Science of Computer

Abstract

Service contracts characterise the desired behavioural compliance of a composition of services. Compliance is typically defined by the fulfilment of all service requests through service offers, as dictated by a given Service-Level Agreement (SLA). Contract automata are a recently introduced formalism for specifying and composing service contracts. Based on the notion of synthesis of the most permissive controller from Supervisory Control Theory, a safe orchestration of contract automata can be computed that refines a composition into a compliant one. To model more fine-grained SLA and more adaptive service orchestrations, in this paper we endow contract automata with two orthogonal layers of variability: (i) at the structural level, constraints over service requests and offers define different configurations of a contract automaton, depending on which requests and offers are selected or discarded, and (ii) at the behavioural level, service requests of different levels of criticality can be declared, which induces the novel notion of semi-controllability. The synthesis of orchestrations is thus extended to respect both the structural and the behavioural variability constraints. Finally, we show how to efficiently compute the orchestration of all configurations from only a subset of these configurations. A prototypical tool supports the developed theory.

Introduction
Service computing is a well-known paradigm for the creation, publication, discovery and orchestration of services, which are autonomous, platform-independent and reusable pieces of software that are loosely coupled into networks of collaborating end-user applications [1,2]. Services are usually programmed with little or no knowledge about clients and other services. They are created and published by possibly mutually distrusted organisations, and may have conflicting goals. Services have to cooperate to achieve overall goals and at the same time compete to perform specific tasks of their organisation. Ensuring reliability of a composite service is important, e.g. to avoid economic loss. Therefore, understanding and fulfilling a minimal number of behavioural obligations of services is crucial to determine whether the interactive behaviour is consistent with the requirements. Such obligations are usually dictated by a Service-Level Agreement (SLA). Recently, the Service Computing Manifesto [3] considers service design as one of the four emerging research challenges in service computing for the next 10 years, and calls for formal models supporting it: "Service systems have so far been built without an adequate rigorous foundation that would enable reasoning about them. [...] The design of service systems should build upon a formal model of services." Service contracts offer means to formalise the externally observable behaviour of services in terms of offers of the service and requests by the service to be matched. The notion of agreement characterises compliance of (a composition of) contracts and it is based on the fulfilment of all service requests through corresponding service offers. Behaviour in agreement is implemented by an orchestration of services. Orchestrations must dynamically adapt to the discovery of new services, to service updates and to services that are no longer available.
Moreover, a precise semantics of service contracts allows us to mechanically verify that an orchestration enjoys certain properties and to assess whether it satisfies a given SLA. We refer the reader to [4,5] for surveys on formal models of service contracts.
Contract automata [6] are one such formal model for service contracts. A contract automaton represents either a single service (in which case it is called a principal) or a multi-party composition of services. Each principal's goal is to reach an accepting state by matching its request actions (of the form a, b, ...) with corresponding offer actions (of the form ā, b̄, ...) of other principals. Service interactions are implicitly controlled by an orchestrator synthesised from the principals, which directs them in such a way that only finite executions in agreement actually occur, i.e. such that each request action a is fulfilled by an offer action ā. Technically, such an orchestration is synthesised as the most permissive controller (mpc) known from Supervisory Control Theory (SCT) [7,8]. The goal of this paper is to present a richer framework of contract automata, which allows the user to model more fine-grained SLA and more adaptive service orchestrations.
Consider two automata interacting on a service action a, depicted in Fig. 1 (left and middle parts), and a composition of these automata in Fig. 1 (right part) that models two possibilities of fulfilling service request a from the leftmost automaton by matching it with a service offer ā of the middle one (i.e. (a, ā)). Assume that a must be matched with ā to obtain an agreement, and that for some reason state is to be avoided in favour of state . In most automata-based formalisms, including the contract automata of [6,9], this is typically not allowed by the definition of composition and the resulting mpc is empty. Indeed, we would like to be able to express that a must eventually be matched, rather than always. In this paper, we introduce a type of contract automata in which it is possible to orchestrate the composition of the two automata on the left in such a way that the result is the automaton on the right without state , i.e. a is only matched with ā after the occurrence of an unmatched service offer b̄ of the middle automaton (i.e. (•, b̄)).
Technically, we extend contract automata with action modalities to distinguish necessary from permitted service requests (borrowed from [9]) and with two novel orthogonal variability mechanisms. Necessary and permitted request actions differ in that the first must be fulfilled, while the second may also be omitted. The notions of necessary and permitted modalities stem from modal and deontic logic, which trace back to seminal work by Von Wright [10,11]. As in [9], we assume offer actions to always be permitted because a service contract may always withdraw its offers not needed to reach an agreement.
The first variability mechanism is defined inside service contracts, i.e. at the behavioural level, to declare necessary request actions to be either urgent or lazy. These modalities drive the orchestrator to fulfil all the occurrences of an urgent action, while it is required to fulfil at least one occurrence of lazy actions. The simple example above has no urgent action; the only necessary one is the lazy request a. Intuitively, the matching of a lazy request may be delayed whereas this is not the case for urgent requests.
The second variability mechanism concerns constraints that operate on the entire service contract and that are defined at the structural level. They are used to define different configurations, which is important because services are typically reused in configurations that vary over time and to adapt them to changing environments [3]. Configurations are characterised by which service actions are mandatory and which forbidden. The valid configurations are those respecting all the structural constraints. We follow the well-established paradigm of Software Product Line Engineering (SPLE), which aims at efficiently managing a family of highly (re)configurable systems to allow for mass customisation [12,13]. To compactly represent a product line, i.e. the set of valid product configurations, we use a so-called feature constraint, a propositional formula ϕ whose atoms are features [14,15,16] and we identify features as service actions (offers as well as requests).
To effectively use these two variability mechanisms, we refine the classical synthesis algorithm from SCT. We compute orchestrations, in the form of an mpc, of a single valid configuration, i.e. such that it includes all mandatory actions and none of the forbidden, besides fulfilling all necessary requests and the maximal number of permitted requests. Here maximal is to be understood in the sense that if the orchestration were to fulfil another permitted request, then this would cause one of the other requirements to no longer be fulfilled. An important technical result of this paper is that we can compute the orchestration of a product line without computing the mpc for each of its valid product configurations; it suffices to compute a small selected subset of valid configurations. This guarantees efficiency and scalability of our novel framework of contract automata.
Summarising, the main contributions of this paper are as follows:
1. A novel formalism for service contracts, called Featured Modal Contract Automata (FMCA), which offers support for structural and behavioural variability not available in the literature.
2. The new notion of semi-controllability (related to lazy actions), which refines both those of controllability (related to permitted actions) and of uncontrollability (related to urgent actions) used in classical synthesis algorithms from SCT. This notion is fundamental to handle different service requests in the orchestration synthesis for FMCA.
3. A revised algorithm for synthesising an orchestration of services for a single valid product.
4. An algorithm for computing the orchestration of an entire product line by joining the orchestrations of a small selected subset of valid products. It is worth noting that the number of valid products is exponential in the number of features [17], thus only using few of them greatly improves performance.
5. The open-source prototypical tool FMCAT implementing our proposal.

Outline
In Section 2, we introduce our running example, a Hotel service product line, and briefly survey and evaluate our tool FMCAT. We formally define FMCA in Section 3, including composition, projection and controllability. In Section 4, we define the synthesis algorithms for FMCA. Two notions needed to efficiently compute the orchestration of an entire product line follow in Section 5, introducing so-called automata refinement, and Section 6, providing a means to (partially) order the products of a product line. In Section 7, we discuss related work, followed by our conclusions in Section 8. All proofs of the results presented in this paper are in Appendix A.

Motivating example: hotel reservation systems product line
A (software) product line is a set of (software-intensive) products in a portfolio of a manufacturer (or software house) that share common features and that are, ideally, built from a set of reusable (software) components by means of well documented variability [12,13]. A feature represents an abstract description of functionality and a feature model typically provides a description of products in terms of features: each product is thus uniquely characterised by a set of features. It is well known that a product can be represented by a Boolean assignment to the features (i.e. selected = true and discarded = false) and a feature model can thus be represented by what we call a feature constraint in this paper (i.e. a Boolean formula over the features). As a matter of fact, checking if a product respects the constraints expressed by a feature model, i.e. if it is valid, reduces to a Boolean satisfiability problem that has efficient solutions [14,15,16].

The hotel reservation systems product line and its feature constraint
We illustrate our approach with a product line of a basic franchise of hotel reservation systems. We consider three types of service contracts: a Hotel and two clients, called BusinessClient and EconomyClient, each with different service requests and offers, and with its own feature constraint. A system is a composition of these contracts, e.g. BusinessClient ⊗ Hotel ⊗ EconomyClient, and the feature constraint of the Hotel service product line is the conjunction of the feature constraints of the individual contracts. The 10 features concern requesting/offering a singleRoom or sharedRoom, privateBathroom or sharedBathroom, payment by card or cash, its confirmation by invoice or receipt, and the possibility of freeCancellation or noFreeCancellation. Furthermore, card and cash are alternative features and there are two additional constraints: invoice is selected in case cash is selected and sharedBathroom in case sharedRoom is. The resulting feature constraint ϕ of the Hotel service product line is as follows, where ⊕ denotes exclusive or and F the set of features:

The valid products of the hotel reservation systems product line
As already said, a product p assigns a Boolean value to each feature, and the atoms of a feature constraint ϕ mapped by p to true (false, resp.) are called mandatory (forbidden, resp.). Usually, in Software Product Line Engineering (SPLE), each feature is either selected or discarded to configure a product.
In other words, all variability is resolved and the interpretation of the atoms of ϕ is total. Here, instead, we consider as valid products also so-called sub-families (in SPLE terms), which are defined by a partial assignment satisfying ϕ (see the comment after the 4 products below). This enables us to synthesise the orchestration of an entire product line by considering a few valid products only, rather than computing all valid ones. This is one of the main results of our paper, presented in Section 6.

To give an idea of the impact of our improvement, it suffices to note that when no variability is left, the feature constraint ϕ characterises 288 product configurations, each representing a different instantiation of all its features. When the assignment is instead partial, as in our case, there are 4860 valid products, but we will show below that only 4 of them suffice to characterise the orchestration of the entire Hotel service product line. It is easy to imagine that for real-world feature models of up to millions of configurations the gain is considerable, confirming the scalability of our approach. We partially order valid products by stipulating that p1 is below p2 if and only if the sets of mandatory and forbidden features of p2 are included in those of p1. Accordingly, the maximal products are the valid products that are maximal in this order (cf. Definition 17 in

A partial assignment that interprets the elements of R as true, those of F as false and all the others as "don't care" satisfies ϕ (cf. Definition 11 in Section 4). Indeed, whichever Boolean value replaces "don't care" leaves the formula satisfied.
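The counts given above (288 total configurations, 4860 valid partial products, 4 maximal products) can be reproduced from the prose description of ϕ in Section 2.1. The following Python script is an added example, not code from the paper or from FMCAT: it encodes ϕ as the conjunction of card ⊕ cash, cash → invoice and sharedRoom → sharedBathroom over the 10 features (the formula is reconstructed from that description, since it is not reproduced here), treats a partial product as valid when ϕ holds under every replacement of its "don't care" entries, and computes the maximal products under the order on products just defined. The tuple representation, the function names and the single-feature relaxation test used to find maximal products are this example's own.

```python
"""Added example, not code from the paper or from FMCAT: the Hotel feature
constraint phi (reconstructed from its prose description), the valid partial
products of Section 2.2, and the maximal products under the paper's order on
products.  Representation and helper names are this example's own."""
from functools import lru_cache
from itertools import product as cartesian

FEATURES = ("singleRoom", "sharedRoom", "privateBathroom", "sharedBathroom",
            "card", "cash", "invoice", "receipt",
            "freeCancellation", "noFreeCancellation")
IDX = {f: i for i, f in enumerate(FEATURES)}

# A product is a tuple indexed like FEATURES with entries True (mandatory),
# False (forbidden) or None ("don't care").  A total product has no None.


def phi(a):
    """Feature constraint on a total assignment a:
    (card xor cash) and (cash -> invoice) and (sharedRoom -> sharedBathroom)."""
    card, cash, invoice = a[IDX["card"]], a[IDX["cash"]], a[IDX["invoice"]]
    shared_room, shared_bath = a[IDX["sharedRoom"]], a[IDX["sharedBathroom"]]
    return ((card != cash)
            and (not cash or invoice)
            and (not shared_room or shared_bath))


def completions(p):
    """All total assignments obtained by fixing the don't-care entries of p."""
    free = [i for i, v in enumerate(p) if v is None]
    for bits in cartesian((False, True), repeat=len(free)):
        a = list(p)
        for i, b in zip(free, bits):
            a[i] = b
        yield tuple(a)


@lru_cache(maxsize=None)
def is_valid(p):
    """p is valid iff phi holds whichever Boolean values replace its
    don't-care entries (the criterion Section 2.2 gives for partial products)."""
    return all(phi(a) for a in completions(p))


def total_products():
    """Valid products with every feature selected or discarded (288 expected)."""
    return [a for a in completions((None,) * len(FEATURES)) if phi(a)]


def valid_products():
    """All valid partial products (4860 expected); brute force over 3^10 tuples."""
    return [p for p in cartesian((True, False, None), repeat=len(FEATURES))
            if is_valid(p)]


def mandatory(p):
    return frozenset(f for f in FEATURES if p[IDX[f]] is True)


def forbidden(p):
    return frozenset(f for f in FEATURES if p[IDX[f]] is False)


def below(p1, p2):
    """The paper's order: p1 is below p2 iff the mandatory and forbidden
    feature sets of p2 are included in those of p1."""
    return mandatory(p2) <= mandatory(p1) and forbidden(p2) <= forbidden(p1)


def maximal_products():
    """Valid products with no valid product strictly above them.  If some
    valid p2 is strictly above p, un-assigning any feature assigned in p but
    not in p2 yields a valid product (its completions are completions of p2),
    so testing single-feature relaxations is sufficient and exact."""
    maximal = []
    for p in valid_products():
        relaxable = False
        for i, v in enumerate(p):
            if v is None:
                continue
            relaxed = p[:i] + (None,) + p[i + 1:]
            if is_valid(relaxed):
                relaxable = True
                break
        if not relaxable:
            maximal.append(p)
    return maximal


def product_from(mandatory_features, forbidden_features):
    """Build a product tuple from the sets R (mandatory) and F (forbidden)."""
    p = [None] * len(FEATURES)
    for f in mandatory_features:
        p[IDX[f]] = True
    for f in forbidden_features:
        p[IDX[f]] = False
    return tuple(p)


if __name__ == "__main__":
    print(len(total_products()), "total configurations")
    print(len(valid_products()), "valid partial products")
    for p in maximal_products():
        print("maximal: R =", sorted(mandatory(p)), " F =", sorted(forbidden(p)))
```

Running the script lists four maximal products. Two of them have card mandatory and cash forbidden, differing in whether sharedBathroom is mandatory or sharedRoom is forbidden, which matches the descriptions of P4858 and P4859 in Section 2.4; the other two have cash and invoice mandatory and card forbidden, as stated there for P4854 and P4857. The product numbers themselves are assigned by the tool and are not reproduced by this example.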

FMCA: behavioural representations of the hotel reservation systems
As mentioned above, a feature constraint ϕ describes all the valid products of a product line. However, it has no immediate operational interpretation, in terms of the actions that the principals involved in a contract have to perform in order to achieve their goals. We address this operational aspect by using the aforementioned formalism of FMCA, which extend the model in [9]. The composition of two FMCA is itself an FMCA (see below) and it represents the composition of two service contracts.
Each FMCA A is a pair made of a special finite state automaton and a feature constraint ϕ, which is related to the automaton in the following way. The labels on the arcs of the automaton identify the actions for requests and offers, a subset of which corresponds to all features in ϕ. We say that A respects a product p whenever all features declared mandatory (forbidden, resp.) by p correspond to actions that are reachable (unreachable, resp.) from the initial state of A (cf. Definition 18 in Section 6). Moreover, each automaton describes a contract where the actions corresponding to offers are overlined and those to requests are not. Offers are all considered permitted, while requests are either permitted or necessary at different degrees, namely urgent or lazy (cf. Table 1 and Definition 2 in Section 3). In this way, besides expressing that a request has to be matched (by an offer), one can also specify to what extent this must occur, i.e. whether the request must always (an urgent request) or eventually (a lazy request) be matched in a contract. The behaviour of A is the language it accepts.
We now specify the automata of the three service contracts introduced in the beginning of this section. Actually, we will illustrate different behavioural descriptions. Notationally, permitted actions label dotted arcs, suffixed by ◇, while urgent and lazy requests label (red and green in the pdf) full arcs and are suffixed by □u and □ℓ, respectively (cf. Table 1 and

The automaton in Fig. 2 provides the behavioural description of service contract BusinessClient, in which a business client classifies the request for a room as urgent and the request for the invoice as lazy; all other actions have an obvious meaning and are permitted.

The automaton in Fig. 3 describes the Hotel behaviour. It has several points of non-determinism to comply with the requests of a BusinessClient as well as those of an EconomyClient. It also has cyclic behaviour enabling it to start new interactions with different clients. Finally, the hotel offers free breakfast (action freebrk◇) or requires to fill a captcha (action captcha◇) to clients that pay by card and request an invoice (for the sake of example), although not all of these actions have corresponding features.

The EconomyClient contract, depicted in Fig. 4, is similar to its business counterpart, but the single room request is lazy. Optionally a shared room is requested instead of a single room, and a shared bathroom is requested.
Composition of two FMCA is similar to standard automata composition, except that one's request actions have to be matched by the other's corresponding offers, if available. Inspecting the composition, we can determine whether services are compliant, in the sense that all requests are fulfilled (i.e., matched by offers). Additionally, we can further refine the composition so that only compliant behaviours are possible, as illustrated in Section 2.4.

Orchestrations of the hotel reservation systems product line
We intuitively show how to synthesise the orchestrations of the products of a product line, again in the form of an FMCA. The orchestration of a product p is defined as the largest sub-portion of A in agreement, i.e. all requests are matched by corresponding offers, and respecting p. Below, we discuss some examples of structural and behavioural variability.
Considering mandatory and forbidden feature constraints
We first illustrate structural variability. We start by computing the orchestration of the composition A = BusinessClient ⊗ Hotel ⊗ EconomyClient for product P4858, i.e. the mandatory features card and sharedBathroom are selected whilst the forbidden feature cash is discarded. The orchestration is in Fig. 5, where all requests are matched by corresponding offers. No interleaving of actions from either component can occur (except for freebrk), because as soon as a request is enabled, there is a matching offer available.
The orchestration of A for product P4859 is the same as in Fig. 5, but with state (q_B3, q_H8, q_E8) and its incident transitions removed. Indeed, in this product the feature sharedRoom is discarded, and hence so is the transition labelled by action sharedRoom leading to (q_B3, q_H8, q_E8).
The Hotel service product line has only two maximal products in this order that have non-empty orchestrations, namely P4858 and P4859. Instead, products P4854 and P4857 have empty orchestrations. Indeed, no cash payment is ever performed by either client (recall that for both, cash and invoice are mandatory, while card is forbidden). In addition, invoice is unreachable (in the clients' contracts), because card is forbidden.
Note that mandatory and forbidden feature constraints are more demanding than imposing a request action to be necessary: the feature constraints of a product are global to a whole FMCA, while necessary requests are local to its transitions. More in detail, if an action corresponding to a mandatory feature is unreachable, then agreement is violated (see above). Instead, unreachable necessary requests do not spoil contract agreement.
The orchestration of a product line is the union (in automata theory terms) of the orchestrations of its products. A main result of this paper is based on the notion of canonical product, requiring it to have non-empty orchestration and to satisfy a further mild condition of its forbidden actions (cf. Definition 19 in Section 6). We can compute the orchestration O of a product line as the union of those of its canonical products, only, because all the orchestrations of the non-canonical products are sub-automata of O. In our example, the orchestration O of the Hotel service product line is the union of the orchestrations of the two canonical products P4858 and P4859.
Considering necessary action requests
We now continue by illustrating behavioural variability. We first discuss why offers are always permitted. If free breakfast were a necessary offer in Hotel, then we would have the unrealistic scenario in which the hotel contract rejects all clients' contracts. Indeed, no agreement would be reached because in the clients' contracts there is no free breakfast request to match the offer.
Next we consider a composition of the Hotel service with both types of clients and we show how urgent requests can be used for enforcing priorities among service requests. To the best of our knowledge, this is not present in any other automata-based formalism.
In the following, orchestrations always refer to product P4858. If EconomyClient is served before BusinessClient, i.e. (EconomyClient ⊗ Hotel) ⊗ BusinessClient (we will see later that ⊗ is non-associative), then both lazy matches are present in the composition, so preventing the urgent match t_c = ((q_E0, q_H0, q_B0), (•, singleRoom, singleRoom)□u, (q_E0, q_H6, q_B6)). The absence of the urgent match causes the resulting orchestration to be empty. Intuitively, it should be the converse: the business client should be served before the economy client (i.e. t_c instead of t_a or t_b). In that case, i.e. (BusinessClient ⊗ Hotel) ⊗ EconomyClient, there does exist a non-empty orchestration respecting a business client's priority (cf. Fig. 5).

Modelling and analysing with the FMCAT tool
We implemented in Java a prototypical tool called FMCA Tool (FMCAT) that supports the definition of FMCA and that synthesises its orchestration in terms of its mpc. It is open source, and available at https://github.com/davidebasile/FMCAT, including the models used in this paper. FMCAT builds on CAT [18], a tool for contract automata, and it offers the functionalities described below. Our tool exploits FeatureIDE [19], an open-source framework for feature-oriented software development based on Eclipse, offering different feature model editing and management tools.
Modelling with FMCA decouples tasks of software engineers from tasks of experts in formal methods. Indeed, the syntactic description of a product line as a feature model (interpreted as feature constraint) and the description of its semantics as an automaton are separate concerns. By separating them, a software engineer can focus on designing a feature model and its valid products, leaving the task of specifying the operational semantics to an expert in formal modelling. Subsequently, these two aspects can be seamlessly integrated in the same FMCA, making it possible to detect inconsistencies between the syntactic and semantic levels of the same formalism. In general, a software designer would like to minimise the number of product configurations that do not admit safe behaviour (i.e. empty orchestrations). Indeed, valid products with empty orchestrations are such that the syntactic constraints provided by the feature model are not fulfilled by their behavioural descriptions. By inspecting the orchestration of the product line, one can detect all products with no safe behaviour (in the form of compliant services). If there are any, one either amends the feature model or their behavioural description so as to obtain non-empty orchestrations.
Consider once more the above example. The feature constraint ϕ of the Hotel service product line forces an invoice to be emitted in case of cash payments, and identifies cash and card payments as two alternative features. When the cash feature is selected, it requires also the invoice feature to be implemented while at the same time the card feature must not be implemented. However, in the behavioural description of the Hotel service in Fig. 3, an invoice is emitted only for credit card payments, whereas a mere receipt is provided in case of cash payments. As a result, the maximal products P4854 and P4857 are not canonical because they require the cash feature to be implemented. One can fix this inconsistency between ϕ and the behavioural description by either removing the constraint cash → invoice from ϕ or by swapping receipt with invoice in the Hotel automaton. Note that for detecting possible inconsistencies of this kind it suffices to only inspect the maximal products (here only 4), instead of all product configurations (here 288) with a total Boolean assignment.

Evaluation
To further corroborate our proposal, we provide an evaluation of the two main innovations proposed by FMCA: behavioural and structural variability.

Evaluating behavioural variability
First we evaluate behavioural variability, and in particular the gain in expressiveness due to the novel notion of semi-controllability. We will informally sketch an encoding of an FMCA into one without lazy transitions and estimate the differences in the state spaces of the two models.

Set-up of the evaluation
As stated in Section 1, while permitted and urgent actions are related to the notions of controllability and uncontrollability of SCT [7,8], respectively, lazy actions are related to a novel notion called semi-controllability. We recall that a lazy request must eventually be matched, rather than always, as is the case for urgent requests. Indeed, a lazy request allows us to model a frequent scenario in contracts where the satisfaction of a necessary request can be delayed, as in the case of the room request of EconomyClient. While the synthesis algorithm cannot prune "bad" urgent transitions, it can prune "bad" lazy transitions as long as there exists another lazy transition where the same request is matched (cf. Section 4). Note that in general it is not possible to know a priori whether a transition is bad or not, because this depends on the given requirements to enforce (e.g. agreement, forbidden and required actions).
Hence, the encoding A of an FMCA A containing n lazy transitions is the union of 2^n automata that are obtained by all possible combinations of pruning a subset of the n lazy transitions of A and turning the remaining lazy transitions into urgent ones. One such combination will prune exactly the same transitions pruned by the synthesis, and thus the resulting orchestration of the encoding will contain the orchestration of the original automaton A, among others that are not maximally permissive. In the worst-case scenario, the number of states of the encoding will be the number of states of the original automaton A multiplied by 2^n, plus an additional new initial state.
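As an added example (not code from the paper or from FMCAT), the following Python function carries out the construction just described on a small constructed automaton with two lazy transitions: one copy of the automaton per subset of pruned lazy transitions, the surviving lazy transitions relabelled as urgent, and a fresh initial state joining the copies. The transition representation and the way the fresh initial state is connected to the copies are this example's own assumptions; because no copies are merged, the state count of the result is exactly the worst-case figure |Q| · 2^n + 1 quoted above.

```python
"""Added example, not code from the paper or from FMCAT: the encoding of an
automaton with n lazy transitions into a union of 2^n automata that contain
only permitted and urgent transitions, together with the worst-case state
count |Q| * 2^n + 1.  The automaton representation and the wiring of the
fresh initial state are this example's own assumptions."""
from itertools import combinations

# A transition is (source, label, modality, target) with modality one of
# "permitted", "urgent", "lazy".  Constructed toy contract: a client that
# requests a single room lazily on two alternative paths.
TOY_STATES = ("q0", "q1", "q2", "q3")
TOY_INITIAL = "q0"
TOY_TRANSITIONS = (
    ("q0", "singleRoom", "lazy", "q1"),
    ("q0", "sharedRoom", "permitted", "q2"),
    ("q2", "singleRoom", "lazy", "q3"),
    ("q1", "card", "urgent", "q3"),
)


def encode_without_lazy(states, initial, transitions):
    """Build one copy of the automaton per subset S of its lazy transitions:
    S is pruned and the other lazy transitions become urgent.  A fresh initial
    state is connected to each copy's initial state by a permitted transition
    labelled "tau" (an assumption of this example; the text only says that a
    new initial state is added).  Returns (states, initial, transitions)."""
    lazy = [t for t in transitions if t[2] == "lazy"]
    non_lazy = [t for t in transitions if t[2] != "lazy"]
    new_initial = "init*"
    enc_states = {new_initial}
    enc_transitions = []
    copy_no = 0
    for k in range(len(lazy) + 1):
        for pruned in combinations(lazy, k):
            tag = f"#{copy_no}"  # suffix that keeps the copies' states apart
            copy_no += 1
            enc_states.update(q + tag for q in states)
            enc_transitions.append((new_initial, "tau", "permitted", initial + tag))
            for (src, lbl, mod, dst) in non_lazy:
                enc_transitions.append((src + tag, lbl, mod, dst + tag))
            for t in lazy:
                if t not in pruned:
                    src, lbl, _, dst = t
                    enc_transitions.append((src + tag, lbl, "urgent", dst + tag))
    return enc_states, new_initial, enc_transitions


def worst_case_states(num_states, num_lazy):
    """The estimate for the encoding: |Q| * 2^n plus the new initial state."""
    return num_states * 2 ** num_lazy + 1


def encoded_state_count(states, initial, transitions):
    """Actual number of states of the (unminimised) encoding."""
    enc_states, _, _ = encode_without_lazy(states, initial, transitions)
    return len(enc_states)


def modalities_in_encoding(states, initial, transitions):
    """Set of modalities that survive the encoding; never contains 'lazy'."""
    _, _, enc_transitions = encode_without_lazy(states, initial, transitions)
    return {t[2] for t in enc_transitions}


if __name__ == "__main__":
    n = sum(1 for t in TOY_TRANSITIONS if t[2] == "lazy")
    print("lazy transitions:", n)
    print("states of the encoding:",
          encoded_state_count(TOY_STATES, TOY_INITIAL, TOY_TRANSITIONS))
    print("worst-case estimate:", worst_case_states(len(TOY_STATES), n))
```

With 4 states and 2 lazy transitions the encoding has 4 copies and 17 states; doubling the number of lazy transitions in the toy contract would double the number of copies again, which is the exponential growth the evaluation measures.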
FMCAT has been equipped with a functionality that estimates the worst-case number of states of the encoding discussed above. Table 2 reports the results of the tool for the compositions discussed in this section. For each automaton we display the number of states, the number of lazy transitions and an estimate of the number of states of the encoding. As expected, the results show that in the worst case there is an exponential growth in the number of states of the automata, which quickly makes their analysis and usage intractable.
Concluding, the possibility offered by FMCA of primitively expressing necessary requests that must eventually be satisfied allows us to reduce the number of states by an exponential factor with respect to other formalisms that only support controllable and uncontrollable actions.
Evaluating structural variability
We now evaluate the structural variability of FMCA, and in particular the introduction of a partial order of products to reduce the number of configurations used to compute the orchestration (i.e. the most permissive controller) of the family. While the literature contains other attempts at synthesising the most permissive controller of a product line [20,21] (cf. Section 7), these require computing the most permissive controller for each product (in which all variability has been resolved) without ordering the products. On the other hand, FMCA only considers canonical products. As shown in the remaining part of this section, ordering the products allows us to improve the performance and reduce the state space. To evaluate the benefits introduced by FMCA, FMCAT was equipped with a functionality for computing the most permissive controller of a family with or without taking advantage of such a partial order of products.
The results are displayed in Table 3. The table reports for each automaton the number of states and the time needed by FMCAT to compute it. It also reports the number of configurations for which an orchestration has been synthesised and the configurations for which the orchestration is non-empty. These last two columns are relevant when computing the orchestration of the family. The first six rows report the various compositions used in this section. The next four rows report the orchestration of these compositions for a specific product (denoted as K_A^p, where A is the composition and p is the product). These are the orchestrations discussed in Section 2.4. The next three rows report the orchestration of the family for the various compositions, by exploiting the partial order of products. In this case, the computation only requires analysing the four canonical products. As previously discussed, products P4858 and P4859 are the only two canonical products used in the orchestration of the family. Finally, the remaining three rows display once again the orchestration of the whole family, but this time without exploiting the partial order. In this last case, computing the orchestration requires analysing the 288 products originally generated by FeatureIDE, where those with non-empty orchestrations are:

These four products are indeed those generating the orchestration of the family without exploiting the partial order. In particular, the orchestrations for products P182 and P190 are identical to those of products P4858 and P4859. However, the orchestration of the family also includes two non-relevant products, namely P86 and P94. Indeed, the orchestrations of products P86 and P94 are included in those of products P182 and P190, and thus are not significant for characterising the orchestration of the family.
In conclusion, the experiments empirically show that FMCA, and in particular their partial order of products, reduce both the state space of the orchestration of the family and the time needed to compute it.

Featured modal contract automata
We now formally define Featured Modal Contract Automata (FMCA), borrowing the following notation from [6,22]. In our framework, we distinguish basic actions belonging to the sets of requests We define the involution co : → such that (abusing notation) we denote the concatenation of m vectors v i . From now onwards, we stipulate that in an action vector a there is either a single offer, or a single request, or a single pair of request and offer that match, i.e. there exists exactly one pair i, j such that a (i) is an offer and a ( j) is the complementary request; all the other elements of the vector contain the symbol •, meaning that the corresponding principals remain idle. In the following, let • m denote a vector of rank m, all elements of which are •.
Actions a and b are complementary, denoted by a 1 b, iff the following holds: (i) ∃ α ∈ R ∪ O s.t. a is either a request or an offer on α; (ii) a is an offer (request, resp.) on α implies that b is a request (offer, resp.) on co(α).
The actions and states of contract automata are vectors of basic actions and states of principals, respectively. The alphabet of an FMCA consists of vectors, each element of which intuitively records the execution of basic actions of principals in the contract.
An FMCA declares a product line of service contracts through (i) permitted and necessary transitions; and (ii) a feature constraint ϕ identifying all valid products (cf. Section 4). Modalities (i.e. permitted and necessary) classify requests and matches, while all offers are permitted. Offers and permitted requests reflect optional behaviour and can thus be discarded in the orchestration. We further partition the set of necessary requests into urgent and lazy requests. Since these requests must be matched to reach an agreement among contracts, they express another layer of variability that specifies whether a necessary request must always or only eventually be matched in a contract. This extension leads to an increasing degree of controllability, as formally shown in Section 3.2. Table 1 in Section 2 depicts the different types of basic actions.
The definition of an FMCA follows, which is essentially a finite state automaton with an alphabet of basic actions appropriately partitioned, plus a propositional logic formula used to characterise the product line.

Definition 2 (Featured modal contract automata). Assume as given a finite set of states
finite sets of permitted, urgent and lazy requests, resp.; we denote the set of requests by

is the set of transitions partitioned into permitted transitions T 3 and
necessary transitions T 2 , constrained as follows. Given t = ( q, a, q ) ∈ T , * a is either a request or an offer or a match ϕ is a propositional logic formula, whose atoms belong to R ∪ O -F ⊆ Q is the set of final states A principal FMCA (or just principal) has rank 1 and A r ∩ co( A o ) = ∅.
For brevity, unless stated differently, we assume a fixed Subscript A may be omitted when no confusion can arise. Moreover, if not stated otherwise, each operation f on one of the elements of the tuple (e.g. union f (A r )) is intended to homomorphically act on its elements (e.g. ). Also, let T 3 ∪ 2 be a shorthand for T 3 ∪ T 2 and likewise for other transition sets. Finally, we call a transition t request, offer or match if its label is such. An FMCA recognises a language over (annotated) actions.
By an abuse of notation, the modalities can be attached to either basic actions or to their action vector (thus, e.g., (a2 , a) ≡ (a, a)2 ).

Composing FMCA
The FMCA operators of composition are crucial for generating (at binding time) an ensemble of services. By adding new services to an existing composition, it is possible to dynamically update the product line (i.e. both its feature model and its behaviour) and to synthesise, if possible, a composition satisfying all requests defined by the service contracts (cf. Section 4).
A set of FMCA is composable if and only if the conjunction of their feature constraints leads to no contradiction.

Definition 4 (Composable). A set
We now formally define our first (non-associative) composition operation, intuitively presented in Section 2. Its operands A i , i ∈ 1 . . . n are either principals or composite services. Intuitively, product composition ⊗ partially interleaves the actions of all operands, with one restriction: if two operands A i and A j are ready to execute two complementary actions (i.e.  In the following, we assume every FMCA A of rank r A > 1 to be composed by FMCA with the composition operators described in this section. We now define the projection operator i (A), which retrieves the principal A i involved in A and identifies its original transitions and feature constraint. This operator is now formally defined (recall from Definition 2 that the set A r is the union of all requests, permitted and necessary, while T 3 and T 2 partition the set T ). Note that ϕ = i∈1...n ϕ i as dictated by Definition 5.

Definition 6 (Projection). Let
The associative composition operator 4 is defined below on top of the operators ⊗ and . First, the corresponding principals of the operands are extracted by and then they are recomposed all together in a single step by ⊗. This causes all pre-existing matches to be rearranged.

Definition 7 (A-composition)
. Let A 1 , A 2 be two composable FMCA of rank m and n, resp., and let Then the a-product composition of A 1 and A 2 is Note that 4 models a dynamic composition policy: new services joining composite services can intercept already matched actions.
Hence, by changing the composition operators or the order of composition, different composite FMCA can be obtained, as exemplified below.

Controllability
We base our algorithm for orchestration synthesis on that used to obtain the most permissive controller (mpc) in Supervisory Control Theory (SCT).
The purpose of SCT is to synthesise the mpc that enforces only "good" computations in finite state automata in which forbidden states are never traversed while marked (i.e. final) states represent the successful termination of a task. To this aim, SCT distinguishes controllable actions (those that the controller can disable) and uncontrollable actions (those that are always enabled), besides partitioning actions into observable and unobservable (obviously uncontrollable). If all actions are observable, then an mpc exists which never blocks a good computation, if any. Ideally, the actions that ruin an orchestration of service contracts should be removed by the synthesis algorithm. However, this can only be done for actions that are controllable in the orchestration.
Besides the classical controllable and uncontrollable actions, we introduce the new semi-controllable ones. Moreover, we call a transition controllable/uncontrollable if its action label is such.
All permitted actions are fully controllable. Urgent actions (i.e. requests and matches) are uncontrollable. Note that in these cases controllability and uncontrollability can be checked locally on a single transition.
Lazy actions (i.e. requests and matches) are semi-controllable. A semi-controllable transition turns out to be either controllable or uncontrollable, depending on a global condition to be checked on the whole automaton resulting from a composition. If this condition is satisfied, then the semi-controllable transition is controllable, otherwise it is uncontrollable. The condition states that the request (labelling the semi-controllable transition) must be matched in at least one transition of the automaton. Note that this is not the case for urgent actions, which are uncontrollable in every transition in which they appear. The synthesis algorithm can therefore safely discard those lazy transitions leading to bad states (because they are controllable), provided that in the resulting automaton that specific request has been matched somewhere else. The following auxiliary definition will help in defining semi-controllability. It introduces dangling states, i.e. those that are unreachable or from which no final state can be reached.

Definition 8 (Dangling state). The state q ∈ Dangling(
The next definition classifies the transitions in an FMCA A. Differently from standard SCT, all the transitions of an FMCA are observable, because contracts declare the executions of a principal in terms of their requests and offers. We then define which transitions are controllable and which are not, stating the conditions that make a semi-controllable transition t controllable. Intuitively, t is controllable if in a given portion of A there exists a lazy match transition t , with source and target not dangling, such that in both t and t the same principal, in the same local state, does the same request. Otherwise, t is uncontrollable. In what follows, we call A a sub-automaton of A (in symbols A ⊆ A) whenever ϕ A = ϕ A and the other components of A are included in the corresponding ones of A.
Definition 9 (Classifying transitions). Let t = ( q 1 , a 1 , q 1 ) be an (observable) transition in A. Then
- If a 1 is an action on a ∈ A 3 , then t is controllable (in A);
- If a 1 is a request or a match on a ∈ A 2 u , then t is uncontrollable (in A);
- If a 1 is a request or a match on a ∈ A 2 , then t is semi-controllable (in A).
Example 3. Consider A = BusinessClient ⊗ Hotel ⊗ EconomyClient from Section 2, its orchestration K A P4858 in Fig. 5 Thus, t is safely removed in K A P4858 because the corresponding request appears in another transition in a match (in this example t ).

Example 4. Consider A = BusinessClient ⊗ Hotel from Example 1 and its orchestration K
Conversely, consider the ill-formed orchestration K ill in Fig. 7, obtained from K A P4858 by removing states q B2,H9 and q B3,H7 and their incident transitions (including t ). Now no other matches for invoice2 are reachable. Hence, in this case, t is uncontrollable in K ill . Indeed, K ill cannot be synthesised starting from A because t cannot be removed without violating the constraints in A.

Controller synthesis for FMCA
We now extend the standard synthesis algorithm of SCT for computing the mpc to also deal with the newly introduced semi-controllable actions. Of course, with only urgent and permitted actions, the standard synthesis of SCT is immediately applicable. Moreover, we want to synthesise an orchestration of services that satisfies the feature constraint. To this aim, the synthesis algorithm computes the mpc of a valid product of the product line.
We first recall from [9] the properties of (modal) agreement and of (modal) safety of FMCA. Intuitively, a trace is in agreement if it is made of matches and offer actions only. An FMCA is safe when all traces of its language are in agreement, and it admits agreement when at least one of its traces is such.  Fig. 6 admits agreement because the following trace belongs to its language and to the set A (singleRoom, singleRoom)2 u (noFreeCancellation, noFreeCancellation)3

(privateBathroom, privateBathroom)3(card, card)3(receipt, receipt )3
A few auxiliary definitions follow, which help to present our algorithm for synthesising an orchestration of an FMCA, viz. its maximal safe sub-portion.
Whilst generally products are total interpretations of a feature constraint, in a product we allow some atoms to have a "don't care" value by letting the interpretation function be partial. We now define when a product is valid under a given, possibly partial, interpretation, and which basic actions are mandatory and which are forbidden in the contract.
Now, we formally define when a state is "bad", i.e. when a transition outgoing from it cannot be blocked by the orchestrator although it is forbidden or is a request that is not matched. Such transitions violate either the constraint imposed by the predicate ϕ or the agreement property. We also define when a transition of an FMCA is forced by its controller. Before giving the algorithm that synthesises an orchestration for a contract, we introduce the notion of mpc for an FMCA.

Definition 12 (Uncontrollable disagreement). Let A be an FMCA, K ⊆ A, and let p ∈ Jϕ
Intuitively, given A and one of its valid products p, the mpc K of p is an FMCA that allows all traces of A in agreement with no states in uncontrollable disagreement w.r.t. p by K, and blocks all the others. Moreover, all actions that are mandatory in p must occur in K whilst none of the forbidden ones. It turns out that K is unique up to language equivalence.
Definition 13 (mpc of product). Let A, K be FMCA and let p ∈ Jϕ A K. Then K is a controller of p iff the following hold A controller K of valid product p of A is the most permissive (modal) controller (mpc) iff for all controllers K of p, L (K ) ⊆ L (K) holds.

Example 7.
All orchestrations discussed in Section 2 are the mpc of their corresponding service composition for either products P4858 or P4859.
The rest of this section presents an iterative algorithm that, given an FMCA A, computes the mpc of one of its products p.
Intuitively, the algorithm iteratively builds the set of bad states, i.e. those in uncontrollable disagreement, and it detects the bad transitions, i.e. those leading to such states. Recall that the bad states are those that cannot prevent a necessary request or a forbidden action from eventually being executed. Checking whether a transition is bad requires inspecting the whole automaton A in order to decide whether a given transition is controllable or uncontrollable (cf. Definition 9). Apart from discarding the transitions forbidden by the product p, this is the main difference between our synthesis algorithm and the standard synthesis algorithm of [7], while, as expected, our algorithm still removes all requests that are not matched.
More precisely, we first let the initial mpc K 0 be the whole A, from which we remove its bad controllable transitions.
The auxiliary set of bad states R 0 is also initialised with the source states of the bad uncontrollable transitions and with the dangling states of K 0 . At each iteration i, the algorithm prunes the controllable transitions with bad target and the uncontrollable transitions with bad source from K i . Moreover, R i is updated by adding to R i−1 (i) the newly generated dangling states; (ii) the sources of uncontrollable transitions with bad target; and (iii) the sources of those transitions (of A) not belonging to K i that become uncontrollable (and bad) because of the pruning above, i.e. the sources of those transitions that turned from semi-controllable to uncontrollable because of pruning (cf. Definition 9). The algorithm terminates when no new updates are available, and the synthesised automaton, say K n , is the mpc of p. Of course, if the initial state is bad (in R n ) or some action mandatory in valid product p is unavailable in K n , then the mpc is empty.

Definition 14 (Synthesis).
Let A be an FMCA and let p ∈ Jϕ A K. The function f : FMCA × 2 Q → FMCA × 2 Q is iteratively defined as follows.
A on a uncontrollable in K 0 and (t request ∨ a ∈ Forbidden(p)) }.
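As an added, self-contained illustration of Definitions 8, 9 and 14 (this is example code, not the paper's FMCAT implementation), the following Python implements the iterative pruning of bad transitions and bad states described above over a small constructed client/hotel composition. States are vectors of local states, each transition records which principal issues the request, and the product is given directly by its forbidden and mandatory action sets; the final removal of dangling states from K n is an assumption about Definition 15, whose text is not reproduced on this page.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Set, Tuple

State = Tuple[str, ...]                 # composite state: one local state per principal


@dataclass(frozen=True)
class Transition:
    src: State
    action: str                         # basic action, e.g. "card"
    kind: str                           # "request" | "offer" | "match"
    modality: str                       # "permitted" | "urgent" | "lazy"
    dst: State
    requester: Optional[int] = None     # index of the requesting principal (None for offers)


@dataclass(frozen=True)
class FMCA:
    initial: State
    finals: FrozenSet[State]
    transitions: FrozenSet[Transition]


def dangling(initial: State, finals: Iterable[State], trans: Iterable[Transition]) -> Set[State]:
    """Definition 8: states unreachable from the initial state or from which no final is reachable."""
    trans = set(trans)
    states = {initial} | set(finals) | {t.src for t in trans} | {t.dst for t in trans}
    fwd, bwd = {initial}, set(finals)
    changed = True
    while changed:                      # forward and backward closure up to a fixed point
        changed = False
        for t in trans:
            if t.src in fwd and t.dst not in fwd:
                fwd.add(t.dst); changed = True
            if t.dst in bwd and t.src not in bwd:
                bwd.add(t.src); changed = True
    return {q for q in states if q not in fwd or q not in bwd}


def controllable(t: Transition, k_trans: Iterable[Transition], k_dang: Set[State]) -> bool:
    """Definition 9 evaluated in a (sub-)automaton K: permitted actions are controllable,
    urgent ones uncontrollable, and a lazy (semi-controllable) transition is controllable
    only if K has a lazy match, between non-dangling states, in which the same principal
    in the same local state does the same request."""
    if t.modality == "permitted":
        return True
    if t.modality == "urgent":
        return False
    i = t.requester
    return any(u.modality == "lazy" and u.kind == "match" and u.action == t.action
               and u.requester == i and u.src[i] == t.src[i]
               and u.src not in k_dang and u.dst not in k_dang
               for u in k_trans)


def synthesise(A: FMCA, forbidden: Set[str], mandatory: Set[str]) -> FrozenSet[Transition]:
    """Definition 14 iterated to its fixed point: returns the transitions of the mpc of the
    product with the given Forbidden/Mandatory sets, or an empty set if the mpc is empty."""
    def bad_label(t: Transition) -> bool:   # an unmatched request or a forbidden action
        return t.kind == "request" or t.action in forbidden

    dang = dangling(A.initial, A.finals, A.transitions)
    # K_0: A without its bad controllable transitions
    K = {t for t in A.transitions if not (controllable(t, A.transitions, dang) and bad_label(t))}
    dang = dangling(A.initial, A.finals, K)
    # R_0: sources of bad uncontrollable transitions plus the dangling states of K_0
    R = dang | {t.src for t in A.transitions if not controllable(t, K, dang) and bad_label(t)}
    while True:
        K_new = {t for t in K
                 if not (controllable(t, K, dang) and t.dst in R)          # controllable, bad target
                 and not (not controllable(t, K, dang) and t.src in R)}    # uncontrollable, bad source
        dang = dangling(A.initial, A.finals, K_new)
        # sources of transitions of A that are, or have turned, uncontrollable in K_i and are bad
        R_new = R | dang | {t.src for t in A.transitions
                            if not controllable(t, K_new, dang) and (t.dst in R or bad_label(t))}
        if K_new == K and R_new == R:
            break
        K, R = K_new, R_new
    if A.initial in R:
        return frozenset()
    live = frozenset(t for t in K if t.src not in dang and t.dst not in dang)  # assumed Def. 15 step
    if any(all(t.action != a for t in live) for a in mandatory):
        return frozenset()                  # a mandatory action is unavailable: empty mpc
    return live


# Constructed composition of a client (index 0) and a hotel (index 1); not the paper's figures.
T1 = Transition(("b0", "h0"), "card", "match", "permitted", ("b1", "h1"), 0)
T2 = Transition(("b0", "h0"), "cash", "match", "permitted", ("b1", "h1"), 0)
T3 = Transition(("b1", "h1"), "invoice", "match", "lazy", ("b2", "h2"), 0)
T4 = Transition(("b1", "h1"), "invoice", "request", "lazy", ("b2", "h1"), 0)   # same request, unmatched
T5 = Transition(("b2", "h1"), "receipt", "offer", "permitted", ("b2", "h3"))
T6 = Transition(("b1", "h1"), "freebrk", "offer", "permitted", ("b1", "h4"))
T7 = Transition(("b1", "h4"), "spa", "request", "urgent", ("b3", "h4"), 0)      # never matched
HOTEL = FMCA(("b0", "h0"), frozenset({("b2", "h2"), ("b2", "h3"), ("b3", "h4")}),
             frozenset({T1, T2, T3, T4, T5, T6, T7}))

if __name__ == "__main__":
    for t in sorted(synthesise(HOTEL, {"cash"}, {"card"}), key=lambda t: t.action):
        print(t.src, t.action, t.kind, t.modality, t.dst)
    print("product forbidding invoice:", synthesise(HOTEL, {"invoice"}, set()))
```

For the product forbidding cash, the lazy request T4 is discarded because T3 matches the same request from the same local state, while the urgent request T7 makes its source bad and drags the offer T6 with it; forbidding invoice instead removes T3, turns T4 uncontrollable, and the mpc collapses to empty.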
The following property is immediate.

Proposition 1. Given two FMCA A, A and two sets of states R, R , let
The function f of Definition 14 is monotone w.r.t. ≤ and, stipulating that K 0 is as in Definition 14, its unique fixed point is: The definition of the mpc for a valid product p is now straightforward.
Then the mpc K A p for the valid product p of A is: We now prove the main result of this section.

Theorem 1 (mpc for product). Let A be an FMCA and let p ∈ Jϕ A K be a valid product. The FMCA K A p computed through Definition 15 is the mpc for the valid product p of A.
Once the mpc has been obtained, one can construct the controlled system through a standard synchronous composition of A and K A p (and not through the operators in Definition 5). As a matter of fact, it is unnecessary to specify the controlled system, because in our framework the mpc is the orchestration itself, and the needed interactions between the orchestrator and the principals are left implicit (for a longer discussion, cf. [22]).

Refining FMCA
Based on the notion of controllability of Definition 9, we now define a refinement relation between FMCA in the classical sense, such that a refined automaton (i.e. one with fewer states and/or transitions) still preserves certain properties of interest of the original automaton. We will then use this notion to efficiently compute the orchestration of a given product line.
As for the standard modal refinement [23], we stipulate that an FMCA A r refines an FMCA A when T A r ⊆ T A . More precisely, all the uncontrollable transitions of A are also present in A r , and a subset of the controllable ones of A also belong to A r . In addition, we require that a semi-controllable transition that is controllable in A must be present in A r , if it turns out to be uncontrollable there (this means that all the transitions making it controllable in A are not present in A r , as dictated by Definition 9).

Definition 16 (Refinement of FMCA). Let A and A r be two FMCA. Then
Finally, A r is a refinement of A, in symbols A r A, if it is obtained from a pre-refinement of A by removing all the dangling nodes and the transitions they share. Fig. 6 and the automaton K obtained by adding to K A P4859 transition t = ( q B2,H2 , (invoice, invoice )2 , q B3,H7 ), state q B3,H7 and transition ( q B3,H7 , (freebrk3, •), q B3,H3 ).
Then the refinement K A P4859 K holds because t ∈ T K is semi-controllable in K A P4859 and controllable via ( q B2,H9 , (invoice, invoice )2 , q B3,H3 ).
Finally, consider again K ill from Example 4 in Fig. 7; in this case it holds that K ill K because t ∈ T K , t / ∈ K ill but t is uncontrollable in K ill .
The next theorem states that the mpc of valid product p of A produces the largest refinement of the principals in A guaranteeing that there exists an agreement among the parties. Intuitively, if a permitted action does not spoil the overall agreement, then it will be available in the composition of services.

Theorem 2 (Largest refinement). Let A = i∈I A i be a composition of principals A i , let p be a valid product of A, let K A p = be its mpc computed through Definition 14 and let ∀i ∈ I : i (K A p ) = A r i be its principals. Then:

Example 9. Let K be the orchestration of BusinessClient ⊗ Hotel in Fig. 6. Then ( 1 (K) = Client p ) BusinessClient.

Feature constraints and products
In Section 4, we presented the algorithm for synthesising an orchestration of service contracts for a specific product of a product line. The number of valid products of a product line is in general exponential in the number of features [17]; here we construct the orchestration of the entire product line using only a small selected subset of valid products.
All valid products JϕK of a product line can be partially ordered by (component-wise) set inclusion, providing us with the basis for computing the orchestration of a product line.  words p is a sub-product of p or p is a super-product of p) iff component-wise

Example 10.
The feature constraint ϕ in Section 2 has 4860 valid products (recall that we also consider partially interpreted products). Three exemplary products are the maximal product P4858 (cf. Section 2) with mandatory features {card, sharedBathroom} and forbidden feature {cash}, product P4829 with mandatory features {card, sharedBathroom} and forbidden features {cash, freeCancellation} and, lastly, product P4832 with mandatory features {card, sharedBathroom, privateBathroom} and forbidden feature {cash}. It thus follows that P4829 P4858 and P4832 P4858.

FMCA respecting valid products
The validity of a product p is defined in logical terms, but it is convenient to see how it is reflected in the behaviour of an FMCA A. Intuitively, all the mandatory actions in p correspond to executable transitions in A and no actions forbidden in p have executable counterparts in A.

Definition 18 (Respecting validity).
An FMCA A respects p ∈ Jϕ A K iff 1. ∀ a ∈ Mandatory(p) ∃ ( q, a, q ) ∈ T A s.t. a is an action on a and q, q / ∈ Dangling(A), and 2. ∀ b ∈ Forbidden(p) ( q, b, q ) ∈ T A s.t. b is an action on b and q, q / ∈ Dangling(A).
We now prove that the partial order on valid products is such that if A respects one of them, then it respects all its super-products.

Theorem 3 (Respecting validity is preserved by ). Let
A be an FMCA and let p, p ∈ Jϕ A K. Then: (A respects p and p p ) implies A respects p

Example 11. While P4858 and P4859 from Section 2 are maximal products featuring payments made by credit card, the maximal products P4854 and P4857 correspond to the Hotel product requiring payments by cash (and hence forbidding payments by credit card). Both products P4858 and P4859 are respected by BusinessClient ⊗ Hotel ⊗ EconomyClient (cf. Fig. 5), whereas P4854 and P4857 are not. Consider again product P4829 from Example 10. Since P4829 P4858 and BusinessClient ⊗ Hotel ⊗ EconomyClient respects P4829, it also respects P4858. Moreover, no sub-product of P4854 or P4857 is respected by any of the given orchestrations (clients never pay cash).
The theorem above suggests an efficient procedure for singling out valid products respected by A: visit the partially ordered set (JϕK, ) in top-down fashion, starting from the maximal ones, and discard the subsets of products rooted in p if A does not respect p.
The following lemma relates (i) the existence of an mpc for a valid product p of A to (ii) the notion of respecting validity. While (i) implies (ii), the two notions imply each other whenever the set of actions mandatory in p is non-empty. Finally, Lemma 1(5) complements Theorem 3 and says that if a valid product p has a non-empty mpc, then there exists a p such that p p and p has a non-empty mpc.

Lemma 1. Let K A p be the mpc of a product p of A. Then:

(K A p respects p and Mandatory(p) = ∅) implies L (K
Example 12. Consider BusinessClient ⊗ Hotel ⊗ EconomyClient from Section 2. The orchestrations of products P4858 and P4859 are non-empty, and by Lemma 1(3) it follows that both products are respected in their orchestration. Conversely, since both products have a non-empty mandatory set of actions and are respected by their corresponding mpc, by Lemma 1(4) it follows that their orchestrations are non-empty. Finally, consider products P4832 and P4829, which are both sub-products of P4858 (cf. Example 10). By Lemma 1(5) it follows that there exists a sub-product of P4858 with non-empty orchestration. Actually, both products P4832 and P4829 are such.
Note that in general the converse of Lemma 1(3) does not hold, because respecting validity ignores agreement, which is enforced by the mpc. A trivial counterexample is an A not admitting agreement and with products with no mandatory features.
The following lemma shows that the mpc K A p for a valid product p of A is a refinement of the mpc K A p of a super-product p . In other words, the partial order on valid products induces a refinement of controllers.

Lemma 2. Let
A be an FMCA and let p, p ∈ Jϕ A K. Then:

Example 13. Consider again A = BusinessClient ⊗ Hotel ⊗ EconomyClient from Section 2, the maximal product P4858, and its sub-product P4844 with mandatory features {card, sharedBathroom} and forbidden features {cash, sharedRoom}. Since the orchestration K A P4844 is non-empty, by Lemma 2 it is a refinement of the orchestration K A P4858 of A for product P4858 (depicted in Fig. 5). Indeed, K A P4844 is obtained from K A P4858 by removing state q B3,H8,E8 and its incident transitions.
An important consequence of Lemma 2 is that we can compute the orchestration O A of a product line A without generating the mpc for each of its valid products. Indeed, O A is the union of some controllers of certain valid products defined below, where we introduce the relation that is clearly an equivalence relation. Note that in the following we refer to the set of valid products of A with non-empty controllers, partially ordered in the usual way.

Definition 19 (Canonical products). Let
A be an FMCA, let p, p ∈ Jϕ A K, let ME(A) be the set of maximal elements of ({p | L (K A p ) = ∅}, ), let p p iff Forbidden(p) = Forbidden(p ) and let the canonical products p c ∈ CP (A) be the representatives of the equivalence classes of ME (A)/ .
Intuitively, a canonical product represents all the maximal elements in that have the same set of forbidden actions. Note that the information about mandatory actions is ignored by the equivalence relation because we are only considering non-empty controllers.

Example 14.
For A = BusinessClient ⊗ Hotel ⊗ EconomyClient from Section 2, as before, we obtain ME(A) = {P4858, P4859}. Furthermore, the product P4844 of Example 13 has the same set of forbidden features as maximal product P4857, and P4844 P4857. Finally, P4858 and P4859 are the canonical elements of their (singleton) equivalence class in ME(A)/ .
The orchestration of the product line is now defined as the union of the orchestrations of the canonical products, where union is the standard operation on automata.
Definition 20 (Orchestration of product line). The orchestration of an FMCA A is defined as:

The canonical products fully characterise the mpc of each valid product in A as a refinement of the orchestration of the product line, as guaranteed by the following theorem.
Consider again A = BusinessClient ⊗ Hotel ⊗ EconomyClient from Section 2. Its orchestration of the product line Example 13) and, by Theorem 4,

We now sketch an algorithm that incrementally computes the synthesis of the mpc for a valid product p of A (starting from the canonical products). First compute the mpc of the immediate super-products of p, then intersect all the resulting automata (with the standard intersection operation on automata) and, finally, apply to it the procedure defined in Definition 15 to obtain K A p . This algorithm is based on Theorem 4 and its correctness is guaranteed by the following theorem.
The algorithm sketched above is more efficient than the standard ones (cf., e.g., [20]) that compute the controllers for all the valid products of a given product line, without taking advantage of the fact that they share some parts, as expressed by the relation .

Related work
Many formalisms exist for modelling and analysing service contracts. In this section, we first discuss some main differences between the most representative ones and FMCA, after which we discuss the basic differences with automata-based formalisms from Component-Based Software Engineering.
In [24][25][26], behavioural contracts of web services are described by CCS-like process algebras, which model service features through input and output actions that synchronise. They have different, generally weaker notions of contract compliance than ours, e.g. only involving two parties. Choreographies were studied in [26] by seeing them as compound services, similar to our composed services, except that service competition was not considered. Sessions and session types [27][28][29][30][31] were introduced to reason over the behaviour of orchestrations and choreographies in terms of service interactions. Differently from our proposal, none of the above papers considers different levels of criticality of service interactions (cf. [32] for a survey).
As anticipated, FMCA builds upon contract automata [6] that were used to study several issues arising in a composition of service contracts. In particular, the problem of circular dependencies among contracts was investigated by defining weak agreement. Roughly, this property considers acceptable traces where requests are recorded as debits that in the future are satisfied by the corresponding offers. It was studied for so-called competitive and collaborative contracts, with the results that generally safety is preserved in collaborative contracts and not in competitive ones. Weak agreement is suitably checked by algorithms for network flow optimisation. Contract automata were also related to two intuitionistic logics introduced for modelling circular dependencies among contracts. Orchestration and choreography of contract automata was investigated in [22], by identifying the conditions for dismissing the central orchestrator for both synchronous and asynchronous choreographies, thus avoiding the overhead due to the interactions between services and the orchestrator. Controller synthesis of contracts was recently extended to a real-time setting [33,34], where it is rendered as a winning strategy for timed contract games.
The definition of FMCA also borrows from two automata-based formalisms, namely Modal Transition Systems (MTSs) [35,36] and Featured Transition Systems (FTSs) [37]. Our distinction into permitted and necessary transitions, borrowed from [9], was inspired by MTSs, while the explicit incorporation of feature constraints comes from FTSs. Compared to FMCA, neither of these two formalisms can explicitly handle dynamic composition and orchestration, by means of which new services that join composite services can intercept already matched actions. Such a compositionality is a basic characteristic that FMCA inherited from contract automata.
The accidentally homonymous contract automata of [38] model generic legal contracts between two parties, expressed in natural language. Their states are tagged with deontic modalities in the form of obligations and permissions. These modalities are similar to our necessary and permitted requests, but they have no degree of criticality. FMCA target a different domain, viz. multi-party service contracts. Moreover, [38] studies techniques for resolving contract violations, while the focus of our compositional approach is on the synthesis of an orchestration of services.
Within the area of Component-Based Software Engineering, there are many formalisms for describing and composing components, similar to behavioural contracts. We briefly survey some of them. I/O automata [39] are input-enabled, i.e. in any state they are ready to receive any possible input from the environment, and composition is restricted to automata that do not share external actions. Therefore, they cannot model contracts that compete on offering or requesting the same service, a key feature of FMCA. Interface automata [40] are not input-enabled, rather they broadcast offers to every request. Their compatibility between interfaces requires that all offers are matched, dual to our agreement. Neither interface nor I/O automata have actions with different levels of criticality (other than concrete real-time constraints in their timed version). Modal I/O automata [41] combine the characteristics of interface and I/O automata with may and must modalities of MTSs. Some actions can thus be declared more critical than others, but still they differ from FMCA in the aspects mentioned above.
Supervisory Control Theory (SCT) was first applied to behavioural product line models in [20], where the CIF 3 toolset was used to synthesise all the valid products starting from components and requirements rendered as automata. However, all the actions are controllable, unlike in our approach; the controller of the product line requires computing those of all the valid products; and, finally, orchestration is not considered. Another work along this line is [21], where the standard synthesis algorithm was adapted to obtain a specific controller for each consistent product of the product line. Differently from our proposal, the behaviour is specified by modal sequence diagrams and their actions are only controllable or uncontrollable. More recently, the interplay between SCT and product lines modelled as Priced Featured Automata was studied in [42], where three-valued logic and partial-order reduction were used to greatly reduce the number of controllers required.

Conclusions and future work
We have proposed FMCA, an automata-based formalism for service contracts borrowing some aspects of Software Product Lines. According to this approach, services come in different configurations, or products. Two distinct, orthogonal ingredients of FMCA deal with the resulting variability: they permit (i) different levels of criticality for service requests, defining how certain requests must be matched in a contract, and (ii) feature constraints over the product line, defining the valid products. With these ingredients, one can model service contracts with more adaptive service orchestrations and more fine-grained Service-Level Agreements.
We have defined automata composition and their orchestration, i.e. a way to guarantee that both types of variability constraints are satisfied, besides fulfilling clients' requests. The orchestration has the form of the most permissive controller of Supervisory Control Theory, and it has been obtained by extending the classical synthesis algorithm. Our novel notion of semi-controllability turned out to be crucial in handling the different kinds of service requests.
We have defined a partial order on the valid products of a product line, through which its orchestration can be efficiently computed. Indeed, one only constructs the orchestration of the few maximal products in the partial order. Technically, this required introducing a refinement relation on automata and considering partially interpreted products. Typically, the maximal products of a product line are far fewer than its valid products, which are exponentially many. Our proposal thus improves over the methods available in the literature, e.g. that in [20]. Also, one need only inspect these maximal products to find possible inconsistencies in the contract specifications.
We have implemented an open-source prototypical tool to support the specification of a product line through its associated FMCA, and to compute the orchestrations of its valid products.
Future work includes a study of circular dependencies among services, by extending the results of [6]. It would also be interesting to investigate a choreographed coordination approach for FMCA, as was recently undertaken for a related contract automata formalism with different notions of semi-controllability [43]. Moreover, we plan to establish a correspondence between FMCA and Featured Transition Systems [37], in order to transfer some techniques of [44] for proving correctness properties.
Further work is needed to apply our theory to provide a formal framework for modelling and synthesising dynamic service product lines [45][46][47][48][49][50][51][52][53], i.e. services in which different configurations are reused to adapt to environments that change over time (including so-called late variability at runtime).
Finally, another research direction is enhancing service requests and offers with quantitative information. Reaching an agreement would then amount to finding the optimal trade-off among FMCA, each with a positive pay-off. This might lead to a formalisation of Quality of Service, allowing us to assess non-functional properties of services, like reliability or performance.

Appendix A. Proofs
We provide here all the proofs and some auxiliary results.

Proposition 1. Given two FMCA $A, A'$ and two sets of states $R, R'$, let
The function $f$ of Definition 14 is monotone w.r.t. $\le$ and, stipulating that $K_0$ is as in Definition 14, its unique fixed point is: ($\exists\, w$ not containing basic actions $a \in \mathit{Forbidden}(p)$ s.t.
Proof. We first prove (A.1). By contradiction, assume $q_0 \notin R_n$ and there exists a sequence of states (traversed by a trace) $\rho = q_0 \cdots q' q'' \cdots q'''$ s.t. $q'', \ldots, q''' \in R_n$ and $q' \notin R_n$. Let $i$ be an iteration of the algorithm in Definition 14 s.t. $q'' \in R_{i-1}$, $q' \notin R_{i-1}$, and let $t = q' \to q''$ be the transition traversed in $\rho$. If $t$ is controllable, then by Definition 14 it is removed in $K_n$, a contradiction. Otherwise, if $t$ is uncontrollable, then $q'$ is added to $R_i$ by Definition 14, and $q' \in R_n$, a contradiction.
Next we prove (A.2). We start by proving $\mathit{UpA}_{K_n} \cup \mathit{Dangling}(K_n) \subseteq R_n$. By contradiction, assume $\exists\, q \in \mathit{UpA}_{K_n} \cup \mathit{Dangling}(K_n)$ s.t. $q \notin R_n$. By Definition 14, $\mathit{Dangling}(K_n) \subseteq R_n$. Hence, $q \notin \mathit{Dangling}(K_n)$ and $q \in \mathit{UpA}_{K_n}$. Thus, by Definition 12, there exists a trace $w$ s.t. $q \xrightarrow{w}{}^* q_1$ is only executing forced transitions, and either (i) $w \notin \mathfrak{A}$ or $w$ contains a basic action $a \in \mathit{Forbidden}(p)$, or (ii) $\forall\, q_1 \xrightarrow{w'}{}^* q_f \in F_A$ and $w'$ satisfies condition (i).
We first assume case (i) holds and let $w_1 a$ be a prefix of $w$ such that $q \xrightarrow{w_1}{}^* q' \xrightarrow{a}$ and either $a$ is a request or it is forbidden in $p$. We first prove that $q' \in R_0$. If $q' \xrightarrow{a}$ is controllable, then by Definition 12 it is the only outgoing transition from $q'$, which is removed in $K_0$ by Definition 14, and hence $q' \in \mathit{Dangling}(K_0) \subseteq R_0$. Similarly, if $q' \xrightarrow{a}$ is uncontrollable in $K_0$, then $q' \in R_0$ by Definition 14. Thus we have proved that $q' \in R_0$ is reachable by only executing forced transitions from $q$ in $A$.
We now proceed by induction on the length of the trace $q \xrightarrow{w_1}{}^* q'$. For the base case, we have a transition $t = q \to q'$. Similarly to the previous reasoning, if $t$ is controllable in $K_1$ then by Definition 14 it is removed in $K_1$ and, by Definition 12, $t$ is the only outgoing transition from state $q$ (i.e. it is forced) and hence $q \in \mathit{Dangling}(K_1)$ and $q \in R_1 \subseteq R_n$, a contradiction. Otherwise, if $t$ is uncontrollable in $K_1$, then by Definition 14, $q \in R_1 \subseteq R_n$, a contradiction. For the inductive step, we have $q \to q'' \to^* q'$ s.t. $q'' \in R_{i-1}$ and $q \notin R_{i-1}$. By applying the same reasoning as for the base case we can conclude that $q \in R_i \subseteq R_n$, a contradiction.
For case (ii), a final state $q_f$ cannot be reached from $q_1$ without executing either a request or a forbidden action, hence by hypothesis $q_1$ cannot avoid reaching a final state without traversing a state $q' \in R_0$ (otherwise a trace without requests and forbidden actions would exist). By Definition 14, there will be an iteration $i$ s.t. $q_1 \in R_i$, and $q \in R_n$ by proceeding as for case (i).
We now prove $R_n \subseteq \mathit{UpA}_{K_n} \cup \mathit{Dangling}(K_n)$. The proof is by induction on $R_i$. The base case is $R_0$. From Definition 14, it follows that $\mathit{Dangling}$ $A$ on $a$ uncontrollable in $K_0$, ($t$ request $\vee$ $a \in \mathit{Forbidden}(p)$) $\}$, i.e. by Definition 12, in $\mathit{UpA}_{K_n}$. Note that if a transition $t$ is uncontrollable in $K_i$ for some $i$, then for all $j$, For the inductive step, by the inductive hypothesis we know $R_{i-1} \subseteq \mathit{UpA}_{K_n} \cup \mathit{Dangling}(K_{i-1})$ and we prove $R_i \subseteq \mathit{UpA}_{K_n} \cup \mathit{Dangling}(K_i)$. We proceed again by the cases of Definition 14. The first case is By Definition 12, the transitions used in $S$ are forced in $A$ because they are uncontrollable in $K_i$ (hence in $K_n$) and, by the inductive hypothesis, their target state is in $\mathit{UpA}_{K_n} \cup \mathit{Dangling}(K_{i-1})$. It follows that $S \subseteq \mathit{UpA}_{K_n} \cup \mathit{Dangling}(K_i)$. The last case is $\mathit{Dangling}(K_i)$, which holds trivially.
Finally, we prove (A.3). By hypothesis, $S_w \cap \mathit{Dangling}(K_n) = \emptyset$ and the thesis follows by (A.2). □

Theorem 1 (mpc for product). Let $A$ be an FMCA and let $p \in \llbracket\phi_A\rrbracket$ be a valid product. The FMCA $K_A^p$ computed through Definition 15 is the mpc for the valid product $p$ of $A$.
Proof. We will prove that the algorithm always terminates, that $K_A^p$ is a controller of product $p$ of $A$ and, in particular, that it is the mpc of product $p$ of $A$. Termination of the algorithm is ensured by Proposition 1.
Next we prove that $K_A^p$ is a controller of $p$ of $A$, i.e.: $p \in \llbracket\phi_A\rrbracket$ (trivial); (1) $K$ is safe, (2) $\mathit{Dangling}(K) = \emptyset$ (trivial), (3) $L(K) = \emptyset$ or $\forall\, a \in \mathit{Mandatory}(p)\ \exists\, w \in L(K)$ s.t. basic action $a$ occurs in $w$, and (4) $\nexists\, w \in L(K)$ s.t. $w$ contains actions $a \in \mathit{Forbidden}(p)$ or $q_{0K} \xrightarrow{w}{}^* q_K$, $q_{0A} \xrightarrow{w}{}^* q_A$ and $q_K$ is in uncontrollable disagreement w.r.t. $p$ by $K$. We first prove (1). Since $K_A^p$ is derived from $A$ by pruning transitions, trivially $L(K_A^p) \subseteq L(A)$. To prove $L(K_A^p) \subseteq \mathfrak{A}$, we have to show that no trace $w$ recognised by $L(K_A^p)$ contains a request $a$. Note that the algorithm only prunes and never adds transitions and, since in $K_0$ all controllable requests are pruned, $a$ cannot be a controllable request. By contradiction, assume $a$ is an uncontrollable request, executed by a transition $q \xrightarrow{a}$, and $w$ is recognised by $K_A^p$. Then $q \in R_0$ and thus $q \in R_n$ by Definition 14. By Lemma 3(A.1), we have $q_0 \in R_n$ and we reach the contradiction $K_A^p = \emptyset$.
We now prove (3). From the fact that none of the states of $K_A^p$ is dangling, (3) trivially holds by Definition 14.
We conclude by proving (4). Assume $q_{0K} \xrightarrow{w'}{}^* q_K \xrightarrow{a}$, $w'$ a prefix of $w$, with $\vec a$ on action $a \in \mathit{Forbidden}(p)$ holds. By Definition 14, $q_K \xrightarrow{a}$ is not controllable (otherwise it would have been removed) and hence $q_K \in R_0 \subseteq R_n$. Then $q_K$ is not a state of $K_A^p$, a contradiction. Assume that $(w, q_{0K}) \xrightarrow{w}{}^* (\varepsilon, q_K)$ and $(w, q_{0A}) \xrightarrow{w}{}^* (\varepsilon, q_A)$, with $q_K$ in uncontrollable disagreement, holds. Since $K_A^p$ is derived from $A$, we have $q_{0K} = q_{0A}$ and $q_K = q_A$. By Lemma 3(A.2), $q_A \in R_n$ and since it is reachable from $q_{0A}$, by Lemma 3(A.1), it must be the case that $q_{0A} \in R_n$ and we reach the contradiction $K_A^p = \emptyset$.
Finally, it remains to prove that $K_A^p$ is the mpc. By contradiction, assume $K'$ to be a controller of product $p$ of $A$ such that $L(K_A^p) \subset L(K')$. Hence there must be a trace $w_1 \in L(K')$ s.t. $w_1 \notin L(K_A^p)$. Let $S_{w_1}$ be the set of states traversed by $K'$ to recognise $w_1$. Since $K'$ is a controller, $S_{w_1} \cap \mathit{UpA}_{K'} = \emptyset$. By Lemma 3(A.3), $S_{w_1} \cap R_n = \emptyset$. Then, by Definition 14, all states in $S_{w_1}$ are in $K_A^p$. Moreover, all transitions used for recognising $w_1$ are neither requests nor forbidden because $K'$ is a controller, and since $S_{w_1} \cap R_n = \emptyset$ no state in $S_{w_1}$ is in any of $R_0, \ldots, R_n$. By Definition 14, these are all possible cases for which a transition is removed. Hence, all transitions used for recognising $w_1$ are also in $K_A^p$, and it follows that $w_1 \in L(K_A^p)$, a contradiction. □

The proof of the next theorem makes use of the following auxiliary lemma.

Lemma 4. Let $A$ be an FMCA, let $p \in \llbracket\phi_A\rrbracket$ and let $K_A^p \neq \emptyset$ be its mpc computed through Definition 15. Then $K_A^p$ refines $A$.
Proof. From Theorem 1 and Definition 14, we have $K_A^p \subseteq A$ (component-wise inclusion with exception of $\phi$) and, more- It remains to prove that (1) all uncontrollable transitions of $A$ and (2) all semi-controllable transitions $t$ of $A$ that are uncontrollable in $K_A^p$ (i.e. $\nexists\, t' \in T_{K_A^p}$ s.t. $t$ is controllable via $t'$ in $K_A^p$), in both cases (1-2) with source $q \in Q_K$, are available in $K_A^p$. For (1), by contradiction, let $q \in Q_K$ and let $t = (q, \vec a, q')$ be s.t. $t$ is uncontrollable in $A$ and $t \notin T^2_K$. By Definition 14, $t \notin T^2_K$ only if $q' \in R_n$ and, by Lemma 3(A.2), $q' \in \mathit{UpA}_{K_n}$. If $q' \in \mathit{UpA}_{K_n}$, then by Lemma 3(A.1) $K_A^p = \emptyset$, a contradiction.
For (2), by contradiction, let $q \in Q_K$ and let $t = (q, \vec a, q')$ be s.t. $t$ is controllable in $A$, uncontrollable in $K_A^p$ and $t \notin T^2_K$.
Hence $t$ must be uncontrollable lazy in $K_A^p$, and $q' \in R_n$ by Definition 14. Finally, by Lemma 3(A.2), $q' \in \mathit{UpA}_{K_n}$ and, by Lemma 3(A.1), $K_A^p = \emptyset$, a contradiction. □

Theorem 2 (Largest refinement). Let $A = \bigotimes_{i \in I} A_i$ be a composition of principals $A_i$, let $p$ be a valid product of $A$, let $K_A^p \neq \emptyset$ be its mpc computed through Definition 14 and let $\forall i \in I : \Pi_i(K_A^p) = A_i^r$ be its principals. Then:

Proof. Lemma 4 and Definition 6 suffice to prove (1). To prove (2), assume by contradiction that for some $i$ we have

($A$ respects $p$ and $p$ is a sub-product of $p'$) implies $A$ respects $p'$

Proof. Intuitively, $p$ imposes more restrictions on respecting validity than $p'$. By contradiction, assume that $p$ is respected by $A$ and that $p'$ is not respected by $A$. By Definition 18, one of the following cases must hold: (1) $\exists\, a \in \mathit{Mandatory}(p')$ s.t. $\forall\, (q, \vec a, q') \in T_A$: $\vec a$ is an action on $b \neq a$ or $q, q' \in \mathit{Dangling}(A)$. In this case, $p$ is not respected by $A$ because, by Definition 17, $\mathit{Mandatory}(p') \subseteq \mathit{Mandatory}(p)$, a contradiction. (2) $\exists\, b \in \mathit{Forbidden}(p')$ s.t. $(q, \vec b, q') \in T_A$, $\vec b$ is an action on $b$ and $q, q' \notin \mathit{Dangling}(A)$. In this case, $p$ is not respected by $A$ because, by Definition 17, $\mathit{Forbidden}(p') \subseteq \mathit{Forbidden}(p)$, a contradiction. □

Lemma 1. Let $K_A^p$ be the mpc of a product $p$ of $A$. Then:
$L(K_A^p) \neq \emptyset$ implies $K_A^p$ respects $p$ (3)
($K_A^p$ respects $p$ and $\mathit{Mandatory}(p) \neq \emptyset$) implies $L(K_A^p) \neq \emptyset$ (4)
($L(K_A^p) \neq \emptyset$ and $I = \{\, p' \neq p \mid p' \text{ is a sub-product of } p \,\} \neq \emptyset$) implies $\exists\, p' \in I : L(K_A^{p'}) \neq \emptyset$ (5)

Proof. For (3) assume by contradiction that $p$ is not respected by $K_A^p$. Then, by Definition 18, one of the following two cases must hold: (1) $\exists\, a \in \mathit{Mandatory}(p)$ s.t. $\forall\, (q, \vec a, q') \in T_{K_A^p}$: $\vec a$ is an action on $b \neq a$ or $q, q' \in \mathit{Dangling}(K_A^p)$. In this case, $\nexists\, w \in L(K_A^p)$ s.t. $w$ contains a basic action $a$ and thus, by Definition 13, $K_A^p$ is not an mpc, a contradiction. (2) $\exists\, b \in \mathit{Forbidden}(p)$ s.t. $(q, \vec b, q') \in T_{K_A^p}$, $\vec b$ is an action on $b$ and $q, q' \notin \mathit{Dangling}(K_A^p)$.
In this case, $\exists\, w_1 b w_2 \in L(K_A^p)$ for some $w_1, w_2$ and, by Definition 13, $K_A^p$ is not an mpc, a contradiction.
For (4), by hypothesis $\exists\, a \in \mathit{Mandatory}(p)$ such that $(q, \vec a, q') \in T_{K_A^p}$ on $a$ and $q, q' \notin \mathit{Dangling}(K_A^p)$, and $L(K_A^p) \neq \emptyset$ by Definition 8.
For (5), it suffices to note that a sub-product $p'$ can be obtained by adding an action $a \notin \mathit{Mandatory}(p) \cup \mathit{Forbidden}(p)$ to either (i) $\mathit{Mandatory}(p')$ or (ii) $\mathit{Forbidden}(p')$ (the existence of such an action $a$ is guaranteed by hypothesis). Action $a$ is either present or not in $K_A^p$. If action $a$ is present, then the sub-product $p'$ obtained through case (i) (i.e. $a \in \mathit{Mandatory}(p')$) is s.t. $L(K_A^{p'}) \neq \emptyset$ by hypothesis (we are requiring an action that is present). If action $a$ is not present, then the sub-product obtained through case (ii) (i.e. $a \in \mathit{Forbidden}(p')$) is s.t. $L(K_A^{p'}) \neq \emptyset$ by hypothesis (we are forbidding an action that is not present).
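As an added illustration (example code, not the paper's prototype tool), the pruning iteration that the proofs of Proposition 1 and Theorem 1 reason about, run in Python over a constructed automaton: Definitions 14 and 15 are not reproduced on this page, so the sets $K_i$ and $R_i$, $\mathit{Dangling}$ and the Mandatory/Forbidden checks are taken from the proof text, and semi-controllable (lazy) transitions are left out.

```python
# Added example, not the paper's tool: the pruning iteration the proofs of Proposition 1
# and Theorem 1 reason about. Definitions 14/15 are not on this page, so K_i, R_i, Dangling
# and the Mandatory/Forbidden checks follow the proof text; lazy transitions are not modelled.
from collections import deque
# Transition = (source, kind, basic action, controllability, target); kind is
# "request", "offer" or "match", controllability "c" or "u".  Constructed sample.
STATES, INIT, FINALS = {0, 1, 2, 3, 4, 5}, 0, {3}
TRANS = [
    (0, "match", "pay", "c", 1), (1, "offer", "receipt", "c", 3),
    (1, "match", "audit", "u", 5), (5, "request", "insurance", "c", 3),
    (0, "match", "card", "c", 2), (2, "request", "refund", "u", 3),
    (0, "match", "dispute", "u", 4), (4, "offer", "ack", "c", 3),
]

def dangling(states, init, finals, trans):
    """States not reachable from init or from which no final state is reachable."""
    fwd, bwd = {s: set() for s in states}, {s: set() for s in states}
    for src, _, _, _, dst in trans:
        fwd[src].add(dst)
        bwd[dst].add(src)
    def reach(start, graph):  # BFS closure of start under graph
        seen, todo = set(start), deque(start)
        while todo:
            for nxt in graph[todo.popleft()] - seen:
                seen.add(nxt)
                todo.append(nxt)
        return seen
    return set(states) - (reach({init}, fwd) & reach(set(finals), bwd))

def mpc(states, init, finals, trans, mandatory, forbidden):
    """Transitions of K_A^p for product p = (mandatory, forbidden); None if empty."""
    bad = lambda t: t[1] == "request" or t[2] in forbidden
    # K_0 prunes controllable requests/forbidden actions; R_0 is Dangling(K_0)
    # plus the sources of uncontrollable requests/forbidden actions.
    k = [t for t in trans if not (t[3] == "c" and bad(t))]
    r = dangling(states, init, finals, k) | {t[0] for t in k if t[3] == "u" and bad(t)}
    while True:
        # K_i drops controllable transitions into R_{i-1}; R_i adds the sources of
        # uncontrollable transitions into R_{i-1} and Dangling(K_i), until a fixed point.
        k = [t for t in k if not (t[3] == "c" and t[4] in r)]
        grown = r | {t[0] for t in k if t[3] == "u" and t[4] in r} | dangling(states, init, finals, k)
        if grown == r:
            break
        r = grown
    if init in r:  # by (A.1) nothing would survive: the mpc is empty
        return None
    k = [t for t in k if t[0] not in r and t[4] not in r]
    if any(all(t[2] != a for t in k) for a in mandatory):  # controller condition (3)
        return None
    return k
```

With `mandatory = {"ack"}` and `forbidden = {"card"}`, the uncontrollable `audit` transition drags state 1 into $R_1$, the controllable `pay` transition into it is pruned in $K_2$, and only the `dispute`/`ack` path survives.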