Modelling and verification of reconfigurable multi-agent systems

We propose a formalism to model and reason about reconfigurable multi-agent systems. In our formalism, agents interact and communicate in different modes so that they can pursue joint tasks; agents may dynamically synchronize, exchange data, adapt their behaviour, and reconfigure their communication interfaces. Inspired by existing multi-robot systems, we represent a system as a set of agents (each with local state), executing independently and only influence each other by means of message exchange. Agents are able to sense their local states and partially their surroundings. We extend ltl to be able to reason explicitly about the intentions of agents in the interaction and their communication protocols. We also study the complexity of satisfiability and model-checking of this extension.


Introduction
In recent years formal modelling of multi-agent systems (MAS) and their analysis through model checking has received much attention [49,32].Several mathematical formalisms have been suggested to represent the behaviours of such systems and to reason about the strategies that agents exhibit [32,7].For instance, modelling languages, such as RM [6,24] and ISPL [32], are used to enable efficient analysis by representing these systems through the usage of BDDs.Temporal logics have been also extended and adapted (e.g., with Knowledge support [19] and epistemic operators [22]) specifically to support multi-agent modelling [23].Similarly, logics that support reasoning about the intentions and strategic abilities of such agents have been used and extended [15,41].
These works are heavily influenced by the formalisms used for verification (e.g., Reactive Modules [6,5], concurrent game structures [7], and interpreted systems [32]).They rely on shared memory to implicitly model interactions.It is generally agreed that explicit message passing is more appropriate to model interactions among distributed agents because of its scalability [28,10].However, the mentioned formalisms trade the advantages of message passing for abstraction, and abstract message exchange by controlling the visibility of state variables of the different agents.Based on an early result, where a compilation from shared memory to message passing was provided [9], it was believed that a shared memory model is a higher level abstraction of distributed systems.However, this result holds only in specific cases and under assumptions that practically proved to be unrealistic, see [3].Furthermore, the compositionality of shared memory approaches is limited and the supported interaction interfaces are in general not very flexible [11].Alternatively, message passing formalisms [39] are very compositional and support flexible interaction interfaces.However, unlike shared memory formalisms, they do not accurately support awareness capabilities, where an agent may instantaneously inspect its local state and adapt its behaviour while interacting.The reason is that they model agents as mathematical expressions over interaction operators.Thus the state of an agent is implicit in the structure of the expression.
To combine the benefits of both approaches recent developments [47,3] suggest adopting hybrids, that accurately represent actual distributed systems, e.g., [4,36].We propose a hybrid formalism to model and reason about distributed multi-agent systems.A system is represented as a set of agents (each with local state), executing concurrently and only interacting by message exchange.Inspired by multi-robot systems, e.g., Kilobot [43] and Swarmanoid [16], agents are additionally able to sense their local states and partially their surroundings.Interaction is driven by message passing following the interleaving semantics of [39]; in that only one agent may send a message at a time while other agents may react to it.To support meaningful interaction among agents [48], messages are not mere synchronisations, but carry data that might be used to influence the behaviour of receivers.
Our message exchange is adaptable and reconfigurable.Thus, agents determine how to communicate and with whom.Agents interact on links that change their utility based on the needs of interaction at a given stage.Unlike existing message-passing mechanisms, which use static notions of network connectivity to establish interactions, our mechanisms allow agents to specify receivers using logical formulas.These formulas are interpreted over the evolving local states of the different agents and thus provide a natural way to establish reconfigurable interaction interfaces (for example, limited range communication [36], messages destined for particular agents [1], etc.).
The advantages of our formalism are threefold.We provide more realistic models that are close to their distributed implementations, and how actual distributed MAS are developed, e.g., [27].We provide a modelling convenience for high level interaction features of MAS (e.g., coalition formation, collaboration, self-organisation, etc), that otherwise have to be hard-coded tediously in existing formalisms.Furthermore, we decouple the individual behaviour of agents from their interaction protocols to facilitate reasoning about either one separately.
In addition, we extend ltl to characterise messages and their targets.This way we allow reasoning about the intentions of agents in communication.Our logic can refer directly to the interaction protocols.Thus the interpretation of a formula incorporates information about the causes of assignments to variables and the flow of the interaction protocol.We also study the complexity of satisfiability and Model-checking for our logic.
This article is an extended and revised version of the conference paper presented in [2].The major extensions in this article consist of: (i) a compositional and enumerative semantic definition of the proposed formalism, that coincides with the early symbolic one.The new definition facilitates reasoning about the individual behaviour of agents and their compositions with others.For this purpose, we defined a parallel composition operator with reconfigurable broadcast and multicast semantics.Thus, the definition is not only intuitive, but can also be used to reason about models under open-world assumption; (ii) a major improvement on our early results [2] regarding satisfiability and model checking, that were computed in an expspace upper bound.Here, we provide a novel automata construction that permits pspace analysis, matching the lower bound.Thus, this part is majorly rewritten and improved.Moreover, we enhance the presentation of the different parts of the article and provide the proofs of all results.
The structure of this article is as follows: In Sect.2, we informally present our formalism and motivate our design choices.In Sect.3, we give the necessary background and in Sect. 4 we present the compositional semantic definition.In Sect. 5 we introduce the formalism both in terms of enumerative and symbolic semantics, and we prove that they coincide.In Sect.6, we present a non-trivial case study to show the distinctive features of our formalism.In Sect.7 we discuss our extension to LTL and provide efficient decision procedures to check both satisfiability and model checking in polynomial space.Finally, in Sect.8 we discuss our concluding remarks.

An informal overview
We use a collaborative-robot scenario to informally illustrate the distinctive features of our formalism and we later formalise it in Section 6.The scenario is based on Reconfigurable Manufacturing Systems (RMS) [29,34], where assembly product lines coordinate autonomously with different types of robots to produce products.
In our formalism, each agent has a local state consisting of a set of variables whose values may change due to either contextual conditions or side-effects of interaction.The external behaviour of an agent is only represented by the messages it exposes to other agents while the local one is represented by changes to its state variables.These variables are initialised by initial conditions and updated by send-and receive-transition relations.In our example, a product-line agent initiates different production procedures based on the assignment to its product variable "prd", which is set by the operator, while it controls the progress of its status variable "st" based on interactions with other robots.Furthermore, a product-line agent is characterised: (1) externally only by the recruitment and assembly messages it sends to other robots and (2) internally by a sequence of assignments to its local variables.
Before we explain the send-and receive-transition relations and show the dynamic reconfiguration of communication interfaces we need to introduce a few additional features.We assume that there is an agreed set of channels/links ch that includes a unique broadcast channel .Broadcasts have non-blocking send and blocking receive while multicasts have blocking send and receive.In a broadcast, receivers (if exist) may anonymously receive a message when they are interested in its values and when they satisfy the send guard.Otherwise, the agent does not participate in the interaction either because they cannot (do not satisfy the guard) or because they are not interested (make an idle transition).In multicast, all agents connected to the multicast channel must participate to enable the interaction.For instance, recruitment messages are broadcast because a line agent assumes that there exist enough robots to join the team while assembly messages are multicast because they require that the whole connected team is ready to assemble the product.
Agents dynamically decide (based on local state) whether they can use (i.e., connect-to) multicast channels while the broadcast channel is always available.Thus, initially, agents may not be connected to any channel, except for the broadcast one .These channels may be learned using broadcast messages and thus a structured communication interface can be built at run-time, starting from a (possibly) flat one.
Agents use messages to send selected data and specify how and to whom.Namely, the values in a message specify what is exposed to the others; the channel specifies how to coordinate with others; and a send guard specifies the target.Accordingly, each message carries an assignment to a set of agreed data variables d, i.e., the exposed data; a channel ch; and a send guard g s .In order to write meaningful send guards, we assume a set of common variables cv that each agent stores locally and assigns its own information (e.g., the type of agent, its location, its readiness, etc.).Send guards are expressed in terms of conditions on these variables and are evaluated per agent based on their assigned local values.Send guards are parametric to the local state of the sender and specify what assignments to common variables a potential receiver must have.For example, an agent may send a dedicated link name to a selected set of agents by assigning a data variable in the communicated message and this way a coalition can be built incrementally at run-time.In our RMS, the send guard of the recruitment message specifies the types of the targeted robots while the data values expose the number of required robots per type and a dedicated multicast link to be used to coordinate the production.
Targeted agents may use incoming messages to update their states, reconfigure their interfaces, and/or adapt their behaviour.In order to do so, however, agents are equipped with receive guards g r ; that might be parametrised to local variables and channels, and thus dynamically determine if an agent is connected to a given channel.The interaction among different agents is then derived based on send-and receive-transition relations.These relations are used to decide when to send/receive a message and what are the side-effects of interaction.Technically, every agent has a send and a receive transition relation.Both relations are parameterised by the state variables of the agent, the data variables transmitted on the message, and by the channel name.A sent message is interpreted as a joint transition between the send transition relation of the sender and the receive transition relations of all the receivers.For instance, a robot's receive guard specifies that other than the broadcast link it is also connected to a multicast link that matches the current value of its local variable "lnk".The robot then uses its receive transition relation to react to a recruitment message, for instance, by assigning to its "lnk" the link's data value from the message.
Furthermore, in order to send a message the following has to happen.The send transition relation of the sender must hold on: a given state of the sender, a channel name, and an assignment to data variables.If the message is broadcast, all agents whose assignments to common variables satisfy the send guard jointly receive the message, the others discard it.If the message is multicast, all connected agents must satisfy the send guard to enable the transmission (as otherwise they block the message).In both cases, sender and receivers execute their send-and receive-transition relations jointly.The local side-effect of the message takes into account the origin local state, the channel, and the data.In our example, a (broadcast) recruitment message is received by all robots that are not assigned to other teams (assigned ones discard it) and as a side effect they connect to a multicast channel that is specified in the message.A (multicast) assembly message can only be sent when the whole recruited team is ready to receive (otherwise the message is blocked) and as a side effect the team proceeds to the next production stage.
Clearly, the dynamicity of our formalism stems from the fact that we base interactions directly over the evolving states of the different agents rather than over static notions of network connectivity as of existing approaches.

