1

Application of Equivalence Checking in a LoanOrigination Process in Banking Industry

Antonella SantoneDipartimento di Ingegneria, Universita degli Studi del Sannio, Italy

e-mail: santone@unisannio.itValentina Intilangelo

e-mail: intivale@hotmail.itDomenico Raucci

Dipartimento di Economia, Universita degli Studi di Chieti-Pescara, Italye-mail: d.raucci@unich.it

Abstract—Equivalence checking is traditionally applied tocomputer system design. It is a promising formal technique forthe improvement of software quality. However, it requires detailedspecifications of systems and is therefore not very accessible,above all in certain restricted fields of application. One ofthis domain is business process management. In particular, weexamine the applicability of equivalence checking to validationof Business Processes that are mapped through the systems ofWorkflow Management. The usage of formal methods in businessdomain, however, is still not widely used. This is due also to thestate explosion problem, which says that the state space grows ex-ponentially in the number of concurrent processes. In this paperwe consider a heuristic-based methodology developed to combatthe state explosion problem for checking process equivalence. Ourproposal is two-fold: (i) we show how equivalence checking canbe applied in the context of business modelling and analysis; (ii)we evaluate and test the heuristic-based methodology using, as acase study, a real-world banking workflow of a loan originationprocess. Our investigations suggest that the business community,especially in the banking field, can benefit from this efficientmethodology developed in the process algebra area to preventsignificant errors. We show and discuss the experimental resultsobtained.

Keywords-Bussiness Process Management; Formal Methods;CCS; Heuristic Search; Workflow Verification; Banking Process.

I. INTRODUCTION

Formal methods are powerful techniques for specifyingand verifying complex systems. Several techniques for formalverification have been developed over the past three decadeamong them equivalence checking. Equivalence checking isthe process of determining whether two systems are equivalentto each other according to some mathematically-defined notionof equivalence. Equivalence checking is typically used toverify if a system design conforms to its high-level servicespecification. Although equivalence checking is currently notapplicable to all domains, it is useful for certain restrictedfields of application. One of this domain is business processmanagement. In particular, we examine the applicability ofequivalence checking to validation of Business Processes thatare mapped through the systems of Workflow Management.The usage of this formal method in the domain of businessprocess management however, is still not widely used. This is

due also to the state explosion problem, which says that thestate space grows exponentially in the number of concurrentprocesses. In fact, the parallelism between the processes ofthe system leads to a number of reachable states which maybecome very large, in some cases on the order of millions orbillions of states. When the number of states is too large tofit in a computer’s main memory, verification quickly breaksdown. In fact, in the business process taken into account,we came across the state explosion problem. Specifically,this problem has emerged as a result of a first modellingof the banking process, in which the excessive number ofprocesses in parallel has made impracticable the verificationusing standard model checker.

Several approaches have been developed to solve or reducethe state explosion problem. In this paper to combat thestate explosion problem for checking process equivalence weconsider an efficient procedure, based on heuristic search [1],proposed in [2]. The procedure is applied to processes definedthrough a specification language very compact, the Calculus ofCommunicating Systems (CCS)[3] defined by Milner, which isone of the most well known process algebras and it is largelyused for modeling concurrent and distributed systems. Theapproach uses a heuristic function that suggests to expandfirst the states that offer the most promising way to deducethat two systems are not equivalent. This makes it possibleto avoid the exhaustive exploration of the global state graphof the two systems when they are not equivalent. One ofthe authors of this paper has contributed to the design ofGrease (GREedy Algorithm for System Equivalence), a C++tool supporting the heuristic approach to check equivalenceof CCS processes. The use of Grease on a sample of smallCCS processes has shown a significant reduction of bothstate-space size and time, compared to traditional equivalencechecking algorithms. Our proposal is two-fold: (i) we showhow equivalence checking can be applied in the context ofbusiness modelling and analysis; (ii) we evaluate and test theheuristic-based methodology using, as a case study, a real-world banking workflow of a loan origination process.

