The application of interoperability requirement specification and verification to collaborative processes in industry

HAL Id: hal-00804253

https://hal.archives-ouvertes.fr/hal-00804253

Submitted on 25 May 2021

HAL is a multi-disciplinary open access

archive for the deposit and dissemination of

sci-entific research documents, whether they are

pub-lished or not. The documents may come from

teaching and research institutions in France or

abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est

destinée au dépôt et à la diffusion de documents

scientifiques de niveau recherche, publiés ou non,

émanant des établissements d’enseignement et de

recherche français ou étrangers, des laboratoires

publics ou privés.

The application of interoperability requirement

specification and verification to collaborative processes

in industry

Sihem Mallek, Nicolas Daclin, Vincent Chapurlat

To cite this version:

Sihem Mallek, Nicolas Daclin, Vincent Chapurlat. The application of interoperability requirement

specification and verification to collaborative processes in industry. Computers in Industry, Elsevier,

2012, to be appear. �hal-00804253�

The

application

of

interoperability

requirement

specification

and

verification

to

collaborative

processes

in

industry

S.

Mallek,

N.

Daclin

*

,

V.

Chapurlat

LGI2P–LaboratoiredeGe´nieInformatiqueetd’Inge´nieriedeProduction,Sitedel’EcoledesMinesd’Ale`s,ParcScientifiqueG.Besse,30035Nıˆmescedex1,France

1. Introduction

In recent decades, enterprises have developed and applied

variousprinciplesandorganizationalsystemstoimprove

collabo-rationwithexternalpartners(i.e.,inter-enterprisecollaboration),

and collaboration between internal teams (i.e., intra-enterprise

collaboration).Theseapproacheshaveallowedthemtomeetthe

challengescreatedbytheglobalizationofmarkets,andespecially

tobeabletofocusontheirowndomainofexpertisewithnolossof

performance,andtoshareexperiences,processes,andtoolswith

internal or external partners confidently. In this context, it is

importanttodescribeandformalizehowdifferentpartners(e.g.,

anisolatedplayer,team,department,orenterprise)canworkwith

othersandthroughtheirinteractionsachieveacommonobjective.

Thisformalizationisperformedusingtheprinciplesof

collabora-tiveprocesses,whichcanbepublic(‘‘processactivitiesbelongto

differentorganizations’’[2])orprivate(‘‘setofactivitiesorderedin

a set of procedural rules to achieve a specific goal within an

organizationandcarriedoutbyagroupofpersons’’[3])[1].The

ability of partners to interact is one of the key factors to

characterizeand assess,in ordertomeasure theoverall

perfor-mance of a collaborative process. This factor is related to the

conceptofinteroperabilitywhichcanbedefinedasthe‘‘abilityof

enterprisesandentitieswithinthoseenterprisestocommunicate

and interact effectively’’ [4]. Therefore, enterprises involved in

collaborativeprocesseshavetoimprovetheirinteroperability.In

order to accomplish this goal, they must be able to detect,

anticipate,andsolvetheirinteroperabilityproblems.Ourresearch

addressestheissueofdetectionfromananticipativepointofview

– i.e.,before theimplementation ofthe collaborativeprocess –

attempting to detect problems of interoperability that can be

inducedbythecharacteristicsandbehaviorsofpartners.Inthis

perspective, in order to anticipate problems, analysis of the

collaborativeprocessmodelmustfirstbeperformed.Second,the

anticipationofproblemsisperformedaccordingtothesatisfaction

ofinteroperabilityneedsbythecollaborativeprocessmodel.Inthis

way, to demonstrate that a need is satisfied, it must first be

formalizedintoarequirementandvariousverificationtechniques

mustbeappliedtothecollaborativeprocessmodel.Basedonthese

considerations, ourresearchaims,first,todefine,structure, and

formalizeinteroperabilityrequirementsthatpartnersmustsatisfy.

Second,it aims toenhanceand implementa setof verification

Keywords:

Interoperabilityrequirements Verification

Collaborativeprocess ABSTRACT

Interoperabilityisbecomingacrucialissueforindustry,andalackofinteroperabilitycanbeseenasan importantbarriertocollaborativework,inbothpublic(inter-enterprise)andprivate(intra-enterprise) collaborativeprocesses.Indeed,interoperabilityis generallydefinedastheabilityofenterprisesto interactwithinacollaborativeprocess.Priortoanyeffectivecollaboration,itisnecessarytoinform enterprises,whichaimtoworktogether,whetherornottheywouldbeabletointeroperate.Researchon interoperabilityhasshownthebenefitsofmeasuringandevaluatinginteroperability,byusingseveral frameworksandmaturitymodels.However,approachesfordetectingandanticipatinginteroperability problemsdonotseemtoexist.Ourresearchproposestouseformalverificationtechniquestodetect differenttypesofinteroperabilityproblems.Ontheonehand,thismeansbeingabletodefine the particularinteroperabilityneedstobeconsidered.Ontheotherhand,itrequires theseneedstobe formalizedas a set of unambiguousand, as formallystated as possible,requirements. Moreover, interoperabilityrequirementscan have temporalor a-temporalfeatures. Todetectinteroperability problemsinanticipativeway, interoperabilityrequirementsmust becheckedbymeansofatarget process model. Three complementary verification techniques are used to verify interoperability requirementsinacollaborativeprocessmodel.Theverificationtechniqueuseddependsontheaspect andthelevelofabstractionoftherequirementtobeverified.Thispaperfocusesandillustratesthe detectionofinteroperabilityproblemsusingverificationtechniques.

* Correspondingauthor.Tel.:+33466387066.

techniquesthatcanbeusedpriortoimplementinganystepsinthe

collaborativeprocess.

This paper focuses on the specification and verification of

interoperabilityrequirementswithincollaborativeprocesses,and

isorganizedasfollow.Section2reviewsseveralresearchprojects

focusingontheinteroperabilityanalysis.Section3presentsthe

differentstepsoftheproposedapproachtodetectinteroperability

problems. Section 4 explains how interoperability needs are

obtained.Section5proposesthedefinitionsandaclassificationof

interoperabilityrequirements.Section6presentstheanalysisof

interoperabilityrequirements using complementaryverification

techniques.The seventh sectiongives a case study in order to

illustratetheverificationofinteroperabilityrequirements.

2. Interoperabilityanalysis:existingresearchanddiscussion

The development of interoperability has become a crucial

questionforenterprisesthatwanttobecomemorecompetitivein

a globalized environment. As a consequence, a large body of

researchhasbeendevelopedinrecentyearsinordertoanalyze

interoperability (i.e., analysis that formalizes, evaluates, and

measures system interoperability). Concerning formalization,

interoperabilityframeworks(e.g.,IDEAS, INTEROP, AIF...)[5–7]

structure interoperability requirements according to different

aspectssuchasinteroperabilityproblemsthatcanoccurorlevelat

which interoperability takes place. For instance, the INTEROP

frameworkconsiderstwofundamentalaspects:the

‘‘interopera-bilitybarriers’’(conceptual,organizationalandtechnological)and

‘‘interoperability concerns’’ (data, services, processes and

busi-ness).Thegoalistoachieveefficientcollaborationbyovercoming

interoperability barriers relating to interoperability concerns.

