Towards Formal Methods for Agent-Based Systems

This paper considers how formal methods might be developed for use in agent-based systems. In particular, it presents an approach based upon the description of agents using temporal specifications. Not only can these specifications be executed directly to provide the behaviour of an individual agent, but collections of such descriptions can be executed under a specific operational model in order to give the behaviour of multi-agent systems. In addition to animating their behaviour, verification of the agent descriptions with respect to required logical properties can be carried out; the paper outlines how temporal belief logics can be used to achieve this. Finally, the current limitations of this work are considered and its extension towards the ultimate goal of a full formal development framework for agent-based systems is discussed.


Introduction
The technology of intelligent agents and multi-agent systems provides the software developer with a powerful tool for approaching a complex and important class of software application problems for which mainstream software engineering techniques provide no solution.However, the successful application of agent technology will ultimately depend upon the development and use of principled methodologies for engineering agent-based systems.While many researchers and practitioners are building agent-based systems, almost none are directing research effort at methodologies for agent systems [20].
This paper describes one particular approach to agent-system specification and implementation.Our work lies within the mainstream software engineering tradition of formal methods: such methods have a long and influential history and we believe they have much to offer the agent-system builder.Specifically, our approach provides: a powerful abstract notation for specifying multi-agent systems, based on temporal multi-modal logic; a high-level agent-based programming language, closely related to our specification language, allowing early prototyping; a framework for verifying that our systems meet their specification.
(The approach is described in more detail in [11].)The high-level specification framework is based on the use of a temporal belief logic.The temporal component of the logic allows us to represent the dynamic nature of multi-agent systems, and in particular, to specify liveness and safety requirements.The belief component of the logic allows us to specify the information state of agents -the knowledge they have about the environment they occupy, which may contain other agents.This aspect of a system is essential if we are to reason about agents' decision making processes.
The multi-agent programming language is known as Concurrent METATEM [15]: in this language, agents are programmed by giving them a temporal logic specification of the behaviour it is intended they should exhibit.An agent's behaviour is generated at run-time by directly executing its specification under an appropriate operational model [2].Finally, the verification aspect of our framework is based on an axiomatization of Concurrent METATEM within the temporal belief logic.This axiomatization allows us to develop, for any arbitrary Concurrent METATEM system, a temporal belief logic theory representing the properties of that system.Verification proceeds by showing that the specification of the system follows from the theory of the system.To enable verification to take place, we have developed a range of proof methods for the temporal belief logic, based on both semantic tableaux and resolution proof methods [12,21].
The remainder of the paper is structured as follows.In x2, we outline how the behaviour of agents is provided and introduce the temporal natation used, while, in x3, we describe Concurrent METATEM in more detail.In x4, we develop a Temporal Belief Logic (TBL), discuss various approaches to defining the semantics of this logic and use it to axiomatize the properties of Concurrent METATEM systems.Finally, comments and conclusions are presented in x5.

Describing Agents using Temporal Logic
We use temporal logic to specify the behaviour of an individual agent as it provides the core elements for representing dynamic behaviour, in particular: a description of behaviour at the current moment; a description of transitions that might occur between current and next moments; a description of situations that will occur at some (unspecified) moment in the future.

A Simple Temporal Logic
We next give a definition of the propositional temporal logic used for describing agent behaviour (called PML); for a fuller account of the properties and applications of temporal logic see, for example, [5].
PML is essentially classical propositional logic augmented by a set of modal connectives for referring to the temporal ordering of actions.PML is based on a model of time that is linear (i.e., each moment in time has a unique successor), bounded in the past (i.e., there was a moment that was the 'beginning of time'), and infinite in the future (i.e., there are an infinite number of moments in the future).

Definition 1
The language of PML contains the following symbols: 1. a countable set, Prop, of proposition symbols;

the punctuation symbols ')' and '('.
All the remaining propositional and temporal connectives are introduced as abbreviations (see x2.1.2).The set of well-formed formulae of PML is defined as follows.
Definition 2 Well-formed formulae of PML, WFF p , are defined by the following rules.

All proposition symbols are in WFF p ;
BCS-FACS Northern Formal Methods Workshop, 1996 hM; ui j = true hM; ui j = p iff p (u; p) = T h M ; u i j = : iff hM; ui 6 j = h M ; u i j = _ iff hM; ui j = or hM; ui j = h M ; u i j = g iff hM; u + 1 i j = h M ; u i j = c c d e e f g g iff u > 0 and hM; u 1i j = h M ; u i j = U iff 9v 2 IN (u v) and hM; vi j = and 8w 2 f u ; : : : If is in WFF p then so are :, g and c c d e e f f g ; 3. If and are in WFF p then so are _ , U , and S ; 4. If is in WFF p , then so is ().

