Compliance by design for artifact-centric business processes

Compliance to legal regulations, internal policies, or best practices is becoming a more and more important aspect in business processes management. Compliance requirements are usually formulated in a set of rules that can be checked during or after the execution of the business process, called compliance by detection. If noncompliant behavior is detected, the business process needs to be redesigned. Alternatively, the rules can be already taken into account while modeling the business process to result in a business process that is compliant by design. This technique has the advantage that a subsequent verification of compliance is not required.     

SOA-enabled compliance management: instrumenting, assessing, and analyzing service-based business processes

Facilitating compliance management, that is, assisting a company’s management in conforming to laws, regulations, standards, contracts, and policies, is a hot but non-trivial task. The service-oriented architecture (SOA) has evolved traditional, manual business practices into modern, service-based IT practices that ease part of the problem: the systematic definition and execution of business processes. This, in turn, facilitates the online monitoring of system behaviors and the enforcement of allowed behaviors—all ingredients that can be used to assist compliance management on the fly during process execution. In this paper, instead of focusing on monitoring and runtime enforcement of rules or constraints, we strive for an alternative approach to compliance management in SOAs that aims at assessing and improving compliance. We propose two ingredients: (i) a model and tool to design compliant service-based processes and to instrument them in order to generate evidence of how they are executed and (ii) a reporting and analysis suite to create awareness of a company’s compliance state and to enable understanding why and where compliance violations have occurred. Together, these ingredients result in an approach that is close to how the real stakeholders—compliance experts and auditors—actually assess the state of compliance in practice and that is less intrusive than enforcing compliance.     

Algorithms for tractable compliance problems

In general the problem of verifying whether a structured business process is compliant with a given set of regulations is NP-hard. The present paper focuses on identifying a tractable subset of this problem, namely verifying whether a structured business process is compliant with a single global obligation. Global obligations are those whose validity spans for the entire execution of a business process. We identify two types of obligations: achievement and maintenance.In the present paper we firstly define an abstract framework capable to model the problem and secondly we define procedures and algorithms to deal with the compliance problem of checking the compliance of a structured business process with respect to a single global obligation. We show that the algorithms proposed in the paper run in polynomial time.     

A framework for visually monitoring business process compliance

Any enterprise must ensure that its business processes comply with imposed compliance rules. The latter stem, for example, from corporate guidelines, legal regulations, and best practices. In general, a compliance rule may constrain multiple perspectives of a business process, including behavior (i.e. control flow), data, time, resources, and interactions with business partners. As a particular challenge, compliance cannot be completely ensured at design time, but needs to be continuously monitored during process enactment as well, i.e., it has to be dynamically checked whether compliance rules are satisfied or temporarily/permanently violated. This paper presents a comprehensive framework for visually monitoring business process compliance. As opposed to existing approaches, the framework supports the visual monitoring of all relevant process perspectives based on the extended Compliance Rule Graph (eCRG) language. Furthermore, it not only allows for the detection of violations, but additionally highlights their causes. Finally, the framework assists users in both monitoring business process compliance and ensuring the compliant continuation of running business processes. Overall, the framework provides a fundamental contribution towards the real-time monitoring of compliance in process-driven enterprises.     

Using intentional fragments to bridge the gap between organizational and intentional levels

ContextBusiness process models provide a natural way to describe real-world processes to be supported by software-intensive systems. These models can be used to analyze processes in the system-as-is and describe potential improvements for the system-to-be. But, how well does a given business process model satisfy its business goals? How can different perspectives be integrated in order to describe an inter-organizational process?ObjectiveThe aim of the present paper is to link the local and the global perspectives of the inter-organizational business process defined in BPMN 2.0 (Business Process Model and Notation) to KAOS goal models (Keep All Objectives Satisfied). We maintain a separation of concerns between the intentional level captured by the goal model and the organizational level captured by the process model. The paper presents the concept of intentional fragment (a set of flow elements of the process with a common purpose) and assess its usefulness.MethodWe conducted empirical experiments where the proposed concepts – here the intentional fragments – are validated by users. Our method relies on an iterative improvement process led by users feedback.ResultsWe find that the concept of intentional fragment is useful for (1) analyzing the business process model (2) reasoning about the relations between the goal model and the business process model and (3) identifying new goals. In a previous work we focused on BPMN 2.0 collaboration models (local view). This paper extends the previous work by integrating the global view given by choreography models in the approach.ConclusionWe conclude that the notion of intentional fragment is a useful mean to relate business process models and goal models while dealing with their different nature (activity oriented vs goal oriented). Intentional fragments can also be used to analyze the process model and to infer new goals in an iterative manner.     

