As an increasing amount of commercial activity becomes automated, the importance of techniques for providing complete system specifications, checking the correctness of interactions and flagging incorrect behaviour increases. The aim throughout is to generate more complete information about the system and so to produce IT solutions that reflect the business requirements accurately. So far, most efforts have been placed on the appropriate specification of the system behaviour and then on the non-functional requirements that constitute the contract between a system and its users. But in fully-automated commercial systems, such as Cloud Computing or SOA systems, we should also consider the liability of the different parties, since we should be able that assign responsibility to objects and, more importantly, to know in case of problems or contact violations, which one should be blamed.
The consequence of these considerations is that we need the ability to express more directly the necessary obligations and other deontic concepts, such as permissions and prohibitions, giving the designer the tools for extending the behavioural information to make it clear where obligations apply and with what detailed properties. In this talk we describe current activities within the International Organization for Standardization (ISO) to extend the ODP family of standards for the expression of policies using deontic logic, and on how to improve support for deontic concepts based on their reification.
Accountable objects: Modeling Liability in Open Distributed Systems
1. Accountable objects:
Modeling Liability in Open
Distributed Systems
Antonio Vallecillo
Universidad de Málaga
Vienna, January 28, 2013
[Joint work with Peter F. Linington
and Hiroshi Miyazaki at ISO/IEC]
2. The Supply of Olive Oil
We use a very simple e-commerce example to explore
these ideas:
A business (The Modern Oil
Store) acts as a supply channel
from producers to customers
It uses external contractors to
perform deliveries
The buyer pays on receipt of the
oil
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 2
3. Main Characters (Roles)
Customer Supplier
Producer Carrier
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 3
4. The Supply of Olive Oil
Imagine that at one given moment in time, the supply
process does not work as specified by the contract,
e.g., the olive is not delivered
to the customer
Maybe the supplier forgot to
instruct the producer;
Maybe the producer did not
produce the goods;
Maybe the carrier could not
pickup from the producer;
…
Who is accountable for what?
Who is to be sued in case of losses?
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 4
5. Use of Deontic Logic in system specs
Allows us to deal with norms and expectations:
Obligations to perform specified behaviour
Permissions to perform such behaviour
Prohibitions of certain behaviours
We shift to a style of specification where the focus is
not only on the concrete steps and processes, but on
a set of obligations that must be discharged;
who is responsible for discharging them;
who is allowed to do that, and when;
Delegation of obligations and permissions is possible
Liability can be traced in case of problems, and parties
become accountable for their [in]actions
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 5
6. Background
Activity within the ODP family of
standards
Work is centred within ISO as an
extension to the ODP Enterprise
Language and UML4ODP
standards
Improve support for deontic
concepts
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 6
7. Timeline
Based on ideas published in 2003 (Linington & Neal)
Project to incorporate into the ODP standards first
mooted in 2007
Initial study phase to scope and set direction
Full project approval 2011
1st full draft for revised Enterprise Language balloted
June 2012
ISO Standards take upward compatibility very seriously
Changes must be made in such a way that other
standards in the family are not invalidated
Revisions of particular standards may motivate alignment
changes in dependent or supporting standards
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 7
8. ODP Framework
The Reference Model of ODP (ITU-T Rec X.901-904 |
ISO/IEC 10746) defines a framework for system
specification, covering all aspects of ODS:
“enterprise”, data, functionality, distribution, technology
It comprises
A structure for system specifications in terms of a set of
viewpoints
A set of object-oriented foundation modeling concepts
common to all viewpoint languages
A viewpoint language (concepts and rules) for
expressing each viewpoint specification
A set of correspondences between the viewpoints
A set of common functions
A set of transparencies
A set of conformance points
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 8
9. ODP Viewpoints
Different abstractions of the same system
each abstraction focuses on different concerns
each abstraction is achieved using a
set of viewpoint concepts and rules
(the viewpoint language)
A viewpoint specification is
the specification of a system from a specific viewpoint
expressed in terms of the viewpoint language to
describe the concerns and decisions covered by the
viewpoint specification
related to, and consistent with, other viewpoint
specifications (correspondences)
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 9
10. An ODP system specification
- business aspects Enterprise
- What for? Why? Who? When?
- information
- changes to information Information
- constraints
- object configuration
- Interactions between Computational
objects at interfaces
- mechanisms and services
for distribution trans-
parencies and QoS constraints. Engineering
- hardware and software components Technology
implementing the system
- and correspondences between specifications
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 10
11. The “Enterprise” Viewpoint
The enterprise viewpoint focuses on the specification of
the business constraints and the environment
within which an ODP system is to operate
It describes the business entities and the processes
to be considered.
