Foundations and Applications of

Business Process Compliance

Univ.-Prof. Dr. Stefanie Rinderle-Ma

University of Vienna
Faculty of Computer Science
Research Group Workflow Systems and Technology
stefanie.rinderle-ma@univie.ac.at

18th July 2019

NEMO Summer School 2019

Agenda

1. Motivation

2. Compliance Requirements Along Process Lifecycle

3. Design Time Compliance

4. Runtime Compliance

5. Extracting Compliance Requirements

6. Summary and Outlook

© S. Rinderle-Ma, 2019
1 Motivation

 Financial scandals and resulting legislative and

regulatory packages such as BASEL II, Sarbanes
Oxley Act (SOX)
 SOX: US$15 billion in year 2005 US corporate cost
and $1.4 trillion in market costs
 Goal: strengthen stakeholders confidence and trust
 Proof that financial processes comply with
regulations  no “bad surprises” afterwards

© S. Rinderle-Ma, 2019
1 Motivation

Guidelines Trust

Policies Quality

Contracts Legality

Constraints Reputation

Rules COMPLIANCE Security

© S. Rinderle-Ma, 2019
1 Motivation

Guideline
Compliance
Business Process
Compliance Prozess11
Prozess Process quality
Prozess111
Prozess
Process

Business Contracts
Process Engine
Certification
…
Process-aware information system

 Requirement: prove business process compliance with imposed

compliance rules

© S. Rinderle-Ma, 2019
1 Motivation
Between a feature freeze and the
After a biopsy, there must be a next release, each change has to
time interval of at least 7 days be approved.
before Barium-KE is performed.
Guideline
After an invasive
surgery, the Compliance
After developing a
aftercare should be prototype, a test drive and
Business Process
performed within 24
Compliance Prozess11
Prozess Process quality technical
a subsequent
hours
Prozess111
Prozess
Process
approval has to be
performed. In between the
prototype must not be
changed.

Business
Before Contracts
an invasive
surgery the patient Certification
After developing a
has to be informed Process Engine
component, it has to be
about the risks
… tested with respect to the
defined maturity level
Process-aware information system
before the release.

Challenge: Business Processes are subject to domain-specific

regulations
© S. Rinderle-Ma, 2019
1 Motivation

How to provide IT-based support for business process

compliance?
 Requirements:
 Independent of domain
 Independent of process modeling notation
 Support throughout the entire process life cycle
 Assumptions:
 Business process executions can be traced
 Compliance rules can be processed by computer

© S. Rinderle-Ma, 2019
Agenda

1. Motivation

2. Compliance Requirements Along Process Lifecycle

3. Design Time Compliance

4. Runtime Compliance

5. Extracting Compliance Requirements

6. Summary and Outlook

© S. Rinderle-Ma, 2019
 Process model taken from: Linh Thao Ly, Stefanie Rinderle-Ma, Peter Dadam: Design and Verification of
Instantiable Compliance Rule Graphs in Process-Aware Information Systems. CAiSE 2010: 9-23

Software development process

(depicted in BPMN notation) C1:
Goals have to be
Motivation defined prior to start of
development

C2:
Tests have to be
documented

C3:
No development
shall take place
after feature freeze
Does the process comply with
the imposed constraints? C4:
The testing has to be followed by
an approval and the integration.
Additionally, no changes shall
take place between the approval
© S. Rinderle-Ma, 2019
and the integration
2 Compliance Life Cycle and Tasks
Modeling
C1:
Vor Beginn der Entwicklung
C2: Ziele definiert werden
müssen
compliance rules
Test-Aktivitäten müssen
dokumentiert werden
C2:
Test-Aktivitäten müssen
dokumentiert werden

C2:
Test-Aktivitäten müssen
dokumentiert werden

Compliance
checking

Process
modeling

Compliance rule Process

repository life cycle
Process Process
analysis execution

Process-aware
information system
© S. Rinderle-Ma, 2019
2 Compliance Life Cycle and Tasks
Modeling How to enable modeling of
C1:
Vor Beginn der Entwicklung
C2: Ziele definiert werden
müssen
compliance rules intelligible and formal rules?
Test-Aktivitäten müssen
dokumentiert werden
C2:
Test-Aktivitäten müssen
dokumentiert werden

C2:
Test-Aktivitäten müssen
dokumentiert werden

How to facilitate
maintenance and evolution
How to extract compliance of compliance rules?
requirements from
regulatory documents
Compliance
checking

Process
modeling

Compliance rule Process

repository life cycle
Process Process How to enable helpful
analysis execution feedback?
How to enable dealing with
compliance violations in a
flexible manner?

