Slides used in IFM09

1. 01
Property Specifications for
Workflow Modelling
Peter Wong, University of Oxford, UK
(Joint work with Jeremy Gibbons)
February 2009

2. 02
Overview
• Process Semantics for BPMN in CSP (ICFEM08, QSIC08)
• Augmented with relative timing information (FOCLASA08)
• BPMN is not a specification language
• Consider a generalisation of Dwyer et al.’s Property
Specification Patterns (PSP)
• Define a language PL to capture generalised PSP
• Translate into Lowe’s Bounded, Positive fragment of LTL (BTL)
• Translate BTL into CSP for refinement checks (FDR)
see: Example

3. 03
Problems
BPMN...
• describes the performance of behaviour
• difficult to describe refusal of behaviour in a context while
allowing its availability outside that context
Example requirement should also permit behaviour such as
Request Cancel before Book Seat!
see: Example

4. 04
Content
• Property Specification Patterns (PSP)
• Generalised PSP
• Our Approach
• Bounded Positive fragment of LTL (BTL)
• Refusal Traces Model and Semantics of BTL
• A Property Specification Language PL
– Patterns of Behaviour
– Property Specification
• Revisiting the Example

5. 05
Property Specification Patterns
PSPs describe the structure of commonly occurring requirements on
the permissible patterns of behaviour in finite states systems
Here we only consider occurrence patterns.

6. 06
Occurrence Patterns
• Absence – A given event does not occur within a scope
• Universality – A given event occurs at all times within a scope
• Existence – A given event occurs at least once within a scope
• Bounded Existence – A given event occurs a bounded number of
times within a scope

7. 07
Scopes
• Always – throughout all possible executions
• Before p – before the occurrence of the event p
• After q – after the occurrence of the event q
• Between p and q – between the occurrence of the events p and q
• After p until q – after the occurrence of the event p until q, but
q need not happen

8. 08
Issue
• Patterns have been expressed in a range of formalisms
(LTL,CTL...) but not for refinement setting (CSP).
• We provide a generalisation of the patterns in process-algebraic
settings
For example: The parallel execution of task A and either task D or
task E cannot happen after task B and before task C

9. 09
Occurrence Patterns (generalised)
• Absence – A given pattern of behaviour does not occur within a
scope
• Universality – A given pattern of behaviour occurs at all times
within a scope
• Existence – A given pattern of behaviour occurs at least once
within a scope
• Bounded Existence – A given pattern of behaviour occurs a
bounded number of times within a scope

10. 10
Scopes (generalised)
• Always – throughout all possible executions
• Before p – before the occurrence of the pattern of behaviour p
• After q – after the occurrence of the pattern of behaviour q
• Between p and q – between the occurrence of the patterns of
behaviour p and q
• After p until q – after the occurrence of the pattern of behaviour
p until q, but q need not happen

11. 11
Our Approach
• Define a small property specification language PL to capture
generalised PSP
• Translate from PL to bounded, positive fragment of LTL (BTL)
• BTL can be automatically translated into CSP for simple
refinement checks

12. 12
Content
√
• Property Specification Patterns (PSP)
√
• Generalised PSP
√
• Our Approach
⇒ • Bounded Positive fragment of LTL (BTL)
• Refusal Traces Model and Semantics of BTL
• A Property Specification Language PL
• Patterns of Behaviour
• Property Specification
• Revisiting the Example

13. 13
Bounded, Positive Fragment of LTL (BTL)
The grammar of BTL (for all a ∈ Σ)
e, f ∈ BTL ::= e ∧ f | e ∨ f | e | Pe | e R f | a | ¬a |
available a | true | false | live | deadlocked
• a – the event a is available to be performed initially, and no
other events may be performed;
• available a – the event a must not be refused initially, and
other events may be performed;
• live and deadlock – the system is live (equivalent to a)
a∈Σ
or deadlocked (equivalent to a∈Σ ¬a), respectively;
• true and false – logical formulae with their normal meanings.
N.B. Does not capture eventually ( ) and until (U) and negation (¬).

14. 14
Semantics of BTL for Refinement Checks
• Stable Failures is not suitable
• Requires a finer model – Refusal Traces RT [Mukarram 93]
• P |= e where e is a BTL expression, if and only if
Spec(e) RT P where Spec(e) is the CSP specification for e.
A refusal trace is an alternating sequence of refusal information and
events, of the form
X 1, a1, X 2, a2, . ., Xn, an, Σ
where each Xi is a refusal set, and each ai is an event: this represents
that the process can refuse X 1, perform a1, refuse X 2, perform a2,
etc.
see: Failures and Eventually

