Bisimulation Relations Between Automata, Stochastic Differential Equations and Petri Nets

Two formal stochastic models are said to be bisimilar if their solutions as a stochastic process (i.e. their executions) are probabilistically equivalent [8,23]. Bisimilarity relations between formal stochastic models are very useful to study since they allow one stochastic model to take advantage of the strengths of the other stochastic model. The aim of this paper is to show bisimulation relations between three different stochastic modelling formalisms: stochastic hybrid automata, stochastic differential equations on hybrid space, and stochastic hybrid Petri nets. These bisimulation relations make it possible to combine the formal verification power of automata with the analysis power of stochastic differential equations and the compositional specification power of Petri nets. For the stochastic automata formalism, we take the general stochastic hybrid system (GSHS) theoretical setting developed by [7]. A GSHS is a hybrid automaton defined on a hybrid state space. This hybrid state space consists of a countable set of discrete modes, and per discrete mode a Euclidean subset. Per discrete mode, a stochastic differential equation (SDE) is defined. Two additional GSHS elements are a jump rate function and a GSHS transition measure. The execution of these elements provides a stochastic process that follows the solution of the SDE connected to the initial discrete mode. After a time period, defined by the jump rate function, the process state may spontaneously jump to another mode, defined by the GSHS transition measure. A jump may also be forced if the process state hits the boundary of the Euclidean subset. The GSHS execution is referred to as general stochastic hybrid process (GSHP). One of the main strengths of the automata formalism is the availability of formal verification tools. For the hybrid stochastic differential equations formalism we take the hybrid stochastic differential equations (HSDE) theoretical setting developed in a series of complementary studies [1,2,20,21]. A HSDE consists of a sequence of SDEs on a hybrid state space, driven by a Poisson random measure. When the Poisson random measure generates a multivariate point, a spontaneous jump occurs. A jump may also be forced if the process state hits the boundary of a Euclidean subset. The HSDE solution process is referred to as general stochastic hybrid process (GSHP). In [16] it is shown that whereas the GSHS formalism is at some points more general than HSDE (for GSHS the dimension of the Euclidean subset may depend on the discrete mode; for HSDE this dimension is fixed), HSDE has the advantage of an established semi-martingale property and includes the coverage of jump-linear systems. For the stochastic hybrid Petri nets formalism, we take stochastically and dynamically coloured Petri nets (SDCPN) developed in a series of studies by [13,14,15]. A Petri net has places (circles), which model possible discrete states or conditions, and which may contain one or more tokens (dots), modelling which of these states are current. The places are connected by transitions (squares), which model state switches by removing input tokens and producing output tokens along arcs (arrows). In SDCPN, the tokens have Euclidean-valued colours that follow SDEs. Some of the transitions remove and produce tokens spontaneously, other transitions are forced and occur when the colours of their input tokens reach the boundary of a Euclidean subset. The collection of token colours in all places forms a general stochastic hybrid process (GSHP). The specific strength of SDCPN is their compositional specification power, which makes available a hierarchical modelling approach that separates local modelling issues from global modelling issues. This is illustrated for a large distributed example in air traffic management [17], which covers many distributed agents each of which interacts in a dynamic way with the others. Other typical Petri net features are concurrency and synchronisation mechanism, hierarchical and modular construction, and natural expression of causal dependencies, in combination with graphical and equational representation. The aim of this paper is to illustrate the relations between SDCPN, GSHP, HSDE and GSHS which show that SDCPN, GSHS and HSDE are bisimilar. This means that if we take the elements of any one of these formalisms, we can construct the elements of another formalism in such a way that their associated GSHPs are probabilistically equivalent. Fig. 1 shows the relations between the formalisms, and the key tools available for each of them. Stochastic analysis denotes bisimilarity denotes execution Figure 1: Relationship between SDCPN, GSHS, GSHP and HSDE, and their key properties and advantages. The [B] arrow is established in [1]. The [BL] arrow is