Practical Verification of Decision-Making in Agent-Based Autonomous Systems

We present a verification methodology for analysing the decision-making component in agent-based hybrid systems. Traditionally hybrid automata have been used to both implement and verify such systems, but hybrid automata based modelling, programming and verification techniques scale poorly as the complexity of discrete decision-making increases making them unattractive in situations where complex logical reasoning is required. In the programming of complex systems it has, therefore, become common to separate out logical decision-making into a separate, discrete, component. However, verification techniques have failed to keep pace with this development. We are exploring agent-based logical components and have developed a model checking technique for such components which can then be composed with a separate analysis of the continuous part of the hybrid system. Among other things this allows program model checkers to be used to verify the actual implementation of the decision-making in hybrid autonomous systems.


Introduction
Autonomous systems are moving beyond industrial and military contexts, and are now being deployed in the home, in health-care scenarios, and in automated vehicles. In many cases there may be a human operator who directs the autonomous system, but increasingly the system must work on its own for long periods without such interventions. These systems must essentially decide for themselves what to do and when to do it. This might seem fraught with danger, but there is a clear need for such systems, particularly: • when deployed in remote or dangerous environments where direct and local human control is infeasible; or • when the complexity or speed of the environmental interactions is too high for a human to handle.
Examples of the former include deep sea exploration, space probes, and contaminated area cleanup; examples of the latter include automated stock trading systems, robot swarms, and unmanned air vehicle collision avoidance. In addition to the above reasons, autonomous systems are becoming popular as they can sometimes be much cheaper to develop and deploy than manned systems.

Hybrid Autonomous Systems
Autonomous systems are increasingly constructed from distinct components, some handling continuous interaction, some dealing with discrete analysis. Traditionally, such hybrid autonomous systems have been engineered using the concept of a hybrid automaton. However, as these systems have become more complex, combining discrete decision-making and continuous control within a hybrid automaton has faced challenges. It is difficult to separate the two concerns (decision-making and continuous control) when designing and implementing a system in this fashion -this has an impact on design and code, understandability and reuse. Furthermore many autonomous systems operate in environments where the users wish to access some high level account for why a decision was taken by the system [39], such an account can be difficult to extract from a hybrid automaton. As a result, a distinct strand of research has focused on explicitly separating decision-making components from the underlying control system, often using the popular agent paradigm [88]. A drawback of this approach, however, is that it is generally non-trivial to transform such a system back into a hybrid automaton based model and so well-developed techniques for verifying hybrid automata by model checking [46,40] become difficult to apply to these new systems. Moreover, verification of hybrid automaton based systems tend to scale badly as the reasoning processes become more complex. Since autonomous systems are frequently safety or mission critical this verification gap is a significant concern.

A Methodology for Verifying Autonomous Choices
In [39] we highlighted a methodology for the verification of decision-making components in hybrid autonomous systems, where such a decision-making component is implemented as a rational agent. In this paper, we give a more detailed and technical explanation of the methodology and apply the approach to practically verify a variety of complex autonomous systems (see sections 3, 4, and 5). We argue that the most crucial aspect of verifying complex decision-making algorithms for autonomous systems, for example concerning safety, is to identify that the controlling agent never deliberately makes a choice it believes to be unsafe 1 . In particular this is important in answering questions about whether a decision-making agent will make the same decisions as a human operator given the same information from its sensors.
Thus, rather than verifying agent behaviour within a detailed model of the system's environment, we will now verify the choices the agent makes given the beliefs it has. This approach is clearly simpler than monolithic approaches as we can state properties that only concern the agent's internal decisions and beliefs, and so verification can be carried out without modelling the "real world". At a logical level, the verification of safety properties changes from the global checking of 2 ¬bad i.e., nothing bad can ever happen, to locally checking 3 B agent ¬bad i.e., the agent never believes that something bad happens. Similarly, liveness properties change from checking ♦good globally to checking ♦B agent good locally. Thus, we verify the (finite) choices the agent has, rather than all the (typically infinite) "real world" effects of those choices.
Specifically, we propose model checking (and the model checking of programs, if possible) as an appropriate tool for demonstrating that the core rational agent always endeavours to act in line with our requirements and never deliberately chooses options that lead internally to bad states (e.g., ones where the agent believes something is unsafe). Since we are verifying only the core agent part we can use non-hybrid model checking approaches which allows the verification to be more easily compositional and gives us a wider range of abstraction mechanisms to explore. Thus, we do not verify all the "real world" outcomes of the agent's choices (but assume that analysis of the underlying control system has provided us with theorems about the outcomes of actions etc.), but do verify that it always tries to achieve its goals/targets to the best of its knowledge/beliefs/ability. Thus, the agent believes it will achieve good situations and believes it will avoid bad situations. Consequently, any guarantees here are about the autonomous system's decisions, not about its external effects.

Autonomy in the Real World
Autonomous systems, such as we are discussing, are constructed in a component-based fashion with an agent-based decision maker and a control system. This means they have a natural decomposition at design time. In many cases the agent-based decision maker is viewed as the replacement for a human pilot or operator who would, otherwise, interact with the control system.
How might we guarantee behaviour within such an autonomous system embedded in the real world? Following a decompositional approach we need not (and, indeed we argue that we can not, for the reasons outlined in Section 2.6) ensure that an autonomous system will certainly lead to a change in the real world. When using the model-checking approach to verification, efforts to model the entire system and its interaction with the real world with any degree of accuracy necessarily involve complex abstractions together with a number of assumptions. These abstractions and assumptions are embedded deep within an executable model and may not be explicit to end users, or even to the modellers. Therefore if we provide a guarantee, for example, that the autonomous system can definitely achieve or avoid something, there will be a number of pre-conditions (that the real world will behave in some particular way) to that guarantee that may be hard to extract. One of the aims of our approach is that the assumptions embedded in the modelling of the real world should be as explicit as possible to the end users of a verification attempt.
Obviously, some parts of an agent's reasoning are triggered by the arrival of information from the real world and we must deal with this appropriately. So, we first analyse the agent's program to assess what these incoming perceptions can be, and then explore, via the model checker, all possible combinations of these. This allows us to be agnostic about how the real world might actually behave and simply verify how the agent behaves no matter what information it receives. Furthermore, this allows us to use hypotheses that explicitly describe how patterns of perceptions might occur. Taking such an approach clearly gives rise to a large state space because we explore all possible combinations of inputs to a particular agent. However it also allows us to investigate a multi-agent system in a compositional way. Using standard assume-guarantee (or rely-guarantee) approaches [67,52,53,66,60], we need only check the internal operation of a single agent at a time and can then combine the results from the model checking using deductive methods to prove theorems about the system as a whole. Abstracting away from the continuous parts of the system allows us to use model checking in a compositional fashion.
It should be noted that, in many ways, our approach is the complement of the typical approach employed in the verification of hybrid automata and hybrid programs. We are primarily concerned with the correctness of the discrete algorithms and are happy to abstract away from the underlying continuous system, while the other approaches are more concerned with the verification of the continuous control and are happy to abstract away from the discrete decision-making algorithms.

Overview
In summary, we had two main aims in developing our verification methodology: to maintain the natural decomposition of the system design in the verification, allowing us to verify the symbolic and non-symbolic aspects separately; and to make any assumptions about the continuous/real world environment as explicit as possible. It is preferable to treat the verification and analysis in a compositional fashion, if at all possible, for a variety of reasons. It simplifies the verification task, encourages reuse, and allows appropriate domain specific analysis tools to be used. Moreover, in many of the situations we are interested in, the control system is trusted and the primary concern is the extent to which the decision-making component conforms to the expectations about the behaviour of a human operator. Therefore we have an additional motivation to verify the symbolic reasoning in detail and in isolation.
Thus, in summary, our overall approach [39] involves: 1. modelling/implementing the agent behaviour and describing the interface (input/output) to the agent; 2. model checking the decision-making agent within an coarse over-approximation of the environment derived from the analysis of agent inputs (this will establish some property, ϕ); 3. if available, utilizing environmental hypotheses/assumptions, in the form of logical statements, to derive further properties of the system; 4. if the agent is refined, then modify (1) while if environmental properties are clarified, modify (3); and 5. deducing properties of multi-agent systems by model checking the behaviour of individual agents in a component-wise fashion and then combining the results deductively to infer properties of the whole system.
We will later examine three very different scenarios in order to exemplify the key features of the methodology.

5
Hybrid Autonomous System Figure 1: The Typical Structure of a Hybrid Autonomous System. Low level choices such as (e.g., tight sense-react loops) are governed by the control system while high-level choices (e.g., managing long term goals) are governed by a rational agent.
A general agent is simply the encapsulation of some distributed computational component within a larger system. However, in many settings, something more is needed. Rather than just having a system which makes its own decisions in an opaque way, it is increasingly important for the agent to have explicit reasons (that it could explain, if necessary) for making one choice over another.
In the setting of autonomous systems, explicit reasoning assists acceptance. When queried about its choices an autonomous system should be able to explain them, thus allowing users to convince themselves over time that the system is reasoning competently. More importantly, where an autonomous system is likely to be the subject of certification, it may need to fulfill obligations to do with reporting, particularly in instances where an accident or "near miss" has occurred. It is desirable for such reporting to be presented at a high level which explains its choices in terms of what information it had, and what it was trying to achieve.
Rational agents [13,75,89] enable the representation of this kind of reasoning. Such an agent has explicit reasons for making the choices it does. We often describe a rational agent's beliefs and goals, which in turn determine the agent's intentions. Such agents make decisions about what action to perform, given their current beliefs, goals and intentions.

