
Quantitative Modelling and Automated Analysis of a Cooperative Congestion Control Protocol for Dynamic Vehicular Ad-hoc Networks

Oana Andrei, Muffy Calder, Michael Fisher, Savas Konur

Abstract—Vehicular Ad-hoc Networks (VANETs) are critical, self-configurable wireless networks for communication among vehicles and between vehicles and roadside equipment. VANET communication protocols must ensure safe and efficient communication among all network nodes within the signal range, in the context of high node mobility and rapidly changing network topology.

In this paper we carry out a formal analysis of a cooperative congestion control protocol for VANETs, providing the first use of formal verification incorporating more realistic traffic models. We use Markov Population Processes to formalise and quantify message generation, rescheduling, and transmission, and vehicles joining and leaving the signal range. We analyse Quality of Service metrics concerning communication reliability and delays as functions of various parameters such as mean message size, vehicle density, road topology and traffic conditions. The modelling and verification approach is based on a counter abstraction technique that permits a full exploration of all possible behaviours by stochastic model-checking.

Index Terms—Vehicular ad-hoc networks, Formal methods, Model validation and verification, Stochastic model checking

I. INTRODUCTION

Vehicular Ad-hoc Networks (VANETs) are critical, self-configuring wireless networks that allow vehicles to communicate with each other. They are increasingly important as vehicles need a broader range of information in order to advise the driver and act safely, effectively, and efficiently. Vehicles act as nodes that drop in and out of a network when they are within/outwith signal range. Vehicles transmit messages with different levels of priority, which can depend on a number of factors including the type of the message, the speed of the vehicle, the size of the communication range, etc. Broadly, there are two types of message: periodic service messages that exchange status information (e.g. speed, position), and high priority messages that are either periodic control messages or event-driven emergency messages (e.g. hard-braking, accident notification). Messages are communicated via prioritised channels: a low-priority service channel for periodic service messages, and a control channel for high-priority messages.

This research was supported by the UK’s Engineering and Physical Sciences Research Council within the Verifying Interoperability Requirements in Pervasive Systems project under grants EP/F033206/1 and EP/F033567/1.

Oana Andrei and Muffy Calder are with the School of Computing Science, University of Glasgow, UK. [e-mail: [email protected]]

Savas Konur is with the Department of Computer Science, University of Sheffield, UK.

Michael Fisher is with the Department of Computer Science, University of Liverpool, UK.

The key aspect of VANETs we examine is the dynamic scheduling and transmission of messages according to the cooperative congestion control protocol (or CCC protocol) proposed by Bouassida and Shawky [10]. The aim of that protocol is to ensure that the high-priority messages are delivered reliably, and so scheduling has to take into account variability in vehicle density and limited bandwidth for message transmission and congestion control. In [10] the authors developed a Timed Automata [1] model for the protocol and attempted to analyse it using model-checking techniques in UPPAAL [7]. However, their attempt at model-checking based analysis failed due to state-space explosion and instead they carried out analysis by simulation. Thus, the result was an incomplete analysis of the protocol.

The aim of our work is to present and analyse a formal model of the protocol, operating over different traffic models, that permits exhaustive exploration of the state space. Further, we propose that a faithful model for the CCC protocol is inherently stochastic because of the stochastic properties of traffic flow, message generation and message transmission. We therefore employ Continuous-Time Markov Chains (CTMCs), which are frequently used in performance analysis; in particular we use Markov Population Processes (MPPs) where states record the count of individuals in the colonies of a population [6], [2]. Such quantitative models permit the expression of rates of vehicles joining and leaving the signal range, as well as the rates of messages being generated and transmitted. We carry out the analysis suggested in [10] with respect to the Quality of Service (QoS) metrics concerning communication reliability and latency as a function of a number of parameters such as mean message size, vehicle density and traffic conditions and transmission error rates. Additionally, we consider new parameters referring to different road topologies, traffic flows and traffic incidences, and we reason about the stochastic model validation in terms of increasing/decreasing trends in populations of vehicles and messages. Analysis is carried out using stochastic model checking [17] in the form of the PRISM probabilistic model checker [18]: we express functional behaviour as temporal logic formulae and evaluate quantitative properties related to network performance as property rewards and stochastic trends [2]. Our approach builds on earlier work on a discrete time model [16], but whereas that model was based on vehicles and messages sampled from uniform distributions, here we consider explicit rates of vehicle traffic flows (e.g. the rates of vehicles joining and leaving the signal range), and rates of the generation and transmission of messages of different priorities. Thus the models are more faithful to the original proposal of [10].

The contributions of this paper are the following:

• A parameterised MPP counter abstraction approach for modelling the CCC protocol with three populations: vehicles, control messages, and service messages. The population of control messages has two colonies consisting of (event-driven) emergency messages and (periodic) safety messages. We assume mass action kinetics for all population events. Parameters include mean message size, mean number of communicating vehicles, mean generation rate for service messages.

• An encoding of quality of service metrics for reliability (message loss rate) and latency (waiting delay) in the PRISM model checker using both rewards and temporal properties.

• Definition and analysis of a static vehicle population model in which the number of vehicles is constant.

• Definition and analysis of a number of dynamic vehicle population models in which the number of vehicles varies according to different traffic flows (high-speed, low-speed), incident rates (associated with traffic flows), and road topologies (one way-single lane, one way-double lane, single carriageway).

• A more comprehensive analysis than the simulations given in [10] and, by adopting an MPP approach, we are additionally able to study traffic flows and trends of population movement.

• To the best of our knowledge, this is the first paper that attempts to analyse formally VANET protocols in the context of various (stochastic) models of traffic flow.

The paper is organised as follows. In the next section we present an overview of background concepts related to stochastic modelling and stochastic model checking and in Section III we give an overview of the protocol. In Section IV we provide an overview of the static and dynamic vehicle population models, including details of the encoding of the protocol as an MPP while, in Section V, we consider validation of the models by stochastic trend analysis for MPPs using a temporal logic. In Section VI we consider transient properties, such as “occurrence of an incident causes congestion of the service queue”, while in Section VII we verify reliability in terms of the proportion of lost messages and message latency; in each case we use the PRISM model-checker for automated reasoning and experimentation. Discussion and related work are provided in Section VIII and we present concluding remarks in Section IX.

II. PRELIMINARY NOTIONS

In this section we review basic concepts and definitions concerning continuous-time Markov chains, the particular case of Markov population processes, stochastic model checking and the probabilistic symbolic model checker PRISM.

A. Continuous-time Markov Chains

A labelled continuous-time Markov chain (CTMC) is a tuple $(S, s_0, R, AP, L)$ where $S$ is a countable set of states, $s_0 \in S$ the initial state, $R : S \times S \to \mathbb{R}_{\geq 0}$ the transition rate matrix, $AP$ a finite set of atomic propositions, and $L : S \to 2^{AP}$ the labelling function associating to each state in $S$ the set of atomic propositions from $AP$ that are valid in that state. The transition rates determine the probability of transitions to be completed within a certain amount of time following the negative exponential distribution: when $R(s, s') > 0$, then the probability of this transition to be triggered within $t$ time units equals $1 - e^{-R(s,s') \cdot t}$. The time spent in state $s$ before any transition is triggered is exponentially distributed with parameter $E(s) = \sum_{s' \in S} R(s, s')$ called the exit rate of state $s$. For a given state $s$, there is a race between outgoing transitions from $s$ if there is more than one state $s'$ such that $R(s, s') > 0$. If the exit rate of a state is equal to 0 then no transition can be fired from it and the state is called absorbing. The time-abstract probability of a state $s'$ being the next state to which a transition is made from state $s$ is computed by a transition probability function $P : S \times S \to [0, 1]$ as follows:

$$P(s, s') = \begin{cases} \dfrac{R(s, s')}{E(s)} & \text{if } E(s) \neq 0 \\ 1 & \text{if } E(s) = 0 \text{ and } s = s' \\ 0 & \text{otherwise} \end{cases}$$

An infinite path of a CTMC is a sequence $s_0 t_0 s_1 t_1 \ldots$ where $R(s_i, s_{i+1}) > 0$ and $t_i \in \mathbb{R}_{>0}$ denotes the time spent in state $s_i$ for all $i \geq 0$. A finite path is a sequence $s_0 t_0 s_1 t_1 \ldots s_{k-1} t_{k-1} s_k$ where $s_k$ is an absorbing state.

B. Markov Population Processes

A population is a collection of individuals grouped into colonies or categories based on common features. A single-colony population is simply a population. Markovian population processes (MPPs) [6] are CTMCs that express demographic processes such as birth and immigration (addition of individuals), death (removal of individuals) or emigration (transfer of individuals between colonies). MPPs are used for modelling in a wide variety of application domains, including, for example, computer networks, chemical reactions networks, and ecology networks. The characteristic feature of MPPs is given by their states which enumerate the counts of individuals in every colony. A Markov population process (MPP) is a CTMC $(S, s_0, R, AP, L)$ where $S$ is defined as a set of $n$-dimensional states of the form $s = (s_1, \ldots, s_n)$ with $n \geq 1$ the total number of colonies in all populations and $s_i$ a non-negative integer representing the number of individuals in colony $i$, for all $i$, $1 \leq i \leq n$.

C. Stochastic Model Checking

Model checking [5] is a formal verification technique that allows for the entire state space of a finite state system model to be explored in order to analyse whether a temporal logic formula holds. If the modelled system exhibits probabilistic aspects in continuous real time, and so the models are CTMCs, then we can specify properties about their stochastic behaviour as temporal properties in Continuous Stochastic Logic (CSL) [4], [17]. CSL is a stochastic extension of the Computational Tree Logic [13] allowing one to express a probability measure on the satisfaction of a temporal property in either transient or in steady-state behaviours. The formulae of CSL are state formulae and their syntax is the following:

State formula: $\Phi ::= \mathit{true} \mid a \mid \neg\Phi \mid \Phi \wedge \Phi \mid P_{\bowtie p}[\Psi] \mid S_{\bowtie p}[\Psi]$

Path formula: $\Psi ::= X\,\Phi \mid \Phi\; U^{I}\, \Phi$

where $a$ ranges over a set of atomic propositions $AP$, $\bowtie\, \in \{\leq, <, \geq, >\}$, $p \in [0, 1]$, and $I \subseteq \mathbb{R}_{\geq 0}$.

There are two types of CSL properties: transient (of the form $P_{\bowtie p}[\Psi]$) and steady-state (of the form $S_{\bowtie p}[\Psi]$). A formula $P_{\bowtie p}[\Psi]$ is true in state $s$, denoted by $s \models P_{\bowtie p}[\Psi]$, if the probability that $\Psi$ is satisfied by the paths starting from state $s$ meets the bound $\bowtie p$. A formula $S_{\bowtie p}[\Psi]$ is true in a state $s$ if the steady-state (long-run) probability of being in a state which satisfies $\Psi$ meets the bound $\bowtie p$. The path formulae are constructed using the $X$ (next) operator and the $U^{I}$ (time-bounded until) operator. Informally, the path formula $X\,\Phi$ is true on a path starting in $s$ if $\Phi$ is satisfied in the next state following $s$ in the path, whereas $\Phi_1\, U^{I}\, \Phi_2$ is true on a path $\omega$ if $\Phi_2$ holds at some time instant in the interval $I$ in a state $s'$ in $\omega$ and at all preceding time instants $\Phi_1$ holds. This is a minimal set of operators for CSL. The operators false, disjunction and implication can be derived using basic logical equivalences. Two more path operators are available as syntactic sugar:

• the eventually operator F (future), where $F^{I}\, \Phi \equiv \mathit{true}\; U^{I}\, \Phi$, and

• the always operator G (globally), where $G^{I}\, \Phi \equiv \neg(F^{I}\, \neg\Phi)$.

If $I = [0, \infty)$, then the temporal operators U, F, G are no longer time-bounded, hence we omit the interval superscript notation in this situation.

The model checking problem of a state formula $\Phi$ being satisfied in an MPP $M$ is denoted by $M, s_0 \models \Phi$. We omit the initial state $s_0$ when it is obvious. Essentially, model checking exhaustively assesses which paths, starting from $s_0$, satisfy the CSL formula $\Phi$.

The PRISM probabilistic model checker [18] has a property specification language based on the temporal logics PCTL, CSL, LTL and PCTL*, including extensions for quantitative specifications and rewards. PRISM allows one to express a probability measure that a temporal formula is satisfied. The bound $\bowtie p$ may not be specified, in which case a probability is calculated in PRISM. Thus these two additional properties $P_{=?}[\Psi]$ and $S_{=?}[\Psi]$ are available: the results of the verification of such formulae are the expected probabilities for the satisfaction of the path formula denoted by $\Psi$.

PRISM also allows for the augmentation of models with rewards (or, equivalently, costs) that are associated with states or transitions. The model checker can analyse properties that relate to the expected values of these rewards by using the R operator, which works in a similar fashion to the P and S operators, except that it depends on the name of a reward structure. Reward structures are (named) transition rewards or state rewards. Reachability reward properties associate a reward with each path of a model. For MPPs, the total reward for a path is the sum of the state rewards for each state along the path plus the sum of the transition rewards for each transition between these states.

We employ two types of reachability reward properties: cumulative and instantaneous. Cumulative reward properties are based on transition rewards and they associate a reward with each path of a model, but only up to a given time bound. For example, the property

R{reward_1} =? [C<=t]

corresponds to the reward named reward_1 accumulated along all paths until t time units have elapsed.

Instantaneous reward properties are based on state rewards and they refer to the reward at a particular instant in time. For example,

R{reward_2} =? [I=100]

corresponds to the (state) reward named reward_2 at time 100 (assuming starting from initial state).

D. Stochastic trends

Stochastic trends [2] allow us to investigate properties that involve increasing or decreasing trends in colony counts within the MPP approach.

Definition 1: Let $M = (S, s_0, R, AP, L)$ be an MPP. The probability of making a transition from a state $s$ to a state where the count of individuals in colony $i$ increases is a function $P_{i\uparrow} : S \to [0, 1]$ defined as the sum of all $i$-increasing transition rates divided by the exit rate in state $s$:

$$P_{i\uparrow}(s) = \begin{cases} \dfrac{1}{E(s)} \cdot \sum \{R(s, s') \mid s' \in S,\ s_i < s'_i\} & \text{if } E(s) \neq 0, \\ 0 & \text{otherwise} \end{cases}$$

The functions $P_{i\downarrow} : S \to [0, 1]$ and $P_{i=} : S \to [0, 1]$, representing the probability of making a transition from a state $s$ to a state where the count of individuals in colony $i$ decreases or stays constant, are defined in a similar way:

$$P_{i\downarrow}(s) = \begin{cases} \dfrac{1}{E(s)} \cdot \sum \{R(s, s') \mid s' \in S,\ s_i > s'_i\} & \text{if } E(s) \neq 0, \\ 0 & \text{otherwise} \end{cases}$$

$$P_{i=}(s) = \begin{cases} \dfrac{1}{E(s)} \cdot \sum \{R(s, s') \mid s' \in S,\ s_i = s'_i\} & \text{if } E(s) \neq 0, \\ 0 & \text{otherwise} \end{cases}$$

As expected, we have $P_{i\uparrow}(s) + P_{i\downarrow}(s) + P_{i=}(s) = 1$ for any $s \in S$ with $E(s) \neq 0$.

Definition 2 (Trend formulae): A trend formula $\theta$ is a boolean predicate over $P_{i\uparrow}(s)$, $P_{i\downarrow}(s)$ and $P_{i=}(s)$, where $s \in S$, of one of the following forms:

$$\theta ::= f(s) = p \mid f(s) > p \mid f(s) = f'(s) \mid f(s) > f'(s) \mid \neg\theta \mid \theta \wedge \theta$$

$$\forall f, f' \in \{P_{i\uparrow}, P_{i\downarrow}, P_{i=}\},\ \forall s \in S,\ \forall p \in [0, 1]$$

Using the above elementary trend formulae, we can define a derived set of trend formulae. Two useful formulae we will employ for analysis in this paper are defined as follows.

Definition 3 (Auxiliary trend formulae): We say that in a state $s$ the stochastic trend of a colony $i$ is:

• weakly increasing if $i{\uparrow}(s) \triangleq P_{i\uparrow}(s) > P_{i\downarrow}(s)$ is true

• weakly decreasing if $i{\downarrow}(s) \triangleq P_{i\downarrow}(s) > P_{i\uparrow}(s)$ is true

E. Trend-based Properties in CSL

We use trend formulae in CSL to describe changes in particular colony counts. Therefore, we extend the set of state formulae in CSL to include trend formulae as modalities of arity 0. The definition of path formulae does not change.

State formula: $\Phi ::= \mathit{true} \mid a \mid \theta \mid \Phi \wedge \Phi \mid P_{\bowtie p}[\Psi] \mid S_{\bowtie p}[\Psi]$

Path formula: $\Psi ::= X\,\Phi \mid \Phi\; U^{I}\, \Phi$

The semantics of trend formulae is defined as $s \models \theta$ if and only if $\theta(s) \equiv \mathit{true}$.

F. Modelling MPPs in PRISM

The modelling language of PRISM has a guarded-command style. We adopt the following modelling approach: the behaviour of each population is described by a module and modules synchronise on common actions performed by populations.

A module for an MPP has the following form: a state variable denoting the number of individuals in the colony, some other additional variables, and (labelled) commands. Each command has the form:

[label] guard -> rate:update;

meaning that the module makes a transition to a state described by the update at the given rate when the guard is true (the label is optional and usually used for synchronisation purposes). If another module includes the following command with the same label:


[label] guard_1 -> rate_1:update_1;

then by synchronising the two modules, if both conditions guard and guard_1 are true, then a transition corresponding to action label can take place with rate rate*rate_1 with the effects defined by the conjunction of update and update_1.

III. OVERVIEW OF THE COOPERATIVE CONGESTION CONTROL PROTOCOL FOR VANETS

VANETs are an extension of Mobile Ad-Hoc Networks with applications in traffic safety and efficiency, as well as provision of information for onboard entertainment. VANETs are used for collision avoidance, safety warnings, cooperative driving, and traffic efficiency and optimisation (such as high-speed tolling, roadside service finder, and mobile infotainment). The nodes comprising the network are mobile, communicating vehicles: each vehicle is, effectively, a wireless router. The communication range (also referred to as interference range) is usually between 100 and 300 metres on the road. VANETs use a limited bandwidth for communication, shared among all applications and vehicles within the communication range. The sharing of limited bandwidth raises congestion issues and so Bouassida and Shawky [10] proposed an algorithm to control network congestion in VANETs by dynamically scheduling messages according to priorities that correspond to their utility for the network. This approach was integrated within the IEEE 802.11p standard operating in a 10 MHz channel as part of the SAFESPOT European Integrated Project¹.

In the main, VANETs use two different types of wireless channels: the Control Channel (CCH) and the Service Channel (SCH), as specified by the CAR-2-CAR Communication Consortium (C2C-CC). The messages sent using the control channel are considered high-priority and they are either network layer beacons sent periodically (called safety messages) or emergency messages sent on an event basis. The service messages transported via the service channel are medium or low priority and these are usually periodic messages used by forwarders of multi-hop and geocast messages for normal, low priority, applications. The available bandwidth is shared equally between the two channels.

Each node of the network schedules its messages according to their priorities. The scheduling process has two parts: first a static scheduling process based on the type of message, followed by a dynamic scheduling process. The transmission of the high-priority messages from the Control Channel queue is preemptive. Therefore messages from the Service Channel queue can be transmitted only if the Control Channel queue is empty. The dynamic scheduling process takes place periodically when nodes scan the message queues and recompute the priority of each message based on their validity (maximum duration of the message) in addition to their utility and node speed. At this stage the approach of [10] adopts the following policy: if the Service Channel is congested (the message queue length exceeds the congestion threshold) then messages with lower priority can be dropped; if, in addition, the Control Channel queue is empty, then messages from the Service Channel queue are switched to the Control Channel queue and assigned a high priority. The Service Channel is overloaded or congested if the number of the messages in the queue exceeds the Service Channel Congestion Threshold. The transmission process for both channels has an error rate of 5%. The scheduling process and the message transmission process are summarised in Fig. 1.

¹ SAFESPOT European Project http://www.safespot-eu.org

Established Quality of Service (QoS) and performance metrics [22] include reliability – (the minimum) probability of receiving a message, and latency – (the maximum) message delivery delay. Following [10], we define reliability as the ratio of messages lost to messages generated and latency as the expected waiting delay for messages.

IV. STOCHASTIC MODELS OF THE CCC PROTOCOL

We define several stochastic models for the CCC protocol, ranging from one similar to the original model within [10] to new models including different traffic flows and topologies. All the models are based on the following assumptions. There are three populations of interest: vehicles, control messages and service messages. The control message population has two colonies, one for the emergency messages (non-periodic, incident-driven) and another for the safety messages (periodic). The other two populations are single-colony. Therefore a state is a vector recording the counts of vehicles, emergency messages, safety messages and service messages, denoted by the variables $v$, $e$, $\mathit{sf}$, and $\mathit{sv}$, respectively. Inter-arrival rates for messages and vehicles are modelled using an exponential distribution.

We have developed a set of models and in the following we give an overview. First, we define a model with a static vehicle population (i.e. the number of vehicles is fixed). Subsequently, we define a number of dynamic vehicle population models in which vehicles can drop in and out of the communication range with rates (speeds) that correspond to different traffic flows. In all cases the models are parameterised by a number of attributes such as bandwidth, mean message size etc.

[Fig. 1: The VANET protocol model. Diagram labels: Vehicles; incident; emergency messages; safety messages; service messages; Control Messages Queue; Service Messages Queue; messages transmitted with error rate 5% (both queues); service messages rescheduled as control message if CQ=0; messages dropped if the queue is congested.]

A. Static vehicle population model

In the original formal model of [10] the number of vehicles is fixed and is not affected by any transition; the velocity of the vehicles (sending messages) is not considered. For our static vehicle population model we also assume a constant population of vehicles and as indicated above, states have four components $(v, e, \mathit{sf}, \mathit{sv})$ for vehicles, emergency messages, safety messages, and service messages respectively.

1) Model transitions: The basic transitions in all MPP models of the protocol correspond to the following actions: enqueue and dequeue and transmit messages to and from the Control Queue (CQ) or the Service Queue (SQ), transfer service messages to the CQ when there are no control messages waiting in the CQ and the size of the SQ is above the congestion threshold, discard service messages if the SQ is congested. We describe these transitions on the populations of vehicles, control messages (emergency and safety), and service messages informally as follows: conditions concerning the queues (CQ, SQ) are given in natural language, transition rates are indicated by the expressions above the transition arrow, $r_1, \ldots, r_5$ are constants.

• Vehicles generate emergency messages at rate $r_1$ as incidents occur; if CQ is full, the messages are lost:

$$(v, e, \mathit{sf}, \mathit{sv}) \xrightarrow{r_1 \cdot v^2} (v, e+1, \mathit{sf}, \mathit{sv})$$

Note that the transition rate is proportional to $v^2$.

• Vehicles generate safety messages at rate $r_1$; if CQ is full, the messages are lost:

$$(v, e, \mathit{sf}, \mathit{sv}) \xrightarrow{r_1 \cdot v} (v, e, \mathit{sf}+1, \mathit{sv})$$

• Both control messages and safety messages are dequeued and transmitted at rate $r_2$ with error rate $\mathit{err}$:

$$(v, e, \mathit{sf}, \mathit{sv}) \xrightarrow{r_2 \cdot e \cdot \mathit{err}} (v, e-1, \mathit{sf}, \mathit{sv}) \quad \text{if } e > 0$$

$$(v, e, \mathit{sf}, \mathit{sv}) \xrightarrow{r_2 \cdot \mathit{sf} \cdot \mathit{err}} (v, e, \mathit{sf}-1, \mathit{sv}) \quad \text{if } \mathit{sf} > 0$$

• Vehicles generate service messages at rate $r_3$; if SQ is full, the messages are lost:

$$(v, e, \mathit{sf}, \mathit{sv}) \xrightarrow{r_3 \cdot v} (v, e, \mathit{sf}, \mathit{sv}+1)$$

• Service messages are dequeued and transmitted at rate $r_2$ with error rate $\mathit{err}$:

$$(v, e, \mathit{sf}, \mathit{sv}) \xrightarrow{r_2 \cdot \mathit{sv} \cdot \mathit{err}} (v, e, \mathit{sf}, \mathit{sv}-1) \quad \text{if } \mathit{sv} > 0$$

• Service messages are transferred to the CQ if the SQ is congested and the CQ is empty:

$$(v, 0, 0, \mathit{sv}) \xrightarrow{r_4 \cdot \mathit{sv}} (v, 0, 1, \mathit{sv}-1) \quad \text{if } \mathit{sv} > 0$$

• Service messages are dropped and lost if the SQ is congested:

$$(v, e, \mathit{sf}, \mathit{sv}) \xrightarrow{r_5 \cdot \mathit{sv}} (v, e, \mathit{sf}, \mathit{sv}-1) \quad \text{if } \mathit{sv} > 0$$

2) Model parameters and transition rates: The parameters of the static vehicle population model and their assumed values or ranges are given in Fig. 2. As we choose a time resolution of 1 ms, the parameters of the protocol as taken from [10], [16] are rescaled for milliseconds as the time unit.

The control message generation rate $r_1$ is half the rate of service message generation, i.e., $r_1 = (r_2/2)$. The rate $r_4$ for transferring service messages from a congested SQ to an empty CQ and the rate $r_5$ of discarding service messages from a congested SQ are not made available in the original description of the protocol. We therefore make the following design decisions. We model incidents as a stochastic process with exponentially distributed occurrence times which makes a Boolean variable incident true with rate $r_i$. We made the assumptions that $r_4 = 10 \cdot r_2$ and $r_5 = r_2/4$. Also, we assume that the incident rate $r_i$ takes values between 0.1 and 5 incidents per minute, equivalent to $0.1/(60 \cdot 1000)$ and $5/(60 \cdot 1000)$ incidents per millisecond; the default value for the incident rate is 1 incident per minute.


Parameter                                   Value
Bandwidth                                   3000 bit/ms
Mean message size                           [100, 500] bytes
Mean service message generation rate (r3)   [0.1, 1.5] messages/ms
Mean message transmission rate (r2)         bandwidth/(8 * avg message size)
Mean message transmission error             5%
Mean number of vehicles                     [10, 50] vehicles
Service queue length                        20 messages
Control queue length                        20 messages
Service queue congestion threshold          10 messages

Fig. 2: Parameters for the static vehicle population model of the CCC protocol.

3) PRISM implementation details: Each population is represented by a process that is implemented in PRISM by a module. Each module consists of state variable(s) denoting the associated colony (or colonies in the case of control messages) followed by labelled guarded commands that implement the transitions affecting the colonies. Thus, there are three modules: Vehicles with state variable V, ControlQueue with state variables SftyMsg and EmrgMsg, and ServiceQueue with state variable SrvMsg. A key feature of PRISM is that transitions are labelled according to the underlying events, which enables us to synchronise population actions, and reason about different types of state changes. In PRISM, the rate of synchronised transitions is the product of component rates.

A command affects the count of at most one colony in a population, and we assume mass action kinetics, which means that the rate of a transition is proportional to the product of the size of the colonies triggering the transition and to a rate coefficient (such as r1–r5 from the description of the static model transition above).

For example, consider the (event-driven) generation of emergency messages due to the occurrence of an incident: the first transition given in Section IV-A1.

The ControlQueue module contains the transition:

    [gen_emrg_msg] (CtrlMsg < CQ_max) -> (1):(EmrgMsg'=EmrgMsg+1);

while the Vehicle module contains the transition:

    [gen_emrg_msg] (V>0) & (incident) -> (V*V*rate_gen_ctrl_msg):(incident'=false);

Note that following an incident, the rate of emergency message generation is proportional to the square of the number of vehicles. We model incident occurrence using a Boolean variable incident, which is initially false, and takes the value true with rate i/(60·1000) incidents per millisecond, where i is the average number of incidents per minute. Thus the Vehicle module contains the transition:

    [incident] (i>0) -> (i/(60*1000)):(incident'=true);

The PRISM models and property files for both the static and dynamic vehicle population models are freely available².

B. Dynamic vehicle population models

Before we describe various types of dynamic vehicle population models, we give some background concerning traffic flows and our assumptions. The flow is the number of vehicles passing a reference point per unit of time; in our stochastic setting, the flow gives the rate of the stochastic process modelling the incoming/outgoing vehicles. The headway represents the time elapsed between one vehicle passing a reference point on the roadway and the next vehicle passing the same point. The unit for headway is time per number of vehicles, as it is the inverse of the flow. The headway on motorways and main roads is given by the internationally accepted two-second rule: this is the minimum safe following distance for collision avoidance (under ideal conditions). The density of vehicles is the number of vehicles per unit area of the roadway.

We now consider two types of traffic flow (or classes of vehicle speed).

• high-speed:
  – headway h1 = 2 s
  – flow q1 = 0.5 vehicle/s = 0.0005 vehicle/ms
  – density d = 10 m
  – maximum number of vehicles in the communication range $\lfloor 100/(10+5) \rfloor = 6$ for an average vehicle length of 5 m and a communication range of 100 m

• low-speed:
  – headway h2 = 4 s
  – flow q2 = 0.25 vehicle/s = 0.00025 vehicle/ms
  – density d = 5 m
  – maximum number of vehicles in the communication range $\lfloor 100/(5+5) \rfloor = 10$

² Available from http://dcs.gla.ac.uk/~muffy/vanet

Numerous road topologies and lane layouts are possible. For the purpose of this paper we consider the three combinations illustrated in Fig. 3. We assume one colony of vehicles per road lane and the traffic flow is homogeneous for all vehicles in the same lane. These three topologies and different traffic flows lead to several dynamic vehicle population models. In the following, we investigate 6 possible dynamic models, D1 . . . D6, each of which is an extension of the static vehicle population model.

Before outlining the detail of each, we note some common features. First, when the population is subdivided into colonies according to vehicle speed (e.g. D1 . . . D3), we use the variables vhigh and vlow to denote the colonies of high-speed and low-speed vehicles respectively. Second, adding traffic flow involves adding new transitions for each type of traffic flow $\{q_i\}_{i \in \{1,2\}}$. Namely, for each traffic flow $q_i$, and suitable vehicle colony variable v (e.g. vhigh or vlow), we have

• for incoming vehicles increase the vehicle count if the road is not at maximum capacity:

$$(v, e, s_f, s_v) \xrightarrow{q_i} (v+1, e, s_f, s_v)$$

• for outgoing vehicles decrease the vehicle count if v > 0:

$$(v, e, s_f, s_v) \xrightarrow{q_i \cdot v} (v-1, e, s_f, s_v)$$

1) D1 and D2 — One-way single-lane road models: Let D1 and D2 be the dynamic vehicle population models for a one-way single-lane (T1) with high-speed traffic and low-speed traffic respectively. D1 is an MPP with states of the form (vhigh, e, sf, sv), where vhigh is a population of high-speed vehicles, and transitions for incoming and outgoing vehicles with traffic flow q1. D2 is an MPP with states of the form (vlow, e, sf, sv), where vlow is a population of low-speed vehicles, and transitions for incoming and outgoing vehicles with traffic flow q2.

2) D3 — One-way double-lane road: Let D3 be the dynamic vehicle population model for a one-way double-lane road (T2) with high-speed traffic on one lane and low-speed traffic on the other lane. High-speed vehicles may slow down and move into the slow lane if possible. D3 has two vehicle colonies, one for each lane, denoted by variables vhigh and vlow, and thus the states of D3 have the form (vhigh, vlow, e, sf, sv). The transitions of D3 include similar ones to those for D1 and D2. Namely, there are transitions for incoming and outgoing vehicles on each lane (colony), and one for high-speed vehicles changing lanes with rate q1 if vhigh > 0 and there is space on the slow-speed lane (i.e., vlow did not reach the maximum capacity of the lane):

$$(v_{high}, v_{low}, e, s_f, s_v) \xrightarrow{q_1 \cdot v_{high}} (v_{high}-1, v_{low}+1, e, s_f, s_v)$$

3) D4, D5 and D6 — Single carriageway: A single carriageway (T3) is a road with traffic lanes in opposite directions. We consider vehicle populations consisting of two independent colonies v1 and v2, i.e., vehicles do not change lanes, and so states have the form (v1, v2, e, sf, sv). We consider all the combinations of traffic flow for the two lanes: D4, the model of high-speed traffic in both lanes, D5, the model of low-speed traffic in both lanes, and D6, the model of one high-speed lane and one low-speed lane. In each D4−6 the only new transitions are those describing incoming and outgoing vehicles on each lane.

C. PRISM implementation details of the dynamic models

The dynamic vehicle population models extend the static one with transitions modelling vehicles joining or leaving the vehicle population. More precisely, only the Vehicle module changes, while the modules ControlQueue and SrvQueue remain unchanged. For instance, the PRISM model for D1 has the following two additional transitions for incoming and outgoing vehicles at high-speed:

    [inVh] (Vh < Vh_max) -> (rate_in_high):(Vh'=Vh+1);

    [outVh] (Vh > 0) -> (Vh*rate_out_high):(Vh'=Vh-1);

The PRISM model for D2 has similar transitions for low-speed vehicles. The Vehicle module implementing the vehicle population for model D3 has two state variables Vh and Vl for each colony of vehicles, high-speed and low-speed respectively. In addition to transitions modelling vehicles joining or leaving the communication range, we have a transition for high-speed vehicles moving from the high-speed lane to the low-speed lane, hence transforming into low-speed vehicles:

    [change] (Vh > 0) & (Vl < Vl_max) -> (Vh*rate_change):(Vh'=Vh-1) & (Vl'=Vl+1);

As an example, the complete PRISM module for the vehicle population in model D3 is given in Fig. 4. The PRISM modules for D4 and D5 have only one state variable for the count of vehicles in the population: although the vehicle population consists of two colonies, one for each lane, since they have the same behaviour (incoming and outgoing rate), we model only one population with the total count equal to the sum of the vehicle counts of the two colonies. In D6 we add transitions for incoming and outgoing vehicles on each of the two lanes: high-speed and low-speed.

Fig. 3: Three road topologies and lane layouts that we consider (T1: one-way single-lane; T2: one-way double-lane; T3: single carriageway).

    formula V = Vh + Vl;

    module VehicleD3

      Vh : [0..Vh_max] init floor(Vh_max/2);
      Vl : [0..Vl_max] init floor(Vl_max/2);
      incident : bool init false;

      // vehicles entering the transmission range 100m-300m
      [inVl] (Vl < Vl_max) -> (rate_in_low):(Vl'=Vl+1);
      [inVh] (Vh < Vh_max) -> (rate_in_high):(Vh'=Vh+1);
      // vehicles dropping out of the transmission range
      [outVl] (Vl > 0) -> (Vl*rate_out_low):(Vl'=Vl-1);
      [outVh] (Vh > 0) -> (Vh*rate_out_high):(Vh'=Vh-1);

      // high-speed vehicles can change lanes
      [change] (Vh > 0) & (Vl < Vl_max) -> (Vh*rate_change):(Vh'=Vh-1) & (Vl'=Vl+1);

      // i incidents per minute average = i/(60*1000) incidents per millisecond
      [incident] (i>0) -> (i/(60*1000)):(incident'=true);

      // event-driven generation of emergency messages due to incident
      [gen_emrg_msg] (V>0) & (incident) -> (V*V*rate_gen_ctrl_msg):(incident'=false);
      [gen_emrg_msg_fail_max] (V>0) & (incident) -> (V*V*rate_gen_ctrl_msg):(incident'=false);

      // periodic generation of control messages if CQ not full
      [gen_sft_msg] (V>0) -> (V*rate_gen_ctrl_msg):true;
      [gen_sft_msg_fail_max] (V>0) -> (V*rate_gen_ctrl_msg):true;

      // periodic generation of service messages if SQ not full
      [gen_srv_msg] (V>0) -> (V*rate_gen_srv_msg):true;
      [gen_srv_msg_fail_max] (V>0) -> (V*rate_gen_srv_msg):true;

    endmodule

Fig. 4: PRISM module for vehicles in D3.
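The per-lane vehicle population defined by the [inVh]/[outVh] commands is a birth-death CTMC small enough to solve directly; the Python sketch below is an added illustration (not taken from the paper's PRISM files) that derives flow and lane capacity from headway and spacing, then computes the transient and stationary vehicle counts. It assumes equal inflow and outflow coefficients q_i, the initial count floor(V_max/2) used in Fig. 4, and function names chosen here.

```python
import math

COMM_RANGE_M = 100   # communication range (page value)
VEHICLE_LEN_M = 5    # average vehicle length (page value)


def lane_parameters(headway_s, spacing_m):
    """Flow in vehicles/ms and lane capacity from headway and spacing d."""
    flow_per_ms = (1.0 / headway_s) / 1000.0   # flow is the inverse of headway
    capacity = COMM_RANGE_M // (spacing_m + VEHICLE_LEN_M)
    return flow_per_ms, capacity


def generator(rate_in, rate_out, v_max):
    """Generator matrix of the lane CTMC: v -> v+1 at rate_in while v < v_max,
    v -> v-1 at v*rate_out while v > 0 (mass action on departures)."""
    n = v_max + 1
    q = [[0.0] * n for _ in range(n)]
    for v in range(n):
        if v < v_max:
            q[v][v + 1] = rate_in
        if v > 0:
            q[v][v - 1] = v * rate_out
        q[v][v] = -sum(q[v])
    return q


def stationary(rate_in, rate_out, v_max):
    """Stationary distribution from detailed balance: a truncated Poisson law."""
    rho = rate_in / rate_out
    weights = [rho ** k / math.factorial(k) for k in range(v_max + 1)]
    total = sum(weights)
    return [w / total for w in weights]


def transient(q, p0, t_ms, eps=1e-12):
    """Distribution at time t_ms by uniformization:
    p(t) = sum_k Poisson(k; lam*t) * p0 * P^k with P = I + Q/lam."""
    n = len(q)
    lam = 1.02 * max(-q[i][i] for i in range(n))
    p = [[q[i][j] / lam + (1.0 if i == j else 0.0) for j in range(n)]
         for i in range(n)]
    mean_jumps = lam * t_ms
    k_max = int(mean_jumps + 10.0 * math.sqrt(mean_jumps) + 50)
    weight = math.exp(-mean_jumps)          # Poisson weight for k = 0
    term, acc = list(p0), weight
    result = [weight * x for x in term]
    k = 0
    while 1.0 - acc > eps and k < k_max:
        k += 1
        term = [sum(term[i] * p[i][j] for i in range(n)) for j in range(n)]
        weight *= mean_jumps / k
        acc += weight
        result = [r + weight * x for r, x in zip(result, term)]
    return result


def mean(dist):
    """Expected vehicle count under a distribution over 0..v_max."""
    return sum(k * pk for k, pk in enumerate(dist))


def lane_report(headway_s, spacing_m, t_ms):
    """Mean vehicles in range at time t_ms and in the long run for one lane,
    started from floor(v_max/2) as in the PRISM module of Fig. 4."""
    q_i, v_max = lane_parameters(headway_s, spacing_m)
    p0 = [0.0] * (v_max + 1)
    p0[v_max // 2] = 1.0
    p_t = transient(generator(q_i, q_i, v_max), p0, t_ms)
    return mean(p_t), mean(stationary(q_i, q_i, v_max))


if __name__ == "__main__":
    for name, h, d in (("high-speed", 2, 10), ("low-speed", 4, 5)):
        print(name, lane_parameters(h, d), lane_report(h, d, 2000.0))
```

With equal coefficients the stationary law is a Poisson distribution with mean 1 truncated at the lane capacity, so the long-run mean is close to one vehicle in range for both speed classes.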

The analysis of [10] is based on the simulation of a number of QoS metrics. Here, we consider similar metrics, but additionally, we validate the models through an analysis of various combinations of causal behaviour, stochastic trends, and transient behaviours. In each case, we do not aim to give an exhaustive analysis, but to indicate how to formalise properties and to give the results for various combinations of parameters.

V. STOCHASTIC TREND ANALYSIS

We consider causal behaviours and stochastic trends concerning the emergency messages (queue) and service messages (queue). Specifically, we consider the (weakly increasing) trends e↑ and sv↑ and (weakly decreasing) trends e↓ and sv↓, and some of the circumstances which cause them. There are four properties, expressed in Continuous Stochastic Logic (CSL). The first three express a tight form of causality that formalises the concept that a specified effect is necessarily preceded by a specified cause. We define this as follows.

Definition 4: Let ψ be a prospective cause and φ a prospective effect. The following formula denotes ψ causes φ in the sense that there is an interval where neither ψ nor φ holds, until ψ (the cause) holds (for an interval) and then φ (the effect) becomes true:

P≥1F(¬φ ∧ ¬ψ)U(P≥1[(ψ ∧ ¬φ)UP>0[Xφ]

We denote this formula by ψ ⇒ φ and note that it is not to be confused with Boolean implication.

Unless otherwise stated, the default parameter values we use for model checking are: 25 vehicles for static vehicle population models, 6 vehicles for high-speed lanes, 10 vehicles for low-speed lanes, mean message size 250 bytes, mean service message generation rate 0.075 messages/ms, mean message transmission error 1%, incident occurrence rate 1 incident/minute. The four properties can now be described.

1) The occurrence of an incident causes the number of emergency messages to increase weakly:
   incident ⇒ e↑.

2) The occurrence of an incident causes the number of service messages to decrease weakly:
   incident ⇒ sv↓.
   This is not surprising, since when an incident occurs, more emergency messages are generated, thus decreasing the possibility for service messages to be transferred to the control queue when the service queue is congested. In other words, service messages will be dropped.

3) If the number of control messages increases and the service queue is not congested, then the effect is a weakly increasing service queue:
   (c↑ ∧ (sv < SQ threshold)) ⇒ sv↑.

4) At some point in the future the control queue is empty and the service queue length is weakly increasing:
   P=?[F (c = 0 ∧ sv↑)].

Verifying all of these properties via PRISM returns probability 1, in all our static and dynamic vehicle models. In other words, the above properties always hold.

VI. TRANSIENT PROPERTIES

We next verify the following transient properties for static and dynamic models. We refer again to the causality formula and operator “⇒” defined in Definition 4.

1) The following are always true (i.e. probability 1), for all models.

   a) Eventually, the service message queue is full:
      P=?[F (sv = SQ capacity)].

   b) Eventually, the service message queue is empty (initially the queue is empty):
      P=?[F ((sv > 0) U (sv = 0))].

   c) Eventually, the control queue will be full with emergency messages:
      P=?[F (e = CQ capacity)].

   d) The occurrence of an incident causes congestion of the service queue, i.e.
      incident ⇒ (sv ≥ SQ threshold).

2) The following have extremely rare (effectively zero) probability, for all models.

   a) Within 1000 time-units (ms), the control queue will be full of emergency messages:
      P=?[F[0,1000] (e = CQ capacity)].
      In all models this is very unlikely. For example, in the static model, the likelihood is 7.04 · 10^−118 whereas in the dynamic models it ranges from 2.41 · 10^−127 (D3) to 3.65 · 10^−132 (D2).

   b) Within 1000 time-units (ms), the control queue is full of emergency messages and an incident occurred:
      P=?[F[0,1000] (e = CQ capacity) ∧ (incident)]
      This is also very rare, for all models, ranging from 3.91 · 10^−124 in the static population model to 2.88 · 10^−142 in D1.

3) The following has completely different likelihood in the static model, as compared with its likelihood in the dynamic models. The probability of the service queue being congested before an incident occurs (with rate 1 per minute):
      P=?[(sv ≥ SQ threshold) U (incident)].
   This is very unlikely in the static model (6.71 · 10^−4) whereas in the dynamic models it ranges from 0.937 in model D5 to 0.993 in D1.

4) The probability of no incidents occurring until the service queue becomes congested for the first time is given by:
      P=?[(sv < SQ threshold ∧ ¬incident) U (sv ≥ SQ threshold)].
   In the static model, if no incidents occur then the probability is 1. Otherwise, as ri increases then the probability decreases. For example, for 1 incident per minute the probability is 0.999, while for 5 incidents per minute it becomes 0.996. In dynamic models, the probability is very low: for 1 incident per minute, it is 0.000079 in D1, 0.0005 in D2, 0.024 in D3, 0.0007 in D4, 0.057 in D5 and 0.016 in D6.

VII. QUALITY OF SERVICE

Further important dimensions to verify concern reliability in terms of the proportion of lost messages and message latency; we define the latter as being the expected waiting time for messages. In [10], the effects of three parameters on the QoS metrics are considered: the mean message size, the mean message generation rate, and the mean number of neighbours. We take a similar approach, though in our case, we refer to the mean service message generation rate and the mean number of vehicles.

A. Message Loss

1) Message loss ratio: Reliability is measured as the ratio between the number of lost messages and the number of generated messages. We define the message loss ratio (a percentage) in PRISM using cumulative rewards as follows:

    100*(R{"lost_srv"}=?[C<=T]/R{"generated_srv"}=?[C<=T])

where the reward structures lost_srv and generated_srv are defined as follows:

    rewards "lost_srv"
      [gen_srv_msg_fail_max] true:1;
      [congested_srv_queue] true:1;
      [send_srv_msg_error] true:1;
    endrewards

    rewards "generated_srv"
      [gen_srv_msg] true:1;
      [gen_srv_msg_fail_max] true:1;
    endrewards

For computing the expected count of lost service messages, we associate a reward of 1 for all transitions corresponding to (i) generating service messages when the service queue is full, (ii) discarding service messages when the service queue is congested, or (iii) losing service messages due to transmission error. For computing the expected count of all generated service messages we associate a reward of 1 for all transitions corresponding to generating messages, no matter if the queue is full or not.
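A Monte Carlo counterpart of the reward-based loss ratio above, added here as an illustration and not taken from the paper's PRISM files: a Gillespie simulation of the static model that counts the labelled transitions rewarded in lost_srv and generated_srv and returns the ratio of the accumulated counts. Assumptions: each dequeue rate is split into a success part (1 − err) and an error part (err), "congested" means sv at or above the threshold, r1 follows the printed formula r2/2, and the labels send_emrg_msg, send_sft_msg, send_srv_msg and transfer_srv_msg are hypothetical names.

```python
import random

# Values from Fig. 2 and the Section V defaults; the time unit is 1 ms.
V = 25                      # static vehicle population
CQ_MAX = SQ_MAX = 20        # queue lengths (messages)
SQ_THRESHOLD = 10           # service queue congestion threshold
ERR = 0.01                  # mean message transmission error
R2 = 3000 / (8 * 250)       # bandwidth / (8 * mean message size), messages/ms
R1 = R2 / 2                 # control generation rate, formula as printed
R4, R5 = 10 * R2, R2 / 4    # transfer and discard rates chosen on the page
RI = 1 / (60 * 1000)        # 1 incident per minute, in incidents/ms

# Transition labels that earn reward 1 in "lost_srv" and "generated_srv".
LOST = {"gen_srv_msg_fail_max", "congested_srv_queue", "send_srv_msg_error"}
GENERATED = {"gen_srv_msg", "gen_srv_msg_fail_max"}


def transitions(e, sf, sv, incident, r3):
    """Enabled transitions as (label, rate, delta_e, delta_sf, delta_sv)."""
    cq_full = e + sf >= CQ_MAX
    congested = sv >= SQ_THRESHOLD      # assumption: at or above the threshold
    ts = [("gen_srv_msg_fail_max", r3 * V, 0, 0, 0) if sv >= SQ_MAX
          else ("gen_srv_msg", r3 * V, 0, 0, 1)]
    ts.append(("gen_sft_msg_fail_max", R1 * V, 0, 0, 0) if cq_full
              else ("gen_sft_msg", R1 * V, 0, 1, 0))
    if incident:
        ts.append(("gen_emrg_msg_fail_max", R1 * V * V, 0, 0, 0) if cq_full
                  else ("gen_emrg_msg", R1 * V * V, 1, 0, 0))
    else:
        ts.append(("incident", RI, 0, 0, 0))
    if e > 0:
        ts.append(("send_emrg_msg", R2 * e, -1, 0, 0))       # hypothetical label
    if sf > 0:
        ts.append(("send_sft_msg", R2 * sf, 0, -1, 0))       # hypothetical label
    if sv > 0:
        # assumption: a dequeued service message is lost with probability ERR
        ts.append(("send_srv_msg", R2 * sv * (1 - ERR), 0, 0, -1))
        ts.append(("send_srv_msg_error", R2 * sv * ERR, 0, 0, -1))
    if congested:
        ts.append(("congested_srv_queue", R5 * sv, 0, 0, -1))
        if e == 0 and sf == 0:
            ts.append(("transfer_srv_msg", R4 * sv, 0, 1, -1))  # hypothetical
    return ts


def simulate(t_end, r3, rng):
    """One Gillespie run on [0, t_end]; returns reward counts and queue peaks."""
    e = sf = sv = 0
    incident = False
    t = 0.0
    out = {"lost": 0, "generated": 0, "max_sq": 0, "max_cq": 0}
    while True:
        ts = transitions(e, sf, sv, incident, r3)
        total = sum(tr[1] for tr in ts)
        t += rng.expovariate(total)         # exponential sojourn time
        if t > t_end:
            return out
        pick = rng.random() * total         # choose a transition by its rate
        for label, rate, de, dsf, dsv in ts:
            pick -= rate
            if pick < 0.0:
                break
        e, sf, sv = e + de, sf + dsf, sv + dsv
        if label == "incident":
            incident = True
        elif label.startswith("gen_emrg_msg"):
            incident = False
        out["lost"] += label in LOST
        out["generated"] += label in GENERATED
        out["max_sq"] = max(out["max_sq"], sv)
        out["max_cq"] = max(out["max_cq"], e + sf)


def loss_ratio(t_end, r3, runs=20, seed=1):
    """Service message loss ratio (%): accumulated lost count divided by
    accumulated generated count, i.e. a ratio of estimated expectations."""
    rng = random.Random(seed)
    lost = generated = 0
    for _ in range(runs):
        run = simulate(t_end, r3, rng)
        lost += run["lost"]
        generated += run["generated"]
    return 100.0 * lost / generated


if __name__ == "__main__":
    for r3 in (0.075, 1.0):
        print(r3, round(loss_ratio(200.0, r3), 2))
```

The PRISM property divides one expected cumulated reward by another, so the estimate pools the counts over all runs before dividing instead of averaging per-run ratios.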

So far, in all dynamic vehicle population models we assumed equal vehicle inflow and outflow. We now consider two new scenarios where traffic flow changes on each lane:

• D′1 is model D1 where vehicles arrive in the communication range with high-speed and leave it with low-speed.

• D′3 is model D3 where high-speed vehicles leave the communication range with low-speed.

We verified the loss ratio for a variety of message types (e.g. control, emergency, etc.) when varying time and one of: number of vehicles, message size, service message generation rate, for each of the models. For brevity, we give details of selected results only for the static model and three dynamic models: D1 (one-way single lane, high speed traffic), D3 (one-way double lane, high and low speed traffic), and D6 (single carriageway, one high speed and one low speed lane). The value ranges for the parameters are:

• the mean number of vehicles in the communication range {10, 20, 30, 40, 50};

• the mean size of messages {100, 200, 300, 400, 500};

• the mean service message generation rate of {0.01, 0.03, 0.05, . . . , 0.15} or {0.01, 0.07, 0.15}.

Selected results for the static model:

1) Loss ratio for control messages and service messages w.r.t. mean number of communicating vehicles in Fig. 5 and Fig. 6,

2) Loss ratio for control messages and safety messages w.r.t. mean message size in Fig. 7 and Fig. 8,

3) Loss ratio for control messages and emergency messages w.r.t. mean generation rate of service messages in Fig. 9 and Fig. 10.

Selected results for the dynamic models D1, D3 and D6:

1) Loss ratio for control messages and service messages w.r.t. mean message size in D1 in Fig. 11 and Fig. 12,

2) Loss ratio for control messages and service messages w.r.t. mean message size in D3 in Fig. 13 and Fig. 14,

3) Loss ratio for control messages and emergency messages w.r.t. mean generation rate of service messages in D3 in Fig. 15 and Fig. 16,

4) Loss ratio for control messages and emergency messages w.r.t. mean generation rate of service messages in D6 in Fig. 17 and Fig. 18.

Note that, in most dynamic models, the loss ratios for emergency, safety and service messages are very low (in the region of 1%). Compared to the static model, the loss ratio of service messages is significantly reduced and shows, as one might expect, that in the dynamic models the protocol proves to be more reliable. Further, we note that the road topology and lane layouts have little effect on the losses, i.e. the differences in results for D1, D3 and D6 were insignificant. We also note that changing the speed of inflow and outflow has little effect. For example, compare the loss for D1 and D′1 in Fig. 19 and 20.

Fig. 5: Static model S: control messages loss ratio (%) w.r.t. the mean number of communicating vehicles and the transmission error value

Fig. 6: Static model S: service messages loss ratio (%) w.r.t. the mean number of communicating vehicles and the transmission error value

Fig. 7: Static model S: control messages loss ratio (%) w.r.t. the mean message size

Fig. 8: Static model S: safety messages loss ratio (%) w.r.t. the mean message size

B. Message latency

We define message latency as the expected waiting delay for messages. We use a state reward for computing the mean time for messages to be transmitted from the respective queue as follows:

    rewards "delay_srv"
      (CtrlMsg>0) : SrvMsg/rate_send_srv_msg;
      (CtrlMsg=0)&(SrvMsg>0) : (SrvMsg-1)/rate_send_srv_msg;
    endrewards

We verified the expected waiting delay (in milliseconds (ms)) for control and service messages when varying time and one of: number of vehicles, message size, service message generation rate, for each of the models, over the ranges of values given in Section VII-A1. Again, for brevity, we give details of selected results only for the static model and for one dynamic model: D1 (one-way single lane, high speed traffic).

Fig. 9: Static model S: control messages loss ratio (%) w.r.t. the mean generation rate of service messages

Fig. 10: Static model S: emergency messages loss ratio (%) w.r.t. the mean generation rate of service messages

Fig. 11: Dynamic model D1: control messages loss ratio (%) w.r.t. the mean message size

Fig. 12: Dynamic model D1: service messages loss ratio (%) w.r.t. the mean message size

Selected results for the static model:

1) Expected delay for control messages w.r.t. mean number of communicating vehicles in Fig. 21,

2) Expected delay for service messages w.r.t. mean message size in Fig. 22,

3) Expected delay for control messages w.r.t. mean generation rate of service messages in Fig. 23.

Selected results for the dynamic model D1:

1) Expected delay for service messages w.r.t. mean number of communicating vehicles in Fig. 24,

2) Expected delay for service messages w.r.t. mean message size in Fig. 25,

3) Expected delay for control messages w.r.t. mean generation rate of service messages in Fig. 26.

From all the results we observe that all the delays (regardless of model type, message type, etc.) soon converge to a constant, which increases with the number of vehicles/message size/message generation rate. However, the delays are much higher in the static model. For example, compare Fig. 25, the service message delay with respect to the mean message size for D1, with Fig. 22, the same but for the static model. The values are about five times higher in the static model, for example, when the message size is 100, the delay is 0.0125 in D1 but 0.05 in the static model, and when the message size is 500, the delay is 0.18 in D1 but 0.8 in the static model. In general, there is a similarity in delays for D3 and D6 (both comprise two lanes), with smaller delays in D1 (which only has one lane). We note that [10] did not consider delay as a function of time.

Fig. 13: Dynamic model D3: control messages loss ratio (%) w.r.t. the mean message size

Fig. 14: Dynamic model D3: service messages loss ratio (%) w.r.t. the mean message size

Fig. 15: Dynamic model D3: control messages loss ratio (%) w.r.t. the mean generation rate of service messages

Fig. 16: Dynamic model D3: emergency messages loss ratio (%) w.r.t. the mean generation rate of service messages

Finally, we can consider whether the expected waiting delay for control messages is always smaller than the expected waiting delay for service messages. To do this, we compare control message delay and service message delay in dynamic models, utilising the following instantaneous reward-based temporal property:

    (R{"delay_srv"}=?[I=T])>(R{"delay_ctrl"}=?[I=T])

for T ≤ 50. In both models D′1 and D′3 the delay for control messages is always smaller than the delay for service messages. Recall that these are the models where traffic flows change in each lane.

VIII. DISCUSSION AND RELATED WORK

Within typical vehicular ad hoc networks (VANETs), the available resources are limited, and the network topology and node density change over time. Therefore, a fair sharing of resources becomes difficult. Applying conventional congestion control protocols to VANETs can also be problematic, particularly if we require an efficient protocol that is also able to guarantee reliable and safe communication. This has led to a range of recent studies which have focused on developing new congestion protocols more suitable to the challenges of VANETs: dynamic (and fast) network topology changes; dynamic network density changes; network scale problems; peculiar interference issues; limited bandwidth; etc. Indeed, there are other improvements and refinements to VANET-specific congestion control protocols [21], [20], [11], [9]. In most of these, however, the analysis of a proposed method relies on simulations for an evaluation of its efficacy. Yet, such simulations can examine only a limited subset of all possible behaviours, and so protocols analyzed in this way can have unpredictable behaviour due to an incomplete system analysis. Since a VANET can transmit both safety and emergency messages, a more reliable method of analysis is clearly essential.

Fig. 17: Dynamic model D6: control messages loss ratio (%) w.r.t. the mean generation rate of service messages

Fig. 18: Dynamic model D6: emergency messages loss ratio (%) w.r.t. the mean generation rate of service messages

Fig. 19: Dynamic model D1: message loss ratio (%) in time

Fig. 20: Dynamic model D′1: message loss ratio (%) in time

Within computer science, a typical solution to this problem is to use formal verification techniques to carry out exhaustive analysis, such as model checking, rather than examining systems through simulation or testing. Although model-checking has been used extensively for network protocols [15], it has been rarely used in the area of congestion control. To the best of our knowledge there are only three studies that focus on model checking for the formal analysis of such control problems, as follows.

Fig. 21: Static model S: control messages expected delay (ms) w.r.t. number of vehicles

Fig. 22: Static model S: service messages expected delay (ms) w.r.t. mean message size

Fig. 23: Static model S: control messages expected delay (ms) w.r.t. mean generation rate of service messages

Fig. 24: Dynamic model D1: service messages expected delay (ms) w.r.t. number of vehicles

In [9], the suggestion is to verify a congestion control method via the UPPAAL [8] system. The Timed Automata model of the CCC protocol defined in [9] is based on the concurrent composition of four timed automata corresponding to components in charge of message generation, enqueueing, dequeueing, and transmission. However, model checking using UPPAAL was not successful due to the large state space of the model, and instead the authors used simulation techniques. In [19] a model-checking alternative to the use of “optimisation based approaches” is proposed. The authors use the NUSMV model-checking tool [12] to evaluate a congestion control approach. However, neither of the above formal approaches addresses some of the more challenging characteristics typical of VANETs such as stochasticity and non-determinism. For example, Boussida and Shawky [10] consider discrete models based on vehicles and messages sampled from uniform distributions, but do not consider explicit rates of vehicle traffic flows (e.g. the rates of vehicles joining and leaving the signal range), and rates of the generation and transmission of messages of different priorities.

Our work builds on the discrete time model and analysis of the VANET protocol using a population abstraction in [16]. Here, we have added more realistic details: (i) we model inter-arrival times using an exponential distribution, hence using continuous-time Markov chains as models; and (ii) we consider stochastic processes modelling different traffic flows and topologies. We also abstract away from the four components considered in [9] and the communication between them. In other words, our approach is a counter-abstraction that ignores the identities of vehicles in the model (without jeopardising the traffic control since messages contain their locations). Also, we do not differentiate between messages of the same type, either control or service ones; therefore, we consider two populations/categories of messages.

Fig. 25: Dynamic model D1: service messages expected delay (ms) w.r.t. mean message size

Fig. 26: Dynamic model D1: control messages expected delay (ms) w.r.t. mean generation rate of service messages

Our approach allows stochastic modelling and anal-ysis of the protocol, which is more realistic and, atthe same time, computationally efficient. We note thatour approach is not to be confused with populationprotocols, such as those for computations in cooperativenetwork of passively mobile finite-state sensors [3], orperformance analysis of peer to peer MANETs (mobilead hoc networks) in PRISM [14]. These are essentiallygraphical models, whereas we are fundamentally con-cerned with message congestion in limited bandwidthcommunication. The novelty is that both messages andvehicles are colonies in the population.

The results of our analysis indicate that the protocolperforms less well in the static vehicle population model.Namely, message losses are greater and delays are higherin the static model. In the dynamic population models,the losses are approximately 1% and delays at most0.7ms , which gives us some confidence in the qualityof service offered by the protocol under varying trafficconditions. Interestingly, in the dynamic models, thechosen road topology and lane layouts had mostly onlya small effect on the results.

Finally, we remark that we have not found it possible to draw meaningful comparison between our results and [10] and [16]. Although we have taken many protocol parameters from [10], our model is significantly more detailed and realistic, with explicit velocities, including rates of messages and traffic flows, mass action kinetics, and emergency message transmission rates proportional to the square of (vehicle) velocity. Moreover, several properties cannot be compared (e.g. rate of message loss in [10]) because they are not defined explicitly (note, we define message loss as a ratio, not a rate). When we compared for example delays, in some cases we found our delays to be an order of magnitude smaller.
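To make the counter abstraction and the ratio-based definition of message loss concrete, the following Python sketch is an added illustration and is not the paper's PRISM model. It builds a much simplified Markov population process over the counts (vehicles in range, queued service messages) and computes the steady-state loss ratio; all function names, the single message population and the rate values are assumptions chosen for the example.

```python
from itertools import product

def steady_state(V, B, join, leave, gen, tx, iters=5000):
    """Steady-state distribution of a counter-abstracted CTMC over (v, m):
    v = vehicles in range (0..V), m = queued service messages (0..B)."""
    states = list(product(range(V + 1), range(B + 1)))
    q = join + leave * V + gen * V + tx   # uniformisation rate, above every exit rate
    pi = dict.fromkeys(states, 0.0)
    pi[(0, 0)] = 1.0
    for _ in range(iters):                # power iteration on the uniformised chain
        nxt = dict.fromkeys(states, 0.0)
        for (v, m), p in pi.items():
            moves = []
            if v < V:
                moves.append(((v + 1, m), join))       # a vehicle enters signal range
            if v > 0:
                moves.append(((v - 1, m), leave * v))  # any one of v vehicles leaves
            if m < B:
                moves.append(((v, m + 1), gen * v))    # mass action: rate scales with v
            if m > 0:
                moves.append(((v, m - 1), tx))         # one message is transmitted
            out = 0.0
            for target, rate in moves:
                nxt[target] += p * rate / q
                out += rate
            nxt[(v, m)] += p * (1.0 - out / q)         # self-loop, incl. lost arrivals
        pi = nxt
    return pi

def loss_ratio(pi, B, gen):
    """Lost messages divided by generated messages (a ratio, not a rate)."""
    offered = sum(p * gen * v for (v, m), p in pi.items())
    lost = sum(p * gen * v for (v, m), p in pi.items() if m == B)
    return lost / offered

if __name__ == "__main__":
    V, B = 5, 4                           # constructed bounds, not from the paper
    pi = steady_state(V, B, join=1.0, leave=0.5, gen=2.0, tx=8.0)
    # Tracking which of the V vehicles is in range needs 2**V vehicle
    # configurations; the counter abstraction needs only V + 1.
    print("states with identities:", 2 ** V * (B + 1), "with counters:", len(pi))
    print("loss ratio:", round(loss_ratio(pi, B, 2.0), 4))
```

Because the vehicle count evolves independently of the queue, its marginal distribution must equal a truncated Poisson distribution, which gives an analytical check on the numerical solution.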

IX. CONCLUSIONS AND FUTURE WORK

In this paper we show how stochastic model checking and the probabilistic model checker PRISM are used effectively for the analysis of a VANET congestion protocol performance under varying parameters concerning message size, message generation and transmission, and road layout and traffic. We perform analysis of various combinations of causal behaviour, stochastic trends, and transient behaviours and we inspected values for the parameters as functions of Quality of Service metrics concerning the average loss-rate ratio for service messages and the waiting delay for all types of messages.

We utilise formal verification in the form of the PRISM model checker as it provides a much higher level of confidence in the analysis than that produced by other techniques. In contrast to simulation, the use of model checking allows a full state-space exploration, meaning that all behaviour specified in the stochastic model is considered.

Although the results, in themselves, are useful for analysing the particular CCC protocol, we believe this work is of broader importance, showing that the inherently stochastic nature of VANET protocols (and possibly VANET modelling in general) can be captured by a continuous-time Markov chain. Then, comprehensive analysis can be carried out by stochastic model checking. Further, the ability in PRISM to specify rewards and express stochastic trends allows for quite sophisticated reward-based and trend-based analysis.

Future work concerning this protocol will include considering more traffic scenarios and more priority levels for messages, and determining useful threshold values for guidance concerning the application of the protocol.

REFERENCES

[1] R. Alur and D. L. Dill. A theory of timed automata. Theoretical computer science, 126(2):183–235, 1994.

[2] O. Andrei and M. Calder. Trend-based Analysis of a Population Model of the AKAP Scaffold Protein. Trans. on Computat. Syst. Biol. XIV, 7625:1–25, 2012.

[3] D. Angluin, J. Aspnes, Z. Diamadi, M. J. Fischer, and R. Peralta. Computation in networks of passively mobile finite-state sensors. In S. Chaudhuri and S. Kutten, editors, PODC, pages 290–299. ACM, 2004.

[4] C. Baier, B. R. Haverkort, H. Hermanns, and J.-P. Katoen. Model-Checking Algorithms for Continuous-Time Markov Chains. IEEE Trans. Software Eng., 29(6):524–541, 2003.

[5] C. Baier and J.-P. Katoen. Principles of Model Checking. The MIT Press, 2008.

[6] M. S. Bartlett. An introduction to stochastic processes, with special reference to methods and applications. Cambridge University Press, 3rd edition, 1978.

[7] G. Behrmann, A. David, K. G. Larsen, P. Pettersson, and W. Yi. Developing UPPAAL over 15 years. Softw., Pract. Exper., 41(2):133–142, 2011.

[8] J. Bengtsson, K. Larsen, F. Larsson, P. Pettersson, and W. Yi. UPPAAL—A Tool Suite for Automatic Verification of Real-time Systems. In Proc. DIMACS/SYCON Workshop on Hybrid Systems III: Verification and Control, pages 232–243, 1996.

[9] M. Bouassida and M. Shawky. A Cooperative and Fully-distributed Congestion Control Approach within VANETs. In Proc. 9th ITST, pages 526–531, 2009.

[10] M. S. Bouassida and M. Shawky. A Cooperative Congestion Control Approach within VANETs: Formal Verification and Performance Evaluation. EURASIP J. Wireless Comm. and Networking, 2010, 2010.

[11] C. Campolo, A. Cortese, and A. Molinaro. CRaSCH: A Cooperative Scheme for Service Channel Reservation in 802.11p/WAVE Vehicular Ad hoc Networks. In Proc. ICUMT Workshops, pages 1–8, 2009.

[12] A. Cimatti, E. Clarke, E. Giunchiglia, F. Giunchiglia, M. Pistore, M. Roveri, R. Sebastiani, and A. Tacchella. NuSMV 2: An OpenSource Tool for Symbolic Model Checking. In Proc. Conf. Computer Aided Verification, pages 241–268. Springer, 2002.

[13] E. Clarke, O. Grumberg, and D. Peled. Model Checking. MIT Press, 1999.

[14] L. Gallina, T. Han, M. Z. Kwiatkowska, A. Marin, S. Rossi, and A. Spano. Automatic energy-aware performance analysis of Mobile Ad-Hoc Networks. In Proc. of the IFIP Wireless Days Conference 2012, Ireland, November 21-23, 2012, pages 1–6. IEEE, 2012.

[15] G. J. Holzmann. Design and Validation of Computer Protocols. Prentice-Hall, 1991.

[16] S. Konur and M. Fisher. Formal Analysis of a VANET Congestion Control Protocol through Probabilistic Verification. In Proceedings of the 73rd IEEE Vehicular Technology Conference, VTC Spring 2011, Budapest, Hungary, pages 1–5. IEEE, 2011.

[17] M. Z. Kwiatkowska, G. Norman, and D. Parker. Stochastic Model Checking. In M. Bernardo and J. Hillston, editors, SFM, volume 4486 of Lecture Notes in Computer Science, pages 220–270. Springer, 2007.

[18] M. Z. Kwiatkowska, G. Norman, and D. Parker. PRISM 4.0: Verification of Probabilistic Real-Time Systems. In G. Gopalakrishnan and S. Qadeer, editors, Proc. of the 23rd International Conference on Computer Aided Verification (CAV 2011), Snowbird, UT, USA, July 14-20, 2011, volume 6806 of Lecture Notes in Computer Science, pages 585–591. Springer, 2011.

[19] A. Lomuscio, B. Strulo, N. G. Walker, and P. Wu. Model Checking Optimisation Based Congestion Control Models. Fundamenta Informaticae, 102(1):77–96, 2010.

[20] M. Torrent-Moreno, P. Santi, and H. Hartenstein. Fair Sharing of Bandwidth in VANETs. In Proc. 2nd ACM International Workshop on Vehicular Ad hoc Networks (VANET), pages 49–58. ACM Press, 2005.

[21] L. Wischhof and H. Rohling. Congestion Control in Vehicular Ad hoc Networks. In Proc. IEEE International Conference on Vehicular Electronics and Safety, pages 58–63, 2005.

[22] W. Zhang, A. Festag, R. Baldessari, and L. Le. Congestion control for safety messages in VANETs: Concepts and framework. In 8th International Conference on ITS Telecommunications, pages 199–203, 2008.


Oana Andrei is a post-doctoral research associate in Computing Science at the University of Glasgow. Her research interests involve fundamental aspects of theoretical computer science, mainly formal specification and verification of concurrent and stochastic systems, and compositional reasoning. Application areas include new theories and models for population based analysis of ubiquitous systems and mobile apps, component-based design, biochemical networks, systems biology and autonomic computing.

Muffy Calder is Professor in Computing Science at the University of Glasgow and Chief Scientific Adviser to the Scottish Government. Her research interests involve modelling and verification for concurrent, communicating systems particularly model-checking, process algebras, probabilistic systems, telecoms protocols, biochemical networks and cell signalling, and safety-critical systems. She has collaborated with scientists and engineers from a wide range of disciplines, from electrical and aerospace engineering, to cancer and cardiovascular medicine.

Michael Fisher is Professor of Computer Science and Director of the Centre for Autonomous Systems Technology (http://www.liv.ac.uk/cast) at the University of Liverpool. His research interests involve logical methods in Computer Science and Artificial Intelligence, particularly temporal reasoning, programming languages, practical formal verification, and the development and analysis of autonomous and agent-based systems. He authored An Introduction to Practical Formal Methods using Temporal Logic (Wiley) in 2011.

Savas Konur is a post-doctoral research associate and a member of the Verification and Testing research group in the Department of Computer Science, University of Sheffield; previously he worked at the University of Liverpool. His research interests include temporal reasoning, formal specification and verification, model checking, and application of formal methods to real-time systems, pervasive systems and systems and synthetic biology.