<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>A Symmetric Petri Net Model of Generic Publish-Subscribe Systems for Verification and Business Process Conformance Checking</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Tom Meyer</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Institute for Visual and Analytic Computing, University of Rostock</institution>
          ,
          <addr-line>Albert-Einstein-Straße 22, Rostock, 18059</addr-line>
          ,
          <country country="DE">Germany</country>
        </aff>
      </contrib-group>
      <fpage>88</fpage>
      <lpage>110</lpage>
      <abstract>
        <p>The highly decoupled nature of distributed systems can greatly simplify modular development. However, it is easy to lose track of component interactions and emerging system behavior. To inspect the behavior of the aggregated system, an abstract model and analysis tools can be of great help. In this paper, we present such a model that follows the Event-Driven Architecture paradigm. We argue that a Petri net model that captures the event flow, without modeling event data, is a useful abstraction to give insight into a system composed of distributed components. We present a symmetric Petri net model with publish-subscribe middleware and a generic abstraction of components. The model was designed with the intention to produce a finite P/T net to be compatible with current Petri net model checking tools. To build such a model, information about component behavior is necessary. We show that this information is encoded in the system implementation, and we describe potential means for automatic extraction. With the formal Petri net model, we enable the use of established verification methods. We discuss ideas from business process conformance checking and other verification properties that may deepen the system understanding. The proposed methods can be used either for static analysis during design time or to automatically signal issues at runtime.</p>
      </abstract>
      <kwd-group>
        <kwd>eol&gt;Distributed System</kwd>
        <kwd>Event-Driven Architecture</kwd>
        <kwd>Publish-Subscribe</kwd>
        <kwd>Petri Net Model</kwd>
        <kwd>Conformance Checking</kwd>
        <kwd>Verification</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <p>A distributed system is a collaboration between multiple self-contained modules or components.
Since these are usually individually developed separate code bases, this approach promotes
modular development with a high focus on the individual parts.</p>
      <p>However, hard program borders facilitate ignorance to other components and alienate
developers from foreign code bases. Additionally, in the running system, components can connect and
disconnect to the distributed system at any time, changing the system behavior continuously.
It is hard to keep the overview in this context making predictions on the emergent system
behavior exceedingly dificult. Can the required workflows be executed? Which event afects
which component? A simple look at the implementation does not answer these questions and
design documents and specifications also cannot consider every possible system adaptation.</p>
      <p>However, a model of the implementation can be used in combination with a specification to
answer such questions with formal verification. Yet verification can be complicated and increases
development efort. To make these verification methods accessible, the implementation model
should be extracted directly from the implementation. Additionally, if this model uses adequate
abstractions, it stays humanly understandable, and formal methods can be used practically.</p>
      <p>A common abstraction for distributed systems is the Event-Driven architecture paradigm
(EDA). In an EDA system a central middleware connects distributed components using a
standardized communication abstraction. Commonly a publish-subscribe interface is used here.</p>
      <p>
        A benefit in using an EDA model to reason about the emergent system behavior is that message
contents are usually not relevant. Just knowing the event flow already gives a lot of insight,
while the precise forking conditions are often irrelevant for the general system capabilities.
Conveniently, if messages are represented by type instead of their content, messages can be
reduced to a token that is exchanged between communicating components. With this abstraction
Petri nets [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ] become a suitable modeling formalism for publish-subscribe based communication.
      </p>
      <p>
        With a Petri net system model we can use diferent verification methods to compare our
model with a given specification. The specification can take many forms such as logical formulas
and other formalisms such as workflow nets (WF-nets) [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ]. Particularly, WF-nets can again
improve accessibility because they describe business processes that are already widely used
to specify tasks for production targets or services. Additionally, the topic of business process
conformance checking is under current research [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ] as a verification method.
      </p>
      <p>
        In this paper we present a Petri net model of a publish-subscribe system with a generic model
of components for verification purposes. We describe what is necessary to build the model
automatically from component implementations and give examples for usable verification methods.
In particular, we describe how a behavioral specification in form of business processes can be
integrated in the verification process by using methods from business process conformance
checking [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ].
      </p>
    </sec>
    <sec id="sec-2">
      <title>2. Background</title>
      <p>In the following we give an overview of our mainly used concepts to compile a verification
approach for publish-subscribe systems.</p>
      <sec id="sec-2-1">
        <title>2.1. Event-Driven Architecture (EDA)</title>
        <p>
          In EDA, components observe events and notify other components about events using messages.
An event is a “significant change in state” [
          <xref ref-type="bibr" rid="ref4">4</xref>
          ], while the corresponding notification message is
only a representation of the event. Notifications are distributed by a central middleware, the
notification service (NoSe) using a publish-subscribe (pub/sub) API [
          <xref ref-type="bibr" rid="ref5">5</xref>
          ]. Components use the API
to publish messages on a topic. As a result all topic subscribers are informed. This results in a
decoupling of communication in time, space, and synchronization [
          <xref ref-type="bibr" rid="ref6">6</xref>
          ], so that components have
no information about each other and what publication efects they have. Only the notification
service implicitly keeps track of component connections by storing subscriptions.
        </p>
        <p>With EDA, the computation capacity of distributed hardware can be leveraged, e.g. to run
interconnected web services, or to connect physically distributed devices as in IoT applications.</p>
      </sec>
      <sec id="sec-2-2">
        <title>2.2. Petri Nets</title>
        <p>
          Petri nets are a formalism for concurrent processes [
          <xref ref-type="bibr" rid="ref1">1</xref>
          ]. The basic place-transition nets (P/T
net), are defined as a bipartite, directed graph connecting places with transitions and vice versa.
        </p>
        <p>Transitions can consume and produce tokens on places, depending on the connecting arc
direction and weight. Arcs that connect a place  with a transition  in the direction from  to 
make  an input place of . Similarly, if an arc connects a transition  with a place ,  is an
output place of . The set of input places of a transition  is denoted by ∙  and the set of output
places is denoted by ∙ . A similar notation is used for the pre- and post-sets of places.</p>
        <p>A transition is enabled if all input places contain at least as many tokens as the arc weights
specify. Enabled transitions can fire non-deterministically. A firing transition consumes tokens
from the input places and produces tokens on the output places according to the arc weights.</p>
        <p>In a system model, tokens on places represent the system state and transitions represent the
state changes. P/T nets are well investigated, making them a good target for model checking.</p>
        <p>
          However, in classical Petri nets, tokens are indistinguishable from each other. But, to model
systems with practical complexity it is often useful to discriminate them. Colored Petri nets
address this issue by extending Petri nets with a type (or color) for tokens [
          <xref ref-type="bibr" rid="ref7">7</xref>
          ]. To specify which
token types are afected by a firing transition, transitions can be annotated with a guard. A
guarded transition can only fire if the tokens in its input places satisfy the guard conditions.
Colored Petri nets can be unfolded to P/T nets, although the unfolding may be infinite. However,
a finite unfolding enables the use of P/T net model-checking methods.
        </p>
        <p>
          A kind of colored Petri nets are Symmetric Petri nets (introduced as Stochastic Well-Formed
Colored Nets) defined by Chiola et al. [
          <xref ref-type="bibr" rid="ref8">8</xref>
          ]. This net introduces modeling restrictions for custom
analysis methods. In the paper, a grammar is introduced to define the allowed syntax of place
classes, arc labels and transition guards with a corresponding semantics. The class of a place
describes the color of the tokens that can be produced and consumed on that place. Token
colors can be a composition of multiple classes described as a tuple. Arc labels then describe
compositions of classes by an expression. Only tokens matching the expression are allowed as
input for the connected transition. Additionally, the transition guards are predicates that define
restrictions on classes and dependencies between input and output arcs.
        </p>
        <p>Our model will follow the definition from Chiola et al. although we will abbreviate large
transition patterns. In these cases we will show an example for the unabbreviated patterns.
However, we observe that patterns can be unfolded into a P/T net for model-checking.</p>
      </sec>
      <sec id="sec-2-3">
        <title>2.3. Business Processes</title>
        <p>
          Business processes describe a collection of tasks that are used to build a product or that are
involved in a service. A business process may define a series of tasks, parallel tasks, tasks that
are executed conditionally or a combination of these options. There are a variety of business
process models [
          <xref ref-type="bibr" rid="ref9">9</xref>
          ] including Petri net models.
