A Refinement based Verification Approach of BPMN Models using
NuSMV
Salma Ayari
1
, Yousra Bendaly Hlaoui
2
and Leila Jemni Ben Ayed
3
1
University of Sfax, FSEGS, Tunisia
2
University of Tunis Manar, FST, Tunisia
3
University of Mannouba, ENSI, Tunisia
University of Tunis, Latice Laboratory, ENSIT, Tunisia
Keywords:
Refinement, BPMN, Verification, LTL, NuSMV.
Abstract:
Modeling complex workflow systems, using BPMN (Business Process Modeling Notation), is going increasing
attention by all interested researches in distributed field. The step-wise refinement technique facilitates the
understanding of complex systems by dealing with the major issues before getting involved in the details. In
this paper, we propose a verification technique based on refinement BPMN process which allows to model
an application by refinement and to induce gradually required properties at each level from the abstract to
the concrete one. We introduce refinement patterns allowing the design of a complex application at dierent
abstract level. Hence, a formal semantics for BPMN models based on Kripke structure and BPMN refinement
patterns will be provided for a formal verification of this correctness. This verification is ensured automatically
by NuSMV model Checker based on a BPMN language to NuSMV language transformation. The refinement
correctness are expressed as refinement safety properties specified with LTL (Linear Temporal Logic).
1 INTRODUCTION
BPMN(Business Process Modeling and Notati-
ons)(Allweyer, 2010) language is an ISO standard in-
vented to express business processes. This notation
is supported by a number of tools like Bizagi (OMG,
2009), Bonita (Bonitasoft, 2009), jBPM(Hat, 2017),
and Intalio (Zamfir, 2011). Such tools oer a support
for checking BPMN model syntactical errors. Ho-
wever, semantic errors remain undetected during the
design time due to the lack of BPMN semantics which
are ambiguous and not concise. Therefore, to detect
BPMN model semantic errors, it well be proposed,
in this paper, a formal semantics for BPMN models
based on Kripke structure (Read, 1999).
In addition, to carry out their missions in a highly
competitive context and in order to deal with mar-
ket changes, companies, increasingly, need to manage
complex processes, which is a hard task that cannot be
done in one step. These processes must ensure facili-
tate, evolution and adaption to changes. The evolution
which will be discussed here about, is the gradual de-
velopment of the process, especially from a simple to
a more complex one.
It will be proposed, in this paper, a stepwise re-
finement approach that facilitates the understanding
and therefore the good development of such complex
systems. The refinement deals with the major issues
of the system to develop before getting involved in
the details(Younes et al., 2013). This may be implied
by the use of dierent refinement patterns modeling
the semantic details to add in the dierent levels to be
more semantically enriched. After studying and analy-
zing the semantic details that should enrich the more
abstract model, four refinement patterns will be deve-
loped which specifies all alternative semantics such
as sequence pattern, exclusive pattern, parallel pattern
and iterative pattern. At each refinement step and after
inculcating one or more refinement patterns, proofs
must be verified if that the performed refinement pre-
serves the previous abstract model requirements in
addition of the current more concrete requirements.
These requirements are syntactic and semantic design
requirements. The syntactic requirements are chec-
ked by the design tool, as mentioned above, but the
checking of semantic ones represents the object of this
work. These requirements are specifyed as behavio-
ral properties of the entire system which should be
Ayari, S., Hlaoui, Y. and Ayed, L.
A Refinement based Verification Approach of BPMN Models using NuSMV.
DOI: 10.5220/0006914105290540
In Proceedings of the 13th International Conference on Software Technologies (ICSOFT 2018), pages 529-540
ISBN: 978-989-758-320-9
Copyright © 2018 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved
529
satisfied by the more abstract BPMN model and then
by all refined models throughout the dierent refine-
ment levels. It is interested in this paper to specify and
to check automatically system safety properties using
NuSMV (Cimatti et al., 2000). For the verification
of semantic requirement preservation, using NuSMV,
the requirements are often specified as LTL proper-
ties using the Linear Temporal Logic (LTL) (Pnueli,
1977). The NuSMV code is semantically equivalent to
a Kripke Structure. This is why this paper is based on
a kripke structure to propose a formal semantics for
BPMN. The originality of our contribution is about the
reliable refinement of BPMN processes that eases the
business process designer
'
s task and makes the busi-
ness process specification more accurate and concise.
This contribution could be summarized as follows:
Definition of refinement patterns. In this paper, it
is proposed to create a BPMN process using an
incremental development based on successive mo-
del semantic refinements. Also, it will be defined
here a set of refinement patterns formally, as refi-
nement operators, which will be used to formalize
the BPMN model safety properties.
Formalization of BPMN semantics. A formal defi-
nition of BPMN semantics using the formal seman-
tics of NuSMV which is based on Kripke structure
will be proposed. This definition allows the formal
specification (LTL formulae) of the safety proper-
ties that the BPMN models should satisfy to ensure
its correctness and reliability.
Transformation of BPMN models to NuSMV mo-
dels. To check, automatically, the LTL safety pro-
perties, we apply a transformation which is based
on the formal semantics of BPMN and NuSMV
languages where both of them are described using
Kripke structure. The common use of the Kripke
structure facilitates the transformation and preser-
ves, intrinsically, the semantics of the transformed
models.
This paper is organized as follows:
Section 2 discusses related works. Section 3, 4, 5 and
6 defines the BPMN formalization and the notion of
transformation in terms of refinement. Section 7 gives
preliminaries which are mandatory for our approach.
