Model Checking Activity Diagrams in TCM
Author
Abstract
ing from Data. Since an activity hypergraph can have integer and string variables, the state space of the transition system can be infinite. We reduce this infinite transition system to a finite one as follows. The key observation is that the only data that influence the execution of the activity hypergraph are the event and guard labels. The only relevant data, therefore, is the boolean valuation of the event and guard expressions. For example, suppose a guard tests whether variable x < 10. Then, to know whether the associated hyperedge is enabled, we only need to know the truth value of the guard. A naive model checking strategy would therefore be to drop all data and to introduce for every guard expression a boolean representative; in each step, events and new boolean valuations for the guard expressions are generated. A guard is true iff its boolean representative is true. This strategy is naive in the sense that it does not reckon with the fact that guard expressions can be dependent upon each other. For example, if guard expression [p ∧ q] is true then [p] must also be true. And if [s = "red"] is true then [s ≠ "red"] must be false, and vice versa. But in the naive strategy, [p ∧ q] and [p] might be assigned conflicting truth values, for example [p ∧ q] = true and [p] = false. Such valuations are infeasible and therefore should not occur in the model. We therefore consider basic guard expressions: those parts of the guard expressions not containing ∧, ∨ and ¬. This partly solves the problem sketched above (for example, [p ∧ q] and [p] are now dependent, since both are built from the basic expression [p]). But not fully, since basic guard expressions too can be dependent upon each other. For example, the basic guard expressions [x = 10] and [x ≥ 10] are not independent, since x = 10 ⇒ x ≥ 10. We solve this problem by requiring that a basic guard expression refers to at most one variable, and that if two basic guard expressions refer to the same variable, then they must be syntactically the same.
This may seem a limiting constraint, but we have not yet seen a workflow model in practice that did not satisfy it. We postpone relaxing this constraint to future work. The approach above is based on existing approaches from modal logic, e.g. filtration [11]. Similar techniques are also applied in model checking under the name partition refinement [3]. Partition refinement can only be applied to a finite state space. Therefore, as far as we know, partition refinement is never applied to data abstraction, since data may induce an infinite state space.
Real time. Activity graphs can contain simple real-time constructs of the form when and after (see Section 2). In our prototype, we have only implemented after constraints; when constraints can be dealt with similarly. In computing a transition system, we need to interpret after constraints in order to generate timeouts. One obvious solution is to use discrete time. But our semantics uses dense time rather than discrete time: an event can occur at any time, not just at ticks of the clock. A dense time model cannot be discretised straightforwardly, since the discretisation may introduce some (undesired) properties that are not present in the original dense time model. However, in our case, we can use the result of Göllü et al. [12] that dense time models with n clocks can be discretised using clock ticks of 1/(n+1). This discretisation preserves the untimed (reachability) properties of the original dense time model, but it may introduce some different
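The data abstraction described above, as an added example that is not code from the TCM prototype or from the paper: guards are small ASTs over basic guard expressions (atoms), the checker enforces the stated restriction (an atom refers to at most one variable; atoms over the same variable must be syntactically identical, here after stripping whitespace outside string literals), and the finite abstract state space is the set of boolean valuations of the atoms. The `naive` enumeration shows the infeasible combinations such as [p ∧ q] = true, [p] = false that the atom-based abstraction rules out. Representing s ≠ "red" as ¬(s = "red") is this example's reading of the constraint, not something the page states; the AST shape, function names and sample guards are all constructed for illustration.

```python
import re
from itertools import product

# Guard ASTs, constructed for this example. A basic guard expression (an
# "atom") is a string such as 'x < 10' or 's = "red"'; compound guards are
# tuples (op, arg, ...) with op in {AND, OR, NOT}. The TCM prototype's own
# internal representation is not shown on the page.
AND, OR, NOT = "and", "or", "not"

_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
_STRING = re.compile(r'"[^"]*"')


def normalize(atom):
    """Canonical spelling of an atom: drop whitespace outside string
    literals so that 'x<10' and 'x < 10' count as syntactically the same."""
    outside = _STRING.split(atom)      # text between/around string literals
    literals = _STRING.findall(atom)   # the literals themselves, kept intact
    out = []
    for i, part in enumerate(outside):
        out.append(re.sub(r"\s+", "", part))
        if i < len(literals):
            out.append(literals[i])
    return "".join(out)


def variables(atom):
    """Identifiers referenced by an atom (string literals and numbers ignored)."""
    return set(_IDENT.findall(_STRING.sub('""', atom)))


def atoms(guard):
    """Set of (normalized) basic guard expressions occurring in a guard."""
    if isinstance(guard, str):
        return {normalize(guard)}
    _op, *args = guard
    return set().union(*(atoms(a) for a in args))


def check_constraint(guards):
    """Violations of the restriction from the text: every atom refers to at
    most one variable, and atoms over the same variable are syntactically
    identical. An empty list means the abstraction is sound."""
    violations = []
    by_var = {}
    all_atoms = set().union(*(atoms(g) for g in guards)) if guards else set()
    for a in sorted(all_atoms):
        vs = variables(a)
        if len(vs) > 1:
            violations.append(f"{a!r} refers to more than one variable: {sorted(vs)}")
        for v in vs:
            by_var.setdefault(v, set()).add(a)
    for v, group in sorted(by_var.items()):
        if len(group) > 1:
            violations.append(f"variable {v!r} occurs in different atoms: {sorted(group)}")
    return violations


def evaluate(guard, valuation):
    """Truth value of a guard under a boolean valuation of its atoms."""
    if isinstance(guard, str):
        return valuation[normalize(guard)]
    op, *args = guard
    if op == NOT:
        return not evaluate(args[0], valuation)
    if op == AND:
        return all(evaluate(a, valuation) for a in args)
    if op == OR:
        return any(evaluate(a, valuation) for a in args)
    raise ValueError(f"unknown operator {op!r}")


def abstract_states(guards):
    """The finite abstract state space: one boolean per atom, plus the truth
    value of every guard under that valuation. Returns (valuation, values)."""
    problems = check_constraint(guards)
    if problems:
        raise ValueError("guards violate the independence constraint: " + "; ".join(problems))
    names = sorted(set().union(*(atoms(g) for g in guards)))
    states = []
    for bits in product([False, True], repeat=len(names)):
        val = dict(zip(names, bits))
        states.append((val, tuple(evaluate(g, val) for g in guards)))
    return states


def infeasible_naive_combinations(guards):
    """Guard-value combinations the naive abstraction (one independent
    boolean per guard) admits but no valuation of the atoms can produce."""
    feasible = {values for _, values in abstract_states(guards)}
    return [bits for bits in product([False, True], repeat=len(guards)) if bits not in feasible]


if __name__ == "__main__":
    dependent = [(AND, "p", "q"), "p"]
    print("infeasible under naive abstraction:", infeasible_naive_combinations(dependent))
    print("violations for [x = 10], [x >= 10]:", check_constraint(["x = 10", "x >= 10"]))
    colour = ['s = "red"', (NOT, 's = "red"')]
    print("abstract states for s = red / not(s = red):", abstract_states(colour))
```

Running the block prints the single infeasible pair ([p ∧ q] = true, [p] = false), one violation for [x = 10] against [x ≥ 10], and two abstract states for the colour guards, in which the guard and its negation always disagree.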
Related references
Model Checking of UML Class Diagrams including OCL using Relational Logic
The popular process models for object-oriented software development do not comprise model checking techniques. Model checking tools which take UML class diagrams including OCL as input could facilitate the incorporation of model checking techniques into everyday software engineering workflows. This paper describes a two-step model checking approach for UML class diagrams including OCL: the clas...
Formalising UML Activity Diagrams using Finite State Processes
Among the set of diagrams of UML used to express dynamic aspects of systems, the Activity Diagram (AD) is the only one that deals with Business Processes (BP) and workflows. However, the lack of a well-defined semantics leaves the notation open to many interpretations. In this paper we provide a simple semantics by formalising the UML Activity Diagram using finite state processes (FSP). A given...
Verifying sequence diagrams using the process algebra CSP
We develop a verification tool for sequence diagrams named SD2CSP. It converts sequence diagrams to processes in CSP, so that existing model checking tools can verify them. We implemented the tool and conducted experiments with real world case studies.
On Application of Multi-Rooted Binary Decision Diagrams to Probabilistic Model Checking
In this paper we consider the applicability of multi-rooted binary decision diagrams to probabilistic model checking. Symbolic probabilistic model checking involves manipulation of functions and matrices with values in [0, 1], and multi-terminal binary decision diagrams, sparse matrices, and combinations thereof are used to represent these objects. We propose algorithms for represe...
Sylvan: multi-core decision diagrams
Decision diagrams such as binary decision diagrams and multivalued decision diagrams play an important role in various fields, including symbolic model checking. An ongoing challenge is to develop datastructures and algorithms for modern multi-core architectures. The BDD package Sylvan provides one contribution by implementing parallelized BDD operations and thus allowing sequential algorithms ...
Zur automatischen Verifikation von UML-2-Aktivitätsdiagrammen (On the Automatic Verification of UML 2 Activity Diagrams)
Summary: Demands on the performance and particularly on the quality of new software systems grow continuously. Therefore, modern software development processes are aimed at creating top quality software as fast as possible. One approach to face this challenge is given by model-driven software development (MDSD). The use of models increases the abstraction...