1 In the sense that the same person may react in di erent ways to similar situations, depending on conditions that more often than not are not modeled in the system. them, as it does not support who is in charge to get a clear picture of how tasks are, or are not, being carried on. This aspect becomes aggravated when the STS involves principals who belong to di erent organizations and cross-organizational relationships have to be established and maintained.

It is precisely because of the principals' autonomy that accountability becomes a critical feature for an enterprise. When something deviates from the expected and desired behavior, an accountable enterprise is committed to understand what went wrong and why, and to nd a proper course of repairing action. What one expects from STSs is that such a process be, at least partially, automated. In other words, STSs should provide the ground for a form of computational accountability [ 4 ], where accountability is a property that can be checked at runtime, or even enforced at design time.

There are, indeed, attempts in business software applications to model the distribution of tasks and the related responsibility. For instance, the BPMN language for modeling work ows supplies the lane construct to distribute tasks among di erent actors. The idea is that an actor is responsible for performing the activities that lay in its lane, but a lot is left to intuition. Speci cally, responsibility is not modeled explicitly, it is grasped from the work ow structure and may concern an o ce, not necessarily individuals. Then, being responsible for carrying out some activity does not mean being accountable for it. A more explicit instrument is the RACI matrix [29] by which each activity is associated with at least one responsible actor, exactly one accountable actor, and possibly some consulted and informed actors. The limit is that a RACI matrix is substantially an o -line resource that does not support actively an actor during her activities. It cannot be used as a monitoring tool on-line, but just as piece of data that a forum consults a posteriori to determine who was in charge of what. In [ 14 ] RACI matrices are automatically derived from BPMN speci cations, but they are just used to support the resource assignment to each activity.

This paper reports the results of the two-year piloting phase of the AThOS 2 project. The ambitious, long-term objective of the AThOS project is the design of a framework for computational accountability in the context of crossorganizational business processes. From a methodological point of view, AThOS aims at providing a modeling framework for STSs, where the focus is shifted from a procedural representation of work ows to a declarative representation that is centered around the key notions of interaction and social relationships among actors. From a practical perspective, AThOS aims at providing a new enterprise software engine that monitors on-going interactions (and processes), and supports accountability. To achieve these results, the framework we are developing takes advantage of previous declarative approaches to the modeling of business processes, and integrates them with an explicit, rst-class representation of the notion of \relationship", that relies on social commitments [27]. On the practical side, relying on previous works in literature (among which [ 28,13 ]), we are investigating the adoption of the paradigm of Multi-Agent Oriented Program2 The Accountable Trustworthy Organizations and Systems (AThOS) project, funded by Universita degli Studi di Torino and Compagnia di San Paolo (CSP 2014). ming for the realization of business processes. This would allow a programmer to fully exploit the power of declarative agent programming frameworks (such as JaCaMo [ 10 ]).

The paper begins by explaining the kind of accountability the research focuses on (Section 2). Then, it introduces the notion of accountability by design, studying its feasibility in computational settings (Section 3). It continues by explaining the ADOPT protocol, which is a way to achieve computational accountability in multiagent systems (Section 4), and a rst direction of implementation (Section 5). A discussion ends the paper (Section 6). 2

Accountability is a wide-ranging concept, that can take on many di erent characteristics and meanings, depending on the discipline in which discussion takes place. So, the rst point that it is relevant to underline is that our focus is posed on accountability in organizational settings. We do not care whether the organization is persistent, meaning that it has long-lasting goals that will produce many interactions (like a selling company), or if it is speci cally created to achieve a once-in-a-time goal (like building a house), and will dissolve afterwards. We assume, however, the organization's functioning to be supported by an STS. In such a context, we aim at realizing accountability as computational process; more speci cally, a backward-looking, institutional process that permits one entity to be held to account by another.

