Statistical Model Checking for Distributed Probabilistic-Control - - PowerPoint PPT Presentation

Statistical Model Checking for Distributed Probabilistic-Control Hybrid Automata with Smart Grid Applications

Jo˜ ao Martins1,2 Andr´ e Platzer1 Jo˜ ao Leite2

1Computer Science Department,

Carnegie Mellon University, Pittsburgh PA

2CENTRIA and Departamento de Inform´

atica, FCT, Universidade Nova de Lisboa

13th International Conference on Formal Engineering Methods

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 1 / 51

Introduction

Summary

1 Introduction

The Power Grid The Smart Grid Model for the Smart Grid

2 Model

Discrete-Time Hybrid Automata Distributed Probabilistic-Control Hybrid Automata

3 Verification

Specifying properties Statistical Model Checking

4 Case Study: network properties 5 Conclusions

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 2 / 51

Introduction The Power Grid

The Grid is a hierarchical “graph” with sources and sinks

Image from the TCIPG Education applet

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 3 / 51

Introduction The Power Grid

Power consumption follows well-known patterns

Image from The Impact of Daylight Savings Time on Electricity Consumption in Indiana, J. Basconi, J. Kantor

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 4 / 51

Introduction The Smart Grid

Smart Meters + Smart Appliances The Grid predicts load, becomes more stable, cost-effective, energy-efficient, secure, resilient

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 5 / 51

Introduction The Smart Grid

Even today, utilities deploy networks that transmit several thousands of bits... per day.

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 6 / 51

Introduction The Smart Grid

Even today, utilities deploy networks that transmit several thousands of bits... per day. Is reliability the most significant factor for the Grid? How about bandwidth? RTT?

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 6 / 51

Introduction The Smart Grid

Even today, utilities deploy networks that transmit several thousands of bits... per day. Is reliability the most significant factor for the Grid? How about bandwidth? RTT? Deployment and testing of technologies is extremely expensive.

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 6 / 51

Introduction The Smart Grid

Answer: formal verification

Test, evaluate and tweak technologies - then deploy.

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 7 / 51

Introduction Model for the Smart Grid

Model

What are the properties of the Smart Grid? It’s a cyber-physical system It’s a distributed system It is a stochastic system

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 8 / 51

Introduction Model for the Smart Grid

Model

What are the properties of the Smart Grid? It’s a cyber-physical system It’s a distributed system It is a stochastic system Plan:

1 Develop hybrid, distributed and probabilistic model 2 Develop logic for stating properties 3 Verify properties using existing statistical model-checking techniques

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 8 / 51

Model

Summary

1 Introduction

The Power Grid The Smart Grid Model for the Smart Grid

2 Model

Discrete-Time Hybrid Automata Distributed Probabilistic-Control Hybrid Automata

3 Verification

Specifying properties Statistical Model Checking

4 Case Study: network properties 5 Conclusions

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 9 / 51

Model Discrete-Time Hybrid Automata

DTHA [12]: Washing machine

Standby Fill up T ′

c = 1, w ′ = 1

T ′

c = 0.8, w ′ = 0.8

Flush T ′

c = 0, w ′ = −2

T ′

c = 0, w ′ = −2

w

• r

k i n g = 1 w

• r

k i n g = 1 working=0 w

• r

k i n g =

Tc is total water consumed, w is water currently in the machine

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 10 / 51

Model Discrete-Time Hybrid Automata

Washing machine

Standby Fill up T ′

c = 1, w ′ = 1

T ′

c = 0.8, w ′ = 0.8

Flush T ′

c = 0, w ′ = −2

T ′

c = 0, w ′ = −2

w

• r

k i n g = 1 w

• r

k i n g = 1 working=0 w

• r

k i n g =

Control graph Q, E

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 11 / 51

Model Discrete-Time Hybrid Automata

Washing machine

Standby Fill up T ′

c = 1, w ′ = 1

T ′

c = 0.8, w ′ = 0.8

Flush T ′

c = 0, w ′ = −2

T ′

c = 0, w ′ = −2

w

• r

k i n g = 1 w

• r

k i n g = 1 working=0 w

• r

k i n g =

Jump relation jumpe : Rn × Rn

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 12 / 51

Model Discrete-Time Hybrid Automata

Washing machine

Standby Fill up T ′

c = 1, w ′ = 1

T ′

c = 0.8, w ′ = 0.8

Flush T ′

c = 0, w ′ = −2

T ′

c = 0, w ′ = −2

w

• r

k i n g = 1 w

• r

k i n g = 1 working=0 w

• r

k i n g =

Flows ϕq : R≥0 × Rd → Rd

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 13 / 51

Model Discrete-Time Hybrid Automata

Washing machine: scheduler

• Standby

Fill up T ′

c = 1, w ′ = 1

T ′

c = 0.8, w ′ = 0.8

Flush T ′

c = 0, w ′ = −2

T ′

c = 0, w ′ = −2

working=1 working=2 working=0 w

• r

k i n g = w = 0 working = 0 w = 0 working = 2 w = 0 working = 1 working = 1 working = 2