Although these frameworks can be used to create a better

classificationandstructuringofthebasicaspectsof

interoperabili-ty,theycannotbeusedtoevaluateinteroperability.Theevaluation

ofinteroperabilityismostlyperformedwithmaturitymodels(LISI,

LCIM,OIM...)[8–10],whichcanbeusedtocharacterizetheability

of systems tointeroperate at a given moment withregards to

differentidentifiedinteroperabilitylevels.Someofthesemodels

giverecommendationstogofromoneinteroperabilityleveltoa

higher interoperability level. However, these maturity models

focusonthequalitativeevaluationofinteroperability,anddonot

offeraquantitativemeasurementofinteroperability.A

methodol-ogyhasbeenproposedtomeasureinteroperabilityofenterprises

inbothintra-andinter-enterprisecontexts[11].Thismethodology

measurescompatibilityandinteroperationperformance(i.e.,the

dynamicaspectofthecollaboration)simultaneously.Tomeasure

compatibility,acompatibilitymatrixisusedtoinformenterprises

astowhetherornot)ofinteroperabilityproblemsareexpectedto

occur.Tomeasureinteroperationperformance,somecriteriasuch

ascost ofinteroperation,time of interoperation,andquality of

interoperationaremeasured.Similarly,theresearchproposedby

[12]isbasedonthedevelopmentofseveralmodesof

interopera-bility aiming to offer operational effectiveness. However, this

researchdoesnotformalizeinteroperabilitysoastomeasureit,

andcannot beusedtodetectandidentifylocalinteroperability

problemsinaformalway.Fig.1providesacomparativeoverview

of the research presented above.1 _{It shows the six main}

characteristics that have inspired our research work, which

include (1) the expression of interoperability needs, (2) the

measurementofinteroperability,(3)theformalizationof

interop-erability, (4) the use of verification techniques, (5) the local

detection of interoperability requirements, and finally (6), the

operationalaspectsofthecollaborativeprocess.

Thesedifferentresearchstudieshaveevaluatedorprovidedan

indicationastowhetherornotthereareinteroperabilityproblems,

but they do not specifically describe these problemsor givea

formalproofoftheirexistence.Inaddition,manygapsexist,such

as (1) a lack of interoperability needs and requirements

formalization, (2) a lack of collaborative processanalysis tools,

(3) a lack of detection principlesfor problems in collaborative

processmodels,whichwouldenablethemtobeanticipated,and

finally(4)alackofconsiderationoftheoperationalaspectsofthe

collaborativeprocess.Thesegapsareultimatelyrelatedtothelevel

offormalization,theproblemstobedetected,and theconcepts

needed to detect these problems. They are also related to

techniquesthatcanprovidetheirrefutableproofoftheexistence

of interoperabilityproblems formally(not only qualitatively or

quantitatively).

3. Detectionofinteroperabilityproblems:ourapproach

Todetectinteroperabilityproblemsincollaborativeprocesses

inananticipativeway,weproposeamodel-basedapproachfor

interoperabilityrequirementschecking.Ourapproachisinspired

by requirements engineering that can beused to describeand

structure interoperability requirements that are related to any

interoperabilityproblemthatmayhinderacollaborativeprocess.

Finally, this approachis based, on theonehand,on the useof

formalization, and on the other hand, on the use of various

verification techniquestoensure thatthe collaborative process

modelcomplies withtheseinteroperabilityrequirements.Thus,

thelocaldetectionofinteroperabilityproblemsisperformed by

theuseof modeling,formalization, and verificationtechniques.

ThisapproachisimplementedfollowingthestepsshowninFig.2.

First,interoperabilityneedsarecollectedandexpressedusinga

languageclosetotheoneusedbythestakeholdersinvolvedinthe

implementation,execution,andcontrolofagivenintra-or

inter-enterprise collaborativeprocess.The objectiveofthis stepis to

developarepositoryofinteroperabilityneedsthatisas

compre-hensiveandgenericaspossible.

Theseneedsarethenclarified,structured,andformulatedas

theso-calledinteroperabilityrequirementsdescribedbelow,then

gathered into a repository of interoperability requirements.

Fig.1.Comparativestudyofthedifferentresearchwork.

1

+++:bestaddresstheissue,++:partlyaddresstheissue,+:relevanttotheissue, :irrelevanttotheissue.

Formulatingandstructuringtherequirementsallowtheuserin

chargeofthecollaborativeprocessmodelanalysistoselectthe

appropriateinteroperabilityrequirementstobechecked,

accord-ingtoanalysisobjectives.Thismayinclude,forexample,interest

inprocessperformanceorinthecompatibilityofthetoolsusedin

thecollaborative process. Once these interoperability

require-mentshavebeen selected,theyare formalized intoproperties

throughtheuseofaformallanguagesothattheycanbechecked

onthemodelwithexistingformalverificationtechniques.From

this perspective, the collaborative process model must first

considertheinteroperabilityrequirements.Thus,the

collabora-tive process is modeled with an enriched version of BPMN

(BusinessProcessModelingNotation)[14]inordertointegrate

the concepts related to interoperability so as to make the

verificationofinteroperabilityrequirementspossible.Then,the

modelmustbetranslatedintoaformalstructuresupportingthe

proposedverificationtechnique,whichrequiresmodel

transfor-mation mechanisms. Finally, the result of the verification

indicateswhetherornotarequirementisreallysatisfiedbythe

collaborativeprocessmodel,whichinturnpointstotheexistence

ofaninteroperabilityproblem.Thus,ifallselectedrequirements

are satisfied by the collaborative process model, it can be

implemented.Ifnot,(1)thecollaborativeprocessmodelcanbe

challenged to provide adequate solutions to the problems

detected,and(2)theusercanselectotherrequirementsbefore

performingotherverifications.Thesestepsareexplainedindetail

inthefollowingsections.

4. Establishinginteroperabilityneeds

Thefirststepaimstocreatealistofinteroperabilityneeds.The

reviewofthestateoftheartpresentedinSection2,whichcovers

thedifferentworkrelated tointeroperability,identified several

interoperability needs. For example, the levels proposed in

maturity models,toachieve full interoperability,express many

interoperability needs. These maturity models cover the three

mainaspectsof interoperability(conceptual, organizationaland

technological),andexpressneedsrelatedtotheseaspectssuchas:

Need 1: ‘‘a communication protocol exists for exchanging data

betweenparticipatingsystems’’(LCIM–level1)[9].

Need 2: ‘‘recognized frameworks are in place to support

interoperabilityandsharedgoalsarerecognizedandrolesand

responsibilitiesareallocatedaspartofon-goingresponsibilities,

however,theorganizationsarestilldistinct’’(OIM–level2)[10].

Need3:‘‘Theconnectionsystemsareidentifiedbytheirabilityto

provideanunderstandingofthedataexchanged.Theemailsinclude

attachmentsandcontributetothesuccessoftrade’’(LISI–level2)

[8].

Need4:‘‘Thegovernanceoftheprocurementprocessexplicitlylinks

thebusinessrequirementstotechnicalarchitecturethroughproject

financing’’(IMM–level4)[15].

Toconsolidatethislistofneedsandtoenrichit,anindustrial

survey wasconducted. The purpose ofthis surveywas togive

partnerstheopportunitytodescribeproblemstheyfaceintermsof

interoperabilityandtoexpressthem.Thisquestionnairefocuses

on several aspects. The first aspect highlights the need for

collaboration withinand between partners, which canbe used

to differentiate between the needs in a private collaborative

process and a public collaborative process. The second aspect

focusesoninteroperabilityproblems(conceptual,organizational

andtechnological).Finally,theperformanceaspectsareconsidered

usingstandardcriteria:cost,time,andquality.Therequirements

listed below are extracted from the answers provided by the

industrialsurvey:

Need 5: ‘‘We need to send and receive exploitable data, and

be sure that they are received by the other partnerduring the

activity.’’

Need6:‘‘Homogenizecommunicationwhatevertheform,thenhave

asemanticunderstoodandsharedbybothpartners.’’

Need7:‘‘Keeptheperformanceasgoodaspossibleintermsofcost,

quality(productandservice)andtimespent,afterthepartnershipis

over,asbeforeitwasstarted.’’

Need8:‘‘Aresourcemustbeavailablewhenitisneeded.’’

Theneedscollectedinthebibliographicanalysisandtheneeds

collectedin thesurveyarebothexpressedinnaturallanguage.

They remain difficult to handle due to their nature and the

complexityoftheirexpression.Therefore,repetition,ambiguity,

imprecisionandincoherencemustberemoved.Toaddressthese

problems mainly related to the expressiveness of natural

language,theseneedsareformulatedandstructuredintheform

of requirements as proposed by requirements engineering

[16,17].