It provides a place to express general organizational
policies that constraint the other viewpoints and
stakeholders
One “enterprise”…
…may be a single organization
…may be describing an ad hoc grouping
…may be a loose social group
…may be a legal jurisdiction
…may be a federation
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 11
12. The enterprise language
Specifies the roles played by the system in its
organizational environment
An object model of, for example, part of some
social/commercial organization in terms of:
Communities (of enterprise objects) with objectives
Enterprise objects
Behaviour
Roles (fulfilled by enterprise objects in a community)
Processes (leading to objectives)
Policies
Accountability
The IT system is just another object
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 12
13. Communities
Configuration of objects with a stated purpose
Objects participate by filling typed roles
Community behaviour is expressed as recursive
composition of interactions between roles
Constraints on role filling can be used to express e.g.
dynamic separation of duties
Community type seen as the community “contract”
Examples
The Olive Oil community
A University
A Library
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 13
14. Roles
Roles provide an essential way of expressing the way in
which fragments of specification are composed to form
a whole
Particularly as an aid to the reuse of a fragment in a number of
situations within the specification
Underlying metaphor is the filling of roles defined in a script to
describe a performance…
…or filling formal parameters with actual terms in a language –
e.g. in a procedure
Active roles (actors), passive roles (artefacts)
Examples
Customer, Supplier, Carrier, Goods,…
Teacher, Student, Classroom, …
Librarian, Library member, Book…
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 14
15. Interactions
• Interactions involve a number of participants
• Model as the filling of action-roles by objects
• Express action types using action roles as their formal
parameters
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 15
16. How to deal with Obligations,
Permissions and Prohibitions?
17. Dynamics of Obligations
• The main idea is that systems evolve by interactions
resulting in the creation, transfer or destruction of
obligations
• Reify obligations as deontic tokens, which are first-class
objects held by actors in the system
• Tokens can be used in expressing
Obligations (Burdens)
Permissions (Permits)
Prohibitions (Embargos)
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 17
18. The Enterprise specification
The e-commerce system will be specified by one single
community
Its goal is to “act as supply channel from producers
customers”
Its objects model the community entities: people (“Joe
Smith”, “Lucy Brown”), companies (“LaEspañola”), items
(olive oil bottle#123), purchase order#999, etc.
Its basic roles are:
Customer, who wants the oil and will pay for it
Supplier, the Modern Oil Company
Producer, one of a group of participating farmers
Carrier, who take the oil from supplier to customer
Its processes include Purchase, Return defective lot, etc.
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 18
19. Enterprise specification (ct’d)
Assignment policies (e.g., the requirements of a person or
a company to become a customer)
Policies:
Permissions: what can be done, e.g. the customer can buy
from the supplier
Prohibition: what must not be done, e.g. individual customers
must not buy directly from the producer
Obligations: what must be done, e.g. the supplier must
deliver the goods to the customer; the customer must pay 30
days after delivery of goods.
Authorizations: regular customers are entitled to have
discounts and to pay up to 60 days after delivery
Delegations: suppliers can use external carrier companies to
deliver the goods to the customers
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 19
20. The Basic “Purchase” Process
Community Roles in an
individual purchase
transaction:
Customer, who wants
the oil and will pay for it
Supplier, the Modern Oil
Company
Producer, one of a group
of participating farmers
Carrier, who take the oil
from supplier to
customer
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 20
21. Tokens Involved
At each stage in a transaction tokens may be:
Needed from some roles as input
Created by an interaction
Passed to roles in the interaction
Discharged or cancelled
Maintained
These changes can capture the details we want to
specify in a concise way
Authorization to proceed
Delegations of responsibility
Discharge of obligations
Release of duties
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 21
22. The “Order” Interaction
Permit supplied by customer, burdens created
Place
order
pay on supply
delivery oil
order()
customer supplier customer supplier
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 22
23. The “InstructProducer” Interaction
Subcontracting moves tokens, creates others
pay
producer produce
oil goods
supply oil
supply oil produce
oil goods
monitor produce
delivery oil
instruct()
supplier producer supplier producer
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 23
25. The “Report” Interaction
Finalizes both subcontracts; some permits remain
Deliver oil
supply
charge Deliver oil
oil deliver oil customer
report()
supplier carrier supplier carrier
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 25
26. The “Charge” Interaction
[Note: The charge interaction is seen here as binary; there is probably
a hidden involvement of a bank]
pay on charge transaction
delivery customer complete!
charge()
customer supplier customer supplier
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 26
27. Patterns of Token Use
Unique tokens for individual actions/artefacts vs.
Universal tokens for types of actions/artefacts
Permit to deliver one box of olive oil
Permit to carry goods (in general)
Implicit tokens vs. Explicit tokens
Permits by default and explicit prohibitions vs.
