\excludeversion

TR \includeversionPAPER

Contracts for Interacting Two-Party Systems

Gordon J. Pace Department of Computer Science,
University of Malta gordon.pace@um.edu.mt Departamento de Computación, FCEyN,
Universidad de Buenos Aires, Buenos Aires, Argentina Fernando Schapachnik Partially founded by UBACyT 20020100200103.Departamento de Computación, FCEyN,
Universidad de Buenos Aires, Buenos Aires, Argentina fschapachnik@dc.uba.ar

Abstract

This article deals with the interrelation of deontic operators in contracts – an aspect often neglected when considering only one of the involved parties. On top of an automata-based semantics we formalise the onuses that obligations, permissions and prohibitions on one party impose on the other. Such formalisation allows for a clean notion of contract strictness and a derived notion of contract conflict that is enriched with issues arising from party interdependence.

1 Introduction

Deontic modalities such as permission and obligation have been debated exhaustively in the literature, and various formalisms exist with different interpretations and axiomatisation of deontic notions. With few exceptions, the modalities are usually presented in an impersonal manner, refering only to the subject of the modality. For instance, most formalisms enable reasoning about notions such as “John is permitted to withdraw cash” and “John is obliged to pay an annual credit card fee”. However, in a contractual setting, the behaviour involves interaction between the two parties the contract binds, and such statements about the ideal behaviour have both a notion of the subject and object of the action. For instance, in a contract between John and his bank, the clause “John is permitted to withdraw cash” is about both parties, and can be interpreted to mean that if John attempts to withdraw cash, then the bank will not refuse or hinder his action. Similarly, the clause “John is obliged to pay an annual credit card fee” places an obligation on John to perform an action with the bank as the object of the action, and (arguably) also places the onus on the bank to accept the payment. Interacting parties allow for both cooperation and interference between the parties in the actions they perform, and thus bring about an additional dimension to contract analysis. An interesting corollary to this view, is that permission can now be seen as a first class deontic modality. Typically seen as the dual of prohibition, violations of permissions have always proved difficult to formalise their violation, mainly since a branching logic analysis is required (if party $p$ were to perform $a$ then they would not be stopped from doing so). In an interacting two party system context, permission now takes a first class role, obliging the object of the modality to allow the subject to perform the action if they so desire.

Although the work on deontic logic for interacting parties is not abundant, computer scientists have studied for various decades concurrent and synchronous composition, notions which embody precisely interaction from an action-based perspective. In [12] we have presented work-in-progress on how synchrony can be applied in a contractual setting, using a formal automaton-based model of interacting two-party systems in which the parties synchronise over a set of actions. In this paper we extend the work presented there to deal with (i) absence of actions; (ii) mutually exclusive actions; (iii) conflicts.

The rest of the paper is organised as follows. The next section formalises our notions of automata, deontic operators, contracts and contracts’ strength, which allows us to show, in Section 3 that some contracts cannot be satisfied at the same time and thus lead to a conflict. Finally, in Section 4 we discuss related work, and conclude in Section 5.

2 Regulated Two-Party Systems

2.1 An Automata-Based View

To enable direct reasoning about contracts, one requires a model in which the two parties somehow interact to agree on which actions to perform. We use the notion of synchronous composition [2] to model such behaviour. Furthermore, to be able to deal with concurrent obligations (for instance, one party being obliged to perform one action and the other being obliged to perform another), we adopt multi-action labels on transitions, since if we do not, it would be impossible not to violate a contract in which both parties have different obligations at the same time.

Definition 1

A multi-action automaton $S$ is a tuple $\langle\Sigma,\;Q,\;q0,\;\rightarrow\rangle$ , where $\Sigma$ is the alphabet of actions, $Q$ is the set of states, $q0\in Q$ is the initial state and $\rightarrow\subseteq Q\times 2^{\Sigma}\times Q$ is the transition relation. We will write $q\xrightarrow{A}q^{\prime}$ for $(q,A,q^{\prime})\in\rightarrow$ , $\mbox{{next}}(q)$ to be the set of target state and action set pairs of transitions outgoing from $q$ (defined to be $\{(A,q^{\prime})\mid q\xrightarrow{A}q^{\prime}\}$ ) and $\mbox{{acts}}(q)$ to be the set of all action sets on the outgoing transitions from $q$ (defined to be $\{A\mid\exists q^{\prime}\;\cdot\;q\xrightarrow{A}q^{\prime}\}$ ). We say that an automaton is total, if for every $q\in Q$ and $A\subseteq\Sigma$ , there is a $q^{\prime}\in Q$ such that $q\xrightarrow{A}q^{\prime}$ .

The synchronous composition of two automata $S_{i}=\langle Q_{i},\;q0_{i},\;\rightarrow_{i}\rangle$ for $i\in\{1,2\}$ (both with alphabet $\Sigma$ ) synchronising over alphabet $G$ , written $S_{1}\|_{{\small G}}S_{2}$ , and is defined to be $\langle Q_{1}\times Q_{2},\;(q0_{1},q0_{2}),\rightarrow\rangle$ , where $\rightarrow$ is the classical synchronous composition relation defined below:

\displaystyle\displaystyle{\hbox{\qquad\vbox{\hbox{\thinspace\hbox{\hbox{$\displaystyle\displaystyle q_{1}\xrightarrow{A}_{1}q_{1}^{\prime}$}}}\vbox{}}}\over\hbox{\hskip 37.12733pt\vbox{\vbox{}\hbox{\thinspace\hbox{\hbox{$\displaystyle\displaystyle(q_{1},q_{2})\xrightarrow{A}(q_{1}^{\prime},q_{2})$}}}}}}

A\cap G=\emptyset

\displaystyle\displaystyle{\hbox{\qquad\vbox{\hbox{\thinspace\hbox{\hbox{$\displaystyle\displaystyle q_{2}\xrightarrow{A}_{2}q_{2}^{\prime}$}}}\vbox{}}}\over\hbox{\hskip 37.12733pt\vbox{\vbox{}\hbox{\thinspace\hbox{\hbox{$\displaystyle\displaystyle(q_{1},q_{2})\xrightarrow{A}(q_{1},q_{2}^{\prime})$}}}}}}

A\cap G=\emptyset

\displaystyle\displaystyle{\hbox{\hskip 38.70624pt\vbox{\hbox{\thinspace\hbox{\hbox{$\displaystyle\displaystyle q_{1}\xrightarrow{A}_{1}q_{1}^{\prime},\;q_{2}\xrightarrow{B}_{2}q_{2}^{\prime}$}}}\vbox{}}}\over\hbox{\hskip 44.50409pt\vbox{\vbox{}\hbox{\thinspace\hbox{\hbox{$\displaystyle\displaystyle(q_{1},q_{2})\xrightarrow{A\cup B}(q_{1}^{\prime},q_{2}^{\prime})$}}}}}}

A\cap G=B\cap G\neq\emptyset

We can now define contracts to be automata with each state tagged with the contract which will be in force at that point. The contracts will be able to refer to both presence and absence of an action. Given an alphabet of actions $\Sigma$ , we write $\Sigma!$ to refer to the alphabet extended with actions preceded with an exclamation mark $!$ to denote their absence: $\Sigma!\stackrel{{\scriptstyle{\tiny df}}}{{=}}\Sigma\cup\{!a\mid a\in\Sigma\}$ . We use variables $x$ and $y$ to range over $\Sigma!$ . If $x$ is already an inverted action $x=!a$ , then expression $!x$ is interpreted to be $a$ .

