Parameterised verification for multi-agent systems

(1)

Contents lists available atScienceDirect

Artiﬁcial

Intelligence

www.elsevier.com/locate/artint

Parameterised

veriﬁcation

for

multi-agent

systems

Panagiotis Kouvaros

∗

,

Alessio Lomuscio

∗

DepartmentofComputing,ImperialCollegeLondon,UK

a

r

t

i

c

l

e

i

n

f

o

a

b

s

t

r

a

c

t

Articlehistory:

Received28October2014

Receivedinrevisedform5January2016 Accepted13January2016

Availableonline18January2016 Keywords:

Multi-agentsystems Validation

Parameterisedveriﬁcation Cutoffs

We studythe problemof verifying role-based multi-agent systems, where the number ofcomponentscannotbedeterminedatdesigntime. Wegiveasemanticsthatcaptures parameterised, generic multi-agent systems and identify three notable classes that representdifferent waysin whichthe agentsmay interact among themselvesand with theenvironment.Whiletheverificationproblemisundecidableingeneralweputforward cutoffprocedures forthe classes identified.The methodologyisbased onthe existence of anotion of simulation between the templates for the agents and the template for the environment in the system. We show that the cutoff identification procedures as wellas the generalalgorithms that wepropose are sound; for one classwe show the decidability of the verification problem and present a complete cutoff procedure. We reportexperimental resultsobtainedon MCMAS-P,anovelmodel checkerimplementing theparameterisedmodelcheckingmethodologiesheredevised.

1. Introduction

With thedevelopment anddeployment ofautonomous agentsandmulti-agent systems (MAS) indiverse applications suchasrobot-basedsearch-and-rescue[1],web-services[2],personalnegotiationassistants[3],agrowingneedhasemerged todeveloppowerfulandversatilemethodologiesforthevalidationandveriﬁcationofMAS.Modelchecking[4]isaleading logic-basedtechniquefortheveriﬁcationofsystemsthathasemergedinthepasttwentyyears.Modelcheckingenablesus tocheckwhetheramodelMS representingasystem

S,

satisﬁesaformula

φ

P encodingaspeciﬁcation P .

While plain reactive systems [5] are typically specified by means of reachability or purely temporal statements, au-tonomous agentsaretypicallyspecifiedby meansofhighlevelpropertiesinspiredfromAI.As aconsequence,inthecase of MAS the specification

φ

P is typically given in agent-based logics, such asepistemic logic [6], BDI [7], Desires-Goal-Intention [8],andATL[9].Overthepasttenyearsa numberoftechniqueshavebeenputforwardfortheeﬃcientmodel checkingofMASagainstagent-basedspeciﬁcationsincludingbinarydecisiondiagrams[10,11],abstraction [12],partial or-derreduction[13],boundedmodelchecking[14],parallelmodelchecking[15],therebymakingitpossibletoverifysystems withlarge statespaces. Yet,sincethenumberofstatesis exponentialinthenumberofagentsinthe system,systems of manyagentstypicallyremainintractable.

A further diﬃculty consistson the fact that some agent-based protocols,such as auctions, donot specify how many agentsmaybepresentatruntime.Bymodelcheckingwemaybeabletoverifyasystemfora

given

number of agents. Butthis doesnotenableustodrawanyconclusionastowhetherthespeciﬁcationwouldstillholdshouldmoreagentsbepresent. Intuitively,additionalagentsmaypossiblyinterferewiththesysteminunpredictedwaysresultinginthespeciﬁcationtobe

*

Correspondingauthors.

E-mailaddresses:[email protected](P. Kouvaros),[email protected](A. Lomuscio). http://dx.doi.org/10.1016/j.artint.2016.01.008

(2)

agents adhering to differentroles. In particularwe isolate three classesof MAS for which we show that cutoffs can be givenwhencertainsuﬃcientconditionsaremet.Weillustratethesemanticclassescorrespondtodifferentwaysinwhich theagentsmayinteractamongthemselves andwiththeenvironment.Inaddition toexploringthetheoretical sideofthe problemwealsopresentanimplementationbasedonideasherepresentedanddiscusstheexperimentalresultsobtained.

1.1. Parameterised model checking

Thetraditionalmodelcheckingproblem[4]concernsestablishingwhetheraspeciﬁcation

φ

P representingaproperty P holds on aﬁnite model MS built froma ﬁnite numberof componentsimplementing the system S, or MS

|= φ

P. Inthe traditional approach the behavioursof all the components are speciﬁed beforehand; the model MS resultingfrom their synchronisationisthenconstructedandtheproperty

φ

P isthenchecked.

While the traditional model checking problemestablishes whethera particular system satisfies a given specification, theparameterised model checkingproblem(PMCP)isconcerned withestablishing whetheranysystemcomposedof any numberofagentsfollowingacertainbehaviouraltemplatesatisfiesagivenspecification.Clearlyanyattempttoreducethe parameterisedmodelcheckingproblemtothestandardmodelcheckingproblemwouldentailcheckinganinfinitenumber ofmodels,i.e., allpossiblesystemsbuiltfromanynumberofagents.Giventhenumberofagentsisnotboundeditwould alsoimplycheckingmodelsofunboundedsize.

In traditionalcomputer science thePMCP can potentially be used to verify speciﬁc networking protocols anda wide rangeofdistributedalgorithms.InMASandAIingeneral, techniquesforthePMCPcould inprinciplebe usedtoestablish properties of a wide and diverserange of systems ranging fromrobotic swarms to e-commerce applications where the numberofagentsisnotknownatdesigntime.

Inthe generalsettingthe PMCPis undecidable[18].However, givenits importance,it isof interestto develop sound butincompletetechniquestosolveit.ThePMCPistypicallyformulatedinaﬁnitary,abstractwaybygivingatemplatefor the agentsinthe system, a template fortheenvironment, andthe formulato be veriﬁed.Byproviding the parameter

n

specifyingtheactual numberofagentsinthesystem, wecanthen constructaconcretesystemupon whichthestandard modelcheckingproblemcanbesolved.Awaytolimitthegeneralityoftheproblemistorestrict thesystemsconsidered. Forexample,wemayconsideraspeciﬁctopology,e.g.,rings, whenanalysingnetworkprotocolsforanunboundednumber ofhosts.Inthispaperwefollowadifferentapproach.Wedonotimposemanyconstraintsintermsofhowtheagentsmay behave,butweareconstraintheirinteraction.

1.2. Related work

Inthepast 10yearsseveralmethodshavebeenputforwardforverifyingMASby meansofsymbolicmodelchecking. Mosttechniquessupportepistemicspecifications[13,14,21–24];otherstargetdeonticspecifications[25,26],orspecifications expressingstrategic abilities[27,28].The resultingperformance differs depending ona numberofassumptions; symbolic checkerssuchas MCK[10], MCMAS[11] and VerICS[29]areallcapableofhandlingstate-spacesoftheregionof1015_and

beyond.

Whilethesetechniqueshavereceivedconsiderableattention,theyallsufferfromakeylimitationinthattheyonlydeal withclosedMASwherethenumberofcomponentsisknownatdesigntime.ThismakesitimpossibletoverifyMASwhere thenumberofagentsisnotknownatdesigntime.

Verificationofsystemswithan arbitrarilylarge numberofcomponentshasbeeninvestigated,however,inthecontext of reactive systems where the problem hasbeen shown to be undecidable in general[18]. The techniques put forward typicallyassumeanumberofrestrictionseitheronthesystemsorinthespecificationsconsideredsothateithersoundness or decidability can be retained.The approaches can be classified into abstraction techniques, network invariant techniques, regular model checking, and

cutoff techniques.

