Dave Thinking Aloud

Where do we get our reusable services from?

2008-07-21T17:02:00.001+12:00

With an emphasis on process design first, we do have an opportunity to realise the much vaunted reuse of IT components but not if the expectation is that IT will engage with a process diagram and infer all sorts of things about the future of the business. Definition of services belongs out in the business world (this is what we need the service to deliver) not in the builders yard of the IT engineer. In What does SOA mean for the process modeling world? Rick Geneva wrote

In a SOA system, certain parts and pieces are offered as a service to the entire organization. The role of the IT engineer shifts slightly to where their primary responsibility is to create services, and reuse existing assets before purchasing or building new ones. If a service is needed that doesn’t already exist, the first step is to determine if the organization already has a system that performs a similar function. If so, then there are ways to expose an operation (activity) as a service with minimal impact to the surrounding IT environment.

This is all true but it is going a bit far to suggest that when presented with this abstract of a process diagram (from Rick's post)

the IT team should immediately think of providing as Rick suggests ...

1) The request router. 2) the lookup manager service. The lookup manager service would probably be not be directly used by the process. Instead, we would use the lookup manager service as part of the request router. The request router would most likely be created as a generic service that could also handle the manager response.

Implicit in the use of this type of model as a specification of requirements is an understanding of message handling. Routing messages should certainly be part of a generic implementation (in a BPMS solution perhaps) but hardly considered in a single business process. The process analyst is, at best, defining a requirement for a service that will satisfy the Lookup Manager activity in terms of the data available in Receive Request and required in Route to Manager.

A better approach may be for the process analyst to signal the requirement for a more abstract and generally applicable service by renaming Lookup Manager to Apply Business Rules for Routing Message.

BPMN Pools and Lanes

2008-06-12T14:32:00.005+12:00

Bruce Silver introduces one of the misunderstood areas of BPMN in his recent post . He notes that a Pool is a container for a process.

It’s called a pool, a rectangular shape that serves as a container for a process. So in that sense a pool is synonymous with a process, and that’s as basic as you can get. The confusion sets in when you understand that a business process diagram (BPD) - the top-level object in BPMN, describing a single end-to-end business process - frequently contains multiple pools.

Of course one person may view a process as end-to-end and another will view it simply as an activity their grand plan. It is a matter of perspective. So it is as well to determine what the scope of a BPM exercise is.

Bruce recommends the practice of treating the 'requester' or initiator of a process as an external element communicating with the orchestration. In BPMN terms the requester is a black-box process in its own pool. Here is his view of a simple absence request.

This provides a clear definition of the relationship between the Employee and the orchestrated business process. The message-passing constitutes the shared information between the Employee and the Time Off Request process. The Time Off Request process has a division of responsibilities between HR and the Manager of the employee represented by the BPMN Lane construct. A Lane is a graphical sub-division of the Pool and does not impose limitations on the business process. A pool however does constrain the process design in that sequence flows cannot cross pool boundaries. The problem that I have with this is that it is equally possible to view the HR activities as a service to the Manager and the nature of that service may change over time independently of the Manager or Employee expectations in the end-to-end process. I commented to Bruce

... there is something to be gained by treating the departmental manager and HR as actors at the same level by putting them in different pools. We could then think of these participants as having control of their own processes subject only to the contracts implied by the messages between them. This also recognises that organisational change (including mergers and acquisitions) does not necessarily alter the business process.

Implicit in the division of the Time Off Request Pool by Lane is that all the information of the process is available to both Manager and HR. This is fine until outsourcing comes along and you have to work out what info that you need to pass across in the message. Alternatively it obscures important details about the scope of the participants involvement (as far as the process analyst viewed it). Bruce responded to my question of the value of the Lane...

What is lost is the idea of orchestration, which is central to BPMN. A pool does not represent an actor but a process. (Well, a black box pool could be thought of as an actor, but not a pool with activities inside it.) If you do not have orchestration connecting the activities of multiple actors, you don’t really have a process. You just have independent services sending requests and responses to each other. There is no central “thing” that holds it together. Yes there is a viewpoint that says, “why do we need orchestration [e.g. BPEL] at all?” That’s more of a libertarian or anarchist view of BPM. Maybe a valid viewpoint, but I don’t think proper use of BPMN.

I do not see myself as an anarchist but do see a potential in isolating standalone processes so that they can be included into other end-to-end processes, (re-used as the developers would term it). Drawing the HR and Manager Lanes as Pools within the end-to-end process does not lose the sense of orchestration.

You just have a more precise definition of the relationship between very different actors in the process. There are definite gains in the implementation arena.