        </p>
        <p>
          Van der Aalst was instrumental to formalize business processes as Petri nets including the
definition of a separate net class called workflow nets [
          <xref ref-type="bibr" rid="ref2">2</xref>
          ]. He defines a workflow net as follows:
“A Petri net PN = (P ; T ; F ) is a WF-net (Workflow net) if and only if:
(i)   has two special places:  and . Place  is a source place: ∙  = ∅. Place  is a
sink place: ∙ = ∅.
(ii) If we add a transition * to PN which connects place  with  (i.e. ∙ * = {}
and * ∙ = {}), then the resulting Petri net is strongly connected.”
He then defines important properties such as safeness and soundness for workflow nets.
        </p>
        <p>
          To facilitate the understanding of business processes in WF-nets, other process models define
translations back to Petri nets [
          <xref ref-type="bibr" rid="ref10">10</xref>
          ]. For example Dijkman et al. defined a translation [
          <xref ref-type="bibr" rid="ref11">11</xref>
          ] for
the Business Process Modeling Notation (BPMN) [
          <xref ref-type="bibr" rid="ref12">12</xref>
          ] and Hinz et al. give a translation [
          <xref ref-type="bibr" rid="ref13">13</xref>
          ] for
the Web Services Business Process Execution Language (BPEL) [
          <xref ref-type="bibr" rid="ref14">14</xref>
          ].
        </p>
      </sec>
    </sec>
    <sec id="sec-3">
      <title>3. Related Work</title>
      <p>
        Petri net models where used before in distributed systems. E.g.: Aldred et al. used Petri
nets to model diferent decoupling approaches in distributed systems [
        <xref ref-type="bibr" rid="ref15">15</xref>
        ]. They analyze the
implications for component interactions over the middleware.
      </p>
      <p>
        Valero et al. and Gomez et al. modeled a publish-subscribe system in a timed colored Petri
net specifically for verification purposes. Their model targets web services with a focus on
message timing and timeouts [
        <xref ref-type="bibr" rid="ref16 ref17">16, 17</xref>
        ]. Hens et al. also used colored Petri nets to model a
publishsubscribe system [
        <xref ref-type="bibr" rid="ref18">18</xref>
        ]. These models focus on the middleware and do not further constraint the
component internals. However, the emergent system behavior dependents in large parts on the
component behavior. For verification purposes it is crucial which states are reachable in every
connected component and how the composed components can interact.
      </p>
      <p>
        Unfortunately, the essence of software components is vague. Szyperski et al. summarize
it as follows: “One thing can be stated with certainty: components are for composition. [...]
Beyond this trivial observation, much is unclear.” [
        <xref ref-type="bibr" rid="ref19">19</xref>
        ]. Becker also identifies composability in
his component model as an important feature [
        <xref ref-type="bibr" rid="ref20">20</xref>
        ]. However, both Szyperski and Becker use the
component abstraction in the software design process and not for verification. They capitalize
on the reusability aspect that follows composability.
      </p>
      <p>
        The EDA paradigm intrinsically exploits the composability by decoupling components [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ].
This not only facilitates reusability but also enables components distribution. In EDA,
components mainly process events and react to them. Lamport et al. [
        <xref ref-type="bibr" rid="ref21">21</xref>
        ], describe this pattern as a
general feature in distributed computing:
      </p>
      <p>“Underlying almost all models of concurrent systems is the assumption that
an execution consists of a set of discrete events, each afecting only part of the
system’s state. Events are grouped into processes, each process being a more or
less completely sequenced set of events sharing some common locality in terms of
what part of the state they afect. For a collection of autonomous processes to act
as a coherent system, the processes must be synchronized.”</p>
      <p>Based on the former descriptions, we define components in an EDA system as a set of processes
that are executed as a reaction to incoming events. During the execution of a process, new
events can be generated to synchronize component state with other components. With this
definition, we can model a publish-subscribe system more precisely and use the model to
improve verification accessibility and expressiveness.</p>
      <p>
        An interesting verification branch uses runtime events to evaluate the system behavior. E.g.:
Schmerl et al. built a colored Petri net from runtime observations [
        <xref ref-type="bibr" rid="ref22">22</xref>
        ]. This relates to process
mining as described by van der Aalst [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ]. He describes how processes can be discovered from
log traces and how to check them against a specification. The specification takes the form of
business processes, which are easy to understand in comparison to e.g.: formulas in a temporal
logic. Carmona et al. describes this process in detail in their book on conformance checking [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ].
Hens et al. also have a take on this idea and compare their model with business processes [
        <xref ref-type="bibr" rid="ref18">18</xref>
        ].
      </p>
      <p>However, models always sufer a credibility gap. While the system implementations can
deviate from manually created models, automatically discovered, log based models can always
be incomplete. Also, models created by both approaches get outdated when the system evolves.
This is why we like to explore system models that are close abstractions from the implementation.
We aim at a model that can be automatically generated from code, to be used for verification.
This approach would make model checking much more user-friendly and afordable.</p>
    </sec>
    <sec id="sec-4">
      <title>4. Publish-Subscribe Model</title>
      <p>In this section we introduce our Petri net model of a publish-subscribe system. We will first
highlight our assumptions. After that, we break down the parts, explain their modeling and
functionality. The parts are then extended with a synchronization structure for fairness
constraints. At the end of this section, we describe what system information is needed to build the
model and how we envision an automatic extraction from the implementation. The complete
model is shown in Figure 9.</p>
      <sec id="sec-4-1">
        <title>4.1. Assumptions</title>
        <p>If we want to analyze the behavior of a complex distributed system, we cannot model every
detail of the component implementations. Instead, we should find the right balance between
abstraction and detail. Our assumptions try to balance model expressiveness and simplicity.</p>
        <p>Given our system follows the EDA paradigm it is reasonable to orient our abstractions
towards EDA principles. This means that the movement of events is a central concept. To
analyze the system behavior it is not essential to know the event content, but which actions
can follow. If the event content determines an event reaction, non-determinism can be used
instead. Consequently, we do not model event contents, only event types.</p>
        <p>
          Additionally, we use channels as event filtering mechanism [
          <xref ref-type="bibr" rid="ref5">5</xref>
          ][Chapter 2.3.1]. This is a
pragmatic limitation to reduce the complexity of the Petri net model, but we believe that the
model can be extended to use more complex filtering mechanisms i.e. subject-based filtering.
        </p>
        <p>Our model use case is to verify a specification is covered; we want to know if a specified
behavior is executable in the system. Therefore, we do not model unexpected failures like e.g.
link failures or message loss and target the analysis of the expected system.</p>
        <p>Also, we only consider the known components. If previously unknown components connect
to the system, the model has to be rewritten.
1 EnvEvent = ee[1-m]
2 Notification = n[1-n]
3 SubState = [true, false]
4 ComponentEvent = EnvEvent, Notification
5 AllEvents = ComponentEvent, SubEvent
6 Component = cpt[1-o]
7 Process = p[1-p]
8 Action = a[1-p]_[1-q]
9 Channel = [envch, ch[1-r]]</p>
        <p>Finally, we exclude loops and recursive functions for publishing behavior. Although valid
in EDA components, we presume that loops are used to compute values, not to communicate.
With this assumption the reachability graph of component processes should be finite.</p>
      </sec>
      <sec id="sec-4-2">
        <title>4.2. Color Classes</title>
        <p>Tokens that are produced on places must satisfy a color domain which is composed of color
classes, e.g.: the  place (see next section) has a domain composed of two
classes  × . In a P/T net this composition is unfolded so that
there is a place for every component-event combination.</p>
        <p>In the implementation the color domain represents required information to execute the
behavior that is molded by the consuming transitions. Following the example this would be the
afected component and what event type is received.</p>
        <p>
          The color classes our model is based on are shown in Figure 1. Classes can be an indexed
list of items (e.g. p[1-p] defines a list containing the processes 1 to ), a list of named items
(e.g. SubState class), or a combination of both (see [
          <xref ref-type="bibr" rid="ref8">8</xref>
          ] for the syntax definition). The indexed
lists are placeholders for named identifiers that are used in an instantiated model e.g.: instead
of an enumeration of event types, we assume a final model will use type names. In particular
the elements of the action class are a placeholder for action instances. While the two indexes
suggest each process (index ) has the same amount of tasks (index ), a model instance will
have a varying number of tasks for each process. The next section gives an example how color
classes are used to define place domains by introducing two central event places.
