1 Introduction
Model checking is an automated technique for the verification of systems [10, 6], applied in many areas of system design where reliability and correctness are key. The biggest challenge model checking faces is the wellknown stateexplosion problem that describes the exponential blow up of states in the number of system variables. One prominent approach to cope with the stateexplosion problem in model checking is the use of symbolic methods, such as those based on binary decision diagrams (BDDs) [8, 26]. Such symbolic methods are most viable the more redundant or shared behaviors are present in the system description, as symbolic methods can exploit them towards concise representations. It is hence not surprising that symbolic modelchecking techniques also have been successfully applied for the analysis of system families those members share lots of common behaviors. Most prominently, in featureoriented system analysis [34], a member of the system family is characterized by its basic functionalities by means of features. Features can either be active or inactive, possibly leading to system families those size is exponential in the number of features. In case family members have active features in common, they likely share the behaviors of these features, making symbolic methods effective. Despite for featureoriented systems, also other kinds of configurable systems can benefit from symbolic methods as one easily faces an exponential blow up in the number of configuration parameters.
There are mainly two approaches to construct and analyze system families.
The first, called onebyone approach,
constructs and analyzes the model for each family member separately.
Differently, within an allinone approach, a single family model is constructed
and analyzed in a single run. For system families those members share a
lot of common behaviors, allinone approaches can benefit from
symbolic representations and analysis methods by efficiently
representing common parts. This usually leads to better analysis times
than for onebyone approaches [12, 34, 15, 9]
or even enables an analysis [22, 16].
In this paper, we focus on allinone approaches where the family model is symbolically represented using reduced ordered BDDs. Such BDDs are rooted directed graphs where inner nodes are labeled by variable names, each path obeying a given variable order. It is well known that the size of the BDD significantly depends on the chosen variable order [7, 22]. In realworld applications, models subject to verification are usually automatically generated such that adhoc variable orders are likely to provide bigger BDD representation than possible with another variable order or even lead to BDD sizes exceeding memory constraints. Reordering algorithms such as sifting [31, 29] help to find suitable variable orders towards a small symbolic representation but are not applicable when the model cannot be constructed a priori due to insufficient memory. A solution is to dynamically reorder BDD variables [18] during model construction, which however comes at the cost of spending much time on reordering. For system families where the family model cannot be constructed due to bad variable orders and dynamic reordering techniques exceed time constraints, we present a third automated method we call iterative variable reordering. The basic idea is to construct parts of the system family, apply variablereordering techniques towards smaller BDD representations, and then successively add family members until a suitable variable order for the whole family model is found. In this way, the shared behaviors between family members are stepwise incorporated into the symbolic representation. We first used this idea in [16] to enable the construction of a family model of aircraft velocity control loops given in the input language of the prominent probabilistic model checker Prism [23]. The model of [16] was automatically generated from Simulink code [2] using SimPars [28], initially not constructible using the symbolic engine of Prism based on multiterminal BDDs [11, 19, 4]. Starting with the most basic variant of the aircraft velocity control loop, we stepwise added system variants and applied automated variable reordering capabilities presented in [22] to obtain a suitable variable order such that the whole family model could be constructed. While [16] focused on enabling a reliability analysis of the aircraft velocity control loop, we approach iterative variable reordering in a generic fashion in this paper and present an automated variant of the adhoc and handcrafted concepts of [16]. Specifically, our contribution is as follows:

we formally specify iterative variable reordering along with heuristics,

present an implementation of the algorithm that enables the automated application of iterative variable reordering on Prism family models, and

evaluate the approach on an even bigger instance of the velocity control loop model from [16], showing the effectiveness of our implementation.
To the best of our knowledge, we are the first who present a variable reordering technique that is specifically tailored for family models.
Outline.
In Section 2, we provide foundations on abstract programs that formalize our models, revisit BDDs and variable reordering as well as Prism programs. The generic algorithm of iterative variable reordering is subject of Section 3. In Section 4 we briefly recall redundancy systems and the aircraft velocity control loop model we introduced in [16] which we will use in Section 5 as example for evaluating our implementation. We close the paper with some concluding remarks in Section 6.