Transition Systems and Finite Automata
We unify notations and give the necessary background.We introduce doubly-labeled transition systems and discrete systems and show how to translate the former to the latter.We further introduce nondeterministic and alternating Büchi word automata.

Transition Systems and Discrete
where Σ is a state alphabet, Υ is a transition alphabet, S is a set of states, S 0 ⊆ S is a set of initial states, R ⊆ S × Υ × S is a transition relation, and L : S → Σ is a labeling function.
A path of a transition system T is a maximal sequence of states and transition labels σ = s 0 , a 0 , s 1 , a 1 , . . .such that s 0 ∈ S 0 and for every j ≥ 0 we have (s i , a i , s i+1 ) ∈ R. We assume that for every state s ∈ S there are a ∈ Υ and s ∈ S such that (s, a, s ) ∈ R. Thus, a sequence σ is maximal if it is infinite.If |Υ| = 1 then T is a state-labeled transition system and if |Σ| = 1 then T is a transition-labeled transition system.
We introduce Discrete Systems (DS) that represent state-labeled systems symbolically.A DS is D = V , θ, ρ , where the components of D are as follows: • V = {v 1 , ..., v n }: A finite set of typed variables.Variables range over discrete domains, e.g., Boolean or Integer.
A state s is an interpretation of V , i.e., if D v is the domain of v, then s is in vi∈V D vi .We assume some underlying first-order language over V that includes (i) expressions constructed from the variables in V , (ii) atomic formulas that are either Boolean variables or the application of different predicates to expressions, and (iii) assertions that are first-order formulas constructed from atomic formulas using Boolean connectives or quantification of variables.Assertions, also sometimes called state formulas, characterize states through restriction of possible variable values in them.
• θ : This is an assertion over V characterising all the initial states of the DS.A state is called initial if it satisfies θ. • ρ : A transition relation.This is an assertion ρ(V ∪ V ), where V is a primed copy of variables in V .The transition relation ρ relates a state s ∈ Σ to its D-successors s ∈ Σ, i.e., (s, s ) |= ρ, where s is an interpretation to variables in V and s is for variables in V .
The DS D gives rise to a state transition system T D = Σ, {1}, T, T 0 , R , where Σ and T are the set of states of T D , T 0 is the set of initial states, and R is the set of triplets (s, 1, s ) such that (s, s ) |= ρ.Clearly, the paths of T D are exactly the paths of D, but the size of T D is exponentially larger than the description of D.
A common way to translate a DLTS into a DS, which we adapt and extend below, would be to include additional variables that encode the transition alphabet.Given such a set of variables V Υ , an assertion ρ(V ∪ V Υ ∪ V ) characterises the triplets (s, υ, s ) such that (s, υ, s ) |= ρ, where s supplies the interpretation to V , υ to V Υ and s to V .
3.2.Finite Automata on Infinite Words.We use the automata-theoretic approach to linear temporal logic [46].Thus, we translate temporal logic formulas to automata.We give here the necessary background.
For an alphabet Σ, the set Σ ω is the set of infinite sequences of elements from Σ.Given an alphabet Σ and a set D of directions, a Σ-labeled D-tree is a pair (T, τ ), where T ⊆ D * is a tree over D and τ : T → Σ maps each node of T to a letter in Σ.A path π of a tree T is a set π ⊆ T such that ∈ π and for every x ∈ π either x is a leaf in T or there exists a unique γ ∈ D such that x • γ ∈ π.
For a finite set X, let B + (X) be the set of positive Boolean formulas over X (i.e., Boolean formulas built from elements in X using ∧ and ∨), where we also allow the formulas true and false.For a set Y ⊆ X and a formula θ ∈ B + (X), we say that Y satisfies θ iff assigning true to elements in Y and assigning false to elements in X \ Y makes θ true.
and for all i ≥ 0 we have q i+1 ∈ δ(q i , σ i+1 ).For a run r, we denote the set of automaton states visited infinitely often by inf (r), i.e., inf (r) = {q | q appears infinitely often in r}.A run is accepting if inf (r) ∩ F = ∅.The NBW N accepts w if there exists an accepting run of N on w.We say that w is in the language of N and denote by L ω (N ) the set of words accepted by N .
Definition 2 (Alternating Büchi Word Automata (ABW)).An alternating Büchi word automaton is of the form A = Σ, Q, q in , δ, F , where Σ is the input alphabet, Q is a finite set of states, δ : Q × Σ → B + (Q) is a transition function, q in ∈ Q is an initial state, and F ⊆ Q specifies a Büchi acceptance condition.

A run of an ABW
tree, (T, τ ), where τ ( ) = q in and, for every x ∈ T , we have {τ A run of A is accepting if all its infinite paths satisfy the acceptance condition.For a path π, let inf (π) = {q | q appears infinitely often in τ (π)}.A path π is accepting if inf (π) ∩ F = ∅.Thus, every infinite path in the run tree must visit the acceptance set F infinitely often.The ABW A accepts w if there exists an accepting run on w.As before, we denote by L ω (A) the set of words accepted by A.
We state the following well known results about Linear Temporal Logic (LTL), NBW, and ABW (omitting the definition of LTL).

Theorem 4 ([40]
).For every ABW A with n states there is an NBW N such that L ω (N ) = L ω (A).The number of states of N is in 2 O(n) .

Channelled Transition Systems
In this section, we propose Channelled Transition System (CTS) to facilitate compositional modelling of interactive systems.Namely, we extend the format of transition labels of Doubly-Labelled Transition Systems to also specify the role of the transition (i.e., send-or receive-message) and the used communication channels.We define a parallel composition operator that considers both broadcast and multicast semantics and we study its properties.The techniques to prove these results are rather standard.However, we are not familiar with a setup that conveniently allows the existence of transitions to depend on subscription to channels as we suggest below.

