Reusing (Safety-oriented) Compliance Artifacts while Recertifying

Julieth Patricia Castellanos-Ardila

and Barbara Gallina

IDT, M

alardalen University, V

aster

as, Sweden

Keywords:

Process Recertiﬁcation, Systematic Reuse, Automated Compliance Checking, ISO 14971.

Abstract:

Revisions of safety-related standards lead to the release of new versions. Consequently, products and pro-

cesses need to be recertiﬁed. To support that need, product line-oriented best practices have been adopted to

systematize reuse at various levels, including the engineering process itself. As a result, Safety-oriented Pro-

cess Line Engineering (SoPLE) is introduced to systematize reuse of safety-oriented process-related artifacts.

To systematize reuse of artifacts during automated process compliance checking, SoPLE was conceptually

combined with a logic-based framework. However, no integrated and tool-supported solution was provided.

In this paper, we focus on process recertiﬁcation (interpreted as the need to show process plan adherence with

the new version of the standard) and propose a concrete technical and tool-supported methodological frame-

work for reusing (safety-oriented) compliance artifacts while recertifying. We illustrate the beneﬁts of our

methodological framework by considering ISO 14971 versions, and measuring the enabled reuse.

1 INTRODUCTION

Revisions of safety-related standards lead to the re-

lease of new versions. Adjustments resulting from

adding, deleting, or modifying requirements change

the compliance status of organizations. Consequently,

products and processes need to be recertiﬁed. To

maintain processes compliance back in line, manu-

facturers perform a gap analysis between standards

versions. A gap analysis permits manufacturers to un-

derstand what can be reused in terms of process infor-

mation and process compliance demonstration (Gal-

lina et al., 2014). In general, by reading the re-

quirements of prescriptive standards, it is possible to

identify similarities regarding tasks, work products,

and other process-related artifacts, which are candi-

dates for reuse. Based on product line-oriented best

practices, reuse can be systematized at various lev-

els, including the engineering process itself. As a re-

sult, Safety-oriented Process Line Engineering (So-

PLE) (Gallina et al., 2012) is introduced to system-

atize reuse of safety-oriented process-related artifacts.

To increase conﬁdence in process compliance

via compliance proofs and efﬁciency via systematic

reuse (Castellanos Ardila and Gallina, 2017), So-

PLE was conceptually combined with a logic-based

framework. The initial logic-based framework was

https://orcid.org/0000-0001-9970-7580

https://orcid.org/0000-0002-6952-1053

adapted to be used with safety-related software pro-

cesses (Castellanos Ardila et al., 2018a; Castellanos

Ardila et al., 2018b). As such, it requires users

to model process plans checkable for compliance

in EPF-C (Eclipse-Foundation, 2018) (recently mi-

grated from Eclipse Galileo 3.5.2 to Eclipse Neon

4.6.3 (Javed and Gallina, 2018a)), which provides

the environment for modeling SPEM 2.0 (Systems

& Software Process Engineering Metamodel) (OMG,

2008)-like artifacts. Process models of this type are

composed of artifacts enriched with compliance in-

formation through annotations representing formal-

ized standards requirements in FCL (Formal Contract

Logic) (Governatori, 2005). FCL, a logic used to in-

terpret and model normative knowledge, can be for-

mally veriﬁed with Regorous (Governatori, 2015), a

compliance checker created in the business and legal

context. The addition of SoPLE was meant to extend

systematic reuse to the automated compliance check-

ing artifacts included in such models. However, no

integrated and tool-supported solution was provided.

In this paper, we focus on showing process plan

adherence with new versions of standards and propose

a concrete technical and tool-supported methodolog-

ical framework for reusing (safety-oriented) com-

pliance artifacts while recertifying. In particular,

we include the tool support for variability manage-

ment offered by BVR-T (Base Variability Resolu-

tion Tool (SINTEF, 2016)), included in the tool-chain

EPF-C ◦ BVR-T (Javed and Gallina, 2018b). EPF-

Castellanos-Ardila, J. and Gallina, B.

Reusing (Safety-oriented) Compliance Artifacts while Recertifying.

DOI: 10.5220/0010224900530064

In Proceedings of the 9th International Conference on Model-Driven Engineering and Software Development (MODELSWARD 2021), pages 53-64

ISBN: 978-989-758-487-9

C ◦ BVR-T was developed in the context of the

AMASS project (de la Vara et al., 2019) and was

used in the space domain (Gallina, 2019). System-

atic reuse of compliance checking artifacts is done

in four steps. 1) Initial compliance checking of sin-

gle process plans is performed, via EPF-C and Re-

gorous. 2) The resulting models are used as the

base for evaluating commonalities and variabilities

while adding standards of the same family, e.g., dif-

ferent versions of the same standard. The artifacts

that vary are modeled in EPF-C. 3) The analysis

of the compliance status of the standard-speciﬁc ar-

tifacts that are part of the variability is performed by

taking into account the annotated compliance infor-

mation. The compliance status can be analyzed by

using Regorous. 4) The tool-chain EPF-C ◦ BVR-T

is used to model the families included in the compli-

ance checking process, pre-check the choices at vari-

ation points and deliver the concrete standard-speciﬁc

(safety-oriented) compliance checking artifacts, i.e.,

process models, rulesets denoting formalized require-

ments from standards, and compliance annotated pro-

cess artifacts. We illustrate the beneﬁts of our tool-

supported methodological framework by considering

the evolution (i.e., new versions of the standard re-

sulting from revisions) of ISO 14971 (ISO, 2000)-

process for risk management to medical devices. In

particular, when published, ISO 14971:2007 (ISO,

2007) was internationally endorsed. In contrast,

EN ISO 14971:2012 (ISO, 2012) is harmonized with

EU directives for the European market. The latest

version, ISO 14971:2019 (ISO, 2019), is internation-

ally endorsed again. Thus, ISO 14971-related com-

pliance is challenging for manufacturers of medical

devices, who need to ﬁnd approval from regulatory

bodies within and outside the EU. By measuring the

enabled reuse, we answer the question To what extent

process-related compliance artifacts can be reused?

