service-oriented business and system specification - Semantic Scholar

1 SERVICE-ORIENTED BUSINESS AND SYSTEM SPECIFICATION: BEYOND OBJECT-ORIENTATION Luís Filipe Andrade1 and José Luiz Fiadeiro2 1

ATX Software S.A., Alameda António Sérgio 7 – 1 C, 2795-023 Linda-a-Velha, Portugal, [email protected] 2 Department of Mathematics and Computer Science, University of Leicester, University Road, Leicester LE1 7RH, United Kingdom, [email protected]

1

INTRODUCTION

Quoting directly from [M1992], “There are only two ways to use a class […]. One is to inherit from it; […]. The other one is to become a client of [it].” Indeed, it is generally accepted that, in object-oriented software construction, there are two basic techniques for structuring systems. Inheritance allows us to reuse the behaviour of a class in the definition of new classes. Clientship, i.e. the ability to establish client/supplier relations between objects, provides, through feature calling, the basic mechanism of object-oriented computation. We have to recognise that, through inheritance and clientship, OO has made software construction more scalable. Inheritance provides a powerful organisation mechanism via which we can better control the complexity of the process of software construction. On the other hand, building on what we can call a “societal metaphor” according to which the envisaged system is conceived as a “society” of objects that interact by drawing on the services that each provides, clientship allows us to decompose the global behaviour of the system in a way that mimics typical ways in which people organise themselves in society, which helps in taming the complexity of establishing the interconnections that are necessary to make the global properties required of the system to emerge from more basic and controllable behaviours. Such forms of “programming by emergence” fit well with the General System approach to behavioural modelling that can be found in many other disciplines, including Economic and Social Sciences [F1996].

2!!!!!!

Chapter 1

However, clientship leads to systems of components that are too tightly coupled and rigid to support the levels of agility that are required to operate in environments that are “business time critical”, namely those that make use of Web Services, B2B, P2P, or otherwise operate in what is known as “internet-time” [Web2000]. More and more, organisations require systems that can evolve together with the business domain, either for reacting to external changes coming from new legislation or the competition, or as an instrument of their own business strategies, namely when it is important to have an aggressive presence in the market. The same applies to changes occurring in the technological infrastructures: systems should be able to evolve to capitalise on new technologies as they become available without interfering with the business they support. Object-oriented methods simply do not address these problems from first-principles. More and more, building applications is becoming a dynamic process that consists in locating services that provide required basic functionalities, and “orchestrating” them, i.e. establishing collaborations between them, so that the global properties required of the application, at that time, can emerge from their joint behaviour. This translates directly to the familiar characterisation of Web Services as “late binding” or, better, “just-in-time binding”, showing that flexible architectures are required for making the resulting systems amenable to a continuous process of reconfiguration. For this purpose, interactions cannot be hardwired in the code that implements the services. If collaborations are not modelled explicitly as first-class entities that can be manipulated by a process of dynamic reconfiguration, the overhead that justin-time integration and other operational aspects of this new architecture represent will not lead to the levels of agility that are required for the paradigm to impose itself. Because interactions in object-oriented approaches are based on identities [Ke1993], in the sense that, through clientship, objects interact by invoking specific methods of specific objects (instances) to get something specific done, the resulting systems are too rigid to support the identified levels of agility [S1996]. Any change on the collaborations that an object maintains with other objects needs to be performed at the level of the code that implements that object and, possibly, of the objects with which the new collaborations are established. On the contrary, interactions in a service-oriented approach should be based on the description of what is required, thus decoupling the “what one wants to be done” from the “who does it”. In the context of the “societal metaphor” that we mentioned above, it is interesting to note that this shift from “object” to “service”-oriented interactions mirrors what has been happening already in human society: more and more, business relationships are established in terms of acquisition of services (e.g. 1000 Watts of lighting for your office) instead of products (10 lamps of 100 Watts each for the office). Naturally, object-oriented technology does not prevent such flexible modes of interconnections to be implemented. Design mechanisms, making use of event publishing/subscription through brokers and other well-known patterns [GHJV1995], have already found their way into commercially available products that support implicit invocation [NGGS1993] instead of feature calling (explicit invocation). However, solutions based on the use of design patterns are not at the level of abstraction

Service-Oriented Business and System Specification

3

in which the need for change arises and needs to be managed. Being mechanisms that operate at the design level, there is a wide gap that separates them from the business modelling levels at which change is better perceived and managed. This conceptual gap is not easily bridged, and the process that leads from the business requirements to the identification and instantiation of the relevant design patterns is not easily documented or made otherwise explicit in a way that facilitates changes to be operated. Once instantiated, design patterns code up interactions in ways that, typically, requires evolution to be intrusive because they were not conceived to be evolvable. Hence, most of the times, the pattern will dissolve as the system evolves. Therefore, we need semantic primitives through which interconnections can be externalised, modelled explicitly, and evolved directly as representations of business rules. Our purpose in this paper is to show that support for “service-oriented” development can be found in what we have been calling “coordination technologies”: a set of analysis techniques, modelling primitives, design principles and patterns that we have been developing for externalising interactions into explicit, first-class entities that can be dynamically superposed over system components to coordinate their joint behaviour. The key to the move from “identity” to “service”-based interaction is in the separation between “computation” and “coordination” [GC1992], i.e. the ability to address the computations that need to take place locally within components to implement the functionalities that they advertise through their interfaces, separately from the coordination mechanisms that need to be superposed on these computations to enable the properties that are required of the global behaviour of the system to emerge. It is clear that this separation is not supported by clientship: “In the execution of an object-oriented software system, all computation is achieved by calling certain features on certain objects” [M1992]. In section 2, we discuss around an example the shortcomings of object-oriented approaches that we identified above. Then, in sections 3, 4 and 5 we present the semantic primitives that we are proposing for supporting the development of agile systems: coordination contracts, laws and contexts.

2.