        </p>
      </sec>
      <sec id="sec-4-3">
        <title>4.3. Events</title>
        <p>Events are the central communication messages sent over the network. However, our usage
of the term ’event’ is not equivalent to the usage in an EDA since our environment exceeds the
EDA borders. We distinguish between three types of events as depicted in Figure 2a:
1. Environment events are sent between components and entities that are not part of the
communication via the NoSe.
2. Subscription events are sent from components to the NoSe to update subscription states.
3. Notifications are used for intercomponent communication. They are published on a
specific channel and forwarded to all channel subscribers by the NoSe.
(a) Components communicate with three kinds of
events: (1) environment events are used to
communicate with the environment, (2)
PubSubEvents are sent to the NoSe and can be a
subscription update or a notification, and (3) the
NoSe distributes notifications back to the
components.</p>
        <p>Events are tokens with a given type. The event type is also a placeholder for the event
contents. Places holding events will unfold to at least one place for every event type.</p>
        <p>Components interact with two main event places (see Figure 4a)  and
NoSeEvents.  cannot be subscription updates and are always directed at
a specific component. NoSeEvents can be any of the three event types and are sent from a
source component. Additionally,   are sent on a specific channel. If the event is a
subscription, the channel is the target for the subscription update. If the event is a notification,
the channel is used by the NoSe to determine the afected subscribers. If the event is an
environment event, the channel should always be the special type ℎ to be consistent with
the place domain. In practice this channel will not be used by the environment.</p>
      </sec>
      <sec id="sec-4-4">
        <title>4.4. Notification Service</title>
        <p>
          The fundamental purpose of the Notification Service (NoSe) is to forward events from one
component to other components. In a publish-subscribe system, components can subscribe
to a topic of events. The NoSe then filters all incoming events according to the subscriptions
before forwarding. There are a variety of filtering mechanisms [
          <xref ref-type="bibr" rid="ref5">5</xref>
          ]. We use the simplest one:
the concept of channels (see Figure 3a). Event producers publish all events with an associated
channel, event consumers can subscribe on the diferent channels, and all components that are
subscribed to the associated channel will be notified.
        </p>
        <p>Internally the Nose has to
1. track subscription states,
2. forward events to all components where the subscription filter applies,
3. drop all events where the filter does not apply, and
4. update the subscription state according to special events.</p>
        <p>
          We describe this behavior as depicted in Figure 3b and 3c. The Distribute transition forwards
events of type Notificationfrom NoseEvents to all components on the DistributedEvents
place. The broadcast is modeled by using the SComponent identifier which encodes the set of
every component defined by the  class (see [
          <xref ref-type="bibr" rid="ref8">8</xref>
          ]). The distributed events are then
either dropped or forwarded to the  place, depending on the state of the
 place.
C
h
a
n
n
e
l
1
C
h
a
n
n
e
l
2
        </p>
        <p>ENvoeSnets Subscribe
&lt;cmpt, chnl, &lt;cmpt, chnl,
substate&gt; subdate&gt;
cmpts.al ⨯
chnls.al ⨯
{false}</p>
        <p>&lt;cmsupbtd,acthen&gt;l,
D(event) = SubState
substate &lt;&gt; subdate
&lt;cmpt, chnl, subdate&gt;</p>
        <p>D(event) = Notification</p>
        <p>&lt;cmpt, chnl,
&lt;cmpt, chnl, subdate&gt; notification&gt;
D(event) = SubState</p>
        <sec id="sec-4-4-1">
          <title>Sub Drop</title>
        </sec>
        <sec id="sec-4-4-2">
          <title>Component</title>
        </sec>
        <sec id="sec-4-4-3">
          <title>Events</title>
          <p>iver, ation&gt;
e c</p>
          <p>fi
&lt;rec noti
&lt;
Subscrl,iptioncshnnl,osnuSbusbtsactrei&gt;ber,
n
r,ch te&gt;
ive sta
e b
rec su
&lt;</p>
        </sec>
        <sec id="sec-4-4-4">
          <title>Notify</title>
          <p>subState = true
Notify Drop &lt;
nonSub
subState = false notification&gt;
chnl,scriber,
&lt;receiver, chnl, notification&gt;</p>
        </sec>
        <sec id="sec-4-4-5">
          <title>Distribute</title>
          <p>&lt;
S
tooennpC
m
,
c
h
n
l,
n
o
it
fi
c
a
it
o
n
&gt;</p>
        </sec>
        <sec id="sec-4-4-6">
          <title>Distributed</title>
        </sec>
        <sec id="sec-4-4-7">
          <title>Events</title>
          <p>(b) The NoSe distributes notifications to subscribers
or updates subscriptions. The subscription
function is idempotent.</p>
          <p>The distribution strongly benefits from a colored Petri net approach. For every combination of
sender, channel and notification type, notifications can be sent to every receiver. In an unfolded
P/T net every place-transition-combination has to be instantiated, resulting in a large structure.</p>
          <p>
            The  transition updates the subscription state of a component if the event is of type
SubState. Additionally, the current subscription has to be diferent from the update. If so the
guard is fulfilled, a token with the old subscription state is consumed for the given component
and channel, and a new token with the new state is produced. If the subscription state is
equal to the received subscription event, the update has to be ignored so that subscriptions are
idempotent [
            <xref ref-type="bibr" rid="ref5">5</xref>
            ]. This case is handled by the SubDrop transition.
          </p>
        </sec>
      </sec>
      <sec id="sec-4-5">
        <title>4.5. Components</title>
        <p>Connected to the NoSe are the distributed components. We put forward a pattern of how
components behave in publish-subscribe systems. This pattern can be explicit or implicit, but
we argue an explicit implementation is beneficial. The pattern consists of the following parts
(illustrated in Figure 4a, 5a and 5b):
• An initialization routine, which may or may not produce events. Often, this routine will
be used to subscribe to channels.
• Receiving events from other components, or the environment (e.g. a sensor or the OS).
• Event deconstruction of received events to select a process as reaction or to drop the event.
• And the execution of the selected Process, which may or may not produce new events.</p>
        <p>Following this pattern a component is a collection of executable processes including one
initialization routine. A component reacts to an incoming event by executing a process based on
the incoming event type and content. The process execution is split into a sequence of actions
that change the system state. For our Petri net model, we only consider actions that publish an
event and the order in which actions can be sequenced.</p>
        <p>Incoming events trigger a deconstruction mechanism. In the implementation this is usually a
switch case equivalent. In our model the deconstruction explicitly either selects a process to
react or ignores the event with two transitions.</p>
        <p>Undefined
cmpts.
al
&gt;
t
p
m
c
&lt;</p>
        <p>Process
&lt;cmpt, p&gt;</p>
        <p>Init
initPr=oicneitsPsroces&lt;sc(mcmpptt,)init&gt; PrNoecxetss
&lt;cmpt, chnl, event&gt;</p>
        <p>NoSe</p>
        <p>Events
event ∉ mustProcess(event)</p>
        <p>Component</p>
        <p>Drop
&lt;cmpt, event&gt;
&lt;cmpt, p&gt;
Deconstruct e&lt;vcemnpt&gt;t,
p ∈ deconstruct(event)</p>
        <p>Component</p>
        <p>Events
(a) Transitions of a component. Events are
received in the ComponentEvents place and send
by a process to the NoSeEvents place.
Processes are selected based on incoming events
by the deconstruction transition. A special init
process is executed on component startup.
actn ∈ endAction(cmpt, p)</p>
        <p>End</p>
        <p>Process
actn = a[process]_1 &lt;cmpt, p, actn&gt;</p>
        <p>PrSotcaertss &lt;cmpt, p, actn&gt; Running</p>
        <p>&lt;cmpt, p, post&gt; &lt;cmpt, p, actn&gt;
(event, chnl, post) ∈ eventAction(cmpt, p, actn)</p>
        <p>Action</p>
        <p>&lt;cmpt, chnl, event&gt;
NoSe</p>
        <p>Events
(b) After it is started a process is in a running
state until it finishes. A running process can
change the system state with actions. Only
actions that produce events are modeled.
1 NextProcess = Component x Process
2
3 Deconstruct | process ∈ deconstruct(event) 1 Undefined = Component
4 ComponentEvents.Deconstruct = &lt;component, event&gt; 2
5 Deconstruct.NextProcess = &lt;component, process&gt;
6
7 ComponentDrop | event ∈/ mustProcess(event)
8 ComponentEvents.ComponentDrop = &lt;component,
event&gt;
3 InitProcess | initProcess = initProcess(</p>
        <p>component)
4 Undefined.InitProcess = &lt;component&gt;
5 InitProcess.NextProcess = &lt;component,
initProcess&gt;
(a) Component deconstruction of incoming events.</p>
        <p>Each event can trigger a process, be dropped or
both.
