACM.

Clements, P. C. (1995). From subroutines to subsystems:

Component-based software development. The Ameri-

can Programmer, 8(11).

Constantine, L. L. (2003). Canonical abstract prototypes for

abstract visual and interaction design. In Jorge, J. A.,

Jardim Nunes, N., and Falc

ao e Cunha, J. a., editors,

Interactive Systems. Design, Speciﬁcation, and Veriﬁ-

cation, volume 2844 of LNCS, pages 1–15. Springer.

Dhillon, B. S., editor (2004). Engineering Usability: Fun-

damentals, Applications, Human Factors, and Human

Error. American Scientiﬁc Publishers.

Fuchs, N. E. and Schwitter, R. (1995). Specifying logic pro-

grams in controlled natural language. In Proceedings

of the Workshop on Computational Logic for Natural

Language Processing, pages 3–5.

Genest, B. and Muscholl, A. (2008). Pattern matching and

membership for hierarchical message sequence charts.

Theory of Computing Systems, 42(4):536–567.

Harel, D. and Thiagarajan, P. S. (2003). Message Sequence

Charts. In Lavagno, L., Martin, G., and Selic, B., ed-

itors, UML for Real: Design of Embedded Real-Time

Systems, pages 77–105. Kluwer Academic Publishers.

Hennicker, R., Janisch, S., and Knapp, A. (2010). Reﬁne-

ment of components in connection-safe assemblies

with synchronous and asynchronous communication.

In Foundations of Computer Software: future Trends

and Techniques for Development, Monterey’08, pages

154–180. Springer.

Hennicker, R. and Knapp, A. (2011). Modal interface the-

ories for communication-safe component assemblies.

In 8th international conference on Theoretical aspects

of computing, ICTAC’11, pages 135–153. Springer.

Henzinger, T. A. and Sifakis, J. (2006). The embedded sys-

tems design challenge. In FM, pages 1–15.

Kapova, L., Buhnova, B., Martens, A., Happe, J., and

Reussner, R. (2010). State dependence in perfor-

mance evaluation of component-based software sys-

tems. In International conference on Performance en-

gineering, WOSP/SIPEW ’10, pages 37–48. ACM.

Katoen, J.-P. (2005). Labelled transition systems. In

Broy, M., Jonsson, B., Katoen, J.-P., Leucker, M., and

Towards Readability Aspects of Probabilistic Mode Automata

561

Pretschner, A., editors, Model-Based Testing of Reac-

tive Systems, volume 3472 of Lecture Notes in Com-

puter Science, pages 615–616. Springer.

Klare, G. R. (2000). Readable computer documentation.

ACM J. Comput. Doc., 24(3):148–168.

Kuhn, T. (2010). Controlled English for Knowledge Rep-

resentation. PhD thesis, Faculty of Economics, Busi-

ness Administration and Information Technology of

the University of Zurich.

Lee, B. (2006). Optimizing heterogeneous architectures.

EDN.

Macias, B. and Pulman, S. G. (1993). Natural Language

Processing for Requirements Speciﬁcation, pages 67–

89. Chapman and Hall Ltd., London.

Maraninchi, F. and R

emond, Y. (2003). Mode-automata:

a new domain-speciﬁc construct for the development

of safe critical systems. Sci. Comput. Program.,

46(3):219–254.

Martens, A., Becker, S., Koziolek, H., and Reussner, R.

(2008). An empirical investigation of the effort of

creating reusable, component-based models for per-

formance prediction. In Component-Based Software

Engineering, pages 16–31. Springer.

Mudge, T. N. (2001). Power: A ﬁrst-class architectural de-

sign constraint. IEEE Computer, 34(4):52–58.

Peake, I. D. and Schmidt, H. W. (2011). Systematic

simplicity-accuracy tradeoffs in parameterised con-

tract models. In Seventh International ACM Sigsoft

Conference on the Quality of Software Architectures

(QoSA), Boulder, Colorado, USA.

Rao, R., Vrudhula, S., and Rakhmatov, D. (2003). Battery

modeling for energy aware system design. IEEE Com-

puter, 36(12):77 – 87.

Redmill, F. and Rajan, J. (1996). Human Factors in Safety-

Critical Systems. Butterworth-Heinemann.

Sangiovanni-Vincentelli, A. L. and Martin, G. (2001).

Platform-based design and software design method-

ology for embedded systems. IEEE Design & Test of

Computers, 18(6):23–33.

Saxe, E. (2010). Power-efﬁcient software. Communications

of the ACM, 53(2).

Schmidt, H. W. (2003). Trustworthy components - com-

positionality and prediction. Journal of Systems and

Software, 65(3):215–225.

Schmidt, H. W., Peake, I. D., Xie, J., Thomas, I. E., Kr

amer,

B. J., Fay, A., and Bort, P. (2003). Modelling Pre-

dictable Component-Based Distributed Control Ar-

chitectures. In Object-Oriented Real-Time Depend-

able Systems, pages 339–346.

Spichkova, M. (2010). From Semiformal Requirements To

Formal Speciﬁcations via MSCs. Technical Report

TUM-I1019, TU M

unchen.

Spichkova, M. (2013). Design of formal languages and in-

terfaces: “formal” does not mean “unreadable”. In

Blashki, K. and Isaias, P., editors, Emerging Research

and Trends in Interactivity and the Human-Computer

Interface. IGI Global.

Spichkova, M., H

olzl, F., and Trachtenherz, D. (2012).

Veriﬁed system development with the autofocus tool

chain. Workshop on Formal Methods in the Develop-

ment of Software, (WS-FMDS).

Spichkova, M. and Zamansky, A. (2016). A human-centred

framework for combinatorial test design. In 11th In-

ternational Conference on Evaluation of Novel Ap-

proaches to Software Engineering (ENASE), pages

228–233. SciTePress.

Spichkova, M., Zhu, X., and Mou, D. (2013). Do we really

need to write documentation for a system? In Interna-

tional Conference on Model-Driven Engineering and

Software Development (MODELSWARD’13).

Talpin, J.-P., Brunette, C., Gautier, T., and Gamati

e, A.

(2006). Polychronous mode automata. In Proceed-

ings of the 6th ACM & IEEE International conference

on Embedded software, EMSOFT ’06, pages 83–92,

New York, NY, USA. ACM.

Valiant, L. G. (1990). A Bridging Model for Parallel Com-

putation. Communications of the ACM, 33(8).

Vo, P. T. N. and Spichkova, M. (2016). Model-based gener-

ation of natural language speciﬁcations. In Federation

of International Conferences on Software Technolo-

gies: Applications and Foundations, pages 221–231.

Springer.

Wolf, W., Jerraya, A. A., and Martin, G. (2008). Multi-

processor system-on-chip (MPSoc) technology. IEEE

Transactions on Computer-Aided Design of Integrated

Circuits and Systems, 27(10).

Yusuf, I. I., Schmidt, H. W., and Peake, I. D. (2011).

Architecture-based fault tolerance support for grid

applications. In Quality of Software Architectures,

QoSA’11, pages 177–181. ACM.

Zamansky, A., Spichkova, M., Rodriguez-Navas, G., Her-

rmann, P., and Blech, J. O. (2018). Towards classiﬁ-

cation of lightweight formal methods. In 13th Interna-

tional Conference on Evaluation of Novel Approaches

to Software Engineering (ENASE), pages 305–313.

SciTePress.

ENASE 2019 - 14th International Conference on Evaluation of Novel Approaches to Software Engineering

562