Compliance by design for artifact-centric business processes

Compliance to legal regulations, internal policies, or best practices is becoming a more and more important aspect in business processes management. Compliance requirements are usually formulated in a set of rules that can be checked during or after the execution of the business process, called compliance by detection. If noncompliant behavior is detected, the business process needs to be redesigned. Alternatively, the rules can be already taken into account while modeling the business process to result in a business process that is compliant by design. This technique has the advantage that a subsequent verification of compliance is not required.     

Enforcement of entailment constraints in distributed service-based business processes

ContextA distributed business process is executed in a distributed computing environment. The service-oriented architecture (SOA) paradigm is a popular option for the integration of software services and execution of distributed business processes. Entailment constraints, such as mutual exclusion and binding constraints, are important means to control process execution. Mutually exclusive tasks result from the division of powerful rights and responsibilities to prevent fraud and abuse. In contrast, binding constraints define that a subject who performed one task must also perform the corresponding bound task(s).ObjectiveWe aim to provide a model-driven approach for the specification and enforcement of task-based entailment constraints in distributed service-based business processes.MethodBased on a generic metamodel, we define a domain-specific language (DSL) that maps the different modeling-level artifacts to the implementation-level. The DSL integrates elements from role-based access control (RBAC) with the tasks that are performed in a business process. Process definitions are annotated using the DSL, and our software platform uses automated model transformations to produce executable WS-BPEL specifications which enforce the entailment constraints. We evaluate the impact of constraint enforcement on runtime performance for five selected service-based processes from existing literature.ResultsOur evaluation demonstrates that the approach correctly enforces task-based entailment constraints at runtime. The performance experiments illustrate that the runtime enforcement operates with an overhead that scales well up to the order of several ten thousand logged invocations. Using our DSL annotations, the user-defined process definition remains declarative and clean of security enforcement code.ConclusionOur approach decouples the concerns of (non-technical) domain experts from technical details of entailment constraint enforcement. The developed framework integrates seamlessly with WS-BPEL and the Web services technology stack. Our prototype implementation shows the feasibility of the approach, and the evaluation points to future work and further performance optimizations.     

A framework for visually monitoring business process compliance

Any enterprise must ensure that its business processes comply with imposed compliance rules. The latter stem, for example, from corporate guidelines, legal regulations, and best practices. In general, a compliance rule may constrain multiple perspectives of a business process, including behavior (i.e. control flow), data, time, resources, and interactions with business partners. As a particular challenge, compliance cannot be completely ensured at design time, but needs to be continuously monitored during process enactment as well, i.e., it has to be dynamically checked whether compliance rules are satisfied or temporarily/permanently violated. This paper presents a comprehensive framework for visually monitoring business process compliance. As opposed to existing approaches, the framework supports the visual monitoring of all relevant process perspectives based on the extended Compliance Rule Graph (eCRG) language. Furthermore, it not only allows for the detection of violations, but additionally highlights their causes. Finally, the framework assists users in both monitoring business process compliance and ensuring the compliant continuation of running business processes. Overall, the framework provides a fundamental contribution towards the real-time monitoring of compliance in process-driven enterprises.     

Normative requirements for regulatory compliance: An abstract formal framework

By definition, regulatory rules (in legal context called norms) intend to achieve specific behaviour from business processes, and might be relevant to the whole or part of a business process. They can impose conditions on different aspects of process models, e.g., control-flow, data and resources etc. Based on the rules sets, norms can be classified into various classes and sub-classes according to their effects. This paper presents an abstract framework consisting of a list of norms and a generic compliance checking approach on the idea of (possible) execution of processes. The proposed framework is independent of any existing formalism, and provides a conceptually rich and exhaustive ontology and semantics of norms needed for business process compliance checking. Apart from the other uses, the proposed framework can be used to compare different compliance management frameworks (CMFs).     

An artist life cycle model for digital media content: Strategies for the Light Web and the Dark Web

This paper surveys and categorizes emerging digital media business models. We apply the customer activity cycle of Vandermerwe (2000) to the consumption of digital media, taking three phases into account: pre-consumption, consumption and post-consumption. Our analysis of the business models focuses on their social costs and benefits. We derive the parameters as follows: convenience of use, exposure, ease of compliance and administration. We distinguish two polar environments for digital media: the Dark Web with content created by the masses, and the Light Web with content created by big media. We develop an artist life cycle model in which different business models appear to be optimal at different stages of an artist’s career. Voluntary payment-based models seem to be ideal for newcomers in the Dark Web, while digital rights management-based and complementary product and service-based models are the likely choice of established artists in the Light Web. Established artists might change their approach again, using voluntary payment-based or complementary product and service-based models when they retire.     

