qualitative and quantitative analysis in automotive...
Post on 14-May-2021
11 Views
Preview:
TRANSCRIPT
Qualitative and Quantitative Analysisin Automotive Scenarios
– A preview of D8.6 –
Maurice ter Beek
ISTI-CNRPisa, Italy
SENSORIA workshopMünchen, 11–14 March 2008
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 1 / 21
Outline
1 Aim of SENSORIA Deliverable 8.6
2 This Presentation’s Origins
3 Logics for Qualitative and Quantitative Analysis
4 Qualitative Analysis of On Road Assistance Scenario
5 Towards Quantitative Analysis of Accident Assistance Scenario
6 Future Work
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 2 / 21
Aim of SENSORIA Deliverable 8.6 (due M36)
Relations between case studies and Theme 2 resultsD8.6 will describe the relations between the four SENSORIA casestudies of WP8 and the more technical work as carried out within theWPs of Theme 2: Mathematical analysis and verification techniquesand tools for system behaviour and quality of service properties
D8.6 will show how the theoretical approaches to qualitative andquantitative aspects of services (WP3 and WP4) are applied toscenarios of the automotive, finance, telecommunications and coursemanagement & e-learning case studies (WP8)
Preview of D8.6: two exemplary approachesQualitative analysis of the on road assistance scenarioTowards quantitative analysis of the accident assistance scenario
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 3 / 21
Aim of SENSORIA Deliverable 8.6 (due M36)
Relations between case studies and Theme 2 resultsD8.6 will describe the relations between the four SENSORIA casestudies of WP8 and the more technical work as carried out within theWPs of Theme 2: Mathematical analysis and verification techniquesand tools for system behaviour and quality of service properties
D8.6 will show how the theoretical approaches to qualitative andquantitative aspects of services (WP3 and WP4) are applied toscenarios of the automotive, finance, telecommunications and coursemanagement & e-learning case studies (WP8)
Preview of D8.6: two exemplary approachesQualitative analysis of the on road assistance scenarioTowards quantitative analysis of the accident assistance scenario
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 3 / 21
Analyses of Two Automotive Scenarios
UML 2.0 specification using a UML ProfileN. Koch and D. Berndl, Requirements Modelling and Analysis ofSelected Scenarios of the Automative Case Study. SENSORIADeliverable 8.2a, September 2007
Qualitative analysis: On road assistanceM.H. ter Beek, S. Gnesi, N. Koch and F. Mazzanti, Formal Verificationof an Automotive Scenario in Service-Oriented Computing. To appearin Proceedings of the 30th International Conference on SoftwareEngineering (ICSE’08) – Experience Track on Automotive Systems,Leipzig, Germany, ACM Press, New York, 2008
Towards quantitative analysis: Accident assistance (a.k.a. airbag)R. De Nicola, J.P. Katoen, D. Latella, M. Loreti and M. Massink,Stochastic logics. SENSORIA Deliverable 4.2a, February 2007
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 4 / 21
Analyses of Two Automotive Scenarios
UML 2.0 specification using a UML ProfileN. Koch and D. Berndl, Requirements Modelling and Analysis ofSelected Scenarios of the Automative Case Study. SENSORIADeliverable 8.2a, September 2007
Qualitative analysis: On road assistanceM.H. ter Beek, S. Gnesi, N. Koch and F. Mazzanti, Formal Verificationof an Automotive Scenario in Service-Oriented Computing. To appearin Proceedings of the 30th International Conference on SoftwareEngineering (ICSE’08) – Experience Track on Automotive Systems,Leipzig, Germany, ACM Press, New York, 2008
Towards quantitative analysis: Accident assistance (a.k.a. airbag)R. De Nicola, J.P. Katoen, D. Latella, M. Loreti and M. Massink,Stochastic logics. SENSORIA Deliverable 4.2a, February 2007
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 4 / 21
On Road Assistance Scenario
On the road, a vehicle’s diagnostic system reports a low oil levelTriggers in-vehicle diagnostic system to report problem withpressure of cylinder heads (car no longer driveable) and to sendthis diagnostic data and vehicle’s GPS coordinates to repair serverGiven driver’s preferences, service discovery system identifies andselects appropriate services (garage/tow truck/rental car) in areaWhen driver makes appointment with garage, results of in-vehiclediagnosis are automatically sent along, allowing garage to identifythe spare parts needed to repair carSimilarly, when driver orders tow truck and rental car, the vehicle’sGPS coordinates are sent alongObviously, driver is required to deposit a security payment beforebeing able to order any serviceEach service can be denied or cancelled, causing an appropriatecompensation activity
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 5 / 21
On Road Assistance Scenario
On the road, a vehicle’s diagnostic system reports a low oil levelTriggers in-vehicle diagnostic system to report problem withpressure of cylinder heads (car no longer driveable) and to sendthis diagnostic data and vehicle’s GPS coordinates to repair serverGiven driver’s preferences, service discovery system identifies andselects appropriate services (garage/tow truck/rental car) in areaWhen driver makes appointment with garage, results of in-vehiclediagnosis are automatically sent along, allowing garage to identifythe spare parts needed to repair carSimilarly, when driver orders tow truck and rental car, the vehicle’sGPS coordinates are sent alongObviously, driver is required to deposit a security payment beforebeing able to order any serviceEach service can be denied or cancelled, causing an appropriatecompensation activity