基于标注的业务过程合规性验证方法

当前,企业的业务活动受到越来越多的来自政府法律法规、行业标准及自身内控制度的规范约束。如何确保支撑企业业务活动的过程感知系统是合规的已成为信息系统(IS)研究领域的热点问题。确保过程模型的合规性是实现过程感知系统的合规性的重要前提。针对过程设计阶段过程模型的合规性,扩展前期关于语义标注过程模型的可执行性分析的工作,提出了基于标注的合规性验证方法。方法包括:合规性规则模式的标注表达式生成和基于合规性标注的过程模型的可执行性分析方法。合规性标注表达式描述了规则所关联的活动及其相应的合规性约束,对合规性验证的调试及运行时合规性检测评估能起到有效的支持作用;合规性标注的过程模型的可执行分析方法是利用满足性求解器对合规性信息标注后的过程模型是否可执行进行求解。通过银行开户的流程案例,证明了上述方法的有效性。     

A systematic literature review of studies on business process modeling quality

ContextBusiness process modeling is an essential part of understanding and redesigning the activities that a typical enterprise uses to achieve its business goals. The quality of a business process model has a significant impact on the development of any enterprise and IT support for that process.ObjectiveSince the insights on what constitutes modeling quality are constantly evolving, it is unclear whether research on business process modeling quality already covers all major aspects of modeling quality. Therefore, the objective of this research is to determine the state of the art on business process modeling quality: What aspects of process modeling quality have been addressed until now and which gaps remain to be covered?MethodWe performed a systematic literature review of peer reviewed articles as published between 2000 and August 2013 on business process modeling quality. To analyze the contributions of the papers we use the Formal Concept Analysis technique.ResultsWe found 72 studies addressing quality aspects of business process models. These studies were classified into different dimensions: addressed model quality type, research goal, research method, and type of research result. Our findings suggest that there is no generally accepted framework of model quality types. Most research focuses on empirical and pragmatic quality aspects, specifically with respect to improving the understandability or readability of models. Among the various research methods, experimentation is the most popular one. The results from published research most often take the form of intangible knowledge.ConclusionWe believe there is a lack of an encompassing and generally accepted definition of business process modeling quality. This evidences the need for the development of a broader quality framework capable of dealing with the different aspects of business process modeling quality. Different dimensions of business process quality and of the process of modeling still require further research.     

Business policy compliance in service-oriented systems

As business policies and environments change constantly, there is a need for service-oriented systems to be compliant, yet adaptive. The solution proposed in this paper is based on a clear architectural separation of policy specification, enforcement strategy and realization. Policy compliance is worked out as a rule transformation process mediating between the business policy language SBVR and Condition-Action (CA) rules. The solution supports adaptation caused by business policy evolution as well as adaptation caused by service evolution. In addition, the paper describes a novel truly service-oriented way of implementing compliance management and enforcement of business policies drawing on Adaptive Service Oriented Architecture (ASOA).     

GoBIS: An integrated framework to analyse the goal and business process perspectives in information systems

ContextOrganisational reengineering, continuous process improvement, alignment among complementary analysis perspectives, and information traceability are some current motivations to promote investment and scientific effort for integrating goal and business process perspectives. Providing support to integrate information systems analysis becomes a challenge in this complex setting.ObjectiveThe GoBIS framework integrates two goal and business process modelling approaches: i^⁎ (a goal-oriented modelling method) and Communication Analysis (a communication-oriented business process modelling method).MethodIn this paper, we describe the methodological integration of both methods with the aim of fulfilling several criteria: i) to rely on appropriate theories; ii) to provide abstract and concrete syntaxes; iii) to provide scenarios of application; iv) to develop tool support; v) to provide demonstrable benefits to potential adopters.ResultsWe provide guidelines for using the two modelling methods in a top-down analysis scenario. The guidelines are validated by means of a comparative experiment and a focus-group session with students.ConclusionsFrom a practitioner viewpoint (modeller and/or analyst), the guidelines facilitate the traceability between goal and business process models, the experimental results highlight the benefits of GoBIS in performance and usability perceptions, and demonstrate an improvement on the completeness of the latter having an impact on efficiency. From a researcher perspective, the validation has produced useful feedback for future research.     

