uppaal smc: statistical model checking for stochastic hybrid systems af marius mikučionis, ciss/aau

UPPAAL SMC:Statistical Model Checking

for Stochastic Hybrid Systems

Alexandre DavidDehui Du

Kim G. LarsenAxel Legay

Marius MikucionisDanny Bøgsted Poulsen

Sean SedwardsArne Skou

Outline

• Overview of UPPAAL flavors• Modeling language• Model-checking technology• Properties and results• Some case studies

2

UPPAAL/SMCAbstract Model Query

UPPAAL TIGA

SystemImplementation

Engineering Processes

UPPAAL/SMC QueryDetailed Model

UPPAAL ECDAR

UPPAAL TRON

3

propertysatisfyDoes ?

UPPAAL flavors• “Classical” UPPAAL – model-checking:

– M ⊨ φ ⇒ true/false, counterexample trace• UPPAAL SMC – statistical model-checking:

– M Pr⊨ t≤T φ ⇒ probability estimate, distribution

• UPPAAL TIGA – controller synthesis: – S(P C) ∥ ⊨ φ ⇒ control strategy: state → action

• UPPAAL ECDAR – refinement checking: – C ≤ A ⇒ true/false, counterexample trace

• UPPAAL TRON – conformance testing: – T(IUT) T(M) ⊆ ⇒ pass/fail/inconc., diagnostics

4

UPPAAL-SMC – Architecture

Graphical Interface

Editor

Simulator

Verifier

Plot composer

Stochastic EngineHypothesis

TestingProbability Evaluation

Probability Comparison

Simulation Engine

Dataprocessing

engineCompiler

Virtual Machine

ExecutionEngine

Server

5

Stochastic Semantics of UPPAAL TAUniform Distribution

6

Stochastic Semantics of UPPAAL TAExponential Distribution

Input enabledbroadcast channels

Composition =Repeated races between components

7

Statistical Model-Checking

1. Generate random runs– According to a stochastic semantics

2. Monitor the runs accept/reject– LTL/MITL formula, monitor

3. Use statistical methods to derive results– Guaranteed with specified confidence– Probabilities, distributions, hypothesis testing

8

Queries: Syntax• Hypothesis testingPr[<=100](<> expr)>=0.1x<=100 #<=50 [] expr <=0.5

• EvaluationPr[<=100](<> expr)

• ComparisonPr[<=20](<> e1)>=Pr[<=20](<> e2)

• Expected valueE[<=10;1000](min: expr)Explicit number of runs. Min or max.

• Simulationssimulate 10 [<=100]{expr1,expr2}

9

Queries: Syntax• Hypothesis testingPr[<=100](<> expr)>=0.1x<=100 #<=50 [] expr <=0.5

• EvaluationPr[<=100](<> expr)

• ComparisonPr[<=20](<> e1)>=Pr[<=20](<> e2)

• Expected valueE[<=10;1000](min: expr)Explicit number of runs. Min or max.

• Simulationssimulate 10 [<=100]{expr1,expr2}

10

Queries in UPPAAL SMC

11

Pr[ <= 200](<> Train(5).Cross)

++precision

Queries: Syntax• Hypothesis testingPr[<=100](<> expr)>=0.1x<=100 #<=50 [] expr <=0.5

• EvaluationPr[<=100](<> expr)

• ComparisonPr[<=20](<> e1) >= Pr[<=20](<> e2)

• Expected valueE[<=10;1000](min: expr)Explicit number of runs. Min or max.

• Simulationssimulate 10 [<=100]{expr1,expr2}

12

Distribution for Comparisons

13

Queries: Syntax

• Hypothesis testingPr[<=100](<> expr)>=0.1x<=100 #<=50 [] expr <=0.5

• EvaluationPr[<=100](<> expr)

• ComparisonPr[<=20](<> e1)>=Pr[<=20](<> e2)

• Expected valueE[<=10;1000](min: expr)Explicit number of runs. Min or max.

• Simulationssimulate 10 [<=100]{expr1,expr2}

14

Queries in UPPAAL SMC

15

simulate 1 [<=100]{ Gate.len }

simulate 10 [<=100]{ Gate.len }

Pr[<=100](<> t > 5 && Gate.len < 3) [0.58,0.69]

Pr[<=100](<> t > 14 && Gate.len < 3) [0.08,0.19]

17

SMC in UPPAAL• Stochastic hybrid automata

– Clocks may have different slopes in different locations, integer/float or expressions involving clocks ODEs.

