SeaFlows - a compliance checking framework for supporting the process lifecycle

Abstract

Compliance-awareness is undoubtedly of utmost importance for companies nowadays. Even though an automated approach to compliance checking and enforcement has been advocated in recent literature as a means to tame the high costs for compliance-awareness, the potential of automated mechanisms for supporting business process compliance is not yet depleted. Business process compliance deals with the question whether business processes are designed and executed in harmony with imposed regulations. Our objective is to devise a framework that enhances process management systems (PrMSs) with compliance checking functionality.

The SeaFlows compliance checking framework introduces the compliance rule graph (CRG) language for modeling declarative compliance rules. The language provides modeling primitives based on nodes and edges. A compliance rule is modeled by defining a pattern of activity executions activating a compliance rule and consequences that have to apply once a rule becomes activated. In order to enable compliance verification of process models and process instances, the CRG language is operationalized. Key to this approach is the exploitation of the graph structure of CRGs for representing compliance states in a transparent and interpretable manner. For that purpose, we introduce markings to indicate which parts of the CRG patterns can be observed in a process execution. Execution and marking rules enable to update the compliance state. Thus, the framework enables to support process model verification and process instance monitoring using the same mechanisms. As compliance states are encoded based on the CRG structure, fine-grained and intelligible compliance diagnoses can be derived in each detected compliance state. Specifically, feedback can be provided not only on the general enforcement of a compliance rule but also at the level of particular rule activations contained in a process. This can help to explain the source of violations in a process.