# Statistical Model Checking of a Clock Synchronization Protocol for Sensor Networks

## Abstract.

This paper uses the statistical model checking tool in the UPPAAL toolset to test the robustness of a distributed clock synchronization algorithm for wireless sensor networks (WSN), in the case of lossy communication, i.e., when the WSN is deployed in an environment with significant multi-path propagation, leading to interference. More precisely, the robustness of the gMAC protocol included in the Chess WSN platform is tested on two important classes of regular network topologies: cliques (networks with full connectivity) and small grids (where all nodes have the same degree). The paper extends previous work by Hedaraian et al. that only analyzed this algorithm in the ideal case of non-lossy communication, and only in the case of cliques and line topologies. The main contribution is to show that the original clock synchronization algorithm is not robust to changing the quality of communication between sensors. More precisely, with high probability the algorithm fails to synchronize the nodes when considering lossy communication over cliques of arbitrary size, as well as over small grid topologies.

## 1 Introduction

Wireless sensor networks (WSNs) are (possibly large-scale) networks of sensor nodes deployed in strategic areas to gather data. Sensor nodes collaborate using wireless communications with an asymmetric many-to-one data transfer model. Typically, they send their sensed data to a sink node which collects the relevant information. WSNs are primarily designed for monitoring environments that humans cannot easily reach (e.g., motion, target tracking, fire detection, chemicals, temperature); they are used as embedded systems (e.g., biomedical sensor engineering, smart homes) or mobile applications (e.g., when attached to robots, soldiers, or vehicles).

In wireless sensor networks, the basic operation is *data fusion*, whereby data from each sensor is agglomerated to form a single meaningful result. The fusion of individual sensor readings is possible only by exchanging messages that are timestamped by each sensor’s local clock. This mandates the need for a common notion of time among the sensors which is achieved by means of so called *clock synchronization protocols* [13, 15].

In this paper we do model checking of a distributed algorithm of clock synchronization for WSNs that has been developed by the Dutch company CHESS [12]. In order to realize an energy efficient communication mechanism, CHESS developed a gossip-based MAC algorithm [14] (abbreviated gMAC) which is responsible for regulating the access to the wireless shared channel. Here we are interested in verifying the robustness of the gMAC algorithm in the presence of *packet loss*. Packet loss is particularly relevant in wireless sensor networks which are deployed in environments with significant multi-path distortion (when part of the signal goes to the destination while another part bounces off an obstruction and then goes on to the destination). Most of sensor platforms do not have enough frequency diversity to reject multi-path propagation.

Our work has been strongly inspired by a recent analysis [8] of the gMAC synchronization protocol on clique and line topologies, in the ideal case of non-lossy communication. In the case of line topologies, paper [8] shows that the protocol fails to synchronize all nodes, when the number of nodes grows. On the other hand, on clique topologies the protocol behaves quite well and the paper provides constraints on *guard times* (delays added before and after the transmission of sync messages) to guarantee clock synchronization, independently on the clique size. In [8] the protocol is modeled as a network of timed automata and verified using the UPPAAL model checker [2, 3]. However, the model in [8] does not incorporate several features such as dynamic slot allocation, uncertain communication delays, and unreliable radio communication. In the current paper we extend their analysis by adopting a *probabilistic model* of radio communication that takes into account message loss according to the measurement of packet delivery suggested in [17]. As our model is a network of probabilistic timed automata, we decided to do our analysis by applying *Statistical Model Checking* (SMC) [7] within the UPPAAL toolset [2, 3]. SMC consists in monitoring a proper number of runs of the system and then applying a statistical algorithm to obtain an estimate of the result of the desired query.

Our analysis shows that low guard times (within the safety range proposed in [8]) are not sufficient to guarantee clock synchronization in clique topologies of arbitrary size. More precisely, in the case of lossy communication, the size of the clique *does* play a crucial role in the effectiveness of the protocol: the bigger is the clique the higher must be the guard time to ensure clock synchronization with high probability. Here it is important to notice that guard times cannot be arbitrary increased without dramatically affecting the duration of the battery life of the sensor nodes [1]. Finally, we move our analysis on grid topologies, with increasing neighbor degree, to better simulate a uniform node distribution of sensor nodes in a given area. Our simulations show that high values of the guard times may be not sufficient to guarantee clock synchronization in the presence of message loss, even in small \(5 \times 5\) grid networks. On the other hand, we observe that the efficiency of the protocol improves when the number of neighbours, and hence node connectivity, increases.

