timed automata for workflow modeling and analysisscholarism.net/fulltext/20141326.pdfinternational...

International Journal of Mathematics and Computer Sciences (IJMCS)

ISSN: 2305-7661 Vol.32 Aug 2014 www.scholarism.net

917

Timed Automata for Workflow Modeling and Analysis

Afsoon Soltani

Department of Computer Engineering, Arak Branch, Islamic Azad University,

Arak, Iran

Email: [email protected]

Abstract- The main purpose of the workflow management systems is supporting of

definition, performing and controlling of the business process, so that it supports the

activities and the particular ordering of them in order to achieve to the common goal. The

accuracy of the characteristics of the workflow for automation of the Business Process is

essential. Because of this reason, the errors in the characteristics should be known and

corrected as soon as possible. Combination of the timed constraints in such systems

deteriorates the issue. The unexpected delays may result in catastrophic destroying or

deficiency in Business Activities. The workflow existent systems provide limited support

of the time issues. However, the implementation of great unverified workflow models

runs the risk of undesirable runtime. Using of the Formal Methods for automating

verifications is very important and essential. But because of the intricate understanding of

math, it is considered a little. So the existent solution in order to rich the workflow with

one series of the timed constraints which are needed, combine the modeling with the

formal comprehension of Timed Automata. This exact solution can help to guaranty the

validity of the workflow systems for analyzing and verifying, use the UPPAAL tools.

Keywords : Workflow, Automation, Verification, Formal Method, Timed Automata

1. Introduction

Information technology has gone through one of the most significant changes in the

last decades, meanwhile having proliferated and penetrated into business processes in

each and every business field, and has become a determining component[1] .A workflow



918

is a collection of activities, agents, and dependencies between activities. Activities

correspond to individual steps in a business process, agents are responsible for the

enactment of activities, and dependencies determine the execution sequence of activities

and the data flow between them. Time-related factors have to be incorporated into the

traditional workflow processes so as to adapt to the globally distributed applications[2,3].

Time violations in workflows can often lead to some negative influences such as

increasing cost, unexpected delays and resource wasting, or even cause catastrophic

breakdowns within business processes. However, there exists no standard for the temporal

behavior of workflow modeling. The correctness of a workflow specification is critical

for the automation of business processes. For this reason, errors in the specification

should be detected and corrected as early as possible at specification time. While formal

verification methods can help ensure the reliability of workflow systems, the industrial

uptake of such methods has been slow largely due to the effort involved in modeling and

the memory required to verify complex systems. Timed automata are one of the most

widely used formalisms for the specification and verification of real-time systems.

Recently, a number of authors have advocated the use of Timed Automata as a semantic

for modeling techniques in computer science[4]. What remains to do is to translate the

workflow specification and the requirement we are interested in into the input language of

a model checker. Model checking is an automatic analysis method, which explores all

possible states of a modeled system to verify whether the system satisfies a formally

specified property.

The present approach which enriches timed workflow is considered to be a new idea.

Furthermore, Timed Automata has been applied to formalize workflow model as one of

the most widely used methods in formalization [4]. The present approach enjoys high

level of accuracy and is able to ensure the reliability of the workflow systems by using

UPPAAL tools for verification and analysis.

The rest of the study is organized as follows: part 2 will concentrate on reviewing the

relevant literature. The definitions of the key concepts are included in part 3. A modeling

approach for timed workflow models is presented in part 4. Afterwards, part 5 will face

with the verification and evaluation of the presented timed workflow model. Finally, the

conclusion of the present study and strategies for future studies will be discussed in part6.



919

2. Related Works

The area of handling time-related issues and detecting potential problems has not

received adequate attention in the workflow literature.

Timed Automata has been suggested as a tool for specification and verification of timed

workflow schema [10]. The present approach has decreased the compatibility of

workflow schema with the emptiness problem of timed Automata. A method of

verification of the workflow's characteristics is presented [14] by using model checking.

Having used timed Automata, the present approach has presented a solution for

scheduling problem which is much easier than Resource Constraint Project Scheduling

(RCPSP).

