Efficient conditional compliance checking of business process models
Introduction
Laws and regulations affect the way businesses are run on a daily basis. With constantly changing laws, companies are forced to increase the flexibility and agility of their business processes. Consequently, the information systems supporting those business processes continue to evolve, such that it becomes increasingly difficult to ensure their compliance to laws and regulations. As a result, a need for automated compliance checking of business processes has become evident.
Compliance checking of business processes aims to prove whether or not a business process adheres to a set of imposed rules [1], [2]. These rules can stem from laws, regulations, internal business rules, or even as part of a specification describing different variants of the process [3], [4]. Compliance checking can be supported at various stages of the business process lifecycle [5]. For example, many existing approaches enable compliance checking either during enactment using monitoring techniques, or during analysis using mining techniques. In this context, we focus on design-time verification where preventative solutions for possible non-compliance can be implemented. This is distinct from after-the-fact approaches (such as the aforementioned monitoring and analysis techniques) where costly rollbacks could be required to undo any faulty non-compliant execution.
The ability to handle and verify conditional branches (e.g. “manager approval is required if the loan amount is larger than $50,000”) is an essential requirement for compliance verification. Existing design-time verification approaches, however, either completely lack support for verification over conditions given business process models or require inclusion of the data perspective (i.e. taking into account the entire domain of each data attribute), which can quickly cause state space explosion problems.
This paper proposes a novel method that fully abstracts conditions from a model and its specifications. This is achieved by generating partial models, based on the overlap and contradictions between the specified conditions. The result is a light-weight verification method over the structure of the business process that is preferable over expensive verification methods that include the data perspective, as the internal representations are simplified significantly while still enabling verification only over the paths that are reachable under the given condition. We prove that when the partial models are combined, they contain the complete set of possible paths as represented in the full model given its condition, while simultaneously reducing its state space complexity in the relevant cases.
A high-level overview of the approach is shown graphically in Fig. 1 below. First, we take as input a Petri net with conditional branches and a set of conditional temporal logic specifications (1). Next, we generate a set of partial models, specific to each condition in the specification (2). Finally, we verify compliance over every partial model (3).
As such, the contribution of the paper is fourfold: (i) it demonstrates that the full data perspective is not required for the verification of structural properties over conditional branches, (ii) it shows how to formally abstract conditions from the models and specifications, (iii) it shows how to obtain a formally verifiable partial model to conditions, and (iv) it proves that partial models preserve the same reachable states given their condition, while at the same time reducing the state space complexity in the relevant cases where the condition affects the number of reachable states.
The approach presented in this paper can be used by organizations to check if their business process models are compliant with established rules and regulations on a much more fine-grained level when compared to compliance checking without support for conditions. As such, it enables organizations to formulate the rules that should hold in their processes in a much more precise way compared to some existing approaches that ignore the data perspective, while ensuring that each of their processes is fully compliant. The presented approach is particularly useful in dynamic environments where processes are changing frequently and efficient data-oriented conditional compliance checking is a necessity and frequently required, such that performance gains are significant.
The remainder of the paper is structured as follows. First, Section 2 discusses related work and positions our work within the existing state of the art. Section 3 introduces the preliminary paradigms used for both business process models and verification (Step 1 in Fig. 1). Subsequently, Section 4 describes how to obtain partial models (Step 2 in Fig. 1) and how to interpret specifications on those models (Step 3 in Fig. 1). Section 5 describes a real life case from the Australian telecommunications sector, which – together with a set of synthetic process models – is used in Section 6 to evaluate the proposed approach with respect to complexity, performance, and practicability. Finally, the paper is concluded in Section 7.
Section snippets
Related work
Compliance verification aims to prove or disprove whether a business process adheres to a set of rules, like laws, regulations, business rules or internal policies [2]. In this way, compliance verification does not aim to prove the correctness of the business process itself (like e.g. [6], [7], [8]), but merely whether it adheres to a set of rules. Compliance can be verified at different stages of the business process lifecycle, including design-time, enactment, and analysis [5]. At
Preliminaries
We now first introduce the preliminary paradigms used for modeling business process models and verifying those business process models subject to a specified set of rules, as required by Step 1 in Fig. 1.