Section 8 and 9 describes the evaluation of our appro-
ach over an example. Section 10 discusses the metric
of the change. And finally, section 11 concludes the
paper.
2 RELATED WORKS AND
DISCUSSION
Dierent works has been elaborated in the field of
BPMN specification and verification:
Based on Petri Net (PN) (Petri and Reisig, 2008)
for studying the behavior of BPMN models, aut-
hors in (Dijkman et al., 2008), (Ramadan et al.,
2011) and (Van Der Aalst and Ter Hofstede, 2005)
propose a mapping from BPMN to PN, CPN and
Yawl to check the semantic correctness of models.
According to (Kluza et al., 2011) and (Dijkman
et al., 2008) errors revealed in the YAWL model
can not be easily tracked in the BPMN model and
the verification of YAWL is computationally more
complex than the verification on PN. PN is for-
med with a mathematical formalism that defines
its structure and its rules of firing. It can be a po-
werful tool and easy to understand. However, PN
tend to become large even for relatively small sys-
tems. The lack of hierarchical composition makes
it dicult to specify and understand complex sy-
stems using the conventional model(PN) (Cort
´
es
et al., 2003). PN models have limitations in their
inability to test for exactly a specific marking in an
unbounded place and to take action on the outcome
of the test (Choi, 1994).
Based on Process algebras, authors in (Raedts et al.,
2007) propose to automatically transform BPMN
models to PN. Subsequently, the PN models are
transformed into mCRL2 (Groote et al., 2005), a
process algebraic language. Also authors in (Capel
and Mendoza, 2012) propose that a process algebra
can be a formal description language for BPMN
processes.
Based on Automaton : The classical Finite State
Machine (FSM) is a basic model of formal spe-
cifications and the most well-known model used
called a transition system with a finite set of states.
Authors in (Morales, 2013) present a set of guide-
line to transform BPMN models to timed automata
(TA) which is made of a finite automaton based
structure and a set of clocks and performing model
checking with UPPAAL (Behrmann et al., 2004).
Authors in (Kherbouche et al., 2012), use a kind
of transition system with a few specific characte-
ristics called Kripke Structure. Despite that FSM
has lack of expressiveness and the state explosion
problem might be a limitation from practical re-
presentation of complex control behavior, Kripke
structure has a strong point is that it’s an input
semantic language of several model checkers like
Mcheck (Sember, 2005), MlSolver (Oliver and
ICSOFT 2018 - 13th International Conference on Software Technologies
530
Martin, 2008), Xspin (Ruys, 1999), UPPAAL, Ca-
dence(Mir et al., 2000), etc and more precisely
NuSMV. In addition to that it can be tested with a
temporal logic requirements. Most of this model
checkers are carried out automatically. All of this
points make the model checker well adapted to
large scale industrial projects. The adaptability of
a business process is an essential requirement for
businesses to cope with the dynamic nature of their
environments. Flexibility and variability are the
words in the 21st century (Bulanov et al., 2011).
However, implementing flexibility and variability
is not an easy task. The business processes need to
change, while they still have to comply with a set
of requirements (Sam, 2014). Here a change that
is to be discussed named
refinement
. A business
will be able to prove that a process will still comply
with the requirements after a certain change imp-
lied by the
refinement
. Companies will be able to
check, in advance, if they can change their busi-
ness process in such way that they can meet a new
demand from the changing market (Sam, 2014).
In our Contribution, dierently to what was done,
several aspects should be addressed and focused
like:
1.
NuSMV : which is used to analyze BPMN mo-
dels and can provide a semantics for BPMN in
order to verify this model and whether BPMN
satisfy properties formalized in LTL. The more
automatic approach in formal verification is
the model checking and can produce counter-
examples that represent subtle errors or interes-
ting execution paths (compare with the theorem
proving). The verification is fully exhaustive.
Our formal semantic representation of BPMN
processes is finite and not too big, so there is
nothing to be scared o from the state explosion
problem.
2.
Programs are complex. In addition to that, re-
search on flexibility and variability of process
changes continue to generate growing interest
from industry and the community for more than
twenty years (Rajabi and Lee, 2010), (Reijers,
2006). We are the only ones to study that beha-
vior with a dierent succession of layers which
must be equivalent. So their contribution which
constitutes a correct implementation is weaker
than ours.
3 A NEW METHODOLOGY FOR
THE SPECIFICATION AND
THE VERIFICATION OF
BUSINESS PROCESSES
The proposed approach for the verification of BPMN
models is shown in figure 1. The first part of the
application is the configuration loader, where the XML
files, for the abstract and the refinement (with a kind
of pattern), are parsed into their models. It takes both
the abstract view and the refinement view from the
configuration loader and convert each one to Kripke
Structure. Once this is done the LTL property’s file and
the Kripke Structure are converted to the input format
of the NuSMV model checker. The model checker
verifies the requirements and return a counterexample
if they are false.
Figure 1: Refinement and verification of BPMN.
4 SPECIFICATION BPMN
The Business Process Modeling and Notation is the
standard for modeling business process flows proposed
by the Object Management Group (OMG).
For the purpose of our refinement process, a BPMN
specification can be simplified by discarding all layout
information.
Definition 1.
