Multi-objective probabilistic model checking provides a way to verify several, possibly conflicting, quantitative properties of a stochastic system. It has useful applications in controller synthesis and compositional probabilistic verification. However, existing methods are based on linear programming, which limits the scale of systems that can be analysed and makes verification of time-bounded properties very difficult. We present a novel approach that addresses both of these shortcomings, based on the generation of successive approximations of the Pareto curve for a multi-objective model checking problem. We illustrate dramatic improvements in efficiency on a large set of benchmarks and show how the ability to visualise Pareto curves significantly enhances the quality of results obtained from current probabilistic verification tools.amenable to symbolic (BDD-based) implementations. Value iteration can also be used for time-bounded (finite-horizon) properties, which is impractical with LP. Another alternative is policy iteration, but this is also impractical for timebounded properties, and preliminary investigations in [10] showed no particular improvement over value iteration in the context of probabilistic verification.There has recently been increased interest in multi-objective probabilistic model checking for MDPs [5,9,11,4], which can be used to analyse trade-offs between several, possibly conflicting, quantitative properties. Consider, for example, two events of interest, A and B, and let p σ A and p σ B be the probability that each occurs under an adversary σ of an MDP. In this paper, we study several kinds of multi-objective properties. Achievability queries ask, e.g., "is there an adversary σ satisfying the predicate ψ = p σ A x ∧ p σ B y?" and numerical queries ask, e.g., "what is maximum value of x such that ψ is achievable?". We also consider the Pareto curve of undominated solution points: for this example, the set of pairs (x, y) such that ψ is achievable but any increase in either x or y would necessitate a decrease in the other.Multi-objective techniques have natural applications to controller synthesis for MDPs (e.g., "how can we maximise the probability of successful message transmission, whilst keeping the expected energy usage below 100 mJ?"). They also form the basis of recent compositional verification techniques [15], which decompose model checking into separate tasks for each system component using assume-guarantee reasoning (e.g., "what is the maximum probability of a global system error, under the assumption that component 1 fails with probability at most 0.02?"). This approach has been successfully used to verify probabilistic systems too large to analyse without compositional techniques.Existing multi-objective model checking methods [5,9,11,4] rely on a reduction to LP. The linear program solved, although of a rather different form to the standard (single objective) case, is still linear in the size of the MDP, yielding polynomial time complexity. As discussed above, though, LP-bas...