BDI Agents and Programming Languages
The predominant view of rational agency is that encapsulated within the BDI model [74,75,76]. Here, 'BDI' stands for Beliefs, Desires, and Intentions. Beliefs represent the agent's (possibly incomplete, possibly incorrect) information about itself, other agents, and its environment, desires represent the agent's long-term goals while intentions represent the goals that the agent is actively pursuing.
There are many different agent programming languages and agent platforms based, at least in part, on the BDI approach. Particular languages developed for programming rational agents in a BDI-like way include AgentSpeak [77], Jason [10,7], 3APL [48,22], Jadex [72], Brahms [79], GOAL [49,24], and GWENDOLEN [29]. Agents programmed in these languages commonly contain a set of beliefs, a set of goals, and a set of plans. Plans determine how an agent acts based on its beliefs and goals and form the 7 basis for practical reasoning (i.e., reasoning about actions) in such agents. As a result of executing a plan, the beliefs and goals of an agent may change as the agent performs actions in its environment.

Agent Controlled Hybrid Systems
Agent based control of decision-making in hybrid systems has been an area of research since at least the 1990s. Kohn and Nerode's MAHCA system [57] uses multiple knowledge-based agents as planners. While these agents are not based on the BDI paradigm, which was only in its infancy when MAHCA was originally developed, the approach is motivated by a desire to represent logical decision-making in a high-level declarative fashion.
More recently agent based approaches have been explored in the control of spacecraft [68], Unmanned Aircraft [55,86,70], and robotics [87]. Many of these approaches are explicitly BDI based and are motivated by the desire to separate the symbolic and sub-symbolic reasoning and model the mission designer's intent.

Formal Verification and Model Checking
Formal verification is essentially the process of assessing whether a specification given in formal logic is satisfied on a particular formal description of the system in question. For a specific logical property, ϕ, there are many different approaches to this [37,25,11], ranging from deductive verification against a logical description of the system ψ S (i.e., ψ S ⇒ ϕ) to the algorithmic verification of the property against a model of the system, M (i.e., M |= ϕ). The latter has been extremely successful in Computer Science and Artificial Intelligence, primarily through the model checking approach [17]. This takes an executable model of the system in question, defining all the model's possible executions, and then checks a logical property against this model (and, hence, against all possible executions).
Whereas model checking involves assessing a logical specification against all executions of a model of the system, an alternative approach is to check a logical property directly against all actual executions of the system. This is termed the model checking of programs [85] and crucially depends on being able to determine all executions of the actual program. In the case of Java, this is feasible since a modified virtual machine can be used to manipulate the program executions. The Java Pathfinder (JPF) system [85] carries out formal verification of Java programs in this way by exhaustively analysing all the possible execution paths. This avoids the need for an extra level of abstraction and ensures that verification truly occurs on the real system. However, although exhaustive, such techniques are typically much slower than standard model checking.

Verifying Hybrid Systems
As mentioned above, there are two major approaches to constructing hybrid systems. We have followed the methodology of providing two components, a decision making system that interacts with an underlying control system. The other major approach is that of hybrid automata.
An automaton consists of a set of states with transitions between them. Traditionally automata states are static but, in hybrid automata, the states are governed by differential inclusions which control the behaviour of the overall system while the automata is in that state. Each state therefore contains (state) variables whose value may evolve and change in a continuous fashion while the automata is in that state. Key aspects of a hybrid automaton state are the flow conditions; equations which express the evolution of continuous variables while in that state, and invariant conditions; a predicate over the state variables which must be satisfied in that state. If the invariant conditions are violated then the state is forced to transition to another. When a transition occurs, jump conditions determine the initial values of the state variables in the next state.
The model checking of hybrid automata involves exploring trajectories within each automata state. Given (a set of) starting values for the variables in the state the system attempts to determine a bounded sub-region of R n which contains all possible values of the variables that can be reached within that state before it transitions to another. The possible values of the variables at the point of transition, together with the jump conditions, will form the starting values for the variables in the next state, and so on until all possible states of the system have been explored. (See [45,3] and [46] for detailed descriptions of the model checking of hybrid automata based systems.) From our perspective: the verification of agent-based hybrid control systems, with a particular interest in the verification of implementations of decision-making algorithms, the hybrid automata approach has several drawbacks, as follows.
1. As noted earlier, it is difficult to decompose a hybrid automaton with a complex decision-making process into sub-systems (though approaches using concurrent automata are possible). However, even after such a decomposition, the model checking problem can not be easily decomposed to consider only some sub-set of the states of the system (e.g., just those involved with control algorithms). The calculation of a bounded region that limits the trajectories within a state is dependent upon the possible values of the variables on entering the state and these, in turn, depend upon the values of those variables in the previous state and the jump conditions. Therefore the region of possible trajectories may vary each time a state is visited. As a result, the algorithm needs to calculate all the potential sets of starting values for each state. It is not, in general, possible to determine in advance what the entry constraints will be for some sub-set of the automaton states without exploring the whole automaton.
As a result the whole system must often be treated as a unit. This not only makes the model checking problem harder but also limits the reuse of results when changes are made to the system.
2. The classes of hybrid automata that have decidable model checking problems are limited. While there are several possible decidable fragments, linear hybrid automata are most frequently used (for instance the HYTECH model checker works on linear hybrid automata [46]). The main restrictions on linear hybrid automata are that the formulae describing the evolution of dynamic variables, their constraints, and the evolution to new discrete states must be finite conjunctions of linear inequalities, and the flow conditions may refer only to derivatives of state variables and not to the variables themselves. From the perspective of complex decision-making the restriction to conjunctions of inequalities, rather than more expressive formulae forces logical reasoning to be modelled using sequences of discrete transitions where intuitively only one transition should take place.
3. This in turn means that tools such as HYTECH [46], and PHAVER [40] implemented for the model checking of linear hybrid automata also do not scale well in the presence of large discrete state spaces [21]. Not only do complex logical computations have to be modelled as a set of states with the same continuous dynamics, but also the process of determining trajectories through individual discrete states tends to create multiple states in the model checking algorithm for each state in the hybrid automata (i.e., a state for each possible region of trajectories through the state).
4. As noted above, a hybrid automaton models the behaviour of an entire system; both the computational and the real world parts. As a result, in general, hybrid automata do not provide a suitable implementation language for a programmer wishing to create the computational parts of some larger system. Consequently, hybrid automata model checking operates much like standard model checking, i.e., it verifies a model of the implemented system, rather than the system itself.
Particularly in certification contexts there is a need to verify the actual implemented system. In these cases it is necessary to somehow compile the implemented system, together with a model of its environment, into an explicit hybrid automaton before analysis.

Approaches to Compositionality and Expressivity
PHAVER [40] uses assume-guarantee style reasoning based on I/O Automata to allow the model checking of linear hybrid automata to be approached in a compositional fashion [41]. The approach takes a hybrid automaton that has been constructed from the parallel composition of smaller sub-systems (e.g., a physical system with its continuous dynamics, and a software controller). This work describes how, during model checking, these sub-systems can be replaced by abstractions which are comparable. So a physical system can be model checked, composed with an abstraction of a software controller and vice versa. This work provides results and algorithms for establishing the correctness of the original system via verification of these new systems and experimental results to show the improvements in efficiency gained by verifying multiple simple systems in place of a single monolithic complex system. The more abstract systems constitute an over-approximation of the original sub-system and therefore it is possible for the verification process to return false negatives. The underlying verification continues to use hybrid automata based model checking and so remains constrained by many of the considerations above (e.g., PHAVER is restricted to linear hybrid automata). However the basic approach, abstracting away one sub-system, is substantially similar to the one we adopt here. Platzer has developed a theorem proving approach for verifying hybrid automata which is implemented in the KeYmaera system [71]. This benefits from many of the advantages of theorem proving, in that it can produce stronger, more general, results than model checking but also suffers from its disadvantages. Producing such verifications is generally time-consuming and requires highly skilled users although KeYmaera is linked to a number of automated systems for solving sub-problems.
KeYmaera verifies hybrid systems which are represented as hybrid programs written in a dedicated while-style programming language. There is a direct embedding of hybrid automata into hybrid programs. However hybrid programs are more expressive than, for instance, linear hybrid automata, and it is possible to represent complex logical formulae as invariants on states. Unfortunately, the language remains at a low level, meaning that the implementation of complex decision-making is quite cumbersome.

Solutions to the Modeling Problem
While it is theoretically possible to represent all hybrid systems as hybrid automata or hybrid programs, it is time consuming to do so. In particular, as noted above, it is difficult to represent complex computations occurring at the discrete decision-making level in a compact fashion. As a result, where complex decision-making takes place a hybrid automaton or hybrid program approach frequently abstracts away from the process and, instead, just represents all possible outcomes of the decision-making as non-deterministic choices. While this simplifies the hybrid automaton/program representation and makes its creation feasible it can, as a result, introduce "false negatives" into the verification process -i.e., states exist in the hybrid automaton/program that would not exist in reality since the decision-making process would have vetoed them.
There have been several attempts to produce systems that will compile higher level programming languages into hybrid automata for verification -thus allowing the full complexity of decision-making to be represented. These systems can also, potentially, employ abstraction techniques during the compilation process in order to reduce the search space. Such approaches have focused on synchronous languages such as LUSTRE [15], and Quartz [4].
The agent paradigm, in particular, has been developed to address distributed asynchronous situations which makes it attractive in situations where a synchronous model of time is unhelpful. However, as yet, no system has been created to compile agent-based control into hybrid automata.

