# Safety Analysis of AADL Models for Grid Cyber-Physical Systems via Model Checking of Stochastic Games

^{*}

## Abstract

**:**

## 1. Introduction

## 2. Preliminaries

#### 2.1. AADL

#### 2.2. Model Checking of Stochastic Multi-Player Games

**Definition**

**1.**

**SMG**: A (turn-based) stochastic multi-player game (SMG) is a tuple $G=(\Pi ,S,A,{({S}_{i})}_{i\in \Pi},\Delta ,AP,\chi )$, where: Π is a finite set of players; S is a finite, non-empty set of states; A is a finite, non-empty set of actions; ${({S}_{i})}_{i\in \Pi}$ is a partition of S; $\Delta :S\times A\to D(S)$ is a (partial) transition function; $AP$ is a finite set of atomic propositions; and $\chi :S\to {2}^{AP}$ is a labelling function.

`<<player1, player2>> Pmax<=0.05 [ F<=60 terminating ]`, i.e., “can players 1 and 2 collaborate so that the maximal probability of the system terminating within 60 s is at most 0.05, whatever players 3 and 4 do?”

`[a] s>0 & n=1 -> 0.1:(n${}^{\prime}$=2)+0.9:(n${}^{\prime}$=0);`is a command, where

`a`is an action for the synchronization between modules,

`s>0 & n=1`is the guard that is the condition for the execution of this command, and

`0.1:(n${}^{\prime}$=2)`and

`0.9:(n${}^{\prime}$=0)`are transitions. Each transition has a probability value and an update, for example,

`0.1`is a probability corresponding to the update

`n${}^{\prime}$=2`in the transition

`0.1:(n${}^{\prime}$=2)`. Constants can be integers, doubles or booleans. A formula comprises a name and an expression. The formula name can be used as shorthand for the expression to avoid duplication of codes.

## 3. Approach

#### 3.1. Building AADL Models for GCPSs

`bus1`,

`bus2`and

`bus3`), which are managed by PMSs (

`PMS1`,

`PMS2`and

`PMS3`), respectively. A PMS contains some hardware devices such as sensors and line breakers, etc. It can sample data, receive commands from the control center, and control line breakers. Here, a PMS is considered as a whole and the internal structure is not specified at the architecture level. In this GCPS, there are three generators (

`G1`,

`G2`and

`G3`) used to supply the power. Black lines between buses and generators are power transmission lines (

`TL1`,

`TL2`and

`TL3`). Additionally, there exists a control center system to control this GCPS. PMSs and generators can send and receive the information to the control center.

`G1`,

`G2`and

`G3`devices in Figure 2 are corresponding to three generators in Figure 3. Similarly, the

`PMS1`,

`PMS2`and

`PMS3`systems are corresponding to three PMSs. The

`TL1`,

`TL2`and

`TL3`devices are corresponding to three transmission lines. There are also two buses, a transmission line (

`TL`) and a data line (

`DL`). The control center system is modeled as a system component

`GCPSsys`, which contains these subcomponents, so that the

`GCPSsys`can communicate with generators, PMSs and transmission lines through the hierarchical structure in the AADL model.

`GCPSsys`system component,

`GCPS_O`(

`O`denotes an operational state) and

`GCPS_F`(

`F`denotes a failed state) are error states, and

`GCPS_H`(

`H`denotes a hazard) is a hazard. Because the detailed hazard model of

`GCPSsys`is complex, only part of that is shown in Figure 3 and we will introduce the complete hazard model in Section 5. For example, in the subcomponent

`PMS1`, its state can evolve from

`P1O`to

`P1F`and from

`P1F`to

`P1O`. It can also be triggered by an incoming propagation point so that its state may change from

`P1O`to

`P1F`and from

`P1F`to

`P1F`. All generators, PMSs and TLs can be triggered by an incoming propagation point from

`environment`, but to make this AADL model clear, these error transitions are not drawn in Figure 3.

`normal`to

`abnormal`represents a contingency from the environment occurs randomly during the normal execution of the

`GCPSsys`. The

`environment`’s state is

`abnormal`, it means a contingency has occurred. The state transition from

`abnormal`to

`abnormal`represents that this contingency gives rise to the continuous disturbance to the

`GCPSsys`. The state transition from

`abnormal`to

`normal`represents that this contingency disturbs the

`GCPSsys`and recover to

`normal`. The latter two state transitions occur nondeterministically. While one of these two transitions is occurring, the

`environment`can propagate an error to connected components and affects the

`GCPSsys`, for example, the outgoing propagation point of

`environment`can trigger error transitions in

`PMS1`(from

`P1O`to

`P1F`and from

`P1F`to

`P1F`).

