Statistical Model Checking of Dynamic Networks of Stochastic Hybrid Automata Electronic Communications of the EASST Volume 66 (2013) Proceedings of the Automated Verification of Critical Systems (AVoCS 2013) Statistical Model Checking of Dynamic Networks of Stochastic Hybrid Automata Alexandre David, Kim G. Larsen, Axel Legay, and Danny Bøgsted Poulsen 15 pages Guest Editors: Steve Schneider, Helen Treharne Managing Editors: Tiziana Margaria, Julia Padberg, Gabriele Taentzer ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122 http://www.easst.org/eceasst/ ECEASST Statistical Model Checking of Dynamic Networks of Stochastic Hybrid Automata Alexandre David1, Kim G. Larsen1, Axel Legay2, and Danny Bøgsted Poulsen1 1 {adavid,kgl,dannybp}@cs.aau.dk Aalborg University, Denmark 2 alegay@irisa.fr Aalborg University, Denmark and INRIA/IRISA Rennes, France Abstract: In this paper we present a modelling formalism for dynamic networks of stochastic hybrid automata. In particular, our formalism is based on primitives for the dynamic creation and termination of hybrid automata components during the execution of a system. In this way we allow for natural modelling of concepts such as multiple threads found in various programming paradigms, as well as the dynamic evolution of biological systems. We provide a natural stochastic semantics of the modelling formalism based on re- peated output races between the dynamic evolving components of a system. As specification language we present a quantified extension of the logic Metric Tempo- ral Logic (MTL). As a main contribution of this paper, the statistical model checking engine of UPPAAL has been extended to the setting of dynamic networks of hybrid systems and quantified MTL. We demonstrate the usefulness of the extended for- malisms in an analysis of a dynamic version of the well-known Train Gate example, as well as in natural monitoring of a MTL formula, where observations may lead to dynamic creation of monitors for sub-formulas. Keywords: Hybrid automata, statistical model-checking, process creation 1 Introduction A computer program was originally seen as a single stream of instructions performed in a linear sequence. In contrast to this are multitasking systems where one program has multiple compu- tational threads with their instructions interleaved in each other. To complicate matters, compu- tational threads are even allowed to spawn other threads. The study of such systems was pioneered by the introduction of process algebras, e.g. CSP [Hoa85] and CCS [Mil80]. Process algebras describe the behaviour of systems with a minimal set of primitives and allow us to reason about the equivalence of systems using bisimulation relations. Adding a recursion/replication operator permits expressing spawning of new threads. Besides having multiple computational threads, modern software is getting more complex due to the distribution of labour: clients connect to servers, servers may delegate work to others and servers may need to contact some other service etc. In general, systems may establish connec- tions to other systems and share communication links. The π -calculus [MPW92b, MPW92a], an 1 / 15 Volume 66 (2013) mailto:\protect \T1\textbraceleft adavid,kgl,dannybp\protect \T1\textbraceright @cs.aau.dk mailto:alegay@irisa.fr Statistical Model Checking of Dynamic Networks of Stochastic Hybrid Automata extension of CCS, allows processes to pass communication links to each other. The minimalistic approach of process algebras, however, makes modelling actual systems tedious. In model checking communities the formalism timed automata [AD94] is one of the most successful modelling formalisms for concurrent systems. Each computational thread can be modelled as a single automaton and all the automata coordinate their actions through synchroni- sations on channels. Because the timed automata formalism was developed for model checking, it defines a finite (symbolic) state space. The number of automata is as a result fixed during execution of the model thus a spawning primitive is not part of the formalism. Statistical model checking is a software verification technique that relaxes the requirements to the modelling language. In particular, the state space does not need to be finite as an execution of the model is always terminated at a specific time point - provided the model is time diverging. We will construct a formalism that allows spawning new threads as in process algebras. In this paper, we present a new modelling formalism founded on the basis of timed input- output (IO) transition systems. The formalism operates on a collection of timed IO-transition systems (templates) that can be instantiated during transitions of active templates. The templates