Compositional Abstraction Refinement for Component-Based Systems

The efficiency of the compositional verification of invariants depends on the abstraction, which may lead to verification incompleteness. The invariant strengthening and state partitioning techniques are proposed in this paper. The former could refine the overapproximation by removing the unreachable states, and the latter is a variant of counterexample-guided abstraction refinement. Integrated with these two refinement techniques, a unified compositional verification framework is presented to strengthen the abstraction and find counterexamples. Some examples are included to show that the verification of the safety properties in component-based systems has been achieved by our framework.


Introduction
A component-based system is made up of several components using a set of glue (interactions) that describes the coordination between components [1].Some components, like program processes, contain local data and control information to determine their own behaviors, and their interactions represent the communication between components.Component-based system has the advantages that the development can be simplified and the time-to-market would be reduced.However, the tremendously high (or even infinite) number of states of the components makes the verification of properties of these systems intractable.In this paper, we discuss the compositional verification using abstraction refinement techniques on component-based systems.
Compositional verification would alleviate the problem of state explosion in concurrent model checking, especially in conjunction with abstraction.The work in [2,3] proposed an automated compositional abstraction framework which differs in the communication method.The abstraction procedure in [2] is guided by the data (interaction through shared variables) of the model while it is guided by the action (interaction through message-passing event) in [3].Thread modular reasoning is also a compositional abstraction framework proposed in [4], which automatically generates the environment for each thread by analyzing its interaction.Compositional verification using abstraction refinement techniques on component-based systems has been extensively studied.Malkis et al. combined CEGAR and thread modular reasoning in their proposed technique [5], called thread-modular CEGAR.The technique computed reachable states with Cartesian abstraction.They directly compute the reachable states for all processes of the compositional system in an explicit way.Then refinement was applied to eliminate unreachable states by removing them from the Cartesian product.A technique closely related to compositional verification is assume-guarantee reasoning.Henzinger et al. [6,7] proposed a component-based verification algorithm which is complete for verifying safety properties.They first initialize each component as true (the most abstract model which essentially accepts any behaviors) and then iteratively refine them by adding new auxiliary predicates, whereas they initialize the guarantee of the components as false (the most abstract model which essentially rejects any behaviors) and refine them successively by considering abstraction of current component and guarantees of other components.
Another interesting branch for compositional verification is the inductive invariant based method [8][9][10].The properties established from the verification are usually invariants.

Journal of Applied Mathematics
Given a property on component-based system states, compositional verification of invariant is to verify whether the given property can be inferred from the invariants of their components.Divide-and-conquer approaches can be applied in compositional verification to infer global invariants from local invariants.A compositional verification method based on the inductive invariant is presented in [11,12].In this approach, the property of the component-based system can be inferred by the compositional verification rule which is referred to as the component invariant and the interaction invariant.This approach is incomplete.Given a property (predicate), if the conjunction of the component invariants and the interaction invariants is able to establish the property, one concludes the verification.Otherwise, one reports that the verification is inconclusive.
The inconclusive problem is due to two reasons.One is the abstraction, which transforms the original system (infinite) to an abstract system (finite).The other is the interaction invariant, which is the overapproximation of the reachable abstract states.Thus, the conjunction of component invariants and the interaction invariant is such an overapproximation that unreachable states in the original system may be computed as reachable in the abstract system, which may include unreachable error states.We propose two refinement techniques, counterexample-guided invariant strengthening and state partitioning to address the inconclusive problem.
A unified compositional abstraction refinement algorithm for the invariant checking problem on componentbased systems is given, which contains two phases.At the verification phase, we apply compositional verification to the invariant checking problem.If it suffices to conclude the verification, we are done.Otherwise, the verification algorithm moves to the refinement phases.In the other phase, we first strengthen the interaction invariant and remove the spurious counterexamples.After the invariant is strengthened, we analyze the remaining counterexamples and partition abstract states.When our algorithm returns to the verification phase, added states will induce a refined abstract model.
The rest is organized as follows.The component-based system, component invariant, and component abstraction are introduced in Section 2. In Section 3, we introduce the compositional verification of invariant for component-based systems, which is the overapproximation of the system states.We give counterexample-guided invariant strength and partition refinement methods in Section 4. A compositional verification framework integrated with iterative refinement and its correctness proof are presented in Section 5. We show the effectiveness of our proposed method in Section 6 and then conclude in Section 7.