Channelled Transition Systems (CTS).
A Channelled Transition System (CTS) is T = C, Σ, Υ, S, S 0 , R, L, ls , where C is a set of channels, including the broadcast channel ( ), Σ is a state alphabet, Υ is a transition alphabet, S is a set of states, S 0 ⊆ S is a set of initial states, R ⊆ S × Υ × S is a transition relation, L : S → Σ is a labelling function, and ls : S → 2 C is a channel-listening function such that for every s ∈ S we have ∈ ls(s).We assume that Υ = Υ + × {!, ?} × C, for some set Υ + .That is, every transition labelled with some υ ∈ Υ + is either a message send (!) or a message receive (?) on some channel c ∈ C.
A path of a CTS T is a maximal sequence of states and transition labels σ = s 0 , a 0 , s 1 , a 1 , . . .such that s 0 ∈ S 0 and for every i ≥ 0 we have (s i , a i , s i+1 ) ∈ R. As before, we assume that for every state s ∈ S there exist a ∈ Υ and s ∈ S such that (s, a, s ) ∈ R. Thus, a sequence σ is maximal if it is infinite.
Remark 5. Note that the transition labels a i of a CTS's path σ = s 0 , a 0 , s 1 , a 1 , . . .range over both send (!) and receive (?) transitions.Depending on the underlying semantics of the CTS, send transitions may happen independently regardless of the existence of receivers, e.g., in case of broadcast semantics.However, receive transitions may only happen jointly with some send transition.By allowing CTS's paths to also range over receive transitions, we can model every system as a collection of (open) systems that interact through message exchange.That is, a receive transition in a system is a hole that is closed/filled when composed with a send transition from another system.A complete system (i.e., with filled holes) is called a closed system.
The analysis in this article considers closed systems where a system path ranges over send transitions only.In other word, we only consider the messages exchanged within the system under consideration.
The parallel composition of systems is defined below.
( is commutative):: we consider all possible joint transitions from T 1 T 2 and we show that they have corresponding transitions in T 2 T 1 and vice versa.We only show one direction and the other direction follows in a similar way.
( is associative):: we consider all possible joint transitions from (T 1 T 2 ) T 3 and we show that they have corresponding transitions in T 1 (T 2 T 3 ) and vice versa.We only show one direction and the other direction follows in a similar way.
Lemma 8 (Non-blocking Broadcast).Given a CTS T 1 and for every other CTS T , we have that for every reachable state (s 1 , s) of T 1 T the following holds.
(s 1 , (υ, !, ), s 1 ) ∈ R 1 implies ((s 1 , s), (υ, !, ), (s 1 , s )) ∈ R T1 T Proof.By Def. 6, we have only two cases to derive ((s 1 , s), (υ, !, ), (s 1 , s )) ∈ R T1 T given that (s 1 , (υ, !, ), s 1 ) ∈ R 1 .Note that, by definition, the condition ∈ ls k (s) always holds for any agent k and in any state s.We show that when the channel is a broadcast , the receiver does not play any role in enabling the transmission on the channel.In other words, it is only sufficient to have a sender to enable a broadcast at system level.More precisely, if (s 1 , (υ, !, ), s 1 ) ∈ R 1 then we have the following: Namely, whether there exists a receiver or not, a broadcast can always happen (cannot be blocked).
Lemma 9 (Blocking Multicast).Given a CTS T 1 and a multicast channel c ∈ C\{ } such that (s 1 , (υ, !, c), s 1 ) ∈ R 1 , then for every other CTS T we have that in every reachable state (s 1 , s) of T 1 T the following holds.
Proof.We show that it is not sufficient to only have a sender on a multicast channel c to enable a send transition at system level.We require that all listening/connected agents to that channel being able to jointly receive the transmitted message.This also implies that if no one is listening then the transition can happen.By Def. 6, there exist only two cases where ((s 1 , s), (υ, !, c), (s 1 , s )) ∈ R T1 T given that (s 1 , (υ, !, c), s 1 ) ∈ R 1 .More precisely, if (s 1 , (υ, !, c), s 1 ) ∈ R 1 then we have the following: Namely, either all receivers jointly participate or no one is listening, as otherwise the multicast on c is blocked.
The other direction of the proof follows similarly.

ReCiPe: Reconfigurable Communicating Programs
We formally present the ReCiPe communication formalism and its main ingredients.We start by specifying agents (or programs) and their local behaviours.We give semantics to individual agents in terms of channelled transition systems (CTS).Therefore, we use the parallel composition operator in Def.6 to compose the individual behaviour of the different agents to generate a global (or a system) one.
While the CTS semantics makes it clear what are the capabilities of individual agents and their interaction, it may not be the most convenient in order to mechanically analyse large systems comprised of multiple agents.Thus, we provide a symbolic semantics at system level using discrete systems.This second semantics enables efficient analysis by representing closed systems through the usage of BDDs.We show that the two semantics (when restricted to closed systems) coincide.The efficient analysis of open ReCiPe systems is left as future work.
We assume that agents agree on a set of common variables cv, a set of data variables d, and a set of channels ch containing the broadcast channel .As explained, common variables are variables that are owned (separately) by all agents.The values of these variables may be different in different agents.The common variables are used in order to have a common langauge to express properties that are interpretable on all agents (as either true or false).

