Object Management Group Meeting (Santa Clara, Calif., December 2013)

Report by Claude Baudoin (cébé IT & Knowledge Management)
January 9, 2014

This report contains notes from sessions the author personally attended during the OMG Technical Meeting in Santa Clara on December 9-13, 2013: the meeting of the Business Modeling and Integration Domain Task Force, the Business Architecture SIG, the Analysis and Design Task Force, the plenary lunch presentations, and the closing plenary report sessions. In addition, a section about the Finance Task Force was compiled from the plenary report and the presentations made during the session, and reviewed by co-Chair Mike Bennett.

A comprehensive list of all the committees, task forces and working groups of the OMG can be found at www.omg.org/homepages/. A list of all the work in progress, with links to the corresponding materials (RFPs, etc.) is at http://www.omg.org/schedule/.

Contents

1. Business Modeling and Integration Domain Task Force (BMI DTF)
2. Business Architecture SIG – Collaborative Session
3. Analysis & Design Task Force (ADTF)
4. Finance Domain Task Force
5. Plenary Lunch Presentations
6. Plenary Report Sessions
7. Next Meetings

OMG Santa Clara Meeting Report. Copyright © 2014 Object Management Group

1. Business Modeling and Integration Domain Task Force (BMI DTF)

Fred Cummins (Agile Enterprise Design) chaired the meeting and reviewed the agenda, including the joint meeting with the Business Architecture SIG on the second day about modeling risk management (see Section 2).

1.1. Business Design Modeling with VDML

Verna Allee explained the motivation for VDML. There is a complex world of collaborative relationships, inside companies and with partners, that is not correctly captured by traditional models. VDML incorporates business value and valuation models, including intangibles; it improves investment decisions and reduces risk. Henk de Man stated, in answer to a question, that there are several vendors that are interested in supporting VDML, including Cordys, Adaptive, REA, and others.

Fred Cummins gave an overview of the VDML concepts. Since the initial submission, enhancements were made including some related to the Structured Metrics Metamodel (SMM). The submitters also spent time dealing with the relationships or mappings with other business models:

• Lindgren’s “business cube” model
• Osterwalder’s business canvas
• the Business Motivation Model (BMM)
• the Business Architecture Guild’s draft metamodel
• balanced scorecards
• the Business Process Model and Notation (BPMN)
• the Case Management Model and Notation (CMMN)

For example, VDML can support the BMM strategic planning activity through scenarios. All these relations between VDML and the other models are described in Appendix E of the submission (pages 130-154), and a more complete separate paper is also available.

Given the number of modeling approaches that exist, Fred explained the VDML differentiators. It integrates various concepts that together constitute a mental model of the business, and of course it is based on tracing the “ecosystem value exchanges.” Jishnu Mukerji asked what the relationship is between VDML and Key Performance Indicators (KPIs).

There was discussion of how VDML helps identify and improve capabilities that lead to value creation. Jishnu also asked whether a taxonomy of capabilities exists, and said this might be an interesting opportunity. Henk de Man explained that there are some industry models as well as company-specific vocabularies. Verna Allee said that Boeing has created an extensive role taxonomy, but she is not aware of work to create a library of capabilities. Manfred Koethe said that UPDM has some capability constructs, but you are carrying a lot of baggage if you use UPDM just for capability modeling.

1.2. Third Co-Chair Election

Fred Cummins explained the desire to elect a third co-chair of the BMI DTF, besides Fred Cummins and Donald Chapin. Claude Baudoin (cébé IT & Knowledge Management) was nominated and gave a summary of his professional history and his involvement with OMG. There were no other nominees, and he was elected.

1.3. Management of Regulation and Compliance (MRC)

John Hall, from Model Systems, explained that MRC is essentially an extension of an aspect of the business motivation model (BMM) in two ways:

• A richer model of regulations
• Extend BMM into a federated model for compliance with corporate policies

An RFP was issued in 2009; the submission deadline was extended several times and there have been no submissions. Time has passed and the situation has changed since the MRC effort was started, so the idea was brought up, in particular by Donald Chapin, to revive the effort and re-issue the RFP, under a process to be defined with OMG this week.

1.4. “Bringing the Customer and the Business Together as One” by Michael Clark

Mike, who had presented on “business design” during the Business Architecture Information Days in Berlin in June 2013, when he was with JPMorgan Chase, is now an Enterprise Business Designer and Architect, working on contract to Royal Mail.

Abstract: The “customer experience” has emerged as the single most important aspect in achieving success for organizations across all industries. To benefit from this, new marketing disciplines such as Service Design are enabling the marketing departments of organizations to gain a deeper understanding of the customer and their desired experiences. Clearly there is significant value in this, but what about architecture? How do we ensure the information captured by designers of what the organization offers and how it provides the customer experience is consistent? How can we be sure we can implement the business changes defined? How can we be sure that organizations can exchange information unambiguously about their offerings and customer experience designs?

Fred Cummins asked about the relationship with the “Customer Journey Mapping” model. Mike said that this is one of the views you can generate from a model.

1.5. Roadmap

There was discussion of how to bring more people to the table to discuss, and even just to learn about what this Task Force is doing. Once a modeling language is standardized, there may be interest in learning about it, but during the elaboration period, it is difficult to get people interested, including end users as well as smaller vendors. It was suggested that we need to have some sort of Information Day to which we can invite business people to learn about things like VDML.

It was also suggested that we need to have a “frame of reference” for what the BMI DTF has in its charter and scope of work. This might possibly be an application of VDML to our own work.

