Keywords

figure a
figure b

1 Introduction

Petri nets are a popular formalism to model problem in software verification [22], business processes [1] and many more (see [42] for a survey). One of the fundamental problems for such models is the termination problem, i.e. whether the lengths of all runs are universally bounded. There are two natural variants of this problem. First, if the initial configuration is fixed then the problem is effectively equivalent to the boundedness problem, known to be EXPSPACE-complete for Petri nets [36, 41]. Second, if termination must hold for all initial configurations the problem known to be in polynomial time [30], and such nets are known as structurally terminating. In this paper we are interested in the latter variant.

Termination time is usually studied for vector addition system with states (VASS), an extension of Petri nets that allows the use of control states. In particular, the aforementioned EXPSPACE and polynomial time bounds work for VASS. In 2018, a deeper study of the termination problem for VASS was initiated [12]. This study concerns the asymptotics of the function f(n) bounding the length of runs, where n bounds the size of the initial configuration. The focus is particularly on classes where f(n) is a polynomial function, suggesting that such classes are more relevant for practical applications. This line of work was later continued for variants of VASS involving probabilities [11] and games [31].

For VASS the function f(n) can asymptotically be as big as \(F_i(n)\) in the Grzegorczyk hierarchy for any finite i (recall that \(F_3(n)\) is nonelementary and \(F_\omega (n)\) is Ackermann) [35, 43]. It was known that for terminating Petri nets many problems are considerably simpler [40]. However, to the best of our knowledge, the asymptotic behaviour of f(n) was not studied for Petri nets.

Our Contributions. In this paper we focus on workflow nets, a class of Petri nets widely used to model business processes [1]. Our first result is the following dichotomy: any workflow net is either non-terminating or f(n) is linear. This confirms the intuition about fast termination of practical models [12]. In our proof, we follow the intuition of applying linear algebra from [40] and rely on recent results on workflow nets [9]. We further show that the optimal constant \(a_{\mathcal {N}}\) such that \(f(n) = a_{\mathcal {N}}\cdot n\) can be computed in polynomial time. The core of this computation relies on a reduction to continuous Petri nets [19], a well known relaxation of Petri nets. Then we can apply standard tools from the theory of continuous Petri nets, where many problems are in polynomial time [7, 19].

For workflow nets, the central decision problems are related to soundness. There are many variants of this problem (see [2] for a survey). For example k-soundness intuitively verifies that k started processes eventually properly terminate. We are interested in generalised soundness, which verifies whether k-soundness holds for all k [25,26,27]. The exact complexity of most popular soundness problems was established only recently in 2022 [9]. Generalised soundness is surprisingly PSPACE-complete. Other variants, like k-soundness, are EXPSPACE-complete, thus computationally harder, despite having a seemingly less complex definition. Moreover, unlike k-soundness and other variants, generalised soundness preserves desirable properties like composition [26]. Building on our first result, i.e. the dichotomy between non-terminating and linearly terminating workflow nets, our second result is that generalised soundness is coNP-complete for terminating workflow nets.

Finally, we observe that the asymptotics of f(n) are defined with the implicit assumption that transitions are fired sequentially. Since workflow nets are models for parallel executions it is natural to expect that runs would also be performed in parallel. Our definition of parallel executions is inspired by similar concepts for time Petri nets, and can be seen as a particular case [5]. We propose a definition of the optimal running time of runs exploiting parallelism and denote this time g(n), where n bounds the size of the initial marking. We show that the asymptotic behaviour of g(n), similar to f(n), can be computed in polynomial time, for workflow nets with mild assumptions. Together, the two functions f(n) and g(n) can be seen as (pessimistic) upper bound and (optimistic) lower bound on the time needed for the workflow net to terminate.

Experiments. Based on our insights, we implement several procedures for problems related to termination in workflow nets. Namely, we implement our algorithms for checking termination, for deciding generalised soundness of workflow nets and for computing the asymptotic behaviour of f(n). We additionally implement procedures to compute f(k), g(k) and decide k-soundness for terminating workflow nets. To demonstrate the efficacy of our procedures, we test our implementation on a popular and well-studied benchmark suite of 1382 workflow nets, originally introduced in [18]. It turns out that the vast majority of instances (roughly 90%) is terminating, thus the class of terminating workflow nets seems highly relevant in practice. Further, we positively evaluate our algorithm for generalised soundness against a recently proposed state-of-art approach [10] which semi-decides the property in general, and is further exact on the class of free-choice workflow nets [3]. Interestingly, our novel approach for generalised soundness is also a semi-procedure in general, but precise on terminating workflow nets. The approach from [10] is implemented as an \(\exists \forall \)-formula from FO(\(\mathbb {Q},<,+\)), while our approach manages to avoid any quantifier alternations. It turns out that our approach is faster on over 95% of benchmark instances, and thus significantly improves upon the state-of-art. The mean analysis time for our approach is just 12.8 ms, while it is about 2 s for the previous state-of-the-art. In addition, the classes of free-choice and terminating workflow nets are incomparable, thus our approach complements the state-of-the-art.

Related Work. For general Petri nets and VASS the most well-known problem is reachability, recently shown to be Ackermann-complete [14, 33, 34]. Despite its high complexity, there are tools for the problem [16, 45], including some based on integer and continuous relaxations [6, 8, 21]. Reachability was also studied in the context of terminating models. In particular, it is PSPACE-complete for structurally terminating Petri nets [40] and EXPSPACE-complete for polynomially terminating VASS [32].

Most algorithms for soundness are based on reductions to reachability [1], this is the case for the first algorithms for generalised soundness [25, 27]. However, such reductions only imply Ackermannian upper bounds on the problem, while a direct study yielded elementary complexities [9].

A different class of approaches for soundness relies on reduction rules, which can be applied iteratively to reduce the size of a net while exactly preserving soundness [4, 39]. These approaches are not precise in general, but can be for subclasses, e.g. for live and bounded free-choice workflow nets [15]. We use a certain set of reduction rules [13] for generalised soundness in our experimental evaluation.

There exist many established tools and frameworks for the analysis of workflow nets, for example Woflan [44], WoPeD [20], and ProM [17]. However, when it comes to soundness problems, these tools typically focus on k-soundness, with a particular focus on \(k=1\) (except for the discussed tool in [10]).

Organisation. In Sect. 2 we define the models, problems and basic notation. In Sect. 3 we prove the dichotomy between non-terminating and linear workflow nets. Then, we show how to compute the linear constants for terminating workflow nets in Sect. 4. Building on the dichotomy we show that generalised soudness is coNP-complete in Sect. 5. In Sect. 6 we define and compute a variant of termination time that takes into account parallelism. We present our experimental results in Sect. 7. Most proofs can be found in the appendix.

2 Preliminaries

We write \(\mathbb {N}, \mathbb {N}_{> 0}, \mathbb {Z}, \mathbb {Q}\) and \(\mathbb {Q}_{\ge 0}\) for the naturals (including 0), the naturals without 0, the integers, the rationals, and the nonnegative rationals, respectively.

Let N be a set of numbers, e.g. \(N = \mathbb {N}\). For \(d, d_1, d_2 \in \mathbb {N}_{> 0}\) we write \(N^d\) for the set of vectors with elements from N in dimension d. Similarly, \(N^{d_1 \times d_2}\) is the set of matrices with \(d_1\) rows and \(d_2\) columns and elements from N. We use bold font for vectors and matrices. For \(a \in \mathbb {Q}\) and \(d \in \mathbb {N}_{> 0}\), we write \(\boldsymbol{a}^d {:}{=}(a,a,\dots ,a) \in \mathbb {Q}^d\) (or \(\boldsymbol{a}\) if d is clear from context). In particular \(\boldsymbol{0}^d = \boldsymbol{0}\) is the zero vector.

Sometimes it is more convenient to have vectors with coordinates in a finite set. Thus, for a finite set \({{S}}\), we write \(\mathbb {N}^{{S}}\), \(\mathbb {Z}^{{S}}\), and \(\mathbb {Q}^{{S}}\) for the set of vectors over naturals, integers and rationals. Given a vector \(\boldsymbol{v}\) and an element \(s \in {{S}}\), we write \(\boldsymbol{v}(s)\) for the value \(\boldsymbol{v}\) assigns to s.

Given \(\boldsymbol{v}, \boldsymbol{w}\in \mathbb {Q}^{{S}}\), we write \(\boldsymbol{v} \le \boldsymbol{w}\) if \(\boldsymbol{v}(s) \le \boldsymbol{w}(s)\) for all \(s \in {{S}}\), and \(\boldsymbol{v} <\boldsymbol{w}\) if \(\boldsymbol{v} \le \boldsymbol{w}\) and \(\boldsymbol{v}(s) <\boldsymbol{w}(s)\) for some \(s \in {{S}}\). The size of \({{S}}\), denoted \(| {{S}} |\), is the number of elements in \({{S}}\). We define the norm of a vector \(\Vert \boldsymbol{v} \Vert {:}{=}\max _{s \in {{S}}} | \boldsymbol{v}(s) |\), and the norm of a matrix \(\boldsymbol{A} \in \mathbb {Q}^{m \times n}\) as \(\Vert \boldsymbol{A} \Vert {:}{=}\max _{1 \le j \le m, 1 \le i \le n} | A(i,j) |\). For a set \({{S}}\in \mathbb {Q}^d\), we denote by \(\overline{{{S}}} \in \mathbb {R}^d\) the closure of \({{S}}\) in the euclidean space.