WHY OO IS NOT EVOLUTIONARY

In order to motivate the principles and techniques that we wish to put forward through coordination technologies, namely the difference to what is currently available through object-oriented modelling, consider the familiar world of bank accounts and customers who can make deposits, withdrawals, transfers, and so on. In a typical classroom modelling exercise, a class account is defined with, among others, an operation allowing for the current balance to be obtained, and an operation withdrawal with parameter amount. A customer that owns an account is also part of the business domain and, as such, should figure explicitly, under some representation, in the model with an attribute owns:account so that transactions performed by that customer can be modelled through calls owns.withdrawal(amount). The condition balance≥amount is typically declared

4!!!!!!

Chapter 1

on account as a precondition on withdrawal(amount) to ensure that there are enough funds for the withdrawal to be made. This precondition establishes a contractual relationship between account and customer, both in the technical sense developed by B.Meyer [M1992] and as one of the business rules that establish the way customers are required to interact with accounts. owns Account * The relationship between customers and Balance:money accounts that is established in this way is based on “identities” in the sense that the !Withdrawal(amount): customer has an attribute that identifies the Pre: balance≥amount account and knows precisely which operaPost: balance= old balance–amount tion of account it needs to invoke. This mode of interaction leads to systems in * which components are too tightly coupled to let them, and their interactions, evolve Customer independently from each other. Hence, for instance, when the bank comes up with a new account-package for VIP-customers Figure 1 that give them some credit allowance for overdrawing their accounts, changes need to be made on a variety of components, depending on the way the VIP-package is modelled. A naïve solution to the problem of adapting the existing system to the new business rule would be to enrich account with a new operation – VIP-withdrawal – for the more flexible withdrawals owns (Figure 2). Besides requiring Account * obvious and direct changes to the Balance:money class account, this solution is also intrusive on the client side !Withdrawal(amount):… because customers now have to !VIP-Withdrawal(amount): Pre: balance+credit≥amount decide on which operation to call. Post: balance= A further disadvantage of this old balance–amount * solution is in the fact that the “business rule”, i.e. the VIP Customer status of the relationship between a customer and an account, is completely coded in the way the Figure 2 customer calls the account and, thus, cannot be “managed” explicitly as a business notion. The typical OO-solution to this new situation is different: it consists in defining a subclass VIP-account of account with a new attribute credit and a weaker precondition on operations withdrawal(amount): balance+credit≥amount (Figure 3). In this way, more flexible contractual relationships can be established directly between the client (customer) and the specialisation of the supplier (the VIPaccounts).

Service-Oriented Business and System Specification

5

Nevertheless, there are two main drawBalance:money Withdrawal(amount):… backs in this solution. On the one hand, it introduces, in the conceptual model, * classes that have no VIP-Account Customer counterpart in the real !Withdrawal(amount): Pre: balance+credit≥amount Balance:money problem domain. It Post: balance= Credit:money old balance–amount is the customers who are VIPs, not the Figure 3 accounts. However, having placed the contractual relationship between customers and accounts in account, one is forced to model the revised collaboration through a specialisation of the previous one, which implies the definition of the artificial subclass of account. The second disadvantage is not methodological but a technical one. The new solution is still intrusive because the other classes in the system need to be made aware of the existence of the new specialised class so that links between instances can be established through the new class. More generally, references to accounts need to be reclassified between “regular” and VIP-accounts. The main disadvantages in both solutions result from two important factors. On the one hand, the fact that the business rule that dictates the interaction that is required between customers and accounts is being coded on the side of the supplier (the account), which is what is favoured by Meyer's notion of contract [M1992]. This makes it difficult to accommodate new forms of the interaction that depend on the client side of it. On the other hand, the fact that relationships are established through “identities”, i.e. through explicit naming of client/supplier and operation invocation. This requires that any change be intrusive on the code that implements the objects involved. Indeed, design by contract [M1992] introduces a bias that makes it difficult for evolution to be handled as perceived in the application domain, namely by coding in the operations the rules that dictate how they should be used, which are much more prone to change than the computations that they need to perform to ensure the functionalities that are required of the services that they provide. A more sensible alternative is to place the interaction at the level of the relationship that exists between customers and accounts by promoting it to what in the UML [GRJ1998] is Account Customer known as an Associa* * tion Class, i.e. an Balance:money association that can also have class properties and features. In the ownership example, the promotion could be achieved by introducing an association class ownerFigure 4 owns

*

Account

6!!!!!!

Chapter 1

ship in which the envisaged coordination of the joint behaviour of customers and

accounts, including the preconditions that apply to the interactions, can be placed (Figure 4). Changes to the ownership, such as the addition of an attribute credit and the weaker precondition on the interaction, can now be put on specialisations of the new class without having to change the role classes. Indeed, resorting to association classes keeps the model faithful to the application domain by representing explicitly the business rules that coordinate the interaction between the entities involved. However, association classes still present severe drawbacks as a solution to our problem because the way they address relationships is still “identity”-based. From the discussion held above about the disadvantages of the attribute-based representation of the relationship between accounts and customers, it seems clear that the typical implementation of associations through attributes would take us one step back. The best way of implementing the interaction through the association class would seem to be for a new operation to be declared for ownership that can act as a mediator. Upon a call from the client, the mediator would have the responsibility of determining whether the contractual relationship between the partners is valid and, in case it is, delegate on the supplier to proceed. In this way, it would, indeed, be possible to achieve the required flexibility for accommodating changes in the business rules simply by modifying the contracts as required, e.g. at the level of the preconditions of the mediators, without having to modify the partners in the contract. Notice that the essence of this solution is to put in place a form of implicit invocation [NGGS1993]. Although the advantage of making relationships first-class citizens in conceptual modelling has been recognised by many authors (e.g. [KR1994]), which lead to the ISO General Relationship Model (ISO/IEC 10165-7), things are not as clean with this solution as they may seem. On the one hand, the fact that a mediator is used for coordinating the interaction between two given objects does not prevent direct relationships from being established that may side step it and violate the business rule. In the case of the account package, nothing prevents a designer from connecting directly a customer to an account through attributes and direct invocation, possibly breaching the contract because the precondition has now been moved from the account to the mediator. On the other hand, the solution is still intrusive in the sense that the calls to the mediator must be explicitly programmed in the implementation of the classes involved in the association. Moreover, it is not incremental in the sense that the addition of new business rules cannot be achieved by simply introducing new association classes and mediators. The other classes in the system need to be made aware that new association classes have become available so that the right mediators are used for establishing the required interactions. That is, the burden of deciding which mediator to interact with is put again on the side of clients. On the other hand, different rules may interact with each other thus requiring an additional level of coordination among the mediators themselves to be programmed. This leads to models that are not as abstract as they ought to be due to the need to make explicit (even program) the relationships that may exist between the original classes and the media-

