behaviour equivalence and compatibility of business process … · 2017-07-31 · business process...

Behaviour Equivalence andCompatibility of Business Process

Models with ComplexCorrespondences

Matthias Weidlich1, Remco Dijkman2 and Mathias Weske3

1Technion – Israel Institute of Technology, Technion City, Haifa 32000, Israel2Eindhoven University of Technology

Den Dolech 2, 5612 AZ Eindhoven, The Netherlands3Hasso Plattner Institute, University of Potsdam

Prof.-Dr.-Helmert-Str. 2-3, D-14482 Potsdam, Germany

Email: [email protected], [email protected], [email protected]

Once multiple models of a business process are created for different purposes or tocapture different variants, verification of behaviour equivalence or compatibilityis needed. Equivalence verification ensures that two business process modelsspecify the same behaviour. Since different process models are likely to differwith respect to their assumed level of abstraction and the actions that they takeinto account, equivalence notions have to cope with correspondences betweensets of actions and actions that exist in one process but not in the other. Inthis paper, we present notions of equivalence and compatibility that can handlethese problems. In essence, we present a notion of equivalence that works oncorrespondences between sets of actions rather than single actions. We thenintegrate our equivalence notion with work on behaviour inheritance that copeswith actions that exist in one process but not in the other, leading to notions ofbehaviour compatibility. Compatibility notions verify that two models have thesame behaviour with respect to the actions that they have in common. As such,our contribution is a collection of behaviour equivalence and compatibility notions

that are applicable in more general settings than existing ones.

Keywords: Behaviour Equivalence, Behaviour Compatibility, Model Verification, BehaviouralModels

Received 00 January 2009; revised 00 Month 2009

1. INTRODUCTION

Business process management aims at supportingthe operations of large organisations using explicitrepresentations of business processes, i.e., processmodels [1]. Those models define activities, or actions,the essential steps that need to be conducted, alongwith constraints on their logical order of execution. Asevery conceptual model, a process model provides anabstraction that is created for a purpose. The purposeof process modelling determines to which extent theoperations shall be captured and how they are abstractedto the model. Different modelling purposes, therefore,may lead to different process models that capture thesame business operations. Also, process models areclosely related if they do not capture different views ona common business process, but slight variations of abusiness process. In both cases, the process models may

differ with respect to the considered set of activities andtheir logical ordering; a different granularity of activitiesmay be used and activities present in one model may beabsent or differently ordered in another model.

Behavioural equivalence or compatibility analysisof process models reveals whether different modelsspecify the same behaviour. Behaviour compatibilityis a weak form of behaviour equivalence. To becompatible, two behaviours only have to be equivalentwith respect to the activities that they have incommon. There are many drivers for equivalenceand compatibility analysis. First and foremost,process models are means for communication. Assuch, the need to have representations of businessoperations that are equivalent or at least compatible isinherent; a shared understanding of operations cannot beachieved if different process models specify contradictory

The Computer Journal, Vol. ??, No. ??, ????

2 M. Weidlich, R. Dijkman, M. Weske

behaviour. Further, the validation of a requirementsspecification with an according workflow implementation,both captured by process models, requires means forcompatibility analysis. Since business processes areundergoing changes frequently, process models tend todrift apart. Techniques to realise change managementamong process models, therefore, also rely on equivalenceor compatibility criteria.

As a preliminary step, equivalence and compatibilityanalysis of process models requires that correspondencesbetween activities are identified, i.e., between activitiesthat are considered to be equivalent. Since theinvestigated process models serve different modellingpurposes or capture different variations of a businessprocess, it is likely that complex correspondences areidentified in this step. In contrast to elementary 1:1correspondences, complex correspondences relate sets ofactivities to each other. They stem from differences inthe assumed abstraction level.

In this paper, we focus on the challenge imposed bysuch complex correspondences, when doing equivalenceor compatibility analysis. The presence of complexcorrespondences precludes the direct application ofbehaviour equivalences as defined in the lineartime – branching time spectrum [2, 3], because theseequivalence notions are defined for elementary (i.e., 1:1)correspondences only. In this paper, we present notionsthat lift these equivalences to complex correspondences.These notions are independent of the chosen equivalencecriterion. For illustration, we utilise two concreteequivalences as examples: concrete trace equivalenceand branching bisimulation. In essence, we assumecomplex correspondences to induce a relation betweenregions of activities between two process models. Theapproach relies on the aggregated behaviour for theseregions and abstracts from their internal behaviour. Thisallows for assessing whether the start and end of regionsin one model coincide with the start and end of thecorresponding regions in another model. In our previouswork, we followed a similar approach using a partitioningof traces [4]. Despite a similar underlying idea of howto treat complex correspondences, however, the notionspresented in this paper take a different approach byleveraging the notions of a start and an end of a region.As such, they allow for taking the branching structureinto account, which our previous work did not.

After lifting the notion of behaviour equivalence tocomplex correspondences, we also integrate existing workon behaviour inheritance [5, 6]. Notions of behaviourinheritance provide a means to cope with activities in onemodel that are without counterpart in another model.We combine these notions with the aforementionednotions of equivalence to arrive at compatibility notionsthat are applicable in a more general setting than theexisting ones.

The remainder of this paper is structured as follows.Section 2 discusses the background of our work. Weillustrate the challenges of equivalence and compatibility

(A1) (A2) (C)

(B)

(D)

(A3)

(A4) (A5)(B3)

(B1)

(C1)

(C2)

(D1)

(D2)

A3 B1

C1

B1

D1

C1

A4

B3 A5 C2 D2

c1 c2 c3 c4

N1

N2

P1

P2

(X)

(B2)

X

X

B2

B2

C1(Y)

(Z)

Y

Y

Z

Z

C1

A1 A2 C

B

A2 C D

B B

(A1) (A2) (C)

(B)

(D)

(A3)

(A5) (A6)

(B1)

(C1)

(C2)

(D1)

(D2)

A3 A4

D1

C1

A5

B2 A6 C2 D2

c1 c2 c3 c4

N1

N2

P1

P2

(X)

X

X

B1

B1

C1

(Y) (Z)

YZ

Z

C1

A1 A2 C

B

A2 C D

B B

(A4)

(B2)

FIGURE 1: Net systems that are aligned bycorrespondences.

analysis with an example and review the essentials ofbehaviour inheritance. Section 3 defines the formalframework used throughout this paper. In Section 4, weshow how the behaviour of a single region of a processmodel is aggregated. Following this line, Section 5 liftsthe idea of behaviour aggregation from single regions tomultiple regions. Section 6 shows how the aggregatedbehaviour of regions is used to judge on equivalenceor compatibility of aligned process models. Section 7shows how the compatibility notions can be applied toan example from practice. A review of related work andconcluding remarks complete this paper.

2. BACKGROUND

To illustrate the problem addressed by this paper, thissection first introduces an example. Then, we elaborateon related work on behaviour inheritance. It copes withparticular aspects of compatibility of process modelsthat are aligned by correspondences.

2.1. An Example

Process models capture the behaviour of a businessprocess by defining a set of activities, or actions, anda logical order between them [1]. Figure 1 depicts twoprocess models as Petri net systems, see [7]. Here,activities are represented by net transitions. The statesand state transitions of the net system define thebehavioural dependencies for the execution of activities.

The two net systems depicted in Figure 1 are assumedto be closely related in terms of their semantics. Theymay describe the same business process or very similarvariations of a common business process. The semanticcloseness of the models is manifested in correspondencesbetween the activities, i.e., the transitions of the Petrinet systems. Those correspondences relate activities(or groups thereof) to each other that are considered tobe equivalent. We discuss techniques for identifyingsuch correspondences when reviewing related work.Correspondences may be elementary or complex. The


Behaviour Equivalence and Compatibility of Business Process Models 3

former relate pairs of single activities to each other.Complex correspondences are defined between groupsof activities. Here, 1:n correspondences stem fromactivities in one model that are refined or collapsedin the other model. Further, n:m correspondencesrepresent a relation between sets of activities, for whichthere are no correspondences between one of theiractivity subsets. Such a correspondence may stemfrom a different modularisation of the functionalitycaptured by the activities. In Figure 1, there arefour correspondences, all of them are complex. Forinstance, correspondence c1 encodes that the transitionsA1, A2 in net system N1 correspond to the transitionsA3, A4, A5, A6 in net system N2.

Note that correspondences are defined on themodel structure. The behavioural semantics of thecorrespondences, therefore, are not defined explicitly,but are induced by the correspondences. Consideragain correspondence c1 of the example. Thecorrespondence defines that the transition sets A1, A2and A3, A4, A5, A6 jointly refer to the same units ofwork of the business process. The concrete behaviouralrelation between both sets, i.e., the behaviouralsemantics of the correspondence c1, thus follows fromthe behaviour described by the net systems. Thebehavioural semantics in this case is that an occurrenceof transition A1 that is followed by one more occurrencesof transition A2 in net system N1 is considered to beequivalent to the potential occurrence of transition A3followed by an occurrence of transition A4, or theoccurrence of both transitions, A5 and A6, in netsystem N2.

Given a set of correspondences between processmodels, we are interested in knowing whether the modelsare compatible in terms of the behavioural semantics oftheir correspondences. According to Zelewski, behaviourcompatibility, or behaviour consistency, of processmodels refers to a freedom of contradictions [8]. One mayinterpret freedom of contradictions such that processmodels are compatible if their behaviour is equivalent,modulo activities that have been added, removed, orrefined. Earlier, we mentioned various drivers forcompatibility analysis. Those suggest, that differentnotions of behaviour equivalence may be suited tobe the basis for compatibility verification. Followingvan Glabbeek [9], ‘two system descriptions are consideredequivalent only if the described behaviours share theproperties that are essential in the context in which thesystem will be embedded. It depends on this context andon the interests of a particular user which properties areessential.’

Behaviour equivalences can be applied directly tojudge behaviour compatibility only if the correspon-dences between two process models induce a bijectionover their activities. We argue that this is rarely thecase for process models that capture different perspec-tives on a business process or different variations of abusiness process. Hence, the application of behaviour

equivalences to judge behaviour compatibility has toaddress the two following questions.

(1) How to cope with activities that are not aligned byany correspondence?

(2) How to cope with complex correspondences?

The first question has been addressed by work onbehaviour inheritance, of which an overview is presentedin the next section. The second question has notbeen addressed. Although this question is closelyrelated to refinements of behavioural models, we are notaware of any approach that adapts common behaviourequivalence for the setting of complex correspondences.In this paper, we propose a way to lift behaviourequivalences to complex correspondences.

2.2. Behaviour Inheritance

The concept of inheritance is well-known for modelsthat capture static structures. As an example, considerthe subclass – superclass relation as defined within theUnified Modeling Language (UML). Here, the notionof inheritance clarifies how the subclass extends thesuperclass by adding class members. Conceptually,behaviour inheritance tries to adapt this concept tobehavioural models. As such, it defines how to copewith extensions of behavioural models when assessingbehaviour equivalence.

Behaviour inheritance is grounded on two elementaryoperations, i.e., hiding and blocking of activities, oractions [5, 6]. Both operations may be applied to allactivities that extend one model with respect to anothermodel. Blocking means that the activity is removedbefore deciding equivalence. All state transitions relatedto this activity are no longer part of the behaviouralmodels that are compared. Hiding means that anactivity cannot be observed. All state transitions relatedto this activity are invisible when deciding a certainnotion of behaviour equivalence. Apparently, the notionof behaviour equivalence is assumed to distinguish visibleand invisible transitions. To this end, work on behaviourequivalence mainly relies on branching bisimulation.However, the concepts can directly be ported to otherbehaviour equivalences.

