A university for the world real R © 2009, www.yawlfoundation.org Chapter 6 Declarative Workflow Maja Pesic Helen Schonenberg Wil van der Aalst.

Slides:



Advertisements
Similar presentations
1 Verification by Model Checking. 2 Part 1 : Motivation.
Advertisements

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
An improved on-the-fly tableau construction for a real-time temporal logic Marc Geilen 12 July 2003 /e.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
A university for the world real R © 2009, Chapter 3 Advanced Synchronization Moe Wynn Wil van der Aalst Arthur ter Hofstede.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
CS6133 Software Specification and Verification
UPPAAL Introduction Chien-Liang Chen.
Probabilistic Verification of Discrete Event Systems using Acceptance Sampling Håkan L. S. YounesReid G. Simmons Carnegie Mellon University.
Towards a DecSerFlow mapping to SCIFF Federico Chesani, Paola Mello, Marco Montali, Sergio Storari.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
Aligning Event Logs And Declare Models for Conformance Checking Massimiliano de Leoni, Fabrizio Maggi Wil van der Aalst.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
A university for the world real R © 2009, Chapter 15 The Business Process Execution Language Chun Ouyang Marlon Dumas Petia Wohed.
Run Time Monitoring of Reactive System Models Mikhail Auguston Naval Postgraduate School Mark Trakhtenbrot Holon Academic Institute of.
Probabilistic Verification of Discrete Event Systems Håkan L. S. Younes Reid G. Simmons (initial work performed at HTC, Summer 2001)
Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.
CSE 555 Protocol Engineering Dr. Mohammed H. Sqalli Computer Engineering Department King Fahd University of Petroleum & Minerals Credits: Dr. Abdul Waheed.
Temporal Specification Chris Patel Vinay Viswanathan.
Constraint-Based Workflow Models Change Made Easy! Maja Pesic Helen Schonenberg Natalia Sidorova Wil van der Aalst Eindhoven University of Technology.
1 Boolean Satisfiability in Electronic Design Automation (EDA ) By Kunal P. Ganeshpure.
On-the-fly Model Checking from Interval Logic Specifications Manuel I. Capel & Miguel J. Hornos Dept. Lenguajes y Sistemas Informáticos Universidad de.
Specification Formalisms Book: Chapter 5. Properties of formalisms Formal. Unique interpretation. Intuitive. Simple to understand (visual). Succinct.
Review of the automata-theoretic approach to model-checking.
Logical Agents Chapter 7 Feb 26, Knowledge and Reasoning Knowledge of action outcome enables problem solving –a reflex agent can only find way from.
ESE601: Hybrid Systems Introduction to verification Spring 2006.
Automata and Formal Lanugages Büchi Automata and Model Checking Ralf Möller based on slides by Chang-Beom Choi Provable Software Lab, KAIST.
1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.
CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan.
Flavio Lerda 1 LTL Model Checking Flavio Lerda. 2 LTL Model Checking LTL –Subset of CTL* of the form: A f where f is a path formula LTL model checking.
1 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching SPIN An explicit state model checker.
Verification technique on SA applications using Incremental Model Checking 컴퓨터학과 신영주.
15-820A 1 LTL to Büchi Automata Flavio Lerda A 2 LTL to Büchi Automata LTL Formulas Subset of CTL* –Distinct from CTL AFG p  LTL  f  CTL. f.
Regular Model Checking Ahmed Bouajjani,Benget Jonsson, Marcus Nillson and Tayssir Touili Moran Ben Tulila
Institute for Applied Information Processing and Communications 1 Karin Greimel Semmering, Open Implication.
REFlex Renata Medeiros de Carvalho
1 Inference Rules and Proofs (Z); Program Specification and Verification Inference Rules and Proofs (Z); Program Specification and Verification.
CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: Sequencing Properties Copyright , Matt Dwyer, John Hatcliff,
A university for the world real R © 2009, Chapter 21 YAWL4Healthcare Ronny Mans Wil van der Aalst Nick Russell Arnold Moleman Piet.
CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: LTL Model Checking Copyright , Matt Dwyer, John Hatcliff,
Semantics & Verification Research Group Department of Computer Science University of Malta FLACOS 2008 Detection of Conflicts in Electronic Contracts Stephen.
Copyright , Doron Peled and Cesare Tinelli. These notes are based on a set of lecture notes originally developed by Doron Peled at the University.
A university for the world real R © 2009, Chapter 9 The Runtime Environment Michael Adams.
Recognizing safety and liveness Presented by Qian Huang.
Probabilistic Verification of Discrete Event Systems using Acceptance Sampling Håkan L. S. Younes Carnegie Mellon University.
Constraints Assisted Modeling and Validation Presented in CS294-5 (Spring 2007) Thomas Huining Feng Based on: [1]Constraints Assisted Modeling and Validation.
VIS Technology Transfer Course Session 7 Fairness Constraints and Monitors Serdar Tasiran.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Reasoning about the Behavior of Semantic Web Services with Concurrent Transaction Logic Presented By Dumitru Roman, Michael Kifer University of Innsbruk,
Probabilistic Verification of Discrete Event Systems Håkan L. S. Younes.
1 Temporal logic. 2 Prop. logic: model and reason about static situations. Example: Are there truth values that can be assigned to x,y simultaneously.
Model Checking Lecture 1. Model checking, narrowly interpreted: Decision procedures for checking if a given Kripke structure is a model for a given formula.
Software Systems Verification and Validation Laboratory Assignment 4 Model checking Assignment date: Lab 4 Delivery date: Lab 4, 5.
From Natural Language to LTL: Difficulties Capturing Natural Language Specification in Formal Languages for Automatic Analysis Elsa L Gunter NJIT.
About Alternating Automata Daniel Choi Provable Software Laboratory KAIST.
Today’s Agenda  Quiz 4  Temporal Logic Formal Methods in Software Engineering1.
A university for the world real R © 2009, Chapter 12 The Declare Service Maja Pesic Helen Schonenberg Wil M.P. van der Aalst.
Writing, Verifying and Exploiting Formal Specifications for Hardware Designs Chapter 3: Verifying a Specification Presenter: Scott Crosby.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Model Checking Lecture 2. Model-Checking Problem I |= S System modelSystem property.
Andrés Jiménez Ramírez Quivir Research Group University of Seville.
Model Checking Early Requirements Specifications in Tropos Presented by Chin-Yi Tsai.
Model Checking Lecture 2 Tom Henzinger. Model-Checking Problem I |= S System modelSystem property.
15-820A 1 LTL Model Checking A Flavio Lerda.
Translating Linear Temporal Logic into Büchi Automata
Chapter 2: Analysis and Verification of Non-Real-Time Systems
Program correctness Linear Time Temporal Logic
Presentation transcript:

