Generalised soundness of workflow nets is decidable · Generalised soundness of workflow nets is decidable Citation for published version (APA): Voorhoeve, M., Hee, van, K. M., &

Generalised soundness of workflow nets is decidable

Citation for published version (APA):Voorhoeve, M., Hee, van, K. M., & Sidorova, N. (2003). Generalised soundness of workflow nets is decidable.(Computer science reports; Vol. 0315). Technische Universiteit Eindhoven.

Document status and date:Published: 01/01/2003

Document Version:Publisher’s PDF, also known as Version of Record (includes final page, issue and volume numbers)

Please check the document version of this publication:

• A submitted manuscript is the version of the article upon submission and before peer-review. There can beimportant differences between the submitted version and the official published version of record. Peopleinterested in the research are advised to contact the author for the final version of the publication, or visit theDOI to the publisher's website.• The final author version and the galley proof are versions of the publication after peer review.• The final published version features the final layout of the paper including the volume, issue and pagenumbers.Link to publication

General rightsCopyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright ownersand it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights.

• Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain • You may freely distribute the URL identifying the publication in the public portal.

If the publication is distributed under the terms of Article 25fa of the Dutch Copyright Act, indicated by the “Taverne” license above, pleasefollow below link for the End User Agreement:www.tue.nl/taverne

Take down policyIf you believe that this document breaches copyright please contact us at:[email protected] details and we will investigate your claim.

Download date: 17. Aug. 2020

Generalised Soundness of Work ow Nets

is Decidable

Kees van Hee, Natalia Sidorova, and Marc Voorhoeve

Department of Mathematics and Computer ScienceEindhoven University of Technology

P.O. Box 513, 5600 MB Eindhoven, The [email protected], [email protected], [email protected]

Abstract. We investigate the decidability of the problem of generalised soundness for Work ownets: \Every marking reachable from an initial marking with k tokens on the initial place terminatesproperly, i.e. it can reach a marking with k tokens on the �nal place, for an arbitrary natural numberk". We start with considering simple correctness criteria for Work ow nets and reduce them to thecheck of structural properties formulated in terms of traps and siphons, which can be easily checked.We call the nets that possess those properties Batch Work ow nets (BWF-nets). We show that everyWF-net is either not sound or it can be transformed to a BWF-net with the same behaviour. Thenwe use algebraic methods to prove that generalized soundness is decidable for BWF-nets and give adecision procedure.Keywords: Petri nets; work ows; veri�cation; soundness, decidability.

1 Introduction

Petri nets are widely used for the modelling and veri�cation of work ows. In [1], the classof Work ow (Petri) nets (WF-nets) was de�ned. A Petri net is a WF-net i� it satis�escertain structural properties, namely it possesses one source place (initial place) and onesink place (�nal place) and all other nodes lie on paths from the source to the sink place.The main correctness criterion introduced there was soundness. The requirements a soundwork ow net should meet are (1) the reachability of a marking with a single token on the�nal place from any marking reachable from the marking with one token on the initialplace, (2) the uniqueness of the marking containing a token on the �nal place, and (3) theabsence of dead transitions for the net with a single token on the initial place. Soundnessfor WF-nets is decidable, and the decision procedure has been implemented e.g. in theWOFLAN tool [8].

In [4] we showed that the notion of soundness from [1] is not compositional, and more-over, it does not allow for handling of multiple cases in the WF-net. We introduced therea generalized soundness notion that amounts to proper termination of all markings ob-tained from markings with multiple tokens on the initial place, which corresponds to theprocessing of batches of cases in the WF-net. With proper termination for marking mobtained from a marking with k tokens on the initial place, we mean that there exists a�ring sequence leading from m to the marking with k tokens on the �nal place. We provedthat generalised soundness is compositional. The original soundness notion from [1] corre-sponds to 1-soundness in our case. Deciding generalised soundness is harder than deciding1-soundness, since the straightforward approach involves an in�nite number of checks of

proper termination. We did not solve the problem of soundness in [4] but de�ned a classof nets (ST-nets) that are sound by construction. In this paper we prove that the prob-lem of (generalised) soundness is decidable for arbitrary WF-nets and describe a decisionprocedure for it.

We start with considering simple behavioural correctness criteria for WF-nets: non-redun-dancy and non-persistency. Non-redundancy means that every place can be marked andevery transition can �re, provided that the initial place contains enough tokens, while non-persistency means that all places (except for the �nal one) can become empty again, lestsome garbage would be left after the processing of the case is �nished. We show that theWF-nets meet non-redundancy and non-persistency requirements i� they satisfy a simplestructural characterisation: all proper siphons of these nets contain the initial place andall proper traps contain the �nal place. We call this class of WF-nets Batch Work ow nets(BWF-nets). We show that every WF-net is either not sound (in case it contains persistentplaces) or it can be transformed to a BWF-net with the same behaviour (by removingredundant places and transitions).

In the second half of the paper we consider the problem of (generalised) soundness forBWF-nets and prove that this problem is decidable. The decidability proof is based on twoideas. First, we extend the set R of markings reachable from the initial markings uptoa set G that has a `regular' algebraic structure and show that the notion of soundnesscan be equally de�ned by requiring proper termination of all markings of this extendedset G. And second, we use the regularity of the structure of this set to show that it isenough to check proper termination for the markings of a �nite subset � of G to prove theproper termination of all markings from G. Thus, the in�nite set of markings in the initialformulation of the problem of generalised soundness can be reduced to a �nite set due tothe clean algebraic model of Petri nets.

The rest of the paper is organised as follows. In Section 2, we sketch the basic de�nitionsrelated to Petri nets and Work ow nets. In Section 3 we introduce the notion of BatchWork ow Nets. In Section 4 we prove that the problem of generalised soundness is decid-able. In Section 5 we illustrate the decision procedure for soundness on a concrete example.We conclude in Section 6 with discussion of the obtained results and directions for futurework.

