1/18
Statistical Model Checking
Axel Legay
INRIA Rennes and Aalborg University
and
Alexandre David
Aalborg University
February 28, 2012
Axel Legay INRIA Rennes and Aalborg UniversityandAlexandre David Aalborg UniversityStatistical Model Checking 1/18
2/18
Today’s objectives
A brief introduction to priced timed stochastic automata
A presentation of Uppaal-SMC
Handling case studies in Uppaal-SMC
Stochastic Abstraction (if time permits)
The future of SMC
Axel Legay INRIA Rennes and Aalborg UniversityandAlexandre David Aalborg UniversityStatistical Model Checking 2/18
3/18
The Context
Previous lecture
SMC for pure stochastic systems
However ...
Many systems highly depend on timed features
Many systems are the composition of small independentsub-systems.
This lecture
SMC for component-based design of timed stochastic systems
Axel Legay INRIA Rennes and Aalborg UniversityandAlexandre David Aalborg UniversityStatistical Model Checking 3/18
3/18
The Context
Previous lecture
SMC for pure stochastic systems
However ...
Many systems highly depend on timed features
Many systems are the composition of small independentsub-systems.
This lecture
SMC for component-based design of timed stochastic systems
Axel Legay INRIA Rennes and Aalborg UniversityandAlexandre David Aalborg UniversityStatistical Model Checking 3/18
3/18
The Context
Previous lecture
SMC for pure stochastic systems
However ...
Many systems highly depend on timed features
Many systems are the composition of small independentsub-systems.
This lecture
SMC for component-based design of timed stochastic systems
Axel Legay INRIA Rennes and Aalborg UniversityandAlexandre David Aalborg UniversityStatistical Model Checking 3/18
4/18
The Objective
Verifying properties of networks of automata mixing bothcontinuous time and stochastic aspects
Is the probability of reaching q in less than c unit of timegreater than θ?
Clock rates should be general (energy problems, ...)
Observation: Most of these questions are undecidable
Axel Legay INRIA Rennes and Aalborg UniversityandAlexandre David Aalborg UniversityStatistical Model Checking 4/18
5/18
The challenges
How to combine stochastic and timed aspects?
Which semantic shall we give to the model?
How to overcome undecidability?
Solution
Statistical Model Checking for Networks of Priced TimedStochastic Automata
Axel Legay INRIA Rennes and Aalborg UniversityandAlexandre David Aalborg UniversityStatistical Model Checking 5/18
6/18
The Priced Timed Automata Model (1)
Formal definition
A Priced Timed Automaton (PTA) is a tuple A = (L, `0,X ,Σ,E ,R, I ) where: (i) L is a finite set of locations, (ii) `0 ∈ L is theinitial location, (iii) X is a finite set of clocks, (iv) Σ = Σi ] Σo isa finite set of actions partitioned into inputs (Σi ) and outputs(Σo), (v) E ⊆ L× L(X )× Σ× 2X × L is a finite set of edges, (vi)R : L→ NX assigns a rate vector to each location, and (viii)I : L→ U(X ) assigns an invariant to each location.
As a summary, Timed Automata with:
General clock constraints
Input and output actions on discrete transitions
Axel Legay INRIA Rennes and Aalborg UniversityandAlexandre David Aalborg UniversityStatistical Model Checking 6/18
7/18
Example of three PTA
A1
A0
x<=1
a!
B1
B0y<=2
b!T1
T3
T0
C’==2
C’==4
a?
b?
A B T
Axel Legay INRIA Rennes and Aalborg UniversityandAlexandre David Aalborg UniversityStatistical Model Checking 7/18
8/18
The Priced Timed Automata Model (2)
Definition
The semantics of NPTAs is a timed labeled transition systemwhose states are pairs (`, ν) ∈ L× RX
≥0 with ν |= I (`), and whose
transitions are either delay (`, ν)d−→ (`, ν ′) with d ∈ R≥0 and
ν ′ = ν + R(`) · d , or discrete (`, ν)a−→ (`′, ν ′) if there is an edge
(`, g , a,Y , `′) such that ν |= g and ν ′ = ν[Y ]. We write(`, ν) ; (`′, ν ′) if there is a finite sequence of delay and discretetransitions from (`, ν) to (`′, ν ′).
