Reconfiguration is achieved through use of. BPMN elements. ○ Verification of
required properties is achieved by the verification of the BPMN workflow.
MODEL CHECKING OF SERVICES WORKFLOW RECONFIGURATION: A PERSPECTIVE ON DEPENDABILITY 1
Juan Carlos Polanco Aguilar 1 Koji Hasebe 1 Manuel Mazzara 2 Kazuhiko Kato 1 1 University of Tsukuba – Department of Computer Science 2 Newcastle University – School of Computing Science
BACKGROUND WHAT IS WORKFLOW? • A workflow is a model defined by a series of tasks to produce an outcome. • Typical examples of workflow include: • Business office workflow. • Web services workflow. • Mobile workflow.
2
BACKGROUND AN EXAMPLE OF WORKFLOW User
Invoke Process
N User Response
Shop
Payment Company
Order Process
Process Payment
Payment Received Y 3
BUSINESS PROCESS MODELING NOTATION (BPMN) •
• •
•
•
Developed by Business Process Management Initiative (BPMI) in 2004 and maintained by the Object Management Group (OMG) from 2005. Current Version: 2.0 (March 2011). Widely used standard for business process modeling. Simple drawing scheme that is easy to learn and train. Portability for many software vendors implementation 4
EXAMPLE OF BPMN SPECIFICATION
5
WORKFLOW AS A SAFETY-CRITICAL SYSTEM ¢ Workflow
Internet shopping site. Office workflow.
¢ Safety
application examples
/ security problems
Leakage of Information. Impersonation. Design error and flow bugs.
6
REQUIREMENTS OF THE VERIFICATION PROCEDURE ¢ Reconfiguration
process is often applied in a
workflow. ¢ Safety / security properties might be compromised after reconfiguration (deadlock, security). ¢ Reconfiguration is achieved through use of BPMN elements. ¢ Verification of required properties is achieved by the verification of the BPMN workflow specification. 7
MOTIVATION ¢
Reconfiguration of workflow development and verification of requirements through research status.
Verification Procedure
Workflow
Requirements
Formal Language
Revision Verification tool Correct Workflow
8
PURPOSE ¢ Develop
a formal verification for reconfiguration of workflows.
Based on model checking technique (SPIN Model Checker).
Introduce a translation algorithm from a BPMN model into Promela code.
9
OVERVIEW OF THE VERIFICATION
Reconfigura7on
Step 1: Workflow reconfiguration to achieve flexibility.
Step 3: Model checking of the Promela model with a requirement expressed in Linear Temporal Logic (LTL) formulas. Step 4: Recursive reconfiguration to meet all the requirements.
New BPMN Diagram
Automa7c Transla7on Procedure
Formal Specifica7on of BPMN Model
Promela Model
SPIN Model Checker
Valid (BPMN model sa7sfies the requirement.)
Requirement (LTL Formula)
Revision
Step 2: Translation from the BPMN model into a formal Promela model (SPIN Specification Language).
Old BPMN Diagram
Verifica7on Procedure
Invalid (There is a counter example.)
10
OVERVIEW OF THE VERIFICATION–EXAMPLE: BOOKSHOP Bookshop
Client
Provider
11
STEP 1: WORKFLOW RECONFIGURATION
An Example of Requirements
• Client sends an order, the bookshop verifies supply in the warehouse and then sends the order to client.
