Managing Business Process Compliance - Oktay Turetken, MUMC+, 19-Mar-2013
TRANSCRIPT
Managing Business Processes Compliance
Dr. Oktay Turetken
Information Systems, School of Industrial Engineering
Eindhoven University of Technology (TU/e)
Maastricht University Medical Center (azM / MUMC+) 19.Mar.2013
Outline
• Compliance and Directives
• Challenges in Managing Business Process Compliance
• Key Components of Compliance
• Business Process Lifecycle and Compliance Management
• Case Studies and Findings
Dr. O.Turetken: Managing Business Process Compliance    MUMC+, 19.Mar.2013
"Business Process" Compliance
Acting in accordance with established requirements emerging from directives (laws, regulations, policies, standards, protocols, specifications, etc.)
DIRECTIVES
External sources
• Laws, regulations, & public policies
  • EU Directives, Sarbanes Oxley, FINRA, ...
  • Privacy/data protection, consumer protection, ...
  • Sector specific regulations: HIPAA (US Healthcare), Basel III (Finance/Banking), ...
• Standards and Codes of Practice
  • ISO Standards: ISO 9000, ISO/IEC 27000, ISO 14000, ...
  • EFQM, PRINCE II, CMMI, COBIT, ITIL, ...
  • Sector Specific Standards: NIAZ, HKZ, ...
Internal sources
• Internal policies
• Business rules
• QoS, security policies, ...
Mutual agreements
• Service level agreements (SLA)
• Business Contracts, ...
Acts to restore public confidence ...
• To restore public confidence in corporate governance, laws/regulations were issued
• Require organizations to:
  • Identify the obligations (directives) to be complied with
  • Review their business processes
  • Ensure that they meet the compliance requirements set forth
• Without effective compliance mechanisms in place ...
  • Loss of reputation/confidence, bankruptcy, litigation risks, criminal penalties, ...
Sarbanes Oxley (SOX), US
CLERP9, AUS
EU Directives 2006/43/EC, etc.
Current Challenges in Managing BP Compliance
• Manual checks/audits on business processes → Still predominant
• Retrospective reporting → Traditional audits for 'after-the-fact' detection
• Compliance solutions → Automated detection but typically 'after-the-fact'
  • Oracle GRC Accelerators, SAP BusinessObjects GRC → Vendor lock-in
• Organization's IS solutions
  • Manage compliance in an ad-hoc manner
  • Hand-crafted for particular compliance problems
• Systems become ...
  • Hard to maintain and evolve, reuse (custom made narrow solutions)
  • Hard to formally verify against compliance
• Fail to explicitly manage compliance requirements:
  • To trace them back to the compliance sources
  • ... and forward to the business processes
Compliance - Key Components
Prevention
• Set the Tone: Senior Mng. Commitment
  • Set the tone for the company
  • Define business objectives
  • Identify the obligations to be complied with
• Have the Processes & Policies in place
  • Perform Risk Assessment
  • Identify processes/procedures to mitigate risks
  • Tailored to the organization and its units
• Communicate/Train
  • Carry the message from the top
  • Explain the process/policies
Detection
• Continuous Monitoring of Processes
• Formal (structured) Internal Auditing
Response
• How do you react in case of problems?
  • Who is involved?
  • What is the policy?
  • How to address and remediate?
  • How to feed back?
[Figure: process model of the laparoscopic (keyhole) surgery. Lanes: Outpatient Department (Physician, Medical Tech. Assistant), Surgical Suite, Surgical Ward (Nurse, Physician). Activities: Admit Patient, Perform Checkup, Examine Patient, Make a decision, Write Discharge Letter, Schedule Surgery, Check Patient Record, Admit Patient, Perform Surgery, Prepare Patient, Send Patient to Surgical Suite, Transport Patient to Ward, Make Lab Test, Provide Postsurgical Care, Discharge Patient, Write Discharge Letter. Branch label: Surgery OK.]
Original process model at: M. Reichert, B. Weber: Enabling Flexibility in Process-Aware Information Systems, Springer, 2012
Being Compliant
• Suppose our Hospital wants to be NIAZ accredited
• Section 516 - Prg. 11
  • 516.11: The provision of information for the patient about the intended research, his/her state of health and the proposed treatment occurs in a manner which enables him/her to grant his/her permission after due deliberation (informed consent).
• Reflect the requirement on our process / Perform risk assessment
• Special Requirements:
  • C1- Before the surgery, the patient must be informed about the risks of the (planned) surgery.
  • C2- Before the surgery, the patient has to be informed about anesthesia.
[Figure: the laparoscopic (keyhole) surgery process model, extended with the activities "Inform Patient about Risks" and "Inform Patient about Anesthesia" (requirements C1 & C2).]
Original process model at: M. Reichert, B. Weber: Enabling Flexibility in Process-Aware Information Systems, Springer, 2012
Being Compliant
• Suppose our Hospital wants to be NIAZ accredited
• Section 51[?] - Prg. 17
  • 51[?].17: The organisation has agreements about the transfer of information between the members of staff and the working units who are involved in the same care and other process.
• Reflect the requirement on our process / Perform risk assessment
• Special Requirements:
  • C3- After performing the surgery, a surgery report must be created and should be considered by the physician in the surgical ward in the writing of the discharge letter.
[Figure: the laparoscopic (keyhole) surgery process model, including "Inform Patient about Risks" and "Inform Patient about Anesthesia", extended with the activity "Create Surgery Report" (requirement C3).]
Conceptual Model (for the Compliance Repository’s key elements)
[Figure: conceptual model. Entities: Directive/Source, Compliance Requirement/Control Objective, Risk, Control, Control Rule, Process, Process Element, Process Instance, Process Element Instance. Relationship labels: originate from, formalized by, refer, have.]
BP Compliance Management Operational Components
[Figure: business process lifecycle phases (Business Process Analysis & Design, Business Process Execution, Business Process Monitoring & Optimization) shown with the compliance activities Objective Setting and Boundary Identification, Risk Assessment & Response, Design Controls, Preventive Design-time Compliance Verification, Preventive Runtime Compliance Monitoring, Detective Offline Comp. Analysis & Monitoring.]
Examples of Concepts
[Figure: the conceptual model (Directive/Source, Compliance Requirement/Control Objective, Risk, Control, Control Rule, Process, Process Element) populated with an example.]
Directive/Source: COBIT PO4.11; Internal Policy 4.11; NIAZ 2.3 516.11
Comp. Requirement (originates from the directives): Patient should be informed about the status and proposed treatment, and his/her permission should be granted after due deliberation
Risk: Surgery without patient consent
Control (risk prevented by, mitigated by):
• Before the surgery, the patient should be informed about the risks of the (planned) surgery.
• Before the surgery, the patient should be informed about anesthesia
Control Rule (control implemented by, formalized by):
• G (Examine Patient → F Inform Patient about Risks.Role('Physician'))
• ¬ Schedule Surgery W (Inform Patient about Anesthesia.Role('Physician'))
Process: (Keyhole) Surgery
Process elements referred to: Physician, Examine Patient, Inform Patient about Risks
CRM Demo → http://eriss.uvt.nl/compas/
Modeling with Process Control Patterns: Control Modeling, Control Rule Generation
CONTROL PATTERNS
ORDER PATTERNS: Precedes, LeadsTo, XLeadsTo, PLeadsTo, ChainPrecedes, ChainLeadsTo, Else, ElseNext
OCCURRENCE PATTERNS: Exists, Absent, Universal, CoExists, CoAbsent, Exclusive, CoRequisite, MutexChoice
RESOURCE PATTERNS: PerformedBy, SegregatedFrom, USegregatedFrom, BondedWith, RBondedWith, Multi-Segregated, Multi-Bonded
TIME PATTERNS: Within, After, ExactlyAt, Max/Min, Every
Control Patterns explained
Table 1. Business process control patterns. (IEEE Software, May/June 2012, p. 33)
Pattern: Description*

Order, basic
Q Precedes P: Q must precede P.
P LeadsTo Q: Q must follow P.
P XLeadsTo Q: Q must immediately follow P.
P PLeadsTo Q: P and Q must occur sequentially.

Order, advanced
(P, S, ...) ChainLeadsTo (Q, T, …): A sequence of Q, T, … must follow a sequence of P, S, ....
(Q, T, …) ChainPrecedes (P, S, …): A sequence of Q, T, … must precede a sequence of P, S, ....
P LeadsTo Q Else S Else T Else …: If condition P is true, then Q should occur; if Q can’t be satisfied, then S should occur (which compensates for the violation of Q); if S is violated, then T should occur; and so on.

Occurrence, basic
P Exists: P must exist in the process specification.
P Absent: The process specification must be free of P.
P Universal: P must occur or be valid throughout the specification.

Occurrence, advanced
P CoExists Q: If P is present, then Q must also be present.
P CoAbsent Q: If P is absent, then Q must also be absent.
P Exclusive Q: If P is present, then Q must be absent, and vice versa.
P CoRequisite Q: Both P and Q must be present or absent.
P MutexChoice Q: Either P or Q must be present.

Resource, basic
P PerformedBy Q: Role Q must perform (be assigned to) activity P.
P SegregatedFrom Q: Activities P and Q must be assigned to different roles, and different users must perform them.
P USegregatedFrom Q: Different users must perform activities P and Q.
P BondedWith Q: Activities P and Q must be assigned to the same role, and the same user must perform them.
P RBondedWith Q: Activities P and Q must be assigned to the same role, but different users must perform them.

Resource, advanced
(P, Q, S, …; m) Multisegregated: A certain number of different users (m) must perform a set of activities (P, Q, S, …).
(P, Q, S, …) Multibonded: The same user and role must perform a set of activities (P, Q, S, …).

Time, basic
Within k: Used with order patterns to denote a given P to happen within k time units. For example, P LeadsTo Q Within k indicates that Q must follow P within k time units.
After k: Used with order patterns to denote a given P to happen after k time units. For example, P LeadsTo Q After k specifies that Q must follow P after k time units.
ExactlyAt k: Used with order and occurrence patterns to denote a given P to happen exactly at time k. For example, P Exists ExactlyAt k indicates that P must occur at time k, starting from the process instance’s initial state.

Time, advanced
P Exists Max k: P can hold at most k time units once it happens.
P Exists Min k: P must hold at least k time units once it happens.
P Exists Every k: P must happen in every k time unit.

* P, Q, S, and T are operands representing process elements, their attributes, or conditions based on them (for example, CreateOrder.GrandTotal > $100.000).
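Added example (not part of the original slides or of the authors' tool-suite): three Table 1 patterns, Precedes, LeadsTo and PerformedBy, evaluated over a recorded process instance for requirements C1 to C3 of the hospital case. The slides verify LTL rules at design time with a model checker; this code applies the same patterns to a finished trace instead, and the event format, the role assignments in the two constructed traces and the reading of C3 as LeadsTo plus Precedes are assumptions.

```python
from collections import namedtuple

# One executed activity in a process instance (constructed log format).
Event = namedtuple("Event", "activity role")


def act(name, role=None):
    """Operand: activity `name`, optionally restricted to the performing role
    (the PerformedBy resource pattern folded into the operand)."""
    return lambda e: e.activity == name and (role is None or e.role == role)


def precedes(trace, q, p):
    """Q Precedes P: no P may occur before the first Q (LTL: not P W Q)."""
    for event in trace:
        if q(event):
            return True
        if p(event):
            return False
    return True  # P never occurred, so nothing was violated


def leads_to(trace, p, q):
    """P LeadsTo Q: every P is eventually followed by a Q (LTL: G(P -> F Q))."""
    pending = False
    for event in trace:
        if p(event):
            pending = True
        if q(event):
            pending = False
    return not pending


# C1 and C2 follow the two control rules on the "Examples of Concepts" slide.
# C3 as LeadsTo plus Precedes is this example's reading of the requirement text.
CONTROLS = {
    "C1": lambda t: leads_to(t, act("Examine Patient"),
                             act("Inform Patient about Risks", "Physician")),
    "C2": lambda t: precedes(t, act("Inform Patient about Anesthesia", "Physician"),
                             act("Schedule Surgery")),
    "C3": lambda t: leads_to(t, act("Perform Surgery"), act("Create Surgery Report"))
                    and precedes(t, act("Create Surgery Report"),
                                 act("Write Discharge Letter")),
}


def violated_controls(trace):
    """Return the sorted ids of the controls that the process instance violates."""
    return sorted(cid for cid, rule in CONTROLS.items() if not rule(trace))


def make_trace(rows):
    return [Event(activity, role) for activity, role in rows]


# Constructed process instances; role assignments are assumed for illustration.
COMPLIANT = make_trace([
    ("Examine Patient", "Physician"),
    ("Inform Patient about Anesthesia", "Physician"),
    ("Inform Patient about Risks", "Physician"),
    ("Schedule Surgery", "Medical Tech. Assistant"),
    ("Perform Surgery", "Physician"),
    ("Create Surgery Report", "Physician"),
    ("Write Discharge Letter", "Physician"),
])
VIOLATING = make_trace([
    ("Examine Patient", "Physician"),
    ("Inform Patient about Anesthesia", "Physician"),
    ("Inform Patient about Risks", "Nurse"),       # wrong role: breaks C1
    ("Schedule Surgery", "Medical Tech. Assistant"),
    ("Perform Surgery", "Physician"),
    ("Write Discharge Letter", "Physician"),       # written before the report: breaks C3
    ("Create Surgery Report", "Physician"),
])

if __name__ == "__main__":
    for name, trace in (("compliant", COMPLIANT), ("violating", VIOLATING)):
        print(name, violated_controls(trace))
```

A check of this kind corresponds to the detective, offline analysis stage named on the operational components slide; it reports violations after the fact and does not replace design-time verification.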
BP Compliance Management Tool-Suite
[Figure: tool-suite architecture. Components and labels: BP Repository (BP Models and Elements); Compliance Repository (compliance elements: reqs., risks, controls, ...); Compliance Requirements Manager (Compliance Requirements); Compliance Rule Modeler (BP Elements, Control Definitions, Pattern-based Expressions and Formal Control Rules); Design-time Compliance Verification Manager (Verification Handler, WSAT, SPIN Model Checker; Formal Control Rules (in LTL), BP Specifications (in BPEL), Selected Control Rules & BP Specifications, Verification Results); Dashboard (Design-time) (Compliance Verification Results).]
Case Studies
• Case studies conducted
  • within the context of EU funded research project
• The objective:
  • Investigate the applicability and expressiveness of the patterns for:
    - specifying compliance requirements and generating formal compliance rules, against which business processes will be effectively verified at BP Design-time.
• Case Study 1: Internet reseller company (with PricewaterhouseCoopers, NL)
  • Processes: Order processing, invoicing, cash receipting, delivery, and ledger management and maintenance
• Case Study 2: Loan Processing in a Bank (with Thales, FR)
Control Types in the Case Studies
[Table: Number of Comp. Requirements by Type of Controls, for Case St.1: Internet Reseller, Case St.2: Loan Processing and TOTAL, with Yes/No columns under "Effectively expressed using the patterns?". Rows: PROCESS, PREVENTIVE (Segregation of Duties (SoD); Access rights / Authorizations; Activity Sequencing; Data Processing) and DETECTIVE (Management Reviews & Reconciliations; QoS / Performance Monitoring); TECHNICAL, PREVENTIVE and DETECTIVE; PHYSICAL, PREVENTIVE and DETECTIVE; TOTAL. The cell values did not survive extraction.]
Published Results
• Turetken, O., Elgammal, A., van den Heuvel, W-J., Papazoglou, M. (2012). “Capturing Compliance Requirements: A Pattern-Based Approach”. IEEE Software, May/June 2012, pp. 28-36.
• Elgammal, A., Turetken, O., van den Heuvel, W-J. (2012). “Using Patterns for the Analysis and Resolution of Compliance Violations”, International Journal of Cooperative Information Systems (IJCIS), Vol. 21, No. 1.
• Turetken, O., Elgammal, A., van den Heuvel, W-J., Papazoglou, M. (2011), “Enforcing Compliance on Business Processes through the use of Patterns”, European Conference on Information Systems (ECIS 2011).
• Elgammal, A., Turetken, O., van den Heuvel, W-J., Papazoglou, M. (2010). “Root-Cause Analysis of Design-time Compliance Violations on the basis of Property Patterns”. International Conference on Service-Oriented Computing (ICSOC 2010).
• Schumm, D., Turetken, O., Kokash, N., Elgammal, A.F.S.A., Leymann, F., & Heuvel, W.J.A.M. van den (2010). “Business process compliance through reusable units of compliant processes”. ESW '10, LNCS-6385, pp. 325-337.
• Elgammal, A., Turetken, O., van den Heuvel, W-J. (2013, under review). “Towards a Comprehensive Pattern-based Business Process Compliance Language”, IEEE Transactions on Software Engineering (TSE).
Thank you!
For more information: Oktay Turetken