ACPN2010, Rostock, September 22nd Advanced solution methods for Stochastic Petri Nets Prof.ssa Susanna Donatelli Universita’ di Torino, Italy

2 Context (System, question on system) (Model, question on model) (Model, answer on model) (System, answer on system) abstraction model solution backward interpretation

3 Context System type: discrete event systems Categories of questions: qualitative -- will system reach a deadlock? quantitative -- will system reach a deadlock before time T? stochastic -- will system reach a deadlock before time T with probability >0.9 ? Corresponding classes of models: finite automata (but also Petri Nets, Process Algebras, etc.) timed automata (continuous) time Markov chain ( SPN, GSPN, SWN, Queueing networks, Stochastic Process algebras and stochastic processes in general)

4 Context Typical questions/properties qualitative -- reachability, deadlock, liveness, state/action condition, system evolution (path properties) quantitative -- timed reachability, timed system evolution (timed path properties) stochastic -- reachability in probability We concentrate on stochastic properties for stochastic systems Revisit CSL for Petri Nets Go beyond CSL (not only for nets)

5 Outline Verifying quantitative behaviour: CSL for SPN and SWN definition and model checking Verifying quantitative behaviour: CSL for GSPN Beyond CSL Solving large (G)SPN: symbolic representation and tensor- based techniques Bibliographical references

6 Outline Verifying quantitative behaviour: CSL for SPN and SWN definition and model checking Verifying quantitative behaviour: CSL for GSPN Beyond CSL Solving large (G)SPN: symbolic representation and tensor- based techniques Bibliographical references

7 Recall on SWN Stochastic Well-formed Nets (SWN) are a colored extension of Stochastic Petri Nets Color and arc function definition meant to favour a symmetric specification of the system Symmetries are automatically exploited in state space generation Underlying stochastic process is a CTMC

8 Recall on SWN neutral place colored place color domain D = {d1, d2,..} s_srv is enabled for x = color

9 Recall on SWN Equivalent GSPN when D = {d1, d2}

10 Recall on SWN GSPN state: M(wait_d1)=2 SWN colored state: M(wait) = 2·d1 SWN symbolic state: M(wait)= 2·Z D1, with |Z D1 |=1 M(wait)= 1·Z D1, M(srv) = 1·Z D2, |Z D1 |=1, |Z D2 |=2 equivalence class of all markings with 2 tokens of the same color in place wait two jobs waiting for the same device one job waiting for a device while two jobs are using the other two devices

11 Recall on SWN same cardinality usually much smaller

12 Recall on CSL Model Checking CSL allows the definition of probabilistic verification statements Probability of going from a safe to an unsafe state in less than T time units, while traversing only safe states, is <= In equilibrium, system is in safe states with 0.99 probability Satisfability of the formula on a CTMC requires the solution of a number of "modified" CTMCs

13 CSL syntax State formulae (atomic propositions and boolean expression) and path formulae (timed neXt and timed Until) S <>  (  ) is true in state s if the sum of the steady state probabilities of the  states, computed using s as initial state,  is <> . P <>  (  ) is true in s if the probability of the paths leaving s which satisfy  is <> .

14 Examples of CSL: P  0.01 (true U [10,20] a) Satisfied in states from which the probability of reaching an a-labelled state after between 10 and 20 time units is no more than 0.01 S >0.9 (a) Satisfied in states starting from which the probability of being in an a-labelled state in the long-run is greater than 0.9 Nested formulae: e.g. P  0.1 (a U [10,20] S >0.9 (b  c)) CSL examples

15 CSL Model Checking Ingredients of any CSL model checker: 1. A CTMC or a net model? 2. A way to define atomic properties of states 3. Efficient CSL satisfiability algorithms As produced from an SWN defined at the net level: symbolic, colored, or ordinary? reuse existing tools?

16 CSL & SWN: why Probabilistic verification of systems expressed as SWN validate system behaviour "in probability" natural way to express dependability properties SWN model validation particular important since SWN models can be non trivial to specify limited support is (was) available to validate SWN models

17 CSL & SWN: how Exploit reuse: use existing CSL model checking tools best of the available technology, constantly updated  but does not allow to exploit the peculiarities and properties of nets Keep simple the definition of atomic propositions

18 CSL & SWN: how – an example CSL model checking facility for SWN models by linking GreatSPN to: MRMC, the input model is a CTMC PRISM, the input model is a set of interacting modules specified using a guarded command language from which a CTMC is generated GSPN/SWN tool from the universities of Torino, Piemonte Orientale, Paris-6, Reims CSL tool from the universities of Twente, Aachen, Munich CSL/PCTL tool of the university of Birmingham

19 CSL & SWN: how Language for the definition of atomic properties For SWN this task is not always straightforward, as we may want to refer to neutral, colored and symbolic properties Discuss the issues of the link from GreatSPN SWN solver to to MRMC and PRISM (which solution for which type of property)