5. Interoperabilityrequirements:classificationandstructuring

A requirement is defined as: ‘‘a statement that specifies a

function,abilityoracharacteristicthataproductorasystemmust

satisfyinagivencontext’’[18].Interoperabilityrequirementsare

formulated thanks to the repository of interoperability needs

described intheprevious section.Theserequirementsmustbe

clearly expressed, identifiable,traceable,verifiable,

unambigu-ous, and not contradict another requirement from the same

repository.Allrequirementsobtainedareplacedinarepositoryof

interoperability requirements. This repository is used as a

reference repository to classify and structure interoperability

requirements.

5.1. Classificationofinteroperabilityrequirements

In general, interoperability is related to the concept of

compatibility.Compatibility meanstoharmonize enterprises in

termsof method,organization, andtools,sothat the

heteroge-neousinformationexchangedcanbeunderstoodandexploitedby

each of them with no extra interfacing efforts. However,

compatibilityisnotsufficienttodescribeinteroperability.Infact,

duringacollaborativeprocess,variousothersourcesofproblemscan

bedistinguished.Forinstance,twoenterprisesusethesamelanguage

tocodetheirdata,butoneofthemisunabletosenditsdata.Inthis

case,‘‘twointeroperablesystemsarecompatible,buttwocompatible

systemsarenotnecessarilyinteroperable’’[19].Thisstatementleadsto

thenotionthatinteroperabilityisrelatedtointeroperationduring

collaboration.Interoperationfocusesonrealinteractionsbetween

enterprises during collaboration (i.e., it concerns the ability of

enterprisestoworkefficientlytogetherthroughouttheinteractive

process and take into account various events that may occur).

Furthermore, interoperability is related to the preservation of

autonomy during collaboration, which means that partners can

worktogether(e.g.,exchangeservices)whilecontinuingtofollow

theirownlogicofoperation[6].Moreover,whencollaborationstops,

enterpriseswishtoreturntotheirpreviousperformancelevelwhile

remainingefficient. Forinstance, onepartnermaynote a lossof

performancewithregardstoitsperformancebeforethe

collabora-tion.Inthiscase,itisquestionofbeingsurethatagivenpartnerwill

beabletorecoverhisorherownperformancelevelaftertheendof

thecollaboration.Thus,interoperabilityisrelatedtoanotherconcept

calledreversibility[6].Reversibilitymeansthatpartnerscanreturnto

theiroriginalstateattheendofcollaborationwithregardstotheir

performance and including positive and/or negative variation

acceptedpriortoanyrealcollaboration.

In consideration of the aforementioned, an interoperability

requirementis definedas: ‘‘astatementthat specifiesafunction,

abilityorcharacteristic,relatedtotheabilityofapartnertoensureits

partnershipintermsofcompatibility,interoperation,autonomy,and

reversibility, that it must satisfy’’. Thus, four categories of

interoperability requirements are defined: compatibility,

inter-operation,autonomy,andreversibility.

A compatibility requirement is defined as ‘‘a statement that

specifies a function, ability, or characteristic, considered to be

invariablethroughoutthecollaborationandrelatedto

interoperabili-tybarriers(conceptual,organizational,andtechnological)foreach

interoperabilityconcern(data,services,processes,andbusiness),and

whichpartnersmustsatisfybeforecollaborationiseffective’’.

Compatibilityrequirementsfocusontheinterfacebetweenthe

partnersinvolved.Alloftheserequirementsmustbecheckedand

areinvariablethroughouttheduration ofthecollaboration.For

instance,threecompatibilityrequirementscanbeformulatedfrom

thefifthneedpresentedinSection4.

CDTTranslation2:‘‘Thereceivingpartnerhasthenecessarymeansto

translatethedataexchanged’’.ThisCRisrelatedtotechnological

aspects of interoperability at thelevel of data. Itreflects the

needs of thereceiving partnerin terms of the translation of

homogeneous or heterogeneous data, and subsequently their

exploitation.

CDOAuthorization:‘‘Thesendingpartnerhastherequiredpermissions

to carry out exchanges with the receiving partner’’. This CR is

relatedtoorganizationalissuesandreflectstheneedsofpartners

toexchangetheirdatasafely.

CSOManager: ‘‘Each service has a clearly defined manager with

authorityovertherestoftheteam’’.ThisCRisexpressedatthe

levelofservicesandisrelatedtotheorganizationalaspect.The

objectiveoftheimplementationofthisrequirementistoavoid,

forexample,lossoftimewhichmaybeharmfultotheprocess

duringitsexecution.

Aninteroperationrequirementis definedas‘‘astatementthat

specifies a function, ability or characteristic, considered to be

variableduringthecollaboration,relatedtotheperformanceofthe

interaction,andwhicheachpartnermustsatisfy’’.

Interoperationrequirementsarerelatedtotheexecutionphase

of the collaborative process. In addition, their veracity can be

consideredtobevariableduringthecollaborationwithregardsto

the interactions themselves. For example, some interoperation

requirementscanbeexpressedfromthefirstandeighthneed.

ISOReceipt:‘‘Thereceiversendsareceipttothesender’’.Formulated

fromneed number 1, this IR is related to theorganizational

aspectatthelevelofservices.

ISOAvailabilityTime:‘‘Resourceisavailablewhenanactivityneedsit’’.

Formulated from need number 8, this IR focuses on the

availabilityof theresource at themomentit is requested by

andforanactivity.

ISOExecutionTime: ‘‘Resource is active throughout the duration of

executionoftheactivity’’.ThisIRisformulatedtoensurethata

resourcecanreallybeexploitedwhileagivenactivityisbeing

executed.Thegoalis toensurethatthis resourcewillnot be

allocatedtoanotheractivityforthedurationofthefirstactivity

thatusesit.

An autonomy requirement is defined as ‘‘a statement that

specifiesafunction,abilityorcharacteristicrelatedtotheabilityof

partnerstoperformtheirowngovernanceandmaintaintheirown

operationalcapacityduringcollaboration,andwhicheachpartner

mustsatisfy’’.

Autonomyrequirementsarerelatedtotheabilityofpartnersto

maintaintheirindependencewhiletheyareinvolvedina

collabora-tiveprocess.Thisischaracterizedbyself-governanceandoperational

autonomy.Self-governanceisnecessaryforthepartnerstokeeptheir

freedomintheirdecisionwithoutconflictanddisagreements thatcan

hinderthecollaboration.Operationalautonomyisnecessarysothe

partnerscanmaintainacertaindegreeoffreedomintheiractionsto

achievetheirowngoals.Bothtypesofautonomymustbepresentat

thebusiness,process,andserviceleveloftheenterpriseandforeach

interoperabilitybarrier(conceptual,technological,and

organization-al). For instance, from need number 4 expressed above, three

autonomyrequirementscanbeformulated.

ABOGovernance: ‘‘Partner involved in a collaborative process is

responsible for selecting its suppliers’’ and ABOGovernanceCost:

‘‘Partner controlcostsrelated to the choice of suppliers’’. These

tworequirementsareexpressedatthebusinesslevelandforthe

organizational barrier.They ensurethat each partnerhasthe

choiceofitssuppliersandassociatedcosts.

APTOperational: ‘‘A process must keep required physical flow of

supply’’.ThisARconcernstheparticularoperationalautonomyin

aprocessandthetechnologicalbarriers.

A reversibility requirement is defined as ‘‘a statement that

specifiesafunction,abilityorcharacteristic,relatedtothecapacity

of a partner to go back to its original state (in terms of

performance)after collaboration,and which each partnermust

satisfy’’.

Reversibilityrequirementsarerelatedtothecapacityofagiven

systemtoreturntoitsinitialstateeveniftheimplementationof

the collaborative process leads to various adaptations and/or

changes(e.g.organization,workingmethod,newtool,etc.).Infact,

2_{Interoperabilityrequirementsareexpressedwiththefollowingconventions:}

Firstletter:classofinteroperability Secondletter:interoperabilityconcern Thirdletter:interoperabilitybarrier Index:nameoftherequirement.

at the endof the collaboration, each partner must beable to

continuetofurtheritsownpurpose,itsmission,andachieveits

objectives. This mainly concerns the impact on the integrity,

stability, and performance of the system. With regard to

integrity,thesystem mustreturntoaknownoperatingmode.