Process-aware
© S. Rinderle-Ma, 2019
information system
2 Overview on Compliance Tasks
S. Rinderle-Ma: Process Compliance. Taylor & Francis (2017)

Design time Runtime compliance

compliance
Process artifact Process model Events, event streams

Model paradigm Imperative, Model (partly) not available

declarative
Constraint artifact Patterns (Anti-) patterns enriched with
data values, time information,
and resources

Constraint LTL, CTL, CTL*, Event Calculus, Event-B, CRGs, TLA+,

formalisms PDL, µ-calculus, PQL, APQL,
(selection)
Techniques Model checking, Model checking, pattern
(selection) pattern matching matching, data monitoring,
conformance
checking (ex post)
© S. Rinderle-Ma, 2019
Agenda

1. Motivation

2. Compliance Requirements Along Process Lifecycle

3. Design Time Compliance

4. Runtime Compliance

5. Extracting Compliance Requirements

6. Summary and Outlook

© S. Rinderle-Ma, 2019
3 Design Time Compliance

Compliance Constraints

• Before an invasive surgery the patient has to be informed about the risks

• After an invasive surgery the aftercare must take place within 24 hours.

• In between a biopsy and a Barium-KE there must be a time interval of at

least 7 days.

• Between a feature freeze and the next release each change has to be
approved.

• After developing the prototype a test drive and a subsequent technical

approval have to take place without any changes applied ot the prototype.

• After developing a component it has to be tested with respect to the

defined maturity degree before the component can be released.

© S. Rinderle-Ma, 2019
3 Design Time Compliance

Compliance Constraints

• Before an invasive surgery the patient has to be informed about the risks

• After an invasive surgery the aftercare must take place within 24 hours.

• In between a biopsy and a Barium-KE there must be a time interval of at

least 7 days.

• Between a feature freeze and the next release each change has to be
approved.

• After developing the prototype a test drive and a subsequent technical

approval have to take place without any changes applied ot the prototype.

• After developing a component it has to be tested with respect to the

defined maturity degree before the component can be released.

Rule-activating activity pattern

© S. Rinderle-Ma, 2019
3 Design Time Compliance

Compliance Constraints

• Before an invasive surgery the patient has to be informed about the risks

• After an invasive surgery the aftercare must take place within 24 hours.

• In between a biopsy and a Barium-KE there must be a time interval of at

least 7 days.

• Between a feature freeze and the next release each change has to be
approved.

• After developing the prototype a test drive and a subsequent technical

approval have to take place without any changes applied ot the prototype.

• After developing a component it has to be tested with respect to the

defined maturity degree before the component can be released.

Rule-activating activity pattern  required activity pattern

© S. Rinderle-Ma, 2019
3 Design Time Compliance

 Modeling activity patterns

 Existence and absence of activities
 Order relations between activities
 Temporal relations
 Conditions referring to context of other activities
 Further requirements
 Formal semantics
 Understandable notation
 Extensibility
After an invasive Before an invasive After developing the
surgery, the surgery the patient
prototype a test drive
aftercare must take has to be informed
place witin 24 about the risks. and a subsequent
hours. technical approval have
to take place without any
changes applied ot the
© S. Rinderle-Ma, 2019 prototype.
3 Design Time Compliance

SeaFlows-Approach
 Directly modeling activity patterns by predicate logic (PL1)

 Visualization by compliance rule graphes

After an invasive surgery, aftercare has to be performed within 24 hours.

Rule-activating activity pattern  Required activity pattern

∀a1 ∃ a2
(Is(a1, Invasive surgery)
 Is(a2, aftercare) AND
patient(a1) = patient(a2) AND
Pred(a1, a2) AND
MaxDistEndStart(a1, a2, 24h))

• Linh Thao Ly, Stefanie Rinderle-Ma, Peter Dadam: Design and Verification of Instantiable Compliance Rule Graphs in Process-
Aware Information Systems. CAiSE 2010: 9-23
• Linh Thao Ly, Stefanie Rinderle, Peter Dadam: Integration and verification of semantic constraints in adaptive process
management systems. Data Knowl. Eng. 64(1): 3-23 (2008)

© S. Rinderle-Ma, 2019
3 Design Time Compliance

SeaFlows: Logical Model

Activity nets
∀a1(
Is(a1, Invasive surgery) BPEL Workflow Nets

∃ a2
ADEPT BPMN
Is(a2, aftercare)
AND patient(a1) = patient(a2)
AND Pred(a1, a2) )

