Probabilistic Verification of
Discrete Event Systems
Håkan L. S. Younes
Introduction





Verify properties of discrete event
systems
Probabilistic and real-time properties
Properties expressed using CSL
Acceptance sampling
Guaranteed error bounds
“The Hungry Stork”
“The Hungry Stork”
System
“The probability is at least 0.7 that the stork satisfies its hunger
within 180 seconds”
Systems




A stork hunting for frogs
The CMU post office
The Swedish telephone system
The solar system
Discrete Event Systems

Discrete state changes at the
occurrence of events




A stork hunting for frogs
The CMU post office
The Swedish telephone system
The solar system
“The Hungry Stork” as a
Discrete Event System
hungry
“The Hungry Stork” as a
Discrete Event System
stork sees frog
hungry
40 sec
hungry,
hunting
“The Hungry Stork” as a
Discrete Event System
stork sees frog
frog sees stork
hungry
hungry,
hunting
40 sec
19 sec
hungry,
hunting,
seen
“The Hungry Stork” as a
Discrete Event System
stork sees frog
frog sees stork
stork eats frog
hungry
hungry,
hunting
hungry,
hunting,
seen
40 sec
19 sec
1 sec
not hungry
Sample Execution Paths
stork sees frog
frog sees stork
stork eats frog
hungry
hungry,
hunting
hungry,
hunting,
seen
40 sec
19 sec
1 sec
not hungry
Properties of Interest

Probabilistic real-time properties

“The probability is at least 0.7 that the
stork satisfies its hunger within 180
seconds”
Properties of Interest

Probabilistic real-time properties

“The probability is at least 0.7 that the
stork satisfies its hunger within 180
seconds”
Verifying Real-time Properties

“The stork satisfies its hunger within
180 seconds”
stork sees frog
+
19 sec
stork eats frog
hungry,
hunting,
seen
hungry,
hunting
hungry
40 sec
frog sees stork
+
True!
1 sec
not hungry
≤ 180 sec
Verifying Real-time Properties

“The stork satisfies its hunger within
180 seconds”
stork sees frog
hungry,
hunting
hungry
165 sec
Stork eats frog
+
30 sec
not hungry
> 180 sec
False!
Verifying Probabilistic Properties

“The probability is at least 0.7 that X”

Symbolic Methods



Pro: Exact solution
Con: Works for a restricted class of systems
Sampling


Pro: Works for all systems that can be
simulated
Con: Uncertainty in correctness of solution
Our Approach


Use simulation to generate sample
execution paths
Use sequential acceptance sampling to
verify probabilistic properties
Error Bounds

Probability of false negative: ≤


We say that P is false when it is true
Probability of false positive: ≤

We say that P is true when it is false
Acceptance Sampling

Hypothesis: “The probability is at least
 that X”
Acceptance Sampling

Hypothesis: Pr≥(X)
Sequential
Acceptance Sampling

Hypothesis: Pr≥(X)
True, false,
or another
sample?
Probability of accepting
Pr≥ (X) as true
Performance of Test
1–


Actual probability of X holding
Probability of accepting
Pr≥ (X) as true
Ideal Performance
1–
False positives
False negatives


Actual probability of X holding
Probability of accepting
Pr≥ (X) as true
Actual Performance
1–
False positives
False negatives
Indifference region

–

+
Actual probability of X holding
Number of
positive samples
Graphical Representation of
Sequential Test
Number of samples
Graphical Representation of
Sequential Test
We can find an acceptance line and a
rejection line given , , , and 
Number of
positive samples

Accept
Continue sampling
Reject
Number of samples
Graphical Representation of
Sequential Test
Reject hypothesis
Number of
positive samples

Accept
Continue sampling
Reject
Number of samples
Graphical Representation of
Sequential Test
Accept hypothesis
Number of
positive samples

Accept
Continue sampling
Reject
Number of samples
Continuous Stochastic Logic
(CSL)

State formulas


Truth value is determined in a single state
Path formulas

Truth value is determined over an
execution path
State Formulas


Standard logic operators: ¬, 1  2 …
Probabilistic operator: Pr≥()


True iff probability is at least  that  holds
Pr≥0.7(“The stork satisfies its hunger within
180 seconds”)
Path Formulas

Until: 1 U≤t 2


Holds iff 2 becomes true in some state
along the execution path before time t, and
1 is true in all prior states
“The stork satisfies its hunger within 180
seconds”: true U≤180 ¬hungry
Expressing Properties in CSL

“The probability is at least 0.7 that the
stork satisfies its hunger within 180
seconds”


Pr≥0.7(true U≤180 ¬hungry)
“The probability is at least 0.9 that the
customer is served within 60 seconds
and remains happy while waiting”