#### 3.2. Transforming AADL Models to SMG Models

**Definition**

**2.**

- $\Pi =\{sys,env\}$ is the set of players formed by a GCPS and its environment.
- $S={S}_{sys}\cup {S}_{env}$ is the set of states, where ${S}_{sys}$ and ${S}_{env}$ are sets of states owned by the system and the environment players, respectively, and ${S}_{sys}\cap {S}_{env}=\mathsf{\varnothing}$.
- $A={A}_{sys}\cup {A}_{env}$ is the set of actions, where ${A}_{sys}$ and ${A}_{env}$ are sets of actions controlled by the system and the environment players, respectively. In this paper, for all commands, actions are ${A}_{sys}=\{run\}$ and ${A}_{env}=\{disturb\}$.
- $\Delta :S\times A\to D(S)$ is a (partial) transition function based on error transitions, hazard transitions, error propagations and hazard propagations.
- $AP$ is a set of all the predicates that are built over state variables including error states and hazards.
- $\chi :S\to {2}^{AP}$ is a labelling function for hazard sources.

#### 3.3. Generating Property Formulae

#### 3.4. Verifying Property Formulae for Safety Analysis

## 4. Model Transformation

#### 4.1. Formalization of AADL Models

`System1`and

`System2`. EPs are propagations between ETs of connected components (

`System1`and

`System2`). CEBs are behaviors of a composite component,

`PowerSystem`, whose state is affected by its subcomponents, two systems. ETs are also allowed to be established in a composite component. HTs are hazard behaviors of a component. HPs are the evolvement from CEBs or ETs to HTs.

#### 4.1.1. Basic Elements of an AADL Model

**Definition**

**3.**

- ${A}_{es}=(S,{s}_{0},A,\Delta ,AP,L)$, where: S is a finite set of error states; ${s}_{0}$ is an initial error state; $AP$ is a finite set of atomic propositions built over error states.
- ${A}_{ee}=(S,{s}_{0},A,\Delta ,AP,L)$, where: A is a finite set of actions based on error events in the triggered condition; For a probabilistic error transition function $\Delta :S\times A\to D(S)$, $D(S)$ is established based on probabilities of error events.
- ${A}_{h}=(S,{s}_{0},A,\Delta ,AP,L)$, where: S is a finite set of hazards; $AP$ is a finite set of atomic propositions built over hazards.
- ${A}_{ht}=(S,{s}_{0},A,\Delta ,AP,L)$ A is a finite set of actions based on hazard triggers in the triggered condition; $\Delta :S\times A\to D(S)$ is a probabilistic hazard transition function and $D(S)$ is established based on probabilities of hazard triggers;
- ${A}_{hs}=(S,{s}_{0},A,\Delta ,AP,L)$, where: S is a finite set of hazard sources; $AP$ is a finite set of atomic propositions built over hazard sources; $L:S\to {2}^{AP}$ is a labelling function.

#### 4.1.2. Other Five Constituent Parts of an AADL Model

**Definition**

**4.**

**EP**Error propagations (EPs) between two components are defined as a tuple ${A}_{ep}=(S,{s}_{0},A,\Delta ,AP,L)$, where: S is a finite set of error states and states of outgoing propagation points; ${s}_{0}$ is an initial error state; A is a finite set of actions based on the triggered condition including error events and ingoing propagation points; $\Delta :S\times A\to D(S)$ is a (partial) probabilistic error transition function and $D(S)$ is established based on probabilities of error events; $AP$ is a finite set of atomic propositions built over error states and outgoing propagation points; $L:S\to {2}^{AP}$ is a labelling function.

**Definition**

**5.**

**ET**Error transitions (ETs) of an AADL component are defined as a tuple ${A}_{et}=(S,{s}_{0},A,\Delta ,AP,L)$, where: S is a finite set of error states; ${s}_{0}$ is an initial error state; A is a finite set of actions based on the triggered condition including error events and ingoing propagation points; $\Delta :S\times A\to D(S)$ is a (partial) probabilistic error transition function and $D(S)$ is established based on probabilities of error events; $AP$ is a finite set of atomic propositions built over error states; $L:S\to {2}^{AP}$ is a labelling function.

**Definition**

**6.**

**CEB**Composite error behaviors (CEBs) of an AADL component are defined as a tuple ${A}_{ceb}=(S,{s}_{0},A,\Delta ,AP,L)$, where: S is a finite set of error states including error states of subcomponents; ${s}_{0}$ is empty; A is empty; $\Delta :S\times A\to D(S)$ is an error transition function and $D(S)$ is equal to 1; $AP$ is a finite set of atomic propositions built over error states; $L:S\to {2}^{AP}$ is a labelling function.

