Recommended from our members
Verifying Properties of Process Definitions
It seems important that the complex processes that synergize humans and computers to solve widening classes of societal problems be subjected to rigorous analysis. One approach is to use a process definition language to specify these processes and to then use analysis techniques to evaluate these definitions for important correctness properties. Because humans demand flexibility in their participation in complex processes, process definition languages must incorporate complicated control structures, such as various concurrency, choice, reactive control, and exception mechanisms. The underlying complexity of these control abstractions, however, often confounds the users’ intuitions as well as complicates any analysis. Thus, the control abstraction complexity in process definition languages presents analysis challenges beyond those posed by traditional programming languages. This paper explores some of the difficulties of analyzing process definitions. We explore issues arising when applying the FLAVERS finite state verification system to processes written in the Little-JIL process definition language and illustrate these issues using a realistic auction example. Although we employ a particular process definition language and analysis technique, our results seem more generally applicable.
An Incremental Approach to Identifying Causes of System Failures using Fault Tree Analysis
This work presents a systematic, incremental approach to identifying causes of potential failures in complex systems. The approach builds upon Fault Tree Analysis (FTA), but enhances previous work to deliver better results. FTA has been applied in a number of domains to determine what combinations of events might lead to a specified undesired event that represents a system failure. Given an undesired event, FTA constructs a fault tree (FT) and computes its cut sets, the sets of events that together could cause the undesired event. Such cut sets provide valuable insights into how to improve the design of the system being analyzed to reduce the likelihood of the failure. Manual FT construction can be tedious and error-prone. Previous approaches to automatic FT construction are limited to systems modeled in specific modeling languages and often fail to recognize some important causes of failures. Also, these approaches tend to not provide enough information to help users understand how the events in a cut set could lead to the specified undesired event and, at the same time, often provide too many cut sets to be helpful, especially when systems are large and complex.
Our approach to identifying causes of potential system failures is incremental and consists of two phases that support selective exploration. In the first phase, a high-level FT, called the initial FT, is constructed based on the system's data and control dependence information and then the initial FT's cut sets, called the initial cut sets, are computed. In the second phase, users select one initial cut set for more detailed analysis. In this detailed analysis, additional control dependence information is incorporated and error combinations are considered to construct a more detailed FT, called the elaborated FT, that focuses on the chosen initial cut set. The cut sets of the elaborated FT, called the elaborated cut sets, are then computed, and concrete scenarios are generated to show how events in each of those elaborated cut sets could cause the specified undesired event. Our approach is applicable to any system model that incorporates control and data dependence information. The approach also improves the precision of the results by automatically eliminating some inconsistent and spurious cut sets.
Specification and Analysis of Resource Utilization Policies for Human-Intensive Systems
Contemporary systems often require the effective support of many types of resources, each governed by complex utilization policies. Sound management of these resources plays a key role in assuring that these systems achieve their key goals. To help system developers make sound resource management decisions, I provide a resource utilization policy specification and analysis framework for (1) specifying very diverse kinds of resources and their potentially complex resource utilization policies, (2) dynamically evaluating the policies’ effects on the outcomes achieved by systems utilizing the resources, and (3) formally verifying various kinds of properties of these systems.
Resource utilization policies range from simple, e.g., first-in-first-out, to extremely complex, responding to changes in system environment, state, and stimuli. Further, policies may at times conflict with each other, requiring conflict resolution strategies that add extra complexity. Prior specification approaches rely on relatively simple resource models that prevent the specification of complex utilization and conflict resolution policies. My approach (1) separates resource utilization policy concerns from resource characteristic and request specifications, (2) creates an expressive specification notation for constraint policies, and (3) creates a resource constraint conflict resolution capability. My approach enables creating specifications of policies that are sufficiently precise and detailed to support static and dynamic analyses of how these policies affect the properties of systems constrained or governed by these policies.
I provide a process- and resource-aware discrete-event simulator for simulating system executions that adhere to policies of resource utilization. The simulator integrates the existing JSim simulation engine with a separate resource management system. The separate architectural component makes it easy to keep track of resource utilization traces during a simulation run. My simulation framework facilitates considerable flexibility in the evaluation of diverse resource management decisions and powerful dynamic analyses.
Dynamic verification through simulation is inherently limited because of the impossibility of exhaustive simulation of all scenarios. I complement this approach with static verification. Prior static resource analysis has supported the verification only of relatively simple resource utilization policies. My research utilizes powerful model checking techniques, building on the existing FLAVERS model checking tool, to verify properties of complex systems that are also verified to conform to complex resource utilization policies. My research demonstrates how to use systems such as FLAVERS to verify adherence to complex resource utilization policies as well as overall system properties, such as the absence of resource leak and resource deadlock.
I evaluated my approach working with a hospital emergency department domain expert, using detailed, expert-developed models of the processes and resource utilization policies of an emergency department. In doing this, my research demonstrates how my framework can be effective in guiding the domain expert towards making sound decisions about policies for the management of hospital resources, while also providing rigorously-based assurances that the guidance is reliable and well-founded.
My research makes the following contributions: (1) a specification language for resources and resource utilization policies for human-intensive systems, (2) a process- and resource-aware discrete-event simulation engine that creates simulations that adhere to the resource utilization policies, allowing for the dynamic evaluation of resource utilization policies, (3) a process- and resource-aware model checking technique that formally verifies system properties and adherence to resource utilization policies, and (4) validated and verified specifications of an emergency department healthcare system, demonstrating the utility of my approach.