Área de estudio.

As discussed in the previous section, given an IMDP, the complexity of computing∼(∀)

strictly depends on finding t−→ µt: we show how a finer (sub-optimal) equivalence re-

lation can be computed in polynomial time. The bisimulation in Definition 6.1 can be reformulated equivalently as follows:

Definition 6.4(Equivalent form of IMDP probabilistic bisimulation). LetR⊆ S × S be an equivalence relation. We say thatRis a probabilistic bisimulation if(s, t) ∈Rimplies that L(s) = L(t) and for each a ∈ A (s) and each µs ∈ P_Rs,a, there existsµt ∈ PRt such that µsL(R) µt.

Recall that a probabilistic bisimulation can be seen as a game between two players: in each round, the challenger, or attacker, s proposes a transition, or step, that has to be matched by the defender t. The two states s and t are bisimilar if the defender is always able to match the challenging transitions proposed by the attacker, that is, the game can be played forever. Correspondingly, in our setting, probabilistic bisimulations require that each transition proposed by the challenger s which is selected from the setPRs,a, is matched

by the defender t via a single (combined) transition. The above definition essentially dis- allows the state s to randomize over the set of its available actions. Therefore, instead of allowing the challenger to pick a probability distribution from CH(Sa∈A (s)P

s,a

R ), we re-

strict his choice to select a distribution for an action from the polytopePRs,a. This restriction

does not lead to any loss of generality, since it is routine to check that the bisimulationR from Definition 6.4 satisfies the condition of Definition 6.1.

6.2.2.1

Robust Methodologies for Probabilistic Bisimulation

We now discuss the key elements of a decision algorithm for probabilistic bisimulation on IMDPs. As we will see later in this section, the core part and also the main source of the exponential complexity of the exact decision algorithm in Figure 6.3 is the need to repeatedly verify the step condition, that is, given a challenging transition µ ∈ PRs

and (s, t) ∈ R, to check if there exists t−→ µt such that µ L(R) µt. We show that,

using some inspiration from network flow problems, it is possible to treat a transition

t−→ µt of the IMDPMas a flow where the initial probability massδt flows and splits

along transitions appropriately to the transition target distributions and the resolution of the nondeterminism fulfilled by the scheduler and nature. This intuition essen- tially enables us to model the probabilistic bisimulation problem as an adjustable robust counterpart of an uncertain LP problem that is intractable in general [BTGGN04,BTEGN09].

Adjustable Robust Counterpart for Probabilistic Bisimulation. From now on, we as- sume that the IMDP M, the state t, the probability distribution µ, and the equivalence relation R on S are given. We intend to verify or refute the existence of a transition

t−→ µt ofM satisfyingµ L(R) µt via the construction of a flow through the network

graph G(t,R) = (V, E) defined as follows: the set of vertices is V = {Í, È, t}∪SA∪SR∪(S/R)

6.2. Probabilistic Bisimulation for Model Checking IMDPs 105

{(Í, t)} ∪ { (vR,C), (C, È) | C ∈ S/R, v ∈C} ∪ { (t, ta), (ta, vR) | a ∈ A (t), v ∈ S }. In the

flow network definition, Í and È are the source node and the sink node of the network, respectively. The set of transition nodes SAincludes vertices that represent the interval tran-

sitions of the IMDPM. More precisely, each transition labelled by a enabled at state t is represented by a transition node ta ∈ SA. The set SR is a copy of the state set S that is

used to represent the states reached after having performed the transition; for such states, we connect them to the equivalence class they belong to so to verify the condition of the lifting. The network construction can be seen as an adaptation to the strong case of flow networks used in Chapter 5.

We take advantage of the above transformation of the “IMDP into a network graph” to generate an optimization problem. To this aim, we adopt the same notation of the network optimization setting so we use fu,vto show the “flow” through the arc from u to v. In for-

mulating the optimization problem, we use in addition the so-called balancing constraints in order to reflect the probabilistic choices in the given IMDPMand to ensure the correct splitting of outgoing flows from the transition nodes in the set S_A.