Preliminaries
In this section, we present concepts and definitions that are used in this paper.We start with the overview of componentbased systems, which includes the concepts of atomic component, interaction, and compound component.In the rest of this section, we introduce the concepts for the component invariant and abstraction.

Component-Based
System.Component-based system is a basic model of wide-ranging concurrent systems.It is proven in [13] that such a hierarchical model can be converted to semantically equivalent flat model.Therefore, instead of analyzing complex hierarchical structure, we concentrate on two-level structure in this paper.The lower level of the component-based system is atomic component, and the higher level is compound component which is composed of several atomic components with a set of interactions.
An atomic component is a transition system, denoted by a tuple  = (, , , , {  } ∈ , {  } ∈  ), where (, , ) is a transition system; that is,  = { 1 ,  2 , . . .,   } is a set of control locations,  is a set of ports, and  ⊆  ×  ×  is a set of transitions. = { 1 , . . .,   } is a set of variables and for each  ∈ , respectively,   (x) is a guard, a predicate on x, and   (x, x  ) is an update relation, a formula on x(current) and x  (next) state variables.Given a transition  = (, ,   ) ∈ ,  and   are, respectively, the source and target location denoted by  and .
Given a set of components  1 , A typical transition system (e.g., a component ) contains control states, usually the program counter which takes values from the set of control locations.Control states are defined by formulas of the form (at   ), where   ∈ .Additionally, we assume that for each transition  = (  , ,   ) ∈ , we get a transition formula written as at   ∧   (x)  →   (x, x  ); at   where x ∈ .Definition 1 (component system).A component system is denoted by S = (, Init), where  is a component (atomic or compound component) and Init is the initial predicate of the system.

Component Invariant. Most properties established during verification are either invariants or depend on invariants.
To prove that a predicate  is an invariant of some system S, we need to find such a predicate  that  is stronger than  and  is inductive.In general, for a system ,  is an invariant of  if every initial state of system  satisfies  and  is preserved under all transitions of the system.Definition 2 (component invariant).Given a component  = (, , , , {  } ∈ , {  } ∈ ), for a global state predicate Φ = ⋁ ∈ at  ∧   , the generated formula by post predicate is post(Φ) = ⋁ ∈ (⋁ =(,,  ) at   ∧ post  (  )), where post  (()) = ∃  ⋅(  (  )∧  (  , )∧(  )).A fixed point of the post transformer is a component invariant (formula Φ) of the component ; that is, post(Φ) ⇔ Φ.
The component invariant is computed by the post predicate transformer.A more detailed technique, as well as other related properties for component invariants, is given in [8,14] and will not be presented.
Consider a system S = (, Init), where  is a component and Init is a state predicate satisfied by the initial states of .Φ is an invariant of , if it is a component invariant of  and Init ⇒ Φ.

Component Abstraction.
When original system has real or large range discrete variables, enumeration of concrete states by valuation is impossible.Before computing interaction invariants of the compound system, we need first to generate a finite state abstraction for the component-based system.
In our methodology, given a component-based system S = ⟨, Init⟩, component invariant Φ = ⋁ ∈ at  ∧ (⋁ ∈    ) is automatically generated from a transition system (a component) that describes its behavior, which is represented by the disjunction of atomic formulas, such as at  ∧   .However, instead of using the atomic formulas to generate an abstract system, we use them to construct an abstraction function.
The abstraction function maps an atomic formula to an abstract value of that formula, which preserves the relation among the atomic formulas instead of treating them as independent propositions.The abstraction technique used here is based on the approach proposed by Bensalem et al. in [2,8].An abstraction function  maps the concrete representation of the atomic predicates at  ∧   to the abstract presentation , called abstract state.We use Φ  to represent a set of abstract states.

Compositional Verification
After the overview of component-based system, the component invariant, and the component abstraction, we first present the compositional verification rule of componentbased systems, then we give out the concepts of the verification rules, and last we do the analysis on the overapproximation of the compositional abstraction.