Principles and the Police

2008-06-12T09:11:00.002+12:00

Stephen Franks, a prospective member of parliament later this year, raises the issue of basing the police role on the public support by reference to the founding fathers of London's Metropolitan police. He does so with typically inflammatory language imputing cowardice and other shameful behaviour to police and ambulance staff. Although his politics and attitudes may be an anathema, it is worth considering what society expects of its police service. Interestingly Stephen Franks drops a few of Richard Mayne's principles from his extract:
4. To recognise always that the extent to which the co-operation of the public can be secured diminishes proportionately the necessity of the use of physical force and compulsion for achieving police objectives.

6. To use physical force only when the exercise of persuasion, advice and warning is found to be insufficient to obtain public co-operation to an extent necessary to secure observance of law or to restore order, and to use only the minimum degree of physical force which is necessary on any particular occasion for achieving a police objective.
8. To recognise always the need for strict adherence to police-executive functions, and to refrain from even seeming to usurp the powers of the judiciary of avenging individuals or the State, and of authoritatively judging guilt and punishing the guilty.
9. To recognise always that the test of police efficiency is the absence of crime and disorder, and not the visible evidence of police action in dealing with them.

These are, of course, as relevant as the others.
Unfortunately the time has long gone when the 'Met' has widespread public support and it certainly avoids such detailed principles in current operations but a challenge to the New Zealand Police Commissioner Howard Broad is to identify what he thinks the police should be doing and how well he thinks it is doing it. Unlike most other large organisations, the police do not publish a 'vision statement' or even its operating principles against which the day to day operational success may be measured.
Our politicians and representatives will serve us best by working out what the principles for the Police should be and encouraging support for the front-line staff.

Intalio - Becoming a Good Fit for Enterprise

2008-06-03T10:31:00.001+12:00

Although I really like the approach that Intalio has taken to BPMS with its use, support and provisioning of Open Source components and adoption of standards, I have been frustrated by the user interface and lack of reporting mechanisms for the BPMS itself (broadly BAM). The user interface was developed to support the Tempo workflow component without much consideration that people engaged in workflow may need to have some integration with systems that are not to be provided by the Intalio solutions. There may even be a corporate way of presenting the user interface for tasks/to-do lists (Microsoft's Outlook has a fairly wide usage in this respect). It is intuitively clear that given the use of standards like SOAP in Intalio, replacement of the UI at run-time is fairly simple as all the interfaces are defined in WSDL. Not so easy, is incorporating a replacement UI into the Intalio Designer (eclipse-based). However, there has apparently been some work going on in dark corners to resolve these and the up-coming user conference will have some show and tell on replacing the user interface using, as an example, Ruby-on-Rails. My particular interest will be to see if a full-function XFORMS user-interface can be developed combining the benefits of the visual form design already in Intalio with the ability to use standard message schemas and have full control of the submissions from the form. There has been some smart work on BAM which looks to be following the common Intalio thread of open source by using the Eclipse BIRT reporting project . Again this is featured at the user conference. Unfortunately, I am not able to make the conference but will be following the output with interest.

Desktop on Demand

2008-04-22T13:20:00.003+12:00

In Desktop on Demand Concept looks to quash privacy issues Desire Athow presents a new service as a solution to a privacy issue associated with web browsing...

Desktop on Demand, a remote desktop service launched by Security Firm De Futuro, aims at providing IT and document management teams with a full office suite, enhanced privacy and file sharing functionality.

The additional privacy inherent in the product is the result of a remotely hosted Web browser, which eliminates the possibility of the user's usage habits being tracked by the ISP.

"Our users surf from behind the curtain of our domain," explained Paresh Morjaria, managing director of De Futuro. "As a result, web browsing is once more anonymous. This is a huge benefit for users concerned about Big Brother peeping into their Web usage records. From here information can be derived that could negatively impact on their employment opportunities, insurance prospects or relationship with current employers.

Apart from replacing one potential Big Brother with one, the mere use of such a service could be regarded as a black mark against the individual ... if you use this you must have something to hide about your web traffic ... leaking sensitive info, porn, money laundering.

Stored-value card for Wellington transport

2008-04-22T07:48:00.003+12:00

Vikram reflects on the 'new' payment method for transport in Wellington.
With this innovation you pay in advance for the discount, pay for the snapper, pay for reloading, pay for reloader device on your computer. I am tempted to move back to Christchurch where they have had the free metrocard and larger discount for years. That is without worrying about the leakage facilitated by unproven security of the card.

Process, process, process!

2008-04-17T10:12:00.001+12:00

James McGovern comes right to the point on the project management overhead which is currently embraced as the way to do everything from opening a can of beans to putting a man on Mars.