(BPMN specification definition:) Let
BP =(O,Sf,Art) be a Business process with :
O
=
O
Event
O
Activity
O
Gateway
is a set of objects
with :
1. O
Event
=
ε
S
ε
I
ε
E
, i.e.the set of events partiti-
oned into the disjoint subsets start, intermediate
and end events.
2. O
Activity
=
O
T ask
O
subprocess
, i.e. the set of
activities partitioned into the disjoint subsets
task atomic activity and sub-process.
A Refinement based Verification Approach of BPMN Models using NuSMV
531
3. O
Gateway
=
O
P
O
Ex
O
In
, i.e. the set of gate-
ways partitioned into the disjoint subsets paral-
lel, exclusive(XOR) and exclusive(Or) gateways.
Sf
is a set of sequence flow or connecting of flow
Objects.
Art
is the set of artifacts used to provide additional
information.
The BPMN specification is extended with a function T:
O T
prepost
. With :
T is a type of artifact and can be presented as a textual
tag that is added on flow objects.
T
prepost
Art =
T
pre
T
post
is a set of pre and post-conditions for
objects. It is necessary to remind that
T
pre
and
T
post
will be replaced by pre and post throughout this paper.
This new sets will be used in our refinement patterns.
Sf
(
Pre(A
i
), A
i
, Post(A
i
)
)
×
(Pre(A
i+1
), A
i+1
, Post(A
i+1
)), A
i
, A
i+1
O 0 i n 1.
5 TRANSFORMATION PROCESS
The main of this paper introduces a method for the
preservation of invariant and desirable properties un-
der refinement. The property can be formalized as
the behavior of the
BP
i1
which satisfy the formula
P
i1
.
P
i1
is called the safety property of the abstract
process and, by refinement of BP
i1
using refinement
patterns a BP
i
is given which satisfy another safety
property
P
i
. A
BP
i1
implements another
BP
i
if it
was given a correspondence between them called
P
re f
i
.
P
re f
i
is the translation property which is the resulting
from the change of variables for refinement. The acti-
vity from the abstract level must be refined by using
a refinement pattern and this refinement match the ab-
stract one in the sense of preserving a linking property
P
LinkRe f
i
who captures how the two models(abstract
and refinement models) are related.
This paper investigates a special type of transformation
to extend the standard BPMN with a set of refinement
patterns shown in figure 2.
Figure 2: Refinement in BPMN.
6 REFINEMENT PATTERNS IN
BPMN
The sequential refinement pattern (depicted by
>
) de-
fines a sequential behavior. The result of applying it
consists of a set of activities N (N
2) that performs
one activity first, followed by another activity, in se-
quence, one after the other. This pattern is presented
in figure 3(a).
The parallel refinement pattern (depicted by ) de-
fines a parallel behavior. The result of applying it
consists of a set of activities N (N
2) that performs
the concurrent execution, independently of each ot-
her, by the disjoint union of activities after a parallel
gateway. This pattern is presented in figure 3(b).
The exclusive choice refinement pattern (depicted
by [])defines a conditional behavior. Among the dif-
ferent possible activities N which can be executed(N
2), One activity is selected based on a specific condi-
tion. Once this activity is executed, the other activities
cannot be reached anymore. This pattern is presented
in figure 3(c).
The iterative loop refinement pattern (depicted by
yN
) defines a single activity which is iterated until N
(boolean number) will be equal to zero. This pattern is
presented in figure 3(d).
7 PRELIMINARY
The following definitions, briefly explain the needed
semantic appropriate for the formal description of
BPMN processes and the refinement transformation.
According to (Von Stackelberg et al., 2014), a task
(or sub-process) is the only flow element which may
have both data needs and data results. A precondition
summarizes data needs of an activity. Analogously to
the precondition, an activity may have post-condition,
representing alternative data results.
The safety property of a process BP mentioned
before representing the precondition predicate from
which the process is guaranteed to terminate and result
in a state satisfying the post-condition(figure 4).
Definition 2.
(Safety property:) For functions Pre and
Post over an object A O
Activity
in BPMN :
P ˆ=(pre(A) post(A)).
The symbol ˆ= is read ”is defined to be equal”.
Definition 3.
(Property for the refinement:) A
BP
i1
with a specification property
P
i1
implements a
BP
i
with a specification property
P
i
and by preserving
the linking property
P
LinkRe f
i
, if a correspondence
ICSOFT 2018 - 13th International Conference on Software Technologies
532
Figure 3: Refinement pattern examples.
Figure 4: BPMN Object with pre & post-conditions.
between them is given and called P
re f
i
.
P
re f
i
ˆ=P
LinkRe f
i
P
i1
P
i
, i [1 · · · n].
Definition 4.
(Refinement Mapping:) Each state ob-
ject belonging to the set
O
i+1
of the refined process
BP
i+1
depends on the state object of the abstract pro-
cess
BP
i
belonging to the set
O
i
in terms of a function
mapping f
i
at each refinement level where 0
i
n-1
such that :
f
i
: BP
i
-> BP
i+1
A refinement from a specification BP
i
(O
i
, S f
i
, Art
i
)
to a specification BP
i+1
(O
i+1
, S f
i+1
,Art
i+1
) is a map-
ping.
f
i
defined by the following inductive rules :
1. f
i
(
O
i
)
op
× O
i+1
where op is the operator for
the refinement patterns which can be the sequence
pattern (
>
), the parallel pattern (
), the inclusive
pattern ([])or the loop pattern (yN).
