Quantitative evaluation of concurrent systems with non-markovian temporal parameters

Transcription

1 Quantitative evaluation of concurrent systems with non-markovian temporal parameters Enrico Vicario Lab. of Software and Data Science Dept. of Information Engineering, University of Florence, Italy int. symp. on Dependable Computing and the Internet of Things - DCIT 15 Wuhan, Popular Republic of China November 17, 2015 this is about models and stochastic processes,... and non-markovian Processes a method for numerical solution of Markov Regenerative models... with some potential for Dependable Computing and the Internet of Things 1 / 53

2 Outline 1 non-markovian stochastic models and processes stochastic models stochastic processes on the Markov condition classes of non-markovian stochastic processes 2 transient stochastic tree transient analysis the Oris tool - O 2 version 3 probabilistic model checking for Markovian models measure the probability of sets of runs through stochastic classes example: Fischer mutual exclusion protocol 4 2 / 53

3 stochastic models stochastic processes on the Markov condition classes of non-markovian stochastic processes non-markovian stochastic models and processes some common ground on models, stochastic processes, the Markov condition,... and non-markovian stochastic processes 3 / 53

4 a model with concurrent stochastic durations stochastic models stochastic processes on the Markov condition classes of non-markovian stochastic processes a cycle of two step failure, detection delay, repair and restart as new stochastic Time Petri Nets (stpn): a class of SPNs with generally distributed durations places encode state conditions, true if at least one token transitions encode events, enabled if all input conditions are true delay from enabling to firing is a random variable at firing, move tokens from input to output places and sample a time to fire for each newly enabled transition 4 / 53

5 a model with concurrent stochastic durations stochastic models stochastic processes on the Markov condition classes of non-markovian stochastic processes compose with periodic rejuvenation to increase reliability 1 1 tweaked from: S.Garg, A.Puliafito, M.Telek, K.S.Trivedi, "Analysis of software rejuvenation using Markov regenerative stochastic Petri net," Software Reliability Engineering, / 53

6 stochastic models stochastic processes on the Markov condition classes of non-markovian stochastic processes quantitative models open the way to quantitative evaluation rejuvenation reduces the probability of functional failures, but it may also reduce availability quantitative evaluation is made on some underlying stochastic process 6 / 53

7 underlying stochastic process(es) of a model stochastic models stochastic processes on the Markov condition classes of non-markovian stochastic processes a model identifies a probability space (Ω, F, P) an outcome ω Ω is a run of the model an event in the σ-algebra F is a set of runs the measure of probability P : F [0, 1] is induced by stochastic parameters and by the initial condition a model identifies multiple underlying stochastic processes M: "a" collection of random variables on (Ω, F, P) M = {m(t), t T } m : Ω M continuous time process: T is a continuous set (e.g. time) discrete state space process: M is a discrete set (e.g. markings) Ok,Rej Err,Rej Detected,Clock Ko,Clock Err,Clock Ok,Clock m(t) t 7 / 53

8 stochastic models stochastic processes on the Markov condition classes of non-markovian stochastic processes duration distributions matter - all EXP with DET clock the measure of probability in the probability space of the model depends on support and distribution of durational parameters change durations to EXP (with same mean), keeping the DET clock: (on the meaning of steady state and mixing time in a stochastic process) 8 / 53

9 stochastic models stochastic processes on the Markov condition classes of non-markovian stochastic processes duration distributions matter - all EXP with Erl(5) clock if also the DET clock is changed into a sequence of 5 EXP (Erlang with the same expected value), ripples are completely lost 9 / 53

10 stochastic models stochastic processes on the Markov condition classes of non-markovian stochastic processes about the state of a model and the state of a process in the operational semantics of a model, the state is any abstraction sufficient to get rid of the past history in a stochastic process, the state is the value of "a" random variable can be defined quite arbitrarily and may be not sufficient to be a model state the Markov condition: the process state is also a model state a special underlying stochastic process of an stpn marking process := M = {m(t), t R 0 } m(t) := marking at time t observes only the marking, which not always makes a model state with only EXP or IMM transitions, the (full) marking is also a model state (memoryless property of EXP) with GEN transitions, the model state depends also on remaining times 10 / 53

