A computational tool that supports formal diagnosis of process design

Pedro Ramosa,*, Jose Luiz Fiadeirob

aDepartment of Informatics, ISCTE, Av. das ForcËas Armadas, EdifõÂcio ISCTE, 1600 Lisbon, PortugalbDepartment of Informatics, Faculty of Sciences, University of Lisbon, Campo Grande, 1700 Lisbon, Portugal

Received 22 December 1997; received in revised form 11 May 1998; accepted 5 June 1998

Abstract

Computational tools that support process design have been used widely in organisation. These tools usually provide methods and notations

(formal or diagrammatic) that are used to describe and simulate the behaviour of processes, and validate them with the users. The validation

procedure supports mainly syntax validation and consistency analysis against organisation constraints (structure, tasks, documents, etc.). No

further analysis is made with regard to the compliance of a process design with respect to organisational requirements. In this paper we

present a software tool which detects designs that do not accomplish prerequisites supplied by the organisation. The software tool is

supported by formal techniques from arti®cial intelligence and computer science. q 1998 Elsevier Science B.V. All rights reserved.

Keywords: Process design; Diagnosis applications; Software support

1. Introduction

Computational tools that support process design have

been used widely in organisations [1±3]. These tools

usually provide methods and notations (formal or diagram-

matic) that are used to describe and simulate the behaviour

of processes, and validate them with the users. The valida-

tion procedure mainly supports syntax validation and

consistency analysis against organisation constraints (struc-

ture, tasks, documents, etc.). No further analysis is made

with regard to the compliance of a process design with

respect to organisational requirements. As Earl and Khan

[4] state, organisations prescribe rules that should be consid-

ered in the design for structured processes.

In this paper we present a software tool (DDD Ð Deontic

Diagnosis of Process Design) that can be used in a formal

way to analyse the compliance of a process design with

respect to organisation rules (principles) that the organisa-

tion assumes a design must comply with. Using DDD, the

user can detect incorrect and incomplete designs, and be

guided to choose between alternative designs. As an appli-

cation domain, we use control rules for accounting proce-

dures compiled by Chen and Lee [5].

DDD is supported by techniques from arti®cial intelli-

gence and computer science, namely the Theory of Diag-

nosis and Deontic Logic. It is not very common to use

formal techniques in organisational domains. However,

formal approaches provide a solid and rich framework to

describe core concepts and relationships between them.

Formal languages are universal and notably rich and ¯ex-

ible. With them, it is possible to analyse relationships

between concepts and ensure the correctness of the conclu-

sions we draw.

The main contribution of DDD is it shows that a software

tool which supports organisational process aided design can

be easily enriched by using formal languages and theories.

In Section 2, a general description of the framework that

underlies DDD is presented. In Section 3, we present an

example of an Order Delivering Process. This example

will be used throughout most of the paper. In Section 4

we introduce the formal techniques that support DDD

(Theory of Diagnosis and LDD, a formal deontic language).

In Section 5 we present the DDD software and show some

features provided by the software, namely how DDD can

guide the user during design.

2. Framework

The main goal of the software tool (DDD) presented in

this paper is to help the designer make better process designs

by using general rules (principles) that the organisation

assumes a design must comply with. DDD supplies different

features like the detection of incorrect (deviations from the

rules) and incomplete designs, and the capacity to help

the designer deal with alternative choices (namely with

Information and Software Technology 40 (1998) 555±565

INFSOF 3940

0950-5849/98/$19.00 q 1998 Elsevier Science B.V. All rights reserved.

PII: S0950-5849(98)00082-2

* Corresponding author. Tel.: 1 351 1 793 5000; fax: 1 351 1 796

4710; e-mail: pedro.ramas@iscte.pt

con¯icting rules). Fig. 1 shows the structural relation-

ships between the following main components of the global

framework.

² Organisational structure Ð the set of structural concepts

that characterise a speci®c organisation, e.g., agents,

tasks, hierarchies. These concepts are independent of

the processes. They describe the ®xed components over

which the processes ``¯ow''.

² Process description Ð the description of the process

design. The description is made with typical primitives

used in organisational processes, e.g., assign, output_-

to_task.

² General organisational knowledge Ð the de®nitions

(e.g., available, informed) and rules (e.g., if a task is

assigned to a collective agent, the task is assigned to

all the members of the collective agent) common to all

organisations.

² Principles Ð the general rules that characterise the ideal

behaviour of an organisation. Each organisation decides

which rules should be used. Usually the rules that guide

the design are general rules (e.g., no employee can be

assigned to a control task if the decision to control is

assigned to an agent up in the hierarchy). We are inter-

ested in forms of diagnosis of process design that report

violations of such principles.

² Diagnosis Ð the diagnosis procedure that detects viola-

tions of the principles.

As described in Fig. 1, the user must design a process and

specify general principles. The user can also describe the

structure of the organisation and design the process (process

description) using a diagrammatic language. The translation

from the diagrammatic language to a textual formal

language is one step of the diagnosis procedure. We chose

to adopt a declarative formal language because we want to

use formal deduction methods in the diagnosis procedure.

The interaction between the software tool and the user is

crucial. The diagnosis procedure can be executed at any

time during the design. As a result of running the diagnosis

procedure the user is informed of the ``mistakes'' he has

done so far and what is left to do. In the present version of

DDD, the user must supply all the information in a declara-

tive language.

3. Example Ð order delivering process

In order to better understand diagnosis in organisational

process design, we present an example of an Order Deliver-

ing Process. This example is adapted from Chen and Lee

[5]. The same authors have also compiled all the general

accounting rules used in it. This example will be used

throughout the paper.

To avoid frauds in organisational accounting procedures

some control rules are often used. Consider the process

design in Fig. 2.