2 Preliminaries

N denotes the set of natural numbers, Z the set of integers and Q the set of rationalnumbers. Q+ stands for the set of non-negative rational numbers.

Let P be a set. A bag (multiset) m over P is a mapping m : P ! N . The set of all bags overP is NP . We use + and � for the sum and the di�erence of two bags and =; <;>;�;� forcomparisons of bags, which are de�ned in a standard way. We overload the set notation,writing ; for the empty bag and 2 for the element inclusion. We write m = 2[p] + [q ] fora bag m with m(p) = 2, m(q) = 1, and m(x ) = 0 for all x 62 fp; qg. For a sum over the

2

elements of a bag m we writeP

p2m f (p) (assuming that every p appears in the sum m(p)times) rather than

Pp2m m(p) � f (p).

For (�nite) sequences of elements over a set T we use the following notation: The emptysequence is denoted with �; a non-empty sequence can be given by listing its elementsbetween angle brackets. The Parikh vector �!� : T ! N of a sequence � maps everyelement t 2 T to the number of occurrences of t in �.

Transition Systems A transition system is a tuple E = hS ; Act;T i where S is a set ofstates, Act is a �nite set of action names and T � S � Act � S is a transition relation.A process is a pair hE ; s0i where E is a transition system and s0 2 S an initial state. Wedenote (s1; a; s2) from T as s1

a�! s2, and we say that a leads from s1 to s2. For a sequence

of transitions � = ht1; : : : ; tni we write s1��! s2 when s1 = s0

t1�! s1t2�! : : :

tn�! sn = s2,and s1

��! when s1

��! s2 for some s2. In this case we say that � is a trace of E . Finally,

s1��! s2 means that there exists a sequence of transitions � 2 T � such that s1

��! s2.

Petri nets A Petri net is a tuple N = hP ;T ;F+;F�i, where:

{ P and T are two disjoint non-empty �nite sets of places and transitions respectively,the set P [ T are the nodes of N ;

{ F+ and F� are mappings (P � T ) ! N that are ow functions from transitions toplaces and from places to transitions respectively.

F = F+ � F� is the incidence matrix of net N .

We present nets with the usual graphical notation.

Markings are states (con�gurations) of a net. Depending on the context, we interprete amarking m of N either as a bag over P (in Section 3) or as a vector from P ! N (inSections 4 and 5)). We denote the set of all markings reachable in net N from marking mas R(m). The set of markings from which marking m is reachable is denoted as S(m).

Given a transition t 2 T , the preset �t and the postset t� of t are the bags of placeswhere every p 2 P occurs in �t F�(p; t) times and in t� F+(p; t) times. Analogously wewrite �p; p� for pre- and postsets of places. We overload this notation further and applypreset and postset operations to a set B of places: �B = ft j 9 p 2 B : t 2 �pg andB� = ft j 9 p 2 B : t 2 p�g. Note that �B and B� are not bags but sets. We will say thatnode n is a source node i� �n = ; and n is a sink node i� n� = ;. A path of a net is asequence hx0; : : : ; xni of nodes such that 8 i : 1 � i � n : xi�1 2 �xi .

A transition t 2 T is enabled in marking m i� �t � m. An enabled transition t may �re.This results in a new marking m 0 de�ned by m 0 def

= m � �t + t�. We interpret a Petri netN as a transition system/process where markings play the role of states, �rings of theenabled transitions de�ne the transition relation and the initial marking corresponds tothe initial state. The notion of reachability for Petri nets is inherited from the transitionsystems. For a �ring sequence � in a net N , we de�ne �� and �� respectively as

Pt2�

�tand

Pt2� t

�, which are the sums of all tokens consumed/produced during the �rings of �.

So m��! (m + �� � ��). We will use the well-known Marking Equation Lemma:

3

Lemma 1 (Marking Equation). Given a �nite �ring sequence � of a net N : m��! m 0,

the following equation holds: m 0 = m+F+ ��!� �F� ��!� , or in other words, m 0 = m+F ��!� .

Note that the reverse is not true: not every marking m 0 that is representable as a summ + F � v for some v 2 NT is reachable from the marking m.

Traps and Siphons (see [2]) A set R of places is a trap if R� � �R. The trap is a propertrap i� it is not empty. A set R of places is a siphon if �R � R�. The siphon is a propersiphon i� it is not empty. Important properties of traps and siphons are that marked trapsremain marked and unmarked siphons remain unmarked whatever transition �rings wouldhappen. As follows from the de�nition, traps and siphons are dual by their nature.

Place Invariants (see [5]) A place invariant is a row vector I : P ! Q such that I �F = 0.When talking about invariants, we consider markings as vectors. We will say that markingsm1 and m2 agree on a place invariant I if I �m1 = I �m2 (see [3]).

Lemma 2. Two markings m1;m2 agree on all place invariants i� the equation m1+F �x =m2 has some rational-valued solution for x .

The main property of place invariants is thus that any two markings m1;m2 such thatm1

��! m2 agree on all place invariants. The check whether the two markings m1;m2 agree

on all place invariants can be done by a simple check whether I �m1 = I �m2, where I isa matrix that consists of basis place invariants as rows.

Work ow Petri nets In this paper we primarily focus upon the Work ow Petri nets(WF-nets) [1]. As the name suggests, WF-nets are used to model the ordering of tasks inwork ow processes. The initial and �nal nodes indicate respectively the initial and �nalstates of processed cases.

De�nition 3. A Petri net N is a Work ow net (WF-net) i�:

1. N has two special places: i and f . The initial place i is a source place, i.e. �i = ;, andthe �nal place f is a sink place, i.e. f � = ;.

2. For any node n 2 (P [T ) there exists a path from i to n and a path from n to f . (Wecall this property the path property of WF-nets.)