For the example illustrated in figure 5:
O
0
= A
0
, f
0
(A
0
) = ( > ,{A
01
,A
02
,A
03
}).
O
1
= A
01
, f
1
(A
01
) = ([],{A
011
,A
012
}).
2. f
i
(S f
i
) =
pre(A
0
), (>, {A
0
, · · · , A
N
}), post(A
N
),
(
A
j∈{0..N}
pre(A
j
)), (, {A
0
, · · · , A
N
}), (
A
j∈{0..N}
post(A
j
)),
(
A
j∈{0..N}
pre(A
j
)), ([], {A
0
, · · · , A
N
}), (
A
j∈{0..N}
post(A
j
)),
((pre(A
0
) N), (y N,{A
0
}), (post(A
0
) ¬N), N Bool
for
A
j
j∈{0..N}
O
i+1
For the example illustrated in figure 5 we have :
f
0
(
S f
0
) =
pre
(
A
01
)
,
(
>, {A
01
, A
02
, A
03
}
)
, post
(
A
03
);
f
1
(
S f
1
) =
pre
(
A
011
)
pre
(
A
012
)
,
([]
, {A
011
, A
012
}
)
, post
(
A
011
)
post(A
012
).
3. f
i
(P
i
) (P
re f
i+1
) with :
f
i
(P
i
) = P
LinkRe f
i+1
P
i
P
i+1
For the example illustrated in figure 5 we have :
f
0
(
P
0
) = ((
pre
(
A
0
) =
Pre
(
A
01
))
pre
(
A
01
)
(post(A
03
) (post(A
0
) = post(A
03
)).
For the example illustrated in figure 5 we distin-
guish three refinement patterns: sequence, exclusive
and iterative loop patterns.
By referring to the works of (Hlaoui and Ayed, 2010),
the formal semantics for an Activity in BPMN is de-
fined as follows : as it is illustrated in figure 6, when
A Refinement based Verification Approach of BPMN Models using NuSMV
533
Figure 5: Illustration of the refinement process with refinement patterns for a BP.
the transition of the activity A is fired (
t-A fired
), it
assigns the instance of this activity by the in event
then the activity A is enabled. Once it is enabled(
t-A
enabled
), its out event occurs and the transition (
t-A
end
) is executed. Each state with in is labeled with
the precondition pre and each state with out is labeled
with the post-conditionpost.
The semantics of BPMN process specifications with
Figure 6: Semantic states for BPMN.
refinement patterns are defined in terms of Kripke
structure. It is represented as an automaton and modi-
fied with helpful information by adding some atomic
properties to its states. In Kripke structure, the nodes
represent states of the system and edges represent state
transitions.
Definition 5.
(Kripke Structure:) A Kripke structure
is K = (S , I , T ,
) (Kherbouche et al., 2012) where:
S is a finite non-empty set of states,
I S is a set of initial states,
T is a transition relation between states such as T
S × S and
: S
2
AP
assigns truth values to the set of
atomic propositions(AP).
Figure 7 shows an example of a Kripke structure.
We give AP =
{
p,q
}
a set of atomic propositions which
present arbitrary boolean properties. K = ( S , I , T ,
) where :
S = {s
0
, s
1
, s
2
} ,
I = {s
0
} ,
T = {(s
0
, s
1
), (s
1
, s
2
), (s
2
, s
2
)} and
such that :
(s
0
) = {p},
(s
1
) = {p, q} and
(s
2
) = {q}.
S
0
start
{p}
S
1
{p,q}
S
2
{q}
Figure 7: Kripke Structure.
As it was explained before, this structure will be
used in order to illustrate the utilization of the defined
semantics for a BP.
The semantic description is the behavior of the busi-
ness process depicted by the instantiate function of
flow object (Fo) and more precisely of the activity
(task or sub-process) which shows the steps of work
performed in a process. The behavior is presented by
a sequence of permitted states {in, out} S.
Definition 6.
(A proposition of a formal semantic
using the Kripke structure for BPMN processes:) A
process BP =(Fo,Sf,Art) induces a Kripke structure K
= (S,I,T, ) with :
1.
S being the set of all valid system states which
present the behavior of objects in BP called Ins(O)
where O Fo
Activity
such that :
Ins : Fo
Activity
In Fo × Out Fo
where :
In Fo
=
{in O|O Fo
Activity
}
and
Out Fo
=
{out O|O Fo
Activity
}
2. I being the set of initial states;
3.
T being the transition relation between the instan-
tiate object Flow ; Ins(O) × Ins (O);
ICSOFT 2018 - 13th International Conference on Software Technologies
534
4.
: S
2
P
. P is a set of elementary properties
verified by each state of the entire system.
Our description of BPs is based on a description
of the process and a description of the property. We
will focus also on the BPMN model’s refinement pro-
perties. We give their definitions and then explain how
required properties are depicted from the system beha-
vior constructs of BPMN models with refinement and
how they can be formally stated.
I
) The formal semantic using Kripke structure for
a BPMN abstract Activity A
Fo is given as
follows:
(in A) = {pre(A)|@s S s , in B, (s, in A) T}
(out A)= {post(A)|∀s S,(out A, s) < T}
Table 1 gives a semantic description of a BPMN
refined sub-process A to the Kripke structure.
Table 1: Adopted Semantics for a refined sub-process A.