Abstractiontechniques[30–37]relyontheanalysisofasingleﬁnitestate

abstract system encoding

allpossibleconcrete systems.Typically thesemethodsrequiremanualguidanceforobtaining theabstractmapping.Further,they areoften in-complete: if a certain specification is falsified in the abstract model, then it does not necessarily followthat there is a concretesystemfalsifyingthespecification.Amongthesetechniquesweidentify

counter

abstraction and environment abstrac-tion.

(3)

Counterabstractiontechniquesgenerateabstractstatesthatreflectthenumberofparticipantsineachlocalstate.A sem-inal work in thiscontext definedthe abstract modelin terms ofa Petri Net [32].An automata-theoreticprocedure was definedtochecksingle-indexedLTLpropertiesforsystemscommunicatingviaCSSactions.Theprocedurerunsintime dou-blyexponentialinthesizeofthetemplateprocessandthespecification.A

forward reachability procedure

thatextendsthe

covering graph for PetriNetswasproposedin[37].Theprocedurewasshowntobeincompleteforbroadcastprotocols[35]. In contrast,a backward reachability algorithm which iscompletefor

upwards-closed sets

ofstateswasdiscussed in[35].By buildingon theseideasa forward bounded reachability analysis that sequentially generatesasetofincreasingly refined ab-stractionswasdevised[36].Inanotherline, counterabstractionswererefinedtosaturatebinarycounters[30].Thisgivesa finiteabstractmodelwhichisusedtocheckasynchronousparameterisedsystemsagainstlivelinessproperties.Themethod was showntobesoundbutincomplete.Similarly,thecounterswere alsosaturatedin[34] tocheck synchronoussystems against LTL properties [34]. Although in the asynchronous casethe proposed framework becomes undecidable, the syn-chronouscaseisdecidableviaaprocedure identifyingspuriouscounterexamplesthatmayoccurinthecounter-abstracted model.

Environment abstraction combines counter abstraction withpredicate abstraction by keepingtrack of the number of participantswhichsatisfyacertainpredicate.ThetechniquewasappliedtotheanalysisofLamport’sbakeryalgorithmand Szymanski’salgorithm[31].Soundnessofthetechniquewasshowed[33].

Networkinvarianttechniques[38–40]areinduction-basedmethodsthatreducetheparameterisedmodelchecking prob-lem to model checking a finite state system. They identify a network invariant capturing a system’s behaviour that is independent of the numberof agents; i.e., the invariant is presentin any concretesystem. It followsthat a property is satisfiedby theparameterisedsystemifitissatisfiedby thenetworkinvariant.Methodologiesforcomputingnetwork in-variants as well as sufficient criteriafor their existence havebeen given [38,41]. While theseworks depend on manual guidance,heuristicshavebeenusedtogeneratetheinvariantsautomatically[40,39].

Infinite state model checking techniques have also been applied to parameterised systems via regular model check-ing [42–45].Inregularmodelcheckingthestatesarerepresentedbywordsandthetransitionrelationonthesetofstates isrepresentedbyfinitestatetransducers.Thefundamentaldifficultywiththisapproachisthecomputationofthetransitive closure ofthe transducers. Thisoftenleads toincomplete techniquesandexpensive automata-theoreticconstructions. To improvetheirefficiencyseveralmethodologieshavebeendevelopedincluding

widening

[43,45]and

acceleration

[42,44].

Approachesbasedoncutoffs[16,17,19,20,46–50]aimtoidentifyanintegercalled

cutoff,

expressingthenumberof com-ponents that issufficient to consider whenevaluating a given specification. The identificationmayeither be dynamic or static. Dynamiccutoffsareidentifiedon-the-flyduringtheverificationprocedure.Whilethey werefirstintroducedforthe analysisofreachability propertiesin PetriNets[47],similarideas havebeenusedto analysesystemswithlinearor tree-like topologies[19].Static cutoffsare identifiedby an explicitcutoffprocedure beforethe actualverificationcommences. Techniquesbasedonstaticcutoffscantypicallyanalysericherspecifications,suchasthosebuiltonLTL

\

X [16,17,50,20]or CTL∗

\

X [46,48,49].

While the research discussed above is relatedto theproblem addressedhere, our work isfundamentally different in severalrespects. Firstly, weaddress multi-agentsystems wherethepatternsof interactiondonot depend onaparticular networktopology.Secondly,wesupportepistemicspeciﬁcationsandnotjusttemporalones.

Theparameterised interleavedinterpretedsystems(PIIS)modelweintroducegeneralisesthemodelofbroadcast proto-cols[37],whosePMCPhasbeenanalysedintermsofLTL

\

X properties, LTLproperties,regularand

ω

-regularproperties[35, 37,51].ThePMCPwasshowntobedecidableforregularpropertiesin[35].Thedecidabilityresultinstantiatesthe

backward

reachability procedure[52] tothecontextofbroadcast protocols.Theprocedureonly supportssafetyproperties.ThePMCP was showntobe undecidableforLTL

\

X properties in[51],andthus forLTL and ω-regular properties,anddecidablefor

ω

-regular propertiesundertherestrictionof

initialisable templates

[51].Althoughtherestrictiononinitialisabletemplates, i.e.,everystateofthetemplatehasatransitiontotheinitialstate,hasbeenprovenusefulintheanalysisofcachecoherence protocols[51],theaimofthispaperistomodelgeneralMASnotadheringtothisconstraint.

Closelyrelatedtothetechniquesdevelopedinthispaperarealsothecutofftechniquespreviouslyputforwardforlinear time andcomputation tree logic [16,17,20,46,48,49].Cutoff resultsfor lineartime properties[17,20,46,48] are not easily transferabletoourcontextsincethebranchingnatureoftheknowledgemodalityrequiresastrongernotionofsimulation. Insomecases,however,notionsofstutteringsimulationspreviouslydeﬁnedinthecontextofCTL∗[16,49]canbeextended toincludeknowledgeaswell,asweshow Section3.4.However,whileexistingworkfocusesonparticulartopologies,here weaddressamoregeneralsetup.

Previousworkbytheauthors. InourearlierworkwehavebegunaddressingparameterisedveriﬁcationforMAS[53,54]. However, [53]makes strongassumptionsonthesemanticstherebyforcing allagentstoevolveinthesamewayfollowing synchronisationwiththeenvironment.Thiswastosomeextentovercomein[54],wherefurtherpatternsofsynchronisation wherestudied.Thetechnique herepresented,however,isconsiderablymoregeneral.Mostimportantly,thenotionofrole, leftasanopenproblemin[54],isintroducedandthesemanticsreformulatedinthisway.Theextendedsemanticsenables us to explore and present results for systems composed of different classes of agents performing different behaviours. Throughthenotionofrole,agentsmayinteractamongthemselvesinwaysthatwerenotpreviouslypossible,e.g.,anagent ofonerolecaninteractwithanagentofanotherrole,therebylargelysurpassingtheexpressivepowerofourinitialstudies. Theimplementationwepresentherealsonotablyextendstheonepreviouslypresentedinthatitallowsforthedeclaration ofseveraltemplatesrepresentingtherolesoftheagentsinthesystem.

(4)

preserve logical satisfaction. This enables usto formally deﬁne the PMCP andthe notion of cutoffs on thesemantics in Section4.

Sections5,6and7includethemaintheoreticalresultsofthepaper.WestudyeachoftheclassesidentiﬁedinSection2

andgivecutoff resultsforthem.Bymeans oftheseresultsthe PMCPfora classofPIIS canbesolved bymodelchecking all systemsup tothe cutoff.Giventhecutoffs aretypically low naturalnumberstheseresultsprovidealgorithms forthe effective veriﬁcationof various classesof MAS. Eachrespective class is exempliﬁed via a concrete exampleshowing the applicabilityoftheresults.

