First of all, we need to declare the service channels to be used in the choreography or orchestration. If a service channel is used without declaration, it will fail the parser.

• channel B2S ; //The pre-established channel between the buyer and the seller
• channel S2H ; //The pre-established channel between the seller and the shipper

The following is the specification of choreography.

Chor cBuySell {

1.    Main() =  B2S(Buyer, Seller, {Bch})  -> Bch(Seller, Buyer, Ack) -> Session();
2.    Session() = Bch(Buyer, Seller, QuoteRequest) ->
3.                      Bch(Seller, Buyer, QuoteResponse.x) ->
4.                      if (x <= 1000) {
5.                              Bch(Buyer, Seller, QuoteAccept) ->
6.                              Bch(Seller, Buyer, OrderConfirmation) ->
7.                              S2H(Seller, Shipper, {Bch, Sch}) ->
8.                              (Sch(Shipper, Buyer, DeliveryDetails.y) -> Stop ||| Bch(Shipper, Seller, DeliveryDetails.z) -> Stop)
9.                      } else {
10.                             Bch(Buyer, Seller, QuoteReject) -> Session() [] Bch(Buyer, Seller, Terminate) -> Stop
11.                    };

}

The choreography coordinates three roles (i.e.,Buyer, Seller and Shipper) to complete a business transaction. At line 1, the Buyer communicates with the Seller through service channel B2S to invoke its service. Channel Bch which is sent along the service invocation is to be used as a session channel for this session only. In the Session, the Buyer firstly sends a message QuoteRequest to the Seller through channel Bch. At line 3, the Seller responds with some quotation value x, which is a variable. Notice that in choreography, the value of x may be left unspecified at this point. At line 7, the Seller sends a message through the service channel S2H to invoke a shipping service. Notice that the channel Bch is passed onto the Shipper so that the shipper may contact the Buyer directly. At line 8, the Shipper sends delivery details to the Buyer and Seller through the respective channels. The rest is self-explanatory.

The following is the implementation of the orchstration. Each role is implemented as a separate component. Each component contains variable declarations (optional) and process definitions. We assume that the process Main defines the computational logic of the role after initialization. We remark that the orchestration generally contains more details than the choreography, e.g., the variable counter in Buyer constraints the number of attempts the buyer would try before giving up.

• Role Seller[1] { // the size of the role gives the number of threads that can be forked for the service invocations. If this number is bigger, the more number of service can be invoked concurrently.
•     var x = 1200; //the quotation
•     Main =  B2S?{ch} -> ch!Ack -> Session();
•    
•     Session() = ch?QuoteRequest ->
•                       ch!QuoteResponse.x ->
•                       (
•                              ch?QuoteAccept ->
•                              ch!OrderConfirmation ->
•                              S2H!{ch,Sch} ->
•                              Sch?DeliveryDetails.y -> Stop
•                       []
•                              (ch?QuoteReject -> Session() [] ch?Terminate -> Stop)
•                       );
• }

• Role Shipper[1] {
•     var detail = 2010; //the delivery detail
•     Main() = S2H?{ch1,ch2} ->
•                  (ch1!DelieryDetails.detail -> Stop ||| ch2!DelieryDetails.detail -> Stop);
•     }
• }

Some properties that can be checked are the following:

• #assert oBuySell deadlockfree;
• #assert oBuySell refines cBuySell;
• #define inv Buyer1.counter <= 4;
• #assert oBuySell |= []inv;
• #assert oBuySell |= []<> inv;
• #assert oBuySell reaches inv;