Timed Petri Nets [15,16] have recently turned into a well-known widely used model

consisting of distributed systems and Timed Petri Nets are presented [18] for modeling

the behavior of workflow systems by using Time Petri Net Analyzer (TINA) as a tool.

This method is based on a united time graph. An automatic translator YAWL2DVEt is

presented [19] where a timed workflow modeled by YAWL tools are the inputs. The

automatic translator presents a method for verification of the timed workflow system. A

slot has been assigned to each task in the workflow diagram[15]. The present study has

tried to develop the workflows with slots which are going to be called Time WF_Net

from now on. For the visualization of the time data of the workflow complex systems, a

modeling method for workflow systems based on Time Constraint Petri Nets (TCPN) has

been suggested [17]. The main idea which has been indicated [13] is to enrich a

characteristic of workflow with time data for the activity and to transform this workflow

description into PERT_Diagram. This approach has presented a PERT_Diagram based on

technics to manage the activities within the framework of the definition of the process. As

a result, with the goal of developing technics to control the time vulnerability, a

framework is offered to calculate the deadlines of the activities [20].

Nowadays, the graph transformation systems have become well-known in defining

models' formal concepts. An approach to define the formal definition of UML 2.0

Activity Diagrams has been introduced through graph transformation [21]. They have

implemented AGG tools. Also a modeling approach toward workflow was presented by

setting time constraints and distributing the activities based on Multiple Time Axes [22].



920

3. Basic Concepts

This section provides background information about the tools and concepts used in

this work.

3.1 Workflow Model

A Workflow Management System (WFMS) is defined as a system that completely

defines, manages and executes workflows through the execution of software whose order

of execution is driven by a computer representation of the workflow logic[2,4].

3.1.1 Routing in workflow

The routing describes the control-flow of the Workflow model. It is a formalized view

which is present as a co-ordinated set of process activities that are connected in order to

achieve a common goal [6,7].

Sequential Routing

the tasks have to be carried out sequentially, one after the other.(see Fig1)

Fig.1.Sequential Routing

Parallel Routing

we refer to parallel routing, when more then one process activities can be carried out

at the same time (see Fig 2). To execute the parallel routing at the beginning we must use

an AND-split to split the control and an AND-join to collect it at the end.

Fig.2. Parallel Routing

A2 A2 A2

AndSpli

t

AndJoi

n

A1

A2

A3

A4

A5



921

Selective Routing

we refer to selective routing, if only one of the process activities have to be carried out

at the same time. To execute selective routing at the beginning we must use an OR-split to

split the control and an OR-join to collect it at the end. The real function of the OR-join is

to choose between the given possible process activities. (See Fig 3).

Fig.3. Selective Routing

3.1.2 Structural Correctness in workflow schema

A workflow specification is structurally correct if every workflow execution reaches

the end node after a finite number of transitions. And when the end node is reached, all

other activities that have been started before are completed and there are no remaining

join nodes waiting for incoming transitions. An example is shown in Fig 4 Only one of

the activities 2 and 3 will be performed after the OR-split, but the following AND-join

would wait for both activities being completed.. For this reason it is reasonable to call

such a workflow specification structurally incorrect.

Fig.4. Incorrect Workflow

AndSplit

00

ORSplit

00

Activity 1

Activity 2

Activity 3

AndJoin …

OrSplit

00 OrSplit

00

A1

A2

A3

A4

A5



922

3.1.3 Timed Workflow Schema

At Fig 5 the workflow is showing the "sell computer hardware: business process of an

E-Business company which sells computer hardware products.

Fig.5. workflow illustrating the workflow with time

when the hardware store receives an order from a customer we begin at initial node

action of the diagram. After the action is done we do the "check order" action. When the

order is checked there is a And_Split. Which means that the "get products" action and

"save order information in archive" action are performed at the same time and the

sequence between them is irrelevant. After the "save order information" action id done

there is an And_Join. This means that the "assemble bundle" action is not performed

before both incoming actions are done. After the "get products" action there is a OR_Split

node. If the product type is a computer the "test computer" action is performed, if it is a

monitor the "test monitor" action is performed. Now the second incoming action of the

"assemble bundle" action is done and this satisfies the And_Join control structure which

means that the "assemble bundle" action can now be performed. The time units are meant

to be minutes but we will not go into detail with our choice of numbers since it is

irrelevant how realistic the time intervals are. For example the [5,15] above the "get

products" action means that this action can take between 5 and 15 minutes to complete.