Compositional Verification Rule.
In the approach presented in [11,12], the property Φ of ( 1 , . . .,   ) can be inferred by the following compositional verification rule: where   ⟨Φ  ⟩ means that Φ  is an invariant of component   and Ψ belongs to the set of interaction invariants II.For component   , a predicate Φ  on the component states is a component invariant of   .Before generating the interaction invariants, one needs to compute the abstraction for the components.The abstraction for   , denoted by     , is computed from Φ  by the abstraction function   .In the abstract system ({  1 1 , . . .,     }), we generate the interaction invariant Ψ under the global behavior constraint, which is the overapproximation of the reachable abstract states.Given a property (predicate) Φ, if the conjunction of the invariant ⋀   Φ  and the interaction invariants Ψ are able to establish the property, one concludes the verification.Otherwise, one reports that the verification is inconclusive.Definition 4 (abstract system).Given a component system S = (,Init), the abstract system is denoted by S  = ⟨  , Init  ⟩, where   is the abstraction for a component and

Related Concepts
= false} is the set of the initial abstract states.
The following lemma in [11] says that ( ) is an abstraction of  = ( 1 , . . .,   ) and that invariants of the abstract system are also invariants of the concrete system.Lemma 5.If   is an abstraction of  with respect to an invariant Φ and  its abstraction function, then   simulates Given an abstract system, interaction invariants characterize constraints on the global abstract state space induced by synchronization among components.Interaction invariants are based on the concept of traps in Petri net, which are computed on finite transition system (  , the forward interaction set is denoted by is related to some interactions.In each interaction, there exists a transition   from  participate in.That is,  is composed of sets of transitions involved in some interaction of  in which a transition   from  can participate.
Given a parallel composition ( Definition 6 (interaction invariant).Given an abstract system is a trap containing the initial states of some components, then ⋁ ∈Φ  at  is the interaction invariant of S  .
The characterization of traps in [12] allows one to compute the set of traps [16] using different approaches, including methods of positive mapping or fix-pointed computation.

Overapproximation.
In the compositional verification rule present in Section 1, the conjunction of component invariants and the interaction invariant is an overapproximation of reachable system states.The overapproximation of the compositional verification mainly results from two kinds of abstractions.One is due to the abstraction function, and the other is caused by interaction interference.The conjunction of interaction invariants overapproximates the set of reachable states, which may cause some unreachable error states to be included.
The abstract system   for a component  is generated by elimination in a conservative way.To check whether     , where  = (at  ∧ ) and   = (at   ∧   ), we check that for all transitions  = (, ,   ) we have post  () ∧   = false.When we generate abstract systems, the behaviors of the abstract system are more than the original system's.As the compositional verification performance on abstract components, the verification is incompleteness.
The conjunction of interaction invariant (a trap) characterizes constraints on the states induced by synchronization among components.States satisfying interaction invariants provide enabled execution information, a local projection of global states on part of components.However, these global states may not be reachable from initial states.Moreover, different interactions may include common ports.The interactions including the same port must exclusively execute, that is, just only one interaction can execute.Interaction invariant cannot characterize this dynamic information.
From the above analysis, we can conclude that invariantbased compositional verification is incomplete.We propose two refinement techniques in conjunction with invariantbased compositional verification rule to get a verification framework.The framework is an iterative scheme which starts from the abstraction until a concrete counterexample is found or until the safety property holds on abstract systems.

Refinement Approaches
We give counterexample-guided invariant strengthening and partition refinement methods in this section.

Invariant Strengthening.
In the first part of this section, we present the invariant strengthening approach.As interaction invariant computed by the greatest fixed point is the overapproximation, counterexamples (represented by the conjunction of abstract states) may be spurious.For this case, we check whether counterexamples can be reachable from the initial states.If not, we generate a fixed point backward from the spurious counterexample and strengthen the invariant by the fixed point.
The following lemma [17] says that if none of the states represented by  is backward reachable from the initial states, then ¬ is an invariant.Lemma 7. Let S  = ⟨Φ, T,   ⟩ be a transition system and  an arbitrary formula (or states).If  is such that ( T −1 () ∨ ) ⇒  and the formula  ∧  is unsatisfiable, then ¬ is an inductive invariant of S  .Corollary 8.If ℎ T −1 () ∩  = 0, then the formula corresponding to the complement of the set of ℎ T −1 () is an inductive invariant.Theorem 9. Assume that V is a counterexample and V ∧  −1 () ̸ = , where  is an abstract state of S  .If ℎ T −1 () ∩   = 0, then V is the spurious counterexample and the complement of the set of ℎ T −1 () is used to strengthen the invariants of   .
Inspired by the above theorem, we propose an approach, called the invariant strengthening, to strengthen the invariants from the compositional verification rule.
We first choose a counterexample and generate a fixed point from the selected counterexample using backward propagation.An abstract state including a counterexample is the conjunction formula of abstract states like  = ⋀   ∈Φ      , where   =   (at  ∧ ), which is the product of abstract states of each component.On the abstract system S  , we do the backward propagation by sp T −1 () = {  | ∃ ⋅ (T(  , ) ∧ )}.Then from a counterexample, we can compute all the global abstract system states using backward propagation.If the intersection of the generated fixed point and the initial states is empty, the counterexample and all of the backward generated fixed points are not reachable from initial states.For this case, we say the selected counterexample is spurious.The invariant strengthening approach removes the spurious counterexample and eliminates the unreachable states generated from the spurious counterexample to strengthen the invariant.
For invariant strengthening, time consumes at counterexample reachable global states set computation.As this set computation is based on fixed-pointed computation and is monotonic, so time complexity for Algorithm 1 is O(Φ), where Φ is number of global states of abstract system and Φ = ∏  =1 Φ  and Φ  = |Φ   | the number of abstract states from th component.

