Bayesian statistical model checking with application to Stateflow/Simulink verification

Abstract

We address the problem of model checking stochastic systems, i.e., checking whether a stochastic system satisfies a certain temporal property with a probability greater (or smaller) than a fixed threshold. In particular, we present a Statistical Model Checking (SMC) approach based on Bayesian statistics. We show that our approach is feasible for a certain class of hybrid systems with stochastic transitions, a generalization of Simulink/Stateflow models. Standard approaches to stochastic discrete systems require numerical solutions for large optimization problems and quickly become infeasible with larger state spaces. Generalizations of these techniques to hybrid systems with stochastic effects are even more challenging. The SMC approach was pioneered by Younes and Simmons in the discrete and non-Bayesian case. It solves the verification problem by combining randomized sampling of system traces (which is very efficient for Simulink/Stateflow) with hypothesis testing (i.e., testing against a probability threshold) or estimation (i.e., computing with high probability a value close to the true probability). We believe SMC is essential for scaling up to large Stateflow/Simulink models. While the answer to the verification problem is not guaranteed to be correct, we prove that Bayesian SMC can make the probability of giving a wrong answer arbitrarily small. The advantage is that answers can usually be obtained much faster than with standard, exhaustive model checking techniques. We apply our Bayesian SMC approach to a representative example of stochastic discrete-time hybrid system models in Stateflow/Simulink: a fuel control system featuring hybrid behavior and fault tolerance. We show that our technique enables faster verification than state-of-the-art statistical techniques. We emphasize that Bayesian SMC is by no means restricted to Stateflow/Simulink models. It is in principle applicable to a variety of stochastic models from other domains, e.g., systems biology.

Appendix

1.1 A.1 Proofs

In this Section we report proofs for some of the results presented in the paper.

Lemma 1  Function \(K:S\times\mathcal{B}(S)\rightarrow[0,1]\) is a stochastic kernel.

Proof

We show that K is in fact a convex combination of two stochastic kernels. It is easy to see that stochastic kernels are closed with respect to convex combinations.

We have already shown above that the discrete part of K, i.e., the summation term, is a stochastic kernel. Because jump is a function and x is fixed, jump _e (x) is uniquely determined from x and e, so the argument from above still applies. For continuous transitions, consider any (q,x)∈S. Then the following integral

$$\int_0^\infty\varPi_c(q,x) (t) I_B\bigl(\varphi_q(t,x)\bigr) {d}t $$

defines a probability measure over \(\mathcal{B}(S)\). Note that Π _c (q,x) is a probability density over time, φ _q is a continuous (thus measurable) function of time, and I _B is measurable since \(B\in\mathcal{B}(S)\) is a measurable set. Thus, the integral is well-defined and satisfies the usual probability requirements for B=∅ and B=S. Countable additivity follows easily from Lebesgue’s dominated convergence theorem. It remains to prove that, for any \(B\in\mathcal{B}(S)\)

$$\mathcal{I}(x) = \int_0^\infty \varPi_c(q,x) (t)\ I_B\bigl(\varphi_q(t,x) \bigr) {d}t $$

is a measurable function defined over \(\mathbb{R}^{n}\). Again, note that \(\mathcal{I}(x)\) is finite for all x, because the integrand functions are all measurable and integrate up to 1. We recall that the Lebesgue integral of a (non-negative, real) measurable function f with respect to some measure μ, is defined as

$$ \int f d \mu= \sup\biggl\{\int s d \mu: s \text{ simple}, 0 \leqslant s \leqslant f \biggr\} $$

(16)

where a simple function takes only finitely many values (piecewise constant). A measurable simple function s can be written as a finite sum \(s = \sum_{i=1}^{l} c_{i} I_{C_{i}}\), where the c _i ’s are non-negative reals, and the C _i ’s are disjoint measurable sets. The integral of s with respect to μ is defined to be the finite sum

$$\int s d \mu= \sum_{i=1}^l c_i \mu(C_i) $$

and it is easy to check that the integral does not depend on the particular representation of s.

It can be shown (see for example [12, Proposition 2.3.3]) that the Lebesgue integral (16) is equivalently defined as lim _i→∞∫f _i dμ, where {f _i } is any non-decreasing sequence of measurable simple functions that converges pointwise to f. Such a sequence can always be found [12, Proposition 2.1.7]. Finally, for any sequence {g _i } of (non-negative, real) measurable functions, the function lim _i→∞ g _i (with domain {x | lim inf _i→∞ g _i (x)=lim sup _i→∞ g _i (x)}), is measurable [12, Proposition 2.1.4]. Therefore, \(\mathcal{I}(\cdot)\) is a measurable function. □

Lemma 2 (Bounded sampling) The problem “σ⊨ϕ” is well-defined and can be checked for BLTL formulas ϕ and traces σ based on only a finite prefix of σ of bounded duration.

