4.5 Contract model checking with CB2B model
4.5.2 Contract example with priority rules conflict
A well-known class of inconsistency that affects contracts is conflicts at one level that, if not addressed, result in conflicts at the rule implementation level. A conflict happens when two or more contradictory actions (operations) appear to be in force simultaneously. Consider the following example (discussed earlier in Section 3.2.1):
• Rule A - if the customer returns the purchased e-ticket for any reason within 7 days, then the purchase amount, minus a 10% penalty fee, will be refunded.
• Rule B - if the customer returns the purchased e-ticket because the flight was canceled by the seller (travel agent), before the due date (up to one year), then the full purchase amount will be refunded.
A conflict would occur if the ticket is canceled by the seller in the period where rule A and rule B overlap, i.e. within 7 days of the ticket issuing date, so that both rules are applicable.
RULE(RNR7D) {
  WHEN::EVENT(RNR7D, IS_R(RNR7D, CLIENT), SC(RNR7D)) -> {
    RefundAmount = 9;
    SET_R(RNR7D, 0);
    SYN(CANCEL, AGENCY) -> { RefundAmount = 10; } NYS(CANCEL)
    SET_X(RNR7D, CLIENT);
    RD(RNR7D, CLIENT, CCO, RST);
  }
  END(RNR7D);
}
Contract Rule RNR7D

RULE(RFC365D) {
  WHEN::EVENT(RFC365D, IS_R(RFC365D, CLIENT), SC(RFC365D)) -> {
    RefundAmount = 10;
    SET_R(RFC365D, 0);
    SET_X(RFC365D, CLIENT);
    RD(RFC365D, CLIENT, CCO, RST);
  }
  END(RFC365D);
}
Contract Rule RFC365D

RULE(CANCEL) {
  WHEN::EVENT(CANCEL, IS_R(CANCEL, AGENCY), SC(CANCEL)) -> {
    SET_R(CANCEL, 0);
    SET_X(CANCEL, AGENCY);
    RD(CANCEL, AGENCY, CCR, CO);
  }
  END(CANCEL);
}
Contract Rule CANCEL

Figure 4.12: E-ticket refund contract rules
This contract needs to consider both the client's refund and the travel agency's cancellation business operations. Two contract rules are defined to handle the refund operations: Rule(RNR7D) for refund for no reason (RNR) within seven days (7D), which could happen if the buyer changed his mind about the flight, and Rule(RFC365D) for refund for a canceled e-ticket (RFC) within one year (365D), which normally happens when the seller cancels the flight. Furthermore, Rule(CANCEL) is added for handling the cancellation business event (CANCEL) from the travel agent. The contract is initialised with a right for the client to perform RNR7D and RFC365D, and a right for the travel agent to cancel the ticket at any time. Figure 4.12 above shows the rule implementation of this contract using extended Promela. Each rule can be triggered by an event from the set of business events (RNR7D, RFC365D and CANCEL). By default, the set of contract rules responds only to contract-compliant business events. In response to such events, the contract status is updated; for example, rights, obligations or prohibitions may be applied, or permissible operations might be prohibited. Note that the SYN, NYS block in Rule(RNR7D) synchronises with the cancel business operation (hence the name SYN()). Basically, SYN(CANCEL, AGENCY) checks the execution history of the cancel business operation. If it is found to have been executed, the rule guarantees a full refund to the client. By default, the client is penalised 10% as the cancellation-for-no-reason penalty. Figure 4.13 shows different possible timelines of the execution of the refund operation.
Figures 4.13(a) and 4.13(b) respectively show that the business event RNR7D is permitted within 7 days, and the business event RFC365D is permitted within the whole year. In both timelines no cancellation business events have been witnessed. Figure 4.13(c) shows that the seller has the right to cancel the flight ticket for the whole year, whereas the grey arrows in (a), (b) and (c) show different points in time at which the business events RNR7D, RFC365D and CANCEL may occur. Figure 4.13(d) shows a possible scenario in which both of the contract rules RNR7D and RFC365D can be executed within the first 7 days after the commencement date of the contract. In such a situation, the buyer might be penalised if he returns the flight ticket for no reason within 7 days; however, the full refund amount must be returned, as the seller has already canceled the flight.
[Figure 4.13 timelines: (a) 7 days, buyer refunds ticket (RNR7D), then the rest of the year; (b) one year, buyer refunds ticket (RFC365D); (c) one year, seller cancels ticket (CANCEL); (d) 7 days, seller cancels ticket (CANCEL) and buyer refunds ticket (RNR7D), then the rest of the year]
Figure 4.13: Priority rule conflict illustrated with timeline
In order to verify that the above contract rules consider the discussed possible conflict, Spin is first executed with its default settings, with assertion violation detection enabled, to verify the contract-independent conflicts. Then, for the contract-dependent conflicts, the following two formulae P1 and P2 can be verified. P1 verifies that whenever RNR7D and CANCEL have both been executed, the RefundAmount must be paid in full, whereas P2 verifies that whenever RNR7D has been executed and the ticket has not been canceled, then the client must be penalised.
ltl P1 { [] ((IS_X(RNR7D, CLIENT) && IS_X(CANCEL, AGENCY)) -> (RefundAmount == 10)) }
ltl P2 { [] ((IS_X(RNR7D, CLIENT) && !IS_X(CANCEL, AGENCY)) -> (RefundAmount == 9)) }
The current implementation of the contract does not violate P1 or P2; the verification ended with no problems. This ensures that there is no case in which a client refunds the ticket within 7 days for no reason while the ticket has already been cancelled, and is refunded £9 instead of £10. Injecting an error into Rule(RNR7D), such as changing the refund amount to 10 or any other value, and verifying P2 causes Spin to complain and return a counterexample immediately after the RNR7D business event is received and the body of Rule(RNR7D) is executed.
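The following is an added example, not the thesis's extended-Promela model and not the CB2B macros (IS_R, SET_R, SET_X, SYN and so on): the three rules of Figure 4.12 are re-implemented as plain Python transitions, every permitted ordering of the business events is explored explicitly, and P1 and P2 are checked in each reachable state, which is what Spin's [] operator amounts to over a finite state space. The `rnr7d_refund` parameter is the fault-injection switch described above; setting it to 10 reproduces the P2 counterexample. One assumption the page does not state is made: a refunded ticket ends the contract, so no further refund or cancellation right remains.

```python
"""Explicit-state check of the e-ticket refund contract rules (added
example; the thesis's own model is written in extended Promela and
verified with Spin)."""

EVENTS = ("RNR7D", "RFC365D", "CANCEL")


def initial_state():
    """Rights as the contract initialises them; 'executed' is the execution
    history that SYN() inspects; 'refund' is None until a refund rule fires."""
    return {
        "rights": {"RNR7D": "CLIENT", "RFC365D": "CLIENT", "CANCEL": "AGENCY"},
        "executed": frozenset(),
        "refund": None,
    }


def step(state, event, rnr7d_refund=9):
    """Apply one business event and return the successor state, or None when
    the event is not permitted (the party no longer holds the right)."""
    if state["rights"].get(event) is None:
        return None
    rights = dict(state["rights"])
    executed = set(state["executed"])
    refund = state["refund"]
    if event == "RNR7D":
        refund = rnr7d_refund              # default 9: 10% no-reason penalty
        if "CANCEL" in executed:           # SYN(CANCEL, AGENCY): history check
            refund = 10                    # flight already cancelled: full refund
    elif event == "RFC365D":
        refund = 10
    if event in ("RNR7D", "RFC365D"):
        # Assumption (not stated on the page): a refunded ticket ends the
        # contract, so no refund or cancellation right remains afterwards.
        rights = {name: None for name in rights}
    else:
        rights[event] = None               # SET_R(CANCEL, 0)
    executed.add(event)                    # SET_X(event, party)
    return {"rights": rights, "executed": frozenset(executed), "refund": refund}


def explore(rnr7d_refund=9):
    """Depth-first walk over every permitted event ordering, yielding
    (trace, state) for each reachable state, the initial state included."""
    stack = [((), initial_state())]
    while stack:
        trace, state = stack.pop()
        yield trace, state
        for event in EVENTS:
            successor = step(state, event, rnr7d_refund)
            if successor is not None:
                stack.append((trace + (event,), successor))


def p1(state):
    """[] ((IS_X(RNR7D, CLIENT) && IS_X(CANCEL, AGENCY)) -> RefundAmount == 10)"""
    done = state["executed"]
    return not ("RNR7D" in done and "CANCEL" in done) or state["refund"] == 10


def p2(state):
    """[] ((IS_X(RNR7D, CLIENT) && !IS_X(CANCEL, AGENCY)) -> RefundAmount == 9)"""
    done = state["executed"]
    return not ("RNR7D" in done and "CANCEL" not in done) or state["refund"] == 9


def verify(rnr7d_refund=9):
    """Return the first violated (property, trace) pair, i.e. a counterexample,
    or None when both invariants hold in every reachable state."""
    for trace, state in explore(rnr7d_refund):
        for name, prop in (("P1", p1), ("P2", p2)):
            if not prop(state):
                return name, trace
    return None


if __name__ == "__main__":
    print("reachable states:", sum(1 for _ in explore()))
    print("correct rules:", verify())                    # None: P1 and P2 hold
    print("RNR7D refund injected as 10:", verify(rnr7d_refund=10))
```

With the rules as given, `verify()` returns None, matching the text's clean verification run; with the refund in RNR7D changed to 10, the first violating state is reached after the single event RNR7D, which is the counterexample the text describes for P2.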