(b) Every component is initialized with a
specific process. Only initialized components
can receive events.
(c) Processes are selected by the deconstruction mechanism. Each event received by a component can
trigger a process as an event reaction.
dropped or deconstructed non-deterministically.</p>
        <p>The  transition discards events that should be ignored. We abbreviate its
guard predicate with the formula  ∈/  (). To expand the
formula, all cases that do not require a reaction are enumerated as shown in Figure 6b. The
drop transition is enabled for all events that return   for the   relation.</p>
        <p>The  transition is enabled for all events that may return a process. An event can
result in multiple processes non-deterministically. We abbreviate this behavior with the formula
  ∈ (). The formula expands to the pattern shown in
Figure 6d. For every event where   is ,  cannot be  . Or
∀ ∈  :  () ⇒ (). However, an event can be</p>
        <p>During startup, a component usually initializes its state, connects to the NoSe and often
subscribes to a channel. We model this behavior with the   transition. Before the
  transition has fired, the corresponding component state is undefined, and it cannot
receive events (see Section 4.7). Only after initialization, more processes can be queued. We
as shown in Figure 6c. The formula defines exactly one process for each component.
abbreviate the transition predicate with the formula  () →  
A component can produce new events in processes. Figure 1 shows that processes are uniquely
1
2
3
(action = a_x1 AND postAction = a_y1 AND event = e_z1 AND channel = type1) OR
(action = a_x2 AND postAction = a_y2 AND event = e_z2 AND channel = type2) OR
...</p>
        <p>(a) Action transition pattern.
1 event != e1 AND
2 event != e2 AND
3 ...
1 (component = c1 AND init = p1) OR
2 (component = c2 AND init = p2) OR
3 ...
(b) Component drop transition pattern.
(c) Init process transition pattern.
1 (event = e1 AND process = p1) OR
2 (event = e1 AND process = p2) OR
3 (event = e2 AND process = p1) OR
4 (event = e2 AND process = p3) OR
5 ...
identified with an ID, indicated by the  class. In the model a process is gated by a start
and an end transition. Between these two transitions, the process is in its running state,
where a sequence of actions is executed. In the component implementation, the start transition
corresponds to the function call of the given process. The guard of the start transition ensures
that the first action of the given process is produced.</p>
        <p>Each action is executed by the  transition and always produces an event. Actions are
indexed by a process ID and an action ID (see Figure 1). An action that produces a Notification
corresponds to a call to the ℎ function in the publish-subscribe interface. An action that
produces a  event corresponds to a call to the  or  function in
the publish-subscribe interface. An action that produces an EnvEvent corresponds to the part
of the code that interacts with the environment.</p>
        <p>In a custom framework it might be useful to publish environment events with the
publishsubscribe interface, on the special ℎ channel, for easy parsing.</p>
        <p>The action transition predicate generates all possible action sequences and is abbreviated with
the formula (, ℎ, ) ∈ (,  , ).
If a process includes a condition that produces multiple event sequences, an action can produce
diferent followup actions. Thus, multiple transitions are enabled non-deterministically.
Consequently, the guard maps the parameters from the  place domain to at least one tuple of
(, ℎ, ). The expanded pattern is shown in Figure 6a</p>
        <p>The end transition corresponds to the return statement of the function previously called with
the start transition. The guard of the end transition is an enumeration of end actions abbreviated
by the formula  ∈ (,  ). The pattern expansion is shown
in Figure 6e. It is possible that  and end action are simultaneously enabled to allow
conditional endings of a process. However, every action sequence requires an end action as last
action to ensure process termination.
1 EnvEvents = Component x EnvEvent
2
3 Sense | - // no guard
4 EnvEvents.Sense = &lt;component, event&gt;
5 Sense.ComponentEvents = &lt;component, event&gt;
6
7 EnvironmentOut | D(event) = EnvEvent
8 | channel = envch
9 NoSeEvents.EnvironmentOut = &lt;component, channel, event&gt;
10
11 EnvironmentIn |
12 EnvironmentIn.EnvEvents = &lt;component, event&gt;</p>
      </sec>
      <sec id="sec-4-6">
        <title>4.6. Environment Model</title>
        <p>The system environment contains every entity that cannot use EDA abstractions to communicate
with components, e.g.: human interaction, sensors or OS events. Because it is highly individual,
we make no assumptions of its behavior. However, for a basic compatibility we define a default
behavior with two transitions: EnvironmentIn and EnvironmentOut . These transitions can
produce and consume EnvEvents in any order; at any time.</p>
        <p>In general each component has a unique sensing capability (e.g. a specific combination of
sensors). Therefore, produced environment events always target a component. Consequently,
the domain of the EnvEvents place is a tuple consisting of a produced event and a targeted
component. Idle components can then sense environment events, deconstruct them and react
with process actions.</p>
        <p>For verification purposes it is useful to restrict the production of events to specific start events
and collect produced events. This can be achieved by removing the EnvironmentIn transition,
putting the desired start event on the EnvEvents place, and adding an output place to the
EnvironmentOut transition that collects the events consumed from the NoseEvents place.</p>
      </sec>
      <sec id="sec-4-7">
        <title>4.7. Synchronization</title>
        <p>Modelling just the communication routes of our system is insuficient if events and processes
have ordering constraints. To bind the arrival of an event to a process execution, we introduce
a ComponentIdle place. If an event arrives via Notify or Sense, a token from the receivers
ComponentIdle place is consumed. Components cannot receive new events with an empty
ComponentIdle place. The ComponentEvents place is therefore safe. The StartProcess
transition returns the ComponentIdle token after deconstruction, freeing the event reception. As
a result, component processes can run in parallel. The execution order depends on the event
arrival order. Initially the ComponentIdle place is not marked to ensure the   is
always started first.</p>
        <p>
          Events can only accumulate in an arbitrary order in the NoSeEvents and DistributedEvents
places; the models only unbounded places (excluding environment places like EnvEvents since
the environment has no canonical form). However, often it is desirable to guarantee event
ordering constraints. A similar problem is formulated in the literature for distributed event
1 Source = Component
2 Sync = Component
3 ComponentIdle = Component
4 NoSeIdle = {}
5
6 StartProcess.ComponentIdle = &lt;component&gt;
7 ComponentDrop.Idle = &lt;component&gt;
8 ComponentIdle.Sense = &lt;component&gt;
9 ComponentIdle.Notify = &lt;receiver&gt;
10
11 Sync.Action = &lt;component&gt;
12 EnvironmentOut.Sync = &lt;component&gt;
13
14 Distribute.Source = &lt;component&gt;
15 Subscribe.Source = &lt;component&gt;
16 SubDrop.Source = &lt;component&gt;
1 Done = {}
2
3 Notify.Done = &lt;{}&gt;
4 NotifyDrop.Done = &lt;{}&gt;
5 Subscribe.Done = &lt;{}&gt;
6 SubDrop.Done = &lt;{}&gt;
7
8 NoseIdle.Distribute = &lt;{}&gt;
9 NoseIdle.SubDrop = &lt;{}&gt;
10 NoseIdle.Subscribe = &lt;{}&gt;
11
12 Resume | - // no guard
13 Resume.NoseIdle = &lt;{}&gt;
14 Resume.Sync = &lt;component&gt;
15 Source.Resume = &lt;component&gt;
16 Done.Resume = &lt;{}&gt;
systems. Muehl et. al. [
          <xref ref-type="bibr" rid="ref5">5</xref>
          ][Chapter 2.5.3] distinguish four orderings:
1. No ordering: No guarantees are given on the event ordering.
2. FIFO ordering: "[...] the notifications that are published by a component 1 should not
be delivered to a component 2 in an order diferent from the order in which they were
published." All outgoing events from a single Component are ordered. Events can be
shufled, but events from a single source arrive in the order that they were sent.
3. Causal ordering: "[...] if there is a sequence of components 1, ...,  such that each
component  publishes a notification  that is notified to component +1 if  &lt;  then
a component  should not be notified about 1 after it was notified about ." In causal
ordering, event chains that span multiple components are ordered.
4. Total ordering: "[...] if a component 1 is notified about 1 and eventually notified about
2, then a component 2 should not be notified about 1 after it was notified about 2."
Events are ordered globally, but events can be omitted for single components.
