Slides of the paper presented at EDOC 2015, Adelaide, September 2015.
ABSTRACT: In the past few years several business process compliance frameworks based on
temporal logic have been proposed. In this paper we investigate whether the
use of temporal logic is suitable for the task at hand: namely to check whether
the specifications of a business process are compatible with the formalisation
of the norms regulating the business process. We provide an example inspired
by real life norms where the use of linear temporal logic produces a result
that is not compatible with the legal understanding of the norms in the example.
1. No Time for Compliance
Guido Governatori, Mustafa Hashmi
23 September 2015
www.data61.csiro.au
2. A Privacy Act
Section 1: (Prohibition to collect personal medical information)
Offence: It is an offence to collect personal medical information.
Defence: It is a defence to the prohibition of collecting personal medical information, if an
entity immediately destroys the illegally collected personal medical information
before making any use of the personal medical information
Section 2: An entity is permitted to collect personal medical information if the entity acts under
a Court Order authorising the collection of personal medical information.
Section 3: (Prohibition to collect personal information) It is forbidden to collect personal
information unless an entity is permitted to collect personal medical information.
Offence: an entity collected personal information
Defence: an entity being permitted to collect personal medical information.
2 | No Time for Compliance | Guido Governatori, Mustafa Hashmi
3. Making Sense of the Act
• Collection of medical information is forbidden.
• Destruction of the illegally collected medical information excuses the illegal
collection.
• Collection of medical information is permitted if there is an authorising court
order.
• Collection of personal information is forbidden.
• Collection of personal information is permitted if the collection of medical
information is permitted.
6. Motivation
• Linear Temporal Logic (LTL): mature technology to verify systems
• Similarity between conditions for obligations and temporal notions in LTL
• many compliance frameworks proposed LTL to check compliance of business
processes
Can current compliance frameworks based on LTL be used to
determine compliance of processes with norms?
7. Linear Temporal Logic 101 (Syntax)
• Xφ: at the next time φ holds;
• Fφ: eventually φ holds (sometime in the future φ); and
• Gφ: globally φ holds (always in the future φ).
In addition we have three binary operators:
• φ U ψ (until): φ holds until ψ holds;
• φ W ψ (weak until): φ holds until ψ holds, and ψ might never hold.
Interdefinability
• Fφ ≡ ⊤ U φ,
• Gφ ≡ ¬F¬φ,
• φ W ψ ≡ (φ U ψ) ∨ Gφ
10. Linear Temporal Logic 102 (Semantics)
Example fullpaths σ = s0 s1 s2 s3 … (reconstructed from the slide's path diagrams; the label under a state is the proposition that holds there):
• TS, σ |= a: a holds at s0.
• TS, σ |= Xa: a holds at s1.
• TS, σ |= a U b: a ∧ ¬b holds at s0 and s1, and b holds at s2.
• TS, σ |= Fa: ¬a holds at s0 and s1, and a holds at s2.
• TS, σ |= Ga: a holds at s0, s1, s2, s3 and every later state.
A formula φ is true in a fullpath σ iff it is true at the first element of the fullpath.
A formula is true in a state s:
TS, s |= φ iff ∀σ: σ[0] = s, TS, σ |= φ.
11. Obligation, Prohibition and Permission
Obligation A situation, an act, or a course of action to which a bearer is legally
bound, and if it is not achieved or performed results in a violation.
Prohibition A situation, an act, or a course of action which a bearer should avoid,
and if it is achieved results in a violation.
Permission Something is permitted if the obligation or the prohibition to the
contrary does not hold.
12. Achievement vs Maintenance Obligations
• For an achievement obligation, a certain condition must occur at least once before
the deadline:
‘Customers must pay before the delivery of the good, after receiving the invoice’
• For a maintenance obligation, a certain condition must obtain during all instants
before the deadline:
‘After opening a bank account, customers must keep a positive balance until bank
charges are taken out’
13. Achievement and Maintenance Obligations in LTL
Maintenance obligation: Gφ; conditioned on τ and with deadline δ: G(τ → φ U δ)
Achievement obligation: Fφ; conditioned on τ and with deadline δ: G(τ → ¬(¬φ U δ))
14. Compliance in LTL
To determine, given a model encoding a trace of a business process
and a set of formulas encoding the relevant norms, whether the
formulas are satisfied by the model.