Partition Refinement.
In this part, we proposed a more effective counterexample-guided method, called partition refinement, which can accelerate abstraction refinement mechanism.Consider the abstraction function which transforms the original infinite system to the finite abstract system.An abstract state is an aggregation of a number of original system states.If a concrete state Φ  is part of an abstract state Φ, we cannot make decisions (1) whether Φ is a counterexample, if Φ  is a counterexample in concrete system; (2) whether Φ  is reachable in concrete system, although Φ is reachable in abstract system.We propose our refinement approach to give the solution of the above question (Figure 1).
In the above approach, we analyze whether the remaining counterexamples are the spurious counterexamples which are caused by inaccurate characterization.To eliminate these spurious counterexamples, we refine the abstract component states by the proposed state partition approach.Consider an abstract system state   = at  ∧  and a counterexample   = at  ∧   such that   ⇒  (Dec 0 ).We can partition   into two states   and   ,   = at  ∧   and   = at  ∧   , where   =  −   ; here we denote   ∨   =   and   ∧  = false.Assume that there exist   1 and   2 , from which   is reachable such that post  1 ( −1 (  1 )⋅)∧ −1 (  )⋅ ̸ = false and post  2 ( −1 (  2 ) ⋅ ) ∧  −1 (  ) ⋅  ̸ = false (Dec 1 ) hold.We remove   from abstract state space Φ  and add   and   into Φ  .
From the above, we assume that . The above refinement approaches are applied on the parallel compositional system.However, extended with the decidable theories and symbolic representation, our approaches can be applied on a more complex system like the hierarchical component system.

