Formal techniques for analyzing business process models by Sivaraman, Eswar





Bachelor of Technology 
National Institute of Foundry & Forge Technology 
Ranchi, India 
1996 
Master of Science 
Oklahoma State University 
Stillwater, Oklahoma 
1998 
Submitted to the Faculty of the 
Graduate College of 
Oklahoma State University 
in partial fulfillment of 
the requirements for 
the Degree of 











M ,~ ~~ 
"'j Thesis Advisor 
11 
Acknowledgments 
I would like to share with the reader a poem that I came across at the Museum of Fine 
Arts, Houston - it was titled INNOCENCE. 
Young, naive, curious, and pure, 
new to life and all the hardships to endure. 
Untarnished by the world's offenses and lies, 
he sees nothing but good through his unbiased eyes. 
Waiting to be molded, he's impressionable as clay, 
receiving characteristics and features day by day. 
I know he'll soon grow up and find his way, 
without too many bruises I hope and pray. 
Innocence is a virtue pure and clean, 
childhood to adulthood, somewhere in between. 
I am deeply grateful to the faculty and staff of the School of Industrial Engineering & 
Management for letting me retain my innocence and· grow up without too many bruises. 
The School has been a home away from home, and that which I lost in not being under 
my father's shadow, I have more than made up for, within the walls of the department. 
The sum total of who I am, my values, and my unflinching belief in goodness and honesty, 
all of which I have been fortunate enough to preserve while here at OSU, I owe to my par-
ents; were it not for their support and blessings, this would not have been possible. It is 
not possible to acknowledge their sacrifices with a simple 'thank you' - my debt is eternal. 
I have admired the personality, the professionalism, and the teaching style of many a 
professor, and I most earnestly aspire to see their shadows in mine. I would like to 
take this opportunity to record my admiration for the following professors - Drs. Ken-
neth E. Case, David B. Pratt, William J. Kolarik (Ind. Engg), Martin T. Hagan (Elec. 
lll 
Engg), Wade B. Brorsen (Ag. Econ), Dave Witte, Alan A. Adolphson, John Wolfe, 
Dennis Bertholf (Mathematics), James Cain (Philosophy), Leroy J. Folks, Mark Payton 
(Statistics), and Blayne Mayfield (Computer Science). To each, I owe a debt of grat-
itude - I have learnt a lot by observing them, both inside and outside the classroom, 
and I am happy to say that most of my mannerisms have been influenced (or tempered) 
by the greatest gift that I could have ever received from them, that of being their student. 
I would like to thank the members of my dissertation advisory committee - Dr. David 
B. Pratt, Dr. William J. Kolarik, and Dr. Syam Menon for their time and interest in 
helping me succeed. I have benefited immensely from my observations and interactions 
with all of them - at times, from a distance, but, close nevertheless. 
This research was supported, in part, by the National Science Foundation, under the 
Scalable Enterprise Systems initiative (Grant# DMI-0075588). 
I am (probably) the worst student anyone can ever have, and Dr. Manjunath Karnath 
is the best advisor anyone can ever have - he has allowed me tremendous freedom of 
thought, expression, and unlimited opportunity to explore my creativity and curiosity. It 
has been a privilege to have earned his trust, friendship, and cherished regard. There is 
a dialogue from the movie Nixon that I often recall - "a man must sometimes go down 
to the deepest and darkest depths of despair before he can begin to appreciate the glory 
of standing at the highest peak" - I am grateful that I had the benefit of Dr. Kamath's 
counsel and wisdom to pull me out from my many frequent trips to the abyss. Growing 
up is not easy; growing up alone is even worse - Dr. Karnath is the closest surrogate 
that I have had for a father, while here in the U.S., and to him, I most fondly dedicate 
this dissertation with these words:1 
The time has come for closing books and long last looks must end 
And as I leave I know that I am leaving my best friend behind. 
A friend who taught me right from wrong and weak from strong 
That's a lot to learn, but what can I give you in return? 





Table of Contents 
1 Introduction 
1.1 Business Process Modeling: Purpose and Scope 
1.2 Motivation for this Research 
1.3 The Control Flow Problem . 
1.3.1 The Control Flow Model . 
1.3.2 Control Flow: Statement of the Problem 
1.3.3 Control Flow: Overview of Research 
1.4 The Resource-Sharing Problem . . . . . . . 
1.4.1 Formalism for Specifying Resource Requirements 
1.4.2 Resource-Sharing: Statement of the Problem . 
1.4.3 Resource-Sharing: Overview of Research 
1.5 Summary . . . . . . . . . . . . . . . . . . . . . 
2 Review of the Literature 
2.1 Business Process Modeling: Major Issues 
2.2 Business Processes - General Classification 
2.3 Business Process Modeling Methodologies 
2.4 Workflow Management .... 
2.4.1 The Modeling Phase 
2.4.2 The Execution Phase . 
2.4.3 Implementation Issues in Workflow Management . 
2.4.4 Process & Workflow Meta-Models - Basic Concepts 
2.4.5 Summary . . . . . . . . . . . . . . . 
2.5 Control Flow Verification: Research Review 
2.5.1 Petri-net Formalizations .. 






























Model-theoretic Event Algebras 
Other Related Network Models 
Summary ........... . 
2.6 Resource-Sharing Correctness: Research Review 
2.6.1 Summary ..... 
3 The Korrectness Algorithm 
3.1 Introduction & Background 
3.2 The Korrectness Algorithm 
3.3 
3.2.1 Definitions ..... . 
3.2.2 The Control Flow Problem is NP-Complete 
3.2.3 Construction of Meta-Paths ..... . 
3.2.4 The Komplete Korrectness Algorithm . 
3.2.5 Resolving Cycles in the Control Flow Model 
3.2.6 Complexity Analysis . . . . . . . . . . . . . 
3.2.7 Diagnostic Checking of the Control Flow Model 
Summary ........... . 
4 The Resource-Sharing Problem 
4.1 Introduction & Background . . 
4.2 The Control Flow Model Revisited 
4.3 The Resource-Sharing Problem: Some Ideas 
4.4 Single-Instance Verification ......... . 
4.4.1 Identifying Circular-Waits Within Concurrent Sets 
4.4.2 Identifying Circular-Waits Across Concurrent Sets . 
4.5 The Static-Design Net Representation ........ . 
4.5.1 The Static-Design Net ............ . 
4.5.2 Computing Minimum Resource Requirements 
4.5.3 Summary . . . . . . . 
4.6 Multiple-Instance Verification 
4.7 Summary .......... . 
5 Modeling and Analysis of Business Process Models 
5.1 MAPS: Proof-Of-Concept Implementation 


































5.3 Analysis and Verification Capabilities of MAPS 
5.3.1 Syntax Verification .... 
5.3.2 Control Flow Verification . 
5.4 Summary . . . . . . . . . . . . . 
6 Summary & Research Contributions 
6.1 Summary . . . . . . . . . . 
6.2 Research Contributions . . . 
6.3 Future Research Directions . 
A Petri Nets: A Primer 
A.1 What is a Petri Net? 
A.2 Basic Definitions .. 
A.3 Additional Concepts 

















List of Figures 
1.1 A Sample Control Flow Model ............. . 
1.2 Mapping an OR logical operand with XORs and ANDs 
2.1 Classification of Business Processes 
2.2 Example of a Workflow Specification 






2.4 Process Meta-Model . . . . . . . . . . . . . . . . 28 
2.5 Petri Net Representation - An Example (control-flow only) 30 
2.6 Two Examples - (a) Non Free-Choice Net, and (b) Free-Choice Net 31 
2. 7 Metagraphs - An Example . . . . . . . . . . . . . . . . . . . . . . . 35 
2.8 Representational Equivalence of Metagraphs & Petri nets - An Example . 35 
3.1 An Illustration of Paths and Meta-paths . . . . . . . . . . . . . . . . 39 
3.2 (a) XOR-Representation, (b) AND-Repr., and (c) Path-Repr. Graphs 42 
3.3 A Control Flow Model with the Maximum Number of S-F Paths 45 
3.4 Connectivity between Vertices in V* and V \ V* . . . . . . . . . . 52 
3.5 Control Flow Sub-model Possibilities for the Case V* n AJ =/. 0 . . 53 
3.6 Illustration of Multiple Paths from an AND-Split to an XOR-Join 54 
3.7 Expected Number of Valid Meta-Paths in a Random Control Flow Model 58 
3.8 Incorrect Process Model - An Example . . . . . . . . 63 
4.1 Partitioning the Control Flow Model - An Example . 67 
4.2 Two different classes of Circular-Wait (CW) problems . 72 
4.3 Circular-Wait Within A Concurrent Set - Another Example 74 
4.4 Petri Net Representation of the Process Model - An Example 76 
4.5 The Static-Design Net Representation - An Example 78 
4.6 Another Example of a Deadlock-Free Process Model . 81 
Vlll 
4.7 Example of a Process with Problems of Deadlock across Multiple Instances 85 
5.1 A Sample Screen-shot of MAPS .... 
5.2 Identifying the Set of Valid Meta-paths 
5.3 Identifying the Set of Valid Meta-paths 






List of Tables 
1.1 Types of Business Processes ................ . 
1.2 Incorrect Control Flow Models - Some Illustrations ... . 
1.3 Incorrect Resource Allocation Models - Some Illustrations 
2.1 A Comparison of Metagraphs and Petri nets . 
3.1 Control Flow Sub-models with Empty Cycles. 








List of Algorithms 
1 Path Enumeration ... 45 
2 Meta-Path Enumeration 49 
3 The Korrectness Algorithm 50 
4 The Partition Algorithm .. 68 
xi 
List of Notation 
























Set of natural numbers, {O, 1, ... } 
Set of all vertices in the control flow model 
Set of all vertices leading out from, and into, vertex x 
The Start node in the control flow model 
The Finish node in the control flow model 
Set of all Tasks in the control flow model 
Set of all XOR-Splits in the control flow model 
Set of all XOR-Joins in the control flow model 
Set of all AND-Splits in the control flow model 
Set of all AND-Joins in the control flow model 
Number of AND- and XOR-Joins 
Number of AND- and XOR-Splits 
Maximum out-degree of AND- and XOR-Splits 
Maximum in-degree of AND- and XOR-Joins 
Minimum out-degree of AND- and XOR-Splits 
Minimum in-degree of AND- and XOR-Joins 
Set of all edges in the control flow model 
Counter on edge (x, y) in the control flow model 
Set of all S - F paths in the control flow model 
Set of all valid meta-paths 
Vertices covered by the paths in valid meta-path m 
Set of all counters arriving at either AND-Join or -Split a 
Set of all paths through AND-Join a 
Set of all AND-Joins in path p 
Xll 











The set { R 1 , R2 , ... , Rr} of all resources 
Number of units available for resource Ri 
Number of units of resource Ri captured by task Tj 
Number of units of resource Ri released by task Tj 
Set of all concurrent sets { Gani} obtained from the control flow model 
Set of concurrent elements that occur on valid meta-path m 
The set of concurrent sets {Con"['} with vertices restricted to V ( m) 
Static-Design Net representation of valid meta-path m 
Incidence matrix of SD"lJet 
Transition sequence Con0 = {S}, Con1 , •.• , Con";= {F} in SD"lJet 
Initial marking of SD"lJet that enables CJm 
Set of weighted arcs connecting transitions to places in SD"lJet 





A business process is much like a recipe - it involves some tasks, ingredients, and re-
sources, all coming together to create something that is useful (and hopefully palatable). 
While cooking involves mostly sequential activities, business processes are characterized 
by combinations of concurrency, choice, and asynchronism, the mix of which could lead to 
incorrect designs. The purpose of this chapter is to highlight challenges in the verification 
of business process designs, and to chart the scope and purpose of this research. 
1.1 Business Process Modeling: Purpose and Scope 
A business process is an ordered sequence of tasks/activities involving people, materials, 
energy, equipment, or information, designed to achieve some specific business outcome. 
Business processes are usually one of either a material, information, or a people process, 
or a combination thereof, the characteristics of which are presented in Table 1.1 [21]. 
1 
Table 1.1: Types of Business Processes 
Process Type 
Material Information People 
(Things) (Data) (Relationships) 
Transform and as-
semble raw materi- Store, retrieve, ma- Articulate and 
als and components nipulate, display, and complete condi-
Purpose into other compo- communicate struc- tions of satisfaction 
nents and finished tured and unstructured between customers 
products, using re- data and knowledge and performers 
sources. 
Based on the tra-
Based on the tradi- Based on structures 
Characteristics ditions of industrial 
tions of computer sci- of human communi-
engineering 
ence and software engi- cation and coordi-
neering nation 
Assemble, Inspect, Request, Promise, 
Verbs Transform, Store, 
Send, Transact, Invoke, Offer, Decline, Pro-
Transport 
Save, Forward, Query pose, Cancel, Mea-
sure 
A business process specifies what a business does, and more importantly, determines 
how well the business does what it does [65]. To this end, irrespective of the type or the 
context of the business process, it is imperative that it be well-designed, to ensure that 
it is both effective and efficient. The effectiveness of a business process is a function of 
the match between the process's operational objectives and the customer's needs, and 
efficiency is an assessment of the process's performance and the level of resource uti-
lization, and depends on its configuration (i.e., its design). The standard approach to 
designing and implementing business processes is to rely on a domain expert to develop 
a process configuration that is subsequently "tuned-up" and configured using descriptive 
(e.g., simulation, queuing models) and/ or prescriptive (e.g., optimization) techniques. 
However, there is a subtle, but significant question that is often never asked, namely -
"what is the guarantee that the process's configuration is correct?" This question has 
2 
become increasingly important, given the growing interest in process automation [18, 21] 
and enterprise integration [62]. Problems, if any, in the design of a process, are usually 
detected by simulating the run-time behavior of a process. The purpose of this disserta-
tion is to develop generic techniques for verifying the correctness of a process's design, by 
focusing exclusively on its static structural definitions, without recourse to any simulated 
executions. 
The study of business processes requires that a description of the business process be 
prepared by a domain expert, namely, one that is context-specific and rich in detail, and 
accommodative of different operational perspectives, occurrence scenarios, etc. - SAP's 
EPC [52], Baan's DEM1 , and IDEF3 [65] are all examples of process description languages 
that allow a domain expert to represent his/her understanding of the business process 
with complete conceptual clarity [47]. Business process modeling (BPM) is the collective 
term for the process of specifying business process descriptions. To quote Vernadat [93]: 
"Enteprise (process) modeling is concerned with the representation and speci-
fication of the various aspects of an enterprise's operations, namely, functional 
aspects that describe what things are to be done, and in what order; infor-
mational aspects that describe which objects are used or processed; resource 
aspects that describe what or who performs things and according to which 
policy; and organizational aspects that describe the organizational structure 
within which things are to be done." 
The purpose of this research is to develop techniques for verifying that the functional 
and resource aspects of a process's design are correct. The major questions addressed in 
this research are briefly summarized below: 
1. FUNCTIONAL ASPECTS - is the logic of the process correct, i.e., does the flow 
of control within the process ensure that the process will execute correctly from 
initiation to completion? 
1http://www.dynaflow-dem.com 
3 
2. RESOURCE ASPECTS - is the release and capture of shared resources among dif-
ferent tasks, either in the same or in different instances of a process, well-designed 
so as to avoid conflict? 
1.2 Motivation for this Research 
The need for re-designing existing business processes, improving process efficiencies, co-
ordinating technology with distributed manpower and material resources, and enforcing 
rapid process development and design makes it imperative to adequately represent, study, 
and when possible, automate business processes [22, 33]. This is especially significant 
in the context of today's growing interest in workftow management, which promises au-
tomated control and coordination of business processes, made possible by the numerous 
advances in information technology [18, 79, 62]. Consequently, it is important that design 
errors, if any, be identified and eliminated before the process is deployed, i.e., implemented 
for execution by an automated system. Unlike manual implementation and coordination 
of a process, where human intuition can readily respond to errors and inconsistencies, 
automated solutions require that the process, by design, be correct. This will guarantee 
that any delays or errors in the automated execution arise only from sources like data 
inconsistency, failure of supporting IT infrastructure, etc., and not for anything lacking 
in the design of the process. 
Process descriptions are generally developed using graphical languages that include con-
structs for modeling concurrency (AND operands) and choice (XOR operands), the com-
bination of both of which can result in incorrect process designs - this is discussed further 
in Section 1.3.2. The verification of control flow correctness has received much attention 
recently, in that several restricted classes of the control flow problem have been addressed 
to date [84, 1, 3, 75, 61]; additionally, the general control flow problem has been shown 
4 
to be NP-complete [40]. As regards the study of resource allocation policies, there has 
been some work, especially in understanding connectivity issues, using metagraphs [11]. 
However, this work does not extend to answering questions about the detection of poten-
tial deadlock possibilities in business process definitions. These are the questions dealt 
with, in this research. 
In the larger context of business process modeling, the research presented herein is an 
essential step in developing an integrated framework for the modeling and analysis of 
business processes that [49, 23]: 
• Reduces the gap between the domain expert and the business process analyst. 
• Allows for the design and analysis of business processes to be simultaneous, with 
analysis influencing the design of effective and efficient processes. 
• Clarifies ambiguities in the domain expert's interpretation, experience, and expec-
tations of the business process through immediate qualitative analysis. 
• Provides a seamless, almost invisible translation between the description of the 
business process and the formalization that feeds the underlying analysis. 
• Provides linkages to other analysis techniques that can be used to derive summary 
metrics about the run-time performance of the business process. 
That the verification of the design of a business process is a fundamental problem that 
should be undertaken for any process modeling effort, is undisputed. That it has only 
taken on an increased urgency, given its relevance to current interest in automated control 
and coordination of business processes, is the motivation for this research. 
5 
1.3 The Control Flow Problem 
1.3.1 The Control Flow Model 
The description of a business process is usually based on a graphical syntax which in-
cludes constructs for representing choice and concurrency, along with details of specific 
operational scenarios, and various perspectives, namely, functional, informational, and 
organizational [22, 93, 11]. While a process's description must be semantically rich, and 
a formalized model may be completely context-independent, the underlying process logic 
can be represented with just a few basic elements that are both amenable to analysis 
and are also semantically useful. The control flow model captures the partial or total 
ordering among the tasks that constitute the process, and is defined using the following 
elements [41, 95]: 
Task: An abstraction of either a unit activity, or a composite description of a larger sub-
process, embedded in the process's definition. It is graphically represented with a 
rectangular symbol. 
AND-Split: A logical operand that models the concurrent creation of several parallel 
threads of control from a single incoming fl.ow. 
AND-Join: A logical operand that models the asynchronous completion of several par-
allel sub-threads of execution, to be followed by a common outgoing fl.ow. 
XOR-Split: A logical operand that depicts choice in the selection of exactly one of 
several possible outgoing control flows from a single incoming fl.ow. 
XOR-Join: A logical operand that merges several mutually exclusive, multiple sources 
of control, to create a common outgoing flow. 
Directed Arrow: The fl.ow of control between the various elements is captured graph-





