Challenges to the regulatory compliance of SIPS are general types of SE issues that emerge in achieving the regulatory compliance of SIPS.
Principles and practices (PPs) for regulatory compliance of SIPS are any means employed to implement regulatory compliance of SIPS and to tackle the related challenges. These include, but are not limited to, SE methods, tools, frameworks, solutions, and models.
Automation refers to the full or partial replacement of a function previously carried out by the human operator (Parasuraman et al. 2000). Parasuraman et al. (2000) distinguish four types (stages) of automation, each of which can be automated to a different degree:
- information acquisition: automation of the sensing and recording of input data.
- information analysis: automation of cognitive functions such as working memory and inferential processes.
- decision and action selection: automation of choosing among alternatives, ranging from supporting human decision-making to replacing it with machine-based decision-making.
- action implementation: automation of the actual execution of the chosen action, with varying degrees of machine-based execution typically substituting for human manual or vocal execution.
Stakeholder types are as follows: software engineering roles, legal or compliance experts, researchers, other experts, and other stakeholders. We consider that the life cycle of PPs comprises three core stages: development, application, and validation.
We identify the following process areas (PAs) in the SIPS life cycle based on SWEBOK and ISO/IEC 12207 and deduce their potential contribution to regulatory compliance of SIPS:
- SIPS Requirements Engineering (RE)---systematic handling of requirements on SIPS that derive from regulations. This main process area includes the following processes: requirements elicitation, requirements analysis and modeling (REA/M), requirements specification (RES), requirements verification and validation (REVV), and requirements management (REM). Regulatory RE is an area of requirements engineering practice and research that contributes to the compliance of software systems by processing requirements derived from regulations for SE purposes.
- SIPS design (SD)---the process of defining the internal structure of SIPS (e.g., architecture, components, interfaces) in a way that enables their regulatory compliance (e.g., assures verifiability, accommodates future evolution of regulations).
- SIPS development (SDev)---the detailed creation of working SIPS through coding, verification, unit testing, integration testing, and debugging. With respect to regulatory compliance, this process area concerns implementing the requirements derived from regulations.
- SIPS quality assurance (SQA)---dynamic verification that SIPS exhibit the expected behavior on a set of test cases that reflect the regulators' perspective on compliance. This is achieved by verifying the implementation of all requirements originating from regulations (e.g., \cite{corriveau2014requirements}) and by applying the tools and methods that regulators themselves use for compliance verification.
- SIPS deployment---in our study, a set of activities directed towards generating executable and testable SIPS components, combining related components into a single deployable artefact, and putting SIPS into operation. With the advancement of DevOps and automation practices, it becomes essential to ensure both the regulatory compliance of the SIPS deployment process and the regulatory compliance of the deployed SIPS.
- SIPS maintenance (SM)---the totality of activities required to provide cost-effective support to software so that SIPS remain compliant as both the software and the applicable regulations evolve.
Field of regulation (analogous to the concept of "field of law") is a group of social relations that are addressed by a regulation (e.g., GDPR belongs to the personal data protection field of regulation). In our study we have identified the following fields of regulation: Accessibility, AI/ML (capturing any regulations applicable to AI/ML-based software systems), Business (capturing regulations applicable to business processes and/or enterprise information systems across different industries), Privacy, Privacy\&Security (used when the same regulation addresses both Privacy and Security), Quality, Safety, Security, Traffic law, User rights (capturing regulations applicable to SIPS users only, e.g., human rights, patient rights).
Domain of application---the operational domain in which SIPS are engineered and PPs for the regulatory compliance of SIPS are applied. In our study we have defined the following domains of application: Automotive, Avionics, Cloud computing, E-commerce, Education, Energy (including nuclear energy and electricity distribution), Enterprise (capturing a wide range of industries (e.g., retail, food) and activities characteristic of enterprises (e.g., marketing, taxation)), Finances, Government, Healthcare, IoT, Manufacturing, Media, Metrology, Military, Smart home/city, Software development (capturing primary studies focused on SIPS product and outsourcing companies that do not belong to a specific industry), Telecommunications, Transport.
Scoring rubrics for evaluating rigor and relevance follow Ivarsson and Gorschek (2011).