Verifying the Smart Contracts of the Port Supply Chain System Based on Probabilistic Model Checking

: Port supply chains play a very important role in the process of economic globalization. Lack of trust of the mechanism is the main factor in restricting the development of port supply chains. Blockchains have great potential to solve the trust problem among all participants using port supply chains, which can reduce costs and improve efﬁciency. As the bridge between blockchains and port supply chains, smart contracts reconstruct the business process of blockchain-empowered port supply chains. In this article, we present an architecture of a consortium blockchain-empowered port supply chain system, and propose a system veriﬁcation framework for the smart contracts of port supply chains with probabilistic behaviors. The smart contracts are modeled as DTMCs (Discrete-Time Markov Chains), which are automatically transformed through the BPMN (Business Process Model and Notation) description of the smart contracts. The requirements are speciﬁed by PCTL (Probabilistic Computation Tree Logic). Moreover, we implement the customs clearance process of the Shanghai Yangshan Port based on blockchain Hyperledger Fabric, and reconstruct the clearance process with smart contracts. We use it to demonstrate the effectiveness of this framework, and identify the smart contracts that do not meet the expected needs of users.


Introduction
With the development of economic globalization, the world economy has increasingly become a closely integrated whole system. Port supply chains play a very important role in this process, as they undertake about 80% of the total international trade [1]. A port supply chain refers to when a city center uses its own port to develop the comprehensive service systems that cover all of the of functions of supply chains, which exploit advanced ICT (Information and Communication Technologies) to optimize the port's resources and strengthen its radiation ability [2,3]. It takes a port as the nexus that supports interaction between global supply chains and regional production and consumption markets. Port supply chains have become a new engine of national economic development, an important part of national economy, and one of the important symbols to measure the level of modernization and comprehensive national strength of a country [2]. At present, emerging technologies such as the Internet of Things, Cloud Computing and Big Data are promoting the continuous expansion of port supply chains, and are driving a new round of port supply chain industry innovation [3]. However, the participants in port supply chains do not cooperate efficiently and effectively, which is the key to reducing costs and improving efficiency. The direct cause of this situation is a failure to share data and other resources effectively among all participants, and the root cause is the lack of trust of the mechanism among all participants in port supply chains. Various parties in port supply chains cannot achieve trust consistency, and some core suppliers or distributors cannot provide reliable trust endorsements for upstream and downstream.
Blockchain is a peer-to-peer, distributed ledger that is cryptographically-secure, appendonly, immutable (extremely hard to change), and updateable only via consensus or agreement among peers [4]. As it is decentralized, tamper-proof, auditable (provenance), transparent and so on, blockchain has great potential to solve the problem of trust among all participants in port supply chains. In practice, blockchain has just begun to be used in the port supply chain, thus, it is still in the internal experimental stage. The customs of Mexico, Peru, and Costa Rica, with the support of the Inter-American Development Bank, initiated the construction of an operator sharing platform based on blockchain technology in March 2018. Therefore, the Tianjin Port blockchain verification pilot project was launched with the aim of protecting data privacy and maximizing the operation efficiency of the port supply chain. The U.S. Congressional Research Institute discussed the application of blockchain technology in the field of customs supervision in June 2019.
We argue that smart contracts are the bridge for application of blockchain technology to port supply chains. A smart contract is a coded contract written by computer language and automatically verified and executed by a computer. It is a digital form of a paper contract. With the help of smart contracts, any party in the entire transaction process can access the exact same data, which is essential to improve process efficiency. Smart contracts can automatically trigger and ensure the smooth flow of files among participants, so specific access rules can be effectively implemented, and new information can be instantly and securely shared with all related parties. Leena and Sultan [5] summarized the latest research and showed how smart contracts can change the method of fund flow tracking, improve liquidity in the real estate field, reduce risks, and have a positive impact on the safe operation of the national economy. Stefania [6] closely follows the current hot sharing economy, integrates smart contracts to systematically improve smart cities and public sectors, manages services such as house leasing, greatly reduces third-party commissions, reduces the risk of fraud, and prevents potential high-end processes. This has a very similar application in the order process of the port supply chain. Whether the smart contracts are correct determines the success of blockchain empowered port supply chains. The current research on the smart contracts of port supply chains has hardly taken into account the probabilistic aspects of port supply chains. The probabilistic aspects are essential for, among others: (1) port supply chains themselves contain the randomized behaviors, e.g., nondeterminism, consensus mechanism; (2) unreliable and unpredictable behaviors incurred by execution environment, e.g., message loss, processor failure; (3) performance evaluation by random variables assigned artificially, e.g., reliability, availability [3].
In this article, we propose a verification framework for the smart contracts of port supply chains with probabilistic behaviors. The smart contracts are modeled as DTMCs (Discrete-Time Markov Chains), which are automatically transformed through the BPMN (Business Process Model and Notation) description of smart contracts. The BPMN is the most widely used and simplest tool to describe the business process of port supply chains. It can clearly display the business relationship between each link and department, and visualize the information flow. It can serve as a communication medium between users of port supply chains and developers of smart contracts. DTMC is the formal model for analyzing the user requirement properties that the smart contracts should satisfy; it can be automatically generated from the BPMN. The requirements, such as safety, reliability and reachability, are specified by PCTL (Probabilistic Computation Tree Logic). We use this framework to model the smart contract for the cargo clearance process of the Shanghai Yangshan Port, to abstract the probabilities involved in each contract during the process based on questionnaires from port practitioners, and we use PCTL to specify user requirement properties.
The remainder of this article is structured as follows. Section 2 describes related works about blockchain-powered port supply chain optimization and smart contract verification, and points out their weaknesses. Section 3 presents the scenario of blockchain smart contract reconstructing of the port supply chain, and proposes the verification framework for the probabilistic model checking of smart contracts for port supply chains. Section 4 Systems 2022, 10, 19 3 of 20 takes the port customs clearance process as a case study to demonstrate the effectiveness of this framework. Section 5 provides a conclusion.