In this paper, we study the processing of batches of tasks in Work ow nets, meaningthat the initial place of a Work ow net may contain an arbitrary number of tokens. Ourgoal is to provide correctness criteria for the design of these nets. One natural correctnessrequirement is proper termination, which is called soundness in the WF-net theory. Wewill use the generalised notion of soundness for WF-nets introduced in [4]:

De�nition 4. We say that a WF-net N with marking m 2 R(k [i ]) terminates properly

i� m��! k [f ].

N is k -sound for some k 2 N i� for all m 2 R(k [i ]), (N ;m) terminates properly.N is sound i� it is k-sound for all k 2 N.

4

N1 N2

a i

c

b p

fd

s

a i

b p

fd

s

c

Fig. 1. Redundant and persistent places

We will use terms initial and �nal markings for markings k [i ] and k [f ] respectively (k 2 N).We will write 0 for the vector representation of marking ;, i for the vector representation ofmarking [i ] and f for the vector representation of [f ]. For every marking m reachable froman initial marking k [i ] holds: I �m = I � (k � i), and if net N with marking m terminatesproperly, then I �m = I � (k � f).

3 Batch Work ow Nets

We are interested in the correct and optimal design of WF-nets. Ideally, correctness re-quirements should be formulated as requirements on the structure of the net (thus, theycan be easily checked) and they should guarantee the correctness of the net behaviour.In this section, we consider behavioural criteria of the correct design and reduce them tostructural ones.

3.1 Structural Non-Redundancy for Work ow Nets

Besides soundness, a logical requirement for the correct design of aWF-net is non-redundan-cy, namely: every transition of the net can potentially �re and every place of the net canpotentially obtain tokens, provided that there are enough tokens in the initial place. WF-net N1 in Fig. 1 does not satisfy this requirement because transition d can never �re andplace s can never get tokens. So d and s are redundant. At the same time, it should bepossible for every place (except for f ) to become unmarked again|otherwise the net isguaranteed to be not sound, as e.g. net N2 in Fig. 1|place s can obtain tokens but it cannever become unmarked after that, i.e. this place is persistent. In formal terms:

De�nition 5. Let N = hP ;T ;F+;F�i be a WF-net.

A place p 2 P is non-redundant i� there exist k 2 N and m 2 NP such that k [i ]��!

m ^ p 2 m.A place p 2 P is non-persistent i� there exist k 2 N and m 2 NP such that p 2 m^m

��!

k [f ].

A transition t is non-redundant i� there exist k 2 N and m 2 NP such that k [i ]��! m

t�!.

The following lemma presents these desirable behavioural properties in more general terms:

5

Lemma 6. (1) A WF-net N has no redundant places i� every marking is majorated by amarking reachable from some initial marking k [i ], i.e.8m 2 NP 9 k 2 N ;m 0 2 R(k [i ]) : m 0 � m.(2) A WF-net N has no persistent places i� every marking is majorated by a marking fromwhich some �nal marking k [f ] is reachable, i.e.8m 2 NP : 9 k 2 N ;m 0 2 S(k [f ]) : m 0 � m.

Proof. (1) If every marking can be majorated by a marking reachable from some k [i ],then every marking [p], p 2 P can be majorated and p is non-redundant. In the opposite

direction: for every p there exist kp;mp, such that kp[i ]��! mp wheremp � [p]. Then we can

majorate a given marking m by a marking m 0 =P

p2m mp reachable from�P

p2m kp�[i ].

(2) can be proved similarly. ut

As an immediate consequence we obtain the following property:

Lemma 7. A WF-net N has no redundant places i� it has no redundant transitions.

Proof. Let N has no redundant places. Consider an arbitrary transition t 2 T . By applyingproperty (1) of Lemma 6 to �t we obtain that t can get enabled, and hence it is non-redundant.

Now assume that N has no redundant transitions. Consider an arbitrary place p 2 P n [i ].Since N is a WF-net, �p 6= ;, and since all transitions are non-redundant, transitions from�p can �re and so p can get marked. Thus p is non-redundant. ut

Non-redundancy and non-persistency are behavioural properties. They imply though thefollowing restrictions on the structure of the net: all proper siphons of the net shouldcontain i and all proper traps should contain f . If N contained a proper siphon withouti , the transitions consuming tokens from places of that siphon would be dead, no matterhow many tokens are inserted into i . Similarly, if N contained a trap without f , the netcould not terminate properly. It is not surprising that the absence of traps and siphons isa necessary condition for the correctness of the design. What is more interesting is thatthe absence of such siphons and traps is a suÆcient condition for the absence of redundantand persistent places respectively: if a net has a redundant place, there exists a propersiphon without i , and if a net has a persistent place, there exists a proper trap without f ,i.e. these behavioural and structural characteristics are equivalent for WF-nets:

Theorem 8. Let N = hP ;T ;F+;F�i be a WF-net. Then the following holds:(1) N has no redundant places i� P n fig contains no proper siphon.(2) N has no persistent places i� P n ff g contains no proper trap.

Proof. (1) Let X � P nfig be a proper siphon. Since an unmarked siphon stays unmarked,places from X are redundant.

In the opposite direction: Let X � P n fig be the set of all redundant places of N . Wewill prove that X is a siphon. Consider some t 62 X �; �t contains no places from X andhence all places from �t are non-redundant. Then for every place p in �t there exists a

6

input : A Petri net N = (P ;T ;F+;F�) and S � P ;output: X � S ;

X = S ;while there exists p 2 X and t 2 �p such that t 62 X � do X = X n fpg;return(X);

Fig. 2. Algorithm for �nding the maximal siphon in a set of places S

marking mp � [p] reachable from some kp [i ], kp 2 N . Taking a sum of corresponding initialmarkings we obtain an initial marking from which a marking m � �t can be reached. Thust can �re and all places from t� can obtain tokens, i.e. they are non-redundant. Therefore,t� \ X = ; and so t 62 �X . Hence (T n X �) � (T n �X ), and so X is a siphon. Thus everyWF-net with redundant places contains a proper siphon in P n fig.(2) can be proved analogously. ut

To check that P nfig contains no proper siphon it is enough to compute the largest siphonX in P n fig in a standard manner [7] (see Fig.2): initialize X with P n fig and removeplaces that belong to t� for some t such that t 62 X � until the �xed point is reached. Thelargest trap not containing f can be computed with a similar algorithm.

