Distribution of Behaviour into Parallel Communicating Subsystems
Omar al Duhaiby (Eindhoven University of Technology), Jan Friso Groote, (Eindhoven University of Technology)

TL;DR
This paper investigates how complex systems can be decomposed into communicating subsystems while preserving behavioral equivalence, focusing on automata learning and bisimilarity, and proving limitations of such decompositions.
Contribution
It introduces methods for decomposing systems into communicating subsystems that preserve branching bisimilarity and establishes fundamental limitations of divergence-preserving decompositions.
Findings
Synchronous and asynchronous decompositions maintain branching bisimilarity.
No universal decomposition operator preserves divergence-preserving branching bisimilarity.
The study advances understanding of system decomposition in distributed automata learning.
Abstract
The process of decomposing a complex system into simpler subsystems has been of interest to computer scientists over many decades, for instance, for the field of distributed computing. In this paper, motivated by the desire to distribute the process of active automata learning onto multiple subsystems, we study the equivalence between a system and the total behaviour of its decomposition which comprises subsystems with communication between them. We show synchronously- and asynchronously-communicating decompositions that maintain branching bisimilarity, and we prove that there is no decomposition operator that maintains divergence-preserving branching bisimilarity over all LTSs.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Distribution of Behaviour
into
Parallel Communicating Subsystems
Omar al Duhaiby Jan Friso Groote Eindhoven University of Technology
Eindhoven, The Netherlands [email protected] [email protected]
(May 2019)
Abstract
The process of decomposing a complex system into simpler subsystems has been of interest to computer scientists over many decades, for instance, for the field of distributed computing. In this paper, motivated by the desire to distribute the process of active automata learning onto multiple subsystems, we study the equivalence between a system and the total behaviour of its decomposition which comprises subsystems with communication between them. We show synchronously- and asynchronously-communicating decompositions that maintain branching bisimilarity, and we prove that there is no decomposition operator that maintains divergence-preserving branching bisimilarity over all LTSs.
1 Introduction
The process of decomposing a complex system into simpler subsystems is the cornerstone of behavioural analysis regardless of where it is applied, to the atom or to the human psyche. Studying the relationship between a complex system and the total behaviour of its decomposition is the subject matter of this paper. However, instead of atoms or human brains, in the field of formal methods, we simply dissect automata. This paper studies how the behaviour of a Labelled Transition System (LTS) can be distributed into a parallel (de)composition of communicating subsystems while maintaining behavioural equivalence.
Motivation
This work was motivated by a case study in the industry [5] based on which we pursued the possibility of deducing the internal components of a system based on the model inferred by the active model learning technique [2]. If it were possible at all, then the learned system must be equivalent to the parallel decomposition deduced.
Our goal is to examine the possibility of such deduction and we do that by devising a decompositioning scheme with certain assumptions, then examine its equivalence with the original system.
Related Work
Previous work done on the topic of decomposition focuses on uniqueness properties and on producing simpler components. For example the primary decomposition theorem by Krohn and Rhodes states that any automaton can be decomposed into a cascaded product of simpler automata such that the automaton is homomorphic to its decomposition [11]. And in 1998, Milner and Moller introduced a semantics of parallel decompositions comprising non-communicating subsystems [13], and they proved that any finite system of behaviour can be decomposed into a unique set of prime parallel non-communicating subsystems. While Milner and Moller’s theorem was in strong bisimulation set in the Calculus of Communicating Systems (CCS), Luttik [12] later introduced a more general framework of commutative monoids that can be used to establish unique decomposition in weak and branching bisimulation semantics.
In contrast to those works, we consider decomposing a system based on partitioning its alphabet into disjoint sets and we require that the subsystems communicate. In that sense, this work is more similar to Brinksma et al. [4] and Hultström [10] who made a decomposition based on a given partition of actions. Another similarity is the need for synchronisation between subsystems as defined in Section 4.1.
Contribution
We define two decompositions of parallel communicating subsystems, one synchronous and the other asynchronous, and we prove that both decompositions maintain branching bisimilarity [7] with the source automaton. We also prove that there is no way of decomposing an automaton (under certain conditions) such that it is divergent-preserving branching-bisimilar [6] to the resulting decomposition. We consider branching bisimilarity, but the results of this paper easily carry over to other equivalences such as weak bisimilarity.
