J. Software Engineering & Applications, 2010, 3: 426-435
doi: 10.4236/jsea.2010.35048 Published Online May 2010 (http://www.SciRP.org/journal/jsea)
Copyright © 2010 SciRes. JSEA
Mapping UML 2.0 Activities to Zero-Safe Nets
Sabine Boufenara1, Faiza Belala1, Kamel Barkaoui2
1LIRE Laboratory, Mentouri University of Constantine, Algeria; 2CEDRIC-CNAM, Rue Saint-Martin, Paris, France.
Email: sabineboufenara@yahoo.com, belalafaiza@hotmail.com, barkaoui@cnam.fr
Received February 18th, 2010; revised April 6th, 2010; accepted April 6th, 2010.
UML 2.0 activity diagrams (ADs) are largely used as a modeling language for flow-oriented behaviors in software and
business processes. Unfortunately, their place/transition operational semantics is unable to capture and preserve
semantics of the newly defined high-level activities constructs such as Interruptible Activity Region. Particularly, basic
Petri nets do not preserve the non-locality semantics and reactivity concept of ADs. This is mainly due to the absence of
global synchronization mechanisms in basic Petri nets. Zero-safe nets are a high-level variant of Petri nets that ensure
transitions global coordination thanks to a new kind of places, called zero places. Indeed, zero-safe nets naturally
address Interruptible Activity Region that needs a special semantics, forcing the control flow by external events and
defining a certain priority level of executions. Therefore, zero-safe nets are adopted in this work as semantic framework
for UML 2.0 activity diagrams.
Keywords: UML Activity Diagrams Formalization, Interruptible Activity Region, Zero-Safe Nets
1. Introduction
The Unified Modelling Language (UML) [1] has recently
undergone a significant upgrade of its basic concepts,
giving rise to a new major version, namely UML 2.0.
Being widely used for specification and documentation
purposes in the software development process, UML
offers a spectrum of notations for capturing different
aspects of software structure and behaviour. Activity
diagram (AD) notations are intended to model behav-
ioural aspects of software systems, particularly control
and data flows.
Activity Diagrams (ADs) are widely used to model
various types of applications fluctuating from basic
computations to high level business processes, embedded
systems and system-level behaviors. They facilitate the
modelling of control and object (or data) flows by intro-
ducing a multitude of new concepts and notations such as
collections, streams, loops and exceptions. Several se-
mantics models have been defined to support these con-
cepts. Nevertheless, many problems persist and reduce the
usability of ADs [2,3]. This is mainly due to the new
constructs and principles complexity and their formal
semantics lack, leading to inconsistent interpretations of
the model. For example, in a workflow process, described
in terms of tasks and execution orders between them,
Termination (or Cancelation) concept may be modeled via
ADs Interruptible Activity Region. This modelling may
have several interpretations since the used modelling
concepts are still informal. Thus, a large gap has to be
bridged prior to obtain an execution model and automated
The abstract semantics of ADs have also completely
changed in UML 2.0. They are no longer considered as a
kind of state-machine diagrams and their semantics is
being well explained in terms of Petri net concepts. But,
basic Petri nets do not preserve semantics of new con-
structs of UML 2.0 ADs. We believe that this is essen-
tially due to the locality character (local activations at
transitions enabling) of basic Petri nets, whilst in UML 2.0,
contrary to UML 1.x, the activation of computational
steps may be not local.
Many attempts are currently led to give UML 2.0 ADs
an operational semantics via some well known formal
models such as high-level Petri nets [4], Abstract State
Machine [5] and so on, for eventual analysis and simula-
tion purposes. The objective of this paper is to describe
how Zero Safe Nets (ZSNs for short) are very suitable to
handle semantics of UML 2.0 ADs Interruptible Activity
Region. ZSN is a new variant of Petri-net model intro-
duced by Bruni [6] to define synchronization mechanisms
among transitions without introducing any new interac-
tion mechanism. On the basis of this formalism, we sug-
gest a set of mapping rules to define a formal semantic of
UML 2.0 ADs complex constructs. ZSNs semantics is
then used to conduct control flow in the net guarantying
atomicity and isolation of a transaction that is all what we
need in the cancellation schema. This formal specification
Mapping UML2.0 Activities to Zero-Safe Nets
Copyright © 2010 SciRes. JSEA
is precise enough to enable a unique model interpretation
at an utmost detail level. It can therefore serve as tools
implementation basis. Finally, it participates to ensure that
the specified behaviour meets the intended intuition of the
The remainder of this paper is structured as follows. A
detailed discussion of related works is given in Section 2.
Section 3 presents syntax and informal semantics of both
Interruptible Activity Region in UML 2.0 ADs and ZSNs.
In Section 4, we describe our contribution by presenting
first the problematic, then the intuitive mapping to address
the Interruptible Activity Region formalization and finally
the formal definition of this mapping. Section 5 concludes
the paper with remarks and outlook on future work.
2. Related Works and Paper Contribution
The state of the art concerning UML 2.0 activity diagrams
semantics covers three different approaches: the first
based on Petri-nets, the second using graph transformation
rules and the third generating pseudo-code. Since the two
latter approaches are out of the scope of the present paper,
we therefore discuss UML 2.0 semantics related work
only in terms of Petri-nets.
