statistical model checking for distributed probabilistic ...aplatzer/pub/bayesmc-grid-slides.pdfj....

Statistical Model Checking for DistributedProbabilistic-Control Hybrid Automata with Smart Grid

Applications

Joao Martins1,2 Andre Platzer1 Joao Leite2

1Computer Science Department,Carnegie Mellon University, Pittsburgh PA

2CENTRIA and Departamento de Informatica,FCT, Universidade Nova de Lisboa

13th International Conference on Formal Engineering Methods

J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 1 / 51

Introduction

Summary

1 IntroductionThe Power GridThe Smart GridModel for the Smart Grid

2 ModelDiscrete-Time Hybrid AutomataDistributed Probabilistic-Control Hybrid Automata

3 VerificationSpecifying propertiesStatistical Model Checking

4 Case Study: network properties

5 Conclusions


Introduction The Power Grid

The Grid is a hierarchical “graph” with sources and sinks

Image from the TCIPG Education applet


Introduction The Power Grid

! "

!"#$%&#''(%")&*+)',-./'0%-&#!#$%&'$!()*+,!-.$!'$,'$))*&+!/&0$12!3$!4'$5-$0!)$6$'51!71&-)!&%!-.$!'53!$1$4-'*4!1&50!05-5!-&!,5*+!5!7'$1*/*+5'8!(+0$')-5+0*+,!&%!.&3!9581*,.-!:56*+,)!;*/$!5%%$4-$0!$1$4-'*4*-8!()5,$!%'&/!<==>!-&!<==?@!A.*1$!/5+8!%54-&')!B$)*0$)!9:;!4&+-'*B(-$!-&!-.$!5/&(+-!&%!$1$4-'*4*-8!4&+)(/$02!-.$!71&-)!0*0!'$6$51!4$'-5*+!-'$+0)!-.5-!0*)-*+,(*).$0!:-5+05'0!;*/$!058)!%'&/!9:;!058)@!!C&50!05-5!%&'!$54.!&%!-.$!<>!.&(')!3$'$!56$'5,$0!&6$'!$54.!&%!-.$!D<!/&+-.)2!5+0!-.$!/&+-.18!56$'5,$)!%&'!-.$!0*%%$'$+-!8$5')!3$'$!4&/75'$02!5)!)$$+!*+!-.$!71&-)!&%!E5+(5'8!5+0!F58!*+!G*,('$!D@!!!

!!

G*,('$!DH!I&('18!1&50!71&-)!%&'!E5+(5'8!J+&!9:;!&B)$'6$0K!5+0!F58!J9:;!&B)$'6$0!*+!<=="!5+0!<==?K!!!

Power consumption follows well-known patterns

Image from The Impact of Daylight Savings Time on Electricity Consumption in Indiana, J. Basconi, J. Kantor


Introduction The Smart Grid

Smart Meters + Smart Appliances

The Grid predicts load, becomes more stable, cost-effective,energy-efficient, secure, resilient



Even today, utilities deploy networks that transmit several thousands ofbits... per day.

Is reliability the most significant factor for the Grid?

How about bandwidth? RTT?

Deployment and testing of technologies is extremely expensive.



Answer: formal verification

Test, evaluate and tweak technologies - then deploy.


Introduction Model for the Smart Grid

Model

What are the properties of the Smart Grid?

It’s a cyber-physical system

It’s a distributed system

It is a stochastic system

Plan:

