MODEL CHECKING OF SERVICES WORKFLOW RECONFIGURATION: A PERSPECTIVE ON DEPENDABILITY

MODEL CHECKING OF SERVICES WORKFLOW RECONFIGURATION: A PERSPECTIVE ON DEPENDABILITY 1 Juan Carlos Polanco Aguilar 1 Koji Hasebe 1 Manuel Mazzara 2 Kazuhiko Kato 1 1 University of Tsukuba Department of Computer Science 2 Newcastle University School of Computing Science

BACKGROUND WHAT IS WORKFLOW? A workflow is a model defined by a series of tasks to produce an outcome. Typical examples of workflow include: Business office workflow. Web services workflow. Mobile workflow. 2

BACKGROUND AN EXAMPLE OF WORKFLOW User Shop Payment Company Invoke Process Order Process Process Payment N Payment Received User Response Y 3

BUSINESS PROCESS MODELING NOTATION (BPMN) Developed by Business Process Management Initiative (BPMI) in 2004 and maintained by the Object Management Group (OMG) from 2005. Current Version: 2.0 (March 2011). Widely used standard for business process modeling. Simple drawing scheme that is easy to learn and train. Portability for many software vendors implementation 4

EXAMPLE OF BPMN SPECIFICATION 5

WORKFLOW AS A SAFETY-CRITICAL SYSTEM Workflow application examples Internet shopping site. Office workflow. Safety / security problems Leakage of Information. Impersonation. Design error and flow bugs. 6

REQUIREMENTS OF THE VERIFICATION PROCEDURE Reconfiguration process is often applied in a workflow. Safety / security properties might be compromised after reconfiguration (deadlock, security). Reconfiguration is achieved through use of BPMN elements. Verification of required properties is achieved by the verification of the BPMN workflow specification. 7

MOTIVATION Reconfiguration of workflow development and verification of requirements through research status. Verification Procedure Workflow Requirements Verification tool Revision Formal Language Correct Workflow 8

PURPOSE Develop a formal verification for reconfiguration of workflows. Based on model checking technique (SPIN Model Checker). Introduce a translation algorithm from a BPMN model into Promela code. 9

OVERVIEW OF THE VERIFICATION Old BPMN Diagram Step 1: Workflow reconfiguration to achieve flexibility. Step 2: Translation from the BPMN model into a formal Promela model (SPIN Specification Language). Step 3: Model checking of the Promela model with a requirement expressed in Linear Temporal Logic (LTL) formulas. Step 4: Recursive reconfiguration to meet all the requirements. Automa7c Transla7on Procedure SPIN Model Checker Promela Model Valid (BPMN model sa7sfies the requirement.) New BPMN Diagram Formal Specifica7on of BPMN Model Verifica7on Procedure Reconfigura7on Requirement (LTL Formula) Invalid (There is a counter example.) Revision 10

OVERVIEW OF THE VERIFICATION EXAMPLE: BOOKSHOP Bookshop Client Provider 11

STEP 1: WORKFLOW RECONFIGURATION An Example of Requirements Client sends an order, the bookshop verifies supply in the warehouse and then sends the order to client. 12

STEP 1: WORKFLOW RECONFIGURATION Introduce a parallel branching 13

STEP 2: TRANSLATION PROCEDURE (1) OVERVIEW OF THE PROCEDURE Specification of the BPMN diagram by using set theoretical notation. Develop and introduction of the translation algorithm by using primary elements obtained after specification. Modification of the translated model for a challenging verification. Procedure Limitations Translation procedure not fully automated. After training on set theory basic concepts and Promela language, handling can be achieved. 14

STEP 2: TRANSLATION PROCEDURE (2) TRANSLATION APPLICATION EXAMPLE Labels e 1 t 1 e 2 t2 Partitioning of Workflow into processes t 3 t 4 t 5 t 6 t 7 t 8 t 9 t 10 t 11 t 12 t 14 e 3 t 13 t 15 t 16 t 17 t 19 t 18 e 4 15

