Towards increased efficiency and confidence
in process compliance
Julieth Patricia Castellanos Ardila, Barbara Gallina, Faiz Ul Muram
{julieth.castellanos, barbara.gallina, faiz.ul.muram}@mdh.se
This work is supported by: EU and VINNOVA via the ECSEL JU project AMASS
Certifiable Evidences & Justification Engineering-MDH
6th Scandinavian Conference on System & Software Safety (SCSSS), Workshop Frontiers in Safety
Stockholm, May 22, 2018
Context and motivation
Frontiers in Safety-Stockholm, May 22, 2018.
Many current safety standards are “process-based” [Kelly, 2008]: they define a set of requirements for the design, development, verification and validation of software.
For compliance with process-based standards, companies…
• May (or may not) need to adapt their practices
• Show, via the provision of a justification, the fulfillment of these requirements.
[Kelly 2008] Kelly, T. P. (2008). Can process-based and product-based approaches to software safety certification be reconciled? Improvements in System Safety, (2008), 3–12.
…
Talk outline
ISO 26262
Compliance Checking Vision
Safety Compliance Patterns
Example
The current status of the work
ISO 26262
[Figure: Reference phase model for the software development, adapted from ISO 26262-6:2011]
[ISO26262, 2011] ISO 26262, “Road Vehicles-Functional Safety. International Standard.” 2011.
The safety plan can be [Gallina, 2015]:
• Strictly planned
• Tailored:
  a) tailoring shall be defined in the safety plan,
  b) a rationale shall be provided.
[Gallina, 2015] B. Gallina, “How to increase efficiency with the certification of process compliance,” in The 3rd Scandinavian Conference on Systems & Software Safety, 2015.
Pieces of evidence required:
• Safety plan
• Confirmation review
From the structural point of view, ISO 26262-6:2011 is:
a) Divided into parts/clauses
b) Alternative methods
c) Frequently recurring expressions (e.g., “in accordance with”)
d) …
Compliance Checking Vision [Castellanos et al, 2018]
1. To define a finite state model of the safety processes.
Process Space: the process model, built in SPEM 2.0 / EPF Composer.
[SPEM 2.0] Software and Systems Process Engineering Meta-model. Retrieved June 9, 2017, from http://www.omg.org/spec/SPEM/2.0/
[EPF] Eclipse Process Framework Composer. Retrieved June 9, 2017, from https://eclipse.org/epf/
[Castellanos et al, 2018] J. P. Castellanos Ardila, B. Gallina, and F. Ul Muram, “Enabling Compliance Checking against Safety Standards from SPEM 2.0 Process Models,” in Euromicro Conference on Software Engineering and Advanced Applications, 2018, p. 4.
Compliance Checking Vision [Castellanos et al, 2018]
2. To formalize the normative requirements by using rule-based approaches.
[Figure: Process Space (process model) and Normative Space (standard, formalization)]
Formal Contract Logic (FCL) [Governatori, 2005]
Rule form: $r: a_1, \ldots, a_n \Rightarrow c$
• $r$: rule Id
• $a_1, \ldots, a_n$: conditions of the applicability of the norm
• $c$: normative effect, i.e., the triggering of deontic notions: obligations, permissions, prohibitions
• Superiority relations between rules
[Governatori, 2005] G. Governatori, “Representing business contracts in RuleML,” Int. J. Coop. Inf. Syst., vol. 14, no. 02n03, pp. 181–216, 2005.
Compliance Checking Vision [Castellanos et al, 2018]
3. To analyse the fulfilment of the normative space in the process space.
[Figure: Process Space (process model, execution semantics, compliance effects annotations); Normative Space (standard, formalization, obligations in force); Compliance Space (compliance analysis, compliance report)]
Compliance Space: Regorous [Governatori, 2015]
Compliance analysis: checking the extent to which the tasks in the process models fulfil the rules.
Compliance by design [Sadiq et al, 2007]: preventive focus, applied during process planning.
[Governatori, 2015] Governatori, G. (2015). The regorous approach to process compliance. In IEEE 19th International Enterprise Distributed Object Computing Conference Workshops and Demonstrations (EDOCW) (pp. 33–40).
[Sadiq et al, 2007] Sadiq, S., Governatori, G., & Namiri, K. (2007). Modeling Control Objectives for Business Process Compliance. 5th International Conference, BPM, 149–164.
[Koliadis et al, 2007] G. Koliadis and A. Ghose, “Verifying Semantic Business Process Models in Inter-operation,” in IEEE International Conference on Service-Oriented Computing, 2007, pp. 731–738.
Safety Compliance Patterns [Castellanos et al, 2018]
“Safety Compliance Patterns are patterns that describe commonly occurring normative safety requirements on the permissible state sequence of a finite state model of a process” [Castellanos et al, 2017]
[Castellanos et al, 2017] Castellanos Ardila, J., & Gallina, B. (2017). Formal Contract Logic Based Patterns for Facilitating Compliance Checking against ISO 26262. In 1st Workshop on Technologies for Regulatory Compliance (pp. 65–72).
FCL requires skills that cannot be taken for granted!!!
Patterns for ISO 26262:
• Address phase: A phase must occur throughout a scope. Not addressing the phase requires its tailoring and the provision of a rationale.
• Perform preconditions: A given task cannot occur within a scope. The task is permitted to be performed if the preconditions are performed.
• Select alternative methods: Methods should be selected according to ASIL/recommendation levels. Alternative methods can be selected if a rationale is provided.
• …
Example: ISO 26262
Patterns applied:
1. Address Phase
2. Perform Preconditions
3. Select Alternative methods
Methodology:
1. Creation of the rule set
  a) Describe the rules (e.g., instantiate patterns)
  b) Model the standards and the rules
2. Process Design
  a) Design of the process traces
  b) Include compliance annotations
3. Check compliance with Regorous
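The three patterns above, instantiated as FCL-style rules and checked against annotated process traces, as an added Python sketch. This is not code from the talk, from Regorous, or from the AMASS project; it is a minimal defeasible checker written here to make the mechanics concrete. The rule form (conditions, a deontic modality O/P/F, a literal) and the superiority relation follow the slide on FCL; the rule ids, the literal names (unit_design_performed, asil_C, semi_formal_notation_used, and so on) and the three traces are constructed for illustration and do not reproduce the content of ISO 26262-6 tables.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple

# An FCL-style rule  r: a1, ..., an => [modality] literal.
# modality: "O" obligation, "P" permission, "F" prohibition.
# A literal starting with "~" is the negation of the plain literal.
@dataclass(frozen=True)
class Rule:
    rid: str
    conditions: FrozenSet[str]
    modality: str
    literal: str


def negate(lit: str) -> str:
    return lit[1:] if lit.startswith("~") else "~" + lit


def conflicts(a: Rule, b: Rule) -> bool:
    """True when the deontic conclusions of a and b cannot both be in force."""
    pair = {a.modality, b.modality}
    if a.literal == b.literal:           # O(x) vs F(x), P(x) vs F(x)
        return pair in ({"O", "F"}, {"P", "F"})
    if a.literal == negate(b.literal):   # O(x) vs P(~x), O(x) vs O(~x)
        return pair in ({"O", "P"}, {"O"})
    return False


def in_force(applicable: List[Rule], superiority: Set[Tuple[str, str]]) -> List[Rule]:
    """Defeasible conflict resolution: a rule is dropped when a conflicting
    applicable rule is declared superior to it ((stronger, weaker) pairs)."""
    return [r for r in applicable
            if not any(conflicts(r, s) and (s.rid, r.rid) in superiority
                       for s in applicable)]


def check_compliance(trace, rules, superiority):
    """Replay the trace, accumulating the compliance-effect annotations of each
    task. Prohibitions in force are checked at every task; obligations in force
    are checked once the whole process has been executed."""
    state: Set[str] = set()
    violations: List[Tuple[str, str, str]] = []
    for step in trace:
        applicable = [r for r in rules if r.conditions <= state]
        for r in in_force(applicable, superiority):
            if r.modality == "F" and r.literal in step["effects"]:
                violations.append((step["task"], r.rid, f"prohibited effect {r.literal} produced"))
        state |= step["effects"]
    applicable = [r for r in rules if r.conditions <= state]
    for r in in_force(applicable, superiority):
        if r.modality == "O" and r.literal not in state:
            violations.append(("end of process", r.rid, f"obligation {r.literal} not fulfilled"))
    return violations


# Constructed rule set: one pattern instance per pattern on the slide.
RULES = [
    # Address phase: unit design must be performed, unless tailored with a rationale.
    Rule("r_phase", frozenset(), "O", "unit_design_performed"),
    Rule("r_tailor", frozenset({"unit_design_tailored", "tailoring_rationale"}), "P", "~unit_design_performed"),
    # Perform preconditions: unit testing is prohibited until unit design has been performed.
    Rule("r_pre_F", frozenset(), "F", "unit_testing_performed"),
    Rule("r_pre_P", frozenset({"unit_design_performed"}), "P", "unit_testing_performed"),
    # Select alternative methods: a (hypothetical) recommended method for the assumed ASIL,
    # which may be replaced by an alternative if a rationale is provided.
    Rule("r_method", frozenset({"asil_C", "unit_design_performed"}), "O", "semi_formal_notation_used"),
    Rule("r_alt", frozenset({"alternative_method_rationale"}), "P", "~semi_formal_notation_used"),
]
# Superiority relation: the exception rule defeats the default rule it conflicts with.
SUPERIORITY = {("r_tailor", "r_phase"), ("r_pre_P", "r_pre_F"), ("r_alt", "r_method")}

# Constructed process traces (task name plus its annotated compliance effects).
COMPLIANT_TRACE = [
    {"task": "Plan safety activities", "effects": {"asil_C"}},
    {"task": "Software unit design", "effects": {"unit_design_performed", "semi_formal_notation_used"}},
    {"task": "Software unit testing", "effects": {"unit_testing_performed"}},
]
NONCOMPLIANT_TRACE = [  # testing before design, and no method evidence
    {"task": "Plan safety activities", "effects": {"asil_C"}},
    {"task": "Software unit testing", "effects": {"unit_testing_performed"}},
    {"task": "Software unit design", "effects": {"unit_design_performed"}},
]
TAILORED_TRACE = [  # phase not addressed, but tailoring and rationale are documented
    {"task": "Plan safety activities", "effects": {"asil_C", "unit_design_tailored", "tailoring_rationale"}},
    {"task": "Software integration", "effects": {"integration_performed"}},
]

if __name__ == "__main__":
    for name, trace in [("compliant", COMPLIANT_TRACE), ("non-compliant", NONCOMPLIANT_TRACE),
                        ("tailored", TAILORED_TRACE)]:
        print(name, check_compliance(trace, RULES, SUPERIORITY))
```

The point the sketch makes is the one the patterns rely on: the "exception" rule (tailoring with rationale, preconditions met, alternative method with rationale) only removes the default obligation or prohibition because it is declared superior to it, so the compliance report for the tailored trace is empty while the trace with unit testing before unit design reports a violated prohibition and an unfulfilled obligation.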
Explorations: ISO 26262
Methodology:
1. Creation of the rule set
  a) Describe the rules (e.g., instantiate patterns)
2. Modelling and Annotating the software process
  a) Plugin 1: Model the standards and the rules
  b) Plugin 2: Capture process elements
  c) Plugin 3: Capture the annotated software process
3. Export plugins and check compliance with Regorous
The current status of our work
1. We proved the tools separately -> we need to concretize the synergy between them.
2. We have a basic methodology -> we need to evolve it to include compliance checking of process elements beyond tasks.
3. We get proofs of compliance -> we are studying the possibility of reusing them to increase efficiency.
4. We have some safety compliance patterns -> we aim to have a complete set, applicable initially to ISO 26262.
5. We create the rules manually -> we need a rule editor.
6. We have toy examples -> we aim at checking real use cases.
Thank you for your attention!