**Definition**

**7.**

**HP**Hazard propagations (HPs) of an AADL component are defined as a tuple ${A}_{hp}=(S,{s}_{0},A,\Delta ,AP,L)$, where: S is a finite set of hazard sources and hazards; ${s}_{0}$ is empty; A is a finite set of actions built based on hazard triggers; $\Delta :S\times A\to D(S)$ is a (partial) probabilistic hazard propagation function and $D(S)$ is established based on probabilities of hazard triggers; $AP$ is a finite set of atomic propositions built over hazard sources and hazards; $L:S\to {2}^{AP}$ is a labelling function.

**Definition**

**8.**

**HT**Hazard transitions (HTs) of an AADL component are defined as a tuple ${A}_{ht}=(S,{s}_{0},A,\Delta ,AP,L)$, where: S is a finite set of hazards; ${s}_{0}$ is empty; A is a finite set of actions built based on hazard triggers; $\Delta :S\times A\to D(S)$ is a probabilistic hazard transition function and $D(S)$ is established based on probabilities of hazard triggers; $AP$ is a finite set of atomic propositions built over hazards; $L:S\to {2}^{AP}$ is a labelling function.

#### 4.2. Model Transformation Rules

#### 4.2.1. Basic Rules

**true**(see fourth row). Each hazard source corresponds to an error state or an error event, so a hazard source is encoded as a formula which represents a value of its corresponding error state or error event, as shown in the fifth row.

**Definition**

**9.**

**Rules for Basic Elements:**Transformation rules from basic elements to the PRISM-games language (an SMG model) are defined as a tuple $T{R}_{b}=({A}_{b},P{M}_{b})$, where ${A}_{b}$ can be error states ${A}_{es}$, error events ${A}_{ee}$, hazards ${A}_{h}$, hazard triggers ${A}_{ht}$ or hazard sources ${A}_{hs}$, and $P{M}_{b}$ is a set of the corresponding PRISM-games elements. $T{R}_{b}$ includes rules: $T{R}_{es}=({A}_{es},P{M}_{es})$, $T{R}_{ee}=({A}_{ee},P{M}_{ee})$, $T{R}_{h}=({A}_{h},P{M}_{h})$, $T{R}_{ht}=({A}_{ht},P{M}_{ht})$, and $T{R}_{hs}=({A}_{hs},P{M}_{hs})$, which are defined as follows:

- $T{R}_{es}=({A}_{es},P{M}_{es})$, where ${A}_{es}$ is a set of error states in a component, and $P{M}_{es}$ is a local variable. The value range of this variable is corresponding to the number of error states. Each value represents an error state and 0 is for an initial error state.
- $T{R}_{ee}=({A}_{ee},P{M}_{ee})$, where ${A}_{ee}$ is a set of error events, and $P{M}_{ee}$ is a set of probability values for transitions in commands. Each probability value is defined as a double constant.
- $T{R}_{h}=({A}_{h},P{M}_{h})$, where ${A}_{h}$ is a set of hazards in a component, and $P{M}_{h}$ is equal to $P{M}_{es}$ of the same component. The value range of $P{M}_{es}$ is added with the the number of hazards. Each added value represents a hazard.
- $T{R}_{ht}=({A}_{ht},P{M}_{ht})$, where ${A}_{ht}$ is a set of hazard triggers, and $P{M}_{ht}$ is a set of probability values for transitions in commands. Each probability value is defined as a double constant.
- $T{R}_{hs}=({A}_{hs},P{M}_{hs})$, where ${A}_{hs}$ is a set of hazard sources, and $P{M}_{hs}$ is a set of formulae. Each formula represents a variable with the value of the corresponding state of an error state or a probability value of an error event.

#### 4.2.2. Rules for Error Propagations

`TL1`to

`PMS1`in Figure 3 is based on the event port connection. Since the semantics of connections is included in error propagations, we only need to transform each error propagation to PRISM-games language.

**Definition**

**10.**

**Rules for error propagations**that are not from the environment are defined as a tuple $T{R}_{ep,1}=({A}_{ep},P{M}_{ep,1})$ or $T{R}_{ep,2}=({A}_{ep},P{M}_{ep,2})$, where ${A}_{ep}$ is an error propagation.