Definition 10 (Agent). An agent is
is the domain of v, then s i is an element in v∈Vi Dom(v).We use V to denote the primed copy of V and Id i to denote the assertion v∈Vi v = v .• f i : cv → V i is a renaming function, associating common variables to local variables.We freely use the notation ) is a send guard specifying a condition on receivers.That is, the predicate, obtained from g s i after assigning s i , ch, and d (an assignment to d) , which is checked against every receiver j after applying f j .• g r i (V i , ch) is a receive guard describing the connection of an agent to channel ch.We let g r i (V i , ) = true, i.e., every agent is always connected to the broadcast channel.We note, however, that receiving a broadcast message could have no effect on an agent.
) is an assertion describing the send transition relation.
) is an assertion describing the receive transition relation.We assume that agents are broadcast input-enabled, i.e., ∀v, d ∃v s.t.T r i (v, v , d, ).In examples, we use keep(X) to denote that the variables X are not changed by a transition (either send or receive).More precisely, keep(X) is equivalent to the following assertion x∈X x = x .• θ i is an assertion on V i describing the initial states, i.e., a state is initial if it satisfies θ i .Agents exchange messages.A message (that we shall call an observation) is defined by the channel it is sent on (ch), the data it carries (d), the sender identity (i), and the assertion describing the possible local assignments to common variables of receivers (π).Formally: Definition 11 (Observation).An observation is a tuple m = (ch, d, i, π), where ch is a channel, d is an assignment to d, i is an identity, and π is a predicate over cv.
In Def.11 we interpret π as a set of possible assignments to common variables cv.In practice, π is obtained from g s i (s i , ch, d, cv) for an agent i, where s i ∈ v∈Vi Dom(v) and ch and d are the channel and assignment in the observation.We freely use π to denote either a predicate over cv or its interpretation, i.e., the set of variable assignments c such that c |= π.We also use π(f The semantics of an agent A i is the CTS T (A i ) defined as follows.
Definition 12 (Agent Semantics).Given an agent A i we define T (A i ) = C, Σ, Υ, S, S 0 , R, L, ls , where the components of T (A i ) are as follows.
• C = ch • Σ = v∈Vi Dom(v), i.e., the set of states of A i c)} Generally, the semantics of an agent is defined as an open CTS T (A i ).The transition alphabet Υ of T (A i ) is the set of observations (as in Def.11) that are additionally labelled with either send (!) or receive (?) symbols, corresponding to send and receive transitions.Furthermore, in every state s, an agent is listening to the set of channels in ls(s).Namely, all channels that satisfy the agent's receive guard g r i in state s.We give further intuition for the definition of the transition relation R.
A triplet (s, υ, s ) ∈ R, where υ = (d, i, π, γ, ch), if the following holds: • Case (γ =!): Agent i is a sender and we have that π = g s i (s i , ch, d), i.e., π is obtained from g s i by assigning the state of i, the data variables assignment d and the channel ch, and T s i (s i , s i , d, ch) evaluates to true.• Case (γ =?): Agent i is a receiver (potentially) accepting a message from another agent i on channel c and data d with a send guard π such that c ∈ ls(s), π(f −1 i (s i )), and T r i (s i , s i , d, ch).Note that the condition i = i is required to ensure that the message is sent by another agent.Intuitively, if the agent i is the sender, it determines the predicate π (by assigning s i , d, and ch in g s i ) and i's send transition T s i is satisfied by assigning s i , s i , d, and ch to it.That is, upon sending the message with d on channel ch the sender changes the state from s i to s i .If the agent i is the receiver, it must satisfy the condition on receivers π (when translated to its local copies of the common variables), it must be connected to ch (according to g r i ), and it must have a valid receive transition T r i when reading the data sent in d on channel ch.Note that the semantics of an individual agent is totally decoupled from the semantics of how agents interact.Thus, different interaction modes (or parallel composition operators) can be adopted without affecting the semantics of individual agents.In our case, we have chosen to implement broadcast as a non-blocking send and non-blocking receive and a multicast as a blocking send and receive.However, if one chooses to do so, other composition operators could be defined.For example, a point-to-point composition would allow only two agents to communicate over a channel and would not allow send without receive.
A set of agents agreeing on the common variables cv, data variables d, and channels ch define a system.We define a CTS capturing the interaction and then give a DS-like symbolic representation of the same system.
Let S i =Π v∈Vi Dom(v) be the set of states of agent i and S = Π i S i be the set of states of the whole system.Given an assignment s ∈ S we denote by s i the projection of s on S i .
Definition 13 (ReCiPe System as a CTS).Given a set {A i } i of agents, a system is defined as the parallel composition of the CTS representations of all A i , i.e., a system is a CTS of the form T = i∈I T (A i ).
A triplet (s, υ, s ), where υ = (d, i, π, !, c) is in the transition relation of the composed system T (according to Def. 6), if the following conditions hold: • There exists a sender i such that (s i , (d, i, π, !, c), s i ) ∈ R i .By Def. 12, we know that (s i , (d, i, π, !, c), s i ) ∈ R i iff π = g s i (s i , ch, d), i.e., π is obtained from g s i by assigning the state of i, the data variables assignment d and the channel ch, and T s i (s i , s i , d, ch) evaluates to true.• For every other agent i we have that either: (1) c ∈ ls i (s i ) and (s i , (d, i, π, ?, c), s i ) ∈ R i .By Def. 12, we know that c ∈ ls i (s i ) and (s i , (d, i, π, ?, c), , and T r i (s i , s i , d, ch), all evaluate to true; (2) c / ∈ ls i (s i ) and s i = s i .By Def. 12 this is equivalent to ¬g r i (s i , ch); or (3) ch = and s i = s i .By Def. 12 this is equivalent to ¬π(f Intuitively, a message (d, i, π, !, c) labels a transition from s to s if the sender i determines the predicate (by assigning s i , d, and ch in g s i ) and the send transition of i is satisfied by assigning s i , s i , d, and ch to it, i.e., the sender changes the state from s i to s i and sets the data variables in the observation to d.All the other agents either (a) satisfy this condition on receivers (when translated to their local copies of the common variables), are connected to ch (according to g r i ), and perform a valid transition when reading the data sent in d on ch, (b) are not connected to ch (according to g r i ) and all their variables do not change, or (c) the channel is a broadcast channel, the agent does not satisfy the condition on receivers, and all their variables do not change.
In order to facilitate symbolic analysis, we now define a symbolic version of k∈K T (A k ), under closed world assumption.That is, we only focus on messages that originate from the system under consideration.In fact, from an external observer point of view, only message sending is observable while reception cannot be observed.This notion of observability is the norm in existing theories on group communication [42,18].Thus, we consider the paths of k∈K T (A k ) that are of the form σ = s 0 , a 0 , s 1 , a 1 , . . .such that a j is of the form (d, i, π, !, c), s 0 ∈ S 0 and for every j ≥ 0 we have (s j , a j , s j+1 ) ∈ R. Note that (d, i, π, !, c) coincides with our definition of an observation m.
Thus, let Υ be the set of possible observations in k∈K T (A k ).That is, let ch be the set of channels, D the product of the domains of variables in d, K the set of agent identities, and Π(cv) the set of predicates over cv then Υ ⊆ ch × D × K × Π(cv).In practice, we restrict attention to predicates in Π(cv) that are obtained from g s i (V i , ch, d, cv) by assigning V i (a state of the agent with identity i), ch, and d.Furthermore, we extend the format of the allowed transitions in the classical definition of a discrete system from assertions over an extended set of variables to assertions that allow quantification.Definition 14 (Discrete System).Given a set {A i } i of agents, a system is defined as follows: S = V , ρ, θ , where V = i and θ = i θ i and a state of the system is in i v∈Vi Dom(v).The transition relation of the system is characterised as follows: The transition relation ρ relates a system state s to its successors s given an observation m = (ch, d, k, π).Namely, there exists an agent k that sends a message with data d (an assignment to d) with assertion π (an assignment to g s k ) on channel ch and all other agents are either (a) connected, satisfy the send predicate, and participate in the interaction, (b) not connected and idle, or (c) do not satisfy the send predicate of a broadcast and idle.That is, the agents satisfying π (translated to their local state by the conjunct ∃cv.f j ) and connected to channel ch (i.e., g r j (s j , ch)) get the message and perform a receive transition.As a result of interaction, the state variables of the sender and these receivers might be updated.The agents that are not connected to the channel (i.e., ¬g r j (s j , ch)) do not participate in the interaction and stay still.In case of broadcast, namely when sending on , agents are always connected and the set of receivers not satisfying π (translated again as above) stay still.Thus, a blocking multicast arises when a sender is blocked until all connected agents satisfy π ∧ f j .The relation ensures that, when sending on a channel that is different from the broadcast channel , the set of receivers is the full set of connected agents.On the broadcast channel agents who do not satisfy the send predicate do not block the sender.
The translation above to a transition system leads to a natural definition of a trace, where the information about channels, data, senders, and predicates is lost.We extend this definition to include this information as follows: Definition 15 (System trace).A system trace is an infinite sequence ρ = s 0 m 0 , s 1 m 1 , . . . of system states and observations such that ∀t ≥ 0: m t = (ch t , d t , k, π t ), π t = g s k (s k t , d t , ch t ), and: That is, we use the information in the observation to localize the sender k and to specify the channel, data values, and the send predicate.
The following theorem states a full abstraction property [38], namely that the CTS semantics of systems and their discrete counterpart define the same transition relation, under closed world assumption.That is, by considering the messages originating from the system under consideration as the only observations.Theorem 16 (Full abstraction).Given a set of ReCiPe agents {A i } i , their discrete system representation, defined as S = V , ρ, θ , is semantically equivalent to the parallel composition of their CTS representation, defined as T = i T (A i ), under closed world assumption.More precisely, • for every assignment s to system variables V , it follows that: θ(s) iff s ∈ S 0 ; • for all assignments s and s to variables in V and respectively in V it follows that: ρ(s, s ) iff there exist assignment to data variables d, a communication channel ch, and an agent i such that (s, (d, i, π, !, ch), s ) ∈ R T .
Proof.We prove each statement separately.
• For k agents in the symbolic representation, θ characterises the set of system states S ⊆ Π i S i that satisfy the initial conditions of all agents, i.e., {s | s = (s 0 , s 1 , . . ., s k ) and s By Def. 6 and Def. 12 this is exactly the set of initial states S 0 in T = i T (A i ); • By Def.14, we have that ρ(s, s ) evaluates to true if there exists a valuation d to d and a channel ch in ch such that both of the following hold: • There exists an agent i such that the send transition T s i is satisfied by assigning to current local state s i , next local state s i (i.e., the projection of the system states s and s on agent i), the valuation d, and the communication channel ch.According to the enumerative semantics in Def. 12, agent i has an individual send transition given the current local state s i , next local state s i , valuation d to data variables, and channel ch.Namely, agent i has a send transition (s i , (d, i, π, !, ch), s i ) ∈ R i such that π = g s i (s i , ch, d), i.e., π is obtained from g s i by assigning the state of i, the data variables assignment d and the channel ch, and T s i (s i , s i , d, ch) evaluates to true.• For every other agent i we have that either: (1) it is connected (i.e., g r i (s i , ch) holds), satisfies the send predicate (i.e., π(f −1 i (s i )) holds), and participates in the interaction (i.e., T r i (s i , s i , d, ch) holds).By Def. 12, we know that agent i has an individual receive transition (s i , (d, i, π, ?, ch), s i ) ∈ R i where ch ∈ ls i (s i ); (2) it is not connected (i.e., ¬g r i (s i , ch) ) and s i = s i .By Def. 12, agent i does not have a receive transition for this message.In other words, since ch / ∈ ls i (s i ) then agent i cannot observe this transmission ; (3) or the message is sent on a broadcast channel (ch = ) where agent i does not satisfy the sender predicate (i.e., ¬π(f −1 i (s i ))) and s i = s i .By Def. 12 this is equivalent to ignoring this message by not implementing a receive transition.So far, we have shown that every individual (send/receive transition) in the symbolic model has a corresponding one in the enumerative semantics of individual agents.It remains to show that the composition of these individual transitions according to ρ in the symbolic model has exactly the same semantics of the parallel composition in Def. 6.That is, ρ(s, s ) iff for the identified d, i, ch and π we have (s, (d, i, π, !, ch), s ) ∈ R T , given the assignments s and s to variables in V and respectively in V .The existential quantification on sender transitions in ρ (i.e., k implies that the order of the composition is immaterial, namely any two systems states (s 0 , s 1 , . . ., s k ) and (s 1 , s 0 , . . ., s k ) that only differ in the order of individual agent' states are semantically equivalent.By Lemma 7, we have that parallel composition is commutative, and thus the order is immaterial under the enumerative system semantics as well.If ρ(s, s ) is due to a message exchange on the broadcast channel then the non-blocking semantics of the broadcast is preserved by the transition relation of the CTS composition as stated in Lemma 8.Moreover, if ρ(s, s ) is due to a message exchange on a multicast channel c then the blocking semantics of the multicast is preserved by the transition relation of the CTS composition as stated in Lemma 9. Lastly, the universal quantification on all possible receivers in ρ (i.e., j =k ) follows by the CTS semantics of parallel composition in Def.6, where a receive transition can be received jointly by different agents, and by the commutativity and associativity of parallel composition (Lemma 7) where the scope of a send transition can be extended to cover all possible receivers.The other direction of the proof follows in similar manners.
The following is a corollary of Theorem 16 to relate the traces arising from Def. 15 to that of Def. 13.
Corollary 17 (Trace equivalence).The traces of a symbolic system composed of a set of agents {A i } i are the paths of the induced CTS.

