=Paper= {{Paper |id=Vol-1458/F04_CRC75_Zasada |storemode=property |title=A Pattern-Based Approach to Transform Natural Text From Laws Into Compliance Controls in the Food Industry |pdfUrl=https://ceur-ws.org/Vol-1458/F04_CRC75_Zasada.pdf |volume=Vol-1458 |dblpUrl=https://dblp.org/rec/conf/lwa/ZasadaF15 }} ==A Pattern-Based Approach to Transform Natural Text From Laws Into Compliance Controls in the Food Industry== https://ceur-ws.org/Vol-1458/F04_CRC75_Zasada.pdf
    A Pattern-based Approach to Transform Natural Text
      from Laws into Compliance Controls in the Food
                         Industry

                            Andrea Zasada, Michael Fellmann

                           Rostock University, Rostock, Germany
                     azasada@web.de, michael.fellmann@uni-rostock.de



       Abstract. In the food industry, regulations help companies specify what needs
       to be done to minimize the risks of processing, trade and consumption of inferior
       food products. Complying with regulations protects companies from expensive and
       negatively perceived product recalls, sanctions and financial penalties. A
       compliant manufacturing process requires a process design that conforms to legal
       requirements and to quality and safety standards. Regulations are generally
       written in natural text, so relevant information has to be retrieved and
       formalized before it can be used for process description. In this contribution,
       we use a sample of laws and an initial set of generic control patterns to explore
       the scope of food regulations and the extent of formalization that can be reached
       by applying control patterns. All in all, we present a pattern-based approach to
       turn natural text from laws into formalized machine-readable constructs that may
       serve as basis for a compliant process design.

       Keywords: Business Process Management, Control Pattern, Business Process
       Compliance, Regulations, Food Industry


1      Motivation and Introduction

The “act of being in alignment with guidelines, regulations and/or legislation” is
defined as compliance [6]. This definition implies that compliance comprises not only
adherence to laws but also to standards, codes of practice and business partner
contracts [9]. Compliance has been driven by reforms of the American banking and
insurance sector since the 1990s, when more and more scandals of money laundering
and insider trading were revealed [10, 14]. The increasing reform pressure finally
culminated in the Sarbanes-Oxley Act (SOX) of 2002, which makes listed companies
responsible for establishing and maintaining an internal control system [11].
    Similar observations can be made for the food industry, where compliance is seen
as a current issue but an old problem that has been the subject of many regulatory
attempts [10, 14]. The most frequent compliance offences in the food industry relate
to violations of disclosure information, tax and import regulations and to the
processing and trade of spoiled food [4]. Business process compliance considers how a
business operation or service should be carried out to comply with a normative system
while executing a process [5]. In this regard, control patterns are important since
they can be understood as high-level domain-specific templates which can be applied
to specify recurring process requirements like regulations [13]. A regulation is a
declarative written statement defined as “a rule or order issued by an executive
authority or regulatory agency of a government and having the force of law” [7].

Copyright © 2015 by the paper’s authors. Copying permitted only for private and
academic purposes. In: R. Bergmann, S. Görg, G. Müller (Eds.): Proceedings of the
LWA 2015 Workshops: KDML, FGWM, IR, and FGDB. Trier, Germany, 7.-9. October 2015,
published at http://ceur-ws.org

   The purpose of this paper is to reduce the complexity of regulations by making
implicit information accessible and machine-readable through the use of control
patterns. The challenge is to identify and convert relevant process information from
natural text into formalized constructs that can be implemented by process execution
languages. The investigation focuses on the degree of formalization (extent) and the
thematic focus (scope) of a real-world domain (food industry), which is used as
empirical basis for specifying control patterns. Accordingly, the resulting research
questions are:
         RQ1: What is the scope of regulations in the food industry?
         RQ2: To what extent can regulations be formalized by control patterns?
    To answer these two research questions, we discuss related work and present a
conceptual model for automating compliance checking in Section 2. In Section 3 we
continue with the textual analysis of German food regulations. The regulations have
been retrieved by querying the database of the Federal Ministry of Justice and
Consumer Protection [2]. The title search for the keyword “food” led to 20 national
regulations, which were analyzed to specify requirement, objective and risk for every
single regulation. Control patterns that are extracted from regulations are classified
with regard to the given process information. Concluding remarks and prospects on
future work are given in Section 5.


2      Principles of Control Patterns

2.1    Related Work and Problem Specification
Considerable work on patterns has been provided by Dwyer, Avrunin and Corbett
(1999), who developed a pattern system for finite-state verification based on a large
sample of over 500 examples of property specifications [1]. Extensive work on
compliance automation has also been conducted by Sadiq and Governatori (2015) [9],
Namiri (2007) [8] as well as Turetken et al. (2012) [13] by exploiting formal
techniques (e.g. MTL/LTL and FCL) in alignment with the de facto standard COSO for
managing internal controls. COSO was established by the Committee of Sponsoring
Organizations of the Treadway Commission (COSO) to comply with significant
regulations like SOX [12]. We decided to build our conceptual model upon the four
control patterns Order, Occurrence, Resource and Time suggested by Turetken et al.
(2012) [13] because of the existence of a framework for the key elements of business
process compliance management (BPCM) and its alignment with an established control
framework like COSO. The key elements of BPCM refer to the operational activities
of compliance management (e.g. risk assessment and response) and corresponding
entities of the compliance repository (e.g. risk).




2.2           Conceptual Model for Capturing Compliance Controls
In order to capture compliance controls in the food industry we adopted the BPCM
framework of Turetken et al. (2012) [13]. The focus of the framework has been shifted
from operational compliance management activities to the formalization of natural
text language through control patterns. Control Patterns form a separate layer in the
continuum of abstraction ranging from Regulations to machine-readable Process
Execution Languages (see Fig. 1). Each layer contains several process elements
represented by different operands (compare Section 3.2). Regulations are the source
of compliance requirements used to define the requirement, objective and risk of a
control. The smallest entity of a Regulation is a rule. In this layer relevant rules
are adopted, control objectives are set and possible risks are assessed. The next
layer is assigned to the scope of Control Patterns. Within this layer the templates
for process controls are defined and classified. In the bottom layer we specified a
number of criteria for selecting a compatible Process Execution Language to pave the
way for automated compliance controls.

[Figure 1 (diagram). Layer diagram: Regulations (adoption of relevant rules) with
Requirement, Objective and Risk; Control Patterns (specification of process
requirements) with Order, Occurrence, Information, Location, Resource, Temperature
and Time; Process Execution Languages (automation of control patterns) with
Expressiveness, Usability and Applicability. Entity diagram: Rule, Objective,
Requirement, Risk, Control, Process, Process Instance, Process Element, Process
Element Instance, Object and Activity, linked by the relations forms, access,
compromises, define, validates, has and execute.]

                                        Fig. 1. Conceptual model for compliance checking¹

   As we conducted a facet classification of compliance checking approaches in
previous work [3], we adopted one of its dimensions to assess the scope of regulations
in the food industry. We chose the dimension Scope because we wanted to analyze the
applicability of its elements in more detail. The dimension Scope is based on the
compliance concerns identified by COMPAS, a study on Compliance-driven Models,
Languages and Architectures for Services, which was conducted by Tilburg University
(2008) [12]. The study introduces two categories of compliance concerns that have
been aligned from business process modeling. The first category comprises the basic
compliance concerns control flow, locative, information, resource and time. The
second category describes more advanced compliance concerns (e.g. monitoring, privacy
and quality aspects).

¹ In alignment to Turetken et al. (2012).


3        Applying Control Patterns to Capture Compliance Controls

3.1      Text Analysis of Regulations in the Food Industry

Regulations for the German food industry were found by searching the database of the
Federal Ministry of Justice and Consumer Protection, which claims to offer nearly the
entire body of federal law [2]. A title search for the German equivalent for “food”
returned 20 hits of national regulations, which were further analyzed to gain
information on the requirement, objective and risk of each regulation. The analysis
of subsequent paragraphs and sections of each regulation led us to a total of 108
single requirements with process characteristics. The requirements are used to
extract important process information for specifying control patterns. While a
requirement can be seen as an early stage of a control pattern, the objective is
necessary to express the importance of each control, and the risk to assess the
negative consequence of non-compliance. Table 1 shows an excerpt of the complete
listing, which addresses the scope of compliance regulations (compare RQ1). The
advantage of the chosen examples is that they cover nearly all facets of the
dimension Scope, which is used in Section 3.2 to demonstrate the transformation from
compliance requirements to control patterns. The retrieved types of regulations range
from the definition of:

• quality controls,
• hygiene and purity requirements,
• requirements regarding the processing of goods,
• preventing the spread of animal diseases,
• requirements regarding transport and storage,
• disclosure agreements to
• tax and export regulations.

| No. | Regulation | Requirement | Objective | Risk |
|-----|------------|-------------|-----------|------|
| 01 | LMÜV § 5, Sec. 1 | (1) Fulfil occasionally imposed obligations to combat animal diseases. (2) Take precaution if infectious animal diseases occur. | Conduct quality controls if infectious animal diseases are reported. | Spread of infectious animal diseases. |
| 02 | LMEV § 9, Sec. 2 | Export goods within 30 days to a third country or store goods within 60 days in an approved or registered national storage unit. | Export goods within a certain time limit or store goods in an approved or registered national storage. | Violation of tax and import regulations. |
| 03 | LME Appendix 4, Chapter I, No. 3 | Depending on the statutory sample size, a sensory testing and a legal assessment have to be conducted after opening the packaging. | Conduct quality control to check goods after opening the packaging. | Processing, trade and consumption of spoiled or contaminated goods. |
| 04 | TLMV § 2 | During deep freezing, goods have to be separated from specified inadmissible substances. | Prevent contact to forbidden substances. | Processing, trade and consumption of spoiled or contaminated goods. |
| 05 | ATP § 5 | Containers classified as thermal maritime by land without transloading the goods does not require an export permit. | Transport goods without permit if containers are classified as thermal maritime by land. | Violation of disclosure agreements. |
| 06 | LMHV § 20 | Transport and store chicken eggs 18 days after laying date at a temperature between 5 °C and 8 °C. | Transport special goods within a certain time limit at a given temperature range. | Processing, trade and consumption of spoiled or contaminated goods. |

                     Table 1. Examples for regulations in the food industry
    After completing the text analysis by following the example of Table 1, we were
able to identify four different risk types that are representative of our sample of
regulations in the food industry, namely the:

• processing, trade and consumption of spoiled or contaminated goods,
• spread of infectious animal diseases,
• violation of disclosure agreements and
• violation of tax and import regulations.

   Subsequent risks are negative consequences like disposal costs, sanctions and
financial penalties or even health hazards. However, these consequences depend on the
risks above, so they have not been considered as single risk types. Given this
explicit information on requirement, objective and risk, the next section is
dedicated to the control pattern layer that serves as intermediary to automate
compliance controls with process execution languages (compare Section 2.2).


3.2    Specification of Control Patterns in the Food Industry
Formalizing legal text requires finding a reasonable abstraction level. This raises
the question to what extent regulations can be formalized by simple constructs like
control patterns (compare RQ2). Table 2 provides an overview of frequent control
patterns in the food industry. Due to space limitations, only those patterns that
have been applied to formalize compliance regulations are listed. The frequency
(FRQ) indicates how often a pattern has been used and to which category it belongs.
The listing contains 21 unique control patterns that can be combined to express even
more complex compliance requirements using operands and Boolean delimiters (see
Table 3). Patterns can be defined using simple verb constructs and prepositions (e.g.
Oi CompliesWith Qi). Operands are either used to specify general process elements
(e.g. object Oi) or specific compliance concerns (e.g. quality control Qi), which were
introduced in Section 2.2. A complete description of operands is given in Table 2.

Operands: Given A, O, l, p, k and t as operands representing process elements:
A = activity, O = object, l = location, p = production facility, k = time,
t = temperature and Q, D and P as operands representing compliance concerns:
Q = quality, D = disclosure and P = security precautions, with i, j = 1, 2, 3, …n,
i ≠ j and constant m.

| Category | Level | Pattern | FRQ | Description |
|----------|-------|---------|-----|-------------|
| Order | Basic | Aj Precedes Ai | 1 | Ai must be preceded by Aj. |
| Order | Basic | Ai LeadsTo Aj | 1 | Ai must be followed by Aj. |
| Res. | Basic | Oi Exclusive Oj | 6 | If Oi is present then Oj must be absent and vice versa. |
| Res. | Basic | Oi Exists | 3 | Oi must exist in the process specification. |
| Location | Basic | ProcessedWith pi | 5 | Used with order and occurrence patterns to denote a given Oi is processed with production facility pi. |
| Location | Basic | StoredIn li | 4 | Used with order and occurrence patterns to denote a given Oi is stored in storage unit li. |
| Location | Basic | MovedFrom li MovedTo lj | 4 | Used with order and occurrence to denote a given Oi is moved from storage unit li to another storage unit lj. |
| Location | Basic | (Oi, …; m) Multi-ProcessedWith pi | 3 | A set of objects (Oi, …) has to be processed with a certain number of m different production facilities pi. |
| Location | Basic | (Oi, …; m) Multi-StoredIn li | 1 | A set of objects (Oi, …) has to be stored in a certain number of m different storage units li. |
| Information | Advanced | Oi CompliesWith Qi | 24 | Object Oi complies with quality standards, hygiene and purity requirements by passing regular quality controls as well as extraordinary quality controls Qi. Subject of these controls are e.g. temperature, weight, date of expiry, ingredients, texture and consistence. |
| Information | Advanced | Oi CompliesWith Di | 10 | Object Oi complies with disclosure requirements Di. Subject of these requirements are the consumer protection, tax and import regulations e.g. by correct and complete product declaration, complying with quality and security standards, transparent production processes and a traceable supply chain. |
| Information | Advanced | Ai CompliesWith Pi | 3 | Activity Ai has to be performed with special security precautions Pi in order to protect users from e.g. infectious animal diseases. |
| Information | Advanced | Ai CompliesWith Qi | 2 | Activity Ai complies with quality standards, hygiene and purity requirements by applying regular quality controls as well as extraordinary quality controls Qi (e.g. to prevent the spread of animal diseases). |
| Time | Basic | Within k | 10 | Used with order pattern to denote a given Ai to happen within k time units. |
| Time | Basic | Before k | 2 | Used with order patterns to denote a given Ai to happen before k time units. |
| Time | Adv. | Ai ExistsMax/Min k | 2 | Ai must hold at most/minimum k time units once it happens. |
| Time | Adv. | Ai ExistsEvery k | 1 | Ai must happen in every k time unit. |
| Temperature | Basic | Within tj and ti | 7 | Used with time patterns to denote a given Oi is tempered within temperature t (with i > j). |
| Temperature | Basic | Below t | 7 | Used with time patterns to denote a given Oi is tempered below temperature t. |
| Temperature | Adv. | ExactlyAt t | 1 | Used with time patterns to denote a given Oi is tempered exactly at temperature t. |
| Temperature | Adv. | Oi ExistsMax/Min t | 1 | Object Oi has to be tempered at most/minimum at temperature t. |

                             Table 2. Specification of frequent control patterns in the food industry²

   To formalize the requirements given in Table 2, we distinguish a number of typical
keywords for each pattern. For example, a control is often aligned to the assurance of
quality standards, so that the word “control” is tied to an Information pattern.
Resource patterns (Res.) are usually described by expressions that indicate how goods
should be handled, which is indicated by phrases like “prevent contact”. Location
patterns are clearly addressed if something is about to be “processed”, “moved” or
“stored”. Depending on the context, keywords like “within” or “below” can also
indicate whether a pattern depends on a Time and/or Temperature pattern. The most
important indicators to classify control patterns with regard to our conceptual model
for automating compliance checking are:

• temporal order (e.g. precedes or leads),
• occurrence (e.g. exists, absent or universal),
• human resource (e.g. to segregate or merge activities),
• location in conjunction with the process status (e.g. processed, moved or stored),
• time limitation (e.g. interval, minimum or maximum) and
• temperature setting (e.g. within, below, above or exactly at).

   Instead of the control flow proposed by COMPAS [12] we used the three patterns
Time, Order and Occurrence recommended by Turetken et al. (2012) [13] and expanded
the focus of the Resource pattern from the segregation of duties to the segregation
of input goods. Besides, we added an Information, Location and Temperature pattern.
The Information pattern indicates which legal source, control objective and risk is
addressed or whether the requirements of a quality control, security precaution or
disclosure agreement are met. This ensures transparency and provides valuable context
information about the impact of different food regulations. The Location pattern
considers how goods should be stored, moved or where they are processed with regard
to time and temperature constraints. The Temperature pattern is necessary to capture
compliance regulations regarding the storage and transport of perishable food. The
final set of control patterns consists of seven categories: Order, Occurrence,
Resource, Location, Information, Time and Temperature. Table 3 concludes with the
formalization of compliance regulations that started with Table 1. It shows simple
patterns as well as more complex patterns to demonstrate the applicability of the most
frequent compliance patterns in the food industry.

² According to Turetken et al. (2012). Newly added control patterns are indicated by
a grey filled table row.




Columns: No. | Control Patterns | Order | Occurrence | Resource | Location | Information | Time | Temperature

| No. | Control Patterns |
|-----|------------------|
| 01 | Oi CompliesWith Qi AND Ai CompliesWith Pi AND Oi ProcessedWith pi |
| 02 | (Oi MovedFrom li MovedTo lj Within k) OR (Oi StoredIn li Within k) |
| 03 | Ai LeadsTo Aj AND Oi CompliesWith Qi |
| 04 | Oi Exclusive Oj |
| 05 | (Oi MovedFrom li MovedTo lj AND Oi Exists) AND Oi CompliesWith Di |
| 06 | (MovedFrom li MovedTo li OR StoredIn li) Within tj and ti |

                   Table 3. Examples for control patterns in the food industry
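
The following added example, which is not code from the paper or its authors, evaluates the Table 3 patterns of rows 02, 04 and 06 against a constructed process log. The event schema, the object and location names, the reference date and the reading of "Within k" as counted from a caller-supplied start time are assumptions; the 30/60-day limits and the 5 °C to 8 °C range are taken from Table 1.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Event:
    # Hypothetical log schema for one step of a process instance (an assumption).
    time: datetime
    activity: str                    # "move", "store", "deep_freeze", ...
    obj: str                         # object Oi
    location: str                    # storage unit or facility reached
    source: Optional[str] = None     # origin location, only for "move"
    temp_c: Optional[float] = None   # measured temperature, if recorded


Trace = List[Event]
Control = Callable[[Trace], bool]


def AND(*controls: Control) -> Control:
    return lambda tr: all(c(tr) for c in controls)


def OR(*controls: Control) -> Control:
    return lambda tr: any(c(tr) for c in controls)


def moved_within(obj, src, dst, start, k) -> Control:
    """Oi MovedFrom li MovedTo lj Within k, with k counted from `start`."""
    return lambda tr: any(
        e.activity == "move" and e.obj == obj and e.source == src
        and e.location == dst and timedelta(0) <= e.time - start <= k
        for e in tr)


def stored_within(obj, loc, start, k) -> Control:
    """Oi StoredIn li Within k, with k counted from `start`."""
    return lambda tr: any(
        e.activity == "store" and e.obj == obj and e.location == loc
        and timedelta(0) <= e.time - start <= k
        for e in tr)


def exclusive(oi, oj, activity) -> Control:
    """Oi Exclusive Oj, scoped here to one activity and checked per location."""
    def check(tr: Trace) -> bool:
        seen = {}
        for e in tr:
            if e.activity == activity and e.obj in (oi, oj):
                seen.setdefault(e.location, set()).add(e.obj)
        return all(len(objs) < 2 for objs in seen.values())
    return check


def temp_violations(tr: Trace, obj, t_low, t_high) -> List[Event]:
    """Events breaking '(MovedFrom .. MovedTo .. OR StoredIn ..) Within tj and ti'.
    A missing reading counts as a violation: an unmeasured step proves nothing."""
    return [e for e in tr
            if e.obj == obj and e.activity in ("move", "store")
            and (e.temp_c is None or not t_low <= e.temp_c <= t_high)]


def tempered_within(obj, t_low, t_high) -> Control:
    return lambda tr: not temp_violations(tr, obj, t_low, t_high)


T0 = datetime(2015, 10, 1)           # constructed reference date


def day(n: int) -> datetime:
    return T0 + timedelta(days=n)


# Constructed sample log; all names and readings are illustrative.
TRACE = [
    Event(day(2), "store", "eggs", "coldroom-1", temp_c=6.5),
    Event(day(3), "move", "eggs", "truck-7", source="coldroom-1", temp_c=9.2),
    Event(day(4), "deep_freeze", "fish", "freezer-A"),
    Event(day(4), "deep_freeze", "solvent", "freezer-B"),
    Event(day(45), "store", "butter", "bonded-store-3", temp_c=4.0),
]

# Table 3 rows bound to the concrete limits of Table 1.
CONTROLS = {
    "02": OR(moved_within("butter", "plant", "third-country", T0, timedelta(days=30)),
             stored_within("butter", "bonded-store-3", T0, timedelta(days=60))),
    "04": exclusive("fish", "solvent", "deep_freeze"),
    "06": tempered_within("eggs", 5.0, 8.0),
}


def evaluate(trace: Trace, controls=CONTROLS) -> dict:
    """Return {control number: satisfied?} for one process instance."""
    return {cid: ctl(trace) for cid, ctl in controls.items()}


if __name__ == "__main__":
    print(evaluate(TRACE))
    for e in temp_violations(TRACE, "eggs", 5.0, 8.0):
        print("control 06 violated by:", e)
```

For the sample log, controls 02 and 04 hold and control 06 fails because of the 9.2 °C reading during the move to truck-7.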


4        Conclusion and Outlook

In this contribution we applied a pattern-based approach for specifying compliance
controls in the food industry. Based on a sample of 20 legal text documents, provided
by the German Federal Ministry of Justice and Consumer Protection law database, we
derived 108 legal statements with process character. These were used to analyze the
content of every regulation concerning requirement, objective and risk. To assess the
scope of food regulations we adopted a business process compliance framework and
expanded it by refining the Scope of control patterns by Resource, Location,
Information and Temperature patterns. By determining the frequency of compliance
patterns, we were able to present a list of relevant control patterns in the food
industry. The use of control patterns has been illustrated by a choice of regulations
which address the previously defined facets of the Scope dimension. This led to a
deeper understanding of the involved process elements and compliance concerns, which
will help to evaluate the benefits and boundaries of current process execution
languages used for compliance checking. Future work will be guided by the research
question of how control patterns can be used to automate compliance controls.
Remaining challenges regarding the syntax of control patterns deal with the accuracy
versus complexity of applied control patterns and a standardized use of patterns and
connectors that enable the implementation of compliance patterns by common process
execution languages. To improve the approach further, we will evaluate the usability
for the average user with basic IT knowledge as well as for the process modeler with
high IT affinity.


References
 1. Dwyer, M. B., Avrunin, G. S., Corbett, J. C.: Patterns in property specifications for
    finite-state verification. In: IEEE International Conference on Software Engineering,
    pp. 411–420. IEEE Press, New York (1999)
 2. Federal Ministry of Justice and Consumer Protection, Juris (Bundesministerium für Justiz
    und Verbraucherschutz – BMJ): http://www.gesetze-im-internet.de
 3. Fellmann, M., Zasada, A.: State-of-the-Art of Business Process Compliance Approaches:
    A Survey, Proceedings of the 22nd European Conference on Information Systems (ECIS),
    Tel Aviv (2014)
 4. Foodwatch: http://www.foodwatch.org/en/what-we-do/campaigns/foodwatch-campaigns
 5. Hashmi, M., Governatori, G., Wynn, M.T.: Normative requirements for business process
    compliance. Service Research and Innovation, pp. 100–116. Springer, Berlin (2014)
 6. Merriam-Webster, An Encyclopædia Britannica Company: Compliance,
    http://www.merriam-webster.com/dictionary/compliance
 7. Merriam-Webster, An Encyclopædia Britannica Company: Regulation,
    http://www.merriam-webster.com/dictionary/regulation
 8. Namiri, K. and Stojanovic, N.: Pattern-based design and validation of business process
    compliance. In: Proceedings of 6th On The Move Conference (OTM), Tari, Z. (ed.), LNCS
    4083, pp. 59–76. Springer, Berlin, (2007)
 9. Sadiq, S. and Governatori, G.: Managing Regulatory Compliance in Business Processes.
    In: Handbook on Business Process Management 2: Strategic Alignment, Governance,
    People and Culture, International Handbooks on Information Systems, vom Brocke, J.,
    Rosemann, M. (eds.), vol. 2, pp. 265–288. Springer, Berlin (2015)
10. Shears, P.: Food Fraud: A Current Issue but an Old Problem. British Food Journal, vol.
    112, no. 2, pp. 198–213 (2010)
11. SOX: Sarbanes-Oxley Act of 30 July 2002, 15 USC 7201 note, Public Law 107-204, 107th
    Congress, 116 Statistics Act, Sec. 404, pp. 745–810 (2002)
12. Tilburg University: State-of-the-Art for Compliance Languages: Compliance-driven
    Models, Languages, and Architectures for Services, Specific Targeted Research Project.
    Information Society Technologies (COMPAS Project no. 215175, D2.1), Netherlands (2008)
13. Turetken, O., Elgammal, A., Van den Heuvel, W.J., Papazoglou, M.P.: Capturing
    compliance requirements: A pattern-based approach. IEEE, vol. 29, no. 3, pp. 28–36.
    IEEE Press, New York (2012)
14. Weber, O., Diaz, M., Schwegler, R.: Corporate social responsibility of the financial sector
    – Strengths, weaknesses and the impact on sustainable development. Sustainable
    Development, vol. 22, no. 5, pp. 321–335 (2014)