Compliance Process models

Constraints Process instances

Impose requirements on Specific for process

process executions descriptions languages

© S. Rinderle-Ma, 2019
3 Design Time Compliance

Trace build up interpretation for rule Describes a set of possible execution traces

Approach

Semantic Process models

Execution traces
Integrity Rules Process instances
Impose requirements on execution Specific to process meta models

 Execution traces yield logical model independent of process

description language
 Enable formal compliance checks
 In fact, generating all possible traces is not efficient

© S. Rinderle-Ma, 2019
3 Design Time Compliance

Formal semantics
Compliance rule graph

Compliance rule ∀ a: (ActivityType(a, End of Testing) 

formula in PL1
∃ b, c: ActivityType(b, Approval) ⋀ ActivityType(c, Integration) ⋀
Pred(a,b) ⋀ Pred(b,c) ⋀
∄ d: (ActivityType(d, Change process) ⋀ Pred(b,d) ⋀ Pred(d,c))
)

 Interpretation of the predicates ActivityType and Pred

Execution trace
over execution traces

Processes

© S. Rinderle-Ma, 2019
23
Agenda

1. Motivation

2. Compliance Requirements Along Process Lifecycle

3. Design Time Compliance

4. Runtime Compliance

5. Extracting Compliance Requirements

6. Summary and Outlook

© S. Rinderle-Ma, 2019
4 Runtime Compliance

Design Time
Compliance

Post-Mortem
Compliance
Compliance
Monitoring
Analysis

© S. Rinderle-Ma, 2019
4 Runtime Compliance

Objective 1:
Identify (potential) compliance violations Managers Process supervisors Process users

Objective 2: Process cockpit Monitoring cockpit

Instance 1 of C3
Instance 2 of C3

Support stakeholders in preventing Instance 3 of C3

Instance 4 of C3

violations and identifying reasons for

violations Reporting

Implementation
and modeling Compliance monitoring engine

Compliance Internal controls /

requirements compliance rules
Event Bus

ERP CRM WfMS …

© S. Rinderle-Ma, 2019
4 Runtime Compliance

 Compliance monitoring approaches driven by

LTL ECE ECA

FOL
 Compliance rule language
CRG EC

FSA
 Event format

 Multitude of approaches XES MXML

 Constant arisal of new approaches
CEP

? Selection of approach for Elicit and describe typical

specific application scenario Compliance Monitoring
Functionalities (CMFs)
© S. Rinderle-Ma, 2019
4 Data Collection and CMF Identification

 5 Case Studies from Different Domains

Domain Project URL

Health care EBMC2 ebmc2.univie.ac.at
Manufacturing ADVENTURE www.fp7-adventure.eu
Higher education HEP www.wst.univie.ac.at/communities/hep/
Maritime safety Poseidon www.esi.nl/poseidon/
IT project management SeaFlows www.seaflows.de

 Literature Review on Existing Compliance Monitoring Approaches

 Selection of CMF candidates
 Aggregation and cleaning

Linh Thao Ly, Fabrizio Maria Maggi, Marco Montali, Stefanie Rinderle-Ma, Wil M. P. van der Aalst: Compliance monitoring in
business processes: Functionalities, application, and tool-support. Inf. Syst. 54: 209-234 (2015))

© S. Rinderle-Ma, 2019
4 CMF Framework
time
 CMF 1 – 3: context
data

resources

atomic/non-atomic activities
 CMF 4 – 6: scope
multiple instances

Reactive: detection&management
 CMF 7 – 10: violations
Pro-active: detection&management

Explain root cause of violation

Quantification of compliance degree

Linh Thao Ly, Fabrizio Maria Maggi, Marco Montali, Stefanie Rinderle-Ma, Wil M. P. van der Aalst: Compliance monitoring in
business processes: Functionalities, application, and tool-support. Inf. Syst. 54: 209-234 (2015))