Related Works
Smart contracts using blockchain technology have been mentioned by a large number of risk analysis agencies in the field of port supply chains. The credit rating agency MOODY'S summarized the three major steps to automate the international trade process using smart contracts: Firstly, design smart contracts based on paper letters of credit; Secondly, store the form; Finally, use the blockchain to record the ownership of each link [4]. In order to overcome difficulties such as overcapacity, increasingly strict environmental regulations, and security threats faced by the shipping industry, the Danish block shipping company is committed to building a global shared container platform (GSCP) based on blockchain technology to improve shipping efficiency and business. The digital transformation of processes and infrastructure ensures the long-term profitability of the industry. The project's white paper stated that the platform will save the shipping industry at least 5.7 billion USD in the future and will reduce carbon dioxide emissions by 4.6 million tons per year [7]. In the current supply chain mechanism, people use the traction system to track data, however, this method cannot avoid business friction, let alone update data in real time without manual query. Shuchih Ernest Chang et al. [8] proposed a blockchain-based BPR (Business Process Re-engineering) framework, which can help companies re-engineer crossborder business processes and track some key links in the supply chain process. Blockchain smart contract technology has been proven to have a very positive effect on supplier inventory management, the dynamic realization of the digital supply chain, and efficient transportation [9][10][11][12]. With the continuous and widespread application of blockchain smart contracts, coupled with the immutability of blockchain technologies, stability and security have increasingly become the focus of attention among researchers. Antonio proposed ESAF (Ethereum Security Analysis Framework), which can be used as a security monitoring tool for the persistence of a set of target contracts [13]. Haya Hasan et al. [12] used IoT-SC to jointly collect data on the chain, taking the vaccine supply chain as an example to test the relationship between smart contracts and entities, interactions between participants, information flow and so on. They proved that this technology can ensure real-time freight tracking performance which can be applied to multi-level and multi-party settings. It has practical applications in the transportation and information traceability of pharmaceutical products and agricultural products [14][15][16][17][18][19][20]. Pietro De Giovanni et al. [21] proved through a game theory model that blockchain technology can reduce business risks and transaction costs, which is more suitable for transactions with large-scale fund transfers such as crossborder bulk trade. Arnab Banerjee et al. [22] comprehensively analyzed the advantages of a blockchain-driven supply chain from the perspectives of ERP (Enterprise Resource Planning) transactions, master data management, order-purchasing, demand and supply management, manufacturing, and logistics management. The traditional concept suggests that smart contracts are designed to achieve traceable and irreversible transactions through the use of distributed databases. However, Gunnar Prause and his team [23] believed that their greater potential is reflected in the promotion of entrepreneurial collaborations across organizational business processes held up by smart supply chains.
Due to the immutability of the blockchain, the smart contract must be strictly verified before being put on the chain. Li et al. [24] proposed a formal method of BPMN (Business Process Modeling Notation) based on the extended Petri net model. They used modeldriven development technology to design BPMN model elements to the extended Petri net model elements. Transformation rules and performing the mapping through the ATL model transformation language achieves formalized automatic execution. Tala Najam and Alexander Perucci [25] converted the BPMN2 choreography diagram into a color choreography network mapping for the lack of formal semantics of the BPMN2 specification, but they did not solve the problem that the Petri net model cannot reflect the content of time and does not support the construction of large-scale models. Due to the immutability Systems 2022, 10, 19 4 of 20 of the blockchain, any error will become a permanent error once it occurs. In this regard, researchers have designed a large number of methods and tools to verify the correctness of smart contracts, the most representative of which is formal verification. Researchers have designed many formal verification frameworks and analyzed mainstream platforms [26][27][28][29][30]. Mouhamad Almakhour and his team [31] classified the existing smart contract verification tools and introduced a series of analysis tools such as Oyente and MAIAN, and deeply analyzed the cutting-edge technology of smart contract verification from the perspectives of static verification and runtime verification. Devrim Unal et al. [32] put forward the FPM-RBAC model from the perspective of policy regulation. He analyzed smart contracts from the three perspectives of identity management, access control, and compliance checking, and fully considered transaction risks and security requirements in 5G networks. Zhang and Mackey [33,34] proposed several methods for the verification of smart contracts for the online social network and antifraud framework. Nguyen and Li [35,36] used a certificate authentication system and puncturable signatures to detected smart contracts and improve overall fault tolerance. Lennart Ante [37] proposed six mainstream smart contract analysis streams, including smart contract standardization, verification and security, and blockchain and smart contracts for the disruption of existing processes and industries. Prashar et al. [38] used OMNeT++ to verify contract stability. Amritraj Singh et al. [28] proposed DSL (Domain specific languages) to formalize smart contracts on the basis of formal testing and automated verification. Flora has done significant research in the field of BPMN modeling smart contracts. Flora Amato et al. [39] believe that smart contracts must be based on laws to restrict the behavior of participants, thus, they proposed a formal model for verifying the compliance of smart contracts in the IoT environment. Compared with the BPMN, this model pays more attention to the interaction between participants. At the same time, they use the TCTL (timed computational tree logics) formula to describe the attributes. At the same time, Wei Wan [40] considered the relationship between PCTL and DTMC and made a relatively complete theoretical summary and expansion. Flavio Corradini [41] introduced the relationship between the blockchain and the BPMN and designed a simple model-driven automatic blockchain code generator.
In short, there have been attempts to apply smart contracts to the port supply chain. Their successful application will achieve a decentralized, traceable, efficient, and trusted global supply chain system. However, correctness research on the smart contracts of port supply chains has not been involved. Some work has been accumulated on the verification of smart contracts themselves, but this has not considered the random factor in the business process execution of smart contracts. Based on this, we propose a verification framework for the smart contracts of port supply chains with probabilistic behaviors.