Why on earth is so much process present? Why does it take three documents and six meetings to write six lines of Java? There are twice as many pages of documentation as lines of code! Well, having worked with the people involved on these documents, plus the development, and the testing, not just on this project but several others, I think I've figured out the purpose: process is being used as a substitute for competence. The funny thing is that I too am losing my sense of humor and are starting to become borgified and believe that CMMi is the perfect way to use process as a substitute for competence. With enough steps, documents, design reviews, and test plans, I think that the proverbial 1,000 monkeys with typewriters really could produce a functional IT system. The incredible amount of mutual reinforcement breaks the task down into such minute pieces that each piece is comprehensible and completable by anyone with even the slightest modicum of coding or testing ability. The added advantage is that no one is required to think let alone understand. It even helps project managers to a pretty good degree of accuracy how long each minute task will take, and can thus do a pretty good job coming up with a (obscenely long) timeline for a project in any stage of development.

Things that are worth five minutes conversation between principals involve battalions of portfolio, programme, project managers and their panoply of governance police without consideration of the competence of the few people that actually do the creative stuff or the fact that the individual commissioning the work has the authority and responsibility to do just that. To move on from the 1970's waterfall, we need clear but much shorter chains of commands along the lines of Jean Luc-Picard "Make it, so!" to a small team of competent players responding "Yes, sir"

Parsing calendar entries

2008-04-03T09:58:00.002+13:00

John Udell raises the challenge of translating the human formats of a calendar entry into a machine format. Google Calendars quick add feature does make a fair effort and responds as the human intended in most cases.
From the examples given by John

Tue, 4/1/08	ok
2 Apr - Wed 10:00AM-10:45AM	Gets date wrong (time of day ok)
Weekdays 8:30am-4:30pm	ok
Thu, 11/15/07 - Fri, 4/11/08	ok
Every Tuesday of the month from 10:00-11:00 a.m	ok
Sat., Apr. 05, 9:00 AM Registration/Preview, 10:00 AM Live Auction	ok
2nd Saturday of every other month, 10:00 am-12:00 pm	ok

The API seems to provide a neat packaging of the requirement as a service which could be used in many ways. Problems that are encountered, like the example above, might eventually be dealt with by the team at Google but seem tractable through pre-processing.

Intalio offering BPMS as a service

2008-04-02T11:01:00.002+13:00

Intalio has announced availability of its novel approach to running BPMS as a service

The Intalio|On Demand servers are powerful enough to run hundreds of thousands of process instances concurrently. Each server has the equivalent of 1.7 GB of memory, 160 GB of storage, CPU capacity of a 32-bit 1.0-1.2 GHz 2007 Opteron or 2007 Xeon processor.

The underlying operating system is rPath Linux, following the Just enough Operating System (JeOS) principle. "This makes the appliance more efficient, smaller, more secure and higher performing than an application running under a full general purpose OS (Wikipedia, JeOS)". The Intalio|On Demand software appliance contains a bare minimal Java 1.5, Open SSH, and Intalio|Server.

The compute power comes from the Amazon Web Services Elastic Compute Cloud (EC2) which gives a fair amount of assurance that capacity and connectivity will be there when you need it.

An organisation using this as a production solution will need to consider its exposure to

failure in the cloud removing access to fundamental business process engine and related dashboard information
privacy and security of data passing through a commercial computing host in a jurisdiction that may not have the same legislative protections as your business domicile

But at the extreme, you can develop and test a fully functional BPMS and integration solution on a laptop and then deploy it across the cloud to a worldwide collection of services.

NSW Police ask public to be cameraphone cops

2008-03-28T09:43:00.001+13:00

Vikram draws attention to a move to encourage citizens to capture crimes on their cellphones and send the information to the police in NSW. Although increasing the surveillance society normally makes me very uneasy and the police forces across the ditch (and here in NZ) are not always noted for their probity, I think that this is a step in the right direction. This is a step up from the well established 111 (911, 999 ...) call with better information content. The French have laws against recording violent crime unless you are a professional journalist which seems a bit repressive, even for the Europeans, but there is a measure of sense in this. How about encouraging a society where it is normal to report crime to the legitimate enforcement authorities rather than publish for a dubious or prurient purpose? There is a problem however with the general capture storage of surveillance material ... Quis custodiet ipsos custodes?

Children to be added to Britain's DNA database

2008-03-17T11:42:00.004+13:00

Mark Townsend and Anushka Asthana in The Observer, March 16 2008 report on the burgeoning DNA database. Now the police are looking to capture data on children who might be thought by someone to be a potential future criminal.

Gary Pugh, director of forensic sciences at Scotland Yard and the new DNA spokesman for the Association of Chief Police Officers (Acpo), said a debate was needed on how far Britain should go in identifying potential offenders, given that some experts believe it is possible to identify future offending traits in children as young as five.

Why do we need training for BPMN and BPMS?

2008-03-08T17:32:00.000+13:00

BPMN is intended to formalise the definition of real world business processes. BPMS implementations take a formal definition of business processes (which should be derivable from the BPMN) and control the flow of information around the process. How difficult can it be to develop the design tools to the point that they help the designer think in the 'best practice' of business process and follow the rules of BPMN?