More precisely, in this paper we describe in CCS both theimplementation of the banking process and the specificationsof the expected behaviours. Our results obtained by evaluating

2

a real-world banking process are validated by comparing themto those obtained by a state-of-the-art tool for equivalencechecking, i.e., the Concurrency Workbench of New Century(CWB-NC) [4], which one of the most popular environmentsfor verifying concurrent system. Applying our approach wecan prove the correctness of the system obtaining a consider-able reduction of both state space size and time with respectto CWB-NC. Actually, for the proposed case study, differentlyfrom Grease, the CWB-NC is not able to give an answer, afterwaiting more than half an hour. This is due to the big numberof states. This confirms that our approach is more scalablethan CWB-NC.

Our investigations suggest that the business community,especially in the banking field, can benefit from this efficientmethodology developed in the process algebra area to preventsignificant errors.

The remainder of the paper is organized as follows. SectionII is a review of the basic concepts of equivalence checking,while Section III briefly describes the heuristic-based approachfor equivalence checking and its applicability in the businessprocess management in banking industry. In Section IV theexperimental results we obtained are reported and discussed.Finally, comparisons with related work and our conclusionsare presented in Section V.

II. EQUIVALENCE CHECKING

In this section we introduce the basic concepts of formalmethods. Formal methods are mathematically based languages,techniques, and tools for specifying and verifying complexsystems. Several techniques for formal verification have beendeveloped over the past three decade among them equivalencechecking.

For applying equivalence checking we first need a precisenotation for defining systems. Specification is the process ofdescribing a system. As starting point, we assume that systembehaviour is represented as an automaton. It basically consistsof a set of nodes together with a set of labelled edges betweenthese nodes. A node represents a system state, while a labellededge represents a transition from one system state to the next.That is, if the automaton contains an edge s a−→ s′, then thesystem can evolve from state s into state s′ by the executionof action a. One state is selected to be the root state, i.e.,the initial state of the automaton. However, for the purposeof mathematical reasoning it is often convenient to representautomaton algebraically in the form of terms.

For this aim, we use Milner’s Calculus of CommunicatingSystems (CCS)[3]. CCS is one of the most well known processalgebras and it is largely used for modeling concurrent anddistributed systems. Readers unfamiliar with CCS are referredto [3] for further details. CCS contains basic operators tobuild finite processes, communication operators to expressconcurrency, and some notion of recursion to capture infinitebehaviour. The semantics of a CCS term p is precisely definedby means of the structural operational semantics. The semanticdefinition is given by a set of conditional rules describingthe transition relation of the automaton corresponding tothe behavior expression defining p. This automaton is calledstandard transition system for p and is denoted by S(p).

More precisely, the syntax of processes is the following:

p ::= nil | α.p | p+ p | p|p | p\L | p[f ] | x

where α ranges over a finite set of actions A ={τ, a, a, b, b, ...}. Input actions are labeled with “non-barred”names, e.g. a, while output actions are “barred”, e.g. a. Theaction τ ∈ A is called internal action. The set L ranges oversets of visible actions (A−{τ}), f ranges over functions fromactions to actions, while x ranges over a set of constant names:each constant x is defined by a constant definition x def

= p.

We give the semantics for CCS by induction over thestructure of processes.

• The process nil can perform no actions.• The process α.p can perform the action α and thereby

become the process p.• The process p+ q can behave either as p or as q.• The operator | expresses parallel composition: if the pro-

cess p can perform α and become p′, then p|q can performα and become p′|q, and similarly for q. Furthermore, if pcan perform a visible action l and become p′, and q canperform l and become q′, then p|q can perform τ andbecome p′|q′.

• The operator \ expresses the restriction of actions. If pcan perform α and become p′, then p\L can perform αto become p′\L only if α, α 6∈ L.

• The operator [f ] expresses the relabeling of actions. Ifp can perform α and become p′, then p[f ] can performf(α) and become p′[f ].

• Each relabeling function f has the property that f(τ) =τ . Finally, a constant x behaves as p if x def

= p.

Equivalence checking is the process of determining whethertwo systems are equivalent to each other according to somemathematically defined notion of equivalence, such as strongand weak equivalence previously defined. The CCS language,like all other process algebras, can be used to describe bothimplementations of processes and specifications of their ex-pected behaviours. Therefore CCS supports the so-called sin-gle language approach to process theory, that is, the approachin which a single language is used to describe both actualprocesses and their specifications. One process description,say SYS, may describe an implementation, and another, saySPEC, may describe a specification of the expected behaviour.This approach to program verification is also sometimes calledimplementation verification. For example, if the observablebehaviour of a communications protocol is identical to thatof a perfect communication channel that delivers all messagesin order, then it would be justifiable to deem the protocolcorrect.

