# Statistical Model Checking for Stochastic Hybrid Systems



### Kim G. Larsen

with Alexandre David, Marius Mikucionis, Peter Bulychev, Axel Legay, Dehui Du, Guangyuan Li, Danny B. Poulsen, Amélie Stainer, Zheng Wang





# **Cyber-Physical Systems**

Complex systems that tightly integrate computing elements (hardware and software) with physical components (figure: camera, lighting and irrigation components of a building). Key aspects: **Real Time**, **Resources**, **Hybrid Systems**, **Stochasticity**.

LCCC Workshop on Formal Verification of Embedded Control Systems, April 17–19, Lund, Sweden

Kim Larsen [2]

#### **Overview**

- Stochastic Hybrid Systems
- Metric Interval Temporal Logic
- UPPAAL SMC
- Schedulability and Performance Analysis of Mixed Critical Systems
- Energy Aware Buildings
- Conclusion

# Hybrid Automata

#### $H = (L, \ell_0, \Sigma, X, E, F, \mathit{Inv})$ where

- $L$ set of locations
- $\ell_0 \in L$ initial location
- $\Sigma = \Sigma_i \uplus \Sigma_o$ set of actions (inputs and outputs)
- $X$ set of continuous variables, with valuations $\nu : X \to \mathbb{R}$ (i.e. $\nu \in \mathbb{R}^X$)
- $E$ set of edges $(\ell, g, a, \rho, \ell')$ with guard $g \subseteq \mathbb{R}^X$, update relation $\rho \subseteq \mathbb{R}^X \times \mathbb{R}^X$ and $a \in \Sigma$
- for each $\ell$ a delay function $F(\ell) : \mathbb{R}_{\geq 0} \times \mathbb{R}^X \to \mathbb{R}^X$
- for each $\ell$ an invariant $\mathit{Inv}(\ell) \subseteq \mathbb{R}^X$




# Hybrid Automata



#### **Semantics**

- States: $(\ell, \nu)$ where $\nu \in \mathbb{R}^X$
- Delay transitions: $(\ell, \nu) \xrightarrow{d} (\ell, \nu')$ where $\nu' = F(\ell)(d, \nu)$, provided $\nu' \in \mathit{Inv}(\ell)$
- Discrete transitions: $(\ell, \nu) \xrightarrow{a} (\ell', \nu')$ if there exists $(\ell, g, a, \rho, \ell') \in E$ with $\nu \in g$, $(\nu, \nu') \in \rho$ and $\nu' \in \mathit{Inv}(\ell')$
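The definition and the two transition rules above, written out as runnable Python. This is an added illustration, not code from the talk or from UPPAAL: the one-tank model (locations `Fill` and `Drain`, one continuous variable `x`, the rates, guard thresholds and invariant bounds) is constructed solely to exercise $H = (L, \ell_0, \Sigma, X, E, F, \mathit{Inv})$, and the update relation $\rho$ is restricted to a function so that a step has one successor per edge.

```python
"""Executable reading of the hybrid-automaton definition and semantics above.

Added illustration, not code from the slides or from UPPAAL.  The one-tank
model (locations Fill/Drain, variable x, the rates, guards and invariant
bounds) is a constructed example chosen only to exercise
H = (L, l0, Sigma, X, E, F, Inv); none of it comes from the talk.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple, Union

Valuation = Dict[str, float]        # nu : X -> R, i.e. an element of R^X
State = Tuple[str, Valuation]       # (l, nu)


@dataclass(frozen=True)
class Edge:
    """One element (l, g, a, rho, l') of E."""
    src: str
    guard: Callable[[Valuation], bool]          # g, as a predicate on R^X
    action: str                                 # a in Sigma
    update: Callable[[Valuation], Valuation]    # rho, restricted here to a function
    dst: str


@dataclass
class HybridAutomaton:
    l0: str
    actions: List[str]                                          # Sigma
    edges: List[Edge]                                           # E
    flow: Dict[str, Callable[[float, Valuation], Valuation]]    # F(l): R>=0 x R^X -> R^X
    inv: Dict[str, Callable[[Valuation], bool]]                 # Inv(l) as a predicate

    def delay(self, s: State, d: float) -> Optional[State]:
        """(l,nu) -d-> (l,nu') with nu' = F(l)(d,nu), provided nu' in Inv(l).
        As in the slide rule, only the end point nu' is checked against Inv(l)."""
        if d < 0:
            raise ValueError("delays are non-negative")
        l, nu = s
        nu2 = self.flow[l](d, nu)
        return (l, nu2) if self.inv[l](nu2) else None

    def discrete(self, s: State, a: str) -> List[State]:
        """All (l',nu') with an edge (l,g,a,rho,l') in E such that nu in g,
        (nu,nu') in rho and nu' in Inv(l')."""
        if a not in self.actions:
            raise ValueError(f"unknown action {a!r}")
        l, nu = s
        succ: List[State] = []
        for e in self.edges:
            if e.src == l and e.action == a and e.guard(nu):
                nu2 = e.update(nu)
                if self.inv[e.dst](nu2):
                    succ.append((e.dst, nu2))
        return succ


def tank() -> HybridAutomaton:
    """Constructed model: the level x rises at 2/s in Fill (Inv: x <= 10) and
    falls at 1/s in Drain (Inv: x >= 0); 'high' switches to Drain once x >= 8,
    'low' switches back to Fill once x <= 2.  Updates leave x unchanged."""
    keep = lambda nu: dict(nu)
    return HybridAutomaton(
        l0="Fill",
        actions=["high", "low"],
        edges=[
            Edge("Fill", lambda nu: nu["x"] >= 8.0, "high", keep, "Drain"),
            Edge("Drain", lambda nu: nu["x"] <= 2.0, "low", keep, "Fill"),
        ],
        flow={
            "Fill": lambda d, nu: {"x": nu["x"] + 2.0 * d},
            "Drain": lambda d, nu: {"x": nu["x"] - 1.0 * d},
        },
        inv={"Fill": lambda nu: nu["x"] <= 10.0, "Drain": lambda nu: nu["x"] >= 0.0},
    )


def run(h: HybridAutomaton, start: State, steps: List[Union[float, str]]) -> Optional[State]:
    """Follow a sequence of delays (numbers) and actions (names); None if the
    sequence is not a run of H (invariant violated or no enabled edge)."""
    s: Optional[State] = start
    for step in steps:
        if isinstance(step, str):
            succ = h.discrete(s, step)
            s = succ[0] if succ else None
        else:
            s = h.delay(s, float(step))
        if s is None:
            return None
    return s


if __name__ == "__main__":
    h = tank()
    print(run(h, (h.l0, {"x": 0.0}), [4.0, "high", 6.0, "low", 1.0]))   # ('Fill', {'x': 4.0})
    print(run(h, (h.l0, {"x": 0.0}), [6.0]))                              # None: x = 12 leaves Inv(Fill)
```

One caveat worth keeping in mind when reading the semantics this literally: the delay rule only inspects the end point $\nu'$, so with a non-convex invariant a trajectory could leave and re-enter $\mathit{Inv}(\ell)$ unnoticed; tools such as UPPAAL restrict invariants so that checking the end point suffices.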


### Stochastic Hybrid Automata



\* Dirac delta functions are used as the densities for deterministic delays and deterministic next states.


#### **Stochastic Semantics of NTAs**

#### **Stochastic Semantics of NHAs**



where  $c = c(a_1)$ , and as base case we take  $P_{\mathcal{A}}(\pi(\mathbf{s}), \varepsilon) = 1$ .




#### **Logical Properties: WMITL**

$$\varphi = \mathsf{ok}\ \mathsf{U}^{\tau}_{\leq 9}\Big(\mathsf{problem} \land \big(\neg\mathsf{ok}\ \mathsf{U}^{\tau}_{\leq 10}\ \mathsf{ok}\big) \land \big(\neg\mathsf{ok}\ \mathsf{U}^{c}_{\leq 40}\ \mathsf{ok}\big)\Big)$$

$$Pr_{M}(\varphi) = ??$$



#### **Statistical Model Checking**






# Schedulability & Performance Analysis







### **Task Scheduling**

#### Task parameters (CPU utilization)

- $P(i)$, or $\mathrm{UNI}[E(i), L(i)]$, ...: period, or earliest/latest arrival, ... of task $T_i$
- $C(i)$, or $\mathrm{UNI}[BC(i), WC(i)]$: execution time of $T_i$ (fixed, or uniformly distributed between best case and worst case)
- $D(i)$: deadline of $T_i$
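The parameters above are what a task template in the schedulability model consumes. As an added example (not code from the talk and not UPPAAL's task, scheduler or queue templates), here is a small Python simulator of fixed-priority preemptive scheduling over exactly these parameters: periodic releases with $P(i)$, execution time drawn from $\mathrm{UNI}[BC(i), WC(i)]$, relative deadline $D(i)$, priority given by list order. It records per task the largest response time observed (the simulation counterpart of a `sup: Task.r` query), deadline misses and CPU utilization. The three-task set is constructed for illustration; its numbers are assumptions, not taken from the Herschel model discussed later.

```python
"""Simulation-based schedulability check for the task parameters above.

Added example, not code from the talk or from UPPAAL.  It implements
fixed-priority preemptive scheduling of periodic tasks whose execution time
is drawn from UNI[BC(i), WC(i)], and reports per task the largest response
time observed (the counterpart of a 'sup: Task.r' query), deadline misses and
CPU utilization.  The three-task set is constructed; its numbers are
assumptions, not taken from the Herschel model.
"""
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Task:
    name: str
    period: int       # P(i)   (all times in microseconds, integers)
    bcet: int         # BC(i)
    wcet: int         # WC(i);  C(i) ~ UNI[BC(i), WC(i)]
    deadline: int     # D(i), relative to release


@dataclass(eq=False)
class Job:
    task: int         # index into the task list; lower index = higher priority
    release: int
    remaining: int


@dataclass
class Result:
    sup_response: Dict[str, int]   # largest observed response time per task
    misses: int                    # completed jobs with response > D(i)
    busy: int                      # time units during which the CPU executed a job
    horizon: int

    @property
    def utilization(self) -> float:
        return self.busy / self.horizon


def simulate(tasks: List[Task], horizon: int, seed: int = 0) -> Result:
    """Event-driven simulation; tasks are listed highest priority first.
    Jobs still unfinished at the horizon count neither as misses nor as completions."""
    rng = random.Random(seed)
    next_release = [0] * len(tasks)          # synchronous release at t = 0
    jobs: List[Job] = []                     # ready jobs (finished ones are removed)
    sup = {tk.name: 0 for tk in tasks}
    misses = busy = t = 0
    while t < horizon:
        for i, tk in enumerate(tasks):       # release the jobs due now
            if next_release[i] == t:
                jobs.append(Job(i, t, rng.randint(tk.bcet, tk.wcet)))
                next_release[i] += tk.period
        next_event = min(min(next_release), horizon)
        if not jobs:
            t = next_event                   # idle until the next release
            continue
        job = min(jobs, key=lambda j: j.task)  # highest-priority ready job runs (preempting the rest)
        dt = min(job.remaining, next_event - t)
        job.remaining -= dt
        busy += dt
        t += dt
        if job.remaining == 0:
            tk = tasks[job.task]
            response = t - job.release
            sup[tk.name] = max(sup[tk.name], response)
            if response > tk.deadline:
                misses += 1
            jobs.remove(job)
    return Result(sup, misses, busy, horizon)


# Constructed task set, rate-monotonic priority order (assumption, not from the talk).
TASKS = [
    Task("T1", period=10, bcet=1, wcet=2, deadline=10),
    Task("T2", period=20, bcet=3, wcet=5, deadline=20),
    Task("T3", period=40, bcet=8, wcet=10, deadline=40),
]


def worst_case_variant(tasks: List[Task]) -> List[Task]:
    """Pin C(i) = WC(i): the run becomes deterministic and, with synchronous
    release at t = 0, reproduces the classic response-time-analysis values."""
    return [Task(tk.name, tk.period, tk.wcet, tk.wcet, tk.deadline) for tk in tasks]


if __name__ == "__main__":
    wc = simulate(worst_case_variant(TASKS), horizon=80)
    print(wc.sup_response, wc.misses, wc.utilization)     # {'T1': 2, 'T2': 7, 'T3': 19} 0 0.7
    st = simulate(TASKS, horizon=4000, seed=1)
    print(st.sup_response, st.misses, round(st.utilization, 3))
```

The caveat a practitioner should attach to any such run: the observed suprema from sampled execution times are only lower bounds on the true worst-case response times. A bound that holds for all behaviours needs either exhaustive exploration of the model (the symbolic `sup` query) or a statistical confidence statement on the estimated miss probability, which is what the rest of the talk is about.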




### Modeling Task



#### **Modeling Scheduler**




### **Modeling Queue**




### **Schedulability Analysis**




### **Performance Analysis**

#### `sup: Task2.r, Task3.r`

The `sup` query asks UPPAAL for the supremum of the listed expressions over all reachable states; with `r` being each task's response-time clock in the task template, the answer is the worst-case response time of Task2 and Task3.




#### Herschel-Planck Scientific Mission at ESA



Attitude and Orbit Control Software, TERMA A/S (Steen Ulrik Palm, Jan Storbank Pedersen, Poul Hougaard)



# **Herschel & Planck Satellites**

#### Software

- Application software (ASW), built and tested by Terma:
  - attitude and orbit control, telecommanding, fault detection, isolation and recovery.
- Basic software (BSW):
  - low-level communication and scheduling of periodic events.
- Real-time operating system (RTEMS):
  - Priority Ceiling protocol for ASW,
  - Priority Inheritance protocol for BSW.

#### Hardware

- single processor, a few buses, sensors and actuators.

#### Requirements

- Software tasks should be schedulable.
- CPU utilization should not exceed 50% load.

### Modeling in UPPAAL


#### Gantt Chart, 1st cycle

Fig. 11. Gantt chart of a schedule from the first cycle: green means ready, blue means running, cyan means suspended, red means blocked. R stands for resources: CPU\_R=0, Icb\_R=1, Sgm\_R=2, PmReq\_R=3, Other\_RCS=4, Other\_SF1=5, Other\_SF2=6.

## **Blocking & WCRT**

Specification (period, WCET, deadline), blocking times and worst-case response times (WCRT) per task, comparing classical response-time analysis (RTA) with the values derived from the UPPAAL model. Times in ms; cells unreadable in the source are left blank.

| ID | Task | Period | WCET | Deadline | Blocking RTA | Blocking UPPAAL | Blocking diff | WCRT RTA | WCRT UPPAAL | WCRT diff |
|----|------|--------|------|----------|--------------|-----------------|---------------|----------|-------------|-----------|
| 1 |  | 10.000 | 0.013 | 1.000 | 0.035 | 0 | 0.035 | 0.050 | 0.013 |  |
| 2 | AswSync_SyncPulseIsr | 250.000 | 0.070 | 1.000 | 0.035 | 0 | 0.035 | 0.120 | 0.083 | 0.037 |
| 3 | Hk_SamplerIsr | 125.000 | 0.070 | 1.000 | 0.035 | 0 | 0.035 | 0.120 | 0.070 | 0.050 |
| 4 | SwCyc_CycStartIsr | 250.000 | 0.200 | 1.000 | 0.035 | 0 | 0.035 | 0.320 | 0.103 | 0.217 |
| 5 | SwCyc_CycEndIsr | 250.000 | 0.100 | 1.000 | 0.035 | 0 | 0.035 | 0.220 | 0.113 |  |
| 6 |  | 15.625 | 0.070 | 1.000 | 0.035 | 0 | 0.035 | 0.290 | 0.173 | 0.117 |
| 7 | Bc1553_Isr | 20.000 | 0.070 | 1.000 | 0.035 | 0 | 0.035 | 0.360 | 0.243 | 0.117 |
| 8 | Spw_Isr | 39.000 | 0.070 | 2.000 | 0.035 | 0 | 0.035 | 0.430 | 0.313 | 0.117 |
| 9 | Obdh_Isr | 250.000 | 0.070 | 2.000 | 0.035 | 0 | 0.035 | 0.500 | 0.383 | 0.117 |
| 10 | RtSdb_P_1 | 15.625 | 0.150 | 15.625 | 3.650 | 0 | 3.650 | 4.330 | 0.533 | 3.797 |
| 11 | RtSdb_P_2 | 125.000 | 0.400 | 15.625 | 3.650 | 0 | 3.650 | 4.870 | 0.933 | 3.937 |
| 12 | RtSdb_P_3 | 250.000 | 0.170 | 15.625 | 3.650 | 0 | 3.650 | 5.110 | 1.103 | 4.007 |
| 14 | FdirEvents | 250.000 | 5.000 | 230.220 | 0.720 | 0 | 0.720 | 7.180 | 5.153 | 2.027 |
| 15 | NominalEvents_1 | 250.000 | 0.720 | 230.220 | 0.720 | 0 | 0.720 | 7.900 | 5.873 | 2.027 |
| 16 | MainCycle | 250.000 | 0.400 | 230.220 | 0.720 | 0 | 0.720 | 8.370 | 6.273 | 2.097 |
| 17 | HkSampler_P_2 | 125.000 | 0.500 | 62.500 | 3.650 | 0 | 3.650 | 11.960 | 5.380 | 6.580 |
| 18 | HkSampler_P_1 | 250.000 | 6.000 | 62.500 | 3.650 | 0 | 3.650 | 18.460 | 11.615 | 6.845 |
| 19 | Acb_P | 250.000 | 6.000 | 50.000 | 3.650 | 0 | 3.650 | 24.680 | 6.473 | 18.207 |
| 20 | IoCyc_P | 250.000 | 3.000 | 50.000 | 3.650 | 0 | 3.650 | 27.820 | 9.473 | 18.347 |
| 21 | PrimaryF | 250.000 | 34.050 | <mark>59.600</mark> | 5.770 | 0.966 | 4.804 | 65.470 | 54.115 | 11.355 |
| 22 | RCSControlF | 250.000 | 4.070 | 239.600 | 12.120 | 0 | 12.120 | 76.040 | 53.994 | 22.046 |
| 23 | Obt_P | 1000.000 | 1.100 | 100.000 | 9.630 | 0 | 9.630 | 74.720 | 2.503 | 72.217 |
| 24 | Hk_P | 250.000 | 2.750 | 250.000 | 1.035 | 0 | 1.035 | 6.800 | 4.953 | 1.847 |
| 25 | StsMon_P | 250.000 | 3.300 | 125.000 | 16.070 | 0.822 | 15.248 | 85.050 | 17.863 | 67.187 |
| 26 | TmGen_P | 250.000 | 4.860 | 250.000 | 4.260 | 0 | 4.260 | 77.650 | 9.813 |  |
| 27 | Sgm_P | 250.000 | 4.020 | 250.000 | 1.040 | 0 | 1.040 | 18.680 | 14.796 | 3.884 |
| 28 | TcRouter_P | 250.000 | 0.500 | 250.000 | 1.035 | 0 | 1.035 | 19.310 | 11.896 | 7.414 |
| 29 | Cmd_P | 250.000 | 14.000 | 250.000 | 26.110 | 1.262 | 24.848 | 114.920 | 94.346 | 20.574 |
| 30 | NominalEvents_2 | 250.000 | 1.780 | 230.220 |  |  |  | 102.760 | 65.177 | 37.583 |
| 31 | SecondaryF_1 | 250.000 | 20.960 | 189.600 |  |  |  | 141.550 |  | 30.884 |
| 32 |  | 250.000 | 39.690 | 230.220 |  |  |  | 204.050 |  | 49.494 |
|  | Bkgnd_P | 250.000 | 0.200 | 250.000 | 0.000 | 0 |  | 154.090 |  | 139.044 |



Marius Mikucionis

# **Effort and Utilization**

UPPAAL resources (CPU time, memory, explored states) against the number of Herschel cycles verified, and the CPU utilization measured in the model (used time over global time).

| Cycle limit | UPPAAL CPU (s) | UPPAAL Mem (KB) | States (#) | Idle (µs) | Used (µs) | Global (µs) | Sum (µs) | Used (fraction) |
|-------------|----------------|-----------------|------------|-----------|-----------|-------------|----------|-----------------|
| 1 | 465.2 | 60288 | 173456 | 91225 | 160015 | 250000 | 251240 | 0.640060 |
| 2 | 470.1 | 59536 | 174234 | 182380 | 318790 | 500000 | 501170 | 0.637580 |
| 3 | 461.0 | 58656 | 175228 | 273535 | 477705 | 750000 | 751240 | 0.636940 |
| 4 | 474.5 | 58792 | 176266 | 363590 | 636480 | 1000000 | 1000070 | 0.636480 |
| 6 | 474.6 | 58796 | 178432 | 545900 | 955270 | 1500000 | 1501170 | 0.636847 |
| 8 | 912.3 | 58856 | 352365 | 727110 | 1272960 | 2000000 | 2000070 | 0.636480 |
| 13 | 507.7 | 58796 | 186091 | 1181855 | 2069385 | 3250000 | 3251240 | 0.636734 |
| 16 | 1759.0 | 58728 | 704551 | 1454220 | 2545850 | 4000000 | 4000070 | 0.636463 |
| 26 | 541.9 | 58112 | 200364 | 2363640 | 4137530 | 6500000 | 6501170 | 0.636543 |
| 32 | 3484.0 | 75520 | 1408943 | 2908370 | 5091700 | 8000000 | 8000070 | 0.636463 |
| 39 | 583.5 | 74568 | 214657 | 3545425 | 6205745 | 9750000 | 9751170 | 0.636487 |
| 64 | 7030.0 | 91776 | 2817704 | 5816740 | 10183330 | 16000000 | 16000070 | 0.636458 |
| 78 | 652.2 | 74768 | 257582 | 7089680 | 12411420 | 19500000 | 19501100 | 0.636483 |
| 128 | 14149.4 | 141448 | 5635227 | 11633480 | 20366590 | 32000000 | 32000070 | 0.636456 |
| **156** | 789.4 | 91204 | 343402 | 14178260 | 24821740 | 39000000 | 39000000 | <mark>0.636455</mark> |
| 256 | 23219.4 | 224440 | 11270279 | 23266890 | 40733180 | 64000000 | 64000070 | 0.636456 |
| 312 | 1824.6 | 124892 | 686788 | 28356520 | 49643480 | 78000000 | 78000000 | 0.636455 |
| 512 | 49202.2 | 390428 | 22540388 | 46533780 | 81466290 | 128000000 | 128000070 | 0.636455 |
| **624** | 3734.7 | 207728 | 1373560 | 56713040 | 99286960 | 156000000 | 156000000 | 0.636455 |




#### **TERMA Case Conclusion**

- Schedulability analysis using UPPAAL:
  - Reusable and customizable task templates.
  - Blocking times and WCRTs can be derived from the model.
  - WCRTs of all tasks are lower (less pessimistic) than those obtained by RTA.
  - There are very few blocking times and they are short.
  - PrimaryF meets its deadline (59.6 ms) with WCRT = 54.1 ms (65.5 ms in RTA).
  - Herschel event mode is schedulable.
- UPPAAL verification for schedulability:
  - can be scaled using the sweep-line method,
  - takes up to 2 min to verify schedulability of the 32-task system,
  - takes up to 8 min to find all WCRTs and the CPU utilization.
- In addition, it is possible to:
  - simulate the system model and examine details,
  - render a Gantt chart, validate and inspect visually.

#### **TERMA Case Follow-Up**

ISoLA 2012

#### **TERMA Case: Statistical MC**

Statistical model checking of the Herschel task model: each row is one estimation run with simulation bound (limit, in cycles), scaling factor $\tilde f$, significance $\alpha$, precision $\varepsilon$, the total number of simulated traces, the number of traces that violate the property and the resulting error-probability estimate, the cycle and offset of the error found, and the wall-clock verification time. Times are as printed on the slide.

| Limit (cycles) | $\tilde f$ (%) | $\alpha$ | $\varepsilon$ | Total traces (#) | Error traces (#) | Error probability | Error cycle | Offset | Verification time |
|----------------|----------------|----------|---------------|------------------|------------------|-------------------|-------------|--------|-------------------|
| 1 | 0 | 0.0100 | 0.005 | 105967 | 1928 | 0.018194 | 0 | 79600.0 | 1:58:06 |
| 1 | 50 | 0.0100 | 0.005 | 105967 | 753 | 0.007106 | 0 | 79600.0 | 2:00:52 |
| 1 | 60 | 0.0100 | 0.005 | 105967 | 13 | 0.000123 | 0 | 79778.3 | 2:01:18 |
| 1 | 62 | 0.0005 | 0.002 | 1036757 | 34 | 0.000033 | 0 | 79616.4 | 19:52:22 |
| 160 | 63 | 0.0100 | 0.05 | 1060 | 177 | 0.166981 | 0 | 81531.6 | 2:47:03 |
| 160 | 64 | 0.0100 | 0.05 | 1060 | 118 | 0.111321 | 1 | 79803.0 | 2:55:13 |
| 160 | 65 | 0.0500 | 0.05 | 738 | 57 | 0.077236 | 3 | 79648.0 | 2:06:55 |
| 160 | 66 | 0.0100 | 0.05 | 1060 | 60 | 0.056604 | 2 | 82504.0 | 2:62:44 |
| 160 | 67 | 0.0100 | 0.05 | 1060 | 26 | 0.024528 | 1 | 79789.0 | 2:64:20 |
| 160 | 68 | 0.0100 | 0.05 | 1060 | 3 | 0.002830 | 67 | 81000.0 | 2:67:08 |
| 640 | 69 | 0.0100 | 0.05 | 1060 | 8 | 0.007547 | 114 | 80000.0 | 12:23:00 |
| 640 | 70 | 0.0100 | 0.05 | 1060 | 3 | 0.002830 | 6 | 88070.0 | 12:30:49 |
| 1280 | 71 | 0.0100 | 0.05 | 1060 | 2 | 0.001887 | 458 | 80000.0 | 25:19:35 |
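How the $\alpha$, $\varepsilon$ and trace-count columns fit together, as an added example that is not part of the talk. The slide does not state the formula; the reading below is mine: the "Total traces" counts are exactly $\lceil \ln(2/\alpha) / (2\varepsilon^2) \rceil$, the Chernoff-Hoeffding bound that UPPAAL SMC uses to size its probability-estimation queries so that the estimate lies within $\pm\varepsilon$ of the true probability with confidence $1-\alpha$, and the "Probability" column is the fraction of error traces. The rows in the code are copied from the table above.

```python
"""Reading the alpha / epsilon / 'Total traces' columns of the table above.

Added example, not code from the talk or from UPPAAL.  The assumption here
(mine, not stated on the slide) is that the trace counts come from the
Chernoff-Hoeffding bound N >= ln(2/alpha) / (2 eps^2), which UPPAAL SMC uses
for its probability-estimation queries, and that 'Probability' is simply the
fraction of error traces.  The rows below are copied from the slide table.
"""
import math
from typing import List, Tuple


def chernoff_runs(alpha: float, eps: float) -> int:
    """Smallest N such that Pr(|p_hat - p| > eps) <= alpha for the
    Monte-Carlo estimate p_hat of a run probability p (Hoeffding bound)."""
    if not (0 < alpha < 1 and 0 < eps < 1):
        raise ValueError("alpha and eps must lie in (0, 1)")
    return math.ceil(math.log(2.0 / alpha) / (2.0 * eps * eps))


def half_width(alpha: float, n: int) -> float:
    """Inverse direction: the eps guaranteed by N runs at significance alpha."""
    return math.sqrt(math.log(2.0 / alpha) / (2.0 * n))


def estimate(error_traces: int, total_traces: int) -> float:
    """p_hat = (# runs on which the property holds) / (# runs)."""
    return error_traces / total_traces


# (limit cycles, f %, alpha, eps, total traces, error traces, probability), copied from the table
SLIDE_ROWS: List[Tuple[int, int, float, float, int, int, float]] = [
    (1, 0, 0.0100, 0.005, 105967, 1928, 0.018194),
    (1, 62, 0.0005, 0.002, 1036757, 34, 0.000033),
    (160, 63, 0.0100, 0.05, 1060, 177, 0.166981),
    (160, 65, 0.0500, 0.05, 738, 57, 0.077236),
]


def check_rows(rows=SLIDE_ROWS) -> List[Tuple[bool, bool]]:
    """For each row: does N match the bound, and does p_hat match the
    tabulated probability (to the six decimals printed on the slide)?"""
    out = []
    for _limit, _f, alpha, eps, total, errors, prob in rows:
        out.append((chernoff_runs(alpha, eps) == total,
                    abs(estimate(errors, total) - prob) < 1e-6))
    return out


if __name__ == "__main__":
    for row, ok in zip(SLIDE_ROWS, check_rows()):
        print(f"alpha={row[2]} eps={row[3]} N={row[4]} -> {ok}")
```

The practical consequence is visible in the verification-time column: tightening $\varepsilon$ from 0.05 to 0.002 and $\alpha$ from 0.01 to 0.0005 raises the run count from about a thousand to about a million, so an estimate of a rare deadline-miss probability at the fourth decimal place costs hours rather than minutes, regardless of how cheap an individual simulation is.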


#### **TERMA Case – Conclusion**




#### **Other Case Studies**




#### www.uppaal.{org,com}