Hiding and blocking may be combined for differenttransitions. Following Basten and van der Aalst [5, 6],protocol inheritance holds if equivalence is satisfiedby blocking activities that relate to model extensions,whereas projection inheritance holds if equivalence issatisfied by hiding activities. Behaviour equivalencemay be achieved in both cases, by only blockingcertain activities and by only hiding activities (calledprotocol / projection inheritance). However, it may berequired to combine both operations to satisfy behaviourequivalence. That is, two models are equivalent if oneset of activities is blocked and another set of activitiesis hidden (called life-cycle inheritance).



For the use case of deciding compatibility ofaligned process models, hiding and blocking may beapplied to activities that are not aligned by anycorrespondence. Consider the example net systems inFigure 1. Transition (X) in system N1 is not alignedand may be blocked or hidden when comparing thebehaviour of both net systems. In system N2, we observetwo transitions that are without counterpart in theother system, i.e., transitions (Y ) and (Z). Again, thetransitions may be blocked or hidden. Note that blockingtransition (Z), however, implies that transition (D1)cannot be fired as well.

We consider compatibility to be a symmetric concept.In contrast to behaviour inheritance, therefore, we maydecide to block or hide activities in both models thatare compared.

3. FORMAL PRELIMINARIES

This section clarifies notions and notations used in theremainder of this paper. Section 3.1 defines processgraphs as the formal grounding of our investigations.Section 3.2 defines abstraction and encapsulation forprocess graphs. We elaborate on behaviour equivalencesin Section 3.3. Section 3.4 introduces the concept of analignment for process graphs.

3.1. Process Graphs

A process graph is a generic behavioural model thatallows for defining behaviour by means of states and statetransitions, i.e., it is a transition system. Transitionsmay be labelled with symbols indicating the actions thatare performed to realise a state change. For virtually allnotations used for modelling business processes – Petrinet systems as illustrated earlier or high-level notationssuch as the Business Model and Notation (BPMN) [10]or Event-Driven Process Chains (EPCs) [11] – executionsemantics are defined in terms of states and statetransitions. As such, process graphs enable us to discussbehaviour compatibility in the most general case.

We recall basic notions and notations based on [12].Given an alphabet Σ, we denote all finite sequences overΣ by Σ∗ and all infinite sequences over Σ by Σ∞. Wewrite Σω = Σ∗ ∪ Σ∞. The empty sequence is denotedby ε.

Definition 3.1 (Process Graph). A process graph isa connected, rooted, edge-labelled and directed graph.

We call the set of nodes that have no outgoing edges thefinal nodes, such that these represent the completion ofa business process. We postulate that G is the universalset of process graphs and that A is the universal set oflabels, called actions. Further, we assume that there isa dedicated silent action, τ /∈ A. For a set of actionsA ⊆ A, we write Aτ = A∪ τ. Edges are labelled withelements from a set of actions Aτ ⊆ A ∪ τ. We alsocall a node of the process graph a state and an edge a

(A1) (A2) (C)

(B)

(D)

(A3)

(A4) (A5)(B3)

(B1)

(C1)

(C2)

(D1)

(D2)

A3 B1

C1

B1

D1

C1

A4

B3 A5 C2 D2

c1 c2 c3 c4

N1

N2

P1

P2

(X)

(B2)

X

X

B2

B2

C1(Y)

(Z)

Y

Y

Z

Z

C1

A1 A2 C

B

A2 C D

B B

(A1) (A2) (C)

(B)

(D)

(A3)

(A5) (A6)

(B1)

(C1)

(C2)

(D1)

(D2)

A3 A4

D1

C1

A5

B2 A6 C2 D2

c1 c2 c3 c4

N1

N2

P1

P2

(X)

X

X

B1

B1

C1

(Y) (Z)

YZ

Z

C1

A1 A2 C

B

A2 C D

B B

(A4)

(B2)

FIGURE 2: Two process graphs, which represent thebehaviour of the net systems depicted in Figure 1.

transition or a step. We denote the set of all states ofa process graph g as Sg, the set of final states as Fg,the root node as rg, the set of all actions as Ag and theset of all transitions as →g. We omit the subscripts ifthe respective process graph is clear from the context.Given two states s1, s2 ∈ S of a process graph, we denotea transition from state s1 to state s2 that is labelledwith action a as s1

a−→ s2. In this paper, we assumethat the root has no incoming edges and that it is theonly node in the process graph that does not have anyincoming edges. Also, we assume any process graph toshow only finitely branching behaviour, i.e., the numberof transitions originating from a single state is finite.

We lift transitions to sequences of transitions. Wedefine the relation

σ=⇒ ⊆ S × S with σ ∈ A∗τ as the

smallest relation, such that for all s1, s2, s3 ∈ S anda ∈ Aτ it holds that (1) s1

ε=⇒ s1, (2) s1

a−→ s2

with a ∈ Aτ implies s1a

=⇒ s2 with a ∈ A∗τ , and (3)

s1σ

=⇒ s2ρ

=⇒ s3 implies s1σ

=⇒ s2ρ

=⇒ s3 with σρ asthe concatenation of σ ∈ A∗τ and ρ ∈ Aωτ . A state s2 ∈ Sis reachable from a state s1 ∈ S, if s1

σ=⇒ s2 for some

σ ∈ A∗τ . The set of states that is reachable from a state

s ∈ S is denoted by s∗. sσ

=⇒ denotes that there existssome state s′, such that s

σ=⇒ s′. Further, if s1

σ=⇒ s2

and σ ∈ τ∗ then we write s1 =⇒ s2 to denote statetransitions by silent steps.

For this work, we have further assumptions on processgraphs. We require process graphs to be free of deadtransitions. That is, for each transition s1

a−→ s2 thereexists a transition sequence r

σ=⇒ s1. In addition, we

assume that there are no livelocks, i.e., for each transitions1

a−→ s2 there exists a final state f ∈ F and a transitionsequence s2

σ=⇒ f .

For illustration purposes, consider Figure 2. Theprocess graphs represent the behaviour (aka thestate spaces) of the net systems shown in Figure 1.Both graphs are connected, rooted (the root state ishighlighted with a small unlabelled arrow), edge-labelled,and directed. The edge labels refer to the transitions ofthe Petri net systems and indicate the state transitions.



Note that we depict silent steps (neither process graphin the example shows a silent step) by unlabelled arrowsbetween states.

Finally, we define finite and infinite traces of a processgraph as sequences of visible actions. A sequence ofactions σ = a1, . . . , an ∈ A∗, n ∈ N0, is a finiteconcrete trace of a process graph, iff there exist statess0, . . . , s2n ∈ S, such that s0 = r is the root of theprocess graph and for all i ∈ N, 1 ≤ i ≤ n it holdss2i−2 =⇒ s2i−1

ai−→ s2i. A sequence of actions σ =a1, a2, . . . ∈ A∞, is an infinite concrete trace of a processgraph, iff there exist states s0, s1, s2, s3, s4 . . . ∈ S, suchthat s0 = r is the root of the process graph and for alls0 =⇒ s1

a1−→ s3 =⇒ s4a2−→ . . .. For a process graph g,

we denote the set of all finite concrete traces by Tg andthe set of all infinite concrete by IT g.

3.2. Abstraction & Encapsulation

In Section 2.2, we discussed that notions of behaviourinheritance either hide or block actions when comparingbehaviour. For process graphs, hiding of actions isrealised by abstraction, blocking of actions is realisedby encapsulation. We recall both notions based on [6].

Definition 3.2 (Abstraction). Let g be a processgraph. For a set of actions X ⊆ Ag, the abstractionoperator τX : G 7→ G rewrites g into the process graph hby renaming all actions in X with the silent action τ ,i.e., Sh = Sg; s1

a−→ s2 ∈→h, iff s1a−→ s2 ∈→g and

a /∈ X; and s1τ−→ s2 ∈→h, iff s1

a−→ s2 ∈→g and a ∈ X.

Abstraction rewrites a process graph by changing theaction labelling. Encapsulation, in turn, removestransitions with certain action labels. Since we requirea process graph to be rooted and connected, we alsoremove the states that may only be reached by usingat least one transition with a label that shall be beencapsulated.

Definition 3.3 (Encapsulation). Let g be a processgraph. For a set of actions X ⊆ Ag, the encapsulationoperator δX : G 7→ G rewrites g into the process graphh by removing all transitions with actions in X, i.e.,Sh contains all states s ∈ Sg for which there exists a

sequence σ ∈ A∗g with rgσ

=⇒ s and σ does not contain

any action in X; and s1a−→ s2 ∈→h, iff s1

a−→ s2 ∈→g,s1, s2 ∈ Sh, and a /∈ X.

3.3. Behaviour Equivalences

To compare the behaviour defined by labelled transitionsystems, different notions of behaviour equivalencemay be applied. Behaviour equivalences have beenclassified in the seminal work of van Glabbeek [2, 3],yielding the linear time – branching time spectrumfor sequential processes. For sequential processes withsilent steps (process graphs, respectively), this spectrumis spanned by the notions of trace equivalence andbranching bisimulation. The former is due to Hoare [13]

and relates to the equivalence of the observable sequencesof actions. As such, it can be seen as the lowerbound of the spectrum of behaviour equivalences.Branching bisimulation as defined by van Glabbeekand Weijland [12], in turn, considers not only theobservable behaviour, but takes the moment of choiceinto account. It can be seen as the upper boundof the aforementioned spectrum. Besides these twopoles, various equivalences have been proposed andadvocated to be applied in the field of business processanalysis, see [14]. We focus on the two mentionednotions to exemplify our approach for treating complexcorrespondences between process models. However, ourideas may also be lifted to other behaviour equivalences.

As mentioned earlier, alignments of process modelscan be assumed to be partial. Hence, the models that arecompared show extensions that may be hidden or blockedaccording to the notions of behaviour inheritance, cf.,Section 2.2. Since hiding of actions is realised byabstraction, we neglect silent steps when comparingtraces of process graphs. To highlight that we consideronly traces built of concrete actions, we refer to thisequivalence as concrete trace equivalence.

Definition 3.4 (Concrete Trace Equivalence). Twoprocess graphs g and h are concrete trace equivalent,denoted by g

.= h, iff T (g) = T (h) and IT (g) = IT (h).

Concrete trace equivalence is indeed an equivalence,since reflexivity, transitivity, and symmetry followdirectly from the set equivalence. However, thisequivalence neglects the branching of a process andconsiders only the observable sequences of actions. Themoment of choice is taken into account by the notion ofbranching bisimilarity.

Definition 3.5 (Branching Bisimilarity). Twoprocess graphs g and h are branching bisimilar, denotedby g ∼ h, iff there exists a symmetric relation R betweenthe nodes of g and h, the branching bisimulation, suchthat

1. the root nodes of the process graphs are related,rgRrh;

2. if xRy and xa−→ x′, then either a = τ and x′Ry, or

there exist states u, v, such that y =⇒ ua−→ v =⇒ y′,

xRu, x′Rv, and x′Ry′.

According to [12], branching bisimilarity is anequivalence relation.

3.4. Alignments of Process Graphs

To capture alignments between process models inthe most general setting, we define the concept of acorrespondence relation between actions of two processgraphs. It relates corresponding actions of both graphsto each other.

Definition 3.6 (Correspondence Relation). Let gand h be process graphs. A correspondence relation



' ⊆ (Ag \ Ah) × (Ah \ Ag) associates correspondingactions of both process graphs to each other. LetA1, A2 ⊆ A be two sets of actions such that A1×A2 ⊆ '.Let A1 and A2 be maximal with respect to set inclusion.Then, c = (A1, A2) is referred to as a correspondenceand we also write A1 ' A2. With a slight abuse ofnotation, we also write a1 ' a2 iff there exists A1 ' A2

and a1 ∈ A1 and a2 ∈ A2.