Real-time risk monitoring in business processes: A sensor-based approach

This article proposes an approach for real-time monitoring of risks in executable business process models. The approach considers risks in all phases of the business process management lifecycle, from process design, where risks are defined on top of process models, through to process diagnosis, where risks are detected during process execution. The approach has been realized via a distributed, sensor-based architecture. At design-time, sensors are defined to specify risk conditions which when fulfilled, are a likely indicator of negative process states (faults) to eventuate. Both historical and current process execution data can be used to compose such conditions. At run-time, each sensor independently notifies a sensor manager when a risk is detected. In turn, the sensor manager interacts with the monitoring component of a business process management system to prompt the results to process administrators who may take remedial actions. The proposed architecture has been implemented on top of the YAWL system, and evaluated through performance measurements and usability tests with students. The results show that risk conditions can be computed efficiently and that the approach is perceived as useful by the participants in the tests.     

Measurement of Compliance Distance in Business Processes

Abstract

Ensuring that work practice is compliant to regulations and industrial standards is an increasingly important issue in business systems. Whereas as an understanding of control objectives that stem from various legislative, standard and contractual sources may be found at strategic or tactical levels, an assessment of their effective adoption in operational practices is extremely hard. In this paper, we propose a method for assessing the level of compliance in business work practice. The method builds upon business process management platforms, and provides the ability to objectively measure the compliance distance of existing processes within the organization. This in turn empowers process designers and business analysts to quantify the effort required to achieve a compliant process.     

Specification, decomposition and agent synthesis for situation-aware service-based systems

Service-based systems are distributed computing systems with the major advantage of enabling rapid composition of distributed applications, such as collaborative research and development, e-business, health care, military applications and homeland security, regardless of the programming languages and platforms used in developing and running various components of the applications. In dynamic service-oriented computing environment, situation awareness (SAW) is needed for system monitoring, adaptive service coordination and flexible security policy enforcement. To greatly reduce the development effort of SAW capability in service-based systems and effectively support runtime system adaptation, it is necessary to automate the development of reusable and autonomous software components, called SAW agents, for situation-aware service-based systems. In this paper, a logic-based approach to declaratively specifying SAW requirements, decomposing SAW specifications for efficient distributed situation analysis, and automated synthesis of SAW agents is presented. This approach is based on AS³ calculus and logic, and our declarative model for SAW. Evaluation results of our approach are also presented.     

On enabling integrated process compliance with semantic constraints in process management systems

Key to broad use of process management systems (PrMS) in practice is their ability to foster and ease the implementation, execution, monitoring, and adaptation of business processes while still being able to ensure robust and error-free process enactment. To meet these demands a variety of mechanisms has been developed to prevent errors at the structural level (e.g., deadlocks). In many application domains, however, processes often have to comply with business level rules and policies (i.e., semantic constraints) as well. Hence, to ensure error-free executions at the semantic level, PrMS need certain control mechanisms for validating and ensuring the compliance with semantic constraints. In this paper, we discuss fundamental requirements for a comprehensive support of semantic constraints in PrMS. Moreover, we provide a survey on existing approaches and discuss to what extent they are able to meet the requirements and which challenges still have to be tackled. In order to tackle the particular challenge of providing integrated compliance support over the process lifecycle, we introduce the SeaFlows framework. The framework introduces a behavioural level view on processes which serves a conceptual process representation for constraint specification approaches. Further, it provides general compliance criteria for static compliance validation but also for dealing with process changes. Altogether, the SeaFlows framework can serve as formal basis for realizing integrated support of semantic constraints in PrMS.     

Business policy compliance in service-oriented systems

As business policies and environments change constantly, there is a need for service-oriented systems to be compliant, yet adaptive. The solution proposed in this paper is based on a clear architectural separation of policy specification, enforcement strategy and realization. Policy compliance is worked out as a rule transformation process mediating between the business policy language SBVR and Condition-Action (CA) rules. The solution supports adaptation caused by business policy evolution as well as adaptation caused by service evolution. In addition, the paper describes a novel truly service-oriented way of implementing compliance management and enforcement of business policies drawing on Adaptive Service Oriented Architecture (ASOA).     

Deriving business processes with service level agreements from early requirements

When designing a service-based business process employing loosely coupled services, one is not only interested in guaranteeing a certain flow of work, but also in how the work will be performed. This involves the consideration of non-functional properties which go from execution time and costs, to trust and security. Ideally, a designer would like to have guarantees over the behavior of the services involved in the process. These guarantees are the object of Service Level Agreements.We propose a methodology to design service-based business processes together with Service Level Agreements that guarantee a certain quality of execution, with particular emphasis on security. Starting from an early requirements analysis modeled in the Secure Tropos formalism, we provide a set of user-guided transformations and reasoning tools the final output of which is a set of processes in the form of Secure BPELs together with a set of Service Level Agreements to be signed by participating services. To show the potential impact of the approach, we illustrate the functioning of the methodology on a collaborative procurement scenario derived from the application domain of a research project.     