The process is as follows: the Stock Manager receives an

order (from a salesman, for example), ®lls up an Internal

Delivering Order (Fu_IDO) and sends it to the Warehouse

which has to ®ll up an Outgoing Delivering Order

(Fu_ODO); after ®lling the Outgoing Delivering Order

(ODO) the Warehouse sends it to the Client together with

the goods. After receiving the same order, the Accounting

Department ®lls up the Invoice and stores it in the Invoice

File. With this design, a fraud might occur involving, for

example, the Stock Manager and the Warehouse (they can

retrieve more goods from the warehouse than the amount

considered in the invoice).

The following ®ve rules exemplify some concerns of the

organisation about potential frauds (the rules assume that

there are control tasks that control operational tasks):

Rule 1: ``When a control task exists, it must be furnished

with the supporting documents'';

P. Ramos, J.L. Fiadeiro / Information and Software Technology 40 (1998) 555±565556

Fig. 1. Architecture of the framework.

Fig. 2. Example of an order delivering process that allows fraud.

Rule 2: ``If a control task uses a supporting document, the

supporting document should be transferred

directly from the task that produces the

supporting document'';

Rule 3: ``A control task and the operating task it intends

to control should be segregated into two different

agents'';

Rule 4: ``The position assigned to a control task cannot

be lower in the formal power hierarchy than the

position of the operating task to be controlled'';

Rule 5: ``The agent in charge of a control task should be

socially detached from the agent responsible for

the corresponding operational task''.

Consider also the following speci®c rule and the organisa-

tion structure presented in Table 1:

Rule 6: ``Only one employee that works for at least three

years in the organisation can be the Warehouse

Manager''.

In Fig. 3, the same order delivering process is (re)de-

signed in order to ful®l the rules. The process is as follows:

the Stock Manager (John) receives an order, ®lls up an IDO

and sends it to the Stock/Invoice Controller (Phil) assigned

to the task Verify Internal Delivering Order (Ve_IDO); after

receiving the same order the Accounting Department (Ann)

®lls up the Invoice and sends it to the Stock/Invoice Control-

ler; if the values of the two documents are equivalent, the

Stock/Invoice Controller stores the Invoice and sends the

IDO to the Warehouse (David) who has to ®ll up an

Outgoing Delivering Order (Fu_ODO); after ®lling the

Outgoing Delivering Order (ODO) the Warehouse sends it

to the Client together with the goods, and sends a copy of the

ODO to the Stock/Invoice Controller.

The purpose of the task Verify Internal Delivering Order

(Ve_IDO) is to control the task Fill up an Internal Delivery

Order (Fu_IDO), which is done by using the supporting

documents Invoice and IDO. The purpose of the task

Check Delivering Order (Ck_DO) is to control the task

Fu_IDO, which is done by using the supporting documents

copy_ODO and IDO. The role of the Stock/Invoice Control-

ler is to prevent frauds.

As can be easily checked, all the rules are ful®lled. For

example, Rule 4 is ful®lled because Phil is hierarchically

superior to John. Given the previous design (Fig. 3) a diag-

nosis framework should report that there are no violations in

the design.

Scenario 1. Consider now an incomplete attempt to design

an order delivering process where: (1) no one is assigned yet

to Fu_ODO (Warehouse Manager); (2) David is the Stock/

Invoice Controller; (3) instead of sending the invoice to the

Stock/Invoice Controller, Ann stores it in the Invoice File;

and (4) the copy of the ODO is not sent to anyone yet.

Some situations are unambiguous: Rule 4 is ful®lled

because David is hierarchically superior to John; Rule 2 is

violated because the invoice is not transferred directly to the

Stock/Invoice Controller. Other situations require a deeper

analysis:

1. How should a diagnosis report the impossibility to ful®l

simultaneously Rules 3, 5 and 6 in what concerns the

assignment of the task Fu_ODO (notice that given Rule

6 only David and Paul can be assigned, but given Rules 5

and 3 Paul should not be assigned and David should also

not be assigned)? Is the impossibility a consequence of

previous design choices made by the designer, or does it

remain whatever choices are made by the designer?

2. Should a diagnosis report that Rule 5 can also be violated

because the designer has not yet assigned anyone to the

task Fu_ODO (it is possible to assign Paul to the task, but

that will be a violation of the rule because David and Paul

are socially close)? Or should we consider that a diag-

nosis must not report that situation because there is no

violation yet?

3. Should the designer ``prove'' that David and John are not

socially close (in order to ensure that Rule 5 is not

violated)?

P. Ramos, J.L. Fiadeiro / Information and Software Technology 40 (1998) 555±565 557

Table 1

Organisation structure

Agents: John, Ann, Phil, Paul, David

Roles: Stock Manager, Warehouse

Manager, Accounting

Department Manager, Stock/

Invoice Controller

Phil is hierarchically superior to John

David is hierarchically superior to John

David and Paul are socially close

Only David and Paul have worked for more than

three years in the organisation.

Fig. 3. Example of an ideal order delivering process.

In the next section we show how formal approaches to

diagnosis and reasoning can provide a precise way to answer

these questions. In Section 5 we show how DDD supports

those approaches.

4. Formal contributions to the diagnosis of processdesign

It is not common to use formal techniques in organisa-

tional domains. However, formal approaches usually

provide a solid and rich framework to describe the core

concepts and relationships between them. Moreover, when

we want to have a deductive system (i.e., to derive conclu-

sions based on given information, such as the detection of

potential frauds given a process design), it is very important

to be certain about the correctness of the conclusions. Soft-

ware tools are usually the ®nal goal, but they are not expres-

sive enough to provide the kind of analysis described above.

