
    Quantitative Verification: Formal Guarantees for Timeliness, Reliability and Performance

    Computerised systems appear in almost all aspects of our daily lives, often in safety-critical scenarios such as embedded control systems in cars and aircraft or medical devices such as pacemakers and sensors. We are thus increasingly reliant on these systems working correctly, despite often operating in unpredictable or unreliable environments. Designers of such devices need ways to guarantee that they will operate in a reliable and efficient manner. Quantitative verification is a technique for analysing quantitative aspects of a system's design, such as timeliness, reliability or performance. It applies formal methods, based on a rigorous analysis of a mathematical model of the system, to automatically prove certain precisely specified properties, e.g. "the airbag will always deploy within 20 milliseconds after a crash" or "the probability of both sensors failing simultaneously is less than 0.001". The ability to formally guarantee quantitative properties of this kind is beneficial across a wide range of application domains. For example, in safety-critical systems, it may be essential to establish credible bounds on the probability with which certain failures or combinations of failures can occur. In embedded control systems, it is often important to comply with strict constraints on timing or resources. More generally, being able to derive guarantees on precisely specified levels of performance or efficiency is a valuable tool in the design of, for example, wireless networking protocols, robotic systems or power management algorithms, to name but a few. This report gives a short introduction to quantitative verification, focusing in particular on a widely used technique called model checking, and its generalisation to the analysis of quantitative aspects of a system such as timing, probabilistic behaviour or resource usage. The intended audience is industrial designers and developers of systems such as those highlighted above who could benefit from the application of quantitative verification, but lack expertise in formal verification or modelling.

    A Modeling and Analysis Framework To Support Monitoring, Assessment, and Control of Manufacturing Systems Using Hybrid Models

    The manufacturing industry has constantly been challenged to improve productivity, adapt to continuous changes in demand, and reduce cost. The need for a competitive advantage has motivated research for new modeling and control strategies able to support reconfiguration considering the coupling between different aspects of plant floor operations. However, models of manufacturing systems usually capture the process flow and machine capabilities while neglecting the machine dynamics. The disjoint analysis of system-level interactions and machine-level dynamics limits the effectiveness of performance assessment and control strategies. This dissertation addresses the enhancement of productivity and adaptability of manufacturing systems by monitoring and controlling both the behavior of independent machines and their interactions. A novel control framework is introduced to support performance monitoring and decision making using real-time simulation, anomaly detection, and multi-objective optimization. The intellectual merit of this dissertation lies in (1) the development of a mathematical framework to create hybrid models of both machines and systems capable of running in real time, (2) the algorithms to improve anomaly detection and diagnosis using context-sensitive adaptive threshold limits combined with context-specific classification models, and (3) the construction of a simulation-based optimization strategy to support decision making considering the inherent trade-offs between productivity, quality, reliability, and energy usage. The result is a framework that transforms the state of the art of manufacturing by enabling real-time performance monitoring, assessment, and control of plant floor operations. The control strategy aims to improve the productivity and sustainability of manufacturing systems using multi-objective optimization. The outcomes of this dissertation were implemented in an experimental testbed. Results demonstrate the potential to support maintenance actions, productivity analysis, and decision making in manufacturing systems. Furthermore, the proposed framework lays the foundation for a seamless integration of real systems and virtual models. The broader impact of this dissertation is the advancement of manufacturing science that is crucial to support economic growth. The implementation of the framework proposed in this dissertation can result in higher productivity, lower downtime, and energy savings. Although the project focuses on discrete manufacturing with a flow shop configuration, the control framework, modeling strategy, and optimization approach can be translated to job shop configurations or batch processes. Moreover, the algorithms and infrastructure implemented in the testbed at the University of Michigan can be integrated into automation and control products for wide availability.
    PhD, Mechanical Engineering, University of Michigan, Horace H. Rackham School of Graduate Studies. https://deepblue.lib.umich.edu/bitstream/2027.42/147657/1/migsae_1.pd

    Exploring anomalies in time


    A pragmatic method for integrated modeling of security attacks and countermeasures

