Themulus: A Timed Contract-calculus

∗

Alberto Aranda Garc

ıa

, Mar

ıa-Emilia Cambronero

, Christian Colombo

, Luis Llana

and Gordon J. Pace

Department of Computer Science, University of Malta, Malta

Department of Computer Science, University of Castilla-La Mancha, Albacete, Spain

Department of Computer Science and the Knowledge Technology Institute, University Complutense of Madrid, Spain

gordon.pace@um.edu.mt

Keywords:

Deontic Logic, Formal Methods, Operational Semantics, Simulation Semantics, Themulus.

Abstract:

Over these past years, formal reasoning about contracts between parties has been increasingly explored in the

literature. There has been a shift of view from that viewing contracts simply as properties to be satisﬁed by the

parties to contracts as ﬁrst class syntactic objects which can be reasoned about independently of the parties’

behaviour. In this paper, we present a real-time deontic contract calculus, Themulus, to reason about contracts,

abstracting the parties’ behaviour through the use of a simulation relation. In doing so, we can compare

real-time deontic contracts in terms of their strictness over permissions, prohibitions and obligations.

1 INTRODUCTION

The need for formal techniques for reasoning about

contracts is becoming increasingly important as soft-

ware systems interact more frequently with other sys-

tems and with our everyday life. Although for many

applications a property-based approach sufﬁces —

specifying pre-/post-conditions, invariants, temporal

properties, etc. — other applications require a ﬁrst

class notion of contracts which property-based ap-

proaches do not address sufﬁciently well. Deontic

logics (Georg Henrik Von Wright, 1951) have been

developed precisely to deal with such a need to talk

about ideal behaviour of a system, possibly also in-

cluding exceptional situations when the system devi-

ates from such behaviour. For instance, consider a

contract which speciﬁes that a party is to perform a

particular action, but if they fail to do so, they will

incur an additional charge (which they are obliged to

pay) and prohibited from taking certain actions until

they do so. Such contracts, typically using a deontic

logic, have been referred to as total contracts and have

been argued to be more informative (with the right

abstractions) than simple properties (Fenech et al.,

∗This work has been supported by the Spanish

MINECO-FEDER (grant numbers DArDOS, TIN2015-

65845-C3-1-R and FAME, RTI2018-093608-B-C31) and

the Region of Madrid (grant number FORTE-CM,

S2018/TCS-4314)

2009). The opportunity to move from seeing speci-

ﬁcations simply as expressions in a logic which must

hold to the higher level view of them being a form

of contract goes back to Khosla (Khosla, 1988). By

looking at contracts as ﬁrst-class entities which can

be reasoned about, manipulated, etc., one can perform

contract analysis independent of the systems the con-

tract will regulate, e.g., one can analyze contracts for

potential conﬂicts, or to evaluate which is the stricter

one.

Different approaches to contract analysis have

been reported in the literature, with most approaches

focusing on the violation semantics of contracts, thus

enabling the characterization of agreements between

parties or agents regulating their behaviour. In sys-

tems with interacting parties, contracts play an even

more important role since an agent’s behaviour (or

non-behaviour) directly impacts other agents. Sur-

prisingly, many contract logics reason about deon-

tic modalities such as obligations and permissions

without specifying agents, and the literature address-

ing reasoning about directed deontic modalities is

relatively sparse (e.g. Modal Action Logic (Jere-

maes et al., 1986), deontic STIT logic (Belnap and

Perloff, 1993; Horty, 2001), Business Contract Lan-

guage (Governatori and Milosevic, 2005), contract

automata (Pace and Schapachnik, 2012)).

Interaction has long been studied in computer sci-

ence using calculi to reason about communicating

García, A., Cambronero, M., Colombo, C., Llana, L. and Pace, G.

Themulus: A Timed Contract-calculus.

DOI: 10.5220/0008878001930204

In Proceedings of the 8th International Conference on Model-Driven Engineering and Software Development (MODELSWARD 2020), pages 193-204

ISBN: 978-989-758-400-8; ISSN: 2184-4348

193

transition systems enabling the classiﬁcation of sys-

tems into correct and incorrect ones with respect to

a property. It is only recently, however, that the dis-

tinction between properties and contracts has started

being explored. Yet, in much of the literature, con-

tract comparison is still deﬁned in terms of how the

contracts regulate systems e.g. saying that a contract

is stricter than another if any system which violates

the latter will also violate the former. This means that

to reason about contracts one has to bring to play the

systems which they regulate.

Orthogonal to this issue is that of the notion of

time in contracts. From work in linear temporal log-

ics, one can (broadly) categorize such logics into a

number of categories: (i) ones which permit reason-

ing about sequentiality of events; (ii) ones which can

also reason about time using a notion of a discrete

global clock; and (iii) ones which allow reasoning

about timers which can take continuous time values

and which can interact with such timers e.g. trigger-

ing on timeouts, or resetting the timers. The notion

of continuous time clocks, i.e. (iii), introduces ad-

ditional complexity including aspects which may be

undecidable as can be seen, for instance, in the exten-

sive work on veriﬁcation of timed automata and hy-

brid systems in general (Asarin et al., 2012). Multi-

party session types, which share much with contracts

have been extended to deal with timed aspects (Boc-

chi et al., 2014). Our approach to time shares much

with theirs, although our handling of notions such as

permission allows for an implicit notion of deontic

modalities

Furthermore, if events are timed, one has to intro-

duce a notion of time in the deontic logic — whether

in a point-wise manner (e.g. an obligation to perform

a particular action at a particular time) or over time

intervals (e.g. an obligation to perform a particular

action before a deadline). There is much work about

the combination of discrete time temporal and deon-

tic logics, but less so with dense-time logics. Our ap-

proach is an interval logic one, taking the approach

adopted by real time logics such as duration calculus

(Chaochen et al., 1991), which only allows statements

about signal values over non-point intervals.

In earlier work, we have developed a calculus to

reason about contracts independently of the systems

(Cambronero et al., 2017) in which, only temporal

sequentiality of events was handled. In this paper,

we present a time extension, give an operational view

of contracts, and use simulation techniques to reason

about contracts at an operational level.

The paper is organised as follows. First, we

present a running example (section 2) used through-

out the paper to clarify concepts. Then, the notation

we will use to formalize our notions is presented in

Section 3. We then present our timed contract calcu-

lus Themulus in Section 4 and formalize the notion of

reﬁnement of contracts in section 5. We ﬁnally con-

clude in Section 6 with some conclusions and possible

lines of future work.

2 RUNNING EXAMPLE

In the rest of the paper, we will illustrate our logic and

results based on a contract commonly used in the lit-

erature, that of a plane boarding system, based on e.g.

(Azzopardi et al., 2014). In this section we present

this use case — an agreement between the passenger

and airline company, regulating the plane boarding

process, from check-in till the ﬂight, including time

constraints. The use case is a simpliﬁed version based

on the Madrid Barajas airport regulations.

1. The passenger is permitted to use the check-in desk

within two hours before the plane takes off (t

2. At the check-in desk, the passenger is obliged to present

her boarding pass whitin 5 minutes.

3. After presenting the boarding pass, the passenger must

show her passport, she has 5 minutes for this purpose.

