Model Checking of BPMN Models for Reconfigurable Workflows

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Nowadays, business enterprises often need to dynamically reconfigure their internal processes in order to improve the efficiency of the business flow. However, modifications of the workflow usually lead to several problems in terms of deadlock freedom, completeness and security. A solid solution to these problems consists in the application of model checking techniques in order to verify if specific properties of the workflow are preserved by the change in configuration. Our goal in this work is to develop a formal verification procedure to deal with these problems. The first step consists in developing a formal definition of a BPMN model of a business workflow. Then, a given BPMN model is translated into a formal model specified in Promela. Finally, by using the SPIN model checker, the correctness of the reconfigured workflow is verified.


💡 Research Summary

The paper addresses the growing need for enterprises to dynamically reconfigure their internal business processes while preserving essential correctness properties such as deadlock‑freedom, completeness, and security. To this end, the authors propose a three‑stage formal verification framework that starts with a rigorous mathematical definition of BPMN (Business Process Model and Notation) models, proceeds to an automated translation of these models into Promela—the input language of the SPIN model checker—and culminates in the systematic verification of the reconfigured workflow using SPIN’s exhaustive state‑space exploration capabilities.

In the first stage, the authors decompose BPMN diagrams into their fundamental constructs: start, intermediate, and end events; tasks and sub‑processes; various gateway types (exclusive, inclusive, parallel, complex); sequence flows; and message flows. Each construct is mapped to a formal semantic element—states, transitions, or synchronization primitives—thereby providing a precise operational semantics for BPMN that goes beyond its usual graphical description. Special attention is given to complex gateways and exception handling, which are modeled using nondeterministic choice combined with concurrent execution to faithfully capture the intended control‑flow semantics.

The second stage introduces an automated transformation pipeline that converts the formally defined BPMN model into a Promela specification. Tasks become independent proctype blocks, while sequence flows are represented as channel communications. Parallel gateways are encoded as simultaneous channel activations, exclusive gateways as guarded if statements, and events (including timers) as conditional statements or timeout constructs. The translation deliberately preserves variable names and channel structures to facilitate later comparison between the original and reconfigured models. To mitigate the well‑known state‑explosion problem, the authors apply partial‑order reduction and data abstraction techniques during the generation of the Promela code.
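The mapping described above, written out by hand for a small constructed workflow (start, parallel split into two checks, parallel join, exclusive gateway, ship or reject, end). This is an added illustration, not code from the paper; the task names, channel names, the `approved` variable and the `completeness` property are assumptions.

```promela
/* Constructed workflow: start -> AND-split -> {CheckCredit, CheckStock}
   -> AND-join -> XOR(approved?) -> Ship | Reject -> end                 */
mtype = { tok };

/* One channel per sequence flow; a message is a control-flow token. */
chan toCredit   = [1] of { mtype };
chan toStock    = [1] of { mtype };
chan fromCredit = [1] of { mtype };
chan fromStock  = [1] of { mtype };
chan toShip     = [1] of { mtype };
chan toReject   = [1] of { mtype };
chan toEnd      = [1] of { mtype };

bool approved = false;   /* data read by the exclusive gateway */
bool done     = false;   /* set when the end event is reached  */

proctype CheckCredit() { /* task: outcome abstracted to a nondeterministic choice */
  toCredit?tok;
  if
  :: approved = true
  :: approved = false
  fi;
  fromCredit!tok
}

proctype CheckStock() { toStock?tok; fromStock!tok }

/* Only one of these tasks ever receives a token. The end label marks
   "never activated" as a valid end state, so SPIN does not report it
   as a deadlock.                                                      */
proctype Ship()   { end: toShip?tok;   toEnd!tok }
proctype Reject() { end: toReject?tok; toEnd!tok }

init {
  atomic { run CheckCredit(); run CheckStock(); run Ship(); run Reject() };
  toCredit!tok; toStock!tok;       /* parallel gateway, split: activate both flows */
  fromCredit?tok; fromStock?tok;   /* parallel gateway, join: wait for both tokens */
  if                               /* exclusive gateway: guarded if */
  :: approved  -> toShip!tok
  :: !approved -> toReject!tok
  fi;
  toEnd?tok;                       /* end event */
  done = true
}

/* Completeness: every run eventually reaches the end event. */
ltl completeness { <> done }
```

If a reconfiguration of this model replaced the parallel split with an exclusive choice between `toCredit!tok` and `toStock!tok`, the join would wait forever on the missing token, and SPIN would report an invalid end state.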

In the final verification stage, the SPIN model checker is employed to assess three categories of properties. Deadlock‑freedom is checked using SPIN’s built‑in detection mechanisms; safety properties (e.g., “no two concurrent tasks access the same critical resource”) are expressed as LTL (Linear Temporal Logic) formulas such as `