1 Develop hybrid, distributed and probabilistic model

2 Develop logic for stating properties

3 Verify properties using existing statistical model-checking techniques


Model

Summary





5 Conclusions


Model Discrete-Time Hybrid Automata

DTHA [12]: Washing machine

Standby

Fill up

T ′c = 1,w ′ = 1

T ′c = 0.8,w ′ = 0.8

Flush

T ′c = 0,w ′ = −2

T ′c = 0,w ′ = −2

working=1

working=1

working=

0

working=0

Tc is total water consumed, w is water currently in the machine



Washing machine

Standby

Fill up

T ′c = 1,w ′ = 1

T ′c = 0.8,w ′ = 0.8

Flush

T ′c = 0,w ′ = −2

T ′c = 0,w ′ = −2

working=1

working=1

working=

0

working=0

Control graph 〈Q,E 〉



Washing machine

Standby

Fill up

T ′c = 1,w ′ = 1

T ′c = 0.8,w ′ = 0.8

Flush

T ′c = 0,w ′ = −2

T ′c = 0,w ′ = −2

working=1

working=1

working=

0

working=0

Jump relation jumpe : Rn × Rn



Washing machine

Standby

Fill up

T ′c = 1,w ′ = 1

T ′c = 0.8,w ′ = 0.8

Flush

T ′c = 0,w ′ = −2

T ′c = 0,w ′ = −2

working=1

working=1

working=

0

working=0

Flows ϕq : R≥0 × Rd → Rd



Washing machine: scheduler

•

Standby

Fill up

T ′c = 1,w ′ = 1

T ′c = 0.8,w ′ = 0.8

Flush

T ′c = 0,w ′ = −2

T ′c = 0,w ′ = −2

working=1

working=2

working=

0

working=0

w = 0working = 0

w = 0working = 2

w = 0working = 1

working = 1

working = 2




Standby

Fill up

T ′c = 1,w ′ = 1

•

T ′c = 0.8,w ′ = 0.8

Flush

T ′c = 0,w ′ = −2

T ′c = 0,w ′ = −2

working=1

working=2

working=

0

working=0

w = 0working = 0

w = 0working = 2

w = 0working = 1

working = 1

working = 2




Standby

Fill up

T ′c = 1,w ′ = 1

•

T ′c = 0.8,w ′ = 0.8

Flush

T ′c = 0,w ′ = −2

T ′c = 0,w ′ = −2

working=1

working=2

working=

0

working=0

w = 0working = 0

w = 0working = 2

w = 1.6working = 2

w = 0working = 1

working = 1

working = 2

t = 2



Washing machine: probabilistic scheduler

•

Standby

Fill up

T ′c = 1,w ′ = 1

T ′c = 0.8,w ′ = 0.8

Flush

T ′c = 0,w ′ = −2

T ′c = 0,w ′ = −2

working=1

working=2

working = 0

working = 0

w = 0working = 0

w = 0working = 2

w = 0working = 1

p = 0.5

p = 0.3


Model Distributed Probabilistic-Control Hybrid Automata

Multiple washing machines?

What if they leave?



Actions

Washing machines behave like Petri Net markings.

jmp new[N] die

jumpe create new entity makes entity disappeargiven by N



Actions

They can also communicate asynchronously.

recv[l ][R] snd[l ][T ]

Channel l , reacts with R Channel l , message content T



Example: apartment laundry

Washing machines first initialise, then wait for authorisation to startworking

··

Normal(5, εc )

init

Normal(δ, εc )

standby

·

recv[cauth][auth] working=1

working=0snd[cterm][term]die

They announce when they finish, and exit the system.



Example: apartment laundry

The central unit keeps track of working machines, and starts and enablesthem

Normal(mean(t), stdev(t)) ··new[wm]

snd[cauth][account]

recv[cterm][updterm]


Verification

Summary





5 Conclusions


Verification Specifying properties

Bounded LTL cannot deal with changing number of variables.

Definition (Syntax of QBLTL)

Formulae of QBLTL are given by the following grammar, with∗ ∈ {+,−,÷,×, } and ∼ ∈ {≤,≥,=}:θ ::= c | θ1 ∗ θ2 | πi (e) |

∃

(e) | ag[e](θ), with i ∈ N, c ∈ Qφ ::=

∃

(e) | θ1 ∼ θ2 | φ1 ∨ φ2 | ¬φ1 | φ1 Utφ2 | ∃e.φ1






∃

(e) | ag[e](θ), with i ∈ N, c ∈ Qφ ::=

∃

(e) | θ1 ∼ θ2 | φ1 ∨ φ2 | ¬φ1 | φ1 Utφ2 | ∃e.φ1






∃(e) | ag[e](θ), with i ∈ N, c ∈ Q

φ ::=

∃(e) | θ1 ∼ θ2 | φ1 ∨ φ2 | ¬φ1 | φ1 Utφ2 | ∃e.φ1

Lemma

QBLTL (like BLTL) has bounded simulation traces.


Verification Statistical Model Checking

Why Statistical Model Checking?