2.1 (Integer) Linear Programs

Let \(n,m \in \mathbb {N}_{> 0}\), \(\boldsymbol{A} \in \mathbb {Z}^{m \times n}\), and \(\boldsymbol{b} \in \mathbb {Z}^m\). We say that \(G {:}{=}\boldsymbol{A}\boldsymbol{x} \le \boldsymbol{b}\) is a system of linear inequalities with m inequalities and n variables. The norm of a system G is defined as \(\Vert G \Vert {:}{=}\Vert \boldsymbol{A} \Vert + \Vert \boldsymbol{b} \Vert + m + n\). An \((m \times n)\)-ILP, short for integer linear program, is a system of linear inequalities with m inequalities and n variables, where we are interested in the integer solutions. An \((m \times n)\)-LP is such a system where we are interested in the rational solutions. We use the term MILP, short for mixed integer linear program, for a system where some variables are allowed to take on rational values, while others are restricted to integer values.

We allow syntactic sugar in ILPs and LPs, such as allowing constraints \(x \ge y\), \(x = y\), \(x< y\) (in the case of ILPs). Sometimes we are interested in finding optimal solutions. This means we have a objective function, formally a linear function on the variables of the system, and look for a solution that either maximizes or minimizes the value of that function. For LPs, finding an optimal solution can be done in polynomial time, while this is NP-complete for ILPs and MILPs.

2.2 Petri Nets

A Petri net \(\mathcal {N}\) is a triple (PTF), where P is a finite set of places; T is a finite set of transitions such that \(T \cap P = \emptyset \); and \(F :((P \times T) \cup (T \times P)) \rightarrow \mathbb {N}\) is a function describing its arcs. A marking is a vector \(\boldsymbol{m}\in \mathbb {N}^P\). We say that \(\boldsymbol{m}(p)\) is the number of tokens in place \(p \in P\) and p is marked if \(\boldsymbol{m}(p)>0\). To write markings, we list only non-zero token amounts. For example, \(\boldsymbol{m}= \{p_1 :2, p_2 :1\}\) is the marking \(\boldsymbol{m}\) with \(\boldsymbol{m}(p_1) = 2, \boldsymbol{m}(p_2) = 1\) and \(\boldsymbol{m}(p) = 0\) for all \(p \in P \setminus \{p_1, p_2\}\).

Let \(t \in T\). We define the vector \({^\bullet t} \in \mathbb {N}^P\) by \({^\bullet t}(p) {:}{=}F(p,t)\) for \(p \in P\). Similarly, the vector \({t^\bullet } \in \mathbb {N}^P\) is defined by \({t^\bullet }(p) {:}{=}F(t,p)\) for \(p \in P\). We write the effect of t as \(\varDelta (t){:}{=}{t^\bullet } - {^\bullet t}\). A transition t is enabled in a marking \(\boldsymbol{m}\) if \(\boldsymbol{m}\ge {^\bullet t}\). If t is enabled in the marking \(\boldsymbol{m}\), we can fire it, which leads to the marking \(\boldsymbol{m}' {:}{=}\boldsymbol{m}+ \varDelta (t)\), which we denote \(\boldsymbol{m}\xrightarrow {}^{t} \boldsymbol{m}'\). We write \(\boldsymbol{m}\xrightarrow {}^{} \boldsymbol{m}'\) if there exists some \(t \in T\) such that \(\boldsymbol{m}\xrightarrow {}^{t} \boldsymbol{m}'\).

A sequence of transitions \(\pi = t_1 t_2 \dots t_n\) is called a run. We denote the length of \(\pi \) as \(| \pi | {:}{=}n\). A run \(\pi \) is enabled in a marking \(\boldsymbol{m}\) iff \(\boldsymbol{m}\xrightarrow {}^{t_1} \boldsymbol{m}_1 \xrightarrow {}^{t_2} \boldsymbol{m}_2 \xrightarrow {}^{t_3} \dots \boldsymbol{m}_{n-1} \xrightarrow {}^{t_n} \boldsymbol{m}'\) for some markings \(\boldsymbol{m}_1, \boldsymbol{m}_2, \dots , \boldsymbol{m}' \in \mathbb {N}^P\). The set of all runs is denoted \(\text {Runs}_{\mathcal {N}}^{\boldsymbol{m}}\), i.e. \(\pi \in \text {Runs}_{\mathcal {N}}^{\boldsymbol{m}}\) if \(\pi \) is enabled in \(\boldsymbol{m}\). The effect of \(\pi \) is \(\varDelta (\pi ) {:}{=}\sum _{i \in [1..n]} \varDelta (t_i)\). Firing \(\pi \) from \(\boldsymbol{m}\) leads to a marking \(\boldsymbol{m}'\), denoted \(\boldsymbol{m}\xrightarrow {}^{\pi } \boldsymbol{m}'\), iff \(\boldsymbol{m}\in \text {Runs}_{\mathcal {N}}^{\boldsymbol{m}}\) and \(\boldsymbol{m}' = \boldsymbol{m}+ \varDelta (\pi )\). We denote by \(\xrightarrow {}^{*}\) the reflexive, transitive closure of \(\xrightarrow {}^{}\). Given two runs \(\pi = t_1 t_2 \dots t_n\) and \(\pi ' = t'_1 t'_2 \dots t'_{n'}\) we denote \(\pi \pi ' {:}{=}t_1 t_2 \dots t_n t'_1 t'_2 \dots t'_{n'}\).

The size of a Petri net is defined as \(| \mathcal {N} | = | P | + | T | + | F |\). We define the norm of \(\mathcal {N}\) as \(\Vert \mathcal {N} \Vert {:}{=}\Vert F \Vert + 1\), where we view F as a vector in \(\mathbb {N}^{(P \times T) \cup (T \times P)}\).

We also consider several variants of the firing semantics of Petri nets which we will need throughout the paper. In the integer semantics, we consider markings over \(\mathbb {Z}^P\), and transitions can be fired without being enabled. To denote the firing and reachability relations, we use the notations \(\xrightarrow {}_{\mathbb {Z}}^{}\) and \(\xrightarrow {}_{\mathbb {Z}}^{*}\). In the continuous semantics [19], we consider markings over \(\mathbb {Q}_{\ge 0}^P\). Given \(t \in T\) and a scaling factor \(\beta \in \mathbb {Q}_{\ge 0}\)Footnote 1, the effect of firing \(\beta t\) is \(\varDelta (\beta t) {:}{=}\beta \cdot \varDelta (t)\). Further, \(\beta t\) is enabled in a marking \(\boldsymbol{m}\) iff \(\beta \cdot {^\bullet t} \le \boldsymbol{m}\). We use \(\xrightarrow {}_{\mathbb {Q}_{\ge 0}}^{}\) for the continuous semantics, that is, \(\boldsymbol{m}\xrightarrow {}_{\mathbb {Q}_{\ge 0}}^{\beta t} \boldsymbol{m}'\) means \(\beta t\) is enabled in \(\boldsymbol{m}\) and \(\boldsymbol{m}' = \boldsymbol{m}+ \varDelta (\beta t)\). A continuous run \(\pi \) is a sequence of factors and transitions \(\beta _1 t_1 \beta _2 t_2 \dots \beta _n t_n\). Enabledness and firing are extended to continuous runs: \(\boldsymbol{m}\xrightarrow {}_{\mathbb {Q}_{\ge 0}}^{\pi } \boldsymbol{m}'\) holds iff there exist \(\boldsymbol{m}_1, \dots , \boldsymbol{m}_{n-1}\) such that \(\boldsymbol{m}\xrightarrow {}_{\mathbb {Q}_{\ge 0}}^{\beta _1 t_1} \boldsymbol{m}_1 \xrightarrow {}_{\mathbb {Q}_{\ge 0}}^{\beta _2 t_2} \cdots \boldsymbol{m}_{n-1} \xrightarrow {}_{\mathbb {Q}_{\ge 0}}^{\beta _n t_n} \boldsymbol{m}'\). The length of \(\pi \) is \(| \pi |_c {:}{=}\sum _{i = 1}^{n} \beta _i\). Given \(\alpha \in \mathbb {Q}_{\ge 0}\) and a run \(\pi = \beta _1 t_1 \beta _2 t_2 \dots \beta _n t_n\) we write \(\alpha \pi \) to denote the run \((\alpha \beta _1) t_1 (\alpha \beta _2) t_2 \dots (\alpha \beta _n) t_n\). We introduce a lemma stating that continuous runs can be rescaled.

Lemma 1

(Lemma 12(1) in [19]). Let \(\alpha \in \mathbb {Q}_{\ge 0}\). Then \(\boldsymbol{m}\xrightarrow {}_{\mathbb {Q}_{\ge 0}}^{\pi } \boldsymbol{m}'\) if and only if \(\alpha \boldsymbol{m}\xrightarrow {}_{\mathbb {Q}_{\ge 0}}^{\alpha \pi } \alpha \boldsymbol{m}'\).

Each run under normal semantics or integer semantics is equivalent to a continuous run i.e. \(t_1t_2\ldots t_n \approx 1 t_11 t_2\ldots 1 t_2\). Given \(\pi \in \text {Runs}_{\mathcal {N}}^{\boldsymbol{m}}\) (i.e. a standard run) we define \(\alpha \pi = \alpha \pi _c\) where \(\pi _c\approx \pi \) is a continuous run. If \(\pi _c = \beta _1 t_1 \ldots \beta _n t_n\) with \(\beta _i \in \mathbb {N}\) for all \(i \in \{1,\ldots , n\}\) then we also call \(\pi \) a (standard) run, i.e. the run where every transition \(t_i\) is repeated \(\beta _i\) times.

