A Method to Acquire Compliance Monitors from Regulations
Developing software systems in heavily regulated industries requires methods to ensure systems comply with regulations and law. A method to acquire finite state machines (FSM) from stakeholder rights and obligations for compliance monitoring is proposed. Rights and obligations define what people are permitted or required to do; these rights and obligations affect software requirements and design. The FSM allows stakeholders, software developers and compliance officers to trace events through the invocation of rights and obligations as pre- and post-conditions. Compliance is monitored by instrumenting runtime systems to report these events and detect violations. Requirements and software engineers specify the rights and obligations, and apply the method using three supporting tasks: 1) identify under-specifications, 2) balance rights with obligations, and 3) generate finite state machines. Preliminary validation of the method includes FSMs generated from U.S. healthcare regulations and tool support to parse these specifications and generate the FSMs.