Contract clauses are either (i) obligation clauses of the form ${\mathcal{O}}_{p}(a)$ or ${\mathcal{O}}_{p}(!a)$ , which say that party $p$ is obliged to perform or not perform action $a$ respectively; or (ii) permission clauses which can be either of the form of ${\mathcal{P}}_{p}(a)$ or ${\mathcal{P}}_{p}(!a)$ (party $p$ is permitted to perform, or not perform action $a$ respectively).

Definition 2

A contract clause over alphabet $\Sigma$ is structured as follows (where action $x\in\Sigma!$ , party $p\in\{1,2\}$ ):

$\mbox{Clause}::={\mathcal{O}}_{p}(x)\mid{\mathcal{P}}_{p}(x)$

A contract automaton is a total and deterministic multi-action automaton $S=\langle Q,\;q0,\;\rightarrow\rangle$ , together with a total function $\mbox{{contract}}\in Q\rightarrow 2^{\mbox{Clause}}$ assigning a set of clauses to each state. We use ${\mathcal{C}}{\mathcal{A}}$ to refer to the class of contract automata.

Two contract automata are said to be structurally isomorphic if they are structurally identical automata (they have the same set of states, initial state and transition relation) but may have different contract functions.

Structurally isomorphic contract automata allow us to reason about the weakening or strengthening of a contract by changing the clauses in particular states but respecting the structure (and thus the temporal behaviour) of the contract, and will be used in various theorems in the rest of the paper. We can now define a regulated two-party system in terms of multi-action automata.

Definition 3

A regulated two-party system synchronising over the set of actions $G$ is a tuple $R=\langle S_{1},S_{2}\rangle^{\mathcal{A}}_{G}$ , where $S_{i}=(\Sigma_{i},Q_{i},q0_{i},\rightarrow_{i})$ is a multi-action automaton specifying the behaviour of party $i$ , and ${\mathcal{A}}$ is a contract automaton over alphabet $\Sigma_{1}\cup\Sigma_{2}$ .

The behaviour of a regulated two-party system $R$ , written $[\![R]\!]$ , is defined to be the automaton $(S_{1}\|_{{\small G}}S_{2})\|_{{\small\Sigma}}{\mathcal{A}}$ . To make states in such systems more readable, we will write $((q_{1},q_{2}),q_{\mathcal{A}})$ as $(q_{1},q_{2})_{q_{\mathcal{A}}}$ .

A regulated two-party system is well-formed if $S_{1}\|_{{\small G}}S_{2}$ never deadlocks: $\forall(q_{1},q_{2})\;\cdot\;\mbox{{acts}}(q_{1},q_{2})\neq\emptyset$ .

In the rest of the paper we will assume that all systems are well-formed, i.e., do not deadlock. One way of guaranteeing this may be by having all system states provide a transition with the empty action.

Also note that the totality of the contract automaton guarantees that the system behaviour is not constrained, but simply acts to tag the states with the relevant contracts at each point in time.

2.2 Contract Satisfaction

Given a two-party system $(S_{1},S_{2})$ , and a contract automaton ${\mathcal{A}}$ , we can now define whether or not either party is violating the contract when a particular state is reached or a transition is taken. As we will see, a dual-view of violation, identifying both bad states and bad transitions, is necessary in a deontic context. We will look at the different deontic operators and define the set of violations induced for each of them.

Definition 4

Functions $O_{p}(q_{\mathcal{A}})$ and $F_{p}(q_{\mathcal{A}})$ give the set of actions respectively obliged to be performed and obliged not to be performed by party $p$ . They are defined in terms of the contract clauses in the state.

\begin{array}[]{rcl}&&\\[-23.00006pt] O_{p}(q_{\mathcal{A}})&\stackrel{{\scriptstyle{\tiny df}}}{{=}}&\{a\mid{\mathcal{O}}_{p}(a)\in\mbox{{contract}}(q_{\mathcal{A}})\}\\ F_{p}(q_{\mathcal{A}})&\stackrel{{\scriptstyle{\tiny df}}}{{=}}&\{a\mid{\mathcal{O}}_{p}(!a)\in\mbox{{contract}}(q_{\mathcal{A}})\}\\ &&\\[-23.00006pt] \end{array}

Action set $A$ is said to be viable for party $p$ in a contract automaton state $q_{\mathcal{A}}$ , written $\mbox{{viable}}_{p}(q_{\mathcal{A}},A)$ , if (i) all her obliged actions are included in $A$ but; (ii) no actions which the party is obliged not to perform are included $A$ :

\begin{array}[]{rcl}&&\\[-23.00006pt] \mbox{{viable}}_{p}(q_{\mathcal{A}},A)&\stackrel{{\scriptstyle{\tiny df}}}{{=}}&O_{p}(q_{\mathcal{A}})\subseteq A\land F_{p}(q_{\mathcal{A}})\cap A=\emptyset\\ &&\\[-23.00006pt] \end{array}

Since we would like to be able to place blame in the case of a violation, we parametrise contract satisfaction and violation by party.

It is also worth noting that while obligation to perform an action, for instance, is violated in a transition which does not include the action, permission is violated by a state in which the opportunity to perform the permitted action is not present. The satisfaction predicate will thus be overloaded to be applicable to both states and transitions. The predicate $\mbox{{sat}}^{{\mathcal{A}}}_{p}(X)$ will denote that the contract automaton ${\mathcal{A}}$ , reaching state $X$ or traversing transition $X$ , does not constitute a violation for party $p$ . $X$ ranges over states and transitions in the composed system. When ${\mathcal{A}}$ is clear from the context, we simply write $\mbox{{sat}}_{p}(X)$ . We start by defining separate satisfaction predicates for the deontic operators.

Permission.