Section8reportsanimplementationthatwebuiltrealisingthetechniquesdescribedinSections5to7.Speciﬁcallythe sectionintroduces MCMAS-P,aparameterisedversionof MCMAS,anopen-sourcemodelcheckerfortheveriﬁcationofMAS. Asweexplain, MCMAS-P conductsaniterativecheckontheexistenceofcertainsimulationsthatguarantee,bythemethods ofSections5to7,thata cutoffexists.Ifthiscanbeshown, thecheckerperforms plainmodelcheckingoncorresponding concretesystemsinlinewiththerequirementsofthetheorydeveloped.Wereporttheexperimentalresultsobtained.

WeconcludeinSection9,wherewediscusspossiblefuturework.

2. Parameterisedsystemswithmultipleroles

Interpreted systems are a standard semantics fordescribing multi-agent systems [6]. Theyprovide a naturalsetup to interpretspeciﬁcationsinavariety oflanguagesincludingtemporal-epistemic logicandalternatingtemporallogic [6]. In-terleavedInterpreted Systems(IIS)area classofinterpreted systemsconstraining theinterleavedevolutionoftheagents’ actions [13].Herewe extendIIStoreasonabouttemporal-epistemic propertiesinanunboundedMAS setting.Todothis, wedeﬁne

parameterised IIS to

giveagenericdescriptionofaMAS

irrespective of the

number of agents present. Thiswillenable usto define three important classesof parameterised IISthat exhibit attractive propertiestowards verification. We then proceedtodefineanindexedtemporal-epistemiclogictoexpresspropertiesintheunboundedsystem. Thisisfollowedby theformaldefinitionofthePMCPandthenotionofcutoff.Weshowthatcutoffsdonotexistingeneral,therebypavingthe roadtothesubclasses’analysisinthefollowingsections.

2.1. Interleaved interpreted systems

We beginby assuming a MAS composed of n agents

A

= {

1

, . . . ,

n

}

acting inan environment E. The environmentis treatedasaspecialagentallowingustoconsideraMASascomposedoftheset

A

∪ {

E

}

ofagents.Eachagent

i

∈

A

∪ {

E

}

is describedbyanonemptysetoflocalstates

L

i,auniqueinitiallocalstate

ι

i

∈

Li,andanonemptysetofactions

Act

i.Actions areperformedincompliancewithaprotocol Pi

:

Li

→

Actigoverningwhichactionscanbeperformedatagivenlocalstate. Theevolutionofanagent

i’s

localstatesisspeciﬁedbyatransitionfunction

t

i

:

Li

×

Acti

→

Lireturningthenextlocalstate giventheagent’s(current)localstateandaction.

A“null” action

i isassumedto bea memberofanyset Acti.It isassumedthat forevery state

l

i

∈

Li we havethat: (i)

i

∈

Pi

(

li

)

(i.e.,thenullactionisenabledateverylocalstate);(ii)

t

i

(

li

,

i

)

=

li (i.e.,anagentstuttersinitscurrentlocal statewheneveritperformsthenullaction).

Deﬁnition2.1 (Interleaved interpreted system). An interleavedinterpreted systemis atuple IIS

= {

Li

,

ι

i

,

Acti

,

Pi

,

ti

}

i∈A∪{E}

,

V

,where

V :

L1

× . . . ×

Ln

×

LE

→

P(

AP

)

isavaluationfunctionforaset

AP of

atomicpropositions.

A

global state g

= (

l1

,

. . . ,

ln

,

lE

)

isa tupleoflocalstatesforall the agentsinthe system;itdescribesthe systemata particularinstant oftime.Givena globalstate g

= (

l1

,

. . . ,

ln

,

lE

)

andanagent

i,

wewrite

ls

i

(

g

)

todenote thelocalstate

lsi

(

g

)

=

li ofagent

i in

g. The system’sglobalstatesevolve overtime incompliance withtheagents’localprotocols and localevolution functions, thereby inducing aglobal transitionfunction.To deﬁnethe transitionfunction, givenan action

a

∈

i∈A∪{E}Acti,let

Agent

(

a

)

= {

i

∈

A ∪ {

E

} :

a

∈

Acti

}

bethesetofagentsadmittingtheactionintheirrepertoire. Deﬁnition2.2

(Global transition function).

Theglobaltransitionfunction

t

:

G

×

Act1

× . . .

Actn

×

ActE

→

G on aset

G of

global statesisapartialfunctiondeﬁnedasfollows:

t

(

g

,

a1

,

. . . ,

an

,

aE

)

=

g iffthereisan action

b

∈

i∈A∪{E}Acti suchthat for

(5)

Fig. 1. The interleaved interpreted system for the train-gate-controller.

all

i

∈

Agent

(

b

)

,wehavethat

a

i

=

b, ai

∈

Pi

(

lsi

(

g

))

,and

t

i

(

lsi

(

g

),

ai

)

=

lsi

(

g

)

;andforall

i

∈ (

A

∪ {

E

})

\

Agent

(

b

)

,wehave that

a

i

=

iand

t

i

(

lsi

(

g

),

ai

)

=

lsi

(

g

)

=

lsi

(

g

)

.Inshortwewritetheaboveas

g

→

ag.

Thus theglobaltransitionfunctionisgiveninasimilarfashion toblockingsynchronisationinautomata.Ateachround all agentsparticipatingintheglobaltransitionarerequiredtoperformthesamelocalaction;theagentsnotparticipating intheglobaltransitionareassumedtoperformthenullaction.Everyagentadmittingsaidlocalactioninitsrepertoirehas to perform itatthe round; ifthereis a localprotocolnot permitting this, thenthe localaction cannot be performedin thesystem.Alocalactionissaidtobe

shared by

twoormoreagentsifsaidagentsadmitthatactionintheirrepertoireof actions. So,communicationinIISisbymeansofsharedactions.Weassumethat thejointsilent actionisalways enabled. Therefore

t is

serial.

Given aset ofactions X

⊆

_i_∈_A∪{_E_}Acti,we write g

→

X g to meanthat g

→

ag forsome

a

∈

X . The reﬂexiveand transitive closureof

→

X isdenotedby

→

X∗.Apath

π

iseithera ﬁniteoraninﬁnitesequence

π

=

g1a1g2a2g3

. . .

such that

g

i

_→

aigi+1,forevery

i

≥

1.Givenapath

π

,wewrite

π

(

i

)

(respectively

π

(

i

,

Act

)

)forthe

i-th

state(actionrespectively)

in

π

.If

π

isﬁnite,thenwewrite

π

[]

forthelaststatein

π

.By

π

[

i

]

,wedenotethesuﬃx

g

i_ai_gi+1

_{. . .}

_of

_π

_,_and_by

_[

_i

_]

_π

_we

denoteitspreﬁx

g

1_a1

_{. . .}

_gi_._The_set_of_all_paths_originating_from_a_state

_{g is}

_denoted_by

₍

_g

₎

_._A_global_state

_{g is}

_said_to_be reachablefromaglobalstate g1 _if_there_is_a_path

_π

_{∈ (}

_g1

₎

_such_that

_π

₍

_i

₎

₌

_g,_for_some

_i

_≥

_1._Since_the_global_transition

relationisdeterministicwesometimes(uniquely)denoteapath

g

1_a1_g2_a2

_{. . .}

_by_the_sequence _g1_a1_a2

_{. . .}

_.

We associatetemporal models to IIS that, asshown below, can be used to interpret temporal-epistemic formulae as follows.

Deﬁnition2.3

(Model).

GivenanIIS

{

Li

,

ι

i

,

Acti

,

Pi

,

ti

}

i∈A∪{E}

,

V

,itsassociatedmodelisatuple

S

IIS

=

G,

ι

,

R,

(

∼

i

)

i∈A

,

V

, where

G

is the set ofglobal states reachable via

R

from the initial globalstate

ι

= (

ι

1

,

. . . ,

ι

n

)

,

R

⊆

G × G

is a global transition relation deﬁnedas

(

g

,

g

)

∈

R

iff g

→

ag for some action a, and

∼

i

=

(

g

,

g

)

∈

G

×

G

:

lsi

(

g

)

=

lsi

(

g

)

is the epistemicaccessibilityrelationforagent

i deﬁned

onlocalequalitiesfortheagents’states.

