Soundness of workflow nets : classification, decidability, and analysis

Workflow nets, a particular class of Petri nets, have become one of the standard ways to model and analyze workflows. Typically, they are used as an abstraction of the workflow that is used to check the so-called soundness property. This property guarantees the absence of livelocks, deadlocks, and other anomalies that can be detected without domain knowledge. Several authors have proposed alternative notions of soundness and have suggested to use more expressive languages, e.g., models with cancellations or priorities. This paper provides an overview of the different notions of soundness and investigates these in the presence of different extensions of workflow nets. We will show that the eight soundness notions described in the literature are decidable for workflow nets. However, most extensions will make all of these notions undecidable. These new results show the theoretical limits of workflow verification. Moreover, we discuss some of the analysis approaches described in the literature

Vérification efficace de systèmes à compteurs à l'aide de relaxations

Abstract : Counter systems are popular models used to reason about systems in various fields such as the analysis of concurrent or distributed programs and the discovery and verification of business processes. We study well-established problems on various classes of counter systems. This thesis focusses on three particular systems, namely Petri nets, which are a type of model for discrete systems with concurrent and sequential events, workflow nets, which form a subclass of Petri nets that is suited for modelling and reasoning about business processes, and continuous one-counter automata, a novel model that combines continuous semantics with one-counter automata. For Petri nets, we focus on reachability and coverability properties. We utilize directed search algorithms, using relaxations of Petri nets as heuristics, to obtain novel semi-decision algorithms for reachability and coverability, and positively evaluate a prototype implementation. For workflow nets, we focus on the problem of soundness, a well-established correctness notion for such nets. We precisely characterize the previously widely-open complexity of three variants of soundness. Based on our insights, we develop techniques to verify soundness in practice, based on reachability relaxation of Petri nets. Lastly, we introduce the novel model of continuous one-counter automata. This model is a natural variant of one-counter automata, which allows reasoning in a hybrid manner combining continuous and discrete elements. We characterize the exact complexity of the reachability problem in several variants of the model.Les systèmes à compteurs sont des modèles utilisés afin de raisonner sur les systèmes de divers domaines tels l’analyse de programmes concurrents ou distribués, et la découverte et la vérification de systèmes d’affaires. Nous étudions des problèmes bien établis de différentes classes de systèmes à compteurs. Cette thèse se penche sur trois systèmes particuliers : les réseaux de Petri, qui sont un type de modèle pour les systèmes discrets à événements concurrents et séquentiels ; les « réseaux de processus », qui forment une sous-classe des réseaux de Petri adaptée à la modélisation et au raisonnement des processus d’affaires ; les automates continus à un compteur, un nouveau modèle qui combine une sémantique continue à celles des automates à un compteur. Pour les réseaux de Petri, nous nous concentrons sur les propriétés d’accessibilité et de couverture. Nous utilisons des algorithmes de parcours de graphes, avec des relaxations de réseaux de Petri comme heuristiques, afin d’obtenir de nouveaux algorithmes de semi-décision pour l’accessibilité et la couverture, et nous évaluons positivement un prototype. Pour les «réseaux de processus», nous nous concentrons sur le problème de validité, une notion de correction bien établie pour ces réseaux. Nous caractérisions précisément la complexité calculatoire jusqu’ici largement ouverte de trois variantes du problème de validité. En nous basant sur nos résultats, nous développons des techniques pour vérifier la validité en pratique, à l’aide de relaxations d’accessibilité dans les réseaux de Petri. Enfin, nous introduisons le nouveau modèle d’automates continus à un compteur. Ce modèle est une variante naturelle des automates à un compteur, qui permet de raisonner de manière hybride en combinant des éléments continus et discrets. Nous caractérisons la complexité exacte du problème d’accessibilité dans plusieurs variantes du modèle