Figure 1.1: A Sample Control Flow Model 
Figure 1.1 illustrates all of these basic elements, including iteration, which basically mod-
els the recursive nature of the flow of control, as would be required in say, an inspection 
(reject/accept/re-process) activity. Observe that the control flow model is devoid of the 
operational details of the tasks, namely, their inputs and outputs, which, while necessary 
for developing a process description that is conceptually complete, are not essential for 
capturing the process's logic. Additionally, the control flow model includes two special 
constructs - "Start" and "Finish" which indicate that the process has a unique initiation, 
and a unique termination. There are several advantages to enforcing the unique Start 
and Finish in the control flow model, namely, 
• Sub-processes that have already been verified can be encapsulated and subsumed as 
composite tasks in a larger control flow model to represent , with coarser granularity, 
the individual task descriptions . Such composite tasks, if needed , could be "blown-
up" to reveal their complete detail, by relying on the S and F nodes of the composite 
tasks to easily plug into the bigger model. 
• It would be possible to achieve an incremental, or piece-wise, verification of the 
various sections of the process, without requiring that the entire model be specified 
before any analysis may begin. This would be made possible, by bounding, and 
isolating with a Start and Finish, those sections of the model that are logically 
disjoint and separated from the rest of the model, so far as control flow is con-
cerned. Consequently, this "debugging" at a local level would increase the speed of 
development of a correct control flow model, which, if need be, could be composed 
of previously verified, smaller component models . 
7 
The four logical operands presented above are adequate for capturing the logic of any 
process. However, certain process description languages ( e.g., IDEF3, EPC) also include 
constructs for modeling inclusive OR-Splits (-Joins) , i.e., activate (merge) at least one 
of several outgoing (incoming) control flows. This, unfortunately, is very ambiguous in 
interpretation, and is ill suited for formalization , for it neither suggests which thread(s) to 
activate, nor how many, except, perhaps those recorded by the domain expert as part of 
his/ her experience. Figure 1.2 illustrates a reformulation of an OR-Split with just XORs 
and ANDs; the equivalent mapping for an OR-Join would be the dual (i.e., graph with 
arrows reversed) of the model shown in Figure 1.2(b). Unfortunately, this comes with 
the penalty that the number of extra XOR or AND operands grows exponentially with 
the out/in-degree of the OR operand. It is recommended that the use of an OR operand 
be explicitly discouraged in developing process descriptions, so as to avoid ambiguity and 
inconsistency of interpretation [2, 53]. 
(a) OR-Split 
example 
Choose exactly one of the three --~ 
possible outgoing threads 
Choose all three possible __ _, 
outgoing threads 
(b) Replacing an OR-Split with XORs and ANDs 
Figure 1.2: Mapping an OR logical operand with XORs and ANDs 
8 
1.3.2 Control Flow: Statement of the Problem 
The question of verifying the process's design to establish control flow correctness, is 
simply this - can it be verified that beginning with Start, the process will always reach 
Finish? In order that the definition of control flow correctness may be made more pre-
cise, it remains to understand what counts as an incorrect model. Table 1.2 illustrates 
several examples of incorrect control flow. 
There are three points that clarify themselves in all five examples of Table 1.2, namely, 
1. The process must terminate exactly once, i.e., unique termination. 
2. The process must terminate completely, without any residual control flows hanging 
in the balance, i.e., proper termination. 
3. The bulk of control flow errors arise from interspersing XOR and AND logical 
operands. 
The control flow problem can now be restated as: 
The Initiation Problem is to determine if there is a sequence of task executions that 
will lead to the execution of a particular task - this has been shown to be NP-
complete [40]. 
The Termination Problem is to determine if the control flow specification will lead to 
a terminal state - this has been shown to require exponential storage r~quirements 
[40]. 
An alternate derivation of the NP-completeness of the control flow problem is presented 
in Section 3.2.2. 
9 
Table 1.2: Incorrect Control Flow Models - Some Illustrations 
Incorrect Control Flow Model 
10 
Discussion 
An example of deadlock. The process 
will never terminate, since the AND 
operand will wait indefinitely for two 
incoming flows of control, while the 
XOR creates only one. 
An example of multiple repetitions. 
The process will "Finish" twice, 
since the XOR is expecting only 
one incoming control flow, while the 
preceding AND activates two parallel 
paths. 
Note: It may be argued that it 
does not matter which of the two 
tasks finishes first, as long as one 
does, to enable control flow to pro-
ceed further. However, in this case, 
what is required is not an XOR-Join, 
but an OR-Join, which must be 
formalized using XORs and ANDs as 
illustrated in Figure 1.2. 
If the XOR next to "Start" chooses 
the top branch, the process will termi-
nate properly; if it chooses the lower 
branch, the process will terminate 
twice. 
If the XOR on the lower branch 
chooses the control flow to its top, 
the process will terminate properly; 
if it chooses the flow to its right, the 
process will terminate once, but there 
will be an AND operand waiting for 
a control flow that will never arrive. 
A process model with the possibility 
for infinite repetitions. If the second 
XOR chooses the branch to its right, 
the process will terminate properly; if 
it chooses the lower branch, the pro-
cess will terminate more than once. 
1.3.3 Control Flow: Overview of Research 
There are two approaches to establishing the correctness of control flow in business pro-
cess models, namely, correctness by construction (i.e., build it correctly), or correctness 
by inspection (i.e., check it completely). The former relies on strict grammatical rules 
that govern the composition of the various elements in the model, and this is the basis of 
the model-theoretic event algebras designed by [81, 30], which, however, do not guarantee 
that all models can be constructed using the pre-specified composition rules. The latter, 
on the contrary, is more appealing, in that it does not inhibit the modeler or the analyst. 
These are the considerations that have prompted the use of graph-theoretic techniques 
[76, 75, 11, 61], and Petri nets [1, 84, 88] for verification studies. 
However, all of these approaches impose restrictions on the form and structure of the 
control-flow model to render the analysis questions more tractable, namely, that the 
control-flow model be acyclic (no loops), and that the Petri-net constructions remain 
free-choice. 2 Moreover, with the exception of [76, 3], all of the other approaches present 
only theoretical analyses, the implementation of which is left to question. 
Additionally, there exists no precise mechanism to isolate and identify the sources of 
control flow anomalies, since it is not just enough to identify that there is a problem, 
but, it is more important to identify the why and the where; these are precisely the 
incentives for studying the control flow problem. 
2 A special class of Petri nets wherein all choices within the Petri net are free - this is elaborated 
further in Section 2.5. 
11 
1.4 The Resource-Sharing Problem 
1.4.1 Formalism for Specifying Resource Requirements 
A process, in the course of its execution, will use some resources ~ more specifically, tasks 
in a process will often require the use of resources (e.g., machines, people, instruments) 
that they capture (i.e., access, exclusively use), and which are then released by either 
the tasks that captured them, or by other subsequently executed tasks. The notion of a 
"resource" as defined here is not to be confused with items like, say, machine-oil or lubri-
eating grease which are consumed, i.e., "depletable resources" exhausted by the process, 
or with items like, say, scrap and metal-filings which are created by the process. In spec-
ifying the resource requirements of a process, the focus is on re-usable, non-perishable, 
and non-depletable physical or informational entities that are accessed or captured by 
tasks, and which are then subsequently released wholly, without loss or detriment in their 
size, quantity, or operational ability [37, 43]. 
More formally, the (re-usable) resource requirements for the tasks in a process are spec-
ified as: 
• R = {R1 ,R2 , .•. ,Rr} is the set of all resources. \/Ri ER, Rf= number of units 
l available for resource ~. 
• \;/ Ri E R, Rf ap : T -. N = {O, 1, ... } is a functional that specifies the number of 
units of resource ~ captured by each task, where T is the set of all tasks. 
• \;/ Ri E R, Rfel : T -. N is a functional that specifies the number of units of resource 
~ released by each task. 
12 
1.4.2 Resource-Sharing: Statement of the Problem 
In the course of the execution of a business process, deadlock arises when tasks that 
have captured some resources are blocked indefinitely from access to resources held by 
other tasks [19, 43, 46]. The following four conditions are necessary for the occurrence 
of deadlock, namely, [19, 34, 67, 8] 
Mutual Exclusion Tasks require exclusive use of resources. 
Hold-while-waiting Tasks continue holding onto resources that they have 
captured, while waiting for other required resources to become available. 
No Preemption Tasks holding resources determine when they are released. 
Circular-Wait A closed chain of two/more tasks waiting for resources held 
by one another. 
In the context of business process modeling, the first three conditions stated above are 
unavoidable, i.e., resources are assigned for exclusive use of the tasks that require them, 
and cannot be preempted without externally aborting the corresponding tasks. To this 
end, the primary design issue that needs to be addressed in the design of business pro-
cesses is to alert the designer to deadlock possibilities that may arise from circular-wait 
conditions that are not immediately evident in the process's design. Clearly, a very ele-
mentary check for the correctness of resource allocation is to verify that the number of 
times a resource R;, is captured is equal to the number of times it is released. However, 
such a simplistic check is inadequate for guaranteeing the correctness of a process's de-
sign. The problems that arise in the consideration of resource-sharing are best motivated 
with several examples, as presented in Table 1.3. The convention followed for these mod-
els is - (i) the capture and release of resources by each task is specified with directed 
arrows entering and leaving the task symbols, respectively, and (ii) it is assumed that 
Rf = 1 for all the resources cited therein. 
13 
Table 1.3: Incorrect Resource Allocation Models - Sorne Illustrations 




There are two problems, namely, (i) re-
source R5 is released before it is captured, 
and (ii) a potential circular-wait could 
arise if T2 captures R1 and T3 captures R2 
and end up waiting indefinitely for each 
other to release their resources. 
There are two major problems, namely, 
(i) if T2 and T3 are assigned R1, R2, re-
spectively, then the process will be dead-
locked, since T1 and T4 will never be exe-
cuted for want of resources that will never 
be released (by T5 and T6) before they are 
completed, and (ii) the number of capture 
requests for both R1 and R2 among the 
concurrent tasks T1, T2, T3, T4, exceeds the 
available number of units, thereby making 
the design infeasible. 
The process will get deadlocked if T1 cap-
tures R1 and T3 captures R2, whereupon 
neither T2 nor T4 can proceed any further, 
and the resources will never be released -
an example of circular-wait. 
Clearly, the control flow is very straight-
forward. However, consider an "incident" 
- T1 captures R1 followed by T2 which cap-
tures R2 and releases R1, and proceeds 
to execute T3; meanwhile, Ti, being en-
abled, captures R1 again and starts an-
other instance of the process, thereby re-
sulting in deadlock since the previous in-
stance will not release R2 without R1 (task 
T4), while the second instance will not re-
lease R1 without R2 (task T2)- another 
circular-wait. 
There are several questions that arise naturally from the three examples presented in 
Table 1.3, namely, 
1. Examples 1 and 3 - what is the order in which resources need to be assigned 
among concurrently enabled tasks, so as to avoid potential circular-wait? 
2. Example 2 - what is the minimum number of units required of each resource 
to enable the process's design to actually succeed? In the case of example 2, for 
the concurrent tasks T1 , T2 , T3 , T4 to actually proceed, a minimum of two units is 
required for resources R1 and R2 - this example was solved intuitively; can it be 
formalized? 
3. Example 4 - the incident described in example 4 merits some more attention. 
Clearly, the problem cited therein is not immediately evident, and the execution of 
a single instance of the process would proceed perfectly. However, it still remains 
to alert the designer about the potential for circular-wait that could arise if multiple 
instances of the process become enabled. 
The resource-sharing problem can now be restated as: 
Single-Instance Verification is to determine if the sharing of resources among tasks 
within an instance of a process could lead to deadlock. 
Multiple-Instance Verification is to determine if the sharing of common resources 
among various instances of the process could lead to deadlock. 
1.4.3 Resource-Sharing: Overview of Research 
The study of deadlock has been motivated primarily by problems arising in operating 
systems, beginning with a problem in concurrent control proposed by Dijkstra [27) and 
solved by others [54, 24, 28, 56), namely, to develop an algorithm that will guarantee 
that exactly one among many competing tasks ( or programs) will execute their "critical 
section" (presumably, access to some common computing resource). Subsequently, this 
15 
problem has been enlarged thus - "given a set of n tasks and m resources, does there 
exist an ordered sequence of the tasks that is safe, and will enable all the tasks to be 
completed? [35, 42, 69, 43]. This problem has received enormous attention, given its im-
portance to operating systems, parallel computing, and distributed database systems, an 
extensive review of which is presented in [46, 39, 82, 31]. These approaches rely primarily 
on the definition of a resource-allocation graph3 that captures the state of the system 
at a particular time, namely, the set of unfulfilled resource requests, the set of captured 
resources, etc., and verifies that the system's evolution into its next state is also safe 
[19, 43]. The existence of a cycle in these resource allocation graphs is necessary for the 
occurrence of a deadlock [19], and is sufficient when there is just a single unit of each re-
source [43, 67, 98, 63]. Unfortunately, these approaches are not applicable to the context 
of business process modeling, since the process's logic pre-specifies the order in which the 
tasks need to be executed. These concerns have also arisen in the study of deadlock as is 
related to the operation of flexible manufacturing systems [8, 94, 29, 99, 74, 73], a recent 
review of which is presented in [92]. 
The most common approaches for handling deadlock are: [43, 46, 94, 57] 
Prevention restrains the request structure of processes so that deadlock is impossible, 
namely, by falsifying any one of the four necessary conditions for deadlock (refer 
Section 1.4.2). 
Detection-Recovery approaches allow deadlock to occur and focus on expedient re-
covery. 
Avoidance uses current state information along with the knowledge of task request 
and release structures to guide look-ahead policies that control how resources are 
allocated so that deadlock is avoided. 
3 also referred to as "wait-for graphs" [67, 58]. 
16 
The general deadlock avoidance problem has been shown to be NP-complete (90, 34, 32, 
67]. In the spirit of the · adage "prevention is better than cure," the focus of the second 
problem addressed in this research is deadlock prevention, namely, to develop techniques 
for alerting the designer of a business process about potential deadlock possibilities. 
1.5 Summary 
The purpose of this chapter has been to motivate the need for a formal foundation to 
verify the correctness of a business process's design. The design of a business process 
minimally requires the specification of the process's logic, and the resource requirements 
for its constituent tasks. Two major problems have been identified, namely, verifying 
the correctness of (i) control flow, and (ii) resource-sharing requirements - these are the 
questions dealt with, in this dissertation. 
The control flow problem relates to establishing the correctness of a process's logic. More 
specifically, it remains to verify that a single instance of the process will execute correctly 
from initiation to completion (i.e., unique termination), and that there are no incomplete 
control flows remaining elsewhere upon completion of the process (i.e., proper termina-
tion) (40]. These two conditions must be satisfied to establish that the control flow 
model is correct - they are not intended to excessively constrain modeling flexibility; on 
the contrary, they serve to focus and discipline a modeler's intuition in developing a more 
precise design that is logically, and therefore, operationally correct. 
The resource-sharing problem relates to establishing the correctness of a process's (re-
usable) resource requirements. More specifically, it remains to establish that the sharing 
of common resources among different tasks, either within a single-, or across multiple-
instances of the process does not lead to situations wherein two or more tasks compete 
17 
for resources, without relinquishing control of currently held resources, thereby lead-
ing to deadlock. Several interesting challenges emerge from the study of this problem, 
namely, is deadlock occurring as a result of inadequate resource availability, or is it truly 
a design error that is not immediately obvious? More particularly, is it necessary to 
simulate the operation of a process to identify any such design errors? That the answer 
to this question is No is a prelude to some of the interesting approaches developed herein. 
The remainder of the document is organized as follows. Chapter 2 presents a review of 
the issues and opportunities in business process modeling, and summarizes all relevant 
research related to the two problems mentioned above - it should excite the reader 
to know that the question of verifying the correctness of a process's resource-sharing 
requirements has not been previously studied, and that the results presented herein are 
the first in this regard. Chapter 3 studies the control flow problem, and presents a 
new algorithm for verifying the correctness of control flow in any control flow model. 
Chapter 4 extends the results of Chapter 3, and presents a simple Petri net-theoretic 
approach to studying the correctness of resource-sharing requirements, both in single- and 
in multiple-instances of a process. Chapter 5 documents the features of a proof-of-concept 
implementation of the algorithms developed in this work. Chapter 6 concludes this 
dissertation with a summary of research contributions, and pointers for further research. 
18 
Chapter 2 
Review of the Literature 
Chapter Overview 
The purpose of this chapter is to present both an overall appraisal of the issues and 
opportunities in business process modeling, and a review of the research approaches and 
results relevant to studying the correctness of control flow and resource-sharing issues. 
2.1 Business Process Modeling: Major Issues 
The complete conceptual description of a business process requires: 
1. specification of the flow of control and the total/partial ordering between the various 
tasks, including feedback and feedforward modes of action, 
2. specification of relevant inputs and outputs, and the flow of data as is dictated by 
the interconnections between the tasks, 
3. assessment of the process's configuration, and a summarization of the process's 
dynamics (i.e., time duration), and estimates of control-flow transition probabilities 
(if required), and 
4. identification of any hierarchical, or multi-level distinctions in the tasks that con-
stitute the process, i.e., is a task elemental, or can the task be expanded to reveal 
other sub-processes? 
19 
These conceptualization requirements have prompted the creation of process meta-models, 
i.e., models about building models, which aim to standardize terminology and suggest an 
abstraction of how process models must be specified [7, 96]. Research in process meta-
models has also been significantly influenced by the need to create process specifications 
amenable to computer implementation, as is required for workflow automation. 
To summarize, the major issues in business process modeling (BPM) can be classified 
into the following sub-categories [33, 44, 45, 91]: 
1. Process meta-models, process definition - language & grammar, and workflow 
schema representation architectures [60, 17, 59, 96, 18, 15, 55, 66]. 
2. Analysis of conceptual specifications of processes for syntactic and semantic cor-
rectness, and support for performance evaluation & process redesign [3, 1, 11, 76, 
88, 84, 77, 79]. 
3. Implementation and run-time issues related to correctness & failure-handling mech-
anisms in workflow management systems [18, 50, 51, 33] and adapting to dynamic 
changes in workflow and process definitions [72]. 
4. Workflow Management System IT infrastructure & inter-operability standards, 
spearheaded by the Workflow Management Coalition [41, 95, 96]. 
This research is related largely to sub-topic 2 above, namely, to develop techniques for 
verifying the correctness of a process's design. However, it would be very instructive to 
trace the development of ideas in all the sub-categories above, more so, in the context 
of today's growing interest in automated solutions and the correspondingly increased 
demand for improved modeling and analysis techniques. 
20 
2.2 Business Processes - General Classification 
In addition to the three kinds of processes identified in Table 1.1, business processes can 
be classified into one of collaborative, production, ad hoc, or administrative, depending 
on their business value and the degree of their repetition [60]. A process of high business 
value is more of a core competency, i.e., a fundamental process based on which the orga-
nization has been established (e.g., loan approval by a bank). The degree of repetition is 
a measure of how often the process is performed. Figure 2.1 classifies the four different 
types of business processes, with representative examples. 
Business 
Value 
















Figure 2.1: Classification of Business Processes 
Collaborative processes are characterized by high business values and low repetitions -
e.g., building a fighter jet, creating a patch for a Windoze bug, etc. The underlying pro-
cess is generally unique and specific to the instance of the process. Ad hoc processes are 
characterized by low business values and low repetitiveness, and are created on-the-fly, 
literally speaking - e.g., enquiring about the number of customers with bank balances 
in excess of 13.27 dollars, circulating a birthday card for staff signatures, etc. There is 
21 
no defined structure or logic for these processes, and it changes from one situation to 
another. Adminstrative processes are highly repetitive, but of low business value - e.g., 
processing travel reimbursements, filing plan of study forms, etc. Production processes 
are high-value, high frequency processes that are repeated over and over, and represent 
the core processes of a company - e.g., approving loans in a bank, sorting mail in the 
post-office, etc. It is the efficient and effective execution of production processes that 
define the competitiveness of a company, and consequentially, merit the maximum at-
tention in any BPM effort. 
The complete specification of business processes includes (i) the control flow, i.e., the par-
tial and total ordering specifying the sequence of the various tasks, (ii) the input-output 
requirements (i.e., information, materials) and (iii) the resource (people, machines, etc.) 
allocations for executing the various tasks. Depending on the type of the process (i.e., ma-
terial, information, or people), the specification of a process would also include context-
specific details like personnel involved, rollback-recovery procedures, exception handling 
procedures, abort-recovery consistency checks, communication protocols, etc. [33, 18, 21) 
- this is referred to as the "discovery" of business processes [21). However, discovering 
and documenting the sequence of activities1 within a business process is an iterative 
and time-consuming process, especially, in stating the flow of control from one activity 
to the next, specifying the logical transition conditions, etc., all of which reinforce the 
requirement for a precise modeling methodology. 
2.3 Business Process Modeling Methodologies 
The purpose of business process modeling is to produce an abstraction of the process that 
serves as a basis for detailed definition, study, and possibly, re-engineering, to eliminate 
1 Both tasks and activities are used interchangeably in this document. 
22 
non-value added activities. To this end, the process model must allow for a clear and 
transparent understanding of the activities being undertaken, the dependencies among 
the activities and resources (people, machines, programs, data, etc.) necessary for the 
process. Process modeling methodologies can be broadly classified into three categories 
' 
- communication-based, artifact-based, and activity-based [66, 17, 18, 33]. 
The communication-based methodology represents an action in a process as a communi-
cation between a customer and a performer, consisting of four phases - request, negotia-
tion, performance, and acceptance. During any phase of the process, the performer of one 
process loop can be a customer of another loop, thus presenting any business process as a 
network of such customer-performer loops. This methodology focuses on communications 
occurring in the workplace and is geared towards one objective, namely, customer satis-
faction, and is not suitable for other goals, especially, process analysis and investigation. 
The artifact-based approach focuses on the objects (artifacts) that are created, modified, 
and used in the process, i.e., the modeling of the process is based on the products, and 
their fl.ow through the various activities; this would be suitable for administrative and ad 
hoc processes. The activity-based methodology focuses on decomposing the process into 
tasks that are ordered based on the dependencies (fl.ow of control and data) between them. 
The activity-based methodology has a number of distinct advantages [59, 66, 18] - (i) it is 
easily understood, (ii) it is readily amenable to formalization2 and (iii) it is the preferred 
choice for computerized specification and modeling, as is evident in it being the basis for 
all the major modeling languages. The reader would no doubt note that the control-fl.ow 
model of Figure 1.1 is an activity-centered process model. 
2Formalizations generally simplify the process model, and replace conceptual descriptions with spe-
cialized abstractions, to focus primarily on the problems being studied. 
23 
2.4 Workflow Management 
Businesses are increasingly relying on enterprise-wide integration of information using 
technologies like advanced database systems, client-server computing, Web-enabled trans-
actions, etc., to improve the efficiency of their business processes, and to be more com-
petitive in responding to customer needs [18, 50, 79, 66, 77]. These concerns have also 
stimulated the popularity of workftow management as a technique to address the needs 
for representation, study, and automation of business processes, especially information 
and people processes. 
Workflow management supports both process specification, and automated execution 
(instantiation, monitoring, and data maintenance) of business processes, and is a next-
generation extension to business process modeling that emphasizes the increased role that 
information systems have come to play in today's businesses [79]. Workflow management 
facilitates the coordinated execution of the various tasks that comprise a business process; 
it involves two phases - (i) the modeling phase that abstracts from business procedures 
and defines computer-implementable workftow specifications, and (ii) the execution phase 
that executes instances of the workflows to meet business requirements - both these 
phases are managed and coordinated by a Workflow Management System (WfMS). 
2.4.1 The Modeling Phase 
A workftow, as defined by the Workflow Management Coalition (WfMC)3 [41], is "a 
procedure where documents, information, or tasks are passed between participants ac-
cording to a defined set of rules to achieve, or contribute to, an overall business goal." Or 
alternatively, based on the activity-centered modeling methodology, a workflow can be 
viewed as a "collection of steps" that have to performed in a certain order. A workftow 
3 An international consortium founded in 1993 to standardize terminology and enable inter-operability 
between different workflow management systems. http://www. wfmc. org. 
24 
schema specifies the set of steps that comprise a workflow, and the data and control 
flow between the steps - Figure 2.2 illustrates an example of the process of approving 
applications in a health insurance firm [50]. 


















Request Opinion from Opinion 
Medical Expert Received 
Archive 
Decision Points: 
1. Client = New 
2. Client = Old 
3. Decision = Accept 
4. Decision = Reject 
5. More Info. = True 
-------- • Data Flow 
__. Control Flow 
Figure 2.2: Example of a Workflow Specification ( adapted from [50]) 
The data flow specification provides the mapping of data (inputs and outputs) between 
steps, and the control flow specifies the execut ion order of the steps. Several types 
of transition conditions can be specified in the control flow requirements - sequential, 
conditional branching, concurrent branching, and iteration, all of which were illustrated 
in Figure 1.1. To perform a business process, a workfiow instance is initiated. Every 
workflow instance is associated with a state that reflects the values of the various data 
items associated with the workflow, and the state of the steps in the workflow, i.e., which 
of the steps have been completed, etc. The WfMC has established standards for process 
definition, and has developed generic modeling concepts to guide the creation of business 
process models (respectively, workflow schemas) [95]. 
25 
Workflow Design & Definition Workflow Instantiation & Control Interaction with Users & Application Tools 






+---Build-Time--...- ------ - Run-Time-------- -+ 
Figure 2.3: Workflow Management System - Reference Model (adapted from [41 , 77, 50]) 
2.4.2 The Execution Phase 
Figure 2.3 illust rates the three major functional areas that a WfMS provides support for, 
namely, workflow design & definition (the context of our research), workflow instantiation 
and control, and interaction with users & other applications [41, 77, 50] . The definitions 
of workflows, t asks, staff designations, etc., are all stored in the workfiow database . This 
database also stores t he states of the workflows that are in progress. Scheduling is usually 
performed by a workfiow engine, which refers to the workflow database to determine 
the state of the various workflows in progress. Staff members interact with the WfMS 
through a hum an interaction agent, and they are presented wit h a work-it em list that 
lists all the t asks that have been assigned to them. If a task requires a program or other 
applications, t hese are invoked by the application agent . The application agents interact 
with the workflow engine to fetch the data required to execute a part icular step, and 
to communicate back the output (i.e., return status code and data) produced by the 
step. The workflow database is not accessible to applications external to the WfMS and 
other external resources (programs, databases, etc.) that are accessed by the applications 
executed on behalf of the workflow's steps. 
26 
2.4.3 Implementation Issues in Workflow Management 
Ensuring data consistency and integrity of the workflow database is a problem that 
is attracting much research - this is largely due to the fact that business procedures 
are generally of extended duration, and traditional transaction models [18, 50, 51] have 
proven inadequate. More specifically, the focus has been on resolving correctness issues 
to ensure data consistency across multiple workflow instances, each of which may be 
in different states, but could require access to common data. The correctness require-
ments in workflow implementation can be broadly classified into two categories, namely, 
execution atomicity, and failure atomicity. Execution atomicity deals with how data is 
committed and how visibility of data between steps, both within and across workflow 
instances, is controlled. Failure atomicity determines what is to be done with the data 
that has already been committed to the steps of a workflow, in the event that a failure 
disrupts the workflow and affects database management and database integrity. This, 
and other run-time issues related to database management, data transaction control 
(check-in, check-out), etc., are beyond the scope of this research. 
2.4.4 Process & Workflow Meta-Models - Basic Concepts 
The WfMC has established commonly accepted terminology for the various components 
of a business process model and associated workflow specifications. The meta-model pre-
sented in Figure 2.4 is a refinement of that proposed by the WfMC [18, 41, 96]. 
The interpretation of the meta-model is as follows: the Business Process is represented by 
a Workfiow that consists of many Activities coordinated by this Workfiow. The Activity 
serves as an abstraction for the Workfiow and Task. The semantics of this approach is 
that the Workfiow consists of tasks or sub-workflows, i.e., a hierarchy of nested workflows. 