4. Henceforth, the passenger is (i) prohibited from carry-

ing liquids in her hand-luggage until boarding; and (ii)

prohibited from carrying weapons during the whole trip

until the plane lands. If she has liquids in her hand-

luggage, she is obliged to dispose of them within 10

minutes.

5. After presenting her passport, the passenger is permit-

ted to board within 90 minutes and to present the hand-

luggage to the staff within 10 minutes. Therefore, the

airline company is obliged to allow the passenger to

board within 90 minutes. If the passenger is stopped

from carrying luggage, the airline company is obliged

to put the passenger’s hand luggage in the hold within

20 minutes.

3 BACKGROUND AND

NOTATION

Contracts regulate the behaviour of agents or par-

ties that are acting concurrently. In this Section, we

present notation used to describe these agents and

their behaviour in order to be able to formalize con-

tracts in the following sections.

Structurally, the underlying system consists of

several indexed agents running in parallel, using vari-

ables A, A

to represent the individual agents. The sys-

tem as a whole will consist of the parallel composition

of all agents indexed by a ﬁnite set I i.e. the system

MODELSWARD 2020 - 8th International Conference on Model-Driven Engineering and Software Development

194

will be of the form ||

iPI

. We will use variables A,

to denote the state of the system as a whole.

Notation: The visible behaviour of the system and

agents will be assumed to consist of actions over Act,

and the agents’ behaviour will be assumed to con-

sist of (i) a relation indicating how their state changes

whenever such action occurs; and (ii) a relation indi-

cating how they change over time. Time will be taken

to range over the non-negative reals: T = R

. Agents

semantics are thus represented as timed labelled tran-

sition systems:

• A

−−Ñ A

, for a P Act, indicates that agent A

changes to A

upon performing action a. As it is

usual in process algebrae (Yi, 1991), the execu-

tion of actions does not consume time. The tran-

sition A

−−Û indicates that agent A cannot perform

a: A

−−Û

= DA

¨ A

−−Ñ A

• A

::; A

, for d ą 0 P T, indicates that agent A

evolves to A

after d time units pass.

Assumptions: We will assume that agents are non-

blocking: for any agent A, there is an agent state A

such that either (i) A

−−Ñ A

(for some a P Act); or (ii)

::; A

(for some d ą 0 P T). We also assume the

following common properties of the time transition

relation: time determinism, time additivity, and time

continuity.

We can now deﬁne how a system as a whole

(a composition of agents) evolves. There are two

kinds of transitions: (i) action transitions of the form

a,S

−−Ñ A

will indicate that system A can perform ac-

tion a P Act with agents indexed by S P 2

participat-

ing, to become system A

; and (ii) timed transitions

::; A

indicate the evolution of the system as a

whole over time.

Deﬁnition 1. We deﬁne the following transition rela-

tions over systems:

• A

a,S

−−Ñ A

, with S P 2

indicating that agents in

S (and no others) synchronise on action a. For-

mally, A

a,S

−−Ñ A

, where A = A

}¨¨¨}A

, and

= A

} A

¨¨¨ } A

is deﬁned as follows: (i) the

number of agents does not change: n = n

; (ii)

agents other than those whose index appears in S

do not participate in action a: @i P I ¨i R S ñ A

; and (iii) agents indexed in S evolve over action

a: @i P I ¨ i P S ñ A

−−Ñ A

• A

::; A

indicates that system A evolves to A

after d ą 0 P T time units pass. Formally we deﬁne

::; A

to mean that all agents evolve with a

time transition of length d: A

::; A

for all

i P I, where A = A

} ¨ ¨ ¨ } A

, and A

} ¨¨¨ } A

We will also write A

a,S

−−Ñ to mean that system A

can perform action a involving the agents in set S:

a,S

−−Ñ

= DA

¨ A

a,S

−−Ñ A

. The lack of such a transi-

tion is written as: A

a,S

−−−−Û.

In order to formalize violation of contracts, we

will use predicates over agent behaviour.

Deﬁnition 2. A predicate is deﬁned in terms of the

following grammar:

P ::= tt | ff | xa, ky | xa, ky | P _ Q | P ^ Q

In the grammar above, k P I ranges over agent

indices, a P Act over actions, and P, Q P P over pred-

icates.

Predicates tt and ff denote true and false respec-

tively. Predicate xa, ky means that agent k may per-

form action a. However, since some actions may re-

quire involvement by several agents, we use the pred-

icate xa, ky to indicate that agent k wants to perform

action a, but this action is not offered by any other

agent for synchronisation. For instance, an agent c

may want to purchase a ticket (action: ticket) to go

to a theatre. Predicate xticket, cy indicates the success

of such an action with c participating. However, if

the action requires the participation of the ticket of-

ﬁce, we can write the predicate xticket, cy to indicate

that c wanted to perform the action, but neither the

ticket ofﬁce (nor any other agent) was willing to per-

form the handshake required. Predicate disjunction

and conjunction are indicated by P _ Q and P ^ Q re-

spectively.

Deﬁnition 3.The semantics of a predicate P under a

system A, written A ( P, is deﬁned as follows:

A ( tt

= true

A ( ff

= false

A ( xa, ky

= DS P 2

, A

¨ A

a,S

−−Ñ A

^ k P S

A ( xa, ky

= A

a,tku

−−−−Ñ and @l ¨l ‰ k ñ A

−−Û

A ( P _ Q

= A ( P or A ( Q

A ( P ^ Q

= A ( P and A ( Q

We can now deﬁne the notion of stronger-than and

that of equivalence between predicates.

Deﬁnition 4. Given predicates P, Q P P , we say that

P is stronger than Q, written P ( Q, iff for any state

of any system A for which A ( P holds, A ( Q also

holds. We say that P is equivalent to Q, written P )(

Q, iff P ( Q and Q ( P.

Themulus: A Timed Contract-calculus

195

We will now present a proposition which indicates

how equivalence combines with disjunction and ac-

tion success.

Proposition 1. Let P, Q P P , k be an agent index and

a P Act, then

1. If P



)(tt, then xa, ky _ P



)( tt and xa, ky _



)( tt.

2. If P _ Q )( tt then P )( tt or Q )( tt.

4 A TIMED CONTRACT

CALCULUS

We can now deﬁne our contract calculus Themulus.

We start by deﬁning its syntax and an equivalence re-

lation over the syntactic forms. We then deﬁne the

notion of contract violation conditions based on the

operational semantics of the calculus. As we men-

tioned before, we will assume a time domain T rang-

ing over the non-negative reals. In order to deal with

the recursion operator, we assume a set of variables

fvars over which recursion will be deﬁned.

4.1 Contract Syntax

Deﬁnition 5. The set of contract formulae denoted by

C (with variable ϕ P C to range over the contracts) is

syntactically deﬁned as follows:

ϕ ::= J | K | P

paqrds | O

paqrds | F

paqrds

| waitpdq | cond

paqrdspϕ

, ϕ

q | ϕ

;ϕ

| ϕ

^ ϕ

| ϕ

_ ϕ

| ϕ

§ ϕ

| rec x.ϕ | x

where a P Act, x P fvars, k P I and d P T Y t8u.

