Your SlideShare is downloading. ×
Property Specifications for Workflow Modelling
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Property Specifications for Workflow Modelling

312

Published on

Slides used in IFM09

Slides used in IFM09

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
312
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
1
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. 01 Property Specifications for Workflow Modelling Peter Wong, University of Oxford, UK (Joint work with Jeremy Gibbons) February 2009
  • 2. 02 Overview • Process Semantics for BPMN in CSP (ICFEM08, QSIC08) • Augmented with relative timing information (FOCLASA08) • BPMN is not a specification language • Consider a generalisation of Dwyer et al.’s Property Specification Patterns (PSP) • Define a language PL to capture generalised PSP • Translate into Lowe’s Bounded, Positive fragment of LTL (BTL) • Translate BTL into CSP for refinement checks (FDR) see: Example
  • 3. 03 Problems BPMN... • describes the performance of behaviour • difficult to describe refusal of behaviour in a context while allowing its availability outside that context Example requirement should also permit behaviour such as Request Cancel before Book Seat! see: Example
  • 4. 04 Content • Property Specification Patterns (PSP) • Generalised PSP • Our Approach • Bounded Positive fragment of LTL (BTL) • Refusal Traces Model and Semantics of BTL • A Property Specification Language PL – Patterns of Behaviour – Property Specification • Revisiting the Example
  • 5. 05 Property Specification Patterns PSPs describe the structure of commonly occurring requirements on the permissible patterns of behaviour in finite states systems Here we only consider occurrence patterns.
  • 6. 06 Occurrence Patterns • Absence – A given event does not occur within a scope • Universality – A given event occurs at all times within a scope • Existence – A given event occurs at least once within a scope • Bounded Existence – A given event occurs a bounded number of times within a scope
  • 7. 07 Scopes • Always – throughout all possible executions • Before p – before the occurrence of the event p • After q – after the occurrence of the event q • Between p and q – between the occurrence of the events p and q • After p until q – after the occurrence of the event p until q, but q need not happen
  • 8. 08 Issue • Patterns have been expressed in a range of formalisms (LTL,CTL...) but not for refinement setting (CSP). • We provide a generalisation of the patterns in process-algebraic settings For example: The parallel execution of task A and either task D or task E cannot happen after task B and before task C
  • 9. 09 Occurrence Patterns (generalised) • Absence – A given pattern of behaviour does not occur within a scope • Universality – A given pattern of behaviour occurs at all times within a scope • Existence – A given pattern of behaviour occurs at least once within a scope • Bounded Existence – A given pattern of behaviour occurs a bounded number of times within a scope
  • 10. 10 Scopes (generalised) • Always – throughout all possible executions • Before p – before the occurrence of the pattern of behaviour p • After q – after the occurrence of the pattern of behaviour q • Between p and q – between the occurrence of the patterns of behaviour p and q • After p until q – after the occurrence of the pattern of behaviour p until q, but q need not happen
  • 11. 11 Our Approach • Define a small property specification language PL to capture generalised PSP • Translate from PL to bounded, positive fragment of LTL (BTL) • BTL can be automatically translated into CSP for simple refinement checks
  • 12. 12 Content √ • Property Specification Patterns (PSP) √ • Generalised PSP √ • Our Approach ⇒ • Bounded Positive fragment of LTL (BTL) • Refusal Traces Model and Semantics of BTL • A Property Specification Language PL • Patterns of Behaviour • Property Specification • Revisiting the Example
  • 13. 13 Bounded, Positive Fragment of LTL (BTL) The grammar of BTL (for all a ∈ Σ) e, f ∈ BTL ::= e ∧ f | e ∨ f | e | Pe | e R f | a | ¬a | available a | true | false | live | deadlocked • a – the event a is available to be performed initially, and no other events may be performed; • available a – the event a must not be refused initially, and other events may be performed; • live and deadlock – the system is live (equivalent to a) a∈Σ or deadlocked (equivalent to a∈Σ ¬a), respectively; • true and false – logical formulae with their normal meanings. N.B. Does not capture eventually ( ) and until (U) and negation (¬).
