A Compositional Approach to Bisimulation of Arenas of Finite State Machines

Transcription

1 A Compositional Approach to Bisimulation of Arenas of Finite State Machines Giordano Pola, Maria D. Di Benedetto and Elena De Santis Department of Electrical and Information Engineering, Center of Excellence DEWS, University of L Aquila, L Aquila, Italy, giordano.pola,elena.desantis,mariadomenica.dibenedetto@univaq.it Abstract: Finite state machines are widely used as a sound mathematical formalism which appropriately describes large scale distributed and complex systems, arising in many technological domains of interest. One of the key issues in the modeling and analysis of such systems is to derive formal methods that cope with their inherent complexity. In this paper we introduce a novel class of non flat systems that we term arenas of finite state machines. Arenas of finite state machines are collections of finite state machines that interact concurrently through a communication network. By expanding the arena, a flat system is obtained which is an ordinary finite state machine. For this class of non flat systems we propose a notion of compositional bisimulation, which allows one to check bisimulation equivalence of arenas by directly exploiting their communication networks, without the need of expanding them to the corresponding finite state machines. Computational complexity analysis of the proposed approach is discussed and an illustrative example is included in the paper. Keywords: finite state machines, multi series composition, non flat systems, bisimulation, compositional bisimulation. 1. INTRODUCTION Finite state machines (FSMs) are widely used in the modeling of complex systems, ranging from computer and communication networks, automated manufacturing systems, air traffic management systems, distributed software systems, among many others, see e.g. Cassandras and Lafortune [1999], Clarke et al. [1999]. Recently, finite state machines have been also employed as a sound mathematical paradigm to describe purely continuous and hybrid systems in the context of the so called correct by design embedded control software, see e.g. Alur et al. [2000], Tabuada [2009], Girard et al. [2010], Belta and Habets [2006] and the references therein. The increasing complexity of large scale systems, arising in many technological areas of interest, demanded during the years for formal methods that can render their analysis tractable from a computational point of view. Several approaches have been proposed in the literature which include abstraction, modular verification methods, symmetry and partial order reduction, see e.g. Clarke et al. [1999]. The common goal of these approaches is to find a finite state machine which is equivalent to the original one, and with smaller size of the set of states. In this paper we follow the approach from Alur and co workers (see e.g. Alur and Yannakakis [2001], Alur et al. [1999]), which regards a complex system as a non flat system. A non flat system is a finite state machine, where each state can be either a basic state or a superstate (Harel [1987]), that hides inside a finite state machine or even a (sequential and/or parallel) composition This work has been partially supported by European Commission under STREP projects IFLY and HYCON 2, and by the Center of Excellence for Research DEWS, University of L Aquila, Italy. of finite state machines. By expanding the superstates of a non flat system to their corresponding finite state machines, a flat system is obtained, which is an ordinary finite state machine. One of the early non flat systems appeared in the literature is the one of hierarchical state machines (Alur and Yannakakis [2001]). While hierarchical finite state machines well capture modeling features of many design languages as for example Statecharts (Harel [1987]), they only consider sequential interaction among the finite state machines