Formal languages (like logic) are universal and notably rich

and ¯exible. With them, it is possible to analyse relation-

ships between concepts and ensure the correctness of the

conclusions we draw. If a software tool implementation is

based on a formal language, like DDD, it is possible to

discuss the approach at a higher level of abstraction, without

having to know the details of the implementation.

4.1. Theory of diagnosis

In the framework proposed by Chen and Lee [5] for the

evaluation of internal accounting control procedures, the

idea of having general rules guiding organisational diagno-

sis is already present. However, this framework is not

supported by a theory of diagnosis. For instance, situations

(1) and (2) described in Section 3 are partially answered by

the theory of diagnosis, and are not answered by Chen and

Lee's framework. In this section we brie¯y introduce the

classical Theory of Diagnosis and show how it can be

extended to be used for the diagnosis of process design.

4.1.1. Model-based reasoning approach to diagnosis

The Model-Based Reasoning (MBR) approach to diagno-

sis has been studied for several years (for a survey of this

topic see [6]). Numerous applications have been built, most

of all for diagnosis of physical devices. The basic paradigm

is the interaction between prediction and observation.

Predictions are expected outputs given the assumption that

all of the components of a system are working properly (i.e.,

are working according to the model of the structure and

behaviour of the system). If a discrepancy between the

output of the system (given a particular input) and the

prediction is found, the diagnosis procedure will search

for malfunctions in the components of the system (the

correction of the model is assumed).

The contribution of Reiter to the theory of diagnosis has

become a standard in the ®eld of diagnosis theory. His

``Consistency-Based Approach'' [7] was the ®rst one to

formalize the MBR approach to diagnosis. The main goal

is to eliminate system inconsistency, identifying the mini-

mal set of abnormal components that is responsible for the

inconsistency. An abnormal component (AB(c)) is a compo-

nent that, given a speci®c input, does not produce the

expected output.

De®nition Ð Reiter Diagnosis. Given a system (SD,

COMP, OBS) where SD is the system description, COMP

is the set of components of the system and OBS are the

observations, a diagnosis is a minimal set D # COMP

such that:

SD < OBS < {AB�c�uc [ D} < { : AB�c�uc[ COMP 2 D} is consistent �1�

In the de®nition, : means not. This de®nition is based on

the Principle of Parsimony, according to which a diagnosis

is a conjecture that some minimal set of components are

faulty (i.e., it is not rational to assume that all components

are damaged if it is possible that only one damaged compo-

nent explains the error).

MBR can also be applied to diagnosis of process design.

The role of symptoms (evidence of malfunctioning) is

crucial in the MBR approach because it guides the diagno-

sis. However, there are situations in which, even if it is not

possible to detect the malfunctioning of a system, a preven-

tive diagnosis is recommended. Process design diagnosis is

one such situation.

In the MBR approach, there is a strong relationship

between the inputs and outputs of a system: the outputs

are the result of component behaviour given the inputs.

Given an expected behaviour of the components, the

outputs can be predicted. In process design diagnosis,

the Organisation Structure is the input of the system.

The System Description corresponds to the Process

Design, together with the General Organisational Knowl-

edge. The components are the parts of the design that are

in the scope of the rules. Rules are used to check for

abnormalities (violations) of the components. Assuming the

ful®lment of the rules, there is nothing to be predicted. This

happens because there is not a real output that can be

observed. Evidence of malfunction appears later when the

process runs in the organisation. However, in order to ensure

that the process design ful®ls the rules, a preventive diagnosis

is needed.

4.1.2. Model-based reasoning approach to diagnosis of

process design

Consider the example presented in Section 3. Given the

organisation structure and the general organisational knowl-

edge, it can be deduced that, in a correct design, the follow-

ing speci®c rules (particular cases of the general rules),

among others, must be followed (task_output_input_task

P. Ramos, J.L. Fiadeiro / Information and Software Technology 40 (1998) 555±565558

(Task1, Output1, Task2) means that the output Output1 of

task Task1 goes to task Task2):

R1: :(assign(Fu_IDO, Phil) and assign(Ver_IDO,

John));

R2: task_output_input_task(Fu_Invoice, Invoice,

Fu_IDO);

R3: task_output_input_task(Fu_ODO, Copy_ODO,

Ck_DO).

Given Scenario 1 (Section 3), namely the assignment of

Ve_IDO to David, the designer must ensure that:

R4: : assign(Fu_ODO, David);

R5: : assign(Fu_ODO, Paul).

It is not compatible to assume that the empty set (D1 �{ }) is a diagnosis. If that is assumed, it means that all rules

are ful®lled, namely R2 (task_output_input_task(Fu_In-

voice, Invoice, Fu_IDO)), which is incompatible with

Scenario 1. However, it can be assumed that D2 � {R2} is

a diagnosis. If we consider that an abnormal behaviour of

one role is its negation (AB(R2) � : R2), a diagnosis D2 �{R2} means that there is no inconsistency between the

design and the following assumptions (R1, R3, R4 and R5

ful®lled, R2 not ful®lled):

: (assign(Fu_IDO,Phil) and assign(Ver_IDO, John)):

: (task_output_input_task(Fu_Invoice, Invoice,

Fu_IDO));

task_output_input_task(Fu_ODO, Copy_ODO, Ck_DO);

: assign (Fu_ODO, David);

: assign(Fu_ODO, Paul).

The design does not say that assign(Fu_ODO, Paul) is

false, but it also does not say either that assign(Fu_ODO,

Paul) is true; so, it is possible to assume that there is no

violation of the rule. Any set that contains the violation of

R1 (assign(Fu_IDO,Phil) and assign(Ver_IDO, John))

cannot be a diagnosis because it is inconsistent with the

fact (represented in the design) that : (assign(Fu_IDO,Phil)

and assign(Ver_IDO,John)).

