SeaFlows Toolset - Compliance Verification Made Easy for Process-aware Information Systems

In the light of an increasing demand on business process compliance, the verication of process models against compliance rules has become essential in enterprise computing. The SeaFlows Toolset featured in this paper extends process-aware information systems with compliance checking functionality. It provides a user-friendly environment for modeling compliance rules using a graph-based formalism and for enriching process models with these rules. To address a multitude of verification settings, we provide two complementary compliance checking approaches: The structural compliance checking approach derives structural criteria from compliance rules and applies them to detect incompliance. The data-aware behavioral compliance checking approach addresses the state explosion problem that can occur when the data dimension is explored during compliance checking. It performs context-sensitive automatic abstraction to derive an abstract process model which is more compact with regard to the data dimension enabling more efficient compliance checking. Altogether, SeaFlows Toolset constitutes a comprehensive and extensible framework for compliance checking of process models

SeaFlows – A Compliance Checking Framework for Supporting the Process Lifecycle

Compliance-awareness is undoubtedly of utmost importance for companies nowadays. Even though an automated approach to compliance checking and enforcement has been advocated in recent literature as a means to tame the high costs for compliance-awareness, the potential of automated mechanisms for supporting business process compliance is not yet depleted. Business process compliance deals with the question whether business processes are designed and executed in harmony with imposed regulations. In this thesis, we propose a compliance checking framework for automating business process compliance verification within process management systems (PrMSs). Such process-aware information systems constitute an ideal environment for the systematic integration of automated business process compliance checking since they bring together different perspectives on a business process and provide access to process data. The objective of this thesis is to devise a framework that enhances PrMSs with compliance checking functionality. As PrMSs enable both the design and the execution of business processes, the designated compliance checking framework must accommodate mechanisms to support these different phases of the process lifecycle. A compliance checking framework essentially consists of two major building blocks: a compliance rule language to capture compliance requirements in a checkable manner and compliance checking mechanisms for verification of process models and process instances. Key to the practical application of a compliance checking framework will be its ability to provide comprehensive and meaningful compliance diagnoses. Based on the requirements analysis and meta-analyses, we developed the SeaFlows compliance checking framework proposed in this thesis. We introduce the compliance rule graph (CRG) language for modeling declarative compliance rules. The language provides modeling primitives with a notation based on nodes and edges. A compliance rule is modeled by defining a pattern of activity executions activating a compliance rule and consequences that have to apply once a rule becomes activated. In order to enable compliance verification of process models and process instances, the CRG language is operationalized. Key to this approach is the exploitation of the graph structure of CRGs for representing compliance states of the respective CRGs in a transparent and interpretable manner. For that purpose, we introduce execution states to mark CRG nodes in order to indicate which parts of the CRG patterns can be observed in a process execution. By providing rules to alter the markings when a new event is processed, we enable to update the compliance state for each observed event. The beauty of our approach is that both design and runtime can be supported using the same mechanisms. Thus, no transformation of compliance rules in different representations for process model verification or for compliance monitoring becomes necessary. At design time, the proposed approach can be applied to explore a process model and to detect which compliance states with respect to imposed CRGs a process model is able to yield. At runtime, the effective compliance state of process instances can be monitored taking also the future predefined in the underlying process model into account. As compliance states are encoded based on the CRG structure, fine-grained and intelligible compliance diagnoses can be derived in each detected compliance state. Specifically, it becomes possible to provide feedback not only on the general enforcement of a compliance rule but also at the level of particular activations of the rule contained in a process. In case of compliance violations, this can explain and pinpoint the source of violations in a process. In addition, measures to satisfy a compliance rule can be easily derived that can be seized for providing proactive support to comply. Altogether, the SeaFlows compliance checking framework proposed in this thesis can be embedded into an overall integrated compliance management framework

On Enabling Data-Aware Compliance Checking of Business Process Models

In the light of an increasing demand on business process compliance, the verication of process models against compliance rules has become essential in enterprise computing. To be broadly applicable compliance checking has to support data-aware compliance rules as well as to consider data conditions within a process model. Independently of the actual technique applied to accomplish compliance checking, dataawareness means that in addition to the control ow dimension, the data dimension has to be explored during compliance checking. However, naive exploration of the data dimension can lead to state explosion. We address this issue by introducing an abstraction approach in this paper. We show how state explosion can be avoided by conducting compliance checking for an abstract process model and abstract compliance rules. Our abstraction approach can serve as preprocessing step to the actual compliance checking and provides the basis for more ecient application of existing compliance checking algorithms