**Outline**

Section 2 introduces the gMAC protocol. Section 3 illustrates the corresponding UPPAAL probabilistic model. Section 4 details our analysis on cliques and grid topologies. Section 5 concludes the paper with final remarks, future and related work.

## 2 The gMAC Protocol

*frames*, and each frame is subdivided into

*slots*. Slots can be either

*active*or

*idle*. During active slots, a node is either listening for incoming messages from neighbouring nodes (RX slot) or it is sending a message (TX slot). During idle slots a node is switched to energy saving mode. Active slots are gathered in a contiguous sequence placed at the beginning of each frame.Since energy efficiency is a major concern in the design of wireless sensor networks, the number of active slots is typically much smaller than the total number of slots. In the implementation of gMAC the number of slots within a frame is 1129 out of which 10 are active. A node can only transmit a message once per time frame in its TX slot. If two neighbouring nodes choose the same send slot then a communication collision will occur in the intersection of their transmission ranges preventing message delivery. In the original protocol a node randomly chooses an active slots as

*send slot*(TX slot) considering all other active slots as

*receive slots*(RX slots). However, for the sake of simplicity, as in [8], in our analysis we assume that the TX slots are fixed and have been chosen in such a way that no collision occurs.

In order to ensure that when a node is sending all its neighbours are listening, *guard times* are introduced. This means that each sender waits for some time (\(\mathsf g \) clock cycles) at the beginning of its TX slot to ensure that all its neighbours are ready to receive messages; similarly, a sender does not transmit for a certain amount of time (\(\mathsf t \) clock cycles) at the end of its TX slot. Guard times cannot be arbitrary increased without dramatically affecting the duration of the battery life of the sensor nodes [1]. So, the choice of proper guard time values is crucial in the protocol design. In the current implementation, each slot consists of 29 clock cycles, out of which 18 cycles are used as guard time.

The CHESS sensor nodes come equipped with a 32 kHz crystal oscillator that drives an internal clock used to determine the beginning and the end of each slot. Sensor nodes are also equipped with an ATMega64 micro-controller and a Nordic nRF24L01 [10] packet radio. Depending on the environment, the Nordic nRF24L01 radio has a transmission range between \(0.5m\) and \(50m\), For the sake of simplicity we assume that all nodes have the same transmission range; this means that the transmission between nodes is assumed to be symmetric.

## 3 UPPAAL Probabilistic Model for gMAC

In this section, we provide a small extension of the UPPAAL model for gMAC of [8] in which a probabilistic choice to model message loss is introduced. The model assumes a finite, fixed set of sensor nodes \(\mathsf {Nodes} = \{ 0, \ldots , \mathsf N -1 \}\). The behaviour of each individual node \(i \in \mathsf {Nodes} \) is described by means of three different timed automata: \(\mathbf {Clock} (i)\), \(\mathbf {WSN} (i)\), \(\mathbf {Synchronizer} (i)\). Automaton \(\mathbf {Clock} (i)\) models the hardware clock of the node, \(\mathbf {WSN} (i)\) takes care of sending messages, and \(\mathbf {Synchronizer} (i)\) re-synchronizes the hardware clock upon receipt of a message. The automaton \(\mathbf {Synchronizer} (i)\) is the only one where probabilities are introduced to model packet loss. The complete model consists of the composition of the three automata \(\mathbf {Clock} (i)\), \(\mathbf {WSN} (i)\) and \(\mathbf {Synchronizer} (i)\), for each \(i \in \mathsf {Nodes} \).

Protocol parameters

Parameter | Description | Constraints |
---|---|---|

\(\mathsf{ N} \) | number of nodes | \(0<\mathsf {N} \) |

\(\mathsf {C} \) | number of slots in a time frame | \(0<\mathsf {C} \) |

\(\mathsf {n} \) | number of active slots in a time frame | \(0<\mathsf {n} \le \mathsf {C} \) |

\(\mathsf {k _0}\) | number of clock ticks in a time slot | \(0<\mathsf {k _0}\) |

\(\mathsf {csn} [i]\) | current slot number for node \(i\) | \(0\le \mathsf {csn} [i] < \mathsf {n} \) |