could be generated by any model with semantics given as timed IO-transition system but in our implementation we rely on Hybrid Automata. We present a stochastic semantics for our formalism based on races between the instantiated components. We develop a specification logic based on MTL [Koy90]. The main difference from MTL is the addition of two operators, one to quantify on the (unknown) number of components of the network, and another to reason on arithmetic operations on this number. We have made an implementation of the modelling formalism and the monitoring technique inside UPPAAL SMC [DLL+11]. Related Work. Dynamic creation of processes is already part of extensions of process alge- bras. An example is the fork calculus [HL94] that extends CCS with a fork primitive. The ex- tensions do not consider quantities and runtime verification of complex requirements expressed in MTL. As said above, the study of dynamical architecture is an intensive research topic. At the software engineering level, several works propose extensions of UML/MODAF/DODAF to handle dynamicity. Those extensions do not rely on a formal semantic which makes run-time (verification) almost impossible. Additionally, timed and stochastic information are rarely con- sidered in those works. From a more formal perspective, the work of Chen [Ca09] deals with adaptive systems, but again assume that the state space is known in advance. Recently, Sharifloo proposed to avoid this assumption by combining verification and run-time of the deployed system within the Lover framework [SS12]. This work is in line with our objective, but ignores timed and stochastic aspects. Tools such as BIP have been extended to deal with dynamical architec- ture [BJMS12]. BIP focuses on interactions, while UPPAAL proposes a quantitative framework. Other approaches such as PRS also consider dynamical networks. However, they remain at a highly theoretical level, mostly studying what is decidable and what is not [ST09]. Those ap- proaches do not consider effective and efficient algorithms. Finally, Henzinger et al., have also considered dynamical extension of reactive module with an application to systems biology. The theory presented in [FHN+11] remains very complex, there is no run-time monitoring procedure and the verification process is limited to conformance. There are also a wide range of dynamical architectures dedicated to a specific problem [FL10]. Our approach is more generic and hence Proc. AVoCS 2013 2 / 15 ECEASST incomparable to those approaches. 2 Dynamic Networks of Hybrid Automata We introduce a general framework for dynamically evolving networks of real-time components. As the semantical basis of the individual components and the network itself, we use the notion of timed IO-transition systems. Definition 1 (Timed IO-transition System) A timed IO-transition system S is a tuple (S,s0,Σ,−→ ), where (i) S is a set of states, (ii) s0 ∈ S is the initial state, (iii) Σ = Σ0 ]Σi is a finite set of ac- tions partitioned into inputs (Σi) and outputs (Σo), and −→⊆ S×(Σ∪IR≥0)×S is the transition relation. As usual we write s α−→ s′ whenever (s,α,s′) ∈−→, and s α−→ whenever s α−→ s′ for some s′. We call s α−→ s′ a discrete (input respectively output) transition whenever α ∈ Σ (α ∈ Σi respectively α ∈ Σo), and a delay transition whenever α ∈ IR≥0. Following the compositional specification theory for timed systems in [DLL+10], we assume that S is deterministic, i.e. whenever s α−→ s′ and s α−→ s′′ then s′ = s′′. We denote by sα the unique state s′ such that s α−→ s′ (whenever it exists). Also we assume that S is input enabled, i.e. s α−→ for all α ∈ Σi. Well-known formalisms for expressing timed IO transition systems include timed automata [AD94], priced timed automata [BFH+01] and hybrid automata [HR98]. In these formalisms, states are of the type (`,ν), with ` ∈ L being a location of the given automaton, and ν ∈ V a valuation assigning values to the various continuous variables of the automaton (e.g. clocks, costs and hybrid variables). A discrete transition, (`,ν) α−→ (`′,ν′), corresponds to an edge between ` and `′ in the given automaton, whose guard is enabled by the source valuation ν and where the resulting valuation ν′ is obtained from ν by performing the updates required by the edge. In delay transitions, (`,ν) d−→ (`,ν′), the values of the various continuous variables are changed according to a “flow” function F̀ : IR≥0 ×V −→ V specified by the location `, i.e. ν ′ = F̀ (d,ν). For timed automata F̀ (d,_) simply corresponds to increasing the value of all clocks with d, whereas the “flow” function for hybrid automata are specified using differential equations. Example 1 Consider the variant of the bouncing ball in Fig. 1. Here a ball is repeatedly bounc- ing on the floor expressed by the hybrid automaton (template) in Fig. 1(a). In the model p is the height of the and v its velocity on the vertical axis. After being initialised to the state (p = 10,v = 0) - by the first transition allowed in Fig. 1(a) - the following transition sequence may occur: (p = 10,v = 0) 1.02−→ (p = 0,v =−10.00) bounce!