established in [7]. The [E1] arrows are established in [15]. The [E2] arrows are established in [16]. With these relations, the properties and advantages of the various approaches come within reach of each other. The compositional specification power of SDCPN makes it relatively easy to develop a model for a complex system with multiple interactions. Subsequently, in the analysis stage three alternative approaches can be taken. The first is direct execution of SDCPN and evaluation through e.g. Monte Carlo simulation. The second is mapping the SDCPN into a GSHS and evaluating its execution, with the advantages of connection to formal methods in automata theory and to optimal control theory [6]. The third is mapping the SDCPN into HSDE and evaluating its solution, with the advantages of stochastic analysis for semi-martingales [10,11]. With the GSHP resulting from any of these three means, properties become available such as convergence of discretisation, existence of limits, existence of event probabilities, strong Markov properties, and reachability analysis [7,9,12]. The organisation of this paper is as follows. Section 2 defines SDCPN and the related SDCPN process. Section 3 presents an example SDCPN model for a simple but illustrative air traffic situation. Section 4 defines GSHS and illustrates how the example SDCPN can be mapped to a bisimilar GSHS. Section 5 defines HSDE and illustrates how the example SDCPN can be mapped to a bisimilar HSDE. Section 6 gives conclusions. This section outlines stochastically and dynamically coloured Petri net (SDCPN). For a more formal definition, we refer to [16]. Definition 2.1 (Stochastically and dynamically coloured Petri net.) An SDCPN is a collection of elements (P, T , A , N , S , C , I , V , W , G , D, F ), together with an SDCPN execution prescription which makes use of a sequence {U i ; i = 0, 1, . . .} of independent uniform U[0, 1] random variables, of independent sequences of mutually independent standard Brownian motions {B i,P t ; i = 1, 2, . . .} of appropriate dimensions, one sequence for each place P, and of five rules R0-R4 that solve enabling conflicts. The SDCPN elements (P, T , A , N , S , C , I , V , W , G , D, F ) are defined as follows: • P is a finite set of places. • T is a finite set of transitions which consists of 1) a set T G of guard transitions, 2) a set T D of delay transitions and 3) a set T I of immediate transitions. • A is a finite set of arcs which consists of 1) a set A O of ordinary arcs, 2) a set A E of enabling arcs and 3) a set A I of inhibitor arcs. • N : A → P × T ∪ T × P is a node function which maps each arc A ∈ A to a pair of ordered nodes N (A), where a node is a place or a transition. • S ⊂ {R 0 , R 1 , R 2 , . . .} is a finite set of colour types, with R 0 / 0. • C : P → S is a colour type function which maps each place P ∈ P to a specific colour type. Each token in P is to have a colour in C (P). If C (P) = R 0 then a token in P has no colour. • I is a probability measure, which defines the initial marking of the net: for each place it defines a number ≥ 0 of tokens initially in it and it defines their initial colours. • V = {V P ; P ∈ P, C (P) = R 0 } is a set of token colour functions. For each place P ∈ P for which C (P) = R 0 , it contains a function V P : C (P) → C (P) that defines the drift coefficient of a differential equation for the colour of a token in place P. • W = {W P ; P ∈ P, C (P) = R 0 } is a set of token colour matrix functions. For each place P ∈ P for which C (P) = R 0 , it contains a measurable mapping W P : C (P) → R n(P)×h(P) that defines the diffusion coefficient of a stochastic differential equation for the colour of a token in place P, where h : P → N and n : P → N is such that C (P) = R n(P) . It is assumed that W P and V P satisfy conditions that ensure a probabilistically unique solution of each stochastic differential equation. • D = {D T ; T ∈ T D } is a set of transition delay rates. For each T ∈ T D , it contains a locally integrable transition delay rate D T . • F = {F T ; T ∈ T } is a set of firing measures. For each T ∈ T , it contains a firing measure F T , which generates the number and colours of the tokens produced when transition T fires, given the value of the vector that collects all input tokens: For each output arc, zero or one token is produced. For each fixed H, F T (H; •) is measurable. For any c, F T (•; c) is a probability measure. For the places, transitions and arcs, the graphical notation is as in Figure 2. The execution of an SDCPN provides a series of increasing stopping times, {τ i ; i = 0, 1, . . .