involved. Hierarchical state machines have been further generalized in Alur et al. [1999] to communicating hierarchical state machines where finite state machines can interact not only sequentially but also concurrently, through the notion of parallel composition. A naive approach to analyze and control such systems is to flat them or equivalently, to expand them to ordinary finite state machines, thus incurring in an exponential grow of the state space. This method is in general computationally demanding both from space and time complexity point of view. One challenge in this research direction is to derive formal methods for the analysis of such non flat systems, by directly exploiting their inherent hierarchical structure at the higher level. For example, the work in Alur and Yannakakis [2001] showed that reachability problems for hierarchical finite state machines can be studied with polynomial time complexity by directly analyzing the non flat system. Reachability problems have been studied also in Alur et al. [1999] for communicating hierarchical state machines and proved to fall in the class of exponential time and space complexity problems. Moreover, checking language and bisimulation equivalence are proved in Alur et al. [1999] to be an exponential space hard problem. This last complexity result is in line with the ones further Copyright by the International Federation of Automatic Control (IFAC) 7006

2 established in Laroussinie and Schnoebelen [2000], Sawa and Janar [2009] on space and time complexity arising in checking a range of equivalence notions in the linear time branching time spectrum (van Glabbeek [1990]) for networks of finite state machines, modeled by parallel composition of finite state machines. In particular, these work showed that checking any equivalence relation lying between bisimilarity and trace preorder is an exponential time hard problem, as conjectured in Rabinovich [1997]. As argued in Laroussinie and Schnoebelen [2000], these results strongly suggest that there is no way to escape the state explosion problem, when checking behavioral relations and in particular bisimulation equivalence, for this class of non flat systems. In this paper we introduce a novel class of non flat systems which is termed arena of finite state machines. Arenas of finite state machines are collections of finite state machines that interact concurrently, through a communication network. For this class of non flat systems we propose a notion of compositional bisimulation which is based on the communication network governing interaction mechanism among the FSMs. Existence of compositional bisimulations allows one to check bisimulation equivalence of arenas, without the need of expanding them to ordinary finite state machines. A computational complexity analysis is performed, which shows that checking compositional bisimulation scales as N 2 log(n) with the number N of FSMs in the arena. This approach contrasts with any approach based on checking bisimulation equivalence on the FSM obtained by expanding the arena, which scales exponentially with N. 2. NOTATION Given a set A, the symbol 2 A denotes the set of subsets of A and the symbol A denotes the cardinality of A. A set A is singleton if A = 1. Given a bijective function f : A B, function f 1 : B A denotes the unique inverse function of f so that b = f(f 1 (b)), for any b B. A relation R A B is said to be total if for any a A there exists b B so that (a, b) R and conversely, for any b B there exists a A so that (a, b) R. The relation R is the identity relation if it is total and, (a, b) R if and only if a = b. 3. FINITE STATE MACHINES AND EQUIVALENCE NOTIONS In this paper we consider finite state machines in the formulation of Moore [1956] where states are labeled with outputs and transitions are labeled with inputs. Definition 3.1. (Bustan and Grumberg [2001]) A Finite State Machine (FSM) is a tuple where: M = (X, X 0, U, Y, H, ), (1) X is a finite set of states; X 0 X is a set of initial states; U is a finite set of input symbols; Y is a finite set of output symbols; H : X 2 Y is an output map; X 2 U X is a transition relation. The above definition differs from the classical ones given for Moore FSMs, which usually model the transition relation as a subset of X U X and the output map H as a function from X to Y. In the sequel we show the benefits of this formulation when modeling multiple interactions of finite state machines. In this paper we denote a transition (x, u, x ) of M by x u x. By definition of, a transition of the form x x is allowed. Such a transition is regarded as private or internal to the FSM. Analogously for a state x X, H(x) = is allowed, meaning that state x is not visible from the external environment. Several notions of equivalence have been introduced for the class of finite state machines, see e.g. van Glabbeek [1990]. In this paper we focus on the notion of bisimulation equivalence (Milner [1989], Park [1981]). Bisimulation equivalence is widely used, as a tool to mitigate complexity of verification and control design of large scale complex systems, see e.g. Clarke et al. [1999]. Intuitively a bisimulation relation between a pair of FSMs M 1 and M 2 is a relation between the corresponding sets of states explaining how a state run of M 1 can be transformed into a state run of M 2 and vice versa. We first recall the notion of isomorphism. Definition 3.2. Finite state machines M i = (X i, X 0 i, U i, Y i, H i, i ) (i = 1, 2) are isomorphic, denoted M 1 = iso M 2, if there exists a bijective function T : X 1 X 2 so that: X2 0 = T (X1 0 ); for any x 1 X 1, H 1 (x 1 ) = H 2 (T (x 1 )); u x 1 x 1 1 if and only if T (x u 1) T (x 2 1 ). The notion of isomorphism is an equivalence relation on the class of finite state machines. The notions of simulation and bisimulation relations are reported hereafter. Definition 3.3. Given a pair of finite state machines M i = (X i, X 0 i, U i, Y i, H i, i ) (i = 1, 2), a relation R X 1 X 2, is a simulation relation from M 1 to M 2 if the following conditions are satisfied: (i) for any x 0 1 X 0 1 there exists x 0 2 X 0 2 so that (x 0 1, x 0 2) R; (ii) for any (x 1, x 2 ) R, H 1 (x 1 ) = H 2 (x 2 ); (iii) for any (x 1, x 2 ) R, existence of x 1 u 1 1 x 1 implies u 2 existence of x 2 x 2 2 so that u 1 = u 2 and (x 1, x 2 ) R. The FSM M 1 is simulated by the FSM M 2, or equivalently M 2 simulates M 1, denoted M 1 M 2, if there exists a simulation relation from M 1 to M 2. Definition 3.4. Given a pair of finite state machines M i = (X i, X 0 i, U i, Y i, H i, i ) (i = 1, 2), a relation R X 1 X 2, is a bisimulation relation between M 1 and M 2 if: (i) R is a simulation relation from M 1 to M 2 ; (ii) R 1 is a simulation relation from M 2 to M

3 Finite state machines M 1 and M 2 are bisimilar, denoted M 1 = M2, if there exists a bisimulation relation between M 1 and M 2. From the above definition it is readily seen that isomorphism implies bisimulation equivalence, while the converse implication is not true in general. Bisimulation equivalence is an equivalence relation on the class of finite state machines. Given a pair of FSMs M 1 and M 2, the maximal bisimulation relation between M 1 and M 2 is a bisimulation relation R (M 1, M 2 ) so that R R (M 1, M 2 ) for any bisimulation relation R between M 1 and M 2. The maximal bisimulation relation exists and is unique. The quotient (Clarke et al. [1999]) of an FSM M induced by R (M, M) is the minimal (in terms of cardinality of the set of states) bisimilar FSM of M. The minimal bisimilar FSM of a FSM M, denoted M min (M), exists and is unique up to isomorphism. Lemma 3.5. If M min (M 1 ) = M min (M 2 ) then M 1 = iso M 2. Efficient algorithms for computing bisimulation equivalence of FSMs have been extensively studied in the literature, see e.g. Paige and Tarjan [1987], Dovier et