Outline
The outline of this paper is as follows. Section 2 introduces the preliminaries. Section 3 defines and discussed the general decomposition operator on which we base our arguments. Section 4 defines two decompositions of communicating subsystems, one for synchronous communication and the other for asynchronous communication, and proves that each maintains a branching bisimulation relation with the source automaton. Section 5 contains the proof that there is no way of decomposing an automaton, through our general decomposition operator, such that it maintains divergence preserving branching bisimulation with its decomposition. Finally, Section 6 discusses the results and interprets them in light of our initial motivation.
Acknowledgement
We wish to thank Rick Erkens, Bas Luttik, Thomas Neele, Joshua Moerman, Pieter Cuijpers, Bharat Garhewal, Hans van Wezep, Arjan Mooij and the referees of the EXPRESS/SOS 2019 workshop for their thorough feedback, for sharing their knowledge, and for their motivation and support.
2 Preliminaries
In this section, we present the preliminaries of labelled transition systems, the synchronous product and bisimulation relations, aided by [8]. We start with the definition of a labelled transition system (LTS).
Definition 2.1** (LTS).**
We define our LTS as a four-tuple where:
- •
is a non-empty finite set of states.
- •
is the alphabet, also referred to as the action set.
- •
is a transition relation.
- •
is the initial state.
We use the notation to express a transition with action from state to state . This and variations of it are formally defined as follows.
Definition 2.2** (Transition Relation).**
Let be an LTS with and , where is the internal/unobservable action. We use the following notations:
[TABLE]
Next, we define complementary actions, i.e., actions on which communicating systems synchronise. Then we define the synchronous product of two automata, and show what role complementary actions play in computing it.
Definition 2.3** (Co-actions).**
For an arbitrary action that is not , the action (read as a bar) is called its co-action. Also, . We say that actions and are complementary to each other and we call them a pair of complementary actions.
We lift this operator to sets of actions such that .
Definition 2.4** (Synchronous Product).**
The synchronous product of two LTSs
is the tuple
where .
The transition relation is defined as follows:
[TABLE]
where is the unobservable action.
Next, we define two notions of behavioural equivalence.
Definition 2.5** (Branching bisimulation).**
Given an LTS and a relation . We call a branching bisimulation relation iff for all states such that , it holds that:
if , then:
- •
and ; or
- •
, and . 2. 2.
Symmetrically, if , then:
- •
and ; or
- •
, and .
Two states and are branching bisimilar, denoted iff there is a branching bisimulation relation such that . Two LTSs and are branching bisimilar, denoted , iff their initial states are.
A state with is called divergent. Hence, a state with a loop is also called divergent. Branching bisimulation does not preserve divergence, i.e., a divergent state can be branching bisimilar to a non-divergent one. Therefore, a stronger equivalence relation, namely divergence-preserving branching bisimulation, is defined below.
Definition 2.6** (Divergence-preserving branching bisimulation).**
Given an LTS and a relation . We call a divergence-preserving branching bisimulation relation iff it is a branching bisimulation relation and for all states with , there is an infinite sequence with for all iff there is an infinite sequence and for all .
Two states and are divergence-preserving branching bisimilar, denoted iff there is a divergence-preserving branching bisimulation relation such that . Two LTSs and are divergence-preserving branching bisimilar, denoted , iff their initial states are.
3 The Decomposition Operation
In this section, we establish a decompositioning scheme that is based on action partitioning in order to refer to it as the general decomposition operation on which our theorems apply. Our general decomposition operation is a function transforming a single LTS, given two disjoint actions sets, into two LTSs. It is formally defined as follows.
Definition 3.1** (General Decomposition Operation).**
Given an LTS with alphabet and given two alphabets such that and , we call a general decomposition operator iff such that has alphabet with and , and likewise, has alphabet with and .
We refer to a method of decomposing automata as a decomposition operation whereas the result of such transformation is called a decomposition. A decomposition comprises two or more automata. This transformation is depicted in Figure 2. Throughout the paper, we compare LTSs to the synchronous product of the decomposition, and if a a certain bisimulation relation holds between these two, then we say that the operation maintains that relation.