}, τ 0 = 0, with for t ∈ (τ k , τ k+1 ) a fixed number of tokens per place and per token a colour which is the solution of a stochastic differential equation. Initiation. The probability measure I characterises an initial marking at τ 0 , i.e. it gives each place P ∈ P zero or more tokens and gives each token in P a colour in C (P), i.e. a Euclidean-valued vector. Token colour evolution. For each token in each place P for which C (P) = R 0 : if the colour of this token is equal to C P 0 at time t = τ 0 , and if this token is still in this place at time t > τ 0 , then the colour C P t of this token equals the probabilistically unique solution of the stochastic differential equation dC P t = V P (C P t )dt + W P (C P t )dB i,P t with initial condition C P τ 0 = C P 0 , and with {B i,P t } an h(P)-dimensional standard Brownian motion. Each token in a place for which C (P) = R 0 remains without colour. Transition enabling. A transition T is pre-enabled if it has at least one token per incoming ordinary and enabling arc in each of its input places and has no token in places to which it is connected by an inhibitor arc. For each transition T that is pre-enabled at τ 0 , consider one token per ordinary and enabling arc in its input places and write C T t , t ≥ τ 0 , as the column vector containing the colours of these tokens; C T t evolves through time according to its corresponding token colour functions. If this vector is not unique (i.e., if one input place contains several tokens per arc), all possible such vectors are executed in parallel. A transition T is enabled if it is pre-enabled and a second requirement holds true. For T ∈ T I , the second requirement automatically holds true at the time of pre-enabling. For T ∈ T G , the second requirement holds true when C T t ∈ ∂ G T . For T ∈ T D , the second requirement holds true at t = τ 0 + σ T 1 , where σ T 1 is generated from a probability distribution function In the case of competing enablings, the following rules apply: R0 The firing of an immediate transition has priority over the firing of a guard or a delay transition. R1 If one transition becomes enabled by two or more sets of input tokens at exactly the same time, and the firing of any one set will not disable one or more other sets, then it will fire these sets of tokens independently, at the same time. R2 If one transition becomes enabled by two or more sets of input tokens at exactly the same time, and the firing of any one set disables one or more other sets, then the set that is fired is selected randomly, with the same probability for each set. R3 If two or more transitions become enabled at exactly the same time and the firing of any one transition will not disable the other transitions, then they will fire at the same time. R4 If two or more transitions become enabled at exactly the same time and the firing of any one transition disables some other transitions, then each combination of transitions that can fire independently without leaving enabled transitions gets the same probability of firing. Transition firing. If T is enabled, suppose this occurs at time τ 1 and in a particular vector of token colours C T τ 1 , it removes one token per ordinary input arc corresponding with C T τ 1 from each of its input places (i.e. tokens are not removed along enabling arcs). Next, T produces zero or one token along each output arc: If (e T τ 1 , a T τ 1 ) is a random hybrid vector generated from probability measure F T (•;C T τ 1 ) (by making use of a Uniform random variable U i ), then vector e T τ 1 is a vector of zeros and ones, where the ith vector element corresponds with the ith outgoing arc of transition T . An output place gets a token iff it is connected to an arc that corresponds with a vector element 1. Moreover, a T τ 1 specifies the colours of the produced tokens. Execution from first transition firing onwards. At t = τ 1 , zero or more transitions are pre-enabled (if this number is zero, no transitions will fire anymore). If these include immediate transitions, then these are fired without delay, but with use of rules R0-R4. If after this, still immediate transitions are enabled, then these are also fired, and so forth, until no more immediate transitions are enabled. Next, the SDCPN is executed in the same way as described above for the situation from τ 0 onwards. The marking of the SDCPN is given by the numbers of tokens in the places and the associated colour values of these tokens and can be mapped to a probabilistically unique SDCPN stochastic process {M t ,C t } as follows: For any t ≥ τ 0 , let a token distribution be characterised by the vector M t = (M 1,t , . . . , M |P|,t ), where M i,t ∈ N denotes the number of tokens in place P i at time t and 1, . . . , |P| refers to a unique ordering of places adopted for SDCPN. At times t ∈ (τ k-1 , τ k ) when no transition fires, the token distribution is unique and we define M t = M t . The associated colours of these tokens are gathered in a column vector C t which first contains all colours of tokens in place P 1 , next (i.e. below it) all colours of tokens in place P 2 , etc, until place P |P| . If