The paper is organized as follows. In Section 2,

we provide essential background. In Section 3, we

present our methodological framework for compli-

ance checking artifacts reusability. In Section 4, we

illustrate our methodological framework by consid-

ering ISO 14971 versions, and measure the enabled

reuse. In Section 5, we discuss our ﬁndings. In Sec-

tion 6, we present related work. Finally, in Section 7,

we conclude our work and present future work.

2 BACKGROUND

In this section, we provide basic information on which

we base our work.

2.1 ISO 14971 and Its Evolution

ISO 14971 (ISO, 2000) speciﬁes the process re-

quired to identify hazards, estimate, evaluate, con-

trol, and monitor the risk of medical devices dur-

ing its lifecycle. The content of ISO 14971 has

been evolving over the years (Pulla and Bregu,

2020), incorporating consensus-based modiﬁcations

and reﬁnements. As a result, different versions

have been published, i.e., ISO 14971:2007 (ISO,

2007), EN ISO 14971:2012 (ISO, 2012) and

ISO 14971:2019 (ISO, 2019). Relevant concepts

that are used in the following sections are presented

in italics. In particular, the risk analysis phase

in ISO 14971:2007 and EN ISO 14971:2012 cor-

responds to clause 4 and requires the planning of

three tasks, i.e., 1) Deﬁne use/safety characteris-

tics, 2) Estimate risks and 3) Identify hazards. In

contrast, the same phase corresponds to clause 5

in ISO 14971:2019 and the task Deﬁne use/safety

characteristics should be divided into two. For

ISO 14971:2007, the manufacturer shall discard the

negligible risk. Annexes of EN ISO 14971:2012 and

ISO 14971:2019 provide a deviation, i.e., the manu-

facturer shall consider all risks. In all versions, the

manufacturer is the role in charge, the risk manage-

ment plan is the prerequisite of the clause, and the

work products are risk analysis document and risk

management ﬁle. The risk analysis document re-

quires information regarding the medical device de-

scription and identiﬁcation, the identiﬁcation of the

person and organization, the scope, date, the intended

use, and reasonably foreseeable misuse, the quali-

tative/quantitative safety characteristics of the med-

ical device, known and foreseeable hazards associ-

ated with the medical device, fault conditions, rea-

sonably foreseeable sequences of events, and the re-

sulting hazardous situation. Additional information is

prescribed by ISO 14971:2019, i.e., intended medical

indication, patient population, part of the body/tissue,

user proﬁle, and operating principle.

2.2 Automated Compliance Checking

Our logic-based framework for automated compli-

ance checking (Castellanos Ardila et al., 2018a) re-

quires process engineers to model process plans en-

riched with compliance annotations (see Fig. 1),

which are extracted from formalized standards re-

quirements. An expert in FCL (Formal Contract

Logic) (Governatori, 2005) performs the required for-

malization. FCL is a logic that supports the modeling

of norms representing obligations ([O]) and permis-

sions ([P]) in a normative context that can be defeated

MODELSWARD 2021 - 9th International Conference on Model-Driven Engineering and Software Development

by evolving knowledge. In FCL, norms are impli-

cations in which the antecedent represents the condi-

tions for the requirements’ applicability, and the con-

clusion represents compliance effects. Compliance

effects express the concrete behavior of the process

elements that adhere to standards requirements. Re-

gorous receives the models automatically transformed

from EPF-C (see (Castellanos Ardila et al., 2018b))

and perform the automated compliance analysis. The

process engineer uses compliance results (which have

the potential to be transformed back into EPF-C-like

formats) to perform compliance analysis and improve

the process compliance iteratively.

Figure 1: Process compliance checking framework.

More concretely, EPF-C is used to model the base

process and its related library (see Fig. 2-(A

)). A

role represents who does a task. Work products iden-

tify a type of artifacts resulting from a task. Guid-

ance represents free-form documentation that can be

attached to process elements. A task is related to other

elements as depicted in Fig. 2-(A

). For performing

automated compliance checking, the process engineer

needs to model three plugins

in EPF-C (see Fig. 2-

(A), -(B) and -(C)).

The Lifecycle Plugin (see Fig. 2-(A)) contains

the method content necessary to create process plans.

Fig. 2-(A

) depicts method content required for

manufacturing a medical device in compliance with

ISO 14971:2007 (see (Pulla and Bregu, 2020)).

The Standard Information Plugin (see Fig. 2-

(B)) contains the standard requirements and their

formalization in FCL. To model FCL-related in-

formation, rule propositions are modeled by us-

ing SPEM 2.0 guidance elements customized in

a speciﬁc way (Castellanos Ardila and Gallina,

2020). For this, we take into account the type

An EPF-C plugin is a mechanism for packaging content

providing modularization and extensibility.

of process elements that are targeted by the stan-

dard requirements. As a result, process ele-

ments deﬁnition are represented with speciﬁc icons

(see Fig. 2-(B

)) and the propositions are created

based on templates, i.e., perform{TaskName}, pro-

vide{WorkProductName}, guidedBy{GuidanceNa-

me}, performedBy{RoleName}. Similarly the

deﬁnition of process elements properties, i.e.,

{ElementName}with{Element Property}. Require-

ments and rules are also represented with speciﬁc cus-

tomized icons (see Fig. 2-(B

)). A set of FCL rules

for ISO 14971-risk analysis is presented in Fig. 2-(D).