−→ (p = 0,v = 9.01) where in the bounce!-transition the dampening factor has non-deterministically been chosen from the interval [0.80,0.92] as 0.901. Fig. 1(b) models an (inexperienced) player that attempts 3 / 15 Volume 66 (2013) Statistical Model Checking of Dynamic Networks of Stochastic Hybrid Automata p >= 6 && v >= 0 p >= 6 && v < 0 && v >= -4 p==0 && v>=-1 && v<0 bounce! p==0 && v < 0 v=-4.0,spawn Ball(hit),hits++ v=-(0.8+random(0.12))*v p=10 v’==-9.81 && p’==1*v v = -(0.85+random(0.1))*v - 4, spawn Ball(hit) exit() hit? hit? (a) Ball template hit! x=0 x<=3 (b) Player template b.p h.x time v a lu e 0 2,5 5,0 7,5 10,0 0 8,3 16,6 24,9 (c) Individual behaviours b.p b.p b.p h.x time v a lu e 0 2,5 5,0 7,5 10,0 0 8,3 16,6 24,9 (d) Interacting behaviours Figure 1: Bouncing Balls with a Player. to repeatedly hit the ball after non-deterministic delays between 0 and 3. The individual be- haviours of the ball and player are illustrated in Fig. 1(c). In our framework, a system consists of a dynamically changing number of interacting com- ponents, where each component is an instance of a template. The available templates is given by a template collection T = (T1,...,Tn), describing closed networks: all templates have the same action set Σ, and their output action sets provide a partitioning of Σ, i.e. Σ = ∪ jΣ j o. For a ∈ Σ we denote by c(a) the unique j for which a ∈ Σ jo. For a set A, we shall denote all multisets over A by M (A). By X ]Y , we denote the multiset union of two multisets X and Y . Whenever f : A → B, where A and B are sets, we shall extend f to the corresponding multisets in the ob- vious manner, i.e. for X ∈ M (A), f (X) = {· f (a) : a ∈ X ·}∈ M (B) where {· ... ·} defines a multiset construction. Definition 2 (Template Collection) Let Σ be a set of actions. A template collection over Σ is a tuple T = (T1,...,Tn), where for j = 1...n, T j = (S j,s j 0,−→ j,Σ j,Ψ j) with: • (S j,s j0,Σ,−→ j) is a timed IO transition systems over Σ with Σ j as output action set; • Σ1,Σ1,...,Σn is a disjoint partitioning of Σ; • Ψ j : Σ j ×S j −→M ({T1,...,Tn}) gives for each output-action-state-pair of T j a multiset of templates that should be spawned while performing the output action. Whenever s a−→ j Proc. AVoCS 2013 4 / 15 ECEASST DELAY (M1,...,Mn) d−→ (M′1,...,M ′ n) if d ∈ IR≥0 and for all i ≤ n,Mi d−→i M′i ; ACTION (M1,...,M j ]{s},...,Mn) a−→ (M′′1 ,...,M ′′ j ,...,M ′′ n )⊕P if a ∈ Σ j and s a−→ j P s ′,M′′j = M j ]{s ′}, and Ml a−→l M′′l for l 6= j. Table 1: Transition relation for S T , where T = (T1,...,Tn) is a template collection. s′ with a ∈ Σ j and P = Ψ j(a,s), we write s a−→ j P s ′. Formally, a template collection T = (T1,...,Tn) describes a timed IO transition system of dynamic networks S T = (ST ,s0,Σ,−→), where all actions are output actions. The set of states ST are tuples (M1,...,Mn) with M j ∈ M (S j) describing the multiset of states comprising the currently active instances of template T j. The initial state s0 is ({s10},...{s n 0}), i.e. initially one instance of each template Ti is instantiated. The transition relation −→ of S T is given by the rules of Table 1. To delay from a state s = (M1,...,Mn), all active instances of all templates must participate in the delay. An a-action transition is driven by an instance of the template T j for which a is an output. All other instances of T j ignore this output, whereas instances of other tem- plates respond with a corresponding input transition on a. Importantly, instances of the templates in the multiset P are spawned and added to the new configuration. Formally, (M1,...,Mn)⊕P is defined inductively in the size of P. As basis (M1,...,Mn)⊕ /0 = (M1,...,Mn). If P = P′]{T j} and (M1,...,Mn)⊕P′ = (M′1,...,M ′ n), then (M1,...,Mn)⊕P = (M′1,...,M ′ j ]{s j 0},...,M ′ n). An (infinite) timed run over T is a sequence ω = s0d0s1d1 ...sndnsn+1 ..., where for all i≥0 si ∈ST , di ∈R≥0 and si di−→ ai−→ si+1 for some ai ∈ Σ. We denote by ω i the suffix sidisi+1di+1 .... Remark 1 For readability, we only consider spawning of template instances on output actions. Extending the semantics to also allow spawning on input actions is, however, straightforward. Alternatively, a desired transition s a−→ j P s ′, where a is an input of template T j, may be encoded as a sequence s a−→ j sa o−→ j P, with o being a new output action for T j and s a being a new intermediate state that can only output o while spawning P. Remark 2 For simplicity our theoretical construction does not allow for parameterising tem- plates. It is, however, allowed in our implementation in UPPAAL SMC. Example 2 Reconsider the bouncing ball example from Fig. 1. Jointly the ball and the player constitutes a template collection T with two templates (Ball and Player), with initially one ball and one player. Figure 1(d) depicts the joint behaviour during the first 25 time-units, with 5 / 15 Volume 66 (2013) Statistical Model Checking of Dynamic Networks of Stochastic Hybrid Automata the first transitions detailed as follows:( {〈p = 10,v = 0〉},{〈x = 0〉} ) 1.02−→({〈p = 0,v =−10.00〉},{〈x = 1.02〉}) bounce!