15. 15
Content
√
• Property Specification Patterns (PSP)
√
• Generalised PSP
√
• Our Approach
√
• Bounded Positive fragment of LTL (BTL)
√
• Refusal Traces Model and Semantics of BTL
⇒ • A Property Specification Language PL
• Patterns of Behaviour
• Property Specification
• Revisiting the Example

16. 16
Patterns of Behaviour
SPL – A Sublanguage of PL
P ∈ SPL ::= P P |P P | a → P | End where a ∈ AF
::= e | available e | live where e ∈ Σ
AF
• specifies nondeterministic systems
• introduces the nondeterministic interleaving ( ) operator
• End has empty semantics – RT SPL [[End ]] = ∅

17. 17
Nondeterministic Interleaving
In CSP for any events a and b:
a → Skip b → Skip a → Skip
RT
but not
a → Skip ||| b → Skip a → b → Skip
RT
Since
a → Skip ||| b → Skip ≡ a → b → Skip P b → a → Skip
• Need an operator to specify concurrent behaviour without
determining their orders
• Especially useful when applying in our relative timed model of
BPMN.

18. 18
Nondeterministic Interleaving
The process P Q communicates events from both P and Q
nondeterministically.
If P = p → P and Q = q → Q then
Q = (p → (P (q → (P
P Q)) Q )) [ -step]
also:
End Q =Q [ -End]
Note is both commutative and associative and is defined in terms
of and →.

19. 19
From SPL to BTL
• translate SPL to BTL∗ inductively
pattern : SPL → BTL∗
• BTL∗ is BTL augmented with the atomic formula ∗
(RT SPL [[End ]] = RT BTL∗ [[ ∗ ]] = ∅)
• convert BTL∗ back to BTL, we simply remove ∗ according to the
following equivalences:
φ∨∗≡φ
∗∧φ≡φ
φ∧ ∗≡φ
see: Formalising SPL in Temporal Logic

20. 20
Example
Given a pattern of behaviour (a → End ) (b → End ) we get the
following BTL expression φ = (a ∧ b) ∨ (b ∧ a), which can be
automatically translated into CSP:
Spec = let
Spec0 = b → Spec2
Spec1 = a → Spec3
Spec2 = a → Spec4
Spec3 = b → Spec4
Spec4 = Stop ( x : Σ • x → Spec4)
in Spec0 Spec1
Moreover,
a → b → Stop
Spec RT
a → Stop ||| b → Stop
Spec RT

21. 21
Content
√
• Property Specification Patterns (PSP)
√
• Generalised PSP
√
• Our Approach
√
• Bounded Positive fragment of LTL (BTL)
√
• Refusal Traces Model and Semantics of BTL
⇒ • A Property Specification Language PL
√
• Patterns of Behaviour
⇒ • Property Specification
• Revisiting the Example

22. 22
Property Specification Language – PL
for all p ∈ SPL, n ∈ N1 , b ∈ Bound and s ∈ Scope
• Abs(p, s) – absence of behaviour p in scope s
• Un(p, s) – universality of behaviour p in scope s
• Ex(p, n, s) – existence of behaviour p within subsequent n states
from the start of scope s
• BEx(p, b, s) – existence of behaviour p with bound b in scope s
N.B. state is in the sense of a transition system of a CSP process
describing a BPMN diagram: a graph showing the states it can go
through and actions, each denoted by a single CSP event, that it
takes to get from one to another.

23. 23
Scopes
• always – throughout all possible execution
• before(p, n) – before behaviour p if p happens in nth state from
the start.
• after p – after of behaviour p
• between p and (q, n) – between behaviour p and q if q happens
in nth state after p
• from p until (q, n) – after behaviour p and before q if q happens
(not necessary) in nth state after p
see: Bounded Existence

24. 24
Content
√
• Property Specification Patterns (PSP)
√
• Generalised PSP
√
• Our Approach
√
• Bounded Positive fragment of LTL (BTL)
√
• Refusal Traces Model and Semantics of BTL
√
• A Property Specification Language PL
√
• Patterns of Behaviour
√
• Property Specification
⇒ • Revisiting the Example

25. 25
Revisiting the Example
Use the absence pattern “the absence of p between some behaviour q
and r ”
Abs(Cancel , between bookseat → End and(sendinvoice → End , 2))
where the pattern of behaviour Cancel is defined as follows:
Cancel = requestcancel → End reservetimeout → End
See if the diagram satisfies this property by checking the following
refusal traces refinement assertion using the FDR tool.
Agent N
Spec RT
where N = Σ { bookseat, requestcancel , reservetimeout, sendinvoice }
see: Travel Agent, Requirement and Spec

26. 26
Summary
• Generalised PSP to specify patterns of behaviour
• Defined PL to capture the generalised PSP
• Translated PL into BTL
• Implemented a prototype in Haskell

27. 27
Thank You
Web site: http://www.comlab.ox.ac.uk/peter.wong/
Email: peter.wong@comlab.ox.ac.uk