- 1.
- For $T{R}_{ep,1}$, $P{M}_{ep,1}$ is a corresponding command of ${A}_{ep}$. The source error state and the triggered condition of ${A}_{ep}$ is encoded as the guard. If error events are included in the triggered condition, they are transformed to a probability value for a transition of the command. The outgoing propagation point in the destination of ${A}_{ep}$ is encoded as a local variable (0 denotes no error, 1 denotes an error). The value 1 is assigned to this variable as an update of a transition for the command. This variable with value 1 will be used as the triggered condition by other components.
- 2.
- If the triggered condition of ${A}_{ep}$ does not contain incoming propagation points, $T{R}_{ep,2}$ is better than $T{R}_{ep,1}$. $P{M}_{ep,2}$ is the value of the state variable that is corresponding to the source error state of ${A}_{ep}$. The probability values of error events in the triggered condition is added to $P{M}_{ep,2}$. The variable corresponding to the source error state will be used as the triggered condition by other components.

`T1F`(a failed state) of

`TL1`to

`PMS1`and it causes an error transition from

`P1O`to

`P1F`. According to $T{R}_{ep,2}$, this error propagation is encoded as “

`TL1s=1`” in the guard of a command at line 9 of Figure 5. Since its triggered condition is empty, it is not transformed to a command. Similarly, “

`TL2s=1`” at line 10 of Figure 5 is for an error propagation from

`TL2`to

`PMS1`. Moreover, according to $T{R}_{ep,1}$, the outgoing propagation point of

`TL1`in Figure 3 is transformed to a variable

`TL1Out`at line 5 of Figure 6. A command at line 10 of Figure 6 is transformed from this error propagation. The source error state

`T1F`in

`TL1`component is encoded as the guard and the value 1 is assigned to the variable

`TL1Out`.

`disturb`for affected error transitions to synchronize with the environment, as follows.

**Definition**

**11.**

**Rules for error propagations**from the environment are defined as a tuple $T{R}_{ep,3}=({A}_{ep},P{M}_{ep,3})$, where ${A}_{ep}$ is an error propagation propagated from the environment. $P{M}_{ep,3}$ is an action, that’s,

`disturb`, which will be used in the affected error transitions.

`abnormal`in the

`environment`component to the outgoing propagation point to error transitions in the

`PMS1`component in Figure 3. This error propagation is encoded as an action

`disturb`, which will be used in the commands corresponding to affected error transitions in the

`PMS1`component. This action

`disturb`is the link between commands.

#### 4.2.3. Rules for Error Transitions and Hazard Transitions

**Definition**

**12.**

**Rules for error transitions**are defined as a tuple $T{R}_{et}=({A}_{et},P{M}_{et})$, where ${A}_{et}$ is an error transition and $P{M}_{et}$ is a command.

- 1.
- If ${A}_{et}$ is not related to the environment component, the source error state and triggered condition of ${A}_{et}$ are transformed to the guard, the destination error state is transformed to a transition t, and error events are transformed to a probability for the transition t. If there are no error events in an error transition, the probability is 1. If there are outgoing propagation points, their corresponding variables should be recovered in the recovered error transition.
- 2.
- Additionally, if ${A}_{et}$ is an error transition specifying the occurrence of interference in the environment component, the action of the command is
`disturb`which will synchronize with the affected error transitions in GCPSs. - 3.
- Moreover, if ${A}_{et}$ is an error transition in a component of a GCPS and it is affected by the incoming propagation point from the environment, the action of the command is
`disturb`which will synchronize with the error transitions in the environment. This action is transformed from the error propagation between the environment and a component of a GCPS. If a component does not has error transitions caused by the environment, a command from`true`to`true`with the action`disturb`should be added to this component.

`T1F`to

`PMS1`in

`TL1`of Figure 3 is transformed according to $T{R}_{ep,2}$ in Definition 10, error transitions in

`TL1`are transformed to commands at lines 8–9 of Figure 6, and error propagations in

`PMS1`are transformed to commands at lines 7–10 of Figure 5. If that error propagation from

`T1F`to

`PMS1`in

`TL1`is transformed according to $T{R}_{ep,1}$ in Definition 10, error transitions of

`TL1`are transformed to commands at lines 8 and 11 of Figure 6, and error transitions of

`PMS1`are transformed to lines 7–8 and 11–12 of Figure 5. The command at line 11 of Figure 6 is corresponding to the recovered error transition, so it also should recover the variable for an outgoing propagation point in the transition of this command.

`abnormal`to

`abnormal`or from

`abnormal`to

`normal`in the

`environment`of Figure 3 is the occurrence of interference. It will disturb

`GCPSsys`through error propagations and event port connections. For example, an error propagation from

`abnormal`state of

`environment`component to

`PMS1`is encoded as an action

`disturb`based on Definition 11. Based on the second and third rules of Definition 10, this action is added to commands at lines 5 and 6 of Figure 7 and lines 5–6 of Figure 5. These commands are transformed from ETs. Moreover, since error transitions of

`GCPSsys`are not caused by the environment, a command at line 11 of Figure 8 is added for the synchronization between modules.