The idea behind this transformation is, given a partition of actions of a system, to generate two subsystems, each using exclusively one of the two parts.
Recursive decomposition.
Note that Definition 3.1 can easily be applied recursively allowing to decompose behaviour into multiple components. As the alphabets over which an automaton can be decomposed can be empty, the number of components over which behaviour can be split can even be arbitrarily large.
4 Branching Bisimilar Decompositions
In this section, we define two decomposition operations that are designed to maintain branching bisimilarity, and we actually prove that they do. The first one () decomposes into synchronously communicating subsystems while the second () decomposes into asynchronously communicating ones. In both of these operations, we build two automata that pass control between one another using messages. Only if an automaton seizes control can it perform one of its actions, otherwise it has to wait for the other to hand control over. Formal definitions and more detail follow.
4.1 Decomposing into Synchronous Subsystems
We define the decomposition of synchronous subsystems, summarised in Figure 1 in two patterns; the top dictates the decomposition of every state in the source LTS while the bottom dictates the decomposition of every transition. An omitted third pattern is symmetric to the second such that the transition’s label simply belongs to the second subsystem rather than the first.
Definition 4.1** (Synchronous Decomposition Operation).**
Given an LTS and two alphabets such that and , then we can decompose over and by applying the following operation:
where:
. 2. 2.
For every state in , we introduce two states :
[TABLE]
Notation.
Tuple-states of the form such as and are shortened to . Therefore, it is to be held throughout the paper that is derived from rather than it being a completely unrelated symbol to . 3. 3.
The set of -actions is defined as follows:
[TABLE] 4. 4.
The sets of actions and states are defined as follows:
[TABLE] 5. 5.
The complete sets of actions of and are respectively defined as:
[TABLE] 6. 6.
The transition relations are defined as follows. For and , is the minimal relation satisfying the following:
- (a)
For all and for all :
[TABLE] 2. (b)
For all , and all , if , then:
[TABLE]
Two classes of actions are introduced, -actions and -actions. The -actions come in pairs, and they resemble passing a control token between and . For instance, looking at Figure 2, when, at some state for which a pair of states exists in both and , and control is to be passed from to , then a pair of complementary actions synchronises, namely, actions and , to produce a synchronous transition in both machines from to . Likewise, actions and synchronise to pass control in the opposite direction from to .
The -actions are introduced to synchronise transitions occurring in one machine with the other. In addition, they require the introduction of -states. Observe Figure 2 where an transition occurs in . The aim is the transition , but in order to synchronise this with , we introduce a middle state from which the only possible transition is which synchronises with the transition in .
The operation () can be summarised by two patterns shown in Figure 1; the top pattern applies to each state and the bottom one applies to each transition.
Is the Decomposition a Simplification?
The decomposition is obviously larger than the original system. That is due to the nature of an alphabet-partitioning-based decomposition where subsystems must hand control over between one another. Thus, every subsystem must have, for each state in the original, multiple ones expressing where control lies. In special cases, a smaller component may suffice; for example, in Figure 2, because state enables no actions, a state is not needed and all transitions going to can instead go to . However, we believe that our definition the way it is is more understandable because of its generality and symmetry. The element of simplification lies not in reducing the size of a system but rather in partitioning its alphabet.
Computing the Synchronous Product.
For a decomposition by Definition 4.1, the synchronous product is the LTS , where:
[TABLE]
with being sets introduced by . The transition relation is defined as follows for and :
if and then by (LABEL:eq1) there is a state and a pair of complementary actions such that:
[TABLE]
[TABLE] 2. 2.
For all , there exist such that, by (5), and , and thus:
[TABLE]
4.2 Proof that the synchronous decomposition operation maintains branching bisimulation
In this subsection, we show an application of (Definition 4.1) to a sample LTS, we demonstrate that maintains branching bisimilarity, and then we prove that branching bisimilarity is maintained through any and all applications of .
Figure 2 shows the LTS at the left side and its decomposition at the right side. The two patterns shown in Figure 1 can be applied directly to this LTS. The top pattern applies twice, once per state, and the bottom pattern applies three times, once per transition.