As a spin-o� of the check for absence of traps and siphons, we get a check of the pathproperty of a WF-net:

Lemma 9. Let N = hP ;T ;F+;F�i be a Petri net with a single source place i and asingle sink place f , and every transition of N has at least one input and one output place.Moreover, P n fig contains no proper siphon and P n ff g contains no trap. Then N is aWF-net.

Proof. Consider an arbitrary node n and the set X of all places such that for every placep 2 X there is a path from p to n. We will show that X is a proper siphon, which impliesthat i 2 X and so there exists a path from i to n.

The set X is nonempty: If n is a place then n 2 X (since there is a path from n to n),and if n is a transition then its input places are in X . X it is a proper siphon: For everytransition t , if t 2 �X then there is a path from t to n, and hence there is a path fromplaces from �t to n and so every input place of t is in X . Since �t 6= ;, we have t 2 X �.Thus, X is a proper siphon indeed.

Similarly, the set of places to which there is a path from n is a trap, and so there is a pathfrom n to f . Thus N is indeed a WF-net. ut

Thus we obtained a characterization that guarantees non-redundancy and non-persistencyfor WF-nets, and moreover it serves as a check of the path property.

7

3.2 Batch Work ow nets

Since we are interested in the class of WF-nets that have no redundant or persistent places,we introduce the notion of Batch Work ow nets by imposing requirements on the structureof the net:

De�nition 10. A Batch Work ow net (BWF-net) N is a Petri net that has the followingproperties:(1) N has a single source place i and a single sink place f ;(2) every transition of N has at least one input and one output place;(3) every siphon of N contains i ;(4) every trap of N contains f .

The purpose of imposing structural requirements in the BWF-net de�nition resembles thepurpose of one of the requirements on sound WF-nets from [1]. Sound WF-nets are de�nedthere as nets where(1) 8m 2 R([i ]) : m

��! [f ],

(2) 8m 2 R([i ]) : m � [f ]) m = [f ],

(3) 8 t 2 T : 9m;m 0 : [i ]��! m

t�! m 0.

Our de�nition of soundness is stronger than requirement (1) from the above de�nition: itcorresponds to 1-soundness in our de�nition. We do not use requirement (2) since it followsimmediately from (1) (we prove the implication in a generalized form that is applicable tonets with multiple tokens on i):

Lemma 11. Let N be a WF-net such that 8m 2 R(k [i ]) : m��! k [f ]. Then 8m 2

R(k [i ]) : m � k [f ]) m = k [f ].

Proof. Consider a marking m 2 R(k [i ]) such that m � k [f ], i.e. m = m 0 + k [f ] for some

m 0 � ;. Since m 2 R(k [i ]), m��! k [f ], i.e. m 0 + k [f ]

��! k [f ]. Since f � = ;, we have

m 0 ��! ;. However, every transition of a WF-net has at least one output place. Thus

m 0 = ; and so m = k [f ]. ut

We do not include requirement (3) in the de�nition of soundness. In fact we do not requireall the transitions to be live in (N ; [i ]), since we allow batches of tasks to be processedin the net. The de�nition of BWF-nets implies that the net has no redundant transitions,which corresponds to (3).

In the rest of the paper we focus on the problem of soundness for BWF-nets. Workingwith BWF-nets instead of WF-nets does not limit the applicability of our approach: Leta WF-net N be given. First, we �nd a maximal siphon X in P n fig. All places fromX are redundant (see Theorem 8). Thus, transitions from X � never get enabled and areredundant as well. Hence, by removing places fromX and transitions fromX � together withthe corresponding ingoing and outgoing arcs we obtain a net N1 with the same behavioras the one of net N , whatever initial marking k [i ] is chosen for these nets. N1 is eithernot a WF-net any more (the path condition gets violated, or the place f is removed) andso we can make the conclusion that N was ill-designed, or N1 is a WF-net with the same

8

behavior as the original net N but without redundant places. So N1 is an improved versionof N . Further, we check whether net N1 has persistent places. If yes, we may conclude thatN1 is not a sound WF-net. Otherwise, N1 is a BWF-net.

4 Soundness is decidable

In this section, we show that the problem of soundness is decidable for BWF-nets. Asindicated before, this implies decidability of (general) soundness for WF-nets. We �rstdiscuss the necessary theoretical issues and then move to the actual decision procedure.

4.1 Decidability of Soundness

Proper termination for a given marking can be easily checked by using standard reachabilityalgorithms. Deciding soundness is more intricate: A straightforward approach would requirean in�nite number of checks of proper termination (by checking proper termination forevery marking reachable from some arbitrary initial marking). We shall try and reduce thecheck of soundness to the check of proper termination for a �nite set of markings.

Consider the set of all markings reachable from some initial marking in a BWF-net N :R =

Sk2NR(k � i). Every R(k � i) is a subset of the set

Gk = fk � i+ F � v j v 2 ZTg \ NP

(see Lemma 1). Note that R(k � i) � Gk but in general Gk 6� R(k � i). For every marking mfrom G holds I �m = I � (k � i) (I is a matrix with basis invariants as rows). Clearly, if a

BWF-net is sound, then i��! f , and hence I � i = I � f (see Lemma 1 and Lemma 2). This

is the �rst soundness check we perform. Further on, we will assume that I � i = I � f holdsfor the net under consideration.

We now formulate the lemma that is fundamental for deciding soundness (in the proof weuse the fact that N is a BWF-net, and so it has no redundant places).