11 the Markov condition stochastic models stochastic processes on the Markov condition classes of non-markovian stochastic processes Prob{m(t 1 ) m(t 0 )} = Prob{m(t 1 ) m(t 0 ), m(t 1 ),...m(t N )} N, t 1 t 0 t 1... t N the most recent observation subsumes any previous conditioning the future behavior conditional to the current state is independent from the past history the Markov condition permits the formulation of a renewal argument: decompose a set of runs across a time point where the Markov condition is satisfied ( a kind of compositionality) 11 / 53

12 Underlying stochastic marking process stochastic models stochastic processes on the Markov condition classes of non-markovian stochastic processes the marking process M of an stpn may belong to different classes GSMP MRP SMP CTMC... depending on the type of distributions and on the conditions of concurrence among timed transitions 2 how GEN durations can continue or be restarted at the firing of transitions 2 GF.Ciardo, R.German, C.Lindemann, "A characterization of the stochastic process underlying a stochastic Petri net," IEEE TSE, / 53

13 Continuous Time Markov Chain (CTMC) stochastic models stochastic processes on the Markov condition classes of non-markovian stochastic processes if the model includes only IMM or EXP transitions, the marking process always satisfies the marking condition KO 1-p ready start lambda ready,on start lambda idle,on repair beta idle,off repair,ok beta 1:idle,on fail alpha repair beta 2:idle,off off fail alpha repair beta on OK p idle repair beta KO 1-p OK p ready,off fail alpha start lambda start,ko lambda(1-p) 3:ready,off repair,ok beta(p) start lambda the (right-continuous) marking process is a CTMC solution through efficient and mature techniques research frontier on symbolic encoding of the state space not in the scope of this talk 13 / 53

14 Memory and regeneration stochastic models stochastic processes on the Markov condition classes of non-markovian stochastic processes if the model includes GEN transitions, the marking is in general not a sufficient model state yet, at some points, the marking can be sufficient to characterize future behavior call these points regenerations S2 S1 S3 14 / 53

15 Semi-Markov Process (SMP) -1/2 stochastic models stochastic processes on the Markov condition classes of non-markovian stochastic processes if GEN transitions never persist through any firing the underlying stochastic process regenerates at every step (yet, memory is accumulated during sojourn) p0 t3 t1 p1 t2 t4 p2 t3 t4 S1:p0 S2:p1 S3:p2 t1 t2 Global Kernel G ij (t): the first step from i is before t and reaches j t 1 := time of the first firing G ij (t) := Prob{(t 1 < t) (m(t 1 ) = j) m(t 0 ) = i t 0 = 0} Holding time H i (t): the first step from i is after t H i (t) := Prob{t 1 > t m(t 0 ) = i t 0 = 0} solved through a set of Volterra integral equations of the 2nd type: π ij (t) = H i (t) δ ij + k t 0 dg ik (x) π kj (t x)dx dx 15 / 53

16 Semi-Markov Process (SMP) - 2/2 stochastic models stochastic processes on the Markov condition classes of non-markovian stochastic processes global kernel and holding time derived directly from the model p0 t3 t1 p1 t2 t4 p2 t3 t4 S1:p0 S2:p1 S3:p2 t1 t2 G(t) = t f 1 (x)dx 0 t f 3 (x)(1 F 2 (x)) + f 2 (x)(1 F 3 (x))dx 0 t f 4 (x)dx 0 t 0 f 1 (x)dx 0 t 0 t f 3 (x)(1 F 2 (x))dx 0 f 2 (x)(1 F 3 (x))dx 0 t 0 0 f 4 (x) 0dx 0 H(t) =... and Volterra equation solved by numerical integration but, no memory across subsequent locations 16 / 53

17 Markov Regenerative Process (MRP) - 1/2 stochastic models stochastic processes on the Markov condition classes of non-markovian stochastic processes always, wp1, the process eventually reaches a regeneration (possibly through infinite steps or in unbounded time) p0 p1 t2 t3 [0,1] t0 [0,1] p2 t1 [0,1] p3 t0 P0P1t0 t2 t1 t2 P2P1t2 t1 P2P1t1 Global Kernel G ij (t): the first regeneration from i is j and before t t 1 := time of the first firing G ij (t) := Prob{(t 1 < t) (m(t 1 ) = j) m(t 0 ) = i t 0 = 0} Local Kernel L ij (t): from i, at t no regeneration yet and state j L ij (t) := Prob{(t 1 > t) (m(t) = j) m(t 0 ) = i t 0 = 0} the numerical problem is still Volterra equations of the 2nd type π ij (t) = L ij (t) + t dg ik (x) π kj (t x)dx k 0 dx... but, how to get the kernels? t1 t3 t0 P2P3t3 t3 P0P1 t1 P2P3t2 t2 t2 t0 P0P3t3 t0 P0P3t0 t0 t3 t3 t1 P0P1t1 17 / 53