Ismael Ghalimi in Process Discovery describes his plans for experiencing the development of a BPMS-based solution for a well defined requirement. Like most users of a new tool he is going to do it without training. OK, he does have an advantage over mere mortals from close involvement with the underlying standards and a key-player in this emerging market but I look forward to seeing the commentary on his effort.

...model the process at a high level, using an off-the-shelf process modeling tool. For this purpose, I will use Intalio|Designer, but I will do so before having attended a formal training session. The reason for it is the following: while I have been working for Intalio for over 8 years now, and originally came up with the idea and the name for the Business Process Modeling Notation (BPMN), I have never fully read its specification, even less learned the proper way to use it with a process development tool capable of turning pretty pictures into executable code. As a result, I expect this first modeling exercise to produce a process that will look nothing like what I will be capable of doing after having attended the Intalio Traning, and learning more from the gap should be a key benefit of the overall experiment...

Although there is some good training for process design becoming available, I question how much we should be reliant on it to get to work with a formal language (BPMN ), with absolute rules, that is intended to describe things that we are familiar with in everyday business. It is not teaching English to Korean speakers!
I would like Ismael to also consider how the Intalio Designer toolset could be improved with an autopilot or helper that leads you through the process of designing a process and explains the rules of the BPMN as you go.

Privacy and Text Communications

2008-03-08T10:35:00.002+13:00

We appear to be facing another challenge to privacy in New Zealand which would take us further towards the surveillance society. The police are seeking the storage of all text communications to facilitate their enquiries. Fortunately, this requires a change in law and will get a bit of discussion. It is to be hoped that the Office of the Privacy Commissioner will be active in the debate.

The relevant rule applying to the retention of text data in NZ is found in the TELECOMMUNICATIONS INFORMATION PRIVACY RULES

Rule 1
Purpose of Collection of Telecommunications Information
Telecommunications information must not be collected by a telecommunications agency
unless:
(a) the information is collected for a lawful purpose connected with a function or
activity of the agency; and
(b) the collection of the information is necessary for that purpose.
Note: Except where it is itself a party to a communication, a telecommunications agency will rarely have a lawful purpose to collect the content of any telecommunication. Indeed, it is unlawful to intercept the content of a private communication in most cases (Crimes Act 1961, Part 9A). There are some limited exceptional circumstances relevant to telecommunications agencies (e.g. where acting pursuant to an interception warrant to assist the Police or SIS). Employees of network operators can, in the course of their duties, intercept telecommunications for maintenance purposes but it is an offence for an employee of a network operator to use or disclose information so obtained for unauthorised purposes – Telecommunications Act 2001, ss.114 and 115).

It is apparent that there is no technical requirement to store all texts to provide services to a party in the communication. Vodafone NZ does not do it and Telecom NZ is going to stop the practice.
Although it may be attractive to the enforcement agencies to be able to dip into a historical pool of all telecommunications in pursuit of information about possible criminals and crimes, this would be a fundamental turn-around in perception of the privacy of communications. It is ridiculous to suggest that telecommunications providers should be breaching this basic requirement of the Privacy Commissioner to be "good corporate citizens" as suggested by Police national crime manager Win van der Velde quoted in Dominion Post 8March .

Privacy - How are we doing in New Zealand?

2007-12-31T18:48:00.000+13:00

Just as we get embarrassed here in NZ when our clean green image is tarnished by farmers polluting streams , we should sit up and take notice when we our privacy is not protected in what we assume is a 'free society'. The 2007 International Privacy Ranking from the US-based Electronic Privacy Information Center and the UK-based Privacy International does not present a pretty picture of the NZ attitude to privacy . Overall the rating represents a systematic failure to uphold safeguards. Notably, NZ is up there with the worst, leading in bad practice in communications interception.

The findings are available in PDF format by clicking here.

E-Petitions

2007-12-18T15:55:00.000+13:00

It has taken a while for me to notice this bit of participatory democracy but I have taken the opportunity to add my name to a petition.

Downing Street is working in partnership with the non-partisan charitable project mySociety to provide a service to allow citizens, charities and campaign groups to set up petitions that are hosted on the Downing Street website, enabling anyone to address and deliver a petition directly to the Prime Minister.

mySociety is a charitable project that runs many of the UK's best-known non-partisan political websites, like HearFromYourMP.com and TheyWorkForYou.com. mySociety is strictly neutral on party political issues, and the e-petition service is within its remit to build websites which give people simple, tangible benefits in the civic and community aspects of their lives. For more information about mySociety and its work, visit its website.

While you are looking, take the opportunity to consider and support this

We the undersigned petition the Prime Minister to require all organisations notify customers immediately of any personal data security breaches.