Given two process graphs g and h that are aligned by acorrespondence relation ' ⊆ (Ag\Ah)×(Ah\Ag), we usea shorthand notation for all actions of the graphs thatare part of some correspondence, A'g = a ∈ Ag | ∃ b ∈Ah : a ' b and A'h = a ∈ Ah | ∃ b ∈ Ag : b ' a.

A correspondence between two sets of actions meansthat the Cartesian product of the sets is subsumed by thecorrespondence relation. A correspondence c = (A1, A2)is called elementary, iff |A1| = |A2| = 1, and complexotherwise. Two correspondences c1 = (A1, A2) andc2 = (A′1, A

′2) are overlapping, iff A1 ∩ A′1 6= ∅ or

A2 ∩A′2 6= ∅. A correspondence relation is overlapping,iff it induces at least two overlapping correspondences.Otherwise, it is non-overlapping.

In the remainder of this paper, we requireall correspondence relations to be non-overlapping.For actions that are part of an overlap of twocorrespondences in one behavioural model, there isno distinct assignment to either correspondence. Thismay be the case if the functionality encoded in actionsis distributed differently among the actions of twoprocess graphs. Then, a ‘part’ of an action is relatedto one correspondence, whereas another ‘part’ of thesame action relates to a second correspondences. Inthis case, however, clarification of the relation ofthe two correspondences is needed prior to decidingbehavioural compatibility. This may be done bysplitting up the action that is part of the overlap,so that the derived actions relate only to one ofthe correspondences and, therefore, unambiguouslycharacterise the relation between them. In practise,most correspondences are non-overlapping. For thealignments investigated in our previous work [22], thereare 520 elementary correspondences between 20 pairsof process models. More than 40% of them are part ofcomplex correspondences, whereas less than 7% relateto overlapping correspondences. The correspondencerelation discussed for our example in Figure 1 is non-overlapping.

4. AGGREGATE BEHAVIOUR BASED ONA SINGLE REGION

The main idea behind determining compatibilityof complex correspondences is to consider eachcorrespondence as a relation between two regions, whichoccur as a whole, and to determine the compatibilityof the aggregate behaviour that is determined by thoseregions. In other words, actions that are part of acomplex correspondence are not considered independent

of each other. Instead, we assess behaviour compatibilityby investigating regions that are formed by sets ofactions. In our setting, these sets of actions areinduced by complex correspondences. However, thepresented approach is generic in the sense that it isgrounded on regions, i.e., sets of actions. Hence, we firstdiscuss the aggregation of behaviour based on regionswithout referring to the notions of an alignment and acorrespondence. Once we clarified how the aggregatebehaviour of a process graph is defined in terms ofthe occurrence of regions as a whole, we apply theaggregation to regions induced by correspondences.

As a first step, this section explains how we candetermine the aggregate behaviour of a single regionof a process graph. We start by introducing thenotion of aggregate behaviour, explaining how aggregatebehaviour can be determined, and discussing what designdecisions are involved. Then, we define the two essentialnotions for determining aggregate behaviour: starting aregion and ending a region.

4.1. Overview

The basis for determining the aggregate behaviour is toconsider each region as a single block of activity thattakes time. At the start of a process we consider aregion inactive. It can be started during the executionof a process and then becomes active. Once it isstarted, it eventually must end and become inactiveagain. Therefore, to determine the aggregate behaviour,we need to determine, given a behaviour and the regionswithin that behaviour, when each region starts and ends.To determine this, two important design decisions mustbe made:

(1) Do we consider intermediate ‘pauses’ of regions; i.e.:do we allow regions to end and start again?

(2) When does a region end, if the decision to end aregion occurs after other activities (not from theregion) have occurred?

Pausing a region is a logical option, in case it isinterleaved with activities from another region. Forexample, consider the process graph in Figure 3 andtwo regions A1, A2 and B. The region consistingof A1 and A2 is interleaved with the action B. Wecan now choose either to pause this region after A1has occurred and start it again when A2 occurs; or toleave it active in parallel with the region that containsB. We choose to leave regions active, even if they areinterleaved with transitions from other regions. Wemotivate this from a practical perspective: in most casesa region will be considered as a single unit of work thatis started and ended and will remain active, even if itis temporarily interrupted by other work. For example,if an employee checks the eligibility of a client for aloan, the employee may be interrupted by having toenter the client’s personal data into an ERP system.



A1 B

C

A2

FIGURE 3: Interleaving of regions A1, A2 andB and uncertainty of the moment of ending regionA1, A2.

However, conceptually, the employee will not considerthe eligibility check as ‘ended’, because he will have toget back to that later. There is an exception to thatin case an activity (such as checking the eligibility fora loan) is performed, after which there is an activityto verify whether the check is performed correctly and,depending on the outcome, the eligibility check must(partly) be performed again. In that case, the employeewill consider the eligibility check to be ended after thefirst check and re-started for the second check. However,without additional information in the process model, itis not possible to distinguish this case. Therefore, wechoose to let regions only start and end once in all cases.

It is possible that a region has only ended withcertainty, after activities from another region havealready occurred. Figure 3 illustrates this. After A1 hasoccurred, it is unclear whether transition A2 will stilloccur or not. Therefore, it is not possible to say withcertainty whether or not the region is still active afterA1. When C occurs, we can say, with hindsight thatthe region should have been ended after A1 occurred.However, then it is too late, because B has alreadyoccurred, which did not belong to the region. In decidinghow to handle this, we choose to postpone the decisionto end a region until the moment at which we are certainthat the region has ended. Other possible ways of solvingthis are by changing the branching time or by ‘pausing’the region as explained in the previous paragraph. Wecan change the branching time by explicitly choosing toend a region or not, at the moment at which this choiceis relevant and continue processing depending on thisdecision. For example, in Figure 3 we can branch alongtwo transition sequences, one that takes us through Band A and one that takes us through B and C. Alongthe first sequence, the region remains active and alongthe second sequence the region ended. However, weexplicitly aim to preserve branching time in this workand, therefore, do not choose this option. We can also‘pause’ the region by ending it after A1 and starting itagain, should A2 occur. However, we explicitly decidednot to allow regions to ‘pause’. Therefore, we choose toend a region at the moment at which we are certain nomore of its activities will occur.

These design choices lead to the following definitionsfor starting and ending a region.

D A3s3 s4

A1s1 s2

FC

s5 s6

A2

DA3 s4A1s1

s2X A2

D

FC

s5 s6

A2A3

s3X

s2X s3X

B

E

B

E

FIGURE 4: Rewrite ‘may be started’ states for theregion A1, A2, A3.

4.2. Starting a Region

A region starts the first time that an action from thatregion occurs. We define the notion of starting a regionon a process graph. However, for a transition in a processgraph, it may not be certain that it represents the firstoccurrence of an action from a region. This is the casewhen the transition can be reached both via transitionsequences that contain another occurrence of an actionfrom the same region and via sequences that do not. Forsuch a transition, we say that it may start the region,because it starts the region if that has not been doneearlier in the course of reaching the transition.

Definition 4.1 (Start Region, Started Region). Letg be a process graph and let X ⊆ A be a region. The region X is started in s ∈ r∗g , iff each transition

sequence rgσ

=⇒ s contains an action x ∈ X in σ. The region X is not started in s ∈ r∗g , iff no

transition sequence rgσ

=⇒ s contains an actionx ∈ X in σ. The region X may be started (or may not be started)

in s ∈ r∗g , iff at least one transition sequence

rgσ

=⇒ s contains an action x ∈ X in σ and atleast one transition sequence contains no actionx ∈ X in σ.

Let s1a−→ s2 be a transition with a ∈ X and s1, s2 ∈ r∗g .

The transition starts the region, iff the region is notstarted in s1 and started in s2. The transition does notstart the region, iff the region is not started in s2 orstarted in s1.

Figure 4 illustrates these situations. In s2X , s3X and s4

the region A1, A2, A3 was started. In s1, s5, s6, s2X

and s3X the region is not started and in s2 and s3 theregion may, or may not, be started.

The example in Figure 4 also shows that we cannotalways identify the transitions that start the activity of

a region. It is unclear whether the transition s3A3−−→ s4

starts the region A1, A2, A3 or not. Intuitively, thiscan be seen, because the region may have been started



before, for example by the transition s2A2−−→ s3, or may

not have been started before, for example, in case s3 was

reached via s6F−→ s3. However, if we want to determine

equivalence between aggregate processes that are definedin terms of (starting and ending) regions, then we mustbe able to uniquely identify the transitions that startthe activity of a region. Therefore, we introduce abranching time preserving rewrite rule, which rewrites‘may be started’ states in such a way that we can alwaysidentify whether a transition starts a region or not.

The rule rewrites each state s in which it is not clearwhether a region is started or not into a state in whichthe region is started and a state in which the regionis not started. As a convention, we will identify eachof the states that were rewritten from a state s as sXand sX . Subsequently, each transition that originatesfrom or targets the state s needs to be rewritten. Ifit starts the region, it must point to a state in whichthe region is started. If it does not start the region, itneeds to leave the region started if it was started andnot started if it was not started. Figure 5 shows thedifferent possibilities for rewriting a transition. Eachcase on the left side of the table, must be rewritten intothe case(s) on the right. In the figure, X?s means thatin the state s the region X may or may not be started.The figure shows that if the transition comes from s1,in which it is clear whether X is started or not, andpoints to s2, in which it is clear whether X is startedor not, then the transition is simply rewritten into anidentical transition. The figure also shows that if thetransition comes from s1, in which it is clear whether Xis started or not, and points to s2, in which X may bestarted, and the transition is itself from the region X,then the rewritten transition points to the state s2X . Inthat state X is started.

Definition 4.2 (Normalisation for a Region). Letg be a process graph and let X ⊆ A be a region. Thenormalisation operator ηX : G 7→ G rewrites g into theprocess graph h by defining Sh and →h as follows.

Sh is the smallest set that contains:

all s ∈ Sg in which X is started; all s ∈ Sg in which X is not started; and two new states for each s ∈ Sg in which X may, or

may not, be started.

→h is the smallest set that contains:

all s1a−→ s2 ∈→g for which X is not ‘may be started’

in s1 or s2; s1

a−→ s2X , iff s1a−→ s2 ∈→g, X is not ‘may be

started’ in s1, X is ‘may be started’ in s2 anda ∈ X;

s1a−→ s2X , iff s1

a−→ s2 ∈→g, X is not started in s1,X is ‘may be started’ in s2 and a /∈ X;

s1a−→ s2X , iff s1

a−→ s2 ∈→g, X is started in s1, Xis ‘may be started’ in s2 and a /∈ X;

s1Xa−→ s2X and s1X

a−→ s2X , iff s1a−→ s2 ∈→g, X

is ‘may be started’ in s1, X is ‘may be started’ ins2 and a ∈ X;

as1 s2

as1 s2

a Xs1 X?s2

as1 s2X

a Xs1

as1 s2XX?s2

a XX?s1 X?s2

as1X s2X

as1X s2X

a XX?s1 X?s2

as1X s2X

as1X s2X

aX?s1 s2

as1X s2

as1X s2

X is not started in s1

a Xs1

as1 s2XX?s2

X is started in s1

1

2

3

4

5

6

7

8

9

10

FIGURE 5: Rewrite transitions.

s1Xa−→ s2X and s1X

a−→ s2X , iff s1a−→ s2 ∈→g, X

is ‘may be started’ in s1, X is ‘may be started’ ins2 and a /∈ X; and s1X

a−→ s2 and s1Xa−→ s2, iff s1

a−→ s2 ∈→g, X is‘may be started’ in s1 and X is not ‘may be started’in s2.

