
1 Introduction

A service engagement involves two or more autonomous parties interacting with each other and is thus a prototypical sociotechnical system (STS) [22]. An STS can be fruitfully modeled using normative relationships. To this end, commitments have been extensively employed in modeling service engagements (and associated business processes) [5, 19, 20, 24]. A key benefit of commitments over traditional approaches is that commitments capture outcomes in a declarative manner and minimally constrain the behavior of the participants. Two kinds of commitment are known in the literature [13, 16, 21]: practical and dialectical. In a practical commitment, a debtor agent promises a creditor agent to bring about a condition (consequent) if some other condition (antecedent) holds. For example, a customer may commit to paying a reseller if the reseller delivers the goods. In a dialectical commitment, the debtor claims that the consequent holds provided the antecedent does. For example, a customer may dialectically commit to a reseller that the customer received the goods in a damaged condition. These commitments differ in the nature of their standard of satisfaction. For example, a customer may dialectically commit that it received damaged goods, but may not practically commit to damaging the goods. Previous research has nearly always considered only practical commitments [6, 25, 26], a recent exception being Baldoni et al. [2].

The present paper incorporates dialectical commitments in modeling an STS to tackle a previously ignored challenge, namely, how participants make claims about putative facts, claims that may be mutually inconsistent. For example, a customer may claim that goods received are damaged whereas the courier may claim the goods delivered were not damaged. Although this paper doesn’t tackle norm types other than commitments [22], by bringing forth dialectical commitments, it supports the possibility of modeling disputes between participants in STSs and disparities in their policies. This paper sheds light on how potentially to resolve such disputes, thereby facilitating policy-governed secure collaboration.

Research Question and Contributions. When we model secure collaboration in STSs in normative terms [23], it is important to accommodate disputes among STS participants regarding facts and norms. Previous approaches include the objective, but omit the social, aspect of norms in their lifecycles [22]. This leads to our research question: How can we formalize norms in a manner that incorporates their objective and subjective elements and supports verification of interactions on comprehensive grounds?

This paper is restricted to two norm types: dialectical and practical commitments. It contributes a novel operational model and temporal logic formalization based on Computational Tree Logic (CTL) along with a tool based on NuSMV [17], a CTL model checker, to verify if participants’ interactions comply with their commitments. This paper provides a set of modeling patterns incorporating practical and dialectical commitments. We evaluate our approach on a breast cancer diagnosis process specified by a committee of experts called by a major government agency (Office of the Assistant Secretary for Planning and Evaluation (ASPE), US Department of Health and Human Services) [1]. The significance of this work arises from its expanding the operational treatment and formal verification of commitments to incorporate dialectical commitments, thereby enabling new applications that previous approaches cannot tackle.

2 Background

We illustrate the generality of our approach by introducing it via Cisco’s Quote to Cash (QTC) business process [25] and evaluating it via a healthcare collaboration scenario (introduced in Sect. 4). The QTC process encompasses all of the key activities that begin with a customer requesting a quote and end with Cisco receiving payment from the customer. The participants in this process include customers, resellers, distributors, logistics providers, banks, contract manufacturers, and service providers. A customer purchases goods either directly from Cisco, or from a reseller. In addition to selling the goods, a reseller provides value-added services of installing and configuring goods. A reseller purchases goods either from a distributor, or from Cisco. A distributor always purchases goods from Cisco. Unlike a reseller, a distributor may purchase and stock the goods in its warehouse. To build and ship its products, Cisco uses contract manufacturers and transportation providers, respectively. The participants use different banks and credit companies for making payments.

2.1 Practical Commitments

A practical commitment [21] \(\mathsf {C}\)(debtor, creditor, o-context, antecedent, consequent) means that debtor commits to creditor in the organizational context o-context to bring about the consequent provided the antecedent holds. (For brevity, we omit o-context where appropriate.) For example, \(\mathsf {C}\)(cisco, customer, court, pay, deliver goods) means that cisco commits under the o-context court to customer to deliver goods, provided customer pays.

Fig. 1. Practical commitment lifecycle as a state transition diagram.

We describe the lifecycle of a practical commitment from Fig. 1 [25] using the above example. When cisco creates the commitment, its state changes to active from null. If customer pays cisco (antecedent holds), the commitment is detached. The commitment is terminated if cisco cancels the commitment when conditional, or customer releases cisco from the commitment. The commitment is satisfied when the goods are delivered (consequent holds). It is violated if customer has paid up (antecedent holds), but cisco does not deliver the goods (consequent fails), or if cisco cancels the commitment. When the commitment is conditional, if customer does not pay (antecedent fails) cisco, then the commitment expires. If cisco delegates the commitment to another company (delegatee), cisco may suspend the commitment, making it pending. If the delegatee company fails to provide goods to customer, then cisco may reactivate its commitment to customer.

2.2 Computation Tree Logic

Computation Tree Logic (CTL) [4] is a temporal logic based on a branching time structure. Each temporal operator in CTL has two components. The first component is a path quantifier: either \(\mathsf {A}\), meaning on all of the paths; or \(\mathsf {E}\), meaning on at least one path. The second component is a linear-time operator: \(\mathsf {F}\), meaning in a future state; \(\mathsf {G}\), meaning (globally) in all future states; and \(\mathsf {X}\), meaning in the next state. A CTL formula may contain the standard logical operators: \(\lnot , \wedge , \vee ,\) and \(\rightarrow \), meaning negation, conjunction, disjunction, and implication, respectively. As an example, \(\mathsf {AG}(p \rightarrow \mathsf {AF} q)\) means that on all paths if proposition p holds in a state, then on all paths emanating from that state proposition q holds in a future state.

3 Dialectical Commitments

The lifecycle of a practical commitment, as shown in Fig. 1, is inadequate for capturing the semantics of a dialectical commitment. For example, consider Fig. 2, which shows a possible execution in which customer and cisco interact to decide if the goods delivered to customer are damaged. customer informs cisco, i.e., dialectically commits that the goods are damaged.

Fig. 2. Customer and Cisco interactions.

However, cisco disagrees with customer and challenges customer’s claim. That is, cisco dialectically commits that the goods are not damaged. customer then requests a relevant higher authority, such as court, for resolution. court concludes that the goods are not damaged. customer agrees with court and retracts its dialectical commitment.

If we employ the lifecycle of a practical commitment to handle customer’s dialectical commitment, then the commitment is violated since court concludes that the goods are not damaged. Thus, the lifecycle of a practical commitment fails to handle customer’s retraction of a dialectical commitment appropriately.

We write a dialectical commitment using a notation similar to that of a practical commitment: \(\mathsf {D}\)(debtor, creditor, o-context, antecedent, consequent). For example, \(\mathsf {D}\)(customer, cisco, court, \(\top \), goods-damaged) means that customer dialectically and unconditionally (antecedent is \(\top \), true) commits to cisco that the goods are damaged. We allow the debtor to be a set of roles. For example, in the QTC process, customer and reseller may jointly commit to cisco that the goods are damaged: \(\mathsf {D}\)({customer, reseller}, cisco, court, \(\top \), goods-damaged).

3.1 The Proposed Lifecycle of Dialectical Commitments

Figure 3 shows our proposed lifecycle of a dialectical commitment. The state of a dialectical commitment has two dimensions: objective (computed based on the antecedent and consequent, treated as objective facts) and social (computed based on the creditor or the debtor’s actions). Thus, the state of a dialectical commitment is bipartite and written as a pair, e.g., \(\langle satisfied \), \( asserted \rangle \).

Fig. 3. Dialectical commitment lifecycle as a state-transition diagram.

A dialectical commitment is null before it is created. Upon creation, its objective state becomes active and its social state becomes asserted. The active state has two substates: conditional and detached. The commitment becomes detached when its antecedent holds. If the antecedent of a conditional commitment fails, then the commitment becomes expired. The commitment is satisfied if its consequent becomes true when it is active. The commitment becomes violated if its consequent fails when it is detached. On the social side, if the debtor cancels or suspends the commitment when it is asserted, it becomes terminated or pending, respectively. If the debtor reactivates the commitment when it is pending, it becomes asserted. We write the bipartite state of a dialectical commitment as a pair: \(\langle \)objective-state, social-state\(\rangle \). We write the objective state as \(\mathsf {D}_{\textsf {obj}}^{ostate}\) and social state as \(\mathsf {D}_{\textsf {soc}}^{sstate}\), where \(ostate \in \{N, C, D, E, S, V\}\) and \(sstate \in \{ N, R, P, T\}\) (state labels are from Fig. 3).

We describe the progression of a dialectical commitment in the customer-cisco interactions from Fig. 2. customer informs cisco that the goods are damaged and thus creates the dialectical commitment: \(\mathsf {D}_{u} = \mathsf {D}\)(customer, cisco, court, \(\top \), goods-damaged). Upon creation, \(\mathsf {D}_{u}\)’s state is \(\langle detached \), \( asserted \rangle \) (detached since its antecedent is true (\(\top \))).

However, cisco disagrees with customer and challenges customer’s claim, thus creating the dialectical commitment: \(\mathsf {D}_{c} = \mathsf {D}\)(cisco, customer, court, \(\top \), \(\lnot \)goods-damaged). Upon creation, \(\mathsf {D}_{c}\) is \(\langle detached \), \( asserted \rangle \). customer and cisco may resolve their difference of opinion among themselves. But in Fig. 2 they escalate the dispute to court on the condition of goods. court concludes that the goods are not damaged, which causes \(\mathsf {D}_{u}\) to transition to \(\langle violated \), \( asserted \rangle \), and \(\mathsf {D}_{c}\) to transition to \(\langle satisfied \), \( asserted \rangle \). Finally, customer agrees that the goods are not damaged, that is, customer cancels \(\mathsf {D}_{u}\), causing its state to transition to \(\langle violated \), \( terminated \rangle \).

3.2 Formalization

We now formalize the lifecycle of dialectical commitments in CTL. We group the specifications into four groups: state-action, state-state, terminal states, and acceptable executions. To save space, we describe one from each group.

State-Action Transitions. The CTL specifications for state-action transitions follow from the lifecycle given above. For brevity, we explain only a few of them in English.

  1. SA1. \(\mathsf {AG}\ (\mathsf {D}_{obj}^N \wedge \mathsf {create} \wedge \lnot \textsf {antecedent} \rightarrow \mathsf {AX}\ \mathsf {D}_{obj}^C)\)

  2. SA2. \(\mathsf {AG}\ (\mathsf {D}_{obj}^N \wedge \mathsf {create} \wedge \textsf {antecedent} \rightarrow \mathsf {AX}\ \mathsf {D}_{obj}^D)\)

  3. SA3. \(\mathsf {AG}\ (\mathsf {D}_{obj}^C \wedge \textsf {antecedent} \rightarrow \mathsf {AX}\ \mathsf {D}_{obj}^D)\)

  4. SA4. \(\mathsf {AG}\ (\mathsf {D}_{obj}^C \wedge \textsf {antecedent\_fail} \rightarrow \mathsf {AX}\ \mathsf {D}_{obj}^E)\)

  5. SA5. \(\mathsf {AG}\ (\mathsf {D}_{obj}^D \wedge \textsf {consequent\_fail} \rightarrow \mathsf {AX}\ \mathsf {D}_{obj}^V)\)

  6. SA6. \(\mathsf {AG}\ (\mathsf {D}_{obj}^{C \vee D} \wedge \textsf {consequent} \rightarrow \mathsf {AX}\ \mathsf {D}_{obj}^S)\)

     On any path, if a dialectical commitment is conditional or detached in a state and its consequent holds, then on all paths emanating from that state, in the next state the commitment’s objective state becomes satisfied.

  7. SA7. \(\mathsf {AG}\ (\mathsf {D}_{soc}^N \wedge \mathsf {create} \rightarrow \mathsf {AX}\ \mathsf {D}_{soc}^R)\)

     On any path, if a dialectical commitment’s social state is null in a state and the debtor creates it, then on all paths emanating from that state, in the next state the commitment’s social state becomes asserted.

  8. SA8. \(\mathsf {AG}\ (\mathsf {D}_{soc}^R \wedge \textsf {suspend} \rightarrow \mathsf {AX}\ \mathsf {D}_{soc}^P)\)

  9. SA9. \(\mathsf {AG}\ (\mathsf {D}_{soc}^P \wedge \textsf {reactivate} \rightarrow \mathsf {AX}\ \mathsf {D}_{soc}^R)\)

  10. SA10. \(\mathsf {AG}\ (\mathsf {D}_{soc}^R \wedge (\textsf {cancel} \vee \textsf {release}) \rightarrow \mathsf {AX}\ \mathsf {D}_{soc}^T)\)

SA1 means that on any path, if a dialectical commitment is null in a state, the antecedent does not hold, and the debtor creates it, then on all paths emanating from that state, the commitment objectively becomes conditional in the next state.

State-State Transitions. These follow from the dialectical commitment lifecycle.

[figure a: CTL specifications for state-state transitions (SS1 et seq.); image not reproduced]

SS1 means if a dialectical commitment is objectively null in a state, then on all paths emanating from that state, in the next state, the commitment may objectively remain null or may transition to conditional, expired, detached, satisfied, or violated.

Terminal States. These follow from the dialectical commitment lifecycle.

[figure b: CTL specifications for terminal states (TS1 et seq.); image not reproduced]

TS1 means on any path, if a dialectical commitment is objectively expired in a state, then on all paths emanating from that state in the next state, the commitment objectively remains expired.

Acceptable Executions. The above CTL specifications, which follow from the lifecycle, represent hard integrity requirements on the executions. The participants may have additional requirements on acceptable executions. We now describe some common acceptable executions.

[figure c: CTL specifications for acceptable executions (AE1 to AE4); image not reproduced]

AE1 means an execution is acceptable if a dialectical commitment is never created or remains conditional forever. AE2 means an execution is acceptable if a dialectical commitment is created but later expires. AE3 means that on an execution a dialectical commitment may be objectively satisfied and socially asserted, i.e., \(\langle satisfied \), \( asserted \rangle \); such an execution may be acceptable since the debtor is asserting a statement that is deemed objectively true. AE4 means that on an execution a debtor may create a dialectical commitment whose consequent turns out to be false, that is, the commitment transitions to \(\langle violated \), \( asserted \rangle \). In such a case, the debtor should cancel the commitment, thus transitioning its state to \(\langle violated \), \( terminated \rangle \). The debtor’s cancellation implies that the debtor acknowledges its error. In some scenarios, the debtor may be penalized for such fallacies: the context may create a commitment in which the debtor is required to pay a penalty to the creditor.

The CTL specification capturing the above desirable states of a dialectical commitment is: \(\mathsf {AF}\ \mathsf {AG}\ (\mathsf {D}_{obj}^{N} \vee \mathsf {D}_{obj}^{C} \vee (\mathsf {D}_{obj}^{S} \wedge \mathsf {D}_{soc}^{R}) \vee (\mathsf {D}_{obj}^{V} \wedge \mathsf {D}_{soc}^{T})) \). This specification means that on all paths in the future, a dialectical commitment’s objective state remains \( null \) or \( conditional \), or its objective and social state becomes \(\langle satisfied , asserted \rangle \), or \(\langle violated , terminated \rangle \).

These examples pertain to executions ending up in certain states. In some cases, the participants may desire executions that pass through some intermediate states. We can state and verify additional properties on intermediate states as well. For example, we can write the requirement that \(\mathsf {D}\) should always be created as: \(\mathsf {AF}\ \mathsf {D}_{obj}^{C \vee D}\).
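As an added illustration (not the paper’s NuSMV module or tool), the following Python encodes the bipartite lifecycle of Sect. 3.1 as the state-action rules SA1–SA10, replays the customer and cisco dispute of Fig. 2 for \(\mathsf {D}_{u}\) and \(\mathsf {D}_{c}\), and checks the acceptable-execution property \(\mathsf {AF}\ \mathsf {AG}\ (\ldots)\) of Sect. 3.2 on each resulting path. It goes slightly beyond the text by also replaying the variant of Sect. 4.1 in which the retraction message is missing. The event names (`create`, `create_detached`, `antecedent_fail`, `consequent_fail`, and so on) and the event sequences are constructed for this example and are not notation from the paper; on a single finite path whose last state stutters forever, \(\mathsf {AF}\ \mathsf {AG}\ \varphi\) reduces to \(\varphi\) holding from some index onward, which is what `settles_at` computes.

```python
"""Added example: dialectical-commitment lifecycle (Fig. 3, SA1-SA10) replayed
on the Fig. 2 dispute, with a finite-path check of AF AG(acceptable)."""
from dataclasses import dataclass
from typing import List, Optional

# Objective labels (Fig. 3): N null, C conditional, D detached, E expired,
# S satisfied, V violated.  Social labels: N null, R asserted, P pending,
# T terminated.  A state is the pair <objective, social>.


@dataclass(frozen=True)
class DState:
    obj: str
    soc: str


NULL = DState("N", "N")


def step(s: DState, event: str) -> DState:
    """One state-action transition. Events that are not enabled in the current
    state leave it unchanged; this stutter also realises the terminal-state
    rules (E, S and V absorb on the objective side, T on the social side)."""
    if event == "create":               # SA1 + SA7: antecedent not yet holding
        return DState("C", "R") if s == NULL else s
    if event == "create_detached":      # SA2 + SA7: antecedent already true (e.g. top)
        return DState("D", "R") if s == NULL else s
    if event == "antecedent":           # SA3
        return DState("D", s.soc) if s.obj == "C" else s
    if event == "antecedent_fail":      # SA4
        return DState("E", s.soc) if s.obj == "C" else s
    if event == "consequent":           # SA6
        return DState("S", s.soc) if s.obj in ("C", "D") else s
    if event == "consequent_fail":      # SA5
        return DState("V", s.soc) if s.obj == "D" else s
    if event == "suspend":              # SA8
        return DState(s.obj, "P") if s.soc == "R" else s
    if event == "reactivate":           # SA9
        return DState(s.obj, "R") if s.soc == "P" else s
    if event in ("cancel", "release"):  # SA10
        return DState(s.obj, "T") if s.soc == "R" else s
    raise ValueError(f"unknown event {event!r}")


def run(events: List[str]) -> List[DState]:
    """Replay an event sequence (one commitment's view of an interaction)."""
    trace = [NULL]
    for e in events:
        trace.append(step(trace[-1], e))
    return trace


def acceptable(s: DState) -> bool:
    """The disjunction inside AF AG(...) of Sect. 3.2: objectively null or
    conditional, or <satisfied, asserted>, or <violated, terminated>."""
    return (s.obj in ("N", "C")
            or (s.obj == "S" and s.soc == "R")
            or (s.obj == "V" and s.soc == "T"))


def settles_at(trace: List[DState]) -> Optional[int]:
    """AF AG acceptable on one finite path whose last state stutters forever:
    the first index from which every later state is acceptable, else None."""
    k = None
    for i, s in enumerate(trace):
        if acceptable(s):
            if k is None:
                k = i
        else:
            k = None
    return k


# Constructed replay of Fig. 2.  D_u = D(customer, cisco, court, top, goods-damaged),
# D_c = D(cisco, customer, court, top, not goods-damaged).  court's ruling "not
# damaged" is consequent_fail for D_u and consequent for D_c; customer then
# retracts (cancels) D_u.
FIG2_D_U = ["create_detached", "consequent_fail", "cancel"]
FIG2_D_C = ["create_detached", "consequent"]
# Constructed variant in the spirit of Sect. 4.1: the retraction is missing,
# so the debtor never cancels a commitment that turned out to be false.
NO_RETRACTION_D_U = ["create_detached", "consequent_fail"]


def dispute_outcome() -> dict:
    """Final states and settling indices for the three constructed paths."""
    return {
        "D_u": run(FIG2_D_U)[-1],
        "D_c": run(FIG2_D_C)[-1],
        "D_u_settles": settles_at(run(FIG2_D_U)),
        "D_c_settles": settles_at(run(FIG2_D_C)),
        "no_retraction_settles": settles_at(run(NO_RETRACTION_D_U)),
    }


if __name__ == "__main__":
    for name, evs in [("D_u", FIG2_D_U), ("D_c", FIG2_D_C),
                      ("D_u without retraction", NO_RETRACTION_D_U)]:
        tr = run(evs)
        path = " -> ".join(f"<{s.obj},{s.soc}>" for s in tr)
        print(f"{name}: {path}; settles at {settles_at(tr)}")
```

Running the block prints the three paths: \(\mathsf {D}_{u}\) settles at \(\langle violated , terminated \rangle \), \(\mathsf {D}_{c}\) at \(\langle satisfied , asserted \rangle \), and the retraction-less path ends in \(\langle violated , asserted \rangle \) and never settles, which is the kind of counterexample the paper reports in Sect. 4.1. Note that over the unconstrained lifecycle graph of this model the property cannot hold, because the stutter self-loop at \(\langle violated , asserted \rangle \) (and at \(\langle satisfied , pending \rangle \)) can be taken forever; that is why, as with the paper’s tool, the property is checked against concrete interaction traces rather than against the lifecycle alone.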

3.3 Modeling Patterns

This section presents a nonexhaustive set of representative modeling patterns.

Service Provisioning with Claimed Correctness. A provider (1) practically commits to a client to bring about a consequent condition if some antecedent condition holds, and (2) dialectically commits that either the client would agree with the consequent, or in case of a disagreement between the client and the provider, a higher authority would agree with the consequent.

  • \(\mathsf {C}_1\) = \(\mathsf {C}\)(provider, client, ant, con)

  • \(\mathsf {D}_1\) = \(\mathsf {D}\)(provider, client, con, clientAgrees \(\vee \) authAgrees)

For example, reseller (practically) commits to customer to provide and install the goods if customer pays: \(\mathsf {C}\)(reseller, customer, pay, goods \(\wedge \) install). And reseller dialectically commits to customer that the goods will be in working condition and the installation service acceptable: \(\mathsf {D}\)(reseller, customer, goods, clientGoodsWorking \(\vee \) authGoodsWorking), \(\mathsf {D}\)(reseller, customer, install, clientAcceptableInstallation \(\vee \) authAcceptableInstallation).

Escalation. o-context commits to client (\(\mathsf {C}_2\)) to bring about the creation of another commitment (\(\mathsf {C}_3\)) if the provider violates its commitment (\(\mathsf {C}_1\)) and the client escalates the (presumed) violation to the o-context. In \(\mathsf {C}_3\), another provider commits to client to bring about the consequent. Additionally, the o-context may penalize the violating provider or not, depending on the modeled settings and the particular circumstances that obtain, some of which need not concern client.

  • \(\mathsf {C}_1 = \mathsf {C}(\textsc {provider}, \textsc {client}, \textsf {ant}, \textsf {con})\)

  • \(\mathsf {C}_2 = \mathsf {C}(\textsf {o}\text {-}\textsf {context}, \textsc {client}, \textsf {vio}(\mathsf {C}_1) \wedge \textsf {escalate}, \textsf {create}(\mathsf {C}_3))\)

  • \(\mathsf {C}_3 = \mathsf {C}(\textsc {provider}\text {'}, \textsc {client}, \textsf {ant}\text {'}, \textsf {con})\)

For example, distributor practically commits to delivering goods to customer: \(\mathsf {C}_1 = \mathsf {C}\)(distributor, customer, \(\top \), goods). If distributor fails to deliver the goods, the context court directs another distributor to deliver the goods: \(\mathsf {C}_2 = \mathsf {C}\)(court, customer, vio(\(\mathsf {C}_1\)) \(\wedge \) escalate, create(\(\mathsf {C}_3\))), \(\mathsf {C}_3 = \mathsf {C}\)(distributor’, customer, \(\top \), goods).

Chained Service Provisioning with Jointly Claimed Correctness. Provider SP1 commits to a client to bring about a consequent if some antecedent holds. Additionally, SP1 dialectically commits that either the client or (in case of a disagreement between the client and the provider) a higher authority would agree that the consequent holds, provided that providers SP2 and SP3 do not violate their dialectical commitment (\(\mathsf {D}_2\)). SP2 and SP3 jointly dialectically commit to SP1 that either SP1 or (in case of a disagreement) a higher authority would agree that con3 holds.

  • \(\mathsf {C}_1 = \mathsf {C}(\textsc {sp1}, \textsc {client}, \textsf {ant1}, \textsf {con1})\)

  • \(\mathsf {D}_1 = \mathsf {D}(\textsc {sp1}, \textsc {client}, \lnot \textsf {vio}(\mathsf {D}_2) \wedge \textsf {con1}, \textsf {clientAgreeCon1} \vee \textsf {authAgreeCon1})\)

  • \(\mathsf {C}_2 = \mathsf {C}(\textsc {sp3}, \textsc {sp2}, \textsf {ant2}, \textsf {con2})\)

  • \(\mathsf {C}_3 = \mathsf {C}(\textsc {sp2}, \textsc {sp1}, \textsf {ant3}, \textsf {con3})\)

  • \(\mathsf {D}_2 = \mathsf {D}(\textsc {\{sp2, sp3\}}, \textsc {sp1}, \textsf {con3}, \textsf {sp1AgreeCon3} \vee \textsf {authAgreeCon3})\)

4 Evaluation

We evaluate our approach on a breast cancer diagnosis process specified by a committee of experts called by a major government agency (US Department of Health and Human Services) [1]. This process models five roles: patient, physician, radiologist, pathologist, and registrar. The roles interact as follows: (1) the physician orders a mammography (imaging) exam for the patient; (2) if the radiologist notices suspicious calcifications, she recommends a biopsy; (3) if the physician agrees, she performs a biopsy, and sends the collected tissue specimen to the pathologist; (4) the pathologist analyzes the specimen, and performs ancillary studies; (5) the pathologist and radiologist may confer to reconcile their results and produce a consensus report; (6) the physician reviews the integrated report with the patient to create a treatment plan; and (7) the pathologist forwards his report to a cancer registry’s registrar.

We apply the patterns on the cancer diagnosis scenario to produce a commitment-based model. We rename the pattern roles with the scenario-specific role names, and substitute the scenario-specific tasks as the antecedents and consequents of the appropriate commitments. We describe the commitments shown in Table 1 and the patterns that compose the model.

Table 1. Commitment-based model for the diagnosis process

Patient’s Appointments. Practical commitments (\(\mathsf {C}_2\), \(\mathsf {C}_3\)). patient commits to physician to keep her imaging (\(\mathsf {C}_2\)) and biopsy appointments (\(\mathsf {C}_3\)) if requested.

Add Patient to Registry. Practical commitments (\(\mathsf {C}_7\), \(\mathsf {C}_8\)). pathologist commits to hospital (\(\mathsf {C}_7\)) to reporting patient to registrar if patient has cancer, and registrar commits to hospital (\(\mathsf {C}_8\)) to add patient to the registry.

Patient’s Radiology and Pathologist’s Diagnosis. Chained service provisioning with jointly claimed correctness (\(\mathsf {C}_1\), \(\mathsf {D}_1\), \(\mathsf {C}_4\), \(\mathsf {C}_6\), \(\mathsf {D}_3\)). pathologist commits to radiologist (\(\mathsf {C}_6\)) to provide a pathology report if radiologist requests it and provides a tissue sample. radiologist commits to physician (\(\mathsf {C}_4\)) to provide an integrated radiology and pathology report if physician requests it and patient keeps the necessary appointment. pathologist and radiologist jointly dialectically commit to physician (\(\mathsf {D}_3\)) regarding the correctness of the integrated report. physician commits to patient (\(\mathsf {C}_1\)) to provide a diagnosis report if patient requests it and keeps the necessary appointments. physician dialectically commits to patient (\(\mathsf {D}_1\)) to the correctness of the diagnosis report if the integrated radiology and pathology report is correct.

Patient’s Imaging. Service provisioning with claimed correctness (\(\mathsf {C}_5\), \(\mathsf {D}_2\)). radiologist commits to physician (\(\mathsf {C}_5\)) to provide imaging results if physician requests the results. In addition, radiologist dialectically commits to physician (\(\mathsf {D}_2\)) regarding the correctness of the imaging results.

Escalate Radiologist’s Failure to Provide Imaging Results. Escalation (\(\mathsf {C}_5\), \(\mathsf {C}_9\), \(\mathsf {C}_5\)’, \(\mathsf {D}_2\)’). hospital commits to physician (\(\mathsf {C}_9\)) to bring about the creation of practical (\(\mathsf {C}_5\)’) and dialectical (\(\mathsf {D}_2\)’) commitments from an alternative radiologist if the original radiologist violates commitment \(\mathsf {C}_5\) and physician escalates the violation.

Tumor Board Provides Input on a Diagnosis. Practical commitments (\(\mathsf {C}_{10}\), \(\mathsf {C}_{11}\), \(\mathsf {C}_{12}\), \(\mathsf {C}_{13}\)). tumor board commits to physician, radiologist, patient, and pathologist to provide its input on a diagnosis upon request.

Radiologist and Pathologist Guarantee their Diagnoses. Dialectical commitments (\(\mathsf {D}_4\), \(\mathsf {D}_5\)). radiologist dialectically commits (\(\mathsf {D}_4\)) to pathologist that upon providing the radiology report, either pathologist would agree with those results, or in the case of a disagreement, tumor board will agree with those results. pathologist makes a similar commitment (\(\mathsf {D}_5\)) to radiologist regarding the pathology report.

4.1 Verification

This section applies our verification approach to the ASPE process. We adopt the UML 2.0 Sequence Diagram notation [18] to create sequence diagrams for the model from Table 1. Figure 4 shows one of the sequence diagrams. The condition on the outer opt(ional) block is that radiologist has reported the imaging results (whether patient has cancer or not) to physician, and created \(\mathsf {D}_2\). In the nested alt(ernate) block, physician either agrees with the imaging results, thus satisfying \(\mathsf {D}_2\), or requests tumor board for an assessment, thus creating \(\mathsf {C}_{11}\). In the inner alt(ernate) block, tumor board either agrees or disagrees with the imaging results. In either case, tumor board satisfies \(\mathsf {C}_{11}\). If tumor board disagrees with the imaging results, radiologist cancels and retracts \(\mathsf {D}_2\) by informing physician her agreement with tumor board.

Fig. 4. physician requests tumor board to review the imaging results.

We develop a NuSMV module for dialectical commitments. We employ this module in verifying models that contain dialectical commitments. Our verification tool (based on NuSMV) [10] takes sequence diagrams and a commitment model as the input. It reports if the sequence diagrams comply with the commitments in the model.

On a computer with a 2.66 GHz Intel Core 2 Duo processor and 8 GB memory, our tool verified the set of sequence diagrams we developed for this scenario (including the one from Fig. 4) in 0.2 s. Our tool reported that the sequence diagrams satisfy the model from Table 1. To demonstrate how our approach detects an error, we remove the message from radiologist to physician agreeing to tumor board’s assessment from the sequence diagram in Fig. 4. Figure 5 shows a partial screenshot of the NuSMV output demonstrating that the model fails to satisfy the (highlighted) CTL specification. The output shows that \(\mathsf {AF}\ \mathsf {AG}\ ( \mathsf {D}_{obj}^{N} \vee \mathsf {D}_{obj}^{C} \vee (\mathsf {D}_{obj}^{S} \wedge \mathsf {D}_{soc}^{R}) \vee (\mathsf {D}_{obj}^{V} \wedge \mathsf {D}_{soc}^{T}))\) is false for \(\mathsf {D}_2\). The counterexample shows a trace in which radiologist violates \(\mathsf {D}_2\); i.e., \(\mathsf {D}_2\) remains in the state \(\langle violated , asserted \rangle \). This means radiologist does not agree with tumor board’s recommendation, and does not cancel \(\mathsf {D}_2\).

Fig. 5. Tool output indicating an error in the sequence diagrams with respect to the commitments.

4.2 Benefits of Dialectical Commitments

Our approach captures relationships between the participants in terms of practical and dialectical commitments and omits the internal activities of individual participants (e.g., pathologist’s slides activity). In this way, it avoids tight coupling between the participants. In addition, our approach provides a basis for answering some significant questions, which the traditional approach cannot answer.

What happens if the treatment plan turns out to be incorrect? Who is or are accountable? An incorrect treatment plan arises from an incorrect integrated radiology and pathology report, which means radiologist and pathologist both violate their joint dialectical commitment \(\mathsf {D}_3\). In this case, \(\mathsf {D}_1\) never detaches, and thus physician is not accountable for the incorrect diagnosis (that is, he does not violate \(\mathsf {D}_1\)).

What happens if radiologist delivers the mammography results on time but her diagnosis is wrong? radiologist violates \(\mathsf {D}_2\) by delivering an incorrect mammography. physician may incorrectly conclude that patient is free of cancer. In such a case, radiologist would be accountable for the erroneous claim.

The questions show how our approach produces models that are valuable for diagnosis and organizational governance.

5 Related Work

Commitments have been extensively employed for modeling processes. However, in contrast to our work, most of the previous work has considered only practical commitments. El Menshawy et al. [7] propose the CTLC+ logic for verifying commitments. Their logic handles practical commitments, and includes modalities for commitment creation and fulfillment (or violation). In contrast, our approach handles both practical and dialectical commitments, and considers the entire lifecycle of commitments not just their creation and fulfillment (or violation). Specifically, CTLC+ cannot handle scenarios in which the debtor cancels its commitment, or the creditor releases the debtor from the commitment.

Winikoff [27] states that agent interactions designed by focusing on messages restrict agent autonomy by limiting their interaction flexibility. He proposes a commitment-based approach for modeling agent interactions. We agree with Winikoff and employ commitments for modeling processes. However, unlike Winikoff, in addition to practical commitments, we consider dialectical commitments as a first class abstraction to model the guarantees made by the participants (agents). Further, we show how agents’ interactions can be verified with respect to their commitments.

Singh [21] presents a combined logic for practical and dialectical commitments. He formulates postulates that capture reasoning patterns for commitments. Our work goes beyond Singh’s work in proposing an operationalization of dialectical commitments via a new lifecycle, and showing how to employ CTL to formally verify agent interactions. Additionally, we propose novel reasoning patterns incorporating practical and dialectical commitments.

McBurney and Parsons [13], and Krabbe and Walton [11] describe an argumentation-based representation for agent dialogs (interactions), and formal dialectical systems in argumentation, respectively, that include a notion of commitments. However, their approach violates the autonomy of the participants. For example, a question by one agent may “impose a commitment on the second to provide a response” (p. 266). In contrast, we treat a commitment being created autonomously by its debtor. In addition, we provide a formalization of commitments that supports verification.

Some work on architecture for collaboration is relevant even though it does not incorporate commitments. Narendra et al. [15] propose an architecture framework for modeling cross-enterprise collaborations that consists of three layers: strategy, operational, and service layers. The strategy layer specifies the goals and business rules; the operational layer specifies the services; and the service layer specifies the service implementations. Narendra et al.’s framework lacks adequate modeling of the relationships among the participants. It will be interesting to incorporate commitments (practical and dialectical) to capture the relationships among the participants at the strategy layer.

Liptchinsky et al. [12] propose an approach for modeling dynamic collaboration processes that employs a network of collaborative documents and a social network of collaborators. The notion of relations is a fundamental element in Liptchinsky et al.’s modeling approach. It would be interesting to incorporate commitments to model these relations. Commitments provide a rigorous way to capture the relations among the actors, such as an actor (or a group of actors) committing to performing a certain action or an actor (or a group of actors) making a claim.

Hofreiter et al. [9] present the UMM methodology for modeling global choreographies, that is, interactions among organizations. UMM seeks to specify a choreography at a high level, independently of the underlying implementation technology. However, UMM lacks well-defined abstractions for capturing the relationships underlying the collaborations. Commitments can provide an abstract and technology-independent way of specifying relationships in UMM’s business domain and requirements views.

We agree with Grando et al. [8] regarding the benefits of high-level abstractions for specifying medical processes. However, unlike our approach, Grando et al. take a centralized viewpoint that violates the autonomy of the participants by mandating their goals. Further, since Grando et al.’s approach ignores the social commitments between the participants, it misses specifying the participants’ responsibilities to each other in the modeled process.

Müller et al. [14] describe the importance of interoperability in healthcare but focus on data interoperability, i.e., interoperability with respect to message formats. We incorporate considerations of interactions and thus enable specifying and verifying interoperability in general. For example, a radiologist is interoperable with a hospital not only because they agree on the formats of the messages they exchange but because they agree on the commitments involved in those messages.

6 Discussion and Future Work

Modeling sociotechnical systems, such as service engagements, involves properly modeling the relevant normative relationships, or norms [22]. Although we consider commitments as the only norm type in this paper, we give first-class status to dialectical commitments, which are a crucial element of secure collaboration. The main new idea of our approach is highlighting the social nature of dialectical commitments. This idea would readily apply to other norm types. We enhance an existing commitment-based process modeling and verification method [25] to incorporate dialectical commitments and organizational context. In healthcare settings, dialectical commitments enable precisely identifying the accountable party behind a diagnosis.

We incorporate our proposed method into a verification approach and tool based on NuSMV. Our representation enables stating important properties of models in high-level terms to capture stakeholder requirements. Our tool can identify potential errors in models, thereby leading to the design of correct STSs.

In future research, we will address some limitations of this work. In particular, on the theoretical side, we will investigate how dialectical commitments relate to other norm types in STSs from the standpoint of the foundations of representing, verifying, and achieving secure collaboration in open settings. On the practical side, we will develop and empirically evaluate an enhanced modeling methodology incorporating dialectical commitments, as well as a verification method that incorporates an enhanced notion of time to support better representation and verification of STSs. We will also study how commitments relate to existing business process modeling standards such as BPEL [3].