20 CSL & SWN: how Marking properties (Type M ):  p  P w p · M (p) ≤ K e.g: M(loc)>1 e.g.: M(loc) + M(wait) < 2 (Type Mcol ):  p  P, c  CD (p) w p,c · M (p)[ c ] ≤ K e.g: M(wait)[d1] >= 2 e.g.: M(wait)[d1] + M(srv)[d2] = 2 (Type Msymb ): Two tokens of the same color in place p and p’? --- not so obvious

21 CSL & SWN: how Transition enabling properties (Type T ): transition t is enabled e.g.: s_srv is enabled, s_srv_d1 is enabled (Type Tcol ): transition t is enabled for a given assignment to the variables of t. e.g.: s_srv is enabled for x=d1 (Type Tsymb): transition t is enabled for x=y

22 Linking GreatSPN to MRMC MRMC works with two input files: the CTMC rate matrix CTMC generated using GreatSPN from the RG/CRG or SRG the list of the atomic propositions valid in each state

23 Atomic properties Labelling states with atomic properties M M(loc)>1 Mcol M(srv)[d1] >=1 Msymb Same color in wait and un_av T s_srv is enabled Tcol s_srv is ena- bled for x=d1 Tsymb t is ena- bled for x=y RG simple---- simple ---- CRG sum over colored tokens simpleOR of many terms (one per color instance simple SRG sum over | Z Di | equivalence may be too coarse Check on Z Di simple equivalence may be too coarse Check on Z Di if x=y is not in the guard of t in symbolic marking M(wait)= 1·Z D1, M(srv) = 1·Z D2, |Z D1 |=1, |Z D2 |=2 (one job waiting for a device while two jobs are using the other two devices) the property is true for only 2 of the 3 states in the equivalence class

24 Atomic properties Solving the red problem: observation transitions M M(loc)>1 Mcol M(srv)[d1] >=1 Msymb Token of same color in srv and un_av T s_srv is enabled Tcol s_srv is ena- bled for x=d1 Tcol t is ena- bled for x=y SRG sum over | Z Di | equivalence may be too coarse Check on Z Di simpleequivalence may be too coarse Check on Z Di if x=y is not in the guard of t

25 Atomic properties M M(loc)>1 Mcol M(srv)[d1] >=1 T s_srv is enabled Tcol s_srv is ena- bled for x=d1 SRG sum over | Z Di | equivalence may be too coarse simple equivalence may be too coarse a token of color d1 in place wait x = d1 test1 s_srv enabled for x=d1 x = d1 test2

26 Atomic properties 2 two tokens of the same color in place wait Observation transitions can be used to define also symbolic (symmetric) properties

27 Linking GreatSPN to MRMC GMC2MRMC.xlab.tra STATES 352 TRANSITIONS … 1 av(1 1 ) loc(8) tloc 2 av(1 1 )loc(7)wait(1 ) s_srv_d1....net GreatSPN.net.ap wait>=4 wait_d1>=4 wait_d2>=4 user APGenerator.lab #DECLARATION t_HS #END wait>=4 wait_d1>= wait>=4 wait_d2>=4... GreatSPN2MRMC

28 Linking GreatSPN to PRISM The PRISM input language is a state-based language State = valuation of a number of bounded variables A set of guarded commands describes the dynamics of the system: from them PRISM derives the CTMC Atomic propositions are implicitly defined, as a CSL formula can include any logical condition on the variables' values

29 Linking GreatSPN to PRISM Two possible ways to connect to PRISM: produce a Prism module directly from the SWN, such that the same CTMC (up to state numbering) is produced; produce a Prism module directly from the CTMC of the SRG/RG  definition of atomic propositions? unfolding the SWN into an SPN, followed by the translation of the SPN into a PRISM module using the already-existing translation for SPN. Current solution does the unfolding, since it is easier and there is already a GSPN->Prism translator.

30 Linking GreatSPN to PRISM For GSPN place names are mapped one-to-one to variable names no particular support is needed to translate M and Mcol atomic propositions T and Tcol propositions have to be restated in terms of markings (variable values). The unfolding algorithm names unfolded places using color names (e.g.: srv_d1)

31 Linking GreatSPN to PRISM GreatSPN.net.def Great2Prism.sm unfolding.net.def const int N = 4; module M … wait_d2 : [0..4]; av_d2 : [0..1] init 1; …. [tloc_0] (loc_ > 0) & (wait_d1 < N) -> : (wait_d1’ = wait_d1 +1) & (loc_’ = loc_ -1); ….. [back_1] (un_av_d2 > 0) & (av_d2 < 1) -> : (av_d2’ = av_d2 +1) & (un_av_d2’ = un_av_d2 -1);

32 Model checking example

33 model checking example (  1 ) : S> 0. 7 (hot spot) the system has a probability > 0.7 of being in an hot-spot state (  2 ) : S≤ 0. 2 (P≥ 0. 9 ( F [ 0, 5 ] hot spot)) probability of being, in equilibrium, in “dangerous” states is at most 0.2. (  3 ) : P≥ 0. 9 ( F [ 0, 5 ] (hot spot & P≥ 0. 7 ( F [ 0, 3 ] ￢ hot spot)) dangerous states good hot spot states