Service-Oriented Business and System Specification

7

tors, and among the different mediators themselves. In summary, we end up facing the problems that, in the introduction, we identified for the use of design patterns in general. The primitive that we have developed for modelling this kind of contractual relationship between components circumvents these problems by abandoning the “identity”-based mechanism on which the object-oriented paradigm relies for interactions, and adopting instead a mechanism of superposition that allows for collaborations to be modelled outside the components as connectors (coordination contracts) that can be applied, at run-time, to coordinate their behaviour. From a methodological point of view, this alternative approach encourages developers to identify dependencies between components in terms of services rather than identities. From the implementation point of view, superposition of coordination contracts has the advantage of being non-intrusive on the implementation of the components. That is, it does not require the code that implements the components to be changed or adapted, precisely because there is no information on the interactions that is coded inside the components. As a result, systems can evolve through the addition, deletion or substitution of coordination contracts without requiring any change in the way the core entities have been deployed. This is the approach that we are going to present in the rest of the paper. We start by presenting it as an extension of object-oriented software construction with a new primitive – coordination contracts. We then generalise it to component-oriented development through coordination laws. Finally, we provide primitives – coordination contexts – for controlling the evolutionary process.

3.

COORDINATION CONTRACTS

The method that we are advocating for promoting agility in software systems relies, on the one hand, on the separation between what can be considered the core business entities and the rules according to which they collaborate in order to provide the services required from the system. On the other hand, it models dependencies between components in terms of services rather than identities. In the context of object-oriented software construction techniques, this can be achieved through a new semantic primitive that we called coordination contract [AF1999] and a new principle based on the notion of superposition as developed for parallel program design [KA1993]. The main idea is that, through coordination contracts, explicit invocations of the form a.withdrawal(n) are decoupled from the execution of the service itself by letting the contract intercept the call and superpose whatever coordination mechanisms are required by the business rules. These mechanisms are specified as event/reaction rules of the form: when do with

8!!!!!!

Chapter 1

The “when”-clause identifies the trigger which, in the context of object-oriented modelling, is, typically, a method invocation. Under "do" we identify the reactions to be performed when the trigger occurs. It consists of a set of actions of the partners and the contract's own actions, which constitute what we call the synchronisation set associated with the trigger. Because, in object-oriented modelling, the typical trigger is the invocation of a method, the synchronisation set is usually organised in terms of the operations that need to be performed before the service and after the service. Furthermore, we allow for a new implementation of the service to be superposed on the primitive one. This is achieved through a “replace” clause that introduces the new code. Naturally, the new operation is required to comply with the specification of the service that it implements, normally given through a contract in Meyer’s sense. Under the “with” clause, we include conditions that should be observed for the reaction to be performed. If any of the conditions fails, the reaction is not performed and the occurrence of the trigger fails. Failure is handled through whatever mechanisms are provided by the language used for deployment. Synchronisation sets are executed atomically. The whole interaction is handled as a single transaction, i.e. it consists of an atomic event in the sense that the trigger reports a success only if all the operations identified in the reaction execute successfully and the conditions identified under the “with” clause are satisfied. Notice that the execution of the services is performed locally by the components that hold them and, as such, may be subject to further local constraints. Hence, the whole reaction may fail even if the “with”-clause is satisfied because some of the operations involved may not execute successfully. The “with”-clause plays a fundamental role in the externalisation of business rules in the sense that it allows for the effects of operations (the computations that they perform) to be handled locally, and the conditions under which they are performed to be controlled, totally or partially, at the level of coordination contracts. Ownership For instance, we argued already that it seems best that the VIP-package be modelled in terms of a contract that externalises comwhen c.withdrawal(n,a) with balance()≥n pletely the business rule so that changes can do a.debit(n) be performed that are not intrusive on either party. Deciding what is part of an entity and VIP-Ownership what pertains to a business rule is not an credit:money easy matter and requires a good expertise on when c.withdrawal(n,a) the business domain itself. For instance, with balance()+credit≥n do a.debit(n) market evolution has shown that the circumstances under which a withdrawal can be accepted keeps changing as competition dictates banks to come up with new ways for customers to interact with their accounts. Therefore, it should not be too difficult to come to the conclusion that the precondition on debits derives more from the specification of a business requirement than an intrinsic constraint on the functionality of a basic business entity like account. Hence, it seems best to shift the pre-