1. Retatiorllhlp ___ __ 





(wont I m) 
Manipulated 
Object 
canbe , lonHJ /n 
accessedb 
Database 
Figure 2.4: Process Meta-Model (adapted from [18]) 
Worlc:lfst 
Human 
distributed environment. The Task is an abstraction of an Elementary Task and a 
Composite Task that actually consists of Tasks recursively. The Elementary Task requires 
for its performance a Role that can be responsible for many Elementary Tasks. The Role 
is fulfilled by an Agent that plays the role of a processing item. The Agent has assigned 
Tasks that it is responsible for, through a Worklist. The Agent itself can be specialized 
into a System Service (program, application, etc.) or a Human. A System Service can 
be associated with many Databases. The data flow and control flow are represented by 
generic Manipulated Objects (any object or piece of information used and manipulated 
by Workflow) that can be stored in the database. 
2.4.5 Summary 
The discussion has thus far focused on summarizing the major developments in process 
automation and workflow management. The interested reader is directed to refer ad-
ditional references, most notably, [60] for Section 2.2, [66] for Section 2.3, [33, 18, 60] 
for Section 2.4, and [21] for a comprehensive and well-written overview of the issues and 
opportunities in the discovery, design, deployment, and automation of business processes. 
28 
There has also been considerable interest in developing a common specification for doc-
umenting and describing business processes to standardize exchange and interaction of 
business data among companies maintaining different enterprise integration and process 
management systems - readers are encouraged to refer [48, 96, 7] for additional details. 
The remainder of this chapter will focus on reviewing current approaches to addressing 
the control flow and resource-sharing problems. 
2.5 Control Flow Verification: Research Review 
The control-flow problem was introduced earlier in Section 1.3, and a brief overview of 
current research presented in Section 1.3.3. To summarize, the current approaches to the 
control-flow problem may be classified into three main categories: 
1. Petri net formalizations [1, 3, 4, 5, 84, 83, 87, 85, 86], 
2. Graph-theoretic reductions [76, 75, 61], and 
3. Model-theoretic event algebras [81, 30, 88]. 
2.5.1 Petri-net Formalizations 
Petri-nets have emerged as a very popular technique for formalizing business process 
models for the following reasons [77, 66, 4] - (i) clear and unambiguous description 
of process logic, (ii) intuitive ease and feel of a self-documenting, graphical formalism 
that retains complete conceptual clarity, and (iii) extensive qualititative and quantitative 
analysis capabilities that would vastly extend the power and usefulness of structured 
process description languages like IDEF3.4 The Petri-net equivalent of the control flow 





Figure 2.5: Petri Net Representation - An Example (control-flow only) 
The standard approach to establishing control-flow correctness in Petri-net formaliza-
tions of business process models is to establish the soundness property [1 , 3], or the 
simple-control property [84, 88], which is the initiation problem, and the termination 
problem both rolled in one (refer Section 1.3.2) . Stated simply, the idea is to put a token 
in the place labeled Start (refer Figure 2.5) and to see if the execution of the Petri 
net will produce a token in the place labeled Stop, without leaving any residual tokens 
elsewhere in the net. These ideas form the basis of WOFLAN, a modeling and verifica-
tion tool developed at the EINDHOVEN INSTITUTE OF TECHNOLOGY,5 The Netherlands. 
The majority of business processes formalized as Petri nets require that the Petri net be 
free-choice, a special class of Petri nets wherein all choices within the net are free[25]. 
Translated literally, this implies that the choice of which transition to fire, in the pres-
ence of conflict, is not influenced by any other place other than the input places of the 
transitions in content ion - Figure 2.6 highlights an example. 
The net in Figure 2.6(a) is not free-choice since the resolution of the conflict at place Pi 
is not free, i.e., the choice on whether T1 or T2 will be fired depends on the availability 
of a token in P2 , while T1 may be fired irrespective of the presence/ absence of a token 





Figure 2.6: Two Examples - (a) Non Free-Choice Net, and (b) Free-Choice Net 
in P2 . Figure 2.6(b), however, describes a free-choice net wherein the choice between T1 
and T2 is free, since the enabling of either transition requires input tokens only in Pi and 
P2 , and consequently, the choice is equally likely and is unaffected by other elements of 
the net. 
The advantage of requiring that the business process be formalized as a free-choice net is 
that the soundness property can be verified in polynomial time [25, 3]. On the downside, 
restricting the "choice" to free-choice disallows the modeling of all possible business 
processes. Additionally, current applications of Petri net formalizations require that the 
business process model be acyclic, i.e., without any loops. Both these requirements are 
easily violated in practical examples, thus reinforcing the need for a generic approach 
for addressing the control-flow problem without any restrictions on the structure of the 
control-flow model. 
2.5.2 Graph-theoretic Reductions 
This is an interesting visual approach to solving the control-flow problem, deriving from 
the dissertation work of Sadiq [75]; however, Lin et al. [61] have established that the algo-
rithm presented in [75] is incomplete, and have proposed extensions to the same. Stated 
simply, the idea is to remove, from an acyclic control-flow model, all sub-structures of 
31 
the graph that are definitely correct, and if possible, reduce the control-flow model to an 
empty graph. Conversely, if the reduction to an empty graph is not possible, the control 
flow model is studied further to identify the source of the control-flow anomaly. This 
has been formalized through five reduction rules - terminal, sequential, adjacent, closed, 
and overlapped, each of which is applied, in turn, to all vertices of the graph, continuing 
until no further reductions are possible. These ideas are further illustrated in [76] and 
form the basis of FLOWMAKE, a modeling and verification tool developed by the DIS-
TRIBUTED SYSTEMS TECHNOLOGY CENTER,6 Australia. There are no disadvantages, 
per se, excepting that the approach relies more on the visual nature of the final solution 
- should the process model be incorrect, then the reduced model (not an empty graph) 
would have to be "looked-at" to figure out the where's and why's of the control-flow 
error, since the reduced model loses all resemblance to the original model. 
2.5.3 Model-theoretic Event Algebras 
The process model constructions developed in [81, 30] specify inter-task dependencies as 
logical constraints on the occurrence and temporal order of process events. The rigorous 
grammar underlying these construction techniques necessitates that the process model be 
correct; however, they lose out significantly on ease of use, and do not guarantee that all 
models can be specified using the set rules of construction. Additionally, they have not 
been adopted as the basis for any commercial verification tool. A novel theory of threads 
that attempts to blend the power of process-algebraic reasoning with the modeling ease 




2.5.4 Other Related Network Models 
The network-like structure of the control flow model· bears similarity to problems com-
monly addressed in PERT /CPM studies [12], reliability models [80], and network-flow 
optimization problems [71 J. This section briefly summarizes the relevance ( or otherwise) 
of each of these ideas to control flow verification. 
PERT/ CPM Networks The precedence networks of PERT/ CPM cannot model choice, 
and consequently, cannot be applied to the context of control flow verification. 
Reliability Models The primary interest in reliability modeling is in the capture of 
minimal tie sets, i.e., the path that requires the smallest number of operational 
links to make the system function, and analogously, minimal cut-sets, i.e., the 
minimal set of links, the elimination of which will render the system inoperable. 
Again, as in PERT /CPM, there is no notion of choice or concurrency in reliability 
networks - parallel links denote redundancy built into the reliability network, and 
not concurrency as is interpreted in control flow models. 
Network-Flow Optimization The correctness of control flow can also be established 
by representing the control flow model as a 0-1 integer programming formulation 
(the multi-commodity network flow problem), with nodal flows specified in accor-
dance with their expected behavior (XOR/ AND /Task), assigning unit costs to the 
edges, and solving it to see if a unit flow can be routed from Start to Finish. 
However, while such a formulation will identify different execution scenarios for a 
correct control flow model, it does not offer any insight into the source and cause 
of the control flow error(s), should the IP formulation fail. 
2.5.5 Summary 
The control-flow problem has been tackled largely by imposing specific restrictions on the 
underlying representation, namely, that the control-flow model be acyclic, or its Petri-net 
33 
representation be free-choice. Chapter 3 presents an algorithm that is devoid of any such 
restrictions, and identifies, not just the presence/ absence of control-flow anomalies, but 
also the source of the error(s). 
2.6 Resource-Sharing Correctness: Research Review 
As identified in Section 1.4.2, there are two main problems to be addressed in verifying the 
correctness of resource-sharing requirements, namely, the single-instance verification and 
the multiple-instance verification problem. There has been no previous research related to 
studying these problems - this is perhaps due to the fact that most commercial enterprise 
automation systems focus primarily on information and people processes and correctness 
requirements have focused primarily on database consistency checks and transactional 
guarantees [51, 33, 18, 72]. Material processes are usually addressed by industrial engi-
neers, and the motivation for studying deadlock therein arises largely from considerations 
of deadlock avoidance in run-time control of flexible manufacturing systems [92]. 
The design and deployment of business processes begins with the design - thus far, there 
has been some work in developing a formalism for modeling inputs and outputs of a busi-
ness process, called metagraphs [9, 10, 11], and to use it for understanding connectivity 
issues. A metagraph is essentially a directed hypergraph, wherein each edge connects a 
set of invertices to a set of outvertices. In the context of business processes, an edge in 
a metagraph would be a task, and its inputs (resp. outputs) would be captured as the 
edge's in vertices (resp. outvertices). 
Figure 2. 7 illustrates a metagraph description of a business process consisting of four 
tasks { e1 , e2 , e3 , e4}, where the ovals represent the inputs and outputs of each task. More 
specifically, task e3 requires { x 3 , x 4 , x5 } as its inputs, and produces { x 6 , x8 } as its outputs. 
34 
Figure 2.7: Metagraphs - An Example 
The general connectivity-related questions addressed using metagraphs are: [11] 
1. If a certain input is unavailable, what set of tasks will be affected, and to what 
extent will the completion of the process be affected? 
2. If a certain task is disabled, to what extent will the remainder of the process be 
affected? 
Figure 2.8: Representational Equivalence of Metagraphs & Petri nets - An Example 
It is easy to create an equivalent Petri net model for a metagraph, namely, by mapping 
the vertices and edges in the metagraph to places and transitions in a Petri net. This 
equivalency is illustrated in Figure 2.8, which presents an equivalent Petri net model for 
the metagraph of Figure 2.7. However, while a Petri net can model multiplicity in the 
number of inputs and outputs, the metagraph models only the presence/ absence of inputs 
and outputs, and similarly, while the Petri net specifies the partial/total ordering of the 
various tasks, the metagraph fails to capture any ordering among the tasks. Moreover, 
35 
all similarities between the techniques end here, and each has spawned its own set of 
distinct analysis techniques. Table 2.1 compares and contrasts the individual strengths 
and capabilities of both metagraphs and Petri nets. 
Table 2.1: A Comparison of Metagraphs and Petri nets 
Modeling Support 
Control flow 
Multiplicity in resource usage 
Capturing time-specific information 






















There has been no previous research related to studying the resource-sharing problem in 
the design of business processes. More importantly, there are no techniques available to 
alert the designer about potential deadlock possibilities, save for simulated executions, 
which include additional overheads in terms of design specification. The techniques 
presented in Chapter 4 make novel use of the control flow model to alert the designer 
about potential deadlock possibilities not immediately evident in the process's design. 
36 
Chapter 3 
The Korrectness Algorithm 
Chapter Overview 
This chapter presents the KORRECTNESS algorithm, a recursive, backtracking algorithm 
for verifying the correctness of a control flow model. It does not impose any restriction on 
the form/structure of the control flow model and its results can also be used to identify 
the source of control flow error(s), if any. Some interesting results on properties to be 
expected in random control flow models are also derived. 
3.1 Introduction & Background 
The basics of the control-flow problem were defined in Sections 1.3. More formally, a 
control flow model is a directed graph G = (V, E), where: 
• V = S U T U As U AJ U Xs U XJ U F is the set of vertices 
• E = {(x, y) Ix, y EV; x =/ y} is the set of directed edges leading from x toy 
• 3! x EV 3 indeg(x) = 0 {:}xis the Start node, labeled as S 
• 3! x EV 3 outdeg(x) = 0 {:}xis the Finish node, labeled as F 
• T = {~, i = 1, 2, ... , t} is the set of all Tasks 
37 
• As= {Ai, i = 1, 2, ... , as} is the set of all AND-Splits 
• AJ = {Ai, i =as+ 1, as+ 2, ... , as+ aJ} is the set of all AND-Joins 
• Xs = {Xi, i = 1, 2, ... , xs} is the set of all XOR-Splits 
• XJ = {Xi, i = xs + 1, xs + 2, ... , xs + XJ} is the set of all XOR-Joins 
The verification requirements of correct control-flow are [40]: 
Unique Termination The process must terminate exactly once. 
Proper Termination The process must terminate exactly once, without any residual 
control flows abandoned elsewhere in the process. 
3.2 The Korrectness Algorithm 
The KORRECTNESS algorithm is a backtracking algorithm that identifies all valid process 
execution traces from Start to Finish. The algorithm may be informally summarized as 
follows: 
• Find all directed acyclic paths from Start to Finish, ignoring the presence or dis-
tinction among the various logical operands and task node - this is readily done 
with a standard depth-first search. 
• Now that all paths from S to F have been found, is it possible to collect or combine 
them in a manner that represents the execution of the process, while accurately cap-
turing the influence of the various AND (parallelism) and XOR (choice) operands? 
This is the KORRECTNESS algorithm. 
• The paths discovered using the depth-first search would not include cycles in the 
control flow model. In the event that the model does contain cycles, a few addi-




