# Integrating SysML and Timed Reo to Model and Verify Cyber-Physical Systems Interactions with Timing Constraints

Perla Tannoury<sup>1,2</sup> and Ahmed Hammad<sup>1,3</sup>

<sup>1</sup> University of Bourgogne Franche-Comté, France FEMTO-ST Institute - UMR CNRS 6174 <sup>2</sup> perla.tannoury@femto-st.fr <sup>3</sup> ahammad@femto-st.fr

Abstract. Modeling Cyber-Physical Systems (CPS) with timing constraints is challenging due to the complexity of their component behaviors. We propose "Timed SysReo", a novel modeling language that extends SysML with Timed Reo to capture CPS architecture and timed interactions. Timed SysReo uses Timed Reo Internal Block Diagrams (Timed Reo IBD) and Timed SysReo Sequence Diagrams (TSRSD) to detail component interactions and message flows. Since direct formal verification of requirements in TSRSD is impractical, we automate the transformation of TSRSD into Timed Constraint Automata (TCA) using ATL rules. Requirements are expressed in Timed Scheduled-Data-Stream Logic (TSDSL), enhancing precision and rigor in CPS verification. We illustrate the efficacy of our approach through a case study involving a Smart Medical Bed (SMB).

Keywords: CPS  $\cdot$  SysML  $\cdot$  Timed Reo  $\cdot$  Timed SysReo  $\cdot$  TCA  $\cdot$  ATL.

# 1 Introduction

Cyber-physical systems (CPSs) are composed of software and physical components that constantly interact with one another [14]. These systems find application across various domains such as smart cities, healthcare, and autonomous vehicles [5, 24, 20]. Efficient modeling of CPSs is crucial for understanding and verifying functional properties, particularly in critical domains. However, modeling CPS structures and interactions with timing constraints adds complexity and challenges, risking significant errors, especially in vital sectors like emergency response and healthcare.

Several languages and formalisms are used in CPS modeling [17, 6, 10]. In our study, we opted for the System Modeling Language (SysML) [19] due to its capability to model heterogeneous systems, integrating both software and hardware components. SysML enhances stakeholder understanding by modeling system architecture, behavior, and requirements. In SysML, interactions between components are modeled using Internal Block Diagram (IBD) and Sequence Diagram (SD). However, these interactions adopt an "endogenous" coordination approach which complicates design and reduces "reusability", increasing project costs. Moreover, while SysML proficiently models CPS, it may not fully address formal specification and verification of intricate component interactions with timing constraints.

Alternatively, the "exogenous" coordination approach, which embeds coordination logic within connectors, is gaining traction among researchers [2, 13, 16]. This method enhances reusability and simplifies design. Timed Reo, as employed by scholars in [3, 15], offers a circuit-like graphical representation and enables modeling interactions with timing constraints. It supports reusability, maintains synchrony during composition, and provides a formal representation through Timed Constraint Automata (TCA). However, its formal semantics may present challenges to stakeholders due to limited industrial adoption.

To our knowledge, no comprehensive study has integrated SysML and Timed Reo for CPS modelization. Previous research has focused on either SysML [12, 25] or Timed Reo [3, 15] separately. In our recent work, we introduced "Sys-Reo" [21–23], combining SysML and Reo to enhance CPS validation. While "SysReo" effectively models intricate CPS requirements, structure, behavior, and interactions, it falls short in handling CPS with timing constraints.

In this paper, we first introduce "Timed SysReo" by extending SysML with Timed Reo, introducing the "Timed Reo Internal Block Diagram" (Timed Reo IBD) and "Timed SysReo Sequence Diagram" (TSRSD). Then ,we propose an approach for verifying interactions and interoperability among CPS components, relying on meta-modeling [8] and transformations [7]. This involves defining meta-models for source and target models and establishing correspondences between them. To ensure accuracy and prevent errors, we develop automated ATL rules [1] for seamless TSRSD to TCA transformation. TCAs represent CPS component behavior and coordination, facilitating verification of Timed Scheduled-Data-Stream Logic (TSDSL) requirements.