18 Markov Regenerative Processes (MRP) - 2/2 stochastic models stochastic processes on the Markov condition classes of non-markovian stochastic processes the special case of the enabling restriction: at most one GEN enabled in any tangible marking and thus, GEN transitions never persist to each other S1:P0P1 t0 t2 p0 p1 t2 t3 t0 t4 t1 p2 p3 t1 t0 S2:P0P3 t3 t1 t4 S4:P2P3 t4 t1 S3:P0P1 t2 S5:P2P1 t3 t0 S6:P0P3 t3 t0 the process subordinated to the activity period of a GEN is a CTMC, and kernels can thus be evaluated by uniformization... but, bad news for expressivity: no concurrent overlapping GEN timers 3 GF.Ciardo, R.German, C.Lindemann, "A characterization of the stochastic process underlying a stochastic Petri net," IEEE TSE, A.Bobbio, M.Telek, "Markov regenerative SPN with non-overlapping activity cycles,"ipds95. 5 H.Choi, V.G.Kulkarni, K.S.Trivedi, "Markov Regenerative stochastic Petri Nets," PEVA / 53

19 Generalized Semi Markov Process (GSMP) stochastic models stochastic processes on the Markov condition classes of non-markovian stochastic processes if GEN transitions overlap their activity cycles, the underlying process may become a Generalized Semi Markov Process (GSMP) (e.g. parallel composition of two or more Semi-Markov Processes) t2 [0,1] p0 p1 t3 [0,1] t0 [0,1] t1 [0,1] p2 p3 t0 P0P1 t1 P2P1t2 P0P3t3 t1 t2 t3 t0 t1 t0 t1 t1 P2P3t3 P2P3t2 t0 P0P1t0 t2 t0 P0P1t1 t3 t2 P2P1t1 t3 t2 P0P3t0 t3 the real complex case is when 2 GEN persist: persistent times-to-fire become dependent variables supported over Difference Bounds Matrix (DBM) domains tb t2 t3 f pa [1,2] ta [1,2] pb p0 [1,2] [1,2] p2 p1 t0 t1 [1,2] [1,2] p3 tau0 tau1 no analytical formulation 19 / 53

20 on the frontier between MRP and GSMP stochastic models stochastic processes on the Markov condition classes of non-markovian stochastic processes the class of MRP is much wider than the enabling restriction CTMC SMP MRP enabling restriction GSMP a basic example: GG122 preemptive queue: wp1, eventually p 1 p 3 ; at the firing of t 5 the process regenerates 20 / 53

21 stochastic models stochastic processes on the Markov condition classes of non-markovian stochastic processes consolidated approaches to analytic solution (continuous time) Markovian Petri Nets: only IMM or EXP (with unbounded support) Enabling restriction: no concurrently enabled GEN transitions Supplementary variable(s) 6 7 : not viable beyond enabling restriction Deterministic (and) Stochastic Petri Nets 8 9 : only EXP,IMM,DET Phase type approach 10 : Markovian approximation of the model, trade-off between accuracy and complexity, [0, ] supports. 6 R.German, C.Lindemann, "Analysis of stochastic Petri nets by the method of supplementary variables," PEva R.German, M.Telek, "Formal Relation of Markov Renewal Theory and Supplementary Variables in the Analysis of Stochastic Petri Nets," PNPM C.Lindemann, G.S.Schedler, "Numerical analysis of Deterministic and Stochastic Petri Nets with concurrent deterministic transitions," PEva, C.Lindemann, A.Thuemmler, "Transient analysis of Deterministic and Stochastic Petri Nets with concurrent deterministic transitions," PEva, A. Horváth and M. Telek. "Phfit: A general phase-type fitting tool," Performance TOOLS / 53

