Confluence reduction for Markov automata

Contents lists available atScienceDirect

Theoretical

Computer

Science

www.elsevier.com/locate/tcs

Confluence

reduction

for

Markov

automata

✩

Mark Timmer

a

,

∗

,

Joost-Pieter Katoen

a

,

b

,

Jaco van de Pol

a

,

Mariëlle Stoelinga

a a_{FormalMethodsandTools,FacultyofEEMCS,UniversityofTwente,TheNetherlands}

b_{SoftwareModellingandVerification,RWTHAachenUniversity,Germany}

a

r

t

i

c

l

e

i

n

f

o

a

b

s

t

r

a

c

t

Articlehistory: Received 7 July 2015 Accepted 12 January 2016 Available online 19 January 2016 Keywords:

Markov automata Confluence State space reduction Process algebra

Divergence-sensitive branching bisimulation Partial order reduction

Markovautomataareanovelformalismforspecifyingsystemsexhibitingnondeterminism, probabilisticchoicesandMarkovianrates.Asexpected,thestatespaceexplosionthreatens theanalysabilityofthesemodels.WethereforeintroduceconfluencereductionforMarkov automata, a powerful reduction technique to keep them small by omitting internal transitions.WedefinethenotionofconfluencedirectlyonMarkovautomata,anddiscuss additionallyhowtosyntacticallydetectconfluenceontheprocess-algebraiclanguageMAPA thatwasintroducedrecently.Thatway,MarkovautomatageneratedbyMAPAspecifications can be reducedon-the-fly while preservingdivergence-sensitivebranchingbisimulation. Three case studies demonstrate the significance of our approach, with reductions in analysistimeuptoanorderofmagnitude.

©2016ElsevierB.V.All rights reserved.

1. Introduction

Markov automata (MAs) [1–3] are an expressive model incorporating concepts such as random delays, probabilistic branching,aswellasnondeterminism.TheyarecompositionalandsubsumeSegala’sprobabilistic automata(PAs),Markov decisionprocesses(MDPs),continuous-timeMarkovchains(CTMCs),interactiveMarkovchains(IMCs)andcontinuous-time Markovdecisionprocesses(CTMDPs).Theirlargeexpressivenessturns theMAintoanadequate semanticmodelfor high-level modelling formalisms of various application domains. So far, MAs have been used to provide an interpretation to (possibly confused) generalised stochastic Petrinets (GSPNs) [4],a widely used modellingformalism in performance en-gineering. Theyhaveacted ascompositional semanticsof dynamic fault trees [5], akey model inreliability engineering, exploitedforcomponent-basedsystemarchitecturelanguages[6,7],andforscenario-awaredata-flowcomputation[8].

Theclassicalanalysisofsub-modelssuchasMDPsandCTMCsistypicallystate-based,andsoarethemorerecently de-velopedquantitativeanalysistechniquesforMAs[9].Asaresult,theanalysisofMAssuffersfromtheproblemofstatespace explosion—thecurseofdimensionality.Amajorsourceofthisproblemistheoccurrenceofconcurrent,independent transi-tions.Hence,thispaperintroducesanon-the-fly reductiontechniqueforMAsthat—akintopartial-orderreduction—isbased ondetectingcommutativetransitionsthattypicallyarisefromtheparallelcompositionoflargelyindependentcomponents. Thisis done bygeneralising thetechnique ofconfluencereduction [10–12] toMAs. The crux ofthisapproachis todetect so-calledconfluentsetsofinvisibletransitions(i.e.,internalstuttertransitions).Whilegeneratingthestatespace,these

con-✩ _{This research has been partially funded by NWO under grant 612.063.817 (SYRUP), by STW under grant 12238 (ArRangeer), and the EU under grant} 318490 (SENSATION).

*

Corresponding author.

E-mailaddresses:timmer@cs.utwente.nl(M. Timmer), katoen@cs.rwth-aachen.de(J.-P. Katoen), vdpol@cs.utwente.nl(J. van de Pol), marielle@cs.utwente.nl(M. Stoelinga).

http://dx.doi.org/10.1016/j.tcs.2016.01.017 0304-3975/©2016 Elsevier B.V. All rights reserved.

Lifting thenotion of confluence[10–12] to MAs is subjectto various subtleties. This paperdiscusses thesesubtleties thoroughly andcarefullyjustifiesthe definitionofconfluenceforMAs. Althoughthepresence ofrandomdelaysdoesnot necessarily impactthe notionofconfluence comparedto earliervariantsforprobabilistic systems,it doescomplicate the correctnessproofsandnecessitatesthepreservationofdivergenceswhenreducingbasedonconfluence.

The central concept in thispaper is the definitionof confluentsets of transitions.It is shown that confluent sets are closed under union, as opposedto earlierwork on confluence reduction [11,12], and that confluent transitions connect divergence-sensitivebranchingbisimilarstates.ToobtainareducedMAefficiently,wepresentamappingofstatestotheir representatives.Weshowthatconfluencecanbedetectedsymbolicallybytreatingindetailhowconfluencedetectioncanbe performedonspecificationsinthedata-rich process-algebraiclanguage MAPA[14].Thisresultsina techniquetogenerate reducedMAson-the-flyinasymbolicfashion,i.e.,whilegeneratingthestatespacefromaMAPAspecification.Wediscuss heuristics so as to carry out confluence reduction efficiently. Case studies applying these techniques demonstrate state spacereductionswithfactors uptofive,decreasinganalysistimesometimeswithmorethan90%.The obtainedsymbolic, on-the-fly state space reductions reduce up to 90% of the states that could potentially have been reduced using direct branching-bisimulationminimisation.

Relatedwork Althoughthispaper isinspired by earlierapproachesonconfluence reduction forprocess algebras [11,12], there areimportantdifferences. First,ournotion considersstate labelsinaddition toobservable actions,thuslifting con-fluence reductiontoalargerclass ofsystems.Secondly,weconsiderdivergence-sensitivity, i.e.,infiniteinternalbehaviour, hence preservingminimal reachabilityprobabilities(inspiredby [15]). Third,we correctasubtleflaw in[11,12] by intro-ducingaclassificationoftheinteractivetransitions.Inthisway,confluentsetsareclosedunderunion.1 _{Thispropertyiskey}

to thewaywe detectconfluenceonMAPAspecifications.Finally,weallowrandom delaysandhenceprovecorrectnessof confluencereductionforalargerclassofsystems.

Confluence reduction is akintopartial-order reduction (POR)[16–20].These techniquesare basedon ideas similar to confluence, choosing a subset of the outgoing transitions per state (often called ample, stubborn or persistent sets) to reduce thestatespacewhilepreservingacertain notionofbisimulation ortrace equivalence.Theamplesetapproachhas beensuccessfullyextendedtoMDPs[21–23].ForSegala’sPAs,ithasbeendemonstratedthatconfluencereductionismore powerfulintheoryaswellaspracticewhenrestrictingtothepreservationofbranching-timeproperties[15,24].Tothebest ofourknowledge,PORhasnotbeenadaptedtoMAs,ortocontinuous-timeMarkovmodelsingeneral.