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 5 / 21
On Road Assistance Scenario
On the road, a vehicle’s diagnostic system reports a low oil levelTriggers in-vehicle diagnostic system to report problem withpressure of cylinder heads (car no longer driveable) and to sendthis diagnostic data and vehicle’s GPS coordinates to repair serverGiven driver’s preferences, service discovery system identifies andselects appropriate services (garage/tow truck/rental car) in areaWhen driver makes appointment with garage, results of in-vehiclediagnosis are automatically sent along, allowing garage to identifythe spare parts needed to repair carSimilarly, when driver orders tow truck and rental car, the vehicle’sGPS coordinates are sent alongObviously, driver is required to deposit a security payment beforebeing able to order any serviceEach service can be denied or cancelled, causing an appropriatecompensation activity
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 5 / 21
On Road Assistance Scenario
On the road, a vehicle’s diagnostic system reports a low oil levelTriggers in-vehicle diagnostic system to report problem withpressure of cylinder heads (car no longer driveable) and to sendthis diagnostic data and vehicle’s GPS coordinates to repair serverGiven driver’s preferences, service discovery system identifies andselects appropriate services (garage/tow truck/rental car) in areaWhen driver makes appointment with garage, results of in-vehiclediagnosis are automatically sent along, allowing garage to identifythe spare parts needed to repair carSimilarly, when driver orders tow truck and rental car, the vehicle’sGPS coordinates are sent alongObviously, driver is required to deposit a security payment beforebeing able to order any serviceEach service can be denied or cancelled, causing an appropriatecompensation activity
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 5 / 21
On Road Assistance Scenario
On the road, a vehicle’s diagnostic system reports a low oil levelTriggers in-vehicle diagnostic system to report problem withpressure of cylinder heads (car no longer driveable) and to sendthis diagnostic data and vehicle’s GPS coordinates to repair serverGiven driver’s preferences, service discovery system identifies andselects appropriate services (garage/tow truck/rental car) in areaWhen driver makes appointment with garage, results of in-vehiclediagnosis are automatically sent along, allowing garage to identifythe spare parts needed to repair carSimilarly, when driver orders tow truck and rental car, the vehicle’sGPS coordinates are sent alongObviously, driver is required to deposit a security payment beforebeing able to order any serviceEach service can be denied or cancelled, causing an appropriatecompensation activity
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 5 / 21
On Road Assistance Scenario
On the road, a vehicle’s diagnostic system reports a low oil levelTriggers in-vehicle diagnostic system to report problem withpressure of cylinder heads (car no longer driveable) and to sendthis diagnostic data and vehicle’s GPS coordinates to repair serverGiven driver’s preferences, service discovery system identifies andselects appropriate services (garage/tow truck/rental car) in areaWhen driver makes appointment with garage, results of in-vehiclediagnosis are automatically sent along, allowing garage to identifythe spare parts needed to repair carSimilarly, when driver orders tow truck and rental car, the vehicle’sGPS coordinates are sent alongObviously, driver is required to deposit a security payment beforebeing able to order any serviceEach service can be denied or cancelled, causing an appropriatecompensation activity
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 5 / 21
On Road Assistance Scenario
On the road, a vehicle’s diagnostic system reports a low oil levelTriggers in-vehicle diagnostic system to report problem withpressure of cylinder heads (car no longer driveable) and to sendthis diagnostic data and vehicle’s GPS coordinates to repair serverGiven driver’s preferences, service discovery system identifies andselects appropriate services (garage/tow truck/rental car) in areaWhen driver makes appointment with garage, results of in-vehiclediagnosis are automatically sent along, allowing garage to identifythe spare parts needed to repair carSimilarly, when driver orders tow truck and rental car, the vehicle’sGPS coordinates are sent alongObviously, driver is required to deposit a security payment beforebeing able to order any serviceEach service can be denied or cancelled, causing an appropriatecompensation activity
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 5 / 21
Components of UML Specification
Engine: causes low oil level alertDiscovery engine: discovers services neededReasoner: selects best servicesOrchestrator: composes services to achieve goalDriver: calls garage, tow truck, rental car and bankGPS: sends vehicle’s current coordinates to servicesGarage: receives diagnostic data about vehicleTow truck: receives GPS coordinates of vehicleRental car: receives GPS coordinates of driverBank: receives deposit from driver