        </p>
        <p>We add a synchronization mechanism between components and NoSe to ensure event ordering
constraints. The NoSe can only process events if NoseIdle is marked. After the final transition
has fired (i.e. Notify , Subscribe or the corresponding drop transitions) a token is produced on
the  place and the  transition resets the event processing transitions.</p>
        <p>The Sync place then ensures synchronization between NoSe and Components. A  token
is required to enable the  transition. We can guarantee FIFO ordering with a Sync place
domain over all , or Total ordering with a single shared token for all components.
Only after the previous event has been delivered and the  transition has fired the next
action can produce a new event.</p>
        <p>To guarantee Causal ordering the notification service needs to store additional information.
Firstly, the past notification order, and secondly, which event was already delivered to which
consumer. This would be a complex addition to the model and is therefore excluded.
n
o
C
s
c&lt;m itcoafi</p>
        <p>n
o
N
t
Tom Meyer CEUR Workshop Proceedings
n
o
i
t
a
c
i
f
i
t
No is
=t) l,n D
en ch n&gt;
ve( ,tp ito
D
&gt;
e
t
a
d
b
u
s
l,
n
h t&gt;
taetS ,tcp p &lt;cmp
e Sub cm ro
c = &lt; D
i ) b</p>
        <p>t
v en e&gt; uS
re e(vD tadb</p>
        <p>u
S l,s
n
h
n tea et ,</p>
        <p>c
o St da tp e
it Sub sub cm irb tcpm saudb
a = &lt;&gt; &lt; c
sb &lt;
uS l, lla⨯ ll⨯
&gt;
n
o
e ti
rop slaf ifica</p>
        <p>D = ot
r, &gt; ifty tate nl,n
pt,&gt;lnhc,t&gt;petmatcsbus oenD &lt;noncShunbls,csruibbestate oN ubsS receiver,ch
&lt;cml,,cnh te&gt;
&lt;
nhc ,revi ecer &lt; ircp,l ifto e=t
s
iton y true
s N ta
ub Sbu</p>
        <p>s
tnevEvnE =)tneve(D no ven
= lennahc iv (cmp t&gt; &lt;hcvne
n t&gt;
e ) l,veen ten &lt;cmpt&gt;
m nt n m t
n ac ch n u</p>
        <p>, ,t iro O
o p p v
r t, cm En
n cit l,e
E At n
en ch
v ,
e t</p>
        <p>t&gt;
ven
,e
t
p
cm
e &lt;
s
n
e</p>
        <p>S
t&gt;
∈ pm p
)ts c&lt; &lt;cm
o
p
,
l
n n
ch io</p>
        <p>t
,t c
n A
e
v
e
(
n
e
v
e
t t(
c c
,tpp&gt; trsoun trsunoec
m c d
c e ∈
&lt; D p
&gt;
t
n
e
v
e
&gt; ,t
tcp&lt;m toennp rop c&lt;
p
m
s&gt;
c&lt;m(ssec
c
o
ss tPr
t
n
e
on le
p Id
,tcpm tven&gt;
&lt; e
s
t s
x e
e c
N ro</p>
        <p>P
&gt;
t
s
o
p
,
p
,t
p
m
c
&lt;
m D
o</p>
        <p>C</p>
      </sec>
      <sec id="sec-4-8">
        <title>4.8. Building the Net</title>
        <p>The complete model is shown in Figure 9. For assembly, all variables need to be instantiated,
i.e.: the final enumeration for all color classes (Figure 1) and the final transition guards. We
distinguish between the following kind of information:
Static information is encoded in the component implementations and known at compile
time. For each compiled component the processes and action transitions are static. As a result
the Process and  classes can be enumerated completely at compile time. Additionally,
initialization processes and event deconstruction is static. Consequently, the transition guards
for the initProcess, deconstruct and mustProcess transition can be generated.</p>
        <p>However, action sequences are still incomplete since the used channels and event types can
depend on the component state. Hence, the remaining classes are dynamic.</p>
        <p>Dynamic information For behavior that depends on the component state, we need
assumptions or further knowledge to build the model. This knowledge might be known by the system
designers or accumulated dynamically at runtime. However, newly discovered information then
requires a rebuild of the model making all previous analysis obsolete.</p>
        <p>The most characteristic dynamic information in the model are the involved components.
During the system lifetime components can disconnect and entirely new components can
connect. Thus, the enumeration of components in the -class changes. Newly
introduced components also introduce new events and channels. This makes the Notification,
EnvEvent and Channel classes also dynamic.</p>
        <p>Furthermore, actions may change the channels on which events are published. While the
domain of event types is static, channels are usually unrestricted i.e.: represented as strings.
Creating an infinite number of new channels is entirely possible. Consequently, for newly
introduced event-channel combination, a new action instance has to be added to the guard of
the  transition. If this action is also an end action, the EndProcess transition has to be
updated as well. The new action instance will still have the same ID and post action.
Environment Information is what interacts with the system not using a publish-subscribe
interface. However, the environment transitions introduced in Section 4.6 can be replaced with a
more sophisticated environment model. In this case, the environment model has to be provided
for the system composition.</p>
        <p>The Initial marking depends on the use case. Yet, the ComponentEvents place is the most
noteworthy to be marked. An initial set of events can be defined here. If desired components can
be individually initialized by moving tokens from the Undefinedplace to the ComponentIdle
place and setting the subscription state for a set of component-channel combinations to .
Additionally, the NoSeIdle place should be marked initially.</p>
      </sec>
      <sec id="sec-4-9">
        <title>4.9. Automatic Extraction of Static Information</title>
        <p>Manually collecting information that is already available in the component implementation
is cumbersome and prone to errors. Instead, it is desirable to parse the implementation for
information. We think this is possible with a static code analysis at compile time if the code:
1. uses a recognizable publish-subscribe-interface,
2. marks the initialization process,
3. has a deconstruction function of the form () →   with parsable
event cases,
4. uses the same kind of event deconstruction for environmentally caused processes, and
5. marks environment interactions in a manner that is parsable, e.g.: with an interface,
structured logs or comments.</p>
        <p>This functionality could be integrated to an existing publish-subscribe client library. Besides
the already existing publish-subscribe interface, this library could export a component interface
with a deconstruction function and a distinct function to send environment events. Additionally,
a basic process interface could be provided to encapsulate the event reactions. Then a static code
analysis has to extract the following information from the implementation for each component:
1. The process that is used for initialization.
2. All possible event-process combinations in the deconstruction routine.</p>
        <p>3. All possible action sequences.</p>
        <p>The initialization process can be assigned to a known variable, so it can be extracted by reading
this variable.</p>
        <p>To parse the event-process combinations the return values (started processes) of the
deconstruction function have to be related to a causing event. We assume this is usually done in a
switch-case block, a matching statement or similar kinds of case distinction. Given the simple
form that each event is handled by one case arm and each case returns at least one process, an
extraction method traverses all case arms, stores the event for each case, and adds the returned
processes to the stored event.</p>
        <p>To extract the action sequences from a process, the process implementation has to be searched
for all sequence paths. For this, we can build a reduced control flow graph, which only contains
the event publishing statements. Occurring function calls can be replaced with the control flow
of the called function. As long as no recursion is used, the graph will be finite.</p>
        <p>In the reduced control flow graph every event publishing is an action and the possible
successor actions as well as end actions are known. For actions with static channels, we
can then build the complete transition guard. However, for actions with variable publishing
information we can only build an action template at compile time. If no further input is given
by the system designer, we require runtime information to generate the action instances.</p>
      </sec>
    </sec>
    <sec id="sec-5">
      <title>5. Using the Publish-Subscribe Model for Verification</title>
      <p>After model assembly we can use it to further our system understanding. This can be done with
diferent verification methods at diferent stages in the software life cycle.</p>
      <p>On the one hand we can run a static analysis during design time, before deployment. In this
stage the system has no current state i.e. we do not know which components are connected.
Instead, a reference state has to be defined for verification. This can be a default state or a
scenario of interest. Since static analysis is not constrained by runtime requirements, it can be
used with time or computation intensive verifications methods on dedicated hardware.</p>
      <p>
        On the other hand, the model can be continuously updated for a dynamic analysis at runtime,
to verify properties on the current system state. Although, dynamic analysis can be resource
limited, it has the advantage of direct feedback. With our model we can reflect on the currently
executable behavior to inform about errors or trigger required system adaptations. This is
comparable to use cases envisioned in models@run.time by Blair et al. [
        <xref ref-type="bibr" rid="ref23">23</xref>
        ].