Fred showed a TED video in which Clay Shirky, a social media thinker and speaker, talks about collaboration and how you can crowdsource information (which is cheap) instead of creating managed institutions (which are expensive to run) to generate that information. This can make the difference between an organization being an enabler as opposed to being an obstacle. As an example, he showed how Flickr allows people to tag photos and retrieve them based on tags. “This is the kind of value you cannot get from an organized institution.”

There was a long informal discussion about business models, the roles, and the change brought on by collaboration. Henk related his experience with Vlastuin, an industrial transportation company in the Netherlands, which uses VDML to model its innovation network; that work was presented by Jasper Lentjes at the Berlin meeting in June.

The discussion came back to the review of the BMI DTF roadmap. The Google Doc of 20 potential roadmap items was reviewed. Clarifications and additions were suggested. Claude Baudoin took the action to update the file. There was a consensus that the Risk Management day that followed would have a strong impact on what the roadmap would be going forward, but that it was also important not to consume an entire meeting cycle until deciding what to do next.

Ham Hayes and Robert Lutton, from Sandhill Consulting, suggested that the roadmap document needs to have priorities and action items with deadlines. Claude pointed out that it is not a work plan, but a basic draft roadmap, and therefore it cannot have all this information yet, but agreed that a sense of priorities and respective difficulty levels would be helpful, and should be generated between this meeting and the next one through a voting process.


2. Business Architecture SIG – Risk Management Collaborative Session

There were about 18 people in attendance. William Ulrich, chair of the BA SIG, opened the meeting by saying that the BMI DTF suggested this joint session, based on its roadmap discussions, to examine what could be modeled about risk. Fred Cummins, co-chair of the BMI DTF, said that the goal is to understand what is going on in other groups about risk management, rather than going off and developing something on our own. Nikolai Mansourov said that the System Assurance Task Force has also been talking about risk from a safety and security perspective. Someone suggested that the goal could be to have a general model that could be specialized for various groups, similar to the PIM/PSM relationship.

2.1. “Regulatory Risk Management Approach” by Wesley Moore (Wells Fargo Securities)

Mr. Moore manages the Compliance Control and Infrastructure department of this investment division of Wells Fargo, based in Charlotte, NC. He described the securities business of Wells Fargo, which is divided into a number of categories to which risks are assigned and managed. “Infrastructure” refers to monitoring and review, in the sense of the ISO Risk Management standard. His presentation shows the documentation used by the company to describe the controls it applies.

The Dodd-Frank act requires a Compliance Officer to sign, and be personally liable for, a statement certifying that certain controls are in place and are adequate. A lot of the work consists of developing better controls. Many of the processes are manual. Documentation and support are provided to a number of different stakeholders, internal and external.

There are multiple systems in place, depending on the financial product type, for various reasons:

• Legacy: some of the products are offered as the result of acquisitions.
• Actual differences in the types of products.

He said that this is not necessarily a problem per se, except when it comes to consolidating information from several groups in order to provide a complete picture. Jim Rhyne (Thematix) said that most banks have tried to consolidate their risk management products, but most have failed. Only UBS has had some success, but it has taken them over a decade and over a billion dollars, and the effort is not complete.

The speaker cited “inadequate consolidation of information from the business units” as one of the current pain points. Additional complexity emerges from the multiplicity of legal entities, since each one has a need to document how the regulations impact their own part of the business.

Compliance departments don’t make money, and there is no accounting for the cost of compliance – or of non-compliance. Therefore, they are usually under-resourced, with little automation. This makes many things difficult, including searching for potential hidden issues, for example when a problem is reported about a competitor.

(See the full presentation at http://doc.omg.org/basig/13-12-01)

2.2. “The Business Motivation Model (BMM) and Risk Management” by John Hall (Model Systems)

BMM is a model for recording governance decisions about a business, and also a model for connecting governance to operations. It was originally developed by the Business Rules Group, and released by OMG in 2005; revision 1.2 has been approved, and revision 1.3 is in progress, with all issues resolved.

Here is a summary of the basics of BMM (see the presentation for a more complete description):

• A business needs to monitor influencers that may affect it, most of which it doesn’t control (markets, competition, regulations, technology emergence, economy…), and to make decisions to react to those.
• The effect of reactions is cumulative.
• A BMM provides a high-level vocabulary for strategies, tactics, policies, goals and objectives, but it also provides a classical feedback and control system between the business design and the actual operations.
• “Motivation” is the shared commitment to do this, even though some stakeholders have different requirements and desires from others.
• There are activities that need to be performed, and they have some interdependencies.
• A methodology and tools are needed to perform these activities.
• A BMM can cover the long-term operations of a business, or it can be a short-term one to handle a specific change.
• The content of a BMM is simple – names and text that describe things like “courses of action” and their effects.

John Hall pointed out the places in BMM that are related to risk management. He then described how Markus Schachter at KnowGravity has used BMM to do risk-based systems development of interlocking systems for European railways. They have built a bridge to go from the risk analysis in BMM to a SysML model.

(See the full presentation at http://doc.omg.org/basig/13-12-02)

2.3. “Strategic Goal: Enterprise Risk Profile Modeling” by Fred Cummins (Agile Enterprise Design)

This presentation was adapted from an information day that was held some time ago.

The speaker described the notion of “risk profile” and discussed what might be the objectives of an industry standard:

• Define a model of the capture and reporting of risk factors
• Capture adjustments for mitigation or changes
• Allow the compilation of a repeatable, auditable enterprise risk profile

A “risk profile” contains multiple dimensions: risk domain, risk source, incident probability, incident consequences, assessment horizon, confidence level, and mitigation. The presentation contains a small taxonomy of “risk domains.”