Using Intalio to Develop a new Business Process

2007-12-06T10:38:00.000+13:00

While Intalio is a BPMS tool rather than an all singing and dancing development workbench, you can deliver a working solution that is useful to a business unit. In this scenario a business analyst or consultant may take a pure business solution approach without attempting to specify system services or enterprise-grade business services. A question that has been raised with me is how do I know that the business process design is sufficiently developed that it is worth investing time and money in building or buying service components. With a tool like Intalio, the answer is when the business process is executable and the business can work through it. That does not necessarily mean that the BA has to solve all the integration issues.

As the BA works through the process, s/he will encounter interactions with services that may or may not exist. In a significant portion of enterprises, there will not be a catalogue of every business service that has been implemented, let alone every one that could be desired. Rather than stopping at each case of need of interaction with a business service, the BA could 'simply' define the interface as the business process sees it and support it with a quick and dirty database (a bit like using MS Access to deliver you operational support systems because it takes too long to get the necessary work done with SAP). Using Intalio, MySQL and a bit of AXIS generation the BA could refine the business process with a working example (I suspect that this may fit within the Agile manifesto). At the point that the working solution satisfies the business for flow, it could be handed over for technical improvement. (integration into the normal pattern of user interface - say MS Outlook or Facebook; and integration into the back office systems of CMS and Finance). For the enterprise, there is a risk associated with this approach ... the initial delivery may become operational and valuable enterprise level information remain hidden from the organisation as a whole (very much as happened with the general use of Access databases).

Jacques-Alexandre Gerber covered this aspect in a post

To summarize, here is how simulation and emulation can be envisioned to be used in order to indeed provide valuable business information before deploying processes in a production environment:

Business Analysts create new process models in Intalio|BPMS Designer
Business Analysts use Intalio|BPMS Designer simulation capabilities to ensure their process models meet their objectives and requirements as far as they can tell.
IT Engineers add emulation processes and deploy them in the emulation environment.
Business Analysts analyze the business reports they get from the emulation environment.
Based on the reports, Business Analysts may revisit their models and go back to step #2. Once they are happy with the business outcome they can truly expect to get, it’s time to actually implement those processes.
IT Engineers now fully implement processes by integrating external systems and users. The next steps are the traditional steps to deploy an application in a production system (test, acceptance, production)

I suggest that step 3 in most cases should not need a propeller-head 'IT Engineer' but a sandpit and toolset for the BA to work with ideas about what the service should look like at that point. Generally, a simple database will do the job for a business process emulation but more exotic plug-ins may evolve in this space (for example instant-messenger presence behavior).

The world does not stand still so the effectiveness of the business process should be measured in production. This is where the BPMS really pays off, as the throughput and utilisation of every activity is automatically gathered and available for analysis. The cycle then resumes at step 2 with improvement in process.

Somewhere in the development cycle, some human-factor engineering needs to take place. If the enterprise has a particular style of working with information "the way we work here", then the BA tool-set could include some helpers here. For example, if the culture is to manage personal tasks through Outlook task lists then providing the task management user interface through an OBA.

If you are faced with inertia in database and enterprise services then building solutions with CRUD services delivered out of the business process delivery seems a good way of establishing what the business requirement is, and what the value will be without having to deal with the triage mechanisms that stand in your way.

Open Information v Privacy

2007-12-05T09:53:00.000+13:00

There is an increasing amount of personal information being collected for all manner of worthy? reasons like ensuring that health providers do not use taxpayer dollars to treat aliens. Combined with the desire for more openness in government and means to provide data rather than just the results of a conclusion there is a risk of exposure of personal information.
In the paper, Robust De-anonymization of Large Datasets (How to Break Anonymity of the Netflix Prize Dataset), Arvind Narayanan and Vitaly Shmatikov of The University of Texas at Austin describe the problem; show a general method of de-anonymizing statistical data and demonstrate its use in an area where the participants were under the impression that their information was anonymous.

Datasets containing “micro-data,” that is, information about specific individuals, are increasingly becoming
public—both in response to “open government” laws, and to support data mining research. Some datasets
include legally protected information such as health histories; others contain individual preferences, purchases,
and transactions, which many people may view as private or sensitive.
Privacy risks of publishing micro-data are well-known. Even if identifying information such as names,
addresses, and Social Security numbers has been removed, the adversary can use contextual and background
knowledge, as well as cross-correlation with publicly available databases, to re-identify individual
data records. Famous re-identification attacks include de-anonymization of a Massachusetts hospital discharge
database by joining it with with a public voter database [...]

We present a very general class of statistical de-anonymization algorithms which
demonstrate the fundamental limits of privacy in public micro-data. We then show how these methods
can be used in practice to de-anonymize the Netflix Prize dataset, a 500,000-record public dataset.