Finally, we illustrate our approach using a Smart Medical Bed (SMB) case study, showcasing the benefits of Timed SysReo and formal verification for developing robust medical CPS systems.

The paper follows this structure: Section 2 provides an overview of SysML, Timed Reo, and TCA. Section 3 outlines the proposed modeling approach using Timed SysReo models. The transformation of TSRSD into TCA using ATL is given in Section 4. Section 5 presents the SMB system case study. The paper concludes in Section 6, with a brief discussion on future work.

# 2 Background

This section provides a concise overview of SysML, Timed Reo, and Timed Constraint Automata (TCA).

#### 2.1 Brief Overview of SysML

SysML [11], a profile of UML2.0 [18], facilitates the modeling of complex systems across industries by aligning stakeholder inputs. It offers nine diagram types for modeling CPS requirements, structure, and behavior. In our Smart Medical Bed (SMB) system modeling, we focus on the Requirement Diagram (RD), Block Definition Diagram (BDD), Internal Block Diagram (IBD), and Sequence Diagram (SD).

**Requirement Diagram (RD):** Illustrates system requirements and their relationships with other model elements.

Block Definition Diagram (BDD): Represents system components and their relationships, distinguishing between atomic and composite blocks.

**Internal Block Diagram (IBD):** Depicts the static state of the system, detailing internal arrangements through sub-blocks.

Sequence Diagram (SD): Visualizes component interactions and event sequences during specific use cases.

### 2.2 Timed Reo

Timed Reo [3] expands upon Reo [2], is a channel-based coordination language for concurrent and distributed systems. It introduces channels with timing constraints to regulate communication in CPS, aiming to specify exogenous protocols governing timed interactions among components. Timed Reo's formal semantics are captured by Timed Constraint Automata (TCA), extending Constraint Automata (CA) to describe behavior incorporating timing constraints. **Definition of TCA:** A Timed Constraint Automaton (TCA) denoted by  $A = (L, L_0, N, \rightarrow, C, ic)$  comprises:

- L: set of locations (or states).
- $L_0$ : initial location where  $L_0 \in L$ .
- N: set of port names.
- $\rightarrow$ : transition relation  $\rightarrow \subseteq L \times 2^N \times DC \times CC \times 2^C \times L$ , where DC represents Data Constraints over a finite data domain, ensuring specific conditions for data exchange between components and CC represents Clock Constraints.
- C: set of clocks.
- $ic: L \to CC$  is a function assigning to each location an invariance condition, ensuring specific timing constraints.

**Example:** Consider the expiring timed FIFO channel depicted in Fig. 1. This channel extends from FIFO with a maximum time constraint for data residing in the buffer, after which the data is discarded. In the Timed Reo circuit, a clock t is declared in TCA. A time constraint  $t \leq 1$  under the buffer indicates the expiration time aspect, denoted by a clock constraint CC(t) as an invariance condition for location l'(d) in TCA. The two edges from l'(d) to l represent the event where a data item is discarded upon timer expiration and the event where Y reads the data out of the buffer, respectively.

4 Perla et al.



Fig. 1. Timed Reo circuit and TCA for an expiring timed FIFO channel.

# 3 Modeling Approach

In this section, we present our model-based design approach. We begin by outlining the steps for efficiently designing CPS using Timed SysReo. Then, we describe the Timed SysReo meta-models employed in the initial design phase.

# 3.1 Approach steps



Fig. 2. Modeling and V&V processes using Timed SysReo.

This section outlines our modeling methodology, as illustrated in Fig. 2, which consists of two main processes: the modeling process and the validation

and verification (V & V) process. Initially, we comprehensively model CPS components' requirements, structure, timed interaction protocols, and behavior to address critical timing constraints. Subsequently, we verify timed interactions and interoperability among CPS components.