The accountability process activates when a state of interest is reached, and an authoritative entity wishes to hold to account those behind said state. Following [ 11 ], the process encompasses three primary phases: 1) an investigative entity (forum) receives all information regarding the agents' actions, e ects, permissions, obligations, etc. that led to the situation under scrutiny, 2) the forum contextualizes actions to understand their adequacy and legitimacy, and nally 3) the forum passes judgment on agents with sanctions or rewards. Our goal consists in automating the entire process for use in a MAS, although we will presently leave out the sanctioning piece of the third phase, which is already studied in the literature on electronic institutions [ 16 ]. To realize our goal, we begin by looking at the reasoning process behind accountability to identify points of adaptation into the software world. Following [ 12 ], we believe that three conditions should all realize for an STS to support an accountability system: agency, causal relevancy, and avoidance opportunity. Such conditions enable accountability attribution. Agency means that the involved individuals are autonomous (indeed, in our setting they are autonomous by assumption), that they have reasoning capacity (idem), and that they can distinguish right and wrong. The third condition is the one that, in our understanding, calls for support by an STS. In order to distinguish right from wrong, individuals must be aware of the binds they have with the others and with the organization, as agent's \ethics" will be expressed through adherence to norms and commitments contextualized within an organization. Causal relevancy expresses the necessity of causation linking a given agent to a situation under scrutiny. The avoidance opportunity condition speci es that an \agent should have had a reasonable opportunity to have done otherwise" [ 12 ]. Once again, awareness of the conditions an individual will be held to account for is crucial, since such knowledge has an impact on the choices of individuals as well as on its liability.

The realization of organizational accountability brings along practical advantages which motivate the purpose of studying accountablity as a system property. Evidence is provided by many studies and documents which promote the adoption of accountability frameworks. Among them, reports by the United Nations [33] and organizations like the OECD [26]. We brie y summarize the main reasons for realizing accountability frameworks and, thus, to study computational accountability. First of all, accountability within an organization is more than reporting information, disclosing reasons, or sanctioning the culprits. It is generally considered as a powerful feedback mechanism aimed at improving performance. An accountability framework, like the one of UNICEF [31] or WHO [32], explicitly establishes desired results, monitors and measures performance, uses the feedback obtained by the accountable parties to decide which changes should be made (which actions should be taken) to achieve the intended result. Such a process enables the evolution of an organization in a way that is functional to the ful llment of its objectives. It is helpful both in those situations where the objectives, to be achieved, need to rely on external actors after the stipulation of a covenant, and in those cases where objectives depend entirely on processes that are internal to the organization itself. Another positive e ect of organizational accountability is that it helps turning implicit expectations into explicit expectations. This is important because expectations that are not communicated create confusion and tensions inside an organization. Parties may be unaware of what they should deliver. Instead, a clear awareness of the expectations (and of the accountabilities) increases reliability, improves performance and trust, and helps to achieve common goals. 3

The research question that raises at this point is whether it is possible to create STSs that show accountability as a design property, that is, such that in every state the accountable parties are clearly identi able. Providing accountability by design requires decision of how to tackle certain situations, long discussed in philosophy as ethical dilemmas. One of these concerns is causal determinism, that in our context we can rephrase as whether or not an agent should be considered accountable for an adverse state if this state is inevitable, whatever action the agent will perform. We adopt the incompatibilist position to moral responsibility and conclude in a software setting that an agent cannot be held accountable in causal determinism but that the discovery of inevitable states lies with the agents. If an agent stipulates provisions for an inevitable adverse state, that same adversity would be represented to some degree in its provisions due to its inevitable nature. The agent would still be held accountable for the state, because it e ectively declares responsibility for a goal through its accepted stipulated conditions. Likewise if an agent o ers to realize a goal in the presence of a certain provisions, it is declaring for all intents and purposes that the goal is possible under certain conditions. Should that agent o er up an incorrect assessment and the goal be e ectively impossible even with stipulations, the agent will nevertheless be held accountable, because the organization \believes" an agent's declaration. We therefore conclude, thanks to the distributed nature of our vision of accountability, that an organization can consider absent both impossibilities and inevitabilities. Another ethical dilemma concerns knowledge of the consequences of one's actions. That is, can one be held accountable for an unforeseeable outcome?