A PATH from S to Fis an ordered sequence of vertices (S = v1, v2 , ••• , Vn = F) where 
vi EV, and (vi-I,vi) EE. A META-PATH is a union of one/more paths, and a VALID 
META-PATH is a collection of paths, which, taken together, represents one possible pro-
cess trace, i.e., an instance of the correct execution of the process from Start to Finish. 
F 
Figure 3.1: An Illustration of Paths and Meta-paths 
The set P of all paths from S to F for the control-flow model in Figure 3.1 is: 
• PATH 1 (p1): (S, A1, Ti, A3, F) 
• PATH 2 (p2): (S,A1,A2,T2,A3,F) 
• PATH 3 (p3): (S, A1, A2, X1, T3, X2, A3, F) 
• PATH 4 (p4): (S,A1,A2,X1,T4,X2,A3,F) 
There are two valid meta-paths for the process in Figure 3.1, namely, {PATH 1, PATH 2, 
PATH 3}, and {PATH 1, PATH 2, PATH 4}, both representing valid execution traces for 
the process. Now, how does one go about identifying the various meta-paths in a process 
model, and how will it help us in verifying if the process model is correct or otherwise? 
Some more definitions follow. 
39 
A COUNTER is a 2-tuple (i,j) that is added as a label by AND-Split (or AND-Join) 
Ai to each of its j outgoing (respectively, incoming) edges. Counters are added only to 
edges originating from (or leading into) AND-Splits (-Joins), and by default, there are 
no labels on any of the other edges - the counter on edge ( x, y) will be identified by 
the set c(x,y). While identifying the various paths from S to F, the counters that are 
present in the edges traversed along those paths are also noted. Thus, PATH 3 uses {(1, 
2), (2, 2), (3, 3)}. This is more compactly represented as a 2-tuple (p, Gp), where pis the 
name of the path, and GP is the set of all counters present in path p; this is stored as the 
PATH-COUNTER information for the control-flow model of the process. Thus, the path-
counter information for the process in Figure 3,1 is {(PATH 1, {(1, 2), (3, 3)}), (PATH 2, 
{(l, 2), (2, 2), (3, 3)} ), (PATH 3, {(l, 2), (2, 2), (3, 3)} ), (PATH 4, {(l, 2), (2, 2), (3, 3)} )}. 
A few additional concepts are required for identifying the meta-paths. Observe that 
two paths that share a common XOR-Join (or -Split), namely, by entering (or leaving) 
through different edges into (or from) a common XOR-Join (or -Split), cannot be in the 
same meta-path, since it would violate the definition of an XOR operand. To illustrate, 
PATH 3 and PATH 4, in the example above, cannot occur in the same meta-path, since 
they share a common XOR-Join, namely, X 2 • However, note that two paths that enter 
(or leave) a common XOR-Join (or -Split) through the same edge do not violate the 
situation just described, and may likely occur in the same meta-path. More formally, 
\fpi,Pi E P, ViolateXOR(pi,Pi) = TRUE if both Pi and Pi enter (or leave) a common 
XOR-operand through different edges. 
A few other definitions that would be required are: 
• \fp E P, let V(p) ~ V be the set of vertices covered by path p. 
• \fx EV, N+(x) = {yl(x, y) EE} is the set of vertices leading out from x 
40 
• Vx EV, N-(x) = {yj(y, x) EE} is the set of vertices leading into x 
• Va E AJ, CounterslnAN D(a) = LJ c(x, a), i.e., the counters arriving at an 
xEN-(a) 
AND-Join. 
• Va E As, CounterslnAN D(a) = LJ c(a, x), i.e., the counters created at an 
xEN+(a) 
AND-Split. 
• Va E AJ, PathsThrough(a) = {p E P I a E V(p)}, i.e., the set of all paths through 
an AND-Join. 
• Vp E P, ANDJoinslnPath(p) = {a E AJ I a E V(p)}, i.e., the set of all AND-Joins 
in a path. 
3.2.2 The Control Flow Problem is NP-Complete 
Hofstede et al. (1998) use a reduction of the Satisfiability problem to a control flow 
problem, to prove that the latter is NP-complete. This section presents an alternate 
derivation that reduces the problem of finding valid meta-paths to that of finding maximal 
cliques, an approach that offers more insights into the nature of the control flow problem. 
In addition to the control flow model, three additional graphs, using the set of all paths 
P as their vertex set, are constructed. 
XOR-Representation Graph Xe= (P, Ex). The edge set Ex is constructed thus: 
Vpi,Pj E P, (pi,Pj) E Ex{:} ViolateXOR(pi,Pj) = TRUE. 
The edges of this graph identify the paths that share a common XOR-Join or -Split, 
and thus cannot be in the same meta-path. 
AND-Representation Graph Ac= (P, EA)- The edge set EA is constructed thus: 
Vpi,Pj, (Pi,Pj) E EA{:} ANDJoinslnPath(pi) n ANDJoinslnPath(pj) =/- r/J. 
This edges of this graph identify the paths that share common AND-Joins, and 
thus are likely to be included in the same meta-path. 
41 
Path-Representation Graph Pa= (P, Ep), where Ep =EA\ Ex. 
The edges of this graph combine the information contained in Aa and Xa; the 
edges identify all pairs of paths that will occur in the same valid meta-path. 
The three {·}-representation graphs for the control flow model of Figure 3.1 are shown 
in Figure 3.2. 
P3 •e---eep4 
(a) 
Figure 3.2: (a) XOR-Representation, (b) AND-Repr., and (c) Path-Repr. Graphs 
In general, both Xa and Aa will be a collection of disjoint vertices, and other connected 
components. The XOR-representation graph reveals a few intuitive details about the 
various meta-paths in a process, namely, that every set of independent vertices (i.e., a 
set of vertices, no two of which are connected by an edge) in Xa is a potential meta-path, 
and thus, the number of valid meta-paths cannot exceed the number of independent sets 
in Xa. Additionally, each complete sub-graph in Aa is a potential valid meta-path, given 
· that all paths in that sub-graph share common AND-Joins, and consequently, common 
counters. Now, the Path-representation graph essentially combines the information con-
tained in both Aa and Xa, to create a graph consisting of several components, from 
which all valid meta-paths can be extracted, using the following theorem. 
42 
Theorem 3.1 The control flow model is correct if and only if the vertices in every max-
imal clique in Pa represent a valid meta-path. 
Proof ( =}, by contradiction) Suppose C C P is a maximal clique in Pa, and the paths 
in C do not represent a valid meta-path. Now, are all the paths in C required for a valid 
meta-path? Yes, since they all share common AND-Joins. Since the control flow model 
is correct, there exists at least one more path p Ff C that is required to complete the valid 
meta-path. Since pis required, it must merge with a path Pa E C at some AND-Join, say 
Aa. Since C is a complete subgraph, any other path Pf3 EC must also share a common 
AND-Join, say, Af3, with Pa· Now, since Aa and Af3 lie on Pa, there are two possibilities, 
i.e., there is either (i) a path from Af3 to Am or (ii) a path from Aa to Af3· In case (i), 
the path from Af3 to Aa lies on both Pf3 and Pm which implies that pis incident with Pf3 
as well, since Pf3 joins p at Aa. In case (ii), the path from Aa to Af3 lies on both p and 
Pa, which implies that p joins Pf3 as well at Af3· Since this holds for any path Pf3, this can 
be extended to show that pis incident with all other vertices in C, thereby contradicting 
the maximality of C. 
( ¢=, by contrapositive example) Consider the first incorrect model shown in Table 1.2. 
The Path-representation graph is just the empty graph with two isolated vertices, the 
vertices corresponding to the two paths from S to F. Each isolated vertex in Pa is a 
maximal subgraph; however, each vertex by itself is not a valid meta-path, thereby com-
pleting the proof. • 
Let M be the set of all valid meta-paths for the control flow model represented with Pa. 
An immediate corollary of Theorem 3.1 is: 
Corollary 3.1 The control flow model is correct{:} Vp E P, :3m EM 3 p Em. 
43 
The * part of the proof tells us that for a correct control flow model, every maximal 
clique in Pa is a valid meta-path, identifying all of which is NP-complete [97]. It also 
suggests our first bound, namely, that the size of the largest clique in Pa is the size of the 
largest valid meta-path - can this bound be improved? Suppose, in the extremal case, 
there is a path p which traverses through all the AND-Joins; clearly, in a correct model 
this path would require the maximum number of paths to be included along with it, to 
create a valid meta-path. The maximum number of paths thus required will be equal to 
the sum of the in-degrees of all the AND-Joins in p, which would be at most 6AJ * aJ, 
where 6AJ is the maximum in-degree of any of the aJ AND-Joins. Thus, the size of the 
largest valid meta-path in a control flow model (and the size of the largest clique in Pa) 
is at most 6AJ * aJ. 
The ~ part of the proof presents some clues on how to identify if the model is incorrect 
or otherwise, namely, that if a maximal clique is an invalid meta-path, then the control 
flow model is incorrect. In any case, establishing that the control flow model is correct 
is equivalent to finding all the maximal cliques in Pa, thereby making it NP-complete -
so why study this problem at all? 
Let us analyze the steps that would be needed for solving the control flow problem. 
Finding all the Paths 
The first step is to find the set P of all directed acyclic paths from S to F - this is 
readily done with a standard depth-first search routine (Algorithm 1); the special case of 
handling cycles in the control flow model is discussed in Section 3.2.5. The time taken 
for finding a single path is 0(/E/), and as we will see in Section 3.2.6, many of our results 
will depend on /Pl, the number of S-F paths. However, there is no closed-form expres-
sion for estimating /Pl as a function of the degree distribution (6x8 , 6A8 ) and other 
44 
parameters, namely, X8 , XJ, as, aJ, of the control flow model. Moreover, in the worst-case, 
the number of S-F paths can be exponential, as is for the extremal example of Figure 3.3. 
Algorithm 1: Path Enumeration 
Input: The current-node in the search tree, the path traversed thus far, and 
the goal. 
Output: The set P of all paths from S to F. 
PATHENUM( currnode, currpath, goal) 
(1) if currnode = goal 
(2) PATHS t- PATHS U {currpath} 
(3) else 
( 4) foreach x E N+ ( currnode) 
(5) if x fj. currpath 
(6) PATHENUM(x, currpath U { x }, goal) 
Figure 3.3: A Control Flow Model with the Maximum Number of S-F Paths 
Construction of the Meta-Paths 
Now that all paths have been found, the maximum number of potentially valid meta-
paths would be the power set P(P) with size 2IPI - all of these possibilities would have 
to be checked to identify which one is, and which one is not a valid meta-path, which 
is exponential in the worst case. However, the problem is not entirely without hope. 
45 
Observe that if Vi_ and Vi are two valid meta-paths, is it possible that Vi_ c Vi? - No, 
since that would contradict the maximality of the clique that Vi_ represents in Pa. Thus, 
there are certain subtleties unique to the character of the control flow problem that can, 
and have been exploited, in developing MPSEARCH, a recursive backtracking approach for 
identifying all the valid meta-paths. 
3.2.3 Construction of Meta-Paths 
The MPSEARCH procedure is a recursive, backtracking algorithm that identifies all valid 
meta-paths from a depth-first search tree of all meta-paths. To better motivate the 
discussion that follows, consider a few questions - what is a valid meta-path, or more 
simply, why isn't a path sufficient to represent the process's execution? Suppose there 
is a path p with a non-NULL counter set Gp. The presence of counters in p implies that 
there is at least one AND-Split ( or -Join) occurring in p, which indicates that there are 
one/more parallel threads created (or merged) along with pin the process's execution. 
The collective representation of p, along with all of its parallel threads, represents a trace 
of the sequence of tasks that an instance of the process might progress through - this 
collective representation is what is defined as a valid meta-path. The idea behind the 
creation of meta-paths originated from the realization that in a correct process execution, 
all parallel threads created with an AND-Split are subsequently merged at an AND-Join. 
More intuitively, the process begins with no counters from S and ends with no counters 
upon reaching F - this is the principle that has been formalized as the KORRECTNESS 
algorithm, an informal description of which is presented next. 
In the example of Figure 3.1, PATH 1, i.e., p1 = (S, A1 , T1 , A3 , F), is not a valid meta-
path in itself, since it carries the counters {(1, 2), (3, 3)}, with (1, 2) implying that it 
is one of the two threads that originate at A1 , and (3, 3) implying that it is one of the 
three threads that merge at A3 . Consequently, some more paths have to be included 
46 
along with p1 to account for the missing threads; let M = {p1} be the current meta-path, 
and CM = {(1, 2), (3, 3)} be its counter-set. Any other path that is included with p1 
must necessarily pass through some AND-Join present in p1 . To this end, if there were 
no AND-Joins in p1 , and yet if it carries some counter, say (i,j), then this would be an 
invalid meta-path, since the sub-thread created at AND-Split Ai could never be merged 
with any other thread due to the absence of AND-Joins along the path. Clearly, this 
intuitive approach presents the germ of an idea for diagnostic checking to help identify 
the source of control flow errors, if any - this is further elaborated in Section 3.2. 7. 
Is it permissive to include PATH 3 in M? Yes, since ViolateXOR(p1,p3 ) = FALSE, and 
there is an AND-Join present in p1 . Is it worthwhile adding p3 to the current meta-path? 
Yes, since it carries counters that are present in the counter-set of our meta-path, and 
thus, the meta-path is now M = {p1,p3}. What is CM, the current counter-set of M? 
Note that when a new path Pi is added to a meta-path M, care must be taken to include 
only those counters that occur on edges not already traversed by one of the paths in-
cluded in M, to avoid double-counting of any counter(s) - this is the GETUSEFULCNTRS 
procedure. By this rule, if p3 is included in M, all of its counters can be appended to CM, 
since all of them occur on edges not already covered by the existing path in M, namely, 
p1 . Thus, the meta-path is now M = {p1 , p3} and CM = {(1, 2), (1, 2), (2, 2), (3, 3), 
(3, 3)}. 
Observe that there are two occurrences of the counter (1, 2) in CM - this confirms that 
both the threads that originated at A1 have been accounted for, and can be removed 
from all future consideration. Moreover, the GETUSEFULCNTRS procedure ensures that 
these counters will not be included again. Thus, if the number of occurrences of a counter 
(i,j) in CM is equal to j, they are removed from the counter-set - this is the REMOVE-
MATCHEDCOUNTERS procedure. By this rule, both occurrences of (1, 2) in CM are 
47 
removed, whereby, CM= {(2, 2), (3, 3), (3, 3)}. The meta-path is not valid yet - it still 
remains to account for (2, 2) and (3, 3). Consider the most recently added path, namely, 
p3 - any other path(s) to be included in the meta-path must also necessarily pass through 
any AND-Joins in p3 ; to this end, the reasoning used for including p3 can be repeated 
recursively, i.e., by looking at the AND-Joins in the last added path (p3 ). There is one 
AND-Join, namely, A3, in p3, and PathsThrough(A3) = {p1, P2, p3, p4}. Since p1 and 
p3 are already present in M, the only paths that merit consideration for inclusion in M 
are p2 and p4. 
As before, consider the question - is it permissive to include p4 in M? No, since 
ViolateXOR(p3,p4) = TRUE, or alternatively, (p3,p4) E Ex. More precisely, only 
paths that do not share a common XOR-Join or -Split, along different edges, with one of 
the paths already present in the meta-path can be chosen for inclusion. We can however, 
include p 2 in our meta-path, whereby M = {p1 , p 2 , p 3 }. Although CP2 = {(1, 2), (2, 2), 
(3, 3)}, the (1, 2) counter cannot be included since it occurs on an edge A1 --+ A2 that 
has already been covered by p3 - this is handled by the GETUSEFULCNTRS procedure. 
Now, CM = {(2, 2), (2, 2), (3, 3), (3, 3), (3, 3)}, and by an application of the REMOVE-
MATCHEDCOUNTERS procedure, it reduces to CM= 0. Thus, one valid meta-path for 
the control flow model of Figure 3.1 has been identified, namely, by accounting for all 
sub-threads that were created along the paths from S to F. The intuition described thus 
far has been formalized into a backtracking procedure, MPSEARCH (Algorithm 2), that 
can be used to generate all the meta-paths that require a particular path. To illustrate, 
the set of all valid meta-paths that include PATH 1, i.e., p1 , for the control-flow model 
of Figure 3.1, is generated by MPSEARCH(p1, {p1}, CpJ-
Line 1 begins the MPSEARCH procedure by removing all matched counters, following 
which, if the set Temp is empty, it follows that currmetapath is a valid meta-path, and 
48 
Algorithm 2: Meta-Path Enumeration 
Input: The last-added path, the current meta-path, and the current counter-
set. 
Output: The set of all valid meta-paths that can be generated from the current 
meta-path. 
MPSEARCH(lastaddedpath, currmetapath, currcounterset) 
(1) Temp+- REMQVEMATCHEDCOVNTERS(currcounterset) 
(2) if Temp = 0 
(3) # we have a valid meta-path - adjoin it to the set of valid meta-paths 
(4) ValidMetaPaths +- ValidMetaPaths U {currmetapath} 
(5) # include the paths in currmetapath in the set of paths covered 
(6) PathsCovered +- PathsCovered U currmetapath 
(7) # mark the last added path 
(8) PathsMarked +- PathsMarked U {lastaddedpath} 
(9) else 
(10) CurrentM etaPathlnvalid +- TRUE 
(11) foreach a E ANDJoinslnPath(lastaddedpath) 
(12) if Temp n CounterslnAN D( a) =/. 0 
(13) foreach p E PathsThrough(a) 
(14) if p ¢ currmetapath and p ¢ PathsMarked 
(15) if NoCOMMONXORJOINORSPLIT(p, currmetapath) 
(16) Temp+- Temp U GETUSEFULCNTRS(p, currmetapath) 
(17) CurrentM etaPathlnvalid +- F ALBE 
(18) MPSEARCH(p, currmetapath U {p}, Temp) 
(19) if CurrentMetaPathlnvalid 
(20) # The current meta-path is an invalid meta-path 
(21) InValMPath +- InValMPath U {{currmetapath}, {currcounterset}} 
is included with the set of valid meta-paths (line 4). Upon discovering a valid meta-
path, the lastaddedpath is also marked (line 8), as a way of remembering that all valid 
meta-paths that include it will be discovered in the current call to MPSEARCH, i.e., by 
exploring all branches leading out from lastaddedpath. Additionally, the paths in the 
set PathsM arked serve us well in that, should a marked path be encountered in ex-
ploring any other branch of the search tree, the search can be terminated, since any/ all 
valid meta-paths in that route would have already been discovered. The procedure No-
COMMONXORJOINORSPLIT(p, currmetapath) checks to see that ViolateXOR(·, ·) is 
FALSE for p and every other path in currmetapath. Additionally, if the search fails to 
progress along the search tree, currmetapath is included in the set of invalid meta-paths 
(line 21), to be used later for diagnostic checking (Section 3.2.7). The remainder of the 
procedure is self-explanatory, and is identical to the discussion presented earlier. 
49 
3.2.4 The Komplete Korrectness Algorithm 
The KORRECTNESS algorithm (Algorithm 3) is a backtracking algorithm for generating 
all valid meta-paths in the process model. It involves two steps - (i) generate all di-
rected paths from Start to Finish, and (ii) scan them one by one, calling in turn, the 
MPSEARCH routine, while taking care not to scan paths that have already been included 
in other meta-paths. After all the valid meta-paths have been identified, it only remains 
to check that all paths in P appear in at least one valid meta-path to ensure that the 
control flow model is correct (Corollary 3.1). 
Algorithm 3: The Korrectness Algorithm 
Input: The control-flow model G = (V, E) 
Output: The set ValidM etaPaths of all valid meta-paths 
KORRECTNESS( G) 
(1) # generate the set P of all Paths from S to F 
(2) PATHENUM(S, { S}, F) 
(3) # generate the set of all valid meta-paths 
(4) PathsCovered +-- (/J 
(5) foreach p E Paths 
(6) if p (/_ PathsCovered 
(7) PathsM arked +-- (/J 
(8) MPSEARCH(p, {p}, Gp) 
3.2.5 Resolving Cycles in the Control Flow Model 
The set P includes only directed acyclic paths from S to F; what if the control flow 
model was not acyclic? A simple test to check if the model is cyclic or otherwise is to 
check if v \ upEP V(p) = 0, i.e., do the paths in P cover all the vertices of the set V? 
This gives rise to two cases. 
Case 1: V \ upEP V(p) = 0 
The fact that the paths in P include all vertices in V does not exclude the presence of 
cycles - four such possibilities are presented in Table 3.1. 
50 
.Table 3.1: Control Flow Sub-models with Empty Cycles 
Sub-models Discussion 
(a) This sub-model is correct. 
(b) This sub-model is incorrect, since it 
violates the requirement of unique ter-
mination. 
( c and d) These sub-models are incor-
rect, since they model concurrency in 
feedback which makes it impossible for 
control flow to proceed. 
In sub-model (a) of Table 3.1, the XOR-pairs model recursion in the flow of control, 
which must eventually move ahead from the second XOR - to this end, it is immaterial 
if control flow is looped more than once within the model, and such a model can be 
analyzed with the KORRECTNESS algorithm. However, should iteration be misused as in 
sub-models (b)-(d) of Table 3.1, the algorithm will correctly identify the error, since the 
counters generated at the AND-Joins/Splits will never be accounted for by any path in 
P. Consequently, the KORRECTNESS algorithm can be used without any further checks 
for the case v \ upEP V(p) = 0. 
Case 2: V \ upEP V(p) =I- 0 
Let V* = V \ upEP V(p). The following two rules can be used to immediately identify if 
a control flow model with cycles is incorrect. 
Rule 1 :3a E As 3 N+(a) n V* =I- 0 =} The control flow model is incorrect. The fifth 
example in Table 1.2 illustrates this rule, which essentially means that should an 
AND-Split lead control flow away into a cycle that does not reach toward F, then 
51 
the model is incorrect , since the counter created by the AND-Split will never be 
accounted for, in any meta-path. 
Rule 2 :la E AJ 3 N-( a) n V* =/- 0 =:, The control flow model is incorrect. The situation 
tackled by this rule is similar to that created in sub-models ( c) and ( d) of Table 
3.1 , and essentially implies that should an AND-Join receive control flow from an 
element that is not part of a directed path from S to F , it becomes a situation 
wherein control flow will not proceed any further. 
Now, there are four possibilities, as regards the content of V*, namely - (i) V* ~ T , i.e., 
the elements not covered by P are all tasks with just sequential flow of control among 
them, (ii) V* ~ (T UXsUXJ) , i.e. , the elements not covered include just choice and/or 
sequential flow of control among them, (iii) V* n AJ =I- 0, and/or (iv) V* n As =I- 0. Both 
(i) and (ii) can be easily eliminated by applying rules 1 and 2; it is (iii) and (iv) that is 
more interesting. 
The Set V \ V * 
The Set v • 
Figure 3.4: Connectivity between Vertices in V* and V \ V* 
By definition, the control flow model is a single connected component, and so, the ele-
ments in V* must be connected to the vertices in V \ V* at either XOR/ AND logical 
operands (labeled in Figure 3.4 with???). If they were connected at an AND-Join/Split, 
then rules 1 and 2 will eliminate the model as incorrect. Consequently, the only cases 
that need to be considered are those in which the elements in V* are c9nnected to the 
main model via XOR operands - this will be referred to as the XOR Rule. 
52 
The Set V \ v • 
--~ :::::: )E)j- -- -=e--
An AND.Join that is part of an internal A dead AND.Join 
concurrent path 
Figure 3.5: Control Flow Sub-model Possibilit ies for the Case V* n AJ =/. 0 
Consider cases (iii) and (iv) presented above. If v• n AJ =/. 0, then there are only two 
possible ways that an AND-Join may occur in V*. Figure 3.5 illustrates these two pos-
sibilities, namely, an AND-Join is dead and will never get activated, or is part of an 
internal con current path. If the AND-Join is dead , it doesn 't affect the KORRECTNESS 
algorithm, but it still remains to ident ify that it is dead; if it is part of an internal con-
current path, then V* n As =/. 0, or else the model would be incorrect, which leads us to 
(iv) above. Note that the operand labeled ??? in Figure 3.5 may either be an XOR (in 
which case it would be incorrect) , or an AND (which would be (iv) again). 
Let P{x,y} be the set of all directed, acyclic paths from vertex x to vertex y , and let 
V(P{x,y}) be the set of vertices covered by these paths. If V* n As =/. 0, then the 
following rules can be used to (i) identify dead AND-Joins, and (ii) eliminate incorrect 
models. 
Rule 3 3x E AJ n V* , {y,z} E Xs \ V * 3 (IP{y,x} I ~ 1) A (IP{z,x}I ~ 1) A (IP{y,x} I =/. 
IP{ z ,x} I) =} the AND-Join x is dead. This essentially means that if there are two 
XOR-Splits {y, z} E V \ V * which have different paths leading into a common 
AND-Join x E V *, then the AND-Join is dead, as is illustrated in Figure 3.5. 
Consider case (iv): Let x E As nV* ~nd y E XJ \ V *). If IP{x,y} I = 0, then the XOR-Join 
does not lie on a direct path from x, and can be ignored. If IP{x,y} I = 1, then the control 
flow model is incorrect, since there are at least two threads created at AND-Split x, and 
53 
The Set V \ v• 
Multiple paths from A 9 to X 6 
Figure 3.6: Illustration of Multiple Paths from an AND-Split to an XOR-Join 
they must all be merged before they reach the main threads in V \ V* , or else they will 
never be merged (by the XOR Rule). If the multiple threads created at x were merged 
at say, node z, then there would be (at least) one path from z toy and two/more paths 
from x to z, each of which can be combined to create two/more x - z -y paths, thereby 
contradicting the correctness of a model with IP{x,y}I = 1. If IP{x,y} I > 1, then these mul-
t iple paths may occur as a result of internal concurrent paths, as is illustrated in Figure 
3.5, or multiple distinct paths as is illustrated in Figure 3.6, the latter being incorrect 
- this can be easily solved by applying the KORRECTNESS algorithm to the sub-model 
beginning with AND-Split x and ending with XOR-Join y, and using P{x,y} as the set of 
paths from which the valid meta-paths will be constructed. If no valid meta-paths are 
found, as would be the case for the example in Figure 3.6, then the model is correctly 
identified as incorrect. 
Rules 1 and 2 can both be evaluated in linear time, and Rule 3 can be evaluated in O(IEI), 
namely, the run-time complexity for generating P{x,y} · The last rule (case (iv)), how-
ever, requires the same run-time complexity as that of the backtracking KORRECTNESS 
algorithm, which can be exponential in the worst-case. 
54 
3.2.6 Complexity Analysis 
The KORRECTNESS algorithm identifies all valid (and invalid) meta-paths by selectively 
enumerating and exploring combinations of the paths from S to F. In the worst case, 
the algorithm could end up scanning all 2IPI possible combinations of paths to identify 
even one valid meta-path - this could explode further if the number of valid meta-paths 
is again large. Note, however, that it is not entirely correct to say that all 2IPI possible 
combinations of paths will be explored, without taking into account the structure of 
the control flow model, namely, the number of AND-Joins, the distribution of the in-
degrees of the AND-Joins, the number of AND- and XOR-Splits, etc. - these issues are 
summarized in the following questions: 
• What is the expected number of valid meta-paths in any control flow model? 
• What is the expected time it will take to identify a single valid meta-path? 
It is clear that the KORRECTNESS algorithm is exponential in the worst case. However, 
what about on average? 
Establishing the Average Number of Valid Meta-Paths 
Suppose a control flow model with 20 nodes is randomly drawn - it is possible to estimate 
the average number of valid meta-paths in such a model? What if the model has 20,000 
nodes? It turns out that, on average, the number of valid meta-paths to be expected in 
any control flow model is at most 9. Also, if the number of paths from S to F is say, 
50, then, the expected number of valid meta-paths in such a control flow model is only 
about 4.6. 
Let Pn be the maximum number of pa_ths possible between S and F in a control flow 
model with n vertices, and call this set Pmax = {p1,P2, ... ,PPn}. The set of all possible 
paths that can be discovered for a given control flow model is the power set P(Pmax) with 
55 
size 2Pn. Let Av ( k) be the average number of valid meta-paths that can be discovered 
among k paths. Consequently, Vn, the average number of valid meta-paths in a control 
flow model with n vertices, averaged over all possible combinations of paths, is: 
(3.1) 
Equation 3.1 essentially sums over the number of ways of choosing k paths from a maxi-
mum of Pn, multiplied by Av(k), the average number of valid meta-paths among k paths 
(k = 0, 1, ... , Pn), and we have used the identity Lf:,0 (~n) = 2Pn. Consider Av(k) - it 
was noted earlier in Section 3.2.1 that the maximum number of valid meta-paths can-
not exceed the the number of independent sets in Xe, the XOR-representation graph. 
Consequently, the average number of valid meta-paths among k paths cannot exceed the 
average number of independent sets in the XOR-representation graph with k vertices. 
The exact formula for h, the average number of independent sets in a graph of order k 
is ([97], §5.6) 
1- -t, G)r<.-1>1, (3.2) 
substituting for which, in equation 3.1, and using the relation Av(k) ::; h, we get 
(3.3) 
where the last inequality has been obtained by just manipulating the binomial coeffi-
cients in the inner sum using the identities (~n) (;) = (Pn-k~(~-r)!r! :S; (P;r (~n_7), and 
~Pn (Pn -r) = 2Pn -r. 
wk=r k-r 
56 
Now, the series represented in equation 3.3 is a unimodal sequence, i.e., the terms tr 
increase up to a certain value rm and then decrease thereon, whereby it follows that the 
sum of the sequence is at most ( Pn + 1) times the largest element in the sequence. To 
show that the sequence is unimodal, consider the ratio of two successive terms, tk/tk-l, 
which evaluates to Pn/(k2k). It is immediately obvious that for k ~ log2 (Pn), the ratio 
is less than 1, assuming Pn ~ 2. To better estimate rm, it remains to solve for k in 
k 2k = Pn, which can be rewritten as 
(k · ln(2)) · ek·ln2 = Pn · ln(2) (3.4) 
which, incidentally, is in the standard form for the Lambert's W function. The Lam-
bert's W function [14, 20] is evaluated as the value of W(x) that satisfies the equation 
W(x)ew(x) = x, and is usually approximated as:1 
{ 
0.665 · (1 + 0.0195 · ln(x + 1)) · ln(x + 1) + 0.04 
W(x) ~ 
ln(x - 4) - (1 - ln(x)) · ln(ln(x)) 
0::; X::; 500 
X > 500 
Additionally, symbolic processing packages like Maple readily compute the values of 
the Lambert's function using in-built recurrence relations [13, 20]. Comparing with 
the standard form of the Lambert's W function, it follows that the value of k · ln(2) 
that satisfies equation 3.4 is W(Pn · ln(2)). Thus, the value at which the sequence in 
equation 3.3 attains its maximum is rm = W(Pn · ln(2))/ln(2). Since the sum of the 
series in equation 3.3 cannot exceed (Pn + 1) times the value at trm, it follows that 
(3.5) 
The final result is obtained by using Sterling's approximation [97], i.e., n! ~ (e/nr, in 
equation 3.5 to prove that, on average, the number of valid meta-paths in a control flow 
model on n vertices is 
V: < _( P,_n_+_l_)_· _er~m 