BPMN Object Kripke Structure
In A
start
{Pre(A)}
Out A
{Post(A)}
P
i1
ˆ=(Pre(A) Post(A))
P
LinkRe f
i
ˆ=
II
) The formal semantic using Kripke structure
for a sequence refinement pattern (
>, {B,· · · , N}
)
where A is the refined activity:
>
(
in B
) =
{pre
(
B
)
, P
linkRe f
i
|@s S s ,
in B;(s, in B) T P
LinkRe f
i
ˆ=pre(B) = pre(A)}
>
(
out N
) =
{post
(
N
)
, P
LinkRe f
i
|∀s S
;(
out N, s
)
<
T P
LinkRe f
i
ˆ=post(N) = post(A)}
Table 2 gives a semantic description of a BPMN
sequence refinement pattern (
>, {B,C}
) to the
Kripke structure.
Table 2: Adopted Semantics for a sequence refinement pat-
tern.
BPMN Object Kripke Structure
In B
start
{Pre(B),P
LinkRe f
i
}
Out B
In COut C
{Post(C),P
LinkRe f
i
}
P
Re f
i
ˆ=(Pre(A) = Pre(B) Pre(B)
(Post(C) Post(C) = Post(A))
III
) The formal semantic using Kripke structure for
a parallel refinement pattern (
, {B,· · · , N}
) where
A is the refined activity:
(
X(B,···,N)
in X
) =
{∩
X(B,···,N)
Pre
(
X
)
, P
linkRe f
i
|@s S s ,
in B
;(
s, in B
)
T P
LinkRe f
i
ˆ=
X(B,···,N)
Pre
(
X
) =
pre(A)}
(
X(B,···,N)
out X
) =
{∩
X(B,···,N)
Post
(
X
)
, P
LinkRe f
i
|∀s S
;(
out N, s
)
<
T P
LinkRe f
i
ˆ=
X(B,···,N)
Post
(
X
) =
post
(
A
)
}
Table 3
gives a semantic description of a BPMN parallel
refinement pattern (
, {B,· · · , N}
) to the Kripke
structure.
Table 3: Adopted Semantics for a parallel refinement pattern.
BPMN Object Kripke Structure
In B,·· · ,In N
start
{∩
X(B,··· ,N)
Pre(X), P
LinkRe f
i
}
Out B,·· · ,Out N
{∩
X(B,··· ,N)
Post(X), P
LinkRe f
i
}
P
Re f
i
ˆ=Pre(A) =
X(B,··· ,N)
Pre(X)
X(B,··· ,N)
Pre(X) (
X(B,··· ,N)
Post(X)
X(B,··· ,N)
Pre(X) (
X(B,··· ,N)
Post(X)
X(B,··· ,N)
Post(X) = Post(A))
IV
) The formal semantic using Kripke structure for
an exclusive refinement pattern ([]
, {B,· · · , N}
)
where A is the refined activity :
[]
(
XB···X)
in X
) =
{∪
XB···N
Pre
(
X
)
, P
LinkRe f
i
|@s
S s , in B
;(
s, in B
)
T P
LinkRe f
i
ˆ=
X(B,···,N)
Pre(X) = pre(A)}
[]
(
XB···X)
out X
) =
{∪
XB···N)
Post
(
X
)
, P
LinkRe f
i
|∀s S
;(
out N, s
)
<
T P
LinkRe f
i
ˆ=
X(B,···,N)
Post
(
X
) =
post
(
A
)
}
Table
4 gives a semantic description of a BPMN
exclusive refinement pattern ([]
, {B,· · · , N}
) to the
Kripke structure.
Table 4: Adopted Semantics for an exclusive refinement
pattern.
BPMN Object Kripke Structure
In B|· · · |In N
start
{∪
X(B,···,N)
Pre(X), P
LinkRe f
i
}
Out B|·· · |Out N
{∪
X(B,···,N)
Post(X), P
LinkRe f
i
}
P
Re f
i
ˆ=Pre(A) =
X(B,···,N )
Pre(X)
X(B,···,N )
Pre(X) (
X(B,···,N )
Post(X)
X(B,···,N )
Pre(X) (
X(B,···,N )
Post(X)
X(B,···,N )
Post(X) = Post(A))
V
) The formal semantic using Kripke
structure for a loop refinement pattern
(
y N, B
) where A is the refined activity:
y
(
in B
) =
{Pre
(
B
)
N, P
LinkRe f
i
|@s S s ,
in B;(s, in B) T P
LinkRe f
i
ˆ=Pre(B) N = Pre(A)}
y
(
out B
) =
{Post
(
B
)
¬N, P
LinkRe f
i
|∀s
S
;(
out N, s
)
< T P
LinkRe f
i
ˆ=Post
(
B
)
¬N
=
Post
(
A
)
}
Table 5 gives a semantic description of a BPMN
loop refinement pattern (
y N, B
) to the Kripke
structure.
A Refinement based Verification Approach of BPMN Models using NuSMV
535
Table 5: Adopted Semantics for a loop refinement pattern.
BPMN Object Kripke Structure
In B
start
{Pre(B) N,P
LinkRe f
i
}
Out B
{Post(B) ¬N,P
LinkRe f
i
}
N=TRUE
P
Re f
i
ˆ=(Pre(B) N) = Pre(A) (Pre(B) N) (Post(B) ¬N
(Pre(B) N) (Post(B) ¬N
(Post(B) ¬N) = Post(A))
The soundness of BPMN process model to verify
the safety and the refinement can be ensured by sa-
tisfying the properties described above.