A process graph j is normalised for X, iff j = ηX(j).

Figure 4 illustrates the rewrite rule. In state s2, it isunclear whether the region A1, A2, A3 is started ornot. Consequently, we rewrite it into two states: s2X inwhich the region is started and s2X in which the regionis not started. Similarly, s3 is rewritten into s3X ands2X .

What remains to be proven is that the process graphh that was constructed from g using the rewrite rule isbranching bisimilar to g and does not contain any statesin which region X may, or may not, be started.

Property 1. For a process graph h that is derivedby normalising a process graph g for a region X ⊆ A,h = ηX(g), it holds that Sh does not contain any statesin which X may, or may not, be started.

Proof. In any state that does not have any incomingtransitions, X is not started. Therefore, for such statesit holds that X is not ‘may be started’.

Any state that does have incoming transitions isreachable from rh via transitions that were generatedthrough the rewrite rules from Definition 4.2. Thereare 10 possible cases (also see Figure 5). For each ofthese cases, we prove that X is not ‘may be started’ inthe target states (s2, s2X , or s2X) of the transitions.If this holds for the target state, it must also hold for



the source states, because these can, in turn, only bereachable from rh via the transitions.

A state denoted as s2X is only reachable: via atransition that contains an a ∈ X (case 2, 5 or 6), or froma state in which X is started and that by Definition 4.1is only reachable via a transition sequence that containan a ∈ X (case 4, 7). Consequently, in a state denotedas s2X , X must be started by Definition 4.1.

A state denoted as s2X is only reachable via atransition a /∈ X from a state in which X is notstarted and that by Definition 4.1 is only reachable viaa transition sequence that does not contain an a ∈ X(case 3 and 8). Consequently, in a state denoted as s2X ,X must be not be started by Definition 4.1.

A state s2, for which it is clear in process g whetherthe region X is started or not, can only be reached viaa state s1 (case 1) or a ‘may be started’ state (case 9and 10). If it is reached via a state s1 (case 1), in whichit is clear was clear in process g whether the region isstarted or not, we know that the transition takes thecriteria into account under which we know whether Xis started or not in s2, because this transition is derivedfrom g without modification. If it is reached via a ‘maybe started’ state (case 9 and 10), the only way in whichit can be known in s2 whether X was started or not,was if a ∈ X, making X started in s2. This is preservedby the rewrite rule.

Consequently, in each state that is reachable viatransitions that were generated by the rewrite rules,it is clear whether X is started or not and X is not ‘maybe started’.

Using this property, it immediately follows that anyprocess graph that is normalised for a region does notcontain any state in which the region may, or maynot be started. Further, rewriting preserves branchingbisimilarity.

Property 2. For a process graph h that is derivedby normalising a process graph g for a region X ⊆ A,h = ηX(g), it holds that h ∼ g.

Proof. h is branching bisimilar to g, because wecan construct the branching bisimulation relation Rthat meets the two criteria of branching bisimulation(Definition 3.5). We construct this relation as follows.Clearly, g is branching bisimilar to itself (because of thereflexive property of branching bisimilarity). Let Q bethe relation that makes g branching bisimilar to itself.We define R to be the smallest relation derived from Qthat contains: (s1, s2) iff (s1, s2) ∈ Q and X is not ‘may be started’

in s1 or s2; (s1X , s2) and (s1X , s2) iff (s1, s2) ∈ Q and X is

‘may be started’ in s1 and not ‘may be started’ ins2;

(s1, s2X) and (s1, s2X) iff (s1, s2) ∈ Q and X is not‘may be started’ in s1 and ‘may be started’ in s2; (s1X , s2X) and (s1X , s2X) iff (s1, s2) ∈ Q and X is

‘may be started’ in both s1 and s2;We show that R satisfies the two criteria.Criterion 1. For the root state rg, it holds that(rg, rg) ∈ Q. Also, since the root state has no incomingtransitions, X is not started in rg, such that rg is alsoin h (where it is identified as rh) and is not split up intomultiple states, and (rg, rh) ∈ R by construction of Rabove.Criterion 2. If xRy and x

a−→ x′ with x, x′ ∈ Sg,

then ya−→ y′ is derived from x

a−→ x′ according toDefinition 4.2. Also, x′Ry′ by construction of R above.Consequently, there exist states u, v ∈ Sh, such thaty =⇒ u

a−→ v =⇒ y′, xRu, x′Rv, and x′Ry′, for y = uand v = y′.

If xRy and xa−→ x′ with x, x′ ∈ Sh, then y

a−→ y′

is the transition from which xa−→ x′ was according to

Definition 4.2. Also, x′Ry′ by construction of R above.Consequently, there exist states u, v ∈ Sg, such that

y =⇒ ua−→ v =⇒ y′, xRu, x′Rv, and x′Ry′, for y = u

and v = y′.

We can now define and prove the property that we needto analyse behaviour at the abstraction level of regions.This property states that a region is started at the firstoccurrence of a transition from that region.

Property 3. Let h be a process graph that is derivedby normalising a process graph g for a region X ⊆ A,h = ηX(g). It holds that:

if a transition s1a−→ s2 starts the region X, it must

not be preceded by a transition that starts theregion on any transition sequence rg

σ=⇒ s1.

if a transition s1a−→ s2 has a ∈ X it must either

start the region or be preceded on each transitionsequence rg

σ=⇒ s1 by a transition that starts the

region.

Proof. We prove the first part of the property. If atransition s1

a−→ s2 starts the region X, according toDefinition 4.1, the region X must not be started in s1.Consequently, according to the definition, there must beno transition sequence rg

σ=⇒ s that contains an action

x ∈ X in σ. Therefore s1a−→ s2 cannot be preceded

by a transition that starts the region, because such atransition must have an action x ∈ X.

We prove the second part of the property bycontradiction. Suppose a transition s1

a−→ s2 has a ∈ Xand neither starts the region nor is preceded on eachtransition sequence rg

σ=⇒ s1 by a transition that starts

the region. Because g was derived by rewriting, itmust be the case according to Property 1 that in eachstate the region must either be started or not started.Consequently, also in s1 the region X must either bestarted or not started. According to Definition 4.1 thatmeans that either each transition sequence rg

σ=⇒ s1

contains an action x ∈ X in σ, or no transition sequencerg

σ=⇒ s1 contains an action x ∈ X in σ. However,

because of the supposition that the transition s1a−→ s2



must not be preceded on each transition sequencerg

σ=⇒ s1 by a transition that starts the region, it

must be the case that no transition sequence rgσ

=⇒ s1

contains an action x ∈ X in σ. This means that theregion X must not be started in s1. Also, because of thesupposition that the transition s1

a−→ s2 does not startthe region and Definition 4.1, the region must eitheralready be started in s1 or not be started in s2. Sincewe just concluded that the region must not be startedin s1, it must be the case that the region must not bestarted in s2. According to Definition 4.1 that meansthat no transition sequence rg

σ=⇒ s2 contains an action

x ∈ X in σ. This leads to a contradiction, becauses1

a−→ s2 has a ∈ X, such that the sequences rgσ

=⇒ s2

that contain this transition contain an action x ∈ X.This proves that, if a transition s1

a−→ s2 has a ∈ X,it must either start the region or be preceded on eachtransition sequence rg

σ=⇒ s1 by a transition that starts

the region.

4.3. Ending a Region (with Possible Delay)

A region ends the last time that an action from thatregion occurs. Analogous to the definition of starttransitions, we say that a transition may end a region,if that transition may or may not be the last transitionof the region to occur. This situation is also explainedin Section 4.1 and Figure 3.

Definition 4.3 (Ended Region). Let g be a processgraph and let X ⊆ A be a region. The region X has ended in s ∈ r∗g , iff for no f ∈ F

a transition sequence sσ

=⇒ f contains an actionx ∈ X in σ.

The region X has not ended in s ∈ r∗g , iff for each

f ∈ F each sequence sσ

=⇒ f contains an actionx ∈ X in σ.

The region X may have ended (or may not haveended) in s ∈ r∗g , iff there exists at least one f ∈ Ffor which there exists a sequence s

σ=⇒ f that

contains an action x ∈ X in σ and there existsat least one f ∈ F for which there exists a sequences

σ=⇒ f that does not contain an action x ∈ X in

σ.

We would now like to define property that a regionends at the last occurrence of a transition from thatregion. However, as we explained in Section 4.1, wecannot with certainty say whether a transition ends aregion or not. Moreover, unlike for start transitions, wecannot define a branching bisimilarity preserving rewriterule, such that we can define this property. Therefore,for ending a region, we require a more relaxed property.This property states that a region ends with possibledelay at the occurrence of the first transition after whichwe are sure that no transition from that region can occuranymore.

We define that a region ends, with possible delay, as

follows.

Definition 4.4 (End Region with Possible Delay).Let g be a process graph and let X ⊆ A be a region.Furthermore, let s1

a−→ s2 be a transition. The transitionends the region with possible delay, iff the region is not‘ended’ or ‘may have ended’ in s1 and ‘ended’ in s2.

Now we define and prove the property that a regionends with possible delay at the occurrence of the firsttransition after which we are sure that no transitionfrom that region can occur anymore.

Property 4. Let h be a process graph that is derivedby normalising a process graph g for a region X ⊆ A,h = ηX(g). It holds that:

if a transition s1a−→ s2 ends the region X with

possible delay, it is not succeeded by a transition

s′1b−→ s′2 that ends the region with possible delay,

on a transition sequence s2σ

=⇒ f for any f ∈ Fg. a transition s1

a−→ s2, for which for no f ∈ F a

transition sequence s2ρ

=⇒ f contains an actionx ∈ X in ρ, must either end the region with possibledelay or be preceded on each transition sequencerg

σ=⇒ s1 by a transition that ends the region with

possible delay.