Service-Oriented Business and System Specification

9

condition to the contract: the corresponding coordination rule includes a “with”clause whose purpose is to specify that the reaction to the trigger will only take place when the condition is true; otherCustomer Account wise, the trigger fails. Therefore, every Balance:money coordination rule !debit(amount): !withdrawal(amount,account): (trigger-reaction Pre: true Pre: … Post: balance= clause) specified in a Post: … old balance–amount contract identifies a point of “rendez-vous” Ownership in which the components are brought together to synchrowhen c.withdrawal(n,a) with balance()≥n nise their lives. As do a.debit(n) we have just seen, in execution terms, the rendez-vous is an indivisible, atomic action. This paradigm of “joint actions” is present in a number of approaches to parallel program design (e.g. [BKS1988]), as well as in recent languages for information system modelling like MERODE [SDVD1999]. Each component has its own “view” of the action and participates in it accordingly, but unaware of the type of coordination to which it is being subjected. This decoupling of roles in an interaction is essential for supporting non-intrusive changes by letting the subjects evolve independently. For instance, having moved the pre-condition to the contract, the VIP-package can now be modelled directly as a specialisation of the standard one, which does not intrude with customers nor accounts. The new coordination rule becomes when c.withdrawal(n,a) with balance()+credit≥n do a.debit(n). As illustrated by our example, it is possible to declare features that are local to the contract itself. For instance, in the case of VIP-withdrawals, it can make sense to assign the credit-limit that is negotiated between the customer and the bank to the contract itself rather than the customer or the account. This is because we may want to be able to assign different credit limits to the same customer but for different accounts, or for the same account but for different owners. One could argue for a separate partner of the contract to be defined for credit but, being a feature that is local to the contract, it should not be externalised. Indeed, although every contract (instance) has an associated component for implementing these local features, this component should not be public. For instance, a contract does not define a public class and its instances are not considered as ordinary components of the system. This is one of the reasons why association classes, as available in the UML, are not expressive enough to model the coordination mechanisms of contracts. Although contracts allow for interactions to be made explicit in conceptual models, they should not be accessed in the same way as the classes that model the core business entities. Contracts do not provide services: they coordinate the services made available by the core entities. Another shortcoming of association classes, and the

10!!!!!!

Chapter 1

use of mediators as seen in the previous section, is that they do not enforce the synchronisation and atomicity requirements of the proposed coordination mechanisms. Nevertheless, from a static point of view, a contract defines, implicitly, an association. Restrictions to the population of this association can be defined in order to capture organisational invariants that are independent of current business policies. For instance, it makes sense to restrict withdrawal contracts to customers that own the corresponding accounts. The general form of a contract is: contract partners invariant local constants attributes operations coordination rules end contract

4.

COORDINATION LAWS

Coordination contracts were introduced in [AF1999,AF2001] as extensions of objectoriented software development. In this context, contracts are defined for specific classes of objects of the application at hand. Hence if, for instance, there is a need to redefine the class account to incorporate new parameters that are required in order to accommodate the integration of the information system of an insurance company that was bought by the bank, it is likely that the service invocations used in the coordination rules will have to be updated. However, such changes are not related to the business domain and, therefore, should leave the business architecture unchanged. More precisely, the business architecture should be modelled in a way that is independent of such concerns so that changes that occur at the level of the deployment of the partners in a contract should not require the redefinition of the coordination rules. This is why, typically, coordination contracts derive from what we call coordination laws – generic models of business rules directed to software components and not objects in particular. The notion of component that we assume is the more general one that has been popularised in [S1998] by which we mean “a unit of composition with contractually specified interfaces and explicit context dependencies only”. Hence, in the description of a law, the partners are not identified as specific classes within the context of a specific application, but in terms of a number of coordination interfaces (an abstraction of the notion of role of architectural connectors [AG1997]) that act as types that identify what features and properties components have to provide, through their public interfaces, in order to be coordinated according to the rule. Hence, the use of these laws in a specific context requires “interface binding mechanisms” through which one can determine, for any component and interface of a coordination law, whether the public interface of the component “complies” with the coordination interface of the law. Better still, we should be able to determine if and how the

Service-Oriented Business and System Specification

11

component can be adapted to comply and become coordinated by the law through that interface. Ideally, this process of binding should be automated, leading to the synthesis of the “binder” through which the component is adapted to fit the requirements expressed in the coordination interface. We should stress the fact that a binding/compliance mechanism needs to be established for each target development environment. Each time a technological change is introduced that makes it necessary for an application to be redeployed, the binding mechanism will be likely to have to change accordingly and, hence, the compliance relations will need to be re-established or the corresponding binders redefined. Again, some degree of automatic synthesis would be welcome but, at least, computational support should be provided for the redefinition of the binders. Another important aspect of coordination laws is that they address directly a service-oriented approach: we do not take triggers to consist of explicit feature calls but, rather, as events that components publish, triggering given laws to react. The laws that are triggered are those that are active at the time the event is issued and match the “when”-clause of one of their coordination rules. A law that is active is one that is present as a connector in the current system configuration, something that we will discuss in the next section. This mode of coordination requires that each interface identifies which events produced during system execution are required to be detected as triggers for a contract to react, and which services must be made available for the reaction to superpose the required effects. The degree of dynamic reconfigurability that can be achieved through coordination depends directly on the ability of the execution environment to make available, as recognisable triggers, interactions between entities as well as events taking place within individual entities. For instance, distributed systems and object-based environments are paradigmatic examples in which collections of triggers are explicitly made available. However, and ultimately, a good design architecture (e.g. publish/subscriber) is a means of enabling collections of triggers to be made available in environments that do not support directly any notion of interaction. It is the responsibility of the “binders” to make available, at every moment, the triggers required by the coordination laws that are active in the current configuration of the system. Changes in the way components are deployed may lead to changes in the way these events are detected. These changes should be encapsulated in the corresponding binders and have no impact on the laws themselves. For instance, in order to model the business rules that apply to withdrawals as performed by customers, one should consider a coordination interface with accounts that only assumes the basic functionality of debits: coordination interface account-debit import types money; services balance():money; debit(a:money) post balance() ="old balance()-a end interface

The inclusion of properties in an interface, e.g. the pre and post-conditions on debits, is meant to provide means for requirements to be specified on the components that can be bound to the interface and become under the coordination of the law. In this

12!!!!!!

