Probabilistic Verification of Discrete Event Systems using Acceptance Sampling

Håkan L. S. Younes Reid G. SimmonsCarnegie Mellon University

Introduction

Verify properties of discrete event systems

Model independent approach Probabilistic real-time properties

expressed using CSL Acceptance sampling Guaranteed error bounds

DES Example

Triple modular redundant system Three processors Single majority voter

CPU 1 CPU 2 CPU 3

Voter

DES Example

CPU 1 CPU 2 CPU 3

Voter

3 CPUs upvoter up

DES Example

CPU 1 CPU 2 CPU 3

Voter

3 CPUs upvoter up

2 CPUs upvoter up

CPU fails

40

DES Example

CPU 1 CPU 2 CPU 3

Voter

3 CPUs upvoter up

2 CPUs upvoter up

2 CPUs uprepairing CPU

voter up

CPU fails repair CPU

40 19.2

DES Example

CPU 1 CPU 2 CPU 3

Voter

3 CPUs upvoter up

2 CPUs upvoter up

2 CPUs uprepairing CPU

voter up

1 CPU uprepairing CPU

voter up

CPU fails repair CPU CPU fails

40 19.2 11

DES Example

CPU 1 CPU 2 CPU 3

Voter

3 CPUs upvoter up

2 CPUs upvoter up

2 CPUs uprepairing CPU

voter up

1 CPU uprepairing CPU

voter up

2 CPUs upvoter up

CPU fails repair CPU CPU fails CPU repaired

40 19.2 11 4 …

Sample Execution Paths

3 CPUs upvoter up

2 CPUs upvoter up

2 CPUs uprepairing CPU

voter up

1 CPU uprepairing CPU

voter up

2 CPUs upvoter up

CPU fails repair CPU CPU fails CPU repaired

40 19.2 11 4 …

3 CPUs upvoter up

2 CPUs upvoter up

2 CPUs uprepairing CPU

voter up

3 CPUs upvoter up

3 CPUs upvoter down

CPU fails repair CPU CPU repaired

voter fails

82 13 16 4 …

Properties of Interest

Probabilistic real-time properties “The probability is at least 0.1 that

the voter fails within 120 time units while at least 2 CPUs have continuously remained up”

Properties of Interest

Probabilistic real-time properties “The probability is at least 0.1 that

the voter fails within 120 time units while at least 2 CPUs have continuously remained up”

Pr≥0.1(“2 CPUs up” “3 CPUs up” U≤120 “voter down”)

CSL formula:

Continuous Stochastic Logic (CSL)

State formulas Truth value is determined in a single

state Path formulas

Truth value is determined over an execution path

State Formulas

Standard logic operators: ¬, 1 2 …

Probabilistic operator: Pr≥() True iff probability is at least that

holds

Path Formulas

Until: 1 U≤t 2

Holds iff 2 becomes true in some state along the execution path before time t, and 1 is true in all prior states

Verifying Real-time Properties “2 CPUs up” “3 CPUs up” U≤120 “voter down”

3 CPUs upvoter up

2 CPUs upvoter up

2 CPUs uprepairing CPU

voter up

1 CPU uprepairing CPU

voter up

2 CPUs upvoter up

CPU fails repair CPU CPU fails CPU repaired

40 19.2 11 4 …

False!

Verifying Real-time Properties “2 CPUs up” “3 CPUs up” U≤120 “voter down”

3 CPUs upvoter up

2 CPUs upvoter up

2 CPUs uprepairing CPU

voter up

3 CPUs upvoter up

3 CPUs upvoter down

CPU fails repair CPU CPU repaired

voter fails

82 13 16 4 …

True!

