Input/Output Stochastic Automata with Urgency Confluence and - PowerPoint PPT Presentation

Input/Output Stochastic Automata with Urgency Confluence and Determinism Pedro R. D’Argenio 1 , 2 , Ra´ ul E. Monti 1 1 Universidad Nacional de C´ ordoba - CONICET - Argentina 2 Saarland University, Saarbr¨ ucken, Germany ICTAC 2018 - Stellenbosch

Table of Contents Introduction Motivation Introducing urgent actions Weak determinism Conclusion

Table of Contents Introduction Motivation Introducing urgent actions Weak determinism Conclusion

Introduction This talk involves the development of an Automata framework tailored to the formal analysis of Stochastic Systems: IOSA

Introduction Do we all know Automata? Do you allow me to skip Formal Analysis? Key point: we want to do discrete event simulation on IOSA, hence we need IOSA to be deterministic .

Table of Contents Introduction Motivation Introducing urgent actions Weak determinism Conclusion

Former Input/Output Stochastic Automata (S , A , C , � → , C 0 , s 0 ) ▸ S = states ▸ A = actions (A I ⊍A O ) ▸ C = clocks ▸ x ∈ C ↦ µ x ▸ � → ⊆ S × C × A × C × S { x } , a , { y , z } ▸ + some rules s 1 s 2 ▸ Compositional ▸ Deterministic

Parallel Composition → , C 0 , s 1 0 ∣∣ s 2 I 1 ∣∣ I 2 = ( S 1 × S 2 , A , C , � 0 ) ▸ A O = A O 1 ∪ A O 2 ▸ A I = (A I 1 ∪ A I 2 ) ∖ A O ▸ C = C 1 ∪ C 2 and C 0 = C 1 0 ∪ C 2 0 C , a , C ′ C , a , C ′ → 1 s ′ � � � → 2 s ′ s 1 � � � s 2 1 2 a ∈ A 1 ∖A 2 a ∈ A 2 ∖A 1 C , a , C ′ C , a , C ′ � � � → s ′ � � � → s 1 ∣∣ s ′ s 1 ∣∣ s 2 1 ∣∣ s 2 s 1 ∣∣ s 2 2 C 1 , a , C ′ C 2 , a , C ′ � � � � → 1 s ′ � � � � → 2 s ′ 1 2 s 1 s 2 1 2 a ∈ A 1 ∩A 2 C 1 ∪ C 2 , a , C ′ 1 ∪ C ′ � � � � � � � � → s ′ 2 1 ∣∣ s ′ s 1 ∣∣ s 2 2

A Fault Tree modeling example s 4 {} , f 2? , {} {} , f 1? , {} s 2 s 3 AND {} , f 1? , {} {} , f 2? , {} s 1 s 6 s 8 { x } , f 1! , {} { y } , f 2! , {} s 5 s 7

A Fault Tree modeling example s 4 {} , f 2? , {} {} , f 1? , {} s 1 ∣∣ s 5 ∣∣ s 7 s 2 s 3 AND { y } , f 2! , {} { x } , f 1! , {} {} , f 1? , {} {} , f 2? , {} s 2 ∣∣ s 6 ∣∣ s 7 ∣∣ s 3 ∣∣ s 5 ∣∣ s 8 s 1 { x } , f 1! , {} { y } , f 2! , {} s 1 ∣∣ s 5 ∣∣ s 7 s 6 s 8 { x } , f 1! , {} { y } , f 2! , {} Deterministic closed IOSA s 5 s 7

Composition problem s 12 s 6 { x } , f 1! , {} {} , ? , {} OR {} , f 3? , {} s 5 s 11 s 8 { y } , f 2! , {} s 4 s 7 {} , f 2? , {} {} , f 1? , {} s 10 s 2 s 3 AND { z } , f 3! , {} {} , f 1? , {} {} , f 2? , {} s 9 s 1

Composition problem Synchronization ⇒ delay s 12 s 6 { x } , f 1! , {} {} , f ? , {} {} , f 3? , {} OR s 5 s 11 s 8 { y } , f 2! , {} { w } ,f!, {} s 4 s 7 {} , f 2? , {} {} , f 1? , {} s 10 s 2 s 3 AND { z } , f 3! , {} {} , f 2? , {} {} , f 1? , {} s 9 s 1

Composition problem Poor use of composition s 6 s 4 { x } , f 1! , {} s 5 {} , f 2? , {} {} , f 1? , {} {} , f 3? , {} s 8 s 2 s 3 { y } , f 2! , {} {} , f 2? , {} s 7 {} , f 1? , {} s 1 s 10 Monolithic AND/OR { z } , f 3! , {} s 9

Table of Contents Introduction Motivation Introducing urgent actions Weak determinism Conclusion

Input/Output Stochastic Automata with urgent actions (S , A , C , � → , C 0 , s 0 ) ▸ S = states ▸ A = actions (A I ⊍ A O ) and A u ⊆ A are urgent. ▸ C = clocks ▸ x ∈ C ↦ µ x {} , a !! , { y , z } s 1 s 2 ▸ � → ⊆ S × C × A × C × S ▸ Compositional

Urgent IOSA are non-det. even for closed models Urgent IOSA Former IOSA s 1 s 1 { x } , a ! , {} { y } , b ! , {} {} , a !! , {} {} , b !! , {} s 2 s 3 s 2 s 3

Spurious non-determinism? s 0 ∅ , a !! , { x } ∅ , b !! , { y } s 1 s 2 ∅ , b !! , { y } ∅ , a !! , { x } s 3 { x } , c ! , ∅ { y } , d ! , ∅ s 4 s 5 I confluent ⇒ I weak deterministic .

