
Proceedings ArticleDOI

A Probabilistic Model Checking Approach to Analysing Reliability, Availability, and Maintainability of a Single Satellite System

20 Nov 2013, pp. 611-616

TL;DR: This paper presents formal modelling of a single satellite and logical specification of its reliability, availability and maintainability properties and the probabilistic model checker PRISM has been used to perform automated quantitative analyses of these properties.
Abstract: Satellites now form a core component for space based systems such as GPS and GLONAS which provide location and timing information for a variety of uses. Such satellites are designed to operate in-orbit and have lifetimes of 10 years or more. Reliability, availability and maintainability (RAM) analysis of these systems has been indispensable in the design phase of satellites in order to achieve minimum failures or to increase mean time between failures (MTBF) and thus to plan maintainability strategies, optimise reliability and maximise availability. In this paper, we present formal modelling of a single satellite and logical specification of its reliability, availability and maintainability properties. The probabilistic model checker PRISM has been used to perform automated quantitative analyses of these properties.


Peng, Z., Lu, Y., Miller, A., Johnson, C., and Zhao, T. (2013) A probabilistic model checking approach to analysing reliability, availability, and maintainability of a single satellite system. In: 7th European Symposium on Computer Modelling and Simulation (EMS2013), 20-22 Nov 2013, Manchester, UK.
Copyright © 2013 IEEE
A copy can be downloaded for personal non-commercial research or study, without prior permission or charge. Content must not be changed in any way or reproduced in any format or medium without the formal permission of the copyright holder(s).
http://eprints.gla.ac.uk/89809/
Deposited on: 16 January 2014
Enlighten – Research publications by members of the University of Glasgow
http://eprints.gla.ac.uk

A Probabilistic Model Checking Approach to Analysing Reliability, Availability, and Maintainability of a Single Satellite System
Zhaoguang Peng (1,2), Yu Lu (2), Alice Miller (2), Chris Johnson (2) and Tingdi Zhao (1)
(1) School of Reliability and Systems Engineering, Beijing University of Aeronautics and Astronautics, Beijing, China
(2) School of Computing Science, University of Glasgow, Glasgow, United Kingdom
Abstract: Satellites now form a core component for space based systems such as GPS and GLONAS which provide location and timing information for a variety of uses. Such satellites are designed to operate in-orbit and have lifetimes of 10 years or more. Reliability, availability and maintainability (RAM) analysis of these systems has been indispensable in the design phase of satellites in order to achieve minimum failures or to increase mean time between failures (MTBF) and thus to plan maintainability strategies, optimise reliability and maximise availability. In this paper, we present formal modelling of a single satellite and logical specification of its reliability, availability and maintainability properties. The probabilistic model checker PRISM has been used to perform automated quantitative analyses of these properties.
Keywords: satellite systems; reliability, availability and maintainability (RAM) analysis; probabilistic model checking; continuous time Markov chains (CTMCs)
I. INTRODUCTION
With the emergence of efficient, high-performance, and low cost satellites, earth orbiting satellites are often deployed in satellite constellations and space systems to ensure reliable and dependable missions. These kinds of satellites have played an essential part in both civil and military contexts, and support a wide range of applications ranging from satellite navigation to space stations. Reliability, availability and maintainability (RAM) analysis has been indispensable in the design phase of satellites in order to achieve minimum failures or to increase mean time between failures (MTBF) and thus to plan maintainability strategies, optimise reliability and maximise availability. How to select optimal configurations, maintenance plans and underlying resources so as to satisfy requirements and improve efficiency is a key research question.
This concern calls for effective solutions to the challenges of verifying large and complex satellite systems. Formal verification is a well-established technique in Computer Science for either detecting errors, or for providing increased confidence in the reliability of a system. Until now, attempts to verify satellite systems have been piecemeal. Verification largely depends on more brute force approaches, such as simulation and testing. Generally, simulation is the common validation approach used for verification of such systems and the protocols applied in them. However, simulation has been unable to keep pace with the growth in satellite design complexity. It is therefore timely to apply formal verification techniques to this domain.
Corresponding author: Yu Lu, School of Computing Science, University of Glasgow, 17 Lilybank Gardens, Glasgow G12 8RZ, United Kingdom. y.lu.3@research.gla.ac.uk.
Model checking is a formal verification technique that involves defining a model of a system from a formal specification. The model is then used to check desired properties of the system. This involves exploring the underlying state space of the model, and specifying properties via some formal logic such as temporal logic. In this context, the effects of proposed changes to an in-orbit system can be first checked via a model, rather than via expensive prototypes. The required reliability, availability, and maintainability properties of satellite systems can be expressed in temporal logic, and so lend themselves very well to proof via model checking.
The goal of the paper is to adopt probabilistic model checking to cope with the verification demand introduced by satellite systems. Probabilistic model checking is a formal method for specifying quantitative properties of a system model. Models obtained by this technique are normally extensions or variants of Markov chains or automata, extended with costs and rewards that estimate resources and their usage during operation. Properties to be verified or analysed are specified in temporal logic with auxiliary operators such as probability and reward. We present an automated quantitative analysis of single satellite availability with the probabilistic model checker PRISM [1].
Our paper is organised as follows. In Section II we give technical background on probabilistic model checking, while in Section III we present our formal specification of a single satellite and its associated continuous-time Markov chain (CTMC) model. Then, we perform RAM analysis using PRISM in Section IV. In Section V we report related work. Finally, in Section VI we conclude and outline directions for future research.
II. PROBABILISTIC MODEL CHECKING
In this section we introduce some formal notations that are relevant to probabilistic model checking. Note that our definitions are from [2], where further details can be found.
2013 European Modelling Symposium, 978-1-4799-2578-0/13 $31.00 © 2013 IEEE, DOI 10.1109/EMS.2013.102

[Figure 1 (state diagram, image not reproduced): states Normal, Scheduled interruption, Unscheduled interruption and Failure; after a failure, Repair on orbit (send software commands), Check redundant satellite on orbit (available: move and replace the failed one; unavailable: check spare satellite on ground), Check spare satellite on ground (available: launch the satellite; unavailable: build a new one); transitions labelled Succeed, Fail, Interrupt, Finish and Disappear.]
Figure 1. A failure model and maintainability plan of a single satellite
A. Continuous-time Markov Chains
Let $AP$ be a fixed, finite set of atomic propositions. Formally, a continuous-time Markov chain (CTMC) $C$ is a tuple $(S, s_{init}, R, L)$ where:
  • $S = \{s_1, s_2, \ldots, s_n\}$ is a finite set of states.
  • $s_{init} \in S$ is the initial state.
  • $R : S \times S \to \mathbb{R}_{\ge 0}$ is the transition rate matrix.
  • $L : S \to 2^{AP}$ is a labelling function which assigns to each state $s_i \in S$ the set $L(s_i)$ of atomic propositions $a \in AP$ that are valid in $s_i$.
Intuitively, $R(s_i, s_j) > 0$ if and only if there is a transition from state $s_i$ to state $s_j$. Furthermore, $R(s_i, s_j)$ specifies that the probability of moving from $s_i$ to $s_j$ within $t$ time units is $1 - e^{-R(s_i, s_j) \cdot t}$, an exponential distribution with rate $R(s_i, s_j)$. If $R(s_i, s_j) > 0$ for more than one state $s_j$, a competition between the transitions originating in $s_i$ exists, known as the race condition.
B. Continuous Stochastic Logic
Let $C = (S, s_{init}, R, L)$ be a continuous time Markov chain. In this section, we introduce Continuous Stochastic Logic (CSL) [3], [4]. CSL is inspired by the logic Computation Tree Logic (CTL) [5], and its extensions to discrete time stochastic systems (PCTL) [6], and continuous time non-stochastic systems (TCTL) [7]. There are two types of formulae in CSL: state formulae, which are true or false in a specific state, and path formulae, which are true or false along a specific path.
Let $a \in AP$ be an atomic proposition, $p \in [0, 1]$ be a real number, $\bowtie \in \{\le, <, >, \ge\}$ be a comparison operator, and $I \subseteq \mathbb{R}_{\ge 0}$ be a non-empty interval. The syntax of CSL formulas over the set of atomic propositions $AP$ is defined inductively as follows:
  • $\mathit{true}$ is a state formula.
  • Each $a \in AP$ is a state formula.
  • If $\Phi$ and $\Psi$ are state formulas, then so are $\neg\Phi$ and $\Phi \wedge \Psi$.
  • If $\Phi$ is a state formula, then so is $S_{\bowtie p}(\Phi)$.
  • If $\phi$ is a path formula, then $P_{\bowtie p}(\phi)$ is a state formula.
  • If $\Phi$ and $\Psi$ are state formulas, then $X^{I}\,\Phi$ and $\Phi\, U^{I}\, \Psi$ are path formulas.
$S_{\bowtie p}(\Phi)$ asserts that the steady-state probability for a $\Phi$ state meets the boundary condition $\bowtie p$. $P_{\bowtie p}(\phi)$ asserts that the probability measure of the paths satisfying $\phi$ meets the bound given by $\bowtie p$. The path formula $X^{I}\,\Phi$ asserts that a transition is made to a $\Phi$ state at some time point $t \in I$. Operator $U^{I}$ is the timed variant of the until operator of CTL; the path formula $\Phi\, U^{I}\, \Psi$ asserts that $\Psi$ is satisfied at some time instant in the interval $I$ and that at all preceding time instants $\Phi$ holds.
III. FORMAL MODELLING WITH A CTMC
PRISM [1] is a probabilistic model checker. It supports the analysis of several types of probabilistic models: discrete-time Markov chains (DTMCs), continuous-time Markov chains (CTMCs), Markov decision processes (MDPs), probabilistic automata (PAs), and also probabilistic timed automata (PTAs), with optional extensions of costs and rewards. PRISM allows us to verify properties specified in the temporal logics PCTL for DTMCs and MDPs and CSL for CTMCs. Models are described using the PRISM language, a simple, state-based language. The abstract model of a single satellite is illustrated in Figure 1; parameters are omitted. We take a CTMC as our underlying PRISM model for our abstract model. The detailed PRISM model of the satellite system, the property specification and the analysis results are available in [8].
We specify our actual CTMC model with states, a transition rate matrix, and a labelling function. Initially, the satellite runs in the normal state. After a period of execution it could be interrupted by a scheduled or unscheduled interruption during its lifecycle. Scheduled interruptions are normally caused by certain types of routine satellite Operations and Maintenance (O&M). These can cause satellite signal unavailability due to station-keeping manoeuvres, atomic clock maintenance, software updates, and hardware maintenance. Unscheduled interruptions can be caused by solar radiation, the earth's magnetic field or cosmic rays, which result in a satellite Single Event Upset (SEU). However, both scheduled and unscheduled interruptions are usually temporary, lasting just several hours. An unscheduled interruption usually disappears automatically. The satellite can fail at any time during its lifetime due to End-of-Life (EOL) outage or other vital failures.
When the satellite fails, staff on the ground must decide upon the best approach to repair it. It may be possible that failures can be resolved on orbit by giving specific software commands to the satellite. Otherwise it might be necessary to move a redundant satellite into position to replace the failed satellite. If no redundant satellite is available then a new satellite must be manufactured and launched. In the worst case, the new satellite does not launch successfully, due to a known probability of satellite launch failure.
In our paper, parameter values correspond to those of the latest U.S. GPS satellites, the GPS Block III satellites. The GPS III series is the newest block of GPS satellites (SVN-74 and up). GPS III provides more powerful signals than previous versions in addition to enhanced signal reliability, accuracy, and integrity. The key improvement is the 15-year design lifespan [9]. Since not all of the actual data for GPS III is available, in this paper we instead use some parameter values associated with similar satellite systems. All parameters used in our CTMC model and properties are specified in Table I.
Table I. Parameters for the CTMC model and analyses
 R    | MTBF | MTTR | $t_\alpha$ | $p_\beta$ | $t_\gamma$ | $t_\delta$ | t     | $p_\eta$ | $t_\kappa$
 0.80 | 15y  | 24h  | 4320h      | 80%       | 24h        | 1440h      | 4320h | 90%      | 24h
We use $p$ to express probability and $t$ for time, and the reliability of the satellite is $R$. If the satellite fails, we say that it moves from a "normal" state to a "failure" state. Both the mean time to an unscheduled interruption and the mean time to a scheduled interruption are $t_\alpha$. When the satellite fails, the probability of the failure being resolved in-orbit by moving a redundant satellite to replace the failed one is $p_\beta$. If on-orbit repair is not possible, a new satellite is needed. The times taken to decide to build a new satellite and for one to be manufactured are $t_\gamma$ and $t_\delta$ respectively. If a new satellite is to be manufactured, the probability of a successful launch is $p_\eta$. After a successful launch, the time taken for the satellite to move to the right position and for a normal signal sent from it to be received on the ground is $t_\kappa$.
IV. QUANTITATIVE ANALYSIS IN PRISM
We have identified the need to analyse reliability, availability, and maintainability properties of satellite based applications. We illustrate the use of probabilistic model checking in this domain by describing our PRISM model. The reliability of a satellite is determined by the scheduled interruption, unscheduled interruption, and failure states in the system. The probability of a successful launch is the reliability of the launch. "Repaired in-orbit" is the maintainability of the satellite. Reliability and maintainability together determine the availability of a satellite. Reliability must be sufficient to support the mission capability needed in its expected operating environment.
If reliability and maintainability are not adequately designed into satellite and space based systems, there is a risk that the design will breach the desired availability or performance requirements: the system will breach its performance baseline thresholds and incur significantly higher design or development costs due to the resulting corrective actions; will cost more than anticipated to use and operate; or will fail to provide the availability expected by the researchers or users.
Satellites will deteriorate with time due to failure mechanisms. We assume that the time delay is a random variable drawn from an exponential distribution, which is the assumption used in PRISM. According to system reliability theory [10], the reliability of a satellite $R(t)$ can be defined as
$$R(t) = \Pr\{T > t\} = e^{-\lambda t}, \quad (1)$$
and then we can obtain
$$\lambda(t) = -\frac{\ln R(t)}{E(s_i)}. \quad (2)$$
Satellite failures typically occur at some constant failure rate $\lambda$; the failure probability depends on the rate $\lambda$ and the exposure time $t$. Typically failure rates are carefully derived from substantiated historical data such as mean time between failures (MTBF). We have
$$\lambda = -\frac{\ln R}{T} = -\frac{\ln R}{\mathrm{MTBF}}, \quad (3)$$
where $t = T = \mathrm{MTBF}$, and MTBF is the design parameter or the statistical parameter. Referring to the latest characteristics of satellites used for Global Positioning Systems (GPSs), we assume the MTBF of the satellite to be 15 years. As a result, $R = 0.80$ and $\mathrm{MTBF} = 15$ years. Further, the mean time to repair (MTTR) is 24 hours.
[Figure 2 (plots, image not reproduced): (a) Reliability property 2; (b) Reliability property 4.]
Figure 2. Analysis results of reliability properties.
PRISM provides support for automated analysis of a wide range of quantitative properties of these models, such as "what is the probability of a failure causing the satellite to stop working within 12 hours?", "what is the worst-case probability of the satellite on-board system terminating due to an error, over all possible initial configurations?", or "what is the worst-case expected time taken for the satellite signal to be received?".
A. Reliability Properties and Analysis
Reliability properties that we can analyse using PRISM include:
1) the probability that a satellite will need to be replaced by a new one in 15 years at the reliability 0.80:
   P=? [ F<=T s=5 ]; T = 129600;
2) the probability that a satellite will need to be replaced by a new one due to complete failure in 15 years at the reliability 0.80 over the time:
   P=? [ F<=T s=5 ]; R = 0.80; T = 0:129600:8640;
3) how many times a satellite will need to be replaced by a new one in 15 years at the reliability 0.80:
   R=? [ C<=T ]; T = 129600; R = 0.80;
4) how many times a satellite will need to be replaced by a new one over different reliabilities, in 15 years:
   R=? [ C<=T ]; T = 129600; r = 0.01:0.99:0.05.
As shown in Figure 2(a), the probability that the satellite has a failure and is unable to be repaired during 15 years is 7.71%. From the analysis result in Figure 2(b), the number of times the satellite will have a failure and be unable to be repaired in 15 years is 0.08, under the precondition that the reliability is 0.80. If the reliability is set to 0.5, the number of vital failures will be smaller than 0.25 during 15 years. Using the property to calculate the number of unscheduled interruptions, the number of times will be 29.95 in 15 years.
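To make the CTMC analysis concrete, here is an added Python example (not the paper's PRISM model or the authors' code): it builds a 5-state CTMC from the Table I parameters, derives λ with eq. (3), and evaluates two of the quantities PRISM computes, the steady-state availability behind the S operator of Section II.B and the probability of needing a replacement within T = 129600 h as in reliability property 1 above. The 5-state simplification of Figure 1, the single exponential replacement stage and the year length of 8640 h are assumptions, so its numbers describe this simplified chain rather than the paper's reported results.

```python
"""Worked CTMC RAM analysis of a simplified single-satellite model (added example)."""
import math

# Constructed parameter set, taken from Table I, in hours (1 year = 8640 h,
# as the paper's T = 129600 h = 15 y implies).
PARAMS = {
    "R": 0.80,          # design reliability at MTBF
    "MTBF": 129600.0,   # 15 years in hours
    "MTTR": 24.0,       # mean time to clear an interruption
    "t_alpha": 4320.0,  # mean time to a scheduled or unscheduled interruption
    "p_beta": 0.80,     # probability a failure is repaired on orbit
    "t_gamma": 24.0,    # time to decide on the repair approach
    "t_delta": 1440.0,  # time to manufacture a new satellite
    "p_eta": 0.90,      # probability of a successful launch
    "t_kappa": 24.0,    # time to reach position and deliver a normal signal
}

# State indices: an assumed 5-state simplification of Figure 1.
NORMAL, SCHED, UNSCHED, FAILED, REPLACE = range(5)

def failure_rate(reliability, mtbf):
    """Eq. (3): lambda = -ln(R) / MTBF, assuming exponential lifetimes."""
    return -math.log(reliability) / mtbf

def build_generator(p, replace_absorbing=False):
    """Rate matrix R(s_i, s_j) as a generator: diagonal = -(row sum)."""
    lam = failure_rate(p["R"], p["MTBF"])
    n = 5
    Q = [[0.0] * n for _ in range(n)]
    Q[NORMAL][SCHED] = 1.0 / p["t_alpha"]
    Q[NORMAL][UNSCHED] = 1.0 / p["t_alpha"]
    Q[NORMAL][FAILED] = lam
    Q[SCHED][NORMAL] = 1.0 / p["MTTR"]
    Q[UNSCHED][NORMAL] = 1.0 / p["MTTR"]
    # After the decision time the failure is either fixed on orbit or a
    # replacement is needed (Figure 1's "repair on orbit" branch).
    Q[FAILED][NORMAL] = p["p_beta"] / p["t_gamma"]
    Q[FAILED][REPLACE] = (1.0 - p["p_beta"]) / p["t_gamma"]
    if not replace_absorbing:
        # Manufacture (retried on launch failure, folded into t_delta / p_eta)
        # followed by positioning; a single exponential stage is an assumption.
        Q[REPLACE][NORMAL] = 1.0 / (p["t_delta"] / p["p_eta"] + p["t_kappa"])
    for i in range(n):
        Q[i][i] = -sum(Q[i][j] for j in range(n) if j != i)
    return Q

def solve_linear(A, b):
    """Gauss-Jordan elimination with partial pivoting; returns x with A x = b."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col and M[r][col] != 0.0:
                f = M[r][col] / M[col][col]
                M[r] = [a - f * c for a, c in zip(M[r], M[col])]
    return [M[i][n] / M[i][i] for i in range(n)]

def steady_state(Q):
    """Solve pi Q = 0 with sum(pi) = 1, i.e. what CSL's S operator evaluates."""
    n = len(Q)
    A = [[Q[j][i] for j in range(n)] for i in range(n)]  # transpose of Q
    A[n - 1] = [1.0] * n                                  # normalisation row
    return solve_linear(A, [0.0] * (n - 1) + [1.0])

def transient(Q, pi0, t):
    """pi(t) by uniformization (t > 0): sum_k Poisson(k; Lambda*t) * pi0 * P^k."""
    n = len(Q)
    big = max(-Q[i][i] for i in range(n))
    P = [[(1.0 if i == j else 0.0) + Q[i][j] / big for j in range(n)]
         for i in range(n)]
    mean = big * t
    kmax = int(mean + 12.0 * math.sqrt(mean)) + 50  # beyond this the tail is ~0
    v, out = pi0[:], [0.0] * n
    for k in range(kmax + 1):
        # Poisson weight in log space: exp(-mean) alone underflows for 15 years.
        w = math.exp(-mean + k * math.log(mean) - math.lgamma(k + 1))
        out = [o + w * x for o, x in zip(out, v)]
        v = [sum(v[i] * P[i][j] for i in range(n)) for j in range(n)]
    return out

def availability(p=PARAMS):
    """Long-run fraction of time the satellite is in the normal state."""
    return steady_state(build_generator(p))[NORMAL]

def prob_replacement_within(t, p=PARAMS):
    """P=? [ F<=t replace ]: make REPLACE absorbing and read its mass at t."""
    Q = build_generator(p, replace_absorbing=True)
    return transient(Q, [1.0, 0.0, 0.0, 0.0, 0.0], t)[REPLACE]

if __name__ == "__main__":
    print("lambda (1/h):", failure_rate(PARAMS["R"], PARAMS["MTBF"]))
    print("availability:", availability())
    print("P(replacement within 15 y):", prob_replacement_within(129600.0))
```

Making REPLACE absorbing turns the bounded-reachability property into a transient probability, which is how PRISM evaluates P=? [ F<=T ... ] on a CTMC; the steady-state call is the S-operator analogue.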
B. Maintainability Properties and Analysis
Maintainability properties that we can analyse using PRISM include:
1) the number of times that satellites need to be repaired on orbit in 15 years:
   R=? [ C<=T ]; T = 129600; R = 0.80;
2) the satellite maintenance times when the reliability ranges from 0.01 to 0.99, in 15 years:
   R=? [ C<=T ]; T = 129600; R = 0.01:0.99:0.01;
3) the satellite maintenance times when the MTBF ranges from the 1st year to the 15th year:
   R=? [ C<=T ]; T = 129600; R = 0.01:0.99:0.01; MTBF = 1:129600:8640;
4) the number of cases in which a satellite needs to be repaired on orbit but does not eventually succeed, in 15 years:
   R=? [ C<=T ]; T = 129600; r = 0.80.
The number of times the satellite needs to be repaired on orbit in 15 years is 0.18. The number of times the satellite needs to be repaired on orbit over time is shown in Figure 3(a). When the reliability of the satellite is increased to 0.5, the number of times the satellite needs to be repaired will decrease to 0.5. Figure 3(b) illustrates that the number of times to repair the satellite is below 1 when the MTBF is 2 years.
C. Availability Properties and Analysis
Availability properties that we can analyse using PRISM include:
1) the availability of the satellite in 15 years, when the reliability is 0.80:
   (R=? [ C<=T ])/T; T = 129600; R = 0.80, and
   R=? [ C<=T ]; T = 129600; R = 0.01:0.99:0.01;
2) the unavailability of a satellite over the satellite operation time:
   (T − R=? [ C<=T ])/T; T = 0:129600:8640; R = 0.80;
3) the relationship between satellite availability and its maintenance time taken for scheduled interruption:
   (R=? [ C<=T ])/T; T = 129600; R = 0.80, f = 1:48:3.
The availability of the satellite is 99.83% in 15 years when the reliability is 0.80. As shown in Figure 4(a), if the reliability increases to 0.4, the availability of the satellite reaches 0.995. So if the required probability of the available satellite is 0.995, the reliability must have a minimum value of 0.4. Figure 4(b) presents the result of availability property

Citations

Proceedings ArticleDOI
09 Mar 2015
TL;DR: This paper shows the formal modeling and verification of RAM related properties of a satellite system and presents and compares modeling results with those obtained with a previously reported approach that demonstrate an improved modeling accuracy.
Abstract: From navigation to telecommunication, and from weather forecasting to military, or entertainment services - satellites play a major role in our daily lives. Satellites in the Medium Earth Orbit (MEO) and geostationary orbit have a life span of 10 years or more. Reliability, Availability and Maintainability (RAM) analysis of a satellite system is a crucial part at their design phase to ensure the highest availability and optimized reliability. This paper shows the formal modeling and verification of RAM related properties of a satellite system. In a previously reported approach, time between possible failures and time between repairs are assumed to follow an exponential distribution, which does not represent a realistic scenario. In contrast, in our work, discrete time delays in the classical Continuous Time Markov Chain (CTMC) are approximated using the Erlang distribution. This is done by approximating nonexponential holding time with several intermediate states based on a phase type distribution. The RAM properties are then verified using the PRISM model checker. We present and compare modeling results with those obtained with a previously reported approach that demonstrate an improved modeling accuracy.

22 citations


Cites background or methods or result from "A Probabilistic Model Checking Appr..."

  • ...A simplified model of a satellite system taken in [5] is shown in Fig....

  • ...In [5], authors proposed a probabilistic model checking approach to perform RAM analysis of satellite systems using PRISM [6] and claimed this to be the first in this area....

  • ...A description of that model using the PRISM language was developed using two approaches: our approach and the approach in [5]....

  • ...In [5], authors claimed the first use of probabilistic model checking to perform RAM analysis of satellite systems....

  • ...Note that reward operator R from PRISM property specification language and Re that was also called R in [5] should not be confused....


Posted Content
TL;DR: A comprehensive review of existing formal dependability analysis techniques along with their pros and cons for handling a particular dependability model is presented.
Abstract: Dependability is an umbrella concept that subsumes many key properties about a system, including reliability, maintainability, safety, availability, confidentiality, and integrity. Various dependability modeling techniques have been developed to effectively capture the failure characteristics of systems over time. Traditionally, dependability models are analyzed using paper-and-pencil proof methods and computer based simulation tools but their results cannot be trusted due to their inherent inaccuracy limitations. The recent developments in probabilistic analysis support using formal methods have enabled the possibility of accurate and rigorous dependability analysis. Thus, the usage of formal methods for dependability analysis is widely advocated for safety-critical domains, such as transportation, aerospace and health. Given the complementary strengths of mainstream formal methods, like theorem proving and model checking, and the variety of dependability models judging the most suitable formal technique for a given dependability model is not a straightforward task. In this paper, we present a comprehensive review of existing formal dependability analysis techniques along with their pros and cons for handling a particular dependability model.

10 citations


Cites methods from "A Probabilistic Model Checking Appr..."

  • ...PRISM has also been utilized for quantitative reliability and availability analysis of a satellite system [53]....


Book ChapterDOI
Waqar Ahmad, Osman Hasan, Sofiène Tahar
25 Jul 2016
Abstract: Dependability is an umbrella concept that subsumes many key properties about a system, including reliability, maintainability, safety, availability, confidentiality, and integrity. Various dependability modeling techniques have been developed to effectively capture the failure characteristics of systems over time. Traditionally, dependability models are analyzed using paper-and-pencil proof methods and computer based simulation tools but their results cannot be trusted due to their inherent inaccuracy limitations. The recent developments in probabilistic analysis support using formal methods have enabled the possibility of accurate and rigorous dependability analysis. Thus, the usage of formal methods for dependability analysis is widely advocated for safety-critical domains, such as transportation, aerospace and health. Given the complementary strengths of mainstream formal methods, like theorem proving and model checking, and the variety of dependability models judging the most suitable formal technique for a given dependability model is not a straightforward task. In this paper, we present a comprehensive review of existing formal dependability analysis techniques along with their pros and cons for handling a particular dependability model.

9 citations


Journal ArticleDOI
Zhaoguang Peng, Yu Lu, Alice Miller, Tingdi Zhao and 1 more
Abstract: Navigation satellites are a core component of navigation satellite based systems such as GPS, GLONASS and Galileo which provide location and timing information for a variety of uses. Such satellites are designed for operating on orbit to perform tasks and have lifetimes of 10 years or more. Reliability, availability and maintainability (RAM) analysis of systems has been indispensable in the design phase of satellites in order to achieve minimum failures or to increase mean time between failures (MTBF) and thus to plan maintenance strategies, optimise reliability and maximise availability. In this paper, we present formal models of both a single satellite and a navigation satellite constellation and logical specification of their reliability, availability and maintainability properties respectively. The probabilistic model checker PRISM has been used to perform automated analysis of these quantitative properties.

9 citations


Journal ArticleDOI
Zhaoguang Peng, Yu Lu, Alice Miller, Tingdi Zhao and 1 more
Abstract: Navigation satellites are a core component of navigation satellite-based systems such as Global Positioning System, Global Navigation Satellite System and Galileo, which provide location and timing information for a variety of uses. Such satellites are designed for operating on orbit to perform tasks and have lifetimes of 10 years or more. Reliability, availability and maintainability analysis of systems has been indispensable in the design phase of satellites in order to achieve minimum failures or to increase mean time between failures and thus to plan maintenance strategies, optimise reliability and maximise availability. In this paper, we present formal models of both a single satellite and a navigation satellite constellation and logical specification of their reliability, availability and maintainability properties, respectively. The probabilistic model checker PRISM has been used to perform automated analysis of these quantitative properties. Copyright © 2014 John Wiley & Sons, Ltd.

7 citations


References

Book
25 Apr 2008
TL;DR: Principles of Model Checking offers a comprehensive introduction to model checking that is not only a text suitable for classroom use but also a valuable reference for researchers and practitioners in the field.
Abstract: Our growing dependence on increasingly complex computer and software systems necessitates the development of formalisms, techniques, and tools for assessing functional properties of these systems. One such technique that has emerged in the last twenty years is model checking, which systematically (and automatically) checks whether a model of a given system satisfies a desired property such as deadlock freedom, invariants, and request-response properties. This automated technique for verification and debugging has developed into a mature and widely used approach with many applications. Principles of Model Checking offers a comprehensive introduction to model checking that is not only a text suitable for classroom use but also a valuable reference for researchers and practitioners in the field. The book begins with the basic principles for modeling concurrent and communicating systems, introduces different classes of properties (including safety and liveness), presents the notion of fairness, and provides automata-based algorithms for these properties. It introduces the temporal logics LTL and CTL, compares them, and covers algorithms for verifying these logics, discussing real-time systems as well as systems subject to random phenomena. Separate chapters treat such efficiency-improving techniques as abstraction and symbolic manipulation. The book includes an extensive set of examples (most of which run through several chapters) and a complete set of basic results accompanied by detailed proofs. Each chapter concludes with a summary, bibliographic notes, and an extensive list of exercises of both practical and theoretical nature.

4,450 citations


"A Probabilistic Model Checking Appr..." refers background in this paper

  • ...Note that our definitions are from [2], from which further details can be found....


Book ChapterDOI
E. Allen Emerson
02 Jan 1991
Abstract: Publisher Summary This chapter discusses temporal and modal logic. The chapter describes a multiaxis classification of systems of temporal logic. The chapter describes the framework of linear temporal logic. In both its propositional and first-order forms, linear temporal logic has been widely employed in the specification and verification of programs. The chapter describes the competing framework of branching temporal logic, which has seen wide use. It also explains how temporal logic structures can be used to model concurrent programs using non-determinism and fairness. The chapter also discusses other modal and temporal logics in computer science. The chapter describes the formal syntax and semantics of Propositional Linear Temporal Logic (PLTL). The chapter also describes the formal syntax and semantics for two representative systems of propositional branching-time temporal logics.

2,823 citations


Book ChapterDOI
Sam Owre, John Rushby, Natarajan Shankar
15 Jun 1992

1,617 citations


"A Probabilistic Model Checking Appr..." refers methods in this paper

  • ...The theorem prover PVS [11] was used to verify desired properties in system models of Ariane 5 where cost of failure is highest....



Book ChapterDOI
27 Jul 2002
TL;DR: This paper describes version 2 of the NuSMV tool, a state-of-the-art symbolic model checker designed to be applicable in technology transfer projects and is robust and close to industrial systems standards.
Abstract: This paper describes version 2 of the NuSMV tool. NuSMV is a symbolic model checker originated from the reengineering, reimplementation and extension of SMV, the original BDD-based model checker developed at CMU [15]. The NuSMV project aims at the development of a state-of-the-art symbolic model checker, designed to be applicable in technology transfer projects: it is a well structured, open, flexible and documented platform for model checking, and is robust and close to industrial systems standards [6].

1,368 citations


"A Probabilistic Model Checking Appr..." refers methods in this paper

  • ...In [24] the model checker NuSMV [25] is used to model and verify the implementation of a mission and safety critical embedded satellite software control system....

