Compositional Specification of Commercial Contracts

Jesper Andersen, Ebbe Elsborg, Fritz Henglein, Jakob Grue Simonsen, and Christian Stefansen
Department of Computer Science, University of Copenhagen (DIKU), Universitetsparken 1, DK-2100 Copenhagen Ø, Denmark

Abstract. We present a declarative language for compositional specification of contracts governing the exchange of resources. It extends Eber and Peyton Jones's declarative language for specifying financial contracts to the exchange of money, goods and services amongst multiple parties, and complements McCarthy's Resources/Events/Agents (REA) accounting model with a view-independent formal contract model that supports definition of user-defined contracts, automatic monitoring under execution, and user-definable analysis of their state before, during and after execution. We provide several realistic examples of commercial contracts and their analysis. A variety of (real) contracts can be expressed in such a fashion as to support their integration, management and analysis in an operational environment that registers events.

1 Introduction

When entrepreneurs enter contractual relationships with a large number of other parties, each with possible variations on standard contracts, they are confronted with the interconnected problems of specifying contracts, monitoring their execution for performance [1], analyzing their ramifications for planning, pricing and other purposes prior to and during execution, and integrating this information with accounting, workflow management, supply chain management, production planning, tax reporting, decision support etc.
1.1 Problems with Informal Contract Management

Typical problems that can arise in connection with informal modeling and representation of contracts and their execution include: (i) disagreement on what a contract actually requires; (ii) agreement on the contract, but disagreement on what events have actually happened (event history); (iii) agreement on contract and event history, but disagreement on remaining contractual obligations; (iv) breach or malexecution of contract; (v) entering bad or undesirable contracts, or missed opportunities; (vi) bad coordination of contractual obligations with production planning and supply chain management; (vii) impossibility, slowness or costliness in evaluating the state of company affairs.

Anecdotal evidence suggests that the costs associated with these problems can be considerable. Eber estimates that a major French investment bank has costs of about 50 mio. Euro per year attributable to (i) and (iv) above, with about half due to legal costs in connection with contract disputes and the other half due to malexecution of financial contracts [Eb02].

In summary, capturing contractual obligations precisely and managing them conscientiously is important for a company's planning, evaluation, and reporting to management, shareholders, tax authorities, regulatory bodies, potential buyers, and others. We argue that a declarative domain-specific (specification) language (DSL) for compositional specification of commercial contracts (defining contracts by combining subcontracts in various, well-defined ways) with an associated precise operational semantics is ideally suited to alleviating the above problems.

[1] Performance in contract lingo refers to compliance with the promises (contractual commitments) stipulated in a contract; nonperformance is also termed breach of contract.
1.2 Contributions

We (i) extend the contract language of Peyton Jones, Eber and Seward for two-party financial contracts in a view-independent fashion to multi-party commercial contracts with iteration and first-order recursion. They involve explicit agents and transfers of arbitrary resources (money, goods and services, or even pieces of information), not only currencies. Our contract language is stratified into a pluggable base language for atomic contracts (commitments) and a combinator language for composing commitments into structured contracts. In addition, we (ii) provide a natural contract semantics based on an inductive definition of when a trace, a finite sequence of events, constitutes a successful ("performing") completion of a contract. This induces a denotational semantics, which compositionally maps contracts to trace sets as in Hoare's Communicating Sequential Processes (CSP). We (iii) systematically develop three operational semantics in a stepwise fashion, starting from the denotational semantics: a reduction semantics with deferred matching of events to specific commitments in a contract; an eager matching semantics in which events are matched nondeterministically against commitments; and finally an eager matching semantics where an event is equipped with explicit control information that routes it deterministically to a particular commitment. Finally, we (iv) validate the applicability of our language by encoding a variety of existing contracts in it, and illustrate the analyzability of contracts by providing examples of compositional analysis.

Our work builds on a previous language design by Andersen and Elsborg [AE03] and is inspired by Peyton Jones and Eber's compositional specification of financial contracts, the REA accounting model and CSP-like process algebras. See Section 7 for a comparison with that work.

2 Modeling Commercial Contracts

A contract is an agreement between two or more parties which creates obligations to do or not do the specific things that are the subject of that agreement. A commercial contract is a contract whose subject is the exchange of scarce resources (money, goods, and services).
Examples of commercial contracts are sales orders, service agreements, and rental agreements. Adopting terminology from the REA accounting model [McC82] we shall also call obligations commitments and parties agents.

2.1 Contract Patterns

In its simplest form a contract commits two contract parties to an exchange of resources such as goods for money or services for money; that is, to a pair of transfers of resources from one party to the other, where one transfer is in consideration of the other. The sales order template in Figure 1 commits the two parties (seller, buyer) to a pair of transfers, of goods from seller to buyer and of money from buyer to seller. Many commercial contracts are of this simple quid-pro-quo kind, but far from all. Consider the legal services agreement template in Figure 2. Here commitments for rendering of a monthly legal service are repeated, and each monthly service consists of a standard service part and an optional service part. More generally, a contract may allow for alternative executions, any one of which satisfies the given contract.

We can discern the following basic contract patterns for composing commercial contracts from subcontracts (a subcontract is a contract used as part of another contract):
- a commitment stipulates the transfer of a resource or set of resources between two parties; it constitutes an atomic contract;
- a contract may require sequential execution of subcontracts;
- a contract may require concurrent execution of subcontracts, that is, execution of all subcontracts, where individual commitments may be interleaved in arbitrary order;
- a contract may require execution of one of a number of alternative subcontracts;
- a contract may require repeated execution of a subcontract.

In the remainder of this paper we shall explore a declarative contract specification language based on these contract patterns.

Fig. 1 Agreement to Sell Goods
Section 1. (Sale of goods) Seller shall sell and deliver to buyer (description of goods) no later than (date).
Section 2. (Consideration) In consideration hereof, buyer shall pay (amount in dollars) in cash on delivery at the place where the goods are received by buyer.
Section 3. (Right of inspection) Buyer shall have the right to inspect the goods on arrival and, within (days) business days after delivery, buyer must give notice (detailed-claim) to seller of any claim for damages on goods.

Fig. 2 Agreement to Provide Legal Services
Section 1. The attorney shall provide, on a non-exclusive basis, legal services up to (n) hours per month, and furthermore provide services in excess of (n) hours upon agreement.
Section 2. In consideration hereof, the company shall pay a monthly fee of (amount in dollars) before the 8th day of the following month and (rate) per hour for any services in excess of (n) hours 40 days after the receipt of an invoice.
Section 3. This contract is valid 1/1-12/31, 2004.

3 Compositional Contract Language

In this section we present a core contract specification language that reflects the contract composition patterns of Section 2.1. This is a cursory presentation, with no proofs given. See the technical report [AEH+04] for a full presentation.

3.1 Syntax

Our contract language $\mathcal{C}_P$ is defined inductively by the inference system for deriving judgments of the forms $\Gamma; \Delta \vdash c : \mathrm{Contract}$ and $D : \Gamma$. Here $\Gamma$ and $\Delta$ range over maps from identifiers to contract template types and to base types, respectively. The $\oplus$-operator on maps is defined as follows:
$$(m \oplus m')(x) = \begin{cases} m'(x) & \text{if } x \in \mathrm{domain}(m') \\ m(x) & \text{otherwise} \end{cases}$$
The language is built on top of a typed base language $P$, defined by judgments $\Delta \vdash a : \tau$, that defines expressions denoting agents, resources, time, other basic types and predicates (Boolean expressions) over those. $P$ provides the possibility of referring to observables [JES00,JE03].
The language is parametric in $P$, and we shall introduce suitable base language expressions on an ad hoc basis in our examples for illustrative purposes.

The language $\mathcal{C}_P$ is defined by the inference system in Figure 3. If the judgment $\Gamma; \Delta \vdash c : \mathrm{Contract}$ is derivable, we say that $c$ is a well-defined contract given type assumptions $\Gamma$ and $\Delta$.

Fig. 3 Syntax for contract specifications
$$\frac{}{\Gamma;\Delta \vdash \mathrm{Success} : \mathrm{Contract}} \qquad \frac{}{\Gamma;\Delta \vdash \mathrm{Failure} : \mathrm{Contract}} \qquad \frac{\Gamma(f) = \vec\tau \to \mathrm{Contract} \quad \Delta \vdash \vec a : \vec\tau}{\Gamma;\Delta \vdash f(\vec a) : \mathrm{Contract}}$$
$$\frac{\Delta' = \{A_1 : \mathrm{Agent},\ A_2 : \mathrm{Agent},\ R : \mathrm{Resource},\ T : \mathrm{Time}\} \quad \Gamma;\Delta \oplus \Delta' \vdash c : \mathrm{Contract} \quad \Delta \oplus \Delta' \vdash P : \mathrm{Boolean}}{\Gamma;\Delta \vdash \mathrm{transmit}(A_1, A_2, R, T \mid P).\, c : \mathrm{Contract}}$$
$$\frac{\Gamma;\Delta \vdash c_1 : \mathrm{Contract} \quad \Gamma;\Delta \vdash c_2 : \mathrm{Contract}}{\Gamma;\Delta \vdash c_1 + c_2 : \mathrm{Contract}} \qquad \frac{\Gamma;\Delta \vdash c_1 : \mathrm{Contract} \quad \Gamma;\Delta \vdash c_2 : \mathrm{Contract}}{\Gamma;\Delta \vdash c_1 ; c_2 : \mathrm{Contract}} \qquad \frac{\Gamma;\Delta \vdash c_1 : \mathrm{Contract} \quad \Gamma;\Delta \vdash c_2 : \mathrm{Contract}}{\Gamma;\Delta \vdash c_1 \parallel c_2 : \mathrm{Contract}}$$
$$\frac{\Gamma = \{f_i : \tau_{i1} \times \cdots \times \tau_{in_i} \to \mathrm{Contract}\}_{i=1}^{m} \quad \Gamma; \{X_{i1} : \tau_{i1}, \ldots, X_{in_i} : \tau_{in_i}\} \vdash c_i : \mathrm{Contract}}{\{f_i[\vec X_i] = c_i\}_{i=1}^{m} : \Gamma}$$
$$\frac{\{f_i[\vec X_i] = c_i\}_{i=1}^{m} : \Gamma \quad \Gamma;\Delta \vdash c : \mathrm{Contract}}{\Delta \vdash \mathrm{letrec}\ \{f_i[\vec X_i] = c_i\}_{i=1}^{m}\ \mathrm{in}\ c : \mathrm{Contract}}$$

Success denotes the trivial or (successfully) completed contract: it carries no obligations on anybody. Failure denotes the inconsistent or failed contract; it signifies breach of contract or a contract that is impossible to fulfill. The environment $D = \{f_i[\vec X_i] = c_i\}_{i=1}^{m}$ contains named contract templates. A contract template needs to be instantiated with actual arguments from the base language. The contract expression $\mathrm{transmit}(A_1, A_2, R, T \mid P).\, c$ represents a contract where the commitment $\mathrm{transmit}(A_1, A_2, R, T \mid P)$ must be satisfied first. Note that $A_1, A_2, R, T$ are binding variable occurrences whose scope is $P$ and $c$. The commitment must be matched by a (transfer) event $e = \mathrm{transmit}(a_1, a_2, r, t)$ of resource $r$ from agent $a_1$ to agent $a_2$ at time $t$ where $P(a_1, a_2, r, t)$ holds. After matching, the residual contract is $c$ in which $A_1, A_2, R, T$ are bound to $a_1, a_2, r, t$, respectively. In this fashion, the subsequent contractual obligations expressed by $c$ may depend on the actual values in event $e$. The contract combinators $+$, $\parallel$ and $;$ compose subcontracts according to the contract patterns we have discerned: by alternation, concurrently, and sequentially, respectively. A contract consists of a finite set of named contract templates and a contract body. Note that contract templates may be (mutually) recursive, which, in particular, lets us capture repetition of subcontracts. In the following we shall adopt the convention that $A_1, A_2, R, T$ must not be bound in environment $\Delta$.
If a variable from $\Delta$, or any expression $a$ only involving variables bound in $\Delta$, occurs as an argument of a transmit, we interpret this as an abbreviation; e.g., $\mathrm{transmit}(a, A_2, R, T \mid P).\, c$ abbreviates $\mathrm{transmit}(A_1, A_2, R, T \mid P \wedge A_1 = a).\, c$ where $A_1$ is a new (agent-typed) variable not bound in $\Delta$ and different from $A_2$, $R$ and $T$. We abbreviate $\mathrm{transmit}(A_1, A_2, R, T \mid P).\, \mathrm{Success}$ to $\mathrm{transmit}(A_1, A_2, R, T \mid P)$. Examples encoding the contracts from Figures 1 and 2 are presented in Section 4.

3.2 Event Traces and Contract Satisfaction

A contract specifies a set of alternative performing event sequences (contract executions), each of which satisfies the obligations expressed in the contract and concludes it. In this section we make these notions precise for our language.

A base structure is a tuple $(R, T, A)$ of a set of resources $R$, a set of agents $A$ and a totally ordered set $(T, \le_T)$ of dates (or time points), plus other sets for other types, as needed. A (transfer) event is a term $\mathrm{transmit}(a_1, a_2, r, t)$, where $a_1, a_2 \in A$, $r \in R$ and $t \in T$. An (event) trace $s$ is a finite sequence of events that is chronologically ordered; that is, for $s = e_1 \ldots e_n$ the time points in $e_1 \ldots e_n$ occur in ascending order. We adopt the following notation: $\varepsilon$ denotes the empty sequence; a trace consisting of a single event $e$ is denoted by $e$ itself; concatenation of traces $s_1$ and $s_2$ is denoted by juxtaposition: $s_1 s_2$; we write $(s_1, s_2) \rightsquigarrow s$ if $s$ is an interleaving of the events in traces $s_1$ and $s_2$; we write $\vec X$ for the vector $X_1, \ldots, X_k$ with $k \ge 0$ and where $k$ can be deduced from the context; we write $P[a_1/A_1, a_2/A_2, r/R, t/T]$ and $c[a_1/A_1, a_2/A_2, r/R, t/T]$ for substitution of expressions $a_1, a_2, r, t$ for the free variables $A_1, A_2, R, T$ in Boolean expression $P$ and contract expression $c$, respectively [2].

We are now ready to specify when a trace satisfies a contract, i.e. gives rise to a performing execution of the contract. This is done inductively by the inference system for judgments $s \vdash^{\delta}_{D} c$ in Figure 4, where $D = \{f_i[\vec X_i] = c_i\}_{i=1}^{m}$ is a finite set of named contract templates and $\delta$ is a finite set of bindings of variables to elements of the given base structure. A derivable judgment $s \vdash^{\delta}_{D} c$ expresses that event sequence $s$ satisfies (successfully executes and concludes) contract $c$ in an environment where contract templates are defined as in $D$ and $\delta$ specifies to which values the base variables in $c$ and $D$ are bound. Conversely, if $s \vdash^{\delta}_{D} c$ is not derivable then $s$ does not satisfy $c$. The premise $\delta \models P[a_1/A_1, a_2/A_2, r/R, t/T]$ in the third rule stipulates that $P[a_1/A_1, a_2/A_2, r/R, t/T]$, with free variables bound as in $\delta$, must be true for an event to match the corresponding commitment.

Fig. 4 Contract satisfaction
$$\frac{}{\varepsilon \vdash^{\delta}_{D} \mathrm{Success}} \qquad \frac{s \vdash^{\delta}_{D} c[\vec a/\vec X] \quad (f[\vec X] = c) \in D}{s \vdash^{\delta}_{D} f(\vec a)}$$
$$\frac{\delta \models P[a_1/A_1, a_2/A_2, r/R, t/T] \quad s \vdash^{\delta}_{D} c[a_1/A_1, a_2/A_2, r/R, t/T]}{\mathrm{transmit}(a_1, a_2, r, t)\, s \vdash^{\delta}_{D} \mathrm{transmit}(A_1, A_2, R, T \mid P).\, c}$$
$$\frac{s_1 \vdash^{\delta}_{D} c_1 \quad s_2 \vdash^{\delta}_{D} c_2 \quad (s_1, s_2) \rightsquigarrow s}{s \vdash^{\delta}_{D} c_1 \parallel c_2} \qquad \frac{s_1 \vdash^{\delta}_{D} c_1 \quad s_2 \vdash^{\delta}_{D} c_2}{s_1 s_2 \vdash^{\delta}_{D} c_1 ; c_2} \qquad \frac{s \vdash^{\delta}_{D} c}{s \vdash^{\delta} \mathrm{letrec}\ D\ \mathrm{in}\ c}$$
$$\frac{s \vdash^{\delta}_{D} c_1}{s \vdash^{\delta}_{D} c_1 + c_2} \qquad \frac{s \vdash^{\delta}_{D} c_2}{s \vdash^{\delta}_{D} c_1 + c_2}$$

3.3 Contract Monitoring by Residuation

Extensionally, contracts classify traces (event sequences) into performing and nonperforming ones. We define the extension of a contract $c$ to be the set of its performing executions: $\mathcal{C}[\![c]\!]_{D;\delta} = \{s : s \vdash^{\delta}_{D} c\}$. We say $c$ denotes a trace set $S$ in context $D, \delta$ if $\mathcal{C}[\![c]\!]_{D;\delta} = S$ [3].
We are not only interested in classifying complete event sequences once they have happened, though, but in monitoring contract execution as it unfolds in time under the arrival of events. Given a trace set $S$ denoted by a contract $c$ and an event $e$, the residuation function $/$ captures how $c$ can be satisfied if the first event is $e$. It is defined as follows:
$$S/e = \{s' \mid e\, s' \in S\}$$
Conceptually, we can map contracts to trace sets and use the residuation function to monitor contract execution as follows:

1. Map a given contract $c_0$ to the trace set $S_0$ that it denotes. If $S_0 = \emptyset$, stop and output "inconsistent".
2. For $i = 0, 1, \ldots$ do: Receive message $e_i$.
   (a) If $e_i$ is a transfer event, compute $S_{i+1} = S_i / e_i$. If $S_{i+1} = \emptyset$, stop and output "breach of contract"; otherwise continue.
   (b) If $e_i$ is a "terminate contract" message, check whether $\varepsilon \in S_i$. If so, all obligations have been fulfilled and the contract can be terminated. Stop and output "successfully completed". If $\varepsilon \notin S_i$, output "cannot be terminated now", let $S_{i+1} = S_i$ and continue to receive messages.

To make the conceptual algorithm for contract life cycle monitoring from Section 3.3 operational, we need to represent the residual trace sets and provide methods for deciding the tests for emptiness and failure. In particular, we would like to use contracts as representations for trace sets. Not all trace sets are denotable by contracts, however. In particular, given a contract $c$ that denotes a trace set $S_c$ it is not a priori clear whether $S_c/e$ is denotable by a contract $c'$. If it is, we call $c'$ the residual contract of $c$ after $e$.

[2] We have not specified a particular language of Boolean expressions; we only require that it has a well-defined notion of substitution.
[3] A variant of $\mathcal{C}[\![c]\!]_{D;\delta}$ can be characterized compositionally, yielding a denotational semantics; see [AEH+04].

3.4 Nullable and Guarded Contracts

In this section we characterize nullability of a contract and introduce guarding, which is a sufficient condition on contracts for ensuring that residuation can be performed by reduction on contracts.

Fig. 5 Nullable contracts
$$\frac{D \vdash c\ \mathrm{nullable} \quad (f[\vec X] = c) \in D}{D \vdash f(\vec a)\ \mathrm{nullable}} \qquad \frac{D \vdash c\ \mathrm{nullable}}{D \vdash c + c'\ \mathrm{nullable}} \qquad \frac{D \vdash c'\ \mathrm{nullable}}{D \vdash c + c'\ \mathrm{nullable}}$$
$$\frac{}{D \vdash \mathrm{Success}\ \mathrm{nullable}} \qquad \frac{D \vdash c\ \mathrm{nullable} \quad D \vdash c'\ \mathrm{nullable}}{D \vdash c \parallel c'\ \mathrm{nullable}} \qquad \frac{D \vdash c\ \mathrm{nullable} \quad D \vdash c'\ \mathrm{nullable}}{D \vdash c ; c'\ \mathrm{nullable}}$$

Let us write $D \models c\ \mathrm{nullable}$ if $\varepsilon \in \mathcal{C}[\![c]\!]_{D;\delta}$ for all $\delta$. We call such a contract nullable (or terminable): it can be concluded successfully, but may possibly also be continued. E.g., the contract $\mathrm{Success} + \mathrm{transmit}(A_1, A_2, R, T \mid P)$ is nullable, as it may be concluded successfully (left choice). Note, however, that it may also be continued (right choice). It is easy to see that nullability is independent of $\delta$: $\varepsilon \in \mathcal{C}[\![c]\!]_{D;\delta}$ for some $\delta$ if and only if $\varepsilon \in \mathcal{C}[\![c]\!]_{D;\delta'}$ for any other $\delta'$. Deciding nullability is required to implement Step 2b in contract monitoring.
The following proposition expresses that nullability is characterized by the inference system in Figure 5.

Proposition 1. $D \models c\ \mathrm{nullable} \iff D \vdash c\ \mathrm{nullable}$.

A contract $c$ is (hereditarily) guarded in context $D$ if $D \vdash c\ \mathrm{guarded}$ is derivable from Figure 6; intuitively, guardedness ensures that in a contract with mutual recursion, we do not have (mutual) recursions such as $\{f[\vec X] = g[\vec X],\ g[\vec X] = f[\vec X]\}$ that cause the residuation algorithm to loop infinitely.

3.5 Operational Semantics I: Deferred Matching

Residuation on trace sets tells us how to maintain the trace set under arrival of events. In this section we present a reduction semantics for contracts, which lifts residuation on trace sets to contracts and thus provides a monitoring semantics for contract execution.
Fig. 6 Guarded contracts
$$\frac{}{D \vdash \mathrm{Success}\ \mathrm{guarded}} \qquad \frac{}{D \vdash \mathrm{Failure}\ \mathrm{guarded}} \qquad \frac{}{D \vdash \mathrm{transmit}(\vec X \mid P).\, c\ \mathrm{guarded}} \qquad \frac{D \vdash c\ \mathrm{guarded} \quad (f[\vec X] = c) \in D}{D \vdash f(\vec a)\ \mathrm{guarded}}$$
$$\frac{D \vdash c\ \mathrm{guarded} \quad D \vdash c'\ \mathrm{guarded}}{D \vdash c + c'\ \mathrm{guarded}} \qquad \frac{D \vdash c\ \mathrm{guarded} \quad D \vdash c'\ \mathrm{guarded}}{D \vdash c \parallel c'\ \mathrm{guarded}} \qquad \frac{D \vdash c\ \mathrm{guarded} \quad D \vdash c'\ \mathrm{guarded}}{D \vdash c ; c'\ \mathrm{guarded}}$$

Fig. 7 Deterministic reduction (deferred matching)
$$\frac{}{D, \delta \vdash_{\mathrm{D}} \mathrm{Success} \xrightarrow{e} \mathrm{Failure}} \qquad \frac{}{D, \delta \vdash_{\mathrm{D}} \mathrm{Failure} \xrightarrow{e} \mathrm{Failure}}$$
$$\frac{\delta \models P[\vec a/\vec X]}{D, \delta \vdash_{\mathrm{D}} \mathrm{transmit}(\vec X \mid P).\, c \xrightarrow{\mathrm{transmit}(\vec a)} c[\vec a/\vec X]} \qquad \frac{\delta \not\models P[\vec a/\vec X]}{D, \delta \vdash_{\mathrm{D}} \mathrm{transmit}(\vec X \mid P).\, c \xrightarrow{\mathrm{transmit}(\vec a)} \mathrm{Failure}}$$
$$\frac{D, \delta \vdash_{\mathrm{D}} c[\vec a/\vec X] \xrightarrow{e} c' \quad (f[\vec X] = c) \in D}{D, \delta \vdash_{\mathrm{D}} f(\vec a) \xrightarrow{e} c'} \qquad \frac{D, \delta \vdash_{\mathrm{D}} c \xrightarrow{e} d \quad D, \delta \vdash_{\mathrm{D}} c' \xrightarrow{e} d'}{D, \delta \vdash_{\mathrm{D}} c + c' \xrightarrow{e} d + d'}$$
$$\frac{D, \delta \vdash_{\mathrm{D}} c \xrightarrow{e} d \quad D, \delta \vdash_{\mathrm{D}} c' \xrightarrow{e} d'}{D, \delta \vdash_{\mathrm{D}} c \parallel c' \xrightarrow{e} (d \parallel c') + (c \parallel d')}$$
$$\frac{D \vdash c\ \mathrm{nullable} \quad D, \delta \vdash_{\mathrm{D}} c \xrightarrow{e} d \quad D, \delta \vdash_{\mathrm{D}} c' \xrightarrow{e} d'}{D, \delta \vdash_{\mathrm{D}} c ; c' \xrightarrow{e} (d ; c') + d'} \qquad \frac{D \nvdash c\ \mathrm{nullable} \quad D, \delta \vdash_{\mathrm{D}} c \xrightarrow{e} d}{D, \delta \vdash_{\mathrm{D}} c ; c' \xrightarrow{e} d ; c'}$$
$$\frac{D, \delta \vdash_{\mathrm{D}} c \xrightarrow{e} c'}{\delta \vdash_{\mathrm{D}} \mathrm{letrec}\ D\ \mathrm{in}\ c \xrightarrow{e} \mathrm{letrec}\ D\ \mathrm{in}\ c'}$$

The ability to represent the residual contract obligations of a partially executed contract, and thus any state of a contract, as a bona fide contract carries the advantage that any analysis that is performed on original contracts automatically extends to partially executed contracts as well. E.g., an investment bank that applies valuations to financial contracts before offering them to customers can apply its valuations to its portfolio of contracts under execution, e.g., to analyze its risk exposure under current market conditions.

The reduction semantics is presented in Figure 7. The basic matching rule is
$$\frac{\delta \models P[\vec a/\vec X]}{D, \delta \vdash_{\mathrm{D}} \mathrm{transmit}(\vec X \mid P).\, c \xrightarrow{\mathrm{transmit}(\vec a)} c[\vec a/\vec X]}$$
It matches an event with a specific commitment in a contract. There may be multiple commitments in a contract that match the same event. The semantics captures the possibilities of matching an event against multiple commitments by applying all possible reductions in alternative and concurrent contract forms and forming the sum of their possible outcomes (some of which may actually be Failure). The rule
$$\frac{D, \delta \vdash_{\mathrm{D}} c \xrightarrow{e} d \quad D, \delta \vdash_{\mathrm{D}} c' \xrightarrow{e} d'}{D, \delta \vdash_{\mathrm{D}} c + c' \xrightarrow{e} d + d'}$$
thus reduces both alternatives $c$ and $c'$ and then forms the sum of their respective results $d$, $d'$. Finally, the rule
$$\frac{D \vdash c\ \mathrm{nullable} \quad D, \delta \vdash_{\mathrm{D}} c \xrightarrow{e} d \quad D, \delta \vdash_{\mathrm{D}} c' \xrightarrow{e} d'}{D, \delta \vdash_{\mathrm{D}} c ; c' \xrightarrow{e} (d ; c') + d'}$$
captures that $e$ can be matched in $c$ or, if $c$ is nullable, in $c'$. Note that, if $c$ is not nullable, $e$ can only be matched in $c$, not $c'$, as expressed by the rule
$$\frac{D \nvdash c\ \mathrm{nullable} \quad D, \delta \vdash_{\mathrm{D}} c \xrightarrow{e} d}{D, \delta \vdash_{\mathrm{D}} c ; c' \xrightarrow{e} d ; c'}$$
In this fashion the semantics keeps track of the results of all possible matches in a reduction sequence as explicit alternatives (summands) and defers the decision as to which specific commitment is matched by a particular event during contract execution until the very end: by selecting a particular summand in a residual contract after a number of reduction steps that represents Success (and the contract is thus terminable), a particular set of matching decisions is chosen ex post. As presented, the reduction semantics gives rise to an implementation in which the multiple reducts of previous reduction steps are reduced in parallel, since they are represented as summands in a single contract, and the rule for reduction of sums reduces both summands. It is relatively straightforward to turn this into a backtracking semantics by an asymmetric reduction rule for sums, which delays reduction of the right summand.

Guardedness is key to ensuring termination of contract residuation and thus that every (guarded) contract has a residual contract under any event in the reduction semantics of Figure 7.

Theorem 1. If $c \in \mathcal{C}_P$ is guarded then for each event $e$ there exists a unique $c' \in \mathcal{C}_P$ such that $D, \delta \vdash_{\mathrm{D}} c \xrightarrow{e} c'$. Furthermore, $c'$ is guarded and $D, \delta \models c/e = c'$, which means $\mathcal{C}[\![c]\!]_{D;\delta}/e = \mathcal{C}[\![c']\!]_{D;\delta}$.

Using this reduction semantics we can turn our conceptual contract monitoring algorithm into a real algorithm. Proposition 1 provides a syntactic characterization of nullability, which can easily (though not trivially) be turned into an algorithm. Inconsistency, i.e. whether a contract denotes the empty trace set or not, is not treated here; see the full report [AEH+04].

3.6 Operational Semantics II: Eager Matching

The deferred matching semantics of Figure 7 is flexible and faithful to the natural notion of contract satisfaction as defined in Figure 4.
But from an accounting practice point of view it is odd, because matching decisions are deferred. In bookkeeping the standard modus operandi is that events are matched against specific commitments eagerly, that is, online, as events arrive [4]. We shall turn the deferred matching semantics of Figure 7 into an eager matching semantics (Figure 8). The idea is simple: represent here-and-now choices as alternative rules (meta-level) as opposed to alternative contracts (object level). Specifically, we split the rules for reducing alternative and concurrent subcontracts into multiple rules, and we capture the possibility of reducing in the second component of a sequential contract by adding $\tau$-transitions, which spontaneously (without a driving external event) reduce a contract of the form $\mathrm{Success}; c$ to $c$. For this to be sufficient we have to make sure that a nullable contract can indeed be reduced to Success, not just to a contract that is equivalent to Success, such as $\mathrm{Success} \parallel \mathrm{Success}$. This is done by ensuring that the $\tau$-transitions are strong enough to guarantee reduction to Success as required.

[4] There are standard accounting practices for changing such decisions, but both the default and the standard conceptual model are that matching decisions are made as early as possible. In general, representing and deferring choices and applying hypothetical reasoning to them appears to be a rather unusual phenomenon in accounting.

Fig. 8 Nondeterministic reduction (eager matching)
$$\frac{}{D, \delta \vdash_{\mathrm{N}} \mathrm{Success} \xrightarrow{e} \mathrm{Failure}} \qquad \frac{}{D, \delta \vdash_{\mathrm{N}} \mathrm{Failure} \xrightarrow{e} \mathrm{Failure}}$$
$$\frac{\delta \models P[\vec a/\vec X]}{D, \delta \vdash_{\mathrm{N}} \mathrm{transmit}(\vec X \mid P).\, c \xrightarrow{\mathrm{transmit}(\vec a)} c[\vec a/\vec X]} \qquad \frac{\delta \not\models P[\vec a/\vec X]}{D, \delta \vdash_{\mathrm{N}} \mathrm{transmit}(\vec X \mid P).\, c \xrightarrow{\mathrm{transmit}(\vec a)} \mathrm{Failure}}$$
$$\frac{(f[\vec X] = c) \in D}{D, \delta \vdash_{\mathrm{N}} f(\vec a) \xrightarrow{\tau} c[\vec a/\vec X]} \qquad \frac{}{D, \delta \vdash_{\mathrm{N}} c + c' \xrightarrow{\tau} c} \qquad \frac{}{D, \delta \vdash_{\mathrm{N}} c + c' \xrightarrow{\tau} c'}$$
$$\frac{D, \delta \vdash_{\mathrm{N}} c \xrightarrow{\lambda} d}{D, \delta \vdash_{\mathrm{N}} c \parallel c' \xrightarrow{\lambda} d \parallel c'} \qquad \frac{D, \delta \vdash_{\mathrm{N}} c' \xrightarrow{\lambda} d'}{D, \delta \vdash_{\mathrm{N}} c \parallel c' \xrightarrow{\lambda} c \parallel d'} \qquad \frac{}{D, \delta \vdash_{\mathrm{N}} \mathrm{Success} \parallel c \xrightarrow{\tau} c} \qquad \frac{}{D, \delta \vdash_{\mathrm{N}} c \parallel \mathrm{Success} \xrightarrow{\tau} c}$$
$$\frac{}{D, \delta \vdash_{\mathrm{N}} \mathrm{Success}; c \xrightarrow{\tau} c} \qquad \frac{D, \delta \vdash_{\mathrm{N}} c \xrightarrow{\lambda} d}{D, \delta \vdash_{\mathrm{N}} c ; c' \xrightarrow{\lambda} d ; c'} \qquad \frac{D, \delta \vdash_{\mathrm{N}} c \xrightarrow{e} c'}{\delta \vdash_{\mathrm{N}} \mathrm{letrec}\ D\ \mathrm{in}\ c \xrightarrow{e} \mathrm{letrec}\ D\ \mathrm{in}\ c'}$$

Based on these considerations we arrive at the reduction semantics in Figure 8, where the meta-variable $\lambda$ ranges over events and the internal event $\tau$. Note that it is nondeterministic and not even confluent: a contract $c$ can be reduced to two different contracts by the same event. Consider, e.g., $c = a; b + a; b'$ where $a, b, b'$ are commitments with suitable $D, \delta$, no two of which match the same event. For an event $e$ matching $a$ we have $D, \delta \vdash_{\mathrm{N}} c \xrightarrow{e} b$ and $D, \delta \vdash_{\mathrm{N}} c \xrightarrow{e} b'$, but neither $b$ nor $b'$ can be reduced to Success, or to any other contract, by the same event sequence. In reducing $c$ we have not only resolved it against $e$, but also made a decision: whether to apply $e$ to the first alternative of $c$ or to the second. Technically, the reduction semantics is not closed under residuation: given $c$ and $e$ it is not always possible to find $c'$ such that $D, \delta \vdash_{\mathrm{N}} c \xrightarrow{e} c'$ and $D, \delta \models c/e = c'$. It is sound, however, in the sense that the reduct always denotes a subset of the residual trace set:

Proposition 2.
1. If $D, \delta \vdash_{\mathrm{N}} c \xrightarrow{e} c'$ then $D, \delta \models c' \subseteq c/e$.
2. If $D, \delta \vdash_{\mathrm{N}} c \xrightarrow{\tau} c'$ then $D, \delta \models c' \subseteq c$.

Even though individual eager reductions do not preserve residuation, the set of all reductions does so:

Proposition 3. If $D, \delta \vdash_{\mathrm{D}} c \xrightarrow{e} c'$ then there exist contracts $c'_1, \ldots, c'_n$ for some $n \ge 1$ such that $D, \delta \vdash_{\mathrm{N}} c \xrightarrow{\tau}{}^{*} c_i \xrightarrow{e} c'_i$ for all $i = 1 \ldots n$ and $D, \delta \models c' = \sum_{i=1}^{n} c'_i$. The notation $\xrightarrow{\tau}{}^{*}$ indicates any number $\ge 0$ of $\tau$-transitions.

As a corollary, Propositions 2 and 3 combined yield that the object-level nondeterminism (expressed as contract alternatives) in the deferred matching semantics is faithfully reflected in the meta-level nondeterminism (expressed as multiple applicable rules) of the eager matching semantics.
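The following Python is an added example, not code from the paper, that makes the machinery of Sections 3.3 to 3.6 executable on a concrete trace: contracts are built from the combinators of Figure 3, `nullable` implements Figure 5, `residual` implements the deferred-matching reduction of Figure 7 (every commitment that could absorb the event is kept as a summand, rather than choosing one eagerly as in Figure 8), and `monitor` runs the life-cycle loop of Section 3.3. All names here (`SUCCESS`, `FAILURE`, `alt`, `par`, `seq`, `transmit`, `simp`, `commitment`, `sale`) are my own, as are the assumptions that agents and resources are strings, that time points are integer day numbers, and that the pluggable predicate language is plain Python. A recursive template would be a Python function called inside a transmit continuation, which keeps it guarded by construction; the sales order of Figure 1, encoded in `sale`, needs none.

```python
# Added example, not code from the paper: a toy interpreter for the contract
# combinators of Section 3 with nullability (Fig. 5), deferred-matching
# residuation (Fig. 7) and the monitoring loop of Section 3.3.
# Assumptions: agents/resources are strings, time points are ints (day numbers),
# the pluggable predicate language is plain Python, and recursive templates are
# Python functions called inside a transmit continuation (guarded by construction).

SUCCESS, FAILURE = ("success",), ("failure",)


def transmit(pred, cont):
    """transmit(A1, A2, R, T | pred). cont: both take the matched (a1, a2, r, t)."""
    return ("transmit", pred, cont)


def alt(c1, c2): return ("alt", c1, c2)   # c1 + c2
def par(c1, c2): return ("par", c1, c2)   # c1 || c2
def seq(c1, c2): return ("seq", c1, c2)   # c1 ; c2


def nullable(c):
    """Fig. 5: can c be concluded successfully right now?"""
    kind = c[0]
    if kind == "success":
        return True
    if kind in ("failure", "transmit"):
        return False
    if kind == "alt":
        return nullable(c[1]) or nullable(c[2])
    return nullable(c[1]) and nullable(c[2])  # par, seq


def simp(c):
    """Drop Failure summands and Success factors. The denoted trace set is
    unchanged, but a breach becomes visible as the literal contract FAILURE."""
    kind = c[0]
    if kind == "alt":
        if c[1] == FAILURE:
            return c[2]
        if c[2] == FAILURE:
            return c[1]
    elif kind in ("par", "seq"):
        if FAILURE in (c[1], c[2]):
            return FAILURE
        if c[1] == SUCCESS:
            return c[2]
        if c[2] == SUCCESS:
            return c[1]
    return c


def residual(c, e):
    """Fig. 7 (deferred matching): the residual contract c/e for the event
    e = (a1, a2, r, t). Every commitment that could absorb e is kept as a
    summand, so no matching decision is taken yet."""
    kind = c[0]
    if kind in ("success", "failure"):
        return FAILURE
    if kind == "transmit":
        return c[2](*e) if c[1](*e) else FAILURE
    if kind == "alt":
        return simp(alt(residual(c[1], e), residual(c[2], e)))
    if kind == "par":
        return simp(alt(simp(par(residual(c[1], e), c[2])),
                        simp(par(c[1], residual(c[2], e)))))
    d = simp(seq(residual(c[1], e), c[2]))  # e matched in c1, or ...
    if nullable(c[1]):                       # ... in c2 when c1 is nullable
        return simp(alt(d, residual(c[2], e)))
    return d


def monitor(c, messages):
    """Section 3.3 loop; a message is an event or the string 'terminate'.
    Returns the list of outputs and the final residual contract."""
    out = []
    for m in messages:
        if m == "terminate":
            if nullable(c):
                out.append("successfully completed")
                break
            out.append("cannot be terminated now")
            continue
        c = residual(c, m)
        if c == FAILURE:
            out.append("breach of contract")
            break
        out.append("ok")
    return out, c


def commitment(a1, a2, r, when=lambda t: True):
    """transmit(a1, a2, r, T | when(T)) with no continuation (Section 3.1)."""
    return transmit(lambda x1, x2, s, t: (x1, x2, s) == (a1, a2, r) and when(t),
                    lambda *_: SUCCESS)


def sale(seller, buyer, goods, price, deadline, days):
    """Figure 1: delivery by the deadline binds T; then cash on the delivery
    day, concurrently with an optional damage claim within `days` days."""
    return transmit(
        lambda a1, a2, r, t: (a1, a2, r) == (seller, buyer, goods) and t <= deadline,
        lambda a1, a2, r, t: par(
            commitment(buyer, seller, price, lambda u: u == t),
            alt(SUCCESS, commitment(buyer, seller, "claim",
                                    lambda u: t <= u <= t + days))))
```

Feeding `monitor(sale("Seller", "Buyer", "goods", 500, 30, 5), [...])` a delivery on day 10, a terminate message, the payment on day 10 and another terminate message yields "ok", "cannot be terminated now", "ok", "successfully completed"; paying on day 12 or delivering on day 31 yields "breach of contract". Note the caveat from the end of Section 3.5: a breach is reported only when the residual simplifies to the literal `FAILURE`, so a residual that denotes the empty trace set without simplifying to it is not detected here. For the Section 3.6 contract $c = a; b + a; b'$, `residual` after the event matching $a$ returns the sum $b + b'$ with both candidates intact, and the subsequent event matching $b'$ reduces it to `SUCCESS`; an eager reducer that had committed to the first alternative would instead be stuck.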
3.7 Operational Semantics III: Eager Matching with Explicit Routing

Consider the following execution model for contracts: two or more parties each have a copy of the contract they have previously agreed upon and monitor its execution under the arrival of events. Even though they agree on the prior contract state and the next event, the parties may arrive at different residual contracts and thus different expectations as to the future events allowed under the contract. This is because of nondeterminacy in contract execution with eager matching; e.g., a payment of $50 may match multiple payment commitments, and the parties may make different matches. We can remedy this by making control of contract reduction with eager matching explicit in order to make reduction deterministic: events are accompanied by control information that unambiguously prescribes how a contract is to be reduced. In this fashion parties that agree on what events have happened and on their associated control information will reduce their contract identically. See the full technical report for details [AEH+04].

4 Example Contracts

For the purpose of demonstration we will afford ourselves a fairly advanced predicate language with basic arithmetic, logical connectives, lists and basic functions. The syntax is standard and straightforward, and the details will be obvious from the examples.

Consider the validity period specified in Section 3 of the Agreement to Provide Legal Services (Figure 2). Taken literally, it would imply that the attorney shall render services in the month of December, but receive no fee in consideration, since January 2005 is outside the validity period. Surely, this is not the intention; in fact, consideration will defeat most deadlines, as is clearly the intent here. In the coding of the Agreement to Provide Legal Services the expiration date end has to be pushed down onto all transmits, despite its global nature, to make sure that consideration is not cut off. The Agreement to Provide Legal Services fails to specify who decides whether legal services should be rendered. In the coding it is simply assumed that the attorney is the initiator and that all services rendered over a month can be modelled as one event. Furthermore, the attorney is assumed to give the notice nowork if no work was done for the past month. This is an artifact introduced to guard the recursive call to legal.

Fig. 9 Software Development Agreement
Section 1. The Developer shall develop software as described in Exhibit A (Requirements Specification) according to the schedule set forth in Exhibit B (Project Schedule and Deliverables). Specifically, the Developer shall be responsible for the timely completion of the deliverables identified in Exhibit B.
Section 2. The Client shall provide written approval upon the completion of each deliverable identified in Exhibit B.
Section 3. In the event of any delay by the Client, all the Developer's remaining deadlines shall be extended by the greater of the two following: (i) five working days, (ii) two times the delay induced by the Client. The Client's deadlines shall be unchanged.
Section 4. In consideration of services rendered the Client shall pay USD $100.000 due on 7/1.
Section 5. If the Client wishes to add to the order, or if upon written approval of a deliverable the Client wishes to make modifications to the deliverable, the Client and the Developer shall enter into a Change Order. Upon mutual agreement the Change Order shall be attached to this contract.
Section 6. The Developer shall retain all intellectual rights associated with the software developed. The Client may not copy or transfer the software to any third party without the explicit, written consent of the Developer.
Exhibit A. (omitted)
Exhibit B. Deadlines for deliverables and approval: (i) 1/1, 1/15; (ii) 3/1, 3/15; (final deadline) 7/1, 7/15.

Now consider the more elaborate Software Development Agreement in Figure 9. When coding the contract, one notices that the contract fails to specify the ramifications of the client's non-approval of a deliverable. One also sees that the contract does not specify what to do if, due to delay, some approval deadline comes before the postponed delivery date. In the current code, this is taken to mean further delay on the client's part even if the client gave approval at the same time as the deliverable was transmitted. It seems that contract coding is a healthy process in the sense that it will often unveil underspecification and errors in the natural language contract being coded. The Change Order described in Section 5 of the contract and the intellectual rights described in Section 6 are not coded due to certain limitations in our language. We postpone the discussion of this to Section 6 of this paper.

Fig. 10 Specification of Software Development Agreement (note that we assume easily defined abbreviations for max(x, y) and allow subtraction on the domain Time)

    letrec
      deliverables (dev, client, deliv1, deadline1, approve1, deliv2, deadline2, approve2, delivf, deadlinef, approvef) =
        transmit(dev, client, deliv1, T1 | T1 <= deadline1).
        transmit(client, dev, "ok", T).
        transmit(dev, client, deliv2, T2 | T2 <= deadline2 + max(5d, (T - approve1) * 2)).
        transmit(client, dev, "ok", T).
        transmit(dev, client, delivf, Tf | Tf <= deadlinef + max(5d, (T - approve2) * 2)).
        transmit(client, dev, "ok", T).
        transmit(dev, client, "done", T).
        Success
      software (dev, client, payment, paymentdeadline, ds) =
        deliverables (dev, client, ds)
        || transmit(client, dev, payment, T | T <= paymentdeadline)
    in
      software ("Me", "Client", 100000, 2004.7.1,
                d1, 2004.1.1, 2004.1.15, d2, 2004.3.1, 2004.3.15, final, 2004.7.1, 2004.7.15)

Here the template deliverables takes the nine deliverable, deadline and approval-deadline parameters that software passes on as the vector ds; each approval transmit rebinds T, so the (T - approve1) and (T - approve2) terms measure the client's delay relative to the approval deadline, which is what Section 3 of the agreement uses to extend the developer's remaining deadlines.

5 Contract Analysis

The formal groundwork in order, we can begin to ask ourselves questions about contracts such as: What is my first order of business? When is the next deadline? How much of a particular resource will I gain from my portfolio, and at what times? What is the monetary value of my portfolio? Will contract fulfillment require more than the x units I currently have in stock? The attempt to answer such questions is broadly referred to as contract analysis.
The residuation property allows a contract analysis to be applied at any time (i.e. to any residual contract), and we can thus continuously monitor the execution of the contracts in our portfolio. Recall that our contract specification language is parametrized over the language of predicates and arithmetic. There is a clear trade-off in play here: a sophisticated language buys expressiveness, but renders most of the analyses undecidable. There is another source of difficulties. Variables may be bound to components of an event that is unknown at the time of analysis. An expression like $\mathrm{transmit}(a_1, a_2, R, T \mid \mathrm{true}).\, c$ offers little insight into the nature of $R$ unless furnished with a probability vector over all resources.

Here we will circumvent these problems by making do with a restricted predicate language and accepting that analyses may not give answers on all input (but will give correct answers). The predicate language is plugged in at two locations: in function application $f(\vec a)$, where all components of the vector $\vec a$ must be checked according to the rules of the predicate language, and in $\mathrm{transmit}(a_1, a_2, r, t \mid P)$, where $P$ must have the type Boolean. As previously, we require that $a_1, a_2, r$, and $t$ are either variables (bound or unbound) or constants. If some components are bound variables or constants, they must be equal to the corresponding components of an incoming event $(a_1', a_2', r', t')$ for a match to occur.

Consider the syntax provided in Figure 11. In addition to the types Agent, Resource, and Time, the language has the fundamental types Int and Boolean. Take $\tau$ to range over {Int, Time}, take $\sigma$ to range over $\tau \cup$ {Agent, Resource}, and assume that constants can be uniquely typed (e.g. time constants are in ISO format, and agent and resource constants are known). The language allows arithmetic on integers, simple propositional logic, and manipulation of the two abstract types Resource and Time. Given a time (date) $t$ we may add an integral number of years, months or days. For example 2004.1.1 + 3d + 1y yields 2005.1.4. Resources permit a projection on a named component (field), and all fields are of type Int. E.g., to extract the total amount from an information resource named invoice we write #(invoice, total, t) where $t$ is some date [5]. The fields of resources may change over time; hence the third Time parameter. Observables can now be understood simply as fields of a ubiquitous resource named obs. An Int may double for a Resource, in which case the Int is understood to be a currency amount.

Fig. 11 Example syntax for predicate language
$$\frac{\Delta(\mathit{var}) = \sigma}{\mathit{var} : \sigma} \qquad \frac{\mathit{type}(\mathit{const}) = \sigma}{\mathit{const} : \sigma} \qquad \frac{e_1 : \mathrm{Int} \quad e_2 : \mathrm{Int} \quad \mathit{op} \in \{+, -, *, /\}}{e_1\ \m mathit{op}\ e_2 : \mathrm{Int}}$$
$$\frac{t : \mathrm{Time} \quad e : \mathrm{Int} \quad f \in \{y, m, d\} \quad \mathit{op} \in \{+, -\}}{t\ \mathit{op}\ e f : \mathrm{Time}} \qquad \frac{r : \mathrm{Resource} \quad t : \mathrm{Time} \quad f \in \mathit{fields}(r)}{\#(r, f, t) : \mathrm{Int}} \qquad \frac{e : \mathrm{Time} \quad f \in \{y, m, d\}}{\#f(e) : \mathrm{Int}}$$
$$\frac{e : \mathrm{Int}}{e : \mathrm{Resource}} \qquad \frac{e_1 : \tau \quad e_2 : \tau}{e_1 < e_2 : \mathrm{Boolean}} \qquad \frac{e_1 : \sigma \quad e_2 : \sigma}{e_1 = e_2 : \mathrm{Boolean}} \qquad \frac{b_1 : \mathrm{Boolean} \quad b_2 : \mathrm{Boolean} \quad \mathit{op} \in \{\mathrm{and}, \mathrm{or}\}}{b_1\ \mathit{op}\ b_2 : \mathrm{Boolean}} \qquad \frac{b : \mathrm{Boolean}}{\mathrm{not}\ b : \mathrm{Boolean}}$$

Ideally, a contract analysis can be performed compositionally, i.e. can be implemented by recursively evaluating subcontracts. This section contains a simple analysis with this property. Space considerations prevent a walkthrough of more involved examples, but the basic idea should be clear. We will assume for simplicity that recursively defined contracts are guarded. The analyses are presented using inference systems defined by induction on syntax, emphasizing the declarative and compositional nature of the analyses.

[5] When a resource is introduced into the system through a match, it must be dynamically checked that it possesses the required fields. The set of required fields can be statically determined by a routine type check annotating resources with field names à la {date, total, paymentdeadline}Resource. To keep things simple we omit this type extension here.
5.1 Example: Next Point of Interest and Task List

Given a contract or a portfolio of contracts it is tremendously important for an agent to know when and how to act. To this end we demonstrate how a very simple task list can be compiled. Consider the definition given in Figure 12. The function gives a structured response to reflect the decision structure (the task list) of the contract. It operates on a very simple subset of the predicate language that, however, is indicative of the bulk of temporal constraints in contracts: only interval conditions of the form a ≤ T and T ≤ b, with T the time variable in the enclosing transmit commitment, are admitted. Such a condition is abbreviated to [a; b]. It is important to notice that the result of the analysis may be incomplete. A task is only added if the agents agree (i.e. a = a₁), but if a₁ is not bound at the time of analysis, the task is simply skipped. A more elaborate dataflow analysis might reveal that in fact a₁ is always bound to a. Also notice the case for application f(a). We expand the body of the named contract f given arguments a, but only once. This measure ensures termination of the analysis, but reduces the function's look-ahead horizon. Hence, any task or point of interest more than one recursive unfolding away is not detected. This is unlikely to have practical significance for two reasons: (1) recursively defined contracts are guarded and so a transmit must be matched before a new unfold can occur. This transmit therefore is presumably more relevant than any other transmits further down the line; (2) it would be grossly unidiomatic that some transmit t₁ was required to be matched before another transmit t₂, but nevertheless had a later deadline than that of t₂.

Fig. 12 Task list analysis

$$\frac{}{D, \delta, a, t \vdash \mathit{Success} : []} \qquad \frac{}{D, \delta, a, t \vdash \mathit{Failure} : []}$$

$$\frac{\delta \models a \neq a_1 \quad X = (a_1, A, R, T)}{D, \delta, a, t \vdash \mathit{transmit}(X \mid [x; y]).\,c : \mathit{do}\ []} \qquad \frac{\delta \models t \notin [x; y]}{D, \delta, a, t \vdash \mathit{transmit}(X \mid [x; y]).\,c : \mathit{do}\ []}$$

$$\frac{\delta \models a = a_1 \quad X = (a_1, A, R, T) \quad t \in [x; y]}{D, \delta, a, t \vdash \mathit{transmit}(X \mid [x; y]).\,c : \mathit{do}\ [\mathit{transmit}(X \mid [x; y])]}$$

$$\frac{D, \delta, a, t \vdash c_1 : l_1 \quad D, \delta, a, t \vdash c_2 : l_2}{D, \delta, a, t \vdash c_1 + c_2 : \mathit{choose}[l_1, l_2]}$$

$$\frac{D \vdash c_1\ \mathit{nullable} \quad D, \delta, a, t \vdash c_1 : l_1 \quad D, \delta, a, t \vdash c_2 : l_2}{D, \delta, a, t \vdash c_1 ; c_2 : \mathit{choose}[l_1, l_2]} \qquad \frac{D \nvdash c_1\ \mathit{nullable} \quad D, \delta, a, t \vdash c_1 : l_1}{D, \delta, a, t \vdash c_1 ; c_2 : l_1}$$

$$\frac{D, \delta, a, t \vdash c_1 : l_1 \quad D, \delta, a, t \vdash c_2 : l_2}{D, \delta, a, t \vdash c_1 \parallel c_2 : l_1 \mathbin{@} l_2} \qquad \frac{(f[x] = c) \in D \quad D, \delta, a, t \vdash c : l}{D, \delta, a, t \vdash f(a) : l}$$

The examples given above, in their simplicity, may be extended given knowledge of the problem domain. In particular, knowledge of or forecasting about probable event sequences may be used in a manner orthogonal to the coding of analyses by appropriate function calls. Analyses that are possible to implement in this way include resource flow forecasting (supply requirements); terminability by agent; latest termination; earliest termination; and valuation, or simply put: What is the value to an agent of a given contract?
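As an added example (not code from the paper), the task-list analysis of Figure 12 coded over a small tuple encoding of the contract language, including the nullable check for sequencing and the single unfolding of named contracts; the constructor names, the convention that capitalised names are variables, and the sample sale and lease definitions are assumptions of this example.

```python
Success, Failure = ("success",), ("failure",)

def lookup(delta, x):
    """Capitalised names (A, Buyer, ...) are variables; anything else is a constant."""
    return delta.get(x) if x[:1].isupper() else x

def transmit(a1, lo, hi, cont):  # transmit((a1, _, _, T) | [lo; hi]). cont
    return ("transmit", a1, lo, hi, cont)

def nullable(D, c):
    """D |- c nullable: c can complete without matching any further event."""
    tag = c[0]
    if tag in ("success", "failure", "transmit"):   # a transmit guards recursive calls
        return tag == "success"
    if tag in ("seq", "par"):
        return nullable(D, c[1]) and nullable(D, c[2])
    if tag == "choice":
        return nullable(D, c[1]) or nullable(D, c[2])
    return nullable(D, D[c[1]][1])      # ("call", f, args): look at the body of f

def tasks(D, delta, a, t, c, unfolded=frozenset()):
    """D, delta, a, t |- c : l.  Items are ("do", a1, lo, hi) or ("choose", l1, l2)."""
    rec = lambda d, k: tasks(D, d, a, t, k, unfolded)
    tag = c[0]
    if tag in ("success", "failure"):
        return []
    if tag == "transmit":
        a1 = lookup(delta, c[1])        # None for an unbound variable: task skipped
        return [("do", a, c[2], c[3])] if a1 == a and c[2] <= t <= c[3] else []
    if tag == "choice":
        return [("choose", rec(delta, c[1]), rec(delta, c[2]))]
    if tag == "seq":                    # c2 is reachable now only if c1 is nullable
        l1 = rec(delta, c[1])
        return [("choose", l1, rec(delta, c[2]))] if nullable(D, c[1]) else l1
    if tag == "par":
        return rec(delta, c[1]) + rec(delta, c[2])    # l1 @ l2
    if c[1] in unfolded:                # f(a): unfold each definition only once
        return []
    params, body = D[c[1]]
    bound = {p: lookup(delta, v) for p, v in zip(params, c[2])}
    return tasks(D, {**delta, **bound}, a, t, body, unfolded | {c[1]})

# Constructed sample: a sale (buyer pays in [10; 20], seller delivers in [20; 30]) and a
# guarded recursive lease (rent in [1; 5], then repeat); a portfolio runs both in parallel.
D = {
    "sale": (["Buyer", "Seller"],
             transmit("Buyer", 10, 20, transmit("Seller", 20, 30, Success))),
    "lease": (["Tenant", "Landlord"],
              transmit("Tenant", 1, 5, ("call", "lease", ["Tenant", "Landlord"]))),
}
portfolio = ("par", ("call", "sale", ["alice", "bob"]), ("call", "lease", ["alice", "carol"]))
```

Calling tasks(D, {}, "alice", 15, portfolio) yields the single task of paying for the sale, while at time 3 only the rent task is reported; the recursive lease terminates because the transmit guard is never looked past.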
6 Discussion and Future Work

The Software Development Agreement (Figure 9) provides a good setting to observe the limitations of our approach and the ramifications of the design choices made. The Change Order is not coded. It might be cleverly coded in the current language, again using constraints on the events passed around, but a more natural way would be using higher-order contracts, i.e. contracts taking contracts as arguments. Thus, a Change Order would simply be the passing back and forth of a contract followed by an instantiation upon agreement. Contracts often specify certain things that are not to be done (e.g. not copying the software). Such restrictions should intersect all other outstanding contracts and limit them appropriately. A higher-order language or predicates that could guard all transmits of an entire subcontract might ameliorate this in a natural way. A fuller range of language constructions that programmers are familiar with is also desirable; in the present incarnation of the contract language, several standard constructions have been left out in order to emphasize the core event model. In practice, conditionals and various sorts of lambda abstractions would make the language easier to use, though not strictly more expressive, as they can be encoded through events, albeit in a non-intuitive way. A conditional that is not driven by events (i.e. an if-then-else) seems to be needed for natural coding in many real-world contracts. Also, a catch-throw mechanism for unexpected events would make contracts more robust. Conversely, certain features of the language appear to be almost too strong for the domain; the inclusion of full recursion means that contracts active for an unlimited period of time, say leases, are easy to code, but make contract analysis significantly harder. In practice, contracts running for unlimited time periods often have external constraints (usually local legislation) forcing the contract to be reassessed by its parties, and possibly government representatives, from time to time. Having only a restricted form of recursion that suffices for most practical applications should simplify contract analysis.
The expressivity of the contract language and indeed the feasibility of non-trivial contract analysis depends heavily on the predicate language used. Predicates restricted to the form [a; b] are surely too limited, and further investigation into the required expressiveness of the predicate language is desirable. While the language is parametrized over the predicate language used, almost all real-world applications will require some model of time and timed events to be incorporated. The current event model allows for encoding through the predicate language, but an extended set of events, with companion semantics, would make for easier contract programming; timer (or "trigger") events appear to be ubiquitous when encoding contracts.

7 Related Work

The impetus for this work comes from two directions: the REA accounting model pioneered by McCarthy [McC82] and Peyton Jones, Eber and Seward's seminal article on specification of financial contracts [JES00]. Furthermore, given that contracts specify protocols as to how parties bound by them are to interact with each other, there are links to process and workflow models. Peyton Jones, Eber and Seward [JES00] present a compositional language for specifying financial contracts. It provides a decomposition of known standard contracts such as zero coupon bonds, options, swaps, straddles, etc., into individual payment commitments that are combined declaratively using a small set of contract combinators. All contracts are two-party contracts, and the parties are implicit. The combinators (taken from [JE03], revised from [JES00]) correspond to Success, ∥, +, transmit(·) of our language C_P; it has no direct counterparts to Failure, ; nor, most importantly, recursion or iteration. On the other hand, it provides conditionals and predicates that are applicable to arbitrary contracts, not just commitments as in C_P, something we have found to be worthwhile also for specifying commercial contracts. Our contract language generalizes financial payment commitments to arbitrary transfers of resources and information, provides explicit agents and thus provides the possibility of specifying multi-party contracts. Disregarding the structure of events and their temporal properties, C_P is basically a process algebra. It corresponds to the Algebra of Communicating Processes (ACP) with deadlock (Failure), free merge (∥) and recursion, but without encapsulation [BW90]. This process algebra is also part of CSP [BHR84,Hoa85]. Note that contracts are to be thought of as exclusively reactive processes, however: they respond to externally generated events, but do not autonomously generate them. There are numerous timed variants of process algebras and temporal logics; see e.g. Baeten and Middelburg [BM02] for timed process algebras. Their relation to our base language is not evident at this point. This is in part because our base language is not fixed yet to accommodate expressing temporal (and other) constraints naturally, in part because the temporal notions of timed process languages seem rather low-level and distinct from the notions we have used in contract examples.

8 Acknowledgments

This work has been partially funded by the NEXT Project, which is a collaboration between Microsoft Business Solutions, The IT University of Copenhagen and the Department of Computer Science at the University of Copenhagen (DIKU). See http://www.itu.dk/next for more information on NEXT. We would like to thank Simon Peyton Jones, Jean-Marc Eber, Kasper Østerby, and Jesper Kiehn for valuable discussions on modeling financial contracts and extending that work to commercial contracts based on the REA accounting model.

References

[AE03] Jesper Andersen and Ebbe Elsborg. Compositional specification of commercial contracts. M.S. term project, December 2003.
[AEH+04] Jesper Andersen, Ebbe Elsborg, Fritz Henglein, Jakob Grue Simonsen, and Christian Stefansen. Compositional specification of commercial contracts. Technical report, DIKU, University of Copenhagen, Universitetsparken 1, DK-2100 Copenhagen, Denmark, July 2004. http://topps.diku.dk/next/contracts.
[BHR84] S. D. Brookes, C. A. R. Hoare, and A. W. Roscoe. A theory of communicating sequential processes. J. ACM, 31(3):560-599, 1984.
[BM02] J.C.M. Baeten and C.A. Middelburg. Process Algebra with Timing. Springer, 2002.
[BW90] J.C.M. Baeten and W.P. Weijland. Process Algebra. Number 18 in Cambridge Tracts in Theoretical Computer Science. Cambridge University Press, 1990.
[Eb02] Jean-Marc Eber. Personal communication, June 2002.
[Hoa85] C.A.R. Hoare. Communicating Sequential Processes. International Series in Computer Science. Prentice-Hall, 1985.
[JE03] Simon Peyton Jones and Jean-Marc Eber. How to write a financial contract. In Jeremy Gibbons and Oege de Moor, editors, The Fun of Programming. Palgrave Macmillan, 2003.
[JES00] Simon Peyton Jones, Jean-Marc Eber, and Julian Seward. Composing contracts: an adventure in financial engineering (functional pearl). In Proceedings of the fifth ACM SIGPLAN international conference on Functional programming, pages 280-292. ACM Press, 2000.
[McC82] William E. McCarthy. The REA accounting model: A generalized framework for accounting systems in a shared data environment. The Accounting Review, LVII(3):554-578, July 1982.