During the initial phase, the CPS designer gathers system requirements and conducts thorough analysis. Using the "Timed SysReo" model, three main diagrams are created: (1) The requirement diagram, encompassing both functional and non-functional needs; (2.1) The ExtBDD diagram, illustrating the system's hierarchical structure through blocks, followed by (2.2) the Timed Reo IBD diagram, delineating internal structure and timed interaction protocols. Additionally, the Timed SysReo sequence diagram (TSRSD) models timed behavior and coordination of CPS components.

In the second phase, our focus shifts to the validation and verification process. We aim to accurately represent timed interactions among CPS components and verify their interoperability, modeled using TSRSD diagrams. To achieve this, we apply ATL rules to corresponding meta-models, as detailed in Section 4, to obtain their equivalents of Timed Constraint Automata (TCA). Additionally, we express predefined requirements in Time Scheduled Data Stream Logic (TSDSL) [3], providing a formal representation of these requirements.

Using TSDSL and TCA enhances precision and rigor in CPS verification procedures, ensuring seamless collaboration among components with timing constraints. This systematic approach guarantees the CPS system operates as intended, aligning with designer specifications. Verification results are evaluated, with any specification errors prompting a loop back to the Timed SysReo model specification phase until a precise CPS model is achieved.

### 3.2 Timed SysReo meta-models

In this section, we will present the meta-models of Timed Reo Internal Block Definition Diagram (Timed Reo IBD) and Timed SysReo Sequence Diagram (TSRSD) respectively.

**Timed Reo IBD meta-model:** In Fig. 3, we represent the meta-model that allows us to model Timed Reo IBD diagrams. The Timed Reo IBD serves to depict the inner structure of CPS components and the timed connections between CPS parts specified as exogenous Timed Reo protocols. These diagrams consist of parts and ports, where each part represents a CPS component. Parts are encapsulated black-box components equipped with ports for data exchange. Communication between parts is facilitated through Timed Reo connectors, which are depicted as channels. Various types of Timed Reo channels exist, each defining specific data behaviors: The Sync channel instantly transfers data from input to output. FIFO temporarily buffers data before transmission. SyncDrain receives data from two inputs simultaneously and discards them. Filter forwards data only if a specified condition is met. Additionally, Timed Reo connectors include nodes for data exchange between components and employ clocks to measure time (timeouts or delay) within the system.



Fig. 3. Meta-model of Timed Reo Internal Block Diagram (Timed Reo IBD) followed by an example.

**TSRSD meta-model:** In Fig. 4 A, we represent the meta-model that allows us to model Timed SysReo Sequence Diagrams, followed by an example in Fig. 4 B. The main class in this meta-model is the TSRSD Interaction, which encompasses



Fig. 4. Meta-model of Timed SysReo Sequence Diagram (TSRSD) followed by an example.

lifelines, Timed SysReo Messages (TSRMsg), and a Timed Reo Sequencer.

A LifeLine represents a CPS component involved in the interaction, handling event transmission and reception. TSRMsg defines the Timed SysReo Messages exchanged between objects, with each message having a sender and receiver connected via timed Reo connectors. The Timed Reo Sequencer serves as the superclass for TSRSD Interaction, Combined Fragment, Interaction Operand, and Occurrence Specification. A Combined Fragment contains interaction operands and an interaction operator chosen from a set of options. An Interaction Operand is linked to a combined fragment, potentially with a guard condition. The TSRMsg Occurrence Specification represents events on lifelines, marking the start or end of a timed SysReo message.

The classes Timed Reo Connectors, TSRMsg, and Timed Reo Sequencer inherit from NamedElement, which in turn inherits from Element. The 'owner' association retrieves the parent element, while 'ownedElement' retrieves child elements.

Timed SysReo, as compared to SysReo [22, 23], offers a more comprehensive approach to modeling CPS. By incorporating timing notations through "Timed Reo IBD" and "Timed SysReo SD", it enables a detailed representation of CPS interactions and inner structure within specified time constraints. This enhancement ensures that all facets of CPS, from requirements to behavior to structure, are accurately captured in the modeling process.

# 4 Transforming TSRSD into TCA using ATL

In this section, we introduce the Atlas Transformation Language (ATL) and explain how to convert TSRSD diagrams into Timed Constraint Automata (TCA).