As an example, consider a setting where a house is being built. The companies and the workers who contribute to the construction constitute an organization. In particular, the organization involves two members: one who should prepare a wall, wall-preparer, and another, painter, who should paint the wall white at some agreed price. The wall-preparer ful lls her/his task by spackling the wall but instead of using a standard white spackle some dark colored one (a remainder of a previous work) is used. Due to this unexpected action, painter has not the correct amount of materials and cannot ful ll the painting task at the agreed price. Though not coerced, painter cannot ful ll what expected of him/her, due to the choices of another. Clearly, despite the fact that wall-preparer did what assigned, the kind of spackle that was used hampers the painter 's work. In this case it is di cult to identify an accountable party: the painter might have provided adequate provisions instead of giving them as granted, the wall-preparer might have asked if an unusual choice would have had consequences before doing the work, the organization might have checked that the two members properly coordinated. Their sel shness prevents their understanding the assigned tasks as part of a greater work, and the lack of an explicit account of the relationships between the agents (and their tasks) contributes to the picture but. On the other hand, if expectations are not clear and shared, how could it be otherwise? For instance, wall-preparer does not know the circumstances under which the painter can achieve its goal, should it be held accountable for its decision of using a colored spackle? To foster the good functioning of the organization, then, there is the need of adequate support. 3.1

We now introduce our vision to achieve computational accountability via a proper design of the interactions between software components. The rst step is a paradigm shift: from the process-oriented view to the agent-oriented view. The process-oriented view is substantially activity-centric { that is, procedural. It focuses on the (business) process that is carried on by a software component, but overlooks the interaction between components, at the core of the realization of STSs. Instead, an STS can be conveniently thought of as a Multi-agent System (MAS) where software agents interact with each other on behalf of human principals. An advantage of the agent perspective is that it enables the use of some design (and programming) abstractions.These are, for instance, the environment where the agents operate, the norms governing organizations and institutions, the roles, and their powers, possibly de ned therein, and an explicit representation of interactions, for instance, via social commitments.

The agent abstraction allows us to think of software modules as goal-oriented components. That is, the focus moves from the activities within a process to the goal the process aims at reaching. The design process can therefore be modularized, because the interactions among agents (i.e., components) can be kept separated from the inner process of each agent. In fact, interactions can be speci ed as a consequence of the agents' goals. That is, the agents create and maintain interactions as a means for reaching their goals. The internal process of the agent lies at a di erent design level with respect to interaction. For the accountability purpose, only the interaction level is relevant since it makes explicit the engagements that agents have agreed upon. Monitoring the progress of these engagements is one the main objectives of an accountable system.

