Towards reduction of Paradigm coordination models

The coordination modelling language Paradigm addresses collaboration between components in terms of dynamic constraints. Within a Paradigm model, component dynamics are consistently specified at a detailed and a global level of abstraction. To enable…

Authors: Suzana Andova (Eindhoven University of Technology), Luuk Groenewegen (Leiden University), Erik de Vink (Eindhoven University of Technology)

L. Aceto and M.R. Mousavi (Eds.): PACO 2011, EPTCS 60, 2011, pp. 1–18, doi:10.4204/EPTCS.60.1. © S. Andova, L.P.J. Groenewegen and E.P. de Vink. This work is licensed under the Creative Commons Attribution License.

Suzana Andova*, Department of Mathematics and Computer Science, TU/e, Eindhoven, the Netherlands
Luuk Groenewegen, FaST Group, Leiden Institute of Advanced Computer Science, Leiden University, The Netherlands
Erik de Vink, Department of Mathematics and Computer Science, TU/e, Eindhoven, the Netherlands

Abstract

The coordination modelling language Paradigm addresses collaboration between components in terms of dynamic constraints. Within a Paradigm model, component dynamics are consistently specified at a detailed and a global level of abstraction. To enable automated verification of Paradigm models, a translation of Paradigm into process algebra has been defined in previous work. In this paper we investigate, guided by a client-server example, reduction of Paradigm models based on a notion of global inertness. Representation of Paradigm models as process algebraic specifications helps to establish a property-preserving equivalence relation between the original and the reduced Paradigm model. Experiments indicate that in this way larger Paradigm models can be analyzed.

Keywords: coordination, process algebra, Paradigm, vertical dynamic consistency, levels of abstraction, branching bisimulation, globally inert, model reduction

1 Introduction

Within the current software architecture practice, architectures are mostly used for describing static aspects of software systems. Techniques that allow system architects to describe coordination among components within an architecture and to reason about the dynamics of the system in its entirety, are not commonly used.
The coordination description language Paradigm helps the designer to merge different dynamic aspects of a system. At the same time the language allows for the description of both detailed and global behaviour of an individual component, i.e. its own specific behaviour and separately its interaction with other components, and the language is particularly helpful in enforcing consistency in the behaviour of large sets of interrelated components.

The coordination modeling language Paradigm [9, 10] specifies roles and interactions within collaborations between components. Interactions are in terms of temporary constraints on the dynamics of components. To underpin Paradigm models with formal verification and automated analysis, the Paradigm language has been linked with the mCRL2 toolset [11] via its translation to the process algebra ACP [6, 3] and with the probabilistic modelchecker Prism [15, 4] via a direct encoding scheme.

Process algebras (PA for short), such as CCS, CSP, LOTOS and ACP, provide a powerful framework for formal modeling and reasoning about concurrent systems, which turns out to be very suitable for our needs in the setting of coordination. The key concepts of compositionality and synchronization in process algebra are mostly exploited in our translation. As detailed and global aspects of component behaviour are specified by separate PA specifications, the vertical constraints are encoded through synchronizations expressing consistency of detailed and global component behaviour. Horizontal constraints at the protocol level are naturally captured by parallel composition, synchronization and encapsulation.

* Corresponding author, email s.andova@tue.nl.

While the translation to ACP and mCRL2 allows for formal verification of Paradigm models [3, 2, 4], the omnipresent problem of state space explosion when analyzing large models occurs here as well. In the present paper, we address the question of reducing Paradigm models of coordination. The reduction method applies to a component's behaviour, reducing the representation of the vertical constraints of that component by abstracting away any information on the component behaviour irrelevant for these constraints. To this end, the benefit of the translation of the Paradigm language into ACP is twofold. On the one hand, we borrow the abstraction concept from PA and apply it directly in Paradigm on detailed behaviour. On the other hand, the translation provides us with a formal proof methodology to reason and guarantee that the reduced Paradigm model has the same properties as the original model. As a matter of fact, it has gradually become evident that separating detailed from global behaviour as supported by the Paradigm language, allows us to reason about reduction by abstraction in a rather natural way. We shall clarify this point after the Paradigm overview, at the end of Section 2.

Our work on dynamic consistency in a horizontal and vertical dimension has been influenced by the work of Küster [7, 14]. Related work includes the Wright language [1], which is based on CSP and provides FDR support to check both types of consistency properties. Other bridges from software architecture to automated verification include the pipeline from UML via Rebeca and Promela to the SPIN model-checker and from UML via Object-Z and CSP to the FDR model-checker [19, 16]. Process algebra driven prototyping as coordination from CCS is proposed in [18]. The skeletons generated from CCS-specifications overlap with Paradigm collaborations.
In the TITAN framework [17], CCS is playing a unifying role in a heterogeneous environment for aspect-oriented software engineering. Recently the coordination language Reo has been equipped with a process algebraic interpretation [5, 12]. The encoding of Reo into mCRL2 and subsequent analysis has been integrated in the ECT toolset for Reo [13].

We present our idea by means of an example. The system we consider consists of n clients who try to get service from one server exclusively, a critical section problem, where the server is supposed to choose the next client in a non-deterministic manner. While the translation of the Paradigm model into PA for the example is done manually, the toolset mCRL2 is exploited to generate the complete state spaces, on which further analysis can be done. Initial results show a substantial reduction in the size of the state space.

In Section 2 Paradigm is summarized on the basis of the above example. Section 3 briefly introduces our process algebra translation for the example model. In Section 4 we present our reduction techniques. Section 5 concludes the paper.

2 Paradigm and a critical section model

This section briefly describes the central notions of Paradigm: STD, phase, (connecting) trap, role and consistency rule.

• An STD $Z$ (state-transition diagram) is a triple $Z = \langle ST, AC, TR \rangle$ with $ST$ the set of states, $AC$ the set of actions and $TR \subseteq ST \times AC \times ST$ the set of transitions of $Z$, notation $x \xrightarrow{a} x'$.
• A phase $S$ of an STD $Z = \langle ST, AC, TR \rangle$ is an STD $S = \langle st, ac, tr \rangle$ such that $st \subseteq ST$, $ac \subseteq AC$ and $tr \subseteq \{ (x, a, x') \in TR \mid x, x' \in st,\ a \in ac \}$.
• A trap $t$ of phase $S = \langle st, ac, tr \rangle$ of STD $Z$ is a non-empty set of states $t \subseteq st$ such that $x \in t$ and $x \xrightarrow{a} x' \in tr$ imply $x' \in t$. A trap $t$ of phase $S$ of STD $Z$ connects phase $S$ to a phase $S' = \langle st', ac', tr' \rangle$ of $Z$ if $t \subseteq st'$.
Such trap-based connectivity between two phases of $Z$ is called a phase transfer and is denoted as $S \xrightarrow{t} S'$.
• A partition $\pi = \{ (S_i, T_i) \mid i \in I \}$ of an STD $Z = \langle ST, AC, TR \rangle$, $I$ a non-empty index set, is a set of pairs $(S_i, T_i)$ consisting of a phase $S_i = \langle st_i, ac_i, tr_i \rangle$ of $Z$ and of a set $T_i$ of traps of $S_i$.
• A role at the level of a partition $\pi = \{ (S_i, T_i) \mid i \in I \}$ of an STD $Z = \langle ST, AC, TR \rangle$ is an STD $Z(\pi) = \langle \widehat{ST}, \widehat{AC}, \widehat{TR} \rangle$ with $\widehat{ST} \subseteq \{ S_i \mid i \in I \}$, $\widehat{AC} \subseteq \bigcup_{i \in I} T_i$ and $\widehat{TR} \subseteq \{ S_i \xrightarrow{t} S_j \mid i, j \in I,\ t \in \widehat{AC} \}$ a set of phase transfers. $Z$ is called the detailed STD underlying global STD $Z(\pi)$, being role $Z(\pi)$.
• A consistency rule or protocol step for an ensemble of STDs $Z, Z_1, \ldots, Z_k$ and roles $Z_1(\pi_1), \ldots, Z_k(\pi_k)$ is a nonempty set of phase transfers preceded by one extra transition.
• Let $Z : x \xrightarrow{a} x' \;\ast\; Z_1(\pi_1) : S'_1 \xrightarrow{t} S''_1, \ldots, Z_k(\pi_k) : S'_k \xrightarrow{t} S''_k$ be a consistency rule for a given ensemble; $Z_i, \ldots, Z_k$ are participants of it, $Z$ is conductor.
• A Paradigm model is an ensemble of STDs, roles thereof and consistency rules.

The above notions constitute Paradigm models. The semantics thereof are roughly as follows: a consistency rule has synchronization of its phase transfers and its conductor transition, only if all connecting traps mentioned have been entered. Detailed transitions are allowed in the current state of an STD, only if the current phase (state) of each role of the STD contains the transition. In this way, phases are constraints on underlying STD dynamics imposed by protocols (sets of protocol steps). In a mirrored way, traps impose constraints on the behaviour at the protocol level, as traps are involved in the firing of consistency rules.
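The definitions of phase, trap and connecting trap can be checked mechanically. The following Python sketch is an added example, not code from the paper: it encodes the Client STD, the three phases and the four traps of Figure 1 (introduced in the text that follows) and verifies every phase transfer of the role Client(CS). It assumes each phase carries the largest transition set the definition permits; all function and variable names are hypothetical.

```python
"""Check Paradigm phases, traps and phase transfers for the Client of Figure 1."""

# Detailed STD Z = <ST, AC, TR> of Client (Figure 1a).
ST = {"Out", "Waiting", "Busy", "AtDoor"}
AC = {"enter", "explain", "thank", "leave"}
TR = {
    ("Out", "enter", "Waiting"),
    ("Waiting", "explain", "Busy"),
    ("Busy", "thank", "AtDoor"),
    ("AtDoor", "leave", "Out"),
}


def make_phase(st, ac):
    """Phase <st, ac, tr>; tr is taken maximal (an assumption of this sketch)."""
    st, ac = frozenset(st), frozenset(ac)
    if not (st <= ST and ac <= AC):
        raise ValueError("a phase may only use states and actions of the STD")
    tr = frozenset((x, a, y) for (x, a, y) in TR
                   if x in st and y in st and a in ac)
    return st, ac, tr


def is_trap(t, phase):
    """Non-empty subset of the phase's states that no phase transition leaves."""
    st, _, tr = phase
    t = frozenset(t)
    return bool(t) and t <= st and all(y in t for (x, _, y) in tr if x in t)


def connects(t, src, dst):
    """Trap t of phase src connects src to dst if t lies within dst's states."""
    return is_trap(t, src) and frozenset(t) <= dst[0]


# Partition CS (Figure 1b): Without forbids explain/thank, Interrupt also
# forbids enter, With only allows going to and leaving Busy.
PHASES = {
    "Without": make_phase({"Out", "Waiting", "AtDoor"}, {"enter", "leave"}),
    "Interrupt": make_phase({"Out", "Waiting", "AtDoor"}, {"leave"}),
    "With": make_phase({"Waiting", "Busy", "AtDoor"}, {"explain", "thank"}),
}
TRAPS = {
    "triv": {"Out", "Waiting", "AtDoor"},
    "notYet": {"AtDoor", "Out"},
    "request": {"Waiting"},
    "done": {"AtDoor"},
}
# Phase transfers of the role Client(CS) (Figure 1c).
TRANSFERS = [
    ("Without", "triv", "Interrupt"),
    ("Interrupt", "notYet", "Without"),
    ("Interrupt", "request", "With"),
    ("With", "done", "Without"),
]


def invalid_transfers():
    """Phase transfers whose trap is not a connecting trap; empty if all are."""
    return [(s, t, d) for (s, t, d) in TRANSFERS
            if not connects(TRAPS[t], PHASES[s], PHASES[d])]


if __name__ == "__main__":
    print("invalid transfers:", invalid_transfers())
    # notYet is a trap only once 'enter' is switched off by phase Interrupt.
    print("notYet trap of Without?  ", is_trap(TRAPS["notYet"], PHASES["Without"]))
    print("notYet trap of Interrupt?", is_trap(TRAPS["notYet"], PHASES["Interrupt"]))
```

The check also shows why the intermediate phase is needed: {AtDoor, Out} can be left via enter in phase Without, so it only becomes a trap in phase Interrupt.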
[Figure 1: (a) detailed STD of Client, (b) partition of three phases, (c) global STD Client(CS).]

An STD is a step-wise description of the dynamics belonging to a component. It is visualized as a directed graph: its nodes are states, its action-labeled edges are transitions. Initial states are graphically indicated by a black dot-and-arrow. Figure 1a gives the so-called detailed STD of a Client in and around a shop: starting in state Out the client cycles through states Waiting, Busy, AtDoor and Out again, subsequently. The entire system we consider, contains n such clients, dynamically the same, plus one different component, the server. For the complete system the overall requirement is that only one client at a time, out of all n clients, is allowed to be in its state Busy. So, being in state Busy is a Critical Section problem (abbreviated CS).

To solve it, ongoing $Client_i$ dynamics is constrained by the phase prescribed currently. Figure 1b visualizes phases Without, Interrupt and With. Phase Without excludes being in state Busy by prohibiting to take the actions explain and thank. Contrarily, phase With allows both, going to and leaving state Busy. Finally, the intermediate phase Interrupt is an interrupted form of Without, as action enter cannot be taken, but being in state Waiting is allowed, though. In view of a transfer from the current phase into a next phase to occur, enough progress within the current phase must have been made: a connecting trap has to be entered first.
Figure 1b pictures relevant connecting traps for the above three phases, drawn as rectangles around the states the trap consists of. In particular, we need trap triv to be connecting from Without to Interrupt, trap notYet to be connecting from Interrupt back to Without, trap request to be connecting from Interrupt forward to With and finally, trap done to be connecting from With back to Without. In this manner, Figure 1b gives all ingredients needed for the dynamics of a $Client_i$ STD at the level of partition CS: see role $Client_i(CS)$ in Figure 1c and repeated in Figure 2a.

[Figure 2: (a) global process Client(CS) and (b) its refinement in view of translation.]

Figure 2b presents a slightly refined diagram of the proper role STD in part (a). State names here, additionally keep track of the trap most recently entered within a phase, as if it could be taken as a smaller phase committed to within the larger one imposed. Action names still refer to a trap that is entered, but they additionally discriminate between, first, registering the trap has been entered and, second, thereafter using this for a phase transfer. This more refined view represents the starting point for the ACP encoding of the global process, as discussed in the next section.

So far, we have discussed 'sequential composition' of constraints: imposed phases alternated with traps committed to. Semantically, any current phase constrains the enabled transitions to those belonging to the phase. So, at any moment a current detailed state belongs to the current phase too.
From this it follows, that the dynamics of the detailed STD and of the global STD are consistent, the current global phase reflects the current local state.

Paradigm's consistency rules are to the essence of 'parallel composition': they express coupling of role steps of arbitrarily many participants and a detailed step of one conductor. Any consistency rule specifies the simultaneous execution of the steps mentioned in the rule, a transition of the conductor and phase transfers for the participants.

To continue the example of n clients getting service, one at a time, we present a non-deterministic coordination solution for the n clients via a server. The non-deterministic server checks the clients in arbitrary order. If a client, when checked, wants help, it gets help by being permitted to enter the critical section. If not, permission to enter is refused to it. Only after a client's leaving the critical section, the server stops helping it by returning to the idle position, from which it arbitrarily selects a next client for checking. In the example, the server provides a unique conductor step for each consistency rule. The STD Server of the server is drawn in Figure 3. As conductor, detailed steps of Server need to be coupled to phase transfers of each $Client_i$, $1 \le i \le n$.

[Figure 3: STD non-deterministic server Server.]

$Server : Idle \xrightarrow{check_i} NDChecking_i \;\ast\; Client_i(CS) : Without \xrightarrow{triv} Interrupt$ (1)
$Server : NDChecking_i \xrightarrow{refuse} Idle \;\ast\; Client_i(CS) : Interrupt \xrightarrow{notYet} Without$ (2)
$Server : NDChecking_i \xrightarrow{permit} NDHelping_i \;\ast\; Client_i(CS) : Interrupt \xrightarrow{request} With$ (3)
$Server : NDHelping_i \xrightarrow{continue} Idle \;\ast\; Client_i(CS) : With \xrightarrow{done} Without$ (4)

Note that for this protocol, each conductor step of the server corresponds to a phase change of exactly one client. E.g., the server moves from the state Idle to $NDChecking_i$ iff the global client process $Client_i(CS)$ changes from the phase Without to the phase Interrupt. The server then makes a $check_i$ transition. In general, there is a precondition, however. Within the phase Without sufficient progress should have been made, such that the particular trap has been reached. In this case, it is the trivial trap triv rendering the requirement superfluous, as the trivial trap, containing all states of the phase Without, is trivially reached. For the actual checking, the next two consistency rules, dependent on the trap notYet and request, respectively, decide the target of the conductor transition and the next participant phase, viz. state Idle and phase Without or state $NDHelping_i$ and phase With, respectively. The last consistency rule couples the conductor's returning from state $NDHelping_i$ to Idle with trap done of phase With having been entered.

The consistency rules specify horizontal dynamic consistency, i.e. across components, here between server and clients. Such specification is about coordination, i.e. what Paradigm actually models, step-wise computation of next behavioural constraints.
The constraining property imposed by a phase implies, an underlying $Client_i$ transition is allowed only if it belongs to the phase that corresponds to the current state of the role of $Client_i$ in the CS collaboration, i.e. the current state of the global STD $Client_i(CS)$. The constraining property $Client_i$ commits to by entering a trap, allows for a phase transfer, i.e. a transition of $Client_i(CS)$, once the (connecting) trap is entered. These two constraining properties syntactically guarantee vertical dynamic consistency, i.e. within a component between its underlying STD and its role.

As mentioned in Section 1, it has become evident to us that separating detailed from global behaviour as supported by the Paradigm language, allows one to reason about reduction by abstraction in a rather natural way. The intuitive explanation for this is as follows: Global behaviour, actually defining phases a system needs to go through during a particular coordination solution, is built on top of the detailed behaviour: each global phase represents a sub-behaviour of the underlying detailed behaviour. Nevertheless, not every action at the detailed level affects the current global phase. Only some actions may enable a next phase transfer and hence may affect the protocol execution. Thus, it is natural to try to detect the detailed actions that do not matter for, i.e. that cannot be observed at, the protocol level. By hiding them, a reduced detailed behaviour is obtained, just containing all relevant information and actions needed for proper execution of the component role within the protocol. As we shall show for our running example, this information can be extracted from the hierarchical structure per component in the Paradigm model, see Subsection 4.1.
Note that all interaction between components (horizontal) and all hierarchical structure within components (vertical), as specified in the Paradigm model in an explicit manner, are flattened in the PA translation and hence their character being either horizontal or vertical, gets lost. Thus, after the PA translation only a single communication pattern remains, from which it is no longer straightforward to extract information needed for proper reduction of detailed behaviour.

Yet another aspect of the Paradigm model that can be justified and confirmed by the approach taken here is discussed shortly in the paper, see Subsection 4.2. From the definition of Paradigm, although provided with a formal operational semantics, it is not straightforward to see to what extent a component's detailed behaviour is not affected by some constraints or coordination rule. In particular, consistency rules for some complex model may have an unforeseen effect on detailed component behaviour, in particular a deadlock at the detailed level. The translation from Paradigm to ACP combined with the abstraction techniques discussed in the next section supports formal verification of separate protocols and of overall coordination.

3 Paradigm model as a process algebraic specification

In this section we show by means of the example introduced in Section 2, how a Paradigm model can be translated into ACP. The general translation has been defined in [3] to which we refer for more detail. Roughly, each STD will be represented by a recursive specification. Vertical consistency in Paradigm has to be expressed explicitly. In particular, to represent the interaction of a detailed STD and the global STD, we use actions ok!(·) and ok?(·) that take the labels of detailed steps as their argument.
The complementary actions synchronize if the step of the detailed STD is allowed by the current phase of the global STD as constraint. Thus, synchronization of actions ok!(·) and ok?(·) between global STD and detailed STD reflect the current permission for the detailed step to be taken.

In addition, we use the complementary actions at!(·) and at?(·) that take detailed states as their arguments. The complementary actions synchronize if the step to be taken by the global STD is allowed by the current trap of the detailed STD as constraint. Upon synchronization of at!(·) and at?(·) the global process will update its trap information, if applicable.

For the communication within the protocol, here between the server and its clients, actions crule!(·) on the side of a conductor are meant to complement crule?(·) actions on the side of the employees. Synchronization leads to execution of the corresponding consistency rule: a detailed transition of the conductor, phase changes for the employees involved.

For the concrete example the above amounts to the following. We adorn the n processes $Client_i$ with the actions at!, conveying state information, and actions ok?, regarding transition eligibility.

$\widehat{Client}_i = Out_i$
$Out_i = at!(Out_i) \cdot Out_i + ok?(enter_i) \cdot Waiting_i$
$Waiting_i = at!(Waiting_i) \cdot Waiting_i + ok?(explain_i) \cdot Busy_i$
$Busy_i = ok?(thank_i) \cdot AtDoor_i$
$AtDoor_i = at!(AtDoor_i) \cdot AtDoor_i + ok?(leave_i) \cdot Out_i$

The LTS of $\widehat{Client}_i$ of $Client_i$ is given in Figure 4a (with the subscript i suppressed). The definition of process $\widehat{Client}_i$ assures, the process really starts in close correspondence to starting state Out from Figure 1a.
The definition of process $Out_i$ expresses: (1) upon being asked, it can exchange state information while keeping the process as-is; (2) it can ask for permission to take the analogue of transition enter from Figure 1a, in view of continuing with process $Waiting_i$ thereafter. Note, in the definition of process $Busy_i$ the possibility for exchange of state information is not specified, as asking for it does never occur. Note, in Figure 1b, state Busy does not belong to trap done.

[Figure 4: Processes (a) $\widehat{Client}$ and (b) $\widehat{Client}(CS)$.]

In a similar manner, the n processes $Client_i(CS)$ are augmented with the actions at? and ok!. Now, at the global level, the relevant information is the pair of the current phase and the current trap. For example, the recursion variable $Without_i[triv]$ represents that $Client_i$ is constrained to phase Without and hasn't reached a specific trap, whereas $Interrupt_i[notYet]$ reflects that $Client_i$ committed to phase Interrupt resides in trap notYet. As these global processes play a participant role in the protocol, the crule? actions for engaging in a consistency rule have been put in place as well.

$\widehat{Client}_i(CS) = Without_i[triv]$
$Without_i[triv] = ok!(leave_i) \cdot Without_i[triv] + ok!(enter_i) \cdot Without_i[triv] + crule?(triv_i) \cdot Interrupt_i[triv]$
$Interrupt_i[triv] = at?(AtDoor_i) \cdot Interrupt_i[notYet] + at?(Out_i) \cdot Interrupt_i[notYet] + at?(Waiting_i) \cdot Interrupt_i[request] + ok!(leave_i) \cdot Interrupt_i[triv]$
$Interrupt_i[notYet] = ok!(leave_i) \cdot Interrupt_i[notYet] + crule?(notYet_i) \cdot Without_i[triv]$
$Interrupt_i[request] = crule?(request_i) \cdot With_i[triv]$
$With_i[triv] = at?(AtDoor_i) \cdot With_i[done] + ok!(explain_i) \cdot With_i[triv] + ok!(thank_i) \cdot With_i[triv]$
$With_i[done] = crule?(done_i) \cdot Without_i[triv]$

The corresponding LTS of the specification $\widehat{Client}_i(CS)$ of $Client_i(CS)$ is given in Figure 4b. As above, process $\widehat{Client}_i(CS)$ is defined in close correspondence to $Without_i[triv]$ being starting state in Figure 2b. The ok!(·)-actions provide the permission answers to requests from $\widehat{Client}_i$ to take a detailed step. The at?(·)-actions ask for state information relevant for deciding a next, smaller trap has been entered. The crule?(·)-actions correspond to a phase change, so they synchronize with a particular conductor step.

The final component of the Paradigm model that needs to be translated into ACP is the non-deterministic server Server. In fact, the STD of the server as given in Figure 3 exactly corresponds to its recursive specification; we only rename each transition label $\ell$ from Figure 3 into $crule!(\ell)$ to stay consistent with the general translation as defined in [3], for instance $permit_i$ is renamed into $crule!(permit_i)$ in the PA specification. There is neither any ok(·) action nor any at(·) action added here. This component plays the conductor role in the protocol and as such it is represented only by its detailed behaviour (detailed STD). Therefore, no vertical constraints are imposed on its detailed behaviour.

$\widehat{Server} = Idle$
$Idle = crule!(check_1) \cdot NDChecking_1 + \cdots + crule!(check_n) \cdot NDChecking_n$
$NDChecking_i = crule!(permit_i) \cdot NDHelping_i + crule!(refuse_i) \cdot Idle$
$NDHelping_i = crule!(continue_i) \cdot Idle$

For the communication function '|' we put $at!(s) \mid at?(s) = \tau$ for 'states' $s = Out_i, Waiting_i, AtDoor_i$, and $ok?(a) \mid ok!(a) = ok(a)$, for actions $a = enter_i, explain_i, thank_i, leave_i$. Note, ACP allows to keep the result of the synchronization of ok?(a) and ok!(a) observable, here as the action ok(a), for suitable a. We exploit this feature below to express system properties, since the synchronization actions ok(a) describe detailed steps taken by clients. E.g., observing $ok(enter_i)$ indicates a service request made by $Client_i$. On the contrary, synchronization of at!() and at?() is only used to update the information of the current detailed state. The resulting actions are internal to the component and not needed in any further analysis. Therefore, we safely use $\tau$ for the synchronization of at?() and at!().

Finally, we need to encode the coordination captured by the consistency rules. For example, consistency rule (1) couples a detailed $check_i$ step of the Server, being the conductor of the CS protocol, to the global triv step of $Client_i$, being a participant in the CS protocol. The net result is a state transfer, i.e. a transition $Idle \xrightarrow{check_i} NDChecking_i$ for the server, and a phase transfer, i.e. a transition $Without \xrightarrow{triv} Interrupt$ in the global STD for the i-th client. Similar correspondences apply to the other consistency rules. Therefore, we put

$crule!(check_i) \mid crule?(triv_i) = check_i$
$crule!(permit_i) \mid crule?(request_i) = permit_i$
$crule!(refuse_i) \mid crule?(notYet_i) = refuse_i$
$crule!(continue_i) \mid crule?(done_i) = continue_i$

As usual, unmatched synchronization actions will be blocked to enforce communication. We collect those in the set $A = \{ crule!, crule?, at?, at!, ok?, ok! \}$.
Finally, the process for the collaboration of the server and the n clients is given by

$\partial_A( \widehat{Client}_1 \parallel \widehat{Client}_1(CS) \parallel \ldots \parallel \widehat{Client}_n \parallel \widehat{Client}_n(CS) \parallel \widehat{Server} )$ (5)

The next section is concerned with the intertwining of the detailed and the global behavior, and possible ways to reduce the component specification by abstracting away from specific detailed activities. The process algebraic specification of our running client-server example will be used below to establish relations between Paradigm models before and after reduction. Therefore, it comes in handy to represent the overall behaviour of the Client component as the parallel composition of its detailed and global behaviour. To this end, we denote the set of states of the detailed process $\widehat{Client}$ by $States_D = \{ Out, Waiting, Busy, AtDoor \}$, the set of labels of its transitions by $Labels_D = \{ enter, explain, thank, leave \}$ and we put

$AT = \{ at!(s), at?(s) \mid s \in States_D \}$
$OK = \{ ok!(a), ok?(a) \mid a \in Labels_D \}$

and define $H = AT \cup OK$. Then the process combining detailed behaviour of $\widehat{Client}$ and global behaviour of $\widehat{Client}(CS)$ can be expressed as $\widehat{Client}(DG)$, with DG referring to 'detailed' and 'global', given by

$\widehat{Client}(DG) = \partial_H( \widehat{Client} \parallel \widehat{Client}(CS) )$

[Figure 5: Process $\widehat{Client}(DG)$]

Figure 5 shows the behavior of $\widehat{Client}(DG)$ graphically.
The process describes the way the detailed and global behaviors occur and constrain each other. On the one hand, steps taken at the detailed level influence the current phase at the global level, and therefore allow and forbid certain phase transitions at the global level. The global process and its transitions are 'navigated' by the activities executed at the detailed level. For instance, the effect of the detailed transition ok(enter) is described with the appearance of two triv transitions. One of them captures the scenario in which the client has not yet required any service, which means that enter has not been taken yet at the detailed level, although the server (conductor) may offer service. It can be observed that this transition is followed by the phase transition notYet which brings the process back to the initial state. We can also observe that as soon as the detailed transition enter is taken, the enabled triv transition differs from the previous one. On the other hand, from $\widehat{Client}(DG)$ we can observe how each phase, i.e. a global state, constrains the steps that can be taken locally. Moreover, it is specified exactly how a trap that is reached blocks any detailed transitions, just as expected. For instance, we see that the action ok(leave) on top of Figure 5 cannot be executed before the phase is changed, i.e. a step from With[done] to Without[triv] via the global transition crule?(done). Note that such details, which are explicit and easily observable from the ACP specification of the composition $\widehat{Client}(DG)$, cannot be directly detected in the Paradigm model.

Once systems are modeled algebraically, their behaviours can be compared. Comparison is typically done by means of equivalence relations, chosen appropriately to preserve certain properties.
Since we aim at the mCRL2 toolset for tool support, we choose branching bisimulation [8] as the equivalence relation we apply. Indeed, branching bisimulation is the strongest in the spectrum of behavioural equivalence relations, but yet weak enough to identify sufficiently many systems. Below we adapt the definition from [8] (originally defined on labelled transition systems) to STDs with uniquely indicated initial states. In fact, labelled transition systems (LTS), as a (visual) representation of process algebraic specifications, can be seen also as STDs. Therefore, in the sequel we do not make explicit distinction between LTSs and STDs.

Definition 1. For two STDs Z = ⟨ST, AC, TS⟩, Z′ = ⟨ST′, AC′, TS′⟩ a symmetric relation R ⊆ ST × ST′ is called a branching bisimulation relation if for all s ∈ ST and t ∈ ST′ such that R(s, t), the following condition is met: if s -a-> s′ in Z, for some a ∈ AC ∪ {τ}, then either a = τ and R(s′, t), or for some n ≥ 0, there exist t_1, …, t_n and t′ in ST′ such that t -τ-> t_1 -τ-> … -τ-> t_n -a-> t′ in Z′, R(s, t_1), …, R(s, t_n) and R(s′, t′).

For two STDs Z and Z′, two states s ∈ Z and t ∈ Z′ are called branching bisimilar, notation s ↔_b t, if there exists a branching bisimulation relation R for Z and Z′ such that R(s, t). The STDs Z and Z′ are branching bisimilar, notation Z ↔_b Z′, if their initial states are branching bisimilar.

4 Reduction of the client processes

In Section 3 we explained how ACP specifications are obtained from the detailed and global client STDs, and how ACP’s communication function captures synchronization of detailed and global steps, guaranteeing consistent dynamics at both levels.
Based on the complete client component we are able to make several observations regarding the Paradigm approach to separate the detailed from the global behaviour.

4.1 First-reduce then-compose

The global STD of a component is an abstract representation of its detailed STD. It represents the part of the behaviour of the component that is essential for the interaction within a given collaboration. In general, for the global behaviour not all local transitions are relevant, most are not influencing the overall coordination at all. Although not always easy to isolate, in actual full-fledged systems only a restricted part of the whole system provides a specific functionality. In such a situation, from a modeling perspective it is clarifying to abstract away the irrelevant part and to concentrate on a reduced detailed behaviour containing the relevant interaction. As a consequence, dealing with models that are purposely made concise becomes simpler, more feasible and less error-prone.

In the previous sections, we have made a Paradigm model out of the components: detailed client STDs, their global STDs and the server STD. Moreover, we have presented their translations into process algebraic specifications. The overall behaviour of the client-server system is obtained by putting the components involved in parallel and making them interact. In this section we show that we can achieve the same total behaviour of the client-server system by first reducing the client components and then composing the reduced versions afterwards with other components of the system. Reduction is directly applied on the original Paradigm client model, by abstracting away irrelevant states and local transitions.

It is intuitively clear that the global behaviour alone is not branching bisimilar to the overall client behaviour \Client(DG).
This is because some local steps change the further global behaviour. As a consequence, such local transitions can be detected at the global level. Extending terminology going back to [8], we call these transitions globally non-inert. Similarly, a local transition is referred to as globally inert if it cannot be observed, explicitly or implicitly, at the global level. More specifically, it can be detected whether local action enter has been taken or not by observing whether the global transition notYet or global transition request follows after global step triv. Putting it differently, the transition labeled enter makes the difference for phase Interrupt of residing in trap notYet or in trap request, as can be seen in Figure 1. Thus, the local transition enter is not globally inert. In a similar manner, the local action thank is not globally inert as it enables –and so it can be detected– the execution of the global action done. In terms of the partition, in phase With the action thank enters the trap done.

On the other hand, again referring to the phases of Client(CS) in Figure 1b, we see that the action leave is in each phase either within a trap (phases Without and Interrupt) or not possible at all (phase With is missing the target state Out). Likewise, the action explain is not possible (phases Without and Interrupt are missing state Busy) or doesn’t change the trap information (in phase With the transition doesn’t enter the trap done).

Definition 2. Let a Paradigm model be given. A detailed transition x -a-> x′ of a participant of a protocol is called globally inert with respect to its partition π = { (S_i, T_i) | i ∈ I } if for all traps t in T_i it holds that x ∈ t ⟺ x′ ∈ t whenever both x, x′ ∈ S_i, i ∈ I.
An action a is called globally inert for a participant of a protocol with respect to a partition, if all a-labeled transitions are.

Using the notion of detailed transitions being globally inert or non-inert, we can reduce the detailed STD of the client. After renaming all globally inert transitions into τ, we can identify branching bisimilar states. The resulting quotient STD for the client carries the behaviour that is necessary and sufficient for the global STD to interact with the other components, including the conductor of the collaboration. The composition of the process algebraic specifications of the quotient STD and the global \Client(CS) behaves exactly (up to branching bisimulation) as the behaviour of the composition of the original detailed and global STDs together as represented by \Client(DG). By congruence, composition of either of these systems with the other clients and the server leads, modulo branching bisimulation equivalence, to the same behaviour. This is summarized by the next result, where τ_I, for a set of labels I, represents the hiding of the actions in I from P by renaming them into τ, and ∂_J(P), for a set of labels J, is the encapsulation of the actions of J from P by blocking any transition for P with label in J.

Lemma 3. Let G ⊆ Labels_D be a subset of globally inert actions. Then it holds for the induced quotient QClient of Client that
(i) QClient ↔_b τ_G(Client), and
(ii) ∂_H( \QClient ‖ \Client(CS) ) ↔_b τ_OK(G)( \Client(DG) ), where OK(G) = { ok(a) | a ∈ G }.

[Figure 6: (a) process τ_G(Client) and related states, (b) quotient STD QClient and (c) \QClient.]

Proof. We consider the case of the maximal set of local actions that are globally inert, i.e. for G = {explain, leave}.
Split the set of states States_D of the detailed STD into P = {Out, AtDoor} and Q = {Waiting, Busy}. Let QClient be the induced quotient STD, the STD obtained from Client by identifying the states Out and AtDoor as well as the states Waiting and Busy. The processes QClient and τ_G(Client) are shown in Figure 6ab. A branching bisimulation between QClient and τ_G(Client) can be immediately established, which proves the first part of the lemma.

In order to prove the second part of the lemma, we first translate QClient into the process algebraic specification \QClient whose STD is shown in Figure 6c. In order to compute the composition of \QClient and \Client(CS) the communication function has to be adapted to \QClient. For the \QClient process Out and AtDoor are identified into the P. Similar for Waiting, Busy, now represented by Q. Thus, a detailed \QClient communication intention conveying ‘at P’ or ‘at Q’ updates the global process about the current local state. Hence, we extend the communication function with at!(P) | at?(Out) = τ, at!(P) | at?(AtDoor) = τ, at!(Q) | at?(Waiting) = τ and at!(Q) | at?(Busy) = τ. Now we consider the process ∂_H( \QClient ‖ \Client(CS) ) with H = AT ∪ OK as defined in Section 3, with AT extended accordingly. The composition is shown in Figure 7a, the process τ_OK(G)( \Client(DG) ) is depicted in Figure 7b. It is straightforward to establish a branching bisimulation between these two processes. State names of τ_OK(G)( \Client(DG) ) have been suppressed in Figure 7b for readability.

Note that the number of states in τ_G( \Client(DG) ) is 13, while the first-reduce then-compose approach with \QClient and \Client(CS) generates a process with 9 states only. See Table 1 below for more numerical results.
[Figure 7: Branching bisimilar processes: (a) ∂_H( \QClient ‖ \Client(CS) ), (b) process τ_OK(G)( \Client(DG) ).]

[Figure 8: (a) adapted quotient process QClient, (b) composition of new \QClient and \Client(CS).]

It is obvious that not every choice of actions at the detailed level has the property of Lemma 3. For example, selecting the set of actions G′ = {enter, thank}, yields a split-up into {Out, Waiting} and {Busy, AtDoor} and another reduction, depicted in Figure 8a. However, this reduction is not a proper one as the induced composition of the reduced detailed and the global behaviour in Figure 8 is not branching bisimilar with the original composition τ_OK(G′)( \Client(DG) ).

It is instructive to consider a slightly different client. Now we assume that the client may decide to draw back the service request and return back to the initial state Out. The detailed STD and the global STD shown in Figure 9 differ from the model in Figure 1 only in the return transition. If we apply the same reasoning of Lemma 3 to this model of a client, we observe that the return transition does not change the situation regarding the reduction of the local behaviour. Again, the enter transition is not globally inert, for the same reasons as in the previous model. Similarly, return is also not globally inert. Still, the original quotient from Lemma 3 based on the inert actions explain and leave yields a proper reduction. See Figure 10.
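Definition 2 and the reduction step behind Lemma 3(i), worked through for the original Client, as an added example that is not code from the paper. The phase and trap sets in PARTITION are an assumption reconstructed from this section's description of Figure 1, all function names are illustrative, and the quotient is computed by signature refinement, a standard way to obtain branching bisimulation classes that the paper itself does not prescribe.

```python
TAU = "tau"

# Detailed Client STD from the paper: Out -> Waiting -> Busy -> AtDoor -> Out.
STATES = {"Out", "Waiting", "Busy", "AtDoor"}
CLIENT = {
    ("Out", "enter", "Waiting"),
    ("Waiting", "explain", "Busy"),
    ("Busy", "thank", "AtDoor"),
    ("AtDoor", "leave", "Out"),
}

# ASSUMPTION: phase state sets S_i and trap sets T_i, reconstructed from the
# prose about Figure 1 (the figure is not reproduced). Entries are (S_i, T_i).
_W = {"AtDoor", "Out", "Waiting"}
_V = {"Waiting", "Busy", "AtDoor"}
PARTITION = {
    "Without": (_W, {"triv": _W}),
    "Interrupt": (_W, {"triv": _W, "notYet": {"AtDoor", "Out"},
                       "request": {"Waiting"}}),
    "With": (_V, {"triv": _V, "done": {"AtDoor"}}),
}

def transition_is_inert(x, y, partition):
    """Definition 2: in every phase holding both x and y, trap membership agrees."""
    for phase_states, traps in partition.values():
        if x in phase_states and y in phase_states:
            if any((x in trap) != (y in trap) for trap in traps.values()):
                return False
    return True

def globally_inert_actions(transitions, partition):
    """Actions all of whose labelled transitions are globally inert."""
    labels = {a for _, a, _ in transitions}
    return {a for a in labels
            if all(transition_is_inert(x, y, partition)
                   for x, b, y in transitions if b == a)}

def hide(transitions, hidden):
    """tau_G: rename every action in `hidden` into tau."""
    return {(x, TAU if a in hidden else a, y) for x, a, y in transitions}

def branching_classes(states, transitions):
    """Branching bisimulation classes by signature refinement."""
    block = {s: 0 for s in states}
    while True:
        keys = {}
        for s in states:
            # States reachable from s by tau steps that stay in s's block.
            inside, todo = {s}, [s]
            while todo:
                u = todo.pop()
                for x, a, y in transitions:
                    if (x == u and a == TAU and block[y] == block[s]
                            and y not in inside):
                        inside.add(y)
                        todo.append(y)
            # Visible moves after that inert prefix; inert tau steps are dropped.
            signature = frozenset(
                (a, block[y]) for x, a, y in transitions
                if x in inside and not (a == TAU and block[y] == block[s]))
            keys[s] = (block[s], signature)
        ids = {}
        refined = {s: ids.setdefault(keys[s], len(ids)) for s in states}
        if len(ids) == len(set(block.values())):  # no block was split: stable
            classes = {}
            for s, b in refined.items():
                classes.setdefault(b, set()).add(s)
            return {frozenset(c) for c in classes.values()}
        block = refined

def reduce_client(transitions, partition, chosen):
    """First-reduce step: refuse a set G that is not globally inert."""
    bad = set(chosen) - globally_inert_actions(transitions, partition)
    if bad:
        raise ValueError("not globally inert: " + ", ".join(sorted(bad)))
    hidden = hide(transitions, chosen)
    classes = branching_classes(STATES, hidden)
    cls = {s: c for c in classes for s in c}
    steps = {(cls[x], a, cls[y]) for x, a, y in hidden
             if not (a == TAU and cls[x] == cls[y])}
    return classes, steps

if __name__ == "__main__":
    print(sorted(globally_inert_actions(CLIENT, PARTITION)))
    print(reduce_client(CLIENT, PARTITION, {"explain", "leave"}))
```

For G′ = {enter, thank}, reduce_client raises ValueError: hiding those actions still produces the split-up {Out, Waiting}, {Busy, AtDoor}, but neither action passes the Definition 2 check, which is why that reduction is not a proper one.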
The last example we consider as a further variation, named Client′′, is presented in Figure 11. The only change is now in the global STD Client′′(CS). The client is provided service unconditionally, i.e. without interruption, even without needing it. But, if it doesn’t need it the client is handled as if it does not need service any longer. The simplified global behaviour, with less phases and less traps, imposes less constraints on the detailed behaviour. Thus, the relation between the detailed and the global behaviour is rather loose. In Figure 12 the behaviour of process \Client′′(CS) and the parallel composition \Client′′(DG) are graphically represented.

[Figure 9: Modified client: (a) STD of Client′, (b) phase and trap constraints.]

[Figure 10: Branching bisimilar processes: (a) ∂_H( QClient′ ‖ \Client′(CS) ), (b) τ_OK(G)( \Client′(DG) ).]

In order to show this formally, we again apply the first-reduce then-compose approach along the lines of Lemma 3 by taking the trivial split-up of States_D along all detailed actions in Labels_D. Thus, we identify all local actions in G′′ = Labels_D as globally inert. The resulting quotient STD of QClient′′ and its process algebraic translation are shown in Figure 13bc. The composition of the reduced detailed behaviour of Client′′ with its global behaviour has now 3 states as shown in Figure 13d.
A branching bisimulation between this process and the corresponding process τ_G′′( \Client′′(DG) ) can be established easily.

In order to investigate the effect of the reduction on a larger scale, we have analyzed the client-server system using the mCRL2 toolset [11] and compared the implementation of the system using either the original \Client components or their reduced versions \QClient. The translation of ACP-based specifications of the n clients \Client_i, the global \Client_i(CS) and the server Server into the input language of the mCRL2 toolset, which we use for our model analysis, is largely straightforward (see also [3]). Indeed, the application of the first-reduce then-compose principle yields a significant decrease in the size of the state space in a number of cases. The results are collected in Table 1.

[Figure 11: The Paradigm model of Client′′.]

[Figure 12: Processes \Client′′(CS) and \Client′′(DG).]

4.2 Extracting detailed behaviour

Intuitively it is clear that in the case of the client-server example the global behaviour does not change or influence the local behaviour. In fact, if in the total client behaviour \Client(DG) we hide the actions crule?
(·) from the set E performed by the global process (E for external), we obtain a process which is branching bisimilar to the detailed behaviour Client. This is expressed by the following lemma.

Lemma 4. Client ↔_b τ_E( \Client(DG) ).

Proof. We start from the process \Client(DG) as shown in Figure 5. After hiding the actions in E, i.e. renaming them into τ, the process τ_E( \Client(DG) ) is obtained, shown in Figure 14. A branching bisimulation equivalence between this process and Client process can be defined without difficulty. In Figure 15 related states are connected by differently dotted lines. Note, we have mirrored the Client orientation with respect to the North-East South-West diagonal.

[Figure 13: (a) τ_G′′(Client′′), (b) \Client′′, (c) \QClient′′, (d) composition of \QClient′′ and \Client′′(CS).]

Table 1: Effect of the first-reduce then-compose approach.

        with \Client              with \QClient
  n     states    transitions     states    transitions
  2         69            142         32             54
  3        297            819         92            204
  4       1161           3996        240            656
  5       4293          17685        592           1920
  6      15309          73386       1408           5280
 10          –              –      36863         212480
(no result for \Client with n = 10 within 24 hours)

[Figure 14: Process τ_E( \Client(DG) ).]

In the general situation, the statement of the lemma provides a check on the constraints imposed by the global STD on the detailed one.
In case the statement of the lemma holds, the complete behaviour of the component is preserved in the consistent composition, assuming the coordinating protocol provides all phase transfers in some order. In case the statement of the lemma does not hold, part of the original detailed behaviour has been eliminated because of the participation with the protocol. This may be deliberate and allows for further reduction of the detailed STD. This may be accidental, requiring the overall coordination to be revised.

[Figure 15: Branching bisimulation between (a) τ_E( \Client(DG) ) and (b) Client.]

5 Concluding remarks

In a Paradigm model several STDs may belong to the same component, describing the component’s dynamics either at various levels of abstraction (detailed vs. global STDs) or describing different roles of the component in various collaborations. Collaboration between components is described in terms of dynamic constraints. Vertical consistency is maintained by keeping phases vs. detailed transitions and traps vs. transfers aligned. Starting point of our investigation here is the translation of Paradigm models into the process algebra ACP and its coupling with the mCRL2 toolset for subsequent automated analysis.
In the translated model, every STD from the Paradigm model is represented by a recursive specification; the total behaviour of a single component is obtained as a composition of the recursive specifications of the detailed and the global component’s STDs; the overall system is specified as a parallel composition of all components.

In this paper we have described a method to reduce the Paradigm representation of the detailed STDs of the components, yielding reduction of the overall Paradigm models, but preserving the overall behaviour. The reduction boils down to inferring globally inert detailed steps. By abstracting them away a smaller representation of the detailed component is obtained. This representation contains all information about the constraints the detailed behaviour imposes on the global behaviour(s) of the component. The formal validation that the reduction, indeed, does not change the overall model behaviour is achieved via the process algebraic representation of the model: we show for our client-server example that the reduced model is branching bisimilar to the original one, having the same properties. Furthermore, by means of a proper abstraction, in this case applied at the global level, we can observe directly from the model, by a direct comparison, in which way the global behaviour, and thus the collaboration, affects the components’ detailed behaviour. In case no influence is to be expected, it is sufficient to show that the component model is equivalent, up to branching bisimulation, to the detailed behaviour after all global steps are abstracted away.

As to the contribution of this paper, we have established a further connection of process algebra and its supporting apparatus to the domain of coordination.
In particular, abstraction and equivalences, typical for process algebra, become techniques that can be applied to coordination models, via the established link of the Paradigm language and ACP, in our case. Thus, coordination can be initially modeled in the Paradigm language which offers compositional and hierarchical modeling flexibility. Then, model reduction can be applied, if appropriate. Finally, via its process representation the model can be formally analyzed.

As future work we want to address the reduction of general Paradigm models and property guided reduction, in particular in a situation with overlapping or orthogonal coordination. More specifically, it is interesting to study the notion of globally inert detailed steps for a component that participates in multiple collaborations. We plan to investigate whether other techniques from process algebraic analysis, e.g. iterated abstraction, and pattern-based simplifications can be beneficial for the modeling with Paradigm.

References

[1] R.J. Allen (1997): A Formal Approach to Software Architectures. Ph.D. thesis, Carnegie Mellon University.
[2] S. Andova, L.P.J. Groenewegen, J.H.S. Verschuren & E.P. de Vink (2009): Architecting Security with Paradigm. In: Architecting Dependable Systems VI, LNCS 5835, pp. 255–283. doi:10.1007/978-3-642-10248-6_11.
[3] S. Andova, L.P.J. Groenewegen & E.P. de Vink (2010): Dynamic Consistency in Process Algebra: From Paradigm to ACP. Science of Computer Programming. doi:10.1016/j.scico.2010.04.011, 45pp.
[4] S. Andova, L.P.J. Groenewegen & E.P. de Vink (2010): Towards Dynamic Adaptation of Probabilistic Systems. In T. Margaria & B. Steffen, editors: Proc. ISOLA 2010, LNCS 6416, pp. 143–159. doi:10.1007/978-3-642-16561-0_19.
[5] F.
Arbab (2004): Reo: A Channel-based Coordination Model for Component Composition. Mathematical Structures in Computer Science 14, pp. 329–366. doi:10.1017/S0960129504004153.
[6] J.C.M. Baeten, T. Basten & M.A. Reniers (2010): Process Algebra: Equational Theories of Communicating Processes. Cambridge Tracts in Theoretical Computer Science 50, CUP.
[7] G. Engels, R. Heckel, J.M. Küster & L. Groenewegen (2002): Consistency-Preserving Model Evolution through Transformations. In J.-M. Jézéquel, H. Hußmann & S. Cook, editors: Proc. UML 2002, LNCS 2460, pp. 212–226. doi:10.1007/3-540-45800-X_18.
[8] R.J. van Glabbeek & P. Weijland (1996): Branching time and abstraction in bisimulation semantics. Journal of the ACM 43, pp. 555–600. doi:10.1145/233551.233556.
[9] L. Groenewegen & E. de Vink (2002): Operational Semantics for Coordination in Paradigm. In F. Arbab & C. Talcott, editors: Proc. Coordination 2002, LNCS 2315, pp. 191–206. doi:10.1007/3-540-46000-4_20.
[10] L. Groenewegen & E. de Vink (2006): Evolution-On-The-Fly with Paradigm. In P. Ciancarini & H. Wiklicky, editors: Proc. Coordination 2006, LNCS 4038, pp. 97–112. doi:10.1007/11767954_7.
[11] J.F. Groote et al. (2007): The Formal Specification Language mCRL2. In E. Brinksma et al., editor: Methods for Modelling Software Systems, IBFI, Schloss Dagstuhl. 34 pages.
[12] N. Kokash, C. Koehler & E.P. de Vink (2010): Time and Data-Aware Analysis of Graphical Service Models in Reo. In J.L. Fiadeiro, A. Maggiolo-Schettini & S. Gnesi, editors: Proc. SEFM 2010, IEEE, pp. 125–134. doi:10.1109/SEFM.2010.26.
[13] C. Krause (2011): Reconfigurable Component Connectors. Ph.D. thesis, Leiden University. To appear.
[14] J.M. Küster (2004): Consistency Management of Object-Oriented Behavioral Models. Ph.D. thesis, University of Paderborn.
[15] M.Z. Kwiatkowska, G. Norman & D.
Parker (2009): PRISM: probabilistic model checking for performance and reliability analysis. SIGMETRICS Performance Evaluation Review 36, pp. 40–45. doi:10.1145/1530873.1530882.
[16] M. Möller, E.-R. Olderog, H. Rasch & H. Wehrheim (2008): Integrating a formal method into a software engineering process with UML and Java. Formal Aspects of Computing, pp. 161–204. doi:10.1007/s00165-007-0042-7.
[17] M.A. Pérez-Toledano, A. Navasa, J.M. Murillo & C. Canal (2007): TITAN: a Framework for Aspect-Oriented System Evolution. In: Proc. ICSEA 2007, Cap Esterel, IEEE. doi:10.1109/ICSEA.2007.77, 8 pages.
[18] N.F. Rodrigues & L.S. Barbosa (2005): Architectural Prototyping: From CCS to .Net. In A. Mota & A.V. Moura, editors: Proc. SBMF 2004, ENTCS 130, pp. 151–167. doi:10.1016/j.entcs.2005.03.009.
[19] M. Sirjani, A. Movaghar, A. Shali & F.S. de Boer (2004): Modeling and Verification of Reactive Systems using Rebeca. Fundamenta Informaticae 63, pp. 385–410. doi:10.1.1.107.2074.
