Analyzing Critical Decision-Based Processes
Christophe Damas, Bernard Lambeau and Axel van Lamsweerde, Member, IEEE
IEEE Transactions on Software Engineering Vol. 40 No. 4, April 2014, 338-365.

Manuscript received November 12, 2012. This work was partially supported by the Regional Government of Wallonia (GISELE and PIPAS projects, RW Conv. n° 616425 and 1017087) and the MoVES project (PAI program of the Belgian government). The authors are with the Department of Computing, ICTEAM Institute, Université catholique de Louvain, e-mail: {christophe.damas, bernard.lambeau, axel.vanlamsweerde}@uclouvain.be.

Abstract— Decision-based processes are composed of tasks whose application may depend on explicit decisions relying on the state of the process environment. In specific domains such as healthcare, decision-based processes are often complex and critical in terms of timing and resources. The paper presents a variety of tool-supported techniques for analyzing models of such processes. The analyses allow a variety of errors to be detected early and incrementally on partial models, notably: inadequate decisions resulting from inaccurate or outdated information about the environment state; incomplete decisions; non-deterministic task selections; unreachable tasks along process paths; and violations of non-functional process requirements involving time, resources or costs. The proposed techniques are based on different instantiations of the same generic algorithm that propagates decorations iteratively through the process model. This algorithm in particular allows event-based models to be automatically decorated with state-based invariants. A formal language supporting both event-based and state-based specifications is introduced as a process modeling language to enable such analyses. This language mimics the informal flowcharts commonly used by process stakeholders. It extends High-Level Message Sequence Charts with guards on task-related and environment-related variables. The language provides constructs for specifying task compositions, task refinements, decision trees, multi-agent communication scenarios, and time and resource constraints. The proposed techniques are demonstrated on the incremental building and analysis of a complex model of a real protocol for cancer therapy.

Index Terms— Process modeling, process analysis, model verification, decision errors, safety-critical workflows, non-functional requirements, domain-specific languages, formal specification.

I. INTRODUCTION

The growing maturity of software engineering technologies makes it possible to export them to other areas in need of more systematic approaches. This is in particular the case for domain-specific processes such as medical processes [13, 25, 37, 68, 69] where process safety is a key concern [16, 39, 44]. Conversely, such domains raise new challenges on modeling and analysis techniques. For example, cancer therapy processes are composed of safety-critical subprocesses, such as radiotherapy, surgery and chemotherapy processes, to be coordinated over long periods of time, at multiple sites, according to critical decisions often made under incomplete information, and subject to a variety of non-functional requirements. The latter refer to strict timing and dose constraints, resource limitations, cost restrictions, and so forth. Such processes are continuously evolving from progress in research and practice.

Models in this context may be used for a variety of purposes, e.g., for process orchestration, conformance checking, process documentation, or the generation of directives, explanations or other operational information targeted at specific parties [13, 25]. Process models should therefore be as error-free as possible. Building an adequate, complete, and consistent model may be far from easy in such domains. Techniques should therefore help detect and fix severe flaws, in the model being built or in the actual process itself [12, 25]. To enable tool-supported analysis, the target processes should be captured through some adequate formal model.

Many languages are available for modeling processes and workflows, e.g., UML Activity Diagrams [62], BPMN [63], Yawl [27, 75] and Little-Jil [78], to cite just a few. When a formal semantics is available, such languages support various analyses such as model checking against event-based properties [28, 54, 79], verification of process termination [73] or of absence of deadlocks [54, 80], or conformance checking between the process model and its execution [73]. Model enactment can also be used for runtime support [78].

The modeling techniques available to date do not allow process decisions to be formally captured in terms of state variables characterizing the process environment (e.g., state variables about the patient under treatment). As a consequence, the properties that can be model-checked are purely event-based; they refer to task applications only. When alternative branches in a task flow are supported, the choice among them is non-deterministic.

The paper focuses on decision-based processes to address this current limitation. In a decision-based process, decisions relying on the state of the process environment regulate the subsequent tasks to be specifically performed. For example, a specific sequencing of weekly chemotherapy sessions is the outcome of a medical decision relying on environment state variables such as the patient's blood platelet level. The possible unobservability of the environment state at which a decision must be made is a challenging issue raised by such processes. State variables approximating the environment state are needed; such variables do not necessarily reflect the exact state of the process environment at the corresponding decision
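The decision errors listed in the abstract (incomplete decisions, non-deterministic task selections, unreachable tasks, decisions relying on outdated state information) can be made concrete on a single decision node whose branches are guarded by a state variable. The following Python is an added illustration written for this page; it is not the authors' tool, their modeling language, or their decoration-propagation algorithm. It brute-forces the checks over a finite, constructed value domain instead of propagating invariants through a model. The task names, the platelet thresholds, the value domain, the state invariant and the freshness window are all assumptions, not taken from the real cancer therapy protocol the paper analyzes.

```python
# Added example (not the paper's tool): brute-force checks for the decision
# errors named in the abstract, applied to one constructed decision node.
# Task names, thresholds, domain, invariant and freshness window are assumed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Tuple

Guard = Callable[[int], bool]


@dataclass(frozen=True)
class Branch:
    """One alternative of a decision: a guard on a state variable and the task it selects."""
    task: str
    guard: Guard
    text: str  # human-readable guard, kept for reports


# Constructed domain for the state variable "platelet count" (10^9/L); an assumption.
PLATELET_DOMAIN = range(0, 401)


def check_decision(branches: List[Branch], domain=PLATELET_DOMAIN
                   ) -> Tuple[List[int], List[Tuple[int, List[str]]]]:
    """Incomplete decision: some value enables no branch.
    Non-deterministic decision: some value enables more than one branch."""
    uncovered, ambiguous = [], []
    for v in domain:
        enabled = [b.task for b in branches if b.guard(v)]
        if not enabled:
            uncovered.append(v)
        elif len(enabled) > 1:
            ambiguous.append((v, enabled))
    return uncovered, ambiguous


def unreachable_tasks(branches: List[Branch], invariant: Guard,
                      domain=PLATELET_DOMAIN) -> List[str]:
    """A branch is unreachable along a path if no value satisfying the state
    invariant holding at the decision point also satisfies its guard."""
    return [b.task for b in branches
            if not any(invariant(v) and b.guard(v) for v in domain)]


def stale_observation(observed_at: datetime, decided_at: datetime,
                      max_age: timedelta) -> bool:
    """Outdated information: the variable approximating the environment state
    was observed longer before the decision than the allowed window."""
    return decided_at - observed_at > max_age


# Constructed, deliberately flawed decision node (assumption, not the real protocol):
# the guards leave 50 uncovered and enable two tasks at 100.
FLAWED = [
    Branch("PostponeSession", lambda p: p < 50, "platelets < 50"),
    Branch("ReducedDose", lambda p: 50 < p <= 100, "50 < platelets <= 100"),
    Branch("FullDose", lambda p: p >= 100, "platelets >= 100"),
]

# Corrected node: the three guards partition the domain.
FIXED = [
    Branch("PostponeSession", lambda p: p < 50, "platelets < 50"),
    Branch("ReducedDose", lambda p: 50 <= p < 100, "50 <= platelets < 100"),
    Branch("FullDose", lambda p: p >= 100, "platelets >= 100"),
]


def example_stale_decision() -> bool:
    """Constructed timestamps: a lab value read ten days before a decision
    whose assumed freshness window is seven days."""
    observed = datetime(2014, 4, 1, 8, 0)
    decided = observed + timedelta(days=10)
    return stale_observation(observed, decided, timedelta(days=7))


if __name__ == "__main__":
    print("flawed node:", check_decision(FLAWED))   # ([50], [(100, ['ReducedDose', 'FullDose'])])
    print("fixed node:", check_decision(FIXED))     # ([], [])
    # Invariant assumed to hold at the decision point (e.g. guaranteed by a
    # preceding task): platelets >= 50. The postpone branch is then dead.
    print("unreachable:", unreachable_tasks(FIXED, lambda p: p >= 50))  # ['PostponeSession']
    print("stale:", example_stale_decision())       # True
```

Enumerating the domain is what makes this a toy: it works only because the state variable is a bounded integer. A model-level analysis of the kind the paper describes has to derive the invariant at each decision point from the preceding tasks rather than assume it, and has to handle guards over several variables symbolically.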