Since UML specification envisions a “Petri-like se-
mantics” for activity diagrams, it is quite interesting to
propose a mapping between the two notations. Barros [7]
suggests translating a subset of ADs concepts to Petri nets
ones. Actions considered as activities in Petri nets are no
longer atomic, inducing to ADs semantics violation in the
UML specification standard ([1] p. 203). Moreover, only
locally behaved activities are considered in Petri nets,
whereas non-locality semantics is one major innovative
characteristic of UML 2.0 ADs.
In [8], an AD is transformed into FMC (Fundamental
Modeling Concepts) for their attractive feature, and then,
a Colored Petri net is constructed for execution and vali-
dation purposes. This approach focuses on abstract syntax
and thus, does not preserve semantics, especially for the
atomicity principle.
Störrle uses different variants of Petri nets (from col-
ored to procedural and exception Petri nets) to propose a
formal semantics to UML 2.0 ADs. The author tackles the
formalization of many concepts [9-12] such as control-
flow, procedure calling, data-flow, exceptions, loop-
nodes, conditional-nodes and expansion-regions using
various versions of Petri nets. However, different con-
cepts can generally coexist in the same AD. Therefore,
analysis of the whole system behavior is not possible due
to non-unified formalism.
The development culminates in [13-15] concluding that
Petri-nets might, after all, not be appropriate for formal-
izing activity diagrams. Especially, mapping advanced
concepts, such as interruptible activity regions, is found to
be not intuitive. Moreover, Petri-nets formalization of
ADs concepts is not unified and integrates different
variants of Petri-nets to map concepts belonging to the
same diagram. Additionally the traverse-to completion
semantics insurance is identified as being the major
problem in Petri-nets mapping. In [16], we have proposed
a generic mapping from UML 2.0 ADs to Zero-Safe Nets
(ZSNs) and have shown by several examples how this
Petri net variant can surmount this latter problem. Indeed,
non-locality semantics of ADs is preserved via a global
synchronization, offered by ZSNs, rather than a local one
as in basic Petri nets. In [17], we have been interested by
streaming parameters and exception outputs constructs in
UML 2.0 ADs, their formal semantics has been defined in
terms of these Petri nets variant without losing an impor-
tant characteristic of those concepts that is atomicity.
In this paper, we extend these recent works by im-
proving the proposed mapping to be more formal and
general. Indeed, we examine semantics of Interruptible
Activity Region construct in which actions need to be
promptly cancelled on the reception of an external event.
This can not be provided with basic Petri nets that are
local and not reactive.
3. Basic Concepts
We are interested in this section to remind fundamental
notions used in this study. For more details, the reader
can consult [1,18] (for Interruptible Activity Region in
ADs) and [6] (for ZSNs).
3.1 Interruptible Activity Region
The UML 2.0 specification made by the OMG [1] stan-
dard provides a meta-model to define the abstract syntax
for activity diagrams including Interruptible Activity
These ADs special regions are groups of nodes where
all execution might be terminated, if an edge traverses an
interruptible activity, before leaving the region. Inter-
rupting edges must have their source node in the region
and their target node outside it, but in the same AD con-
taining the region.
An Interruptible Activity Region is notated by a
dashed, round-cornered rectangle drawn around the
nodes contained in the region. An interrupting edge is
notated with a lightning-bolt activity edge.
During the process of an Interruptible Activity Region,
the reception of an event (exception-event) triggers the
block abort of that part of the Activity, and resumes exe-
cution with another action that may be the excep-
tion-handler. The standard specification [1] states, that
“When a token leaves an interruptible region via edges
designated by the region as interrupting edges, all tokens
and behaviours in the region are terminated”. Interruptible
regions are introduced to support more flexible non-local
termination of flow.
Mapping UML2.0 Activities to Zero-Safe Nets
Copyright © 2010 SciRes. JSEA
Example 1. Figure 1 gives an example taken from [1]
illustrating these concepts. This example illustrates that if
an order cancellation request ‘Order Cancel Request’ is
made, while executing one of the actions (receive, fill, or
ship orders), the ‘Cancel Order’ behaviour is immedi-
ately invoked and the action being executed is aborted.
Cancellation is a very common behavior in the execu-
tion of workflows process. It is used to capture the inter-
ference of an event or an activity in other activities exe-
cution of a workflow preventing execution or termination.
A cancellation can involve a cancellation area, a sub
process or an entire workflow. In UML 2.0 ADs, Inter-
ruptible Activity Region has been defined to hold such
3.2 Introducing ZSNs
Zero-safe nets have been introduced by Bruni in [6] to
define synchronization mechanism among transitions,
without introducing any new interaction mechanism be-
sides the ordinary token-pushing rules of nets. Their role
is to ensure the atomic execution of complex transitions
collections, which can be considered as synchronized.
