Timed Automata Semantics for Visual e-Contracts
C-O Diagrams have been introduced as a means to have a more visual representation of electronic contracts, where it is possible to represent the obligations, permissions and prohibitions of the different signatories, as well as the penalties in case of non-fulfilment of their obligations and prohibitions. In such diagrams we are also able to represent absolute and relative timing constraints. In this paper we present a formal semantics for C-O Diagrams based on timed automata extended with an ordering of states and edges in order to represent different deontic modalities.
💡 Research Summary
The paper addresses the need for a formal, machine‑readable semantics for visual representations of electronic contracts, known as C‑O Diagrams. Traditional software contracts based on pre‑ and post‑conditions are insufficient for modern service‑oriented and component‑based systems, which require richer notions such as obligations, permissions, prohibitions, and temporal constraints. C‑O Diagrams fill this gap by providing a graphical box‑based notation where each box contains a guard (g), a time restriction (tr), a normative field (P, O, or F) that applies to actions, an optional reparations clause (R), a unique name, and an agent identifier. The diagrams support hierarchical composition through three refinement operators: AND (all sub‑clauses must hold), OR (any sub‑clause suffices), and SEQ (sequential execution). These refinements allow the modeling of concurrent actions (“&”), choices (“+”), and sequences (“;”), as well as repetition via arrows that point from a sub‑clause back to an ancestor.
The core contribution is a formal semantics that translates any C‑O Diagram into a Network of Timed Automata (NTA). An NTA consists of multiple timed automata sharing the same set of clocks and integer variables, synchronizing on shared actions. The authors adopt the classic definition of a timed automaton (locations, initial location, edges with guards, actions, assignments, clock resets, and invariants) and extend it with two strict partial orderings: ≺_N on locations (nodes) and ≺_E on edges (transitions). To evaluate contract compliance, each node n is equipped with a violation set V(n), the set of contractual obligations or prohibitions that have been violated at that point, and a satisfaction set S(n), the set of obligations/prohibitions already fulfilled. A node n₁ is considered “better” than n₂ (n₁ ≺_N n₂) if V(n₁) is a proper subset of V(n₂), or if the violation sets are equal and S(n₁) is a proper superset of S(n₂). Edges are ordered analogously based on the violation and satisfaction sets of their target nodes. This ordering provides a quantitative way to compare alternative execution paths: paths that incur fewer violations and achieve more satisfactions are preferred.
The translation from diagram to automata respects the refinement operators: an AND refinement becomes a parallel composition of automata (modeling concurrency), an OR refinement becomes a nondeterministic choice between automata, and a SEQ refinement becomes a sequential composition where the second automaton can start only after the first reaches a final location. The guard and time‑restriction fields of a box become invariants and edge guards in the corresponding automata. Reparations are modeled as additional sub‑automata that are triggered when a violation occurs; once the reparations are satisfied, the original obligation is considered fulfilled despite the breach.
The authors implemented the translation in the UPPAAL model‑checking tool. They present a small case study involving a service provider’s obligation to deliver a result within a deadline, with a penalty clause activated upon timeout. The UPPAAL model correctly captures the deadline, the activation of the penalty automaton, and the updating of violation and satisfaction sets. By querying the model, they demonstrate that the ordering relations correctly identify the optimal execution trace (i.e., the one with no violations and maximal satisfaction).
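The node ordering defined above, applied to the deadline-with-penalty case study, as an added example that is not code from the paper or its UPPAAL model. The violation/satisfaction sets assigned to each trace, the DEADLINE value and the helper names are constructed assumptions; in particular the example assumes a missed deadline stays recorded in V after the penalty is paid.

```python
# Added example (not the paper's code): the node ordering of the C-O Diagram
# timed-automata semantics, applied to the deadline-with-penalty case study.
# A node n carries V(n) (violated clauses) and S(n) (satisfied clauses).
# n1 precedes n2 iff V(n1) is a proper subset of V(n2), or the violation sets
# are equal and S(n1) is a proper superset of S(n2).
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Node:
    name: str
    V: frozenset  # obligations/prohibitions violated at this node
    S: frozenset  # obligations/prohibitions satisfied at this node

def better(n1: Node, n2: Node) -> bool:
    """Strict partial order on nodes: proper-subset test on V, then proper-superset on S."""
    return n1.V < n2.V or (n1.V == n2.V and n1.S > n2.S)

def is_strict_partial_order(nodes) -> bool:
    """Irreflexive, asymmetric and transitive over a finite node set."""
    pairs = list(product(nodes, repeat=2))
    return (not any(better(a, a) for a in nodes)
            and not any(better(a, b) and better(b, a) for a, b in pairs)
            and all(better(a, c) for a, b, c in product(nodes, repeat=3)
                    if better(a, b) and better(b, c)))

def preferred(nodes):
    """Nodes no other node beats: end states of the best execution traces."""
    return [n for n in nodes if not any(better(m, n) for m in nodes if m != n)]

DEADLINE = 10  # constructed time bound on the obligation to deliver

def end_node(deliver_at, penalty_paid: bool) -> Node:
    """Constructed evaluation of one trace: deliver by DEADLINE, else the
    reparation is to pay a penalty.  Assumption: a missed deadline stays in V
    after the penalty is paid; the paid reparation itself is recorded in S."""
    V, S = set(), set()
    if deliver_at is not None and deliver_at <= DEADLINE:
        S.add("deliver")
    else:
        V.add("deliver")
        if penalty_paid:
            S.add("penalty")
    return Node(f"deliver@{deliver_at}/penalty={penalty_paid}", frozenset(V), frozenset(S))

def rank_case_study():
    """Three constructed traces, best first: on time, late but repaired, late and unrepaired."""
    traces = [end_node(None, False), end_node(13, True), end_node(7, False)]
    # Sort by how many other nodes beat each one (a linear extension of the order).
    return sorted(traces, key=lambda n: sum(better(m, n) for m in traces))
```

Because the relation is only a partial order, two traces with disjoint satisfaction sets and equal violation sets are incomparable; `preferred` returns every such maximal candidate rather than a single winner.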
In conclusion, the paper delivers a rigorous bridge between a user‑friendly visual contract language and a well‑established formal verification framework. By enriching timed automata with violation/satisfaction information and a node/edge ordering, it enables automated reasoning about contract compliance, detection of breaches, and selection of optimal remediation strategies. The work opens avenues for extending the approach to richer exception handling, multi‑contract interactions, and integration with higher‑level contract authoring tools, thereby advancing the state of the art in contract‑oriented software engineering.