Estimates probabilities of properties holding (they will never holdalways)

Very efficient

Model is very hard to analyse (dynamic, unbounded number ofentities, asynchronous messages, etc)

Plug’n’play, e.g. black-box model

Successfully used in many applications (cf. Edmund Clarke’s work)



Statistical Model Checking: Hypothesis Testing [12]

n = 0, s = 0

σ = sample from An = n + 1if (σ |= ϕ)

s = s + 1B = BayesFactor(n, s)

return H0 : p ≥ θ return H1 : p < θ

B > T B < 1T

T > B > 1T



Statistical Model Checking

B =P(d |H0)

P(d |H1)

A large Bayes Factor B is evidence for H0 : p > θ.A small Bayes Factor B is evidence for H1 : p ≤ θ.

Theorem (Error bounds for Hypothesis Testing [12])

For any discrete random variable and prior, the probability of a Type I-IIerror for the Bayesian hypothesis testing algorithm 2 is bounded above by1T , where T is the Bayes Factor threshold given as input.

A more sophisticated Interval Estimation Algorithm estimates p.


Case Study: network properties

Summary





5 Conclusions



Even today, utilities deploy networks that transmit several thousands ofbits per day (low bandwidth).

Can we evaluate the impact of network reliability?


Power Controller

•

Normal(5, 1)

snd[go ][Go ]p = 0.4

recv[cf ][Ci ]p = 0

recv[tg ][Gi ]p = 0

Consumer

·····

Normal(5, 3)

snd[cf ][Co ]p = 0.5

Graveyard

••die

p = 1

snd[tgr ][I ]p = 0

Generator

•

Normal(5, 3)

recv[rg ][Rg ]p = 0.8

snd[tg ][Tg ]p = 0.1

Consumer Controller

•

Normal(5, 1)

new[N]p = 0.1

recv[tgr ][Cd ]p = 0.7

Probabilistic core of the system. Creates classes of consumers.

Power Controller

•

Normal(5, 1)


recv[cf ][Ci ]p = 0

recv[tg ][Gi ]p = 0

Consumer

·····

Normal(5, 3)


Graveyard

••die

p = 1

snd[tgr ][I ]p = 0

Generator

•

Normal(5, 3)



Consumer Controller

•

Normal(5, 1)

new[N]p = 0.1


Creates classes of consumers. Keeps track of them.

Power Controller

•

Normal(5, 1)


recv[cf ][Ci ]p = 0

recv[tg ][Gi ]p = 0

Consumer

·····

Normal(5, 3)


Graveyard

••die

p = 1

snd[tgr ][I ]p = 0

Generator

•

Normal(5, 3)



Consumer Controller

•

Normal(5, 1)

new[N]p = 0.1


Consumers feedback consumption. They announce death and exit.

Power Controller

•

Normal(5, 1)


recv[cf ][Ci ]p = 0

recv[tg ][Gi ]p = 0

Consumer

·····

Normal(5, 3)


Graveyard

••die

p = 1

snd[tgr ][I ]p = 0

Generator

•

Normal(5, 3)



Consumer Controller

•

Normal(5, 1)

new[N]p = 0.1


The generator receives control messages and sends output info.

Power Controller

•

Normal(5, 1)


recv[cf ][Ci ]p = 0

recv[tg ][Gi ]p = 0

Consumer

·····

Normal(5, 3)


Graveyard

••die

p = 1

snd[tgr ][I ]p = 0

Generator

•

Normal(5, 3)



Consumer Controller

•

Normal(5, 1)

new[N]p = 0.1


The power controller ties it all together.

Power Controller

•

Normal(5, 1)


recv[cf ][Ci ]p = 0

recv[tg ][Gi ]p = 0

Consumer

·····

Normal(5, 3)


Graveyard

••die

p = 1

snd[tgr ][I ]p = 0

Generator

•

Normal(5, 3)



Consumer Controller

•

Normal(5, 1)

new[N]p = 0.1


Messages get sent periodically.


Smart Grid

Power consumption # Elems * 100 Estimated Consumption Actual energy output

0 1 2 3 4 5 6 7 8 9 1 0 1 1 1 2 1 3 1 4 1 5 1 6 1 7 1 8 1 9 2 0 2 1 2 2 2 3 2 4 2 5

Time (hours)

0

250

500

750

1,000

1,250

1,500

1,750

2,000

Ele

ctri

city

Figure: Sample run from the modelled system.



