Most software-driven systems we use in daily life are huge
hierarchical assemblies of components. This observation holds
from the micro-scale (multi-core chips) to the macro-scale (data
centers), and from hardware systems (telecommunication networks) to
software systems (choreographies of web services). The main
characteristics of these pervasive applications are size,
complexity, heterogeneity, and modularity (or concurrency). Moreover,
several such systems are actively used before they are fully
mastered, or have grown so much that they now raise new
problems that human operators can hardly manage. As these
systems and applications become more essential, or even
critical, the need for their *reliability*, *efficiency*
and *manageability* becomes a central concern in computer
science. The main objective of SUMO is to develop theoretical
tools to address such challenges, along the following axes.

Several disciplines in computer science have of course addressed some of the issues raised by large systems. For example, formal methods (essentially for verification purposes), discrete-event systems (diagnosis, control, planning, and their distributed versions), but also concurrency theory (modelling and analysis of large concurrent systems). Practical needs have oriented these methods towards the introduction of quantitative aspects, such as time, probabilities, costs, and their combinations. This approach drastically changes the nature of questions that are raised. For example, verification questions become the reachability of a state in a limited time, the average sojourn duration in a state, the probability that a run of the system satisfies some property, the existence of control strategies with a given winning probability, etc. In this setting, exact computations are not always appropriate as they may end up with unaffordable complexities, or even with undecidability. Approximation strategies then offer a promising way around, and are certainly also a key to handling large systems. Approaches based on discrete-event systems follow the same trend towards quantitative models. For diagnosis aspects, one is interested in the most likely explanations to observed malfunctions, in the identification of the most informative tests to perform, or in the optimal placement of sensors. For control problems, one is of course interested in optimal control, in minimizing communications, in the robustness of the proposed controllers, in the online optimization of QoS (Quality of Service) indicators, etc.

While the above questions have already received partial answers, they remain largely unexplored in a distributed setting. We focus on structured systems, typically a network of dynamic systems with known interaction topology, the latter being either static or dynamic. Interactions can be synchronous or asynchronous. The state-space explosion raised by such systems has been addressed through two techniques. The first one consists in adopting true-concurrency models, which take advantage of the parallelism to reduce the size of the trajectory sets. The second one looks for modular or distributed "supervision" methods, taking the shape of a network of local supervisors, one per component. While these approaches are relatively well understood, combining them with quantitative models remains a challenge (as an example, there exists no proper setting assembling concurrency theory with stochastic systems). This field is largely open both for modeling, analysis and verification purposes, and for distributed supervision techniques. The difficulties combine with the emergence of data-driven distributed systems (such as web services or data-centric systems), where the data exchanged by the various components influence both the behaviors of these components and the quantitative aspects of their reactions (e.g. QoS). Such systems call for symbolic or parametric approaches for which a theory is still missing.

Some existing distributed systems like telecommunication networks,
data centers, or large-scale web applications have reached sizes and
complexities that reveal new management problems. One can no longer
assume that the model of the managed systems is static and fully
known at any time and any scale. To scale up the management methods
to such applications, one needs to be able to design reliable
abstractions of parts of the systems, or to dynamically build a part
of their model, following the needs of the management functions to
realize. Besides, one does not wish to define management objectives
at the scale of each single component, but rather to pilot these
systems through high-level policies (maximizing throughput,
minimizing energy consumption, etc.) These distributed systems and
management problems have connections with other approaches for the
management of large structured stochastic systems, such as Bayesian
networks (BN) and their variants. The similarity can actually be
made more formal: inference techniques for BN rely on the concept of
conditional independence, which has a counterpart for networks of
*dynamic* systems and is at the core of techniques like
distributed diagnosis, distributed optimal planning, or the
synthesis of distributed controllers. The potential of this
connection is largely unexplored, but it suggests that one could
derive from it good approximate management methods for large
distributed dynamic systems.

Since its creation in 2015, SUMO has successfully developed formal methods for large quantitative systems, in particular addressing verification, synthesis and control problems. Our current motivation is to expand this by putting emphasis on new concerns, such as algorithm efficiency, imprecision handling, and the more challenging objective of addressing incomplete or missing models. In the following we list a selection of detailed research goals, structured into four axes according to model classes: quantitative models, large systems, population models, and data-driven models. Some correspond to the pursuit of previously obtained results, others are more prospective.

The analysis and control of quantitative models will remain at the heart of a large part of our
research activities. In particular, we have two starting
collaborative projects focusing on **timed models**,
namely our ANR project TickTac and our collaboration with MERCE. The
main expected outcome of TickTac is an open-source tool implementing
the latest algorithms and allowing for quick prototyping of new
algorithms. Several other topics will be explored in these
collaborations, including robustness issues, game-theoretic problems, as well as the
development of efficient algorithms, *e.g.* based on the CEGAR approach or
specifically designed for subclasses of automata (*e.g.* automata with
few clocks and/or having a specific structure).
Inspired by our collaboration with Alstom, we also aim at
developing symbolic techniques for analysing non-linear timed models.

**Stochastic models** are another important focus for our research. On the one hand, we want to pursue our work on the optimization of non-standard properties for Markov decision processes, beyond the traditional verification questions, and explore *e.g.* long-run probabilities and quantiles. Also, we aim at lifting our work on decisiveness from purely stochastic models to non-deterministic and stochastic models, in order to provide approximation schemes for the probability of (repeated) reachability properties in infinite-state Markov decision processes.
On the other hand, in order to effectively handle large stochastic systems, we will
pursue our work on approximation techniques. We aim at deriving simpler models, enjoying or preserving specific properties, and at determining the appropriate level of abstraction for a given system. One needs of course to quantify the approximation degrees (distances), and to preserve essential features of the original systems (explainability). This is a connection point between formal methods and the fast-growing field of learning methods.

Regarding **diagnosis/opacity** issues, we will explore further the quantitative aspects. For diagnosis, the theory needs extensions to the case of incomplete or erroneous models, and to reconfigurable systems, in order to broaden its applicability. There is also a need for non-binary causality analysis (*e.g.* performance degradations in complex systems). For opacity, we aim at quantifying the effort attackers must spend *vs* how much of a secret they can guess. We also plan to synthesize robust controllers resisting sensor failures/attacks.

Part of the background of SUMO is on the analysis and management of concurrent and modular/distributed systems, that we view as two main approaches to address state explosion problems. We will pursue the study of these models (including their quantitative features): verification of timed concurrent systems, robust distributed control of modular systems, resilient control to coalitions of attackers, distributed diagnosis, modular opacity analysis, distributed optimal planning, etc. Nevertheless, we have identified two new lines of effort, inspired by our application domains.

**Reconfigurable systems.** This is mostly motivated by applications at the convergence of virtualization technologies with networking (Orange and Nokia PhDs). Software-defined networks, either in the core (SDN/NFV) or at the edge (IoT), involve distributed systems that change structure constantly, to adapt to traffic, failures, maintenance, upgrades, etc. Traditional verification, control and diagnosis approaches (to mention only those) assume static and known models that can be handled as a whole. This is clearly insufficient here: one needs to adapt existing results to models that (sometimes automatically)
change structure, incorporate new components/users or lose some, etc. At the same time, the programming paradigms for such systems (*e.g.* chaos-monkey style fault injection) incorporate resilience mechanisms that should be considered by our models.

**Hierarchical systems.** Our experience with the regulation of subway lines (Alstom) revealed that large-scale complex systems are usually described at a single level of granularity. Determining the appropriate granularity is a problem in itself. The control of such systems, with humans in the loop, cannot be expressed at this single level, as tasks become too complex and require extremely skilled staff. It is rather desirable to describe models simultaneously at different levels of granularity, and to perform control at the appropriate level: humans in charge of managing the system through high-level objectives, and computers in charge of implementing the appropriate micro-control sequences to achieve these tasks.

We want to step up our effort in parameterized verification of systems consisting of many identical components, so-called population models. In a nutshell our objectives summarize as "from Boolean to quantitative".

Inspired by our experience on the analysis of populations of yeasts, we aim at developing the quantitative analysis and control of population models, *e.g.* using Markov decision processes together with quantitative properties, and focusing on generating strategies with fast convergence.

As for broadcast networks, the challenge is to model the mobility of nodes (representing mobile ad hoc networks) in a faithful way. The obtained model should reflect, on the one hand, the placement of nodes at a given time instant and, on the other hand, the physical movement of nodes over time. In this context, we will also use game-theoretic techniques, which allow one to study cooperative and conflictual behaviors of the nodes in the network, and to synthesize correct-by-design systems in adversarial environments.

As a new application area, we target randomized distributed algorithms. Our goal is to provide probabilistic variants of threshold automata to represent fault-tolerant randomized distributed algorithms, designed for instance to solve the consensus problem. Most importantly, we then aim at developing new parameterized verification techniques, that will enable the automated verification of the correctness of such algorithms, as well as the assessment of their performances (in particular the expected time to termination).

In this axis, we will investigate whether fluid model checking and mean-field approximation techniques apply to our problems. More generally, we aim at a fruitful cross-fertilization of these approaches with parameterized model-checking algorithms.

In this axis, we will consider data-centric models, and in particular their application to crowd-sourcing. Many data-centric models such as Business Artifacts orchestrate simple calls and answers to tasks performed by a single user. In a crowd-sourcing context, tasks are realized by pools of users, which may result in imprecise, uncertain and (partially) incompatible information. We thus need mechanisms to reconcile and fuse the various contributions in order to produce reliable information. Another aspect to consider concerns higher-order answers: how to allow users to return intentional answers, in the form of a sub-workflow (coordinated set of tasks) whose execution will provide the intended value. In the framework of the ANR Headwork we will build on formalisms such as GAG (guarded attribute grammars) or variants of business artifacts to propose formalisms adapted to crowd-sourcing applications, and tools to analyze them. To address imprecision, we will study techniques to handle fuzziness in user answers, explore means to set incentives (rewards) dynamically, and set competence requirements to guide the execution of a complex workflow, in order to achieve an objective with a desired level of quality.

In collaboration with Open Agora, CESPA and the University of Yaoundé (Cameroon) we intend to implement in the GAG formalism some elements of argumentation theory (argumentation schemes, speech acts and dialogic games) in order to build a tool for conducting critical discussions and the collaborative construction of expertise. The tool would incorporate point-of-view extraction (using clustering mechanisms), amendment management and consensus-building mechanisms.

We are concerned with one important lesson derived from our involvement in several application domains. Most of our background comes into play as soon as a perfect model of the system under study is available. Then verification, control, diagnosis, test, etc. can mobilize a solid body of results, or suggest new algorithmic problems to address. In numerous situations, however, assuming that a model is available is simply unrealistic. This is a major bottleneck for the impact of our research. We therefore intend to address this difficulty, in particular for the following domains.

Model building for diagnosis. As a matter of fact, diagnosis theory hardly touches the ground, to the extent that complete models of normal behavior are rarely available, and the identification of the appropriate abstraction level is unclear. Knowledge of faults and their effects is even less accessible. Also, the actually implemented systems may differ significantly from the behaviors described in the norms. One therefore needs a theory for incomplete and erroneous models. Besides, one is often less bothered by partial observations than drowned by avalanches of alerts when malfunctions occur. Learning may come to the rescue, all the more so since software systems may be deployed in sandboxes and deliberately damaged for experimentation, thus allowing the collection of masses of labeled data. Competition on that theme clearly comes from Machine Learning techniques.

Verification of large-scale software. For some verification problems like the one we address in the IPL HAC-Specis, one does not have access to a formal model of the distributed program under study, but only to executions in a simulator. Formal verification then poses new problems: capturing global states is difficult, and state-space explosion has to be mastered by gathering and exploiting concurrency information.

Learning of stochastic models. Applications in bioinformatics often lead to large scale models, involving numerous chains of interactions between chemical species and/or cells. Fine grain models can be very precise, but very inefficient for inference or verification. Defining the appropriate levels of description/abstraction, given the available data and the verification goals, remains an open problem. This cannot be considered as a simple data fitting problem, as elements of biological knowledge must be combined with the data in order to preserve explainability of the phenomena.

Testing and learning timed models: during conformance testing of a black-box implementation against its formal specification, one wants to detect non-conformances but may also want to learn the implementation model. Even though mixing testing and learning is not new, this is more recent and challenging for continuous-time models.

Process mining. We intend to extend our work on process discovery using Petri net synthesis by using negative information (*e.g.* execution traces identified as outliers) and quantitative information (probabilistic or fuzzy sets of execution traces) in order to infer more robust and precise models.

The smart-city trend aims at optimizing all functions of future cities with the help of digital technologies. We focus on the segment of urban trains, which will evolve from static and scheduled offers to reactive and eventually on-demand transportation offers. We address two challenges in this field. The first one concerns the optimal design of robust subway lines. The idea is to be able to evaluate, at design time, the performance of time tables and of different regulation policies. In particular, we focus on robustness issues: how can small perturbations and incidents be accommodated by the system, how fast will return to normality occur, when does the system become unstable? The second challenge concerns the design of new robust regulation strategies to optimize delays, recovery times, and energy consumption at the scale of a full subway line. These problems involve large-scale discrete-event systems, with temporal and stochastic features, and translate into robustness assessment, stability analysis and joint numerical/combinatorial optimization problems on the trajectories of these systems.

Telecommunication-network management is a rich provider of research topics for the team, and some members of SUMO have a long background of contacts and transfer with industry in this domain. Networks are typical examples of large distributed dynamic systems, and their management raises numerous problems ranging from diagnosis (or root-cause analysis), to optimization, reconfiguration, provisioning, planning, verification, etc. They also bring new challenges to the community, for example on the modeling side: building or learning a network model is a complex task, specifically because these models should reflect features like the layering, the multi-resolution view of components, the description of both functions, protocols and configuration, and they should also reflect dynamically-changing architectures. Besides modeling, management algorithms are also challenged by features like the size of systems, the need to work on abstractions, on partial models, on open systems, etc. The networking technology is now evolving toward software-defined networks, virtualized-network functions, multi-tenant systems, etc., which reinforces the need for more automation in the management of such systems.

Data centers are another example of large-scale modular dynamic and reconfigurable systems: they are composed of thousands of servers, on which virtual machines are activated, migrated, resized, etc. Their management covers issues like troubleshooting, reconfiguration, optimal control, in a setting where failures are frequent and mitigated by the performance of the management plane. We have a solid background in the coordination of the various autonomic managers that supervise the different functions/layers of such systems (hardware, middleware, web services, ...) Virtualization technologies now reach the domain of networking, and telecommunication operators/vendors evolve towards providers of distributed open clouds. This convergence of IT and networking strongly calls for new management paradigms, which is an opportunity for the team.

A current trend is to involve end-users in the collection and analysis of data. Examples of this trend are contributive science, crisis-management systems, and crowd-sourcing applications. All these applications are data-centric and user-driven. They are often distributed and involve complex, and sometimes dynamic, workflows. In many cases, there are strong interactions between data and control flows: indeed, decisions taken regarding the next tasks to be launched highly depend on collected data. For instance, in an epidemic-surveillance system, the aggregation of various reported disease cases may trigger alerts. Another example is crowd-sourcing applications, where user skills are used to complete tasks that are better performed by humans than computers. In return, this requires addressing imprecise and sometimes unreliable answers. We address several issues related to complex workflows and data. We study declarative and dynamic models that can handle workflows, data, uncertainty, and competence management.

Once these models are mature enough, we plan to build prototypes to experiment with them on real use cases from contributive science, health-management systems, and crowd-sourcing applications. We also plan to define abstraction schemes allowing formal reasoning on these systems.

SUMO was evaluated in spring 2019, and we took this opportunity to make several changes. First, we adapted the research axes of the team in our scientific foundations to reflect a slight topic drift over the last four years, which is also a consequence of modifications in the team composition. In particular, we now put emphasis on one emergent topic, namely population models. Last but not least, Éric Fabre stepped down as project-team leader and Nathalie Bertrand replaces him since April 2019.

Keywords: Active workspace - Collaborative systems - Artifact centric workflow system

Scientific Description: Tool for computer supported cooperative work where a user's workspace is given by an active structured repository containing the pending tasks together with information needed to perform the tasks. Communication between active workspaces is asynchronous using message passing. The tool is based on the model of guarded attribute grammars.

Authors: Éric Badouel and Robert Nsaibirni

Contact: Éric Badouel

URL: http://

*Simulator for stochastic regulated systems*

Keywords: Simulation - Public transport - Stochastic models - Distributed systems

Functional Description: SIMSTORS is a software for the simulation of stochastic concurrent timed systems. The heart of the software is a variant of stochastic and timed Petri nets, whose execution is controlled by a regulation policy (a controller), or a predetermined theoretical schedule. The role of the regulation policy is to control the system so as to realize objectives, or a schedule when one exists, with the best possible precision. SIMSTORS is well adapted to represent systems with randomness, parallelism, task scheduling, and resources. From 2015 to 2018, it was used for the P22 collaboration with Alstom Transport, to model metro traffic and evaluate the performance of regulation solutions. It is now (2019) at the heart of a collaboration on multi-modal networks with Alstom Transport Madrid. This software allows for step-by-step simulation, but also for efficient performance analysis of systems such as production cells or train systems. The initial implementation was released in 2015, and the software is protected by the APP.

Since then, SIMSTORS has been extended along two main axes. On the one hand, SIMSTORS models were extended to handle situations where shared resources can be occupied by more than one object (this is of paramount importance to represent conveyors, roads occupied by cars, or train tracks with smoothed scheduling allowing shared sections among trains), with priorities, constraints on their ordering and individual characteristics. This allows for instance to model vehicles with different speeds on a road, while handling safety-distance constraints. On the other hand, SIMSTORS models were extended to allow control of stochastic nets based on decision rules that follow optimization schemes. In 2019, it was extended to include planning-based regulation techniques during a collaboration with Roma Tre University.

Release Functional Description: modeling of continuous vehicles movements

Participants: Abd El Karim Kecir and Loïc Hélouët

Contact: Loïc Hélouët

**Participants :** Ocan Sankur, Nicolas Markey, Victor Roussanaly

**Participants :** Hugo Bazille, Nathalie Bertrand, Éric Fabre, Blaise Genest, Ocan Sankur

We introduced the concepts of long-run frequency of path properties for paths in Kripke structures, and their generalization to long-run probabilities for schedulers in Markov decision processes. We then studied the natural optimization problem of computing the optimal values of these measures, when ranging over all paths or all schedulers, and the corresponding decision problem when given a threshold. The main results are as follows. For (repeated) reachability and other simple properties, optimal long-run probabilities and corresponding optimal memoryless schedulers are computable in polynomial time. When it comes to constrained reachability properties, memoryless schedulers are no longer sufficient, even in the non-probabilistic setting. Nevertheless, optimal long-run probabilities for constrained reachability are computable in pseudo-polynomial time in the probabilistic setting and in polynomial time for Kripke structures. Finally, for co-safety properties expressed by NFA, we gave an exponential-time algorithm to compute the optimal long-run frequency, and proved the PSPACE-completeness of the threshold problem.
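The following Python script is an added illustration of the long-run frequency notion above; it is not code from the paper. It assumes the standard definition of the measure (the lim inf of the fraction of positions whose suffix satisfies the property), a constructed Kripke structure `KRIPKE` with initial state `s0` and target `t`, and a constrained property of the form F<=k target (reach the target within k steps). On an ultimately periodic path u.v^omega the frequency is just the fraction of positions of the period v whose suffix satisfies the property, so the script enumerates lassos built on simple cycles and compares them by brute force; this is only meant to make the values concrete, not to reproduce the paper's polynomial-time algorithms.

```python
"""Long-run frequency of a bounded-reachability property on a finite Kripke
structure.  Added illustration, not code from the paper.

Assumed definition: for an infinite path pi = s0 s1 s2 ... and a path property
phi, freq(pi, phi) = liminf_n (1/n) * |{ i < n : pi[i..] satisfies phi }|.
For an ultimately periodic path u.v^omega the limit exists and equals the
fraction of positions of one period v whose suffix satisfies phi, so lassos
with a simple cycle can be enumerated and compared by brute force."""
from itertools import cycle, islice
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Constructed Kripke structure (state -> successors); every state is non-blocking.
KRIPKE: Dict[str, List[str]] = {
    "s0": ["s1", "s3"],
    "s1": ["s2"],
    "s2": ["t"],
    "t": ["s0", "s4"],
    "s3": ["t"],
    "s4": ["s4"],
}
INIT = "s0"
TARGET: FrozenSet[str] = frozenset({"t"})


def bounded_reach(suffix: Iterable[str], k: int, target: FrozenSet[str]) -> bool:
    """phi = F<=k target: one of the first k+1 states of the suffix is a target."""
    return any(s in target for s in islice(suffix, k + 1))


def long_run_frequency(period: List[str], k: int, target: FrozenSet[str] = TARGET) -> float:
    """freq(u.v^omega, F<=k target): the prefix u never matters; position j of
    the period sees the infinite suffix v[j:] v[:j] v[j:] ... (itertools.cycle)."""
    hits = sum(
        bounded_reach(cycle(period[j:] + period[:j]), k, target) for j in range(len(period))
    )
    return hits / len(period)


def simple_cycles_from(init: str, graph: Dict[str, List[str]] = KRIPKE) -> List[List[str]]:
    """All simple cycles inside the part of the graph reachable from init.
    Each cycle is listed once, rotated so that its smallest state comes first."""
    reachable, stack = set(), [init]
    while stack:
        s = stack.pop()
        if s not in reachable:
            reachable.add(s)
            stack.extend(graph[s])
    cycles: List[List[str]] = []

    def dfs(start: str, cur: str, path: List[str]) -> None:
        for nxt in graph[cur]:
            if nxt == start:
                cycles.append(list(path))
            elif nxt > start and nxt not in path:
                path.append(nxt)
                dfs(start, nxt, path)
                path.pop()

    for s in sorted(reachable):
        dfs(s, s, [s])
    return cycles


def best_lasso(k: int, init: str = INIT, target: FrozenSet[str] = TARGET) -> Tuple[float, List[str]]:
    """Best long-run frequency of F<=k target over lassos with a simple cycle.
    Brute force for illustration, not the paper's polynomial-time algorithm."""
    best: Tuple[float, List[str]] = (0.0, [])
    for period in simple_cycles_from(init):
        f = long_run_frequency(period, k, target)
        if f > best[0]:
            best = (f, period)
    return best


if __name__ == "__main__":
    for k in range(3):
        print(k, best_lasso(k))
```

With plain reachability a lasso scores either 0 or 1 (the target is on the cycle or not), which is why such simple properties are easy; with the bounded variant the period `s0 s3 t` scores 1/3, 2/3 and 1 for k = 0, 1, 2, while the longer period `s0 s1 s2 t` only scores 1/4, 1/2 and 3/4, so the value genuinely depends on how positions are spaced along the cycle.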

We are interested in studying the evolution of large homogeneous populations of cells, where each cell is assumed to be composed of a group of biological players (species) whose dynamics is governed by a complex biological pathway, identical for all cells. Modeling the inherent variability of the species concentrations in different cells is crucial to understand the dynamics of the population. In this work, we focus on handling this variability by modeling each species by a random variable that evolves over time. This appealing approach runs into the curse of dimensionality, since exactly representing a joint probability distribution involving a large set of random variables quickly becomes intractable as the number of variables grows. To make this approach amenable to biopathways, we explore different techniques to (i) approximate the exact joint distribution at a given time point, and (ii) track its evolution as time elapses.

An important task in AI is one of classifying an observation as belonging to one class among several
(e.g. image classification). We revisit this problem in a verification context:
given

Diagnosis of partially observable stochastic systems prone to faults
was introduced in the late nineties. Diagnosability, *i.e.* the
existence of a diagnoser, may be specified in different ways: exact
diagnosability requires that almost surely a fault is detected and
that no fault is erroneously claimed; approximate diagnosability
tolerates a small error probability when claiming a fault; last,
accurate approximate diagnosability guarantees that the error
probability can be chosen arbitrarily small.

**Participants :** Loïc Hélouët, Nicolas Markey

**Participants :** Nathalie Bertrand, Loïc Hélouët, Ocan Sankur

**Participants :** Hervé Marchand

**Participants :** Arthur Queffelec, Nicolas Markey, Ocan Sankur

We are motivated by the increasing appeal of robots in information-gathering missions. In the problems we study, the agents must remain interconnected. We model an area by a topological graph specifying the movement and the connectivity constraints of the agents. We study the theoretical complexity of the reachability and the coverage problems of a fleet of connected agents on various classes of topological graphs. We establish the complexity of these problems on known classes, and introduce a new class called sight-moveable graphs, which admit efficient algorithms.

We introduce and study SL[F], a quantitative extension of SL (Strategy Logic), one of the most natural and expressive logics describing strategic behaviours. The satisfaction value of an SL[F] formula is a real value in [0,1], reflecting "how much" or "how well" the strategic on-going objectives of the underlying agents are satisfied. We demonstrate the applications of SL[F] in quantitative reasoning about multi-agent systems, by showing how it can express concepts of stability in multi-agent systems, and how it generalises some fuzzy temporal logics. We also provide a model-checking algorithm for our logic, based on a quantitative extension of Quantified CTL.

**Participants :** Nathalie Bertrand, Anirban Majumdar

Randomized fault-tolerant distributed algorithms pose a number of
challenges for automated verification: (i) parameterization in the
number of processes and faults, (ii) randomized choices and
probabilistic properties, and (iii) an unbounded number of
asynchronous rounds. This combination makes verification hard.
Challenge (i) was recently addressed in the framework of threshold
automata. We extended threshold automata to model randomized consensus
algorithms that perform an unbounded number of asynchronous rounds.
For non-probabilistic properties, we showed
that it is necessary and
sufficient to verify these properties under round-rigid schedules,
that is, schedules where processes enter round

**Participants :** Nathalie Bertrand, Blaise Genest, Anirban Majumdar

Traditional concurrent games on graphs involve a fixed number of
players, who take decisions simultaneously, determining the next state
of the game. We introduced a parameterized variant of
concurrent games on graphs, where the parameter is precisely the
number of players. Parameterized concurrent games are described by
finite graphs, in which the transitions bear regular languages to
describe the possible move combinations that lead from one vertex to
another. We considered the problem of determining whether the first
player, say Eve, has a strategy to ensure a reachability objective
against any strategy profile of her opponents as a coalition. In
particular Eve's strategy should be independent of the number of
opponents she actually has. Technically, we focused on an *a
priori* simpler setting where the languages labeling transitions only
constrain the number of opponents (but not their precise action
choices). These constraints are described as semilinear sets, finite
unions of intervals, or intervals. We established the precise
complexities of the parameterized reachability game problem, ranging
from PTIME-complete to PSPACE-complete, in a variety of situations
depending on the constraints (semilinear predicates, unions of
intervals, or intervals) and on the presence or not of
non-determinism.

**Participants :** Loïc Hélouët, Rituraj Singh

Crowdsourcing consists in hiring workers on the internet to perform large amounts of simple, independent and replicated work units. We have proposed complex workflows, a model for the concurrent orchestration of tasks to solve problems that are more intricate than simple tagging problems. Complex workflows allow higher-order answers, where workers can suggest a process to obtain data rather than a plain answer. It is a data-centric model based on the orchestration of concurrent tasks and higher-order schemes. We have considered formal properties of specifications described with this model: termination (whether some/all runs of a complex workflow terminate) and correctness (whether some/all runs of a workflow terminate with data satisfying FO requirements). We have shown that existential termination/correctness are undecidable in general, except for specifications with bounded recursion. However, universal termination/correctness are decidable when constraints on inputs are specified in a decidable fragment of FO, and are at least in 2EXPTIME.

**Participants :** Adrian Puerto Aubel, Éric Badouel

The visit of Joskel Ngoufo, a doctoral student at Yaoundé University, was the occasion to initiate a new implementation of the Guarded Attribute Grammars engine in the Racket language, a dialect of Lisp in which metalanguage facilities and graphical interfaces are easier to handle than in Haskell, the language chosen for the previous implementation.

The collaboration with Carlo Ferigato is in line with the latter's thesis subject. The set of regions of a condition/event transition system represents all the possible local states of a net system whose behaviour is specified by the transition system. This set can be endowed with a structure so as to form an orthomodular partial order. Given such a structure, one can then define another condition/event transition system. We study cases in which this second transition system has the same collection of regions as the first one; when it is so, the structure of regions is called stable. To this aim, we proposed a composition operation and a refinement operation for stable orthomodular partial orders, the results of which are again stable.

**Participants :** Hugo Bazille, Sihem Cherrared, Éric Fabre, Blaise Genest, Thierry Jéron, The Anh Pham

Unfolding-based Dynamic Partial Order Reduction (UDPOR) is a recent
technique combining Dynamic Partial Order Reduction (DPOR) with
concurrency-theoretic concepts such as unfoldings to efficiently
mitigate state-space explosion in the model checking of concurrent
programs. It is optimal in the sense that each Mazurkiewicz trace,
*i.e.* a class of interleavings equivalent up to commuting
independent actions, is explored exactly once. In this work we show
that UDPOR can be extended to verify asynchronous distributed
applications, where processes both communicate by messages and
synchronize on shared resources. To do so, a general model of
asynchronous distributed programs is formalized in TLA+. This makes
it possible to define an independence relation, the main ingredient
of the unfolding semantics used during the UDPOR exploration. Then,
the adaptation of UDPOR, which builds the unfolding during the
execution of the application (*i.e.* with no model of the
application other than the code itself), is made efficient by a
precise analysis of dependencies. A prototype implementation gives
promising experimental results.
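As an added illustration of the trace-equivalence idea behind DPOR (example code written for this page, not the UDPOR prototype or the SimGrid code mentioned above), the Python script below enumerates every interleaving of a small constructed program, groups them into Mazurkiewicz traces by computing the Foata normal form as a canonical representative, and then checks a reachability property on one representative per trace only. The action format (process, operation, variable), the dependency relation and the three-thread program are assumptions chosen for the example; UDPOR itself builds an unfolding on the fly instead of enumerating interleavings first.

```python
# Added example: Mazurkiewicz traces and "explore each trace once" on a toy program.
# Actions are constructed triples (process, op, variable) with op in {"r", "w"}.


def dependent(a, b):
    """Two actions are dependent if they belong to the same process or if they
    touch the same variable and at least one of them writes it (read/read is
    independent). This is the assumed independence relation for the example."""
    return a[0] == b[0] or (a[2] == b[2] and "w" in (a[1], b[1]))


def interleavings(procs):
    """All interleavings of the processes that preserve each process's order."""
    pos = [0] * len(procs)
    prefix = []

    def rec():
        if all(pos[i] == len(p) for i, p in enumerate(procs)):
            yield tuple(prefix)
            return
        for i, p in enumerate(procs):
            if pos[i] < len(p):
                prefix.append(p[pos[i]])
                pos[i] += 1
                yield from rec()
                pos[i] -= 1
                prefix.pop()

    return list(rec())


def foata_normal_form(word):
    """Canonical representative of the Mazurkiewicz trace of `word`: a sequence
    of steps, each step a sorted tuple of pairwise independent actions. Each
    action is placed in the step right after the last step holding an action it
    depends on. Two words are trace-equivalent iff their Foata forms coincide."""
    steps = []
    for a in word:
        k = -1
        for i in range(len(steps) - 1, -1, -1):
            if any(dependent(a, b) for b in steps[i]):
                k = i
                break
        if k + 1 == len(steps):
            steps.append([a])
        else:
            steps[k + 1].append(a)
    return tuple(tuple(sorted(s)) for s in steps)


def trace_representatives(procs):
    """One interleaving per Mazurkiewicz trace (what an optimal DPOR explores)."""
    seen = {}
    for w in interleavings(procs):
        seen.setdefault(foata_normal_form(w), w)
    return list(seen.values())


def run(word):
    """Execute an interleaving: a write stores the writing process's name."""
    state = {}
    for proc, op, var in word:
        if op == "w":
            state[var] = proc
    return state


def final_values(words, var):
    """Set of final values of `var` reached over the given interleavings."""
    return {run(w).get(var) for w in words}


# Constructed program: each thread writes a private variable, then A and B both
# write the shared variable x while C writes the unrelated variable y.
PROGRAM = [
    [("A", "w", "a"), ("A", "w", "x")],
    [("B", "w", "b"), ("B", "w", "x")],
    [("C", "w", "c"), ("C", "w", "y")],
]

if __name__ == "__main__":
    full = interleavings(PROGRAM)
    reduced = trace_representatives(PROGRAM)
    print(len(full), "interleavings,", len(reduced), "Mazurkiewicz traces")
    print("final x, full exploration:  ", final_values(full, "x"))
    print("final x, one run per trace: ", final_values(reduced, "x"))
```

On this program the 90 interleavings collapse to 2 traces, because the only cross-thread dependency is the pair of writes to x; the set of reachable final values of x is the same whether all interleavings or only the two representatives are executed, which is exactly the soundness argument for exploring one run per trace.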

Model-based methods have been recognised as the most appropriate approach to fault diagnosis in telecommunication networks, as they not only help in detecting and classifying failures, but also provide useful explanations about the propagation of faults in such large distributed and concurrent systems. However, the bottleneck of these methods is of course the derivation and validation of a relevant model. We have explored two techniques in this direction, based on fault/stress injection.

Deep neural networks are as effective at their respective tasks as they are hard for a human to understand. To use them in critical applications, they should not only be understood, they must be certified. We surveyed a large number of recent attempts to formally certify deep neural networks obtained by deep machine learning techniques. Most of the current work focuses on feedforward networks and on the problem of certifying their robustness.
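As an added example of one family of such certification techniques, interval bound propagation (illustration code written for this page, not code from any of the surveyed works), the Python below pushes an L-infinity input box through a tiny constructed ReLU network and certifies the prediction only when the lower bound of the predicted logit exceeds the upper bound of every other logit. The weights, the input point and the radii are assumptions; interval propagation is sound but incomplete, so a failure to certify is not evidence of an adversarial example.

```python
# Added example: interval bound propagation (IBP) on a constructed ReLU network.
# A network is a list of (W, b) layers; ReLU is applied after every layer
# except the last, whose outputs are the class logits.

NET = [  # assumed toy weights: two inputs, two hidden units, two classes
    ([[1.0, 0.5], [-0.5, 1.0]], [0.0, 0.0]),
    ([[1.0, -1.0], [-1.0, 1.0]], [0.0, 0.0]),
]


def affine(W, b, x):
    """Concrete layer evaluation: W x + b."""
    return [sum(w * xi for w, xi in zip(row, x)) + bi for row, bi in zip(W, b)]


def affine_bounds(W, b, lo, hi):
    """Sound interval propagation through W x + b: for the output's lower bound a
    positive weight takes the input's lower bound and a negative weight takes the
    input's upper bound; symmetrically for the output's upper bound."""
    out_lo, out_hi = [], []
    for row, bi in zip(W, b):
        l = bi + sum(w * (lo[j] if w >= 0 else hi[j]) for j, w in enumerate(row))
        u = bi + sum(w * (hi[j] if w >= 0 else lo[j]) for j, w in enumerate(row))
        out_lo.append(l)
        out_hi.append(u)
    return out_lo, out_hi


def relu_bounds(lo, hi):
    """ReLU is monotone, so it can be applied to both ends of the interval."""
    return [max(v, 0.0) for v in lo], [max(v, 0.0) for v in hi]


def forward(net, x):
    """Concrete prediction: the logits of the network on input x."""
    for i, (W, b) in enumerate(net):
        x = affine(W, b, x)
        if i < len(net) - 1:
            x = [max(v, 0.0) for v in x]
    return x


def logit_bounds(net, x, eps):
    """Lower/upper bounds on every logit over the L-infinity ball of radius eps around x."""
    lo = [v - eps for v in x]
    hi = [v + eps for v in x]
    for i, (W, b) in enumerate(net):
        lo, hi = affine_bounds(W, b, lo, hi)
        if i < len(net) - 1:
            lo, hi = relu_bounds(lo, hi)
    return lo, hi


def certify(net, x, eps):
    """Return (predicted class, certified). The prediction is certified robust on
    the eps-ball when the lower bound of its logit exceeds the upper bound of
    every other logit. IBP is sound but incomplete: False only means the
    intervals were too loose to prove robustness."""
    logits = forward(net, x)
    c = max(range(len(logits)), key=logits.__getitem__)
    lo, hi = logit_bounds(net, x, eps)
    certified = all(lo[c] > hi[k] for k in range(len(logits)) if k != c)
    return c, certified


if __name__ == "__main__":
    x = [3.0, 1.0]  # constructed input point
    for eps in (0.5, 2.0):
        c, ok = certify(NET, x, eps)
        print(f"eps={eps}: predicted class {c}, certified robust: {ok}")
```

For the constructed point the prediction is certified at radius 0.5 (the logit intervals are [2.5, 4.25] against [-4.25, -2.5]) but not at radius 2.0, where the intervals overlap. Tighter methods in the surveyed literature (linear relaxations, complete solvers based on MILP or SMT) exist precisely because interval arithmetic loses the correlation between neurons at every layer.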

Several researchers of SUMO are involved in the joint research lab of
Nokia Bell Labs France and Inria. We participate in the common
research team SAPIENS (Smart Automated and Programmable
Infrastructures for End-to-end Networks and Services), previously
named “Softwarization of Everything.” This team involves several
other Inria teams: Convecs, Diverse and Spades. SUMO focuses on the
management of reconfigurable systems, both at the edge (IoT based
applications) and in the core (*e.g.* virtualized IMS
systems). In particular, we study control and diagnosis issues for
such systems.

Two PhD students are involved in the project. Erij Elmajed (3rd year), on the topic of Diagnosis of virtualized and reconfigurable systems supervised by Éric Fabre and Armen Aghasaryan (Nokia Bell Labs). Abdul Majith (started in January 2019) on Controller Synthesis of Adaptive Systems, supervised by Hervé Marchand, Ocan Sankur and Dinh Thai Bui (Nokia Bell Labs).

SUMO takes part in IOLab, the common lab of Orange Labs and Inria, dedicated to the design and management of Software Defined Networks. Our activities concern the diagnosis of malfunctions in virtualized multi-tenant networks.

This collaboration supports one Cifre PhD student, Sihem Cherrared (2nd year), supervised by Éric Fabre, Gregor Goessler (Inria Spades, Grenoble) and Sofiane Imadali (Orange Labs).

Several researchers of SUMO are involved in the joint research lab of Alstom and Inria, in a common research team called P22. On the Alstom side, this joint research team involves researchers of the ATS division (Automatic Train Supervision). The objective of this joint team is to evaluate regulation policies of urban train systems, to assess their robustness to perturbations and failures, to design more efficient regulation policies and finally to provide decision support for human regulators. The P22 project between Alstom and Inria ended in 2018. However, our collaboration with Alstom Transport continues. One of the outcomes of this collaboration is the PhD defense of Karim Kecir in July 2019.

Several researchers of SUMO are involved in a collaboration on the verification of real-time systems with the "Information and Network Systems (INS)" team led by David Mentré of the "Communication & Information Systems (CIS)" division of MERCE Rennes. The members of the team at MERCE work on different aspects of formal verification. Currently the SUMO team and MERCE jointly supervise a Cifre PhD student (Emily Clément) funded by MERCE since fall 2018; the thesis is about robustness of reachability in timed automata. Moreover Reiya Noguchi, a young engineer and member of MERCE on leave from a Japanese operational division of Mitsubishi, has also been hosted and co-supervised by the SUMO team since the beginning of 2019, one day per week; we collaborate with him on the consistency of timed requirements.

Individual grant, led by Nicolas Markey

The objective of this project is to explore two research directions in the continuity of recent works: a truly quantitative theory of formal verification on the one hand, and the development of strategy-synthesis algorithms for modular systems on the other hand. It ended in June 2019.

Led by Ocan Sankur (SUMO);

SUMO participants: Emily Clément, Léo Henry, Thierry Jéron, Nicolas Markey, Victor Roussanaly, Ocan Sankur

Partners: LSV (Cachan), ISIR (Paris), LaBRI (Bordeaux), LRDE (Paris), LIF (Marseille)

The aim of TickTac is to develop novel algorithms for the verification and synthesis of real-time systems using the timed automata formalism. One of the project's objectives is to develop an open-source and configurable model checker which will allow the community to compare algorithms. The algorithms and the tool will be used on a motion planning case study for robotics.

Led by David Gross-Amblard (Université Rennes 1);

Participants : Éric Badouel, Loïc Hélouët, Adrian Puerto Aubel, Rituraj Singh;

Partners: Inria Project-Teams Valda (Paris), DRUID (Rennes), SUMO (Rennes), Links (Lille), MNHN, Foule Factory.

The objective of this project is to develop techniques to facilitate the development, deployment, and monitoring of crowd-based participative applications. This requires handling complex workflows with multiple participants, uncertainty in data collection, incentives, skills of contributors, etc. To overcome these challenges, Headwork will define rich workflows with multiple participants, data and knowledge models to capture various kinds of crowd applications with complex data acquisition tasks and human specificities. We will also address methods for deploying, verifying, optimizing, but also monitoring and adapting crowd-based workflow executions at run time.

Led by Arnaud Legrand (Inria Grenoble Rhône-Alpes)

Participants: Thierry Jéron, The Anh Pham.

Partners: Inria project-teams Avalon (Lyon), POLARIS (Grenoble), HiePACS, STORM (Bordeaux), MExICo (Saclay), MYRIADS, SUMO (Rennes), VeriDis (Nancy).

The Inria Project Lab HAC-SPECIS (High-performance Application and Computers, Studying PErformance and Correctness In Simulation) is a transversal project internal to Inria. The goal of the HAC SPECIS project is to answer the methodological needs raised by the recent evolution of HPC architectures by allowing application and runtime developers to study such systems both from the correctness and performance points of view. Inside this project, we collaborate with Martin Quinson (Myriads team) on the dynamic formal verification of high performance runtimes and applications. The PhD of The Anh Pham is funded by this project.

This year we have mainly been interested in the extension of the SimGrid programming model of MPI with synchronization primitives, the formalisation of this model in TLA+, and its adaptation to dynamic partial-order reduction (DPOR) methods, which reduce the explored state space. A prototype implementation of an existing method that combines DPOR with true-concurrency models has been experimented on toy examples. The Anh Pham completed his PhD in December 2019.

The team collaborates with the following researchers:

Béatrice Bérard (LIP6, Paris 6) on problems of opacity and diagnosis, and on problems related to logics and partial orders for security;

Patricia Bouyer (LSV, ENS Paris-Saclay) on the analysis of probabilistic timed systems and quantitative aspects of verification;

Thomas Chatain and Stefan Haar (Inria team MExICo, LSV, ENS Paris-Saclay) on topics related to concurrency and time, and to modeling and verification of metro networks, multimodal systems and passenger flows;

Gwenaël Delaval and Éric Rutten (Inria team Ctrl-A, LIG,
Université Grenoble-Alpes) on the control of reconfigurable
systems and the link between Reax and Heptagon/BZR
(http://

Serge Haddad (Inria team MExICo, LSV, ENS Paris-Saclay) on opacity and diagnosis;

Loïg Jézéquel (LS2N, Université de Nantes) on stochastic and timed nets, and on distributed optimal planning;

Didier Lime and Olivier H. Roux (LS2N, Université de Nantes) on stochastic and timed Petri nets;

François Laroussinie (IRIF, UP7-Diderot) on logics for multi-agent systems.

**LIRIMA**: International Laboratory for Research in Computer Science and Applied Mathematics

Associate Team involved in the international lab LIRIMA.

Title: Flexible user-centric higher-order systems for collective intelligence in agencies

International Partner

U. Yaoundé (Cameroon) Georges-Edouard Kouamou

Start year: 2019

See also: https://

Develop methods and tools, based on guarded attribute grammars, to design flexible and adaptive systems for information gathering and deliberation in order to collaboratively build expertise in health emergency situations.

Title: Efficient Quantitative Verification

International Partner

Indian Institute of Technology Bombay (India) - Dpt of Computer Science and Engineering - S. Akshay

Start year: 2018

See also: http://

Formal verification has been addressed for a long time. A lot of effort has been devoted to Boolean verification, i.e., the formal analysis of systems that checks whether a given property is true or false.

In many settings, a Boolean verdict is not sufficient. The notions of interest are for instance the amount of confidential information leaked by a system, the proportion of some protein after a duration in some experiment in a biological system, whether a distributed protocol satisfies some property only for a bounded number of participants... This calls for quantitative verification, in which algorithms compute a value such as the probability for a property to hold, the mean cost of runs satisfying it, the time needed to achieve a complex workflow...

A second limitation of formal verification is the efficiency of algorithms. Even for simple questions, verification rapidly becomes PSPACE-complete. However, some classes of models allow polynomial-time verification. The key techniques to master complexity are to exploit concurrency, approximation, etc.

The objective of this project is to study efficient techniques for quantitative verification, and develop efficient algorithms for models such as stochastic games, timed and concurrent systems.
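To make the first of the quantities listed above concrete, here is an added example (written for this page, not the project's own code) that measures, in bits, how much a password checker leaks through an observable such as the number of characters it compares before exiting. It computes the Bayes vulnerability of the secret before and after observing the channel output, and the resulting min-entropy leakage, for an early-exit comparison and for a constant-time one. The secret space (3-character binary passwords), the uniform prior, the attacker's guess and the two comparison routines are constructed assumptions.

```python
# Added example: min-entropy leakage of a deterministic channel from secret to
# observable, applied to an early-exit and a constant-time password comparison.
from fractions import Fraction
from itertools import product
import math


def leaky_compare(secret, guess):
    """Early-exit comparison; the observable is the number of characters compared."""
    compared = 0
    for s, g in zip(secret, guess):
        compared += 1
        if s != g:
            break
    return compared


def constant_time_compare(secret, guess):
    """No early exit: the number of characters compared never depends on the secret."""
    compared = 0
    for s, g in zip(secret, guess):
        compared += 1
    return compared


def deterministic_channel(secrets, observe):
    """Channel matrix C[x][y] = P(y | x) for a deterministic observation function."""
    return {x: {observe(x): Fraction(1)} for x in secrets}


def uniform_prior(secrets):
    return {x: Fraction(1, len(secrets)) for x in secrets}


def prior_vulnerability(prior):
    """Probability that a one-shot guess of the secret succeeds before observing anything."""
    return max(prior.values())


def posterior_vulnerability(prior, channel):
    """Expected success probability of a one-shot guess after seeing the output:
    sum over outputs y of max over secrets x of P(x) * P(y | x)."""
    outputs = {y for row in channel.values() for y in row}
    return sum(
        max(prior[x] * channel[x].get(y, Fraction(0)) for x in prior) for y in outputs
    )


def min_entropy_leakage(prior, channel):
    """Leakage in bits: log2(posterior vulnerability / prior vulnerability)."""
    ratio = float(posterior_vulnerability(prior, channel)) / float(prior_vulnerability(prior))
    return math.log2(ratio)


# Constructed secret space and attacker input.
SECRETS = ["".join(bits) for bits in product("01", repeat=3)]
GUESS = "000"
PRIOR = uniform_prior(SECRETS)
LEAKY = deterministic_channel(SECRETS, lambda s: leaky_compare(s, GUESS))
CONSTANT = deterministic_channel(SECRETS, lambda s: constant_time_compare(s, GUESS))

if __name__ == "__main__":
    for name, chan in (("early-exit", LEAKY), ("constant-time", CONSTANT)):
        print(
            f"{name}: prior vulnerability {prior_vulnerability(PRIOR)},",
            f"posterior {posterior_vulnerability(PRIOR, chan)},",
            f"leakage {min_entropy_leakage(PRIOR, chan):.3f} bits",
        )
```

With eight equiprobable secrets the early-exit checker raises the attacker's one-shot success probability from 1/8 to 3/8 for a single query, i.e. log2(3) bits of min-entropy leakage, while the constant-time checker leaks 0 bits. The channel-matrix representation is general: a probabilistic observable (a noisy timing measurement, say) is expressed by giving each secret a distribution over outputs instead of a single output, and the same two vulnerability functions apply unchanged.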

The team collaborates with the following researchers:

S. Akshay (IIT Bombay, India) on timed concurrent models;

Andrea D'Ariano (University Roma Tre, Italy), on train regulation.

Christel Baier (Technical University of Dresden, Germany) on verification and control of stochastic systems;

Thomas Brihaye (Université de Mons, Belgium) on the verification of stochastic timed systems;

Gilles Geeraerts and Jean-François Raskin, (Université Libre de Bruxelles, Belgium) on multiplayer game theory and synthesis;

Alessandro Giua and Michele Pinna (University Cagliari, Italy) on diagnosis and unfolding techniques for concurrent systems.

Igor Konnov (Interchain, Austria), Marijana Lazić (Technical University Munich, Germany) and Josef Widder (Interchain, Austria) on the automated verification of randomized distributed algorithms.

Stéfane Lafortune (University of Michigan, USA) on the control of cyber-physical systems;

Kim G. Larsen (University Aalborg, Denmark) on quantitative timed games, and on topics related to urban train systems modeling;

John Mullins (Polytechnique Montréal, Canada) on security and opacity;

Mickael Randour (Université de Mons, Belgium) on quantitative games for synthesis.

S. Akshay (IIT Bombay, India) visited the team for one week.

Christel Baier and Jakob Piribauer (TU Dresden, Germany) visited the SUMO team for one week in September.

Khushraj Nanik Madnani (IIT Bombay, India) visited our team during two months.

Laurie Ricker (Mount Allison University, Canada) visited the team during 2 months.

Graeme Zinck (Mount Allison University, Canada) visited our team during four months. He obtained a $5000 grant provided by Mitacs through a collaboration between Mount Allison University (L. Ricker) and Inria (Loïc Hélouët and Hervé Marchand). Two papers are in preparation (one regarding the enforcement of opacity for modular systems, submitted to the IFAC World Congress, and the other about the enforcement of concurrent secrets for multiple systems).

Pierre Boudart, ENS Ulm, June-July 2019, Éric Fabre.

Kritin Garg and Sharvik Mital, IIT Bombay, May-July 2019, Éric Fabre, Blaise Genest and Loïc Hélouët.

Mathieu Poirier, ENS Rennes, May-July 2019, Éric Badouel and Adrian Puerto Aubel.

Bastien Thomas, ENS Rennes, Feb-July 2019, Nathalie Bertrand.

Hervé Marchand is a member of the IFAC Technical Committees (TC 1.3 on Discrete Event and Hybrid Systems). He is the president of the steering committee of MSR (modélisation de systèmes réactifs).

Nathalie Bertrand and Nicolas Markey are members of the steering committee of
the Summer School MOVEP (*Modélisation et Vérification des Processus
Parallèles*).

Blaise Genest is a member of the steering committee of the international workshop FMAI (*Formal Methods and Artificial Intelligence*).

Blaise Genest coorganized the 2nd workshop FMAI 2019 (Rennes, 2-3 May 2019).

Éric Badouel was member of the Program Committees of VECOS, ATAED, ICTAC, CRI, and JIMIS in 2019.

Nathalie Bertrand was a member of the Program Committees of the following international events: TIME'19, RP'19, MFCS'19.

Éric Fabre was a member of the Program Committee of CREST'19.

Blaise Genest was a member of the Program Committee of FMAI'19.

Loïc Hélouët was member of the Program Committee of ACSD'2019.

Thierry Jéron served on the Program Committees of ICTSS'19 and SAC-SVT'20.

Nicolas Markey was a member of the Program Committee of LATA'20.

Ocan Sankur was a member of the Program Committee of FORMATS'19.

In 2019, members of SUMO reviewed submissions for the following conferences: VECOS, ATAED, CARI, ICTAC, CONCUR, SOFSEM, FOCS, ATVA, VMCAI, ICALP, SAC-SVT, TAP, ACSD, MFCS, STACS, WODES, HSCC, FSTTCS, CSL, AAMAS, TACAS, FoSSaCS, LICS, PODC, MORE, RP.

Éric Badouel is co-editor-in-Chief of ARIMA Journal.

Hervé Marchand has been an associate editor of the journal Discrete Event Dynamical Systems - Theory and Applications since January 2019.

In 2019, members of SUMO reviewed submissions for the following journals: Automatica, Fundamenta Informaticae, Information and Computation, The Scientific Annals of Computer Science, Science of Computer Programming, ACM Transactions on Computational Logic, ACM Transactions on Embedded Computing Systems, Journal of Systems and Software, Mathematical Reviews (MathSciNet), Journal of Discrete Event Dynamical Systems, Formal Methods in System Design, Software Testing, Verification and Reliability, Journal of Logic and Computation, IEEE Transactions on Automatic Control, PLoS ONE, Performance Evaluation, Artificial Intelligence, Journal of Logic and Algebraic Methods in Programming, Logical Methods in Computer Science, ACM Transactions on Modeling and Computer Simulation.

Nathalie Bertrand gave an invited talk at the international conference Formats'19 on Taming real-time stochastic systems.

Blaise Genest was invited to the workshop SinFra'19 in Singapore and gave a talk on Trust in AI.

Léo Henry was invited to a workshop on test generation by IMDEA (Madrid) to give a talk about test generation for timed automata using games.

Nathalie Bertrand is the co-head of the *Groupe de Travail Vérif* (together
with Pierre-Alain Reynier (LIS, Marseille)) which is part of *GDR
Informatique Mathématique (GDR-IM)*.

Nathalie Bertrand was a reviewer for Thelam Fund and FWO (Belgium) and Grenoble-MSTIC. She served on the HCERES committee for Vérimag.

Blaise Genest was reviewer for a DIGICOSME project.

Loïc Hélouët was reviewer for ANR.

Thierry Jéron was a reviewer for NWO (Netherlands Organisation for Scientific Research).

Nicolas Markey served on the HCERES committee for LACL.

Éric Badouel is the co-director (with Moussa Lo, UGB, Saint-Louis du Sénégal) of LIRIMA, the Inria International Lab for Africa. He is scientific officer for the African and Middle-East region at Inria DPEI (European and International Partnership Department). He is member of the executive board of GIS SARIMA.

Nathalie Bertrand was nominated member of the Conseil National des Universités, section 27 (computer science) until November 2019.

Emily Clément is a representative of PhD students in the Comité de Centre of Inria Rennes.

Éric Fabre is the co-director (with Olivier Audouin, Nokia) of the joint lab of Nokia Bell Labs France and Inria. The lab has been running for 9 years and started its 3rd phase of joint research teams in Nov. 2017. A series of 6 new joint research teams started in 2017, for a duration of 4 years. They cover topics like network virtualization, network management, information theory, (distributed) machine learning, and network security. SUMO is involved in the joint team SAPIENS.

Éric Fabre is also a member of Inria Evaluation Commission since September 2019.

Loïc Hélouët is a member of the Inria CNHSCT (committee for health and safety). He is also a substitute member of the Comité de Centre of Inria Rennes. He leads a working group of the committee on harassment, and another on daily-life improvement. He is a member of a commission at IRISA on harassment.

Thierry Jéron is a member of the IFIP Working Group 10.2 on Embedded Systems. He is a member of the Comité d'orientation scientifique (COS) of IRISA Rennes. He was member of the Comité de Centre of Inria Rennes until mid-2019. Since 2016 he is “référent chercheur” for the Inria-Rennes research center.

Hervé Marchand was chairman of the *Commission des utilisateurs des
moyens informatiques* (CUMI) in Rennes until December 2019. He has
been an elected member of the Comité de Centre at Inria Rennes since
June 2019.

Nicolas Markey manages the mentoring programme at Irisa/InriaRBA; this programme aims at having senior researchers transfer their experience to younger colleagues (including PhD students and postdocs). The programme currently concerns about 30 mentor/mentee pairs.

Licence: Nathalie Bertrand, Advanced Algorithms (ALGO2), 20h, L3, Univ Rennes 1, France;

Licence: Loïc Hélouët, JAVA and algorithms, L2, 40h, INSA de Rennes, France.

Master: Éric Badouel, Logic and argumentation, 32h, Univ Yaoundé I, Cameroon.

Master: Nathalie Bertrand, Language Theory; Algorithms, 20h, Agrégation, ENS Rennes, France.

Master: Éric Fabre, Models and Algorithms for Distributed Systems (MADS), 10h, M2, Univ Rennes 1, France;

Master: Éric Fabre, Information Theory, 15h, M1, ENS Rennes, France.

Master: Loïc Hélouët, Algorithms, 4h, Agrégation, ENS Rennes, France;

Master: Loïc Hélouët, Algorithms and proof, 12h, Agrégation, ENS Rennes, France;

Master: Nicolas Markey, Verification of Complex Systems (CSV), 15h, M2, Univ Rennes 1, France;

Master: Nicolas Markey, Algorithms, 12h, Agrégation, ENS Rennes, France;

Master: Ocan Sankur, Verification of Complex Systems (CSV), 10h, M2, Univ Rennes 1, France;

Master: Ocan Sankur, *Travaux pratiques*, Analyse et Conception Formelle (ACF), 22h, M1, Univ Rennes 1, France;

PhD: Robert Fondze Jr Nsaibirni, A Guarded Attribute Grammar Based Model for User Centered, Distributed, and Collaborative Case Management – Case of the Disease Surveillance Process , supervised by Éric Badouel. Defended at the University of Yaoundé I, Cameroon in April 2019.

PhD: Karim Kecir, Performance Evaluation of Urban Rail Traffic Management Techniques , supervised by Loïc Hélouët and Pierre Dersin (Alstom), Université Rennes 1, July 2019.

PhD: Samy Jaziri, Automata on Timed Structures, supervised by Nicolas Markey, Université Paris Saclay, September 2019.

PhD: Mauricio Gonzalez, Stochastic Games on Graphs with Applications to Smart-Grids Optimization, supervised by Nicolas Markey, Université Paris Saclay, November 2019.

PhD: Hugo Bazille, Detection and Quantification of Events in Stochastic Systems , supervised by Blaise Genest and Éric Fabre, Université Rennes 1, December 2019.

PhD: The Anh Pham, Efficient state-space exploration for asynchronous distributed programs - Adapting unfolding-based dynamic partial order reduction to MPI programs , supervised by Thierry Jéron and Martin Quinson (Myriads, Inria Rennes), ENS Rennes, December 2019.

PhD in progress: Sihem Cherrared, Diagnosis of multi-tenant programmable networks, started Dec. 2016, Éric Fabre, Gregor Goessler (Inria, Spades) and Sofiane Imadali (Orange).

PhD in progress: Emily Clément, Verification and synthesis of control systems: efficiency and robustness, started Dec. 2018, supervised by Thierry Jéron, Nicolas Markey, and David Mentré (Mitsubishi Electric).

PhD in progress: Rodrigue Djeumen Djatcha, Collaborative Model for Urban Crowdsourcing, started in September 2017, University of Douala, Cameroon, supervised by Éric Badouel.

PhD in progress: Erij Elmajed, Diagnosis of reconfigurable systems, started March 2017, Éric Fabre and Armen Aghasaryan (Nokia).

PhD in progress: Léo Henry, Optimal test-case generation with game theory, started Oct. 2018, supervised by Thierry Jéron and Nicolas Markey.

PhD in progress: Abdul Majith, Control of Adaptive Systems, started in Jan. 2019, supervised by Hervé Marchand, Ocan Sankur, and Dinh Thai-Bui (Nokia Bell Labs).

PhD in progress: Anirban Majumdar, Games for distributed networks: models and algorithms, ENS Paris Saclay, started Sept 2018, supervised by Nathalie Bertrand and Patricia Bouyer (LSV).

PhD in progress: Arthur Queffelec, Tradeoff between Robustness and Optimality in Strategic Reasoning, started Nov. 2018, supervised by Ocan Sankur and François Schwarzentruber (Logica, IRISA).

PhD in progress: Victor Roussanaly, Efficient verification of timed systems, started Sep. 2017, supervised by Nicolas Markey and Ocan Sankur.

PhD in progress: Suman Sadhukhan, Modelling and parameterized verification of mobile networks, started Oct. 2018, supervised by Nathalie Bertrand, Nicolas Markey and Ocan Sankur.

PhD in progress: Rituraj Singh, Data-centric Workflows for Crowdsourcing Applications, started Feb. 2018, supervised by Loïc Hélouët.

PhD in progress: Bastien Thomas, Automated verification of randomized distributed algorithms, started in Oct. 2019, supervised by Nathalie Bertrand and Josef Widder (Interchain, Austria).

Nathalie Bertrand supervised the master's thesis (M2) of Bastien Thomas, feb-june 2019.

Blaise Genest and Léo Henry supervise (2 h/week during 6 months) Alexandre Drewery, a master 1 student. The topic is reinforcement learning of mixed discrete/continuous systems.

L3 Internship of Pierre Boudard, ENS ULM, supervised by Éric Fabre.

L2 Internship of Kritin Garg, supervised by Éric Fabre and Blaise Genest.

L3 Internship of Sharvik Mital, supervised by Blaise Genest and Loïc Hélouët.

L3 Internship of Mathieu Poirier, supervised by Éric Badouel and Adrian Puerto Aubel.

Nathalie Bertrand was an examiner for the PhD thesis of Damien Busatto-Gaston (Université Aix-Marseille, December 2019).

Éric Fabre was a member of the jury for the PhD in Computer Science of Maha Mdini, Institut Mines Telecom (IMT) Atlantique, September 2019.

Blaise Genest was a reviewer for the PhD of Sukanya Basu, IIT Bombay, India.

Hervé Marchand was an examiner in the PhD defense of Raphael Jakse, Université Grenoble Alpes in December 2019.

Nicolas Markey was a reviewer for the PhD thesis of Nicola Gigante, Jan 2019, University Udine, Italy.

Nathalie Bertrand was in the *Moyens incitatifs* committee for Inria Rennes Bretagne Atlantique in 2019.

Éric Fabre was in the hiring committee for CRCN positions at Inria Rennes Bretagne Atlantique in 2019.

Ocan Sankur was in the hiring committee for two Maitre de conférences positions at Université de Nantes in 2019.

Nicolas Markey is involved in the organization of action "J'Peux Pas, J'Ai Informatique", whose aim is to break down stereotypes about computer science for 12-year-old pupils.