The theoryofMAshasbeenequippedwithnotionsofstrongandweakbisimulations[1–3].Thesenotionsare congru-enceswithrespecttoparallelcomposition.Whereasstrongbisimulationcanbe checkedinpolynomialtime, itisanopen questionwhetherthisalsoholdsforweakbisimulation.Asweshowinthispaper,checkingconfluencesymbolicallycanbe done inpolynomial timeinthesizeoftheprocessalgebraic description.Inaddition,confluencereductionisanon-the-fly reductiontechnique,whereasbisimulationtypicallyisbasedonapartition-refinementschemethatrequiresthestatespace priortotheminimisation.

Organisationofthepaper WeintroduceMarkovautomatainSection2,followedbyaninformalintroductiontotheconcept of confluencereduction inSection 3. Section4 introduces ournotionofconfluenceforMAs, proves closureunderunion, andshowsthat confluent transitionsconnect divergence-sensitivebranching bisimilarstates.Section 5presentsourstate spacereductiontechniquebasedonconfluenceandrepresentationmaps.Section6providesacharacterisationfordetecting confluence on MAPA specifications.This is applied to severalcase studies in Section 7. Finally, Section 8 motivates our designchoicesbydiscussingthedisadvantagesofpossible(naive)variations,andSection9concludes.

Thispaperextends[25]bymoreextensiveexplanations,statelabelsforMAs,proofs(intheappendix)andadiscussion ofalternativeconfluencenotionsthatmayseemreasonable,butturnouttobeinadequate.

2. Preliminaries

Definition1 (Basics).Aprobabilitydistribution overa countableset S is afunction

μ

:

S

→ [

0

,

1

]

suchthat



_s∈S

μ

(

s

)

=

1. For S

⊆

S,let

μ

(

S

)

=



_s∈S

μ

(

s

)

.Wedefinesupp

(

μ

)

= {

s

∈

S

|

μ

(

s

)

>

0

}

tobethesupport of

μ

,andwrite

1

s fortheDirac distribution fors,determinedby

1

s

(

s

)

=

1.Sometimes,weusethenotation

μ

= {

s1

→

p1

,

s2

→

p2

,

. . . ,

sn

→

pn

}

todenote

that

μ

(

s1

)

=

p1,

μ

(

s2

)

=

p2,. . . ,

μ

(

sn

)

=

pn.

We use

P(

S

)

to denotethepowerset of S,andwriteDistr

(

S

)

forthesetofalldiscreteprobabilitydistributions over S.

We use SDistr

(

S

)

forthe setof all substochastic discrete probability distributions over S,i.e., all functions

μ

:

S

→ [

0

,

1

]

1 _{Our approach resembles[11,12]to a substantial degree, albeit that[11,12]consider a less expressive model and does not preserve divergences. Whereas} the theoretical set-up in[11,12]does not guarantee closure under union—although that is assumed—the corresponding implementations did work correctly. We show in this paper that an additional technical restriction (the confluence classification) is needed to remedy the theoretical flaw. This restriction happens to be satisfied in the old implementations (in the same way as in ours). As the confluence reductions in[11,12]are restricted variants of our notion, they could be fixed by introducing a confluence classification precisely in the same way as we do here.

such that



_s∈S

μ

(

s

)

≤

1. Givena function f

:

S

→

T , we denoteby

μ

f the lifting of

μ

over f , i.e.,

μ

f

(

t

)

=

μ

(

f−1

(

t

))

,

with f−1

(

t

)

theinverseimageoft under f .

Givenan equivalencerelation R

⊆

S

×

S,we write

[

s

]

R fortheequivalenceclass of s inducedby R,i.e.,

[

s

]

R

= {

s

∈

S

|

(

s

,

s

)

∈

R

}

.Giventwoprobabilitydistributions

μ

,

μ



∈

Distr

(

S

)

andanequivalencerelation R, wewrite

μ

≡

R

μ

 todenote

that

μ

(

[

s

]

R

)

=

μ



(

[

s

]

R

)

foreverys

∈

S.

Markovautomata[1–3]consistofacountablesetofstates,aninitialstate,analphabetofactions,setsofaction-labelled (interactive)andrate-labelled(Markovian)transitions,asetofatomicpropositionsandastate-labellingfunction.Weassume acountableuniverseofactionsAct andaninternalaction

τ

∈

Act.

Definition2(Markovautomata).AMarkovautomaton isatuple

M

=

S

,

s0

,

A

, 

−

→, ,

AP

,

L



,where

•

S isacountablesetofstates,ofwhichs0

_∈

_{S istheinitialstate;}

•

A

⊆

Act isacountablesetofactions;

• −

→ ⊆

S

×

A

×

Distr

(

S

)

isacountableinteractiveprobabilistictransitionrelation;

•  ⊆

S

× R

>0

_×

_{S isacountableMarkoviantransitionrelation;}

•

AP isacountablesetofstatelabels (alsocalledatomicpropositions);and

•

L

:

S

→

P(

AP

)

isastate-labellingfunction.

If

(

s

,

a

,

μ

)

∈ −

→

,wewrite s



−

→

a

μ

andsaythatactiona canbetakenfromstates,afterwhichtheprobabilitytogotoeach

s

∈

S is

μ

(

s

)

.If

(

s

,

λ,

s

)

∈ 

,wewrites

_

λ sandsaythat s movesto s withrate

λ

.

The (exponential)rate between two states s

,

s

∈

S is rate

(

s

,

s

)

=



_(s,λ,s_)∈

_{ λ}

, and the exit rate of s is rate

(

s

)

=



s∈Srate

(

s

,

s

)

.Werequirerate

(

s

)

<

∞

foreverys

∈

S.Ifrate

(

s

)

>

0,thebranchingprobabilitydistribution ofs isdenotedby

P

s anddefinedas

P

s

(

s

)

=

rate(s,s ₎

rate(s) foreverys

∈

S.Bydefinitionoftheexponentialdistribution,theprobabilityofleavinga

states withint timeunitsisgivenby1

−

e−rate(s)·t (givenrate

(

s

)

>

0),afterwhichthenextstateischosenaccordingto

P

s.

MAsadheretothemaximalprogressassumption,postulating that

τ

-transitionscanneverbedelayed(sincetheyarenot subject to any interaction [26]). Hence, a state that has at least one outgoing

τ

-transition can never take a Markovian transition.Thisfactiscapturedbelowinthedefinitionofextendedtransitions,whichisusedtoprovideauniformmanner fordealingwithbothinteractiveandMarkoviantransitions.Eachstatehasanextendedtransitionperinteractivetransition, whileithasonlyoneextendedtransitionforallitsMarkoviantransitionstogether(ifthereareany).

We assume an arbitrary MA

M =

S

,

s0

,

A

, 

−

→, ,

AP

,

L



in every definition, proposition and theorem.