For example, rule 4.1.1.a refers to the provision of the

prerequisite, which as recalled in Section 2.1, is an

obligation. Once provided, we have the obligation of

initiate the risk analysis process (see 4.1.1.b).

The Compliance Annotated Process Plugin con-

tains the process annotated with compliance effects

(see Fig. 2-(C)). The annotation requires users to

evaluate the effect that each element provide to the

overall process compliance (see Fig. 2-(C

)). For

example, the task DeﬁneUse/SafetyCharacteristics is

used to initiate the risk analysis process and to per-

form the deﬁnition of intended use and safety charac-

teristics. Thus, we annotate it with the corresponding

compliance effects. Then, a dynamic representation

of the process plans is created with the annotated pro-

cess elements (see Fig. 2-(C

)).

Regorous automatically generates a compliance

state representation of the annotated process plan and

analyses compliance against the FCL ruleset by us-

ing two functions. The function State(t,i) returns

the state of a task (t), in the step (i). The func-

tion Force(t,i) = {O} associates to each task (t), in the

step (i) a set of obligations O. See, for example, the

rules 4.1.1.a, 4.1.1.b, 4.1.1.c, 4.1.1.d. and 4.2.1.a, pre-

sented in the ruleset excerpt (see Fig. 2-(D)). These

rules represent the obligations in force at different

steps. Thus, rule 4.1.1.a forces the ﬁrst obligation,

i.e., Force(1,1) = [O]provideRiskManagementPlan.

In a similar manner, the subsequent rules are forced,

because the antecedent is getting fulﬁlled. Deﬁne

use/Safety Characteristics is the ﬁrst task in the work-

ﬂow (see Fig. 2-(C

)), and all the elements are associ-

ated to this task (Fig. 2-(A

)) have their corresponding

annotated compliance effects (see Fig. 2-(C

)). Thus,

the state representation of this task, State (1,1), con-

tains all the compliance effects required by the force

functions and the task is compliant. Regorous ap-

ply this strategy to the whole workﬂow and provide

the compliance status of the process as well as the

counterexamples in case of rules violations. When no

counterexamples exist, Regorous deﬁnes that the pro-

cess is compliant (see Fig. 2-(E)).

Reusing (Safety-oriented) Compliance Artifacts while Recertifying

Figure 2: Modeling process plans checkable for compliance.

MODELSWARD 2021 - 9th International Conference on Model-Driven Engineering and Software Development

2.3 Compliance Proofs Reuse

A methodological framework (see Fig. 3) for enabling

reuse of compliance proofs (Castellanos Ardila and

Gallina, 2017) includes the combination of formal ap-

proaches with SoPLE (Safety-oriented Process Line

Engineering) (Gallina et al., 2012). SoPLE manages

families of processes and standards (i.e., families that

exhibit several commonalities and differ via as set

of managed variabilities, e.g., different versions of a

standard). In SoPLE, commonalities, indeed, repre-

sent clearly reusable elements. These commonalities

are deﬁned beyond the syntactical comparison. We

are interested in extracting full commonalities, i.e.,

whenever two elements of the same type expose only

common aspects. With our methodological frame-

work, we learned that proofs of compliance could be

fully or partially reused, depending on the compliance

effects produced by the variability. In Section 3.1, we

extend the compliance analysis of such reuse.

Figure 3: Framework for compliance proofs reuse.

The framework is composed by four spaces where the

process engineer perform speciﬁc actions.

1. In the process space, he/she models a Safety-

oriented Process Line (SoPL). A SoPL includes

manually modeling the skeleton (with commonal-

ities and variabilities) of the process sequence.

2. In the normative space, he/she formalizes rules

and models a SoPL-like structure with such rules,

i.e., selects the set of rules that overlap.

3. In the common space, he/she analyzes the com-

pliance of commonalities between the process-

related SoPL with the SoPL-like rules.

4. In the compliance space, he/she analyzes the com-

pliance effects of the tasks that contribute to the

variabilities in the standard-speciﬁc process.

2.4 EPF-C ◦ BVR-T

EPF-C ◦ BVR-T (Javed and Gallina, 2018b) is a

tool-chain composed by EPF (recalled in Section 2.2)

Composer and BVR-T (Base Variability Resolution

Tool) (SINTEF, 2016) that enables SoPLE (recalled

in Section 2.3). We focus on BVR-T. As summarized

in (Gallina et al., 2020), BVR-T is used to manage

the variability by providing an environment in which

families of different kinds, e.g., processes or prod-

ucts, can be modeled. A BVR model consist of three

parts. The ﬁrst part is the variability model, called

VSpec, which permits users to model the family via a

feature diagram-like fashion supplemented with con-

straints. Feature diagrams permit to deﬁne the distinc-

tive user-visible aspects of the family members that

are common and that vary. Table 2 recalls some basic

elements. A choice represents a yes/no decision. A

constraint (given in Basic Constraint Language-BCL)

speciﬁes restrictions on permissible resolution mod-

els. A group dictates the number of choice resolu-

tions. For example, 1..1 (represents an XOR) iden-

tiﬁes that one of the child features must be selected.

