Reduction rules for reset workflow nets

When a workflow contains a large number of tasks and involves complex control flow dependencies, verification can take too much time or it may even be impossible. Reduction rules can be used to abstract from certain transitions and places in a large net and thus could cut down the size of the net used for verification. Petri nets have been proposed to model and analyse workflows and Petri nets reduction rules have been used for efficient verification of various properties of workflows, such as liveness and boundedness. Reset nets are Petri nets with reset arcs, which can remove tokens from places when a transition fires. The nature of reset arcs closely relates to the cancellation behaviour in workflows. As a result, reset nets have been proposed to formally represent workflows with cancellation behaviour, which is not easily modelled in ordinary Petri nets. Even though reduction rules exist for Petri nets, the nature of reset arcs could invalidate the transformation rules applicable to Petri nets. This motivated us to consider possible reduction rules for reset nets. In this paper, we propose a number of reduction rules for Reset Workflow Nets (RWF-nets) that are soundness preserving. These reduction rules are based on reduction rules available for Petri nets [19] and we present the necessary conditions under which these rules hold in the context of reset nets

Soundness of workflow nets : classification, decidability, and analysis

Workflow nets, a particular class of Petri nets, have become one of the standard ways to model and analyze workflows. Typically, they are used as an abstraction of the workflow that is used to check the so-called soundness property. This property guarantees the absence of livelocks, deadlocks, and other anomalies that can be detected without domain knowledge. Several authors have proposed alternative notions of soundness and have suggested to use more expressive languages, e.g., models with cancellations or priorities. This paper provides an overview of the different notions of soundness and investigates these in the presence of different extensions of workflow nets. We will show that the eight soundness notions described in the literature are decidable for workflow nets. However, most extensions will make all of these notions undecidable. These new results show the theoretical limits of workflow verification. Moreover, we discuss some of the analysis approaches described in the literature

Verification of soundness and other properties of business processes

In this thesis we focus on improving current modeling and verification techniques for complex business processes. The objective of the thesis is to consider several aspects of real-life business processes and give specific solutions to cope with their complexity. In particular, we address verification of a proper termination property for workflows, called generalized soundness. We give a new decision procedure for generalized soundness that improves the original decision procedure. The new decision procedure reports on the decidability status of generalized soundness and returns a counterexample in case the workflow net is not generalized sound. We report on experimental results obtained with the prototype implementation we made and describe how to verify large workflows compositionally, using reduction rules. Next, we concentrate on modeling and verification of adaptive workflows — workflows that are able to change their structure at runtime, for instance when some exceptional events occur. In order to model the exception handling properly and allow structural changes of the system in a modular way, we introduce a new class of nets, called adaptive workflow nets. Adaptive workflow nets are a special type of Nets in Nets and they allow for creation, deletion and transformation of net tokens at runtime and for two types of synchronizations: synchronization on proper termination and synchronization on exception. We define some behavioral properties of adaptive workflow nets: soundness and circumspectness and employ an abstraction to reduce the verification of these properties to the verification of behavioral properties of a finite state abstraction. Further, we study how formal methods can help in understanding and designing business processes. We investigate this for the extended event-driven process chains (eEPCs), a popular industrial business process language used in the ARIS Toolset. Several semantics have been proposed for EPCs. However, most of them concentrated solely on the control flow. We argue that other aspects of business processes must also be taken into account in order to analyze eEPCs and propose a semantics that takes data and time information from eEPCs into account. Moreover, we provide a translation of eEPCs to Timed Colored Petri nets in order to facilitate verification of eEPCs. Finally, we discuss modeling issues for business processes whose behavior may depend on the previous behavior of the process, history which is recorded by workflow management systems as a log. To increase the precision of models with respect to modeling choices depending on the process history, we introduce history-dependent guards. The obtained business processes are called historydependent processes.We introduce a logic, called LogLogics for the specification of guards based on a log of a current running process and give an evaluation algorithm for such guards. Moreover, we show how these guards can be used in practice and define LogLogics patterns for properties that occur most commonly in practice