The basic formulae J and K indicate, respectively,

the contracts that are trivially satisﬁed and violated.

The key modalities we use from deontic logic to spec-

ify contracts are permissions, obligations, and prohi-

bitions. The formula P

paqrds indicates the permis-

sion of agent k to perform action a within d time units,

while O

paqrds is an obligation on agent k to perform

action a within d time units, and F

paqrds is the pro-

hibition on agent k to perform action a within d time

units. The formula waitpdq represents a delay of d

time units.

Contract disjunction is written as ϕ

_ ϕ

, and

contract conjunction as ϕ

^ ϕ

. The formula ϕ

;ϕ

indicates the sequential composition of two contracts

— in order to satisfy the whole contract, the ﬁrst con-

tract ϕ

must be satisﬁed and then the second one ϕ

For instance, we can model the obligation of agent k

of doing action a in 3 time units after a delay of 2 time

units: waitp2q;O

paqr3s.

The reparation operator, written ϕ

§ ϕ

, is the

contract which starts off as ϕ

, but when violated trig-

gers contract ϕ

, e.g., O

paqr2s § P

pbqr5s is the con-

tract which obliges agent 1 to perform action a in 2

time units, but if she does not, permits agent 2 to per-

form action b in 5 time units.

The formula cond

paqrdspϕ

, ϕ

q is a conditional

contract where (i) if party k performs action a within d

time units it proceeds to behave like ϕ

; otherwise (ii)

if d time units elapse without a being performed by k,

it then proceeds to behave like ϕ

. Note that we can

generalize to more general conditions on the system,

but we limit it to the ability of a party to perform an

action for the scope of this paper.

Finally, rec x.ϕ and x handles recursive contracts,

e.g., rec x.O

paqrds; x is the contract which obliges

agent p to repeatedly perform action a within d time

units of each other. In contrast, rec x.O

pprqr10s ^

waitp30q;x, is the contract in which agent r is repeat-

edly obliged to pay rent (action pr) during the ﬁrst 10

days of the month.

Using these basic contract combinators, we can

deﬁne more complex ones, for example, a prohibi-

tion which persists until a particular action is per-

formed — a prohibition on agent k from perform-

ing action a until party l performs action b, written

F pra, ksU rb, lsq, and deﬁned as follows:

F pra, ksU rb, lsq

= rec x.

cond

paqr8spK, Jq^

cond

pbqr8spJ, xq

Example 1. The contract of the plane boarding sys-

tem from Section 2, can be formalised using our con-

tract calculus as follows:

::= P

pcheckinqrt

− 120s

::= O

pPBPqr5s

::= O

pShPqr5s

::= pF prweapon, ps U rlanding, csqq^

ppF prlq, psU rboarding, psqq § O

pdlqqr10sq

::= pP

pbrdqr90s;P

phlqr10sq§

pbrdqr90s; O

phlhldqr20sq

PBS ::= ϕ

;ϕ

;pϕ

^ ϕ

Where t

is departure estimated time. Note that

the clauses ϕ

to ϕ

are used to express different parts

of the contract, and combined together in the top-level

contract expression PBS.

The syntax of our logic allows for formulae

whose meaning is unclear. For instance, the formula

paqrds_x is not well-formed since it contains a free

instance of variable x. Another problem arises with

formulae such as rec x.F

paqrds _ x, which use recur-

sion not guarded by a preﬁx formula since the latter

ensures certain desirable properties of our operational

MODELSWARD 2020 - 8th International Conference on Model-Driven Engineering and Software Development

196

semantics. In order to simplify our semantics, we re-

strict the set of well-formed formulae to ones which

are (i) closed; and (ii) strongly preﬁxed. As usual,

the closed formulae are those that do not contain free

recursion variables (a recursion variable x is free if it

not bound to a rec x above it). A strongly preﬁxed for-

mula is one where all the occurrences of the formula

variables are preﬁxed by an obligation, prohibition,

permission or wait operation.

4.2 Syntactical Congruence

As in other such approaches (Milner, 1999), we start

by deﬁning a syntactical congruence, denoted by ”,

between contracts. This congruence is to be applied

on a well-formed formula and its subformulae before

the rules of the operational semantics.

Deﬁnition 6. We deﬁne the relation ” Ď C ˆC as the

least congruence relation that includes:

1. ϕ ^ J ” ϕ 2. J ^ ϕ ” ϕ

3. K ^ ϕ ” K 4. ϕ ^ K ” K

5. ϕ _ J ” J 6. J _ ϕ ” J

7. ϕ _ K ” ϕ 8. K _ ϕ ” ϕ

9. J; ϕ ” ϕ 10. K; ϕ ” K

11. J § ϕ ” J 12. K § ϕ ” ϕ

13. O

paqr0s ” K 14. F

paqr0s ” J

15. P

paqr0s ” J 16. waitp0q ” J

17. cond

paqr0spϕ, ψq ” ψ

In order to compute the ” relation, we transform

it into a rewriting calculus: we can see the rules above

as rewriting rules going from left to right. For in-

stance, the equivalence rule 13 (O

paqr0s ” K) allows

us to rewrite O

paqr0s;P

pbqr5s to K; P

pbqr5s, which

in turn can be rewritten to K using rule 10 (K;ϕ ” K).

Deﬁnition 7. We write ϕ ãÑ ϕ

(where ϕ, ϕ

P C ), if ϕ

is the result of applying one of the equivalence rules

from left to right on a subexpression of ϕ.

Example 2. Returning to the plane boarding system

agreement, consider the obligation on passengers to

present the boarding pass (action PBP) within 5 time

units: O

pPBPqr5s. In this case, equivalence rule 13

can be applied after 5 time units: O

pPBPqr5s

::;

pPBPqr0s ãÑ K.

In order to justify the simpliﬁcation of contract

formulae by applying these rules repeatedly, we will

need to prove that the rewriting process is terminat-

ing and conﬂuent. To prove conﬂuence of ãÑ, we

will ﬁrst prove local conﬂuence, from which conﬂu-

ence follows using a standard result from computer

science.

Proposition 2. The ãÑ P C Ø C relation is: (i) ter-

minating: there is no inﬁnite sequence ϕ

, ϕ

. . . ,

such that @i ¨ ϕ

ãÑ ϕ

i+1

; and (ii) locally conﬂuent:

if ϕ ãÑ ϕ

and ϕ ãÑ ϕ

, then there exists a contract ϕ

such that ϕ

ãÑ

∗

and ϕ

ãÑ

∗

Proof. Since the right term is always syntactically

smaller than the one on the left, the relation ãÑ is a

well-founded relation, and thus, termination is easily

proved. Local conﬂuence is proved by structural in-

duction on ϕ. The base cases are trivial. To prove the

inductive cases, we perform case by case analysis on

the different rules, which are applied to the subformu-

lae to show that the conﬂuence result holds. [\

Based on these results, conﬂuence of ãÑ follows using

Newman’s Lemma (Newman, 1942).

Corollary 1. The syntactic equivalence relation ap-

plied from left to right is conﬂuent: if ϕ ãÑ

∗

and

ϕ ãÑ

∗

, then there is a contract ϕ

such that ϕ

ãÑ

∗

and ϕ

ãÑ

∗

Conﬂuence and termination mean that any given

formula can be deterministically reduced to an irre-

ducible formula in a ﬁnite number of steps.

