Semantics and Verification of UML Activity Diagrams for Workflow Modelling Promotiecommissie: Prof. dr. R. J. Wieringa (promotor) Prof. dr. W. M. P. van der Aalst, Technische Universiteit Eindhoven Prof. dr. G. Engels, Universit¨at Paderborn Prof. dr. H. Brinksma Dr. M. M. Fokkinga (referent) Dr. ir. P. W. P. J. Grefen Prof. dr. W. H. M. Zijm (voorzitter) The research reported in this thesis has been financially sup- ported by the Netherlands Organisation for Scientific Re- search (NWO), within the scope of project nr. 612-62-02, Deontic Activity and Enterprise Modeling with an Object- oriented Notation (DAEMON). SIKS Dissertation Series No. 2002-15 The research reported in this thesis has been carried out under the auspices of SIKS, the Dutch Research School for Informa- tion and Knowledge Systems. CTIT Ph.D.-thesis Series No. 02-44 Centre for Telematics and Information Technology (CTIT) University of Twente P.O. Box 217, 7500 AE Enschede The Netherlands Copyright c 2002 Rik Eshuis, Wierden, The Netherlands. ISBN: 90-365-1820-2 ISSN: 1381-3617; no. 02-44 (CTIT Ph.D.-thesis series) SEMANTICS AND VERIFICATION OF UML ACTIVITY DIAGRAMS FOR WORKFLOW MODELLING PROEFSCHRIFT ter verkrijging van de graad van doctor aan de Universiteit Twente, op gezag van de rector magnificus, prof. dr. F. A. van Vught, volgens besluit van het College voor Promoties in het openbaar te verdedigen op vrijdag 25 oktober 2002 te 15.00 uur. door Hendrik Eshuis geboren op 17 september 1975 te Almelo Dit proefschrift is goedgekeurd door de promotor: Prof. dr. R. J. Wieringa Acknowledgements Although I wrote this thesis, I couldn’t have done it without the help of several people. First of all, I thank my promotor Roel Wieringa, who managed to find time to read my obscure manuscripts, and more importantly provided useful feedback to improve them. Roel gave me the freedom to pursue my own research interests and helped me to phrase the results in an understandable way. I thank the other members of my promotion committee, Wil van der Aalst, Gregor Engels, Ed Brinksma, Maarten Fokkinga, and Paul Grefen, for their useful comments on a previous version of this thesis. Besides Roel, several other people influenced the contents of this thesis. Paul Grefen and Wijnand Derks were always willing to have a good discussion on work- flow modelling. Wil van der Aalst and J¨org Desel provided helpful criticism on a paper that forms the basis of Chapter 8. Working with Juliane Dehnert confronted me with a Petri net view on workflow modelling, which has been very illuminating for me. Mathematicians Maarten Fokkinga and David Jansen managed to increase the precision of my statements. In 2001, I attended the FASE conference, part of ETAPS, to present a paper on the requirements-level semantics. In a keynote talk at this conference, Bran Selic rejected what he called ‘platonic abstractions’ like the perfect synchrony hypothesis, because they are, in his opinion, unrealistic and unimplementable. Even though I disagree with him, his talk triggered me to define a low-level implementation-level semantics that does not satisfy perfect synchrony, and to prove that the two semantics have similar behaviour. Room mates David Jansen and Wijnand Derks, as well as the rest of the IS and DB group, provided a pleasant atmosphere to work in. Secretaries Sandra Westhoff, Suse Engbers and Els Bosch managed my travels by plane and train. Maarten Fokkinga and Rick van Rein guided the research I did for my Master’s thesis in such a stimulating way that it made me think of doing a PhD. Last but not least, I’d like to thank my friends and family. Omdat dit de afsluiting van mijn onderwijscarri`ere is, wil ik graag twee personen in het bijzonder bedanken: mijn vader en moeder hebben me door de jaren heen altijd gesteund in alles wat ik deed: Pa en ma, bedankt! Rik Eshuis, October 2002 vi Contents 1 Introduction 1 1.1Background............................... 1 1.2Problemstatement........................... 7 1.3Problemsolvingapproach....................... 8 1.4Outline................................. 9 2 Workflow concepts 11 2.1Workflows................................ 11 2.2Workflowmanagement......................... 13 2.3Architectureofworkflowsystems................... 16 2.4Reactivesystems............................ 17 2.5 Interpreting workflow specifications . 20 3 Syntax of activity diagrams 23 3.1Syntacticconstructs.......................... 23 3.2Activityhypergraphs.......................... 31 3.3 From activity diagram to activity hypergraph . 35 3.4Specifyingactivities.......................... 38 4 Design choices in semantics of activity diagrams 41 4.1Mathematicalstructure........................ 41 4.2 Petri net token-game semantics versus statechart semantics . 43 4.3Issuesinreactivesemantics...................... 