Model Checking Agent Programs
There are a number of approaches to model checking and verifying multi-agent systems [1,63,42]. Most of these are not specifically geared towards BDI-style rational agents but provide more general tools for the analysis of agents. In general these have not been applied to the problem of hybrid systems although MCMAS has been used in the verification of hybrid automata [36].
There are three systems that focus specifically on the model checking of BDI programs. [54] describe a program model checker tailored specifically towards the GOAL programming language. Both [51] and [81] have investigated the model checking of Brahms [79] programs using SPIN [50]. Both systems re-implement Brahms in Java and then either export directly into SPIN [81] or use Java Pathfinder (JPF) to generate a model which is then exported to SPIN [51].
The MCAPL framework [33] (described in more detail below) provides access to model checking facilities to programs written in a wide range of BDI-style agent programming languages so long as those languages have a Java-based program interpreter. We chose to use the MCAPL framework in this work but the general methodology does not depend upon that choice, or even upon the choice of a program model checker for a BDI language.

The MCAPL Framework
In the examples discussed later in this paper we use the MCAPL framework which includes a model checker built on top of JPF. We do not consider the framework to be integral to our approach to the verification of agent-based decision-making in autonomous systems, though some general background on the system will be useful when reading the later examples. The framework is described in detail in [33], we therefore provide only a brief overview here. It has two main sub-components: the AIL-toolkit for implementing interpreters for rational agent programming languages and the AJPF model checker.
Interpreters for BDI languages are programmed by instantiating the Java-based AIL toolkit [30]. An agent system can be programmed in the normal way for a language but runs in the AIL interpreter which in turn runs on the Java Pathfinder (JPF) virtual machine. This is a Java virtual machine specially designed to maintain backtrack points and explore, for instance, all possible thread scheduling options (that can affect the result of the verification) [85].
Agent JPF (AJPF) is a customisation of JPF that is optimised for AIL-based language interpreters. Agents programmed in languages that are implemented using the AIL-toolkit can thus be model checked in AJPF. Furthermore if they run in an environment programmed in Java, then the whole agent system can be model checked. Common to all language interpreters implemented using the AIL are the AIL-agent data structures for beliefs, intentions, goals, etc., which are subsequently accessed by the model checker and on which the modalities of a property specification language are defined. Since we will be using this AJPF property specification language (PSL) extensively later in this paper, we here describe its syntax and semantics (from [33]).

Temporal and Modal Logics and the MCAPL Property Specification Language
So far we have mentioned little about the logical description that we use to describe the properties required of our system. In standard model checking, the logical formulae are typically from some variety of temporal logic, such as PLTL (propositional linear temporal logic). Underlying this particular logic is a model of time based upon the natural numbers, and formulae are evaluated at the current moment in time within this. Thus, some proposition 'raining' might be true at the current moment in time but false in the next moment. Temporal operators then allow us to move between moments in time within our formulae. In PLTL, such operators are typically of the form ' ' (at all future moments), '♦' (at some future moment), ' g ' (at the next moment), etc. Thus ♦raining ⇒ g get umbrella means that if, at some moment in the future it will be raining, then at the next moment in time we should get our umbrella. Such a logical base provides well-understood and unambiguous formalism for describing the basic system dynamics [38]. (Note that we do not define ♦, , etc, directly but give the semantics of the more expressive temporal operators U and R, and then derive other temporal operators from these as needed.) However, in order to describe the behaviour of, and requirements within, rational agents, we often need additional logical dimensions [58]. Thus we combine our basic temporal logic with logical modalities for describing beliefs (that represent the agent's knowledge about its situation) and motivations (that represent the agent's reasons for making choices).
As an example, consider the following formula, a variation of which we will use later: meaning that if a robot believes it has found a trapped human then eventually either it believes the human is free or it intends to make the human free. Notice how this formula combines temporal operators with the belief operator, B, and the intention operator, I. The AJPF property specification language is thus formally defined as follows: PSL Syntax The syntax for property formulae ϕ is as follows, where ag is an "agent constant" referring to a specific agent in the system, and f is a ground first-order atomic formula: Here, B ag f is true if ag believes f to be true, G ag f is true if ag has a goal to make f true, and so on (with A representing actions, I representing intentions, and P representing percepts, i.e., properties that are true in the external environment (e.g., a simulation of the real world) in which the agent operates).
PSL Semantics We next examine the specific semantics of our property formulae. Consider a program, P, describing a multi-agent system and let MAS be the state of the multi-agent system at one point in the run of P. MAS is a tuple consisting of the local states of the individual agents and of the environment. Let ag ∈ MAS be the state of an agent in the MAS tuple at this point in the program execution. Then where |= is logical consequence as implemented by the agent programming language. The interpretation of G ag f is given as: where ag G is the set of agent goals (as implemented by the agent programming language). The interpretation of A ag f is: if, and only if, the last action changing the environment was action f taken by agent ag. Similarly, the interpretation of I ag f is given as: if, and only if, f ∈ ag G and there is an intended means for f (in AIL this is interpreted as having selected some plan that can achieve f ). Finally, the interpretation of P( f ) is given as: if, and only if, f is a percept that holds true in the environment.
The other operators in the AJPF property specification language have standard PLTL semantics [35] and are implemented as Büchi Automata as described in [43,20]. Thus, the classical logic operators are defined by: The temporal formulae apply to runs of the programs in the JPF model checker. A run consists of a (possibly infinite) sequence of program states MAS i , i ≥ 0 where MAS 0 is the initial state of the program (note, however, that for model checking the number of different states in any run is assumed to be finite). Let P be a multi-agent program, then The common temporal operators ♦ (eventually) and (always) are, in turn, derivable from U and R in the usual way [35].
For the future, we hope to incorporate modalities for knowledge (for describing information evolution) and coalitions (for describing cooperative systems) [5] as well as extending some or all of these modalities to a full logic. Investigating alternative logics for model checking autonomous systems is also the subject of further work.

Abstracting from the Real World
Dealing with the "real world" presents a dual challenge to an agent based programming and analysis system. Rational agent reasoning, as supported by BDI languages, is essentially discrete while the real world is typically not only continuous but also unpredictable. Similarly, when we wish to analyse a system embedded in the real world, while we would ideally like to be certain about how it will behave, full/exhaustive formal verification of all aspects of an autonomous system together with its environment is impossible. Thus, we cannot say, for certain, whether any course of action our system takes will definitely achieve/avoid some situation. A typical way to deal with both these problems has been to use abstraction.
Abstraction and Decision-Making. Dealing with the real world presents a number of problems to the integration of a control system with a discrete decision-making part; recall Fig. 1.
Our approach to autonomous decision-making in a hybrid agent system arises from a careful choice of abstractions that relate the continuous world with discrete decision states selected by taking into account 13 all the possible responses of the continuous physical environment and communications from other agents. Using these abstractions one can then define basic rules of behaviour, and can formulate goals to keep the system within constraints and to set both short and long term objectives. This allows us to use the agentbased approach, where goals, plans, and logical inference are all captured within the rational agent.
Generating appropriate abstractions to mediate between continuous and discrete parts of a system is the key to any link between a control system and a reasoning system. Abstractions allow concepts to be translated from the quantitative data derived from sensors (and necessary to actually run the underlying system) to the qualitative data needed for reasoning. For instance a control system may sense and store precise location coordinates, represented as real numbers, while the reasoning system may only be interested in whether a vehicle is within reasonable bounds of its desired position.
We have been exploring an architecture [26] in which the rational agents are partnered with an abstraction engine that discretizes the continuous information in an explicit fashion which we are able to use in verification. Currently the abstraction engine is implemented as a distinct rational agent, though we intend to move to a stream processing model in future.
Abstraction and Formal Verification. Abstraction has a long history in the formal modelling of "real world" phenomena for verification [18]. Abstractions for model checking hybrid systems have been extensively studied [2,46,82,69]. Model checking requires the continuous search space to be divided into a finite set of regions which can be examined, in order for the model checker to exhaustively trace a finite set of paths through these regions. This provides a simpler representation of the world which (hopefully) preserves its key features.
Since the "real world" is inherently complex, often involving control systems, physical processes and human interactions, even defining appropriate abstractions is difficult. Often we either take a very coarse abstraction, which risks being very far away from a real system, or a very detailed abstraction leading to complex structures such as stochastic, hybrid automata (which are, themselves, often very hard to deal with [16]). Neither of these are entirely satisfactory, and neither guarantees completely accurate analysis. Our approach opts for a coarse abstraction which over-approximates the real world. Where we have an explicit abstraction engine, as mentioned above, we use this to form the coarse abstraction (see the examples in sections 4.3 and 5). In many ways this is similar to the approach taken by PHAVER but is not based on a decomposition of the system into parallel hybrid automata; we are also less interested in verifying the whole system but are primarily concerned with verifying the decision-making algorithms.
In this section we have examined the history of agent-based control of hybrid systems and the separate strands of research into the verification in hybrid systems and verification of agent programs. We next begin to tackle a series of example systems, defining the controlling agent(s), describing the environmental assumptions and carrying out formal verification.

