BP-MaaS: A Runtime Compliance-Monitoring System for Business Processes Ahmed Barnawi1 , Ahmed Awad2 , Amal Elgammal2 , Radwa Elshawi3 , Abduallah Almalaise1 , and Sherif Sakr4 1 King Abdulaziz University, Saudi Arabia {ambarnawi,aalmalaise}@kau.edu.sa 2 Cairo University, Egypt {a.gaafar,a.elgammal}@fci-cu.edu.eg 3 Princess Nourah Bint Abdulrahman University, Saudi Arabia rmelshawi@pnu.edu.sa 4 King Saud bin Abdulaziz University for Health Sciences, Saudi Arabia University of New South Wales, Australia ssakr@cse.unsw.edu.au Abstract Today’s enterprises demand a high degree of compliance in their business pro- cesses to meet diverse regulations and legislations. Several industrial studies have shown that compliance management is a daunting task, and organizations are still struggling and spending billions of dollars annually to ensure and prove their compliance. In this demonstration, we present, BP-MaaS (Business Process Monitoring-as-a-Service), a runtime business process compliance-monitoring framework which incorporates a wide range of expressive high-level compliance patterns for the abstract specification of runtime constraints. The framework provides the end-users with a friendly interface for modeling their compliance monitoring rules. Compliance monitoring is achieved by means of anti-patterns, a novel evaluation approach that is independent of any underlying technology. The applicability, feasibility and utility of BP-MaaS is validated by applying the approach on two real-life large-scale case studies in the banking domain. 1 Overview Compliance monitoring at process execution time is of crucial importance and it complements the design-time checking with techniques to detect violations that are hard or even infeasible to address at the earlier stages of the process lifecycle. For example, time span constraints between tasks can only be checked at runtime, as time-related information is usually not available during prior phases. In this demonstration, we present, BP-MaaS, a runtime business process compliance-monitoring framework which adopts a rich and wide set of compli- ance patterns for the abstract specification of monitoring requirements, spanning the four structural facets of BPs; i.e. control flow, data, employed resources and Copyright c 2015 for this paper by its authors. Copying permitted for private and academic purposes timing constraints [1], [2]. The monitoring evaluation approach is based on the notion of anti-patterns [1], a novel evaluation technique that operates by contin- uously monitoring process execution events and looking for sequences of events or lack of events that may indicate that a violation has occurred or possible to occur in the future. These violation scenarios are denoted as anti-patterns. The main features/functionalities provided by BP-MaaS are: – a graphical compliance requirements builder that implements the compliance patterns in an intuitive and user-freindly manner, and enables process de- signers to build pattern-based expressions in a drag-and-drop fashion – a mapping scheme that automatically maps graphical pattern-based expres- sions, stored as XML, into the underlying formalisms of the complex event processing backend engine – a novel monitoring evaluation approach based on the notion of anti-patterns – a monitoring dashboard, which provides updated information about viola- tions in process instances, the rule/pattern that has been violated and con- textual information of the sequence of events that yields to the violation to facilitate its prevention/resolution As a proof-of-concept of one possible realization of the anti-patterns moni- toring approach, we have implemented BP-MaaS by using Complex Event Pro- cessing (CEP) technology [3], and applied the approach on two large-scale case studies in the banking domain. The first case study is borrowed from the EU- funded project COMPAS, which has been provided by COMPAS industrial part- ners, and addresses the loan approval business scenario. While the second case study is concerned with anti-money laundering, which has been developed in the Governance, Risk and Compliance Technology Centre (GRCTC) as a part of a large-scale project which is funded by the Irish government. The evaluation study [1, 2] has revealed that our approach is sufficiently expressive to capture a wide range of real-life compliance requirements with full support of 70% of the requirements being considered [1]. 2 Architecture and Implementation Fig. 1 illustrates the architecture of the BP-MaaS framework which consists of the following main components: Compliance Repository. This is a central repository that stores and main- tains business process and compliance-related specifics, where business and compliance concepts are semantically aligned. Compliance Rule Editor. This editor provides a graphical representation of the compliance patterns, where Compliance patterns are defined as high-level abstractions of frequently used compliance requirements, which help non- technical users to abstractly represent desired properties and constraints [2]. COMPAS: http://www.compas-ict.eu PriceWaterHouseCoopers the Netherlands (http://www.pwc.nl/) and Thales Service France (https://www.thalesgroup.com/) GRCTC: http://www.grctc.com/ Fig. 1. BP-MaaS architecture represented as a UML component diagram Fig. 2 illustrates the set of compliance patterns which are supported by the BP-MaaS framework. For a detailed description of the compliance patterns, we refer the reader to [1]. The visual editor component has been implemented as a plugin on top of the Oryx editor. The lower-most layer of Fig. 3 repre- sents a screenshot of the visual rule editor representing the typical segrega- tion of duties compliance constraint [1] which mandates