Verifying GSM-based Business Artifacts

Pavel Gonzalez, Andreas Griesmayer, Alessio Lomuscio
Department of Computing, Imperial College London
{pavel.gonzalez09, a.griesmayer, a.lomuscio}@imperial.ac.uk

Abstract—Business artifacts make it possible to manage the operations of business processes by capturing the key concepts and the relevant information needed to guide their workflow. The Guard-Stage-Milestone (GSM) meta-model is a novel formalism for designing business artifacts that features a declarative description of the intended behaviour without requiring an explicit specification of the control flow. Its concept of hierarchical structures of stages and explicit rules for the fulfilment of their guards and milestones supports the design process but poses a challenge for formal verification. We show here how to approach the verification problem by developing a symbolic representation amenable to model checking. The feasibility of the approach is demonstrated by presenting a case study on the direct verification of a GSM model using a tool implementation.

Keywords-Business Artifacts; Formal Verification; Model Checking

I. INTRODUCTION

Business artifacts are a growing topic in web services [1], [2], [3]. Unlike the standard process-based paradigm popular in web services, artifact systems give data the same prominence as processes. One such approach, Business Artifacts with Guard-Stage-Milestone Lifecycles (GSM), was recently introduced as a declarative method for the specification of artifact lifecycles [4], [5], [6]. The main advantage of this formalism is that it closely follows the intuitive way in which stakeholders think about their business. While much of the work so far has focused on the design, deployment and maintenance of GSM models, the verification of this formalism has not been tackled yet.

The key components of a business artifact are the information model, which captures the data, and the lifecycle model, which controls the possible behaviour.
A GSM artifact system consists of a set of artifact instances that communicate with the environment via events. Unlike most of the previous work on business artifacts, which modelled lifecycles as state machines, GSM allows for a declarative way of modelling using a hierarchical structure of stages. Each stage is equipped with a set of guards to control its activation, milestones to determine when its goals are achieved, and, optionally, substages that provide direct support for parallelism within an instance. Guards and milestones are controlled by conditions that depend on data from the information model and are triggered by events. An important feature of the framework is that the occurrence of a single event may lead to a chain of changes in the artifact system, such as the activation and inactivation of stages or the achievement and invalidation of milestones.

The declarative description of the model supports the natural way of thinking about the different stages of a working process and the milestones that must be reached on the way to a certain goal. However, a complex artifact system supports a large number of services involving many stakeholders, making it difficult to assess whether the system will behave as intended once deployed. It is therefore desirable to have a mechanism in place to ensure the validity of the design. Of course, verification of services is an active field of research (e.g., see [7], [8]). The automatic verification of business artifacts was investigated in [9]; however, the lifecycles of artifacts there were based on finite-state machines, which does not correspond to the GSM model. To the best of our knowledge, no solution currently exists for this declarative approach. This paper presents such a solution.

(Footnote) This research was supported by the EU FP7 projects ACSI (FP7-ICT-257593) and DiVerMAS (FP7-PEOPLE-252184), and the EPSRC project EP/I00520X.
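To make the stage/guard/milestone interplay and the chain of changes triggered by one event concrete, the following is an added toy illustration in Python, constructed for this page; it is not the paper's formal GSM semantics, not Barcelona and not GSMC. It models a small three-stage order artifact whose rules are re-evaluated after every event until nothing changes, then enumerates the reachable snapshots explicitly so that a CTL AG property can be checked over them. The stage, milestone and event names, and the simplified rule that a stage is open exactly while its guard holds and its milestone is not yet achieved, are assumptions.

```python
from collections import deque
EVENTS = ("start", "submit", "reject", "approve", "pay", "ship")
# Snapshot = (active stages, achieved milestones, data flags), all frozensets.
INITIAL = (frozenset(), frozenset(), frozenset())

def step(snap, event):
    """Apply one event, then re-evaluate every stage rule until nothing changes."""
    active, achieved, data = set(snap[0]), set(snap[1]), set(snap[2])
    if event == "start":                       # constructed event effects
        data.add("started")
    elif event == "pay":
        data.add("paid")
    elif event == "submit" and "Drafting" in active:
        achieved.add("Drafted")
    elif event == "reject" and "Review" in active:
        achieved.discard("Drafted")            # milestone invalidated
    elif event == "approve" and "Review" in active:
        achieved.add("Approved")
    elif event == "ship" and "Shipping" in active:
        achieved.add("Shipped")
    # Simplification (assumed): a stage is active exactly while its guard holds
    # and its milestone is not yet achieved; the loop is the chain of changes.
    guards = {
        "Drafting": lambda: "started" in data and "Drafted" not in achieved,
        "Review": lambda: "Drafted" in achieved and "Approved" not in achieved,
        "Shipping": lambda: "Approved" in achieved and "paid" in data and "Shipped" not in achieved,
    }
    changed = True
    while changed:
        changed = False
        for stage, guard in guards.items():
            if guard() != (stage in active):
                active ^= {stage}              # open or close the stage
                changed = True
    return (frozenset(active), frozenset(achieved), frozenset(data))

def reachable(initial=INITIAL):
    """Explicit-state enumeration of the finite-state machine induced by step()."""
    seen, frontier = {initial}, deque([initial])
    while frontier:
        snap = frontier.popleft()
        for ev in EVENTS:
            nxt = step(snap, ev)
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return seen

def ag(pred):  # CTL AG over the explicit state space: pred holds in every snapshot
    return all(pred(s) for s in reachable())
```

The enumeration here is explicit-state; the paper's approach instead builds a symbolic transition relation from the lifecycle rules.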
Specifically, we introduce a methodology to apply symbolic model checking [10], [11] to GSM and present an implementation, called GSM Checker (GSMC), that enables us to verify properties of models produced by Barcelona [5], a web-based engine developed by IBM Watson that supports the execution of GSM models. The verification is done directly on Barcelona models, without the need to translate them into another modelling language. To verify the behaviour of an artifact system, we transform the GSM model into a finite-state machine and systematically examine all possible behaviours of the new model against specifications. The key aspect is the construction of a transition relation using rules that are derived from the lifecycle models of the artifacts.

We introduce GSM and symbolic model checking in Section II. Details on the encoding of GSM, the generation of the transition relation, and verification are given in Section III. The implementation is described in Section IV before we present a detailed case study in Section V. We conclude the paper and give some directions for future work in Section VI.

II. PRELIMINARIES

We first present GSM and its semantics, followed by a brief introduction to model checking and the temporal logic CTL, which is used for the specification of properties.