Our intuition is that an STS can be seen as an organization in which agents (i.e., the software components of the STS at hand) can join and operate. More precisely, we follow the ontological de nition of organizations given in [ 9 ]. Organizations are characterized by roles, which are rst-class modeling entities. Roles are actually social roles, and are related to their players (i.e., the agents), and their organization by three properties: (1) a role must always be associated with the institution it belongs to and with its player; (2) a role is meaningful only within the institution it belongs to, and hence the de nition of a role is only given within an institution; (3) the actions de ned for a role in an institution have access to the state of the institution and of other roles; these actions are, therefore, the powers a role player is endowed with. In order to obtain an accountable organization, we require that the interactions between the organization and its members follow a given accountability protocol (ADOPT3 [ 3,5 ]) that, 3 Accountability-Driven Organization Programming Technique by realizing the ve principles introduced above, guarantees accountability as a design property of the system as a whole. In essence, the accountability protocol makes the legal relationships between each agent and its organization explicit. Relationships are expressed as a set of (abstract) commitments (i.e., contracts), directed from the agents towards the organization itself, and vice versa. ADOPT consists of two phases: the enactment phase, and the goal-assignment phase. Enactment Phase. In this phase, an agent enrolls in an organization by playing a role. During this phase, the agent is made aware of the powers the organization will grant to it as a player of a speci c role, and the agent will commit towards the organization to use these powers when time will demand it. Let Agi be the agent willing to enroll in organization Org: (1) Agi : commit to be a player for role Ri with powers pwri;1 : : : pwri;n if Org accepts (2) Org : accept Agi as player of role Ri (3) Agi : commit to use the powers pwri;1 : : : pwrin when Org demands to In step (1) agent Agi asks Org to join the organization becoming a player of role Ri, with powers pwri;1 : : : pwri;n. Note that a power calls for a capability of the agent to exercise it. For instance, the wall-preparer is given the power to prepare the walls of the house being built, but to prepare the wall it needs materials, skill, and to take approriate action. Thus, the powers associated with role Ri will pose some capability requirements on the agent side. An agent willing to play role Ri is made aware of the capabilities it has to possess for being a proper actor of that role. The powers will be the means through which the agent will operate within the organization by changing the state of the organization itself. Capabilities, instead, will be sets of behaviors, owned by the agent, that allow it to exercise the powers that go with some role the agent plays. In the enactment phase the agent takes on the responsibility of this (previously implicit) declaration. This allows overcoming the impossibility to inspect the agents' code (which is not disclosed) that characterizes, in particular, cross-organizational settings as well as many STSs: the organization cannot verify whether the agent's implementation is compliant with the capability requirements, but if, during the execution, the agent will be unable to exercise one of its powers, it will be deemed accountable thanks to the commitments established during this phase.

The internal decision process, by which Org decides whether to accept the agent, are outside the scope of ADOPT. Here we are only interested in the nal decision of accepting the agent. Step (2) encodes such a case. Once Org has accepted Agi, this agent is obliged, by the engagement created at step (1), to commit to use Ri powers in case Org will ever need them. This is done with the commitments created at step (3). After these three steps, agent Agi is enrolled within the organization. Notably, these few steps are su cient to satisfy the rst three principles we have identi ed. In fact, the protocol imposes the existence of an organization within which all the relevant events must occur (Principle 1). The protocol allows an agent to be part of an organization only by playing a role within that organization (Principle 2), and nally, the protocol is such that an agent is aware of the powers it will possibly use within the organization as player of a speci c role (Protocol 3).

Goal-assignment Phase. The second phase of ADOPT considers the assignment of goals to some member of the organization. According to Principle 5, an agent should be able to negotiate with the organization the provisions it needs in order to accomplish a given goal. This negotiation is not part of the ADOPT proposal, and any negotiation algorithm can be used. Here, we just assume that after the negotiation, the agent and the organization have agreed upon the goal gi;k the organization wants Agi to perform, and the provision provi;k the agent demands to the organization as a prerequisite. Such an agreement is \sealed" by the agent and the organization in the ADOPT protocol as below outlined. (4) Org : commit to assign goal gi;k with provisions provi;k if Agi accepts (5) Agi : commit to bring about gi;k if Org assigns it and brings about provisions provi;k (6) Org : assign gi;k to Agi (7) Org : bring about provision provi;k (8) Agi : achieve goalgi;k In step (4), Org commits towards agent Agi that, if the agent will accept to accomplish the goal, it will assign the goal to the agent, and will supply Agi the agreed provisions. Thus, also Org takes on commitments towards its members. These commitments, in particular, assure that Org will never ask an agent to bring about a goal, for which either no agreement was reached, or provisions are missing. In case Org contravenes this expectation, it will be held accountable as any other player in the system. In step (5), Agi creates the commitment of bringing about goal gi;k provided that the provisions provi;k have been supplied, and the goal has been assigned to it. In the last three steps, the two parties operate so as to satisfy their commitments. Org will bring about the provisions4, and will assign goal gi;k to Agi. On its side, Agi will try achieve the assigned goal so as to satisfy its commitment towards Org.