### 4.1 ATL Overview

The Atlas Transformation Language (ATL) is a tool in Model-Driven Engineering (MDE) used to generate target models from source models [1]. An ATL program consists of rules that match elements in the source model and create corresponding elements in the target model. These rules include a "from" section specifying patterns and constraints in the source model, and a "to" section defining how target elements are created from the source elements.

#### 4.2 Timed Constraint Automata Meta-Model

Based on the formal definition of Timed Constraint Automata (TCA), we propose a meta-model depicted in Fig. 5. The main classes are: Timed Constraint Automata, the root class containing states and transitions; State, which includes a name, type (initial or not), and an invariance condition for the maximum duration; and Transition, which specifies source and target states, node names (input/output), data constraints, and clock constraints for firing time.

#### 4.3 ATL Transformation Rules

Several ATL rules are used to map TSRSD elements to TCA elements. Specifically, TSRMsgOccurrenceSpecification in TSRSD corresponds to State in TCA, and TSRMsg in TSRSD corresponds to Transition in TCA. Due to space constraints, we will illustrate only one rule here:

**Example Rule: TSRMsg2Transition** converts TSRMsg instances from TSRSD to Transition instances in TCA:



Fig. 5. Timed Constraint Automata meta-Model followed by an example.



This rule maps TSRMsg to Transition, indicating message transmission, sets node names, data constraints, and initializes clock constraints. It defines source and target states based on TSRMsg specifications, using a helper function to find subsequent occurrences on a lifeline.

#### $\mathbf{5}$ Smart Medical Bed Case Study

In this section, we present our case study on the Smart Medical Bed (SMB) system. We provide a brief overview of the SMB, gather relevant information for analysis, and use Timed SysReo models to specify requirements, design structure, and model behavior while accounting for timing constraints. The system is validated by generating TCAs from TSRSD using predefined ATL rules, enabling verification of timed properties through methods like Büchi automata [9], enhancing the validation and verification process.

#### 5.1**SMB** overview

A Smart Medical Bed (SMB) integrates sensors to monitor vital signs like temperature, transmitting data to a Remote Terminal Unit (RTU) within 1 Time

8



Fig. 6. Smart medical bed architecture.

Unit (TU), as shown in Fig.6. The RTU manages data flow between the Smart Bed (SB) and Nursing Station (NS), deciding whether to update patient information or alert healthcare teams within 3 TUs. The SMB system consists of the SB, RTU, and NS components.

Our study focuses on modeling and validating the SB-RTU interaction within the SMB. Using Timed SysReo, we analyze requirements and model architecture. We employ Timed Reo IBD and Timed SysReo SD to represent internal structure and manage timing constraints, enhancing efficiency in modeling complex components and interaction protocols within the SMB environment.

### 5.2 Modeling process using Timed SysReo

**Requirements** During the modeling process, it is vital to ensure system functionality and usability. This starts with identifying specific system needs, outlining functional requirements of the SMB system. For instance, requirement R1 in Table.1, emphasizes the necessity for the Smart Bed (SB) to send the collected patient vital signs data (e.g., heart rate, blood pressure, temperature, and oxygen saturation) to the Remote Terminal Unit (RTU) within a latency of no more than 1 Time Unit (TU). This requirement is satisfied by the Smart Bed (SB) component and verified by the "sendTempData()" message.

