This chapter introduced parameterised interpreted systems and parameterised interleaved interpreted systems.
A parameterised interpreted system $PIS$ of $k$ roles gives a concise description of an unbounded collection $\{PIS(n) : n \in \mathbb{N}^k\}$ of concrete interpreted systems. Each system is built from $n.i$ identical agents, for each role $i$, and from the concrete environment corresponding to the $n$'th instantiation of the environment template. Unlike in the standard treatment of interpreted systems, the evolution function of a concrete agent does not depend on which agent performed which action (i.e., the joint action); it depends only on the set of actions performed by all the agents.
Similarly, a parameterised interleaved interpreted system $PIIS$ of $k$ roles gives a concise description of an unbounded collection $\{PIIS(n) : n \in \mathbb{N}^k\}$ of concrete interleaved interpreted systems. Each system is built from $n.i$ identical agents, for each role $i$, and from the concrete environment corresponding to the $n$'th instantiation of the environment template. The concrete agents may evolve asynchronously, communicate with the environment via agent-environment actions, synchronise with the agents of the same role via role-synchronous actions, synchronise with all the agents in the system via global-synchronous actions, and communicate with an agent performing another role via multi-role actions.
Further, this chapter introduced the specification language indexed CTL$^*$K. The logic extends CTL$^*$K by introducing indexed atomic propositions and indexed epistemic modalities. This allows for properties to be expressed independently of the number of agents in a UMAS. Finally, the notions of $m$-stuttering simulation and cycle-stuttering simulation were defined on PIIS and PIS, respectively. The former simulation was shown to preserve indexed ACTL$^*$K$\setminus$X formulae. The latter simulation was shown to preserve indexed ACTLK formulae up to a level of temporal depth.
Verifying parameterised interpreted systems
This chapter develops a parameterised model checking procedure for the verification of unbounded multiagent systems represented in the formalism of parameterised interpreted systems. Section 4.1 gives a formal definition of the parameterised model checking problem and of the notion of cutoffs for parameterised interpreted systems. Section 4.2 introduces the PIS procedure. The procedure identifies a cutoff for a given system and a given specification. A cutoff expresses the number of agents that is sufficient to consider when evaluating a given specification. Following the cutoff identification, the procedure solves the parameterised model checking problem by checking all concrete systems up to the cutoff. Finally, Section 4.3 applies the procedure to the autonomous robot example and the Beta swarm aggregation algorithm.
4.1 Parameterised model checking problem
We outline parameterised interpreted systems as presented in Section 3.1. We then define the parameterised model checking problem for PIS. Finally, we define the notion of cutoffs in the context of PIS.
A PIS is a tuple

$$PIS = (\mathcal{T}, \mathcal{E}, I, \mathcal{V})$$

where $\mathcal{T} = \{T_1, \ldots, T_k\} = \{(L_1, Act_1, P_1, t_1), \ldots, (L_k, Act_k, P_k, t_k)\}$ is a set of $k \geq 1$ agent templates and $\mathcal{E} = (L_E, Act_E, P_E, t_E)$ is an environment template. An agent template is associated with a set $L_i$ of template states, a set $Act_i$ of template actions, a template protocol $P_i : L_i \to \mathcal{P}(Act_i)$, and a template transition function $t_i : L_i \times Act_i \times \mathcal{P}(\bigcup_{T_i} Act_i) \times Act_E \to L_i$. The environment template is similarly associated with a set $L_E$ of template states, a set $Act_E$ of template actions, a template protocol $P_E : L_E \to \mathcal{P}(Act_E)$, and a template transition function $t_E : L_E \times Act_E \times \mathcal{P}(\bigcup_{T_i} Act_i) \to L_E$. The definition of a PIS concludes with the description of a set $I = I_1 \times \ldots \times I_k \times I_E$ of initial states for the templates, and a set of valuation functions on the template states $\mathcal{V} = \{V_i : L_i \to \mathcal{P}(AP_i) : 1 \leq i \leq k\}$.
Given a value $n = (n_1, \ldots, n_k)$ of the system's parameter, the concrete system $PIS(n)$ is the interpreted system

$$PIS(n) = \left( (L_i^j, Act_i^j, P_i^j, t_i^j)_{(i,j) \in A(n)},\ (L_E, Act_E, P_E, t_E),\ I,\ \mathcal{V} \right).$$
$PIS(n)$ results from the composition of $n.i$ instantiations $\{(i, 1), \ldots, (i, n.i)\}$ of each agent template $T_i$ and an instantiation of the environment template. Given $x \leq n$, we write $A(x)$ for the set $A(x) = \{(i, j) : 1 \leq i \leq k,\ 1 \leq j \leq x.i\}$ of concrete agents. With each concrete system $PIS(n)$ we can associate a temporal-epistemic model

$$S_{PIS(n)} = \left( G(n), I(n), R(n), (K_i^j)_{(i,j) \in A(n)}, V(n) \right)$$

as standard (see Section 2.1.1). When $PIS(n)$ is clear from the context we simply write $S(n)$ for $S_{PIS(n)}$. We assume that the transition relation for each concrete system is serial¹.
We now proceed to state the parameterised model checking problem for PIS.
Definition 4.1 (Parameterised model checking problem for PIS). Given a PIS $S$ and an $m$-indexed ACTLK formula $\forall v \phi(v)$, the parameterised model checking problem concerns establishing whether or not the following holds:

$$\forall n \geq m.\ S(n) \models \forall v \phi(v)$$

If the above holds, then $\forall v \phi(v)$ is said to be satisfied by $S$. This is denoted by $S \models \forall v \phi(v)$.

¹ A serial transition relation can be enforced by the templates' descriptions by assuming a null action that is enabled at each local state for each of the templates. Upon performing the null action, an agent remains in its current state irrespective of the other agents' actions.
In other words, unlike the standard model checking problem, the parameterised model checking problem involves establishing whether a specification is satisfied on an unbounded number of systems resulting from the instantiations of the agent templates. This is a task that in principle involves an unbounded state space, which is intractable for traditional model checking techniques. Cutoffs have been studied in the context of reactive systems to circumvent this difficulty by reducing the number of systems to consider [EK00, EN95, HBR09, KKW10]. A cutoff for a system is the number of components that is sufficient to consider when evaluating a given specification.
Definition 4.2 (MAS cutoff). Given a PIS $S$ composed of $k$ roles and an $m$-indexed ACTLK formula $\forall v \phi(v)$, a $k$-tuple $c \in \mathbb{N}^k$ is said to be a MAS cutoff if the following holds:

$$\forall m \leq x \leq c.\ S(x) \models \forall v \phi(v) \quad \text{if and only if} \quad \forall n \geq m.\ S(n) \models \forall v \phi(v)$$

We say that $S$ admits a cutoff for $\forall v \phi(v)$ and we call $S(c)$ the cutoff system.
By definition, given a cutoff for a system, the parameterised model checking problem can be reduced to model checking all concrete systems up to the cutoff system. The aim of this chapter is to develop a sound and complete procedure that takes as input a PIS $S$ and an $m$-indexed formula $\forall v \phi(v)$, and returns a cutoff for $S$ and $\forall v \phi(v)$.
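The composition of $PIS(n)$ from templates and the reduction to checking every $m \leq x \leq c$ can be made concrete with a small sketch. This is an added example, not code from the thesis: the one-role toy templates `AGENT` and `ENV`, the helper names, and the restriction to an invariant of the shape "for all $v$, AG ok($v$)" checked by plain reachability are all assumptions, and the bound `c` is supplied by the caller rather than computed.

```python
from itertools import product

# Constructed toy PIS with k = 1 role; templates and names are assumptions, not the thesis's.
# Agent template: t_i(local, own action, SET of all agents' actions, env action) -> local
AGENT = {
    "init": "idle",
    "P": {"idle": {"a", "b"}, "bad": {"null"}},
    "t": lambda l, act, acts, a_env: "bad" if {"a", "b"} <= acts else l,
}
# Environment template: t_E(local, own action, SET of all agents' actions) -> local
ENV = {"init": "e", "P": {"e": {"null"}}, "t": lambda l, act, acts: l}

def successors(templates, env, state):
    """One synchronous step of PIS(n): all agents and the environment move together."""
    locs, l_env = state  # locs holds one (role, local state) pair per concrete agent
    choices = [sorted(templates[i]["P"][l]) for i, l in locs]
    for joint in product(*choices):
        acts = frozenset(joint)  # who performed which action is deliberately forgotten
        for a_env in sorted(env["P"][l_env]):
            nxt = tuple((i, templates[i]["t"](l, a, acts, a_env))
                        for (i, l), a in zip(locs, joint))
            yield nxt, env["t"](l_env, a_env, acts)

def reachable(templates, env, n):
    """Reachable global states of PIS(n) for n = (n.1, ..., n.k)."""
    locs = tuple((i, templates[i]["init"]) for i, n_i in enumerate(n) for _ in range(n_i))
    init = (locs, env["init"])
    seen, todo = {init}, [init]
    while todo:
        for s in successors(templates, env, todo.pop()):
            if s not in seen:
                seen.add(s)
                todo.append(s)
    return seen

def holds_up_to(templates, env, m, c, local_ok):
    """Check 'for all v, AG local_ok(v)' on every PIS(x) with m <= x <= c (component-wise)."""
    ranges = [range(lo, hi + 1) for lo, hi in zip(m, c)]
    return all(local_ok(l) for x in product(*ranges)
               for locs, _ in reachable(templates, env, x) for _, l in locs)

def never_bad(local):
    return local != "bad"
```

In this toy the invariant holds on $PIS((1))$ but fails on $PIS((2))$, because two agents are needed to put both `a` and `b` into the action set; by Definition 4.2, $(1)$ is therefore not a cutoff for it.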