Proof. We prove the first part of the property. Ifs1

a−→ s2 ends the region X with possible delay, theregion must have ended in s2, according to Definition 4.4.Consequently, according to Definition 4.3, for no f ∈ Fga transition sequence s2

ρ=⇒ f contains an action x ∈ X

in ρ. Thus, according to Definition 4.3, X must haveended in all states that succeed s1

a−→ s2 on a transitionsequence s2

ρ=⇒ f for some f ∈ Fg. A transition on

such a transition sequence can not end the region withpossible delay, because that requires that the region isnot ended. Therefore, s1

a−→ s2, is not succeeded by a

transition s′1b−→ s′2 that ends the region with possible

delay, on a transition sequence s2σ

=⇒ f for any f ∈ Fg.We prove the part criterion of the property by

contradiction. Suppose that a transition s1a−→ s2, for

which for no f ∈ F a transition sequence sρ

=⇒ fcontains an action x ∈ X in ρ, neither ends the regionwith possible delay nor is preceded on each transitionsequence rg

σ=⇒ s1 by a transition that ends the region

with possible delay. Because of the supposition that for

no f ∈ F a transition sequence s2ρ

=⇒ f contains anaction x ∈ X in ρ and Definition 4.3, region X musthave ended in s2. Because of the supposition that thetransition does not end the region and Definition 4.4,either the region is not ‘may have ended’ and not ‘notended’ in s1, or the region is not ‘ended’ in s2. Sincewe just showed that the region must have ended in s2,it must be so that the region is not ‘may have ended’and not ‘not ended’ in s1. By Definition 4.3 this meansthat not “there exists at least one f ∈ F for which

there exists a sequence s1ρ

=⇒ f that contains an action



x ∈ X in ρ and there exists at least one f ∈ F for which

there exists a sequence s1ρ

=⇒ f that does not containan action x ∈ X in ρ” and not “for each f ∈ F each

sequence s1ρ

=⇒ f contains an action x ∈ X in ρ”. Inpurely logical notation this reads:

¬(∃f ∈ Fg : ∃ρ ∈ A∗g : s1ρ

=⇒ f ∧ ∃x ∈ X : x in ρ∧∃f ∈ Fg : ∃ρ ∈ A∗g : s1

ρ=⇒ f ∧ ¬∃x ∈ X : x in ρ)

∧¬(∀f ∈ Fg : ∀ρ ∈ A∗g : s1

ρ=⇒ f ∧ ∃x ∈ X : x in ρ)

We can rewrite this, using standard logic operations,into:∀f ∈ Fg : ∀ρ ∈ A∗g : s1

ρ=⇒ f ∧ ¬∃x ∈ X : x in ρ

According to Definition 4.3 this means that the regionX has ended in s1. Because of the assumptions thatthere are no dead tasks and no livelocks (see Section 3.1),each x ∈ Ag must occur on a transition sequence fromrg to some f ∈ Fg. Consequently, each x ∈ X mustoccur as well. With Definition 4.3 this means that in theroot state rg, the region X must either have ‘not ended’or ‘may have ended’. Consequently, each transitionsequence rg

σ=⇒ s1 starts with X ‘not ended’ or ‘may

have ended’ and ends with X ‘ended’. Consequently, for

some transition s′1b−→ s′2 in each of these sequences: X

is ‘not ended’ or ‘may have ended’ in s′1 and ‘ended’ ins′2. Thus, according to Definition 4.4, some transitionin each of these transition sequences ends the region Xwith possible delay. This is a contradiction with thesupposition that the transition s1

a−→ s2 is not precededon each transition sequence rg

σ=⇒ s1 by a transition

that ends the region with possible delay. This provesthat a transition s1

a−→ s2, for which for no f ∈ F a

transition sequence s2ρ

=⇒ f contains an action x ∈ Xin ρ, must either end the region with possible delay orbe preceded on each transition sequence rg

σ=⇒ s1 by a

transition that ends the region with possible delay.

5. AGGREGATE BEHAVIOUR BASED ONMULTIPLE REGIONS

In the previous section, we elaborated on aggregatingthe behaviour of a process graph based on a single region.Verification of behaviour compatibility between processgraphs in the presence of complex correspondences mayrequire to consider multiple regions for each processgraph. In this section, we turn the focus on a set ofregions. We first lift the normalisation defined for asingle region to sets of regions in Section 5.1. Then,Section 5.2 shows how we rewrite a process graph toseparate the information of starting and ending formultiple regions. Finally, Section 5.3 discusses propertiesof this rewriting.

5.1. Normalisation based on Multiple Regions

Normalisation in terms of rewriting ‘may be started’states has to be done for all regions. We lift thenormalisation operator to a set of regions by combining

the normalisations for single regions. We assume allregions to be distinct, i.e., for all regions X1 and X2

considered for normalisation it holds X1 ∩ X2 = ∅.This assumption is necessary to separate the start andend of different regions. Note that a non-overlappingcorrespondence relation between process graphs, seeSection 3.4, induces only distinct regions.

Definition 5.1 (Normalisation for a Set of Regions).Let Ω = X1, . . . , Xn be a set of distinct regions,Xi ⊆ A. The normalisation operator ηΩ : G 7→ Gis defined as the concatenation of normalisations for allregions, i.e., ηΩ = ηX1

. . . ηXn. A process graph g is

normalised for Ω, iff g = ηΩ(g).

The normalisation operator for a group of regionsrepresents the joint application of normalisations forsingle regions. Therefore, it is important to verify thatnormalisation for one region does not interfere withnormalisation for another region in terms of startingand ending regions. Indeed, this is the case.

Property 5. Let g be a process graph and letX1, X2 ⊆ A be two distinct regions. If process graph his derived from g by rewriting for region X1, h = ηX1

(g),it holds that: if X2 is started / may be started / ended / may

have ended in s ∈ Sg in g and it holds s ∈ Sh, thenX2 is started / may be started / ended / may haveended in s in h. if X2 is started / may be started / ended / may have

ended in s ∈ Sg in g and it holds sX1, sX1

∈ Sh,then X2 is started / may be started / ended / mayhave ended in sX1 and in sX1

in h.

Proof. Both criteria follow directly from the factthat normalisation preserves branching bisimilarity(Property 2).

Rewriting ‘may be started’ states of different regions isindependent of each other. Each normalisation rewrites‘may be started’ states for the respective region. Hence,normalisation of a process graph for a set of regionsyields a graph that is free of ‘may be started’ states forall regions.

Property 6. Let h be a process graph that is derivedby normalising a process graph g for a set of distinctregions Ω = X1, . . . , Xn, Xi ⊆ A. It holds that Shdoes not contain any states in which any region Xi may,or may not, be started.

Proof. Rewriting a process graph for a single regionyields a graph that is free of ‘may be started’ states forthis region by Property 2. According to Property 5, thisrewriting step does not introduce any ‘may be started’states for another region that have not been part of theprocess graph before.

For the process graphs introduced earlier and depictedin Figure 2, we depict the normalised process graphsin Figure 6. For both graphs, we used regions as



A1 A2 C

B

A2 C

B B

A3 A4

D1

C1

A5

B2 A6 C2 D2

P1'

P2'

X

B1

B1

C1YZ

Z

C1

A2 C

B

A2 C

B B

X

A4

X

X

D

D

A3 B1

C1

B1

D1

C1

A5

B2 A6 C2 D2

P2'B2

B2

C1

Y

Y

Z

Z

C1

B2

B2

C1

FIGURE 6: Process graphs of Figure 2 normalisedfor the sets of regions A1, A2, B, C, D (P1′)and A3, A4, A5, A6, B1, B2, C1, C2, D1, D2(P2′), respectively.

they are induced by the correspondences. At hisstage, we neglected regions formed by actions thatare not part of any correspondence. Process graphP1′ is obtained by normalising process graph P1for the set of regions A1, A2, B, C, D. Alarge part of process graph P1 has been duplicatedin the course of normalisation. This is caused bythe cycles in the process graph P1. All states thatare part of a cycle are ‘may be started’ states forregion C. For process graph P2 in Figure 2, graphP2′ is derived by normalisation for the set of regionsA3, A4, A5, A6, B1, B2, C1, C2, D1, D2.Here, states in which region A3, A4, A5, A6 may, ormay not, be started have been rewritten.

Finally, we turn the focus on the interplay of startingand ending different regions. We observe that a singletransition starts at most one region.

Property 7. Let g be a process graph thatis normalised for a set of distinct regions Ω =X1, . . . , Xn, Xi ⊆ A. Any transition s1

a−→ s2 startsat most one region Xi ∈ Ω.

Proof. According to Definition 4.1, a region X can onlybe started by a transition with a ∈ X. Since we assumethat for all regions X1, X2, it holds that X1 ∩X2 = ∅, atransition can start at most one region.

Since we adopted a notion of ending a region that mayincorporate a delay, a single transition may end morethan one region.

Property 8. Let g be a process graph thatis normalised for a set of distinct regions Ω =X1, . . . , Xn, Xi ⊆ A. A transition s1

a−→ s2 can endmore than one region Xi ∈ Ω.

Proof. Consider the process graph P1′ in Fig-ure 6 that is normalised for the set of regionsA1, A2, B, C, D. Both transitions labelledwith action D end regions A1, A2 and C.

5.2. Separation of Regions

To assess behaviour compatibility of two process graphsbased on regions, we rewrite the graphs so that theycapture only the aggregated behaviour in terms ofstarting and ending regions. Technically, we assign labelsthat indicate starting and ending of a region to thosetransitions, whereas all other transitions are renamed tosilent steps. Two aspects need to be taken into accountwhen rewriting a process graph to separate regions.

First, a transition starts at most one region(Property 7), but may end multiple regions (Property 8).Since we rely on interleaving semantics, in whichparallellism of actions is equal to arbitrary interleaving ofactions, the latter shall be equivalent to all interleavingsof ending the respective regions. Thus, we rewritetransitions that end multiple regions into a subgraphthat encodes all these interleavings. Now, considerthe case that a transition ends multiple regions butalso starts a region. Assuming distinct regions, such atransition must be labelled with an action of the regionthat is started. As a consequence, we know that allregions ended (but not started) by the transition areended with a delay. This observation lets us prioritiseending of regions. Following the discussion presentedin Section 4.1, we aim at capturing the earliest state inwhich a region has definitely ended. Hence, we first endall regions, before a region is started.

Second, it may be the case that a single transitionstarts and ends a region. For our use case, weabstract from the internal behaviour of a region. Hence,starting and ending a region with one transition shallbe equivalent to starting the region and closing it ata later stage. Our rewriting to separate regions splitsup a transition that starts and ends a region into twotransitions.

Note that both phenomena may occur together. Asingle transition may end multiple regions among themone region that is also started by the transition. In thiscase, we first end all regions except the region that isalso started. Then, the latter region is started and endedwith separate transitions.

We obtain a process graph with separate regions byrewriting. To keep the formalisation concise, we useregions, i.e., sets of actions, to construct actions thatrelate to these regions. We assign the actions s(Xi)or e(Xi) to all transitions that start or end a regionXi, respectively. The silent action is assigned to alltransitions that neither start or end any region. As partof this step, all transitions that end more than one regionare replaced by a subgraph capturing all interleavingsof ending the regions. All transitions that start and enda region Xi, are expanded into an intermediate state



s(Y)

as1 s2

a does not start or end any region

s1 s2

as1 s2

a starts X and ends no region

s(X)s1 s2

as1 s2

a starts and ends X, and ends no other

region

s(X)s1 smid(X)

e(X)s2

as1 s2

a ends X, does not start X, and ends no other region

e(X)s1 s2

as1 s2

a ends multiple regions X1,...,Xn and

starts no region

e(X1)s1

e(Xn)

e(Xn)

e(X1)

s2

...

...

... ...

as1 s2

a ends but does not start multiple

regions X1,...,Xn and starts but does not

end a region Y

e(X1)s1

e(Xn)

e(Xn)

e(X1)

spre(Y)

...

...

... ...

as1 s2

a ends but does not start multiple

regions X1,...,Xn and starts and ends a

region Y

s2

s(Y)e(X1)s1

e(Xn)

e(Xn)

e(X1)

spre(Y)

...

...

... ... smid(Y)e(Y)

s2

FIGURE 7: Overview of the rewriting to separateregions.

and two transitions labelled with s(Xi) and e(Xi). Thedifferent cases in terms of starting and ending regionsfor a single transition are shown in Figure 7.

The result of region separation is illustrated for anexample in Figure 8. Here, we used a short-handnotation to reference the regions, e.g., label A refers tothe region A1, A2. Besides relabelling the transitionsthat start or end any of the three regions A1, A2,B1, B2, and C, two transitions that end more thanone region are rewritten to capture all interleavings.Also, we first end regions A1, A2 and B1, B2, beforestarting the region C by the respective transition.

Formally, the rewriting is defined as follows. Notethat, given a set M , we denote the powerset of M by℘(M).

Definition 5.2 (Region Separation). Let g be aprocess graph that is normalised with respect to a setof regions Ω = X1, . . . , Xn, Xi ⊆ A. The separationoperator ζΩ : G 7→ G rewrites g into the process graph hby defining Sh and →h as follows.