+ + ≤ 120+

Verifying Probabilistic Properties

“The probability is at least 0.1 that ” Symbolic Methods

Pro: Exact solution Con: Works only for restricted class of systems

Sampling Pro: Works for any system that can be

simulated Con: Uncertainty in correctness of solution

Our Approach

Use simulation to generate sample execution paths

Use sequential acceptance sampling to verify probabilistic properties

Error Bounds

Probability of false negative: ≤ We say that is false when it is true

Probability of false positive: ≤ We say that is true when it is false

Acceptance Sampling

Hypothesis: Pr≥()

Performance of Test

Actual probability of holding

Pro

bab

ility

of

acc

ep

tin

gPr ≥

(

) as

tru

e

1 –

Ideal Performance

Actual probability of holding

Pro

bab

ility

of

acc

ep

tin

gPr ≥

(

) as

tru

e

1 –

False negatives

False positives

Actual Performance

– +

Indifference region

Actual probability of holding

Pro

bab

ility

of

acc

ep

tin

gPr ≥

(

) as

tru

e

1 –

False negatives

False positives

SequentialAcceptance Sampling

Hypothesis: Pr≥()

True, false,or anothersample?

Graphical Representation of Sequential Test

Number of samples

Nu

mb

er

of

posi

tive s

am

ple

s

Graphical Representation of Sequential Test

We can find an acceptance line and a rejection line given , , , and

Reject

Accept

Continue sampling

Number of samples

Nu

mb

er

of

posi

tive s

am

ple

s A,,,(n)

R,,,(n)

Graphical Representation of Sequential Test

Reject hypothesis

Reject

Accept

Continue sampling

Number of samples

Nu

mb

er

of

posi

tive s

am

ple

s

Graphical Representation of Sequential Test

Accept hypothesis

Reject

Accept

Continue sampling

Number of samples

Nu

mb

er

of

posi

tive s

am

ple

s

Verifying Probabilistic Properties

Verify Pr≥() with error bounds and Generate sample execution paths using

simulation Verify over each sample execution path

If is true, then we have a positive sample If is false, then we have a negative sample

Use sequential acceptance sampling to test the hypothesis Pr≥()

Verification of Nested Probabilistic Statements

Suppose , in Pr≥(), contains probabilistic statements Error bounds ’ and ’ when verifying

Verification of Nested Probabilistic Statements

Suppose , in Pr≥(), contains probabilistic statements

True, false,or anothersample?

Modified Test

Find an acceptance line and a rejection line given , , , , ’, and ’:

Reject

Accept

Continue sampling

With ’ and ’ = 0

Number of samples

Nu

mb

er

of

posi

tive s

am

ple

s A,,,(n)

R,,,(n)

Modified Test

Find an acceptance line and a rejection line given , , , , ’, and ’:

With ’ and ’ > 0

Reject

Accept

Continue sampling

Number of samples

Nu

mb

er

of

posi

tive s

am

ple

s

Modified Test

Find an acceptance line and a rejection line given , , , , ’, and ’:

Reject

Accept

Continue sampling

Number of samples

Nu

mb

er

of

posi

tive s

am

ple

s A’,’,,(n)

R’,’,,(n)

’ – ’ = 1 – (1 – ( – ))(1 – ’)

’ + ’ = ( + )(1 – ’)

Verification of Negation

To verify ¬ with error bounds and Verify with error bounds and

Verification of Conjunction

Verify 1 2 … n with error bounds and Verify each i with error bounds and

/n

Verification of Path Formulas

To verify 1 U≤t 2 with error bounds and Convert to disjunction

1 U≤t 2 holds if 2 holds in the first state, or if 2 holds in the second state and 1 holds in all prior states, or …

More on Verifying Until

Given 1 U≤t 2, let n be the index of the first state more than t time units away from the current state

Disjunction of n conjunctions c1 through cn, each of size i

Simplifies if 1 or 2, or both, do not contain any probabilistic statements

10

100

1000

10000

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1

Performance = 0.9

= = 10-1

Actual probability of holding

Avera

ge n

um

ber

of

sam

ple

s

= = 10-10

= 0.01

10

100

1000

10000

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1

Performance

=0.05

Actual probability of holding

Avera

ge n

um

ber

of

sam

ple

s

= 0.9 = = 10-2

=0.02=0.01=0.005

=0.002

=0.001

Summary

Model independent probabilistic verification of discrete event systems

Sample execution paths generated using simulation

Probabilistic properties verified using sequential acceptance sampling

Easy to trade accuracy for efficiency

Future Work

Develop heuristics for formula ordering and parameter selection

Use in combination with symbolic methods

Apply to hybrid dynamic systems Use verification to aid controller

synthesis for discrete event systems

ProVer: Probabilistic Verifier

http://www.cs.cmu.edu/~lorens/prover.html