at time t = τ k one or more transitions fire, then the SDCPN discrete process state at time τ k is defined by M τ k = the token distribution that occurs after all transitions that fire at time τ k have been fired. The associated colours of these tokens are gathered in a column vector C τ k in the same way as described above. This construction ensures that the process {M t ,C t } has limits from the left and is continuous from the right, i.e., it satisfies the càdlàg property. To illustrate the advantages of SDCPN when modelling a complex system, consider a simplified model of the evolution of an aircraft in one sector of airspace. The deviation of this aircraft from its intended path is affected by its engine system and its navigation system. Each of these aircraft systems can be in either Working (functioning properly) or Not working (operating in some failure mode). Both systems switch between these modes independently and with exponentially distributed sojourn times, with finite rates δ 3 (engine repaired), δ 4 (engine fails), δ 5 (navigation repaired) and δ 6 (navigation fails), respectively. If both systems are Working, the aircraft evolves in Nominal mode and the position Y t and velocity S t of the aircraft are determined by dX t = V 1 (X t )dt + W 1 dW t , where X t = (Y t , S t ) . If either one, or both, of the systems is Not working, the aircraft evolves in Non-nominal mode and the position and velocity of the aircraft are determined by dX t = V 2 (X t )dt + W 2 dW t . The factors W 1 and W 2 are determined by wind fluctuations. Initially, the aircraft has position Y 0 and velocity S 0 , while both its systems are Working. The evaluation of this process may be stopped when the aircraft has Landed, i.e. its vertical position and velocity are equal to zero. An SDCPN graph for this example is developed in two stages. In the first stage, the agents of the operation are modelled separately, by one local SDCPN each, see Fig. 3a. In the next stage, the interactions between the agents are modelled, thus connecting the local SDCPN, Fig. 3b. Figure 3: SDCPN graph for the aircraft evolution example Fig. 3b shows the SDCPN graph for this example, where, • P 1 denotes aircraft evolution Nominal, i.e. evolution is according to V 1 and W 1 . • P 2 denotes aircraft evolution Non-nominal, i.e. evolution is according to V 2 and W 2 . • P 3 and P 4 denote engine system Not working and Working, respectively. • P 5 and P 6 denote navigation system Not working and Working, respectively. • P 7 denotes the aircraft has landed. • T 1a and T 1b denote a transition of aircraft evolution from Nominal to Non-nominal, due to engine system or navigation system Not working, respectively. • T 2 denotes a transition of aircraft evolution from Non-nominal to Nominal, due to engine system and navigation system both Working again. • T 3 through T 6 denote transitions between Working and Not working of the engine and navigation systems. • T 7 and T 8 denote transitions of the aircraft landing. The graph in Fig. 3b I : Place P 1 initially has a token with colour X 0 = (Y 0 , S 0 ) , with Y 0 ∈ R 2 × (0, ∞) and S 0 ∈ R 3 \ Col{0, 0, 0}. Places P 4 and P 6 initially each have a token without colour. V , W : The token colour functions for places P 1 , P 2 and P 7 are determined by (V 1 , W 1 ), (V 2 , W 2 ), and (V 7 , W 7 ), respectively, where (V 7 , W 7 ) = (0, 0). For places P 3 -P 6 there is no token colour function. G : Transitions T 7 and T 8 have a guard defined by The jump rates for transitions T 3 , T 4 , T 5 and T 6 are F : Each transition has a unique output place, to which it fires a token with a colour (if applicable) equal to the colour of the token removed. 4 From SDCPN to GSHS Following [7], this section first presents a definition of general stochastic hybrid system (GSHS) and its execution. In [15] it has been proven that under a few conditions, SDCPN and GSHS are bisimilar. In Subsection 4.2 this is illustrated by showing how the SDCPN example of the previous section can be mapped to a bisimilar GSHS. Definition 4.1 (General stochastic hybrid system) A GSHS is an automaton (K, d, X , f , g, Init, λ , Q), where • K is a countable set. • d : K → N maps each θ ∈ K to a natural number. θ ) . With this, the hybrid state space is given by E {{θ } × E θ ; θ ∈ K}. • f : E → {R d(θ ) ; θ ∈ K} is a vector field. • g : E → {R d(θ )×h ; θ ∈ K} is a matrix field, with h ∈ N. • Init: B(E) → [0, 1] is an initial probability measure, with B(E) the Borel σ -algebra on E. • λ : E → R + is a jump rate function. Definition 4.2 (GSHS execution) A stochastic process {θ t , X t } is called a GSHS execution if there exists a sequence of stopping times 0 = τ 0 < τ 1 < τ 2 • • • such that for each k ∈ N: • (θ 0 , X 0 ) is an E-valued random variable extracted according to probability measure Init. with initial condition X k τ k = X τ k , and where {B θ t } is h-dimensional standard Brownian motion for each θ ∈ K. • τ k+1 = τ k + σ k , where σ k is chosen according to a survivor function given by F(t) = 1 (t<τ * ) exp(-t 0 λ (θ , X k s )ds). Here, • The probability distribution of (θ τ k+1 , X τ k+1 ), i.e. the hybrid state right after the jump, is governed by the law Q(•; (θ τ k , X τ k+1 -)). [7] show that under assumptions G1-G4 below, a GSHS execution is a strong Markov Process and has the càdlàg property (right continuous with left hand limits). G1 f (θ , •) and g(θ , •) are Lipschitz continuous and bounded. This yields that for each initial state (θ , x) at initial time τ there exists a pathwise unique solution where G3 For each fixed A ∈ B(E), the map ξ → Q(A; ξ ) is measurable and for any , then it is assumed that for every starting point (θ , x) and for all t ∈ R + , EN t < ∞. This means, there will be a finite number of jumps in finite time. Next we transform the SDCPN example model of Section 3 into a bisimilar GSHS. The first step is to construct the state space K for the GSHS discrete process {θ t }. This is done by identifying the SDCPN reachability graph. Nodes in the reachability graph provide the number of tokens in each of the SDCPN places. Arrows connect these nodes as they represent transitions firing. The SDCPN of Fig. 3b has seven places hence the reachability graph for this example has elements that are vectors of length 7. These nodes, excluding the nodes that enable immediate transitions, form the GSHS discrete state space. The reachability graph is shown in Fig. 4, with nodes that form the GSHS discrete state space in Bold typeface, i.e. K = {V 1 , . . . ,V 8 }, with V 1 = (1, 0, 0, 1, 0, 1, 0), V 2 = (0, 1, 1, 0, 0, 1, 0), V 3 = (0, 1, 1, 0, 1, 0, 0), V 4 = (0, 1, 0, 1, 1, 0, 0), V 5 = (0, 0, 0, 1, 0, 1, 1), V 6 = (0, 0, 1, 0, 0, 1, 1), V 7 = (0, 0, 1, 0, 1, 0, 1), V 8 = (0, 0, 0, 1, 1, 0, 1). Since initially there is a token in places P 1 , P 4 and P 6 , the GSHS initial mode equals θ 0 = V 1 = (1, 0, 0, 1, 0, 1, 0). The GSHS initial continuous state value equals the vector containing the initial colours of all initial tokens. Since the initial colour of the token in Place P 1 equals X 0 , and the tokens in places P 4 and P 6 have no colour, the GSHS initial continuous state value equals Col{X 0 , / 0, / 0} = X 0 . The GSHS drift coefficient f is given by f andg(θ , •) = 0 otherwise. The hybrid state space is given by E Always two delay transitions are pre-enabled: either T 3 or T 4 and either T 5 or T 6 . This yields For the determination of GSHS transition measure Q, we make use of the reachability graph, the sets D, G and F and the rules R0-R4. In Table 1, Q(θ , x ; θ , x) = p denotes that if (θ , x) is the value of the GSHS state before the hybrid jump, then, with probability p, (θ , x ) is the value of the GSHS state immediately after the jump. With this, the SDCPN of the aircraft evolution example is uniquely mapped to an GSHS. It can be shown that the SDCPN execution and the execution of the resulting GSHS are probabilistically equiva- δ 4 +δ 5 lent, i.e. the SDCPN and the GSHS are bisimilar. Thanks to this bisimilarity we can now use the automata framework to analyse the GSHP that is defined by the SDCPN model for the example. Following [1] and [2], this section first presents a definition of hybrid stochastic differential equation (HSDE) and gives conditions under which the HSDE has a pathwise unique solution. This pathwise unique solution is referred to as HSDE solution process or GSHP. The basic advantage of using HSDE in defining a GSHP over using GSHS is that with the HSDE approach the spontaneous jump mechanism is explicitly built on an underlying stochastic basis, whereas in GSHS the execution itself imposes an underlying stochastic basis. In [16] it has been proven that under a few conditions, SDCPN and HSDE are bisimilar. In Subsection 5.2 this is illustrated by showing how the SDCPN example of the previous section can be mapped to a bisimilar HSDE. For the HSDE setting we start with a complete stochastic basis (Ω, ℑ, F, P, T), in which a complete probability space (Ω, ℑ, P) is equipped with a right-continuous filtration F = {ℑ t } on the positive time line T = R + . This stochastic basis is endowed with a probability measure µ θ 0 ,X 0 for the initial state, an independent h-dimensional standard Wiener process {W t } and an independent homogeneous Poisson random measure p P (dt, dz) on T × R d+1 . Definition 5.1 (Hybrid stochastic differential equation) An HSDE on stochastic basis (Ω, ℑ, F, P, T), is defined as a set of equations ( 1)-( 8) in which a collection of elements (M, E, f , g, µ θ 0 ,X 0 , Λ, ψ, ρ, µ, p P , {W t }) appear. The elements (M, E, f , g, µ θ 0 ,X 0 , Λ, ψ, ρ, µ, p P , {W t }) are defined as follows: H2: From the construction of f and g above we have for θ H3: Since δ 3 -δ 6 