Iteration Verification Framework
In this section, we present the unified verification framework composed of compositional abstraction and our proposed refinement techniques.
Our verification framework for component-based systems is an iterative scheme presented by Algorithm 1.In our framework, there exists the method of abstraction refinement presented by Algorithm 2, which includes the counterexample guided invariant strengthening and abstract state partitioning inspired by CEGAR mechanism.In the Algorithm 1, the unified compositional abstraction refinement for the invariant checking problem on component-based systems is given, which contains two phases.At the verification phase, we apply compositional verification to the invariant checking problem.If properties can be proven under the current abstraction (see line 12 in Algorithm 1), the verification succeeds immediately.Otherwise, the refinement is performed (see line 16 in Algorithm 1).If the abstraction cannot be further refined by the current reachable counterexample (see line 17 in Algorithm 1), then current counterexample is a genuine counterexample.If current counterexamples are all spurious counterexamples (see line 20 in Algorithm 1), we conclude that verification succeeds.Otherwise, we go to line 23; we get refined abstract system and compute the new more concrete interaction invariant with conjunction of strengthened inductive invariant computed from backward propagation of spurious counterexamples and go back to counterexample guiding abstraction refinement, portion of verification basis, which call for less efforts than previous iteration processes in [11,12].
At the refinement phase, we first strengthen the interaction invariant and remove the spurious counterexamples.After the invariant is strengthened, we analyze the remaining counterexamples and partition abstract states.When our algorithm returns to the verification phase, added states will induce a refined abstract model.Our refinement method (see Algorithm 2) reconsiders information of counterexamples, which may include Err I and Err II , where Err I is unreachable error state introduced by interaction interference and Err II is inaccurate local configuration caused by abstraction function.We use the invariant strengthening technique to remove Err I from the counterexamples and strengthen the invariant use of the counterexample in Err I .We use the counterexample in Err II to do the state partition refinement which refines the abstraction until a genuine counterexample is found or the safety property holds on abstract systems.Theorem 11.Let S = ⟨( 1 , . . .,   ), ⟩ be a compound component-based system, and let Φ be a specific property predicate.
(1) If (S, Φ) returns , then S ⊨ Φ; (2) if (S, Φ) returns , then S ⊭ Φ.  based on   and Φ  (6) end (7) from ( Φ is an invariant of S (14) return  (15) else (16) compute counterexample set  := {Φ  }  := (S  , , Ψ) (17) if  = && ̸ = 0 then (18) return  Proof.(1) If Algorithm 1 returns true from line 14, with the precondition ¬Φ∧Ψ∧(⋀  =1 Ψ  ) = false, we get the conclusion that the property satisfied immediately.Otherwise, if all current counterexamples are spurious counterexamples, the verification stops with the property satisfied at line 21.(2) If Algorithm 1 returns false from line 18 with Refinable = false and Err ̸ = 0, we get that the abstract system is unable to be refined any more by the current counterexample, which means the counterexample is a real violated behavior truly reachable from the initial configuration and cannot be eliminated by a more concrete system.Otherwise, abstract system should be refined by the next refinement using the current counterexamples.
Proof.In each refinement iteration, either some new strengthening invariant is added or the abstract system state is split into new states.Note that the state space of abstract system is finite and that the number of possible split states is also finite.In the worst case, the algorithm finally terminated with the refined system is just the original system.Then the algorithm can terminate finally.Theorem 13.Let S = ⟨( 1 , . . .,   ), ⟩ be a compound component-based system, and let Φ be a specific property predicate.
Proof.(1) According to the second statements of Theorem 11, if S ⊨ Φ, Algorithm 1 cannot return with false.According to Theorem 12, Algorithm 1 always terminates.Thus, if S ⊨ Φ, then algorithm can only terminate with true.
(2) Similarly, according to the first statement of Theorems 11 and 12, if S ⊭ Φ, the algorithm can only terminate with false.

Examples and Experiments
We will provide certain examples to illustrate the effectiveness of our proposed verification framework.

Train Gate Controller.
Consider the example of the train gate controller [18], which consists of a , a , and a number of .The model presented in Figure 2 describes only one train interacting with the controller and the gate.The controller operates the gate up and down when a train enters and exits, respectively.
The  has four locations { 0 ,  1 ,  2 ,  3 }, one variable , five ports {approach, raise, exit, lower, tick}, and eight guarded transitions.The  has three locations {far, in, near}, a variable , four ports {approach, exit, , tick}, and six guarded transitions.The  has four locations { 0 ,  1 ,  2 ,  3 }, a variable The interested safety property is that when the train is at the location  in , the gate is at   2 .We apply the compositional verification rule to check the property.In this model, the verification rule can infer this property, so we get the conclusion of the properties satisfied.
6.2.Temperature Control System.Consider the example of the temperature control system [11,12] presented in Figure 4.The model consists of three atomic components: Controller, Rod 1 , and Rod 2 .
After the application of invariant strengthening on the abstract system, we eliminate Φ 2 and Φ 3 from counterexamples and strengthen invariants by the generated infeasible states.Now, we refine the abstract system and check whether Φ 1 is genuine counterexample or not by state partition technique.After the application of state partition technique on the abstract system, we get the refined abstract system presented in Figure 6.We split the state 3600 and  322 =  3 ∧  2 ≥ 3600; state  52 =  5 ∧ 101 ≤  ≤ 1000 into  521 =  5 ∧ 101 ≤  < 1000 and  522 =  5 ∧  = 1000.By the state partition technique, finally we find that Φ 1 is a counterexample of the system.
The example is implemented as BIP models and has been translated into timed automata using the tool BIP2UPPAAL [19].To illustrate effectiveness of our approach, we verify models against property EFΦ 1 , EFΦ 2 , and EFΦ 3 , which means "there exists a run that eventually reaches deadlock states Φ  ." As a comparison, we first check both original system and abstract system.The checking results are shown in Table 2.As EFΦ 2 and EFΦ 3 are not satisfied by the abstract model, we conclude that Φ 2 and Φ 3 are spurious counterexamples immediately.Then we make partition refinement with Φ 2 .During state partition refinement, states 12, 52, and 32 (refer to  12 ,  52 , and  32 , resp.) have been partitioned.We verified refined abstract models against property.As EFΦ 1 is ultimately satisfied and we cannot use Φ 1 to partition models further, we conclude that Φ 1 is a genuine counterexample.From the above analysis, we have shown the effectiveness of our proposed verification framework.Using our proposed refinement techniques, we reconsidered the counterexamples of the system.We finally identify which are spurious counterexamples and refine the abstract systems.

