{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,26]],"date-time":"2025-09-26T13:19:27Z","timestamp":1758892767851,"version":"3.41.0"},"reference-count":39,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2022,7,31]],"date-time":"2022-07-31T00:00:00Z","timestamp":1659225600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000161","name":"NIST","doi-asserted-by":"crossref","award":["70NANB19H144"],"award-info":[{"award-number":["70NANB19H144"]}],"id":[{"id":"10.13039\/100000161","id-type":"DOI","asserted-by":"crossref"}]},{"name":"National Science Foundation","award":["1525855, CPS 1645578, and CPS 1646235"],"award-info":[{"award-number":["1525855, CPS 1645578, and CPS 1646235"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Cyber-Phys. Syst."],"published-print":{"date-parts":[[2022,7,31]]},"abstract":"<jats:p>Many Cyber-Physical Systems (CPS) have timing constraints that must be met by the cyber components (software and the network) to ensure safety. It is a tedious job to check if a CPS meets its timing requirement especially when it is distributed and the software and\/or the underlying computing platforms are complex. Furthermore, the system design is brittle since a timing failure can still happen (e.g., network failure, soft error bit flip). In this article, we propose a new design methodology called<jats:italic>Plan B<\/jats:italic>where timing constraints of the CPS are monitored at runtime, and a proper backup routine is executed when a timing failure happens to ensure safety. We provide a model on how to express the desired timing behavior using a set of timing constructs in a C\/C++ code and how to efficiently monitor them at the runtime. We showcase the effectiveness of our approach by conducting experiments on three case studies: (1) the full software stack for autonomous driving (Apollo), (2) a multi-agent system with 1\/10th-scale model robots, and (3) a quadrotor for search and rescue application. We show that the system remains safe and stable even when intentional faults are injected to cause a timing failure. We also demonstrate that the system can achieve graceful degradation when a less extreme timing failure happens.<\/jats:p>","DOI":"10.1145\/3516449","type":"journal-article","created":{"date-parts":[[2022,3,8]],"date-time":"2022-03-08T16:40:10Z","timestamp":1646757610000},"page":"1-39","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":5,"title":["Plan B: Design Methodology for Cyber-Physical Systems Robust to Timing Failures"],"prefix":"10.1145","volume":"6","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-4134-5008","authenticated-orcid":false,"given":"Mohammad","family":"Khayatian","sequence":"first","affiliation":[{"name":"San Jose State University, Tempe, AZ"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9081-9049","authenticated-orcid":false,"given":"Mohammadreza","family":"Mehrabian","sequence":"additional","affiliation":[{"name":"University of the Pacific, Stockton, CA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Edward","family":"Andert","sequence":"additional","affiliation":[{"name":"Arizona State University, Tempe, AZ"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Reese","family":"Grimsley","sequence":"additional","affiliation":[{"name":"Carnegie Mellon University, Pittsburgh, PA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Kyle","family":"Liang","sequence":"additional","affiliation":[{"name":"Carnegie Mellon University, Pittsburgh, PA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5010-2377","authenticated-orcid":false,"given":"Yi","family":"Hu","sequence":"additional","affiliation":[{"name":"Carnegie Mellon University, Pittsburgh, PA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ian","family":"McCormack","sequence":"additional","affiliation":[{"name":"Carnegie Mellon University, Pittsburgh, PA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Carlee","family":"Joe-Wong","sequence":"additional","affiliation":[{"name":"Carnegie Mellon University, Pittsburgh, PA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jonathan","family":"Aldrich","sequence":"additional","affiliation":[{"name":"Carnegie Mellon University, Pittsburgh, PA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Bob","family":"Iannucci","sequence":"additional","affiliation":[{"name":"Google Inc., Mountain View, CA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Aviral","family":"Shrivastava","sequence":"additional","affiliation":[{"name":"Arizona State University, Tempe, AZ"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2022,9,7]]},"reference":[{"key":"e_1_3_3_2_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-13050-3"},{"key":"e_1_3_3_3_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISORC.2008.25"},{"key":"e_1_3_3_4_2","doi-asserted-by":"publisher","DOI":"10.1145\/1837274.1837462"},{"key":"e_1_3_3_5_2","volume-title":"Proceedings of the High-Confidence Software Platforms for Cyber-Physical Systems Workshop (HCSP-CPS\u201906)","volume":"6","author":"Mueller Frank","year":"2006","unstructured":"Frank Mueller. 