3.2 Timed Automata

Timed automata are one of the most widely used formalisms for the specification and

verification of real-time systems[9,11].

Check order

AndSplit

00

Get product

Save order

informant in

archive

AndJoin

0

OrSplit0

test computer

Assemble

bundle

ORJoin0

test monitor

Act0

Act2

Act1

Act3 Act4

Act5

[3,5]

[1,2]

[30,50] [2,5]

[5,15]

[5,15]



923

Definition 1 )

A timed automaton A is a tuple <S,S0,∑,C,I,E,F>, where S is a finite set of

locations,S0 ⊆ 𝑆 is a set of initial locations, ∑ is an input alphabet, C is a finite set of

clocks, I is a mapping from S to a set of

clock constraints, E⊆ 𝑆 × 𝑆 × 𝛴 ×2c×Ф(𝑐) is a set of switches, F⊆ S is a set of final

locations. For any location s, I specifies the time constraints that must be satisfied to

remain in s (invariant set). As soon as an invariant is violated due to the elapse of time,

we must exit the location. <S,S´,a,λ,δ> represents a transition from location s to location

s0 on input symbol a; the set λ⊆C specifies the clocks to be reset by the transition, while

δ is a clock constraint over C that specifies when the switch is enabled [10,23].

3.3 Model Checker UPPAAL

UPPAAL is a toolbox for verification of real-time systems. The model-checker

UPPAAL is based on the theory of timed automata [24] and its modeling language offers

additional features such as bounded integer variables and urgency. The query language of

UPPAAL, used to specify properties to be checked, is a subset of CTL (computation tree

logic) [25]. The query language consists of path formulae and state formulae. State

formulae describe individual states states, whereas path formulae quantify over paths or

traces of the model. Properties that could be checked include:

Dead Lock Freeness Property

A state is a deadlock state if there are no outgoing action transitions neither from the

state itself or any of its delay successors[12].

Reachability Property

They ask whether a given state formula, ɸ, possibly can be satisfied by any reachable

state. In UPPAAL, we write this property using the syntax E<> ɸ .



924

Safety Property

Safety properties are on the form: “something bad will never happen”. In UPPAAL

we write A[]ɸ and E[]ɸ, respectively.

Liveness Property

Something will eventually happen. liveness is expressed with the path formula A3 ɸ ,

meaning ɸ is eventually satisfied.

4. Timed workflow modeling

Using the elements introduced in the last section, we can define templates for the

different kinds of nodes in a workflow specification. The present study has used token

concept for modeling. At the beginning there is only one token in the workflow and that

belongs to the Start Node. Each node runs only when it is accompanied by a token, then it

will pass the token to the next node. The token will disappear when it reaches the final

token at last.

4.1 Global declaration

Regarding the fact that a workflow model is consisting of a number of nodes and a

model may contain several instances of each of the nodes, therefore, a constant has been

defined for each node. Thereafter, the numbers of each node have been limited by

defining the data type and with regard to the variables of the same type.

const int Act;

typedef int[0,Act-1] act_id;

Array variable t is used for keeping time of each task implementation and totaltime

variable is used for keeping the global time. In order to synchronize the nodes, the

broadcast channel has been defined.

clock t[Act];

clock totaltime;

const int MaxSizeNode;

broadcast chan c [MaxSizeNode];



925

Each node keeps the required data in a structure data type. Only one instance of the

structures has been mentioned due to the similarities between the nodes.

typedef struct}

int PostTyp;

int PostID;

bool HasToken;

bool Visited;

{StartNode;

StartNode Start;

Given the fact that each node may contain several instances; an array from each

structure has been taken into the consideration

.

4.2 Workflow Elements

Using the elements introduced in the last section, we can define templates for the

different kinds of nodes in a workflow specification.