Regarding stability, the system must be able to maintain its

viability.Regardingperformance, thesystem mustrecoverthe

levelofperformancethatcharacterizeditbeforethe

collabora-tionincludingvariations(i.e.,thesystemmayhavetoaccepta

lossof performance thatis knownanddefinedin advance.To

give an example, it is possible to extract three reversibility

requirementsfromneednumber7,whichfocusonperformance

criteria.

RSTPerformanceCost:‘‘Thecostofanactivityafterthecollaboration

corresponds to the cost before the collaboration including

variations’’.Thisrequirementconcernsthecostcriterion.

RSTPerformanceTime:‘‘Theexecution timeof anactivityafterthe

collaboration corresponds to the execution time before the

collaborationincludingvariations’’.Thisrequirementisrelated

tothetimecriterion.

RSTPerformanceQuality:‘‘Thenumberofproductsthatareprovidedby

anactivityaftercollaborationmatches–includingtolerances–the

number of products provided before the collaboration’’. This

requirementconcernstheperformancequalitycriterion.

Finally,aGraphofDecompositionofInteroperability

Require-ments(GRADEI)isproposedinordertofacilitatethedescription,

handling,anddecompositionofaninteroperabilityrequirement.

5.2. TheGRADEImodel:structureandpropagation

TheGRADEImodelisagraphusedtoformallyrepresentthe

requirements repository. It is based on (1) the principle of a

decomposition relationship between requirements, (2) the

previously proposed classification of interoperability

require-ments,and(3)theinteroperabilityframeworkdevelopedwithin

the INTEROP Network of Excellence [6]. It helps the user to

organize, reuse, and select the appropriate interoperability

requirementswithregardstoa givencollaborativeprocessfor

thepurposeofchecking.GRADEIisanorientedgraphaspresented

inFig.3.

Anoderepresentsarequirementatagivenlevelofdetail.Anarc

linkinganodeatonelevelofdetailtoothernodesatalowerlevelof

detail represents the decompositionrelationship. This

relation-ship, which links a target node (i.e., representing an abstract

requirementatlevelk)toitssourcenodes(i.e.,representingmore

preciserequirements at level k+1)is constrained by a logical

function.Thisfunctionexpressestheinfluenceofthesatisfactionof

requirementsrepresentedbythesourcenodesontherequirement

representedbythetargetnode.Thefollowingnotationsareusedto

formalizetheGRADEImodel:

p=numberoflevelsofdetail, p2N:

m=numberofnodesofthegraph,m2N:

n=numberofarcsofthegraph,n2N:



P

:setofmoments(times).

String::=(‘a’...‘z’j‘A’...‘Z’)(‘a’...‘z’j‘A’...‘Z’j‘1’...‘9’j‘_’j‘-’)}

Fact={factjfact2VM[PM[Pr}where:

 VM={variablesextractedfromtheprocessmodel}

 PM={parametersextractedfromtheprocessmodel}

 Pr={predicates extracted from the meta model of enriched

BPMN}

GRADEIisformalizedwithagraphG::=(A,N,N0)where:

A represents the set of arcs linking nodes: A={Aj/j2[0,n];

Aj::=(SourceN, TargetN)with(SourceN, TargetN)2NN,

Sour-ceN6¼TargetNandlevel(SourceN)>level(TargetN)}

Nrepresentsnodesofthegraph:N={Ni/i2[0,m];Ni::=(namei,

descriptioni,relationshipi,facti,leveli,valuei)}where:

 (namei,descriptioni)2stringstring

 relationi::=(T,

u

e,

u

c)with:

T

P



u

e: facti[T!{0,1} is thelogical function that describes the

necessarybutnotsufficient conditioninwhichthenodeNiis

verified. This condition is expressed only in the modeling

variables,parameters,andmodelingpredicatestakenfromthe

collaborativeprocessmodel.



u

c: NNi!{0,1}, i.e. {value(N1),..., value (Nk)}!{0,1} is the

logicalfunctionthatdescribesthenecessarybutnotsufficient

conditionwheretherequirementrepresentedbythenodeNiis

verified. This condition can be used to interpret the results

(values)ofnodessources.NNiisthesetofnodeNisourcesdefined

asfollows:

NNi={Nj/

9

Ak(Nj,Ni),k2[0,n],j2[0,m]withi6¼j}

 facti2Fact.

 leveli2[0;p[indicatesthelevelofdetailoftherequirement.By

definition,therootelementhaslevel=0,i.e.interoperabilityin

thiscontextandlevel(Ni)returnstheleveliofnodeNi.

 valuei2{0,1}showstheverificationresult,inabsentia0(false)

andwherevaluei=

u

e^

u

c.



9

!N0=(name0,description0,relation0,fact0,level0=0,value0)2N

istherootnodeofthegraphGrepresentingthemostabstract

interoperabilityrequirement.

Itisworthnotingthatarequirementcanbecharacterizedbya

temporalaspect.Itcanbea-temporal,thatistosayindependentof

time.Inthiscase,itisverifiableatalltimes(thesetTisempty).It

canbetemporal,inotherwords,verifiableonlyatcertainstagesin

thecollaborationlifecycle.Thetemporalaspectofarequirementis

an important elementfor choosing theappropriate verification

technique.Furthermore,thechoiceofthelogicalfunction(

u

c)used

tolinkanabstractrequirementtomorepreciserequirementsisleft

totheuser’sdiscretion.Thus,therequirementsofeachlevelcanbe

analyzedseparately.Inthiscase,someoftherequirementsthatare

notsatisfied,canbeconsideredtobenegligibleorasrepresenting

anacceptableriskfortheuser.Theinteroperabilityrequirements

referencerepositoryobtainedisillustratedinFig.4.

As an example, for the GRADEI model presented Fig. 5,

propagation of interoperability requirements analysis is

performedusingthesefewequations:

Interoperability¼Compatibility^Interoperation

^Reversibility^Autonomy (1)

Compatibility¼BusinessC^ProcessC^ServicesC^DataC (2)

ServicesC¼ConceptualCS^TechnologicalCS^OrganizationalCS

(3)

ConceptualCS¼SyntaxCDS_SemanticCDS (4)

Inotherwords,byhypothesis,theoverallinteroperabilityofan

enterpriserequireseachcompatibility,interoperation,autonomy,

and reversibility requirement to be respected as expressed in

Eq.(1).Inthesameway,compatibilityisrespectedifandonlyif

eachrequirementrelatedtotheinteroperabilityconcerns

(busi-ness, process, services, and data) are themselves respected as

expressedinEq.(2).Then,interoperabilityconcernsarerespected

ifandonlyifinteroperabilitybarriersarerespectedasexpressedin

Eq.(3)attheserviceslevel.Finally,conceptualrequirementsare

respectedifthesyntaxorthesemanticrequirementisrespectedas

expressedinEq.(4).However,ifinteroperabilityisrequiredfor

onlyoneconcern(e.g.,processinteroperability),theusercanselect

andcheckonlyequationsrelatedtothisconcern.

6. Verificationofinteroperabilityrequirements

The objective of verificationis todemonstrate that a set of

selected interoperability requirements is satisfied. Indeed, the

GRADEI model presented above allowsusers to select relevant

requirementstobechecked.In ordertobeabletoperformthis

verificationbeforetheruntimeofthecollaborative process,this

one is done on a model of the collaborative process. Several

verification techniques exist in the literature such as informal

verificationtechniques(test,simulation,andexpertise)[20],and

formal verification techniques (model checking and theorem

proving)[21–23].

Thesimulationisdoneonatheoreticalmodelwhosebehavioris

consideredtobesimilartothebehaviorofthesystemconcerned.It

is done before the implementation of the system. However,

simulation is unable to assume all of the system’s behavioral

scenarios. It requires human expertise to analyze results and

formulatethedemonstration. Nevertheless,simulation isnowa

well-knowntechnique,whichisincreasinglydevelopedandused

inenterprises.Thetestisperformeddirectlyonanexistingsystem.