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 14 / 51

Model Discrete-Time Hybrid Automata

Washing machine: scheduler

Standby Fill up T ′

c = 1, w ′ = 1

• T ′

c = 0.8, w ′ = 0.8

Flush T ′

c = 0, w ′ = −2

T ′

c = 0, w ′ = −2

w

• r

k i n g = 1 working=2 working=0 w

• r

k i n g = w = 0 working = 0 w = 0 working = 2 w = 0 working = 1 working = 1 working = 2

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 15 / 51

Model Discrete-Time Hybrid Automata

Washing machine: scheduler

Standby Fill up T ′

c = 1, w ′ = 1

• T ′

c = 0.8, w ′ = 0.8

Flush T ′

c = 0, w ′ = −2

T ′

c = 0, w ′ = −2

w

• r

k i n g = 1 working=2 working=0 w

• r

k i n g = w = 0 working = 0 w = 0 working = 2 w = 1.6 working = 2 w = 0 working = 1 working = 1 working = 2 t = 2

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 16 / 51

Model Discrete-Time Hybrid Automata

Washing machine: probabilistic scheduler

• Standby

Fill up T ′

c = 1, w ′ = 1

T ′

c = 0.8, w ′ = 0.8

Flush T ′

c = 0, w ′ = −2

T ′

c = 0, w ′ = −2

working=1 working=2 working = 0 w

• r

k i n g = w = 0 working = 0 w = 0 working = 2 w = 0 working = 1 p = 0.5 p = 0.3

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 17 / 51

Model Distributed Probabilistic-Control Hybrid Automata

Multiple washing machines?

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 18 / 51

Model Distributed Probabilistic-Control Hybrid Automata

Multiple washing machines?

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 18 / 51

Model Distributed Probabilistic-Control Hybrid Automata

What if they leave?

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 18 / 51

Model Distributed Probabilistic-Control Hybrid Automata

What if they leave?

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 18 / 51

Model Distributed Probabilistic-Control Hybrid Automata

Actions

Washing machines behave like Petri Net markings.

jmp new[N] die

jumpe create new entity makes entity disappear given by N

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 19 / 51

Model Distributed Probabilistic-Control Hybrid Automata

Actions

They can also communicate asynchronously.

recv[l][R] snd[l][T]

Channel l, reacts with R Channel l, message content T

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 20 / 51

Model Distributed Probabilistic-Control Hybrid Automata

Example: apartment laundry

Washing machines first initialise, then wait for authorisation to start working

·· Normal(5, ǫc) init Normal(δ, ǫc) standby · recv[cauth][auth] working=1 working=0 snd[cterm][term] die

They announce when they finish, and exit the system.

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 21 / 51

Model Distributed Probabilistic-Control Hybrid Automata

Example: apartment laundry

The central unit keeps track of working machines, and starts and enables them

Normal(mean(t), stdev(t))

· new[wm] snd[cauth][account] recv[cterm][updterm]

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 22 / 51

Verification

Summary

1 Introduction

The Power Grid The Smart Grid Model for the Smart Grid

2 Model

Discrete-Time Hybrid Automata Distributed Probabilistic-Control Hybrid Automata

3 Verification

Specifying properties Statistical Model Checking

4 Case Study: network properties 5 Conclusions

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 23 / 51

Verification Specifying properties

Bounded LTL cannot deal with changing number of variables. Definition (Syntax of QBLTL) Formulae of QBLTL are given by the following grammar, with ∗ ∈ {+, −, ÷, ×,ˆ} and ∼ ∈ {≤, ≥, =}: θ ::= c | θ1 ∗ θ2 | πi(e) | ∃ (e) | ag[e](θ), with i ∈ N, c ∈ Q φ ::= ∃ (e) | θ1 ∼ θ2 | φ1 ∨ φ2 | ¬φ1 | φ1 Utφ2 | ∃e.φ1