Collectors and publishers of data need to be aware of the potential for exposure of information that may be regarded as sensitive.
The issue is not limited to widely disseminated information. Individuals or special-interest groups may have legitimate need for micro-data (for example in health funding policy) but then have the means of uncovering personal data for an unauthorised purpose.
Consider:

are ethics sufficient to protect the privacy of individuals described by such micro-data?
is the information exposed by statistical de-anonymization sufficiently protected by legislation?
where would you go for assurance that the data that you are providing is not susceptible to statistical de-anonymization?

Intalio as a complete development environment?

2007-11-16T08:35:00.000+13:00

Virgil Green, a contributor to the Intalio forum posed a question which approaches my own reason for studying Intalio

I've been considering BMPS in general and Intalio specifically as a development platform. I'm wondering if I'm expecting too much from this technology. I'd like to replace a complete software system including Contract Management, Claim Management, Invoicing, Letter Generation, etc.
My question is (rather broadly) whether the combination of Intalio Community edition (or any higher level edition), a database for which there are adapters, and a reporting tool such as BIRT provide sufficient tools to develop a complete enterprise system.

Business rules? Are they covered/enforceable in Intalio? User Inquiry and Data Entry? Are XForms enough? Am I expecting too much or should I continue to think of this software as middleware for moving data between other systems that handle those functions?

At present the answer is probably that you are asking too much of Intalio alone and that you are being very ambitious. However, the underlying ideas of Intalio and its open-source, and standards basis mean that there is likely to be a way of working with Intalio as a core to deliver a reasonable enterprise architecture.

I think it is a good idea to consider BPMS as the centre of an execution platform. Intalio then provides a good implementation of the BPEL engine and a corresponding designer. Because BPMS does not work well without people somewhere in the end to end operation, there is an element of human workflow required to complete the picture. Intalio adds to the BPMS a web application that implements the human workflow using a standard form expression BPEL4People. This is the TEMPO component. The Intalio Designer integrates this for you automatically. If you are happy to express your workflow with the BPEL4People constructs, and there are plenty of for and against arguments, that covers your business processes very well.

Either side of the business process management system you will require technology components that interact with people (the human interface) and services (the IT systems components for you Contract Management, Claim Management etc.).

Let us consider the services first. My observation of organisations which are not unduly tied into technology (a retailer or small manufacturer rather than a national Telco) is that when you manage the Business Process independently of the business services, the both the services and the business process implementations will become much simpler than if they are combined in say a customer management suite.

Intalio itself does not provide much in the way of application development of the kind you might find in IBM's Websphere or Microsoft Visual Studio. However, once the business processes are managed there may be little left to worry about other than the persistence layer of simple create, read, update and delete of data (CRUD). Of course there are a number of development tools that would work alongside Intalio to deliver the services components.

The user interface components of Intalio are designed for the workflow alone. This will not be sufficient for a complete software solution for many organisations. Although Intalio makes use of a generic user interface product (ORBEON ) which itself is a server implementation of the XFORMS standard, the method of development of user interface in Intalio does not allow the full capabilities of either to be used.

There is no direct control over the presentation within the designer. The view of the form is defined by CSS , but the CSS scripting has to be unpacked from the Intalio distribution and modified independently of the forms designer component.
The form input and output messages are defined automatically from the form components (widgets) which precludes the use of standard schemas common in business and government circles (for example the XNAL standard used for names and addresses).
Fundamental XFORMS presentation controls are not available within the designer (for example, Appearance, which is used by XFORMS implementations to decide how the input/output should be presented)
There is no control over XFORMS submission. Submission is limited to the messages to TEMPO.

However, the presentation layer of the architecture can be readily replaced with anything else that can communicate with SOAP (doc-literal) messaging. A commercial organisation might even consider using Microsoft Office as the presentation layer. Organisations with an architectural bias to Open Source and standards might still choose XFORMS but with a different development tool.

Whether Intalio is sufficient to develop for the enterprise will ultimately depend on the complexity of that enterprise. There will be plenty of businesses that perform their functions within Microsoft Office and Access environments. Intalio and a database would be a step up from that. MySQL and JDBC seems to fit well with Intalio. There are some samples of providing data access services through MySQL in Intalio.

At first glance, BIRT for reporting looks a good companion for Intalio in the development area as it is also based on the Eclipse development platform. However, the Intalio distribution seems a bit hostile to other Eclipse plug-ins. This may be resolved as Intalio matures.

Explicitly calling a business rules engine within the BPMS seems to be a reasonable approach and is readily achieved in Intalio provided the BRE provides a web service interface. Intalio provides a sample implementation with OpenLexicon.

Intalio could not be classed as a general development environment in its current incarnation but it is certainly capable of becoming one.