al. [2004], Hopcroft [1971], Clarke et al. [1999] and the references therein. We conclude this section with a simple example. Example 3.6. Consider the finite state machines F 1 and F 4 in Figures 2(a) and 2(d). Each circle denotes a state and each edge a transition. In each circle, upper symbol denotes the state and lower symbol the output set associated with the state; symbols labeling edges denote the input sets associated with the transitions. It is readily seen that the maximal bisimulation relation between F 1 and F 4 is R (F 1, F 4 ) = {(1, 8), (1, 11), (2, 9), (2, 10)}. Hence, F 1 and F 4 are bisimilar. Analogously, it is possible to show that F 3 = F5 and F 2 = F6. 4. ARENAS OF FINITE STATE MACHINES In this section we introduce a novel class of not flat systems in the spirit of the work of Alur and Yannakakis [2001], Alur et al. [1999], which we term Arenas of Finite State Machines (AFSMs). AFMSs are collections of finite state machines that interact concurrently through a communication network. The syntax of an AFSM is specified by a directed graph A = (V, E), where: V is a collection of N finite state machines M i = (X i, X 0 i, U i, Y i, H i, i ); E V V describes the communication network of the FSMs M i. When expanding the AFSM A, a flat system is obtained which is the ordinary finite state machine M(A) = (X, X 0, U, Y, H, ), where: X = X 1 X 2... X N is the set of states; X 0 = X1 0 X XN 0 is the set of initial states; U = Mi VU i is the set of input symbols; Y = Mi VY i is the set of output symbols; H is the output function so that H((x 1, x 2,..., x N )) = Mi VH i (x i ), for any (x 1, x 2,..., x N ) X; X 2 U X is the transition relation so that u (x 1, x 2,..., x N ) (x 1, x 2,..., x N ), whenever the following conditions are satisfied: u i (i) x i x i i is a transition of M i ; (ii) u = i {1,2,...,N} (u i \( j P re(a,mi)h j (x j ))), where: P re(a, M i ) = {j V (M j, M i ) E}. Finite state machine M(A) specifies the semantics of the AFSM A. Such semantics is given through a notion of composition of FSMs that can be regarded as a notion of parallel composition (Clarke et al. [1999]) as specified by condition (i), which respects the topology of the AFMS communication network through condition (ii). 5. COMPOSITIONAL BISIMULATION OF ARENAS OF FINITE STATE MACHINES 5.1 Compositional Bisimulation A naive approach to check bisimulation equivalence of AFSMs A 1 and A 2 consists in first expanding them to the corresponding FSMs M(A 1 ) and M(A 2 ) to then apply standard bisimulation algorithms (see e.g. Paige and Tarjan [1987], Dovier et al. [2004], Hopcroft [1971]). The main practical limitation of this approach resides in the well known state explosion problem, see e.g. Laroussinie and Schnoebelen [2000], Sawa and Janar [2009]. In fact, according to the semantics of AFSMs, any bisimulation algorithm that applies to the flat systems M(A i ) of the AFSMs, scales exponentially with the number of the FSMs involved in the AFSM. Inspired by the work of Alur and Yannakakis [2001], Alur et al. [1999] in this section we propose an alternative approach to check bisimulation equivalence of AFSMs. The notion of isomorphism between FSMs in Definition 3.2 can be easily adapted to AFSMs, as follows. Definition 5.1. Two arenas A j = (V j, E j ) of FSMs M j 1, M j 2,..., M j N (j = 1, 2) are isomorphic if there exists a j bijective function T : V 1 V 2 so that: Mi 1 V1 and T(Mi 1) V2 are isomorphic; (Mi 1, M 1, i ) E 1 if and only if (T(Mi 1 1, ), T(Mi )) E 2. We can now introduce the central notion of this paper that extends the notion of bisimulation equivalence from FSMs to arenas of FSMs. Definition 5.2. Given a pair of arenas A j = (V j, E j ) of FSMs M j 1, M j 2,..., M j N (j = 1, 2), a relation j R V 1 V 2, is a compositional bisimulation relation between A 1 and A 2 if for any (Mi 1, M j 2 ) R the following conditions are satisfied: (i) Mi 1 = Mj 2; (ii) existence of (Mi 1, M 1, i ) E 1 implies existence of (Mj 2, M 2, j ) E 2 so that (M 1, i, M 2, j ) R; (iii) existence of (M 2 j, M 2, j ) E 2 implies existence of (M 1 i, M 1, i ) E 1 so that (M 1, i, M 2, j ) R. 7008