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 24 / 51

Verification Specifying properties

Bounded LTL cannot deal with changing number of variables. Definition (Syntax of QBLTL) Formulae of QBLTL are given by the following grammar, with ∗ ∈ {+, −, ÷, ×,ˆ} and ∼ ∈ {≤, ≥, =}: θ ::= c | θ1 ∗ θ2 | πi(e) | ∃ (e) | ag[e](θ), with i ∈ N, c ∈ Q φ ::= ∃ (e) | θ1 ∼ θ2 | φ1 ∨ φ2 | ¬φ1 | φ1 Utφ2 | ∃e.φ1

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 25 / 51

Verification Specifying properties

Bounded LTL cannot deal with changing number of variables. Definition (Syntax of QBLTL) Formulae of QBLTL are given by the following grammar, with ∗ ∈ {+, −, ÷, ×,ˆ} and ∼ ∈ {≤, ≥, =}: θ ::= c | θ1 ∗ θ2 | πi(e) | ∃ (e) | ag[e](θ), with i ∈ N, c ∈ Q φ ::= ∃ (e) | θ1 ∼ θ2 | φ1 ∨ φ2 | ¬φ1 | φ1 Utφ2 | ∃e.φ1

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 26 / 51

Verification Specifying properties

Bounded LTL cannot deal with changing number of variables. Definition (Syntax of QBLTL) Formulae of QBLTL are given by the following grammar, with ∗ ∈ {+, −, ÷, ×,ˆ} and ∼ ∈ {≤, ≥, =}: θ ::= c | θ1 ∗ θ2 | πi(e) | ∃ (e) | ag[e](θ), with i ∈ N, c ∈ Q φ ::= ∃ (e) | θ1 ∼ θ2 | φ1 ∨ φ2 | ¬φ1 | φ1 Utφ2 | ∃e.φ1

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 27 / 51

Verification Specifying properties

Bounded LTL cannot deal with changing number of variables. Definition (Syntax of QBLTL) Formulae of QBLTL are given by the following grammar, with ∗ ∈ {+, −, ÷, ×,ˆ} and ∼ ∈ {≤, ≥, =}: θ ::= c | θ1 ∗ θ2 | πi(e) | ∃ (e) | ag[e](θ), with i ∈ N, c ∈ Q φ ::= ∃ (e) | θ1 ∼ θ2 | φ1 ∨ φ2 | ¬φ1 | φ1 Utφ2 | ∃e.φ1

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 28 / 51

Verification Specifying properties

Bounded LTL cannot deal with changing number of variables. Definition (Syntax of QBLTL) Formulae of QBLTL are given by the following grammar, with ∗ ∈ {+, −, ÷, ×,ˆ} and ∼ ∈ {≤, ≥, =}: θ ::= c | θ1 ∗ θ2 | πi(e) | ∃ (e) | ag[e](θ), with i ∈ N, c ∈ Q φ ::= ∃ (e) | θ1 ∼ θ2 | φ1 ∨ φ2 | ¬φ1 | φ1 Utφ2 | ∃e.φ1 Lemma QBLTL (like BLTL) has bounded simulation traces.

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 29 / 51

Verification Statistical Model Checking

Why Statistical Model Checking?

Estimates probabilities of properties holding (they will never hold always) Very efficient Model is very hard to analyse (dynamic, unbounded number of entities, asynchronous messages, etc) Plug’n’play, e.g. black-box model Successfully used in many applications (cf. Edmund Clarke’s work)

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 30 / 51

Verification Statistical Model Checking

Statistical Model Checking: Hypothesis Testing [12]

n = 0, s = 0 σ = sample from A n = n + 1 if (σ | = ϕ) s = s + 1 B = BayesFactor(n, s) return H0 : p ≥ θ return H1 : p < θ B > T B < 1

T

T > B > 1

T

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 31 / 51

Verification Statistical Model Checking

Statistical Model Checking

B = P(d|H0) P(d|H1) A large Bayes Factor B is evidence for H0 : p > θ. A small Bayes Factor B is evidence for H1 : p ≤ θ. Theorem (Error bounds for Hypothesis Testing [12]) For any discrete random variable and prior, the probability of a Type I-II error for the Bayesian hypothesis testing algorithm 2 is bounded above by

1 T , where T is the Bayes Factor threshold given as input.

A more sophisticated Interval Estimation Algorithm estimates p.

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 32 / 51

Case Study: network properties

Summary

1 Introduction

The Power Grid The Smart Grid Model for the Smart Grid

2 Model

Discrete-Time Hybrid Automata Distributed Probabilistic-Control Hybrid Automata

3 Verification

Specifying properties Statistical Model Checking

4 Case Study: network properties 5 Conclusions

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 33 / 51

Case Study: network properties

Even today, utilities deploy networks that transmit several thousands of bits per day (low bandwidth).

