This document discusses an approach called "compliance by design" for ensuring that artifact-centric business processes are compliant with regulations. It involves:
1) Specifying a business process model, artifacts, agents, locations and goals
2) Translating legal texts into compliance rules
3) Modeling the compliance rules and integrating them with the business process model
4) Using tools to generate a compliant business process model that satisfies both behavioral and compliance requirements.
This approach aims to avoid subsequent proofs of compliance by building compliance into the design from the start. It also allows flexibility to change compliance rules without needing to regenerate the entire process model.
12. CORRECTNESS BY DESIGN 3
SPECIFICATION CORRECT MODEL
BEHAVIOR
SOUNDNESS
DESCRIPTION
COMPLIANCE RULES COMPLIANCE
13. CORRECTNESS BY DESIGN 3
3
SPECIFICATION CORRECT MODEL
BEHAVIOR
DESCRIPTION 2 SOUNDNESS
COMPLIANCE RULES 1 COMPLIANCE
14. COMPLIANCE RULES 4
LEGAL TEXTS + REGULATIONS
OFTEN PROCESS-INDEPENDENT
TRANSLATED INTO
RULES BY DOMAIN
EXPERTS
ASSUMPTION:
RULES AFFECT MODEL’S BEHAVIOR
15. COMPLIANCE RULES 4
LEGAL TEXTS + REGULATIONS
OFTEN PROCESS-INDEPENDENT
TRANSLATED INTO
RULES BY DOMAIN
EXPERTS
ASSUMPTION:
RULES AFFECT MODEL’S BEHAVIOR
“The action ‘create settlement’ must be executed
a"er ‘submit claim’, but before ‘archive claim’.”
16. COMPLIANCE RULES 4
LEGAL TEXTS + REGULATIONS
OFTEN PROCESS-INDEPENDENT
TRANSLATED INTO
RULES BY DOMAIN
EXPERTS
ASSUMPTION:
RULES AFFECT MODEL’S BEHAVIOR
“The action ‘create settlement’ must be executed
a"er ‘submit claim’, but before ‘archive claim’.”
17. COMPLIANCE RULES 4
LEGAL TEXTS + REGULATIONS
OFTEN PROCESS-INDEPENDENT
TRANSLATED INTO
RULES BY DOMAIN
EXPERTS
ASSUMPTION:
RULES AFFECT MODEL’S BEHAVIOR
“The action ‘create settlement’ must be executed
a"er ‘submit claim’, but before ‘archive claim’.”
18. COMPLIANCE RULES 4
LEGAL TEXTS + REGULATIONS
OFTEN PROCESS-INDEPENDENT
TRANSLATED INTO
RULES BY DOMAIN
EXPERTS
ASSUMPTION:
RULES AFFECT MODEL’S BEHAVIOR
“The action ‘create settlement’ must be executed
a"er ‘submit claim’, but before ‘archive claim’.”
19. MODELING COMPLIANCE RULES 5
SUBMIT CREATE ARCHIVE
CLAIM SETTLEMENT CLAIM
“The action ‘create settlement’ must be executed
a"er ‘submit claim’, but before ‘archive claim’.”
20. MODELING COMPLIANCE RULES 5
SUBMIT CREATE ARCHIVE
CLAIM SETTLEMENT CLAIM
“The action ‘create settlement’ must be executed
a"er ‘submit claim’, but before ‘archive claim’.”
21. MODELING COMPLIANCE RULES 5
SUBMIT CREATE ARCHIVE
CLAIM SETTLEMENT CLAIM
CREATE
SETTLEMENT
“The action ‘create settlement’ must be executed
a"er ‘submit claim’, but before ‘archive claim’.”
22. MODELING COMPLIANCE RULES 5
ARCHIVE
CLAIM
SUBMIT CREATE ARCHIVE
CLAIM SETTLEMENT CLAIM
CREATE
SETTLEMENT
“The action ‘create settlement’ must be executed
a"er ‘submit claim’, but before ‘archive claim’.”