One of the most popular environments for verifying concur-rent systems is the Concurrency Workbench of New Century(CWB-NC) [4], which supports several different specificationlanguages, among which CCS. In the CWB-NC the verifi-cation can be based both on model checking [5] and onequivalence checking.

3

III. HOW TO GREASE IN A LOAN ORIGINATION PROCESS

Formal methods cannot be easily scaled due to the stateexplosion problem, which says that the state space growsexponentially in the number of concurrent processes. In fact,the parallelism between the processes of the system leads to anumber of reachable states which may become very large, insome cases on the order of millions or billions of states. Whenthe number of states is too large to fit in a computer’s mainmemory, verification quickly breaks down. Several approacheshave been developed to solve or reduce the state explosionproblem. We now present a methodology to combat the stateexplosion problem for equivalence checking.

In [2] an efficient approach based on heuristic searchtechniques to check equivalences has been defined. In general,a heuristic search strategy [1] uses an evaluation function todetermine the order in which the nodes in the search graphare selected for expansion. The evaluation function measuresthe distance to a goal node based on an heuristic functionwhich gives the estimated shortest distance from the givennode to a goal node. In [2] the equivalence checking hasbeen formalized as a search problem on AND/OR graphs.Moreover, an efficient equivalence checking procedure hasbeen proposed, defining a heuristic function that suggests toexpand first the states that offer the most promising way todeduce that two systems are not equivalent. This makes itpossible to avoid the exhaustive exploration of the global stategraph of the two systems when they are not equivalent. Oneof the authors of this paper has contributed to the design ofGrease1 (GREedy Algorithm for System Equivalence), a C++tool supporting the heuristic approach to check equivalence ofCCS processes. The use of Grease on a sample of small CCSprocesses has shown a significant reduction of both state-spacesize and time, compared to traditional equivalence checkingalgorithms. In this paper we evaluate the methodology on areal-world banking workflow of a loan origination process.

A. Banking Process Overview

As stated above, the application of formal techniques con-sists of an algorithmic approach to verification of such systemsthat can be represented by a formal model. According to thementioned outlook, these methodologies are primarily relatedto verification of hardware and software systems. However,formal techniques and tools have a number of features thatmake it possible to extend their use to specific businessdomains, including the formal verification of business pro-cesses that are mapped and administrated through the systemsof Workflow Management. The latter are generally used bymanagers to automate all or part of business processes byflushing documents, information and tasks from one par-ticipant to another, according to a set of procedural rules.With specific reference to dynamic workflows, i.e. those thatevolve according to the events that occur and to the waysin which tasks are handled by users, a particular problemis represented by fairness because it is necessary to ensurethat workflows have been defined adequately with regard to

1http://www2.ing.unipi.it/∼a080224/grease/

desired properties. To deal with this situation it is possible touse the formal verification techniques and the associated tools.The underlying idea consists in representing each businessprocess, including interactions between human components,databases, and hardware/software elements of the informationsystem as a finite state transition system [6], [7], [8]. However,the complexity of this approach ends to limit its applicabilityto restricted areas where its use is justified in the lightof economic considerations arising from the natural trade-off between the costs of implementation and the benefitsachieved. We refer in particular to those business processesso-called business-critical or commercially-critical, where thecharacteristics of fairness and integrity are prerequisites forthe success of a market or business transaction [9], [10],[11], [12], [13]. The above-mentioned banking process ofloan origination fits into this context. The need to increaseefficiency and reduce costs is pushing for a long time manybanks to review internal processes, models, organizationalprocedures and technological applications, in order to ensurecost-effectiveness and maintain, at the same time, a high levelof quality of services provided to customers. In this vein aresituated very important projects including the reengineering ofthe process of investigation and provision of different formsof credit on mortgages and personal loans, aimed in particularto the introduction of new procedures supported by WorkflowManagement tools [14], [15], [16]. We introduce, at this point,the banking process in question, providing a broad overview ofthe same thanks to typical logic of workflow tools. The processis instantiated whenever a customer of the bank applies for aloan and it starts with the update of customer data if he/she isalready present in the registry or with the insertion of a newrecord in the database if he/she is a new customer. Takinginto account the information provided, the process proceedswith the identification of the type of customer and with itssimultaneous location in the segmentation made by the bank.Then there is the need to make a series of internal and externalcontrols in order to assign a rating to the customer, which is asynthetic judgment of reliability based on assets and incomeof the same, thanks to which it is possible to express the levelof the loan credit-worthiness. Afterwards it is selected amongthe products that are part of the bank’s offer, the one whichcorresponds to the set of features and price conditions that fitsbetter the type of client that requested the funding. If the latteris satisfied with the proposal received, the bank proceeds tothe signing of the contract and, therefore, the formalization ofthe agreement, reaching the end of the process.