Now, equation 3.6 is interesting in its own right. A plot of the value of the estimated 
upper bound for Vn for Pn = {1, 2, ... , 300} is shown in Figure 3.7. Figure 3.7 offers 
some interesting insights, namely, that in any control flow model, drawn at random, the 
average number of valid meta-paths does not exceed 9, which shall be referred to as the 
threshold of valid meta-paths, and moreover, as the number of paths from S to F in-
creases, the value of Vn converges to zero!! 
Threshold of Valid Meta-Paths 
l\ 




6 I \ 
i \ 
V_n I \\ 
4 I 
I 
"'" ~' -----~ --------------------·--·-······· 
2 
0 50 100 150 200 250 300 
Number of Paths from Start to Finish 
Figure 3.7: Expected Number of Valid Meta-Paths in a Random Control Flow Model 
Consider equation 3.6 ~ it reveals that, irrespective of the order of the control flow model 
n, the expected number of valid meta-paths is bounded, and is a function only of the 
number of paths from S to F. Suppose there are 237 paths from S to F. Equation 3.6 
and Figure 3. 7 confirm our intuition that in a model of such complexity, it is very likely 
that there are only a limited number of valid meta-paths. Now, what about the run-time 
complexity? More specifically, what is the expected time it takes to identify one valid 
meta-path? 
58 
Estimating the Run-time for the Korrectness Algorithm 
The main sets of notation that would be required are briefly summarized - P is the 
set of all S-F paths found in a control flow model on IVI vertices, with IEI edges, xs 
XOR-Splits, XJ XOR-Joins, as AND-Splits, and aJ AND-Joins. The maximum and 
minimum in-degree (resp., out-degree) of the XOR/ AND-Joins (resp., -Splits) will be de-
noted by 6.* and 8*, where { *} represents the logical operand under consideration, and 
6.A = max(6.As, 6.A.1). Note that the maximum size of a valid meta-path is 6.AJ * aJ 
(refer Section 3.2.2). It is also assumed that the three representation graphs Xe, Ac, 
and Pa have been constructed - this would require a run time of 8(IPl 2), to identify all 
the (l;I) possible edges in the graphs. Consequently, checking conditions like NoCoM-
MONXORJOINORSPLIT(pi, Pi) is just equivalent to checking if the corresponding edge 
is present (or absent) in Xe. A step-by-step analysis of Algorithm 2 is presented next. 
Line 1: Temp+- REMOVEMATCHEDCOUNTERS(currcounterset) 
Since counters are created only on edges incident with AND-Joins and -Splits, the maxi-
mum number of counters possible is 6.As *as+ 6.A.1 * aJ = 0(6.A)· Thus the maximum 
time required for this step of the algorithm is 0(6.A) - run through currcounterset once 
tracking the occurrence count of each counter, and run through it again, removing the 
matched counters. 
Line 11: foreach a E ANDJoinslnPath(lastaddedpath) 
Let us condition on the number of AND-Joins in the lastaddedpath, which corresponds to 
the number of times this loop will be executed. The probability that the lastaddedpath 
contains any AND-Join is the probability that it is one of the at least 8A.1 paths through 
the AND-Join, which is 8A.1/IPI. Thus, the probability that the lastaddedpath contains 
k AND-Joins is~(~) (~~.1 )· 
59 
Line 12: if Temp n CounterslnAN D(a) -/= 0 
Suppose the number of paths in currmetapath isl. Consider any path in currmetapath. 
The probability that it contains AND-Join a is the probability that it is one of the at 
least OAJ paths through a. Since there are l paths in currmetapath, the probability that 
at least one of them includes AND-Join a is 2'.: l ~it. 
Line 13: foreach p E PathsThrough(a) 
This loop will be executed at least o AJ times. 
Line 14: if p rt currmetapath and p rt PathsM arked 
This probability shall be approximated by q1, where l is the number of paths~in currmetapath. 
Line 15: if NoCOMMONXORJOINORSPLIT(p, currmetapath) 
The probability that p and some path p* E currmetapath share a common XOR-Join or 
-Split is at most x 8 / ('\s) + x 1 / ("~J), where 1/ ("~J) is the maximum probability that p 
and p* share two of the at least OxJ paths through a particular XOR-Join, and there are 
x1 choices for the XOR-Join (the argument is similar for XOR-Splits). Since there are l 
choices for p*, the pro~ability that p do~s not sh(are a c:;mon ~~R)-Join or -Split with 
any one of the l paths m currmetapath 1s 2'.: l * 1 - ("~s) - ("~J) . 
Line 16: Temp - Temp U GETUSEFULCNTRS(p, currmetapath). 
This step would require a run time of O(IEI) for checking the counters in each path, and 
consequently a total of l * O(IEI) for all paths in curremetapath, which is again O(IEI). 
60 
The calculations for the running time of the MPSEARCH procedure can now be sum-
marized. Let f(l) be the running time required by the procedure when the size of 
currmetapath isl. Based on the observations above, the running time can be written as 
Equation 3.7 is quite unwieldy. To simplify it further - in a worst case scenario - let us 
suppose that the probability that all the if conditions are satisfied is 1. In such a case, 
equation 3. 7 can be rewritten into a more comforting first-order recurrence as follows. 
(3.8) 
where we have used the identity I::;=0 k (;) = n * 2n-1 . The solution for the first-order 
recurrence of equation 3.8 is f(l) = O(c + E)1, where c = 2 I~~ 8 2 , for every E > 0 aJ. aJ • aJ 
([97], Theorem 1.4.1). 
Now, f(l) is the time spent in evaluating all branches in the search tree at a level where 
the number of paths in currmetapath is l. In the worst case, the MPSEARCH proce-
dure may end up exploring all branches at all levels, namely, for l = {1, 2, ... , IPI - 1}, 
whereby, the absolute worst case running time for finding even one single valid meta-path 
is estimated as I::1 f(l) = O(c + E)IPI. 
Clearly, this is the worst-case scenario for the time it takes to complete one run through 
the MPSEARCH procedure, and correspondingly, to identify one valid meta-path. Since 
the expected number of meta-paths is bounded (Section 3.2.6), the expected running 
time for finding all valid meta-paths is also O(c + E)IPI. Thus, the total running time for 
the KORRECTNESS algorithm is O(IEI) + 8(IPl 2 ) + O(c + E)IPI. 
61 
Scope for Improvement 
There are two main avenues for improving both the design and the analysis of the Ko-
RRECTNESS algorithm, namely: 
· • Is it possible to design heuristics to "speed-up" the search process? Will it improve 
the speed of the MPSEARCH procedure if it is begun with a path that has the 
maximum number of AND-Joins? Or, is it possible to pre-process and sort the set 
of paths in P taking into account the specific structure of the control flow model, 
namely, the in- and out-degree distribution of the logical operands? Also, none of 
the steps in Algorithm 2 make any choices based on the size of currmetapath - can 
this information be used to influence the search time? 
• The worst case analysis presented in Section 3.2.6 is quite crude, and does not 
exploit attributes specific to the structure of the control flow model which will 
definitely impact the traversal of the search tree. There is much scope for improving 
the running-time bound for J(l). More specifically, is it possible to estimate the 
probability qi that was assumed for line 14 of Algorithm 2? Is it possible to derive 
a better estimate of the expected running time of the algorithm to show that, 
perhaps, it is usually fast? 
3.2. 7 Diagnostic Checking of the Control Flow Model 
This section will discuss the use of the KORRECTNESS algorithm for identifying the source 
of control flow errors in a business process model. Consider the incorrect process model 
of Figure 3.8. 
The results of the KORRECTNESS algorithm (implemented in PYTHON) are as follows: 
Paths There are 7 paths from Start to Finish. The paths from Start to Finish are: 
'path2': [ 's' ' 'Ai' , C Xi' ' 'Ti' , 'X6' , 'A2' , 'X7' , 'F' J ' 
'path3': [ 's' ' 'Ai', 'Xi' , 'T2' , 'X5' , 'A2', 'X7', 'F' J ' 
'path!': [ 's' ' 'Ai', 'X2' , 'T4' , 'X7', 'F' J ' 
'path6': [ 's' ' 'Ai' , 'X2', 'T3' , 'X4' , 'X5', 'A2', 'X7', 'F' J , 
62 
Figure 3.8: Incorrect Process Model - An Example 
'path7': ['S', 'A1', 'X2', 'T3', 'X4', 'X6', 'A2', 'X7', 'F'], 
'path4': ['S', 'A1', 'X3', 'T5', 'X6', 'A2', 'X7', 'F'], 
'path5': ['S', 'A1', 'X3', 'T6', 'X5', 'A2', 'X7', 'F'] 
Counter-Sets The counters in all the paths, including the edge that the counter occurs 
on, are: 
'path2' : [ [ ( 'A1' , 'X1') , (1, 3)], [ ( 'X6' , 'A2') , (2, 2)]], 
'path3' : [ [ ( 'A1' , 'X1') , (1, 3)], [ ( 'X5' , 'A2') , (2, 2)]], 
'path1': [[('A1', 'X2'), (1, 3)]], 
'path6': [[(' Ai', 'X2'), (1, 3)], [('X5', 'A2'), (2, 2)]], 
'path7': [[('A1', 'X2'), (1, 3)], [('X6', 'A2'L (2, 2)]], 
'path4' : [ [ ( 'A1' , 'X3') , (1, 3)], [ ( 'X6' , 'A2') , (2, 2)]], 
'path5': [[('A1', 'X3'), (1, 3)], [('X5', 'A2'), (2, 2)]] 
Predictably, the set of valid meta-paths is empty. The list InValMPath of all invalid 
meta-paths is: 
Invalid Meta-paths The invalid meta-path results, i.e., (set of paths, counter-set) are: 
1: [[-'path2', 'path6'], [(1, 3), (1, 3)]], 
2: [['path3', 'path7'], [(1, 3), (1, 3)]], 
3: [['path1'], [(1, 3)]], 
4: [['path4', 'path3'], [(1, 3), (1, 3)]], 
5: [['path5', 'path2'], [(1, 3), (1, 3)]] 
63 
None of the paths occur in any valid meta-path - let us investigate further. 
• PATH 1 does not cover any AND-Joins, and so, the (1, 3) counter that it carries 
can never be removed. 
• All the other meta-paths are short of just one more (1, 3) counter - now, why did 
this occur? Observe that each meta-path includes both the XOR-Joins, namely, 
X5 and X 6 • Since each XOR-Join requires only one flow through its incoming arcs, 
other paths through these XOR-Joins cannot be included. The only other path is 
PATH 1, which, however, cannot be added since it doesn't cover any AND-Joins. 
Thus, a wealth of information can be extracted simply by examining the final meta-path 
results and by tracking the counters that remain unaccounted for, in each incomplete 
meta-path, to provide precise feedback about the source of the control flow error(s). 
3.3 Summary 
This chapter presented the KORRECTNESS algorithm, a graph-theoretic approach to ad-
dressing correctness issues in control-flow models, without any restriction on the form 
or structure of the business process. The algorithm has been implemented in MAPS, a 
computerised environment for Modeling and Analysis of Process modelS, the details of 
which are presented in Chapter 5. 
Additionally, it has been shown that, on average, the number of valid meta-paths in a 
random control-flow model does not exceed 9. From an implementation standpoint, this 
is very satisfying, since it would imply that the enumerative approach of the KORRECT-
NESS algorithm does not fall prey to the exponential growth in problem complexity, but 
instead, is bounded in its average run-time complexity. 
64 
Chapter 4 
The Resource-Sharing Problem 
Chapter Overview 
This chapter outlines a collection of novel techniques that exploit the control flow model to 
gain insight into the structure and behavior of a process. Several simple rules are derived 
to help the designer compute minimal resource requirements to maximize parallelism 
within the process, and also to identify design errors that could lead to deadlocks either 
within a single-instance, or across multiple-instances of a process. 
4.1 Introduction & Background 
The basics of the resource-sharing problem were introduced in Section 1.4.1- the resource 
requirements for a business process may be specified as follows: 
• R = {R1 , R2 , ... , Rr} is the set of all resources. VR ER, Rf = number of units 
available for resource R. 
• \:/Ri E R, Rfap : T ---+ N = {O, 1, ... } is a functional that specifies the number of 
units of resource R captured by each task, where T is the set of all tasks. 
• V Ri E R, Rfel : T ---+ N is a functional that specifies the number of units of resource 
R released by each task. 
65 
The verification requirements of correct resource-sharing are: 
Single-Instance Verification is to determine if the sharing of common resources among 
tasks within an instance of a process could lead to deadlock. 
Multiple-Instance Verification is to determine if the sharing of common resources 
among various instances of the process could lead to deadlock. 
The principal challenge associated with both problems above is to identify potential 
circular-wait (CW) conditions that could arise in the process - these are determined 
primarily by the logic of the process, i.e., the control flow model. It is assumed that the 
control flow model is correct; consequently, the focus of this chapter is to further study 
the control flow model, coupled with the additional information contained in Rf ap, Rfel, 
etc., to identify potential deadlock situations, as were illustrated in Table 1.3. 
4.2 The Control Flow Model Revisited 
The control flow model was formalized in Chapter 3 - to summarize, it is a directed 
graph representation of tasks and logical operands (AND, XOR), which taken together, 
represent the logic and ordering of the process. The main sets of notation that would 
be required are V, T, P, and M, representing respectively, the sets of vertices, tasks, 
the S - F paths, and the set of all valid meta-paths identified by the KORRECTNESS 
algorithm. Additionally, Vm E M, V(m) ~ V is the set of vertices covered by all the 
paths included in the meta-path m - the reader is referred to Section 3.1 for notation 
not covered here. 
Consider the control flow model of Figure 3.1, repeated in Figure 4.1. Observe that 
the control flow model lends itself naturally to being partitioned into sets of concurrent 
elements ( tasks and logical operands), as illustrated in Figure 4.1. 
66 
Concurrent Set Con0 
Con, Con2 Con3 Con4 Con7 
Figure 4.1: Partitioning the Control Flow Model - An Example 
Figure 4.1 highlights many interesting ideas - the control flow model has been partitioned 
into seven disjoint sets of concurrent elements. The concurrent sets are interpreted thus: 
Can2 = {T1, A2 } implies that both T1 and A2 can be activated simultaneously within a 
single instance of the process. Additionally, the index 2 in Can2 suggests the order in 
which its elements are arrived at , beginning at Can0 = {S}. The reader would no doubt 
wonder, among other questions, why partition the control flow model? 
The objective of partitioning the control flow model into sets of concurrent tasks is to 
explicitly order the tasks, namely, by assigning a functional value f : T - N such that 
for any two tasks ti, tj , f(ti) < (= ) f(tj) implies that task ti precedes (is concurrently 
enabled with) task tj in the execution of a process. Such an ordering would aid in 
immediate investigation of potential circular-wait conditions t hat could arise between 
tasks t hat have t he same f ( ·) value - this is elaborated in Section 4.3. Once the set 
Con = {Gani} of concurrent elements have been identified, assigning the functional f(·) 
is trivial, namely, Vt E Ganin T , f (t) = i . 
67 
The partitioning of the control flow model into the concurrent sets { Conj is based on a 
very simple idea, namely, for an element x to belong to Gani, all of its incoming elements, 
i.e., N-(x) must belong in LJk<i Conk. This is formalized in Algorithm 4. 
Algorithm 4: The Partition Algorithm 
Input: The control-flow model G = (V, E) 
Output: The set {Gani} of all concurrent elements, the function f: T-+ N 
PARTITION(G) 
(1) # Partition the control flow model into concurrent sets 
(2) Con0 f- {S} # Initialize the algorithm 
(3) if- 1; Temp f- 0 
(4) # Repeat until the Finish node is reached 
(5) while Con;_1 -=/= { F} 
(6) Con; f- 0 # Initialize the current set 
(7) # Create a set Temp of all elements covered thus far 
(8) Temp f- Temp U Con;-1 
(9) # For each element x in the last concurrent set 
(10) foreach x E Con;-1 
(11) # For each new vertex y leading out from x 
(12) foreach y E N+(x) \ Temp 
(13) # If all of y's input vertices are present in Temp, include in Con; 
(14) if N-(y) ~ Temp 
(15) Con; f- Con; U {y} 
(16) # Assign the functional f : T-+ N 
(17) foreach t E Con; n T 
(18) J(t) f- i 
( 19) i f- i + 1 # Increment the set index 
The PARTITION procedure (Algorithm 4) is quite self-explanatory. Lines 2 and 3 initialize 
the algorithm by setting Con0 = {S}. The loop in line 5 repeats until the Finish node is 
reached, and begins by creating a new empty set, i.e., Gani= 0 (line 7). Line 8 appends 
the previously discovered concurrent set, Coni-l, to the set Temp of all elements covered 
thus far. Subsequently, for each vertex x in the most recent concurrent set Coni-l (loop 
in line 10), it remains to check that, for each new (i.e., not included in other concurrent 
sets) output vertex y of x (loop in line 12), that all of y's input vertices are present in one 
of the previously discovered concurrent sets (line 14), for it to merit inclusion in Gani 
(line 15). Lines 17 and 18 assign the functional f : T -, N by assigning the index i to 
all tasks in Gani, i.e., Vt E Ganin T, f(t) = i. 
68 
The run-time complexity of the PARTITION procedure is O(IV/ 2 ) - lines 5 and 10 are 
executed at most /V/ times, and line 12 is executed at most max{.6.As, .6x5 } times. The 
partitioning of the control flow model was inspired by a similar concept presented in [89]. 
The { Gani} partitions need to be understood as purely mathematical conveniences ob-
tained from the control flow graph G, minus the actual interpretation of the elements 
contained within. To see why, consider the set of concurrent elements in Figure 4.1; 
Gon4 = {n, T4} is especially interesting, since it implies that both T3 and T4 can be 
enabled simultaneously, which is impossible since they are activated by a common XOR-
Split, X 1 ; this would also be clarified by examining the set of valid meta-paths M -
observe that both T3 and T4 do not occur together in any of the valid meta-paths, 
i.e., ~m E M 3 {T3 , T4 } ~ V(m). This is clarified thus: for each valid meta-path 
m E M, define Gonr = Gani n V(m) to be the concurrent set relevant to m, and 
ConlV(m) = {Gonr} to be the set of concurrent sets with vertices restricted to V(m). 
However, note that tasks that have the same J(-) values and occur in the same valid 
meta-path may not be truly concurrent - they may need to be executed in some partial 
sequence, as constrained by the availability of resources. To illustrate, suppose R! = 1, 
f(~) = f(Tj), and both require resource Ra; clearly, both ~ and Tj cannot occur 
concurrently ( assuming that they are present in the same valid meta-path) - one must 
precede the other. But, for each valid meta-path m, { Gonr} reveals the sets of truly 
concurrent elements that the process designer envisioned for the process; consequently, 
for the benefits of concurrency to be fully realized, it only remains to ensure that for 
each valid meta-path m, the number of available resources is adequate to ensure full 
parallelism for all tasks in any concurrent set Gonr. This, and other considerations, are 
more thoroughly explored in the sections that follow. 
69 
4.3 The Resource-Sharing Problem: Some Ideas 
The design of a business process minimally requires the specification of the process's 
logic, and the specifics of resource requirements by the constituent tasks. Additional 
details like input-output requirements, infrastructure support, activity durations, etc., 
while necessary for completing the process's description, are not essential to verifying 
the correctness of a process's design. As illustrated in Table 1.3, the design problems 
that may arise from resource-allocation can be categorized into one of: 
Conservation of Resources To check that the number of times a resource is captured 
is equal to the number of times it is released. This is enforced by verifying that 
VRi ER, Vm EM 
tEV(m)nT tEV(m)nT 
This rule essentially checks to see that in each valid meta-path, the number of times 
each resource is captured is equal to the number of times it is released, i.e., a simple 
check for conservation of resources. 
Release-before-Capture Improperly specified process definitions wherein resource units 
are released before they are captured. This is enforced by verifying that 
Rfap(ta) + L [Rfap(t) - R~1(t)] ~ Rfel(ta) 
\ltEV(m)nT:/(t)</(t,.) 
This rule essentially checks to see that in each valid meta-path, the number of units 
of a particular resource that are being "held" by the process is greater than or equal 
to the number of units that are being released by a particular task. 
Inadequate Capacity The specified resource capacity {Rf} is inadequate for satisfying 
the resource requirements of a single instance of the process. 
70 
Circular-Wait The most important and the least evident problem of all, wherein two or 
more tasks capture a set of resources and end up waiting indefinitely for resources 
held by one another. 
In the context of resource-allocation, there are two main problems that the process de-
signer needs to be alerted to, namely, the obvious and the not-so-obvious. The obvious 
design errors include "conservation of resources" and "release-before-capture," both of 
which have been addressed above. The not-so-obvious problems include "inadequate ca-
pacity" and "circular-wait." Clearly, the circular-waits are the most severe design errors 
that could escape the attention of a process designer - the intuition derived from the par-
titions { Gani} will be used extensively in identifying potential circular-waits, especially 
across multiple instances of the process. 
4.4 Single-Instance Verification 
With regard to the execution of a single instance of a process, the circular-waits (CWs) 
are further classified into two categories, namely (i) CWs within a concurrent set, and (ii) 
CWs across concurrent sets. Both (i) and (ii) are illustrated, based on examples drawn 
from Table 1.3, in Figure 4.2 - the reader is referred to Table 1.3 for a detailed discussion 
on both examples. 
Identifying CWs within a concurrent set is relatively straightforward, and is discussed 
in Section 4.4.1. Circular-Waits across concurrent sets are also (easily?) identified by 
creating an equivalent Petri net representation of the control flow model, and exploring 
its reachability tree to verify that it is deadlock free, and is discussed in Section 4.4.2. 
71 




