Verifying Systems of Resource-Bounded Agents

Approaches to the verification of multi-agent systems are typically based on games or transition systems defined in terms of states and actions. However, such approaches often ignore a key aspect of multi-agent systems, namely that the agents' actions require (and sometimes produce) resources. We briefly survey previous work on the verification of multi-agent systems that takes resources into account


Resource-Bounded Agents
In many multi-agent systems, agents are resource-bounded, in the sense that they require resources in order to act. Actions require time to complete and typically require additional resources depending on the application domain, for example energy or money. For many applications, the availability or otherwise of resources is critical to the properties we want to verify: a multi-agent system will have very different behaviours depending on the resource endowment of the agents that comprise it. For example, an agent with insufficient energy may be unable to complete a task in the time assumed by a team plan, if it has to recharge its battery before performing the task.
However, with a few exceptions which we discuss below, previous work on verification of MAS abstracts away from the fact that many multi-agent systems consist of agents that need resources to operate and that those resources are limited. In particular, current state-of-the-art verification techniques and tools for MAS are unable to verify system properties that depend on the resource production and consumption of the agents comprising the MAS.
In this paper we survey recent work in the emerging field of verification of resource-bounded agents, and highlight a number of challenges that must be overcome to allow practical verification of resource-bounded MAS. We argue that recent work on the complexity of model-checking for logics of strategic ability with resources offers the possibility of significant progress in the field, new verification approaches and tools, and the ability to verify the properties of a large, important class of autonomous system that were previously out of reach.

Model-Checking with Resources
In this section we give a brief introduction to model-checking multi-agent systems and explain how standard model checking approaches can be extended with resources.
In a model-checking approach to the verification of multi-agent systems, a MAS is represented by a finite state transition system. A state transition system consists of a set of states and transitions between them. Intuitively, each state of a MAS corresponds to a tuple of states of the agents and of the environment, and each transition corresponds to actions performed by the agents. Each state is labelled with atomic propositions that are true in that state. A standard assumption is that each state in the system has at least one outgoing transition (if a state is a deadlock state in the original MAS, we can model this by adding a transition to itself by some null action and labelling it with a 'deadlock' proposition). Properties of the system to be verified are expressed in an appropriate temporal logic L. The model-checking problem for L is, given a state transition system M (and possibly a state s) and an L formula φ, check whether φ is true in M (at state s).
For multi-agent systems, a temporal logic of particular interest is Alternating Time Temporal Logic (ATL) [8]. ATL generalises other temporal logics such as Computation Tree Logic (CTL) [18] (which can be seen as a one-agent ATL) by introducing notions of strategic ability. ATL is interpreted over concurrent game structures (transition systems where edges correspond to a tuple of actions performed simultaneously by all the agents, see the example below). The language of ATL contains atomic propositions, boolean connectives ¬, ∧, etc. and modalities A , A and A U for each subset (or coalition in ATL terms) A of the set of all agents, which express the strategic ability of the coalition A. A φ means that the coalition of agents A has a choice of actions such that, regardless of what the other agents in the system do, φ will hold in the next state. A φ means that coalition A has a strategy to keep φ true forever, regardless of what the other agents do. A strategy is a choice of actions which either only depends on the current state (memoryless strategy) or on the finite history of the current state (perfect recall strategy). Finally, A φ U ψ means that A has a strategy to ensure that after finitely many steps ψ holds, and in all the states before that, φ holds. The model-checking problem for ATL can be solved in time polynomial in the size of the transition system and the property [8], and there exist model-checking tools for ATL, for example, MOCHA [9] and MCMAS [25].
Example. Figure 1 illustrates a simple ATL model of a system with two agents, 1 and 2, and actions α, β, γ and idle. Action tuples on the edges show the actions of each agent, for example, in the transition from state s_I to s, agent 1 performs action α and agent 2 performs idle. In this system, in state s_I, agent 1 has a (memoryless) strategy to enforce that p holds eventually in the future no matter what agent 2 does, which can be expressed in ATL as {1} U p. Similarly, in s_I agent 1 has a memoryless strategy to keep ¬p true forever, so {1} ¬p holds in s_I.

Adding Resources
In order to model multi-agent systems where agents' actions produce and consume resources, it is necessary to modify the approach above in two ways. One is to add resource annotations to the actions in the transition system: for each individual action and each resource type, we need to specify how many units of this resource type the action produces or consumes. For example, suppose that there are two resource types, r_1 and r_2 (e.g., energy and money). Then we can specify that action α in Figure 1 produces two units of r_1 and consumes one unit of r_2, action β consumes one unit of r_1 and produces one unit of r_2, action γ consumes five units of r_1, and action idle does not produce or consume any resources.
The second modification is to extend the temporal logic so that we can express properties related to resources. For example, we may want to express a property that a group of agents A can eventually reach a state satisfying φ or can maintain the truth of ψ forever, provided that they have available n_1 units of resource type r_1 and n_2 units of resource type r_2. Such statements about coalitional ability under resource bounds can be expressed in an extension of ATL where coalitional modalities are annotated with a resource bound on the strategies available to the coalition. We call logics where every action is associated with produced and consumed resources and the syntax reflects resource requirements on agents, resource logics.
To illustrate the properties resource logics allow us to express, consider the model in Figure 1 with the production and consumption of resources by actions specified above.
In this setting, we can verify if agent 1 can eventually enforce p provided that it has one unit of r_2 in state s_I, or whether the coalition of agents {1, 2} can achieve p under this resource bound by working together. There are surprisingly many different ways of measuring costs of strategies and deciding which actions are executable by the agents given the resources available to them, but under at least one possible semantics, the answer to the first question is no and to the second one yes, but the latter requires a perfect recall strategy (the two agents should loop between states s_I and s until they produce a sufficient amount of resource r_1, and then execute actions corresponding to the γ, idle transition from s to s ). Clearly, the model-checking problem for temporal logics is a special case of the model-checking problem for the corresponding resource logics. The question is, how much harder does the model-checking problem become when resources are added?

A Brief Survey of Resource Logics
In this section, we briefly review recent theoretical work on the development of resource logics. We focus on expressiveness and model-checking complexity, as these features determine the suitability of a particular logic for practical verification.

Consumption of Resources
Early work on resource logics considered only consumption of resources (no action produced resources), and initial results were encouraging.
One of the first logics capable of expressing resource requirements of agents was a version of Coalition Logic (CL), called Resource-Bounded Coalition Logic (RBCL), where actions only consume (and don't produce) resources. It was introduced in [1] with the primary motivation of modelling systems of resource-bounded reasoners; however, the framework is sufficiently general to model any kind of action. The model-checking problem for this logic was shown to be decidable in [4] in polynomial time in the transition system and the property and exponential in the number of resource types.
A resource-bounded version of ATL, RB-ATL, where again actions only consume (and do not produce) resources, was introduced in [2]. It was also shown that the model-checking problem for this logic is decidable in time polynomial in the size of the transition system and exponential in the number of resource types. (For a single resource type, e.g., energy, the model-checking problem is no harder than for ATL.) Practical work on model-checking standard computer science transition systems (not multi-agent systems) with resources also falls in the category of consumption-only systems; for example, probabilistic model-checking of systems with numerical resources as done using the PRISM model-checker [24] assumes costs monotonically increasing with time.
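The following added example (not code from the surveyed papers or from any of the tools named here) sketches a fixpoint check for a consumption-only "coalition A can eventually enforce p under bound b" property in the spirit of RB-ATL. The three-state model, the action names a, b, c and their costs are constructed for illustration and are not Figure 1; it assumes a coalition move costs the sum of its members' action costs and that only coalition members are charged.

```python
from itertools import product

# Constructed two-agent concurrent game structure (illustrative, not Figure 1).
AGENTS = (1, 2)
COST = {"a": (1, 0), "b": (0, 1), "c": (2, 0), "idle": (0, 0)}  # (r1, r2) consumed
AVAIL = {  # AVAIL[state][agent] -> actions the agent may choose in that state
    "s0": {1: ["a", "idle"], 2: ["b", "idle"]},
    "s1": {1: ["c", "idle"], 2: ["idle"]},
    "s2": {1: ["idle"], 2: ["idle"]},
}
DELTA = {  # (state, (action of agent 1, action of agent 2)) -> next state
    ("s0", ("a", "b")): "s1", ("s0", ("a", "idle")): "s0",
    ("s0", ("idle", "b")): "s0", ("s0", ("idle", "idle")): "s0",
    ("s1", ("c", "idle")): "s2", ("s1", ("idle", "idle")): "s1",
    ("s2", ("idle", "idle")): "s2",
}
P_STATES = {"s2"}  # states labelled with the proposition p

def joint_moves(state, agents):
    """All action assignments for `agents` in `state`, as {agent: action} dicts."""
    agents = sorted(agents)
    choices = product(*(AVAIL[state][i] for i in agents))
    return [dict(zip(agents, acts)) for acts in choices]

def can_enforce_eventually(coalition, bound, start):
    """Least fixpoint over (state, remaining budget): True iff the coalition
    can force reaching a p-state from `start` without spending more than `bound`."""
    coalition = set(coalition)
    others = set(AGENTS) - coalition
    budgets = list(product(*(range(n + 1) for n in bound)))
    win = {(s, r) for s in P_STATES for r in budgets}  # p already holds
    changed = True
    while changed:
        changed = False
        for s, r in product(AVAIL, budgets):
            if (s, r) in win:
                continue
            for mine in joint_moves(s, coalition):
                cost = [sum(COST[a][k] for a in mine.values()) for k in range(len(bound))]
                left = tuple(x - c for x, c in zip(r, cost))
                if min(left) < 0:
                    continue  # the coalition cannot afford this move
                # The move must succeed against every response of the other agents.
                if all((DELTA[s, tuple({**mine, **theirs}[i] for i in AGENTS)], left) in win
                       for theirs in joint_moves(s, others)):
                    win.add((s, r))
                    changed = True
                    break
    return (start, tuple(bound)) in win
```

The table of (state, remaining budget) pairs grows with the product of the per-type bounds, so each additional resource type multiplies its size.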

Adding Production
However, when resource production is considered in addition to consumption, the situation changes. In a separate strand of work, a range of different formalisms for reasoning about resources was introduced in [15,13]. In those formalisms, both consumption and production of resources were considered. In [14] it was shown that the problem of halting on empty input for two-counter automata [23] can be reduced to the model-checking problem for several of their resource logics. Since the halting problem for two-counter automata is undecidable, the model-checking problem for a variety of resource logics with production of resources is undecidable. The reduction uses two resource types (to represent the values of the two counters) and either one or two agents depending on the version of the logic (whether the agents have perfect recall, whether the formula talking about coalition A can also specify resource availability for remaining agents, and whether nested operators 'remember' initial allocation of resources or can be evaluated independently of such initial allocation).
The only decidable cases considered in [13] are an extension of CTL with resources (essentially one-agent ATL) and a version where on every path only a fixed finite amount of resources can be produced. They call the models satisfying this property bounded, and point out that RBCL and RB-ATL are logics over a special kind of bounded models (where no resources are produced at all). Other decidability results for bounded resource logics have also been reported in the literature. For example, [19] define a decidable logic, PRB-ATL (Priced Resource-Bounded ATL), where the total amount of resources in the system has a fixed bound. The model-checking algorithm for PRB-ATL requires time polynomial in the size of the model and exponential in the number of resource types and the resource bound on the system. In [20] an EXPTIME lower bound in the number of resource types for the PRB-ATL model-checking problem is shown.
A general logic over systems with numerical constraints called QATL* was introduced in [16]. In that paper, more undecidability results for the model-checking problem of QATL* and its fragments were shown. For example, QATL (Quantitative ATL) is undecidable even if no nesting of cooperation modalities is allowed. The main proposals for restoring decidability to the model-checking problem for QATL in [16] are removing negative payoffs (similar to removing resource production) and also introducing memoryless strategies. Shared resources were considered in [17]; most of the cases considered there have undecidable model-checking (apart from the case of a single shared resource, which has decidable model-checking).
This brief survey of work to date suggests that the main approach until recently to dealing with both resource production and consumption was to bound the amount of produced resources globally in the model. For some systems of resource-bounded agents, this is a reasonable restriction. For example, agents that need energy to function and are able to charge their battery can never 'produce' more energy than the capacity of their battery. This is a typical bounded system. However, in some cases, although every single application of the agent's actions produces a fixed amount of some resource, repeating this action arbitrarily often will produce arbitrarily large amounts of the resource. This may apply to energy stored in unbounded storage, or to money, or many other natural situations. Recent work suggests that verification of such systems may still be possible.

Decidable Unbounded Production
In [5] a version of ATL, RB±ATL, was introduced where actions both produce and consume resources. The models of the logic do not impose bounds on the overall production of resources, and the agents have perfect recall. Nevertheless, the model-checking problem for RB±ATL is decidable (RB±ATL is very similar to one of the resource logics introduced in [13] for which the decidability of the model-checking problem was left open). The existence of a decidable resource logic with unbounded production is surprising, as it is the first indication that it is possible to reason about the properties of this important class of resource-bounded multi-agent system. However, although this work is encouraging, we are not yet at the point of practical verification of such systems. In [5] the lower bound on the complexity of the model-checking problem for RB±ATL is shown to be EXPSPACE. The proof of EXPSPACE-hardness is by reduction of the reachability problem for Petri Nets to the model-checking problem for RB±ATL. Although the Petri Net reachability problem is decidable, the upper bound on its complexity is still unknown; similarly we do not know the upper bound on the RB±ATL complexity. The complexity of the model-checking problem for RB±ATL is thus much higher than that for ATL without resources and the consumption-only resource logics surveyed above. This high complexity makes it difficult to develop practical verification approaches.
In [3], a new syntactic fragment of resource logic RAL with decidable model-checking has been identified. It restricts the occurrences of coalitional modalities on the left of the Until formulas; on the other hand, it allows nested modalities to refer to resource allocation at the time of evaluation rather than always considering a fresh resource allocation, as in RB±ATL. More precisely, a formula A b φ U A ↓ ψ_1 U ψ_2 says that given resource allocation b, coalition A can always reach a state (maintaining φ) where with the remaining resources, it can reach ψ_2 maintaining ψ_1.
The RB±ATL results offer the possibility of significant progress in the verification of resource-bounded multi-agent systems. However, many challenges remain for future research. Below we list three of the most important.
Understanding sources of undecidability. Developing a better understanding of the sources of decidability and undecidability (beyond boundedness) will be critical to future progress. As observed in [13], subtle differences in truth conditions for resource logics result in the difference between decidability and undecidability of the model-checking problem. Preliminary work in this direction is reported in [3].
Lower complexity. It is useful to discover sources of undecidability and how to construct expressive logics for which the model-checking problem is decidable. However, it is even more important to be able to develop logics, or fragments of existing logics such as RB±ATL, that are sufficiently expressive for practical problems, but where the model-checking problem has tractable complexity (ideally polynomial in the size of the transition system, as in the case of bounded production logics). Only then would we be able to implement practical model-checking tools for systems of resource-bounded agents.
Practical tools. Although model checking algorithms have been proposed for several of the logics surveyed, work on implementation is only beginning. We aim to develop practical model-checking tools for verifying resource-bounded MAS by extending the MCMAS model checker [25] to allow the modelling of multi-agent systems in which agents can both consume and produce resources. Work on symbolic encoding of RB-ATL model-checking is reported in [7] and work on symbolic encoding of RB±ATL model-checking is reported in [6].
Addressing these challenges will allow practical model-checking of resource logics and constitute a major breakthrough in multi-agent system verification.