A1 B1

C

B2 A2

s(A) s(B) e(B)

e(A)

e(A)

e(A)e(A) e(B)

e(A)e(B)

e(A) e(B)

e(A)e(B)

s(C) e(C)

FIGURE 8: Rewriting to separate the regions A1, A2,B1, B2, and C.

Sh is the smallest set that contains: all s ∈ Sg;

2m − m new states sp for each transition s1a−→

s2 ∈→g that ends m regions X1, . . . , Xm ∈ Ω,1 < m, but starts none of them, with p ∈℘(X1, . . . , Xm) \ , X1, . . . , Xm being a setthat represents all permutations of regions exceptfor the empty set or the set that contains all regions. one new state spre(Xi) for each transition s1

a−→s2 ∈→g that ends at least one region and starts theregion Xi ∈ Ω. one new state smid(Xi) for each transition s1

a−→s2 ∈→g that starts and ends the region Xi ∈ Ω.

→h is the smallest set that contains:

s1s(Xi)−−−→ s2, iff s1

a−→ s2 ∈→g starts the regionXi ∈ Ω and ends no region;

s1s(Xi)−−−→ smid(Xi)

e(Xi)−−−→ s2, iff s1a−→ s2 ∈→g starts

and ends a single region Xi ∈ Ω and ends no otherregion;

s1e(Xi)−−−→ s2, iff s1

a−→ s2 ∈→g ends a single regionXi ∈ Ω, ends no other region, and starts no region;

s1e(Xi)−−−→ spre(Xj), iff s1

a−→ s2 ∈→g ends a singleregion Xi ∈ Ω, ends no other region, and startsanother region Xj ∈ Ω;

spe(Xi)−−−→ sq, iff s1

a−→ s2 ∈→g ends more than oneregion, among them Xi ∈ Ω and either− sp = s1 and Xi ∈ q,− Xi /∈ p and Xi ∈ q,− sq = s2 and Xi /∈ p, and s1

a−→ s2 does notstart any region,

− sq = spre(Xj) and Xi /∈ p, and s1a−→ s2 starts

the region Xj ∈ Ω.

spre(Xi)s(Xi)−−−→ s2, iff s1

a−→ s2 ∈→g starts the regionXi ∈ Ω and ends at least one other region.

spre(Xi)s(Xi)−−−→ smid(Xi)

e(Xi)−−−→ s2, iff s1a−→ s2 ∈→g

starts and ends the region Xi ∈ Ω and ends at leastone other region. s1

τ−→ s2, iff s1a−→ s2 ∈→g neither starts nor ends

any region Xi ∈ Ω.



s(B)

e(B)

s(A) s(C)

s(B)

s(C)

P1''

e(C)

e(B)

s(B)

e(B)

s(B)

s(B)

e(B)

s(B)

e(B)e(B)

e(A)

s(A) s(D)

e(C)

e(D)

e(C)

e(A)

s(A) s(D)

e(C)

e(D)

s(A)

s(A)

s(B) e(B) e(A) s(C) e(C) s(D) e(D)

s(B)

s(B)

e(A)

s(C)

e(C)

s(C)

e(C)

s(C)

e(C)

e(D)

s(D)

P2''

s(A) e(A)e(B)

e(B)

FIGURE 9: Process graphs of Figure 6 for which the following regions have been separated: A1, A2, B, C, Dfor process graph P1′′ and A3, A4, A5, B1, B2, B3, C1, C2, D1, D2 for process graph P2′′.

For our initial example, region separation is illustratedin Figure 9. For the process graphs depicted inFigure 6, we separated all regions that are inducedby the correspondences between the two behaviouralmodels as illustrated initially in Figure 1. We used ashorthand notation to indicate the regions, e.g., the labelA refers to the region A1, A2 or A3, A4, A5, A6. Weobserve that several transitions of the graphs in Figure 6are split up in two transitions to indicate the start andend of the regions, respectively. Also, in graph P1′

of Figure 6, two transitions end more than one region.Using the proposed rewriting, we obtain the graph P1′′

that comprises all interleavings of ending these regions.

5.3. Properties for Separated Regions

The process after region separation should be equivalentto the process before region separation. However, clearlywe cannot prove branching bisimilarity between thetwo processes, because the region separation operatorchanges the labels of the processes. This is donedeliberately, to encode the events of starting a regionand ending a region, as they have been explained in theprevious section. Therefore, we show a weaker propertyfor the region separation operator. In particular, weshow that the order in which regions are started orended is preserved by the operator.

Property 9. Let g be a process graph that isnormalised with respect to a set of regions Ω =

X1, . . . , Xn, Xi ⊆ A, and let h = ζΩ(g) be the regionseparated process graph for g. Let x and y be actions ofstarting some region, ending some region or not startingor ending any region. Furthermore, let g contain the

transition sequence s1a−→ s2

b−→ s3, where s1a−→ s2

also contains a transition labelled with x and s2b−→ s3

also contains a transition labelled with y. It holds thats1, s2, s3 ∈ Sh and there exists a transition sequence

s1σ

=⇒ s2ρ

=⇒ s3 in h and all transition sequencess1

σ=⇒ s2 in h also contain a transition labelled with x

and all transition sequences s2ρ

=⇒ s3 in h also containa transition labelled with y.

Proof. The proof is by construction. All s ∈ Sg are also

in Sh and each transition sa−→ s′ ∈→g that contains a

transition labelled with x is rewritten (by the rewriterules that are illustrated in Figure 8) into transitionsequences that connect s and s′ and that all comprise atransition labelled with x.

6. EQUIVALENCE AND COMPATIBILITY

This section shows how we can lift existing notionsof behaviour equivalence and compatibility, whichwork for 1:1 correspondences, to notions of behaviourequivalence and compatibility that work for complexcorrespondences. Aggregation of behaviour based onregions, as it is introduced in the previous sections, isthe basis for these notions.



First, we show how equivalence of behaviours withcomplex correspondences can be defined in Section 6.1.Then, we follow the work on behaviour inheritanceto cope with model extensions. We elaborate onnotions of projection compatibility, which incorporateaction abstraction, in Section 6.2. Then, we turn thefocus to protocol compatibility, which relies on actionencapsulation, in Section 6.3. Finally, abstraction andencapsulation are combined to arrive at the notion oflifecycle compatibility in Section 6.4.

6.1. Region Equivalence

Given two process graphs that are aligned by (potentiallycomplex) correspondences, behaviour equivalence can bedecided based on the introduced aggregate behavioursof the two process graphs. To this end, we construct aset of regions, such that each correspondence betweentwo process graphs forms a region. Further, alltransitions that are not part of any correspondence areconsidered separate regions. Using the resulting set ofregions, we apply region normalisation and separationto both process graphs. Thus, we obtain two processgraphs that capture aggregated behaviour, i.e., thebehavioural dependencies between the regions inducedby the correspondences. For these process graphs, wecheck behaviour equivalence. In the following definition,we rely on concrete trace equivalence and branchingbisimulation, as introduced in Section 3.3. Note that wealso use the notations for sets of actions that are partof correspondences as defined in Section 3.4.

Definition 6.1 (Region Equivalence). Let g and hbe two process graphs and ' ⊆ (Ag \Ah)× (Ah \Ag) acorrespondence relation. Let Ω = X1, . . . , Xn be a set of regions that is

induced by correspondences and transitions that arenot aligned, i.e., it holds X ∈ Ω, iff either− X = X ′ ∪X ′′ and X ′ ' X ′′, or− X = x and x ∈ (Ag ∪Ah) \ (A'g ∪A'h ).

Let g′ and h′ be the process graphs derived from gand h by region normalisation and separation forΩ, i.e., g′ = ζΩ(ηΩ(g)) and h′ = ζΩ(ηΩ(h)).

The graphs g and h are region concrete traceequivalent, denoted by g

.=Ω h, iff g′

.= h′.

The graphs g and h are region branching bisimilar,denoted by g ∼Ω h, iff g′ ∼ h′.

For our initial example, depicted in Figure 1 andFigure 2, none of the region equivalences is satisfied.This is caused by actions that are not part of anycorrespondence. For instance, the process graph derivedfrom the graph P1 in Figure 2 by region normalisationand separation contains transitions labelled with s(X)and e(X) to indicate starting and ending of the regionX. (Recall that for the graphs shown in Figure 6,we neglected actions that are not aligned by anycorrespondence.) Starting and ending the region X isapparently not mirrored by the graph derived by region

normalisation and separation from P2 in Figure 2.

6.2. Projection Compatibility

Following the work on behaviour inheritance, actionsmay be hidden before behaviour equivalence is decided.Hiding of actions is realised by abstraction, as introducedin Section 3.2. We define projection compatibility inthe line of projection inheritance. We use the termcompatibility instead of inheritance to highlight thatabstraction may be applied to both process graphs underinvestigation. In contrast to inheritance, compatibilitydoes not assume the relation between both processgraphs to be directed in the sense of a subclass –superclass relation.

Projection compatibility holds between two processgraphs, if they are equivalent once a set of actionsis abstracted. The original definition of projectioninheritance, see [6], does not restrict the set ofactions that can be abstracted. However, we assumethat correspondences are defined explicitly to indicatecorresponding actions. Those actions shall not be subjectto abstraction, so that we restrict the set of actions thatmay be abstracted to all actions that are not part ofa correspondence. To decide behaviour equivalence inthe presence of complex correspondences, we rely on thenotions of region equivalence introduced in the previoussection. Region equivalence may be based on traces orthe branching structure.

Definition 6.2 (Projection Compatibility). Let gand h be two process graphs and ' ⊆ (Ag\Ah)×(Ah\Ag)a correspondence relation. The graphs g and h are trace projection compatible,

iff there are sets of actions X ⊆ Ag \ A'g andY ⊆ Ah \A'h , such that τX(g)

.=Ω τY (h).

The graphs g and h are projection compatible,iff there are sets of actions X ⊆ Ag \ A'g andY ⊆ Ah \A'h , such that τX(g) ∼Ω τY (h).

Projection compatibility for our initial example isdetermined using the process graphs depicted in Figure 9.Here, all actions that are not aligned by correspondences,see Figure 1, have been abstracted. Note that, again,we interpret Figure 9 such that the labels are short-hand notations for the respective regions, e.g., the labelA refers to the region A1, A2, A3, A4, A5, A6 that isformed by actions of either process graphs. Despitetheir commonalities, the process graphs in Figure 9 donot satisfy (trace) projection compatibility. In processgraph P1′′, region C,C1, C2 may be started afterregion A1, A2, A3, A4, A5, A6 has been started, butbefore it has ended. This behaviour is not possible inprocess graph P2′′.

6.3. Protocol Compatibility

Besides hiding of actions, blocking of actions maybe applied before behaviour equivalence is decided.



Blocking of actions is realised by encapsulation andgives rise to the notion of protocol inheritance. In thesame vein, we introduce protocol compatibility thatencapsulates a set of actions before a notion of regionequivalence is decided.

Definition 6.3 (Protocol Compatibility). Let g andh be two process graphs and ' ⊆ (Ag \Ah)× (Ah \Ag)a correspondence relation. The graphs g and h are trace protocol compatible,

iff there are sets of actions X ⊆ Ag \ A'g andY ⊆ Ah \A'h , such that δX(g)

.=Ω δY (h).

The graphs g and h are protocol compatible, iffthere are sets of actions X ⊆ Ag \ A'g and Y ⊆Ah \A'h , such that δX(g) ∼Ω δY (h).

To verify (trace) protocol compatibility for our initialexample, we need to encapsulate the actions X, Y ,and Z of the process graphs. As mentioned earlier,encapsulation of action Z for the process graph P2 inFigure 2 means that once the transition labelled with A3is taken, no transition labelled with an action from theregion D,D1, D2 may be taken from some reachablestate. Since this region is started and ended for alltransition sequences leading to a final state in processgraph P1 in Figure 2, both process graphs do not satisfy(trace) protocol compatibility.

