3.5 Property Specification
3.5.3 Modelling PTAs in PRISM
pta const int M; module sender state : [0..3] init 0; try : [0..M] init 0; t : clock; invariant
(state = 0 => t <= 3) & (state = 3 => t <= 6) endinvariant
[transmit] state = 0 & t >= 1 & try < M -> 0.95 : (state’ = 1) + 0.05 : (state’ = 2) & (try’ = try+1) & (t’ = 0); [retransmit] state = 3 & t >= 4 -> (state’ = 0) & (t’ = 0);
[terminate] state = 0 & try == M -> (state’ = 3); endmodule
rewards ’’energy’’ (state=0) : 3.5; endrewards
Figure 3.12: ThePRISMcode of the PTA in Figure 3.10.
PTAs can be enhanced with rewards and costs, which allow us to track the num- ber of occurrences of a transition. This might correspond to energy used or goals achieved. The corresponding model is known as a priced PTA and it allows us to mea- sure accumulated rewards (reflected in properties expressing the expected value of the rewards/costs). A further extension is linearly priced PTAs, where costs or rewards are accumulated linearly (with respect to the elapsed time) [78]. Finally, parallel composi- tion can be modelled by PTAs as well, which is the same feature of other probabilistic
models supported byPRISM. Thus, multiple probabilistic timed automaton are able to
work in parallel, and synchronise by taking transitions with the help of labels that can be matched [79].
ThePRISMmodel checker employs a popular modelling language to specify all the
3.5. PROPERTY SPECIFICATION 55 PTAs is a textual language, based on guarded command notation. A clock variable has
been added in PTAs that PRISM can then recognise. Clock variables can be placed
in guards, which is located on the left-hand side of a command. Like other regular variables in the model, clock variables can also be reset, which results in an update on the right-hand side of the command. There is an additional keyword “invariant” for
the purpose of specifying invariants [78]. Figure 3.12 shows aPRISM modelling lan-
guage description for the example PTA described in Figure 3.10. It further illustrates
a case of including a PRISMreward structure, labelled “energy”, to generate a priced
probabilistic timed automata, which assigns a reward rate of 3.5 when s = 0 (during message transmission).
Part II
Modelling, Specification and
Verification
Chapter 4
Reliability, Availability, Maintainability
Analysis of The Space Segment
This chapter is based on the papers [117, 115]. We present formal models of both a single satellite and a navigation satellite constellation and logical specification of their reliability, availability and maintainability properties respectively. The model checker
PRISMhas been used to perform automated analysis of these quantitative properties.
4.1 Introduction
The space segment is a core component of satellite systems. Satellites in the space segment are designed for operating on orbit to perform tasks and have lifetimes of 10 years or more. Before formally introducing this technique and discussing the role of formal verification, we briefly review some traditional verification techniques that can be applied to analysing satellite systems, which are prototype testing and model simulation.
Prototype testing is a dynamic verification technique that involves actually running prototype of a system. Correctness is thus verified by running the prototype to traverse a set of execution paths. Based on the results during execution, the actual output of the prototype is compared to the system specification which is usually in the form of documents. Model simulation is similar to prototype testing, but is applied to system models. Models are usually described using hardware description languages. A sim- ulator is used to examine execution paths of the model based on configuration inputs. These inputs can be provided by a user, or by automated approaches such as using a random generator. A mismatch between the simulator’s result and the specification of
4.1. INTRODUCTION 58 the system exhibits the incorrect behaviours.
Both verification techniques are limited in that they only allow exploration of a small subset of many possible scenarios. Formal methods is the application of mathe- matical modelling and reasoning to prove that an implementation coincides with pre- cisely expressed notion of formal specification. In this context, the purpose of formal analysis and verification is to analyse the performance and reliability properties and to verify the correctness of satellite systems in such a way that faults and failures can be identified. Model checking and theorem proving are formal techniques that can be used to detect faults and failures in a formal specification.
Although historically these forms of verification were used to prove correctness of explicit software and hardware designs, these days they are also used for failure analysis. They are generally applied during the design phase, where they are arguably most effective, for verifying correctness and other essential properties such as safety, liveness and fairness. Model checking is an automated analysis technique that requires expert knowledge to use. The user must provide an initial specification of the system itself, as well as logical properties describing its desired behaviour.
One strength of model checking to traditional analysis techniques is that it is not sensitive to the probability that a fault or failure is exposed; this contrasts with proto- type testing and model simulation that are aimed at tracing the most probable faults or failures. Moreover, it allows one to precisely analyse results of checking desired properties. Model checking is a general analysis technique that is applicable to a wide range of applications such as embedded systems, software engineering, and hardware design. It also supports analysing properties individually, thus allowing one to focus essential properties first. This enables incomplete formal models to be specified and verified.
The formal model of systems can be defined using a high-level formalism or ex- tracted directly form software using methods such as abstract interpretation. Verifica- tion involves checking paths of the state transition graph (or state-space) of the model. Traditionally this involves either exhaustive or on-the-fly search of the state-space in which states are stored explicitly. Another method, which is symbolic model checking [30], involves search of a symbolic representation of the state space, in which groups of states and transitions are explored in a single step.
Quantitative verification is a analysis technique for establishing quantitative prop- erties of a system model. Models analysed through this method are typically vari- ants of Markov chains, annotated with costs and rewards that describe resources and
4.2. THE SPACE SEGMENT 59