    In recent years, research efforts in cyber security have steadily increased as a result of growing concerns about cyber attacks and the increasing trend in cyber attack incidents. One of the areas of research that is gaining importance is the modeling of attacks and countermeasures to quantify survivability and other security measures of interest. In this context, on one extreme, the attack tree model has received attention due to its simplicity and ease of analysis, and on the other extreme, stochastic models have been advocated. While the attack tree model does not capture complex dependencies among events and is not amenable to modeling the dynamic nature of attacks and countermeasures, the fitness of stochastic models is yet to be established, as there is not sufficient evidence to show that attack and defense behaviors follow known distributions. With this motivation, a new attack modeling approach based on Petri nets, called PENET, is developed in this thesis, whose goal is to significantly enhance the modeling power of attack trees. PENET introduces relevant concepts such as the dynamic nature of attacks, the repairability of a system, and the existence of recurring attacks. Moreover, it attempts to find a balance between ease of use and representation power by providing a set of constructs, parameters, performance metrics, and time domain analysis of attack progress. Time domain analysis produces valuable output such as the time to reach the main goal and the path taken by the attacker. This output helps to evaluate system survivability and defense strategies. The approach is implemented as a software tool, called PENET Tool, which lets users draw model diagrams of a given system through an intuitive user interface, perform time domain simulations, carry out security evaluations, and explore interactive ways to improve the survivability of the system.

    IMPROVE - Innovative Modelling Approaches for Production Systems to Raise Validatable Efficiency

    This open access work presents selected results from the European research and innovation project IMPROVE, which yielded novel data-based solutions to enhance machine reliability and efficiency in the fields of simulation and optimization, condition monitoring, alarm management, and quality prediction.

    Probabilistic verification of satellite systems for mission critical applications

    In this thesis, we present a quantitative approach using probabilistic verification techniques for the analysis of reliability, availability, maintainability, and safety (RAMS) properties of satellite systems. The subject of our research is satellites used in mission critical industrial applications. A strong case for using probabilistic model checking to support RAMS analysis of satellite systems is made by our verification results. This study is intended to build a foundation to help reliability engineers with a basic background in model checking to apply probabilistic model checking to small satellite systems. We make two major contributions. One of these is the approach of RAMS analysis to satellite systems. In the past, RAMS analysis has been extensively applied to the field of electrical and electronics engineering. It allows system designers and reliability engineers to predict the likelihood of failures from the indication of historical or current operational data. There is a high potential for the application of RAMS analysis in the field of space science and engineering. However, there is a lack of standardisation and suitable procedures for the correct study of RAMS characteristics for satellite systems. This thesis considers the promising application of RAMS analysis to the case of satellite design, use, and maintenance, focusing on its system segments. Data collection and verification procedures are discussed, and a number of considerations are also presented on how to predict the probability of failure. Our second contribution is leveraging the power of probabilistic model checking to analyse satellite systems. We present techniques for analysing satellite systems that differ from the more common quantitative approaches based on traditional simulation and testing. These techniques have not been applied in this context before. We present the use of probabilistic techniques via a suite of detailed examples, together with their analysis. Our presentation is done in an incremental manner: in terms of complexity of application domains and system models, and a detailed PRISM model of each scenario. We also provide results from practical work together with a discussion about future improvements.

    Survivability modeling for cyber-physical systems subject to data corruption

    Cyber-physical critical infrastructures are created when traditional physical infrastructure is supplemented with advanced monitoring, control, computing, and communication capability. More intelligent decision support and improved efficacy, dependability, and security are expected. Quantitative models and evaluation methods are required for determining the extent to which a cyber-physical infrastructure improves on its physical predecessors. It is essential that these models reflect both cyber and physical aspects of operation and failure. In this dissertation, we propose quantitative models for dependability attributes, in particular survivability, of cyber-physical systems. Any malfunction or security breach, whether cyber or physical, that causes the system operation to depart from specifications will affect these dependability attributes. Our focus is on data corruption, which compromises decision support, the fundamental role played by cyber infrastructure. The first research contribution of this work is a Petri net model for information exchange in cyber-physical systems, which i) facilitates evaluation of the extent of data corruption at a given time, and ii) illuminates the service degradation caused by propagation of corrupt data through the cyber infrastructure. In the second research contribution, we propose metrics and an evaluation method for survivability, which captures the extent of functionality retained by a system after a disruptive event. We illustrate the application of our methods through case studies on smart grids, intelligent water distribution networks, and intelligent transportation systems. Data, cyber infrastructure, and intelligent control are part and parcel of nearly every critical infrastructure that underpins daily life in developed countries. Our work provides means for quantifying and predicting the service degradation caused when cyber infrastructure fails to serve its intended purpose. It can also serve as the foundation for efforts to fortify critical systems and mitigate inevitable failures. (Abstract, page iii)