Deﬁnition 8. A contract formula ϕ P C is said to be

irreducible, if the equivalence relation cannot be ap-

plied to any of its subexpressions: Dϕ

P C ¨ ϕ ãÑ ϕ

Given contract formulae ϕ,ϕ

P C , we write ϕ ÞÝÑ

iff (i) ϕ can be syntactically reduced to ϕ

in a num-

ber of steps: ϕ ãÑ

∗

; and (ii) ϕ

is irreducible.

Conﬂuence and termination guarantee that for a

given ϕ, there exists a unique ϕ

such that ϕ ÞÝÑ ϕ

4.3 Operational Semantics

We can now deﬁne an operational semantics for our

contract calculus. The rules of the operational seman-

tics appear in Figure 1. The semantics take one of

three forms: (i) ϕ

a,k

−−Ñ ϕ

to denote that contract ϕ

can evolve (in one step) to ϕ

when action a is per-

formed, which involves party k (and possibly other

parties); or (ii) ϕ

pa,kq

−−−−Ñ ϕ

indicating that the contract

ϕ can evolve to ϕ

when the action a is not offered by

any party other than k; or (iii) ϕ

::; ϕ

to represent

that contract ϕ can evolve to contract ϕ

when d time

units pass. We will use variable α to stand for a label

of either form: pa, kq or pa, kq. The rules of the op-

erational semantics are always applied to irreducible

terms.

The core of any contract reasoning formalism is

the rules deﬁning the semantics of the deontic modal-

ities.

Rules (O1), (O2), (O3), (O4), and (O5) deﬁne the

behaviour of obligations O

paqrds, i.e., the obligation

on agent k to perform action a within d time units.

Themulus: A Timed Contract-calculus

197

(O1) O

paqrds

a,k

−−Ñ J

(O2) O

paqrds

pa,kq

−−−−Ñ J

(O3) O

paqrds

b,l

−−Ñ O

paqrds , pa, kq ‰ pb, lq

(O4) O

paqrds

pb,lq

−−−−Ñ O

paqrds , pa, kq ‰ pb, lq

(O5) O

paqrds

::; O

paqrd − d

s, 0 < d

ď d

(F1) F

paqrds

a,k

−−Ñ K

(F2) F

paqrds

pa,kq

−−−−Ñ K

(F3) F

paqrds

b,l

−−Ñ F

paqrds , pb, lq ‰ pa, kq

(F4) F

paqrds

pb,lq

−−−−Ñ F

paqrds , pb, lq ‰ pa, kq

(F5) F

paqrds

::; F

paqrd − d

s, 0 < d

ď d

(P1) P

paqrds

a,k

−−Ñ J

(P2) P

paqrds

b,l

−−Ñ P

paqrds, pa, kq ‰ pb, lq

(P3) P

paqrds

pa,kq

−−−−Ñ K

(P4) P

paqrds

pb,lq

−−−−Ñ P

paqrds, pa, kq ‰ pb, lq

(P5) P

paqrds

::; P

paqrd − d

s, 0 < d

ď d

(C1) cond

paqrdspϕ, ψq

a,k

−−Ñ ϕ

(C2) cond

paqrdspϕ, ψq

pa,kq

−−−−Ñ ϕ

(C3) cond

paqrdspϕ, ψq

b,l

−−Ñ ψ, pb, lq ‰ pa, kq

(C4) cond

paqrdspϕ, ψq

pb,lq

−−−−Ñ ψ, pb, lq ‰ pa, kq

(C5) cond

paqrdspϕ, ψq

::;

cond

paqrd − d

spϕ, ψq , 0 < d

ď d

(AO1)

−−Ñ ϕ

, ψ

−−Ñ ψ

ϕ op ψ

−−Ñ ϕ

op ψ

(AO2)

::; ϕ

, ψ

::; ψ

ϕ op ψ

::; ϕ

op ψ

(AO3)

::; J, ψ

::; ψ

ϕ ^ ψ

::; ψ

, d

ě d

(AO4)

::; ϕ

, ψ

::; J

ϕ ^ ψ

::; ϕ

, d ě d

(AO5)

::; K, ψ

::; ψ

ϕ _ ψ

::; ψ

, d

ě d

(AO6)

::; ϕ

, ψ

::; K

ϕ _ ψ

::; ϕ

, d ě d

(V1)

−−Ñ ϕ

ϕ § ψ

−−Ñ ϕ

§ ψ

(V2)

::; ϕ

ϕ § ψ

::; ϕ

§ ψ

(V3)

::; K, ψ

::; ψ

ϕ § ψ

d+d

::::; ψ

(S1)

−−Ñ ϕ

ϕ;ψ

−−Ñ ϕ

;ψ

(S2)

::; ϕ

ϕ;ψ

::; ϕ

;ψ

(S3)

::; J, ψ

::; ψ

ϕ;ψ

d+d

::::; ψ

(wait1) waitpdq

::; waitpd − d

q , 0 < d

ď d

(wait2) waitpdq

−−Ñ waitpdq

(REC1)

−−Ñ ϕ

rec x.ϕ

−−Ñ ϕ

rx{rec x.ϕs

(REC2)

::; ϕ

rec x.ϕ

::; ϕ

rx{rec x.ϕs

Figure 1: Operational Semantics transition rules.

Rules (O1) and (O2) handle the case of the obliga-

tion clause being satisﬁed when agent k does action a

within d time units, in this case, the contract reduces

to the trivially satisﬁed one (J). Rules (O3) and (O4)

consider the case when another agent l performs an

action (l ‰ k) or the action b is not the compulsory

one b ‰ a; in both cases the obligation remaining in-

tact. Let us recall that actions are instantaneous, so

the time constraints do not change. Finally, (O5) han-

dles the case when d

time units pass with d

ď d,

then the obligation remains, but the obligation time

decreases in d

time units. Recall that O

paqr0s is han-

dled through syntactic equivalence (” K).

Example 3. Let us consider the obligation on the pas-

senger (agent: p) to present the boarding pass (action

PBP) within 5 time units: O

pPBPqr5s. The possible

outcomes are: (i) rule (O1) applies if the passenger

presents the boarding pass within 5 time units, with

the contract evolving to J: O

pPBPqr5s

PBP,p

−−−−Ñ J; (ii)

rule (O2) can be applied if the passenger is not al-

lowed to perform the action: O

pPBPqr5s

pPBP,pq

−−−−−Ñ J;

(iii) if an action other than PBP is performed or PBP

is performed by another party, the obligation remains

intact by rule (O3): O

pPBPqr5s

b,l

−−Ñ O

pPBPqr5s

(where b ‰ PBP or l ‰ p); (iv) similarly if other

parties or actions are not allowed, the obligation re-

mains unchanged by rule (O4): O

pPBPqr5s

pb,lq

−−−−Ñ

pPBPqr5s (where b ‰ PBP or l ‰ p ); and ﬁnally

(v) rule (O5) handles when an amount of time less

than 5 time units elapses, in which case the obliga-

tion remains in force, but the deadline is moved ac-

cordingly: O

pPBPqr5s

::; O

pPBPqr5 − δs (where

δ ď 5). Note that in this ﬁnal case, when the deadline

of the obligation decreases to 0, the syntactic equiva-

lence O

pPBPqr0s ” K is directly applied and reduced

accordingly.