45 4.4Tworeactivesemantics......................... 48 5 Two formal semantics of activity diagrams 55 5.1ClockedTransitionSystem....................... 55 5.2Stepsemantics............................. 57 5.3Requirements-levelsemantics..................... 61 5.4Implementation-levelsemantics.................... 67 Appendix:Token-gamesemantics...................... 75 viii Contents 6 Relation between the two formal semantics 77 6.1 Differences between the two semantics . 78 6.2Similaritiesbetweenthetwosemantics................ 92 6.3Conclusion............................... 103 7 Advanced activity diagram constructs 105 7.1Dynamicconcurrency......................... 105 7.2Objectnodesandobjectflows..................... 108 7.3Deferredevents............................. 116 7.4Interruptregions............................ 116 8 Comparison with Petri nets 119 8.1 Modelling events . 120 8.2 Modelling steps . 124 8.3 Modelling data . 129 8.4 Modelling activities . 131 8.5 Modelling the implementation-level semantics . 133 8.6 Petri nets for workflow modelling . 133 8.7WhatisaPetrinet?.......................... 134 8.8 Discussion and conclusion . 136 9 Related work 139 9.1Statecharts............................... 139 9.2 OMG semantics of UML activity diagrams . 144 9.3 Other work on UML activity diagrams . 147 9.4Thestateofthepractice........................ 149 9.5 Other workflow modelling languages . 149 9.6Activedatabases............................ 150 9.7Transactionalworkflows........................ 151 9.8Conclusion............................... 151 10 Verification of functional requirements 153 10.1Temporallogic............................. 155 10.2 From infinite to finite state space . 160 10.3Strongfairness............................. 163 10.4Implementation............................. 166 10.5Exampleverifications.......................... 169 10.6Stateexplosion............................. 173 10.7Relatedwork.............................. 180 10.8Conclusionandfuturework...................... 183 Contents ix 11 Case studies 185 11.1 Seizure of goods under criminal law . 185 11.2 Order procedure within IT department . 194 11.3Lessonslearned............................. 198 11.4Conclusionandfuturework...................... 199 12 Conclusion and future work 201 12.1Conclusion............................... 201 12.2Summaryofmaincontributions.................... 202 12.3Futurework............................... 204 A Notational conventions 205 Bibliography 207 Index 220 Abstract 223 Samenvatting 225 x Contents Chapter 1 Introduction In this thesis, we show how model checking can be used to verify functional re- quirements on workflow specifications. To specify workflows, we use UML activity diagrams. Since UML activity diagrams lack a formal semantics, we define a formal semantics for activity diagrams that is suitable for workflow modelling. To define the problem more precisely, in Section 1.1 we introduce some termi- nology. Then, in Section 1.2, we define the problem. In Section 1.3, we explain the problem-solving approach. Section 1.4 gives an outline of the remainder of this thesis. 1.1 Background A workflow is an operational business process. Workflow management is con- cerned with the control and coordination of workflows. Several computer-based systems have been developed that implement workflow management, either as a dedicated system or as part (component) of a larger system, for example as part of an Enterprise Resource Planning system. We call such systems workflow man- agement systems1 (WFMSs). Workflow management systems, once used, are vital for an organisation, since the processes that they support are usually primary and secondary processes. Malfunctioning of WFMSs hampers the functioning of or- ganisations, and may lead to a decline in the quality of products and services that the organisation delivers to society. In recent years, there has been a trend to use WFMSs to integrate distributed systems which may be cross-organisational. In this case malfunctioning of one WFMS can affect more than one organisation, making the correct functioning of a WFMS even more critical than before. An important function of WFMSs is to enforce certain ordering rules between 1In this thesis, we use the term ‘workflow management system’ to denote every computer system or part of a computer system that implements workflow management functionality, even though in literature the term is reserved for a dedicated computer system. 2 Chapter 1 · Introduction business activities. For instance, in a workflow that handles insurance claims, an example ordering rule could be that after a claim is registered, it is checked. Apart from ordering rules, a WFMS enforces other rules, for example allocation rules, which state to which