Lemma 12. Let N be a sound BWF-net and let m 2 Gk for some k 2 N. Then thereexists ` 2 N such that (k + `) � i

��! m + ` � f .

Proof. Let m be a marking from Gk , i.e. m = k � i + F � v for some v 2 ZT . Then thereexist v1; v2 2 NT such that v = v1 � v2. Note that F = F+ � F�. So

m = k � i+ F+ � v1 + F� � v2 � F� � v1 � F+ � v2:

By Lemma 6, we can majorate markings F+ �v1, F� �v2: There exist a; b 2 N and markingsA;B such that a � i

��! A + F+ � v1 and b � i

��! B + F� � v2. Then (k + a + b) � i

��!

k � i+ A+ F+ � v1 + B + F� � v2 = m + A+ F� � v1 + B + F+ � v2.

Let 2 be an arbitrary �ring sequence with�! 2 = v2. Then b �i

��! B+F��v2

2�! B+F+�v2,

and since N is sound, B + F+ � v2��! b � f . Now consider a marking A + F� � v1. For an

9

arbitrary �ring sequence 1 with�! 1 = v1, A+ F� � v1

1�! A+ F+ � v1. Moreover, we havea � i

��! A+ F+ � v1, and since N is sound, A+ F� � v1

��! A+ F+ � v1

��! a � f . Thus we

obtain m + A + F� � v1 + B + F+ � v2��! m + (a + b) � f . So with ` = a + b the lemma

holds. ut

This immediately leads us to the conclusion that every marking from Gk should enablesome �ring sequence leading to k � f , lest the soundness condition gets violated.

Lemma 13. Let N be a sound BWF-net and m 2 Gk . Then m��! k � f .

Proof. By Lemma 12, there exists ` 2 N such that (k + `) � i��! m + ` � f . Since N is

sound, m + ` � f��! (k + `) � f . Since f is a sink place, we deduce m

��! k � f . ut

One more conclusion we can draw now is the following:

Corollary 14. Let N be a sound BWF-net. Then I � x = 0 for x 2 (Q+)P i� x = 0.1

Proof. Let I � x = 0 for some x > 0. Then we can �nd ` 2 N such that y = ` � x is inNP . Note that I � y = 0 as well. So y agrees with marking 0 on all place invariants. ByLemma 2, y = F � v for some v 2 QT . Then there exists n > 0 such that w = n � v 2 ZT

and thus z = n � y = F � w is also the solution for the equation I � x = 0. Note that z isa non-empty marking from G0. By Lemma 13, we have z

��! 0. This is in contradiction

with the fact that for any transition of N , t� 6= ;. ut

Thus, the second soundness check we perform is the check whether the equation I � x = 0has only the trivial solution on NP . If so, we can conclude that Gk 's are disjoint sets:

Corollary 15. Let N be a BWF-net such that the equation I � x = 0 has only the trivialsolution in NP . Then Gk \ G` 6= f0g implies k = `.

Proof. Since m 2 Gk implies I � m = I � (k � i) and m 2 G` implies I � m = I � (` � i),m 2 (Gk \ G`) implies I � (k � i) = I � (` � i). By Corollary 14, k = `. ut

Further on, we assume that I � x = 0 has only the trivial solution on NP and thus Gk 's aredisjoint sets. We de�ne the i -weight function w(m) of a marking m as a natural numberk such that I � m = I � (k � i) (w(m) is unde�ned if such a value k does not exist). Allmarkings in Gk have i -weight k .

Now we introduce the set G =S

k2N Gk , i.e.

G = fk � i+ F � v j k 2 N ^ v 2 ZTg \ NP ;

and extend the notion of proper termination for all markings from G: We say that a markingm 2 G terminates properly i� m

��! w(m) � f .

Lemma 16. Let m1;m2 2 G be markings that terminate properly and m = �1m1 + �

2m2

for some �1; �

22 N. Then m 2 G and it terminates properly.

1 We overload the notation and use 0 for a zero-vector of an arbitrary dimension.

10

Proof. By the de�nition of Gk , (�1m1 + �2m2) 2 G�1 k1+�2 k2 and I � (�

1m1 + �

2m2) =

I �((�1k1+�

2k2) � i). Thus w(�1m1+�

2m2) = �

1w(m1)+�

2w(m2). Since m1

��! w(m1) �f

and m2

��! w(m2) � f , we have �1m1 + �

2m2

��! (�

1w(m1) + �

2w(m2)) � f . ut

We now formulate a necessary and suÆcient condition for soundness.

Theorem 17. Let N be a BWF-net. Then N is sound i� all markings in G terminateproperly.

Proof. ()): Suppose N is sound. Consider arbitrary k 2 N ;m 2 Gk . By Lemma 13,

m��! k � f .

((): Suppose 8 k 2 N ;m 2 Gk : m��! k � f . Let k � i

��! m for some k ;m. Then m 2 Gk

and therefore m��! k � f . Hence N is sound. ut

We thus obtained a characterization of soundness involving the set G rather than reachablemarkings. We shall use the regularity of the structure of G to reduce the problem of propertermination of markings of G to the problem of proper termination of some �nite subset �of G.

In order to construct � , we extend the set G even further by making a step from integersto rational numbers and considering the set

H = fa � i+ F � v j a 2 Q+ ^ v 2 QT g \ (Q+)P :

(We refer to the appendix for the de�nitions of algebraic notions that we use in the rest ofthis section.)

Lemma 18. The set H is a convex polyhedral cone. Moreover, there exists a �nite sete1; : : : ; en of generators such that e1; : : : ; en 2 G.