© S. Rinderle-Ma, 2019
Agenda

1. Motivation

2. Compliance Requirements Along Process Lifecycle

3. Design Time Compliance

4. Runtime Compliance

5. Extracting Compliance Requirements

6. Summary and Outlook

© S. Rinderle-Ma, 2019
 Data Streams
5 Compliance 4.0
<event>
<string key="concept:name" value="reinitiate
request"/>
<string key="org:resource" value="Sara"/>
<date key="time:timestamp" value="2011-01-
06T12:18:00.000+01:00"/>
<string key="Activity" value="reinitiate request"/>
<string key="Resource" value="Sara"/> Sensor Data
<string key="Costs" value="200"/>
</event>
<event> event:
trace:id: '375'
<string key="concept:name" value="examine
concept:name:
thoroughly"/> external
id:id: external
<string key="org:resource" value="Sean"/>
cpee:uuid: 3a17d071-b756-4ad4-adca-e3e0e2f685ad
<date key="time:timestamp" value="2011-01-
lifecycle:transition: unknown
06T13:06:00.000+01:00"/>
cpee:lifecycle:transition:
<string key="Activity"endpoints/change
value="examine
AnaCredit list:
thoroughly"/>
data_changer:
<string key="Resource" value="Sean"/>
- timeout
<string key="Costs" value="400"/>
ELGA Machine Data
</event> - start_instance
- start_url
- queue
- queue_stat
data_values:
DSGVO timeout:
http://gruppe.wst.univie.ac.at/~mangler/services/timeout.php
start_instance: https://centurio.work/flow/start/instance/
start_url: https://centurio.work/flow/start/url/
queue: https://centurio.work/data/mm500/queue/
Regulatory Documents queue_stat: https://centurio.work/data/mm500/queue/
time:timestamp: '2018-06-12T13:29:20+02:00'
33
© S. Rinderle-Ma, Uni Wien (2019)
5 Constraint Extraction

© K. Winter

• Karolin Winter, Stefanie Rinderle-Ma: Deriving and Combining Mixed Graphs from Regulatory Documents Based on
Constraint Relations. CAiSE 2019: 430-445
• Karolin Winter, Stefanie Rinderle-Ma: Detecting Constraints and Their Relations from Regulatory Documents Using NLP
Techniques. OTM Conferences (1) 2018: 261-278
© S. Rinderle-Ma, 2019
5 Constraint Extraction Constraint Network Map

© S. Rinderle-Ma, 2019 © S. Rinderle-Ma, Uni Wien (2019)

5 Constraint Representation

© S. Rinderle-Ma, 2019
Agenda

1. Motivation

2. Compliance Requirements Along Process Lifecycle

3. Design Time Compliance

4. Runtime Compliance

5. Extracting Compliance Requirements

6. Summary and Outlook

© S. Rinderle-Ma, 2019
6 Summary & Outlook

 Business process compliance ongoing challenge

 New regulations arise „every day“
 IT-based support is crucial

 Compliance violation handling

 Visualization of violations
 Explanations
 Remedy strategies

© S. Rinderle-Ma, 2019
References

 Karolin Winter, Stefanie Rinderle-Ma: Deriving and Combining Mixed Graphs from
Regulatory Documents Based on Constraint Relations. CAiSE 2019: 430-445
 Karolin Winter, Stefanie Rinderle-Ma: Detecting Constraints and Their Relations from
Regulatory Documents Using NLP Techniques. OTM Conferences (1) 2018: 261-278
 Karolin Winter, Stefanie Rinderle-Ma: Untangling the GDPR Using ConRelMiner. CoRR
abs/1811.03399 (2018)
 Linh Thao Ly, Fabrizio Maria Maggi, Marco Montali, Stefanie Rinderle-Ma, Wil M. P. van der
Aalst: Compliance monitoring in business processes: Functionalities, application, and tool-
support. Inf. Syst. 54: 209-234 (2015)
 David Knuplesch, Manfred Reichert, Linh Thao Ly, Akhil Kumar, Stefanie Rinderle-Ma:
Visual Modeling of Business Process Compliance Rules with the Support of Multiple
Perspectives. ER 2013: 106-120
 Linh Thao Ly, Stefanie Rinderle-Ma, David Knuplesch, Peter Dadam: Monitoring Business
Process Compliance Using Compliance Rule Graphs. OTM Conferences (1) 2011: 82-99
 Linh Thao Ly, Stefanie Rinderle-Ma, Peter Dadam: Design and Verification of Instantiable
Compliance Rule Graphs in Process-Aware Information Systems. CAiSE 2010: 9-23
 David Knuplesch, Linh Thao Ly, Stefanie Rinderle-Ma, Holger Pfeifer, Peter Dadam: On
Enabling Data-Aware Compliance Checking of Business Process Models. ER 2010: 332-346
 Linh Thao Ly, Stefanie Rinderle, Peter Dadam: Integration and verification of semantic
constraints in adaptive process management systems. Data Knowl. Eng. 64(1): 3-23 (2008)
© S. Rinderle-Ma, 2019
 Twitter:
@SRinderleMa
@wstcsunivie

THANK YOU FOR YOUR ATTENTION

Contact:
Univ.-Prof. Dr. Stefanie Rinderle-Ma
stefanie.rinderle-ma@univie.ac.at