Reconfigurable Manufacturing Scenario
We complete the details of the RMS example, informally described in Section 2. Many aspects of the example are kept simple on purpose to aid the presentation.
The system, in our scenario, consists of an assembly product line agent (line) and several types of task-driven robots.We describe the behaviour of the product line and only robots of type-1 (t1) as these are sufficient for exposing all features of ReCiPe.
A product line is responsible for assembling the main parts and delivering the final product.Different types of robots are responsible for sub-tasks, e.g., retrieving and/or assembling individual parts.The product line is Every agent has copies of the common variables: @type indicating its type (e.g., line, t1, t2, t3), @asgn indicating whether a robot is assigned, and @rdy indicating what stage of production the robot is in.The set of channels includes the broadcast channel and multicast channels {A, . ..}.For simplicity, we only use the multicast channel A and fix it to the line agent.The set of data variables includes msg, no, and lnk, indicating the type of the message, a number (of robots per type), and a name of a channel respectively.
We note that when a data variable is not important for some message it is omitted from the description.We start with the description of the line agent line.We give a high-level overview of the protocol applied by the line agent using the state machine in Fig. 1.The states capture a partial evaluation of the state variables of the agent.In this case, the value of the state variable st.Transitions labels represent guarded commands.We use the format " Φ d !/? ch[v 1 = a 1 ; . . .v n = a n ]" to denote a guarded command cmd.Namely, the predicate Φ is a condition on the current assignment to local variables of an agent (and for receive transitions also on data variables that appear in the message).We freely use d to refer to an assignment to data variables.Usually, we write directly only the value of the msg variable to avoid cluttering.Sometimes, we add the values of additional data variables.Each guarded command is labelled with a role (! for send and ?for receive transitions); also with a channel name ch and a new assignment to local variables [v 1 = a 1 ; . . .v n = a n ] to represent the side effects of the interaction.For the line agent, the protocol consists of starting from the pending state and sending a team formation broadcast.This is followed by sending of an assembly multicast on the channel stored in local variable lnk and updating the stage to 2. Finally, an additional assembly multicast on the same channel resets the process.We include below the full description with the guards and predicates.Each transition in the state machine corresponds to a disjunct in either the send or the receive transition predicate below.Variables that are not assigned in a transition are kept unchanged in the predicate.The send and receive guards of the agent are only partially captured in the state machine.
We now turn to the formal description of the line agent, starting with its set of variables.In addition to copies of common variables (e.g., f l (@type) = ltype), the line agent has the following state variables: st is a state ranging over {pnd, strt} (pending and start), lnk is the link of the product line, prd is the id of the active product, and stage is used to range over the different stages of production.
The initial condition θ l of a line agent is defined as follows: Thus, starting from the pending state, the line agent has a task of assembling one of two products, and uses a multicast channel A to coordinate the assembly team.If there are multiple product lines, then each is initialised with a dedicated channel.
The send guard of the Line agent is of the following form: g s l : ch= ∧¬@asgn ∧ (prd=1→(@type=t1 ∨ @type=t2))∧ (prd=2→(@type=t1 ∨ @type=t3)) ∨ ch=lnk ∧ @rdy = stage Namely, broadcasts are sent to robots whose @asgn is false (i.e., free to join a team).If the identity of the product to be assembled is 1, then the required agents are of types t1 and t2 and if the identity of the product is 2, then the required agents are of types t1 and t3.Messages on channel A (the value of lnk) are sent to connected agents when they reach a matching stage of production, i.e., @rdy = stage.The receive guard of Line is ch = , i.e., it is only connected to channel .
We may now proceed by explaining ReCiPe's send and receive transition relations of the line agent in light of the state machine in Fig. 1.The send transition relation of Line is of the following form: The Line agent starts in the pending state (see θ l ).It broadcasts a request (d(msg → team)) for two robots (d(no → 2)) per required type asking them to join the team on the multicast channel stored in its lnk variable (d(lnk → lnk)).According to the send guard, described before, if the identity of the product to assemble is 1 (prd = 1) the broadcast goes to type 1 and type 2 robots and if the identity is 2 then it goes to type 1 and type 3 robots.Thanks to channel mobility (i.e., d(lnk) = lnk) a team on a dedicated link can be formed incrementally at run-time.As a side effects of broadcasting the team message, the line agent moves to the start state (st = strt) where the first stage of production begins (stage = 1).In the start state, the line agent attempts an assemble (blocking) multicast on A. The multicast can be sent only when the entire team completed the work on the production stage (when their common variable @rdy agrees with stage as specified in the send guard).One multicast increases the value of stage and keeps Line in the start state.A second multicast finalises the production and Line becomes free again.We set T r l : keep(all) as Line's recieve transition relation.That is, Line is not influenced by incoming messages.We now specify the behaviour of t1-robots and show how an autonomous and incremental one-by-one team formation is done anonymously at run-time.As before, we give a high-level overview of the protocol using the state machine in Fig. 2. The team formation starts when unassigned robots are in pending states (pnd).From this state they may only receive a team message from a line agent.The message contains the number of required robots d(no) and a team link d(lnk).The robots copy these values to their local variables (i.e., lnk = d(lnk) etc.) and move to the start state (strt).From the start state there are three possible transitions: • Join -move to state end -a robot joins the team by broadcasting a form message to t1-robots forwarding the number of still required robots (d(no) = (no − 1)) and the team link (d(lnk) = lnk).This message is sent only if no ≥ 1, i.e, at least one robot is needed.From state (end) the robot starts its mission.• Wait -stay in state strt -a robot receives a form message from a robot, updating the number of still required robots (i.e., if d(no) > 0).• Step back -return to state pnd -a robot receives a form message from a robot, informing that no more robots are needed, i.e., d(no) = 0.The robot disconnects from the team link, i.e., lnk = ⊥.Thus it may not block interaction on the team link.After joining the team, a robot in state end (i.e., with step = 1) starts its mission independently until it finishes (step = n ∧ brdy = 1).We have used (. . . ) to abstract the individual behaviour of the robot in state (end).In fact, each local step corresponds to a broadcast message (local) that is hidden from other agents.This will be clarified later in the send guard of the robot which evaluates to false when (local) is enabled.
When all team robots finish their individual tasks (i.e., circled in the self-loop on state end while brdy = 1 until step = n), they become ready to receive an asmbl message on A, to start the next stage of production (i.e, brdy = 2) while still staying in end state.
From this final stage (i.e., brdy = 2) the robots are ready to receive the final asmbl message to finalise the product and subsequently they reset to their initial conditions.
As before, each transition corresponds to a disjunct in the send and receive transition relations, which are fully specified later in this section.
We now turn to the formal description of the robot, starting with its set of variables.In addition to copies of common variables a t1-robot has the following variables: st ranges over {pnd, strt, end}, step is used to control the progress of individual behaviour, no (resp.lnk) is a placeholder to a number (resp.link) learned at run-time, and f b relabels common variables as follows: f b (@type) = btype, f b (@asgn) = basgn and f b (@rdy) = brdy.
Initially, a robot is in the pending state and is available for recruitment: The send guard of the robot is of the following form: Interestingly, the send guard delimits the scope of the broadcast, depending on the assignment to data variables.Namely, it specifies that a robot either broadcasts to unassigned robots of the same type if the message is not a local one (d(msg = local) or otherwise hides the message from all other agents by broadcasting on a false predicate (i.e., the tautology @asgn ∧ ¬@asgn).Note that such message cannot be received by any agent, and it can be regarded as a local computation.Thus, it becomes very easy to distinguish the individual behaviour of an agent from its interactions with the rest of the system.
The receive guard specifies that a t1-robot is connected either to a broadcast or to a channel matching the value of its link variable: Finally, we report the send T s b and receive T r b transition predicates below.