Definition 6.5 (Optimization problem for probabilistic bisimulation). The optimiza- tion problem associated to the network G(t,R) = (V, E) is defined as follows:

minf 0

subject to: f_{u,v≥ 0} for each(u, v) ∈ E

f_Í,t= 1

f_C,È= µ(C) for eachC∈ S/R

P

{ u∈V |(u,v)∈E }fu,v−

P

{ w∈V |(v,w)∈E }fv,w= 0 for each v ∈ V \ {Í, È} ft_a,vR− pa,v· ft,ta= 0 for each a∈ A (t) and v ∈ S p_{a,v∈ I(t, a, v)} for each a∈ A (t) and v ∈ S It is not difficult to see that the optimization problem just defined is not an LP problem, as there are quadratic constraints where the flow variable ft,ta is multiplied

with the “probability” variable pa,v. As a matter of fact, for a given a ∈ A (t), the

variables pa,v have to lie in the interval defined by the interval transition I(t, a, v) and

they have to induce a probability distribution, i.e., pa,v ≥ 0 for each v ∈ S and

P

v∈Spa,v = 1. The non-negativity of the variables comes for free from the constraints p_{a,v ∈ I(t, a, v) since I(t, a, v) ⊆ [0, 1];} P_v∈Sp_a,v = 1 follows by the flow conservation

constraintP_{{ u∈V |(u,v)∈E }}f_u,v−P

{ w∈V |(v,w)∈E }fv,w = 0 for v = ta. Therefore, the optimiza-

tion problem can be easily cast as an LP problem by replacing the pair of constraints

ft_a,vR−pa,v· ft,ta= 0 and pa,v∈ I(t, a, v) with the pair of constraints fta,vR−inf I(t, a, v)· ft,ta≥ 0

and fta,vR−sup I(t, a, v)· ft,ta≤ 0, i.e., the state v is reached from t with probability pa,v=

f_{ta ,vR} ft,ta

at least inf I(t, a, v) and at most sup I(t, a, v), as required. Taking this modification into ac- count, we can reformulate the optimization problem in Definition 6.5 as the following LP problem.

106 Chapter 6 : Compositional Minimization for Model Checking of Interval MDPs

network graph G(t,R) = (V, E) is defined as follows: minf 0

subject to: f_{u,v≥ 0} for each(u, v) ∈ E

f_Í,t= 1

f_C,È= µ(C) for eachC∈ S/R

P

{ u∈V |(u,v)∈E }fu,v−

P

{ w∈V |(v,w)∈E }fv,w= 0 for each v ∈ V \ {Í, È} f_t

a,vR− inf I(t, a, v) · ft,ta≥ 0 for each a∈ A (t) and v ∈ S f_t

a,vR− sup I(t, a, v) · ft,ta≤ 0 for each a∈ A (t) and v ∈ S

The feasibility of the resulting LP problem can be seen as an oracle to verify or refute the existence of a probabilistic transition t−→ µt. Formally,

Lemma 6.3. Given anIMDPM, t ∈ S, µ ∈ Disc(S), and an equivalence relation Ron S, the LP(t, µ,R) LP problem has a feasible solution if and only if there exist σ ∈ Σ and π ∈ Π inducing t−→ µt such thatµL(R) µt.

Proof. For the first implication, suppose that there exist a schedulerσ and a nature π in- ducing t−→ µtsuch thatµL(R) µt. Consider the LP problem LP(t, µ,R) and consider the

following assignment for the variables: f_Í,t = 1, ft,ta = σ(t)(a), fta,vR= σ(t)(a) · π(t, a)(v)

for each a ∈ A (t) and v ∈ S, and fvR,C = Pa∈A (t)σ(t)(a) · π(t, a)(v) and fC,È= µs(C) for

eachC∈ S/Rand v∈C.