Chapter 1

example, we are stating minimal properties on the functional behaviour of the services included in the interface, namely that debits interact with observations of the balance as expected. We need to stress the fact that coordination interfaces are defined so as to state requirements placed by laws on the entities that can be subjected to its rules and not as a declaration of features or properties that entities offer to be coordinated. This means that coordination interfaces should restrict themselves to what is essential for the definition of given laws and hence, in the extreme, can be local to the laws themselves. However, for the sake of reusability and simplification of the binding process, it is useful to externalise coordination interfaces from the laws in the context of which they are defined, and establish a hierarchy between them that is consistent with the compliance relationship in the sense that a component that complies with a given interface also complies with any ancestor of that interface or, that any binder of the component for that interface will also serve as a binder for any ancestor. Hence, in a sense, coordination interfaces fulfil the role of representations of abstract business entities in the sense that the hierarchy of interfaces will, ultimately, provide a taxonomy of all the business uses that are made of entities in the application domain. Given this, we insist that, as a methodological principle, the definition of coordination interfaces should be driven by the modelling of the business rules as coordination laws and not by the modelling of the entities of the business domain as it is usual in object-oriented and other traditional “product”-oriented approaches. In this sense, it makes no sense to define a coordination interface for accounts in general but, instead, and in the extreme, as many interfaces as the business rules that apply to accounts require (something that is evolutionary in nature because it is as impossible to predict how an information system will evolve as for how the business of an organisation will grow). Ultimately, these will identify all the usages that the specific business makes of the notion of account in a “service-oriented” perspective. As the business rules evolve, new coordination interfaces are defined and placed in the hierarchy. In a product-oriented notion of interface, each such change in the business rules would require a change in the account interface, which is against the spirit of “agility-enhancer” that our method is supposed to deliver. For the definition of the laws that apply to withdrawals, we need a coordination interface that corresponds to the customers. This is where the triggers are identified: coordination interface customer-withdrawal import types money, account; services owns(a:account):Boolean events withdrawal(n:money; a:account) end interface

For the proposed coordination, we are required to detect as triggers events that consist of customers performing withdrawals, and be provided with services that query about the account ownership relation. Notice that, at the level of accounts, we did not require the ability to detect any events because the trigger is purely on the

Service-Oriented Business and System Specification

13

side of the customer for this particular form of coordination. We will see other coordination laws in which accounts are required to make events available as well. The two coordination laws are: coordination law standard-withdrawal partners a:account-debit; c:customer-withdrawal rules when c.withdrawal(n,a) with a.balance() ≥ n d o a.debit(n); end law coordination law VIP-withdrawal partners a:account-debit; c:customer-withdrawal operations credit():money rules when c.withdrawal(n,a) with a.balance()+credit()≥ n do a.debit(n); end law

The discussion so far has focused on the binding of coordination interfaces to given components of the system that we want to interconnect in order for some global property of the system to emerge from their collaboration. However, coordination interfaces can also act as useful abstractions for either events or services that lie outside the system, or global phenomena that cannot be necessarily localised in specific components. In the case of events, this allows for the definition of reactions that the system should be able to perform to triggers that are either global (e.g. a deadline) or are detected outside the system. In the case of reactions, this allows us to identify services that should be procured externally. This is particularly useful for B2B operations and the modelling of Web-services, the paradigms into which ebusiness is evolving. What is important is that a uniform notation and semantics is maintained for all cases in order not to compromise changes in the boundaries of the system. For instance, one could define a law for handling transfers that arrive at a bank from outside by relying on the following interfaces: coordination interface account-credit import types money; services balance():money; credit(a:money) post balance() = old balance()+a end interface coordination interface external-transfer import types money, account, transfer-id; events transfer(n:money;a:account;t:transfer-id) end interface

When defining the corresponding law

14!!!!!!

Chapter 1

coordination law external-transfer-handler partners a:account-credit; external-transfer operations ackn(t:transfer-id) rules when transfer(n,a,t) with a.exists d o n≥1000:a.credit(n–100) and na.average():a.debit(charge()) end law

We are assuming that end-of-month is a global trigger that the system detects through some calendar mechanism that we take for granted. Otherwise, we could define a global interface as illustrated for the external transfers. Coordination laws are deployed for specific applications through contracts. This includes the identification of the classes that will be partners in the contract and their binding to the corresponding coordination interfaces. Depending on the nature of the implementation language, binders may have to be defined that provide for the triggers required in the interfaces. Furthermore, each such contract has to provide an implementation for the local operations declared in the law.

5.

COORDINATION CONTEXTS

The main purpose of coordination laws and contracts is to model the collaborations that need to be put in place among components to ensure that the global properties that are required of the system in any given state can emerge from the interactions and the computations that are being performed locally within the components that are present in the configuration of the system, at that same state. In broad terms, a configuration of a system consists of a collection of components that deploy core entities of the business domain and a collection of instances of contracts that coordinate the interactions between them. An example of a configuration in the banking domain that we have been discussing is given below in aaa/bbb: john: terms of a diagramstandardAccount Customer withdrawal matic notation that Balance:1000 should be selfexplaining: two customers, mary and john, VIPreportwithdrawal big-credit are joint owners of credit:3000 big:10000 account aaa/bbb; mary uses a VIP-withdrawal ccc/ddd: mary: package with credit standardAccount Customer withdrawal 3000 and john a stanBalance:5000

16!!!!!!