8 CASE STUDY
In this section we will describe our system and then
try to apply the refinement verification for this system.
8.1 Description
A Compose Email sub-process presented in figure 8 is
a message which can be text or voice. The text mes-
sage can be sent by adding the address of the receiver,
the message title which is called the subject, typing
the email message and sending this text.
Figure 8: Compose Email Sub-process.
8.2 Experimental Result
We discuss thereafter the first refinement of the sub-
process Compose Email. Table 6 shows the state di-
agram of the sub-process compose Email. The trans-
lation from the sub-process shown in table 6(a) to a
Kripke structure shown in table 6(b) is the instantiate
of a sub-process. The refined sub-process compose
Email defined by the refinement sub-process Text mes-
sage or the task Voice message is a choice which can
be made between the two activities is described in ta-
ble 6(c). The translation from this sub-process to a
kripke structure is shown in table 6(d). A generated
specification expressed in LTL language checked for
safety abstract property and refinement property was
the following:
P
0
ˆ=G(pre(C Mail) X post(C Mail).
P
Re f
1
ˆ=G
((
pre
(
C
M
ail
) =
pre
(
OR
))&
pre
(
OR
)
X(post(OR)&post(C Mail) = post(OR))).
With : pre(OR) = pre(T M)— pre(V M)and post(OR) =
post(T M)— post(V M).
We remind that:
pre(C Mail) (post(C Mail)) is the precondition (post-
condition) of the activity Compose Email, pre(T M)
(post(T M)) is the precondition (post-condition) of the acti-
vity text message and pre(V M) (post(V M)) is the precon-
dition (post-condition) of the activity Voice Message.
This requirement is obviously true for the discussed
example cited above according to table 7(e).
Table 6: Modeling and verification of Compose Email sub-
process.
In C Mail
start
{Pre(C Mail)}
Out C Mail
{Post(C Mail)}
(b) Kripke Structure for Compose Email Sub-
process
In T M|In V M
start
{Pre(T M)|Pre(V M),P
LinkRe f
1
}
Out T M|Out V M
{Post(T M)|Post(V M),P
LinkRe f
1
}
(d) Kripke Structure of the refinement
9 IMPLEMENTATION
The figure 9 and 10 shows the screen-shots of the the
abstract process Compose Email and the refinement
ICSOFT 2018 - 13th International Conference on Software Technologies
536
in the main edit view of the application. Users can
drag elements from the element palette in the top of
the Graphical User Interface (GUI). The GUI of the
abstract model is developed by our team (Hlaoui and
Ayed, 2009). After saving or importing a configuration
of both the abstract and the refined matching model
defining the behavior of one of the refinement patterns
in an XML file, the tool converts them to a Kripke
structure each of them. Once this is done it applies
the safety and the refinement properties in order to
check the flexibility of the process. The two Kripke
structures are convert to the input format of NuSMV
model checker and the properties are demonstrated.
10 IMPACT ANALYSIS OF
CHANGE (REFINEMENT)
The flexibility of a process is defined as a property who
allow to this process the adaptation of change without
causing the instability of the system where it is used.
Indeed, in today’s dynamic business world, the econo-
mic success of an enterprise increasingly depends on
its ability to react to changes within its environmen-
tal in a quick and flexible way (Fdhila et al., 2011).
This paper presents a new methodology for adaptation
to a special change called refinement. According to
(Dahman et al., 2013), the changes can be described
by basic operations that express atomic modifications
which are noted by
U
δ
. This changes can be made on
process according to this three operations :
Create(fragment): Insert a new fragment into the
process.
Destroy(fragment): Delete a fragment from the
process.
Update(fragment,
µ
,
ϑ
): Associate the property
µ
of
the fragment with the value ϑ.
Undo(fragment,
µ
,
ϑ
): Dissociate the property
µ
of
the fragment with the value ϑ.
µ
can be a labeling property, a type of object flow, a
target or a source.
The model obtained by applying of a sequence of ope-
rations U
δ
f
in the fragment f is apply(f,U
δ
f
).
Metrics
Definition 7. (Normalized size:) (Dahman, 2012)
The size of a sequence of operations size(Q)=
Q
is
defined by the number of operations of creation and de-
struction of object flows. The normalization simplifies
all reverse or dependent operations.
Figure 11 shows the change of the sub-
process
Compose Email
by the exclusive
refinement([]
, {T ext M,Voice M}
) described in
the previous section. The result of this refinement is:
Comp Email
=
apply
(
Copmose Email, U
δ
Compose Email
)
.
1. Size (compose E) = 1.
create(Comp Email).
2.
Size ([]
, {T ext M,Voice M}
) = Size (
U
δ
comp E
) =
4.
create(Comp Email) , destroy(Comp Email),
create(Text M), create(Voice M),create(G1), cre-
ate(G2). (G1 and G2 are the gateways).
3. Size (comp Email)’ = 4
Definition 8.
(Normalized semantics:)(Dahman,
2012)
The semantics of a sequence of operations Q =
Q
is
defined by the update and the undo operations. The
normalization simplifies all reverse or dependent ope-
rations.
1. Sem(compose E) = 2.
update(compse E,lab,in(compose E)), up-
date(compose Email,lab,out(compose E)).