Atomic execution of multiple coordinated transitions
is forth possible in ZSNs thanks to a new kind of places,
called zero places. From an abstract viewpoint, those
transitions will appear as synchronized. Zero places are
bound to zero tokens in a system observable state. A to-
ken in a zero place is equivalent to a system internal state
that is non-observable. ZSN synchronized evolution must
begin at an observable state, evolve in non-observable
markings and must end at an observable state. Therefore,
ZSNs define two sorts of places; stable places corre-
sponding to net places, and zero places. A ZSN evolution
is considered as a transaction. A stable token generated
in a transaction is frozen all over the evolution; it is re-
leased only once the transaction is finished. We notice
that a transaction in this case, is represented by a system
activity possibly composed of a set of concurrent but
atomic sub-activities.
Zero places coordinate the atomic execution of transi-
Figure 1. Interruptible Activity Region enclosed by a dashed
line. The Interrupting edge is expressed by a lightning-bolt
tions which, from an abstract viewpoint, will appear as
synchronized. At the abstract level, we are not interested in
observing the hidden state. Modeling of the well- known
example of ‘dining philosophers’ problem’ is sufficient to
show how ZSNs are powerful to synchronize transitions in
an atomic way (see [19] for more details).
Example 2. (taken from [19]). There are n philoso-
phers (here, we suppose n = 2) sitting on a round table;
each having a plate in front and between each couple of
plates there is a fork, with a total of n forks on the table.
Each philosopher cyclically thinks and eats, but to eat he
needs both the left hand side fork and the right hand one
of his plate. After eating a few mouthfuls, the philoso-
pher puts the forks back on the table and starts thinking
It is not difficult to imagine conflict situations leading
to a deadlock when each philosopher takes one fork and
cannot continue. This is due to the fact that the coordina-
tion mechanism is hidden inside transitions (Take1 and
Take2) that are too abstract (see Figure 2(a) modeling a
centralized non-terminism). Places Fki denote forks. A
token in the place Fki means that the ith fork is on the
The same model is redrawn using free choice nets.
Decisions are now local to each place i.e. decisions are
made independently (see Figure 2(b)) and deadlock
situation is clear. One decision concerns the assignment
of the first fork whether to the first or to the second phi-
losopher, the other decision concerns the assignment of
the second fork. Note that Chi,j stands for Choicei,j where
i denotes Forki and j denotes PHilosopherj. Then, it might
happen that the first fork is assigned to the first philoso-
pher (Ch1,1) and the second fork is assigned to the second
philosopher (Ch2,2), and in such case the free choice net
deadlocks and none of the Takei actions can occur. Thus,
the translated net admits non-allowed computations in
the abstract sub-system of Figure 2(a).
Zero-safe nets surmount this deadlock problem by
executing only some atomic transactions, where tokens
produced in low-level resources are also consumed. In
the example, the ow-level. This is possible, but at the
expense of preseinvisible resources consist of places Fki,j
for 1 i, j 2, that can be interpreted as zero places. In
this way the computation performing Ch1,1 and Ch2,2 is
forbidden, because it stops in an invisible state, i.e., a
state that contains zero tokens (see Figure 2(c)).
While basic Petri nets fail to conserve the system se-
mantics at a low-level, free choice nets make local deci-
sions possible at lrving execution semantics. Zero-safe
nets are able to preserve execution semantics even when
expressed in refined way.
Formal Definitions [6]
A ZSN is a 6-tuple B = (SB, TB, FB, WB, uB, ZB) where NB
= (SB, TB, FB, WB, uB) is the underlying place/ transition
Mapping UML2.0 Activities to Zero-Safe Nets
Copyright © 2010 SciRes. JSEA
Figure 2. Example of dining philosophers: (a) Centralized
nondeterminisme, (b) Local nondeterminisme presenting
deadlock, (c) Atomic free choice
net. SB is a non-empty set of places. TB is a non-empty
set of transitions. FB (SB × TB) (TB × SB) is a set of
directed arcs. WB is the weight function that associates a
positive integer to each arc. uB is the places marking as-
sociating positive tokens number to each place. ZB SB
is the set of zero places (also called synchronization
places). The places in SB \ ZB are stable places. A stable
marking is a multiset of stable places. The presence of
one or more zero places of a given marking makes it un-
observable, while stable markings describe observable
states of the system.
Let B be a zero safe net and let s = u0[t1>u1…un-1[tn>un
be a firing sequence of the underlying net NB of B,
The sequence s is a stable step of B if:
SB \ ZB, Σn
i =1 pre(ti)(a) u0(a)
(Concurrent enabling)
u0 and un are stable markings of B
(Stable fairness)
Pre(t)(a) defines the weight of the arc from place a
input of transition t to this one. Post(t)(a) defines the
weight of the arc from transition t to its output place a. The
concurrent enabling property insures the initial simulta-
neous enabling of all step transitions by stable places and
not only those transitions allowing the initial triggering of
the first execution. We notice that this property prohibits
the consummation of stable tokens produced in the step by
its transitions.
Stable step s is a stable transaction of B if in addition:
Markings u1,…, un-1 are not stable
SB \ ZB, Σn
i =1 pre(ti)(a) = u0(a)
(Perfect enabling)
The perfect enabling ensures the consummation of all
initial stable tokens before the transaction ends.