ADOPT supports the realization of an accountable system through the mutual commitments that exist between Org and any agent Agi, which are made explicit. This feature realizes Principle 4, for which an agent is accountable only for those goals it has explicitly accepted to achieve. In fact, in our proposal, an organization cannot command one of its members to achieve a goal. Rather, the organization will propose a goal, and the agent will have to decide whether explicitly accepting that goal. Only in this way it becomes possible to assess accountability. It is possible to verify that the ADOPT protocol satis es Principle 4 via model checking. In fact, di erently from the other principles that are directly satis ed by the structure of the organization we propose, the veri cation of this principle demands consideration of the possible evolutions of the protocol. Indeed, one has to guarantee that, in any possible run of the protocol, the organization assigns a goal to an agent only when this goal is accepted. In [ 3 ] we discuss how the ADOPT protocol can be encoded as an interpreted system [ 18 ], and then, by means the MCMAS model checker [ 21 ], the validity of Principle 4 can be veri ed in terms of CTL formulae. 4 Provisions will reasonably be supplied by other agents within the organization.

Conditional antecedent fail

Expired

Active antecedent

Detached consequent

consequent fail Satis ed

Violated

One straightforward way for implementing ADOPT is to rely on the notion of social commitment [ 15,27 ]. A social commitment (sometimes called commitment, for simplicity, in the following) is a sort of contract between two parties: a debtor commits towards a creditor to bring about a consequent condition con should an antecedent condition ant occur. Social commitments, thus, nd a direct mapping with the commitments that arise in the ADOPT protocol. Formally, commitments have the form C(debtor; creditor; ant; con), and their evolution follows the lifecycle reported in Figure 1: a commitment is Violated either when its antecedent is true but its consequent will forever be false, or when it is canceled when Detached. It is Satis ed, when the engagement is accomplished (notice that a commitment does not need to be detached before being satis ed). It is Expired, when it is no longer in e ect and therefore the debtor would not fail to comply even if does not accomplish the consequent. Active has two substates: Conditional as long as the antecedent does not occur, and Detached when the antecedent has occurred. Commitments have a normative value because when the antecedent condition is satis ed, the debtor is obliged to bring about the consequent, lest the violation of the commitment. Di erently from obligations in deontic logic, however, a commitment can only be created by its debtor; thus, its creation is a consequence of an internal process of the debtor, rather than the consequence of a normative system as it happens with obligations.

Commitments can be used to specify the semantics of message-based protocols, or they can be a means for specifying protocols on their own, see for instance the JaCaMo+ agent platform [ 1 ], an extension of JaCaMo [ 10 ], where commitment-based protocols are made available as a speci cation of protocol artifacts. Commitments are, therefore, a viable tool for the realization of accountable systems because, on the one side, the ADOPT protocol is easily mapped into a commitment-based interaction protocol and, on the other side, there are agent platforms that support commitments as a native programming element, providing a technological infrastructure for the implementation of accountable STSs. The adoption of commitments opens also novel development directions, that we will shortly outline in the rest of this section. 5.1

In this paper we have summarized the main results about computational accountability we have collected in the scope of the AThOS project. AThOS was a two-year, local project completed in 2017, whose main objective was to shed some light on the design and development of accountable Sociotechnical Systems (STSs). Current methodologies for the development of STSs, are mainly focused on procedural aspects, with the purpose of gaining in e ciency of execution. Many such systems rely on languages (like BPMN, YAML, or UML Activity Diagrams) and related tools for modeling work ows. The procedural perspective is inadequate for the computational accountability purpose. First of all, it results in a too rigid model where the possible lines of activity are all delineated a priori. Each actor is forced to follow a prede ned course of action, without the possibility to deviate for taking advantage of arising opportunities or for managing unexpected emergencies. More importantly, a procedural perspective, being activity-centric, overlooks the interaction dimension, which is central for the accountability reasoning. An accountability system, in fact, should in principle involve at least two actors: one which is held to account for its actions, and one (often referred to as the forum) which judges the conduct of the previous one. Both actors rely on the relationships they have created, and on the mutual expectations these relationships induce, to sustain their position (i.e., good vs. bad conduct). The AThOS project answers to these de ciencies by modeling STSs based on the typical abstractions provided by the agent-oriented paradigm (e.g., electronic institutions, organizations, norms, etc.). By leveraging on these abstraction, the main contribution of AThOS lies in the de nition of organizational accountability : the STS becomes the organization within which all the relevant interactions among the actors (i.e., the agents) occur, and are explicitly traced. We have introduced ve principles underpinning the accountability at the organizational level, and presented the ADOPT protocol as a means for satisfying these principles at the design of the STS. From a practical point of view, we have envisaged the use of social commitment for representing, and manipulating, the accountability relationships between the organization and its members.