IV. EXPERIMENT RESULTS

In this section we present and discuss our experience withusing the Grease, implementing the heuristic-based approach,to verify the banking process previously described. The aim isto evaluate the performances of the approach and compare itagainst the CWB-NC. Experiments were executed on a 64 bit,2.67 GHz Intel i5 CPU equipped with 8 GiB of RAM and run-ning Gentoo Linux. The tool is freely available for downloadat the url http://www2.ing.unipi.it/∼a080224/grease/.

Figure 1 shows a typical loan origination process in thebanking domain, as previously described. To formally verify

4

Customer Clerk preprocessor

Clerk postprocessor

Supervisor Manager

Internal and External Rating

Loan Request

Input Customer Data and Identification

Customer Signature

Big Amount?

Rating Request

Internal Rating Verification

Possible Modifications

Pricing Bundled Product

Verification Request Price Bundled

Product

Three Attempts?

Negative feedback

Positive feedback

Manager Signature

No

No

Yes

Yes

No

Yes

Adequate?

Fig. 1: Loan origination workflow.

the banking process it is firstly required to give a formal spec-ification of each component of the system. Each componentof the banking process involves complex interactions since thecomponent can dialogue with other components. For example,the customer dialogue with the first phase clerk, for instanceto ask for a loan request.

Figure 2 shows a view of all the processes (the boxes in thefigure) involved in this loan origination process as well as thesynchronisations between these entities. Synchronisations aredenoted using lines joining the involved agents with actionsand their direction (prefixed by a quote for emissions).

All component have been specified in CCS; in Table Iwe show only the CCS specification of the first phase clerk,just to give the reader the flavor of the approach followed.From a textual CCS specification it is possible to generatethe corresponding labeled transition system, which can besuccessively used for equivalence checking. We prefer textualsyntax since it is more adapted to proof-writing and formalreasoning, as well as to the description of large-scale systems.Graphical notations are anyway complementary and can beused by user-friendly front-ends.

The results for the verification of our system using weakequivalence are shown in Table II. In the table the secondcolumn shows the results in terms of generating states (gen)and time, expressed in seconds, using Grease. The thirdcolumn should show the number of generated states and timeresulting from the CWB-NC. The CCS specification (namelyp) representing the CCS banking process has 105409 states and635905 transitions. To apply equivalence checking we have tospecify in CCS also the expected behaviours. Thus, in thefirst experiment we represent as CCS process (namely q) thefollowing requirement: ”the customer receives a copy of thecontract only if the loan application was successful”.

The result is that p is not weak equivalent to q, since it

must hold that the customer receives a copy of the contractnot only if the loan application was successful but also whenanother condition is satisfied, i.e., when the customers he hasaffixed his signature.

In the second experiment, we represent as CCS process(namely q) the following requirement: ”after a request by thecustomer for a loan, the procedure terminates with success”.

The result is that p is not weak equivalent to q, sinceobviously the procedure can terminate also with a failure.

It is worth pointing out that, differently from Grease, theCWB-NC is not able to give an answer, after waiting morethan half an hour for both the requirements. Therefore noverification can be performed. This is due to the big number ofstates. This confirms that our approach is more scalable thanCWB-NC.

Grease CWB-NC

gen time gen time

first requirement 16380 64.85 - -

second requirement 8163 8.53 - -

TABLE II: Results - weak equivalence.