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 6 / 21
Activity Diagram: Orchestration of Services
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 7 / 21
Activity Diagram: Orchestration of Services (cont’d)
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 8 / 21
Operational Model: Communicating State Machines
Subcomponent BankCommunication
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 9 / 21
Modelling Assumptions
We do not define a separate state machine for each component,but rather structure some of them as subcomponents of othersWe abstract altogether from a remote discovery state machine(to search for services in a remote repository)LocalDiscovery returns at most one choice of services for onroad assistanceCompensations are explicitly modelled as requests to canceloperations (viz. bankrevoke and garagerevoke)All communications between Car’s subcomponents, and thosebetween these subcomponents and Bank and RoadAssistance(i.e. all service invocations), are modelled as pairs ofrequest/response signals; whereas this is necessary for theformer (synchronous operation calls would deadlock), the lattermight equally well be modelled as synchronous operation calls
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 10 / 21
Modelling Assumptions
We do not define a separate state machine for each component,but rather structure some of them as subcomponents of othersWe abstract altogether from a remote discovery state machine(to search for services in a remote repository)LocalDiscovery returns at most one choice of services for onroad assistanceCompensations are explicitly modelled as requests to canceloperations (viz. bankrevoke and garagerevoke)All communications between Car’s subcomponents, and thosebetween these subcomponents and Bank and RoadAssistance(i.e. all service invocations), are modelled as pairs ofrequest/response signals; whereas this is necessary for theformer (synchronous operation calls would deadlock), the lattermight equally well be modelled as synchronous operation calls
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 10 / 21
Modelling Assumptions
We do not define a separate state machine for each component,but rather structure some of them as subcomponents of othersWe abstract altogether from a remote discovery state machine(to search for services in a remote repository)LocalDiscovery returns at most one choice of services for onroad assistanceCompensations are explicitly modelled as requests to canceloperations (viz. bankrevoke and garagerevoke)All communications between Car’s subcomponents, and thosebetween these subcomponents and Bank and RoadAssistance(i.e. all service invocations), are modelled as pairs ofrequest/response signals; whereas this is necessary for theformer (synchronous operation calls would deadlock), the lattermight equally well be modelled as synchronous operation calls
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 10 / 21
Modelling Assumptions
We do not define a separate state machine for each component,but rather structure some of them as subcomponents of othersWe abstract altogether from a remote discovery state machine(to search for services in a remote repository)LocalDiscovery returns at most one choice of services for onroad assistanceCompensations are explicitly modelled as requests to canceloperations (viz. bankrevoke and garagerevoke)All communications between Car’s subcomponents, and thosebetween these subcomponents and Bank and RoadAssistance(i.e. all service invocations), are modelled as pairs ofrequest/response signals; whereas this is necessary for theformer (synchronous operation calls would deadlock), the lattermight equally well be modelled as synchronous operation calls
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 10 / 21
Modelling Assumptions
We do not define a separate state machine for each component,but rather structure some of them as subcomponents of othersWe abstract altogether from a remote discovery state machine(to search for services in a remote repository)LocalDiscovery returns at most one choice of services for onroad assistanceCompensations are explicitly modelled as requests to canceloperations (viz. bankrevoke and garagerevoke)All communications between Car’s subcomponents, and thosebetween these subcomponents and Bank and RoadAssistance(i.e. all service invocations), are modelled as pairs ofrequest/response signals; whereas this is necessary for theformer (synchronous operation calls would deadlock), the lattermight equally well be modelled as synchronous operation calls
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 10 / 21
Modelling Assumptions
We do not define a separate state machine for each component,but rather structure some of them as subcomponents of othersWe abstract altogether from a remote discovery state machine(to search for services in a remote repository)LocalDiscovery returns at most one choice of services for onroad assistanceCompensations are explicitly modelled as requests to canceloperations (viz. bankrevoke and garagerevoke)All communications between Car’s subcomponents, and thosebetween these subcomponents and Bank and RoadAssistance(i.e. all service invocations), are modelled as pairs ofrequest/response signals; whereas this is necessary for theformer (synchronous operation calls would deadlock), the lattermight equally well be modelled as synchronous operation calls
