CTMC of the Hubble space telescope 

Contexts in source publication

Context 1

... this case, the expected value of X is . λ To illustrate the concept of a CTMC let us return to the telescope example. We make the following, not nec- essarily realistic, assumptions about the timing behavior of the telescope: each gyroscope has an average lifetime of 10 years, the average preparation time of a repair mission is two months, and to turn the telescope into sleep mode takes 1/100 year (about 3.5 days) on average. As- suming a base time scale of a single year, the real-time probabilistic behavior of the failure and repair of the gyroscopes is now modeled by the CTMC of Fig. 2. This model can be understood as follows. The mean residence time of a state is the reciprocal of the sum of its outgoing transition rates. In state 6, for instance, one out of 6 gyroscopes may fail. As these failures are stochastically independent and as each gyroscope fails with rate 1 , 10 this state has outgoing rate 6 . If less operational gyro- 10 scopes are available, these rates decrease proportionally, and state residence times become larger. Being in state 2 there are two possibilities: either one of the remaining two gyroscopes fails, or the telescope is turned into sleep mode. The mean residence time of this state is 10 . The 1002 DTMC of Fig. 1 can be obtained from the CTMC of Fig. 2 by multiplying the transition rates by the mean residence time of the state from which they emanate. On the applicability of CTMCs. Markov chains are widely used as simple, yet adequate models in diverse areas, ranging from mathematics and computer science to other disciplines such as operations research, industrial engin- eering, biology, and demographics. They can be used to estimate various performance characteristics; for instance, to quantify throughput of manufacturing systems, to locate bottlenecks in communication systems, or to estimate reliability in aerospace systems. Due to their modeling convenience and the presence of efficient analysis methods, the vast majority of applications of Markov chain modeling involve CTMCs as opposed to DTMCs. This might surprise the reader, as exponential distributions seem at first sight not to be of much practical value, despite their mathematical tractability. This is misleading. Exponential distributions are known to be an appropriate means to adequately model many phenomena with a stochastic nature, such as system lifetimes (failure rates), job arrival processes (inter-arrival times), and the like. Besides, if only the mean value of a random phenomenon is known – a situation that frequently occurs in practice – then the exponential distribution is the most indeterminate distribution, i.e., the distribution with the highest degree of randomness, that describes this phenomenon. Thus, it is the most appropriate distribution when just mean values are known. Technically speaking, the exponential distribution maximizes the entropy [60], a well-known notion from information theory. Due to the rapidly increasing size and complexity of systems, specifying and analyzing stochastic models at the level of states and transitions becomes more and more cumbersome and error-prone. In order to overcome this problem, CTMCs can be generated from higher-level specifications, such as queueing networks [24], stochastic Petri nets [1], stochastic process algebras [16, 40, 45], or from semi-formal software development techniques such as UML (The Unified Modeling Language) [58] or SDL (Specification and Description Language) [28]. The tool- development for these techniques and their success in several case studies of industrial importance during recent years has provided strong evidence that these solutions are indeed very promising. Model checking continuous-time Markov chains. Performance and dependability analysis of CTMCs most often boils down to the calculation of steady-state and transient state probabilities. Steady-state probabilities refer to the system behavior in the “long run”, while the transient probabilities consider the system at a fixed time instant t . High-level measures-of-interest are determined on the basis of these state-level probabilities. So far, the specification of the measure-of-interest for a given CTMC cannot always be done conveniently, nor can all possible measures-of-interest be expressed conveniently. In particular, measures for which a selection of paths matter are usually either “specified” informally, with all its negative implications, or require a manual tailoring of the CTMC so as to address the right subsets of states. With the use of an appropriate extension of temporal logic such measures can be specified in an unambiguous way. Let us illustrate this by means of the Hubble telescope example. In addition to the properties discussed for the DTMC model of the telescope, the presence of dura- tions in a CTMC allows us to specify and verify properties that refer to the time until a certain scenario happens. Under the assumption that a rare astronomical event, such as the appearance of an interesting comet in the cov- erage of the telescope, happens in, say, five years, it would be interesting to check whether “the telescope is operational in exactly 5 years from now with at least probability 99%” Another quantity of interest is the time span before the (fully operational) telescope has to be put into sleep mode for the first time. In reality, this happened within 2.7 years. One could check whether “with at most 10% chance the operational telescope turns into sleep mode within 2.7 years” As a last example property, since the Hubble space ...

