Arguing regulatory compliance of software requirements

A software system complies with a regulation if its operation is consistent with the regulation under all circumstances. The importance of regulatory compliance for software systems has been growing, as regulations are increasingly impacting both the functional and non-functional requirements of legacy and new systems. HIPAA and SOX are recent examples of laws with broad impact on software systems, as attested by the billions of dollars spent in the US alone on compliance. In this paper we propose a framework for establishing regulatory compliance for a given set of software requirements. The framework assumes as inputs models of the requirements (expressed in i*) and the regulations (expressed in Nomos). In addition, we adopt and integrate with i* and Nomos a modeling technique for capturing arguments and establishing their acceptability. Given these, the framework proposes a systematic process for revising the requirements, and arguing through a discussion among stakeholders that the revisions make the requirements compliant. A pilot industrial case study involving fragments of the Italian regulation on privacy for Electronic Health Records provides preliminary evidence of the framework's adequacy and indicates directions for further improvements.

[1]  Fuyuki Ishikawa,et al.  Modeling, Analyzing and Weaving Legal Interpretations in Goal-Oriented Requirements Engineering , 2009, 2009 Second International Workshop on Requirements Engineering and Law.

[2]  James Bown,et al.  Argument-Driven Validation of Computer Simulations - A Necessity, Rather than an Option , 2010, 2010 Second International Conference on Advances in System Testing and Validation Lifecycle.

[3]  Giovanni Sartor,et al.  Fundamental legal concepts: A formal and teleological characterisation* , 2006, Artificial Intelligence and Law.

[4]  N. Isaacs,et al.  Fundamental Legal Conceptions as Applied in Judicial Reasoning: And Other Legal Essays , 2010 .

[5]  Daniel Amyot,et al.  Towards a Framework for Tracking Legal Compliance in Healthcare , 2007, CAiSE.

[6]  Annie I. Antón,et al.  Checking Existing Requirements for Compliance with Law Using a Production Rule Model , 2009, 2009 Second International Workshop on Requirements Engineering and Law.

[7]  John Mylopoulos,et al.  Establishing Regulatory Compliance for Software Requirements , 2011, ER.

[8]  Annie I. Antón,et al.  A Method for Identifying Software Requirements Based on Policy Commitments , 2010, 2010 18th IEEE International Requirements Engineering Conference.

[9]  Eric Yu,et al.  Modeling Strategic Relationships for Process Reengineering , 1995, Social Modeling for Requirements Engineering.

[10]  Bashar Nuseibeh,et al.  Arguing security: validating security requirements using structured argumentation , 2005 .

[11]  John Mylopoulos,et al.  Analysis of Multi-Party Agreement in Requirements Validation , 2009, 2009 17th IEEE International Requirements Engineering Conference.

[12]  William N. Robinson Implementing Rule-Based Monitors within a Framework for Continuous Requirements Monitoring , 2005, Proceedings of the 38th Annual Hawaii International Conference on System Sciences.

[13]  Bashar Nuseibeh,et al.  Risk and argument: A risk-based argumentation method for practical security , 2011, 2011 IEEE 19th International Requirements Engineering Conference.

[14]  Eric Dubois,et al.  Using Goal-Oriented Requirements Engineering for Improving the Quality of ISO/IEC 15504 based Compliance Assessment Frameworks , 2008, 2008 16th IEEE International Requirements Engineering Conference.

[15]  Andrew T. Guzman A Compliance-Based Theory of International Law , 2002 .

[16]  Tim Kelly,et al.  The Goal Structuring Notation – A Safety Argument Notation , 2004 .

[17]  Claes Wohlin,et al.  Experimentation in software engineering: an introduction , 2000 .

[18]  Alberto Siena,et al.  Engineering Law-Compliant Requirements: the Nomos Framework , 2010 .

[19]  Smita Ghaisas,et al.  A semantic regulatory framework for nanotechnology application in agri-food domain , 2011, 2011 Fourth International Workshop on Requirements Engineering and Law.

[20]  Tim Kelly,et al.  Extending Argumentation to Goal-Oriented Requirements Engineering , 2007, ER Workshops.