| D | Requirement Description                       | Satisfied by                                                                                                                                                                                                                                                                                                                                                 | Verified By                                                                                                                                                                                                                                                                                                                                                                                      |
|---|-----------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 | The SB shall send the collected patient vital | SB.                                                                                                                                                                                                                                                                                                                                                          | sendTempData().                                                                                                                                                                                                                                                                                                                                                                                  |
|   | signs data to RTU within a latency of no more |                                                                                                                                                                                                                                                                                                                                                              |                                                                                                                                                                                                                                                                                                                                                                                                  |
|   | than 1 TU .                                   |                                                                                                                                                                                                                                                                                                                                                              |                                                                                                                                                                                                                                                                                                                                                                                                  |
| 2 | The RTU must send an "emergencyAlert()"       | RTU.                                                                                                                                                                                                                                                                                                                                                         | emergencyAlerts(),                                                                                                                                                                                                                                                                                                                                                                               |
|   | message to the NS within 3 TU for abnor-      |                                                                                                                                                                                                                                                                                                                                                              | updatePatientInfo().                                                                                                                                                                                                                                                                                                                                                                             |
|   | mal data or transmit an "updatePatientInfo()" |                                                                                                                                                                                                                                                                                                                                                              |                                                                                                                                                                                                                                                                                                                                                                                                  |
|   | message within the same time-frame for nor-   |                                                                                                                                                                                                                                                                                                                                                              |                                                                                                                                                                                                                                                                                                                                                                                                  |
|   | mal data.                                     |                                                                                                                                                                                                                                                                                                                                                              |                                                                                                                                                                                                                                                                                                                                                                                                  |
|   | )<br>,1<br>,2                                 | <ul> <li>D Requirement Description</li> <li>1 The SB shall send the collected patient vital signs data to RTU within a latency of no more than 1 TU .</li> <li>2 The RTU must send an "emergencyAlert()" message to the NS within 3 TU for abnormal data or transmit an "updatePatientInfo()" message within the same time-frame for normal data.</li> </ul> | D       Requirement Description       Satisfied by         1       The SB shall send the collected patient vital signs data to RTU within a latency of no more than 1 TU .       SB.         2       The RTU must send an "emergencyAlert()" message to the NS within 3 TU for abnormal data or transmit an "updatePatientInfo()" message within the same time-frame for normal data.       RTU. |

Table 1. Requirement table of SMB.



Fig. 7. The ExtBDD model of the SMB system.

**Extended Block Definition Diagram (ExtBDD)** The ExtBDD diagram displays the hierarchical structure of the SMB system, with each component from the requirement diagram (Table.1) depicted as a block. These blocks detail a component's internal operations, offered and required services, with input and output proxy ports. In Fig. 7 [A], we show an abstract overview of the system, featuring main components like "SMB", divided into "Smart Bed (SB)" and "Remote Terminal Unit (RTU)". In Fig. 7 [B], the concrete level illustrates sub-components within primary components. For instance, the smart bed includes "Temperature Sensor" and "Gateway", with the former responsible for data measurement and transmission to the latter.



Fig. 8. Timed Reo IBD of the SMB system.

**Timed Reo Internal Block Diagram (Timed Reo IBD)** Fig.8 presents the Timed Reo IBD of the smart medical bed system. The purpose of Timed Reo IBD is to enhance the modeling of system architecture by replacing the SysML Internal Block Diagram (IBD) with Timed Reo connectors, allowing for the precise specification and analysis of timing properties and synchronization patterns within the system. In Fig. 8(b,c), internal structures of SB and RTU components are illustrated, including their timed interaction protocols. For instance, the gateway (gtw) component sends "sendTempData()" to the medical database (MDB) component through a timed FIFO channel, constrained by @t1 <= 1 TU. This channel imposes a deadline, t1 <= 1, where data availability follows a structured pattern: each data item in the FIFO buffer has a maximum duration of t1 <= 1 before removal. Similarly, the MDB sends "analyzedData()" to the Exclusive router (EXR) via a timed FIFO channel with a deadline of @t2 <= 3 TU. Following that, the EXR determines whether to dispatch "emergencyAlerts()" via a sync channel for immediate transmission to the patient alert (PA) component, or to send "updatePatientInfo()" via a sync channel directly to the patient update (PU) component.



Fig. 9. Difference between traditional SysML SD and TSRSD of the SMB system.