It is immediate to see that such an assignment is a feasible solution of the LP(t, µ,R) problem: non-negativity of the variables is trivial since all values are sum of (products of) probabilities; the constraints fÍ,t = 1 and fC,È= µs(C) are obvious by the definition of the

assignment; the flow conservation constraint for t is immediate since X (u,t)∈E f_u,t= f_Í,t= 1 = X a∈A (t) σ(t)(a) = X a∈A (t) f_t,ta= X (t,u)∈E f_t,u;

for each action a∈ A (t), the flow conservation constraint for tais clear since

X (u,ta)∈E f_u,t a= ft,ta= σ(t)(a) = σ(t)(a) · X v∈S π(t, a)(v) =X v∈S σ(t)(a) · π(t, a)(v) =X v∈S fta,vR= X (ta,u)∈E fta,u;

for each state v, the flow conservation constraint for vRis immediate since

X (u,vR)∈E f_u,vR= X a∈A (t) f_t a,vR= X a∈A (t) σ(t)(a) · π(t, a)(v) = fvR,[v]R= X (vR,u)∈E fvR,u;

6.2. Probabilistic Bisimulation for Model Checking IMDPs 107

and for each equivalence classC, the flow conservation constraint forCis clear since X (u,C)∈E f_u,C=X v∈C fvR,C= X v∈C X a∈A (t) σ(t)(a) · π(t, a)(v) =X v∈C µt(v) = µs(C) = fC,È= X (C,u)∈E f_C,u.

The last constraints we have to verify are about the split of probability according to the transition: for a∈ A (t) and v ∈ S,

ft_a,vR= σ(t)(a) · π(t, a)(v) = π(t, a)(v) · σ(t)(a) = π(t, a)(v) · ft,ta.

Since by hypothesis onπ we have that π(t, a)(v) ∈ I(t, a, v), it follows that inf I(t, a, v) ≤

π(t, a)(v) ≤ sup I(t, a, v), thus inf I(t, a, v) · ft,ta≤ fta,vR≤ sup I(t, a, v) · ft,ta, as required. This

completes the proof that if there exist a schedulerσ and a nature π inducing t −→ µt such

thatµL(R) µt, then the LP problem LP(t, µ,R) is feasible.

For the second implication, suppose that the LP problem LP(t, µ,R) has a feasible so- lution f∗; define the scheduler σ and the nature π as follows: σ(t)(a) = f_t,t∗

a for each a_{∈ A (t) and π(t, a)(v) =} f

∗

ta ,vR

f∗

t,ta for each a∈ A (t) and v ∈ S if f

∗

t,ta6= 0, an arbitrary distri-

bution inHa

t otherwise. The fact that bothσ and π are probability distributions is trivial:

the non-negativity ofσ(t)(a) and π(t, a)(v) for each a ∈ A (t) and v ∈ S is ensured by the non-negativity of the feasible solution f∗_;P

a∈A (t)σ(t)(a) = Pa∈A (t)ft,t∗a = f

∗

Í,t = 1; if f_t,t∗

a= 0, then π(t, a) is a probability distribution by the way it is chosen; if f

∗ t,ta6= 0, then X v∈S π(t, a)(v) =X v∈S f_t∗ a,vR f_t,t∗ a = P v∈Sft∗a,vR f_t,t∗ a = f ∗ t,ta f_t,t∗ a = 1.

The next step in the proof is to show that for each a ∈ A (t) and v ∈ S, we have that

π(t, a)(v) ∈ I(t, a, v). Fix a ∈ A (t) and v ∈ S and suppose that f∗ t,ta6= 0. f ∗ t_a,vR− inf I(t, a, v) · f_t,t∗ a ≥ 0 implies that f ∗ ta,vR ≥ inf I(t, a, v) · f ∗ t,ta, that is, f_{ta ,vR}∗ f∗

t,ta ≥ inf I(t, a, v), i.e., π(t, a)(v) ≥

inf I(t, a, v); a similar argument shows that π(t, a)(v) ≤ sup I(t, a, v).