Health Information Privacy

2007-11-08T09:15:00.000+13:00

IT managers often fail to do their best work in delivering security to the information within the health sector but they certainly do better than the health managers themselves.
A recent audit of the Wellington region's health service revealed patient records being stored in public corridors with no controls on access

The audit [Telarc] underlines that the organisation is bordering on dysfunctional. It records grave failings, such as leaving patient records in public corridors where anybody passing can take a peek,.... Dominion Post 8 Nov 2007

There are plenty of things that can be done technically to meet the required standards of privacy but if the underlying organisation has an irresponsible attitude to security we will see ill-considered technical 'solutions' that compound the problem.

As Blindside comments on one mobile health care device

Let’s see. Wireless transmission of sensitive information–yeah, we’ll get to that right after we take care of those pesky ergonomic and battery life issues. And preventing hacking and malware to ensure that the information is accurate? Hmm. Let’s put that on the list of things to do after we make sure it doesn’t add to the weight of the tablet device

I suspect that the subject of healthcare privacy needs a shake up from top to bottom. A few questions ...

Is it clear what the customer (that's us, not the health managers) wants?
What 'need' do these 'wants' reflect?
Do the legislation and ethical requirements reflect this underlying need?
Is there suitable compliance and enforcement of the legislation and ethical requirements?
Should we get anaesthetists and paediatric cancer specialists before worrying about privacy and security?

When we have a good answer to those, we may be able to evaluate the technical questions about encrypting data at point of entry; securing information over wifi; ensuring that laptops and tablet devices are not attractive to thieves of information, identity or property (because they certainly will be available to all of those).

Intalio Components

2007-10-31T09:19:00.000+13:00

It may be worth clarifying the relationships between the standards and open source components of Intalio. From my perspective as an architect :

The central feature of the Intalio run-time is a business process engine implementation of BPEL 2.0.
Human interaction with the business process is termed workflow and in Intalio is an implementation of loose standard specification BPEL4PEOPLE. This is packaged as an application TEMPO. There is a form-based user interface for this workflow which relies on the XFORMS W3C standard. Note that XFORMS is a device-independent standard which does not define the presentation form, only the function. ORBEON is used to present the user interface in HTML. This is a server-based implementation of XFORMS with the transformation from XFORMS to HTML taking place at the server.
The Intalio Designer component for forms design is specific to workflow and not a generic user interface designer nor even a full-function graphical XFORMS designer.

An advantage of the open source approach is that components can be bypassed or supplemented to extend the capabilities.

If your organisation has adopted XFORMS as a standard, it is likely that the limitations of the Intalio Designer will force you into a development method that delivers the XFORMS by other means. You could use the Intalio ORBEON implementation for your separately developed XFORMS or use the browser implementations of XFORMS (eg XFORMS Plugin in Mozilla Firefox or Formsplayer for IE). Designing a user interface with XFORMS is not necessarily a job for a graphical design tool. Unfortunately, the Intalio Designer does not provide a source editor for the XFORMS XML and may loose edits that you make externally to forms.

There is a reasonable application design/development approach in which a business analyst uses Intalio Designer with the included workflow to develop a working model of the business process. Then the user interface could be replaced with a house style anywhere in the range from all singing and dancing Silverlight down to plain text forms.
Developers asking how to add buttons or improve the look and feel of Intalio forms for production quality applications would be advised to look at their forms as a separate piece of design rather than attempting to work within the constraints of the Intalio implementation. The interface between the presentation layer and the TEMPO and BPMS components is fully defined and implemented in standards.

Intalio - A usable and accessible BPMS

2007-10-01T14:07:00.000+13:00

Ismael Ghalimi is justly proud of the current incarnation of Intalio.
Intalio provides a useful development and runtime environment for initiatives centred on the business process. There is a real opportunity for analyst and business subject matter expert to explore a target business process and deliver a functioning solution with human workflow and integration with legacy applications. Based on standards with an active development path (BPMN, BPEL, SOAP, XFORMS ...) and open source components (Apache Geronimo, Derby, Orbeon, Eclipse... ), it is a development platform with low cost of entry and little risk of being left with an unsupported orphan. Low cost of entry? - I have managed to work through a proof of concept using the free community edition on my laptop. Many small organisations would be able to develop and run exclusively in the community edition while government and corporates may be happier with the support and connector technology (for SAP, Oracle, DB/2) from an enterprise edition.

For organisations, large and small, now exploring the BPMS world, Intalio provides a useful means of developing practical end to end solutions that can be used as the proof of concept, prototype and initial production. Fitting with enterprise standards for user interface and database can come later when the business design is fully explored.

I need a Redux Model/1!

2007-09-29T11:31:00.001+12:00

Ismael Ghalimi has developed an idea of a need into a specification for a practical product in a few days. I really want one of these devices .