Properties

Property (1): the output of the generator is always within 400 units ofenergy of actual demand

G1440|∑

[e](Gen(e) ·πoutput(e))−∑

[e](Cons(e) ·πconsumption(e))| < 400

Property (2): the PC’s estimate of power consumption is not too farfrom the truth.

G1440|∑

[e](Gen(e) · πoutput(e))−

−∑

[e](PC (e) · (π0(e) + ...+ π19(e)))| < 250

We estimate that Property (1) is harder than (2).


Results: probability of satisfying properties

0

0.2

0.4

0.6

0.8

1

1.2

1 0.99 0.98 0.97 0.95 0.9

Es#mated

proba

bility of prope

rty ho

lding

Probability of message delivery

(1) max

(1) min

(2) min

(2) max

Results: number of traces required

0

200

400

600

800

1000

1200

1400

1600

0.97 0.93 0.88 0.84 0.68 0.18

# of to

tal sam

ples

Probability of property holding

Property 1

Property 2


Case Study Conclusion

The algorithm is efficient (# of traces required)

Reliability becomes a major concern only below a certain threshold

Utilities can easily visualise the cost/benefit relation

Once the model has been implemented, it can be tweaked andretested quickly


Conclusions

Summary





5 Conclusions


Conclusions

Contributions

Developed a formal model for distributed, probabilistic cyber-physicalsystems

Extended BLTL to QBLTL

Ensured SMC could be applied

Implemented the above in a Java library

Studied network reliability in a simplified Smart Grid model

Quickly revealed important relations in a non-trivial system


Conclusions

Edmund M. Clarke, Alexandre Donze, and Axel Legay.Statistical model checking of mixed-analog circuits with an application to a third orderdelta-sigma modulator.In Haifa Verification Conference, pages 149–163, 2008.

Edmund M. Clarke, Alexandre Donze, and Axel Legay.On simulation-based probabilistic model checking of mixed-analog circuits.Formal Methods in System Design, 36(2):97–113, 2010.

Edmund M. Clarke, E. Allen Emerson, and A. Prasad Sistla.Automatic verification of finite-state concurrent systems using temporal logicspecifications.ACM Trans. Program. Lang. Syst., 8(2), 1986.

Edmund M. Clarke, James R. Faeder, Christopher James Langmead, Leonard A. Harris,Sumit Kumar Jha, and Axel Legay.Statistical model checking in biolab: Applications to the automated analysis of t-cellreceptor signaling pathway.In CMSB, pages 231–250, 2008.

Sumit Kumar Jha, Edmund M. Clarke, Christopher James Langmead, Axel Legay, AndrePlatzer, and Paolo Zuliani.A bayesian approach to model checking biological systems.In CMSB, 2009.


Conclusions

Nancy A. Lynch.Input/Output automata: Basic, timed, hybrid, probabilistic, dynamic, ...In CONCUR, pages 187–188, 2003.

Jose Meseguer and Raman Sharykin.Specification and analysis of distributed object-based stochastic hybrid systems.In HSCC, 2006.

Ying-Chih Wang, Anvesh Komuravelli, Paolo Zuliani, and Edmund M. Clarke.Analog circuit verification by statistical model checking.In ASP-DAC, pages 1–6, 2011.

E. Yahav, T. Reps, and M. Sagiv.LTL model checking for systems with unbounded number of dynamically created threadsand objects.Technical Report TR-1424, Computer Sciences Department, University of Wisconsin, 2001.

Hakan L. S. Younes, Edmund M. Clarke, and Paolo Zuliani.Statistical verification of probabilistic properties with unbounded until.In SBMF, 2010.

Hakan L. S. Younes and Reid G. Simmons.Statistical probabilistic model checking with a focus on time-bounded properties.Inf. Comput., 204(9):1368–1409, 2006.


Conclusions

Paolo Zuliani, Andre Platzer, and Edmund M. Clarke.Bayesian statistical model checking with application to Simulink/Stateflow verification.In HSCC, pages 243–252, 2010.


Conclusions

Thank you, questions?


statistical model checking for distributed probabilistic ...aplatzer/pub/bayesmc-grid-slides.pdfj....

Documents