\(\mathsf {tsn} [i]\) | TX slot number for node \(i\) | \(0\le \mathsf {tsn} [i] < \mathsf n \) |

\(\mathsf {clk} [i]\) | clock value for node \(i\) | \(0\le \mathsf {clk} [i] < \mathsf k _0\) |

\(\mathsf g \) | guard time | \(0 < \mathsf g \) |

\(\mathsf t \) | tail time | \(0 < \mathsf t \) |

\(\mathsf {min} \) | minimal time between two clock ticks | \(0 < \mathsf {min} \) |

\(\mathsf {max} \) | maximal time between two clock ticks | \(\mathsf {min} \le \mathsf {max} \) |

\(\mathsf {loss} \) | | \(0\le \mathsf {loss} \le 100\) |

### **Definition 1.**

A network is said to be synchronized if for all reachable states \((\,\forall i, j \in \mathsf {Nodes} \,)(\,(\,\mathsf {SENDING} _i \wedge \mathsf {neighbor} (i,j)\,) \Longrightarrow (\,\mathsf {csn} [i] = \mathsf {csn} [j]\,)\,)\).

## 4 Our Analysis

In order to make feasible our analysis we try to understand if we can change some system parameters without affecting the quality of the analysis. In particular, we focus on the parameter \(\mathsf C \) that is the number of slots composing a frame. The effectiveness of any synchronization protocol is crucially based on the exchange of some timing information to synchronize neighbor nodes. Said in other words, the longer nodes remain silent the quicker they get out of sync, because they do not get enough information to synchronize with each other. As consequence, once fixed the number of active slots, if the system gets out of sync with probability \(p\), for a certain value of \(\mathsf C \), then the same system will get out of sync more quickly (or with higher probability) for a bigger value of \(\mathsf C \).

The parameter \(\mathsf {loss} \) expresses the probability of message loss at the physical level due to the unreliability of the wireless medium. In our analysis, we will instantiate \(\mathsf {loss} \) according to the results appeared in [17], where packet delivery performances of WSNs have been studied at physical layer under different transmission powers and physical-layer encodings. In that analysis, \(60\) Mica motes have been used to measure packet delivery under three different environmental settings: office building, open parking lot, habitat with moderate foliage. Under these settings, results show that the physical layer contributes to the packet-delivery performance, which is defined as the fraction of packets not successfully received by the receiver within a time window.

For the sake of simplicity, all nodes of our networks will be instantiated with the same value of the parameter \(\mathsf {loss} \). According to [17] this parameter will be set to: \(10\), to approximate the average message loss in a parking lot; \(20\), to model the average message loss in a office building; and \(30\), which represents the average message loss in an habitat setting with moderate foliage.

### 4.1 Verifying Clique Topologies

^{1}; they do not depend on the size \(\mathsf N \) of the network. They are:

Here we want to demonstrate that, in the presence of packet loss, the size of the clique network *does* play a crucial role. In particular, the bigger is the clique the higher must be the value of \(\mathsf g \) (and \(\mathsf t \)) to ensure clock synchronization. Said in other words: *in the presence of message loss, fixed a value of* \(\mathsf g \) *(and* \(\mathsf t \)), *there is always a clique which gets out of sync with high probability.*

For networks with full connectivity clock synchronization means that all nodes of the network agree on the current slot. As a consequence, Definition 1 can be rephrased as in [8] in the following manner:

### **Definition 2.**

A clique network is said to be synchronized if for all reachable states it holds the following: \((\forall i, j \in \mathsf {Nodes} )(\mathsf {SENDING} _i \Longrightarrow \mathsf {csn} [i] {=} \mathsf {csn} [j])\).

On the parameter \(\mathsf C \)

\(\mathsf g \) | \(\mathsf N \) | \(\mathsf C \) | \(\mathtt{bound }\) | frames | \(p\) | \(\varepsilon \) | \(\alpha \) |
---|---|---|---|---|---|---|---|

\(3\) | \(10\) | \(12\) | \(0.07\cdot 10^9\) | \(2\) | \(0.025\) | \(0.02\) | \(0.01\) |

\(3\) | \(10\) | \(48\) | \(0.28\cdot 10^9\) | \(2\) | \(0.029\) | \(0.02\) | \(0.01\) |

\(3\) | \(10\) | \(192\) | \(1.12\cdot 10^9\) | \(2\) | \(0.031\) | \(0.02\) | \(0.01\) |

