Model checking for probabilistic timed automata

Abstract: Probabilistic timed automata (PTAs) are a formalism for modelling systems whose behaviour incorporates both probabilistic and real-time characteristics. Applications include wireless communication protocols, automotive network protocols and randomised security protocols. This paper gives an introduction to PTAs and describes techniques for analysing a wide range of quantitative properties, such as "the maximum probability of the airbag failing to deploy within 0.02 seconds", "the maximum expected time for the … Show more

“…Formal Modelling Framework As we require probabilities and time to represent the environment and express the properties of interest for validating a certification process, our model uses Probabilistic Timed-Automata (PTA) [25], as supported by the Prism model checker [21]. A PTA is a tuple P = (Locs, l 0 , Clocks, Act, Inv , EnabConds, ProbTrans, Lab), where [25]:…”

“…-Locs is a finite set of locations, and l 0 ∈ Locs; -Clocks is a finite set of clocks, and Act a finite set of action names; -Inv is an invariant on Locs and clock constraints -Inv : Locs → CC (Clocks); -EnabConds are clock conditions -EnabConds : Locs × Act → CC (Clocks); -ProbTrans is a partial probabilistic transition function, which given a location and an action name, gives a probability distribution over the next states (defined by a subset of clocks that are reset to zero by the transition named with action that leads to a new location, and that location) -ProbTrans : Locs × Act → Dist(2 Clocks × Locs); and -Lab labels each location with a set of atomic propositions -Lab : Locs → 2 AP Clock constraints over a set of Clocks, CC (Clocks), are defined by the syntax χ ::= true|x ≤ d|c ≤ x|x + c ≤ y + d|¬χ|χ ∧ χ, where x, y ∈ Clocks and c, d ∈ N [25]. A PTA is well-formed when all enabled transitions take the automaton to states satisfying the clock invariant -see [25].…”

“…A PTA is well-formed when all enabled transitions take the automaton to states satisfying the clock invariant -see [25].…”

“…The most important difference is that the Prism model has a non-deterministic behaviour -whenever multiple transitions are enabled it can execute any of them. It can actually elect to not execute any transition at all and instead simply let the time pass -Prism does not support urgent transitions [25] that must be taken immediately when they are enabled without allowing time to advance. The code we produce on the other hand, will always choose the first enabled transition and will execute it in an eager manner, without allowing time to pass.…”

Cloud Certification Process Validation Using Formal Methods

“…Formal Modelling Framework As we require probabilities and time to represent the environment and express the properties of interest for validating a certification process, our model uses Probabilistic Timed-Automata (PTA) [25], as supported by the Prism model checker [21]. A PTA is a tuple P = (Locs, l 0 , Clocks, Act, Inv , EnabConds, ProbTrans, Lab), where [25]:…”

“…-Locs is a finite set of locations, and l 0 ∈ Locs; -Clocks is a finite set of clocks, and Act a finite set of action names; -Inv is an invariant on Locs and clock constraints -Inv : Locs → CC (Clocks); -EnabConds are clock conditions -EnabConds : Locs × Act → CC (Clocks); -ProbTrans is a partial probabilistic transition function, which given a location and an action name, gives a probability distribution over the next states (defined by a subset of clocks that are reset to zero by the transition named with action that leads to a new location, and that location) -ProbTrans : Locs × Act → Dist(2 Clocks × Locs); and -Lab labels each location with a set of atomic propositions -Lab : Locs → 2 AP Clock constraints over a set of Clocks, CC (Clocks), are defined by the syntax χ ::= true|x ≤ d|c ≤ x|x + c ≤ y + d|¬χ|χ ∧ χ, where x, y ∈ Clocks and c, d ∈ N [25]. A PTA is well-formed when all enabled transitions take the automaton to states satisfying the clock invariant -see [25].…”

“…A PTA is well-formed when all enabled transitions take the automaton to states satisfying the clock invariant -see [25].…”

“…The most important difference is that the Prism model has a non-deterministic behaviour -whenever multiple transitions are enabled it can execute any of them. It can actually elect to not execute any transition at all and instead simply let the time pass -Prism does not support urgent transitions [25] that must be taken immediately when they are enabled without allowing time to advance. The code we produce on the other hand, will always choose the first enabled transition and will execute it in an eager manner, without allowing time to pass.…”

Cloud Certification Process Validation Using Formal Methods

“…A number of techniques have been developed for quantitative verification of PTAs, including the digital clocks [36] approach; forwards [37] and backwards reachability [38] based on zones; and game-based quantitative abstraction-refinement [33]. Strategy synthesis is also possible [44]. PRISM provides native support for PTAs, via the techniques of [33] and [36].…”

Advances in Quantitative Verification for Ubiquitous Computing

Efficient and Adaptive Error Recovery