4 AFSMs A 1 and A 2 are compositionally bisimilar, denoted A 1 = c A 2, if there exists a total compositional bisimulation relation between A 1 and A 2. Basic facts on bisimulation equivalence of FSMs recalled in Section 3 can be adapted to compositional bisimulation of AFSMs, as follows. The notion of compositional bisimulation is an equivalence relation on the class of AFSMs. Given a pair of AFSMs A 1 and A 2, the maximal compositional bisimulation relation between A 1 and A 2 is a compositional bisimulation relation R (A 1, A 2 ) so that R R (A 1, A 2 ) for any compositional bisimulation relation R. The quotient 1 of an AFSM A induced by R (A, A) is the minimal (in terms of the number of the FSMs involved) compositionally bisimilar AFSM of A. The minimal AFSM of an AFSM A, denoted A min (A), exists and it is unique, up to isomorphisms. We are now ready to present the main result of this paper which shows that the notion of compositional bisimulation of AFSMs conforms the notion of bisimulation of the corresponding flat systems. Theorem 5.3. If AFSMs A 1 = c A 2 then FSMs M(A 1 ) = M(A 2 ). The above result is important because it provides a method to assess bisimulation equivalence of AFSMs A i without expanding them to the corresponding FSMs M(A i ). The following example shows that the converse implication, i.e. whether M(A 1 ) = M(A 2 ) implies A 1 = c A 2 does not hold. Example 5.4. Consider four FSMs M i = (X i, Xi 0, U i, Y i, H i, i ), where each M i is characterized by the unique transition x 0 u i i x i i, where: M 1 M 2 M 3 M 4 u i {b, d} {a, d} H i (x 0 i ) {b, e} H i (x i ) {f} {f} {f} {f} Consider a pair of AFSMs A 1 = (V 1, E 1 ) and A 2 = (V 2, E 2 ), depicted in Figure 1, where V 1 = {M 1, M 2, M 3 }, E 1 = {(M 1, M 3 ), (M 2, M 3 )}, V 2 = {M 2, M 4 } and E 2 = {(M 2, M 4 )}. It is easy to see that the FSM M(A 1 ) is composed by the unique transition: (x 0 1, x 0 2, x 0 3) {a,c} (x 1, x 2, x 3 ), with output function H 1 defined by H 1 (x 0 1, x 0 2, x 0 3) = {b, d, e} and H 1 (x 1, x 2, x 3 ) = {f}. Moreover, the FSM M(A 2 ) is characterized by the unique transition: (x 0 2, x 0 4) {a,c} (x 2, x 4 ), with output function H 2 defined by H 2 (x 0 2, x 0 4) = {b, d, e} and H 2 (x 2, x 4 ) = {f}. Hence, FSMs M(A1 ) and M(A 2 ) are bisimilar. On the other hand, it is easy to see that FSM M 4 is not bisimilar with any FSM M i, i = 1, 2, 3. Hence, A 1 and A 2 are not compositionally bisimilar. 1 In the next section we show how quotients of AFSMs induced by compositional bisimulation can be computed as quotients of appropriate FSMs induced by ordinary bisimulation. M 1 M 3 M 2 M 2 M 4 Fig. 1. AFSM A 1 in the left and AFSM A 2 in the right. Fig {b, d} (a) F 1 (c) F 3 (e) F (b) F 2 {b, d} {b, d} (d) F 4 (f) F Theorem 5.3 can be used to reduce the size of AFSMs by compositional bisimulation, as follows. Given A, we recall that M min (M(A)) denotes the minimal bisimilar FSM of M(A) and A min (A) denotes the minimal compositionally bisimilar AFSM of A. Theorem 5.5. M min (M(A)) = iso M min (M(A min (A))). The above result suggests a method to employ compositional bisimulation for complexity reduction of AFSMs, as follows: Compute the relation R (A, A); Compute the quotient A min (A); Expand the non flat system A min (A) to the FSM M(A min (A)); Compute the relation R (M(A min (A)), M(A min (A))); Compute the quotient M min (M(A min (A))). The benefits of the above procedure in computing bisimulation equivalence between AFSMs are quantified in the next section, through a computational complexity analysis, and illustrated in Section 6 through an example. 5.2 Computation and Complexity Analysis Semantics of AFSMs is different from the one of FSMs because vertices of the first correspond to FSMs which interact concurrently, while states of the second can be regarded as static processes that interact sequentially. Syntax of AFSMs instead, can be reformulated in terms of syntax of FSMs. Consider a pair of AFSMs A j = (V j, E j ) (j = 1, 2) and define the tuple : 7009

