An Algorithm to Generate Compliance Monitors from Regulations

Developing software systems in heavily regulated industries requires methods to ensure systems comply with regulations and law. An algorithm to generate finite state machines (FSM) from stakeholder rights and obligations for compliance monitoring is proposed. Rights and obligations define what people are permitted or required to do; these rights and obligations affect software requirements and design. The FSM allows stakeholders, software developers and compliance officers to trace events through the invocation of rights and obligations as preand postconditions. Compliance is monitored by instrumenting runtime systems to report these events and detect violations. Requirements and software engineers specify the rights and obligations, and our algorithm performs three supporting tasks: 1) identify ambiguities, 2) balance rights with obligations, and 3) generate finite state machines. Preliminary validation of the algorithm includes FSMs generated from U.S. healthcare regulations and tool support to parse these specifications and generate the FSMs.