(b) CW across concurrent sets 
Figure 4.2: Two different classes of Circular-Wait (CW) problems 
4.4.1 Identifying Circular-Waits Within Concurrent Sets 
It would be useful to begin by summarizing the main question that is being addressed in 
this section - are there any potential circular-waits among a set of concurrent activities? 
Consider any concurrent set Con7I', for some valid meta-path m - if ICon7I' n Tl ::; 1, 
there is no concern about circular-waits within Con7I'. It is only in the case when there 
are two/more concurrent tasks that it remains to verify that circular-wait conditions are 
not existent. A few additional definitions that would be required before continuing the 
discussion are: 
• Vt ET, tCap ={~E R I R fap(t) =/=- O} is the set of resources captured by task t. 
• Vt E T , tRel = { ~ E RI Rfel ( t) =/=- 0} is the set of resources released by task t. 
The general rules presented next will be useful in detecting potential circular-waits within 
a concurrent set. The special case of when resource capture/release by a task is limited 
to one unit each is presented first , and is subsequently generalized to allow for multiple 
units of resource capture/release by a task. 
72 
Special Case: R[°ap,Rel}: T-+ {O, 1} and Rf:::; 1. In the special case when the re-
lease/capture of resources by a task is limited to one unit each, and unit resource 
availabilities, the following situation would lead to a circular-wait. If there is a 
meta-path with two concurrent tasks, say ti and tj, each requiring two or more 
common resources, then a deadlock would arise if both ti and tj capture some re-
sources and end up waiting for one another to relinquish their captured resources 
(refer example 1 in Table 1.3). 
More formally, 't/m E M, 't/Con": E Con1v(m) 3 JCon": n Tl > 1 
General Case: R[°ap, Rel} : T -+ N and Rf :2: O. In the general case when multiple units 
of a resource may be released/captured by a task, a circular-wait will occur if the 
combined request for any two common resources Rp and Rq by two concurrently 
enabled tasks exceeds the resource capacities Rf and Rf. 
Figure 4.3 illustrates an example, with Rf = Rf = 2. A circular-wait will occur 
if both T1 and T2 capture one unit each of R1 and R2 - more specifically, the 
combined request for both R1 and R2 by the two concurrently enabled tasks T1 and 
T2 is equal to three, and exceeds the resource capacity of two. 
More formally, 't/m EM, 't/Con": E ConlV(m) 3 JCon": n Tl> 1 
:3Rp, Rq ER, ti, tj E Conf n T 3 [{Rp, Rq} ~ tfap] A [{(Rp, Rq} ~ tfap]A 
[tfap(Rp) + tfap(Rp) :2: Rf] A [tfap(Rq) + tfap(Rq)J :2: Rf]=} Circular - Wait 
The rules presented above are just elementary count-based checks for identifying potential 
circular-waits within a concurrent set. Moreover, as will become evident in Section 4.5.2, 
these checks become redundant with the calculation of minimal resource requirements 
that guarantee the successful deadlock-free execution of a process, which, by definition, 
renders void the existence of any circular-wait conditions. 
73 
Figure 4.3: Circular-Wait Within A Concurrent Set - Another Example 
4.4.2 Identifying Circular-Waits Across Concurrent Sets 
The main question addressed in this section is - is it possible to detect potential circular-
waits that may occur among activities that are not necessarily simultaneously enabled? 
This question is readily answered by creating a Petri net representation of each valid 
meta-path of the control flow model, including the resource requirements, and studying 
its reachability tree to identify potential deadlock possibilities. Table 4.1 illustrates the 
Petri net mappings used to translate basic control flow elements into net constructions. 
It is assumed that the reader is familiar with the basics of Petri nets - a brief primer is 
presented in Appendix A. 
The equivalent Petri net construction for the example in Figure 4.2(b) is presented in 
Figure 4.4 - note that there is only one valid meta-path for this process. The tokens 
in the net are interpreted thus - (i) a single token in the place "Start" corresponds to 
the execution of a single instance, and (ii) the tokens in the places corresponding to the 
resources signify the number of units of the resource that are available, i.e., Rf. 
74 
Table 4.1: Petri Net Mappings of Basic Routing Constructs 
Logical Operand 
AND-Split: A point 
within the process model 
where a single thread of 
control splits into two or 
more threads to be exe-
cuted simultaneously. 
AND-Join: A point 
within the process model 
where two or more dif-
ferent threads of control 
merge asynchronously. 
XOR-Split: A point 
within the process model 
where the thread of control 
selectively chooses one of 
several possible paths. 
XOR-Join: A point 
within the process model 
where the thread of con-
trol from one of several 
different paths converges. 
Iteration/Feedback 
Routing: A section 
within the process model 
that may require the 
repetitive execution of one 
or more activities until 



















Control Flow Model 
Finish 
Resource R2 
Figure 4.4: Petri Net Representation of the Process Model - An Example 
Consider the Petri net illustrated in Figure 4.4 - clearly, the transition sequence As1 , T1 , n 
leads to deadlock, and will be immediately evident upon studying the net's reachability 
tree. This approach can be applied to verifying the correctness of resource-sharing for any 
process - a total of IMI (the number of valid meta-paths) different Petri nets will need to 
be constructed and their reachability trees examined to confirm the presence/absence of 
deadlocks. Should deadlocks occur, the transition sequence that led to the same can be 
studied to identify and isolate the reasons for deadlock. Additionally, the Petri nets thus 
constructed will all be k-bounded , where k = maxi(Rf), i.e., the maximum number of 
tokens in the net corresponds to the resource with the highest Rf . However, generating 
the reachability tree is computationally expensive [68 , 26] - is it really necessary to gen-
erate the complete reachability tree to even establish that the process's design is correct? 
More specifically, is there a simpler way to just check the process's design and to answer 
"YES - the resource-sharing in this process is OK, and will not lead to deadlock," thereby 
avoiding the expense of detailed reachability enumeration? That this is so is the impetus 
for the approaches derived next. 
76 
4.5 The Static-Design Net Representation 
The purpose of this section is to develop an approach that will identify if the process's 
resource-sharing requirements will or will not lead to deadlock - should the answer be in 
the negative, the analysis can be continued with a detailed reachability enumeration of 
the Petri net construction as presented in Section 4.4.2. It would be useful to begin by 
summarizing what has been achieved thus far, namely: 
1. Given a correct control flow model, partition it into sets of concurrent elements 
Con= {Goni}, and consequently order the tasks with the functional f: T - N. 
2. Confirm that there are no potential circular-waits within each concurrent set in 
ConlV(m), for all valid meta-paths m E M. 
Thus far, the control flow model and the resource-allocation requirements have been 
considered in separate formalisms; Section 4.5.1 presents a Petri-net construction that 
captures both the ordering suggested by the control flow model and the details of resource 
allocations. 
4.5.1 The Static-Design Net 
Consider the following Petri net construction for some valid meta-path m of the process. 
The concurrent sets {Oonr} are represented as transitions, and the resources {.RJ are 
represented as places; the places and transitions are connected by weighted arcs, the 
weights indicating the effective number of units of a particular resource that are captured 
( or released) by the tasks in the concurrent set, according to as whether the arc is directed 
from a place to a transition, or vice-versa. Figure 4.5 illustrates this Petri net construction 
for the example in Figure 4.2(b) - note that Rf = Rf = 1 and since there is only one 
valid meta-path in the process, the superscript mis omitted from oonr. 
77 
I Con0= {S} 
I Con1= {A.1} 
I Cons= {Ai2} 
I Con6 = {F} 
Figure 4.5: The Static-Design Net Representation - An Example 
This Petri-net mapping shall be referred to as the Static-Design Net, named in part, to 
reinforce the suggestion that the structure of the net will be used to gain insights about 
the correctness of the process's design with regard to resource-sharing requirements. 
More formally, for each valid meta-path m E M, its Static-Design net representation is 
a 4-tuple SDTJJet = (R, ConlV(m), :F;;,,, :F;f;,), where R, the set of resources, corresponds 
to the set of places, and ConlV(m) = {Gonf}, the set of concurrent sets with vertices 
restricted to V(m), corresponds to the set of transitions. The functionals :F;;,, : {R x 
Con1v(m)} - N and :F;f;, : {Con1v(m) x R} - N specify the weighted arcs connecting 
places to transitions, and vice-versa. The initial marking of the net is Mo= [Rf], namely, 
the capacities of the various resources. The structure of the net SDTJJet is captured with 
the incidence matrix C,:n = [Cijl, where 
l!ij = L Rfap(t) - Rtre1(t) 
VtECon7J'nT 
78 
The Static-Design net of Figure 4.5, and in particular, the example in Figure 4.2(b), 
reveal several points of interest, namely: 
1. Unlike the regular Pi, ti naming convention for places and transitions, the places 
and transitions in the static-design net have been named by their actual definitions, 
namely resources (~) - places, and concurrent sets (Canr) - transitions. This 
is to avoid any conflict with the definition of a task Ti, and to aid concept clarity. 
2. The interpretation of the Static-Design net is as follows: 
• An arc is drawn from a place, Ri (respectively, transition Can7F) to a tran-
sition Conj (respectively, place Ri) if there is a task in Can7F that captures 
(respectively, releases) resource ~-
• The weight on the arc, and in turn; its direction, is determined by the number 
of capture and release requests within the concurrent set. To illustrate, observe 
that both tasks T2 and T3 capture a unit of resource R2 , and so, an arc with 
weight 2 is drawn from place R 2 to transition Can2 . 
• The number of tokens in place ~ signifies the number of units Rf available 
for that resource. 
3. There is only valid meta-path in the example of Figure 4.2(b), and the sequence 
through which the process progresses is strictly Can0 - Can1 - Can2 • • • - Can5 • 
Thus, the concurrent sets also aid in capturing the process ordering imposed by the 
control flow model. 
In continuation of point (3) above, note that, although Con0 is, by definition, per-
manently enabled, and can fire indefinitely, such firing sequences will not be stud-
ied - in fact, the control flow model specifies the transition firing sequence, namely, 
Can0 - Can1 - Can2 • • • - Can5 , i.e., the increasing order of { Gani} suggests the 
sequence through which the process progresses. Observe that this transition sequence is 
not possible in the static-design net shown in Figure 4.5-why so? At the very least, Can2 
cannot be enabled given that there is only one unit of R2 - this hints at problems either 
in inadequate resource capacity or potential circular-waits. The intuition just described 
is formalized in the following theorem. 
79 
Theorem 4.1 Suppose it is given that, for each valid meta-path m in a process, there 
are no circular-waits within any concurrent set in Coniv(m). If the transition sequence 
C on0 = { S}, C onf, ... , Con"; = { F} is enabled1 for the static-design net of all valid 
meta-paths m, then there exist no deadlocks within a single instance of the process. 
Proof Consider any valid meta-path m of the process. Since resources cannot be re-
leased before they are captured Conf is automatically enabled, as Con0 = {S} does not 
capture/release any resource. Consequently, the fact that Con'f, i > 1 is enabled, and 
requires, say, resource Ra, implies that there is either another transition Conr;, 1 ::; j < i 
that releases the required number of units of resource Ra, or there are adequate number 
of units of Ra available to meet the needs of Con'f. Since this holds for all Con'f, it fol-
lows that there cannot be any problems in resource-sharing across concurrent sets in that 
valid meta-path. Moreover, it is given that there are no circular-waits within any Con'f 
for all valid meta-paths m. Therefore, the transition sequence Con0, Conf, ... , Con"; 
does indeed correspond to the deadlock-free execution of a single instance of the process 
for any valid meta-path m, thereby completing the proof. • 
Note, however, that the failure of the conditions of the proof, for some valid meta-path 
m of a process, does not imply that the process cannot execute correctly. To see why, 
consider the process represented in Figure 4.4 - while the transition sequence aincarrect = 
As1 , T1 , T3 leads to deadlock, the reader may argue that the process could still execute 
correctly with the transition sequence acorrect = A81 , T1 , T2 , Aj1 , T5 , T3 , T4 , Ai2 • Thus, 
Theorem 4.1 establishes only a sufficiency condition - it is not a necessary condition 
for deadlock freedom. To illustrate - the process in Figure 4.6 fails the conditions for 
Theorem 4.1, but is nevertheless deadlock-free. 
1 Refer Definition A.4. 
80 
Con2 Con, Con4 
R1 R2 
Figure 4.6: Another Example of a Deadlock-Free Process Model 
Before continuing with the discussion, it would be worthwhile to pause and reconsider 
a statement presented in the paragraph above. It is true that, for the process in Figure 
4.4, the transition sequence O'correct satisfies the requirements of the correct execution of 
the process. However, observe that O'correct breaks the process into two sequential threads 
As1 , T1 , T2 , A11 , n and T3 , T4 , A12 - is this what the process designer envisioned? where 
is the parallelism? if such an execution was acceptable, then why design the process such 
that task T3 is concurrent with tasks T1 and T2? (refer Figure 4.2(b) .) 
In summary, what is the contribution of Theorem 4.1? Should the conditions of Theorem 
4.1 be satisfied, i.e., the ordered transition sequence Con0 = {S}, Conf, . . . , Con;i = 
{ F} is enabled for every valid meta-path m of a process, then, it confirms that a single-
instance of the process is deadlock-free without requiring any additional analysis. How-
ever, the failure of the conditions for Theorem 4.1 indicates an immediate problem with 
inadequate resource capacity - ideally, the designer envisioned the tasks in each concur-
rent set Conr_:', for each valid meta-path m, to be truly concurrent. The parallelism 
dictated by the design would have been possible had there been adequate number of 
resource units to meet the resource requirements of each task in Conr_:', in which case 
Theorem 4.1 would not have failed; that it failed is the answer to begin answering the 
question of minimal resource requirements for the process. 
81 
4.5.2 Computing Minimum Resource Requirements 
The failure of Theorem 4.1 offers an immediate opportunity to compute the minimal 
resource requirements that will guarantee the successful execution of an instance of the 
process that also assures the parallelism envisioned by the process's designer. More 
specifically, for each valid meta-path m, it remains to compute the minimum resource 
requirement (i.e., the initial marking for the net SD"!Jet) that will guarantee that the 
transition sequence Con0 = {S}, Con1 , ••• ,Con";' = {F} (call it crm) will be enabled. 
Note that upon execution of crm, the net will return to its initial marking (by conserva-
tion of resources). Consequently, the minimum resource requirements for the process is 
computed as Rf= M0(i), where, Vm EM, M; ~ M; holds, i.e., M0(i) is the minimum 
number of units required for resource ~ that will guarantee that the conditions of The-
orem 4.1 hold true for all valid meta-paths min the process. 
To illustrate - suppose there are two valid meta-paths m1 and m2 in a process, and that 
two resources R1 and R2 are being used by the process. Suppose the smallest initial 
marking that will satisfy the requirements of Theorem 4.1 for both meta-paths is [1, 3] 
and [2, 1], respectively. Taken together, the minimum resource requirements that ensure 
that Theorem 4.1 holds for both meta-paths is [2, 3], i.e., Rf= 2, and Rf= 3. 
It is quite easy to compute M*. Suppose that R = { R1, R2 , ••• , R,.} is the set of r 
resources. Consider some valid meta-path m with q+ 1 concurrent sets, namely, { Con0 = 
{S}, Con1 , ... , Con";' = {F} }. Let M[f" be the smallest initial marking for SD"!Jet that 
guarantees that M[f" ~ M[f" holds, where the superscript m indicates that the marking 
corresponds to valid meta-path m. M[f" is computed thus: 
Vi=l,2, ... ,r 
q 




The mechanics of equation 4.1 is quite simple. It essentially keeps track of how many 
new tokens are required in place Ri, in addition to those returned by ConT-- 1 , to enable 
each Con1. Once M0 has been computed, it follows that the minimal requirements for 
resource ~ is 
M;(i) = max Mf;(i) Vi= 1, 2, ... , r 
m 
Interestingly, note that M0 also eliminates the possibility for circular-waits within a con-
current set, since the resource requirements for all competing concurrent tasks will be 
satisfied by M0, thus rendering redundant the count-based checks presented in Section 
4.4.1. 
Thus, the computations above derive the minimum number of units required for each 
resource ~ to ensure that the conditions of Theorem 4.1 hold - this will ensure the 
successful deadlock-free execution of a single instance of the process, with the maximum 
degree of parallelism as desired by the process's designer. 
4.5.3 Summary 
Recall that design errors in resource-sharing are not restricted to single instances ( refer 
example 4 in Table 1.3). Clearly, the basic Petri net approach suggested in Section 
4.4.2 can be extended to study multiple-instance verification, simply by increasing the 
number of tokens in the place corresponding to Start and exploring the reachability tree 
to detect deadlock occurrences. However, can the static-design net be used to derive a 
quicker answer to help detect the possibility for potential deadlock, without recourse to 
exhaustive enumeration via reachability analysis? 
83 
4.6 Multiple-Instance Verification 
The purpose of this section is to develop an approach that will identify if the sharing 
of resources across multiple instances of the process will or will not lead to deadlock -
the approach will rely on the static-design net representation of the process, and on the 
notion of transition invariants for a Petri net ( refer Section A.4). 
Observe that the static-design net will be a collection of isolated vertices and several 
disjoint, connected components.2 There is no sharing of resources across disjoint com-
ponents (else, they would not be disconnected), and isolated transitions (i.e., concurrent 
sets) do not capture/release any resources, and hence, are inconsequential. Isolated 
places correspond to resources that are not being accessed in the valid meta-path that 
the static-design net represents. Consequently, it is within a connected component of the 
static-design net, that deadlock possibilities, if any, wait to be unearthed. 
Figure 4. 7(b) illustrates the static-design representation for example 4 from Table 1.3, 
also repeated in Figure 4.7(a). Note that the process is completely sequential, with no 
choice or concurrency; therefore, it readily follows that a single-instance of the process is 
deadlock free, since the size of each concurrent set is only one. 
The weights on the arcs of the static-design net in Figure 4. 7(b) have been omitted since 
they are all equal to one - this net consists of one connected component ( consisting of R1 , 
R2 , Con1 , Con2 , Con4, and Cons), and other isolated vertices. The connected component 
has two transition invariants, namely, Tinv1 = [Con1 , Cons] and Tinv2 = [Con2 , Con4]. 
Does this suggest something? Yes, it does - it suggests that there is a potential problem 
of circular-wait across two instances with one executing Tinv1 and the other executing 
2 A connected component is a subset of a graph which is disjoint from the remainder of the graph, and 
within which, every pair of vertices is connected by an undirected path. A strongly connected component 
is a connected component, within which, every pair of vertices is connected by a directed path. 
84 
(a) Incorrect Process Design 
I Con0= {S} 
r-------- Con1= {T 1} 
Con2= {T2} 
Con5 = {T J 
I Con6 = {F} 
(b) Static-Design Net 
Figure 4.7: Example of a Process with Problems of Deadlock across Multiple Instances 
Tinv2 , with the latter being denied access to R1 being held by the former - this is 
possible since R1 is released by Con2 enabling another instance to commence execution. 
More specifically, the connected component in Figure 4. 7(b) runs the risk of deadlock 
because the resources required by it are not guaranteed to he exclusively available for 
its execution without the possibility of being captured by other previous/later instances. 
The intuition underlying this argument is very simple, namely - disjoint components of 
the static-design net do not have any problems of resource-sharing either within a single-
or multiple-instances of the process; consequently, within a connected component, the 
only way to ensure that it will not get deadlocked is to ensure complete access to all of its 
required resources before another instance may begin. In short, the transition invariant 
of a connected component of the static-design net must consist of all the transitions in 
that component - this is formalized in Theorem 4.2. 
85 
Theorem 4.2 Suppose it is given that there are no deadlocks within a single-instance 
of the process. Then) there exist no deadlocks arising from resource-sharing across mul-
tiple instances of the process executing the same valid meta-path, only if the transition 
invariant for each connected component of the process's static-design net consists of all 
transitions in that component. 
Proof The proof follows immediately from the argument above, and from the definition 
of a transition invariant. • 
The uniqueness of Theorem 4.2 is that it relies only on the structure of the static-design 
net, and not on its initial marking [Rf], or the number of instances that are active -
it is thus a simple approach to identify problems across multiple instances without the 
simulated execution of multiple concurrent instances. 
Note that Theorem 4.2 also establishes only a sufficiency condition, i.e., it is sufficient to 
show that the transition invariant for each connected component consists of all transitions 
in that component to confirm that there are no deadlocks when multiple instances of the 
same valid meta-path are active. To show that it is also a necessary condition would be 
a tremendous achievement, since computing transition-invariants is a polynomial-time 
operation [64, 26], as opposed to the exponential state-space explosion of reachability 
enumeration. 
There is however, one shortcoming of Theorem 4.2 - it cannot identify deadlock possibil-
ities for multiple instances of the process, each executing different valid meta-paths. The 
answer to this question would ultimately require the reachability enumeration approach 
of 4.4.2 with multiple tokens in the place corresponding to Start. More specifically, The-
orem 4.2 captures the border between that which can be answered in polynomial time, 
and that which requires exhaustive enumeration. 
86 
4.7 Summary 
The ideas presented in this chapter form the foundations of the first-ever attempts to 
study the business process's design in its entirety, including both the process's logic, 
and its resource requirements - not with simulated executions, but with very elemen-
tary graph-theoretic ideas. The most notable achievement is that the simplicity of the 
approaches presented herein is complemented only by the sheer magnitude and value 
of the questions addressed and answered. More specifically, the purpose of this chapter 
has been to study the process's design as the designer envisioned it, and to study its 
resource allocations with the intent of (i) computing the minimal resource requirements 
that guarantee the successful execution of the process and exploit the parallelism allowed 
in its design, and (ii) alerting the designer about potential deadlock possibilities that 
may &rise either within a single-, or across multiple-instances of the process. 
An alternate Petri net representation of the process that captures the ordering sug-
gested by the control flow model with the specifics of resource requirements, the STATIC-
DESIGN NET, has been developed, and sufficiency conditions have been derived to estab-
lish deadlock-freedom both within a single- and across multiple-instances of the process. 
A simple approach to compute the minimum resource requirements that guarantee the 
successful deadlock-free execution of the process has also been developed. 
The correctness issues studied thus far have focused primarily on design errors arising 
either from incorrect control flow or improper resource-sharing. What about the inputs 
and outputs for each task? Are there any correctness issues that remain to be investigated 
in the input-output specification for the tasks in a process? Metagraphs [9, 10, 11] have 
been used to study connectivity issues in the input-output specification of a process. 
Additionally, an immediate extension of the ideas presented in this chapter would be 
87 
to use the concurrent set partitions, { Gani}, of the control flow model to study the 
correctness of a process's input-output specifications. This would r~quire a formalism 
identical to R(ap, and Rfel, focusing, in turn, on the inputs and outputs of each task, 
and addressing questions similar to those presented in Section 4.3 - these ideas are 
reserved for future work. 
88 
Chapter 5 
Modeling and Analysis of Business 
Process Models 
Chapter Overview 
This chapter outlines the features of a proof-of-concept implementation of the algorithms 
developed in this work. 
5.1 MAPS: Proof-Of-Concept Implementation 
A computerized environment titled MAPS - Modeling and Analysis of business Process. 
modelS has been developed to support the techniques developed in this dissertation. 
MAPS has been written in PYTHON, an open-source programming language, and its 
graphical interface coded in Tkinter - it retains the native look and feel of a Windows 
application, and supports a good graphical editor for the development of process models. 
MAPS includes the KORRECTNESS algorithm (Chapter 3) for control flow verification, 
and also provides diagnostic feedback about control flow errors, if any. 
89 
The choice of PYTHON as the development language was motivated by two reasons: 
1. MAPS is intended to grow as a research test-bed for new ideas and algorithms 
in business process modeling, and it was essential that the underlying code and 
program design remain simple, without being excessively clouded with the details 
of syntax and software-specific overheads.1 
2. The complexity of the algorithms notwithstanding, Python provided for nearly-
identical translations of mathematical intuition ( especially, set-theoretic formula-
tions) into program syntax, making it ideal as a tool-of-choice that would attract 
and offer incentives for other researchers to continue experimenting with, and de-
veloping MAPS. 
This chapter is intended to be a walk-through of MAPS's salient features and the signifi-
cance of its contribution as a modeling and design verification tool. The main attributes 
of MAPS are its simple modeling interface, and support for control flow verification. 
5.2 Modeling Interface 
The development of a process's design in MAPS begins with the specification of its 
control flow model, followed by the separate specification of its resource requirements. 
Figure 5.1 presents a screen-shot of MAPS ~ it illustrates the control flow model of the 
counter-example presented by Lin et al. [61] to show that the algorithms of Sadiq [75] 
are incomplete. 
1VC++/MFC and JAVA/JFC-Swing applications, to name a few. 
90 
Figure 5.1: A Sample Screen-shot of MAPS 
The major components of the graphical editor are: 
1. The stencil that the user uses to select the control flow element being drawn. 
The stencil offers simple click-to-select functionality - the user selects (left-click) 
the control flow element that needs to be drawn, and then selects a position in the 
canvas to place them, or, if a control flow arrow is being drawn, the user selects the 
"source" (from) and "destination" (to) of the arrow with consecutive clicks inside 
the face of two elements on the canvas. The model can contain only one "Start" and 
one "Finish" - the corresponding stencil elements get disabled thereafter, unless 
those elements are subsequently deleted from the model. 
91 
2. The canvas on which the model is drawn - the canvas supports intuitive operations 
for both movement and deletion of elements in it. Deletion is enabled only in the 
"cursor ~ mode" via right-click mouse operations on the edges of the elements -
the mouse cursor will change to a hollow circle to indicate that the element can be 
deleted with a right-click. Movement of elements is enabled in the "cursor mode" 
with a left-click hold and release mouse movement, or with a right-click hold and 
release mouse movement in one of the "non-cursor modes" - in both cases, the 
mouse click must be inside the face of the element, which will be signalled by the 
cursor changing to a filled circle with an embedded cross (a ffour) . The "non-cursor 
modes" refer to the selection of either a task/logical-operand/ arrow on the stencil 
- a left-click operation either places a new element (task/logical-operand) on the 
canvas, or is used to consecutively select the source and destination of a control 
flow arrow. 
3. The control flow elements' tablet ( or frame) that provides an easy and accessible 
summary of each control flow element's attributes. 
This frame is organized as follows - a drop-down options box allows the user to 
select the type of the control flow element that they need details for , namely, Start, 
92 
Finish, Task, or a logical operand. Once the selection is made, say, "Task," a list 
of all tasks is generated, ordered by their screen IDs, individual selection of which 
will populate the basic fields beneath to reveal their names, input and output el-
ements, and on-screen graphical coordinates. The screen IDs of the elements are 
prefixed with a [ "S," "F ," "T _," "Xs," Xj ," "As," "Aj"] to indicate that they are 
either a "Start ," "Finish," "Task," "XOR-Split ," "XOR-Join," "AND-Split ," or an 
"AND-Join." All of the basic fields are fixed and cannot be edited, except for the 
names of tasks, which can be changed from the program-generated "Task n" to 
something more meaningful, if needed. 
4. The model monitor that provides continuous feedback to the modeler about their 
actions through short messages. 
The model monitor will be indispensable when dealing with complex models - it 
includes several useful features that will guide the user in the construction of the 
model, and more so, when the user is contemplating the deletion of some elements. 
Unlike commercial grade software with the luxury of undos and such, the user will 
have to rely on the model monitor to inject the requisite caution in dealing with 
mouse-clicks, right or left . 
In addition to the features listed above, help balloons have been programmed to appear 
liberally across all aspects of the application to clarify the purpose of all four components 
above. The models thus created can be saved and retrieved with standard File-> Save 
operations. 
93 
5.3 Analysis and Verification Capabilities of MAPS 
The current version of MAPS includes support for verifying the model syntax, and the 
KORRECTNESS algorithm for control flow verification, both of which are described below. 
5.3.1 Syntax Verification 
The syntax checks enforced in MAPS ensure that the model does not have any abandoned 
elements, that it has a "Start" and a "Finish," and that all other elements have properly 
defined "from" and "to" elements, as illustrated below. 
Iools 
-::!!~- I/,® 
~ ~ ,ii_jiYioiu,1moidi~ih~i lhieiroillow,i njgje"iorisijii::::, ::"""=~ I 
1.You do not have t>Stt>rtnode, II! 2. You do not hDVe" Finish.no.de. ! 3 The following nodes do nol have IOllY mes coming into !hem. 
I T_l. Xst 
:
If ~ The following nodes do not have IOllY arcs coming out of !hem: 
[I\ T_1. ~1 
Additionally, should the user attempt to draw, say, two arcs leading into a task (or 
an AND / XOR-split) , or other such basic modeling errors that violate the definition of 
the elements, the model monitor will alert the modeler to the same, thereby allowing 
for immediate model checks as well - the syntax verification capabilities in MAPS are 
dynamic and work constantly during the development of the model. 
5.3.2 Control Flow Verification 
The verification of control flow correctness follows the KORRECTNESS algorithm, in that 
it proceeds by generating the set of S - F paths, the set of valid meta-paths, and the set 
94 
of invalid meta-paths, if any. Figure 5.2 shows a snap-shot of the application interface 
after the KORRECTNESS algorithm has been applied to the control flow model shown in 
Figure 5.1 - note that the results of the control flow verification procedure will open up 
on a new page titled "Korrectness Results." 
~ 
! Error Commenteiy 
/®\ ® @ 
Figure 5.2: Identifying the Set of Valid Meta-paths 
The interfaces for browsing through the set of paths, valid, and invalid meta-paths are 
all designed to be very simple, and follow a layout identical to the control flow elements' 
frame discussed for the modeling interface. 
95 
Figure 5.3 illustrates a snap-shot of the application interface after the KORRECTNESS 
algorithm has been applied to the incorrect control flow model of Figure 3.8 - it illustrates 
one of several invalid meta-paths in the process. 
Figure 5.3: Identifying the Set of Valid Meta-paths 
Much like the "model monitor" in the modeling interface, the "Error Commentary" 
provides feedback about the source of the control flow error - the meta-path in Figure 
5.3 is invalid because one of the three control flows required at AND-Split As1 is missing. 
This "error commentary" feature of MAPS in unique in providing precise reasons as to 
the failure of a control flow design - what is missing however, is a way to automate the 