Chapter 1

dard-withdrawal package; mary is the owner of a second account ccc/ddd with a standard-withdrawal contract and is monitored for credits above 10000. The use of coordination contracts for representing business rules leads to an approach to the evolution process that is based on reconfiguration techniques as known from Configurable Distributed Systems [KR1994,MK1996]. At each moment of the life of the system, its configuration can be identified with the collection of components that have been created (but not destroyed) interconnected through the contracts that will have been superposed among them. As part of the evolution process, new components may be added, existing components may be removed, new contracts may be superposed, existing contracts can be removed or replaced, and so on. All these operations rewrite the configuration, producing a new configuration for the system. The new configuration will dictate how the system will behave from then on, computationally speaking, through the revised set of components and interactions among them. On the other hand, as a result of the computations performed by the components, or the interactions that are maintained with the environment, the global state of the system changes, which may require a reconfiguration to adapt it to the new circumstances. Having mechanisms for evolving systems is not the same as prescribing when and how these mechanisms should be applied. Evolution is a process that needs to be subject to rules that aim at enforcing given policies of organisations over the way they wish or are required, e.g. through legislation, to see their businesses conducted. For this purpose, we provide a modelling primitive – coordination contexts – through which the reconfiguration capabilities of the system can be automated, both in terms of ad-hoc services that can be invoked by authorised users, and programmed reconfigurations that allow systems to react to well identified triggers and, hence, adapt themselves to changes brought about on their state or configuration. For instance, in the banking domain that we have been using as an example, a coordination context normally exists for each customer. The purpose of this context is to manage the relationships that the customer may hold with its various accounts according to the packages that the bank offers. Such contexts are made available to bank managers each time the customer goes to a branch, or to the customer itself through the Internet or ATMs. The syntax that we are developing for contexts can be illustrated as follows: coordination context customer(c:customer) workspace component types account, customer contract types standard-withdrawal, VIP-withdrawal, pensioner-package, home-owner-package constants min-VIP: money attributes avg-balance = … services subscribe_VIP(a:account,V:money): pre: c.owns(a) and avg-balance≥min-VIP and not exists home-ownerpackage(c,a) post: exists’ VIP-withdrawal(c,a) and VIP-withdrawal(c,a)’.credit=V

subscribe_home(a:account): pre: not exists pensioner-package(c) post: c.owns(a)’ and exists’ home-owner-package(c,a)

Service-Oriented Business and System Specification

17

subscribe_pensioner: pre: not exists pensioner-package(c) and not exists home-ownerpackage(c,a) post: exists’ pensioner-package(c)

rules VIP-to-std: when exists VIP-withdrawal(c,a) and avg-balance < min-VIP post not exists’ VIP-withdrawal(c,a) and exists’ standardwithdrawal(c,a)

end

context

Besides the contracts that we introduced in the previous sections for managing withdrawals, we have added the names of a few other ones just to make the example more “interesting”. These account for other financial packages such as those concerned with retirement pensions and credit for home-purchase. We leave their specification to the reader as an exercise! Each instance of a coordination context is “anchored” to a component or set of components. In the example, the anchor is a customer instance, referred to as c in the definition of the context (type). Under “workspace” we identify the component and contract types that are made available for evolving the way the anchor interacts with the rest of the system. Configuration services correspond to operations for ad-hoc reconfiguration, i.e. they are performed on demand from users of the system. Notice that we include in this category operations that, in traditional OO modelling, are assigned to classes like object creation. The rationale is that, by interfering with the population of the system, such operations address the evolution of its configuration and, hence, their use should be regulated in the scope of a coordination context. Configuration services involve both components and contracts. In the example above, besides the creation of new accounts, three other services are provided for each of the contracts that models a financial package that can be offered to the customer. These services have pre-conditions through which business policies are enforced. For instance, VIP-withdrawals are not available on accounts that support a home-owner package. Pensioners are not allowed to subscribe home-owner packages. Configuration rules correspond to different ways of programmed reconfiguration, i.e. to the ability of the system to reconfigure itself in reaction to external events or internal state changes. In the example above, a VIP-package is replaced by a standard one when the average balance of the customer falls below the minimum value set up for being a VIP. Typically, the programmed configuration rules capture more dynamic properties that require specific actions to be taken in reaction to certain state changes, for instance to restore consistency with respect to policies like the ones that regulate VIP-status for customers. Notice the use of a post-condition in the configuration rule instead of a specific (trans)action to be performed as a reaction. Together with the use of pre/postconditions in the definition of services, this allows us to separate context interfaces from their implementations, which adds to flexibility by allowing the choice of the actual reconfiguration operations to depend on “lower level” issues like the physical distribution topology. The pre/post-conditions capture business policies that should be elicited during analysis, like eligibility conditions as illustrated in the example, or

18!!!!!!

Chapter 1

dependencies that regulate the subscription of different business products, as well as legislation that becomes applicable, etc. When writing post-conditions, we use primed expressions to denote the value that they take in the state that is obtained by executing the service or rule. Contexts should not be treated as "normal" components in the sense that they are not used in configurations to add new functionalities to the system. That is, they are not defined in order to contribute to the functional properties that the system can exhibit but only to manage the way the system is allowed to evolve. For instance, coordination contexts can be used, among others, for modelling actors as in use cases, i.e. the mechanisms through which "users" (regardless of whether they are human, physical, software, etc) have access to the system, except that, now, such users can interfere with the configuration of the system, not just with its state. Indeed, although the example above does not illustrate it, contexts can also make available operations that act on the states of the components through the methods that these offer through their public interfaces. Different contexts may even make use of different implementations for the same operations, for instance reflecting the fact that access to the system may be provided through different channels. For instance, the withdrawal service of customer is typically offered in a coordination context that models access over the counter at the local branch, but not if the access is via the Internet, whereas the amount that can be requested will be limited for accesses via an ATM. From a methodological point of view, coordination contexts become necessary, and come into play, during the transition from a business model to a conceptual/logical model of the intended software system. This should be the first time in the process that a boundary starts to be drawn between the information system and the business environment, leading to the need for deciding on the interface in which this boundary will be managed. Basic reconfiguration actions like creation and deletion of component and contract instances can be formalised directly in an algebraic graph-rewriting setting, for instance using the double-pushout approach, by identifying configurations with (categorical) diagrams. More details on the graph-rewriting based operational semantics can be found in [WF2002]. Concerning the relationship between coordination contexts and business policies, for simplicity, we shall take policies to be cast as properties of system configuration that are required to be invariants of the evolution process. The language that we use for representing business invariants is a first order language over the observable attributes of components (methods that return values) extended with a predicate e x ists that indicates whether a given component or contract instance is part of the current configuration, i.e. of the subsystem defined by the context. Examples of business policies expressed in this language are “forall a:account, not (exists VIP(c,a) and exists home-owner(c,a))” and “forall a:account, not (exists homeowner(c,a) and exists pensioner(c))”. Both these properties can be proved to be invariants for the coordination context that we defined above. Once a property is proved to be an invariant of every coordination context defined for the application, it

Service-Oriented Business and System Specification

19

will be an invariant for the whole system, meaning that it will emerge as a property of every configuration that can be reached during the evolution of the system. Work on the methodology that supports the definition of policies (e.g. as invariants) and contexts is progressing, mainly through the application of the approach to a number of case studies [e.g. KGAF2001,KKAFGW2001]. Even at this early stage, it is clear that coordination contexts provide an effective means of defining the way in which the evolution process can be controlled and the enforcement of business policies automated. We are now extending tool-support [GKAF2001] and logical analysis [FOMMP2000] to this particular activity.