4.2.1 Start Node Template

After the condition of possessing the token became true, the Start node which has

received a C signal, will pass it to the next node. Then, token status will be marked false

but its own visited status will be marked true. Finally, in order to synchronize, it will send

a C signal on the channel to the next node. (See Fig. 6)

Fig.6. Start Node

As an example, the SetStartToken function changes HasToken field of the next node's to

True.

void SetStartToken(bool b){Start.HasToken=b;}



926

4.2.2 Activity Node Template

Like the Start Node, this process has to attend the activation. Then, variable t should

be set on zero and transfer the token to the next node. Working state, the Process rests at

the minimum time and maximum time. Then it marks the visited characteristic and the

next node's token true and its own token false. Finally, it sends a signal to the next node.

(See Fig.7)

Fig.7. Activity Node

4.2.3 And_Split Node Template

This process will simultaneously activate more nodes along the next one, therefore,

the signal will be sent twice and the token of the next two nodes will be marked True.

(See Fig.8)

Fig.8. And_Split Node

4.2.4 And_Join Node Template

And_ Join starts when both of the pervious nodes had been visited. In that case the

process will move to the next state. When the token of the next node is activated, the



927

status of the next token and the status of the visited one will be marked subsequently

False and True. Consequently a signal will be sent to the next node. ( See Fig.9)

Fig.9. And_Join Node

4.2.5 OR_Split Node Template

Unlike And_Split, the OR_Split process will only activate the next node. Thus, after

changing the status of its characteristic, it will change the status of one token of the next

nodes to True and will send it a C signal through synchronization channel. (See Fig.10)

Fig.10. OR_Split Node

4.2.6 OR_Join Node Template

OR_Join will start when not only when C signal is received and the status of the

token is True, but also when it finds one of the pervious nodes visited. In that case, the

token and the visited one will change their statuses, mark the next node's token as True,

and send a signal on Channel C for the next node.(See Fig.11)



928

Fig.11. OR_Join Node

4.2.7 End Node Template

While this process is activated, the token characteristic will be marked false and it will

enter the terminal state. From this stage on, the available token will disappear in the

workflow and none of the nodes will be working. (See Fig.12)

Fig.12. End Node

4.3 System Declaration

The system declarations are made after all the templates have been modeled. In this

part of the code the templates are instantiated into UPPAAL processes.

That is how the real amounts will be assigned to the structure of the fields related to each

node. After defining all templates, the system results will be announced.

System Start, Activity, And_Split, And_Join, OR_Split, OR_Join, End;

5. Verification and Evaluation of the Timed Workflow Model

In this section we are going to use UPPAAL to verify the most interesting properties

of the system we modeled.



929

Property 1) The terminal Node will be available in all routes.

A<> End.terminal

This characteristic which verifies the structure correctness will be evaluated True for the

given system. However, if OR_Join and And_Join change their places, this characteristic

will be overturned. The tools will identify the error position by trying a counterexample.

Property2) There is no deadlock in the system.

E<> deadlock

This characteristic was evaluated to be True. This will seem to be surprising at first

but closer observation will lead us to admit that the system will always end up in the

terminal state. Otherwise stating, the system always ends up in deadlock.

Property3) Test monitor will finally be carried out.

E<> Activity(4).final

This characteristic was evaluated to be True . We will study a characteristic here

which is apparently incorrect.

.Property 4) Both monitor test and computer tests activities could be implemented.

E<> Activity(3).final + Activity(4).final >1

We are directed toward a counterexample through not only the receiving tools but also

by the overturned characteristic. The OR_Split node will only result in the performance of

the one of the next nodes. Overturn of this characteristic is obvious.

Property5) Finally the data will be saved in the archive if check order activity is carried

out in the system.

Activity(0).final-->Activity(5).final

This characteristic was evaluated to be True .

Property 6) Check order activity will always precede get product activity.

Activity(2).working --> Activity(0).final



930

This characteristic was evaluated to be True .

Proprty7) Minimum time of the workflow

E<>End.terminal

To study the minimum time of the workflow, the tracking feature of the diagnostic

tool has been used to analyze the totaltime. The tool showed totaltime≥ 15 which is the

minimum time of the workflow. However, to verify the accuracy of the tool, the

following characteristic was checked.

Property 8) Workflow could be completed in less than 15 minutes.