Definition3(Extendedactionset).Theextendedactionsetof

M

isAχ

=

A

∪ {

χ

(

r

)

|

r

∈ R

>0

}

.Givenastates

∈

S andanaction

α

∈

Aχ ,wewrites

−

→

α

μ

if

•

α

∈

A ands



−→

α

μ

;or

•

α

=

χ

(

rate

(

s

))

,rate

(

s

)

>

0,

μ

= P

sandthereisno

μ

suchthats



−→

τ

μ

.

Atransitions

−

→

α

μ

iscalledanextendedtransition.We writes

−

→

α t fors

−

→ 1

α t,ands

→

t ifs

−

→

α t forsome

α

∈

Aχ .We

write s

−

α

−−→

,μ s ifthereisan extendedtransitions

−

→

α

μ

suchthat

μ

(

s

)

>

0. Atransitions

→

−

a

μ

isinvisible if botha

=

τ

andL

(

s

)

=

L

(

t

)

foreveryt

∈

supp

(

μ

)

.

Example4.ConsidertheMAshownontheright.

Here,rate

(

s2

,

s1

)

=

3

+

4

=

7,rate

(

s2

)

=

7

+

2

=

9,and

P

s2

=

μ

such

that

μ

(

s1

)

=

79 and

μ

(

s3

)

=

29.Therearetwoextendedtransitionsfrom s2: s2

→ 1

−

a s3 (alsowrittenass2

→

−

a s3)ands2

−

χ

−−→ P

(9) s2.

2

We define severalnotions forpaths andconnectivity. Theseare basedon extended transitions,andthus maycontain interactiveaswellasMarkovian steps.

Definition5(Pathsandtraces).

•

Apath in

M

isafinite sequence

π

fin

₌

_s

0

−

α1

−−−→

,μ1 s1

−

−−−→

α2,μ2 s2

−

α3

−−−→ · · · −

,μ3 α

−−−→

n,μn sn,possiblywithn

=

0,oran infinite

sequence

π

inf

₌

_s

0

−

α1

−−−→

,μ1 s1

−

α2

−−−→

,μ2 s2

−

−−−→ . . .

α3,μ3 ,withsi

∈

S for all0

≤

i

≤

n andall i

≥

0,respectively,andsuchthat si

−

α

_−−→

i+1

_μ

Fig. 1. An MA (left), and a tree demonstrating branching transition s=⇒α Rμ(right).

Weusefinpaths_M forthesetofallfinitepaths in

M

(notnecessarilybeginningintheinitialstate),andfinpaths_M

(

s

)

forallsuchpaths with s0

=

s.

•

A path

π

isinvisible (denotedby invis

(

π

)

) if itnever altersthe state labelling andonlyconsists ofinternal actions:

L

(

si

)

=

L

(

s0

)

and

α

i

=

τ

forall i. Given a sufficientlylong path

π

,we use prefix

(

π

,

i

)

to denote the pathfragment s0

−

α1

−−−→ . . . −

,μ1 α

−−→

i,μi si,and step

(

π

,

i

)

forthe transitionsi−1

−

−→

αi

μ

i. If

π

is finite,we define

|

π

|

=

n and last

(

π

)

=

sn,

otherwise

|

π

|

= ∞

andnofinalstateexists.

Definition6(Connectivity).Lets

,

t

∈

S,andconsidertherelation

→ ⊆

S

×

S from

Definition 3

that relatesstatess

,

t

∈

S if

thereisatransitions

−

→ 1

α t for some

α

∈

Aχ .Welet

↠

(reachability) bethereflexiveandtransitiveclosureof

→

,and

↠ ↠

(convertibility) its reflexive, transitiveandsymmetricclosure. We write s

↠ ↠

t (joinability) if s

↠

u andt

↠

u forsome state u

∈

S.

Example7.TheMAin

Example 4

hasinfinitelymanypaths,forexample

π

=

s2

−

χ

−−−−→

(9),μ1 s1

−

a

−−→

,μ2 s0

−

χ(2),1_s1

−−−−−→

s1

−

a

−−→

,μ2 s4

−

τ,1_s5

−−−→

s5

with

μ1

(

s1

)

=

7₉ and

μ1

(

s3

)

=

2₉, and

μ2

(

s0

)

=

2₃ and

μ2

(

s4

)

=

1₃. Here, prefix

(

π

,

2

)

=

s2

−

χ

−−−−→

(9),μ1 s1

−

a

−−→

,μ2 s0, and step

(

π

,

2

)

=

s1

−

→

a

μ2

.Also,s2

↠

s5 (vias3),aswellass3

↠ ↠

s6 (ats5)ands0

↠ ↠

s5.However,s0

↠

s5 ands0

↠ ↠

s5 do

nothold(ass0 cannotgettos4 viaonlytransitionswithDiracdistributions).

2

Therelation

↠ ↠

issymmetric,butnotnecessarilytransitive.Intuitively,s

↠ ↠

t meansthat s isconnectedbyextended transitionstot—disregardingtheirorientation,butallwithaDiracdistribution.Clearly,s

↠

t impliess

↠ ↠

t,ands

↠ ↠

t

impliess

↠ ↠

t.Theseimplicationsdonotholdtheotherway.

Toproveconfluencereductioncorrect,we showthatitpreservesdivergence-sensitivebranching bisimulation.Basically, this means that thereis an equivalence relation R linkingstates inthe original systemto states inthe reducedsystem, such that their initial statesare relatedand all related statescan mimic each other’stransitions and divergences.More precisely, forall

(

s

,

t

)

∈

R andeveryextendedtransitions

−

→

α

μ

,thereshouldbeabranchingtransition t

=⇒

α R

μ

suchthat

μ

≡

R

μ

.The existenceofsuch abranching transitiondependsonthe existenceofa certainscheduler.Schedulersresolve

nondeterministicchoicesinMAsbyselectingwhichtransitionstotakegivenahistory;theymayalsoterminatewithsome probability.

Astatet candoabranchingtransitiont

=⇒

α R

μ

ifeither(1)

α

=

τ

and

μ



= 1

t,or(2)thereisaschedulerthat,starting

from state s, terminatesaccording to

μ

, always schedules precisely one

α

-transition (immediately before terminating), neverschedulesanyothervisibletransitionsanddoesnotleavetheequivalenceclass

[

t

]

R beforedoingan

α

-transition. Example8. Observe the MA in Fig. 1 (left). Due to nondeterminism (that can be resolved probabilistically), there are infinitely many branching transitions from s. We demonstrate the existence of the branching transition s

=⇒

α R

μ

, with

μ

= {

s1

→

₂₄8

,

s2

→

₂₄7

,

s3

→

₂₄1

,

s4

→

₂₄4

,

s5

→

₂₄4

}

,bytheschedulerdepictedin

Fig. 1

(right),assuming

(

s

,

ti

)

∈

R forall ti.

The schedulingtreeillustratestheprobabilistic choicesby whichthenondeterministicchoicesare resolved.Underthis scheduling,theprobabilitiesofendingupins1

,

. . . ,

s5 canbefoundbymultiplying theprobabilitiesonthepathstowards

them.Indeed,thesecorrespondtotheprobabilitiesprescribedby

μ

.