If party $p$ is permitted to perform shared action $a$ , then the other party $\overline{p}$ must provide $p$ with at least one viable outgoing transition which contains $a$ but does not include any forbidden actions (that is, it is viable for $p$ ). Permission to perform local actions cannot be violated. In the case of a single permission, this can be expressed as follows:

\begin{array}[]{l}(q_{1},q_{2})_{q_{\mathcal{A}}}\vdash_{p}{\mathcal{P}}_{p}(a)\stackrel{{\scriptstyle{\tiny df}}}{{=}}true\\ (q_{1},q_{2})_{q_{\mathcal{A}}}\vdash_{\overline{p}}{\mathcal{P}}_{p}(a)\stackrel{{\scriptstyle{\tiny df}}}{{=}}a\in G\implies\exists A\in\mbox{{acts}}(q_{\overline{p}}),\;A^{\prime}\subseteq G^{c}\;\cdot\;a\in A~\land~\mbox{{viable}}_{p}(q_{\mathcal{A}},A\cup A^{\prime})\end{array}

Similarly, if party $p$ is permitted to not perform action $a$ , then the other party $\overline{p}$ must provide $p$ with at least one viable outgoing transition which does not include $a$ nor any forbidden action. Permission to perform local actions can never be violated. In the case of a single permission, this can be expressed as follows:

\begin{array}[]{l}(q_{1},q_{2})_{q_{\mathcal{A}}}\vdash_{p}{\mathcal{P}}_{p}(!a)\stackrel{{\scriptstyle{\tiny df}}}{{=}}true\\ (q_{1},q_{2})_{q_{\mathcal{A}}}\vdash_{\overline{p}}{\mathcal{P}}_{p}(!a)\stackrel{{\scriptstyle{\tiny df}}}{{=}}a\in G\implies\exists A\in\mbox{{acts}}(q_{\overline{p}}),\;A^{\prime}\subseteq G^{c}\;\cdot\;a\notin A~\land~\mbox{{viable}}_{p}(q_{\mathcal{A}},A\cup A^{\prime})\end{array}

While actual obligation violations occur when an action is not performed, violations of a permission occur when no appropriate action is possible. {TR} In this paper we give a semantics that tags as a violation a state in which one party is permitted to perform an action, while the other provides no way of actually doing so. For any other parameters, the permission is otherwise satisfied.

Example: If $p$ is permitted to withdraw money from the bank, permitted not to deposit, obliged to pay the fee, and obliged not to steal ( ${\mathcal{P}}_{p}(w)$ , ${\mathcal{P}}_{p}(!d)$ , ${\mathcal{O}}_{p}(f)$ , ${\mathcal{O}}_{p}(!s)$ ), $\overline{p}$ should provide at least one transition that contains both a $w$ and an $f$ and contains neither a $d$ nor an $s$ .

To combine all permissions in a state, we simply take the conjunction of all conditions:

\mbox{{sat}}_{p}^{P}((q_{1},q_{2})_{q_{\mathcal{A}}})\stackrel{{\scriptstyle{\tiny df}}}{{=}}\forall{\mathcal{P}}_{\overline{p}}(x)\in q_{\mathcal{A}}\;\cdot\;(q_{1},q_{2})_{q_{\mathcal{A}}}\vdash_{p}{\mathcal{P}}_{\overline{p}}(x)

All transitions are taken as satisfying the permission satisfaction function.

Obligation.

Obligation brings in constraints on both parties. Given that party $p$ is obliged to perform action $a$ in a state means that (i) party $p$ must include the action in any outgoing transition in the composed system in which it participates; and (ii) the other party $\overline{p}$ must provide a viable synchronisation action set which, together with other asynchronous actions performed by $p$ , allows $p$ to perform all its obligations, positive and negative. Obligation to not perform action $a$ ( ${\mathcal{O}}_{p}(!a)$ ) can be similarly expressed. We combine all positive and negative obligations in the following definition:

\begin{array}[]{l}\mbox{{sat}}_{p}^{O}((q_{1},q_{2})_{q_{\mathcal{A}}}\xrightarrow{A}(q^{\prime}_{1},q^{\prime}_{2})_{q_{\mathcal{A}}^{\prime}})\stackrel{{\scriptstyle{\tiny df}}}{{=}}\mbox{{viable}}_{p}(q_{\mathcal{A}},A)\\ \mbox{{sat}}_{\overline{p}}^{O}((q_{1},q_{2})_{q_{\mathcal{A}}})\stackrel{{\scriptstyle{\tiny df}}}{{=}}\exists A\in\mbox{{acts}}(q_{\overline{p}}),\;A^{\prime}\subseteq G^{c}\;\cdot\;\mbox{{viable}}_{p}(q_{\mathcal{A}},A\cup A^{\prime})\end{array}

The satisfaction constraint for transitions is only applicable if $A$ is not an action set performed asynchronously by $\overline{p}$ . For other parameters, $\mbox{{sat}}_{p}^{O}(X)$ is true.

Example: Continuing the previous example, to satisfy $\mbox{{sat}}_{p}^{O}$ , all of $p$ ’s outgoing transitions must be $s$ -free and must have an $f$ , while $\overline{p}$ should offer at least one transition that contains an $f$ and not an $s$ . That is, if at a given state $\overline{p}$ offers only outgoing transitions labeled $\{f,s\}$ then she is forcing $p$ to an $s$ in order to have an $f$ , and thus not satisfying its part in $p$ ’s obligations.

General contract satisfaction.

It is defined as: $\mbox{{sat}}_{p}(X)\stackrel{{\scriptstyle{\tiny df}}}{{=}}\mbox{{sat}}_{p}^{P}(X)\land\mbox{{sat}}_{p}^{O}(X)$ . Based on this, we can now define correctness of a regulated two-party system.

Definition 5

A party $p$ is said to be incapable of breaching a contract in a regulated two-party system $R=\langle S_{1},S_{2}\rangle^{\mathcal{A}}_{G}$ , written $\mbox{{breachIncapable}}_{p}(R)$ , if $p$ cannot be in violation in any of the reachable states and transitions of $R$ .

Note that a party being breach-incapable is stronger than just being compliant for one specific run — $\mbox{{breachIncapable}}_{p}(R)$ means that there is no possible trace of $R$ , in which $p$ breaches the contract.