12
STEP 1: WORKFLOW RECONFIGURATION Introduce a parallel branching
13
STEP 2: TRANSLATION PROCEDURE (1) OVERVIEW OF THE PROCEDURE ¢ Specification
of the BPMN diagram by using set theoretical notation. ¢ Develop and introduction of the translation algorithm by using primary elements obtained after specification. ¢ Modification of the translated model for a challenging verification. ¢ Procedure Limitations
Translation procedure not fully automated. After training on set theory basic concepts and Promela language, handling can be achieved. 14
STEP 2: TRANSLATION PROCEDURE (2) TRANSLATION APPLICATION EXAMPLE Labels e1
e2
t1
t3
t4
Partitioning of Workflow into processes
t2
t5
t8
t7
t6 t9
t10 t14
t12
t11
e3
t13
t15
t16
t17
t19
t18
e4
15
STEP 2: TRANSLATION PROCEDURE (2) TRANSLATION APPLICATION EXAMPLE t3
t4
t5
t8
t7
t6 t9
e3
t11
BPMN formal specification •Tasks = {t3,t4 , t5 , t6, t7, t8, t9, t11} •Events = {e3} •Objects ={e3, t3,t4 , t5 , t6, t7, t8, t9, t11} •Relation = {(t3, t6), (t6, t4), (t6, t5), (t5, t7) , (t5, t8), (t7, e3) , (t7, t9), (t9, t11)} •Connect = {(t4, e2), (t8, t2), (t11, t15)}
Translation Translation algorithm
for all a∈Connect(a,b) print “chan a[buf]” … for all (a,b)∈Connect(a,b) print “a!msg” print “a?msg” …
Primary Promela code
Complete Promela code chan t4[1] of mtype chan t8[1] of mtype
chan t4[1] of mtype chan t8[1] of mtype chan t11[1] of mtype
chan t11[1] of mtype bool flag1 = 0; bool flag2 = 0; bool flag3 = 0;
active proctype P4() { t1?msg; t4!msg; atomic{ t8!msg; t11!msg; } }
active proctype P3() { t1?msg; flag1= 1; t4!msg; atomic{ 16 t8!msg; flag2= 1; t11!msg; flag3= 1; } }
STEP 2: TRANSLATION PROCEDURE (3) COMPLETE PROMELA CODE mtype = {msg}; chan t1 = [1] of {mtype} chan e2 = [1] of {mtype} chan t4 = [1] of {mtype} chan t8 = [1] of {mtype} chan t11 = [1] of {mtype} chan t12 = [1] of {mtype} chan t13 = [1] of {mtype} chan t18= [1] of {mtype} chan t19 = [1] of {mtype} active proctype P1() { t1!msg; } active proctype P2() { e2?msg; } active proctype P3() { t8?msg; }
active proctype P4() { t1?msg; do t4!msg; atomic { t8!msg; t11!msg } od } active proctype P5() { do :: t12!msg; t13!msg; od } active proctype P6() { t4?msg; } active proctype P7() { t13?msg; t18!msg }
active proctype P8() { t12?msg; do :: t18!msg :: t19!msg od } active proctype P9() { t11?msg; } active proctype P10() { t18?msg; } active proctype P11() { t19?msg; } 17
STEP 2: TRANSLATION PROCEDURE (3) COMPLETE PROMELA CODE mtype = {msg, amount};
mtype chan t1 = = {msg}; [1] of {mtype}
chan e2 = [1] of {mtype} chan t4 chan t1==[1] [1]ofof{mtype} {mtype} chan t8 = [1] of {mtype} chan e2 = [1] of {mtype} chan = [1] [1] of chant16 t4 = of{int} {mtype} chan t11 = [1] of {mtype} chan t8 = [1] of {mtype} chan t12 = [1] of {mtype} chan t11 = [1] of {mtype} chan t13 = [1] of {mtype} chan t12 = {mtype} chan t18= [1][1] of of {mtype} chan t13==[1] [1]ofof {mtype} chan t19 {mtype}
chan t18= [1] of {mtype} chanflagA t19 = 0; [1] of {mtype} bool bool flagB = 0; bool flag1 =0; active proctype P1() bool flag2 =0; { t1!msg; bool flag3 =0; } bool flag4 =0; active proctype P2() bool flag5 =0; {bool e2?msg; flagX =0; }bool flagY = 0;
active proctype P3() active proctype P1() { t8?msg; }{ t1!msg; } active proctype P2() { e2?msg; }