Context 2

... this case, the expected value of X is . λ To illustrate the concept of a CTMC let us return to the telescope example. We make the following, not nec- essarily realistic, assumptions about the timing behavior of the telescope: each gyroscope has an average lifetime of 10 years, the average preparation time of a repair mission is two months, and to turn the telescope into sleep mode takes 1/100 year (about 3.5 days) on average. As- suming a base time scale of a single year, the real-time probabilistic behavior of the failure and repair of the gyroscopes is now modeled by the CTMC of Fig. 2. This model can be understood as follows. The mean residence time of a state is the reciprocal of the sum of its outgoing transition rates. In state 6, for instance, one out of 6 gyroscopes may fail. As these failures are stochastically independent and as each gyroscope fails with rate 1 , 10 this state has outgoing rate 6 . If less operational gyro- 10 scopes are available, these rates decrease proportionally, and state residence times become larger. Being in state 2 there are two possibilities: either one of the remaining two gyroscopes fails, or the telescope is turned into sleep mode. The mean residence time of this state is 10 . The 1002 DTMC of Fig. 1 can be obtained from the CTMC of Fig. 2 by multiplying the transition rates by the mean residence time of the state from which they emanate. On the applicability of CTMCs. Markov chains are widely used as simple, yet adequate models in diverse areas, ranging from mathematics and computer science to other disciplines such as operations research, industrial engin- eering, biology, and demographics. They can be used to estimate various performance characteristics; for instance, to quantify throughput of manufacturing systems, to locate bottlenecks in communication systems, or to estimate reliability in aerospace systems. Due to their modeling convenience and the presence of efficient analysis methods, the vast majority of applications of Markov chain modeling involve CTMCs as opposed to DTMCs. This might surprise the reader, as exponential distributions seem at first sight not to be of much practical value, despite their mathematical tractability. This is misleading. Exponential distributions are known to be an appropriate means to adequately model many phenomena with a stochastic nature, such as system lifetimes (failure rates), job arrival processes (inter-arrival times), and the like. Besides, if only the mean value of a random phenomenon is known – a situation that frequently occurs in practice – then the exponential distribution is the most indeterminate distribution, i.e., the distribution with the highest degree of randomness, that describes this phenomenon. Thus, it is the most appropriate distribution when just mean values are known. Technically speaking, the exponential distribution maximizes the entropy [60], a well-known notion from information theory. Due to the rapidly increasing size and complexity of systems, specifying and analyzing stochastic models at the level of states and transitions becomes more and more cumbersome and error-prone. In order to overcome this problem, CTMCs can be generated from higher-level specifications, such as queueing networks [24], stochastic Petri nets [1], stochastic process algebras [16, 40, 45], or from semi-formal software development techniques such as UML (The Unified Modeling Language) [58] or SDL (Specification and Description Language) [28]. The tool- development for these techniques and their success in several case studies of industrial importance during recent years has provided strong evidence that these solutions are indeed very promising. Model checking continuous-time Markov chains. Performance and dependability analysis of CTMCs most often boils down to the calculation of steady-state and transient state probabilities. Steady-state probabilities refer to the system behavior in the “long run”, while the transient probabilities consider the system at a fixed time instant t . High-level measures-of-interest are determined on the basis of these state-level probabilities. So far, the specification of the measure-of-interest for a given CTMC cannot always be done conveniently, nor can all possible measures-of-interest be expressed conveniently. In particular, measures for which a selection of paths matter are usually either “specified” informally, with all its negative implications, or require a manual tailoring of the CTMC so as to address the right subsets of states. With the use of an appropriate extension of temporal logic such measures can be specified in an unambiguous way. Let us illustrate this by means of the Hubble telescope example. In addition to the properties discussed for the DTMC model of the telescope, the presence of dura- tions in a CTMC allows us to specify and verify properties that refer to the time until a certain scenario happens. Under the assumption that a rare astronomical event, such as the appearance of an interesting comet in the cov- erage of the telescope, happens in, say, five years, it would be interesting to check whether “the telescope is operational in exactly 5 years from now with at least probability 99%” Another quantity of interest is the time span before the (fully operational) telescope has to be put into sleep mode for the first time. In reality, this happened within 2.7 years. One could check whether “with at most 10% chance the operational telescope turns into sleep mode within 2.7 years” As a last example property, since the Hubble space telescope is planned to stay in orbit through 2010, it is worth- while studying the likelihood of a crash before that year: “there is at most a 1% chance that the system will crash within the next 10 years” given that the system was reset to state 6 in late 1999. Contributions of this paper. Model checking of CTMCs has been discussed in [12], introducing a (branching) temporal logic called continuous-time stochastic logic (CSL) to express properties over CTMCs. This logic is an extension of the (equally named) logic by Aziz et al. [7, 8] with an operator to reason about steady-state probabilities. In this paper, we describe the Erlangen–Twente Markov Chain Checker (E MC 2 ), to our knowledge the first ...