There are different notations for modeling business processes, mostly using an intuitive graphical representation. In the context of this work, we use Petri nets, a well-known modeling tool for concurrent processes, for which a rich body of theory and tools to verify their properties have been
Verification over guards
Following the basic definitions of the model, we can now describe the procedure to obtain a set of partial models from the full model as visualized by Step 2 in Fig. 1. The presented method requires two elements as input, (1) a process model annotated with conditional paths, and (2) a set of conditional CTL rules (pairs of CTL rules and conditions). The conditions in the model and the conditions in the conditional CTL rules are formally defined as follows: Definition 4 Condition A condition C is a quantifier-free
Case description: customer support
In Australia, all telecommunications service providers that supply telecommunications products to Australian consumers must adhere to the Telecommunications Consumer Protections (TCP) code of conduct. The TCP code of conduct describes a large set of rules, including a number of obligations regarding the handling of complaints.
Fig. 7 illustrates a customer support process in the form of a marked net from one of the telecommunications providers that must adhere to the TCP code of conduct. Guards
Evaluation
We implemented the proposed partial verification method in a Java package called BPM Verification.2 The package takes as input a process model in PNML format3 extended with guards and a specification containing the CTL formulas to be evaluated. Subsequently, the conditional graph is generated and formally verified against its specifications using NuSMV2. NuSMV2 is a software tool for the formal verification of finite state
Conclusion
In this paper, we presented a novel approach towards preventative compliance verification of business processes. The approach goes beyond existing approaches because of its ability to abstract and evaluate over conditional branches with non-propositional guards, without including the full data perspective. Most existing approaches completely lack support for verification over non-propositional guards or require the full data perspective which can quickly cause state space explosion problems.
References (29)
- et al.
Change patterns and change support features – enhancing flexibility in process-aware information systems
Data Knowl. Eng.
(2008) - et al.
Design-time compliance of service compositions in dynamic service environments
International Conference on Service Oriented Computing & Applications
(2015) - et al.
A formal model for compliance verification of service compositions
IEEE Trans. Serv. Comput.
(2018) - et al.
Automated compliance verification of business processes in Apromore
Proceedings of the BPM Demo Track
(2017) - et al.
Variability in business processes: automatically obtaining a generic specification
Inf. Syst.
(2018) - et al.
A survey of formal business process verification: from soundness to variability
International Symposium on Business Modeling and Software Design
(2013) Formal analysis of BPMN models: a NUSMV-based approach
Int. J. Softw. Eng. Knowl. Eng.
(2010)- et al.
Using model checking to control the structural errors in BPMN models
IEEE 7th International Conference on Research Challenges in Information Science (RCIS)
(2013) - et al.
Transformation of the BPMN design model into a colored petri net using the partitioning approach
IEEE Access
(2018) - et al.
Compliance checking between business processes and business contracts
Enterprise Distributed Object Computing Conference
(2006)
Designing compliant business processes with obligations and permissions
Proc. Int. Conf. on Business Process Management Workshops, BPM
Auditing business process compliance
Int. Conf. on Service-Oriented Computing
A model checking approach to verify BPEL4WS workflows
Int. Conf. on Service-Oriented Computing and Applications
Symbolic execution of acyclic workflow graphs
Int. Conf. on Business Process Management
Cited by (7)
ProcessChain: a blockchain-based framework for privacy preserving cross-organizational business process mining from distributed event logs
2024, Business Process Management JournalCross-Instance Regulatory Compliance Checking of Business Process Event Logs
2023, IEEE Transactions on Software EngineeringDealing with Unexpected Runtime Outcomes Within Process Models
2022, Lecture Notes in Business Information ProcessingResults from the Verification of Models of Spectrum Auctions
2022, Lecture Notes in Business Information Processing