**Timed SysReo Sequence Diagram (TSRSD)** The purpose of TSRSD is to enhance traditional SysML Sequence Diagrams (SD) by integrating Timed Reo, providing a comprehensive representation of complex timed interactions among CPS components. By extending SysML SD with Timed Reo, TSRSD effectively models both behavior and timed interaction protocols within CPS. TSRSD facilitates exogenous coordination among CPS components, enhancing flexibility, adaptability, and cost-efficiency in CPS modeling. Additionally, TSRSD enables the validation of predefined requirements, ensuring CPS interoperability and design precision through formal verification processes.

In our recent work [23], we enhanced traditional SysML SD by integrating Reo, creating SysReo SD. This effectively captures CPS component behavior and coordination but lacks adequate handling of timing constraints. Therefore, we introduced Timed SysReo SD (TSRSD), extending SysML SD with Timed Reo to enhance the representation of complex timed interactions among CPS components. Moreover, TSRSD serves as a starting point for the verification

phase. Using predefined ATL rules outlined in Section 4, we directly produce Timed Constraint Automata (TCA) from TSRSD. Subsequently, we formally verify predefined requirements, expressed in TSDSL logic, on the generated TCA to guarantee CPS interoperability and design precision.

In Fig. 9, we illustrate the contrast between traditional SysML SD and TSRSD, highlighting the detailed message flow with timing constraints among components. While SysML SD aids in understanding system behavior, it lacks explicit coordination details. TSRSD, adopting an exogenous approach, provides a precise representation of system behaviors and timed interactions. Exogenous methods like Timed Reo offer a modular approach to define protocols. In the scenario shown in Fig. 9 A, the GTW component sends the "sendTempData()" message to the MDB component. An endogenous approach would involve directly implementing the message within their respective code. However, Fig. 9 B illustrates a different strategy, where a separate component called the "Timed Reo sequencer" explicitly defines the message exchange protocol between GTW and MDB with a time constraint of  $t_1 \leq 1$ . For example, GTW sends "sendTempData()" to MDB using timed Reo ports {GTW, MDB} (depicted as orange circles), and the Timed Reo sequencer coordinates this message exchange. This decoupling allows for easier protocol modifications without affecting the implementation of GTW and MDB. Employing Timed Reo connectors in exogenous approaches provides more flexibility and simplifies the specification and adjustment of complex protocols in CPS. Another notable aspect of TSRSD is its capability to verify predefined requirements, as depicted in Table 1. For instance, the "R1" requirement is verified using a timed FIFO channel, coordinating the "sendTempData()" message within a time constraint of  $t_1 < 1$ .

The subsequent step involves formally representing TSRSD and outlining the method for automatic TCA generation.

#### 5.3 Validation and Verification Process

By applying ATL rules to the Timed SysReo sequence diagram (TSRSD) of SMB, we generate the corresponding Timed Constraint Automata (TCA) shown in Fig. 10. We chose ATL to automate the transformation of TSRSD to TCA due to its efficiency and ability to reduce user errors. For example, in Fig. 9 B, the "sendTempData()" message in TSRSD is translated into a transition "t" using the ATL rule "TSRMsg2Transition" from Section 4.3. This transition "t" involves nodes {GTW, MDB}, with data constraint  $d_{GTW} = d_{MDB} = d$  and clock constraint t1:=0. Applying ATL rule to TSRSD facilitates the creation of its corresponding TCA, depicted in Fig. 10.

Verification of TSDSL Properties on TCA To ensure the correctness of the SMB system's behavior and coordination, we express predefined requirements using Timed Scheduled-Data-Stream Logic (TSDSL) [3], which integrates temporal logic with timing constraints. These TSDSL specifications are verified against the Büchi automata [9] of the Timed Constraint Automata (TCA) using Arbab's method [4, 3].



Fig. 10. The generated TCA from the smart medical bed TSRSD.

For example, consider requirement R1 in Table 1, which specifies that if data transmission occurs from the Smart Bed (SB) within 1 time unit, it is always  $(\Box)$  accompanied by data reception at the Remote Terminal Unit (RTU) or no observable data transmission within the subsequent 1 time unit:

 $\Box [[SB]] (\langle \langle RTU \rangle^{\leq 1} \rangle) \lor \neg \langle \langle . \rangle^{\leq 1} \rangle$ 

Arbab's method, detailed in [3], ensures that a given TCA satisfies a specified TSDSL formula. It involves transforming the TSDSL formula into its negation, constructing a Büchi TCA for this negation, merging it with the original TCA, and checking the emptiness of the resulting combined TCA.