Verification of priced and timed extensions of Petri Nets with multile instances

Tesis inédita de la Universidad Complutense de Madrid, Facultad de Informática, Departamento de Sistemas Informáticos y Computación, leída el 25-01-2016Las redes de Petri son un lenguaje formal muy adecuado para la modelizacíon, ańalisis y verificacíon de sistemas concurrentes con infinitos estados. En particular, son muy apropiadas para estudiar las propiedades de seguridad de dichos sistemas, dadas sus buenas propiedades de decidibilidad. Sin embargo, en muchas ocasiones las redes de Petri carecen de la expresividad necesaria para representar algunas caracteŕısticas fundamentales de los sistemas que se manejan hoy en d́ıa, como el manejo de tiempo real, costes reales, o la presencia de varios procesos con un ńumero no acotado de estados ejecut́andose en paralelo. En la literatura se han definido y estudiado algunas extensiones de las redes de Petri para la representaci ́on de las caracteŕısticas anteriores. Por ejemplo, las “Redes de Petri Temporizadas” [83, 10](TPN) incluyen el manejo de tiempo real y las ν-redes de Petri [78](ν-PN) son capaces de representar un ńumero no acotado de procesos con infinitos estados ejecut́andose concurrentemente. En esta tesis definimos varias extensiones que réunen estas dos caracteŕısticas y estudiamos sus propiedades de decidibilidad. En primer lugar definimos las “ν-Redes de Petri Temporizadas”, que réunen las caracteŕısticas expresivas de las TPN y las ν-PN. Este nuevo modelo es capaz de representar sistemas con un ńumero no acotado de procesos o instancias, donde cada proceso es representado por un nombre diferente, y tiene un ńumero no acotado de relojes reales. En este modelo un reloj de una instancia debe satisfacer ciertas condiciones (pertenecer a un intervalo dado) para formar parte en el disparo de una transicíon. Desafortunadamente, demostramos que la verificacíon de propiedades de seguridad es indecidible para este modelo...The model of Petri nets is a formal modeling language which is very suitable for the analysis and verification of infinite-state concurrent systems. In particular, due to its good decidability properties, it is very appropriate to study safety properties over such systems. However, Petri nets frequently lack the expressiveness to represent several essential characteristics of nowadays systems such as real time, real costs, or the managing of several parallel processes, each with an unbounded number of states. Several extensions of Petri nets have been defined and studied in the literature to fix these shortcomings. For example, Timed Petri nets [83, 10] deal with real time and ν-Petri nets [78] are able to represent an unbounded number of different infinite-state processes running concurrently. In this thesis we define new extensions which encompass these two characteristics, and study their decidability properties. First, we define Timed ν-Petri nets by joining together Timed Petri nets and ν-Petri nets. The new model represents systems in which each process (also called instance) is represented by a different pure name, and it is endowed with an unbounded number of clocks. Then, a clock of an instance must satisfy certain given conditions (belonging to a given interval) in order to take part in the firing of a transition. Unfortunately, we prove that the verification of safety properties is undecidable for this model. In fact, it is undecidable even if we only consider two clocks per process. We restrict this model and define Locally-Synchronous ν-Petri nets by considering only one clock per instance, and successfully prove the decidability of safety properties for this model. Moreover, we study the expressiveness of Locally-Synchronous ν-Petri nets and prove that it is the most expressive non Turing-complete extension of Petri nets with respect to the languages they accept...Depto. de Sistemas Informáticos y ComputaciónFac. de InformáticaTRUEunpu

Complexity of the soundness problem of bounded workflow nets

Classical workflow nets (WF-nets) are an important class of Petri nets that are widely used to model and analyze workflow systems. Soundness is a crucial property that guarantees these systems are deadlock-free and bounded. Aalst et al. proved that the soundness problem is decidable, and proposed (but not proved) that the soundness problem is EXPSPACE-hard. In this paper, we show that the satisfiability problem of Boolean expression is polynomial time reducible to the liveness problem of bounded WF-nets, and soundness and liveness are equivalent for bounded WF-nets. As a result, the soundness problem of bounded WF-nets is co-NP-hard. Workflow nets with reset arcs (reWF-nets) are an extension to WF-nets, which enhance the expressiveness of WF-nets. Aalst et al. proved that the soundness problem of reWF-nets is undecidable. In this paper, we show that for bounded reWF-nets, the soundness problem is decidable and equivalent to the liveness problem. Furthermore, a bounded reWF-net can be constructed in polynomial time for every linear bounded automaton (LBA) with an input string, and we prove that the LBA accepts the input string if and only if the constructed reWF-net is live. As a result, the soundness problem of bounded reWF-nets is PSPACE-hard.No Full Tex

Complexity of the soundness problem of workflow nets

Classical workflow nets (WF-nets for short) are an important subclass of Petri nets that are widely used to model and analyze workflow systems. Soundness is a crucial property of workflow systems and guarantees that these systems are deadlock-free and bounded. Aalst et al. proved that the soundness problem is decidable for WF-nets and can be polynomially solvable for free-choice WF-nets. This paper proves that the soundness problem is PSPACE-hard for WF-nets. Furthermore, it is proven that the soundness problem is PSPACE-complete for bounded WF-nets. Based on the above conclusion, it is derived that the soundness problem is also PSPACE-complete for bounded WF-nets with reset or inhibitor arcs (ReWF-nets and InWF-nets for short, resp.). ReWF- and InWF-nets are two extensions to WF-nets and their soundness problems were proven by Aalst et al. to be undecidable. Additionally, we prove that the soundness problem is co-NP-hard for asymmetric-choice WF-nets that are a larger class and can model more cases of interaction and resource allocation than free-choice ones.No Full Tex

