Jeremy C. Maxwell
PhD Student
North Carolina State University
jcmaxwe + "the number three"@ncsu.edu
Journal Papers
[MA10] Maxwell, J.C., and Antón, A.I., "A Refined Production Rule Model for Aiding in Regulatory Compliance", (in submission)
IEEE Trans. on Software Engineering, 2010. North Carolina State University Technical Report,
TR-2010-3, 2010
Abstract
Software engineers are being asked to develop software for increasingly regulated environments. When systems are not dependably compliant, companies must pay the high cost of non-compliance, including the cost of lost reputation and brand damage. Regulations represent the minimum level of security and dependability with which systems must comply. We develop a methodology for creating production rule models to aid developers in specifying legally compliant software requirements. By querying production rule models, software engineers can gain valuable knowledge of the legal text. They can perform an initial compliance analysis and obtain preliminary compliance requirements that can be further refined in consultation with a lawyer. We model the law using the legal concepts of rights, obligations, privileges, no-rights, powers, liabilities, immunities, and disabilities. Herein, we develop heuristics for specifying production rules that model legal texts. We refined our methodology within the context of a case study in which we model the Privacy Rule, Part E, of the Health Insurance Portability and Accountability Act (HIPAA).
Conference Papers
[MA09a] Maxwell, J.C., and Antón, A.I., "Developing Production Rule Models to Aid in
Acquiring Requirements from Legal Texts", Proc. of the 17th Intl. IEEE Requirements Engineering Conf.,
Atlanta, 2009, pp. 101-110.
Abstract
Regulatory compliance is an important consideration for requirements engineering because recent regulations impose costly penalties for noncompliance. This paper details how developing production rule models can aid in acquiring software requirements from regulatory texts. Production rules enable requirements engineers to gain valuable domain knowledge of a particular legal text by providing the ability to receive precise answers to a specific query. In particular, a production rule model facilitates communication between requirements engineers and legal domain experts, supports and augments requirements elicitation, and resolves ambiguity. Prior work in this area has failed to detail a precise methodology for translating a legal text into production rules, and considered using production rule models for aiding requirements elicitation and validation. This paper introduces our Production Rule Modeling methodology, and demonstrates this methodology using examples from a production rule model for four sections of the U.S. Health Insurance Portability and Accountability Act (HIPAA).
Workshop Papers
[MA09b] Maxwell, J.C., and Antón, A.I., "Validating Existing Requirements for Compliance with Law Using a Production
Rule Model", Proc. of the 2nd Intl. IEEE Workshop on Requirements Engineering and the Law, Atlanta, 2009, pp. 1-6.
Abstract
To ensure legal compliance, requirements engineers need tools to determine existing requirements’ compliance with relevant law. We propose using a production rule model for requirements engineers to query as they check software requirements for legal compliance. In this paper, we perform a case study using our approach to evaluate the iTrust Medical Records System requirements for compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA). We identify 12 new compliance requirements beyond the 63 functional requirements with which we began our analysis.
NOTE: Papers are in PDF format.