6.

RELATED WORK

Several authors have made similar observations about the need to make explicit and available, as first-class citizens, the rules that govern the behaviour of systems, namely in [KR1994], which became the subject matter of the ISO General Relationship Model (ISO/IEC 10165-7). The notion of contract that we proposed in the paper is in the spirit of this work but adds to it the evolutionary aspects that it inherits from the architectural approaches, and the concurrency and synchronisation aspects that it inherits from the notion of superposition as used for parallel program design. A recent evolution of this approach that we intend to investigate in relationship to ours is the treatment of roles (and templates) in RM-ODP [Ki2002]. We have to recognise that the term 'contract' itself has been quite overloaded: - there are, of course, contracts in the sense of Meyer [M1992]; their purpose is to support the development of object methods in the context of client-supplier relationships between objects. They apply, essentially, to the construction of systems and, as argued in section 2, they do not scale up to evolution. - A notion of contract that applies to behaviours and not to individual operations or methods is the one developed in [HHG1990]. The aim of contracts as developed therein is to model collaboration and behavioural relationships between objects that are jointly required to accomplish some task. The emphasis, however, is in software construction, not so much in evolution. - A notion of contract can also be found in [BPP1999] that emerged in the context of the action-systems approach [BKS1988]. Like in our approach, it promotes the separation between the specification of what actors can do in a system and how they need to be coordinated so that the computations required of the system are indeed part of the global behaviour. The architectural and evolutionary dimensions are not explored as such. - Concrete extensions to the UML in order to provide automated support for evolution are proposed in [MH2000] through “evolution contracts”. The idea behind evolution contracts is that incremental modification and evolution of software artifacts is made explicit by means of a formal contract between the provider and the modifier of the artifact. The purpose of the evolution contract is tomake evolution more disciplined. The coordination contracts that we presented can also extend the UML but at the level of the semantic primitives that can be used for

20!!!!!!

Chapter 1

modelling, facilitating evolution, not managing it. For managing evolution, we provide explicit primitives at the configuration layer as already discussed. Besides these related notions of contract, it is important to mention the work of N.Minsky and his colleagues who, for quite some time, have been developing what they call Law-Governed Systems/Architectures/Interactions (e.g. [MU2000]). These authors address, however, more the architectural aspects of system design (e.g. as enforcing a token-ring architecture throughout evolution) whereas we tend to focus more on policies and other properties that relate to the business level. This is, however, a rather simplistic and reductionist comparison because, on the one hand, we have also explored our coordination technologies for design and technical architectures and, on the other hand, Minsky’s work seems to be applicable to the earlier levels of development as well. Hence, the truth is that more research is necessary to investigate how the two approaches actually relate and can benefit from the experience that both groups have developed in applying them.

7.

CONCLUDING REMARKS

In this paper, we presented a set of technologies that, in our opinion, can supplement the shortcomings of object-oriented approaches in endowing systems with the levels of agility required for operating in “internet-time” and support the next generation of the e-world – Web Services, B2B, P2P… Basically, we argued that the move from an “identity” to a “service”-oriented approach, replacing the tight coupling that explicit feature calling – the basic mechanism of OO-computation – imposes on system,s in favour of interconnections that can be established “just-in-time”, can be supported by clearly separating computation and coordination concerns [GC1992] and relying on superposition mechanisms [Ka1993] for establishing interconnections between components that are otherwise completely unaware of one another. Reconfiguration techniques as known from Distributed Systems [MK1996] can then be used for addressing system evolution, namely the process of dynamically interconnecting components according to the business rules that determine how the system should behave at each time. Although we focused on the semantic primitives – coordination contracts, laws and contexts – and their intuitive semantics, our approach is well supported (1) at the foundational level through a mathematical characterisation of the notions of coordination, superposition and reconfiguration [e.g. FL1999,WF2002], (2) at the implementation level through micro-architectures that show how coordination technologies can be deployed in existing environments for component-based development [e.g. GKAF2001], and (3) at the pragmatic level through the development of a series of case studies in typical areas where agility is a key concern [e.g. KGAF2001,KKAFGW2001]. See [LFA2002] in particular for an application of this approach to system design in Java. Work is progressing in several fronts, including the extension of coordination technologies to distribution and mobility in the IST project 2001-32747 (AGILE – Architectures for Mobility) with IEI/CNR and the Universities of Florence, Lisbon,

Service-Oriented Business and System Specification

21

Munich, Pisa and Warsaw, their application to data-intensive systems in collaboration with CERN, and their integration with the UML [GRJ1998] in collaboration with a team of researchers coordinated by A. Moreira.

ACKNOWLEDGEMENTS The work that we reported in this paper has been developed within a team that includes J.Gouveia, G.Koutsoukos, A.Lopes and M.Wermelinger. Much useful feedback has also been received from L.Barroca and A.Moreira. We would also like to thank Haim Kilov for the continued interest that he has shown for our work and the useful feedback that we have received from him.

