Statistical model checking for stochastic hybrid systems involving nondeterminism over continuous domains

Abstract

Behavioral verification of technical systems involving both discrete and continuous components is a common and demanding task. The behavior of such systems can often be characterized using stochastic hybrid automata, leading to verification problems which can be formalized and solved using stochastic logic calculi such as stochastic satisfiability modulo theory (SSMT). While algorithms for discharging proof obligations in SSMT form exist, their applicability is limited due to the computational complexity, which often increases exponentially with the number of quantified variables. Recently, statistical model checking has been successfully applied to stochastic hybrid systems, thereby increasing the size of the system for which verification problems is tractable. However, being based on randomized simulation, these methods usually cannot handle non-determinism. In previous work, we have deviated from the usual approach of simulating the model and rather proposed a statistical method for SSMT solving which, being based on statistical AI planning algorithms, can also treat non-determinism over a finite domain. Here, we extend this previous work to the case of continuous domains. In particular, using ideas from noisy optimization, we adaptively build up a decision tree recording the findings and guiding further exploration, thereby favoring the currently most promising sub-domain. The non-determinism is resolved by translating the satisfaction problem into an optimization problem, thereby computing both optimistic and pessimistic bounds on the probability of satisfaction. At each stage of the evaluation process, we show how to obtain confidence statements about the probability of satisfaction for the overall SSMT formula, including reliable estimates on the optimal resolution of any non-deterministic choice involved.

Appendix: Proof of lemmas

1.1 Proof of Lemma 1

Proof

We only consider the upper bound, the argument for the lower bound is analogous. We first consider the case of an existential or universal quantifier. Within the construction of the empirical means, we used interval arithmetic to obtain the maximum and minimum over the whole domain \(\mathcal {P}^j_{h,i},\mathcal {P}_{\searrow j}\) for each individual sample [see Eq. (20a)]. That is the empirical mean can be written as:

$$\begin{aligned} \overline{\mu }_{h,i}^j = \frac{1}{T_{h,i}}\sum \max _{\mathcal {P}^j_{h,i},\mathcal {P}_{\searrow j}} \phi (x_j,x_{\searrow j}) \end{aligned}$$

Therefore, setting \(\epsilon :=|\phi ^s_{j+1}(\mathcal {P}_{h,i}^j,\mathcal {P}_{-j})|\sqrt{-\frac{\log (\delta )}{2T_{h,i}^j}}\) and by applying Jensen’s inequality (as the maximum is a convex operation), we have:

$$\begin{aligned}&P\left( \overline{\mu }_{h,i}^j + \epsilon > \max _{\mathcal {P}^j_{h,i},\mathcal {P}_{\searrow {j}}} \mathbb {E}[\phi _{j+1}(x_1,\dots ,x_n)] \right) \\&\quad \ge P\left( \overline{\mu }_{h,i}^j + \epsilon > \mathbb {E}\left[ \max _{\mathcal {P}^j_{h,i},\mathcal {P}_{\searrow {j}}} \phi _{j+1}(x_1,\dots ,x_n)\right] \right) \\&\quad \ge 1-\delta \end{aligned}$$

where the last inequality is a result of applying Hoeffding’s inequality to the modified random variable \(Z: = \max _{\mathcal {P}^j_{h,i},\mathcal {P}_{\searrow {j}}}\phi (x_1,\dots ,x_n)\).\(\square \)

1.2 Proof of Lemma 2

Proof

The above inequality can be shown for each of the following cases

Case \(\mathop {\text {arg max}}\limits \{\mu _i\} = \mathop {\text {arg max}}\limits \{l_i\}\)    

Holds trivially by assumption.

Case \(\mathop {\text {arg max}}\limits \{\mu _i\} \ne \mathop {\text {arg max}}\limits \{l_i\}\)    

Let \(i^* = \mathop {\text {arg max}}\limits \{\mu _i\}, k^*=\mathop {\text {arg max}}\limits \{l_i\}\). As \(\mu _{k^*} \le \mu _{i^*} \), the set of estimators \(l_{k^*}\) for which \(\mu _{i^*}\le l_{k^*}\) is included in \(\mu _{k^*}\le l_{k^*}\). Therefore, we have

$$\begin{aligned} P\left( \max \{\mu _1, \mu _2\} \le \max \{l_1, l_2\} \right)&= P\left( \mu _{i^* } \le l_{k^*} \right) \\&\le P\left( \mu _{k^* } \le l_{k^*} \right) \le \delta \end{aligned}$$

\(\square \)

1.3 Proof of Lemma 3

Proof

As above, we consider the following proof-by-cases: Case \(\mathop {\text {arg max}}\limits \{\mu _i\} = \mathop {\text {arg max}}\limits \{u_i\}\)    

Holds trivially by assumption.

Case \(\mathop {\text {arg max}}\limits \{\mu _i\} \ne \mathop {\text {arg max}}\limits \{u_i\}\)    

Let \(i^* = \mathop {\text {arg max}}\limits \{\mu _i\}, k^*=\mathop {\text {arg max}}\limits \{u_i\}\). Therefore, we have

$$\begin{aligned}&1- P\left( \max \{\mu _1, \mu _2\} \le \max \{u_1, u_2\} \right) \\&= 1- P\left( \mu _{i^* } \le u_{k^*} \right) \\&\ge 1- P\left( \mu _{k^* } \le u_{k^*} \right) \ge 1- \delta \\&\Rightarrow P\left( \max \{\mu _1, \mu _2\} \ge \max \{u_1, u_2\} \right) \le \delta \end{aligned}$$

\(\square \)