**Definition**

**13.**

**Rules for a hazard transition**are defined as a tuple $T{R}_{ht}=({A}_{ht},P{M}_{ht})$, where ${A}_{ht}$ is a hazard transition and $P{M}_{ht}$ is a command. The source hazard is transformed to the guard, the destination hazard is transformed to a transition t, and hazard triggers are transformed to a probability for the transition t. If there are not hazard triggers, the probability is 1.

#### 4.2.4. Rules for Logical Operators and Primitives

`And`and

`Or`in EMA and HMA can be directly replaced by PRISM language. EMA also has primitives such as

`Ormore`and

`Orless`, which can be encoded by combining

`And`and

`Or`operators. For instance, a condition expression

`1 Ormore (state1, state2)`means if one or more than one states are true, the value of this expression is true. It can be converted to the logical expression

`state1 Or state2 Or (state1 And state2)`.

**Definition**

**14.**

**Rules for logical operators and primitives**are defined as a tuple $T{R}_{lp}=({A}_{lp},P{M}_{lp})$, where ${A}_{lp}$ is a composition through logical operators and/or primitives, and $P{M}_{lp}$ is a composition through logical operators. For logical operators, it is one-to-one mapping between ${A}_{lp}$ and $P{M}_{lp}$. For primitives,

`Ormore`and

`Orless`are encoded by combining

`And`and

`Or`operators.

#### 4.2.5. Rules for Composite Error Behaviors

**Definition**

**15.**

**Rules for composite error behaviors**are defined as a tuple $T{R}_{ceb}=({A}_{ceb},P{M}_{ceb})$, where ${A}_{ceb}$ is a composite error behavior, and $P{M}_{ceb}$ is a command. The combination of error states of subcomponents are transformed to the guard and the destination error state is encoded as a transition of this command.

#### 4.2.6. Rules for Hazard Propagations

`StateAnd(state thread1Failed, state thread2Failed)-[ht]->h`” is encoded as a command “

`[] s_t1=1 & s_t2=1 -> 0.1:(hazardVar’=1) + 0.9:true;`”, where the occurrence probability value of

`ht`is 0.1, hazard sources

`thread1Failed`and

`thread2Failed`are corresponding to the value 1 of two error state variables in

`thread1`and

`thread2`, respectively, and the hazard

`h`is corresponding to the value 1 of a hazard variable

`hazardVar`.

**Definition**

**16.**

**Rules for hazard propagations**are a tuple $T{R}_{hp}=({A}_{hp},P{M}_{hp})$, where ${A}_{hp}$ is a hazard propagation and $P{M}_{hp}$ is a command. A combination of hazard sources is transformed to the guard, the destination hazard is transformed to a transition t, and hazard triggers are transformed to a probability for the transition t. If there are not hazard triggers, the probability is 1.

#### 4.3. Completeness and Consistency of Model Transformation Rules

**Theorem**

**1.**

**(Completeness 1)**Let A be an AADL model of a GCPS and its environment, $PM$ be the transformed PRISM-games model (SMG model), and $TRS$ be the set of transformation rules. If ${A}_{1}\in A$, there exists a rule $TR\in TRS$ such that $TR({A}_{1})=P{M}_{1}\in PM$.

**Proof.**

**Theorem**

**2.**

**(Completeness 2)**Let A be an AADL model of a GCPS and its environment, $PM$ be the transformed PRISM-games model (an SMG model), and $TRS$ be the set of transformation rules. Given ${A}_{1}\in A$ and $P{M}_{1}\in PM$, if ${A}_{1}$ and $P{M}_{1}$ are equivalent, there exists a rule $TR\in TRS$ such that $TR({A}_{1})=P{M}_{1}$.

**Proof.**

**Theorem**

**3.**

**(Consistency)**Let A be an AADL model of a GCPS and its environment, $PM$ be the transformed PRISM-games model (an SMG model), and $TRS$ be the set of transformation rules. If both $T{R}_{1}\in TRS$ and $T{R}_{2}\in TRS$ can used for the transformation of ${A}_{1}\in A$. $T{R}_{1}({A}_{1})$ and $T{R}_{2}({A}_{1})$ are equivalent.

**Proof.**

## 5. Case Study

#### 5.1. A GCPS, Its AADL Model and Transformed SMG Model

`GCPSsys`system component.