In a stable transaction, each transition represents a mi-
cro-step carrying out the atomic evolution through in-
visible states. Stable tokens produced during the transac-
tion become active in the system, only at the end of the
Example 3. Consider the zero-safe net example of
Figure 2(c). The firing sequence {Fk1,Fk 2}(Ch1,1>{Fk1,1,
Fk2} (Ch1,1>{Fk2,2,Fk1,1} is not a stable step since the
stable fairness is not satisfied. The marking {Fk2,2,Fk1,1}
enables no transition, defining hence a deadlock situation.
Since the sequence above is not a stable step and dead-
locks at a non-visible state, so it is forbidden.
The two following firing sequences are the unique sta-
ble transactions:
In what follows, we exploit features offered by
zero-safe nets to define a priority level in ADs actions
executions, leading to the reactivity definition.
4. Handling Interruptible Activity Region
via ZSNs
Formalizing ADs using Petri nets seems to be a good
approach. The specification states that “Activities are
redesigned to use a Petri-like semantics” [1]. Unfort-
unately, basic Petri nets present some limits.
In [16], we have shown that Petri nets, supposed to be
a semantic framework for ADs, are not well suitable to
handle new UML semantics such as traverse-to- comple-
tion principle. Indeed, the latter requires a global synchro-
nisation and not a local one as defined by Petri nets. We
defined a generic mapping from ADs to zero-safe nets that
preserves ADs operational semantics while focusing on
traverse-to-completion principle and synchronization of
fork and join nodes. Therefore, we covered control/data
flows and concurrency. Besides, in [17], we have focused
on semantics of streaming parameters and exception out-
puts, and showed also that ZSNs are able to express such
complex semantics. Atomic transactions have been de-
fined in ZSNs under a token game based on freezing to-
kens that have been created in the transaction until it ends.
This becomes possible thanks to the zero-places.
The contribution of this paper is to define a suitable
mapping of ADs to ZSNs, dealing with more complex
concepts of UML 2.0 ADs, namely the Interruptible Ac-
tivity Region. We show how basic Petri nets are not able
Mapping UML2.0 Activities to Zero-Safe Nets
Copyright © 2010 SciRes. JSEA
to express semantics of this construct due to their non
reactive aspect. We define a new net called ZSNIAR based
on ZSNs, formalizing the Interruptible Activity Region
as well as other important ADs principles and constructs
such as global synchronisation of concurrent regions [16]
and streaming parameters and exception outputs [17].
4.1 Petri Nets Limits
When dealing with the Interruptible Activity Region, two
questions are to be considered: the first is about the rais-
ing and handling of exceptions and the second concerns
the reactivity to external event.
1) Exceptions are a key example of non-local behavior.
Raising and handling an exception means switching,
from one of specified program states, to some other ones
in one step (a kind of multi-goto).
In Petri nets, while system state is modeled via distrib-
uted marking over the whole net places, state changes are
local. When mapping Interruptible Activity Region into
Petri nets, state is hence distributed over many places of
the region. To handle the cancellation semantics via Petri
nets, we need to remove a set of place markings (of the
interruptible region) at once. Moreover, the number of
destructed tokens is only known at run time.
Yet, we can create some net structure warranting that
all possible token distributions over places are covered.
This is possible by adding arcs that will be connected to
all potential combinations of all places in the region. It is
obvious that this chaotic solution leads to a huge arcs
number (spaghetti arcs). This, will greatly reduce the
readability and understanding of such net. Reset arcs
seem to be a good solution.
2) The reception of an external event triggers the ac-
tivity block abortion in Interruptible Activity Region, and
continues execution with another action that may be the
All actions of the Interruptible Activity Region are
immediately aborted and no action outside the interrupti-
ble region can be executed before the handling of that
event. This leads to a priority and isolation of execution.
Within the Petri nets semantics, there is no priority in
executing two concurrent transitions. The choice of firing
one of the enabled concurrent transitions is non-deter-
Example 4. In Figure 3, we give a naïve basic Petri
net that formalizes the AD of Figure 1. The transcription
follows mapping rules defined by Storrle in [3] (See Ta-
ble 1). The author added a number of transitions, model-
ing the interruption event, equal to the cancelled actions
in the region. Each transition is connected to the input
place of a cancelled action and to transition Cancel Or-
der via an output common place. When the Cancel Order
Request is made, places of the Interruptible Activity Re-
gion, with dark gray, have to be emptied.
Table 1. Mapping rules from UML activities to basic Petri
nets [3]
Order Cancel
Receive Order
Fill Order
Send Invoice
Ship Order
Accept Payment
Close OrderCancel Order
Order Cancel
Order Cancel
Make Payment
Figure 3. Intuitive mapping of the AD of figure 1 to basic
Petri nets [3]
Nodes and edges UML Activity dia-
gram Petri Nets
Control nodes
Activity edges
Executable nodes
Mapping UML2.0 Activities to Zero-Safe Nets
Copyright © 2010 SciRes. JSEA
We notice that semantics of cancellation (first point)
does not appear in the net: First, the cancel event is not
visible (sketched by transitions Order Cancel Request
that are enabled by internal places) and second, the net is
supposed to be 1-safe.