Can we evaluate the impact of network reliability?

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 34 / 51

Power Controller

• Normal(5, 1)

snd[go][Go] p = 0.4 recv[cf ][Ci] p = 0 recv[tg][Gi] p = 0 Consumer ····· Normal(5, 3) snd[cf ][Co] p = 0.5 Graveyard

• die

p = 1 snd[tgr][I] p = 0 Generator

• Normal(5, 3)

recv[rg][Rg] p = 0.8 snd[tg][Tg] p = 0.1 Consumer Controller

• Normal(5, 1)

new[N] p = 0.1 recv[tgr][Cd] p = 0.7

Power Controller

• Normal(5, 1)

snd[go][Go] p = 0.4 recv[cf ][Ci] p = 0 recv[tg][Gi] p = 0 Consumer ····· Normal(5, 3) snd[cf ][Co] p = 0.5 Graveyard

• die

p = 1 snd[tgr][I] p = 0 Generator

• Normal(5, 3)

recv[rg][Rg] p = 0.8 snd[tg][Tg] p = 0.1 Consumer Controller

• Normal(5, 1)

new[N] p = 0.1 recv[tgr][Cd] p = 0.7

Creates classes of consumers. Keeps track of them.

Power Controller

• Normal(5, 1)

snd[go][Go] p = 0.4 recv[cf ][Ci] p = 0 recv[tg][Gi] p = 0 Consumer ····· Normal(5, 3) snd[cf ][Co] p = 0.5 Graveyard

• die

p = 1 snd[tgr][I] p = 0 Generator

• Normal(5, 3)

recv[rg][Rg] p = 0.8 snd[tg][Tg] p = 0.1 Consumer Controller

• Normal(5, 1)

new[N] p = 0.1 recv[tgr][Cd] p = 0.7

Consumers feedback consumption. They announce death and exit.

Power Controller

• Normal(5, 1)

snd[go][Go] p = 0.4 recv[cf ][Ci] p = 0 recv[tg][Gi] p = 0 Consumer ····· Normal(5, 3) snd[cf ][Co] p = 0.5 Graveyard

• die

p = 1 snd[tgr][I] p = 0 Generator

• Normal(5, 3)

recv[rg][Rg] p = 0.8 snd[tg][Tg] p = 0.1 Consumer Controller

• Normal(5, 1)

new[N] p = 0.1 recv[tgr][Cd] p = 0.7

The generator receives control messages and sends output info.

Power Controller

• Normal(5, 1)

snd[go][Go] p = 0.4 recv[cf ][Ci] p = 0 recv[tg][Gi] p = 0 Consumer ····· Normal(5, 3) snd[cf ][Co] p = 0.5 Graveyard

• die

p = 1 snd[tgr][I] p = 0 Generator

• Normal(5, 3)

recv[rg][Rg] p = 0.8 snd[tg][Tg] p = 0.1 Consumer Controller

• Normal(5, 1)

new[N] p = 0.1 recv[tgr][Cd] p = 0.7

The power controller ties it all together.

Power Controller

• Normal(5, 1)

snd[go][Go] p = 0.4 recv[cf ][Ci] p = 0 recv[tg][Gi] p = 0 Consumer ····· Normal(5, 3) snd[cf ][Co] p = 0.5 Graveyard

• die

p = 1 snd[tgr][I] p = 0 Generator

• Normal(5, 3)

recv[rg][Rg] p = 0.8 snd[tg][Tg] p = 0.1 Consumer Controller

• Normal(5, 1)

new[N] p = 0.1 recv[tgr][Cd] p = 0.7

Messages get sent periodically.

Case Study: network properties

Smart Grid

Power consumption # Elems * 100 Estimated Consumption Actual energy output 1 2 3 4 5 6 7 8 9 1 0 1 1 1 2 1 3 1 4 1 5 1 6 1 7 1 8 1 9 2 0 2 1 2 2 2 3 2 4 2 5

Time (hours)

250 500 750 1,000 1,250 1,500 1,750 2,000

Electricity

Figure: Sample run from the modelled system.

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 41 / 51

Case Study: network properties

Properties

Property (1): the output of the generator is always within 400 units of energy of actual demand G1440|

• [e](Gen(e) · πoutput(e)) −
• [e](Cons(e) · πconsumption(e))| < 400

Property (2): the PC’s estimate of power consumption is not too far from the truth. G1440|

• [e](Gen(e) · πoutput(e))−

−

• [e](PC(e) · (π0(e) + ... + π19(e)))| < 250

We estimate that Property (1) is harder than (2).