−→ ( {〈p = 0,v = 9.01〉},{〈x = 1.02〉} ) 0.8−→ ( {〈p = 6.1,v = 1.16〉},{〈x = 1.82〉} ) hit!−→ ( {〈p = 6.1,v =−5.04〉,〈p = 10,v = 0〉},{〈x = 1.82〉} ) In particular, we note that after the (initial) ball have bounced, the player successfully hits it resulting in a new (second) ball being spawned. We see that during the 25 time-units the player is also successful in hitting that (second) ball. In the figure we can see a ball being spawned by the extra curves compared to Fig. 1(d). 3 Stochastic Semantics for Dynamic Networks Reconsidering our dynamic version of the bouncing ball from Section 2, we may consider that there is a constant race between the ball(s) bounce!ing on the floor and the player hit!ing the ball(s). Whereas the time of bouncing is deterministic – given by the ODE obtained from the (stochastic) effect of the previous bounce! or hit! – the time of the hitting by the player is stochastic according to a uniform distribution in the interval [0,3]. In the randomly generated trajectory of Fig. 1(d) it seems that the player was successful in hitting twice, thus generating two additional balls. In fact, a measure on sets of runs of the system is induced, according to which quantitative properties such as “the probability that there are two or more balls with a height greater than 5 within 4 and 6 time-units” become well-defined. Our stochastic semantics is based on the principle of independence between components. Re- peatedly each component decides on its own – based on a given delay density function and output probability function – how much to delay before outputting and what output to broadcast at that moment. Obviously, in such a race between components the outcome will be determined by the component that has chosen to output after the smallest delay: the output is broadcast and all other components may consequently change state. Stochastic Template Collection Stochastic template collections refine the non-deterministic choices that may exist with respect to delay, output and next state in the specification of a tem- plate collection T = (T1,...,Tn). Let T j be a template of the collection and let S j denote the corresponding set of states. For each state s ∈ S j, we assume that there exist probability distributions for delays, outputs as well as next-state: • the delay density function, µs over delays in IR≥0, provides stochastic information for when the component will perform an output, thus ∫ µs(t)dt = 1; • the output probability function γs assigns probabilities for resolving what output o ∈ Σ j o to generate, i.e. ∑o γs(o) = 1 1. 1 For outputs happening deterministically at an exact time point d, µs becomes a Dirac delta function δd . Proc. AVoCS 2013 6 / 15 ECEASST Remark 3 In UPPAAL SMC uniform distributions are applied for states where delay is bounded, and exponential distributions (with location-specified rates) are applied for the cases, where a component can remain indefinitely in a location. Also, UPPAAL SMC provides syntax for as- signing discrete probabilities to different outputs as well as specifying stochastic distributions on next-states (using the function random[b] denoting a uniform distribution on [0,b]). Stochastic Dynamic Networks A stochastic template collection T = (T1,...,Tn) in turns in- duces a stochastic semantics of the dynamic network timed IO transition system S T = (ST ,s0,−→ ,Σ). For s = (M1,...,Mn)∈ ST , π(s,a1a2 ...ak) denotes the set of all maximal runs from s with a prefix t1a1t2a2 ...tkak for some t1,...,tn ∈ IR≥0 (a cylinder), that is runs where the i’th action ai has been outputted by some instance of Tc(ai). Providing the basic elements of a Sigma-algebra, we now inductively define the measure for such sets of runs: PT ( π(s,a1 ...an) ) = ∑ s∈Mc ∫ t≥0 µs ·  ∏ j 6=c ∏ s′∈M j  ∫ τ>t µs′(τ)dτ    ·   ∏ s′′∈Mc\{s}  ∫ τ>t µs′′(τ)dτ    ·γst (a1)·PT (π((st)a1 ,a2 ...an))dt where c = c(a1). This definition requires an explanation: at the outermost level we sum over all states from Mc, i.e. active instances of the template Tc for which a1 is