Scenario: Urban Search and Rescue
Consider a (simplified) example based on the RoboCup Rescue, or "urban search and rescue", scenario [56]. This is a widely used test scenario for autonomous mobile robots, providing not only a variety of environmental abstractions but also the potential for both individual and cooperative behaviours. A natural disaster (e.g., an earthquake) has caused buildings to collapse. Autonomous robots are searching for survivors buried in the rubble. There may be many of these robots, each with sensors for detecting buried humans. Let us model this scenario on a simple grid. A robot can move around spaces on the grid and a human is placed

Implementation
Listing 1 shows part of the agent code for a simple search robot written using the BDI-style agent programming language, GWENDOLEN [29]. The robot has the goal of reaching a state where it can leave the area. It can only achieve this goal if either it believes it has found the human or believes that the area is actually empty.
Syntax. GWENDOLEN uses many syntactic conventions from BDI agent languages: +!g indicates the addition of the goal g; +b indicates the addition of the belief b; while −b indicates the removal of the belief. Plans then consist of three parts, with the pattern trigger : guard ← body.
The ' trigger ' is typically the addition of a goal or a belief (beliefs may be acquired thanks to the operation of perception and as a result of internal deliberation); the 'guard' states conditions about the agent's beliefs (and, potentially, goals) which must be true before the plan can become active; and the 'body' is a stack of 'deeds' the agent performs in order to execute the plan. These deeds typically involve the addition and deletion of goals and beliefs as well as actions (e.g., move to(X1,Y1)) which refer to code that is delegated to non-rational parts of the systems (in this case, motor systems). In the above, PROLOG conventions are used, and so capitalised names inside terms indicate free variables which are instantiated by unification (typically against the agent's beliefs). Programs may also perform deductive reasoning on their atomic beliefs as described in their belief rules. For instance indicates that the agent believes the whole area is empty if it is not the case (i.e., '∼') that it believes there is some square that it does not believe is empty (the "closed world assumption" is used to deduce that the agent does not believe something).
In Listing 1, the goal, +!leave, represents an achievement goal [83] meaning that the agent must continue attempting the plans associated with the goal (if they are applicable) until it has acquired the belief 'leave' (i.e., it wishes to achieve a state of the world in which it believes it can leave the area). Note that, in the above program, the agent cannot directly deduce "B human", i.e., there is a human at the current position, as it requires its sensors to tell it if it can see a human. The underlying language interpreter regularly polls the sensors for belief changes associated with perception.
In Listing 1 the agent picks an unchecked square in the grid to explore. It continues to do this until either its sensors tell it that it can see a human or until it believes the area is empty.

Verification
Now, we wish to verify the robot's reasoning is correct, independent either of the modelling of other parts of the system or any detail of its environment. So, we might wish to verify that if the searching robot, s, believes it can leave the area, then it either believes the human is found or it believes the area is empty.
As noted in Section 2.5, we used the AJPF model checker for this verification. An abstract model for the incoming perceptions must be provided, otherwise we would only be able to check the robot's behaviour when it does not believe it can see a human (since that belief arises from perception alone). Whenever the agent requests some perceptions we supply, randomly, all relevant inputs to the robot. In this case it either sees a human or does not see a human. The choice of which perceptions to supply to the agent and the times at which these perceptions may change obviously represent an abstract model of the real world. However we believe that these are decisions that can be made explicit, avoiding the need for someone to inspect the code of the model in order to determine precisely what has been proved. Moreover it is a model that is extremely conservative in its assumptions about the real world.
Using this model of the environment we were successfully able to verify (1) automatically in AJPF. Similarly we also verified other parts of the agent reasoning for instance, if the searching robot, s, never believes it sees the human then that means that eventually it will believe it has visited all squares in the grid.
NB. the AJPF property specification language is propositional and so the use of universal (∀) quantifiers in these examples is just a shorthand for an enumeration over all possible values. In this case we used a 3 × 3 grid so the actual property checked was Use of quantifiers in other AJPF property specification language expressions throughout the paper should be understood in a similar way.

Deduction using Environmental Assumptions
There is a great deal we can formally verify about an agent's behaviour without reference to the agent's environment. However there are still things we might reasonably wish to prove given simple assumptions about the behaviour of the real world. Thus, once we have shown System |= ϕ, for some relevant property ϕ, then we can use the fact that the environment satisfies ψ to establish System |= (ψ ∧ ϕ) and hence (if For instance, we might want to assume that the robot's sensors accurately detect the human, and that its motor control operates correctly. If we know these facts then we can prove a stronger property that the agent will actually find the human as well as believing it has found the human. Let us define 'found human' as the property that the robot and the human are in the same grid square and the robot believes it can see the human.
We can characterise correct sensors as: the robot believes it can see a human if, and only if, it is in the same square as the human.
Similarly, we need to state, as an assumption, that the robot's motors are working correctly.
the robot believes it has reached a grid square if, and only if, it is actually in that grid square.
Given this framework we might want to show that if the robot's sensors and motors are working correctly and if a human is stationary on the grid then eventually the robot will find the human.
We have already verified the agent's internal reasoning by model checking to give us the property in (2) which tells us that either the robot believes it sees the human or it visits every square. From this (6) can easily be proved. This can be done by hand, or by using a suitable temporal/modal logic prover [38] -for instance we were easily able to prove this theorem on a three by three grid automatically in the online Logics Workbench [47] (see Appendix C for the input commands).
A key aspect here is that this 'proof' that the robot will find the human only works if the human does not move and, indeed, we have had to state that explicitly (via at(human, X, Y))! Without this assumption the proof fails since there will be no way to prove that, eventually, the robot and human will be in the same square at the same time.

Multi-Agent Systems
In more sophisticated scenarios we not only want to check properties of single agents but of groups of agents working together. Thus, imagine that we now have another robot, capable of 'lifting' rubble. The aim is for the two robots to work as a team: the 'searching' robot, 's', will find the human, then the 'lifting' robot, 'l', will come and remove the rubble. We will refer to the beliefs of the lifting robot as B l . Ideally, if these two work together as expected then we would like to show that eventually the lifter believes the human is free: However, this depends on several things, for example that any communication between the robots will actually succeed. We can adopt our previous approach and analyse each robot independently based on random perceptions and, in this case, messages being received from the environment. So we can establish that (we have slightly simplified the properties for presentational purposes): the searcher will send a message to the lifter if it finds a human.
(B s found ⇒ ♦B s sent(lifter, human(SomeX, SomeY))) and the lifter will free the human if it receives such a message (B l rec(searcher, human(X, Y))) ⇒ ♦B l free(human)) We can also express the assumption that messages sent by the searcher will always be received by the lifter and then use the model checker to prove properties of the combined system, e.g: if messages sent by the searcher are always received by the lifter then if the searcher believes it has found a human, eventually the lifter will believe the human is free.
(B s sent(lifter, human(X, Y)) ⇒ ♦B l rec(searcher, human(X, Y))) ⇒ (B s found ⇒ ♦B l free(human)) Potentially, using reasoning such as this, two autonomous robots could believe that they will together achieve a required situation given some joint beliefs about the environment. However if we reason about each agent separately to deduce properties (8) and (9) we reduce both the size of the automaton to be checked and the size of the search space. We can then combine these component properties with an appropriate statement about communication, i.e.
(B s sent(lifter, human(X, Y)) ⇒ ♦B l rec(searcher, human(X, Y))) in order to reach the conclusion of (10) deductively 5 . This demonstrates one of the advantages of a compositional approach -namely that the complexity of model checking tasks can be kept to a minimum.

Goals and Intentions
We have been verifying the beliefs agents acquire about their environment in lieu of verifying actual facts about the environment. However, we are also interested in verifying the choices that agents make. Suppose that our lifting agent does not deduce that the human is free (because it has moved some rubble), but continues to lift rubble out of the way until its sensors tell it the area is clear (see Listing 2). We cannot verify that the robot will eventually believe the human is free since we can not be sure that it will ever believe that the human is actually clear of rubble. However, we can establish (and have verified) that if the lifting agent believes the human to be at position (X, Y) then eventually it will form an intention to free the human.
As above, we can derive further properties under assumptions about the way perception behaves: assuming that, whenever the lifter forms an intention to free the human it will eventually believe the rubble is clear, then receipt of a message from the searcher will eventually result in the lifter believing the human is free.
While much simplification has occurred here, it is clear how we can carry out compositional verification, mixing agent model checking and temporal/modal proof, and how the environmental abstractions we use can be refined in many ways to provide increasingly refined abstractions of the "real world". Crucially, however, we can assess the choices the agent makes based on its beliefs about its environment and not what actually happens in its environment [39].

Scenario: Rational Hybrid Agents for Autonomous Satellites
The previous example involved simple code developed to illustrate our methodology. We now turn to look at code developed as part of a project to investigate agent based control of satellite systems [62]. The code was not initially developed with verification in mind. Traditionally, a satellite is a large and very expensive piece of equipment, tightly controlled by a ground team with little scope for autonomy. Recently, however, the space industry has sought to abandon large monolithic platforms in favour of multiple, smaller, more autonomous, satellites working in teams to accomplish the task of a larger vehicle through distributed methods.
The nature of these satellite systems, having a genuine need for co-operation and autonomy, mission critical aspects and interaction with the real world in an environment that is, in many respects, simpler than a terrestrial one, makes them a good test-bed for our approach to analysing autonomous systems.