Semantics
The meaning of the temporal connectives is quite straightforward, with formulae being interpreted at a particular moment in time.If and are well-formed formulae of PML, then g is satisfied at the current moment in time if is satisfied at the next moment in time, while U is satisfied now if is satisfied at some future moment, and is satisfied until then.The past-time connectives are similar: c c d e e f g g is satisfied at the current moment in time if there was a last moment in time and was satisfied then; S is satsfied at the current moment in time if was satisfied at some previous moment in time, and has been satisfied since then More formally, we define a model, M, for PML as a structure h; p i where is the ordered set of states s 0 ; s 1 ; s 2 ; : : : representing 'moments' in time, and p : I N Prop !f T ; F g is a function assigning T or F to each atomic proposition at each moment in time.
As usual, we use the relation ' j =' to give the truth value of a formula in a model M, at a particular moment in time u.This relation is defined for well-formed formulae of PML in Fig. 1.Note that these rules only define the semantics of the basic propositional and temporal connectives; the remainder are introduced as abbreviations (we omit the propositional connectives, as these are standard): w def = : c c d e e f g g : Towards Formal Methods for Agent-Based Systems Note that the 'start' operator is particularly useful in that it can only ever be satisfied at the first moment in time.We will see in the next section that this plays an important role in the definition of a normal form for PML.

A Normal Form for Temporal Formulae
While we use arbitrary PML formulae to specify agent behaviour, it is often useful to translate such formulae into a normal form.The normal form we use is called Separated Normal Form (SNF) as it separates past-time from present and future-time formulae.It has been used to provide the basis for clausal proof methods [13] and execution methods [2], and can be defined as follows [14].Formulae in SNF are where each 'P i ) F i ' (called a rule) is constructed as follows.
where l k , m j , and l are literals.
In addition to being relatively easy to generate an SNF translation of an arbitrary PML formula, this normal form provides us with an intuitive representation for temporal formulae.To illustrate this, we below provide a few simple examples of properties that might be represented directly as SNF rules.

Specifying initial conditions:
start ) sad Defining transitions between states: c c d e e f g g (sad : rich) ) sad Introducing new eventualities (goals):

Animating Individual Agents
A Concurrent METATEM system contains a number of concurrently executing agents, each directly executing a temporal logic specification, provided by a set of SNF rules.Execution of such a specification, ', is taken to mean constructing a model, M, for ', i.e.M j = PML '.
Given a set of SNF rules, there are many ways to go about constructing an appropriate model and thus animating the specification [8].The mechanism we use is based upon the METATEM paradigm of executable temporal logics [1].
The key idea that underpins this approach was intrpoduced by Gabbay [17], involves executing each antecedent about past ) consequent about future rule by, on the basis of the past antecendent, imperatively making the future consequent true.This approach is called the Imperative Future paradigm [17].
Thus, the execution of an agent's specification is carried out by, at each moment in time, checking the past-time consequents of its rules and collecting together present and future-time constraints.A choice among these constraints is then made and execution continues to the next state.Thus, this approach utilises a form of forward chaining.This basic execution is further constrained by attempting to satisfy goals, such as }g.If only a subset of the goals can be satisfied at a given state, the oldest outstanding goals are attempted first.Any remaining unsatisfied are passed on as constraints to the next state.
In METATEM, execution is allowed to backtrack if a contradiction is found.However, in Concurrent METATEM backtracking is not allowed past the output of a message to the agent's environment (see below).Thus, the agent has effectively committed its execution after a message is output.

Execution in a Multi-Agent Environment
While we described the execution of a single specification in the previous section, Concurrent METATEM executes an evolving set of agent descriptions concurrently, allowing asynchronous communication between them.In Concurrent METATEM [15], each agent has two main components: an interface, which defines how the agent may interact with its environment (i.e., other agents); a computational engine, which defines how the agent may act.
In Concurrent METATEM the computational engine is simply provided by direct execution of the agent's temporal rules using the METATEM paradigm.An agent's interface consists of three components: a unique agent identifier (or just agent id), which names the agent; a set of symbols defining what messages will be accepted by the agent -these are called environment propositions; a set of symbols defining messages that the agent may send -these are called component propositions.
For example, the interface definition of a 'car' agent might be:

car(go; stop; turn)[fuel; overheat]
Here, car is the agent id that names the agent, fgo; stop; turng are the environment propositions, and ffuel; overheatg are the component propositions.Within the individual agent's execution, if a component predicate is satisfied, this has the side-effect of broadcasting the value of that proposition to all other agents.If a particular message is received, a corresponding environment proposition is made true in the agent's execution.
Although the use of only broadcast message-passing may seem restrictive, not only can standard point-to-point message-passing be easily simulated by adding an extra 'destination' argument to each message, but also the use of broadcast message-passing as the communication mechanism gives the language the ability to define more adaptable and flexible systems [7,4,3,19].
Finally, not only are agents autonomous, having control over which (and how many) messages to send and receive, but they can form groups within the agent space.Groups are dynamic, open and first-class, and this natural structuring mechanism and has a variety of diverse applications [7,9,16].