Example2.4.Fig. 1presentstheinterleavedinterpreted systemoftheuntimedversion oftheTrain-Gate-Controller(TGC) aspresentedin[55]andadaptedfrom[56].ThesystemofTGCiscomposedofacontrollerandtwotrains.Eachtrainruns along acirculartrackandbothtrackspassthroughanarrowtunnel.Thetunnelcanaccommodateonlyone traintobein it atanytime.Both sidesofthe tunnelareequippedwithtraffic lights, whichcanbe eithergreen orred.The controller operates the colour ofthe traffic lightsto let thetrains enterandexit the tunnel.In thefigure, the initial statesof the controller andthetrainsare

GREEN and WAIT respectively.

Thetransitionsthat aredepictedwiththesamestyleofedges aresynchronised.Null

actionsareomittedintheﬁgure.

2.2. Parameterised interleaved interpreted systems

We introduceasemantics forparameterised MAS representingseveraltypesofagents.Agentsofa typeare saidtobe adheringtoa

role.

Eachroleisassociatedwithageneric

agent template which

speciﬁesthebehaviourofeachagentofsaid role.So,thegenericdescriptionofaparameterisedsystemconsistsofthedescriptionsofaﬁnitenumberofagenttemplates and the descriptionof the environment template. A parameter fora parameterised system isa tuple of naturalnumbers, one for eachrole, whose sumdetermines theactual numberof agentsinthe system. Givena parameter

(

n1

,

. . . ,

nk

)

for thesystem, theconcreteinterleavedinterpretedsystemcorrespondingtothecompositionof

n

i agents,foreachrole

i,

can be constructed.Hence,aparameterisedsystemgivesaﬁnitedescriptionofanunboundednumberofdifferentlypopulated interleavedinterpretedsystems.

Wenowdescribeanagenttemplate.ThetemplateissimilarlydeﬁnedtoagentsinIIS.However,todeterminetheagents’ synchronisation patterns in a concrete system, an agent template distinguishesbetween ﬁve types of actions: (i)

asyn-chronous actions; (ii) agent-environment actions; (iii)role-synchronous actions; (iv)global-synchronous actions; (v) multi-role actions. Eachtypeofactionmodeladifferenttypeofinteraction.

(6)

environmentparticipateintheglobaltransition.

v. Multi-role actions encode pairwise communication betweenthe environment and agentsperforming different roles. A multi-roleactionisalwaysadmittedintherepertoireofactionsofexactlytwoagenttemplates.Similarlyto disjunc-tive guards[46],one andonlyone ofthetwo templates guards the action. Amulti-roleaction issaid tobe guarded by an agent template ifthetransition functionof thetemplate returns thesame template state atwhichthe action is performed. The set of multi-role actions admitted by template i is the disjointunion

_r_∈{₁_,...,_k_}MRi,r of the sets

MRi,1

,

. . . ,

MRi,kofactionssharedwithandguardedbytemplates1

,

. . . ,

k, and ofthesets

GMR

1,i

,

. . . ,

GMRk,iofactions sharedwithtemplates1

,

. . . ,

k and guardedby

i.

Notethateach

GMR

r,i,for1

≤

r

≤

k, isequaltotheset

MR

r,i of multi-roleactionsadmittedbytemplate

r.

Amulti-roleactionsharedbytemplates

i and r and

guardedby

r is

instantiatedfor eachpairofconcreteagentsperforming rolesi and r; theinstantiationisalsoadmittedbytheconcreteenvironment. Asaresult, wheneveramulti-roleactionisperformed, thefollowingagentsareparticipatingintheglobaltransition: exactlyoneagent performing role i,exactly oneagent performingrole r,andtheenvironment.Theagent performing role i mayupdateits state viatheglobaltransition, whereasthe agentperforming role r remainsinits currentlocal state.Intuitively,theagentfromrole r guardstheactionasithastobeinalocalstatewheretheactionisenabledfor theglobaltransitiontooccur.

Deﬁnition2.5

(Agent template).

An

agent template

T

i

=

Li

,

ι

i

,

Acti

,

P

i

,

ti

isanagent withaset

Act

i

=

Ai

∪

AEi

∪

RSi

∪

GS

∪

MRi

∪

GMRi of actions, where Ai is a set asynchronous actions, AEi is a set of agent-environment actions, RSi is a set of

role-synchronous actions, GS is asetof

global-synchronous actions, MR

i

=

1≤r≤kMRi,r isaset of

multi-role actions that

are guarded by other templates, and GMRi

=

1≤r≤rGMRr,i is the set of multi-role actions that are guarded by template i. Thefollowingconditionsareassumed:thesets Ai

,

AEi

,

RSi

,

GS

,

MRi,1

,

. . . ,

MRi,k,

GMR

1,i

,

. . . ,

GMRk,iarepairwisedisjoint;for each

a

∈

GMRr,i

,

l

∈

Liwehavethat

t

i

(

l

,

a

)

=

l.

Theenvironment template

E

is similarlydescribed asanagent, butforthesynchronisationpurposesdescribed above,

E

’ssetofactionsistheunionoftheagenttemplates’setsofagent-environment,role-synchronous,global-synchronous,and multi-roleactions.

Deﬁnition2.6

(Environment

template). An

environment

template

E =

LE

,

ι

E

,

ActE

,

P

E

,

tE

isanagentdeﬁnedontheset

Act

E

=

1≤i≤k

(

AEi

∪

RSi

∪

MRi

)

∪

GS of actions.

Aparameterisedinterleavedinterpretedsystemconsistsofaﬁnitecollectionofagenttemplatesandatemplate environ-ment.

Deﬁnition2.7

(Parameterised interleaved interpreted system).

A Parameterised Interleaved Interpreted System is a tuple PIIS

=

T ,

E,

V

, where

T = {T

1

, . . . ,

T

k

}

is a nonemptyand ﬁnite set of agent templates,

E

is an environment template, and

V = {V

i

:

Li

→

P(

APi

)

:

1

≤

i

≤

k

}

isasetofvaluationfunctions,oneforeachagenttemplate.Itisassumedthat

AP

1

,

. . . ,

APk arepairwisedisjointsetsofatomicpropositions.

Let

PIIS

=

T ,

E,

V

beaparameterisedsystemwith

k

≥

1 roles.Letn

¯

∈ N

k_be _a_value_of_the_system’s_parameter_where

N

= {

i

:

i

≥

1

}

denotes thesetofnaturalnumbers. Assumen

¯

(

i

)

todenotethe i-thcomponentinn.

¯

Wenow describethe

¯

n-st concreteinstantiationofaparameterisedsystem. TheconcretesystemPIIS

(

n

¯

)

resultsfromtheparallelcomposition of

¯

n

(

i

)

instantiations

(

i

,

1

),

. . . ,

(

i

,

n

¯

(

i

))

ofeachagent template

T

iandaninstantiation

E(¯

n

)

oftheenvironmenttemplate.We write

A(¯

n

)

forthe set

A(¯

n

)

= {(

i

,

j

)

:

1

≤

i

≤

k

,

1

≤

j

≤ ¯

n

(

i

)

}

ofall concrete agents.Eachconcreteagent is instantiatedby takingindexedcopiesofitsagenttemplate.

Deﬁnition2.8

(Concrete agent).

Givena

PIIS

=

T ,

E,

V

of

k roles

andn

¯

∈ N

k_,_the_concrete_agent

₍

_i

_,

_j

₎

₌

_Lj i

,

ι

j i

,

Act j i

,

P

j i

,

t j i

isdeﬁnedasfollows.