Proof. H is a convex polyhedral cone. By Theorem 26, we can �nd generators E1; : : : ;En

of H. Each Ei is a linear combination of i and the column vectors of F with rationalcoeÆcients. The lcm of the denominators divided by the gcd of the numerators gives fora given Ei the smallest rational number i such that iEi can be written as ki � i + F � viwith ki 2 N ; vi 2 ZT . Set ei = iEi for i = 1; : : : ; n. Then the e1; : : : ; en are generators ofH and e1; : : : ; en 2 G. ut

We de�ne our �nite set � as

� = fXi

�i � ei j 0 � �i � 1g \ G

and show that the proper termination of any marking from G can be reduced to the propertermination of markings from � . Note that e1; : : : ; en are in � .

Theorem 19. Let N be a BWF-net such that I � i = I � f and I � x = 0 has only thetrivial solution in (Q+)P . Further, let G = fk � i + F � v j k 2 N ^ v 2 ZTg \ NP ,H = fa � i + F � v j a 2 Q+ ^ v 2 QT g \ (Q+)P , e1; : : : ; en 2 G be the generators of thecone H and � = f

Pi �i � ei j 0 � �i � 1g \ G. Then N is sound i� all markings from �

terminate properly.

11

Proof. ()): Let N be a sound WF-net. By Theorem 17 all markings of G terminate prop-erly. Since � � G, all markings of � terminate properly.

((): Let all markings from � terminate properly. Consider an arbitrary marking m 2 G.Since m 2 G, m = n � i + F � w for some n 2 N ;w 2 ZT . Since G � H and so m 2 H,m =

Pi �i �ei with the �i 2 Q+ . We can represent m as

Pi `i �ei+

Pi �i �ei where `i = b�ic

(the integer part of �i) and �j = �j �b�j c (the fractional part of �i), i.e. 0 � �i < 1. Wewill prove that m 0 = m �

Pi `i � ei =

Pi �i �ei is a marking from G. First note that

m 2 NP ; ei 2 NP ; `i 2 N for all i . Thus m 0 2 ZP. Moreover, �i � 0, which implies thatm 0 � 0. Thus m 0 2 NP . Since ei 2 G, they can be represented as ki � i + F � vi whereki 2 N ; vi 2 ZT . Since m 0 = m�

Pi `i � ei , we have m

0 = k � i+F � v with k = n�P

i ki � `iand v = w �

Pi `i � vi . Therefore, we can conclude that k 2 Z and v 2 ZT . Now we only

have to show that k 2 N.

Note that since columns of F are not necessarily linearly independent, the representationof m 0 as k � i + F � v is not necessarily unique. However, k has the same value in everysuch a representation: Let a = I �m 0 and k � i+ F � v is some representation of m 0. ThenI �m 0 = I � (k � i) + I � (F � v). By the de�nition of place invariants, I � (F � v) = 0. Thusa = I � (k � i). Due to Corollary 14, k is uniquely de�ned. Since k =

Pi �i �ki , k � 0 and

so k 2 N . Therefore m 0 2 G. Since 0 � �i < 1, m 0 2 � .

Since e1; : : : ; en and m 0 are markings from � and thus terminate properly, m terminatesproperly as well (Lemma 16). Thus, all markings in G terminate properly and, due toTheorem 17, N is sound. ut

Thus we have reduced the problem of soundness to the problem of proper termination ofa �nite number of markings and hereby proved its decidability.

4.2 Decision Procedure

In this subsection, we describe the decision procedure for soundness in a systematic way.We do not claim algorithm status: we focused on clarity rather than eÆciency here.

We start with trivial checks that can lead to the negative answer. First we �nd a set ofbasis place invariants and check that I �i = I �f . If not, the net is not sound. Then we checkthat the only solution of the equation I � x = 0 on (Q+)P is the trivial solution x = 0;otherwise the net is not sound (see Corollary 14). This second condition also guaranteesthe boundedness of the net:

Lemma 20. Let N be a BWF-net such that the only solution of I � x in (Q+)P is x = 0.Then R(k � i) and S(k � f) are �nite sets for any k 2 N.

Proof. Assume some R(k � i) is an in�nite set. Then there exist m1;m2 2 R(k � i) such thatm1 < m2 and I �m1 = I �m2 = I � (k � i). Then I � (m2 �m1) = 0 and thus m2 �m1 = 0.This is a contradiction with m1 < m2. Thus R(k � i) is �nite. Analogously, we prove thatS(k � f) is a �nite set. ut

At the next step, we compute generators E1; : : : ;En of H and rescale them to obtaingenerators e1; : : : ; en 2 G of H. Now our goal is to enumerate the markings of � .

12

The generators of the cone H are not necessarily linearly independent (e.g. the set ofgenerators can include vectors e; f ; g and f + g � e). This implies that the representationof elements of the cone as nonnegative linear combinations of the cone generators are notnecessarily unique. However, by Carath�eodory's theorem (Theorem 27 in Appendix A),we can represent H as H =

Sj Hj , where Hj 's are cones generated by vectors from some

maximal subset Ej � fe1; : : : ; eng of linearly independent vectors. We de�ne Gj � G asGj = (G \ Hj ) and �j � � as

�j = fXei2Ej

�i ei j 0 < �i � 1g \ Gj :

Note that G =S

j Gj but in general � 6=S

j �j though � �S

j �j . Still, the propertermination of markings from

Sj �j guarantees the proper termination of markings in G.

We do not give a complete proof but sketch the main idea. Every x 2 G is also an elementof H and so an element of some Hj . Thus it can be represented as

Pei2Ej

�i �ei . Now we

can use the same construction with the integer and the fractional part of �i as in the proofof Theorem 19 to prove that x is a nonnegative integer linear combination of markingsthat terminate properly, x terminates properly as well.

