Probabilistic Verification of Discrete Event Systems using Acceptance Sampling Håkan L. S. Younes Carnegie Mellon University
Introduction Verify properties of continuous-time discrete event systems Model independent approach Time-bounded probabilistic properties expressed using CSL Acceptance sampling Guaranteed error bounds
Motivating Example Switch Backbone Switch Left clusterRight cluster L1L1 L2L2 L3L3 R3R3 R2R2 R1R1 Dependable workstation cluster Components may fail at any point in time Failed components can be repaired
Motivating Example Switch Backbone Switch Left clusterRight cluster L1L1 L2L2 L3L3 R3R3 R2R2 R1R1 Property of interest: Probability at most 0.1 that QoS drops below minimum within 50 time units
Motivating Example Switch Backbone Switch Left clusterRight cluster L1L1 L2L2 L3L3 R3R3 R2R2 R1R1 all working
Motivating Example Switch Backbone Switch Left clusterRight cluster L1L1 L2L2 L3L3 R3R3 R2R2 R1R1 all workingL 2 failed L 2 fails 3.6
Motivating Example Switch Backbone Switch Left clusterRight cluster L1L1 L2L2 L3L3 R3R3 R2R2 R1R1 all workingL 2 failedrepairing L 2 L 2 failsrepair L
Motivating Example Switch Backbone Switch Left clusterRight cluster L1L1 L2L2 L3L3 R3R3 R2R2 R1R1 all workingL 2 failedrepairing L 2 switch failed L 2 failsrepair L 2 right switch fails
Motivating Example Switch Backbone Switch Left clusterRight cluster L1L1 L2L2 L3L3 R3R3 R2R2 R1R1 all workingL 2 failedrepairing L 2 switch failed repairing L 2 switch failed L 2 failsrepair L 2 right switch failsL 2 repaired
Sample Execution Paths all workingL 2 failedrepairing L 2 switch failed repairing L 2 switch failed L 2 failsrepair L 2 right switch failsL 2 repaired all workingL 1 failedrepairing L 2 bb failedall working L 1 failsrepair L 2 L 1 repairedbackbone fails
Properties of Interest Time-bounded probabilistic properties “The probability is at most 0.1 that QoS drops below minimum within 50 time units”
Properties of Interest Time-bounded probabilistic properties “The probability is at most 0.1 that QoS drops below minimum within 50 time units” ¬Pr ≥0.1 (true U ≤50 ¬Minimum QoS) CSL formula:
Continuous Stochastic Logic (CSL) State formulas Truth value is determined in a single state Path formulas Truth value is determined over an execution path
State Formulas Standard logic operators: ¬ , 1 2 … Probabilistic operator: Pr ≥ ( ) True iff probability is at least that holds
Path Formulas Until: 1 U ≤t 2 Holds iff 2 becomes true in some state along the execution path before time t, and 1 is true in all prior states
Verifying Path Formulas true U ≤50 ¬Minimum QoS True! all workingL 2 failedrepairing L 2 switch failed repairing L 2 switch failed repairing L 2 switch failed L 2 failsrepair L 2 right switch failsL 2 repaired ≤50
Verifying Path Formulas true U ≤50 ¬Minimum QoS False! all workingL 1 failedrepairing L 2 bb failedall working L 1 failsrepair L 2 L 1 repairedbackbone fails ≥50
Verifying Probabilistic Properties “The probability is at least that ” Symbolic Methods Pro: Exact solution Con: Works only for restricted class of systems Sampling Pro: Works for any system that can be simulated Con: Uncertainty in correctness of solution
Our Approach Use simulation to generate sample execution paths Use sequential acceptance sampling to verify probabilistic properties
Error Bounds Probability of false negative: ≤ We say that is false when it is true Probability of false positive: ≤ We say that is true when it is false
Acceptance Sampling Hypothesis: Pr ≥ ( )
Performance of Test Actual probability of holding Probability of accepting Pr ≥ ( ) as true 1 –
Ideal Performance Actual probability of holding Probability of accepting Pr ≥ ( ) as true 1 – False negatives False positives
Actual Performance – + Indifference region Actual probability of holding Probability of accepting Pr ≥ ( ) as true 1 – False negatives False positives
Sequential Acceptance Sampling Hypothesis: Pr ≥ ( ) True, false, or another sample?