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 42 / 51

Results: probability of satisfying properties

0 ¡ 0.2 ¡ 0.4 ¡ 0.6 ¡ 0.8 ¡ 1 ¡ 1.2 ¡ 1 ¡ 0.99 ¡ 0.98 ¡ 0.97 ¡ 0.95 ¡ 0.9 ¡

Es#mated ¡probability ¡of ¡property ¡holding ¡ Probability ¡of ¡message ¡delivery ¡

(1) ¡max ¡ (1) ¡min ¡ (2) ¡min ¡ (2) ¡max ¡

Results: number of traces required

0 ¡ 200 ¡ 400 ¡ 600 ¡ 800 ¡ 1000 ¡ 1200 ¡ 1400 ¡ 1600 ¡ 0.97 ¡ 0.93 ¡ 0.88 ¡ 0.84 ¡ 0.68 ¡ 0.18 ¡

# ¡of ¡total ¡samples ¡ Probability ¡of ¡property ¡holding ¡

Property ¡1 ¡ Property ¡2 ¡

Case Study: network properties

Case Study Conclusion

The algorithm is efficient (# of traces required) Reliability becomes a major concern only below a certain threshold Utilities can easily visualise the cost/benefit relation Once the model has been implemented, it can be tweaked and retested quickly

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 45 / 51

Conclusions

Summary

1 Introduction

The Power Grid The Smart Grid Model for the Smart Grid

2 Model

Discrete-Time Hybrid Automata Distributed Probabilistic-Control Hybrid Automata

3 Verification

Specifying properties Statistical Model Checking

4 Case Study: network properties 5 Conclusions

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 46 / 51

Conclusions

Contributions

Developed a formal model for distributed, probabilistic cyber-physical systems Extended BLTL to QBLTL Ensured SMC could be applied Implemented the above in a Java library Studied network reliability in a simplified Smart Grid model Quickly revealed important relations in a non-trivial system

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 47 / 51

Conclusions

Edmund M. Clarke, Alexandre Donz´ e, and Axel Legay. Statistical model checking of mixed-analog circuits with an application to a third order delta-sigma modulator. In Haifa Verification Conference, pages 149–163, 2008. Edmund M. Clarke, Alexandre Donz´ e, and Axel Legay. On simulation-based probabilistic model checking of mixed-analog circuits. Formal Methods in System Design, 36(2):97–113, 2010. Edmund M. Clarke, E. Allen Emerson, and A. Prasad Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Trans. Program. Lang. Syst., 8(2), 1986. Edmund M. Clarke, James R. Faeder, Christopher James Langmead, Leonard A. Harris, Sumit Kumar Jha, and Axel Legay. Statistical model checking in biolab: Applications to the automated analysis of t-cell receptor signaling pathway. In CMSB, pages 231–250, 2008. Sumit Kumar Jha, Edmund M. Clarke, Christopher James Langmead, Axel Legay, Andr´ e Platzer, and Paolo Zuliani. A bayesian approach to model checking biological systems. In CMSB, 2009.

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 48 / 51

Conclusions

Nancy A. Lynch. Input/Output automata: Basic, timed, hybrid, probabilistic, dynamic, ... In CONCUR, pages 187–188, 2003. Jos´ e Meseguer and Raman Sharykin. Specification and analysis of distributed object-based stochastic hybrid systems. In HSCC, 2006. Ying-Chih Wang, Anvesh Komuravelli, Paolo Zuliani, and Edmund M. Clarke. Analog circuit verification by statistical model checking. In ASP-DAC, pages 1–6, 2011.

• E. Yahav, T. Reps, and M. Sagiv.

LTL model checking for systems with unbounded number of dynamically created threads and objects. Technical Report TR-1424, Computer Sciences Department, University of Wisconsin, 2001. H˚ akan L. S. Younes, Edmund M. Clarke, and Paolo Zuliani. Statistical verification of probabilistic properties with unbounded until. In SBMF, 2010. H˚ akan L. S. Younes and Reid G. Simmons. Statistical probabilistic model checking with a focus on time-bounded properties.

• Inf. Comput., 204(9):1368–1409, 2006.
• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 49 / 51

Conclusions

Paolo Zuliani, Andr´ e Platzer, and Edmund M. Clarke. Bayesian statistical model checking with application to Simulink/Stateflow verification. In HSCC, pages 243–252, 2010.

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 50 / 51

Conclusions

Thank you, questions?

• J. Martins, A. Platzer, J. Leite (CMU, FCT/UNL)

Statistical Model Checking for DPCHA and the Smart Grid ICFEM’11 51 / 51