Fred commented on the applicability of SBVR (Semantics of Business Vocabulary and Business Rules), which is not only a way to specify rules, but also allows the mapping of different vocabularies to a common set of concepts. Thus SBVR might help reconcile the various terminologies that have been adopted in different industry sectors. Fred also suggested that the MRC (Management of Regulation and Compliance) specification, which will be an extension of BMM (see Section 1.3), can play a role. John Hall summarized the status of MRC. (See the full presentation at http://doc.omg.org/basig/13-12-03)

2.4. “Business Architecture and Risk Management” by Bill Ulrich

Bill, who co-chairs the BA SIG and leads the Business Architecture Guild, presented the Guild’s model of business architecture, and tied it to risk analysis and impact analysis. The architecture enables traceability of risk-related focal points through the various perspectives on the business ecosystem, which includes capabilities, value streams, etc. An instance of business architecture can also directly address risk by including risk management capabilities (as would be typical in a bank’s loan division).

In answer to a question, Bill said that there is no template or even checklist to start the process of defining business capabilities. A checklist would be useful, if only to avoid forgetting some areas of the organizations (such as HR) but the work typically ends up producing a highly customized list that is different even from other companies in the same business.

The concluding slide states ways in which business architecture offers interesting perspectives for risk analysis and risk management:

• Improved business transparency and traceability provide a foundation for risk analysis
• Instances of business architecture provide specific risk analysis focal points

(See the full presentation at http://doc.omg.org/basig/13-12-04)

2.5. “Risk Analysis: Measuring and Managing Cybersecurity Risk” by J.D. Baker (Sparx Systems)

J.D. Baker presented slides put together by Jim Hietala, VP Security at the Open Group. Some of the challenges that are identified are:

• The lack of a standard taxonomy
• The fact that risk scales (red-yellow-green, 1-to-5, etc.) are not defined formally enough to be usable in calculations, and are very subjective
• The rapid evolution of threats (because of mobility, BYOD, the cloud, Internet of Things, etc.)
• A risk certification gap – there is a need for an open, standards-based certification program for IT security risk analysis

The Open Group has published 5 documents:

• O-RT, the Risk Taxonomy Standard
• O-RA, the Risk Analysis Standard
• Requirements for Risk Assessment Methodologies
• FAIR-ISO27005 Cookbook (FAIR stands for “Factor Analysis for Information Risk”)
• O-DM Dependency Modeling Standard

The Open Group has announced a FAIR Certification Program by the Open FAIR Foundation, a two-hour supervised, closed-book exam with 80 multiple-choice questions.

(See the full presentation at http://doc.omg.org/basig/13-12-05)

2.6. “Requirements Regarding Integration of Risk” by Matthew Hause (Artisan Software Tools), Lonnie VanZandt (NoMagic), and Lars-Olof Kihlström (Syntell)

The speakers are the three co-chairs of the UPDM group at OMG. Matthew Hause spoke first, reminding the audience of UPDM, the Unified Profile for DoDAF and MODAF, and mentioning the new requirements that should be supported in UPDM 3.0 according to its draft roadmap. Lonnie then talked about “Exploiting UML and UPDM for a Lightweight Risk Management Profile.” That profile contains stereotypes for “risk” and “issue.” Matthew said that a standard way to specify risk is needed.

(See the full presentation at http://doc.omg.org/basig/13-12-06)

2.7. “Toward a Common OMG Risk Management Metamodel” by Nikolai Mansourov (KDM Analytics)

The speaker first presented the model of security risk contained in ISO 15408, but pointed out that there are at least 13 other models, with no interoperability, and that few approaches are systematic enough to provide assurance that a risk is eliminated or reduced. In contrast, he described the concept of “justifiable risk assurance,” which combines risk management and an assurance case. This approach results in a 10-step methodology called FORSA, which stands for “Fact-Oriented, Repeatable Security Assessment.” The speaker described the steps and the underlying risk metamodel.

Finally, Mr. Mansourov showed some screen shots from the KDM Blade Tools, now integrated with the Cameo Suite from No Magic. Also see Section 5.1.

(See the full presentation at http://doc.omg.org/basig/13-12-07)

2.8. “CORAS Method for Model-Driven Risk Analysis” by Arne Berre (SINTEF)

The CORAS method, first published by SINTEF in 2006, consists of:

• an 8-step method for risk analysis, directed by assets and based on ISO 31000 concepts (for example, it ;
• a language for risk modeling, consisting of five diagrams (asset overview diagram, threat diagram, risk overview diagram, treatment diagram, and treatment overview diagram);
• an open-source (Eclipse EMF) tool, available from GitHub, for editing risk analysis diagrams.

The main concepts in the risk models are Risk, Asset, Vulnerability, Threat, Party, Threshold, and Unwanted Incidents. The method is supported by a 2011 book, “Model-Driven Risk Analysis” by Lund, Solhaug, and Stølen (www.springer.com/computer/swe/book/978-3-642-12322-1).

(See the full presentation at http://doc.omg.org/basig/13-12-08)

2.9. “ISO 31000 Risk Management – Principles and Guidelines” by Richard Weissinger (ISO), presented by John Hall

John Hall, presenting third-hand with Donald Chapin unavailable at the beginning of his talk, presented an overview of the ISO 31000:2000 standard. The basic model for the management framework is a classical continuous improvement PDCA (plan, do, check, act) cycle. This is a very generic approach, and John Hall expressed a concern that this has been eviscerated of risk-specific content. In particular, the reason why ISO defines risk as “the effect of uncertainty on objectives” is unclear. This led to a discussion with Djenana Campara and Jim Rhyne about the relationship between risk, uncertainty, and probability.