6.4. Lifecycle Compatibility

It may be necessary to combine hiding and blockingof actions to satisfy behaviour equivalence. Inthis framework for behaviour inheritance, this caseis represented by lifecycle inheritance. Adaptingthis notion for region equivalence yields lifecyclecompatibility.

Definition 6.4 (Lifecycle Compatibility). Let g andh be two process graphs and ' ⊆ (Ag \Ah)× (Ah \Ag)a correspondence relation. The graphs g and h are trace lifecycle compatible,

iff there are sets of actions V,W ⊆ Ag \ A'g ,V ∩ W = ∅, and X,Y ⊆ Ah \ A'h , X ∩ Y = ∅,such that τV δW (g)

.=Ω τX δY (h).

The graphs g and h are lifecycle compatible, iffthere are sets of actions V,W ⊆ Ag\A'g , V ∩W = ∅,and X,Y ⊆ Ah \ A'h , X ∩ Y = ∅, such thatτV δW (g) ∼Ω τX δY (h).

For the initial example introduced in Figure 2, Figure 10shows the process graphs obtained after hiding andblocking of actions has been combined. That is, weencapsulated actions X and Y , and abstracted actionZ. All remaining actions are part of correspondencesdefined between both process graphs. Using the regionsinduced by the correspondences, we applied regionnormalisation and separation to both process graphs.Figure 10 illustrates that both process graphs are tracelifecycle compatible. The sets of (in this example onlyfinite) concrete traces coincide for the process graphs

P1∗ and P2∗. In other words, the observable behaviourof both process graphs is the same, once the behaviourfor correspondences is aggregated and actions that arenot aligned are blocked or hidden.

Figure 10 also illustrates that both process graphs arenot lifecycle compatible. Despite the same observablebehaviour, both process graphs show differences in theirbranching structure. In P1∗, the transition that startsthe region A1, A2, A3, A4, A5, A6 leads to a state thatmay be left by a transition that closes this region orstarts the region B,B1, B2. This branching behaviouris not in line with the process graph P2∗.

7. EXTENDED EXAMPLE

This section explains how the compatibility notions thatwere presented in the previous section, can be appliedto an example from practice.

Figure 11a shows two process models that representbusiness processes from practice. They are simplifiedversions of processes that we used in previousresearch [22]. The top shows a reference process forapplying for a permit to chop down a tree. Thebottom process is an implementation of that process ata municipality. Compatibility between the two processescan be verified to determine the extent to which theimplementation conforms to the reference process. Theactivities in the processes have been annotated withletters to indicate correspondences; activities with thesame letter correspond.

Figure 11b shows the respective process graphs. Thegraphs represent the start and end transitions of eachregion as well as transitions that do not correspondto the start or end of a region. The latter are silenttransitions, but they are labelled with the letter thatrefers to the activity from which the transition wasderived. This convention is used here to be able to referto the transitions.

Using Figure 11, we can see that the processes arenot projection compatible, because hiding activities H(‘Check admissible’) and I (‘Notify not admissible’)enables the trace s(A), e(A) in the bottom graph,which is not possible in the top graph. In practicalterms the bottom process allows an application tobe received and then be discarded, because it isinadmissible, while the top process does not allowthis. Using protocol compatibility solves this problem,because it blocks rather than hides activity I (‘Notifynot admissible’). Blocking this activity makes itimpossible to discard claims due to inadmissibility in thebottom process. However, using protocol compatibilityintroduces problems at other places in the process,because blocking activities E, F or H leads to dead tasks.Blocking transition G leads to the situation in whichthe top process ends after activity C (‘Send approval’),while the bottom process still must perform activity D(‘Send bill’).

The processes are lifecycle compatible, i.e.: they are



A1 A2 C

B

A2 C

B B

P1'

D

e(B)

s(A) e(A) s(C)

s(B)

e(A) s(C)

P1*

e(B)

s(B)

e(B)

s(B)

s(D) e(D)

s(A)

s(A)

s(B) e(B) e(A) s(C) e(C) s(D) e(D)

s(B)

s(B)

e(B)

e(B)

e(A)

s(C)

e(C)

s(C)

e(C)

s(C)

e(C)

e(C)

s(C)

P2*

e(C)

e(C)

A3 A4

D1

C1

A5

B2 A6 C2 D2

P1

P2B1

B1

C1 C1

A1 A2 C

B

A2 C D

B B

A3 A4

D1

C1

A5

B2 A6 C2 D2

P2'B1

B1

C1 C1

FIGURE 10: Process graphs of Figure 2 for which we encapsulated actions X andY , abstracted action Z, and applied region normalisation and separation for the regionsA1, A2, A3, A4, A5, A6, B,B1, B2, C,C1, C2, D,D1, D2.

Receive application

Check application

Publish notification

Make decision

Local inspection

Send approval

Send rejection

Effectuate permit

Manage debit

Receive form

Check admissible

Need inspection?

Perform inspection

Process permit Send bill

Notify not admissible

(A)

(A)

(B)

(C1)

(C2)

(C3)

(C)

(D)

(D)(B1) (B2)

(E)

(F)

(G)

(H)

(I)

s(A) e(A) s(B)

E E

s(B) e(B)

e(B)

E F

s(C)e(C)

e(C)

G

s(D) e(D)

s(A) e(A) HI

s(B)e(B)

s(C) e(C) s(D) e(D)e(B)

(a)

Receive application

Check application

Publish notification

Make decision

Local inspection

Send approval

Send rejection

Effectuate permit

Manage debit

Receive form

Check admissible

Need inspection?

Perform inspection

Process permit Send bill

Notify not admissible

(A)

(A)

(B)

(C1)

(C2)

(C3)

(C)

(D)

(D)(B1) (B2)

(E)

(F)

(G)

(H)

(I)

e(A) s(B)

E E

s(B) e(B)

e(B)

E F

s(C)e(C)

e(C)

G

s(D) e(D)

e(A) HI

s(B)e(B)

s(C) e(C) s(D) e(D)e(B)

s(A)

s(A)

(b)

FIGURE 11: (a) net systems for related processes; (b) corresponding process graphs with start and end regiontransitions.

both trace equivalent and branching bisimilar whenblocking activity I and hiding activities E, F , G andH. In practical terms, this means that in order to makethe implemented process compatible with the referenceprocess, rejecting an application due to inadmissibilitymust be made impossible, while the admissibility checkmust be skipped. In the reference process, checking the

application, publishing a notification and effectuatingthe permit must be skipped. The information that isobtained by this compatibility check, can be used to, forexample, configure a software application that has beenbuilt to support the reference process and to discuss thesuitability of that software for the organization.



8. RELATED WORK

Behaviour equivalence and compatibility relate todifferent streams of research. In this section, we focuson model matching, similarity of process models, andmodel refinements and compatibility.

8.1. Model Matching

We argued that verification of behaviour compatibility,first and foremost, requires the identification ofcorresponding activities of two business process models,or corresponding actions of two process graphs. Suchcorrespondences may implicitly be given once businessprocess models originate from a common source.An example would be models that are derived bycustomisation of a reference model [15, 16]. Inother use cases, however, correspondences need tobe defined explicitly. Even though correspondencesmay be defined manually, compatibility verificationin a large scale requires automated support forsuggesting correspondences. In general, the detection ofcorrespondences between business process models canbe seen as an instantiation of the matching problem [17]known from the field of data integration or ontologymatching. Hence, techniques proposed to match dataschemas or ontologies, see [17, 18, 19] for thoroughoverviews, may be adapted to detected process modelcorrespondences.

For business process models, most matchingapproaches rely on a textual techniques that areapplied to the labels of activities. Further, the modelstructure and the behaviour defined by the modelsmay be exploited, for instance in [20, 21]. Thatis, structural and behavioural similarity measures areused in combination with textual measures to identifycorrespondences. We review such similarities separately.However, except for a few exceptions, e.g., the ICoPframework [22], matching of business process modelsfocusses on elementary correspondences and largelyneglects complex correspondences.

8.2. Process Model Similarity

Besides guiding the identification of correspondences,similarity measures for business process models allow fordrawing conclusions on the extent to which two modelsdiffer once they do not show behaviour compatibility.

Textual similarity measures are at the very core ofmost approaches to judge similarity of business processmodels. In addition, the graph structure may beleveraged using the notions of maximum common sub-graph isomorphism and graph edit distance [23]. Anoverview of graph matching techniques can be foundin [24]. The graph edit distance has been used tojudge similarity of business process models in [25, 26].In essence, this measure is based on the fractions ofactivities and flow arcs between them that need to beinserted or deleted in order to transform one graph into

another. Other work follows a similar idea, but relies onhigh-level and hierarchical change operations instead ofelementary graph operations [27, 28].

Depending on the kind of semantics assumed forbusiness process models, similarity measures may bedefined for transitions systems such as process graphsused in this work, traces that represent valid sequencesof visible actions, or behavioural abstractions. Theextent to which two transition systems simulate eachother was leveraged in [29, 21]. Those works iterativelyevaluate the similarity of states based on the similarityof neighbouring state transitions and states. The overallsimilarity is obtained once a fixpoint or a predefinednumber of iterations is reached. Further, the editdistances for sets of traces, or different representationsthereof, have been proposed as similarity measures [30,31]. Yet other work uses behavioural abstractions asthe basis of similarity measures. Such measures aregrounded on causal footprints that capture sets of causalpredecessors and successors for activities [32, 26], orbehavioural profiles that capture the order of potentialexecution for pairs of activities [33].

8.3. Model Refinements & Compatibility

Complex correspondences between behavioural modelsare closely related to refinements between them. Arefinement refers to the specification of a certain processmodel activity, or an action of a process graph, inmore detail. Hence, a refinement relation between twomodels induces complex correspondences of a particulartype, i.e., 1:n correspondences that are equally directed(all compound activities are part of one model, allrefined activities are part of the other model) and non-overlapping. Refinements, therefore, are commonlyassumed to be hierarchical. Following this line, a varietyof refinements that are behaviour preserving have beenpresented. An overview of Petri net refinements can befound in [34]. Here, a place or transition is typicallysubstituted by a subnet, see [35, 36]. Refinementoperators for process algebra have been introducedin [37, 38].

Refinement operators guide the adaptation ofbehavioural models and aim at preserving selectedproperties, such as deadlock freedom or weakbisimulation. As such, models that are aligned bycorrespondences may be considered to be compatible, ifthe correspondences can be traced back to refinements.However, such an approach is hard to operationalise oncecorresponding sets of activities, or regions of actions,are not isolated. For instance, it is unclear how thecorrespondences between the example net systems inFigure 1 can be traced back to Petri net refinements.

There is little work on notions of behaviourcompatibility that is applicable for arbitrary complexcorrespondences between behavioural models. Recently,we advocated the application of behavioural profiles asan behavioural abstraction to decide compatibility of



process models [39, 40]. This approach assesses whetherbehavioural relations defined over pairs of activitiesin one model coincide with the relations defined forcorresponding activities in another model. Even thoughthis approach is applicable for correspondences of anytype, it considers only an abstraction of trace semantics.