an output. For a given delay t, the outputting component, sc, will choose to make the broadcast at time t with the stated density. Independently, the other components (other components of the template Tc as well as components of other templates) will choose a delay amount, which – in order for c to be the winner – must be larger than t; hence the (two) products of the probabilities that they each make such a choice. Having decided for making the broadcast at time t, the probability of actually outputting a1 is included. Finally, the probability of runs according to the remaining actions a2 ...an is taken into account. L spawn P() 2 (a) Template P. sum (p : P )( p.L) time v a lu e 0 120 240 360 0 1,50 3,00 (b) Number of instances. Figure 2: An exploding template collection? Example 3 Given the dynamic spawning of new instances, the question arises whether the re- sulting network explodes in the sense that discrete actions may occur with shorter and shorter time between them as the number of instances grows, and hence the race between components 7 / 15 Volume 66 (2013) Statistical Model Checking of Dynamic Networks of Stochastic Hybrid Automata become more and more intense over time. Stated differently, we worry that the dynamic network may exhibit Zeno behaviour with a non-zero probability. As a (potential) example consider the template P of Fig. 2, where each instance will spawn new instances according to an exponential distribution with rate 2. The resulting evolution of the number of instances during a random run is illustrated in Fig 2. Fortunately, it follows from Reuter’s criteria for birth-and-death pro- cesses [Reu57], that for template collections where all delay densities are either exponential distributions (spanning a finite range of rates) or uniform (spanning a finite range of intervals), the system does not explode. This is important as termination of our method of statistical model checking relies on the assumption that random runs will eventually exceed any given time-bound with probability one. 4 Dynamic Metric Interval Temporal Logic In this section we present Dynamic Metric Temporal Logic (DMTL) for defining properties of runs of a dynamic network. The logic is based on Metric Temporal Logic (MTL), where atomic propositions have been extended with means for quantifying over the dynamic components of the systems. Let T = (T1,...,Tn) be a template collection. For each template T ∈{T1,...,Tn}, we assume the existence of a syntactic category of arithmetic expressions, EXPRT , interpreted over the states ST of T . Thus, whenever ε ∈ EXPRT and s ∈ ST then [[ε]](s) ∈ N. Similarly we assume a syntactic category of Boolean expressions, BOOLT , interpreted over the states ST of T . Thus, whenever β ∈ BOOLT and s ∈ ST then [[β ]](s)∈B. Considering now global states (M1,...,Mn) of the template collection T , we introduce the sets of arithmetic expressions, EXPR , and Boolean expressions, BOOL given by the following grammars: e ::= c | e1 op e2 | sum(t : T ).εT b ::= tt | ff |¬b | b1 ∧b2 | e1 ./ e2 | forall(t : T ).βT where c ∈ Z, op is a binary arithmetic operator, ./ is a binary comparison operator, and T is a template from the collection T . The semantics are: [[sum(t : T ).εT ]](M1,...,Mn) = ∑ s∈MT [[εT ]](s) [[forall(t : T ).βT ]](M1,...,Mn) = ∧ s∈MT [[βT ]](s) Definition 3 (Dynamic Metric Temporal Logic) Let T = (T1,...,Tn) be a collection of tem- plates. A DMTL formula ϕ over T is defined by the grammar: ϕ ::= b |¬ϕ | ϕ1 ∧ϕ2 | Xϕ | ϕ1U[x,y]ϕ2 where b ∈ BOOL , x,y ∈Q with x ≤ y. Proc. AVoCS 2013 8 / 15 ECEASST We use ff as an abbreviation for (b ∧¬b), tt for ¬ff, and exists(t : T ).βT for ¬forall(t : T ).¬βT . Other commonly used operators of MTL are derived in the usual manners, e.g.: ϕ1 ∨ ϕ2 = ¬(¬ϕ1 ∧¬ϕ2), ϕ1 → ϕ2 = (¬ϕ1 ∨ ϕ2), ♦[x,y]ϕ = tt U[x,y]ϕ , �[a,b]ϕ = ¬♦[x,y]¬ϕ , and ϕ1R[x;y]ϕ2 = ¬(¬ϕ1U[x,y]¬ϕ2), where R is the “release” operator. For a given timed run ω = s0d0s1d1 ...sndnsn+1 ... over S T and a DMTL formula ϕ , we define satisfaction ω i |= ϕ inductively as follows: 1. ω i |= b iff [[b]]si 2. ω i |=¬ϕ iff ω i 6|= ϕ 3. ω i |= ϕ1 ∧ϕ2 iff ω i |= ϕ1 and ω i |= ϕ2 4. ω i |= Xϕ iff ω i+1 |= ϕ 5. ω i |= ϕ1U[x,y]ϕ2 iff there exists j ≥ i such that ω j |= ϕ2 and ∑ j−1 k=i dk ∈ [x,y] and ω k |= ϕ1 whenever i ≤ k < j. We say that a timed run ω satisfies ϕ if ω 0 |= ϕ . We say that a template collection T satisfies ϕ , T |= ϕ , iff all timed runs of S T starting in s0 satisfies ϕ . Given the stochastic semantics of T , we define PT (ϕ) to be the probability that a random run of T satisfies ϕ . As we shall see later, this probability is well-defined as it may be characterized as a countable union and intersection of cylinders over T extended with a monitor Mϕ for ϕ , and