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 10 / 21
Structure Diagram of State Machines
⇒ Validation by hand is not feasible: 535 states and 814 transitions
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 11 / 21
Action/State-based Branching-time Temporal Logics
The emerging trend in industry is to use UML (state diagrams)
Ease of expressiveness w.r.t. pure action- or state-based logicsTheir use often leads to a reduced state space, small memoryneeds and less time spent for verification
UCTL defined as an extension of action-based CTL (ACTL [DNV90])UCTL includes both CTL and ACTLFormally represent all possible system evolutions by L2TS [DNV95]
states represent the various system configurationsedges represent the possible evolutions of a system configuration
The service-oriented logic SOCL is a recent [FASE’08] specializa-tion of UCTL meant to capture peculiar aspects of services
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 12 / 21
Action/State-based Branching-time Temporal Logics
To use the full potential of specification languages (like UML) thatallow both action and state changes to be modelled, various action-and state-based logics have been developed
Ease of expressiveness w.r.t. pure action- or state-based logicsTheir use often leads to a reduced state space, small memoryneeds and less time spent for verification
UCTL defined as an extension of action-based CTL (ACTL [DNV90])UCTL includes both CTL and ACTLFormally represent all possible system evolutions by L2TS [DNV95]
states represent the various system configurationsedges represent the possible evolutions of a system configuration
The service-oriented logic SOCL is a recent [FASE’08] specializa-tion of UCTL meant to capture peculiar aspects of services
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 12 / 21
Action/State-based Branching-time Temporal Logics
To use the full potential of specification languages (like UML) thatallow both action and state changes to be modelled, various action-and state-based logics have been developed
Ease of expressiveness w.r.t. pure action- or state-based logicsTheir use often leads to a reduced state space, small memoryneeds and less time spent for verification
UCTL defined as an extension of action-based CTL (ACTL [DNV90])UCTL includes both CTL and ACTLFormally represent all possible system evolutions by L2TS [DNV95]
states represent the various system configurationsedges represent the possible evolutions of a system configuration
The service-oriented logic SOCL is a recent [FASE’08] specializa-tion of UCTL meant to capture peculiar aspects of services
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 12 / 21
Action/State-based Branching-time Temporal Logics
To use the full potential of specification languages (like UML) thatallow both action and state changes to be modelled, various action-and state-based logics have been developed
Ease of expressiveness w.r.t. pure action- or state-based logicsTheir use often leads to a reduced state space, small memoryneeds and less time spent for verification
UCTL defined as an extension of action-based CTL (ACTL [DNV90])UCTL includes both CTL and ACTLFormally represent all possible system evolutions by L2TS [DNV95]
states represent the various system configurationsedges represent the possible evolutions of a system configuration
The service-oriented logic SOCL is a recent [FASE’08] specializa-tion of UCTL meant to capture peculiar aspects of services
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 12 / 21
Action/State-based Branching-time Temporal Logics
To use the full potential of specification languages (like UML) thatallow both action and state changes to be modelled, various action-and state-based logics have been developed
Ease of expressiveness w.r.t. pure action- or state-based logicsTheir use often leads to a reduced state space, small memoryneeds and less time spent for verification
UCTL defined as an extension of action-based CTL (ACTL [DNV90])UCTL includes both CTL and ACTLFormally represent all possible system evolutions by L2TS [DNV95]
states represent the various system configurationsedges represent the possible evolutions of a system configuration
The service-oriented logic SOCL is a recent [FASE’08] specializa-tion of UCTL meant to capture peculiar aspects of services
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 12 / 21
Action/State-based Branching-time Temporal Logics
To use the full potential of specification languages (like UML) thatallow both action and state changes to be modelled, various action-and state-based logics have been developed
Ease of expressiveness w.r.t. pure action- or state-based logicsTheir use often leads to a reduced state space, small memoryneeds and less time spent for verification
UCTL defined as an extension of action-based CTL (ACTL [DNV90])UCTL includes both CTL and ACTLFormally represent all possible system evolutions by L2TS [DNV95]
states represent the various system configurationsedges represent the possible evolutions of a system configuration
The service-oriented logic SOCL is a recent [FASE’08] specializa-tion of UCTL meant to capture peculiar aspects of services
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 12 / 21
Action/State-based Branching-time Temporal Logics
To use the full potential of specification languages (like UML) thatallow both action and state changes to be modelled, various action-and state-based logics have been developed