2.3 Other Modalities

Definition 6

Permissions and obligations are duals under a notion of norm opposites and action absence. We define the opposite of permission and obligation $!{\mathcal{P}}_{p}(x)$ and $!{\mathcal{O}}_{p}(x)$ syntactically in the following manner:

•

Party $p$ not being permitted to perform an action is equivalent to $p$ being obliged not to perform the action: $!{\mathcal{P}}_{p}(a)\stackrel{{\scriptstyle{\tiny df}}}{{=}}{\mathcal{O}}_{p}(!a)\quad\quad!{\mathcal{P}}_{p}(!a)\stackrel{{\scriptstyle{\tiny df}}}{{=}}{\mathcal{O}}_{p}(a)$
•

Party $p$ not being obliged to perform an action is equivalent to $p$ being permitted not to perform the action: $!{\mathcal{O}}_{p}(a)\stackrel{{\scriptstyle{\tiny df}}}{{=}}{\mathcal{P}}_{p}(!a)\quad\quad!{\mathcal{O}}_{p}(!a)\stackrel{{\scriptstyle{\tiny df}}}{{=}}{\mathcal{P}}_{p}(a)$

It should be noted that we are equating lack of permission to do $a$ to an obligation to perform an action set which does not include $a$ . Although this seems to go against the intuitive idea of letting a party do nothing as a way of not violating lack of permission, note that (i) since transitions carry sets of actions, the empty set of actions is a way of satisfying the obligation; and (ii) well-formedness (see Definition 3) of the parties ensures that progress is always possible thus making the formulation of lack of permission conform to our expectations.

It is interesting to note that in a two party system there are alternative notions of opposites to permission and obligation. Consider party $p$ not being permitted to perform action $a$ . Apart from the interpretation we gave, in which the norm places the onus on party $p$ not to perform $a$ , an alternative view is to push the responsibility to $\overline{p}$ and interpret it as: party $\overline{p}$ may not provide a viable action set which includes $a$ . This is distinct from $!{\mathcal{P}}_{p}(a)$ (and indeed from the other modalities we have). Similarly, consider party $p$ not being obliged to perform action $a$ . The interpretation we adopted permits party $p$ to not perform $a$ , but once again, alternative definitions may be adopted. One possibility is to push the responsibility to $\overline{p}$ and interpret it as: party $\overline{p}$ must provide a viable transition which does not include $a$ . These duals, in which the outer negation of a norm also corresponds to shifting of responsibility give an interesting alternative view of norm opposites in a two-party system. Another interesting alternative would be to interpret these negations as modalities whose only effect is the cancelling of existing clauses. We will not explore these alternative modalities any further in this paper, since the modalities we adopt provide a clean notion of conflicts, as discussed in Section 3. Should they be needed for a particular application, any of the above mentioned interpretations could be included as alternative type of negation. One of the advantages of clear formal semantics is that there is no need to dispute the meaning of a given term, since different ones can be defined and the appropriate one be picked to convey specific meanings. Prohibition can now be defined as the dual of permission:

Definition 7

Prohibition contract clauses ${\mathcal{F}}_{p}(a)$ and ${\mathcal{F}}_{p}(!a)$ , prohibiting party $p$ from performing and not performing $a$ respectively, can be expressed in terms of permission:

${\mathcal{F}}_{p}(a)~\stackrel{{\scriptstyle{\tiny df}}}{{=}}~!{\mathcal{P}}_{p}(a)\quad\quad{\mathcal{F}}_{p}(!a)~\stackrel{{\scriptstyle{\tiny df}}}{{=}}~!{\mathcal{P}}_{p}(!a)$

These definitions allow us to express prohibition in terms of obligation not to perform an action:

Proposition 1

Prohibition to perform an action is equivalent to obligation not to perform the action: ${\mathcal{F}}_{p}(x)={\mathcal{O}}_{p}(!x)$ .

2.4 Contract Strength

We can now define strictness relationships over contracts.

Definition 8

A contract automaton ${\mathcal{A}^{\prime}}$ is said to be stricter than contract automaton ${\mathcal{A}}$ for party $p$ (or ${\mathcal{A}}$ said to be more lenient than ${\mathcal{A}^{\prime}}$ for party $p$ ), written ${\mathcal{A}}\sqsubseteq_{p}{\mathcal{A}^{\prime}}$ , if for any systems $S_{1}$ and $S_{2}$ , $\mbox{{breachIncapable}}_{p}(\langle S_{1},S_{2}\rangle^{{\mathcal{A}^{\prime}}}_{G})\implies\mbox{{breachIncapable}}_{p}(\langle S_{1},S_{2}\rangle^{{\mathcal{A}}}_{G})$ . We say that two contract automata ${\mathcal{A}}$ and ${\mathcal{A}^{\prime}}$ are equivalent for party $p$ , written ${\mathcal{A}}=_{p}{\mathcal{A}^{\prime}}$ , if ${\mathcal{A}}\sqsubseteq_{p}{\mathcal{A}^{\prime}}$ and ${\mathcal{A}^{\prime}}\sqsubseteq_{p}{\mathcal{A}}$ . We define global contract strictness ${\mathcal{A}}\sqsubseteq{\mathcal{A}^{\prime}}$ to hold if ${\mathcal{A}}\sqsubseteq_{p}{\mathcal{A}^{\prime}}$ holds for all parties $p$ , and similarly global contract equivalence ${\mathcal{A}}={\mathcal{A}^{\prime}}$ .

Proposition 2

The relation over contracts $\sqsubseteq$ is a partial order.

Structurally isomorphic contract automata provide a useful proof technique:

Proposition 3

Given two structurally isomorphic contract automata ${\mathcal{A}}$ and ${\mathcal{A}}^{\prime}$ , ${\mathcal{A}}\sqsubseteq{\mathcal{A}}^{\prime}$ if and only if, for any state or transition $X$ , $\mbox{{sat}}^{{\mathcal{A}}^{\prime}}_{p}(X)\implies\mbox{{sat}}^{{\mathcal{A}}}_{p}(X)$ .

{TR}

This proof principle can be proved to hold by showing that (i) the automata obtained from the synchronous composition with the two contracts are structurally identical; and (ii) using the definition of breach incapability. The principle can be used to prove that contract automata are monotonic: {PAPER} The full proof of the proposition can be found in [11].

Proposition 4

Contract automata are monotonic: given two structurally isomorphic contract automata ${\mathcal{A}}$ and ${\mathcal{A}}^{\prime}$ , with contract clause functions contract and $\mbox{{contract}}^{\prime}$ respectively, which satisfy that $\forall q\;\cdot\;\mbox{{contract}}(q)\subseteq\mbox{{contract}}^{\prime}(q)$ , it follows that ${\mathcal{A}}\sqsubseteq{\mathcal{A}}^{\prime}$ .

{TR}

The proof follows from the observation that $\mbox{{sat}}_{p}(X)$ is essentially a conjunction of a proposition for each contract clause in the state. Hence, $\mbox{{sat}}^{{\mathcal{A}^{\prime}}}_{p}(X)$ (which has a larger set of clauses) implies $\mbox{{sat}}^{{\mathcal{A}}}_{p}(X)$ . Applying Proposition 3 to this observation completes the proof.