Rules (F1), (F2), (F3), (F4), and (F5) deﬁne the cases

for prohibition similar to obligation.

Permission of agent k to perform action a within

MODELSWARD 2020 - 8th International Conference on Model-Driven Engineering and Software Development

198

d time units (P

paqrds) is deﬁned through Rules (P1),

(P2), (P3), (P4) and (P5). Rule (P1) considers the

case when agent k consumes her permission to per-

form action a by actually performing it, in this case,

the contract reduces to the trivially satisﬁed one (J).

Rule (P2) handles the case when an agent other than

k performs an action or the action involving b is

not the permitted one a, leaving k’s permission in-

tact. Rule (P3) handles the case when the permis-

sion is violated because agent k intended to perform

action a, but it was not offered a synchronizing ac-

tion. Rule (P4) considers the case when another agent

than k intends to perform an action b (different to

a), but it was not offered a synchronizing action. Fi-

nally, Rule (P5) considers the case when d

time units

elapse, with d

ď d, then the permission remains, but

the permission time decreases by d

time units.

The rules for conditional contracts handle the

cases when the condition holds ((C1) and (C2)), and

when it does not ((C3) and (C4)), resolving the con-

tract to the appropriate branch. The rule (C5) consid-

ers the case when d

time units pass (with d

ď d), in

which case the conditional deadline decreases accord-

ingly.

The rules for conjunction and disjunction are

structurally identical, since both take the two con-

tracts to evolve concurrently. The difference between

the two operators is only exhibited when one of the

two operands reduces to J or K, which is then han-

dled by the equivalence rules. The ﬁrst rule (AO1)

states that the conjunction or disjunction of two for-

mulae evolves along with both operands concurrently.

The second rule (AO2) considers the case in

which d time units pass for both contracts. Rule

(AO3) shows the case in which: (i) d time units pass

for the ﬁrst contract, ϕ, then it evolves to J and (ii)

for the second one, ψ, evolving to ψ

, with d

ě d.

Thus, the contracts’ conjunction evolves as the sec-

ond one. (AO4) handles the case in which d time

units pass for the ﬁrst contract, ϕ, then it evolves to

and d

time units for the second one, ψ, then it

evolves to J, with d ě d

, thus the contracts conjunc-

tion evolves as the ﬁrst one. Rules (AO5) and (AO6)

consider the cases in which the ﬁrst or second contract

has been already violated and how the disjunction of

both contracts evolve, in an analogous manner as the

conjunction.

The rules for reparation and sequential composi-

tion are similar. The rules (V1) and (V2) allow mov-

ing along the primary contract when some actions are

done or the time passes. There is no need for rules

dealing with the recovering from a violation since this

is handled by the syntactic equivalence rules. The se-

quential composition rules (S1) and (S2) behave in

an analogous manner, allowing evolution along with

the ﬁrst contract, with no need for additional rules

thanks to the syntactic equivalence rules. It is worth

noting that, similar to reparation which ﬁres the sec-

ond operand on the ﬁrst (shortest trace) violation, se-

quential composition ﬁres the second operand on the

shortest match of the ﬁrst operand. Rules (V3) and

(S3) are necessary for time additivity with reparation

and sequential composition, respectively.

Example 4. In our running example, we can consider

clause ϕ

, that is:

::= pP

pbrdqr90s;P

phlqr10sq §

pbrdqr90s; O

phlhldqr20sq

where the passenger is permitted to board within 90

minutes (P

pbrdqr90s) and, then to present the hand-

luggage to the staff within 10 minutes (P

phlqr10s).

Therefore, the reparation part of this clause indi-

cates that if the passenger is stopped from board-

ing or carrying luggage, the airline company is

obliged to allow the passenger to board within 90

minutes (O

pbrdqr90s) and then, to put the passen-

ger’s hand luggage in the hold within 20 minutes

phlhldqr20s). If 90-time units pass, ϕ

evolves

in the following way:

pbrdqr90s;P

phlqr10s § O

pbrdqr90s; O

phlhldqr20s

::;

pbrdqr0s;P

phlqr10s § pO

pbrdqr90s; O

phlhldqr20s

” J;P

phlqr10s § pO

pbrdqr90s; O

phlhldqr20sq

The latter equivalence applies by rule 15, since

pbrdqr0s ” J. In turn, rule 9 can be applied to

the ﬁrst part (J; P

phlqr10s ” P

phlqr10s), then

::= P

phlqr10s § pO

pbrdqr90s; O

phlhldqr20sq.

Thereafter, if 10 time units pass, rule 15 can be

applied again (P

phlqr10s

::; P

pbrdqr0s ” J),

then ϕ

::= J § pO

pbrdqr90s; O

phlhldqr20sq.

And ﬁnally, applying rule 11: ϕ

::=

J § pO

pbrdqr90s; O

phlhldqr20sq ” J, then in

this case, it is possible to conclude that the contract is

satisﬁed by only applying the congruence relations.

The wait rules deﬁne two possible cases: when

time units pass, with d

ď d, then the time delay

decreases by d

time units (Rule (wait1)), and when

an action is performed (Rule (wait2)) the time delay

remains intact since (let us recall) actions are instan-

taneous.

The ﬁnal rules deal with recursion in a standard

manner — by replacing free instances of the recur-

sion variable by the whole recursion formula. Note

that since we assume formulae to be closed and recur-

sion guarded, we require no rules for expressions con-

sisting of just a free variable, or to handle unguarded

recursion such as rec x. x.

Themulus: A Timed Contract-calculus

199

The following proposition shows that the seman-

tics ensure that any non-trivial contract (i.e. any ir-

reducible contract other than J and K) can evolve to

any observed action. Furthermore, they evolve in a

deterministic manner.

Proposition 3. Given a contract ϕ P C :

1. One of the following holds: (i) ϕ ” J; (ii) ϕ ”

K; or (iii) for any a P Act and k P I , ϕ

a,k

−−Ñ and

pa,kq

−−−−Ñ.

2. If ϕ

a,k

−−Ñ ϕ

and ϕ

a,k

−−Ñ ϕ

, then ϕ

” ϕ

Proof. The ﬁrst property follows immediately from

the operational semantics. The second follows by

structural induction on ϕ. [\

The following proposition shows that the con-

tracts behave coherently with respect to time.

Proposition 4. Let ϕ, ϕ

, ϕ

P C be contracts and

, d

P T be time values. Then, the following proper-

ties hold:

1. If ϕ

::; ϕ

and ϕ

::; ϕ

then ϕ

” ϕ

2. If ϕ

::; ϕ

, then ϕ

::::; ϕ

3. If ϕ

::::; ϕ

then there is ϕ

P C such that

::; ϕ

Proof. These properties are proved by structural

induction. The base cases are trivial, one only

needs to take into account that the contracts O

paqrds,

paqrds, P

paqrds do not transition beyond time d

because the contracts are violated (in the case of obli-

gation) or satisﬁed (in the case for prohibition and

permission). [\

4.4 Contract Violation

We can now formally deﬁne contract violation. First,

we deﬁne the predicate viopϕq. This predicate will

be used to verify if a contract is currently violated,

which enables us to determine how a system can be

monitored with respect to a contract.