      </p>
      <p>Additionally, not only the analysis phase influences the used verification methods, but also
the unique system features. However, during modeling we collected properties that may indicate
structural or semantic mistakes in the system design. Such properties can be defined once by
experienced people and used anywhere in a general toolkit. Before we address custom business
process specifications we like to give a short record of potentially general properties.</p>
      <sec id="sec-5-1">
        <title>5.1. General Verification Problems</title>
        <p>The model can be used with current Petri net model-checking tools for verification. During
modeling we thought of this non-exhaustive list of properties that might be of interest to
evaluate:
• Live locks: Usually the system reacts to an input event with a finite sequence of followup
events. Afterwards the system returns into a listening state where no transition can fire
before a new environment event is introduced into the system.
• Dead components: can this component be reached from an initial marking?
• Distance: Given an event produced by a component, how many other components are
needed before a token is produced on the event input of a target component?
• Dead messages: is there an unproduced message type for an initial marking.
• Short circuits: is there a component that can send messages to itself for any incoming
message type? This behavior can cause a live lock and message flooding.
• Event cascades: which events can be caused by a starting event (up to a maximum depth)?</p>
        <p>If all possible cascades are finite the system will always "terminate" into a listing state.
• Event sequences: can a sequence of events occur from a given initial marking?
However, a graphical workflow specification can make verification more accessible, since it
is more comprehensive. But to use workflows, a mapping to the system model is needed.
5.1.1. Business Process Mapping
For the comparison of the publish-subscribe model with a business process, we first need a
mapping relation between both. We assume the business process has the form of a WF-net and
will address them as workflow from here on.</p>
        <p>Finding a mapping is potentially the largest added human labor in our approach. Each task
in the workflow needs to be mapped to a substructure in the implementation model. With a
careful design the additional development overhead can be limited i.e. by mapping task names
to matching event names. But this may not always be possible.</p>
        <p>
          Every well-formed WF-net has three features that need to be mapped: a single start event a
single end event and the tasks that describe the business process.
Mapping the start event: Van der Aalst makes the case that workflows [
          <xref ref-type="bibr" rid="ref2">2</xref>
          ] can be best
analyzed on a single case basis to avoid case mixing. Therefore, the start event is mapped
to a single token on the  place. The place’ color domain,  ×
, gives a hint to the token semantics: it encodes an event sensing component
and the sensed event, which is either an environment event or a notification. As a result, the
corresponding marking has the form EnvEvents(startcomponent , startevent ).
Mapping the end event: An end event is mapped to a token on the NoseEvents place with
the color domain  × ℎ × . The token must be contained in a set
of possible end tokens where the event type fixed and  × ℎ is variable. A
marking with such a token is equivalent to a workflow in its end state. The marking in our
model has the form (, ℎ, ) where  are
all connected components, ℎ are all known channels and  is the fixed event
type of the final event.
        </p>
        <p>
          In contrast to a workflow in its end state, the execution of the publish-subscribe model can
continue. Usually other events exist and other component processes can be executed.
Mapping Tasks: The task semantics in a workflow is vague. Van der Aalst states that it
"corresponds to a generic piece of work" [
          <xref ref-type="bibr" rid="ref2">2</xref>
          ] and that transitions in its Petri net representation,
"abstracts from the internal behavior of a task".
        </p>
        <p>
          As a result an abstract workflow task transition may not map directly to a transition in
our model, because they represent dissimilar concepts. However, it is reasonable to assume
that a workflow task is constraint by a component process for the following reason: software
components in general encapsulate some functionality for system composition [
          <xref ref-type="bibr" rid="ref19">19</xref>
          ]. In the
context of our model, this is the ’work’ component processes do. The work done by a workflow
task is related to the same behavior, just from another point of view. Given this relation, the
case that a workflow task is more general than a component process, seems unlikely.
        </p>
        <p>Yet, tasks and processes are not equivalent. Indeed, multiple tasks can be executed in a single
process. In a special case, every task is represented by a single action. However, since actions are
derived from code while tasks are derived from business processes, this perfect fit is unreliable.
Actions with and without an associated task usually take turns.</p>
        <p>Thus, some actions can be executed without an associated task and tasks may be associated
with multiple actions. The latter case is divided into two variants: either the actions represent
the same work just on diferent paths in the implementation (e.g. a call to publish in a function
that is called at diferent locations), or the task spans multiple actions. If the task spans multiple
actions it begins with an initial action and ends with a succeeding action in the current process.
We know that the task is done, when the last successor action has fired. If multiple actions mark
the end of a task because of conditions in the path, executing one is suficient to mark the end.</p>
        <p>In an additional, undesirable relation there is no transition a task can be mapped to. This is
the case for tasks that do not result in a significant state change in the publish-subscribe model.
As a result no action transition is generated. Again, we assume this to be a rare case, because
chances are, a system specification is reflected in the system implementation.</p>
        <p>Nonetheless, this case needs to be resolved with a surrogate transition, marking task
completion. A special surrogate is the execution of the end process transition: given a task is finished
somewhere in a process, we know it is finished not later than the containing process.
Alternatively, a dummy action, publishing a dummy event, added to the component implementation
can be used as surrogate. Since a task completion is usually desired information, we can even
consider this state change as significant and require a published event. Such events might also
be desirable in other parts of the development, e.g. for logging. Otherwise, another existing
action can act as surrogate if it is known to be executed after the task is done.</p>
        <p>This leaves us with the following mapping possibilities:
1. Mapping the task to a single action.
2. Mapping the task to the last action(s) of a collection of connected actions.
3. Mapping the task to multiple actions that represent the same unit of work.
4. Mapping the task to a surrogate transition where the surrogate is one of the following:
a) The Process End transition.
b) A synthetic action added in the implementation, i.e.: publishing an additional event.
c) A single or multiple actions on diferent paths, that are known to be executed directly
after the given task has been finished.</p>
        <p>The mapping relation then is a relation task → target where target ⊆
Action ∨ target ∈ Process.</p>
      </sec>
      <sec id="sec-5-2">
        <title>5.2. Business Process Verification</title>
        <p>With a workflow specification, the publish-subscribe model and a mapping relation between
the two, we can collect assurance that the model conforms to the workflow.</p>
        <p>
          Compared to the conformance checking literature [
          <xref ref-type="bibr" rid="ref3">3</xref>
          ] we have a special case. Usually
conformance checking is done on previously gathered event traces. Either to check if the business
process models an observed trace or to check if a trace conforms to the business process.
However, instead of an event trace, we have a Petri net model that is able to generate all possible
event traces. We want to know if our implementation model conforms to a business process
(represented as WF-net). In this section we like to sketch out how this can be achieved.
        </p>
        <p>A minimal conformance requirement is the existence of the previously discussed mapping. In
a running system, components can connect and disconnect to the broker at any time. However,
disconnected components cannot react to events making all internal actions unreachable. Since
unreachable parts cannot be executed, we cannot map tasks of a business process to them.
As a result a first inexpensive test can check the existence of a given mapping to all connected
components. If no complete mapping exists, the workflow cannot be executed in our system.</p>
        <p>
          If a mapping exists, further methods can be applied. Rule checking is a conformance checking
method that can be extended to our model. In rule checking, diferent rules are extracted from
the workflow to confirm the rules are observed in the event trace [
          <xref ref-type="bibr" rid="ref3">3</xref>
          ]. For example, a certain
activity always precedes another or two activities are never executed in the same case. The same
rules should hold in the publish-subscribe model. If they are translated into a logical formula, a
model checker can be used to search for proof that the rule holds, or generate counterexamples.
        </p>
        <p>
          A more extensive, but also a more expensive, verification method can be based on a reachability
analysis. For both the workflow and the publish-subscribe model we can build a reachability
graph (given a finite state space). Having both graphs, we can check for similarity with diferent
approaches. Hens et al. suggested [
          <xref ref-type="bibr" rid="ref18">18</xref>
          ] to show that the publish-subscribe net is branching
bisimilar [
          <xref ref-type="bibr" rid="ref24">24</xref>
          ] to the business process, preserving its branching structure. This results in an
observational equivalence so that the same event sequences can be observed (including silent
intermediate events). Branching bisimilarity requires a symmetric relation that relates both
graphs and fulfill some properties [
          <xref ref-type="bibr" rid="ref24">24</xref>
          ]. If it can be shown that our mapping relation fulfills
these properties, our publish-subscribe model is observational equivalent to the workflow.
