Model Checking for Probabilistic Timed Systems
Jeremy Sproston, Università di Torino
VOSS Dagstuhl seminar, 9th December 2002
The problem
• Model checking probabilistic timed systems
– In probabilistic systems:
• Probabilistic choice between alternatives
Example: electronic coin flipping in randomized algorithms
– In timed systems:
• Timing parameters are critical for the correct functioning of the system
Example: the system must meet a certain deadline
– In probabilistic timed systems:
• Coexistence of probabilistic choice and timing
The focus
• Probabilistic versions/extensions of timed automata (Alur and Dill 1994)
• Timed automaton = finite-state graph + clocks + clock constraints
• Clocks are an appropriate device for modelling time-dependent behaviour
– A clock is a real-valued variable which increases at the same rate as real time
– Clocks can be reset when system transitions occur
– Therefore, clocks can measure the exact amount of time elapsed since a particular transition
Timed automata
• Finite-state graph + clocks + clock constraints (examples: a comparison of x with the constant 3, x-y>5)
• Example: light switch
[Figure: light switch timed automaton with nodes off and on; the edges between them are guarded by comparisons of x with the constants 2 and 3 and each resets x ({x:=0})]
Timed CTL
• CTL: a request is always followed by a response: □(request -> (◇ response))
• TCTL: timed CTL
– Alur, Courcoubetis and Dill (1993)
– Henzinger et al. (1994)
– A request is always followed by a response within 5 milliseconds: □(request -> (◇≤5 response))
– Use ⊨T for the satisfaction relation of TCTL
Timed automata: semantics
• Problem: the underlying semantic model is
– infinite-state: (node space) × R^(number of clocks)
– infinitely branching: for example, from the state (Off, x=3.5) a time transition may lead to (Off, x=3.5), (Off, x=3.7), … with one successor for every real-valued delay
• Model checking classically assumes a finite state space
[Figure: state (Off, x=3.5) with time successors (Off, x=3.5), (Off, x=3.7), … …]
Model checking for timed automata
• Reduce to a finite state space: clock equivalence
• Partitioning bounded by the maximal constant used in the timed automaton or the TCTL formula
• Clock equivalent states satisfy the same clock constraints now and in the future
[Figure: clock equivalence classes drawn in the (x, y) plane, with both axes marked at 1 and 2]
Model checking for timed automata
• Region equivalent states have the same
– node
– clock equivalence class
• Construct finite-state region graph (transition system)
– States: region equivalence classes
– Transitions:
• Time transitions
• Discrete transitions, e.g. crossing an edge with {x:=0}
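As an added illustration of clock equivalence and the time transitions of the region graph (example code written for this transcript, not code from the talk or from the cited papers), the following Python builds the Alur–Dill region of a clock valuation for a given maximal constant, tests two valuations for region equivalence, evaluates atomic clock constraints, and lists the regions a valuation passes through as time elapses. The clock names x and y, the valuations and the maximal constant 2 are constructed assumptions; the point it shows is the one on the previous slides: two equivalent valuations satisfy the same constraints now and, region by region, in the future.

```python
from fractions import Fraction
from math import floor


def _exact(val):
    """Exact rational for a clock value; 1.3 as a float is not 13/10, so go via its text."""
    return val if isinstance(val, Fraction) else Fraction(str(val))


def region_key(valuation, cmax):
    """Canonical description of the Alur-Dill region containing `valuation`.

    Per clock: 'above' if it exceeds the maximal constant cmax, otherwise its integer
    part and whether it sits exactly on an integer. Plus the ordering of the fractional
    parts of the clocks still at or below cmax (groups of equal fraction, increasing).
    """
    per_clock, fractions = {}, {}
    for clk, val in valuation.items():
        val = _exact(val)
        if val > cmax:
            per_clock[clk] = "above"
            continue
        frac = val - floor(val)
        per_clock[clk] = (floor(val), frac == 0)
        if frac > 0:
            fractions[clk] = frac
    groups = []
    for clk, frac in sorted(fractions.items(), key=lambda kv: kv[1]):
        if groups and fractions[groups[-1][0]] == frac:
            groups[-1].append(clk)
        else:
            groups.append([clk])
    return (tuple(sorted(per_clock.items())), tuple(tuple(sorted(g)) for g in groups))


def region_equivalent(v1, v2, cmax):
    """Two valuations are clock equivalent iff they lie in the same region."""
    return region_key(v1, cmax) == region_key(v2, cmax)


def satisfies(valuation, clock, op, c):
    """Evaluate an atomic clock constraint such as ('x', '<=', 2) on a valuation."""
    v = _exact(valuation[clock])
    return {"<": v < c, "<=": v <= c, "=": v == c, ">=": v >= c, ">": v > c}[op]


def _delay_to_next_region(valuation, cmax):
    """Delay after which the valuation is in a different region; None once every clock
    exceeds cmax (from then on, time passing never changes the region)."""
    bounded = [v for v in valuation.values() if v <= cmax]
    if not bounded:
        return None
    to_boundary = [1 - (v - floor(v)) for v in bounded if v != floor(v)]
    if any(v == floor(v) for v in bounded):
        # On an integer point any positive delay leaves the region; half the distance
        # to the next boundary lands inside the following open region.
        return (min(to_boundary) if to_boundary else Fraction(1)) / 2
    return min(to_boundary)


def future_regions(valuation, cmax):
    """Sequence of regions visited as time elapses from `valuation` (finite, since each
    step either leaves an integer point or raises some bounded clock to the next integer)."""
    current = {c: _exact(v) for c, v in valuation.items()}
    visited = [region_key(current, cmax)]
    while (delay := _delay_to_next_region(current, cmax)) is not None:
        current = {c: v + delay for c, v in current.items()}
        visited.append(region_key(current, cmax))
    return visited


if __name__ == "__main__":
    a, b = {"x": 1.3, "y": 0.7}, {"x": 1.1, "y": 0.9}   # constructed valuations
    print(region_equivalent(a, b, 2), future_regions(a, 2) == future_regions(b, 2))
```

Swapping the fractional parts (x = 1.6, y = 0.2) puts the valuation in a different region, and the list of future regions differs from the first step on, which is exactly why the ordering of fractional parts is part of the equivalence.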
Model checking for timed automata
• Let:
– TA be a timed automaton, T be a TCTL formula,
– RG(TA, T) be the region graph of TA, T
• TA ⊨T T if and only if RG(TA, T) ⊨ the untimed version of T, where ⊨ is the “untimed” version of ⊨T
• Key result of Alur, Courcoubetis and Dill (1993)
Real-time probabilistic processes
• Alur, Courcoubetis and Dill (1991: ICALP, 1991: Real-Time)
• Similar to Generalized Semi-Markov Processes (Whitt (1980), Glynn (1989))
• A fully probabilistic model
Real-time probabilistic processes
• Finite-state graph + clocks + clock scheduling function + probabilistic branching over edges + probabilistic clock resetting
• Example: light switch
[Figure: light switch real-time probabilistic process with nodes off and on; the scheduled clock sets {x}, {x,y} and {y} label the nodes, edges are triggered by y, and the resets are y:=Uniform(1,30) and x:=3]
Timed CTL revisited
• Interpreting “branching-time” logic over fully probabilistic systems:
– s ⊨ means “the probability that the computations starting in s satisfy is > 0”
– s ⊨ means “the probability that the computations starting in s satisfy is = 1”
• Alur, Courcoubetis and Dill (1991: ICALP) interpret TCTL (branching-time) over real-time probabilistic processes
Timed CTL revisited
• For example: □(request -> (◇≤5 response))
With probability 1, a request is followed by a response within 5 milliseconds
• Use R-TCTL to denote the logic, and ⊨R for its satisfaction relation
Real-time probabilistic processes: semantics
• Real-time probabilistic processes use clocks, so are infinite-state Markov processes
• Clocks are set to negative values drawn from continuous probability distributions
• When at least one clock reaches 0, a transition is triggered
Model checking for real-time probabilistic processes
• Again, reduce to a finite state space using (a version of) clock equivalence
• The set of clocks to reach 0 first is the same for all clock equivalent states
[Figure: clock equivalence classes drawn in the (x, y) plane for negative clock values, with both axes marked at -1, -2 and -3]
Model checking for real-time probabilistic processes
• Construct finite-state region graph (transition system)
– States: region equivalence classes
– Transitions:
• Time transitions
• Discrete transitions, e.g. crossing an edge triggered by y, then resetting y within (1,2)
Model checking for real-time probabilistic processes
• Let:
– RTPP be a real-time probabilistic process, R be an R-TCTL formula,
– RG(RTPP, R) be the region graph of RTPP, R
• RTPP ⊨R R if and only if RG(RTPP, R) ⊨ the untimed version of R, where ⊨ is the “untimed” version of ⊨R
• Key result of Alur, Courcoubetis and Dill (1991: ICALP)
Probabilistic timed automata
• Introduced by Jensen (1995), Kwiatkowska et al. (2002)
• Finite-state graph + clocks + clock constraints + probabilistic branching over edges
• Example: light switch
[Figure: light switch probabilistic timed automaton with nodes off and on; the edges are guarded by comparisons of x with the constants 2 and 3, reset x ({x:=0}), and branch with probabilities 0.99 and 0.01]
Probabilistic timed CTL
• PCTL (Probabilistic CTL): Hansson and Jonsson (1994), Bianco and de Alfaro (1995)
– The system will fail with probability < 0.01: P<0.01[◇ failure]
• PTCTL (timed PCTL): Kwiatkowska et al. (2002)
– The system will fail within 5 hours with probability < 0.01: P<0.01[◇≤5 failure]
• Use ⊨P to denote the satisfaction relation of PTCTL
Model checking probabilistic timed automata
• Probabilistic timed automaton semantics:
– Infinite-state, infinitely branching Markov decision process
• Again, reduce to a finite state space using clock equivalence
[Figure: clock equivalence classes drawn in the (x, y) plane, with both axes marked at 1 and 2]
Model checking probabilistic timed automata
• Construct finite-state region graph (Markov decision process)
– States: region equivalence classes
– Transitions:
• Time transitions are as standard
• Discrete transitions: for example
[Figure, built up over two slides: an edge from node on with reset {x:=0} branching with probability 0.99 to on and 0.01 to fail, shown with the constraints y<3 and x<7; the second build adds the corresponding region-graph transition, with the same 0.99/0.01 branching to on and fail and a further reset {y:=0} leading to on]
Model checking probabilistic timed automata
• Let:
– PTA be a probabilistic timed automaton, P be a PTCTL formula,
– RG(PTA, P) be the region graph of PTA, P
• PTA ⊨P P if and only if RG(PTA, P) ⊨ the untimed version of P, where ⊨ is the “untimed” version of ⊨P
• Key result of Kwiatkowska et al. (2002)
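To make the PTCTL check on a region graph concrete, here is an added example (written for this transcript; not code from the talk, from PRISM or from any cited paper): a small, constructed Markov decision process standing in for the region graph of the light switch, in which the switch edge fails with probability 0.01 as in the slides' figure. Value iteration computes the maximum and minimum probability of reaching fail, bounded by a number of steps and unbounded, and P<λ[◇ fail] is decided against the maximum, since the bound must hold under every resolution of the nondeterminism. The states, the actions press/idle/stay, and the step bound are assumptions; the step bound is a stand-in for illustration, whereas the time bound of a PTCTL formula enters the actual region graph through the formula's constants, as noted earlier in the talk.

```python
# Constructed toy MDP standing in for the region graph of the light-switch PTA.
# States abstract "node + region"; actions are the nondeterministic choices.
# The 0.99 / 0.01 split mirrors the slides' figure; everything else is assumed.
MDP = {
    "off":  {"press": {"on": 1.0}},
    "on":   {"press": {"off": 0.99, "fail": 0.01},   # switching may break the light
             "idle":  {"on": 1.0}},                  # let time pass, nothing happens
    "fail": {"stay": {"fail": 1.0}},                 # absorbing failure state
}
TARGET = {"fail"}


def _backup(mdp, target, values, pick):
    """One Bellman backup: target states keep 1, others take the best action by `pick`."""
    return {
        s: 1.0 if s in target else pick(
            sum(p * values[t] for t, p in dist.items()) for dist in mdp[s].values())
        for s in mdp
    }


def bounded_reach(mdp, target, state, k, maximise=True):
    """Probability of reaching `target` from `state` within k steps under the
    maximising (maximise=True) or minimising scheduler: exactly k backups."""
    pick = max if maximise else min
    values = {s: (1.0 if s in target else 0.0) for s in mdp}
    for _ in range(k):
        values = _backup(mdp, target, values, pick)
    return values[state]


def unbounded_reach(mdp, target, state, maximise=True, eps=1e-12, max_iter=100_000):
    """Unbounded reachability probability: iterate backups from 0 until the largest
    change drops below eps (the iterates converge to the least fixed point)."""
    pick = max if maximise else min
    values = {s: (1.0 if s in target else 0.0) for s in mdp}
    for _ in range(max_iter):
        new = _backup(mdp, target, values, pick)
        delta = max(abs(new[s] - values[s]) for s in mdp)
        values = new
        if delta < eps:
            break
    return values[state]


def check_p_less_than(mdp, target, state, bound, k=None):
    """P<bound[◇ target] (or P<bound[◇ within k steps] if k is given) read over an MDP:
    the bound must hold for every scheduler, so the maximum probability is compared."""
    if k is None:
        prob = unbounded_reach(mdp, target, state)
    else:
        prob = bounded_reach(mdp, target, state, k)
    return prob < bound


if __name__ == "__main__":
    print(bounded_reach(MDP, TARGET, "on", 5), bounded_reach(MDP, TARGET, "on", 5, maximise=False))
    print(check_p_less_than(MDP, TARGET, "on", 0.01, k=5))
```

From on, pressing at every step reaches fail within 5 steps with probability 0.01 + 0.99·0.01 + 0.99²·0.01 = 0.029701, while idling forever never fails; the two schedulers give the maximum and minimum, and P<0.01[◇≤5 fail] is therefore false at on even though some scheduler keeps the probability at 0.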
Continuous probabilistic timed automata
• Introduced by Kwiatkowska et al. (2000)
• Finite-state graph + clocks + clock constraints + probabilistic branching over edges + probabilistic clock resetting
• Example: light switch
[Figure: light switch continuous probabilistic timed automaton with nodes off1, on and off2; constraints compare x with 2 and 3 and y with 30 (including a conjunction of an x constraint and a y constraint), edges are labelled y=30, branching probabilities are 0.99 and 0.01, and the resets are y:=Uniform(0,29) and x:=0]
Model checking continuous probabilistic timed automata
• Continuous probabilistic timed automata semantics
– Infinite-state, infinitely branching probabilistic-nondeterministic system with continuous probability distributions
• Again, reduce to a finite state space using clock equivalence
Model checking continuous probabilistic timed automata
• Problems with clock equivalence: an example by Alur
• Clock x is reset within (0,1) in node A; clock y is arbitrary
• Some time elapses in node A
• Then we move to node B; clock y is reset within (0,1)
• 3 cases: (1) x<y, (2) x=y, (3) x>y
• Probability of (2) is 0, but we do not know the probabilities of (1) and (3) (clock equivalence abstracts from the duration of the time transition in node A)
[Figure: nodes A and B with edge labels x, x=1, y, x<1 and y=1]
Model checking continuous probabilistic timed automata
• A partial solution: change the granularity of the time scale
– For example, from a granularity of 1 to a granularity of 0.5
– Say we know that x lies within (0,0.5)
– Say that y is then set within (0.5,1)
– We know that y>x
[Figure: the unit square of the (x, y) plane, with both axes marked at 0.5 and 1]
Model checking continuous probabilistic timed automata
• Given a time granularity, construct a finite-state region graph (Markov decision process)
– States: region equivalence classes
– Transitions:
• Time transitions are standard
• Handling of probabilistic branching over edges is straightforward
• But how do we deal with resetting clocks according to continuous probability distributions?
Model checking continuous probabilistic timed automata
• Representing continuously distributed clock resets in the region graph:
– Integrating over time-unit intervals gives the probability of a clock being set within an interval
• E.g. with a time granularity of 1, we integrate over intervals such as (0,1), (1,2), …
• E.g. with a time granularity of 0.5, we integrate over intervals such as (0,0.5), (0.5,1), …
– But the relationship between the ordering on the fractional parts of the newly set clocks and the clocks which keep their old values is not obtainable
– The probabilistic choice regarding this relationship is replaced with a nondeterministic choice
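The construction on this slide and Alur's example from the two slides before it, as an added Python example (written for this transcript, not code from the cited papers): the CDF of the reset distribution is integrated over the cells of the chosen granularity to obtain the probability mass per cell, the position of the new clock's fractional part relative to the clocks keeping their old values is expanded into every nondeterministic alternative, and a small helper shows that cells of width 0.5 pin down the ordering of x and y that cells of width 1 leave open. Uniform(0,29) is the reset from the light-switch example; the clock names and the tuple-of-groups representation of the fractional ordering are assumptions.

```python
from fractions import Fraction


def uniform_cdf(a, b):
    """Exact CDF of Uniform(a, b) (constructed helper; any CDF works below)."""
    a, b = Fraction(a), Fraction(b)

    def cdf(t):
        t = Fraction(t)
        if t <= a:
            return Fraction(0)
        if t >= b:
            return Fraction(1)
        return (t - a) / (b - a)

    return cdf


def interval_masses(cdf, support_hi, granularity):
    """Probability of the reset clock landing in each open cell (k*g, (k+1)*g) covering
    [0, support_hi]. Integrating the density over a cell is cdf(hi) - cdf(lo); a
    continuous distribution puts no mass on the cell boundaries, so they are omitted."""
    g = Fraction(granularity)
    cells, lo = [], Fraction(0)
    while lo < support_hi:
        hi = lo + g
        cells.append(((lo, hi), cdf(hi) - cdf(lo)))
        lo = hi
    return cells


def insert_positions(groups, new_clock):
    """Every way the fractional part of `new_clock` can sit relative to `groups`, the
    increasing ordering of the clocks keeping their old values (a tuple of tuples of
    clocks with equal fractional parts). `new_clock` must not already be in `groups`."""
    alternatives = []
    for i in range(len(groups) + 1):
        # strictly between group i-1 and group i (or at either end)
        alternatives.append(groups[:i] + ((new_clock,),) + groups[i:])
        if i < len(groups):
            # equal fractional part to group i
            alternatives.append(groups[:i] + (tuple(sorted(groups[i] + (new_clock,))),) + groups[i + 1:])
    return alternatives


def abstract_reset(cdf, support_hi, granularity, groups, new_clock):
    """Region-graph successors of a continuously distributed reset: the choice of cell
    stays probabilistic (with its integrated mass), the choice of fractional ordering
    becomes nondeterministic. Returns (cell, mass, ordering) triples."""
    successors = []
    for cell, mass in interval_masses(cdf, support_hi, granularity):
        if mass == 0:
            continue
        for ordering in insert_positions(groups, new_clock):
            successors.append((cell, mass, ordering))
    return successors


def value_orderings(cell_x, cell_y):
    """Orderings of the values of a clock x known to lie in cell_x and a clock y reset
    into cell_y: disjoint cells fix the ordering, the same cell leaves x<y, x=y and x>y
    all possible (x=y has probability 0 but is kept so the abstraction stays sound)."""
    (xlo, xhi), (ylo, yhi) = cell_x, cell_y
    if xhi <= ylo:
        return {"<"}
    if yhi <= xlo:
        return {">"}
    return {"<", "=", ">"}
```

With granularity 1 the reset Uniform(0,29) gives 29 cells of mass 1/29 each; with granularity 0.5 it gives 58 cells of mass 1/58, and each cell is paired with every admissible fractional ordering, which is where the region graph grows as the granularity is refined.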
Model checking continuous probabilistic timed automata
• Let:
– CPTA be a continuous probabilistic timed automaton, P be a PTCTL formula,
– n1 be the chosen time granularity,
– RG(CPTA, P, n) be the region graph of CPTA, P, n
• CPTA ⊨P P if RG(CPTA, P, n) ⊨ the untimed version of P, where ⊨ is the “untimed” version of ⊨P
• Key result of Kwiatkowska et al. (2000)
Model checking continuous probabilistic timed automata
• Replacing probabilistic choice with nondeterministic choice introduces the possibility of an error in the computed probabilities
• But we know that the maximum probability that CPTA satisfies a path formula is bounded from above by the maximum probability that RG(CPTA, P, n) satisfies the path formula (similarly for the minimum)
• For example: CPTA ⊨P P<0.01[◇ failure] if RG(CPTA, P, n) ⊨ P<0.01[◇ failure]
Conclusions: model checking timed automata
• Achieved success in the form of the development of tools such as UPPAAL (Uppsala/Aalborg) and KRONOS (Grenoble)
• Use of zone-based algorithms
– Manipulate sets of clock equivalence classes
Conclusions: model checking real-time probabilistic processes
• Activity died off after Alur, Courcoubetis and Dill’s 1991 papers
• Interest renewed by the development of process algebras with generally distributed delays (Bravetti et al., D’Argenio et al.)
• Model checking of Semi-Markov Chains: Infante-Lopez et al. (2001)
Conclusions: model checking probabilistic timed automata
• Model checking using PRISM (Kwiatkowska, Norman and Parker (2002)) and:
– Region graphs
– Discrete-time semantics (given restrictions on clock constraints to comparisons of a single clock x with a constant c)
• Based on discrete-time semantics for timed automata developed by Henzinger et al. (1992), Asarin et al. (1998), Bozga et al. (1999)
• Case studies: FireWire (Kwiatkowska et al. (2002: FAC)), IEEE 802.11 (Kwiatkowska et al. (2002: PAPM-PROBMIV))
Conclusions: model checking probabilistic timed automata
• Zone-based algorithms for probabilistic timed automata:
– Must carefully distinguish zones which have different probabilities
• Kwiatkowska et al. (2001: CONCUR, 2002: TCS)
– Case study: FireWire
• Kwiatkowska et al. (2002: FAC), Daws et al. (2002)
Conclusions: model checking continuous probabilistic timed automata
• Increasing the time granularity blows up the state space
• There is a need to concentrate on restricted subclasses