LTOL: An extension of LTL
We introduce ltol, an extension of ltl with the ability to refer and therefore reason about agents interactions.We replace the next operator of ltl with the observation descriptors: possible O and necessary [O], to refer to messages and the intended set of receivers.The syntax of formulas ϕ and observation descriptors O is as follows: We use the classic abbreviations →, ↔ and the usual definitions for true and false.We also introduce the temporal abbreviations Fϕ ≡ true U ϕ (eventually), Gϕ ≡ ¬F¬ϕ (globally) and ϕ W ψ ≡ ψ R (ψ ∨ ϕ) (weak until ).Furthermore we assume that all variables are Boolean because every finite domain can be encoded by multiple Boolean variables.For convenience we will, however, use non-Boolean variables when relating to our RMS example.
The syntax of ltol is presented in positive normal form to facilitate translation into alternating Büchi automata (ABW) as shown later.That is, we push the negation down to atomic propositions.We, therefore, use Θ to denote the dual of formula Θ where Θ ranges over either ϕ or O. Intuitively, Θ is obtained from Θ by switching ∨ and ∧ and by applying dual to sub formulas, e.g., Observation descriptors are built from referring to the different parts of the observations and their Boolean combinations.Thus, they refer to the channel in ch, the data variables in d, the sender k, and the predicate over common variables in cv.These predicates are interpreted as sets of possible assignments to common variables, and therefore we include existential • ∃ O and universal • ∀ O quantifiers over these assignments.
The semantics of an observation descriptor O is defined for an observation m = (ch, d, k, π) as follows: We only comment on the semantics of the descriptors • ∃ O and • ∀ O as the rest are standard propositional formulas.The descriptor • ∃ O requires that at least one assignment c to the common variables in the sender predicate π satisfies O. Dually • ∀ O requires that all assignments in π satisfy O. Using the former, we express properties where we require that the sender predicate has a possibility to satisfy O while using the latter we express properties where the sender predicate can only satisfy O.For instance, both observations (ch, d, k, cv 1 ∨ ¬cv 2 ) and (ch, d, k, cv 1 ) satisfy • ∃ cv 1 while only the latter satisfies • ∀ cv 1 .Furthermore, the observation descriptor • ∀ false ∧ ch = says that a message is sent on the broadcast channel with a false predicate.That is, the message cannot be received by other agents.In our RMS example in Section 6, the descriptor • ∃ (@type = t1) ∧ • ∀ (@type = t1) says that the message is intended exactly for robots of type-1.
Note that the semantics of • ∃ O and • ∀ O (when nested) ensures that the outermost cancels the inner ones, e.g., . Furthermore, when cv and respectively ¬cv appear outside the scope of a quantifier (• ∀ or • ∃ ), they are semantically equivalent to the descriptors • ∀ cv and respectively • ∃ ¬cv.Thus, we assume that they are written in the latter normal form.
We interpret ltol formulas over system computations: Definition 18 (System computation).A system computation ρ is a function from natural numbers N to 2 V × M where V is the set of state variable propositions and M = ch × 2 d × K × 2 2 cv is the set of possible observations.That is, ρ includes values for the variables in 2 V and an observation in M at each time instant.We denote by s i the system state at the i-th time point of the system computation.Moreover, we denote the suffix of ρ starting with the i-th state by ρ ≥i and we use m i to denote the observation (ch, d, k, π) in ρ at time point i.
The semantics of an ltol formula ϕ is defined for a computation ρ at a time point i as follows: Intuitively, the temporal formula O ϕ is satisfied on the computation ρ at point i if the observation m i satisfies O and ϕ is satisfied on the suffix computation ρ ≥i+1 .On the other hand, the formula [O]ϕ is satisfied on the computation ρ at point i if m i satisfying O implies that ϕ is satisfied on the suffix computation ρ ≥i+1 .Other formulas are interpreted exactly as in ltl.
With observation descriptors we can refer to the intention of agents in the interaction.For example, the following descriptor specifies that the target of the message is "exactly and only" type-1 and type-2 robots.This descriptor can be used later to specify that whenever the line agent "l" recruits for a product with identity 1, it notifies both type-1 and type-2 robots as follows: Namely, whenever the line agent is in the pending state and tasked with product 1 it notifies both type-1 and type-2 robots by a broadcast.The pattern "After q have exactly two p until r" [35,17] can be easily expressed in ltl and can be used to check the formation protocol.Consider the following formulas: specifying that a team message is sent to type-1 robots and requires two robots, specifying that a formation message is sent to type-1 robots, and specifying that a message is sent on channel A. Now, the template "After ϕ 1 have exactly two ϕ 2 until ϕ 3 " specifies that whenever a team message is sent to robots of type-1 requiring two robots, then two form messages destined for type-1 robots will follow before using the multicast channel.That is, two type-1 robots join the team before a (blocking) multicast on channel A may become possible.
We can also reason at a local rather than a global level.For instance, we can specify that robots follow a "correct" utilisation of channel A. Formally, specifies that a team message is sent to robots of type t; O 2 (k, t) := msg=form ∧ ¬k ∧ no=0 ∧ • ∃ (¬@asgn ∧ @type=t) specifies that a robot different from k sends a form message specifying that no more robots are needed and this message is sent to unassigned type t robots; specifies that an assembly message is sent on channel A to robots of type t who reached stage 2 of the production.Thus, for robot k of type t, the formulas state that: (i) robots are not connected to channel A until they get a team message, inviting them to join a team; (ii) if either they are not selected (O 2 (k, t)) or they finished production after selection (O 3 (t)) then they disconnect again until the next team message.This reduces to checking the "correct" utilisation of channel A to individual level, by verifying these properties on all types of robots independently.By allowing the logic to relate to the set of targeted robots, verifying all targeted robots separately entails the correct "group usage" of channel A.
7.1.The Satisfiability and the Model Checking problems of ltol.In this section, we improve our early results on satisfiability and model checking of ltol, presented in the aamas version [2] of this article.In that version, we computed an expspace upper bound for both problems with respect to the set of common variables cv that appear in the observation descriptors and pspace upper bound with respect to the rest of the input.This result was not surprising as the semantics of observations requires quantification on the assignments to common variables cv appearing in O. Indeed, the number of assignments to cv is doubly exponential in the size of cv, i.e, the number of assignments is 2 2 |cv| .Both problems require translation to Nondeterministic Büchi Automata (NBW), and a direct translation would incur a double exponential blowup in the size of the automaton with respect to |cv|.Thus, a membership in expspace with respect to |cv| follows from the membership in nlogspace of the nonemptiness problem for NBW.
In this article, we improved the latter results to pspace, matching the lower bound.This is achieved by a novel automaton construction.Namely, we introduce a further dependency between the formula and the alphabet that is read by the automaton.Thus, the automaton does not read concrete messages but it rather partitions messages into sets, according to their effects on the truth values of subformulas of the formula.
Before we proceed with the automaton construction, we fix the sets of system variables V , the communication channels ch, the data variables d, the identities of agents K, and the common variables cv.
Our direct construction in [2] considers a state-alphabet Σ = 2 V and a message-alphabet M = ch×d×K ×2 2 cv .Clearly, the message-alphabet is doubly-exponential in cv and implies that the decision procedures based on M would be in expspace (with respect to cv).However, M is "too large" for the automaton (c.f., [50]).Thus, we consider a smaller alphabet that is derived from the observation descriptors appearing in the formula.This alphabet is at most exponential in the size of the formula (allowing for pspace analysis).To achieve pspace analysis, we have to extend the decision procedures to further consider observation-alphabet satisfiability and observation-alphabet model-checking, as we will see below.
Recall the alphabets Σ and M above and fix an ltol formula ϕ.Let obs(ϕ) be the set of observations appearing "top-level" in the operators • and [•] in ϕ.More precisely, obs(ϕ) is closed under the subformula relation of ϕ, but is not closed under the subformula relation of O. Consider ϕ 2 (k, t) in Equation 1: We denote by |obs(ϕ)| the size of the set obs(ϕ).We denote by ||O|| the length of the observation O and by ||obs(ϕ)|| the sum of lengths of observations in ϕ.Note that ||obs(ϕ)|| is bounded by the size of ϕ.Thus, we may now define an observation-alphabet O = 2 obs(ϕ) , that is at most exponential in the size of ϕ.We will use this alphabet to enable pspace analysis.
In our construction, the automaton reads words from the alphabet (Σ × O) ω while system computations are derived from the alphabet (Σ × M ) ω .
Intuitively, an automaton word w ∈ (Σ × O) ω and a system computation ρ ∈ (Σ × M ) ω agree on the statealphabet Σ and only differ in their treatment to messages.Formally, given a word w = (σ 0 , O 0 ), (σ 1 , O 1 ), . . ., and a system computation ρ = (σ 0 , m 0 ), (σ 1 , m 1 ), . . . .We say that ρ satisfies w if for every i ≥ 0 we have that σ i = σ i and for every O ∈ obs(ϕ) we have m i |= O iff O ∈ O i .Note that m i |= O follows the semantics of observation descriptors.Thus, a word w defines a language over system computations.
More precisely, for a word w ∈ (Σ × O) ω we denote by L ω (w) the set of system computations satisfying w.We say that w is non empty if there is some system computation satisfying it, i.e., if L ω (w) = ∅.Furthermore, for a letter O ∈ O, we denote by M (O) = {m ∈ M | ∀O ∈ obs(ϕ) .O ∈ O ⇐⇒ m |= O} the set of models of O.That is, all the messages that satisfy all the observations in O and do not satisfy all the observations that are not in O.We say that O is non empty if M (O) = ∅.
Clearly, a word w = (σ 0 , O 0 ), (σ 1 , O 1 ), . . . is non empty if and only if for every i ≥ 0 we have that O i is non empty.
We show that satisfiability of ltol can be reduced to finding a word w such that the set of system computations satisfying w is not empty.Similarly, model checking is reduced to building an automaton for ¬ϕ and identifying a word w satisfying ¬ϕ and a computation ρ of the system under study such that ρ satisfies w.
The following theorem states that the set of computations satisfying a given formula are exactly the ones satisfying words accepted by some finite automaton on infinite words.
Notice that for a given word w, either all the computations that satisfy w satisfy ϕ or all the computations that satisfy w do not satisfy ϕ (i.e., satisfy ϕ).In the first case w is accepted by A ϕ and in the second it is not accepted by A ϕ .Thus, the definition of O is such that words partition the computations to equivalence sets that are uniform with respect to the satisfaction of ϕ.
Proof.The set of states Q is the set of all sub formulas of ϕ with ϕ being the initial state q 0 .The automaton has two alphabets, namely the state-alphabet Σ = 2 V and the observation alphabet O = 2 obs(ϕ) .The set F of accepting states consists of all sub formulas of the form ϕ 1 Rϕ 2 .The transition relation δ is defined inductively on the structure of ϕ, as follows: The proof of correctness of this construction proceeds by induction on the structure of ϕ.We prove that when A ϕ is in state ϕ 1 , it accepts exactly all computations that satisfy ϕ 1 .The base cases (i.e., state variable propositions) follow from the definition of δ ϕ while other cases follow from the semantics of ϕ and the induction hypothesis.The construction ensures that a computation can only satisfy ϕ 1 U ϕ 2 , if it has a suffix satisfying ϕ 2 ; otherwise A ϕ will have an infinite path stuck in ϕ 1 U ϕ 2 which is not accepting.The hardness argument can be proved by a reduction from ltl satisfiability [44].
Theorem 22.The model-checking problem of ltol is pspace-complete with respect to |Sys| and |ϕ|.
Note that the stated bounds in terms of |Sys| refer to the symbolic representation of the system.The complexity is logspace in the size of the corresponding CTS T (Sys), which is anyway exponentially larger.
Proof.Given a finite state system Sys = V , ρ, θ and a set of assertions on state variables V , on ch, d, K, and on cv 1 , . . .cv n .We assume ρ to be total and then we can construct a CTS representation of Sys as follows: T (Sys) = ch, Σ, M, S, S 0 , R, L, ls , where the components of T (Sys) are as follows.S = Σ (L is the identity function), and thus S is the set of possible interpretations of the variables in V , i.e., S = 2 V .The set of initial states S 0 is the set of states s such that s |= θ, i.e., S 0 = {s |= θ}, and M = ch × 2 d × K × 2 2 cv .We have that R(s, m) = {s : (s, m, s ) |= ρ} and ∅ otherwise.Furthermore, we consider all states in T (Sys) to be accepting.The number of states in the transition system T (Sys) may be exponentially larger than the description of Sys.Notice that although M is doubly exponential in cv the labels of transitions of T (Sys) are those obtained from T s k for some k.Thus, the number of distinct labels appearing on transitions of T (Sys) is bounded by The system Sys satisfies ϕ iff all the computations of Sys satisfy ϕ, thus for every computation ρ ∈ L ω (T (Sys)) there exists a word w ∈ L ω (N ϕ ) such that ρ |= w.Dually, Sys does not satisfy ϕ iff for some computation ρ ∈ L ω (T (Sys)) and for some word w ∈ L ω (N ¬ϕ ) we have ρ |= w.This is equivalent to check L ω (T (Sys)) ∩ Thus, we check letter by letter that the word w accepted by N ¬ϕ and the computation ρ produced by T (Sys) are such that ρ |= w.Thus, we only need to show that checking m |= O can be tested in space polynomial in |ϕ|.Indeed, This follows from Proposition 24.Since all states in T (Sys) are accepting, the construction of N T (Sys),¬ϕ is the product of T (Sys) with N ¬ϕ with transitions composed as explained.We have that N T (Sys),¬ϕ has 2 O(|Sys|+|ϕ|) states.Hence, |N T (Sys),¬ϕ | is in 2 O(|Sys|+|ϕ|) .We have that N T (Sys),¬ϕ can be constructed on-the-fly and a membership in pspace with respect to |Sys| and |ϕ|, follows from the membership in nlogspace of the nonemptiness problem for NBW.Checking that Sys |= ϕ is in O(|ϕ| + |Sys|).
The hardness follows from the same hardness results for discrete systems and ltl [44].
The following proposition states that given a letter O ∈ O we can check whether there exists a message m that satisfies O in np with respect to ||obs(ϕ)||.Notice that, in particular, ||obs(ϕ)|| should be larger than the number of variables in cv and d that appear in ϕ, the number of agents in K that are mentioned in ϕ and the number of channels in ch appearing in ϕ.Those that do not appear in ϕ can be removed from the message alphabet M .We show that satisfaction of O can be solved in NP as follows: • select a subset S of atom(O); • select an assignment to d, a channel ch and an agent k; • for each • ∃ O ∈ S guess one assignment to cv.
Verify that the choice of S, the assignment to d, the channel ch and the agent k satisfy O. Notice, that the elements of atom(O) are treated as Boolean values in this check: O ∈ S is evaluted as true and O / ∈ S is evaluated as false.For each • ∃ O ∈ S check that the assignment to cv guessed for • ∃ O fulfills two conditions: • the assignment to cv together with the assignment to d, the channel ch and the agent k satisfy O .
• For every • ∀ O ∈ S check that the assignment to cv together with the assignment to d, the channel ch and the agent k satisfy O .Notice that the sum of sizes of the guessed elements is polynomal in the size of O and the verification can be completed in polynomial time.
Hardness in np follows from the hardness of Boolean satisfiability.
The following proposition states that checking if a message m ∈ M satisfies an observation letter O ∈ O can be tested in p np in ||obs(ϕ)||.We consider the case that π is represented as a Boolean formula over cv.This is reasonable as when considering a transition (s, m, s ), where m = (ch, d, i, π), then π can be obtained as such a formula from g s i by using the values in s, ch, and The problem is np-hard in |cv| as m |= • ∃ true holds iff π is satisfiable.The problem is co-np-hard in |cv| as m |= • ∀ false iff π is unsatisfiable.We do not know whether the problem is p np -complete.
We note that in the case that m is represented as a set of assignments to cv, we can modify the Boolean value problem [33] to show that m |= O can be evaluated in logspace.