Static Analysis of Deterministic Negotiations

Negotiation diagrams are a model of concurrent computation akin to workflow Petri nets. Deterministic negotiation diagrams, equivalent to the much studied and used free-choice workflow Petri nets, are surprisingly amenable to verification. Soundness (a property close to deadlock-freedom) can be decided in PTIME. Further, other fundamental questions like computing summaries or the expected cost, can also be solved in PTIME for sound deterministic negotiation diagrams, while they are PSPACE-complete in the general case. In this paper we generalize and explain these results. We extend the classical "meet-over-all-paths" (MOP) formulation of static analysis problems to our concurrent setting, and introduce Mazurkiewicz-invariant analysis problems, which encompass the questions above and new ones. We show that any Mazurkiewicz-invariant analysis problem can be solved in PTIME for sound deterministic negotiations whenever it is in PTIME for sequential flow-graphs---even though the flow-graph of a deterministic negotiation diagram can be exponentially larger than the diagram itself. This gives a common explanation to the low-complexity of all the analysis questions studied so far. Finally, we show that classical gen/kill analyses are also an instance of our framework, and obtain a PTIME algorithm for detecting anti-patterns in free-choice workflow Petri nets. Our result is based on a novel decomposition theorem, of independent interest, showing that sound deterministic negotiation diagrams can be hierarchically decomposed into (possibly overlapping) smaller sound diagrams.Comment: To appear in the Proceedings of LICS 2017, IEEE Computer Societ

Reduction rules for YAWL workflow nets with cancellation regions and OR-joins

A reduction rule can transform a large net into a smaller and simple net while preserving certain interesting properties and it is usually applied before verification to reduce the complexity and to prevent state space explosion. Reset nets have been proposed to formally describe workflows with cancellation behaviour. In our previous work, we have presented a set of reduction rules for Reset Workflow Net (RWF-net), which is a subclass of reset nets. In this paper, we will present a set of reduction rules for YAWL nets with cancellation regions and OR-joins. The reduction rules for RWF-nets combined with the formal mappings from YAWL nets provide us with the means to dene a set of reduction rules for YAWL nets. We will also demonstrate how these reduction rules can be used for efficient verification of YAWL nets these features

Petri nets with may/must semantics: Preserving properties through data refinements

Many systems used in process managements, like workflow systems, are developed in a top-down fashion, when the original design is refined at each step bringing it closer to the underlying reality. Underdefined specifications cannot however be used for verification, since both false positives and false negatives can be reported. In this paper we introduce colored Petri nets where guards can be evaluated to true, false and indefinite values, the last ones reflecting underspecification. This results in the semantics of Petri nets with may- and must-enableness and firings. In this framework we introduce property-preserving refinements that allow for verification in an early design phase. We present results on property preservation through refinements. We also apply our framework to workflow nets, introduce notions of may- and must-soundness and show that they are preserved through refinements. We shortly describe a prototype under implementation

Checking and Enforcing Security through Opacity in Healthcare Applications

The Internet of Things (IoT) is a paradigm that can tremendously revolutionize health care thus benefiting both hospitals, doctors and patients. In this context, protecting the IoT in health care against interference, including service attacks and malwares, is challenging. Opacity is a confidentiality property capturing a system's ability to keep a subset of its behavior hidden from passive observers. In this work, we seek to introduce an IoT-based heart attack detection system, that could be life-saving for patients without risking their need for privacy through the verification and enforcement of opacity. Our main contributions are the use of a tool to verify opacity in three of its forms, so as to detect privacy leaks in our system. Furthermore, we develop an efficient, Symbolic Observation Graph (SOG)-based algorithm for enforcing opacity

An LTL Semantics of Business Workflows with Recovery

We describe a business workflow case study with abnormal behavior management (i.e. recovery) and demonstrate how temporal logics and model checking can provide a methodology to iteratively revise the design and obtain a correct-by construction system. To do so we define a formal semantics by giving a compilation of generic workflow patterns into LTL and we use the bound model checker Zot to prove specific properties and requirements validity. The working assumption is that such a lightweight approach would easily fit into processes that are already in place without the need for a radical change of procedures, tools and people's attitudes. The complexity of formalisms and invasiveness of methods have been demonstrated to be one of the major drawback and obstacle for deployment of formal engineering techniques into mundane projects

On the Computability of Agent-Based Workflows

Workflow research is commonly concerned with optimization, modeling, and dependency. In this research, we however address a more fundamental issue. By modeling humans and machines as agents and making use of a theoretical computer and statecharts, we prove that many workflow problems do not have computer-based solutions. We also demonstrate a sufficient condition under which computers are able to solve these problems. We end by discussing the relationships between our research and Petri Nets, the multi-agent framework in the literature, linear programming and workflow verification