Conditions of contracts for separating responsibilities in heterogeneous systems

A general, compositional, and component-based contract theory is proposed for modeling and specifying heterogeneous systems, characterized by consisting of parts from different domains, e.g. software, electrical and mechanical. Given a contract consisting of assumptions and a guarantee, clearly separated conditions on a component and its environment are presented where the conditions ensure that the guarantee is fulfilled—a responsibility assigned to the component, given that the environment fulfills the assumptions. The conditions are applicable whenever it cannot be ensured that the sets of ports of components are partitioned into inputs and outputs, and hence fully support scenarios where components, characterized by both causal and acausal models, are to be integrated by solely relying on the information of a contract. An example of such a scenario of industrial relevance is explicitly considered, namely a scenario in a supply chain where the development of a component is outsourced. To facilitate the application of the theory in practice, necessary properties of contracts are also derived to serve as sanity checks of the conditions. Furthermore, based on a graph that represents a structuring of a hierarchy of contracts, sufficient conditions to achieve compositionality are presented.


Introduction
The notion of contracts was first introduced in [1] as a pair of pre- and post-conditions [2] to be used in formal specification of software (SW). In more recent contract theory [3–5], developed within the European project SPEEDS [6], the use of contracts is extended from formal specification of SW to serving as a central systems engineering philosophy to support the design of heterogeneous systems [7–9]. Heterogeneous systems are characterized by consisting of parts from multiple domains, e.g. SW, mechanical, electrical, etc. The use of theory [3–5] has been advocated in several contexts, e.g. Platform Based Design in [5], Model Based Design in [10], safety analyses in [11], virtual integration and testing in [12], and for structuring safety requirements in [13–15].
With the intent to be able to model and specify heterogeneous systems, the theory in [3–5] considers a basic component-based modeling formalism that relies on a "language-based abstraction where composition is by intersection. [...] No particular model of computation and communication is enforced, and continuous time dynamics such as those needed in physical system modeling is supported as well." [3] More specifically, the theory in [3–5] is centered around the notion of a component M with a set of ports and an implementation, also denoted M, which is an assertion, i.e. a set of value sequences over the ports. A contract C for component M is a pair of assertions (A, G) where G represents an intended property such as a requirement [16–18] or a design constraint. The responsibility that guarantee G is fulfilled is assigned to component M, given that certain assumptions A are fulfilled, which is a responsibility of the environment of the component. This clear separation of responsibilities, embodied by a contract, is a principle for seamless integration of components, a primary concern in heterogeneous systems development, characterized by complex supply chains distributed over multiple organizations [3,5].
To concretize the separation of responsibilities embodied by a contract in theory [3–5], contract satisfiability conditions are presented. Given that "M and C have the same ports" [3], component M satisfies C if A ∩ M ⊆ G. This satisfaction relation ensures that the composition of component M and an environment component M_E where M_E ⊆ A fulfills the guarantee, i.e. that M_E ∩ M ⊆ G. Hence, given that contract C is limited to the set of ports of M, to ensure that guarantee G is fulfilled, conditions on component M and its environment M_E can be separated as A ∩ M ⊆ G and M_E ⊆ A, respectively.
However, guarantee G is trivially fulfilled if M_E ∩ M = ∅, which is an undesirable case since it characterizes a contradiction if M_E and M are represented through logical formulas.
In addition, allowing G to be trivially fulfilled means that a component where A ∩ M = ∅ (and in particular where M = ∅) is always an acceptable solution, regardless of how environment M_E is implemented. Notably, the theory in [3–5] does not explicitly address this undesirable case, but the theory does propose an approach to further separate responsibilities, which indirectly leads to the trivial solution M_E ∩ M = ∅ being avoided in the typical case. This approach is to partition the sets of ports of component M and its environment M_E into mirroring inputs and outputs, and to enforce the additional conditions that M and M_E are receptive to their inputs, i.e. that any values of the inputs are allowed by the implementations at any point in time.
From these basic concepts of theory [3–5], it can be observed that in order to ensure both that guarantee G is fulfilled, i.e. M_E ∩ M ⊆ G, and that the trivial solution M_E ∩ M = ∅ is avoided, it is necessary to enforce the conditions A ∩ M ⊆ G and M_E ⊆ A, and that M and M_E are receptive to their inputs. However, in order to enforce these conditions, the two following prerequisites apply: (a) the sets of ports of component M and its environment M_E are partitioned into mirroring inputs and outputs; and (b) contract C = (A, G) is limited to the set of ports of component M.
Hence, the trivial solution M_E ∩ M = ∅ is avoided in the theory in [3–5] only through prerequisite (a), expressing that the causality of the ports is specified. However, considering typical models of the parts of a heterogeneous system, including not only SW, but also physical parts (mechanical, electrical, etc.), in addition to causal models, there would also be acausal models [19] where the causality of ports is unspecified, which is common in e.g. Modelica [20,21]. In fact, as stated in [19], when modeling physical parts, acausal models are well suited given that they reflect the physical structure of the parts and are also more reusable than causal models since the solution direction is not fixed. Hence, prerequisite (a) expresses a limitation of the theory in [3–5] and highlights the need for conditions on a component and its environment where these conditions ensure that the guarantee is non-trivially fulfilled, ∅ ≠ M_E ∩ M ⊆ G, whenever prerequisite (a) is not ensured.
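The conditions just described, worked through on a constructed finite model as an added example (not from the paper): assertions are enumerated as finite sets of runs, the conditions A ∩ M ⊆ G and M_E ⊆ A are checked directly, and receptivity to the input u is what separates a component that fulfills G non-trivially from the empty component and from a component that rules out the environment's inputs. The universe Ξ = {u, y}, the time-window T = {0, 1}, the Boolean value domain and the particular contract are assumptions of the example.

```python
from itertools import product

# Constructed toy universe (assumption, not from the paper): two Boolean
# variables observed over the discrete time-window T = {0, 1}.
XI = ("u", "y")          # universal set of variables Ξ; u is the input of M
T = (0, 1)
VALUES = (0, 1)


def all_runs(variables):
    """Every run for `variables` over T, each a frozenset of (variable, trajectory) pairs."""
    trajectories = list(product(VALUES, repeat=len(T)))
    return {
        frozenset(zip(variables, combo))
        for combo in product(trajectories, repeat=len(variables))
    }


OMEGA = all_runs(XI)     # Ω: all runs for Ξ over T (16 runs)


def assertion(pred):
    """An assertion expressed through a constraint: the runs of Ω where `pred` holds."""
    return {run for run in OMEGA if pred(dict(run))}


def project(M, variables):
    """proj_X(M): drop every (variable, trajectory) pair whose variable is not in X."""
    return {frozenset(p for p in run if p[0] in variables) for run in M}


def receptive(M, inputs):
    """M is receptive to `inputs` if every trajectory of the inputs is allowed by M."""
    return project(M, inputs) == all_runs(tuple(inputs))


def check(A, G, M, M_E, inputs):
    """The conditions from the introduction, and whether G ends up non-trivially fulfilled."""
    composition = M_E & M
    return {
        "satisfies": (A & M) <= G,             # condition on the component
        "env_ok": M_E <= A,                     # condition on the environment
        "receptive": receptive(M, inputs),     # extra condition under prerequisite (a)
        "nontrivial": bool(composition) and composition <= G,   # ∅ ≠ M_E ∩ M ⊆ G
    }


# Constructed contract (A, G): the environment keeps u high at time 0;
# the component must copy u into y at every time point.
A = assertion(lambda r: r["u"][0] == 1)
G = assertion(lambda r: r["y"] == r["u"])
M_ENV = A                                             # an environment with M_E ⊆ A

M_GOOD = assertion(lambda r: r["y"] == r["u"])        # y follows u, whatever u does
M_EMPTY = set()                                        # M = ∅: satisfies C trivially
M_CLAMPED = assertion(lambda r: r["u"][0] == 0 and r["y"] == r["u"])  # forbids u(0) = 1

if __name__ == "__main__":
    for name, M in (("good", M_GOOD), ("empty", M_EMPTY), ("clamped", M_CLAMPED)):
        print(name, check(A, G, M, M_ENV, {"u"}))
```

Both M_EMPTY and M_CLAMPED satisfy the contract under A ∩ M ⊆ G alone, because A ∩ M is empty; only the receptivity check on u rejects them.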
Regarding prerequisite (b), while the theory in [3][4][5] only supports contracts that are limited to the sets of ports of components, there are at least two strong reasons why such a limitation needs to be relaxed in the context of specifying heterogeneous systems.
The first reason is to support a central principle in requirements engineering (RE) [16–18] where this principle expresses that requirements for a system should be expressed over ports that are not of the system, but rather in the environment [18]. In accordance with [18], systems are developed to make the behavior of the environment satisfactory and thus, all requirements on a system should be statements about the environment. An example of when this RE principle is made utterly explicit is the functional documents model [22,23] where, in the context of a SW system represented as a predicate SOF, there are four distinct collections of ports: m and c for quantities respectively monitored and controlled by peripheral devices attached to SOF; and i and o for input and output registers of SOF. SW system SOF and its ports are shown in Fig. 1 as a rectangle filled with gray and boxes, respectively. In accordance with this model, requirements are described as a predicate REQ(m, c), which is to be fulfilled by SOF given environment assumptions expressed as predicates: IN(m, i) on how sensors transform monitored values to their internal representation; OUT(o, c) on how actuators transform software outputs to controlled values; and NAT(m, c) on the rest of the environment. Interpreted through contracts theory, these predicates form a contract (IN(m, i) ∧ OUT(o, c) ∧ NAT(m, c), REQ(m, c)) for SOF where this contract is not limited to the set of ports of SOF.
An example where this RE principle is manifested in an industrial case study can be found in [24], where ModelicaML [25] is used to specify and verify requirements on a subsystem of a fuel management system, and where the requirements express the end-to-end functionality of the fuel management system in general. Another example can be found in [26], where SysML [27] is used to specify requirements on an engine knock controller and where the requirements allocated to the controller explicitly refer to parts, such as the piston, that are not ports of the controller but rather ports in its environment.
The second reason why contracts that are not limited to component ports are needed is that, in the area of functional safety [28,29], the risk associated with a component is assessed in the context of how it affects its environment. Hence, in order to properly express a safety specification for a component using a contract, there is a need to refer to parts in the environment that the component is to be deployed in [14]. For example, in the functional safety standard ISO 26262 [29], top-level safety requirements for an item, i.e. a system within the vehicle, are formulated in order to prevent or mitigate hazards, where these hazards "shall be defined in terms of the conditions or behaviour that can be observed at the vehicle level" [29]. Hence, in order for a contract to capture the fact that one overall responsibility of the item is to mitigate or prevent the hazard, which extends beyond the ports of the item, a contract that is not limited to the set of ports of the item is needed. This can be observed in industrial examples [13,14], and also in [30], where safety requirements that are not limited to the sets of ports of components are necessarily used in order to properly express safety specifications for components.
In the context of specifying heterogeneous systems, the two reasons above explain the importance of relaxing the limitation expressed in prerequisite (b) such that assumptions and guarantees can be specified, not only over the ports of a component, but also over ports in the environment of the component. Considering this, and the previously stated fact that prerequisite (a) also expresses a limitation of theory [3–5], it can be concluded that there is a need for conditions on a component and its environment where these conditions ensure that the guarantee is non-trivially fulfilled, ∅ ≠ M_E ∩ M ⊆ G, whenever prerequisite (a) cannot be ensured and regardless of whether prerequisite (b) holds or not.
Contributions As the main contribution of the present paper, a set of clearly separated conditions on a component and its environment are established where the conditions ensure that the guarantee is non-trivially fulfilled. These conditions are, in contrast to the conditions presented in [3], applicable regardless of whether it can be ensured that prerequisites (a) and (b) hold. More specifically, the main contribution shows that in order for relation ∅ ≠ M_E ∩ M ⊆ G to hold, the respective conditions on the component and the environment can be separated as: where M is limited to constraining only the set of ports of the component, but where A and G are not. Note that this includes the case considered in [3] where A and G only constrain the ports of the component. In fact, it is proven that condition (i) is a necessary and sufficient condition on component M to ensure that relation ∅ ≠ M_E ∩ M ⊆ G holds for each environment M_E that is such that condition (ii) holds. This means that conditions (i) and (ii) fully support any scenario where a component and its environment are developed in complete isolation; the only information that needs to be shared is a contract and the set of ports of the component, where this set is not required to be partitioned into inputs and outputs. An example of such a scenario of industrial relevance is explicitly considered throughout the paper, namely a scenario in a supply chain where the development of a component is outsourced from a client to a supplier. In this scenario, the supplier is to ensure that condition (i) on the component holds, while the client is to ensure that condition (ii) on the environment holds.
A second contribution considers the fact that the relaxation of the limitation expressed in prerequisite (b) leads to increased expressiveness with respect to how a contract can be specified. However, the increased expressiveness is not unlimited, since there are necessary restrictions on the ports constrained by the assumptions and the guarantee of a contract in order for conditions (i) and (ii) to hold. Therefore, to facilitate the specification of contracts in practice, conditions, called scoping conditions, are introduced to limit the set of ports that the assumptions and the guarantee of a contract can constrain; these scoping conditions ensure that the necessary restrictions are not violated without limiting expressiveness.
As a third contribution, considering that the contract properties consistency and compatibility are in [3,5] defined under the limitations expressed in prerequisites (a) and (b), revised definitions of these properties are presented where these limitations are relaxed. More specifically, in [3,5], the definitions of consistency and compatibility are based on the concept of receptivity to inputs, but have the overall aim to ensure that a contract is such that there in fact exist a component and an environment such that their corresponding conditions, as defined in [3,5], hold. In contrast to the definitions in [3,5], which require prerequisites (a) and (b) to hold, the definitions of consistency and compatibility in the present paper do not. Instead, consistency and compatibility are defined as necessary properties of conditions (i) and (ii); more specifically, consistency and compatibility are defined respectively as: if there exists a component and an environment that are such that their corresponding conditions (i) and (ii) hold.
As a fourth and final contribution, as a basis for structuring a contract C and a set of contracts {C_i}_{i=1}^N in parallel to a composition M of a set of components {M_i}_{i=1}^N with the intent to establish that M is such that condition (i) holds with respect to C, a graph, called a contracts composition structure, is introduced. Based on a contracts composition structure and in accordance with the principle of compositionality [31,32], sufficient conditions are provided to ensure that: composition M of {M_i}_{i=1}^N is such that condition (i) holds with respect to C if each component M_i is such that condition (i) holds with respect to C_i. Hence, the fourth contribution supports an indirect way of establishing that M is such that condition (i) holds with respect to C when a direct approach is not feasible due to e.g. the complexity of the composition.
The four contributions constitute a general contract theory for heterogeneous systems where all theorems and definitions are expressed in terms of the language-independent formalism of assertions. This generality allows the proposed theorems and definitions to be instantiated in more concrete theories/formalisms tailored for a specific purpose, e.g. formal verification in tools.

Related work
Notably, in addition to [3–5], there are other general theories for assume-guarantee reasoning. These theories and other related work will be described in more detail in Sect. 7, and the following will instead focus solely on arguing for the fact that the contributions of the present paper cannot be found in any of theories [3–5]. Since the second to fourth contributions are derived with the main contribution as a foundation, the main contribution alone will be considered as a basis of argumentation. Due to the fact that the part of the main contribution that specifically addresses the limitation expressed in prerequisite (a) is rather specific to assume-guarantee theories with a satisfaction relation A ∩ M ⊆ G, namely [4,5,34–37,47,55] and one of the instantiated theories in [33], only these will be considered when arguing for this part of the main contribution. The part of the main contribution regarding the fact that conditions (i) and (ii) are applicable also when relaxing the limitation in prerequisite (b) is compared to this aspect of expressivity of other assume-guarantee theories in general.
Considering [4,5,33–37,47,55], the theories [4,33,37] use the same type of approach as [3] to avoid the trivial solution M_E ∩ M = ∅, and only [34] provides an alternative approach. In [34], a game-theoretic approach [60] is considered where the component and its environment take turns in changing the values (called states) of variables in a fixed set. To avoid the trivial solution M_E ∩ M = ∅, the approach in [34] requires that each step (or transition) of a run also needs to be identified as an action taken by either the component or its environment. This means that the approach in [34] is not applicable in the case of conventional physical models (see e.g. Modelica [20,21]) where interactions are modeled, not by an explicit separation of actions taken by a component and its environment, but rather by equations that simultaneously constrain each other. In contrast to [34], conditions (i) and (ii) in the present paper are indeed applicable without the need for identifying steps as component or environment actions, and are hence applicable for conventional physical models.
Despite the fact that contracts are limited to the sets of ports of components in [3], there are assume-guarantee theories that do not consider such a limitation, namely [34,36,40,44,47,48,53–55] and the meta theory in [33]. However, in contrast to the present paper, in theories [36,44,47,48,53–55], the concept of ports is abstracted away by considering implementations, assumptions, and guarantees as formulas or abstract properties that are not bound to be specified over a certain structure such as a set of variables. In [34,40], assumptions, guarantees, and implementations are all expressed over a fixed set of variables, which means that if a subset of the fixed set is associated as the set of ports of a component, it could be argued that contracts that are not limited to the set of ports of the component are supported. However, in contrast to the present paper, the association of a variable as a port of a component is only established informally, since neither of theories [34,40] incorporates a means to enforce the condition that the component implementation can only constrain its ports and no other variables in the fixed set. This does not only mean that the second contribution of the present paper is not derivable from theories [33,34,36,40,44,47,48,53–55], but also something more fundamental: these theories consider a looser notion of contract satisfiability where no conditions are enforced on the set of ports that a component can or cannot constrain. Hence, these theories do not capture the additional design conditions enforced on the component as expressed by its set of ports, which is a fundamental principle in many works, e.g. [39] and the present paper.
While none of theories [3–5,35,37–39,41–43,45,46,49–52,56–59] fully relax the limitation that contracts must be limited to component ports, it can be argued, considering the particular aspect of relaxing such a limitation, that these theories could serve as equivalent formalisms to the one in the present paper if the set of ports of a component is allowed to simply include any port of the environment. These additional ports could further be labeled as "environment ports" to distinguish them from those inherent to the component. However, in addition to this, for these theories to serve as equivalent formalisms to the one in the present paper, there would also be a need to enforce the condition that the component implementation can only constrain the subset of its ports that are not labeled as environment ports. Notably, the theories [3–5,35,37–39,41–43,45,46,49–52,56–59] do not support a straightforward way to enforce such a condition since, analogous to [34,40], they do not incorporate a means to distinguish a port that an implementation constrains from one that it does not in the set over which the implementation is expressed. This can be contrasted with the present paper where such a condition is enforced at the foundation of the theory, influencing almost all definitions and theorems. Hence, considering the particular aspect of relaxing the limitation that contracts must be limited to component ports, it is clear that theories [3–5,35,37–39,41–43,45,46,49–52,56–59] do not serve as equivalent formalisms to the present paper, nor can they be trivially extended to serve as such.
Organization of paper Based on a theoretical foundation in Sect. 2, contracts are introduced in Sect. 3 along with the main contribution, namely the derivation of conditions (i) and (ii). The basis is a scenario where a contract is used to outsource the development of a component. Considering conditions (i) and (ii), Sect. 4 presents necessary restrictions on the set of variables over which assumptions and guarantees are specified. Definitions of consistency and compatibility of a contract are established in Sect. 5, and Sect. 6 introduces contracts composition structures as a means to structure a hierarchy of contracts to achieve compositionality. Section 7 extends the related work in this section and Sect. 8 summarizes the paper and draws conclusions.

Assertions and elements
This section establishes concepts for modeling a heterogeneous system and its parts, and for deriving the contributions concerning contracts and their properties as will be presented in Sects. 3, 4, 5 and 6. The concepts presented in this section mainly draw inspiration from contract theory [3–5] developed in the European research project SPEEDS [6]. Similarities between the concepts presented in this section and the ones presented in [3–5], as well as with other related work, are discussed briefly throughout this section and in more detail in Sect. 7.

Assertions and runs
Let X = {x_1, ..., x_N} be a non-empty set of variables. Consider a pair (x_i, ξ_i) consisting of a variable x_i and a trajectory ξ_i = {(t, x_i(t))}_{t∈T} of values of x_i over a time-window ∅ ≠ T ⊆ R_{≥0}. For example, Fig. 2a shows a trajectory of values of the variable x_1. A set {(x_1, ξ_1), ..., (x_N, ξ_N)} of such pairs with trajectories over the same time-window T is called a run for X over T, denoted either ω_{X,T} or simply ω. For example, a run can be a trace [56,61–63] or an execution as presented in [36]. As a more illustrative example, a run ω_{{x_1,x_2},T} consisting of two pairs is shown in Fig. 2b as a solid line in the three dimensions x_1, x_2, t, where the trajectories of the pairs are also shown as two dashed lines. The trajectory of values of x_1 is the trajectory shown in Fig. 2a, and the other trajectory consists of values of variable x_2.
In the following, a universal set of variables Ξ will be assumed where Ω will denote the set of all possible runs for Ξ over each time-window ∅ ≠ T ⊆ R_{≥0}. An assertion W is a, possibly empty, subset of Ω, i.e. W ⊆ Ω. This notion corresponds to similar definitions in theories [3–5,14,64]. However, these theories consider assertions as sets of runs for dissimilar sets of variables local to the assertions, rather than sets of runs for a universal set of variables as in the present paper. The choice of considering each run in an assertion to be a run for a universal set of variables, i.e. the set Ξ, is inspired by [34,40] and makes it possible to combine and compare assertions with the use of regular set operations (e.g. ∪, ∩) and set relations (e.g. ⊆).
Note that rather than explicitly declaring its set of runs, an assertion can be expressed through constraints, e.g. by equations, inequalities, or logical formulas. For example, an assertion W expressed through the equation u = v is the set of all runs in Ω where u = v holds at each time point.
As a second example, consider that W is an assertion expressed through the first order differential equation dy/dt = x(t), where x(t) = t and t ∈ R_{≥0}.
Hence, assertion W is the set of all possible runs for Ξ over R_{≥0} where the runs are the solutions to the differential equation. Figure 2c shows a subset of these solutions in the dimensions x, y, and t. As a third example of how an assertion can be expressed, consider that W is an assertion expressed through the logic formula a(t) = 0 ∨ b(t) = 0 where t ∈ {0, 1, ..., 10} and where both variables a and b take values from {0, 1}. This means that assertion W is the set of all possible runs for Ξ over the discrete time-window {0, 1, ..., 10} where, for each time-point t, at least one of a and b has value 0.

Projection of assertions
Given an assertion W and a set of variables X, the projection [14,33,65] of W onto X, written proj_X(W), is the set obtained by removing each pair that does not contain a variable x ∈ X from each run ω_{Ξ,T} in W, i.e.
Furthermore, relation (1) corresponds to the definition of projection in [14,33], while [65] defines projection as an operation on a single run instead of on a set of runs.
The extended projection of W onto X is denoted proj_X(W) and is the assertion obtained by extending each run ω_{X,T} in proj_X(W) with all possible runs for Ξ \ X over T. That is, ( Note that the extended projection of W onto ∅ is Ω, due to the fact that proj_∅(W) = {∅} and proj_∅({ω}) = {∅} for each ω ∈ Ω.
The type of operation used for extending proj_X(W) to the extended projection of W onto X is called inverse projection in [14,33]. Furthermore, if W is expressed through a logical formula P, then the extended projection of W onto Ξ \ {x_1, ..., x_N} corresponds to the notion of port elimination [3] or variable hiding [66,67] through existential quantification, i.e. ∃x_1, ..., x_N : P.
As an example of projection and extended projection, consider an assertion expressed through the equation y = x, where the assertion will be denoted as W_{y=x} for convenience. Assertion W_{y=x} is shown in Fig. 3a, where the remaining axis can be the axis of any variable in Ξ \ {x, y} and where only one single point in time is shown considering that y = x is independent of time. The projection of W_{y=x} onto {x}, i.e. the set of runs proj_{{x}}(W_{y=x}), is shown in Fig. 3b. If each run ω_{{x},T} in proj_{{x}}(W_{y=x}) is extended with all possible runs for Ξ \ {x} over T, the extended projection of W_{y=x} onto {x} is obtained. This assertion is shown in Fig. 3c and is in fact the assertion Ω.

Variables constrained by assertions
As previously presented, assertions are sets of runs for the universal set of variables Ξ. However, as can be seen in the previous examples, assertions can be expressed through constraints specified over a subset of Ξ. For example, the equation y = x, through which the assertion W_{y=x} shown in Fig. 3a is expressed, is specified simply over the set of variables {x, y}. For a given assertion, this section introduces a concept that distinguishes such a set of variables from the set of variables Ξ.
Fig. 3 In a-c, an assertion W_{y=x}, its projection onto {x}, and its extended projection onto {x} are shown, respectively
The concept of such a set is not presented in [3–5], but is, on the other hand, an essential concept in the present paper. This difference between [3–5] and the present paper can be explained by the fact that while each assertion consists of runs for the universal set of variables Ξ in the present paper, an assertion consists of runs for a set of variables local to the assertion in [3–5]. Considering that the use-cases in [3–5] show the clear intent that the set of local variables should be equal to the set of variables that are necessary and sufficient to express the assertion, no distinction between these two sets is required in [3–5]. In contrast, when considering assertions as defined in the present paper, while the runs of an assertion are for Ξ, the set of variables that are necessary and sufficient to express the assertion will, in the generic case, be a proper subset of Ξ, e.g. as exemplified with the assertion W_{y=x}. Thus, to be able to directly refer to the subset of Ξ where this subset is necessary and sufficient to express an assertion, the concept of the set of variables constrained by the assertion is introduced.

Definition 1 (Variables constrained by assertion) A variable x is constrained by an assertion
Let X_W denote the set of variables constrained by W.
Notably, in accordance with Definition 1, to find the set X_W, i.e. the set of variables constrained by W, there is a need to iterate through each variable x ∈ Ξ to determine whether or not it holds that the extended projection of W onto Ξ \ {x} equals W. The following proposition provides an alternative approach for finding X_W without the need for iterating over Ξ.
Proposition 1 Given an assertion W, a set of variables X is equal to X_W if and only if each variable in X is constrained by W and the extended projection of W onto X equals W.
The proof of Proposition 1 is found in "Appendix A".
In accordance with Proposition 1, there exists a unique set of variables X, each of whose variables is constrained by W, such that the extended projection of W onto X equals W. This unique set of variables is precisely the set of variables X_W constrained by W.
As an example of how to use Proposition 1, consider the assertion W_{y=x}. As shown in Fig. 3a, c, the extended projection of W_{y=x} onto {x} is not equal to W_{y=x}, but rather a proper superset. The same holds for the extended projection of W_{y=x} onto {y}. This means that both variables in the set {x, y} are constrained by W_{y=x}. Moreover, since the extended projection of W_{y=x} onto {x, y} is equal to W_{y=x}, Proposition 1 implies that {x, y} is in fact also the set of variables constrained by W_{y=x}.
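Projection, extended projection, Definition 1 and Proposition 1 worked through on the assertion W_{y=x} of Fig. 3, as an added example that is not part of the paper. It assumes a constructed finite universe Ξ = {x, y, z} with a single time point and values in {0, 1, 2}, so that every assertion is a finite set of runs and equality of assertions can be decided by enumeration; Definition 1 is implemented in the form used in the text following it (x is constrained by W iff the extended projection of W onto Ξ \ {x} differs from W).

```python
from itertools import product

# Constructed toy universe (assumption, not from the paper): three variables
# over a single time point, each taking a value in {0, 1, 2}.
XI = ("x", "y", "z")
T = (0,)
VALUES = (0, 1, 2)


def all_runs(variables):
    """Every run for `variables` over T: a frozenset of (variable, trajectory) pairs."""
    trajectories = list(product(VALUES, repeat=len(T)))
    return {
        frozenset(zip(variables, combo))
        for combo in product(trajectories, repeat=len(variables))
    }


OMEGA = all_runs(XI)     # Ω: all 27 runs for Ξ over T


def assertion(pred):
    """The assertion expressed through the constraint `pred`: the runs of Ω where it holds."""
    return {run for run in OMEGA if pred(dict(run))}


def proj(W, X):
    """proj_X(W): remove from each run every pair whose variable is not in X."""
    return {frozenset(p for p in run if p[0] in X) for run in W}


def ext_proj(W, X):
    """Extended projection onto X: every run of proj_X(W) extended with every run for Ξ minus X."""
    rest = tuple(v for v in XI if v not in X)
    return {run | other for run in proj(W, X) for other in all_runs(rest)}


def constrained_by(W, x):
    """Definition 1 as used in the text: x is constrained by W iff hiding x changes W."""
    return ext_proj(W, tuple(v for v in XI if v != x)) != W


def constrained_vars(W):
    """X_W found the direct way, by iterating over all of Ξ."""
    return frozenset(x for x in XI if constrained_by(W, x))


def is_constrained_set(W, X):
    """Proposition 1: X = X_W iff every variable in X is constrained by W and the
    extended projection of W onto X equals W. Only the candidate X is inspected."""
    return all(constrained_by(W, x) for x in X) and ext_proj(W, X) == W


W_YX = assertion(lambda r: r["y"] == r["x"])   # the paper's W_{y=x}; 9 of the 27 runs

if __name__ == "__main__":
    print(len(proj(W_YX, ("x",))))            # 3: one projected run per value of x (Fig. 3b)
    print(ext_proj(W_YX, ("x",)) == OMEGA)    # True: the extended projection is Ω (Fig. 3c)
    print(sorted(constrained_vars(W_YX)))     # ['x', 'y']
    print(is_constrained_set(W_YX, ("x", "y")),        # True
          is_constrained_set(W_YX, ("x",)),            # False: extended projection is Ω, not W
          is_constrained_set(W_YX, ("x", "y", "z")))   # False: z is not constrained
```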

Elements
In this section, the concept of an element is introduced. Elements correspond to Heterogeneous Rich Components (HRCs) [4,68,69], as used in contract theory [3–5] of SPEEDS, in the sense that an element can represent any part of a heterogeneous system in general, such as a SW or physical part. However, an element can also serve as a connector, e.g. as described in Modelica [20,21], or as a functional or logical design entity in general, e.g. as a SysML block [27]. The term element is in the present paper chosen over the term component due to the fact that the concept of elements also encompasses connectors, which are in Modelica [20,21] and in theories such as [39] treated as separate entities from components.
Definition 2 (Element) An element E is an ordered pair (X, B) where: (a) X is a non-empty set of variables, each called a port variable; and (b) B is an assertion, called the behavior of E and where the set of variables constrained by B is a subset of X .
In the typical case, an element represents a real world entity where the port variables represent tangible quantities of the entity from the perspective of an external observer to the entity.The behavior of the element captures the static and dynamic constraints that the entity imposes on the quantities, independent of its surroundings.
Definition 2 is of a general type, which means that conditions (a) and (b) hold regardless of the domain, e.g. mechanical, SW, etc., that is considered. However, in some domains, e.g. the SW domain, the set of port variables X of an element (X, B) is typically partitioned into inputs X_in and outputs X_out. In accordance with [3,5], the partitioning of X into inputs and outputs enforces an additional condition on the behavior B, namely that B is receptive to X_in, i.e. that proj_{X_in}(B) is the set of all possible runs for X_in over each time-window in {T | ω_{Ξ,T} ∈ B}.
As an illustrative example of an element, let $E_{pot} = (X_{pot}, B_{pot})$ be an element representing a potentiometer. The element and its port variables are shown in Fig. 4 as a gray-filled rectangle and as boxes on the edges of the rectangle, respectively. Port variables $v_{ref}$, $v_{branch}$, and $v_{gnd}$ represent the reference, branch, and ground voltages, respectively. Furthermore, $h$ represents the position (0-100%) of the 'slider' that moves over the resistor and branches the circuit. Given a representation where it is assumed that the branched circuit is connected to a resistance that is significantly larger than the resistance of the potentiometer, behavior $B_{pot}$ can be expressed through the equation $h =$

Composition of elements
This section describes how a set of elements $\{E_1, \ldots, E_N\}$ can be combined into a single element $E$, a composition of $\{E_1, \ldots, E_N\}$. In accordance with [3][4][5], the underlying principle is to combine individual behaviors using intersection, where the sharing of port variables between elements captures the interaction points between the elements. Sharing of port variables is also used in e.g. [58].
Fig. 4 An element $E_{pot} = (X_{pot}, B_{pot})$, representing a potentiometer
Fig. 5 A set of elements representing a "Level Meter system" and its parts
Prior to presenting a formal definition of composition of a set of elements, the concept is introduced by considering a set of elements representing the parts of a "Level Meter system" (LM-system) as shown in Fig. 5. The LM-system $E_{LMsys}$ consists of a tank $E_{tank}$ and an electric system $E_{Esys}$, which further consists of the potentiometer $E_{pot}$ shown in Fig. 4, a battery $E_{bat}$, and a level meter $E_{lMeter}$. The sharing of a port variable between elements is shown either by a line connecting two or more boxes corresponding to the same port variable or by the appearance of the same box on the edges of several rectangles.
In the LM-system, the slider $h$ is connected to a "floater", trailing the level $f$ in the tank. In this way, the potentiometer $E_{pot}$ is used as a level sensor to estimate the level in the tank. The estimated level is presented by the level meter $E_{lMeter}$, where $l$ denotes the presented level.
Behaviors $B_{bat}$, $B_{lMeter}$, and $B_{tank}$ of $E_{bat}$, $E_{lMeter}$, and , and $h = f$, respectively. Intersection While $B'_{LMsys}$ captures the combined constraints expressed by the behaviors of $E_{bat}$, $E_{lMeter}$, $E_{tank}$, and $E_{pot}$, the set of port variables constrained by the assertion $B'_{LMsys}$ is a proper superset of the set of port variables $X_{LMsys} = \{f, l\}$ of $E_{LMsys}$ shown in Fig. 5. In accordance with Definition 2, this means that $B'_{LMsys}$ cannot be the behavior of $E_{LMsys}$. The behavior $B_{LMsys}$ of $E_{LMsys}$ is instead the extended projection of $B'_{LMsys}$ onto $\{f, l\}$, which, in accordance with relation (2), means that $B_{LMsys}$ can be expressed through the equation Now that the concept of element composition has been introduced, the formal definition follows.

Definition 3 (Composition of elements (onto a set of variables)) The composition of a set of elements
In accordance with Definition 3 and as previously indicated, in the case where This case is in accordance with the definition of composition of HRCs in [3][4][5].
In the case where $X \subset \bigcup_{i=1}^{N} X_i$, Definition 3 combines composition as defined in [3-5] with port elimination [3], also called variable hiding [66,67]. As shown in the example in Fig. 5, this case allows representing hierarchical systems. For example, in [70], the overall concept of elements and how they compose was used for representing C-programs as architecture models.
Given a set of elements $\mathcal{E}$, the environment of an element $E \in \mathcal{E}$, denoted $\mathrm{Env}_{\mathcal{E}}(E)$, is the composition of $\mathcal{E} \setminus \{E\}$. As an example of the environment of an element, given a subset

Conditions of contracts for separating responsibilities
Based on the concepts presented in Sect. 2, this section introduces the concept of a contract containing assumptions and a guarantee, and also conditions that ensure that the guarantee is fulfilled.

Contracts
As mentioned in Sect. 1, the notion of contracts was first introduced in [1] as a pair of pre- and post-conditions [2] to be used in formal specification of SW interfaces. In recent contract theory [3][4][5], developed within SPEEDS [6], the use of contracts is extended from formal specification of SW to serving as a central philosophy in systems engineering to support the design of heterogeneous systems. One of the key challenges that triggered the extension of contracts is the increasingly complex development environment of heterogeneous systems, characterized by distributed OEM (Original Equipment Manufacturer)/supplier chains [3].
In the context of an OEM/supplier chain, in order for a global intended property to be fulfilled by a composition of a set of elements, the OEM needs to distribute the responsibilities of fulfilling local properties between the different elements that are to be integrated into the composition. Considering that these elements are to be developed by different suppliers, clearly defined interfaces and the separation of responsibilities between the different elements are paramount in order to support seamless integration. A contract addresses such concerns by assigning the responsibility that a certain property is fulfilled to an element, in the form of a guarantee, given that certain assumptions are fulfilled, which is a responsibility of the environment of the element. Although the discussion above focuses on the use of contracts for managing the complexity of OEM/supplier chains, the discussion can be generalized and is equally valid for any context where clear separations of responsibilities are desired.
Fig. 6 A set of elements representing a "Level Meter system" and its parts, and the set of variables constrained by the assumption and the guarantee of a contract
A contract $(\mathcal{A}, G, X)$ is a specification for an element $E$ with a set of port variables $X$, expressing the intent that the behavior of the element is such that the guarantee $G$ is fulfilled, given a set of elements containing $E$ where its environment fulfills the assumptions in $\mathcal{A}$ where each $A_i$ is called an assumption; and (iii) $X$ is a set of variables.
For the sake of readability, let $A_{\mathcal{A}} = \bigcap_{i=1}^{N} A_i$. As an illustrative example of a contract, let $(\{A_{lMeter}\}, G_{lMeter}, X_{lMeter})$ be a contract $C_{lMeter}$ where the sets of port variables constrained by $A_{lMeter}$ and $G_{lMeter}$ are connected with dashed lines in Fig. 6. The guarantee $G_{lMeter}$, specified by the equation $l = f$, expresses the intent that the indicated level, displayed by the meter, corresponds to the level in the tank. In the context of the set of elements $\mathcal{E}_{LMsys} = \{E_{bat}, E_{tank}, E_{pot}, E_{lMeter}\}$, the responsibility that the guarantee $G_{lMeter}$ is fulfilled is assigned to $E_{lMeter}$, but only if the voltage measured between $v_{branch}$ and $v_{gnd}$ maps to a specific level in the tank, i.e. only if the environment . In general assume-guarantee theories [3,4,35,37-39,41-43,45,46,49-52,56-59] where ports are explicit, the contract $C_{lMeter}$ is not supported, since the assumption $A_{lMeter}$ and the guarantee $G_{lMeter}$ are not specified only over the set of ports of $E_{lMeter}$, i.e. over the voltage connections $v_{branch}$ and $v_{gnd}$ and the indicated level $l$. In contrast to these theories, the present paper supports specifying a contract for $E_{lMeter}$ where both $A_{lMeter}$ and $G_{lMeter}$ constrain port variables that are not in the set of port variables of $E_{lMeter}$, as exemplified in Fig. 6. Note that the present paper also supports contracts that are limited to the set of ports of elements, as in other assume-guarantee theories.
The contract $C_{lMeter}$ can for example be used in a scenario where an OEM develops $E_{lMeter}$ in-house while the development of the elements $E_{bat}$, $E_{pot}$, and $E_{tank}$ is outsourced to suppliers. The responsibility that the overall intended functionality of the LM-system, as expressed by $G_{lMeter}$, is fulfilled is assigned to $E_{lMeter}$, with the meaning that the OEM is responsible not only for ensuring the development of $E_{lMeter}$, but also for its successful integration with the elements $E_{bat}$, $E_{tank}$, and $E_{pot}$ into the composition of $\mathcal{E}_{LMsys}$ that fulfills $G_{lMeter}$. A successful integration of the elements can be ensured by the OEM, given that the assumption $A_{lMeter}$ is fulfilled. This is a responsibility of the environment $\mathrm{Env}_{\mathcal{E}_{LMsys}}(E_{lMeter})$ that is to be developed by the suppliers.
Note that the assumption $A_{lMeter}$ specifies a property that is intended to be fulfilled by the environment; it does not specify a particular structure of the environment, except that $f$, $v_{gnd}$, and $v_{branch}$ are ports in the environment. That is, this assumption, and assumptions of contracts in general, do not specify which or how many elements are in the environment, which sets of ports they have, or the total set of ports that are in the environment.
In the previously introduced example, the fact that the contract $C_{lMeter}$ is not limited to the set of ports of $E_{lMeter}$ captures the intent of having the OEM be responsible for the integration of the elements in $\mathcal{E}_{LMsys}$. However, in general, contracts that are not limited to the set of ports of elements can be used to capture types of responsibility separation other than that of integration. As another example of a type of responsibility separation that such contracts can capture, consider the contract shown in Fig. 1. In this case, the fact that both assumptions and guarantees constrain port variables that are not port variables of SOF does not mean that the developer of SOF is responsible for its integration with HW devices. Rather, this contract captures the perspective that the SW developer is responsible for developing SOF with the overall aim of fulfilling REQ; the surrounding HW is simply considered an enabler to realize this overall aim. An additional example of responsibility separation was also mentioned in Sect. 1, namely when contracts are used to separate the responsibilities of fulfilling overall safety properties.

Conditions on element and environment
Given a set of elements $\mathcal{E}$ and a contract $(\mathcal{A}, G, X)$ for an element $E = (X, B) \in \mathcal{E}$, this section proposes the following respective conditions on the element $E$ and on its environment As will be shown in this section, these conditions ensure that the guarantee is fulfilled, which can be expressed as In fact, not only that, but condition (i) on the element $E$ actually ensures that the relation $B_{\mathrm{Env}_{\mathcal{E}}(E)} \cap B \subseteq G$ holds for each set of elements where the environment of $E$ is such that condition (ii) holds. Furthermore, conditions (i) and (ii) also ensure that the trivial solution, where $B_{\mathrm{Env}_{\mathcal{E}}(E)} \cap B = \emptyset$, is avoided. That is, these conditions actually ensure that the guarantee is non-trivially fulfilled, i.e.
As will be shown, the intersection $B_{\mathrm{Env}_{\mathcal{E}}(E)} \cap G$ in condition (ii) can simply consist of one run, and this run can possibly be any run in $A_{\mathcal{A}} \cap G$.
In contrast to [3][4][5], where the trivial solution $B_{\mathrm{Env}_{\mathcal{E}}(E)} \cap B = \emptyset$ is avoided only in the case where the set of ports $X$ is partitioned into inputs and outputs, the conditions that will be presented in this section ensure that the trivial solution is avoided even when this is not the case. The conditions that will be presented also hold when the assumptions and the guarantee are not limited to constraining port variables in $X$, a case that is prohibited in [3][4][5].
In particular, as mentioned in Sect. 1, conditions (i) and (ii) support the case where an element and its environment are developed in complete isolation and where the only information shared is a contract. In order to get a better understanding of this case, a scenario in the context of an OEM/supplier chain, as previously presented, is examined. In the scenario, a contract $C = (\mathcal{A}, G, X)$ is used to outsource the development of an element $E = (X, B)$. Specifically, the scenario can be described in three phases: (I) a contract $C$ is handed from the OEM to a supplier; (II) the supplier develops an element $E = (X, B)$ that is handed to the OEM; and (III) the OEM integrates the element $E$ with a set of elements As expressed in phases (I-II), the development of the element $E$ is guided only by the information available in the contract $C$, i.e. without access to the environment $\mathrm{Env}_{\mathcal{E}}(E)$ of $E$. Therefore, in order for the composition of $E$ in phase (III) to be such that relation (4) holds with respect to $C$, conditions must be enforced on the element $E$ such that relation (4) holds not just for the set $\mathcal{E}$, but rather for each set of elements containing $E$ where the environment is such that certain conditions hold. The conditions on the element are to be enforced by the supplier, while the conditions on the environment are to be ensured by the OEM.
As will be shown in the following sections, conditions (i) and (ii) are, in fact, instantiations of such conditions for the element and its environment, respectively. The subset of conditions (i) and (ii) that ensures that the relation $B_{\mathrm{Env}_{\mathcal{E}}(E)} \cap B \subseteq G$ holds will first be derived in Sect. 3.2.1, followed by the remaining subset that ensures that also the relation

Conditions ensuring guarantee is fulfilled
As previously mentioned, in the context of $\mathcal{E}$, the responsibility that the guarantee is fulfilled is assigned to $E$, given that the environment of $E$ fulfills the assumptions. This means that it must hold that Supposing that relation (5) holds, it follows that relation (3) holds if Note that if $\mathcal{A} = \emptyset$, then relation (6) simplifies to $B \subseteq G$. Condition (6) on the element has previously been identified in e.g. [3,4,5,33,34,64]. Relation (6) is a sufficient, but not necessary, condition for relation (3) to hold considering a specific set of elements where the environment is such that relation (5) holds. As expressed in the following proposition, relation (6) is also a necessary condition in order for relation (3) to hold for each set of elements where the environment is such that relation (5) holds.

Proposition 2 Consider a contract
Proof Consider a contract $C = (\mathcal{A}, G, X)$ and an element $E = (X, B)$.
For the only-if case, assume that $A_{\mathcal{A}} \cap B \subseteq G$. Consider an arbitrary set of elements For the if case, assume that the relation $B_{\mathrm{Env}_{\mathcal{E}}(E)} \cap B \subseteq G$ holds for each set of elements $\mathcal{E} \ni E$ where $B_{\mathrm{Env}_{\mathcal{E}}(E)} \subseteq A_{\mathcal{A}}$. Assume that $A_{\mathcal{A}} \cap B \not\subseteq G$, which will be shown to lead to a contradiction. Assume a set of elements $\mathcal{E} \ni E$ where $B_{\mathrm{Env}_{\mathcal{E}}(E)} = A_{\mathcal{A}}$, from which it follows that $A_{\mathcal{A}} \cap B = B_{\mathrm{Env}_{\mathcal{E}}(E)} \cap B \subseteq G$. This contradicts the fact that $A_{\mathcal{A}} \cap B \not\subseteq G$, which means that it must rather hold that $A_{\mathcal{A}} \cap B \subseteq G$, which concludes the proof.
Proposition 2 expresses that relation (6) on the element $E$ is a necessary and sufficient condition in order to obtain an element and its environment in phase (III) such that relation (3) holds in general, given that relation (5) on the environment holds. However, relation (3) trivially holds if the behavior of the composition of the element and the environment is empty, which would imply that relation (4) does not hold. Therefore, relation (4) does not follow from relations (5) and (6), which means that additional conditions must be imposed on the environment and on the element in order to ensure that the trivial solution is avoided. These conditions will be examined in Sect. 3.2.2, which now follows.

Conditions ensuring non-triviality
This section presents contract conditions, additional to those established in Sect. 3.2.1, in order to ensure that the guarantee of a contract is non-trivially fulfilled in a context such as the considered OEM/supplier scenario. Notably, this context assumes that: (a) it cannot be ensured that the set of ports of an element is partitioned into inputs and outputs; and (b) the element and its environment are developed in complete isolation. In another context, e.g. when inputs and outputs are well-defined, these additional conditions may not always be applicable. Such other contexts, and the corresponding contract conditions that are then applicable, will be discussed in Sect. 7.1. The rest of this section, as well as Sects. 4-6, will focus only on contexts characterized by (a) and (b).
Consider a contract $C = (\mathcal{A}, G, X)$ and an element $E = (X, B)$, and assume a set of elements $\mathcal{E}$ containing $E$ such that its environment is such that $B_{\mathrm{Env}_{\mathcal{E}}(E)} \cap G = \emptyset$. Notably, if the behavior of the composition of the element and its environment is non-empty, i.e. if $G$ since none of the runs in $B_{\mathrm{Env}_{\mathcal{E}}(E)}$ are in $G$. Hence, in order for relation (4) to hold, the environment must be such that $B_{\mathrm{Env}_{\mathcal{E}}(E)} \cap G \neq \emptyset$. This insight is summarized in the following proposition.

Proposition 3 Given a contract
Now that the necessary condition $B_{\mathrm{Env}_{\mathcal{E}}(E)} \cap G \neq \emptyset$ on the environment of $E$ has been identified in order for relation (4) to hold, a complementary sufficient condition on the element $E$ is examined in order to ensure that relation (4) holds.
Consider that the relation $A_{\mathcal{A}} \cap B \subseteq G$ on the element $E$ holds. As shown in the Venn diagram in Fig. 7a, if $B_{\mathrm{Env}_{\mathcal{E}}(E)} \subseteq A_{\mathcal{A}}$ and $B_{\mathrm{Env}_{\mathcal{E}}(E)} \cap G \neq \emptyset$, it is possible that relation (4) holds. However, as shown in Fig. 7b, this is not true for all cases. In fact, since $B_{\mathrm{Env}_{\mathcal{E}}(E)} \cap G$ can simply consist of one run, and this run can possibly be any run in $A_{\mathcal{A}} \cap G$, in order to ensure that $B_{\mathrm{Env}_{\mathcal{E}}(E)} \cap B \neq \emptyset$, it must hold that $A_{\mathcal{A}} \cap G \subseteq B$, as shown in Fig. 7c.
These insights are now summarized in the following theorem.
Now follows a clarification of Theorem 1 using quantifiers. Given a contract $C = (\mathcal{A}, G, X)$ and an element $E = (X, B)$ where
Proof Consider a contract $C = (\mathcal{A}, G, X)$ and an element $E = (X, B)$ such that $A_{\mathcal{A}} \cap B \subseteq G$.
For the only-if part, assume that $A_{\mathcal{A}} \cap G \subseteq B$. Furthermore, consider a set of elements This and the fact that

This and since relations
This completes the only-if part of the proof.
For the if part, assume that for each set of elements $\mathcal{E}$ containing $E$ where which will be shown to lead to a contradiction. This means that there exists a run $\omega$ such that $\omega \in A_{\mathcal{A}} \cap G$ and $\omega \notin B$. Furthermore, assume that there exists a set of elements $\mathcal{E}$ containing $E$ where $B_{\mathrm{Env}_{\mathcal{E}}(E)} = \{\omega\}$. This and the fact that $\omega \in A_{\mathcal{A}} \cap G$ imply that both relations $B_{\mathrm{Env}_{\mathcal{E}}(E)} \subseteq A_{\mathcal{A}}$ and $B_{\mathrm{Env}_{\mathcal{E}}(E)} \cap G \neq \emptyset$ hold. As was assumed, this means that it follows that
The condition expressed in Theorem 1 holds regardless of the considered domain, e.g. SW, electrical, mechanical, etc., and does not require the set of port variables of the element to be partitioned into inputs and outputs.
As a technical remark, given that conditions However, this relaxed condition can actually always be embedded in the condition $B_{\mathrm{Env}_{\mathcal{E}}(E)} \subseteq A_{\mathcal{A}}$. This can be understood by considering that the relaxed condition the two conditions are, in fact, equally expressive.
Theorem 1 quantifies over sets of elements, and thus also over various environments of the element $E$. To clarify the respective conditions on $E$ and its environment $\mathrm{Env}_{\mathcal{E}}(E)$ in a specific set of elements, the following corollary simplifies Theorem 1 by removing the quantification over sets of elements.

Corollary 1 Given a contract
(ii) environment
Proof Trivially follows from Theorem 1.
In the context of the scenario presented at the beginning of this section, Corollary 1 specifies the condition (i) that the supplier needs to meet and the condition (ii) that the OEM needs to meet in order to ensure that the integration of $E$ with the elements in $\{E_i\}_{i=1}^{N}$ in phase (III) results in the guarantee being non-trivially fulfilled by the composition of $\{E\} \cup \{E_i\}_{i=1}^{N}$, i.e. that relation (4) holds.
As a conclusion to this section, it is examined whether the element $E_{lMeter}$ and its environment $\mathrm{Env}_{\mathcal{E}_{LMsys}}(E_{lMeter})$ in the context of the set of elements $\mathcal{E}_{LMsys} = \{E_{bat}, E_{tank}, E_{pot}, E_{lMeter}\}$ shown in Fig. 5 are such that the respective conditions (i) and (ii) of Corollary 1 hold with respect to the contract $C_{lMeter}$ shown in Fig. 6. As expressed in condition (i) of Corollary 1, it must hold that Furthermore, as expressed in condition (ii) of Corollary 1, it must hold that In accordance with Sect. 2.3, the behavior of $\mathrm{Env}_{\mathcal{E}_{LMsys}}(E_{lMeter})$ is the intersection of the behaviors of $E_{tank}$, $E_{Esys}$, and $E_{pot}$, which are specified by the equations $f = h$, $h = (v_{branch} - v_{gnd})/(v_{branch} - v_{gnd})$, and $v_{branch} - v_{gnd} = 5\,\mathrm{V}$. Due to the fact that the equation $f = (v_{branch} - v_{gnd})/5\,\mathrm{V}$ can be obtained by combining these equations, relation (13) holds. Furthermore, due to the fact that $B_{\mathrm{Env}_{\mathcal{E}_{LMsys}}(E_{lMeter})}$ does not constrain $l$, it holds that $B_{\mathrm{Env}_{\mathcal{E}_{LMsys}}(E_{lMeter})} \cap G_{lMeter}$ is non-empty, i.e. relation (14) also holds.
Considering that relations (11)-(14) hold, Corollary 1 implies that the guarantee $G_{lMeter}$ is non-trivially fulfilled by the composition of $\mathcal{E}_{LMsys}$.
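To make the conditions of Corollary 1 and their role in the OEM/supplier scenario concrete, the following Python block is an added example (not code from the paper) that builds a finite, time-free model of the LM-system of Figs. 5 and 6: a run is a single assignment of values to the variables, an assertion is a set of runs, the extended projection and the set of constrained variables follow Proposition 1, composition is intersection followed by projection as in Definition 3, and conditions (i) and (ii) of Corollary 1 together with relation (4) are checked as set inclusions. The finite domains, the battery model $v_{ref} - v_{gnd} = 5$, the potentiometer equation $h = (v_{branch} - v_{gnd})/(v_{ref} - v_{gnd})$, the level meter behavior $l = (v_{branch} - v_{gnd})/5$, and the two faulty variants (a stuck meter, and an environment in which the battery is missing) are my assumptions for this example; the assumption $A_{lMeter}$ and the guarantee $G_{lMeter}$ are the ones given in the text.

```python
from fractions import Fraction as Fr
from itertools import product

# Constructed finite, time-free model of the LM-system: a run is one assignment
# of values to these variables; an assertion is a frozenset of runs.
VARS = ("f", "h", "l", "v_branch", "v_gnd", "v_ref")
LEVELS = tuple(Fr(k, 5) for k in range(6))        # levels 0, 20 %, ..., 100 %
DOM = {"f": LEVELS, "h": LEVELS, "l": LEVELS,     # assumed domains (example only)
       "v_branch": tuple(range(7)), "v_gnd": (0, 1), "v_ref": (5, 6)}
UNIVERSE = frozenset(product(*(DOM[v] for v in VARS)))


def assertion(pred):
    """All runs of the universe for which pred(run_as_dict) holds."""
    return frozenset(r for r in UNIVERSE if pred(dict(zip(VARS, r))))


def project(W, X):
    """Extended projection proj_X(W): every run that agrees on X with some run in W."""
    idx = [VARS.index(x) for x in X]
    shadows = {tuple(r[i] for i in idx) for r in W}
    return frozenset(r for r in UNIVERSE if tuple(r[i] for i in idx) in shadows)


def constrained_vars(W):
    """X_W, the smallest X with proj_X(W) == W (Proposition 1):
    x is constrained iff projecting it away changes W."""
    return frozenset(x for x in VARS if project(W, [v for v in VARS if v != x]) != W)


def element(X, B):
    """Definition 2: an element (X, B) whose behavior constrains only port variables."""
    if not constrained_vars(B) <= frozenset(X):
        raise ValueError("behavior constrains a variable outside the port set")
    return (frozenset(X), B)


def compose(elements, X):
    """Definition 3: intersect the behaviors, then project onto the port set X."""
    B = UNIVERSE
    for _, B_i in elements:
        B &= B_i
    return element(X, project(B, X))


def element_condition(A, G, B):
    """Condition (i) of Corollary 1 on the element: A ∩ B ⊆ G and A ∩ G ⊆ B."""
    return (A & B) <= G and (A & G) <= B


def environment_condition(A, G, B_env):
    """Condition (ii) of Corollary 1 on the environment: B_env ⊆ A and B_env ∩ G ≠ ∅."""
    return B_env <= A and bool(B_env & G)


def guarantee_nontrivially_fulfilled(G, B, B_env):
    """Relation (4): ∅ ≠ B_env ∩ B ⊆ G."""
    both = B_env & B
    return bool(both) and both <= G


# The parts (assumed equations): the floater ties h to the tank level, the
# potentiometer is a voltage divider, the battery supplies 5 V, and the meter
# scales the branch voltage back to a level.
E_tank = element(("f", "h"), assertion(lambda r: r["f"] == r["h"]))
E_pot = element(("h", "v_branch", "v_gnd", "v_ref"), assertion(
    lambda r: r["h"] == Fr(r["v_branch"] - r["v_gnd"], r["v_ref"] - r["v_gnd"])))
E_bat = element(("v_gnd", "v_ref"), assertion(lambda r: r["v_ref"] - r["v_gnd"] == 5))
E_lmeter = element(("l", "v_branch", "v_gnd"),
                   assertion(lambda r: r["l"] == Fr(r["v_branch"] - r["v_gnd"], 5)))
E_stuck = element(("l", "v_branch", "v_gnd"), assertion(lambda r: r["l"] == 0))  # faulty meter

# Contract C_lMeter from the text: A relates the measured voltage to the level, G says l = f.
A_lmeter = assertion(lambda r: r["f"] == Fr(r["v_branch"] - r["v_gnd"], 5))
G_lmeter = assertion(lambda r: r["l"] == r["f"])
X_ENV = ("f", "h", "v_branch", "v_gnd", "v_ref")   # port set of Env(E_lMeter)


def check_lm_system(meter=E_lmeter, env_parts=(E_tank, E_pot, E_bat)):
    """Evaluate conditions (i), (ii) and relation (4) for a meter and its environment."""
    _, B = meter
    _, B_env = compose(env_parts, X_ENV)
    return {"element_ok": element_condition(A_lmeter, G_lmeter, B),
            "environment_ok": environment_condition(A_lmeter, G_lmeter, B_env),
            "guarantee_ok": guarantee_nontrivially_fulfilled(G_lmeter, B, B_env)}


if __name__ == "__main__":
    print("intended parts:    ", check_lm_system())
    print("stuck meter:       ", check_lm_system(meter=E_stuck))
    print("no battery in Env: ", check_lm_system(env_parts=(E_tank, E_pot)))
```

With the intended parts all three checks hold. The stuck meter violates condition (i) while its environment still satisfies (ii), and the environment without the battery leaves condition (i) on the meter untouched but violates $B_{\mathrm{Env}} \subseteq A_{\mathcal{A}}$; in both cases relation (4) fails. This is the separation the scenario describes: the supplier can verify condition (i) from the contract alone, and the OEM verifies condition (ii) from the parts it integrates.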

Scoping conditions for specifying contracts
Section 3 presented conditions on an element and its environment, where these conditions ensure that the guarantee of a given contract is non-trivially fulfilled. Previous general assume-guarantee theories [3,4,35,37-39,41-43,45,46,49-52,56-59] that explicitly consider ports do not allow guarantees and assumptions to be specified over ports that are not in the set of ports of an element. This means that the present paper is strictly more expressive than previous assume-guarantee theories with respect to how a contract can be specified. However, the increased expressiveness is not unlimited, since there are necessary restrictions on the set of port variables constrained by the assumptions and the guarantee of a contract in order for an element and its environment to be such that conditions (i) and (ii) of Corollary 1 hold. Therefore, to facilitate the specification of contracts in practice, this section introduces conditions, called scoping conditions, which ensure that these restrictions are not violated without limiting expressiveness.
In order to introduce and motivate these scoping conditions, a definition and two propositions will first be presented. The definition, which now follows, characterizes a necessary condition in order for conditions (i) and (ii) of Corollary 1 to hold.
Definition 5 An assertion $W$ restricts a variable $x$ if $W$ constrains $x$ and there does not exist an assertion $W'$ where $x \notin X_{W'}$ and $\emptyset \neq W' \subseteq W$.
In accordance with Definition 5, if an assertion $W$ restricts $x$, then an assertion $W'$ must constrain $x$ in order to non-trivially fulfill $W$.
As a first example, the guarantee $G_{Esys}$, specified through the equation $l = f$, restricts both $l$ and $f$. Consider an architecture containing an element $E$ where $B \cap B_{\mathrm{Env}_{\mathcal{E}}(E)}$ does not constrain both $l$ and $f$. In accordance with Definition 5, it does not hold that $\emptyset \neq B \cap B_{\mathrm{Env}_{\mathcal{E}}(E)} \subseteq G_{Esys}$. Formulated differently, the fact that $G_{Esys}$ restricts a port variable that is not constrained by $B \cap B_{\mathrm{Env}_{\mathcal{E}}(E)}$ means that conditions (i) and (ii) of Corollary 1 will not both hold for $E$ and $\mathrm{Env}_{\mathcal{E}}(E)$, respectively.
In the first example, the port variables constrained by $G_{Esys}$ are also the port variables it restricts; however, in general, an assertion can constrain a port variable without restricting it. As a second example, consider an assertion $W_{x>0 \Rightarrow y=0}$ expressed through the logical formula $x > 0 \Rightarrow y = 0$. The assertion $W_{x>0 \Rightarrow y=0}$ constrains $y$, but it does not restrict it, since for e.g. the assertion $W_{x=0}$ expressed through the equation $x = 0$, it does indeed hold that $\emptyset \neq W_{x=0} \subseteq W_{x>0 \Rightarrow y=0}$ despite the fact that $W_{x=0}$ does not constrain $y$.
As shown in the second example, under the conditions that an assertion $W$ constrains a variable $x$ but does not restrict it, it is possible that there exists a case where another assertion $W'$ does not constrain $x$, but where it still holds that $\emptyset \neq W' \subseteq W$. As will be shown in the following proposition, under such conditions there exists another assertion $W''$ that does not constrain $x$, but where $\emptyset \neq W' \subseteq W''$ holds regardless of the specific runs that are in $W'$. This means that if the intent is that $W$ is to specify an assertion $W'$ that is to non-trivially fulfill $W$ and not constrain $x$, then it is possible to replace $W$ with an assertion $W''$ that does not constrain $x$, but that still specifies the exact same assertions $W'$.
Proposition 4 Given a set of variables $X$ and an assertion $W$, there exists an assertion $W''$ where $X_{W''} \subseteq X$ such that for each assertion $W'$ where $X_{W'} \subseteq X$:

Lemma 1 Given two assertions $W$ and $W'$ where
The proof of Lemma 1 is found in "Appendix A". The proof of Proposition 4 follows.
Proof Assume that $W''$ is the union of each assertion $W'$ where $X_{W'} \subseteq X$ and $\emptyset \neq W' \subseteq W$. The rest of the proof trivially follows from Lemma 1.
Note that in order for there to exist an assertion $W'$ where $X_{W'} \subseteq X$ and $\emptyset \neq W' \subseteq W$, in accordance with Definition 5, it is necessary that $W$ does not restrict variables that are not in $X$.
Consider the previously presented assertion $W_{x>0 \Rightarrow y=0}$ and the set $\{x\}$. In accordance with Proposition 4, there exists an assertion $W''$ where $X_{W''} \subseteq \{x\}$ such that for each assertion $W'$ where $X_{W'} \subseteq \{x\}$, it holds that $\emptyset \neq W' \subseteq W_{x>0 \Rightarrow y=0}$ if and only if $\emptyset \neq W' \subseteq W''$. For example, $W''$ can be expressed through the inequality $x \leq 0$.

Proposition 5 Given two assertions $W$ and $W'$ where
The proof of Proposition 5 is found in "Appendix A". Definition 5 and Propositions 4 and 5 will now be applied to two examples to motivate the need for, and the basis of, the scoping rules that will be proposed for specifying contracts. In the following two examples, the considered use case is to establish that the guarantee of a contract is non-trivially fulfilled in a set of elements containing an element with a set of port variables $X_{Esys}$, where $X_{tank}$ is the set of port variables of the environment of this element.
What will be shown in the two examples is that, regardless of the specific runs in the assumptions and guarantee of a contract, it is indeed necessary that the assumptions and guarantee do not restrict variables in $X_{Esys} \cup X_{tank}$ in order for conditions (i) and (ii) of Corollary 1 to hold. Furthermore, it will also be shown that if the assumptions and guarantee constrain port variables in $X_{Esys} \cup X_{tank}$ without restricting them, then the assumptions and guarantee can be reformulated to constrain a subset of $X_{Esys} \cup X_{tank}$ and still specify the exact same element and environment behaviors constraining a subset of $X_{Esys}$ and $X_{tank}$, respectively.
Esys. This example shows that it is necessary that the assumption $A_{\mathcal{A}}$ does not restrict any port variable that is not in $X_{\mathrm{Env}_{\mathcal{E}}(E)}$. Furthermore, if $A_{\mathcal{A}}$ does constrain a port variable $x \notin X_{\mathrm{Env}_{\mathcal{E}}(E)}$ without restricting it, then it is possible to replace $A_{Esys}$ with an assertion $A^{new}_{Esys}$ that does not constrain $x$, but that still specifies the exact same behaviors constraining a subset of $X_{tank}$.

Example 1b
In Fig. 8a, a
Consider a contract $(\mathcal{A}, G, X)$ and a set of port variables $X_{\mathrm{Env}_{\mathcal{E}}(E)}$. As expressed in Example 1a, in order for condition (ii) of Corollary 1 to hold for an element $(X_{\mathrm{Env}_{\mathcal{E}}(E)}, B_{\mathrm{Env}_{\mathcal{E}}(E)})$, it is necessary that the assumptions $A_{\mathcal{A}}$ do not restrict any port variable that is not in $X_{\mathrm{Env}_{\mathcal{E}}(E)}$. Similarly, as expressed in Example 1b, in order for condition (i) of Corollary 1 to hold for an element $(X, B)$, it is necessary that the guarantee $G$ does not restrict any port variable that is not in $X \cup X_{A_{\mathcal{A}}}$.
Furthermore, consider that $A_{\mathcal{A}}$ and $G$ constrain port variables that are not in the respective sets $X_{\mathrm{Env}_{\mathcal{E}}(E)}$ and $X \cup X_{A_{\mathcal{A}}}$, but where $A_{\mathcal{A}}$ and $G$ do not restrict these port variables. As indicated in Examples 1a and 1b, in such a case it is in fact redundant to constrain such port variables. That is, these examples indicate that $A_{\mathcal{A}}$ and $G$ could be reformulated to not constrain such port variables and yet specify the same element and environment behavior.
These indications are formalized in the following theorem.
Theorem 2 Given a contract $(\mathcal{A}, G, X)$ and a set of variables $X_{\mathrm{Env}_{\mathcal{E}}(E)}$, there exists a contract $(\mathcal{A}', G', X)$ where: such that for each set of elements containing an element $(X, B)$ and where the pair ) is the environment of $(X, B)$:
The proof of Theorem 2 is found in "Appendix A". Consider the task of specifying a contract $(\mathcal{A}, G, X)$ with the intent that conditions (i) and (ii) are to hold respectively for an element $(X, B)$ and its environment $(X_{\mathrm{Env}_{\mathcal{E}}(E)}, B_{\mathrm{Env}_{\mathcal{E}}(E)})$ in a set of elements. As expressed in Theorem 2, for such a task it is sufficient to only allow contracts to be specified in accordance with conditions (a) and (b); that is, no expressiveness is lost by only allowing such contracts. In the following, given a contract $C = (\mathcal{A}, G, X)$ and a set of variables $X_{\mathrm{Env}_{\mathcal{E}}(E)}$, conditions (a) and (b) will be called scoping conditions for $C$ and $X_{\mathrm{Env}_{\mathcal{E}}(E)}$.
Suppose that either or both of the scoping conditions (a) and (b) are violated for a given contract $C = (\mathcal{A}, G, X)$ and a set of variables $X_{\mathrm{Env}_{\mathcal{E}}(E)}$. For example, consider that $X_{A_{\mathcal{A}}} \setminus X_{\mathrm{Env}_{\mathcal{E}}(E)} = \{x\}$. Notably, either $A_{\mathcal{A}}$ restricts $x$, or it constrains $x$ without restricting it. As previously mentioned and in accordance with Definition 5, the former case ensures that conditions (i) and (ii) of Corollary 1 cannot hold. In the latter case, in accordance with Theorem 2, constraining $x$ is indeed redundant. Thus, the scoping conditions of Theorem 2 constitute checks that detect either a violation of conditions (i) and (ii) or redundantly constrained port variables.
Note that in accordance with Sect. 2.1.2, the set of variables constrained by an assertion can only be derived from the runs that the assertion contains. However, as indicated in Sect. 2.1, in practice an assertion would typically be expressed through a constraint explicitly specified over a set of variables, e.g. as the assertion $W_{y=x}$ shown in Fig. 3a. Assuming the generic case where the set of variables over which the constraint is specified is equal to the set of variables constrained by the assertion, the fact that the scoping conditions (a) and (b) hold for a contract $C = (\mathcal{A}, G, X)$ and a set of port variables $X_{\mathrm{Env}_{\mathcal{E}}(E)}$ can actually be established by considering only $X$, $X_{\mathrm{Env}_{\mathcal{E}}(E)}$, and the sets of port variables over which the assumptions $A_{\mathcal{A}}$ and the guarantee $G$ are specified.
To illustrate the use of conditions (a) and (b) of Theorem 2, consider again Examples 1a and 1b shown in Fig. 8. Scoping condition (a) is violated for the contract $C_{Esys}$ and $X_{tank}$ due to the fact that $X_{A_{Esys}} \not\subseteq X_{tank}$. Furthermore, considering the contract $C_{Esys}$ and the set of port variables $X_{tank}$, scoping condition (b) does not hold since $X_{G_{Esys}} \not\subseteq X_{tank} \cup X_{Esys}$. Thus, checking whether the scoping conditions (a) and (b) hold or not can be done without explicitly considering the runs that are in these assumptions and guarantees. As previously mentioned, a violation of the scoping conditions means either that conditions (i) and (ii) of Corollary 1 are violated or that more port variables are constrained than necessary.
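The following Python block is an added example (not code from the paper) that implements Definition 5 and the scoping checks of this section over a small finite universe of runs. It uses the construction from the proof of Proposition 4: the largest sub-assertion $W''$ of $W$ whose constrained variables lie in $X$ is the set of runs of $W$ all of whose $X$-variants are also in $W$, so $W$ restricts $x$ exactly when $W$ constrains $x$ and that largest sub-assertion, taken for $X$ equal to all variables except $x$, is empty. The scoping conditions are taken as (a) $X_{A_{\mathcal{A}}} \subseteq X_{\mathrm{Env}}$ and (b) $X_G \subseteq X \cup X_{A_{\mathcal{A}}}$, as read from the discussion of Examples 1a and 1b; the domains, the contract `(A_C, G_C, X)` and the environment port set used at the end are constructed for this example and are my assumptions.

```python
from itertools import product


def universe(dom):
    """All runs over the finite domains in dom; a run is a tuple in the key order of dom.
    Time-windows are abstracted away: a run is one static assignment (constructed model)."""
    return frozenset(product(*dom.values()))


def assertion(dom, pred):
    """The set of runs satisfying pred, which receives the run as keyword arguments."""
    names = tuple(dom)
    return frozenset(r for r in universe(dom) if pred(**dict(zip(names, r))))


def largest_sub_assertion(dom, W, X):
    """Proposition 4's W'': the union of every W' ⊆ W with X_{W'} ⊆ X.
    A run of W belongs to it iff every run agreeing with it on X is also in W."""
    idx = [i for i, n in enumerate(dom) if n in X]
    groups = {}
    for r in universe(dom):
        groups.setdefault(tuple(r[i] for i in idx), []).append(r)
    return frozenset(r for r in W
                     if all(s in W for s in groups[tuple(r[i] for i in idx)]))


def constrains(dom, W, x):
    """W constrains x iff projecting x away changes W (Proposition 1), i.e. iff
    W is not already its own largest sub-assertion over the other variables."""
    others = [n for n in dom if n != x]
    return largest_sub_assertion(dom, W, others) != W


def restricts(dom, W, x):
    """Definition 5: W constrains x and no nonempty W' ⊆ W leaves x unconstrained."""
    others = [n for n in dom if n != x]
    return constrains(dom, W, x) and not largest_sub_assertion(dom, W, others)


def constrained_vars(dom, W):
    """X_W, the set of variables constrained by W."""
    return frozenset(x for x in dom if constrains(dom, W, x))


def scoping_check(dom, A, G, X, X_env):
    """Scoping conditions (a) X_A ⊆ X_env and (b) X_G ⊆ X ∪ X_A.
    For every violating variable, reports 'restricts' (conditions (i)/(ii) of
    Corollary 1 cannot both hold) or 'redundant' (drop it via Proposition 4)."""
    X_A = constrained_vars(dom, A)
    X_G = constrained_vars(dom, G)
    verdict = {}
    for W, offending in ((A, X_A - frozenset(X_env)), (G, X_G - (frozenset(X) | X_A))):
        for x in sorted(offending):
            verdict[x] = "restricts" if restricts(dom, W, x) else "redundant"
    return verdict


# The assertion W_{x>0 ⇒ y=0} from the text, over a constructed domain.
DOM_XY = {"x": (-1, 0, 1, 2), "y": (0, 1)}
W_IMPL = assertion(DOM_XY, lambda x, y: x <= 0 or y == 0)

# Constructed contract with one redundantly constrained and one restricted variable.
DOM_C = {"f": (0, 1, 2), "h": (0, 1, 2), "l": (0, 1, 2), "m": (0, 1)}
A_C = assertion(DOM_C, lambda f, h, l, m: f == h or f == 0)   # constrains h, does not restrict it
G_C = assertion(DOM_C, lambda f, h, l, m: l == f and m == 0)  # restricts f, l and m


def demo():
    """Results for the two examples; see the <test> values for what they evaluate to."""
    return {
        "W constrains y": constrains(DOM_XY, W_IMPL, "y"),
        "W restricts y": restricts(DOM_XY, W_IMPL, "y"),
        "W'' is x<=0": largest_sub_assertion(DOM_XY, W_IMPL, {"x"})
                       == assertion(DOM_XY, lambda x, y: x <= 0),
        "scoping": scoping_check(DOM_C, A_C, G_C, X=("l",), X_env=("f",)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

For $W_{x>0 \Rightarrow y=0}$ the block confirms that $y$ is constrained but not restricted, and that the largest sub-assertion over $\{x\}$ is exactly $x \leq 0$, the $W''$ named in the text. In the constructed contract, $h$ is constrained by the assumption without being restricted (so violating (a) only costs a redundant variable, and the assumption can be replaced by its largest sub-assertion over the environment ports), whereas $m$ is restricted by the guarantee and lies outside $X \cup X_{A_{\mathcal{A}}}$, so no element and environment can satisfy conditions (i) and (ii) of Corollary 1 for it.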

Contract properties consistency and compatibility
Section 4 described necessary restrictions on the sets of port variables constrained by the assumptions and the guarantee of a contract in order for conditions (i) and (ii) of Corollary 1 to hold. In contrast to Sect. 4, this section presents sufficient and necessary conditions for the existence of a set of elements where an element and its environment are such that conditions (i) and (ii) of Corollary 1 hold with respect to the contract. If such a set of elements exists, then the contract is said to be consistent and compatible.
In order to get a better understanding of when the properties consistency and compatibility are relevant, the scenario presented in Sect. 3.2 is examined. Considering phase (I) of the scenario, the expectation of the OEM when handing over the contract $C = (\mathcal{A}, G, X)$ to the supplier is that the supplier will deliver an element in phase (II) such that condition (i) of Corollary 1 holds with respect to $C$. However, in order for the supplier to be able to meet this expectation from the OEM, the contract $C$ needs to be such that there actually exists an element $(X, B)$ for which condition (i) of Corollary 1 holds. If such an element exists, the contract $C$ will be referred to as a consistent contract.
Furthermore, in phase (III), the OEM also has the intent of integrating the element $E$ delivered by the supplier with a set of elements $\{E_i\}_{i=1}^{N}$ such that the composition of $\{E\} \cup \{E_i\}_{i=1}^{N}$ non-trivially fulfills the guarantee $G$. However, in order for this to be possible, there needs to exist at least one set of elements containing $E$ where the environment of the element is such that condition (ii) of Corollary 1 holds with respect to $C$. If such a set of elements exists, then the contract $C$ will be referred to as a compatible contract. Now that the concepts of consistency and compatibility have been introduced in the context of a scenario, formal definitions follow. Considering that the definitions quantify over elements and sets of elements, complementary sufficient and necessary conditions that can be established on the contract alone will also be presented.

Definition 6 (Consistent
Definition 6 corresponds to an instantiation of the abstract definition of consistency in the meta theory of contracts in [33] using condition (i) of Corollary 1. Definition 6 is also closely related to the definitions of consistency and compatibility in [3,5], and to the definition of realizability in [71]. In contrast to the definitions in [3,5,71], however, Definition 6 considers a context where contract (A, G, X) is not necessarily limited to the set of port variables X and where X does not need to be partitioned into inputs and outputs.
A necessary and sufficient condition for Definition 6 now follows.

Theorem 3 A contract (A , G, X ) is consistent if and only if
Lemma 2 Given two assertions W and W′, and a set of variables X, it holds that proj
The proof of Lemma 2 is found in "Appendix A". The proof of Theorem 3 now follows.
Proof Consider a contract C = (A , G, X ).
For the only-if part, assume that C is consistent. In accordance with Definition 6, this means that there exists an element E = (X, B) such that In accordance with Lemma 2, this means that proj_X(A_A ∩ G) ⊆ proj_X(B). This and the fact that proj_X(B) = B, in accordance with Definition 2 and Proposition 1, imply that proj_X(A_A ∩ G) ⊆ B. This and relation For the if part, assume that relation In accordance with relations (1) and (2), it holds that A_A ∩ G ⊆ proj_X(A_A ∩ G). This and the fact that B = proj_X(A_A ∩ G) imply that A_A ∩ G ⊆ B, which concludes the proof.
In contrast to Definition 6, Theorem 3 supports a way of establishing whether a contract is consistent or not without the need to iterate through each element with set of port variables X in order to determine if there exists an element E = (X, B) such that condition (i) of Corollary 1 holds with respect to C.

Definition 7 (Compatible contract) A contract (A, G, X) is compatible if there exists an element E = (X, B) and a set of elements E containing E, such that

Definition 7 corresponds to an instantiation of the abstract definition of compatibility in the meta theory of contracts in [33] using condition (ii) of Corollary 1. Definition 7 is also closely related to the definitions of compatibility in [3,5]. However, in contrast to [3,5], Definition 7 considers a context where the contract (A, G, X) is not necessarily limited to the set of port variables X and where X does not need to be partitioned into inputs and outputs.
A necessary and sufficient condition for compatibility now follows.

Theorem 4 A contract (A , G, X ) is compatible if and only if
Proof Consider a contract (A , G, X ).
For the if part, assume that A_A ∩ G ≠ ∅. This implies that there exists at least one run ω in A_A that is also in A_A ∩ G. Assume that E_0 is a set of elements containing an element E = (X, B) such that B_{Env_{E_0}(E)} = {ω}. This implies that there exists a set of elements containing an element E = (X, B) such that relations (i) and (ii) of Definition 7 hold.
For the only-if part, assume that (A, G, X) is compatible. In accordance with Definition 7, this means that there exists a set of elements E containing an element E = (X, B) such that

In contrast to Definition 7, Theorem 4 supports a way of establishing whether a contract C = (A, G, X) is compatible or not, without the need to iterate through each set of elements containing an element with set of port variables X in order to determine if there exists a set of elements where the environment of an element E = (X, B) is such that condition (ii) of Corollary 1 holds.
As a conclusion to this section, a scenario is examined where a supplier wants to outsource the development of a level meter by the use of contract C_lMeter shown in Fig. 6. In order for the supplier and the client to complete phases (I-III) of the scenario described in Sect. 3.2 such that relation (4) holds, contract C_lMeter must be consistent and compatible.
In order for this to be the case, Theorems 3 and 4 express that it is necessary and sufficient that: Considering that A_lMeter ∩ G_lMeter is an assertion specified by equations f = , which can be combined into the equation l = f . This means that relation (16) holds. Therefore, it can be concluded that contract C_lMeter is consistent and compatible and is, thus, an appropriate specification to be used for outsourced development.

Hierarchical structuring of contracts
Consider a pair (C, {C_i}_{i=1}^N) characterizing a two-level contract hierarchy, such that C = (A, G, X) is a contract at the first level and {C_i}_{i=1}^N is a set of contracts, where X ⊆ ∪_{i=1}^N X_i, at the second level. This section establishes the following property of the two-level contract hierarchy (C, {C_i}_{i=1}^N): for each set of elements {(X_i, B_i)}_{i=1}^N where each element (X_i, B_i) is such that condition (i) of Corollary 1 holds with respect to ) is said to be proper. Establishing that a contract hierarchy with an arbitrary number of levels is proper amounts to establishing that each pair of adjoining levels in the contract hierarchy is proper.

Definition 8 (Proper contract hierarchy) Given a contract
Definition 8 is in accordance with the general principle of compositionality [31,32], since the fact that element (X, B) is such that relations The compositional approach of indirectly establishing that (X, B) is such that condition (i) of Corollary 1 holds with respect to C is needed when a direct approach is not feasible due to, e.g., the complexity of (X, B).
Despite considering conditions dissimilar from those presented in Corollary 1 in the present paper, Definition 8 corresponds, in essence, to the definitions of dominance in [39,72], where [72] offers a minor extension of the definitions in [35,44]. However, in contrast to [72], where ports are not considered, and to [39], where guarantees must be limited to the set of ports of a component, Definition 8 considers a context where port variables are explicit, but where contracts are not necessarily limited to the sets of port variables of elements.
A special case of Definition 8 is when a contract hierarchy is of the form ((A, G, X), {(A′, G′, X)}). In accordance with Definitions 3 and 8, for such a contract hierarchy to be proper, condition (i) of Corollary 1 must hold with respect to (A, G, X) for each element (X, B) such that condition (i) of Corollary 1 holds with respect to (A′, G′, X). Notably, this special case of Definition 8 corresponds to an instantiation of the abstract definition of refinement in the meta theory of contracts in [33] using condition (i) of Corollary 1. The notion of refinement, defined as a special case of Definition 8, is further compared to refinement as defined in other contract theories in Sect. 7.
In order to provide further understanding of when Definition 8 is relevant, a scenario is presented. The scenario is in the context of an OEM/supplier chain as described in Sect. 3, but the principles are equally valid for any design context where clear separations of responsibilities are desired, also within a single company. Specifically, the scenario consists of three phases: (I') ) is handed from the OEM to a supplier, where X ⊆ ∪_{i=1}^N X_i; (II') each supplier develops an element E_i = (X_i, B_i) such that condition (i) of Corollary 1 holds with respect to C_i; and (III') the OEM integrates the set of elements {E_i}_{i=1}^N into an element E = (X, B) that is the composition of {E_i}_{i=1}^N onto X and is such that condition (i) of Corollary 1 holds with respect to C.
In order to enable an integration of the set of elements {E_i}_{i=1}^N into element E in phase (III'), the fact that element E is such that condition (i) of Corollary 1 holds with respect to C needs to follow from the completion of phase (II'). For this to be the case, in phase (I'), the two-level contract hierarchy (C, {C_i}_{i=1}^N) needs to be proper. In order to find a two-level contract hierarchy (C, {C_i}_{i=1}^N) that is proper, a graph, called a composition structure, is introduced in Sect. 6.1. Based on a composition structure, a theorem that expresses sufficient conditions for a contract hierarchy to be proper is presented in Sect. 6.2. Despite considering formalisms dissimilar from those of the present paper, the sufficient conditions that will be presented for a contract hierarchy to be proper correspond, in essence, to the compositional proof step [73] in assume-guarantee theories such as [34,47,51], and also to the sufficient conditions of dominance in [39]. However, in contrast to [34,39,47,51], the sufficient conditions in Sect. 6.2 are based on the concept of a graph, or more specifically, a composition structure.
The proposed graph-based approach supports establishing directly that any two-level contract hierarchy (C, {C_i}_{i=1}^N) is proper. Another alternative, but more indirect, way of establishing that (C, ) is proper and there exists no other contract C = (A , G , X ) that refines C (a special case of Definition 8, as previously mentioned) such that (C , {C_i}_{i=1}^N) is proper; and second, check whether C refines C. In accordance with the meta theory in [33], the contract C in such an approach corresponds to an instantiation of parallel composition [3][4][5][37,44,56] of {C_i}_{i=1}^N using condition (i) of Corollary 1. Notably, the indirect way does not require checking that an arbitrary two-level contract hierarchy (C, {C_i}_{i=1}^N) is proper, but only the special case of refinement. The indirect way does, however, require computing the parallel composition, which is not required for the more direct approach. The rest of this section will focus only on the graph-based approach and on supporting the direct, rather than the indirect, approach. The main reason for doing so is that the indirect approach requires a way of checking refinement anyway, and this is supported by the graph-based approach. That is, the graph-based approach provides a partial foundation for enabling the indirect approach, while the inverse is not true.

Composition structures of contract hierarchies
Prior to presenting the formal definition of a composition structure, the concept is introduced in an informal manner by structuring a two-level contract hierarchy (C_Esys, {C_pot, C_bat, C_lMeter}). The contracts express specifications for the elements of the electric system of an LM-system, e.g. the one shown in Fig. 5.
Consider the assumptions and the guarantee of each contract in the set of contracts {C_Esys, C_pot, C_bat, C_lMeter} being structured as nodes in a directed graph, as shown in Fig. 9, where the boxes with rounded corners and dashed edges have been added to also show the two-level contract hierarchy. The set of incoming arcs to a guarantee G from a set of assumptions A represents that A and G are in the same contract, e.g. the arc from A_Esys to guarantee G_Esys. The set of incoming arcs to an assumption A from a set of assertions {W_i}_{i=1}^N, where W_i is either an assumption or a guarantee, represents the intent ∩_{i=1}^N W_i ⊆ A. For example, the arc to A_pot2 from assumption A_Esys represents the intent A_Esys ⊆ A_pot2.
The set of incoming arcs to a guarantee G from a set of guarantees {G_j}_{j=1}^M represents the intent ∩_{j=1}^M G_j ⊆ G. For example, the arc from the guarantee G_lMeter to G_Esys represents the intent G_lMeter ⊆ G_Esys. Now that the concept of a composition structure has been introduced informally, the formal definition follows.
Definition 9 (Composition structure of contract hierarchy) Given a contract C = (A, G, X) and a set of contracts ) is a Directed Acyclic Graph (DAG), such that: (a) the guarantees G_i, the assumptions in each A_i, the assumptions in A, and the guarantee G are the nodes in D; (b) G has no successors; (c) each assumption in A has no predecessor; (d) at least one G_i is a direct predecessor of G; (e) each assumption in each A_i has at least one predecessor; (f) the assumptions in A_i are the only direct predecessors of each G_i; (g) G_i is the only direct successor of each assumption in each A_i; and (h) G is a direct successor of each assumption in A.
As described in the beginning of this section and in Definition 9, a composition structure represents a structuring of a two-level contract hierarchy, as expressed in condition (a), where: the set of incoming arcs to a guarantee from a set of assumptions represents that the assumptions and the guarantee are in the same contract, as expressed in conditions (f) and (h); the intent is that at least one guarantee G_i or an assumption in A should be a subset of each assumption in A_i, as expressed in conditions (b) and (g), and condition (e) in particular; and the intent is that at least one guarantee G_i should be a subset of the guarantee G, as expressed in condition (d). Condition (c), and further also conditions (b), (f), and (g), disallow the existence of any arcs other than those mentioned above.
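Definition 9 is a purely structural condition on a finite graph, which makes it directly checkable by a tool. The following Python is an added example, not code from the paper: check_structure reports every violated condition (a)-(h) of Definition 9 together with acyclicity, and check_intents evaluates the intent relations (17)-(18) when assertions are given as finite sets of runs. The hierarchy (C_Esys, {C_pot, C_bat, C_lMeter}) follows Fig. 9 in name only; the arcs A_Esys -> A_pot2, G_lMeter -> G_Esys and A_Esys -> G_Esys are those the text describes, G_bat -> A_pot1 is inferred from Example 2a, and the remaining arcs as well as the integer run identifiers are constructed for illustration.

```python
"""Structural and intent checks for a composition structure (Definition 9,
relations (17)-(18)).  Added example, not part of the paper; node names are
modelled on the electric-system hierarchy of Fig. 9, the remaining arcs and
the abstract runs below are constructed for illustration."""
from dataclasses import dataclass
from functools import reduce
from graphlib import CycleError, TopologicalSorter


@dataclass(frozen=True)
class Contract:
    name: str
    assumptions: frozenset  # node names of the assumptions in the set A (may be empty)
    guarantee: str          # node name of the guarantee G


def _preds(arcs, node):
    return {u for (u, v) in arcs if v == node}


def _succs(arcs, node):
    return {v for (u, v) in arcs if u == node}


def check_structure(top, subs, arcs):
    """Return the violated conditions of Definition 9 (empty list if the graph
    given by 'arcs', a set of (from, to) pairs, is a composition structure of
    the two-level hierarchy (top, subs))."""
    v = []
    sub_g = {c.guarantee for c in subs}
    sub_a = {a for c in subs for a in c.assumptions}
    nodes = sub_g | sub_a | top.assumptions | {top.guarantee}
    used = {n for arc in arcs for n in arc}
    if not used <= nodes:                                # (a) only A/G nodes
        v.append(f"(a) foreign nodes {sorted(used - nodes)}")
    try:                                                 # acyclicity (DAG)
        TopologicalSorter({n: _preds(arcs, n) for n in nodes | used}).prepare()
    except CycleError:
        v.append("DAG: the graph contains a cycle")
    if _succs(arcs, top.guarantee):                      # (b)
        v.append("(b) G has a successor")
    for a in top.assumptions:
        if _preds(arcs, a):                              # (c)
            v.append(f"(c) assumption {a} of C has a predecessor")
        if top.guarantee not in _succs(arcs, a):         # (h)
            v.append(f"(h) G is not a successor of assumption {a} of C")
    if not _preds(arcs, top.guarantee) & sub_g:          # (d)
        v.append("(d) no G_i is a direct predecessor of G")
    for c in subs:
        if not _preds(arcs, c.guarantee) <= c.assumptions:   # (f)
            v.append(f"(f) {c.guarantee} has a predecessor outside A_{c.name}")
        for a in c.assumptions:
            if not _preds(arcs, a):                      # (e)
                v.append(f"(e) assumption {a} of {c.name} has no predecessor")
            if _succs(arcs, a) != {c.guarantee}:         # (g)
                v.append(f"(g) successors of {a} are not exactly {{{c.guarantee}}}")
    return v


def _meet(assertion, nodes):
    """Intersection of the assertions of the given nodes (sets of runs)."""
    return reduce(frozenset.__and__, (assertion[n] for n in nodes))


def check_intents(top, subs, arcs, assertion):
    """Relations (17)-(18): the intersection of the guarantee predecessors of G
    must be a subset of G, and the intersection of all predecessors of each
    second-level assumption must be a subset of that assumption.  'assertion'
    maps node name -> frozenset of runs.  Returns the nodes whose intent fails."""
    sub_g = {c.guarantee for c in subs}
    failing = []
    g_preds = _preds(arcs, top.guarantee) & sub_g
    if g_preds and not _meet(assertion, g_preds) <= assertion[top.guarantee]:
        failing.append(top.guarantee)                    # relation (17)
    for c in subs:
        for a in c.assumptions:
            preds = _preds(arcs, a)
            if preds and not _meet(assertion, preds) <= assertion[a]:
                failing.append(a)                        # relation (18)
    return sorted(failing)


# Constructed hierarchy (C_Esys, {C_pot, C_bat, C_lMeter}).  Arcs named in the
# text: A_Esys -> A_pot2, G_lMeter -> G_Esys, A_Esys -> G_Esys; G_bat -> A_pot1
# is inferred from Example 2a; the remaining arcs are assumed.
C_ESYS = Contract("C_Esys", frozenset({"A_Esys"}), "G_Esys")
SUBS = [Contract("C_pot", frozenset({"A_pot1", "A_pot2"}), "G_pot"),
        Contract("C_bat", frozenset(), "G_bat"),
        Contract("C_lMeter", frozenset({"A_lMeter"}), "G_lMeter")]
ARCS = {("A_Esys", "G_Esys"), ("A_Esys", "A_pot2"), ("G_bat", "A_pot1"),
        ("A_pot1", "G_pot"), ("A_pot2", "G_pot"), ("G_pot", "A_lMeter"),
        ("A_lMeter", "G_lMeter"), ("G_lMeter", "G_Esys")}
# Constructed assertions: integers stand for abstract runs.
RUNS = {"G_bat": frozenset({0, 1}), "A_pot1": frozenset({0, 1, 2}),
        "A_Esys": frozenset({3, 4}), "A_pot2": frozenset({3, 4, 5}),
        "G_pot": frozenset({1, 3, 6}), "A_lMeter": frozenset({1, 3, 6, 7}),
        "G_lMeter": frozenset({2, 6}), "G_Esys": frozenset({2, 6, 7})}

if __name__ == "__main__":
    print(check_structure(C_ESYS, SUBS, ARCS))         # []
    print(check_intents(C_ESYS, SUBS, ARCS, RUNS))     # []
    # Weakening G_Esys breaks intent (17): G_lMeter is no longer a subset of it.
    print(check_intents(C_ESYS, SUBS, ARCS, {**RUNS, "G_Esys": frozenset({6, 7})}))
```

Because the structural checks only look at arcs and node kinds, they apply equally when assumptions and guarantees are free text with formal references to port variables; only check_intents needs the assertions to be formalized as sets of runs. As Examples 2a to 2c below show, a graph that passes both checks still does not by itself make the hierarchy proper; the additional scoping conditions of Definition 10 are needed for that.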
Out of the general assume-guarantee theories [3,4, only [48] considers a graph-based approach for structuring contracts. However, in contrast to [48], where the aim of the structuring is to be able to verify a set of contracts with circular dependencies (see Remark 1 at the end of this section), a composition structure represents a structuring of a two-level contract hierarchy in general.
Apart from general assume-guarantee theories, composition structures have a lot in common with Goal Oriented Requirements Engineering (GORE) models, see e.g. i* [74] or KAOS [75], or [76] for a survey, where [74,75] draw on ideas presented in [77][78][79]. The main difference is, again, that while a composition structure represents a structuring of a two-level contract hierarchy in general, GORE models are more specific, since the use of assumptions, also called expectations, in GORE models is strictly limited to top-level specifications that split the responsibilities between a SW system and its environment. Furthermore, a concept similar to a composition structure is presented in [80,81] based on Bayesian networks, but with the specific focus of modeling failure propagation.
Given a composition structure D of a contract hierarchy (C, {C_i}_{i=1}^N), in accordance with Definition 9, each assumption and each guarantee in C and C_i is a node in D. There are, however, cases when re-using an assumption or a guarantee would be preferred [15], e.g. if two guarantees rely on the same assumption or if a guarantee is equal to an assumption. In practice, such a case can be represented either by the use of a single node or by labeling one node as a copy of another.
Remark 1 (Circular reasoning) Since a composition structure is a directed acyclic graph where the assumptions and guarantees are the nodes, the use of circular argumentation is avoided. Note that circularity can be resolved in other ways, e.g. by introducing assumptions about the computational model [34] or the timing model [48]. See also [82,83] for more discussion of such matters.

Sufficient conditions for proper contract hierarchy
This section presents sufficient conditions for a two-level contract hierarchy ) to be proper in accordance with Definition 8, based on the concept of a composition structure. The sufficient conditions support a way of establishing that (C, {C_i}_{i=1}^N) is proper without having to iterate through each possible set of elements {(X_i, B_i)}_{i=1}^N to determine that their composition onto X is such that condition (i) of Corollary 1 holds with respect to C, if each element (X_i, B_i) is such that condition (i) of Corollary 1 holds with respect to (A_i, G_i, X_i).
Consider a composition structure D of (C, {C_i}_{i=1}^N). Let dPred() denote a function that takes a node W in D as input and returns the set of all nodes that are direct predecessors of W. As presented in Sect. 6.1, the composition structure D represents the intent that
∩_{W ∈ dPred(A_ij)} W ⊆ A_ij, for each i, j. (18)
As an example, the composition structure of (C_Esys, {C_pot, C_bat, C_lMeter}) in Fig. 9 represents the intent that relation G_lMeter ⊆ G_Esys holds, and furthermore that relations However, as will be shown in the following illustrative Examples 2a, 2b, and 2c, the fact that relations (17) and (18) hold for D does not imply that (C, {C_i}_{i=1}^N) is proper. As a quick overview, Examples 2a and 2b will show that properness cannot be ensured if either the assumptions in A_A or the guarantee G of contract C constrain port variables in the set ∪_{i=1}^N X_i \ X. Example 2c shows the need to introduce an additional condition for the specific purpose of ensuring that relation A_A ∩ G ⊆ B (of condition (i) of Corollary 1) holds for the composition (X, B) of each set of elements {(X_i, B_i)}_{i=1}^N where (X_i, B_i) is such that condition (i) of Corollary 1 holds with respect to
Example 2a Consider that a composition structure D_a of a two-level contract hierarchy (C_Esys, {C_pot, C_bat, C_lMeter}) is the composition structure resulting from making the following modifications to the composition structure and two-level contract hierarchy shown in Fig. 9: in contract C_bat = ({}, G_bat, X_bat), it holds that G_bat = Ω, instead of being specified by the equation v_ref − v_gnd = 5V; A_Esys in contract C_Esys = ({A_Esys}, G_Esys, X_Esys) is specified by the equations f = h and v_ref − v_gnd = 5V, instead of only f = h; and an outgoing arc has been added from A_Esys to A_pot1. In accordance with relation (18), the intent is that A_Esys ∩ Ω ⊆ A_pot1, which is equivalent to A_Esys ⊆ A_pot1. In accordance with Definition 5, due to the fact that A_pot1 restricts {v_ref, v_gnd}, A_Esys also needs to restrict {v_ref, v_gnd} in order for relation (18) to hold. Note that neither v_ref nor v_gnd is in X_Esys. Now consider the set of elements {E′_bat, E_pot, E_lMeter}, where E_pot and E_lMeter are shown in Fig. 5 and where E′_bat is the modification of E_bat such that the behavior of E′_bat is equal to Ω, instead of being specified by the equation v_ref − v_gnd = 5V. It trivially holds that elements E′_bat, E_pot, E_lMeter are such that condition (i) of Corollary 1 holds with respect to C_bat, C_pot, and C_lMeter. Furthermore, it can easily be realized that relations (17) and (18) hold for D_a. However, since the relation v_ref − v_gnd = 5V is ensured by A_Esys, rather than by the behavior of E′_bat, the behavior of the composition E_Esys of {E′_bat, E_pot, E_lMeter} onto X_Esys is Ω, rather than being specified by l = h. This means that E_Esys is not such that relation (7) of condition (i) of Corollary 1 holds with respect to C_Esys, i.e. it does not hold that A_Esys ∩ B_Esys ⊆ G_Esys. Thus, the composition E_Esys of {E′_bat, E_pot, E_lMeter} onto X_Esys is not such that condition (i) of Corollary 1 holds with respect to C_Esys.
As shown in Example 2a, the fact that it is necessary for A_Esys to restrict port variables in (X_bat ∪ X_pot ∪ X_lMeter) \ X_Esys, in order for relation (18) to hold, means that even if relations (17) and (18) do hold, (C_Esys, {C_pot, C_bat, C_lMeter}) is not proper. Notably, regardless of whether it is necessary for A_Esys to restrict port variables in (X_bat ∪ X_pot ∪ X_lMeter) \ X_Esys, if A_Esys does restrict such variables, then in accordance with Definition 5 there does not exist an element that non-trivially fulfills A_Esys. That is, the fact that A_Esys restricts variables in (X_bat ∪ X_pot ∪ X_lMeter) \ X_Esys is undesirable altogether.
Considering the general case with a composition structure D, a sufficient condition for ensuring that A_A does not restrict port variables in ∪_{i=1}^N X_i \ X is to ensure that A_A does not constrain any port variable in ∪_{i=1}^N X_i \ X, i.e.
Notably, while ensuring that A_A does not restrict port variables in ∪_{i=1}^N X_i \ X, in accordance with Proposition 4 it is also the case that relation (19) can be enforced without losing expressiveness. However, as will be shown by the following illustrative Examples 2b and 2c, the fact that relation (19) holds in combination with relations (17)-(18) is not sufficient to ensure that (C, {C_i}_{i=1}^N) is proper; thus, additional conditions are presented in the following.
Example 2b Suppose that a composition structure D_b of a two-level contract hierarchy (C_Esys, {C_pot, C_bat, C_lMeter}) is the composition structure resulting from making the following modifications to the composition structure and two-level contract hierarchy shown in Fig. 9: both guarantees G_lMeter and G_Esys in C_Esys = ({A_Esys}, G_Esys, X_Esys) and C_lMeter = ({A_lMeter}, G_lMeter, X_lMeter) are specified by the equations = f and f = l, instead of f = l. Considering the composition of the set of elements {E_bat, E_pot, E_lMeter} onto X_Esys, i.e. element E_Esys shown in Fig. 5, due to the fact that A_Esys ∩ B_Esys is specified by the equations f = h and l = h, it holds that A_Esys ∩ B_Esys is non-empty and constrains exactly {f, l, h}. In accordance with Definition 5, from the fact that G_Esys does indeed restrict both v_branch and v_gnd, where neither of these is in {f, l, h}, it follows that relation (7)
In both Examples 2b and 2c, it trivially holds that elements E_bat, E_pot, and E_lMeter are such that condition (i) of Corollary 1 holds with respect to the contracts containing their sets of port variables. Furthermore, it can easily be realized that relations (17)
For a two-level contract hierarchy is not proper. In accordance with Proposition 4, a sufficient condition to avoid this case, but without losing expressiveness, is (X_G \ X_{A_A}) ∩ ∪_{i=1}^N X_i = ∅. This and relation (19) imply that Example 2c, on the other hand, shows that it is necessary for G to be a subset of the extended projection of the guarantees However, given that this holds, as well as relations (19) and (20), it follows that G must be equal to proj_{Ξ \ (∪_{i=1}^N X_i \ X)}(∩_{i=1}^N G_i), rather than a subset, i.e.
that This can be realized by considering that proj_{Ξ \ (∪_{i=1}^N X_i \ X)}(∩_{i=1}^N G_i) ⊆ G, which follows from the fact that relations (20) and (19) To characterize a composition structure where relations (17)-(21) hold, the concept of a proper composition structure is introduced.
Definition 10 (Proper composition structure) Given a composition structure D of a two-level contract hierarchy consisting of a contract (A, G, X) and a set of contracts
Conditions (i) and (ii) of Definition 10 are relations (17) and (18), respectively. Condition (iii) of Definition 10 combines relations (19) and (20) into a single condition. Considering Example 2a, due to the fact that iii) of Definition 10 ensures that the case highlighted in Example 2a is avoided. Furthermore, condition (iii) also ensures that the case highlighted in Example 2b is avoided, considering that conditions and properties of contracts. As previously mentioned in Sect. 6, in the context of the contract conditions proposed in the present paper, refinement is simply a special case of Definition 8, i.e. a proper contract hierarchy of the form ((A, G, X), {(A′, G′, X)}).
Refinement has the property that if relation (4) holds for a set of elements E containing an element E = (X, B) such that condition (i) holds with respect to a contract (A, G, X), then relation (4) will also hold if E is replaced with an element E′ = (X, B′) such that condition (i) of Corollary 1 holds with respect to a contract (A′, G′, X) that refines (A, G, X). This property of refinement is called independent implementability in [84]. It is also stated in [84] that independent implementability can only be ensured in a context where ports are partitioned into inputs and outputs. Notably, this statement is indeed true when refinement is defined to mean that A_A ⊆ A_A′ and G′ ⊆ G, as in e.g. [3,5], corresponding to A_A → A_A′ and G′ → G in [84]. Notably, these conditions allow that A ∩ G ⊆ A ∩ G, which means that the conditions are actually tailored to the input-output case, since relation B_{Env_E(E′)} A ∩ G \ (A ∩ G ), necessary for relation (3) to hold when E is replaced with E′, is ensured solely through the constraint that the environment must be receptive to output ports. If this constraint is relaxed, as required when inputs and outputs are not considered, the conditions A_A ⊆ A_A′ and G′ ⊆ G do not ensure the property of independent implementability. However, this property is indeed ensured if refinement is defined as a proper contract hierarchy of the form ((A, G, X), {(A′, G′, X)}), as in the present paper, instead of being defined to mean the conditions A_A ⊆ A_A′ and G′ ⊆ G as in [3,5,84]. This can be understood by considering the fact that necessary and sufficient conditions for a contract hierarchy additional to the conditions for refinement proposed in [3,5,84], cater to the relaxation of the constraint applicable only when inputs and outputs are considered.

Contracts and their properties, compositionality, elements, and runs
In Sects. 1-6, a large number of general assume-guarantee theories [4, have been referred to without a proper introduction. Therefore, the following two paragraphs of this section are dedicated to describing the contexts and applications of these general theories, as well as related concrete theories. The rest of this section compares the present paper with these theories and other related work, focusing on technical matters that have not been previously discussed in the present paper.
As mentioned in Sect. 3, the notion of contracts was first introduced in [1] to be used as formal specification in object-oriented programming. Since then, the use of contracts has been extended to component-based design [85], and a contract theory for analog systems has been proposed in [38,86]. Contracts have also been introduced in the formalisms Behavior Interaction Priority (BIP) [87] and refinement calculus [88], in [39,89] and [40], respectively. Furthermore, in the European research project SPEEDS [6], a contract theory [3][4][5] was introduced as a means to meet the challenges in the design of heterogeneous systems [7][8][9]. Work similar to [3][4][5] is presented in [46] and in [35] with tool support [90], and also in a more applied setting in [91,92]. The use of theory [3][4][5] has been advocated in [10][11][12][13][14][15], and the use of contracts in general has been proposed for analysis integration [93] and as a means to achieve functional safety in [94,95], and also in [96] with tool support [97]. Contract theory has also been extended both with modalities [98] in [12,41] and to a stochastic setting in [37,42]. Meta theories of contracts have been established in [33,36], and in [44] with refinement [45]. Theory [44] also clarifies the distinction between contracts and specifications, e.g. [56,99,100], that extend interface automata [101,102] and where [56] is shown to also support assume-guarantee reasoning in [103].
As previously mentioned in Sect. 6, both the properties refinement and parallel composition can be derived from Definition 8 in accordance with the meta theory in [33]. As further shown in [33] and also in [44], these properties also allow deriving other properties of contracts, namely conjunction [3][4][5][33,37,56] and quotient [33,56]. While both parallel composition and conjunction merge a set of contracts into a single contract, the latter is only applicable when the contracts contain the same set of port variables and concerns the case where the contracts are specified for different viewpoints [122,123]. Quotient computes a missing contract in a contract hierarchy to achieve compositionality.
In Sect. 2.2, the concept of an element, which essentially corresponds to a HRC [68,69] as used in [3][4][5], was introduced. The main difference is that a HRC can have several implementations, i.e. behaviors, which means that an element corresponds to an implementation of a HRC rather than to a HRC itself. An element in the present paper is in that sense more similar to a component as defined in [65], which is inspired by the tagged signal model [124] and interface theory [125].
In accordance with [3][4][5], and also with [14,64], contracts and behaviors of elements are in the present paper both defined by relying on the concept of assertions as sets of runs. The concept of runs is, in turn, largely inspired by the works in [36,126,127] that generalize the concept of traces [61][62][63] to behaviors that are independent of a particular model of computation. Notably, two assertions are equivalent if they have the same runs, i.e. they are trace-equivalent [128], which means that assertions are limited to a weaker form of equivalence than e.g. observation equivalence [129] or equivalence through alternating simulation [130], which can be verified on labeled and alternating transition systems, respectively. However, as shown in [128], for deterministic models trace equivalence implies observation equivalence, and vice versa.

Conclusion
This paper has presented a general compositional contract theory for modeling and specifying heterogeneous systems.As the main contribution, given a contract for an element representing any part of a heterogeneous system, e.g.SW, mechanical, or electrical part, Corollary 1 presented clearly separated conditions (i) and (ii) on the element and its environment where the conditions ensure that the guarantee is non-trivially fulfilled by the composition of the element and the environment.
In contrast to similar conditions of other general assume-guarantee theories [3][4][5], while explicitly considering the set of port variables of an element, conditions (i) and (ii) require neither this set is partitioned into inputs and outputs nor that the assumptions and guarantee must be specified over this set of port variables.The former means that the causality of the port variables can remain unspecified, which is common and recommended practice when modeling physical parts.The latter allows assigning the responsibility of fulfilling a global property to the element; this is needed in order to properly express safety specifications for the element, e.g. in accordance with ISO 26262.
The ability to assign the responsibility of fulfilling a global property to an element, increases the expressiveness with respect to how a contract can be specified.To facilitate the specification of contracts in practice, scoping conditions were introduced that limit the set of port variables over which the assumptions and the guarantee of a contract are specified.These scoping conditions ensure that certain necessary properties of conditions (i) and (ii) are are not violated without limiting expressiveness.Notably, these conditions can be checked, not only for the cases where the assumptions and the guarantee are specified using formal notation, but also when they are specified using semi-formal notation, e.g. as free text with formal references to port variables of elements.Hence, considering a tool where these checks are automatically performed, feedback to a user specifying a contract can be given, both when semi-formal and formal notations are used.
In the context of a scenario where a contract is used to outsource the development of an element, necessary contract properties consistency and compatibility were presented.Complementary necessary and sufficient conditions of these properties were also introduced where these conditions are easier to enforce in practice (e.g. by a tool) than their corresponding definitions.Furthermore, as a basis for structuring contracts in parallel to an hierarchical composition of a set of elements, a graph, called a composition structure, was introduced.Based on a composition structure, sufficient conditions to achieve compositionality was presented.Note that proving that the sufficient conditions hold, requires specifying the assumptions and the guarantees using formal notation.However, regardless if the assumptions and guarantees are specified using formal, semi-formal, or informal notation, e.g. as free text, the conditions for structuring the overall intended relations between the assumptions and guarantees as a composition structure, still apply.This means that, regardless of the level of formalization used in the specifications, support for structuring a contract hierarchy can be given in the form of a tool that enforces these conditions.
The concepts presented above are all general, in the senses both that they are relevant to any developer of heterogeneous system parts and that they rely on a general set-theoretic formalism. Due to the generality of the theory, it is essentially applicable in any context, and it can also be instantiated by more concrete theories whenever needed. Moreover, the theory is tightly coupled with practical application: the introduced definitions have been well motivated by industrial needs and/or scenarios, and complemented with necessary and sufficient conditions that can more easily be enforced in practice, e.g. by tools implementing the theory. As previously mentioned, the concrete support that can be given by such tools is not limited to the cases where formal notations are used, but extends to the cases where semi-formal and informal notations are used. Hence, not only does the presented theory constitute a general compositional contract theory for modeling and specifying heterogeneous systems, but the theory is also accommodated for providing concrete support for developing such systems in practice.
for $\Xi \setminus (X_W \cup X_{W'})$. In accordance with Definition 1, this means that $X_{W \cup W'} \subseteq X_W \cup X_{W'}$.
Proposition 5 Given two assertions $W$ and $W'$ where $W \cap W' \neq \emptyset$, it holds that $X_{W \cap W'} \subseteq X_W \cup X_{W'}$.
Proof Given two assertions $W$ and $W'$ where $W \cap W' \neq \emptyset$, in accordance with relation (1), for each run $\omega \in W \cap W'$, it holds that $\mathrm{proj}_{X_W \cup X_{W'}}(\{\omega\})$ is in both $\mathrm{proj}_{X_W \cup X_{W'}}(W)$ and $\mathrm{proj}_{X_W \cup X_{W'}}(W')$. This, and since $\overline{\mathrm{proj}}_{X_W \cup X_{W'}}(W) = W$ and $\overline{\mathrm{proj}}_{X_W \cup X_{W'}}(W') = W'$ in accordance with Proposition 1 and Sect. 2.1.2, imply that each run in $\overline{\mathrm{proj}}_{X_W \cup X_{W'}}(\{\omega\})$ is in both $W$ and $W'$. Overall, this means that each run $\omega_{X_W \cup X_{W'}, T}$ in $\mathrm{proj}_{X_W \cup X_{W'}}(W \cap W')$ can be extended with any run for $\Xi \setminus (X_W \cup X_{W'})$ over $T$, and the obtained run will also be in $W \cap W'$. In accordance with relation (2), this means that $\overline{\mathrm{proj}}_{X_W \cup X_{W'}}(W \cap W') = W \cap W'$. In accordance with Proposition 1 and Sect. 2.1.2, it follows that $X_{W \cap W'} \subseteq X_W \cup X_{W'}$.
Lemma 2 Given two assertions $W$ and $W'$, and a set of variables $X$, it holds that $\overline{\mathrm{proj}}_X(W) \subseteq \overline{\mathrm{proj}}_X(W')$, if $W \subseteq W'$.
Proof Given two assertions $W$ and $W'$ and a set of variables $X$, consider that $W \subseteq W'$. In accordance with relation (1), the sets of runs $\mathrm{proj}_X(W)$ and $\mathrm{proj}_X(W')$ are obtained by removing each pair $(x \notin X, \xi)$ from each run in $W$ and $W'$, respectively. This, and since $W \subseteq W'$, imply that each run from which these pairs are removed to obtain $\mathrm{proj}_X(W)$ is also a run from which they are removed to obtain $\mathrm{proj}_X(W')$. Hence, it holds that $\mathrm{proj}_X(W) \subseteq \mathrm{proj}_X(W')$. In accordance with relation (2), the assertions $\overline{\mathrm{proj}}_X(W)$ and $\overline{\mathrm{proj}}_X(W')$ are obtained by extending each run $\omega_{X,T}$ in $\mathrm{proj}_X(W)$ and $\mathrm{proj}_X(W')$, respectively, with all possible runs for $\Xi \setminus X$ over $T$. This, and since $\mathrm{proj}_X(W) \subseteq \mathrm{proj}_X(W')$, imply that each run $\omega_{X,T}$ that is extended in $\mathrm{proj}_X(W)$ with all possible runs for $\Xi \setminus X$ over $T$ to obtain $\overline{\mathrm{proj}}_X(W)$ is also extended in $\mathrm{proj}_X(W')$ with all possible runs for $\Xi \setminus X$ over $T$ to obtain $\overline{\mathrm{proj}}_X(W')$. Hence, it holds that $\overline{\mathrm{proj}}_X(W) \subseteq \overline{\mathrm{proj}}_X(W')$.
Theorem 2 Given a contract $(\mathcal{A}, G, X)$ and a set of variables $X_{Env_{\mathcal{E}}(E)}$, there exists a contract $(\mathcal{A}', G', X)$ where: a) $X_{A_{\mathcal{A}'}} \subseteq X_{Env_{\mathcal{E}}(E)}$; and b) $X_{G'} \subseteq X_{Env_{\mathcal{E}}(E)} \cup X$, such that, for each set of elements containing an element $(X, B)$ and where the environment of $(X, B)$ is the pair $(X_{Env_{\mathcal{E}}(E)}, B_{Env_{\mathcal{E}}(E)})$, conditions (i') and (ii') hold if and only if conditions (i) and (ii) hold.

Proof Consider a contract $(\mathcal{A}, G, X)$ and a set of variables $X_{Env_{\mathcal{E}}(E)}$. First, let $(\mathcal{A}', G', X)$ be a contract with a first property that $A_{\mathcal{A}'}$ is the union of the behavior of each element $(X_{Env_{\mathcal{E}}(E)}, B_{Env_{\mathcal{E}}(E)})$ where $B_{Env_{\mathcal{E}}(E)} \subseteq A_{\mathcal{A}}$ and $B_{Env_{\mathcal{E}}(E)} \cap G \neq \emptyset$. This means, in accordance with Lemma 1 and Definition 2, that condition (a) holds, i.e. $X_{A_{\mathcal{A}'}} \subseteq X_{Env_{\mathcal{E}}(E)}$.
Generally, this first property also implies that $\forall (X_{Env_{\mathcal{E}}(E)}, B_{Env_{\mathcal{E}}(E)})$ where $B_{Env_{\mathcal{E}}(E)} \subseteq A_{\mathcal{A}}$ and $B_{Env_{\mathcal{E}}(E)} \cap G \neq \emptyset$:

As a second property, consider that $G'$ is the union of each intersection $A_{\mathcal{A}'} \cap B$ where $(X, B)$ is an element such that $\emptyset \neq A_{\mathcal{A}'} \cap B \subseteq G$ and $A_{\mathcal{A}'} \cap G \subseteq B$. Given the fact that $X_{A_{\mathcal{A}'}} \subseteq X_{Env_{\mathcal{E}}(E)}$, and in accordance with Lemma 1, Proposition 5, and Definition 2, it follows that condition (b) holds, i.e. $X_{G'} \subseteq X_{Env_{\mathcal{E}}(E)} \cup X$. Generally, this also implies that $\forall (X, B)$ where

Now, for the if case, assume that conditions (i) and (ii) hold with respect to $(\mathcal{A}', G', X)$ for an arbitrary set of elements $\mathcal{E}$ containing an element $(X, B)$ and where the pair $(X_{Env_{\mathcal{E}}(E)}, B_{Env_{\mathcal{E}}(E)})$ is the environment of $(X, B)$. Condition (ii) and relation (22) imply that

Condition (i) and relation (23) imply that $A_{\mathcal{A}'} \cap B \subseteq G' \subseteq G$. This and relation (24) imply that

Furthermore, in accordance with Theorem 1, conditions (i) and (ii) imply that $B_{Env_{\mathcal{E}}(E)} \cap B \neq \emptyset$. This and relations (24) and (25) imply that $B_{Env_{\mathcal{E}}(E)} \cap G \neq \emptyset$. Finally, relation $A_{\mathcal{A}'} \cap G' \subseteq B$ of condition (i) and the fact that $A_{\mathcal{A}'} \subseteq A_{\mathcal{A}}$ and $G' \subseteq G$, as expressed in relations (24) and (25), respectively, imply that $A_{\mathcal{A}} \cap G \subseteq B$. Relations (24), (25), $B_{Env_{\mathcal{E}}(E)} \cap G \neq \emptyset$ and $A_{\mathcal{A}} \cap G \subseteq B$ imply that conditions (i') and (ii') hold.
For the only-if case, assume that conditions (i') and (ii') hold for an arbitrary set of elements $\mathcal{E}$ containing an element $(X, B)$ and where the pair $(X_{Env_{\mathcal{E}}(E)}, B_{Env_{\mathcal{E}}(E)})$ is the environment of $(X, B)$. From the first and second property of contract $(\mathcal{A}', G', X)$, it directly follows that $(X, B)$ and $(X_{Env_{\mathcal{E}}(E)}, B_{Env_{\mathcal{E}}(E)})$ are such that conditions (i) and (ii) hold, respectively.
Thus, given contract $(\mathcal{A}, G, X)$ and set of variables $X_{Env_{\mathcal{E}}(E)}$, it can be concluded that there exists a contract $(\mathcal{A}', G', X)$ where conditions (a) and (b) hold such that, for each set of elements containing an element $(X, B)$ and where the pair $(X_{Env_{\mathcal{E}}(E)}, B_{Env_{\mathcal{E}}(E)})$ is the environment of $(X, B)$, conditions (i') and (ii') hold if and only if conditions (i) and (ii) hold.
Theorem 5 Given a contract $C = (\mathcal{A}, G, X)$ and a set of contracts $\{C_i\}_{i=1}^N$ where $C_i = (\mathcal{A}_i, G_i, X_i)$ and $X \subseteq \bigcup_{i=1}^N X_i$, the two-level contract hierarchy $(C, \{C_i\}_{i=1}^N)$ is proper if there exists a proper composition structure of $(C, \{C_i\}_{i=1}^N)$.
Proof Given a contract $C = (\mathcal{A}, G, X)$ and a set of contracts $\{C_i\}_{i=1}^N$ where $C_i = (\mathcal{A}_i, G_i, X_i)$ and $X \subseteq \bigcup_{i=1}^N X_i$, assume that there exists a proper composition structure of the contract hierarchy $(C, \{C_i\}_{i=1}^N)$. In accordance with Definition 8, consider an arbitrary set of elements $\{(X_i, B_i)\}_{i=1}^N$ such that $A_{\mathcal{A}_i} \cap B_i \subseteq G_i$ and $A_{\mathcal{A}_i} \cap G_i \subseteq B_i$ hold for each $i$.
With the intent to first show that the composition $(X, B)$ of $\{(X_i, B_i)\}_{i=1}^N$ onto $X$ is such that $A_{\mathcal{A}} \cap B \subseteq G$ holds, consider the fact that $A_{\mathcal{A}_i} \cap B_i \subseteq G_i$ holds for each $i$. In accordance with Definition 9, this, and since each assertion that is a direct predecessor of an assumption in $\mathcal{A}_i$ is either a guarantee $G_j$ or an assumption in $\mathcal{A}$, imply that $A_{\mathcal{A}} \cap \bigcap_{i=1}^N B_i \subseteq \bigcap_{i=1}^N G_i$ in accordance with condition (ii) of Definition 10. This and condition (i) of Definition 10 imply that $A_{\mathcal{A}} \cap \bigcap_{i=1}^N B_i \subseteq G$. In accordance with Sect. 2.1 and Proposition 1, this, and considering that condition (iii) implies that neither $A_{\mathcal{A}}$ nor $G$ constrains any subset of $\bigcup_{i=1}^N X_i \setminus X$, imply that $A_{\mathcal{A}} \cap \overline{\mathrm{proj}}_X(\bigcap_{i=1}^N B_i) \subseteq G$, due to the fact that $X = \bigcup_{i=1}^N X_i \setminus (\bigcup_{i=1}^N X_i \setminus X)$. In accordance with Definition 3, this means that $A_{\mathcal{A}} \cap B \subseteq G$ holds.
With the intent to now show that the composition $(X, B)$ of $\{(X_i, B_i)\}_{i=1}^N$ onto $X$ is also such that $A_{\mathcal{A}} \cap G \subseteq B$ holds, consider the fact that $A_{\mathcal{A}_i} \cap G_i \subseteq B_i$ holds for each $i$. In accordance with Definition 9, this, and since each assertion that is a direct predecessor of an assumption in $\mathcal{A}_i$ is either a guarantee $G_j$ or an assumption in $\mathcal{A}$, imply that it trivially follows that $A_{\mathcal{A}} \cap \bigcap_{i=1}^N G_i \subseteq \bigcap_{i=1}^N B_i$ in accordance with condition (ii) of Definition 10. This, and given that $\bigcap_{i=1}^N B_i \subseteq \overline{\mathrm{proj}}_X(\bigcap_{i=1}^N B_i)$ holds in accordance with relations (1) and (2), imply that $A_{\mathcal{A}} \cap \bigcap_{i=1}^N G_i \subseteq B$ in accordance with Definition 3. In accordance with Sect. 2.1 and Proposition 1, this, and due to the fact that Definition 3 and condition (iii) of Definition 10 imply that neither $A_{\mathcal{A}}$ nor $B$ can constrain any non-empty subset of $\bigcup_{i=1}^N X_i \setminus X$, imply that it holds that

This and condition (iv) of Definition 10 imply that $A_{\mathcal{A}} \cap G \subseteq B$.
Since the set of elements $\{(X_i, B_i)\}_{i=1}^N$ was chosen arbitrarily, it holds that the composition of each set of elements $\{(X_i, B_i)\}_{i=1}^N$ onto $X$ is such that relations $A_{\mathcal{A}} \cap B \subseteq G$ and $A_{\mathcal{A}} \cap G \subseteq B$ hold, if each element $(X_i, B_i)$ is such that $A_{\mathcal{A}_i} \cap B_i \subseteq G_i$ and $A_{\mathcal{A}_i} \cap G_i \subseteq B_i$. This means that $(C, \{C_i\}_{i=1}^N)$ is proper in accordance with Definition 8, which completes the proof.

Fig. 1 A SW system $SOF$ and its inputs $i$ and outputs $o$; requirements $REQ(m, c)$; assumptions $IN(m, i)$, $OUT(o, c)$, and $NAT(m, c)$; and ports $m$ and $c$ in the environment of $SOF$

Fig. 2 In (a), a trajectory of values of $x_1$ is shown. In (b), a run $\omega_{\{x_1, x_2\}, T}$ is shown, consisting of two pairs containing the trajectory shown in (a) and another trajectory of values of $x_2$. In (c), a subset of the runs that are solutions to the differential equation $\frac{dy}{dt} = x(t)$, where $x(t) = t$, is shown

Fig. 7 In a, a Venn diagram shows a case where $\emptyset \neq B_{Env_{\mathcal{E}}(E)} \cap B \subseteq G$ holds, and b shows a case where this does not hold. In c, a Venn diagram is shown where $\emptyset \neq B_{Env_{\mathcal{E}}(E)} \cap B \subseteq G$ for each set $\mathcal{E}$ where $B_{Env_{\mathcal{E}}(E)} \subseteq A_{\mathcal{A}}$ and $B_{Env_{\mathcal{E}}(E)} \cap G \neq \emptyset$

be true, which means that it must hold that $A_{\mathcal{A}} \cap G \subseteq B$, which concludes the proof.

Given that relation $A_{\mathcal{A}} \cap B \subseteq G$ on the element $E$ holds, Theorem 1 expresses the necessary and sufficient condition $A_{\mathcal{A}} \cap G \subseteq B$ on element $E$ such that, for each set of elements $\mathcal{E} \ni E$ where $B_{Env_{\mathcal{E}}(E)} \subseteq A_{\mathcal{A}}$ and $B_{Env_{\mathcal{E}}(E)} \cap G \neq \emptyset$, the composition of $\mathcal{E}$ non-trivially fulfills $G$.
By applying the operation of intersection, $A_{lMeter} \cap B_{lMeter}$ yields an assertion specified by equations $f = (v_{branch} - v_{gnd})/5\,\mathrm{V}$ and $l = (v_{branch} - v_{gnd})/5\,\mathrm{V}$. Due to the fact that equation $f = l$, which specifies $G_{lMeter}$, can be obtained by combining the equations specifying $A_{lMeter} \cap B_{lMeter}$, relation (11) holds. Furthermore, since $A_{lMeter} \cap G_{lMeter}$ is an assertion specified by equations $l = f$ and $f = (v_{branch} - v_{gnd})/5\,\mathrm{V}$, which can be combined into equation $l = (v_{branch} - v_{gnd})/5\,\mathrm{V}$ that specifies $B_{lMeter}$, relation (12) also holds.

$f = \frac{v_{branch} - v_{gnd}}{5}$ and $l = f$, which obviously have intersecting solutions, relation (15) holds. The extended projection of this assertion onto the set of variables $X_{lMeter} = \{l, v_{branch}, v_{gnd}\}$, i.e. $\overline{\mathrm{proj}}_{X_{lMeter}}(A_{lMeter} \cap G_{lMeter})$, is specified by equation $l = \frac{v_{branch} - v_{gnd}}{5}$. The intersection of $A_{lMeter}$ and assertion $\overline{\mathrm{proj}}_{X_{lMeter}}(A_{lMeter} \cap G_{lMeter})$ yields an assertion specified by equations $f = \frac{v_{branch} - v_{gnd}}{5}$ and $l = \frac{v_{branch} - v_{gnd}}{5}$

Fig. 9 A composition structure of the two-level contract hierarchy $(C_{Esys}, \{C_{pot}, C_{bat}, C_{lMeter}\})$

of condition (i) of Corollary 1 does not hold, i.e. that $A_{Esys} \cap B_{Esys} \not\subseteq G_{Esys}$.

Example 2c Consider that a composition structure $D_b$ of a two-level contract hierarchy $(C_{Esys}, \{C_{pot}, C_{bat}, C_{lMeter}\})$ is the composition structure resulting from making the following modification to the composition structure and two-level contract hierarchy shown in Fig. 9: the guarantee $G_{lMeter}$ in the contract $C_{lMeter} = (\{A_{lMeter}\}, G_{lMeter}, X_{lMeter})$ is specified by relation $l - 0.1 \le f \le l + 0.1$, instead of equation $f = l$. Considering element $E_{Esys}$, since $B_{Esys}$ is specified by equation $l = f$ and $A_{Esys} \cap G_{Esys}$ by relation $l - 0.1 \le f \le l + 0.1$ and equation $h = f$, relation (8) of condition (i) of Corollary 1 does not hold. That is, it does not hold that $A_{Esys} \cap G_{Esys} \subseteq B_{Esys}$.
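To make the set-theoretic conditions concrete, the following is an added Python model of the $l$-Meter example above and of the relaxed guarantee of Example 2c. It is not code from the paper or from any tool the paper describes: runs are collapsed to a single instant, the value grids for $v_{branch}$, $v_{gnd}$, $f$ and $l$, and the environment behaviour `B_ENV` are constructed, and the definition of $X_W$ used in `constrained_vars` (a variable is constrained by $W$ exactly when $W$ is not closed under re-valuing it) is an assumption chosen to match Proposition 1, not the paper's Definition 1. The block builds $A_{lMeter}$, $B_{lMeter}$ and $G_{lMeter}$ as finite sets of runs, implements projection (relation (1)) and extended projection (relation (2)), and checks conditions (i) and (ii) once with the guarantee $f = l$ and once with $l - 0.1 \le f \le l + 0.1$, where the first half of condition (i) survives but $A \cap G \subseteq B$ fails, as in Example 2c.

```python
from fractions import Fraction
from itertools import product

# Constructed finite model (added example, not the paper's tooling): time is
# collapsed to a single instant, so a run is a frozenset of (variable, value)
# pairs and an assertion is a set of such runs over the variables in DOMAINS.
VOLTS = [0, 5, 10]                                   # constructed grid for v_branch, v_gnd (V)
TENTHS = [Fraction(k, 10) for k in range(-20, 21)]   # constructed grid for f, l (step 0.1)
DOMAINS = {"v_branch": VOLTS, "v_gnd": VOLTS, "f": TENTHS, "l": TENTHS}
X_LMETER = {"l", "v_branch", "v_gnd"}                # port variables of the l-Meter element


def runs_where(pred, domains):
    """All runs over `domains` whose valuation satisfies `pred` (constructed universe)."""
    names = list(domains)
    return {frozenset(zip(names, vals))
            for vals in product(*domains.values())
            if pred(dict(zip(names, vals)))}


def proj(W, X):
    """Projection onto X, relation (1): drop every pair (x, value) with x not in X."""
    return {frozenset((x, v) for x, v in run if x in X) for run in W}


def ext_proj(W, X, domains):
    """Extended projection onto X, relation (2): project, then extend each projected
    run with every possible valuation of the variables outside X."""
    rest = [x for x in domains if x not in X]
    return {run | frozenset(zip(rest, vals))
            for run in proj(W, X)
            for vals in product(*(domains[x] for x in rest))}


def constrained_vars(W, domains):
    """X_W under the assumption used here: x is constrained by W exactly when W is
    not closed under re-valuing x (extended projection onto the other variables changes W)."""
    return {x for x in domains if ext_proj(W, set(domains) - {x}, domains) != W}


def holds_i(A, B, G):
    """Condition (i): A ∩ B ⊆ G and A ∩ G ⊆ B."""
    return (A & B) <= G and (A & G) <= B


def holds_ii(A, B_env, G):
    """Condition (ii): B_env ⊆ A and B_env ∩ G ≠ ∅ (non-trivial fulfilment)."""
    return B_env <= A and bool(B_env & G)


# The l-Meter assertions of the paper's example, as finite sets of runs.
A_LMETER = runs_where(lambda r: r["f"] == Fraction(r["v_branch"] - r["v_gnd"], 5), DOMAINS)
B_LMETER = runs_where(lambda r: r["l"] == Fraction(r["v_branch"] - r["v_gnd"], 5), DOMAINS)
G_LMETER = runs_where(lambda r: r["l"] == r["f"], DOMAINS)
# Relaxed guarantee of Example 2c: l - 0.1 <= f <= l + 0.1.
G_RELAXED = runs_where(
    lambda r: r["l"] - Fraction(1, 10) <= r["f"] <= r["l"] + Fraction(1, 10), DOMAINS)
# Constructed environment behaviour over ports {v_branch, v_gnd, f}: a 5 V branch
# voltage, a 0 V ground and f = 1, which is consistent with A_LMETER; l is left free.
B_ENV = runs_where(
    lambda r: r["v_branch"] == 5 and r["v_gnd"] == 0 and r["f"] == 1, DOMAINS)


def check_contract(A, B, G, B_env):
    """Report both halves of condition (i), condition (i) itself and condition (ii)."""
    return {
        "A∩B⊆G": (A & B) <= G,
        "A∩G⊆B": (A & G) <= B,
        "(i)": holds_i(A, B, G),
        "(ii)": holds_ii(A, B_env, G),
    }


if __name__ == "__main__":
    print("guarantee f = l:   ", check_contract(A_LMETER, B_LMETER, G_LMETER, B_ENV))
    print("relaxed guarantee: ", check_contract(A_LMETER, B_LMETER, G_RELAXED, B_ENV))
    print("ext_proj(A∩G) onto X_lMeter equals B:",
          ext_proj(A_LMETER & G_LMETER, X_LMETER, DOMAINS) == B_LMETER)
```

Because the grids are finite, every check is an exact set comparison rather than an argument about equations; the same helpers also let one confirm Lemma 2 (projection is monotone) and Proposition 5 ($X_{A \cap B} \subseteq X_A \cup X_B$) on these assertions.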
(i') $A_{\mathcal{A}} \cap B \subseteq G$ and $A_{\mathcal{A}} \cap G \subseteq B$, and (ii') $B_{Env_{\mathcal{E}}(E)} \subseteq A_{\mathcal{A}}$ and $B_{Env_{\mathcal{E}}(E)} \cap G \neq \emptyset$, if and only if (i) $A_{\mathcal{A}'} \cap B \subseteq G'$ and $A_{\mathcal{A}'} \cap G' \subseteq B$, and (ii) $B_{Env_{\mathcal{E}}(E)} \subseteq A_{\mathcal{A}'}$ and $B_{Env_{\mathcal{E}}(E)} \cap G' \neq \emptyset$.
Consider a contract $C_{Esys} = (\{A_{Esys}\}, G_{Esys}, X_{Esys})$ as shown in Fig. 8a. Assume that conditions (i) and (ii) of Corollary 1 hold respectively for $E_{Esys}$ and $E_{tank}$ with respect to $C_{Esys}$. From condition (ii), it follows that $\emptyset \neq B_{tank} \subseteq A_{Esys}$. As shown in Fig. 8a, port variable $v_{gnd}$ is constrained by $A_{Esys}$, but $v_{gnd}$ is not a port variable of $E_{tank}$, i.e. the environment of $E_{Esys}$. In accordance with Definition 2, this means that $v_{gnd}$ is not constrained by $B_{tank}$. This means, in accordance with Definition 5 and considering that $\emptyset \neq B_{tank} \subseteq A_{Esys}$, that $A_{Esys}$ does not restrict $v_{gnd}$. That is, the fact that condition (ii) holds implies that $A_{Esys}$ does not restrict $v_{gnd}$. Furthermore, considering $X_{tank}$ as given, in accordance with Proposition 4, there exists an assertion $A^{new}_{Esys}$ that constrains a subset of $X_{tank}$ and where, for each element $(X_{tank}, B_{tank})$, it holds that $\emptyset \neq B_{tank} \subseteq A_{Esys}$ if and only if $\emptyset \neq B_{tank} \subseteq A^{new}_{Esys}$.

Fig. 8 In a and b, two contracts $(\{A_{Esys}\}, G_{Esys}, X_{Esys})$ and $(\{A'_{Esys}\}, G'_{Esys}, X_{Esys})$ are shown where none of them is scope-compliant with respect to $X_{tank}$

contract $C'_{Esys} = (\{A'_{Esys}\}, G'_{Esys}, X_{Esys})$ is shown. Similar to Example 1a, assume that conditions (i) and (ii) of Corollary 1 hold respectively for $E_{Esys}$ and $E_{tank}$ with respect to $C'_{Esys}$. Conditions (i) and (ii) imply that $\emptyset \neq A'_{Esys} \cap B_{Esys} \subseteq G'_{Esys}$. As shown in Fig. 8b, the port variable $v_{gnd}$ is constrained by $G'_{Esys}$, but $v_{gnd}$ is not a port variable of $E_{Esys}$. This, and considering that $v_{gnd} \notin X_{A'_{Esys}}$, imply, in accordance with Definition 2 and Proposition 5, that $v_{gnd}$ is not constrained by $A'_{Esys} \cap B_{Esys}$. It follows, in accordance with Definition 5 and considering that $\emptyset \neq A'_{Esys} \cap B_{Esys} \subseteq G'_{Esys}$, that $G'_{Esys}$ does not restrict $v_{gnd}$. That is, the fact that conditions (i) and (ii) hold implies that $G'_{Esys}$ does not restrict $v_{gnd}$. In addition, considering the set $X_{A'_{Esys}} \cup X_{Esys}$ as given, in accordance with Propositions 4 and 5, there exists an assertion $G^{new}_{Esys}$ that constrains a subset of $X_{A'_{Esys}} \cup X_{Esys}$ and where, for each element $(X_{Esys}, B_{Esys})$, it holds that $\emptyset \neq A'_{Esys} \cap B_{Esys} \subseteq G'_{Esys}$ if and only if $\emptyset \neq A'_{Esys} \cap B_{Esys} \subseteq G^{new}_{Esys}$. That is, similar to Example 1a, it is possible to replace $G'_{Esys}$ with an assertion $G^{new}_{Esys}$ that does not constrain $v_{gnd}$, but that still specifies the exact same behaviors constraining a subset of $X_{A'_{Esys}} \cup X_{Esys}$.
and (18) hold for both $D_b$ and $D_c$. However, since neither one of relations $A_{Esys} \cap B_{Esys} \subseteq G_{Esys}$ and $A_{Esys} \cap G_{Esys} \subseteq B_{Esys}$ holds, it does not follow that the composition $E_{Esys}$ of $\{E_{bat}, E_{pot}, E_{lMeter}\}$ onto $X_{Esys}$ is such that condition (i) of Corollary 1 holds with respect to either $C_{Esys}$ or $C'_{Esys}$. Hence, despite the fact that relations (17) and (18) hold for $D_b$ and $D_c$, neither $(C_{Esys}, \{C_{pot}, C_{bat}, C_{lMeter}\})$ nor $(C'_{Esys}, \{C_{pot}, C_{bat}, C_{lMeter}\})$ is proper.