Methods for the specification and verification of business processes MPB (6 cfu, 295AA) Roberto Bruni http://www.di.unipi.it/~bruni 20 - Workflow modules 1
Object We study Workflow modules to model interaction between workflows Ch.6 of Business Process Management: Concepts, Languages, Architectures 2
Problem Not all tasks of a workflow net are automatic: they can be triggered manually or by a message they can be used to trigger other tasks How do we represent this? 3
Implicit interaction Separately developed Seller workflow Some activities can input messages Some activities can rec_reject reject rec_accept accept M. Weske: Business Process Management, Springer-Verlag Berlin Heidelberg 2007 output messages 4
Implicit interaction Seller can receive Seller (symbol?) recommendations Seller can send (symbol!)?rec_reject!reject?rec_accept!accept M. Weske: Business Process Management, Springer-Verlag Berlin Heidelberg 2007 decisions 5
Interface Seller has an interface Seller for interaction It consists of some input places and ra rr sa sr?rec_reject!reject?rec_accept!accept M. Weske: Business Process Management, Springer-Verlag Berlin Heidelberg 2007 some output places 6
Interface P I Seller receiving? sending! P O ra rr sa sr?rec_reject!reject?rec_accept!accept M. Weske: Business Process Management, Springer-Verlag Berlin Heidelberg 2007 7
Problem Assume the original workflow net has been validated: it is a sound (and maybe safe) workflow net When we add the (places in the) interface it is no longer a workflow net! 8
Workflow Modules Definition: A workflow module consists of a workflow net (P,T,F) plus a set P I of incoming places plus a set of incoming arcs F I (P I x T) plus a set P O of outgoing places plus a set of outgoing arcs F O (T x P O ) such that each transition has at most one connection to places in the interface 9
Problem Workflow modules must be capable to interact How do we check that their interfaces match? How do we combine them together? 10
Strong structural compatibility A set of workflow modules is called strongly structural compatible if for every message that can be sent there is a module who can receive it, and for every message that can be received there is a module who can send it (formats of message data are assumed to match) 11
Weak structural compatibility A set of workflow modules is called weakly structural compatible if all messages sent by modules can be received by other modules more likely than a complete structural match (workflow modules are developed separately) 12
Interaction Auctioning Service P O P I Seller sending! receiving?!rec_accept?accept!rec_reject?reject ra rr sa sr P I P O ra rr sa sr?rec_reject!reject?rec_accept!accept M. Weske: Business Process Management, Springer-Verlag Berlin Heidelberg 2007 13
Interaction Auctioning Service Seller!rec_accept?accept!rec_reject?reject ra rr sa sr ra rr sa sr?rec_reject!reject?rec_accept!accept M. Weske: Business Process Management, Springer-Verlag Berlin Heidelberg 2007 14
Problem We have added places and arcs to single nets We have joined places of different nets We have paired their initial markings How do we check that the system behaves well? What has this check to do with WF net soundness? 15
Workflow systems 16
Workflow system Auctioning Service Seller ra ra!rec_accept?accept!rec_reject?reject rr sa sr rr sa sr?rec_reject!reject?rec_accept!accept M. Weske: Business Process Management, Springer-Verlag Berlin Heidelberg 2007 17
Workflow system Definition: A workflow system consists of a set of n structurally compatible workflow modules (initial places i1,...,in, final places o1,...,on) plus an initial place i and a transition ti from i to i1,...,in plus a final place o and a transition to from o1,...,on to o 18
Soundness of workflow systems A workflow system is just an ordinary workflow net We can check its soundness as usual 19
Exercise Can the system deadlock? Auctioning Service Seller ra ra!rec_accept?accept!rec_reject?reject rr sa sr rr sa sr?rec_reject!reject?rec_accept!accept M. Weske: Business Process Management, Springer-Verlag Berlin Heidelberg 2007 20