Regarding the second point mentioned above: when
place p1 is marked, both transitions Fill Order and Order
Cancel Request are enabled and have the same probabil-
ity to fire (situation of effective conflict). Whereas in this
context, we would like to fire the aborting transition, that
is Order Cancel Request.
The ZSNs model offers transitions coordination thanks
to zero places. It guarantees atomicity and isolation of
transaction, and this is all what we need in the cancella-
tion schema. In what follows, we use ZSNs semantics to
conduct the control flow in the net.
4.2 Mapping Intuition
In what follows, we discuss two zero-safe nets based
approaches to formalize AD interruptible region with
regard to semantics via the running example 1.
The first solution introduces reset arcs and no new
mechanism is necessary beyond the zero-safe nets se-
mantics. In the net of Figure 4, we introduce a transition
called ‘cancel’, and then we connect all places in the
Interruptible Activity Region to that transition by a reset
arc for each. The firing of transition ‘cancel’ empties all
its input places at once, regardless of their marking. Thus,
the net is no longer forced to be 1-safe. To overcome the
second shortcoming pointed out, we add an input place
interface place’ to transition ‘cancel’. This place repre-
sents the external cancel event. It is connected to transi-
tion ‘cancel’ via an arc of weight 1. When the place ‘in-
terface place’ is marked, the transition ‘cancel’ is enabled.
Possibly, other transitions of the region are enabled at the
same time. We need to guide the control to fire transition
‘cancel’ first. This is known as isolation and atomicity. To
achieve this, we assume that ‘interface place’ is a zero
place and not a stable one, so when marked, transition
cancel’ is enabled and immediately fired. This is due to
the enabling property of ZSNs. Then another problem
arises: when combining both solutions i.e. reset arcs and
the interface zero place, enabling of transition cancel is
made via the zero place connected with a non-reset arc.
Thus, if another input place that has to be emptied by
cancel, has an other output transition, it could be possible
to fire that transition first and then ‘cancel transition
indeterminably without impeding ZSNs rules. This is
essentially caused by the presence of reset arcs. To
overcome this problem, we can easily create a stable token
in the transaction that is frozen until the transaction ends.
The corresponding place is also an input one to cancelled
transitions via reset arcs. (see Figure4).
In Figure 4, firing the external transition creates one
stable token in the stable place pfreeze and one zero token in
Interruptible Activity Region
Figure 4. Formal semantics of the Interruptible Activity
Region via ZSNs augmented with reset arcs
interface place. The stable token cannot be consumed
until the transaction ends, hence prohibiting the firing of
the region enabled transitions such as t1 and t2. The unique
transition that satisfies firing conditions is cancel. The
created token in pfreeze can be consumed in the first next
firing not being a cancellation procedure.
It is clear that such construction greatly improves
modeling cancellation patterns and preserves semantics.
However, adopting such technique has its drawbacks; the
number of used reset arcs in this model depends always on
the number of places in the interruptible region. This
reduces considerably the net readability.
In Figure 5, we define a special cancellation transition
cancel (pictured by an underlined rectangle) with its new
enabling and firing semantics. Cancel may have many
stable inputs and one zero input place, that is interface
place. There are two different conditions to enable tran-
sition cancel:
1) Necessary condition but not sufficient to fire cancel:
the input zero place is marked.
2) Effective firing condition: the instantaneous marking
of cancel input places, i.e., input places markings when
the zero token is created. This marking is calculated at run
time, and this one is the enabling marking. Thus, once
firing cancel transition, all of its input places are emptied.
When the zero place is marked (via an external transition),
cancel is enabled, the current marking is then calculated
Interruptible Activity
Figure 5. Formal semantics of the Interruptible Activity
Region via ZSNs and a special transition cancel
Mapping UML2.0 Activities to Zero-Safe Nets
Copyright © 2010 SciRes. JSEA
and is equal to the destroyed tokens. This latter is neces-
sary to the transition firing. Hence, it is forbidden to fire t1
or t2 first. In such case, the cancel firing condition would
not be satisfied leading to a deadlock situation in an in-
visible state (non-observable marking). Firing cancel will
switch, from one of specified program states ({p1}, {p2} or
{p1, p2}), to some other ones in one step.
In our proposed semantics, event triggering cancella-
tion is not formalized via a transition (this should be the
intuition), but via a zero place. Hence, coordinating the
execution of the termination action is made possible.
With basic Petri nets, this is not possible since it is
agreed that an enabled transition can be fired or not, i.e.
firing one of two concurrently enabled transitions is non-
determinitic. With ZSNs, interface place is modeled with
a zero place rather than a stable one. Whenever, an
out-transition (a transition not belonging to the system) is
fired, a zero token is created in the interface place indi-
cating that the system is actually executing a transaction.
Transactions have a higher execution priority compared to
transitions. Hence, firing cancel transition is prior to any
other transition.
Figure 6 presents the mapping of the Interruptible Ac-
tivity Region part of Figure 1. When Ship Order is enabled,
a cancellation event occurs. This is traduced by marking
the zero place interface place. The effective firing condi-
tion of cancel is calculated and it is equal to {interface
place, p3}. Two transitions are now enabled: Ship Order
and Cancel. Firing transition Cancel is prior than transition
Ship Order. Firing Ship Order first, leads to a deadlock
Interface place
Receive Order
Fill Order
Ship Order
Figure 6. Intuitive mapping of the Interruptible Activity
Region of the AD of Figure 1 to ZSNs
situation (non finishing transaction) caused by the con-
sumption of cancel transition enabling tokens.