An extended systematic literature review on provision of evidence for safety certification

ContextCritical systems in domains such as aviation, railway, and automotive are often subject to a formal process of safety certification. The goal of this process is to ensure that these systems will operate safely without posing undue risks to the user, the public, or the environment. Safety is typically ensured via complying with safety standards. Demonstrating compliance to these standards involves providing evidence to show that the safety criteria of the standards are met.ObjectiveIn order to cope with the complexity of large critical systems and subsequently the plethora of evidence information required for achieving compliance, safety professionals need in-depth knowledge to assist them in classifying different types of evidence, and in structuring and assessing the evidence. This paper is a step towards developing such a body of knowledge that is derived from a large-scale empirically rigorous literature review.MethodWe use a Systematic Literature Review (SLR) as the basis for our work. The SLR builds on 218 peer-reviewed studies, selected through a multi-stage process, from 4963 studies published between 1990 and 2012.ResultsWe develop a taxonomy that classifies the information and artefacts considered as evidence for safety. We review the existing techniques for safety evidence structuring and assessment, and further study the relevant challenges that have been the target of investigation in the academic literature. We analyse commonalities in the results among different application domains and discuss implications of the results for both research and practice.ConclusionThe paper is, to our knowledge, the largest existing study on the topic of safety evidence. The results are particularly relevant to practitioners seeking a better grasp on evidence requirements as well as to researchers in the area of system safety. As a major finding of the review, the results strongly suggest the need for more practitioner-oriented and industry-driven empirical studies in the area of safety certification.     

An iterative approach to synthesize business process templates from compliance rules

Companies have to adhere to compliance requirements. The compliance analysis of business operations is typically a joint effort of business experts and compliance experts. Those experts need to create a common understanding of business processes to effectively conduct compliance management. In this paper, we present a technique that aims at supporting this process. We argue that process templates generated out of compliance requirements provide a basis for negotiation among business and compliance experts. We introduce a semi-automated and iterative approach to the synthesis of such process templates from compliance requirements expressed in Linear Temporal Logic (LTL). We show how generic constraints related to business process execution are incorporated and present criteria that point at underspecification. Further, we outline how such underspecification may be resolved to iteratively build up a complete specification. For the synthesis, we leverage existing work on process mining and process restructuring. However, our approach is not limited to the control-flow perspective, but also considers direct and indirect data-flow dependencies. Finally, we elaborate on the application of the derived process templates and present an implementation of our approach.     

Problems and their mitigation in system and software architecting

ContextToday, software and embedded systems act as enablers for developing new functionality in traditional industries such as the automotive, process automation, and manufacturing automation domains. This differs from 25–30 years ago when these systems where based on electronics and electro-mechanical solutions. The architecture of the embedded system and of the software is important to ensure the qualities of these applications. However, the effort of designing and evolving the architecture is in practice often neglected during system development, whilst development efforts are centered on implementing new functionality.ObjectiveWe present problems and success factors that are central to the architectural development of software intensive systems in the domain of automotive and automation products as judged by practitioners.MethodThe method consisted of three steps. First, we used semi-structured interviews to collect data in an exploratory manner. As a second step, a survey based on problems extracted from the interview data was used to investigate the occurrence of these problems at a wider range of organizations. In order to identify and suggest how to mitigate the problems that were considered important, we finally performed root cause analysis workshops, and from these a number of success factors were elicited.ResultsA total of 21 problems have been identified based on the interview data, and these are related to the technical, organizational, project, and agreement processes. Based on the survey results, the following four problems were selected for a root cause analysis: (1) there is a lack of process for architecture development, (2) there is a lack of method or model to evaluate the business value when choosing the architecture, (3) there is a lack of clear long-term architectural strategy, and (4) processes and methods are less valued than knowledge and competence of individuals.ConclusionIn conclusion, the following identified success factors are crucial components to be successful in developing software intensive systems: (1) define an architectural strategy, (2) implement a process for architectural work, (3) ensure authority for architects, (4) clarify the business impact of the architecture, and (5) optimize on the project portfolio level instead of optimizing each project.     

Enforcement of entailment constraints in distributed service-based business processes