2 Foundations
For a given set we denote by its power set, i.e., the set of all subsets of . We call a total order on a finite set an ordered domain. For a finite set of variables we assign to each variable an ordered domain from a set by a function . A variable evaluation over w.r.t. is a function that assigns to each variable a value . We denote by the set of variable evaluations over w.r.t. . In the following, we assume the function to be fixed for a given set of variables and briefly write, e.g., for the set of evaluations over .
We consider programs where is the finite set of variables on which the program is defined, is a set of commands, and is an expression specifying a set of initial variable evaluations that we denote by . Sometimes we use sloppy notations and replace by a single evaluation to represent the initial variable evaluation explicitly. Intuitively, a program defines a statebased semantics where states are variable evaluations in and commands specify how to switch to from one variable evaluation to another. Every program specifies a family of systems through the initial variable evaluations, i.e., we interpret each initial variable evaluation as entry point for a system variant. This kind of interpretation is backed by wellknown concepts from featureoriented and familybased system modeling and analysis [12, 34, 15, 9].
We intentionally defined programs in a rather abstract way, as the concepts presented in this paper are applicable to a wide range of system families described by various specification formalisms. Thus, we also leave out to specify a concrete semantics of programs.
2.1 Symbolic Representations Through Binary Decision Diagrams
Binary decision diagrams (BDDs) [24, 3] were mainly developed as a universal data structure for Boolean functions, i.e., a BDD over a set of Boolean variables describes a function that maps a set of variables assumed to be true to either true or false. Technically, a BDD over is a graph that is rooted, directed, and acyclic and where each node is either terminal and represents a result, i.e., either true or false, or it is a decision node. Each decision node is labeled by a Boolean variable from and has exactly two successor nodes: the successor node, which stands for assigning false to the respective Boolean variable, and the successor node, standing for a true assignment, respectively. We refer to the number of nodes in a BDD as size, denoted by
. In the context of model checking, BDDs are used to represent the characteristic function of the transition relation for statebased models.
Reduced Ordered BDDs.
An ordered BDD [7] is a BDD over a total order on Boolean variables where along all paths from the root to a terminal node the order is respected. The graph structure of an ordered BDD for a Boolean function
arises from a binary decision tree for
using the given variable ordering. By merging isomorphic subgraphs, eliminating terminal nodes with the same value, and removing any node whose two successors are isomorphic we obtain reduced ordered BDDs, which we simply abbreviate as BDDs in the following. In such BDDs, every two nodes represent different Boolean functions. Removing redundancies from a decision tree reveals the potential of BDDs for compactly representing Boolean functions. When BDDs are used to represent family models such as programs defined above, behavior shared between family members could lead to concise BDD representations and analysis of the family. For further details on BDDs, we refer to standard textbooks such as [32, 35].Variable Reordering.
The size of a BDD crucially depends on the given variable ordering [7]. In fact, there are Boolean functions that can be represented by BDDs of linear and exponential size depending on the chosen variable order. Reordering algorithms such as sifting [31, 29], can be applied to improve the size BDD for a given Boolean function. In case BDDs are used as a representation for statebased models, reordering techniques are applied when the model is constructed. However, when the constructed model is used for BDDbased verification, dynamic reordering during the verification process can also be applied, possibly avoiding bad variable orders in those BDDs that represent intermediate results. A good heuristic for variable orderings is to first decide variables which are “mostinfluential”, i.e., changed at the beginning of an execution of the modeled system and influence the systems behavior significantly [25].
BDDs over Program Variables.