Next, we compute the synchronous product and form one LTS shown at the right of Figure 3. The nodes are divided into two equivalence classes, top and bottom. The states in the top class are branching bisimilar to state whereas the states in the bottom one are branching bisimilar to state .
The following proves the branching bisimilarity and thus proves that there is a way of decomposing an LTS such that branching bisimilarity is maintained.
Theorem 4.2**.**
Given an LTS and two alphabets such that and , and given an LTS where by Definition 4.1, then .
Proof.
Let and .
Define a relation with , , , , . We prove that is a branching bisimulation relation through the following cases:
Consider a pair where .
- (a)
Assume . Then we have two cases:
- i.
. Then, by (8), . We see that . 2. ii.
. Then, by (8), . We see that . 2. (b)
Assume . Then we have the following three cases:
- i.
, then this transition is only possible, by definition, through the transition for some such that . We see that . 2. ii.
. This is a symmetric case where and . We see that . 3. iii.
, then the only transition possible is the transition of (LABEL:eq5). Then where and . We see that . 2. 2.
Consider a pair where , and .
- (a)
Assume . Then we show that and and and . We do this for . The case for is symmetric.
- i.
. We see that . 2. ii.
Since and , then by (8), there exists a state such that , and , where . We see that . 2. (b)
Assume . By the definition of , it is only possible that is a action and that . Thus, . We see that . 3. 3.
Consider a pair where , and . This case is symmetric to Case 2.
∎
Corollary 4.3**.**
It follows from Theorem 4.2 that there is a universal way of decomposing an LTS using a general synchronous decomposition operator (Definition 3.1) such that is branching-bisimilar to the synchronous product of its decomposition.
4.3 Decomposing into Asynchronous Subsystems
We consider asynchronous communication between subsystems simply because many practical systems use asynchronous communication and the aim is to extend our proof towards that. So, we define a new decomposition operation () such that the communication between subsystems is asynchronous. We assign each subsystem a queue that stores received messages until they are consumed. An action of sending such a message does synchronise, however, with the queue of the opposite side receiving it. The operation is summarised in Figure 4.
Definition 4.4** (LTS with Queue).**
A queue is an ordered-list of actions. An LTS with a queue is a transition system of the shape . A state in holds the contents of the queue and is written as .
Elements in a queue are concatenated using the operator. Appending an element to the back of a queue produces the queue , while represents the queue with in the front. The symbol represents the empty queue.
Definition 4.5** (Decomposing into asynchronous subsystems).**
Given an LTS and two alphabets such that and , then we can decompose over and by applying the following operation:
where, for and , is an LTS with a queue (Definition 4.4) defined as follows:
2. 2.
For every state in , we introduce a pair of states , a pair of -actions, and a pair of -actions:
[TABLE] 3. 3.
Sets of -states are defined as follows:
[TABLE] 4. 4.
Sets of synchronous actions are defined as follows:
[TABLE] 5. 5.
The transition relation is the minimal relation satisfying the following:
- (a)
For all :
[TABLE] 2. (b)
For all , and all , if , then:
[TABLE] 3. (c)
Consuming an element from the front of a queue is an internal transition of the form:
[TABLE]
We see in (13) that the two automata synchronise on action . The effect is a message sent from and received in the queue of . The same occurs in (LABEL:eq:a-transition-2). Moreover, this makes sending messages only possible when both machines are in sync, i.e., on the same state . This model is inspired by asynchronous communication in practice and we found it necessary that a sent message is received before any other actions are performed by either side.
The question may arise “why do we still see synchronisation? Is this still considered asynchronous communication?”; and the answer is that it is asynchronous in the sense that the sending party does not know whether and when the receiving party is willing to receive the communication. This is different from synchronous communication where the sender knows that the receiver is willing to participate.
For this construction, a queue of size 1 is enough as it never contains more than one message. If the size of the queue was more than 1, then the transition in (LABEL:eq:a-transition-2) can apply recursively until the queue is full. However, any transition beyond the first one does not translate into a transition in the product because action needs to synchronise with its co-action. In other words, in the product automaton, the queue cannot contain more than one message. Therefore, the upperbound of size 1 of the queue is not a requirement, but rather follows from the construction.
