Abstract
The formal design and development of multi-agent systems has attracted a considerable attention over the past decades because of their extensive use in safety-critical applications. This paper presents an efficient, hybrid and scalable formal development approach for safety-critical systems based on the multi-agent paradigm. In fact, we aim in this paper to benefit from the advantages of existing tools and techniques for each development stage and then integrate them in one unified approach. In particular approach, we advocate using Petri nets and rewriting logic to facilitate the formalization of multi-agent based systems, as well as we have integrated both the model checking and property-based testing techniques in the verification and testing stages. For illustrating the utilization and effectiveness of the proposed approach, we use it to analyze a simple automated distributing machine.
Introduction
In the past few decades, the technological expansion in computer science and electronic domains have led to a variety of innovative software systems; later, so-called the revolution of electronic digital computer. Thereafter, software systems are becoming increasingly present in our environment for personal use, such as microwaves, mobile phones, washing machines, digital cameras, as well as for collective use, such as military, medical and aeronautics. In fact, these systems have not only facilitated to make our daily activities more comfortable, but it is becoming so clear that our lives are shaped and increasingly controlled by software systems to the extent that we cannot even imagine our world without them. However, such software systems are also responsible for an ever-increasing disastrous scenarios when it comes to safety-critical systems.
In this context, the use of multi-agent systems (MAS) has proven to be one of the most relevant approaches to promote the development of real-time [91, 47] and complex systems [31, 110]. Nevertheless, due to the absence of available agent-specific safety analysis methods, it is quite risky to completely trust agent-oriented methods in situations where safety is critical [12, 24]. Hence, the main interest in developing software for such systems is not just confined to clearly defining the system functions, interaction between components and properties of interest, but primordially on how one can identify and eliminate system errors in each development stage in order to ensure a successful implementation of the overall system.
To meet the high quality level and safety objectives satisfying the rising complexity of safety-critical systems, the use of adequate design approaches that support decentralized processing as well as rigorous analysis techniques and methods necessary to specify, design, implement and assess safety-related software systems, is gaining more and more importance.
Motivation
The present work is motivated by a desire to bridge the gap between formal specification, verification and testing during the design and development of multi-agent based critical systems. In this regard, the following issues must be addressed to increase the trustworthiness of safety-critical systems:
The choice of the formalism for behavioral modeling of the safety-critical system. The choice of a verification technique to ensure the correctness of the proposed model before proceeding to the system realization. The choice of the code testing technique to ensure the absence of errors throughout the implementation stage.
In this context, Multi-Agent Systems (MAS) represent an innovative paradigm for modeling, simulating and designing complex distributed systems [101, 7]. Their effectiveness is due to the ability of agents to represent the system entities, their behaviors and interactions. In fact, an agent has proactive and reactive features that are very useful in decision making. In addition, a key characteristic of MAS is the collective intelligence or distributed intelligence. In this context, it is well known in the domain of MAS that a single ant or bee (agent) is not smart, but their colonies are generally characterized by numerous additional capabilities [87], such as solving complex tasks and finding the shortest path to the food source. Moreover, MAS can continue to function even with the failure of one of its components (agent), without degrading the system as a whole. This last feature is extremely important in the case of safety-critical systems. Therefore, the use of multi-agent systems is very advantageous for modeling safety-critical systems[2, 63, 71]. Nevertheless, given the lack of a formal, standardized method for the development of agent-based systems, software engineering for agent-based critical systems is quite challenging.
Petri nets [83] represent a well-defined theoretical model of concurrency in which the temporal ordering and causal relationships between system actions can be easily represented. Therefore, Petri nets are widely accepted for modeling and analyzing complex, dynamic and concurrent systems, like command and control systems [107], industrial real-time applications [41] and safety-critical systems [82, 90]. In addition and in the context of MAS, Petri nets are one of the most reliable formalisms for simulation and analysis of both behavioral modeling and failure analysis [44]. One of the distinguishing features of Petri nets is that they provide a graphical representation of the dynamic behavior of systems by enabling visualization of the state changes in the modeled system that greatly facilitates the analysis process [97]. These features of Petri nets are the key reason behind their wide popularity in the context of MAS [43, 54]. However, this potential of Petri nets should not deter the inherited difficulties and the increasing need for formal methods [89] and tools facilitating the analysis of large scale Petri net models.