Although contracts are expressed as automata, we would like to be able to compare individual clauses. To do this we will need to relate contract automata which are equivalent except for a particular clause replaced by another.

Definition 9

Given two contract clauses $C$ and $C^{\prime}$ , the relation over contract automata $[C\rightarrow C^{\prime}]\subseteq{\mathcal{C}}{\mathcal{A}}\times{\mathcal{C}}{\mathcal{A}}$ relates two contract automata ${\mathcal{A}}$ and ${\mathcal{A}^{\prime}}$ if ${\mathcal{A}}$ is equivalent to ${\mathcal{A}^{\prime}}$ except possibly for a number of instances of clause $C$ replaced by $C^{\prime}$ .

We extend the notion of strictness to contract clauses. We say that clause $C^{\prime}$ is stricter than clause $C$ for party $p$ , written $C\sqsubseteq_{p}C^{\prime}$ , if for any contract automata ${\mathcal{A}}$ and ${\mathcal{A}^{\prime}}$ such that $({\mathcal{A}},{\mathcal{A}^{\prime}})\in[C\rightarrow C^{\prime}]$ , it follows that ${\mathcal{A}}\sqsubseteq_{p}{\mathcal{A}^{\prime}}$ . We similarly extend the notion of strictness for all parties $\sqsubseteq$ .

The following proposition allows us to use the proof principle given in Proposition 3 for reasoning about clause strictness:

Proposition 5

Given clauses $C$ and $C^{\prime}$ , any two contract automata related by $[C\rightarrow C^{\prime}]$ are structurally isomorphic.

2.5 Strictness Theorems

The strictness relationship between clauses allows us to state the following theorems.

Theorem 1

Obligation is stricter than permission: (i) ${\mathcal{P}}_{p}(a)\sqsubseteq{\mathcal{O}}_{p}(a)$ ; and (ii) ${\mathcal{P}}_{p}(!a)\sqsubseteq{\mathcal{O}}_{p}(!a)$ .

Proof 2.2.

We present the proof of (i) — the proof of (ii) is very similar. We need to prove that for any contract automata ${\mathcal{A}}$ and ${\mathcal{A}}^{\prime}$ such that $({\mathcal{A}},{\mathcal{A}}^{\prime})\in[{\mathcal{P}}_{p}(a)\rightarrow{\mathcal{O}}_{p}(a)]$ , then it follows that ${\mathcal{A}}\sqsubseteq{\mathcal{A}}^{\prime}$ . Using Proposition 5, we know that ${\mathcal{A}}$ and ${\mathcal{A}}^{\prime}$ are structurally isomorphic, allowing us to apply the proof principle of Proposition 3.

We thus have to show that $\mbox{{sat}}^{{\mathcal{A}^{\prime}}}_{p}(X)$ implies $\mbox{{sat}}^{{\mathcal{A}}}_{p}(X)$ . Since the permission in ${\mathcal{A}}$ which is replaced by an obligation, never yields violations for party $p$ nor for any party on transitions, it suffices to prove that this implication holds on states for party $\overline{p}$ .

The satisfaction function for $\overline{p}$ ’s obligations in states is:

$\exists A\in\mbox{{acts}}(q_{\overline{p}}),\;A^{\prime}\subseteq G^{c}\;\cdot\;\mbox{{viable}}_{p}(q_{\mathcal{A}^{\prime}},A\cup A^{\prime})$

If $a\in G$ , and since $a\in O_{p}(q_{\mathcal{A}^{\prime}})$ , we can conclude that $a\in A$ :

$a\in G\implies\exists A\in\mbox{{acts}}(q_{p}),\;A^{\prime}\subseteq G^{c}\;\cdot\;a\in A\land\mbox{{viable}}_{\overline{p}}(q_{\mathcal{A}^{\prime}},A\cup A^{\prime})$

Furthermore, since $q_{\mathcal{A}}$ has less obligations than $q_{\mathcal{A}^{\prime}}$ , viability for $q_{\mathcal{A}^{\prime}}$ implies viability for $q_{\mathcal{A}}$ :

$a\in G\implies\exists A\in\mbox{{acts}}(q_{p}),\;A^{\prime}\subseteq G^{c}\;\cdot\;a\in A\land\mbox{{viable}}_{\overline{p}}(q_{\mathcal{A}},A\cup A^{\prime})$

Hence, the satisfaction function for the permission ${\mathcal{P}}_{p}(a)$ holds and thus, by Proposition 3 we can conclude that ${\mathcal{A}}\sqsubseteq{\mathcal{A}}^{\prime}$ .

Theorem 2.3.

For synchronised actions, obligation for one party is stricter than permission for the other: (i) ${\mathcal{P}}_{p}(a)\sqsubseteq{\mathcal{O}}_{\overline{p}}(a)$ ; and (ii) ${\mathcal{P}}_{p}(!a)\sqsubseteq{\mathcal{O}}_{\overline{p}}(!a)$ .

{TR}

Proof 2.4.

As in the previous theorem, we observe that ${\mathcal{P}}_{p}(a)$ can only yield violations for states and for party $\overline{p}$ .

Observe that the obligation ${\mathcal{O}}_{\overline{p}}(a)$ in a state $q_{\mathcal{A}^{\prime}}$ guarantees that all outgoing transitions from the state $(q_{1},q_{2})_{q_{\mathcal{A}^{\prime}}}\xrightarrow{A}(q^{\prime}_{1},q^{\prime}_{2})_{q^{\prime}_{{\mathcal{A}}^{\prime}}}$ satisfy $\mbox{{viable}}_{\overline{p}}(q_{\mathcal{A}^{\prime}},A)$ .

Since we assume that the system does not deadlock, there is at least one such transition which party $p$ participates in. Furthermore, if $a\in G$ , it must also appear in the actions on the transition:

a\in G\implies\exists A\in\mbox{{acts}}(q_{p}),\;A^{\prime}\subseteq G^{c}\;\cdot\;a\in A\land\mbox{{viable}}_{\overline{p}}(q_{\mathcal{A}^{\prime}},A\cup A^{\prime})

This guarantees that $(q_{1},q_{2})_{q_{\mathcal{A}}}\vdash_{p}{\mathcal{P}}_{p}(a)$ , and allows us to complete the proof using Proposition 3.

It is interesting to note that if we had a weaker semantics which simply identifies a violation without identifying the guilty party, we would be able to show equivalence between ${\mathcal{O}}_{p}(a)$ and ${\mathcal{O}}_{\overline{p}}(a)$ , since a lack of $a$ on a transition would cause a violation of both obligations. However, since our semantics characterise violations for the parties separately, and the partial order $\sqsubseteq_{p}$ is parametrised by the party, we can show that the two obligations are in fact different [12].