2

Inadditionto themimickingoftransitionsby branchingtransitions,werequire R-relatedstatestoeitherbothbe able to performaninfiniteinvisiblepathwithprobability 1 (diverge),ortobothnotbe abletodoso.Wewrite s

≈

div_b t iftwo statess

,

t aredivergence-sensitivebranchingbisimilar,and

M

1

≈

divb

M

2 iftwoMAsare(i.e.,iftheirinitialstatesaresoin

theirdisjointunion)[27].

Technicalities We now formalise the notions of schedulers, branching transitions and (divergence-sensitive) branching bisimulation. Thesetechnicalities are needed solelyfor the proofsof our theorems andpropositions, andhence maybe skippedbythereaderonlyinterestedintheresultsthemselves.

Thedecisionsofschedulersmayberandomised:insteadofchoosingasingletransition,aschedulermayresolvea non-deterministic choice probabilistically. Schedulers can alsobe partial, assigning some probability to notchoosing anynext

transitionatall (andhenceterminating).Theycan selectfrominteractivetransitions aswellasMarkoviantransitions,as bothmaybeenabledatthesametime.Thisisduetothefactthat weconsideropen MAs,inwhichthetiming ofvisible actionsisstilltobedetermined by their context.

Definition9(Schedulers).Let

→ ⊆

S

×

Aχ

×

Distr

(

S

)

bethesetofextendedtransitionsof

M

.Then,ascheduler for

M

isa function

S

:

finpaths_M

→

Distr

({⊥} ∪ →)

such that, for every

π

∈

finpaths_M, the transitions s

−

→

α

μ

that are scheduled by

S

after

π

are indeed possible, i.e.,

S(

π

)(

s

,

α

,

μ

)

>

0 impliess

=

last

(

π

)

.Thedecisionofnotchoosinganytransitionisrepresentedby

⊥

.

Note that ourschedulers are time-homogeneous (also calledtime-abstract): they cannot take into account theamount of time that has already passed during a path. When dealing with time-bounded reachability properties [28], time-inhomogeneous schedulers are important, as they may be needed for optimalresults. However, inthis work we can do without as we will not formally define such properties. Since time-homogeneous schedulers do take into account the rates of an MA, we can use them to define notions of bisimulation that do preserve time-bounded properties (similar to weak bisimulation in [1] beingdefined in terms of ‘time-homogeneous’ labelled trees). As discussed in [29], measur-ability is not an issue for time-homogeneous schedulers. We refer to [30] fora thorough analysis of different types of schedulers.SinceMarkovianextendedtransitionsonlyemanatefromstateswithoutanyoutgoing

τ

-transitions,schedulers cannotviolate the maximal progress assumption.

WenowdefinefiniteandmaximalpathsofanMAunderascheduler.Thefinitepathsunderaschedulerarethosefinite paths oftheMA forwhicheach stephasbeen assignedanonzero probability.Themaximal paths area subset ofthose; theyarethepathsafterwhichthescheduler may decide to terminate.

Definition10(Finiteandmaximalpaths).Thesetoffinitepaths of

M

underascheduler

S

is

finpathsS_M

= {

π

∈

finpaths_M

| ∀

0

≤

i

<

|

π

| .

S

(

prefix

(

π

,

i

))(

step

(

π

,

i

+

1

)) >

0

}

LetfinpathsS_M

(

s

)

⊆

finpathsS_M bethesetofallsuchpathsstartinginstates

∈

S.

Thesetofmaximalpathsof

M

under

S

isgivenbymaxpathsS_M

= {

π

∈

finpathsS_M

|

S(

π

)(

⊥)

>

0

}

.Similarly,maxpathsS_M

(

s

)

isthesetofmaximalpathsof

M

under

S

startingin s.

As schedulersresolveall nondeterministicchoices, wecan compute theprobability that,starting froma givenstate s,

thepathgeneratedby

S

hassomefiniteprefix

π

.Thisprobabilityisdenotedby P_M,S _s

(

π

)

.

Definition 11 (Pathprobabilities). Let

S

be a scheduler for

M

, and let s

∈

S be a state of

M

. Then, the function

PS_M,s

:

finpaths_M

(

s

)

→ [

0

,

1

]

isdefinedby

P_M,S _s

(

s

)

=

1 P_M,S _s

(

π

−

α

−−→

,μ t

)

=

PS_M,s

(

π

)

·

S

(

π

)(

last

(

π

),

α

,

μ

)

·

μ

(

t

)

Basedontheseprobabilitieswecancomputetheprobabilitydistribution F_MS

(

s

)

overthestateswhereanMA

M

under ascheduler

S

terminates,whenstartinginstates.Notethat F_MS

(

s

)

maybesubstochastic(i.e.,theprobabilitiesdonotadd upto 1),as

S

doesnotnecessarilyterminate.

Definition12(Finalstateprobabilities).Givenascheduler

S

for

M

,wedefine F_MS

:

S

→

SDistr

(

S

)

by

F_MS

(

s

)

=



s

→



π∈maxpathsS_M(s) last(π)=s PS_M,s

(

π

)

·

S

(

π

)(

⊥) |

s

∈

S



∀

s

∈

S

Extendedexamplesofthesedefinitionscanbefoundin[34].

Tointroducebranching bisimulation,we firstdefine thebranchingtransition.Dueto theuseofextended transitionsas a uniformmannerofdealing withbothinteractive andMarkoviantransitions,thisdefinitionpreciselycoincides withthe definitionofbranchingstepsforPAs[12].

Definition13 (Branchingtransitions). Let s

∈

S, and let R

⊆

S

×

S be an equivalence relation. Then, s

=⇒

α R

μ

if either

(1)

α

=

τ

and

μ

= 1

s,or(2) ascheduler

S

exists such that

Fig. 2. Two systems to illustrate divergence.

•

forevery maximalpath s

−

α1

−−−→

,μ1 s1

−

α2

−−−→ . . . −

,μ2

−−−→

αn,μn sn

∈

maxpathsS_M

(

s

)

it holdsthat

α

n

=

α

.Moreover,forevery 1

≤

i

<

n wehave

α

i

=

τ

,

(

s

,

si

)

∈

R andL

(

s

)

=

L

(

si

)

.

Example 8alreadyprovidedanexampleofabranchingtransition.

Basedonbranchingtransitions,wedefinebranchingbisimulation forMAsasanaturalextensionofthenotionofnaive weakbisimulationfrom[1].2NaiveweakbisimulationisanintuitivegeneralisationofweakbisimulationfromPAsandIMCs to MAs. Forfinitelybranchingsystems, naiveweak bisimulation isimplied by ournotionofbranching bisimulation, asit is basically obtainedby omitting therequirement that

(

s

,

si

)

∈

R for all 1

≤

i

<

n, and allowing convexcombinations of

transitions.

