Towards Model-Checking Contracts

We understand by a contract a document written in natural language which engages several parties into a transaction, and which stipulates commitments (obligations, rights, and prohibitions) of the parties. Moreover the contract specifies also reparations in case of contract violation (i.e. some obligations or prohibitions are not respected). Because the human language is ambiguous by nature, contracts (written in plain English, for example) are inherent ambiguous. This ambiguity can, and many times is exploited by the parties involved in the contract. The purpose of our research is to eliminate this ambiguity as much as possible and to automate the process of designing, negotiation and monitoring of contracts. For this purpose contracts should be amenable to formal analysis (including model-checking) and thus should be written in a formal language. There are currently several different approaches aiming at defining a formal language for contracts. Some works concentrate on the definition of contract taxonomies [1], while others look for formalizations based on logics (e.g. classical [4], modal [3], deontic [6] or defeasible logic [5]). Other formalizations are based on models of computation (e.g. FSMs [7], Petri Nets [2], or process calculi [12]). None of the above has reached enough maturity as to be considered the solution to the problems of formal definition of contracts. In our opinion, the most promising approach to formalizing contracts is the one based on logics of actions [13,14] (i.e. actions found in contracts). It has been argued for the need to base deontic logic on a theory of actions which would solve many of the paradoxes deontic logic faces. The method of model-checking is an old and established field of computer science. Model-checking has been applied in several fields of computer science from hardware circuits to concurrent programs. The idea of model-checking electronic contracts is extremely new and of great interest. From our knowledge there has been no attempt of using the classical model-checking techniques (or an established model-checking tool) on a real electronic contract example. Model-checking tools usually describe the system as an automata-like structure and the property to be checked in a temporal logic (like CTL, LTL, or μ-calculus). With the contract written in a formal language with semantics based on a Kripke-like structure we wold have the automaton input for the model-checking tools. Our aim is to define a general framework for describing in a uniform way both the contract and the properties. In [11] we have provided a formal language for writing contracts, which allows to write (conditional) obligations, permissions and prohibitions over (names of) human actions as well as reparations in case of violations. The language is specially tailored for representing statements found in contracts and is proven to avoid major deontic paradoxes (for motivations and design decisions we refer the reader to [11]). Here we briefly sketch and discuss the ideas behind the syntax of the contract language CL.