22 one "recent" approach transient stochastic tree transient analysis the Oris tool - O 2 version the method of stochastic state classes 11 more recent, less consolidated and less known multiple concurrent GEN, possibly over bounded supports hurdled by the number of transitions between regenerations three main concepts compute probabilities over DBM zones that represent continuous sets of reachable states add an age clock to track the correlation between times to fire and absolute time so as to enable transient analysis use transient analysis within regeneration epochs to evaluate local and global kernels, and then resort to Markov Renewal Theory 11 Qest06, TSE09, TSE09b, PEVA12, TSE16 22 / 53

23 transient stochastic tree transient analysis the Oris tool - O 2 version characterize the process after each execution sequence let ρ := t ρ(1) t ρ(2)... tρ(n) be a finite sequence of transitions ρ can be executed with a continuous multivariate set of timings also known as cylinder set, symbolic run,... call state class S ρ the set of states that can be reached through ρ a common marking, but a set of different vectors of remaining times the set has the shape of a Difference Bounds Matrix (DBM) Zone 12 efficient (polynomial) symbolic encoding and manipulation Si Rin Rik Rij Sn Sk Sj stochastic state class evaluate the joint probability density function of the vector of times to fire of states in a DBM zone e.g. Dill, Berthomieu, Vicario, Uppaal 13 TSE09b 23 / 53

24 calculus of stochastic classes - 1/3 transient stochastic tree transient analysis the Oris tool - O 2 version assume that initially all GEN transitions are newly enabled p0 t0 [0,0] p1 p2 p3 t1 [0,10] t2 [5,15] t3 [12,22] ft1(x1) ft2(x2) ft3(x3) remaining times of transitions are distributed independently, in product form, according to their static density function x1 x2 x3 t3 t1 t0 t2 t2 t3 t1 t2 t3 22 tau2 22 tau2 10 tau tau tau tau3 24 / 53

25 calculus of stochastic classes - 2/3 transient stochastic tree transient analysis the Oris tool - O 2 version starting from a product form over a hyper-rectangle tau2 22 tau2 10 tau tau tau tau3... the assumption that t 1 fires first restricts the support and uniformly conditions probabilities 22 tau tau1... at the firing of t 1 a random time has elapsed remaining times to fire of persistent transitions t 2 and t 3 become dependent, and supported over a Difference Bounds Matrix (DBM) zone 22 tau2 12 tau tau tau3 25 / 53

26 calculus of stochastic classes - 3/3 transient stochastic tree transient analysis the Oris tool - O 2 version when subsequent transitions occur, supports remain in the shape of a Difference Bounds Matrix (DBM) zone density functions are continuous piecewise multivariate functions over a partition in DBM sub-zones, continuous across internal borders closed form symbolic derivation for models with EXP, IMM, DET, and ExPol transitions (with possibly bounded support) 14 f s t (x) = K c k x α k e λ k x k for x [EFT s t, LFT s t, ] implementation amounts to joint symbolic enumeration of DBM domains and analytical form of multi-variate joint density functions intertwining due to zone difference constraints (linear, slope 1) 14 L.Carnevali, L.Grassi, E.Vicario, "State-density functions over DBM domains in the analysis of non-markovian models," TSE / 53

27 measures on stochastic state classes transient stochastic tree transient analysis the Oris tool - O 2 version the probability that t 0 fires first (transition probability) is the integral over a subset of the DBM zone Prob{t o} = f τ (x)dx D x 0 x n n t0 t0<tn tn.6 1. the probability to reach a class is the product of transition probabilities on the path from the root 27 / 53

28 transient stochastic tree transient analysis the Oris tool - O 2 version... a measure of probability over the set of runs the tree of stochastic state classes provides an explicit representation for the measure of probability over sets of runs discrete probability to reach a class continuous probability measure over any subset of remaining times when the class is reached characterizes the process at the time when a class is entered... but not with respect to the absolute time when this happens 28 / 53

29 transient stochastic state classes transient stochastic tree transient analysis the Oris tool - O 2 version supplement classes with a global age variable, representing the absolute time when the class is reached 15 technical subtlety: τ age encodes the opposite of the age regard τ age as a special timer, initially set equal to 0, never reset, decreased (to negative values) as time passes t0 t0 tn age 15 A.Horváth, M.Paolieri, L.Ridi, E.Vicario, "Transient analysis of non-markovian models using stochastic state classes," PEva, / 53

