Transition Selection

In order to deal with minimality and synchronizability, we define in this sec-tion a selecsec-tion funcsec-tion and a new derivasec-tion relasec-tion. Because both the function and the derivation relation reason about the set of enabled transi-tions, we first define the enabledSet(γ) function. This function returns the set of all enabled transitions for a configuration γ.

Definition 34. (EnabledSet)

Let γ =< s_Pd, s_P1, .., s_Pn, s_B1, .., s_Br > be a configuration. Given γ, we define the function enabledSet : γ → E (where E is a set of transitions) as follows:

enabledSet(γ) =

∪

i∈{Pd,P1,..,Pn,B1,...,Br}

{< si, m, s₂ > :< s_i, m, s₂ >∈ Ti, enabled(< s_i, m, s₂ >)}

Note that if a transition is enabled it stays enabled until it is executed.

For instance, if enough data is present to send a credibility check to the bank on time 0, then this data is also present at time 1. The relaxation of this assumption on the monotonicity of the data is left for future work.

The following function selects the set of executable transition that will be executed.

Definition 35. (Select)

Let E be the set of all enabled transitions for all automata of a configuration γ. Given E, we define the function select : E → E^′ (where E^′ and E are set of transitions with E^′ ⊆ E) as follows:

select(E) =

The first line of the function checks whether there is a transition with an incoming message. The second line checks whether there are any transitions possible for the target protocol. If so then we choose only these as possible transition to execute.

Based on the above described selection of enabled transition, we define a derivation relation that is well-formed.

Definition 36. (Reduced derivation relation)

Let the set of states, etc of an automaton Ai be labeled with subscript i with i∈ {Pd, P₁, .., P_n, B₁, ..., B_r}. For two configurations

γ =< sP_d, sP1, .., sPn, sB1, .., sBr > and γ^′ =< s^′_P

d, s^′_P1, .., s^′_Pn, s^′_B1, .., s^′_Br >, γ derives γ^′, if one of the following two conditions holds:

• Automaton Ai performs a send action, i.e. there exist i and a tran-sition t = (s_i; (!m; ϱ); s^′_i) such that t ∈ Ti, s^′_k = s_k for each k ̸= i and t∈ select(E)

• Automaton Ai performs a receive action, i.e. there exist i and a tran-sition t = (s_i; (?m; ϱ); s^′_i) such that t ∈ Ti and s^′_k = s_k for each k ̸= i, and t ∈ select(E)

This derivation relation takes into account both synchronizability as well as the minimality by using the select function.

Lemma 10. Let S be a composite service using the enabled derivation rela-tion (Definirela-tion 26) and Sred a composite service using the Reduced deriva-tion reladeriva-tion. Then M EX_Sred ⊆ MEXS.

The language of the composite service created by the algorithm is a subset of the language of the composite service described above. The proof of this lemma can be easily shown by looking at the select(E) function, which is defined to give a subset of the set that was given as input.

Theorem 3. M EX_Sred satisfies the autonomous property.

Proof. Lemma 8 states that M EX_S does not satisfy the autonomous prop-erty. The difference between M EX_Sredand M EX_S is the derivation relation, more specific the set of enabled transitions that is executed. Thus, to prove that M EX_Sred does satisfy the autonomous property, we need to show by using the select function that a set that violates the autonomous property is never returned. We prove this by induction on the possible set of enabled transitionsEi. LetEi denote the set of enabled transitions obtained from the function enabled(γi) at time i. In this set there are four types of transitions, namely tⁱⁿ_d , t^out_d denote incoming and outgoing message of the target protocol, tⁱⁿ_S, t^out_S denotes incoming and outgoing messages of a service. We make two observations: First, based on our assumption that only one party has the initiative, it follows that tⁱⁿ_d ⊗ t^out_d ⊗ tⁱⁿ_S ⊗ t^out_S at time i = 0. Second, if a transition is enabled at time x, then it will also be enabled at time x + 1, unless executed.

Given theses types we distinguish between seven situations:

(1) tⁱⁿ_d ⊗ t^outd ⊗ tⁱⁿS ⊗ t^outS : if only one type is element of E then the select function simply returns that type.

(2) t^out_S ∧ t^out_d : select function states that t^out_d is returned.

(3) t^out_S ∧ tⁱⁿS: select function states that tⁱⁿ_S is returned.

(4) t^out_S ∧ tⁱⁿd: select function states that tⁱⁿ_d is returned.

(5) tⁱⁿ_d ∧ t^outd : This situation can never occur, because the autonomous property must hold for each protocol (also for the target protocol).

(6) tⁱⁿ_S ∧ tⁱⁿd : This situation can not occur. At time i = 0, this situation cannot occur due to our assumption of one initial party. Thus there must be a time i−1, where either t^out_S ∈ Ei−1 or t^out_d ∈ Ei−1. However, if a transition is enabled at time i then it was also enabled at time i− 1, thus we get the two following possible situations at time i−1: t^outS ∧tⁱⁿd

or tⁱⁿ_S ∧ t^outd . However, in t^out_S ∧ tⁱⁿd the transition tⁱⁿ_d would have been chosen, see (3). Also the possible situation tⁱⁿ_S ∧ t^outd is not possible, see (7).

(7) tⁱⁿ_S ∧ t^outd : This situation can not occur. Similar reasoning as for the previous situation. Following our assumption that only one service will take the initiative at first, it follows that another message was sent out in the configuration before. We get two possible situation at time i−1:

t^out_S ∧ t^outd or tⁱⁿ_S ∧ tⁱⁿd. For t^out_S ∧ t^outd , see (2). For the other situation tⁱⁿ_S ∧ tⁱⁿd, we get into a loop where every time i− 1 the other situation ((6) and (7) alternately) should hold. This loop continues until i = 0 where either (6) or (7) holds. However, at time i = 0 both situations can not hold.

All other possible combinations (and those including business rules) contain a situation as described above. From the above situations, it follows that M EX_Sred satisfies the autonomous property since every possible output of the select function produces a set that adheres to this property.

Theorem 4. M EX_Sred is minimal.

Proof. What we need to proof is that M EX_Sred does not contain any se-quences, where at any point another transition could have been chosen in-stead of a transition by the target protocol. Assume that M EX_Sred is not minimal. Thus there must exists at least one < t₁, ..t_n >∈ MEX_Sred, such that at time 1 < x < n another transition t could be chosen such that t /∈ Pd. However, since the well-formed derivation relation states that all chosen transitions must come out of the set produced by select(E, tl), it

follows that if a transition t ∈ Pd exists, that this is executed (see Theorem 3). This is a contradiction and thus M EX_Sred is minimal.

In the following we will describe how an orchestrator can be constructed with additional constraints to create a single orchestrator, e.g. in the case where multiple valid orchestrators exist how only one is selected.

In the initial configuration, all the services and business rules start in their initial state, the state of the orchestrator is set to the initial state of the target protocol.