Post on 25-Feb-2016

Kim G. Larsen

Peter Bulychev, Alexandre David, Dehui Du, Axel Legay, Guangyuan Li, Marius Mikucionis, Danny B. Poulsen, Amalie Stainer, Zheng Wang

Statistical Model Checking, Refinement Checking, Optimization, .. for Stochastic Hybrid Systems

FORMATS, Sep 2012

IDEA4CPS Foundations for CPS

Inst. of Software Chinese Academy of Sciences, Beijing, China

Technical University of Denmark, Lyngby, Denmark

East China Normal University, Shanghai, China

Aalborg University, Denmark

Cyber-Physical Systems

Complex systems that tightly integrate multiple, networked computing elements (hardware and software) with non-computing physical elements such as electrical or mechanical components.

Smart X

Hybrid Systems

Trustworthiness (TCPS) .. by which we mean CPS on which reliance can justifiably be placed.

(wiki) .. of a component is .. defined by how well it secures a set of functional and non-functional properties, deriving from its architecture, construction, and environment, and evaluated as appropriate.

Probabilities

Confidence

Current State

Stochastic Hybrid Systems

Probabilistic Temporal Logic

Statistical Model Checking

Overview

• Stochastic Hybrid Systems
• Weighted Metric Interval Temporal Logic
• UPPAAL SMC (Demo)
• Energy Aware Buildings
• SMC and Refinement Checking
• SMC and Optimization
• Conclusion

Stochastic Hybrid Systems

A Bouncing Ball

simulate 5 [<=20] {p}

Pr[<=20](<>(time >=12 && p >= 4))

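Hybrid Automata

$H = (L, l_0, \Sigma, X, E, F, Inv)$ where

• $L$ set of locations
• $l_0$ initial location
• $\Sigma = \Sigma_i \cup \Sigma_o$ set of actions
• $X$ set of continuous variables, valuation $\nu : X \to \mathbb{R}$ ($= \mathbb{R}^X$)
• $E$ set of edges $(l, g, a, \varphi, l')$ with $g \subseteq \mathbb{R}^X$ and $\varphi \subseteq \mathbb{R}^X \times \mathbb{R}^X$ and $a \in \Sigma$
• For each $l$ a delay function $F(l) : \mathbb{R}_{>0} \times \mathbb{R}^X \to \mathbb{R}^X$
• For each $l$ an invariant $Inv(l) \subseteq \mathbb{R}^X$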

Hybrid Automata

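Semantics

States: $(l, \nu)$ where $\nu \in \mathbb{R}^X$

Transitions:

• $(l, \nu) \xrightarrow{d} (l, \nu')$ where $\nu' = F(l)(d)(\nu)$ provided $\nu' \in Inv(l)$
• $(l, \nu) \xrightarrow{a} (l', \nu')$ if there exists $(l, g, a, \varphi, l') \in E$ with $\nu \in g$ and $(\nu, \nu') \in \varphi$ and $\nu' \in Inv(l')$

$(p = 10, v = 0) \xrightarrow{d} (p = 10 - 9.81/2\, d^2, v = -9.81 d)$

$\xrightarrow{bounce!} (p = 0, v = 14.02 \cdot 0.83)$ at $d = 1.43$

$\xrightarrow{d} (p = 6.92, v = 0)$ at $d = 1.18$

$\xrightarrow{d} (p = 0, v = 11.51)$ at $d = 1.18$

$\xrightarrow{bounce!} \cdots$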

Stochastic Hybrid Automata

Stochastic Semantics

For each state $s = (l, \nu)$:

• Delay density function* $\mu_s : \mathbb{R}_{>0} \to \mathbb{R}$
• Output probability function $\gamma_s : \Sigma_o \to [0,1]$
• Next-state density function* $\eta^a_s : St \to \mathbb{R}$ where $a \in \Sigma$

* Dirac's delta functions for deterministic delays / next state

$(p = 10, v = 0) \xrightarrow{d} (p = 10 - 9.81/2\, d^2, v = -9.81 d) \xrightarrow{bounce!} (p = 0, v = 14.02 \cdot 0.83)$ at $d = 1.43$

$P[hit!] = \int_{t=0}^{t=1.43} 2.5 e^{-2.5t}\, dt = \left[ -e^{-2.5t} \right]_{0}^{1.43} = 0.97$

UPPAAL

• Uniform distributions (bounded delay)
• Exponential distributions (unbounded delay)
• Syntax for discrete probabilistic choice
• Distribution on next state by use of random
• Hybrid flow by use of ODEs

Networks

• Repeated races between components for outputting

Stochastic Semantics NTAs

Composition = Race between components for outputting

Pr[c<=C](<> T.T3) ?

Pr[time<=2](<> T.T3) ?

Pr[time<=T](<> T.T3) ?

Stochastic Semantics of NHAs

Assumptions: Component SHAs are:

• Input enabled
• Deterministic
• Disjoint set of output actions

$\pi(s, a_1 a_2 \ldots a_n)$: the set of maximal runs from $s$ with a prefix $t_1 a_1 t_2 a_2 \ldots t_n a_n$ for some $t_1, \ldots, t_n \in \mathbb{R}$.

Metric Interval Temporal Logic

MITL≤ syntax:

ϕ ::= σ | ¬ϕ | ϕ1 ∧ ϕ2 | Oϕ | ϕ1 U≤d ϕ2

where d ∈ ℕ is a natural number.

MITL≤ semantics [ r = (a1,t1)(a2,t2)(a3,t3) … ]:

• r ⊨ σ if a1 = σ
• r ⊨ ¬ϕ if r ⊭ ϕ
• r ⊨ ϕ1 ∧ ϕ2 if r ⊨ ϕ1 and r ⊨ ϕ2
• r ⊨ Oϕ if (a2,t2)(a3,t3)… ⊨ ϕ
• r ⊨ ϕ1 U≤d ϕ2 if ∃ i. (ai,ti)(ai+1,ti+1)… ⊨ ϕ2 with t1 + t2 + … + ti ≤ d and (aj,tj)(aj+1,tj+1)… ⊨ ϕ1 for j < i

Logical Properties – WMITL

MODEL M

$\varphi =$

$Pr_M(\varphi) = ??$

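Statistical Model Checking [FORMATS11, RV12]

[Diagram: $M$, $\varphi$, $\Diamond_{<T}\, p$, Generator, Validator, Core Algorithm, Inconclusive]

$\theta, \epsilon$: $Pr_M(\varphi) \in [a - \epsilon, a + \epsilon]$ with confidence $\theta$

$p, \alpha$: $Pr_M(\varphi) \geq p$ at significance level $\alpha$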
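The two outputs of the SMC diagram above (an estimate with a confidence, and a test of Pr ≥ p at a significance level), as an added Python example that is not code from the slides or from UPPAAL SMC. It samples the P[hit!] race from the bouncing-ball slide (exponential delay with rate 2.5 against the bounce at d = 1.43); the Chernoff-Hoeffding sample size, Wald's sequential test, the indifference width and all function names are assumptions of this example.

```python
import math
import random

RATE = 2.5       # rate of the exponential delay before hit! (from the slides)
T_BOUNCE = 1.43  # delay after which the ball dropped from p=10 bounces (from the slides)

def run_satisfies(rng):
    """One sampled run: hit! is output before the ball reaches the floor."""
    return rng.expovariate(RATE) <= T_BOUNCE

def chernoff_runs(eps, theta):
    """Runs needed so the estimate is within eps of Pr with confidence theta."""
    return math.ceil(math.log(2.0 / (1.0 - theta)) / (2.0 * eps * eps))

def estimate(eps, theta, seed=0):
    """Quantitative SMC: returns (a, n), Pr in [a-eps, a+eps] with confidence theta."""
    rng = random.Random(seed)
    n = chernoff_runs(eps, theta)
    return sum(run_satisfies(rng) for _ in range(n)) / n, n

def sprt(p, alpha, indiff=0.01, seed=0, max_runs=1_000_000):
    """Qualitative SMC with Wald's SPRT: H0: Pr >= p+indiff against H1: Pr <= p-indiff.

    alpha bounds both error probabilities; requires 0 < p-indiff and p+indiff < 1.
    """
    p0, p1 = p + indiff, p - indiff
    upper = math.log((1 - alpha) / alpha)  # accept H1 at or above this
    lower = math.log(alpha / (1 - alpha))  # accept H0 at or below this
    rng = random.Random(seed)
    llr = 0.0  # log likelihood ratio of H1 against H0
    for n in range(1, max_runs + 1):
        if run_satisfies(rng):
            llr += math.log(p1 / p0)
        else:
            llr += math.log((1 - p1) / (1 - p0))
        if llr >= upper:
            return "Pr < p", n
        if llr <= lower:
            return "Pr >= p", n
    return "inconclusive", max_runs

if __name__ == "__main__":
    exact = 1.0 - math.exp(-RATE * T_BOUNCE)  # closed form from the slides, about 0.97
    print(exact, estimate(0.01, 0.95), sprt(0.9, 0.05))
```

The sequential test stops after far fewer runs than the fixed-size estimate when the true probability is well away from p, which is the reason to offer both modes.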

Logical Properties – WMITL

MODEL M, OBSERVER (det)

$\varphi =$

95% confidence interval: [0.215,0.225]

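Statistical Model Checking [LPAR2012]

[Diagram: $M$, $\varphi$, CASAAL, $O_\varphi$, $U_\varphi$, $A_\varphi$, $\Diamond\, acc$, $M \mid O_\varphi$, $M \mid U_\varphi$, Generator, Validator, Core Algorithm, Inconclusive]

$\theta, \epsilon$: $Pr_M(\varphi) \in [a - \epsilon, a + \epsilon]$ with confidence $\theta$

$p, \alpha$: $Pr_M(\varphi) \geq p$ at significance level $\alpha$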

Experiments

How exact is the O/U?

• 1000 random formulas
• 2, 3, 4 actions
• 15 connectives

New exact method for full MITL[a,b] using rewriting [RV12]

Energy Aware Buildings

Fehnker, Ivancic. Benchmarks for Hybrid Systems Verification. HSCC04

With Alexandre David, Dehui Du, Marius Mikucionis, Arne Skou

Stochastic Hybrid Systems

[Figure: Room 1, Room 2, Heater, on/off]

simulate 1 [<=100]{Temp(0).T, Temp(1).T}

simulate 10 [<=100]{Temp(0).T, Temp(1).T}

Pr[<=100](<> Temp(0).T >= 10)

Pr[<=100](<> Temp(1).T<=5 and time>30) >= 0.2

Framework

Design Space Exploration

Rooms & Heaters – MODELS

Control Strategies – MODELS

Temperature Threshold Strategies

Weather & User Profile – MODELS

Results – Simulations

simulate 1 [<=2*day] { T[1], T[2], T[3], T[4], T[5] }

simulate 1 [<=2*day] { Heater(1).r, Heater(2).r, Heater(3).r }

Results – Discomfort

Pr[<=2*day](<> time>0 && Monitor.Discomfort)

Results – Comfort

Pr[comfort<=2*day] (<> time>=2*day)

Results – Energy

Pr[Monitor.energy<=1000000](<> time>=2*day)

Result – User Profile

Pr[Monitor.energy<=1000000](<> time>=2*day)

Refinement

Controller Synthesis

const int Tenv=7;
const int k=2;
const int H=20;
const int TB[4]= {12, 18, 25, 28};

[Figure: Room, Heater, on/off, ??; levels critical low, low, normal, high, critical high; thresholds 12, 18, 25, 28]

Unfolding

[Figure: levels critical low, low, normal, high, critical high; thresholds 12, 18, 25, 28]

Timing

[Figure: levels critical low, low, normal, high, critical high; thresholds 12, 18, 25, 28]

TA Abstraction

const int uL[3]={3,5,2};
const int uU[3]={4,6,3};
const int dL[3]={3,9,15};
const int dU[3]={4,10,16};

Validation by Simulation

Validation by Simulation

const int uL[3]={3,8,2};
const int uU[3]={4,9,3};
const int dL[3]={3,9,15};
const int dU[3]={4,10,16};

Optimization

WATA, Dresden, May 30, 2012

Time Bounded L-problem [Qest12]

simulate 1 [time<=5] {C, x, y}

Problem: Determine schedule that maximizes time until out of energy

Time Bounded L-problem [Qest12]

Pr[time<=30] (<> C<0 )

TEST

Time Bounded L-problem [Qest12]

simulate 10000 [time<=10] {C,x,y}: 1 : time>=7 && Test.GOOD

Pr [time<=10] (<> time>=7 && Test.GOOD)

Can we do better?

RESTART Method

Meta Modeling

RESTART Approach

Meta Modeling

Direct Approach

Meta Analysis

Direct Approach

RESTART Approach

Meta Analysis

Meta Analysis

Other Case Studies

• FIREWIRE
• BLUETOOTH
• 10 node LMAC
• ROBOT
• Energy Aware Buildings
• Genetic Oscillator (HBS)
• Schedulability Analysis for Mix Cr Sys
• Passenger Seating in Aircraft

Contribution & More

• Natural stochastic semantics of networks of stochastic hybrid systems.
• Efficient implementation of SMC algorithms:
  • Estimation of
  • Sequential testing $\geq p$
  • Sequential probability comparison $\geq$
  • Parameterized comparison
• Distributed Implementation of SMC!

Thank You !