is thus measurable. Example 4 Reconsider the bouncing ball from Fig. 1. The property “there are two or more balls with a height greater than 5 within 2 and 3 time-units” may be expressed as the DTML formula ♦[2,3] ( sum(b : Ball)(b.p > 5) ) ≥ 2. Similarly, the property “for any time-point within 1 and 3 time units, all balls have height less than or equal to 4” corresponds to the formula �[1,3]forall(b : Ball)(b.p≤4). Using UPPAAL SMC, we find [0.164092,0.264092], resp. [0.82,0.92], to the interval of the probability that a random run will satisfy the first, resp. the second, property with 95% confidence. Theorem 1 Let T be a template collection and ϕ be a DMTL formula . Then there exists a template collection T ϕ = {Tϕ ,Tϕ1,...,Tϕn} over Σφ with ttϕ !,ffϕ ! ∈ Σφ associated with ϕ such that: PT (ϕ) = PT ∪T ϕ ( ⋃ ω∈Σ∗ π ( (s,sϕ ),ωttϕ ! )) (1) where sϕ = (Mϕ ,Mϕ1,...Mϕn) with Mϕ ={s ϕ 0 } and for all j 6= 0, Mϕ j = /0, and Σ is the combined alphabet of T and T ϕ excluding ttϕ ! and ffϕ !. 5 Dynamic Networks of Hybrid Automata in UPPAAL UPPAAL SMC has been extended to dynamic instantiation of templates. Templates are, as usual, defined as Stochastics Hybrid Automata (SHA). The extension includes extending the core lan- guage with two keywords (spawn and exit) to create and terminate processes, extending the 9 / 15 Volume 66 (2013) Statistical Model Checking of Dynamic Networks of Stochastic Hybrid Automata notion of ranges to sets of processes using a similar syntax, and extending MTL to refer to the dynamic processes. We mention some interesting details that are important. Core Language Extensions. New processes are created by calling spawn T(args...) where T is the name of a template. The argument list is similar to the ordinary process instances. However, the internal mechanism for dynamically creating processes is different. A dynamic process terminates by calling the special function exit(). Normally, an instance corresponds to a template with its arguments substituted that is then compiled to obtain some byte-code specific for that instance. This is too expensive for dynamic instances not to mention the serious issue concerning memory management when terminating an instance (and the byte-code in the engine too). The mechanism we have creates local variables that correspond to the instance parameters of these templates. The templates are instantiated when needed but are recycled and kept in the engine when they terminate, in particular between each run. Instantiating a dynamic instance (spawn) is done by taking a process in a pool, writing to its local variables (instead of substituting and generating new byte-code), and adding it to the state. Termination of a process (exit) corresponds to recycling. Sets of Processes. The language extends the notion of ranges to sets of processes. The pro- cesses are here instances of stochastic hybrid automata templates. Normally, the user can use for loops, and the statements sum, forall, and exists over ranges, e.g., for(i:id_t) for iteration purposes. Now, this is extended to sets of processes for a given template type. For a template of type T, it is now possible to use the syntax t:T to iterate over this set with, e.g., sum(t:T) t.count. Statistical Model Checking (SMC). We use SMC [SVA04, YS02, LDB10] to estimate and test on the probability that a random run of a network of stochastic hybrid automata satisfies a given property. Given a model H and a trace property φ (expressed in LTL or MTL), SMC refers to a series of simulation-based techniques that can be used to answer two main questions: (1) Qualitative: is the probability that a random run of H satisfies φ greater or equal to a certain threshold θ ? and (2) Quantitative: what is the probability that a random run of H satisfies φ ? In both cases, the answer will be correct up to a user-specified level of confidence, providing a upper bound on the probability that the conclusion made by the algorithm is wrong. For the quantitative approach, the method computes a confidence interval that is an interval of probabilities that contains the true probability to satisfy the property. Here the confidence level provides the probability that the computed confidence interval indeed contains the unknown probability. Implementation of DMTL Monitoring. When checking DMTL properties, the engine rewrites the DMTL formula φ on-the-fly in such a way that the new formula φ1 is satisfied from the next state if and only if φ was satisfied from current state. The technique is similar to the one pre- sented in [BDL+12], but the engine has been extended to check the construct forall(t : T ).