  • 14. 14 Semantics of BTL for Refinement Checks • Stable Failures is not suitable • Requires a finer model – Refusal Traces RT [Mukarram 93] • P |= e where e is a BTL expression, if and only if Spec(e) RT P where Spec(e) is the CSP specification for e. A refusal trace is an alternating sequence of refusal information and events, of the form X 1, a1, X 2, a2, . ., Xn, an, Σ where each Xi is a refusal set, and each ai is an event: this represents that the process can refuse X 1, perform a1, refuse X 2, perform a2, etc. see: Failures and Eventually
  • 15. 15 Content √ • Property Specification Patterns (PSP) √ • Generalised PSP √ • Our Approach √ • Bounded Positive fragment of LTL (BTL) √ • Refusal Traces Model and Semantics of BTL ⇒ • A Property Specification Language PL • Patterns of Behaviour • Property Specification • Revisiting the Example
  • 16. 16 Patterns of Behaviour SPL – A Sublanguage of PL P ∈ SPL ::= P P |P P | a → P | End where a ∈ AF ::= e | available e | live where e ∈ Σ AF • specifies nondeterministic systems • introduces the nondeterministic interleaving ( ) operator • End has empty semantics – RT SPL [[End ]] = ∅
  • 17. 17 Nondeterministic Interleaving In CSP for any events a and b: a → Skip b → Skip a → Skip RT but not a → Skip ||| b → Skip a → b → Skip RT Since a → Skip ||| b → Skip ≡ a → b → Skip P b → a → Skip • Need an operator to specify concurrent behaviour without determining their orders • Especially useful when applying in our relative timed model of BPMN.
  • 18. 18 Nondeterministic Interleaving The process P Q communicates events from both P and Q nondeterministically. If P = p → P and Q = q → Q then Q = (p → (P (q → (P P Q)) Q )) [ -step] also: End Q =Q [ -End] Note is both commutative and associative and is defined in terms of and →.
  • 19. 19 From SPL to BTL • translate SPL to BTL∗ inductively pattern : SPL → BTL∗ • BTL∗ is BTL augmented with the atomic formula ∗ (RT SPL [[End ]] = RT BTL∗ [[ ∗ ]] = ∅) • convert BTL∗ back to BTL, we simply remove ∗ according to the following equivalences: φ∨∗≡φ ∗∧φ≡φ φ∧ ∗≡φ see: Formalising SPL in Temporal Logic
  • 20. 20 Example Given a pattern of behaviour (a → End ) (b → End ) we get the following BTL expression φ = (a ∧ b) ∨ (b ∧ a), which can be automatically translated into CSP: Spec = let Spec0 = b → Spec2 Spec1 = a → Spec3 Spec2 = a → Spec4 Spec3 = b → Spec4 Spec4 = Stop ( x : Σ • x → Spec4) in Spec0 Spec1 Moreover, a → b → Stop Spec RT a → Stop ||| b → Stop Spec RT
  • 21. 21 Content √ • Property Specification Patterns (PSP) √ • Generalised PSP √ • Our Approach √ • Bounded Positive fragment of LTL (BTL) √ • Refusal Traces Model and Semantics of BTL ⇒ • A Property Specification Language PL √ • Patterns of Behaviour ⇒ • Property Specification • Revisiting the Example
  • 22. 22 Property Specification Language – PL for all p ∈ SPL, n ∈ N1 , b ∈ Bound and s ∈ Scope • Abs(p, s) – absence of behaviour p in scope s • Un(p, s) – universality of behaviour p in scope s • Ex(p, n, s) – existence of behaviour p within subsequent n states from the start of scope s • BEx(p, b, s) – existence of behaviour p with bound b in scope s N.B. state is in the sense of a transition system of a CSP process describing a BPMN diagram: a graph showing the states it can go through and actions, each denoted by a single CSP event, that it takes to get from one to another.
  • 23. 23 Scopes • always – throughout all possible execution • before(p, n) – before behaviour p if p happens in nth state from the start. • after p – after of behaviour p • between p and (q, n) – between behaviour p and q if q happens in nth state after p • from p until (q, n) – after behaviour p and before q if q happens (not necessary) in nth state after p see: Bounded Existence
  • 24. 24 Content √ • Property Specification Patterns (PSP) √ • Generalised PSP √ • Our Approach √ • Bounded Positive fragment of LTL (BTL) √ • Refusal Traces Model and Semantics of BTL √ • A Property Specification Language PL √ • Patterns of Behaviour √ • Property Specification ⇒ • Revisiting the Example
  • 25. 25 Revisiting the Example Use the absence pattern “the absence of p between some behaviour q and r ” Abs(Cancel , between bookseat → End and(sendinvoice → End , 2)) where the pattern of behaviour Cancel is defined as follows: Cancel = requestcancel → End reservetimeout → End See if the diagram satisfies this property by checking the following refusal traces refinement assertion using the FDR tool. Agent N Spec RT where N = Σ { bookseat, requestcancel , reservetimeout, sendinvoice } see: Travel Agent, Requirement and Spec
  • 26. 26 Summary • Generalised PSP to specify patterns of behaviour • Defined PL to capture the generalised PSP • Translated PL into BTL • Implemented a prototype in Haskell
  • 27. 27 Thank You Web site: http://www.comlab.ox.ac.uk/peter.wong/ Email: peter.wong@comlab.ox.ac.uk
  • 28. 28 Summary • Overview • Problems • Content • Property Specification Patterns • Occurrence Patterns • Scopes • Issue • Occurrence Patterns (generalised) • Scopes (generalised) • Our Approach • Content • Bounded, Positive Fragment of LTL (BTL)
  • 29. 29 • Semantics of BTL for Refinement Checks • Content • Patterns of Behaviour • Nondeterministic Interleaving • Nondeterministic Interleaving • From SPL to BTL • Example • Content • Property Specification Language – PL • Scopes • Content • Revisiting the Example • Summary
  • 30. 30 • CSP • CSP • CSP • CSP • Travel Agent • Requirement • Requirement • Unsuitability of the stable failures • Impossibility of eventually , U and negation • Formalising SPL in Temporal logic • Formalising SPL in Temporal logic • Bounded Existence – Preliminaries • Bounded Existence
  • 31. 31 • Bounded Existence • Example – “The bounded existence of p after q” • Corresponding CSP specification...