Exercise Can the system deadlock? Auctioning Service' Seller ra ra!rec_accept?accept!rec_reject?reject rr sa sr rr sa sr?rec_reject!reject?rec_accept!accept M. Weske: Business Process Management, Springer-Verlag Berlin Heidelberg 2007 21
Exercise Complete with missing arcs the following behavioural interfaces and check their compatibility pr pr! participation_req? participation_req ra rr ra rr! rec_accept! rec_reject? rec_reject? rec_accept ba br ba br? accept? reject! reject! accept a a? reject? accept! accept! reject r r M. Weske: Business Process Management, Springer-Verlag Berlin Heidelberg 2007 n n! notify? notify 22
Exercise Check compatibility of WF modules below a a e e b b f f c c g g d d h h (a) (b) 23 (c)
Weak soundness 24
Problem When checking behavioural compatibility the soundness of the overall net is a too restrictive requirement Workflow modules are designed separately, possibly reused in several systems It is unlikely that every functionality they offer is involved in each system 25
Problem Definition: A workflow net is weak sound if it satisfies option to complete and proper completion (dead tasks are allowed) Weak soundness can be checked on the RG It guarantees deadlock freedom and proper termination of all modules 26
Sound + Sound =? p1 p2 M. Weske : Busines s Proce ss Management, Springer-Verlag Berlin Heide lberg 2007 p3 27
Sound + Sound = not sound M. Weske : Busines s Proce ss Management, Springer-Verlag Berlin Heide lberg 2007 28
Sound + Sound = not sound M. Weske : Busines s Proce ss Management, Springer-Verlag Berlin Heide lberg 2007 29
Sound + Sound = not sound M. Weske : Busines s Proce ss Management, Springer-Verlag Berlin Heide lberg 2007 30
Sound + Sound = not sound M. Weske : Busines s Proce ss Management, Springer-Verlag Berlin Heide lberg 2007 31
Sound + Sound = not sound M. Weske : Busines s Proce ss Management, Springer-Verlag Berlin Heide lberg 2007 32
Sound + Sound = not sound M. Weske : Busines s Proce ss Management, Springer-Verlag Berlin Heide lberg 2007 33
Sound + Sound = not sound M. Weske : Busines s Proce ss Management, Springer-Verlag Berlin Heide lberg 2007 34
Sound + Sound = not sound M. Weske : Busines s Proce ss Management, Springer-Verlag Berlin Heide lberg 2007 35
Sound + Sound = not sound Dead tasks! M. Weske : Busines s Proce ss Management, Springer-Verlag Berlin Heide lberg 2007 36
Sound + Sound = not sound Weak Sound! M. Weske : Busines s Proce ss Management, Springer-Verlag Berlin Heide lberg 2007 37
Exercise: Preliminaries contractor subcontractor order part N0 specification cost_statement part N1 product 38
Exercise: Check Weak Soundness of The Assembly order specification cost_statement product 39
Exercise: Check Again After Refactoring Contractor order specification cost_statement product 40
Exercise: Check Again After Refactoring Both order specification cost_statement product order specification cost_statement product 41
(Contractor zoom-in) 42
(Subcontractor zoom-in) 43
Partner existence (aka controllability) Does My Service Have Partners? Karsten Wolf Universität Rostock, Institut für Informatik, 18051 Rostock, Germany karsten.wolf@uni-rostock.de K. Jensen and W. van der Aalst (Eds.): ToPNoC II, LNCS 5460, pp. 152 171, 2009. c Springer-Verlag Berlin Heidelberg 2009 44
Problem Processes are designed in isolation (loose coupling) We would like their composition to be well-behaved Given a process: Can we guarantee that at least one partner exists? If so, can we synthesize the most permissive partner? 45
Controllability Assume a notion of well-behaving is defined We say that a process N is controllable if it has at least one partner N such that the composition of N with N is well-behaving 46
Controllability: idea Given a process N we aim to construct an automaton that over-approximates the behaviour of any partner, then we iteratively remove states and arcs that invalidate the behavioural property we are after: if we end up with the empty automaton, then the process N is uncontrollable otherwise, the automaton defines the most general strategy to collaborate with N (guaranteeing the behavioural property we are after) 47