\(3\) | \(10\) | \(336\) | \(2.00\cdot 10^9\) | \(2\) | \(0.031\) | \(0.02\) | \(0.01\) |

\(4\) | \(15\) | \(17\) | \(0.50\cdot 10^9\) | \(10\) | \(0.022\) | \(0.01\) | \(0.05\) |

\(4\) | \(15\) | \(34\) | \(1.00\cdot 10^9\) | \(10\) | \(0.027\) | \(0.01\) | \(0.05\) |

\(4\) | \(15\) | \(68\) | \(2.00\cdot 10^9\) | \(10\) | \(0.027\) | \(0.01\) | \(0.05\) |

#### 4.1.1 Simulation setting

In our simulations on cliques, all protocol parameters will satisfy the constraints in (2). As in [8], the guard time \(\mathsf t \) is chosen to be the same as \(\mathsf g \). Parameter \(\mathsf {tsn} [i]\) is chosen equal to \(i\), as fully connectivity implies a different TX slot for each node. We set \(\mathsf k _0=29\). Unfortunately, we cannot set \(\mathsf C =1129\), as in the real implementation, because the length of the runs that can be analyzed by UPPAAL is limited: in order to avoid integer overflow, the parameter \(\mathtt {bound} \) cannot overtake the value \(2\cdot 10^{9}\). This means that if we would keep \(\mathsf C \) close to the real value, then our execution runs would last for just a single time frame and they would be too short to provide any significant result. According to the discussion done in the preface of this section we perform our analysis for low values of the parameter \(\mathsf C \). This modification does not affect our analysis. As an example, in Table 2 we consider cliques with \(\mathsf N =10,15\), \(\mathsf {loss} =20\) and \(\mathsf g =3,4\). We then perform the quantitative check (3) by varying \(\mathsf C \) and keeping constant the number of observed time frames. The value \(p\) represents the center of the confidence interval computed by UPPAAL SMC. Every check required \(6623\) runs of the protocol and lasted for about four days on a Intel core i5-2420M CPU 2.30GHz with 6G RAM. We gradually increased the precision of the parameter \(\varepsilon \) in order to achieve an interval which does not include the value \(0\) as a reply; in other words we have looked for lower bounds \(p-\varepsilon > 0\).

*when the number of time frames is fixed then the probability of going out of sync for the system does not decrease when the parameter*\(\mathsf C \)

*increases*(similar results can be obtained for different values of \(\mathsf N \), \(\mathsf g \), \(\mathsf {loss} \) and for different topologies). As a consequence, our simulations provide a lower bound of the probability of getting out of sync in a setting with \(\mathsf C =1129\).

Cliques and node number. Maximal run length. \(\alpha = 0.05\), \(\varepsilon =0.025\)

The analysis provided in Table 3 says also that the protocol is certainly not suitable in certain scenarios. For instance, in a clique of at least \(10\) nodes with \(\mathsf g =3\) the system will get immediately out of sync with high probability if the loss probability is greater than \(0.2\). In other settings the results are not that strong. This is the case of a clique with \(10\) nodes, \(\mathsf g =4\) and \(\mathsf {loss} =20\). In this case, our analysis says that this system will get out of sync with probability \(0.025\). Such a value is ten times smaller than the loss probability, too small to conclude anything, at least in a so short run. Unfortunately, a priori, we cannot predict the behaviour of the system for longer runs as the probability \(p\) may increase or stabilize. In the following we will try to overcome this limitation.

*execution modules*. At the beginning of an execution module all nodes are in the same time slot and with the same value in their clock variables. At the end of an execution module, UPPAAL SMC computes an estimate of the probability \(p\) to reach a state which does not satisfy Definition 2. This definition does not identify a single state of the system: nodes may have different clock values while still being in the same time slot. We claim that

*the initial state, where all nodes begin the execution module with the same clock value, is the state which has the smallest probability to lead the system out of sync*. In order to support our argument, we provide an example in Table 4. We consider cliques of \(5\) and \(10\) nodes, with \(\mathsf g =4\), \(\mathsf C =7\) and \(\mathsf {loss} =20\). Table 4 shows experiments in which the system starts from a state that satisfies Definition 2 while internal clocks may have different values. The starting value of every internal clock is randomly chosen from a fixed interval \(\mathcal I \) of clock values. Runs are \(30\) time frames long. We set \(\alpha =0.05\). It can be noticed that the smallest desync probability is obtained when the execution module starts in the initial state where all nodes have the same clock value. Similar results can be obtained for other values of \(\mathsf N \), \(\mathsf g \), \(\mathsf C \) and \(\mathsf {loss} \).