Solid lines permit to link the mandatory features to a

parent feature, while dashed lines permit to link op-

tional features. Fig. 5 depicts a VSpec diagram cre-

ated with the mentioned elements.

Table 1: BVR essential modeling elements.

Choice Constraint Group

The second part, called the resolution, is used to al-

locate speciﬁc family members’ values and validate

such values. Thus, wrong choices violating the cross-

variation points requirements designed in the VSpec

can be detected. Finally, the realization permits users

to bind conceptual resolutions with the concrete el-

ements deﬁned in EPF-C via the deﬁnition of frag-

ment substitutions. The realization permits that spe-

ciﬁc processes are derived automatically. In this pa-

per, we have not performed the realization part.

2.5 Reuse Measurement

A metric for reuse measurement is proposed

by (Banker et al., 1993) (see below).

% Reuse = (1 −

Number of new objects built

Total number of objects used

) ∗ 100

The metric can be applied in hierarchical structures

that permit the identiﬁcation of the objects and the ap-

plications to which they were originally created. This

metric is expressed in terms of percentage by con-

sidering the proportion of the number of new objects

built (created from scratch) and the total number of

objects used (in the absence of reuse). Besides, it fo-

cuses on the total beneﬁt attributable to reuse. Thus,

objects that are reused multiple times are considered

to represent multiple instances of reuse.

Reusing (Safety-oriented) Compliance Artifacts while Recertifying

3 COMPLIANCE ARTIFACTS

REUSABILITY

In this section, we present our methodological frame-

work for compliance artifacts reusability.

3.1 Compliance Analysis

The skeleton of a family in SoPLE (as recalled in

Section 2.3) is represented as the sequence C1-V1-

C2 (see Fig. 4). Such sequence is called the Safety-

oriented Process Line or SoPL, where C1 and C2 rep-

resent the commonalities in the family and V1 repre-

sent the variability. For compliance checking (as re-

called in Section 2.2), C1 and C2 are annotated with

the compliance effects a and b, respectively. When

deriving processes from the family, the variability,

V1, is replaced either with R1 or R2, according to

some aspect, e.g., the selection of a speciﬁc standard.

Moreover, R1 is annotated with c, while R2 does not

have any annotation.

Figure 4: SoPL skeleton of a family of processes.

The VSpec model representing the skeleton of

the family C1-V1-C2 is described in VSpec as

features connected to the parent feature (Check-

ing Management) via solid lines (see Fig. 5). The

variability R1 and R2 are connected via dashed lines.

Additional information can be modeled. In particular,

the standard versions (e.g., S1 and S2) are modeled

with a group element. Moreover, BCL constraints are

created to restrict the selection of the variations ac-

cording to the selected standard, e.g., if S1 is selected,

then R1 and its effect c become mandatory features.

Figure 5: VSpec model of the checking management.

The compliance state representation of the baseline

skeleton (see Fig. 6b) is different from the derived

family member, in which the replacement R1, which

is annotated with the compliance information c, is re-

placed in V1 (see Fig. 6d). Such representations have

to comply with the respective ruleset (see Figs. 6a, 6c)

(a) (b)

Figure 6: Effects/State representation of the variability.

Changes in the compliance status of the derived

standard-speciﬁc processes depend on the normative

effect of the variant. If c = 0, the composition of the

process elements would not affect compliance since

the ruleset in Fig 6a, would be the same that applies

to the SoPLE-member. For c 6= 0, there are two cases.

First, the effect is local to the task, i.e., the effect is

triggered and fulﬁlled in the variant. Second, the vari-

ant effect is not triggered by a previous task and/or

make a new inﬂuence in the subsequent task effect

(see Fig. 6c). In both cases, the compliance status

may be affected. For these cases, we consider the sep-

arations of concerns within the regulatory space and

check the structural compliance (ﬁrst case) separately

from the compliance of the sequence of tasks (second

case). The former permits the integration of the proof

in the line without affecting the general compliance

status. Such checking can be performed by BVR-

T, which checks the presence/absence of process el-

ements features. The latter makes the reuse of proof

conditioned to additional compliance analysis of the

tasks surrounding the variant (C1 and C2 in Fig. 4).

This analysis can be performed by Regorous.

3.2 Systematic Reuse of Compliance

Artifacts

The systematic reuse of compliance artifacts requires

four steps (see Fig. 7).

1. Manage Single Process Plan Compliance. We

seek for single process plan compliance by using the

automated compliance checking method recalled in

Section 2.2. Resulting artifacts are three EPF-C plug-

ins and the compliance results issued by Regorous.

2. Model the Variability. We evaluate the common-

alities and variabilities regarding the models obtained

in step 1) while adding standards of the same fam-

ily, e.g., different versions of the same standard. For

this, we use the method recalled in Section 2.3. The

artifacts that vary are modeled in EPF-C. Thus, the

resulting models are a lifecycle plugin and standard

MODELSWARD 2021 - 9th International Conference on Model-Driven Engineering and Software Development

Figure 7: Family-oriented compliance checking process.

information plugin for each standard evolution, con-

taining only artifacts related to the variability.

3. Analysis and Modeling of the Variability Com-

pliance. An analysis of the changes in the compliance

status of the standard-speciﬁc artifacts that are part

of the variability, as presented in Section 3.1, is per-

formed by taking into account the annotated compli-

ance information. If needed, we use Regorous. How-

ever, if the variant is small, such analysis can be done

manually. The result of this step is the compliance

annotated process model of the variants.