4.1.2.1. Benevolent and exigent diagnosis

Let us consider that in Scenario 1 the designer assigns the

task Verify Internal Delivering Order to Phil (assign(Ver_-

IDO, Phil)), instead of assigning it to David. As a

consequence of general Rule 4 (Section 3), Paul should

not be assigned to the task Fill up Outgoing Delivering

Order ( : assign(Paul, Fu_ODO)). Since the designer has

not yet assigned anyone to the task Fu_ODO, there is not a

violation yet, but the violation can occur if Paul is assigned

to that task.

In spite of not knowing anything about the ful®lment of

that rule, an MBR approach based on the Parsimony Prin-

ciple ``accepts'' that situation (that is, a diagnosis will not

report that rule). That happens because there is no evidence

of the violation of the rule. The Parsimony Principle follows

the rule ``innocent until proven guilty''.

If it is really important that the task is not assigned to

Paul, a design which does not commit it with respect to that

assignment must be avoided. Indeed, if the rule is not

enforced, it is possible that, during the implementation of

the process in the organisation, the task is assigned to Paul.

To avoid this undesired situation, the diagnosis should alert

to the ``incompleteness'' of the design. When it is important

to ensure that all rules are ful®lled, and not only detect

violation of the rules, the Parsimony Principle is much too

benevolent (it is like the assumption of the ful®lment of

rules in the absence of information). In that case, an approach

based only on minimal diagnosis is not adequate and an

exigent diagnosis (where unful®lled rules are detected, i.e.,

``guilty until proven innocent'') is more suitable.

To deal with the notions of benevolent and exigent diag-

noses, we do not consider the Parsimony Principle to be a

built-in feature of diagnosis, but an extra logical principle

that can be applied or not. We choose to have a more general

and independent diagnosis de®nition (Potential Diagnosis)

over which principles, like the Parsimony Principle, can be

applied.

Underlying the notion of exigent diagnosis we are consid-

ering a different principle (opposite to the Principle of Parsi-

mony): a diagnosis is a conjecture that a maximal set of

rules can be violated. In order to capture the notion of

exigent diagnosis, a computation of maximal sets is

required. In the Fig. 4 we illustrate the kind of useful infor-

mation that can be presented during the design.

Consider the six following speci®c rules and Scenario 1:

R1: assign(Fu_ODO,Paul) or

assign(Fu_ODO,David);

R2: : assign(Fu_ODO, David);

R3: : assign(Fu_ODO, Paul);

R4: task_output_input_task(Fu_Invoice, Invoice,

Fu_IDO);

R5: : (assign(Fu_IDO,Phil) and

assign(Ver_IDO,John));

R6: task_output_input_task(Fu_ODO, Copy_ODO,

Ck_DO).

Each set in the tree represents one consistent set of

violated rules. Vi means violation of rule Ri (for example,

{V2,V4} means that it is consistent to assume the violations

P. Ramos, J.L. Fiadeiro / Information and Software Technology 40 (1998) 555±565 559

Fig. 4. Consistent violation sets.

assign(Fu_ODO, David) and : task_output_input_task

(Fu_Invoice, Invoice, Fu_IDO), and the ful®lment of rules

R1, R3, R5 and R6). All consistent sets of violated rules are

considered in the ®gure. The sets are ordered by set inclu-

sion.

The three minimal sets are the only three diagnoses

according to Eq. (1). In order to capture the so-called

Exigent Diagnosis, maximal sets are required. Indeed the

sets {V2,V3,V4,V6} and {V1,V4,V6} must be understood as

the ``work to be done''; that is, all the rules that are not yet

ful®lled, but ought to be. Given the two exigent diagnoses,

the user knows that it must ful®l rules 4 and 6, and must also

ful®l rules 2 and 3 or, alternatively, rule 1 (notice that it is

not possible to violate simultaneously rules 1, 2 and 3; that

is the reason for having two exigent diagnoses). Notice that

rule 5 (already ful®lled) does not appear in any set, and rule

6 (not violated or ful®lled yet) does not appear in minimal

sets).

Given the entire diagram, the designer has a clear picture

of what should be done and what ``mistakes'' have been

done so far. If we do not consider the possibility to change

previous design decisions, and assuming that the rules does

not change, the designer knows that, whatever is done, any

diagnosis will always be in the original diagram.

All consistent sets of violations (all sets of the tree) are

Potential Diagnoses, minimal sets are Benevolent Diag-

noses and maximal sets are Exigent Diagnoses. Formally,

De®nition Ð Potential Diagnosis. Given a system (ORG,

PD, RL) where ORG is the organisation structure and general

organisation knowledge, PD is the process design and RL are

the rules, D is a potential diagnosis iff D # RL and:

ORG < PD < { : �r�ur [ D} < {rur

[ RL 2 D} is consistent �2�Considering POT, the set of all potential diagnoses:

De®nition Ð Benevolent Diagnosis.

D is a benevolent diagnosis iff D

[ POT and D is minimal in POT �3�De®nition Ð Exigent Diagnosis.

D is an exigent diagnosis iff D

[ POT and D is maximal in POT �4�

4.1.2.2. Implicit and explicit violations and con¯icting rules

In question (i) (Section 3) we said that a diagnosis should

report the impossibility to ful®l simultaneously several

rules. Consider the four following speci®c rules and

Scenario 1:

R1: assign(Fu_ODO, Paul) or assign(Fu_ODO,

David);

R2: : assign(Fu_ODO, David);

R3: : assign(Fu_ODO, Paul);

R4: task_output_input_task(Fu_Invoice,Invoice,

Fu_IDO).