2006. Challenges for cyber-physical systems: Security, timing analysis and soft error protection. In Proceedings of the High-Confidence Software Platforms for Cyber-Physical Systems Workshop (HCSP-CPS\u201906), Vol. 6."},{"key":"e_1_3_3_6_2","volume-title":"PTIDES: A Programming Model for Distributed Real-Time Embedded Systems","author":"Derler Patricia","year":"2008","unstructured":"Patricia Derler, Thomas Huining Feng, Edward A. Lee, Slobodan Matic, Hiren D. Patel, Yang Zhao, and Jia Zou. 2008. PTIDES: A Programming Model for Distributed Real-Time Embedded Systems. Technical Report. UC Berkeley."},{"key":"e_1_3_3_7_2","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-45449-7_12"},{"issue":"3","key":"e_1_3_3_8_2","first-page":"36","article-title":"The worst-case execution-time problem\u2014Overview of methods and survey of tools","volume":"7","author":"Bernat Reinhard Wilhelm, Jakob Engblom, Andreas Ermedahl, Niklas Holsti, Stephan Thesing, David Whalley, Guillem","year":"2008","unstructured":"Reinhard Wilhelm, Jakob Engblom, Andreas Ermedahl, Niklas Holsti, Stephan Thesing, David Whalley, Guillem Bernat, et\u00a0al. 2008. The worst-case execution-time problem\u2014Overview of methods and survey of tools. ACM Transactions on Embedded Computing Systems 7, 3 (2008), 36.","journal-title":"ACM Transactions on Embedded Computing Systems"},{"key":"e_1_3_3_9_2","article-title":"Many Cars Have a Hundred Million Lines of Code: Who Gets to Write It?","author":"Review MIT Technology","year":"2019","unstructured":"MIT Technology Review. 2019. Many Cars Have a Hundred Million Lines of Code: Who Gets to Write It? Retrieved October 10, 2019 from https:\/\/tinyurl.com\/zwczp55.","journal-title":"Retrieved October 10, 2019 from https:\/\/tinyurl.com\/zwczp55."},{"key":"e_1_3_3_10_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-95246-8"},{"key":"e_1_3_3_11_2","article-title":"Apollo: An Open Autonomous Driving Platform","author":"Auto Apollo","year":"2019","unstructured":"Apollo Auto. 2019. Apollo: An Open Autonomous Driving Platform. Retrieved October 14, 2019 from https:\/\/github.com\/ApolloAuto\/apollo.","journal-title":"https:\/\/github.com\/ApolloAuto\/apollo."},{"key":"e_1_3_3_12_2","volume-title":"Proceedings of the 2nd International Workshop on Worst-Case Execution Time Analysis","author":"Mitra Tulika","year":"2002","unstructured":"Tulika Mitra and Abhik Roychoudhury. 2002. A framework to model branch prediction for worst case execution time analysis. In Proceedings of the 2nd International Workshop on Worst-Case Execution Time Analysis."},{"key":"e_1_3_3_13_2","volume-title":"Proceedings of the 5th International Workshop on Worst-Case Execution Time Analysis (WCET\u201905)","author":"Deverge Jean-Fran\u00e7ois","year":"2007","unstructured":"Jean-Fran\u00e7ois Deverge and Isabelle Puaut. 2007. Safe measurement-based WCET estimation. In Proceedings of the 5th International Workshop on Worst-Case Execution Time Analysis (WCET\u201905)."},{"key":"e_1_3_3_14_2","doi-asserted-by":"publisher","DOI":"10.1109\/ECRTS.2007.38"},{"key":"e_1_3_3_15_2","first-page":"8","article-title":"Using measurements as a complement to static worst-case execution time analysis","volume":"2","author":"Kirner Raimund","year":"2005","unstructured":"Raimund Kirner, Ingomar Wenzel, Bernhard Rieder, and Peter Puschner. 2005. Using measurements as a complement to static worst-case execution time analysis. Intelligent Systems at the Service of Mankind 2 (2005), 8.","journal-title":"Intelligent Systems at the Service of Mankind"},{"key":"e_1_3_3_16_2","doi-asserted-by":"publisher","DOI":"10.1145\/1289816.1289853"},{"key":"e_1_3_3_17_2","doi-asserted-by":"crossref","unstructured":"Yau-Tsun Steven Li and Sharad Malik. 