4.3 Formal Mapping
Table 2 defines preliminarily hints on formalizing UML
2.0 ADs via ZSNs. This generic mapping covers basic
constructs, concurrent-region, traverse-to-completion pri-
nciple, streaming parameters, exception outputs and the
Interruptible Activity Region.
Executable and fork/join nodes are mapped to transi-
tions. Control nodes become stable or zero places, de-
pending of the synchronization schema to be modeled.
Specific Petri nets models are given in particular cases such
as streaming parameters, exception outputs and the Inter-
ruptible Activity Region. Most of these notations have
already been examined in earlier work. The semantics of
the Interruptible Activity Region is discussed in this paper.
To formalize the mapping, we propose, for both basic
activity diagram AD of UML 1.x and a complete one of
UML 2.0, rigorous notations as given below. Extended
activity diagram AD2 encloses new constructs and se-
mantics, namely object nodes, traverse-to-completion
principle, streaming parameters, exception outputs and
Inturruptible Activity Region. Next, we define a formal
semantic definition of AD2 in terms of ZSNs.
Definition 1:
An activity diagram is defined by a tuple AD = (EN, BN,
CN, iN, fN, CF) where:
EN: denote Executable Nodes, i.e., elementary actions.
EN = {A1, A2, ..., An}.
BN: denote Branch Nodes i.e. decisions and merges.
BN = {d1, ..., dk; m1, ..., mk'}, such as : k k'.
CN: denote Concurrency Nodes i.e. forks and joins.
CN = {f1, ..., fm; j1, ..., jm'}, such as: m m'.
iN: denotes the initial Node.
fN: denotes the final Node.
CF: is a function denoting Control Flows. CF ((EN,
BN, CN, iN) (EN, BN, CN, fN)). A directed arc sketches
the control flow where the source may be an action, a
branch, a control or the initial node and the arc target
may be an action, a branch, a control or the final node.
Definition 2:
An UML2.0 AD is defined by a tuple AD2 = (AD, ON,
OF, CR, SA, EA, IAR) where:
AD: is the corresponding basic activity diagram as de-
fined above.
ON: denotes Object Nodes. In this work, we deal with
pins. ON = {o1, ..., or}. Objects may represent data or
streams {s1, …, sr' } or exceptions {e1, …, ew'}.
OF: is a function denoting Object (token) Flows. OF
((BN, CN, iN, ON) (BN, CN, fN, ON)). OF =
{of1, …ofx}. As tokens move across an object flow edge,
they may undergo transformations. An object flow might
carry a transformation behavior denoted tb.
Mapping UML2.0 Activities to Zero-Safe Nets
Copyright © 2010 SciRes. JSEA
Table 2. The intuition of ADs formal semantics via ZSNs:
Zero places are pictured with small circles
CR: denotes Concurrent Regions. A concurrent region
is a sub-AD2 delimited with a fork and a join. Concurrent
regions have a special semantics under the traverse-to-
completion principle. This one has been discussed in [16]
along with a generic mapping to ZSNs.
SA: is a set of Streaming Actions {S1, …, Sr}. A
streaming action is an elementary action Ai with in-
put/output streaming parameters si.
EA: is a set of Exception Actions {E1, …, Ew}. An ex-
ception action is an elementary action Ai having excep-
tion outputs ei.
IAR: denotes Interruptible Activity Regions. An inter-
ruptible region is a sub-AD2 bound to a special specifica-
tion Sp ec that can, informally, be Spec (IAR) = (evt, can-
cel) where evt is the interruption triggering event and
cancel is the cancellation action. We note that evt and
cancel do not belong to the IAR. In the perspective of
cancellation, only actions EN and control nodes CN may
be interrupted, thus the enclosed actions and control
nodes define an IAR. IARi= {Ag, …, Ag', fh, ..., fh'; jv, ...,
jv'}, such that, A, f and j stand respectively for actions,
forks and joins enclosed in the region.
For the sake of the presentation, we restrict our ZSN
definition purpose to control flow, data flow and Inter-
ruptible Activity Region. Let ADIAR be a sub-AD2, such
that, ADIAR = (EN, BN, CN, iN, fN, CF, ON, OF)) and let
Spec be a specification such that:
Spec (IAR) = (evt, cancel). We define ADIAR by identi-
fying, in addition to IAR nodes, the input and output ob-
ject and branch nodes connected to each IAR node via a
control or object edge, including edges. Recall that an
IARi= {Ag, …, Ag', fh, ..., fh'; jv, ..., jv'}.
Next, we define a formal mapping from a sub AD2
ADIAR to a zero-safe net ZSNIAR.
Example 5. Consider the AD of Figure 1: let IAR1 be
IAR1 = {ReceiveOrder, FillOrder, ShipOrder, f1}, where
f1 stands for the fork node and {ReceiveOrder, FillOrder,
ShipOrder} EN.