        </p>
        <p>Without a pure equivalence we may show that all, or at least some possible workflow event
sequences are observable in the publish-subscribe model. For this all transition sequences can
be generated, and a model checking tool can verify the existence in the publish-subscribe net.</p>
        <p>
          An even weaker equivalence can measure the alignment of transition sequences between
workflow and implementation model [
          <xref ref-type="bibr" rid="ref3">3</xref>
          ]. Alignment of two transition sequences increases
the more synchronous moves workflow and system model do, i.e. transitions related by our
mapping fire in the same order. If related transitions fire in a diferent order, alignment decreases.
Depending on the requirements, an imperfect alignments may sufice to show conformance.
        </p>
        <p>
          Additionally, van der Aalst describes workflow related properties that could be applied to our
model [
          <xref ref-type="bibr" rid="ref2">2</xref>
          ]. E.g. all transitions in a WF-net should be alive and on a path between start place to
end place. These properties should also hold for the mapped tasks. A weaker version of this
property can verify the reachability of an end marking from the initial marking.
        </p>
        <p>During runtime, our model changes e.g. if previously unknown components connect to the
NoSe. As a result previously evaluated properties have to be reevaluated. Therefore, runtime
evaluations need to be adjusted to the model complexity and the available resources. For
example checking the existence of a mapping should be cheap while reachability based methods
can get impractical. The methods of conformance checking seem like a good middle way
between computability and expressiveness as well. And they have the added benefit to be
directly applicable on observed logs besides event traces that where sampled from our model.</p>
      </sec>
    </sec>
    <sec id="sec-6">
      <title>6. Conclusion</title>
      <p>In this paper we presented a symmetric Petri net model of a publish-subscribe system for
verification. We explicitly included a generic component model to represent the state of the
composed system. Since the behavior of an EDA system is largely characterized by components
interchanging events, our abstractions reduce events to types without event contents.</p>
      <p>A framework conforming to our component model could use static code analysis to
automatically compose a model instance from component implementations. However, the resulting
model may depend on runtime information like involved components and channel names. In
this case the model can be managed and adapted by the central notification service at runtime.</p>
      <p>We showed which part of the model is static and which is dynamic. Since components are
modelled explicitly, a mapping of business process tasks to model transitions can be found. This
enables a comparison of the system capabilities, with business processes behavior specified as
workflow nets. We showed a variety of methods that can be used for the comparison partially
inspired by business process conformance checking. Some of these methods are inexpensive
enough to be tested at runtime to increase assurance.</p>
      <p>A framework implementation that supports building the model with a high level of automation
is desirable future work. The minimally constraining component model still allows expressive
process behavior but may also make model checking highly accessible for EDA systems.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <given-names>C. A.</given-names>
            <surname>Petri</surname>
          </string-name>
          , Kommunikation mit Automaten,
          <source>Ph.D. thesis</source>
          , University of Bonn,
          <year>1962</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <surname>W. M. P. Van Der</surname>
            <given-names>Aalst,</given-names>
          </string-name>
          <article-title>THE APPLICATION OF PETRI NETS TO WORKFLOW MANAGEMENT</article-title>
          ,
          <source>Journal of Circuits, Systems and Computers</source>
          <volume>08</volume>
          (
          <year>1998</year>
          )
          <fpage>21</fpage>
          -
          <lpage>66</lpage>
          . doi:
          <volume>10</volume>
          .1142/ S0218126698000043.
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name>
            <given-names>J.</given-names>
            <surname>Carmona</surname>
          </string-name>
          ,
          <string-name>
            <surname>B. van Dongen</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Solti</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Weidlich</surname>
          </string-name>
          ,
          <source>Conformance Checking: Relating Processes and Models</source>
          , Springer International Publishing, Cham,
          <year>2018</year>
          . doi:
          <volume>10</volume>
          .1007/ 978-3-
          <fpage>319</fpage>
          -99414-7.
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name>
            <surname>K. M. Chandy</surname>
          </string-name>
          ,
          <article-title>Event-driven applications: Costs, benefits and design approaches</article-title>
          ,
          <source>Gartner Application Integration and Web Services Summit</source>
          <year>2006</year>
          (
          <year>2006</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <string-name>
            <given-names>G.</given-names>
            <surname>Mühl</surname>
          </string-name>
          ,
          <string-name>
            <given-names>L.</given-names>
            <surname>Fiege</surname>
          </string-name>
          ,
          <string-name>
            <given-names>P.</given-names>
            <surname>Pietzuch</surname>
          </string-name>
          ,
          <source>Distributed Event-Based Systems</source>
          , Springer-Verlag, Berlin,
          <year>2006</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [6]
          <string-name>
            <given-names>P. T.</given-names>
            <surname>Eugster</surname>
          </string-name>
          ,
          <string-name>
            <given-names>P. A.</given-names>
            <surname>Felber</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R.</given-names>
            <surname>Guerraoui</surname>
          </string-name>
          ,
          <string-name>
            <surname>A.-M. Kermarrec</surname>
          </string-name>
          ,
          <article-title>The many faces of publish/subscribe</article-title>
          , ACM Computing Surveys
          <volume>35</volume>
          (
          <year>2003</year>
          )
          <fpage>114</fpage>
          -
          <lpage>131</lpage>
          . doi:
          <volume>10</volume>
          .1145/857076.857078.
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [7]
          <string-name>
            <given-names>K.</given-names>
            <surname>Jensen</surname>
          </string-name>
          ,
          <source>Coloured Petri Nets: Basic Concepts</source>
          ,
          <source>Analysis Methods and Practical Use</source>
          , Springer Science &amp; Business
          <string-name>
            <surname>Media</surname>
          </string-name>
          ,
          <year>1996</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          [8]
          <string-name>
            <given-names>G.</given-names>
            <surname>Chiola</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C.</given-names>
            <surname>Dutheillet</surname>
          </string-name>
          , G. Franceschinis,
          <string-name>
            <given-names>S.</given-names>
            <surname>Haddad</surname>
          </string-name>
          ,
          <article-title>Stochastic well-formed colored nets and symmetric modeling applications</article-title>
          ,
          <source>IEEE Transactions on Computers</source>
          <volume>42</volume>
          (
          <year>1993</year>
          )
          <fpage>1343</fpage>
          -
          <lpage>1360</lpage>
          . doi:
          <volume>10</volume>
          .1109/12.247838.
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          [9]
          <string-name>
            <surname>W. M. P. van der Aalst</surname>
          </string-name>
          , Process Mining: Discovery, Conformance and Enhancement of Business Processes, Springer, Berlin, Heidelberg,
          <year>2011</year>
          . doi:
          <volume>10</volume>
          .1007/978-3-
          <fpage>642</fpage>
          -19345-3.
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          [10]
          <string-name>
            <given-names>N.</given-names>
            <surname>Lohmann</surname>
          </string-name>
          , E. Verbeek,
          <string-name>
            <given-names>R.</given-names>
            <surname>Dijkman</surname>
          </string-name>
          ,
          <article-title>Petri Net Transformations for Business Processes - A Survey, in:</article-title>
          K. Jensen, W. M. P. van der Aalst (Eds.),
          <source>Transactions on Petri Nets and Other Models of Concurrency II</source>
          , volume
          <volume>5460</volume>
          , Springer Berlin Heidelberg, Berlin, Heidelberg,
          <year>2009</year>
          , pp.
          <fpage>46</fpage>
          -
          <lpage>63</lpage>
          . doi:
          <volume>10</volume>
          .1007/978-3-
          <fpage>642</fpage>
          -00899-
          <issue>3</issue>
          _
          <fpage>3</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          [11]
          <string-name>
            <surname>R. M. Dijkman</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          <string-name>
            <surname>Dumas</surname>
            ,
            <given-names>C.</given-names>
          </string-name>
          <string-name>
            <surname>Ouyang</surname>
          </string-name>
          ,
          <article-title>Semantics and analysis of business process models in BPMN</article-title>
          ,
          <source>Information and Software Technology</source>
          <volume>50</volume>
          (
          <year>2008</year>
          )
          <fpage>1281</fpage>
          -
          <lpage>1294</lpage>
          . doi:
          <volume>10</volume>
          .1016/j. infsof.
          <year>2008</year>
          .
          <volume>02</volume>
          .006.