28. 28
Summary
• Overview
• Problems
• Content
• Property Specification Patterns
• Occurrence Patterns
• Scopes
• Issue
• Occurrence Patterns (generalised)
• Scopes (generalised)
• Our Approach
• Content
• Bounded, Positive Fragment of LTL (BTL)

29. 29
• Semantics of BTL for Refinement Checks
• Content
• Patterns of Behaviour
• Nondeterministic Interleaving
• Nondeterministic Interleaving
• From SPL to BTL
• Example
• Content
• Property Specification Language – PL
• Scopes
• Content
• Revisiting the Example
• Summary

30. 30
• CSP
• CSP
• CSP
• CSP
• Travel Agent
• Requirement
• Requirement
• Unsuitability of the stable failures
• Impossibility of eventually , U and negation
• Formalising SPL in Temporal logic
• Formalising SPL in Temporal logic
• Bounded Existence – Preliminaries
• Bounded Existence

31. 31
• Bounded Existence
• Example – “The bounded existence of p after q”
• Corresponding CSP specification...

32. 32
Index
2 Overview
3 Problems
4 Content
5 Property Specification Patterns
6 Occurrence Patterns
7 Scopes
8 Issue
9 Occurrence Patterns (generalised)
10 Scopes (generalised)
11 Our Approach
12 Content
13 Bounded, Positive Fragment of LTL (BTL)

33. 33
14 Semantics of BTL for Refinement Checks
15 Content
16 Patterns of Behaviour
17 Nondeterministic Interleaving
18 Nondeterministic Interleaving
19 From SPL to BTL
20 Example
21 Content
22 Property Specification Language – PL
23 Scopes
24 Content
25 Revisiting the Example
26 Summary

34. 34
28 Summary
29 Index
30 CSP
31 CSP
32 CSP
33 CSP
34 Travel Agent
35 Requirement
36 Requirement
37 Unsuitability of the stable failures
Impossibility of eventually , U and negation
38
39 Formalising SPL in Temporal logic
40 Formalising SPL in Temporal logic

35. 35
41 Bounded Existence – Preliminaries
42 Bounded Existence
43 Bounded Existence
44 Example – “The bounded existence of p after q”
45 Corresponding CSP specification...

36. 36
CSP
The grammar of CSP.
P , Q ::= P ||| Q | P |[ A ]| Q | P Q | P A | P Q|
P Q | P P Q | P o Q | e → P | Skip | Stop
9
• Skip, Stop - termination, deadlock;.
• e → P - prefixing;
• P o Q - sequential composition.
9

37. 37
CSP
The grammar of CSP.
P , Q ::= P ||| Q | P |[ A ]| Q | P Q | P A | P Q|
P Q | P P Q | P o Q | e → P | Skip | Stop
9
• P ||| Q - interleaving;
• P |[ A ]| Q - partial interleaving;
•P Q - parallel composition.

38. 38
CSP
The grammar of CSP.
P , Q ::= P ||| Q | P |[ A ]| Q | P Q | P A | P Q|
P Q | P P Q | P o Q | e → P | Skip | Stop
9
• P A - hiding;
•P Q - interrupt;
• P P Q - external choice.
•P Q - internal choice.

39. 39
CSP
The grammar of CSP.
P , Q ::= P ||| Q | P |[ A ]| Q | P Q | P A | P Q|
P Q | P P Q | P o Q | e → P | Skip | Stop
9
• We write P i : { 1 . . n } • P (i ) to denote P (1) P . . P P (n),
similarly for operators , ||| and ;
• Our semantic definition uses Stable Failures F;
• Formal verification via refinement checks;
• FDR - automated CSP model checker.

40. 40
Travel Agent
see: Introduction and Revisit

41. 41
Requirement
Property : Agent must not allow cancellation after booking if invoice
is to be sent.
see: Introduction, Problems and Revisit

42. 42
Requirement
Property : Agent must not allow cancellation after booking if invoice
is to be sent.
Try checking this: Agent N Requirement ?
F
see: Introduction and Problems

43. 43
Unsuitability of the stable failures
F[[available a]] = { ( , X ) | a ∈ X } ∪ { (tr , X ) | tr = ∧ X ∈ PΣ}
/
F[[ available a]] =
{ ( b , X ) | b ∈ Σ ∧ a ∈ X } ∪ { (tr , X ) | #tr = 1 ∧ X ∈ P Σ }
/
F[[available a ∨ available a]] =
F[[available a]] ∪ F[[ available a]] =
{ (tr , X ) | tr ∈ Σ∗ ∧ X ∈ P }
i.e. available a ∨ available a is satisfied by every process!
see: Semantics of BTL