are constant, for all θ , Λ(θ , •) is bounded and continuous, with upper bound C Λ = max{δ 4 + δ 6 , δ 3 + δ 6 , δ 3 + δ 5 , δ 4 + δ 5 }. H4: Since for all θ , ϑ , P Q (ϑ , •; θ , x) is constant, we find ρ(ϑ , θ , x) = P Q (ϑ , x, θ , x) is continuous. H5 and H6: These are satisfied due to ψ(V i ,V j , x, z) = 0 for all V i , V j , x, z. H7: This condition holds due to δ 3 -δ 6 being finite and the fact that in this SDCPN example, there is no firing sequence of more than one guard transition. H8: This condition holds for all V 1 , . . . ,V 8 , with metric Thanks to this bisimilarity mapping we can now use HSDE tools to analyse the GSHP that is defined by the execution of the SDCPN model for the example. The aim of this paper was to explain bisimilarity relations between SDCPN (stochastically and dynamically coloured Petri net), GSHS (general stochastic hybrid system) and HSDE (hybrid stochastic differential equation), which means that the strengths of one stochastic model formalism can be used by both of the other stochastic model formalisms. More specifically, these bisimilarity relations make it possible to combine the formal verification power of automata with the analysis power of stochastic differential equations and the compositional specification power of Petri nets. We started in Section 2 by defining SDCPN and the resulting SDCPN stochastic process, which is referred to as a GSHP (general stochastic hybrid process). In Section 3 we presented a simple but illustrative SDCPN example model. In Section 4 we studied GSHP as an execution of a GSHS and illustrated by using the example of Section 3 that SDCPN and GSHS are bisimilar. Next, in Section 5 we studied GSHP as a stochastic process solution of HSDE and showed with an illustrative example that SDCPN and HSDE are bisimilar. The bisimilarities between SDCPN, GSHS and HSDE models for the example considered mean that the resulting example model inherits the strengths of all three formal stochastic modelling formalisms. This has been depicted in Fig. 1 in the introduction. Examples of GSHP properties are convergence in discretisation, existence of limits, existence of event probabilities, strong Markov properties, reachability analysis. Examples of GSHS features are their connection to formal methods in automata theory and optimal control theory. Examples of HSDE features are stochastic analysis tools for semi-martingales. Examples of SDCPN features are natural expression of causal dependencies, concurrency and synchronisation mechanism, hierarchical and modular construction, and graphical representation. These complementary advantages of SDCPN, GSHS, HSDE and GSHP perspectives tend to increase with the complexity of the system considered. An illustrative large scale application of bisimularity relations between SDCPN, HSDE and stochastic hybrid automata has been developed in air traffic management. Currently pilots depend of air traffic controllers in solving potential conflicts between their flight trajectories. This places a huge requirement on the tasks of an air traffic controller. Imagine a similar kind of approach for road traffic; then each car driver would be blind and depends of instructions that some road traffic controller is communicating with the car drivers. How many cars do you think can be managed by one road traffic controller? The number of aircraft that one air traffic controller can handle ranges between 10 and 20, depending of the complexity of the traffic pattern. Over a decade ago, it had been suggested by [22] that this limitation of the air traffic controller can be solved by moving the responsibility of conflict resolution from the air traffic controller to the pilots. Since then this airborne self separation idea has received a lot of research attention. Nevertheless, it still is unknown how much more air traffic can safely be accommodated under a well designed airborne self separation way of working. In order to add to the solution of this debate, a series of large European studies towards solving this question have been started under the name HYBRIDGE [18] and iFly [19] respectively. The way of working is to first develop a well defined SDCPN model of the airborne self separation concept of operation to be analysed, e.g. [17]. Subsequently this SDCPN model is further analysed using a bisimilar HSDE and hybrid automation formal model representation [5,3], in which powerful stochastic analysis theory is exploited for the speeding up of Monte Carlo simulations. Using this approach, [4] have shown that the first generation of airborne self separation concept designs falls short in safely accommodating higher air traffic demand than conventional ATM can. The feedback of this finding to advanced air traffic concept designers triggered the development of more advanced airborne self separation concept of operation, e.g. see [19].