Jeremy C. Maxwell
PhD Candidate
North Carolina State University
jcmaxwe + "the number three"@ncsu.edu
Conference Papers
J.C. Maxwell, A.I. Antón, P. Swire, "Discovering Conflicting Software Requirements by Analyzing Legal Cross-References", Intl. Conf. on Requirements Engineering, 2011. Distinguished Paper.
Abstract
Companies must ensure their software complies with relevant laws and regulations to avoid the risk of costly penalties, lost reputation, and brand damage resulting from noncompliance. Laws and regulations contain internal cross-references to portions of the same legal text, as well as cross-references to external legal texts. These cross-references introduce ambiguities, exceptions, and other challenges to regulatory compliance. Requirements engineers need guidance on how to address cross-references in order to comply with the requirements of the law. Herein, we analyze each external cross-reference within the U.S. Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to determine whether the cross-reference introduces a conflicting requirement, introduces a conflicting definition, and/or refines an existing requirement. We also propose a legal cross-reference taxonomy to aid requirements engineers in classifying cross-references as they specify compliance requirements. Analyzing cross-references enables us to address conflicting requirements that may otherwise thwart legal compliance. We identify five sets of conflicting compliance requirements and recommend strategies for resolving these conflicts.
J.C. Maxwell, A.I. Antón, "The Production Rule Framework: Developing a Canonical Set of Software Requirements for Compliance with Law", 1st ACM Intl. Health Informatics Symposium, Arlington, VA, 2010.
Abstract
The cost of noncompliance, as well as the lost reputation and brand damage resulting from noncompliance, makes legal compliance critical in software systems. In this paper, we present a production rule framework that software engineers can use to specify compliance requirements for software. A component of our framework is the production rule modeling methodology, which we introduced in previous work [12, 14]. We apply the framework to check iTrust, an open source electronic medical records system, for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. We model the Security Rule using production rules and employ the model to analyze the iTrust requirements for legal compliance. Using the framework, we were able to identify 13 functional and 5 non-functional requirements that were previously overlooked using an agile-driven software engineering approach. These new requirements are critical for compliance with the Security Rule.
J.C. Maxwell, A.I. Antón, "Developing Production Rule Models to Aid in Acquiring Requirements from Legal Texts", Proc. of the 17th Intl. IEEE Requirements Engineering Conf., Atlanta, 2009, pp. 101-110.
Abstract
Regulatory compliance is an important consideration for requirements engineering because recent regulations impose costly penalties for noncompliance. This paper details how developing production rule models can aid in acquiring software requirements from regulatory texts. Production rules enable requirements engineers to gain valuable domain knowledge of a particular legal text by providing the ability to receive precise answers to a specific query. In particular, a production rule model facilitates communication between requirements engineers and legal domain experts, supports and augments requirements elicitation, and resolves ambiguity. Prior work in this area has failed to detail a precise methodology for translating a legal text into production rules, and has not considered using production rule models to aid requirements elicitation and validation. This paper introduces our Production Rule Modeling methodology and demonstrates it using examples from a production rule model for four sections of the U.S. Health Insurance Portability and Accountability Act (HIPAA).
Workshop Papers
J.C. Maxwell, A.I. Antón, "Validating Existing Requirements for Compliance with Law Using a Production Rule Model", Proc. of the 2nd Intl. IEEE Workshop on Requirements Engineering and the Law, Atlanta, 2009, pp. 1-6.
Abstract
To ensure legal compliance, requirements engineers need tools to determine whether existing requirements comply with relevant law. We propose a production rule model that requirements engineers can query as they check software requirements for legal compliance. In this paper, we perform a case study using our approach to evaluate the iTrust Medical Records System requirements for compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA). We identify 12 new compliance requirements beyond the 63 functional requirements with which we began our analysis.
NOTE: Papers are in PDF format.