Presentation is loading. Please wait.

Presentation is loading. Please wait.

Probabilistic Verification of Discrete Event Systems using Acceptance Sampling Håkan L. S. YounesReid G. Simmons Carnegie Mellon University.

Similar presentations


Presentation on theme: "Probabilistic Verification of Discrete Event Systems using Acceptance Sampling Håkan L. S. YounesReid G. Simmons Carnegie Mellon University."— Presentation transcript:

1 Probabilistic Verification of Discrete Event Systems using Acceptance Sampling Håkan L. S. YounesReid G. Simmons Carnegie Mellon University

2 Introduction Verify properties of discrete event systems Model independent approach Probabilistic real-time properties expressed using CSL Acceptance sampling Guaranteed error bounds

3 DES Example Triple modular redundant system Three processors Single majority voter CPU 1CPU 2CPU 3 Voter

4 DES Example CPU 1CPU 2CPU 3 Voter 3 CPUs up voter up

5 DES Example CPU 1CPU 2CPU 3 Voter 3 CPUs up voter up 2 CPUs up voter up CPU fails 40

6 DES Example CPU 1CPU 2CPU 3 Voter 3 CPUs up voter up 2 CPUs up voter up 2 CPUs up repairing CPU voter up CPU failsrepair CPU

7 DES Example CPU 1CPU 2CPU 3 Voter 3 CPUs up voter up 2 CPUs up voter up 2 CPUs up repairing CPU voter up 1 CPU up repairing CPU voter up CPU failsrepair CPUCPU fails

8 DES Example CPU 1CPU 2CPU 3 Voter 3 CPUs up voter up 2 CPUs up voter up 2 CPUs up repairing CPU voter up 1 CPU up repairing CPU voter up 2 CPUs up voter up CPU failsrepair CPUCPU failsCPU repaired …

9 Sample Execution Paths 3 CPUs up voter up 2 CPUs up voter up 2 CPUs up repairing CPU voter up 1 CPU up repairing CPU voter up 2 CPUs up voter up CPU failsrepair CPUCPU failsCPU repaired … 3 CPUs up voter up 2 CPUs up voter up 2 CPUs up repairing CPU voter up 3 CPUs up voter up 3 CPUs up voter down CPU failsrepair CPUCPU repairedvoter fails …

10 Properties of Interest Probabilistic real-time properties “The probability is at least 0.1 that the voter fails within 120 time units while at least 2 CPUs have continuously remained up”

11 Properties of Interest Probabilistic real-time properties “The probability is at least 0.1 that the voter fails within 120 time units while at least 2 CPUs have continuously remained up” Pr ≥0.1 (“2 CPUs up”  “3 CPUs up” U ≤120 “voter down”) CSL formula:

12 Continuous Stochastic Logic (CSL) State formulas Truth value is determined in a single state Path formulas Truth value is determined over an execution path

13 State Formulas Standard logic operators: ¬ ,  1   2 … Probabilistic operator: Pr ≥  (  ) True iff probability is at least  that  holds

14 Path Formulas Until:  1 U ≤t  2 Holds iff  2 becomes true in some state along the execution path before time t, and  1 is true in all prior states

15 Verifying Real-time Properties “2 CPUs up”  “3 CPUs up” U ≤120 “voter down” 3 CPUs up voter up 2 CPUs up voter up 2 CPUs up repairing CPU voter up 1 CPU up repairing CPU voter up 2 CPUs up voter up CPU failsrepair CPUCPU failsCPU repaired … False!

16 Verifying Real-time Properties “2 CPUs up”  “3 CPUs up” U ≤120 “voter down” 3 CPUs up voter up 2 CPUs up voter up 2 CPUs up repairing CPU voter up 3 CPUs up voter up 3 CPUs up voter down CPU failsrepair CPUCPU repairedvoter fails … True! ++≤ 120+

17 Verifying Probabilistic Properties “The probability is at least 0.1 that  ” Symbolic Methods Pro: Exact solution Con: Works only for restricted class of systems Sampling Pro: Works for any system that can be simulated Con: Uncertainty in correctness of solution

18 Our Approach Use simulation to generate sample execution paths Use sequential acceptance sampling to verify probabilistic properties