a university for the world real R © 2009, Chapter 6 Declarative Workflow Maja Pesic Helen Schonenberg Wil van der Aalst

a university for the world real R 2 © 2009, Outline 1 Introduction 2 Constraint-Based Workflow Specification 3 Enactment of Constraint Model Instances 4 Dynamic Instance Change 5 Conclusions

a university for the world real R 3 © 2009, 1 Introduction Why declarative workflows? Procedural vs. declarative workflows. Combining procedural and declarative workflows.

a university for the world real R 4 © 2009, Flexibility vs. Support

a university for the world real R 5 © 2009, Procedural vs. Declarative Workflow

a university for the world real R 6 © 2009, Workflow Decomposition Combining various workflow languages (e.g., A, B, …, Z) Combining various approaches (e.g., procedural and declarative)

a university for the world real R 7 © 2009, 2 Constraint-based workflow specification Specifying constraints with Linear Temporal Logic. Constraint templates. Constraints. The ConDec language. Constraint workflow models. Truck Load and Less Than Truck Load ConDec models. Verification of constraint models.

a university for the world real R 8 © 2009, Linear Temporal Logic Standard operators negation: !a conjunction: a /\ b disjunction: a \/ b implication: a -> b equivalence: a b true false Temporal operators always: [] a eventually: <> a next: O a until: a U b weak until: a W b = (<> a) -> (a U B)

a university for the world real R 9 © 2009, Specifying Constraints with LTL Automaton can be generated for LTL constraint = exactly the set of all execution traces that satisfy the constraint. LTL formula for constraint automaton representing satisfying traces semantics <> billTask bill must be executed at least once. (! bill) W pickup Task bill can not be executed until (i.e., before) task pickup is executed.

