probabilistic verification of discrete event systems håkan l. s. younes reid g. simmons (initial...

Probabilistic Verification of Discrete Event Systems

Håkan L. S. YounesReid G. Simmons

(initial work performed at HTC, Summer 2001)

May 30, 2002Carnegie Mellon

Introduction Goal: Verify temporal properties of

general discrete event systems Probabilistic, real-time properties Expressed using CSL

Approach: Acceptance sampling Guaranteed error bounds Any-time properties


“The Hungry Stork”

System

“The probability is at least 0.7 that the stork satisfies its hunger within 180 seconds”


“The Hungry Stork” as aDiscrete Event System

hungry



hungryhungry,hunting

40 sec

stork sees frog



hungry

40 sec

stork sees frog

hungry,hunting,

seen

hungry,hunting

19 sec

frog sees stork



hungry,hunting,

seennot hungry

hungry,hunting

hungry

40 sec 19 sec 2 sec

stork sees frog

frog sees stork

stork eats frog



hungry,hunting,

seennot hungry

hungry,hunting

hungry

40 sec 19 sec 2 sec

stork sees frog

frog sees stork

stork eats frog

For this execution path, at least, the property holds…(total time < 180 sec)


Verifying Probabilistic Properties Properties of the form: Pr≥(X)

Symbolic Methods+ Exact solutions- Works for a restricted class of

systems Sampling

+ Works for all systems that can be simulated

- Solutions not guaranteed


Our Approach: Acceptance Sampling Use simulation to generate

sample execution paths Samples based on stochastic

discrete event models

How many samples are “enough”? Probability of false negatives ≤ Probability of false positives ≤


Performance of Test

Actual probability of X holding

Pro

bab

ility

of

acc

ep

tin

gPr ≥

(X

) as

tru

e

1 –


Ideal Performance


Pro

bab

ility

of

acc

ep

tin

gPr ≥

(X

) as

tru

e

1 –

False negatives

False positives


Actual Performance

– +

Indifference region


Pro

bab

ility

of

acc

ep

tin

gPr ≥

(X

) as

tru

e

1 –

False negatives

False positives


SequentialAcceptance Sampling

True, false,or anothersample?

Hypothesis: Pr≥(X)


Graphical Representation of Sequential Test

Number of samples

Nu

mb

er

of

posi

tive s

am

ple

s



We can find an acceptance line and a rejection line given , , , and

Reject

Accept

Continue sampling

Number of samples

Nu

mb

er

of

posi

tive s

am

ple

s



Reject

Accept

Continue sampling

Number of samples

Nu

mb

er

of

posi

tive s

am

ple

s


Verifying Properties

Verify Pr≥() with error bounds and Generate sample execution paths using

simulation Verify over each sample execution path

If is true, then we have a positive sample If is false, then we have a negative sample

Use sequential acceptance sampling to test the hypothesis Pr≥() How to express probabilistic, real-time

temporal properties as acceptance tests?


Continuous Stochastic Logic (CSL)

State formulas Standard logic operators: ¬, 1 2 … Probabilistic operator: Pr≥()

Path formulas Time-bounded Until: 1 U≤t 2

Pr≥0.7(true U≤180 ¬hungry) Pr≥0.9(Pr≤0.1(queue-full) U≤60 served)


Verification of Conjunction Verify 1 2 … n with error

bounds and

What error bounds to choose for the i’s? Naïve: i = /n, i = /n

Accept if all conjuncts are true Reject if some conjunct is false


“Fast reject”

Verification of Conjunction Verify 1 2 … n with error

bounds and 1. Verify each i with error bounds and ’

2. Return false as soon as any i is verified to be false

3. If all i are verified to be true, verify each i again with error bounds and /n

4. Return true iff all i are verified to be true


Verification of Conjunction

“Rigorous accept”

Verify 1 2 … n with error bounds and

1. Verify each i with error bounds and ’

2. Return false as soon as any i is verified to be false

3. If all i are verified to be true, verify each i again with error bounds and /n

4. Return true iff all i are verified to be true


Verification of Path Formulas To verify 1 U≤t 2 with error

bounds and Convert to disjunction

1 U≤t 2 holds if 2 holds in the first state, or if 2 holds in the second state and 1 holds in all prior states, or …


More on Verifying Until Given 1 U≤t 2, let n be the index

of the first state more than t time units away from the current state

Disjunction of n conjunctions c1 through cn, each of size i

Simplifies if 1 or 2, or both, do not contain any probabilistic statements


Verification of Nested Probabilistic Statements

Suppose , in Pr≥(), contains probabilistic statements

True, false,or anothersample?


Verification of Nested Probabilistic Statements

Suppose , in Pr≥(), contains probabilistic statements Pr≥0.9(Pr≤0.1(queue-full) U≤60 served) How to specify the error bounds ’ and

’ when verifying ?


Modified Test find an acceptance line and a

rejection line given , , , , ’, and ’:

Reject

Accept

Continue sampling

With ’ and ’ = 0

Number of samples

Nu

mb

er

of

posi

tive s

am

ple

s


Modified Test find an acceptance line and a

rejection line given , , , , ’, and ’:

With ’ and ’ > 0

Reject

Accept

Continue sampling

Number of samples

Nu

mb

er

of

posi

tive s

am

ple

s


Performance

10

100

1000

10000

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1

=0.9

=0.7=0.5

p

log E

p[n

]


Performance

10

100

1000

10000

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1

p

log E

p[n

] =0.005=0.01

=0.02


Performance

p

log E

p[n

]

10

100

1000

10000

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1

==0.001==0.01

==0.1


Summary Algorithm for probabilistic verification

of discrete event systems Sample execution paths generated

using simulation Probabilistic properties verified using

sequential acceptance sampling Properties specified using CSL


Future Work Apply to hybrid dynamic systems Develop heuristics for formula

ordering and parameter selection Use verification to aid policy

generation for real-time stochastic domains

probabilistic verification of discrete event systems håkan l. s. younes reid g. simmons (initial...

Documents

stork slide

carnegie mellon ve

hungry stork system

sec slide

pr x slide

seconds slide

storkstork eats frog

sec19 sec2 sec stork