30 transient stochastic tree transient analysis the Oris tool - O 2 version measures on transient stochastic state classes probability that class S is reached within time t: π S f τage,τ (x age, x)dx agedx D x age t probability that S is the last entered class at time t S is reached within u t the sojourn time is not lower than t u π S (t) = π S f τage,τ (x age, x)dx agedx D(t) D(t) = D ( x age t) ( x age + Min n{x n} t) t0 t0 -t age -t age 30 / 53

31 transient stochastic tree transient analysis the Oris tool - O 2 version transient analysis straight through the probability measure a straight approach to transient analysis: enumerate classes until the time horizon is overcome not only for MRP, also for GSMP t0 t0 -t age age fairly general termination conditions exact analysis terminates iff the non-deterministic SCG does not reach within time T any possibly immediate cycle analysis with safe approximation ɛ > 0 terminates iff the non-deterministc SCG does not reach within time T any necessarily immediate cycle (time block) yet, the transient stochastic tree grows exponentially with the number of transition firings within the scope of transient analysis 31 / 53

32 transient stochastic tree transient analysis the Oris tool - O 2 version combine stochastic state classes with Markov renewal theory restrain transient analysis within the first epoch use it to evaluate local and global kernels, and then resort to Markov Renewal Theory for MRPs derive kernels through measures on enumerated classes local kernel: starting from i, at time t the marking is j and no regeneration has occurred L ij (t) := Prob (t 1 > t m(t) = j m(t 0 ) = i t 0 = 0) global kernel: starting from i, the first regeneration is before t and leads to j G ij (t) := Prob (t t 1 m(t 1 ) = j m(t 0 ) = i t 0 = 0) get transient probabilities through generalized Markov renewal equations π ij (t) := Prob{m(t) = j m(0) = i} π ij (t) = L ij (t) + t dg ik k x=0 dx (x)π kj(t x)dx 32 / 53

33 transient analysis in the Oris tool transient stochastic tree transient analysis the Oris tool - O 2 version full Java implementation in the Oris tool 16 rich extension of stpn approximation allowed rewards various analysis techniques underlying implementation also available, with many more functions Sirio: symbolic calculus of PDF over DBM PetriNetLib: syntax and semantics of Petri Nets, easily open to extensions abstracteditor: a customizable framework for the production of graph-based formalisms / 53

34 probabilistic model checking for Markovian models measure the probability of sets of runs through stochastic classes example: Fischer mutual exclusion protocol a further aim: extend transient analysis to probabilistic model checking while still using regenerations to break complexity 34 / 53

35 On properties of states and runs probabilistic model checking for Markovian models measure the probability of sets of runs through stochastic classes example: Fischer mutual exclusion protocol transient analysis is about the probability of a state: measure of the set of runs that are in some state i at time t according to the measure of the probability space of the model, induced by initial probabilities and stochastic parameters can be generalized to the probability of a behaviour measure of the set of runs that satisfy some property restricting the sequencing of events and their quantitative timing probabilistic bounded until: Prob{φ 1 Unt [α,β] φ 2 } measure of the set of runs that are in some φ 2 -state at some time t [α, β] after having visited only φ 1 -states TBD drawing of a path satisfying the bounded until property 35 / 53

36 a standard efficient solution for Markovian models probabilistic model checking for Markovian models measure the probability of sets of runs through stochastic classes example: Fischer mutual exclusion protocol if the model is a CTMC 17 evaluate the transient probability π φ 1 i (α) of any state x i that can be reached without visiting any φ 1 -state from each x i evaluate the probability π φ 2 i (β α) that a φ 2 state is reached within β α, without visiting any φ 1 state basically, a renewal argument at time α compose the measure of runs through φ 1 states in time [0, alpha] with the measure of runs through φ 1 states to φ 2 states in [0, β alpha] a CTMC always satisfies the Markov condition, in particular, at time α can be efficiently extended to nested temporal operators, e.g. Prob >0.7 {φ 1 Unt [α,β] Prob >0.3 {φ 2 Unt [γ,δ] φ 3 }} TBD uno schema che illustra l albero con i KO e gli OK 17 C.Baier, B.Haverkort, H.Hermanns, J.P.Katoen, "Model-checking algorithms for continuous-time Markov chains," TSE / 53

