
    Theory of Regulatory Compliance for Requirements Engineering

    Regulatory compliance is increasingly being addressed in the practice of requirements engineering as a mainstream concern. This paper points out a gap in the theoretical foundations of regulatory compliance and presents a theory that states (i) what it means for requirements to be compliant, (ii) the compliance problem, i.e., the problem that the engineer must resolve in order to verify whether requirements are compliant, and (iii) testable hypotheses (predictions) about how compliance of requirements is verified. The theory is instantiated by presenting a requirements engineering framework that implements its principles, and is exemplified on a real-world case study. Comment: 16 pages

    Developing an Integrated ISO 27701 and GDPR based Information Privacy Compliance Requirements Model

    The protection of information assets requires an interdisciplinary approach and cross-functional capabilities. In recent times, information security and privacy compliance have continued to be a complicated task due to increasing regulatory restrictions, changing legislation and public awareness. The newly published information security and privacy standard ISO/IEC 27701:2019 provides support for organisations looking to put in place systems to support compliance with global data privacy requirements. However, little is known about how this standard maps to other regulatory requirements in different jurisdictions, specifically the globally relevant General Data Protection Regulation (GDPR). Hence, this research aims to answer an important research question: whether and how the ISO/IEC 27701:2019 framework represents an opportunity for GDPR compliance. This research provides a review and mapping of ISO/IEC 27701:2019 and GDPR by using an integrated requirements engineering model as a kernel theory. The results of this research will assist organisations seeking to meet their compliance needs. They will also help academics and practitioners interested in integrating ISO/IEC 27701:2019 and GDPR to develop relevant compliance frameworks and tools.

    The other GMP: good manufacturing practice and its importance in the validation of constructed pharmaceutical facilities

    The work reported is part of an ongoing PhD study prompted by the particular difficulties encountered when two very different quality cultures interact (in this case pharmaceutical industry clients and construction industry providers). Pharmaceutical facilities have particular needs for their production requirements. Stringent regulations are set by regulatory bodies such as the Medicines and Healthcare products Regulatory Agency (MHRA) in the UK and the Food and Drug Administration (FDA) in the US. This creates special problems of quality when it comes to the commissioning, validation and hand-over of the building, as it appears to be at odds with the rather less demanding quality systems that are normally accepted in the construction sector. The aim of the research is to model an acceptable process for incorporating these stringent validation requirements into the design, procurement and construction processes. There is little or no specific academic literature on the subject, though the trade and professional press (particularly in the USA) provides some normative comment on the problem area. The main academic grounding of the research is in Systems Theory, and empirical data is being collected using a multiple case study approach. Research data was collected from a number of pharmaceutical facility construction case studies and was used to test and inform a best practice model of facility validation. The qualitative methods of participant and direct observation were used as the main information gathering tools. The paper reports on the regulatory expectations that influence the construction of projects of this type and their impact on the best practice model of validation.

    Querying a regulatory model for compliant building design audit

    The ingredients for an effective automated audit of a building design include a BIM model containing the design information, an electronic regulatory knowledge model, and a practical method of processing these computerised representations. There have been numerous approaches to computer-aided compliance audit in the AEC/FM domain over the last four decades, but none has yet evolved into a practical solution. One reason is that they have all been isolated attempts that lack any form of standardisation. The current research project therefore focuses on using open-standard regulatory knowledge and BIM representations in conjunction with open-standard executable compliant design workflows to automate the compliance audit process. This paper provides an overview of different approaches to accessing information from a regulatory model representation. The paper then describes the use of a purpose-built high-level domain-specific query language to extract regulatory information as part of the effort to automate manual design procedures for compliance audit.

    Determinants of Construction Firms' Compliance with Health and Safety Regulations in South Africa

    The management of health and safety issues is very significant in the construction industry in South Africa in terms of accident rates and cost to contractors. The costs arise from both the cost of compliance with regulations and the cost of accidents and injuries. In spite of the fact that available evidence shows that construction-related accidents and injuries are on the increase in South Africa, many designers and contractors regard the cost of complying with regulations as an unnecessary additional financial burden. It is against this background that this study investigated the statutory regulations relating to health and safety in construction in South Africa, the level of compliance with the regulations, and the motivation for compliance by contractors. Data obtained from contractors in a questionnaire survey in the Western Cape Province of South Africa were analysed using percentage scores and mean score analysis with the aid of the SPSS software. Although the validity of the findings is limited by the sample size used in the survey, it is hoped that the findings will provide an empirical basis for a more inclusive survey of H&S in the construction industry in South Africa. Keywords: health and safety, regulations, enforcement and compliance, construction industry, South Africa

    Design Challenges for GDPR RegTech

    The Accountability Principle of the GDPR requires that an organisation can demonstrate compliance with the regulation. A survey of GDPR compliance software solutions shows significant gaps in their ability to demonstrate compliance. In contrast, RegTech has recently brought great success to financial compliance, resulting in reduced risk, cost savings and enhanced financial regulatory compliance. It is shown that many GDPR solutions lack interoperability features such as standard APIs, metadata or reports, and that they are not supported by published methodologies or evidence to support their validity or even utility. A proof-of-concept prototype was explored using a regulator-based self-assessment checklist to establish whether RegTech best practice could improve the demonstration of GDPR compliance. The application of a RegTech approach provides opportunities for demonstrable and validated GDPR compliance, in addition to the risk reductions and cost savings that RegTech can deliver. This paper demonstrates that a RegTech approach to GDPR compliance can facilitate an organisation meeting its accountability obligations.

    Implied Certification under the False Claims Act

    The False Claims Act prohibits fraud by government contractors, including a contractor's false certification of compliance with the contract, statutes or regulations. In the early 1990s, some courts began holding that the act of requesting payment from the government implicitly represents such compliance for the purposes of the FCA. Circuits are today split on the implied certification doctrine. This Article provides a theory of implied certification, suggests how the circuit split should be resolved and describes how contracting agencies should write contracts in light of the existing rule. There are good reasons for the implied certification rule: it is an information-forcing majoritarian default; it affirms the special ethical obligations of government contractors; and it addresses agency lassitude in drafting and monitoring performance. But implied certification also has its costs. Most importantly, it lowers the bar to frivolous qui tam actions and threatens to impose FCA liability for violations better addressed by more discretionary and nuanced regulatory responses. This Article recommends a narrow implied certification rule: the fact that a contract, statute or regulation conditions either participation in or payment for a contract on compliance with it should create a prima facie case that a claim for payment represents such compliance, shifting the burden to the defendant to show that FCA liability would interfere with other regulatory monitoring and enforcement mechanisms. The Article also recommends that contracting agencies pay more attention to the FCA when drafting contracts. They can approximate first-best results by requiring express certification of compliance with those duties for which FCA liability makes sense, and contracting out of implied certification for those duties that are better enforced in other ways.
    In addition to these practical suggestions, the Article draws some general lessons about the contractual duties to cooperate, interpretive defaults in contract and tort, and the special ethical obligations of government contractors.

    Developing a Conceptual Framework for Cloud Security Assurance