19 Error Bounds Probability of false negative: ≤  We say that  is false when it is true Probability of false positive: ≤  We say that  is true when it is false

20 Acceptance Sampling Hypothesis: Pr ≥  (  )

21 Performance of Test Actual probability of  holding Probability of accepting Pr ≥  (  ) as true  1 –  

22 Ideal Performance Actual probability of  holding Probability of accepting Pr ≥  (  ) as true  1 –   False negatives False positives

23 Actual Performance  –  +  Indifference region Actual probability of  holding Probability of accepting Pr ≥  (  ) as true  1 –   False negatives False positives

24 Sequential Acceptance Sampling Hypothesis: Pr ≥  (  ) True, false, or another sample?

25 Graphical Representation of Sequential Test Number of samples Number of positive samples

26 Graphical Representation of Sequential Test We can find an acceptance line and a rejection line given , , , and  Reject Accept Continue sampling Number of samples Number of positive samples A , , ,  (n) R , , ,  (n)

27 Graphical Representation of Sequential Test Reject hypothesis Reject Accept Continue sampling Number of samples Number of positive samples

28 Graphical Representation of Sequential Test Accept hypothesis Reject Accept Continue sampling Number of samples Number of positive samples

29 Verifying Probabilistic Properties Verify Pr ≥  (  ) with error bounds  and  Generate sample execution paths using simulation Verify  over each sample execution path If  is true, then we have a positive sample If  is false, then we have a negative sample Use sequential acceptance sampling to test the hypothesis Pr ≥  (  )

30 Verification of Nested Probabilistic Statements Suppose , in Pr ≥  (  ), contains probabilistic statements Error bounds  ’ and  ’ when verifying 

31 Verification of Nested Probabilistic Statements Suppose , in Pr ≥  (  ), contains probabilistic statements True, false, or another sample?

32 Modified Test Find an acceptance line and a rejection line given , , , ,  ’, and  ’: Reject Accept Continue sampling With  ’ and  ’ = 0 Number of samples Number of positive samples A , , ,  (n) R , , ,  (n)

33 Modified Test Find an acceptance line and a rejection line given , , , ,  ’, and  ’: With  ’ and  ’ > 0 Reject Accept Continue sampling Number of samples Number of positive samples

34 Modified Test Find an acceptance line and a rejection line given , , , ,  ’, and  ’: Reject Accept Continue sampling Number of samples Number of positive samples A  ’,  ’, ,  (n) R  ’,  ’, ,  (n)  ’ –  ’ = 1 – (1 – (  –  ))(1 –  ’)  ’ +  ’ = (  +  )(1 –  ’)

35 Verification of Negation To verify ¬  with error bounds  and  Verify  with error bounds  and 

36 Verification of Conjunction Verify  1   2  …   n with error bounds  and  Verify each  i with error bounds  and  /n

37 Verification of Path Formulas To verify  1 U ≤t  2 with error bounds  and  Convert to disjunction  1 U ≤t  2 holds if  2 holds in the first state, or if  2 holds in the second state and  1 holds in all prior states, or …

38 More on Verifying Until Given  1 U ≤t  2, let n be the index of the first state more than t time units away from the current state Disjunction of n conjunctions c 1 through c n, each of size i Simplifies if  1 or  2, or both, do not contain any probabilistic statements

39 Performance  = 0.9  =  = Actual probability of  holding Average number of samples  =  =  = 0.01

40 Performance  =0.05 Actual probability of  holding Average number of samples  = 0.9  =  =  =0.02  =0.01  =0.005  =0.002  =0.001

41 Summary Model independent probabilistic verification of discrete event systems Sample execution paths generated using simulation Probabilistic properties verified using sequential acceptance sampling Easy to trade accuracy for efficiency

42 Future Work Develop heuristics for formula ordering and parameter selection Use in combination with symbolic methods Apply to hybrid dynamic systems Use verification to aid controller synthesis for discrete event systems

43 ProVer: Probabilistic Verifier


Download ppt "Probabilistic Verification of Discrete Event Systems using Acceptance Sampling Håkan L. S. YounesReid G. Simmons Carnegie Mellon University."

Similar presentations


Ads by Google