Definition 14 (Branchingbisimulation). An equivalence relation R

⊆

S

×

S is a branchingbisimulationfor

M

if for every

(

s

,

t

)

∈

R andall

α

∈

Aχ

,

μ

∈

Distr

(

S

)

,itholdsthat L

(

s

)

=

L

(

t

)

and

s

−

→

α

μ

implies



∃

μ



∈

Distr

(

S

) .

t

=⇒

α R

μ



∧

μ

≡

R

μ





Twostates s

,

t

∈

S arebranchingbisimilar (denotedby s

≈

bt)ifthereexists abranching bisimulation R for

M

suchthat

(

s

,

t

)

∈

R.TwoMAs

M,

M

arebranchingbisimilar(denotedby

M

≈

b

M

)iftheir initialstatesarebranchingbisimilarin

theirdisjointunion.

Notethat,sinceeachbranchingbisimulationrelationR hasthepropertythat

(

s

,

t

)

∈

R impliesL

(

s

)

=

L

(

t

)

,thecondition “L

(

s

)

=

L

(

si

)

forevery1

≤

i

<

n”in

Definition 13

isalreadyimpliedby

(

s

,

si

)

∈

R,andhencedoesnotexplicitlyneedtobe checkedfort

=⇒

α R

μ

.

Ifinfinitepathsof

τ

-actionscanbe scheduledwithnon-zeroprobability,thenminimal probabilities(e.g.,ofeventually seeingana-action)arenotpreservedbybranchingbisimulation.ConsiderforinstancethetwoMAsin

Fig. 2

.Notethat,for the oneontheleft, thea-transitionisnot necessarilyevertaken. Afterall,itispossibleto indefinitelyandinvisiblyloop throughstates0:divergence.FortheMAontheright,thea-transitioncannotbeavoided(assumingthatterminationcannot

occur instateswithoutgoingtransitions).Still,theseMAsarebranching bisimilar,andhencebranchingbisimulationdoes notleaveinvariantallproperties—inthiscase,theminimalprobabilityofeventuallytakingana-transition.

To solve thisproblem, divergence-sensitive notions of bisimulation havebeen introduced [27,31].They force diverging states to be mapped to diverging states. We adopt thisconcept forMarkovian branching bisimulation. Since Markovian transitions alreadyneed to be mimicked,and thesame holds fortransitions that changethe state labelling(since these cannot stay within thesameequivalence class),divergenceis definedasthe traversalofan infinitepath

π

thatcontains only

τ

-actionsandneverchangesthestatelabelling(i.e.,apath

π

suchthatinvis

(

π

)

).

Definition15(Divergence-sensitiverelations).Anequivalencerelation R

⊆

S

×

S overthestatesof

M

isdivergencesensitive

ifforall

(

s

,

s

)

∈

R itholdsthat



∃

S

.

∀

π

∈

finpathsS_M

(

s

) .

invis

(

π

)

∧

S

(

π

)(

⊥) =

0



iff



∃

S



.

∀

π

∈

finpathsS_M

(

s

) .

invis

(

π

)

∧

S



(

π

)(

⊥) =

0



where

S

and

S

 rangeover all possibleschedulersfor

M

.TwoMAs

M

1

,

M

2 are divergence-sensitivebranchingbisimilar,

denotedby

M

1

≈

div_b

M

2,iftheyarerelatedbyadivergence-sensitivebranchingbisimulation.

Example16.The twoMAs in

Fig. 2

arebranching bisimilarbythe equivalencerelationthat relatess0 tot0 ands1 tot1.

However, whereasfroms0 an infiniteinvisible pathcanbescheduled,thiscannot bedonefromt0;hence,thisrelationis

notdivergencesensitive.Indeed,sincefroms0 aschedulercanpreventthea-transitionfromtakingplace,whilefromt0 it

cannot,wedonotwanttoconsidertheseMAsequivalent.

2

2 _{Since our notion of branching bisimulation for MAs is just as naive as naive weak bisimulation for MAs, we could have called it naivebranching} bisimulation.

However, since naive weak bisimulation for MAs is actually strongly related to weak bisimulation for PAs and IMCs, we argue that it would

have made more sense to omit the ‘naive’ in the existing notion of naive weak bisimulation for MAs and prefix ‘smart’ to the existing notion of weak bisimulation for MAs.

Fig. 3. Observable versus unobservable invisible transitions.

Fig. 4. State space reduction based on confluence.

3. Informalintroductionofconfluence

Beforeintroducingthe technicaldefinitionsofconfluenceforMAs,we provideaninformaloverviewofconfluenceand itsusageinstatespacereduction[11,12].SincetheadditionaltechnicaldifficultiesduetoprobabilitiesandMarkovianrates maydistractfromtheunderlyingideas,weomittheminthisintroduction.

Confluencereductionisbasedontheideathatsometransitionsdonotinfluencetheobservablebehaviourofasystem— assumingthatonlyvisibleactionsa

=

τ

andchangesinthetruthvaluesofatomicpropositionsareobserved.Hence,these transitionscanbegivenpriorityoverothertransitions.Tothisend,theyatleasthavetobeinvisiblethemselves.Still,some invisible transitionsmay influencethe observablebehaviour ofan MA,eventhough they arenot observable themselves— thesecannotbeconfluent.

Fig. 3

illustratesthisphenomenon.

Example17.While thetransitions1

−

→

τ s2 in

Fig. 3

(a)cannot beobserveddirectly, itdoesdisable theb-transition.Hence,

thistransition influences the observable behaviour: if it was always taken froms1 while omitting the other two

transi-tionsemanatingfromthisstate,thennob-actionwouldeverbeobservedandtheatomicpropositionr wouldneverhold. Therefore,statess1 ands2 arenotbranchingbisimilar.

The transition s1

−

→

τ s2 in Fig. 3(b) is different:we can always take it from s1, ignoring s1

→

−

a s3, without losing any

observablebehaviour:s1

−

→

τ s2 isconfluent.Boththeoriginalsystemandthesystemreducedinthiswaymaytakeana or

ab-actionandmayendupinastatesatisfyingeitherq orr.Actually,statess1 ands2 arebranchingbisimilar,andsoare

theoriginalandthereduced system (Fig. 4(b)).

2

The exampleillustrates the mostimportantproperty ofconfluent transitions:they connect branching bisimilar states, andhenceinprincipletheycanbegivenpriorityovertheirneighbouringtransitionswithoutlosinganybehaviour.Toverify thatatransitionisconfluent,itshouldbeinvisibleand stillallowallbehaviourenabledfromitssourcestatetooccurfrom itstargetstateaswell.Inotherwords,allothertransitionsfromitssourcestateshouldbemimicked fromitstargetstate.

3.1. Checkingformimickingbehaviour

Tocheckwhetherallbehaviourfromatransition’ssourcestateisalsoenabledfromitstargetstate,confluenceemploys acoinductiveapproachsimilartothecommondefinitionsofbisimulation.Foraninvisibletransitions

−

→

τ stobeconfluent, the existence of a transition s

→

−

a t should imply the existence of a transition s

→

−

a t for some t. Additionally, for all behaviour froms tobe presentat s, alsoall behaviourfromt shouldbe presentatt.Toachieve this, we coinductively requirestohaveaconfluenttransitionto t,andthensaythatthea-transitionsandtheconfluent

τ

-transitionscommute.

