An Algebraic Method for Analysing Control Flow of BPMN Models

—This paper introduces an approach for formal verification of BPMN models. The incompatible constructs of the BPMN patterns can lead to wrong or incomplete semantics which resulting the behavioral errors such as deadlock and multiple termination. This research is motivated by the need to create a correct business process and in order to generate a more complete formalization of BPMN semantics than existing formalizations. We first introduce the chosen patterns which are the most used in the modelisation of the service-based business processes. Then, we illustrate a definition of the execution semantics of these patterns by using the rules of Max+ Algebra formulas, which have important benefits.

The Business Process Modeling Notation (BPMN) [1] is a standard notation for business process modeling. It presents an execution semantics of process instances that defines precisely how models in the BPMN notation should behave.
The BPMN models are composed of a set of activity nodes and a set of control nodes that can be connected by a flow relation. Others notations exist, for which we refer to a subset of BPMN related to control flow modelling in order to define a precise execution semantics of BPMN elements which are the most used in the modelisation of the service-based business processes.
The most challenging process modeling problem is to make it possible to create models with semantic errors. In fact, this modelisation based on process model (e.g., BPMN), and because the mix constructs in BPMN have an incompletely specified meaning, and the lack of an unambiguous denition of the BPMN notation can cause the behavioral errors. Which business process model is correct is typically modeled with respect to several quality criteria. An important quality criterion is choosing an appropriate definition semantics of the patterns which are used in the modelisation of the business processes. Another model quality criterion is necessary to define a precise mapping between the adopted user-friendly notation and a formal language in order to support formal verification techniques. Therefore, several approaches have been proposed to the formal validation of BPMN [4], [5], [6], [7]. All these approaches are based on the mapping of BPMN to a formal presentation like Petri Nets [8], YAWL [9], PROMELA 1 , and PNML [10] in order to use the formal analysis tools available for these models.
For illustrative purposes, we develop a complete execution semantics of BPMN patterns associated with control flow in terms of Max+ Algebra equations, which is a useful mathematical tool, to specify and evaluate the performance of interaction and interoperability in the processes composition. Max+ Algebra has emerged as the suitable mathematical structure to model the phenomena of synchronization, assembly, concurrency, and parallelism. It is dedicated to the analysis of systems properties whose behavior can be represented by linear equations. Consequently, our execution semantics covers more rules from the BPMN standard than any other formal semantics so far.
As already stated, the main motivation of our work is given by choice phenomena, synchronization, and concurrency in BPMN models. To manage these phenomena, especially where conflicts appear, the analytical behavior of the graphical model using Max+ Algebra system in order to arbitrate and resolve these conflicts is given. Therefore, certain errors such as deadlocks and multiple terminations in process models can be detected in the first phases of the business process modeling [2], [3] without having establishing all steps of model-checking [11].
The remainder of this paper is organized as follows. In section 2, we start by a related work of the used formalisms and their application domains. In section 3, a brief overview of BPMN standard and an abstract syntax of Max+ Algebra system is given. Analysis of execution semantics for BPMN elements related to control flow modelling are presented in section 4 and section 5. Section 6 concludes the paper and presents some perspectives.

RELATED WORK II.
Several current approaches are interested by modeling, analyzing, and evaluating the performance of business process. Furthermore, we mention that many of these researchers do not yet support all possible behavioral semantics of business process regarding the patterns related to control flow.
A variety of techniques define a formal semantics of BPMN [12], [13], which use Petri nets as the target formal model. However, Petri nets are limited in the semantics that they can represent. It is difficult to represent the inclusive and complex gateway. Such concepts can be represented in Max+ Algebra equations. Our work PAPER AN ALGEBRAIC METHOD FOR ANALYSING CONTROL FLOW OF BPMN MODELS supports this claim by showing that the formalization of this paper is relatively complete.
Among the modeling tools used there are: Communicating Sequential Processes (CSP) [16]. In [17] a BPMN model is mapped to a set of CSP. The CSP models produced in this technique may be large and complex, and they do not preserve the structure of the BPMN model.
For an overview of business process modeling, we refer to [19], the authors introduce an approach, based on Business Process Execution Language (BPEL) [14], to formalize and verify BPMN. However, the types of verification problems for BPEL are different from those in BPMN. In particular, deadlocks and multiple terminations that may arise in BPMN models do not arise in BPEL systems.
When examining the BPMN process models described by [20], which rely on a mapping from a subset of BPMN to !-calculus. This tool can be used to check the soundness [21] of BPMN models.
However, this mapping only covers a small subset of BPMN. For example, they do not deal with the patterns related to control flow. Whereas our approach can describe this phenomenon.
In this paper we use Max+ Algebra rules for which efficient analysis techniques are available for representing BPMN models where conflicts appear and to defining their execution semantics. Another benefit of using Max+ Algebra is their expressive power for studying and analyzing composed BPMN pattern.

