Specification Patterns for Probabilistic Quality Properties

Software-intensive systems in application domains like medical applications, automotive systems, air traffic control, and railway signalling have stringent quality and dependability requirements. Most of these requirements have a probabilistic nature.
Examples:
1. Availability requirements probabilistically specify the ability of a system to operate correctly at a
certain point in time when a service is requested.
2. Safety requirements state that the probability that a certain hazard occurs must be less than a probability bound determined by the tolerable hazard rate.
3. Security requirements request that the probability of successful attacks does not exceed tolerable
thresholds.
4. Performance requirements for non-real-time critical systems often state that a certain percentage
of system requests must be handled within specified time-bounds.
Why not use traditional verification techniques based on temporal and real-time temporal logics? Because these techniques focus on absolute guarantees of correctness.
What are probabilistic verification techniques? They operate on models that, in addition to deterministic and non-deterministic decisions, also allow probabilistic decisions. Based on these probabilistic models it is possible to specify probabilistic system behavior caused by, e.g., intrinsically unreliable hardware components and environment characteristics such as the workload of a system.
Challenges for practitioners: Commonly used models are Markov chains and Markov decision processes. For practitioners, the correct translation of informal, textually specified quality requirements into formal probabilistic properties is challenging.
To ease the formulation of probabilistic properties this paper investigates the possibility of
transferring the concept of specification patterns [17] to probabilistic properties. A property
specification pattern describes a generalized recurring property and provides a solution in the form
of a formal specification in different traditional temporal logics, e.g. CTL [13] and LTL [31].
The main feature that distinguishes this pattern system from previous pattern systems is its focus on externally observable quality requirements and properties in the areas of safety, security, reliability, availability, performance and performability, which are important for many software-intensive systems. Based on this focus, the pattern system is constructed to facilitate the specification of probabilistic properties, and the underlying formal specification languages are probabilistic temporal logics (PCTL [23], PCTL* [4] and CSL [3, 9]). None of the existing pattern systems is able to describe these probabilistic properties, as their focus is on traditional properties [11, 32, 34] and real-time properties [18, 20, 25]. As a result, ProProST complements the existing approaches and provides a significant extension of the existing property specification patterns.
The main contribution of this paper is a repository of specification patterns for probabilistic
properties. This repository called ProProST (Probabilistic Property Specification Templates) has been
compiled from a comprehensive literature review on probabilistic logics and probabilistic verification
techniques (154 properties from 56 papers), which also pointed out that currently no such
repository exists.
The analysis showed that 46 out of 48 quality requirements could be specified with one of the probabilistic property specification patterns. Due to the intrinsically probabilistic nature of these quality requirements, an adequate formulation of the properties with the existing specification pattern systems was not possible. As a result, this pattern repository complements and extends the existing pattern systems [17, 25], in that it allows probabilistic properties to be specified as they are required to formulate quality properties.
A second contribution of this paper is a structured English grammar to formulate natural-language quality properties and requirements based on the developed specification patterns. The benefit of this approach is an unambiguous relationship between the natural language and the formal representation of the property. The structured English grammar itself provides the possibility for non-expert practitioners to specify probabilistic properties correctly.
The Pattern System ProProST
The recurring problem tackled by the probabilistic patterns is: how to formalize probabilistic properties as they are used in requirement specifications to express safety, security, reliability, availability, performance and performability requirements and goals.
Solution:
The pattern system for probabilistic properties follows the idea of architecture and design patterns
[1, 19] to provide solutions for common recurring problems.
Each pattern describes a generalized recurring property and provides a solution in the form of a
formal specification template in the probabilistic temporal logic CSL.
Benefit: These specification patterns capture expert knowledge about the formalization of probabilistic properties. This knowledge is presented in a way that allows non-experts in probabilistic verification techniques to specify these properties correctly.
STRUCTURED GRAMMAR
As a textual front-end for the ProProST pattern system a structured English grammar has been constructed. This grammar contains two sub-grammars, one for natural language representations and one for CSL formulae. The sentences constructed by this pair of grammars are tuples containing a natural language representation of the probabilistic property and a probabilistic temporal logic formula. The natural language representation is often easier for practitioners to understand and can also be used directly to express quality requirements. Based on this novel formalism a clear relationship between the natural language and the formal representation in probabilistic logic can be established.
As a result the research presented in this paper can support the maturation of probabilistic
verification techniques, similar to the earlier property specification pattern systems for finite-state
and real-time verification.
To explain the use of the structured English grammar, the following safety property is translated into a CSL formula: “Whenever a crash has occurred and the crash location is not a front-on crash then within 60 milliseconds both side airbags shall be deployed with a probability higher than 99.999%”. This property is an instance of the Probabilistic Response pattern, where the first state formula phi1 is (crash=occurred AND crash-location = not(front-on)) and the second state formula phi2 is (side-airbag1=deployed AND side-airbag2=deployed). Based on the grammar the following natural language requirement and CSL formula can be constructed with the derivation sequence (1,2,4,11,15,21,24,25):
The system shall have a behavior where with a probability greater than 0.99999 it is the case that if (crash=occurred AND crash-location = not(front-on)) holds, then as a response (side-airbag1=deployed AND side-airbag2=deployed) becomes true within 60 milliseconds.
Related References: [8, 16, 21,17,18,25].
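The following added example (not code from the paper or the ProProST project) shows what checking a Probabilistic Response instance amounts to once the property is formal: the bounded-reachability iteration of PCTL is run on a small, constructed discrete-time Markov chain of an airbag controller, where one transition is assumed to be one 1 ms tick so that "within 60 milliseconds" becomes 60 steps. The model, its probabilities and the state names are assumptions made for illustration; the CSL property on the page is over a continuous-time model, and the discrete chain is a simplification.

```python
from typing import Dict, Set, Tuple

# Constructed DTMC of a side-airbag controller (assumption, not a model from the paper).
# crash: side-on crash detected, sense: sensors confirmed it, deployed: both side
# airbags out, fail: sensor/squib failure so deployment is no longer possible.
TRANSITIONS: Dict[str, Dict[str, float]] = {
    "idle":     {"idle": 0.99, "crash": 0.01},
    "crash":    {"sense": 0.9, "crash": 0.1},      # 10% chance of a 1 ms sensing delay
    "sense":    {"deployed": 0.98, "fail": 0.02},  # constructed 2% hardware failure
    "deployed": {"deployed": 1.0},
    "fail":     {"fail": 1.0},
}
PHI1: Set[str] = {"crash"}     # (crash=occurred AND crash-location = not(front-on))
PHI2: Set[str] = {"deployed"}  # (side-airbag1=deployed AND side-airbag2=deployed)


def validate(trans: Dict[str, Dict[str, float]]) -> bool:
    """Every row must be a probability distribution over known states."""
    return all(abs(sum(row.values()) - 1.0) < 1e-9 and set(row) <= set(trans)
               for row in trans.values())


def bounded_reach(trans: Dict[str, Dict[str, float]], target: Set[str],
                  steps: int) -> Dict[str, float]:
    """Probability of reaching a target state within `steps` transitions, from
    every state: the standard fixed-point iteration for F<=k phi in PCTL.
    Target states keep probability 1, i.e. they are treated as absorbing."""
    prob = {s: (1.0 if s in target else 0.0) for s in trans}
    for _ in range(steps):
        prob = {s: 1.0 if s in target
                else sum(p * prob[t] for t, p in trans[s].items())
                for s in trans}
    return prob


def check_response(trans: Dict[str, Dict[str, float]], phi1: Set[str],
                   phi2: Set[str], steps: int, bound: float) -> Tuple[bool, float]:
    """Probabilistic Response: from every phi1 state, phi2 must be reached within
    `steps` with probability greater than `bound`. Returns the verdict and the
    worst-case (minimum) probability over the phi1 states, which is the number
    an engineer needs when the requirement is violated."""
    if not validate(trans):
        raise ValueError("transition rows must sum to 1")
    reach = bounded_reach(trans, phi2, steps)
    worst = min(reach[s] for s in phi1)
    return worst > bound, worst


if __name__ == "__main__":
    holds, worst = check_response(TRANSITIONS, PHI1, PHI2, 60, 0.99999)
    print(f"requirement holds: {holds}, worst-case P(deployed within 60 ms) = {worst:.5f}")
```

With the constructed 2% failure branch the 0.99999 bound is violated (the worst case converges to 0.98), which is exactly the kind of verdict the formal property makes checkable, whereas the informal sentence alone does not.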
8. REFERENCES
[1] C. Alexander. The Timeless Way of Building. Oxford University Press, New York, 1979.
[2] R. Alur, C. Courcoubetis, and D. Dill. Model-checking for real-time systems. In Proc. Fifth Annual IEEE Symposium on Logic in Computer Science, LICS 90, pages 414–425. IEEE Computer Society Press, 1990.
[3] A. Aziz, K. Sanwal, V. Singhal, and R. K. Brayton. Verifying continuous time Markov chains. In R. Alur and T. A. Henzinger, editors, Proc. 8th International Conference on Computer Aided Verification, CAV 96, volume 1102 of LNCS, pages 269–276. Springer, 1996.
[4] A. Aziz, V. Singhal, and F. Balarin. It usually works: The temporal logic of stochastic systems. In P. Wolper, editor, Proc. 7th International Conference on Computer Aided Verification, CAV 95, volume 939 of LNCS, pages 155–165. Springer, 1995.
[5] C. Baier, L. Cloth, B. R. Haverkort, M. Kuntz, and M. Siegle. Model checking Markov chains with actions and state labels. IEEE Trans. Software Eng., 33(4):209–224, 2007.
[6] C. Baier, B. R. Haverkort, H. Hermanns, and J.-P. Katoen. Model checking continuous-time Markov chains by transient analysis. In E. A. Emerson and A. P. Sistla, editors, Proc. 12th International Conference on Computer Aided Verification, CAV 00, volume 1855 of LNCS, pages 358–372. Springer, 2000.
[7] C. Baier, B. R. Haverkort, H. Hermanns, and J.-P. Katoen. Automated performance and dependability evaluation using model checking. In M. Calzarossa and S. Tucci, editors, Performance 2002, Tutorial Lectures, volume 2459 of LNCS, pages 261–289. Springer, 2002.
[8] C. Baier, B. R. Haverkort, H. Hermanns, and J.-P. Katoen. Model-checking algorithms for continuous-time Markov chains. IEEE Trans. Software Eng., 29(6):524–541, 2003.
[9] C. Baier, J.-P. Katoen, and H. Hermanns. Approximate symbolic model checking of continuous-time Markov chains. In J. C. M. Baeten and S. Mauw, editors, Proc. 10th International Conference on Concurrency Theory, CONCUR 99, volume 1664 of LNCS, pages 146–161. Springer, 1999.
[10] A. Bianco and L. de Alfaro. Model checking of probabilistic and nondeterministic systems. In P. S. Thiagarajan, editor, Proc. of the 15th Conference on Foundations of Software Technology and Theoretical Comp. Science, FSTTCS 95, volume 1026 of LNCS, pages 499–513. Springer, 1995.
[11] F. Bitsch. Safety patterns - the key to formal specification of safety requirements. In U. Voges, editor, Proc. Computer Safety, Reliability and Security, 20th Int. Conference, SAFECOMP 2001, volume 2187 of LNCS, pages 176–189. Springer, 2001.
[12] F. Ciesinski and M. Größer. On probabilistic computation tree logic. In C. Baier, B. R. Haverkort, H. Hermanns, J.-P. Katoen, and M. Siegle, editors, Validation of Stochastic Systems - A Guide to Current Research, volume 2925 of LNCS, pages 147–188. Springer, 2004.
[13] E. M. Clarke Jr., E. A. Emerson, and A. P. Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Transactions on Programming Languages and Systems, 8(2):244–263, Apr. 1986.
[14] J. Corbett, M. Dwyer, J. Hatcliff, C. Pasareanu, Robby, S. Laubach, and H. Zheng. Bandera: Extracting finite-state models from Java source code. In Proc. 22nd International Conference on Software Engineering, ICSE 00, pages 439–448. IEEE Computer Society, 2000.
[15] DCCS-Project. ProProST Webpage http://www.itee.uq.edu.au/~dccs/ProProST/. 2007.
[16] L. de Alfaro. Formal Verification of Probabilistic Systems. PhD thesis, Stanford University, 1997. Technical report STAN-CS-TR-98-1601.
[17] M. B. Dwyer, G. S. Avrunin, and J. C. Corbett. Patterns in property specifications for finite-state verification. In Proc. 21st International Conference on Software Engineering, ICSE 99, pages 411–420. IEEE Comp. Society/ACM Press, 1999.
[18] S. Flake, W. Müller, and J. Ruf. Structured English for Model Checking Specification. Methoden und Beschreibungssprachen zur Modellierung und Verifikation von Schaltungen und Systemen, Frankfurt/M, pages 99–108.
[19] E. Gamma, R. Helm, R. Johnson, and J. Vlissides. Design Patterns. Addison-Wesley, 1995.
[20] V. Gruhn and R. Laue. Patterns for timed property specifications. Electr. Not. Theor. Comp. Sci, 153(2):117–133, 2006.
[21] L. Grunske. Early quality prediction of component-based systems - a generic framework. Journal of Systems and Software, 80(5):678–686, 2007.
[22] L. Grunske, R. Colvin, and K. Winter. Probabilistic Model-Checking Support for FMEA. In Proc. 4th International Conference on the Quantitative Evaluation of Systems, QEST 07, pages 119–128. IEEE Computer Society, 2007.
[23] H. Hansson and B. Jonsson. A logic for reasoning about time and reliability. Formal Aspects of Computing, 6(5):512–535, 1994.
[24] H. Hermanns, J.-P. Katoen, J. Meyer-Kayser, and M. Siegle. A tool for model-checking Markov chains. International Journal on Software Tools for Technology Transfer (STTT), 4(2):153–172, Feb. 2003.
[25] S. Konrad and B. H. C. Cheng. Real-time specification patterns. In 27th Int. Conf. on Software Engineering, ICSE 05, pages 372–381. ACM, 2005.
[26] R. Koymans. Specifying Real-Time Properties with Metric Temporal Logic. Real-Time Systems, 2:255–299, 1990.
[27] M. Z. Kwiatkowska. Model checking for probability and time: from theory to practice. In Proceedings of the 18th Annual IEEE Symposium on Logic in Computer Science, LICS 03, pages 351–360, Los Alamitos, CA, June 22–25 2003. IEEE Computer Society.
[28] M. Z. Kwiatkowska, G. Norman, and D. Parker. Probabilistic symbolic model checking with PRISM: a hybrid approach. Int. Journal on Software Tools for Technology Transfer (STTT), 6(2):128–142, Aug. 2004.
[29] M. Z. Kwiatkowska, G. Norman, D. Parker, and J. Sproston. Performance analysis of probabilistic timed automata using digital clocks. Formal Methods in System Design, 29(1):33–78, 2006.
[30] M. Z. Kwiatkowska, G. Norman, J. Sproston, and F. Wang. Symbolic model checking for probabilistic timed automata. Inf. Comput, 205(7):1027–1077, 2007.
[31] Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems, Specification. Springer-Verlag, 1992.
[32] D. O. Paun and M. Chechik. Events in linear-time properties. In Proc. 4th IEEE International Symposium on Requirements Engineering, RE 99, pages 123–132. IEEE Computer Society, 1999.
[33] K. Sen, M. Viswanathan, and G. Agha. On statistical model checking of stochastic systems. In K. Etessami and S. K. Rajamani, editors, Proc. 17th International Conference Computer Aided Verification, CAV 05, volume 3576 of LNCS, pages 266–280. Springer, 2005.
[34] R. L. Smith, G. S. Avrunin, L. A. Clarke, and L. J. Osterweil. PROPEL: an approach supporting property elucidation. In Proc. of the 24th International Conference on Software Engineering, ICSE-02, pages 11–21. ACM Press, 2002.
[35] T. Suto, J. T. Bradley and W. J. Knottenbelt. Performance Trees: A New Approach to Quantitative Performance Specification. In Proc. of the 14th Int. Symp. on Modeling, Analysis, and Simulation of Computer and Telecom. Systems, (MASCOTS 2006), pages 303–313. IEEE Computer Society, 2006.
[36] H. L. S. Younes, M. Z. Kwiatkowska, G. Norman, and D. Parker. Numerical vs. statistical probabilistic model checking: An empirical study. In K. Jensen and A. Podelski, editors, Proc. Tools and Algorithms for the Construction and Analysis of Systems, TACAS 04, volume 2988 of LNCS, pages 46–60. Springer, 2004.
[37] H. L. S. Younes and R. G. Simmons. Probabilistic verification of discrete event systems using acceptance sampling. In E. Brinksma and K. G. Larsen, editors, Proc. 14th International Conference Computer Aided Verification, CAV 02, volume 2404 of LNCS, pages 223–235. Springer, 2002.
[38] J. Yu, T. Phan, J. Han, Y. Jin, Y. Han, and J. Wang. Pattern based property specification and verification for service composition. In K. Aberer et al., editor, Proc. 7th Int. Conference on Web Information Systems Engineering, WISE 06, volume 4255 of LNCS, pages 156–168. Springer, 2006.