4. Model BVR Artifacts. BVR-T is used to create

the abstract representation of the families involved in

compliance checking, i.e., lifecycle, standard infor-

mation and compliance annotated processes. Reso-

lution models are automatically generated from the

VSpec models, and use to validate the membership

of the elements according to the selected standard. In

a ﬁnal step, which is not part of the scope of this pa-

per, realization models are created. Realization per-

mits to deﬁne the replacements that should be part

of the concrete standard-related artifacts that are ex-

ported back to EPF-C. Thus, in this step we use the

tool-chain EPF-C ◦ BVR-T, recalled in Section 2.4.

4 REUSE WITHIN ISO 14971

EVOLUTION

In this section, we use our solution (presented in Sec-

tion 3.2) to systematize and measure compliance ar-

tifacts reuse within the evolution of the ISO 14971

standards (recalled in Section 2.1).

4.1 ISO 14971 Evolved Artifacts

As presented in Fig. 7, the ﬁrst step consists of seek-

ing the compliance of a process plan against an ini-

tial standard, in this case, ISO 14971:2007. The re-

sults of this step are three plugins that contain process

elements, compliance rules, annotated process mod-

els (see Fig. 2-(A), -(B) and -(C)), and the compli-

ance analysis delivered by Regorous (see Fig. 2-(E)),

which shows that the process is compliant with the

rules derived from the standard.

The second step consists of modeling the vari-

ability, i.e., we perform a gap analysis and model

the additional artifacts imposed by the new stan-

dard versions. In particular, a new process ele-

ment is additionally required for compliance with

EN ISO 14971:2012, i.e., the guidance related to the

inclusion of all risks for the treatment of negligible

risk (see Fig. 8).

Figure 8: EN ISO 14971:2012-Variable process elements.

In contrast, four new elements are required for com-

pliance with ISO 14971:2019, i.e., two guidance ele-

ments (ISO 14871 clause 5 and the treatments of neg-

ligible risk), and two additional tasks, which are the

result of splitting the task Deﬁne/use safety character-

istics (see Fig 9).

Figure 9: ISO 14971:2019-Variable process elements.

Reusing (Safety-oriented) Compliance Artifacts while Recertifying

We also model the compliance effects. Fig. 10

represents compliance effects extracted from

ISO 14971:2007. Fig. 11 shows 1 new compli-

ance effect found in EN ISO14971:2012, while

Fig. 12 shows 11 new compliance effects found in

ISO 14971:2019.

Figure 10: ISO 14971:2007-Compliance effects.

Figure 11: EN ISO 14971:2012-Effects variability.

Figure 12: ISO 14971:2019-Effects variability.

Figs. 10, 11, and 12 also depict artifacts highlighted

with colors. Such colors represent replacements

that are necessary to be done during the standard-

speciﬁc derivation. For example, performIdenti-

ﬁcationofSafetyCharacteristics and performIntende-

dUse, created for the ISO 14971:2019 ruleset, are

meant to replace the effect performDeﬁnitionOfIn-

tendedUseAndSafetyCharacteristics, created for the

ISO 14971:2007. In black, we highlight an artifact

which contains the general information of the ruleset,

which also varies with each standard. Compliance ef-

fects that are not highlighted represent artifacts that

are common and can be reused.

In Step 3, the compliance analysis of the vari-

ability is performed, as presented in Section 3.1.

In our case, we found that the compliance with

EN ISO 14971:2012 requires that one new element,

speciﬁcally a guidance called Treatment of Negligi-

ble Risk-Take all Risks (see Fig. 8) is annotated with

a compliance effect called guidedByTakeIntoAccoun-

tAllRisks (see Fig. 11). A more complex analysis is

performed in the case of ISO 14971:2019. In particu-

lar, there are requirements that mandate the replace-

ment of the task Deﬁne/Use Safety Characteristics.

This implies a variation in the ruleset as presented in

Fig. 13, which is evidently different from the ruleset

created for ISO 14971:2007 (see Fig. 2-(D)). With

the introduction of these requirements, the compli-

ance ﬂow changes. Thus, we need to use Regorous

for perform compliance checking in the ﬁrst 3 tasks

of the new workﬂow.

Figure 13: Ruleset variation respect ISO 14971:2019.

The remaining new elements (see Fig. 9) trigger and

fulﬁl themselves the new compliance effects (see

Fig 12). The result of this analysis corresponds to the

compliance annotations presented in Table 2.

Table 2: ISO 14971: 2019-related Annotations.

Element Compliance Effect

Task: Deﬁnition of

the Intended Use

performIntendedUse, initiateRiskAnalysisProcess

Task: Identiﬁcation

of Characteristics re-

lated to Safety

performIdentiﬁcationSafetyCharacteristics

Work Product: Iden-

tiﬁcation of Char-

acteristics related to

Safety

RiskAnalysisDocumentWithDescriptionPartOfTheTissue,

RiskAnalysisDocumentWithDescriptionPatientPop-

ulation, RiskAnalysisDocumentWithDocumented-

HazardousSituation, RiskAnalysisDocumentWith-

IntendedMedicalIndication, RiskAnalysisDocumen-

tWithIntendedUseAndReasonablyForeseeableMisuse,

RiskAnalysisDocumentWithOperatingPrinciple,

RiskAnalysisDocumentWithUseEnvironment, RiskAnaly-

sisDocumentWithUserProﬁle

Guidance: ISO

14971 Clause 5

GuideByClause5

Guidance: Treat-

ment of Negligible

Risk-Take all Risks

guidedByTakeIntoAccountAllRisks

MODELSWARD 2021 - 9th International Conference on Model-Driven Engineering and Software Development

Figure 14: BVR VSpec.

