Eunomia (Εὐνομία): A Requirement Engineering based Compliance Framework for Software Systems

Engiel, Priscila

07 February 2018

Laws and regulation affect software development, as they frequently demand changes in software’ requirements to protect individuals and businesses regarding security, privacy, governance, sustainability and more. Legal requirements can dictate new requirements or constrain existing ones. The problem of software compliance is howto ensure that the software complies with the norms that the legislation imposes. The problem is particularly challenging because it combines difficultsteps: 1)analyze legal documents, 2) extract requirements from those documents, 3) identify conflicting requirements with those already implemented in software and 4) ensure that software remains compliant even with the changes. Compliance is a continuous process: laws, software and the context within which software system operates changes continuously. The works dealing with the compliance problem focus only on one or two subjects: analyze legal documents or extract requirements or identify conflicts or changes. This thesis deals with all the problems at the same time; the idea is to extract requirements from legal text, compare them with the software requirement, resolve the possible conflicts that may arise, continuously leading with the changes on environment, laws and requirements. For this, this work proposes a framework that is composed of a compliance process and continuous monitoring of environmental changes. The framework deals with different types of laws (security, privacy, transparency, health care) that are represented in explicit norms. The compliance process supports the identification, extraction, comparison and conflict resolution to help software compliance, by producing a compliant set of requirements. The compliance process is based on the semantic annotation and goal model. The semantic annotation helps to extract requirements from thelaw, using patterns. The goal model is used to help the comparison between requirement and to represent requirements in a formal and consistent requirement specification. The process is tool supported; some tools were reused (Desiree and NomosT) to further each step. It was necessary to adapt the tools for the context of the compliance process, creating a guideline, patterns, and heuristics. The continuous monitoring is concerned about the changes that affect the software compliance and has 7 the mechanism to ensure that even with those changes the software will regain compliance. The compliance monitor is basedon agents and Non Functional Requirements. The agents are represented using in i*, the idea is to showthe collaboration between the agents to ensure the continuous compliance. The requirement specification of how each agent should behave was also generated using Business Process Modeling Notation and Desiree language. The Non Functional Requirements catalogue is used to help to define operalizations for the software awareness. The framework validation was made in two parts: first, the compliance process and after all the framework proposed. For the compliance process, the effort and correctness were measured comparing the use of the proposed process andan ad-hoc method. For the entire framework, the example of monitoring the changes in the environment when an automated car is crossing the border between Washington and Canada was used. The study shows that context has a strong influence on the software requirements, and nonconformity problems may incur penalties. The contribution of this work is the Eunomia framework that has a process and goal model perspective with emphasis on monitoring that helps to deal with the compliance challenge. The framework equips the requirements engineering team with a systematic method. Eunomia framework is a tool-supported and systematic process which can be reused to reduce the time effort and to improve the quality of the requirement specification that helps to create a compliant software requirement specification that is compliant over the time.

Tool-supported compliance proce

software systems design

software system compliance

compliance analysi

requirement compliance.

[en] EUNOMIA (ΕΥΝΟΜIΑ): A REQUIREMENT ENGINEERING BASED COMPLIANCE FRAMEWORK FOR SOFTWARE SYSTEMS / [pt] EUNOMIA: UM FRAMEWORK DE CONFORMIDADE CONTINUA PARA SISTEMAS DE SOFTWARE BASEADO NA ENGENHARIA DE REQUISITOS

