2.1.2.2 Continuous Stochastic Logic

Continuous Stochastic Logic (CSL) [11, 12] is the counterpart of PCTL for specifying properties for CTMC models. CSL extends the non-probabilistic Computation Tree Logic with a probabilistic operator $P$ and a steady-state operator $S$. We define below the syntax of the cost-reward augmented CSL variant adopted in this thesis [145].

Definition 2.9. The syntax of Continuous Stochastic Logic (CSL) is given by the following grammar:

$$\Phi ::= true \mid a \mid \neg\Phi \mid \Phi \wedge \Phi \mid P_{\bowtie p}[\varphi] \mid S_{\bowtie p}[\Phi]$$

$$\varphi ::= X\Phi \mid \Phi\, U^{I}\, \Phi$$

and the cost/reward augmented CSL state formulae are defined by the grammar:

$$R_{\bowtie r}[C^{\leq T}] \mid R_{\bowtie r}[I^{=T}] \mid R_{\bowtie r}[F\,\Phi] \mid R_{\bowtie r}[S]$$

where:

• $a \in AP$ is an atomic proposition with $AP$ being a set of atomic propositions;

• $\bowtie\ \in \{<, \leq, \geq, >\}$ is a relational operator;

• $I \subseteq \mathbb{R}_{\geq 0}$ and $T \in \mathbb{R}_{\geq 0}$ are a time interval and a time instant, respectively;

• $p \in [0, 1]$ is a probability bound (or threshold);

• $r \in \mathbb{R}_{\geq 0}$ is a reward bound.

CSL formulae are analysed over the states of a CTMC model. CSL path formulae are interpreted as for PCTL, except for the interval $I \in \mathbb{R}_{\geq 0}$ parameter of the “until” operator $U$. For completeness, we describe the semantics of CSL formulae. The probabilistic operator $P$ specifies upper or lower bounds on the probability of system evolution. For instance, formula $P_{\bowtie p}[\varphi]$ is true if the probability of future system evolution satisfying $\varphi$ meets the bound $\bowtie p$. For a path $\pi$, the “next” formula $X\Phi$ holds if $\Phi$ is satisfied in the next state. The “time-bounded until” formula $P_{\bowtie p}[\Phi_1\, U^{\leq I}\, \Phi_2]$ holds if, across all paths, at some time instant in the interval $I$, $\Phi_2$ becomes true and $\Phi_1$ holds continuously before. When $I = [0,\infty]$, we obtain an “unbounded until” formula. The steady-state operator $S$ defines the system behaviour in the long run. Hence, formula $S_{\bowtie p}[\Phi]$ holds if the steady-state probability of the system being in a state satisfying $\Phi$ meets the bound $\bowtie p$. Finally, the formula $P_{=?}[\varphi]$ establishes the probability of path formula $\varphi$.

The high-level meaning of the cost/reward operator $R$ assuming a target state $s$ is:

• $R_{\bowtie r}[C^{\leq T}]$ is true if the expected cumulative reward up to time $T$ satisfies $\bowtie r$;

• $R_{\bowtie r}[I^{=T}]$ holds if the expected value of the reward at time instant $T$ satisfies $\bowtie r$;

• $R_{\bowtie r}[F\,\Phi]$ holds if the expected cumulative reward before reaching a state satisfying $\Phi$ meets bound $\bowtie r$;

• $R_{\bowtie r}[S]$ is true if the average expected reward in the long run satisfies $\bowtie r$.

Similarly to PCTL, the formula $R_{=?}[\cdot]$ can be used to calculate the expected value of a reward. The semantics of cost-reward augmented CSL over CTMCs are as follows.

Definition 2.10. Let $C = (S, \bar{s}, R, L)$ be a labelled CTMC. For any state $s \in S$, time interval $I \in \mathbb{R}_{\geq 0}$, time instant $T \in \mathbb{R}_{\geq 0}$, and reward $r \in \mathbb{R}_{\geq 0}$, the satisfaction relation $\models$ is defined inductively by:

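$$s \models true \quad \text{for all } s \in S$$

$$s \models a \;\Leftrightarrow\; a \in L(s)$$

$$s \models \neg\Phi \;\Leftrightarrow\; s \not\models \Phi$$

$$s \models \Phi_1 \wedge \Phi_2 \;\Leftrightarrow\; s \models \Phi_1 \wedge s \models \Phi_2$$

$$s \models P_{\bowtie p}[\varphi] \;\Leftrightarrow\; Pr(s \models \varphi) \bowtie p$$

where $Pr(s \models \varphi) = Pr_s(\pi \in Path^{C}(s) \mid \pi \models \varphi)$ is the probability that a path originating in $s$ satisfies $\varphi$.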

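Moreover, for any path $\pi \in Path^{C}(s)$

$$\pi \models P_{\bowtie p}[X\Phi] \;\Leftrightarrow\; \pi(1) \models \Phi$$

$$\pi \models P_{\bowtie p}[\Phi_1\, U^{I}\, \Phi_2] \;\Leftrightarrow\; \exists t \in I.\,(\pi@t \models \Phi_2 \wedge \forall j \in [0, t).\,(\pi@j \models \Phi_1))$$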

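Finally, for the cost/reward structures

$$s \models R_{\bowtie r}[C^{\leq k}] \;\Leftrightarrow\; Exp^{C}(s, X_{C^{\leq T}}) \bowtie r$$

$$s \models R_{\bowtie r}[I^{=k}] \;\Leftrightarrow\; Exp^{C}(s, X_{I^{=T}}) \bowtie r$$

$$s \models R_{\bowtie r}[F\,\Phi] \;\Leftrightarrow\; Exp^{C}(s, X_{F\Phi}) \bowtie r$$

$$s \models R_{\bowtie r}[S] \;\Leftrightarrow\; \lim_{t \to \infty} \frac{1}{t} \cdot Exp^{C}(s, X_{C^{\leq T}}) \bowtie r$$

where ExpC(s, X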

Evaluating a CSL formula for a CTMC

The model checking algorithm for a CSL formula $\Phi$ takes as input a labelled CTMC and outputs the set of states satisfying $\Phi$. The algorithm for non-probabilistic formulae, i.e., “true”, “a”, $\neg\Phi$, and $\Phi \wedge \Phi$, is similar to PCTL for DTMCs, which proceeds by induction on the parse tree of $\Phi$. Evaluating properties that involve the probabilistic $P$ or reward $R$ operators is achieved through analytical techniques. Untimed properties, i.e., properties that do not express any of the real-time aspects of a CTMC, can be evaluated using the embedded DTMC (Def. 2.5). As with PCTL, the “next” formula $P_{\bowtie p}[X\Phi]$ requires one matrix-vector multiplication. Calculating unbounded until probabilities $P_{\bowtie p}[\Phi_1\, U\, \Phi_2]$, steady-state probabilities $S_{\bowtie p}[\Phi]$, reachability rewards $R_{\bowtie r}[F\,\Phi]$, and steady-state rewards $R_{\bowtie r}[S]$ is done by solving a system of linear equations. For timed properties, including probabilistic bounded until $P_{\bowtie p}[\Phi_1\, U^{I}\, \Phi_2]$, cumulative $R_{\bowtie r}[C^{\leq T}]$ and instantaneous $R_{\bowtie r}[I^{=T}]$ rewards, the problem reduces to calculating the transient probabilities of the CTMC, using efficient iterative numerical methods such as uniformisation and matrix-vector multiplications. A comprehensive analysis of the techniques used to quantify each CSL formula is presented in [148, 182].
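The reduction of time-bounded until to transient probabilities can be seen in a small uniformisation routine. This is an added example, not code from the thesis or from any model checker: the three-state sensor CTMC and its rates are constructed (the thesis's own sensor model is not reproduced here), the function names are hypothetical, and the interval is assumed to have the form [0, t].

```python
import math

def bounded_until(rates, phi1, phi2, t, eps=1e-10, max_terms=100_000):
    """Pr(s |= phi1 U^[0,t] phi2) for every state s, by uniformisation.
    rates[i][j] is the CTMC rate i -> j; phi1/phi2 are sets of state indices."""
    n = len(rates)
    # States whose outcome is already decided become absorbing:
    # phi2-states (success) and states violating phi1 (failure).
    decided = lambda i: i in phi2 or i not in phi1
    R = [[0.0 if decided(i) or i == j else rates[i][j] for j in range(n)]
         for i in range(n)]
    exit_rate = [sum(row) for row in R]
    q = 1.02 * max(max(exit_rate), 1e-9)     # uniformisation rate >= all exit rates
    # Uniformised DTMC: P = I + Q/q
    P = [[R[i][j] / q + (1.0 - exit_rate[i] / q if i == j else 0.0)
          for j in range(n)] for i in range(n)]
    v = [1.0 if i in phi2 else 0.0 for i in range(n)]   # P^k applied to indicator(phi2)
    weight = math.exp(-q * t)                # Poisson(0; q*t)
    if weight == 0.0:
        raise OverflowError("q*t too large for naive Poisson weights")
    result, acc, k = [0.0] * n, 0.0, 0
    # Sum Poisson(k; q*t) * P^k * indicator until the ignored tail is below eps.
    while acc < 1.0 - eps and k < max_terms:
        result = [r + weight * x for r, x in zip(result, v)]
        acc += weight
        k += 1
        weight *= q * t / k
        v = [sum(P[i][j] * v[j] for j in range(n)) for i in range(n)]  # one mat-vec
    return result

# Constructed sample CTMC: 0 = measuring, 1 = accurate, 2 = failed (permanent).
SENSOR = [[0.0, 4.0, 0.1],
          [2.0, 0.0, 0.0],
          [0.0, 0.0, 0.0]]

def satisfies_liveness(rates, s=0, bound=0.95):
    """Checks s |= P>=0.95 [ true U^[0,1] "accurate" ] with state 1 as "accurate"."""
    everything = set(range(len(rates)))      # "true" holds in every state
    return bounded_until(rates, everything, {1}, 1.0)[s] >= bound

if __name__ == "__main__":
    print(bounded_until(SENSOR, {0, 1, 2}, {1}, 1.0), satisfies_liveness(SENSOR))
```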

Example 2.4. Suppose an unmanned underwater vehicle (UUV) travelling with speed sp is equipped with a set of sensors. The behaviour of each sensor is defined by the CTMC model in Figure 2.3. Let “accurate” indicate the state in which any of the sensors performs an accurate measurement. A set of example QoS requirements for the UUV system is given in Table 2.2. For each requirement, we provide an informal description and its formalisation in cost/reward augmented CSL.

Table 2.2: QoS requirements for the UUV system

| ID | Informal description | CSL |
|----|----------------------|-----|
| R1 | (Sensor liveness): “The probability that during the first second of operation, the sensors make an accurate measurement must be at least 95%” | $P_{\geq 0.95}[true\ U^{[0,1]}\ \text{“accurate”}]$ |
| R2 | (Sensor accuracy): “At least 300 measurements of sufficient accuracy must be taken every 100m travelled by the UUV” | $R^{\text{“measurement”}}_{\geq 300}[C^{\leq 100/sp}]$ |
| R3 | (Energy consumption): “The energy consumption of the sensor must not exceed 400J per 100m travelled by the UUV” | |