It is impossible to ful®l simultaneously R1, R2 and R3

(R4 is already violated). Indeed, Section 2 gives us three

alternative diagnoses: D1 � {R1,R4}; D2 � {R2,R4}; D3 �{R3,R4}. In every diagnosis R4 is violated, and there is no

diagnosis where R1, R2 and R3 are simultaneously ful®lled

(i.e., D4 � {R4} is not a diagnosis). The set {R1,R2,R3} is

called an Implicit Violation Set. Formally, we have,

De®nition Ð Implicit Violation Set.

IVDi is an Implicit Violation Set iff IVDi is a minimal set

such that

IVDi # RL and ORG < PD < {rur [ IVDi} is inconsistent

�5�Informally, it is not possible to ful®l all the rules related

with the violations in IVDi (at least one violation will occur).

This de®nition corresponds to Reiter's de®nition of Con¯ict

Set.

For a particular process description it is possible to have

several violation sets. We call Vk an Implicit Violation iff

there exists one IVDi such that Vi [ IVDi.

De®nition Ð Explicit Violation.

Vk is an Explicit Violation iff {Vk} is an implicit

violation set�6�

Informally, if Vk is an explicit violation then the rule

related with Vk is always violated unless the designer

changes the design (R4 is explicit violated).

As mentioned in question (i) (Section 3), it is not suf®-

cient to alert the designer that it is impossible to ful®l simul-

taneously R1, R2 and R3 (i.e., deduce that {R1,R2,R3} is an

implicit violation set). It is important to know if that impos-

sibility is a consequence of previous design choices made by

the designer or the impossibility remains whatever the

designer does (i.e., it results from a con¯ict between the

rules).

A con¯ict between rules occurs when, whatever options

the designer takes, it is impossible to ful®l these rules

together (in the example there are not con¯icting rules; in

Fig. 3 all rules are ful®lled).

P. Ramos, J.L. Fiadeiro / Information and Software Technology 40 (1998) 555±565560

Fig. 5. Potential diagnoses after ful®lling rules R1 and R2.

De®nition Ð Con¯icting Rules.

CODi is a Conflicting Rule Set iff CODi is a minimal set

such that CODi # RL and ORG < {rur

[ CODi} is inconsistent

�7�

Notice that all con¯icting rule sets are implicit violation

sets. The only difference between the de®nitions of Eqs. (5)

and (7) is that in Eq. (7) we leave out the process design (the

rules are inconsistent with the organisation, whatever the

design).

In the example related to the potential diagnoses diagram

presented in Fig. 4, we have two implicit violation sets:

{V1,V2,V3} and {V4}, and no con¯ict set. If the designer

chooses to assign Paul to the task Fu_ODO (ful®l rules 1

and 2, violating rule 3), the potential diagnosis diagram will

be as presented in Fig. 5.

In this section we presented how the Theory of Diagnosis

can be extended in order to deal with questions (i) and (ii)

(Eq. (3)). More detailed information is available in [8].

Question (iii) raises a different problem. As will become

clear in the next section, that question is related with the

representation and interpretation of the rules.

4.2. Formal logic

As mentioned at the beginning of Section 4.1, we want to

use formal deduction within the diagnosis procedure.

Formal logic is a rich and ¯exible language, suitable to

represent and analyse relationships between concepts, and

to infer correct conclusions.

It is not our purpose to present a full description of the

logic we developed (LDD, language for deontic diagnosis)

for the diagnosis of process design [9, 10]. However, a brief

description is required in order highlight some characteris-

tics of the software we have built.

Deontic Logic (DL) is based on the concept of obligation.

The notion of obligation can be used to explicitly represent

ideal situations. For example, when we say that a designer

must ensure that assign(Fu_ODO, David) is false, we are

saying that, in order to ensure that an ideal design is made,

the designer is ``obliged'' to make assign(Fu_ODO, David)

false. In DL obligations are represented with the O operator.

The situation above is modelled by the sentence

O(: assign(Fu_ODO, David)). With this operator, ideal

and actual situations can coexist, even when ideal situations

do not occur. For example, it is possible to have simulta-

neously O(: assign(Fu_ODO, David)) and assign(-

Fu_ODO, David). When such a situation occurs we say

that the obligation is violated.

DL has been applied to several domains, for example: an

agent's responsibility within organisations [11], con®denti-

ality in databases [12] and security in computer systems

[13]. Here we show how deontic logic can be easily used

in aided process design.

4.2.1. Conditional obligations

Most of the rules that guide the design of a process are

better represented in a conditioned way (for example, ``If

one person is lower in the formal power hierarchy than

another person [condition] then the ®rst one cannot control

the second one''). We consider that a conditional obligation

has two components: the design action that indicates what

the designer should do, and the context (condition) that

describes the situation in which the design action should

be done. That distinction is crucial in our approach.

Conditional obligations are represented with Von

Wright's dyadic operator O[_/_] [14]. The obligation O[p/

q] should be read as ``if the context q is the case, there is an

obligation to perform the action p''. The sentence

O[: assign(Fu_ODO, Paul)/assign(Ck_DO, David)] is an

example of a conditional obligation.

4.2.2. Structural and design concepts

In our approach to process design in organisations, two

types of concept are considered: Structural and Design

concepts. Structural concepts represent the organisation

structure, i.e., what is ®xed in the organisation and cannot

be changed as a consequence of a process (re)design. For

example: ability, existing tasks, kinds of tasks, employees.

Design concepts are those that can be manipulated by the

person that designs the process. They can be understood as

``design actions''. For example: assign tasks to agents,

redirect outputs.