Open nets Definition: An open net consists of a net (P,T,F,m0) plus incoming places P I P plus outgoing places P O P plus a finite set Mf of final markings such that each transition has at most one connection to places in the interface any initial or final marking does not mark any place in the interface 48
Example: open net m0 = a P I = { i } P O = { o } Mf = { b } 49
Notation Definition: The label of a transition t is the interface place connected to t, if any, or the special silent action tau otherwise `(t) = x if x 2 (P I [ P O ) and (t, x) 2 F _ (x, t) 2 F otherwise 50
Example: open net m0 = a P I = { i } P O = { o } Mf = { b } `(t 1 ) = i `(t 2 ) = o 51
Closed nets An open net N = (P,T,F,m0,P I,P O,Mf) is called closed if P I = P O = 52
Inner nets Let N = (P,T,F,m0,P I,P O,Mf) be an open net and let IO = (P I P O ) be its interface its inner net In(N) is the closed net obtained by removing the interface In(N) = ( P \ IO, T, F \ ((IO T) (T IO)), m0,,, Mf ) 53
Example: inner net 54
Bounded and responsive nets We focus on open nets N such that their inner nets In(N) are bounded (in the usual sense, they have finite occurrence graphs) responsive from any marking m either a final marking is reachable or m enables a transition t connected to the interface 55
Composition of open nets Given two open nets N1 = (P1,T1,F1,m01,P I 1,P O 1,Mf1) N2 = (P2,T2,F2,m02,P I 2,P O 2,Mf2) such that P I 1=P O 2 and P O 1= P I 2 56
Composition of open nets Given two open nets N1 = (P1,T1,F1,m01,P I,P O,Mf1) N2 = (P2,T2,F2,m02,P O,P I,Mf2) their composition N = N1 N2 is the closed net N = ( P1 P2, T1 T2, F1 F2, m01+m02,,, Mf1 Mf2 ) A final marking of the composed net is any combination of final markings of the original nets note that even if N1 and N2 are bounded and responsive, their composition N1 N2 is not necessarily so 57
Behavioural properties: DF A closed net N = (P,T,F,m0,,,Mf) is DF (deadlock-free) if any non-final reachable marking enables a transition 8m 2 ([m 0 i \ M f ). 9t. M t! 58
DF,k-controllable nets A bounded and responsive open net N = (P,T,F,m0,P I,P O,Mf) is DF,k-controllable if there is a (bounded and responsive) partner N such that N N is DF and any place p (P I P O ) is k-bounded in N N such an N is called a DF,k-strategy of N 59
Approach Start with a bounded and responsive open net N = (P,T,F,m0,P I,P O,Mf) 1st step Define a strategy TS0 which is an automaton such that a state q of TS0 represents the set of markings N can be in while TS0 is in q i.e. q is the view of N according to the interactions observed so far Note that TS0 can be infinite 60
Notation A special symbol # tags final states Given a set of markings M of N, we denote by cl(m)n the closure of M i.e., the set of markings reachable in N from any of the markings in M cl(m) N = { m 0 9m 2 M. m 0 2 [Mi N } 61
TS 0 =(Q, E, q 0,Q f ) TS 0 q 0 = cl({m 0 }) N q 0 2 Q if q 2 Q if # 62 q any state q has a final counterpart then q 0 = q [ # 2 Q, q! q 2 E, q! q 0 2 E if x 2 P I ^ # 62 q then q 0 = cl({m + x m 2 q}) 2 Q, q x! q 0 2 E if x 2 P O TS0 simulates the production of messages in input places TS0 simulates the consumption of messages from output places then q 0 = {m x m 2 q, m(x) > 0}\{#} 2 Q, q x! q 0 Q f = {q 2 Q # 2 q} 62
Approach Starting from the strategy TS0 2nd step Define a strategy TS1 that removes from TS0 all states q that contains a marking m that exceeds the capacity bound k for some place in the interface (as a consequence remove all adjacent edges and all states that become unreachable) TS1 is always a finite automaton (actually it can be constructed directly from N) 63
TS 1 TS 0 =(Q, E, q 0,Q f ) Q 1 = Q \{q 2 Q 9m 2 q. 9x 2 (P I [ P O ).m(x) >k} E 1 = {q! q 0 2 E q, q 0 2 Q 1 } Q f1 = Q f \ Q 1 TS 1 =(Q 1,E 1,q 0,Q f1 ) 64
DF,1-controllability example: TS 1 N cl({a}) N 65
DF,1-controllability example: TS 1 N any state q has a final counterpart 66