System Architecture
We have built a hybrid system embedding existing technology for generating feedback controllers and configuring satellite systems within a decision-making part based upon a high-level agent program. The decision-making relies on discrete information (e.g., "a thruster is broken") while system control tends to rely on continuous information (e.g., "thruster fuel pressure is 65.3"). Thus, it is vital to be able to abstract from the dynamic system properties and provide discrete abstractions for use by the agent program. It is for this reason that, as mentioned earlier, we have an explicit abstraction layer within our architecture that translates between the two information styles as data flows around the system. Fig. 2 shows the full architecture for our system [28]. R is a traditional BDI system dealing with discrete information, Π and Ω are traditional control systems, typically generated by MATLAB/SIMULINK, while A provides the vital "glue" between all these parts [26]. We will not discuss the implementation of Π and Ω in any detail; our concern is primarily with R and its interaction with A.
The agent programming language used to implement R (again, GWENDOLEN) encourages an engineer to express decisions in terms of the beliefs an agent has, what it wants to achieve, and how it will cope with any unusual events. This reduces code size so an engineer need not explicitly describe how the satellite should behave in each possible configuration of the system, but can instead focus on describing the factors relevant to particular decisions [27]. The key aspect of deliberation within agent programs allows the decisionmaking part to adapt intelligently to changing dynamic situations, changing priorities, and uncertain sensors.

Semantics of Interaction
Our hybrid architecture consists of a Physical Engine (Π), a Continuous Engine (Ω), an Abstraction Engine (A) and a Reasoning Engine (R). We developed a semantics for interaction between these which operates via shared sets of which, for our purposes, the most interesting is the set of shared beliefs, Σ, used by both A and R to describe their shared, discrete, understanding of the world. R may also make specific requests for calculations to be performed by Ω or actions to be performed by Π. These requests are sent via A. Among other things, A takes any (potentially continuous) results returned by Ω and discretizes these as a shared belief for R. Overall, the role of A is to interface between R and the other engines. This helps avoid data overload by replacing large 'chunks' of incoming data with key discrete predicates [26].
In this semantics all perceptions that arrive via sensors from the real world are filtered through A, which converts them into discrete shared beliefs, Σ. Therefore, from a model checking perspective, if we are interested in how the external world can affect the internal beliefs of the Reasoning Engine, R, then we are primarily interested in the possible compositions of Σ.

System Implementation
This architecture and interaction semantics have been implemented within a simulation environment, where the Physical and Continuous engines (Π and Ω) are implemented in MATLAB, while A and R are written in a customised variant of the GWENDOLEN programming language [29]. This extended language includes constructs for explicitly calling Π and Ω and a Java environment interface that supports such calls. This Java environment handles the shared data sets, in particular the shared beliefs which are used by A and R and also controls communication with MATLAB via sockets.
The architecture has been deployed on multiple satellites within a satellite hardware test facility as well as within a number of simulated environments. A range of satellite scenarios have been devised and tested, involving assuming and maintaining various formations, fault monitoring and recovery and collaborative surveying work in environments such as geostationary and low Earth orbits and among semi-charted asteroid fields. The system and scenarios are described more fully in [62].
The focus of this example is upon the verification that took place after this initial implementation and testing. Given the verification was of the rational engine alone, it was obviously important that the behaviour of the whole system be tested separately but this paper does not examine these aspects.

Adapting the System for Model Checking
Our principal interest here is in the verification of the discrete reasoning parts of the system. These are represented by R and so we want to abstract away A, Ω and Π, yet do so in a coherent fashion. Since all communication with Π and Ω to and from R occurs via A, we can ignore Ω and Π entirely and just focus on A and R.
The architecture proved particularly conducive to the verification methodology proposed. Since programmers were encouraged to explicitly program up the abstractions to be used with the Abstraction Engine, A, it became possible to "read off" from the code for an abstraction engine all the shared beliefs that could be asserted in response to changing perceptions. This in turn allows us to pre-determine the possible configurations of Σ, the set of shared beliefs. Similarly we were able to analyse the messages that agents sent to determine which messages might be received by other agents in the system. Since the only external input to the reasoning engine was from shared beliefs and messages it was easy to clearly define the set of inputs needed for verification.
We implemented a specific verification environment that observed the Reasoning Engine's interface requirements for the hybrid system. This consisted entirely of asserting and retracting these shared beliefs and messages. Each time an agent took an action in the environment a new set of shared beliefs and a new set of messages were generated at random. Each time the agent requested the shared beliefs a random shared belief set was sent to it (similarly with messages). During model checking the calls to random number generation caused the model checker branch and to explore all possible outcomes that could be generated. In order to limit the search space we take the (simplifying) view that reasoning happens instantaneously, while action has a duration. Therefore the only times at which the system randomly changes the perceptions/shared beliefs and messages available to the reasoning engine are when the reasoning engine takes some form of action (i.e., a request for a calculation from Ω). The model checker will then explore all possible combinations of shared beliefs and messages that might be available at that point, modelling essentially both the times an action results in the expected outcome and those when it does not. It is important to again emphasize that those aspects of the system relating to the Abstraction, Continuous and Physical engines were not required for model checking the system.

Example: Autonomous Satellites in Low Earth Orbit
A low Earth orbit (LEO) is an orbit with an altitude ranging between that of the Earth's upper atmosphere, at approximately 250km, and an upper bound of 2000km; the orbit may be inclined to the equator and may or may not be elliptical. LEOs are used predominantly by Earth observation missions that require high resolution imaging, including weather, Earth resource and military satellites.
LEO based satellites travel at high speed, completing an orbit within approximately 90 minutes. Orbiting at such great speeds presents a secondary issue concerning the control and monitoring of LEO satellites: ground station visibility is restricted to between 5 and 15 minutes per overhead passage of a ground station. Whilst multiple ground stations, or space based relay satellites orbiting at higher altitudes, may be switched between to enable greater communication periods, the growth in infrastructure is a clear disadvantage. As a result there is a need to increase the autonomous control of such systems.

Scenario
We developed a model of satellite formations in low Earth orbit. The Continuous Engine, Ω, was programmed to supply plans for moving to particular locations in a formation. The algorithm used to generate such plans was based on that in [61]. Controls were made available in the Physical Engine, Π, which could send a particular named activation plan (i.e., one calculated by Ω) to the feedback controller and control the valves that determined which fuel line was being utilised by each thruster.
The satellite was assumed holonomic in control, and provided with thrusters in three body axes (X, Y and Z) each of which contained two fuel lines. This enabled the agent to switch fuel line in the event of a rupture (detectable by a drop in fuel pressure).
In the simple case examined here, the satellites were expected to move to pre-generated locations in a formation, correcting for a single fuel line breakage, if it occurred.

Implementation and Testing
The code for the abstraction and rational engines for these examples can be found in Appendix A together with a detailed description of its functionality.
The software was developed and tested both in simulation, using a SIMULINK implementation of Π and Ω, and on a physical satellite simulation environment developed initially at the University of Southampton and then moved to the University of Sheffield. In simulation a "gremlin" agent was introduced that could, at specified points, insert hardware failures into the satellite system. In physical testing it was possible to simulate failures in "path following" by physically moving the satellites from their chosen course. Having produced a working system the task was then to formally analyse it.

Analysis of a Single Satellite Agent
We wish to verify the satellite's Reasoning Engine is correct, independent of the modelling of other parts of the system and any detail of its environment.
Inspection of the Abstraction Engine code revealed that the shared beliefs that needed to be were, close to (Pos) (meaning that the satellite is close to position, Pos), broken(X) (meaning thruster X is broken), thruster bank line (X, B, L) (meaning thruster X, is currently in bank B and using fuel line L) and get close to (Pos, P) (meaning that P is a plan for moving to position, P). All of these have parameters. We knew from the physical satellite set-up that the thruster "name", X, could be x, y or z and its bank, B (not used in these examples), and line, L, could be 1 or 2 respectively, depending upon the formation under consideration, Pos, could be none, right , middle, left , topright , topleft , bottomright or bottomleft. get close to also had the name of a plan, P, as a parameter. This name was generated and supplied by the Continuous Engine. This was more of a challenge since the name of the plan would be derived algorithmically inside the Continuous Engine. However the code, itself, never analysed this name simply passing it on to the Physical Engine and so a place-holder name, plan, was used.
Unfortunately, even with relatively few perceptions the combinatorial explosion associated with exploring all possibilities gets very large. For most experiments it is necessary therefore to limit the number of possibilities (we discuss this further in Section 6). However the analysis does allow us to state clearly which inputs are being considered, as is shown in tables 1, 2, 3, and 4.
The choice of parameters for shared beliefs and the times at which these shared beliefs might change obviously represent an abstract model of the real world. However we believe that these are decisions that can be made explicit, avoiding the need for someone to inspect the code of the model in order to determine precisely what has been proved. Moreover it is a model that is extremely conservative in its assumptions about the real world.
In Section 3.2.2 we modelled reliable communication via a hypothesis to our theorem. We will use the same technique to capture hypotheses about the workings of the Continuous and Physical engines. Thus, potentially, once we have shown R |= (ψ → ϕ) then we can use the fact that, for instance Π satisfies ψ to establish {R, Π} |= ϕ As a result of this analysis a number of additional plans were introduced into the agent code to handle edge conditions where information was changing particularly rapidly. The code shown in Appendix A is the final code. The plans on line 50 and lines 56-58 in the Rational Engine in Appendix A.1 were introduced as a result of model-checking to cover cases where, for instance, an abort has already occurred but information arrives that a thruster is newly broken, or that a thruster had been successfully fixed but is now reporting it is broken again. This demonstrates the ability of verification to locate errors that were not found by simulation or testing.