Explicit permits and prohibitions by default
Economy of the language/”By default” policy
Full delegation vs. No delegation vs. Monitoring
We can model different strategies depending on the system we
want to represent/specify
Delegation may require permissions, too
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 27
28. Simple Tokens
Consider one active object and the tokens it carries:
object
burden
permit
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 28
29. More Complex Situations
There may be many tactics:
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 29
30. Community Burdens
• Need to have a community has burden
compact way of
showing how tokens community
pass to objects
filling community community assigns
roles burden to role
• Need to show role
recovery from
exceptions
object fills role,
inherits burden
object’s enterprise object
other burdens
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 30
31. Inheritance of Tokens
One of the open issues is whether it is more powerful to
talk of assigning tokens to roles rather than objects
Token automatically reverts to community, associated
with empty role, if role-filling object fails
But is this too abrupt?
Is it too complex?
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 31
32. Notations and tools
How to express these concepts and mechanisms in the
specification of systems?
The real issue is what the tools available in practice will
support!
Different options still being studied to see what
practitioners find acceptable
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 32
33. UML Mapping
ISO 19793 – UML4ODP provides a concrete
representation for ODP models
Each viewpoint language has a profile defined in terms
of a set of UML stereotypes
We extend this to add the new concepts, e.g.
Deontic Tokens
Active Objects
Conditional Actions
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 33
34. Changing The Enterprise Language Metamodel
Placing the specification in context.
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 34
38. Token Lifecycle
Most behaviour is enterprise-specific
Provide minimal lifecycle behaviour as root
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 38
39. The Olive Oil Community
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 39
45. Issues of Style
Flexible and Expressive approach
Still many open ways to model liability in UML4ODP
No approach fits all purposes
Different ways to model obligations, depending on the
particular system
Delegations and monitoring of responsibilities depends on the
kinds of analysis to be conducted
Usability and Readability of diagrams and specifications
essential for proper specification and maintainability
UML tool support for analysis and simulation still insufficient
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 45
46. A BPMN Mapping?
UML is not the only show in town
Interest in mapping the same conceptual structure onto
other languages and notations
Primary candidate for a second mapping is BPMN
Progression depends on the level of support and
contribution
Likely to need a new project in ISO
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 46
47. Rule-based DSLs
DSLs can provide more effective solutions
Such as eMotions…
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 47
48. Simulations
[Spanshot after 50 simulation steps]
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 48
49. The Importance of Tools
There is a symbiotic relationship between users,
standardizers and tool vendors
Often the tool vendors lag behind current modelling ideas
But without tools, ideas cannot be used in practice
Validation of additional semantic constraints can be added via
plug-ins, but this is a single tool solution
Tool support for Behavioural Specifications still in its infancy
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 49
51. What is an Obligation?
So far, we have assumed it is obvious what a deontic
constraint, such as an obligation means
Need to establish a formal semantic basis
Other views, e.g. Computational, have used
correspondences to a labelled transition system
This focuses on correctness of a move to the direct
successor state
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 51
52. Providing a Broader View
Deontic concepts need to be defined in terms of
properties of possible successor traces
Need to evaluate across properties of sequence of
successor worlds (trace)
One approach is to base interpretation on
correspondences to a set of Kripke frames
But can this be normative? Currently included as an
informative discussion
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 52
53. Next Steps
ISO 15414 – The Enterprise Language
CD Ballot complete, comments resolved at November
meeting
FCD in preparation
No obvious show-stoppers
19793 – UML4ODP
Start November 2012, offset by 12 months from 15414
Preliminary planning and directions document produced
WD in preparation
Currently internal ISO drafts
Contact peter@linington.eu or av@lcc.uma.es for copies
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 53
54. References
P. F. Linington, H. Miyazaki and A. Vallecillo. “Obligations and
Delegation in the ODP Enterprise Language.” In Proc. of VORTE
2012 (EDOC Workshops), IEEE Computer Society, Sept 2012, pp.
146-155. http://www.lcc.uma.es/~av/Publicaciones/12/edoc-
tokens.pdf
P. F. Linington and S. Neal, “Using policies in the checking of
business to business contracts.” In Proc. of the 4th IEEE Int. Work.
on Policies for Distributed Systems and Networks (POLICY’03). Lake
Como, Italy: IEEE Computer Society, Jun. 2003, pp. 207–218.
http://www.cs.kent.ac.uk/pubs/2003/1636/content.pdf
P. F. Linington, Z. Milosevic, A. Tanaka and A. Vallecillo “Building
Enterprise Systems with ODP — An Introduction to Open Distributed
Processing.” Chapman & Hall/CRC Press, 2012.
http://theodpbook.lcc.uma.es/
A.Vallecillo: "Accountable Objects: Modeling Liability in Open Distributed Systems" Vienna, 2013 54
55. Accountable objects:
Modeling Liability in Open
Distributed Systems
Antonio Vallecillo
Universidad de Málaga
Vienna, January 28, 2013
[Joint work with Peter F. Linington
and Hiroshi Miyazaki at ISO/IEC]