active proctype P3() active proctype P4() { t8?msg; flagA = 1; {} t1?msg; do proctype P4() active { t1?msg; t4!msg;flag1 = 1 do atomic { t4!msg t8!msg; atomic{ t11!msg t8!msg; flag2=1; } t11!msg flag3=1; od } } od active proctype P5() } {active do proctype P5() {t16?amount; :: t12!msg; t13!msg; (amount >= 4000) -> od } t12!msg; flagX = 1 (amount < 4000) -> active proctype P6() t13!msg; flagY=1 { do t4?msg; } :: t12!msg; flag4= 1 active proctype P7() :: t13!msg; flag5= 1 { od } t13?msg; t18!msg }active proctype P6() { t4?msg; }
active proctype P7() { active proctype P8() t13?msg; t18!msg {}
t12?msg;
active do proctype P8() { :: t18!msg t12?msg; :: t19!msg do od :: t18!msg } :: t19!msg active od proctype P9() {} t11?msg; }active proctype P9() { t11?msg; active proctype P10() {flagB = 1; }t18?msg; active proctype P10() } { active proctype P11() t18?msg; {} t19?msg; active proctype P11() {} t19?msg; }
18
STEP 3: MODEL CHECKING VERIFICATION (1) PROCEDURE OVERVIEW Introduce Linear Temporal Logic (LTL) formulas to verify the requirement. ¢ Typical examples: deadlock freedom, security, reachability. ¢
Promela code
Requirement (LTL)
• Reachability: • LTL formula: □(p→□(q→◊r)) • define p as flag1 == 1; • define q as flag2 == 1; • define r as flag3 == 1; 19
STEP 3: MODEL CHECKING VERIFICATION (2) REQUIREMENTS DEFINITION ¢ Typical
requirements can be identified through patterns in LTL formulas: Reachability: “Program always reaches aimed state” • □(P→□(Q→◊R)) Deadlock: “There is no next state”
Deadlock: ◊(○⊥∧¬terminal) ¢ Deadlock-freedom: □(○⊥→terminal) ¢
¢ Usage
of assertion alternative
active proctype P4() { t3?msg; flag1 = 1; do :: t8!msg; flag2 = 1; :: t11!msg; flag3 = 1; od assert(flag2 == 1 && flag3 == 1) }
20
STEP 3: MODEL CHECKING VERIFICATION (3) VERIFICATION EXAMPLE active proctype P4( ) { t3?msg; flag1= 1; t4!msg; atomic{ t8!msg; flag2= 1; t11!msg; flag3= 1; } }
t3
t6
t4
t5
t8
t7
t9 e3
t11
Promela code
Requirement (LTL)
SPIN model checker
Model Revision
Property INVALID 21
STEP 4: RECURSIVE RECONFIGURATION OF WORKFLOW MODEL active proctype P4() { t3?msg; flag1 = 1; do :: t8!msg; flag2 = 1; :: t11!msg; flag3 = 1; od }
Verify items and stock t3
Verify Supply
t7
Enough Supply
Yes
Prepare and Send Order
No Generate Purchase t11
Promela code
Requirement (LTL)
SPIN model checker 22
Property VALID
t8
RELATED WORK ¢
¢
¢
Model Checking for Web Services: S. Nakajima. Model-Checking of Safety and Security Aspects in Web Service Flows, ICWE 2004. S. Nakajima. Model-Checking Behavioral Specification of BPEL Applications, WLFM 2005. Translation Procedures: C. Ouyang, M. Dumas, A. H. M. ter Hofstede, W. M. P. van der Aalst. From BPMN Process Models to BPEL Web Services. IEEE International Conference on Web Services 2006. J. Chen, H. Cui. Translation from Adapted UML to Promela for CORBA-based Applications, SPIN 2004. Reconfiguration in Workflow Systems: M.Mazzara, N. Dragoni, M. Zhou. Dependable Workflow Reconfiguration, NODES 2011. M.Mazzara, A. Bhattacharyya. On Modeling and Analysis of Dynamic Reconfiguration of Dependable Real-Time Systems, DEPEND 2010.
23
CONCLUSIONS ¢ Verify
the procedure for the reconfiguration of workflows. ¢ Introduce the translation from the BPMN model into a Promela model and use SPIN model checker for verification. ¢ Develop a formal definition of BPMN model and introduce a translation algorithm. ¢ Introduce a recursive process of verification.
24
FUTURE WORK ¢ Develop
the automation of the verification procedure. ¢ Include a GUI environment. ¢ Increase the handle ability:
Background process of translation and verification. Develop set of templates for requirement patterns (usual LTL formula for deadlock, reachability).
25