Agent Operation without Thruster Failure or Outside Communication
We first chose to investigate the operation of the agent in a situation where its thrusters do not fail and when no messages were received from outside. Therefore it started out with the goal of assuming its position in a formation, and that the position it was to assume was in the middle of a line. This was achieved by preventing the environment from sending the perception broken(X). The environment delivered no messages.
We define two assumptions about the environment: if the agent requests a plan to get to some position, then it eventually believes it has received a plan.
PlanningSucceeds(Pos) ≡ (A ag1 query(get close to(Pos, P)) ⇒ ♦B ag1 have plan(Pos, plan)) (13) We want to establish, using model checking, that: if the agent receives a plan on request, and the execution of that plan takes it to the middle position in a line, then eventually the agent will believe it is maintaining a position in the middle of the line.
If we wish to relax our environmental assumptions, we can also show that if plan execution always succeeds, then either the agent will eventually believe it is in its desired position, or it never believes it has a plan for getting there.
PlanExecutionSucceeds(middle) ⇒ ♦B ag1 maintaining(middle) ∨ ¬B ag1 have plan(middle, plan) (16) Table 1 shows the environment provided for each property (Inputs), and the size of the generated product automata (in states) and the time taken in hours, minutes and seconds on a dual core 2.8GHz Macbook with 8GB of memory running MacOS X 10.7.5 6 (Results). The columns on the left show the arguments that were supplied to each of the potential percepts (i.e., every time it took an action the agent could either gain the perception get close to (middle, plan) or not, but could not, for instance, get the perception get close to ( left , plan)). × indicates that the percept was not supplied at all. These results could be combined deductively with results about the correct performance of the Continuous and Physical engines to produce a proof that the the agent would eventually believe it was in position. Furthermore, with additional analysis to prove that the sensors always operated correctly: if the agent believes it is in the middle then it really is in the middle then the theorem could be extended to prove that the agent really could be guaranteed always to reach its position.
The important thing to note is that the theorem resulting from the model checking process explicitly states its assumptions about the real world (i.e., that plans are always produced and are always accurate) rather than concealing these assumptions within the coding of the model. Since it is, in reality, unlikely that you could ever guarantee that plan execution would always succeed it might be necessary to combine the model checking with probabilistic results to obtain an analysis of the likely reliability of the agent (see further work in Section 6).
Investigating the Response to Thruster Failure If we include the possibility of thruster failure into our analysis then we can show that if the planning process succeeds then either the agent eventually believes it is maintaining the position or it believes it has a broken thruster.
We can improve on this result by adding extra assumptions about the way the environment behaves: whenever the agent fixes a fuel line then eventually it believes the thruster is working again.
where T is the thruster effected. A second hypothesis is broken thrusters never lead to an abort because of thruster failure.
Property (21) states that if planning succeeds for the middle position, and the x thruster is always believed to be fixable and changing a fuel line means eventually the agent believes the thruster is no longer broken, then eventually the agent will believe it is maintaining its position.
This is obviously only true if the y and z thrusters do not also break. Unfortunately expressing the conditions for the additional thrusters made the automaton too large for construction in reasonable time (however, see 'aside' below). As a result this property was checked only with the option of sending the agent the predicate broken(x) not with the option of broken(y) or broken(z). However this restriction is clear from the presentation of results in Table 2.

Analysis of Multi-Agent Models and Communication
Appendix A.2 shows the code for a lead agent which determines the position of other agents in a formation.
In the previous examples we were able to determine the appropriate random inputs to the verification by inspecting the shared beliefs asserted by the Abstraction Engines for each agent. The lead agent has no abstraction engine since it is not controlling a physical system directly and so does not actually receive any information from shared beliefs. It receives all its inputs as messages from other agents. We therefore have to analyse it in the light of the messages the other agents in the system (e.g., ag1) send rather than by analysis of the Abstraction Engine. Messages are passed directly between rational agents rather than being processed  by the Abstraction Engines. Just as we "read off" the shared beliefs from the Abstraction Engine we can "read off" possible messages from the Reasoning Engine code of the other agents in the system. However, this does not allow us to verify the system against the presence of unknown agents, or message corruption. It is important to note, therefore, that we are explicitly not investigating this in the context of a system where malicious agents may send conflicting messages. Using this analysis we determine the following messages that may be received by agents in the system. aglead may receive the message maintaining(AgName) in which agent, AgName, asserts that is is maintaining its position and the message aborted( thruster failure , AgName) in which agent, AgName states that it has aborted its current maneouvre because of thruster failure. The satellite agents (as represented by ag1) can receive three messages, assuming formation(F) which tells them that the group will be assuming some formation, F; position (Pos) which informs them that they should assume position, Pos within the formation; and the instruction drop formation(F) which tells to to abandon the attempt to assume the formation F.
Where, in the system under consideration, AgName can be ag1, ag2, ag3 or ag4. F is one of line or square, and Pos could be none, right , middle, left , topright , topleft , bottomright or bottomleft. For reasons of efficiency, we do not consider the issue of thruster failure in the multi-agent system so we will not use values of aborted( thruster failure , AgName) in what follows.

Single Formation
We verified the behaviour of both the leader agent and the follower agents in the situation where there is only one formation, a line, to be adopted. We needed a new assumption about the performance of the environment, stating that: once the leader believes it has informed an agent that it should assume a position in a line formation then, eventually, it will believe it has received a message telling it that the (informed) agent is maintaining that position.
With this assumption we were able to verify that if all agents respond, the lead agent eventually believes the agents have assumed a linear formation.
We also verified some safety properties, e.g.:  Table 3: Analysis of a Multi-Agent system with no thruster failure attempting to move into a line the leader never believes it has assigned an agent (ag1 in the case shown below) to two positions at the same time.
The follower agent uses the code investigated in our single agent case, but when it is interacting with a multi-agent system we want to verify that the messages it sends to the leader agent accurately portray its beliefs. So, we show that under the assumption that planning and plan execution are successful for the relevant formation and position, the follower will eventually believe it has informed the leader that it is maintaining its position.
PlanningSucceeds(middle) ∧ PlanExecutionSucceeds(middle) ⇒ (B ag1 handling(assuming formation(line)) ∧ B ag1 my position is(middle) ⇒ ♦B ag1 sent(aglead, maintaining(ag1)) We can also verify that followers only send messages if they believes they are maintaining the positions they have been assigned.
if all agents respond, then eventually the leader agent will believe a square formation to have been achieved.
AlwaysResponds(ag1, square) ∧ AlwaysResponds(ag2, square)∧ AlwaysResponds(ag3, square) ∧ AlwaysResponds(ag4, square) ⇒ ♦(B aglead in formation(square)) if all agents respond, then whenever the leader agent believes all the agents to be in square formation it will eventually believe them to be in a line formation.
The results of this are shown in Table 4 We can, of course, continue with further verification. However, it should be clear to the reader by now how this proceeds, combining model checking of behaviour for individual agents in the presence of a random environment, together with straight-forward temporal/modal reasoning that can be carried out by hand or by appropriate automated proof tools.