STEP 2: TRANSLATION PROCEDURE (2) TRANSLATION APPLICATION EXAMPLE t 3 t 4 t 5 t 6 t 7 t 8 t 9 t 11 e 3 BPMN formal specification Tasks = {t 3, t 4, t 5, t 6, t 7, t 8, t 9, t 11 Events = {e 3 Objects ={e 3, t 3, t 4, t 5, t 6, t 7, t 8, t 9, t 11 Relation = {(t 3, t 6 ), (t 6, t 4 ), (t 6, t 5 ), (t 5, t 7 ), (t 5, t 8 ), (t 7, e 3 ), (t 7, t 9 ), (t 9, t 11 ) Connect = {(t 4, e 2 ), (t 8, t 2 ), (t 11, t 15 ) Translation Translation algorithm for all a Connect(a,b) print chan a[buf] for all (a,b) Connect(a,b) print a!msg print a?msg Primary Promela code chan t4[1] of mtype chan t8[1] of mtype chan t11[1] of mtype active proctype P4() { t1?msg; t4!msg; atomic{ t8!msg; t11!msg; Complete Promela code chan t4[1] of mtype chan t8[1] of mtype chan t11[1] of mtype bool flag1 = 0; bool flag2 = 0; bool flag3 = 0; active proctype P3() { t1?msg; flag1= 1; t4!msg; atomic{ 16 t8!msg; flag2= 1; t11!msg; flag3= 1;

STEP 2: TRANSLATION PROCEDURE (3) COMPLETE PROMELA CODE mtype = {msg; chan t1 = [1] of {mtype chan e2 = [1] of {mtype chan t4 = [1] of {mtype chan t8 = [1] of {mtype chan t11 = [1] of {mtype chan t12 = [1] of {mtype chan t13 = [1] of {mtype chan t18= [1] of {mtype chan t19 = [1] of {mtype active proctype P1() { t1!msg; active proctype P2() { e2?msg; active proctype P3() { t8?msg; active proctype P4() { t1?msg; do t4!msg; atomic { t8!msg; t11!msg od active proctype P5() { do :: t12!msg; t13!msg; od active proctype P6() { t4?msg; active proctype P7() { t13?msg; t18!msg active proctype P8() { t12?msg; do :: t18!msg :: t19!msg od active proctype P9() { t11?msg; active proctype P10() { t18?msg; active proctype P11() { t19?msg; 17

STEP 2: TRANSLATION PROCEDURE (3) COMPLETE PROMELA CODE mtype = {msg, amount; mtype chan t1 = {msg; [1] of {mtype chan e2 = [1] of {mtype chan t4 t1 = [1] [1] of of {mtype chan t8 e2 = = [1] [1] of of {mtype {mtype chan t16 t4 = [1] of of {int {mtype chan t11 t8 = [1] of of {mtype {mtype chan t12 = [1] of {mtype chan t11 = [1] of {mtype chan t13 = [1] of {mtype chan chan t18= t12 = [1] [1] of of {mtype {mtype chan t19 t13 = = [1] [1] of of {mtype {mtype chan t18= [1] of {mtype chan bool flaga t19 = 0; [1] of {mtype bool flagb = 0; active bool flag1 proctype =0; P1() { bool t1!msg; flag2 =0; bool flag3 =0; bool flag4 =0; active bool flag5 proctype =0; P2() { bool e2?msg; flagx =0; bool flagy = 0; active proctype P3() { active t8?msg; proctype P1() { t1!msg; active proctype P2() { e2?msg; active proctype P3() active { t8?msg; proctype flaga = 1; P4() { t1?msg; active do proctype P4() { t1?msg; t4!msg; flag1 = 1 do atomic { t4!msg t8!msg; atomic{ t11!msg t8!msg; flag2=1; t11!msg flag3=1; od od active proctype P5() { active do proctype P5() {t16?amount; :: t12!msg; t13!msg; (amount od >= 4000) -> t12!msg; flagx = 1 (amount < 4000) -> active proctype P6() t13!msg; flagy=1 { do t4?msg; :: t12!msg; flag4= 1 active :: t13!msg; proctype flag5= P7() 1 { od t13?msg; t18!msg active proctype P6() { t4?msg; active proctype P7() { active t13?msg; proctype t18!msg P8() { t12?msg; active do proctype P8() { :: t18!msg t12?msg; :: t19!msg do od :: t18!msg :: t19!msg active od proctype P9() { t11?msg; active proctype P9() active { t11?msg; proctype P10() { flagb = 1; t18?msg; active proctype P10() { active t18?msg; proctype P11() { active t19?msg; proctype P11() { t19?msg; 18