Pr≥0.9(happy U≤60 served)
Semantics of Until

true U≤180 ¬hungry
hungry
40 sec
hungry,
hunting,
seen
hungry,
hunting
+
19 sec
+
True!
1 sec
¬hungry
≤ 180 sec
Semantics of Until

true U≤180 ¬hungry
hungry,
hunting
hungry
165 sec
+
30 sec
¬hungry
> 180 sec
False!
Semantics of Until

happy U≤60 served
happy,
¬served
17 sec
¬happy,
¬served
+
13 sec
happy,
¬served
+
False!
5 sec
served
≤ 60 sec
Verifying Probabilistic Statements

Verify Pr≥() with error bounds  and 


Generate sample execution paths using
simulation
Verify  over each sample execution path



If  is true, then we have a positive sample
If  is false, then we have a negative sample
Use sequential acceptance sampling to test
the hypothesis Pr≥()
Verification of Nested Probabilistic
Statements

Suppose , in Pr≥(), contains
probabilistic statements


Pr≥0.8(true U≤60 Pr≥0.9(true U≤30 ¬hungry))
Error bounds ’ and ’ when verifying 
Verification of Nested Probabilistic
Statements

Suppose , in Pr≥(), contains
probabilistic statements
True, false,
or another
sample?
Modified Test
Find an acceptance line and a rejection
line given , , , , ’, and ’:
Number of
positive samples

Accept
With
’ and ’ = 0
Continue sampling
Reject
Number of samples
Modified Test
Find an acceptance line and a rejection
line given , , , , ’, and ’:
Number of
positive samples

Accept
With
’ and ’ > 0
Continue sampling
Reject
Number of samples
Verification of Negation

To verify ¬ with error bounds  and 

Verify  with error bounds  and 
Verification of Conjunction

Verify 1  2  …  n with error
bounds  and 


Accept if all conjuncts are true
Reject if some conjunct is false
Acceptance of Conjunction

Accept if all conjuncts are true

Accept all i with bounds i and i




Probability at most i that i is false
Therefore: Probability at most 1 + … + n that
conjunction is false
For example, choose i = /n
Note: i unconstrained
Rejection of Conjunction

Reject if some conjunct is false

Reject some i with bounds i and i




Probability at most i that i is true
Therefore: Probability at most i that
conjunction is true
Choose i = 
Note: i unconstrained
Putting it Together

To verify 1  2  …  n with error
bounds  and 
1.
2.
3.
4.
Verify each i with error bounds  and ’
Return false as soon as any i is verified
to be false
If all i are verified to be true, verify each
i again with error bounds  and /n
Return true iff all i are verified to be true
“Fast reject”
Putting it Together

To verify 1  2  …  n with error
bounds  and 
1.
2.
3.
4.
Verify each i with error bounds  and ’
Return false as soon as any i is verified
to be false
If all i are verified to be true, verify each
i again with error bounds  and /n
Return true iff all i are verified to be true
“Rigorous accept”
Verification of Path Formulas

To verify 1 U≤t 2 with error bounds 
and 

Convert to disjunction

1 U≤t 2 holds if 2 holds in the first state, or if
2 holds in the second state and 1 holds in all
prior states, or …
More on Verifying Until



Given 1 U≤t 2, let n be the index of
the first state more than t time units
away from the current state
Disjunction of n conjunctions c1 through
cn, each of size i
Simplifies if 1 or 2, or both, do not
contain any probabilistic statements
Example

Verify Pr≥0.7(true U≤180 ¬hungry) in
with  =  = 0.1 and  = 0.1
hungry
Positive samples
15
Simulator
10
5
5
10
Number of samples
15
Example

hungry
Verify Pr≥0.7(true U≤180 ¬hungry) in
with  =  = 0.1 and  = 0.1
40
hungry
15
stork
sees frog
19
frog
sees stork
1
Positive samples
hungry,
hunting
hungry,
hunting,
seen
stork
eats frog
10
5
¬hungry
5
10
Number of samples
Total time: 60
0 sec
40
59
sec
15
Example

hungry
Verify Pr≥0.7(true U≤180 ¬hungry) in
with  =  = 0.1 and  = 0.1
63
hungry
stork
sees frog
hungry,
hunting
25
frog
sees stork
2
hungry,
hunting,
seen
frog
jumps
hungry,
tired
Positive samples
15
93
Total time: 183
88
90
sec
sec
0 sec
63
stork
rested
10
5
5
hungry
10
Number of samples
15
Example

Verify Pr≥0.7(true U≤180 ¬hungry) in
with  =  = 0.1 and  = 0.1
hungry
Positive samples
15
10
5
5
Property holds!
10
Number of samples
15
Summary



Algorithm for probabilistic verification of
discrete event systems
Sample execution paths generated
using simulation
Probabilistic properties verified using
sequential acceptance sampling
Future Work



Apply to hybrid dynamic systems
Develop heuristics for formula ordering
and parameter selection
Use verification to aid policy generation
for real-time stochastic domains