1995. Performance analysis of embedded software using implicit path enumeration. ACM SIGPLAN Notices 30 (1995) 88\u201398.","DOI":"10.1145\/216633.216666"},{"key":"e_1_3_3_18_2","doi-asserted-by":"publisher","DOI":"10.1145\/2435227.2435236"},{"key":"e_1_3_3_19_2","doi-asserted-by":"publisher","DOI":"10.1109\/SEUS.2005.12"},{"key":"e_1_3_3_20_2","first-page":"26","volume-title":"Proceedings of the Conference on Design, Automation, and Test in Europe Conference and Exhibition (DATE\u201914)","author":"Altmeyer Sebastian","year":"2014","unstructured":"Sebastian Altmeyer and Robert I. Davis. 2014. On the correctness, optimality and precision of static probabilistic timing analysis. In Proceedings of the Conference on Design, Automation, and Test in Europe Conference and Exhibition (DATE\u201914). 26."},{"key":"e_1_3_3_21_2","doi-asserted-by":"publisher","DOI":"10.1109\/ECRTS.2012.31"},{"key":"e_1_3_3_22_2","doi-asserted-by":"publisher","DOI":"10.1109\/REAL.2002.1181582"},{"key":"e_1_3_3_23_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4020-8157-6_29"},{"key":"e_1_3_3_24_2","article-title":"Status of the Bound-T WCET Tool","author":"Holsti Niklas","year":"2002","unstructured":"Niklas Holsti and Sami Saarinen. 2002. Status of the Bound-T WCET Tool. Space Systems Finland Ltd.","journal-title":"Space Systems Finland Ltd."},{"key":"e_1_3_3_25_2","article-title":"RapiTime: WCET Analysis Tool","author":"Systems Rapita","unstructured":"Rapita Systems. n.d. RapiTime: WCET Analysis Tool. Retrieved March 27, 2019 from https:\/\/www.rapitasystems.com\/products\/rapitime.","journal-title":"https:\/\/www.rapitasystems.com\/products\/rapitime."},{"journal-title":"http:\/\/uppaal.org.","article-title":"Home Page","key":"e_1_3_3_26_2","unstructured":"UPPAAL. n.d. Home Page. Retrieved March 27, 2019 from http:\/\/uppaal.org."},{"key":"e_1_3_3_27_2","doi-asserted-by":"publisher","DOI":"10.1145\/1629435.1629494"},{"key":"e_1_3_3_28_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.sysarc.2017.09.004"},{"key":"e_1_3_3_29_2","doi-asserted-by":"publisher","DOI":"10.1109\/RTAS.2009.20"},{"key":"e_1_3_3_30_2","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-36580-X_4"},{"key":"e_1_3_3_31_2","doi-asserted-by":"publisher","DOI":"10.1145\/3302509.3311054"},{"key":"e_1_3_3_32_2","doi-asserted-by":"publisher","DOI":"10.23919\/ACC.2018.8430747"},{"key":"e_1_3_3_33_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-24743-2_32"},{"key":"e_1_3_3_34_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-39799-8_18"},{"key":"e_1_3_3_35_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACC.2012.6315384"},{"volume-title":"Network Time Protocol","year":"1985","key":"e_1_3_3_36_2","unstructured":"David Mills. 1985. Network Time Protocol. Technical ReportRFC 958. M\/A-COM Linkabit."},{"key":"e_1_3_3_37_2","doi-asserted-by":"publisher","DOI":"10.1109\/SFICON.2002.1159815"},{"journal-title":"https:\/\/github.com\/lgsvl\/simulator.","article-title":"LG Simulator Group in Silicon Valley","key":"e_1_3_3_38_2","unstructured":"GitHub. n.d. LG Simulator Group in Silicon Valley. Retrieved November 10, 2019 from https:\/\/github.com\/lgsvl\/simulator."},{"key":"e_1_3_3_39_2","article-title":"ESP8266 Deauther Version 2.0","author":"Kremser Stefan","unstructured":"Stefan Kremser. n.d. ESP8266 Deauther Version 2.0. Retrieved October 31, 2018 from https:\/\/github.com\/spacehuhn\/esp8266_deauther.","journal-title":"https:\/\/github.com\/spacehuhn\/esp8266_deauther."},{"key":"e_1_3_3_40_2","doi-asserted-by":"crossref","unstructured":"Antonio Eduardo Carrilho da Cunha. 2015. Benchmark: Quadrotor attitude control. EPiC Series in Computer Science 34 (2015) 57\u201372.","DOI":"10.29007\/dc68"}],"container-title":["ACM Transactions on Cyber-Physical Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3516449","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3516449","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3516449","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T19:30:21Z","timestamp":1750188621000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3516449"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,7,31]]},"references-count":39,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2022,7,31]]}},"alternative-id":["10.1145\/3516449"],"URL":"https:\/\/doi.org\/10.1145\/3516449","relation":{},"ISSN":["2378-962X","2378-9638"],"issn-type":[{"type":"print","value":"2378-962X"},{"type":"electronic","value":"2378-9638"}],"subject":[],"published":{"date-parts":[[2022,7,31]]},"assertion":[{"value":"2021-06-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-01-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-09-07","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}