This chapter outlined the use of MAPS, a computerized environment that was devel-
oped to support the algorithms developed in this dissertation. MAPS has been designed 
to be easily extendible with new functionalities, either in graphical modeling, or algorith-
mic support. Thus far, MAPS includes only qualitative analysis capabilities; it would 
be a wonderful addition to also incorporate code-support for simulation of a business 
process, and possibly, detailed Petri net modeling and queuing analysis - these are not 
careless dreams or whimsical hopes·. It is the author's earnest hope that the simplicity 
of MAPS's program design will inspire further work in extending it to make it a useful 
tool for classroom instruction, and also as a rewarding intellectual exercise for those who 
choose to relive the joy that was the author's privilege in creating it. 
Currently, MAPS includes an editor for creating, storing, and retrieving control flow mod-
els, and analysis support to establish control flow correctness. The following extensions 
are anticipated for future development of MAPS: 
1. Incorporating functionality for verifying the correctness of resource-sharing and 
computing minimal resource requirements, based on the techniques developed in 
Chapter 4. 
2. Interfaces to (the input and output of) XML descriptions of business process def-
initions, based on pre-specified process templates as specified by [96, 7], would be 
a fantastic addition that would impact both the commerce and the care that the 
BPM software industry extends to design verification. 
97 
Chapter 6 
Summary & Research Contributions 
Chapter Overview 
This chapter summarizes the major contributions of this research, and outlines research 
questions that will expand the reach and value of the design verification techniques 
developed in this work. 
6.1 Summary 
The purpose of this dissertation has been to study the design of a business process, as 
determined by its logic, and to give useful feedback to the designer about the correct-
ness of the design. Stated simply, the. question being addressed is not "how good is this 
process's design," but is more fundamental, namely, "is the design good at all?" The 
former question relates to studying the performance of a business process, with regard to 
its operational efficiency and other metrics summarized through analytical calculations 
or simulated executions of the process - it necessarily assumes an affirmative answer to 
the latter question. That the design of a process may not be good to begin with, ( and if 
not, why so?) is the motivation for this dissertation. 
98 
This dissertation presents a comprehensive foundation for the formalization and verifi-
cation of business process designs. A business process could be one of either a material, 
information, or a people process, or a combination thereof (Table 1.1) - irrespective of 
the type of the business process, the design of a process minimally requires the spec-
ification of the process's logic, and the resource requirements for its constituent tasks. 
Business processes arise in numerous contexts; however, the verification issues are the 
same, namely 
1. FUNCTIONAL ASPECTS - is the logic of the process correct, i.e., does the flow 
of control within the process ensure that the process will execute correctly from 
initiation to completion? 
2. RESOURCE ASPECTS - is the release and capture of shared resources among dif-
ferent tasks, either in the same or in different instances of a process, well-designed 
so as to avoid conflict? 
This dissertation presents a completely context-independent formalism that bridges the 
diversity in process types, with the commonality of the questions and correctness issues 
that arise within - this, above all, is the most significant contribution of this work. Both 
the control fl.ow and resource-sharing problems have been thoroughly studied, to present, 
in effect, a solid foundation for the verification of process designs that will significantly 
change the currently understood interpretation of design verification, which relates pri-
marily to syntactic checks restricted to the graphical modeling formalism. 
Chapter 1 presents a short, but precise, introduction that motivates the relevance of, 
and the challenges associated with, the control fl.ow and the resource-sharing problem. 
Chapter 2 presents a comprehensive overview of the issues and opportunities in business 
process modeling, business process automation, and an accurate review of all relevant 
99 
research - it is important to note that the resource-sharing problem, as studied in this 
dissertation has not been previously addressed anywhere else. Chapter 3 presents the 
KORRECTNESS algorithm, a recursive, backtracking algorithm for verifying the correct-
ness of control fl.ow in any process, without any restrictions on the form/structure of its 
design, and to provide diagnostic feedback about the source of the control fl.ow error (if 
any). Chapter 4 presents a collection of Petri net-theoretic techniques for studying the 
correctness of resource-sharing in a process, and to identify potential design errors that 
could lead to deadlock. Chapter 5 details the success of a proof-of-concept implementa-
tion of the algorithms developed in this work. 
6.2 Research Contributions 
The most significant contribution of this dissertation is a simple formalism for specifying 
both the control fl.ow (Chapter 3) and resource requirements (Chapter 4) of a process, in 
a manner that does not diminish the semantic value of the elements being defined, while 
still retaining sufficient rigor to motivate abstract study of the process's definition. The 
specific contributions of this dissertation are listed below. 
Control Flow A recursive, backtracking algorithm for verifying control fl.ow correct-
ness has been developed. The algorithm does not impose any restrictions on the 
form/structure of the control flow model, and some interesting results on proper-
ties to be expected in random control flow models have been derived. Additionally, 
the results of the algorithms also provide precise diagnostic information about the 
reasons for the control flow error(s), if any. 
Resource-Sharing A simple Petri-net theoretic approach for identifying potential dead-
locks, especially circular-waits, has been developed. The approach is unique in that 
it exploits the control fl.ow model to gain intuitions about the structure and behav-
ior of the process, without ever requiring any simulations. More specifically, simple 
100 
rules have been developed to (i) compute the minimal resource requirements that 
guarantee the successful execution of the process, while fully exploiting the paral-
lelism in the process as envisioned by its designer, and (ii) alert the designer about 
potential deadlock possibilities that may arise either within a single-, or across 
multiple-instances of the process. 
MAPS A computerized environment titled MAPS - Modeling and Analysis of Process 
modelS (implemented in Tcl/Tk and Python) has been developed to support the 
algorithms developed in the dissertation. Ideally, MAPS should grow as a research 
test-bed for new ideas and algorithms in business process modeling. The salient 
features of MAPS are: 
• A good graphical environment for modeling anq specifying business processes. 
• Algorithms for verifying the correctness of control flow and providing diagnos-
tic feedback about the sources of control flow error(s), if any. 
6.3 Future Research Directions 
Automatic design verification capabilities are as yet unavailable in current business pro-
cess modeling softwares. To this end, the ideas developed herein significantly advance 
the power and potential for the development of good processes, the designs of which are 
influenced both by the judgment of the domain expert and by the clarity of analysis. In 
continuance of this work, the following ideas merit inquiry: 
1. Automation of Business Process Redesign Suppose the process's design, i.e., 
control flow and/ or resource requirements, is incorrect; can the redesign of business 
processes, to eliminate design errors, be automated? More specifically, can hu-
man intuition be replaced with algorithmic deduction and correction? Currently, 
101 
diagnostic checking is limited to identification - can it be extended to include elim-
ination? 
2. Automatic Reconfiguration of Business Processes Suppose the process's de-
.sign, i.e., control flow and resource-sharing, is correct; is it possible to suggest 
approaches to reconfigure or "optimize" the process's design, based on the nature 
of the resource-allocation requirements and the precedence-order relationships that 
are imposed by the logic of the process? This would require a more precise under-
standing of the expectations of "optimality" in business process designs - stated 
simply, the domain expert has identified a particular configuration for the process; 
can it be improved? 
3. Standards for Business Process Specification To develop a formalism for mod-
eling and specification of business processes that blends the ease of modeling intu-
ition with the rigor required for design verification. Ideally, a formalism that capital-
izes on the transparency of XML, the ease of graphical modeling, and the support of 
underlying design verification techniques would greatly enhance the value-addition 
of enterprise automation. 
The research proposed in question (3) above has already been initiated, and the Business 
Process Management Initiative1 is spearheading current efforts toward the development 
of BPML, an open-source standard Business Process Modeling Language. There is 
also a competitive, commercial effort that has been initiated by Microsoft, IBM, and 
BEA, called BPEL4WS - readers are referred to [48, 78, 36] for a good overview of the 
issues involved in developing a standard for the design, deployment, execution, control, 
and optimization of business processes. In conjunction with these efforts, it would be 
extremely useful to explore the possibilities for abstracting from the XML description 
of a business process, sufficient detail such as is required for developing an analytical 
1http://www.bpmi.org. 
102 
or a simulation model, to motivate further analysis of the process's configuration and 
performance, independent of the context in which the process may arise - this has been 
partly addressed in IBM's OPS (Operational Specification), an artifact-based approach 
to business process modeling and enterprise integration [16]. 
The questions raised in (1) and (2) are more fundamental and as yet unexplored; to 
allow for a computer to suggest a better process design is very intriguing, and such 
an ability would lend new meaning to "automation" in business process automation -
some preliminary work has been addressed in [38], but, it is still not "automation." 
The extent of the second question's appeal is surpassed only by the vagueness of its 
answer. To answer the same, without requiring context-specific information particular to 
a process's domain, would be the first steps in establishing a "science-base" for business 
process modeling. The bridge between the abstract and the real has thus far been absent 
in business process modeling, so much so, that the question of "deadlock" in business 
processes is met, not with a !, but with a ? - it is hoped that the techniques developed 
in this dissertation would contribute to building such a bridge. 
103 
Appendix A 
Petri Nets: A Primer 
Chapter Overview 
This appendix presents a quick overview of the basics of Petri nets. Readers are referred 
to [6, 70, 68, 25, 26] for a more extended discussion on the theory, applications, and 
analysis of Petri nets. 
A.1 What is a Petri Net? 
A Petri net is an anagraphical (i.e., analytical and graphical) tool that combines the 
appeal of graphical description with the rigor of mathematical formalism, making it the 
preferred tool of choice for modeling discrete event systems. In particular, systems, 
whose description can be specified as a collection of events, and conditions preceding and 
succeeding the execution of those events, are well suited to being modeled and studied 
with Petri nets. Petri nets· are especially well-suited to modeling concurrency, asynchro-
1 
nism, and choice. More formally, a Petri net is a 4-tuple, N = (P, T, 1+ 1-), where 
P = {P1,P2, ... ,Pn} and T = {t1 , t2, ... , tm} are disjoint, finite sets of places and transi-
tions, respectively. Additionally, 1+ : T x P -+ N = {O, 1, ... } and 1- : P x T -+ N are 
104 
the incidence functions from transitions to places, and vice-versa. It is common practice 
to associate places with conditions, and transitions with events in a discrete event system. 
The graphical representation of a Petri net is a directed, bi-partite graph with two sets of 
vertices - places P (represented as circles) and transitions T (represented as lines/bars), 
and weighted arcs drawn from places to transitions, (respectively, transitions to places), 
the weights on the arcs corresponding to the values of J-(Pi, ti) (respectively, J+(ti,Pi)), 
for every pair (pi, ti) of places and transitions - Figure A.1 illustrates an example (arcs 
with unit weights are left unlabeled). 
Figure A.1: An Example of a Petri Net Model 
For each t E T, •t = {p E PI J-(p, t) > O} and t• = {p E PI J+(t,p) > O} represent, 
respectively, the set of input and output places of t. The sets •p and p• are defined 
analogously for each place p. The incidence matrices Ctxm (from transitions to places) 
and c;xm (from places to transitions) are defined as 
105 
The incidence matrix of the net is represented as C = c+ - c-. A marking is a func-
tion M : P ---+ N that assigns a numeric value to each place in the net. Graphically, 
markings are identified by tokens (black dots) residing in the places of the net, and 
capture the state of the net. The Petri net N, together with an initial marking M 0 , 
is adequate to model the evolution of a system starting at state M 0 • The dynamics of 
the net's evolution are controlled by firing transitions, the definitions of all of which are 
presented next. Unless stated otherwise, assume that the initial marking of the net is M0 . 
The initial marking for the Petri net in Figure A.l is M 0 = (1, 0, 1, 0, 1), and its incidence 
matrices are 
0 1 0 1 1 0 0 0 
1 0 0 0 0 1 0 0 
c+= 0 0 0 0 c-= 0 0 1 0 
0 0 1 0 0 0 0 1 
0 1 0 1 0 1 0 1 
A.2 Basic Definitions 
The vector oi will denote the vector whose ith element is 1, and O elsewhere, i.e., oi = 
(0, 0, ... , 0, 1, 0, ... ]. The dimensions of the vector will be obvious from the context in 
which it appears. 
Definition A.1 A transition ti is enabled under some marking Mj if Mj 2::: c-oi, i.e., 
there are enough tokens available in all of ti's input places, i.e., •ti, to meet its "input" 
requirements. 
For the net in Figure A.l, only transitions t 1 and t3 are enabled under Mo= (1, 0, 1, 0, 1]. 
106 
Definition A.2 An transition ti that is enabled under marking Mi can fire, i.e., it 
can move tokens from its input places {•ti) to its output places (ti•). More specifically, 
upon firing an enabled transition ti, the net evolves from marking Mi to marking MH1 
according to the equation 
Mj+l = Mj + c+8i - c-8i = Mj + C8i 
and is usually notated as Mi ~ MH1, signifying that marking Mi+l is immediately 
reachable from Mi. 
Actually, when a transition t fires, it removes f-(p, t) tokens from each input place p E •t, 
and deposits f+(t,p) tokens in each output place p Et•. For the net in Figure A.l, the 
marking reached from firing transition t 1 is [O, 1, 1, 0, 1]. 
The function z : T - N will be used to generalize the definition of 8i presented above, 
and model multiplicities in the number of times each transition fires - it will be referred 
to as the firing-count vector, with [z]i indicating the number of times that transition ti 
is fired. 
Definition A.3 The firing-count vector z is enabled under marking Mi if Mi 2:: c-z. 
The state that the system evolves into, upon firing z, is Mi+l = Mi + C · z - this is also 
referred to as the state equation. 
For the net in Figure A.1, the marking reached upon executing the firing-count vector 
[1, 1, 1, 1] is equal to M 0 , i.e., the tokens arrive in their initial places after executing all 
four transitions. 
Note that the firing count vector does not specify the order in which the transitions are 
fired. Define u = tii, ti2 , tia, ... , tik to be an ordered sequence of transitions, and u( i) to 
be the ith transition in that sequence. 
107 
Definition A.4 A transition sequence a is enabled under marking Mi if, for all i, tran-
sition t = a(i) is enabled under marking Mi+(i-1), where Mi+(i-1) = Mj + C · Lr<i 8a(r)· 
More specifically, the transition sequence a = ti1 , ti2 , ti3 , ••• , tik is enabled under marking 
holds true. This is frequently abbreviated as Mi .:!.+ Mi+k. 
A marking Md is said to be reachable from marking M 0 if there exists a transition 
sequence a such that M 0 .:!.+ Md. The reachability set R(M0) is the set of all mark-
ings that can be reached from M0 . The reachability set for the net in Figure A.1 is 
{[1, 0, 1, 0, 1], [O, 1, 1, 0, 1], [1, 0, 0, 1, 1], [O, 1, 0, 1, 1]}. 
A.3 Additional Concepts 
There are a few additional definitions that merit inclusion for sake of completeness. A 
Petri net is said to be acyclic if it does not contain any cycles, and pure if it does not 
contain any self-loops. A Petri net is said to be free-choice if and only if for every 
two transitions t 1 and t2 , •t1 n •t2 =J. (/J implies that •t1 = •t2 - the reader is referred 
to [25] for an excellent treatise on free-choice Petri nets. Aside from these structural 
characterizations, there are certain behavioral properties that are defined as follows. 
Definition A.5 A Petri net is said to be proper if M 0 E R(M0), i.e., if the initial 
marking is reachable from itself 
Definition A.6 A transition t is said to be live if for each marking M' E R(M0), there 
exists another marking reachable from M' in which t is enabled. 
Murata [68] presents several other characterizations of liveness, based on slight modifica-
tions of the conditions of Definition A.6 above. A Petri net N, together with an initial 
marking M 0 , is said to be live if all of its transitions are live. 
108 
Definition A. 7 A place p is said be k-bounded is there is an integer k such that for all 
ME R(M0 ), M(p) ::; k. 
The Petri net (N) is said to be k-bounded if all of its places are k-bounded. An 1-bounded 
Petri net is called safe. The net in Figure A.1 is proper, live, and safe. 
To summarize, a Petri net captures the structure of a system, and can model its evolution 
through the movement of tokens. Thus, the net N, taken together with an initial marking 
M0 , and the reachability set R(M0), completely describes a system's behavior. Aside from 
the state evolution rules outlined in Definitions A.3 and A.4, the structure of the net, as 
represented by its incidence matrix C, also reveals several clues about the behavior of 
the system, the study of which is known as invariant analysis. 
A.4 .Invariant Analysis 
Recall from Definition A.3 above that the evolution of the system is characterized by the 
state equation Md= M0 + C · z, where Cnxm is the incidence matrix for the net with n 
places and m transitions. 
Definition A.8 An x 1 vector X is a place-invariant if xr · C = 0. 
Suppose X is a place-invariant. Substituting in the state equation, we get xr · Md = 
xr · Mo (since xr · C = 0), whereupon it follows that for all markings M reachable from 
Mo, the weighted sum of tokens, i.e., ~~=l Xi· M(pi), is a constant. Consequently, if 
there exists a place invariant vector all of whose n entries are strictly positive, it follows 
that the net is bounded. 
For the net in Figure A.l, the minimal, linearly independent (i.e., one is not a subset of 
another) place-invariants are {[1, 1, 0, 0, 1], [O, 0, 1, 1, l]}. 
109 
Definition A.9 A m x 1 vector Y is a transition-invariant if C · Y == 0. 
Suppose Y is a place-invariant, all of whose entries are positive. The firirig vector corre-
sponding to such a vector returns the net back to its initial marking, i.e., M0+C·Y = M0 . 
Consequently, if there exists a transition-invariant with some positive elements and some 
zeros, then, it indicates that the net can be returned to its initial marking by firing only 
a subset of the transitions. 
For the net in Figure A.1, the minimal, linearly independent (i.e., one is not a subset of 
another) transition-invariants are {[1, 1, 0, O], [O, 0, 1, 1]}. 
The definitions presented in this section are by no means exhaustive - the reader is 
referred to [26] for a well-written and comprehensive introduction to the theory and 
applications of Petri nets. 
110 
Bibliography 
[1] Aalst, W.M.P. "The Application of Petri Nets to Workflow Management". The 
Journal of Circuits, Systems, and Computers, 8(1):21-66, 1998. 
[2] Aalst, W.M.P. "Formalization and Verification of Event-Driven Process Chains". 
Information and Software Technology, 41(10):639-650, 1999. 
[3] Aalst, W.M.P. "Workflow Verification: Finding Control-Flow Errors Using Petri-Net 
Based Techniques". In Aalst, W.M.P., Desel, J., and Oberweis, A., editors, Business 
Process Management - Models, Techniques, and Empirical Studies, volume 1806 of 
Lecture Notes in Computer Science, pages 161-183. Springer-Verlag, 2000. 
[4] Aalst, W.M.P., Desel, J., and Oberweis, A.(Eds.). Business Process Management -
Models, Techniques, and Empirical Studies, volume 1806 of Lecture Notes in Com-
puter Science. Springer-Verlag, 2000. 
[5] Aalst, W.M.P and Hee, K. Workfiow Management: Models, Methods, and Systems. 
MIT Press, Cambridge, MA, 2002. 
[6] Agerwala, T. "Putting Petri Nets To Work". Computer, 12(12):85-94, 1979. 
[7] Arkin, A. "Business Process Modeling Language". Technical report, Business Pro-
cess Management Initiative, http://www.bpmi.org, 2003. 
[8] Banaszak, Z.A. and Krogh, B.H. "Deadlock Avoidance in Flexible Manufactur-
ing Systems with Concurrently Competing Process Flows". IEEE Transactions on 
Robotics and Automation, 6:724-734, 1990. 
[9] Basu, A. and Blanning, R.W. "Metagraphs: A Tool for Modeling Decision Support 
Systems". Management Science, 40(12):1579-1600, 1994. 
[10] Basu, A. and Blanning, R.W. "Metagraphs in Workflow Support Systems". Decision 
Support Systems, 25:199-208, 1999. 
[11] Basu, A. and Blanning, R.W. "A Formal Approach to Workflow Analysis". Infor-
mation Systems Research, 11(1):17-36, 2000. 
[12] Bedworth, D.D. and Bailey, J.E. Integrated Production Control Systems: Manage-
ment, Analysis and Design. John Wiley & Sons, Inc., NY, 2 edition, 1987. 
111 
[13] Borwein, J.M. "The Experimental Mathematician: 