Confluence (from Milner) a and b urgent actions: ∅ , a , C 1 ∀ s 1 s ∅ , b , C 2 ∅ , b , C 2 ∅ , a , C 1 s 2 s 3 ∃ Proposition If I 1 and I 2 are confluent, I 1 ∣∣I 2 is also confluent.

Weak determinism Definition We say that a closed IOSA is weakly deterministic if (i) almost surely at most one discrete non-urgent transition is enabled at every time point, (ii) the election over enabled urgent transitions does not affect the non urgent-behavior of the model, and (iii) no non-urgent output and urgent output are enabled simultaneously.

Weak transition s 0 s 0 ∅ , a !! , { x } ∅ , b !! , { y } {} ,τ, { x , y } s 1 s 2 ∅ , b !! , { y } ∅ , a !! , { x } s 3 s 3 { x } , c ! , ∅ { y } , d ! , ∅ { x } , c ! , ∅ { y } , d ! , ∅ s 4 s 5 s 4 s 5

IOSA semantics Given an IOSA I = ( S , A , C , � → , C 0 , s 0 ) with C = { x 1 ,..., x N } , its semantics is defined by the NLMP P ( I ) = ( S , B ( S ) , { T a ∣ a ∈ L }) where ▸ S = ( S ∪ { init }) × R N , L = A ∪ R > 0 ∪ { init } , with init ∉ S ∪ A ∪ R > 0 ▸ T init ( init , ⃗ v ) = { δ s 0 × ∏ N i = 1 µ x i } , C , a , C ′ ▸ T a ( s , ⃗ v ) = { µ ⃗ C ′ , s ′ ∣ s � � � → s ′ , ⋀ x i ∈ C ⃗ v ( i ) ≤ 0 } , for all a ∈ A , v i = 1 µ x i with µ x i = µ x i if x i ∈ C ′ and C ′ , s ′ = δ s ′ × ∏ N where µ ⃗ v µ x i = δ ⃗ v ( i ) otherwise, and v ( i )− d } if there is no urgent b ∈ A o ∩ A u ▸ T d ( s , ⃗ v ) = { δ s × ∏ N i = 1 δ ⃗ , b , � � → for which s and { x i } , a , C ′ 0 < d ≤ min {⃗ v ( i ) ∣ ∃ a ∈ A o , C ′ ⊆ C , s ′ ∈ S ∶ s � � � � � → s ′ } , and T d ( s , ⃗ v ) = ∅ otherwise, for all d ∈ R ≥ 0 .

Discrete vs Continuous Confluence s 0 τ τ s 1 s 2 τ τ s 3

Discrete vs Continuous Confluence s 0 τ τ s 1 s 2 τ τ s 3

Discrete vs Continuous Confluence s 0 τ τ s 1 s 2 τ τ s 3 µ

Table of Contents Introduction Motivation Introducing urgent actions Weak determinism Conclusion

Weak Transition Definition C � ⇒ n µ inductively by the following rules: We define ( s , ⃗ v ) ∅ ,τ, C � � � → s ′ st ( s ′ ) s (T1) C � ⇒ 1 µ ⃗ v ( s , ⃗ v ) C , s ′ v ′ ∈ R N ∶ ∃ C ′′ ,µ ′ ∶ ( s ′ , ⃗ ∅ ,τ, C ′ C ′′ � � � → s ′ ∀ ⃗ � ⇒ n µ ′ v ′ ) s (T2) C ′ ∪ C ′′ � � � ⇒ n + 1 ˆ ( s , ⃗ v ) µ Where µ ⃗ v C , s is defined as in IOSA semantics and C ′′ µ = ∫ S× R N f C ′′ � ⇒ n ν , and d µ ⃗ C ′ , s ′ , with f C ′′ v ˆ ( t , ⃗ w ) = ν , if ( t , ⃗ w ) n n f C ′′ v ) � ⇒ µ ( t , ⃗ w ) = 0 otherwise. We define the weak transition ( s , ⃗ n C � ⇒ n µ for some n ≥ 1 and C ⊆ C . if ( s , ⃗ v )

Weak determinism Definition A closed IOSA I is weakly deterministic if � ⇒ is well defined in I and, in P ( I ) , any state ( s , v ) ∈ S that satisfies one of the following conditions is almost never reached from any ( init , v 0 ) ∈ S : (a) s is stable and ∪ a ∈ A ∪{ init } T a ( s , v ) contains at least two different probability measures, ⇒ µ ′ and µ ≠ µ ′ , or (b) s is not stable, ( s , v ) � ⇒ µ , ( s , v ) � → µ for some a ∈ A o ∖ A u . a (c) s is not stable and ( s , v ) � Theorem Every closed confluent IOSA is weakly deterministic.

Table of Contents Introduction Motivation Introducing urgent actions Weak determinism Conclusion

Conclusion and Bonus ▸ IOSA allows to compositionally model general distributed stochastic systems. It behaves deterministically under confluence conditions, hence it is amenable to discrete event simulation. ▸ Non confluent components may yield a confluent closed IOSA. Sufficient conditions for weak determinism. ▸ We achieved a deterministic general distributed model of Repairable Fault Trees. We do rare event simulation with the FIG tool.

Conclusion and Bonus ▸ We achieved a deterministic general distributed model of Repairable Fault Trees. We do rare event simulation with the FIG tool.