2.6 Mutually Exclusive Actions

Although we adopt a multi-action approach, modelling real-world scenarios means that certain actions should never occur concurrently. For instance, one would expect that the automata never perform the action openDoor and closeDoor on the same transition. This allows us to identify strictness laws which hold only for mutually exclusive actions.

Definition 2.5.

Given a multi-action automaton $\langle\Sigma,\;Q,\;q0,\;\rightarrow\rangle$ , two actions $a$ and $b$ ( $\{a,b\}\subseteq\Sigma$ ) are said to be mutually exclusive, written $a\bowtie b$ , if they can never appear in the same set of actions on transitions. Thus, for any automaton, it should be the case that:

$\forall(q,A,q^{\prime})\in\rightarrow\;\cdot\;a\in A\implies b\notin A$

In the rest of the article we will assume that mutually exclusive actions never appear in the synchronisation sets. {PAPER} Removing this restriction, however, does not affect the results we present. {TR} This is done to simplify the presentation, since otherwise we would need a more complex rule for synchronous composition (not allowing synchronisation when the asynchronous actions of party are in conflict with those of the other) and a modified definition for the satisfaction of obligations (the other party must provide a viable action set which does not include any actions which may conflict with the obligations of the party to whom the obligation applies). Removing this restriction, however, does not affect the results we present. The following theorem shows how mutually exclusive actions and action absence are related together under both obligation and permission:

Theorem 2.6.

If $a\bowtie b$ then (i) ${\mathcal{O}}_{p}(!a)\sqsubseteq{\mathcal{O}}_{p}(b)$ ; and (ii) ${\mathcal{P}}_{p}(!a)\sqsubseteq{\mathcal{P}}_{p}(b)$ . {TR}

Proof 2.7.

To show (i), we need to prove that for any contract automata ${\mathcal{A}}$ and ${\mathcal{A}}^{\prime}$ such that $({\mathcal{A}}$ , ${\mathcal{A}}^{\prime})\in[{\mathcal{O}}_{p}(!a)\rightarrow{\mathcal{O}}_{p}(b)]$ , then it follows that ${\mathcal{A}}\sqsubseteq{\mathcal{A}}^{\prime}$ . As in the previous proofs, we can use Proposition 5 to conclude that ${\mathcal{A}}$ and ${\mathcal{A}}^{\prime}$ are structurally isomorphic, allowing us to apply the proof principle of Proposition 3.

We thus have to show that $\mbox{{sat}}^{{\mathcal{A}^{\prime}}}_{p}(X)$ implies $\mbox{{sat}}^{{\mathcal{A}}}_{p}(X)$ . We look at transitions and states separately:

Transitions:: The satisfaction function for the combined obligations for a transition $(q_{1},q_{2})_{q_{\mathcal{A}^{\prime}}}\xrightarrow{A}(q^{\prime}_{1},q^{\prime}_{2})_{q^{\prime}_{\mathcal{A}^{\prime}}}$ in automaton ${\mathcal{A}^{\prime}}$ is that $\mbox{{viable}}_{p}(q_{\mathcal{A}^{\prime}},A)$ . By definition of viability and the obligation ${\mathcal{O}}_{p}(b)$ in $q_{\mathcal{A}^{\prime}}$ , we can thus conclude that $b\in A$ . However, since $a\bowtie b$ , this means that $a\notin A$ , from which we can conclude that $\mbox{{viable}}_{p}(q_{\mathcal{A}},A)$ and hence that the satisfaction function also holds for transitions in ${\mathcal{A}}$ .
States:: The satisfaction function applied to states acts on the other party $\overline{p}$ . For state $(q_{1},q_{2})_{q_{\mathcal{A}^{\prime}}}$ , it is defined to be $\exists A\in\mbox{{acts}}(q_{\overline{p}}),\;A^{\prime}\subseteq G^{c}\;\cdot\;\mbox{{viable}}_{p}(q_{\mathcal{A}^{\prime}},A\cup A^{\prime})$ . Since $a\in G$ , the proof is identical to the previous case.

Hence, the satisfaction function for ${\mathcal{O}}_{p}(a)$ holds and thus, by Proposition 3 we can conclude that ${\mathcal{A}}\sqsubseteq{\mathcal{A}}^{\prime}$ and hence (i) holds.

The proof of (ii) follows similarly.

A similar result can be shown, but referring to the other party in the contract:

Theorem 2.8.

If $a\bowtie b$ then ${\mathcal{O}}_{\overline{p}}(!b)\sqsubseteq{\mathcal{O}}_{p}(a)$ .

{TR}

Proof 2.9.

We take an approach identical to the previous theorems and prove that for any contract automata ${\mathcal{A}}$ and ${\mathcal{A}}^{\prime}$ such that $({\mathcal{A}}$ , ${\mathcal{A}}^{\prime})\in[{\mathcal{O}}_{\overline{p}}(!b)\rightarrow{\mathcal{O}}_{p}(a)]$ , then it follows that ${\mathcal{A}}\sqsubseteq{\mathcal{A}}^{\prime}$ . Propositions 5 and 3 can then be used to complete the proof. As before, we consider the satisfaction relation on states and transitions separately:

Transitions:: The satisfaction function for the combined obligations for a transition $(q_{1},q_{2})_{q_{\mathcal{A}^{\prime}}}\xrightarrow{A}(q^{\prime}_{1},q^{\prime}_{2})_{q^{\prime}_{\mathcal{A}^{\prime}}}$ in automaton ${\mathcal{A}^{\prime}}$ is that $\mbox{{viable}}_{p}(q_{\mathcal{A}^{\prime}},A)$ . By definition of viability and the obligation ${\mathcal{O}}_{p}(a)$ in $q_{\mathcal{A}^{\prime}}$ , we can thus conclude that $a\in A$ . However, since $a\bowtie b$ , this means that $b\notin A$ . The same transition must be viable for $\overline{p}$ in ${\mathcal{A}^{\prime}}$ , so $\mbox{{viable}}_{\overline{p}}(q_{\mathcal{A}^{\prime}},A)$ holds. The absence of $b$ also allows us to conclude that $\mbox{{viable}}_{\overline{p}}(q_{\mathcal{A}},A)$ , which is the satisfaction function for ${\mathcal{O}}_{\overline{p}}(!b)$ over transitions in ${\mathcal{A}}$ .
States:: For state $(q_{1},q_{2})_{q_{\mathcal{A}^{\prime}}}$ , since we assume deadlock freedom and satisfaction of the obligation to perform $a$ , we know of the existence of an outgoing transition with action $a$ such that $a\in A$ . Since party $p$ is participating in this transition, and $a\in G$ , we can conclude that there is a transition viable for $\overline{p}$ , leaving from $q_{p}$ and with an action set which includes $a$ and hence not $b$ . Propositions 5 and 3 can then be conclude that $\exists A\in\mbox{{acts}}(q_{p}),\;A^{\prime}\subseteq G^{c}\;\cdot\;\mbox{{viable}}_{\overline{p}}(q_{\mathcal{A}},A\cup A^{\prime})$ .