that two activities cannot be performed by the same roles or actors in order to minimize the possibility of fraud. Statement Manager. This module is responsible for automatically compiling the visually modelled compliance rule into a set of statements/queries based on the defined mapping scheme. For BP-MaaS, we are considering Event Processing Language (EPL) queries of the ESPER framework [5]. In this context, streams replace tables as the source of data with events replacing rows as the basic unit of data. Listing 1 shows an example of automatically generated EPL statement for the absence anti-pattern. The absence pattern requires that a specific activity not to be executed within a specific scope of the process execution [1]. Generated EPL queries are sent to the compliance monitoring component. INSERT i nt o R u l e V i o l a t i o n E v e n t ( p r o c e s s I D , Message , RuleID , RuleType ) SELECT s . P r o c e s s I D , ’ Event { A n t e c e d e n t } ( { TaskName } ) o c c u r r e d l e s s than { MinOccurs } w i t h i n { S c o p e S t a r t } ( { s t } ) and { ScopeEnd } ( { s e } ) i n t h e p r o c e s s i n s t a n c e ’ , ’ { RuleID } ’ , ’ { R u l e P a t t e r n } ’ FROM PATTERN [ e v e r y ( s = { S c o p e S t a r t } ( c a s t ( s . Task , s t r i n g )= ’ { s t } ’ ) −>(e = { ScopeEnd } ( c a s t ( e . Task , s t r i n g )= ’ { s e } ’ , P r o c e s s I D=s . P r o c e s s I D ) ) ) ] as s c o p e WHERE { MinOccurs}>( s e l e c t count ( ∗ ) from{ A n t e c e d e n t } . win : k e e p a l l ( ) as T WHERE c a s t (T . Task , s t r i n g )= ’ {TaskName} ’ and (T . TimeStamp between s c o p e . s . TimeStamp and s c o p e . e . TimeStamp ) ) Listing 1 . EPL statement to detect below-min-occurrences absence anti- pattern https://code.google.com/p/oryx-editor/ http://esper.codehaus.org/esper-4.2.0/doc/reference/en/html/epl_ clauses.html Antecendent Event 0..1 Compliance Patterns Consequent Atomic Composite Resource Patterns Patterns Patterns Order Patterns Occurrence PerformedBy Patterns Wit h Absence Time Span Al ert Time Span Absence Segregation isBefore OfDuty Binding Existence OfDuty Sequence Precedence Response Multiplici ty isNex t isOneToOne isOneToOne Fig. 2. The set of compliance patterns supported by the BP-MaaS framework [1] Business Process Editor and Execution Engine. Provides the end users with a user-friendly modelling environment where the users can model their business process using the standard BPMN 2.0 language. We employ the open source BPM platform Activiti as a realization of this component where the user can model and enact business processes. We also did an extension of the Activiti engine to allow emitting process execution events to our com- pliance monitoring engine. Compliance Monitoring Engine. The open source complex event processing platform ESPER is responsible for continuously evaluating the generated statements from the ’Statement Manager‘ over the stream of events, which is received from the BP execution engine. The engine triggers the execu- tion of the compliance actions for any detected violations of the compliance rules. Compliance recovery actions are defined as meta-data for each defined rule. Our choice of Esper is mainly because it provides an environment for developing applications that can process large volumes of incoming mes- sages or events, regardless of whether the incoming messages are historical or real-time in nature. It also supports filtering and analyzing of events in various ways, and responds to conditions of interest. In addition, ESPER shows acceptable performance as it is able to handle about 120, 000 events per second [4,5] making it scalable to handle process execution environments with numerous process instances. Monitoring Dashboard. The dashboard is a user-friendly interface that en- ables the end-user to monitor the stream of events and manipulate (e.g., adding, removing, activating, deactivating) the set of registered compliance rules in addition to being able to receive the notifications about the detected non-compliance instances. Fig. 3 shows screenshots of the developed dash- board, which has been implemented using Microsoft C# .Net technology. http://activiti.org/ Fig. 3. BP-MaaS System Screenshots. 3 Demonstration Scenario In our demo, we are presenting the implementation of the BP-Maas System. In particular, we are showing the scenario where we model a compliance rule using the graphical rule editor (Fig. 3). Then, the modeled rule is registered to the compliance monitoring component. This is followed by showing how the dashboard is updated with information about the newly registered rule. The loan approval BP from the EU COMPAS project is used for monitoring its execution steps. When the execution events start to arrive at the monitoring component and a violation scenario is detected, we show how the dashboard is updated with information about the instance(s) violating a specific rule. Acknowledgment This work was supported by King Abdulaziz City for Science and Technology (KACST) project 11-INF1991-03. References 1. A. Awad, A. Barnawi, A. Algammal, A. Almalaise, R. Elshawi, and S. Sakr. Runtime Detection of Business Process Compliance Violations: An Approach based on Anti Patterns. In SAC, 2015. 2. A. Elgammal, O. Turetken, W.-J. van den Heuvel, and M. Papazoglou. Formalizing and applying compliance patterns for business process compliance. Software and Systems Modeling, 2014. 3. O. Etzion and P. Niblett. Event processing in action. Manning, 2010. 4. A. Mathew. Benchmarking of complex event processing engine- esper, 2014. 5. V. Mijovic and S. Vranes. A survey and Evaluation of CEP Tools. In YUINFO, 2011. Video demonstration of BP-MaaS is available on https://www.youtube.com/watch?v=wRdZKsOi5x4