Blockchain Enpowered Port Supply Chain
The emergence of blockchain technology has brought new possibilities for solving the complicated trust problems of the port supply chain. As shown in Table 1, there are three types of blockchains: public blockchains, private blockchains and consortium blockchains [42]. The public blockchain is completely decentralized and suitable for multiuser scenarios, the private blockchain is completely centralized and suitable for independent organizations, and the consortium blockchain is partially decentralized and suitable for the common scenarios of multiple organizations. The three types of blockchain have different features in supply chain management. The public blockchain mainly reflects network security, while the private blockchain and the consortium blockchain have the advantage of real-time information transmission. The existing port supply chain involves a large number of departments. There is no unified information verification standard throughout the entire process, and a large number of manual audits are required, while the blockchain smart contract technology has an independent and general consensus mechanism. Users who agree to a certain encryption algorithm will use the smart contract by default. At the same Systems 2022, 10, 19 5 of 20 time, the encrypted information verification is extremely fast, which can save a lot of time in the intermediate process. The port supply chain has the following three main characteristics and requirements: (1) medium transaction speed and medium number of transactions, (2) multiple participants, and (3) high transaction information privacy and time-sensitiveness of transportation information. The public chain cannot solve the problem of transaction speed and cannot guarantee the confidentiality of transaction information, while the strong centralization mechanism of the private chain makes it impossible to have multiple participants, which is contrary to the demands of port supply chains. At present, almost all supply chain blockchain platforms use private chains to ensure that information is not leaked; these are currently in the internal test stage. In this article, we chose the consortium blockchain Hyperledger Fabric to recontruct the port supply chain, as shown in Figure 1. This will be beneficial for large-scale port supply chains. The participants of the port supply chains are authorized to join and participate in data maintenance together. At the same time, the processing speed of 10,000 transactions per second is sufficient to meet the transaction volume requirements of port supply chains.
It can be seen intuitively, from the above figure, that smart contracts are used to implement the business process of port supply chains. Based on the consensus mechanism, once the supply chain information is uploaded to the blockchain, it cannot be changed. Any authorized user can check the chain information at any time. Port administrators can easily check the authenticity of the information by hash verification. We designed the on-chain and off-chain information transfer process of port supply chains as showin in Figure 2. The supplier uploads the purchasing information and transportation information to the supplier chain (SC), and the Hyperledger Fabric automatically integrates it with the port chain (PC) and manufacturer chain (MC), which can also automatically generate a distributor chain (DC) at any time for purchasers to track the progress of the transportation. Due to the characteristics of the Hyperledger Fabric, all authorized participants can read and upload the information on the chain, so multiple sub-chains can be deployed at the same time.

Verification Framework for the Smart Contracts of Port Supply Chains
The overall verification framework of this paper is shown in Figure 3. In the formalizing branch, the requirements of PSC (port supply chain) smart contracts are specified by the PCTL (Probabilistic Computation Tree Logic) formula. In the modeling branch, the PSC smart contracts described in BPMN (Business Process Model and Notation) are modeled as DTMC (Discrete-Time Markov Chains) through a conversion algorithm. The verification process is implemented by the probabilistic model checker PRISM. It can be seen intuitively, from the above figure, that smart contracts are used to implement the business process of port supply chains. Based on the consensus mechanism, once the supply chain information is uploaded to the blockchain, it cannot be changed. Any authorized user can check the chain information at any time. Port administrators can easily check the authenticity of the information by hash verification. We designed the on-chain and off-chain information transfer process of port supply chains as showin in Figure 2. The supplier uploads the purchasing information and transportation information to the supplier chain (SC), and the Hyperledger Fabric automatically integrates it with the port chain (PC) and manufacturer chain (MC), which can also automatically generate a distributor chain (DC) at any time for purchasers to track the progress of the transportation. Due to the characteristics of the Hyperledger Fabric, all authorized participants can read and upload the information on the chain, so multiple sub-chains can be deployed at the same time.   It can be seen intuitively, from the above figure, that smart contracts are used to implement the business process of port supply chains. Based on the consensus mechanism, once the supply chain information is uploaded to the blockchain, it cannot be changed. Any authorized user can check the chain information at any time. Port administrators can easily check the authenticity of the information by hash verification. We designed the on-chain and off-chain information transfer process of port supply chains as showin in Figure 2. The supplier uploads the purchasing information and transportation information to the supplier chain (SC), and the Hyperledger Fabric automatically integrates it with the port chain (PC) and manufacturer chain (MC), which can also automatically generate a distributor chain (DC) at any time for purchasers to track the progress of the transportation. Due to the characteristics of the Hyperledger Fabric, all authorized participants can read and upload the information on the chain, so multiple sub-chains can be deployed at the same time.