PRISCILA ENGIEL

14 December 2018

[pt] Leis e regulamentos afetam o desenvolvimento de software, já que freqüentemente exigem mudanças nos requisitos de software para proteger indivíduos e empresas em relação à segurança, privacidade, governança, sustentabilidade e muito mais. Requisitos legais podem ditar novos requisitos ou restringir os existentes. O problema da conformidade de software é como garantir que o software esteja em conformidade com as normas impostas pela legislação. O problema é particularmente desafiador porque combina etapas difíceis: 1) analisar documentos legais, 2) extrair requisitos desses documentos, 3) identificar requisitos conflitantes com aqueles já implementados em software e 4) garantir que o software permaneça compatível mesmo com as alterações. A conformidade é um processo contínuo: as leis, o software e o contexto no qual o sistema de software opera mudam continuamente. Os trabalhos que lidam com o problema de conformidade concentram-se apenas em um ou dois assuntos: analisar documentos legais ou extrair requisitos ou identificar conflitos ou mudanças. Esta tese trata de todos os problemas ao mesmo tempo; a ideia é extrair requisitos do texto legal, compará-los com o requisito de software, resolver os possíveis conflitos que possam surgir, lidando continuamente as mudanças no ambiente, leis e requisitos. Para tanto, este trabalho propõe um framework que é composto por um processo de compliance e monitoramento contínuo das mudanças ambientais. O processo de conformidade suporta a identificação, extração, comparação e resolução de conflitos para ajudar na conformidade do software, produzindo um conjunto conforme de requisitos. O processo de conformidade é baseado na anotação semântica e no modelo de meta. A anotação semântica ajuda a extrair requisitos do arquivo, usando padrões. O modelo de meta é usado para ajudar na comparação entre requisitos e representar requisitos em uma especificação de requisitos formal e consistente. O processo é suportado por ferramentas; sendo algumas reutilizadas (Desiree e NomosT) para avançar cada etapa. Foi necessário adaptar as ferramentas para o contexto do processo de conformidade, criando diretrizes, padrões e heurísticas. O monitoramento contínuo está preocupado com as mudanças que afetam a conformidade do software e tem o mecanismo para garantir que, mesmo com essas mudanças, o software recupere a conformidade. O monitoramento da conformidade é baseado em agentes e requisitos não funcionais. Os agentes são representados usando em i, a idéia é mostrar a colaboração entre os agentes para garantir a conformidade contínua. A especificação de requisitos de como cada agente deve se comportar também foi gerada usando a linguagem Desiree e BPMN. O catálogo de Requisitos Não Funcionais é usado para ajudar a definir as operações para o reconhecimento de software. A validação do framework foi feita em duas partes: primeiro, o processo de compliance e após todo o framework proposto. Para o processo de conformidade, o esforço e a exatidão foram medidos comparando o uso do processo proposto e um método ad-hoc. Para todo o framework, foi usado o exemplo de monitoramento das mudanças no ambiente quando um carro automatizado cruza a fronteira entre Washington e o Canadá. A contribuição deste trabalho é a estrutura da Eunomia, que tem uma perspectiva de processo e modelo de metas, com ênfase no monitoramento que ajuda a lidar com o desafio da conformidade. O framework equipa a equipe de engenharia de requisitos com um método sistemático e suportado por ferramentas que pode ser reutilizado para reduzir o esforço de tempo e melhorar a qualidade da especificação de requisitos. / [en] Laws and regulation affect software development, as they frequently demand changes in software requirements to protect individuals and businesses regarding security, privacy, governance, sustainability and more. Legal requirements can dictate new requirements or constrain existing ones. The problem of software compliance is how to ensure that the software complies with the norms that the legislation imposes. The problem is particularly challenging because it combines difficultsteps: 1)analyze legal documents, 2) extract requirements from those documents, 3) identify conflictingrequirements with those already implemented in software and 4) ensure that software remains compliant even with the changes. Compliance is a continuous process: laws, software and the context within which software system operates changes continuously. The works dealing with the compliance problem focus only on one or two subjects: analyze legal documents or extract requirements or identify conflicts or changes. This thesis deals with all the problems at the same time; the idea is to extract requirements from legal text, compare them with the software requirement, resolve the possible conflicts that may arise, continuously leading with the changes on environment, laws and requirements. For this, this work proposes a framework that is composed of a compliance process and continuous monitoring of environmental changes. The framework deals with different types of laws (security, privacy, transparency, health care) that are represented in explicit norms. The compliance process supports the identification, extraction, comparison and conflict resolution to help software compliance, by producing a compliant set of requirements. The compliance process is based on the semantic annotation and goal model. The semantic annotation helps to extract requirements from thelaw, using patterns. The goal model is used to help the comparison between requirement and to represent requirements in a formal and consistent requirement specification. The process is tool supported; some tools were reused (Desiree and NomosT) to further each step. It was necessary to adapt the tools for the context of the compliance process, creating a guideline, patterns, and heuristics. The continuous monitoring is concerned about the changes that affect the software compliance and has presented using in i, the idea is to showthe collaboration between the agents to ensure the continuous compliance. The requirement specification of how each agent should behave was also generated using Business Process Modeling Notation and Desiree language. The Non Functional Requirements catalogue is used to help to define operalizations for the software awareness. The framework validation was made in two parts: first, the compliance process and after all the framework proposed. For the compliance process, the effort and correctness were measured comparing the use of the proposed process andan ad-hoc method. For the entire framework, the example of monitoring the changes in the environment when an automated car is crossing the border between Washington and Canada was used. The study shows that context has a strong influence on the software requirements, and nonconformity problems may incur penalties. The contribution of this work is the Eunomia framework that has a process and goal model perspective with emphasis on monitoring that helps to deal with the compliance challenge. The framework equips the requirements engineering team with a systematic method. Eunomia framework is a tool-supported and systematic process which can be reused to reduce the time effort and to improve the quality of the requirement specification that helps to create a compliant software requirement specification that is compliant over the time.

[pt] PROCESSO DE COMPLIANCE

[en] TOOL-SUPPORTED COMPLIANCE PROCESS

[pt] DESENHO DE SOFTWARE

[en] SOFTWARE SYSTEMS DESIGN

[pt] CONFORMIDADE LEGAL

[en] SOFTWARE SYSTEM COMPLIANCE

[pt] CONFORMIDADE DE SISTEMAS

[en] COMPLIANCE ANALYSIS