Deﬁnition 9. We say that an irreducible contract ϕ

is in a violated state, written viopϕq if and only if the

contract has already been violated:

viopJq

= ff viopKq

= tt

viopP

paqrdsq

= pa, kq viopO

paqrdsq

= ff

viopF

paqrdsq

= pa, kq viopwaitpdqq

= ff

viopϕ;ϕ

= viopϕq vioprec x.ϕq

= viopϕq

viopcond

paqrdspϕ, ϕ

= ff

viopϕ ^ ϕ

= viopϕq _ viopϕ

viopϕ _ ϕ

= viopϕq ^ viopϕ

viopϕ § ϕ

= viopϕq ^ viopϕ

Since syntactical equivalences would remove any

zero time windows (i.e. d = 0), the above deﬁnition

covers only when d ą 0.

The two ﬁrst cases for the trivially satisﬁed and

violated contracts are straightforward. In the case of

permission being currently in force, we ﬂag a viola-

tion if the party holding the permission wants to per-

form the action but is not offered a synchronizing ac-

tion. In case of an obligation, a violation can only

occur after the time has expired (d = 0), but this case

is already deﬁned because of the syntactical equiva-

lence O

paqr0s ” K. Let us note that an obligation

to perform an action within a (non-zero) time frame

is never in violation at this instant since there is still

time to perform the action and fulﬁl the obligation.

In the case of a reparation viopϕ § ϕ

q, a viola-

tion can only occur, if both ϕ and ϕ

are violated. In

the case of viopcond

paqrdspϕ, ϕ

qq, whether the ac-

tion a or any other action is observed the violation is

always false since the conditional contract only de-

ﬁnes how the contract will behave (as ϕ or ϕ

). In the

case of sequential composition viopϕ; ϕ

q, an imme-

diate violation must occur on the ﬁrst operand (since

J;ϕ would have been reduced to ϕ), and it is thus de-

ﬁned as viopϕq. In the case of waitpdq, the violation

is always false, since it depicts a time delay, then an

immediate violation is false. Finally, the deﬁnition

vioprec x.ϕq = viopϕq is well-formed since recursion

is always assumed to be guarded.

Lemma 1. For any contract ϕ P C , viopϕq )( tt if

and only if ϕ ” K.

Proof. The proof uses structural induction on ϕ.

The only non-trivial case being when ϕ = ϕ

^ ϕ

in which case we use Proposition 1. [\

4.5 Contracts Acting on Systems

We can now deﬁne how contracts evolve alongside a

system, and what it means for a system to satisfy a

contract.

Deﬁnition 10. Given a contract ϕ P C with a set of

actions Act

and a system A, we deﬁne the semantics

of ϕ}A — the combination of the system with the con-

tract — with alphabet Act with Act

Ď Act through

the following rules:

MODELSWARD 2020 - 8th International Conference on Model-Driven Engineering and Software Development

200

(M1)

a,k

−−Ñ ϕ

, A

a,s

−−Ñ A

ϕ } A =ñ ϕ

} A

k P s

(M2)

pa,kq

−−−−Ñ ϕ

, A ( xa, ky

ϕ } A =ñ ϕ

} A

(M3)

a,s

−−Ñ A

ϕ } A =ñ ϕ } A

a R Act

(M4)

::; A

, ϕ

::; ϕ

< d ¨ if A

::; A

and

::; ϕ

then A

( viopϕ

ϕ } A =ñ ϕ

} A

Rule (M1) and (M2) handles synchronization be-

tween the contract and the system. If an action a per-

formed by the system is of interest to the contract, the

contract evolves alongside the system ((M1)), if the

contract allows an agent to perform an action but only

agent k (and no other agent) is willing to engage in the

action, then only the contract evolves ((M2)). Rule

(M3) handles actions on the system in which the con-

tract is not interested in. Finally, rule (M4) ensures

that time cannot skip over a violation.

Deﬁnition 11. Let A be a system and ϕ P C be a con-

tract.

• System A can breach ϕ, written breachpA, ϕq, if

there exists a computation that leads to a violation

of the contract: for some n ě 0 and contracts ϕ

till ϕ

such that:

ϕ } A = ϕ

} A

=ñ . . . ϕ

n−1

} A

n−1

=ñ ϕ

} A

and A

( viopϕ

• System A may fulﬁl ϕ, written fulﬁllpA, ϕq, if there

exists a computation of the system that fulﬁls the

contract: for some n ě 0 and contracts ϕ

till ϕ

ϕ } A = ϕ

} A

=ñ . . . ϕ

n−1

} A

n−1

=ñ ϕ

} A

and A ( viopϕ

q for 0 ď k < n, and ϕ

” J.

Note that there are contracts that may never be

fulﬁlled. An example of such a contract is ϕ =

rec x.ra, k, 8spK, 8q, which may never be fulﬁlled

since there are no transitions from this contract lead-

ing to J. Nevertheless, if agent k never performs ac-

tion a, then neither is the contract broken.

5 REFINEMENT

We now deﬁne two notions of contract reﬁnement

(ď

and ď

). Intuitively ď

relates two contracts

ϕ, ψ P C (i.e. ϕ ď

ψ) if any system which can breach

contract ϕ, can also breach contract ψ. The meaning

of ď

is its dual: if ϕď

ψ then any system which can

fulﬁl ϕ can also fulﬁl ψ. Both notions are based on

simulation techniques, deﬁned in a co-inductive fash-

ion.

Deﬁnition 12. Let ϕ, ψ P C and R Ď C ˆ C , we say

that R is a K-simulation relation iff whenever pϕ, ψq P

R the following conditions hold:

(i) viopϕq ( viopψq.

(ii) If ϕ

::; ϕ

then

a. there is d

ď d such that ψ

::; K, or

b. there is ψ

P C and ψ

::; ψ

and pϕ

, ψ

q P

(iii) If ϕ

−−Ñ ϕ

then there exists ψ

P C and ψ

−−Ñ

and pϕ

, ψ

q P R.

We say ϕ ď

ψ if there is a K-simulation relation R

such that pϕ, ψq P R.

Deﬁnition 13. Let ϕ, ψ P C and R Ď C ˆ C , we say

that R is a J-simulation relation iff whenever pϕ, ψq P

R, the following conditions hold:

(i) If ϕ ” J then ψ ” J.

(ii) If viopψq ( viopϕq.

(iii) If ϕ

::; ϕ

then

a. there is d

ď d such that ψ

::; J, or

b. there is ψ

P C and that ψ

::; ψ

and

pϕ

, ψ

q P R.

(iv) If ϕ

−−Ñ ϕ

then there is ψ

P C such that ψ

−−Ñ

and pϕ

, ψ

q P R.

We say ϕ ď

ψ if there is a K-simulation relation R

such that pϕ, ψq P R.

Lemma 2. The relation id = tpϕ, ϕq | ϕ P C u is both

a K-simulation relation and a J-simulation relation.