44. 44
Impossibility of eventually , U and negation
Suppose P |= a if and only if Spec RT P where Spec is the CSP
specification for a. Spec would have the refusal trace
Σ {b}, b n •, a for all n. However RT is prefixed-closed
therefore it would also have the refusal trace Σ {b}, b n for all n
and this is satisfied by the process P = b → P !
Also since φ = true U φ and φ = ¬(P¬φ)
see: Semantics of BTL

45. 45
Formalising SPL in Temporal logic
• translate SPL to BTL∗
• convert BTL∗ back to BTL
SPL to BTL∗
pattern(End ) = ∗
pattern(a → P ) = atom(a) ∧ (pattern P )
pattern(P Q) = pattern(P ) ∨ pattern(Q)
pattern(P Q) = pattern(npar (P , Q))
where
atom(available t) = available (event(t))
atom(live) = live
atom(t) = event(t)
see: SPL

46. 46
Formalising SPL in Temporal logic
npar (End , End ) = End
npar (End , Q) = Q
npar (P , End ) = P
npar (P , Q) = ( (a, X ) : initials(P ) • a → npar (X , Q))
( (a, X ) : initials(Q) • a → npar (X , P ))
where i : I • P (i ) denotes the nondeterministic choice of a set of
indexed terms P (i ) where i ranges over I .
initials(P Q) = initials(P ) ∪ initials(Q)
initials(P Q) = initials(npar (P , Q))
initials(a → P ) = { (a, P ) }
initials(End ) = ∅
see: SPL

47. 47
Bounded Existence – Preliminaries
We extend BTL to BTLδ to include two new operators ¡ and U
£
such that:
ψ Un φ = ( nextsi∗states(ψ) (φ ∨ ψ)) ∧ nexts(n−1)∗states(ψ) φ
i∈{ 0..n−2 }
where
• states(φ) returns one minus the furthest state the expression φ
i
• nextsi ψ = ψ for i ∈ N
n
• nextφ ψ = ψ where n = states(φ)
Note : ¡ n φ = true U n φ
£

48. 48
Bounded Existence
• The global existence p with bound b – bound (p, false, b);
• The existence of p with bound b before some behaviour q –
¡ n q ⇒ ¬q U n−getbound(b)∗states(p) bound (p, q, b)
£
• The existence of p with bound b after some behaviour q –
P(q ⇒ nextq (bound (p, q, b)))
• The existence of p with bound b between behaviour q and r –
P(q ⇒
(nextq ¡ n r ⇒ (bound (p, r , b) ∧ bound (p, r , b) R ¬r ∧ r R ¬q)))
£
where n > getbound (b) ∗ states(p)
• The existence of p after behaviour q until r –
P(q ⇒ (nextq ¬r U 1 bound (p, r ∨ q, b)))

49. 49
Bounded Existence
bound (p, q, b) is defined as follows :
• (= n) – p) ∧ nextsn∗states(p) (q R ¬p)
i∈{ 0..n−1 } (nextsi∗states(p)
• (≥ n) – i∈{ 0..n−1 } (nextsi∗states(p) p)
• (≤ n) – nextsn∗states(p) (q R ¬p)
and getbound (b) for some bound b denotes the number part of the
value.

50. 50
Example – “The bounded existence of p after q”
Property – Either task A or C has to occur followed by either one of
them again after Task B has occurred.
Spec = let
Spec0 = Proceed ({ b }, Spec0 Spec1)
Spec1 = b → (Spec2 Spec3)
Spec2 = c → (Spec4 Spec5)
Spec3 = a → (Spec4 Spec5)
Spec4 = c → (Spec6 Spec7)
Spec5 = a → (Spec6 Spec7)
Spec6 = Proceed ({ a, b, c }, Spec6 Spec7)
Spec7 = b → (Spec2 Spec3)
in Spec0 Spec1
( x : Σ X • x → P)
where Proceed (X , P ) = Stop Skip

51. 51
Corresponding CSP specification...
Spec0 = Proceed ({ bookseat }, Spec0 Spec1)
Spec1 = bookseat → (Spec2 Spec3 Spec4 Spec5 Spec6)
Spec2 = Proceed ({ bookseat, sendinvoice }, Spec7 Spec1)
Spec3 = sendinvoice → (Spec0 Spec1)
Spec4 = bookseat → (Spec2 Spec4 Spec8 Spec9)
Spec5 = Proceed ({ bookseat, requestcancel , reservetimeout }, Spec3)
Spec6 = bookseat → (Spec3)
Spec7 = Proceed ({ bookseat, sendinvoice }, Spec0 Spec1)
Spec8 = let poss = { bookseat, requestcancel , reservetimeout, sendinvoice }
in Proceed (poss, Spec3)
Spec9 = bookseat → (Spec3)
Spec = Spec0 Spec1
see: Revisit