Ease of expressiveness w.r.t. pure action- or state-based logicsTheir use often leads to a reduced state space, small memoryneeds and less time spent for verification
UCTL defined as an extension of action-based CTL (ACTL [DNV90])UCTL includes both CTL and ACTLFormally represent all possible system evolutions by L2TS [DNV95]
states represent the various system configurationsedges represent the possible evolutions of a system configuration
The service-oriented logic SOCL is a recent [FASE’08] specializa-tion of UCTL meant to capture peculiar aspects of services
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 12 / 21
Model Checker for SOCL
On-the-fly model checker to verify SOCL formulae (specifying action-and state-based properties) over communicating UML state machinesCurrent experimentation via web interface at http://fmt.isti.cnr.it/{c/u}mc⇒ planned integration into the SENSORIA CASE tool
Service responsivenessA service is responsive if it guarantees a responseto each received request
SOCL propertyAG [ request(CardCharge, $carID) ]
AF {ResponseOK (CardCharge, %carID) ∨ResponseFail(CardCharge, %carID) } true
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 13 / 21
Model Checker for SOCL
On-the-fly model checker to verify SOCL formulae (specifying action-and state-based properties) over communicating UML state machinesCurrent experimentation via web interface at http://fmt.isti.cnr.it/{c/u}mc⇒ planned integration into the SENSORIA CASE tool
Service responsivenessA service is responsive if it guarantees a responseto each received request
SOCL propertyAG [ request(CardCharge, $carID) ]
AF {ResponseOK (CardCharge, %carID) ∨ResponseFail(CardCharge, %carID) } true
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 13 / 21
Model Checker for SOCL
On-the-fly model checker to verify SOCL formulae (specifying action-and state-based properties) over communicating UML state machinesCurrent experimentation via web interface at http://fmt.isti.cnr.it/{c/u}mc⇒ planned integration into the SENSORIA CASE tool
Service responsivenessA service is responsive if it guarantees a responseto each received request
SOCL propertyAG [ request(CardCharge, $carID) ]
AF {ResponseOK (CardCharge, %carID) ∨ResponseFail(CardCharge, %carID) } true
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 13 / 21
Model Checker for SOCL
On-the-fly model checker to verify SOCL formulae (specifying action-and state-based properties) over communicating UML state machinesCurrent experimentation via web interface at http://fmt.isti.cnr.it/{c/u}mc⇒ planned integration into the SENSORIA CASE tool
Service responsivenessA service is responsive if it guarantees a responseto each received request
SOCL propertyAG [ request(CardCharge, $carID) ]
AF {ResponseOK (CardCharge, %carID) ∨ResponseFail(CardCharge, %carID) } true
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 13 / 21
Model Checker for SOCL
On-the-fly model checker to verify SOCL formulae (specifying action-and state-based properties) over communicating UML state machinesCurrent experimentation via web interface at http://fmt.isti.cnr.it/{c/u}mc⇒ planned integration into the SENSORIA CASE tool
Service responsivenessIf Car requests Bank to charge a credit card, thenBank will reply by notifying either a successful or afailed attempt to charge the credit card
SOCL propertyAG [ request(CardCharge, $carID) ]
AF {ResponseOK (CardCharge, %carID) ∨ResponseFail(CardCharge, %carID) } true
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 13 / 21
Model Checker for SOCL
On-the-fly model checker to verify SOCL formulae (specifying action-and state-based properties) over communicating UML state machinesCurrent experimentation via web interface at http://fmt.isti.cnr.it/{c/u}mc⇒ planned integration into the SENSORIA CASE tool
Service responsivenessIf Car requests Bank to charge a credit card, thenBank will reply by notifying either a successful or afailed attempt to charge the credit card
SOCL propertyAG [ request(CardCharge, $carID) ]
AF {ResponseOK (CardCharge, %carID) ∨ResponseFail(CardCharge, %carID) } true
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 13 / 21
MOSL: Mobile Stochastic Logic (for STOKLAIM)
R. De Nicola, J.-P. Katoen, D. Latella, M. Loreti and M. Massink, Modelchecking mobile stochastic logic. Theoretical Computer Science 382, 1(2007), 42–70.
A temporal logic (dynamic evolution)
An action- and state-based logic
A real-time logic (real-time bounds)
A probabilistic logic (performance and dependability aspects)
A spatial logic (spatial structure of the network)
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 14 / 21
MOSL: Mobile Stochastic Logic (for STOKLAIM)
R. De Nicola, J.-P. Katoen, D. Latella, M. Loreti and M. Massink, Modelchecking mobile stochastic logic. Theoretical Computer Science 382, 1(2007), 42–70.
A temporal logic (dynamic evolution)
An action- and state-based logic
A real-time logic (real-time bounds)
A probabilistic logic (performance and dependability aspects)
A spatial logic (spatial structure of the network)
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 14 / 21
Origins of UCTL, MOSL and SOCL
[De Nicola et al.]
CTL
aCTL CSL
aCSL
asCSL
UCTL
SocL [Baier et al.]
[Hermanns et al.]
[Aziz et al., Baier et al.]
[Fantechi et al.]
[Gnesi et al.]
[De Nicola et al.]
[Clarke et al.]
