Policies (session summary)

P. Feiler
International Software Process Workshop, 1990-10-01. DOI: https://doi.org/10.5555/317498.317689

Abstract

The session on policies was led by Mark Dowson as keynoter. A more detailed description of this session was phrased as “Discussion of experience with domains in actual models — the semantic concerns of process models. What are lessons to be learned about model specific semantics? Model independent semantics?”.

In his presentation Mark Dowson focused on the term policies. Policies were described as constraints that facilitate coordinated performance of process steps by multiple agents. Different kinds of policies exist, and there are different forms of policies. Issues regarding the relationship between policies and processes were raised, and ways of applying policies were discussed. Formal and informal as well as automated and manual policies and processes involving humans both at the organizational level and at the level of individuals were considered.

The discussion generated by the presentation was lively. Examples of processes and policies in a variety of domains including non-software engineering domains were presented. A spectrum of terms was used for the notion of policy, ranging from laws and standards to procedures and methods. In the following the reader will find a capsule summary of the findings. This summary does not reflect the flow of the discussions, nor does it include all the examples mentioned. Instead, the summary attempts to present the essence of the messages communicated by the participants by abstracting out some of the characteristics of policies.

Policies can be described as constraints with respect to certain processes. They are statements either in terms of the notation describing the process, or in terms of a notation whose interpretation establishes a mapping to the process. There are different degrees of compliance with these constraints and there are a number of ways this compliance can be achieved. In different domains people have identified constraints with certain characteristics and given them special labels. This was evident in the discussion by the usage of terms such as advice, culture, guideline, goal, law, method, objective, order, policy, practice, preference, procedure, rule, standard, strategy, etc. Some of these terms imply particular degrees of compliance and forms of enforcement, while others imply that the constraints apply to certain types of processes and that the constraints may be in terms of the process, in terms of an abstraction of the process, or in terms of the process of managing the execution of a process — the latter two requiring interpretation to establish a mapping between the constraint and the process. In the remainder of this discussion we will use the term policy to mean a constraint.

Processes and policies can be characterized according to whether they have an explicit or implicit representation, whether their representation is formal or informal, whether the process and the policies are described in the same or different representations, and whether they are interpreted manually or automatically. Processes may not have an explicit representation. This is the case with processes that are performed by humans, have evolved and are part of their culture, but have not been documented. Similarly, policies may not have an explicit representation. They may be part of undocumented cultural guidelines. They may not be explicitly represented themselves, but may be embedded in a process that has an explicit representation. The representation used to describe processes and policies may have different degrees of formality, ranging from natural language and stylized natural language to formal notations with well-defined semantics based on a formal theory. Informal representations require interpretation by humans, while formal descriptions can be interpreted both by humans and by automation tools. The interpretation of a formal representation by an automation tool can be for the purpose of validating the static description, or can be the enactment of a process program.

Processes and policies can be combined in several ways. The first way is process construction through a human. Policies, described informally or formally, are examined by the human and reflected in the process definition. In the second way, process definitions and policy definitions exist as formal but separate notations. They are supplied to a process-driven environment. This environment enacts the process and interprets the policies to check for their compliance. In the third arrangement, both process and policy definitions are described using the same notation and interpreted by a process-driven environment. One way of visualizing the enactment in such an environment is that both processes and policies are being executed as cooperating processes. Certain execution events are passed to the policy process. Synchronous verification of execution events corresponds to enforcement of policies, while asynchronous monitoring of events corresponds to checking for compliance. In the fourth way, process descriptions are refined from process templates. Policies are examined to make sure that the refinements are not in violation. In this case checking of policy compliance is attempted statically. The final way is a process construction process similar to the first way. The difference is that policies are formally expressed and the generation of process definitions is performed automatically.

Several of the above methods embed policies in the process and, by enforcing the enactment of the process, enforce compliance with the policy. Such an approach allows for the certification of a process to satisfy certain policies. The certification is dependent on the compliant enactment of the process. Other methods, especially ones involving interpretation of either policies or processes by humans, have a scale of compliance. Different degrees of compliance effectively provide different degrees of flexibility. Flexibility is necessary to handle exceptions, especially in processes involving humans. Compliance with a policy is always relative to the process it is applied to. For example, there may be a policy for always having a testing step done. This policy may be fully complied with. However, this policy does not specify anything regarding the quality of the tests to be applied.

Compliance with policies is only meaningful if there is accountability, with a penalty for non-compliance. If there is no penalty for non-compliance, then there is no forcing function for satisfying a policy, and no purpose for the policy.

In general, policies can be interpreted two ways. Policies can either be viewed as restrictions, a mechanism for controlling the process. Or they can be viewed as a facility for specifying the scope of autonomy — allowing for authority and freedom by specifying the policies at the appropriate level of abstraction and by separating concerns.

Processes may be constrained by a number of policies. Policies may be in conflict with each other. Such conflicts must be recognizable. In informal policies it is often left to the person interpreting the policies to determine how to resolve the conflict if and when it is detected. In many systems being modelled by processes and policies, priorities are assigned to policies specifying a precedence ordering regarding their compliance. Basically, the penalties for non-compliance with different policies are weighed against each other. Some systems allow for policies and processes to be changed. In such circumstances, processes and policies can be adapted to avoid conflicts between policies or between policies and processes. For example, in business organizations there is a hierarchy of policies. At the top level there are corporate policies. At the divisional level there are policies referred to as practices. Finally, these get refined into operational policies called procedures. A change to a corporate policy can cause conflict with other corporate policies, which can be resolved before it goes into effect. The new corporate policy also affects practices. Possible conflicts can be resolved by adapting the practices to the new policy, and by recommendation for adjustment of the corporate policy for otherwise unresolvable conflicts.

The application of a policy to a process is a process itself. As discussed above, this process can take on many forms. Note, however, that being a process, it can be governed by policies. The result is that we have policies on (the application of) policies. To be more exact, these policies divide into policies on the creation of policies, policies on the evolution, i.e., change, of policies, and policies on applying and verifying compliance of policies.

This leads to a model of an organization as a growing organism. Legislation is a basis for evolution of an organization. This is considered a deep issue. In an organization there are processes for producing products. These processes are managed. Management is a collection of processes itself. Some processes are concerned with monitoring and improving the production processes. Other processes are concerned with resource allocation across parts of the organization. The management processes are under scrutiny of other management processes. Those are the processes that have delegated responsibility for the execution of the particular process, and processes responsible for monitoring and improving management processes. In effect an organization can be viewed as the bootstrapping and on-the-fly evolution of a system of processes and policies.

During the discussions a number of properties for policies and for commitment to policies were collected. Properties of policies included genesis, scope, binding, change, responsibility, interpretation, enaction, consistency analysis, validation. Properties of commitment included commitment to whom, commitment by whom, commitment known by whom, conditions of commitment, monitoring and reporting of compliance to commitment, and credibility of commitment.

In summary, a number of other disci