23. EXPRESSIVENESS 6
✔ ENFORCEMENT/EXCLUSION OF
ACTIONS AND DATA STATES
✔ ORDERING AND NUMBERING CONSTRAINTS
✔ DATA AND CONTROL FLOW CONCURRENCE
✔ FINITE LTL-X
27. ARTIFACT-CENTRIC BUSINESS PROCESS 7
CREATED
ACCEPTED RECEIVED
REJECTED CONFIRMED
QUOTE
ORDER FILED
“NOUN-CENTRIC”
DECLARATIVE
SENT
PAID ASSEMBLED
INVOICE PACKAGED
CARGO SHIPPED
[LOHMANN AND WOLF, ICSOC 2010]
28. ARTIFACT-CENTRIC BUSINESS PROCESS 7
CREATED
ACCEPTED RECEIVED
REJECTED CONFIRMED
QUOTE
ORDER FILED
“NOUN-CENTRIC”
DECLARATIVE
SENT
PAID ASSEMBLED
INVOICE PACKAGED
CARGO SHIPPED
[LOHMANN AND WOLF, ICSOC 2010]
29. ARTIFACTS 8
OBJECT LIFE CYCLE
EMPTY MODELS ARTIFACT’S
EVOLUTION
CREATED
ACCEPTED REJECTED
QUOTE
[LOHMANN AND WOLF, ICSOC 2010]
30. ARTIFACTS 8
OBJECT LIFE CYCLE
EMPTY MODELS ARTIFACT’S
EVOLUTION
SELLER
CREATED AGENTS
MAY EXECUTE
ARTIFACT’S TASKS
CUSTOMER CUSTOMER
ACCEPTED REJECTED
QUOTE
[LOHMANN AND WOLF, ICSOC 2010]
31. ARTIFACTS 8
OBJECT LIFE CYCLE
EMPTY MODELS ARTIFACT’S
EVOLUTION
SELLER @ SELLER
CREATED AGENTS
MAY EXECUTE
ARTIFACT’S TASKS
CUSTOMER CUSTOMER
LOCATIONS
ACCEPTED REJECTED INFLUENCE
QUOTE EXECUTABILITY @ SELLER
[LOHMANN AND WOLF, ICSOC 2010]
32. ARTIFACT-CENTRIC BUSINESS PROCESS 9
9
ARTIFACTS
+ AGENTS >
>
>
+ LOCATIONS >
>
>
= receive
order
create
quote
send
quote
quote
rejected
! POLICIES
>
>
quote
accepted +
confirm
order
send
invoice
payment
received +
>
> assemble ship
>
cargo cargo
>
; SOUND
✔ GOAL STATES BUSINESS PROCESS
[LOHMANN AND WOLF, ICSOC 2010]
33. ARTIFACT-CENTRIC BUSINESS PROCESS 9
9
ARTIFACTS >
+ AGENTS >
>
+ LOCATIONS >
>
>
=
!
receive create send quote
order quote quote rejected
POLICIES confirm
order
>
>
quote
accepted + send
invoice
payment
received +
✔ >
GOAL STATES >
assemble
cargo
ship
cargo
>
> SOUND AND
COMPLIANCE ; COMPLIANT
RULES BUSINESS PROCESS
34. ARTIFACT-CENTRIC BUSINESS PROCESS 9
9
ARTIFACTS > TOOL
+ AGENTS >
> SUPPORT
+ LOCATIONS >
>
>
=
POLICIES
>
>
>
GOAL STATES >
>
> SOUND AND
COMPLIANCE ; COMPLIANT
RULES BUSINESS PROCESS
35. POLICIES VS. COMPLIANCE RULES 10
POLICIES
! CONSTRAIN ARTIFACT BEHAVIOR
MAY DISABLE ARBITRARY ACTIONS
COMPLIANCE RULES
MONITOR ARTIFACT BEHAVIOR
MUST NOT DISABLE ACTIONS
NONCOMPLIANCE IS REFLECTED
BY NONFINAL STATES
36. DIAGNOSIS INFORMATION 11
COMPLIANCE BY DETECTION
CORRECT MODEL
REPAIR
CHECK COUNTEREXAMPLE MEANS:
CURRENT MODEL IS
SPECIFICATION
NONCOMPLIANT (YET..?)
COMPLIANCE BY CONSTRUCTION
COUNTEREXAMPLE MEANS:
PROCESS SPECIFICATION
CANNOT BE MADE SPECIFICATION CORRECT MODEL
COMPLIANT
37. TAKE-HOME POINTS 12
COMPLIANCE BY DESIGN
1 AVOIDS SUBSEQUENT PROOFS
EXPRESSIVENESS
2 A LOT OF RULES CAN BE EXPRESSED
FLEXIBILITY
3 CHANGED RULES = REPEAT GENERATION
COMPLETENESS
4 GENERATE MAXIMAL COMPLIANT MODEL
38. COMPLIANCE BY DESIGN
FOR ARTIFACT-CENTRIC
BUSINESS PROCESSES
niels.lohmann@uni-rostock.de
http://about.me/nlohmann
Niels Lohmann