Itcancheck,forexample,capacityandrelevancetodetecterrors

beforesystemimplementation.Informalmethodsdo not

neces-sarilyrequiretheuseofamodel,butcanbeuseddirectlyonthe

realsystemtomaketheverification.Thesetechniquescanbeused

when a model of the system to analyze is not given or the

descriptionoftherequirementtoformalizeiscomplex.However,

thesemethodsrequirehumanskillsandcanbe,obviously,subject

tohumanerror.

Ontheotherhand,formalverificationtechniquescanbeusedto

exploreaformalmodelexhaustively(i.e.,amodelobtainedwitha

modelinglanguageusinga formalsemantics).In this case,it is

possibletoprovideaformalproofofwhetherornotarequirement

isrespectedindependentlyofanyhumaninterpretation.Formal

verification techniques can be used to analyze the behavioral

aspectofthecollaboration,whichoffersadynamicvisionofthe

system.However, thesemethods canbe difficulttoimplement

(e.g.,needforgreaterformalization)andaredifficulttoapplyin

somefields such as enterprise modeling (difficultto formalize

models).

Othertoolsdoexist,suchasconceptualgraphs,andcanbeused

as verification techniques [24]. For instance, verification using

conceptualgraphsisbasedonmathematicalmechanisms,suchas

projection, to ensure the veracity or simply the presence of

knowledgeinagivengraph.However,conceptualgraphsdonot

representthebehaviorofasystem,sotheyofferastaticviewofit.

Given theadvantages and disadvantages of each methodof

verification, we have proposed to use two formal verification

techniquesinacomplementarymanner,andtoalsomakeuseof

technicalexpertiseassummarizedinFig.6.

Thefirstverificationtechniqueisbasedonconceptualgraphs

[25]toverifya-temporalrequirements.The advantageofusing

conceptualgraphsis(1)todescribethecollaborativeprocessand

interoperabilityrequirementswiththesamelanguage,(2)tohave

a convenient graphical form to handle, and (3) to have a

mathematicalfoundationandmechanism(projection,rules,and

constraints).

Thesecondtechniqueisbasedonmodelchecking[23]forthe

temporalrequirements.Theadvantageofusingamodelcheckeris

(1) toincludetemporalaspectsofthecollaboration(i.e.,behavioral

modelof collaborativeprocess),(2) toconsiderallstates inthe

collaborativeprocessthroughoutthecollaboration,and(3)togive

formalproofoftheproblemsthatexist.

The finaltechnique is based on expertise.This technique is

deployedwheninteroperabilityrequirementshighlightparticular

pointsofviewoftheprocess,andcannotbedescribedduetoa

limitationimposedbythemodelinglanguage.Thisaspectisnot

consideredinthiswork.

ApplyingthesetechniquesrequiresustoassumethattheBPMN

modelinglanguageusedtobuildtheprocessmodelcanbeusedto

describeinteroperabilityrequirements.BPMNprovides

standard-izednotationthat isreadilyunderstandable byallstakeholders

involved in the design, development, and monitoring of a

collaborative process. However, it is necessary to enrich this

modeling languageto embed theinteroperability requirements

model. Theproposed conceptualenrichments described in[26]

includeinteroperabilityconceptssuchasthenatureoftheflow

exchanged (information,energy,material, orperson), the

avail-abilityofresourcesandtheiraptitudes.Furthermore,operational

enrichmentsaremadetostudythebehaviorofallrelevantBPMN

elements.

Theuseoftheseverificationtechniquesrequiresthe

collabora-tiveprocessmodeledwithenrichedBPMNtobetranslated–using

modeltransformationrules–intoanequivalentmodeluponwhich

the formal verification techniques can be appliedas shown in

Fig.7.Indeed,theproposedenrichedversionofBPMNsuffersfrom

a lack of formalization, and verification techniques cannot be

applied directly with regards to interoperability. The first

equivalent model was obtained using conceptual graphs. It

enabled ustoproducea-temporalrequirements proof,which is

presentedin[26].Inthiscase,verificationwasperformedwiththe

COGITANTtool[27].Thesecondequivalentmodelwasobtained

By using knowledge extracted from model: contextualised and provable By using knowledge coming

from the experts: cannot be ‘formally’ proven Interoperability requirements Model checker are verified by Conceptual Graphs temporal a-temporal Technical expertise

Fig.6.Proposedverificationtechniques.

usingabehavioralmodelinglanguagenamedNetworksofTimed

Automata for temporal requirements proof. In this case, the

UPPAALmodelcheckerisusedforvariousreasons:therichnessof

TCTLtemporallogic,itisanopensource,userfriendly,andstand

alonetool[23].Inbothcasesoftargetmodels,therequiredrules

for model transformation were developed with ATL (Atlas

TransformationLanguage)[28]inordertore-writethe

collabora-tiveprocessmodelintoConceptualGraphsandNetworksofTimed

Automata.InthecaseoftheConceptualGraphs,theobjectiveis

thereforetoassumethecoherenceoftheprocessmodel,thatisto

say to prove that each BPMN modeling entity used, and then

instantiatedintheprocessmodel,iswellandcompletelydefined.

Inthecase ofNetworksofTimedAutomata,thetransformation

ruleshave beenestablishedrespectinganequivalence between

BPMNentitybehaviorandstatemodelentitybehavior.Therefore,

interoperability requirements were formalized to make their

verificationpossible.Thus,a-temporalrequirementsare

formal-ized with conceptual graphs and temporal requirements are

formalized with TCTL. In addition, a non-formal verification

technique was used to verify, by expertise, interoperability

requirementsthatcannotbeformallyproven.Finally,theresults

ofthethreeverificationtechniquesareshowninthecollaborative

processmodel(modeledwithenrichedBPMN).Theseresultswere

further exploited with the GRADEI model to verify abstract

interoperabilityrequirementsusingtheprincipleofpropagation.

6.1. Verificationprocessfora-temporalrequirements

A conceptualgraphis definedas a graphwithtwo kinds of

nodes:conceptsandorientedrelationsasshowninFig.8witha

conceptualgraphthat canberead as: ‘‘Any activities(concept)

begin (relation) at a beginning date (concept)’’. Concepts and

relations aredescribed inhierarchicalstructures calledconcept

andrelationlattices.Individualmarkersareaddedtospecifythe

model(‘‘*’’meansgenericconcept).

TheCOGITANTtoolcanbeusedtohandleconceptualgraphs

uponwhichtheverificationprocessofa-temporalrequirementsis

based.Theverificationwithconceptualgraphsisbasedontheuse

of (1) a graph operation named projection, (2) a graph that

representsarequirement(alsonamedconstraintgraph)and,(3)a

graphthatdescribesthecollaborativeprocessmodel.Theprinciple

istochecktoseeifaconstraintgraphcanbeprojectedonthegraph

modelof theprocess.Ifprojection fails,therequirementisnot

verified and the causes can be highlighted by analyzing the

resultingconceptualgraph.TomakeverificationwithCOGITANT,

threetypesoffilesarenecessary,whicharecalledthesupport,fact,

andconstraintgraphs.

The‘‘support’’graphrepresentsalltheconceptsandrelations

fromtheenrichedBPMNmetamodelandmarkersrepresentingall

theinstancesoftheseconceptsandrelationsdefinedintheprocess

Fig.7.Verificationprocessforinteroperabilityrequirements.

[Acvity: *] (Begin) [Date: BeginningDate]

Fig.8.Exampleofaconceptualgraph.

model.The‘‘fact’’containstheequivalentconceptualgraphofthe

model obtained by applying ATL transformation rules and

respecting the support. Finally, the ‘‘requirement’’ to verify is

modeledinanotherconceptualgraphcalledthe‘‘constraint’’graph.

Verificationis performedusingtheprojection ofapositive ora

negativeconstrainton theconceptualgraphthatrepresentsthe

modeloftheprocessstudied.Apositive constraintisdescribed

witha causeand a conclusion and itsprojection is performed

accordingtothefollowinginterpretation:‘‘Ifthecauseistrue,then

theconclusionmustbetrueaswell’’.Anegativeconstraintisasingle

conceptualgraphanditsprojectionisinterpretedas:‘‘Ifanegative

constraint is not projected on the fact model, it is verified’’. The

projection mechanism is theprojection of a given requirement

translated in theconceptual graph on theobtained conceptual

graphthatrepresentsthetranslationofthemodel.