We define the set of continuous runs enabled from \(\boldsymbol{m}\in \mathbb {N}^P\) in \(\mathcal {N}\) as \(\text {CRuns}_{\mathcal {N}}^{\boldsymbol{m}}\). The Parikh image of a continuous run \(\pi = \beta _1 t_1 \beta _2 t_2 \dots \beta _n t_n\) is the vector \(\boldsymbol{R}_{\pi } \in \mathbb {Q}^{T}\) such that \(\boldsymbol{R}_{\pi }(t)=\sum _{i \mid t_i = t} \beta _i\). For a (standard) run \(\pi \) we define its Parikh image \(\boldsymbol{R}_{\pi }{:}{=}\boldsymbol{R}_{\pi _c}\) where \(\pi _c\approx \pi \). Given a vector \(\boldsymbol{R}_{} \in \mathbb {Q}_{\ge 0}^T\), we define \(\varDelta (\boldsymbol{R}_{}) {:}{=}\sum _{t \in T} \boldsymbol{R}_{}(t) \cdot \varDelta (t)\), \({^\bullet \boldsymbol{R}_{}} {:}{=}\sum _{t\in T} {^\bullet t} \cdot \boldsymbol{R}_{}(t)\), \({\boldsymbol{R}_{}^\bullet } {:}{=}\sum _{t\in T} {t^\bullet } \cdot \boldsymbol{R}_{}(t)\). Note that \(\boldsymbol{R}_{}\) is essentially a run without imposing an order on the transitions. For ease of notation, we define \(\varDelta (T)\) as a matrix with columns indexed by T and rows indexed by P, where \(\varDelta (T)(t)(p) {:}{=}\varDelta (t)(p)\). Then \(\varDelta (\boldsymbol{R}_{}) = \varDelta (T)\boldsymbol{R}_{}\).

Fig. 1.
figure 1

A Petri net with places \(p_1\), \(p_2, p_3, p_4\) and transitions \(t_1, t_2\). Marking \(\{p_1:2, p_4 :1\}\) is drawn. No transition is enabled.

Full size image

Example 1

Consider the Petri net drawn in Fig. 1. Marking \(\boldsymbol{m}{:}{=}\{p_1:2, p_4 :1\}\) enables no transitions. However, we have \(\boldsymbol{m}\xrightarrow {}_{\mathbb {Z}}^{t_1 t_2} \{p_3:2\}\). We also have \(\boldsymbol{m}\xrightarrow {}_{\mathbb {Z}}^{t_2 t_1} \{p_3 :2\}\), since the transition order does not matter under the integer semantics. Thus, when we take \(R = \{t_1:1, t_2 :1\}\), we have \(\boldsymbol{m}\xrightarrow {}_{\mathbb {Z}}^{R} \{p_3 :2\}\).

Under the continuous semantics we can fire \(\nicefrac {1}{2}t_1\), which is impossible under the normal semantics. For example, we have \(\boldsymbol{m}\xrightarrow {}_{\mathbb {Q}_{\ge 0}}^{\nicefrac {1}{2}t_1}\{p_1:1, p_2 :\nicefrac {1}{2}\}\xrightarrow {}_{\mathbb {Q}_{\ge 0}}^{\nicefrac {1}{2}t_2} \{p_1:1, p_3 :1, p_4 :1\}\xrightarrow {}_{\mathbb {Q}_{\ge 0}}^{\nicefrac {1}{3}t_1}\{p_1:\nicefrac {1}{3}, p_2 :\nicefrac {1}{3}, p_3 :1, p_4 :\nicefrac {2}{3}\}\).

2.3 Workflow Nets

A workflow net is a Petri net \(\mathcal {N}\) such that:

  • There exists an initial place \(\textsf{i}\) with \(F(t, \textsf{i}) = 0\) for all \(t \in T\) (i.e. no tokens can be added to \(\textsf{i}\));

  • there exists a final place \(\textsf{f}\) with \(F(\textsf{f}, t) = 0\) for all \(t \in T\) (i.e. no tokens can be removed from \(\textsf{f}\)); and

  • in the graph (VE) with \(V = P \cup T\) and \((u,v) \in E\) iff \(F(u,v) \ne 0\), each \(v \in V\) lies on at least one path from \(\textsf{i}\) to \(\textsf{f}\).

We say that \(\mathcal {N}\) is k-sound iff for all \(\boldsymbol{m}\), \(\{\textsf{i}:k\} \xrightarrow {}^{*}\boldsymbol{m}\) implies \(\boldsymbol{m}\xrightarrow {}^{*}\{\textsf{f}:k\}\). Further, we say \(\mathcal {N}\) is generalised sound iff it is k-sound for all k.

A place \(p \in P\) is nonredundant if \(\{\textsf{i}:k\} \xrightarrow {}^{*}\boldsymbol{m}\) for some \(k \in \mathbb {N}\) and marking \(\boldsymbol{m}\) with \(\boldsymbol{m}(p) > 0\), and redundant otherwise. We accordingly say that \(\mathcal {N}\) is nonredundant if all \(p \in P\) are nonredundant, otherwise \(\mathcal {N}\) is redundant. A redundant workflow net can be made nonredundant by removing each redundant place \(p \in P\) and all transitions such that \({^\bullet t}(p) > 0\) or \({t^\bullet }(p) > 0\). Note that this does not impact behaviour of the workflow, as the discarded transitions could not be fired in the original net. A polynomial-time saturation procedure can identify redundant places, see [27, Thm. 8, Def. 10, Sect. 3.2] and [9, Prop. 5.2].

If \(\mathcal {N}\) is a workflow net, we write \(\text {Runs}_{\mathcal {N}}^k\) for the set of runs that are enabled from the marking \(\{\textsf{i}:k\}\), and \(\text {CRuns}_{\mathcal {N}}^k\) for the same for continuous runs. Lemma 1 implies that if \(\pi \in \text {Runs}_{\mathcal {N}}^k\) then \(\frac{1}{k}\pi \in \text {CRuns}_{\mathcal {N}}^1\). The converse does not need to hold as the rescaled continuous run need not have natural coefficients.

Example 2

The Petri net in Fig. 1 can be seen as a workflow net with initial place \(p_1\) and final place \(p_3\). The workflow is not k-sound for any k. Further, the net is redundant: \(\{\textsf{i}:k\}\) is a deadlock for every k, so places \(p_2, p_3\) and \(p_4\) are redundant.\(\lhd \)

2.4 Termination Complexity

Let \(\mathcal {N}\) be a workflow net. Let us define as \(MaxTime_\mathcal {N}(k)\) the supremum of lengths among runs enabled in \(\{\textsf{i}:k\}\), that is, \(MaxTime_\mathcal {N}(k) = \sup \{| \pi | \mid \pi \in \text {Runs}_{\mathcal {N}}^k\}\). We say that \(\mathcal {N}\) is terminating if \(MaxTime_\mathcal {N}(k) \ne \infty \) for all \(k \in \mathbb {N}_{> 0}\), otherwise it is non-terminating.

Fig. 2.
figure 2

Two workflow nets with the initial marking \(\{\textsf{i}:1\}\). The workflow net on the left-hand side is terminating in linear time. The workflow net on the right-hand side is the same as the one on the left, but with one extra transition \(t_4\). It is non-terminating.

Full size image

We say that \(\mathcal {N}\) has polynomial termination time if there exist \(d \in \mathbb {N}\), \(\ell \in \mathbb {R}\) such that for all k,

$$\begin{aligned} MaxTime_\mathcal {N}(k) \le \ell \cdot k^d.\end{aligned}$$
(1)

Further \(\mathcal {N}\) has linear termination time if Eq. (1) holds with \(d = 1\). Even more fine-grained, \(\mathcal {N}\) has \(a\)-linear termination time if Eq. (1) holds for \(\ell =a\) and \(d = 1\). Note that any net with \(a\)-linear termination time also has \((a+b)\)-linear termination time for all \(b \ge 0\). For ease of notation, we call workflow nets that have linear termination time linear workflow nets, and similarly for \(a\)-linear.

We define \(a_\mathcal {N}{:}{=}\inf \{a \in \mathbb {R}\mid \mathcal {N}\text { is } a \text { -linear}\}\). Note that in particular \(\mathcal {N}\) is \(a_\mathcal {N}\)-linear (because the inequality in Eq. (1) is not strict) and that \(a_\mathcal {N}\) is the smallest constant with this property.

Example 3

The net on the left-hand side of Fig. 2 is terminating. For example, from \(\{\textsf{i}:2\}\) all runs have length at most 3. It is easy to see that from \(\{\textsf{i}:k\}\) all runs have length at most \(\frac{3}{2}k\) (e.g. the run \((t_1t_2t_3)^{\lfloor \frac{k}{2} \rfloor }\)). The net has \(a_\mathcal {N}= \nicefrac {3}{2}\).

The net on the right-hand side is non-terminating. From \(\{\textsf{i}:2\}\), all runs of the form \(t_1t_2t_4^*\) are enabled. Note that while the net is non-terminating, all runs from \(\{\textsf{i}:1\}\) have length at most 1 (because \(t_3\) and \(t_4\) are never enabled). \(\lhd \)

Our definition of termination time is particular to workflow nets, as there it is natural to have only \(\textsf{i}\) marked initially. It differs from the original definition of termination complexity in [12]. In [12] VASS are considered instead of Petri nets, and the initial marking is arbitrary. The termination complexity is measured in the size of the encoding of \(\boldsymbol{m}\). The core difference is that in [12] it is possible to have a fixed number of tokens in some places, but arbitrarily many tokens in other places. In Sect. 3 we show an example that highlights the difference between the two notions. Our definition is a more natural fit for workflow nets, and will allow us to reason about soundness. Indeed, our particular definition of termination time allows us to obtain the coNP-completeness result of generalised soundness for linear workflow nets in Sect. 5.