(See the full presentation at http://doc.omg.org/basig/13-12-09)

2.10. “Going Forward” Discussion

Henk de Man asked what would be the purpose of doing work within OMG, since ISO 31000 exists. John Hall said that since he finds the ISO standard very generic, the OMG work could aim to be more specific, and that might be done in the context of a specific vertical. Donald Chapin said that OMG would probably focus on how to exchange risk information, while the ISO standard is purely about the process of risk analysis and management.

Henk pointed out that some of the people who were in the meeting earlier in the day seemed to be of the opinion that everything should be put into UPDM, which clearly intends to have a security view in the profile. There was discussion of a potential “turf conflict” between UPDM and other groups, in which case the Architecture Board would have the authority to arbitrate, but Andrew Watson said that it is preferable not to arrive at that point.

It is possible that various RFPs will be generated independently by different groups. The question is whether there can be some common work (terminology, reference model, etc.) that can benefit these other groups and “constrain” their work in a constructive way.

For certain stakeholders, it is the interface or the import/export formats that are more important than the actual form or notation of the model. Claude Baudoin gave the example of the oil industry, where it may be nice to have a risk modeling standard for internal exchange, but it does not need to be an industry-wide standard; but on the other hand, they are going to need an industry-wide risk reporting standard in order to meet increasingly severe regulatory requirements.

Bill mentioned the possibility that the BA SIG could work on a risk metamodel. Fred Cummins said “don’t give us a metamodel, but give us the requirements so we can issue an RFP.”

3. Analysis & Design Task Force (ADTF)

The Task Force was chaired by James Odell (independent methodologist, consultant and speaker) and Michael Chonoles (Change Vision). J.D. Baker (Sparx Systems) had to relinquish his co-chair position because he has been elected (again) to the Architecture Board. Dr. Fatma Dandashi (MITRE) was elected to replace him as the third co-chair.

3.1. Precise Semantics of UML Composite Structures (PSCS) Submission

Arnaud Cuccuru (Commissariat à l’Energie Atomique) presented the status of the submission. All the substantive work that was required after the last meeting has been done, but there was insufficient time to iron out all the details and finalize the submission. Therefore, a motion to extend the deadline to the next meeting was made and approved.

3.2. Ontology Model and Specification Integration and Interoperability (OntoIOP)

Fabien Neuhaus (University of Magdeburg) said that the RFP was first presented in June 2013. There have been some changes since then, and the Architecture Board raised some issues during its review two days earlier.

The presenter went over the motivations for OntoIOP, using as an example the Date-Time Vocabulary (DTV). In such a specification, there are multiple vocabularies that are not properly glued together. A metalanguage would allow ontologies and other formal specifications to be combined together. It would also allow the detection of conflicts.

There was an attempt to do something like that under the aegis of ISO; it was called the Distributed Ontology Language. The working group stopped and its members came over to work with the OMG. Since the OMG’s September meeting, work has taken place to narrow down the scope of the OntoIOP RFP and to add new and better use cases.

The Architecture Board has now raised the issue of the relationship with SIMF (Semantic Information Modeling for Federation). Fabien presented the relationship between SIMF and OntoIOP in graphic form. He proposed to add some language to the OntoIOP RFP to encourage submitters to coordinate their submission with SIMF. Elisa Kendall (Thematix Partners) suggested that the SIMF Letter of Intent phase could be reopened to allow OntoIOP submitters to participate in SIMF submissions. There was a concern that this could delay SIMF, which has already been delayed several times, and there was discussion of ways to avoid this.

This was followed by a collective wordsmithing exercise. Once the rewriting concluded to everyone’s satisfaction, a motion was made to recommend the RFP for issuance, and it passed by white ballot.

3.3. Application Programming Interface for Knowledge Bases (API4KB)

Ed Skoviak (ACORD) gave an overview of this submission to the Task Force, and explained what remaining changes are needed to finalize it. The deadlines for Letters of Intent and for closing the voting list were moved to February 2014, the initial submission deadline to June 2014, and the revised submission deadline to September 2014.

3.4. UML Testing Profile V2 (UT2P) RFP

Marc-Florian Wendland (Fraunhofer FOKUS) presented the revised RFP text. UML does not originally include concepts for model-based testing, and the purpose of the Testing Profile is to fill this gap. The appearance of new requirements, as well as changes in other specifications, requires a new version to be created. The RFP is large because it incorporates all the concepts of the related ISO standard.

The presenter went over all the changes made in the RFP since the last published version. He then moved to issue the revised RFP. The motion passed by white ballot.

3.5. CTS2 XML-to-JSON Transformation Rules RFC

Harold Solbrig (Mayo Clinic) presented an overview and the status of the RFC. The CTS2 1.1 specification (Common Terminology Services, adopted by the Healthcare DTF) defines an XML model for interchange. JavaScript implementations often use JSON, so a transformation was required. The speaker reviewed several alternatives that were considered, and why they were not practical. In the end, it was decided to create a generic (not CTS-specific) XML-to-JSON (not XML Schema to JSON) transformation.

The RFC was issued in September, and received no public comments during the review period. There were 6 comments from the Architecture Board. The RFC could therefore be ready for adoption (and formation of a Finalization Task Force) at this meeting. There was discussion of whether the AB comments should be addressed in the document before it is proposed for adoption. Tom Rutt stated that the vote should instead be about the original document, and the handling of the comments should be deferred to the FTF.

Harold moved to recommend the RFC for adoption, Elisa Kendall seconded, and the motion passed by white ballot.