Proof

According to Lemma 3, the decision “σ⊨ϕ” is uniquely determined (and well-defined) by considering only a prefix of σ of duration \(\#(\phi) \in \mathbb{Q}_{{\geq}0}\). By divergence of time, σ reaches or exceeds this duration #(ϕ) in some finite number of steps n. Let σ′ denote a finite prefix of σ of length n such that ∑_0≤l<n t _l ≥#(ϕ). Again by Lemma 3, the semantics of σ′⊨ϕ is well-defined because any extension σ″ of σ′ satisfies σ″⊨ϕ if and only if σ′⊨ϕ. Consequently the semantics of σ′⊨ϕ coincides with the semantics of σ⊨ϕ. On the finite trace σ′, it is easy to see that BLTL is decidable by evaluating the atomic formulas x∼v at each state s _i of the system simulation. □

Lemma 3 (BLTL on bounded simulation traces) Let ϕ be a BLTL formula, \(k\in\mathbb{N}\) . Then for any two infinite traces σ=(s ₀,t ₀),(s ₁,t ₁),… and \(\tilde{\sigma}= (\tilde{s_{0}},\tilde{t_{0}}),(\tilde{s_{1}},\tilde {t_{1}}),\dots\) with

$$ s_{k+I}=\tilde{s}_{k+I} \quad\textit{and}\quad t_{k+I}= \tilde{t}_{k+I} \quad\forall I\in\mathbb{N}\quad\textit{with } \sum_{0\leq l<I} {t}_{k+l}\leq\#(\phi) $$

(17)

we have that

$$\sigma^k \models\phi\quad\textit{iff}\quad\tilde{\sigma}^k \models\phi. $$

Proof

The proof is by induction on the structure of the BLTL formula ϕ. IH is short for induction hypothesis.

1. 1.

   If ϕ is of the form y∼v, then σ ^k⊨y∼v iff \(\tilde{\sigma}^{k} \models y \sim v\), because \(s_{k} = \tilde{s}_{k}\) by using (17) for i=0.

2. 2.

   If ϕ is of the form ϕ ₁∨ϕ ₂, then

   $$\begin{aligned} & \sigma^k \models\phi_1 \lor\phi_2 \\ &\quad\text{iff} \quad\sigma^k \models\phi_1 \quad\text {or}\quad\sigma^k \models\phi_2 \\ &\quad\text{iff} \quad\tilde{\sigma}^k \models\phi_1 \quad\text {or}\quad\tilde{\sigma}^k \models\phi_2 \quad\text{by IH as } \# (\phi_1\lor\phi_2)\geq\#(\phi_1) \ \ \ \text{and}\ \ \ \#(\phi_1\lor\phi_2)\geq\#(\phi_2) \\ &\quad\text{iff} \quad\tilde{\sigma}^k \models\phi_1 \lor\phi_2 \end{aligned}$$

   The proof is similar for ¬ϕ ₁ and ϕ ₁∧ϕ ₂.

3. 3.

   If ϕ is of the form ϕ ₁ U ^t ϕ ₂, then σ ^k⊨ϕ ₁ U ^t ϕ ₂ iff conditions (a), (b), (c) of Definition 6 hold. Those conditions are equivalent, respectively, to the following conditions (a′), (b′), (c′):

   (a′):

   \(\sum_{0\leq l<i} {\tilde{t}}_{k+l} \leq t\), because #(ϕ ₁ U ^t ϕ ₂)≥t such that the durations of trace σ and \(\tilde{\sigma}\) are \(t_{k+l}=\tilde{t}_{k+l}\) for each index l with 0≤l<i by assumption (17).

   (b′):

   \(\tilde{\sigma}^{k+i}\models\phi_{2}\) by induction hypothesis as follows: We know that the traces σ and \(\tilde{\sigma}\) match at k for duration #(ϕ ₁ U ^t ϕ ₂) and need to show that the semantics of ϕ ₁ U ^t ϕ ₂ matches at k. By IH we know that ϕ ₂ has the same semantics at k+i (that is \(\tilde{\sigma}^{k+i}\models\phi_{2}\) iff σ ^k+i⊨ϕ ₂) provided that we can show that the traces σ and \(\tilde{\sigma}\) match at k+i for duration #(ϕ ₂). For this, consider any \(I\in\mathbb{N}\) with ∑_0≤l<I t _k+i+l ≤#(ϕ ₂). Then

   $$\begin{aligned} \#(\phi_2) &\geq\sum_{0\leq l<I} {t}_{k+i+l} = \sum_{0\leq l<i+I} {t}_{k+l} - \sum_{0\leq l<i} {t}_{k+l} \stackrel {(\mathrm{a})}{\geq} \sum_{0\leq l<i+I} {t}_{k+l} - t \end{aligned}$$