3 A Dichotomy of Termination Time in Workflow Nets

Let us exhibit behaviour in Petri nets that cannot occur in workflow nets. Consider the net drawn in black in Fig. 3 and a family of initial markings \(\{\{p_1: 1, s_1: 1, b: n\} \mid n\in \mathbb {N}\}\). From the marking \(\{p_1: 1, s_1: 1, b: n\}\), all runs have finite length, yet a run has length exponential in n. From the marking \(\{p_1:k, s_1: 1, b: n\}\), the sequence \((t_1 t_2)^k t_4 (t_3)^{2k} t_5\) results in the marking \(\{p_1: 2k, s_1: 1, b:n-1\}\). Thus, following this pattern n times leads from \(\{p_1: 1, s_1: 1, b: n\}\) to \(\{p_1: 2^n, s_1: 1\}\). This behaviour crucially requires us to keep a single token in \(s_1\), while having n tokens in b.

We can transform the net into a workflow net, as demonstrated by the part of Fig. 3. However, observe that then

$$\begin{aligned} \{\textsf{i}: 2\} \xrightarrow {}^{t_\textsf{i}t_\textsf{i}t_4} \{p_1: 2, s_1: 1, s_2: 1, b : 1\} \xrightarrow {}^{t_1 t_2 t_3} \{p_1: 2, s_1: 1, s_2: 1, b : 1, p_3:1\}. \end{aligned}$$

Note that the sequence \(t_1 t_2 t_3\) strictly increased the marking. It can thus be fired arbitrarily many times, and the workflow net is non-terminating.

It turns out that, contrary to standard Petri nets, there exist no workflow nets with exponential termination time.Footnote 2 Instead, there is a dichotomy between non-termination and linear termination time.

Theorem 1

Every workflow net \(\mathcal {N}\) is either non-terminating or linear. Moreover, \(MaxTime_\mathcal {N}(k) \le ak\) for some \(a \le \Vert \mathcal {N} \Vert ^{poly(| \mathcal {N} |)}\).

Fig. 3.
figure 3

In black: A Petri net \(\mathcal {N}\) adapted from [28, Lemma 2.8]. It enables a run with length exponential in n from marking \(\{p_1: 1, s_1: 1, b: n\}\). In : Additional places and transitions, which make \(\mathcal {N}\) a workflow net.

Full size image

As explained in Sect. 2.3 we can assume that \(\mathcal {N}\) is nonredundant, i.e. for all \(p \in P\) there exists \(k \in \mathbb {N}\) such that \(\{\textsf{i}:k\} \xrightarrow {}^{*}\boldsymbol{m}\) with \(\boldsymbol{m}(p) > 0\). The first important ingredient is the following lemma.

Lemma 2

Let \(\mathcal {N}= (P,T,F)\) be a nonredundant workflow net. Then \(\mathcal {N}\) is non-terminating iff there exists a nonzero \(\boldsymbol{R}_{} \in \mathbb {N}^T\) such that \(\varDelta (\boldsymbol{R}_{}) \ge \boldsymbol{0}\).

Proof (sketch)

The first implication follows from the fact that if we start from a big initial marking, then it is possible to fill every place with arbitrarily many tokens. In such a configuration any short run is enabled, so if there is a run with non-negative effect then it is further possible to repeat it infinitely many times. For the other implication we reason as follows. If there is an infinite run then by Dickson’s lemma there are \(\boldsymbol{m},\boldsymbol{m}' \in \mathbb {N}^P\) such that for some k, it holds that \(\{\textsf{i}:k\}\xrightarrow {}^{\pi }\boldsymbol{m}\xrightarrow {}^{\rho }\boldsymbol{m}'\) and \(\boldsymbol{m}'\ge \boldsymbol{m}\). But then \(\varDelta (\boldsymbol{R}_{\rho })=\boldsymbol{m}'-\boldsymbol{m}\ge \boldsymbol{0}\).    \(\square \)

We define ILP\(_\mathcal {N}\) with a \(| T |\) dimensional vector of variables \(\boldsymbol{x}\) as the following system of inequalities: \(\boldsymbol{x}\ge \boldsymbol{0}\) and \(\varDelta (T)\boldsymbol{x}\ge \boldsymbol{0} -\{\textsf{i}:\infty \}\).Footnote 3 The next lemma follows immediately from the definition of \(\xrightarrow {}_{\mathbb {Z}}^{}\).

Lemma 3

[Adapted from Claim 5.7 in [9]] For every \(k \in \mathbb {N}\), \(\boldsymbol{m}\in \mathbb {N}^P\), and a run \(\pi \), it holds that \(\{\textsf{i}:k\} \xrightarrow {}_{\mathbb {Z}}^{\pi } \boldsymbol{m}\) iff \(\boldsymbol{R}_{\pi }\) is a solution to ILP\(_\mathcal {N}\) with the additional constraint \(\sum _{i = 1}^{| T |} \varDelta (t_i)(\textsf{i}) \cdot \boldsymbol{R}_{\pi }(t_i) \ge -k\).

Proof

(Sketch for Theorem 1). Because of Lemma 3 the Parikh image of every run (in \(\bigcup _{k\in \mathbb {N}}\text {Runs}_{\mathcal {N}}^k\)) is a solution \(\boldsymbol{R}_{}\in \mathbb {N}^{T}\) of \(\varDelta (T)\boldsymbol{\boldsymbol{R}_{}}\ge -\{\textsf{i}:\infty \}\). So, we consider a set of solutions of the system of inequalities \(\varDelta (T)\boldsymbol{\boldsymbol{R}_{}}\ge -\{\textsf{i}:\infty \}\). It is a linear set, so the sum of two solutions is again a solution and any solution can be written as a sum of small solutions with norm smaller than some \(c \in \mathbb {N}\). For such small solutions, the length of any corresponding run is at most \(| T | \cdot c\). Now observe that if the workflow is terminating then there is no \(\boldsymbol{R}_{}\in \mathbb {N}^T\) such that \(\varDelta (T)\boldsymbol{\boldsymbol{R}_{}}\ge \boldsymbol{0}\), because of Lemma 2. But it holds that \(\varDelta (\boldsymbol{R}_{})(\textsf{i})\le -1\) for any solution \(\boldsymbol{R}_{}\), so in particular for all small solutions. Let us take a run \(\pi \in \text {Runs}_{\mathcal {N}}^k\). We decompose \(\boldsymbol{R}_{\pi }\) as a finite sum \(\sum _i^\ell \boldsymbol{R}_{i}\) where \(\boldsymbol{R}_{i}\) are from the set of small solutions. We have \(-k\le \varDelta (\boldsymbol{R}_{i})(\textsf{i})=\sum _{i}^\ell \varDelta (\boldsymbol{R}_{i})(\textsf{i})\le \sum _{i}^\ell -1=-\ell \). Recall that the norm of small solutions is bounded by c. It follows that the length of the run \(\pi \) is bounded by \(\ell \cdot | T | \cdot c\le k\cdot | T |\cdot c\). So the workflow is \(| T | \cdot c\)-linear.

4 Refining Termination Time

Recall that \(a_{\mathcal {N}}\) is the smallest constant such that \(\mathcal {N}\) is \(a_{\mathcal {N}}\)-linear. In this section, we are interested in computing \(a_{\mathcal {N}}\). This number is interesting, as it can give insights into the shape and complexity of the net, i.e. a large \(a_{\mathcal {N}}\) implies complicated runs firing transitions several times, while a small \(a_{\mathcal {N}}\) implies some degree of choice, where not all transitions can be fired for each initial token.

The main goal of this section is to show an algorithm for computing \(a_{\mathcal {N}}\). Our algorithm handles the more general class of aggregates on workflow nets, and we can compute \(a_{\mathcal {N}}\) as such an aggregate. More formally, let \(\mathcal {N}=(P,T,F)\) be a workflow net. An aggregate is a linear map \(f : \mathbb {Q}^{T} \rightarrow \mathbb {Q}\). The aggregate of a (continuous) run is the aggregate of its Parikh image, that is \(f(\pi ) {:}{=}f(\boldsymbol{R}_{\pi })\).

Example 4

Consider the aggregate \(f_{all}(\pi ){:}{=}\sum _{t\in T}\boldsymbol{R}_{\pi }(t) = | \pi |\), which computes the number of occurrences of all transitions. Let us consider two other natural aggregates. The aggregate \(f_t(\pi ){:}{=}\boldsymbol{R}_{\pi }(t)\) computes the number of occurrences of transition t, and \(f_p(\pi ){:}{=}\sum _{t\in T}\varDelta (t)(p) \cdot \boldsymbol{R}_{\pi }(t)\) computes the number of tokens added to place p. Another use for aggregates is counting transition, but with different weights for each transition, thus simulating e.g. different costs.\(\lhd \)

Given a workflow net \(\mathcal {N}\) and an aggregate f we define

$$\begin{aligned} \text {sup}_{f,\mathcal {N}} = \sup \left\{ \frac{f(\pi )}{k} \mid k \in \mathbb {N}_{> 0}, \; \pi \in \text {Runs}_{\mathcal {N}}^k \right\} . \end{aligned}$$
(2)

Let us justify the importance of this notion by relating it to \(a_{\mathcal {N}}\).