The last step is about the condition of the lifting: fix an equivalence classC∈ S/R;

µt(C) = X v∈C µt(v) = X v∈C X a∈A (t) σ(t)(a) · π(t, a)(v) =X v∈C X a∈A (t) f_t,t∗ a· f_t∗ a,vR f_t,t∗ a =X v∈C X a∈A (t) f_t∗ a,vR= X v∈C f_v∗ R,C= f ∗ C,È= µs(C),

as required. Note that here we are assuming that f_t∗_,t

a6= 0; if f

∗

t,ta= 0, then also σ(t)(a) = 0,

hence we can just omit it from the sum. This completes the proof that if the LP problem

LP(t, µ,R) is feasible, then there exist a scheduler σ and a nature π inducing t −→ µt such

thatµL(R) µt. „

It is worthwhile to be noted that the resulting scheduler and nature are history- independent, i.e., they base their choice only on the current state (and action, for nature).

108 Chapter 6 : Compositional Minimization for Model Checking of Interval MDPs

Moreover, solving the generated LP problem from Definition 6.6 can be done in polynomial time. The polynomial time complexity, however, is not preserved when uncertainty affects transition probabilities in the model. In fact, in presence of uncertainty, the step condition needs to be checked for any realization of the probability distributionµs∈ P

s,a

R . This fact is

essentially the main barrier in designing efficient algorithms for probabilistic bisimulation on such uncertain systems which particularly leads the problem to be intractable. To this end, we first model the probabilistic bisimulation problem as the ARC of the uncertain

LP(t, µ,R) LP problem in which the uncertain data is the probability distribution µ. More precisely, by Lemma 6.3, we can replace in Definition 6.4 the matching transitionµt ∈ P_Rt

forµs∈ P_Rs,asuch thatµsL(R) µt with the check for feasibility of LP(t, µs,R).

Modelling this probabilistic bisimulation game as ARC of an uncertain LP allows the adjustable flow variables fi, j in the LP(t, µ,R) LP problem to tune themselves to the un-

certain probability distributionµ. However, the ARC is in general computationally hard. On the other hand, restricting the adjustable flow variables fi, jto be affinely dependent on

the uncertain probability distributionsµ allows us to model the bisimulation problem as affinely adjustable robust counterpart of an uncertain LP problem and thus to arrive at a poly- nomial time algorithm to compute the equivalence relationR. From the game semantics viewpoint, such affine dependency restriction reduces the power of the defender to match the challenger’s choices and therefore, it leads to a finer (sub-optimal) equivalence relation.

Affinely Adjustable Robust Counterpart for Probabilistic Bisimulation. In the sequel, we adapt the ARC theory presented in Chapter 3 (cf. Section 3.3) to the setting of prob- abilistic bisimulation by imposing a restriction on adjustable flow variables fi, j to tune

themselves affinely upon the uncertain probability distribution µ in the challenger’s un- certainty set PRs,a. Without loss of generality, we letC1, . . . ,Cnbe the equivalence classes

induced by R. We encode the affine dependence in the network graph G(t,R) = (V, E) by restricting, for each arch(i, j) ∈ E, the flow variable fi, jto be

f_{i, j}= l_{i, j}+ n

X

k=1

wk· µ(Ck),

where the new optimization variables are considered in the vector l and the matrix W . Plugging affine equivalences of flow variables, we end up with the affinely adjustable robust counterpart (AARC) of the ULP problem{LP(t, µ,R)}µ∈Ps,a

R shown in Figure 6.4.

In order to show the computational tractability of the AARC, we need to ensure that the uncertainty setPRs,a is itself computationally tractable. Formally, a setP

s,a

R is compu-

tationally tractable [GLS81] if for any vectorµ, there is a tractable “separation oracle” that either decides correctlyµ ∈ P_Rs,a or otherwise, generates a separator, i.e., a non-zero vector

rsuch that rT_{µ ≥ max} γ∈Ps,a

R r

T_γ.