We assume that it makes no sense to have obligations

according to which a process designer has to act over the

structure of the organisation. It follows from that assump-

tion that, whatever the context might be, any obligation

where the action is represented by a structural concept is

not a valid one. For example, the rule if the task Approve

Budget is assigned to John, John must be the Head of

Department (HD) can only be valid if it is interpreted as a

restriction upon the action of assigning task Approve Budget

to John, and not as an obligation to decide that John is the

Head of Department if the task is assigned to John (being

the Head of Department is a structural concept).

4.2.3. Detachment

In what concerns the detachment of the condition in a

conditional obligation (infer the obligation on the design

action when the condition is true), we follow the approach

of Carmo and Jones [15]. In their approach, the condition

can only be detached if (among other restrictions) it repre-

sents a ®xed situation.

In our approach, ®xed situations correspond to structural

characteristics of an organisation. Indeed, when the condi-

tion of an obligation is a structural concept and the condition

holds, the detachment can be made. For example, consider

the rule: if John is the HD he should be assigned to the task

P. Ramos, J.L. Fiadeiro / Information and Software Technology 40 (1998) 555±565 561

Approve Budget. If John is the HD, whatever the designer

does, John will always be the HD and the designer should

assign him the task Approve Budget. Notice that design

decisions are not ®xed. All that is designed can be undone

until the design has not ended.

4.2.4. Conditioned obligations is an exigent diagnosis

As mentioned in Section 4.1.2.1, an exigent diagnosis

does not only detect violations of obligations, but also

reports obligations that are not yet ful®lled. Given the de®-

nition of exigent diagnosis (Eq. (4)), it is consistent to

assume that a conditional obligation can be violated (i.e.,

be a member of an exigent diagnosis), even if the condition

and the action are unknown (it is not possible to infer if they

are true or false). However, in our view, a diagnosis should

not report all conditional obligations that can be violated.

The next two examples illustrate the kind of conditional

obligations that should be considered in an exigent diagno-

sis. The second example answers the question (iii) we posed

in Section 3.

Consider again the following rule: if the task Approve

Budget is assigned to the HD, the HD can not be assigned

to the task Prepare Budget. If, in the design, the tasks

Approve Budget and Prepare Budget are not assigned to

anyone yet, we do not consider that an exigent diagnosis

should report the unful®lment of that obligation (it would be

an extremely exigent diagnosis). However, if the task

Prepare Budget is assigned to the HD, we believe that,

even if the designer has not made any commitment with

respect to the task Approve Budget, an exigent diagnosis

should report that situation (i.e., from the design it should be

deduced that the condition does not hold).

However, it is not always the case that a decision not to

execute an action (when the truth value of the condition is

unknown) should be reported in an exigent diagnosis.

Consider the following rule: if John is assigned to the task

Prepare Budget and he is socially close to Ann, Ann can not

be assigned to the task Approve Budget. Suppose the

designer assigned Ann to the task Approve Budget and

John to the task Prepare Budget. Consider also that we do

not know if Ann and John are socially close, and that

``socially close'' is a structural concept (it is ``®xed''). If

that situation is reported in an exigent diagnosis it means

that the designer should assume that Ann and John are not

socially close. However, as it was said before, since the

designer should not act in the organisation structure, he

cannot be obliged to enforce anything on the social lives

of Ann and John.

A conditional obligation should only be considered in an

exigent diagnosis if: (1) the condition is true or (2) the action

is not performed and the condition is not ®xed. From now

on, all obligations that can be considered in a diagnosis

(exigent or not) will be called Applicable Obligations.

4.2.5. Con¯icting obligations

In Section 4.1.2.2 we mentioned that the framework

should help the designer to make decisions when there are

implicit violation sets or con¯icting sets. In those situations,

the designer must choose between the ful®lment of one

obligation and the ful®lment of other obligation(s). Casta-

nÄeda's proposal [16] for handling con¯icting obligations

seems to be suitable for our approach. The general idea is

to accept con¯icts and have a supra-normative system that

tells which obligation prevails whenever a con¯ict is

detected. Considering the amount of obligations that can

rule a design, it is preferable to allow the organisation to

express the preferences in terms of sets of obligations. For

this purpose, grouping obligations in different normative

systems seems to be a suitable approach. The organisation

should de®ne criteria for grouping the obligations (for

example, by department). Since con¯icts can occur in real

situations, the language must allow con¯icts between

normative systems.

The obligation Oi[p/q] should be read as ``if the context q

is the case, there is an obligation to perform the action p,

given the normative system i''.

P. Ramos, J.L. Fiadeiro / Information and Software Technology 40 (1998) 555±565562

Fig. 6. Aliases and implicit violation sets.

5. DDD software tool

The software tool is implemented in LPA Win Prolog.

Prolog (Programming in Logic) is a declarative powerful

computational language, appropriate to develop applica-

tions based on logic. We have not yet implemented the

graphic interface for the design of processes. In this version,

the components described in Fig. 1 (process description,

organisation structure, the rules and the general organisa-

tional knowledge) must be supplied through logical propo-

sitions.

Our purpose is to describe the functionality of DDD.

Regarding the implementation of the framework, we choose

the following main options. All the consistency checks are

made with Semantic Tableaux [17]. LDD is not fully imple-

mented. The inference procedure is guided in order to obtain

only the applicable obligation (in logical terms, we do not

have a complete system). Con¯icting obligations are

allowed and detected, but, in DDD, we assume that the

data supplied by the user are consistent (except, as presented

later, if the user updates the design using the DDD menus).

In this section we use again the previous example

P. Ramos, J.L. Fiadeiro / Information and Software Technology 40 (1998) 555±565 563

Fig. 7. Potential diagnoses diagram.

Fig. 8. Potential diagnoses diagram.