3.6. IFML FTF Status report and IFML Beta2

Marco Brambilla (WebRatio and Politecnico di Milano) presented an update about the Interaction Flow Modeling Language (IFML), which is being finalized. 56 issues have been filed so far, and 15 more are known to be coming in. They range from typos to clarifications to several metamodel extension requests. All issues have been addressed.

The speaker described the substantial metamodel changes, such as added abstract layers that allow the classification and the behavior to be described in other languages than UML.

On the implementation front, an editor has been designed in Eclipse, and there is also work being done with No Magic for a commercial-grade implementation. On the marketing side, the proponents are building an OMG Press Book, and are touring various places to promote the language. The plan is to have v 1.0 ready for adoption in March.

3.7. OCL 2.5 RFP Draft Presentation

Ed Willink (Nomos Software) presented remotely with the assistance of Tom Rutt (Fujitsu). A number of fixes that were required in the Object Constraint Language (OCL), which Tom described, were deemed to have such extensive impact on the specification that they were beyond the scope of a Revision Task Force. Instead, the preferred approach is to issue a new RFP for OCL 2.5. The result would be a “grand alignment” of the new versions of four standards: UML, MOF, XMI, and OCL.

Tom and Ed described the requirements in Chapter 6 of the proposed RFP. Jim Odell mentioned the need to consult with the authors of current OCL books about how OCL 2.5 would be publicized through revised editions.

The licensing mode specified in the document is royalty-free on limited terms (“RF limited” for short), but it sounded like the “non-assert” mode would be preferable. Ed will consult with the submitters to see if they can accept that change.

The deadlines mentioned in the RFP are fairly conservative, leading to revised submissions and adoptions in early 2015, which should be feasible. A version of the draft RFP with embedded discussion questions was filed as an OMG document.

3.8. Motion to withdraw the MDA Tool Component RFP

Jim Odell said that there has been no work since a 2007 proposal from Softeam, which was not adopted then, and no deliverables from the group working on this for about five years. Someone asked if there had been any contact with Philippe Desfray of Softeam. James said that he would make another attempt to contact him and ascertain whether there was any chance that work could resume.

3.9. Integrating UML/SysML and GSN/Assurance Case

This was a joint session between the System Assurance Platform Task Force (SysA), the Systems Engineering Domain SIG, and the ADTF. It included a demonstration of a new tool by Kenji Hiranabe (Change Vision).


4. Finance Domain Task Force

Mike Bennett (Enterprise Data Management Council – EDMC) chaired the meeting. The two-day agenda included an afternoon meeting of FIBO submitters (not an official OMG activity). The agenda alternated between sessions about the progress of three Requests for Comments (RFCs), and sessions about building new capabilities on top of FIBO or applying FIBO to real business cases. A presentation of a proof-of-concept for regulatory reporting by the Bank of England was omitted due to scheduling constraints.

4.1. FIBO Foundations RFC – Second Reading

Mike Bennett reviewed the public comments received on the RFC, including 10 comments from Wells Fargo, and managed the adoption voting process. The RFC was approved by this Task Force and recommended to the Architecture Board and the Domain Technical Committee for adoption.

4.2. FIBO Business Entities RFC – First Reading

Mike Bennett explained the status of this RFC. Two annexes did not make the original submission, and these along with “functionally defined entities” will be in a future revision. Later on during the meeting, the Task Force reviewed comments received from the Architecture Board reviewers, and then voted to recommend the first reading to the DTC.

4.3. “FIGI and FIBO: Helping FIBO Deliver” Richard Beatch (Bloomberg) distinguished between the “universals” (classes) that an ontology like FIBO provides, and the “particulars” that regulations require to be captured, including legal entity identifiers (LEI) and financial instrument identifiers. The FIGI specification, which is the object of an RFC in progress, references FIBO concepts and provides this missing link, with a global identifier that never changes once issued. See the presentation at http://doc.omg.org/finance/13-12-02.pdf.

4.4. FIBO/Flora Rules Working Group – Objectives and Progress Report David Newman (Wells Fargo) said that the FIBO Technology Summit, held in San Francisco in June 2013 in conjunction with SemTechBiz, identified as a challenge the conversion of requirements (i.e., regulatory rules) into executable semantic rule statements.

A working group was formed to address this challenge. Its objectives include:

• leverage FIBO
• show the “art of the possible” in semantic technologies (including SBVR)
• engage the financial risk management community
• produce a working demo in Q1 2014

The group consists of EDMC; Wells Fargo; Coherent Knowledge Systems; SRI International; and the Governance, Risk and Compliance Technology Centre at University College Cork (UCC), Ireland. The participants have met weekly, in person or virtually. The chosen subject matter is Regulation W, a U.S. Federal Reserve rule about the transactions between a bank and its affiliates that might result in concentrated risk. The presentation (http://doc.omg.org/finance/13-12-03.pdf) shows how the proof-of-concept could determine whether Regulation W is applicable and would be violated by certain transactions. Mr. Newman concluded with an appeal for additional suggestions, participants, testers, and resources.

4.5. Financial Instrument Global Identifier (FIGI) Draft RFC

Richard Beatch and Corby Dear (Bloomberg) gave a presentation on the rationale and design of the identifiers, the alignment with FIBO, and the relationship with other instrument identifier-related standards. See http://doc.omg.org/finance/13-12-05.pdf. The technical components of the RFC are complete, but four aspects need additional work:

• Additional standard content is needed on registration management.
• An additional annex is needed.
• Additional clarity on the scope, including coverage of over-the-counter derivatives.
• Other industry participants need to be brought in to ensure that the RFC is vendor-neutral and can be considered by regulators and others as a non-proprietary standard.