In our setting, we use BDDs as representation for statebased models of programs, which are defined on possibly nonBoolean variables. However, every element of a finite domain can be represented by a bit vector. Given a finite domain
, we enumerate the domain by a function . Then for an element we use the bit representation of with length , i.e., introduce fresh Boolean variables to represent elements of the domain . In this way, the interpretation of BDDs on Boolean variables can easily be lifted to BDDs over variables of programs. We hence might refer to variables and functions in this general meaning rather than referring to Boolean variables and Boolean functions only. When reordering program variables, we assume that the bitwise order of the variables is maintained (i.e., bits are not exploded, see [22]).2.2 Prism Programs
We introduced programs in a generic fashion as tuples . For our case study, we rely on an instance of such programs given by the input language of the probabilistic model checker Prism [23]. In Prism, variables of are assigned to bounded intervals of integers with the standard total order on integers as ordered domain. Possible transitions between states, i.e., variable evaluations, are given by guarded commands [14] collected in . A command has the form
Here, guard is a Boolean expression over arithmetic constraints on variable evaluations, e.g., for is fulfilled in every state where variable x has value 1 and y has a value from the domain of y that is smaller or equal than 5. In case the guard evaluates to true in some state, the command is enabled, leading to a transition into a successor state by updating variables according to updates. An update describes how variables change depending on the current variable evaluation, e.g., x’=1+y changes the value of x to the increment of the value of y. Each update update_{i}
is chosen with probability
p_{i} for . That is, in every state fulfilling guard the evaluations of the expressions p_{1}, p_{2}, …, p_{n}constitute a probability distribution, i.e., must sum up to 1.
Prismprograms describe stochastic statebased models such as Markov decision processes (MDPs) or discrete Markov chains (DTMCs). For further details on such models, we refer to standard textbooks such as
[30, 6].Family Models in Prism.
In Prism, initial variable evaluations describe the entry points for system variants in families, specified through a guard encapsulated in an init block. Guards are, as for commands, Boolean expressions over arithmetic constraints on variable evaluations. All variable evaluations that fulfill the guard in the init block will be considered as initial states. For instance, when considering variables with domains and , the following init block specifies two initial states and where , , and :
The described family model would have two members, one system starting in and one starting in . In this paper, we also consider init blocks in conjunctive normal form (CNF) over single variable evaluations. The above block could, e.g., be represented in CNF by
Variable Ordering in Prism.
For its symbolic engines, Prism uses algorithms that rely on Multiterminal binary decision diagrams [11, 19, 4] (MTBDDs). MTBDDs extend BDDs by allowing for terminal nodes with real values rather than true and false. In Prism they are used as data structure for representing the transition probability matrix of stochastic models. To this end, the performance and memory consumption of an analysis by Prism crucially depends on the variable order inside the MTBDD that represents the model. In Prism, the variable order coincides with the order of variable declarations in the program, enabling reordering methods directly on the sourcecode level^{1}^{1}1Recall that we considered commands to be unordered in general programs. We hence always provide a variable order explicitly for Prism programs.. For family models in Prism, [15] showed that a suitable variable order could significantly improve the analysis speed using a handcrafted approach for tuning variable orders. In [22] automated reordering techniques for Prism models have been presented, also showing that the size of the symbolic representation of the featureoriented family model of [15] could be reduced even further and yield analysis speed ups.
3 Iterative Variable Reordering
For this section, let us fix a program on which we explain our approach of iterative variable reordering. We assume to denote the statebased semantics of the program . Furthermore, we assume that there is a uniquely defined symbolic representation of that depends on a variable order , i.e., a total order on the set of variables the program is defined on. For instance, when is a Prism program, could be the MTBDD representation of the program’s semantics in terms of an MDP or DTMC w.r.t. the variable order .
Recall that the purpose of our reordering approach is to enable the construction of a symbolic representation of system families that are not completely constructible adhoc from a given . In this paper, “constructability” is understood with respect to given memory and time constraints. The presented method can be only effective in case there is a variable order such that the complete family model is constructible. Note that even though, our presented method does not ensure to yield a constructible family model representation . This is mainly due to intermediate model representations that might be not constructible.
As prerequisites to our presented method, we rely on the following assumptions:

We have given an initial variable evaluation and a variable ordering where is constructible.

We have a reordering method that accepts a symbolic representation of a program and a variable order and returns a variable order such that .
The above assumptions intuitively provide a base for the iteration (1) and a method to iterate (2).
We specify iterative variable reordering as pseudo code in Algorithm 1, where for some evaluation domain we define its representation as conjunctive normal form (CNF) by
Choosing the CNF representing is a design decision that could be replaced by any other equivalent representation by Boolean expressions over arithmetic constraints on variables and domains.
