Diagnostic Information for Control-Flow Analysis of Workflow Graphs (aka Free-Choice Workflow Nets)
Cédric Favre (1,2), Hagen Völzer (1), Peter Müller (2)
(1) IBM Research - Zurich
(2) ETH Zurich
Outline
- Problem: control-flow analysis of business process models
- Contribution: graphical in-model diagnostic information for control-flow errors
- Conclusion and Outlook
A Business Process Model (1/2)
A Business Process Model (2/2)
Usage of a business process model:
- Execution on a process engine
- Simulation
- Documentation
Up to 50% of the processes contain a control-flow error.
Workflow Graph and Corresponding Free-Choice Workflow Net
Workflow graph:
- control flow graph (flow chart) with unique source and sink
- concurrent fork and join (besides alternative choice and merge)
- maps the core of process languages, but not all
Control-Flow Errors / Soundness
(Local) Deadlock
- a token blocked in the graph
[figure labels: XOR-split, XOR-join]
Lack of synchronization
- two tokens on one edge
- aka unsafeness
[figure labels: AND-split, AND-join]
Sound
- no deadlock, and
- no lack of synchronization
- Soundness guarantees that the workflow terminates with a unique token on the sink (when loops are terminating).
Simplest Examples
[figures: Sound; Unsound]
A Complex Sound Example
Workflow Graph and Corresponding Free-Choice Workflow Net
A workflow graph is sound iff the connected version of the corresponding Petri net is
- safe = no two tokens on the same place, and
- live = from each reachable marking, for each transition t, a marking can be reached that enables t.
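The two error kinds defined above (a blocked token, and two tokens on one edge) can be checked on the simplest examples by brute force. The following added example, which is not code from the slides or the authors' tool, models a workflow graph with tokens on edges and explores its state space breadth-first, in the style of the state-space approaches the talk contrasts its own method with. Node kinds (`source`, `sink`, `task`, `xor_split`, `xor_join`, `and_split`, `and_join`) and the three constructed graphs (a fork matched by an AND-join, a choice feeding an AND-join, a fork feeding a XOR-join) are this example's own assumptions; the search stops at the first error and is bounded because every edge is allowed at most one token.

```python
from collections import Counter, deque

# Added example (not from the slides): a workflow graph with tokens on edges
# and a brute-force search for the errors defined above: deadlock (a token
# is stuck, nothing can fire) and lack of synchronization (two tokens on
# one edge).  Node kinds are an assumption of this example.

def build(kinds, edges):
    """Return (kinds, incoming-edge lists, outgoing-edge lists) per node."""
    preds = {n: [] for n in kinds}
    succs = {n: [] for n in kinds}
    for u, v in edges:
        succs[u].append((u, v))
        preds[v].append((u, v))
    return kinds, preds, succs

def enabled_firings(graph, marking):
    """Yield (consumed_edges, produced_edges) for every enabled node and choice."""
    kinds, preds, succs = graph
    for n, kind in kinds.items():
        if kind in ("source", "sink"):
            continue                       # source only seeds the initial marking
        ins, outs = preds[n], succs[n]
        if kind == "and_join":             # needs a token on every incoming edge
            if all(marking[e] > 0 for e in ins):
                yield ins, outs
        elif kind == "xor_join":           # any one incoming token passes through
            for e in ins:
                if marking[e] > 0:
                    yield [e], outs
        elif kind == "xor_split":          # one token in, exactly one outgoing edge chosen
            if marking[ins[0]] > 0:
                for o in outs:
                    yield [ins[0]], [o]
        else:                              # task or and_split: one in, token on all outs
            if marking[ins[0]] > 0:
                yield [ins[0]], outs

def check_soundness(graph):
    """Return ('sound', None), ('deadlock', marking) or ('lack of synchronization', marking)."""
    kinds, preds, succs = graph
    source = next(n for n, k in kinds.items() if k == "source")
    sink = next(n for n, k in kinds.items() if k == "sink")
    final = frozenset(Counter(preds[sink]).items())   # one token on the edge into the sink
    initial = Counter(succs[source])                  # one token on the edge out of the source
    seen = {frozenset(initial.items())}
    queue = deque([initial])
    while queue:
        m = queue.popleft()
        firings = list(enabled_firings(graph, m))
        if not firings and frozenset(m.items()) != final:
            return "deadlock", dict(m)                # tokens left over, nothing can fire
        for consume, produce in firings:
            nm = m.copy()
            for e in consume:
                nm[e] -= 1
            for e in produce:
                nm[e] += 1
            nm = +nm                                  # drop edges whose count reached zero
            if any(c > 1 for c in nm.values()):
                return "lack of synchronization", dict(nm)   # two tokens on one edge
            key = frozenset(nm.items())
            if key not in seen:
                seen.add(key)
                queue.append(nm)
    return "sound", None

# Constructed sample graphs: source s, split F, tasks t1/t2, join J, sink e.
def _example(split, join):
    kinds = {"s": "source", "F": split, "t1": "task", "t2": "task", "J": join, "e": "sink"}
    return build(kinds, [("s", "F"), ("F", "t1"), ("F", "t2"),
                         ("t1", "J"), ("t2", "J"), ("J", "e")])

SOUND = _example("and_split", "and_join")      # fork matched by a synchronizing join
DEADLOCK = _example("xor_split", "and_join")   # choice then AND-join: one branch waits forever
UNSAFE = _example("and_split", "xor_join")     # fork then XOR-join: two tokens reach (J, e)

if __name__ == "__main__":
    for name, g in (("SOUND", SOUND), ("DEADLOCK", DEADLOCK), ("UNSAFE", UNSAFE)):
        print(name, check_soundness(g))
```

The returned marking is the kind of counterexample the talk criticises as diagnostic information: it says which edges hold tokens at the point of failure, but not which graph structure caused it.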
Prior Work
Approaches based on free-choice Petri net theory:
- polynomial time complexity (!)
- no diagnostic information
Approaches based on state space exploration:
- state space explosion (can be successfully addressed)
- provide a counterexample trace as diagnostic information
  - detours/build-up not contributing to the error (esp. DFS)
  - arbitrary interleaving
  - difficult to visualize in the model in case of loops
  - Fahland, Lohmann [12]: heuristics can reduce the size of the trace by a factor of 10
  - not all modelers have a technical background
Anti-Patterns
Modeling manuals show anti-patterns in terms of instructive examples.
Problem
Can we build graphical diagnostic information such that:
- every error pattern implies unsoundness,
- unsoundness implies the existence of one of the error patterns, and
- the patterns capture the essence of these simple examples?
Contribution
- New characterization of soundness in terms of offending graph structures, and
- Polynomial-time algorithm that returns one of the graph structures for each unsound graph
- Experimental evaluation
Overview of Error Patterns
- Path to sink with AND-XOR handle
- Empty siphon
- DQ-siphon with XOR-AND handle
Handle
A handle on a subgraph G is a directed path from an element a of G to another element b of G that is disjoint from G apart from its start and end.
[figure: G, G]
"AND-XOR handle" refers to the logic of the start and end node.
Error Patterns (1/3)
Path from some node to the sink with an AND/XOR handle
Siphon
A subgraph G such that each transition that adds a token to G also takes a token from G:
- with an XOR node in G, all incoming edges belong to G
- with an AND node in G, at least one incoming edge belongs to G
An empty siphon will remain empty.
Error Patterns (2/3)
Empty siphon: a siphon that does not contain the source
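The siphon condition ("each transition that adds a token to G also takes a token from G") can be checked directly on a Petri net, and the largest siphon inside the set of unmarked places is found by repeatedly discarding places that violate it. The following added example, not code from the slides or the authors' tool, does that on nets written as `transition -> (input places, output places)`, then shrinks the result to a minimal siphon; the two constructed nets (a straight line, and an AND-join that waits for a token that only its own loop-back can produce) are this example's own assumptions.

```python
# Added example (not from the slides): siphon test and empty-siphon search.
# Net representation (assumption of this example):
#   net[t] = (set of input places of t, set of output places of t)
# Q is a siphon iff every transition with an output place in Q also has an
# input place in Q; a siphon holding no token can therefore never gain one.

def is_siphon(net, places):
    q = set(places)
    return all(not (post & q) or (pre & q) for pre, post in net.values())

def largest_siphon_within(net, candidates):
    """Largest siphon contained in `candidates` (empty set if there is none).
    A place fed by a transition that takes nothing from the current set
    cannot be in any siphon inside that set, so it is discarded."""
    q = set(candidates)
    changed = True
    while changed:
        changed = False
        for pre, post in net.values():
            if post & q and not (pre & q):
                q -= post
                changed = True
    return q

def shrink_to_minimal(net, siphon):
    """Greedily drop places as long as a non-empty siphon survives inside the rest."""
    q = set(siphon)
    progress = True
    while progress:
        progress = False
        for p in sorted(q):
            smaller = largest_siphon_within(net, q - {p})
            if smaller:
                q, progress = smaller, True
                break
    return q

def find_empty_siphon(net, marked):
    """Return a minimal siphon holding no token in the initial marking, or None.
    On a workflow net with the source place as the only marked place this is
    error pattern (2/3): a siphon that does not contain the source."""
    places = set().union(*(pre | post for pre, post in net.values()))
    q = largest_siphon_within(net, places - set(marked))
    return shrink_to_minimal(net, q) if q else None

# Constructed sample nets; i is the source place, o the sink place.
OK_NET = {"a": ({"i"}, {"p1"}), "b": ({"p1"}, {"o"})}      # i -a-> p1 -b-> o
LOOP_NET = {                                                # AND-join j needs p2, but p2 is
    "a": ({"i"}, {"p1"}),                                   # only filled by c, which runs
    "j": ({"p1", "p2"}, {"p4"}),                            # after j: {p2, p4} stays empty
    "b": ({"p4"}, {"o"}),
    "c": ({"p4"}, {"p2"}),
}

if __name__ == "__main__":
    print(find_empty_siphon(OK_NET, {"i"}))     # None
    print(find_empty_siphon(LOOP_NET, {"i"}))   # {'p2', 'p4'}
```

Unlike a counterexample trace, the returned place set is itself the diagnostic: highlighting those places in the model shows the structure that can never be marked.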
DQ Siphon
A DQ-siphon is a siphon G such that no AND-split has more than one outgoing edge in G.
The number of tokens in a DQ-siphon is always 1 or less.
[figure: Not a DQ-siphon]
Error Patterns (3/3)
A DQ siphon with an XOR/AND handle
Structural Characterization of Soundness
A workflow graph is unsound iff one of the following statements holds:
1. There exists a siphon that is not initially marked.
2. There exists a DQ siphon with an XOR/AND handle.
3. There exists a simple path to the sink with an AND/XOR handle.
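Statement 3 (and error pattern 1/3) can be searched for on a small workflow graph by taking each simple path to the sink and looking for a handle that starts at a node with AND logic and ends at a node with XOR logic. The following added example, not code from the slides or the authors' tool, does this with exhaustive path enumeration plus a breadth-first walk outside the path; it is exponential in the worst case, unlike the polynomial algorithm of the talk, and serves only to make the definition concrete. The node kinds and the three constructed graphs are this example's assumptions; note that the choice-then-AND-join graph is unsound without matching this pattern, which is why the characterization needs the siphon-based statements too.

```python
from collections import deque

# Added example (not from the slides): find "a simple path to the sink with an
# AND/XOR handle".  A handle on path P is a directed path from a node a on P
# to a different node b on P whose interior nodes and edges lie outside P;
# it is an AND/XOR handle when a has AND logic and b has XOR logic.

AND_LOGIC = {"and_split", "and_join"}
XOR_LOGIC = {"xor_split", "xor_join"}

def successors(edges):
    succ = {}
    for u, v in edges:
        succ.setdefault(u, []).append(v)
        succ.setdefault(v, [])
    return succ

def simple_paths(succ, start, goal):
    """Yield every simple path from start to goal (exhaustive, small graphs only)."""
    stack = [(start, [start])]
    while stack:
        node, path = stack.pop()
        if node == goal:
            yield path
            continue
        for nxt in succ[node]:
            if nxt not in path:
                stack.append((nxt, path + [nxt]))

def find_handle(kinds, succ, path):
    """Return an AND/XOR handle [a, ..., b] on `path`, or None."""
    on_path = set(path)
    path_edges = set(zip(path, path[1:]))
    for a in path:
        if kinds[a] not in AND_LOGIC:
            continue
        queue = deque([(a, [a])])       # BFS from a through nodes outside the path
        visited = {a}
        while queue:
            node, walk = queue.popleft()
            for nxt in succ[node]:
                if (node, nxt) in path_edges:
                    continue                 # the path's own edges are not a handle
                if nxt in on_path:
                    if nxt != a and kinds[nxt] in XOR_LOGIC:
                        return walk + [nxt]  # re-enters the path at a XOR node
                    continue                 # other path nodes may not be crossed
                if nxt not in visited:
                    visited.add(nxt)
                    queue.append((nxt, walk + [nxt]))
    return None

def find_path_with_and_xor_handle(kinds, edges):
    """Return (path, handle) for a simple path to the sink with an AND/XOR
    handle, or None when the graph has no such pattern."""
    succ = successors(edges)
    sink = next(n for n, k in kinds.items() if k == "sink")
    for start in kinds:
        for path in simple_paths(succ, start, sink):
            handle = find_handle(kinds, succ, path)
            if handle:
                return path, handle
    return None

# Constructed sample graphs: source s, split F, tasks t1/t2, join J, sink e.
def _example(split, join):
    kinds = {"s": "source", "F": split, "t1": "task", "t2": "task", "J": join, "e": "sink"}
    edges = [("s", "F"), ("F", "t1"), ("F", "t2"), ("t1", "J"), ("t2", "J"), ("J", "e")]
    return kinds, edges

SOUND = _example("and_split", "and_join")
UNSAFE = _example("and_split", "xor_join")     # fork whose branches merge at a XOR-join
DEADLOCK = _example("xor_split", "and_join")   # unsound, but not via this pattern

if __name__ == "__main__":
    print(find_path_with_and_xor_handle(*UNSAFE))    # path via one branch, handle via the other
    print(find_path_with_and_xor_handle(*SOUND))     # None
    print(find_path_with_and_xor_handle(*DEADLOCK))  # None
```

For the fork/XOR-join graph the function returns the path through one branch and the handle `F -> t1 -> J` through the other, which is exactly the subgraph a modeling tool would highlight as the cause of the lack of synchronization.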
Strongly Related to and Making Use of
Esparza/Silva [9] characterization:
- A strongly connected free-choice net is safe and live iff none of the following exist:
  - an empty siphon
  - a circuit with a T/P handle
  - a circuit with a P/T handle without bridges
Known Algorithm - Based on the Rank Theorem
[flowchart]
1. Check for empty siphons (one found: unsound)
2. Decomposition into S-components (fails: unsound)
3. Check rank equation (fails: unsound; holds: sound)
New Algorithm
[flowchart]
1. Check for empty siphons (one found: report the empty siphon)
2. Decomposition into S-components
3. Check rank equation (holds: sound; fails: unsound)
4. If unsound: reduce & decompose into S-components
Decomposition into S-Components
- A sound graph is decomposable into sequential components.
- Each S-component always has exactly one token.
- The decomposition can be computed in polynomial time.
Another Sound Example
A Minimal Siphon Generates an S-Component (in a Sound Graph)
A minimal siphon that is not an S-component contains: [figure] or [figure]
From which we obtain an error pattern: [figure]
Lucky Decomposition Failure of an Unsound Graph
Unlucky Decomposition Success of the Same Graph
A Reduction Step
Decomposition Failure on Reduced Graph
[figures: Decomposition failure -> Error pattern generated -> Error pattern on original graph]
Algorithm - Conclusion
- Prove that reduction eventually leads to a graph that is not decomposable.
- Prove that error patterns in the reduced graph are valid in the original (unreduced) graph.
Soundness of N can be decided in time O(|P|^2 * max(|P|, |T|)^3) such that the algorithm returns one of the structural error patterns in case N is unsound.
Experimental Evaluation - Data Set
- 1353 (703 unique original) business process models from the financial domain
- Average number of nodes between 89 and 107 per library
- Several large nets with up to 627 nodes
- 47 nets from library B3 have 200 or more nodes
- Some models have state spaces with more than 1 million states
- We validated the correctness of the results with other model checkers
Results
- Fast enough to support demanding use cases:
  - checking while modeling
  - checking while loading entire libraries into the workspace
- 2-6 times faster than some state space exploration approaches
  - but those were already fast enough for most use cases
Visualization in Modeling Tool
Conclusion
- Graphical in-model diagnostic information can be obtained in polynomial time, avoiding some problems of traces
- Limited expressiveness of free-choice (e.g. no races) allows for polynomial-time verification
  - sufficient for the data set in the case study
  - still applicable in more expressive BPMN models
- Can be combined with SESE decomposition for further error localization (and speed-up)
SESE Decomposition
- Can be done in linear time
- Soundness is compositional wrt SESE blocks
- Errors can be localized to a SESE block
What Is Still Missing
- User study
- Soundness under data (except one first paper)
- Control-flow errors due to message/event passing across processes (orthogonal)