Example: Competing Academics
In this section, we provide a simple example of a multi-agent system, represented in PML, that can be executed using Concurrent METATEM.This example is a variation of the Snow White system so over-used in papers on Concurrent METATEM and considers competition between three agents (representing academics) to secure funding from a funder agent.In order to secure funding, the agents must send apply messages.These are processed by the funder and appropriate grant messages are then sent out.
The behaviour of the agents involved is presented in Fig. 2, and is described below.Note that we, for clarity, we have used the first order version of the language.prof1 wants to apply at every cycle (perhaps a professor from a MMU?) in order to maximise the chances of achieving a grant.This is achieved because in the agent's first rule, start is satisfied at the beginning of time, and so an apply message is broadcast then, thus ensuring that c c d e e f g g apply(prof 1) is satisfied in the next moment, thus firing rule 2, and so on.prof2 needs to be spurred into applying by seeing that prof1 has applied (perhaps prof2 is a professor from another 'new' university?).Thus, the agent's one rule is triggered when an appropriate apply is seen.
prof3 only thinks about applying when it sees that prof1 has achieved some funding (perhaps prof3 is a professor from an 'old' university?).Again its single rule is activated once a grant(prof1) message has been received.Finally, the funder will accept apply messages and promises to grant to each applicant at some point in the future (first rule).However, funder will only grant to at most one applicant at a time (second rule).This relatively simple example demonstrates a number of features of Concurrent METATEM: safety and liveness rules (in funder); several agents sending the same message; different interfaces; and, broadcast enabling behaviour of one agent to be dependent on messages sent to/from others.
In the next section, we consider how propertiees of the system we described in x2 may be verified.

BCS-FACS Northern Formal Methods Workshop, 1996 4 Verifying Properties of Temporal Descriptions
In order to reason about multiple agents, each containing a temporal specification, we introduce a temporal belief logic.Like PML, Temporal Belif Logic (TBL) is a linear discrete temporal logic, with bounded past and infinite future.In TBL, the language of PML is extended to include '[i]'', where ' is a temporal formula and i is an agent id, representing the 'belief' by agent i that ' is true.Thus, this extension allows us to describe the properties of formulae that are local to an agent.We now formally define the syntax of TBL, and examine two alternative semantics for this type of language.
Syntactically, TBL can be thought of as PML augmented by an indexed set of unary modal operators [i], (applied to formulae of PML), and closed under the propositional and temporal connectives of PML.The 'i' in [i] is an agent id.A TBL formula of the form [i] should be read " is in i's current state."Thus if is a history formula, this would say that was in i's history; if was a rule, this would say that was one of i's rules, and if were a commitment, it would say that i was committed to .

Definition 3
The language of TBL contains all the symbols of PML, and in addition the square brackets '[' and ']' and a countable set, obj, of agent ids.Definition 4 Well-formed formulae of TBL are defined by the following rules: 1. TBL contains all formulae of PML; 2. If is a formula of PML and i 2 obj then [i] is a formula of TBL;

TBL is closed under the propositional and temporal connectives of PML.
There many possible ways of defining the semantics of TBL.Two that we have investigated are as follows: Wooldridge's TBL [24,22].This logic is similar to L B that Konolige developed for his deduction model of belief [18], and has been extensively studied as a formalism for multi-agent systems [24,11].
It extends PML models with a function mapping each agent id and each moment in time to a set of PML formulae representing the agent's state at that moment in time.Thus, a model, M, for TBL is a structure h; p ; Oiwhere O : obj IN !powerset(WFF p ) and and p are as in PML.
The formula [i] will be satisfied if is in i's state at the appropriate time.This gives the following additional semantic rule, for formulae of the form [i].
hM; ui j = [ i ] iff 2 O ( i ; u ) Other formulae are interpreted using the same rules as before.We will call this grounded TBL.
The second approach is to treat the [i] operator as a normal modal connective with Kripke semantics given by a serial, transitive, euclidean accessibility relation, giving a belief logic KD45 [6].
Models for this approach are slightly more complex, consisting of two relations, one for the temporal axis and one for the modal one.Points now exist in two dimensional space, rather than just in a sequence.
Thus, a model, M, for TBL is a structure hS; p ; N ; R i i where R i : ( S S Ag) !(S S) defines the modal relation for each agent id, while N : ( S S ) ! ( S S )

BCS-FACS Northern Formal Methods Workshop, 1996
The proof methods we have for temporal belief logics such as TBL are currently restricted to the propositional case -proof methods for (restricted) first-order temporal belief logics will be required if we hope to verify properties of realistic systems.
The theoretical complexity of proof methods for temporal belief logics -even in the propositional case -is likely to limit the applicability of such methods in general.