Modeling PSC Smart Contracts
Smart contracts are the programming codes run on blockchain platforms, which are very difficult to understand for the non-professional participants of port supply chains. As a quasi-natural language, BPMN can act as the intermediate language for all users in port supply chains, including business analysts, software developers, and business managers and supervisors. It provides a graphical model for creating a business process that can be used to construct a visual business process diagram of the port supply chain. There are dedicated tools for translating the BPMN into smart contract programming code, such as Caterpillar [44]. We model PSC smart contracts from the BPMN description of smart contracts. Moreover, we model the probabilistic aspects of smart contracts, which are an inherent characteristic of port supply chains. The reasons for this are as follows: (1) port supply chains themselves demonstrate randomized behaviors, e.g., non-determinism, consensus mechanism, (2) unreliable and unpredictable behaviors incurred by execution environment, e.g., message loss, processor failure, and (3) performance evaluation by random variables assigned artificially, e.g., reliability, availability [3]. We use the DMTC modes to model PSC smart contracts.
Systems 2022, 10, x FOR PEER REVIEW 7 of 21

Verification Framework for the Smart Contracts of Port Supply Chains
The overall verification framework of this paper is shown in Figure 3. In the formalizing branch, the requirements of PSC (port supply chain) smart contracts are specified by the PCTL (Probabilistic Computation Tree Logic) formula. In the modeling branch, the PSC smart contracts described in BPMN (Business Process Model and Notation) are modeled as DTMC (Discrete-Time Markov Chains) through a conversion algorithm. The verification process is implemented by the probabilistic model checker PRISM.

Modeling PSC Smart Contracts
Smart contracts are the programming codes run on blockchain platforms, which are very difficult to understand for the non-professional participants of port supply chains. As a quasi-natural language, BPMN can act as the intermediate language for all users in port supply chains, including business analysts, software developers, and business managers and supervisors. It provides a graphical model for creating a business process that can be used to construct a visual business process diagram of the port supply chain. There are dedicated tools for translating the BPMN into smart contract programming code, such as Caterpillar [44]. We model PSC smart contracts from the BPMN description of smart contracts. Moreover, we model the probabilistic aspects of smart contracts, which are an inherent characteristic of port supply chains. The reasons for this are as follows: (1) port supply chains themselves demonstrate randomized behaviors, e.g., nondeterminism, consensus mechanism, (2) unreliable and unpredictable behaviors incurred by execution environment, e.g., message loss, processor failure, and (3) performance evaluation by random variables assigned artificially, e.g., reliability, availability [3]. We use the DMTC modes to model PSC smart contracts.
The DTMC model of a PSC smart contract is defined as a six-tuple, SC = ( , , , , , ). : A set of limited non-empty states, which means that the PSC smart contract is in a normal state space. This set contains the normal status, for example, the supplier sub-contract is normal or the transfer sub-contract is normal. In addition, it includes the initial status and the end status of the port supply chain; : A set of limited non-empty states, which indicates that the PSC smart contract is in an abnormal state space. This set contains all abnormal states, such as the quality The DTMC model of a PSC smart contract is defined as a six-tuple, SC = (S normal , S abnormal , s init , P, AP, L). S normal : A set of limited non-empty states, which means that the PSC smart contract is in a normal state space. This set contains the normal status, for example, the supplier sub-contract is normal or the transfer sub-contract is normal. In addition, it includes the initial status and the end status of the port supply chain; S abnormal : A set of limited non-empty states, which indicates that the PSC smart contract is in an abnormal state space. This set contains all abnormal states, such as the quality inspection contract failed or the goods were lost; s init ∈ S normal represents the initial state; L:S→2 AP is a label function used to describe the set of propositions on the state, and identify the sub-smart contracts being executed or abnormal situations corresponding to each state. AP is the set of atomic propositions. S = S normal ∨ S abnormal is a collection of all state spaces; P: S × S → [0,1] is the state transition matrix, indicating whether it will transition from one state to another and the probability of transition.
Each state of the DTMC model corresponds to an event in the BPMN diagram. The transitions between states correspond to the migration of events. The sequence flows and message flows in the BPMN description represent the completion of the port supply chain sub-process of the previous department and the procedures of the next department. The corresponding mapping rules are shown in Table 2. The left side of the table is the sub-process of the BPMN components, and the right side is the corresponding sub-process of the DTMC model. We automate this process by Algorithm 1.

Sequential event conversion
transitions between states correspond to the migration of events. The sequence flows and message flows in the BPMN description represent the completion of the port supply chain sub-process of the previous department and the procedures of the next department. The corresponding mapping rules are shown in Table 2. The left side of the table is the sub-process of the BPMN components, and the right side is the corresponding subprocess of the DTMC model. We automate this process by Algorithm 1.

Sequential event conversion
Conditional branch event conversion

Cyclic event conversion
Algorithm 1 presents a conversion algorithm which can convert the PSC smart contracts in BPMN description into a DTMC model. The premise of the conversion algorithm is to accurately divide the complete BPMN description into sub-models and then map them. It is more of a flowchart level mapping than a semantic mapping.
transitions between states correspond to the migration of events. The sequence flows and message flows in the BPMN description represent the completion of the port supply chain sub-process of the previous department and the procedures of the next department. The corresponding mapping rules are shown in Table 2. The left side of the table is the sub-process of the BPMN components, and the right side is the corresponding subprocess of the DTMC model. We automate this process by Algorithm 1.

Cyclic event conversion
Algorithm 1 presents a conversion algorithm which can convert the PSC smart contracts in BPMN description into a DTMC model. The premise of the conversion algorithm is to accurately divide the complete BPMN description into sub-models and then map them. It is more of a flowchart level mapping than a semantic mapping.

Conditional branch event conversion
transitions between states correspond to the migration of events. The sequence flows and message flows in the BPMN description represent the completion of the port supply chain sub-process of the previous department and the procedures of the next department. The corresponding mapping rules are shown in Table 2. The left side of the table is the sub-process of the BPMN components, and the right side is the corresponding subprocess of the DTMC model. We automate this process by Algorithm 1.

Cyclic event conversion
Algorithm 1 presents a conversion algorithm which can convert the PSC smart contracts in BPMN description into a DTMC model. The premise of the conversion algorithm is to accurately divide the complete BPMN description into sub-models and then map them. It is more of a flowchart level mapping than a semantic mapping.
transitions between states correspond to the migration of events. The sequence flows and message flows in the BPMN description represent the completion of the port supply chain sub-process of the previous department and the procedures of the next department. The corresponding mapping rules are shown in Table 2. The left side of the table is the sub-process of the BPMN components, and the right side is the corresponding subprocess of the DTMC model. We automate this process by Algorithm 1.

