Stochastic Semantics and Statistical Model Checking for Networks of Priced Timed Automata
Alexandre David, Kim G. Larsen, Axel Legay, Marius Mikučionis, Danny Bøgsted Poulsen, Jonas van Vliet, Zheng Wang
Alexandre David, Kim G. Larsen, Marius Mikučionis, Danny Bøgsted Poulsen and Jonas van Vliet
Department of Computer Science, Aalborg University, Denmark. Email: {adavid,kgl,marius,dannypb,jonasvv}@cs.aau.dk
Axel Legay
INRIA/IRISA, Rennes Cedex, France. Email: [email protected]
Zheng Wang
Software Engineering Institute, East China Normal University, China. Email: [email protected]
Abstract—This paper offers a natural stochastic semantics of Networks of Priced Timed Automata (NPTA) based on races between components. The semantics provides the basis for satisfaction of Probabilistic Weighted CTL properties (PWCTL), conservatively extending the classical satisfaction of timed automata with respect to TCTL. In particular the extension allows hard real-time properties of timed automata expressible in TCTL to be refined by performance properties, e.g. in terms of probabilistic guarantees of time- and cost-bounded properties. A second contribution of the paper is the application of Statistical Model Checking (SMC) to efficiently estimate the correctness of non-nested PWCTL model checking problems with a desired level of confidence, based on a number of independent runs of the NPTA. In addition to applying classical SMC algorithms, we also offer an extension that allows performance properties of NPTAs to be compared efficiently in a parametric setting. The third contribution is an efficient tool implementation of our results and applications to several case studies.
I. INTRODUCTION
Model Checking (MC) [1] is a widely recognised approach to guarantee the correctness of a system by checking that any of its behaviors is a model for a given property. There are several variants and extensions of MC aiming at handling real-time and hybrid systems with quantitative constraints on time, energy or more general continuous aspects [2]–[5]. Within the field of embedded systems these formalisms and their supporting tools [6]–[9] are now successfully applied to time- and energy-optimal scheduling, WCET analysis and schedulability analysis.

Compared with traditional approaches, a strong point of real-time model checking is that it (in principle) only requires a model to be applicable, thus extensions to multi-processor settings are easy. A weak point of model checking is the notorious problem of state-space explosion, i.e. the exponential growth in the analysis effort measured in the number of model-components. Another limitation of real-time model checking is that it merely provides – admittedly most important – hard quantitative guarantees, e.g. the worst case response time of a recurrent task under a certain scheduling principle, the worst case execution time of a piece of code running on a particular execution platform, or the worst case time before consensus is reached by a real-time network protocol. In addition to these hard guarantees, it would be desirable in several situations to obtain refined performance information concerning likely or expected behaviors in terms of timing and resource consumption. In particular, this would allow to distinguish and select between systems that perform identically from a worst-case perspective.

To illustrate our point consider the network of two priced timed automata in Fig. 1 modeling a competition between Axel and Alex both having to hammer three nails down. As can be seen by the representing Work-locations the time (-interval) and rate of energy-consumption required for hammering a nail depends on the player and the nail-number. As expected Axel is initially quite fast and uses a lot of energy but becomes slow towards the last nail, somewhat in contrast to Alex. To make it an interesting competition, there is only one hammer, illustrated by repeated competitions between the two players in the Ready-locations, where the slowest player has to wait in the Idle-location until the faster player has finished hammering the next nail. Interestingly, despite the somewhat different strategy applied, the best- and worst-case completion times are identical for Axel and Alex: 59 seconds and 150 seconds. So, there is no difference between the two players and their strategy, or is there? Assume that a third person wants to bet on who is the more likely winner – Axel or Alex – given a refined semantics, where the time-delay before performing an output is chosen stochastically (e.g. by drawing from a uniform distribution). Under such a refined semantics there is a significant difference between the two players. In Fig. 2a) the probability distributions for either of the two players winning before a certain time are given. Though it is clear that Axel has a higher probability of winning than Alex (59% versus 41%), declaring the competition a draw if it has not finished before 50 seconds actually makes Alex the more likely winner. Similarly, Fig. 2b) illustrates the probability of either of the two players winning given an upper bound on energy. With an unlimited amount of energy, clearly Axel is the most likely winner, whereas limiting the consumption of energy to maximum 52 “energy-units” gives Alex an advantage.

* Work partially supported by VKR Centre of Excellence – MT-LAB and by an “Action de Recherche Collaborative” ARC (TP)I.

[Figure 1 diagrams omitted: a) Axel and b) Alex, each with locations Idle1–3, Ready1–3, Work1–3 and Done; Work-locations carry invariants such as x<=15 && D'==2 (Axel) and x<=10 && C'==4 (Alex), and edges synchronise on go!/go? and done!/done?]
Figure 1: 3-Nail Hammering Game between Axel and Alex.

[Figure 2 plots omitted: a) Time-Dependent Distribution (probability against time; curves Some, Axel, Alex, Both); b) Cost-Dependent Distribution (probability against cost, C for Alex, D for Axel)]
Figure 2: Time- and Cost-dependent Probability of winning the Hammering Game.

As a first contribution of this paper we propose a stochastic semantics for Priced Timed Automata (PTA), whose clocks can evolve with different rates, while being used with no restrictions in guards and invariants. Networks of PTAs (NPTA) are created by composing PTAs via input and output actions. The model is as expressive as linear hybrid automata [3], making even the reachability problem undecidable. More precisely, we define a natural stochastic semantics for networks of NPTAs based on races between components. We shall observe that such races can generate arbitrarily complex stochastic behaviors from simple assumptions on individual components. While fully stochastic semantics have already been proposed for timed systems [10], [11], we are the first to consider networks of timed and hybrid systems. Other related work includes the very rich framework of stochastic timed systems of MoDeST [12]. Here, however, general hybrid variables are not considered and parallel composition does not yield fully stochastic models. For the notion of probabilistic hybrid systems considered in [13] the choice of time is resolved non-deterministically rather than stochastically as in our case. Moreover, based on the stochastic semantics, we are able to express refined performance properties, e.g. in terms of probabilistic guarantees of time- and cost-bounded properties. To allow for the efficient analysis of probabilistic performance properties – despite the general undecidability of these – in contrast to the usual restriction of priced timed automata [4], [5] we propose to work with Statistical Model Checking (SMC) [14], [15], an approach that has recently been proposed as an alternative to avoid an exhaustive exploration of the state-space of the model.
The core idea of the approach is to monitor some simulations of the system, and then use results from the statistic area (including sequential hypothesis testing or Monte Carlo simulation) in order to decide whether the system satisfies the property or not with some degree of confidence. By nature, SMC is a compromise between testing and classical model checking techniques.

Thus, as a second contribution, we provide an efficient implementation of existing SMC algorithms that we use for checking the correctness of NPTAs with respect to cost-constrained temporal logic. The series of algorithms we implement includes a version of the sequential hypothesis test by Wald [16] as well as a quantitative approach [17]. Our implementation relies on a new efficient algorithm for generating runs of NPTAs in a random manner. In addition, we also propose another SMC algorithm to compare the performances of two properties without computing their probability. This problem, which is far beyond the scope of existing timed model checking approaches, can be approximated with an extension of the sequential hypothesis testing. In addition to being the first to apply such an extension in the context of formal verification, we also propose a new variant that allows to reuse existing results in parallel when comparing the properties on different timed bounds.

Finally, one of the most interesting contributions of our work takes the form of a series of new case studies that are analyzed with a new stochastic extension of UPPAAL [18]. Particularly, we show how our approach can be used to resolve scheduling problems. Such problems are defined using Duration Probabilistic Automata (DPA) [19], a new and natural model for specifying lists of tasks and shared resources. We observe that our approach is not only more general, but also much faster than the hypothesis testing engine recently implemented in the PRISM toolset. Our work thus presents significant advances in both the modeling and the efficient verification of networks of complex systems.
Related work.
Some works on probabilistic semantics of timed automata have already been discussed above. Simulation-based approaches such as Monte Carlo have been in use for decades, however the use of simulation and hypothesis testing to reason on formal models is a more recent advance. First attempts to apply hypothesis testing on a stochastic extension of Hennessy-Milner logic can be found in [20]. In [14], [21], Younes was the first to apply hypothesis testing to stochastic systems whose properties are specified with (bounded) temporal logic. His approach is implemented in the Ymer toolset [22] and can be applied on time-homogeneous generalized semi-Markov processes, while our semantics addresses the composition of stochastic systems allowing to compose a global system from components and reason about communication between independent processes. In addition to Younes' work we explore continuous-time features, formalize and implement Wald's ideas where the probability comparison can be evaluated on NPTA processes. In a recent work [23], Zuliani et al. extended the SMC approach to hybrid systems. Their work is a combination of [24] and [25] based on Simulink models (non-linear hybrid systems), whereas our method is specialised to networks of priced timed automata where model-checking techniques can be directly applicable using the same tool suite. In addition we provide means of comparing performances without considering individual probabilities. Finally, a very recent work [26] proposes partial order reduction techniques to resolve non-determinism between components rather than defining a unique stochastic distribution on their product behaviors. While this work is of clear interest, we point out that the application of partial orders may considerably increase the computation time and for some models partial orders cannot resolve non-determinism, especially when considering continuous time [27]. Other works on SMC can be found in [28], [29].

II. NETWORK OF PRICED TIMED AUTOMATA
We consider the notion of Networks of Priced Timed Automata (NPTA), generalizing that of regular timed automata (TA) in that clocks may have different rates in different locations. In fact, the expressive power (up to timed bisimilarity) of NPTA equals that of general linear hybrid automata (LHA) [3], rendering most problems – including that of reachability – undecidable.

Let $X$ be a finite set of variables, called clocks.¹ A clock valuation over $X$ is a mapping $\nu : X \to \mathbb{R}_{\ge 0}$, where $\mathbb{R}_{\ge 0}$ is the set of nonnegative reals. We write $\mathbb{R}_{\ge 0}^X$ for the set of clock valuations over $X$. Let $r : X \to \mathbb{N}$ be a rate vector, assigning to each clock of $X$ a rate. Then, for $\nu \in \mathbb{R}_{\ge 0}^X$ and $d \in \mathbb{R}_{\ge 0}$ a delay, we write $\nu + r \cdot d$ for the clock valuation defined by $(\nu + r \cdot d)(x) = \nu(x) + r(x) \cdot d$ for any clock $x \in X$. We denote by $\mathbb{N}^X$ the set of all rate vectors. If $Y \subseteq X$, the valuation $\nu[Y]$ is the valuation assigning … when $x \in Y$ and $\nu(x)$ when $x \notin Y$. An upper bound (lower bound) guard over $X$ is a finite conjunction of simple clock bounds of the form $x \sim n$ where $x \in X$, $n \in \mathbb{N}$, and $\sim \in \{<, \le\}$ ($\sim \in \{>, \ge\}$). We denote by $\mathcal{U}(X)$ ($\mathcal{L}(X)$) the set of upper (lower) bound guards over $X$, and write $\nu \models g$ whenever $\nu$ is a clock valuation satisfying the guard $g$. Let $\Sigma = \Sigma_i \uplus \Sigma_o$ be disjoint sets of input and output actions.
Definition 1. A Priced Timed Automaton (PTA) is a tuple $\mathcal{A} = (L, \ell_0, X, \Sigma, E, R, I)$ where: (i) $L$ is a finite set of locations, (ii) $\ell_0 \in L$ is the initial location, (iii) $X$ is a finite set of clocks, (iv) $\Sigma = \Sigma_i \uplus \Sigma_o$ is a finite set of actions partitioned into inputs ($\Sigma_i$) and outputs ($\Sigma_o$), (v) $E \subseteq L \times \mathcal{L}(X) \times \Sigma \times 2^X \times L$ is a finite set of edges, (vi) $R : L \to \mathbb{N}^X$ assigns a rate vector to each location, and (vii) $I : L \to \mathcal{U}(X)$ assigns an invariant to each location.

The semantics of NPTAs is a timed labelled transition system whose states are pairs $(\ell, \nu) \in L \times \mathbb{R}_{\ge 0}^X$ with $\nu \models I(\ell)$, and whose transitions are either delay $(\ell, \nu) \xrightarrow{d} (\ell, \nu')$ with $d \in \mathbb{R}_{\ge 0}$ and $\nu' = \nu + R(\ell) \cdot d$, or discrete $(\ell, \nu) \xrightarrow{a} (\ell', \nu')$ if there is an edge $(\ell, g, a, Y, \ell')$ such that $\nu \models g$ and $\nu' = \nu[Y]$. We write $(\ell, \nu) \rightsquigarrow (\ell', \nu')$ if there is a finite sequence of delay and discrete transitions from $(\ell, \nu)$ to $(\ell', \nu')$.

a) Networks of Priced Timed Automata: Following the compositional specification theory for timed systems in [30], we shall assume that NPTAs are: (1) [Input-enabled:] for all states $(\ell, \nu)$ and input actions $\iota \in \Sigma_i$, $(\ell, \nu) \xrightarrow{\iota}$, and (2) [Deterministic:] for all states $(\ell, \nu)$ and actions $a \in \Sigma$, whenever $(\ell, \nu) \xrightarrow{a} (\ell', \nu')$ and $(\ell, \nu) \xrightarrow{a} (\ell'', \nu'')$ then $\ell' = \ell''$ and $\nu' = \nu''$. Whenever $\mathcal{A}_j = (L_j, X_j, \Sigma_j, E_j, R_j, I_j)$ ($j = 1 \ldots n$) are NPTA, they are composable into a closed network iff their clock sets are disjoint ($X_j \cap X_k = \emptyset$ when $j \ne k$), they have the same action set ($\Sigma = \Sigma_j = \Sigma_k$ for all $j, k$), and their output action-sets provide a partition of $\Sigma$ ($\Sigma_o^j \cap \Sigma_o^k = \emptyset$ for $j \ne k$, and $\Sigma = \cup_j \Sigma_o^j$). For $a \in \Sigma$ we denote by $c(a)$ the unique $j$ with $a \in \Sigma_o^j$.

Definition 2.
Let $\mathcal{A}_j = (L_j, X_j, \Sigma, E_j, R_j, I_j)$ ($j = 1 \ldots n$) be composable NPTAs. Then the composition $(\mathcal{A}_1 \mid \ldots \mid \mathcal{A}_n)$ is the NPTA $\mathcal{A} = (L, X, \Sigma, E, R, I)$ where (i) $L = \times_j L_j$, (ii) $X = \cup_j X_j$, (iii) $R(\ell)(x) = R_j(\ell_j)(x)$ when $x \in X_j$, (iv) $I(\ell) = \cap_j I(\ell_j)$, and (v) $(\ell, \cap_j g_j, a, \cup_j r_j, \ell') \in E$ whenever $(\ell_j, g_j, a, r_j, \ell'_j) \in E_j$ for $j = 1 \ldots n$.

¹ We will (mis)use the term “clock” from timed automata, though in the setting of NPTAs the variables in $X$ are really general real-valued variables.

[Figure 3 diagrams omitted: the automata A (locations A0, A1; invariant x<=1; output a!), B (B0, B1; invariant y<=2; output b!), B_r (B0, B1; output b!, rate 1:2), AB (invariant x<=1 && y<=2; outputs a!, b!; location END) and T (T0, T1, T3; rates C'==2, C'==4; inputs a?, b?)]
Figure 3: Four composable NPTAs: A, B and T; A, B_r and T; and AB and T.

Example 1.
Let $A$, $B$, $T$ and $AB$ be the priced timed automata depicted in Fig. 3. Then $A$, $B$ and $T$ are composable as well as $AB$ and $T$. In fact the composite systems $(A \mid B \mid T)$ and $(AB \mid T)$ are timed (and priced) bisimilar, both having the transition sequence:

$$\big((A_0, B_0, T_0), [x = 0, y = 0, C = 0]\big) \longrightarrow \xrightarrow{a!} \big((A, B, T), [x = 1, y = 1, C = 4]\big) \longrightarrow \xrightarrow{b!} \big((A, B, T), [x = 2, y = 2, C = 6]\big),$$

demonstrating that the final location $T$ of $T$ is reachable with cost 6.

III. PROBABILISTIC SEMANTICS OF NPTA

Continuing Example 1 we may realise that location $T$ of the component $T$ is reachable within cost … to … and within total time … and … in both $(A \mid B \mid T)$ and $(AB \mid T)$ depending on when (and in which order) $A$ and $B$ ($AB$) choose to perform the output actions $a!$ and $b!$. Assuming that the choice of these time-delays is governed by probability distributions, we will in this section define a probability measure over sets of infinite runs of networks of NPTAs. In contrast to the probabilistic semantics of timed automata in [10], [11] our semantics deals with networks and thus with races between components.

Let $\mathcal{A}_j = (L_j, X_j, \Sigma, E_j, R_j, I_j)$ ($j = 1 \ldots n$) be a collection of composable NPTAs.² Under the assumption of input-enabledness, disjointness of clock sets and output actions, states of the composite NPTA $\mathcal{A} = (\mathcal{A}_1 \mid \ldots \mid \mathcal{A}_n)$ may be seen as tuples $s = (s_1, \ldots, s_n)$ where $s_j$ is a state of $\mathcal{A}_j$, i.e. of the form $(\ell, \nu)$ where $\ell \in L_j$ and $\nu \in \mathbb{R}_{\ge 0}^{X_j}$. Our probabilistic semantics is based on the principle of independence between components. Repeatedly each component decides on its own – based on a given delay density function and output probability function – how much to delay before outputting and what output to broadcast at that moment. Obviously, in such a race between components the outcome will be determined by the component that has chosen to output after the minimum delay: the output is broadcast and all other components may consequently change state.

² It is assumed that all components are completed with looping input transitions, where these are missing.

b) Probabilistic Semantics of NPTA Components: Let us first consider a component $\mathcal{A}_j$ and let $St_j$ denote the corresponding set of states. For each state $s = (\ell, \nu)$ of $\mathcal{A}_j$ we shall provide probability distributions for both delays and outputs. The delay density function $\mu_s$ over delays in $\mathbb{R}_{\ge 0}$ will be either a uniform or an exponential distribution depending on the invariant of $\ell$.
Denote by $E_\ell$ the disjunction of guards $g$ such that $(\ell, g, o, -, -) \in E_j$ for some output $o$. Denote by $d(\ell, \nu)$ the infimum delay before enabling an output, i.e. $d(\ell, \nu) = \inf\{d \in \mathbb{R}_{\ge 0} : \nu + R_j \cdot d \models E_\ell\}$, and denote by $D(\ell, \nu)$ the supremum delay, i.e. $D(\ell, \nu) = \sup\{d \in \mathbb{R}_{\ge 0} : \nu + R_j \cdot d \models I_j(\ell)\}$. If $D(\ell, \nu) < \infty$ then the delay density function $\mu_s$ is a uniform distribution on $[d(\ell, \nu), D(\ell, \nu)]$. Otherwise – that is, $I_j(\ell)$ does not put an upper bound on the possible delays out of $s$ – the delay density function $\mu_s$ is an exponential distribution with a rate $P(\ell)$, where $P : L_j \to \mathbb{R}_{\ge 0}$ is an additional distribution rate component added to the NPTA $\mathcal{A}_j$. For every state $s = (\ell, \nu)$, the output probability function $\gamma_s$ over $\Sigma_o^j$ is the uniform distribution over the set $\{o : (\ell, g, o, -, -) \in E_j \wedge \nu \models g\}$ whenever this set is non-empty.³ We denote by $s^o$ the state after the output of $o$. Similarly, for every state $s$ and any input action $\iota$, we denote by $s^\iota$ the state after having received the input $\iota$.

³ Otherwise a specific weight distribution can be specified and used instead.

c) Probabilistic Semantics of Networks of NPTA: We shall now see that while the stochastic semantics of each PTA is rather simple (but quite realistic), arbitrarily complex stochastic behavior can be obtained by their composition. Reconsider the closed network $\mathcal{A} = (\mathcal{A}_1 \mid \ldots \mid \mathcal{A}_n)$ with a state space $St = St_1 \times \cdots \times St_n$. For $s = (s_1, \ldots, s_n) \in St$ and $a_1 a_2 \ldots a_k \in \Sigma^*$ we denote by $\pi(s, a_1 a_2 \ldots a_k)$ the set of all maximal runs from $s$ with a prefix $t_1 a_1 t_2 a_2 \ldots t_k a_k$ for some $t_1, \ldots, t_n \in \mathbb{R}_{\ge 0}$, that is runs where the $i$'th action $a_i$ has been outputted by the component $\mathcal{A}_{c(a_i)}$. We now inductively define the following measure for such sets of runs:

$$P_{\mathcal{A}}\big(\pi(s, a_1 a_2 \ldots a_n)\big) = \int_{t \ge 0} \mu_{s_c}(t) \cdot \Big(\prod_{j \ne c} \int_{\tau > t} \mu_{s_j}(\tau)\, d\tau\Big) \cdot \gamma_{s_c^t}(a_1) \cdot P_{\mathcal{A}}\big(\pi((s^t)^{a_1}, a_2 \ldots a_n)\big)\, dt$$

where $c = c(a_1)$, and as base case we take $P_{\mathcal{A}}(\pi(s, \varepsilon)) = 1$. This definition requires a few words of explanation: at the outermost level we integrate over all possible initial delays $t$. For a given delay $t$, the outputting component $c = c(a_1)$ will choose to make the broadcast at time $t$ with the stated density. Independently, the other components will choose a delay amount, which – in order for $c$ to be the winner – must be larger than $t$; hence the product of the probabilities that they each make such a choice. Having decided for making the broadcast at time $t$, the probability of actually outputting $a_1$ is included. Finally, in the global state resulting from all components having delayed $t$ time-units and changed state according to the broadcasted action $a_1$, the probability of runs according to the remaining actions $a_2 \ldots a_n$ is taken into account.

[Figure 4 plots omitted: (a) cumulative probability against time and (b) against cost C, for A|B_r|T, A|B|T and AB|T]
Figure 4: Cumulative probabilities for time and cost-bounded reachability of $T$.

d) Logical Properties: Following [31], the measure $P_{\mathcal{A}}$ may be extended in a standard and unique way to the $\sigma$-algebra generated by the sets of runs (so-called cylinders) $\pi(s, a_1 a_2 \ldots a_n)$. As we shall see this will allow us to give proper semantics to a range of probabilistic time- and cost-constrained temporal properties. Let $\mathcal{A}$ be a NPTA. Then we consider the following non-nested PWCTL properties:

$$\psi ::= P\big(\Diamond_{C \le c}\, \varphi\big) \sim p \;\mid\; P\big(\Box_{C \le c}\, \varphi\big) \sim p$$

where $C$ is an observer clock (of $\mathcal{A}$), $\varphi$ a state-property (wrt. $\mathcal{A}$), $\sim \in \{<, \le, =, \ge, >\}$, and $p \in [0, 1]$. For the semantics let $\mathcal{A}^*$ be the modification of $\mathcal{A}$, where the guard $C \le c$ has been conjoined to the invariant of all locations and an edge $(\ell, \varphi, o_\varphi, \emptyset, \ell)$ has been added at every location $\ell$, where $o_\varphi$ is a new output action. Then:

$$\mathcal{A} \models P\big(\Diamond_{C \le c}\, \varphi\big) \sim p \quad \text{iff} \quad P_{\mathcal{A}^*}\Big(\bigcup_{\sigma \in \Sigma^*} \pi(s, \sigma o_\varphi)\Big) \sim p$$

which is well-defined since the $\sigma$-algebra on which $P_{\mathcal{A}^*}$ is defined is closed under countable unions and finite intersections. To complete the semantics, we note that $P(\Box_{C \le c}\, \varphi) \sim p$ is equivalent to $(1 - p) \sim P(\Diamond_{C \le c}\, \neg\varphi)$.

Example 1.
Reconsider the Example of Fig. 3. Then it can be shown that $(A \mid B \mid T) \models P(\Diamond_{t \le \ldots}\, T) = 0.\ldots$ and $(A \mid B \mid T) \models P(\Diamond_{C \le \ldots}\, T) = 0.\ldots$, whereas $(AB \mid T) \models P(\Diamond_{t \le \ldots}\, T) = 0.\ldots$ and $(AB \mid T) \models P(\Diamond_{C \le \ldots}\, T) = 0.\ldots$. Fig. 4 gives time- and cost-bounded reachability probabilities for $(A \mid B \mid T)$ and $(AB \mid T)$ for a range of bounds. Thus, though the two NPTAs satisfy the same WCTL properties, they are obviously quite different with respect to PWCTL. The NPTA $B_r$ of Fig. 3 is a variant of $B$, with the uniform delay distribution enforced by the invariant $y \le 2$ being replaced by an exponential distribution with rate …. Here $(A \mid B_r \mid T)$ satisfies $P(\Diamond_{t \le \ldots}\, T) \approx 0.\ldots$ and $P(\Diamond_{C \le \ldots}\, T) \approx 0.\ldots$.

IV. STATISTICAL MODEL CHECKING FOR NPTA

As we pointed out, most model checking problems for NPTAs and PWCTL (including reachability) are undecidable. Our solution is to use a technique that approximates the answer. We rely on Statistical Model Checking (SMC) [14], [15], that is a series of simulation-based techniques that generate runs of the systems, monitor them, and then use algorithms from statistics to get an estimate of the entire system. At the heart of any SMC approach, there is an algorithm used to generate runs of the system following a stochastic semantics. We propose such an algorithm for NPTAs corresponding to the stochastic semantics proposed in Section III. Then, we recap existing statistical algorithms, providing the basis for a first SMC algorithm for NPTAs.

Algorithm 1: Random run for a NPTA-network $\mathcal{A}$
    function $RR_{\mathcal{A}}((\ell_0, \nu_0), C, c)$
        run := $(\ell_0, \nu_0)$
        $(\ell, \nu)$ := tail(run)
        while $\nu(C) < c$ do
            for $i = 1$ to $|\ell|$ do $d_i$ := delay($\mu_{(\ell_i, \nu_i)}$)
            $d$ := $\min_{1 \le i \le |\ell|}(d_i)$
            if $d = +\infty \;\vee\; \nu(C) + d * R(\ell)(C) \ge c$ then
                $d$ := $(c - \nu(C)) / R(\ell)(C)$
                return run $\oplus \xrightarrow{d} (\ell, \nu + d * R(\ell))$
            else
                pick $k$ such that $d_k = d$;  $\nu_d$ := $\nu + d * R(\ell)$
                pick $\ell_k \xrightarrow{g, o, r} \ell'_k$ with $g(\nu_d)$
                run := run $\oplus \xrightarrow{d} (\ell, \nu_d) \xrightarrow{g, o, r} (\ell[\ell'_k / \ell_k], [r]\nu_d)$
            end
            $(\ell, \nu)$ := tail(run)
        end
        return run

e) Generating Runs of NPTA:
SMC is used for properties that can be monitored on finite runs. Here, we propose an algorithm that given an NPTA generates a random run up to a cost bound $c$ (with time bounds being a simple case) of an observer clock $C$. A run of a NPTA is a sequence of alternations of states $s_0 \xrightarrow{d_1} s_0' \xrightarrow{o_1} s_1 \xrightarrow{d_2} \cdots \xrightarrow{o_n} s_n$ obtained by performing delays $d_i$ and emitting outputs $o_i$. Here we consider a network of NPTAs with states being of the form $(\ell, \nu)$. We construct random runs according to Algorithm 1. We start from an initial state $(\ell_0, \nu_0)$ and repeatedly concatenate random successor states until we reach the bound $c$ for the given observer clock $C$. Recall that $\nu(C)$ is the value of $C$ in state $(\ell, \nu)$, and the rate of $C$ in location $\ell$ is $R(C)(\ell)$. We use the notation $\oplus$ to concatenate runs and tail(run) to access the last state of a run, and delay($\mu_s$) returns a random delay according to the delay density function $\mu_s$ as described in Section III. The statement “pick” means choose uniformly among the possible choices. The correctness of Algorithm 1 with respect to the stochastic semantics of NPTAs given in Section III follows from the Theorem below:

Theorem 1. Let $\mathcal{A}$ be a network of NPTAs. Then:

$$P\Big(RR_{\mathcal{A}}\big((\ell_0, \nu_0), C, c\big) \models \Diamond_{C \le c}\, \varphi\Big) = P_{\mathcal{A}}\Big(\Diamond_{C \le c}\, \varphi\Big)$$
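The race between components of Section III and the run generator of Algorithm 1 can be exercised on a tiny network. The Python program below is an added example, not code from the paper or from UPPAAL. It implements delay sampling (uniform on [d(ℓ,ν), D(ℓ,ν)] under a bounded invariant, exponential with rate P(ℓ) otherwise), the minimum-delay race with the winning output broadcast to input-enabled receivers, and the observer-clock cut of Algorithm 1; it then estimates cost- and time-bounded reachability by Monte Carlo. The network is only modelled on Fig. 3: its exact structure (an observer T that moves on either a or b, with cost rates 4, 2 and 0), the bounds and every probability quoted here are constructed assumptions of this example, not values from the paper. It also handles one case Algorithm 1 leaves implicit: when every component's delay is infinite and the observer clock has rate 0, the bound can never be reached and the run simply ends instead of dividing by zero.

```python
"""Race semantics (Section III) and random runs (Algorithm 1) for a small NPTA.
Added example, not the paper's code; the network is a constructed assumption."""
import random

INF = float("inf")


class PTA:
    """One component.  `locs` maps a location name to a dict with optional keys:
    inv   : (clock, upper)   invariant clock <= upper  -> uniform delay on [d, D]
    exp   : rate P(l)        exponential delay when the location has no invariant
    rates : {clock: rate}    clock rates in this location (default rate 1)
    out   : [(clock, lower, action, target, resets)]   output edges, guard clock >= lower
    inp   : {action: target} input edges; missing inputs loop (input-enabled completion)
    Assumption: guards are single lower bounds and a location without outputs never wins."""

    def __init__(self, name, init, clocks, locs):
        self.name, self.init, self.clocks, self.locs = name, init, clocks, locs

    def rate(self, loc, clock):
        return self.locs[loc].get("rates", {}).get(clock, 1)

    def delay(self, loc, val, rng):
        """Sample from the delay density mu_s of the state (loc, val)."""
        spec = self.locs[loc]
        outs = spec.get("out", [])
        if not outs:
            return INF
        # d(l, nu): infimum delay before some output edge becomes enabled
        d_min = min(max(0.0, (lo - val[c]) / self.rate(loc, c)) for c, lo, *_ in outs)
        if "inv" in spec:
            c, hi = spec["inv"]
            d_max = (hi - val[c]) / self.rate(loc, c)   # D(l, nu): supremum delay allowed
            if d_max < d_min:
                raise ValueError(f"{self.name}.{loc}: invariant expires before any output")
            return rng.uniform(d_min, d_max)
        return d_min + rng.expovariate(spec.get("exp", 1.0))


def random_run(net, observer, bound, rng):
    """Algorithm 1: one random run, cut when the observer clock reaches `bound`.
    Returns the list of (locations, valuation) pairs visited."""
    locs = {p.name: p.init for p in net}
    val = {c: 0.0 for p in net for c in p.clocks}
    owner = {c: p for p in net for c in p.clocks}
    run = [(dict(locs), dict(val))]

    def advance(d):                       # nu + R(l) * d, clock by clock
        for c, p in owner.items():
            val[c] += d * p.rate(locs[p.name], c)

    def obs_rate():
        return owner[observer].rate(locs[owner[observer].name], observer)

    while val[observer] < bound:
        delays = {p.name: p.delay(locs[p.name], val, rng) for p in net}
        d = min(delays.values())
        if d == INF or val[observer] + d * obs_rate() >= bound:
            if obs_rate() > 0:            # delay exactly up to the bound and stop
                advance((bound - val[observer]) / obs_rate())
                run.append((dict(locs), dict(val)))
            return run                    # else: rate 0 and no output pending, bound unreachable
        advance(d)
        winner = next(p for p in net if delays[p.name] == d)
        loc = locs[winner.name]
        enabled = [e for e in winner.locs[loc]["out"] if val[e[0]] >= e[1] - 1e-9]
        _, _, action, target, resets = rng.choice(enabled)   # "pick" = uniform choice
        locs[winner.name] = target
        for c in resets:
            val[c] = 0.0
        for p in net:                     # broadcast: every other component follows its input edge
            if p is not winner:
                locs[p.name] = p.locs[locs[p.name]].get("inp", {}).get(action, locs[p.name])
        run.append((dict(locs), dict(val)))
    return run


def fig3_like_network(exp_rate=None):
    """Constructed network modelled on Fig. 3: A (x<=1, a!), B (y<=2, b!) or B_r
    (exponential delay, b!), and an observer T with cost clock C and time clock t."""
    A = PTA("A", "A0", {"x"}, {"A0": {"inv": ("x", 1.0), "out": [("x", 0.0, "a", "A1", [])]},
                              "A1": {}})
    b0 = {"out": [("y", 0.0, "b", "B1", [])]}
    if exp_rate is None:
        b0["inv"] = ("y", 2.0)
    else:
        b0["exp"] = exp_rate
    B = PTA("B", "B0", {"y"}, {"B0": b0, "B1": {}})
    T = PTA("T", "T0", {"C", "t"}, {"T0": {"rates": {"C": 4}, "inp": {"a": "T1", "b": "T1"}},
                                   "T1": {"rates": {"C": 2}, "inp": {"a": "T3", "b": "T3"}},
                                   "T3": {"rates": {"C": 0}}})
    return [A, B, T]


def estimate(net, observer, bound, component, location, runs, seed=1):
    """Monte Carlo estimate of P(<>_{observer <= bound} component.location)."""
    rng = random.Random(seed)
    hits = sum(any(l[component] == location for l, _ in random_run(net, observer, bound, rng))
               for _ in range(runs))
    return hits / runs
```

Under these assumptions the two outputs happen at independent times X ~ U[0,1] and Y ~ U[0,2] (a loser re-draws from the remaining interval, which is exactly the conditional distribution), and the cost at the second output is 2(X+Y) whichever order they come in, so `estimate(fig3_like_network(), "C", 4.0, "T", "T3", 4000)` should land near 3/4, the time-bounded variant with `"t", 1.0` near 1/2, and the exponential B_r variant with rate 1 near 1 − e^(−2)(e − 1) ≈ 0.767.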
f) Statistical Model Checking Algorithms: We briefly recap statistical algorithms permitting to answer the following two types of questions: (1) Qualitative: Is the probability for a given NPTA $\mathcal{A}$ to satisfy a property $\Diamond_{C \le c}\, \varphi$ greater or equal to a certain threshold $\theta$? and (2) Quantitative: What is the probability for $\mathcal{A}$ to satisfy $\Diamond_{C \le c}\, \varphi$? Each run of the system is encoded as a Bernoulli random variable that is true if the run satisfies the property and false otherwise.

g) Qualitative Question: This problem reduces to testing the hypothesis $H : p = P_{\mathcal{A}}(\Diamond_{C \le c}\, \varphi) \ge \theta$ against $K : p < \theta$. To bound the probability of making errors, we use strength parameters $\alpha$ and $\beta$ and we test the hypotheses $H_0 : p \ge p_0$ and $H_1 : p \le p_1$ with $p_0 = \theta + \delta$ and $p_1 = \theta - \delta$. The interval $p_0 - p_1$ defines an indifference region, and $p_0$ and $p_1$ are used as thresholds in the algorithm. The parameter $\alpha$ is the probability of accepting $H_1$ when $H_0$ holds (false positives) and the parameter $\beta$ is the probability of accepting $H_0$ when $H_1$ holds (false negatives). The above test can be solved by using Wald's sequential hypothesis testing [16]. This test, which is presented in Algorithm 2, computes a proportion $r$ among those runs that satisfy the property. With probability 1, the value of the proportion will eventually cross $\log(\beta / (1 - \alpha))$ or $\log((1 - \beta) / \alpha)$ and one of the two hypotheses will be selected.

Algorithm 2: Hypothesis testing
    function hypothesis($S$: model, $\psi$: property)
        r := 0
        while true do
            Observe the random variable $x$ corresponding to $\Diamond_{C \le c}\, \varphi$ for a run.
            r := r + $x * \log(p_1 / p_0) + (1 - x) * \log((1 - p_1) / (1 - p_0))$
            if r $\le \log(\beta / (1 - \alpha))$ then accept $H_0$
            if r $\ge \log((1 - \beta) / \alpha)$ then accept $H_1$
        end

h) Quantitative question:
This algorithm [32] computes the number $N$ of runs needed in order to produce an approximation interval $[p - \epsilon, p + \epsilon]$ for $p = Pr(\psi)$ with a confidence $1 - \alpha$. The values of $\epsilon$ and $\alpha$ are chosen by the user and $N$ relies on the Chernoff-Hoeffding bound as shown in Algorithm 3.

Algorithm 3:
Probability estimation
    function estimate($S$: model, $\psi$: property, $\delta$: confidence, $\epsilon$: approximation)
        N := $\ln(2 / \alpha) / (2 \epsilon^2)$,  a := 0
        for i := 1 to N do
            Observe the random variable $x$ corresponding to $\psi$ for a run.
            a := a + x
        end
        return a / N
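Algorithms 2 and 3 reduce to a few lines once "observe a run" is a callable. The Python below is an added example, not the paper's implementation: `sprt` is Wald's test with the indifference region [θ − δ, θ + δ] and the boundaries log(β/(1−α)) and log((1−β)/α) exactly as in Algorithm 2, and `chernoff_runs`/`estimate_probability` implement Algorithm 3. The `bernoulli` sampler is a constructed, seeded stand-in with a known p so that the decisions can be checked; in a real setting the sampler would generate a run with the procedure of Algorithm 1 and evaluate the property on it.

```python
"""Wald's sequential test (Algorithm 2) and Chernoff-Hoeffding estimation (Algorithm 3).
Added example, not the paper's implementation; `sample` replaces "observe one run"."""
import math
import random


def sprt(sample, theta, delta, alpha, beta):
    """Test H0: p >= theta against H1: p < theta, one Bernoulli observation per call.
    p0 = theta + delta and p1 = theta - delta bound the indifference region; alpha is the
    probability of accepting H1 under H0, beta that of accepting H0 under H1.
    Returns ("H0" or "H1", number of runs observed)."""
    p0, p1 = theta + delta, theta - delta
    low, high = math.log(beta / (1 - alpha)), math.log((1 - beta) / alpha)
    r, n = 0.0, 0
    while True:
        x = sample()
        n += 1
        # log-likelihood ratio of H1 against H0 for this observation
        r += math.log(p1 / p0) if x else math.log((1 - p1) / (1 - p0))
        if r <= low:
            return "H0", n
        if r >= high:
            return "H1", n


def chernoff_runs(epsilon, alpha):
    """Runs needed so that P(|estimate - p| > epsilon) <= alpha (Chernoff-Hoeffding)."""
    return math.ceil(math.log(2 / alpha) / (2 * epsilon ** 2))


def estimate_probability(sample, epsilon, alpha):
    """Algorithm 3: fixed-size Monte Carlo estimate with the Chernoff-Hoeffding sample size."""
    n = chernoff_runs(epsilon, alpha)
    return sum(1 for _ in range(n) if sample()) / n, n


def bernoulli(p, seed):
    """Constructed stand-in for 'run the model and check the property' with known p."""
    rng = random.Random(seed)
    return lambda: rng.random() < p


if __name__ == "__main__":
    print(sprt(bernoulli(0.9, 1), theta=0.7, delta=0.05, alpha=0.01, beta=0.01))
    print(estimate_probability(bernoulli(0.6, 3), epsilon=0.05, alpha=0.05))
```

The sequential test typically decides after a few dozen runs when p is far from θ, whereas the estimation always consumes its fixed budget (738 runs for ε = 0.05 and α = 0.05); the price of the speed is that the SPRT answers only the qualitative question.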
V. BEYOND “CLASSICAL” STATISTICAL MODEL CHECKING
Here, we want to compare $p_1 = P_{\mathcal{A}}(\Diamond_{C \le c}\, \varphi_1)$ and $p_2 = P_{\mathcal{A}}(\Diamond_{C \le c}\, \varphi_2)$ without computing them, with clear applications e.g. in determining the possible improvement in performance of a new control program. In [16], Wald has shown that this problem can be reduced to a sequential hypothesis testing one. Our contributions here are (1) to apply this algorithm in the formal verification area, (2) to extend the original algorithm of [16] to handle cases where we observe the same outcomes for both experiments, and (3) to implement a parametric extension of the algorithm that allows to reuse results on several timed bounds. More precisely, instead of comparing two probabilities with one common cost bound $C \le c$, the new extension does it for all the $N$ bounds $i \cdot c / N$ with $i = 1 \ldots N$ by reusing existing runs.

i) Comparison Algorithm: Let the efficiency of satisfying $\Diamond_{C \le c}\, \varphi_1$ over runs be given by $k_1 = p_1 / (1 - p_1)$ and similarly $k_2$ for $\Diamond_{C \le c}\, \varphi_2$. The relative superiority of “$\varphi_2$ over $\varphi_1$” is measured by the ratio $u = k_2 / k_1 = p_2(1 - p_1) / (p_1(1 - p_2))$. If $u = 1$ both properties are equally good, if $u > 1$, $\varphi_2$ is better, otherwise $\varphi_1$ is better. Due to the indifference region, we have two parameters $u_0$ and $u_1$ such that $u_0 < u_1$ to make the decision. If $u \le u_0$ we favor $\varphi_1$ and if $u \ge u_1$ we favor $\varphi_2$. The parameter $\alpha$ is the probability of rejecting $\varphi_1$ when $u \le u_0$ and the parameter $\beta$ is the probability of rejecting $\varphi_2$ when $u \ge u_1$. An outcome for the comparison algorithm is a pair $(x_1, x_2) = (r_1 \models \Diamond_{C \le c}\, \varphi_1,\; r_2 \models \Diamond_{C \le c}\, \varphi_2)$ for two independent runs $r_1$ and $r_2$. In Wald's version (lines 10–14 of Algorithm 4), the outcomes $(0, 0)$ and $(1, 1)$ are ignored. The algorithm works if it is guaranteed to eventually generate different outcomes. We extend the algorithm with a qualitative test (lines 5–9 of Algorithm 4) to handle the case when the outcomes are always the same. The hypothesis we test is $P_{\mathcal{A}}(r_1 \models \Diamond_{C \le c}\, \varphi_1 = r_2 \models \Diamond_{C \le c}\, \varphi_2) \ge \theta$ for two independent runs $r_1$ and $r_2$. Typically we want the parameters $p'_0 = \theta + \delta$ (for the corresponding hypothesis $H_0$) and $p'_1 = \theta - \delta$ (for $H_1$) to be close to 1. Our version of the comparison algorithm is shown in Algorithm 4 with the following initializations:

$$a = \frac{\log(\beta / (1 - \alpha))}{\log(u_1) - \log(u_0)}, \qquad r = \frac{\log((1 - \beta) / \alpha)}{\log(u_1) - \log(u_0)}, \qquad c = \frac{\log(\ldots)}{\log(u_1) - \log(u_0)}$$

Algorithm 4:
Comparison of probabilities
    function comprise($S$: model, $\psi_1$, $\psi_2$: properties)
        check := 1, q := 0, t := 0
        while true do
            Observe the random variable $x_1$ corresponding to $\psi_1$ for a run.
            Observe the random variable $x_2$ corresponding to $\psi_2$ for a run.
            if check = 1 then
                x := ($x_1$ == $x_2$)
                q := q + $x * \log(p'_1 / p'_0) + (1 - x) * \log((1 - p'_1) / (1 - p'_0))$
                if q $\le \log(\beta / (1 - \alpha))$ then return indifferent
                if q $\ge \log((1 - \beta) / \alpha)$ then check := 0
            end
            if $x_1 \ne x_2$ then a := a + c, r := r + c
            if $x_1 = 0$ and $x_2 = 1$ then t := t + 1
            if t $\le$ a then accept ($u \le u_0$: favour $\psi_1$)
            if t $\ge$ r then reject ($u \ge u_1$: favour $\psi_2$)
        end
    end
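The comparison test of Algorithm 4, including the qualitative pre-check for identical outcomes, as an added Python example (not the paper's implementation). The boundary constants are derived here from Wald's likelihood ratio restricted to the discordant pairs: among those, a (0,1) outcome has probability u/(1+u), which yields a = log(β/(1−α))/(log u1 − log u0) and r = log((1−β)/α)/(log u1 − log u0) as in the text and a per-discordant-pair drift c = log((1+u1)/(1+u0))/(log u1 − log u0); that form of c is this example's own derivation, not transcribed from the paper. The convention u = k2/k1 with t counting (0,1) outcomes follows the text above; `bernoulli` is a constructed sampler with known p1, p2 standing in for checking ψ1 and ψ2 on independent runs.

```python
"""Sequential comparison of two properties without estimating their probabilities
(Algorithm 4 with the qualitative pre-check).  Added example, not the paper's code."""
import math
import random


def compare_properties(sample1, sample2, u0, u1, alpha, beta, theta, delta, max_pairs=200000):
    """Returns "phi1" when u = k2/k1 <= u0 is accepted, "phi2" when u >= u1 is accepted,
    and "indifferent" when the two properties agree on a fraction >= theta of the runs.
    u0 < u1 bound the indifference region on u; alpha/beta are the error strengths."""
    lr = math.log(u1) - math.log(u0)
    a = math.log(beta / (1 - alpha)) / lr          # lower boundary on t  -> favour phi1
    r = math.log((1 - beta) / alpha) / lr          # upper boundary on t  -> favour phi2
    c = math.log((1 + u1) / (1 + u0)) / lr         # both boundaries move by c per discordant pair
    q0, q1 = theta + delta, theta - delta          # pre-check: H0: P(x1 = x2) >= theta
    low, high = math.log(beta / (1 - alpha)), math.log((1 - beta) / alpha)
    check, q, t = True, 0.0, 0
    for _ in range(max_pairs):
        x1, x2 = sample1(), sample2()
        if check:
            agree = x1 == x2
            q += math.log(q1 / q0) if agree else math.log((1 - q1) / (1 - q0))
            if q <= low:
                return "indifferent"               # outcomes (almost) always coincide
            if q >= high:
                check = False                      # disagreements do occur: Wald's test terminates
        if x1 != x2:                               # Wald's test looks only at discordant pairs
            a += c
            r += c
            if (not x1) and x2:
                t += 1                             # a (0,1) outcome: evidence for phi2
            if t <= a:
                return "phi1"
            if t >= r:
                return "phi2"
    raise RuntimeError("no decision within max_pairs")


def bernoulli(p, seed):
    """Constructed stand-in for 'run the model and check the property' with known p."""
    rng = random.Random(seed)
    return lambda: rng.random() < p


if __name__ == "__main__":
    print(compare_properties(bernoulli(0.3, 1), bernoulli(0.7, 2), 0.8, 1.25, 0.01, 0.01, 0.95, 0.02))
```

With p1 = 0.3 and p2 = 0.7 the true ratio is u = 0.49/0.09 ≈ 5.4, well above u1, so the decision "phi2" is reached after a few dozen discordant pairs; with both probabilities at 0.995 the pairs agree about 99% of the time and the pre-check returns "indifferent" long before enough discordant pairs could accumulate.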
We now generalise thecomparison algorithm to give answers not only for one costbound c but N cost bounds i ∗ c/N (with i = 1 . . . N ). Thisalgorithm is of particular interest to generate distribution overtimed bounds value of the property. The idea is to reuse theruns of smaller bounds. When ✸ C ≤ c ϕ or ✸ C ≤ c ϕ holds onsome run we keep track of the corresponding point in cost(otherwise the cost value is irrelevant). Every pair or runs givesa pair of outcomes ( x , x ) at cost points ( c , c ) . For every i = 1 . . . N we define the new pair of outcomes ( y i , y i ) = (cid:0) x ∧ ( i · c/N ≥ t · rate C ) , x ∧ ( i · c/N ≥ t · rate C ) (cid:1) for which we use our comparison algorithm. We terminate thealgorithm when a result for every i th bound is known.Let a, r, c be the parameters of the previous comparisonalgorithm. Let a ′ , r ′ , c ′ be the parameters of the qualitativecheck of Section IV. The procedure is shown in Algorithm 5: Algorithm 5:
The algorithm for parametrised probabilities comparison

    function comprise2(S: model, ϕ1, ϕ2: properties, C: clock, c: cost bound, N: number of bounds)
        for i := 1 to N do
            q_i := 0, a'_i := a', r'_i := r', t_i := 0, a_i := a, r_i := r, result_i := −1
        end
        repeat
            Observe x1 corresponding to ϕ1 for a run at time t1.
            Observe x2 corresponding to ϕ2 for a run at time t2.
            stop := 1
            for i := 1 to N do
                y1 := x1 ∧ (i · c/N ≥ t1 · rate_C)
                y2 := x2 ∧ (i · c/N ≥ t2 · rate_C)
                if result_i = −1 then
                    a'_i := a'_i + c', r'_i := r'_i + c'
                    if y1 = y2 then q_i := q_i + 1
                    if q_i ≤ a'_i then result_i := 0.5
                    if q_i ≥ r'_i then result_i := −2
                end
                if result_i < 0 and y1 ≠ y2 then
                    a_i := a_i + c, r_i := r_i + c
                    if y1 = 0 and y2 = 1 then t_i := t_i + 1
                    if t_i ≤ a_i then result_i := 1
                    if t_i ≥ r_i then result_i := 0
                end
                if result_i < 0 then stop := 0
            end
        until stop = 1

The results for every $i$-th bound are three-valued: 0 means $\varphi_1$ is rejected, 1 means $\varphi_1$ is accepted, and 0.5 means indifference.

VI. CASE STUDIES
We have extended UPPAAL with the algorithms described in this paper. The implementation provides access to all the powerful features of the tool, including user defined functions and types, and the use of expressions in guards, invariants, clock-rates as well as delay-rates. The implementation also supports branching edges with discrete probabilities (using weights), thus supporting probabilistic timed automata (a feature to which our stochastic semantics of NPTA may easily be extended). Besides these additional features, the case-studies reported below (as well as the plots in the previous part of the paper) illustrate the nice features of the new plot composing GUI of the tool. For more results including models of the case-studies see .

k) Train-Gate Example:
We consider the train-gate example [33], where N trains want to cross a one-track bridge. We extend the original model by specifying an arrival rate for Train i of (i + 1)/N. Trains are then approaching, but they can be stopped before some time threshold. When a train is stopped, it can start again. Eventually trains cross the bridge and go back to their safe state. The template of these trains is given in Fig. 5(a). Our model captures the natural behavior of arrivals with some exponential rate and random delays chosen with uniform distributions in states labelled with invariants. The tool is used to estimate the probability that Train 0 and Train 5 will cross the bridge in less than  units of time. Given a confidence level of . the confidence intervals returned are [0. , . ] and [0. , . ]. The tool computes for each time bound T the frequency count of runs of length T for which the property holds. Figure 5(b) shows a superposition of both distributions obtained directly with our tool, which provides a plot composer for this purpose.

Figure 5: Template of a train (a) and probability density distributions (b) for $\Diamond_{T\le t}\,\mathit{Train}(0).\mathit{Cross}$ and $\Diamond_{T\le t}\,\mathit{Train}(5).\mathit{Cross}$.

The distribution for Train 5 is the one with higher probability at the beginning, which confirms that this train is indeed the faster one. An interesting point is to note the valleys in the probability densities that correspond to other trains conflicting for crossing the bridge. They are particularly visible for Train 0. The number of valleys corresponds to the number of trains. This is clearly not a trivial distribution (not even unimodal), one that we could not have guessed manually even from such a simple model. In addition, we use the qualitative check to cheaply refine the result to [0. , . ] and [0. , . ].

We then compare the probability for Train 0 to cross when all other trains are stopped with the same probability for Train 5.

Figure 6: Comparing trains 0 and 5 (top: number of runs against the time bound; bottom: cumulative distributions and comparisons against the time bound, with curves Train(0), Train(5) and ǫ = 0.1, 0.05, 0.01).

In the first plot (Fig. 6 top), we check the same property with different time bounds, taken in fixed steps, and we plot the number of runs for each check. These experiments only check for the specified bound; they are not parametrised. In the second plot, we use the parametric extension presented in Section V with a granularity of 10 time units. We configured the thresholds $u_0$ and $u_1$ to differentiate the comparisons at $u_0 = 1 - \epsilon$ and $u_1 = 1 + \epsilon$ with $\epsilon = 0.1, 0.05, 0.01$ as shown on the figure. In addition, we use a larger time bound to visualise the behaviors after that, which are interesting for our checker. In the first plot of Fig. 6, we show for each time bound the average number of runs needed by the comparison algorithm repeated 30 times for different values of $\epsilon$. In the bottom plot, we first superpose the cumulative probability for both trains (curves Train 0 and Train 5) that we obtain by applying the quantitative algorithm of Section IV for each time bound in the sampling. Interestingly, before that point one train is better and later the other train is better. Second, we compare these probabilities by using the comparison algorithm (curves 0.1, 0.05, 0.01). This algorithm can return 3 values: 0 if Train 0 wins, 1 if Train 5 wins and 0.5 otherwise. We report for each time bound and each value of $\epsilon$ the average of these values for 30 executions of the algorithm.

ǫ properties for the first plot (sequential check), and the time to obtain all the results at once (parallel check). The results are shown in Table I.

Table I: Sequential and parallel check comparison.

The experiments are done on a Pentium D at 2.4GHz and consume very little memory. The parallel check is about 10 times faster (the implementation checks simulations sequentially using a single thread). In fact it is limited by the highest number of runs required, as shown by the second peak in Fig. 6.
The expensive part is to generate the runs, so reusing them is important. Note that at the beginning and at the end, our algorithm aborts the comparison of the curves, which is visible as the number of runs is sharply cut.

l) Lightweight Media Access Control Protocol:

The Lightweight Media Access Control (LMAC) protocol is used in sensor networks to schedule communication between nodes. This protocol is targeted for distributed self-configuration, collision avoidance and energy efficiency. In this study we reproduce the improved UPPAAL model from [34] without verification optimisations, parametrise it with the network topology (ring and chain), add probabilistic weights (exponential and uniform) over discrete delay decisions and examine statistical properties which were not possible to check before. Based on [35], our node model consumes 21, 22, 2 and 1 power units per time unit when a node is sending, receiving, listening for messages or being idle respectively.

Figure 7: Collision probabilities when using exponential and uniform weights in chain and ring topologies. (a) Cumulative probability of collision over time (curves uni-ring, uni-chain, exp-ring, exp-chain). (b) Probability of having various numbers of collisions (curves uni-chain, exp-chain).

Fig. 7a shows that collisions may happen in all cases and that the probability of collision is higher with exponential decision weights than with uniform decision weights, but seems independent of the topology (ring or chain). The probability of collision stays stable after 50 time units, despite longer simulations, meaning that the network may stay collision free if the first collisions are avoided. We also applied the method for parametrised probability comparison to the collision probability. The results are that up to 14 time units the probabilities are the same and later exponential weights have a higher collision probability than uniform ones, but the results were inconclusive when comparing different topologies. The probable collision counts in the chain topology are shown in Fig. 7b, where the case with 0 collisions has a probability of 87.06% and 89.21% when using exponential and uniform weights respectively. The maximum number of probable collisions is 7 for both weight distributions despite very long runs, meaning that the network eventually recovers from collisions. The probable collision count in the ring topology (not shown) yields that there is no upper bound on the collision count, as collisions add up indefinitely, but there is a fixed probability peak at 0 collisions (87.06% and 88.39% using uniform and exponential weights resp.) with a short tail up to 7 collisions (like in Fig. 7b), a long interval of 0 probability and then a small probability bump (0.35% in total) at a large number of collisions. Thus the chances of perpetual collisions are tiny.

Figure 8: Total energy consumption (probability density over energy; curves exp-chain, uni-chain, exp-ring, uni-ring).

Fig. 8 shows the probability density of energy consumption using uniform and exponential weights in chain and ring topologies. The ring topology uses more power (possibly due to collisions), and uniform weights use slightly less energy than exponential weights in these particular topologies.

m) Duration Probabilistic Automata:
Duration Probabilistic Automata [19] (DPA) are used for modeling job-shop problems. A DPA consists of several Simple DPAs (SDPA). An SDPA is a processing unit, a clock and a list of tasks to process sequentially. Each task has an associated duration interval, from which its duration is chosen (uniformly). Resources are used to model task races – we allow different resource types and different quantities of each type. A fixed priority scheduler is used to resolve conflicts. A DPA example is shown in Fig. 9.

Figure 9: A DPA example. Rectangles are busy states and circles are for waiting when resources are not available. There are $r_1 = 5$ and $r_2 = 3$ resources available.

DPA can be encoded in our tool (with a continuous or discrete time semantics) or in PRISM (discrete semantics), see the technical report [36]. In PRISM, integer and boolean variables are used to encode the current tasks and resources. PRISM only supports the discrete time model. In UPPAAL, a chain of waiting and task locations is created for each SDPA. Guards and invariants encode the duration of the task, and an array of integers contains the available resources. The scheduler is encoded as a separate template. We omit the resources and durations from the table for simplicity; they are chosen arbitrarily for the experiment. For UPPAAL, both a discrete and a continuous time version have been implemented. The performance of the translations is measured on several case studies and shown in Tables II and III. In the hypothesis testing column, UPPAAL (Upp in the table) uses the sequential hypothesis testing introduced in Section IV, whereas PRISM uses its own new implementation of the hypothesis testing algorithm. In the estimation column, both UPPAAL and PRISM use the quantitative check of Section IV, but UPPAAL is faster due to implementation details. For both tools, the error bounds used are α = β = 0. . In the hypothesis test, the indifference region size is . , while we have ǫ = 0. for the quantitative approach. The results show that UPPAAL is faster than PRISM even with the discrete encoding, which currently is the only fair comparison.

Table II: Tool performance comparison.
    Parameters            Estimation                 Hypothesis Testing
     n   k  Duration   PRISM   Upp d   Upp c      PRISM   Upp d   Upp c
    10  10     4,8      42.2     8.7     6.9       64.1     1.0      .3
    10  10    8,16      60.3    11.3     7.2       49.4      .7      .3
    10  10   16,32      91.8    13.4     7.0       77.1      .9      .4
    10  10   32,64     126.0    14.8     7.0       65.8      .9      .3
    10  10   64,128    176.8    16.3     7.0       83.4      .9      .3
    20  20   64,128       -    129.4    52.2         -      5.2     1.6
    20  20  128,256       -    146.4    52.1         -      8.1     1.8
    20  20  256,512       -    173.8    52.3         -     11.6     1.8
In the first test, we create a DPA with n SDPAs, k tasks per SDPA and no resources. The duration interval of each task is changed and the verification time is measured. In the second test, we choose n, k and let m be the number of resource types. The resource usage and duration intervals are randomised. The query for the approximation test is: "What is the probability of all SDPAs ending within t time units?". In the verification test, we ask the query: "Do all SDPAs end within t time units with probability greater than 40%?". The value of t varies for each model as it was computed by simulating the system 369 times and represents the value for which at least 60% of the runs reached the final state.

Table III: Comparison with various durations.

    Parameters            Estimation                 Hypothesis Testing
     n   k   m         PRISM   Upp d   Upp c      PRISM   Upp d   Upp c
                        >300    34.2    24.4
    30  40  20    -     >300    57.3    38.0
    40  40  20    -     >300    67.4    70.0
    40  20  20    -     >300    40.0    35.4
    40  30  20    -     >300    55.5    51.4
    40  55  40    -    219.5
    50  55  40    -    323.8
    55  40  40    -    307.0
    55  50  40    -    342.7
VII. CONCLUSION AND FUTURE WORK

This paper proposes a natural stochastic semantics for networks of priced timed automata. The paper also explains how Statistical Model Checking can be applied on the resulting model, handling case studies that are beyond the scope of existing approaches. The case studies show that models are more expressive, and that the tool is faster and capable of handling larger models than the state-of-the-art model-checker of stochastic systems. The extended property language allows quantification of events with a limited impact in terms of probability and cost, complementing critical property checks. Hypothesis testing has an order of magnitude advantage in verification time over probability estimation, and thus provides an opportunity to gain leverage when more information is available. There are many directions for future research. For example, the designer may have some prior knowledge about the probability of the property violation. This information could be used in a Bayesian fashion to improve the efficiency of the test. If the system is assumed to be "well-designed", one can postulate that the property under verification should rarely be falsified. In this case, the statistical model checking algorithms will be efficient to compute the probability of absence of errors. Unfortunately, they will not be efficient to compute the probability of making an error. We propose to overcome this problem by mixing existing SMC approaches with rare-event techniques [37]. Finally, it would also be of interest to consider more elaborate properties [38]–[41] or black-box systems [15].

REFERENCES
[1] E. Clarke, O. Grumberg, and D. Peled, Model Checking. MIT Press, 1999.
[2] R. Alur and D. Dill, "A Theory of Timed Automata," Theoretical Computer Science, vol. 126, pp. 183–235, 1994.
[3] R. Alur, C. Courcoubetis, N. Halbwachs, T. A. Henzinger, P. Ho, X. Nicollin, A. Olivero, J. Sifakis, and S. Yovine, "The algorithmic analysis of hybrid systems," Theoretical Computer Science, vol. 138, no. 1, pp. 3–34, 1995.
[4] G. Behrmann, A. Fehnker, T. Hune, K. G. Larsen, P. Pettersson, J. Romijn, and F. W. Vaandrager, "Minimum-cost reachability for priced timed automata," in HSCC, ser. LNCS, M. D. D. Benedetto and A. L. Sangiovanni-Vincentelli, Eds., vol. 2034. Springer, 2001, pp. 147–161.
[5] R. Alur, S. L. Torre, and G. J. Pappas, "Optimal paths in weighted timed automata," in HSCC, ser. LNCS, M. D. D. Benedetto and A. L. Sangiovanni-Vincentelli, Eds., vol. 2034. Springer, 2001, pp. 49–62.
[6] "The SPIN tool (spin)," available at http://spinroot.com/spin/whatispin.html.
[7] "The SMV model checker," available at .
[8] "The UPPAAL tool," available at .
[9] G. Frehse, "PHAVer: algorithmic verification of hybrid systems past HyTech," STTT, vol. 10, no. 3, pp. 263–279, 2008.
[10] C. Baier, N. Bertrand, P. Bouyer, T. Brihaye, and M. Größer, "Probabilistic and topological semantics for timed automata," in FSTTCS, ser. LNCS, vol. 4855. Springer, 2007, pp. 179–191.
[11] N. Bertrand, P. Bouyer, T. Brihaye, and N. Markey, "Quantitative model-checking of one-clock timed automata under probabilistic semantics," in QEST. IEEE Computer Society, 2008, pp. 55–64.
[12] H. Bohnenkamp, P. D'Argenio, H. Hermanns, and J.-P. Katoen, "MoDeST: A compositional modeling formalism for real-time and stochastic systems," University of Twente, Technical Report CTIT 04-46, 2004.
[13] T. Teige, A. Eggers, and M. Fränzle, "Constraint-based analysis of concurrent probabilistic hybrid systems: An application to networked automation systems," Nonlinear Analysis: Hybrid Systems, 2011.
[14] H. L. S. Younes, "Verification and planning for stochastic processes with asynchronous events," Ph.D. dissertation, Carnegie Mellon, 2005.
[15] K. Sen, M. Viswanathan, and G. Agha, "Statistical model checking of black-box probabilistic systems," in CAV, ser. LNCS, vol. 3114. Springer, 2004, pp. 202–215.
[16] A. Wald, Sequential Analysis. Dover, 2004.
[17] T. Hérault, R. Lassaigne, F. Magniette, and S. Peyronnet, "Approximate probabilistic model checking," in VMCAI, ser. LNCS, 2004, pp. 73–84.
[18] A. David, K. Larsen, A. Legay, Z. Wang, and M. Mikučionis, "Time for real statistical model-checking: Statistical model-checking for real-time systems," in CAV, ser. LNCS. Springer, 2011.
[19] O. Maler, K. G. Larsen, and B. H. Krogh, "On zone-based analysis of duration probabilistic automata," in INFINITY, ser. EPTCS, vol. 39, 2010, pp. 33–46.
[20] K. G. Larsen and A. Skou, "Bisimulation through probabilistic testing," in POPL, 1989, pp. 344–352.
[21] H. L. S. Younes and R. G. Simmons, "Probabilistic verification of discrete event systems using acceptance sampling," in CAV, ser. LNCS, vol. 2404. Springer, 2002, pp. 223–235.
[22] H. L. S. Younes, "Ymer: A statistical model checker," in CAV, ser. LNCS, vol. 3576. Springer, 2005, pp. 429–433.
[23] P. Zuliani, A. Platzer, and E. M. Clarke, "Bayesian statistical model checking with application to Simulink/Stateflow verification," in HSCC. ACM, 2010, pp. 243–252.
[24] S. K. Jha, E. M. Clarke, C. J. Langmead, A. Legay, A. Platzer, and P. Zuliani, "A Bayesian approach to model checking biological systems," in CMSB, ser. LNCS, vol. 5688. Springer, 2009, pp. 218–234.
[25] E. M. Clarke, A. Donzé, and A. Legay, "Statistical model checking of mixed-analog circuits with an application to a third order delta-sigma modulator," in HVC, ser. LNCS, vol. 5394. Springer, 2008, pp. 149–163.
[26] J. Bogdoll, L.-M. Fioriti, A. Hartmanns, and H. Hermanns, "Partial order methods for statistical model checking and simulation," in FORTE, ser. LNCS. Springer, 2011, to appear.
[27] M. Minea, "Partial order reduction for verification of timed systems," Ph.D. dissertation, Carnegie Mellon, 1999.
[28] K. Sen, M. Viswanathan, and G. Agha, "On statistical model checking of stochastic systems," in CAV, ser. LNCS, vol. 3576, 2005, pp. 266–280.
[29] A. Basu, S. Bensalem, M. Bozga, B. Caillaud, B. Delahaye, and A. Legay, "Statistical abstraction and model-checking of large heterogeneous systems," in FORTE, ser. LNCS, vol. 6117. Springer, 2010, pp. 32–46.
[30] A. David, K. Larsen, A. Legay, U. Nyman, and A. Wasowski, "Timed I/O automata: a complete specification theory for real-time systems," in HSCC. ACM, 2010.
[31] P. Panangaden, Labelled Markov Processes. Imperial College Press, 2010.
[32] T. Hérault, R. Lassaigne, F. Magniette, and S. Peyronnet, "Approximate probabilistic model checking," in VMCAI, ser. LNCS, vol. 2937. Springer, 2003, pp. 307–329.
[33] G. Behrmann, A. David, and K. G. Larsen, "A tutorial on Uppaal," in SFM, ser. LNCS, vol. 3185, M. Bernardo and F. Corradini, Eds. Springer, 2004, pp. 200–236.
[34] A. Fehnker, L. van Hoesel, and A. Mader, "Modelling and verification of the LMAC protocol for wireless sensor networks," in Integrated Formal Methods, ser. LNCS, J. Davies and J. Gibbons, Eds. Springer Berlin / Heidelberg, 2007, vol. 4591, pp. 253–272.
[35] L. F. W. van Hoesel, "Sensors on speaking terms: schedule-based medium access control protocols for wireless sensor networks," Ph.D. dissertation, University of Twente, June 2007. [Online]. Available: http://doc.utwente.nl/57885/
[36] D. Poulsen and J. van Vliet, "Duration probabilistic automata," Aalborg University, Tech. Rep., 2011.
[37] J. Bucklew, Introduction to Rare Event Simulation. Springer, 2004.
[38] D. E. Rabih and N. Pekergin, "Statistical model checking using perfect simulation," in ATVA, ser. LNCS, vol. 5799. Springer, 2009, pp. 120–134.
[39] J.-P. Katoen and I. S. Zapreev, "Simulation-based CTMC model checking: An empirical evaluation," in QEST. IEEE, 2009, pp. 31–40.
[40] H. L. S. Younes, E. M. Clarke, and P. Zuliani, "Statistical verification of probabilistic properties with unbounded until," in SBMF, ser. LNCS, vol. 6527. Springer, 2010, pp. 144–160.
[41] P. Ballarini, H. Djafri, M. Duflot, S. Haddad, and N. Pekergin, "HASL: An expressive language for statistical verification of stochastic models," in VALUETOOLS, May 2011, to appear.
[42] M. D. D. Benedetto and A. L. Sangiovanni-Vincentelli, Eds., Hybrid Systems: Computation and Control, 4th International Workshop, HSCC 2001, Proceedings, ser. LNCS, vol. 2034. Springer, 2001.