Diagnostic Information for Control-Flow Analysis of Workflow Graphs - - PowerPoint PPT Presentation

SLIDE 1

Diagnostic Information for Control-Flow Analysis of Workflow Graphs (aka Free-Choice Workflow Nets)

Cédric Favre(1,2), Hagen Völzer(1), Peter Müller(2) (1) IBM Research - Zurich (2) ETH Zurich

SLIDE 2

Outline

  • Problem
    • Control-flow analysis of business process models
  • Contribution
    • Graphical in-model diagnostic information for control-flow errors
  • Conclusion and Outlook

SLIDE 3

A Business Process Model (1/2)

SLIDE 4

A Business Process Model (2/2)

  • Usage of a business process model
    • Execution on a process engine
    • Simulation
    • Documentation
  • Up to 50% of the processes contain a control-flow error

SLIDE 5

Workflow Graph and Corresponding Free-Choice Workflow Net

  • Workflow graph
    • control-flow graph (flow chart) with a unique source and a unique sink
    • concurrent fork and join (besides alternative choice and merge)
    • maps the core of process languages, but not all

SLIDE 6

Control-Flow Errors / Soundness

  • (Local) deadlock
    • a token blocked in the graph
  • Lack of synchronization
    • two tokens on one edge
    • aka unsafeness
  • Sound
    • no deadlock and
    • no lack of synchronization
  • Soundness guarantees that the workflow terminates with a unique token on the sink (when loops are terminating)

Figure labels: XOR-split, XOR-join, AND-join, AND-split

SLIDE 7

Simplest Examples

Figure labels: Sound, Unsound

SLIDE 8

A Complex Sound Example

SLIDE 9

Workflow Graph and Corresponding Free-Choice Workflow Net

  • A workflow graph is sound iff the connected version of the corresponding Petri net is
    • safe = no two tokens on the same place, and
    • live = from each reachable marking, for each transition t, a marking can be reached that enables t
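As an added example (not part of the slides or the authors' tool), here is the state-space approach that slides 6 and 10 describe, in Python. A workflow graph is encoded as a small Petri net, transitions for the graph's nodes and places for its edges, with source place "i" and sink place "o"; the three nets SOUND, DEADLOCK and UNSAFE, and all their names, are constructed for this example and are exactly the "simplest examples" of slide 7. The net is explored breadth-first from the initial marking until either two tokens sit on one place (lack of synchronization) or a marking other than "one token on the sink" has nothing left to fire (deadlock). It checks the two error kinds of slide 6 on the workflow net directly rather than liveness of the connected net; the firing sequence it returns is the counterexample trace that slide 10 lists as the diagnostic information of prior work.

```python
from collections import deque

# Added example (not from the slides): a workflow graph as a Petri net, checked by
# state-space exploration as on slide 6. Transitions are the graph's nodes, places its
# edges; "i" is the source place and "o" the sink. All nets below are constructed.
# Each transition maps to (input places, output places).

SOUND = {  # AND-split, two parallel tasks, AND-join
    "and_split": (["i"], ["p1", "p2"]),
    "a": (["p1"], ["p3"]),
    "b": (["p2"], ["p4"]),
    "and_join": (["p3", "p4"], ["o"]),
}

DEADLOCK = {  # XOR-split into an AND-join: one input of the join never gets a token
    "xor_left": (["i"], ["p1"]),
    "xor_right": (["i"], ["p2"]),
    "and_join": (["p1", "p2"], ["o"]),
}

UNSAFE = {  # AND-split into an XOR-join: the sink ends up with two tokens
    "and_split": (["i"], ["p1", "p2"]),
    "xor_join_left": (["p1"], ["o"]),
    "xor_join_right": (["p2"], ["o"]),
}


def enabled(net, marking):
    """Transitions whose input places all hold a token under `marking`."""
    return [t for t, (ins, _) in net.items() if all(marking.get(p, 0) > 0 for p in ins)]


def fire(net, marking, t):
    """Marking reached by firing the enabled transition t (empty places are dropped)."""
    ins, outs = net[t]
    m = dict(marking)
    for p in ins:
        m[p] -= 1
    for p in outs:
        m[p] = m.get(p, 0) + 1
    return {p: c for p, c in m.items() if c > 0}


def check_soundness(net, source="i", sink="o"):
    """Breadth-first exploration from the initial marking {source: 1}.

    Returns ("sound", None), or (error kind, firing sequence that leads to it):
    "lack of synchronization" = two tokens on one place, "deadlock" = a marking other
    than {sink: 1} in which nothing can fire. Stopping at the first unsafe marking also
    keeps the exploration finite for unbounded nets.
    """
    start = {source: 1}
    queue = deque([(start, [])])
    seen = {tuple(sorted(start.items()))}
    while queue:
        marking, trace = queue.popleft()
        if any(c > 1 for c in marking.values()):
            return "lack of synchronization", trace
        fireable = enabled(net, marking)
        if not fireable:
            if marking == {sink: 1}:
                continue  # proper termination: one token on the sink, nothing else
            return "deadlock", trace
        for t in fireable:
            nxt = fire(net, marking, t)
            key = tuple(sorted(nxt.items()))
            if key not in seen:
                seen.add(key)
                queue.append((nxt, trace + [t]))
    return "sound", None


if __name__ == "__main__":
    for name, net in (("SOUND", SOUND), ("DEADLOCK", DEADLOCK), ("UNSAFE", UNSAFE)):
        print(name, check_soundness(net))
```

The returned trace already shows the weakness slide 10 points out: for UNSAFE it is one arbitrary interleaving of the two branches, and on a larger model it would carry every unrelated step taken before the error, which is what the graphical patterns of the following slides avoid.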

SLIDE 10

Prior Work

  • Approaches based on free-choice Petri net theory
    • polynomial time complexity (!)
    • no diagnostic information
  • Approaches based on state space exploration
    • state space explosion (can be successfully addressed)
    • provide a counterexample trace as diagnostic information
      • detours and build-up in the trace that do not contribute to the error (esp. with DFS)
      • arbitrary interleaving
      • difficult to visualize in the model in case of loops
    • Fahland, Lohmann [12]: heuristics can reduce the size of the trace by a factor of 10
    • not all modelers have a technical background

SLIDE 11

Anti-Patterns

  • Modeling manuals show anti-patterns in terms of instructive examples

SLIDE 12

Problem

  • Can we build graphical diagnostic information such that:
    • every error pattern implies unsoundness,
    • unsoundness implies the existence of one of the error patterns, and
    • the patterns capture the essence of these simple examples?

SLIDE 13

Outline

  • Problem
  • Contribution
  • Conclusion and Outlook

SLIDE 14

Contribution

  • New characterization of soundness in terms of offending graph structures, and
  • Polynomial-time algorithm that returns one of the graph structures for each unsound graph
  • Experimental evaluation

SLIDE 15

Overview Error Patterns

Figure labels: path to sink with AND-XOR handle; empty siphon; DQ-siphon with XOR-AND handle

SLIDE 16

Handle

  • A handle on a subgraph G is a directed path from an element a of G to another element b of G that is disjoint from G apart from its start and end
  • AND-XOR handle refers to the logic of the start and end nodes

SLIDE 17

Error Patterns (1/3)

Figure label: path from some node to the sink with an AND/XOR handle

SLIDE 18

Siphon

  • A subgraph G such that each transition that adds a token to G also takes a token from G
    • for an XOR node in G, all incoming edges belong to G
    • for an AND node in G, at least one incoming edge belongs to G
  • An empty siphon will remain empty

SLIDE 19

Error Patterns (2/3)

Figure: a siphon that does not contain the source (labelled "empty")

SLIDE 20

DQ Siphon

  • A DQ-siphon is a siphon G such that no AND-split has more than one outgoing edge in G
    • the number of tokens in G is always 1 or less

Figure label: Not a DQ-siphon

SLIDE 21

Error Patterns (3/3)

Figure label: a DQ-siphon with an XOR/AND handle

SLIDE 22

Structural characterization of soundness

  • A workflow graph is unsound iff one of the following statements holds:
    1. There exists a siphon that is not initially marked
    2. There exists a DQ-siphon with an XOR/AND handle
    3. There exists a simple path to the sink with an AND/XOR handle
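An added example, not from the slides or the authors' implementation, for the siphon definition of slide 18 and for pattern 1 of the characterization above. The net encoding (transition -> (input places, output places), source place "i" holding the only initial token, and the constructed nets SOUND, UNMARKED_LOOP and DEADLOCK) is an assumption of this example. `is_siphon` is the slide 18 definition in Petri-net terms; `empty_siphon` computes the largest siphon that avoids the source with the standard removal fixpoint, which runs in polynomial time, so a non-empty result is pattern 1 and the returned set of places is the in-model diagnostic. It covers pattern 1 only; DEADLOCK is unsound but yields an empty set, because patterns 2 and 3 are needed for it.

```python
# Added example (not from the slides): error pattern 1, a siphon that is not initially
# marked, checked structurally on a workflow net given as transition -> (inputs, outputs).
# Source place "i" carries the only initial token. All nets here are constructed.


def places_of(net):
    """All places mentioned by any transition."""
    places = set()
    for ins, outs in net.values():
        places.update(ins)
        places.update(outs)
    return places


def is_siphon(net, places):
    """Slide 18's definition in Petri-net terms: every transition that puts a token
    into the set also takes one out of it (the empty set is trivially a siphon)."""
    s = set(places)
    return all(not (set(outs) & s) or bool(set(ins) & s) for ins, outs in net.values())


def largest_siphon_within(net, candidate):
    """Largest siphon contained in `candidate` (the union of siphons is a siphon, so it
    exists). A place fed by a transition that takes no token from the current set can
    belong to no siphon inside it, so drop such places until nothing changes."""
    s = set(candidate)
    changed = True
    while changed:
        changed = False
        for ins, outs in net.values():
            if set(ins) & s:
                continue  # this transition takes a token from s: harmless
            fed_from_outside = set(outs) & s
            if fed_from_outside:
                s -= fed_from_outside
                changed = True
    return s


def empty_siphon(net, source="i"):
    """Error pattern 1: the largest siphon that does not contain the source.
    Non-empty result: the pattern holds (slide 18: an empty siphon stays empty, so every
    transition consuming from it is dead) and slide 22 says the graph is unsound.
    Empty result: pattern 1 is absent; patterns 2 and 3 may still apply."""
    return largest_siphon_within(net, places_of(net) - {source})


SOUND = {  # AND-split, two parallel tasks, AND-join
    "and_split": (["i"], ["p1", "p2"]),
    "a": (["p1"], ["p3"]),
    "b": (["p2"], ["p4"]),
    "and_join": (["p3", "p4"], ["o"]),
}

# A loop entered only through an AND-join whose second input is fed from inside the
# loop: places p2 and p3 can never receive a token, so {p2, p3, o} is an unmarked siphon.
UNMARKED_LOOP = {
    "a": (["i"], ["p1"]),
    "and_join": (["p1", "p2"], ["p3"]),
    "and_split": (["p3"], ["p2", "o"]),
}

# XOR-split into an AND-join: unsound (it deadlocks), yet no unmarked siphon exists;
# the other two patterns of slide 22 are what covers this graph.
DEADLOCK = {
    "xor_left": (["i"], ["p1"]),
    "xor_right": (["i"], ["p2"]),
    "and_join": (["p1", "p2"], ["o"]),
}


if __name__ == "__main__":
    for name, net in (("SOUND", SOUND), ("UNMARKED_LOOP", UNMARKED_LOOP), ("DEADLOCK", DEADLOCK)):
        print(name, sorted(empty_siphon(net)))
```

Because the result is a set of places, i.e. edges of the workflow graph, it can be highlighted directly in the model, which is the kind of diagnostic the slides argue for instead of a trace.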

SLIDE 23

Strongly Related to and Making Use of

  • Esparza/Silva [9] characterization:
    • A strongly connected free-choice net is safe and live iff none of the following exist:
      • an empty siphon
      • a circuit with a T/P handle
      • a circuit with a P/T handle without bridges

SLIDE 24

Contribution

  • New characterization of soundness in terms of offending graph structures, and
  • Polynomial-time algorithm that returns one of the graph structures for each unsound graph
  • Experimental evaluation

SLIDE 25

Known Algorithm - Based on the Rank Theorem

Flowchart: check for empty siphons → decomposition into S-components → check rank equation. Each step can exit with "unsound"; passing all three yields "sound".

SLIDE 26

New Algorithm

Flowchart: check for empty siphons (exit "empty" → unsound) → reduce & decompose into S-components (exit "sound" or "unsound"). The decomposition and rank-equation boxes of the known algorithm are shown alongside for comparison.

SLIDE 27

Decomposition into S-Components

  • A sound graph is decomposable into sequential components
  • Each S-component always has exactly one token
  • The decomposition can be computed in polynomial time

SLIDE 28

Another Sound Example

SLIDE 29

A Minimal Siphon Generates an S-component (in a Sound Graph)

  • A minimal siphon that is not an S-component contains: (see figure)
  • From which we obtain an error pattern: (see figure)

SLIDE 30

New Algorithm

Flowchart: check for empty siphons (exit "empty" → unsound) → reduce & decompose into S-components (exit "sound" or "unsound").

SLIDE 31

New Algorithm

Flowchart: check for empty siphons (exit "empty" → unsound) → reduce & decompose into S-components (exit "sound" or "unsound").

SLIDE 32

Lucky Decomposition Failure of an Unsound Graph

SLIDE 33

Unlucky Decomposition Success of the Same Graph

SLIDE 34

A Reduction Step

SLIDE 35

Decomposition Failure on Reduced Graph

Figure labels: decomposition failure → error pattern generated → error pattern in original graph

SLIDE 36

Algorithm - Conclusion

  • Prove that reduction eventually leads to a graph that is not decomposable
  • Prove that error patterns in the reduced graph are valid in the original (unreduced) graph

Soundness of N can be decided in time O(|P|^2 · max(|P|,|T|)^3) such that the algorithm returns one of the structural error patterns in case N is unsound.

SLIDE 37

Contribution

  • New characterization of soundness in terms of offending graph structures, and
  • Polynomial-time algorithm that returns one of the graph structures for each unsound graph
  • Experimental evaluation

SLIDE 38

Experimental Evaluation - Data Set

  • 1353 (703 unique original) business process models from the financial domain
    • Average number of nodes between 89 and 107 per library
    • Several large nets with up to 627 nodes
    • 47 nets from library B3 have 200 or more nodes
    • Some models have state spaces with more than 1 million states
  • We validated the correctness of the results with other model checkers

SLIDE 39

Results

  • Fast enough to support demanding use cases
    • checking while modeling
    • checking while loading entire libraries into the workspace
  • 2-6 times faster than some state space exploration approaches
    • but those were already fast enough for most use cases

SLIDE 40

Visualization in Modeling Tool

SLIDE 41

Outline

  • Problem
  • Contribution
  • Conclusion and Outlook

SLIDE 42

Conclusion

  • Graphical in-model diagnostic information can be
    • obtained in polynomial time
    • avoiding some problems of traces
  • Limited expressiveness of free-choice (e.g. no races) allows for polynomial-time verification
    • sufficient for the data set in the case study
    • still applicable in more expressive BPMN models
  • Can be combined with SESE decomposition for further error localization (and speed-up)

SLIDE 43

SESE Decomposition

  • Can be done in linear time
  • Soundness is compositional w.r.t. SESE blocks
  • Errors can be localized to a SESE block

SLIDE 44

What is still missing

  • User study
  • Soundness under data (except one first paper)
  • Control-flow errors due to message/event passing across processes (orthogonal)