(7)

•

L_ij

=

Li

× {

j

}

issetofconcretelocalstates;

• ι

_ij

∈

L_ijistheinitialconcretestate;

•

Act_ij isthesetofconcretelocalactionsthatisdeﬁnedastheunionofthefollowingsetsofactions.

– A_ij

=

Ai

× {

j

}

isthesetofconcreteasynchronousactions.Eachactionisindexedbythenameoftheagentinquestion anditisthusnotsharedwithotheragents.

– AE_ij

=

AEi

× {

j

}

isthesetofconcreteagent-environmentactions.Eachactionisindexedbythenameoftheagentin questionanditissharedwiththeenvironment(seethedeﬁnitionoftheconcreteenvironmentbelow).

– RS_ij

=

RSi isthe setofconcrete role-synchronous actions.Eachaction isshared byall the agentsinstantiatedfrom template

T

i.

– GS_ij

=

GS is thesetofconcreteglobal-synchronousactions.Theseactionsaresharedbyalltheagentsintheconcrete system.

– MR_ij

=

(r,s)∈A(¯n)

MR_ij_,,_rs, whereMR_ij_,,_rs

=

MRi,r

× {

j

} × {

s

}

isthe setofmulti-role actions sharedbetweenthe concrete agents

(

i

,

j

),

(

r

,

s

)

andguardedby

(

r

,

s

)

;

– GMR_ij

=

(r,s)∈A(¯n)

GMR_rs,_,_ij,where

GMR

_rs,_,_ij

=

GMRi,r

× {

s

} × {

j

}

isthesetofmulti-roleactionssharedbetweenthe con-creteagents

(

i

,

j

),

(

r

,

s

)

andguardedby

(

i

,

j

)

.

•

P_ij

:

L_ij

→

P(

Act_ij

)

isdeﬁnedasP_ij

(

l

)

= {

a

:

aτ

∈

Pi

(

lτ

)

}

,where

aτ (lτ ,

respectively)denotesthecorrespondingtemplate action(state,respectively)fromwhich

a (l,

respectively)hasbeeninstantiated;

•

t_ij

:

L_ij

×

Act_ij

→

L_ijisgivenby

t

_ij

(

l

,

a

)

=

liff

t

i

(

lτ

,

aτ

)

=

lτ .

So,eachlocalstateofaconcreteagentismadeofthetemplatelocalstatesindexedbythenameoftheagentinquestion andinheritsfromitstemplatetheactions,theprotocolsandthetransitionfunction.Theconcreteenvironmentissimilarly obtainedbyinstantiatingeachactionsharedwiththeagenttemplates.

Deﬁnition2.9 (Concrete environment). Given a PIIS

=

T ,

E, V

of k roles and n

¯

∈ N

k_, _the _concrete _environment

_E(¯

_n

₎

₌

LE

(

n

¯

),

ι

E

(

n

¯

),

ActE

(

n

¯

),

P

E

(

n

¯

),

tE

(

n

¯

)

isdeﬁnedasfollows.

•

LE

(

n

¯

)

=

LE;

•

ActE

(

n

¯

)

=

(i,j)∈A(¯n) Act_ij;

•

PE

(

n

¯

)

:

LE

(

n

¯

)

→

P(

ActE

(

n

¯

))

isdeﬁnedas

P

E

(

n

¯

)(

lE

)

= {

a

:

aτ

∈

PE

(

lE

)

}

;

•

tE

(

n

¯

)

:

LE

(

n

¯

)

×

ActE

(

n

¯

)

→

LE

(

n

¯

)

isgivenby

t

E

(

n

¯

)(

lE

,

a

)

=

lE iff

t

E

(

lE

,

aτ

)

=

lE;

Finally,aparameterisedsystem’sinstantiation,andtheconcretesemanticsweconsider,istheIIScomposedofthe con-crete agents and the concrete environment. The concrete system’s valuation function is deﬁnedon atomic propositions indexed by the agents’identities so that a propositionholds on a globalstate iff theproposition holds by thetemplate valuation functiononthetemplatestate thattheagent indexingthepropositionisin theglobalstate.Thiswillenableus inSection3tospecify

collective properties

thatrangeoverallconcreteagentsirrespectivelyofthesizeofthesystem.

Deﬁnition2.10

(Concrete system).

Given a

PIIS

=

T ,

E, V

of

k roles

andn

¯

∈ N

k,the concrete system PIIS

(

n

¯

)

,composed of

1≤i≤kn

¯

(

i

)

concreteagents,isatuple

PIIS

(

n

¯

)

= (

L_ij

,

ι

_ij

,

Act_ij

,

P_ij

,

t_ij

)

(i,j)∈A(¯n)

,E

(

n

¯

),

V(

n

¯

)

Theconcretevaluationfunction

V(¯

n

)

:

G

→

P(

AP

)

isdeﬁnedontheset

G

=

L1₁

× . . . ×

Ln_k¯(k)

×

LE

(

n

¯

)

ofpossibleglobalstates andontheset

AP

= (

AP1

× {

1

, . . . ,

n

¯

(

1

)

}) ∪ . . . ∪ (

APk

× {

1

, . . . ,

n

¯

(

k

)

})

ofatomicpropositionsasfollows:

for p

∈

APiand 1

≤

j

≤ ¯

n

(

i

), (

p

,

j

)

∈

V

(

g

)

iff p

∈

Vi

(

l

)

where

l is

thetemplatelocalstateofagent

(

i

,

j

)

in

g.

For each concrete system PIIS

(

n

¯

)

we can associate a temporal-epistemic model

S

PIIS(n¯)

=

G(¯

n

),

ι

(

n

¯

),

R(¯

n

),

(

∼

_ij

)

(i,j)∈A(¯n)

,

V(¯

n

)

as standard. When PIIS

(

n

¯

)

is clear from the context we simply write

S(¯

n

)

for

S

PIIS(n¯). For a global

state

g in

S(¯

n

)

wewrite

ls

_ij

(

g

)

forthelocalstateofagent

(

i

,

j

)

in

g.

Thetemplatelocalstateofagent

(

i

,

j

)

in

g is

denoted by

tls

_ij

(

g

)

.

In compliance with the interleaved semantics, we can distinguish ﬁve types of transitions on a concrete system. In particular,aglobaltransitionfromastate

g can

onlyhappeninthefollowingcases(seeFig. 2):(i)aconcreteasynchronous

(8)

Fig. 2. Examplesoftheﬁvetypesoftransitions possibleinaconcreteevolutionfrom aglobalstate g:(a)asynchronousfor agent(1,1); (b) agent-environmentforagent(k,n¯(k))andtheenvironment;(c)role-synchronousforalltheagentsfromtemplateTiandtheenvironment;(d)global-synchronous foralltheagentsandtheenvironment;(e)multi-roleforagent(i,x)thatisguardedbyagent(1,1)andtheenvironment.Symbolsin bold indicatethe componentsofaglobalstateonwhichtheenablingofeachactiondepends.Dashedlinesfromaglobalstatedenotethecomponentsinthestatethatare updateduponthecorrespondingglobaltransition.

theenvironmentandforagent

(

i

,

j

)

performing role i at g; (iii)aconcreterole-synchronous

RS

i actionisenabledforthe environment and for all the agentsperforming role i at g; (iv) a concrete global-synchronous GS action is enabled for the environment andfor all the agents at g; (v) a concrete multi-role MR_ij_,,_rq action is enabledfor the environment, for agent

(

i

,

j

)

performingrole

i,

andforagent

(

r

,

q

)

performingrole

r at

g.