15. LTL Compliance Frameworks
• Several compliance frameworks based on LTL have been proposed (e.g.,
COMPAS, MoBuCOM, BPMN-Q); we focus on the COMPAS Compliance
Requirement Language (CRL).
• They propose templates/patterns to capture “compliance requirements” based on the
“temporal order” of tasks or business process components.
• Templates correspond to temporal logic formulas.
16. CRL Patterns
• Absence: φ isAbsent, φ does not occur in the process
G¬φ
• Existence: φ Exists, φ occurs in the process
Fφ
• Leads To: φ LeadsTo ψ, φ must always be followed by ψ
G(φ → Fψ)
18. CRL Contrary-to-duty Pattern
Pattern to represent compensations to violations:
φ (LeadsTo|DirectlyFollowedBy) φ1 (Else|ElseNext) φ2 . . . (Else|ElseNext) φn
translated to
G(φ → F|X(φ1 ∧ ⋀_{1≤i<n−1} (F|X(φi NotSucceed) ∧ (φi NotSucceed → F|X φi+1))))
but it does not work for maintenance obligations (prohibitions): Gφ ∧ ¬φ → ⊥, i.e. a single violation of Gφ makes the whole formula false and leaves nothing to compensate.
A maintenance obligation Gφ with compensation ψ is instead encoded as:
Gφ ∨ F(¬φ ∧ F|Xψ)
19. CRL Exception Patterns
Strong Exceptions: [[R]]Pattern
φ → ψ
Weak Exceptions: [R]Pattern
φ ∨ ψ
where:
• φ is the LTL translation of R
• ψ is the LTL translation of Pattern
20. Privacy Act Logical Structure
• A (“collection of medical information”) is forbidden
B (“destruction of medical information”) compensates the illegal collection
• A is permitted if C (“acting under a court order”)
• D (“collection of personal information”) is forbidden
• D is permitted if A is permitted
22. Privacy Act in CRL and LTL
CRL1 R1 : ([R2]A isAbsent) Else B,
CRL2 R2 : C,
CRL3 R3 : [R4]D isAbsent,
CRL4 R4 : A isPermitted.
LTL1 G(C ∨ (G¬A ∨ F(A ∧ FB)));
LTL2 G(FA ∨ G¬D).
23. CRL: Are We Compliant?
Process: Start → T1 (Collect Medical Information) → T2 (Collect Personal Information) → T3 (Destroy Medical Information) → End
LTL1 G(C ∨ (G¬A ∨ F(A ∧ FB)));
LTL2 G(FA ∨ G¬D).
• v(start) = { ¬A, ¬B, ¬C, ¬D };
• v(T1) = { A, ¬B, ¬C, ¬D };
• v(T2) = { A, ¬B, ¬C, D };
• v(T3) = { A, B, ¬C, D };
• v(end) = { A, B, ¬C, D }.
M |= LTL1 ∧ LTL2
The LTL encoding judges the trace compliant, although there is no court order (¬C throughout), so collecting personal information at T2 is forbidden under Section 3 and, unlike the medical collection, has no compensation.
24. Conclusions
• Current compliance frameworks based on temporal logic are not able to model
real life norms.
• The result is not restricted to Linear Temporal Logic; it extends to other temporal logics.
• The result is not an impossibility theorem. If one knows which traces are compliant,
one can build a set of temporal formulas corresponding to the compliant
traces (but this means using an external oracle, so it is useless for compliance checking).
• The result seems to affect deontic logics based on possible world semantics.
• As far as we know, PCL and the Deontic Event Calculus are not affected by the
problem.