V. CONCLUSIONS AND RELATED WORK

The work presented in this paper shows that equivalencechecking can be very useful to enhance the quality in thedoamin of business management. However, using traditionalequivalence checkers we find some difficulties to prove theconcreteness of real-world banking. This is mainly due to thestate explosion problem. To combat this problem we consideran efficient procedure, based on heuristic search, which uses

5

Fig. 2: Graphic representation of the interactions among all the components involved in a loan origination process.

proc FirstPhaseClerk =loanRequest.’informationRequest.customerInformation.(

’insertCustumerData.’ratingRequest.FirstPhaseClerk +’updateCustomerData.’ratingRequest.FirstPhaseClerk)

TABLE I: The CCS first phase clerk specification

a heuristic function that suggests to expand first the states thatoffer the most promising way to deduce that two systems arenot equivalent. This makes it possible to avoid the exhaustiveexploration of the global state graph of the two systems whenthey are not equivalent. We use Grease (GREedy Algorithmfor System Equivalence), a C++ tool supporting the heuristicapproach to check equivalence of CCS processes.

Our investigations suggest that the business community,especially in the banking filed, can benefit from the efficientheuristic-based methodology developed in the process algebraarea to prevent significant errors. A real-world banking work-

flow of a loan origination process was chosen as a case studyto demonstrate the usefulness of Grease which reduces thestate explosion problem.

As shown by the above experiments, Grease obtains goodresults when compared with CWB-NC both in performance,i.e., the speed at which the tool returns its results, and itsscalability, i.e., the extent to which the tool can manageincreasingly large systems.

Similarly to our investigation, in [17], the authors analysethe verification of the safety of a system (i.e., avoiding theundesired propagation of access rights or indirect access

6

through some other granted resource) which is one of thegoals of access control research. In particular, they con-sider delegation and revocation functionalities mainly focusingon organizational control principles. However, differently byour equivalence-checking approach, they propose a model-checking based methodology using SMV tool. Moreover, ouraim is also to reduce the state explosion problem arising whendealing with complex systems such as the loan originationprocesses in banking industry.

The most challenging task when applying automated formalverification in practice is to conquer the state explosionproblem. Several approaches have been developed to solveor reduce the state explosion problem for model checking.Among them, reduction techniques based on process equiv-alences [18], symbolic model checking techniques [19], on-the-fly techniques [20], partial order techniques [21], compo-sitional techniques [22], [23], and abstraction approaches [24].

For equivalence checking algorithms with minimal spacecomplexity are of particular interest. Two algorithmic familiescan be considered to perform the equivalence checking. Thefirst one is based on refinement principle: given an initialpartition, find the coarsest partition stable with respect tothe transition relation see for example the algorithm proposedby Paige and Tarjan in [25]. The other family of algorithmsis based on a Cartesian product traversal from the initialstate [26], [27]. These algorithms are both applied on thewhole state graph, and they require an explicit enumeration ofthis state space. This approach leads to the well-known stateexplosion problem. Classical reduction algorithms alreadyexist [28], [29], but they can be applied only when the wholestate space has been computed, which limits their interest. Apossible solution is to reduce the state graph before performingthe check as shown in [30], where symbolic representation ofthe state space is used.

Other algorithms are the ones by Bustan and Grumberg[31] and by Gentilini, Piazza and Policriti [32]. For aninput graph with N states, T transitions and S simulationequivalence classes, the space complexity of both algorithmsis O(S2+N logS). The approach of Gentilini et al. representsthe simulation problem as a generalised coarsest partitionproblem.

REFERENCES

[1] J. Pearl, Heuristics - intelligent search strategies for computer prob-lem solving, Addison-Wesley series in artificial intelligence, Addison-Wesley, 1984.

[2] A. Santone, Heuristic for simulation checking, in: Proceedings of the2011 International Conference on Artificial Intelligence, ICAI 2011,Vol. 1, 2011, pp. 293–299.

[3] R. Milner, Communication and concurrency, PHI Series in computerscience, Prentice Hall, 1989.

[4] R. Cleaveland, S. Sims, The ncsu concurrency workbench, in: R. Alur,T. A. Henzinger (Eds.), CAV, Vol. 1102 of Lecture Notes in ComputerScience, Springer, 1996, pp. 394–397.

[5] E. M. Clarke, O. Grumberg, D. Peled, Model checking, MIT Press, 2001.

[6] M. Kohlbacher, The effects of process orientation on customer satis-faction, product quality and time-based performance, 29th InternationalConference of the Strategic Management Society, Washington DC(2009).

[7] G. Gorry, M. S. Morton, A framework for management informationsystems, vol. 13, n. 1, Sloan Management Review (1971).