4.4 Proof that the Asynchronous Decomposition Operation Maintains Branching Bisimulation
In this subsection, similar to Section 4.2, we prove that the asynchronous decomposition operation () also maintains branching bisimilarity. Figure 5 shows the result of applying to the same example behaviour as in Figure 2. In Figure 6, we compute the synchronous product of the decomposition of Figure 5 and then divide the nodes of the product into two equivalence classes, top and bottom. The states in the top class are branching bisimilar to state whereas the states in the bottom on are branching bisimilar to state .
Next, we prove that any LTS decomposed using Definition 4.5 maintains branching bisimulation with its decomposition, thus by proving that there is at least one universal method of decomposing LTSs into asynchronous ones while maintaining branching bisimulation.
Theorem 4.6**.**
Given an LTS and two alphabets such that and , and given an LTS where by Definition 4.5, then .
Proof.
Let and .
Define a relation with
[TABLE]
We prove that is a branching bisimulation relation through the following cases:
Consider a pair where .
- (a)
Assume . Then if , then where with . Else if then where with . We see that both pairs and are in . 2. (b)
Assume . Then we have the following three cases:
- i.
, then this transition is only possible, by definition, through the transition for some such that . We see that the pair and is covered in case 4. 2. ii.
. This is a symmetric case where and . We see that the pair and is covered in case 5. 3. iii.
, then the only transition possible is the transition of (13). Then either or where and . We see that in both possible values of , the pair and is covered in cases 2 and 3. 2. 2.
Consider a pair .
- (a)
Assume . Then , and we covered the pair in case 1. 2. (b)
Assume . The only possible transition in is if is a action consuming the queue message then and we covered the pair in case 1. 3. 3.
Consider a pair . Symmetric to case 2. 4. 4.
Consider a pair such that .
- (a)
Assume . Then . 2. (b)
Assume . The only possible transition in is if is a action resulting from the synchronisation of the two transitions and . Then, in the product, ; and the pair and is covered in case 6. 5. 5.
Consider a pair . Symmetric to case Case 4. 6. 6.
Consider a pair such that .
- (a)
Assume . Then because of the queue-consuming transition , then .
The pair is covered in case 1. 2. (b)
Assume , then there are two possible values for :
- i.
Action is a queue-consuming , then ; and the pair
is covered in case 1. 2. ii.
, then such that ; and the pair . 7. 7.
Consider a pair . Symmetric to case 6. 8. 8.
Consider a pair such that . Then ; and the pair is covered in case 4. 9. 9.
Consider a pair such that . This is symmetric to case 8.
∎
Corollary 4.7**.**
It follows from Theorem 4.6 that there is a universal way of decomposing an LTS using a general asynchronous decomposition operator (Definition 3.1) such that is branching-bisimilar to the synchronous product of its decomposition.
5 Proof that no decomposition operation maintains
In this section, we prove that there is no way of decomposing an LTS such that it is divergence-preserving branching-bisimilar to the synchronous product of its decomposition.
We define confluence based on [9].
Definition 5.1** (Confluence).**
An LTS is called confluent over and iff for all states and for all and , if and , then there is a state such that and .
Lemma 5.2**.**
Any LTS that is the synchronous product (Definition 2.4) of two LTSs and whose action sets are and respectively, is confluent over two sets and .
Proof.
Consider the synchronous product from Definition 2.4 and some actions and . Then . Consider some states , , and . We know that if then that is due to a transition and that makes , and that given a transition , then a transition is possible. Similarly, if then . Therefore, the defined synchronous product is confluent. ∎
Figure 7 (centre) shows a simple LTS . Concretely, it is defined as with alphabets and and transitions and . In the following lemma and theorem, we prove that no way of decomposing maintains divergence-preserving branching bisimulation.
Lemma 5.3**.**
Given the LTS (Figure 7, centre) with action set , let and be two LTSs with action sets and respectively, and with and and . Let be the synchronous product by Definition 2.4. Then .
Proof.