A service-based architecture for dynamically reconfigurable workflows

In the last few years, business process management systems have been employed for handling information systems of ever increasing complexity. As a consequence, the adoption of modelling languages enabling smooth and seamless transitions among the various phases of the process lifecycle, the ability of exploiting coordination schema over distributed execution contexts and the support for dynamic evolution and reconfiguration have become software engineering issues of great importance. This paper proposes the use of PN-Engine, a decentralized Petri nets execution engine, as a business process enactment engine. PN-Engine, which is based on the Jini service architecture, supports the decentralized execution of process models specified as Petri nets (PNs) enhanced with modular constructs and offers suitable mechanisms for dealing with the aforementioned design issues. PN-Engine allows to deploy and enact a new version of an existing process model without requiring the stopping/removal of older instances that are still running. The paper presents a novel approach enabling a decentralized migration procedure where concurrent portions of older instances migrate asynchronously to the new process model. Advantages of the proposed approach are demonstrated by means of an example concerning a workflow for a wine-production process.     

HiPoLDS: A Hierarchical Security Policy Language for Distributed Systems

Expressing security policies to govern distributed systems is a complex and error-prone task. Policies are hard to understand, often expressed with unfriendly syntax, making it difficult for security administrators and for business analysts to create intelligible specifications. We introduce the Hierarchical Policy Language for Distributed Systems (HiPoLDS), which has been designed to enable the specification of security policies in distributed systems in a concise, readable, and extensible way. HiPoLDS design focuses on decentralized execution environments under the control of multiple stakeholders. It represents policy enforcement through the use of distributed reference monitors, which control the flow of information between services. HiPoLDS allows the definition of both abstract and concrete policies, expressing respectively high-level properties required and concrete implementation details to be ultimately introduced into the service implementation.     

Software stories: three cultural perspectives on the organizational practices of software development

Postindustrial organizations have come to depend upon the steady production and modification of software products to meet their competitive needs. This study reports insights into software development practices that were revealed through a cultural interpretation of organizational stories told by members of SWC, a company engaged in software development. Through interviews with 38 members of SWC, 83 stories were extracted and analyzed to identify their main themes. By grouping these content themes, we produced nine broader cultural themes that represented the organization's cultural context. Two management practices applied in SWC—development team organization and outsourcing—were subjected to an analysis in which cultural themes were interpreted from each of three perspectives proposed by Martin, J. [(1992) Cultures in Organisations; Three Perspectives. New York: Oxford University Press]: integration, differentiation, and fragmentation.The interpretation provides a rich reading of SWC's cultural context. Despite management attempts to develop a unified culture based on collaboration and communication among development groups, the team approach to software development was problematic. Imposing teamwork upon groups that manifested distinct subcultural differences disturbed the work life of group members, and the change was only partially successful. SWC's management also sought survival and tighter strategic focus through an outsourcing arrangement. However, our interpretation identified significant difficulties created by the partnership between two organizations with very different cultures. The presence of the outsourcing partner also brought greater uncertainty and ambiguity because work priorities and practices were subject to constant renegotiation. Members from both organizations dealt with contradictions between their previous norms, values and work practices and those required by the new relationship.Overall, our analysis demonstrates the importance of understanding the cultural foundation of management practices used in software development. These practices evoke interpretations from members of a culture, who collectively redefine what might have been intended. A cultural analysis may prepare management to move more gradually or to introduce special approaches to managing change.     

On the adoption of blockchain for business process monitoring

Being the blockchain and distributed ledger technologies particularly suitable to create trusted environments where participants do not trust each other, business process management represents a proper setting in which these technologies can be adopted. In this direction, current research work primarily focuses on blockchain-oriented business process design, or on execution engines able to enact processes through smart contracts. Conversely, less attention has been paid to study if and how blockchains can be beneficial to business process monitoring. This work aims to fill this gap by (1) providing a reference architecture for enabling the adoption of blockchain technologies in business process monitoring solutions, (2) defining a set of relevant research challenges derived from this adoption, and (3) discussing the current approaches to address the aforementioned challenges.