Figure 15: Variation related to compliance effects.

The fourth step is the modeling of BVR artifacts. In

this step, we model the VSpecs of the families corre-

sponding to the process, ruleset, and checking man-

agement. All the families are created under the same

root, i.e., ISO 14971 (see Fig. 14). A branch of the

feature model tree contains the version of the stan-

dards used to make the changes at variation points.

The interested reader may refer to (Pulla and

Bregu, 2020) for detailed information regarding the

VSpec of the process for risk management with

ISO 14971. In this paper, we focus on the VSpec

model for the ruleset and the checking management.

For example, Fig. 15 depicts the representation of

the compliance effects related to the requirements

that impose the creation of the task Deﬁne use/safety

characteristics. In particular, as presented in Sec-

tion 2.1, such task is mandatory for ISO 14971:2007

and EN ISO 14971:2012, while in ISO 14971:2019

becomes two tasks, i.e., intended Use and Identiﬁca-

tion of Safety Characteristics. Thus, the three com-

pliance effects (highlighted in purple in Figs. 10 and

11) are modeled and two BCL constraints are cre-

ated to deﬁne the variations regarding the version

of the standard selected. For example, if the stan-

dard ISO

14971 2019 is selected in the branch of the

version, BVR resolution will check that we select

performIdentiﬁcationSafetyCharacteristics and per-

formIntendedUse during the selection of the family-

member corresponding to the ruleset of such ver-

sion. The VSpec for the branch compliance check-

ing management, contains the compliant process ele-

ments grouped by their concern, i.e., tasks, role, work

product, and guidance, and enriched with the compli-

ance effects annotations. Fig. 16 presents the branch

Compliant Task that shows the set of tasks that should

appear in the process plan as well as BCL constraint

that restrict the correct representation according to the

standard version selected. The resolution permits the

selection of correct conﬁguration that could be ex-

ported back to EPF-C via realization models. A re-

alization model will permit to bind the selected con-

ﬁguration into the concrete EPF-C related models.

4.2 Reuse Measurement

In our approach, we opt to model the full commonal-

ities between families of standards, the process they

regulate, and the compliance annotations required for

automated compliance checking. Full commonalities

can be guaranteed by atomizing the elements in the

compliance spaces as much as possible so that only

common aspects are present. For this reason, we con-

sider that the commonalities included in the model-

ing of such families have the potential to be fully

reusable. In that light, the percentage of reuse of com-

pliance artifacts can be performed by using the metric

deﬁned for reuse measurement which is recalled in

Section 2.5.

4.2.1 Reuse-related to EN ISO 14971:2012

For compliance with EN ISO 14971:2012, the

guidance called Treatment of Negligible Risk-

Take all Risks (see Fig. 8) was additionally re-

Reusing (Safety-oriented) Compliance Artifacts while Recertifying

Figure 16: Variation related to annotated compliant tasks.

quired with respect to compliance established with

ISO 14971:2007. In total, we used 9 process ele-

ments. Thus, the percentage of reuse is 88,9%. We

also need to create 1 compliance effect and 1 rule-

set (see Fig. 11). As we used 27 artifacts, the reuse

is 92,3%. The compliance effect is associated to the

new guidance, which corresponds to a new compli-

ance annotation of 26 used in total. Thus, the reuse of

compliance annotations is 96,2%. (See Table 3).

Table 3: Reuse measurement related to EN ISO

14971:2012.

Type of artifacts New Total Used Reuse Percentage

Process 1 9 88,9%

Compl. Effects 2 27 92,3%

Compl. Annotations 1 26 96,2%

4.2.2 Reuse-related to ISO 14971:2019

For compliance with ISO 14971:2019, we need to cre-

ate 4 new process artifacts (see Fig. 9), 11 new com-

pliance effects (see Fig. 12) and perform 13 compli-

ance annotations (see Table 2). The number of total

artifacts was 10 process elements, and 32 compliance

effects and compliance annotations. Thus, reuse is

60%, 61,3% and 59,4% respectively (see Table 4).

Table 4: Reuse measurement related to ISO 14971:2019.

Type of artifacts New Total Used Reuse Percentage

Process 4 10 60%

Compl. Effects 12 32 61,3%

Compl. Annotations 13 32 59,4%

5 DISCUSSION

For coping with the recertiﬁcation demands enforced

by the new versions of standards (new requirements,

jurisdictional changes) in the medical domain, pro-

cess plan reconﬁguration is necessary. Compliant

process plan reconﬁguration supported by models au-

tomatically checked for compliance is a plausible so-

lution. Such solution involves the creation of new

modeling artifacts, as presented in Section 4.1. How-

ever, it also involves high degrees of artifacts reuse, as

presented in Section 4.2. In particular, Tables 3 and 4

shows a positive gain in terms of compliance check-

ing artifacts reusability. With these percentages, the

answer to the question posed in the introductory part

of this paper, to what extent process-related compli-

ance artifacts can be reused?, could be the following:

the reuse extent in the context of medical devices is

signiﬁcant (the minimum gain was 59,4%). In partic-

ular, given that the manual conﬁguration of process

models checkable for compliance in EPF-C could be

labor-intensive and time-consuming, the context of

medical devices complying with ISO 14971 can posi-

tively beneﬁt from the systematic reuse of compliance

checking artifacts. In general, processes and stan-

dards that evince low levels of variation could be part

of a family that exhibits high reuse levels in terms of

compliance checking artifacts and could beneﬁt from

using our methodological framework during the re-

quired modeling task.