I will be looking for this to be the email interface for HF/SSB radio when ocean sailing ... I will not want to be running expensive power hungry pc/laptop computers. I will be happy to leave browsing the internet to download charts etc until I reach port. Any chance of ruggedising Redux Model 1? Protecting it from the salty element can't be much more of a problem than the exposure to coffee and worse around the meeting rooms, planes and lounges of its natural habitat.

A Universal DNA matching database?

2007-09-06T10:01:00.000+12:00

Andreas Busch summarises developments in the DNA identification debate arising from

One of the United Kingdom's most senior judges, Lord Justice Sedley, today demanded that every UK resident and every visitor to the country should have their DNA recorded on the national DNA database ...

The judge has logic on his side. Britain has the largest DNA database in the world covering 7.5% of the population. Mathematical techniques can extend the range of matching further by detecting relatives of people on the database. So the brits are well on their way to achieving the judge's goal.

However consider,

Outside of CSI and similar TV programs, how many crimes are solved through DNA matching? Is there a reasonable value proposition to extend this collection because of the current success rate?

How often is unknown DNA (not on match database) available as a pointer to an otherwise unknown perpetrator?

My guess is that a universal DNA database (relatively simple to achieve by diverting sample collected at birth) does not add much to detection or prevention of crime because there is generally a small set of persons of interest around a particular crime not the whole population.

But as matching technology improves, what a great resource for control of the population at large ... no need for pesky ID cards, passports, fingerprints at airports ... just a bit of sweat or saliva as you pass myriad control points.

Information Commissioner, Richard Thomas, warned that it raised serious issues around the criminal justice system: "if you get the knock on the door saying 'we’ve found your DNA’, you’ve got to start proving your innocence"

If the British justice system has descended to that level then a dna database does not make much difference. There is a risk at present that relying on DNA for more than supporting evidence introduces the defence that other (unidentified) DNA indicates reasonable doubt that the identified person is the guilty party. It seems to me that the only clear benefit of a universal DNA database is to avoid such a defence.

As an aside, why stop at the border? why not share the DNA database worldwide and track fugitives as they supply dna at the border?

I think the debate lies outside the technology arena and more in the political and philosophical area. Do I have right not to be identified?

Are you safely backed up?

2007-09-06T09:16:00.000+12:00

Sean McBreen highlights the potential for information loss in our multi-gigabyte stores at home.
I guess that some assumptions had been made about the use of RAID arrays.

...terror as I cam home to hear my Maxtor Onetouch III 1TB external HDD clicking away and no longer in explorer... SCARY!
A few quick searches on the web and looks like I'm toast - so ironic as we have had a few HDD failures in our team over the last month. I just knew I should have backed up all those new baby photos we had been taking (I'm a dad now for 3 months).

After looking on-line and deciding that a fee of up to $2,000 and a distinct lack or warranty cover from the vendor I decided that I should take my chances and pop off the lid...
...I had the 2x500Gb drives configures in a Raid 0 set-up so ...

Unfortunately, RAID 0 does not provide any fault tolerance from disk failure, just better performance. In this case it doubles the chance of loss of data because either disk failing destroys the array. The RAID 1 option available on the Maxtor unit is preferable for resilience with marginal loss in write performance.
I think this takes you into the forensic data recovery area and having to re-build the entire 2 disk array sector by sector (assuming that some forensic geek can read the sectors off the dead drive). I recommend that you do not write to the remaining drive of the array as you may increase the rebuild effort.

Safety fears over new register of all children

2007-08-29T09:17:00.000+12:00

The headline is from The Times in the UK but the concerns apply everywhere that a 'database' is seen as solution to a communication problem.

ContactPoint was set up after the official report into the death of Victoria Climbié. Lord Laming concluded that the eight-year-old’s murder could have been prevented had there been better communication between professionals.

Communication is not the same as broadcasting or publication. There is a sense of checks and balances between the participants in a communication. This is rarely apparent in stores of data offered to people on the basis of the role they undertake.
As Tom Fuller points out persons having a particular role are not necessarily to be trusted with the information. There will be inevitable bad eggs present in teaching; medical; legal; social work professions; and the police. Also leakage of information which should be private to the individual can occur from simple careless behaviour of otherwise trustworthy individuals. Sadly, assigning information access rights to a role (for example, head-teacher), does not prevent individual head-teachers delegating that responsibility to a temporary secretary which is probably not how the legislators or system designers saw the 'database' being acceptable.
In conventional communication, each request for information can trigger a question in the mind of the receiver about the possible use being made of the information provided. Ideally, technology solutions to the communication problems around public safety, health information and other privacy-loaded areas should not bypass these checks and balances. Given the risk of misuse of information by persons in a position of trust through their role, technology solutions should ensure that the minimum (necessary) information is released and that a clear trail of information release is maintained. If an authorised person enquires on such a database, they should expect to face enquiries themselves as to why and how the information was used. The kind of pattern analysis that detects potential credit card fraud should be applied to detect the abusers of the information systems.