– Branching edges with discrete probabilities (weights).– Beyond DTMC, beyond CTMC.

• All features of UPPAAL supported– User defined functions and types– Expressions in guards, invariants, clock-rates, delay-

rates (rationals), and weights.• New GUI for plot-composing and exporting.

Invariants:x’==0 && y’==function() &&z’==2*x+cos(y)

SMC in UPPAAL• Stochastic hybrid automata

– Clocks may have different slopes in different locations, integer/float or expressions involving clocks ODEs.

– Branching edges with discrete probabilities (weights).– Beyond DTMC, beyond CTMC.

• All features of UPPAAL supported– User defined functions and types– Expressions in guards, invariants, clock-rates, delay-

rates (rationals), and weights.• New GUI for plot-composing and exporting.

18

19

SMC in UPPAAL• Stochastic hybrid automata

– Clocks may have different slopes in different locations, integer/float or expressions involving clocks ODEs.

– Branching edges with discrete probabilities (weights).– Beyond DTMC, beyond CTMC.

• All features of UPPAAL supported– User defined functions and types– Expressions in guards, invariants, clock-rates, delay-

rates (rationals), and weights.• New GUI for plot-composing and exporting.

20

SMC in UPPAAL• Stochastic hybrid automata

– Clocks may have different slopes in different locations, integer/float or expressions involving clocks ODEs.

– Branching edges with discrete probabilities (weights).– Beyond DTMC, beyond CTMC.

• All features of UPPAAL supported– User defined functions and types– Expressions in guards, invariants, clock-rates, delay-

rates (rationals), and weights.• New GUI for plot-composing and exporting.

Estimating Energy Consumption

21

ListeningIdle

ReceivingSending

1 1

x==L

x=0x==2

1:10 x<=L

x<=S

x=0

x<=2

x=0

energy1' == (sum(i:id_t) power1[i])&&energy2' == sum(i:id_t) power2[i]

MonitorMinimum, maximum, average: 125.762, 327.947, 226.452.Probability sums: 1 displayed, 0 remaining.Runs: 738 in total, 738 displayed, 0 remaining.

averagedensity

energy1

pro

babili

ty d

ensi

ty

0

0.002

0.004

0.006

0.008

0.010

125 158 191 224 257 290 323

Probability Density Distribution

Pr[energy1<=1000](<> time==100)

ListeningIdle

ReceivingSending

x<=L

11

x==L

power=2power=4

x==2

1:10

x<=2

x=0,power=1

x=0

x<=S

power=0

x=0,power=4

A Biological Oscillator • Circadian rhythm oscillator.

N. Barkai and S. Leibler. Biological rhythms: Circadian clocks limited by noise. Nature, 403:267–268, 2000

• Two ways to model:1. Stochastic model that follow the reactions.2. Dynamical model solving the ODEs.

• Analysis:– Evaluate time between peaks.– The continuous model is the limit behavior of the

stochastic model.– Use frequency analysis for comparison. 22

Stochastic Model

23

Continuous Model

24

Results of Simulations

25

Time Between Peaks

• MITL formula for peak:true U[<=1000] (A>1100 &

true U[<=5] A<=1000).• Generate monitors.• Run SMC.

27

1100

10005

Energy Aware Buildings

• Rooms to be heated.– Only one heater available.– Matrix of coefficients for heat transfer between

rooms.

– Local and central controllers– Environment temperature weather model.– User profiles

28

31

Other Case Studies

FIREWIRE BLUETOOTH

LMAC for Wireless Sensor Networks Herschel-Planck Satellite schedulability analysis

Conclusions• Symbolic MC proves hard properties: true/false• Statistical MC measures performance: Pr over time/cost• SMC ingredients:

– Stochastic modeling extensions– Compatible stochastic semantics– Support for dynamical equations– Statistical methods for confidence intervals

• Case-studies:– Biology.– Communication protocols.– Temperature controllers.– Disproving schedulability

Extend the application domains of MC/SMC. 32