
Page 1: Model Checking and Abstraction for Workflow Nets Verificationfltiplea/Papers/TiML2004.pdf · The interest in Petri nets for workflow modeling is amply justified by their properties

Model Checking and Abstraction for Workflow Nets Verification⋆

Ferucio Laurențiu Țiplea1,⋆⋆, Dan Cristian Marinescu1, and Chuang Lin2

1 School of Computer Science, University of Central Florida, Orlando, FL 32826-2362, USA, {tiplea,dcm}@cs.ucf.edu

2 Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China, [email protected]

Abstract. We present a model checking abstraction technique for bounded workflow nets. We split the original bounded workflow net into two sub-workflow nets, and augment one of them by the relation induced by the other one; the result is called a workflow module. When the workflow module is bounded, we provide a simulation relation from the original workflow to the workflow module, which preserves the ∀CTL∗ formulas. Finally, we discuss criteria for splitting bounded workflow nets to obtain bounded workflow modules.

1 Introduction

The term workflow refers to a complex task consisting of a set of interdependent atomic activities. For example, a complex computation carried out on a computational grid can be considered a workflow [1]. The traditional approaches to workflow modeling have several limitations: they do not scale up well, have limited fault tolerance, are inflexible, do not support inter-operability, and do not lend themselves easily to formal verification of correctness. Two approaches for workflow modeling based on solid theoretical foundations, one based on Petri nets (workflow nets), and one based on directed acyclic graphs (workflow graphs), seem most promising.

The interest in Petri nets for workflow modeling is amply justified by their properties [2]: Petri nets have a well-defined semantics, provide a graphical language, and are expressive. Moreover, many properties and analysis techniques for Petri nets are now available. Workflow graphs introduced in [3, 4] provide a more direct way of modelling workflows. They are based on directed acyclic graphs with two types of nodes, tasks and conditions. The graph has one initial node with no incoming flows, and one final node with no outgoing flows. Several control structures for workflow graphs are defined: sequence, and-split, and-join, or-split, and or-join. Workflow graphs can be used to identify structural conflicts in process models, such as deadlock and lack of synchronization³.

⋆ The research reported in this paper was partially supported by National Science Foundation grants MCB9527131, DBI0296107, ACI0296035, and EIA0296179, and by National University Research Council of Romania grant CNCSIS632/2004.

⋆⋆ On leave from Faculty of Computer Science, “Al.I.Cuza” University of Iasi, Romania.

First International Workshop on Petri Nets and Coordination PNC 04, Bologna (Italy), June 21, 2004, 131-145.

An important property of a workflow model is proper termination. To satisfy the proper termination property a workflow net must be sound. The soundness property of a workflow net requires that (i) the marking with a single token on the final place is reachable from any marking which, in turn, is reachable from the marking with a single token on the initial place, (ii) the marking containing a token on the final place is unique, and (iii) the net with a single token on the initial place has no dead transitions.

The soundness of a workflow net is equivalent to liveness and boundedness, which can be decided by using standard Petri net techniques [7]. The soundness of workflow nets has been extended to support modeling various situations encountered in practice. For example, structural soundness allows modeling of systems with shared resources [8]. Structural soundness permits k > 1 tokens on the initial and final place. Generalized soundness, introduced in [9], requires that the marking with k tokens on the final place be reachable from any marking which is in turn reachable from the marking with k tokens on the initial place. Generalized soundness is decidable [10].

Soundness is a very important correctness criterion for a workflow net, but it is not the only one. Two new properties have been considered, separability and serialisability [9]. The former is a behavioral property - the behavior of a workflow net with k tokens in the initial node can be seen as a combination of the behavior of k copies of the net, each one of them with a single token in the initial place. Serialisability requires that the set of traces of a workflow net with id-markings (each token has an identifier) is equal to the set of traces of an abstraction of the workflow net. In general, we wish to have a model that meets some specifications given for example by a temporal logic formula. This becomes even more important when workflow models are data dependent. Recently, data has been recognized as a fundamental aspect of workflow specification [11], but there are few results in the validation of process data.

A few proposals for verifying workflow specifications by model checking or by using compositional reasoning are known. For example, the TRACTA approach, developed for modeling and analysis of concurrent and distributed systems, is used in practice [12]. In this case labeled transition systems are used to model the behavior of system components and to express system properties. Such properties are verified by reachability analysis combined with compositionality to avoid the state space explosion. [13] introduces certain operators for composing simple workflow nets to construct complex workflow nets and to verify their properties, but focuses mainly on the termination property - the guaranteed option to terminate successfully.

Only scalable methods based on abstraction and modularization are able to handle realistic problems. Such techniques transform the task of verifying a large system into verification of simpler systems. Modularization exploits the modular structure of a complex system composed of multiple processes running in parallel. In this paper we consider each process as a reactive system (i.e., a collection of variables that, over time, change their values in a sequence of rounds) because, from the point of view of each process, the rest of the system can be viewed as an environment that continuously interacts with the process. Then, we derive properties (proofs) of the entire system from partial (local) properties involving (abstractions of) its modules (components). We propose a model checking technique based upon abstraction for verifying bounded workflow nets against ∀CTL∗ formulas. Informally, our method works as follows: the original bounded workflow net is split into two sub-workflow nets. One of them is augmented by the relation induced by the other one. The result is called a workflow module. When this workflow module is bounded, a simulation from the original workflow net to it can be established. This simulation assures that a substantial fragment of ∀CTL∗ formulas is preserved by delaying from the workflow module to the original workflow net. In this manner, the state space of the original workflow net can be drastically reduced [14]. Then, we present several splitting criteria which lead to bounded workflow modules (the boundedness requirement is necessary in order to apply model checking procedures).

³ The algorithm given by Sadiq and Orlowska in [3, 4] to verify structural conflicts proved to be incomplete. See [5] and [6] for a complete solution.

2 Temporal Logic

We plan to split workflow structures (nets or graphs) into two workflow substructures. Each sub-workflow is characterized by an internal (proper) behavior and an external behavior (the behavior under the influence of the other sub-workflow). This is why the transition relation of Kripke structures (defined later) is divided into two relations, internal and external.

We use the universal branching-time temporal logic ∀CTL∗ to specify properties of the systems we want to verify [15]. There are two types of formulas in ∀CTL∗, path and state formulas. Their syntax is given by the following rules, where A is a set of atomic propositions, p ∈ A, ϕ is a state formula, and ψ is a path formula:

(i) ϕ := true | false | p | ¬p | ϕ ∨ ϕ | ϕ ∧ ϕ | ∀(ϕ);
(ii) ψ := ϕ | ψ ∨ ψ | ψ ∧ ψ | Xψ | ψ U ψ | ψ V ψ.

The semantics of this logic is given [15, 16] by using fair Kripke structures (structures, for short) K = (Q, Q⁰, A, L, ρ, F), where Q is a finite set of states, Q⁰ ⊆ Q is a set of initial states, A is a finite set of atomic propositions, L : Q → P(A) is a function that labels each state with the set of atomic propositions true in that state, ρ ⊆ Q × Q is a transition relation, and F ⊆ P(Q) is a set of fairness constraints given as Büchi acceptance conditions (P(A) is the powerset of A). If ϕ is a state formula, the notation K, q |= ϕ means that ϕ holds at state q in the structure K. When ϕ is true in all initial states of K we write K |= ϕ.

Consider now the operators ◇ and U= given by “◇ϕ iff true U ϕ” and “ϕ U= ψ iff ϕ U (ϕ ∧ ψ)”, and call them eventually and until with equality. For a given formula ϕ, denote by ϕ̄ the formula obtained from ϕ by replacing all the occurrences of U by U=, and by ϕ̃ the formula defined inductively as follows:

– if ϕ = true, false, p or ¬p, then ϕ̃ = ϕ;
– if ϕ = ϕ₁ ∨ ϕ₂ (ϕ = ϕ₁ ∧ ϕ₂, ϕ = ∀(ϕ₁), resp.), then ϕ̃ = ϕ̃₁ ∨ ϕ̃₂ (ϕ̃ = ϕ̃₁ ∧ ϕ̃₂, ϕ̃ = ∀(ϕ̃₁), resp.);
– if ϕ = Xϕ₁ (ϕ = ϕ₁ U ϕ₂, ϕ = ϕ₁ V ϕ₂, resp.), then ϕ̃ = ◇ϕ̃₁ (ϕ̃ = (◇ϕ̃₁) U ϕ̃₂, ϕ̃ = ϕ̃₁ V (◇ϕ̃₂), resp.).

The formula ϕ̃ is called the delayed version of the formula ϕ [17]. We can also apply this construction to formulas ϕ̄ by replacing the operator U by U=.

We assume that the transition relation ρ of each structure K is the union of two given binary relations on states, ρ = ρⁱ ∪ ρᵉ, not necessarily disjoint. The relation ρⁱ models the internal state-changes in K (that is, proper atomic steps performed by K), and ρᵉ models external state-changes in K (that is, state-changes caused by an environment). Usually, ρᵉ is not completely known, but we can approximate it. In many practical cases we know the response of an environment to an output of the module; indeed this is the case of sound workflow nets.

Each structure Kⱼ, j = 0, 1, 2, ..., we consider is assumed to have the components Kⱼ = (Qⱼ, Qⱼ⁰, Aⱼ, Lⱼ, ρⱼ, Fⱼ), where ρⱼ = ρⱼⁱ ∪ ρⱼᵉ.

Definition 1. Let K₁ and K₂ be two structures, and A ⊆ A₁ ∩ A₂. Let q and q′ be states in K₁ and K₂, respectively. A simulation from (K₁, q) to (K₂, q′) with respect to A is a binary relation H ⊆ Q₁ × Q₂ such that (q, q′) ∈ H and, for all q₀ and q′₀, if (q₀, q′₀) ∈ H then:

(1) L₁(q₀) ∩ A = L₂(q′₀) ∩ A;

(2) for every fair path σ = q₀q₁··· in K₁ there is a fair path σ′ = q′₀q′₁··· in K₂ and a decomposition of σ, σ = q_{i₀}···q_{i₁}···q_{i₂}··· where i₀ = 0, such that for all j ≥ 0 the following hold:
• (i_{j+1} = i_j + 1 ∧ (q_{i_j}, q_{i_{j+1}}) ∈ ρ₁ᵉ ⇒ (q′_j, q′_{j+1}) ∈ ρ₂ᵉ ∧ (q_{i_{j+1}}, q′_{j+1}) ∈ H);
• (i_{j+1} = i_j + 1 ∧ (q_{i_j}, q_{i_{j+1}}) ∈ ρ₁ⁱ ⇒ (q′_j, q′_{j+1}) ∈ ρ₂ ∧ (q_{i_{j+1}}, q′_{j+1}) ∈ H);
• (i_{j+1} > i_j + 1 ⇒ (q′_j, q′_{j+1}) ∈ ρ₂ᵉ ∧ (q_{i_{j+1}}, q′_{j+1}) ∈ H).

A binary relation H is a simulation from K₁ to K₂ with respect to A, denoted K₁ ≺_A K₂, if for any q ∈ Q₁⁰ there exist q′ ∈ Q₂⁰ and a simulation relation from (K₁, q) to (K₂, q′) with respect to A.

When ρ₁ᵉ = ρ₂ᵉ = ∅ and A = A₂ ⊆ A₁ our definition of simulation is that from [15] (except for the fact that we use fairness constraints given as Büchi but not as Streett acceptance conditions).

Theorem 1. ([17]) Let K₁ and K₂ be two structures and A ⊆ A₁ ∩ A₂. If K₁ ≺_A K₂ then, for every ∀CTL∗ formula ϕ over A, K₂ |= ϕ̃ implies K₁ |= ϕ.

This theorem should be interpreted as follows. If we have two structures K₁ and K₂, and K₂ is an abstraction of K₁ but there is a simulation from K₁ to K₂, then the validity of ϕ̃ in K₂ implies the validity of ϕ in K₁.


3 Model Checking by Abstraction Applied to Workflow Nets

Now we show that Theorem 1 can be applied to bounded workflow nets. Boundedness is a necessary condition for soundness, as we shall see in the next subsection, and soundness is a generally recognized correctness criterion for workflow nets. Informally, the methodology we propose consists of the following steps:

– given a bounded workflow net Σ we decompose it into two Petri nets Σ₁ and Σ₂ such that at least one of them is a bounded workflow net, say Σ₂;

– we associate to Σ a Kripke structure K whose transition relation is entirely internal, and we associate to Σ₁ a Kripke structure K₁,₂ whose transition relation contains external steps induced by Σ₂ into Σ₁;

– we conclude by showing that there is a simulation from K to K₁,₂ and, therefore, Theorem 1 can be applied.

At the end of the section we present several criteria for decomposing bounded workflow nets into two Petri nets such that at least one of them is bounded.

3.1 Petri Nets and Workflow Nets

Recall first a few concepts regarding Petri nets (for details see [18]). A Petri net is a tuple Σ = (S, T, F, W), where S and T are two finite sets (of places and transitions, respectively), S ∩ T = ∅, F ⊆ (S × T) ∪ (T × S) is the flow relation, and W : (S × T) ∪ (T × S) → N is the weight function of Σ, verifying W(x, y) = 0 iff (x, y) ∉ F. Given x ∈ S ∪ T we denote •x = {y | (y, x) ∈ F} and x• = {y | (x, y) ∈ F}.

A marking of Σ is any function M ∈ N^S from S into the set N of natural numbers. By setting a total order on S, markings can be represented as (S-indexed) vectors. In our paper, S is of the form S = {s1, ..., sn} or S = {i, s1, ..., sn, o} and, in this case, the total order on S is the left-to-right written order of its elements. For example, the vector (1, 2, 3, 4) identifies the marking M on S = {i, s1, s2, o} given by M(i) = 1, M(s1) = 2, M(s2) = 3, and M(o) = 4. The transition relation of a Petri net Σ states that a transition t is enabled at a marking M, denoted by M[t⟩Σ, if M(s) ≥ W(s, t) for all s ∈ S. If t is enabled at M, then it can fire yielding a new marking M′ given by M′(s) = M(s) − W(s, t) + W(t, s) for all s ∈ S; we denote this by M[t⟩Σ M′. The transition relation is extended as usual to sequences of transitions. When there is a sequence w ∈ T∗ such that M[w⟩Σ M′ we say that M′ is reachable (from M in Σ). By [M⟩Σ we denote the set of all reachable markings (from M) in Σ.

Let Σ be a Petri net and M₀ a marking of it. We say that Σ is n-bounded with respect to M₀, where n ∈ N, if M(s) ≤ n for all M ∈ [M₀⟩Σ and places s; it is called bounded with respect to M₀ when it is n-bounded with respect to M₀ for some n ∈ N, and safe with respect to M₀ when it is 1-bounded with respect to M₀. Σ is called live with respect to M₀ if for any transition t and any M ∈ [M₀⟩Σ there is a marking M′ ∈ [M⟩Σ such that M′[t⟩Σ.

In our discussion we omit “with respect to M₀” and simplify the notation [·⟩Σ to [·⟩ whenever the definition of the marking M₀ and of the Petri net Σ is clear from the context.

A workflow net (WF net) is a Petri net Σ with the following two properties:

(i) Σ has two special places, i and o. The place i is called the input place of Σ and it satisfies •i = ∅, and the place o is called the output place of Σ and it satisfies o• = ∅;

(ii) Any node x ∈ S ∪ T in the graph associated to Σ is on a path from i to o.

Given a WF net Σ, a place s of it, and a natural number n ≥ 1, we denote by M_s^n the marking M_s^n : S → N given by M_s^n(s) = n and M_s^n(s′) = 0 for all s′ ≠ s. When n = 1 the notation is simplified to M_s.

A WF net Σ is called n-sound, where n ≥ 1 is a natural number, if it satisfies the following two properties:

1. (∀M ∈ [M_i^n⟩)(M_o^n ∈ [M⟩);
2. (∀t ∈ T)(∃M ∈ [M_i^n⟩)(M[t⟩).

Most authors require one more property to be satisfied by n-sound WF nets:

(∀M ∈ [M_i^n⟩)(M(o) ≥ n ⇒ M = M_o^n).

However, this property can be obtained easily from (1) [10]. Indeed, if there were s ∈ S − {o} such that M(o) ≥ n and M(s) ≠ 0, then the marking M_o^n would never be reached from M because each transition in Σ has at least one outgoing arc and o• = ∅.

Sound WF nets are 1-sound WF nets [7], structurally sound WF nets are n-sound WF nets for some n [8], and generalized sound WF nets are n-sound WF nets for all n [9]. As it has been pointed out in [8], the soundness characterization results in [7] can be extended to n-soundness as follows.

Theorem 2. ([8]) A WF net Σ is n-sound iff the Petri net Σ̄ is live and bounded with respect to M_i^n, where Σ̄ is the Petri net obtained from Σ by adding a new transition t∗ connecting only the places o and i and such that W(o, t∗) = W(t∗, i) = n.

3.2 Asynchronous Composition of Workflows

The place/transition refinement is a good starting point for the design and analysis of complex workflow nets. Several refinement operations based on a suitably chosen composition operation are known [7, 9]. For example, the transition refinement in [7] is based on the following composition operation on Petri nets: given two Petri nets Σ₁ and Σ₂ which have in common only a subset Sc of places, their composition, denoted Σ₁ ∘ Σ₂, is the union of the Petri nets. Both Petri nets Σ′₁ and Σ₂ in Figure 1, from [7], are generalized sound WF nets.

[Figure 1 not reproduced: two WF nets drawn with places i, o, s1–s9 and transitions t1–t12; Σ′₁ contains the transition t that is later refined, and Σ₂ runs between s4 and s6.]

Fig. 1. Two WF nets, Σ′₁ and Σ₂

The refinement of t in Σ′₁ by Σ₂ means to remove t from Σ′₁. Let Σ₁ be the Petri net obtained in this way. Then we compose Σ₁ and Σ₂ along Sc = {s4, s6} as shown in Figure 2.

For verification of WF nets we are interested in the “inverse” of the composition operation (and not in the inverse of the transition refinement operation). For example, the Petri net Σ in Figure 2 is a WF net which can be decomposed into Σ₁ and Σ₂ (but not into Σ′₁ and Σ₂). In this case, both of them are WF nets. Sometimes, one of them is not a WF net, as in the case shown in Figure 3. When we decompose the Petri net Σ₁ in Figure 1 along {s1, s5} we get the Petri nets in Figure 3. Σ₁² is a WF net, but Σ₁¹ is not. In general, this fact is not very important for our discussion and it will be addressed later.

By decomposing Σ as above, we want to verify properties of it by analysing only Σ₁. The behavior of Σ₁ in Σ is highly influenced by Σ₂ by means of the places in Sc. The good thing is that Σ₂ is a bounded WF net (being a generalized sound WF net) and, consequently, the only transformation it can generate is to move one token from s4 to s6 (assuming that M_i is the initial marking of Σ).

This transformation can be described by using a binary relation R on Sc as given in Figure 4. The couple (Σ₁, ({s4, s6}, R)) acts as an abstraction of Σ = Σ₁ ∘ Σ₂.

We use a formalism more specific to WF nets and generalize some of the ideas in [19, 17, 20].

Two Petri nets Σ₁ and Σ₂ are called compatible with respect to a subset of places Sc if S₁ ∩ S₂ = Sc and T₁ ∩ T₂ = ∅. If they are compatible then they can be composed. Their composition is denoted by Σ₁ ∘_{Sc} Σ₂ (or simply Σ₁ ∘ Σ₂, when Sc is clear from the context) and is defined as follows:

– Σ₁ ∘ Σ₂ = (S, T, F, W), where S, T, F, and W are the union of the sets of places, transitions, flow relations, and weight functions of Σ₁ and Σ₂, respectively.

[Figure 2 not reproduced: the net Σ = Σ₁ ∘ Σ₂ with places i, o, s1–s9 and transitions t1–t12.]

Fig. 2. Σ = Σ₁ ∘ Σ₂ obtained by refining t in Σ′₁ by Σ₂

[Figure 3 not reproduced: the two nets Σ₁¹ and Σ₁² obtained by decomposing Σ₁ along {s1, s5}.]

Fig. 3. Σ₁ = Σ₁¹ ∘ Σ₁², Σ₁² is a WF net, but Σ₁¹ is not a WF net

When dealing with such compositions, the set Sc is called the set of interface or shared places, while S₁ⁱ = S₁ − Sc and S₂ⁱ = S₂ − Sc are the sets of internal places of Σ₁ and Σ₂, respectively.

A couple 𝓜 = (Σ, 𝓡) formed by a net Σ and a set 𝓡 of binary relations on subsets of S (i.e., each element of 𝓡 is a pair (Sc, R), where Sc ⊆ S and R ⊆ N^Sc × N^Sc), is called a Petri net module or, simply, a module. When 𝓡 is a singleton, 𝓡 = {(Sc, R)}, we will write simply 𝓜 = (Σ, (Sc, R)).

The transition relation 𝓜 induces is the binary relation [·⟩𝓜 on N^S given as follows. For all M, M′ ∈ N^S, M[x⟩𝓜 M′ iff

1. x is a transition and M[x⟩Σ M′, or

2. x = (M^c, M_c) ∈ R, M|S−Sc = M′|S−Sc and (M|Sc, M′|Sc) = x, for some (Sc, R) ∈ 𝓡.

[Figure 4 not reproduced: the net Σ₁ (places i, o, s1–s6, transitions t1–t6, t12) together with the relation on {s4, s6} below.]

R = {((1,0),(0,0)), ((0,0),(0,0)), ((0,0),(0,1)), ((1,0),(0,1))}

Fig. 4. (Σ₁, ({s4, s6}, R)) acts as an abstraction of Σ = Σ₁ ∘ Σ₂

Sometimes we will simply write M R M′ instead of M[(M^c, M_c)⟩𝓜 M′.

Petri net composition is extended componentwise to modules by 𝓜₁ ∘ 𝓜₂ = (Σ₁ ∘ Σ₂, 𝓡₁ ∪ 𝓡₂), whenever Σ₁ ∘ Σ₂ is defined.

A WF module is any module 𝓜 = (Σ, 𝓡) satisfying:

(i) There are two special places i and o with the same properties as for WF nets;

(ii) Any node x ∈ S ∪ T in the graph associated to Σ is on a path from i to o, or there is (Sc, R) ∈ 𝓡 and y ∈ Sc such that x ∈ Sc and there is a path from i to x and from y to o, or vice versa (i.e., a path from i to y and from x to o).

The concept of soundness for WF modules is introduced as for WF nets by taking into consideration the transition relation of WF modules.

Example 1. (1) The couple 𝓜₁ = (Σ₁, ({s4, s6}, R)) in Figure 4 is a WF module. It acts as an abstraction of Σ₁ ∘ Σ₂.

(2) If we compose the Petri nets Σ₁¹ and Σ₁² in Figure 3 along {s1, s5} we get the Petri net Σ₁ in Figure 1. Let R′ be the binary relation on N^{s1,s5} given by R′ = {((1, 0), (0, 0)), ((0, 0), (0, 1)), ((1, 0), (0, 1))}. It can be easily verified that 𝓜₁¹ = (Σ₁¹, ({s1, s5}, R′)) is a WF module. This WF module acts as an abstraction of Σ₁ = Σ₁¹ ∘ Σ₁².

3.3 From WF Nets to Kripke Structures

Our main goal is to set up a model checking technique for (structurally, generalized, n-) sound WF nets based on abstraction. As such WF nets are bounded, most of the constructions in this paragraph hold for bounded Petri nets as well. The main difference between bounded Petri nets and n-sound WF nets, for instance, consists in the fact that the relation R obtained by decomposing n-sound WF nets is very small. This is because n-sound WF nets start from a marking M_i^n and end up with a marking M_o^n.

There is a general construction [21] which associates to each pair (Σ, M₀), where Σ is a bounded net with respect to M₀, a Kripke structure without fairness constraints K(Σ, M₀) = (Q, Q⁰, A, L, ρ). We adapt this construct to our case as follows:

– we regard places as variables ranging over finite sets of positive integers. Then, the set of states is the set of all the interpretations of variables (markings of Σ componentwise bounded by some integer n). The only initial state is M₀;

– we may define a set A of atomic propositions using the variables in S and the constants, functions and predicates over the corresponding domains (as in [22], p. 182). These propositions should be either true or false at a marking (state) M, and they will be used to define state and path formulas. Let L be the function which associates to each marking M the set of all atomic propositions in A satisfied at M;

– we specify the transitions of Σ in an obvious way: (M, M′) ∈ ρ iff there is a transition t such that M[t⟩Σ M′. The relation ρ is considered internal (ρ = ρⁱ).

This construction can be extended to bounded modules 𝓜 = (Σ, 𝓡) with respect to M₀ (i.e., Σ is bounded with respect to M₀) by simply adding the external transition relation

ρᵉ = {(M, M′) ∈ N^S × N^S | (∃(Sc, R) ∈ 𝓡)(M′|Sⁱ = M|Sⁱ ∧ (M|Sc, M′|Sc) ∈ R)}

to the Kripke structure K(Σ, M₀). Moreover, the set Sc is regarded as a set of external (interface) variables, for any (Sc, R) ∈ 𝓡. We denote this structure by K(𝓜, M₀).

We suppose from now on that for every net or module a set of atomic propositions is given (referring to its set of markings). Moreover, we assume that whenever we merge (combine) two markings M₁ and M₂ which agree on some places (in order to obtain a marking of the composed net or module), the propositions that are satisfied at the new marking are exactly those that are satisfied at M₁ and M₂.

Example 2. The Kripke structure K(𝓜₁, M_i) associated to the WF module 𝓜₁ in Example 1(1) is given in Figure 5. It has only 14 states, in contrast to the Kripke structure associated to the net Σ = Σ₁ ∘ Σ₂ in Figure 2 (together with the initial marking M_i), which has 20 states.

If we consider the initial state M_i^2 for the Petri net Σ, then the associated Kripke structure has about 200 states. The Kripke structure associated to 𝓜₁, with the same initial marking M_i^2, has less than 60 states. We will see later that we can transfer properties from 𝓜₁ to Σ. This shows us clearly how important such an abstraction is when we wish to verify temporal properties of WF nets by model checking.

We may also add a set F of fairness constraints to all Kripke structures obtained as above. We will denote the newly obtained structures by K(Σ, M₀, F) and K(𝓜, M₀, F). The tuples (Σ, M₀, F) and (𝓜, M₀, F) will be called fair nets and fair modules, respectively. The simulation and satisfaction relations are defined for them by means of the structures they induce. For example, (𝓜₁, M₁, F₁) ≺_A (𝓜₂, M₂, F₂) stands for K(𝓜₁, M₁, F₁) ≺_A K(𝓜₂, M₂, F₂).

[Figure 5 not reproduced: the 14-state Kripke structure, each state labelled by its marked places among i, o, s1–s6; dashed arcs indicate a transition by R.]

Fig. 5. The Kripke structure K(𝓜₁, M_i)

To define the notion of an abstraction of a module we introduce first the concept of a narrowed relation. If R is a binary relation on a set N^A and B ⊂ A, then the narrowed relation associated to R and B, denoted R/B, is the relation obtained from R by removing all the components that are not in B. For example, if A = {a1, a2, a3}, R = {((1, 2, 0), (2, 3, 1))} and B = {a1, a3}, then R/B = {((1, 0), (2, 1))}.

Now, let (𝓜, M₀, F) be a fair module which is a composition of two nets along a subset Sc of places, (𝓜, M₀, F) = ((Σ₁ ∘ Σ₂, 𝓡), M₀, F). Define the fair module (𝓜₁,₂, M₁,₂, F₁,₂) = ((Σ₁, 𝓡₁,₂), M₁,₂, F₁,₂) as follows:

– 𝓡₁,₂ = R₂ ∪ 𝓡′, where:
1. R₂ is the set of all pairs (M|Sc, M′|Sc), where M is reachable from M₀ in (Σ₁ ∘ Σ₂, 𝓡) and M′ is reachable from M by transitions in Σ₂, with at least one transition occurrence. This relation will be called the relation induced by Σ₂ in Σ with respect to M₀;
2. 𝓡′ = {(S − S₂ⁱ, R/(S − S₂ⁱ)) | (S, R) ∈ 𝓡};

– M₁,₂ = M₀|S₁;

– F₁,₂ = {{M|S₁ | M ∈ A} | A ∈ F}.

In general, 𝓜₁,₂ has more behavior than 𝓜 (an example showing this can be found in the extended version of our paper [14]).

Example 3. We will give an example of a two step abstraction applied to the WF net Σ in Figure 2 (for simplicity, fairness constraints are omitted). In the first step, we view Σ as a composition of two Petri nets, (𝓜, M_i) = ((Σ₁ ∘ Σ₂, 𝓡), M_i), where the composition is along {s4, s6} and 𝓡 = ∅. We abstract from Σ₂ and we get the fair module (𝓜′, M′_i) = ((Σ₁, 𝓡′), M′_i), where 𝓡′ = {({s4, s6}, R)}, R is the relation in Figure 4, and M′_i = M_i|S₁.

In the second step, we write Σ₁ as a composition of two Petri nets as in Figure 3, ((Σ₁, 𝓡′), M′_i) = ((Σ₁¹ ∘ Σ₁², 𝓡′), M′_i). Now, we abstract from Σ₁² and we get (𝓜″, M″_i) = ((Σ₁¹, 𝓡″), M″_i), where 𝓡″ = {({s4, s6}, R), ({s1, s5}, R′)}, R′ is the binary relation in Example 1(2), and M″_i = M′_i|S₁¹. The Kripke structure associated to (𝓜″, M″_i) is given in Figure 6. It has 13 states.

[Figure 6 not reproduced: the 13-state Kripke structure, each state labelled by its marked places among i, o, s1–s6; dashed arcs indicate a transition by R, dotted arcs a transition by R′.]

Fig. 6. The Kripke structure K(𝓜″, M″_i)

The main theorem of our paper follows:

Theorem 3. If $(\mathcal{M}, M_0, \mathcal{F})$ and $(\mathcal{M}_{1,2}, M_{1,2}, \mathcal{F}_{1,2})$ given as above are bounded modules, then

$$(\mathcal{M}, M_0, \mathcal{F}) \prec_{A_1} (\mathcal{M}_{1,2}, M_{1,2}, \mathcal{F}_{1,2})$$

($A_1$ denotes the set of atomic propositions associated to $\Sigma_1$).

Corollary 1. If $(\mathcal{M}, M_0, \mathcal{F})$ and $(\mathcal{M}_{1,2}, M_{1,2}, \mathcal{F}_{1,2})$ given as above are bounded modules, then

$$(\mathcal{M}_{1,2}, M_{1,2}, \mathcal{F}_{1,2}) \models \varphi \;\Rightarrow\; (\mathcal{M}, M_0, \mathcal{F}) \models \varphi,$$

for any $\forall\mathrm{CTL}^*$ formula $\varphi$ over the set of atomic propositions of $\Sigma_1$.

3.4 Separating Bounded Modules from Bounded Modules

The main problem in using Theorem 3 and its corollary is to find a method to decompose bounded modules $(\mathcal{M}, M_0, \mathcal{F})$ such that $(\mathcal{M}_{1,2}, M_{1,2}, \mathcal{F}_{1,2})$ is a bounded module. If $\Sigma$ is a bounded Petri net with respect to $M_0$, then any decomposition $\Sigma = \Sigma_1 \circ \Sigma_2$ leads to bounded Petri nets $\Sigma_1$ and $\Sigma_2$. But $(\Sigma_1, \mathcal{R}_{1,2})$ might be unbounded with respect to $M_0|_{S_1}$ (an example showing this can be found in the extended version of our paper [14]).

We say that a module $(\Sigma, \mathcal{R}) = (\Sigma_1 \circ \Sigma_2, \mathcal{R})$ is context-free with respect to $\Sigma_2$ and $M_0$ if for every pair $(M^c, M'^c)$ induced by $\Sigma_2$ and for every marking $M$ reachable from $M_0$ in $(\Sigma, \mathcal{R})$, if $M|_{S_c} = M^c$ then $\Sigma_2$ can induce $(M^c, M'^c)$ at $M$ (that is, a marking $M'$ is reachable from $M$ only by transitions in $\Sigma_2$ and $M'|_{S_c} = M'^c$).

Theorem 4. If $\mathcal{M} = (\Sigma_1 \circ_{S_c} \Sigma_2, \mathcal{R})$ is a module satisfying the properties:

(1) it is bounded with respect to $M_0$;
(2) it is context-free with respect to $\Sigma_2$ and $M_0$;
(3) $S' \cap S^i_2 = \emptyset$, for all $(S', R) \in \mathcal{R}$,

then $\mathcal{M}_{1,2} = (\Sigma_1, \mathcal{R}_{1,2})$ is a bounded module with respect to $M_0|_{S_1}$.

If the second condition in the above theorem fails, then $\mathcal{M}_{1,2} = (\Sigma_1, \mathcal{R}_{1,2})$ might not be bounded with respect to $M_0|_{S_1}$. Similarly, if the third condition fails, then $\mathcal{M}_{1,2} = (\Sigma_1, \mathcal{R}_{1,2})$ might not be bounded with respect to $M_0|_{S_1}$ (examples showing this can be found in the extended version of our paper [14]).

Theorem 5. If $\mathcal{M} = (\Sigma_1 \circ_{\{i,o\}} \Sigma_2, \mathcal{R})$ is a module satisfying the properties:

(1) it is $n$-bounded with respect to $M_0$, for some $n \geq 1$;
(2) $\Sigma_2$ is a $k$-sound WF net for all $k \leq n_0$, where $n_0 = \max\{M(i) \mid M \in [M_0\rangle_{\mathcal{M}}\}$ ($i$ is the input place and $o$ is the output place of $\Sigma_2$);
(3) $S' \cap S^i_2 = \emptyset$, for all $(S', R) \in \mathcal{R}$,

then $\mathcal{M}_{1,2} = (\Sigma_1, \mathcal{R}_{1,2})$ is a bounded module with respect to $M_0|_{S_1}$.

In the general case, Property (2) in Theorem 5 does not imply that $\mathcal{M}$ is context-free with respect to $\Sigma_2$ and $M_0$. Of course, Theorem 5 also holds when $\Sigma_2$ is generalized sound.

We conclude that if we have an $n$-bounded WF module and are able to isolate a WF net as in Theorem 5, then Corollary 1 can be applied to it to verify properties that can be expressed in our temporal logic. For example, the modules in Example 3 satisfy the hypotheses of Theorem 5 and, therefore, Corollary 1 can be applied to them.
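The definitions of Section 3.3 (the narrowed relation $R/_B$ and the relation $R_2$ induced by $\Sigma_2$ on the shared places) and the three hypotheses of Theorem 5 can be checked mechanically on a small net. The following Python program is an added example, not code from the paper or its authors. It assumes a plain place/transition-net encoding, a constructed pair of nets $\Sigma_1$ and $\Sigma_2$ composed along $\{i, o\}$ with $\mathcal{R} = \emptyset$, and the $k$-soundness definition of van Hee et al. [9] (from $k$ tokens on $i$, every reachable marking can still reach exactly $k$ tokens on $o$); it goes slightly beyond the text by also computing the bound $n$ and $n_0 = \max M(i)$ for the composed net.

```python
"""Added example (not code from the paper): a small place/transition-net
simulator that computes the narrowed relation R/B of Section 3.3, the relation
R2 induced by a subnet Sigma2 on the shared places, and the hypotheses of
Theorem 5 on a constructed WF net.  The encoding, the sample nets and the
k-soundness definition (van Hee et al. [9]) are assumptions."""
from collections import deque


class PetriNet:
    """Markings are tuples indexed by `places`; a transition is (pre, post)."""
    def __init__(self, places, transitions):
        self.places = list(places)
        self.idx = {p: k for k, p in enumerate(self.places)}
        self.transitions = transitions  # name -> ({place: weight}, {place: weight})

    def marking(self, **tokens):
        return tuple(tokens.get(p, 0) for p in self.places)

    def enabled(self, m, t):
        return all(m[self.idx[p]] >= w for p, w in self.transitions[t][0].items())

    def fire(self, m, t):
        pre, post = self.transitions[t]
        m = list(m)
        for p, w in pre.items():
            m[self.idx[p]] -= w
        for p, w in post.items():
            m[self.idx[p]] += w
        return tuple(m)

    def reachable(self, m0, allowed=None, bound=64):
        """[m0> firing only `allowed` transitions (default: all).  A place
        exceeding `bound` raises ValueError: the net is (probably) unbounded."""
        allowed = set(self.transitions) if allowed is None else set(allowed)
        seen, queue = {m0}, deque([m0])
        while queue:
            m = queue.popleft()
            for t in allowed:
                if self.enabled(m, t):
                    m2 = self.fire(m, t)
                    if max(m2) > bound:
                        raise ValueError("place exceeds %d tokens" % bound)
                    if m2 not in seen:
                        seen.add(m2)
                        queue.append(m2)
        return seen


def narrow_marking(m, places, keep):
    """M|keep: drop the components of m whose place is not in `keep`."""
    return tuple(m[places.index(p)] for p in keep)


def narrow_relation(rel, places, keep):
    """R/keep: the narrowed relation, projecting both sides of every pair."""
    return {(narrow_marking(a, places, keep), narrow_marking(b, places, keep)) for a, b in rel}


def induced_relation(net, m0, t2, sc):
    """R2: pairs (M|Sc, M'|Sc) with M reachable from m0 in the composed net and
    M' reachable from M by at least one occurrence of a Sigma2 transition (t2)."""
    pairs = set()
    for m in net.reachable(m0):
        for t in t2:
            if net.enabled(m, t):
                for m2 in net.reachable(net.fire(m, t), allowed=t2):
                    pairs.add((narrow_marking(m, net.places, sc), narrow_marking(m2, net.places, sc)))
    return pairs


def is_k_sound(wf, i, o, k):
    """k-soundness (van Hee et al. [9], assumed): from k tokens on i, every
    reachable marking can still reach exactly k tokens on o and nothing else."""
    final = wf.marking(**{o: k})
    return all(final in wf.reachable(m) for m in wf.reachable(wf.marking(**{i: k})))


def theorem5_hypotheses(net, m0, sigma2, i, o, relations):
    """Conditions (1)-(3) of Theorem 5 for Sigma1 o_{i,o} Sigma2 and relation
    set `relations` = [(S', R), ...]: returns (n, n0, sigma2_sound, cond3)."""
    reach = net.reachable(m0)                                    # ValueError here: (1) fails
    n = max(max(m) for m in reach)                               # (1) the net is n-bounded
    n0 = max(m[net.idx[i]] for m in reach)                       # most tokens ever on i
    sound = all(is_k_sound(sigma2, i, o, k) for k in range(1, n0 + 1))  # (2)
    internal = set(sigma2.places) - {i, o}                       # S^i_2
    return n, n0, sound, all(not (set(s) & internal) for s, _ in relations)  # (3)


# Constructed Sigma2: WF net with input i, output o and a parallel split/join.
SIGMA2 = PetriNet(["i", "p1", "p2", "o"], {"ta": ({"i": 1}, {"p1": 1, "p2": 1}),
                                           "tb": ({"p1": 1, "p2": 1}, {"o": 1})})
# Constructed unsound variant: each branch ends on its own, so o can get two tokens.
SIGMA2_BAD = PetriNet(["i", "p1", "p2", "o"], {"ta": ({"i": 1}, {"p1": 1, "p2": 1}),
                                               "tb": ({"p1": 1}, {"o": 1}),
                                               "tc": ({"p2": 1}, {"o": 1})})
# Constructed Sigma1 and the composition Sigma1 o_{i,o} Sigma2 with R empty.
SIGMA1 = PetriNet(["s1", "i", "o", "s3"], {"u1": ({"s1": 1}, {"i": 1}),
                                          "u2": ({"o": 1}, {"s3": 1})})
WHOLE = PetriNet(["s1", "i", "p1", "p2", "o", "s3"], {**SIGMA1.transitions, **SIGMA2.transitions})
M0, SC = WHOLE.marking(s1=1), ["i", "o"]

if __name__ == "__main__":
    print(narrow_relation({((1, 2, 0), (2, 3, 1))}, ["a1", "a2", "a3"], ["a1", "a3"]))
    print(sorted(induced_relation(WHOLE, M0, ["ta", "tb"], SC)))
    print(theorem5_hypotheses(WHOLE, M0, SIGMA2, "i", "o", []), is_k_sound(SIGMA2_BAD, "i", "o", 1))
```

On the constructed nets the induced relation contains, besides the pairs $((1,0),(0,0))$ and $((1,0),(0,1))$ that consume the token on $i$, the pair $((0,0),(0,1))$ recorded from the marking in which $\Sigma_2$'s token sits on its internal places; this is the kind of pair through which the abstract module can show more behavior than the original net. The `bound` guard in `reachable` is what turns an unbounded decomposition into an error instead of a non-terminating exploration, which matters because Theorem 3 and Corollary 1 are only stated for bounded modules.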

Summary

We present a model checking technique for bounded workflow nets based on a decomposition of the original net into two subnets. We augment one of them by the relation induced by the other and apply model checking to the result of this transformation, the so-called workflow module, instead of to the original workflow net. We prove that, when one of the subnets is a k-sound workflow net for every k ≤ n, where n is the upper bound for all reachable marking components of the original workflow net, the workflow module is bounded. Moreover, the relation induced by a k-sound workflow net is very small, so such a decomposition leads to a substantial reduction of the effort required for model checking. The properties of the workflow module we are able to prove by model checking with this technique can be expressed by a substantial fragment of ∀CTL*. As is common practice when using abstraction, our technique is also based on a simulation relation from the original workflow net to the abstract one (the workflow module). This simulation preserves the delayed version of our formulas, and many interesting properties are invariant to delaying.


References

1. Marinescu, D.C.: Internet-Based Workflow Management: Towards a Semantic Web. Wiley, New York, NY (2002) 627+xxiii pages.

2. van der Aalst, W.: Three good reasons for using a Petri-net-based workflow management system. In: Proceedings of the International Working Conference on Information and Process Integration in Enterprises (IPIC'96), Cambridge, Massachusetts (1996) 179–201

3. Sadiq, W., Orlowska, M.: Applying graph reduction techniques for identifying structural conflicts in process models. In: Proceedings of the 11th International Conference on Advanced Information Systems Engineering CAiSE'99. Volume 1626 of Lecture Notes in Computer Science. (1999) 195–209

4. Sadiq, W., Orlowska, M.: Analyzing process models using graph reduction techniques. Information Systems 25 (2000) 117–134

5. Lin, H., Zhao, Z., Li, H., Chen, Z.: A novel graph reduction algorithm to identify structural conflicts. In: Proceedings of the 35th Hawaii International Conference on System Sciences, IEEE Computer Society Press (2002)

6. van der Aalst, W., Hirnschall, A., Verbeek, H.: An alternative way to analyze workflow graphs. In: Proceedings of the 14th International Conference on Advanced Information Systems Engineering (CAiSE'02). Volume 2348 of Lecture Notes in Computer Science. (2002) 535–552

7. van der Aalst, W.: Structural characterization of sound workflow nets. Technical Report 23, Eindhoven University of Technology (1996)

8. Barkaoui, K., Petrucci, L.: Structural analysis of workflow nets with shared resources. In: Proceedings of the Workshop "Workflow Management: Net-based Concepts, Models, Techniques and Tools WFM'98", Lisbon, Portugal (1998) 82–95

9. van Hee, K., Sidorova, N., Voorhoeve, M.: Soundness and separability of workflow nets in the stepwise refinement approach. In: Proceedings of the 24th International Conference on Application and Theory of Petri Nets. Volume 2679 of Lecture Notes in Computer Science. (2003) 337–356

10. van Hee, K., Sidorova, N., Voorhoeve, M.: Generalised soundness of workflow nets is decidable. In: Proceedings of the 25th International Conference on Application and Theory of Petri Nets, Bologna, Italy (2004) to appear.

11. Sadiq, S., Orlowska, M., Sadiq, W., Foulger, C.: Data flow and validation in workflow modelling. In: Proceedings of the International Conference in Research and Practice in Information Technology, Dunedin, New Zealand (2003)

12. Karamanolis, C., Giannakopoulou, D., Magee, J., Wheater, S.: Model checking of workflow schemas. In: Proceedings of the 4th International Enterprise Distributed Object Computing Conference, Makuhari, Japan (2000)

13. Voorhoeve, M.: Compositional modeling and verification of workflow processes. In van der Aalst, W., Desel, J., Oberweis, A., eds.: Business Process Management - Models, Techniques and Empirical Studies. Volume 1806 of Lecture Notes in Computer Science. (2000) 184–200

14. Tiplea, F., Marinescu, D., Lin, C.: Verifying workflow nets by model checking and abstraction. IEEE Transactions on Automatic Control (2004) (submitted).

15. Grumberg, O., Long, D.: Model checking and modular verification. ACM Transactions on Programming Languages and Systems 16 (1994) 843–871

16. Clarke, E., Grumberg, O., Long, D.: Model checking. In: Model Checking, Abstraction and Composition. Volume 152 of NATO ASI Series F. Springer-Verlag (1996) 477–498


17. Tiplea, F., Tiplea, A.: A simulation preorder for abstraction of reactive systems. In: Proceedings of the 3rd International Workshop VMCAI 2002. Volume 2294 of Lecture Notes in Computer Science, Venice, Italy (2002) 272–288

18. Reisig, W.: Petri Nets. An Introduction. EATCS Monographs on Theoretical Computer Science. Springer-Verlag (1985)

19. Tiplea, F., Tiplea, A.: Petri net reactive modules. Technical Report 1999-7, Institut für Informatik, Universität Augsburg (1999) 50 p.

20. Tiplea, F., Tiplea, A.: A compositional semantics for Petri net reactive modules. In: Proceedings of NATO International Workshop on Concurrent Information Processing and Computing CIPC2003, Sinaia, Romania, IOS Press (2004)

21. Esparza, J., Melzer, S.: Model checking LTL using constraint programming. Technical report, Technische Universität München (1997)

22. Manna, Z., Pnueli, A.: The Temporal Logic of Reactive and Concurrent Systems. Specification. Springer-Verlag (1992)