It is widely recognized that standards require-

ments are challenging to understand due to their

wordiness and how they relate to each other. Their

evolution is also challenging, due to the need to han-

dle the normative changes and the recertiﬁcation ef-

fort, which, as for ISO 14971, may include cross-

MODELSWARD 2021 - 9th International Conference on Model-Driven Engineering and Software Development

jurisdictional spaces. When using our methodolog-

ical framework, process engineers need to analyze

new requirements systematically. This analysis is

required to determine whether an existing compli-

ance checking-related artifact can fulﬁll a speciﬁc re-

quirement as-is or with modiﬁcations (new properties

should be added/deleted), or if new artifacts have to

be modeled from scratch. It also highlights problems

between requirements, which may put compliance at

risk, i.e., contradictory requirements, real/fake depen-

dencies between requirements and new compliance

information applicable to existing process plans. The

most important is that the process engineer’s analy-

sis is recorded in graphical models, which not only

provide automated checks but also automated pro-

cess plan’s reconﬁguration. Thus, our methodological

framework supports a conﬁdent reduction of the work

required to be done when new instances of compliant

process plans have to be modeled.

6 RELATED WORK

The change triggered by updated standards for soft-

ware process is a topic tackled from different perspec-

tives. In (Ocampo and M

unch, 2009), the authors

propose a method that permits to attach change in-

formation to process documents to facilitate change

understandability. However, no systematic methods

to reuse modeling artifacts facilitating the changes

are proposed as we do in our work. Methods

for modeling the change/variation and reuse of pro-

cesses result from the application of software process

lines methodologies, as recently surveyed in (Teixeira

et al., 2019). In particular, SoPLE (Gallina et al.,

2012) has been exploited to provide a representa-

tion of family members with safety information, e.g.,

reusable process arguments used in safety cases (Mar-

tin et al., 2016) and tailoring of process models ac-

cording to safety integrity levels of products (Bres-

san et al., 2020). In our work, we also use SoPLE to

provide mechanisms to support variation knowledge

reuse regarding compliance checking artifacts, which

has not being yet addresses in other approaches.

Advances regarding compliance artifacts reusabil-

ity exist in the business community. Some researchers

tackled reuse by deﬁning building blocks that im-

plement compliance requirements, e.g., compliance

scopes (Schleicher et al., 2011), and compliance frag-

ments (G

orlach et al., 2011; Ma, 2012). Reuse is also

approached with the use of process patterns (Kabir

et al., 2017), and rule patterns (Elgammal et al.,

2016). In contrast, we propose a holistic model-

ing framework for safety-related process compliance

checking that permits to model artifacts, which can be

automatically interleaved with evolutionary/changing

artifacts originated from new versions of standards.

In that way, not only building blocks that implement

compliance requirements (i.e., called in our frame-

work, process models checkable for compliance) are

reusable but also process models and rulesets denot-

ing formalized requirements from standards.

7 CONCLUSIONS AND FUTURE

WORK

Recertiﬁcation is the consequence of the release of

new versions of standards. In this paper, we fo-

cused on process recertiﬁcation needs (interpreted

as the need to show process plan adherence with

the new version of the standard). Taking this

into account, we proposed a concrete technical and

tool-supported methodological framework for reusing

(safety-oriented) compliance artifacts while recerti-

fying. This methodological framework encompasses

process modeling, process compliance checking, and

variability management capabilities to enable system-

atic reuse and automatic generation of process-related

compliance checking artifacts (i.e., process models,

rulesets denoting formalized requirements from stan-

dards, and compliance annotated process artifacts).

We illustrate our methodological framework within

the family composed of the versions of the standard

ISO 14971. Finally, we answer our initial question re-

garding the extent of reuse of process-related compli-

ance artifacts by measuring the reuse enabled by our

methodological framework. In particular, in the con-

text of medical devices complying with different ver-

sions of ISO 14971, the reuse is signiﬁcant. We con-

cluded that processes and standards that evince low

levels of variation (such as ISO 14971) could beneﬁt

from using our methodological framework during the

modeling task required for compliance checking.

In the future, we intend to perform evaluations that

consider the entire ISO 14971 and related standards

(e.g., process improvement and security). Moreover,

we plan to conduct controlled experiments to evalu-

ate the users’ perceived usefulness. We also believe

that when creating/updating standards, process mod-

els, and formal representations of the requirements

should also be provided. Thus, we plan to contact

standardization bodies to investigate this possibility,

which could reduce our approach’s modeling effort

and at the same time reduce undesired room for inter-

pretation of the standards. Finally, we intend to use

more elaborated measurement frameworks to provide

evidence concerning our solution’s efﬁciency in terms

Reusing (Safety-oriented) Compliance Artifacts while Recertifying

of time and cost reduction, as well as scalability.

REFERENCES

Banker, R., Kauffman, R., and Zweig, D. (1993). Repos-

itory Evaluation of Software Reuse. IEEE Transac-

tions on Software Engineering, 19(4):379–389.

Bressan, L., de Oliveira, A. L., Campos, F., Papadopou-

los, Y., and Parker, D. (2020). An integrated approach

to support the process-based certiﬁcation of variant-

intensive systems. In International Symposium on

Model-Based Safety and Assessment, pages 179–193.

Castellanos Ardila, J. P. and Gallina, B. (2017). Towards

increased efﬁciency and conﬁdence in process com-

pliance. In Systems, Software and Services Process

Improvement, pages 162–174.

Castellanos Ardila, J. P. and Gallina, B. (2020). Separation

of concerns in process compliance checking: Divide-

and-conquer. In Systems, Software and Services Pro-

cess Improvement, pages 135–147.