Proof. It is immediate from the deﬁnitions. [\

Lemma 3. Let R

and R

be K-simulation relations

(respectively J-simulation). Then, their composition

˝ R

is also a K-simulation relation (respectively

J-simulation).

Proof. The proof is simple from the deﬁnitions. [\

Proposition 5. The relations ď

and ď

are reﬂex-

ive and transitive.

Proof. This proposition is immediate from Lemmas 2

and 3. [\

Consider the following example illustrating the

use of these deﬁnitions.

Example 5.

waitp3q ď

paqr5s

waitp3q;K ę

paqr5s;K

paqr3s ď

waitp3q

paqr3s § O

pbqr2s ę

waitp3q § O

pbqr2s

waitp5q ď

paqr6s

waitp5q ^ waitp7qď

paqr6s ^ waitp7q

Themulus: A Timed Contract-calculus

201

It is not difﬁcult to formally verify the correctness of

these orderings. For instance, consider waitp3q and

paqr5s — the former cannot be violated, whilst the

latter can be violated by any system that does not al-

low agent k to perform action a within 5 units of time,

which ensures that the simulation holds. Now con-

sider waitp3q ď

paqr5s, we can put both contracts

in the context of the continuation operator to follow

up with K. While waitp3q;K cannot be fulﬁlled after

3 units of time whatever the system does, in the case

of P

paqr5s;K, if the system allows agent k to perform

a after 3 units of time but agent k does not perform the

action, the contract is not broken yet. Regarding the

relation, dual reasoning can be applied, whilst the

other relations can be similarly reasoned about.

Since the relations are preorders, for each of them

we have an equivalence relation. However, we can

prove that these relations are, in fact, equivalent.

Proposition 6. The two equivalence relations v

Xď

−1

and v

= ď

Xď

−1

, are equal to each

other: v

= v

Proof. In order to prove v

Ď v

we have to prove

Ď ď

and v

Ď ď

−1

. Both proofs are symmet-

rical, so let us prove the ﬁrst. It is sufﬁcient to prove

that v

is a J-simulation relation. Consider ϕ, ψ P C

such that ϕ v

ψ — we must prove the conditions

of Deﬁnition 13, with the only non-trivial one being

condition i. Assume ϕ ” J. Since ϕv

ψ, we deduce

viopψq = ff . If ψ ı J, then by Proposition 3, for any

possible α there must exist ψ

such that ψ

−−Ñ ψ

Again, since ϕ v

ψ we obtain that for any α, there

must exist ϕ

such that J = ϕ

−−Ñ ϕ

, which is im-

possible. We can thus conclude that ψ ” J. [\

Given their equivalence, we can deﬁne the sim-

ulation equivalence of contracts as either of the two

equivalence relations.

Deﬁnition 14. We deﬁne the simulation equivalence

relation as v

= ď

X ď

−1

Consider the K simulation: if two contracts are

related ϕď

ψ, then the violations identiﬁed by ϕ are

also identiﬁed by ψ.

Theorem 1. Let A be a system and ϕ, ψ P C be con-

tracts, such that ϕ ď

ψ. Then, if A violates ϕ, it also

violates ψ: breachpA, ϕq ñ breachpA, ψq.

Proof. Since ϕ ď

ψ, then there exists a simula-

tion contract relation R, such that pϕ, ψq P R. On the

other hand, since breachpA, ϕq holds, there exists a

sequence of transitions

ϕ } A = ϕ

} A

=ñ . . . ϕ

} A

= ϕ

} A

where n ě 0, such that breachpA

, ϕ

q. By simulat-

ing ϕ, we can build a computation beginning with the

contract ψ

= ψ:

ψ } A = ψ

} A

=ñ . . . ψ

} A

= ψ

} A

such that m ď n, pϕ

, ψ

q P R for 0 ď k < m, and

breachpA

, ψ

q. Let us proceed by induction. If n = 0

the proof is immediate, so let us consider the induc-

tive case n ą 0. Let us consider the ﬁrst transition.

There are four cases according to the rules of the sys-

tem transitions (Deﬁnition 1):

Rules M1 and M2. ϕ

−−Ñ ϕ

. Since pϕ

, ψ

q P R,

then there is a contract ψ

such that ψ

−−Ñ ψ

and

pϕ

, ψ

q P R. Therefore, we obtain that we have the

computation ψ

} A

=ñ ψ

} A

. Then we obtain the

result by induction.

Rule M3. This is trivial because the contract is not

involved.

Rule M4. ϕ

::; ϕ

then either:

1. There exists d

< d such that ψ

::; K. In this

case we obtain ψ } A =ñ K} A

2. There exists ψ

such that ψ

::; ψ

and

pϕ

, ψ

q P R. If there were 0 < d

< d such

that ψ

::; ψ

, A

::; A

, and A

( viopψ

then we obtain the result immediately. Otherwise

ψ } A =ñ ψ

} A

and we obtain the result by in-

duction.

Finally, if m < n we have found the computation ψ }

A =ñ

∗

K } A

. Otherwise pϕ

, ψ

q P R, then viopϕ

q (

viopψ

q, and by deﬁnition A

( viopψ

q. [\

Now let us prove the corresponding property of J

simulated contract. If two contracts are related ϕ ď

, and if ϕ can be fulﬁlled by a system, then ϕ

is also

fulﬁlled by the same system.

Theorem 2. Let A be a system and ϕ, ψ P C be con-

tracts such that ϕď

ψ. Then, if A can fulﬁl ϕ, it can

also fulﬁl ψ: fulﬁllpA, ϕq ñ fulﬁllpA, ψq.

Proof. The proof of this theorem is very similar to

the previous one. The inductive cases for rules M1,

M2 and M3 are similar: We only have to verify A

(

viopψ

q, which is immediate since viopψ

q ( viopϕ

The case M4 is slightly different; so let us assume

−−Ñ ϕ

. First let us suppose that there exists d

< d

such that ψ

−−Ñ ψ

, A

::; A

and A

( viopψ

Due to Proposition 4 and the deﬁnition of J simula-

tion contract, there exists ϕ

such that ϕ

−−Ñ ϕ

with

pϕ

, ψ

q P R. Therefore viopψ

q ( viopϕ

q and then the

transition ϕ } A =ñ ϕ

} A is not possible. Now, since

pϕ

, ψ

q P R there are two cases:

1. There exists d

< d such that ψ

::; J, so in this

case we have found the computation ψ

::;

J } A.

MODELSWARD 2020 - 8th International Conference on Model-Driven Engineering and Software Development

202

2. There exists ψ

such that ψ

::; ψ

and

pϕ

, ψ

q P R. If ϕ

” J then ψ

” J and we

have found the required computation. Otherwise,

viopψ

q ( viopϕ

q and then A

( viopψ

q, so we

obtain the result by induction.

Finally, in this section we are going to show im-

portant properties of the relations ď

and ď

. First,

let us show that J and K are the best contracts in their

respective relations ď

and ď

. Then, as ϕ ^ J ” ϕ

and ϕ _ K ” ϕ, it is important to show ϕ ^ ϕ

and ϕ _ ϕ

ϕ.

