
    Verification of interlocking systems using statistical model checking

    In the railway domain, an interlocking is the system ensuring safe train traffic inside a station by controlling its active elements such as the signals or points. Modern interlockings are configured using particular data, called application data, reflecting the track layout and defining the actions that the interlocking can take. The safety of the train traffic therefore relies on the correctness of the application data; errors inside them can cause safety issues such as derailments or collisions. Given the high level of safety required by such a system, its verification is a critical concern. In addition to safety, an interlocking must also ensure that availability properties, stating that no train would be stopped forever in a station, are satisfied. Most of the research dealing with this verification relies on model checking. However, due to the state space explosion problem, this approach does not scale for large stations. More recently, a discrete event simulation approach limiting the verification to a set of likely scenarios was proposed. The simulation enables the verification of larger stations, but with no proof that all the interesting scenarios are covered by the simulation. In this paper, we apply an intermediate statistical model checking approach, offering both the advantages of model checking and simulation. Even if exhaustiveness is not obtained, statistical model checking evaluates with a parametrizable confidence the reliability and the availability of the entire system.
    Comment: 12 pages, 3 figures, 2 table

    Stochastic model checking for predicting component failures and service availability

    When a component fails in a critical communications service, how urgent is a repair? If we repair within 1 hour, 2 hours, or n hours, how does this affect the likelihood of service failure? Can a formal model support assessing the impact, prioritisation, and scheduling of repairs in the event of component failures, and forecasting of maintenance costs? These are some of the questions posed to us by a large organisation, and here we report on our experience of developing a stochastic framework based on a discrete space model and temporal logic to answer them. We define and explore both standard steady-state and transient temporal logic properties concerning the likelihood of service failure within certain time bounds and the forecasting of maintenance costs, and we introduce a new concept of envelopes of behaviour that quantify the effect of the status of lower level components on service availability. The resulting model is highly parameterised, and user interaction for experimentation is supported by a lightweight, web-based interface.

    Statistical Model Checking: An Overview

    Quantitative properties of stochastic systems are usually specified in logics that allow one to compare the measure of executions satisfying certain temporal properties with thresholds. The model checking problem for stochastic systems with respect to such logics is typically solved by a numerical approach that iteratively computes (or approximates) the exact measure of paths satisfying relevant subformulas; the algorithms themselves depend on the class of systems being analyzed as well as the logic used for specifying the properties. Another approach to solving the model checking problem is to simulate the system for finitely many runs, and use hypothesis testing to infer whether the samples provide statistical evidence for the satisfaction or violation of the specification. In this short paper, we survey the statistical approach, and outline its main advantages in terms of efficiency, uniformity, and simplicity.

    Abstractions of stochastic hybrid systems

    Many control systems have large, infinite state spaces that cannot be easily abstracted. One method to analyse and verify these systems is reachability analysis. It is frequently used for air traffic control and power plants. Because of a lack of complete information about the environment or unpredicted changes, the stochastic approach is a viable alternative. In this paper, different ways of introducing reachability under uncertainty are presented. A new concept of stochastic bisimulation is introduced and its connection with reachability analysis is established. The work is mainly motivated by safety critical situations in air traffic control (like collision detection and avoidance), and the formal tools are based on stochastic analysis.

    A Bayesian space-time model for discrete spread processes on a lattice

    Funding for this work was provided by GEOIDE through the Government of Canada's Networks of Centres of Excellence program.
    In this article we present a Bayesian Markov model for investigating environmental spread processes. We formulate a model where the spread of a disease over a heterogeneous landscape through time is represented as a probabilistic function of two processes: local diffusion and random-jump dispersal. This formulation represents two mechanisms of spread which result in highly peaked and long-tailed distributions of dispersal distances (i.e., local and long-distance spread), commonly observed in the spread of infectious diseases and biological invasions. We demonstrate the properties of this model using a simulation experiment and an empirical case study: the spread of mountain pine beetle in western Canada. Posterior predictive checking was used to validate the number of newly inhabited regions in each time period. The model performed well in the simulation study, in which a goodness-of-fit statistic measuring the number of newly inhabited regions in each time interval fell within the 95% posterior predictive credible interval in over 97% of simulations. The case study of a mountain pine beetle infestation in western Canada (1999-2009) extended the base model in two ways. First, spatial covariates thought to impact the local diffusion parameters, elevation and forest cover, were included in the model. Second, a refined definition for translocation or jump-dispersal based on mountain pine beetle ecology was incorporated, improving the fit of the model. Posterior predictive checks on the mountain pine beetle model found that the observed goodness-of-fit test statistic fell within the 95% posterior predictive credible interval for 8 out of 10 years.
    The simulation study and case study provide evidence that the model presented here is both robust and flexible, and is therefore appropriate for a wide range of spread processes in epidemiology and ecology.

    Recent advances in importance sampling for statistical model checking

    In the following work we present an overview of recent advances in rare event simulation for model checking made at the University of Twente. The overview is divided into the several model classes for which we propose algorithms, namely multicomponent systems, Markov chains and stochastic Petri nets, and probabilistic timed automata.