Wenotethatacoinductiveapproachsuchastheonejustdescribedrequiresasetoftransitionstobedefinedupfront.Then, we can validate whetherornot thisset indeedsatisfies theconditions forit tobe confluent. In practice,we are mostly interestedinfindingthelargest setforwhichthisisthecase.

Fig. 5. Confluence reduction in the presence of cyclic confluent transitions.

Example18. InFig. 3(a), the set containing both

τ

-transitions isnot confluent. After all, for s1

−

→

τ s2 it is not the case

that every actionenabledfroms1 isalsoenabled froms2.In Fig. 3(b),thesetcontaining both

τ

-transitionsis confluent.

For s3

−

→

τ s4, the mimicking condition is satisfied trivially, since s3 has no other outgoing transitions. For s1

−

→

τ s2 the

conditionisalsosatisfied,sinces1

→

−

a s3ismimickedbys2

→

−

a s4.Asrequired,s3ands4areindeedconnectedbyaconfluent

transition.

2

3.2. Statespacereductionbasedonconfluence

Confluenttransitionscanoftenbegivenpriority,omittingallothertransitionsemanatingfromthesamestate.Thismay yieldmanyunreachablestates,andhencesignificantstatespacereductions.Althoughasystemobtainedduetoprioritisation ofconfluenttransitionsisindeedbranchingbisimilartotheoriginal system(undersomeassumptions discussedbelow),it oftenstillcontainssuperfluousstates.Theyhaveonlyoneoutgoinginvisibletransition, andhencedonotcontributetothe system’sobservablebehaviourinanyway.So,insteadofprioritisingconfluenttransitions,werathercompletelyskipthem. Example19.Consider again

Fig. 3

(b),repeatedin

Fig. 4

(a),wherebothinvisible transitionsareconfluent.

Fig. 4

(b) demon-stratesthereducedstatespacewhengivingthesetransitionspriorityovertheirneighbours.Althoughthisreductionisvalid, state s1 haslittlepurposeandcanbeskipped.Thatway,weobtainthesystemillustratedin

Fig. 4

(c).

2

Prioritisation of transitions aswell as skipping them onlyworks in theabsence of cyclesof confluent transitions. To see why,considerthe systeminFig. 5(a).All invisibletransitions areconfluent. However,when continuously ignoringall non-confluent transitions(yielding

Fig. 5

(b)),thea-transitionispostponedforeverandtheatomicpropositionq willnever hold. Clearly, such areduction doesnot preservereachability propertiesandhencethereducedsystemis notconsidered equivalent to theoriginal (indeed,they are not branchingbisimilar). Thisproblemisknown inthesettingof PORasthe

ignoringproblem [16,32],andoftendealtwithby requiringthereduction tobeacyclic.Thatis,nocycleofstatesthatare all omittingsomeoftheirtransitionsshouldbepresent.Indeed,thisrequirementisviolatedin

Fig. 5

(b).Asasolution,we couldalsorequirereductionstobeacyclic,forcingatleastonestateofacycletobefullyexplored.

(Note that Valmari [33] recentlyshowedthat thereis noneedfortreating the ignoringproblematall for,e.g., safety andfairness-insensitiveprogressproperties,whenthetransitionsystemisalways may-terminating,i.e., whenalongevery executionthereisapossibilitytoreachaterminatingstate.)

Example20.

Fig. 5

(c)showstheresultofreducing

Fig. 5

(a)basedonprioritisationwhileforcingatleastonestateonacycle tobefullyexplored(here,states2).

2

The ideaofskippingconfluent transitionscanbe extendedtoworkinthe presenceofcyclesofconfluenttransitions— thatisalsotheapproachwetake.Intheir absence,thisapproachsimplyboilsdowntoskippingconfluenttransitionsuntil

reaching a state withoutanyoutgoing confluent transitions(state s2 in

Fig. 4

(c)). Inthe presenceof cycles,we continue

untilreaching thebottomstrongly connectedcomponent(BSCC)ofthe subgraphwhenconsidering onlyconfluent transi-tions. When requiringconfluent transitionsto always bemimicked by confluent transitions,thereis aunique such BSCC reachablefromeverystate(in

Fig. 5

(a),s1 hasBSCC

{

s2

,

s3

}

whenonlyconsideringtheconfluenttransitions).InthisBSCC,

we randomly select one state to be the representative for all states that can reach it by skipping confluent transitions. Since confluent transitions never disable behaviour, such a representative state exhibits all behaviour of the states that it represents.Therepresentative state isexplored fully,andall transitions tostatesthat can reachthat representative by confluent transitions are redirected towards the representative.

Example21.

Fig. 5

(d)illustratestherepresentativesapproach,selectings2 asrepresentativeofs1,s2 ands3,ands6 as

rep-resentativeofs5 ands6.NotethatboththeacyclicreductionandtherepresentativeapproachyieldMAsthatarebranching

bisimilartotheoriginal,butthelatterallowsformorereduction.

2

Overview Summarising,confluencereductionentails:

1. Constructingasubsetoftheinvisibletransitionssatisfyingtheconfluencerestrictions. 2. Choosingarepresentativestateforeachstateintheoriginalsystem.

3. Reducingthestatespacebyskippingconfluenttransitionsuntilreachingarepresentativestate.

We will seethat, inpractice, theset ofconfluent transitions is oftenimplicit:we check whetherhigher-level constructs generatesolelyconfluenttransitions.Also,thesecondandthirdstepareoftenintegrated,choosingrepresentativeson-the-fly forallstatesthatarereachedduringstatespacegeneration.

4. ConfluenceforMarkovautomata 4.1. Commutativityofdistributions

For non-probabilistic strong confluence, a confluent transition s

−

→

τ t and neighbouring transition s

−

→

a s have to be accompanied by a transition t

→

−

a t and a confluent transition s

−

→

τ t: the transitions s

−

→

τ t and s

−

→

a s commute. No transitions fromt to s or longer paths oftransitions betweens andt are takeninto account. Wegeneralise thisidea to theprobabilistic setting,where distributions

μ

,

ν

have tobe connectedby confluent transitions.To thisend, we con-sider an equivalence relation RT_{μ,ν over} S based on a set of confluent transitions

T

in the MA under consideration, that partitionsthestate spaceintoequivalence classesrequiringthe sameprobability from

μ

asfrom

ν

(i.e.,

μ

≡

RT_μ,ν

ν

).

Reflecting the non-probabilistic case, we consider only direct transitions from the support of

μ

to the support of

ν

3_;

see[12,34]for more details.

Definition22.Givenasetoftransitions

T

andtwoprobabilitydistributions

μ

,

ν

∈

Distr

(

S

)

,letRT_{μ,ν be}thesmallest equiv-alencerelationover S suchthat

RT_μ,ν

⊇ {(

s

,

t

)

∈

supp

(

μ

)

×

supp

(

ν

)

| (

s

−

→

τ t

)

∈

T

}

Weoftenomitthesubscripts

μ

,

ν

andthesuperscript

T

whenclearfromthecontext.

