he Executable choreography framework needs to address the following requirements. First, the control and data flow has to remain under control of the initiator of the service collaboration activity. Domain controllers have to allow the execution of composition logic on their domain that they do not control completely. Second, safety should not be compromised. Domain controllers should be able to verify the foreign logic does not violate essential properties of the system they control. Third, the entity that controls the collaboration can only affect the control and data flow of a collaboration it initiated itself. The collaboration controller can kill itself, but cannot affect other activities. Fourth, the correctness of the global composition should be verifiable; composition components scattered over several domains should be traceable back to a global composition model. Finally, non-functional concerns and context-sensitive behaviors need to be factored out of the core logic of collaborations. Separation of concerns facilitates the runtime evolution and refinement of collaboration activities.

Fig. 1. Executable choreography framework stack

Fig. 1 shows the different ECF modeling and implementation layers. The lower layer represents composite services that are composed using centralized workflow mechanisms, such as BPEL engines. Executable choreographies are realized by deploying composition and transformation units across different domains of control. ECF uses an Aspect-Oriented Programming (AOP) [1,2] language to weave composition logic at the level of the message processing engine. These units work together to carry out the global model of the choreography process. These composition elements should be traceable back to a global business process definition, which can be formally checked for correctness. A formal relationship between the global model and the executable composition elements needs therefore to be defined. Tough, formal treatment of the model is out of the scope of this paper. The upper layer represents the global contracts and business rules across and within domains of control. These contracts establish constraints on the choreography model and implementation. When deploying or refining a choreography, new relationships between control domains can be created. Administrative domains should be able to enforce constraints on those relationships, so that the choreography does not violate the mutual business rules of participants. Contracts between controllers take the form of a set of reactive rules. The contracts do not specify the specific ordering of messages; they are application independent. Those business rules imperatively need to be enforced at the level of the executable choreography process, to ensure safety of the participants. The treatment of inter-domain and cross-domain business rules is out of the scope of this paper. Tough, the paper discusses platform support for the enforcement of constraints on the composition. Next sections establish the relationship process analysis models, executable choreography elements and a choreography process meta-model.