Cyclic event conversion
Algorithm 1 presents a conversion algorithm which can convert the PSC smart contracts in BPMN description into a DTMC model. The premise of the conversion algorithm is to accurately divide the complete BPMN description into sub-models and then map them. It is more of a flowchart level mapping than a semantic mapping.

Cyclic event conversion
and message flows in the BPMN description represent the completion of the port supply chain sub-process of the previous department and the procedures of the next department. The corresponding mapping rules are shown in Table 2. The left side of the table is the sub-process of the BPMN components, and the right side is the corresponding subprocess of the DTMC model. We automate this process by Algorithm 1.

Cyclic event conversion
Algorithm 1 presents a conversion algorithm which can convert the PSC smart contracts in BPMN description into a DTMC model. The premise of the conversion algorithm is to accurately divide the complete BPMN description into sub-models and then map them. It is more of a flowchart level mapping than a semantic mapping. chain sub-process of the previous department and the procedures of the next department. The corresponding mapping rules are shown in Table 2. The left side of the table is the sub-process of the BPMN components, and the right side is the corresponding subprocess of the DTMC model. We automate this process by Algorithm 1.

Cyclic event conversion
Algorithm 1 presents a conversion algorithm which can convert the PSC smart contracts in BPMN description into a DTMC model. The premise of the conversion algorithm is to accurately divide the complete BPMN description into sub-models and then map them. It is more of a flowchart level mapping than a semantic mapping.
Algorithm 1 presents a conversion algorithm which can convert the PSC smart contracts in BPMN description into a DTMC model. The premise of the conversion algorithm is to accurately divide the complete BPMN description into sub-models and then map them. It is more of a flowchart level mapping than a semantic mapping.
The algorithm takes the events, activities and gateways of the BPMN as an input, and performs the following operations: first, the counter s that records the number of nesting times is set to zero, the initial event E 0 is pushed into the stack STATES, and then the following loop is started. The purpose is to add each node of the BPMN to Array[]. Pop the event m from the stack to Array, and make the following judgment: if m belongs to {S (Original Event), A M (Manual Activity), A S (Script Activity), A B (Business Activity)}, push all the subsequent nodes n ∈ LATER(m) that meet the conditions into Array[], and emit them into the DTMC state variable. If the node n does not belong to events, activities, and two restricted gateways (decision gateway and Parallel gateway), the node will pop out. However, for Decision Gateway G D and Parallel Gateway G P , it needs to be converted in the order of G P first and G D later, which is placed in SUBPROCESS here.

Algorithm 1: DTMC Model Mapping
for all the n ∈ LATER(m) do 8 Array Proof. Let the highest layer of the DTMC be k, the next higher layers are k − 1, k − 2, . . . , and the lowest layer is 0. There is only a sequential structure at the k layer. For a BPMN with only a sequential structure, all states are physically reachable, so the subnet is physically reachable. At the k − 1 layer, all k layer subnets are represented by nodes such as events and gateways, and the k − 1 layer has only a sequential structure. Therefore, the k − 1 layer including the k layer is also physically reachable. By analogy, all states of layer 0 are physically reachable, so that the DTMC model is physically reachable. Algorithm 1 has an upper complexity bound of O n 2 , where n is the number of nodes in the BPMN process. The upper limit corresponds to the cumbersome degree of the supply chain process. In the most common case, only the decision gateway appears in the BPMN process, and there are no different types of gateway nesting.

Properties Specification
We use PCTL to specify a set of user requirements. PCTL is defined by the following syntax: Φ ::= true|a|Φ ∧ Φ|¬Φ|P p (Ψ) where p ∈ [0, 1], ∈ [< , ≤, >, ≥], t ∈ R ≥0 , a is the atomic proposition. The tense operators X and U are called Next and Until, which is the same as the temporal logic. The formulas produced by Φ are called state formulas, and their true value can be judged by the true value of each state included. The formulas generated by Ψ are called path formulas, and their true value needs to be evaluated by calculating each execution path. In most cases, Φ only describes the atomic proposition corresponding to the absorption state. When it describes the failure state, the probability constraint is expressed as ≤x, where x is the upper bound of the failure probability; when it describes the success state, the probability constraint is expressed as ≥ x, where x is the lower bound of the probability of success.
As shown in Table 3, we set up the following DTMC states to model the status of PSC smart contracts, respectively, to make the property specification more universal. Current Sup represents the extent of the supplier link among them. Since there is more than one supplier, goods circulation and fund exchange are between suppliers, and they also bring out the document information, thus, it is necessary to split this link in order to present the smart contract of each exchange process. There is a multimodal transportation situation in the transportation part. Current Trans is used to present the sub-contracts generated by different transportation means or different transportation stages of the same transportation means, and it is used to track the steps of the transportation link. There will be multiple buyers or distributors in the procurement process, and Current Pur is used to track the progress of the goods flowing among the buyers. End Sup , End Trans , End Pur are Boolean variables used to monitor whether the supplier link, transportation link, and purchase link are actually completed or not. The completion is 1, and the error is 0. Finally, we use Current PSC and End PSC to monitor the progress of the entire port supply chain (m, n, u ≤ v). On the basis of the above states' definition, we specify requirement and regulation properties for the PSC smart contracts.
Property 1: What is the probability that a certain batch of goods will complete the entire port supply chain smart contract?
Since it is impossible to guarantee the smooth completion of each branch chain in the actual process, the probability is usually less than 1. Under the premise that all links are not required to be perfectly realized, we can make the probability interval in [0.95,1] fuzzy to 1, so that people can compare the actual value with the expected value.
For the three links, there can be more detailed specifications as follows: Property 2: What is the probability that the supplier link smart contracts are completed but the entire process of the port supply chain is not completed?
Property 3: What is the probability that the transportation link smart contracts are completed but the entire process is not completed?
Property 4: What is the probability that the procurement process of the smart contracts are completed but the entire process is not completed?
The above three properties allow the port supply chain supervision agency to track the completion of a certain batch of goods in a timely manner, but it is impossible to know where the problem lies when the probability drops. Therefore, we propose the following three more detailed specifications: Property 5: What is the probability that the supplier link progresses to the step x(x < m) but the total status of the supplier link smart contracts are completed and the whole process status is also completed?
Property 6: What is the probability that the transportation link progresses to the step y(y < n) but the total status of the transportation link smart contracts are completed and the whole process status is also completed?
Property 7: What is the probability that the procurement process progresses to the step z(z < u) but the overall status of the procurement process smart contracts are completed and the whole process status is also completed?