5 Fig. 3. where: (1,3,5) {a,e} (2,4,7) {b,d,e} (2,4,6) {b,e} (1,3,6) {d,e} {a, d} (1,3,7) {a,d,e} (2,4,5) {d,e} M A j = (X A j, XA 0, U j A j, Y A j, H A j, Aj ), (2) X A j = V j ; XA 0 = V j ; U j A j = {u}; Y A j = V 1 V 2 ; H A j : X A j Y A j is so that H A j (M i ) = H A j (M k) for j, j {1, 2} if and only if M i = Mk ; A j X A j 2 U {u} A j X A j, so that M i M k, if (M i, M k ) E j. A j The syntax of the tuple in (2) is the same as the one of FSMs from which, the following result holds. Proposition 5.6. Consider a pair of AFSMs A 1 and A 2. Then A 1 = c A 2 if and only if M A 1 = MA 2. The above result is important because it implies that existing algorithms for checking bisimulation equivalence of FSMs (see e.g. Paige and Tarjan [1987], Dovier et al. [2004], Hopcroft [1971]) can be used to check compositional bisimulation of AFSMs. We conclude this section by discussing computational complexity in checking compositional bisimulation. Consider a pair of AFSMs A j = (V j, E j ) (j = 1, 2) of FSMs M j i = (Xj i, X0,j i, U j i, Y j i, Hj i, j i ), (i = 1, 2,..., N j ). Proposition 5.7. Time complexity for checking compositional bisimulation between A 1 and A 2 is O((N 1 N 2 ) 2 log(n 1 N 2 )). Proposition 5.8. Space complexity in checking compositional bisimulation between AFSMs A 1 and A 2 is O( A 1 A 2 ), where: A j = V j E i M j i V M j i, M j i = Xj i U j i Y j i j i. 6. AN ILLUSTRATIVE EXAMPLE Consider an arena A = (V, E) of nine FSMs M i, where: M 1 and M 8 coincide with F 1 in Figure 2(a); M 2 and M 7 coincide with F 2 depicted in Figure 2(b); M 5 coincides with F 3 in Figure 2(c); M 3 and M 6 coincide with F 4 in Figure 2(d); M 9 coincides with F 5 depicted in Figure 2(e); M 4 coincides with F 6 depicted in Figure 2(f). Arena A is depicted in Figure 4 (Left Panel). In the following we face the problem of computing the minimal bisimilar FSM M min (M(A)) of M(A). To this purpose we apply Theorem 5.5. We first construct the maximal compositional bisimulation relation R (A, A) between A and itself. By Example 3.6, F 1 = F4, F 3 = F5, and F 2 = F6. By transitivity property of bisimulation equivalence, finite state machines M i in A are so that M 1 = M3 = M6 = M8, M 5 = M9, and M 2 = M4 = M7. A straightforward computation reveals that the resulting maximal compositional bisimulation R (M, M) is composed by the pairs (M i, M j ) R (M, M) for which i, j {1, 3, 6, 8} or i, j {2, 5, 9} or i, j {2, 4}. The quotient A min (A) of A induced by R (A, A) has been constructed and it is easy to see that it is isomorphic to the arena depicted in Figure 4 (Right Panel). By expanding the arena A min (A), the FSM M(A min (A)) has been constructed and reported in Figure 2 3. It is readily seen that the maximal bisimulation relation R (M(A min (A)), M(A min (A))) is the identity relation, and hence M min (A min (A)) = M(A min (A)). An approach to reduction by bisimulation of the arena A, based on expanding the arena A, requires to run the bisimulation algorithm on the FSM M(A), which consists of 49, 152 states. The approach presented in this paper requires to run the bisimulation algorithm: (i) on the collection of FSMs F i composing the arena A, whose sets of states sum up to 28 states; (ii) on the FSM M A induced by the arena A, whose states are 9; (iii) on the FSM M(A min (A)) whose states are CONCLUSION In this paper we introduced a novel class of non flat systems which we called arenas of finite state machines. For this class of non flat systems we proposed a notion of compositional bisimulation. Existence of compositional bisimulations provides a method to assess bisimulation