Module comparison – \(\mathsf g =4\), \(\alpha =0.05\), run length \(30\) frames –

*at least*

Quantitative check on cliques with \(\mathsf {loss} = 20\) and \(\mathsf \alpha =0.05\)

\(\mathsf g \) | \(\mathsf N \) | \(\mathsf C \) | \(p-\varepsilon \) | \(300\) frames | \(600\) frames | \(900\) frames | ||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|

\(3\) | \(10\) | \(12\) | \(0.361\) | \(\ge 0.893\) | \(\ge 0.989\) | \(\ge 0.999\) | ||||||

\(3\) | \(15\) | \(17\) | \(0.535\) | \(\ge 0.998\) | \(\ge 0.999\) | \(\ge 0.999\) | ||||||

\(3\) | \(20\) | \(22\) | \(0.667\) | \(\ge 0.999\) | \(\ge 0.999\) | \(\ge 0.999\) | ||||||

\(3\) | \(30\) | \(32\) | \(0.826\) | \(\ge 0.999\) | \(\ge 0.999\) | \(\ge 0.999\) | ||||||

\(4\) | \(15\) | \(17\) | \(0.021\) | \(\ge 0.156\) | \(\ge 0.273\) | \(\ge 0.373\) | ||||||

\(4\) | \(20\) | \(22\) | \(0.038\) | \(\ge 0.321\) | \(\ge 0.539\) | \(\ge 0.687\) | ||||||

\(4\) | \(30\) | \(32\) | \(0.081\) | \(\ge 0.718\) | \(\ge 0.920\) | \(\ge 0.980\) |

As discussed at the beginning of this section, the values of Table 5 represent also lower bounds of the probability of desynchronization for the real implementation. In the real setting, with \(\mathsf C =1129\) and clock frequency of \(32\) kHz, a time frame lasts for about \(1\) *sec*. As a consequence, Table 5 expresses a lower bound of the probability of getting out of sync within \(5\), \(10\) and \(15\) *min*. Thus, when \(\mathsf g =3\) the probability of getting out of sync is high also for small networks enough for small networks (around \(10\) nodes), but when \(\mathsf N =15\) we have a probability of being out of sync of almost \(0.4\) in \(15\) *min*. When \(\mathsf N =20\) the probability reaches \(0.7\) in less than \(15\) *min*. When \(\mathsf N =30\) the probability reaches \(0.7\) in less than \(5\) *min*. These results outline an increasing of the desync probability when the number of nodes increases.

### 4.2 Verifying Grid Topologies

Clock synchronization in clique topologies has been studied in [8] as a first step towards more realistic topologies. Usually sensor nodes have a limited number of neighbours and do not have direct communication with the whole network. In this section, we study how the gMAC synchronization protocol behaves on regular topologies which better simulate a uniform node distribution in a given area^{2}. In particular, we will focus on grid topologies where nodes have a uniform number of neighbours. Unlike cliques, there are no theoretical results suggesting how to choose protocol parameters to guarantee the synchronization of grid networks in the case of non-lossy communication. The implementation of gMAC adopts an high guard time, \(\mathsf g =9\), to ensure synchronization in networks with arbitrary topologies. In this section, we study whether high values of \(\mathsf g \) guarantee node synchronization in grid-based networks, in the case of lossy communication.

In our simulations we focus on a small sensor network where nodes are placed in a \(5{\times }5\) grid, thus \(\mathsf N =25\). Unlike cliques, grid topologies do not need a different TX slot for each node: we can allocate the same TX slot to different nodes provided that when two nodes are neighbours or have a common neighbor then they get distinct TX slot numbers. According to the implementation of gMAC, where the number of TX slots is limited, we consider the minimum number of TX slots to be allocated to satisfy conditions (1). The number of transmission slots depends on the number of neighbours for each single node; if a node \(v\) has \(k\) neighbours then we need a TX slot in which \(v\) transmits and all its neighbours listen, and \(k\) distinct slots in which each neighbor transmits and \(v\) listens. Thus if \(k\) represents the maximum node degree, then we need at least \(k+1\) TX slots.