[14] Borwein, J.M. and Corless, R. "Emerging Methods in Experimental Mathematics". 
American Mathematical Monthly, 106:181-194, 1999. 
[15] Casati, F., Ceri, S., Pernici, B., and Pozzi, G. "Conceptual Modeling of Worfk-
lows". Proceedings of the DOER '95, 14th International Object-Oriented and Entity-
Relationship Modelling Conference, Gold Coast, Australia, pages 341-354, 1995. 
[16] Caswell, N .S. and Nigam, A. "Operational Specification: A Technique for Busi-
ness Process Integration and Analysis". Invited paper at the INFORMS Fall 2002 
Meeting, November 2002. 
[17] Chen, P. A Use Case Driven Object-Oriented Design Methodology for the Design 
of Multi-Level Workfiow Schemas. PhD thesis, Department of Computer Science, 
Illinois Institute of Technology, Chicago, IL, 2000. 
[18] Cichocki, A., Helal, A., Rusinkiewicz, M., and Woelk, D. Workfiow and Process 
Automation: Concepts and Technology. Kluwer Academic Publishers, MA, 1998. 
[19] Coffman, E.G., Elphick, M.J., and Shoshani, A. "System Deadlocks". Computing 
Surveys, 3:67-78, 1971. 
[20] Corless, R.M., Gonnet, G.H., Hare, D.E.G., Jeffrey, D.G., and Knuth, D.E. "On the 
Lambert W Function". Advances in Computational Mathematics, 5:339-359, 1996. 
[21] CSC Corporation. "The Emergence of Business Process Management". Research 
report, version 1.0, Computer Sciences Corporation, http://www.bpmi.org, January 
2002. 
[22] Curtis, B., Kellner, M.I., and Over, J. "Process Modeling". Communications of the 
ACM, 35(9):75-90, 1992. 
[23] Dalal, N.P., Karnath, M., Kolarik, W.J., and Sivaraman, E. "Toward an Integrated 
Framework for Modeling Enterprise Processes". Communications of the ACM, 2003 
(in print). 
[24] de Bruijn, N.G. "Additional Comments on a Problem in Concurrent Programming 
Control". Communications of the ACM, 10:137-138, 1967. 
[25] Desel, J. and Esparza, J. Free Choice Petri Nets. Cambridge University Press, 1995. 
[26] Desrochers, A.A. and Al-Jaar, R.Y. Applications of Petri Nets in Manufacturing 
Systems: Modeling, Control, and Performance Analysis. IEEE Press, NJ., 1995. 
[27] Dijkstra, E.W. "Solution of a Problem in Concurrent Programming Control". Com-
munications of the ACM, 8:569, 1965. 
112 
• [28] Eisenberg, M.A. and McGuire, M.R. "Further Comments on Dijkstra's Concurrent 
Programming Control Problem". Communications of the ACM, 15:999-1000, 1972. 
[29] Ezpeleta, J., Colom, J.M., and Martinez, J. "A Petri Net Based Deadlock Prevention 
Policy for Flexible Manufacturing Systems". IEEE Transactions on Robotics and 
Automation, 11:173-184, 1995. 
[30] Fan, W. and Weinstein, S. "Specifying and Reasoning About Workflows with Path 
Constraints". In Proceedings of the 5th International Computer Science Confer-
ence{ICSC'99}, HongKong, China, volume 1749 of Lecture Notes in Computer Sci-
ence. Springer, Dec. 13-15 1999. 
[31] Fujimoto, R.M. "Parallel Discrete Event Simulation". Communications of the ACM, 
33:30-53, 1990. 
[32] Garey, M.R. and Johnson, D.S. Computers and Intractability: A Guide to the Theory 
of NP-Completeness. W.H. Freeman· Co., San Francisco, 1979. 
[33] Georgakopoulos, D., Hornick, M., and Sheth, A. "An Overview ofWorkflow Manage-
ment: From Process Modeling to Workflow Automation Infrastructure". Distributed 
and Parallel Databases, 3:119-153, 1995. 
[34] Gold, E.M. "Deadlock Prediction: Easy and Difficult Cases". SIAM Journal of 
Computing, 7:320-336, 1978. 
[35] Habermann A.N. "Prevention of System Deadlocks". Communications of the ACM, 
12:373-377, 385, 1969. 
· [36] Harmon, P. "XML Business Process Languages". The Business Process Trends 
Newsletter, http://www.bptrends.com, March 2003. 
[37] Havender J.W. "Avoiding Deadlock in Multitasking Systems". IBM Systems Jour-
nal, 7:74-84, 1968. 
[38] Hofacker, I. and Vetschera, R. "Algorithmical Approaches to Business Process De-
sign". Computers & Operations Research, 28:1253-1275, 2001. 
[39] Hofri, M. "The Deadlock Problem in Computing and Communication Systems - An 
Annotated Bibliography". Technical Report 500, Technion, Haifa, Israel, 1988. 
[40] Hofstede, A.H.M., Orlowska, M.E., and Rajapakse, J. "Verification Problems in 
Conceptual Workflow Specifications". Data & Knowledge Engineering, 24(3):239-
256, 1998. 
[41] Hollingsworth, D. "The Workflow Reference Model". · Techni-
cal Report WfMC-TC-1003, The Workflow Management Coalition, 
http://www.wfmc.org/standards/docs.htm, 1995. 
[42] Holt, R.C. "Comments on Prevention of System Deadlocks". Communications of 
the ACM, 14:36-38, 1971. 
113 
[43] Holt, R.C. "Some Deadlock Properties of Computer Systems". Computing Surveys, 
4:179-196, 1972. 
[44] Hsu, M. "Special Issue on Workflow Systems". Bulletin of the Technical Committee 
on Data Engineering, IEEE, 16(2), 1993. 
[45] Hsu, M. "Special Issue on Workflow Systems". Bulletin of the Technical Committee 
on Data Engineering, IEEE, 18(1), 1995. 
[46] Isloor, S.S. and Marsland, T.A. "The Deadlock Problem: An Overview". IEEE 
Computer, 9:58-:-77, 1980. 
[47] Karnath, M., Dalal, N.P., Chaugule, A., Sivaraman, E., and Kolarik, W.J. "A Re-
view of Enterprise Modeling Techniques". In Prabhu, V., Kumara, S., and Karnath, 
M., editors, Scalable Enterprise Systems:_ Recent Advances. Kluwer Academic Pub-
lishers, 2003. 
[48] Karnath, M., Dalal, N.P., and Chinnanchetty, R. "The Application of XML-Based 
Markup Languages in Enterprise Process Modeling". Proceedings of the 11th Annual 
Industrial Engineering Research Conference, Orlando, USA, 2002. 
[49] Karnath, M. and Sivaraman, E. "Analysis of Business Processes". Invited paper at 
the INFORMS Fall 2002 Meeting, November 2002. 
[50] Karnath, M.U. Improving Correctness and Failure Handling in Workftow Manage-
ment Systems. PhD thesis, Department of Computer Science, University of Mas-
sachusetts, Amherst, MA, 1998. 
[51] Karnath, M.U. and Ramamritham, K. "Correctness Issues in Workflow Manage-
ment". Distributed Systems Engineering Journal, 3(4):213-221, December 1996. 
Special Issue on Workflow Systems. 
[52] Keller, G. and Detering, S. "Process-Oriented Modeling and Analysis of Business 
Processes using the R/3 Reference Model". In Bemus, P. and Nemes, L., editors, 
Modeling and Methodologies for Enterprise Integration, pages 183-200. Chapman & 
Hall, U.K., 1996. 
[53] Kiepuszewski, B., Hofstede, A.H.M., and Aalst, W.M.P. "Fundamentals of Control 
Flow in Workflows". Technical Report FIT-TR-2002-02, Queensland Institute of 
Technology, Brisbane, Australia, 2002. 
[54] Knuth, D.E. "Additional Comments on a Problem in Concurrent Programming 
Control". Communications of the ACM, 9:321-322, 1966. 
[55] Knutilla, A., Schlenoff, C., Ray, S., Polyak, S.T., Tate, A., Cheah, S.C., and An-
derson, R.C. "Process Specification Language: An Analysis of Existing Representa-
tions". NISTIR 6160, National Institute of Standards and Technology, Gaithersburg, 
MD, 1998. http://www.mel.nist.gov/psl/. 
114 
[56] Lamport, L. "A New Solution of Dijkstra's Concurrent Programming Problem". 
Communications of the ACM, 17:453-455, 1974. 
[57] Lawley, M.A. and Reveliotis, S.A. "Deadlock Avoidance for Sequential Resource 
Allocation Systems: Hard and Easy Cases". The International Journal of Flexible 
Manufacturing Systems, 13:385-404, 2001. 
[58] Lee. D. and Kim, M. "A Distributed Scheme for Dynamic Deadlock Detection and 
Resolution". Information Sciences, 64:149-164, 1992. 
[59] Lei, Y. and Singh, M.P. "A Comparison of Workflow Metamodels". Proceed-
ings of the ER-97 Workshop on Behavioral Modeling €3 Design Transformation Is-
sues and Opportunities in Conceptual Modeling, Los Angeles, CA, November 1997. 
http://osm7.cs.byu.edu/ER97 /workshop4/ls.html. 
[60] Leymann, F. and Roller, D. Production Workfiow: Concepts and Techniques. 
Prentice-Hall, Inc., 2000. 
[61] Lin, H., Zhao, H., Li, H., and Chen, Z. "A Novel Graph Reduction Algorithm to 
Identify Structural Conflicts". In Proceedings of the 35th Annual Hawaii Interna-
tional Conference on System Science {HICSS-35'02). IEEE Computer Society Press, 
2002. 
[62] Linthicum, D.S. Enterprise Application Integration. Addison-Wesley, Boston, USA, 
2000. 
[63] Lynch, J.F. "Random Resource Allocation Graphs and The Probability of Dead-
lock". SIAM Journal on Discrete Mathematics, 7:458-473, 1994. 
[64] Martinez, J. and Silva, M. "A Simple and Fast Algorithm to Obtain all Invariants 
of a Generalized Petri Net". In Girault, C. and Reisig, W., editors, Application 
and Theory of Petri Nets, volume 52 of Lecture Notes in Computer Science, pages 
301-311. Springer-Verlag, 1982. 
[65] Mayer, R.J., Menzel, C.P., Painter, M.K., deWitte, P.S., Blinn, T., and Perakath, 
B. "Information Integration for Concurrent Engineering (IICE) - IDEF3 Process 
Description Capture Report". Technical report, KBSI Systems, Inc., College Station, 
TX, http://www.idef.com, 1995. 
[66] Mentzas, G., Halaris, C., and Kavadias, S. "Modelling Business Processes with 
Workflow Systems: An Evaluation of Alternative Approaches". International Jour-
nal of Information Management, 21:123-135, 2001. 
[67] Minoura, T. "Deadlock Avoidance Revisited". Journal of the ACM, 29:1023-1048, 
1982. 
[68] Murata, T. "Petri Nets: Properties, Analysis, and Applications". Proceedings of the 
IEEE, 77(4):541-580, 1989. 
115 
[69] Parnas, D.L. and Habermann, A.N. "Comment on Deadlock Prevention Method". 
Communications of the ACM, 15:840-841, 1972. 
[70] Peterson, J.L. Petri Net Theory and the Modeling of Systems. Prentice-Hall, Inc., 
1981. 
[71] Rardin, R.L. Optimization in Operations Research. Prentice-Hall, NJ, 1998. 
[72] Recihert, M. and Dadam, P. "ADEPT flex - Supporting Dynamic Changes of Work-
flows Without Losing Control". Journal of Intelligent Information Systems, 10:93-
129, 1998. Special Issue on Workflow Management Systems. 
[73] Reveliotis, S.A. "Liveness Enforcing Supervision for Sequential Resource Allocation 
Systems: State of the Art and Open Issues". In Cailaud, B., Xie, X., Darondeau, P., 
and Lavagno. L., editors, Synthesis and Control of Discrete Event Systems, pages 
203-212. Kluwer Academic Publishers, 2002. 
[7 4] Reveliotis, S.A. and Ferreira, P.M. "Deadlock Avoidance Policies for Automated 
Manufacturing Systems". IEEE Transactions on Robotics and Automation, 12:845-
857, 1996. 
[75] Sadiq, W. On Verification Issues in Conceptual Modeling of Workfiow Processes. 
PhD thesis, Department of Computer Science and Electrical Engineering, The Uni-
versity of Queensland, Australia, 2001. 
[76) Sadiq, W. and Orlowska, M.E. "Analyzing Process Models using Graph Reduction 
Techniques". Information Systems, 25(2):117-134, 2000. 
[77] Salimifard, K. and Wright, M. "Petri-Net based Modeling of Workflow Systems: An 
Overview". European Journal of Operational Research, 134(3):218-230, 2001. 
[78] Shapiro, R. "A Technical Comparison of XPDL, BPML, and BPEL4WS". Business 
Process Trends - White Paper/Technical Brief, http://www.bptrends.com, 2002. 
[79] Sheth, A., Aalst, W.M.P., and Arpinar, I. "Processes Driving the Networked Econ-
omy". IEEE Concurrency, 7(3):18-31, 1999. 
[80] Shooman, M.L. Probabilistic Reliability: An Engineering Approach. McGraw-Hill 
Book Company, NY, 1968. 
[81 J Singh, M.P. "Formal Semantics for Workflow Computations". Technical Report TR-
96-08, Department of Computer Science, North Carolina State University, January 
1996. 
[82] Singhal, M. "Deadlock Detection in Distributed Systems". IEEE Computer, 22:37-
48, 1989. 
[83) Straub, P. and Hurtado, C.L. "A Theory of Parallel Threads in Process Models". 
Technical Report RT-PUC-DCC-95-05, Computer Science Department, Catholic 
University of Chile, Santiago, Chile, 1995. ftp://ing.puc.cl/doc/techReports. 
116 
(84] Straub, P. and Hurtado, C.L. "The Simple Control Property of Business Process 
Models". Proceedings of the XV Conference of the Chilean Computer Society, Arica, 
Chile, Oct. 30-Nov. 3, 1995. ftp://ing.puc.cl/doc/techReports. 
(85] Straub, P. and Hurtado, C.L. "Avoiding Useless Work in Workflow Systems". Pro-
ceedings of the International Conference on Information Systems Analysis and Syn-
thesis, Orlando, USA, July 22-26, 1996. 
(86] Straub, P. and Hurtado, C.L. "Business Process Behavior is (almost) Free-
choice". Computational Engineering in Systems Applications, Session on Petri 
Nets for Multi-Agent Systems and Groupware, Lille, France, July 9-12, 1996. 
ftp://ing.puc.cl/doc/techReports. 
(87] Straub, P. and Hurtado, C.L. "Understanding Behavior of Business Process Models". 
Proceedings of the First International Conference on Coordination Languages and 
Models, Cesena, Italy, April 15-17, 1996. ftp://ing.puc.cl/doc/techReports. 
(88] Straub, P. and Hurtado, C.L. "Control in Multi-Threaded Information Systems". 
Unpublished working report, Computer Science Department, Catholic University of 
Chile, Santiago, Chile, 1997. ftp://ing.puc.cl/doc/techReports. 
(89] Stremersch, G. and Boel, R.K. "Structuring Acyclic Petri Nets for Reachability 
Analysis and Control". Discrete Event Dynamic Systems, 12:7-41, 2002. 
(90] Sugiyama, Y., Araki, T., Kasami, T., and Okui, J. "Complexity of the Deadlock 
Avoidance Problem". Systems, Computers, Controls, 8:44-51, 1977. 
(91] Veijalainen, J., Lehtola, A., and Pihlajamaa, 0. "Research Issues in Work-
flow Systems". Proceedings of the 8th ERCIM Database Research Group Work-
shop on Database Issues and Infrastructure in Cooperative Informations Sys-
tems Trondheim, Norway, August 1995. http://www.ercim.org/publication/ws-
proceedings/ 8th-ED RG /8th-EDRG-contents.html. 
(92] Venkatesh, S. Deadlock Detection and Resolution in Discrete Event Simulation and 
Shop Floor Control. PhD thesis, Department of Industrial Engineering, Texas A&M 
University, College Station, TX, 1996. 
(93] Vernadat, F.B. "CIM Business Process and Enterprise Activity Modeling". In 
Bemus, P. and Nemes, L., editors, Modeling and Methodologies for Enterprise Inte-
gration, pages 171-182. Chapman & Hall, U .K., 1996. 
(94] Viswanadham, N., Narahari, Y., and Johnson, T.J. "Deadlock Prevention and 
Deadlock Avoidance in Flexible Manufacturing Systems Using Petri Net Models". 
IEEE Transactions on Robotics and Automation, 6:713-723, 1990. 
(95] WfMC. "Terminology & Glossary". Technical Report WfMC-TC-1011, The Work-
flow Management Coalition, http://www.wfmc.org/standards/docs.htm, 1999. 
117 
[96] WfMC Work Group 1. "Interface 1: Process Definition Interchange Process 
Model". Technical Report WfMC-TC-1016-P, The Workflow Management Coali-
tion, http://www.wfmc.org/standards/docs.htm, 1999. 
[97] Wilf, H. Algorithms and Complexity. Prentice-Hall, Inc., NY., 1986. 
[98] Wojcik, B.E. and Wojcik, Z.M. "Sufficient Condition for Communication Deadlock 
and Distributed Deadlock Detection". IEEE Transactions on Software Engineering, 
15:1587-1595, 1989. 
[99] Xing, K.Y., Hu, B.S., and Chen, H.X. "Deadlock Avoidance Policy for Petri-Net 
Modeling of Flexible Manufacturing Systems with Shared Resources". IEEE Trans-




Candidate for the Degree of 
Doctor of Philosophy 
THESIS: FORMAL TECHNIQUES FOR ANALYZING BUSINESS PROCESS MODELS 
MAJOR FIELD: Industrial Engineering & Management 
BIOGRAPHICAL: 
Personal Data : Born in Kumbakonam, Tamil Nadu, India, September 15, 
1975, son of Mrs. K. Vasantha and Mr. E. Sivaraman. 
Education : Graduated from Padma Seshadri Bala Bhavan Senior Sec-
ondary School, Madras, India, in May 1992; received the Bachelor of 
Technology degree in Manufacturing Engineering from National Institute 
of Foundry & Forge Technology, Ranchi, India, in May 1996; received the 
Master of Science degree in Industrial Engineering & Management from 
Oklahoma State University in May 1998; completed requirements for the 
Doctor of Philosophy degree at Oklahoma State University in May 2003. 
Experience : Graduate Teaching Assistant, School of Industrial Engineering 
and Management, Oklahoma State University, Fall 1996 ~ Spring 2003; 
Graduate Research Associate, Center for Computer Integrated Manu-
facturing, Oklahoma State University, Fall 1998 ~ Spring 2003; Summer 
Intern (Mathematical Programming), CIENA Corporation, Cupertino, 
CA, June 2000 ~ July 2000. 
Honors : OSU Graduate Research Excellence Award for outstanding Ph.D. 
Dissertation, Spring 2003; OSU Graduate Research Excellence Award 
for outstanding M.S. Thesis, Spring 1998; Phi Kappa Phi, Spring 2003; 
Pi Mu Epsilon, Fall 1998; Alpha Pi Mu, Fall 1997. 
Professional Membership : INFORMS, IIE, and AMA. 