Conclusions
We have proposed a unified framework with iterative refinements for compositional verification of component-based systems.This framework extends invariant-based compositional verification rule with the counterexample-guided invariant strength and state partition techniques.The former removes the spurious counterexample and uses the fixed point generated backward from the spurious to strengthen the system invariant.The latter partitions the abstract states according to the rest counterexamples to refine the abstract system.Both contribute to the unified verification framework which is proved to be sound and complete.
Compared with the invariant-based compositional verification which is incomplete, our verification framework with the iterative refinements can get more precise results with the balance of the verification complexity.

Definition 3 (
abstract component).Given a component , a component invariant Φ of , and the associated abstraction function , the abstract component   is denoted by   = (Φ  , , ), where (i) Φ  is the abstract state, where Φ is the component invariant and  is abstraction function, (ii)  is a set of ports of , (iii)  is the transition of .For any pair of abstract states  = (at  ∧ ) and   = (at   ∧   ), there exists the transition from  to   through  (denoted by      ) if and only if ∃ = (, ,   ) ∈ , post  () ∧   ̸ = false.

Get
Figure 1
,   ,   ) is a transition system.For a set of abstract states Φ  ⊆ ⋃  =1 Φ

𝛼 1 1
, . . .,     ) and  Formally, S  = (Φ, T, Init  ) is a finite state machine (FSM) in which (i) Φ is a set of global states; for the abstract state  = ( 1 , . . .,   )   ∈Φ    , we can represent it as conjunction (a vector) of local abstract state; that is,  = ⋀   ∈Φ     ), where  = ⋀   ∈Φ      and   = ⋀   Init  is the initial predicate of the abstract system.A formula  is interpreted as the set |[]| of all the global states;  ∈ Φ satisfy .We define the set Reach T (Init  ) of the global states ℎ from the states |[Init  ]| via the transition as the smallest set such that | ,   ,   ).  ∈ Φ;(ii) T is a predicate on global states Φ and Φ  ; for (( 1 , . . .,   ), , (  1 , . . .,    )), where  ∈ , there exists T(, 1 reach the error-part   of   and   2 reach the other   .In this case, we should add the transitions into the system.If ∃   , ∃  : (   ,   ,   ) ∈ such that post   ( −1 (   ) ⋅ ) ∧  −1 () ⋅  ̸ = false (Dec 2 ), we add a transition from    to  (here,  stands for both   and   ); likewise, if ∃   , and ∃  : (  ,   ,    ) ∈ such that post  ( −1 ()⋅)∧ −1 (   )⋅ ̸ = false (Dec 3 ), we add a transition from  to    .∧  1 , then there exists   such that  −1 (  ) = at  ∧ , (,   )  , and  .If   ⇒  does not hold, then the abstract state   cannot be partitioned by   .Otherwise, we split abstract state   with disjoint two parts  = (at ∧  ) and   = (at ∧  ), and we have   ∧   = false and   ∨   = , so we have either If Φ  is an invariant of   ref , then  −1 (Φ  ) is an invariant of .For partition refinement method, given a counterexample Φ  = ⋀   ∈Φ      , state partition in th component, based on   , only affects one abstract state to be parted.And a state is parted only once by   .As exists quantifier for states needs examines all possible abstract state pairs and so does the quantifier of transitions, state partition needs time complexity as O(∑  =1 (|Φ simulates .Moreover, if Φ  is an invariant of    , then Φ =  −1 (Φ  ) is an invariant of .Proof.By Lemma 5, we show that the Algorithm 2 only makes states partition and then has no effect on the simulation relation.If ( 1 , )   → (,   ) and  −1 (  1 ) = at  1

Table 2 :
Figure 3: The abstraction for the TGC.Figure 4: The component-based model for temperature control system.Figure 6: The refined abstract model.Simple table.
Figure 5: The abstraction for the component-based model.