Verification of soundness and other properties of business processes

In this thesis we focus on improving current modeling and verification techniques for complex business processes. The objective of the thesis is to consider several aspects of real-life business processes and give specific solutions to cope with their complexity. In particular, we address verification of a proper termination property for workflows, called generalized soundness. We give a new decision procedure for generalized soundness that improves the original decision procedure. The new decision procedure reports on the decidability status of generalized soundness and returns a counterexample in case the workflow net is not generalized sound. We report on experimental results obtained with the prototype implementation we made and describe how to verify large workflows compositionally, using reduction rules. Next, we concentrate on modeling and verification of adaptive workflows — workflows that are able to change their structure at runtime, for instance when some exceptional events occur. In order to model the exception handling properly and allow structural changes of the system in a modular way, we introduce a new class of nets, called adaptive workflow nets. Adaptive workflow nets are a special type of Nets in Nets and they allow for creation, deletion and transformation of net tokens at runtime and for two types of synchronizations: synchronization on proper termination and synchronization on exception. We define some behavioral properties of adaptive workflow nets: soundness and circumspectness and employ an abstraction to reduce the verification of these properties to the verification of behavioral properties of a finite state abstraction. Further, we study how formal methods can help in understanding and designing business processes. We investigate this for the extended event-driven process chains (eEPCs), a popular industrial business process language used in the ARIS Toolset. Several semantics have been proposed for EPCs. However, most of them concentrated solely on the control flow. We argue that other aspects of business processes must also be taken into account in order to analyze eEPCs and propose a semantics that takes data and time information from eEPCs into account. Moreover, we provide a translation of eEPCs to Timed Colored Petri nets in order to facilitate verification of eEPCs. Finally, we discuss modeling issues for business processes whose behavior may depend on the previous behavior of the process, history which is recorded by workflow management systems as a log. To increase the precision of models with respect to modeling choices depending on the process history, we introduce history-dependent guards. The obtained business processes are called historydependent processes.We introduce a logic, called LogLogics for the specification of guards based on a log of a current running process and give an evaluation algorithm for such guards. Moreover, we show how these guards can be used in practice and define LogLogics patterns for properties that occur most commonly in practice

Adaptable processes

We propose the concept of adaptable processes as a way of overcoming the limitations that process calculi have for describing patterns of dynamic process evolution. Such patterns rely on direct ways of controlling the behavior and location of running processes, and so they are at the heart of the adaptation capabilities present in many modern concurrent systems. Adaptable processes have a location and are sensible to actions of dynamic update at runtime; this allows to express a wide range of evolvability patterns for concurrent processes. We introduce a core calculus of adaptable processes and propose two verification problems for them: bounded and eventual adaptation. While the former ensures that the number of consecutive erroneous states that can be traversed during a computation is bound by some given number k, the latter ensures that if the system enters into a state with errors then a state without errors will be eventually reached. We study the (un)decidability of these two problems in several variants of the calculus, which result from considering dynamic and static topologies of adaptable processes as well as different evolvability patterns. Rather than a specification language, our calculus intends to be a basis for investigating the fundamental properties of evolvable processes and for developing richer languages with evolvability capabilities

О разрешимости бездефектности для сетей потоков работ с неограниченным ресурсом

In this work, we consider the modeling of workflow systems with Petri nets. A resource workflow net (RWF-net) is a workflow net supplied with an additional set of initially marked resource places. Resources can be consumed and/or produced by transitions. We constrain neither the intermediate nor final resource markings, hence a net can have an infinite number of different reachable states. An initially marked RWF-net is called sound if it properly terminates its work and, moreover, an increase of the initial resource does not violate its proper termination. An unmarked RWF-net is sound if it is sound for some initial resource. In this paper, we prove the decidability of both marked and unmarked soundness for a restricted class of RWF-nets with a single unbounded resource place (1-dim RWF-nets). We present an algorithm for computing the minimal sound resource for a given sound 1-dim RWF-net.Рассматривается моделирование схем потоков работ (workflow) при помощи сетей Петри. Определяется класс сетей потоков работ с ресурсами (RWF- сетей) — обычных workflow-сетей, в которых дополнительно добавлено множество ресурсных позиций, содержащих какую-то начальную разметку (начальный ресурс). Ресурсы могут уничтожаться и производиться при срабатываниях переходов. Мы не накладываем ограничений ни на промежуточные, ни на финальные ресурсные разметки, поэтому сеть может порождать бесконечное множество различных достижимых состояний. RWF-сеть с данной начальной ресурсной разметкой называется бездефектной, если, во-первых, она всегда корректно завершает свою работу, и, во- вторых, любое увеличение начального ресурса не нарушает свойства корректного завершения. Неразмеченная RWF-сеть бездефектна, если она бездефектна при некоторой начальной ресурсной разметке. В данной работе доказана разрешимость обоих вариантов бездефектности для важного подкласса RWF- сетей — сетей с одномерным ресурсом (одной ресурсной позицией). Также представлен алгоритм вычисления наименьшего бездефектного ресурса

Analysis of Petri Nets with Context-Free Structure Changes

Structure-changing Petri nets are Petri nets with transition replacement rules. In this paper, we investigate the restricted class of structure-changing workflow nets and show that two different reachability properties (concrete and abstract reachability) and word membership in the language of labelled firing sequences are decidable, while a language-based notion of correctness (containment of the language of labelled firing sequences in a regular language) is undecidable