2. Sem([],{T ext M,Voice M})= 10.
update(Text M,lab,in(Text M)),update(Text M,
lab,out(Text M)), update(G1,typ,objectFlow),
update(G1,tar,Text M),update(G1,tar,Voice M),
update(G2,typ,objectFlow),update(Text M,
tar,G2),update(Voice M,tar,G2),update(Voice M
,lab,in(Voice M)),update(Voice M
,lab,out(Voice M)).
3. Sem(Comp E’) = 10.
update(compse E ,lab,in(compose E)), up-
date(compose Email, lab,out(compose E)),
undo(compse E ,lab,in(compose E)),
undo(compose Email ,lab,out(compose E))
update(Text M ,lab,in(Text M)), update(Text M
,lab,out(Text M)),update(G1,typ,objectFlow),
update(G1,tar,Text M),update(G1,tar,Voice M),
update(G2,typ,objectFlow),update(Text M
,tar,G2), update(Voice M ,tar,G2), up-
date(Voice M ,lab,in(Voice M)), update(Voice M
,lab,out(Voice M)).
Definition 9.
(Normalized complexity:(Dahman,
2012)) The normalized complexity is a complexity of a
sequence of operations defined by:
Comp(Q) = S em(Q)/S ize(Q)
For the example illustrated before we have:
A Refinement based Verification Approach of BPMN Models using NuSMV
537
Figure 9: Screen Shots for the abstract and the refinement processes.
Figure 10: Screen Shots for the the mapping to Kripke structure and then to NuSMV.
Figure 11: Applying an operation with a first refinement
change of Compose Email.
Table 7: Results of complexity for the example.
Comp(Compose Email 2/1 = 1
Comp(([], {T ext M,Voice M}) 10/4 = 2.5
Comp(comp Email’ 10/4 = 2.5
Based on this results, authors in (Dahman, 2012) de-
fine a Metric of a correct automated transformation.
They allow to compare transformations and synchroni-
zation.
size(M
) = λ * size(M)&
sem(M
) = φ * sem(M)&
comp(M
) = φ/λ comp(M).
where M’ is the transformation of M,
λ
and
φ
are
factors who depend on the mapping of the operations
that are present in the source models.
1. λ
=
size
(
Comp Email
)
/size
(
Comp Email
) =
4/1 = 4.
2. φ
=
sem
(
comp
E
mail
)
/sem
(
comp
E
mail
) = 10
/
2 =
5.
3. φ/λ
= 5
/
4 = 1
.
25
1
Comp Email
Comp Email
. Complexity is preserved during this
transformation.
We can also conclude that even with incremental
semantic enrichment (here refinement) the complexity
is not high which favors our methodology.
11 CONCLUSIONS
To reduce the complexity of business process mo-
deling, we introduced in this paper refinement techni-
que in modeling with BPMN. This allows developers
to introduce gradually system requirements and to
prove at each level that the model preserves the re-
fined one. Refinement patterns have been introduced
allowing rigorous refinement. Also, with proofs rela-
ted to these patterns, developer can introduce grading
ICSOFT 2018 - 13th International Conference on Software Technologies
538
requirements in the development process and can ve-
rify that the refinement preserves requirements of the
refined model. Throughout this paper, we proposed
new methodology for the specification and the veri-
fication of business processes based on BPMN and
refinement, and using NuSMV model checker for the
verification. This allows the developer to guarantee
that the properties of a business process are conserved
by the dierent refinement patterns. We won’t make
an automatic refinement because until now it’s an in-
teractive step of our approach. Also, it’s important
to propose a solution allowing developer to discover
the origin of an eventual error on the model in case
of non verified LTL formulas in the checking step. In
the future we will implement a quality management
plug-in to manage the quality of a business process
after each change.
REFERENCES
Allweyer, T. (2010). BPMN 2.0: Introduction to the Standard
for Business Process Modeling. Books on Demand.
https://books.google.tn/books?id=fdlC7K 3dzEC.
Behrmann, G., David, A., and Larsen, K. G. (2004). A
tutorial on uppaal. In Formal methods for the design
of real-time systems, pages 200–236. Springer.
Bonitasoft (2009). Bonita open solution.
Bulanov, P., Groefsema, H., and Aiello, M. (2011). Business
process variability: A tool for declarative template de-
sign. In International Conference on Service-Oriented
Computing, pages 241–242. Springer.
Capel, M. I. and Mendoza, L. E. (2012). Automating the
transformation from bpmn models to csp+ t specifica-
tions. In Software Engineering Workshop (SEW), 2012
35th Annual IEEE, pages 100–109. IEEE.
Choi, B. W. (1994). Petri net approaches for modeling, con-
trolling, and validating flexible manufacturing systems.
Cimatti, A., Clarke, E., Giunchiglia, F., and Roveri, M.
(2000). Nusmv: a new symbolic model checker. In-
ternational Journal on Software Tools for Technology
Transfer, 2(4):410–425.
Cort
´
es, L. A., Eles, P., and Peng, Z. (2003). Modeling and
formal verification of embedded systems based on a pe-
tri net representation. Journal of Systems Architecture,
49(12-15):571–598.
Dahman, K. (2012). Gouvernance et ´etude de l’impact du
changement des processus m´etiers sur les architec-
tures orient´ees services : une approche dirig´ee par
les mod`eles. (Governance and Analysis of Business
Processes Change Impact on Service Oriented Archi-
tectures: A Model-Driven Approach). PhD thesis, Uni-
versity of Lorraine, Nancy, France.