In view of these issues, the issuance of the FIGI RFC was deferred to March 2014, but it was resolved to make the current draft available to OMG members as a discussion document, not as a formal RFC yet, to give industry participants a clear path to involvement. This should be ready for a vote in March 2014.

4.6. “Semantic Data Definition of Treasuries Notes/Bonds and Mortgage Loans” by Lars Toomre

Lars Toomre (Toomre Capital Market) gave an oral report on recent developments about integrating the mortgage e-commerce standards from MISMO (Mortgage Industry Standards Maintenance Organization) into the FIBO standard.

4.7. “Consuming Semantic Ontologies to Improve Semantic Interoperability”

David Frankel (David Frankel Consulting) talked about a structured approach to using semantic ontologies and vocabularies to enhance semantic interoperability. He covered:

• The business impact of the lack of semantic interoperability in industry
• The current state of the art in data integration
• Techniques for improving semantic interoperability, leveraging ISO 11179, UN/CEFACT and Semantic Web standards
• How the new techniques are being incorporated into key finance and business reporting standards to which David has been a major contributor, including BIAN, XBRL, and ISO 20022
• The synergy between the new techniques and initiatives to build semantic vocabularies and ontologies such as FIBO
• Preliminary thoughts on the synergy between these new techniques and the Schema.org initiative.

The slides are at http://doc.omg.org/finance/13-12-06.pdf.

5. Plenary Lunch Presentations

5.1. No Magic Product Update

Gary Duncanson (No Magic) and Djenana Campara (KDM Analytics) took turns presenting this update. Gary started by reviewing the current portfolio of modeling and integration tools from No Magic:

• Cameo Systems Modeler
• Cameo Business Modeler (now BPMN 2-compliant)
• Cameo E2E Builder
• Cameo E2E Bridge (the run-time part that complements the Builder)
• Cameo NIEM Plugin
• Cameo Enterprise Architecture (a bundled product containing all the above)

Future tools include:

• Cameo Visual Ontology Modeler
• Cameo Essential Data Modeler

The latest product to be released is Cameo Risk Analyzer, “powered by KDM Analytics.” At that point, Djenana presented the Risk Analyzer in more detail. The tool allows the user to analyze a UPDM architecture for vulnerabilities. The product received a Canadian award in 2012.

5.2. Update on the Cloud Standards Customer Council (CSCC)

Claude Baudoin (cébé IT & Knowledge Management) presented on behalf of its chair, John Meegan of IBM, an overview of the history, accomplishments so far, and work in progress by the CSCC. The Practical Guide Working Group is finalizing a document about migrating applications to a public cloud. The document was published later in December and will be presented in a Webinar in January. Claude invited interested companies to join the CSCC, which is free. All information and a registration page can be found at www.cloud-council.org. The presentation is available at http://doc.omg.org/omg/13-12-02.pdf, as well as on Slideshare at www.slideshare.net/cbaudoin/cscc-omg-tc-prez-20131211.

5.3. Issue Management Tool

Mariano Benitez (TekGenesis) presented the tool he has developed to help a Finalization or Revision Task Force (FTF/RTF) manage its often long list of issues. The tool is based on the JIRA project and issue tracking software from Atlassian. It covers the full workflow:

• Recording an issue
• Voting
• Report generation (not fully functional yet)
• Closure

Several task forces are already using the tool, and current issues lists are being migrated into the tool so that task forces can switch to it in midstream.

6. Plenary Report Sessions

Friday morning, as always, was devoted to plenary sessions during which all OMG subgroups briefly reported on their work, and the Platform and Domain Technology Committees made decisions on technology adoptions. While many attendees choose to leave the OMG meetings after the work of their Task Forces and SIGs ends on Wednesday or Thursday, the plenary reports offer a comprehensive view of the scope of activity at the OMG. The points below were judged worthy of mention, but are not an exhaustive list of the work reported. This section will frequently refer to the three forms of requests issued by OMG Technical Committees:

• A Request for Proposal (RFP) is a formal call for the submission of specifications; it opens up a time window for organizations at the appropriate level of membership to submit proposals.
• A Request for Comments (RFC) is a fast-track process whereby someone submits a specification that is expected to receive broad consensus. A comment period opens to allow people to voice any objections or submit changes. If there are no serious objections, the proposal is adopted. If there are, then the process reverts to a competitive RFP.
• A Request for Information (RFI) is a less formal process to obtain feedback from the community, and organizations can respond regardless of OMG membership level. An RFI is often used to generate enough information about the “state of the practice” to allow the writing of an RFP.

6.1. Architecture Board Subgroup Reports

Andrew Watson announced that there were five candidates for five open seats on the Architecture Board, therefore all five were deemed elected. Angelo Corsaro of PrismTech was elected to the seat vacated by Steve Cook, who has retired from Microsoft.

Business Architecture SIG: Claude Baudoin reported on this group’s work on behalf of Bill Ulrich. See Section 2 for more details.

Model Interchange SIG: The AB chartered last June a new group to coordinate the existing interchange testing efforts, including the UML interchange effort that had been going on for a while, and the BPMN interchange activity started by Denis Gagné (Trisotech). The chairs were absent, but Lonnie Van Zandt (No Magic) said that there was a meeting of about 8 members. He said that the group is considering the importance of UPDM. JD Baker said that there is a shift in priorities at NIST, and there has been some doubt on maintaining momentum about the development and support of the XMI Validation suite, but there may be a candidate to pick this up.

ORMSC (Object & Reference Model Subcommittee): Jon Siegel (OMG) said that the ORMSC continued its work on the MDA Guide, with a reliable team of participants, including Cory Casanave (Model-Driven Solutions), Pete Rivett (Adaptive) and Markus Schacher (KnowGravity). The Guide is almost ready to be presented to the Architecture Board. Chapter 6 needs a contribution from each vertical domain task force to describe how MDA is used in its sector.