Proposition 1

Let \(\mathcal {N}\) be a linear workflow net. Then \(a_{\mathcal {N}}=\text {sup}_{f_{all},\mathcal {N}}\).

Proof

Recall that \(a_{\mathcal {N}}\) is the smallest number a such that \(| \pi | \le a \cdot k\) for all \(k \in \mathbb {N}_{> 0}\) and \(\pi \in \text {Runs}_{\mathcal {N}}^k\). Equivalently, \(\frac{| f_{all}(\pi ) |}{k} \le a\). Thus by definition \( \text {sup}_{f_{all},\mathcal {N}} \le a_{\mathcal {N}}\), and the inequality cannot be strict since \(a_{\mathcal {N}}\) is the smallest number with this property.    \(\square \)

Theorem 2

Consider a workflow net \(\mathcal {N}\) and an aggregate f. The value \(\text {sup}_{f,\mathcal {N}}\) can be computed in polynomial time.

Corollary 1

Let \(\mathcal {N}= (P,T,F)\) be a linear workflow net. The constant \(a_{\mathcal {N}}\) can be computed in polynomial time.

In practice, we can use an LP solver to compute the constant \(a_{\mathcal {N}}\). The algorithm is based on the fact that continuous reachability for Petri nets is in polynomial time [7, 19]. We formulate a lemma that relates the values of aggregates under the continuous and standard semantics.

Lemma 4

Let \(\mathcal {N}\) be a Petri net and f be an aggregate.

  1. 1.

    Let \(\pi \in \text {Runs}_{\mathcal {N}}^k\). Then \(\nicefrac {1}{k} \cdot \pi \in \text {CRuns}_{\mathcal {N}}^1\) and \(f(\nicefrac {1}{k}\cdot \pi )=\nicefrac {f(\pi )}{k}\).

  2. 2.

    Let \(\pi _c \in \text {CRuns}_{\mathcal {N}}^1\). There are \(k \in \mathbb {N}\) and \(\pi \in \text {Runs}_{\mathcal {N}}^k\) with \(f(\pi _c)=\nicefrac {f(\pi )}{k}\).

Proof

Both items are simple consequences of Lemma 1 and the linearity of aggregates. Note that for (2), if \(\pi _c=\beta _1t_1 \ldots \beta _nt_n\) then it suffices to define k such that \(\beta _i \cdot k \in \mathbb {N}\) for all \(i \in \{1,\ldots ,n\}\).    \(\square \)

From the above lemma we immediately conclude the following.

Corollary 2

It holds that \(\text {sup}_{f,\mathcal {N}}=sup\{f(\pi _c) \mid \pi _c \in \text {CRuns}_{\mathcal {N}}^1\}\).

Proof

(The proof of Theorem 2). We use Corollary 2 and conclude that we have to compute \(sup\{f(\pi _c) \mid \pi _c \in \text {CRuns}_{\mathcal {N}}^1\}\). Let \({{S}}=\{\boldsymbol{R}_{\pi _c} \mid \pi _c \in \text {CRuns}_{\mathcal {N}}^1\}\). As \(f(\pi )\) is defined as \(f(\boldsymbol{R}_{\pi })\) , we reformulate our problem to compute \(sup\{f(\boldsymbol{v}) \mid \boldsymbol{v} \in {{S}}\}\). Since f is a continuous function, it holds that \(sup\{f(\boldsymbol{v}) \mid \boldsymbol{v} \in {{S}}\}=sup\{f(\boldsymbol{v}) \mid \boldsymbol{v} \in \overline{{{S}}}\}\). Let us define \(\text {LP}_{\text {f}, \mathcal {N}}\) as an LP with variables \(\boldsymbol{x} {:}{=}x_1, \dots , x_{| T |}\) and constraints \(\varDelta (T)\boldsymbol{x}\ge - \{\textsf{i}:1\}\) and \(\boldsymbol{x} \ge \boldsymbol{0}\).

Claim 1

It holds that \(\boldsymbol{v}\in \overline{{{S}}}\) if and only if \(\boldsymbol{v}\) is a solution to \(\text {LP}_{\text {f}, \mathcal {N}}\).

We postpone the proof of Claim 1. Claim 1 allows us to rephrase the computation of \(sup\{f(\boldsymbol{v}) \mid \boldsymbol{v} \in \overline{{{S}}}\}\) as an \(\text {LP}_{\text {f}, \mathcal {N}}\) where we want to maximise \(f(\boldsymbol{v})\), which can be done in polynomial time.    \(\square \)

What remains is the proof of Claim 1. It constitutes the remaining part of this Section. The claim is a special case of the forthcoming Lemma 8. Its formulation and proof require some preparation.

Definition 1

A workflow net is good for a set of markings \({{M}}\subseteq \mathbb {Q}_{\ge 0}^{P}\) if for every place p there are markings \(\boldsymbol{m}, \boldsymbol{m}'\) and continuous runs \(\pi \) and \(\pi '\) such that \(\boldsymbol{m}(p)>0\), \(\boldsymbol{m}'\in {{M}}\), and \(\{\textsf{i}:1\}\xrightarrow {}_{\mathbb {Q}_{\ge 0}}^{\pi } \boldsymbol{m} \xrightarrow {}_{\mathbb {Q}_{\ge 0}}^{\pi '} \boldsymbol{m}'\).

The notion of being good for a set of markings is a refined concept of nonredundancy. The nonredundancy allow us to mark every place. But if, after marking the place, we want to continue the run and reach a marking in a specific set of markings \({{M}}\subseteq \mathbb {Q}_{\ge 0}^{P}\), then we don’t know if the given place can be marked. This motivates Definition 1.

Example 5

Let us consider a workflow net depicted on Fig. 4. It is nonredundant, as every place can be marked. But it is not good for \(\{\textsf{f}:1\}\) as there is no continuous run to the marking \(\{\textsf{f}:1\}\). In the initial marking the only enabled transition is \(t_1\) but firing \(\beta t_1\) for any \(\beta \in \mathbb {Q}_{\ge 0}\) reduce the total amount of tokens in the net. The lost tokens can not be recrated so it is not possible to reach \(\{\textsf{f}:1\}\).

Fig. 4.
figure 4

A Petri net with places \(p_1\), \(p_2, p_3\) and transitions \(t_1, t_2, t_3\). Marking \(\{\textsf{i}:1\}\) is drawn.

Full size image

The important fact is as follows:

Lemma 5

Let \({{M}}\subseteq \mathbb {Q}_{\ge 0}^{P}\) be a set of solutions of some LP. Then testing if a net is good for \({{M}}\) can be done in polynomial time.

Lemma 6

Suppose a workflow net \(\mathcal {N}\) is good for \({{M}}\subseteq \mathbb {Q}_{\ge 0}^{P}\) and \({{M}}\) is a convex set. Then there is a marking \(\boldsymbol{m_+}\) such that \(\boldsymbol{m_+}(p)>0\) for every \(p\in P\) and there are continuous runs \(\pi \), \(\pi '\), and a marking \(\boldsymbol{m_f}\in {{M}}\) such that \(\{\textsf{i}:1\}\xrightarrow {}_{\mathbb {Q}_{\ge 0}}^{\pi }\boldsymbol{m_+}\xrightarrow {}_{\mathbb {Q}_{\ge 0}}^{\pi '} \boldsymbol{m_f}\).

Informally, we prove it by taking a convex combination of a \(| P |\) runs one for each \(p\in P\). The last bit needed for the proof of Lemma 8 is the following lemma, shown in [19].

Lemma 7

([19], Lemma 13). Let \(\mathcal {N}\) be a Petri net. Consider \(\boldsymbol{m_0}\), \(\boldsymbol{m} \in \mathbb {N}^P\) and \(\boldsymbol{v} \in \mathbb {Q}_{\ge 0}^{T}\) such that:

  • \(\boldsymbol{m}=\boldsymbol{m_0}+ \varDelta (\boldsymbol{v})\);

  • \(\forall p \in {^\bullet \boldsymbol{v}}:\ \boldsymbol{m_0}(p)>0\);

  • \(\forall p \in {\boldsymbol{v}^\bullet }:\ \boldsymbol{m}(p) >0\).

Then there exists a finite continuous run \(\pi \) such that \(\boldsymbol{m_0}\xrightarrow {}_{\mathbb {Q}_{\ge 0}}^{\pi }\boldsymbol{m}\) and \(\boldsymbol{R}_{\pi } = \boldsymbol{v}\).

Lemma 8

Suppose \({{M}}\) is a convex set of markings over \(\mathbb {Q}_{\ge 0}^P\) and that the workflow net is good for M. Let \({{S}}\) be the set of Parikh images of continuous runs that start in \(\{\textsf{i}:1\}\) and end in some marking \(\boldsymbol{m}' \in {{M}}\) i.e.

$${{S}}{:}{=}\{\boldsymbol{R}_{\pi } \mid \exists _{\pi \in \text {CRuns}_{\mathcal {N}}^1}\ \exists _{\boldsymbol{m}'\in {{M}}}\text { such that } \{\textsf{i}:1\}\xrightarrow {}_{\mathbb {Q}_{\ge 0}}^{\pi }\boldsymbol{m}'\}.$$

Then \(\boldsymbol{v}\in \overline{S}\) if and only if there is a marking \(\boldsymbol{m}\in M\) such that \(\varDelta (T)\boldsymbol{v}=\boldsymbol{m}-\{\textsf{i}:1\}\).