Scenario: Adaptive Cruise Control
For our final example we demonstrate how our approach can integrate with approaches based on hybrid automata or hybrid programs which focus on the continuous dynamics of the system. We look at an example developed in KeYmaera by [65]. This example considers the problem of a car with adaptive cruise control that must maintain a safe distance between itself and the car in front and may only change lane when it is safe to do so. Loos et al., analyse this problem compositionally working up from the simple case of two cars in a single lane to an arbitrary number of cars on a motorway with an arbitrary number of lanes. The control system for the cars is modelled as a hybrid program.
It is outside the scope of this paper to describe the syntax and semantics of hybrid programs. But we reproduce a simple example from [65] to give a flavour of the language. In Fig. 4, x f is the position of the follower car, v f its velocity and a f its acceleration. Similarly x l , v l and a l represent the position, velocity and acceleration of the leader car. −B is a global constant for the maximum possible deceleration due to braking, −b is a global constant for the minimum deceleration and A is the maximum possible acceleration. ε is an upper bound on the reaction time for all vehicles. Safe ε is an equation used by the control system to determine the safe distance between cars. A key part of the verification effort reported is establishing this equation and proving that it does guarantee the system to be collision free. It is defined as In Fig. 4, llc defines a repeated sequence of a discrete control, ctrl, followed by dynamic control, dyn. The discrete control is the parallel composition of the control of the leader, l ctrl , and the follower, f ctrl . The leader has a simple control program -it may adopt any acceleration (a l ::= * ) within the available range. f ctrl defines three possible states. In the first (a f ::= * ; ?(−B ≤ a f ≤ −b)) the acceleration may be any negative value. In the second (?Safe ε ; a f ::= * ; ?(−B ≤ a f ≤ A)) the acceleration may be any possible value provided the car is a safe distance behind the leader, and in the final state (?(v f = 0); a f ::= 0), the acceleration may be zero if the velocity is zero. The dynamic control, dyn, states how position and velocity vary depending upon acceleration, using the standard differential equations for motion. The control systems for the cars in the more complex examples follow a similar form -represented as a non-deterministic choice over legal states for the system. The decision-making represented by the constraints on each state is relatively simple here with no reference, for instance, to any goals of the system. It would be possible to represent more complex control in hybrid programs, particularly since the constraints have access to full first order logic (unlike the constraints in linear hybrid automata) as well as simple if-then control structures, but it would be cumbersome to do so since the language remains low level.
We implemented an agent for adaptive cruise control within the system described in Section 4. This adopted the above rules for safety but added in additional features involving goal-based and normative behaviour. We present the code for the Reasoning Engine here, the code for the Abstraction Engine can be found in Appendix B.
The simple case of a car travelling in a single lane of a motorway is shown in Listing 3. The agent has a goal to drive at the speed limit. To achieve this goal it accelerates if it believes it can do so and then waits for a period before checking if the goal is achieved. If it can not accelerate then it waits until it believes it can. The construct * b causes an intention to suspend until b becomes true. can accelerate is determined by a belief rule and is true if it is safe to accelerate and the driver is not currently taking any action. Once the car has reached the speed limit (line 18) it maintains its speed. At this point the goal will be dropped because it has been achieved. So if the speed drops below the speed limit the goal will be re-established (lines 20, 21). If it stops being safe to accelerate, the agent brakes (line 23). Actions by the driver override decisions by the agent, but it still will not accelerate unless it believes it is safe to do so.
We tested the agent in a simple Java environment which modelled the dynamics described by [65] and performed the calculation of Safe ε passing the perception, safe, to the Abstraction Engine if Safe ε returned true 7 . We then used our agent based model checking to verify that the agent obeyed the constraints verified by Loos et al. (i.e., it only accelerated if it was safe to do so) We analysed the abstraction engine (shown in Appendix B) to determine the possible incoming shared beliefs were safe, at speed limit , driver accelerates , and driver brakes . Then we proved that whenever the agent accelerates then it believes itself to be a safe distance from the car in front: We also investigated a more complex case (also analysed by Loos et al) in which cars could change lane. We implemented the normative rules of the UK highway code so that the agent would always attempt to drive in the leftmost lane unless it wished to overtake a car in front, in which case it would attempt to overtake on the right. The code is shown in Listing 4. This code introduces further features of our GWENDOLEN language variant. The action 'perf' is interpreted by the environment as a message to the Abstraction Engine to adopt a goal which in turn cause the execution of some non-symbolic code. + Σ b and − Σ b are used to indicate when an agent adds b to, or removes b from, the set of shared beliefs. We introduce a new type of perform goal which is distinguished from an achieve goal by the fact that there is no check that it succeeds; once the actions in a plan associated with a perform goal have been executed then the goal vanishes. Lastly, . lock and .unlock are used to lock an intention to remain current, this ensures that the sequence of deeds are executed one after the other without interference from other intentions.
The code represents an agent which can be in one of two contexts, moving left or overtaking which are represented as beliefs. Lines 9-10 control switching between these contexts. The use of contexts allows us to control dropping goals as the situation changes even if they have not been achieved. The percepts car ahead and car ahead in left lane are supplied by the Abstraction Engine and represent the detection of a car the agent wishes to overtake or pass on the right. The intention is that these beliefs are shared before the car would need decelerate in order to maintain a safe distance from the car in front (although we verified the more general case where the beliefs could appear in any order). Similarly It should be noted that our verification here shows that the implemented rational agent adheres to the constraints on the discrete control used in the verification of the full hybrid system by Loos et al. We assume, among other things, that 'safe' is calculated correctly. The point is not to redo the safety analysis but to show that the additional normative and goal-directed behaviours do not effect the agent's ability to obey the safety constraints.

Concluding Remarks
In this paper we have presented a compositional approach to the verification of the decision-making parts of hybrid autonomous systems, demonstrating both that such an approach is feasible and how it can be pursued. The methodology uses model checking to perform formal verification of the reasoning of a rational agent that is controlling a hybrid autonomous system. This approach avoids the necessity for complex and opaque models of the external system. At the same time our approach allows the results of model checking to be combined deductively (in a straight-forward way) with results about the full system, in order to provide formal analysis of the whole. Our hypothesis is that different verification techniques are more suited to different aspects of hybrid system analysis. Program model checking is well-adapted to the analysis of rational agent code, but less well adapted to reasoning in continuous domains where probabilistic, analytical and deductive techniques may yield more accurate results. Our approach allows theorems about the rational agent to be combined deductively in a compositional fashion with results about the rest of the system. Our claim is that it is easier, under this methodology, to make explicit the assumptions we have utilized in order to allow verification to take place. While we have focused particularly on the program model checking of rational agent implementations, the methodology would also be suitable for general model checking of complex agent-based (and possibly other) models for discrete control of hybrid systems. This could be done in a specialised model checker for agent systems such as MCMAS [63] or MCK [42]. In essence we believe approaches such as ours are suitable wherever there is significant complexity within the discrete reasoning required to control a hybrid system. 34 {B s a f e r i g h t , B c a r a h e a d i n l a n e , B o v e r t a k i n g , ∼ B i n r i g h t m o s t l a n e } ← 35 +. l o c k , − Σ ( c h a n g e d l a n e ) , p e r f ( c h a n g e r i g h t ) , −. l o c k , 36 * c h a n g e d l a n e , +o v e r t a k e n ; To exhibit this approach, we explored three examples in which verification was performed in this compositional manner. The first example used a simple program based on the RoboCup Rescue scenario. Our second example examined code actually developed separately for the control of satellites in low Earth orbit, and our third looked at an adaptive cruise control system already analysed in KeYmaera. In all examples we were able to prove properties about the efficacy of the system in the absence of a detailed formal analysis of real world (and continuous) aspects. Work of this kind enables us to provide accurate and clear analysis of the autonomous decisions made by agents in real world scenarios. It is made feasible by the ability for us to refer to the beliefs, goals and actions of the agent in the property specification language, which allow us to limit our theorems to the internals of the agent.
Our interest is primarily in the verification of discrete logic/agent based decision-making algorithms for controlling hybrid systems, rather than in the analysis of the underlying continuous control. As such our approach abstracts away from the continuous aspects entirely, much as many hybrid automata based analyses abstract away from the details of decision-making. This potentially leads to over-approximation, where we examine all the inputs that an agent could receive not just those that "make sense" from the continuous perspective -e.g., in our adaptive cruise control example we explored the case where the driver is reported to be both braking and accelerating at the same time. It is a matter of some debate whether this truly represents an over-approximation since it would potentially be possible for a malfunctioning sensor to transmit contradictory information. However it is clear that the over-approximation also has repercussions on the search space as the number of potential sensor inputs increases which, combined with the inefficiencies of program model checking currently limits the scope of the methodology.
There are a number of avenues for further work. The most urgent problem is that the agent verification technology is actually very slow (as can be seen from the times reported in Section 4.3). Program model checking, such as that provided by Java Pathfinder (JPF), analyzes the real code, often in an explicit way which increases the time taken to generate new states in the model. Improving the efficiency of AJPF, including the investigation of well-known abstraction techniques such as property-based slicing [9], is the subject of on-going work. Following the work by [51], we have also investigated the use of AJPF to generate models of the program that can be exported into other model checking systems such as SPIN, NuSMV or MCMAS [32].
We have shown how agent decision-making can be formally verified in the presence of random environmental interactions. However, we would also like to incorporate a more refined probabilistic analysis of environmental interactions. For instance, it is highly probable that no guarantee can be supplied that data incoming from sensors is correct, yet it is highly likely that the sensor will come with a probabilistic guarantee of reliability. It is therefore desirable to extend the kind of analysis we have done here to theorems of the form "Assuming data from sensors is correct 98% of the time, and actions succeed 98% of the time, then 97% of the time the agent never believes it has reached a bad state". Initial investigation of a link between AJPF and the probabilistic PRISM model checker [59] reported in [32] will allow us to explore this direction further.
We are also interested in formalising the composition of the environment used for this kind of analysis. We presented an informal overview of how incoming percepts could be chosen and in the examples we performed this selection was carried out by hand. However, we believe that much could be done to automate the process and so ensure that no potential inputs are overlooked.
As noted above, the non-deterministic modelling of sensor input places limits on the ability of our system to scale as the number of sensors, and more importantly sensor values, increase. It would therefore be beneficial to move in the direction of [41] and represent the continuous parts of the system as an abstract automata, or a similar formulation, which allowed us to control the number of possible states. This would draw on work such as [64,73,80].
Finally, we also wish to consider agent control systems that can co-operate together, exchange information (and, potentially, plans) and, in some cases, learn new plans for solving problems. Techniques such as those presented above, if embedded within an agent's own reasoning capabilities, would allow individual agents to assess whether any new plan violated safety constraints imposed upon it, and would allow groups of agents to reason about whether their combined capabilities could ever achieve some goal.
Similarly we are interested in techniques for providing guarantees that an agent always operates within certain bounds no matter what new plans it is given or learns. Some initial steps towards this have been investigated in [31].

A.1 A Satellite Agent
The code in this section is for an agent that is in direct control of a single satellite but which receives information on formations from a separate, coordinating, leader agent.