Thedefinitionisinspiredby[24].Itisslightlymorepowerfulthantheonein[12]and,inourview,easiertounderstand. Notethat, for

μ

≡

RTμ,ν

ν

,we require

T

-transitionsfromthesupportof

μ

tothe supportof

ν

.Eventhough a(symmetric

andtransitive)equivalence relationisused,transitionsfromthe supportof

ν

to thesupportof

μ

donot influence RT_{μ,ν ,}

andneitherdoconfluentpathsfrom

μ

to

ν

oflengthmore than one.

Example23.Consider

Fig. 6

,assume that all

τ

-transitionsarein

T

andlet

μ

= {

s1

→

1₂

,

s2

→

1₂

}

and

ν

= {

t1

→

1₃

,

t2

→

1

6

,

t3

→

1

2

}

.Then, RTμ,ν givesrisetothreeequivalence classes:C1

= {

s

,

t

}

,C2

= {

s1

,

t3

}

andC3

= {

s2

,

t1

,

t2

}

.Now,

μ

and

ν

coincidefortheseclasses:

μ

(

C1

)

=

0

=

ν

(

C1

)

,

μ

(

C2

)

=

1₂

=

ν

(

C2

)

and

μ

(

C3

)

=

1₂

=

ν

(

C3

)

.Hence,

μ

≡

RTμ,ν

ν

.

Ifthetransitionbetweens2 andt1 hadbeendirectedfromt1 tos2,that wouldhaveresultedinthepartitioningC1

=

{

s

,

t

}

,C2

= {

s1

,

t3

}

,C3

= {

s2

,

t2

}

andC4

= {

t1

}

.Hence,inthatcase

μ

≡

RμT,ν

ν

,since

μ

(

C4

)

=

0

=

1

3

=

ν

(

C4

)

.

2

3 _{We could have also chosen to be a bit more liberal, allowing a path ofT-transitions from s tot.}

_{However, the current approach simplifies the definitions}

and some proofs later on; it also corresponds more directly to the way we detect confluence heuristically in practice.

Fig. 6. Commutativity in the presence of probabilistic choice.

Fig. 7. Confluence diagrams for s−_→τ

Tt. If the solid steps are present, so should the dashed ones be (such thatμ≡Rν).

4.2. Confluenceclassifications

Earlier approachesjusttook any subsetof theinvisible transitions andshowedthat itwas confluent—those confluent setswerenotclosedunderunion,though.Now,weimposesomemorestructure,classifyingtheinteractivetransitionsofan MA intogroups upfront—allowingoverlapandnotrequiringallinteractive transitionstobeinatleastonegroup.Wewill seethatthisisnaturalinthecontextoftheprocessalgebraMAPAandcanbeappliedimplicitly—astheimplementationsof earlierapproachesonconfluencereductionalready(unknowingly)didaswell.

At thispoint, the set of interactive transitions as well as the classification are still allowed to be countably infinite. However,fortherepresentationmapapproachlateron,finitenessisrequired.

Definition 24 (Confluence classification). A confluence classification P for

M

is a set of sets of interactive transitions

{

C1

,

C2

,

. . . ,

Cn

}

⊆

P(−

→)

.

Givenaset

T ⊆

P ofgroups, weslightlyabusenotation bywriting

(

s

−

→

a

μ

)

∈

T

todenotethat

(

s

−

→

a

μ

)

∈

C forsome

C

∈

T

.Additionally,we uses

→

−

a Ci

μ

to denotethat

(

s

−

a

→

μ

)

∈

Ci ands

−

→

a _T

μ

to denotethat

(

s

−

→

a

μ

)

∈

T

.Similarly, we subscript reachability, joinability andconvertibilityarrows (e.g.,s

↠ ↠

_T t) toindicate that they onlytraverse transitions fromacertaingrouporsetofgroupsoftransitions.

4.3. Confluentsets

We define confluence on a confluence classification: we designate setsofgroups

T ⊆

P to be confluent (now called

Markovianconfluent).Justlikeinprobabilistic branching-timePOR[23],only invisibletransitionswitha Diracdistribution are allowed to be confluent.Fora set

T

to be Markovianconfluent, itis thereforenot allowedto contain anyvisibleor probabilistic transitions.Still,prioritisinginvisibletransitionsmayverywellreduce probabilistictransitionstoo,aswewill see in Section 5.The reasonfor excluding probabilistic

τ

-transitionsfrom theconfluent set is that confluencereduction basedonthemwouldnotpreservebranchingbisimulationanymore (see[12]foranexample).Hence,atthismomentitis unclearwhichpropertieswouldstillbepreserved.

Confluence requireseachtransitions

−

→

a

μ

(allowinga

=

τ

) enabledtogether withatransitions

−

→

τ _T t tohavea mim-ickingtransitiont

−

→

a

ν

suchthat

μ

and

ν

are

R

T_{μ,ν -equivalent.}Additionally,werequireforeachgroupintheclassification that transitionsfromthatgroup aremimicked bytransitionsfromthesamegroup. Thisturnsout tobeessential for clo-sureofconfluenceunderunion.Norestrictionsareimposed ontransitionsthatarenotinanygroup,sincetheycannotbe confluentanyway.

Allisformalisedinthedefinitionbelow,andillustratedin

Fig. 7

.

Definition25(Markovianconfluence). LetP

⊆

P(−

→)

beaconfluenceclassificationfor

M

.Then,aset

T ⊆

P isMarkovian confluentforP if (1) itonlycontains sets ofinvisible transitions withDiracdistributions, and (2) forall s

−

→

τ _T t and all transitions

(

s

−

→

a

μ

)

= (

s

−

→

τ t

)

:

Fig. 8. An MAM.

(

i

)

(

s

−

→

a

μ

)

∈

P implies

∀

C

∈

P

.

s

−

→

a C

μ

=⇒∃

ν

∈

Distr

(

S

) .

t

→

−

a C

ν

∧

μ

≡

RTμ,ν

ν

(

ii

) (

s

−

→

a

μ

) /

∈

P implies

∃

ν

∈

Distr

(

S

) .

t

→

−

a

ν

∧

μ

≡

RTμ,ν

ν

Atransitions

−

→

τ t isMarkovianconfluent ifthereexistsaMarkovianconfluentset

T

suchthats

−

→

τ _Tt.Often,weomitthe adjective‘Markovian’.

Remark26. Markoviantransitions are irrelevant forthe definitionof confluence.Afterall, states witha

τ

-transition can neverexecuteaMarkoviantransitionduetothemaximalprogressassumption.Hence,ifs

−

→

τ t ands

−

→

a

μ

,thenby defini-tionofextendedtransitionss

−

→

a

μ

correspondstoaninteractivetransitions



−

→

a

μ

.

Notethat,duetotheconfluenceclassification,confluenttransitionsarealwaysmimickedbyconfluenttransitions.After all,transitionsfromagroupC

∈

P aremimickedbytransitionsfromC .So,ifC isdesignatedconfluentby

T

,thenallthese confluenttransitionsareindeedmimickedbyconfluenttransitions.