In one direction the proof of the lemma is trivial, in the opposite direction, intuitively, we construct a sequence of runs with Parikh images converging to \(\boldsymbol{v}\). The Lemma 6 is used to put \(\varepsilon \) in every place (for \(\varepsilon \xrightarrow {} 0\)) and Lemma 7 to show that there are runs with the Parihk image equal \(\varepsilon \boldsymbol{x} + (1-\varepsilon )\boldsymbol{v}\) for some \(\boldsymbol{x}\) witnessing Lemma 6. We are ready to prove Claim 1.

Claim 1

It holds that \(\boldsymbol{v}\in \overline{{{S}}}\) if and only if \(\boldsymbol{v}\) is a solution to \(\text {LP}_{\text {f}, \mathcal {N}}\).

Proof

Let \({{M}}\) be the set of all markings over \(\mathbb {Q}_{\ge 0}^P\), which clearly is convex. As \(\mathcal {N}\) is nonredundant we know that every place can be marked via a continuous run, and because \({{M}}\) is the set of all markings we conclude that \(\mathcal {N}\) is good for \({{M}}\) according to Definition 1. Thus \({{M}}\) satisfies the prerequisites of Lemma 8. It follows that \(\overline{{{S}}}\) is the set of solutions of a system of linear inequalities. Precisely, \(\boldsymbol{v}\in \overline{{{S}}}\) if and only if there is \(\boldsymbol{m}\in \mathbb {Q}_{\ge 0}^P\) such that \(\varDelta (T)\boldsymbol{v}\ge \boldsymbol{m}-\{\textsf{i}:1\}\) and \(\boldsymbol{v}\ge 0\), which is equivalent to \(\varDelta (T)\boldsymbol{v}\ge -\{\textsf{i}:1\}\) and \(\boldsymbol{v}\ge 0\), as required.   \(\square \)

5 Soundness in Terminating Workflow Nets

The dichotomy between linear termination time and non-termination shown in Sect. 3 yields an interesting avenue for framing questions in workflow nets. We know that testing generalised soundness is PSPACE-complete, but the lower bound in [9] relies on a reset gadget which makes the net non-terminating. Indeed, it turns out that the problem is simpler for linear workflow nets.

Theorem 3

Generalised soundness is coNP-complete for linear workflow nets.

A marking \(\boldsymbol{m}\) is called a deadlock if \(\text {Runs}_{\mathcal {N}}^{\boldsymbol{m}} = \emptyset \). To help prove the coNP upper bound, let us introduce a lemma.

Lemma 9

Let \(\mathcal {N}\) be a terminating nonredundant workflow net. Then \(\mathcal {N}\) is not generalised sound iff there exist \(k \in \mathbb {N}\) and a marking \(\boldsymbol{m}\in \mathbb {N}^P\) such that \(\{\textsf{i}:k\} \xrightarrow {}_{\mathbb {Z}}^{*}\boldsymbol{m}\), \(\boldsymbol{m}\) is a deadlock and \(\boldsymbol{m}\ne \{\textsf{f}:k\}\). Moreover, if \(\Vert \mathcal {N} \Vert \le 1\) then \(\{\textsf{i}:k\} \xrightarrow {}_{\mathbb {Z}}^{*}\boldsymbol{m}\) can be replaced with \(\{\textsf{i}:k\} \xrightarrow {}_{\mathbb {Q}}^{*}\boldsymbol{m}\).

The last part of the lemma is not needed for the theoretical results, but it will speed up the implementation in Sect. 7. We can now show Theorem 3.

Proof

(of the coNP upper bound in Theorem 3). Let \(\mathcal {N}= (P,T,F)\) and denote \(T = \{t_1,\ldots , t_n\}\). By Lemma 9\(\mathcal {N}\) is not generalised sound iff there are \(k \in \mathbb {N}\) and \(\boldsymbol{m}\in \mathbb {N}^P\) such that \(\{\textsf{i}:k\} \xrightarrow {}_{\mathbb {Z}}^{*}\boldsymbol{m}\), \(\boldsymbol{m}\) is a deadlock and \(\boldsymbol{m}\ne \{\textsf{f}:k\}\). We can reduce the property to an ILP. First, the procedure guesses \(| T |\) places \(p_1,\ldots , p_n \in P\) (one for each transition). For each transition \(t_i\), place \(p_i\) will prohibit firing \(t_i\) by not being marked with enough tokens. We create ILP\(_{\mathcal {N}, p_1, \dots , p_n}\), which is very similar to ILP\(_\mathcal {N}\) (see Sect. 3), but adds additional constraints. They state that \((\varDelta (T)\boldsymbol{x})(p_j)- {^\bullet t_j}(p_j)<0\) for every \(1\le j \le n\).

Let us show that there are \(p_1, \ldots , p_n\) such that ILP\(_{\mathcal {N}, p_1, \dots , p_n}\)has a solution iff there exist k and a deadlock \(\boldsymbol{m}\) such that \(\{\textsf{i}:k\} \xrightarrow {}_{\mathbb {Z}}^{*}\boldsymbol{m}\). Indeed, let \(x_1,\ldots ,x_n\) be a solution of ILP\(_{\mathcal {N}, p_1, \dots , p_n}\). We denote \(k = -\sum _{i = 1}^n \varDelta (t_i)(\textsf{i}) \cdot x_i\) and \(\boldsymbol{m}= \{\textsf{i}:k\} + \sum _{i = 1}^n \varDelta (t_i) \cdot x_i\). It is clear that \(\{\textsf{i}:k\} \xrightarrow {}_{\mathbb {Z}}^{*}\boldsymbol{m}\). The new constraints ensure that for each \(t_i \in T\) there exists \(p_i \in P\) such that \({^\bullet t_i}(p_i) >\boldsymbol{m}(p_i)\), thus \(\boldsymbol{m}\) is a deadlock.

To encode the requirement that \(\boldsymbol{m}\ne \{\textsf{f}:k\}\), note that there are three cases, either \(\boldsymbol{m}(k) \le k - 1\), \(\boldsymbol{m}(k) \ge k + 1\), or \(\boldsymbol{m}(k) = k\) but \(\boldsymbol{m}- \{\textsf{f}:k\} \ge 0\). We guess which case occurs, and add the constraint for that case to ILP\(_{\mathcal {N}, p_1, \dots , p_n}\).    \(\square \)

The lower bound can be proven using a construction presented in [10, Theorem 2] to show a problem called continuous soundness on acyclic workflow nets is coNP-hard. We say that a workflow net is continuously sound iff for all \(\boldsymbol{m}\) such that \(\{\textsf{i}:1\} \xrightarrow {}_{\mathbb {Q}_{\ge 0}}^{*}\boldsymbol{m}\), it holds that \(\boldsymbol{m}\xrightarrow {}_{\mathbb {Q}_{\ge 0}}^{*}\{\textsf{f}:1\}\). The reduction can be used as is to show that generalised soundness of nets with linear termination time is coNP-hard, but the proof differs slightly. See the appendix for more details.

6 Termination Time and Concurrent Semantics

Note that in Petri nets, transitions may be fired concurrently. Thus, in a sense, our definition of termination time may overestimate the termination time.

In this section we investigate parallel executions for workflow nets. Whereas the termination time is focused on the worst case sequential execution, now we are interested in finding the best case parallel executions. Thus, we provide an optimistic lower bound on the execution time to contrast the pessimistic upper bound investigated in Sect. 3 and Sect. 4.

Definition 2

Given a Petri net \(\mathcal {N}\) let \(\pi =t_1t_2\ldots t_n \in \text {Runs}_{\mathcal {N}}^{k}\) for some \(k \in \mathbb {N}\). A block in \(\pi \) is a subsequence of \(\pi \), i.e. \(t_a,\ldots ,t_b\) for some \(1 \le a \le b \le n\). We define the parallel execution of \(\pi \) with respect to k as a decomposition of \(\pi \) into blocks \(\pi =\pi _1\pi _2\ldots \pi _{\ell }\) such that

  1. 1.

    all transitions are pairwise different in a single block; and

  2. 2.

    \({^\bullet \boldsymbol{R}_{\pi _i}}\le \{\textsf{i}:k\} + \sum _{j<i} \varDelta (\pi _j)\) for every \(1 \le i \le \ell \).

The execution time of a parallel execution is denoted as \(exec(\pi _1\pi _2\ldots \pi _\ell ) {:}{=}\ell \).

Example 6

We consider parallel executions of the run \(t_1t_2t_1t_2t_3t_3\) with respect to 4 initial tokens. The run can be decomposed into \((t_1t_2)(t_1t_2)(t_3)(t_3)\) but also into \((t_1)(t_2t_1)(t_2t_3)(t_3)\). Both executions have execution time 4. The parallel execution \((t_1t_2)(t_1t_2t_3)(t_3)\) has execution time 3.\(\lhd \)

figure e

We are interested in finding the parallel executions of a run that minimise the execution time. It turns out that the so-called greedy parallel execution is such a minimal parallel execution. Given \(\pi \) and k it is defined inductively on the prefix of \(\pi \). Suppose we already have some blocks \(\pi _1 \ldots \pi _{i-1}\). To construct block \(\pi _i\), we simply choose the maximal sequence of transitions immediately following the last block \(\pi _{i-1}\) that satisfies the two conditions of Definition 2. In particular the last partition in Example 6 is the greedy parallel execution.

