Diagnostic Information for Control-Flow Analysis of Workflow Graphs (aka Free-Choice Workflow Nets) - Cédric Favre (1,2), Hagen Völzer (1), Peter Müller (2)

Presentation transcript:

Slide 1: Diagnostic Information for Control-Flow Analysis of Workflow Graphs (aka Free-Choice Workflow Nets)
Cédric Favre (1,2), Hagen Völzer (1), Peter Müller (2)
(1) IBM Research - Zurich
(2) ETH Zurich

Slide 2: Outline
Problem
- Control-flow analysis of business process models
Contribution
- Graphical in-model diagnostic information for control-flow errors
Conclusion and Outlook

Slide 3: A Business Process Model (1/2)
[Figure: example business process model]

Slide 4: A Business Process Model (2/2)
Usage of a business process model:
- Execution on a process engine
- Simulation
- Documentation
Up to 50% of the processes contain a control-flow error.

Slide 5: Workflow Graph and Corresponding Free-Choice Workflow Net
Workflow graph:
- control flow graph (flow chart) with unique source and sink
- concurrent fork and join (besides alternative choice and merge)
- maps the core of process languages, but not all

Slide 6: Control-Flow Errors / Soundness
(Local) Deadlock
- A token blocked in the graph
Lack of synchronization
- Two tokens on one edge
- aka unsafeness
Sound
- no deadlock, and
- no lack of synchronization
- Soundness guarantees that the workflow terminates with a unique token on the sink (when loops are terminating)
[Figure legend: XOR-split, XOR-join, AND-join, AND-split]

Slide 7: Simplest Examples
[Figure: a sound and an unsound example]

Slide 8: A Complex Sound Example

Slide 9: Workflow Graph and Corresponding Free-Choice Workflow Net
A workflow graph is sound iff the connected version of the corresponding Petri net is
- safe = no two tokens on the same place, and
- live = from each reachable marking, for each transition t, a marking can be reached that enables t

Slide 10: Prior Work
Approaches based on free-choice Petri net theory
- polynomial time complexity (!)
- no diagnostic information
Approaches based on state space exploration
- state space explosion (can be successfully addressed)
- provide a counterexample trace as diagnostic information:
  - detours/build-up not contributing to the error (esp. DFS)
  - arbitrary interleaving
  - difficult to visualize in the model in case of loops
  - Fahland, Lohmann [12]: heuristics can reduce the size of the trace by a factor of 10
  - not all modelers have a technical background

Slide 11: Anti-Patterns
Modeling manuals show anti-patterns in terms of instructive examples.

Slide 12: Problem
Can we build graphical diagnostic information such that:
- every error pattern implies unsoundness
- unsoundness implies the existence of one of the error patterns
- the patterns capture the essence of these simple examples

Slide 13: Outline
Problem
Contribution
Conclusion and Outlook

Slide 14: Contribution
New characterization of soundness in terms of offending graph structures, and
Polynomial-time algorithm that
- returns one of the graph structures for each unsound graph
Experimental evaluation

Slide 15: Overview of Error Patterns
- Path to sink with AND-XOR handle
- Empty siphon
- DQ-siphon with XOR-AND handle

Slide 16: Handle
A handle on a subgraph G is a directed path from an element a of G to another element b of G that is disjoint from G apart from its start and end.
"AND-XOR handle" refers to the logic of the start and end node.

Slide 17: Error Patterns (1/3)
Path from some node to the sink with an AND/XOR handle

Slide 18: Siphon
A subgraph G such that each transition that adds a token to G also takes a token from G:
- for an XOR node in G, all incoming edges belong to G
- for an AND node in G, at least one incoming edge belongs to G
An empty siphon will remain empty.

Slide 19: Error Patterns (2/3)
An empty siphon: a siphon that does not contain the source

Slide 20: DQ Siphon
A DQ-siphon is a siphon G such that no AND-split has more than one outgoing edge in G.
The number of tokens in a DQ-siphon is always 1 or less.
[Figure: a DQ-siphon, and a subgraph that is not a DQ-siphon]

Slide 21: Error Patterns (3/3)
A DQ-siphon with an XOR/AND handle

Slide 22: Structural characterization of soundness
A workflow graph is unsound iff one of the following statements holds:
1. There exists a siphon that is not initially marked.
2. There exists a DQ-siphon with an XOR/AND handle.
3. There exists a simple path to the sink with an AND/XOR handle.
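The siphon definition (slide 18) and error pattern 1 (an initially unmarked siphon) can be checked mechanically. The Python below is an added example, not code from the slides or the authors' tool: it assumes the usual encoding of a workflow graph as a Petri net (edges and XOR nodes become places, tasks and AND nodes become transitions), builds two small constructed nets, and computes the largest siphon among the initially unmarked places by the standard fixed-point elimination; a non-empty result is an empty siphon, so the graph is unsound.

```python
from typing import Dict, FrozenSet, Set, Tuple
# A net maps each transition name to (input places, output places).
Net = Dict[str, Tuple[FrozenSet[str], FrozenSet[str]]]

def places(net: Net) -> Set[str]:
    return {p for ins, outs in net.values() for p in ins | outs}

def pre_transitions(net: Net, place: str) -> Set[str]:
    """Transitions that add a token to `place`."""
    return {t for t, (_, outs) in net.items() if place in outs}

def is_siphon(net: Net, g: Set[str]) -> bool:
    """Slide 18: every transition adding a token to G must also take one from G."""
    return all(net[t][0] & g for p in g for t in pre_transitions(net, p))

def largest_siphon_within(net: Net, candidates: Set[str]) -> Set[str]:
    """Fixed point: repeatedly drop places fed by a transition that takes nothing
    from the current set. What remains is the largest siphon inside `candidates`."""
    s = set(candidates)
    changed = True
    while changed:
        changed = False
        for p in sorted(s):
            if any(not (net[t][0] & s) for t in pre_transitions(net, p)):
                s.discard(p)
                changed = True
    return s

def empty_siphon(net: Net, marking: Set[str]) -> Set[str]:
    """Error pattern 1: a siphon avoiding every initially marked place (the source).
    A non-empty result can never receive a token, so the workflow graph is unsound."""
    return largest_siphon_within(net, places(net) - marking)

def fs(*names: str) -> FrozenSet[str]:
    return frozenset(names)

# Constructed example: an AND-join (t2) whose second input p2 is only fed from
# inside the loop it guards, so {p2, p3, p4, o} is a siphon the source never marks.
UNSOUND: Net = {
    "t1": (fs("i"), fs("p1")),
    "t2": (fs("p1", "p2"), fs("p3")),   # AND-join
    "t3": (fs("p3"), fs("p2", "p4")),   # AND-split feeding the loop back
    "t4": (fs("p4"), fs("o")),
}
# Same net with the unreachable join input removed: no empty siphon remains.
SOUND: Net = {t: (ins - {"p2"}, outs - {"p2"}) for t, (ins, outs) in UNSOUND.items()}

if __name__ == "__main__":
    print("unsound:", sorted(empty_siphon(UNSOUND, {"i"})))  # ['o', 'p2', 'p3', 'p4']
    print("sound:", sorted(empty_siphon(SOUND, {"i"})))      # []
```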

Slide 23: Strongly Related to and Making Use of the Esparza/Silva [9] Characterization
A strongly connected free-choice net is safe and live iff none of the following exist:
- an empty siphon
- a circuit with a T/P handle
- a circuit with a P/T handle without bridges

Slide 24: Contribution
New characterization of soundness in terms of offending graph structures, and
Polynomial-time algorithm that
- returns one of the graph structures for each unsound graph
Experimental evaluation

Slide 25: Known Algorithm - Based on the Rank Theorem
[Flowchart: check for empty siphons -> decomposition into S-components -> check rank equation; outcomes: sound / unsound]

Slide 26: New Algorithm
[Flowchart: check for empty siphons; decomposition into S-components; check rank equation; reduce & decompose into S-components; outcomes: empty / sound / unsound]

Slide 27: Decomposition into S-Components
- A sound graph is decomposable into sequential components
- Each S-component always has exactly one token
- The decomposition can be computed in polynomial time

Slide 28: Another Sound Example

Slide 29: A Minimal Siphon Generates an S-Component (in a Sound Graph)
A minimal siphon that is not an S-component contains: [figure: one of two structures, "or"]
From which we obtain an error pattern: [figure]

Slide 32: Lucky Decomposition Failure of an Unsound Graph

Slide 33: Unlucky Decomposition Success of the Same Graph

Slide 34: A Reduction Step

Slide 35: Decomposition Failure on Reduced Graph
[Figure: decomposition failure -> error pattern generated -> error pattern on original graph]

Slide 36: Algorithm - Conclusion
- Prove that reduction eventually leads to a graph that is not decomposable
- Prove that error patterns in the reduced graph are valid in the original (unreduced) graph
Soundness of N can be decided in time O(|P|^2 * max(|P|,|T|)^3) such that the algorithm returns one of the structural error patterns in case N is unsound.

Slide 37: Contribution
New characterization of soundness in terms of offending graph structures, and
Polynomial-time algorithm such that
Experimental evaluation

Slide 38: Experimental Evaluation - Data Set
(703 unique original) business process models from the financial domain
- Average number of nodes between 89 and 107 per library
- Several large nets with up to 627 nodes
- 47 nets from library B3 have 200 or more nodes
- Some models have state spaces with more than 1 million states
- We validated the correctness of the results with other model checkers

Slide 39: Results
Fast enough to support demanding use cases
- checking while modeling
- checking while loading entire libraries into the workspace
2-6 times faster than some state space exploration approaches
- but those were already fast enough for most use cases

Slide 40: Visualization in Modeling Tool

Slide 41: Outline
Problem
Contribution
Conclusion and Outlook

Slide 42: Conclusion
Graphical in-model diagnostic information can be obtained in polynomial time
- avoiding some problems of traces
Limited expressiveness of free-choice graphs (e.g. no races) allows for polynomial-time verification
- sufficient for the data set in the case study
- still applicable in more expressive BPMN models
Can be combined with SESE decomposition for further error localization (and speed-up)

Slide 43: SESE Decomposition
- Can be done in linear time
- Soundness is compositional w.r.t. SESE blocks
- Errors can be localized to a SESE block

Slide 44: What is still missing
- User study
- Soundness under data (except one first paper)
- Control-flow errors due to message/event passing across processes (orthogonal)