MoSL
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 15 / 21
Exemplary Requirements Expressable in MOSLAvailability“Probability is larger than 0.99 that server X is not faulty in the long run”
S>0.99(¬(〈Fault〉@X))
S is the probabilistic steady-state operator and the fault is modelledwith the presence of token Fault at the server’s data repository
Reliability“Probability is less than 0.02 that a fault occurs within 3600 time unitsand when the system enters the faulty state, it’s due to the execution inserver X of an input operation from component Y ’s repository”
P<0.02(¬(〈Fault〉@X) U<3600{X:IN(z)@Y} 〈Fault〉@X)
P probabilistic path operator, U (dense) time-bounded until operator(its subscript indicates the specific action that causes the fault)
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 16 / 21
Exemplary Requirements Expressable in MOSLAvailability“Probability is larger than 0.99 that server X is not faulty in the long run”
S>0.99(¬(〈Fault〉@X))
S is the probabilistic steady-state operator and the fault is modelledwith the presence of token Fault at the server’s data repository
Reliability“Probability is less than 0.02 that a fault occurs within 3600 time unitsand when the system enters the faulty state, it’s due to the execution inserver X of an input operation from component Y ’s repository”
P<0.02(¬(〈Fault〉@X) U<3600{X:IN(z)@Y} 〈Fault〉@X)
P probabilistic path operator, U (dense) time-bounded until operator(its subscript indicates the specific action that causes the fault)
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 16 / 21
Accident Assistance Scenario (a.k.a. Airbag Scenario)
An accident occurs to a car registered with the AccidentAssistance Service and the airbag of the car deploysTriggers an automated message to the Accident AssistanceServer, containing the vehicle’s GPS data, the vehicleidentification number and a collection of sensor dataThe Accident Assistance Server calls the driver’s mobile phoneIf, due to injuries, the driver is unable to answer, and the severityof the accident is confirmed also by the sensor data, then theemergency services are alerted and the vehicle location iscommunicated to themOther cars approaching the accident are alerted as well
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 17 / 21
Accident Assistance Scenario (a.k.a. Airbag Scenario)
An accident occurs to a car registered with the AccidentAssistance Service and the airbag of the car deploysTriggers an automated message to the Accident AssistanceServer, containing the vehicle’s GPS data, the vehicleidentification number and a collection of sensor dataThe Accident Assistance Server calls the driver’s mobile phoneIf, due to injuries, the driver is unable to answer, and the severityof the accident is confirmed also by the sensor data, then theemergency services are alerted and the vehicle location iscommunicated to themOther cars approaching the accident are alerted as well
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 17 / 21
Accident Assistance Scenario (a.k.a. Airbag Scenario)
An accident occurs to a car registered with the AccidentAssistance Service and the airbag of the car deploysTriggers an automated message to the Accident AssistanceServer, containing the vehicle’s GPS data, the vehicleidentification number and a collection of sensor dataThe Accident Assistance Server calls the driver’s mobile phoneIf, due to injuries, the driver is unable to answer, and the severityof the accident is confirmed also by the sensor data, then theemergency services are alerted and the vehicle location iscommunicated to themOther cars approaching the accident are alerted as well
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 17 / 21
Accident Assistance Scenario (a.k.a. Airbag Scenario)
An accident occurs to a car registered with the AccidentAssistance Service and the airbag of the car deploysTriggers an automated message to the Accident AssistanceServer, containing the vehicle’s GPS data, the vehicleidentification number and a collection of sensor dataThe Accident Assistance Server calls the driver’s mobile phoneIf, due to injuries, the driver is unable to answer, and the severityof the accident is confirmed also by the sensor data, then theemergency services are alerted and the vehicle location iscommunicated to themOther cars approaching the accident are alerted as well
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 17 / 21
Accident Assistance Scenario (a.k.a. Airbag Scenario)
An accident occurs to a car registered with the AccidentAssistance Service and the airbag of the car deploysTriggers an automated message to the Accident AssistanceServer, containing the vehicle’s GPS data, the vehicleidentification number and a collection of sensor dataThe Accident Assistance Server calls the driver’s mobile phoneIf, due to injuries, the driver is unable to answer, and the severityof the accident is confirmed also by the sensor data, then theemergency services are alerted and the vehicle location iscommunicated to themOther cars approaching the accident are alerted as well
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 17 / 21
Modelling Assumptions
Simplifications
Airbag deployment is not considered
If the driver does not answer the phone call, the emergencyservices are alerted anyway
Alerting cars approaching the accident area are not considered
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 18 / 21
Modelling Assumptions
Simplifications
Airbag deployment is not considered
If the driver does not answer the phone call, the emergencyservices are alerted anyway
Alerting cars approaching the accident area are not considered
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 18 / 21
Modelling Assumptions
Simplifications
Airbag deployment is not considered
If the driver does not answer the phone call, the emergencyservices are alerted anyway