`GCPSsys`has two error states,

`GCPS_O`and

`GCPSsys_F`. There are two CEBs in

`GCPSsys`. First, when one of PMSs fails,

`GCPSsys`fails. Second, when one of the generators fails,

`GCPSsys`fails. These two CEBs use OR logical operator to combine error states. According to model transformation rules in Definition 15, two CEBs are encoded as two commands at lines 14 and 15 of Figure 8.

`GCPSsys`system is a hazard source. These hazard sources are encoded as formulae at lines 1–3 of Figure 8. These hazard sources can lead to hazards through HPs. When two of PMSs fail or

`GCPSsys`system state fails, the dangerous overvoltage may occur as a hazard (

`OverVoltage`) triggered by a hazard trigger

`ht1`.

`OverVoltage`will lead to a hazard

`EquipDamage`(equipment damage) triggered by a hazard trigger

`ht2`. When two of generators fail, the power is not enough for users and may affect the normal production process as a hazard (

`LowPower`) triggered by a hazard trigger

`ht3`. Assuming that occurrence probabilities of hazard triggers is $10\times {10}^{-6}$. According to model transformation rules in Definition 16, two HBs are encoded as two commands at lines 16 and 18 of Figure 8. A HT is encoded as a command at line 17.

`environment`may affect PMSs, generators and TLs and they may fail with the probability $10\times {10}^{-6}$. The

`environment`is transformed a module, as shown in Figure 7.

`environment`module, which is regarded as a player

`env`, as shown at lines 5–7. Other modules are composed as a player

`sys`, as shown at lines 2–4. The action

`disturb`is controlled by the environment, so it is contained in the

`env`player. The action

`run`is contained in the

`sys`player.

#### 5.2. Results

`GCPSsysFailed`,

`OverVoltage`,

`LowPower`and

`EquipDamage`. For example, a property formula for

`GCPSsysFailed`is presented in Formula (2), where “$Cs=1$” is corresponding to

`GCPSsysFailed`(see line 10 of Figure 8). Using the PRISM-games tool, we verify property formulae for a complete transformed SGM model to obtain occurrence probabilities. Safety analysis results are shown in Table 2. We can see that

`GCPSsys`’s failure may occur with a large probability at the system-level. The occurrence probabilities of hazards are smaller. They can used to decide if the design of a GCPS is feasible and it satisfies safety requirements. If a probability is too large, the GCPS architecture model should be modified or the failed probabilities of subcomponents should be lowered.