ContextA distributed business process is executed in a distributed computing environment. The service-oriented architecture (SOA) paradigm is a popular option for the integration of software services and execution of distributed business processes. Entailment constraints, such as mutual exclusion and binding constraints, are important means to control process execution. Mutually exclusive tasks result from the division of powerful rights and responsibilities to prevent fraud and abuse. In contrast, binding constraints define that a subject who performed one task must also perform the corresponding bound task(s).ObjectiveWe aim to provide a model-driven approach for the specification and enforcement of task-based entailment constraints in distributed service-based business processes.MethodBased on a generic metamodel, we define a domain-specific language (DSL) that maps the different modeling-level artifacts to the implementation-level. The DSL integrates elements from role-based access control (RBAC) with the tasks that are performed in a business process. Process definitions are annotated using the DSL, and our software platform uses automated model transformations to produce executable WS-BPEL specifications which enforce the entailment constraints. We evaluate the impact of constraint enforcement on runtime performance for five selected service-based processes from existing literature.ResultsOur evaluation demonstrates that the approach correctly enforces task-based entailment constraints at runtime. The performance experiments illustrate that the runtime enforcement operates with an overhead that scales well up to the order of several ten thousand logged invocations. Using our DSL annotations, the user-defined process definition remains declarative and clean of security enforcement code.ConclusionOur approach decouples the concerns of (non-technical) domain experts from technical details of entailment constraint enforcement. The developed framework integrates seamlessly with WS-BPEL and the Web services technology stack. Our prototype implementation shows the feasibility of the approach, and the evaluation points to future work and further performance optimizations.     

Generating optimized configurable business process models in scenarios subject to uncertainty

ContextThe quality of business process models (i.e., software artifacts that capture the relations between the organizational units of a business) is essential for enhancing the management of business processes. However, such modeling is typically carried out manually. This is already challenging and time consuming when (1) input uncertainty exists, (2) activities are related, and (3) resource allocation has to be considered. When including optimization requirements regarding flexibility and robustness it becomes even more complicated potentially resulting into non-optimized models, errors, and lack of flexibility.ObjectiveTo facilitate the human work and to improve the resulting models in scenarios subject to uncertainty, we propose a software-supported approach for automatically creating configurable business process models from declarative specifications considering all the aforementioned requirements.MethodFirst, the scenario is modeled through a declarative language which allows the analysts to specify its variability and uncertainty. Thereafter, a set of optimized enactment plans (each one representing a potential execution alternative) are generated from such a model considering the input uncertainty. Finally, to deal with this uncertainty during run-time, a flexible configurable business process model is created from these plans.ResultsTo validate the proposed approach, we conduct a case study based on a real business which is subject to uncertainty. Results indicate that our approach improves the actual performance of the business and that the generated models support most of the uncertainty inherent to the business.ConclusionsThe proposed approach automatically selects the best part of the variability of a declarative specification. Unlike existing approaches, our approach considers input uncertainty, the optimization of multiple objective functions, as well as the resource and the control-flow perspectives. However, our approach also presents a few limitations: (1) it is focused on the control-flow and the data perspective is only partially addressed and (2) model attributes need to be estimated.     

Managing project risk using combined analytic hierarchy process and risk map

The main purpose of the study is to develop an integrated framework for managing project risks by analyzing risk across project, work package and activity levels, and developing responses.Design/methodology/approachThe study first reviews the literature of various contemporary risk management frameworks in order to identify gaps in project risk management knowledge. Then it develops a conceptual risk management framework using combined analytic hierarchy process (AHP) and risk map for managing project risks. The proposed framework has then been applied to a 1500 km oil pipeline construction project in India in order to demonstrate its effectiveness. The concerned project stakeholders were involved through focus group discussions for applying the proposed risk management framework in the project under study.FindingsThe combined AHP and risk map approach is very effective to manage project risks across project, work package and activity levels. The risk factors in project level are caused because of external forces such as business environment (e.g. customers, competitors, technological development, politics, socio-economic environment). The risk factors in work package and activity levels are operational in nature and created due to internal causes such as lack of material and labor productivity, implementation issues, team ineffectiveness, etc.Practical implicationsThe suggested model can be applied to any complex project and helps manage risk throughout the project life cycle.Originality/valueBoth business and operational risks constitute project risks. In one hand, the conventional project risk management frameworks emphasize on managing business risks and often ignore operational risks. On the other hand, the studies that deal with operational risk often do not link them with business risks. However, they need to be addressed in an integrated way as there are a few risks that affect only the specific level. Hence, this study bridges the gaps.     