PRELIMINARIES III.
In this section, we present concepts and definitions that will be used throughout the rest of the paper. We start with the BPMN that is used to modelize the business process. Then we give a brief description of Max+ Algebra, which is used to model the synchronization and parallelism phenomena of the service-based business processes in the form of linear equations.

Business process modeling notation (BPMN) A.
Before elaborating a formal semantics of BPMN, this section provides a gentle introduction to the BPMN elements related to control flow modelling that define the behavior of the processes and have an impact on the conflict situation (see Table I). Hence, three types of nodes named event, task, and gateway are considered as well as one type of edges called sequence flow. The main elements of BPMN include the following:

Elements
Description An event is represented with a circle and denotes something that happens during the cours of the process, affecting the process flow. This could be a start and end event. A task describes a type of work that has to be completed within a business process. A sequence flow is used to show the order in which particular activities will be performed in a process. It links two objects in a process diagram. A default sequence flow is taken only if all the other outgoing sequence flows from the task or gateway are not valid.
Gateways are used to control how the sequence flows converge or diverge within a process. Some of the typical types of gateways are the following ones: 1.
Parallel gateway: uses for synchronizing parallel flow without checking any conditions; each outgoing sequence flow receives a token [18] upon execution of this gateway. For incoming flows, the parallel gateway will wait for all incoming flows before triggering the flow through its outgoing sequence flows.

2.
Exclusive gateway: is used to create alternative paths within a process flow. For a given instance of the process, only one of the paths can be taken.

3.
Inclusive gateway: uses to create alternative but also parallel paths within a process flow. However, it should be designed so that at least one path is taken.

4.
Complex gateway: uses to model complex synchronization behavior and to describe the precise behavior. For example, this expression could specify that tokens on three out of five incoming sequence flows are needed to activate the gateway.
Scalar operations: Let a, b and c!!! ! !"# ! The operations maximum (implied by the max operator !) and addition (plus operator !) for these scalars are defined as: In this section, we show how to transform BPMN processes into Max+ Algebra equations. For purposes of this paper, we focus on the BPMN elements related to control flow modelling. The introduction of a token [18] facilitates the description of the behavior of conflicted system with algebraic formulas or linear representations. Furthermore, the execution semantics of BPMN elements under our consideration are the most used in the modelisation of the service-based business processes 2 .

PAPER AN ALGEBRAIC METHOD FOR ANALYSING CONTROL FLOW OF BPMN MODELS
In the next section we illustrate how to generate the Max+ Algebra model of the chosen patterns. Before giving the Max+ Algebra model, let us define: • The firing of a task occurs after the end of a time ! ! associated to this task. • To calculate the cumulative total at the firing of the task ! ! , we define the following cumulative application that represents the date of ! !! firing of the task Where !!! is the number of all tasks in the BPMN model.
A sequence flow that has an exclusive or inclusive gateway as its source requires a condition to direct the flow. Consequently, we associate to each tasks a boolean variable that acts as a firing condition. A sequence flows is fired if this condition evaluates to true.
Formally, to express the firing condition related to the outgoing sequence flow connect to the task ! ! , we define the following function: Only task nodes are considered as sequential structure since they have exactly one incoming and one outgoing branch. This pattern is used to model dependencies between tasks so that one task cannot start before another is finished. The analytical behavior of the model presented in Fig. 2 is given as follows: The system (3) can be written in the following equation form: This pattern describes the synchronization phenomenon. It is used to synchronize multiple concurrent branches and to spawn new concurrent threads on parallel branches without checking any conditions. So that the gateway can not be fired if all previous branches are activated (see Fig. 3). The analytical behavior of this graphical model is given in system (5). All the tasks ! ! ! ! !!!!! ! ! will be executed when a token arrives on its incoming sequence flow over all upstream tasks ! ! ! ! !!!!! ! ! : Where !" ! is the set of all downstream tasks of !" and ! !" is the set of all upstream tasks of !".
The system (5) can be expressed as: Exclusive gateway pattern D.
The Fig. 4 describes an exclusive gateway model. In this pattern, m tasks are in conflict situation. When a token arrives at any incoming sequence flows, it can activate the gateway, but we don't know which downstream task will be fired. So, the task that will be fired can be chosen by the evaluation of the conditions in order. The first condition that evaluates to true determines the sequence flow the token is sent to. If and only if none of the conditions evaluates to true, the token is passed on the default sequence flow. Furthermore, it is not obvious to formally express the firing of the downstream tasks. With the aim to describe this functioning by Max+ Algebra equations and in order to facilitate the mathematical analysis, we associate to each task the following function: When only a task ! ! is fired for the ! !" firing (i.e.,! ! ! ! ! !), all other tasks ! ! (with ! ! ! ! ! ) are not fired (i.e., ! ! ! ! ! !).
The behavior of the modeled exclusive gateway pattern is represented by the system (8): As shown in Fig. 5, the inclusive gateway is activated if at least one incoming sequence flow has at least one token. In order to determine the outgoing sequence flows that receive a token, all conditions on the outgoing sequence flows are evaluated. The evaluation does not have to respect a certain order. If none of the conditions evaluates to true, the token is passed on the default sequence flow. Using a standard formalization, this pattern may be expressed under the following form: A complex gateway (see Fig. 6) can be used to describe the precise synchronization behavior. it has an attribute ActivationCondition that refers to the activation of incoming flows. For example, an ActivationCondition could be !! ! ! ! ! !!! ! ! !! ! ! !!"#! ! !!! stating that it needs !!"#! ! !!! out of the n incoming flow to have a token in order to proceed.
The complex gateway is in one of the two states: (represented by the attribute WaitingForStart = True) and waiting for reset (WaitingForStart = False). If it is waiting for start, then it waits for the ActivationCondition to become True. The ActivationCondition is not evaluated before there is at least one token on some incoming sequence flow.
When the ActivationCondition becomes True, the complex gateway uses the synchronization semantics of the split inclusive gateway. The gateway changes its state to waiting for reset (WaitingForStart = False).
When waiting for reset, the gateway waits for a token on each of those incoming sequence flows from which it has not yet received a token in the first phase. If tokens arrive later, those tokens cause a reset of the gateway.
When the gateway resets, it consumes a token from each incoming sequence flow that has a token and from which it had not yet consumed a token in the first phase. Then it uses the synchronization semantics of the split inclusive gateway. Finally, the gateway changes its state back to the state waiting for start. The behavior of the incoming sequence flows related to the complex gateway pattern is represented by the system (10).
To verify and to create the correct BPMN model in the early stage of the conception, the transformation into Max+ Algebra equations of the chosen patterns which are the most used in the modelisation of the service-based business processes is given.
Moreover, the interaction between the chosen patterns into one composed BPMN model can lead to create an incompatible or an ambiguous semantics in this model which resulting the behavioral errors such as deadlock, multiple termination and undesirable cyclic behavior.
In this section, we discuss the use of our proposed model for detecting the deadlock and multiple termination. In fact, the correct BPMN model contains only the compatible composed patterns.
As already mentioned, the execution semantics of BPMN patterns under our consideration is illustrated in Fig. 1. If a token is on one sequence flow, then the destination node for this sequence flow is ready to be triggered.