We define ADIAR1 by identifying inputs and outputs of
IAR1 nodes. ADIAR1 = {ReceiveOrder, FillOrder, ShipOr-
der, f1, d1, ReceiveOrder, d1, d1, FillOrder, FillOrder,
f1), f1, ShipOrder} where d1 stands for the decision node
and pairs of the form x, y stand for edges such as x is
the edge source and y is its target. Spec (IAR1) = (Or-
derCancelRequest, CancelOrder) where OrderCancel-
Request stands for evt and CancelOrder for Cancel.
Definition 3:
ZSNIAR is a special ZSN defining the semantic of ADIAR,
an UML 2.0 sub activity diagram with the Spec specifi-
ZSNIAR = (ZSN, SIAR, Zcancel, Cancel, ip, sp) where:
- There is a single source place ip, such that, ip
SB, ip =.
- There is a single sink place sp, where sp SB,
ZSNs Nodes
Activities Nodes Basic
Executable Nodes
Object Nodes
Control Nodes
Object Flows
Control Flows
Streaming Parameters
zero place
Zero place
interface place
Mapping UML2.0 Activities to Zero-Safe Nets
Copyright © 2010 SciRes. JSEA
sp =.
- Every node n in the instance net is on the path
from ip to sp.
1) Zcancel
ZB: is a set of zero places {zcanc1, …, zcancx},
such that,
Zcancel, zcanc
= {canci}
2) SIAR P. SIAR is a set of places. SIAR = {p (p SB)
(p = n n {ADIAR {BN ON – {poi of OF and
of = oi oi' and tb on of} {iN, fN} {pc c
3) Cancel T: a set of special transitions {can c1, …,
cancx}, such that, the enabling condition to each transi-
tion canci is the marking of zcanci and the effective firing
condition is the instantaneous marking calculated, when
zcanci is marked. Given a transition canci, the firing se-
quence is given by:
{zcanci, MSIAR}(canci > M'/ zcanci, M' M'SIAR = and
canci = {SIAR, zcanci} where MSIAR and M'SIAR respec-
tively stand for SIAR markings before and after firing
4) ZSN: denotes a zero-safe net, i.e., ZSN = (SB, TB; FB,
WB, uB; ZB) as defined in Section 3.2 such that:
SB = BN ON – {poi  of = (poi, poi+1) and
tb on
of} {iN, fN} {pc c CF}
For each branch or object node, we create a place.
When two object nodes are connected via an edge not
carrying a transformation behavior, just one place is cre-
ated and takes the name of one of the two (since they
have the same name).
TB = EN CN {toi of OF and of = oi oi' and
tb on of} {td id i' of OF and of = di di' or cf
CF and cf = di di' } {tm im i' of OF and of = mi mi'
or cf CF and cf = mi mi' } Cancel.
Executable and control nodes are mapped into transi-
tions. An object flow gives rise to a new transition iff this
edge carries a transformation behavior. For each control
flow, we define a transition.
FB = {x, y x, y CF (x TB) (y SB)}
{x, y x, y CF (x SB) (y TB)} {x, y (x
TB) (y SB) Ai x = Ai y = oi'}.
WB: FB lN.
ip = iN.
sp = fN.
uB = {iN}
ZB = {evt}, zcanc = evt.
The above definition, mapping an ADIAR to a ZSN, is
faithful to the intuitive mapping given in Table 2. Con-
current regions, streams, and exceptions are not yet taken
into account. The semantics of cancellation is deeply
considered. So far, none of the previous works authors
has considered the problem of reactivity in ADs cancel-
lation behavior.
5. Conclusions
This paper is a continuation of our last two papers [16],
[17]. Their main goal was to propose a generic mapping
of ADs basic concepts to ZSNs ones. Especially, they
handle formalization of concurrent-region, while con-
sidering the traverse-to-completion semantics and excep-
tion outputs streaming parameters via ZSNs.
This paper highlights also the failure of Petri nets to
cover high semantics of ADs, namely the Interruptible
Activity Region. Here, we have proposed, with the same
spirit, the use of ZSNs as a formal semantic framework
to handle this region.
A generic mapping from ADs to ZSNs, covering basic
constructs, concurrent-region, traverse-to-completion
principle, streaming parameters, exception outputs and
the Interruptible Activity Region has been defined. Its
formal definition based on ZSNs covers until now con-
trol flow, data flow and Interruptible Activity Region.
Concurrent region, streaming parameters and exceptions
are not yet covered, but they can be integrated very sim-
ply in the defined ZSNIAR .
Some other constructs namely expansion-region and
exception handling are to be considered in future works.
Our aim is to define an EZS-Net (Extended Zero-Safe
Net) for all new constructs defined in AD2. The EZS-Net
will be dedicated to formalize UML ADs in a complete
and unified way.