   Thus

   $$\begin{aligned} \sum_{0\leq l<i+I} {t}_{k+l} &\leq t+\# (\phi_2) \leq t+\max\bigl(\#(\phi_1),\# (\phi_2)\bigr) = \#(\phi_1{ \mathbf{U}}^t {\phi_2}) \end{aligned}$$

   As \(I\in\mathbb{N}\) was arbitrary, we conclude from this with assumption (17) that, indeed \(s_{I}=\tilde{s}_{I} \) and \(t_{I}=\tilde{t}_{I}\) for all \(I\in\mathbb{N}\) with

   $$\sum_{0\leq l<I} {t}_{k+i+l}\leq\# (\phi_2) $$

   Thus the IH for ϕ ₂ yields the equivalence of σ ^k+i⊨ϕ ₂ and \(\tilde{\sigma}^{k+i}\models\phi_{2}\) when using the equivalence of (a) and (a′).

   (c′):

   for each 0≤j<i, \(\tilde{\sigma }^{k+j}\models \phi_{1}\). The proof of equivalence to (c) is similar to that for (b′) using j<i.

The existence of an \(i\in\mathbb{N}\) for which these conditions (a′),(b′),(c′) hold is equivalent to \(\tilde{\sigma}^{k} \models\phi_{1}{\mathbf{U}}^{t} {\phi_{2}}\). □

Theorem 1 (Termination of Bayesian estimation) The Sequential Bayesian interval estimation Algorithm 2 terminates with probability one.

Proof

We follow an argument by DeGroot [14, Sect. 10.5]. Let p be the actual probability that the BLTL formula ϕ holds, and let x ₁,…,x _n a sample given by model checking ϕ over n simulation traces (i.e., iid as the random variable X defined by (2)). Recall that the estimation algorithm returns an interval of width 2δ which contains p with posterior probability at least c, where \(\delta\in(0,\frac {1}{2})\) and \(c\in(\frac{1}{2},1)\) are user-specified parameters. We shall show that the posterior probability of any open interval containing p must converge almost surely to 1, as n→∞.

Let α,β>0 be the parameters of the Beta prior. We know that the posterior X _n given the sample x ₁,…,x _n has a Beta distribution (5) with parameters x+α and n−x+β, where \(x = \sum_{i=1}^{n} x_{i}\). Recall that the posterior mean (8) is:

$$E[ X_n ] = \hat{p}_n = \frac{x+\alpha}{n+\alpha+\beta} $$

and the posterior variance is (see Appendix A.2):

$$E\bigl[ (X_n - \hat{p}_n)^2\bigr] = \hat{ \sigma}^2_n = \frac{(x+\alpha)(n-x+\beta)}{(n+\alpha+\beta)^2 (n+\alpha+\beta+1)} . $$

Because x⩽n and α,β>0, we have that

$$\hat{\sigma}^2_n \leqslant\frac{1}{n+\alpha+\beta} $$

and thus \(\lim_{n\rightarrow\infty} \hat{\sigma}^{2}_{n} = 0\), i.e., the posterior variance tends to 0 as we increase the sample size. (Intuitively, X _n will be arbitrarily close to its mean, as n→∞.) Also, note that this is everywhere convergence, and not just almost sure convergence.

Now, since α and β are fixed, from the law of large numbers it follows that

$$ \lim_{n\rightarrow\infty} \hat{p}_n = p \quad\text {(almost surely)} $$

(18)

But \(\lim_{n\rightarrow\infty} \hat{\sigma}^{2}_{n} = \lim _{n\rightarrow\infty} E[ (X_{n} - \hat{p}_{n})^{2}] =0\), so X _n converges almost surely to the constant random variable p. Therefore, the posterior probability P(X _n ∈I) of any open interval I containing p must converge almost surely to 1, as n→∞. Finally, note that the interval returned by the algorithm is always of fixed size 2δ>0. □

Theorem 2 (Error bound for hypothesis testing) For any discrete random variable and prior, the probability of a Type I-II error for the Bayesian hypothesis testing Algorithm 1 is bounded above by \(\frac{1}{T}\) , where T is the Bayes Factor threshold given as input.