Supporting the verification of compliance to safety standards via model-driven engineering: Approach,tool-support and empirical validation

ContextMany safety–critical systems are subject to safety certification as a way to provide assurance that these systems cannot unduly harm people, property or the environment. Creating the requisite evidence for certification can be a challenging task due to the sheer size of the textual standards based on which certification is performed and the amenability of these standards to subjective interpretation.ObjectiveThis paper proposes a novel approach to aid suppliers in creating the evidence necessary for certification according to standards. The approach is based on Model-Driven Engineering (MDE) and addresses the challenges of using certification standards while providing assistance with compliance.MethodGiven a safety standard, a conceptual model is built that provides a succinct and explicit interpretation of the standard. This model is then used to create a UML profile that helps system suppliers in relating the concepts of the safety standard to those of the application domain, in turn enabling the suppliers to demonstrate how their system development artifacts comply with the standard.ResultsWe provide a generalizable and tool-supported solution to support the verification of compliance to safety standards. Empirical validation of the work is presented via an industrial case study that shows how the concepts of a sub-sea production control system can be aligned with the evidence requirements of the IEC61508 standard. A subsequent survey examines the perceptions of practitioners about the solution.ConclusionThe case study indicates that the supplier company where the study was performed found the approach useful in helping them prepare for certification of their software. The survey indicates that practitioners found our approach easy to understand and that they would be willing to adopt it in practice. Since the IEC61508 standard applies to multiple domains, these results suggest wider applicability and usefulness of our work.     

VIVACE: A framework for the systematic evaluation of variability support in process-aware information systems

ContextThe increasing adoption of process-aware information systems (PAISs) such as workflow management systems, enterprise resource planning systems, or case management systems, together with the high variability in business processes (e.g., sales processes may vary depending on the respective products and countries), has resulted in large industrial process model repositories. To cope with this business process variability, the proper management of process variants along the entire process lifecycle becomes crucial.ObjectiveThe goal of this paper is to develop a fundamental understanding of business process variability. In particular, the paper will provide a framework for assessing and comparing process variability approaches and the support they provide for the different phases of the business process lifecycle (i.e., process analysis and design, configuration, enactment, diagnosis, and evolution).MethodWe conducted a systematic literature review (SLR) in order to discover how process variability is supported by existing approaches.ResultsThe SLR resulted in 63 primary studies which were deeply analyzed. Based on this analysis, we derived the VIVACE framework. VIVACE allows assessing the expressiveness of a process modeling language regarding the explicit specification of process variability. Furthermore, the support provided by a process-aware information system to properly deal with process model variants can be assessed with VIVACE as well.ConclusionsVIVACE provides an empirically-grounded framework for process engineers that enables them to evaluate existing process variability approaches as well as to select that variability approach meeting their requirements best. Finally, it helps process engineers in implementing PAISs supporting process variability along the entire process lifecycle.     

Managing the alignment between business processes and software systems

ContextThe alignment degree existing between a business process and the supporting software systems strongly affects the performance of the business process execution. Methodologies and tools are needed for detecting the alignment level and keeping a business process aligned with the supporting software systems even when they evolve.ObjectiveThis paper aims to provide an adequate support for managing such a kind of alignment and suggesting evolution actions if misalignment is detected. It proposes an approach including modeling and measuring activities for evaluating the alignment level and suggesting evolution activities, if needed.MethodThe proposed approach is composed of three main phases. The first phase regards the modeling of business process and software systems supporting it by applying a modeling notation based on UML and adequately extended for representing business processes. The second phase concerns the evaluation of the alignment degree through the assessment of a set of metrics codifying the alignment concept. Finally, the last phase analyses the evaluation results for suggesting evolution activities if misalignment is detected.ResultsThe paper analyses the application of the proposed approach to a case study regarding a working business process and related software system. The obtained results provided useful suggestion for evolving the supporting software system and improving the alignment level existing between them and the supported business process.ConclusionThe approach contributes in all phases of the process and software system evolution, even if its improvement can be needed for identifying the impact of the changes. The proposed approach facilitates the understanding of business processes, software systems and related models. This favors the interaction of the software and business analysts, as it was possible to better formulate the interviews to be conducted with regard to the objectives and, thus, to collect the required data.     

A self-adjusting active compliance controller for multiple robots handling an object

This paper presents the concept and experimental validation of a self-adjusting active compliance controller for n robots handling its compliant behaviour concerning partly unknown flexible object. The control strategy is based on the decomposition of the 6n-dimensional position/force space and includes a feedforward and feedback level. The feedforward level contains motion coordination, force distribution of external forces, creation of internal forces, and an additional loop adding the elastic displacements due to the applied forces to the planned robot positions. The feedback level is organized in the form of an active compliance control law. For adjusting the controller to the, in general, unknown flexible behaviour, which in practice is the main problem of the controller design, a quasi-static model of the system is derived for different contact cases of the object and a procedure is presented, which by use of this model is capable of determining the compliance of the considered system and therefore of adjusting the controller. Experiments with two puma-type robots have been conducted to show the applicability of the self-adjusting control strategy. The task has been to grasp and move an unconstrained object. It is shown, that the system can adjust the control parameters to the unknown system compliance and that the control performance is improved considerably.