Forthepurposeofverification,weproposetotransformeach

enrichedBPMN element (UML class in themeta model)into a

concept. Then, we propose to convert each attribute of each

element(i.e.,attributesof eachclass)asaconceptalso.Finally,

relationsbetweenclasses(intheenrichedBPMNmeta-model)are

transformedintorelationsintheconceptualgraphasshowninthe

Fig.9.

ThreeATLtransformationsmustbeperformedtocompletethe

transformation from process model to COGITANT. Hereafter,

Fig.10representstheprincipleofthefirsttransformationtoget

thesupport model (the two others transformations – fact and

constraint–arebasedonthesameprinciplesandarenotdescribed

here).

Thefirsttransformationprocedure toobtainthesupportfile

(levelM1)startswiththeconsiderationofthemetamodels(level

M2) of the enriched BPMN language and COGITANT, which

conform,aswell,tothee-coremodel(levelM3).Thus,eachclass

(including its attributes)is translated into a concept and each

relationshipinthemeta-modelistranslatedintoarelationshipin

thesupportfile.Thistransformationismadeinordertoprovideall

the needed concepts and relationships used and subsequently

deployedinthefactfile.

Thesecondtransformationisusedtoobtainarepresentationof

the collaborative process model (fact) as a conceptual graph.

Finally,thelasttransformationisperformedtoobtainconstraints

(representingtherequirements)thathavetobeprojectedontothe

equivalent graph model of the process. In this case, the

requirementistranslatedintoapositive ornegativeconceptual

graphconstraintdependingontheuser’sintention.

Forexample,thecompatibilityrequirementCSOManager

previ-ouslypresentedanddescribedas:‘‘Eachservicehasaclearlydefined

manager who has authority over the rest of the team’’ can be

formalizedintoapositiveconstraintasshowninFig.11.

Theverificationofthisconstraintusingprojectionisperformed

withtheprojectionofthecauseontothefactsmodel.Ifthecause

canbesuccessfullyprojected,theconclusionmustbeprojectedtoo

inordertorespecttherequirement.

6.2. Verificationprocessfortemporalrequirements

The principle of a model checker is to verify properties

exhaustivelywithtemporizedandpossiblyconstrained

autom-atathatdescribethebehaviorofasystem.Obviously,herethe

system is the collaborative process model. Verification with

modelcheckersrequirestwophases.Thefirstphaseconsistsin

definingasetofequivalentbehavioralmodelsinthe

collabora-tive process model and in defining the collaborative process

Fig.10.TransformationfromenrichedversionofBPMNtosupportinCOGITANT.

modeltransformationrulestoapply.Thesecondphaseconsists

inreformulatingthetemporalrequirementsunder theformof

propertiesrespectingtheformallanguageadoptedbythechosen

modelchecker(inthisstudy,atemporallogic)[29].

TheUPPAALtoolcanthenbeusedtohandleabehavioralmodel

defined as a set of templates, which communicates with

synchronization (either in the form Expression! for sending or

Expression? for receiving synchronization), using channels and

syntaxlikesent/receive.Eachtemplatehaslocationsand

transi-tionstolinkalocationsourcetoatargetsource[23].

TheenrichedBPMNmodelmustbetransformedintoNetworks

ofTimedAutomatatoperformverificationoftemporal

require-ments.InFig.12,themodeltransformationprocedure(levelM1)

startswiththeconsiderationofthemetamodels(levelM2)ofthe

enrichedBPMNlanguageandUPPAALwhichconform,aswell,to

thee-e-e-coremodel(levelM3).

This transformation is made in order to provide all the

necessaryconceptsthatareusedanddeployedintheNetworks

ofTimedAutomata.Inthisway,itismandatorytoconsiderallthe

modelingentitieswhichwillbeusedinthecheckingtask.Thus,

eachclass(includingitsattributes)inthemeta-modelistranslated

intotemplates.Respectingthisconsideration,eachBPMNelement

canbeextractedfromthecollaborativeprocessmodelinorderto

produce the corresponding template representing Networks of

Fig.12.TransformationfromenrichedversionofBPMNtonetworksoftimedautomata.

Fig.13.Existingmodelandmodelwedeveloped.

TimedAutomata.Thus,thesetemplatesgatheralltheknowledge

describedinthemodel,and representthecollaborativeprocess

behavioralmodel.

Some behavioral models of BPMN elements, which use

NetworksofTimedAutomata,canbefoundintheliterature.For

instance,[30]proposethebehavioralmodeloftheBPMNelements

suchas:startandendevent,‘‘gatewaydatabasedparallel’’(AND),

the‘‘gatewaydatabasedexclusive’’(XOR),andthenativemodelof

Task.For instance,thebehaviorofataskis representedbyfour

locationsandtwosynchronizationsaspresentedinFig.13.Inthis

case,transformationrulesaredefineddirectly.Otherbehavioral

modelsthatdonotexist,butthatareconsideredtobefundamental

incollaborativeprocesses,arebeingdeveloped.Likewise,inthis

researchwork,wedevelopotherbehavioralmodelscorresponding

to(1)thetaskwhenaresourceisinvolved,(2)theresource,(3)the

‘‘gatewaydatabasedinclusive’’(OR)and(4)considerationofmany

in/outflow(includingsequenceand/ormessageflows)onatask.

Then,foreachenrichedBPMNelement,atransformationusingATL

isdefinedand performedtoobtainthebehavioralmodelinthe

formofNetworksofTimedAutomata.

Forinstance,thetranslationofataskwhenitusesaresource

andthetranslationofaresourcearepresentedFig.14.Initially,the

Fig.15.Behaviorofagatewaydatabasedinclusiveandmany(in/out)flows.

taskis waitingtostart.Then afterstarting,itusestheresource

whichisavailableatthebeginningbysendingitasynchronization

suchas‘‘in_resource!’’.Subsequently,theresourcereturnstoits

initialstatebyreceivingasynchronization‘‘out_resource?’’when

thetaskhasfinishedusingit.Finally,thetaskstops.

Furthermore, based on the templates given by [30] for the

gatewaydata based parallel (AND) and the‘‘gateway data based

exclusive’’(XOR),thebehaviorofthe‘‘gatewaydatabasedinclusive’’

(OR)andtheconsiderationofmany(in/out)flowsisproposedas

showninFig.15.Asaconsequence,weproposetorepresentthe

behavior of the‘‘gateway data based inclusive’’ by theuse of a

‘‘gatewaydatabasedexclusive’’and‘‘gatewaydatabasedparallel’’.

Then,we proposetosimulatetheexistence ofa ‘‘gateway data

basedparallel’’torepresentthein/outof manyflows(sequence

flowand/ormessageflow)ofatask.

Toenabletheimplementationofformalverificationtechniques,

thetemporal requirements areformalized intoTCTLproperties

(Timed Computation Tree Logic, i.e., the UPPAAL property

specification language) [23]. TCTL is an extension of CTL

(ComputationalTreeLogic)whichcanbeusedtoconsiderseveral

possiblefuturesbasedonthestateofasystem.TheUPPAALmodel

checkerhasfourTCTLquantifiers(A:forallpaths,E:apathexists,

[]:allstatesinapath,<>:somestatesinapath),whichcanbe

usedtowriteapropertyp:

- E<>p:reachability(i.e.,itispossibletoreachastateinwhichp

issatisfied).

- A[]p:invariantlyp(i.e.,pistrueinallreachablestates).

- A<>p:inevitablep(i.e.,pwillinevitablybecometrue).

- E[]p:potentiallyAlwaysp(i.e.,pispotentiallyalwaystrue).

- P!q:pleadstoq(i.e.,ifpbecomestrue,qwillinevitablybecome

true).

According to the UPPAAL property specification language

defined above, the temporal requirements written in natural

languagearemanuallyre-writtenintopropertiesusingTCTL.Then

theUPPAALmodelcheckerexhaustivelyverifiespropertiesinTCTL

throughalltheexecutionpathsofthebehavioralmodelsthatare

reachable.