Dahman, K., Charoy, F., and Godart, C. (2013). Alignment
and change propagation between business processes
and service-oriented architectures. In Services Compu-
ting (SCC), 2013 IEEE International Conference on,
pages 168–175. IEEE.
Dijkman, R. M., Dumas, M., and Ouyang, C. (2008). Seman-
tics and analysis of business process models in bpmn.
Information and Software technology, 50(12):1281–
1294.
Fdhila, W., Baouab, A., Dahman, K., Godart, C., Perrin, O.,
and Charoy, F. (2011). Change propagation in decentra-
lized composite web services. In Collaborative Com-
puting: Networking, Applications and Worksharing
(CollaborateCom), 2011 7th International Conference
on, pages 508–511. IEEE.
Groote, J. F., Mathijssen, A., van Weerdenburg, M., and
Usenko, Y. (2005). From
µ
crl to mcrl2. Algebraic Pro-
cess Calculi: The First Twenty Five Years and Beyond,
page 126.
Hat, R. (2017). Java business process model. Technical
report.
Hlaoui, Y. B. and Ayed, L. J. B. (2009). Patterns for mo-
deling and composing workflows from grid services.
In Enterprise Information Systems, 11th International
Conference, ICEIS 2009, Milan, Italy, May 6-10, 2009.
Proceedings, pages 615–626.
Hlaoui, Y. B. and Ayed, L. J. B. (2010). Symbolic model
checking supporting formal verification of grid service
workflow models specified by UML activity diagrams.
In NOTERE 2010, Annual International Conference
on New Technologies of Distributed Systems, Touzeur,
Tunisia, May 31 - June 2, 2010, Proceedings, pages
255–260.
Kherbouche, O. M., Ahmad, A., and Basson, H. (2012). De-
tecting structural errors in bpmn process models. In
Multitopic Conference (INMIC), 2012 15th Internatio-
nal, pages 425–431. IEEE.
Kluza, K., Nalepa, G. J., Szpyrka, M., and Ligeza, A. (2011).
Proposal of a hierarchical approach to formal verifi-
cation of bpmn models using alvis and xtt2 methods.
In 7th Workshop on Knowledge Engineering and Soft-
ware Engineering (KESE 2011) at the Conference of
the Spanish Association for Artificial Intelligence (CA-
EPIA 2011), La Laguna (Tenerife), Spain, November,
volume 10, pages 15–23.
Mir, A. A., Balakrishnan, S., and Tahar, S. (2000). Modeling
and verification of embedded systems using cadence
smv. In Electrical and Computer Engineering, 2000
Canadian Conference on, volume 1, pages 179–183.
IEEE.
Morales, L. E. M. (2013). Business process verification using
a formal compositional approach and timed automata.
In Computing Conference (CLEI), 2013 XXXIX Latin
American, pages 1–10. IEEE.
Oliver, F. and Martin, L. (2008). Mlsolver.
OMG (2009). Bizagi modeler.
Petri, C. A. and Reisig, W. (2008). Petri net. Scholarpedia,
3(4):6477.
Pnueli, A. (1977). The temporal logic of programs. In
Foundations of Computer Science, 1977., 18th Annual
Symposium on, pages 46–57. IEEE.
Raedts, I., Petkovic, M., Usenko, Y. S., van der Werf, J.
M. E., Groote, J. F., and Somers, L. J. (2007). Trans-
formation of bpmn models for behaviour analysis.
MSVVEIS, 2007:126–137.
A Refinement based Verification Approach of BPMN Models using NuSMV
539
Rajabi, B. A. and Lee, S. P. (2010). Modeling and analysis
of change management in dynamic business process.
International Journal of Computer and Electrical En-
gineering, 2(1):181.
Ramadan, M., Elmongui, H. G., and Hassan, R. (2011).
Bpmn formalisation using coloured petri nets. In Pro-
ceedings of the 2nd GSTF Annual International Confe-
rence on Software Engineering & Applications (SEA
2011).
Read, S. (1999). A new introduction to modal logic.
Reijers, H. A. (2006). Implementing bpm systems: the role
of process orientation. Business Process Management
Journal, 12(4):389–409.
Ruys, T. C. (1999). Xspin/project-integrated validation ma-
nagement for xspin. In International SPIN Workshop
on Model Checking of Software, pages 108–119. Sprin-
ger.
Sam, v. D. (2014). Model checking business processes the
search for the most compatible model checker.
Sember, J. (2005). Mcheck: A model checker for ltl and ctl
formulas.
Van Der Aalst, W. M. and Ter Hofstede, A. H. (2005). Yawl:
yet another workflow language. Information systems,
30(4):245–275.
Von Stackelberg, S., Putze, S., M
¨
ulle, J., and B
¨
ohm, K.
(2014). Detecting data-flow errors in bpmn 2.0. Open
Journal of Information Systems (OJIS), 1(2):1–19.
Younes, A. B., Hlaoui, Y. B., Ayed, L. J. B., and Jlassi, R.
(2013). Refinement based modeling of workflow ap-
plications using UML activity diagrams. In IEEE 37th
Annual Computer Software and Applications Confe-
rence, COMPSAC Workshops 2013, Kyoto, Japan, July
22-26, 2013, pages 187–192.
Zamfir, M. (2011). Evaluation of Intalio BPM Tool. Revista
Rom¨an¨a de Informatic¨a ¸si Automatic¨a, 21(1):59–70.
ICSOFT 2018 - 13th International Conference on Software Technologies
540