Graphical Representation of Sequential Test Number of samples Number of positive samples
Graphical Representation of Sequential Test We can find an acceptance line and a rejection line given , , , and Reject Accept Continue sampling Number of samples Number of positive samples A , , , (n) R , , , (n)
Graphical Representation of Sequential Test Reject hypothesis Reject Accept Continue sampling Number of samples Number of positive samples
Graphical Representation of Sequential Test Accept hypothesis Reject Accept Continue sampling Number of samples Number of positive samples
Verifying Probabilistic Properties Verify Pr ≥ ( ) with error bounds and Generate sample execution paths using simulation Verify over each sample execution path If is true, then we have a positive sample If is false, then we have a negative sample Use sequential acceptance sampling to test the hypothesis Pr ≥ ( )
Verification of Nested Probabilistic Statements Suppose , in Pr ≥ ( ), contains probabilistic statements Error bounds ’ and ’ when verifying
Verification of Nested Probabilistic Statements Suppose , in Pr ≥ ( ), contains probabilistic statements True, false, or another sample?
Modified Test Find an acceptance line and a rejection line given , , , , ’, and ’: Reject Accept Continue sampling With ’ and ’ = 0 Number of samples Number of positive samples A , , , (n) R , , , (n)
Modified Test Find an acceptance line and a rejection line given , , , , ’, and ’: With ’ and ’ > 0 Reject Accept Continue sampling Number of samples Number of positive samples
Modified Test Find an acceptance line and a rejection line given , , , , ’, and ’: Reject Accept Continue sampling Number of samples Number of positive samples A ’, ’, , (n) R ’, ’, , (n) ’ – ’ = 1 – (1 – ( – ))(1 – ’) ’ + ’ = ( + )(1 – ’)
Verification of Negation To verify ¬ with error bounds and Verify with error bounds and
Verification of Conjunction Verify 1 2 … n with error bounds and Verify each i with error bounds and /n
Verification of Path Formulas To verify 1 U ≤t 2 with error bounds and Convert to disjunction 1 U ≤t 2 holds if 2 holds in the first state, or if 2 holds in the second state and 1 holds in all prior states, or …
More on Verifying Until Given 1 U ≤t 2, let n be the index of the first state more than t time units away from the current state Disjunction of n conjunctions c 1 through c n, each of size i Simplifies if 1 or 2, or both, do not contain any probabilistic statements
Sampling-Based vs. Symbolic Methods Sampling-based methods… use less memory scale better with size of state space adapt to difficulty of problem (sequential) Symbolic methods… give exact results handle time-unbounded and steady-state properties
Dependable Workstation Cluster (results) − Size of state space Verification time (seconds) ¬Pr ≥0.1 (true U ≤t ¬Min QoS) = =10 −2 =10 −2
Dependable Workstation Cluster (results) Verification time (seconds) t = =10 −2 =10 −2 ¬Pr ≥0.1 (true U ≤t ¬Min QoS)
Tandem Queuing Network M/Cox 2 /1 queue sequentially composed with M/M/1 queue Each queue has capacity n State space of size O(n 2 ) 11 22 a …… 1−a
Tandem Queuing Network (property) When empty, probability is less than 0.5 that system becomes full within t time units: ¬Pr ≥0.5 (true U ≤t full) in state “empty” …………
Tandem Queuing Network (results) −2 10 − Size of state space Verification time (seconds) ¬Pr ≥0.5 (true U ≤t full) = =10 −2 =10 −2
Tandem Queuing Network (results) −2 10 − Verification time (seconds) t ¬Pr ≥0.5 (true U ≤t full) = =10 −2 =10 −2
Symmetric Polling System Single server, n polling stations Stations are attended in cyclic order Each station can hold one message State space of size O(n·2 n ) Server … Polling stations
Symmetric Polling System (property) When full and serving station 1, probability is at least 0.5 that station 1 is polled within t time units: Pr ≥0.5 (true U ≤t poll1) in state “full, srv 1” … serving 1polling 1 …
Symmetric Polling System (results) Verification time (seconds) Size of state space −2 10 − Pr ≥0.5 (true U ≤t poll1) = =10 −2 =10 −2
Symmetric Polling System (results) Verification time (seconds) t Pr ≥0.5 (true U ≤t poll1) = =10 −2 =10 −2
Symmetric Polling System (results) = =10 −10 = =10 −8 = =10 −6 = =10 −4 = =10 − Verification time (seconds) Pr ≥0.5 (true U ≤t poll1) n=10 t=50
Summary Model independent probabilistic verification of discrete event systems Sample execution paths generated using simulation Probabilistic properties verified using sequential acceptance sampling Easy to trade accuracy for efficiency
Future Work Develop heuristics for formula ordering and parameter selection Use in combination with symbolic methods Apply to hybrid dynamic systems Use verification to aid controller synthesis for discrete event systems
Verification to Aid Probabilistic Planning Plan verification using discrete event simulation and acceptance sampling Plan repair using sample path analysis Heuristics to guide repair selection Hill-climbing search for satisfactory plan Fast sampling-based plan comparison
Generic Repair Procedure 1. Select some state along some negative sample path 2. Change the action planned for the selected state Develop heuristics to make informed state/action choices