For instance, the ISOExecutionTime requirement described as:

‘‘Resource is active throughout the duration of execution of

theactivity(5<T<10)’’canbeformalizedintoapropertyusing

TCTLas:

‘‘E<>Resource.ActiveandTask.WorkingandT>5andT<10’’

This property indicates that a path can exist, where the

resourceisactiveandthetaskisinthestateWorkingbetween

5<T<10. This property can be verified with the templates

representedFig.14.Thenextpartpresentsanapplicationcase

study.

7. Applicationcasestudy

ThecollaborativeprocessweproposeisshowninFig.16.Itaims

todesignandproducevehicles.Variousgeographicallydistributed

partners in the European territory wish to anticipate potential

defectsinherentintheirinteroperability.

Thecompatibilityrequirementstobeverifiedarerelatedtothe

organizationalbarrieratthelevelofservicesandareexpressedas

follow:

CSOManager:‘‘Eachservicehasaclearlyidentifiedmanager.’’

CSOAbility:‘‘Aresourcehastheabilitytodoactivityrequested.’’

CSOAuthorization: ‘‘The senderhas the necessaryauthorizationsto

interactwiththereceiver.’’

Thesecompatibilityrequirementsarea-temporal.Theymustbe

verified with conceptual graphs. As a result, they must be

formalizedintoconceptualgraphsasshowninFig.17.

ThecompatibilityrequirementCSOManagerisformalizedusinga

positiveconstraint. Thisconstraint expresses thefactthat each

service has a manager. However, it does not indicate if this

managerhasbeenidentified.Therefore,thisrequirementcanbe

decomposedintothreecompatibilityrequirementsdescribedas

follow:

CSOManagerName:‘‘Themanagerofaservicehasaname.’’

CSOManagerPhone:‘‘Themanagerofaservicehasaphonenumber.’’

CSOManager:‘‘Themanagerofaservicehasan’’

Thesecompatibilityrequirementsgivemoreinformationabout

themanager’sname,phonenumber,andtheycanbeformalized

withthreenegativeconstraintsasshowninFig.18.

ThecompatibilityrequirementCSOAptitudeisformalizedusinga

positiveconstraint.Thisconstraintisexpressedasfollows:foreach

service(task),theresourcesusedbythis servicemusthavethe

requiredskills.

The compatibility requirement CSOAuthorization is formalized

usinga positiveconstraint. Thisconstraint reflectsthefact that

each task interactingwith another taskrequires theresources

involved to have the relevant authorizations to perform the

exchanges.

The interoperationrequirements toverify arerelated tothe

organizationalbarrierattheserviceslevel,andareexpressedas

follow:

ISOTimeExecution: ‘‘Resource is active throughout the duration of

executionoftheactivity.’’

Fig.18.FormalizationofCSOManaagerwiththreenegativeconstraints.

ISOExchangeTime:‘‘Thetimeforexchangebetweenservicesisstrictly

lessthanntimeunits(TU).’’

ISOReceipt:‘‘Thereceiversendsareceipttothesender.’’

Thefirstandsecondinteroperationrequirementshave

tempo-ral aspects and must be formalized with TCTL to make their

verificationpossiblewith theUPPAAL modelchecker. The final

interoperationrequirementhasana-temporalaspectandmustbe

formalizedwithconceptualgraphstoverifyitusingtheCOGITANT

tool.ThefirstinteroperationrequirementISOTimeExecutionisusedto

verifyiftheactivities‘‘motorassembly’’and‘‘chassisassembly’’can

usethesameresource. Asaconsequence, this requirementhas

temporalaspectsandisformalizedusingthetwopropertiesshown

inFig.19.

ThesecondrequirementISOExchangeTimeischosentobeverified

toinforminteractingenterprisesif theexchangetime between

theiractivitiesisrespectedandlessthanthedesiredexchangetime

limit.Thistemporalrequirementisformalizedbyapropertyusing

TCTL.The finalinteroperationrequirement ISOReceipt is used to

ensurethatthereceiverhasreceivedstocks.Thisrequirementhas

ana-temporal aspect and is formalizedby a constraint with a

ConceptualGraph.

Furthermore,weproposetoverifyanautonomyrequirement

andareversibilityrequirement.Theserequirementsareexpressed

attheservicelevelfortheorganizationalbarrierandareexpressed

asfollows:

ASOResource: ‘‘A service canreplace a resource used by another

serviceinthepubliccollaborativeprocess.’’

RSOPerformanceResource: ‘‘The resources used in the collaborative

processhavethesameperformancelevel–includingtolerances–as

beforethecollaboration.’’

ASOResourceexpressesthefactthataserviceisabletoreplaceits

resource if it is used by another one. RSOPerformanceResource

represents the abilityof a resource to retrieveits past

perfor-mances. These requirements cannot be verified using formal

verificationtechniques;however,theycanbeverifiedusingthe

expertisetechnique.Finally,theresultoftheverificationusingthe

UPPAALand COGITANTtoolfortheverificationofcompatibility

andinteroperationrequirementsisshownFig.20.

Theresultsofa-temporalrequirementsverificationareshownon

theleftsideofFig.20.TherequirementsCSOManagerName,CSO

Mana-gerPhone and CSOManagerare satisfied by all tasks (no errors are

reported).Thismeansthatthemanagerisknownandidentified.The

CSOAptituderequirementwasnotsatisfiedbyalltasks.Indeed,wecan

notethatthe‘‘Motorassembly’’andthe‘‘Chassisassembly’’tasksuse

the sameresource.Thefirsttaskrequires the‘‘Motorcomponent

assembly’’abilitywhilethesecond taskrequires the‘‘Component

assembly’’ ability. However, the resource only has the ‘‘Motor

componentassembly’’ability.Asaresult,thetaskshouldchangethe

resource.Throughthedetectionofthisproblemusingtheapproach,

thechangeoftheresourcecanbemadebeforetheexecutionofthe

process.Ifthischangeisnotmadebeforerunningthecollaborative

process,thisproblemcanhinderthecollaborativeprocessinterms

ofexecutiontimetomakethischangeafterithasbeendetected.The

verificationoftheCSOAuthorizationrequirementindicatesthatithas

beensatisfiedbyallactivitiesthatrequireauthorizations.

Finally,verificationoftheISOReceiptinteroperationrequirement

indicatesthatthe‘‘Chassisreceptionandstorage’’,‘‘Supplyreception

andstorage’’,and‘‘Motorreceptionandstorage’’tasksdonotreturna

receiptforthetasksthatprovidedthemsupplies.Thepartnerthat

isinchargeofdeliveringthecomponentsfortheotherpartners

mustensurethat thedelivery ofeach componentis completed

successfullyto avoid possiblecosts for re-delivery and related

delays.

The verificationof temporal requirementsis shownonthe

rightof Fig.20. ThetwopropertiesrepresentingtheISO

TimeEx-ecution requirement for the ‘‘Motor assembly’’ and ‘‘Chassis

assembly’’ tasks are satisfied. Indeed, one resource is used by

thetwotasksatdifferentperiods.However, it isimportant to

keepinmindthatthisresourcedoesnothavetheskillsrequired

byonetask.Asaresult,theabilityofthetwotaskstousethe

sameresourcedoesnotmeanthatitcanbeused.Inconclusion,

itisimportanttotakealltheinteroperabilityrequirementsinto

consideration because the verifications with both tools are

complementary. Finally, the verification of the ISOExchangeTime

requirementcanbeused toconcludequicklyontheexchange

time between all tasks.The resultindicates thatone of tasks

doesnotrespectthemandatoryexchangetime.Theverification

oftheseinteroperabilityrequirementsprovideslocaldetection,

whichcanbeusedsubsequentlytosolvetheproblemsdetected.

However, this local detection is not sufficient. Indeed, these

problems can impact the collaboration at a global level. As a

result, we propose to use propagation mechanisms with the

GRADEImodelasshowninFig.21.