    Context-aware Plan Repair in Environments shared by Multiple Agents

    Execution monitoring is crucial for the success of an autonomous agent executing a plan in a dynamic environment, as it influences its ability to react to changes. While executing its plan in a dynamic world, it may suffer a failure and, in its endeavour to fix the problem, it may unknowingly disrupt other agents operating in the same environment. Additionally, being rational requires the agent to be context-aware, gather information and extend what is known from what is perceived to compensate for partial or incorrect prior knowledge and achieve the best possible outcome in various novel situations. The work carried out in this PhD thesis allows autonomous agents executing a plan in a dynamic environment to adapt to unexpected events and unfamiliar circumstances, utilise their perception of context and provide context-aware deliberative responses for seizing an opportunity or repairing a failure without disrupting other agents. This work is focused on developing a domain-independent architecture capable of handling the requirements of such autonomous behaviour. The architecture pillars are the intelligent system for execution simulation in a dynamic environment, the context-aware knowledge acquisition for planning applications and the plan commitment repair. The intelligent system for execution simulation in a dynamic environment allows the agent to transform the plan into a timeline, periodically update its internal state with real-world information and create timed events. Events are processed in the context of the plan; if a failure occurs, the simulator reformulates the planning problem, reinvokes a planner and resumes the execution. The simulator is a console application and has a GUI designed specifically for smart tourism. The context-aware knowledge acquisition module utilises semantic operations to dynamically augment the predefined list of object types of the planning task with relevant new object types. This allows the agent to be context-aware of the environment and the task and reason with incomplete knowledge, boosting the system's autonomy and context-awareness. The novel plan commitment repair strategy among multiple agents sharing the same execution environment allows the agent to repair its plan responsibly when a failure is detected. The agent utilises a new metric, plan commitment, as a heuristic to guide the search for the repair plan most committed to the original plan from the perspective of commitments made to other agents whilst achieving the original goals. Consequently, the community of agents will suffer fewer failures due to sudden changes or will lose less time if the failure is inevitable. All these developed modules were investigated and evaluated in several applications, such as a tourist assistant, a kitchen appliance repair agency and a living home assistant.
    Babli, M. (2023). Context-aware Plan Repair in Environments shared by Multiple Agents [Tesis doctoral]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/19868

    Structural health monitoring of civil infrastructure

    Structural health monitoring (SHM) is a term increasingly used in the last decade to describe a range of systems implemented on full-scale civil infrastructures whose purposes are to assist and inform operators about the continued 'fitness for purpose' of structures under gradual or sudden changes to their state, and to learn about either or both of the load and response mechanisms. Arguably, various forms of SHM have been employed in civil infrastructure for at least half a century, but it is only in the last decade or two that computer-based systems have been designed for the purpose of assisting owners/operators of ageing infrastructure with timely information for their continued safe and economic operation. This paper describes the motivations for and recent history of SHM applications to various forms of civil infrastructure and provides case studies on specific types of structure. It ends with a discussion of the present state of the art and future developments in terms of instrumentation, data acquisition, communication systems and data mining and presentation procedures for diagnosis of infrastructural 'health'.

    Behavioural Preorders on Stochastic Systems - Logical, Topological, and Computational Aspects

    Computer systems can be found everywhere: in space, in our homes, in our cars, in our pockets, and sometimes even in our own bodies. For concerns of safety, economy, and convenience, it is important that such systems work correctly. However, it is a notoriously difficult task to ensure that the software running on computers behaves correctly. One approach to ease this task is that of model checking, where a model of the system is made using some mathematical formalism. Requirements expressed in a formal language can then be verified against the model in order to give guarantees that the model satisfies the requirements. For many computer systems, time is an important factor. As such, we need our formalisms and requirement languages to be able to incorporate real time. We therefore develop formalisms and algorithms that allow us to compare and express properties about real-time systems. We first introduce a logical formalism for reasoning about upper and lower bounds on time, and study the properties of this formalism, including axiomatisation and algorithms for checking when a formula is satisfied. We then consider the question of when a system is faster than another system. We show that this is a difficult question which cannot be answered in general, but we identify special cases where this question can be answered. We also show that under this notion of faster-than, a local increase in speed may lead to a global decrease in speed, and we take a step towards avoiding this. Finally, we consider how to compare the real-time behaviour of systems not just qualitatively, but also quantitatively. Thus, we are interested in knowing how much one system is faster or slower than another system. This is done by introducing a distance between systems. We show how to compute this distance and that it behaves well with respect to certain properties.
    Comment: PhD dissertation from Aalborg Universit