37 another suggestive solution for Markovian models probabilistic model checking for Markovian models measure the probability of sets of runs through stochastic classes example: Fischer mutual exclusion protocol express the property as a Deterministic Timed Automaton (DTA) with a single clock distinguishing states in [0, α] and in [α, β] compose the CTMC of the model with the DTA of the property the result is a Markov Regenerative Process under enabling restriction the problem can be reduced to transient analysis less efficient, but open to expressive extension TBD picture of the DTA and the CTMC (based on stpns) suggestion: memory is carried both by the model and by the property the automaton keeps memory from 0 to α, and then from α to β 18 S.Donatelli, S.Haddad, J.Sproston, "Model checking Timed and Stochastic Properties with CSL TA," TSE T.Chen, T.Han, J.P.Katoen, A.Mereacre, "Quantitative model checking of continuous-time Markov chains against timed automata specifications," LICS / 53

38 probabilistic model checking for Markovian models measure the probability of sets of runs through stochastic classes example: Fischer mutual exclusion protocol probabilistic model checking over non-markovian models? remark: in a CTMC, any feasible behavior can occur with non-null probability in any time in (0, ) when we evaluate/decide a time bounded probabilistic until over a CTMC we are evaluating how many behaviors of a model without firm constraints do satisfy a firmly time-constrained property yet, if we are interested in a property with firm time constraints we may be also interested in checking these property on a model that can capture firm time bounds a much hurdled aim, combining the complexities of non Markovian Processes and probabilistic model checking 38 / 53

39 first main concept probabilistic model checking for Markovian models measure the probability of sets of runs through stochastic classes example: Fischer mutual exclusion protocol exploit the measure of probability over the set of runs made explicit by the transient stochastic tree 39 / 53

40 probabilistic model checking for Markovian models measure the probability of sets of runs through stochastic classes example: Fischer mutual exclusion protocol a "straight" approach based on stochastic state classes evaluate φ 1 Unt [α,β] φ 2 during the construction of the stochastic transient tree 20 on-the-fly: restrain state space traversal to φ 1 states, and make (timely) φ 2 states absorbing many pros applicable also to GSMP, beyond the limit of MRP extremely general termination conditions witnesses made explicit as absorbing nodes in the tree open to approximation and heuristics... yet, complexity exponential in the number of transitions fired before β can complexity be broken by composing behaviors at regenerations? 20 A.Horváth, M.Paolieri, L.Ridi, E.Vicario, "Probabilistic Model Checking of non-markovian Models with Concurrent Generally Distributed Timers," QEST / 53

41 a subtle hurdle probabilistic model checking for Markovian models measure the probability of sets of runs through stochastic classes example: Fischer mutual exclusion protocol (as previously mentioned) in probabilistic model checking memory in the model is combined with that in the property even if the model finds a regeneration some memory must be carried about the absolute time so as to determine whether the run is in the time interval [α, β] TBD un disegno che illustra l until che soddisfa la proprieta prima e dopo alpha in principle, this can break every regeneration until α and thus let complexity explode 41 / 53

42 second main concept probabilistic model checking for Markovian models measure the probability of sets of runs through stochastic classes example: Fischer mutual exclusion protocol compose behaviours across regenerations using an extension of generalized Markov renewal equations, that fits the structure of the until operator 42 / 53

43 probabilistic model checking for Markovian models measure the probability of sets of runs through stochastic classes example: Fischer mutual exclusion protocol a solution based on kernels fitting the structure of until bivariate 3-kernels extension of Generalized Markov renewal equations based on Local Kernel L φ 1,φ 2 i (α, β), Global Kernel G φ 1 ik (x), and Conditional Global Kernel H φ 1,φ 2 ik (α, x) π i (α, β) := measure of runs from state i that satisfy π i (α, β) = L φ 1,φ 2 i (α, β) + dg φ 1 ik (x) π k(α x, β x) + k x [0,α] dh φ 1,φ 2 ik (α, x) π k (0, β x) k x [α,β] i, k set of regeneration points the 3 terms account for three classes of successful runs / 53