#### 5.3. Discussion

## 6. Related Work

## 7. Conclusions and Future Work

## Author Contributions

## Funding

## Conflicts of Interest

## References

- Yu, X.; Xue, Y. Smart grids: A cyber–physical systems perspective. Proc. IEEE
**2016**, 104, 1058–1070. [Google Scholar] [CrossRef] - Huang, Z.; Wang, C.; Zhu, T.; Nayak, A. Cascading failures in smart grid: Joint effect of load propagation and interdependence. IEEE Access
**2015**, 3, 2520–2530. [Google Scholar] [CrossRef] - Huang, Z.; Wang, C.; Stojmenovic, M.; Nayak, A. Characterization of cascading failures in interdependent cyber-physical systems. IEEE Trans. Comput.
**2015**, 64, 2158–2168. [Google Scholar] [CrossRef] - Rahnamay-Naeini, M.; Hayat, M.M. Cascading Failures in Interdependent Infrastructures: An Interdependent Markov-Chain Approach. IEEE Trans. Smart Grid
**2016**, 7, 1997–2006. [Google Scholar] [CrossRef] - Wei, M.; Lu, Z.; Tang, Y.; Lu, X. How Can Cyber-Physical Interdependence Affect the Mitigation of Cascading Power Failure? In Proceedings of the IEEE INFOCOM 2018-IEEE Conference on Computer Communication, Honolulu, HI, USA, 16–19 April 2018; pp. 2501–2509. [Google Scholar]
- Buldyrev, S.V.; Parshani, R.; Paul, G.; Stanley, H.E.; Havlin, S. Catastrophic cascade of failures in interdependent networks. Nature
**2010**, 464, 1025–1028. [Google Scholar] [CrossRef] [PubMed] - Vellaithurai, C.; Srivastava, A.; Zonouz, S.; Berthier, R. CPIndex: Cyber-Physical Vulnerability Assessment for Power-Grid Infrastructures. IEEE Trans. Smart Grid
**2015**, 6, 566–575. [Google Scholar] [CrossRef] - Xun, P.; Zhu, P.; Zhang, Z.; Cui, P.; Xiong, Y. Detectors on Edge Nodes against False Data Injection on Transmission Lines of Smart Grid. Electronics
**2018**, 7, 89. [Google Scholar] [CrossRef] - Wadhawan, Y.; AlMajali, A.; Neuman, C. A Comprehensive Analysis of Smart Grid Systems against Cyber-Physical Attacks. Electronics
**2018**, 7, 249. [Google Scholar] [CrossRef] - Kundur, P.; Balu, N.J.; Lauby, M.G. Power System Stability and Control; McGraw-Hill: New York, NY, USA, 1994; Volume 7. [Google Scholar]
- Nguyen, H.H.; Tan, R.; Yau, D.K. Safety-assured collaborative load management in smart grids. In Proceedings of the 2014 ACM/IEEE International Conference on Cyber-Physical Systems (ICCPS), Berlin, Germany, 14–17 April 2014; pp. 151–162. [Google Scholar]
- SAE International. AS5506C—(R) Architecture Analysis and Design Language (AADL); SAE International: Warrendale, PA, USA, 2017. [Google Scholar]
- Wei, X.; Dong, Y.; Li, X.; Wong, W.E. Architecture-level hazard analysis using AADL. J. Syst. Softw.
**2018**, 137, 580–604. [Google Scholar] [CrossRef] - Wei, X.; Dong, Y.; Yang, M.; Hu, N.; Ye, H. Hazard analysis for AADL model. In Proceedings of the 2014 IEEE 20th International Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA), Chongqing, China, 20–22 August 2014; pp. 1–10. [Google Scholar] [CrossRef]
- Bozzano, M.; Cimatti, A.; Katoen, J.P.; Nguyen, V.Y.; Noll, T.; Roveri, M. Safety, Dependability and Performance Analysis of Extended AADL Models. Comput. J.
**2011**, 54, 754–775. [Google Scholar] [CrossRef] - Bozzano, M.; Bruintjes, H.; Cimatti, A.; Katoen, J.P.; Noll, T.; Tonetta, S. The COMPASS 3.0 Toolset. In Proceedings of the fifth International Symposium on Model-Based Safety and Assessment (IMBSA 2017), Trento, Italy, 11–13 September 2017. [Google Scholar]
- Wei, X.; Dong, Y.; Ye, H. QaSten: Integrating Quantitative Verification with Safety Analysis for AADL Model. In Proceedings of the 2015 International Symposium on Theoretical Aspects of Software Engineering (TASE), Nanjing, China, 12–14 September 2015; pp. 103–110. [Google Scholar] [CrossRef]
- SAE International. (R) SAE Architecture Analysis and Design Language (AADL) Annex Volume 1: Annex E: Error Model Annex; SAE International: Warrendale, PA, USA, 2015. [Google Scholar]
- Simaitis, A. Automatic Verification of Competitive Stochastic Systems. Ph.D. Thesis, Department of Computer Science, University of Oxford, Oxford, UK, 2014. [Google Scholar]
- Svoreňová, M.; Kwiatkowska, M. Quantitative verification and strategy synthesis for stochastic games. Eur. J. Control
**2016**, 30, 15–30. [Google Scholar] [CrossRef] - Kwiatkowska, M. Model Checking and Strategy Synthesis for Stochastic Games: From Theory to Practice. In Proceedings of the 43rd International Colloquium on Automata, Languages, and Programming (ICALP 2016), Rome, Italy, 12–15 July 2016. [Google Scholar]
- Kwiatkowska, M.; Parker, D.; Wiltsche, C. PRISM-games 2.0: A Tool for Multi-Objective Strategy Synthesis for Stochastic Games. In Proceedings of the 22nd International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’16), Eindhoven, The Netherlands, 2–8 April 2016. [Google Scholar]
- Dehnert, C.; Junges, S.; Katoen, J.P.; Volk, M. A storm is coming: A modern probabilistic model-checker. In Proceedings of the International Conference on Computer Aided Verification, Heidelberg, Germany, 24–28 July 2017; Springer: Cham, Switzerland, 2017; pp. 592–600. [Google Scholar]
- WSCC 9-Bus System. Available online: http://icseg.iti.illinois.edu/wscc-9-bus-system/ (accessed on 10 September 2018).
- Markov Reward Model Checker. Available online: http://www.mrmc-tool.org/trac/ (accessed on 1 February 2019).
- Morozov, A.; Mutzke, T.; Ren, B.; Janschek, K. AADL-based stochastic error propagation analysis for reliable system design of a medical patient table. In Proceedings of the 2018 Annual Reliability and Maintainability Symposium (RAMS), Reno, NV, USA, 22–25 January 2018; pp. 1–7. [Google Scholar]
- Dong, Y.; Wei, X.; Xiao, M. Overview: System Architecture Virtual Integration based on an AADL Model. In Symposium on Real-Time and Hybrid Systems; Springer: Cham, Switzerland, 2018; pp. 105–115. [Google Scholar]
- Bernardi, S.; Merseguer, J.; Petriu, D. An UML Profile for Dependability Analysis and Modeling of Software Systems; Technical Report RR-08-05; University of Zaragoza: Zaragoza, Spain, 2008. [Google Scholar]
- Qi, J.; Sun, K.; Mei, S. An interaction model for simulation and mitigation of cascading failures. IEEE Trans. Power Syst.
**2015**, 30, 804–819. [Google Scholar] [CrossRef] - Xin, S.; Guo, Q.; Sun, H.; Zhang, B.; Wang, J.; Chen, C. Cyber-physical modeling and cyber-contingency assessment of hierarchical control systems. IEEE Trans. Smart Grid
**2015**, 6, 2375–2385. [Google Scholar] [CrossRef] - Qin, B.; Liu, D.; Cao, M.; Zou, J. Formal modeling and verification of flexible load control for power grid CPS based on differential dynamic logic. In Proceedings of the 2017 IEEE Conference on Energy Internet and Energy System Integration (EI2), Beijing, China, 26–28 November 2017; pp. 1–6. [Google Scholar] [CrossRef]