Enhancing BPMN Conformance Checking with OR Gateways and Data Objects

Äriprotsessimudel ja -notatsioon (BPMN) on arenev standard äriprotsesside graafiliseks kujutamiseks. Protsessimudel kirjeldab, kuidas äriprotsess peaks toimima. Kui äriprotsessi tegelikust käitamisest on saadaval ka sündmuste logi, on võimalik vastata küsimusele, kas protsessimudel vastab tegelikkusele. Vastavusanalüüs püüab tuvastada mittevastavusi protsessimudeli ja äriprotsessi käitamisel tekkinud sündmuste logi vahel. BPMN vastavuseanalüsaator on üks Itaalia ettevõtte SIAV-i poolt arendatud protsessikaeve tööriista osadest. Nimetatud tööriistal on aga puudujäägid formaalse semantika osas. Nimelt keskendub vastavusanalüüs järgnevuse voole (control-flow) protsessis, kuid jätab arvesse võtmata andmetevahelisi sõltuvusi. Lisaks ei ole vastavusanalüüsil võimalik kasutada protsessimudeleid, mis sisaldavad OR väravaid (OR gateway). OR-join omab mitme-tähenduslikku semantikat. Se lle konstruktsiooni jaoks on pakutud mitmeid formaalseid semantikaid sarnastes keeltes, nagu EPCs ja YAWL. Nimetatud semantikate kasutatamine mudelite käitamisel ja vastavuse analaüüsil on aga arvutuslikult kulukas. Seega on käesolevas lõputöös implementeeritud OR värava aktiveerimine lineaarse ajalise sõltuvusega mudeli suuruse suhtes. Kuna SIAV-i vastavusanalüsaator ei võta arvesse andmetevahelisi sõltuvusi, võib puudulik analüüs viia vigase vastavusdiagnostikani. Näiteks võib andmeatribuut anda infot selle kohta, et käitati vale tegevus. Kirjeldatud põhjustel ei peaks vastavusanalüsaator tegelema vaid järgnevuse voo vastavuse analüüsiga, vaid peaks arvesse võtma ka andmeid ja nendevahelisi sõltuvusi ning aega. Käesoleva töö teises osas täiendati olemasolevat andmeanalüsaatorit andmeatribuutidega.The Business Process Model and Notation is a developing standard for capturing business processes. Process models describe how the business process is expected to be executed. When a log is available from process executions, this situation raises the interesting question “Are the model and the log conformant?". Conformance checking, also referred to as conformance analysis, aims at the detection of inconsistencies between a process model and its corresponding execution log.The BPMN conformance checker, as a part of a process mining tool, developed an Italian company called SIAV, however, this tool lacks some formal semantics. In particular, the previous conformance checking approach in SIAV tends to focus on the control-flow in a process, while abstracting from data dependencies and process models containing OR gateways could not be used.OR-join has an ambiguous semantics. The several formal semantics of this construct have been proposed for similar languages such as EPCs and YAWL. However, executing and verifying models using these semantics is computationally expensive. Therefore, in this thesis, we implemented enablement of an OR-join in linear time in the size of the workflow graph.Data dependencies are also not considered in conformance checker developed in SIAV, which may lead to misleading conformance diagnostics. For example, a data attribute may provide strong evidence that the wrong activity was executed. That’s why the conformance checker should not only describe the process behaviour from the control flow point of view, but also from other perspectives like data or time. In the second part of the thesis, we enhanced the existing conformance checker with data attributes

Towards a comprehensive design-time compliance management:A roadmap

Today’s business climate demands business processes to meet many compliance regulations that require all enterprises to review their processes and ensure that they satisfy the set of relevant compliance requirements. Compliance management should be considered from the very early stages of business process design, thus achieving compliance by design. In this paper, we give a brief overview of an approach for managing business process compliance during design-time phase of business process lifecycle. We also discuss the roadmap for the key components and their relationship for a comprehensive design-time compliance support

Visual Modeling of Business Process Compliance Rules with the Support of Multiple Perspectives

A fundamental challenge for any process-aware information system is to ensure compliance of modeled and executed business processes with imposed compliance rules stemming from guidelines, standards and laws. Such compliance rules usually refer to multiple process perspectives including control flow, time, resources, data, and interactions with business partners. On one hand, compliance rules should be comprehensible for domain experts who must define and apply them. On the other, they should have a precise semantics such that they can be automatically processed. In this context, providing a visual compliance rule language seems promising as it allows hiding formal details and offers an intuitive way of modeling. So far, visual compliance rule languages have focused on the control flow perspective, but lack adequate support for the other perspectives. To remedy this drawback, this paper provides an approach that extends visual compliance rule languages with the ability to consider data, time, resources, and partner interactions when modeling business process compliance rules. Overall, this extension will foster business process compliance support in practice

Ensuring Business Process Compliance Along the Process Life Cycle

Business processes are subject to semantic constraints that stem from regulations, laws and guidelines, and are also known as compliance rules. Hence, process-aware information systems have to ensure compliance with those rules in order to guarantee semantically correct and error-free executability as well as changeability of their business processes. This report discusses how compliance rules can be defined and how business process compliance can be ensured for the different phases of the process lifecycle