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          [12]
          <string-name>
            <given-names>O. F. A.</given-names>
            <surname>Specification</surname>
          </string-name>
          ,
          <article-title>Business process modeling notation specification, février (</article-title>
          <year>2006</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          [13]
          <string-name>
            <given-names>S.</given-names>
            <surname>Hinz</surname>
          </string-name>
          ,
          <string-name>
            <given-names>K.</given-names>
            <surname>Schmidt</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C.</given-names>
            <surname>Stahl</surname>
          </string-name>
          , Transforming BPEL to Petri Nets, in: W.
          <string-name>
            <surname>M. P. van der Aalst</surname>
            ,
            <given-names>B.</given-names>
          </string-name>
          <string-name>
            <surname>Benatallah</surname>
            ,
            <given-names>F.</given-names>
          </string-name>
          <string-name>
            <surname>Casati</surname>
            ,
            <given-names>F.</given-names>
          </string-name>
          <string-name>
            <surname>Curbera</surname>
          </string-name>
          (Eds.),
          <source>Business Process Management, Lecture Notes in Computer Science</source>
          , Springer, Berlin, Heidelberg,
          <year>2005</year>
          , pp.
          <fpage>220</fpage>
          -
          <lpage>235</lpage>
          . doi:
          <volume>10</volume>
          .1007/ 11538394_
          <fpage>15</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          [14]
          <string-name>
            <surname>S. OASIS</surname>
          </string-name>
          ,
          <article-title>Web services business process execution language version 2</article-title>
          .0, http://www. oasis-open. org/committees/tc_home. php? wg_abbrev= wsbpel (
          <year>2007</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          [15]
          <string-name>
            <given-names>L.</given-names>
            <surname>Aldred</surname>
          </string-name>
          ,
          <string-name>
            <surname>W. M. P. van der Aalst</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          <string-name>
            <surname>Dumas</surname>
          </string-name>
          ,
          <string-name>
            <surname>A. H. M. ter Hofstede</surname>
          </string-name>
          ,
          <article-title>On the Notion of Coupling in Communication Middleware</article-title>
          , in: R.
          <string-name>
            <surname>Meersman</surname>
            ,
            <given-names>Z.</given-names>
          </string-name>
          Tari (Eds.),
          <article-title>On the Move to Meaningful Internet Systems 2005: CoopIS, DOA, and</article-title>
          <string-name>
            <surname>ODBASE</surname>
          </string-name>
          , Lecture Notes in Computer Science, Springer, Berlin, Heidelberg,
          <year>2005</year>
          , pp.
          <fpage>1015</fpage>
          -
          <lpage>1033</lpage>
          . doi:
          <volume>10</volume>
          .1007/11575801_6.
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          [16]
          <string-name>
            <given-names>V.</given-names>
            <surname>Valero</surname>
          </string-name>
          ,
          <string-name>
            <given-names>H.</given-names>
            <surname>Macià</surname>
          </string-name>
          , G. Díaz,
          <string-name>
            <given-names>M. E.</given-names>
            <surname>Cambronero</surname>
          </string-name>
          ,
          <article-title>Colored Petri Net Modeling of the Publish/Subscribe Paradigm in the Context of Web Services Resources</article-title>
          , in: M.
          <string-name>
            <surname>Núñez</surname>
          </string-name>
          , M. Güdemann (Eds.),
          <source>Formal Methods for Industrial Critical Systems, Lecture Notes in Computer Science</source>
          , Springer International Publishing, Cham,
          <year>2015</year>
          , pp.
          <fpage>81</fpage>
          -
          <lpage>95</lpage>
          . doi:
          <volume>10</volume>
          . 1007/978-3-
          <fpage>319</fpage>
          -19458-
          <issue>5</issue>
          _
          <fpage>6</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>
          [17]
          <string-name>
            <given-names>A.</given-names>
            <surname>Gómez</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R. J.</given-names>
            <surname>Rodríguez</surname>
          </string-name>
          ,
          <string-name>
            <surname>M.-E. Cambronero</surname>
            ,
            <given-names>V.</given-names>
          </string-name>
          <string-name>
            <surname>Valero</surname>
          </string-name>
          ,
          <article-title>Profiling the publish/subscribe paradigm for automated analysis using colored Petri nets</article-title>
          ,
          <source>Software &amp; Systems Modeling</source>
          <volume>18</volume>
          (
          <year>2019</year>
          )
          <fpage>2973</fpage>
          -
          <lpage>3003</lpage>
          . doi:
          <volume>10</volume>
          .1007/s10270-019-00716-1.
        </mixed-citation>
      </ref>
      <ref id="ref18">
        <mixed-citation>
          [18]
          <string-name>
            <given-names>P.</given-names>
            <surname>Hens</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Snoeck</surname>
          </string-name>
          , G. Poels,
          <string-name>
            <surname>M. De Backer</surname>
            ,
            <given-names>A Petri</given-names>
          </string-name>
          <string-name>
            <surname>Net</surname>
          </string-name>
          <article-title>Formalization of a Publish-Subscribe Process System</article-title>
          ,
          <year>2011</year>
          . doi:
          <volume>10</volume>
          .2139/ssrn.1886198.
        </mixed-citation>
      </ref>
      <ref id="ref19">
        <mixed-citation>
          [19]
          <string-name>
            <given-names>C.</given-names>
            <surname>Szyperski</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Gruntz</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Murer</surname>
          </string-name>
          , Component Software:
          <article-title>Beyond Object-oriented Programming</article-title>
          ,
          <source>Pearson Education</source>
          ,
          <year>2002</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref20">
        <mixed-citation>
          [20]
          <string-name>
            <given-names>S.</given-names>
            <surname>Becker</surname>
          </string-name>
          ,
          <article-title>The palladio component model</article-title>
          ,
          <source>in: Proceedings of the First Joint WOSP/SIPEW International Conference on Performance Engineering - WOSP/SIPEW '10</source>
          , ACM Press, San Jose, California, USA,
          <year>2010</year>
          , p.
          <fpage>257</fpage>
          . doi:
          <volume>10</volume>
          .1145/1712605.1712651.
        </mixed-citation>
      </ref>
      <ref id="ref21">
        <mixed-citation>
          [21]
          <string-name>
            <given-names>L.</given-names>
            <surname>Lamport</surname>
          </string-name>
          ,
          <string-name>
            <given-names>N.</given-names>
            <surname>Lynch</surname>
          </string-name>
          , Chapter on Distributed Computing:,
          <source>Technical Report, Defense Technical Information Center</source>
          , Fort Belvoir,
          <string-name>
            <surname>VA</surname>
          </string-name>
          ,
          <year>1989</year>
          . doi:
          <volume>10</volume>
          .21236/ADA208996.
        </mixed-citation>
      </ref>
      <ref id="ref22">
        <mixed-citation>
          [22]
          <string-name>
            <surname>Schmerl</surname>
          </string-name>
          , Bradley, Aldrich, Jonathan, Garlan, David, Kazman, Rick, Yan, Hong,
          <article-title>DiscoTect: A System for Discovering the Architectures of Running Programs Using Colored Petri Nets</article-title>
          ,
          <source>Technical Report</source>
          , Carnegie-Mellon University Pittsburgh,
          <year>2006</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref23">
        <mixed-citation>
          [23]
          <string-name>
            <given-names>G.</given-names>
            <surname>Blair</surname>
          </string-name>
          ,
          <string-name>
            <given-names>N.</given-names>
            <surname>Bencomo</surname>
          </string-name>
          , R. B. France, Models@ run.time,
          <source>Computer</source>
          <volume>42</volume>
          (
          <year>2009</year>
          )
          <fpage>22</fpage>
          -
          <lpage>27</lpage>
          . doi:
          <volume>10</volume>
          .1109/
          <string-name>
            <surname>MC</surname>
          </string-name>
          .
          <year>2009</year>
          .
          <volume>326</volume>
          .
        </mixed-citation>
      </ref>
      <ref id="ref24">
        <mixed-citation>
          [24]
          <string-name>
            <given-names>T.</given-names>
            <surname>Basten</surname>
          </string-name>
          ,
          <article-title>Branching bisimilarity is an equivalence indeed!</article-title>
          ,
          <source>Information Processing Letters</source>
          <volume>58</volume>
          (
          <year>1996</year>
          )
          <fpage>141</fpage>
          -
          <lpage>147</lpage>
          . doi:
          <volume>10</volume>
          .1016/
          <fpage>0020</fpage>
          -
          <lpage>0190</lpage>
          (
          <issue>96</issue>
          )
          <fpage>00034</fpage>
          -
          <lpage>8</lpage>
          .
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>