For this purpose, we advocate the use of Maude [32] on the specification stage as a formal specification language based on rewriting logic [68] for describing Petri nets based MAS models. However, the existing rewriting logic based framework for Petri nets [94] needs some enhancements, namely, additional operators to facilitate counting or testing the number of tokens in a Petri net place. In addition, Petri nets require automatic tools to facilitate the transcription of their models into Maude specifications. This step is usually quite time consuming and error-prone in the case of large scale and complex models when performed manually. In order to overcome these limitations, we propose to benefit from this work [18], which presents an efficient algorithm allowing the automatic generation of Maude specifications for multi-agent system models based on Petri nets. Moreover, the choice of using Maude is also motivated by the availability of an integrated tool set that facilitates the formal verification of Petri net models, such as Maude model-checker [39], the reachability analysis tool and Maude’s inductive theorem prover (ITP) [52].
Similarly, we advocate the use of property-based testing (PBT) [75], which is an automatic verification technique of the proposed code skeletons based on random generation of test sequences (i.e. test scenarios). Contrary to the classic testing, the PBT technique is used to automatically test code skeletons or algorithms before implementation [56, 27].
The main objective of this work is on the formal analysis of MAS based safety-critical systems by the proposition of a new approach that covers almost all the development stages. To the best of our knowledge, both the enhanced Petri net specification and the combination of model checking with PBT techniques has never been used in a similar context before.
The remainder of this paper is structured as follows: Section 5 discusses some related works. Then, Section 2 presents an overview about MAS formalization. In Section 3, we briefly present our proposed approach for the formal analysis of multi-agent based safety-critical systems followed by a simple case study to show its feasibility in Section 4. Finally, Section 6 concludes the paper and presents some perspectives for future work.
Formalization is a process that starts with the construction of a formal model (a precise description of the system structure, services and relationships) of the targeted system. Its purpose is to assist designers in proving the conformity of the system with its specification.
In this context, a large number of approaches, programming languages and graphical (or textual) formalisms have been used to describe all aspects of multi-agent systems such as CASL [15], SLABS [100], XABSL [86] and others [95, 9]. Nevertheless, it would be difficult to present an exhaustive list of all these works, and we therefore recall only a few works that we consider very important from the point of view of their relevance and their widespread usage.
Specification approaches
On the basis of specification formalisms and languages, one can easily find that Petri nets are still considered as one of the most used formalisms to help designers formalize and simulate MAS models [54, 80]. For instances, Petri nets and derivatives have been widely used to describe the social and behavioral aspects of agents [29, 88], interaction protocols [66] as well as cooperation and coordination in multi-agent systems [53]. Indeed, Petri nets have also been favored for the analysis of multi-agent systems because of the exact mathematical definition of their semantics of execution as well as the theory developed around them. The corresponding Petri net models of the multi-agent based systems are evaluated using the existing analysis methodologies and simulation techniques for Petri nets [30, 20].
Similarly, Maude has been used in several works for the formal specification of multi-agent systems [35, 3]. In addition, Maude was used to implement a (simplified language of) cognitive agent programming language 3APL in [99]. This work has been enhanced for prototyping the BUpL agent programming language (Belief Update programming language) and for executing agent programs [98]. Moreover, Maude is used in [61, 19] to formalize their agent based models, which are then simulated and verified using associated tools. However, the main disadvantage of all these works is that the translation of the models of the multi-agent systems to a Maude specification is done manually and in an ad hoc manner. It can therefore be quite difficult to ensure that this specification is a true description of the models of multi-agent systems studied especially in the case of complex models.
In this context, UML [10, 36] is widely used to describe the different aspects of multi-agent systems. In addition, the UML language has been a subject of several extensions to capture other aspects of multi-agent systems. For example, AML [28], MAS-ML [48] and AUML [96]. Moreover, many other works have emerged to develop a special Object Constraint Language (OCL) [79, 73] allowing to reduce the ambiguity and the misunderstanding of the models by specifying additional constraints on the behavior of the components of the studied system.
Similarly, architecture description languages (ADLs) are a particular type of languages that provide a concrete syntax for specifying system architectures in a more abstract, flexible and robust way than other traditional approaches. They have been widely used for the description of architectures of multi-agent systems [50, 33].
Except some works that propose a formal UML (or ADL) based description for MAS [70, 21], the major problem with most ADLs and UML is that they lack formal semantics, explicit support for running a description of the architecture, and ensuring compliance between a system and a user-specified architecture. For instance, some works were focused on the translation or combination of UML [42, 40] and ADLs [85, 84] into Petri nets to benefit from the existing formal analysis tools. Other authors attempted to translate UML diagrams [6, 69] and software architecture description language models [104, 74] into rewriting logic. Moreover, some authors proposed rewriting logic (resp, Petri net) based ADLs [46, 92] (resp, [106, 57]) in order to obtain a formal description and simulation mechanism for the studied system architecture.