  • 32. 32 Index 2 Overview 3 Problems 4 Content 5 Property Specification Patterns 6 Occurrence Patterns 7 Scopes 8 Issue 9 Occurrence Patterns (generalised) 10 Scopes (generalised) 11 Our Approach 12 Content 13 Bounded, Positive Fragment of LTL (BTL)
  • 33. 33 14 Semantics of BTL for Refinement Checks 15 Content 16 Patterns of Behaviour 17 Nondeterministic Interleaving 18 Nondeterministic Interleaving 19 From SPL to BTL 20 Example 21 Content 22 Property Specification Language – PL 23 Scopes 24 Content 25 Revisiting the Example 26 Summary
  • 34. 34 28 Summary 29 Index 30 CSP 31 CSP 32 CSP 33 CSP 34 Travel Agent 35 Requirement 36 Requirement 37 Unsuitability of the stable failures Impossibility of eventually , U and negation 38 39 Formalising SPL in Temporal logic 40 Formalising SPL in Temporal logic
  • 35. 35 41 Bounded Existence – Preliminaries 42 Bounded Existence 43 Bounded Existence 44 Example – “The bounded existence of p after q” 45 Corresponding CSP specification...
  • 36. 36 CSP The grammar of CSP. P , Q ::= P ||| Q | P |[ A ]| Q | P Q | P A | P Q| P Q | P P Q | P o Q | e → P | Skip | Stop 9 • Skip, Stop - termination, deadlock;. • e → P - prefixing; • P o Q - sequential composition. 9
  • 37. 37 CSP The grammar of CSP. P , Q ::= P ||| Q | P |[ A ]| Q | P Q | P A | P Q| P Q | P P Q | P o Q | e → P | Skip | Stop 9 • P ||| Q - interleaving; • P |[ A ]| Q - partial interleaving; •P Q - parallel composition.
  • 38. 38 CSP The grammar of CSP. P , Q ::= P ||| Q | P |[ A ]| Q | P Q | P A | P Q| P Q | P P Q | P o Q | e → P | Skip | Stop 9 • P A - hiding; •P Q - interrupt; • P P Q - external choice. •P Q - internal choice.
  • 39. 39 CSP The grammar of CSP. P , Q ::= P ||| Q | P |[ A ]| Q | P Q | P A | P Q| P Q | P P Q | P o Q | e → P | Skip | Stop 9 • We write P i : { 1 . . n } • P (i ) to denote P (1) P . . P P (n), similarly for operators , ||| and ; • Our semantic definition uses Stable Failures F; • Formal verification via refinement checks; • FDR - automated CSP model checker.