Lemma 10

Consider a run \(\pi \) and \(k \in \mathbb {N}\). The greedy parallel execution of \(\pi \) has the smallest execution time among all parallel executions of \(\pi \) with respect to k.

Consider a workflow net \(\mathcal {N}\) with the initial marking \(\{\textsf{i}:k\}\). Let \({{S_k}} {:}{=}\{\pi \mid \{\textsf{i}:k\} \xrightarrow {}^{\pi } \{\textsf{f}:k\}\}\). We define \(MinTime_\mathcal {N}(k)\) as the minimal execution time among parallel executions of runs in \({{S_k}}\). If \({{S_k}} = \emptyset \) then \(MinTime_\mathcal {N}(k) = +\infty \).

Lemma 11

Let \(\mathcal {N}\) be a workflow net and let \(k, x \in \mathbb {N}\). Deciding whether \(MinTime_\mathcal {N}(k) \le x\) is PSPACE-hard even if we fix \(k = 1\).

As computing \(MinTime_\mathcal {N}(k)\) is computationally hard, we modify the question and ask about the asymptotic behaviour (similarly to Sect. 4). Thus, we are interested in computing \(\lim _{k\rightarrow \infty }\frac{MinTime_\mathcal {N}(k)}{k}\). The problem is well defined as the limit exists. This is interesting as \(\lim _{k\rightarrow \infty }\frac{MinTime_\mathcal {N}(k)}{k}\) corresponds to the average processing time of a single token when the workflow runs (informally speaking) on its maximal efficiency.

Theorem 4

For a given nonredundant, generalised sound workflow netFootnote 4 \(\mathcal {N}\) we can compute \(lim_{k\rightarrow \infty }\frac{MinTime_\mathcal {N}(k)}{k}\) in polynomial time.

Proof

(A sketch of the proof). The main idea relies on the continuous semantics, similarly to the proof of Theorem 2. We show that the limit is equal to the infimum over execution timesFootnote 5 of continuous runs \(\{\textsf{i}:1\}\xrightarrow {}_{\mathbb {Q}_{\ge 0}}^{}\{\textsf{f}:1\}\). Then we prove the following claim.

Claim 2

Let \(\boldsymbol{v}\in \mathbb {Q}_{\ge 0}^{T}\). Let \({{S_{\boldsymbol{v}}}} = \{\pi \mid \{\textsf{i}:1\}\xrightarrow {}_{\mathbb {Q}_{\ge 0}}^{\pi }\{\textsf{f}:1\} \text { and } \boldsymbol{R}_{\pi } = \boldsymbol{v}\}\). If \({{S}}\ne \emptyset \) then the infimum over optimal execution time of runs in \({{S_{\boldsymbol{v}}}}\) equals \(\Vert \boldsymbol{v} \Vert \).

Let \({{S}}\) be the set of Parikh images of continuous runs from \(\{\textsf{i}:1\}\) to \(\{\textsf{f}:1\}\). We define \(f:\overline{{{S}}}\rightarrow \mathbb {Q}_{\ge 0}\) such that \(f(\boldsymbol{v})=\Vert \boldsymbol{v} \Vert \). Thus we can reformulate the problem as computing \(inf\{f(\boldsymbol{v}) \mid \boldsymbol{v}\in {{S}}\}\). The function f is continuous, thus we can reformulate further as compute \(inf\{f(\boldsymbol{v}) \mid \boldsymbol{v}\in \overline{{{S}}}\}\). The function f is not linear on \(\overline{{{S}}}\), but it is piecewise linear. We define \(\overline{{{S_t}}}\subseteq \overline{{{S}}}\) for \(t\in T\) as follows \(\overline{{{S_t}}}=\{\boldsymbol{v} \mid \boldsymbol{v}\in \overline{{{S}}}\text { and } \boldsymbol{v}(t)\ge \boldsymbol{v}(t')\text { for all }t'\in T\}\). Observe that f is linear over \(\overline{{{S_t}}}\) for every \(t\in T\) and that \(\overline{{{S}}}=\bigcup _{t\in T}\overline{{{S_t}}}\). Thus we can rephrase our problem as computing the minimum over the set \(\{inf\{\boldsymbol{v}(t) \mid \boldsymbol{v}\in \overline{{{S_t}}}\} \mid t\in T\}\).

Thus it is sufficient to show that \(inf\{\boldsymbol{v}(t) \mid \boldsymbol{v}\in \overline{{{S_t}}}\}\) can be computed in polynomial time for any \(t\in T\). Lemma 8 allows us to characterize \(\overline{{{S}}}\) as follows: \(\boldsymbol{v}\in \overline{{{S}}}\) iff \(\varDelta (T)\boldsymbol{v}=\{\textsf{f}:1\}-\{\textsf{i}:1\}\text { and }\boldsymbol{v}\ge \boldsymbol{0}\). In consequence, \(\overline{{{S_t}}}\) can be characterized as the set of solutions of the following system of inequalities

$$\varDelta (T)\boldsymbol{v}=\{\textsf{f}:1\}-\{\textsf{i}:1\}\text { and }\boldsymbol{v}\ge \boldsymbol{0}\text { and }\boldsymbol{v}(t)\ge \boldsymbol{v}(t')\text { for all }t'\in T.$$

This allows us to capture \(\{inf\{\boldsymbol{v}(t) \mid \boldsymbol{v}\in \overline{{{S_t}}}\} \mid t\in T\}\) as an LP problem which can be solved in polynomial time.    \(\square \)

7 Experimental Evaluation

We have implemented prototypes of several procedures outlined in the paper, namely procedures to 1) decide termination; 2) decide soundness for terminating nets; 3) compute \(a_{\mathcal {N}}\) for terminating nets; and 4) compute \(MinTime_\mathcal {N}(1)\), \(MaxTime_\mathcal {N}(1)\), and decide 1-soundness for nets with known \(a_{\mathcal {N}}\). The idea behind all procedures is to use our results to encode the properties in LPs/ILPs. To solve these programs, we utilize the MILP solver Gurobi [24].

For 1), recall Lemma 2, which states that non-termination of a workflow net \(\mathcal {N}\) is equivalent to the existence of a Parikh image \(\boldsymbol{R}_{} \in \mathbb {N}^T\) with \(\varDelta (\boldsymbol{R}_{}) \ge \boldsymbol{0}\). We can instead search for \(\boldsymbol{R}_{} \in \mathbb {Q}^T\), as any solution could be scaled up to an integral one. Thus, we can encode this condition as an LP in a straightforward manner, and decide termination in polynomial time.Footnote 6

For 2), we essentially use ILP\(_{\mathcal {N}, p_1, \dots , p_n}\), as defined in the proof of Theorem 3. A solution to ILP\(_{\mathcal {N}, p_1, \dots , p_n}\) yields a run \(\pi \) such that there exists \(k \in \mathbb {N}\) with \(\{\textsf{i}:k\} \xrightarrow {}_{\mathbb {Z}}^{\pi } \boldsymbol{m}\), where \(\boldsymbol{m}\) is a deadlock.

We also consider continuous instead of integral variables. Then solutions relate to runs over \(\xrightarrow {}_{\mathbb {Q}}^{*}\) instead. As hinted at in the last sentence of Lemma 9, both variants yield equivalent results on nets without arc weights, i.e. \(\Vert \mathcal {N} \Vert \le 1\). However, continuous variables are generally easier to handle for MILP solvers. For brevity, by integer deadlocks we refer to the approach using integer variables, and by continuous deadlocks to the approach with continuous variables.

For 3), recall the LP given in Claim 1. We can use it to compute \(\text {sup}_{f,\mathcal {N}}\) for any aggregate \(\mathcal {N}\), so in particular we can use it to compute \(\text {sup}_{f_{all},\mathcal {N}}\), which is equal to \(a_{\mathcal {N}}\) by Equation (2). Here, it only remains to mention that Gurobi allows not only checking feasibility of systems of linear inequalities, but further allows optimizing an objective value, as required by the LP.

For 4), note that if we have the bound \(a_{\mathcal {N}}\) on the length of runs from \(\{\textsf{i}:1\}\), we can check properties by unrolling runs. The intuition is as follows. We have \(a_{\mathcal {N}} \cdot | T |\) integer variables. For step j of the run, we have variables \(x_{1, j}, x_{2, j}, \dots , x_{| T |, j}\). The variables for a step encode which transition(s) are fired in that step. We ensure that we encode a run by requiring \(\sum _{i=1}^{| T |} x_{i,j} \le 1\) for all \(j \in [1..a_{\mathcal {N}}]\). We use integer variables, so either one or no transition is fired in each step.

Alternatively, we encode a parallel execution by imposing the requirements of Definition 2 on steps. By further specifying that for all \(j \in [1..a_{\mathcal {N}}]\), it holds that \(\{\textsf{i}:1\} + \sum _{j' = 0}^{j} \sum _{i = 1}^{| T |} \varDelta (t_i) x_{i, j'} \ge \boldsymbol{0}, \) thus the marking reached so far after each step is nonnegative. To compute \(MinTime_\mathcal {N}(1)\)/\(MaxTime_\mathcal {N}(1)\), we minimise/maximise the number of blocks/steps with non-zero transition variables. For 1-soundness, we require reaching a deadlock different from \(\{\textsf{f}:1\}\).

Our prototype is implemented in C#. All experiments were run on an 8-Core Intel® Core™ i7-7700 CPU @ 3.60 GHz with Ubuntu 18.04. We limited memory to \(\sim \)8 GB. The time was limited to 60 s for checking termination and generalised soundness as well as for computing \(a_{\mathcal {N}}\). It was limited to 15 s for computing \(MinTime_\mathcal {N}(1), MaxTime_\mathcal {N}(1)\) and for checking 1-soundness.