Social commitments pave the way to further extensions that are sketched in the paper. They provide a promising solution for dealing with accountability of data and information management, overcoming some limits of the artifactcentric proposals [ 7,8 ], namely the use of choreographies for the synchronization of the activities of di erent processes. Since choreographies capture interaction only in terms of exchanged messages, it will not be possible, by looking at a choreography, to reason on the relationships between some actors, or to have expectations on their behavior. In AThOS, we have investigated an extension to business artifacts with a normative layer. Such a normative layer makes explicit the mutual expectations that processes (i.e., agents in our agent-oriented perspective) may have on each other while using a given business artifact. A rst advantage of normative business artifacts is that the coordination among agents needs not a further modeling element such a choreography. Indeed, the business artifact itself becomes the medium of coordination, with a signi cant improvements from the software engineering point view, as we have observed. In addition, normative business artifact could be the key for the de nition of accountability of data and information. The idea, is not only to model how the information can evolve over an interaction, but also how operations on data in uence the way in which agents behave.

Another interesting line of research that stems from using social commitments is about acting in an accountable system. In [ 6 ] we have introduced a methodology{Social Continual Planning{integrating practical reasoning patterns relating goals and commitments [30] into a multi-agent planning framework. The technique is a good starting point for developing systems where the accountability property is guaranteed not only between an agent and the organization it belongs to, but also between any two agents that come to interact in the attempt to achieve their own goals. Thus, this is a promising line for reaching the desiderata of establishing accountable relationships across all levels of an organization. 24. Roberto Micalizio and Pietro Torasso. Cooperative monitoring to diagnose multiagent plans. Journal of Arti cial Intelligence Research, 51:1{70, 2014. 25. Anil Nigam and Nathan S. Caswell. Business artifacts: An approach to operational speci cation. IBM Systems Journal, 42(3):428 { 445, 2003. 26. OECD. E ective institutions and the 2030 agenda for sustainable development. http://www.effectiveinstitutions.org/media/Session_1_Background_ note_SDG.pdf. 27. Munindar P. Singh. An ontology for commitments in multiagent systems. Artif.

Intell. Law, 7(1):97{113, 1999. 28. Munindar P. Singh. Norms as a basis for governing sociotechnical systems. ACM

Transactions on Intelligent Systems and Technology, 5(1):21:1{21:23, 2013. 29. Michael L. Smith and James Erwin. Role and responsibility charting (RACI). https://pmicie.starchapter.com/images/downloads/raci_r_web3_1. pdf, 2005. 30. Pankaj R. Telang, Munindar P. Singh, and Neil Yorke-Smith. Relating Goal and Commitment Semantics. In Post-proc. of ProMAS, volume 7217 of LNCS. Springer, 2011. 31. United Nations Children's Fund. Report on the accountability system of UNICEF. https://www.unicef.org/about/execboard/files/ 09\discretionary{-}{}{}15\discretionary{-}{}{}accountability\ discretionary{-}{}{}ODS-English.pdf, 2009. E/ICEF/2009/15. 32. World Health Organization. WHO accountability framework. http://www.who.

int/about/who_reform/managerial/accountability-framework.pdf, 2015. 33. Mounir Zahran. Accountability Frameworks in the United Nations System. https://www.unjiu.org/en/reports-notes/JIU%20Products/JIU_REP_ 2011_5_English.pdf, 2011. UN Report.