Tosummarise,weintroducedanotionofparameterised systemsgivingaconcisedescriptionofan arbitrarilybigsetof IIS.Eachsystemisbuiltfromn

¯

(

i

)

identicalagentsforeachrole

i

∈ {

1

, . . . ,

k

}

andfromtheconcreteenvironment correspond-ing tothe n-th

¯

instantiationof thetemplate environment.The concreteagentsmayevolve asynchronously, communicate withthe environmentvia agent-environmentactions, synchronisewiththe agentsofthe samerole via role-synchronous actions, synchronise with all the agents in the system via global-synchronous actions, and communicate with an agent performinganotherroleviamulti-roleactions.WerefertoAppendix Aforasummaryofthenotationusedinthepaper.

2.3. Examples

We exemplify the technical notions introduced above on three examples: a train-gate-controller model [55], a robot foraging scenario [57], an autonomousrobot example[6].The train-gate-controller illustrates the agent-environmentand global-synchronouscommunicationpatterns.Therobot-foragingscenariogivesan intuitiveexampleofmulti-role synchro-nisations.Wediscussrole-synchronouscommunicationinthecontextoftheautonomousrobotexample.Weherefocuson thesemanticmodelling.Wewilllaterdiscussspeciﬁcationsandveriﬁcationmethodologies.

2.3.1. Robot foraging scenario

Swarm robotics concerns the coordination and analysis of an unbounded collection of behaviourally simple robotic agents [58–60]. The interaction between the agents and their environment is meant to exhibit a collective, emergent behaviour often inspired by biological systems, e.g., ant colonies [61].As argued in [59], despite the lack of centralised coordination,biologicalswarm-based systemscanstillberobust, scalable,andﬂexible.Itisthereforeofinteresttodesign swarmroboticsystemsthatcanbeshowntobeincompliancewiththeirspeciﬁcations.Todothis,weneedtoanalysethe propertiesofaswarmirrespectivelyofthenumberofrobotsinthesystem.

In thefollowing we describe an untimedversion of therobot foraging scenario(RFS) from[57].The RFSincludes an arbitrary number of robots initially resting in a nest before undertaking a campaign in search for food by means of a randomwalk.Uponobservingafoodsource,arobottriestoreachforit.Ifitsucceeds,then(i)itcollectsanddepositsthe foodinthenest; (ii)it makesthe locationofthe foodknown sothat allother robotscan ﬁndit.Otherwise,ifitfailsto reachthe foodsource,itthen scansthearea tolocatethe sourceagain, orlocateanewsource. Ifthescan issuccessful, thentherobotattemptstoreachthefoodsource.Otherwise,ifthescanisnotsuccessful(underatimeout),thentherobot returnstoitsnest.

We can encode thescenario asa PIIS

S

RFS composed ofa template agent TR representing the robotsanda template agent

TFS representing

thefoodsources.ThetemplaterobotisdepictedinFig. 3a.

TR is

initiallyinstate R representing that therobot isrestinginitsnest.The states

RW,

MF, SA represent thattherobot isperforming arandomwalk, therobotis moving tothe food,andthe robot isscanningthe area,respectively. Thetemplate foodsourceis givenby Fig. 3b.TFS is

initially inthestate N_F representing that thefoodsource hasnot beenfound, whereasthe state F represents thatthe foodsourceisfound.

We now describe the globaltransitions induced by the templates. As discussed in the previous section, a multi-role actionisalwaysadmittedintherepertoireofactionsoftwoagenttemplates,anditisguardedbyoneofthem.Amulti-role action is instantiated for each pair of agents instantiated from the two templates. In a global transition induced by a multi-roleactiononlytheagentsforwhichtheactionisinstantiatedandtheenvironmentareparticipatinginthetransition. The concreteagent fromthe templatenot guarding theactionmay updateits state inthe globaltransition, whereasthe

(9)

Fig. 3. Theparameterisedinterleavedinterpretedsystemfortherobotforagingscenario.R standsfor“Resting”,RW standsfor“RandomWalk”,MF for “MovetoFood”,SA for“ScanArea”,N_F for“NotFound”,andF for“Found”.Theactionssearch,fail areasynchronousactions,whereastheactionsobserve, deposit,scan,reached aremulti-roleactions.

concreteagentfromthetemplateguardingtheactionremainsinitscurrentlocalstate.Wedescribethepossibleactionsfor thetemplatesinthesystem.

•

search. Thisan asynchronous actionthat is deﬁnedforthetemplate robot. It isenabledat state R and it represents a robot moving outofits nest tosearch forfood.A globaltransitionby means ofthe

search action

resultstherobot performingtheactiontomovetostate

RW.

•

fail. Thisisalsoanasynchronousactionthatisenabledatstates

RW and SA of

thetemplaterobot.Theactionrepresents a robot failingto locate a food source when performing a random walk and when scanning the area, respectively. A globaltransitionviathe

fail action

resultstherobotperformingtheactiontomovetostate R.

•

observe. This is a multi-role action that is guarded by TFS. Assume the instantiation

(

observe

,

i

,

j

)

of the action for robot i andfoodsource j.Aconcretetransitionviathe

(

observe

,

(

i

,

j

))

actionisonlyenablediftherobot i iseitherin state

RW or

instate

SA,

andthefoodsource j isinstate N_F . Intuitivelytherobotcanobservethefoodsourceifthe latterhasnotalreadybeenfound.Theactioncausestherobot i tochangeitsstateto

MF.

•

reached. Thisis also a multi-role action that is guarded by TR. Followingthe transition described above, a concrete transitionviathe

(

reached

,

(

j

,

i

))

actionisenabled.Thistransitioncausesthefoodsource j tochangeitsstateto F thus

modellingthatrobot i hassucceededinreachingthefoodsource j.

•

deposit. Theabove transitionenablesthe multi-roleaction

(

deposit

,

(

i

,

j

))

that isguardedby

TFS.

Atransitionviathis actioncausestherobottomovetostate

R.

•

scan. Finally,

scan is

amulti-roleactionthatisguarded by

TFS.

Intuitively,robot i may fail toreachthefoodsource j

(i.e.,the

(

reached

,

(

j

,

i

))

actionis notperformed).In thiscasethe

(

scan

,

(

i

,

j

))

actionisenabled. Upon thistransition therobotupdatesitsstateto

SA.

2.3.2. Train-gate-controller

InSection2.1wedeﬁnedtheIISofthetrain-gate-controller(TGC)composedofacontrollerandtwotrains.Wenowgive thePIISmodelofaparameterisedversionoftheTGC.Weextendtheoriginaldescriptiontoincludeanarbitrarynumberof twotypesoftrains:

prioritised trains and normal trains.

Aprioritisedtraincanenterthetunnelatanygiventime,assuming thereisnoothertraininthetunnel,whereasanormaltraincanonlyenterthetunnelwhenthereisnoothertrainwaiting to enter the tunnel. Toaccomplish this, the traﬃc lightsinclude two shades of the green colour: prioritised green and normal green.Prioritised greenisused bythe controllertoserve prioritisedtrains, whereasnormalgreen isusedby the controllertoservenormaltrains.

ThescenariocanbeencodedasaPIIScomposedofanagenttemplaterepresentingprioritisedtrains(Fig. 4a),anagent template representing normaltrains (Fig. 4c), and an environment template representing the controller (Fig. 4b). A pri-oritised train isinitially instate WAIT, the controlleris initiallyinstate P _GREEN, andanormaltrain isinitially instate

TUNNEL_LOCKED. Therefore prioritised trains are initially waiting to enter the tunnel, normal trains are initially locked from entering the tunnel, and the controller initially serves only prioritised trains. The actions p_enter and p_exit are

agent-environment actions modellingthe prioritisedtrains entering andexiting thetunnel. Similarly, theactions

n_enter

and

n_exit are

agent-environment actionsenabling the normaltrainsto enterandexitthe tunnel.The action

n_lock is

a global-synchronousactionandrepresentsthenormaltrainstakingthelockonthetunnel.Also,theaction

p_lock is

a global-synchronousaction;itmodelstheprioritisedtrainstakingthelockontunnel.Finally,theactions p_approach

,

n_appoach are

(10)

Fig. 4. The parameterised interleaved interpreted system for the train-gate-controller.