7.1 Benchmark Suite

We use a popular benchmark suite of 1386 free-choice nets originating from models created in the IBM WebSphere Business Modeler. The instances were originally introduced in [18] and have frequently been studied since, see [13, 37, 38]. The nets use a slightly different formalisation of workflow nets that allow multiple final places, which can be transformed to standard workflow nets using a technique from [29]. This technique adds transitions, thus can increase \(a_{\mathcal {N}}\), \(MinTime_\mathcal {N}\) and \(MaxTime_\mathcal {N}\). Unfortunately, 4 instances cannot be transformed to workflow nets with this technique, so we remove them. We also apply a set of well-known reduction rules from [13] that reduce the size of instances while keeping all types of soundness intact, and remove instances that are trivially sound after reduction. These rules never increase \(a_{\mathcal {N}}\). While they in theory could increase \(MinTime_\mathcal {N}\), this does not happen on our benchmarks. Due to the nature of the reduction rules, it may not be appropriate to run them before analyzing \(MinTime_\mathcal {N}, MaxTime_\mathcal {N}(1)\) and \(a_{\mathcal {N}}\), since these numbers then give no information about the original workflow. Thus we only run experiments on the reduced instances when we check soundness and termination.

In total, we are left with 1382 unreduced and 740 non-trivial reduced instances. Statistics about the sizes of the workflow nets can be seen in the columns under Net Size in Fig. 5. The reduced nets are much smaller than the unreduced ones, even when the nets are not reduced to the trivial net.

7.2 Termination and Deadlocks

The time taken to decide termination is shown in the column labelled “Termination” in the top table of Fig. 5. The numbers of nets that are terminating and non-terminating are shown in the bottom table of Fig. 5. Among both the unreduced and reduced instances, the vast majority are terminating (about 90%). Note that the reduction rules can remove nontermination, even when they do not make the net nontrivial, thus the prevalence of terminating instances is even stronger among the reduced instances. In terms of analysis time, termination can be decided in under 25 ms for all instances, with a median of 3 ms.

The top of Fig. 5 shows the analysis times for generalised soundness. We use three algorithms. Columns “Continuous Deadlock” and “Integer Deadlock” show results for our two proposed approaches, and column “Continuous Soundness” shows the performance of a state-of-art approach [10] for deciding generalised soundness. Note that both approaches may claim an unsound workflow net to be sound, but they are precise on different classes of nets. The absence of integer deadlocks is equivalent to generalised soundness on terminating nets, see Lemma 9. Similarly, continuous soundness is equivalent to generalised soundness on free-choice nets [10].

Fig. 5.
figure 5

Top: Statistics on the net size, and analysis times for deciding termination, and checking generalised soundness via deadlocks and continuous soundness. Bottom: Statistics on the number of terminating/non-terminating and deadlocking/non-deadlocking (thus generalised unsound/generalised sound) nets.

Full size image

In practice, it turns out that our approach for checking the absence of integer deadlocks is faster than the existing approach using continuous soundness on every single instance. Continuous soundness times out on 215 of the unreduced instances (not listed in the table), but neither of the approaches utilizing deadlocks times out on any instance. The performance of continuous soundness is not surprising: continuous soundness is checked by passing an \(\exists \forall \)-formula from FO(\(\mathbb {Q},<,+\)) to an SMT solver. Quantifier alternation increases the complexity of validating such formulas [23]. In comparison, our check for integer deadlocks is implemented using standard ILP techniques, and thus an existential formula.

The bottom shows how many nets are non-terminating, as well as how many are deadlocking (thus not generalised sound). Recall that integer deadlocks and continuous deadlocks are equivalent for nets without arc weights, which all of our nets are. Both types of deadlocks are fast to compute, taking less than 90ms on each instance. In practice, checking for continuous deadlocks may be useful even for nets with arc weights, since their absence also proves the absence of integer deadlocks. About \(50\%\) of the unreduced instances and roughly \(75\%\) of the reduced instances are deadlocking. Note that the reduction rules can only make sound instances trivial, which are by definition not able to reach a deadlock.

7.3 \(a_{\mathcal {N}}\), \(MinTime_\mathcal {N}(1)\) and \(MaxTime_\mathcal {N}(1)\)

The top of Fig. 6 the distribution of \(a_{\mathcal {N}}\). This number depends on the number of transitions, so is hard to put into context. We instead display \(\mathfrak {L}{:}{=}\nicefrac {a_{\mathcal {N}}}{| T |}\). Intuitively, that number is an upper bound on the average of how many times each transition can be fired per initial tokens. For example, a net with \(\mathfrak {L}= 1\) likely is linear, i.e. each transition can be fired only once per initial token, while nets with \(\mathfrak {L}>> 1\) may exhibit more complex behaviour, and nets with \(\mathfrak {L}<< 1\) may exhibit high degrees of choice, where runs only visit a part of the net. We group nets with similar \(\mathfrak {L}\) to give an idea of the distribution of the values of \(\mathfrak {L}\) across instances. Our computation of \(a_{\mathcal {N}}\) ran out of memory on 8 nets, so the figure displays only 1254 nets. Most nets have \(\mathfrak {L}\le 1\), with a significant number having in particular \(\mathfrak {L}= 1\). The maximal \(\mathfrak {L}\) is 5.83 among unreduced and 4.33 among reduced instances, while the minimal \(\mathfrak {L}\) is 0.17 and 0.11 respectively.

Fig. 6.
figure 6

Top: Statistics on the distribution of \(\mathfrak {L}\). Middle: Statistics on the distribution of \(\mathfrak {D}\). Bottom: Statistics on the analysis times for \(a_{\mathcal {N}}\), \(\mathfrak {I}_{Min}\) and \(\mathfrak {I}_{Max}\).

Full size image

To display \(MinTime_\mathcal {N}(1)\) and \(MaxTime_\mathcal {N}(1)\), we also divide them by the number of transitions, as we did for \(a_{\mathcal {N}}\). We write \(\mathfrak {T}_{Min} {:}{=}\nicefrac {MinTime_\mathcal {N}(1)}{| T |}\) and \(\mathfrak {T}_{Max} {:}{=}\nicefrac {MaxTime_\mathcal {N}(1)}{| T |}\). We are mostly interested in their difference \(\mathfrak {D} {:}{=}\mathfrak {T}_{Max} - \mathfrak {T}_{Min}\). For nets with large \(\mathfrak {D}\), the difference between the pessimistic sequential and optimistic parallel execution time is large, thus they might allow a high degree of parallelism. On the contrary, if nets have very small \(\mathfrak {D}\), they have a sequential structure. We again group nets with similar \(\mathfrak {D}\), as we did for \(\mathfrak {L}\) above. The results of the analysis are shown in the middle table of Fig. 6.

As we divide by \(| T |\) in the definition of \(\mathfrak {D}\), it would be unusual for it to take on huge values, and indeed all nets have \(\mathfrak {D} < 1\). Note that even \(\mathfrak {D} = 0.5\) is significant, as it means that \(MinTime_\mathcal {N}(1)\) and \(MaxTime_\mathcal {N}(1)\) differ by half the number of transitions. The table totals only 700 nets. On 111 nets, computing \(MinTime_\mathcal {N}(1)\) times out, while on 32 nets computing \(MaxTime_\mathcal {N}(1)\) times out, and both time out on 51 nets. On the remaining 360 nets, there is no execution from \(\{\textsf{i}:1\}\) to \(\{\textsf{f}:1\}\), thus \(MinTime_\mathcal {N}(1) = \infty \).

The analysis times for computing \(a_{\mathcal {N}}\), \(MinTime_\mathcal {N}(1)\) and \(MaxTime_\mathcal {N}(1)\) are shown in the bottom table of Fig. 6. We group nets by their size \(| \mathcal {N} | = | P | + | T |\) to show how the analysis times depend on the instance size. We only list 1060 nets, as we omit those where the computation of \(MinTime_\mathcal {N}(1)\) or \(MaxTime_\mathcal {N}(1)\) timed out. One interesting observation is that for most instances, particularly small ones, \(MinTime_\mathcal {N}(1)\) is harder to compute than \(MaxTime_\mathcal {N}(1)\). However, both are very slow to compute compared to \(a_{\mathcal {N}}\), which indeed never times out on our instances. In fact, \(a_{\mathcal {N}}\) takes at most 714ms to compute for any instance. It is interesting that the time for computing \(a_{\mathcal {N}}\) does not seem to depend highly on the net size. We suspect this might be partly due to the fact that \(a_{\mathcal {N}}\) tends to be proportionally smaller for larger instances: Bucket [0, 20) has a mean \(\mathfrak {L}\) of 1.04, while the mean is 0.86 for bucket [150, 405).

7.4 1-Soundness

Lastly, we briefly comment on the time for deciding 1-soundness via unrolling for nets with known \(a_{\mathcal {N}}\). The procedure times out for 71 instances, among which \(a_{\mathcal {N}}\) has a mean of 133.88 and a maximum of 256. It takes a mean of 612.66ms and a maximum of 14431ms to decide 1-soundness in this way. Unlike in the case for generalised soundness, our procedure for 1-soundness does not seem to be able to compete with the state-of-the-art. In [18], 1-soundness is decided for many of our instances in a few milliseconds per instance, which our approach does so only for instances with small \(a_{\mathcal {N}}\) (up to about 25).