STEP 3: MODEL CHECKING VERIFICATION (1) PROCEDURE OVERVIEW Introduce Linear Temporal Logic (LTL) formulas to verify the requirement. Typical examples: deadlock freedom, security, reachability. Promela code Requirement (LTL) Reachability: LTL formula: (p (q r)) define p as flag1 == 1; define q as flag2 == 1; define r as flag3 == 1; 19

STEP 3: MODEL CHECKING VERIFICATION (2) REQUIREMENTS DEFINITION Typical requirements can be identified through patterns in LTL formulas: Reachability: Program always reaches aimed state (P (Q R)) Deadlock: There is no next state Deadlock: ( terminal) Deadlock-freedom: ( terminal) Usage of assertion alternative active proctype P4() { t3?msg; flag1 = 1; do :: t8!msg; flag2 = 1; :: t11!msg; flag3 = 1; od assert(flag2 == 1 && flag3 == 1) 20

STEP 3: MODEL CHECKING VERIFICATION (3) VERIFICATION EXAMPLE active proctype P4( ) { t3?msg; flag1= 1; t4!msg; atomic{ t8!msg; flag2= 1; t11!msg; flag3= 1; t 3 t 4 t 5 t 6 t 7 t 8 t 9 t 11 e 3 Promela code Requirement (LTL) SPIN model checker Model Revision Property INVALID 21

STEP 4: RECURSIVE RECONFIGURATION OF WORKFLOW MODEL active proctype P4() { t3?msg; flag1 = 1; do :: t8!msg; flag2 = 1; :: t11!msg; flag3 = 1; od Verify items and stock Generate Purchase Verify Enough Prepare and t 3 Supply Supply Yes Send Order t t 8 7 t 11 No Promela code Requirement (LTL) SPIN model checker Property VALID 22

RELATED WORK Model Checking for Web Services: S. Nakajima. Model-Checking of Safety and Security Aspects in Web Service Flows, ICWE 2004. S. Nakajima. Model-Checking Behavioral Specification of BPEL Applications, WLFM 2005. Translation Procedures: C. Ouyang, M. Dumas, A. H. M. ter Hofstede, W. M. P. van der Aalst. From BPMN Process Models to BPEL Web Services. IEEE International Conference on Web Services 2006. J. Chen, H. Cui. Translation from Adapted UML to Promela for CORBA-based Applications, SPIN 2004. Reconfiguration in Workflow Systems: M.Mazzara, N. Dragoni, M. Zhou. Dependable Workflow Reconfiguration, NODES 2011. M.Mazzara, A. Bhattacharyya. On Modeling and Analysis of Dynamic Reconfiguration of Dependable Real-Time Systems, DEPEND 2010. 23

CONCLUSIONS Verify the procedure for the reconfiguration of workflows. Introduce the translation from the BPMN model into a Promela model and use SPIN model checker for verification. Develop a formal definition of BPMN model and introduce a translation algorithm. Introduce a recursive process of verification. 24

FUTURE WORK Develop the automation of the verification procedure. Include a GUI environment. Increase the handle ability: Background process of translation and verification. Develop set of templates for requirement patterns (usual LTL formula for deadlock, reachability). 25