Deadlock Patterns A.
Deadlock patterns have already been identified by Onada et al. in [15]. Two concepts were behind these patterns. The first is reachability. Reachability between two nodes A and B (A (resp. B) represents a task or a task flow) in a process graph simply means that there is at least one path from A to B. The second is absolute transferability. This is a much stronger concept because it states that a token (work item) can always be transferred PAPER AN ALGEBRAIC METHOD FOR ANALYSING CONTROL FLOW OF BPMN MODELS from node A to all input points of node B. What makes absolute transferability reduce reachability between two nodes is the existence of routing control nodes in between.
In BPMN, deadlock occurs when a parallel gateway receives inputs which contain exclusive split. From the definition of exclusive connector and the definition of parallel gateway, the parallel gateway requires every incoming sequences to be processed. However, the exclusive split chooses only a single outgoing sequence to be processed. The example of deadlock is shown in Fig. 7. Formally, the analytical behavior of the BPMN model presented in Fig. 7 is given as follows: On the contrary, to deal with this deadlock error, it is necessary that the earlier Max+ Algebra equations will be expressed as: Therefore, it is clearly that there is a deadlock in the merge parallel gateway.
Remark: Note that if the ActivationCondition in the case of the complex gateway never becomes true in the first phase (WaitingForStart = True), tokens are blocked indefinitely at the gateway, which causes a deadlock of the entire process model.

Multiple Termination Patterns B.
The multiple termination is the situation that there exists a parallel split before an exclusive gateway as shown in Fig. 8. Only one sequence is traversed when the exclusive gateway is executed. This leads to the violation of soundness criterion [21]. Some of the tasks are not terminated in one of predefined terminate process. The analytical behavior of the scenario presented in Fig.8 is: ! ! ! !! !"#!!!!! ! ! ! ! ! !!!!!!!!!!!!!!!!!!!!
The BPMN standard is a graphical notation that describes the logic of steps in a business process, but it is ambiguous and inconsistent when it comes to defining their semantics. The lack of formal semantics of BPMN patterns related to control flow motivates the works in this area for checking the correctness of BPMN models from a semantic perspective.
This paper deals with the development of a theory and a generic method to model and analyze business process with conflicts in Max+ Algebra. This method allows to arbitrate these conflicts by given the corresponding linear equations of the chosen BPMN patterns which are the most used in the modelisation of the service-based business processes.
In future work, we plan to adapt the proposed approach with our previous works [4], [7] so that to develop a plugin which can integrate the formal verification techniques of business processes in the design phase.