Although one may be tempted to induce that a similar result can be shown for permission (analogous to part (ii) of Theorem 2.6) — ${\mathcal{P}}_{\overline{p}}(!b)\sqsubseteq{\mathcal{P}}_{p}(a)$ does not always hold. As a simple example of a system satisfying ${\mathcal{P}}_{p}(a)$ but not ${\mathcal{P}}_{\overline{p}}(!b)$ , consider party $p$ be able to perform just one transition with action set $\{b\}$ , and party $\overline{p}$ being able to perform one of two transitions: one with action set $\{a\}$ , the other with action set $\{b\}$ . Party $p$ is permitted to perform $a$ but party $\overline{p}$ is not permitted to perform $!b$ .

3 Conflicts

Contract clauses are not always compatible with one another. Many definitions of conflict are possible — in this article we deal only with one particular class of conflicts which focusses on conflicting norms and mutually exclusive actions, but some interesting issues arise from party interdependence. As expected, the obligation on a party to perform an action $a$ and the obligation on the same party not to perform the same action can never be satisfied together. Another interesting example is that of ${\mathcal{P}}_{p}(!a)$ and ${\mathcal{O}}_{p}(a)$ . Although one is tempted to intuitively think that having the possibility of doing something other than $a$ does not conflict with the obligation of doing $a$ , multi-action semantics in contracts are different: to satisfy the permission party $\overline{p}$ must provide $a$ -free action sets which allow $p$ to satisfy her obligations, but that requires that they contain $a$ . In this section we axiomatise the notion of conflicts in interacting two-party systems and investigate some consequences.

Definition 3.10.

Contract conflicts is a relation between contract clauses $\maltese\in\mbox{Clause}\leftrightarrow\mbox{Clause}$ and is defined to be the least relation satisfying the following axioms:

Axiom 1: Opposite permissions conflict: $\vdash{\mathcal{P}}_{p}(x)\;\maltese\;!{\mathcal{P}}_{p}(x)$ .

Axiom 2: Obligation to perform mutually exclusive actions is a conflict: $a\bowtie b\vdash{\mathcal{O}}_{p}(a)\;\maltese\;{\mathcal{O}}_{p}(b)$ .

Axiom 3: Conflicts are closed under symmetry: $C\;\maltese\;C^{\prime}\vdash C^{\prime}\;\maltese\;C$ .

Axiom 4: Conflicts are closed under increased strictness: $C\;\maltese\;C^{\prime}\land C^{\prime}\sqsubseteq C^{\prime\prime}\vdash C\;\maltese\;C^{\prime\prime}$ .

Although conflicts are only identified for opposing permissions in the axioms, they also arise in opposing obligations, and can be shown to follow from the axioms.

Proposition 3.11.

Opposite obligations conflict with each other: ${\mathcal{O}}_{p}(x)\;\maltese\;!{\mathcal{O}}_{p}(x)$ . {TR}

Proof 3.12.

The proof uses the definition of negated permission and obligation to derive the desired result:

\begin{array}[]{cl}&\mbox{definition of conflict on opposing permissions}\\ \implies&{\mathcal{P}}_{p}(x)\;\maltese\;!{\mathcal{P}}_{p}(x)\\ \implies&\mbox{for some $y$, $x=!y$}\\ &{\mathcal{P}}_{p}(!y)\;\maltese\;!{\mathcal{P}}_{p}(!y)\\ \implies&\mbox{definition of $!{\mathcal{P}}_{p}(y)$ and $!{\mathcal{O}}_{p}(y)$}\\ &!{\mathcal{O}}_{p}(y)\;\maltese\;{\mathcal{O}}_{p}(y)\\ \implies&\mbox{symmetry of $\maltese$}\\ &{\mathcal{O}}_{p}(y)\;\maltese\;!{\mathcal{O}}_{p}(y)\end{array}

{TR}

Various other conflicts can be derived from the axioms. The following show conflicts between permissions and obligations and arising from enforcing norms over both the presence and absence of an action.

Proposition 3.13.

Obligation to perform an action conflicts with both permission and obligation to not perform it: (i) ${\mathcal{O}}_{p}(x)\;\maltese\;{\mathcal{P}}_{p}(!x)$ ; and (ii) ${\mathcal{O}}_{p}(x)\;\maltese\;{\mathcal{O}}_{p}(!x)$ . Obligation to perform an action also conflicts with lack of permission to perform the action: (iii) ${\mathcal{O}}_{p}(x)\;\maltese\;!{\mathcal{P}}_{p}(x)$ .

{TR}

Proof 3.14.

By Proposition 3.11, we know that ${\mathcal{O}}_{p}(x)\;\maltese\;!{\mathcal{O}}_{p}(x)$ , which, by definition of $!{\mathcal{O}}_{p}(x)$ is equivalent to ${\mathcal{O}}_{p}(x)\;\maltese\;{\mathcal{P}}_{p}(!x)$ , hence completing the proof for (i).

By result (i) and ${\mathcal{P}}_{p}(!x)\sqsubseteq{\mathcal{O}}_{p}(!x)$ , we can use the strictness axiom of conflicts to conclude that (ii) holds: ${\mathcal{O}}_{p}(x)\;\maltese\;{\mathcal{O}}_{p}(!x)$ .

Result (iii) follows directly from the definition of $!{\mathcal{P}}_{p}(x)$ and result (ii).

{TR}

Finally, we show how making two conflicting contracts stricter does not get rid of the conflict:

Proposition 3.15.

Given two conflicting clauses $C_{1}\;\maltese\;C_{2}$ , making the two clauses stricter does not resolve the conflict: if $C_{1}\sqsubseteq C_{1}^{\prime}$ and $C_{2}\sqsubseteq C_{2}^{\prime}$ , then $C_{1}^{\prime}\;\maltese\;C_{2}^{\prime}$ . {TR}

Proof 3.16.

The proof follows by applying axiom of closure under increased strictness twice and the axiom of symmetry.

