Designing Compliant Business Processes with Obligations and Permissions

The sequence and timing constraints on the activities in business processes are an important aspect of business process compliance. To date, these constraints are most often implicitly transcribed into controlflow-based process models. This implicit representation of constraints, however, complicates the verification, validation and reuse in business process design. In this paper, we investigate the use of temporal deontic assignments on activities as a means to declaratively capture the controlflow semantics that reside in business regulations and business policies. In particular, we introduce PENELOPE, a language to express temporal rules about the obligations and permissions in a business interaction, and an algorithm to generate compliant sequence-flow-based process models that can be used in business process design. 1 Motivation and Methodology Nowadays there is an increased pressure on companies to guarantee compliance of their business processes with business policy, the whole of internally defined business constraints, and business regulations, the whole of externally imposed business constraints. The obligation to guarantee compliance, whether imposed by management, customers, governments or financial markets, is often the main driver for business process automation. The downside to automating business processes, however, is that ill-conceived automation can make business processes more difficult to adapt to ever changing business policies and regulations. As such, automated business processes risk to become in time an impediment to compliance, rather than a enabler. Consequently, reconciling compliance and flexibility is a major concern in business process design. Companies often only implicitly think about business policy and regulations when they design business processes and pay little attention to avoid hardcoding policies and regulations directly in control-flow based process models. What is lacking is a more declarative approach in business process design in which business policy and regulations are made explicit in terms of definitions and constraints. The sequence and timing constraints on the activities in business processes, known as control flow, are an important aspect of compliance. In a software-release process, for instance, a new version may only be put in production after it has been tested and approved. Similarly, in an order-to-cash J. Eder, S. Dustdar et al. (Eds.): BPM 2006 Workshops, LNCS 4103, pp. 5–14, 2006. c © Springer-Verlag Berlin Heidelberg 2006 6 S. Goedertier and J. Vanthienen process, an order may only be shipped by the dispatching office after it has been accepted by a salesperson. Designers often think implicitly about these kinds of permissions and obligations when modeling the control-flow perspective of business processes. In this paper we show how the logic behind the obligations and permissions can be made explicit in the form of temporal deontic assignments that can be (re)used in business process design. To verify and validate such a set of deontic assignments, we show how to generate a compliant control-flow-based process model from it. The generated process model is not intended for process execution, but can rather be used by the process designer for verification and validation. Moreover, the generated process model allows the designer to identify the decision points and all possible violations of obligations, i.e. exceptions, that can occur. The remainder of this article is structured as follows. In section 2 we discus the relevant literature on the use of constraints in obtaining business process compliance and flexibility. In section 3, we formally introduce PENELOPE (Process ENtailment from the ELicitation of Obligations and PErmissions), a language to express temporal deontic assignments. Next, we discuss some issues in the verification and validation of temporal deontic assignments. Finally, in section 5 we define and illustrate the algorithm to generate control-flow based process models from a rule set of obligations and permissions.