  • 40. 40 Travel Agent see: Introduction and Revisit
  • 41. 41 Requirement Property : Agent must not allow cancellation after booking if invoice is to be sent. see: Introduction, Problems and Revisit
  • 42. 42 Requirement Property : Agent must not allow cancellation after booking if invoice is to be sent. Try checking this: Agent N Requirement ? F see: Introduction and Problems
  • 43. 43 Unsuitability of the stable failures F[[available a]] = { ( , X ) | a ∈ X } ∪ { (tr , X ) | tr = ∧ X ∈ PΣ} / F[[ available a]] = { ( b , X ) | b ∈ Σ ∧ a ∈ X } ∪ { (tr , X ) | #tr = 1 ∧ X ∈ P Σ } / F[[available a ∨ available a]] = F[[available a]] ∪ F[[ available a]] = { (tr , X ) | tr ∈ Σ∗ ∧ X ∈ P } i.e. available a ∨ available a is satisfied by every process! see: Semantics of BTL
  • 44. 44 Impossibility of eventually , U and negation Suppose P |= a if and only if Spec RT P where Spec is the CSP specification for a. Spec would have the refusal trace Σ {b}, b n •, a for all n. However RT is prefixed-closed therefore it would also have the refusal trace Σ {b}, b n for all n and this is satisfied by the process P = b → P ! Also since φ = true U φ and φ = ¬(P¬φ) see: Semantics of BTL
  • 45. 45 Formalising SPL in Temporal logic • translate SPL to BTL∗ • convert BTL∗ back to BTL SPL to BTL∗ pattern(End ) = ∗ pattern(a → P ) = atom(a) ∧ (pattern P ) pattern(P Q) = pattern(P ) ∨ pattern(Q) pattern(P Q) = pattern(npar (P , Q)) where atom(available t) = available (event(t)) atom(live) = live atom(t) = event(t) see: SPL
  • 46. 46 Formalising SPL in Temporal logic npar (End , End ) = End npar (End , Q) = Q npar (P , End ) = P npar (P , Q) = ( (a, X ) : initials(P ) • a → npar (X , Q)) ( (a, X ) : initials(Q) • a → npar (X , P )) where i : I • P (i ) denotes the nondeterministic choice of a set of indexed terms P (i ) where i ranges over I . initials(P Q) = initials(P ) ∪ initials(Q) initials(P Q) = initials(npar (P , Q)) initials(a → P ) = { (a, P ) } initials(End ) = ∅ see: SPL
  • 47. 47 Bounded Existence – Preliminaries We extend BTL to BTLδ to include two new operators ¡ and U £ such that: ψ Un φ = ( nextsi∗states(ψ) (φ ∨ ψ)) ∧ nexts(n−1)∗states(ψ) φ i∈{ 0..n−2 } where • states(φ) returns one minus the furthest state the expression φ i • nextsi ψ = ψ for i ∈ N n • nextφ ψ = ψ where n = states(φ) Note : ¡ n φ = true U n φ £
  • 48. 48 Bounded Existence • The global existence p with bound b – bound (p, false, b); • The existence of p with bound b before some behaviour q – ¡ n q ⇒ ¬q U n−getbound(b)∗states(p) bound (p, q, b) £ • The existence of p with bound b after some behaviour q – P(q ⇒ nextq (bound (p, q, b))) • The existence of p with bound b between behaviour q and r – P(q ⇒ (nextq ¡ n r ⇒ (bound (p, r , b) ∧ bound (p, r , b) R ¬r ∧ r R ¬q))) £ where n > getbound (b) ∗ states(p) • The existence of p after behaviour q until r – P(q ⇒ (nextq ¬r U 1 bound (p, r ∨ q, b)))
  • 49. 49 Bounded Existence bound (p, q, b) is defined as follows : • (= n) – p) ∧ nextsn∗states(p) (q R ¬p) i∈{ 0..n−1 } (nextsi∗states(p) • (≥ n) – i∈{ 0..n−1 } (nextsi∗states(p) p) • (≤ n) – nextsn∗states(p) (q R ¬p) and getbound (b) for some bound b denotes the number part of the value.
  • 50. 50 Example – “The bounded existence of p after q” Property – Either task A or C has to occur followed by either one of them again after Task B has occurred. Spec = let Spec0 = Proceed ({ b }, Spec0 Spec1) Spec1 = b → (Spec2 Spec3) Spec2 = c → (Spec4 Spec5) Spec3 = a → (Spec4 Spec5) Spec4 = c → (Spec6 Spec7) Spec5 = a → (Spec6 Spec7) Spec6 = Proceed ({ a, b, c }, Spec6 Spec7) Spec7 = b → (Spec2 Spec3) in Spec0 Spec1 ( x : Σ X • x → P) where Proceed (X , P ) = Stop Skip
  • 51. 51 Corresponding CSP specification... Spec0 = Proceed ({ bookseat }, Spec0 Spec1) Spec1 = bookseat → (Spec2 Spec3 Spec4 Spec5 Spec6) Spec2 = Proceed ({ bookseat, sendinvoice }, Spec7 Spec1) Spec3 = sendinvoice → (Spec0 Spec1) Spec4 = bookseat → (Spec2 Spec4 Spec8 Spec9) Spec5 = Proceed ({ bookseat, requestcancel , reservetimeout }, Spec3) Spec6 = bookseat → (Spec3) Spec7 = Proceed ({ bookseat, sendinvoice }, Spec0 Spec1) Spec8 = let poss = { bookseat, requestcancel , reservetimeout, sendinvoice } in Proceed (poss, Spec3) Spec9 = bookseat → (Spec3) Spec = Spec0 Spec1 see: Revisit

×