Verification approaches
The verification of multi-agent systems is gaining more importance [72, 60]. For instance, a considerable amount of work has been done to verify the behavior of agents [93, 105], analyzing interaction protocols and their communication languages [67, 4] as well as to simulate and control security in multi-agent systems [22, 109]. However, we can see that the existing research works are generally directed towards the creation of verification tools for multi-agent systems, otherwise, they are based on existing model checkers. Table 1 presents a summary of the most known model-checkers based works, alongside the used formalism for system and/or property specification.
Summary of works using model-checkers for MAS verification
Summary of works using model-checkers for MAS verification
The specification of a multi-agent system involves the identification of a large number of entities and their relationships. For this, several types of formalisms have been used to construct the most appropriate system model to verify the properties in question and not to be limited – if necessary – on the use of a single formalism so to manage the different perspectives of the system [81].
In this context, we can easily deduce that Petri nets and rewriting logic are quite well-suited for MAS modeling and specification. At the verification stage, Maude is widely used as a formal semantic framework in many works for the verification of multi-agent systems and therefore its use is very appropriate and endorsed.
In addition, within the scope of enhancing multi-agent based systems quality, numerous other testing based works have been realized [13, 26]. However, it is better if testing strategies are combined (used jointly) with model checking based ones in order to better guarantee the system implementation quality.
Based on the literature review about MAS formalization, the fundamental steps of a formal analysis approach of multi-agent based systems can be summarized in the following three points:
Clearly define the structure and behavior of the system using the appropriate modeling formalisms and/or the most adapted formal specification languages. Identify the risks and errors of the system – which may be catastrophic or expensive – to support and better verify its corresponding properties using formal verification techniques. Ensure that the system implementation meets the specification and that the proposed code will not make errors using advanced testing techniques.
The proposed approach for the formal development and analysis of behavioral aspect of multi-agent based safety-critical systems contemplates the following phases of software development: modeling, specification, validation, and testing. The next subsections provide an overview of each stage of the proposed approach.
Modeling stage
The goal of this first stage is to construct the Petri net model formalizing the dynamic behavior of the studied system. In addition, the designer uses rewriting logic, which is a very expressive logic to give formal semantics when specifying Petri net models. Depending on the system studied, a system may have several operational phases, generally: startup, initialization, processing etc. Usually, each operational phase may have its own model. Therefore, it is necessary in the case of some complex systems to built more than one model, and according to the property or aspect to be verified, the designer must prepare an independent (separate) Petri net model before the complete model is developed.
Specification stage
This stage is intended to prepare two specification levels:
System specification: The main objective of the specification level is to translate the proposed model into rewriting logic by using an enhanced proposed specification for Petri nets based on rewriting logic. Properties specification: If the aim of system specification level, is to give a more or less abstract description of the system then the system can be formally defined by its properties. In this step, we refer to the created model and its specification to prepare a module that defines the set of predicates expressed in standard LTL propositional logic. These predicates are considered by the Maude’s model-checker tool as the set of verified properties in the system. Then, the set of properties to be checked must be expressed in LTL as well.
The verification stage is used to show that the system satisfies the desired properties and that it exhibits a stable behavior, and/or certifies that the probable malfunctions of the system will not causes damages.
The following two verification tools may be used in this stage:
LTL model-checker: It checks the properties of a model by expressing them in linear temporal logic (LTL).
Search tool: This tool may overcome some of the shortcomings of the model-checking technique. For instance, it allows designers to check the absence/existence of some worst-cases – offered by experts in the field – that may not be expressible in LTL. In addition, it presents all the possible scenarios for the such worst-cases if they exist, which is not the case for the model-checker counter example (single scenario).
The more complex a software system is, the more difficult (or unfeasible) its formal verification becomes. In addition, even if the model has been completely verified by model checking techniques, its full realization also needs to be tested. In the final stage of our approach, we advocate to use property-based testing to test the proposed implementation of the SUT. Therefore, we define all desired properties in addition to those that have not been verified in earlier phases as universally quantified expressions, and devote as much time as available to automatically generate, run, and evaluate them as test cases. In this step, we propose to use QuickCheck’s capabilities to produce shunk (i.e. simplified) counterexamples when a specific test case is found to show how that the realization of the system violates a given property.
Meaning of Petri net places and transitions
Meaning of Petri net places and transitions
Petri Net model of the automatic distributor.
System description and modeling
To show the practical usefulness and effectiveness of the proposed approach, we consider a simple automated distributing machine placed in a hotel to provide coffee, cakes and beverage items to hotel visitors. The visitor has to use his magnetic hotel visitor card to gain services from the machine.