The algorithm is instantiated with the initial variable order and initial evaluation from which we know by assumption (1) that the symbolic representation is constructible. The actual construction is performed in line 1, directly followed by a reordering step to initialize the variable order (line 2). Then, the evaluation domain based on is specified in line 4, while in line 5 the goal evaluation domain provides the sets of all values a variable can evaluate to in an initial variable evaluation of . The algorithm then iteratively adds values for variables to the evaluation domain that are used in an initial variable evaluation of until the goal evaluation domain is reached (line 610). This is done by always selecting as the variable that is minimal w.r.t. . After constructing , i.e., the symbolic representation of the program with the additional option evaluating , the symbolic representation is reordered using and is updated to a new variable order for which
due to assumption (2). The algorithm terminates always in case the intermediate symbolic representations could be constructed (see line 9) as is strictly increasing, is finite, and in each iteration step and for all we have as an invariant.
3.1 Optimization Heuristics
The basic iterative variable reordering algorithm provided by Algorithm 1 can be extended by various optimization heuristics. Such heuristics could enable or fasten the process of finding a suitable variable reorder that allows for the construction of . We focus here on the following variations:
 Step size:

For a given integer called step size, we repeat line 7 and 8 times, i.e., increase the evaluation domain by elements.
 min/max selection:

In line 7, we choose the minimal or maximal instead the minimal.
The ratio behind the stepsize heuristics is that programs with many variables might waste a lot of time with reordering while adding more family members in one iteration while they could also provide a suitable variable order where the symbolic representation is already constructible. The two latter heuristics provide a form of adaptivity to the selection of variables. For instance, when already has most influential variables at the beginning of the order, adding family members for influential variables could lead to symbolic representations not constructible anymore or, the other way around, less influential variables in front of the variable order could only lead to small changes in the reordered order. Adding variants to variables usually increases their influence on the operational behavior. It is likely that then, this variable appears more in front of the reorder, following the rule of “most influential” variables [25] in case for BDDs as symbolic representation. Choosing maximal variables adds variants to those variables that are not as influential, somehow balancing their effect on the size of the symbolic representation.
4 Redundancy System Models
To support our implementation and evaluation of the iterative variable reordering, this section is devoted to a brief summary of the approach of [16] and the models investigated in this paper.
Redundancy systems are systems where components might be replicated to increase fault tolerance of the overall system. For instance, some component could be protected by triplicating the component and process the replicas’ results through a majority voting mechanism towards a single output, implementing the wellknown triple modular redundancy (TMR) principle. Analyzing each instance of the redundancy system easily becomes infeasible as the number of possible protection combinations grows exponentially in the number of protectable components. In [16] we proposed to use familybased approaches for the analysis of redundancy systems, motivated by the fact that introducing redundancies in components also introduces common behaviors. Such common behaviors are likely to be concisely representable using symbolic techniques. We illustrated the benefits of our approach by a reliability analysis of redundancy systems modeled in Simulink [33], a widely used framework for modelbased system design. A Simulink design comprises blocks that describe the behavior of the system, connected by arrows standing for control and data flow. An example of a Simulink design is provided in Figure 1, borrowed from the Simulink example set [2].
4.1 Simulink Models with Redundancy
To introduce redundancy mechanisms into Simulink models, we consider syntactic transformation rules that describe how to obtain protected blocks from nonprotected ones. In this paper, we consider the following redundancy mechanisms [16]:
 (comparison)

The block is duplicated and both outputs are compared. In case their output differs a dedicated failure state is reached. Otherwise, the output is the one of both blocks.
 (voting)

Following the principle of triple modular redundancy principle, the block is triplicated and the output is based on a majority decision.
For Simulink models with protection mechanisms, we introduced a discrete Markov chain (DTMC) family semantics [16] that can be automatically generated using OpenErrorPro [27]. The general workflow of our approach towards a DTMC family out from Simulink models is depicted in Figure 2.
First, blocks in the Simulink model are annotated with the types of protections that should be considered, e.g., comparison or voting. In Figure 2, we annotated voting protections for the P and D block (indicated by shaded blocks). Then, the annotated model is transformed to a Simulink model that includes redundancies by replacing every block where protection should be taken into account with a switch block that depends on a fresh switch variable, followed by the actual blocks for the redundancy mechanisms. The role of the switch variable is to select the redundancy mechanism, directing the control flow, e.g., to the triplicated blocks in case of the voting mechanism. The Simulink model with redundancy stands for a family of models with different protection combinations. An error model furthermore assigns to each Simulink block the probability for some fault occurring in this block, introducing stochastics into the model required for a reliability analysis. In [16] we presented a DTMC family semantics as Prism family model generated using the tools SimPars [28] and OpenErrorPro [27]. For this, we employed a metamodel representation as Dualgraph Error Propagation Model (DEPM) [27] (see also Figure 2).
