Probabilistic Verification of Discrete Event Systems
Håkan L. S. YounesReid G. Simmons
(initial work performed at HTC, Summer 2001)
May 30, 2002Carnegie Mellon
Introduction Goal: Verify temporal properties of
general discrete event systems Probabilistic, real-time properties Expressed using CSL
Approach: Acceptance sampling Guaranteed error bounds Any-time properties
May 30, 2002Carnegie Mellon
“The Hungry Stork”
System
“The probability is at least 0.7 that the stork satisfies its hunger within 180 seconds”
May 30, 2002Carnegie Mellon
“The Hungry Stork” as aDiscrete Event System
hungry
May 30, 2002Carnegie Mellon
“The Hungry Stork” as aDiscrete Event System
hungryhungry,hunting
40 sec
stork sees frog
May 30, 2002Carnegie Mellon
“The Hungry Stork” as aDiscrete Event System
hungry
40 sec
stork sees frog
hungry,hunting,
seen
hungry,hunting
19 sec
frog sees stork
May 30, 2002Carnegie Mellon
“The Hungry Stork” as aDiscrete Event System
hungry,hunting,
seennot hungry
hungry,hunting
hungry
40 sec 19 sec 2 sec
stork sees frog
frog sees stork
stork eats frog
May 30, 2002Carnegie Mellon
“The Hungry Stork” as aDiscrete Event System
hungry,hunting,
seennot hungry
hungry,hunting
hungry
40 sec 19 sec 2 sec
stork sees frog
frog sees stork
stork eats frog
For this execution path, at least, the property holds…(total time < 180 sec)
May 30, 2002Carnegie Mellon
Verifying Probabilistic Properties Properties of the form: Pr≥(X)
Symbolic Methods+ Exact solutions- Works for a restricted class of
systems Sampling
+ Works for all systems that can be simulated
- Solutions not guaranteed
May 30, 2002Carnegie Mellon
Our Approach: Acceptance Sampling Use simulation to generate
sample execution paths Samples based on stochastic
discrete event models
How many samples are “enough”? Probability of false negatives ≤ Probability of false positives ≤
May 30, 2002Carnegie Mellon
Performance of Test
Actual probability of X holding
Pro
bab
ility
of
acc
ep
tin
gPr ≥
(X
) as
tru
e
1 –
May 30, 2002Carnegie Mellon
Ideal Performance
Actual probability of X holding
Pro
bab
ility
of
acc
ep
tin
gPr ≥
(X
) as
tru
e
1 –
False negatives
False positives
May 30, 2002Carnegie Mellon
Actual Performance
– +
Indifference region
Actual probability of X holding
Pro
bab
ility
of
acc
ep
tin
gPr ≥
(X
) as
tru
e
1 –
False negatives
False positives
May 30, 2002Carnegie Mellon
SequentialAcceptance Sampling
True, false,or anothersample?
Hypothesis: Pr≥(X)
May 30, 2002Carnegie Mellon
Graphical Representation of Sequential Test
Number of samples
Nu
mb
er
of
posi
tive s
am
ple
s
May 30, 2002Carnegie Mellon
Graphical Representation of Sequential Test
We can find an acceptance line and a rejection line given , , , and
Reject
Accept
Continue sampling
Number of samples
Nu
mb
er
of
posi
tive s
am
ple
s
May 30, 2002Carnegie Mellon
Graphical Representation of Sequential Test
Reject
Accept
Continue sampling
Number of samples
Nu
mb
er
of
posi
tive s
am
ple
s
May 30, 2002Carnegie Mellon
Graphical Representation of Sequential Test
Reject
Accept
Continue sampling
Number of samples
Nu
mb
er
of
posi
tive s
am
ple
s
May 30, 2002Carnegie Mellon
Verifying Properties
Verify Pr≥() with error bounds and Generate sample execution paths using
simulation Verify over each sample execution path
If is true, then we have a positive sample If is false, then we have a negative sample
Use sequential acceptance sampling to test the hypothesis Pr≥() How to express probabilistic, real-time
temporal properties as acceptance tests?
May 30, 2002Carnegie Mellon
Continuous Stochastic Logic (CSL)
State formulas Standard logic operators: ¬, 1 2 … Probabilistic operator: Pr≥()
Path formulas Time-bounded Until: 1 U≤t 2
Pr≥0.7(true U≤180 ¬hungry) Pr≥0.9(Pr≤0.1(queue-full) U≤60 served)
May 30, 2002Carnegie Mellon
Verification of Conjunction Verify 1 2 … n with error
bounds and
What error bounds to choose for the i’s? Naïve: i = /n, i = /n
Accept if all conjuncts are true Reject if some conjunct is false
May 30, 2002Carnegie Mellon
“Fast reject”
Verification of Conjunction Verify 1 2 … n with error
bounds and 1. Verify each i with error bounds and ’
2. Return false as soon as any i is verified to be false
3. If all i are verified to be true, verify each i again with error bounds and /n
4. Return true iff all i are verified to be true
May 30, 2002Carnegie Mellon
Verification of Conjunction
“Rigorous accept”
Verify 1 2 … n with error bounds and
1. Verify each i with error bounds and ’
2. Return false as soon as any i is verified to be false
3. If all i are verified to be true, verify each i again with error bounds and /n
4. Return true iff all i are verified to be true
May 30, 2002Carnegie Mellon
Verification of Path Formulas To verify 1 U≤t 2 with error
bounds and Convert to disjunction
1 U≤t 2 holds if 2 holds in the first state, or if 2 holds in the second state and 1 holds in all prior states, or …
May 30, 2002Carnegie Mellon
More on Verifying Until Given 1 U≤t 2, let n be the index
of the first state more than t time units away from the current state
Disjunction of n conjunctions c1 through cn, each of size i
Simplifies if 1 or 2, or both, do not contain any probabilistic statements
May 30, 2002Carnegie Mellon
Verification of Nested Probabilistic Statements
Suppose , in Pr≥(), contains probabilistic statements
True, false,or anothersample?
May 30, 2002Carnegie Mellon
Verification of Nested Probabilistic Statements
Suppose , in Pr≥(), contains probabilistic statements Pr≥0.9(Pr≤0.1(queue-full) U≤60 served) How to specify the error bounds ’ and
’ when verifying ?
May 30, 2002Carnegie Mellon
Modified Test find an acceptance line and a
rejection line given , , , , ’, and ’:
Reject
Accept
Continue sampling
With ’ and ’ = 0
Number of samples
Nu
mb
er
of
posi
tive s
am
ple
s
May 30, 2002Carnegie Mellon
Modified Test find an acceptance line and a
rejection line given , , , , ’, and ’:
With ’ and ’ > 0
Reject
Accept
Continue sampling
Number of samples
Nu
mb
er
of
posi
tive s
am
ple
s
May 30, 2002Carnegie Mellon
Performance
10
100
1000
10000
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1
=0.9
=0.7=0.5
p
log E
p[n
]
May 30, 2002Carnegie Mellon
Performance
10
100
1000
10000
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1
p
log E
p[n
] =0.005=0.01
=0.02
May 30, 2002Carnegie Mellon
Performance
p
log E
p[n
]
10
100
1000
10000
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1
==0.001==0.01
==0.1
May 30, 2002Carnegie Mellon
Summary Algorithm for probabilistic verification
of discrete event systems Sample execution paths generated
using simulation Probabilistic properties verified using
sequential acceptance sampling Properties specified using CSL
May 30, 2002Carnegie Mellon
Future Work Apply to hybrid dynamic systems Develop heuristics for formula
ordering and parameter selection Use verification to aid policy
generation for real-time stochastic domains
Top Related