Thetemplatesinducethefollowingagent-environmentandglobal-synchronousconcretetransitions:

•

p_enter

,

n_enter. Inadditiontotheagentperformingtheactionenteringthetunnel,theenvironmentparticipatesinthe globaltransition.Thiscausestheenvironmenttochangeitsstate to

RED,

thereby disallowingothertrainstoenterthe tunnel.

•

p_exit

,

n_exit. The environmentsynchronises with theagent that is currentlyinthe tunnelvia the p_exit and n_exit

actions.Thesynchronisationcauses theenvironmenttochangeits stateto P _GREEN if theagent isaprioritisedtrain orto

N_GREEN if

theagentisanormaltrain.Followingthis,othertrainsareallowedtoenterthetunnel.

•

n_lock. Thisactionisonlyenabledif:(i)theenvironmentisinstate P _GREEN; (ii)thereisnotraininthetunnel;(iii)all prioritisedtrainsareinstate

AWAY.

Aconcreteglobal-transitionviathe

n_lock action

causestheenvironmenttoupdate its state to N_GREEN. Thus the transition freesthe tunnel to serve normal trainswhenever there are no prioritised trainswaitingtobeserved.

•

p_lock. Thisactionisonlyenabledif:(i)theenvironmentisinstate

N_GREEN;

(ii)thereisnotraininthetunnel.Upon performing this action the environment movesto state P _GREEN. Therefore the transitionlocks the tunnel to serve prioritisedtrainsanditcanhappenirrespectiveofwhethertherearenormaltrainswaitingtobeserved.

Theabove transitionsaredepictedinFig. 5fora fragmentoftheconcretesystemwithtwoprioritisedtrainsandtwo normaltrains.

2.3.3. Autonomous robot

We now considera parameterised version ofthe autonomous robot (AR) scenario from[6].The scenario includes an autonomousrobotrunningalonganendlessstraighttrack.Thepositionoftherobotisgivenintermsoflocationsnumbered as0

,

1

,

2

,

. . .

.Therobotcanonlymoveforwardalongthetrackstartingatposition0anditsmovementiscontrolledbythe environment.Asensorisattachedtotherobotmeasuringitsposition.Thesensorisfaultyinthesensethatasensorreading atposition

q can

beanyofthevaluesin

{

q

−

1

,

q

,

q

+

1

}

.Theonlyactiontherobotcanperformistohalt.Iftherobothalts, thentheenvironmentcannolongermovetherobot.Otherwise,theenvironmentmaymovetherobotonepositionforward ateach time step.The goalof therobot isto halt inthe goalregion GR

= {

2

,

3

,

4

}

.A solutionto theAR probleminthe single robot caseis forthe robotto donothingwhilethevalue ofits sensorislessthan3andtohalt oncethe valueof its sensorisgreaterthan orequalto3[6].Weshow inSection 7thatthissolutionapplies tothearbitrarycasewithan unboundednumberofrobots.

Wemodelageneralisationoftheabovedescriptioninwhichanarbitrarynumberofrobotsrunsynchronouslyalongthe trackandinwhichtherobotshaveaccesstoauniquesharedsensor.Toillustratetherole-synchronousactions,weassume asecond typeofrobots,identicaltothedescriptionoftheﬁrsttype, butwithnoaccesstoasensor.Werefer tothetwo typesofrobotsastype 1robotsandtype 2robots,respectively.Type 2robotshaltafterreceivinga

halting

event from type 1 robots.Theeventissignaledafterthetype 1robotshavehalted.

WeencodetheARscenarioasaPIIS

S

ARcomposedofatemplateagent

TR1 representing

robotswithaccesstoasensor, a templateagent TR2 representing robotswithno accesstoa sensor, andatemplate environment

E

forsynchronisation purposes.Theencodingassumesaﬁnitetrackwith 8distinctlocations.

TR1 is givenby Fig. 6a. Atemplate state representsthe position ofthe robot, its sensor reading, andwhether ithas haltedornot,respectively.

TR2 is

depictedinFig. 6b.Atemplatestaterepresentsthepositionoftherobotandwhetherit hashaltedornot, respectively.Finally,

E

isdeﬁnedby Fig. 6c.Atemplatestate representsthepositionof therobotsand whetherornotthetype 1robotshavehalted.

(11)

Fig. 5. Fragment oftheconcrete systemforthetrain-gate-controller withtwoprioritisedtrainsandtwonormaltrains.Eachglobalstateisa5-tuple representing,fromlefttoright,thelocalstateofthefirstprioritisedtrain,thelocalstateofthesecondprioritisedtrain,thelocalstateofthecontroller,the localstateofthefirstnormaltrainandthelocalstateofthesecondnormaltrain.InthefigureW standsforWAIT,PG forP _GREEN,L forTUNNEL_LOCKED, T forTUNNEL,R forRED,A forAWAY,andNG forN_GREEN.

•

move+

,

move=

,

move−.Theseareglobal-synchronousactions.Aconcretetransitionviatheseactionscausesalltherobots to move one step forwards. Additionally, type 1 robots change their sensor readingto be either the correctreading (move=),thecorrectreadingplus 1(move+),orthecorrectreadingminus 1(move−).

•

halt. Therole-synchronous action

halt is

enabledatanystate inwhichthesensor readingoftype 1robotsis greater than orequalto 3. Type 1robotshalt upon thistransitionandthe environmentstoresinits state thefact thatthey havehalted.

•

signal. Followingthe above transition, a concrete transition via the global-synchronous action signal is enabled. The transitioncausesthetype 2robotstohalt.

(12)

Fig. 6. The parameterised interleaved interpreted system of the autonomous robot.

2.4. The systems

SMR,

SGS,

SFE

Becauseoftheirimportancewithrespecttotheir amenabilitytoveriﬁcation,wenowidentifythreenoteworthyclasses ofPIIS.Theclassescorrespondtodifferentcombinationsoftemplateactions.Theyaredeﬁnedasfollows.

SMR

istheclassofPIISgeneratedfromagent templatesdeﬁnedonlyonasynchronous,agent-environment,and multi-roleactions.

SMR =

⎧

⎨

⎩

S

:

S

is a PIIS composed of k

≥

1 roles such that

1≤i≤k RSi

= ∅

and GS

= ∅

⎫

⎬

⎭

Decentralisedsystemsmaybeencodedin

SMR

usingthemachineryofmulti-roleactions,whereascentralisedsystems canbe representedin

SMR

usingthecommunicationprimitiveofagent-environmentactions. Asaresult, the

SMR

class isparticularlysuitableformodellingswarmrobotics,whicharenaturally decentralisedsystems,butinteractingwiththeir environment[58].

SGS

istheclassofPIIS generatedfromagenttemplates deﬁnedonlyonasynchronous,agent-environment,and global-synchronousactions.

SGS =

⎧

⎨

⎩

S

:

S

≥

1 roles such that

1≤i≤k RSi

= ∅

and

1≤i≤k MRi

= ∅

⎫

⎬

⎭

Thisclasscanrepresentbroadcast protocols[37],cachecoherenceprotocols,swarmaggregationalgorithmsinagrid envi-ronment,andseveralscenarioswheresynchronoushandshakingisrequired.

SFE

is theclass ofPIIS generated fromagent templates deﬁnedonly onasynchronous, role-synchronous, and global-synchronousactions.

SFE =

⎧

⎨

⎩

S

:

S

≥

1 roles such that

1≤i≤k AEi

= ∅

and

1≤i≤k MRi

= ∅

⎫

⎬

⎭

The absence ofagent-environment actions impliesthat all theagents evolve in the sameway followingsynchronisation withtheenvironment.Differentlyfromthe

SMR

and

SGS

classes,the PMCPforthisclassis,aswewillshow,decidable. Thisgivesclearadvantageswhenprotocolscanbeexpressedby

SFE

.