4.2 The Velocity Control Loop Model
We illustrate our approach of iterative variable reordering described in Section 3 on a Prism program that stems from an aircraft velocity control loop (VCL) with redundancies described in [16]. Our model is a simplified version of the aircraft model borrowed from the Simulink example set [2] that itself is based on a longhaul passenger aircraft flying at cruising altitude and speed, adjusting the fuel flow rate to control the aircraft velocity. Figure 1 shows the Simulink model where all blocks are amendable for protection mechanisms. In [16] we applied three different kinds of redundancy mechanisms on eight of these blocks, leading a Prism DTMC family model with family members, each member standing for one protection combination. The Prism family model generated by OpenErrorPro [27] could not immediately be constructed by Prism’s symbolic engine. We hence had to apply two (handcrafted) optimizations to enable a reliability analysis of the VCL redundancy system: reset value optimization [20, 17] and iterative variable reordering. While reset value optimization speeded up the analysis time, iterative variable reordering was the technique that enabled the construction of the model.
In this paper, we use a variant of the VCL model of [16] as starting point where neither reset value optimization nor handcrafted iterative variable reordering has been applied to and where 13 blocks could be protected with either voting or comparison mechanisms.
5 Implementation and Evaluation
In this section, we report on an implementation of the iterative variable reordering for family models expressed in the input language of Prism that follows Algorithm 1 and includes the optimization heuristics detailed in Section 3.
5.1 Implementation
Our implementation is done in Python and takes as input a Prism family model, a parameter specifying the variable selection heuristics (minimal, minimal, or maximal), and the step size of the iteration. The advantage of the heuristics is that the construction of the model can be parallelized trying different heuristics on multicore systems to eventually obtain a suitable variable order that renders the whole system family to be constructible even when some heuristics are slow or not successful.
Remark.
Prism provides a faster model construction for nonfamily models, i.e., models without an init block, than for family models as evaluating the initblock expression relies on SAT solving, an NPcomplete problem [21]. Hence, we implemented the initial construction step in line 1 of Algorithm 1 for a model representation without init block. For later constructions (line 9 of Algorithm 1) generated an init block for as indicated.
5.2 Evaluation
We evaluated our implementation on the Prism DTMC family generated from a Simulink VCL redundancy model (see Section 4) where 13 blocks are marked as protectable by comparison or voting mechanisms. Thus, we applied iterative variable reordering on a family model with protection variants, more than 24 times the number of protections considered in [16]. Note that we did not apply reset value optimization [20, 17] as in [16]. All experiments are carried out on a Linux server system^{2}^{2}22 Intel Xeon E52680 (Octa Core, Sandy Bridge) running at 2.70 GHz with 384 GB of RAM; Turbo Boost and Hyper Threading disabled; Debian GNU/Linux 9.1. with a memory bound of 30 GB of RAM, running the Prism version presented in [22].
Heuristic Comparison.
First, we evaluate the different heuristics implemented. Table 1 shows the situation of the implementation as snapshot after 20 minutes.
variable selection  step size  iteration  combinations  states  nodes 

minimal  1  22  177 147  8.67  97 386 
2  12  531 441  6.19  130 321  
3  7  118 098  6.29  101 766  
4  5  59 049  1.25  88 054  
minimal  1  22  177 147  8.67  97 386 
2  12  531 441  7.37  153 189  
3  7  118 098  8.17  138 287  
4  5  59 049  1.19  163 882  
maximal  1  12  4 096  9.47  126 338 
2  10  59 049  6.83  139 991  
3  5  7 776  1.25  251 944  
4  5  59 049  9.71  225 711 
As expected, the higher the step size, the less iterations could be performed by the iterative variable reordering. On our model, minimal and minimal selection heuristics perform best with step size 2. For both heuristics, the complete family model with its protection variants was constructed within half an hour. It is not surprising that step size 2 is a good choice as we considered two redundancy mechanisms for each block, i.e., in each step all redundancies for each block contribute to the family model at once.