Concluding Remarks
We introduced a formalism that combines message-passing and shared-memory to facilitate realistic modelling of distributed multi agent systems.A system is defined as a set of distributed agents that execute concurrently and only interact by message-passing.Each agent controls its local behaviour as in Reactive Modules [6,21] while interacting externally by message passing as in π-calculus-like formalisms [39,1].Thus, we decouple the individual behaviour of an agent from its external interactions to facilitate reasoning about either one separately.We also make it easy to model interaction features of MAS, that may only be tediously hard-coded in existing formalisms.
We introduced an extension to ltl, named ltol, that characterises messages and their targets.This way we may not only be able to reason about the intentions of agents in communication, but also we may explicitly specify their interaction protocols.Finally, we provided a novel automata construction that permits satisfiability and model-checking in space polynomial with respect to the size of the formula and the size of the system.This is a major improvement on the early results in [2] that were in expspace with respect to the number of common variables and pspace-complete with respect to the rest of the input.Related works.As mentioned before, formal modelling is highly influenced by traditional formalisms used for verification, see [6,19].These formalisms are, however, very abstract in that their models representations are very close to their mathematical interpretations (i.e., the underlying transition systems).Although this may make it easy to conduct some logical analysis [7,15,41] on models, it does imply that most of the high-level MAS features may only be hard-coded, and thus leading to very detailed models that may not be tractable or efficiently implementable.This concern has been already recognised and thus more formalisms have been proposed, e.g., Interpreted Systems Programming Language (ISPL) [32] and MOCHA [8] are proposed as implementation languages of Interpreted Systems (IS) [19] and Reactive Modules (RM) [6] respectively.They are still either fully synchronous or shared-memory based and thus do not support flexible coordination and/or interaction interfaces.A recent attempt to add dynamicity in this sense has been adopted by visibly CGS (vCGS) [11]: an extension of Concurrent-Game Structures (CGS) [7] to enable agents to dynamically hide/reveal their internal states to selected agents.However, vCGS relies on an assumption of [9] which requires that agents know the identities of each other.This, however, only works for closed systems with a fixed number of agents.
Other attempts to add dynamicity and reconfiguration include dynamic I/O automata [14], Dynamic reactive modules of Alur and Grosu [5], Dynamic reactive modules of Fisher et al. [21], and open MAS [30].However, their main interest was in supporting dynamic creation of agents.Thus, the reconfiguration of communication was not their main interest.While ReCiPe may be easily extended to support dynamic creation of agents, none of these formalisms may easily be used to control the targets of communication and dissemination of information.
As for logics we differ from traditional languages like ltl and ctl in that our formula may refer to messages and their constraints.This is, however, different from the atomic labels of pdl [37] and modal µ-calculus [31] in that ltol mounts complex and structured observations on which designers may predicate on.Thus the interpretation of a formula includes information about the causes of variable assignments and the interaction protocols among agents.Such extra information may prove useful in developing compositional verification techniques.
Future works.We plan to provide tool support for ReCiPe, but with a more user-friendly syntax.We would like to provide a light-weight programming-language-like syntax to further simplify modelling.
We want to exploit the interaction mechanisms in ReCiPe and the extra information in ltol formulas to conduct verification compositionally.As mentioned, we believe that relating to sender intentions will facilitate that.
We intend to study the relation with respect to temporal epistemic logic [26].Although we do not provide explicit knowledge operators, the combination of data exchange, receivers selection, and enabling/disabling of synchronisation based on the evolving states of the different agents, allow them to dynamically deduce information about each other.Furthermore we want to study ReCiPe under dynamic creation of agents while reconfiguring communication.Thanks to the new compositional semantics in terms of CTS, the dynamic creation of agents can now be easily linked to the execution of some blocking transitions.To give an intuition about a (possible) extension consider the following semantic rule: (2) A 1 (υ,?,c) Here, we use A m − → A to denote that in state s agent A may receive a message m and evolves to A with state s , i.e., (s, m, s ) ∈ R A .Clearly, the semantic rule 2 indicates that the agent replicates itself once a multicast message on c is received as a side-effect of interaction.Thus, if we compose A 1 with some other agent, say A 2 , such that A 2 Namely, a new replica of A 1 is dynamically created when agents exchanged a specific message.Agent A 1 can be thought of as a server that spawn a new thread to handle concurrent requests from clients.
Finally, we want to target the distributed synthesis problem [20].Several fragments of the problem have been proven to be decidable, e.g., when the information of agents is arranged hierarchically [13], the number of agents is limited [25], or the actions are made public [12].We conjecture that the ability to disseminate information and reason about it might prove useful in this setting.