equivalence between AFSMs without expanding them to the corresponding FSMs and hence, without incurring in the state explosion problem. The computational effort in checking compositional bisimulation scales as N 2 log(n) with the number N of FSMs involved in the AFSMs, while the computational effort in checking ordinary bisimulation on the corresponding expanded FSMs scales exponentially with N. Future work will focus on generalizations of the results here presented to non flat systems exhibiting more general compositional features, as for example the class of Communicating Hierarchical Finite State Machines introduced in Alur et al. [1999], which combine parallel and sequential composition. Acknowledgement: The authors would like to thank Alberto Sangiovanni Vincentelli for fruitful discussions on the topic of this paper. REFERENCES Alur, R., Henzinger, T.A., Lafferriere, G., and Pappas, G.J. (2000). Discrete abstractions of hybrid systems. Proceedings of the IEEE, 88, Alur, R., Kannan, S., and Yannakakis, M. (1999). Communicating hierarchical state machines. In Computer Science Automata, Languages and Programming, volume 1644 of Lecture Notes in Computer Science, Springer Verlag. 2 In fact, the FSM depicted in Figure 3 is the accessible part (Cassandras and Lafortune [1999]) of M(A min (A)). 7010

6 M 1 M 2 M 3 M 4 F 1 F 2 M 5 M 6 M 7 M 8 M 9 F 3 Fig. 4. Alur, R. and Yannakakis, M. (2001). Model checking of hierarchical state machines. ACM Transactions on Programming Languages and Systems, 23(3), Belta, C. and Habets, L. (2006). Controlling a class of nonlinear systems on rectangles. IEEE Transactions of Automatic Control, 51(11), Bustan, D. and Grumberg, O. (2001). Modular Minimization of Deterministic Finite State Machines. In 6th International Workshop on Formal Methods for Industrial Critical Systems, volume 6, Paris, France. Cassandras, C. and Lafortune, S. (1999). Introduction to Discrete Event Systems. Kluwer Academic Publishers. Clarke, E., Grumberg, O., and Peled, D. (1999). Model Checking. MIT Press. Dovier, A., Piazza, C., and Policriti, A. (2004). An efficient algorithm for computing bisimulation. Theoretical Computer Science, 311(1 3), Girard, A., Pola, G., and Tabuada, P. (2010). Approximately bisimilar symbolic models for incrementally stable switched systems. IEEE Transactions of Automatic Control, 55(1), Harel, D. (1987). Statecharts: A visual formalism for complex systems. Science of Computer Programming, 8, Hopcroft, J. (1971). An n log(n) algorithm for minimizing states in a finite automaton. In Z. Kohavi and A. Paz (eds.), Theory of Machines and Computations. Academic Press, New York. Laroussinie, F. and Schnoebelen, P. (2000). The state explosion problem from trace to bisimulation equivalence. In Foundations of Software Science and Computation Structures, volume 1784 of Lecture Notes in Computer Science, Springer Verlag. Milner, R. (1989). Communication and Concurrency. Prentice Hall. Moore, E. (1956). Gedanken experiments on sequential machines. In C. Shannon and J. Mc-Carthy (eds.), Annals of Mathematics Studies, volume 34 of Automata Studies, Princeton University Press, Princeton, NJ. Paige, R. and Tarjan, R. (1987). Three partition refinement algorithms. SIAM Journal on Computing, 16(6), Park, D. (1981). Concurrency and automata on infinite sequences. volume 104 of Lecture Notes in Computer Science, Rabinovich, A. (1997). Complexity of equivalence problems for concurrent systems of finite agents. Information and Computation, 139(2), Sawa, Z. and Janar, P. (2009). Hardness of equivalence checking for composed finite-state systems. Acta Informatica, 46(3), Tabuada, P. (2009). Verification and Control of Hybrid Systems: A Symbolic Approach. Springer. van Glabbeek, R. (1990). The linear time branching time spectrum. In CONCUR 90 Theories of Concurrency: Unification and Extension, volume 458 of Lecture Notes in Computer Science, Springer Verlag. 7011