Iteration Statistics.
For step size of 2 and using minimal variable selection, we detail the statistics of every iteration until the whole family model has been constructed in Table 2. We shaded the iteration that was reached after 45 minutes of computation time (cf. the shaded row in Table 1).
#nodes  time [s]  
iteration  combinations  states  before  after  model  reorder 
0  1  113 891  24 816  23 359  7.40  2.67 
1  3  347 401  24 576  23 329  7.81  2.87 
2  9  1.06  24 545  23 319  7.36  2.93 
3  27  3.93  48 413  33 647  8.48  4.76 
4  81  1.19  35 185  33 664  8.30  4.55 
5  243  4.05  52 497  40 431  9.18  6.12 
6  729  1.54  69 535  48 888  13.76  8.07 
7  2 187  6.65  94 022  55 835  23.57  11.00 
8  6 561  3.00  73 242  62 636  28.55  9.75 
9  19 683  1.85  132 279  76 518  73.55  18.14 
10  59 049  1.25  95 740  79 420  76.40  14.63 
11  177 147  8.67  120 565  97 386  155.03  19.08 
12  531 441  6.19  205 962  130 321  360.38  33.37 
13  1 594 323  4.87  256 662  160 798  723.02  41.08 
1 502.80  179.00 
In the column combinations, the family size of the intermediate family is listed. Column #nodes shows the number of MTBDDnodes used to represent that family model before applying reordering (cf. line 10 of Algorithm 1) and thereafter. The last row indicates the time required to construct the model (cf. line 9 of Algorithm 1) and to perform reordering (cf. line 10 of Algorithm 1).
Alternative Approaches.
Clearly, there are alternative methods that could be used to enable an analysis of largescale system families when the family model cannot be constructed in an adhoc fashion. The first is to switch from an allinone approach to a onebyone approach, i.e., analyzing every family member in isolation. However, even the smallest family member (see Table 2, first iteration) required more than 7 seconds for the construction of the model. One could hence expect at least seconds of construction time for all family members, which would correspond to more than one year of construction time on our test system. Second, one could apply dynamic reordering techniques as implemented in the probabilistic model checker Storm [13]. With this method, the variable order on the MTBDD is dynamically changed during the modelconstruction process. However, even with smaller families, e.g., the VCL family model from [16] where only 8 protectable blocks were considered, model construction did not finish within days. We hence conclude that, at least for the VCL family models we generated, iterative variable reordering is the only technique we considered and yielded a successful model construction.
6 Concluding Remarks
In this paper we presented iterative variable reordering as a generic method to cope with the problem of constructing family models of huge system families. While our implementation supports models specified in the input language of the probabilistic model checker Prism, the formally defined algorithm is applicable to a wide range of analysis tools that use variableorder sensitive symbolic representations for their models and support some kind of reordering mechanism. For instance, the verification of large featureoriented system families according to [12] those verification is based on the BDD engine of NuSMV also could benefit from our approach. By supporting system families given as Prism programs, our implementation can be directly applied on featureoriented systems specified in ProFeat [9]. Our methods could be also viable for familybased parameter synthesis [5]. Experiments on such system families are left for future work.
Acknowledgements.
We would like to thank Joachim Klein who extended Storm with support for family models, used to validate that dynamic reordering techniques are not viable for the VCL example.
References
 [1]
 [2] Verify Model Using Simulink Control Design and Simulink Verification Blocks (accessed 19/02/2019). https://mathworks.com/help/slcontrol/ug/modelverificationusingsimulinkcontroldesignandsimulinkverificationblocks.html.
 [3] S. B. Akers (1978): Binary Decision Diagrams. IEEE Transactions Computers 27(6), pp. 509–516, doi:http://dx.doi.org/10.1109/TC.1978.1675141.
 [4] R. I. Bahar, E. A. Frohm, C. M. Gaona, G. D. Hachtel, E. Macii, A. Pardo & F. Somenzi (1997): Algebraic Decision Diagrams and Their Applications. Formal Methods in System Design 10(2/3), pp. 171–206, doi:http://dx.doi.org/10.1023/A:1008699807402.