Grids \(5\times 5\) and node degree. Maximal run length. \(\alpha = 0.05\), \(\varepsilon =0.03\)

The compositional reasoning on execution modules adopted for cliques can be easily generalized to grid topologies. Table 7 fixes \(\mathsf {loss} =20\) and \(\mathsf g =6\). It reports lower bounds to the probability of getting out of sync within \(900\), \(1800\), \(2700\) and \(3600\) time frames. As said before, in the real implementation a time frame lasts for around \(1\) *sec*. Thus, when considering \(\mathsf g =6\) and a message loss of \(20\%\), we observe that the desync probability exceeds \(0.5\) in less than \(15\) *min* for degree \(4\), in less than \(30\) *min* for degree \(6\), and in less than \(45\) *min* for degree \(8\). Table 7 outlines also how the performances of the protocol depend on the node degree: the probability of getting out of sync decreases for grid topologies with higher node degree.

*min*.

Quantitative check on \(5\times 5\) grids with \(\mathsf {loss} = 20\) and \(\mathsf g =6\)

degree | \(\mathsf C \) | \(p-\varepsilon \) | \(900\) frames | \(1800\) frames | \(2700\) frames | \(3600\) frames | ||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|

\(4\) | \(7\) | \(0.08\) | \(\ge 0.53\) | \(\ge 0.78\) | \(\ge 0.90\) | \(\ge 0.95\) | ||||||

\(6\) | \(9\) | \(0.04\) | \(\ge 0.39\) | \(\ge 0.61\) | \(\ge 0.76\) | \(\ge 0.84\) | ||||||

\(8\) | \(11\) | \(0.02\) | \(\ge 0.25\) | \(\ge 0.44\) | \(\ge 0.58\) | \(\ge 0.69\) |

In conclusion, in the case of lossy communication, *small grid topologies have a high probability of getting out of sync even for high values of the guard time* \(\mathsf g \) *and for low values of the loss probability. Moreover the probability of getting out of sync increases when decreasing the maximum node degree*.

## 5 Conclusions, Future and Related Work

Our work has been strongly inspired by a recent analysis [8] of the gMAC synchronization protocol on clique and line topologies, in the ideal case of non-lossy communication. That analysis provides constraints on the protocol parameters that are both necessary and sufficient for the correctness of the protocol for cliques of arbitrary size. Here we have carried on the work of [8] in the case of lossy communication. We have extended their model and obtained a network of probabilistic timed automata [6] which has been used for doing Statistical Model Checking within the UPPAAL toolset [7]. As a main result, we have showed that in the presence of message loss the constraints provided in [8] may be not sufficient to ensure clock synchronization of cliques of arbitrary size. Then, we have extended our analysis of the protocol to small grid topologies and again found that, in the case of lossy communication, the nodes of the grid may get out of sync with high probability. More interestingly, grid topologies with higher node degree have a smaller probability of desynchronization. This lets us to conjecture that higher connectivity helps synchronization protocols. In this respect, among the regular topologies, clique topologies are those with the best performances!

As in [8] we have assumed a fixed slot allocation. However, the implementation of gMAC includes a probabilistic dynamic slot allocation algorithm. The only analysis we are aware of the probabilistic gMAC algorithm appears in [16]. In that paper, mobile sensors do not use a fixed schedule to control medium access but instead employ gMAC’s full decentralized slot allocation: gossiping is introduced to allow each node to decide when to send. Paper [16] analyzes the energy-efficiency of gMAC under the assumption of perfect clock synchronization. The protocol, formalised in the MoDeST language [4], is evaluated using the discrete-event simulator of the M\(\ddot{\mathrm{o }}\)bius tool suite. We are planning to study the performance of the gMAC protocol with dynamic slot allocation in the case of lossy communication and realistic clock. In doing that, we intend to adopt either a (truncated) normal distribution or a (truncated) exponential distribution for modeling a more realistic delay between consecutive ticks.

