Towards increased efficiency and confidence in process compliance

Julieth Patricia Castellanos Ardila, Barbara Gallina, Faiz Ul Muram
{julieth.castellanos, barbara.gallina, faiz.ul.muram}@mdh.se

This work is supported by: EU and VINNOVA via the ECSEL JU project AMASS
Certifiable Evidences & Justification Engineering-MDH

6th Scandinavian Conference on System & Software Safety (SCSSS), Workshop Frontiers in Safety
Stockholm, May 22, 2018

Source: safety.addalot.se/upload/2018/SCSSS18_JuliethCastellanos.pdf


Context and motivation


Frontiers in Safety-Stockholm, May 22, 2018.

Many current safety standards are “process-based” [Kelly, 2008]: they define a set of requirements for the design, development, verification and validation of software.

For compliance with process-based standards, companies…

• may (or may not) need to adapt their practices;
• must show, via the provision of a justification, the fulfilment of these requirements.

[Kelly 2008] Kelly, T. P. (2008). Can process-based and product-based approaches to software safety certification be reconciled? Improvements in System Safety, (2008), 3–12.


Talk outline

ISO 26262

Compliance Checking Vision

Safety Compliance Patterns

Example

The current status of the work


ISO 26262


[ISO26262, 2011] ISO 26262, “Road Vehicles-Functional Safety. International Standard.” 2011.

Adapted from ISO 26262-6:2011: Reference phase model for the software development.

Pieces of evidence required:
• Safety plan
• Confirmation review

The safety plan can be [Gallina, 2015]:
• Strictly planned
• Tailored: a) the tailoring shall be defined in the safety plan, b) a rationale shall be provided

[Gallina, 2015] B. Gallina, “How to increase efficiency with the certification of process compliance,” in The 3rd Scandinavian Conference on Systems & Software Safety, 2015.

From the structural point of view, ISO 26262-6:2011:
a) is divided into parts/clauses,
b) offers alternative methods,
c) uses frequently recurring expressions (e.g., “in accordance with”),
d) …


Compliance Checking Vision [Castellanos et al, 2018]

1. To define a finite state model of the safety processes.

Process Space: SPEM 2.0 / EPF Composer

SPEM 2.0. Software and Systems Process Engineering Meta-model. Retrieved June 9, 2017, from http://www.omg.org/spec/SPEM/2.0/

EPF. Eclipse Process Framework Composer. Retrieved June 9, 2017, from https://eclipse.org/epf/

[Castellanos et al, 2018] J. P. Castellanos Ardila, B. Gallina, and F. Ul Muram, “Enabling Compliance Checking against Safety Standards from SPEM 2.0 Process Models,” in Euromicro Conference on Software Engineering and Advanced Applications, 2018, p. 4.


Compliance Checking Vision [Castellanos et al, 2018]

2. To formalize the normative requirements by using rule-based approaches.

Process Space: Process model
Normative Space: Standard → Formalization → Formal Contract Logic (FCL) [Governatori, 2005]

An FCL rule has the form

    r: a_1, …, a_n ⇒ c

where r is the rule identifier, a_1, …, a_n are the conditions of the applicability of the norm, and c is the normative effect, i.e., the triggering of deontic notions:
• Obligations
• Permissions
• Prohibitions

Superiority relations between rules (used to resolve conflicting conclusions).

[Governatori, 2005] G. Governatori, “Representing business contracts in RuleML,” Int. J. Coop. Inf. Syst., vol. 14, no. 02n03, pp. 181–216, 2005.


Compliance Checking Vision [Castellanos et al, 2018]

3. To analyse the fulfilment of the normative space in the process space.

Process Space: Process model → Annotations (compliance effects) → Execution semantics
Normative Space: Standard → Formalization → Obligations in force
Compliance Space: Compliance analysis → Compliance report, performed with Regorous [Governatori, 2015]

Compliance analysis: checking the extent to which the tasks in the process models fulfil the rules.

Preventive focus: process planning, i.e., compliance by design [Sadiq et al, 2007].

[Governatori, 2015] Governatori, G. (2015). The Regorous approach to process compliance. In IEEE 19th International Enterprise Distributed Object Computing Conference Workshops and Demonstrations (EDOCW) (pp. 33–40).

[Sadiq et al, 2007] Sadiq, S., Governatori, G., & Namiri, K. (2007). Modeling Control Objectives for Business Process Compliance. 5th International Conference, BPM, 149–164.

[Koliadis et al, 2007] G. Koliadis and A. Ghose, “Verifying Semantic Business Process Models in Inter-operation,” in IEEE International Conference on Service-Oriented Computing, 2007, pp. 731–738.


Safety Compliance Patterns [Castellanos et al, 2018]

“Safety Compliance Patterns are patterns that describe commonly occurring normative safety requirements on the permissible state sequence of a finite state model of a process” [Castellanos et al, 2017]

[Castellanos et al, 2017] Castellanos Ardila, J., & Gallina, B. (2017). Formal Contract Logic Based Patterns for Facilitating Compliance Checking against ISO 26262. In 1st Workshop on Technologies for Regulatory Compliance (pp. 65–72).

FCL requires skills that cannot be taken for granted!!!

Patterns for ISO 26262:

• Address Phase: A phase must occur throughout a scope. Not addressing the phase requires its tailoring and the provision of a rationale.
• Perform preconditions: A given task cannot occur within a scope. The task is permitted to be performed if the preconditions are performed.
• Select alternative methods: Methods should be selected according to ASIL/recommendation levels. Alternative methods can be selected if a rationale is provided.
• …


Example: ISO 26262

Patterns used:
1. Address Phase
2. Perform Preconditions
3. Select Alternative methods

Methodology:
1. Creation of the rule set
   a) Describe the rules (e.g., instantiate patterns)
   b) Model the standards and the rules
2. Process design
   a) Design of the process traces
   b) Include compliance annotations
3. Check compliance with Regorous
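The rule form r: a_1, …, a_n ⇒ c with its deontic effects and superiority relations, the compliance analysis of a process trace against the obligations in force, and the three ISO 26262 patterns used in the example above, carried through as one small runnable checker. This is an added example written for this page; it is not code from the slides, from Regorous or from the AMASS tooling, and Regorous's own semantics (maintenance obligations, compensations, and so on) are richer than this. The rule identifiers r1 to r6, the task and fact names, the traces and the pairing of ASIL D with a particular method are constructed assumptions for illustration, not statements about the standard's tables.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Literal = str  # a task name, or "-" + task name for its negation; F(t) is written as O(-t)


def neg(lit: Literal) -> Literal:
    return lit[1:] if lit.startswith("-") else "-" + lit


@dataclass(frozen=True)
class Rule:
    """r: a_1, ..., a_n => [M]l  with M = "O" (obligation) or "P" (permission)."""
    rid: str
    antecedents: FrozenSet[str]   # conditions of applicability: facts that must hold
    modality: str                 # "O" or "P"
    literal: Literal              # normative effect


def conflicts(r1: Rule, r2: Rule) -> bool:
    # O(l) clashes with O(-l) and with P(-l); two permissions never clash
    return r1.literal == neg(r2.literal) and "O" in (r1.modality, r2.modality)


def in_force(rules: Iterable[Rule], superiority: Set[Tuple[str, str]],
             facts: FrozenSet[str]) -> Set[Tuple[str, Literal]]:
    """Deontic conclusions in force for the given facts. A rule fires when all of its
    antecedents hold and survives only if it is superior to every applicable rule it
    conflicts with (skeptical resolution: an unresolved clash blocks both rules)."""
    applicable = [r for r in rules if r.antecedents <= facts]
    conclusions: Set[Tuple[str, Literal]] = set()
    for r in applicable:
        attackers = [s for s in applicable if s is not r and conflicts(r, s)]
        if all((r.rid, s.rid) in superiority for s in attackers):
            conclusions.add((r.modality, r.literal))
    return conclusions


@dataclass
class Report:
    violations: List[str] = field(default_factory=list)
    fulfilled: List[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.violations


def check_trace(rules: Iterable[Rule], superiority: Set[Tuple[str, str]],
                initial_facts: Iterable[str], trace: List[Tuple[str, List[str]]]) -> Report:
    """Compliance analysis of one process trace: a sequence of (task, effects), where
    executing the task adds its name and its annotated compliance effects to the facts."""
    rules = list(rules)
    facts: Set[str] = set(initial_facts)
    pending: Dict[Literal, int] = {}  # obligated task -> state at which it came into force
    report = Report()
    for i, (task, effects) in enumerate(trace):
        obligations = {lit for m, lit in in_force(rules, superiority, frozenset(facts)) if m == "O"}
        for lit in obligations:       # achievement obligations on tasks not yet performed
            if not lit.startswith("-") and lit not in facts:
                pending.setdefault(lit, i)
        for lit in list(pending):     # dropped out of force: exempted by a superior rule
            if lit not in obligations:
                del pending[lit]
        if neg(task) in obligations:  # O(-task) in force: the task is prohibited here
            report.violations.append(f"state {i}: '{task}' performed while prohibited")
        if task in pending:
            report.fulfilled.append(f"state {i}: obligation '{task}' fulfilled")
            del pending[task]
        facts.add(task)
        facts.update(effects)
    for lit, i in pending.items():
        report.violations.append(
            f"end of trace: obligation '{lit}' (in force since state {i}) never fulfilled")
    return report


# Constructed rule set instantiating the three patterns for a hypothetical software
# development scope; all names below are assumptions made for this example.
RULES = [
    # Address Phase: the unit design phase must be addressed within the scope ...
    Rule("r1", frozenset({"sw_development"}), "O", "software_unit_design"),
    # ... unless its tailoring is defined and a rationale is provided
    Rule("r2", frozenset({"tailoring_defined", "rationale_provided"}), "P", "-software_unit_design"),
    # Perform preconditions: integration testing cannot occur in the scope ...
    Rule("r3", frozenset({"sw_development"}), "O", "-software_integration_testing"),
    # ... until its precondition, unit testing, has been performed
    Rule("r4", frozenset({"software_unit_testing"}), "P", "software_integration_testing"),
    # Select alternative methods: a method is required at the assumed ASIL level ...
    Rule("r5", frozenset({"asil_d"}), "O", "formal_verification"),
    # ... unless a rationale for an alternative method is provided
    Rule("r6", frozenset({"alternative_method_rationale"}), "P", "-formal_verification"),
]
SUPERIORITY = {("r2", "r1"), ("r4", "r3"), ("r6", "r5")}  # exception rules beat the defaults

INITIAL = {"sw_development", "asil_d"}
COMPLIANT_TRACE = [("software_unit_design", []), ("software_unit_testing", []),
                   ("software_integration_testing", []), ("formal_verification", [])]
VIOLATING_TRACE = [("software_integration_testing", []), ("software_unit_design", [])]
TAILORED_TRACE = [("define_tailoring", ["tailoring_defined", "rationale_provided"]),
                  ("software_unit_testing", [])]

if __name__ == "__main__":
    for name, init, trace in [("compliant", INITIAL, COMPLIANT_TRACE),
                              ("violating", INITIAL, VIOLATING_TRACE),
                              ("tailored", {"sw_development"}, TAILORED_TRACE)]:
        rep = check_trace(RULES, SUPERIORITY, init, trace)
        print(name, "compliant" if rep.compliant else "NON-COMPLIANT", rep.violations)
```

Running the file prints one line per trace: the first trace is compliant, the second records a prohibited integration test and an unfulfilled obligation, and the tailored trace is compliant without ever performing unit design. The exception rules r2, r4 and r6 carry each pattern's "unless" clause, and the superiority relation is what lets a documented tailoring or rationale switch an obligation off rather than produce a violation; that is the preventive, compliance-by-design use of the rules described on the earlier slides.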

Explorations: ISO 26262

Methodology:
1. Creation of the rule set
   a) Describe the rules (e.g., instantiate patterns)
2. Modelling and annotating the software process
   a) Plugin 1: Model the standards and the rules
   b) Plugin 2: Capture process elements
   c) Plugin 3: Capture the annotated software process
3. Export plugins and check compliance with Regorous


The current status of our work

1. We have tried out the tools separately -> we need to concretize the synergy between them.

2. We have a basic methodology -> we need to evolve it to include compliance checking of process elements beyond tasks.

3. We get proofs of compliance -> we are studying the possibility of reusing them to increase efficiency.

4. We have some safety compliance patterns -> we aim to have a complete set, applicable initially to ISO 26262.

5. We create the rules manually -> we need a rule editor.

6. We have toy examples -> we aim at checking real use cases.

Thank you for your attention!