A<>End.terminal and totaltime<15

This characteristic was evaluated to be False which confirms the correctness of the

pervious characteristic. But in more complex systems with a lot of splits and joins it will

be very complicated to do in that way. So in these cases UPPAAL can be a great help.

Model checking will study all possible states of the modeled system. One of the

critical issues of all model-checking approaches is the memory limitation problem. The

amount of memory used by the approach has been evaluated in Table 1.

Table1. Evaluation Result

Memory(KB) True/False Property

9,488 True 1

8,980 True 2

9,492 True 3

8,296 False 4

9,304 True 5

8,844 True 6

10,280 True 7

9,512 False 8

The results of the study indicated that this approach would use a small size of the memory

for the verification, and thus, could increase the reliability of the workflow systems.



931

6. Conclusion

The objective of the present approach is to enrich the workflow with required

templates for the current applications. In order to model and verify, this approach has

been concentrating on accuracy and validity issues by using timed Automata as an

accurate formal concept in specification of the concepts. Moreover, to verify the

characteristics of checking tools, tool checker of the UPPAAL model has been applied

where one characteristic of workflow and the requirements of the correctness have been

translated to state machine. Therefore, the requirements to design workflow system with

high levels of reliability have been meet. Using only one tool for verification of different

characteristics and easy translation of UPPAAL to other characteristics is one of the

privileges of this approach. The findings of the study confirm that this approach will

occupy a small size of the memory.

7. References

[1]. Y. Yang, L. Xiaohui, A Workflow Model with Temporal Logic Constraints and Its

Automated Verification, in Proc. of 9th

International Conference on Grid and

Cooperating Computing(GCC),2007.

[2]. P. Altenbernd, R. Milczewski, Description of Timing Problems Using Petri Nets for

Level-Independent Timing verification, in Proc. of Workshop on Timing Issues in

the Specification and Synthesis of Digital Systems (TAU),1993.

[3]. N. Adam, V. Atluri, W. Huang, Modeling and Analysis of Workflows Using Petri

Nets, International Journal of Intelligent Information Systems,Vol.10, pp.131-158,

1998.

[4]. I. Ober, S. Graf, validation of uml models via a mapping to communicating extended

timed automata, in Proc of 11th Workshop on Model Checking of Software, LNCS

2989,PP.127-145, 2004.

[5]. M. Kutatok, N. Szimpoziuma, Workflow Model Representation Concepts, in Proc.

7th International Symposium of Hungarian Researchers on Computational

Intelligence, PP.331-337.2003.

[6]. K.G, process modeling using petri nets, in Proc, of International Conference on

Computer Systems and Technologies, CompSysTech,2003.



932

[7]. J. Eder, E. Panagos, M. Rabinovich, time constraints in workflow Systems, in Proc.

of Conference on Advanced Information Systems Engineering, CAiSE, Vol.1626,

PP.286-300,1999.

[8]. T.S, Intuitive Mapping of UML 2 Activity Diagrams into Fundamental Modeling

Concept Petri Net Diagrams and Colored Petri Nets, in Proc. of 15th Annual IEEE

International Conference and Workshop on the Engineering of Computer Based

Systems (ECBS), PP.191-200, 2008.

[9]. Y. Abdeddaim, D. Masson, Real-Time Scheduling of Energy Harvesting Embedded

Systems with Timed Automata, in Proc. of International Conference on Embeded

and and Real-Time Computing System and Applications, RTCSA, PP. 19-22, 2012.

[10]. E. De Maria, A. Montanari, an automata -based approach to the verification of timed

workflow schemas, in Proc. of 6thProceedings of the Thirteenth International

Symposium on Temporal Representation and Reasoning, pp.87-94, 2006.

[11]. A.ALUR, Timed Automata, in Proc. of the 11th International Conference on

Computer Aided Verification, CAV, PP.8-22,1999.

[12]. E. Maria, A. Montanari, M. Zantoni, Checking Workflow Schemas with Time

Constraints Using Timed Automata, in Proc, of Workshop, OMMIS, Vol.3762,

PP.1-2, 2005.

[13]. J. Eder, E Panagos, H. Posewauing, M. Robinovic, Time Management in Workflow

Systems, in Proc. of 3th International Conference on Business Information Syste,

Springer Verlag, PP.265-280, 1999.

