Model exploration and analysis for quantitative safety refinement in probabilistic B
The role played by counterexamples in standard system analysis is well known; but less common is a notion of counterexample in probabilistic systems refinement. In this paper we extend previous work using counterexamples to inductive invariant proper…
Authors: Ukachukwu Ndukwu (Macquarie University), Annabelle McIver (Macquarie University)
J. Derrick, E.A. Boiten, S. Reeves (Eds.): Refinement Workshop 2011. EPTCS 55, 2011, pp. 101–120, doi:10.4204/EPTCS.55.7. © Ukachukwu Ndukwu and Annabelle McIver. This work is licensed under the Creative Commons Attribution License.

Ukachukwu Ndukwu* and Annabelle McIver†
Department of Computing, Macquarie University, NSW 2109 Australia.
{ukachukwu.ndukwu,annabelle.mciver}@mq.edu.au

The role played by counterexamples in standard system analysis is well known; but less common is a notion of counterexample in probabilistic systems refinement. In this paper we extend previous work using counterexamples to inductive invariant properties of probabilistic systems, demonstrating how they can be used to extend the technique of bounded model checking-style analysis for the refinement of quantitative safety specifications in the probabilistic B language. In particular, we show how the method can be adapted to cope with refinements incorporating probabilistic loops. Finally, we demonstrate the technique on pB models summarising a one-step refinement of a randomised algorithm for finding the minimum cut of undirected graphs, and that for the dependability analysis of a controller design.

Keywords: Probabilistic B, quantitative safety specification, refinement, counterexamples.

1 Introduction

The B method [1] and, more recently, its successor Event-B [2] comprise a method and its automation for modelling complex software systems. They are based on top-down refinement, where specifications can be elaborated with detail and additional features whilst the automated prover checks consistency between the refinements. Hoang's probabilistic B, or pB [15], extension of standard B gave designers the ability to refer to probability and access to the specification of quantitative safety properties.
In probabilistic systems, the generalisation of traditional safety properties allows the specification of random variables whose expected value must always remain above some given threshold. Elsewhere [23, 25] we have provided automation to check this requirement by analysing pB models using an automatic translation of their quantitative safety specifications as PRISM reward structures [14]. Our technique allows pB modellers to explore the quantitative safety properties encoded within their models to obtain diagnostic feedback in the form of counterexample traces in the case that their model does not satisfy the quantitative specification. Counterexamples become sets of execution traces, each with some probability of occurring, and jointly implying that the specified threshold is not maintained. Moreover, pB's consistency checking enforces inductive invariance of the quantitative safety property, thus the counterexample traces also demonstrate specific points in the model's execution where the inductive property fails.

The paradigm of abstraction and refinement supports stepwise development of probabilistic systems aimed at improving probabilistic results. Unfortunately, for quantitative safety specifications (our focus here), a human verifier has no way of inspecting that this requirement is met even though the automated prover readily establishes consistency between the refinements.

* This author acknowledges support from the Australian Commonwealth Endeavour International Postgraduate Research Scholarship (E-IPRS) Fund.
† This author acknowledges support from the Australian Research Council (ARC) Grant Number DP0879529.
One way to resolve this uncertainty is to explore algorithmic approaches similar to probabilistic model checking techniques, which can provide exact diagnostics summarising the failure (if indeed it exists) of the refinement goal. In this paper we extend some practical uses of counterexamples to probabilistic systems refinement with respect to quantitative safety specifications particular to the pB language. We show how to use them to generalise bounded model checking-style analysis for probabilistic programs so that an iteration can be verified by exhaustive search, provided that quantitative invariants are inductive for all reachable states. We also show how the use of probabilistic counterexamples in quantitative dependability analysis can be used to determine "failure modes" and "critical sets", which thus enables their extension to estimating component severity. We illustrate the techniques on two case studies: one based on a probabilistic algorithm [20] to find the minimum cut set in a graph, and the other a probabilistic design for a controller mechanism [11].

The outline of the paper is as follows. In Sec. 2 we summarise the underlying theory of pB; in Sec. 3 we discuss the probabilistic counterexamples we can derive from the models and a bounded model checking approach to probabilistic iteration. Sec. 4 summarises our prototype tool for generating counterexamples. In Sec. 5 we illustrate the technique on the specification of a randomised "min-cut". We discuss probabilistic diagnostics of dependability in Sec. 6 and demonstrate with a case study in Sec. 7. We discuss related work and then conclude.

1.0.1 Notation

Function application is represented by a dot, as in $f.x$ (rather than $f(x)$). We use an abstract finite state space $S$. Given predicate $\mathit{pred}$ we write $\mathit{lift}\,\mathit{pred}$ for the characteristic function mapping states satisfying $\mathit{pred}$ to 1 and to 0 otherwise, punning 1 and 0 with "True" and "False" respectively.
We write $\mathcal{E}S$ for the set of real-valued functions from $S$, i.e. the set of expectations; and whenever $e, e' \in \mathcal{E}S$ we write $e \Rrightarrow e'$ to mean that $(\forall s \in S \cdot e.s \leq e'.s)$. We let $\mathcal{D}S$ be the set of all discrete probability distributions over $S$; and write $\mathit{Exp}.\delta.e = \sum_{s \in S} (\delta.s) \times e.s$ for the expected value of $e$ over $S$, where $\delta \in \mathcal{D}S$ and $e \in \mathcal{E}S$. Finally we write $S^*$ for the finite sequences of states in $S$.

2 Probabilistic annotations

When probabilistic programs execute they make random updates; in the semantics that behaviour is modelled by discrete probability distributions over possible final values of the program variables. Given a program $\mathit{Prog}$ operating over $S$ we write $\llbracket \mathit{Prog} \rrbracket : S \to (S \to [0,1])$ for the semantic function taking initial states to distributions over final states. For example, the program fragment

$$\mathit{pInc} \;\triangleq\; s := s+1 \;\; {}_{p}\oplus \;\; s := s-1 \qquad (1)$$

increments state variable $s$ with probability $p$, or decrements it with probability $1-p$. The semantics $\llbracket \mathit{pInc} \rrbracket$ for each initial state $s$ is a probability distribution returning $p$ or $(1-p)$ for (final) states $s' = (s+1)$ or $s' = (s-1)$ respectively.

Rather than working with this semantics directly, we shall focus on the dual logical view, a generalisation of Hoare logic [16]. Probabilistic Hoare logic [22] takes account of the probabilistic judgements that can be made about probabilistic programs; in particular it can express when predicates can be established only with some probability. However, as we shall see, it is even more general than that, capable of expressing general expected properties of random variables over the program state. We use real-valued annotations of the program variables interpreted as expectations; a program annotation is said to be valid exactly when the expected value over the post-annotation is at least the value given by the pre-annotation. In detail,

$$\{\mathit{pre}\}\; \mathit{Prog}\; \{\mathit{post}\} \qquad (2)$$

is valid exactly when $\mathit{Exp}.(\llbracket \mathit{Prog} \rrbracket.s).\mathit{post} \geq \mathit{pre}.s$ for all states $s \in S$, where $\mathit{post}$ is interpreted as a random variable over final states and $\mathit{pre}$ as a real-valued function. With our notational convention, a correct annotation for $\mathit{pInc}$ (at (1)) is given by the triple

$$\{p \times \mathit{lift}(s = -1) + (1-p) \times \mathit{lift}(s = 1)\}\; \mathit{pInc}\; \{\mathit{lift}(s = 0)\}, \qquad (3)$$

which expresses the probability of establishing the state $s = 0$ finally, depending on the initial state from which $\mathit{pInc}$ executes. Thus if the initial state is $s = -1$ then that probability is $p$, but it is $(1-p)$ if the initial state is $s = 1$.

Rather than use the distribution-centred semantics outlined above, we shall use a generalisation of Dijkstra's weakest precondition or $\mathit{Wp}$ semantics defined on the program syntax of the probabilistic Guarded Command Language or pGCL [22]. The semantics of the language is set out in Fig. 1. As for standard $\mathit{Wp}$, this formulation allows annotations to be checked mechanically [15, 17]; moreover we see that annotation (2) is valid exactly when $\mathit{pre} \Rrightarrow \mathit{Wp}.\mathit{Prog}.\mathit{post}$.

  Name            | Prog                 | Wp.Prog.Expt
  identity        | skip                 | Expt
  assignment      | x := f               | Expt[x := f]
  composition     | Prog; Prog'          | Wp.Prog.(Wp.Prog'.Expt)
  choice          | Prog ⊳ G ⊲ Prog'     | Wp.Prog.Expt ⊳ G ⊲ Wp.Prog'.Expt
  probability     | Prog p⊕ Prog'        | Wp.Prog.Expt p⊕ Wp.Prog'.Expt
  nondeterminism  | Prog ⊓ Prog'         | Wp.Prog.Expt min Wp.Prog'.Expt
  weak iteration  | it Prog ti           | νX • (Wp.Prog.X min Expt)

Given a program command $\mathit{Prog}$ and expectation $\mathit{Expt}$ of type $\mathcal{E}S$, $\mathit{Wp}.\mathit{Prog}$ is of type $\mathcal{E}S \to \mathcal{E}S$. Note also that we write $\mathit{Exp}.(\llbracket \mathit{Prog} \rrbracket.s).\mathit{Expt}$ to mean $\mathit{Wp}.\mathit{Prog}.\mathit{Expt}.s$.

Figure 1: Structural definition of the expectation transformer-style semantics.
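The following script is an added worked example (not code from the paper): it implements the loop-free $\mathit{Wp}$ rules of Fig. 1 over a one-variable integer state, using exact rationals, and uses them to check annotation (3) for $\mathit{pInc}$ together with the annotation $\{s\}\,\mathit{pInc}\,\{s\}$, which holds exactly when $p \geq 1/2$, and a demonic variant that also offers a reset $s := 0$. Programs are encoded as nested tuples; the finite window of states checked ($-5..5$) is an assumption made only to keep the check finite.

```python
from fractions import Fraction as F

# Added example: an expectation-transformer evaluator for loop-free pGCL (Fig. 1).
# A state is the integer value of the single variable s; an expectation is a
# function state -> Fraction; a program is a nested tuple built by the helpers below.

def skip():                 return ("skip",)
def assign(f):              return ("assign", f)        # s := f(s)
def seq(p, q):              return ("seq", p, q)        # p; q
def cond(p, g, q):          return ("cond", p, g, q)    # p <| g |> q
def pchoice(p, prob, q):    return ("prob", p, prob, q) # p  prob(+)  q
def demonic(p, q):          return ("min", p, q)        # p  |~|  q


def lift(pred):
    """Characteristic expectation: 1 where pred holds, 0 elsewhere."""
    return lambda s: F(1) if pred(s) else F(0)


def wp(prog, post):
    """Wp.prog.post, following the structural rules of Fig. 1."""
    tag = prog[0]
    if tag == "skip":                       # identity
        return post
    if tag == "assign":                     # Expt[s := f]
        f = prog[1]
        return lambda s: post(f(s))
    if tag == "seq":                        # Wp.p.(Wp.q.Expt)
        return wp(prog[1], wp(prog[2], post))
    if tag == "cond":                       # Wp.p.Expt <| G |> Wp.q.Expt
        l, g, r = wp(prog[1], post), prog[2], wp(prog[3], post)
        return lambda s: l(s) if g(s) else r(s)
    if tag == "prob":                       # Wp.p.Expt  prob(+)  Wp.q.Expt
        l, pr, r = wp(prog[1], post), prog[2], wp(prog[3], post)
        return lambda s: pr * l(s) + (1 - pr) * r(s)
    if tag == "min":                        # Wp.p.Expt min Wp.q.Expt
        l, r = wp(prog[1], post), wp(prog[2], post)
        return lambda s: min(l(s), r(s))
    raise ValueError(tag)


def valid(pre, prog, post, states):
    """{pre} prog {post} is valid iff pre => Wp.prog.post pointwise (checked over `states`)."""
    w = wp(prog, post)
    return all(pre(s) <= w(s) for s in states)


STATES = range(-5, 6)   # assumed finite window of the integer state space


def pinc(p):
    """pInc of (1): s := s + 1  p(+)  s := s - 1."""
    return pchoice(assign(lambda s: s + 1), p, assign(lambda s: s - 1))


def annotation_3_holds(p):
    """(3): {p*lift(s=-1) + (1-p)*lift(s=1)} pInc {lift(s=0)}; valid for every p."""
    pre = lambda s: p * lift(lambda t: t == -1)(s) + (1 - p) * lift(lambda t: t == 1)(s)
    return valid(pre, pinc(p), lift(lambda t: t == 0), STATES)


def annotation_4_holds(p):
    """{s} pInc {s}: the expected value of s never decreases; valid iff p >= 1/2."""
    ident = lambda s: F(s)
    return valid(ident, pinc(p), ident, STATES)


def annotation_4_with_reset_holds(p):
    """{s} pInc |~| (s := 0) {s}: the demonic reset breaks the invariant whenever s > 0."""
    ident = lambda s: F(s)
    return valid(ident, demonic(pinc(p), assign(lambda s: 0)), ident, STATES)


if __name__ == "__main__":
    for p in (F(1, 3), F(1, 2), F(3, 4)):
        print(p, annotation_3_holds(p), annotation_4_holds(p),
              annotation_4_with_reset_holds(p), wp(pinc(p), lambda s: F(s))(0))
```

The nondeterministic case is the one that matters for pB machines without preconditions: because $\sqcap$ is interpreted as a pointwise minimum, a single operation that can lower the expectation (here the reset) makes the annotation fail regardless of $p$.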
In this paper we shall concentrate on certifying probabilistic safety expressible using probabilistic annotations. Informally, a probabilistic safety property is a random variable whose expected value cannot be decreased on execution of the program. (This idea generalises standard safety, where the truth of a safety predicate cannot be violated on execution of the program.) Safety properties are characterised by inductive invariants: for example the valid annotation $\{\mathit{Expt} \times \mathit{lift}\,\mathit{pred}\}\; \mathit{Prog}\; \{\mathit{Expt}\}$ says that $\mathit{Expt}$ is an inductive invariant for $\mathit{Prog}$ provided it is executed in an initial state satisfying $\mathit{pred}$. To illustrate, the annotation

$$\{s\}\; \mathit{pInc}\; \{s\} \qquad (4)$$

means that the expected value of $s$ is never decreased (and it is therefore only valid if $p \geq 1/2$, since $\mathit{Wp}.\mathit{pInc}.s = p(s+1) + (1-p)(s-1) = s + 2p - 1$).

Inductive invariants will be a significant component of the refinement of quantitative safety specifications in our pB machines, to which we now turn.

  MACHINE Faulty
  SEES IntTYPE, RealTYPE
  CONSTANTS p
  PROPERTIES p ∈ REAL ∧ p ≥ real(0) ∧ p ≤ real(1)
  VARIABLES cc
  INVARIANT cc ∈ ℕ
  INITIALISATION cc := 0
  OPERATIONS
    OpX ≜ BEGIN PCHOICE p OF cc := cc + 1 OR cc := cc − 1 END;
    OpY ≜ cc := 0
  EXPECTATIONS real(0) ⇛ cc
  END

The keywords in the left column capture the fields (or clauses) used to describe the machine. The PCHOICE keyword introduces a probabilistic binary operator; the EXPECTATIONS clause expresses the notion of probabilistic quantitative safety.

Figure 2: A simple pB machine.

2.1 Probabilistic safety and refinement in pB

Probabilistic B or pB [15] is an extension of standard B [1] to support the specification and refinement of probabilistic systems.
Systems are specified by a collection of pB machines which consist of operations describing possible program executions, together with variable declarations and invariants prescribing correct behaviour. The machine set out in Fig. 2 illustrates some key features of the language. There are two operations, OpX and OpY, which can update a variable cc. OpX can either increment cc by 1 or decrement it by the same value, with probability p or (1 − p) respectively, while OpY just resets the current value of cc to 0. In general, operations can execute only if their preconditions hold. But in the absence of preconditions, as in this case, the choice of which operation to execute is made nondeterministically. The remaining clauses ascribe more information to the variables, constants and behaviour of the operations. Declarations are made in the CONSTANTS and VARIABLES clauses; the PROPERTIES and SEES clauses state assumed properties and context of the constants and variables. The INVARIANT clause sets out invariant properties. The expression in the INITIALISATION clause must establish the invariant, and the operations OpX and OpY must maintain it afterwards.

We shall concentrate on the EXPECTATIONS clause¹, which was introduced by Hoang [15] to express quantitative invariant or safety properties. The form of an EXPECTATIONS clause is given by

$$E \Rrightarrow \mathit{Expt}, \qquad (5)$$

where both $E$ and $\mathit{Expt}$ are expectations. It specifies that the expected value of $\mathit{Expt}$ should always be at least $E$, where the expected value is determined by the distribution over the state space after any valid execution of the machine's operations, following its initialisation.
Hoang showed that this is guaranteed by the following valid annotations:

$$\{E\}\; \mathit{init}\; \{\mathit{Expt}\} \quad\text{and}\quad \{\mathit{lift}\,\mathit{pred} \times \mathit{Expt}\}\; \mathit{Op}\; \{\mathit{Expt}\}, \qquad (6)$$

where $\mathit{Op}$ is any operation with precondition $\mathit{pred}$ and $\mathit{init}$ is the machine's initialisation. In what follows we shall refer to (6) as the proof obligations for the associated expectations clause (5). Checking the validity of program annotations, and in particular of inductive invariants for loop-free program fragments, can be done mechanically based on the semantics set out in Fig. 1. In some cases the proof obligation cannot be discharged, and there are two possible reasons for this. The first possibility is that $\mathit{Expt}$ is too weak to be an inductive invariant for the machine's operations, and must be strengthened by finding $\mathit{Expt}' \Rrightarrow \mathit{Expt}$ so that the original safety property can be validated. The second possibility is that the machine's operations actually violate the probabilistic safety property. The same reasoning can be extended to refinement of abstract pB machines.

¹ However, Hoang [15] showed that another way to check that a real value $\Omega$ is indeed an expectation is to evaluate the language-specific boolean function $\mathit{expectation}(\Omega)$. Therefore we shall interchangeably use both forms to denote expectations-based expressions with no loss of generality.

We note that quantitative safety specifications in pB can also be refined in the usual way with respect to expectation pairs. Thus another way of expressing (5) is to say that any program command $P$ satisfies the bounded expectation pair $[E, \mathit{Expt}]$ if execution from its initial state guarantees that

$$E \Rrightarrow \mathit{Wp}.P.\mathit{Expt}. \qquad (7)$$

Refinement is then implied by the ordering of program commands, so that more refined programs improve probabilistic results. More specifically, we write

$$P \sqsubseteq Q \quad\text{iff}\quad (\forall E \in \mathcal{E}S \cdot \mathit{Wp}.P.E \Rrightarrow \mathit{Wp}.Q.E), \qquad (8)$$

to mean that the program command $Q$ is a refinement of the program command $P$. In addition we note that the preservation of an expression like (5) is implied by the monotone property of $\mathit{Wp}$.

The refinement of abstract pB machines embedding quantitative safety statements is dealt with in the language framework by introducing the IMPLEMENTATION and REFINES clauses. The former clause specifies the refinement of an abstract machine specified in the latter clause. The refinement process is then aimed at preserving the bounds of expectations in the original specification statement (the machine to be refined) so that the validity of an expression like (6) can be checked mechanically.

Our aim in the next section is to use probabilistic counterexamples adopted in model checking techniques to interpret failure of proofs of refinement of probabilistic machines in the pB language. We will find that a counterexample is a trace (or a set of traces) from the initialisation to a state where the inductive invariant fails to hold after inspecting the EXPECTATIONS clause over the refinement.

3 Probabilistic safety in Markov Decision Processes

In abstract terms pGCL programs and pB machines may be modelled as a Markov Decision Process (MDP). Recall that an MDP combines the notion of probabilistic updates together with some arbitrary choice between those updates [27]: that combination of probabilistic choices together with nondeterministic choices is present in pGCL and captures both features. In this section we summarise pB models² and their quantitative safety specifications in terms of MDPs, and show how to apply model checking's search techniques for counterexamples to prove quantitative safety as a first step towards generalising standard bounded model checking verification.
Inductive invariance is then crucial to the application of exhaustive state exploration for the intended goal.

² We note that an abstract pB model begins with the MACHINE keyword while a refinement is a pB model that begins with the IMPLEMENTATION keyword.

Here we consider an MDP expressed as a nondeterministic selection $P \triangleq P_0 \sqcap \ldots \sqcap P_n$ of deterministic pGCL programs, where the nondeterminism corresponds to the arbitrary choice, and each $P_i$ corresponds to the probabilistic update for a choice $i$. When $P$ is iterated for some arbitrarily many steps, we identify a computation path as a finite sequence of states $\langle s_0, s_1, s_2, \ldots, s_n \rangle$ where each $(s_i, s_{i+1})$ is a probabilistic transition of $P$, i.e. $s_{i+1}$ can occur with non-zero probability by executing $P$ from $s_i$. Note that the choice (between $0 \ldots n$) can depend on the previous computation path, since for example guards for the individual operations $P_i$ must hold for their selection to be enabled.

Standard safety properties identify a set of "safe" states; the safety property then holds provided that all states reachable from the initial state under specified state transitions are amongst the selected safe states. A generalisation of this for probabilistic systems specifies thresholds on the probability with which the reachable states are always amongst the safe states. The quantitative safety properties encapsulated by the EXPECTATIONS clause are even more general than that, allowing the possibility to specify thresholds on arbitrary expected properties. The next definition sets out the mathematical model for interpreting general quantitative safety properties.
Since MDPs contain both nondeterministic and probabilistic choice, taking expected values only makes sense over well-defined probability distributions: we need to resolve the nondeterministic choice in all possible ways to yield a set of probability distributions. The next definition sets out a mechanism for doing just that.

Definition 1. Given a program $P$, an execution schedule is a map $\aleph : S^* \to \mathcal{D}S$ so that $\aleph.\alpha \in \llbracket P \rrbracket.s$ picks a particular resolution of the nondeterminism in $P$ to execute after the trace $\alpha$, where $s$ is the last item of $\alpha$. (A more uniform formalisation would give the distribution of initial states as $\aleph.\langle\rangle$; but we prefer to give initial states explicitly.)

Once a particular schedule has been selected, the resulting behaviour generates a probability distribution over computation paths. We call such a distribution a probabilistic computation tree; such distributions are well-defined with respect to Borel algebras based on the traces.

Definition 2. Given a program $P$, initial state $s_0$ and execution schedule $\aleph$, we define the corresponding trace distribution $\langle\!| P_\aleph |\!\rangle.s_0$ of type $S^* \to [0,1]$ to be

$$\langle\!| P_\aleph |\!\rangle.s_0.(s') \;\triangleq\; 1 \text{ if } s' = s_0 \text{ else } 0, \qquad\quad \langle\!| P_\aleph |\!\rangle.s_0.(\alpha s s') \;\triangleq\; \langle\!| P_\aleph |\!\rangle.s_0.(\alpha s) \times \aleph.(\alpha s).s'.$$

Computation trees of finite depth generate a distribution over endpoints as follows. If we take $K$ steps from some initial $s_0$ according to the schedule $\aleph$, then the probability of ending in state $s'$ is given by

$$\llbracket P^K_\aleph \rrbracket.s_0.s' \;\triangleq\; \sum_{|\alpha| = K} \langle\!| P_\aleph |\!\rangle.s_0.(\alpha s').$$

General quantitative safety properties are intuitively specified via a numeric threshold $e$ and a random variable $\mathit{Expt}$ over the state space $S$: the expected value of $\mathit{Expt}$ with respect to any distribution over endpoints should never fall below the threshold $e$.
Definition 3. Given threshold $e$ and an expectation $\mathit{Expt}$, the general quantitative safety property is satisfied by the program $P$ if for all schedules $\aleph$ and $K \geq 0$ we have that

$$\mathit{Exp}.\llbracket P^K_\aleph \rrbracket.\mathit{Expt}.s_0 \;\geq\; e.$$

The probabilistic Computation Tree Logic or pCTL [13] safety property, which places a threshold on the probability that the reachable states always satisfy the identified "safe" states, is expressible using Def. 3 via the characteristic expectation $\mathit{lift}\,\mathit{safe}$. However many more general properties are also expressible, including expected time complexity [14].

We shall be interested in identifying situations where the inequality in Def. 3 does not hold. Evidence for the failure is a (finite) computation tree whose distribution over endpoints illustrates the failure to meet the threshold.

Definition 4. Given a probabilistic safety property, a failure tree is defined by a scheduler $\aleph$ and an integer $K \geq 0$ such that

$$\mathit{Exp}.\llbracket P^K_\aleph \rrbracket.\mathit{Expt}.s_0 \;<\; e.$$

Elsewhere [24] we showed that if $\mathit{Expt}$ is an inductive invariant, then the safety property based on $\mathit{Expt}$ is implied, provided that $e \leq \mathit{Expt}.s_0$. In fact, given a failure tree, there must be some finite trace $\alpha$ such that $\langle\!| P_\aleph |\!\rangle.s_0.(\alpha s) > 0$ and $\mathit{Wp}.(P \sqcap \mathit{skip}).\mathit{Expt}.s < \mathit{Expt}.s$ [24]. Thus, as for standard model checking, we are able to locate specific traces which lead to the failure of the invariant property. We define a counterexample to inductive invariance as follows.

Definition 5. Given a scheduler $\aleph$, an expectation $\mathit{Expt}$ and a program $P$, a counterexample to the inductive invariance safety property is a trace $(\alpha s)$ which can occur with non-zero probability, and such that

$$\mathit{Wp}.P.\mathit{Expt}.s \;<\; \mathit{Expt}.s.$$

A state such as $s$ is a witness to failure. But note that in practice there will be a number of counterexamples.
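As an added worked example (not part of the paper or of its tooling), the script below carries Definitions 2 to 5 through on a small constructed MDP modelled on the two operations of the Faulty machine of Fig. 2: the state is the integer $cc$, the nondeterministic choice is between OpX and OpY, and $p = 1/4$ is an assumed value. The safety property checked is likewise an assumption chosen for illustration, $\mathit{Expt} = \mathit{lift}(cc \geq 0)$ with threshold $e = 1/2$ (the pCTL-style reading of Def. 3), rather than the machine's own EXPECTATIONS clause. The script computes trace distributions under a given scheduler, the worst case over all schedulers by backward induction (the value an extremal scheduler attains), the smallest depth $K$ at which a failure tree exists, and the Def. 5 witnesses among the states reachable within $K$ steps.

```python
from fractions import Fraction as F

# Added example: Definitions 2-5 on a constructed MDP.  State = cc (an int);
# the nondeterministic selection is OpX |~| OpY, modelled on Fig. 2, with p assumed 1/4.
P = F(1, 4)
CHOICES = ("OpX", "OpY")


def step(choice, s):
    """Probabilistic update P_i for one resolved choice: list of (s', probability)."""
    if choice == "OpX":                      # cc := cc + 1  p(+)  cc := cc - 1
        return [(s + 1, P), (s - 1, 1 - P)]
    if choice == "OpY":                      # cc := 0
        return [(0, F(1))]
    raise ValueError(choice)


def expt(s):
    """Assumed safety random variable: lift(cc >= 0)."""
    return F(1) if s >= 0 else F(0)


def trace_dist(sched, s0, K):
    """Def. 2: distribution over the K-step traces from s0 under scheduler `sched`,
    a function from the trace so far (a tuple of states) to a choice."""
    dist = {(s0,): F(1)}
    for _ in range(K):
        nxt = {}
        for alpha, pr in dist.items():
            for t, q in step(sched(alpha), alpha[-1]):
                nxt[alpha + (t,)] = nxt.get(alpha + (t,), F(0)) + pr * q
        dist = nxt
    return dist


def endpoint_expectation(sched, s0, K):
    """Exp.[[P^K_sched]].Expt.s0: sum over K-step traces of prob x Expt(endpoint)."""
    return sum(pr * expt(alpha[-1]) for alpha, pr in trace_dist(sched, s0, K).items())


def worst_case(s, K):
    """Minimum of Exp.[[P^K]].Expt.s over all schedulers, by backward induction
    (K-fold Wp with nondeterminism read as min); an extremal scheduler attains it."""
    if K == 0:
        return expt(s)
    return min(sum(pr * worst_case(t, K - 1) for t, pr in step(c, s)) for c in CHOICES)


def failure_tree_depth(s0, e, k_max):
    """Def. 4: smallest K <= k_max at which some scheduler drives the expectation below e."""
    for K in range(k_max + 1):
        if worst_case(s0, K) < e:
            return K
    return None


def wp_step(s, post):
    """Wp.(OpX |~| OpY).post.s = min over choices of the expected post-value."""
    return min(sum(pr * post(t) for t, pr in step(c, s)) for c in CHOICES)


def reachable(s0, K):
    """States that occur with non-zero probability within K steps under some scheduler."""
    seen, frontier = {s0}, {s0}
    for _ in range(K):
        frontier = {t for s in frontier for c in CHOICES for t, pr in step(c, s) if pr > 0}
        seen |= frontier
    return seen


def counterexamples(s0, K):
    """Def. 5 witnesses: reachable states s with Wp.P.Expt.s < Expt.s."""
    return sorted(s for s in reachable(s0, K) if wp_step(s, expt) < expt(s))


always_opx = lambda alpha: "OpX"          # one particular (memoryless) scheduler

if __name__ == "__main__":
    print(trace_dist(always_opx, 0, 1))
    print(endpoint_expectation(always_opx, 0, 2), worst_case(0, 2))
    print(failure_tree_depth(0, F(1, 2), 4), counterexamples(0, 2))
```

Tightening the threshold to $e = 1/4$ moves the first failure tree out to $K = 3$, which is the situation a bounded exploration only discovers by increasing $K$; the Def. 5 witness (here the single state $cc = 0$) needs no depth bound beyond reachability, because inductive invariance is a local check on each state.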
Our technique is able to identify them all given any depth $K$ of computation. Next we discuss how the strategy can be extended to reasoning about probabilistic loops.

3.1 Analysis of loops

We assume a loop of the form

$$\mathit{loop} \;\triangleq\; \mathbf{while}\; G\; \mathbf{do}\; \mathit{body}\; \mathbf{od}$$

where $G$ is a predicate over the program state representing the loop guard, and $\mathit{body}$ is a probabilistic program consisting of a finite nondeterministic choice over probabilistic updates. Our aim in this section is to generalise the technique of bounded model checking to prove a safety assertion of the form

$$\{e\}\; \mathit{loop}\; \{\mathit{inv}\}. \qquad (9)$$

In the case that (9) does not hold there must be a failure tree (Def. 4) to witness that fact, together with a set of failures of inductive invariance of $\mathit{inv}$. We shall be interested in the complementary problem, in the case that the property does hold. For standard programs this can be established by exhaustively searching the reachable states; any revisiting of a state terminates the search at that point, so that the method is complete for finite state programs: either a counterexample is discovered or all reachable states are visited, and each one checked for satisfaction of the (qualitative) safety property.

The situation is not quite so straightforward for probabilistic programs, and that is because the technique of exhaustive search does not generalise immediately to quantitative safety properties. However, via inductive invariants it does. Consider the program which repeatedly sets a variable $x$ uniformly in the set $\{0, 1, 2\}$ after the initialisation $x := 1$, and terminates whenever $x$ is set to 2. In this case we might like to verify the safety property that $x \in \{1, 2\}$ with probability at least $1/2$. Expressed as an assertion, it becomes

$$\{1/2\}\;\; x := 1;\; \mathbf{while}\; (x = 1)\; \mathbf{do}\;\; x := 0 \;\; {}_{1/3}\oplus\; (x := 1 \;\; {}_{1/2}\oplus\;\; x := 2)\;\; \mathbf{od}\;\; \{\mathit{post}\}, \qquad (10)$$

where $\mathit{post} \triangleq \mathit{lift}(x \in \{1, 2\})$.
A quantitative inductive invariant establishing that fact is given by $x/2$, expressing the probability that the safety property is always satisfied from that state. (When $x$ is 2 that probability is 1, when $x$ is 1 it is $1/2$, and when $x$ is 0 it is 0.) In fact the property (10) is equivalently formulated by setting $\mathit{post} \triangleq x/2$, which can be seen as a strengthening of $\mathit{lift}(x \in \{1, 2\})$.

Since the triple (10) does indeed hold, no failure trees exist; more generally, in standard model checking and for finite state spaces such a failure to establish the presence of a failure tree can be converted to a proof that the property holds (provided all reachable states are examined). For probabilistic systems, however, it is not clear when to terminate a state exploration, since $\mathit{Exp}.\llbracket \mathit{body}^K_\aleph \rrbracket.(x/2)$ (where here $\mathit{body}$ is taken to be the guarded loop body of (10)) never falls below $1/2$ for any finite $K$, yet no finite $K$ on its own shows that it never will. However we can recover the termination property even for probabilistic systems by looking at inductive invariants, as the next lemma shows.

Lemma 1. Let $P$ be a probabilistic program operating over a finite state space $S$; let $s_0$ be the initial state. If for all states $s$ reachable from $s_0$ under executions via $P$ the inductive invariance property $\mathit{Wp}.P.\mathit{inv}.s \geq \mathit{inv}.s$ holds, then $\mathit{Exp}.\llbracket P^K_\aleph \rrbracket.\mathit{inv} \geq \mathit{inv}.s_0$ for all $K$ and schedules $\aleph$.

Proof 1 (Sketch). We use proof by induction on $K$. When $K = 1$ we note that $\mathit{Exp}.\llbracket P^1_\aleph \rrbracket.\mathit{inv} \geq \mathit{inv}.s_0$ is a consequence of the assumption, since $\mathit{Exp}.\llbracket P^1_\aleph \rrbracket.\mathit{inv} \geq \mathit{Wp}.P.\mathit{inv}.s_0$. For the general step, we observe similarly that $\mathit{Exp}.\llbracket P^{K+1}_\aleph \rrbracket.\mathit{inv} \geq \mathit{Exp}.\llbracket P^K_\aleph \rrbracket.(\mathit{Wp}.P.\mathit{inv})$. The result follows through monotonicity of the expectation operator.

Lem. 1 implies that we can use exhaustive search to verify quantitative safety properties using inductive invariants and exhaustive state exploration. The search terminates once all reachable states have been verified as satisfying the inductive property. In the case of (10), using $x/2$ for the invariant, each of the three states satisfies the inductive property. Next we summarise a prototype tool framework for locating and presenting counterexamples.

4 Automating counterexamples generation

YAGA [25] is a prototype suite of programs for inspecting safety specifications of abstract pB machines and their refinements. Importantly, it allows a pB machine designer to explore experimentally the details of system construction in order to ascertain the cause(s) of failure of a pB safety encoding as in (5). YAGA inputs a pB machine or its refinement violating a specific safety property expressed in its EXPECTATIONS clause, and generates its equivalent MDP representation in the PRISM language [14]. PRISM is a probabilistic model checker that permits pB models as MDPs in the tool framework and thus can investigate critical expected values of random variables as "reward structures", a part of PRISM's specification language. PRISM can then be used to explore the computation of $\mathit{Exp}.\llbracket P^K_\aleph \rrbracket.\mathit{Expt}.s_0$ for values of $K \geq 0$, and thus (modulo computing resources) can determine values of $K$ for which the expectations clause fails. If such a $K$ is discovered, YAGA is able to extract the resultant failure tree as an "extremal scheduler" that fails the inductivity test. The extremal scheduler is a transition probability matrix which gives a description of the best (or worst-case) deterministic scheduler of the PRISM representation of an abstract 'faulty' pB machine, i.e.
one whose probability (or reward) of reaching a state where our intended safety specification is violated is maximal (or minimal). Finally, YAGA analyses the resultant extremal scheduler using algorithmic techniques set out in [24] and generates 'the most useful' diagnostic information, composed of finite execution traces as sequences of operations and their state valuations leading from the initial state of the pB machine to a state where the property is violated. Details of the underlying theory of YAGA, its algorithms and implementation can be found elsewhere [25, 24].

In the next section we discuss practical details on how to use exhaustive search of pB machines to verify compliance of inductivity for finite probabilistic models.

  IMPLEMENTATION contractionImp
  REFINES contraction
  SEES BoolType, IntTYPE, RealTYPE
  OPERATIONS
    ans ← contraction(NN) ≜
      VAR nn IN
        nn := NN;
        ans := TRUE;
        WHILE (nn > 2) DO
          ans ← merge(nn, ans);
          nn := nn − 1
        VARIANT nn
        INVARIANT nn ∈ ℕ ∧ nn ≤ NN ∧ 2 ≤ nn ∧ ans ∈ BOOL ∧
                  expectation(frac(2, nn × (nn − 1)) × lift ans)
        END;
      END
  END

Figure 3: A pB refinement of the contraction specification of the Mincut algorithm.

5 Case study one: min-cut

We discuss one of Hoang's pB models [15]: a randomised solution to finding the "minimum cut" in an undirected graph. The probabilistic algorithm is originally due to Karger [20]. We also report experimental results after running our diagnostic tool.

Let an undirected graph be given by $(N, E)$ where $N$ is a set of nodes and $E$ is a set of edges. The graph is said to be disconnected if $N$ is a disjoint union of two nonempty sets $N_0, N_1$ such that every edge in $E$ connects two nodes of $N_0$ or two nodes of $N_1$; a graph is connected if it is not disconnected.
A cut in a connected graph is a subset $E' \subseteq E$ such that $(N, E \setminus E')$ is disconnected; a cut is minimal if there is no cut with strictly smaller size. Cuts are useful in optimisation problems but are difficult to find. Karger's algorithm uses a randomisation technique which is not guaranteed to find the minimal cut, but only does so with some probability. The idea of the algorithm is to use a "contraction" step, where first an edge $e$ connecting two nodes $(n_1, n_2)$ is selected at random and then a new graph is created from the old by "merging" $n_1$ and $n_2$ into a single node $n_{12}$; edges in the merged graph are the same as in the original graph except for edges that connected either $n_1$ or $n_2$. In that case, if $(n_1, a)$, say, was an edge in the original graph then $(n_{12}, a)$ is an edge in the merged graph. We keep merging while the number of nodes is greater than 2.

The specification of the merge function for an initial number of nodes $NN$ is such that

$$\mathit{ans} \leftarrow \mathit{merge}(nn, aa) \;\triangleq\; nn \in NN \wedge aa \in \mathit{BOOL} \;|\; \mathit{ans} := (\mathit{false}\;\; {}_{\leq 2/nn}\oplus\;\; aa).$$

It expresses that with a probability of at most $2/nn$ the minimum cut will be destroyed by the contraction step; otherwise the minimum cut survives the step and $\mathit{ans}$ keeps its previous value. Contraction satisfies an interesting combinatorial property, which is that if the edge is chosen uniformly at random from the set of edges then, once merging has reduced the graph to 2 nodes, the merged graph has the same minimum cut as the unmerged graph with probability at least $2/(NN(NN-1))$. Although this probability can be small, it can be amplified by repeating the algorithm to give a probability of assurance to within any specified threshold.

The pB implementation in Fig. 3 sets out part of the refinement step for the min-cut algorithm. The refinement describes an iteration where the merge function is called to perform the contraction described above.
The result of a call to merge is that the number of nodes in the graph (given by the variable nn) is diminished by 1 and either the original minimum cut is preserved (with the probability mentioned above) or it is not; the Boolean ans is used to indicate which of these possibilities has been selected.

Figure 4: Graph comparing the probabilities of finding a min-cut for the correct and incorrect implementations of the contraction specification of the mincut algorithm. The incorrect implementation is the one where we have introduced a high probability in the left branch of the merge operation, thus forcing the variable ans to become false often.

    ******* Starting Error Reporting for Failure Traces located on step 2 *********
    Sequence of operations leading to bad state ::>>> [{INIT} (3,true), {Skip} (3,true)]
    Probability mass of failure trace is:>>>> 1
    ************ Finished Error Reporting ***************

Figure 5: Diagnostics detailing a failure of the inductive invariance at the implementation step (for NN = 3) involving the merge operation. Note that this is a counterexample since the execution of the merge operation results in an endpoint distribution which yields a decreased expectation (see Def. 5). That is, there is a witness s = (nn = 3, ans = true) such that $\mathrm{Wp}.\mathit{merge}.(2/(nn(nn-1)) \times \mathrm{lift}\,ans).s = 1/12 < (2/(nn(nn-1)) \times \mathrm{lift}\,ans).s = 1/3$. Note that every trace component of the counterexample is marked with a pair which denotes the state valuations of the program variables occurring in the EXPECTATIONS clause, in this case (nn, ans).

Here we use the expectation(.) function to check that the expression lift ans × 2/(nn(nn − 1)) simplifies to an inductive property; that is, that the probability of preserving the minimum cut should always be at least 2/(nn(nn − 1)) while ans remains true, but is 0 if ans ever becomes false. Note that if this property holds then we are able to deduce exactly that the overall probability that the original minimum cut is preserved when the graph is merged to one of 2 nodes is the theoretically predicted 2/(NN(NN − 1)). Next we describe bounded model checking style experiments to analyse the refinement.

5.1 Experiments for min cut

5.1.1 Counterexample diagnostics

In our first experiment we introduce an error (3) in the design of the merge function. The graph depicted in Fig. 4 shows a failure to preserve the expected probability threshold of the mincut algorithm. Specifically, the graph shows that the probability falls below 2/(NN(NN − 1)). An examination of the resultant failure tree produces the counterexample depicted in Fig. 5. It clearly reveals a problem, ultimately leading to a witness after executing the merge operation.

(3) We set the probability of choosing the left branch in the merge specification to be "at most" 3/4, so that the new specification becomes ans := (false ≤3/4⊕ aa).

PRISM model checking results for the mincut algorithm for varying node sizes:

    NN     States    Transitions   Probability to find a mincut   Duration (secs)
    10      72517        128078    2.2222E-1                       18.046
    50     412797        732718    8.1633E-4                      131.363
    100    797647       1416518    2.0202E-4                      277.605

Table 1: Performance results of inductive invariance checking for mincut.

5.1.2 Proof of correctness for small models

In the next experiment we fix the error in the merge function and attempt a verification of mincut for specific (small) model sizes.
In particular, we use YAGA to check that the EXPECTATIONS clause satisfies the inductive property for all reachable states. The result is shown in Table 1. It depicts the various sizes of the PRISM model relative to the number of nodes NN of the original graph.

6 Probabilistic diagnostics of dependability

In this section we investigate how the use of probabilistic counterexamples can play a role in the analysis of dependability, especially in compiling quantitative diagnostics related to specific "failure modes". We assume a probabilistic model of a critical system, and we shall use the notation and conventions set up in Sec. 3. In addition, we shall reserve the symbol F for a special designated state corresponding to "complete failure"; in the case that a system completely fails (i.e. enters the F state) we shall posit that no more actions are possible. In the design of dependable systems, one of the goals is to understand what behaviours lead to complete failure, and how the design is able to cope overall with the situation where partial failures occur. For example, the design of the system should be able to prevent complete failure even if one or more components fail. Regrettably, some combinations of component failures will eventually lead to complete failure; those combinations are usually referred to as failure modes. In such cases, dependability analysis would seek to confirm that the relevant failure modes are very unlikely to occur and also to produce some estimate of the time to complete failure once the failure mode has arisen. We first set out definitions of failure modes and related concepts relative to an MDP model. In the definitions below we refer to P as an MDP, with F a designated state indicating "complete failure", such that the annotation {F} P {F} holds.
Let φ be a predicate over the state space and α a sequence of states indicating an execution trace of P. We define the path formula ◇φ by (◇φ).α = true if and only if there is some n ≥ 0 such that α.n satisfies φ, corresponding to the usual definition of "eventuality" [13]. Our next definition identifies a failure mode: it is a predicate which, if ever satisfied, leads to failure with probability 1. We formalise this as a conditional probability, namely that F occurs given that the failure mode occurs. We use the standard formulation of conditional probability: if μ is a distribution over an event space, we write μ.A for the probability that event A occurs and μ.(A | B) for the probability that event A occurs given that event B occurs. It is defined by the quotient μ.(A ∧ B) / μ.B. Standard approaches to dependability analysis largely rely on failure mode and effects analysis (FMEA) [18] for identifying a "critical set", the minimal set of components whose simultaneous failure constitutes a failure mode. Next we shall show how probabilistic model checking can be used to generalise this procedure.

Definition 6 Let P be an MDP and let ℵ be a scheduler; we say that a predicate φ over the state space is a failure mode for ℵ if the probability that F occurs given that φ ever holds is 1:

$$[\![P^{\aleph}_K]\!].s_0.(\Diamond F \mid \Diamond\varphi) = 1,$$

where we write $\mathrm{Exp}.[\![P^{\aleph}_K]\!].s_0.(\Diamond F \mid \Diamond\varphi)$ for the conditional probability over traces that F is reachable from the initial state s0 given that φ previously occurred. We say that φ defines a critical set if φ is a weakest predicate which is also a failure mode.

Given the assumption that once the system enters the state F it can never leave it, Def. 6 consequently identifies states of the system which certainly lead to failure. Once a critical set has been identified, we can use probabilistic analysis to give detailed quantitative profiles, including the probability that it occurs and estimates of the time to complete failure once it has been entered. The probability that a critical set φ occurs for a scheduler ℵ is given by $\mathrm{Exp}.\langle\!| P^{\aleph} |\!\rangle.(\Diamond\varphi)$. The next definition sets out the basic definition for measuring the time to failure; it is based on the conditional probability measured at various depths of the execution tree.

Definition 7 Let P be an MDP, ℵ a scheduler, and let K refer to the depth of the associated execution tree. Furthermore let φ be a critical set. The probability that complete failure has occurred at depth K given that φ has occurred is given by $[\![P^{\aleph}_K]\!].s_0.(\Diamond F \mid \Diamond\varphi)$.

Thus even though a failure mode has been entered, the analysis can determine the approximate depth of computation k ≤ K before complete failure occurs.

6.1 Instrumenting model checking with failure mode analysis

In this section we describe how the definitions above can be realised within a probabilistic model checking environment in order to identify and analyse particular combinations of actions that lead to failure. (4)

6.1.1 Identification of failure modes

The first task is to interpret Def. 6 as a model checking problem: this relies on the calculation of conditional probabilities, which is not usually possible using standard techniques. However, adopting the more general expectations approach, instrumented as reward structures of MDPs, we are able to compute lower bounds on conditional probabilities after all.

Lemma 2 Let P be a pGCL program and ℵ a scheduler, let X, C be predicates over S, and let λ be a real value at least 0. Starting from an initial state s0, the following relationship holds. (5)

$$\mathrm{Exp}.[\![P^{\aleph}]\!].s_0.(\mathrm{lift}(C \wedge X) - \lambda \times \mathrm{lift}\,C) \ge 0 \quad\text{iff}\quad \mathrm{Exp}.[\![P^{\aleph}]\!].s_0.(X \mid C) \ge \lambda .$$

Proof 2 Follows from linearity of the expectation operator and the definition of conditional probability as $\mathrm{Exp}.[\![P^{\aleph}]\!].s_0.\mathrm{lift}(C \wedge X) \,/\, \mathrm{Exp}.[\![P^{\aleph}]\!].s_0.\mathrm{lift}\,C$, provided that C has a non-zero probability of occurring.

(4) Note that YAGA computes probabilities over endpoints rather than over traces; thus we assume that failure modes can be identified by entering a state which persists according to Def. 6. These will be deadlock states of the MDP being analysed.

(5) This expression may be generalised to allow for nondeterminism: $\mathrm{Exp}.[\![P]\!].s_0.(\mathrm{lift}(C \wedge X) - \lambda \times \mathrm{lift}\,C) \ge 0$ iff $[\![P^{\aleph}]\!].s_0.(X \mid C) \ge \lambda$ for any scheduler ℵ. Note also that if C does not hold with non-zero probability then this definition assumes that the conditional probability is still defined and is maximal.

Figure 6: An embedded control system (diagram of the input I, sensors S1 and S2, arithmetic units A1 and A2, monitor M and output O).

From Lem. 2 we can see that (putting λ = 1) if $\mathrm{Exp}.[\![P^{\aleph}]\!].s_0.(\mathrm{lift}(C \wedge X) - \mathrm{lift}\,C) \ge 0$ then the conditional probability $\mathrm{Exp}.[\![P^{\aleph}]\!].s_0.(X \mid C) = 1$. On the other hand, we can verify the expression $\mathrm{Exp}.[\![P^{\aleph}]\!].s_0.(\mathrm{lift}(C \wedge X) - \mathrm{lift}\,C) \ge 0$ directly using YAGA's output. Thus the following steps summarise our proposed method for failure mode analysis.

(a) Use YAGA to identify a failure tree consisting of traces which terminate in F.
(b) From the failure tree, identify candidate combinations of events C which correspond to traces terminating in F.
(c) Using YAGA's output, verify that the candidate combinations C are indeed failure modes by evaluating the constraint $\mathrm{Exp}.[\![P^{\aleph}]\!].s_0.(\mathrm{lift}(C \wedge X) - \mathrm{lift}\,C) \ge 0$, i.e. after setting λ = 1.
(d) Compute expected times to failure for the identified failure modes.
In the next section we shall illustrate this technique on a case study of an embedded controller design.

7 Case study two: controller design

Here we show how YAGA can be used to provide important diagnostic feedback to a pB developer, summarising the failure of the EXPECTATIONS clause in a pB machine refinement. We incorporate the key dimensions of systems dependability: availability, the probability that a system resource can be accessed; reliability, the probability that a system meets its stated requirement; and safety, which expresses that nothing bad happens. The design in Fig. 6 is originally based on the work by Güdemann and Ortmeier [11]. It consists of two redundant input sensors (S1 and S2) measuring some input signal (I). This signal is then processed in an arithmetic unit to generate the required output signal (O). Two arithmetic units exist, a primary unit (A1) and its backup unit (A2). A1 gets an input signal from both S1 and S2, and A2 only from one of the two sensors. The sensors deliver a signal at finite intervals (but this requirement is not a key design issue since we assume that signals will always be propagated). If A1 produces no output signal, then a monitoring unit (M) switches to A2 for the generation of the output signal. A2 should only produce outputs when it has been triggered by M. An abstract description of the behaviour of the controller is captured in the specification of Fig. 7. The reliability of the system is given by the real value rr; we encode this in the safety specification within the expectation(.) function. State labels sg = 2 and sg = 3 denote signal success and failure respectively. Otherwise, state labels sg = 0 and sg = 1 respectively denote the idle state and a signal in transit.
    MACHINE SignalTracker(maxtime, s1p, s2p, a1p, a2p, mp)
    SEES IntTYPE, RealType
    CONSTRAINTS maxtime ∈ N ∧ s1p, s2p, a1p, a2p, mp ∈ REAL
                ∧ s1p, s2p, a1p, a2p, mp :∈ real(0)..real(1)
    CONSTANTS rr
    PROPERTIES rr ∈ REAL ∧ rr ≥ real(0) ∧ rr ≤ real(1)
    OPERATIONS
      sgout ←− sendsignal ≙
        PRE expectation(real(rr)) THEN
          ANY sg WHERE sg ≥ 0 ∧ sg ≤ 3
                   ∧ expectation(lift(sg = 0 ∨ sg = 1) × real(rr) + lift(sg = 2))
          THEN sgout := sg
          END;
        END;
    END.

Figure 7: Again we use the expectation(.) function to specify that states where sg = 0 (or 1) are worth the system reliability rr; states where sg = 2 are worth 1 and states where sg = 3 are worth 0. This encoding is a safety property for the sendsignal operation and must be preserved by any refinement of the abstract machine.

7.1 Refining the controller specification

Here we provide an implementation of the controller by refining the abstract specification in Fig. 7. We also show how to adapt the standard B-style modelling of timing constraints [7, 6] to pB models. We use an EXPECTATIONS clause of the form $q \Rrightarrow p \times \mathrm{lift}(s \neq F) \sqcup \mathrm{lift}\,\mathit{success}$, which captures the idea that the probability of reaching the "success" state should exceed the given threshold q. Here p is a parameter which could vary over the state, but which should initially be at least the value of q. Observe that F denotes a state where the signal is lost. But before we do this, we assign individual availabilities to the components of the controller and include the information in the CONSTANTS clause of their abstract machine descriptions. The implementation of the controller as well as the abstract descriptions of its components are in the Appendix.
In the next section we show how to perform dependability analysis on the controller after setting all the component availabilities to 95% (s1p = s2p = a1p = a2p = mp = 0.95). To do this, we use YAGA to provide an equivalent MDP interpretation of the refinement in the PRISM language. This then permits experimental analysis of the refinement and hence generation of system diagnostics summarising the process.

7.2 Experiment 1: identification of critical sets

Step 1: We set the parameters q, p := 1 in the expression $q \Rrightarrow p \times \mathrm{lift}(s \neq F) \sqcup \mathrm{lift}\,\mathit{success}$ to identify all failure traces for the chosen values of the component availabilities. Fig. 8 lists three of the failure traces (out of a total of 5) relevant to our discussion, resulting in a maximum probability of failure of 0.0025 after the 6th execution time stamp, i.e. maxtime = 6.

Step 2: From inspection of the above traces we notice that the failure of A1 and M enables us to identify them as potential candidates for the construction of our critical set.

Step 3: We verify that their failure will indeed result in overall failure by examining the value of the expectation lift(F ∧ A1 ∧ M) − lift(A1 ∧ M), the constraint of Lem. 2 with λ = 1, where A1 and M here abbreviate the predicates that the respective components have failed. For candidates such as A1 and M, we use the diagnostic traces to calculate the conditional probabilities as in Def. 6. To do this we extract all the traces which result in F and then examine the variations of the component failures in the traces to identify those which correspond to a failure configuration.
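As an added worked example (not from the paper and not YAGA's code), the Python below implements the check behind Lemma 2 of Sec. 6.1.1 and steps (a) to (c) of the method over an endpoint distribution, which is the form YAGA's output takes (footnote 4), and applies it in the manner of Steps 1 to 3 above. The endpoint distribution is constructed for illustration, using the state tuple order (sg, s1, s2, a1, a2, m) of Fig. 8 and the codes 0/1/2 for idle/active/dead; its masses are not the paper's results, and the helper names (expect, lift, cond_bound_holds, failure_modes) are this example's own.

```python
from fractions import Fraction

DEAD = 2   # component state codes of Fig. 8: 0 idle, 1 active, 2 dead
LOST = 3   # sg = 3: the output signal was lost, i.e. the complete-failure state F

# Constructed endpoint distribution (illustrative only, not the paper's data).
# Each entry is (probability mass, end state), the state tuple being ordered
# (sg, s1, s2, a1, a2, m) as in Fig. 8; the masses sum to 1.
ENDPOINTS = [
    (Fraction(80, 100), (2, 1, 1, 1, 0, 0)),  # A1 active: signal delivered
    (Fraction(10, 100), (2, 1, 1, 2, 1, 1)),  # A1 dead, M switched to A2: delivered
    (Fraction(6, 100),  (3, 1, 1, 2, 0, 2)),  # A1 and M dead: A2 never triggered
    (Fraction(3, 100),  (3, 1, 1, 2, 2, 1)),  # A1 dead, M switched, but A2 dead
    (Fraction(1, 100),  (3, 2, 2, 1, 0, 0)),  # both sensors dead: A1 has no input
]
POS = {"s1": 1, "s2": 2, "a1": 3, "a2": 4, "m": 5}   # tuple index of each component

def expect(f, endpoints=ENDPOINTS):
    """Exp.[[P]].s0.f over an endpoint distribution: sum of mass * f(state)."""
    return sum(p * f(s) for p, s in endpoints)

def lift(pred):
    """lift(pred): the {0,1}-valued expectation of a predicate."""
    return lambda s: Fraction(int(bool(pred(s))))

def is_F(s):
    return s[0] == LOST

def all_dead(*names):
    """Predicate C: every named component is in the dead state."""
    return lambda s: all(s[POS[n]] == DEAD for n in names)

def cond_bound_holds(X, C, lam, endpoints=ENDPOINTS):
    """Left-hand side of Lemma 2:  Exp(lift(C and X) - lam * lift C) >= 0."""
    both = lift(lambda s: C(s) and X(s))
    only_c = lift(C)
    return expect(lambda s: both(s) - Fraction(lam) * only_c(s), endpoints) >= 0

def cond_probability(X, C, endpoints=ENDPOINTS):
    """Exp(X | C) = Exp(lift(C and X)) / Exp(lift C), the right-hand side of Lemma 2."""
    denom = expect(lift(C), endpoints)
    if denom == 0:
        raise ValueError("C never occurs: conditional probability undefined")
    return expect(lift(lambda s: C(s) and X(s)), endpoints) / denom

def failure_modes(endpoints=ENDPOINTS):
    """Steps (a)-(c): from the failure endpoints collect the sets of dead
    components as candidates C, then keep those for which Lemma 2 holds with
    lam = 1, i.e. every endpoint satisfying C is also an F endpoint."""
    candidates = set()
    for _, s in endpoints:
        if is_F(s):
            candidates.add(frozenset(n for n, i in POS.items() if s[i] == DEAD))
    verified = [c for c in candidates
                if cond_bound_holds(is_F, all_dead(*c), 1, endpoints)]
    return sorted(tuple(sorted(c)) for c in verified)

def max_failure_probability(C, endpoints=ENDPOINTS):
    """Mass of the failure endpoints exhibiting C, the per-critical-set quantity
    tabulated in Table 2 (here for one fixed endpoint distribution)."""
    return expect(lift(lambda s: is_F(s) and C(s)), endpoints)

if __name__ == "__main__":
    print("verified failure modes:", failure_modes())
    print("Exp(F | A1 dead) =", cond_probability(is_F, all_dead("a1")),
          "so A1 alone is not a failure mode")
    print("Exp(F | A1 and M dead) =", cond_probability(is_F, all_dead("a1", "m")))
```

On this distribution the single failure of A1 is not a failure mode (the backup path still delivers the signal with some mass, so the λ = 1 constraint is violated), whereas the pairs {A1, M}, {A1, A2} and {S1, S2} pass the constraint. The lemma's caveat applies unchanged: cond_probability refuses to divide by a zero-probability C, which is exactly the case footnote 5 treats as "defined and maximal".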
    ***** Starting Error Reporting for Failure Traces located on step 6 *****
    Sequence of operations leading to bad state ::>>> [{INIT} (1,0,0,0,0,0), {Sensor2Action} (1,0,1,0,0,0), {PrimaryAction} (1,0,1,2,0,0), {MonitorAction} (1,0,1,2,0,2), {Skip} (1,0,1,2,0,2), {Sensor1Action} (1,2,1,2,0,2), {SendSignal} (3,2,1,2,0,2)]
    Probability mass of failure trace is:>>>> 0.00012
    Sequence of operations leading to bad state ::>>> [{INIT} (1,0,0,0,0,0), {Sensor2Action} (1,0,2,0,0,0), {Sensor1Action} (1,1,2,0,0,0), {PrimaryAction} (1,1,2,2,0,0), {MonitorAction} (1,1,2,2,0,2), {Skip} (1,1,2,2,0,2), {SendSignal} (3,1,2,2,0,2)]
    Probability mass of failure trace is:>>>> 0.00012
    Sequence of operations leading to bad state ::>>> [{INIT} (1,0,0,0,0,0), {Sensor2Action} (1,0,1,0,0,0), {PrimaryAction} (1,0,1,2,0,0), {MonitorAction} (1,0,1,2,0,2), {Skip} (1,0,1,2,0,2), {Sensor1Action} (1,1,1,2,0,2), {SendSignal} (3,1,1,2,0,2)]
    Probability mass of failure trace is:>>>> 0.00226
    ************ Finished Error Reporting ... *************

Figure 8: Diagnostic feedback revealing single traces at endpoint probability distributions (after setting the parameter maxtime = 6) corresponding to the failure of the controller to deliver an output signal. Note that the state tuple in this case is given by (sg, s1, s2, a1, a2, m).

The results were unsurprising and included, for example, identifying the simultaneous failure of the primary unit A1 and the monitor M as a critical set. On the other hand, once the pB modelling was completed, the generation of the failure traces was automatic, improving confidence in full coverage.
To illustrate this point, a programming mistake was uncovered using this analysis, where A1 had mistakenly been programmed to extract a correct reading only if it received signals from both sensors, rather than from at least one.

7.3 Experiment 2: investigating time to failure

This experiment investigates the time to first occurrence of failure given a particular critical set. In fact, the results show that the members of the set of interest are indeed critical, after verifying their overall conditional probabilities of failure. In summary, for example, a failure tree corresponding to depth K = 6 yields distributions over endpoint traces whose components' time to failure is shown in Table 2.

Identifying critical components' time to first failure:

    Critical components   Time step to first failure   Maximum probability of failure
    S1, S2                2 steps                      2.5000E-3
    A1, M                 3 steps                      2.4938E-3
    A1, A2                4 steps                      2.4938E-3
    A1, S2                3 steps                      2.4938E-3

Table 2: Maximum probabilities of failure are computed with respect to endpoint distributions of failure traces (Fig. 8) and conditional probabilities are given by Def. 6.

8 Related work

Traditional approaches to safety analysis via model exploration rely on qualitative assessment: exploring the causal relationship between system subcomponents to determine if some types of failure or accident scenarios are feasible. This is the method largely employed in techniques like Deductive Cause Consequence Analysis (DCCA) [26], which provides a generalisation of Fault Tree Analysis (FTA) [19]. Other industrial methods that support this kind of analysis include Failure Modes and Effects Analysis (FMEA) [18] and Hazard and Operability Studies (HAZOP) [8]. But the efficiency of these techniques is largely dependent on the experience of their practitioners.
Moreover, with probabilistic systems, where an interplay of random probabilistic updates and nondeterminism characterises system behaviours, such methods are not likely to scale, especially for the dependability analysis of industrial-sized systems.

The use of probabilistic model-based analysis to explore dependability features in systems construction has recently become a topical issue [21, 10, 11, 3]. One way to achieve this is to use probabilistic counterexamples [12, 4, 5], which can guarantee profiles refuting the desired property, i.e. after visiting the reachable states of the supposedly 'finite' probabilistic model. What we have done here is to show how a similar investigation can be achieved for the refinement of proof-based models by taking advantage of the state exploration facility offered by probabilistic model checking. Our method is very precise since it can guarantee the goal of refinement, namely improving probabilistic results. However, if this does not hold then we are able to provide exact diagnostics summarising the failure, provided that computational resources are not scarce.

9 Conclusion and future work

This paper has summarised an approach based on model exploration for the refinement of proof-based probabilistic systems with respect to quantitative safety specifications in the pB language. Our method can provide a pB designer with the information necessary to make judgements relating to dependability features of distributed probabilistic systems. We have shown how this can be done for probabilistic loops, hence generalising standard models. Even though most of the failure analysis conjectured herein has been based on intuition, it should be mentioned that a more interesting investigation would be to explore the use of constraint programming techniques to support full coverage of probabilistic system models.
This will enable us to target larger refinement frameworks, as in [9], where probability is not currently supported.

Acknowledgement: The authors are grateful to Thai Son Hoang for assistance with the pB models of the embedded controller. We also appreciate the anonymous reviewers for their very helpful comments.

References

[1] J. R. Abrial (1996): The B-Book: Assigning programs to meanings. Cambridge University Press.
[2] J. R. Abrial (2009): Modeling in Event-B: system and software engineering. To appear, Cambridge University Press. Available at http://www.event-b.org.
[3] H. Aljazzar, M. Fischer, L. Grunske, M. Kuntz, F. Leitner & S. Leue (2009): Safety analysis of an airbag system using probabilistic FMEA and probabilistic counterexamples. In proceedings of QEST'09, pp. 299–308, doi:10.1109/QEST.2009.8.
[4] H. Aljazzar & S. Leue (2009): Generation of counterexamples for model checking of Markov Decision Processes. In proceedings of QEST'09, pp. 197–206, doi:10.1109/QEST.2009.10.
[5] M. E. Andrés, P. D'Argenio & P. van Rossum (2009): Significant diagnostic counterexamples in probabilistic model checking. In proceedings of HVC'08. Lecture Notes in Computer Science 5394, pp. 129–148, doi:10.1007/978-3-642-01702-5_15.
[6] M. Butler (2009): Using Event-B refinement to verify a control strategy. Technical Report, University of Southampton, United Kingdom.
[7] D. Cansell, D. Méry & J. Rehm (2006): Time constraint patterns for Event-B development. In proceedings of B'07. Lecture Notes in Computer Science 4355. Springer, pp. 140–154, doi:10.1007/11955757_13.
[8] Chemical Industries Association Limited, London (1987): CIA: A guide to hazard and operability studies.
[9] Deploy. Available at http://www.deploy-project.eu/.
[10] L. Grunske, R. Colvin & K. Winter (2007): Probabilistic model checking support for FMEA. In proceedings of QEST'07, doi:10.1109/QEST.2007.18.
[11] M. Güdemann & F. Ortmeier (2010): Probabilistic model-based safety analysis. In proceedings of QAPL'10. EPTCS 28, pp. 114–128, doi:10.4204/EPTCS.28.8.
[12] T. Han, J.-P. Katoen & B. Damman (2009): Counterexample generation in probabilistic model checking. IEEE Transactions on Software Engineering 32(2), pp. 241–257, doi:10.1007/978-3-540-71209-1_8.
[13] H. Hansson & B. Jonsson (1994): A logic for reasoning about time and reliability. Formal Aspects of Computing 6(5), pp. 512–535, doi:10.1007/BF01211866.
[14] A. Hinton, M. Kwiatkowska, G. Norman & D. Parker (2006): PRISM: A tool for automatic verification of probabilistic systems. In proceedings of TACAS'06. Lecture Notes in Computer Science 3920. Springer, pp. 441–444, doi:10.1007/11691372_29.
[15] T. S. Hoang (2005): Developing a probabilistic B-Method and a supporting toolkit. Ph.D. thesis, University of New South Wales, Australia.
[16] C. A. R. Hoare (1969): An axiomatic basis for computer programming. Communications of the ACM 12(10), pp. 576–580, doi:10.1145/357980.358001.
[17] J. Hurd (2002): Formal verification of probabilistic algorithms. Ph.D. thesis, University of Cambridge, United Kingdom.
[18] International Electrotechnical Commission, Geneva (1985): IEC International Standard 812: Analysis techniques for system reliability: procedures for failure mode and effect analysis.
[19] International Electrotechnical Commission, Geneva (1990): International Standard IEC 1025: Fault Tree Analysis (FTA).
[20] D. R. Karger (1993): Global min-cuts in RNC, and other ramifications of a simple min-cut algorithm. In proceedings of the fourth annual ACM-SIAM symposium on discrete algorithms, pp. 21–30, Austin, Texas, United States.
[21] M. Kwiatkowska, G. Norman & D. Parker (2007): Controller dependability analysis by probabilistic model checking. Control Engineering Practice 15(11), pp. 1427–1434, doi:10.1016/j.conengprac.2006.07.003.
[22] A. K. McIver & C. C. Morgan (2004): Abstraction, refinement and proof for probabilistic systems. Monographs in Computer Science. Springer Verlag.
[23] U. Ndukwu (2009): Quantitative safety: linking proof-based verification with model checking for probabilistic systems. In proceedings of QFM'09. EPTCS 13, pp. 27–39, doi:10.4204/EPTCS.13.3.
[24] U. Ndukwu (2010): Generating counterexamples for quantitative safety specifications in probabilistic B. Accepted for inclusion in the Journal of Logic and Algebraic Programming.
[25] U. Ndukwu & A. K. McIver (2010): YAGA: Automated analysis of quantitative safety specifications in probabilistic B. In proceedings of ATVA'10. Lecture Notes in Computer Science 6252. Springer, pp. 378–386, doi:10.1007/978-3-642-15643-4_31.
[26] F. Ortmeier, W. Reif & G. Schellhorn (2006): Deductive cause-consequence analysis (DCCA). In proceedings of IFAC World Congress, Elsevier.
[27] M. L. Puterman (1994): Markov Decision Processes. Wiley.

Appendix

    MACHINE Clock(maxtime)
    CONSTRAINTS maxtime ∈ N
    VARIABLES time, action
    INVARIANT time ∈ N ∧ action ∈ N ∧ time ≥ 0 ∧ time ≤ maxtime
    INITIALISATION time, action := 0, 0
    OPERATIONS
      timeout ←− initClock ≙
        BEGIN action := 0 || timeout := 0 END;
      timeout ←− clockAction(label) ≙
        PRE label ∈ N ∧ time < maxtime THEN
          BEGIN action := label || time := time + 1 END;
          timeout := time
        END;
    END.
Figure 9: The specification of the discrete Clock is such that whenever an action due to the components, or even a Skip action, fires, time is incremented while the specific action is also marked. We use the action variable as a marker to abstract the identification of the operations constituting the diagnostic traces (see Fig. 8).

    MACHINE Cmp(cp)
    SEES RealTYPE
    CONSTRAINTS cp ∈ REAL ∧ cp ≥ real(0) ∧ cp ≤ real(1)
    OPERATIONS
      cout ←− componentaction ≙
        PCHOICE cp OF cout := 1 OR cout := 2 END;
    END.

Figure 10: Here we model an abstract stateless machine for components with similar behaviours. Later on, we use pB's IMPORT clause to clone Sensor1, Sensor2, Primary Unit, Monitor and Backup Unit via variable renaming. The specification of the abstract Cmp machine is such that it can probabilistically either respond to a signal request (cout = 1 [active]) or fail to do so (cout = 2 [dead]). The probability cp is a parameter of the machine and specifies the availability of the component.

    MACHINE SignalProcess(s1p, s2p, a1p, a2p, mp)
    CONSTRAINTS s1p, s2p, a1p, a2p, mp ∈ REAL
                ∧ s1p, s2p, a1p, a2p, mp :∈ real(0)..real(1)
    INCLUDES Sensor1.Cmp(s1p), Sensor2.Cmp(s2p), PrimaryUnit.Cmp(a1p),
             BackupUnit.Cmp(a2p), Monitor.Cmp(mp)
    VARIABLES s1, s2, a1, a2, m
    INVARIANT s1, s2, a1, a2, m ∈ N ∧ s1, s2, a1, a2, m :: [0, 2]
    INITIALISATION s1, s2, a1, a2, m := 0
    OPERATIONS
      label ←− action ≙
        SELECT s1 = 0 THEN s1 ←− Sensor1.componentaction || label := 1
        WHEN s2 = 0 THEN s2 ←− Sensor2.componentaction || label := 2
        WHEN a1 = 0 ∧ s1 = 1 THEN a1 ←− PrimaryUnit.componentaction || label := 3
        WHEN a1 = 0 ∧ s2 = 1 THEN a1 ←− PrimaryUnit.componentaction || label := 3
        WHEN a1 = 2 THEN m ←− Monitor.componentaction || label := 4
        WHEN m = 1 THEN a2 ←− BackupUnit.componentaction || label := 5
        ELSE label := 6
        END;
      s1out, s2out, a1out, a2out, mout ←− getState ≙
        BEGIN s1out, s2out, a1out, a2out, mout := s1, s2, a1, a2, m END;
    END.

Figure 11: The nondeterministic behaviour of the components is specified in this machine. An individual component can probabilistically respond to a signal request by setting its state value to 1 or 2, denoting 'active' and 'dead' respectively, after leaving the initial state with value 0 ('idle').

    IMPLEMENTATION SignalTrackerI(maxtime, s1p, s2p, a1p, a2p, mp)
    REFINES SignalTracker
    SEES RealTYPE, IntTYPE
    IMPORTS SignalProcess(s1p, s2p, a1p, a2p, mp), Clock(maxtime)
    OPERATIONS
      sgout ←− sendsignal ≙
        VAR sg, s1, s2, a1, a2, m, t IN
          t ←− initClock;
          WHILE (t ≤ maxtime) DO
            act ←− action;
            t ←− clockAction(act);
            s1, s2, a1, a2, m ←− getState;
            IF (a2 = 1) ∧ (s2 = 1) THEN sg := 2
            ELSIF (a1 = 1) ∧ (s1 = 1) THEN sg := 2
            ELSIF (a1 = 1) ∧ (s2 = 1) THEN sg := 2
            ELSE sg := 3
            END;
            sgout := sg
          INVARIANT s1, s2, a1, a2, m, t ∈ N ∧ s1, s2, a1, a2, m :: [1, 2]
                    ∧ sg :: [0, 3] ∧ t ≤ maxtime
          EXPECTATIONS real(rr) ⇛ (lift(sg = 0 ∨ sg = 1) × real(rr) + lift(sg = 2))
                                   × lift(t = maxtime)
          END;
        END
      END.

Figure 12: SignalTrackerI uses a WHILE-DO loop structure to model the passage of discrete time. The PCHOICE operation provides the implementation constructs for the abstract probabilistic branching statements with respect to the availability of the controller components.