Conformance Verification of Normative Specifications using C-O Diagrams
C-O Diagrams have been introduced as a means to have a visual representation of normative texts and electronic contracts, where it is possible to represent the obligations, permissions and prohibitions of the different signatories, as well as what the penalties are in case of non-fulfillment of their obligations and prohibitions. In such diagrams we are also able to represent absolute and relative timing constraints. In this paper we consider a formal semantics for C-O Diagrams based on a network of timed automata and we present several relations to check the consistency of a contract in terms of realizability, to analyze whether an implementation satisfies the requirements defined on its contract, and to compare several implementations using the executed permissions as criteria.
💡 Research Summary
The paper addresses the need for a formal, machine‑checkable semantics for C‑O Diagrams, a visual notation used to capture normative specifications such as electronic contracts. A C‑O Diagram can express obligations, permissions, prohibitions, associated penalties, and both absolute and relative timing constraints. The authors propose a semantics based on a Network of Timed Automata (NTA), where each normative element is translated into a timed automaton: obligations become mandatory transitions with deadline guards, permissions become optional transitions, prohibitions become error‑triggering transitions, and penalty clauses are modeled as separate automata that are activated upon violation. Absolute time constraints are expressed as bounds on a global clock, while relative constraints are expressed as differences between clocks that are reset when preceding obligations are satisfied.
With this formal foundation, the paper defines three verification relations. The first, realizability, checks whether a contract is internally consistent and executable. Using model‑checking tools such as UPPAAL, the authors verify that from the initial state there exists at least one path that can satisfy all obligations within their deadlines without triggering any prohibition. If no such path exists, the contract is deemed unrealizable due to contradictory timing or normative clauses.
The second relation, implementation conformance, maps a concrete implementation (software, service workflow, or protocol) to its own NTA representation and then tests language inclusion: the set of timed traces generated by the implementation must be a subset of the traces allowed by the contract automaton. Successful inclusion guarantees that the implementation fulfills every obligation, never performs a prohibited action, and only exercises permissions that the contract explicitly allows. The authors also discuss how to handle nondeterminism and how to incorporate penalty handling into the conformance check.
The third relation, permission‑based comparison, orders implementations by the permissions they actually exercise. For each implementation the set of executed permission events is collected, and the sets are compared under set inclusion, which is a partial order: an implementation whose set strictly contains another's exercises more of the freedom the contract grants, while two implementations whose sets are not nested are incomparable. An implementation that exercises more permissions without violating any obligation or prohibition is considered more flexible or of higher quality, while one that leaves permissions unused without reason may be less desirable.
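The three relations above (realizability, trace conformance, and permission‑based comparison) can be sketched concretely once clauses and traces are given a data representation. The following Python is an added example, not the paper's timed‑automata semantics or any tool it uses: it replaces UPPAAL clocks with plain numeric deadlines, makes prohibitions unconditional, checks realizability only through a greedy witness that exercises no permissions, and uses a constructed buyer/seller contract and constructed traces whose action names, deadlines and timings are assumptions.

```python
"""Constructed toy model of C-O style clauses checked over timed traces (assumption,
not the paper's NTA semantics). An O/P clause is active from t=0 (absolute) or from the
first occurrence of its `trigger` (relative) and applies for `deadline` time units."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

Trace = List[Tuple[float, str]]          # timed trace: (time, action) pairs

@dataclass(frozen=True)
class Clause:
    kind: str                       # "O" obligation, "P" permission, "F" prohibition
    action: str
    trigger: Optional[str] = None   # None: absolute, active from t=0
    deadline: float = float("inf")  # window length after activation

def _activation(trace: Trace, clause: Clause) -> Optional[float]:
    """Time the clause becomes active in `trace`, or None if its trigger never occurs."""
    if clause.trigger is None:
        return 0.0
    return next((t for t, a in trace if a == clause.trigger), None)

def check_conformance(contract: List[Clause], trace: Trace) -> List[str]:
    """Return the violations of `trace` against `contract` (empty list: the trace conforms)."""
    violations: List[str] = []
    allowed = {c.action for c in contract if c.kind in ("O", "P")}
    forbidden = {c.action for c in contract if c.kind == "F"}
    for t, a in trace:                                 # every event must be obliged or permitted
        if a in forbidden:
            violations.append(f"prohibited action {a!r} at t={t}")
        elif a not in allowed:
            violations.append(f"action {a!r} at t={t} is neither obliged nor permitted")
    for c in contract:
        if c.kind == "F":
            continue
        start = _activation(trace, c)
        if start is None and c.kind == "O":
            continue                                   # relative obligation never activated
        window = None if start is None else (start, start + c.deadline)
        occurrences = [t for t, a in trace if a == c.action]
        in_window = [t for t in occurrences if window and window[0] <= t <= window[1]]
        if c.kind == "O" and not in_window:
            violations.append(f"obligation {c.action!r} not fulfilled in window {window}")
        for t in occurrences:                          # a permission only counts inside its window
            if c.kind == "P" and t not in in_window:
                violations.append(f"permission {c.action!r} used at t={t} outside window {window}")
    return violations

def realizability_witness(contract: List[Clause]) -> Optional[Trace]:
    """Greedy realizability check: perform every activated obligation at its earliest time.
    Returns the witness trace if it conforms, else None. Only the strategy that exercises no
    permission is tried; a real model checker explores all interleavings and clock values."""
    trace: Trace = []
    pending = [c for c in contract if c.kind == "O"]
    for _ in range(len(pending)):                      # each round activates the next link of a chain
        for c in list(pending):
            start = _activation(trace, c)
            if start is not None:
                trace.append((start, c.action))
                pending.remove(c)
    trace.sort()
    return trace if not check_conformance(contract, trace) else None

def executed_permissions(contract: List[Clause], impl: List[Trace]) -> Set[str]:
    """Permissions an implementation (a set of traces) actually exercises."""
    perms = {c.action for c in contract if c.kind == "P"}
    return {a for trace in impl for _, a in trace if a in perms}

def compare_implementations(contract: List[Clause], impl_a: List[Trace], impl_b: List[Trace]) -> str:
    """Order two conforming implementations by set inclusion of executed permissions."""
    for name, impl in (("A", impl_a), ("B", impl_b)):
        for trace in impl:
            bad = check_conformance(contract, trace)
            if bad:
                raise ValueError(f"implementation {name} does not conform: {bad}")
    pa, pb = executed_permissions(contract, impl_a), executed_permissions(contract, impl_b)
    if pa == pb:
        return "A = B"
    if pa < pb or pb < pa:                             # strict inclusion: one side is more flexible
        return "A < B" if pa < pb else "A > B"
    return "A ? B"                                     # incomparable under the subset order

# Constructed buyer/seller contract (times in hours; an assumption, not the paper's case study).
CONTRACT = [
    Clause("O", "pay", None, 24),           # buyer pays within 24h of contract start
    Clause("O", "deliver", "pay", 48),      # seller delivers within 48h of payment
    Clause("P", "return", "deliver", 168),  # buyer may return within 7 days of delivery
    Clause("O", "refund", "return", 72),    # seller refunds within 72h of a return
    Clause("F", "copy", None),              # copying the goods is always prohibited
]
UNREALIZABLE = [Clause("O", "ship", None, 10), Clause("F", "ship", None)]  # obliged and forbidden

# Constructed traces: two conforming workflows and three faulty runs.
BASELINE = [(10, "pay"), (40, "deliver")]
OPTIMIZED = [(10, "pay"), (30, "deliver"), (100, "return"), (150, "refund")]
LATE_DELIVERY = [(10, "pay"), (70, "deliver")]               # deliver window is (10, 58)
PIRATED = [(10, "pay"), (30, "deliver"), (31, "copy")]
NO_REFUND = [(10, "pay"), (30, "deliver"), (100, "return")]  # return activates the refund obligation
```

Calling the functions on the constants: `check_conformance(CONTRACT, LATE_DELIVERY)` reports the missed delivery window, `realizability_witness(UNREALIZABLE)` returns `None` because the same action is both obliged and forbidden, and `compare_implementations(CONTRACT, [BASELINE], [OPTIMIZED])` yields `"A < B"` because only the optimized workflow exercises the return permission. The greedy witness is sound for what it finds (a conforming witness proves realizability) but incomplete: it never exercises permissions, so obligations triggered only by a permitted action are never activated and therefore never checked, which is the gap an exhaustive model check over the network of timed automata closes.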
A detailed case study illustrates the methodology. The authors model an e‑commerce contract involving buyer and seller obligations (payment, delivery), permissions (return request), prohibitions (unauthorized copying), and complex timing (delivery within 48 hours, return within 7 days). They translate the diagram into an NTA, verify realizability with UPPAAL, and then model two different service workflows as NTAs. Conformance checking shows that both workflows satisfy the contract, but the optimized workflow activates additional permission transitions (early return) that the baseline workflow does not. This demonstrates how the permission‑based comparison can highlight functional improvements.
Overall, the contribution of the paper is threefold: (1) a rigorous timed‑automata semantics for C‑O Diagrams, (2) automated verification techniques for contract consistency and implementation conformance, and (3) a novel metric for comparing implementations based on executed permissions. By bridging the gap between informal visual contracts and formal verification tools, the work enables early detection of normative errors, systematic compliance checking, and informed selection among alternative implementations in domains such as electronic contracts, service‑level agreements, and policy‑driven network management.