TheresultsoftheverificationwiththeUPPAALandCOGITANT

toolsforthetemporalanda-temporalrequirementsareusedby

the GRADEI model (requirements represented on the far left).

Requirementsmodeledingreen(satisfied)andred(notsatisfied)

representtheresultoftheexpertise.Theexpertcanvalidateornot

validatearequirementdirectlyintheGRADEImodel.Thelogical

function that links the abstract requirements to more specific

requirements is the logical ‘AND’ operator. The result of the

propagationindicatesthatevenifaresourceisavailabletoperform

a task, if it does nothave the requiredskills, thecollaborative

process has interoperability problems. In addition, the

non-verificationoftheserequirementsmeansthatthemoreabstract

requirement‘‘interoperability’’isnotsatisfied.

8. Conclusion

In a collaborative context, interoperability is becoming

increasinglyimportant.Apartnerinvolvedincollaborationwith

otherpartnersaimstodetectandsolveinteroperabilityproblems

asquicklyaspossible.Theapproachweproposeaimstoformulate,

formalize, and check interoperability requirements in order to

detect locally and globally interoperability problems in an

anticipativewaythatusesverificationtechniques.Theformulation

of interoperabilityleadstodefinefourcategoriesrelatedtothe

compatibility, interoperationautonomy and reversibility. These

categories are then split up and structured using the GRADEI

model. The analysis of interoperability requirements in a

collaborative process model uses model transformation

techni-ques, formal verification techniques for local verification and

propagationmechanismforglobalverification.Localverificationis

performedusingcomplementaryverificationtechniques.Thefirst

verificationtechniqueusesconceptualgraphstoverifya-temporal

interoperabilityrequirements.Thesecondverificationtechniqueis

a formal verification technique using model checkingto verify

temporal interoperability requirements. Finally, a non formal

verification technique such as expertise is applied to verify

requirementsthatcannotbeformallyverified.Thelocaldetection

ofinteroperabilityrequirementsisinsufficient.Indeed,theresult

oftheverificationofarequirementcaninfluencetheinterpretation

oftheresultofanotherrequirement.Sotheglobalverificationis

basedonthepropagationoftheresultsofthelocalverificationby

interpreting some parts of the GRADEI model. Futureresearch

mustfirstanalyzetheverificationofreversibilityandautonomy

requirements.Thisverificationcanbedonewithacomplementary

simulation approach based on distributed multi-agent systems

[31]toimprove interoperabilityproblemdetection. Finally,our

research work aims to find solutions for the interoperability

problemsdetected.

References

[1]J.Touzi,«Aidea` laconceptiondeSyste`med’InformationCollaboratif:supportde l’interope´rabilite´ desentreprises»,PhDThesis,InstitutNationalPolytechniquede Toulouse,November2007(inFrench).

[2]B.Aubert,A.Dussart,Syste`med’InformationInter-Organizationnel,Rapport Bour-gogne,GroupeCIRANO,March2002(inFrench).

[3]A.Esper,«Inte´grationdesapprochesSOAetoriente´eobjetpourmode´liserune orchestrationcohe´rentedeservices»,PhDThesis,InstitutNationaldesSciences Applique´sdeLyon,September2010(inFrench).

[4] ISO/DIS11345-1,Advancedautomationtechnologiesandtheirapplications,Part 1:Frameworkforenterpriseinteroperability,2009.

[5] IDEASProjectDeliverables,«WP1-WP7»,Publicreports,2003.

[6] INTEROP:EnterpriseInteroperability-Frameworkandknowledgecorpus–Final report,INTEROPNoE,FP6–Contractno.508011,DeliverableDI.3,May21st2007. [7] ATHENA IntegratedProject,«Guidelinesand best practicesfor applying the ATHENAinteroperabilityframeworktosupport SME participationindigital ecosystems»,ATHENAdeliverableA8.2,2007.

[8] C4ISRArchitectureWorkingGroupLevelsofInformationSystemsInteroperability (LISI),UnitedStatesofAmericaDepartmentofDefense,WashingtonDC,USA,30 March,1998.

[9]A.Tolk,J.A.Muguira,TheLevelsofConceptualInteroperabilityModel, Proceed-ingsofFallSimulationInteroperabilityWorkshop(SIW),Orlando,USA,2003. [10] T.Clark,R.Jones,OrganizationalInteroperabilityMaturityModelforC2,Proc.of

CommandandControlResearch&Techn.Symposium,Newport,USA,1999. [11] N.Daclin,D.Chen,B.Vallespir,Methodologyforenterpriseinteroperability,in:

17thIFACWorldCongress(IFAC’08),Seoul,Korea,2008.

[12] C.T.Ford,«Interoperabilitymeasurement»,PhDThesis,DepartmentoftheAir ForceAirUniversity,AirForceInstituteofTechnology,2008.

[14] BPMN,BusinessProcessModelingNotation,V1.2,http://www.bpmn.org/,2009. [15] NEHTA,«Interoperabilitymaturitymodel»,Version1.0,26March2007. [16] INCOSE,«SystemEngineering(SE)HandbookWorkingGroup,SystemEngineering

Handbook,A«HowTo»»,Version3.1,GuideForAllEngineers,http://www.incose. org,2007.

[17]ISO/IEC15288:2008(E),«IEEEStandards15288.2008–Systemsengineering– Systemlifecycleprocesses(2ndedition)»,2008.

[18] S.J.Scucanec,J.R.VanGaasbeek,Adayinthelifeofaverificationrequirement,in: U.S.AirForceT&EDays,LosAngeles,California,February,2008,2008. [19] M.Kasunic,W.Anderson,Measuringsystemsinteroperability:challengesand

opportunities,Softwareengineeringmeasurementandanalysisinitiative, Tech-nicalnoteCMU/SUE-2004-TN-003,2004.

[20] O.Balci,W.Ornwsby,Expandingourhorizonsinverification,validationand accreditationresearchandpractice,in:E.Yu¨cesan,C.-H.Chen,J.L.Snowdon,J.M. Charnes(Eds.),2002WinterSimulationConference,2002.

[21] M.Edmund,ClarkeJr.,O.Grumbereg,A.P.Doron,ModelChecking,TheMITPress, 1999.

[22] B.Be´rard,M.Bidoit,A.Finkel,F.Laroussinie,A.Petit,L.Petrucci,PhSchnoebelen,P. McKenzie,SystemsandSoftwareverification:ModelCheckingTechniquesand Tools, Springer,2001.

[23] G.Behrmann,A.David,K.G.Larsen, ATutorialon Uppaal, Department of ComputerScience,AalborgUniversity,Denmark,2004.

[24] V.Chapurlat,B.Kamsu-Foguem,F.Prunet,«Enterprisemodelverificationand validation:anapproach»,AnnualReviewinControl,vol.27,no.2,pp.185–197, 2003.

[25] J.F.Sowa,Conceptualgraphs,IBMJournalofResearchandDevelopment(1976). [26] M.Roque,V.Chapurlat,Interoperabilityincollaborativeprocesses:requirements characterisationandproofapproach,in:PRO-VE’09,10thIFIPWorking Confer-enceonVIRTUALENTERPRISES,Thessaloniki,Greece,7–9October,2009,2009. [27] CogitantCoGITaNTVersion5.2.0,ReferenceManual,http://cogitant.sourceforge.

net,2009.

[28] ATLASGroupeINA&INRIANantesATLAtlasTransformationLanguage, Specifi-cationoftheATLVirtualMachine,Version0.1,2005.

[29] R.Alur,C.Courcoubetis,D.Dill,Model-checkingindensereal-time,Information andComputation104(1)(1993)2–34.

[30]V.Gruhn,R.Laue,Usingtimedmodelcheckingforverifyingworkflows,Computer SupportedActivityCoordination7(2005)5–88.

[31] A.S.Rebai, V.Chapurlat, Systeminteroperabilityanalysis bymixingsystem modelingandMAS:anapproach,agent-based,technologiesandapplications forenterpriseinteroperability(ATOP),in:EighthInternationalJointConference on Autonomous Agents & Multi-Agent Systems (AAMAS 2009), Budapest, Hungary,May,2009,2009.