 [5] C. Baier & C. Dubslaff (2018): From Verification to Synthesis under CostUtility Constraints. ACM SIGLOG News 5(4), pp. 26–46, doi:http://dx.doi.org/10.1145/3292048.3292052.
 [6] C. Baier & J.P. Katoen (2008): Principles of Model Checking. MIT Press.
 [7] R. E. Bryant (1986): GraphBased Algorithms for Boolean Function Manipulation. IEEE Transactions on Computers 35, pp. 677–691, doi:http://dx.doi.org/10.1109/TC.1986.1676819.
 [8] J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill & L. J. Hwang (1992): Symbolic Model Checking: 10 States and Beyond. Inform. and Comp. 98(2), pp. 142–170, doi:http://dx.doi.org/10.1016/08905401(92)90017A.
 [9] P. Chrszon, C. Dubslaff, S. Klüppelholz & C. Baier (2018): ProFeat: featureoriented engineering for familybased probabilistic model checking. Formal Aspects of Computing 30(1), pp. 45–75, doi:http://dx.doi.org/10.1007/s0016501704324.
 [10] E. Clarke, O. Grumberg & D. Peled (2000): Model Checking. MIT Press.
 [11] E. M. Clarke, M. Fujita, P. C. McGeers, K. L. McMillan, J. C.Y. Yang & X.J. Zhao (1993): Multiterminal binary decision diagrams: An efficient data structure for matrix representation. In: Proc. International Workshop on Logic & Synthesis, doi:http://dx.doi.org/10.1023/A:1008647823331.
 [12] A. Classen, P. Heymans, P.Y. Schobbens & A. Legay (2011): Symbolic model checking of software product lines. In: Proceedings of the 33rd International Conference on Software Engineering, ICSE 2011, Waikiki, Honolulu , HI, USA, May 2128, 2011, pp. 321–330, doi:http://dx.doi.org/10.1145/1985793.1985838.
 [13] C. Dehnert, S. Junges, J.P. Katoen & M. Volk (2017): A Storm is Coming: A Modern Probabilistic Model Checker. In: 29th Int. Conf. on Computer Aided Verification (CAV), LNCS 10427, Springer, pp. 592–600, doi:http://dx.doi.org/10.1007/9783319633909_31.
 [14] E. W. Dijkstra (1975): Guarded Commands, Nondeterminacy and Formal Derivation of Programs. Commun. ACM 18(8), pp. 453–457, doi:http://dx.doi.org/10.1145/360933.360975.
 [15] C. Dubslaff, C. Baier & S. Klüppelholz (2015): Probabilistic Model Checking for FeatureOriented Systems. Transactions on AspectOriented Software Development 12, pp. 180–220, doi:http://dx.doi.org/10.1007/9783662467343_5.
 [16] C. Dubslaff, K. Ding, A. Morozov, C. Baier & K. Janschek (2019): Breaking the Limits of Redundancy Systems Analysis. In: Proceedings of the 29th European Safety and Reliability Conference, Research Publishing, Singapore, pp. 2317–2325, doi:http://dx.doi.org/10.3850/9789811127243_0618cd.
 [17] C. Dubslaff, A. Morozov, C. Baier & K. Janschek (2020): Reduction Methods on Probabilistic Controlflow Programs for Reliability Analysis. CoRR abs/2004.06637. Available at https://arxiv.org/abs/2004.06637.
 [18] E. Felt, G. York, R. Brayton & A. SangiovanniVincentelli (1993): Dynamic variable reordering for BDD minimization. In: Proceedings of EURODAC 93 and EUROVHDL 93 European Design Automation Conference, pp. 130–135, doi:http://dx.doi.org/10.1109/EURDAC.1993.410627.
 [19] M. Fujita, P.C. McGeer & J.C.Y. Yang (1997): MultiTerminal Binary Decision Diagrams: An Efficient Data Structure for Matrix Representation. Formal Methods in System Design 10(23), pp. 149–169, doi:http://dx.doi.org/10.1023/A:1008647823331.
 [20] H. Garavel & W. Serwe (2006): State space reduction for process algebra specifications. Theoretical Computer Science 351(2), pp. 131 – 145, doi:http://dx.doi.org/10.1016/j.tcs.2005.09.064. Algebraic Methodology and Software Technology.