REFERENCES [AG1997] R.Allen and D.Garlan, "A Formal Basis for Architectural Connectors", ACM TOSEM, 6(3), 1997, 213-249. [AF1999] L.F.Andrade and J.L.Fiadeiro, "Interconnecting Objects via Contracts", in UML'99 – Beyond the Standard, R.France and B.Rumpe (eds), LNCS 1723, Springer Verlag 1999, 566-583. [AF2001] L.F.Andrade and J.L.Fiadeiro, “Coordination: the Evolutionary Dimension", i n Technology of Object-Oriented Languages and Systems – TOOLS 38, W.Pree (ed), IEEE Computer Society Press 2001, 136-147. [BKS1988] R.Back and R.Kurki-Suonio, "Distributed Cooperation with Action Systems", ACM TOPLAS 10(4), 1988, 513-554. [BPP1999] RJ.Back, L.Petre and I.Paltor, "Analysing UML Use Cases as Contracts", in UML'99 – Beyond the Standard, R.France and B.Rumpe (eds), LNCS 1723, Springer Verlag 1999, 518-533. [BRJ1998] G.Booch, J.Rumbaugh and I.Jacobson, The Unified Modeling Language User Guide, Addison-Wesley 1998. [F1996] J.L.Fiadeiro, "On the Emergence of Properties in Component-Based Systems", i n Proc. AMAST'96, M.Wirsing and M.Nivat (eds), LNCS 1101, Springer-Verlag 1996, 421-443. [FL1999] J.L.Fiadeiro and A.Lopes, "Algebraic Semantics of Coordination, or what is in a signature?", in AMAST'98, A.Haeberer (ed), Springer-Verlag 1999. [FOMMP2000] J.L.Fiadeiro, N.Martí-Oliet, T.Maibaum, J.Meseguer and I. Pita, “Towards a Verification Logic for Rewriting Logic", in Recent Trends in Algebraic Development Techniques, D.Bert and C.Choppy (eds), LNCS 1827, pp. 438-458, Springer-Verlag 2000

22!!!!!!

Chapter 1

[GHJV1995] E.Gamma, R.Helm, R.Johnson and J.Vlissides, Design Patterns: Elements of Reusable Object Oriented Software, Addison-Wesley 1995 [GC1992] D.Gelernter and N.Carriero, "Coordination Languages and their Significance", Communications ACM 35, 2, pp. 97-107, 1992. [GKAF2001] J.Gouveia, G.Koutsoukos, L.Andrade and J.Fiadeiro, “Tool Support for Coordination-Based Software Evolution", in Technology of Object-Oriented Languages and Systems – TOOLS 38, W.Pree (ed), IEEE Computer Society Press 2001, 184-196. [HHG1990] R.Helm, I.Holland and D.Gangopadhyay, "Contracts: Specifying Behavioral Compositions in Object-Oriented Systems", in Proc. OOPSLA'90/ECOOP'90, ACM Press 1990, 169-180 [Ka1993] S.Katz, "A Superimposition Control Construct for Distributed Systems", ACM TOPLAS 15(2), 1993, 337-356. [Ke1993] W.Kent, “Participants and Performers: A Basis for Classifying Object Models”, i n Proc. OOPSLA 1993 Workshop on Specification of Behavioral Semantics in Object-Oriented Information Modeling, 1993 [Ki2002] H.Kilov, Business Models, Prentice-Hall 2002. [KR1994] H.Kilov and J.Ross, Information Modeling: an Object-oriented Approach, PrenticeHall 1994. [KGAF2001] G.Koutsoukos, J.Gouveia, L.Andrade and J.L.Fiadeiro, “Managing Evolution i n Telecommunications Systems”, in Proc. IFIP Working Conference on Distributed Applications and Interoperable Systems, Kluwer 2001, 133-139. [KKAFGW2001] G.Koutsoukos, T.Kotridis, L.Andrade, J.L.Fiadeiro, J.Gouveia and M.Wermelinger, “Coordination Technologies for Business Strategy Support: a case study in Stock Trading”, accessible from www.atxsoftware.com [Kr1994] J.Kramer, "Exoskeletal Software", in Proc. 16th ICSE, 1994, 366. [KFA2002] K.Lano, J.Fiadeiro and L.Andrade, Software Design in Java 2, Palgrave-Macmillan, 2002. [MK1996] J.Magee and J.Kramer, "Dynamic Structure in Software Architectures", in 4th Symp. on Foundations of Software Engineering, ACM Press 1996, 3-14. [MH2000] T.Mens T. and T.D’Hondt, “Automating Support for Software Evolution in UML”, Automated Software Engineering Journal 7, Kluwer Academic Publishers, 2000, 3959. [M1992] B.Meyer, "Applying Design b y Contract", IEEE Computer, Oct.1992, 40-51. [M1992] B.Meyer, Object-Oriented Software Construction, Addison-Wesley 1992. [MU2000] N.Minsky and V.Ungureanu, “Law-Governed Interaction: A Coordination & Control Mechanism for Heterogeneous Distributed Systems” in ACM TOSEM 9(3), 2000, 273-305.

Service-Oriented Business and System Specification

23

[NGGS1993] D.Notkin, D.Garlan, W.Griswold and K.Sullivan, “Adding Implicit Invocation t o Languages: Three Approaches”, in Object Technologies for Advanced Software, S.Nishio and A.Yonezawa (editors), LNCS 742, Springer-Verlag 1993, 489-510. [S1996] M.Shaw, "Procedure Calls are the Assembly Language of Software Interconnection: Connectors Deserve First-Class Status", in D.A. Lamb (Ed.), Studies of Software Design, LNCS 1078, Springer-Verlag 1996. [SDVD1999] M.Snoeck, G.Dedene, M.Verhels and A-M.Depuydt, Object-oriented Enterprise Modelling with MERODE, Leuvense Universitaire Press, 1999. [S1998] C.Szyperski, Component Software: Beyond Object-Oriented Programming, Addison Wesley 1998. [WF2002] M.Wermelinger and J.L.Fiadeiro, "A Graph Transformation Approach to Software Architecture Reconfiguration", Science of Computer Programming, 44, 2002, 133155. [Web2000] Web Services architecture overview – the next stage of evolution for e-business, September 2000, www-106.ibm.com/developerswork/web/library