Specification Management Subcommittee: Jishnu Mukerji reported that a lot of specifications have been published since the last meeting, and new ones have been added to the pipeline. One publication that was “missing in action” last time has been found and its status is being resolved – a letter is needed from the submitter to certify that they have an implementation. Tom Rutt has drafted a Namespace Policy that will be reviewed and potentially adopted at the next meeting.

Intellectual Property Rights Subcommittee: The IPR SC has not met for a while, having completed its work, but will be “kept on the books” in case the new policy needs to be tweaked. Andrew Watson reminded the audience of the new obligations of submitters to commit to an IPR mode for the life of a specification (including products of the FTF and successive RTFs), and that the RFP templates have changed due to the need to choose an IPR mode.

Liaison Subcommittee: Tom Rutt (Fujitsu) reported on the work done at ISO to adopt various OMG specs: Comments from ISO/IEC on MOF 2.4.1 and XMI 2.4.1 were resolved; there are still some editorial comments but there were no negative votes from the committee. All comments will be processed into versions 2.4.2 under the OMG process, and published as ISO 19508:2014 and 19509:2014. This will then serve as the basis for work on versions 2.5. UPDM 2.1 and SysML 1.3 are being submitted to ISO TC184/SC4 under the “Harvesting” fast track process (TC184 is the Industrial Data technical committee). They were supposed to be handled at their November meeting but this did not happen, and there is no clear news. ISO wants to standardize SBVR, but prefers to wait for version 1.3. ODM has been removed from the Publicly Available Specification (PAS) progression plan.

A Memorandum of Understanding was signed with Energistics (ex-POSC) to collaborate on standards for the Oil & Gas industry. The first joint activity will be a couple of workshops held in Houston on Feb. 25-26, and in Utrecht, Netherlands, on March 30-31. If interested, contact Claude Baudoin who is working on this.

6.2. Platform Technical Committee Subgroup Reports

Andrew Watson verified that the quorum was met. The minutes of the September meeting were approved by white ballot.

Analysis and Design Task Force: JD Baker reported on the ADTF. See Section 3 for details.

Architecture Driven Modernization PTF: Claude Baudoin reported on behalf of co-chairs Bill Ulrich and Djenana Campara that the meeting was entirely devoted to a detailed walkthrough and edits of the Implementation Patterns Metamodel for Software Systems (IPMSS) RFC. Version 7 of the RFC should progress to the Architecture Board in March, and so will the Quality Metrics RFC.

Data Distribution SIG: Gerardo Pardo reported that the SIG had a short meeting. There were discussions on how, procedurally, to progress the revisions required on both the interoperability protocol and the core DDS specification. This will result in the formation of two Revision Task Forces. In the second case, it is simply aimed at splitting the DCPS profile and the DLRL profile into separate documents, so it will be a short-lived RTF with just two members.

System Assurance (SysA) Platform Task Force: Co-chair Kenji Taguchi (AIST) reported that the meeting included:

• a report by Toyota on the Dependability Assurance Framework for Safety-Sensitive Consumer Devices
• a presentation of a UML profile for Threat Modeling and Sharing by Demandware
• an update by Robert Martin (MITRE) on the Structured Assurance Case Metamodel (SACM) RTF
• Ben Calloni (Lockheed Martin) presented on the RFI on Security Policy Extensions for UML, SysML and UPDM

The Machine-checkable Assurance Case Language (MACL) RFP draft should be ready for review at the next meeting.

MARS (Middleware and Related Services) Task Force: Char Wales (MITRE) reported that MARS had a busy full week as usual. The Unified Component Model for Distributed, Real-time and Embedded Systems (UCM for DRE Systems) revised submission was recommended for issuance at the last meeting, but there was a request at this meeting to re-open the LOI. The deadline for RIA Dynamic Components submissions was extended to March. There is an IEF Reference Architecture draft RFP, which should be issued in March. There was an update on the IDL 4.0 RFC, which will probably be issued in March 2014. The UML Profile for DDS RFP will be discussed and should be issued in June. The merged RTI and PrismTech RFCs for a TCP/IP Platform-Specific Model (PSM) for DDS Interoperability should also be ready for adoption in June. The Software Defined Network Working Group met and reviewed 8 responses received to its RFI on Software-Defined Network Application Ecosystem from Cisco/RTI, Dell/Xflow Research, CA, NEC, and Midokura. Responses to the DDS for the Enterprise Edge RFI, which was issued in September, should be ready for review in March.

Ontology Platform SIG: Elisa Kendall (Thematix Partners) reported that the submission team for the API for Knowledge Bases (API4KB) met. There is a lot of synergy between this work and the OntoIOP RFP (which is described in Section 3.2), and Elisa gave some background on the importance of the API4KB work. The ODM 1.1 RTF has been running a long time and has a lot of comments to handle. The report is being submitted for adoption, and there will be an ODM 1.2 RTF to complete the work to support OWL2.

Andrew Watson led the process of issuing the following RFPs, which all passed by white ballot:

• The UML2 Testing Profile (UTP2) RFP, which was approved conditionally by the Architecture Board as long as 4 specific changes are made.
• The OntoIOP RFP.