Statistical Model Checking allows us to study networks of bigger size with respect to the state-of-the art model checking technology, such as PRISM [9, 11]. SMC can be seen as a trade off between testing and formal verification: its approach consists in performing an appropriate number of simulations which are elaborated with statistical algorithms to verify if a given property is satisfied with a certain probability. Unlike an exhaustive approach, a simulation-based solution does not guarantee a correct result with a \(100\%\) confidence. It is only possible to bound the probability of making an error. In order to study bigger systems with an higher confidence, paper [5] proposes a distributed implementation of UPPAAL SMC by means of a master/slave architecture where several computers are used to generate simulations and a single master process is used to collect those simulations and perform the statistical test. We are planning to employ this approach to extend the confidence of the results we obtained in this paper.

## Footnotes

## Notes

### Acknowledgments

The anonymous referees provided insightful comments.

## References

- Assegei, F.: Decentralized frame synchronization of a TDMA-based wireless sensor network. Master’s thesis, Eindhoven University of Technology, Department of Electrical Engineering (2008)Google Scholar
- Behrmann, G., David, A., Larsen, K.G.: c. In: Bernardo, M., Corradini, F. (eds.) SFM-RT 2004. LNCS, vol. 3185, pp. 200–236. Springer (2004)Google Scholar
- Behrmann, G., David, A., Larsen, K.G., Håkansson, J., Pettersson, P., Yi, W., Hendriks, M.: Uppaal 4.0. In: QEST 2006. pp. 125–126. IEEE Computer Society (2006)Google Scholar
- Bohnenkamp, H.C., D’Argenio, P.R., Hermanns, H., Katoen, J.P.: MODEST: A compositional modeling formalism for hard and softly timed systems. IEEE Trans. Software Eng. 32(10), 812–830 (2006)Google Scholar
- Bulychev, P.E., David, A., Larsen, K.G., Legay, A., Mikucionis, M., Poulsen, D.B.: Checking and distributing statistical model checking. In: Goodloe, A., Person, S. (eds.) NFM 2012. LNCS, vol. 7226. Springer (2012)Google Scholar
- David, A., Larsen, K.G., Legay, A., Mikucionis, M., Poulsen, D.B., van Vliet, J., Wang, Z.: Statistical model checking for networks of priced timed automata. In: Fahrenberg, U., Tripakis, S. (eds.) FORMATS 2011. LNCS, vol. 6919, pp. 80–96. Springer (2011)Google Scholar
- David, A., Larsen, K.G., Legay, A., Mikucionis, M., Wang, Z.: Time for statistical model checking of real-time systems. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 349–355. Springer (2011)Google Scholar
- Heidarian, F., Schmaltz, J., Vaandrager, F.W.: Analysis of a clock synchronization protocol for wireless sensor networks. Theor. Comput. Sci. 413(1), 87–105 (2012)Google Scholar
- Kwiatkowska, M., Norman, G., Parker, D.: PRISM 4.0: Verification of probabilistic real-time systems. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 585–591. Springer (2011)Google Scholar
- Nordic Semiconductors: nRF2401 Single-chip 2.4GHz Transceiver Data Sheet (2002)Google Scholar
- Norman, G., Parker, D., Sproston, J.: Model checking for probabilistic timed automata. Formal Methods in System Design (2012), to appearGoogle Scholar
- QUASIMODO: Preliminary description of case studies, deliverable 5.2 from the FP7 ICT STREP project 214755 (January 2009)Google Scholar
- Sundararaman, B., Buy, U., Kshemkalyani, A.D.: Clock synchronization for wireless sensor networks: a survey. Ad Hoc Networks 3(3), 281–323 (2005)Google Scholar
- van Vessem, I.: WSN gMAC protocol specifications. Tech. rep., CHESS B.V., Haarlem, NL (2008), version 1.1. Patent pending US 12 / 250,040Google Scholar
- Wu, Y.C., Chaudhari, Q.M., Serpedin, E.: Clock synchronization of wireless sensor networks. IEEE Signal Process. Mag. 28(1), 124–138 (2011)Google Scholar
- Yue, H., Bohnenkamp, H.C., Katoen, J.P.: Analyzing energy consumption in a gossiping mac protocol. In: Müller-Clostermann, B., Echtle, K., Rathgeb, E.P. (eds.) MMB &DFT 2010. LNCS, vol. 5987, pp. 107–119. Springer (2010)Google Scholar
- Zhao, J., Govindan, R.: Understanding packet delivery performance in dense wireless sensor networks. In: Akyildiz, I.F., Estrin, D., Culler, D.E., Srivastava, M.B. (eds.) SenSys 2003. pp. 1–13. ACM (2003)Google Scholar