a university for the world real R 10 © 2009, Constraint Templates “Declarative workflow patterns” A template has: –name –LTL formula –graphical representation  existence(A) : <> A  init(A): A  response(A,B): []( A -> <> B)  precedence(A,B): (!B) W A  succession(A,B): response(A,B) /\ precedence(A,B)  not co-existence: !( <>A /\ <>B )  1 of 4(A,B,C,D): <>A \/ <>B \/ <>C \/ <>D

a university for the world real R 11 © 2009, Constraints are created from templates can be “branched”

a university for the world real R 12 © 2009, An Example Language: ConDec Has more than 30 templates: existence, relation (ordered and not ordered), negative relation, and choice (standard and explicit).

a university for the world real R 13 © 2009, Constraint Workflow Models A constraint model has: –set of tasks: T={t1,t2,…,tn} –Set of mandatory constraints (must be followed): CM={cm1,cm2,…,cmp} –optional constraints (can be violated): CO={co1,co2,…,co k} Traces that satisfy a constraint model are: –if CM = Ø : all traces, represented by automaton –if CM ≠ Ø : traces that satisfy formula F= cm 1 /\cm 2 /\…/\cm p, represented by automaton automatically generated for F

a university for the world real R 14 © 2009, Less Than Truck Load (LTTL) (a) YAWL model (b) ConDec model (c) automaton generated for the ConDec model Constraints: <> delivery <> bill (!pickup) W bill

a university for the world real R 15 © 2009, Truck Load (TL) (b) ConDec model Constraints: <> delivery <> bill <> shipment (a) YAWL model

a university for the world real R 16 © 2009, Verification of Constraint Models By analyzing the automaton generated for the model two types of errors can be detected: –Dead task is a task that can never be executed. None of the transitions in the automaton allows the task. –A conflict exists if there is no way to satisfy all mandatory constraints in the model. The generated automaton is empty, there is no trace that satisfies this model.

a university for the world real R 17 © 2009, Example: Model with a Dead Task None of the transitions allows task pickup, i.e., task pickup is dead. None of the transitions allows task bill, i.e., task bill is dead. (a) ConDec model (b) automaton generated for the ConDec model

a university for the world real R 18 © 2009, Example: Model with a Conflict The generated automaton is empty, there is no trace that satisfies this model. (a) ConDec model (b) automaton generated for the ConDec model

a university for the world real R 19 © 2009, Detecting the Cause of Error By searching through the powerset of mandatory constraints and analyzing these automata, the exact subset of constraints that causes the error can be detected.

a university for the world real R 20 © 2009, 3 Enactment of Constraint Model Instances Instances of Constraint Models Monitoring States of Constraints Monitoring State of the Instance Enforcing Correct Instance Execution Enforcing Correct Instance Completion Dynamic Instance Change

a university for the world real R 21 © 2009, Constraint Model Instance Instance = constraint model + trace Trace is a sequence of executed tasks. At the end of the execution, instance’s trace must satisfy all mandatory constraints from instance’s model. During the execution of one instance it is necessary to: –monitor constraint states, –monitor instance state, –enforce correct execution, and –enforce correct completion.

a university for the world real R 22 © 2009, Monitoring Constraint States Every time a new task is executed, the states of constraints are “calculated”. Based on the current trace a constraint can be: –satisfied, –temporarily violated, the constraint is not satisfied, but it is possible to satisfy it in the future, and –violated, the constraint is not satisfied and it is not possible to satisfy it in the future.

