Software-intensive systems in application domains like medical applications, automotive systems, air traffic control, and railway signalling have stringent quality and dependability requirements. Most of these requirements have a probabilistic nature. Examples:

1. Availability requirements probabilistically specify the ability of a system to operate correctly at a certain point in time when a service is requested.
2. Safety requirements state that the probability that a certain hazard occurs must be less than a probability bound determined by the tolerable hazard rate.
3. Security requirements request that the probability of successful attacks does not exceed tolerable thresholds.
4. Performance requirements for non-real-time critical systems often state that a certain percentage of system requests must be handled within specified time bounds.

Why not traditional verification techniques based on temporal and real-time temporal logics? Because these techniques focus on absolute guarantees of correctness.

What are probabilistic verification techniques? They operate on models that, in addition to deterministic and non-deterministic decisions, also allow probabilistic decisions. Based on these probabilistic models it is possible to specify probabilistic system behavior due to, e.g., intrinsically unreliable hardware components and environment characteristics such as the work-load of a system. Examples of commonly used models are Markov chains and Markov decision processes.

Challenges for practitioners: the correct translation of informal, textually specified quality requirements into formal probabilistic properties is difficult. To ease the formulation of probabilistic properties, this paper investigates the possibility of transferring the concept of specification patterns [17] to probabilistic properties.
A property specification pattern describes a generalized recurring property and provides a solution in the form of a formal specification in different traditional temporal logics, e.g. CTL [13] and LTL [31]. The main feature that distinguishes this pattern system from previous pattern systems is its focus on externally observable quality requirements and properties in the areas of safety, security, reliability, availability, performance and performability that are important for many software-intensive systems. Based on this focus, the pattern system is constructed to facilitate the specification of probabilistic properties, and the underlying formal specification languages are probabilistic temporal logics (PCTL [23], PCTL* [4] and CSL [3, 9]). None of the existing pattern systems are able to describe these probabilistic properties, as their focus is set on traditional properties [11, 32, 34] and real-time properties [18, 20, 25]. As a result, ProProST complements the existing approaches and provides a significant extension of the existing property specification patterns.

The main contribution of this paper is a repository of specification patterns for probabilistic properties. This repository, called ProProST (Probabilistic Property Specification Templates), has been compiled from a comprehensive literature review on probabilistic logics and probabilistic verification techniques (154 properties from 56 papers), which also showed that currently no such repository exists. The analysis showed that 46 out of 48 quality requirements could be specified with one of the probabilistic property specification patterns. Due to the intrinsic probabilistic nature of these quality requirements, an adequate formulation of the properties with the existing specification pattern systems was not possible.
As a result, this pattern repository complements and extends the existing pattern systems [17, 25] in that it allows probabilistic properties to be specified as they are required to formulate quality properties. A second contribution of this paper is a structured English grammar to formulate natural-language quality properties and requirements based on the developed specification patterns. The benefit of this approach is an unambiguous relationship between the natural-language and the formal representation of the property. The structured English grammar itself gives non-expert practitioners the possibility to specify probabilistic properties correctly.

The Pattern System ProProST

Problem: The recurring problem tackled by the probabilistic patterns is how to formalize probabilistic properties as they are used in requirement specifications to express safety, security, reliability, availability, performance and performability requirements and goals.

Solution: The pattern system for probabilistic properties follows the idea of architecture and design patterns [1, 19] of providing solutions for common recurring problems. Each pattern describes a generalized recurring property and provides a solution in the form of a formal specification template in the probabilistic temporal logic CSL.

Benefit: These specification patterns capture expert knowledge about the formalization of probabilistic properties. This knowledge is presented in a way that allows non-experts in probabilistic verification techniques to specify these properties correctly.

STRUCTURED GRAMMAR

As a textual front-end for the ProProST pattern system, a structured English grammar has been constructed. This grammar contains two sub-grammars, one for natural-language representations and one for CSL formulae.
The sentences constructed by this pair of grammars are tuples containing a natural-language representation of the probabilistic property and a probabilistic temporal logic formula. The natural-language representation is often easier for practitioners to understand and can also be used directly to express quality requirements. Based on this novel formalism, a clear relationship between the natural language and the formal representation in probabilistic logic can be established. As a result, the research presented in this paper can support the maturation of probabilistic verification techniques, similar to the earlier property specification pattern systems for finite-state and real-time verification.

To explain the use of the structured English grammar, the following safety property shall be translated into a CSL formula: "Whenever a crash has occurred and the crash location is not a front-on crash, then within 60 milliseconds both side airbags shall be deployed with a probability higher than 99.999%". This property is an instance of the Probabilistic Response pattern, where the first state formula phi1 is (crash=occurred AND crash-location = not(front-on)) and the second state formula phi2 is (side-airbag1=deployed AND side-airbag2=deployed). Based on the grammar, the following natural-language requirement and CSL formula can be constructed with the derivation sequence (1,2,4,11,15,21,24,25): The system shall have a behavior where with a probability greater than 0.99999 it is the case that if (crash=occurred AND crash-location = not(front-on)) holds, then as a response (side-airbag1=deployed AND side-airbag2=deployed) becomes true within 60 milliseconds.

Related References: [8, 16, 21, 17, 18, 25].

8. REFERENCES

[1] C. Alexander. The Timeless Way of Building. Oxford University Press, New York, 1979.
[2] R. Alur, C. Courcoubetis, and D. Dill. Model-checking for real-time systems. In Proc. Fifth Annual IEEE Symposium on Logic in Computer Science, LICS 90, pages 414–425. IEEE Computer Society Press, 1990.
[3] A. Aziz, K. Sanwal, V. Singhal, and R. K. Brayton. Verifying continuous time Markov chains. In R. Alur and T. A. Henzinger, editors, Proc. 8th International Conference on Computer Aided Verification, CAV 96, volume 1102 of LNCS, pages 269–276. Springer, 1996.
[4] A. Aziz, V. Singhal, and F. Balarin. It usually works: The temporal logic of stochastic systems. In P. Wolper, editor, Proc. 7th International Conference on Computer Aided Verification, CAV 95, volume 939 of LNCS, pages 155–165. Springer, 1995.
[5] C. Baier, L. Cloth, B. R. Haverkort, M. Kuntz, and M. Siegle. Model checking Markov chains with actions and state labels. IEEE Trans. Software Eng., 33(4):209–224, 2007.
[6] C. Baier, B. R. Haverkort, H. Hermanns, and J.-P. Katoen. Model checking continuous-time Markov chains by transient analysis. In E. A. Emerson and A. P. Sistla, editors, Proc. 12th International Conference on Computer Aided Verification, CAV 00, volume 1855 of LNCS, pages 358–372. Springer, 2000.
[7] C. Baier, B. R. Haverkort, H. Hermanns, and J.-P. Katoen. Automated performance and dependability evaluation using model checking. In M. Calzarossa and S. Tucci, editors, Performance 2002, Tutorial Lectures, volume 2459 of LNCS, pages 261–289. Springer, 2002.
[8] C. Baier, B. R. Haverkort, H. Hermanns, and J.-P. Katoen. Model-checking algorithms for continuous-time Markov chains. IEEE Trans. Software Eng., 29(6):524–541, 2003.
[9] C. Baier, J.-P. Katoen, and H. Hermanns. Approximate symbolic model checking of continuous-time Markov chains. In J. C. M. Baeten and S. Mauw, editors, Proc. 10th International Conference on Concurrency Theory, CONCUR 99, volume 1664 of LNCS, pages 146–161. Springer, 1999.
[10] A. Bianco and L. de Alfaro. Model checking of probabilistic and nondeterministic systems. In P. S. Thiagarajan, editor, Proc. of the 15th Conference on Foundations of Software Technology and Theoretical Comp. Science, FSTTCS 95, volume 1026 of LNCS, pages 499–513. Springer, 1995.
[11] F. Bitsch. Safety patterns - the key to formal specification of safety requirements. In U. Voges, editor, Proc. Computer Safety, Reliability and Security, 20th Int. Conference, SAFECOMP 2001, volume 2187 of LNCS, pages 176–189. Springer, 2001.
[12] F. Ciesinski and M. Größer. On probabilistic computation tree logic. In C. Baier, B. R. Haverkort, H. Hermanns, J.-P. Katoen, and M. Siegle, editors, Validation of Stochastic Systems - A Guide to Current Research, volume 2925 of LNCS, pages 147–188. Springer, 2004.
[13] E. M. Clarke Jr., E. A. Emerson, and A. P. Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Transactions on Programming Languages and Systems, 8(2):244–263, Apr. 1986.
[14] J. Corbett, M. Dwyer, J. Hatcliff, C. Pasareanu, Robby, S. Laubach, and H. Zheng. Bandera: Extracting finite-state models from Java source code. In Proc. 22nd International Conference on Software Engineering, ICSE 00, pages 439–448. IEEE Computer Society, 2000.
[15] DCCS-Project. ProProST Webpage. http://www.itee.uq.edu.au/~dccs/ProProST/, 2007.
[16] L. de Alfaro. Formal Verification of Probabilistic Systems. PhD thesis, Stanford University, 1997. Technical report STAN-CS-TR-98-1601.
[17] M. B. Dwyer, G. S. Avrunin, and J. C. Corbett. Patterns in property specifications for finite-state verification. In Proc. 21st International Conference on Software Engineering, ICSE 99, pages 411–420. IEEE Comp. Society/ACM Press, 1999.
[18] S. Flake, W. Müller, and J. Ruf. Structured English for Model Checking Specification. Methoden und Beschreibungssprachen zur Modellierung und Verifikation von Schaltungen und Systemen, Frankfurt/M, pages 99–108.
[19] E. Gamma, R. Helm, R. Johnson, and J. Vlissides. Design Patterns. Addison-Wesley, 1995.
[20] V. Gruhn and R. Laue. Patterns for timed property specifications. Electr. Not. Theor. Comp. Sci., 153(2):117–133, 2006.
[21] L. Grunske. Early quality prediction of component-based systems - a generic framework. Journal of Systems and Software, 80(5):678–686, 2007.
[22] L. Grunske, R. Colvin, and K. Winter. Probabilistic Model-Checking Support for FMEA. In Proc. 4th International Conference on the Quantitative Evaluation of Systems, QEST 07, pages 119–128. IEEE Computer Society, 2007.
[23] H. Hansson and B. Jonsson. A logic for reasoning about time and reliability. Formal Aspects of Computing, 6(5):512–535, 1994.
[24] H. Hermanns, J.-P. Katoen, J. Meyer-Kayser, and M. Siegle. A tool for model-checking Markov chains. International Journal on Software Tools for Technology Transfer (STTT), 4(2):153–172, Feb. 2003.
[25] S. Konrad and B. H. C. Cheng. Real-time specification patterns. In 27th Int. Conf. on Software Engineering, ICSE 05, pages 372–381. ACM, 2005.
[26] R. Koymans. Specifying Real-Time Properties with Metric Temporal Logic. Real-Time Systems, 2:255–299, 1990.
[27] M. Z. Kwiatkowska. Model checking for probability and time: from theory to practice. In Proceedings of the 18th Annual IEEE Symposium on Logic in Computer Science, LICS 03, pages 351–360, Los Alamitos, CA, June 22–25 2003. IEEE Computer Society.
[28] M. Z. Kwiatkowska, G. Norman, and D. Parker. Probabilistic symbolic model checking with PRISM: a hybrid approach. Int. Journal on Software Tools for Technology Transfer (STTT), 6(2):128–142, Aug. 2004.
[29] M. Z. Kwiatkowska, G. Norman, D. Parker, and J. Sproston. Performance analysis of probabilistic timed automata using digital clocks. Formal Methods in System Design, 29(1):33–78, 2006.
[30] M. Z. Kwiatkowska, G. Norman, J. Sproston, and F. Wang. Symbolic model checking for probabilistic timed automata. Inf. Comput., 205(7):1027–1077, 2007.
[31] Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems, Specification. Springer-Verlag, 1992.
[32] D. O. Paun and M. Chechik. Events in linear-time properties. In Proc. 4th IEEE International Symposium on Requirements Engineering, RE 99, pages 123–132. IEEE Computer Society, 1999.
[33] K. Sen, M. Viswanathan, and G. Agha. On statistical model checking of stochastic systems. In K. Etessami and S. K. Rajamani, editors, Proc. 17th International Conference on Computer Aided Verification, CAV 05, volume 3576 of LNCS, pages 266–280. Springer, 2005.
[34] R. L. Smith, G. S. Avrunin, L. A. Clarke, and L. J. Osterweil. PROPEL: an approach supporting property elucidation. In Proc. of the 24th International Conference on Software Engineering, ICSE 02, pages 11–21. ACM Press, 2002.
[35] T. Suto, J. T. Bradley, and W. J. Knottenbelt. Performance Trees: A New Approach to Quantitative Performance Specification. In Proc. of the 14th Int. Symp. on Modeling, Analysis, and Simulation of Computer and Telecom. Systems, MASCOTS 2006, pages 303–313. IEEE Computer Society, 2006.
[36] H. L. S. Younes, M. Z. Kwiatkowska, G. Norman, and D. Parker. Numerical vs. statistical probabilistic model checking: An empirical study. In K. Jensen and A. Podelski, editors, Proc. Tools and Algorithms for the Construction and Analysis of Systems, TACAS 04, volume 2988 of LNCS, pages 46–60. Springer, 2004.
[37] H. L. S. Younes and R. G. Simmons. Probabilistic verification of discrete event systems using acceptance sampling. In E. Brinksma and K. G. Larsen, editors, Proc. 14th International Conference on Computer Aided Verification, CAV 02, volume 2404 of LNCS, pages 223–235. Springer, 2002.
[38] J. Yu, T. Phan, J. Han, Y. Jin, Y. Han, and J. Wang. Pattern based property specification and verification for service composition. In K. Aberer et al., editors, Proc. 7th Int. Conference on Web Information Systems Engineering, WISE 06, volume 4255 of LNCS, pages 156–168. Springer, 2006.
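As an added worked example (not code from the paper or from the ProProST project), the following Python script instantiates the Probabilistic Response pattern for the airbag requirement of the structured-grammar section as a (structured English, CSL-style formula) pair, and then checks the time-bounded response obligation on a constructed five-state discrete-time Markov chain of the deployment logic. Everything beyond the requirement text is an assumption made for this illustration: the formula nesting (a time-bounded eventually inside a globally), the one-step-per-millisecond abstraction, the chain and its transition probabilities, and the per-step failure parameter. The check uses the standard backward iteration for bounded reachability in a discrete-time Markov chain (the PCTL bounded-until algorithm of [23]) rather than CSL on a continuous-time model, and it checks the inner obligation in every phi1 state, which is a sufficient condition for the outer probability bound.

```python
# Added example, not taken from the paper or the ProProST repository.
# Pattern instantiation plus a bounded-reachability check on a constructed DTMC.


def probabilistic_response(phi1, phi2, p_bound, t_bound, unit):
    """Return (structured English sentence, CSL-style formula) for a
    probabilistic response requirement. The sentence follows the wording of
    the airbag example; the formula nesting is an assumption of this
    example, not a quotation of the ProProST template."""
    sentence = (
        "The system shall have a behavior where with a probability greater than "
        f"{p_bound} it is the case that if ({phi1}) holds, then as a response "
        f"({phi2}) becomes true within {t_bound} {unit}."
    )
    formula = f"P>{p_bound} [ G ( ({phi1}) -> P>{p_bound} [ F<={t_bound} ({phi2}) ] ) ]"
    return sentence, formula


def bounded_reachability(matrix, targets, steps):
    """P(F<=steps targets) for every state of a DTMC given as a row-stochastic
    matrix: backward iteration in which target states are absorbing with
    value 1 and all other states start at 0."""
    n = len(matrix)
    for row in matrix:  # reject a model that is not a probability matrix
        assert abs(sum(row) - 1.0) < 1e-9, "every row must sum to 1"
    prob = [1.0 if s in targets else 0.0 for s in range(n)]
    for _ in range(steps):
        prob = [1.0 if s in targets
                else sum(matrix[s][t] * prob[t] for t in range(n))
                for s in range(n)]
    return prob


def check_response(matrix, phi1_states, phi2_states, p_bound, steps):
    """Check phi1 -> P>p_bound [ F<=steps phi2 ] in every state.
    If that holds everywhere, every path satisfies the G(...) part of the
    pattern, so the outer P>p_bound bound holds as well (a sufficient,
    stronger condition than the pattern itself). Returns (verdict, worst
    response probability over the phi1 states)."""
    if not phi1_states:
        return True, 1.0  # vacuously satisfied: no state ever triggers
    prob = bounded_reachability(matrix, phi2_states, steps)
    worst = min(prob[s] for s in phi1_states)
    return worst > p_bound, worst


def airbag_model(per_step_failure):
    """Constructed 5-state DTMC, one step = 1 ms (assumption):
    0 idle, 1 side crash detected (phi1), 2 deploying,
    3 both side airbags deployed (phi2), 4 deployment failed (absorbing).
    From state 2, each millisecond deploys with probability 0.5, fails
    with the given probability, and otherwise keeps waiting."""
    stay = 1.0 - 0.5 - per_step_failure
    return [
        [0.999, 0.001, 0.0, 0.0, 0.0],
        [0.0, 0.0, 1.0, 0.0, 0.0],
        [0.0, 0.0, stay, 0.5, per_step_failure],
        [0.0, 0.0, 0.0, 1.0, 0.0],
        [0.0, 0.0, 0.0, 0.0, 1.0],
    ]


PHI1 = {1}  # states satisfying (crash=occurred AND crash-location = not(front-on))
PHI2 = {3}  # states satisfying (side-airbag1=deployed AND side-airbag2=deployed)


if __name__ == "__main__":
    sentence, formula = probabilistic_response(
        "crash=occurred AND crash-location = not(front-on)",
        "side-airbag1=deployed AND side-airbag2=deployed",
        0.99999, 60, "milliseconds")
    print(sentence)
    print(formula)
    for failure in (1e-6, 1e-4):
        ok, worst = check_response(airbag_model(failure), PHI1, PHI2, 0.99999, 60)
        print(f"failure/step={failure:g}: worst P(F<=60 phi2) = {worst:.6f} "
              f"-> {'holds' if ok else 'violated'}")
```

Running the script prints the requirement pair and the worst-case response probability for two failure rates: with a per-step failure probability of 1e-6 the 0.99999 bound holds, with 1e-4 it is violated, even though both chains deploy within 60 steps almost surely when no failure occurs. That quantitative margin is exactly what the natural-language sentence alone does not expose, and it is why the formal half of the tuple matters.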