βT . methods. Proc. AVoCS 2013 10 / 15 ECEASST Terminate Cross start Stopped Appr Safe x=0,b=true exit() x=0,b=true x=0 x=0 x<=5 x<=15 x<=20 x<=20 x>=10 x>=7 leave! go? stop? appr! (a) train (chan& stop, chan& go, chan& appr,chan& leave) c = getFreeChanSet(), spawn train (stop[c],go[c],appr[c],leave[c]), c=-1, i++ i1 myNumber>1 myNumber ==1 Trainleft TrainRunning Started TrainStopped SomeTrainLeft exit(), releaseChanSet (chanSet) x<=tdecide myNumber=myNumber-1 (a) trainStopper ( int myNumber, chan &stop, chan &leave, chan &go) StartStopper Waiting cur=cur+1,c=k initialise() cur=cur-1 spawn trainStopper(cur,stop[c],leave[c],go[c],c) k : int [0,channels-1] appr[k]? globalStop? (b) gate() Figure 4: Model of the queue (a) and the gate controller (b) are encoding a queue. In the original model the queue was encoded explicitly in the C-like language of UPPAAL but as this does not allow dynamic allocation of memory we resorted to using templates. Initially the only instances in the system are the gate and train spawner.. Experiments Fig. 5 shows the number of trains in each of their possible location. This plot was obtained by running the UPPAAL SMC query: simulate 1 [<=300] {sum (t:train)(t.Stopped),sum (t:train)(t.Safe)...} We see in the run that only one train is on the bridge at a time (i.e. in the location Cross). We also see that the trains are spawned at the beginning of the run, resulting in a high number of trains being stopped. At some point,approximately about 40 time units into the run, all the trains have been spawned and the number of stopped trains decreases, as the trains are moved one by one to the crossing. sum (t : train )( t.Cross) sum (t : train )( t.start) sum (t : train )( t.Stopped) sum (t : train )( t.Appr) sum (t : train )( t.Safe) time v a lu e 0 3 6 9 12 15 18 0 40 80 120 160 200 240 280 320 Figure 5: The number of trains in each location. The number of trains in this run is 20 and the trains stoppers time to decide (tdecide) is 0 Proc. AVoCS 2013 12 / 15 ECEASST In the model h trains are spawned by the the template in Fig. 3(b) with some delay in be- tween. The gate is supposed to ensure only one train crosses the bridge at a time, and in h tdecide Probability 20 10 [0.000; 0.097] 20 12 [0.091; 0.191] 20 15 [0.393; 0.494] 40 10 [0.000; 0.0974] 40 12 [0.156; 0.255] 40 15 [0.701; 0.801] Table 2: Probability of collision within 110 time units with h trains and a decision time of tdecide order to do so it relies on the train stopper templates. The train stoppers need some time, tdecide, to decide if a train should be stopped or not. Using UPPAAL SMC we can find the probability that two trains are on the bridge simultaneously within 1100 time units through the query: Pr[<=X] (<> exists (t : train) (t.Cross && exists (p : train)(p.Cross && p!=t))) The delayed reaction from the train stoppers may, obvi- ously, result in the gate not being safe. The results in Table 2 suggests, however, that if the time the train stoppers need is less than the minimum time for the train to enter the bridge then the probability is low. 7 Experiments with the Monitoring of DMTL For experimenting with the MTL monitoring stated in Theorem 1 we have created an automaton that generate random runs over the propositions p,q and r. The automaton “flips” the truth assignment of p,q or r with a rate of 2 i.e. the delays between state changes is extracted from an exponential distribution with rate parameter 2. The advantage of “implementing” the rewrite technique as observers is that we can use the plotting feature of UPPAAL SMC to obtain plots of the number of active observers during a simulation. This can be done with a query in the style of Pr[<=10]{sum (b : T1) (1) +sum (b : T2) (1) ...}. We show such a plot in Fig. 6. Obtaining this plot with the optimised version in UPPAAL SMC is more difficult because you would have to explicitly gather information during the rewriting. In addition to obtain such plots, we can experiment with variations of time v a lu e 0 15 30 0 0,36 0,72 1,08 1,44 1,80 2,16 Figure 6: The number active observers dur- ing a verification of the formula ♦[0;1](p ∧ �[0; 1](¬r)∧♦[0;1](q)) the rewrite technique. It is well-known, that for run time verification it is not feasible to observe a system every time it changes state. Instead the system is observed at distinct time points. This can result in different verifica- tion results thus we are interested in knowing how the verification result differs when us- ing fewer observations. To exemplify this we have created three collections of observers for the formula ♦[0;1](p∧�[0; 1](¬r)∧♦[0;1](q)) and parallel composed them with the random 13 / 15 Volume 66 (2013) Statistical Model Checking of Dynamic Networks of Stochastic Hybrid Automata automata previously described: The first one, T 1 φ , observes every state change of the system. The second one T 2 φ observes the system at time points randomly selected - with the restriction that there should be one observation each time unit. The third, T 3 φ , is similar to the second, but the maximal time between observations is 2. Verifying the property with the different observer setups gives probability bounds [0.02,0.12] using T 1 φ and [0.03,0.13] for T 2 φ . For T 3 φ we obtain a probability bound [0.00,0.10]. These results are not surprising, but they exemplify the possibility of using UPPAAL SMC to make an analysis of a run validation technique. 