Example: As a simple example, consider John signing a contract with his bank. The contract says that (i) whenever he is logged into his Internet banking account, he is to be permitted to make money transfers; and (ii) if a malicious attempt to log in to his account is identified, logging in and making transfers will be prohibited until the situation is cleared. The two statements can be expressed in the two contract automata shown in Fig. 1. Combining the two statements, however results in an automaton where initially, after performing action set $\{\mbox{login},\;\mbox{malicious}\}$ , one ends up in a state with both ${\mathcal{P}}_{p}(\mbox{transfer})$ and ${\mathcal{F}}_{p}(\mbox{transfer})$ , which are in conflict.

Figure 1: Internet banking contracts

4 Related Work

Despite the fact that contracts are, by definition, an agreement between two or more parties, most formal studies regulate the parties independently and do not analyse how permissions, obligations or prohibitions for one party affect the other, or do so in limited ways. Here we summarise the most related work.

[4] deals with obligation violations in contracts using the domain specific BCL language [5], introducing contrary-to-duty clauses and directed obligations, but does not analyse the reciprocity of deontic clauses in a contract. [10] aims at formalisations of contracts for e-commerce but focuses only on analysing temporal consistency. A related line of research was started by [6], later followed upon by various others ([15, 3], etc.) — although not explicitly about contracts, they look at a flavour of axiomatic deontic logic with obligations being directed from one individual towards another, termed directed obligations. Directed permissions have also been studied, but were termed to be conflicting because of lack of a clear counterparty, following both the claimant theory or the benefit theory. Once one considers actions that are only realisable by the two parties in synchrony, as our approach does, the concept of permission appears more clearly. Although it does not fully consider many aspects of permission e.g., ${\mathcal{P}}_{p}(!a)$ – it would be interesting to direct further research to look at the similarities between both approaches, including variations such as [13].

Our model does not provide explicitly for the notion of interference that has been analysed by many, notably Hohfeld [7] and Lindahl [9], It is important to understand, however, that the difference between vested and naked liberties (i.e., warranty of immunity from interference) relates to a real concern in the context of general law but blurs in the context of a contract where one party allowing the other to perform a shared action, but reserving itself the right to interfere, does not have practical sense. More specifically, in our formal model ${\mathcal{P}}_{p}(a)$ means not only that $p$ may attempt to perform $a$ — it means that $p$ would succeed in doing $a$ should she try. If the notion of attempting to do an action $a$ that can be interfered by others needs to be modeled, then another action $\mathit{attempt\_a}$ should be added and the permission placed onto the latter. Another alternative is to introduce modalities for trying, as in Santos et al. [14].

Lindahl [9] studies liberty spaces to present the concept of less free than, a relationship between maximally consistent sets of deontic positions. The general idea is somewhat similar to our definition of strictness; however, as Lindahl notes, most of the maximally consistent sets are incomparable using this relationship, whereas our notion of strictness provides interesting theorems.

Many of the above mentioned authors, and also others, deal with some definition of conflicts but they usually leave out the inconsistencies that arise because of the onuses imposed to the other party (see our example of ${\mathcal{P}}_{p}(!a)$ conflicting with ${\mathcal{O}}_{p}(a)$ in Section 3).

5 Conclusions

In this article we extended our formalisation of contracts for interactive systems [12] to deal with absence of actions, mutually exclusive actions and conflicts. The issues raised by interaction between parties, allowing for collaboration and interference, are particularly interesting in the domain of computer-mediated contracts, in which systems typically work in synchrony and proceed only through handshaked actions. Much work has been done in this domain of synchronous systems from a Computer Science perspective, and we believe that our approach allows us to adopt many existing results into the field of contracts. We are currently applying this approach to the analysis of software requirements documents and studying the classes of rights identified in Kanger et al. [8] in an interactive setting.

References

[1]
[2] André Arnold (2002): Nivat’s processes and their synchronization. Theor. Comput. Sci. 281, pp. 31–36, 10.1016/S0304-3975(02)00006-3.
[3] Maria Fasli (2002): On Commitments, Roles, and Obligations. In: Revised Papers from the Second International Workshop of Central and Eastern Europe on Multi-Agent Systems: From Theory to Practice in Multi-Agent Systems, CEEMAS ’01, Springer-Verlag, pp. 93–102, 10.1007/3-540-45941-3_10.
[4] G. Governatori & Z. Milosevic (2005): Dealing with contract violations: formalism and domain specific language. In: EDOC Enterprise Computing Conference, 2005 Ninth IEEE International, IEEE, pp. 46–57, 10.1109/EDOC.2005.13.
[5] Guido Governatori (2005): Representing business contracts in RuleML. Int. J. Cooperative Inf. Syst. 14(2-3), pp. 181–216, 10.1142/S0218843005001092.
[6] H. Herrestad & C. Krogh (1995): Deontic logic relativised to bearers and counterparties. Anniversary Anthology in Computers and Law, pp. 453–522.
[7] W.N. Hohfeld (1913): Some fundamental legal conceptions as applied in judicial reasoning. Yale Law Journal 23, p. 16, 10.2307/785533.
[8] S. Kanger & H. Kanger (1966): Rights and parliamentarism. Theoria 32(2), pp. 85–115, 10.1111/j.1755-2567.1966.tb00594.x.
[9] L. Lindahl (1977): Position and change: A study in law and logic. 112, Springer, 10.1007/978-94-010-1202-7.
[10] Olivera Marjanovic & Zoran Milosevic (2001): Towards Formal Modeling of e-Contracts. In: Proceedings of the 5th IEEE International Conference on Enterprise Distributed Object Computing, EDOC ’01, IEEE Computer Society, Washington, DC, USA, pp. 59–, 10.1109/EDOC.2001.950423.
[11] Gordon Pace & Fernando Schapachnik (2012): Contracts for Interacting Two-Party Systems. Technical Report, FCEyN, Universidad de Buenos Aires. Available at http://publicaciones.dc.uba.ar/Publications/2012/PS12a.
[12] Gordon J. Pace & Fernando Schapachnik (2011): Permissions in Contracts, a Logical Insight. In: JURIX, pp. 140–144, 10.3233/978-1-60750-981-3-140.
[13] Y.U. Ryu (1998): Specification of contractual obligations in formal business communication. Data & knowledge engineering 26(3), pp. 309–326, 10.1016/S0169-023X(97)00048-7.
[14] F.A.A. Santos, A.J.I. Jones & J. Carmo (1997): Action concepts for describing organised interaction. In: System Sciences, 1997, Proceedings of the Thirtieth Hawaii International Conference on, 5, IEEE, pp. 373–382, 10.1109/HICSS.1997.10062.
[15] Yao-Hua Tan & Walter Thoen (1998): A logical model of directed obligations and permissions to support electronic contracting. Int. J. Electron. Commerce 3, pp. 87–104.