Proposition 7. For any ϕ, ϕ

P C , the following hold:

1. ϕ ď

2. ϕ ď

3. ϕ _ ϕ

4. ϕ ^ ϕ

5. ϕ v ϕ _ ϕ

6. ϕ v ϕ ^ ϕ

Proof.. Statements 1 and 2 follow from the def-

initions and Lemma 1. For 3 we have to check

that R

= tpϕ _ ϕ

, ϕq | ϕ, ϕ

P C u is a K simula-

tion contract. While for 4 we have to check that

= tpϕ ^ ϕ

, ϕq | ϕ, ϕ

P C u is a J simulation con-

tract. For 5 and 6 it is easy to check that the relations

= tpϕ, ϕ _ ϕq | ϕ P C }, R

= tpϕ _ϕ, ϕq | ϕ P C },

= tpϕ, ϕ ^ ϕq | ϕ P C }, and R

= tpϕ ^ ϕ, ϕq | ϕ P

C } are respectively both, J simulation contracts and

K simulation contracts. [\

Let us show cases in which the relations act as

congruences.

Proposition 8. For any ϕ, ϕ

, ψ, ψ

P C , the following

hold:

If ϕ

ϕ and ψ

ψ:

K.1 ϕ

§ ψ

ϕ § ψ

K.2 ϕ

^ ψ

ϕ ^ ψ

K.3 ϕ

_ ψ

ϕ _ ψ

K.4 cond

paqrdspϕ

, ψ

cond

paqrdspϕ, ψq

If ϕ

ϕ and ψ

ψ:

J.1 ϕ

;ψ

ϕ;ψ

J.2 ϕ

^ ψ

ϕ ^ ψ

J.3 ϕ

_ ψ

ϕ _ ψ

J.4 cond

paqrdspϕ

, ψ

cond

paqrdspϕ, ψq

Proof. For all the cases consider the relations:

pop,relq

= ď

rel

Ytpϕ op ψ, ϕ

op ψ

q |

ϕ, ϕ

, ψ, ψ

P C , ϕ ď

rel

, ψ ď

rel

where op P t;, §, ^, _, cond

paqrdsp¨, ¨qu and rel P

tJ, Ku. In all cases we have to prove that R

pop,relq

is a

rel simulation. Also in all cases we are going to con-

sider pχ, χ

q P R

pop,relq

and to prove that pχ, χ

q Pď

rel

. If pχ, χ

q Pď

rel

there is nothing to prove, so we con-

sider that χ = ϕ op ψ, χ

= ϕ

op ψ

, ϕ ď

rel

and

ψ ď

rel

. In all cases we have to check the condi-

tions on the corresponding relation in Deﬁnitions 12

and 13. [\

Theorem 3. v is a congruence.

Proof. This follows from the previous proposition

and Proposition 6. [\

6 CONCLUSIONS

The calculus Themulus allows us to reason about con-

tracts with time constraints independent of the sys-

tems on which they are applied to. In order to achieve

this, we have introduced a notion of similarity be-

tween contracts, which takes into account predicates

over system states, and shows how these semantics

can be used for runtime veriﬁcation of contracts.

There are various research directions we intend

to explore. From a practical perspective, we will be

looking into automated runtime veriﬁcation of con-

tracts, and looking at how this scales up with more

complex contracts. From a theoretical perspective,

there are various questions we have yet to explore —

from identifying conﬂicts in our contract language, to

looking at automated synthesis of the strongest con-

tract satisﬁed by a given system (analogous to the

weakest-precondition) and synthesis of the weakest

system satisfying a given contract.

One application arising from runtime monitoring

was that of runtime enforcement, where starting from

a speciﬁcation, algorithmic machinery is synthesized

to ensure that the system under scrutiny does not vi-

olate the speciﬁcation e.g. by delaying or injecting

events. In particular, there is a body of work on run-

time enforcement of timed properties e.g. (Falcone

et al., 2016) which could offer insight on how our

work can be extended to build contract enforcement

engines, a notion that has not been widely explored in

the deontic logic world.

REFERENCES

Asarin, E., Mysore, V., Pnueli, A., and Schneider, G.

(2012). Low dimensional hybrid systems - decidable,

undecidable, don’t know. Inf. Comput., 211:138–159.

Azzopardi, S., Pace, G. J., and Schapachnik, F. (2014).

Contract automata with reparations. In Legal Knowl-

edge and Information Systems - JURIX: The Twenty-

Seventh Annual Conference, Jagiellonian University,

Krakow, Poland, 10-12 December, pages 49–54.

Belnap, N. and Perloff, M. (1993). In the realm of agents.

Ann. Math. Artif. Intell., 9(1-2):25–48.

Bocchi, L., Yang, W., and Yoshida, N. (2014). Timed mul-

tiparty session types. In CONCUR 2014 - Concur-

rency Theory - 25th International Conference, CON-

CUR 2014, Rome, Italy, September 2-5, 2014. Pro-

ceedings, pages 419–434.

Cambronero, M., Llana, L., and Pace, G. J. (2017). A cal-

culus supporting contract reasoning and monitoring.

IEEE Access, 5:6735–6745.

Chaochen, Z., Hoare, C. A. R., and Ravn, A. P. (1991). A

calculus of durations. Inf. Process. Lett., 40(5):269–

276.

Themulus: A Timed Contract-calculus

203

Falcone, Y., J

eron, T., Marchand, H., and Pinisetty, S.

(2016). Runtime enforcement of regular timed proper-

ties by suppressing and delaying events. Sci. Comput.

Program., 123:2–41.

Fenech, S., Pace, G. J., Okika, J. C., Ravn, A. P., and

Schneider, G. (2009). On the speciﬁcation of full con-

tracts. Electr. Notes Theor. Comput. Sci., 253(1):39–

55.

Georg Henrik Von Wright (1951). Deontic Logic. Mind,

60(237):1–15.

Governatori, G. and Milosevic, Z. (2005). Dealing with

contract violations: formalism and domain speciﬁc

language. In EDOC Enterprise Computing Confer-

ence, Ninth IEEE International, pages 46–57. IEEE

Computer Society.

Horty, J. F. (2001). Agency and Deontic Logic. Oxford

University Press.

Jeremaes, P., Khosla, S., and Maibaum, T. (1986). A modal

(action) logic for requirements speciﬁcation. Software

Engineering, 86:278–294.

Khosla, S. (1988). System Speciﬁcation: A Deontic Ap-

proach. PhD thesis, Imperial College of Science and

Technology, University of London.

Milner, R. (1999). Communicating and Mobile Systems:

the π-Calculus. Cambridge University Press.

Newman, M. H. A. (1942). On theories with a combinato-

rial deﬁnition of” equivalence”. Annals of mathemat-

ics, pages 223–243.

Pace, G. J. and Schapachnik, F. (2012). Contracts for Inter-

acting Two-Party Systems. In FLACOS’12, volume 94

of ENTCS, pages 21–30.

Yi, W. (1991). CCS + time = an interleaving model for

real time systems. In Automata, Languages and Pro-

gramming, 18th International Colloquium, ICALP91,

Madrid, Spain, July 8-12, 1991, Proceedings, pages

217–228.

MODELSWARD 2020 - 8th International Conference on Model-Driven Engineering and Software Development

204