8 Conclusion & Future Work We have presented a formalism that allows for dynamical instantiation of templates of hybrid automata. The formalism is given a natural stochastic semantics based on repeated output races. Also, we have extended MTL with the possibility of quantifying over components at the propo- sitional level. In particular, the engine of UPPAAL SMC has been extended to allow for statistical model checking of DMTL properties for dynamic networks of stochastic hybrid systems. Also we added additional visualisation option to UPPAAL SMC. Future extension involve extension to more advanced specification formalism in which we allow for nesting the quantifications over components. References [AD94] R. Alur, D. L. Dill. A Theory of Timed Automata. TCS 126(2):183–235, 1994. [BDL+12] P. E. Bulychev, A. David, K. G. Larsen, A. Legay, G. Li, D. B. Poulsen. Rewrite- Based Statistical Model Checking of WMTL. In RV. LNCS 7687, pp. 260–275. 2012. [BFH+01] G. Berhmann, A. Fehnker, T. Hune, K. G. Larsen, P. Pettersson, J. Romijn, F. Vaan- drager. Minimum-Cost Reachability for Priced Timed Automata. In Benedetto and Sangiovanni-Vincentelli (eds.), 4th HSCC. Pp. 147–161. March 2001. http://www.mrtc.mdh.se/index.php?choice=publications&id=2849 [BJMS12] M. Bozga, M. Jaber, N. Maris, J. Sifakis. Modeling Dynamic Architectures Using Dy-BIP. In SC. LNCS 7306, pp. 1–16. 2012. [Ca09] Cheng, all. Software Engineering for Self-Adaptive Systems: A Research Roadmap. In SESAS. LNCS 5525. 2009. [DLL+10] A. David, K. G. Larsen, A. Legay, U. Nyman, A. Wasowski. Timed I/O automata: a complete specification theory for real-time systems. In HSCC. Pp. 91–100. ACM, 2010. [DLL+11] A. David, K. G. Larsen, A. Legay, M. Mikucionis, Z. Wang. Time for Statistical Model Checking of Real-Time Systems. In CAV. LNCS 7687, pp. 349–355. 2011. Proc. AVoCS 2013 14 / 15 http://www.mrtc.mdh.se/index.php?choice=publications&id=2849 ECEASST [FHN+11] J. Fisher, T. A. Henzinger, D. Nickovic, N. Piterman, A. V. Singh, M. Y. Vardi. Dy- namic Reactive Modules. In CONCUR. LNCS 6901, pp. 404–418. Springer, 2011. [FL10] J. L. Fiadeiro, A. Lopes. A Model for Dynamic Reconfiguration in Service-Oriented Architectures. In ECSA. LNCS 6285, pp. 70–85. Springer, 2010. [HL94] K. Havelund, K. G. Larsen. The Fork Calculus. Nord. J. Comput. 1(3):346–363, 1994. [Hoa85] C. A. R. Hoare. Communicating Sequential Processes. Prentice-Hall, 1985. [HR98] T. A. Henzinger, V. Rusu. Reachability verification for hybrid automata. In HSCC. LNCS 1386, pp. 190–204. 1998. [Koy90] R. Koymans. Specifying Real-Time Properties with Metric Temporal Logic. Real- Time Systems 2(4):255–299, 1990. [LDB10] A. Legay, B. Delahaye, S. Bensalem. Statistical Model Checking: An Overview. In RV. LNCS 6418, pp. 122–135. Springer, 2010. [Mil80] R. Milner. A Calculus of Communicating Systems. LNCS 92. Springer, 1980. [MPW92a] R. Milner, J. Parrow, D. Walker. A Calculus of Mobile Processes, I. Inf. Comput. 100(1):1–40, 1992. [MPW92b] R. Milner, J. Parrow, D. Walker. A Calculus of Mobile Processes, II. Inf. Comput. 100(1):41–77, 1992. [Reu57] G. E. H. Reuter. Denumerable Markov Processes and the associated contracting semigroups onL. Acta Mathematica 97(1-4):1–46, 1957. [SS12] A. M. Sharifloo, P. Spoletini. LOVER: Light-Weight fOrmal Verification of adap- tivE Systems at Run Time. In FACS. LNCS 7684, pp. 170–187. 2012. [ST09] M. Sighireanu, T. Touili. Bounded Communication Reachability Analysis of Pro- cess Rewrite Systems with Ordered Parallelism. ENTCS 239:43–56, 2009. [SVA04] K. Sen, M. Viswanathan, G. Agha. Statistical Model Checking of Black-Box Prob- abilistic Systems. In CAV. LNCS 3114, pp. 202–215. 2004. [YS02] H. L. S. Younes, R. G. Simmons. Probabilistic Verification of Discrete Event Sys- tems Using Acceptance Sampling. In CAV. LNCS 2404, pp. 223–235. Springer, 2002. doi:10.1007/3-540-45657-0_17 15 / 15 Volume 66 (2013) http://dx.doi.org/10.1007/3-540-45657-0_17 Introduction Dynamic Networks of Hybrid Automata Stochastic Semantics for Dynamic Networks Dynamic Metric Interval Temporal Logic Dynamic Networks of Hybrid Automata in Uppaal Dynamic Train Gate Experiments with the Monitoring of DMTL Conclusion & Future Work