Castellanos Ardila, J. P., Gallina, B., and Ul Muram,

F. (2018a). Enabling Compliance Checking against

Safety Standards from SPEM 2.0 Process Models. In

Euromicro Conference on Software Engineering and

Advanced Applications, pages 45 – 49.

Castellanos Ardila, J. P., Gallina, B., and UL Muram, F.

(2018b). Transforming SPEM 2.0-compatible Process

Models into Models Checkable for Compliance. In

18th International SPICE Conference.

de la Vara, J. L., Parra, E., Ruiz, A., and Gallina, B.

(2019). AMASS: A Large-Scale European Project

to Improve the Assurance and Certiﬁcation of Cyber-

Physical Systems. In 20th International Conference

in Product-Focused Software Process Improvement,

pages 626–632.

Eclipse-Foundation (2018). Eclipse Process Framework

(EPF) Composer – EPF 1.5.2 Release.

Elgammal, A., Turetken, O., van den Heuvel, W., and Papa-

zoglou, M. (2016). Formalizing and applying compli-

ance patterns for business process compliance. Soft-

ware and Systems Modeling., pages 119–146.

Gallina, B. (2019). Quantitative evaluation of tailor-

ing within spice-compliant security-informed safety-

oriented process lines. Journal of Software: Evolution

and Process, e2212(e2212):1–13.

Gallina, B., Kashiyarandi, S., Martin, H., and Bramberger,

R. (2014). Modeling a Safety- and Automotive-

Oriented Process Line to Enable Reuse and Flexible

Process Derivation. In 38th International Computer

Software and Applications Conference, pages 504–

509.

Gallina, B., Pulla, A., Bregu, A., and Castellanos Ardila,

J. (2020). Process Compliance Re-Certiﬁcation Efﬁ-

ciency Enabled by EPF-C ◦ BVR-T : a Case Study. In

13th International Conference on the Quality of Infor-

mation and Communications Technology, pages 1–8.

Gallina, B., Sljivo, I., and Jaradat, O. (2012). Towards

a Safety-oriented Process Line for Enabling Reuse

in Safety Critical Systems Development and Certiﬁ-

cation. In 35th Annual IEEE Software Engineering

Workshop, pages 148–157.

orlach, K., Kopp, O., Leymann, F., and Schumm, D.

(2011). WS-BPEL extension for compliance frag-

ments (BPEL4CFrags). Technical report, Institute of

Architecture of Application Systems, University of

Stuttgart.

Governatori, G. (2005). Representing Business Contracts in

RuleML. International Journal of Cooperative Infor-

mation Systems., pages 181–216.

Governatori, G. (2015). The Regorous Approach to Pro-

cess Compliance. In 19th International Enterprise

Distributed Object Computing Workshop, pages 33–

40.

ISO (2000). ISO 14971:2000 – Application of risk manage-

ment to medical devices.

ISO (2007). ISO 14971:2007 – Application of risk manage-

ment to medical devices.

ISO (2012). EN ISO 14971:2012 – Application of risk man-

agement to medical devices (ISO 14971:2007, Cor-

rected version 2007-10-01).

ISO (2019). ISO 14971:2019 – Application of risk manage-

ment to medical devices.

Javed, M. and Gallina, B. (2018a). Get EPF Composer back

to the future: a trip from Galileo to Photon after 11

years. In EclipseCon.

Javed, M. and Gallina, B. (2018b). Safety-oriented Process

Line Engineering via Seamless Integration between

EPF Composer and BVR Tool. In 22nd International

Systems and Software Product Line Conference, pages

23–28.

Kabir, M., Xing, Z., Chandrasekaran, P., and Lin, S. (2017).

Process Patterns: Reusable Design Artifacts for Busi-

ness Process Models. International Computer Soft-

ware and Applications Conference, 1:714–721.

Ma, Z. (2012). Process fragments: enhancing reuse of pro-

cess logic in BPEL process models. Ph.d. dissertation,

University of Stuttgart.

Martin, H., Krammer, M., Bramberger, R., and Armengaud,

E. (2016). Process-and product-based lines of argu-

ment for automotive safety cases. In 7th International

Conference on Cyber-Physical Systems.

Ocampo, A. and M

unch, J. (2009). Rationale Modeling for

Software Process Evolution Alexis. Software Process:

Improvement and Practice, 14(2):85–105.

OMG (2008). Software & Systems Process Engineering

Meta-Model Speciﬁcation. Version 2.0.

Pulla, A. and Bregu, A. (2020). Master Thesis: Evalu-

ating the Compliance Re-Certiﬁcation Efﬁciency En-

abled by the AMASS Platform for Medical Devices,

alardalen University, School of Innovation, Design

and Engineering, V

aster

as, Sweden.

Schleicher, D., Grohe, S., Leymann, F., Schneider, P.,

Schumm, D., and Wolf, T. (2011). An approach to

combine data-related and control-ﬂow-related compli-

ance rules. In International Conference on Service-

Oriented Computing and Applications, pages 1–8.

SINTEF (2016). BVR Tool, https://github.com/SINTEF-

9012/bvr.

Teixeira, E. N., Aleixo, F. A., de Sousa Am

ancio, F. D.,

OliveiraJr, E., Kulesza, U., and Werner, C. (2019).

Software process line as an approach to support soft-

ware process reuse: A systematic literature review. In-

formation and Software Technology, 116:106175.

MODELSWARD 2021 - 9th International Conference on Model-Driven Engineering and Software Development