We prove this lemma by contradiction. Assume that , and let be the initial state of , then . As is not divergent and cannot do a -transition, it holds that only finite sequences of ’s are possible from . This can be seen as follows. If , then for all . Hence, is divergent. But this is not possible because is not divergent. So, takes a finite number of steps to reach some state where .
Since it must be that , and since and where and , then there are two states and such that and , and and .
Now because and , then is confluent over these two sets, then there must exist a state such that . However, . Therefore, . Contradiction. Therefore . ∎
The proof is illustrated in Figure 7 showing that divergence-preserving branching bisimulation () does not hold when decomposing the LTS due to the confluence property of decompositions. On the other hand (literally the other hand of the same figure), branching bisimulation holds when decomposing LTS . The reason it holds under , but not under is that the former admits infinite cycles, i.e. divergence, which, as demonstrated here in right side of the figure, avoids the premise of confluence altogether. [3] provides a similar insight into how divergence maintains branching bisimilarity but breaks divergence-preserving branching bisimilarity.
Theorem 5.4**.**
There is no decomposition operation that maintains divergence-preserving branching bisimulation () for all LTSs.
Proof.
We prove this theorem by contradiction. Assume that there is a decomposition operation that maintains for all LTSs. Then it must do so for any arbitrary LTS . But since Lemma 5.3 proves that no LTS maintains for one such LTS , i.e the one in Figure 7, then there is no decomposition operation that maintains for all LTSs. ∎
6 Interpretation
One way to understand this fundamental result is that if the subsystems of the decomposition must communicate, then there is no escape from introducing divergence in order to maintain equivalence over any and all decompositions of LTSs.
With respect to automata learning, this result implies that, unless one values divergency, it is not possible to make any assumption about the distribution of components based on the information that is learned. If one can observe divergencies while learning behaviour, it might be possible to say something about the internal structure of a system though this will be highly non trivial to accomplish.
And with respect to software, our result says that it is always possible to distribute a piece of software over different components if one allows divergent behaviour. Otherwise, such a distribution is not possible and based on our proof. One can see that this already applies to very simple behaviours.
Furthermore, divergence, in an industrial context, is undesired due to the requirement of fairness, i.e., one subsystem seizing unfair control over the total behaviour of the system through infinite looping. This means that if some decomposition is found to maintain fairness, then that is guaranteed not to be the case universally over all contexts and all LTSs.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1]
- 2[2] Dana Angluin (1987): Learning Regular Sets from Queries and Counterexamples . Inf. Comput. 75(2), pp. 87–106, 10.1016/0890-5401(87)90052-6 . · doi ↗
- 3[3] Jos C. M. Baeten, Bas Luttik & Paul van Tilburg (2013): Reactive Turing machines . Inf. Comput. 231, pp. 143–166, 10.1016/j.ic.2013.08.010 . · doi ↗
- 4[4] Hendrik Brinksma & Romanus Langerak (1995): Functionality Decomposition by Compositional Correctness Preserving Transformation . South African Computer Journal 13, pp. 2–13.
- 5[5] Omar al Duhaiby, Arjan J. Mooij, Hans van Wezep & Jan Friso Groote (2018): Pitfalls in Applying Model Learning to Industrial Legacy Software . In: Leveraging Applications of Formal Methods, Verification and Validation. Industrial Practice - 8th International Symposium, I So LA 2018, Limassol, Cyprus, November 5-9, 2018, Proceedings, Part IV , pp. 121–138, 10.1007/978-3-030-03427-6_13 . · doi ↗
- 6[6] Rob J. van Glabbeek, Bas Luttik & Nikola Trcka (2009): Branching Bisimilarity with Explicit Divergence . Fundam. Inform. 93(4), pp. 371–392, 10.3233/FI-2009-109 . · doi ↗
- 7[7] Rob J. van Glabbeek & W. P. Weijland (1996): Branching Time and Abstraction in Bisimulation Semantics . J. ACM 43(3), pp. 555–600, 10.1145/233551.233556 . · doi ↗
- 8[8] Jan Friso Groote & Mohammad Reza Mousavi (2014): Modeling and Analysis of Communicating Systems . MIT Press, 10.7551/mitpress/9946.001.0001 . · doi ↗