Checking the emptiness of the combined TCA involves determining if there exists a run (sequence of states and transitions) that satisfies the negated formula. For requirement R1, this means verifying if there is no sequence where data transmission from SB occurs within 1 time unit without either a corresponding reception at RTU within the same time or no transmission at all within the subsequent 1 time unit. If the combined TCA is empty, meaning no such run exists, then the original TCA satisfies the TSDSL formula for requirement R1. This verification step ensures that the CPS model adheres to the specified timing and temporal logic requirements, thus confirming its correctness and reliability.

### 6 Conclusion and Future Work

In this paper, we present a novel approach for modeling and verifying Cyber-Physical Systems (CPS) interactions with timing constraints using Timed Sys-Reo. Our method enhances CPS designs by incorporating precise timing considerations through the integration of Timed Reo into SysML diagrams. This allows for an accurate representation of system requirements, behaviors, and interactions under specified timing constraints. Timed SysReo uses two key diagrams: the Timed Reo Internal Block Diagram (IBD) and the Timed SysReo Sequence Diagram (TSRSD). The Timed Reo IBD focuses on the structural aspects of CPS, offering a static view of the system architecture. In contrast, the TSRSD emphasizes dynamic behaviors and timed interactions, providing a dynamic perspective on system operations. Together, these diagrams offer a comprehensive depiction of both the static and dynamic elements of CPS with

respect to timing constraints. Additionally, we demonstrate the automation of transforming TSRSD diagrams into Timed Constraint Automata (TCA) using ATL, which significantly enhances the precision and ease of verifying CPS requirements specified in TSDSL logic. Our approach is exemplified through a case study involving a Smart Medical Bed (SMB), highlighting the practical application and benefits of Timed SysReo in real-world scenarios.

In our future efforts, we will assess Timed SysReo's performance across diverse sectors like automotive and aerospace CPS, moving beyond its current focus on healthcare. This evaluation aims to determine its suitability and address specific challenges and opportunities in each domain. Additionally, we intend to enhance Timed SysReo by modeling both discrete and continuous CPS behaviors. Currently, the Timed SysReo framework primarily handles discrete behaviors, but our expansion will integrate parametric diagrams and incorporate Reo connectors to model differential equations for continuous dynamics. This approach will enable comprehensive modeling of CPS hardware components, considering physical constraints to ensure robust system designs across different operational scenarios.

## References

- 1. Eclipse ATL. https://eclipse.dev/atl/, accessed: May 02, 2024
- Arbab, F.: Reo: a channel-based coordination model for component composition. Mathematical Structures in Computer Science 14(3), 329–366 (2004). https://doi.org/10.1017/S0960129504004153
- Arbab, F., Baier, C., de Boer, F., Rutten, J.: Models and temporal logical specifications for timed component connectors. Software & Systems Modeling 6, 59–82 (2007)
- Arbab, F., Baier, C., De Boer, F., Rutten, J.: Models and temporal logics for timed component connectors. In: Proceedings of the Second International Conference on Software Engineering and Formal Methods, 2004. SEFM 2004. pp. 198–207. IEEE (2004)
- Barroso, S., Bustos, P., Nunez, P.: Towards a cyber-physical system for sustainable and smart building: a use case for optimising water consumption on a smartcampus. Journal of Ambient Intelligence and Humanized Computing 14(5), 6379–6399 (2023)
- Bouskela, D., Falcone, A., Garro, A., Jardin, A., Otter, M., Thuy, N., Tundis, A.: Formal requirements modeling for cyber-physical systems engineering: An integrated solution based on form-1 and modelica. Requirements Engineering 27(1), 1–30 (2022)
- Czarnecki, K., Helsen, S., et al.: Classification of model transformation approaches. In: Proceedings of the 2nd OOPSLA Workshop on Generative Techniques in the Context of the Model Driven Architecture. vol. 45, pp. 1–17. USA (2003)
- De Lara, J., Vangheluwe, H., Alfonseca, M.: Meta-modelling and graph grammars for multi-paradigm modelling in atom 3. Software & Systems Modeling 3, 194–209 (2004)
- Gastin, P., Oddoux, D.: Fast ltl to büchi automata translation. In: Computer Aided Verification: 13th International Conference, CAV 2001 Paris, France, July 18–22, 2001 Proceedings 13. pp. 53–65. Springer (2001)