(Scenario 1 and Fig. 4). The data are supplied into DDD as

presented in Table 2. To avoid a large number of formulas,

we just present in Table 2 a subset of it. In order to obtain the

subset of Table 1, another set of formulas has been intro-

duced. For example, org(assign(fu_ido), john) limp (neg

assign(fu_ido))) is a consequence of a more general rule

that stands that just one person can be assigned to the task

fu_ido.

The predicate ctrl_task associates one task with the corre-

sponding task that controls it (e.g., ctrl_task(chk_do,-

fu_odo) means that the task chk_do controls the task

fu_odo). The predicate hier_sup(phil,john) means that phil

is hierarchically superior than john. The predicate soc_clo-

se(paul,david) means that paul is socially close to david. We

use the symbols ``and'', ``or'', ``neg'' and ``limp'' for the

usual logical operators: conjunction, disjunction, negation

and material implication. The ®rst argument of the O opera-

tor (an integer) is related with the sets of obligations that are

grouped together (Section 4.2) and used to help the designer

choose between con¯icting rules (we come back to this

subject at the end of this section).

Given that information, DDD computes all the applicable

obligations. For to clarity and because of space limitation on

screen, DDD assigns aliases to the obligations. In Fig. 6 we

can see the applicable obligations (and the corresponding

aliases) generated by DDD. The word true in the context

component of the obligation means an unconditional obli-

gation.

In Fig. 7 we present the potential diagnoses diagram

generated by DDD. The user can expand or reduce the

diagram in order to have better perception of bigger

diagrams. The numbers in the left top of each diagnosis

(box) are also related with con¯icting rules and are

explained at the end of the section. In Fig. 6 we can see

the two implicit violation sets: {V1} and {V2,V3,V4}.

The user can click the mouse in any diagnosis in order to

obtain more detailed information (the corresponding obliga-

tions and information about the state of the obligations:

Violated, Ful®l or Not Ful®l). The same information can

be obtained with the menus, as exempli®ed in Fig. 7. Asso-

ciated with the alias V2, we have the Not Ful®l (neither

ful®lled neither violated) obligation O(assign(fu_odo,paul)

or assign(fu_odo,david)/true). The last entries in the menu,

for each component (context and action design), decompose

the members of the obligation: for each argument of a

conjunction there is a submenu with the arguments of the

disjunction. In the example, there is no context (it is an

unconditional obligation) and no conjunction. The question

mark on the right of each formula indicates that the user has

not committed him/herself yet about the ful®lment or viola-

tion of the formula (equivalent to Not Ful®l). For each argu-

ment of the disjunction (assign(fu_odo,david),

assign(fu_odo,paul)) there is a submenu in which the user

can decide what to do (update the design): Ful®l the formula

(assigning the task to paul), Violate the formula (explicitly

determine that the task is not assigned to paul) or delay the

decision (Not Ful®l). DDD only allows consistent decisions.

For example, the user cannot ful®l V1, V2 and V3.

At any moment the user can redesign the diagram. In Fig.

8 we present the diagram resulting from the assignment of

paul to the task fu_odo. Notice that, given the previous

decision, obligation O(assign(fu_odo,paul) or assign(fu_o-

do,david)/true) becomes ful®lled and does not appear as an

applicable obligation. Notice that one possible way to ful®l

the conditional obligation presented in Fig. 8 (V4) is to

choose Violate in the condition (assign(chk_do,david)).

5.1. Con¯icting rules

In Section 4.1.2.2 it was mentioned that in the presence of

an implicit violation set (IVDi), the designer knows that it is

not possible to ful®l all the obligations related with the

violations in IVDi (at least one violation will occur). In

Section 4.2 we mentioned that the organisation should

group the obligations in sets (normative systems) and

express the preferences in terms of those sets. For example,

in Table 2, the organisation considers that the fourth and

sixth obligations are grouped together in the same normative

system (the ®rst argument of the obligation Ð 2 Ð is the

identi®cation of the normative system).

The general idea is to have a supra-normative system (we

call it normative system 0) that tells which obligation

prevails whenever a con¯ict between normative systems is

detected. The representation of the supra-normative system

0 (NS0) that is proposed is a very simple one: the organisa-

tion uses rules that explicitly tell which normative system

prevails when there is a con¯ict between two normative

systems. The result of these rules will be the NS0. The

obligations of NS0 are not deduced in the LDD language.

NS0 obligations are additional formulas added by a diag-

nosis procedure that uses the NS0 organisational rules.

Those obligations are only relevant in a diagnosis context.

The schema of the rules is the following one (the meaning

is that normative system i prevails upon normative system j,

assuming that i ± j)1:

De®nition Ð NS0 Rule.

�Viol�a=b�i [ IVDk ^ Viol�a 0=b 0�j [ IVDk� ! O0�a=b�

In order to help the designer to choose between ``paths''

in a potential diagnoses diagram, it is suf®cient to order the

potential diagnoses. Potential diagnoses can be ordered with

the following rules: (1) a potential diagnosis is to be referred

upon another one if it has less (or the same amount) viola-

tions of ``normal obligations'' (obligations that are not part

of the normative system 0); (2) if two potential diagnoses

have the same number of violations of ``normal obliga-

tions'', the preferred diagnosis is the one that has less viola-

tions of obligations of the normative system 0. It is possible

P. Ramos, J.L. Fiadeiro / Information and Software Technology 40 (1998) 555±565564

1 In DDD it is only necessary to write the predicate prefer(6,3) to express

that normative system 2 prevails upon normative system 3.

to have other ordering criteria. Nevertheless, we assume that

the number of violations is more important than the number

of ``wrong'' choices when there are con¯icting obligations.