No. | AADL Model | PRISM-Games Language |
---|---|---|

1 | Component implementation, e.g., system implementation sys.i; | Module, e.g., module sys_i; |

2 | Error states and hazards, e.g., srcState : initial error state;dstState : error state;overVoltage : hazard; | Integer variable, e.g., stateVar : [0..2] init 0;(0 for srcState, 1 for dstState, 2 for OverVoltage) |

3 | Initial error state | Initial value (0) of the variable |

4 | Error event and hazard trigger with occurrence property, e.g., errEvent : error event; (with 0.1) | double constants for probability values, e.g., const double proErrEvent = 0.1; // for itself.(1-proErrEvent) // for others represented by true. |

5 | Hazard source, e.g., hs1 : error state dstState;hs2 : error event errEvent; | Formula e.g., formula hs1 = stateVar = 1;formula hs2 = 0.1; |

State | Components | $<<$sys$>>$${\mathit{P}}_{\mathit{max}}$ |
---|---|---|

GCPSsysFailed | GCPSsys | 0.29638545685060275 |

OverVoltage | GCPSsys | 0.00553889850028547 |

LowPower | GCPSsys | $2.1901294138765\times {10}^{-5}$ |

EquipDamage | GCPSsys | $6.769683540208\times {10}^{-5}$ |

Iterations/ | 360 | 3600 | 36,000 | 360,000 |
---|---|---|---|---|

State | (Probability/Time(s)) | (Probability/Time(s)) | (Probability/Time(s)) | (Probability/Time(s)) |

GCPSsysFailed | 0.29563894732784135 | 0.29638545685060275 | 0.29646006198918473 | 0.2964675220331432 |

51 | 583 | 3845 | 38,844 | |

OverVoltage | 0.005498371833365312 | 0.00553889850028547 | 0.0055429599223609655 | 0.005543366152586064 |

40 | 583 | 4093 | 43,007 | |

LowPower | $2.1877226353822\times {10}^{-5}$ | $2.1901294138765\times {10}^{-5}$ | $2.1903700745296\times {10}^{-5}$ | $2.190394140766\times {10}^{-5}$ |

46 | 449 | 4690 | 48,084 | |

EquipDamage | $6.671261704829\times {10}^{-5}$ | $6.769683540208\times {10}^{-5}$ | $6.779579390681\times {10}^{-5}$ | $6.78056951417\times {10}^{-5}$ |

41 | 391 | 4439 | 46,209 |

© 2019 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Wei, X.; Dong, Y.; Sun, P.; Xiao, M.
Safety Analysis of AADL Models for Grid Cyber-Physical Systems via Model Checking of Stochastic Games. *Electronics* **2019**, *8*, 212.
https://doi.org/10.3390/electronics8020212

**AMA Style**

Wei X, Dong Y, Sun P, Xiao M.
Safety Analysis of AADL Models for Grid Cyber-Physical Systems via Model Checking of Stochastic Games. *Electronics*. 2019; 8(2):212.
https://doi.org/10.3390/electronics8020212

**Chicago/Turabian Style**

Wei, Xiaomin, Yunwei Dong, Pengpeng Sun, and Mingrui Xiao.
2019. "Safety Analysis of AADL Models for Grid Cyber-Physical Systems via Model Checking of Stochastic Games" *Electronics* 8, no. 2: 212.
https://doi.org/10.3390/electronics8020212