- Genius, D., Apvrille, L.: Hierarchical design of cyber-physical systems. In: Modelsward (2023)
- 11. Hause, M., et al.: The sysml modelling language. In: Fifteenth European Systems Engineering Conference. vol. 9, pp. 1–12 (2006)
- Huang, P., Jiang, K., Guan, C., Du, D.: Towards modeling cyber-physical systems with sysml/marte/pccsl. In: 2018 IEEE 42nd Annual Computer Software and Applications Conference (COMPSAC). vol. 1, pp. 264–269. IEEE (2018)
- Ivers, J., Clements, P.C., Garlan, D., Nord, R., Schmerl, B., Oviedo-Silva, J.: Documenting component and connector views with uml 2.0 (2004)
- Kim, K.D., Kumar, P.R.: Cyber-physical systems: A perspective at the centennial. Proceedings of the IEEE 100(Special Centennial Issue), 1287–1308 (2012). https://doi.org/10.1109/JPROC.2012.2189792
- Kokash, N., Jaghoori, M.M., Arbab, F.: From timed reo networks to networks of timed automata. Electronic Notes in Theoretical Computer Science 295, 11–29 (2013)
- Lau, K.K., Ornaghi, M., Wang, Z.: A software component model and its preliminary formalisation. In: International symposium on formal methods for components and objects. pp. 1–21. Springer (2005)
- Mallet, F.: Marte/ccsl for modeling cyber-physical systems. Formal Modeling and Verification of Cyber-Physical Systems: 1st International Summer School on Methods and Tools for the Design of Digital Systems, Bremen, Germany, September 2015 pp. 26–49 (2015)
- Miles, R., Hamilton, K.: Learning UML 2.0: a pragmatic introduction to UML. " O'Reilly Media, Inc." (2006)
- OMG: OMG System Modeling Languag. https://www.omg.org/spec/SysML/, accessed: 04-09-2024
- Panahi, V., Kargahi, M., Faghih, F.: Control performance analysis of automotive cyber-physical systems: A study on efficient formal verification. ACM Transactions on Cyber-Physical Systems (2022)
- Tannoury, P.: An Incremental Model-Based Design Methodology to Develop CPS with SysML/OCL/Reo. In: Journées du GDR GPL. Vannes, France (Jun 2022), https://hal.science/hal-03893454
- Tannoury, P., Chouali, S., Hammad, A.: Model driven approach to design an automotive cps with sysreo language. In: Proceedings of the 20th ACM International Symposium on Mobility Management and Wireless Access. pp. 97–104 (2022)
- Tannoury, P., Chouali, S., Hammad, A.: Joint use of sysml and reo to specify and verify the compatibility of cps components. In: International Conference on Formal Aspects of Component Software. pp. 84–102. Springer (2023)
- Tartarisco, G., Cicceri, G., Bruschetta, R., Tonacci, A., Campisi, S., Vitabile, S., Cerasa, A., Distefano, S., Pellegrino, A., Modesti, P.A., et al.: An intelligent medical cyber-physical system to support heart valve disease screening and diagnosis. Expert Systems with Applications 238, 121772 (2024)
- Xie, J., Tan, W., Yang, Z., Li, S., Xing, L., Huang, Z.: Sysml-based compositional verification and safety analysis for safety-critical cyber-physical systems. Connection Science pp. 1–31 (2021)