 [21] M. R. Garey & D. S. Johnson (1979): Computers and Intractability: A Guide to the Theory of NPCompleteness. W. H. Freeman & Company.

[22]
J. Klein,
C. Baier,
P. Chrszon,
M. Daum,
C. Dubslaff,
S. Klüppelholz,
S. Märcker &
D. Müller
(2018):
Advances in probabilistic model checking with PRISM: variable reordering, quantiles and weak deterministic Büchi automata
. Intern. Journal on Software Tools for Technology Transfer 20(2), pp. 179–194, doi:http://dx.doi.org/10.1007/s1000901704563.  [23] M. Kwiatkowska, G. Norman & D. Parker (2011): PRISM 4.0: Verification of Probabilistic Realtime Systems. In G. Gopalakrishnan & S. Qadeer, editors: Proc. 23rd International Conference on Computer Aided Verification (CAV’11), LNCS 6806, Springer, pp. 585–591, doi:http://dx.doi.org/10.1007/9783642221101_47.
 [24] C. Y. Lee (1959): Representation of Switching Circuits by BinaryDecision Programs. Bell System Technical Journal 38(4), pp. 985–999, doi:http://dx.doi.org/10.1002/j.15387305.1959.tb01585.x.
 [25] S. Malik, A.R. Wang, R.K. Brayton & A. SangiovanniVincentelli (1988): Logic verification using binary decision diagrams in a logic synthesis environment. In: ComputerAided Design, 1988. ICCAD88. Digest of Technical Papers., IEEE International Conference on, pp. 6–9, doi:http://dx.doi.org/10.1109/ICCAD.1988.122451.
 [26] K. L. McMillan (1993): Symbolic Model Checking. Kluwer, doi:http://dx.doi.org/10.1007/9781461531906.
 [27] A. Morozov, K. Ding, M. Steurer & K. Janschek (2019): OpenErrorPro: A New Tool for Stochastic ModelBased Reliability and Resilience Analysis. In: 30th IEEE International Symposium on Software Reliability Engineering, ISSRE 2019, Berlin, Germany, October 2831, 2019, pp. 303–312, doi:http://dx.doi.org/10.1109/ISSRE.2019.00038.
 [28] A. Morozov, K. Janschek, T. Krüger & A. Schiele (2016): Stochastic Error Propagation Analysis of ModelDriven Space Robotic Software Implemented in Simulink. In: Proceedings of the 3rd Workshop on ModelDriven Robot Software Engineering, MORSE ’16, Association for Computing Machinery, New York, NY, USA, pp. 24–31, doi:http://dx.doi.org/10.1145/3022099.3022103.
 [29] S. Panda & F. Somenzi (1995): Who Are the Variables in Your Neighborhood. In: Proc. ComputerAided Design (ICCAD’95), IEEE, pp. 74–77, doi:http://dx.doi.org/10.5555/224841.224862.
 [30] M. L. Puterman (1994): Markov Decision Processes. Wiley, doi:http://dx.doi.org/10.1002/9780470316887.
 [31] R. Rudell (1993): Dynamic variable ordering for ordered binary decision diagrams. In: IEEE/ACM International Conference on ComputerAided Design (ICCAD93)., pp. 42–47, doi:http://dx.doi.org/10.1109/ICCAD.1993.580029.
 [32] F. Somenzi (1999): Binary Decision Diagrams. In: Calculational System Design, volume 173 of NATO Science Series F: Computer and Systems Sciences, IOS Press, pp. 303–366.
 [33] The MathWorks Inc. (2018): MATLAB and Statistics Toolbox Release 2018b. Natick, Massachusetts, United States.
 [34] T. Thüm, S. Apel, C. Kästner, I. Schaefer & G. Saake (2014): A Classification and Survey of Analysis Strategies for Software Product Lines. ACM Comput. Surv. 47, pp. 1–45, doi:http://dx.doi.org/10.1145/2580950.
 [35] I. Wegener (2000): Branching Programs and Binary Decision Diagrams: Theory and Applications. Monographs on Discrete Mathematics and Applications. SIAM, doi:http://dx.doi.org/10.1137/1.9780898719789.