ZSNs are tile logic based models which is an extension
of rewriting logic, taking into account the concept of side
effects and dynamic constraints on terms. Mapping
UML2 ADs to ZSNs can be followed by the projection
of these latter in rewriting logic and thus, exploiting its
practical system Maude for verification and validation
[1] “OMG Unified Modelling Language: Superstructure,” Fi-
nal Adopted Specification Version 2.0,Technical Report,
Object Management Group, November 2003.
http://www .omg.org
[2] T. Schttkowsky and A. Föster, “On the Pitfalls of UML 2
Activity Modeling,” International Workshop on Modeling
in Software Engineering, Minneapolis, IEEE Computer
Society, 2007.
[3] H. Störrle and J. H. Hausmann, “Towards a Formal
Semantics of UML 2.0 Activities,” Software Engineering
Vol. 64, 2005, pp. 117-128.
[4] T. Murata, “Petri Nets: Properties, Analysis and Appli-
cations,” Proceedings of the IEEE, Vol. 77, No. 4, April
1989, pp. 541-580.
[5] E. Borger and R. Stark, “Abstract State Machines,” Sprin-
ger Verlag, 2003.
[6] R. Bruni and U. Montanari, “Zero-Safe Nets, or Transition
Synchronization Made Simple,” In C. Palamidessi and J.
Parrow, Eds., Proceedings of the 4th workshop on Expre-
ssiveness in Concurrency, Electronic Notes in
Theoretical Computer Science, Santa Margherita
Mapping UML2.0 Activities to Zero-Safe Nets
Copyright © 2010 SciRes. JSEA
Ligure, Elsevier Science, Vol. 7, 1997.
[7] J. P. Barros and L. Gomes, “Actions as Activities and
Activities as Petri Nets,” In Jan J¨urjens, Bernhard Rumpe,
Robert France, and Eduardo B. Fernandey, Eds., UML
2003 Workshop on Critical Systems Development with
UML, San Francisco, 2003, pp. 129-135.
[8] T. S. Staines, “Intuitive Mapping of UML 2 Activity
Diagrams into Fundamental Modeling,” “Concept Petri
Net Diagrams and Colored Petri Nets,” 15th Annual IEEE
International Conference and Workshop on the Engi-
neering of Computer Based Systems, Belfast, 2008.
[9] H. Störrle, “Semantics of Exceptions in UML 2.0 Acti-
vities,” Journal of Software and Systems Modeling, 9 May
2004. www.pst.informatik.uni-muenchen.de/stoerrle
[10] H. Störrle, “Semantics of Control-Flow in UML 2.0
Activities,” In N.N. Ed., Proceedings IEEE Symposium on
Visual Languages and Human-Centric Computing, Rome,
Springer Verlag, 2004.
[11] H. Störrle, “Semantics and Verification of Data Flow in
UML 2.0 Activities,” Electronic Notes in Theoretical
Computer Science, Vol. 127, No. 4, 2005, pp. 35-52.
www. pst.informatik.uni-muenchen.de/-stoerrle
[12] H. Störrle, “Semantics and Verification of Data-Flow in
UML 2.0 Activities,” Proceedings International Work-
shop on Visual Languages and Formal Methods, IEEE
Press, 2004, pp. 38-52. www.pst.informatik.uni-muench
[13] R. Eshuis and R. Wieringa. “Comparing Petri Net and
Activity Diagram Variants for Workflow Modelling–A
Quest for Reactive Petri Nets,” In Weber et al. Petri Net
Technology for Communication Based Systems, Lecture
Notes in Computer Science, Vol. 2472, 2002, pp. 321-351.
[14] R. Eshuis and R. Wieringa. “A Real-Time Execution
Semantics for UML Activity Diagrams,” In H. Hussmann,
Ed., Fundamental Approaches to Software Engineering,
Lecture Notes in Computer Science, Genova, Springer
Verlag, Vol. 2029, 2001, pp. 76-90.
[15] R. Eshuis and R. Wieringa. “An Execution Algorithm for
UML Activity Graphs,” Proceedings of the 4th Interna-
tional Conference on The Unified Modeling Language,
Modeling Languages, Concepts, and Tools, Lecture
Notes in Computer Science, Toronto, Springer Verlag,
Vol. 2185, 2001, pp. 47-61.
[16] S. Boufenara, F. Belala and C. Bouanaka, “Les Zero-Safe
Nets Pour la Préservation de la TTC Dans les Diagrammes
d’activité d’UML, ” “Revue des Nouvelles Technologies
de l’Information RNTI-L-3,” Cépaduès éditions, 15ème
Conférence Internationnale sur les Langages et Modèles à
Objets : LMO, 2009, pp. 91-106.
[17] S. Boufenara, F. Belala and N. Debnath, “On Formalizing
UML 2.0 Activities: Stream and Exception Parameters,”
22nd International Conference on Computers and Their
Applications in Industry and Engineering CAINE-2009,
San Francisco, 4-6 November 2009.
[18] C. Bock, “UML 2 Activity and Action Models,” Part 6:
Structured Activities, 2005. http://www.jot.fm/issues/issue
[19] R. Bruni and U. Montanari, “Transactions and Zero-Safe
Nets,” In: H. Ehrig, G. Juhás, J. Padberg and G. Rozenberg,
Eds., Proceedings of Advances in Petri Nets: Unifying
Petri Nets, Lecture Notes in Com- puter Science,
Springer Verlag, Vol. 2128, 2001, pp. 380-426.