a university for the world real R 23 © 2009, Determining Constraint States The state is determined by the automaton generated form the constraint’s formula: –satisfied: trace is accepted by the automaton, –temporarily violated, trace can be replayed on the automaton but it is not accepted by the automaton, and –violated, trace can not be replayed on the automaton. (a) precedence constraint and its automaton(b) existence constraint and its automaton Trace 1 State of constraint (a)(b) initialsat. (S 0 )tmp. viol. (S 0 ) pickupsat. (S 1 )tmp. viol. (S 0 ) deliver y sat. (S 1 ) billsat. (S 1 ) Trace 2 State of constraint (a)(b) initialsat. (S 0 )tmp. viol. (S 0 ) deliver y sat. (S 0 )sat. (S 1 ) Trace 3 State of constraint (a)(b) initialsat. (S 0 )tmp. viol. (S 0 ) deliver y sat. (S 0 )sat. (S 1 ) billviol. (?)sat. (S 1 )

a university for the world real R 24 © 2009, Monitoring Instance States For the instance state everything holds like for the constraint state, but now we use the automaton created for the instance’s model. Trace 1 State of instance initialtmp. viol. (S 0 ) pickuptmp. viol. (S 1 ) deliver y tmp. viol. (S 4 ) billsat. (S 5 ) Trace 2 State of instance initialtmp. viol. (S 0 ) deliver y tmp. viol. (S 2 ) Trace 3 State of instance initialtmp. viol. (S 0 ) deliver y tmp. viol. (S 2 ) billviol. (?) (a) Less Than Truck Load (LTTL) ConDec model (b) automaton generated for the LTTL model

a university for the world real R 25 © 2009, Enforcing Correct Instance Execution Making sure that users do not execute tasks that make the instance violated. Enabling only tasks that are allowed by the automaton. Trace 1 Enabled tasks and executed task initialpickup, delivery (S 0 ) pickupbill, pickup, delivery (S 1 ) deliver y bill, pickup, delivery (S 4 ) billbill, pickup, delivery (S 5 ) Trace 2 Enabled tasks and executed task initialpickup, delivery (S 0 ) deliver y pickup, delivery (S 2 ) Trace 3 Enabled tasks and executed task initialpickup, delivery (S 0 ) deliver y pickup, delivery (S 2 ) bill Not possible to execute – bill was not enabled! (a) Less Than Truck Load (LTTL) ConDec model (b) automaton generated for the LTTL model

a university for the world real R 26 © 2009, Enforcing Correct Instance Completion Making sure the instance can be closed only when it is satisfied. Allowing completion only when the automaton is in the accepting state. Trace 1 Enabled tasks and executed task initialcan’t close (S 0 ) pickupcan’t close (S 1 ) deliverycan’t close (S 4 ) billCAN CLOSE (S 5 ) Trace 2 Enabled tasks and executed task initialcan’t close (S 0 ) deliverycan’t close (S 2 ) (a) Less Than Truck Load (LTTL) ConDec model (b) automaton generated for the LTTL model

a university for the world real R 27 © 2009, Dynamic Instance Change The change is allowed only if the new model does not bring the instance into the violated state. (a) original model (b) automaton generated for the original model Instance 1 Trace State initialtemporarily violated (S 0 ) pickuptemporarily violated (S 1 ) deliverytemporarily violated (S 4 ) billsatisfied (S 5 ) Instance 2 Trace State initialtemporarily violated (S 0 ) pickuptemporarily violated (S 1 ) billtemporarily violated (S 3 ) deliverysatisfied (S 5 )

a university for the world real R 28 © 2009, Making Instance Change (b) new model (b) automaton generated for the new model Instance 1 (change refused) Trace State initialsatisfied (S 0 ) pickupsatisfied (S 0 ) deliveryviolated (?) bill Instance 2 (change accepted) Trace State initialsatisfied (S 0 ) pickupsatisfied (S 0 ) billsatisfied (S 1 ) deliverysatisfied (S 1 ) (a) original model

a university for the world real R 29 © 2009, 4 Conclusions Procedural Workflows and Declarative Workflows Flexibility and Support in Declarative Workflows

a university for the world real R 30 © 2009, Procedural Workflows and Declarative Workflows none is better solution should be combined implementation in YAWL

a university for the world real R 31 © 2009, Flexibility and Support in Declarative Workflows flexibility by design by underspecification by change by deviation support model verification monitoring instance state monitoring states of constraints ensuring correct instance execution ensuring correct instance completion

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.