As a summary:
Classical infinite-state transition semantic from timed automata
Axel Legay INRIA Rennes and Aalborg UniversityandAlexandre David Aalborg UniversityStatistical Model Checking 8/18
9/18
Networks of Priced Timed Automata (1)
Compose Priced Timed Automata (component-based designof complex systems)
Input-enabled, deterministic, non-zeno
Disjoint sets of clocks
Disjoint sets of outputs
Inputs synchronize with Outputs
Axel Legay INRIA Rennes and Aalborg UniversityandAlexandre David Aalborg UniversityStatistical Model Checking 9/18
10/18
Networks of Priced Timed Automata (2)
Formal Definition
Let Aj = (Lj ,X j ,Σ,E j ,R j , I j) (with j = 1 . . . n) be composableNPTAs. Their composition (A1 | . . . | An) is the NPTAA = (L,X ,Σ,E ,R, L) where (i) L = ×jL
j , (ii) X = ∪jX j , (iii)R(`)(x) = R j(`j)(x) when x ∈ X j , (iv) I (`) = ∩j I (`j), and (v)(`,∩jgj , a,∪j rj , `′) ∈ E whenever (`j , gj , a, rj , `
′j) ∈ E j for
j = 1 . . . n.
Axel Legay INRIA Rennes and Aalborg UniversityandAlexandre David Aalborg UniversityStatistical Model Checking 10/18
11/18
Example of NPTA
A1
A0
x<=1
a!
B1
B0y<=2
b!
y<=2
ENDx<=1
x<=1 && y<=2
b!
a!
b!
a!
T1
T3
T0
C’==2
C’==4
a?
b?
Observation: composite systems (A|B|T ) and (AB|T ) are timed(and priced) bisimilar.
Axel Legay INRIA Rennes and Aalborg UniversityandAlexandre David Aalborg UniversityStatistical Model Checking 11/18
12/18
Stochastic Semantic
Independence between components
Race: all the components propose a delay and an output
Smallest delay is chosen
Uniform delays for bounded intervals
Exponential delays otherwise
Composition may lead to complex distributions
Axel Legay INRIA Rennes and Aalborg UniversityandAlexandre David Aalborg UniversityStatistical Model Checking 12/18
13/18
Properties in PWCTL
Cost-based Logic
ψ ::= P(3C≤cϕ
)∼ p | P
(2C≤cϕ
)∼ p
Conceptually:
Classical PLTL with cost-measure on executions.
Axel Legay INRIA Rennes and Aalborg UniversityandAlexandre David Aalborg UniversityStatistical Model Checking 13/18
14/18
Back to Example (1)
A1
A0
x<=1
a!
B1
B0y<=2
b!
y<=2
ENDx<=1
x<=1 && y<=2
b!
a!
b!
a!
T1
T3
T0
C’==2
C’==4
a?
b?
A B AB T
Illustration
(A|B|T ) |= P(3t≤2T3
)= 0.75 (A|B|T ) |= P
(3C≤6T3
)= 0.75,
(AB|T ) |= P(3t≤2T3
)= 0.50 and
(AB|T ) |= P(3C≤6T3
)= 0.50.
Axel Legay INRIA Rennes and Aalborg UniversityandAlexandre David Aalborg UniversityStatistical Model Checking 14/18
15/18
Back to Example (2)
A|Br|T
A|B|T
AB|T
Time
pro
ba
bili
ty
0
0.15
0.30
0.45
0.60
0.75
0 0.7 1.4 2.1
A|Br|T
A|B|T
AB|T
C
pro
ba
bili
ty
0
0.15
0.30
0.45
0.60
0.75
0 2.0 4.0 6.0
(a) (b)
Axel Legay INRIA Rennes and Aalborg UniversityandAlexandre David Aalborg UniversityStatistical Model Checking 15/18
16/18
SMC for NPTA
First, provide monitors and an engine to generate simulations
Second, implement SMC algorithms
Third, find a tool for timed systems in where you canimplement all that easily!
Our Solution
UPPAAL-SMC
Axel Legay INRIA Rennes and Aalborg UniversityandAlexandre David Aalborg UniversityStatistical Model Checking 16/18
17/18
UPPAAL-SMC
What is UPPAAL-SMC?
The first toolset for Statistical Model Checking of complexnetworks of timed stochastic automata
Features:
Friendly-user interface
Feedback procedures
Implements NPTAs
Implements Various monitoring algorithms for complex logics
Axel Legay INRIA Rennes and Aalborg UniversityandAlexandre David Aalborg UniversityStatistical Model Checking 17/18
17/18
UPPAAL-SMC
What is UPPAAL-SMC?
The first toolset for Statistical Model Checking of complexnetworks of timed stochastic automata
Features:
Friendly-user interface
Feedback procedures
Implements NPTAs
Implements Various monitoring algorithms for complex logics
Axel Legay INRIA Rennes and Aalborg UniversityandAlexandre David Aalborg UniversityStatistical Model Checking 17/18
18/18
The Future of SMC
Rare event systems
Handling non-determinism
Stochastic abstraction
Distributing single simulations
Bayesian Model Checking
Nested Probabilities
Runtime procedures
More statistics, learning, stochastic abstraction, ...
....
Axel Legay INRIA Rennes and Aalborg UniversityandAlexandre David Aalborg UniversityStatistical Model Checking 18/18