Compositional Specification of Commercial Contracts




Jesper Andersen, Ebbe Elsborg*, Fritz Henglein, Jakob Grue Simonsen, and Christian Stefansen

Department of Computer Science, University of Copenhagen (DIKU), Universitetsparken 1, DK-2100 Copenhagen Ø, Denmark
*Institute of Theoretical Computer Science, IT University of Copenhagen (ITU), Rued Langgaards Vej 7, DK-2300 Copenhagen S, Denmark

Abstract. We present a declarative language for compositional specification of contracts governing the exchange of resources. It extends Eber and Peyton Jones's declarative language for specifying financial contracts [JE03] to the exchange of money, goods and services amongst multiple parties, and it complements McCarthy's Resources, Events and Agents (REA) accounting model [McC82] with a view-independent formal contract model that supports definition of user-defined contracts, automatic monitoring under execution, and user-definable analysis of their state before, during and after execution. We provide several realistic examples of commercial contracts and their analyses. A variety of (real) contracts can be expressed in such a fashion as to support their integration, management and analysis in an operational environment that registers events. The language design is driven by both domain considerations and semantic language design methods: A contract denotes a set of traces of events, each of which is an alternative way of concluding the contract successfully, which gives rise to a CSP-style [BHR84,Hoa85] denotational semantics. The denotational semantics drives the development of a sound and complete small-step operational semantics, where a partially executed contract is represented as a (full) contract that represents the remaining contractual commitments. This operational semantics is then systematically refined in two stages to an instrumented operational semantics that reflects the bookkeeping practice of identifying the specific contractual commitment a particular event matches at the time the event occurs, as opposed to delaying this matching until the contract is concluded.
1 Introduction

When entrepreneurs enter contractual relationships with a large number of other parties, each with possible variations on standard contracts, they are confronted with the interconnected problems of specifying contracts, monitoring their execution for performance¹, analyzing their ramifications for planning, pricing and other purposes prior to and during execution, and integrating this information with accounting, workflow management, supply chain management, production planning, tax reporting, decision support etc.

¹ Performance in contract lingo refers to compliance with the promises (contractual commitments) stipulated in a contract; nonperformance is also termed breach of contract.

1.1 Contract Management and Information Systems

Judging by publicly available information, support for contracts in most present-day enterprise resource planning (ERP) systems is delegated to functional silos, specialized (sub)systems supporting a fixed catalogue of predefined contracts for specific application domains; e.g. creditor/debitor modules in ERP systems such as Microsoft Business Solutions Navision 3.60 and Axapta [nav] for simple commercial contracts, SAP's specialized contract management subsystems for particular industries such as the beverage industry [sap], or independent systems for managing portfolios of financial contracts such as Simcorp's IT/2 system for managing treasuries [sim]. Common to these systems seems to be that they support a fixed and limited set of contract templates specialized to a particular application domain and lack flexible integration with other (parts of) enterprise systems. A notable exception is LexiFi [lex] whose products for complex financial derivatives incorporate some of the ideas pioneered in Peyton Jones, Eber, and Seward's research in financial engineering [JES00,JE03]. In the absence of support for user-definable (custom) contracts users are forced to adhere to stringent business processes or end up engaging in off-book activities, which are not easily tracked or integrated; e.g. oral or written contracts in natural language. Furthermore, development of new specialized contract modules incurs considerable development costs with little possibility for supporting efficient division of labor in a multi-stage development model where a software vendor produces a solution framework, partners with domain expertise specialize (instantiate) the framework to particular industries, and customers (individual companies) configure and deploy specialized systems for their end users.

1.2 Problems with Informal Contract Management

Typical problems that can arise in connection with informal modeling and representation of contracts and their execution include the following:

1. Disagreement on what a contract actually requires. Many contract disputes involve a disagreement between the parties about what the contract requires, and many rules of contract law pertain to interpretation of terms of a contract that are vague or ambiguous.
2. Agreement on contract, but disagreement on what events have actually happened (event history); e.g. buyer of goods claims that payment has been made, but seller claims not to have received it ("check is in the mail" phenomenon).
3. Agreement on contract and event history, but disagreement on remaining contractual obligations; e.g., seller applies payment by buyer to one of several commitments buyer has, but buyer intends it for another commitment.
4. Breach or malexecution of contract: A party overlooks a deadline on a commitment and is in breach of contract (missed payment deadline) or incurs losses (deadline on lucrative put or call option overlooked).
5. Entering bad or undesirable contracts/missed opportunities; e.g., a company enters a contract or refrains from doing so because it cannot quickly analyze its value and risk.
6. Coordination of contractual obligations with production planning and supply chain management; e.g., company enters into an otherwise lucrative contract, but overlooks that it does not have the requisite production capacity due to other, preexisting contractual obligations.
7. Impossibility, slowness or costliness in evaluating state of company affairs; e.g., bad business developments are detected late, or high due diligence costs affect chances and price of selling company.

Anecdotal evidence suggests that costs associated with these problems can be considerable. Eber estimates that a major French investment bank has costs of about 50 mio. Euro per year attributable to 1 and 4 above, with about half due to legal costs in connection with contract disputes and the other half due to malexecution of financial contracts [Eb02]. In summary, capturing contractual obligations precisely and managing them conscientiously is important for a company's planning, valuation, and reporting to management, shareholders, tax authorities, regulatory bodies, potential buyers, and others.

1.3 A Domain-Specific Language for Contracts

ERP systems used today capture the activities of an enterprise based on the principles of double-entry bookkeeping. Since the integration of this with subsystems for handling contract execution is characterized by ad hoc, makeshift solutions, it is interesting to consider if a specification language can be designed and integrated with the data model in which historic activities of the enterprise are collected. We argue that a declarative domain-specific (specification) language (DSL) for compositional specification of commercial contracts (defining contracts by combining subcontracts in various, well-defined ways) with an associated precise operational semantics is ideally suited to alleviating the above problems.² Note that contracts are not only put to a single use as programs are, whose sole use usually consists of execution. They are subjected to monitoring, which can be considered to be the standard semantics for contracts, plus various user-defined analyses. In this sense contract specifications are more like intelligent data that are subjected to various uses. This is in contrast to programs that are exclusively executed. As a consequence, both the syntactic structure of contract specifications and the ability of limiting their expressive (programming) power are of particular significance in their design.

² Please note that our language is rendered in ordinary linear syntax, but we do not intend to limit the scope of the term "language" to specifying linear sequences of characters only, but to include graphical objects and the like.

We believe the DSL facilitates multi-stage development as the central interface between framework developer and partner:

1. The framework developer provides the DSL, which allows specification of an infinity of contracts in a domain-oriented fashion, but without (too much) prejudice towards specific industries; delivers a run-time environment for managing execution of all definable contracts; and provides a number of useful general-purpose standard contracts. Furthermore, the framework developer provides a language (or library) and run-time system for defining contract analyses, and defines a number of standard analyses applicable to all definable contracts; e.g., next-point-of-interest computation for alerting users (human or computer) to commitments that require action (sending payment, making deliveries) or computation of accounts receivable and accounts payable for financial reporting.
2. The partner defines a collection of contract templates using the DSL for use in a particular industry and adds relevant industry-specific analyses using the vendor's analysis language. No general-purpose low-level programming expertise is required, but primarily domain knowledge and the ability to formalize it in the DSL and to express specialized analysis functions in the vendor's analysis language. The partner may leave some aspects (parameters) of the specialized system open for final configuration at the end user company.
3. The customer organization receives its system from the partner and configures and deploys it for use by its end users.

Note that the DSL provides encapsulation and division of labor in this pipeline: Discussions between end users and partners are performed in terms of domain concepts close to the DSL, but the end user does not need to know the DSL itself. Discussions between partners and the framework provider on design, functionality, limitations are in terms of the design and semantics of the DSL, not in terms of its underlying (general-purpose) implementation language; in particular, specific implementation choices by the framework developer are unobservable by the partners. The DSL encapsulates its implementation and thus facilitates upgrading of software throughout the pipeline.

1.4 Contributions

We make the following contributions in this article:

- We define a contract language for multi-party commercial contracts with iteration and first-order recursion. They involve explicit agents and transfers of arbitrary resources (money, goods and services, or even pieces of information), not only currencies. Our contract language is stratified into a pluggable base language for atomic contracts (commitments) and a combinator language for composing commitments into structured contracts.
- We provide a natural contract semantics based on an inductive definition for when a trace (a finite sequence of events) constitutes a successful ("performing") completion of a contract. This induces a trace-based denotational semantics, which compositionally maps contracts to trace sets.
- We systematically develop three operational semantics in a stepwise fashion, starting from the denotational semantics:
  1. A (sound and complete) reduction semantics for monitoring contract execution during arrival of events. It represents the residual obligations of a contract after an event as a bona fide (full) contract specification and defers matching of events to specific commitments until the whole contract has completed. It can be implemented by backtracking where events are tentatively matched to the first suitable commitment and backtracking is performed if that choice turns out to be wrong later on.
  2. A nondeterministic reduction semantics for eager matching, where matching decisions are made as events arrive and cannot be backtracked. Eager matching corresponds to bookkeeping practice, but leads to nondeterminacy in the case multiple commitments in a contract can be matched by the same event; in particular, the parties to a contract may perform different matches and may end up disagreeing on the contract's residual obligations.
  3. An instrumentation of the eager matching semantics that equips events with explicit control information that routes the event unambiguously to the particular commitment it is to be matched with. This yields an eager matching semantics with a deterministic reduction semantics and thus ensures that all parties to a contract agree on the residual contract if they agree on the prior contract state and on which event (including its routing information) has happened.
- We validate applicability of our language by encoding a variety of existing contracts in it, and illustrate analyzability of contracts by providing examples of compositional analysis.

The denotational semantics has been an instrumental methodological tool in deriving a small-step semantics. Our work builds on a previous language design by Andersen and Elsborg [AE03] and is inspired by: Peyton-Jones and Eber's language for compositional specification of financial contracts [JES00], which has been the original impetus for the language design approach we have taken; McCarthy's Resources-Events-Agents (REA) accounting model [McC82], which has provided the ontological justification for modeling commercial contracts as being built from atomic commitments stipulating transfers (economic events) of scarce resources between agents (and nothing else); Hoare's Calculus of Sequential Processes (CSP), specifically its view-independent event synchronization model, and its associated trace theoretic semantics [BHR84,Hoa85]. See Section 7 for a more detailed comparison with this and other related work.

2 Modeling Commercial Contracts

A contract is an agreement between two or more parties which creates obligations to do or not do the specific things that are the subject of that agreement. A commercial contract is a contract whose subject is the exchange of scarce resources (money, goods, and services). Examples of commercial contracts are sales orders, service agreements, and rental agreements. Adopting terminology from the REA accounting model [McC82] we shall also call obligations commitments and parties agents. It is worth noticing that contracts may be express or implied. When two parties decide to exchange goods, more often than not there is no express contract. There is, however, an implied contract of the form of "Party A expects to pay X in exchange for party B's provision of goods Y". Usually when no express contract is present, the contractual obligations are taken from common practice, general terms of trade, or legislation. Thus the term contract should be understood in a broader sense as a structure that governs any trade or production even if it is not verbal.

2.1 Contract Patterns

In its simplest form a contract commits two contract parties to an exchange of resources such as goods for money or services for money; that is to a pair of transfers of resources from one party to the other, where one transfer is in consideration of the other. The sales order template in Figure 1 commits the two parties (seller, buyer) to a pair of transfers, of goods from seller to buyer and of money from buyer to seller. Note that both commitments are predicated on when they must be satisfied: seller may deliver any time, but must do so by a given date, and buyer must pay at the time delivery happens. We can think of the sales order as being composed sequentially of two atomic contracts: the seller's commitment to deliver goods, followed by the buyer's commitment to pay for them. If goods are not delivered there is no commitment by buyer to pay anything, and only seller is in breach of contract. In a barter (goods for goods or goods for services) the commitments on each party may be composed concurrently; that is, both commitments are unconditional and must be satisfied independently of each other. If no party delivers on time and no explicit provision for this is made in the contract, both parties may be in breach of contract.
Many commercial contracts are of this simple quid-pro-quo kind, but far from all. Consider the legal services agreement template in Figure 2. Here commitments for rendering of a monthly legal service are repeated, and each monthly service consists of a standard service part and an optional service part. More generally, a contract may allow for alternative executions, any one of which satisfies the given contract. We can discern the following basic contract patterns for composing commercial contracts from subcontracts (a subcontract is a contract used as part of another contract):

- a commitment stipulates the transfer of a resource or set of resources between two parties; it constitutes an atomic contract;
- a contract may require sequential execution of subcontracts;
- a contract may require concurrent execution of subcontracts, that is execution of all subcontracts, where individual commitments may be interleaved in arbitrary order;
- a contract may require execution of one of a number of alternative subcontracts;
- a contract may require repeated execution of a subcontract.

Furthermore, commitments and, more generally, contracts usually carry temporal constraints, which stipulate when the actual resource transfers must happen. In the remainder of this report we shall explore a declarative contract specification language based on these contract patterns.

Fig. 1 Agreement to Sell Goods
Section 1. (Sale of goods) Seller shall sell and deliver to buyer (description of goods) no later than (date).
Section 2. (Consideration) In consideration hereof, buyer shall pay (amount in dollars) in cash on delivery at the place where the goods are received by buyer.
Section 3. (Right of inspection) Buyer shall have the right to inspect the goods on arrival and, within (days) business days after delivery, buyer must give notice (detailed-claim) to seller of any claim for damages on goods.

Fig. 2 Agreement to Provide Legal Services
Section 1. The attorney shall provide, on a non-exclusive basis, legal services up to (n) hours per month, and furthermore provide services in excess of (n) hours upon agreement.
Section 2. In consideration hereof, the company shall pay a monthly fee of (amount in dollars) before the 8th day of the following month and (rate) per hour for any services in excess of (n) hours 40 days after the receival of an invoice.
Section 3. This contract is valid 1/1-12/31, 2004.

3 Compositional Contract Language

In this section we present a core contract specification language and its properties. All proofs are relegated to Appendix A. The language should satisfy the following design criteria:

- Contracts should be specifiable compositionally, reflecting the contract composition patterns of Section 2.1.
- The language should separate contract composition (contract language) from definition of the atomic commitments (base language), including their temporal constraints; this is to make sure that the design can accommodate changes and extensions to the base language without simultaneously forcing substantial changes in the contract language.
- The language should obey good language design principles such as naming and parametrization, orthogonality and compositional semantics.
- The language should be expressive enough to represent partially executed contracts as (full) contracts and have a reduction semantics that reduces a contract under arrival of an event to a contract that represents the residual obligations. By representing partially executed contracts as contracts any contract analysis will also be applicable to partially executed contracts.
- The reduction semantics should be a good basis for control of execution; in particular, for matching of events against the specific (intended) commitment in a contract that it satisfies.
3.1 Syntax Our contract languag C P is dfind inductivly by th infrnc systm for driving judgmnts of th forms Γ ; c : Contract and D : Γ. Hr Γ and rang ovr maps from idntifirs to contract tmplat typs and to bas typs, rspctivly. Th map xtnsion oprator on maps is dfind as follows: { (m m m )(x) = (x) if x domain(m ) m(x) othrwis Th languag is built on top of a a bas structur of domains (A, R, T ) of agnts, rsourcs, tim whr (T, T ) is totally ordrd. It consists of a typd bas languag of xprssions P, for which w assum th xistnc of a st of valid typing judgmnts a : for xprssions a, which includ variabls X and constants for ach lmnt in th bas structur. Typs includ Agnt, Rsourc, Tim, which dnot (A, R, T ), rspctivly, as wll as Boolan for prdicats (Boolan xprssions). Th xprssion languag has a notion of substitution b[a/x] 3 3 W us th gnral convntion that mtavariabls in boldfac dnot vctors (squncs) of what th mtavariabl dnots.

7 and a dnotation function Q[ a : ] that maps valid typing judgmnts to lmnts of domains Dom [ ]. (S Figur 6 for a brif dscription of th thus dnotd domains.) Th only proprtis w shall assum ar that substitution is compatibl with judgmnts: if X : b : b and a : thn b[a/x] : b whr a = a 1... a n and X = X 1... X n for som n 0; and that th dnotation function is compositional; that is, Q[ b[a/x] : ] δ = Q[ b : ] δ {Xi Q [ a i : i ]δ } i. W us mtavariabl P for Boolan xprssions and abbrviat P : Bool to P. For brvity and radability, w also abbrviat Q[ a : ] to Q[a], laving and to b undrstood from th contxt. Finally, w writ δ = P for Q[P ] δ = tru. Th languag P provids th possibility of rfrring to obsrvabls [JES00,JE03]. W shall introduc suitabl bas languag xprssions on an ad hoc basis in our xampls for illustrativ purposs. Fig. 3 Syntax for contract spcifications Γ ; Succss : Contract Γ ; Failur : Contract Γ (f) = Contract Γ ; f(a) : Contract a : = {A 1 : Agnt, A 2 : Agnt, R : Rsourc, T : Tim} Γ ; c : Contract P : Boolan Γ ; transmit(a 1, A 2, R, T P ). c : Contract Γ ; c 1 : Contract Γ ; c 2 : Contract Γ ; c 1 + c 2 : Contract Γ ; c 1 : Contract Γ ; c 2 : Contract Γ ; c 1; c 2 : Contract Γ ; c 1 : Contract Γ ; c 2 : Contract Γ ; c 1 c 2 : Contract Γ = {f i i1... ini Contract} m i=1 Γ ; {X i1 : i1,..., X ini : ini } c i : Contract {f i[x i] = c i} m i=1 : Γ {f i[x i] = c i} m i=1 : Γ Γ ; c : Contract ltrc {f i[x i] = c i} m i=1 in c : Contract Th contxt-fr structur of contracts dirctly rflcts th contract pattrns w discussd in Sction 2.1: c ::= Succss Failur f(a) transmit(a 1, A 2, R, T P ). c c 1 + c 2 c 1 c 2 c 1 ; c 2 Succss dnots th trivial or (succssfully) compltd contract: it carris no obligations on anybody. Failur dnots th inconsistnt or faild contract; it signifis brach of contract or a contract that is impossibl to fulfill. Th nvironmnt D = {f i [X i ] = c i } m i=1 contains namd contract tmplats whr X i is a vctor of formal paramtrs for us in th mbddd contract c i. 
A contract tmplat nds to b instantiatd with actual argumnts from th bas languag. (Th n i on th indicats that diffrnt contracts may hav a diffrnt numbr of formal paramtrs.) For a Boolan prdicat P th contract xprssion transmit(a 1, A 2, R, T P ). c rprsnts a contract whr th commitmnt transmit(a 1, A 2, R, T P ) must b satisfid first. Not that A 1, A 2, R, T ar binding variabl occurrncs whos scop is P and c. Th commitmnt must b matchd by a (transfr) vnt = transmit(v 1, v 2, r, t) of rsourc r from agnt v 1 to agnt v 2 at tim t whr P (v 1, v 2, r, t) holds. Aftr matching, th rsidual contract is c in which A 1, A 2, R, T ar bound to v 1, v 2, r, t, rspctivly. In this fashion th subsqunt contractual obligations xprssd by c may dpnd on th actual valus in vnt. Th contract combinators +, and ; compos subcontracts according to th contract pattrns w hav discrnd: by altrnation, concurrntly, and squntially, rspctivly. A (contract) contxt is a

8 finit st of namd contract tmplat dclarations of th form f(x) = c. By using th contract instantiation (or contract application) construct f(a) contract tmplats may b (mutually) rcursiv, which, in particular, lts us captur rptition of subcontracts. Contract tmplat dfinitions occur only at top lvl. Sinc th contract languag C P is statically typd its syntax is formally dfind by th infrnc systm in Figur 3. If top-lvl judgmnt ltrc D in c : Contract is drivabl w shall say that c is wll-formd in contxt D. Hncforth w shall assum that all contracts ar wll-dfind, whr D may b implicitly undrstood. What w call contracts should justly b calld prcontracts as thy do not ncssarily satisfy th lgal rquirmnt for validity. In particular, Succss, Failur and any xprssion that obligats only on agnt ar not judicially valid contracts. Following [JES00,JE03], w shall frly us th trm contract, howvr. Not that considration (rciprocity in REA trms) is not built into our languag as a syntactic construct. This allows flxibl dfinitions of contracts whr commitmnts ar not in a simpl, syntactically vidnt on-to-on rlation, and it allows diffrnt, usr-dfind notions of considration to b applid as analyss to th sam languag. In th following w shall adopt th convntion that A 1, A 2, R, T must not b bound in nvironmnt. If a variabl from or any xprssion a only involving variabls bound in occurs as an argumnt of a transmit, w intrprt this as an abbrviation; for xampl, transmit(a, A 2, R, T P ). c abbrviats transmit(a 1, A 2, R, T P A 1 = a). c whr A 1 is a nw (agnt-typd) variabl not bound in and diffrnt from A 2, R and T. W abbrviat transmit(a 1, A 2, R, T P ). Succss to transmit(a 1, A 2, R, T P ). Th contract from Figur 1 is ncodd in Figur 4, and th contract in Figur 2 is tratd in dpth in Sctions 4 and 5. Fig. 4 Spcification of Agrmnt to Sll Goods ltrc nonconforming [sllr, buyr, goods, paymnt, days, t1, notic] = transmit (buyr, sllr, notic, T T < t1 + days d and #(goods,brokn,t1) = 1). 
transmit (sllr, buyr, paymnt/2, T T < T + days d). sal [sllr, buyr, goods, paymnt, t1, days, notic] = transmit (sllr, buyr, goods, T T < t1). transmit (buyr, sllr, paymnt, T T < t1). (Succss + nonconforming (sllr, buyr, goods, days, T, notic)) in sal ("Furnitur makr", "M", "Chair", 40, 2004.7.1, 8, "Chair brokn") 3.2 Evnt Tracs and Contract Satisfaction A contract spcifis a st of altrnativ prforming vnt squncs (contract xcutions), ach of which satisfis th obligations xprssd in th contract and concluds it. In this sction w mak ths notions prcis for our languag. Rcall that our bas structur is a tupl (R, T, A) of sts of rsourcs R, agnts A and a totally ordrd st (T, T ) of dats (or tim points). Whnvr convnint, w will xtnd bas structurs with othr sts for othr typs, as ndd. A (transfr) vnt is a trm transmit(v 1, v 2, r, t), whr v 1, v 2 A, r R and t T. An (vnt) trac s is a finit squnc of vnts that is chronologically ordrd; that is, for s = 1... n th tim points in 1... n occur in nondscnding ordr. W adopt th following notation: dnots th mpty squnc;

a trace consisting of a single event e is denoted by e itself; concatenation of traces s 1 and s 2 is denoted by juxtaposition: s 1 s 2; we write (s 1, s 2) s if s is an interleaving of the events in traces s 1 and s 2; we write X for the vector X 1, ..., X k with k 0 and where k can be deduced from the context; we write c[v/x], where v = v 1 ... v n and X = X 1 ... X n for some n 0, for the result of simultaneously substituting elements v i for all free occurrences of the corresponding X i in c. (Free and bound variables are defined as expected.)

We are now ready to specify when a trace satisfies a contract, i.e. gives rise to a performing execution of the contract. This is done inductively by the inference system for judgments δ δ D s : c in Figure 5, where D = {f i[x i ] = c i } m i=1 is a finite set of named contract templates and δ is a finite set of bindings of variables to elements (values of a domain) of the given base structure. A derivable judgment δ δ D s : c expresses that event sequence s satisfies (successfully executes and concludes) contract c in an environment where contract templates are defined as in D, δ is the top-level environment for both D and c, and δ is a local environment for additional free variables in c. Conversely, if δ δ D s : c is not derivable then s does not satisfy c for given D, δ, δ. The condition δ δ = P in the third rule stipulates that P, with free variables bound as in δ δ, must be true in the base language for an event to match the corresponding commitment.

Fig. 5 Contract satisfaction
δ δ D : Success X v δ D s : c (f(x) = c) D, v = Q[a] δ δ δ δ D s : f(a) δ δ = P δ δ D s : c (δ = δ {X v}) δ δ D transmit(v) s : transmit(x P ). c δ δ D s 1 : c 1 δ δ D s 2 : c 2 (s 1, s 2) s δ δ D s : c 1 c 2 δ δ D s : c 1 δ δ D s : c 1 + c 2 δ δ D s 1 : c 1 δ δ D s 2 : c 2 δ δ D s 1s 2 : c 1; c 2 δ δ D s : c 2 δ δ D s : c 1 + c 2

3.3 Denotational Semantics

A denotational semantics maps contract specifications compositionally into a domain of mathematical objects; that is, by induction on the syntax (inference tree) of contract expressions as given by the inference rules of Figure 3. A denotational semantics supports reasoning by structural induction on the syntax. In particular, any subcontract of a contract can be replaced by any other subcontract with the same denotation without changing the behavior of the whole contract.

The satisfaction relation relates each contract to a set of traces. We can use that to define the extension of a contract c to be the set of its performing executions: E [letrec D in c] δ = {s : δ D s : c}. This, however, is not a denotational semantics since it is not compositional. Turning it into a compositional definition we arrive at the semantics given in Figure 7. Note that each contract denotes a trace set, and the meaning of a compound contract can be explained in terms of a mathematical operation on the trace sets denoted by its constituent subcontracts without any reference to the actual syntax of the latter.

The presence of recursive contract definitions requires domain theory; see e.g. Winskel [Win93]. Briefly, each type in our language is mapped to a complete partial order (cpo); that is, a set equipped with a partial order where each directed subset has a least upper bound

(in the set). A pointed complete partial order (pcpo) is a cpo that has a least element. All our domains in Figure 6 are cpos since we can choose equality for the base domains A, R, T. Furthermore, 2 Tr, the powerset of all finite event sequences, is a pcpo under inclusion, and the function space D D is a pcpo under pointwise ordering if D is a pcpo. A function between cpos is continuous if the result of applying it to the least upper bound of a directed set is the same as the least upper bound of applying it to each element of the directed set individually. It is well-known that each continuous function from a pcpo to the same pcpo has a least (unique minimal) fixed point. It is a routine matter to check that C [.]., E [.]. and D [.]. map contracts under function environments, contract specifications, and contract function environments, respectively, to continuous functions. Consequently the least fixed point in line 9 of Figure 7 always exists. We say c denotes a trace set S in context D, δ, if C [c] D;δ = S.

The following theorem states that the denotational semantics characterizes the satisfaction relation.

Theorem 1 (Denotational characterization of contract satisfaction). C [c] D [D ]δ ;δ δ = {s δ δ D s : c}

Fig. 6 Domains for C P
Dom [Boolean] = ({true, false}, =) Dom [Agent] = (A, =) Dom [Resource] = (R, =) Dom [Time] = (T, =) E = A A R T Tr = (E, =) Dom [Contract]] = (2 Tr, ) Dom [ 1... n Contract] = Dom [ 1 ]... Dom [ n ] Dom [Contract] Dom [Γ ] = {{f i v i} m i=1 v i Dom [ i1 ]... Dom [ ini ] Dom [Contract]} where Γ = {f i i1... ini Contract} m i=1 Dom [ ] = {{X i v i} m i=1 v i Dom [ i ]} where = {X i : i} m i=1 Dom [Γ ; c : Contract] = Dom [Γ ] Dom [ ] Dom [Contract]]

Fig. 7 Denotational semantics
C [Success]] γ;δ = { } (1)
C [Failure] γ;δ = (2)
C [f(a)] γ;δ = γ(f)(Q[a] δ ) (3)
C [transmit(x P ). c] γ;δ = {transmit(v) s : v E, s Tr (4) Q[P ] δ X v = true s C [c] γ;δ X v } (5)
C [c 1 + c 2 ] γ;δ = C [c 1 ] γ;δ C [c 2 ] γ;δ (6)
C [c 1 c 2 ] γ;δ = { s : s Tr s 1 C [c 1 ] γ;δ, s 2 C [c 2 ] γ;δ. (s 1, s 2) s } (7)
C [c 1; c 2 ] γ;δ = {s 1s 2 : s 1, s 2 Tr s 1 C [c 1 ] γ;δ s 2 C [c 2 ] γ;δ } (8)
D [{f i[x i] = c i} m i=1 ] δ = least γ : γ = {f i λv i.C [c i ] γ;δ X i v i } m i=1 (9)
E [letrec {f i[x i] = c i} m i=1 in c] δ = C [c] D [{f i [X i ]=c i } m i=1 ]δ ;δ (10)

3.4 Contract Monitoring by Residuation

Extensionally, contracts classify traces (event sequences) into performing and nonperforming ones. We are not only interested in classifying complete event sequences once they have happened, though, but in monitoring contract execution as it unfolds in time under the arrival of events. We say a trace is consistent with a trace set S if it is a prefix of an element of S; it is inconsistent otherwise. Given a trace set S denoted by a contract c and an event e, the residuation function e\ captures how c can be satisfied if the first event is e. It is defined as follows: 4 e\S = {s s S : s = e s}

Conceptually, we can map contracts to trace sets and use the residuation function to monitor contract execution as follows:
1. Map a given contract c 0 to the trace set S 0 that it denotes. If S 0 is empty, stop and output inconsistent.
2. For i = 0, 1, ... do: Receive message e i.
(a) If e i is a transfer event, compute S i+1 = e i \S i. If S i+1 is empty, stop and output breach of contract; otherwise continue.
(b) If e i is a conclude contract message, check whether the empty trace is in S i. If so, all obligations have been fulfilled and the contract can be terminated. Stop and output successfully completed. If not, output cannot be concluded now, let S i+1 = S i and continue to receive messages.

To make the conceptual algorithm for contract life cycle monitoring from Section 3.4 operational, we need to represent the residual trace sets and provide methods for deciding tests for emptiness and failure. In particular, we would like to use contracts as representations for trace sets. Not all trace sets are denotable by contracts, however. In particular, given a contract c that denotes a trace set S c it is not a priori clear whether e\S c is denotable by a contract c. If it is, we call c the residual contract of c after e. Let us momentarily extend contract specifications with a residuation operator, which is the syntactic analogue of residuation, but for contracts instead of trace sets: C [e\c] γ;δ = {s s C [c] γ;δ : s = e s}. Let us write D, δ = c = c if C [c] γ;δ δ = C [c ] γ;δ δ for all δ, where γ = D [D] δ; analogously for D, δ = c c.

To elide parentheses we use the following operator precedence order in contract expressions (highest precedence first): residuation \, concurrent composition, alternation +, sequential composition ;.

Lemma 1 (Correctness of residuation). The residuation equalities in Figure 8 are true.

For the proof of this lemma we need an auxiliary lemma that extends the compositionality of the base language to the contract language:

Lemma 2 (Agreement of substitution and environments). For all c, γ and δ: C [c] γ;δ X v = C [c[v/x]] γ;δ

4 Conway [Con71] calls e\S the e-derivative for a language S and alphabet symbol e. We use the term residuation instead to emphasize that e\S represents the residual obligations of a contract after execution of event e.

Fig. 8 Residuation equalities
D, δ = e\Success = Failure D, δ = e\Failure = Failure D, δ = e\f(a) = e\c[v/x] if (f(x) = c) D, v = Q[a] δ c[v/x] if δ {X v} = P D, δ = transmit(v)\(transmit(x P ). c) = Failure otherwise D, δ = e\(c 1 + c 2) = e\c 1 + e\c 2 D, δ = e\(c 1 c 2) = e\c 1 c 2 + c 1 e\c 2 (e\c1; c 2) + e\c 2 if D, δ = Success c 1 D, δ = e\(c 1; c 2) = e\c 1; c 2 otherwise

Executing the residuation equations as left-to-right rewrite rules eliminates the residuation operator in e\c, assuming c is residuation operator free to start with. That computation does not always terminate, however. Consider, e.g., letrec f(n) = (transmit(a 1, a 2, r, T T N) f(n + 1)) in f(0) and event transmit(a 1, a 2, r, 0). Applying the rewrite rules will not terminate. Intuitively, this is because transmit(a 1, a 2, r, 0) can be matched against any one of the infinitely many commitments transmit(a 1, a 2, r, T 0 T 0 0) transmit(a 1, a 2, r, T i T i i) since transmit(a 1, a 2, r, 0) satisfies the match condition of each one of them. Note that, semantically, f(n) = transmit(a 1, a 2, r, T T N) f(n + 1), = f(0) = Failure, but left-to-right rewriting according to Figure 8 does not rewrite f(0) to Failure.

3.5 Nullable and Guarded Contracts

In this section we characterize nullability of a contract and introduce guarding, which is a sufficient condition on contracts for ensuring that residuation can be performed by reduction on contracts.

Fig. 9 Nullable contracts
D c nullable (f(x) = c) D D f(a) nullable D c nullable D c + c nullable D c nullable D c + c nullable D Success nullable D c nullable D c nullable D c c nullable D c nullable D c nullable D c; c nullable

Definition 1 (Nullability). 1. We write D = c nullable if D, δ = Success c for some δ; that is, the empty trace is in C [c] D;δ. 2. We say c is nullable (or terminable) in context D if D c nullable is derivable by the inference system in Figure 9.

A nullable contract can be concluded successfully, but may possibly also be continued. E.g., the contract Success + transmit(a 1, a 2, r, t P ) is nullable, as it may be concluded successfully (left choice). Note however, that it may also be continued (right choice). It is easy to see

that nullability is independent of δ and δ: the empty trace is in C [c] γ;δ δ if and only if it is in C [c] γ;ˆδ ˆδ for any other ˆδ and ˆδ, where γ = D [D] δ. Deciding nullability is required to implement Step 2b in contract monitoring. The following proposition expresses that (syntactic) nullability characterizes semantic nullability.

Proposition 1 (Syntactic characterization of nullability). D = c nullable D c nullable.

Definition 2 (Guarded contract, guarded declarations). Let D = {f i [X i ] = c i } m i=1 be contract template declarations. A contract c is guarded in context D if D c guarded is derivable from Figure 10. We say D is guarded if c i is guarded in context D for all i with 1 i m.

Intuitively, guardedness ensures that we do not have (mutual) recursions such as {f(x) = g(x), g(x) = f(x)} that cause the residuation algorithm to loop infinitely. Guarded declarations ensure that all contracts built from them are guarded:

Lemma 3 (Guardedness of contracts using guarded declarations). For all D, c, if D is guarded then D c guarded.

Fig. 10 Guarded contracts
D Success guarded D transmit(x P ). c guarded D c guarded D c guarded D c + c guarded D Failure guarded D c guarded (f(x) = c) D D f(a) guarded D c guarded D c guarded D c c guarded D c nullable D c guarded D c guarded D c; c guarded D c nullable D c guarded D c; c guarded

As we shall see, guardedness is key to ensuring termination of contract residuation and thus that every (guarded) contract has a residual contract under any event in the reduction semantics of Figure 11.

3.6 Operational Semantics I: Deferred Matching

The denotational semantics tells us what trace set is denoted by a contract, and residuation on trace sets tells us how to turn the denotational semantics conceptually into a monitoring semantics. In this section we present a reduction semantics for contracts, which lifts residuation on trace sets to contracts and is derived systematically from the residuation equalities of Figure 8.

The ability of representing residual contract obligations of a partially executed contract and thus any state of a contract as a bona fide contract carries the advantage that any analysis that is performed on original contracts automatically extends to partially executed contracts as well. E.g., an investment bank that applies valuations to financial contracts before offering them to customers can apply their valuations to their portfolio of contracts under execution; e.g., to analyze its risk exposure under current market conditions.

Likewise, a company that analyzes production and capacity requirements of a contract before offering it to a customer can apply the same analysis to the contracts it has under execution; e.g., to adjust planning based on present capacity requirements.

Fig. 11 Deterministic reduction (delayed matching)
D, δ D Success δ {X v} = P (v = Q[a] δ ) D, δ D transmit(x P ). c transmit(v) Failure c[v/x] D, δ D Failure Failure δ {X v} =P (v = Q[a] δ ) D, δ D transmit(x P ). c transmit(v) Failure D, δ D c[v/x] c D, δ D f(a) (f(x) = c) D, v = Q[a] δ c D, δ D c d D, δ D c d D, δ D c + c d + d D, δ D c d D, δ D c d D c nullable D, δ D c d D, δ D c d D, δ D c c c d + d c D, δ D c; c (d; c ) + d D c nullable D, δ D c D, δ D c; c d; c d

The reduction semantics is presented in Figure 11. The basic matching rule is
δ {X v} = P (v = Q[a] δ ) D, δ D transmit(x P ). c transmit(v) c[v/x]
It matches an event with a specific commitment in a contract. There may be multiple commitments in a contract that match the same event. The semantics captures the possibilities of matching an event against multiple commitments by applying all possible reductions in alternatives and concurrent contract forms and forming the sum of their possible outcomes (some of which may actually be Failure). The rule
D, δ D c d D, δ D c d D, δ D c + c d + d
thus reduces both alternatives c and c and then forms the sum of their respective results d, d. Likewise, the rule
D, δ D c d D, δ D c d D, δ D c c c d + d c
for concurrent subcontracts expresses that the match could be in either one of c or c and represents the result as the sum of those two possibilities. Finally, the rule
D c nullable D, δ D c d D, δ D c d D, δ D c; c (d; c ) + d
captures that e can be matched in c or, if c is nullable, in c. Note that, if c is not nullable, e can only be matched in c, not c, as expressed by the rule
D c nullable D, δ D c d. D, δ D c; c d; c

In this fashion the semantics keeps track of the results of all possible matches in a reduction sequence as explicit alternatives (summands) and defers the decision as to which specific commitment is matched by a particular event during contract execution until the very end: By selecting a particular summand in a residual contract after a number of reduction steps that represents Success (and the contract is thus terminable) a particular set of matching decisions is chosen ex post.

As presented, the reduction semantics gives rise to an implementation in which the multiple reducts of previous reduction steps are reduced in parallel, since they are represented as summands in a single contract, and the rule for reduction of sums reduces both summands. It is relatively straightforward to turn this into a backtracking semantics by an asymmetric reduction rule for sums, which delays reduction of the right summand.

The operational semantics fully and faithfully implements residuation (when the residuation equalities are oriented):

Theorem 2 (Residuation by deferred matching). 1. For any c, c, δ, and D: if D, δ D c c then D, δ = e\c = c. 2. For all c, δ and guarded D, there exists a unique c such that D, δ D c c; furthermore, D c guarded.

Using Theorem 2 we can turn our conceptual contract monitoring algorithm into a real algorithm.
1. Let contract c 0 be given. If c 0 is inconsistent, stop and output inconsistent.
2. For i = 0, 1, ... do: Receive message e i.
(a) If e i is a transfer event, let c i+1 be such that D c i e i c i+1. If c i+1 is inconsistent, stop and output breach of contract; otherwise continue.
(b) If e i is a terminate contract message, check whether c i is nullable. If so, all obligations have been fulfilled and the contract can be terminated. Stop and output successfully completed. If c i is not nullable, output cannot be terminated now, let c i+1 = c i and continue to receive messages.

Proposition 1 provides a syntactic characterization of nullability, which can easily be turned into an algorithm. Deciding D, δ = c = Failure, that is whether a contract has actually failed, is a much harder problem. See Figure 21 for a sketch of a conservative approximation (some failed contracts may not be identified as such) to this.

3.7 Operational Semantics II: Eager Matching

The deferred matching semantics of Figure 11 is flexible and faithful to the natural notion of contract satisfaction as defined in Figure 5. But from an accounting practice view it is weird because matching decisions are deferred. In bookkeeping the standard modus operandi is that events are matched against specific commitments eagerly; that is online, as events arrive. 5 We shall turn the deferred matching semantics of Figure 11 into an eager matching semantics (Figure 12). The idea is simple: Represent here-and-now choices as alternative rules (meta-level) as opposed to alternative contracts (object level). Specifically, we split the rules for reducing alternatives and concurrent subcontracts into multiple rules, and we capture the possibility of reducing in the second component of a sequential contract by adding -transitions, which spontaneously (without a driving external event) reduce a contract of the form Success; c to

5 There are standard accounting practices for changing such decisions, but both default and standard conceptual model are that matching decisions are made as early as possible. In general, it seems representing and deferring choices and applying hypothetical reasoning to them appears to be a rather unusual phenomenon in accounting.

c. For this to be sufficient we have to make sure that a nullable contract indeed can be reduced to Success, not just a contract that is equivalent to Success, such as Success Success. This is done by ensuring that -transitions are strong enough to guarantee reduction to Success as required.

Fig. 12 Nondeterministic reduction (eager matching)
D, δ N Success δ {X v} = P, v = Q[a] δ D, δ N transmit(x P ). c transmit(v) Failure c[v/x] D, δ N Failure Failure δ {X v} =P, v = Q[a] δ D, δ N transmit(x P ). c transmit(v) Failure (f(x) = c) D, v = Q[a] δ D, δ N f(a) c[v/x] D, δ N c + c c D, δ N c + c c D, δ N c λ d D, δ N c c λ d c λ D, δ N c d D, δ N c c λ c d D, δ N Success c c D, δ N c Success c D, δ N Success; c c D, δ N c λ d D, δ N c; c λ d; c D, δ N c c D, δ N c c D, δ N c c D, δ N c δ N letrec D in c c letrec D in c

Based on these considerations we arrive at the reduction semantics in Figure 12, where meta-variable λ ranges over events and the internal event. Note that it is nondeterministic and not even confluent: A contract c can be reduced to two different contracts by the same event. Consider e.g., c = a; b + a; b where a, b, b are commitments, no two of which match the same event. For event e matching a we have D, δ N c b and D, δ N c b, but neither b nor b can be reduced to Success or any other contract by the same event sequence. In reducing c we have not only resolved it against e, but also made a decision: whether to apply it to the first alternative of c or to the second.

Technically, the reduction semantics is not closed under residuation: Given c and e it is not always possible to find c such that D, δ N c c and D; δ = e\c = c. It is sound, however, in the sense that the reduct always denotes a subset of the residual trace set. It is furthermore complete in the sense that the set of all reductions does preserve residuation.

Theorem 3 (Soundness of eager matching). 1. If D, δ N c c then D, δ = c e\c. 2. If D, δ N c c then D, δ = c c.

Even though individual eager reductions do not preserve residuation, the set of all reductions does so:

Theorem 4 (Completeness of eager matching). If D, δ D c c then there exist contracts c 1, ..., c n for some n 1 such that D, δ N c c i for all i = 1 ... n and D, δ = c n i=1 c i.

As a corollary, Theorems 3 and 4 combined yield that the object-level nondeterminism (expressed as contract alternatives) in the deferred matching semantics is faithfully reflected in the meta-level nondeterminism (expressed as multiple applicable rules) of the eager matching semantics.

3.8 Operational Semantics III: Eager Matching with Explicit Routing

Consider the following execution model for contracts: Two or more parties each have a copy of the contract they have previously agreed upon and monitor its execution under the arrival of events. Even if they agree on prior contract state and the next event, the parties may arrive at different residual contracts and thus different expectations as to the future events allowed under the contract. This is because of nondeterminacy in contract execution with eager matching; e.g., a payment of $50 may match multiple payment commitments, and the parties may make different matches. We can remedy this by making control of contract reduction with eager matching explicit in order to make reduction deterministic: events are accompanied by control information that unambiguously prescribes how a contract is to be reduced. In this fashion parties that agree on what events have happened and on their associated control information, will reduce their contract identically. 6

The basic idea is that all nondeterminism in our reduction semantics (see Figure 12) can be reduced to a series of choices and routing decisions to identify the particular commitment the event is to be matched with; in particular, we can express such a series as an element of I where I = {f, s, l, r}; see below. A control-annotated event then is an element of I E. (Recall that E denotes the set of transfer events.) In Figure 13 we note that d I. The -reductions in Figure 13 rewrite a contract into a simplified form while preserving its semantics faithfully:

Proposition 2 (Soundness of -reduction). For all D, δ, c, c, if D, δ C c c then D, δ = c = c.

Furthermore, they are strong enough to guarantee that any contract equivalent to Success actually reduces to Success.

Proposition 3 (Completeness of -reduction for concluded contracts). For all D, δ, c, c : D, δ c = Success if and only if D, δ C c Success.

Finally, -rewriting is strongly normalizing and confluent, which means that each contract has a unique -normal form, which can be computed by applying the -rewriting rules exhaustively in arbitrary order.

Lemma 4 (Unique normalization of -reduction). For all δ and guarded D there is a unique c such that 1. D, δ C c c and 2. for no c do we have D, δ C c c.

We say c in Lemma 4 is -normalized or simply normalized and we call it the -normalized form of c. We can observe that a contract is nullable if and only if its -normalized form has the form ... + Success + ...; that is, has a Success-summand. The following theorem expresses that sequences of labels f, s, l, r preceding an economic event unambiguously determine how a contract should be reduced.

6 The question of which party has the right of generating control information is very important, of course. It will be discussed only briefly later, as it is beyond the scope of this paper. We only require that a consensus on the events and their associated control information has been achieved, whether dictated by one party or the other having the (contractual) right to do so or by an actual consensus process.

Fig. 13 Eager matching with explicit reduction control
D, δ C Success D, δ C Failure Failure Failure δ {X v} = P (v = Q[a] δ ) D, δ C transmit(x P ). c transmit(v) δ {X v} =P (v = Q[a] δ ) D, δ C transmit(x P ). c transmit(v) (f(x) = c) D (v = Q[a] δ ) D, δ C f(a) c[v/x] c[v/x] Failure D, δ C c d D, δ C c + c d + c D, δ C c d D, δ C c + c c + d D, δ C Success + Success Success D, δ C c d c D, δ C c + d fd c D, δ C c d D, δ C c c d c D, δ C c d d D, δ C c c ld d c D, δ C Success c c D, δ C d d d D, δ C c + d sd d D, δ C c d D, δ C c c c d d D, δ C c d D, δ C c c rd c d D, δ C c Success c D, δ C c d D, δ C c; c d; c D, δ C c d D, δ D, δ C c; c C Success; c c d; c

Theorem 5 (Correctness of eager matching with routing). For each δ, D, normalized c and event e we have that D, δ N c c if and only if there exists d {f, s, l, r} such that D, δ C c de c. Furthermore, for all c such that D, δ C c de c we have c = c; that is, given c and control-annotated event de the residual contract c is uniquely determined.

Intuitively, a control-annotated event de conveys an event e and information d that unambiguously routes the event to the particular commitment it is to be matched with: f, s determine which branch of a . + .-contract is to be chosen, and l, r identify in which subcontract of a . . -contract the economic event is to be matched. This routing information ensures that all trading partners in a contract, each maintaining their own state of the contract, match events to the same atomic commitment and thus can be assured that they will also be in agreement on the residual contract. Other methods for controlling reduction in an eager matching semantics are discussed by Andersen and Elsborg [AE03]. Some of these left/right choices may be further eliminated in practice (that is, inferred automatically) where they are forced (no other choice allows successful completion of the contract).

4 Example Contracts

We previously saw an encoding of the Agreement to Sell Goods (Figure 4). In this section, two additional real-life example contracts are considered. First, the previously presented abbreviated version of the natural language Legal Services Agreement (Figure 2) is encoded in our contract specification language. Second, we present a natural language contract for software development (Figure 15) and provide its encoding in our language (Figure 16).

Before it is possible to express real-life contracts, however, the predicate language and the arithmetic language must be defined. For the purpose of demonstration we will afford ourselves a fairly advanced language that has multiple datatypes (e.g. integers and dates), common arithmetic operators, logical connectives, lists and a number of built-in functions. The syntax is common and straightforward, and hence we shall not delve into the technical details here. Later, in Section 5, we will define the language and consider possible restrictions that ameliorate contract analysis.

Fig. 14 Specification of Agreement to Provide Legal Services
letrec extra (att, com, invoice, pay) =
  ( Success
  + transmit (att, com, invoice, T2).
    transmit (com, att, pay, T3 T3 <= T2 + 45d))
legal (att, com, fee, invoice, pay, n, m, end) =
  transmit (att, com, H, T n < T and T <= m).
  ( extra (att, com, invoice, pay)
    transmit (com, att, fee, T T <= m + 8d)
    ( legal (att, com, fee, invoice, pay, m, min(m + 30d, end), end)
    + transmit (att, com, end, T end <= T)))
in legal ("Attorney", "Company", 10000, invoice, pay, 0, 30, 360)

Writing the formal specification of the Legal Services Agreement (Figure 2) is fairly straightforward, bar two points: Consider the validity period specified in Section 3 of the contract.

Taken literally, it would imply, that the attorney shall render services in the month of December, but receive no fee in consideration since January 2005 is outside the validity period. Surely, this is not the intention; in fact, consideration will defeat most deadlines as is clearly the intent here and this is avoided in the encoding of the contract (Figure 14). This weakness in the informal contract is revealed, which is a good thing, when encoding it formally.

The Agreement to Provide Legal Services fails to specify who decides if legal services should be rendered. In the encoding it is simply assumed that the attorney is the initiator and that all services rendered over a month can be modelled as one event. Based on the hours of services rendered, the attorney has a choice to invoice extra hours at the hourly rate. Furthermore, the attorney is assumed to give the notice end to allow contract termination. This is introduced to make sure that the contract is not nullable between every recursion.

Fig. 15 Software Development Agreement
Section 1. The Developer shall develop software as described in Exhibit A (Requirements Specification) according to the schedule set forth in Exhibit B (Project Schedule and Deliverables). Specifically, the Developer shall be responsible for the timely completion of the deliverables identified in Exhibit B.
Section 2. The Client shall provide written approval upon the completion of each deliverable identified in Exhibit B.
Section 3. In the event of any delay by the Client, all the Developer's remaining deadlines shall be extended by the greater of the two following: (i) five working days, (ii) two times the delay induced by the Client. The Client's deadlines shall be unchanged.
Section 4. In consideration of services rendered the Client shall pay USD $100.000 due on 7/1.
Section 5. If the Client wishes to add to the order, or if upon written approval of a deliverable, the Client wishes to make modifications to the deliverable, the Client and the Developer shall enter into a Change Order. Upon mutual agreement the Change Order shall be attached to this contract.
Section 6. The Developer shall retain all intellectual rights associated with the software developed. The Client may not copy or transfer the software to any third party without the explicit, written consent of the Developer.
Exhibit A. (omitted)
Exhibit B. Deadlines for deliverables and approval: (i) 1/1, 1/15; (ii) 3/1, 3/15, (final deadline) 7/1, 7/15.

Now consider the more elaborate Software Development Agreement in Figure 15. When coding the contract, one notices that the contract fails to specify the ramifications of the client's non-approval of a deliverable. One also sees that the contract does not specify what to do if, due to delay, some approval deadline comes before the postponed delivery date. In the current code, this is taken to mean further delay on the client's part even if the client gave approval at the same time as the deliverable was transmitted. It seems that contract coding is a healthy process in the sense that it will often unveil underspecification and errors in the natural language contract being coded. The Change Order described in Section 5 of the contract and the intellectual rights described in Section 6 are not coded due to certain limitations in our language. We will postpone the discussion of this until Section 6.

4.1 Example Reduction

We now demonstrate how the Legal Services Agreement behaves under our three reduction strategies: deferred matching, eager matching, and eager matching with explicit control. All three derivations assume that we invoke the contract as legal (att, com, fee, invoice, pay, 0, 30, 60)

i.e. we would like the contract to run for two months. Of course, the parameters att, com, fee, invoice, and pay should be bound to values, but we leave them as is for readability since none of them have an impact on the control flow of the contract. This yields the contract body:

transmit (att, com, H, T 0 < T and T <= 30).
( transmit (com, att, fee, T T <= 30 + 8d)
  ( legal (att, com, fee, invoice, pay, 30, min(30 + 30d,60), 60)
  + transmit (att, com, end, T 60 <= T)))

The sub-contract extra has been taken out to reduce the size of the reductions. To facilitate comparison we will use the same basic event trace for all three reduction strategies:

(att,com,h1,20)   Services rendered first month
(att,com,h2,37)   Services rendered second month
(com,att,fee,38)  Fee for first month
(com,att,fee,62)  Fee for second month
(att,com,end,64)  Attorney signals end-of-contract

The trace will be furnished with reduction controls and interspersed with when mandated by the concrete semantics in question. Consider Figure 17 for a juxtaposition of the two eager matching strategies (with and without explicit control) on the Legal Services Agreement and Figure 18 for a demonstration of the deferred matching strategy.

Fig. 16 Specification of Software Development Agreement (note that we assume (easily defined) abbreviations for max(x,y) and allow subtraction on the domain Time)
letrec deliverables (dev, client, payment, deliv1, deadline1, approve1, deliv2, deadline2, approve2, delivf, deadlinef, approvef) =
  transmit(dev, client, deliv1, T1 T1 <= deadline1).
  transmit(client, dev, "ok", T).
  transmit(dev, client, deliv2, T2 T2 <= deadline2 + max(5d, (T - approve1) * 2)).
  transmit(client, dev, "ok", T).
  transmit(dev, client, delivf, Tf Tf <= deadlinef + max(5d, (T - approve2) * 2)).
  transmit(client, dev, "ok", T).
  transmit(dev, client, "done", T).
  Success
software (dev, client, payment, paymentdeadline, ds) =
  deliverables (dev, client, deliv1, deadline1, approve1, deliv2, deadline2, approve2, delivf, deadlinef, approvef)
  transmit(client, dev, payment, T T <= paymentdeadline)
in software ("Me", "Client", 100000, 2004.7.1, d1, 2004.1.1, 2004.1.15, d2, 2004.3.1, 2004.3.15, final, 2004.7.1, 2004.7.15)
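As an added example (my own Python, not code from the paper or its authors), the following represents the constructs of C P as an abstract syntax tree, implements nullability (Fig. 9) and the deferred-matching reduction (Fig. 11), and runs the monitoring algorithm of Sect. 3.6 over the Sect. 4.1 trace of the Legal Services Agreement, keeping both continuations that Fig. 18 keeps instead of committing to the eager choice that goes wrong in Fig. 17. It assumes integer day numbers for times, models the predicate language and substitution with Python closures, omits the extra subcontract as Sect. 4.1 does, and treats a contract that simplifies to the literal Failure as the (conservative) inconsistency test; the helpers tx, residual, simplify and monitor are mine.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple, Union

# A transfer event transmit(a1, a2, r, t) as (from, to, resource, time); times are day numbers.
Event = Tuple[str, str, str, int]

class Contract: pass
@dataclass(frozen=True)
class Success(Contract): pass
@dataclass(frozen=True)
class Failure(Contract): pass
@dataclass(frozen=True)
class Transmit(Contract):              # transmit(X | P). c
    pred: Callable[[Event], bool]      # P, evaluated with X bound to the event
    cont: Callable[[Event], Contract]  # c[v/X], built lazily from the matched event
@dataclass(frozen=True)
class Alt(Contract):                   # c1 + c2
    left: Contract
    right: Contract
@dataclass(frozen=True)
class Par(Contract):                   # c1 || c2
    left: Contract
    right: Contract
@dataclass(frozen=True)
class Seq(Contract):                   # c1 ; c2
    left: Contract
    right: Contract

def tx(frm, to, res, time_ok, cont=lambda e: Success()):
    """transmit(frm, to, res, T | time_ok(T)). cont, the Sect. 3.1 abbreviation;
    res=None leaves the resource a free variable matching anything (like H in Fig. 14)."""
    return Transmit(lambda e: e[0] == frm and e[1] == to
                    and (res is None or e[2] == res) and time_ok(e[3]), cont)

def nullable(c: Contract) -> bool:
    """Fig. 9: may c be concluded right now?"""
    if isinstance(c, Success):
        return True
    if isinstance(c, (Failure, Transmit)):
        return False
    if isinstance(c, Alt):
        return nullable(c.left) or nullable(c.right)
    return nullable(c.left) and nullable(c.right)       # Par and Seq

def simplify(c: Contract) -> Contract:
    """The housecleaning of Fig. 18 (C + Failure = C, Failure || C = Failure, Success || C = C)
    plus Success; C = C and Failure; C = Failure; each preserves the denoted trace set."""
    if not isinstance(c, (Alt, Par, Seq)):
        return c
    l, r = simplify(c.left), simplify(c.right)
    if isinstance(c, Alt):
        return r if isinstance(l, Failure) else l if isinstance(r, Failure) else Alt(l, r)
    if isinstance(c, Par):
        if isinstance(l, Failure) or isinstance(r, Failure):
            return Failure()
        return r if isinstance(l, Success) else l if isinstance(r, Success) else Par(l, r)
    return Failure() if isinstance(l, Failure) else r if isinstance(l, Success) else Seq(l, r)

def residual(c: Contract, e: Event) -> Contract:
    """Fig. 11, deferred matching: every commitment that could absorb e stays as a summand."""
    if isinstance(c, (Success, Failure)):
        return Failure()
    if isinstance(c, Transmit):
        return c.cont(e) if c.pred(e) else Failure()
    if isinstance(c, Alt):
        return simplify(Alt(residual(c.left, e), residual(c.right, e)))
    if isinstance(c, Par):
        return simplify(Alt(Par(residual(c.left, e), c.right), Par(c.left, residual(c.right, e))))
    d = Seq(residual(c.left, e), c.right)               # Seq: e is matched in c1 ...
    return simplify(Alt(d, residual(c.right, e)) if nullable(c.left) else d)  # ... or in c2

def monitor(c: Contract, messages: List[Union[Event, str]]) -> List[str]:
    """The Sect. 3.6 monitoring algorithm; "conclude" is the terminate-contract message.
    A contract counts as inconsistent only when it simplifies to Failure (a conservative test)."""
    out, c = [], simplify(c)
    if isinstance(c, Failure):
        return ["inconsistent"]
    for msg in messages:
        if msg == "conclude":
            if nullable(c):
                return out + ["successfully completed"]
            out.append("cannot be terminated now")
        else:
            c = residual(c, msg)
            if isinstance(c, Failure):
                return out + ["breach of contract"]
            out.append("ok")
    return out

def legal(att, com, fee, n, m, end):
    """The legal template of Fig. 14 without extra (as in Sect. 4.1); 30d and 8d are day counts.
    The recursive call sits inside a continuation, so the template is guarded by construction."""
    return tx(att, com, None, lambda t: n < t <= m, lambda _: Par(
        tx(com, att, fee, lambda t: t <= m + 8),
        Alt(legal(att, com, fee, m, min(m + 30, end), end),
            tx(att, com, "end", lambda t: end <= t))))

# Constructed trace of Sect. 4.1 with "conclude" requests inserted (the requests are my addition).
TRACE = [("att", "com", "h1", 20), ("att", "com", "h2", 37), ("com", "att", "fee", 38),
         ("com", "att", "fee", 62), "conclude", ("att", "com", "end", 64), "conclude"]

if __name__ == "__main__":
    print(monitor(legal("att", "com", "fee", 0, 30, 60), TRACE))
```

Because every possible match is kept as a summand, the fee on day 62 is absorbed by the continuation in which the day-38 fee paid the first month, while the other continuation fails and is dropped; this is exactly the situation in which the eager choice of Fig. 17 leaves the contract with no way to succeed.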

Fig. 17 Eager matching without and with explicit control on the legal services agreement

Without explicit control:

transmit (att, com, H, T 0 < T and T <= 30).
( transmit (com, att, fee, T T <= 30 + 8d)
  ( legal (..., 30, min(30 + 30d,60), 60)
  + transmit (att, com, end, T 60 <= T)))

Services rendered first month: (att,com,h1,20)
( transmit (com, att, fee, T T <= 30 + 8d)
  ( legal (..., 30, min(30 + 30d,60), 60)
  + transmit (att, com, end, T 60 <= T)))

Take the first branch in + and unfold legal:
( transmit (com, att, fee, T T <= 30 + 8d)
  (transmit (att, com, H, T 30 < T and T <= 60).
    ( transmit (com, att, fee, T T <= 60 + 8d)
      ( legal (..., 60, min(60 + 30d,60), 60)
      + transmit (att, com, end, T 60 <= T)))))

Services rendered second month: (att,com,h2,37)
The non-determinism is not constrained to viable options, but will allow any obviously wrong reduction to go wrong at any point. Assuming the desired outcome:
( transmit (com, att, fee, T T <= 30 + 8d)
  ( transmit (com, att, fee, T T <= 60 + 8d)
    ( legal (..., 60, min(60 + 30d,60), 60)
    + transmit (att, com, end, T 60 <= T))))

The next event matches a transmit in the first iteration and a transmit in the second iteration. The contract could reduce properly or fail. We demonstrate the latter.
Fee for first month: (com,att,fee,38)
( transmit (com, att, fee, T T <= 30 + 8d)
  ( Success
    ( legal (..., 60, min(60 + 30d,60), 60)
    + transmit (att, com, end, T 60 <= T))))

At time 39 the whole contract can terminate, because the 30 + 8d condition becomes unsatisfiable. Assume that this possibility is exploited.
Fee for second month: (com,att,fee,62)
Now, there is a serious problem. The choice of matching the first fee was unwise, and the limits of the eager matching semantics shows. The contract can now only fail.
( Failure
  ( Success
    ( legal (..., 60, min(60 + 30d,60), 60)
    + transmit (att, com, end, T 60 <= T))))
Failure

With explicit control:

transmit (att, com, H, T 0 < T and T <= 30).
( transmit (com, att, fee, T T <= 30 + 8d)
  ( legal (..., 30, min(30 + 30d,60), 60)
  + transmit (att, com, end, T 60 <= T)))

Services rendered first month: (att,com,h1,20)
( transmit (com, att, fee, T T <= 30 + 8d)
  ( legal (..., 30, min(30 + 30d,60), 60)
  + transmit (att, com, end, T 60 <= T)))

We now take the first branch in + and unfold legal:
( transmit (com, att, fee, T T <= 30 + 8d)
  (transmit (att, com, H, T 30 < T and T <= 60).
    ( transmit (com, att, fee, T T <= 60 + 8d)
      ( legal (..., 60, min(60 + 30d,60), 60)
      + transmit (att, com, end, T 60 <= T)))))

Services rendered second month: r(att,com,h2,37)
We use explicit directives to point out the transmit we wish to match. Probably, the runtime system already suggested the options available and we picked one leaving the details to the system.
( transmit (com, att, fee, T T <= 30 + 8d)
  ( transmit (com, att, fee, T T <= 60 + 8d)
    ( legal (..., 60, min(60 + 30d,60), 60)
    + transmit (att, com, end, T 60 <= T))))

Fee for first month: l(com,att,fee,38)
This event matches two different transmits, but the decision is taken by the directives:
( transmit (com, att, fee, T T <= 60 + 8d)
  ( legal (..., 60, min(60 + 30d,60), 60)
  + transmit (att, com, end, T 60 <= T)))

Fee for second month: l(com,att,fee,62)
( legal (..., 60, min(60 + 30d,60), 60)
+ transmit (att, com, end, T 60 <= T))

Attorney signals end-of-contract: s(att,com,end,64)
Success

Fig. 18 Deferred matching on the legal services agreement

transmit(att, com, H, T | 0 < T and T <= 30).
( transmit(com, att, fee, T | T <= 30 + 8d)
  ∥ ( legal(..., 30, min(30 + 30d, 60), 60)
      + transmit(att, com, end, T | 60 <= T)))

Services rendered first month: (att,com,h1,20)

( transmit(com, att, fee, T | T <= 30 + 8d)
  ∥ ( legal(..., 30, min(30 + 30d, 60), 60)
      + transmit(att, com, end, T | 60 <= T)))

Services rendered second month: (att,com,h2,37)

( Failure
  ∥ ( legal(..., 30, min(30 + 30d, 60), 60)
      + transmit(att, com, end, T | 60 <= T)))
+ ( transmit(com, att, fee, T | T <= 30 + 8d)
    ∥ ( ( transmit(com, att, fee, T | T <= 60 + 8d)
          ∥ ( legal(..., 60, min(60 + 30d, 60), 60)
              + transmit(att, com, end, T | 60 <= T)))
        + Failure))

Let us remove the failed parts, i.e. C + Failure = C and C ∥ Failure = Failure:

( transmit(com, att, fee, T | T <= 30 + 8d)
  ∥ ( transmit(com, att, fee, T | T <= 60 + 8d)
      ∥ ( legal(..., 60, min(60 + 30d, 60), 60)
          + transmit(att, com, end, T | 60 <= T))))

Fee for first month: (com,att,fee,38)

( Success
  ∥ ( transmit(com, att, fee, T | T <= 60 + 8d)
      ∥ ( legal(..., 60, min(60 + 30d, 60), 60)
          + transmit(att, com, end, T | 60 <= T))))
+ ( transmit(com, att, fee, T | T <= 30 + 8d)
    ∥ ( Success
        ∥ ( legal(..., 60, min(60 + 30d, 60), 60)
            + transmit(att, com, end, T | 60 <= T))))
+ ( transmit(com, att, fee, T | T <= 30 + 8d)
    ∥ ( transmit(com, att, fee, T | T <= 60 + 8d)
        ∥ ( Failure + Failure)))

And some more housecleaning, also Success ∥ C = C:

( transmit(com, att, fee, T | T <= 60 + 8d)
  ∥ ( legal(..., 60, min(60 + 30d, 60), 60)
      + transmit(att, com, end, T | 60 <= T)))
+ ( transmit(com, att, fee, T | T <= 30 + 8d)
    ∥ ( legal(..., 60, min(60 + 30d, 60), 60)
        + transmit(att, com, end, T | 60 <= T)))

Two continuations are valid at time T = 38. The first has matched the first month's fee with the first iteration. The second represents matching the first fee with the second iteration. At time 39 the second branch can be rewritten to failure if our algorithm is able to decide that the condition T <= 30 + 8d becomes unsatisfiable. But let us leave both branches for now and see what happens.

Fee for second month: (com,att,fee,62)

This time let us skip the step where all non-matching branches get their own continuation, which is then removed immediately afterwards. Assume that we only attempt a match on the two transmits mentioning the fee:

( Success
  ∥ ( legal(..., 60, min(60 + 30d, 60), 60)
      + transmit(att, com, end, T | 60 <= T)))
+ ( Failure
    ∥ ( legal(..., 60, min(60 + 30d, 60), 60)
        + transmit(att, com, end, T | 60 <= T)))

which simplifies to

( legal(..., 60, min(60 + 30d, 60), 60)
  + transmit(att, com, end, T | 60 <= T))

At this time a good failure algorithm would detect that the invocation of legal can be reduced to failure. Unfolding legal gives predicates of the form 60 < T and T <= 60 on all transmits, hence no event can match in legal.

Attorney signals end-of-contract: (att,com,end,64)

Success

Technically, this is Success ∥ extra ∥ extra because we left out extra during reduction. Events can still match the invoices (i.e. the attorney retains the right to invoice any extra hours of service previously rendered). The contract is terminable (nullable) at this point.

5 Contract Analysis

The formal groundwork in order, we can begin to ask ourselves questions about contracts such as:

- What is my first order of business?
- When is the next deadline?
- How much of a particular resource will I gain from my portfolio and at what times?
- What is the monetary value of my portfolio?
- Is the contract I just wrote safe and fair?
- Will contract fulfillment require more than the x units I currently have in stock?
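The deferred reduction above, together with the failed-contract check (Sect. 5.1) and the task list (Sect. 5.2) that the reductions keep appealing to, worked in code. This is an added example, not the paper's own implementation: it assumes a Python encoding in which predicates are restricted to intervals lo < T <= hi on the event time, Success and Failure are the constants SUCCESS and FAILURE, the unbound hours variable H is written None, and the extra sub-contract is omitted as in the figures.

```python
# Constructed mini-interpreter for the contract fragment reduced above: transmit prefixes with
# interval predicates on T, choice (+), parallel composition (||), deferred-matching residuation,
# the failed-contract check of Sect. 5.1 and the task list of Sect. 5.2.
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple, Union

INF = 10 ** 9                        # stands in for "no upper deadline"
Event = Tuple[str, str, str, int]    # (sender, receiver, resource, time in days)

@dataclass(frozen=True)
class Done:                          # the terminal contracts Success and Failure
    ok: bool
SUCCESS, FAILURE = Done(True), Done(False)

@dataclass(frozen=True)
class Transmit:
    """transmit(a1, a2, r, T | lo < T and T <= hi). cont; r=None is an unbound variable."""
    a1: str
    a2: str
    r: Optional[str]
    lo: int
    hi: int
    cont: "Contract"
    def matches(self, ev: Event) -> bool:
        return (ev[0], ev[1]) == (self.a1, self.a2) and self.r in (None, ev[2]) and self.lo < ev[3] <= self.hi

@dataclass(frozen=True)
class Choice:      # c1 + c2
    left: "Contract"
    right: "Contract"

@dataclass(frozen=True)
class Par:         # c1 || c2
    left: "Contract"
    right: "Contract"

Contract = Union[Done, Transmit, Choice, Par]

def simplify(c: Contract) -> Contract:
    """Housecleaning of Fig. 18: C + Failure = C, C || Failure = Failure, Success || C = C."""
    if isinstance(c, Choice):
        l, r = simplify(c.left), simplify(c.right)
        return r if l == FAILURE or l == r else l if r == FAILURE else Choice(l, r)
    if isinstance(c, Par):
        l, r = simplify(c.left), simplify(c.right)
        return FAILURE if FAILURE in (l, r) else r if l == SUCCESS else l if r == SUCCESS else Par(l, r)
    return c

def residuate(c: Contract, ev: Event) -> Contract:
    """ev \\ c under deferred matching: every way of absorbing ev is kept as a choice."""
    if isinstance(c, Transmit):
        return c.cont if c.matches(ev) else FAILURE
    if isinstance(c, Choice):
        return simplify(Choice(residuate(c.left, ev), residuate(c.right, ev)))
    if isinstance(c, Par):
        return simplify(Choice(Par(residuate(c.left, ev), c.right),
                               Par(c.left, residuate(c.right, ev))))
    return FAILURE                   # Success and Failure absorb no further events

def prune_failed(c: Contract, now: int) -> Contract:
    """Fig. 21 as a rewrite: a transmit no time >= now can satisfy, or whose continuation
    is failed, becomes Failure; the laws in simplify() then propagate it upwards."""
    if isinstance(c, Transmit):
        cont = prune_failed(c.cont, now)
        dead = c.hi < now or c.lo >= c.hi      # deadline passed, or empty interval
        return FAILURE if dead or cont == FAILURE else replace(c, cont=cont)
    if isinstance(c, (Choice, Par)):
        return simplify(type(c)(prune_failed(c.left, now), prune_failed(c.right, now)))
    return c

def alternatives(c: Contract) -> List[Contract]:
    # Top-level choices: the hypothetical states a deferred reduction is keeping.
    return alternatives(c.left) + alternatives(c.right) if isinstance(c, Choice) else [c]

def tasks(c: Contract, agent: str, now: int) -> List[Transmit]:
    """Fig. 23: commitments `agent` can carry out at time `now` (no look-ahead past a transmit)."""
    if isinstance(c, Transmit):
        return [c] if c.a1 == agent and c.lo < now <= c.hi else []
    if isinstance(c, (Choice, Par)):
        return tasks(c.left, agent, now) + tasks(c.right, agent, now)
    return []

def legal(start: int, nxt: int, end: int) -> Contract:
    """legal(..., start, next, end) of the Legal Services Agreement; unfolded only while start < next."""
    fee = Transmit("com", "att", "fee", -1, nxt + 8, SUCCESS)          # T <= next + 8d
    finish = Transmit("att", "com", "end", end - 1, INF, SUCCESS)     # end <= T
    body = SUCCESS if start >= nxt else Par(fee, Choice(legal(nxt, min(nxt + 30, end), end), finish))
    return Transmit("att", "com", None, start, nxt, body)             # hours H, start < T <= next

# Constructed to match the event trace used for all three reduction strategies above.
TRACE: List[Event] = [("att", "com", "h1", 20), ("att", "com", "h2", 37), ("com", "att", "fee", 38),
                      ("com", "att", "fee", 62), ("att", "com", "end", 64)]

def run(trace: List[Event]) -> Tuple[Contract, List[int]]:
    """Deferred reduction over `trace`, failure check run the day after each event; returns the residual and the alternatives kept per event."""
    c: Contract = legal(0, 30, 60)
    kept: List[int] = []
    for ev in trace:
        c = residuate(c, ev)
        kept.append(len(alternatives(c)))
        c = prune_failed(c, ev[3] + 1)
    return c, kept
```

After the fee at day 38 two alternatives are open, exactly as in Fig. 18, and the one that paired the first fee with the second month is pruned by the failure check at day 39.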

The attempt to answer such questions is broadly referred to as contract analysis. Some analyses, notably safeness, will primarily be of interest during contract development, whereas other analyses apply to running contracts. The residuation property allows a contract analysis to be applied at any time (i.e. to any residual contract), and we can thus continuously monitor the execution of the contracts in our portfolio.

Recall that our contract specification language is parametrized over the language of predicates and arithmetic. There is a clear trade-off in play here: a sophisticated language buys expressiveness, but renders most of the analyses undecidable. There is another source of difficulties. Variables may be bound to components of an event that is unknown at the time of analysis. An expression like transmit(a1, a2, R, T | true). offers little insight into the nature of R unless furnished with a probability vector over all resources. Here we will circumvent these problems by making do with a restricted predicate language and accepting that analyses may not give answers on all input (but will give correct answers).

The predicate language is plugged in at two locations: in function application f(a), where all components of the vector a must be checked according to the rules of the predicate language, and in transmit(a1, a2, r, t | P), where P must have the type Boolean. As previously we require that a1, a2, r, and t are either variables (bound or unbound) or constants. If some components are bound variables or constants, they must be equal to the corresponding components of an incoming event (a1', a2', r', t') for a match to occur.

Consider the syntax provided in Figure 19. In addition to the types Agent, Resource, and Time, the language has the fundamental types Int and Boolean. Take ρ to range over {Int, Time}, take σ to range over ρ ∪ {Agent, Resource}, and assume that constants can be uniquely typed (e.g. time constants are in ISO format, and agent and resource constants are disjoint and known). The language allows arithmetic on integers, simple propositional logic, and manipulation of the two abstract types Resource and Time.
Given a time (date) t we may add an integral number of years, months or days. For example 2004.1.1 + 3d + 1y yields 2005.1.4. Resources permit a projection on a named component (field) and all fields are of type Int. E.g. to extract the total amount from an information resource named invoice we write #(invoice, total, t) where t is some date [7]. The fields of resources may change over time; hence the third parameter of type Time. Observables can now be understood simply as fields of a ubiquitous resource named obs. An Int may double for a Resource, in which case the Int is understood to be a currency amount.

For the denotational semantics of the predicate language we define the following functions mapping syntactic expressions to mathematical objects:

E : Exp → Δ → (Agent ∪ Resource ∪ Int ∪ Time)
B : BExp → Δ → {t, f}

where we assume the following mathematical environment:

- Δ is the set of all possible bindings δ of variables to values.
- Exp is the set of all possible expressions of type Int, Time, Resource or Agent in the language.
- BExp is the set of all possible expressions of type Boolean in the language.
- Resource and Agent are the sets of resources and agents respectively.

[7] When a resource is introduced into the system through a match, it must be dynamically checked that it possesses the required fields. The set of required fields can be statically determined by a routine type check annotating resources with field names à la {date, total, paymentdeadline} Resource. To keep things simple we omit this type extension here.

Fig. 19 Example syntax for predicate language

- A variable var has type σ if the typing environment assigns var the type σ; a constant const has type σ if type(const) = σ.
- If e1 : Int, e2 : Int and op ∈ {+, −, ×, /}, then e1 op e2 : Int.
- If t : Time, e : Int, f ∈ {y, m, d} and op ∈ {+, −}, then t op e f : Time.
- If r : Resource, t : Time and f ∈ fields(r), then #(r, f, t) : Int.
- If e : Time and f ∈ {y, m, d}, then #f e : Int.
- If e : Int, then e : Resource.
- If e1 : ρ and e2 : ρ, then e1 < e2 : Boolean.
- If e1 : σ and e2 : σ, then e1 = e2 : Boolean.
- If b1 : Boolean, b2 : Boolean and op ∈ {and, or}, then b1 op b2 : Boolean.
- If b : Boolean, then not b : Boolean.

Int = Z. Time = {..., (−2)_t, (−1)_t, 0_t, 1_t, 2_t, ...}, where the operators + and − have the obvious interpretations, and we have the map (·)_t : Z → Time defined by (n)_t = n_t. Int ⊆ Resource. Agent, Resource, and Time are pairwise disjoint. (Agent ∪ Resource ∪ Int ∪ Time) is equipped with a (non-total) order < that is the union of the orders of the participating sets. Assume that Int and Time have the usual orderings. ∧, ∨, and ¬ serve as logical operators with the usual meaning over the set {t, f}. If a and b are integers, a ÷ b gives the largest integer c such that c · b ≤ a. mod is the corresponding modulo function so that c · b + a mod b = a. ϕ : Resource × Field × Time → Int is a projection function on resources, and Field is a set of static field identifiers.

A contract analysis is a map from a syntactic description of a contract and some auxiliary information to a domain of our choice. The auxiliary information is often an agent or a point in time that the analysis should be relative to, or an estimate of the probabilities associated with an underlying process. Ideally, a contract analysis can be performed compositionally. This section contains two simple analyses with this property. Space considerations prevent a walkthrough of more involved examples, but the basic idea should be clear. We will assume for simplicity that recursively defined contracts are guarded. The analyses are presented using inference systems defined by induction on syntax, emphasizing the declarative and compositional nature of the analyses.

5.1 Example: Failed Contracts

A contract may accept a sequence of one or more events that is not a prefix of a performing trace.
Thus the residual contract is failed and its denotation is the empty set: the contract is in an inconsistent state. The inference rules provided in Figure 21 sketch how one could go about detecting this. The focal point is being able to decide if a predicate P cannot hold true for any future values of its parameters. In practice, this often amounts to a simple argument: a deadline has been passed. We have referred to the failed analysis numerous times in the example reductions. In Section 4 we saw that eager matching made a bad choice, which was not detected until much later. The failure analysis seeks to alleviate such situations as early as possible. Consider the scenario

Fig. 20 Denotational semantics for predicate language

E[[const]] = λδ. const
E[[var]] = λδ. δ(var)
E[[e1 + e2]] = λδ. E[[e1]]δ + E[[e2]]δ
E[[e1 − e2]] = λδ. E[[e1]]δ − E[[e2]]δ
E[[e1 × e2]] = λδ. E[[e1]]δ × E[[e2]]δ
E[[e1 / e2]] = λδ. E[[e1]]δ ÷ E[[e2]]δ
E[[#d e]] = λδ. E[[e]]δ mod 30
E[[#m e]] = λδ. (E[[e]]δ ÷ 30) mod 12
E[[#y e]] = λδ. E[[e]]δ ÷ 360
E[[e + f d]] = λδ. E[[e]]δ + (E[[f]]δ)_t
E[[e + f m]] = λδ. E[[e]]δ + (E[[f]]δ × 30)_t
E[[e + f y]] = λδ. E[[e]]δ + (E[[f]]δ × 360)_t
E[[e − f d]] = λδ. E[[e]]δ − (E[[f]]δ)_t
E[[e − f m]] = λδ. E[[e]]δ − (E[[f]]δ × 30)_t
E[[e − f y]] = λδ. E[[e]]δ − (E[[f]]δ × 360)_t
E[[#(r, f, t)]] = λδ. ϕ(E[[r]]δ, f, E[[t]]δ)
B[[e1 < e2]] = λδ. t if E[[e1]]δ < E[[e2]]δ, f otherwise
B[[e1 = e2]] = λδ. t if E[[e1]]δ = E[[e2]]δ, f otherwise
B[[b1 and b2]] = λδ. B[[b1]]δ ∧ B[[b2]]δ
B[[b1 or b2]] = λδ. B[[b1]]δ ∨ B[[b2]]δ
B[[not b]] = λδ. ¬ B[[b]]δ

Fig. 21 Failed contracts

- D, δ, t ⊢ transmit(X | P). c failed, if for every extension δ' of the bindings and every time t' ≥ t, P does not hold under δ extended with δ' and with T bound to t'.
- D, δ, t ⊢ transmit(X | P). c failed, if D, δ, t ⊢ c failed.
- D ⊢ Failure failed.
- D, δ, t ⊢ c + c' failed, if D, δ, t ⊢ c failed and D, δ, t ⊢ c' failed.
- D, δ, t ⊢ c ∥ c' failed, if D, δ, t ⊢ c failed or D, δ, t ⊢ c' failed.
- D, δ, t ⊢ c ; c' failed, if D, δ, t ⊢ c failed or D, δ, t ⊢ c' failed.
- D, δ, t ⊢ f(a) failed, if (f(X) = c) ∈ D and D, δ, t ⊢ c failed.

in Figure 22 for an example under the eager matching regime. The failure of the contract is detected as soon as there is no remedy, i.e. at T = 39.

Fig. 22 Example: Failed legal services agreement under eager matching (non-deterministic)

transmit(att, com, H, T | 0 < T and T <= 30).
( transmit(com, att, fee, T | T <= 30 + 8d)
  ∥ ( legal(..., 30, min(30 + 30d, 60), 60)
      + transmit(att, com, end, T | 60 <= T)))

(att, com, h1, 20), (att, com, h2, 37), (com, att, fee, 38)

( transmit(com, att, fee, T | T <= 30 + 8d)
  ∥ ( Success
      ∥ ( legal(..., 60, min(60 + 30d, 60), 60)
          + transmit(att, com, end, T | 60 <= T))))

We would rather not wait for the next event (com,att,fee,62) before realizing that the situation is not working. As soon as T = 39, transmit(com, att, fee, T | T <= 30 + 8d) can transition to Failure. The relevant part of the derivation looks like this (each line is derived from the one above it):

D, δ, 39 ⊢ no time t' ≥ 39 satisfies t' <= 30 + 8d
D, δ, 39 ⊢ transmit(com, att, fee, T | T <= 30 + 8d) failed
D, δ, 39 ⊢ ( transmit(com, att, fee, T | T <= 30 + 8d)
             ∥ ( Success
                 ∥ ( legal(..., 60, min(60 + 30d, 60), 60)
                     + transmit(att, com, end, T | 60 <= T)))) failed

5.2 Example: Task List

Given a contract or a portfolio of contracts it is tremendously important for an agent to know when and how to act. To this end we demonstrate how a very simple task list can be compiled. Consider the definition given in Figure 23. The function returns a list of outstanding commitments that can be carried out at time t. We only admit interval conditions of the form a ≤ T and T ≤ b, with T being the time variable in the enclosing transmit, since in real contracts hardly anything else is used. It is important to notice that the result of the analysis may be incomplete. A task is only added if the agents agree (i.e. a = a1), but if a1 is not bound at the time t of analysis, the task is simply skipped. A more elaborate dataflow analysis might reveal that in fact a1 is always bound to a. Also notice the case for application f(a). We expand the body of the named contract f given arguments a, but only once (assuming f is guarded). This measure ensures termination of the analysis, but reduces the function's look-ahead horizon.
Hence, any task or point of interest more than one recursive unfolding away is not detected. This is unlikely to have practical significance for two reasons: (1) recursively defined contracts are guarded, and so a transmit must be matched before a new unfold can occur; this transmit therefore is presumably more relevant than any other transmits further down the line; (2) it would be utterly unidiomatic if some transmit t1 was required to be matched before another transmit t2, but nevertheless had a later deadline than that of t2.

For an example of the task list analysis, we return to the Legal Services Agreement. The task list works best with eager matching with explicit reduction control. Eager matching alone is too careless, and deferred matching represents many states, which are all assumed valid, but may confuse the user when he or she sees overlapping tasks for every hypothetical state of the contract. Consider Figure 24 for an example of how the task list evolves under reduction of the Legal Services Agreement.

The examples given above, in their simplicity, may be extended given knowledge of the problem domain. In particular, knowledge of or forecasting about probable event sequences may be used in a manner orthogonal to the coding of analyses by appropriate function calls. Analyses possible to implement in this way include:

- Resource flow forecasting (supply requirements).
- Terminability by agent, latest termination, earliest termination.

Fig. 23 Task list analysis

- D, δ, a, t ⊢ Success : []
- D, δ, a, t ⊢ Failure : []
- D, δ, a, t ⊢ transmit(X | x ≤ T and T ≤ y). c : [], if X = (a1, a2, R, T) and a ≠ a1.
- D, δ, a, t ⊢ transmit(X | x ≤ T and T ≤ y). c : [], if ¬(x ≤ t and t ≤ y).
- D, δ, a, t ⊢ transmit(X | x ≤ T and T ≤ y). c : [transmit(X | x ≤ T and T ≤ y). c], if X = (a1, a2, R, T), a = a1, and x ≤ t and t ≤ y.
- D, δ, a, t ⊢ c1 + c2 : l1 @ l2, if D, δ, a, t ⊢ c1 : l1 and D, δ, a, t ⊢ c2 : l2.
- D, δ, a, t ⊢ c1 ; c2 : l1 @ l2, if D ⊢ c1 nullable, D, δ, a, t ⊢ c1 : l1 and D, δ, a, t ⊢ c2 : l2.
- D, δ, a, t ⊢ c1 ; c2 : l1, if D ⊢ c1 nullable does not hold and D, δ, a, t ⊢ c1 : l1.
- D, δ, a, t ⊢ c1 ∥ c2 : l1 @ l2, if D, δ, a, t ⊢ c1 : l1 and D, δ, a, t ⊢ c2 : l2.
- D, δ, a, t ⊢ f(a) : l, if (f(X) = c) ∈ D and D, δ, a, t ⊢ c : l.

- Valuation, or simply put: what is the value to an agent of a given contract? The analysis is fairly intricate and requires knowledge of financial models and stochastic processes. Interested readers are referred to Peyton Jones and Eber [JES00,JE03], who provide a very readable introduction targeted at computer scientists.
- General model checking for business rules: (a) static, (b) dynamic/runtime (Timed LTL checking), cf. [KPA04].

6 Discussion and Future Work

Our definition of contracts focuses on contracts as classifiers of event traces into performing and nonperforming ones. This is coarse, and many real-world issues are left out, not for good, but for now. The basic idea is to develop these notions within a general framework that may require specifications of runtime environment and protocols for event transmission. The inclusion of explicit operators in the language to mimic many standard steps in the contract lifecycle, say checking a contract for potential problems with current law, would not facilitate easy contract coding without both static ("does this contract conform to standard practice?") and dynamic ("is this sequence of events and their handling proper?") checks appealing to some enclosing structures. We decided to pursue compositionality (hierarchical specification) from the outset as a central notion and thus follow a process algebra approach, basically to evaluate how far that would take us in the given domain.
This can be contrasted to a network-oriented approach supported by suitable diagramming to appeal to visual faculties, which appears to be the preferred modeling approach for workflow systems (Petri nets) [vdAvH02] and in object-oriented analysis (UML diagramming). Note that hierarchical specification is also needed in a network-oriented approach to achieve modular description and reuse of specification components. Furthermore, powerful specification mechanisms such as functional abstraction and (non-tail) recursion have no simple visual representations. The Software Development Agreement (Figure 15) provides a good setting to observe the limitations to our approach and the ramifications of the design choices made.

Fig. 24 Task list for the Legal Services Agreement under eager matching with explicit control

transmit(att, com, H, T | 0 < T and T <= 30).
( transmit(com, att, fee, T | T <= 30 + 8d)
  ∥ ( legal(..., 30, min(30 + 30d, 60), 60)
      + transmit(att, com, end, T | 60 <= T)))

T = 0 : att: transmit(att, com, H, T | 0 < T and T <= 30)

Services rendered first month: (att,com,h1,20)

( transmit(com, att, fee, T | T <= 30 + 8d)
  ∥ (transmit(att, com, H, T | 30 < T and T <= 60).
       ( transmit(com, att, fee, T | T <= 60 + 8d)
         ∥ ( legal(..., 60, min(60 + 30d, 60), 60)
             + transmit(att, com, end, T | 60 <= T)))))

T = 20 : com: [transmit(com, att, fee, T | T <= 30 + 8d)]
T = 31 : att: transmit(att, com, H, T | 30 < T and T <= 60)
         com: transmit(com, att, fee, T | T <= 30 + 8d)

Services rendered second month: r(att,com,h2,37)

( transmit(com, att, fee, T | T <= 30 + 8d)
  ∥ ( transmit(com, att, fee, T | T <= 60 + 8d)
      ∥ ( legal(..., 60, min(60 + 30d, 60), 60)
          + transmit(att, com, end, T | 60 <= T))))

T = 37 : com: transmit(com, att, fee, T | T <= 30 + 8d)
         com: transmit(com, att, fee, T | T <= 60 + 8d)

Assuming the system was unable to decide predicates, two additional tasks would have been shown for att:

         att: transmit(att, com, H, T | 60 < T and T <= 60)
         att: transmit(att, com, end, T | 60 <= T)

Fee for first month: l(com,att,fee,38)

( transmit(com, att, fee, T | T <= 60 + 8d)
  ∥ ( legal(..., 60, min(60 + 30d, 60), 60)
      + transmit(att, com, end, T | 60 <= T)))

T = 38 : com: transmit(com, att, fee, T | T <= 60 + 8d)
T = 60 : att: transmit(att, com, end, T | 60 <= T)
         com: transmit(com, att, fee, T | T <= 60 + 8d)

Fee for second month: l(com,att,fee,62)

( legal(..., 60, min(60 + 30d, 60), 60)
  + transmit(att, com, end, T | 60 <= T))

T = 62 : att: transmit(att, com, end, T | 60 <= T)

Attorney signals end-of-contract: s(att,com,end,64)

Success

T ≥ 64 : No tasks!

The Change Order is not coded. It might be cleverly coded in the current language, again using constraints on the events passed around, but a more natural way would be using higher-order contracts, i.e. contracts taking contracts as arguments.
Thus, a Change Order would simply be the passing back and forth of a contract followed by an instantiation upon agreement. The transmission of rights can easily be coded, but the prohibition to transmit a particular resource affects all other contracts. Currently, we have no construct available to handle this situation. Contracts often specify certain things that are not to be done (e.g. not copying the software). Such restrictions should intersect all other outstanding contracts and limit them appropriately. A higher-order language or predicates that could guard all transmits of an entire subcontract might ameliorate this in a natural way.

A fuller range of language constructions that programmers are familiar with is also desirable; in the present incarnation of the contract language, several standard constructions have been left out in order to emphasize the core event model. In practice, conditionals and various sorts of lambda abstractions would make the language easier to use, though not strictly more expressive, as they can be encoded through events, albeit in a non-intuitive way. A conditional that is not driven by events (i.e. an if-then-else) seems to be needed for natural coding in many real-world contracts. Also, a catch-throw mechanism for unexpected events would make contracts more robust. Conversely, certain features of the language appear to be almost too strong for the domain; the inclusion of full recursion means that contracts active for an unlimited period of time, say leases, are easy to code, but make contract analysis significantly harder. In practice, contracts running for unlimited time periods often have external constraints (usually local legislation) forcing the contract to be reassessed by its parties, and possibly government representatives, from time to time. Having only a restricted form of recursion that suffices for most practical applications should simplify contract analysis. The expressivity of the contract language and indeed the feasibility of non-trivial contract analysis depends heavily on the predicate language used. Predicates restricted to the form [a; b] are surely too limited, and further investigation into the required expressiveness of the predicate language is desirable. While the language is parametrized over the predicate language used, almost all real-world applications will require some model of time and timed events to be incorporated, vis-à-vis the examples using intervals in Section 5. The current event model allows for encoding through the predicate language, but an extended set of events, with companion semantics, would make for easier contract programming; timer (or "trigger") events appear to be ubiquitous when encoding contracts.
7 Related Work

The impetus for this work comes from two directions: the REA accounting model pioneered by McCarthy [McC82] and Peyton Jones, Eber and Seward's seminal article on specification of financial contracts [JES00]. Furthermore, given that contracts specify protocols as to how parties bound by them are to interact with each other, there are links to process and workflow models.

7.1 Composing Contracts

Peyton Jones, Eber and Seward [JES00] present a compositional language for specifying financial contracts. It provides a decomposition of known standard contracts such as zero coupon bonds, options, swaps, straddles, etc., into individual payment commitments that are combined declaratively using a small set of contract combinators. All contracts are two-party contracts, and the parties are implicit. The combinators (taken from [JE03], revised from [JES00]) correspond to Success, ∥, +, transmit(·) of our language C_P; it has no direct counterparts to Failure, ; nor, most importantly, recursion or iteration. On the other hand, it provides conditionals and predicates that are applicable to arbitrary contracts, not just commitments as in C_P, something we have found to be worthwhile also for specifying commercial contracts. Furthermore, their language provides an until-operator that allows a party to terminate a contract successfully at a particular time, even if not all commitments have been satisfied. Using until for contract specification seems difficult, however, since it may legally cut off contract execution before all reciprocal commitments have been satisfied, e.g., the requirement to pay for a service that has been rendered.

Our contract language generalizes financial payment commitments to arbitrary transfers of resources and information, provides explicit agents and thus provides the possibility of specifying multi-party contracts. We have provided a denotational semantics for C_P and developed operational semantics for contract monitoring from it, whereas Peyton Jones, Eber and Seward focus on valuation, a sophisticated contract analysis based on stochastic analysis for pricing contracts.

7.2 Resources/Events/Agents (REA)

McCarthy [McC82] pioneered REA, an accounting model that focuses on the basic transaction patterns of the enterprise, the exchange of scarce goods and the transformation of resources by production, and separates it from phenomena that can be derived by aggregation or other means. Geerts and McCarthy [GM00] complement REA's entity-relationship model of basic ex-post notions of events, in which agents transmit scarce resources, with ex-ante notions: commitments and sets of commitments making up contracts [8]. Contracts, however, are only modeled as sets of commitments whose concrete terms and constraints are usually described in natural language and as such live outside the scope of the entity-relationship model. Our work provides a formalization for contracts and their (performing) executions and thus complements REA's data-centred notions with a well-defined process perspective.

7.3 Process Algebra and Logic

Disregarding the structure of events and their temporal properties, C_P is basically a process algebra. It corresponds to Algebra of Communicating Processes (ACP) with deadlock (Failure), free merge (∥) and recursion, but without encapsulation [BW90]. Note that contracts are to be thought of as exclusively reactive processes, however: they respond to externally generated events, but do not autonomously generate them. This leads naturally to contracts classifying event traces, making CSP [BHR84,Hoa85] and its trace-theoretic semantics a natural conceptual framework for our view-independent approach to contract specification.
This is in contrast to CCS-like process calculi [Hen88,Mil89,Mil99], which take a rather operational process-as-machine view; they treat communication as dual pairs of send and receive messages and allow observation of branching decisions in processes. Note that C_P, as presented here, contains no synchronization between concurrently executing subcontracts. A previous version of C_P contained the contract conjunction operator c & c', whose denotational semantics is C [c & c'] D;δ = C [c] D;δ ∩ C [c'] D;δ. This is the parallel composition operator of CSP with synchronization at each step. A trace satisfies c & c' if it satisfies both c and c'. This makes it possible to specify a contract by providing a basic specification, c (sales order), and refining it by conjoining it with an additional policy, c' (no alcohol must be sold to minors), that a correct contract execution must satisfy. Our language can be extended to include contract conjunction. We have not included it here to keep the theoretical treatment of C_P simple. Furthermore, it is our impression that the above asymmetry of c specifying the fundamental protocol for contract execution and c' filtering illegal executions may be better captured by formulating policies logically, e.g., in Linear-Time Logic (LTL), possibly enforced by run-time verification [KPA03]. There are numerous timed variants of process algebras and temporal logics; see e.g. Baeten and Middelburg [BM02] for timed process algebras. It should be noted that our contract language is fundamentally deterministic to avoid misunderstanding between contract partners: by design, nondeterministic implicit control decisions as in CCS-based process calculi are avoided.

[8] This is a highly simplified description of key parts of REA.

Indeed the eager matching semantics presented can be considered a process language with implicit control decisions (a process may evolve nondeterministically and autonomously). Since this is considered undesirable in our context (though realistic, as it reflects the matching ambiguities common in bookkeeping), its events (actions in process terminology) are beefed up with control ("routing") information to control process/contract evolution deterministically. Note that, in contrast to conventional process calculi, we have included both sequential composition and parametrized recursion to support a separation of data (the base language) and control (the contract language). Also, our base language is not fixed, but a parameter of the contract language so as to accommodate expressing temporal (and other) constraints modularly and naturally. Indeed, the basic structure of events can be entirely encapsulated in the base language, making the technical development of the contract language (the "control part") independent of REA or other data models for that matter. Timed process calculi tend to build on rudimentary models of time. These appear to be insufficient for expressing contract constraints naturally, but may turn out to be viable as core languages. Clearly, studying timing more closely as well as other connections to process calculi constitutes requisite future work. Finally, most of the extant process algebras apparently do not consider the approach of contract monitoring by residuation. In this paper, the need for considering (prefixes of) event traces leads to the problem of allowing only contracts that ensure that the arrival of any event leads to a well-defined residual contract. Calculi such as CCS do not have a notion of event traces, and do not encounter the problem, since the (structural) operational semantics turns out to be sound and complete for the set of structural equivalences defining a program in CCS.
The main difference seems to be the liberal recursion operator employed in our language, which admits mutual recursion, unlike CCS where the constructs of equal strength only admit transitions that are syntactically guarded in the sense that if an operator has a transition to a new term, the root of that term contains an operator of lower strength (e.g. the replication operator is guarded by the parallel operator in CCS).

7.4 Work flow and business process languages

In [SMTA95] an event algebra is developed which is used to monitor a discrete event system. The terms of the algebra contain the equivalent of Success, Failure, ∥, +, ; while the atomic contract transmit(·). is replaced by an enumerated set of unique atomic constructs with no free variables. Iteration is stated to be done by instantiating terms such that atomic terms are relabeled to ensure uniqueness of all atomic terms. A trace semantics is given for terms as well as residuation equations. The equations allow monitoring of terms by a syntactic method like in C_P. Guardedness (in the sense of C_P) is guaranteed by excluding recursion from the language. It is not entirely clear how iteration is included in the language, as no formal description of it is given. The residuation equations given essentially implement the eager semantics of C_P.

Another branch of research has focused on the specification and modelling of business processes. In this vein, the Business Process Modelling Language (BPML) is an XML-inspired specification language defined by a consortium of agents from industry and reported in several white papers and technical reports [Ark02,vdADtHW02]. A program in the language is, essentially, an XML schema containing process specifications, including temporal and conditional statements, as well as a restricted iteration construct ("repeat"). The scope of entities that can reasonably be modelled by BPML is conceptually larger than the one considered in this paper, since arbitrary (internal or external) processes and commitments can be modelled, hence also contractual obligations.
However, while the language operates with an execution model loosely based on π-calculus [MPW89], a proper (and formal) semantics for process execution, performance and monitoring is lacking. The semantics of the framework is currently described only in terms of natural language, and any kind of safe automated or formal analysis of execution of processes specified in the language thus cannot be performed at present.

8 Acknowledgments

This work has been partially funded by the NEXT Project, which is a collaboration between Microsoft Business Solutions, The IT University of Copenhagen (ITU) and the Department of Computer Science at the University of Copenhagen (DIKU). See http://www.itu.dk/next for more information on NEXT. We would like to thank Simon Peyton Jones and Jean-Marc Eber for valuable discussions on modeling financial contracts. Kasper Østerby, Jesper Kihn and the members of the NEXT Working Group have provided helpful comments and feedback on extending the work of Peyton Jones and Eber to commercial contracts based on the REA accounting model. Indeed, Kasper has worked out similar ideas on representing contracts as ours, but in an object-oriented setting.

A Full Proofs

Proof (Theorem 1). Let D = {f i [X i ] = c i } m i=1 and δ be given. We prove, where γ = D [D] δ,

C [c] γ;δ δ = {s : δ δ D s : c}.

(⊇): Define δ = δ D s : c iff s ∈ C [c] γ;δ δ. We prove by induction on the derivation of δ δ D s : c that δ = δ D s : c.

Case δ δ D : Success. We need to show that δ = δ D : Success. This follows immediately from C [Success] γ;δ δ = { }.

Case f(a), with premises X v δ D s : c, (f(X) = c) D and v = Q[a] δ δ, and conclusion δ δ D s : f(a). Assume X v = δ D s : c (induction hypothesis) with v = Q[a] δ δ and (f(X) = c) D. We need to show that δ = δ D s : f(a). By definition we have

C [f(a)] γ;δ δ = γ(f)(Q[a] δ δ ) (by def. of v) = γ(f)(v) (by def. of γ) = C [c] γ;δ X v

and thus, since X v = δ D s : c by induction hypothesis, we can conclude that δ = δ D s : f(a).

Case transmit, with premises δ δ = P and δ δ D s : c (δ = δ {X v}), and conclusion δ δ D transmit(v) s : transmit(X P ). c. Assume δ δ = P and δ = δ D s : c where δ = δ {X v}. We need to show that δ = δ D transmit(v) s : transmit(X P ). c. Since δ δ = P and δ = δ D s : c, it follows immediately from the definition of C [transmit(X P ). c] γ;δ δ that δ = δ D transmit(v) s : transmit(X P ). c.

Case parallel composition, with premises δ δ D s 1 : c 1, δ δ D s 2 : c 2 and (s 1, s 2) s, and conclusion δ δ D s : c 1 ∥ c 2. Assume δ = δ D s 1 : c 1, δ = δ D s 2 : c 2 and (s 1, s 2) s. We need to show that δ = δ D s : c 1 ∥ c 2. From the assumptions and the definition of C [c 1 ∥ c 2 ] γ;δ δ it follows immediately that δ = δ D s : c 1 ∥ c 2.

Case sequential composition, with premises δ δ D s 1 : c 1 and δ δ D s 2 : c 2, and conclusion δ δ D s 1 s 2 : c 1 ; c 2. Immediate from the definition of C [c 1 ; c 2 ] γ;δ δ.

Case choice (left), with premise δ δ D s : c 1 and conclusion δ δ D s : c 1 + c 2. Immediate from the definition of C [c 1 + c 2 ] γ;δ δ.

Case choice (right), with premise δ δ D s : c 2 and conclusion δ δ D s : c 1 + c 2. Immediate from the definition of C [c 1 + c 2 ] γ;δ δ.

(⊆): We prove C [c] γ;δ δ ⊆ {s δ δ D s : c}. Define γ (f i ) = λv.{s X i v δ D s : c i } for 1 ≤ i ≤ m. (Recall that δ is fixed.) Claim: C [c] γ ;δ δ = {s δ δ D s : c} for all δ. Proof of claim: The proof is by structural induction on c.

Consider f(a) for some (f(x) = c) D. Let v = Q[a] δ δ. We need to show that C [f(a)] γ ;δ δ = {s δ δ D s : f(a)}. We have: C [f(a)] γ ;δ δ = γ (f)(Q[a] δ δ ) = γ (f)(v) = {s X v δ D s : c} = {s δ δ D s : f(a)}, which concludes this case.

Consider transmit(x P ). c. We may assume C [c] γ ;δ δ = {s δ δ D s : c} for all δ. We need to show that C [transmit(x P ). c] γ ;δ δ = {s δ δ D s : transmit(x P ). c}. We have: C [transmit(x P ). c] γ ;δ δ = {transmit(v) s Q[P ] δ δ X v = true s C [c] γ ;δ δ X v } = {transmit(v) s δ δ X v = P δ δ δ D s : c} = {s δ δ D s : transmit(x P ). c}, which concludes this case. The remaining cases are straightforward.

From C [c] γ ;δ δ = {s δ δ D s : c} for all δ it follows immediately that γ (f) = λv.C [c] γ ;δ X v for all (f(x) = c) D. Since γ = D [D] δ is the least function with this property, it follows that γ γ and thus C [c] γ;δ δ C [c] γ ;δ δ = {s δ δ D s : c}, and we are done.

Proof (Lemma 2). The proof proceeds by structural induction on c assuming (A) for our base language: Q[ b[v/x] : ] δ = Q[ b : ] δ {X v}. We use Figure 7 and abbreviate D [D] δ by γ where appropriate.

c Success. To show: C [Success] γ;δ X v = C [Success[v/X]] γ;δ. We have C [Success] γ;δ X v = { } = C [Success[v/X]] γ;δ.

c Failure. This case proceeds exactly as the previous except that both sides denote .

c f(b). To show: C [f(b)[v/x]] γ;δ = C [f(b)] γ;δ X v. We have: C [f(b)[v/x]] γ;δ = C [f(b[v/x])] γ;δ = γ(f)(Q[b[v/x]] δ) = γ(f)(Q[b] δ X v ) (by (A)) = C [f(b)] γ;δ X v.

c transmit(x P ). c . To show: C [transmit(x P ). c [v/x]] γ;δ = C [transmit(x P ). c ] γ;δ X v. We allow α-conversion and may thus assume that X is chosen such that X X = . We have: C [transmit(x P ). c [v/x]] γ;δ = C [transmit(x P [v/x]). c [v/x]] γ;δ = {transmit(v ) s Q[P [v/x]] δ X v = true s C [c [v/x]] γ;δ X v } = {transmit(v) s Q[P ] δ X v X v = true s C [c ] γ;δ X v X v } = {transmit(v) s Q[P ] δ X v X v = true s C [c ] γ;δ X v X v } = C [transmit(x P ). c ] γ;δ X v.

c c 1 + c 2. To show: C [c 1 + c 2 [v/x]] γ;δ = C [c 1 + c 2 ] γ;δ X v. We have: C [c 1 + c 2 [v/x]] γ;δ = C [c 1 [v/x] + c 2 [v/x]] γ;δ = C [c 1 [v/x]] γ;δ C [c 2 [v/x]] γ;δ = C [c 1 ] γ;δ X v C [c 2 ] γ;δ X v = C [c 1 + c 2 ] γ;δ X v.

c c 1 c 2. Similar to the + case.

c c 1 ; c 2. Similar to the + case.

Proof (Lemma 1). We verify that each equation in Figure 8 holds. Note that γ = D [D] δ in the following.

C [\Failure] γ;δ = C [Failure] γ;δ. By definition of the residuation operator we have C [\Failure] γ;δ = \ = = C [Failure] γ;δ.

C [\Success] γ;δ = C [Failure] γ;δ. By definition of the residuation operator we have C [\Success] γ;δ = \{ } = = C [Failure] γ;δ.

C [\f(a)] γ;δ = C [\c[v/x]] γ;δ. This follows from C [f(a)] γ;δ = C [c] γ;δ X v = C [c[v/x]] γ;δ. We assume (f(x) = c) D and v = Q[a] δ. We have C [f(a)] γ;δ = C [c] γ;δ X v by definition of γ and the assumption for v. By Lemma 2 this can be rewritten to C [c[v/x]] γ;δ, and we are done.

C [transmit(v)\(transmit(x P ). c )] γ;δ. There are two cases to consider:

δ {X v} = P. To show: C [transmit(v)\(transmit(x P ). c )] γ;δ = C [c [v/x]] γ;δ. Again we unfold the left-hand side of the equation and the goal is then: {s s C [transmit(x P ). c ] γ;δ : transmit(v)s = s} = C [c [v/x]] γ;δ. From the denotational semantics we see that C [transmit(x P ). c ] γ;δ = {transmit(v) s s C [c ] γ;δ X v }. What we need to show is then that C [c ] γ;δ X v = C [c [v/x]] γ;δ, which follows immediately from Lemma 2.

δ {X a} =P. To show: C [transmit(a)\(transmit(x P ). c )] γ;δ = C [Failure] γ;δ. We unfold the left-hand side of the equation using the denotational semantics and the goal is now to show: {s s C [transmit(x P ). c ] γ;δ : transmit(v)s = s} = . Since δ {X a} =P we know that C [transmit(x P ). c ] γ;δ = , and we are done.

C [\(c 1 + c 2 )] γ;δ = C [\c 1 + \c 2 ] γ;δ. Unfolding the left-hand side gives {s s C [c 1 + c 2 ] γ;δ : s = s}. The denotation of a choice contract is given by C [c 1 + c 2 ] γ;δ = C [c 1 ] γ;δ C [c 2 ] γ;δ. Any s will thus be a trace of c 1 or a trace of c 2 with a prefix of removed.
The denotation of the right-hand side is C [\c 1 ] γ;δ C [\c 2 ] γ;δ, which unfolds to {s 1 s C [c 1 ] γ;δ : s 1 = s} {s 2 s C [c 2 ] γ;δ : s 2 = s}. Thus any s 1 or s 2 is a trace of c 1 or c 2 with the prefix removed. We can now conclude that in any case s = s i for 0 < i 2, as required.

C [\(c 1 c 2 )] γ;δ = C [\c 1 c 2 + c 1 \c 2 ] γ;δ. Rewriting the left-hand side of the equation by definition of the residuation operator we arrive at the following equation: {s s C [c 1 c 2 ] γ;δ : s = s} = C [\c 1 c 2 + c 1 \c 2 ] γ;δ. Using the definition of the denotational semantics to rewrite the right-hand side we arrive at: {s s C [c 1 c 2 ] γ;δ : s = s} = C [\c 1 c 2 ] γ;δ C [c 1 \c 2 ] γ;δ. From the denotational semantics, we note that the trace set of a parallel contract is an interleaving of the events from both subcontracts: {s s {s s 1 C [c 1 ] γ;δ, s 2 C [c 2 ] γ;δ : (s 1, s 2 ) s } : s = s} = ... If is a prefix of s 1 we have the trace set C [\c 1 c 2 ] γ;δ, and if is a prefix of s 2 we have the trace set C [c 1 \c 2 ] γ;δ. Combining these two sets we conclude what was required.

C [\(c 1 ; c 2 )] γ;δ = (\c 1 ; c 2 ) + \c 2 if D, δ = Success c 1, and \c 1 ; c 2 otherwise. We unfold the left-hand side and the goal becomes:

D, δ = Success c 1. {s s {s 1 s 2 s 1 C [c 1 ] γ;δ, s 2 C [c 2 ] γ;δ } : s = s} = C [\c 1 ; c 2 + \c 2 ] γ;δ. Unfold the right-hand side: {s s {s 1 s 2 s 1 C [c 1 ] γ;δ, s 2 C [c 2 ] γ;δ } : s = s} = {s 1s 2 s 1 C [\c 1 ] γ;δ, s 2 C [c 2 ] γ;δ } C [\c 2 ] γ;δ. In case s 1 = , we get that s = C [c 2 ] γ;δ and C [\c 1 ] γ;δ = . Thus we need to show that: {s s C [c 2 ] γ;δ : s = s} = C [\c 2 ] γ;δ, which is immediate from the definition of residuation. If s 1 there is some s 1 in which occurs as the first event. Thus s = s 1s 2, which means s = s 1s 2, as required. The added C [\c 2 ] γ;δ are accounted for by the previous case.

D, δ = Success c 1. We unfold the left-hand side and the goal becomes: {s s {s 1 s 2 s 1 C [c 1 ] γ;δ, s 2 C [c 2 ] γ;δ } : s = s} = C [\c 1 ; c 2 ] γ;δ. Unfold the right-hand side: {s s {s 1 s 2 s 1 C [c 1 ] γ;δ, s 2 C [c 2 ] γ;δ } : s = s} = {s 1s 2 s 1 C [\c 1 ] γ;δ, s 2 C [c 2 ] γ;δ }. Since / C [c 1 ] γ;δ, we know that s 1 , from which we immediately see that s 2 = s 2; thus we just need to show that {s s {s 1 s 1 C [c 1 ] γ;δ } : s = s} = {s 1 s 1 C [\c 1 ] γ;δ }. That is, {s s C [c 1 ] γ;δ : s = s} = C [\c 1 ] γ;δ.
This is exactly the definition of the residuation operator.

Proof (Proposition 1). We show D, δ, δ, c : δ δ D : c D c nullable. From this the proposition follows by Theorem 1.

= : To show D, δ, δ, c : δ δ D : c = D c nullable we proceed by induction on derivations of δ δ D s : c.

δ δ D : Success. We need to show that D Success nullable. This follows immediately from the nullability axiom for Success.

X v δ D s : c (f(x) = c) D, v = Q[a]δ δ δ δ D s : f(a). Assume D c nullable (induction hypothesis). We need to show that D f(a) nullable, which follows from the nullability inference rule for f(a).

δ δ = P δ δ D s : c (δ = δ {X v}) δ δ D transmit(v) s : transmit(x P ). c. We need to show D transmit(x P ). c nullable if transmit(v) s = . This implication is vacuously true since the assumption transmit(v) s = is false.

δ δ D s 1 : c 1 δ δ D s 2 : c 2 (s 1, s 2 ) s δ δ D s : c 1 c 2. Assume (, ) s; that is, s = . Assume furthermore D c 1 nullable and D c 2 nullable. We need to show that D c 1 c 2 nullable, which follows from the nullability inference rule for c 1 c 2.

δ δ D s 1 : c 1 δ δ D s 2 : c 2 δ δ D s 1s 2 : c 1 ; c 2. Immediate from the nullability inference rule for c 1 ; c 2.

δ δ D s : c 1 δ δ D s : c 1 + c 2. Immediate from the first nullability inference rule for c 1 + c 2.

δ δ D s : c 2 δ δ D s : c 1 + c 2. Immediate from the second nullability inference rule for c 1 + c 2.

= : To show D, c : D c nullable = δ, δ.δ δ D : c we proceed by induction on derivations of D c nullable.

D c nullable (f(x) = c) D D f(a) nullable. Assume δ, δ.δ δ D : c (induction hypothesis). We need to show δ, δ.δ δ D : f(a). Let δ, δ be arbitrary environments for D and f(a). From the induction hypothesis it follows that X v δ D : c where v = Q[a] δ δ. And, using the satisfaction inference rule for contract application, we arrive at δ δ D : f(a).

D c nullable D c + c nullable. Immediate.

D c nullable D c + c nullable. Immediate.

D Success nullable. Let δ, δ be arbitrary environments. Using the satisfaction rule for Success we obtain δ δ D : Success.

D c nullable D c nullable D c c nullable. Immediate.

D c nullable D c nullable D c; c nullable. Immediate.

Proof (Lemma 3). This is proved by straightforward structural induction on the definition of contracts.
The only interesting cases are the cases of a contract application f(a), where (f(x) = c) D, and sequential composition.

In the first case, we can use the assumption of the Lemma that D c guarded, which, by rule application, immediately implies that D f(a) guarded. In the second case, we have the induction hypotheses D c 1 guarded and D c 2 guarded. Now, either D c 1 nullable or D c 1 nullable. In either case, we have a rule for concluding that D c 1 ; c 2 guarded.

Proof (Theorem 2). (Sketch)

1. We show D, δ D c c = D, δ = \c = c by induction on derivations of D, δ D c c. Each case follows immediately from Lemma 1. In the case of sequential composition we also require Proposition 1.

2. Note that, by Lemma 3, D c guarded if D is guarded. It is sufficient to show D c guarded = δ c.D, δ D c c. The fact that c is guarded in context D follows from Lemma 3, and it is a routine matter to extend the proof cases with a check of uniqueness of c. We cannot prove D c guarded = δ c.D, δ D c c by induction on the definition of guarded contracts, however, since the induction hypothesis is not strong enough in the case of contract application: we would require that c[v/x] has a residual contract for arbitrary δ, , but the induction hypothesis only yields that that holds for c. Consequently, we strengthen the lemma and prove D c guarded = δ, , X, v c.D, δ D c[v/x] c. All cases are straightforward except the second rule for sequential composition: to make the induction proof go through we require D c[/x] nullable in the last deterministic reduction rule, but the case only carries the assumption D c nullable. Consequently, if we can show that D c[/x] nullable = D c nullable, we are done. Claim: D c[/x] nullable = D c nullable. Proof of claim: By structural induction on c. All cases are straightforward except the rule for contract application. In that case we need to show D f(a[v/x]) nullable = D f(a) nullable. Assume D f(a[v/x]) nullable. By inspection of the rules for nullability we can see that this must have been concluded from D c nullable where (f(y) = c) D. By the same rule we can infer, however, D f(a) nullable, and we are done.

Proof (Theorem 3). We prove the two statements

1. If D, δ N c c then D, δ = c \c

2. If D, δ N c c then D, δ = c c

by induction on the height of the derivation of D, δ N c c and D, δ N c c, respectively. We use the definitions in Figures 7, 8 and 12. "Assume ..." is used as short-hand for "Assume a derivation with the conclusion ...". Finally, γ abbreviates D [D] δ in the following.

Proving 1:

Assume D, δ N Success Failure. To show C [Failure] γ;δ C [\Success] γ;δ = C [Failure] γ;δ. Done.

Assume D, δ N Failure Failure. To show C [Failure] γ;δ C [\Failure] γ;δ = C [Failure] γ;δ. Done.

Assume D, δ N transmit(x P ). c transmit(v) c[v/x] and also δ X v = P where v = Q[a] δ. To show C [c[v/x]] γ;δ C [(transmit(v)\transmit(x P ). c)] γ;δ = C [c[v/x]] γ;δ. Done.

Assume D, δ N transmit(x P ). c transmit(v) Failure and also δ X v =P where v = Q[a] δ. To show C [Failure] γ;δ C [(transmit(v)\transmit(x P ). c)] γ;δ = C [Failure] γ;δ. Done.

Assume D, δ N c c d c and D, δ N c d. To show C [d c ] γ;δ C [\(c c )] γ;δ = C [\c c + c \c ] γ;δ = C [\c c ] γ;δ C [c \c ] γ;δ. By the IH, C [d] γ;δ C [\c] γ;δ, so in particular C [d c ] γ;δ C [\c c ] γ;δ, which is sufficient.

Assume D, δ N c c c d and D, δ N c d. Analogous to the above case.

Assume D, δ N c; c d; c and also D, δ N c d. To show C [d; c ] γ;δ C [\(c; c )] γ;δ. If D, δ = Success c then C [\(c; c )] γ;δ = C [(\c; c ) + \c ] γ;δ = C [\c; c ] γ;δ C [\c ] γ;δ. By the IH, C [d] γ;δ C [\c] γ;δ, so in particular C [d; c ] γ;δ C [\c; c ] γ;δ, which is sufficient.

Assume D, δ N c c and D, δ N c c. By the IH, we have C [c ] γ;δ C [c] γ;δ and C [c ] γ;δ C [\c ] γ;δ. We need to show C [c ] γ;δ C [\c] γ;δ. But this follows from the IH and monotonicity of residuation: C [c ] γ;δ C [\c ] γ;δ C [\c] γ;δ.

Proving 2:

Assume D, δ N f(a) c[v/X] where (f(x) = c) D and v = Q[a] δ. To show C [c[v/x]] γ;δ C [f(a)] γ;δ = γ(f)(v), which holds by definition of γ and Lemma 2.

Assume D, δ N c + c c. To show C [c] γ;δ C [c + c ] γ;δ = C [c] γ;δ C [c ] γ;δ. Done.

Assume D, δ N c + c c. Analogous to the above case.

Assume D, δ N c c d c and D, δ N c d. To show C [d c ] γ;δ C [c c ] γ;δ, which follows easily by the IH.

Assume D, δ N c c c d and D, δ N c d. To show C [c d ] γ;δ C [c c ] γ;δ, which follows easily by the IH.

Assume D, δ N Success c c. To show C [c] γ;δ C [Success c] γ;δ, which holds trivially.

Assume D, δ N c Success c. To show C [c] γ;δ C [c Success] γ;δ, which holds trivially.

Assume D, δ N Success; c c. To show C [c ] γ;δ C [Success; c ] γ;δ, which holds trivially.

Assume D, δ N c; c d; c and D, δ N c d. To show C [d; c ] γ;δ C [c; c ] γ;δ, which follows easily by the IH.

Proof (Theorem 4). The proof is by induction on the derivation of D, δ D c c.

D, δ D Success Failure. Clearly no -transitions can be taken in the non-deterministic reduction system. However, there is just one contract c 1 such that D, δ N Success c 1, which is Failure. We must then show: D, δ = Failure Failure. By definition D, δ = Failure = , so we must show , which is trivially true.

D, δ D Failure Failure. Again no -transitions are possible. There is just one contract c 1 such that D, δ N Failure c 1, namely Failure. We must show D, δ = Failure Failure, which is true since .

D, δ D transmit(x P ). c transmit(v) c[v/x] where δ X v = P and v = Q[a] δ. In this case we can only do the reduction D, δ N transmit(x P ). c transmit(v) c[v/x]. Now we must show D, δ = c[v/x] c[v/x], which is obviously true.

D, δ D transmit(x P ). c transmit(v) Failure and δ X v =P where v = Q[a] δ. No -transitions are possible and only one contract c 1 exists such that D, δ D transmit(x P ). c transmit(v) c 1, so c 1 = Failure. This means we must show D, δ = c[v/x] c[v/x], which clearly holds.

D, δ D f(a) c. This implies that (f(x) = c) D and D, δ D c[v/x] c with v = Q[a] δ. By a derivation of D, δ D c[v/x] c we use the IH to get contracts c 1, ..., c n such that D, δ N c[v/x] c i c i and D, δ = c n i=1 c i. However, we need to show D, δ N f(a) c i c i and c n i=1 c i, the latter of which follows directly from the IH. By the non-deterministic reduction rules, f(a) has just one reduction D, δ N f(a) c[v/x]. Thus we can extend all reductions of D, δ N c[v/x] c i c i with one more -transition, giving reductions D, δ N f(a) c i c i for all 0 < i n.

D, δ D c + c d + d. This implies that D, δ D c d and D, δ D c d. From the non-deterministic reduction rules we see that c + c may be reduced by a -transition into either c or c. By the IH we then have contracts d 0, ..., d n and d 0, ..., d m such that D, δ N c d i d i for 0 < i n, D, δ = d n i=1 d i and D, δ N c d j d j for 0 < j m, D, δ = d m j=1 d j. Thus we can extend the non-deterministic reductions of c and c to get reductions of c + c into contracts c 0, ..., c n+m. That is: there are contracts c i such that D, δ N c + c c i c i with 0 < i m + n. As seen from the IH we know that D, δ = d n i=1 d i and D, δ = d m j=1 d j. Taking the union of these we get D, δ = d d n i=1 d i + m j=1 d j. By definition this is D, δ = d + d m+n i=1 d i (given proper enumeration of contracts in d i and d j ), which is the desired goal.

D, δ D c c d c + c d. By a derivation D, δ D c d we use the IH to get contracts d i such that c c i d i and D, δ = d n i=1 d i. Then use the left -introduction rule to get contracts d i c such that c c c i c d i c and D, δ = d c n i=1 d i c. By a derivation D, δ D c d we now again use the IH to get contracts d i such that c c i d i and D, δ = d m i=1 d i. Then use the right -introduction rule to get contracts c d i such that c c c c i c d i and D, δ = c d m i=1 c d i. Taking all contracts d i c and c d i we need to show D, δ = d c + c d n i=1 d i c + m i=1 c d i, which follows directly by the above.

D, δ D c; c d; c + d and D c nullable. There are two possible reductions of c; c under the non-deterministic reduction rules. Either D, δ N c Success and so D, δ N Success; c c , or D, δ N c c p d p where c p Success and then D, δ N c; c c f d p. In the former case, by a derivation of D, δ D c d we get by the IH that there exist contracts d i such that c c d i and D, δ = d n i=1 d i, taking c p = c and d p = d. In the latter case there is no sequence of -transitions that makes c = Success, so all contracts d q such that c; c c q d q must have the form d i ; c . By a derivation D, δ D c d the IH gives that there are contracts d i such that c c d i and D, δ = d m i=1 d i.

This implies D, δ N c; c c d i ; c for 0 < i m and furthermore that D, δ = d; c m i=1 d i ; c. We have thus shown that there are contracts c i such that D, δ N c; c c c i and that c i is either d i or d i ; c. We still need to show that D, δ = d; c + d k i=1 c i ; that is: D, δ = d; c + d m i=1 d i ; c + n i=1 d i. This follows directly by the already noted fact that by the IH D, δ = d; c m i=1 d i ; c and D, δ = d n i=1 d i.

D, δ D c; c d; c and D c nullable. To show: D, δ N c; c c i c i and D, δ = d; c n i=1 c i. By a derivation D, δ D c d the IH yields contracts d 0, ..., d n for 0 < i n such that D, δ N c c i d i and D, δ = d n i=1 d i. Since D c nullable, c Success, so no number of -reductions can make c; c = c. The form of all c i must then be d i ; c. The goal is then to show D, δ = d; c d i ; c, which follows by D, δ = d n i=1 d i.

Proof (Proposition 2). By induction on the derivation of D, δ C c c.

(f(x) = c) D, v = Q[a] δ D, δ C f(a) c[v/x]. Here, we have C [f(a)] D [D ]δ ;δ = D [D] δ (f)(Q[a] δ ) = C [c[a/x]] D [D ]δ ;δ, as desired.

D, δ C c d D, δ C c + c d + c. In this case, C [d + c ] D [D ]δ ;δ = C [d] D [D ]δ;δ C [c ] D [D ]δ;δ = C [c] D [D ]δ ;δ C [c ] D [D ]δ ;δ, where the last equality follows from the IH. But C [c] D [D ]δ ;δ C [c ] D [D ]δ ;δ = C [c + c ] D [D ]δ ;δ, concluding the proof of the case.

D, δ C c d D, δ C c + c c + d. As the previous case.

D, δ C c d D, δ C c c d c. We have that C [d c ] D [D ]δ ;δ equals {s : s Tr s 1 C [d] D [D ]δ;δ s 2 C [c ] D [D ]δ;δ . (s 1, s 2 ) s}. By the IH, we gather that {t C [d] D [D ]δ } equals {s C [c] D [D ]δ }, whence {s : s Tr s 1 C [d] D [D ]δ ;δ s 2 C [c ] D [D ]δ ;δ . (s 1, s 2 ) s} equals {s : s Tr s 1 C [c] D [D ]δ;δ s 2 C [c ] D [D ]δ;δ . (s 1, s 2 ) s}, as desired.

D, δ C c d D, δ C c c c d. As the previous case.

D, δ C Success c c. We have C [Success] D [D ]δ ;δ = { }, and thus obtain {s : s Tr s 1 C [Success] D [D ]δ ;δ s 2 C [c ] D [D ]δ ;δ . (s 1, s 2 ) s} = {s : s C [c ] D [D ]δ ;δ } = C [c ] D [D ]δ ;δ, as desired.

D, δ C c Success c. As the previous case.

D, δ C c d D, δ C c; c d; c. We have C [c; c ] D [D ]δ ;δ = {ss : s Tr, s Tr s C [c] D [D ]δ;δ s C [c ] D [D ]δ ;δ }. But by the IH, we gather that C [c] D [D ]δ ;δ = C [d] D [D ]δ ;δ, whence {ss : s Tr, s Tr s C [c] D [D ]δ ;δ s C [c ] D [D ]δ ;δ } = {ss : s Tr, s Tr s C [d] D [D ]δ ;δ s C [c ] D [D ]δ ;δ }.

D, δ C Success; c c. As the previous case, noting that C [Success] D [D ]δ ;δ = { }.

D, δ C c c δ C letrec D in c letrec D in c. Here, C [letrec D in c] δ = C [c] D [D ]δ ;δ for some D. By the IH, we have C [c] D [D ]δ ;δ = C [c ] D [D ]δ ;δ and hence C [letrec D in c] δ = C [letrec D in c ] δ, as desired.

Proof (Proposition 3). If: To show: For all D, δ, c, c : D, δ c = Success if D, δ C c Success. A trivial induction on the length of the -reduction sequences using Proposition 2 furnishes C [c] D [D ]δ;δ = C [Success] D [D ]δ;δ, and the result follows. Only if: To show: For all D, δ, c, c : D, δ c = Success only if D, δ C c Success. Note that D, δ c = Success implies D = c nullable and, by Proposition 1, D c nullable.

Consequently, the result follows if we can prove D c nullable = (D, δ c = Success = D, δ C c Success). Claim: The set of derivations of D c nullable is finite. Proof of claim: Observe that all contracts c that can occur in a derivation of D c nullable must occur in either D or c. Furthermore, no contract can occur twice on any path in a derivation tree. Thus the depth of any derivation tree of D c nullable is bounded by the sum of the sizes of D and c. Since, furthermore, the outdegree of derivation trees is bounded by 2, we can conclude that the set of derivation trees for D c nullable is finite. Let us define the maximal derivation depth of a derivable judgment D c nullable to be the maximal depth of any of the derivations of D c nullable. By the claim above this is well-defined. We shall now prove by Noetherian (well-founded) induction on the maximal derivation depth of D c nullable that D, δ c = Success implies D, δ C c Success. We do this by cases on the syntax of c.

Success. In this case, we have D, δ C Success 0 Success and we are done.

c 1 + c 2. Let D c 1 + c 2 nullable with maximal derivation depth n. Assume D, δ c 1 + c 2 = Success. It follows that both D, δ c 1 = Success and D, δ c 2 = Success, and thus D = c 1 nullable and D = c 2 nullable. By Proposition 1 we thus have that D c 1 nullable and D c 2 nullable. Since both D c 1 nullable and D c 2 nullable yield a derivation of D c 1 + c 2 nullable, it follows that the maximal derivation depths of D c 1 nullable and D c 2 nullable are less than n. Consequently we can apply the induction hypotheses to them and obtain that D, δ C c 1 Success and D, δ C c 2 Success. By induction on the combined length of the two reductions, it can now be shown that D, δ C c 1 + c 2 Success + Success. Now, we can apply Rule D, δ C Success + Success Success and we are done.

c 1 c 2. Let D c 1 c 2 nullable with maximal derivation depth n. Assume D, δ c 1 c 2 = Success. It follows that both D, δ c 1 = Success and D, δ c 2 = Success. D c 1 c 2 nullable can only be derived from D c 1 nullable and D c 2 nullable, each of which consequently has maximal derivation depth less than n.
We can thus apply the induction hypothesis to D c 1 nullable and D c 2 nullable, which yields that D, δ C c 1 Success and D, δ C c 2 Success. By induction on the combined length of the two reductions it can now be shown that D, δ C c 1 c 2 Success Success. Using one of the two rules for eliminating a parallel Success, we thus arrive at D, δ C c 1 c 2 Success and we are done.

c 1 ; c 2. Similar to above.

f(a). Let D f(a) nullable with maximal derivation depth n where (f(x) = c) D. Assume D, δ f(a) = Success. It follows that D, δ c[v/x] = Success where v = Q[a] δ. Since D f(a) nullable can only be derived from D c nullable it follows that the maximal derivation depth of D c nullable is less than n. Furthermore, it can be shown that for each derivation of D c nullable there is a derivation of D c[v/x] nullable of equal depth. Consequently the maximal derivation depth of D c[v/x] nullable is also less than n, and we can apply the induction hypothesis to obtain that D, δ C c[v/x] Success. Prefixing this reduction sequence with Rule D, δ C f(a) c[v/x] we arrive at D, δ C f(a) Success and we are done.

Other cases. In all other cases D c nullable is not derivable.

Proof (Lemma 4). We show the lemma by proving the stronger result that -reduction is normalizing and confluent. First we show that all guarded contracts are -normalizing, i.e., there exists a (-normal form) c s.t. D, δ C c c and for no c D, δ C c c. Proof by induction on the (minimal) height of the derivation of guardedness of c. Use Figure 10.

Assume D Success guarded. Clearly, there is no rule such that Success reduces via , so we must already have a -normal form.

Assume D Failure guarded. Analogous to the case above.

Assume D transmit(x P ). c guarded. Analogous to the cases above.

Assume D c guarded (f(x) = c) D D f(a) guarded. Since (f(x) = c) D we can build a derivation of D, δ C f(a) c[v/x] where v = Q[a] δ. It is left to show that c[v/x] is -normalizing. Claim: For any derivation of D c guarded there is a derivation of D c[/x] guarded of equal height. Proof of claim: By induction on guardedness. By the above claim it follows that the height of the derivation of D c[/x] guarded is the same as the height of D c guarded, which is less than the height of D f(a) guarded. Applying the induction hypothesis to D c[/x] guarded we get that c[/x] is -normalizing and, since D, δ C f(a) c[/x], also that f(a) is -normalizing.

Assume D c guarded D c guarded D c + c guarded. There are three cases to consider.
1. Suppose D, δ C c d D, δ C c + c d + c. By the IH we are done.
2. Suppose D, δ C c d D, δ C c + c c + d. Again by the IH we are done.
3. Suppose D, δ C Success + Success Success. But Success is already a normal form, so we are done.

Assume D c guarded D c guarded D c c guarded. There are four cases to consider.
1. Suppose D, δ C c d D, δ C c c d c. By the IH on the two premisses of the derivation of guardedness of c c, we obtain what was required.
2. Suppose D, δ C c d D, δ C c c c d. Analogous to the case just shown.
3. Suppose D, δ C Success c c. By assumption D c guarded, and by the IH we are done.
4. Suppose D, δ C c Success c. By assumption, we have D c guarded, and by the IH we are done.

Assume D c guarded D c guarded D c; c guarded. There are two cases to consider.
1. Suppose D, δ C c d D, δ C c; c d; c. Easy, by the IH.
2. Suppose D, δ C Success; c c. Immediate by the IH.

Second, we prove confluence by showing that the diamond property holds for -reduction, i.e. if D, δ C c c and D, δ C c c, then there exists a d with D, δ C c = d and D, δ C c = d. The proof is by induction on the derivation of D, δ C c c.

(f(x) = c) D, v = Q[a] δ D, δ C f(a) c[v/x]. No other rules match any subterm of f(a), and we must hence have c = c, whence the result follows.

D, δ C c 1 d 1 D, δ C c 1 + c 2 d 1 + c 2. If the -rewrite step D, δ C c c takes place inside c, we have c = c 1 + c 2, and the IH furnishes a d 1 such that D, δ C c 1 = d 1 and D, δ C d 1 = d 1. We hence have D, δ C c = d 1 + c 2 and D, δ C c = d 1 + c 2, as desired.

D, δ C c 2 d 2 D, δ C c 1 + c 2 c 1 + d 2. As the previous case.

D, δ C Success + Success Success. In this case, we must have c = c, and the result follows.

D, δ C c d D, δ C c c d c. Exactly as the case D, δ C c 1 d 1 D, δ C c 1 + c 2 d 1 + c 2.

D, δ C c d D, δ C c c c d. As the previous case.

D, δ C Success d d. In this case, D, δ C c c must be an application of either of the rules D, δ C c Success c, or D, δ C d d D, δ C c 1 + d c 1 + d. In the first case, we have c = Success = c, and we are done. In the second case, we have c 1 = Success, and thus D, δ C d d and D, δ C c 1 + d d, as desired.

D, δ C c Success c. Symmetric to the previous case.

D, δ C c 1 d 1 D, δ C c 1 ; c 2 d 1 ; c 2. If the reduction step D, δ C c c takes place inside c 1, then c = d 1 ; c 2, and the IH furnishes the existence of a d 1 such that D, δ C d 1 = d 1 and D, δ C d 1 = d 1. Then d 1 ; c 2 is a common -reduct of c and c, and the desired result follows. Otherwise, D, δ C c c is an application of the rule D, δ C Success; c c, which is impossible, since Success is a -normal form, i.e. it cannot be the case that D, δ C c 1 d 1.

D, δ C Success; c c. Symmetric to the previous case.

Proof (Theorem 5). If: By induction on the height of the derivation of D, δ C c d c. Only if: By induction on the height of the derivation of D, δ N c c.

Proving Only if: (note that we only consider non--derivations)

Assume D, δ N Success Failure. From the reduction semantics of we see that there is just one possible reduction D, δ C Success c, giving c = Failure, so c = Failure.

Assume D, δ N Failure Failure. Analogous.

Assume δ X v = P, v = Q[a] δ D, δ N transmit(x P ). c transmit(v) c[v/x]. Again we see that there is a unique reduction of the transmit(x P ). c-contract and we have δ X v = P, v = Q[a] δ D, δ C transmit(x P ). c transmit(v) c[v/x], by which we conclude c = c[v/x].

Assume δ X v = P, v = Q[a] δ D, δ N transmit(x P ). c transmit(v) Failure. Analogous.

Assume D, δ N c d D, δ N c c d c. By the IH we gather that D, δ C c d d. We can extend d with l and build a unique derivation D, δ C c d d D, δ C c c ld d c.

Assume D, δ N c d D, δ N c c c d. Analogously, by extending d with r.

Assume D, δ N c d D, δ N c; c d; c. By the IH we have a derivation D, δ C c d d. Thus we can construct the unique derivation D, δ C c d d D, δ C c; c d; c.

Proving If:

Assume D, δ C Success Failure. There is no d in this case, and we can immediately build D, δ N Success Failure, also choosing no -transitions for the first part.

Assume D, δ C Failure Failure. Analogous.

Assume δ X v = P, v = Q[a] δ D, δ C transmit(x P ). c transmit(v) c[v/x]. Take no d and choose no -transitions. Then immediate.

Assume δ X v =P, v = Q[a] δ D, δ C transmit(x P ). c transmit(a) Failure. Analogous.

Assume D, δ C c d c c c D, δ C c + d fd c. We must build a derivation of D, δ N c + d c. By the IH: D, δ N c c. So we just need the first part. Clearly, we have D, δ N c + d c. Thus, by choosing c = c and exactly one -transition, we are done.

Assume D, δ C d d d D, δ C c + d sd d. Analogous.

Assume D, δ C c d d D, δ C c c ld d c. By using the IH, taking c = c, and making no -transitions in the first part, we are done.

Assume D, δ C c d d D, δ C c c rd c d. Analogous.

Assume D, δ C c d D, δ C c; c d; c. Analogous.

Assume D, δ C c c δ C letrec D in c letrec D in c. Analogous.

It is obvious that, if d exists in the above case, it is unique. Furthermore, for all c such that D, δ C c d c we have c = c. Again, it is obvious.
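The residuation equations verified in the proof of Lemma 1 and the nullability rules of Proposition 1, as an added worked example in Python (not code from the paper): it implements the finite fragment of the contract language (Success, Failure, transmit, choice, parallel and sequential composition; no letrec or f(a)), enumerates the trace semantics over a small constructed event universe, and checks that the residual of a contract by an event has exactly the traces of the original that begin with that event, and that syntactic nullability agrees with membership of the empty trace. The event universe, the sample contracts and all names are assumptions of this example.

```python
# Added example (not code from the paper): residuation (Lemma 1) and the
# nullability rules (Proposition 1), checked against the trace semantics on
# the finite fragment of the language (no letrec / f(a)); names are ours.
from dataclasses import dataclass
from typing import Callable, FrozenSet, Tuple, Union

Trace = Tuple[str, ...]
EVENTS: Tuple[str, ...] = ("deliver", "pay", "refund")  # constructed universe

class Success: pass
class Failure: pass

@dataclass
class Transmit:
    """transmit(X | P). c: `pred` is P, `cont` maps a received v to c[v/X]."""
    pred: Callable[[str], bool]
    cont: Callable[[str], "Contract"]

@dataclass
class Bin:
    """op is "+" (choice), "|" (parallel, interleaving) or ";" (sequence)."""
    op: str
    left: "Contract"
    right: "Contract"

Contract = Union[Success, Failure, Transmit, Bin]

def interleavings(s1: Trace, s2: Trace) -> FrozenSet[Trace]:
    """All traces s such that (s1, s2) interleave into s."""
    if not s1 or not s2:
        return frozenset({s1 + s2})
    return frozenset({(s1[0],) + t for t in interleavings(s1[1:], s2)}
                     | {(s2[0],) + t for t in interleavings(s1, s2[1:])})

def traces(c: Contract) -> FrozenSet[Trace]:
    """Denotational trace set C[[c]] (Figure 7), enumerated over EVENTS."""
    if isinstance(c, Success):
        return frozenset({()})
    if isinstance(c, Failure):
        return frozenset()
    if isinstance(c, Transmit):
        return frozenset((v,) + s for v in EVENTS if c.pred(v)
                         for s in traces(c.cont(v)))
    l, r = traces(c.left), traces(c.right)
    if c.op == "+":
        return l | r
    if c.op == "|":
        return frozenset(s for a in l for b in r for s in interleavings(a, b))
    return frozenset(a + b for a in l for b in r)

def nullable(c: Contract) -> bool:
    """Syntactic nullability; Proposition 1: nullable iff () is in C[[c]]."""
    if isinstance(c, (Failure, Transmit)):
        return False
    if isinstance(c, Success):
        return True
    l, r = nullable(c.left), nullable(c.right)
    return (l or r) if c.op == "+" else (l and r)

def residual(e: str, c: Contract) -> Contract:
    """e \\ c, following the equations of Lemma 1 (Figure 8)."""
    if isinstance(c, (Success, Failure)):
        return Failure()
    if isinstance(c, Transmit):
        return c.cont(e) if c.pred(e) else Failure()
    l, r = c.left, c.right
    if c.op == "+":
        return Bin("+", residual(e, l), residual(e, r))
    if c.op == "|":
        return Bin("+", Bin("|", residual(e, l), r), Bin("|", l, residual(e, r)))
    # sequence: c2 may consume the event only if c1 can already terminate
    head = Bin(";", residual(e, l), r)
    return Bin("+", head, residual(e, r)) if nullable(l) else head

def accepts(c: Contract, trace: Trace) -> bool:
    """Run a trace by repeated residuation; accept iff the rest is nullable."""
    for e in trace:
        c = residual(e, c)
    return nullable(c)

def residual_matches_semantics(c: Contract) -> bool:
    """Check C[[e \\ c]] = {s | e.s in C[[c]]} for every e, plus Proposition 1."""
    ts = traces(c)
    ok = nullable(c) == (() in ts)
    for e in EVENTS:
        want = frozenset(s[1:] for s in ts if s and s[0] == e)
        ok = ok and traces(residual(e, c)) == want
    return ok

def tx(event: str, cont: Contract) -> Transmit:
    """transmit(X | X == event). cont, where cont does not use X."""
    return Transmit(lambda v: v == event, lambda _v: cont)

# Constructed sample contracts
SALE = Bin(";", Bin("+", Success(), tx("deliver", Success())), tx("pay", Success()))
ORDER = Bin(";", Bin("|", tx("deliver", Success()), tx("pay", Success())),
            Bin("+", Success(), tx("refund", Success())))
# transmit(X | true). transmit(Y | Y == X). Success: the continuation uses X
ECHO = Transmit(lambda v: True,
                lambda v: Transmit(lambda w: w == v, lambda _w: Success()))
```

`accepts` is the reduction-by-residuation view of Theorem 2: a trace is a complete execution of a contract exactly when the contract left after residuating each event in turn is nullable.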