44 a partition of the set of successful runs probabilistic model checking for Markovian models measure the probability of sets of runs through stochastic classes example: Fischer mutual exclusion protocol L φ 1,φ 2 i (α, β) measures the set of successful runs that reach a φ 2 state in [α, β] before any regeneration k x [0,α] dgφ 1 ik (x) π k(α x, β x) measures successful runs that reach the first regeneration before α and before any φ 2 -state k x [α,β] dhφ 1,φ 2 ik (α, x) π k (0, β x) measures successful runs that reach the first regeneration after α without any φ 2 -state after α 44 / 53

45 third main concept probabilistic model checking for Markovian models measure the probability of sets of runs through stochastic classes example: Fischer mutual exclusion protocol derive the 3 kernels in renewal equations through state space analysis restrained within the first regeneration 45 / 53

46 derivation of kernels through stochastic classes probabilistic model checking for Markovian models measure the probability of sets of runs through stochastic classes example: Fischer mutual exclusion protocol the three kernels can be derived from measures taken on the classes reached within the first regeneration dependence between H φ 1,φ 2 ik (α, x) and L φ 1,φ 2 i (α, β) π i (α, β) = L φ 1,φ 2 i (α, β)+ dg φ 1 ik (x) π k(α x, β x)+ k x [0,α] dh φ 1,φ 2 ik (α, x) π k (0, β x) k x [α,β] i, k set of regeneration points... broken through a diagonal order in the evaluation 46 / 53

47 example: Fischer mutual exclusion protocol probabilistic model checking for Markovian models measure the probability of sets of runs through stochastic classes example: Fischer mutual exclusion protocol / 53

48 key concepts of the approach a method of numerical solution for non-markovian models, with multiple concurrent GEN durations, possibly distributed over firmly bounded supports with a bounded number of steps between regenerations supporting transient analysis, (steady state analysis), and probabilistic model Checking based on combine symbolic state space analysis based on DBM zones with symbolic derivation of multivariate probability distributions use the resulting abstraction to derive kernels of Markov Regenerative Processes resort to numerical integration of generalized Markov renewal equations 48 / 53

49 current direction: from methods to applications move along the chain of reality, stylized facts, models, theory the other way around: identify classes of problems, or cases, where the extended expressivity can be successfully applied joint aim on validating methods and providing concrete results two patterns performance/dependability evaluation of protocols/applications/systems on-line implementation within smart components of protocols/applications/systems both have potential for Dependable Computing and the Internet of Things 49 / 53

50 current direction: from solution methods to modeling cases - 1/2 availability in railways signalling, signalling ETCS-RTCS-level3 21 : impact of communication (un)availability in headway control for a chasing train in the level-3 signalling standard a transient problem, with multiple concurrent GEN durations previous works on steady state, and under enabling restriction 22 Fischer mutual exclusion protocol 23 validation of a distributed synchronization protocol that inherently combines stochastic behavior and firm time bounds a kind of stylized reality case 21 epew Zimmermann 23 TSE16 50 / 53

51 current direction: from solution methods to modeling cases - 2/2 recoverability and quality of service in gas distribution networks 24 : compose the physical behavior of a gas distribution network, with stochastic durations in a maintenance procedure evaluate the distribution of un-served demand due to one/more contingency/planned network sections a kind of cyber-physical problem, for planning or operation engaged with a real industrial development program 25 extension to manage water distribution networks tank levels comprise a continuous element of memory and cast the problem in the context of stochastic-hybrid systems collaboration being established with the water distribution utility of central Tuscany 24 Pasm14, SafeComp14, TII-Submitted / 53

52 current direction: on-line transient analysis - 1/2 maintain an on-line stochastic model observations received from some sensing or metering infrastructure on-line transient analysis rejuvenated at each new observation aims: diagnosis, prediction, and scheduling compare predicted probabilities against actual observations, to get a likelihood for the classification of the current state predict evolution from plausible current states, weighed by likelihood, to get the hitting time distribution of some critical condition use predicted hitting times, to schedule the time point of some typed action 52 / 53

53 current direction: on-line transient analysis - 2/2 a kind of application tailored for a method able to precisely keep the information of transient behavior... (as mentioned) on the meaning of steady state in a stochastic process applicable to a variety of scenarios first results in Activity Recognition for Ambient Assisted Living Qest15 53 / 53