[14]. V. Gruhm, R. Laue, Using Timed Model Checking for Verifying Workflows, 2005.

[15]. S. Ling, C. Vic, Time Petri nets for workflow modeling and analysis, International

Conference on IEEE, ICSMC.2000.

[16]. P. Alternberd, R. Milczewski, verification of Timing Problems Using Petri Nets for

Level-Independent Timing Verification, In Proc. of Workshop on Timing Issues in

the Specification and Synthesis of Digital Systems ,1993.

[17]. J. Barnat, J. Cern, J. Tomoy, Timed automata approach to verification of systems

with degradation, MEMICS, In Proc. of international conference on Mathematical

and Engineering Methods in Computer Science,PP.84-93,2011.

http://academic.research.microsoft.com/Conference/550/caise-conference-on-advanced-information-systems-engineering

http://academic.research.microsoft.com/Conference/550/caise-conference-on-advanced-information-systems-engineering

http://ieeexplore.ieee.org/search/searchresult.jsp?searchWithin=p_Authors:.QT.Sea%20Ling.QT.&searchWithin=p_Author_Ids:37275861900&newsearch=true



933

[18]. J. ReinaldoSilva, Using Timed Petri nets for Modeling and Verification of Timed

Constraint Workflow Systems, in Proc. of Symposium series in mechatronic, 2008.

[19]. C. Cristina, Time Pattern in Workflow Management System, in Department of

Mathematics and Computer Science, 2011.

[20]. J. Eder , E. Panagos , M. Rabinovich, Constraint in Workflow Systems, In Proc. of

the 11 th International Conference on Advanced Information Systems Engineering,

CAiSE, 1999

[21]. V. Rafe, A. Ragmani, R.Rafe, Formal Analysis of UML2.0 Activities Using Graph

Transformation Systems, in Proc, if International Journal of Software Engineering

and Knowledge Engineering, Vol. 20, No. 5, PP.1-16, 2010.

[22]. H. Zhuge, T. Cheung, H. Pung, Workflow Process Model,in Proc.of Journal of

Systems and Software, 2001.

[23]. Y. Abdeddaim, OMaler, Scheduling with Timed Automata, 2003.

[24]. M. Bernardo, F. Corradini, A Tutorial on Uppaal, in Conference of School on

Formal Methods for the Design of Computer , pp. 200-236, 2004.

[25]. G. Fey, Assessing system vulnerability using formal verification techniques, in

Proc.7th international conference on Mathematical and Engineering Methods in

Computer Science .PP. 47-56, 2011.

[26]. Xian Yang, Rui Han, Yike Guo, Jeremy Bradley, Benita Cox, Robert Dickinson,

and Richard Kitney ,Modeling and Performance Analysis of Clinical Pathway Using

the Stochastic Problem Algebra Pepa, in Proc.BMC.BioInformatics,V.13, 2012.

http://academic.research.microsoft.com/Conference/1552/school-on-formal-methods-for-the-design-of-computer-communication-and-software-systems

http://academic.research.microsoft.com/Conference/1552/school-on-formal-methods-for-the-design-of-computer-communication-and-software-systems

http://dl.acm.org/author_page.cfm?id=81363591535&coll=DL&dl=ACM&trk=0&cfid=245943967&cftoken=88207498

http://www.ncbi.nlm.nih.gov/pubmed/?term=Yang%20X%5Bauth%5D

http://www.ncbi.nlm.nih.gov/pubmed/?term=Han%20R%5Bauth%5D

http://www.ncbi.nlm.nih.gov/pubmed/?term=Guo%20Y%5Bauth%5D

http://www.ncbi.nlm.nih.gov/pubmed/?term=Bradley%20J%5Bauth%5D

http://www.ncbi.nlm.nih.gov/pubmed/?term=Cox%20B%5Bauth%5D

http://www.ncbi.nlm.nih.gov/pubmed/?term=Dickinson%20R%5Bauth%5D

http://www.ncbi.nlm.nih.gov/pubmed/?term=Kitney%20R%5Bauth%5D

timed automata for workflow modeling and analysisscholarism.net/fulltext/20141326.pdfinternational...

Documents