Such a machine is daily programmed to deliver a cup of coffee, cake with a bottle of water and juice (Service 1) to the visitor upon the first usage of his card. Otherwise, the machine delivers only coffee and cake (Service 2). For that, the machine tests the inserted card to check its validity and determines if it is the first use for a card or no. Thereafter, the corresponding service is delivered.
For the sake of simplicity, we assume that the visitor card contains a bar code with 14 digits where the addition of digits in positions (1, 2, 4, 8) equals to 20. In addition, the card codes of the present visitors in the hotels are inserted daily in a list into the memory of the machine and when a valid visitor card is used, it will be automatically deleted from this list. Such a mechanism facilitates the process to deliver Service 1 or Service 2 to a visitor.
Therefore, in both cases (Testing card validity and Determining services), two algorithms are used for verification. Figure 1 shows the Petri net that models the described machine, and Table 2 presents the meaning of places and transitions.
System and properties specification
We should note that the existing rewriting logic semantics for Petri nets does not support (without other additional operators) neither the specification of inhibitor arcs nor counting the number of tokens in a specific place. Therefore, we propose an enhanced specification that alleviates such two limitations.
System specification
The corresponding rewrite theory of the Petri net model is illustrated in Snippet 1. In this specification, the static aspect (the signature) of the system is defined in the functional module
Properties specification
In the case of our system, the following properties have to be verified:
System evolution: This property ensures that the system is always (or able to be) active and it will not be blocked in a deadlock situation.
Serving visitors: This property ensures that whenever a visitor is present and wants to take something from the machine, he must be served, either by Service 1, Service 2 or his card is rejected if it is not valid.
Determining services: This property ensures that each visitor gets Service 1 at the first time and Service 2 after that. In fact, this property is very important for the hotel due to the financial loss it can incur. Therefore, it must be rigorously verified.
Then, two modules for the specification of system properties are prepared. The first module,
Starting from the initial state of the Petri net, the Maude LTL model-checker has been used for the verification of two properties.
System evolution: This property is defined in the module
Model-checking the deadlock absence property.
Serving visitors: This property is defined as “

Model-checking the serving property.
As per the proposed approach, we used PBT to test the “Determining service" property mentioned in Section 4.2.2. In fact, this property is not expressible as a LTL formula and cannot be verified even by the Maude “search tool” since it is related to the implementation and not to the system model. However, it can be translated into a number of declarative properties, such as given in Snippet 3:
These two functions aim to test the two possibilities when it comes to the service control: either the client should get the first service when using the machine, or else the card had already been used and so the service should be the second type. These statements should hold for all the valid client cards that we test.
In this first formulation, the kind of testing to be performed is positive testing, since only valid client cards are generated to be used as input. The
where
The additional helper functions
Finally, we take advantage of recursion to implement one last helper to invoke the SUT a random number of times, to simulate the card being used
Running these properties as many times as desired will increase our confidence in the SUT implementation if we are unable to find a counterexample (1000 tests for instance, see Fig. 4). Of course, this is not as strong as proving that the SUT is correct, but it is the best that can be done using testing.
PBT of the determining service property.
Of course, we could also formulate the previous two properties to perform negative testing as well, i.e. generate valid and invalid inputs, and state that only if the input is valid, the property is expected to hold. These new properties could be defined as shown in Snippet 7.
where the new data generator
If the SUT had a similar functionality to that of
Last but not least, we could also test the behaviour of the SUT when a card is invalid. In doing so, we would generate invalid card data on purpose, and test that invoking the SUT always returns the no service message. This property can be expressed as shown in Snippet 9:
Based on the above-mentioned analysis, we now highlight the main advantages of the proposed approach. In the modeling stage, we justify the selection of the Petri net among many other formalisms, such as UML diagrams, and architecture description languages (ADL) based on the following points:
Expressiveness: In addition to the intuitive graphical representation, the expressiveness of Petri nets, makes it a very suitable formalism for modeling and analyzing a rich variety of systems and applications including, concurrent, distributed and critical system architectures. Formal Semantics: Since Petri Net is one of the most important formalisms having a well-defined formal semantic and theoretical foundation, it is widely used to formalize not only systems but even other modeling techniques and description languages that are used to describe software architecture (see, Subsection 2.1). Formal analysis: Petri net has gained wide acceptance as a modeling technique in both industrial and academic areas because of the existence of a large number of analysis tools [102, 51] and techniques [55] for Petri net based models.