Accuracy
The accuracy of the migration rate must be ensured before model checking. Due to the different levels of manual participation in each link of the port supply chain, we define the manual participation time between all levels of the suppliers as λ 1~λM , and the manual participation time between all levels of the purchasers as µ 1~µN , where necessary participation time is defined as λ m and µ n , respectively, and the accuracy is analyzed through the rewards structure in PRISM.
Randomly generate 1 λ and 1 µ under different node numbers, and the accuracy of the entire model is shown in Table 4. Obviously, when the number of sub-contracts is too large, it will greatly affect the completion of the entire process and reduce the operating efficiency of the main contract.

Reachability
The essence of reachability analysis is to check whether each smart contract is effectively invoked. Each sub-contract of the port supply chain running on the blockchain platform must be accurately invoked and effectively executed to ensure the smooth progress of the entire process. However, in reality, it is difficult to ensure that the hash values of each sub-contract are consistent. We created a module for each contract model. If the contract verification fails, it will be marked as affected, otherwise it will be marked as correct. We designed an algorithm to verify reachability which is shown in Algorithm 2. We can initially obtain whether the status of each sub-process is reachable and whether the status result is true. If the total process is true, then further calculations can be made. Taking three supply terminal processes as an example, the PRISM module code is as follows in Algorithm 3:

Case Study
We have selected the port customs clearance process of port supply chains as a case study. Import and export customs procedures refer to the activities of going through customs procedures for inbound and outbound goods that are subject to different customs systems in accordance with the law.
The way that customs clearance has changed from the traditional 'territorial declarationport inspection and release' to the current 'integrated customs clearance' is that various obstacles between departments and regions have basically been cleared. However, there are still many cumbersome processes that have not been eliminated. Figure 4a shows that according to the 2020 Shanghai Water Transport Port Container Freight Cross-border Trade Expenses and Compliance Cost Assessment Report, the shipping company's document fee reached JPY 1071, which is an amazing proportion. Figure 4b shows that in the questionnaires for import and export companies (55 import responses and 52 export responses), the replies with subjective experience higher than the average mainly focused on customs declaration fees, order replacement fees, and terminal THC (Terminal Handling Charge) fees. It can be seen that there is still a lot of room for optimization in the port supply chain customs clearance process. For the convenience of research, we model the macroscopic customs clearance process smart contracts. The macro-level customs clearance process includes multiple suppliers, purchasers and transportation links. In order to promote the linkage between ports and shipping enterprises, speed up the application and information sharing of digital platforms, and promote the electronic release of imported containers based on blockchain, we have tentatively conducted pilot projects in the Shanghai Yangshan port of China. We cooperated with the Shanghai Yangshan Port to upload and model its customs clearance process, reducing the average processing time of major imported e-commerce cargo documents from 2 days to less than 4 h. mization in the port supply chain customs clearance process. For the convenience of research, we model the macroscopic customs clearance process smart contracts. The macro-level customs clearance process includes multiple suppliers, purchasers and transportation links. In order to promote the linkage between ports and shipping enterprises, speed up the application and information sharing of digital platforms, and promote the electronic release of imported containers based on blockchain, we have tentatively conducted pilot projects in the Shanghai Yangshan port of China. We cooperated with the Shanghai Yangshan Port to upload and model its customs clearance process, reducing the average processing time of major imported e-commerce cargo documents from 2 days to less than 4 h.  Appendix A is a simplified version of the on-site customs declaration manual for a certain customs' rapid customs clearance. We can see that for import and export companies, they have to fill in a large number of forms and provide a large number of letters each time they import customs clearance and export customs clearance, which is the root cause affecting the efficiency of customs clearance.

Modeling Smart Contracts of the Port Customs Clearance Process
Suppliers need to fill in a large amount of contract information during the export stage of goods, such as manifest contracts, inspection and quarantine contracts, and tax payment contracts mentioned in Appendix A. The customs clearance process is an im-  Appendix A is a simplified version of the on-site customs declaration manual for a certain customs' rapid customs clearance. We can see that for import and export companies, they have to fill in a large number of forms and provide a large number of letters each time they import customs clearance and export customs clearance, which is the root cause affecting the efficiency of customs clearance.