Now we will construct an algorithm for the enumeration of the elements of �j . Since vectorsin Ej are linearly independent, any x 2 Gj has a unique representation as a nonnegativelinear combination of vectors from Ej . Note that the dimension m of any set Ei equals thedimension of the vector space f� �i+ F � v j � 2 Q ^ v 2 QT g, thus all vectors from thisvector space have unique representations as

Pei2Ei

�i �ei where �i 2 Q . Now consider the

set U � Gj de�ned as U = fk � i + F � v j k 2 N ^ v 2 ZTg (note that we do not requireelements of U to be nonnegative vectors). Every element of U has a unique representationas a linear combination of vectors from Ej . We de�ne the translation functions �j : U ! �j

as follows:

�j� X

ei2Ej

�i �ei�=Xei2Ej

�i �ei where �i = �i �b�ic (the fractional part of �i):

We will use a simple property of the translation function:

Lemma 21. For any markings x ; y 2 Hi , �j (x + y) = �j (x + �j (y)).

Lemma 22. �j = f�j (x ) j x 2 Ug.

Proof. �j � Gj � U and for any x 2 �j , �j (x ) = x (by the de�nition of �), so �j � f�j (x ) jx 2 Ug.

For every x 2 Gj , �j (x ) 2 �j (cf. the proof of Theorem 19).

For any x 2 (U n Gj ), there exist representations of x as k � i+ F � v where k 2 N ; v 2 ZT

and asP

i �i ei with ei 2 Ei and �i 2 Q . We choose y 2 Gj , y = ` � i + F � w =P

i �ieiwith ` 2 N ;w 2 ZT ; � 2 N ; ei 2 Ei , such that k + ` � 0 and �i + �i � 0 for all i . Nowconsider the marking z = x + y . By the choice of y , z � 0 and z = (k + `) � i+F � (v +w)

13

input : a BWF-net N , a set of linearly independent vectors Ei , translation function �j ;output : the set X of markings;

X = f0g;repeatX = X [ f�j (x + i) j x 2 X g [ f�j (x � Ft ) j x 2 X ^ t 2 Tg

until the �xed point is reached;return(X );

Fig. 3. Algorithm for enumeration of �

with (k + l) 2 N and (v + w) 2 ZT , i.e. z 2 G. Moreover, z =P

i(�i + �i) � ei , i.e.it is a nonnegative linear combination of vectors from Ei and thus z 2 Gj . Note that�j (y) = 0, which means �j (z ) = �j (x ). Since z 2 Gj , �j (z ) 2 �j and so �j (x ) 2 �j . Thus�j � f�j (x ) j x 2 Ug. ut

Fig. 3 gives the algorithm that enumerates the elements of �j . Ft stands there for thecolumn of F that corresponds to transition t , i.e. that is a vector corresponding to t�� �t .

Theorem 23. The algorithm in Fig. 3 terminates and its output equals �j .

Proof. First we prove by induction on the iteration step number that X � �j at everyiteration step. Let X` be the value of X at iteration l . X0 = f0g and by the de�nition of�j , 0 2 �j . Now let X` � �j at some step. Consider some x 2 X` (and hence x 2 �j andx 2 U). The elements added to X at iteration (`+ 1) are (x + i) and (x � Ft), t 2 T . Bythe de�nition of U , (x + i) 2 U and thus �j (x + i) 2 �j by the de�nition of �j . Now considera marking (x � Ft), t 2 T . By the de�nition of U , (x � Ft) 2 U and so �j (x � Ft) 2 �j .Thus, X � �j at every iteration step. Since X grows monotonously and �j is bounded, thealgorithm terminates and it returns a subset X of �j .

Now we will prove that �j � X . Any marking x 2 �j is a marking from U and hence itcan be represented as m = k � i + F � v for some k 2 N and v 2 ZT with componentsv1; : : : ; vn 2 Z. We de�ne kxk = k +

Pj jvj j. Then for any x such that kxk � l , �j (x ) 2 Xl .

We prove it by induction on l . For l = 0 it holds trivially. Let it hold for some l . Considerx = k � i + F � v such that kxk = l + 1. If k > 0, x = i + ((k � 1) � i + F � v). Note thatfor y = (k � 1) � i+ F � v , kyk = l and thus �j (y) 2 Xl . By Lemma 21, �j (x ) = �j (i+ y) =�j (i + �j (y)). Since �j (y) 2 Xl , �j (i + �j (y)) is in Xl+1 by the de�nition of the algorithm,and thus �j (x ) 2 Xl+1.

If k = 0 then v 6= 0, i.e. vj 6= 0 for some j . We represent x as Ftj + (k � i+F � v 0) where allcomponents of v 0 equal the corresponding components of v , except for v 0j :

��v 0j�� = jvj j � 1

and vj � v 0j � 0. Then we use a similar induction scheme to prove the statement.

Thus at iteration l = maxx2�jkxk, Xl contains all elements of �j . ut

When we found all markings of �j 's, we check proper termination for every marking.To check whether a marking m terminates properly, it is enough to check whether m 2S(w(m) � f). Since S(w(m) � f) is a �nite set (see Lemma 20), we can construct it by a

14

3

38

2

28

t wu v

i f

b

a

Fig. 4. Example net N

backward reachability analysis, starting with X = fw(m)�fg and consequently augmentingthis set by adding markings fx � Ft j x 2 X ^ t 2 T ^ (x � Ft) � 0g.

5 Example

We illustrate the decision procedure for soundness with an example. Consider net N de-picted in Figure 4. (The net has weighted arcs as indicated.) We have P = fi ; a; b; f g;T =ft ; u; v ;wg and the incidence matrix

F =

0BB@�1 0 0 03�2 8�11 2�8 �30 0 0 1

1CCA :

First, we �nd the place invariants of the net. Solutions of the equation I �F = 0 are vectorsI = k � (4; 1; 1; 4), k 2 Q . Thus the matrix of basis invariants I is (4; 1; 1; 4). Now we checkthat I � i = I � f indeed (the �rst and the last columns of I coincide).

The cone H for this example is the set (Q+)P , i.e. H is the cone generated by vectorsi; a;b; f corresponding to markings [i ]; [a]; [b]; [f ]. These are vectors from H, so they arerepresentable as a � i + F � v for some a 2 Q+ ; v 2 QT . By solving linear equations, weobtain the following representations of a and b.

a =1

4� i+ F �

0BB@1=41=800

1CCA and b =

1

4� i+ F �

0BB@1=45=800

1CCA .