Proof

We present the proof for Type I error only—for Type II it is very similar. A Type I error occurs when the null hypothesis H ₀ is true, but we reject it. We then want to bound P(reject H ₀∣H ₀). If the Bayesian Algorithm 1 stops at step n, then it will accept H ₀ if \(\mathcal{B}(d) > T\), and reject H ₀ if \(\mathcal {B}(d)< \frac{1}{T}\), where d=(x ₁,…,x _n ) is the data sample, and the Bayes Factor is

$$ \mathcal{B}(d) = \frac{P (d | H_0)}{P (d | H_1)} . $$

The event {reject H ₀} is formally defined as

$$ \{\text{reject}\ H_0\} = \bigcup _{d\in\varOmega}\biggl\{ \mathcal{B}(d) < \frac{1}{T} \wedge D=d\biggr\} $$

(19)

where D is the random variable denoting a sequence of n (finite) discrete random variables, and Ω is the sample space of D—i.e., the (countable) set of all the possible realizations of D (in our case D is clearly finite). We now reason:

 □

Theorem 3 (Error bound for estimation) For any discrete random variable and prior, the Type I and II errors for the output interval (t ₀,t ₁) of the Bayesian estimation Algorithm 2 are bounded above by \(\frac{(1-c)\pi_{0}}{c(1-\pi_{0})}\) , where c is the coverage coefficient given as input and π ₀ is the prior probability of the hypothesis H ₀:p∈(t ₀,t ₁).

Proof

Let (t ₀,t ₁) be the interval estimate when the estimation Algorithm 2 terminates (with coverage c). From the hypothesis

$$ H_0 : p \in(t_0, t_1) $$

(20)

we compute the Bayes factor for H ₀ vs. the alternate hypothesis H ₁:p∉(t ₀,t ₁). Then we use Theorem 2 to derive the bounds on the Type I and II error. If the estimation Algorithm 2 terminates at step n with output t ₀,t ₁, we have that:

$$ \int_{H_0} f(u|x_1, \ldots,x_n) du = \int_{t_0}^{t_1} f(u|x_1,\ldots,x_n) du \geqslant c $$

(21)

and therefore (since the posterior is a distribution):

$$ \int_{H_1} f(u|x_1, \ldots,x_n) du \leqslant1-c . $$

(22)

By (13) we get the Bayes factor of H ₀ vs. H ₁, which can then be bounded by (21) and (22) as follows

$$\frac{(1-\pi_0)}{\pi_0}\cdot\frac{\int_{H_0} f(u|x_1,\ldots,x_n) du}{\int_{H_1} f(u|x_1,\ldots,x_n) du} \geqslant \frac{(1-\pi_0)}{\pi_0}\cdot\frac{c}{1-c} . $$

Therefore, by Theorem 2 the error is bounded above by \((\frac{c(1-\pi_{0})}{(1-c)\pi_{0}} )^{-1} = \frac{(1-c)\pi _{0}}{c(1-\pi_{0})}\). □

1.2 A.2 The Beta Distribution

For the reader’s convenience, we calculate the mean and variance of a random variable Y with Beta density of parameters u,v>0. What we outline below can be found in most textbooks on Bayesian statistics and special functions, e.g., [39] and [4].

Recall that the Beta density is

$$\forall t\in(0,1)\quad g(t,u,v) \;\widehat{=}\;\frac{1}{B(u,v)} t^{u-1}(1-t)^{v-1} $$

where the Beta function B(u,v) is defined as:

$$B(u,v)\;\widehat{=}\;\int_0^1 t^{u-1}(1-t)^{v-1} d t . $$

It is well known that

$$B(u,v) = \frac{\varGamma(u)\varGamma(v)}{\varGamma(u+v)} $$

where Γ(⋅) is Euler’s gamma function defined for \(z\in \mathbb{C}\) with ℜ(z)>0 as:

$$\varGamma(z) \;\widehat{=}\;\int_0^\infty t^{z-1}e^{-t} d t . $$

Also, the gamma function satisfies the equation Γ(z+1)=zΓ(z), for ℜ(z)>0. By means of a few algebraic steps, we are now able to compute the mean of Y:

$$\begin{aligned} E[Y] =& \frac{1}{B(u,v)}\int_0^1 t^u (1-t)^{v-1} d t = \frac{B(u+1,v)}{B(u,v)} \\ = &\frac{\varGamma(u+1)\varGamma(v)}{\varGamma(u+1+v)} \cdot\frac {\varGamma(u+v)}{\varGamma(u)\varGamma(v)} = \frac{u \varGamma (u)\varGamma(u+v)}{(u+v)\varGamma(u+v)\varGamma(u)} = \frac{u}{u+v} . \end{aligned}$$

For the variance, we proceed analogously to show that

$$E\bigl[Y^2\bigr] = \frac{1}{B(u,v)}\int_0^1 t^{u+1} (1-t)^{v-1} d t = \frac{(u+1)u}{(u+v+1)(u+v)} $$

and therefore

$$\mathit{Var}[Y] = E\bigl[Y^2\bigr] - \bigl(E[Y]\bigr)^2 = \frac{uv}{(u+v)^2(u+v+1)} . $$