Althoughtheconfluenceclassificationmayappearrestrictive,wewillseethatitisobtainednaturallyinpractice. Transi-tionsareofteninstantiationsofhigher-levelsyntacticconstructs,andarethereforeeasilygroupedtogether.Then,itmakes sense todetect theconfluence ofsuch ahigher-levelconstruct. Also, to showthat a certain setofinvisible transitionsis confluent,we canjusttake P to consistofone groupcontaining preciselyallthose transitions.Then, therequirementfor

P -transitionstobemimickedbythesamegroupcoincideswiththeoldrequirementthatconfluenttransitionsaremimicked byconfluenttransitions.

Example27.

Fig. 8

provides an MA

M

withnondeterminism,probability,Markovianratesandstate labels.Itis our run-ningexampletoillustrate thevariousconcepts relatedtoconfluence.Weindicate aconfluenceclassification P for

M

by superscriptsonthe

τ

-labelsofsomeofthetransitions:

C1

= {(

s0,

τ

,

1

s1

), (

s2,

τ

,

1

s3

), (

s3,

τ

,

1

s4

), (

s5,

τ

,

1

s6

), (

s8,

τ

,

1

s9

), (

s9,

τ

,1

s10

),

(

s10,

τ

,1

s11

), (

s11,

τ

,1

s8

), (

s13,

τ

,1

s14

), (

s16,

τ

,1

s15

), (

s15,

τ

,1

s10

)}

C2

= {(

s3,

τ

,

1

s5

), (

s4,

τ

,

1

s6

)}

C3

= {(

s6

,

τ

,

1

s17

)

}

All transitions in P are labelledby

τ

,have a Diracdistribution and donot change the state labelling. Hence, they may potentiallybeconfluent,iftheyadditionallycommute withallneighbouringtransitions.Notethatnoothertransitionscan be confluent, as they all are visible (i.e., they are either labelled by a visible action or change the state labelling). For

T = {

C1

}

,weshowthateachtransitionin

T

isconfluent.

First,considers0

−

→

τ _T s1.Thereisoneother transitionfroms0,namelys0

→

−

a

μ

with

μ

(

s2

)

=

₁₀9 and

μ

(

s0

)

=

₁₀1.Since s0

−

→

a

μ

∈

/

P ,weneedtoshowthat

∃

ν

∈

Distr

(

S

)

.

s1

→

−

a

ν

∧

μ

≡

R

ν

.Wetake s1

−

→

a

ν

with

ν

(

s3

)

=

₁₀9 and

ν

(

s1

)

=

₁₀1.This

yields R

=

Id

∪ {(

s0

,

s1

),

(

s1

,

s0

),

(

s2

,

s3

),

(

s3

,

s2

)

}

,withId theidentityrelation.Indeed,

μ

and

ν

assignthesameprobability

toeachequivalenceclassofR,so

μ

≡

R

ν

.

Second,considers2

−

→

τ _T s3.Sincetherearenoothertransitionsfroms2,thereisnothingtocheck.

Finally, consider s3

−

→

τ _T s4.It has two neighbouring transitions: s3

→ 1

−

b s7 and s3

−

→ 1

τ s5. The first one can be

mim-icked by s4

−

→ 1

b s7. Clearly

1

s7

≡

R

1

s7, due to reflexivity. The second can be mimicked by s4

−

τ

4.4. Propertiesofconfluentsets

Sinceconfluenttransitionsarealwaysmimickedbyconfluenttransitions,confluentpaths(i.e.,pathsfollowingonly tran-sitionsfromaconfluentset)arealwaysjoinable.Thisiscapturedbythefollowingresult.

Proposition28.LetP beaconfluenceclassificationfor

M

,andlet

T

beaconfluentsetforP .Then,

s

↠ ↠

_T t if and only if s

↠ ↠

_T t

Contrary topreviouswork,wenowcanshow thatconfluentsetsare indeedclosedunderunion.Thistellsusthatitis safetoshowconfluenceofmultiplesetsoftransitionsinisolation,andthenjusttaketheirunionasoneconfluentset.Also, itimpliesthatthereexistsauniquemaximalconfluentset.

Theorem29.LetP beaconfluenceclassificationfor

M

,andlet

T

1

,

T

2betwoMarkovianconfluentsetsforP .Then,

T

1

∪

T

2isalsoa MarkovianconfluentsetforP .

Example30. Example 27 demonstrated that

T = {

C1

}

isconfluent for ourrunning example.In the sameway, itcan be

shownthat

T



= {

C2

}

isconfluent.Hence,

T



= {

C1

,

C2

}

isalsoconfluent.

2

Remark31. Inearlierworks[11,12], confluentsets were notyet closedunderunion,even thoughthiswas assumedand was actually neededforconfluencereduction towork.Inpractical applicationstheassumptionturned outto bevalid—in particular,theimplementationsofconfluencereductionforLTSsandPAswerenoterroneous.Still,technically,closureunder union ofconfluent setscouldnotjustbeassumed. Whentakingtheunionoftwovalidsetsofconfluenttransitions,their requirement that confluent transitionshaveto be mimickedby confluent transitions was possiblyinvalidated (as willbe discussedinmoredetailinSection8.3).

The final resultof thissection statesthat confluenttransitionsconnect divergence-sensitivebranching bisimilarstates. This is a key result: it implies that confluent transitions can be given priority over other transitions without losing behaviour—whenbeingcarefulnottoignoreanybehaviourindefinitely.

Theorem32.Lets

,

s

∈

S betwostatesand

T

aconfluentsetforsomeconfluenceclassificationP .Then,

s

↠ ↠

_T simplies s

≈

div_b s

5. Statespacereductionusingconfluence

AsexplainedinSection3.2,weaimatomittingallintermediatestatesonconfluentpaths;afterall,theyareallbisimilar. Confluence evendictatesthatallvisibletransitionsanddivergencesenabledfromastate s candirectlybemimickedfrom another state t if s

↠

_T t. Hence, during state space generation we can justkeep following a confluent path and only retain the laststate. Toavoidgettingstuck inan infiniteconfluentloop, wedetect entering abottom stronglyconnected component (BSCC)ofconfluent transitionsandchoosea uniquerepresentative fromthisBSCCforall statesthatcan reach it. Thistechnique wasproposed first in[35],andlater usedin[11] and[12].Asimilarconstruction was usedin[36] for representingsetsofstatesfortheso-calledessentialstate abstractionfor probabilistic transition systems.

Since confluent joinability is transitive(as implied by Proposition 28), itfollows immediatelythat all confluent paths startinginacertainstate s alwaysendupinauniqueBSCC(aslongasthesystemisfinite).

5.1. Representationmaps

Formally, we usea representationmap, assigning a representative state

φ (

s

)

to every s

∈

S. We make surethat

φ (

s

)

exhibitsallbehaviourofs,byrequiring

φ (

s

)

tobeinaBSCCreachablefroms via

T

-transitions.

Definition33(Representationmap).Let

T

beaconfluentsetfor

M

.Then,afunction

φ

_T

:

S

→

S isarepresentationmap for

M

under

T

ifforalls

,

s

∈

S

•

s

↠

_T

φ

_T

(

s

)

;and