Modeling Smart Contracts of the Port Customs Clearance Process
Suppliers need to fill in a large amount of contract information during the export stage of goods, such as manifest contracts, inspection and quarantine contracts, and tax payment contracts mentioned in Appendix A. The customs clearance process is an important section of the port supply chain, in which all the import and export goods must go through various procedures of entry inspection when they arrive in another country. It plays a critical role in order to ensure the safety of the goods and enable the owner to pick them up smoothly. However, each port department has different requirements for verification of contract internal information. For example, the customs department needs to check the goods required to pay customs duties and tax deductions according to law, while reviewing the value and exchange rate of the goods, the customs declaration department needs to proofread the delivery, loading and transportation information in the manifest, and the quarantine department needs to check whether the quarantine information of the cargo is effective. All departments must upload the results to the smart contract after completing the information verification. The validation of each document is time-consuming. The whole process takes 2-3 days, however, it only takes a few hours to validate with a smart contract, instead of manual validation.
There are many reasons for difficulties and these can be divided into two categories: external and internal. External reasons may include delays caused by weather conditions, lower-than-expected quality of raw materials, delays caused by the dispatch of containers in and out of the port, and supplier or purchaser's breach of contract. Internal reasons may be caused by improper filling of contract information. In the smart contracts of various links in the port supply chain, there is information, such as Port Loading, Port Discharging, Cargo Description, Consignee's name and address, which is greatly affected by the filling specifications, and there is a considerable probability that the hash verification will not pass. This article only discusses external reasons.
Since a certain container or a certain ship of goods corresponds to a large number of suppliers, the failure of any supplier's sub-contract will have an impact on the entire supplier contract, so the relationship between each supplier's sub-contract is 'And'. There is a calling relationship between contracts. When different types of suppliers upload information and call contracts, there is a certain probability that they will default. For each supplier, when completing the various processes in Appendix A, such as filling in the manifest smart contract, completing the export customs declaration smart contract, or applying for the customs clearance inspection and quarantine smart contract, there will be a certain probability that they will not pass. At the same time, purchasers also face the same problems when applying for an import customs clearance smart contract and completing tariff contracts. In this article, we consider such a situation: for a supplier's cross-border transportation smart contract, three different departments are required to review at the export terminal which are independent of each other. During the cargo transportation stage, only the mode of transportation within the port is considered. When goods arrive at the port for the import process, three different departments are also required. Every department needs an auditor to proofread the information. The BPMN description of smart contracts from the customs clearance process is shown in Figure 5. Smart contracts in BPMN description can be converted into a DTMC model through Algorithm 1 and shown in Figure 6. Three auditors correspond to the customs declaration department, the taxation department, and the inspection and quarantine department, respectively. Some goods, such as bulk goods, do not need to be inspected by the quarantine department, while duty-free goods do not need to be reviewed by the tax department. The symbol represents the transition probability between two departments.  Smart contracts in BPMN description can be converted into a DTMC model through Algorithm 1 and shown in Figure 6. Three auditors correspond to the customs declaration department, the taxation department, and the inspection and quarantine department, respectively. Some goods, such as bulk goods, do not need to be inspected by the quarantine department, while duty-free goods do not need to be reviewed by the tax department. The symbol p represents the transition probability between two departments. Smart contracts in BPMN description can be converted into a DTMC model through Algorithm 1 and shown in Figure 6. Three auditors correspond to the customs declaration department, the taxation department, and the inspection and quarantine department, respectively. Some goods, such as bulk goods, do not need to be inspected by the quarantine department, while duty-free goods do not need to be reviewed by the tax department. The symbol represents the transition probability between two departments.

Verification Results and Analysis
Let m = n = u = 3, v = 8, we can redefine the property specification in Section 3.4 as