Formally,

De®nition Ð Preference Relation. pdi s pdj (potential

diagnosis i is preferred over potential diagnosis j) iff

(symbol # means a function count):

#{Viol�a=b�k.0 : Viol�a=b�k [ pdi} # #{Viol�a=b�k.0

: Viol�a=b�k [ pdj}

#{Viol�a=b�k�0 : Viol�a=b�k [ pdi} # #{Viol�a=b�k�0

: Viol�a=b�k [ pdj}

�8�

In the example of Fig. 6, DDD only considers the prefer-

ence relation prefer(6,3); i.e., if the designer has to choose,

he must ful®l obligations of NS2 system 2 and accept viola-

tions of NS3 obligations. The numbers in the left top of each

diagnosis (box) represents the preference order: diagnosis

{V1,V4} is preferred upon diagnosis {V1,V2}. As a conse-

quence of that preference relation, in the actual state of the

design (Fig. 6), the designer must consider that the ``work to

be done'' is represented by the set {V1,V3,V4,V5} and not

{V1,V2,V5} (it is the only ``path'' that does not ended in

{V1,V2}).

6. Conclusions

A software tool (DDD) was presented which supports the

formal analysis of compliance between process designs and

organisation rules. DDD is supported by formal techniques

from arti®cial intelligence and computer science, namely by

an extension of the Theory of Diagnosis with the notion of

exigent diagnosis. DDD is also based on a deontic language

LDD and corresponding inference mechanism which allow

us to deal with ideal and actual (not necessary ideal) situa-

tions. The resulting formal approach supports a highly

enriched analysis of a process design. This approach was

illustrated with control rules for accounting procedures.

DDD is still a specialised software tool and requires the

support of an expert user. However, a ¯exible and easy

interaction between the software tool and the user is crucial

to make it usable. In future versions we intend to supply a

diagrammatic language for the design of processes.

Acknowledgements

This work was partially supported by the Esprit WG 8319

(ModelAge), contracts PSCH/OGE/1038/95 and UNIDE/

ISCTE.

References

[1] G. Lyons, Application of information technology in the redesign and

implementation of business processes, in: Proceedings of the IFIP

TC5/WG5.7 Working Conference on Re-engineering the Enterprise,

Galway, Ireland, 1995.

[2] G. Abeysinghe, K. Phalp, Combining process modelling methods,

Information and Software Technology 39 (1997) 107±124.

[3] D. Berkeley, P. Humphreys, F. Quek, Dynamic process modelling for

organisational systems supported by SASOS, in: Proceedings of the

Third International Working Conference on Dynamic Modelling of

Information Systems, Noodrwijkerhout, The Netherlands, June 1992.

[4] M. Earl, B. Khan, How new is business process redesign? European

Management Journal 12 (1) (1994) 20±30.

[5] K.-T. Chen, R. Lee, Schematic evaluation of internal accounting

control systems, Research Monograph No. RM-1992-08-01, Euridis,

Erasmus University Research Institute for Decision and Information

Systems, 1992.

[6] R. Davis, W. Hamscher, Model based reasoning: troubleshooting, in:

H.E. Shrobe (Ed.), Exploring Arti®cial Intelligence: Survey Talks

from the National Conferences on Arti®cial Intelligence, Morgan

Kaufmann, San Mateo, CA, 1988, pp. 297±346.

[7] R. Reiter, A theory of diagnosis from ®rst principles, Arti®cial Intel-

ligence 32 (1987) 57±95.

[8] P. Ramos, J.L. Fiadeiro, Organisational process aided design, in:

Conference on Systemics, Cybernetics and Informatics (SCI), Focus

Symposium on BPR, May 1997.

[9] P. Ramos, J.L. Fiadeiro, A deontic logic for diagnosis of organisa-

tional process design, in: Fourth International Workshop on Deontic

Logic in Computer Science (DEON'98), Bologna, Italy, 1998.

[10] L. Van der Torre, P. Ramos, Y.-H. Tan, J.L. Fiadeiro, The Role of

diagnosis and decision theory in normative reasoning, in: ModelAge,

4th Workshop on Formal Models of Agents, Italy, 1997.

[11] F. Santos, J. Carmo, Indirect action, in¯uence and responsibility, in:

M. Brown, J. Carmo (Eds.), Deontic Logic, Agency and Normative

Systems, Springer, Berlin, 1996, pp. 194±215.

[12] F. Cuppens, R. Demolombe, A deontic logic for reasoning about

con®dentiality, in: M. Brown, J. Carmo (Eds.), Deontic Logic,

Agency and Normative Systems, Springer, London, 1996, pp. 66±80.

[13] A. Jones, M. Sergot, On the characterisation of law and computer

systems: the normative systems perspective, in: J.-J.Ch. Meyer, R.J.

Wieringa (Eds.), Deontic Logic in Computer Science, John Wiley and

Sons, London, 1993, pp. 275±305.

[14] G.H. Von Wright, Deontic logic and the theory of conditions, in:

Deontic Logic: Introductory and Systematic Readings, in: Hilpinen

(Ed.), Reidel Publishing, Holland, 1971, pp. 159±177.

[15] J. Carmo, A. Jones, A new approach to contrary-to-duty obligations,

in: D. Dute (Ed.), Defeasible Deontic Logic, vol. I, Synthese Library,

1996 (in press).

[16] H.-N. CastanÄeda, The paradoxes in deontic logic: the simplest solu-

tion to all of them in one fell swoop, in: New Studies in Deontic

Logic, in: Hilpinen (Ed.), Reidel Publishing, Holland, 1981.

[17] M. Fitting, First-Order Logic and Automated Theorem Proving,

Springer-Verlag, New York, 1990, Ch. 3.

P. Ramos, J.L. Fiadeiro / Information and Software Technology 40 (1998) 555±565 565