     

Hybrid business process modeling for the optimization of outcome data

Context: Declarative business processes are commonly used to describe permitted and prohibited actions in a business process. However, most current proposals of declarative languages fail in three aspects: (1) they tend to be oriented only towards the execution order of the activities; (2) the optimization is oriented only towards the minimization of the execution time or the resources used in the business process; and (3) there is an absence of capacity of execution of declarative models in commercial Business Process Management Systems.Objective: This contribution aims at taking into account these three aspects, by means of: (1) the formalization of a hybrid model oriented towards obtaining the outcome data optimization by combining a data-oriented declarative specification and a control-flow-oriented imperative specification; and (2) the automatic creation from this hybrid model to an imperative model that is executable in a standard Business Process Management System.Method: An approach, based on the definition of a hybrid business process, which uses a constraint programming paradigm, is presented. This approach enables the optimized outcome data to be obtained at runtime for the various instances.Results: A language capable of defining a hybrid model is provided, and applied to a case study. Likewise, the automatic creation of an executable constraint satisfaction problem is addressed, whose resolution allows us to attain the optimized outcome data. A brief computational study is also shown.Conclusion: A hybrid business process is defined for the specification of the relationships between declarative data and control-flow imperative components of a business process. In addition, the way in which this hybrid model automatically creates an entirely imperative model at design time is also defined. The resulting imperative model, executable in any commercial Business Process Management System, can obtain, at execution time, the optimized outcome data of the process.     

Improving process models by discovering decision points

Workflow management systems (WfMS) are widely used by business enterprises as tools for administrating, automating and scheduling the business process activities with the available resources. Since the control flow specifications of workflows are manually designed, they entail assumptions and errors, leading to inaccurate workflow models. Decision points, the XOR nodes in a workflow graph model, determine the path chosen toward completion of any process invocation. In this work, we show that positioning the decision points at their earliest points can improve process efficiency by decreasing their uncertainties and identifying redundant activities. We present novel techniques to discover the earliest positions by analyzing workflow logs and to transform the model graph. The experimental results show that the transformed model is more efficient with respect to its average execution time and uncertainty, when compared to the original model.     

Use of portable ladders – field observations and self-reported safety performance in the cable TV industry

Abstract

Portable ladders incidents remain a major cause of falls from heights. This study reported field observations of environments, work conditions and safety behaviour involving portable ladders and their correlations with self-reported safety performance. Seventy-five professional installers of a company in the cable and other pay TV industry were observed for 320 ladder usages at their worksites. The participants also filled out a questionnaire to measure self-reported safety performance. Proper setup on slippery surfaces, correct method for ladder inclination setup and ladder secured at the bottom had the lowest compliance with best practices and training guidelines. The observation compliance score was found to have significant correlation with straight ladder inclined angle (Pearson’s r = 0.23, p < 0.0002) and employees’ self-reported safety participation (r = 0.29, p < 0.01). The results provide a broad perspective on employees’ safety compliance and identify areas for improving safety behaviours.

Practitioner Summary: A checklist was used while observing professional installers of a cable company for portable ladder usage at their worksites. Items that had the lowest compliance with best practices and training guidelines were identified. The results provide a broad perspective on employees’ safety compliance and identify areas for improving safety behaviours.     

An iterative approach to synthesize business process templates from compliance rules

Companies have to adhere to compliance requirements. The compliance analysis of business operations is typically a joint effort of business experts and compliance experts. Those experts need to create a common understanding of business processes to effectively conduct compliance management. In this paper, we present a technique that aims at supporting this process. We argue that process templates generated out of compliance requirements provide a basis for negotiation among business and compliance experts. We introduce a semi-automated and iterative approach to the synthesis of such process templates from compliance requirements expressed in Linear Temporal Logic (LTL). We show how generic constraints related to business process execution are incorporated and present criteria that point at underspecification. Further, we outline how such underspecification may be resolved to iteratively build up a complete specification. For the synthesis, we leverage existing work on process mining and process restructuring. However, our approach is not limited to the control-flow perspective, but also considers direct and indirect data-flow dependencies. Finally, we elaborate on the application of the derived process templates and present an implementation of our approach.     

What are the roles of software product managers? An empirical investigation

Software product management covers both technical and business activities to management of products like roadmaps, strategic, tactical, and release planning. In practice, one product manager is seldom responsible for all these activities but several persons share the responsibilities. Therefore, it is important to understand the boundaries of product managers’ work in managing software products, as well as the impact a product manager has on the company business. The purpose of the study is to clarify what roles of software product managers exist and understand how these roles are interrelated with each other and the whole structure and business of an organization. The study is designed as an interpretative qualitative study using grounded theory as the research method. Based on the gathered data we developed a framework that reveals the role of a product manager in the organization and shows how this role can evolve by extending the level of responsibilities. Using the framework, we identified four stereotypical roles of product managers in the studied organizations: experts, strategists, leaders, and problem solvers. The presented framework shows that product managers’ roles are not limited to the conception of the “mini-CEO.” The results allow product managers and top management to collaborate effectively by assigning responsibilities and managing expectations by having a common tool for understanding the role of product managers in the organization.