The specification language used in our approach is Maude. This choice is motivated by the expressiveness, modularity and parametrization of Maude. Moreover, the rewriting logic allows us to naturally express both flat and hierarchically composite Petri net models. Finally, the availability of a large number of integrated tools, such as Maude model-checker [39] and Maude search tool, facilitate the formal verification of Petri net models in the verification stage. These tools cannot be used to analyze infinite-state systems, and for such systems Maude supports reachability analysis and model checking, including model checking for a useful class of temporal logic formulas. Furthermore, due to the reflective nature of its logic and its implementation, such a library can be easily extended by the user with new model checking strategies.
Because of the excellent results obtained in the context of MAS [13], we advocate the use of property-based testing (PBT) for the testing stage. Indeed, testing is the last checkpoint at which software errors can be detected before a system goes into operation. However, it leaves all responsibility of designing and writing test scenarios to a human developer, who is limited by time constraints and usually based on his/her own experience and views on the SUT [108]. PBT has proven to play a vital role – as an automatic technique – in detecting corner cases that usually slip through human-conducted testing [34]. Moreover, PBT supports randomness for the generation of test sequences (i.e. test scenarios) themselves not only to alleviate the human factor, but also to compromise effort and correctness [49].
Consequently, we can say that we have proposed a generic approach that covers all software development stages. Thus, we have used rewriting logic as a unifying semantic framework in the specification stage, Maude model checking tool to check model properties, and finally QuickCheck’s property-based testing at the implementation level, to raise the confidence on the realization of the given system.
Safety-critical systems refer to systems in which failures may lead to catastrophic consequences, such as loss of human life, significant damage to the environment, and/or financial disasters. Multi-agent systems have been widely used to develop [23, 38], simulate [1], secure [77] and analyze [62] critical systems.
A formal methodology was proposed in [2] to ensure the correctness properties of safety and liveness of the Mail Transport System. While specifying Gaia based multi-agent requirement and design specifications, authors used regular expression in specifying the liveness properties and the first-order predicate calculus to specify the safety properties. In the verification stage, The Finite State Processes (FSP) and Labelled Transition System (LTS) are used. Then, Event-B is utilized for an exhaustive analysis.
Similarly, a multi-agent approach is proposed in [71] to ensure the reliability problem of an Air Traffic Control (ATC). Therefore, an agent-based decision-aided system was developed to help controllers in using their multiple software tools in critical situations such as the unavailability of some tools due to technical incidents. Practically, a simulation environment is used to test the MAS and demonstrate its significance to air traffic controllers.
A simulation-based hazard analysis method using multi-agent modeling has been presented in [5] to explore the effects of deviant node behaviour within a System of System (SoS). In comparison with traditional hazard analysis techniques, the presented method has demonstrated its effectiveness in revealing hidden and undiscovered hazards.
In addition, a formal development of a hospital MAS by refinement in Event-B has been presented in [76]. In this work, authors focused on modeling and verifying some safety critical activities, such as consistent updates of patient data and handling emergencies. The main properties of MAS have been formalized and demonstrated using Event-B. However, due to the autonomous agent behaviour, the highly dynamic nature of a hospital and volatile error-prone communication environment, ensuring correctness of these activities was not a trivial task.
Moreover, in [25], agent-based modeling has been investigated to study and simulate the interdependencies in critical infrastructures. In fact, authors had proposed to adopt UML for better representing the interdependencies between the different components of the critical system. Thereafter, it has been exploited to simulate such complex systems through multi-agent paradigm.
Analyzing the characteristics of the presented works, we can conclude that a promising approach for developing multi-agent based safety-critical system can be very advantageous if it based on Petri nets as a well-defined theoretical model of concurrency on the modeling stage. Then, the use of rewriting logic at the specification stage can provide many benefits for both specification and verification purposes because of the formal analysis tools associated with Maude. Finally, the integration of a powerful technique to ensure the absence of code error during the system implementation can faciltate the usage of such an approach in critical system context.
Conclusion and future work
In this paper, we have presented a new user-friendly approach for the formal analysis of behavioral software architecture of multi-agent based safety-critical systems. The proposed approach has been tested on a case study and results have been found to be quite promising. The ultimate objectives of our approach were:
Using the Petri net formalism in the modeling stage to prepare an appropriate model of the given system architecture. Then, the rewriting logic is used for the specification of petri net in an enhanced version that naturally allows the specification of inhibitor arcs and count tokens in a Petri net place. Combining model-checking and PBT techniques to ensure the absence of any error or unexpected behavior in the specification and implementation of the software under design.
In the future, we plan to implement an algorithm for the automatic generation Petri nets specification based on the enhanced semantics. Such algorithm will enlarge and facilitate the use of our approach and permit developers to benefits from the Maude associated formal analysis tools while developing their safety-critical systems.
Footnotes
Authors’ Bios