To �nd generators from G we need to rescale these vectors. Thus, we obtain e1 = i; e2 =8 � a; e3 = 8 � b; e4 = f . So we have de�ned our set � and we can �nd all the points insideit. In Figure 5, the points of � are depicted, projected on the (a; b)-plane. We have alsodepicted the transitions between them, from which it can be inferred that all grid pointsterminate. The net N is thus sound.

If the transition v were removed from N , the resulting net would not be sound, since thegrid point e3 no longer terminates. The net then is 1-sound but not 2-sound.

15

a

b

e2u

u

u

t

w

t

t

wt

v

u

u

e3

t

t

w

u

w

w

w

Fig. 5. Grid within � of net N

6 Conclusion

We have introduced a subclass of Work ow nets: Batch Work ow nets (BWF-nets) thathave a simple structural characterisation based on traps and siphons. Batch Work ow netsare Work ow nets without redundant places and transitions and without persistent places.We have shown that Work ow nets with redundant places/transitions or with persistentplaces are ill-designed. Therefore, we moved from the study of Work ow nets to the studyof Batch Work ow nets.

Since we are interested in the processing of batches of tasks in the net, we investigated thegeneralised notion of soundness introduced in [4] for Batch Work ow nets. We have provedthat the generalised soundness is decidable and have described the decision procedure.

The decidability of soundness implies trivially the decidability of weak separability [4]. Itremains still unclear whether strong separability is decidable.

Future work For the soundness decision procedure, we focused on the clarity rather thaneÆciency. It is still to be investigated how to solve the problem of soundness in an eÆcientmanner and what complexity this algorithm would have. Besides, soundness preservingPetri net reduction techniques can be employed prior to the use of the soundness decisionprocedure to speed up the check.

Acknowledgements We want to thank our colleague Aart Blokhuis for useful discussionson algebraic issues.

References

1. W. van der Aalst. Veri�cation of work ow nets. In P. Az�ema and G. Balbo, editors, Application and Theory of

Petri Nets 1997, ICATPN'1997, volume 1248 of Lecture Notes in Computer Science. Springer-Verlag, 1997.

16

2. F. Commoner. Deadlocks in Petri Nets. Applied Data Research, Inc., Wake�eld, Massachusetts, Report CA-7206-2311, 1972.

3. J. Desel and J. Esparza. Free Choice Petri nets., volume 40 of Cambridge Tracts in Theoretical Computer

Science. Cambridge University Press, 1995.

4. K. van Hee, N. Sidorova, and M. Voorhoeve. Soundness and separability of work ow nets in the stepwisere�nement approach. In W. van der Aalst and E. Best, editors, Application and Theory of Petri Nets 2003,

ICATPN'2003, volume 2679 of Lecture Notes in Computer Science. Springer-Verlag, 2003.

5. K. Lautenbach. Liveness in Petri Nets. Internal Report of the Gesellschaft f�ur Mathematik und Datenverar-beitung, Bonn, Germany, ISF/75-02-1, 1975.

6. A. Schrijver. Theory of Linear and Integer Programming. Wiley-Interscience series in discrete mathematics.John Wiley & Sons, 1986.

7. P. Starke. Analyse von Petri-Netz-Modellen. Teubner, 1990.

8. H. Verbeek, T. Basten, and W. van der Aalst. Diagnosing work ow processes using wo an. The Computer

Journal, 44(4):246{279, 2001.

A Appendix

Here we give the mathematical de�nitions and results we need (see e.g. [6] for more detail).

Let En stand for an n-dimensional vector space over some number �eld (in our case therational numbers). Let u be a vector. We write u(x ) for the value of the vector componentcorresponding to coordinate x .

A convex combination of the vectors u1; u2; : : : ; un from En is a vector u = �1 � u1 + �2 �u2 + : : :+ �n � un where the �i are nonnegative scalars such that

Pi �i = 1. A subset S of

En is convex i� for all pairs of vectors u1; u2 any convex combination of them is also in S .

Lemma 24. The intersection of two convex sets is convex.

A set of vectors C is called a cone if, for every vector u 2 C , � u 2 C for every nonnegative�. A convex cone C is polyhedral if C = fx j A � x � 0g for some matrix A, i.e. C is theintersection of �nitely many linear half-spaces.

Lemma 25. Let X ;Y be convex polyhedral cones. Then Z = X \Y is a convex polyhedralcone as well.

Proof. Since X ;Y are convex polyhedral cones, X = fx j A�x � 0g and Y = fy j B �y � 0gfor some matrix A;B . Then X \ Y is de�ned as fz j C � z � 0g where C is the matrixcomposed of matrices A and B , namely a matrix whose rows are the ones of A and B .Thus X \ Y is a convex polyhedral cone. ut

A cone C is �nitely generated if there exist vectors x1; : : : ; xn such that C = fP

i �i �xi j�i � 0g. These vectors are called generators of C .

Theorem 26 (Farkas-Minkowski-Weyl). A convex cone is polyhedral i� it is �nitelygenerated.

A set of generators of a convex polyhedral cone can be obtained by solving linear equationsde�ning the cone.

17

Theorem 27 (Carath�eodory's theorem). Let C be a cone generated by vectors of the(�nite) set X . Then for any vector x 2 C there exists a set Y � X of linearly independentvectors such that x is a vector of the cone generated by the vectors of Y .

Lemma 28. The set H = fa � i+F �v j a 2 Q+ ^ v 2 QT g\ (Q+)P is a convex polyhedralcone.

Proof. The set fa � i+F �v j a 2 Q+ ^ v 2 QT g is clearly a convex cone and it is generatedby i and the column vectors of F and �F so it is polyhedral. The intersection of this conewith the cone (Q+)P is polyhedral too. ut

18