[8] R. Daft, Organization theory and design, South Western Educ Pub.(2009).

[9] R. Kaplan, D. Norton, The execution premium: linking strategy tooperations for competitive advantage, Harward Business School Press,Boston (2008).

[10] M. Porter, Competitive advantage, Free Press, New York (1985).[11] M. Morrow, M. Hazell, Activity mapping for business process redesign,

management accounting, feb. p. 36 (1992).[12] M. Hammer, J. Champy, Reengineering the corporation, Harper Busi-

ness, NY (1993).[13] T. Davenport, Process innovation, Harvard Business School Press,

Boston (1993).[14] S. Drew, Business re-engineering in financial services, Pitman Publish-

ing, London (1994).[15] G. De Laurentis, (edited by), Performance measurements frontiers in

banking and finance, Egea (2004).[16] P. Allen, Reengineering the bank, Probus Publishing Company (1994).[17] A. Schaad, V. Lotz, K. Sohr, A model-checking approach to analysing

organisational controls in a loan origination process, in: SACMAT, 2006,pp. 139–149.

[18] A. Bouajjani, J.-C. Fernandez, N. Halbwachs, Minimal model genera-tion, in: E. M. Clarke, R. P. Kurshan (Eds.), CAV, Vol. 531 of LectureNotes in Computer Science, Springer, 1990, pp. 197–203.

[19] K. L. McMillan, Symbolic model checking, Kluwer, 1993.[20] C. Jard, T. Jeron, Bounded-memory algorithms for verification on-the-

fly, in: Larsen and Skou [33], pp. 192–202.[21] P. Godefroid, Partial-Order Methods for the Verification of Concurrent

Systems - An Approach to the State-Explosion Problem, Vol. 1032 ofLecture Notes in Computer Science, Springer, 1996.

[22] E. M. Clarke, D. E. Long, K. L. McMillan, Compositional modelchecking, in: LICS, IEEE Computer Society, 1989, pp. 353–362.

[23] A. Santone, Automatic verification of concurrent systems using aformula-based compositional approach, Acta Inf. 38 (8) (2002) 531–564.

[24] E. M. Clarke, O. Grumberg, D. E. Long, Model checking and abstrac-tion, ACM Trans. Program. Lang. Syst. 16 (5) (1994) 1512–1542.

[25] R. Paige, R. E. Tarjan, Three partition refinement algorithms, SIAM J.Comput. 16 (6) (1987) 973–989.

[26] J.-C. Fernandez, L. Mounier, “on the fly“ verification of behaviouralequivalences and preorders, in: Larsen and Skou [33], pp. 181–191.

[27] J. Godskesen, K. Larsen, M. Zeeberg, TAV - tools for automaticverification: users manual, Institute for Electronic Systems, Departmentof Mathematics and Computer Science, The University of Aalborg, 1989.URL http://books.google.com/books?id=jiaJYgEACAAJ

[28] J.-C. Fernandez, An implementation of an efficient algorithm for bisim-ulation equivalence, Sci. Comput. Program. 13 (1) (1989) 219–236.

[29] P. C. Kanellakis, S. A. Smolka, Ccs expressions, finite state processes,and three problems of equivalence, Inf. Comput. 86 (1) (1990) 43–68.

[30] J.-C. Fernandez, A. Kerbrat, L. Mounier, Symbolic equivalence check-ing, in: Courcoubetis [34], pp. 85–96.

[31] D. Bustan, O. Grumberg, Simulation-based minimazation, ACM Trans.Comput. Log. 4 (2) (2003) 181–206.

[32] R. Gentilini, C. Piazza, A. Policriti, From bisimulation to simulation:Coarsest partition problems, J. Autom. Reasoning 31 (1) (2003) 73–103.

[33] K. G. Larsen, A. Skou (Eds.), Computer Aided Verification, 3rd In-ternational Workshop, CAV ’91, Aalborg, Denmark, July, 1-4, 1991,Proceedings, Vol. 575 of Lecture Notes in Computer Science, Springer,1992.

[34] C. Courcoubetis (Ed.), Computer Aided Verification, 5th InternationalConference, CAV ’93, Elounda, Greece, June 28 - July 1, 1993,Proceedings, Vol. 697 of Lecture Notes in Computer Science, Springer,1993.