Proposition 6.2. For every state s ∈ S, action a ∈ A (s) and equivalence relation R, the polytopic uncertainty setP_Rs,a is computationally tractable.

Proof. It is easy to see that the polytopic uncertainty setPRs,a, can be represented by finitely

many linear inequalities. It is in fact a special case of ellipsoidal uncertainty that are known

6.2. Probabilistic Bisimulation for Model Checking IMDPs 109

minl,w 0

subject to: l_u,v+ Pn_k=1wk· µ(Ck) ≥ 0 for each(u, v) ∈ E l_Í,t+ Pn_k=1wk · µ(Ck) = 1 l_C,È+ Pn_k=1wk· µ(Ck) = µ(Ci) for eachCi∈ S/R, i= 1, . . . , n P { u|(u,v)∈E }(lu,v+ P n k=1wk· µ(Ck)) − P{ u|(v,u)∈E }(lv,u+ P n k=1wk· µ(Ck)) = 0 for each v∈ V \ {Í, È} lta,vR+ P n k=1wk· µ(Ck) − inf I(t, a, v) · (lt,ta+ P n k=1wk· µ(Ck)) ≥ 0

for each a∈ A (t) and v ∈ S

l_t a,vR+ P n k=1wk· µ(Ck) − sup I(t, a, v) · (lt,ta+ P n k=1wk· µ(Ck)) ≤ 0

for each a∈ A (t) and v ∈ S ∀µ = (µ(C1), . . . , µ(Cn)) ∈ P

s,a R

Figure 6.4: Affinely adjustable robust counterpart of the ULP{LP(t, µ,R)}µ∈Ps,a R .

Computational tractability of the polytopic uncertainty sets concludes immediately tractability of the AARC. Formally,

Theorem 6.6. Given the fixed recourse ULP problem {LP(t, µ,R)}µ∈Ps,a

R, the AARC of

{LP(t, µ,R)}µ∈Ps,a

R is computationally tractable.

Proof. We prove the theorem by getting inspiration from [Gus02]. The AARC of the uncer- tain LP{LP(t, µ,R)}µ∈Ps,a

R can be described in a closed form as the optimization problem

min

l,W

¦

0 : V_{[l + Wµ] ≤ b ∀µ ∈ PR}s,a©

where V is the adjacency matrix and l, W are the set of variables. It is not difficult to see that since the recourse matrix V is fixed, the above optimization problem can be rewritten as

min

x=[l,W]

¦

0 : A(µ)x ≤ b(µ) ∀µ ∈ P_Rs,a©

by appropriately chosen A(µ), b(µ) affinely dependent on µ and with x = [l, W]. The latter optimization can equivalently be written as

minx ¦ 0 : x∈ S© S=¦x    ∀µ ∈ P s,a R :−A(µ)x + b(µ) ≥ 0 ©

This optimization problem is basically the robust counterpart of an uncertain LP with uncertain data that are affinely parametrized by µ ∈ P_Rs,a for which the computational tractability (and therefore, of AARC) is readily given in [BTN99]. „ It is not difficult to see that in the setting of probabilistic bisimulation, the polytopic uncertainty setsPs

Rare closed, convex, and well structured, i.e., they can be described by a

list of linear inequalities. Thus in our setting, the resulting AARC is also well structured and thus can be solved using highly efficient LP solvers (for instance, CPLEX [cpl] and Gurobi [GUR]) even for large-scale cases.

110 Chapter 6 : Compositional Minimization for Model Checking of Interval MDPs

Theorem 6.7. Given the fixed recourse ULP problem {LP(t, µ,R)}µ∈Ps,a

R , the AARC of

{LP(t, µ,R)}µ∈Ps,a

R is equivalent to an explicit LP program.

Proof. We prove the theorem by getting inspiration from [Gus02]. The objective function of the AARC of the ULP{LP(t, µ,R)}µ∈Ps,a

R is linear from the beginning. It is convenient

In document Caracterización meteorológica y modelización de Andalucía occidental (página 56-61)