Andrew led the process to charter, extend, rename or add members to several Finalization Task Forces and Revision Task Forces. All motions passed by white ballot. Five technology adoptions were recommended to the PTC. The vote was started in person and will complete via e-mail:

• Information Exchange Framework Policy Vocabulary (IEFPV) submission
• CTS2 XML-to-JSON Transformation Rules RFC
• DDS Interoperability Wire Protocol 2.2 RTF report
• SysML 1.4 RTF report
• DDS Xtypes RTF report

6.3. Domain Technical Committee Subgroup Reports

Andrew Watson verified that the quorum was met. The minutes of the September meeting were approved by white ballot. The DTC then proceeded with the presentation of subgroup reports.

Manufacturing and Industrial Systems (MANTIS): Uwe Kaufmann (ModelAlchemy) reported that the Task Force met this time. The EXPRESS Metamodel RTF Report was postponed to the next meeting. There was a report from the Product Data Technology Europe Conference on ALM and PLM and Systems engineering. The Task Force’s roadmap was discussed. At the next meeting, there should be discussion on:

• a draft RFI on Engineering Information Management
• Smart Manufacturing and Factory of the Future (a NIST proposal)
• Domain-specific model libraries for SysML

Berndt Wenzel will be replaced by another co-chair at that meeting, due to uncertainties on his availability to attend future meetings.

Government DTF: Manfred Koethe (88 Solutions) reported for co-chairs John Butler and Larry Johnson that there was a one-day meeting of the GovDTF Information Sharing Working Group. There were presentations and discussions about:

• Life Event Concept, presented by the Smart Lean Government Working Group of the American Council for Technology - Industry Advisory Council (ACT-IAC)
• a draft of an Information Sharing Maturity Model
• NIEM-UML 3 standardization path
• Approach to Shared Services
• Alignment of I2F and IEF
• IEF status and Secure Access Management

Manfred reported that the UML Profile for Global Justice Information Sharing Architecture (GRA) RFP was recommended for issuance, and the NIEM-UML FTF report was presented. Future plans include continued work on NIEM 3, and a Workshop on Information Sharing and Safeguarding Standards (WIS3).

Business Modeling & Integration DTF: Fred Cummins reported on this meeting. See details in Section 1 of this report.

Regulatory Compliance: Andrew Watson said that John Hall was back working on this after a long hiatus due to health issues, and is looking forward to reviving the MRC RFP (see Section 1.3).

Systems Engineering Domain SIG: Sandy Friedenthal (Lockheed Martin) reported that Matthew Hause presented on UPDM, and Arnaud Cuccuru presented on Precise Semantics of Composite Structures. There was a joint meeting with the System Assurance PTF on integrating UML/SysML and the GSN (Goal Structuring Notation) Assurance Case. There were presentations about:

• a Model Management working group
• a JPL application of Enterprise Content Management to model management (using the Alfresco open-source ECM tool)
• another JPL presentation on modeling approaches

There was an overview of the changes in SysML 1.4, which was approved by the Architecture Board at this meeting, and a discussion of the subsequent SysML roadmap. Yves Bernard (Airbus) is leading this activity.

Space DTF: Brad Kizzort (Harris Corp.) reported that the Space DTF:

• discussed an RFI for GEMS (Ground Equipment Monitoring Service)
• worked to finalize the XTCE parameter data exchange, and will pursue a Key Parameters Display RFI.

C4I Task Force: Char Wales reported on behalf of Ron Townsend that C4I:

• worked on drafting an RFP for TACSIT (Tactical-Situational) Real Time Data Injection
• received a presentation by the Security Fabric Working Group (SFWG), which had a formation meeting in September and was leaning toward getting chartered as a SIG of the System Assurance PTF
• discussed a Unified Architecture Framework, which may be work done with a broader group than OMG
• received presentations on implementations of the TestIF standard
• voted to suspend the Naval Navigation RFP and the METOC RFP.

Finance DTF: Mike Bennett (EDMC) reported on the meeting, which covered the FIBO Foundation RFC, the FIBO Business Entities RFC, and the Financial Instruments Global Identifiers (FIGI) RFC proposed by Bloomberg. See Section 4 for details. The issuance of the FIGI RFC was deferred to March 2014 in order to resolve some completeness issues, and especially to ensure that the RFC is vendor-neutral and non-proprietary. The involvement of other industry participants besides Bloomberg is highly desirable but is not assured. Andrew Watson asked what the probability of this happening was, and Mike answered “medium to low.” Andrew also asked if regulators were willing to be formally involved, especially since the next meeting will be near Washington, DC. Mike was not quite sure how interested they would be to attend and participate. Elisa Kendall suggested that banks, which have been clamoring for this, should be solicited to help. The March 2014 meeting will only last one day in order to accommodate the “Semantics – Crossing the Chasm” day.

Robotics DTF: Toyotaka Torii (Honda) discussed the Finite State Machine Component for Robotic Technology Component RFP, for which there was a submission from Honda. JASA presented a response to the Hardware Abstract Layer (HAL) RFI. This will lead to an RFP at a future meeting. The three working groups of the DTF reported on their work. There was a report on contacts with SIT regarding collaboration toward the Unmanned Vehicle Conference in Boston in June 2014.

Andrew Watson led the process to approve the first reading of the FIBO Business Entities RFC.

Several motions were made and adopted to charter Finalization and Revision Task Forces, add members to existing ones, and to extend certain RTF deadlines. Votes were started, and will complete by e-mail, on technology adoptions:

• VDML
• FIBO Foundations RFC
• BPMN Profile 1.0 FTF report

7. Next Meetings

The next OMG Technical Meetings are scheduled as follows:

• Reston, Va., March 24-28, 2014
• Boston, Mass., June 16-20, 2014
• Austin, Tex., September 15-19, 2014
• Long Beach, Calif., December 8-12, 2014
• Reston, Va., March 23-27, 2015
• somewhere in Europe, t.b.d., in June 2015