Verification Results and Analysis
Let m = n = u = 3, v = 8, we can redefine the property specification in Section 3.4 as follows: Property 1: What is the probability that all contracts are failed?
Property 2-Property 4: use a similar description. Property 5: What is the probability that the export contract 2 is successfully passed and the entire customs clearance process contract is failed?
Property 6: What is the probability that the transition contract 2 is successfully passed and the entire customs clearance process contract is failed?
Property 7: What is the probability that the import contract 2 is successfully passed and the entire customs clearance process contract is failed?
In order to make the code more universal, we present part of the PRISM code in a modularized style in Figure 7. The user can freely define the number of states and the probability of state transitions according to the actual situation. We count them by N and Max. The characteristic x12 represents the migration from state one to state two, p1 represents the migration probability, and meanwhile the success or failure is represented by a Boolean variable. : What is the probability that the transition contract 2 is successfully passed and the entire customs clearance process contract is failed?
: What is the probability that the import contract 2 is successfully passed and the entire customs clearance process contract is failed?
In order to make the code more universal, we present part of the PRISM code in a modularized style in Figure 7. The user can freely define the number of states and the probability of state transitions according to the actual situation. We count them by N and Max. The characteristic x12 represents the migration from state one to state two, p1 represents the migration probability, and meanwhile the success or failure is represented by a Boolean variable. According to the questionnaire survey of port practitioners in the Shanghai Yangshan Port, we selected the actual passing probability of three main links and preset the success probability of the smart contract for the export part and the import part as 80%, 90% and 95%. By default, there are no accidents in the smart contract for internal port transportation. We took property one in the first set of preset values as an example for verification, and set the probability index in reverse to get the calculation result shown in Figure 8. The rest of the verification results of the three sets of preset values are shown in Table 5. According to the questionnaire survey of port practitioners in the Shanghai Yangshan Port, we selected the actual passing probability of three main links and preset the success probability of the smart contract for the export part and the import part as 80%, 90% and 95%. By default, there are no accidents in the smart contract for internal port transportation. We took property one in the first set of preset values as an example for verification, and set the probability index in reverse to get the calculation result shown in Figure 8. The rest of the verification results of the three sets of preset values are shown in Table 5.  The status of smart contracts in the entire port supply chain can be analyzed with different probabilities, and fault contracts can be located under different preset values to achieve the purpose of supervision. Through the longitudinal analysis of different preset value groups, the influence of different parts in the port supply chain on the success rate can be judged separately in Figure 9. International logistics and port practitioners informed that the pass rate of each link must reach 90-95% to ensure the continuous and efficient operation of the entire port customs clearance business. Thus, we set the expected probability to 90%.  The status of smart contracts in the entire port supply chain can be analyzed with different probabilities, and fault contracts can be located under different preset values to achieve the purpose of supervision. Through the longitudinal analysis of different preset value groups, the influence of different parts in the port supply chain on the success rate can be judged separately in Figure 9. International logistics and port practitioners informed that the pass rate of each link must reach 90-95% to ensure the continuous and efficient operation of the entire port customs clearance business. Thus, we set the expected probability to 90%.
Since we assume that the transportation contract is not damaged, the results of Property 2 and Property 3 are the same. There is no obvious difference between the impact of export contracts and import contracts on the overall success rate, which shows that what really affects the port supply chain smart contract is the failure probability of the local contract. If the value of Property 5~7 is greater than the complement set of Property 2~4, the damage contract can be located as export-department contract 3 and import-department contract 3. If the probability of damage to the internal transport contract is considered, we can use the same method to compare Property 3 and Property 6. In this case, for the export section, only the probability of the third set of preset values is higher than the expected probability. At the import section, the pass rate of contract 5 in the three sets of preset values is lower than 90%, and only contracts 6 and 7 in the second and third set of preset values are higher than expectated. Therefore, this method can quickly locate unqualified smart contracts. Systems 2022, 10, x FOR PEER REVIEW 18 of 21 Since we assume that the transportation contract is not damaged, the results of and are the same. There is no obvious difference between the impact of export contracts and import contracts on the overall success rate, which shows that what really affects the port supply chain smart contract is the failure probability of the local contract. If the value of ~ is greater than the complement set of ~, the damage contract can be located as export-department contract 3 and import-department contract 3. If the probability of damage to the internal transport contract is considered, we can use the same method to compare and . In this case, for the export section, only the probability of the third set of preset values is higher than the expected probability. At the import section, the pass rate of contract 5 in the three sets of preset values is lower than 90%, and only contracts 6 and 7 in the second and third set of preset values are higher than expectated. Therefore, this method can quickly locate unqualified smart contracts.
Through comparing the values of the same property under different preset probabilities horizontally, it can be seen that the smaller the number of state transitions, which means the smaller the number of sub-contracts, the higher the success rate of the entire port supply chain contract. At the same time, the export contracts have a more important impact on the overall success rate than the import contracts, which requires contract programmers and suppliers to pay more attention to accuracy in the process of information uploading and contract construction.

Conclusions
In this article, we present an architecture of consortium blockchain empowered port supply chains, and propose a framework for the smart contracts of port supply chains with probabilistic behaviors. The consortium blockchain is a compromise between decentralization and efficiency. The public blockchain takes too long time to validate transactions, while the private blockchain has a high degree of centralization which is contrary to the original intention of a blockchain. The consortium blockchain combines the advantages of both. The smart contracts are modeled as DTMCs, which are automatically transformed through the BPMN description of smart contracts. The requirements, are specified by PCTL. A casestudy of the port customs clearance process of port supply chains is used to demonstrate the effectiveness of this framework. The limitation of this work is that this framework only considers the probability aspect of the port supply chain, and the time variable, reward mechanism, etc.,s are not included, which also affects the integrity of the smart contract for port supply chains. In the future, we will exploit MDP (Markov decision process) to the model smart contracts of port supply chains, which can include non-deterministic and probabilistic behaviors simultaneously. Alter- Through comparing the values of the same property under different preset probabilities horizontally, it can be seen that the smaller the number of state transitions, which means the smaller the number of sub-contracts, the higher the success rate of the entire port supply chain contract. At the same time, the export contracts have a more important impact on the overall success rate than the import contracts, which requires contract programmers and suppliers to pay more attention to accuracy in the process of information uploading and contract construction.

Conclusions
In this article, we present an architecture of consortium blockchain empowered port supply chains, and propose a framework for the smart contracts of port supply chains with probabilistic behaviors. The consortium blockchain is a compromise between decentralization and efficiency. The public blockchain takes too long time to validate transactions, while the private blockchain has a high degree of centralization which is contrary to the original intention of a blockchain. The consortium blockchain combines the advantages of both. The smart contracts are modeled as DTMCs, which are automatically transformed through the BPMN description of smart contracts. The requirements, are specified by PCTL. A casestudy of the port customs clearance process of port supply chains is used to demonstrate the effectiveness of this framework. The limitation of this work is that this framework only considers the probability aspect of the port supply chain, and the time variable, reward mechanism, etc.,s are not included, which also affects the integrity of the smart contract for port supply chains. In the future, we will exploit MDP (Markov decision process) to the model smart contracts of port supply chains, which can include non-deterministic and probabilistic behaviors simultaneously. Alternatively, we will use CTMDP(continuous-time Markov decision process) to model smart contracts which involve continuous-time behaviors, and we will consider the more complex user requirement properties, such as security, privacy and liveness, which can be specified by PCTL* (super set of PCTL).  Acknowledgments: Thanks to Marta Kwiatkowska at The University of Oxford, UK, she has inspired us through her books and papers, and particularly through having a direct discussion with her. On-site delivery, release delivery, post-delivery (paperless customs clearance)

Inspection and release
The logistics monitoring department handles the second confirmation of the manifest

Inspection and release
The terminal supervision department handles inspection and release procedures Application for clearance procedures at the clearance post of the Customs Clearance Section The enterprise ships the ship with the "Export Goods Shipment List" The terminal supervision department handles inspection and release procedures Logistics Monitoring Section handles ship export customs clearance procedures Customs clearance and issuance certificate Customs clearance and issuance certificate