A.1.1 The Abstraction Engine
It should be noted that, while we believe a BDI-style programming language to be an appropriate implementation language for R, the Reasoning Engine, we are investigating the use of stream processing languages for A, the Abstraction Engine. This is the subject of ongoing work. In the example here, however, the abstraction engine is programmed in our variant of the GWENDOLEN language.
Code for the Abstraction Engine, A, is shown in Listing 5. We use standard BDI syntax, as described previously, extended with new constructs for manipulating the shared beliefs. + Σ b and − Σ b are used to indicate when an agent adds b to or removes b from the set of shared beliefs.
The code is split into roughly three sections for abstraction, reification and housekeeping (not shown). The key aim for this satellite is to take up a position in a formation of satellites. Lines 1-14 provide code for generating abstractions. As information about the satellite's current location arrives from Π (via ' stateinfo ') the agent (if it does not already believe itself to be in location ' close to (Pos)') requests the calculation of the distance from its desired location (via comp distance) which returns a judgment of whether the agent is "close enough" to the target position. This is then used to assert a shared belief about whether the agent is in position or not.
Similarly, information about the thruster status is used in lines 8-14. Thruster information arrives via perception as ' thruster (X,L1,L2,P,C,V)' which gives information about the pressure on the two incoming fuel lines (L1 and L2) and the output fuel line (P) as well as the current (C) and voltage (V) in thruster X. Based on this information, particularly the observation that the output fuel pressure has dropped below 1, the agent can assert or retract shared beliefs about whether a particular thruster is broken (lines 10 and 12) 8 .
The reification code in lines 18-42 tells the abstraction engine how to respond to requests for calculations or actions from the Reasoning Engine, R, e.g., a request to ' get close to ' is translated into a calculation request to Ω to call the function ' plan named approach to location multi '. The details of this code are of less interest in terms of verification of the Reasoning Engine, since they describe its effects upon the rest of the system rather than the external system's effect on the Reasoning Engine. However, it is worth noting that some of these effects still involve the assertion of new shared beliefs (e.g., in lines 19-22, when the abstraction engine has a response to its calculation from the Continuous Engine it asserts the value of this response as a shared belief get close to (Pos, P)). Similarly it can be seen that a request to change fuel line (i.e., ' change line ' at line [36][37][38][39][40][41][42][43] involves setting several valves ('run' takes two arguments, the name of a MATLAB function and a list of arguments to be supplied to that function. 'pred' allows a MATLAB function call name to be composed from a number of strings), modifying the shared beliefs about which fuel line is being used (' thruster bank line '), and then waiting for any change to take effect before asserting a shared belief that the thruster should no longer be broken. Note that, at this point, if the pressure is still low on the output fuel line then the shared belief that the thruster is broken will be reasserted the next time thruster data is perceived.
Finally, the housekeeping code handles some details of abstracting specific thruster information sent by Π into more generic information which passes the name of the thruster as a parameter, and the code for handling waiting. This is omitted from the code fragment shown.
Note that we can read off the changes in the shared beliefs of the system that may arise simply by looking for the occurrences of + Σ and − Σ that occur in the above code.

A.1.2 The Reasoning Engine
Code for the Reasoning Engine, R, is shown in Code fragment 6. We use the same syntax as we did for the Abstraction Engine, A, and for the rescue robots in Section 3. We additionally use the construction ' * b' to indicate that processing of a plan should suspend until some belief, b, becomes true. Here the actions, 'perf' and 'query', are interpreted by the environment as messages to A to adopt a goal. Calls to query pause execution of the plan in order to wait for a shared belief indicating a response from the calculation engine. The plans that are triggered in the abstraction engine by perf and query can be seen in the reification part of A's code.
In the Reasoning Engine we use both achieve and perform goals [83]. Achieve goals persist in the agent's goal base until it believes them to be true, so plans for achieve goals may be enacted several times until they succeed. Perform goals, on the other hand, disappear once a plan associated with them has been executed and contain no implicit check that they have succeeded.
The code for R has several plans and one belief rule. A belief rule is a Prolog-style rule used for deducing beliefs. In this case it deduces that a thruster failure is repairable if the thruster is currently using the first fuel line.
assuming formation (lines 6-10) is a perform goal that runs the agent through some general initialisation, i.e., finding the formation to be assumed (if not already known) and the agent's position in that formation and then starting an attempt to achieve that position. The agent can either start out with the goal of assuming a formation, or can be sent the goal as a request from another agent.
Lines 12-20 of code handle instructions from a leader agent to drop the attempt to assume the current formation.
Lines 22-24 deal with converting any new beliefs (typically received from messages sent by a coordinating leader agent) about the position the agent is required to adopt ( position ) into a belief that the agent actually wants to adopt that position ( my position is ). Once a position has been adopted by the agent then no other suggestion is accepted.
none informs the agent that it is not needed for this formation and so it immediately asserts a belief that it is maintaining the desired position.
Lines 26-36 handle moving to a position, one case involves the agent requesting a plan to get there and the other case assumes the agent already has a plan.
Lines 39-56 handle the agent's plans for getting into a state where it is maintaining a position, while handling possible aborts. Once it believes it is in the right place in the formation it will instruct the Abstraction Engine to initiate position maintenance procedures, perf (maintain path). If it is not in the right place it sets up a goal to get there +! in position (Pos) [ achieve ]. If a thruster is broken, but the system has not yet aborted, then the agent waits for the thruster to be fixed (because maintaining(Pos) is an achieve goal, once this plan is completed when the thruster is fixed, the agent will then select a different plan to achieve the move into position). Lastly if the system is aborted the agent will wait for new instructions. If the satellite successfully reaches a position then it will perform +! cleanup to remove any interim beliefs it has generated such as which plans it has and whether it is attempting to assume a formation. 32 +! c h a n g e t h r u s t e r (X , N, NewN) : { B t h r u s t e r (X , N) } ← 33 − t h r u s t e r (X , N) , 34 +t h r u s t e r (X , NewN ) ; 35 36 +! c h a n g e l i n e (T) : 37 { B t h r u s t e r b a n k l i n e (T , B , 1 ) , B t h r u s t e r (X , L1 , L2 , P , C , V , P) } ← 38 r u n ( p r e d ( " s e t " ,T, " v a l v e s " ) , a r g s ( o f f , o f f , on , on ) ) , 39 − Σ ( t h r u s t e r b a n k l i n e (T , B , 1 ) ) , 40 + Σ ( t h r u s t e r b a n k l i n e (T , B , 2 ) ) , 41 − t h r u s t e r (X , L1 , L2 , P , C , V ) , 42 +! w a i t , 43 − Σ ( b r o k e n (T ) ) ;

Listing 5: Low Earth Orbit: Abstraction Engine
Lines 57-60 involve informing a leader agent once the agent is maintaining its position. Lines 61-71 handle thruster failures either by attempting a repair or by aborting. Lines 73-85 handle aborts by dropping any goals to maintain a position, informing a leader agent of the abort and getting the satellite to cease any attempt to maintain a position. 'perf ( null )' switches off the satellites thrusters, effectively stopping any maneuver it is attempting.
We have omitted from the code the initial beliefs and goals of the agent. The configuration of those beliefs and goals creates a number of different agents which we used during testing. For instance, if the agent already has beliefs about the formation that has been chosen and its position within that formation then it does not need to request information from the leader agent. Some initialisation and clean up code has also been omitted.
The architecture lets us represent the high-level decision making aspects of the system in terms of the beliefs and goals of the agent and the events it observes. So, for instance, when the Abstraction Engine, A, observes that the thruster line pressure has dropped below 1, it asserts a shared belief that the thruster is broken. When the Reasoning Engine, R, observes that the thruster is broken, it changes fuel line. This is communicated to A, which then sets the appropriate valves and switches in the Physical Engine, Π.

A.2 A Leader Agent
Listing 7 shows a lead agent, aglead, which determines the position of other agents in a formation. This agent has several belief rules that are designed to establish that all agents have been informed of their positions in the formation ( all positions assigned is true if there is no position in the formation which is not the position of an agent). The belief rule for desired formation has two configurations: one in which the only formation to be attempted is a line; and the other in which the agent will start out attempting a square, and then change to a line. The belief one formation determines which configuration is adapted and can be used to generate different agents from the same code.
The plan for in formation (lines [26][27][28][29][30][31] is where most of the work happens. First, the leader chooses positions for all the agents in the system and informs them of their position. Then it informs all the agents of the formation to be adopted and waits for the other agents to tell it when they have reached their positions. Lines 33-36 show the code for assigning positions. While there is an agent who has no position, and a position in the formation that has no agent assigned, the leader will assign that agent to that position and inform the agent of this fact. Since all positions assigned is an achieve goal, the plan continues to be selected until either there are no more available agents or no more available positions. The plan for inform start (not shown) works in a similar way.
The description in Listing 7 is simplified from the actual code used. In particular we have omitted those parts that handle messages from follower agents, which report failures and aborts; we will not consider these aspects in the discussion of verification here.

B Adaptive Cruise Control: The Abstraction Engines
Listing 8 shows the abstraction engine for our simple example where a car attempts to drive a the speed limit in a single lane. As sensor input the abstraction engine receives the speed of the car and the acceleration dictated by pressure on the acceleration or brake pedals. It is also informed whether it is currently a safe distance from the car in front. These inputs are passed on to the Reasining Engine as shared beliefs in lines 1 : B e l i e f R u l e s :

3
B r e p a i r a b l e (X , w i t h ( c h a n g e l i n e (X ) ) ) : − B t h r u s t e r l i n e (X , 1 ) ;

5
: P l a n s :