DF,1-controllability example: TS 1 simulates the production of messages in input places cl({a + i, b + o + i}) N N 67
DF,1-controllability example: TS 1 N any state q has a final counterpart 68
DF,1-controllability example: TS 1 N q1 has not outgoing arc with label i because of 1-boundedness (this is TS1, not TS0) 69
DF,1-controllability example: TS 1 N cl({b}) N simulates the consumption of messages from output places 70
DF,1-controllability example: TS 1 N any state q has a final counterpart 71
DF,1-controllability example: TS 1 simulates the consumption of messages from output places N cl({b + i}) N simulates the production of messages in input places 72
DF,1-controllability example: TS 1 N any state q has a final counterpart 73
DF,1-controllability example: TS 1 simulates the consumption of messages from output places N 74
DF,1-controllability example: TS 1 N simulates the consumption of messages from output places cl({}) N 75
DF,1-controllability example: TS 1 N any state q has a final counterpart 76
DF,1-controllability example: TS 1 N 77
Approach Starting from the strategy TSi Iterative step Define a strategy TSi+1 that removes from TSi all states q that can invalidate the property of interest (as a consequence remove all adjacent edges and all states that become unreachable) At some point TSj+1 = TSj and we terminate 78
Notation We can compose TS i with N, writtents i N States are pairs [q, m] with q 2 Q i and m 2 q if m! t m 0 in N then [q, m] `(t)! [q, m 0 ] if q! q 0 2 E i then [q, m]! [q 0,m] if q! x q 0 2 E i with x 2 P I then [q, m]! x [q 0,m+ x] if q! x q 0 2 E i with x 2 P O and m(x) > 0 then [q, m]! x [q 0,m x] 79
DF,1-controllability example: TS 1 N 80
TS i+1 TS i =(Q i,e i,q 0,Q fi ) remove the state q if q! q is the only edge with source q remove the state q if 9m 2 q such that in TS i N if [q 0,m 0 ] is reachable from [q, m] then m 0 62 M f and only sequences of -steps are possible from [q, m] 81
DF,1-controllability example: TS 2 82
DF,1-controllability example: TS 2 83 X
DF,1-controllability example: TS 2 X 84 X
DF,1-controllability example: TS 2 X X 85 X
DF,1-controllability example: TS 2 X X X 86 X
DF,1-controllability example: TS 2 87
DF,1-controllability example: TS 2 N 88
DF,1-controllability example: TS 2 N X 89
X DF,1-controllability example: TS 2 N X 90
X DF,1-controllability example: TS 2 N X X X 91
X DF,1-controllability example: TS 2 N X X X X 92
DF,1-controllability example: TS 2 N X X X X X X 93
DF,1-controllability example: TS 2 N X X X X X X X X 94
DF,1-controllability example: TS 3 95
DF,1-controllability example: TS 3 N 96
Note Note the presence of a state associated with the empty set of markings it can appear in a strategy, but is actually unreachable in the composition with N for DF,k-controllability it makes no harm 97
DF,k-controllability theorem Let TS = (Q,E,q0,Qf) be the automaton produced by applying the above procedure to the open net N Theorem N is DF,k-controllable iff Q (proof omitted) 98
Behavioural properties: LF A closed net N = (P,T,F,m0,,,Mf) is LF (livelock-free) if from any reachable marking a final marking is reachable 8m 2 [m 0 i. [mi\m f 6= ; 99
LF,k-controllable nets A bounded and responsive open net N = (P,T,F,m0,P I,P O,Mf) is LF,k-controllable if there is a (bounded and responsive) partner N such that N N is LF and any place p (P I P O ) is k-bounded in N N such an N is called a LF,k-strategy of N 100
Approach We construct TS0 and TS1 as before. We change only the iterative step Iterative step Define a strategy TSi+1 that removes from TSi all states q that can invalidate the property of interest (as a consequence remove all adjacent edges and all states that become unreachable) At some point TSj+1 = TSj and we terminate 101
TS i+1 TS i =(Q i,e i,q 0,Q fi ) remove the state q if 9m 2 q such that in TS i no [q 0,m 0 ] with q 0 2 Q fi ^ m 0 2 M f is reachable from [q, m] N 102
LF,k-controllability theorem Let TS = (Q,E,q0,Qf) be the automaton produced by applying the above procedure to the open net N Theorem N is LF,k-controllable iff Q (proof omitted) 103