Anexampleofan

SMR

systemistherobotforagingscenariodiscussedinSection2.3.1,anexampleofan

SGS

systemis thetrain-gate-controllerdescribed inSection2.3.2,an exampleofan

SFE

systemistheautonomousrobot examplegiven inSection2.3.3.Wewillstudythe

SMR

,

SGS

,and

SFE

classesindetailinSection5,Section6,andSection7,respectively.

3. TheparameterisedspeciﬁcationlanguageindexedACTL∗K

\

X

We verifyparameterised MAS against propertiesexpressed in indexed ACTL∗K

\

X . Thislogic extends ACTL∗K

\

X [13]

by introducingindexedatomicpropositionsandindexedepistemic modalities.Aswe describebelowindices enableusto expresspropertiesirrespectively ofthe numberofagentspresent. Weﬁrst recall ACTL∗K

\

X ; wethen introduce indexed ACTL∗K

\

X . Thisisfollowedby thedeﬁnitionofanotionofsimulationbetweenconcretesystemsandananalysisonthe preservationoflogicalsatisfactionbetweensimilarsystems.

(13)

3.1. ACTL∗K

\

X

ACTL∗K

\

X is atemporal-epistemiclogiccombiningtheepistemiclogicS5withthetemporallogicACTL∗

\

X , theuniversal fragment of CTL∗ without thenext time operator X . Note thatrestrictions on thespecificationlanguage are typically as-sumedinparameterisedverificationgiventheproblem’sgeneralundecidability.Itisknownthatifthelanguagecanexpress the numberof agentsin thesystem, then the parameterised verificationproblemis undecidable [51]. The next operator is thereforeexcludedto accommodatethis[62,46,51].Wefurther restrictthe languageto universalpathquantification to establishthebehaviouralequivalenceresultsrequired,aspresentedinSection5,Section6,andSection7.

Givensetsofatomicpropositions

AP

1

,

. . . ,

APk foreachagenttemplateandaset

A(¯

n

)

ofconcreteagents,thestateand pathformulaeofACTL∗K

\

X are deﬁnedbythefollowingBNFexpressions:

φ

::= (

p

,

j

)

| ¬(

p

,

j

)

| φ ∧ φ | φ ∨ φ |

K_ij

φ

|

A

(ψ )

ψ

::= φ | ψ ∧ ψ | ψ ∨ ψ |

U

(ψ, ψ )

|

R

(ψ, ψ )

where

φ

and

ψ

arestateandpathformulae,

(

i

,

j

)

∈

A(¯

n

)

(1

≤

i

≤

k

,

1

≤

j

≤ ¯

n

(

i

)

),and

p

∈

APi.Theknowledgemodality

K

ij standsfor“agent j of role

i knows

that”;thepathquantiﬁer

A is

read“forallpaths”;thetemporaloperators

U and R denote

the“until”and“release”modalities.FormulaeexpressedinACTL∗K

\

X are interpretedonamodel

S(¯

n

)

asstandard[6]:the temporalmodalitiesareinterpretedbymeansoftheglobaltransitionrelation,andtheepistemicmodalitiesareinterpreted bytherespectiveepistemicaccessibilityrelations.Wewrite

(S(¯

n

),

g

)

|= φ

(

(S(¯

n

),

π

)

|= φ

respectively)tomeanthatastate formula(pathformularespectively)istrueatastate g (path π respectively)in

S(¯

n

)

.If

S(¯

n

)

isclear,thenwesimplifythe notationto

g

|= φ

(

π

|= φ

respectively).

Deﬁnition3.1

(Satisfaction).

Givenamodel

S(¯

n

)

,thesatisfactionrelation

|=

isinductivelydeﬁnedasfollows.

g

|= (

p

,

j

)

iff

(

p

,

j

)

∈

V(

n

¯

)(

g

)

;

g

|= ¬

p iff not g

|=

p

;

g

|= φ ∧ ψ

iff g

|= φ

and g

|= ψ;

g

|= φ ∨ ψ

iff g

|= φ

or g

|= ψ;

g

|=

K_ij

φ

iff for every g

∈

G such that g

∼

_ijg

,

we have that g

|= φ;

g

|=

A

φ

iff for every

π

∈ (

g

)

we have that

π

|= φ;

π

|= φ

iff

π

(

1

)

|= φ

for any state formula

φ

;

π

|= φ ∧ ψ

iff

π

|= φ

and

π

|= ψ;

π

|= φ ∨ ψ

iff

π

|= φ

or

π

|= ψ;

π

|=

U

(φ, ψ )

iff there is an i

≥

1 such that

π

[

i

] |= ψ

and

π

[

j

] |= φ

for all 1

≤

j

<

i

;

π

|=

R

(φ, ψ )

iff for every i

,

if

π

[

j

] φ,

for all 1

≤

j

<

i

,

then

π

[

i

] |= ψ.

Aformula

φ

issaidtobetruein

S(¯

n

)

,denoted

S(¯

n

)

|= φ

,if

ι

|= φ

.Thecustomaryabbreviationsof

truth and falsity are

assumed:

p

∨ ¬

p,

⊥

p

∧ ¬

p, forsome p

∈

APiand1

≤

i

≤

k. Furtherwedeﬁne

F

φ

U

(

,

φ)

withtheusualmeaning of“Eventually

φ

”,and

G

φ

R

(

⊥,

φ)

standingfor“Always

φ

”.

3.2. Indexed ACTL∗K

\

X

To establish the correctness of a system irrespectively of the number of agents present, we express properties that reﬂect itsparameterised nature.Inotherwords,we areinterested inexpressingcollective behaviours for thesystemunder consideration; thisinterestcorresponds,forexample,to

emergent behaviours

[63] inswarm-basedsystems.Suchproperties are expressible by introducing indexed atomic propositions and indexed epistemic modalities. In particular, the atomic propositions andepistemic modalities appearing in a formulaare indexedwith variables insteadof the identitiesof the concreteagents.Then,givenanarbitraryconcretesystem,thevariablesinaformulaarequantiﬁedovertheconcreteagents inthesystem.ThisgivesanACTL∗K

\

X formula whichcanbeevaluatedontheconcretesystembymeansofDeﬁnition 3.1. Let

VAR

=

VAR1

∪ . . . ∪

VARk betheunionofdisjointsetsofvariablesymbols,whereeach

VAR

i isassociatedwithrole

i,

andrecallthat

AP

1

,

. . . ,

APkaredisjointsetsofatomicpropositions,oneforeachtemplaterole.Thestateandpathformulae ofindexedACTL∗K

\

X are deﬁnedasthestateandpathformulaeofACTL∗K

\

X , butbuiltfromtemplateatomicpropositions, andwitheach propositionp

∈

APi andepistemicmodality

K

i (notethat onlythetemplateroleisspeciﬁedinKi)indexed by avariable v

∈

VARi.Thedomainofa variable v

∈

VARi appearing inaformula

φ

isdeﬁnedby theconcretesystemon which

φ

isevaluated:if

φ

isevaluatedon

S(¯

n

)

,thenthepotentialsetofvaluesfor

v is

{

1

, . . . ,

n

¯

(

i

)

}

.Wewrite

φ (

v

¯

)

,where

¯

v

= (

V1

,

. . . ,

Vk

)

is a

k-tuple

ofsets of variables,to indicate that each ofthe variables v

∈

Vi (Vi

⊆

VARi) appears inan atomicpropositionorepistemicmodality in

φ

.Wesaythat

φ (

v

¯

)

isanm-indexed

¯

formula,wherem is k-tuple

¯

ofnatural