9. CONCLUSIONS

Given a relation between corresponding activities of twobusiness process models, we argued that two challengesarise when verifying equivalence or compatibility:(1) one model can contain activities that do notcorrespond to any activity in the other model; and(2) complex correspondences can exist between themodels, where each complex correspondence representsa relation between a set of activities in one modeland a set of activities in the other model. Thefirst challenge can be approached using notions ofbehaviour inheritances, whereas the second challengehas not been addressed in previous work. In thispaper, we focussed on this challenge and introduceda framework that leverages regions of activities to decideequivalence and compatibility in the presence of complexcorrespondences. We require the regions in one modelto coincide with the regions formed by correspondingactivities in the other model, in terms of when theseregions start and end. We illustrated the approachusing two equivalences, concrete trace equivalence andbranching bisimulation. In addition, we showed how theapproach integrates with the existing work on behaviourinheritance to develop notions of compatibility.

The question of how behaviour equivalences maybe applied in the presence of complex correspondencebetween behavioural models, first and foremost, is ageneric question that is independent of any use case.However, we made explicit that any solution to thisproblem involves several design decisions. Dependingon how these design choices are answered, the processgraphs are preprocessed such that they are comparableusing existing notions of equivalence. Apparently thisallows for conclusions only if the applied preprocessingis considered to be valid. We perceive this to bean inherent problem of behaviour compatibility ofcomplex correspondences that cannot be avoided. Inthis paper, we answered the respective design decisionsfor behavioural models that capture business processes.For instance, we argued that pausing regions does notseem to be appropriate for this use case. Based onsuch application specific reasoning, we implemented apreprocessing step that yields an aggregation of thebehaviour of multiple regions. For a different setting,e.g., for behavioural models describing electronic circuitsor software applications, the aforementioned designdecisions may be answered differently. By making thedecision explicit, we have outlined how our compatibilitynotions may be adapted for a different purpose. Thediscussion of the impact of differently taken design

choices, however, has been beyond the scope of thispaper.

Besides, the assumption of non-overlapping correspon-dences has to be seen as a limitation of our work. Eventhough we argued that the majority of complex corre-spondences observed in practice are non-overlapping, themodel collection described in [22] also shows some over-lapping correspondences. Those cannot be addressed byour approach. Further work is needed to investigate thesemantics of these correspondences and the actions thatare part of the overlap. In particular, splitting up therespective actions to clearly separate correspondencesmay turn out to be a resolution strategy that, in theend, enables the application of the technique presentedin this work.

We discussed that there is a large body of workon refinement operations that preserve behaviouralproperties. Similarly, transformation rules forbehavioural models that preserve the notions ofbehaviour inheritance have been presented in [6]. Weaim at investigating similar rules that go beyond existingrules in terms of expressiveness, but preserve thepresented notions of behaviour compatibility in futurework. As outlined in [6], such rules shall meet twocriteria, computational efficiency for verifying whetherthe rule satisfies the requirements and usability from apractical point of view. Besides transformation rules,feedback on deviations in case of violated compatibilityis a direction for future work.

REFERENCES

[1] Weske, M. (2007) Business Process Management:Concepts, Languages, Architectures. Springer.

[2] van Glabbeek, R. J. (2001) Handbook of ProcessAlgebra. Elsevier.

[3] van Glabbeek, R. J. (1993) The linear time - branchingtime spectrum ii. In Best, E. (ed.), CONCUR,Hildesheim, Germany, August 23-26, Lecture Notes inComputer Science, 715, pp. 66–81. Springer.

[4] Weidlich, M., Dijkman, R. M., and Weske, M.(2010) Deciding behaviour compatibility of complexcorrespondences between process models. In Hull, R.,Mendling, J., and Tai, S. (eds.), BPM, Hoboken, NJ,USA, September 13-16, Lecture Notes in ComputerScience, 6336, pp. 78–94. Springer.

[5] van der Aalst, W. M. P. and Basten, T. (1997) Life-cycleinheritance: A petri-net-based approach. In Azema, P.and Balbo, G. (eds.), ICATPN, Toulouse, France, June23-27, Lecture Notes in Computer Science, 1248, pp.62–81. Springer.

[6] Basten, T. and Aalst, W. (2001) Inheritance of behavior.JLAP, 47, 47–145.

[7] Reisig, W. (1985) Petri Nets: An Introduction,Monographs in Theoretical Computer Science. AnEATCS Series, 4. Springer.

[8] Zelewski, S. (1995) Petrinetzbasierte Modellierungkomplexer Produktionssysteme - Eine Untersuchungdes Beitrags von Petrinetzen zur Prozeßkoordinierungin komplexen Produktionssystemen, insbesondere



Flexiblen Fertigungssystemen, Band 9: Beurteilungdes Petrinetz-Konzepts. Technical report. Universityof Leipzig. (in German).

[9] van Glabbeek, R. J. (1990) Comparative ConcurrencySemantics and Refinement of Actions. PhD thesisFree University Amsterdam. Introduction availableat http://theory.stanford.edu/~rvg/thesis.html.Second edition available as CWI tract 109, CWI,Amsterdam 1996.

[10] (2011) Business Process Model and Notation (BPMN)Version 2.0. Technical Report. Object ManagementGroup (OMG).

[11] Keller, G., Nuttgens, M., and Scheer, A.-W. (1992)Semantische Prozeßmodellierung auf der Grundlage‘Ereignisgesteuerter Prozeßketten (EPK)’. TechnicalReport 89. Veroffentlichungen des Instituts furWirtschaftsinformatik, Saarbrucken.

[12] van Glabbeek, R. J. and Weijland, W. P. (1996)Branching time and abstraction in bisimulationsemantics. J. ACM, 43, 555–600.

[13] Hoare, C. A. R. (1980) Communicating sequentialprocesses. In McKeag, R. M. and MacNaghten, A. M.(eds.), On the construction of programs. CambridgeUniversity Press.

[14] Hidders, J., Dumas, M., Aalst, W., Hofstede, A., andVerelst, J. (2005) When are two workflows the same? InAtkinson, M. D. and Dehne, F. K. H. A. (eds.), CATS,Newcastle, NSW, Australia, January-February 2005,CRPIT, 41, pp. 3–11. Australian Computer Society.

[15] Rosemann, M. and van der Aalst, W. M. P. (2007) Aconfigurable reference modelling language. Inf. Syst.,32, 1–23.

[16] Gottschalk, F., van der Aalst, W. M. P., Jansen-Vullers,M. H., and Rosa, M. L. (2008) Configurable workflowmodels. Int. J. Cooperative Inf. Syst., 17, 177–221.

[17] Euzenat, J. and Shvaiko, P. (2007) Ontology Matching.Springer-Verlag.

[18] Rahm, E. and Bernstein, P. A. (2001) A survey ofapproaches to automatic schema matching. VLDBJournal, 10, 334–350.

[19] Choi, N., Song, I.-Y., and Han, H. (2006) A survey onontology mapping. SIGMOD Record, 35, 34–41.

[20] Dijkman, R., Dumas, M., Garcıa-Banuelos, L., andKaarik, R. (2009) Aligning business process models.In: EDOC, Auckland, New Zealand, September 1-4,pp.45–53, IEEE Computer Society.

[21] Nejati, S., Sabetzadeh, M., Chechik, M., Easterbrook,S. M., and Zave, P. (2007) Matching and merging ofstatecharts specifications. ICSE, Minneapolis, MN,USA, May 20-26, pp. 54–64. IEEE Computer Society.

[22] Weidlich, M., Dijkman, R. M., and Mendling, J. (2010)The ICoP framework: Identification of correspondencesbetween process models. In Pernici, B. (ed.), CAiSE,Hammamet, Tunisia, June 7-9, Lecture Notes inComputer Science, 6051, pp. 483–498. Springer.

[23] Dumas, M., Garcıa-Banuelos, L., and Dijkman, R. M.(2009) Similarity search of business process models.IEEE Data Eng. Bull., 32, 23–28.

[24] Bunke, H. (2000) Graph matching: Theoreticalfoundations, algorithms, and applications. Proceedingsof the International Conference on Vision Interface,Montreal, Quebec, Canada, May, pp. 82–88.

[25] Dijkman, R. M., Dumas, M., and Garcıa-Banuelos, L.(2009) Graph matching algorithms for business processmodel similarity search. In Dayal, U., Eder, J., Koehler,J., and Reijers, H. A. (eds.), BPM, Ulm, Germany,September 8-10, Lecture Notes in Computer Science,5701, pp. 48–63. Springer.

[26] Dijkman, R. M., Dumas, M., van Dongen, B. F., Kaarik,R., and Mendling, J. (2011) Similarity of businessprocess models: Metrics and evaluation. Inf. Syst.,36, 498–516.

[27] Li, C., Reichert, M., and Wombacher, A. (2008) Onmeasuring process model similarity based on high-levelchange operations. In Li, Q., Spaccapietra, S., Yu,E. S. K., and Olive, A. (eds.), ER, Barcelona, Spain,October 20-24, Lecture Notes in Computer Science,5231, pp. 248–264. Springer.

[28] Kuster, J., Gerth, C., Forster, A., and Engels, G. (2008)Detecting and resolving process model differences in theabsence of a change log. BPM, Milan, Italy, September2-4, LNCS, 5240, pp. 244–260.

[29] Sokolsky, O., Kannan, S., and Lee, I. (2006) Simulation-based graph similarity. TACAS, Vienna, Austria, March25 - April 2, pp. 426–440.

[30] Wombacher, A. and Rozie, M. (2006) Evaluation ofworkflow similarity measures in service discovery. InSchoop, M., Huemer, C., Rebstock, M., and Bichler, M.(eds.), Service Oriented Electronic Commerce, LNI, 80,pp. 51–71. GI.

[31] Wombacher, A. and Li, C. (2010) Alternative approachesfor workflow similarity. IEEE SCC, Miami, Florida,USA, July 5-10, pp. 337–345. IEEE Computer Society.

[32] Dongen, B., Dijkman, R. M., and Mendling, J. (2008)Measuring similarity between business process models.In Bellahsene, Z. and Leonard, M. (eds.), CAiSE,Montpellier, France, June 16-20, LNCS, 5074, pp. 450–464. Springer.

[33] Kunze, M., Weidlich, M., and Weske, M. (2011)Behavioral similarity - a proper metric. In Rinderle-Ma, S., Toumani, F., and Wolf, K. (eds.), BPM,Clermont-Ferrand, France, August 30 - September 2,Lecture Notes in Computer Science, 6896, pp. 166–181.Springer.

[34] Brauer, W., Gold, R., and Vogler, W. (1989) A surveyof behaviour and equivalence preserving refinements ofPetri nets. In Rozenberg, G. (ed.), Applications andTheory of Petri Nets, Bonn, Germany, June, LectureNotes in Computer Science, 483, pp. 1–46. Springer.

[35] Peterson, J. L. (1977) Petri nets. ACM Comput. Surv.,9, 223–252.

[36] Murata, T. (1989) Petri nets: Properties, analysis andapplications. Proceedings of the IEEE, 77, 541–580.

[37] Aceto, L. and Hennessy, M. (1994) Adding actionrefinement to a finite process algebra. Inf. Comput.,115, 179–247.

[38] Wong, P. Y. H. and Gibbons, J. (2007) A process-algebraic approach to workflow specification andrefinement. In Lumpe, M. and Vanderperren, W. (eds.),Software Composition, Lecture Notes in ComputerScience, 4829, pp. 51–65. Springer.

[39] Weidlich, M., Mendling, J., and Weske, M. (2011)Efficient consistency measurement based on behavioralprofiles of process models. IEEE Trans. Software Eng.,37, 410–429.



[40] Weidlich, M., Polyvyanyy, A., Mendling, J., andWeske, M. (2011) Causal behavioural profiles – efficientcomputation, applications, and evaluation. FundamentaInformaticae (FI), -, –. To appear.


behaviour equivalence and compatibility of business process … · 2017-07-31 · business process...

Documents