Alerting cars approaching the accident area are not considered
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 18 / 21
Modelling Assumptions
Simplifications
Airbag deployment is not considered
If the driver does not answer the phone call, the emergencyservices are alerted anyway
Alerting cars approaching the accident area are not considered
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 18 / 21
Modelling Assumptions
Each entity of interest is (assumed modelled as a STOKLAIM siteand is) provided with its physical address
Accident Assistance Server address: AccAssSrvPhone Server address: PhSrvEmergency Server address: EmSrvEach car has its own address
Each car uniquely identified by car identifier CarID ∈ CID, finiteAccident notification:storing (CarID, GPSData, SenData) @ AccAssSrvPhNr : CID → PhN;PhNr(carID) = carID driver’s mobile phone nr.Making a phone call: storing phone number to site PhSrvThe Accident Assistance Server alerts the Emergency Server byuploading the GPS data to site EmSrv
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 18 / 21
Modelling Assumptions
Each entity of interest is (assumed modelled as a STOKLAIM siteand is) provided with its physical address
Accident Assistance Server address: AccAssSrvPhone Server address: PhSrvEmergency Server address: EmSrvEach car has its own address
Each car uniquely identified by car identifier CarID ∈ CID, finiteAccident notification:storing (CarID, GPSData, SenData) @ AccAssSrvPhNr : CID → PhN;PhNr(carID) = carID driver’s mobile phone nr.Making a phone call: storing phone number to site PhSrvThe Accident Assistance Server alerts the Emergency Server byuploading the GPS data to site EmSrv
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 18 / 21
Modelling Assumptions
Each entity of interest is (assumed modelled as a STOKLAIM siteand is) provided with its physical address
Accident Assistance Server address: AccAssSrvPhone Server address: PhSrvEmergency Server address: EmSrvEach car has its own address
Each car uniquely identified by car identifier CarID ∈ CID, finiteAccident notification:storing (CarID, GPSData, SenData) @ AccAssSrvPhNr : CID → PhN;PhNr(carID) = carID driver’s mobile phone nr.Making a phone call: storing phone number to site PhSrvThe Accident Assistance Server alerts the Emergency Server byuploading the GPS data to site EmSrv
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 18 / 21
Modelling Assumptions
Each entity of interest is (assumed modelled as a STOKLAIM siteand is) provided with its physical address
Accident Assistance Server address: AccAssSrvPhone Server address: PhSrvEmergency Server address: EmSrvEach car has its own address
Each car uniquely identified by car identifier CarID ∈ CID, finiteAccident notification:storing (CarID, GPSData, SenData) @ AccAssSrvPhNr : CID → PhN;PhNr(carID) = carID driver’s mobile phone nr.Making a phone call: storing phone number to site PhSrvThe Accident Assistance Server alerts the Emergency Server byuploading the GPS data to site EmSrv
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 18 / 21
Modelling Assumptions
Each entity of interest is (assumed modelled as a STOKLAIM siteand is) provided with its physical address
Accident Assistance Server address: AccAssSrvPhone Server address: PhSrvEmergency Server address: EmSrvEach car has its own address
Each car uniquely identified by car identifier CarID ∈ CID, finiteAccident notification:storing (CarID, GPSData, SenData) @ AccAssSrvPhNr : CID → PhN;PhNr(carID) = carID driver’s mobile phone nr.Making a phone call: storing phone number to site PhSrvThe Accident Assistance Server alerts the Emergency Server byuploading the GPS data to site EmSrv
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 18 / 21
Modelling Assumptions
Each entity of interest is (assumed modelled as a STOKLAIM siteand is) provided with its physical address
Accident Assistance Server address: AccAssSrvPhone Server address: PhSrvEmergency Server address: EmSrvEach car has its own address
Each car uniquely identified by car identifier CarID ∈ CID, finiteAccident notification:storing (CarID, GPSData, SenData) @ AccAssSrvPhNr : CID → PhN;PhNr(carID) = carID driver’s mobile phone nr.Answering a phone call: removing phone number from site PhSrvThe Accident Assistance Server alerts the Emergency Server byuploading the GPS data to site EmSrv
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 18 / 21
Modelling Assumptions
Each entity of interest is (assumed modelled as a STOKLAIM siteand is) provided with its physical address
Accident Assistance Server address: AccAssSrvPhone Server address: PhSrvEmergency Server address: EmSrvEach car has its own address
Each car uniquely identified by car identifier CarID ∈ CID, finiteAccident notification:storing (CarID, GPSData, SenData) @ AccAssSrvPhNr : CID → PhN;PhNr(carID) = carID driver’s mobile phone nr.Answering a phone call: removing phone number from site PhSrvThe Accident Assistance Server alerts the Emergency Server byuploading the GPS data to site EmSrv
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 18 / 21
Performance Property
Response time
Guarantee acceptable timing for detecting anaccident that has seriously injured the driver as wellas for rescue alerting
First decompose the scenario’s requirements into simpler onesSubsequently make each of these more precise by
making time bounds explicit, using time-bounded until operatormaking statements realistic, using probabilistic operators
⇒ We now illustrate this process by applying it to one of the(sub-)requirements of the responsiveness requirement
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 19 / 21
Performance Property
Response time
Guarantee acceptable timing for detecting anaccident that has seriously injured the driver as wellas for rescue alerting
First decompose the scenario’s requirements into simpler onesSubsequently make each of these more precise by