Figure 1 .
Figure 1.Product Line Agent w∈Lω(N¬ϕ) L ω (w) = ∅.Since our formulas are in positive normal form, ¬ϕ can be obtained from ϕ by ϕ.By Corollary 20, we have that N ¬ϕ has 2 O(|ϕ|) states and |N ¬ϕ | is in 2 O(|ϕ|) .Note, however, that the words of N ¬ϕ are in (Σ × O) ω while the computations of T (Sys) are in (Σ × M ) ω .The model-checking problem can be reduced to finding a word w accepted by A ¬ϕ and a computation ρ of T (Sys) such that ρ |= w.Recall that ρ |= w if for every i ≥ 0 we have that σ ρ i = σ w i and for every O ∈ obs(ϕ) we have m ρ i |= O iff O ∈ O w i .This amounts to check the nonemptiness problem of a (modified) intersection of T (Sys) and N ¬ϕ , where the transition (s, m, s ) of T (Sys) can match transitions of N ¬ϕ that read letters (s, O) for m |= O.Note that for every m ∈ M there is a unique O ∈ O such that m |= O.

Proposition 23 (
Observation satisfiability).Consider a letter O ∈ O. Emptiness of O is np-complete in ||obs(ϕ)||.Proof.Given a letter O ∈ O let O ⇑ be the set of observations in O and their negations, i.e., observations not appearing in O.That is, O ⇑ = O ∪ {O | O ∈ obs(ϕ) \ O}.Let O ⇑ ∧ = O∈O ⇑ O be the conjunction of all observations in O ⇑ .Clearly, the Emptiness of a letter O ∈ O is equivalent to the satisfiability of O ⇑ ∧ .Thus, we can restrict our attention to the satisfaction of an observation.Given an observation O let atom(O) denote the set of subformulas of O of the form • ∃ O and ∀O .

d. Proposition 24 (
Observation model-checking).Consider a letter O ∈ O and an observation m ∈ M .Whether m |= O can be tested in p np in ||obs(ϕ)||.Proof.As in the case of propsition 23 give a letter O ∈ O we consider O ⇑ ∧ .Thus, we restrict our attention to the case of whether m satisfies an observation O. Let m = (ch, d, i, π).We simplify O by converting every reference to ch, d or i to the constants appearing in m.It follows that we are left with a Boolean combination of • ∃ • and • ∀ • subformulas, where only variables from cv appear.For a subformula • ∃ O we can check whether m |= • ∃ O by checking whether π ∧ O is satisfiable.For a subformula • ∀ O we can check whether m |= • ∀ O by checking whether π → O is valid.Both checks can be accomplished by an np oracle.
• The size of the Büchi automaton is |Q|.|δ|,i.e., |N | is in 2 O(|ϕ|) .Theorem 21.The satisfiability problem of ltol is pspace-complete with respect to |ϕ|.Proof.By Corollary 20, given a formula ϕ, we can construct an NBW N ϕ of size |Q n |.|δ n | that accepts precisely the computations that satisfy ϕ.Thus, ϕ is satisfiable iff N ϕ is nonempty.In order to prove that the formula is satisfiable we have to show that N ϕ accepts a word w such that some computation ρ satisfies w.However, a word w