making time bounds explicit, using time-bounded until operatormaking statements realistic, using probabilistic operators
⇒ We now illustrate this process by applying it to one of the(sub-)requirements of the responsiveness requirement
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 19 / 21
Performance Property
Response time
Guarantee acceptable timing for detecting anaccident that has seriously injured the driver as wellas for rescue alerting
First decompose the scenario’s requirements into simpler onesSubsequently make each of these more precise by
making time bounds explicit, using time-bounded until operatormaking statements realistic, using probabilistic operators
⇒ We now illustrate this process by applying it to one of the(sub-)requirements of the responsiveness requirement
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 19 / 21
Performance Property
Response time
Guarantee acceptable timing for detecting anaccident that has seriously injured the driver as wellas for rescue alerting
First decompose the scenario’s requirements into simpler onesSubsequently make each of these more precise by
making time bounds explicit, using time-bounded until operatormaking statements realistic, using probabilistic operators
⇒ We now illustrate this process by applying it to one of the(sub-)requirements of the responsiveness requirement
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 19 / 21
Performance Property
Response time
Guarantee acceptable timing for detecting anaccident that has seriously injured the driver as wellas for rescue alerting
First decompose the scenario’s requirements into simpler onesSubsequently make each of these more precise by
making time bounds explicit, using time-bounded until operatormaking statements realistic, using probabilistic operators
⇒ We now illustrate this process by applying it to one of the(sub-)requirements of the responsiveness requirement
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 19 / 21
Verifying Performance (Response Time)
Suppose it has been detected that an accident involving car caridhas taken place and that the driver is seriously injuredThen Accident Assistance Server is supposed to send, by meansof proper output action, an alert to the Emergency Service
Ideal requirementEmergency Service alerted within maximal time talert
MOSL property
P≥0.997(true >U<talert{AccAssSrv :O((carid ,gps),EmSrv)} true)
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 20 / 21
Verifying Performance (Response Time)
Suppose it has been detected that an accident involving car caridhas taken place and that the driver is seriously injuredThen Accident Assistance Server is supposed to send, by meansof proper output action, an alert to the Emergency Service
Ideal requirementEmergency Service alerted within maximal time talert
MOSL property
P≥0.997(true >U<talert{AccAssSrv :O((carid ,gps),EmSrv)} true)
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 20 / 21
Verifying Performance (Response Time)
Suppose it has been detected that an accident involving car caridhas taken place and that the driver is seriously injuredThen Accident Assistance Server is supposed to send, by meansof proper output action, an alert to the Emergency Service
Realistic requirementEmergency Service alerted within maximal timetalert in at least 99.7% of the cases
MOSL property
P≥0.997(true >U<talert{AccAssSrv :O((carid ,gps),EmSrv)} true)
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 20 / 21
Verifying Performance (Response Time)
Suppose it has been detected that an accident involving car caridhas taken place and that the driver is seriously injuredThen Accident Assistance Server is supposed to send, by meansof proper output action, an alert to the Emergency Service
Realistic requirementEmergency Service alerted within maximal timetalert in at least 99.7% of the cases
MOSL property
P≥0.997(true >U<talert{AccAssSrv :O((carid ,gps),EmSrv)} true)
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 20 / 21
Future Work
Relax modelling assumptions made w.r.t. requirements models
Verify more complex scenarios (drivers competing for tow trucks)
Quantitative analysis of on road assistance scenario (via MOSL?)
Perform quantitative analysis of accident assistance scenario
Integrate model checker for SOCL into the SENSORIA CASE tool
Collect your contributions for D8.6 through the SENSORIA website!
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 21 / 21
Future Work
Relax modelling assumptions made w.r.t. requirements models
Verify more complex scenarios (drivers competing for tow trucks)
Quantitative analysis of on road assistance scenario (via MOSL?)
Perform quantitative analysis of accident assistance scenario
Integrate model checker for SOCL into the SENSORIA CASE tool
Collect your contributions for D8.6 through the SENSORIA website!
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 21 / 21
Future Work
Relax modelling assumptions made w.r.t. requirements models
Verify more complex scenarios (drivers competing for tow trucks)
Quantitative analysis of on road assistance scenario (via MOSL?)
Perform quantitative analysis of accident assistance scenario
Integrate model checker for SOCL into the SENSORIA CASE tool
Collect your contributions for D8.6 through the SENSORIA website!
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 21 / 21
Future Work
Relax modelling assumptions made w.r.t. requirements models
Verify more complex scenarios (drivers competing for tow trucks)
Quantitative analysis of on road assistance scenario (via MOSL?)
Perform quantitative analysis of accident assistance scenario
Integrate model checker for SOCL into the SENSORIA CASE tool
Collect your contributions for D8.6 through the SENSORIA website!
M.H. ter Beek (ISTI-CNR) A preview of D8.6 Thursday 13 March 2008 21 / 21
top related