2009 Seventh IEEE International Conference on Software Engineering and Formal Methods Coordinated Consensus Analysis of Multi-agent Systems Using Event-B Ninh-Thuan Truong, Thanh-Binh Trinh, and Viet-Ha Nguyen College of Technology, Vietnam National University, Hanoi 144 Xuan Thuy, Cau Giay, Hanoi {thuantn,binhtt.di07,hanv}@vnu.edu.vn Abstract—Formal specifications and reasoning techniques in software modelling are needed to ensure the correctness of the system at the design phase Event-B is a formal method with support tools that allows the stepwise development of reactive systems Such systems include multi-agent systems as a subclass In this paper, we propose an approach to specify capabilities of a number of software agents We then verify whether these capabilities help the agents to accomplish a certain task using a supported tool for Event-B We use the binary numeral system as a case study to illustrate our approach provided for Event-B specification and proof in the Rodin platform [1] In this paper, we propose an approach to build a specification of a multi-agent system and then to prove the coordinated consensus of agents in the specification using Event-B In our approach, each agent is specified by an abstract machine which sees its context machine The context and abstract machines of agents are later composed to form general ones as the whole systems according to the rules of the protocol consensus algorithms The support tools provided by EventB enable to formally analyze the coordinated consensus of agent specifications through the composed machines The rest of this paper is organized as follows Section presents an overview about multi-agent systems and EventB Section presents our main contribution of using Event-B to specify multi-agent systems and to prove the consensus of the coordination of some agents We also illustrate in this section the proposed approach by a case study, the multiagent system for calculations of binary numbers Section discusses related works We conclude the paper and give some perspectives in Section I I NTRODUCTION Coordinated consensus problems [5] have a long history of study in computer science and their solutions have become an important foundation of reactive systems such as multiagent systems These problems can now be formally and efficiently analyzed thank to the development of formal methods in software specification and verification A multi-agent system [17], [19] is a collection of subsystems in which each subsystem, called an agent, updates itself in accordance with the information it gathers from some of the other agents, i.e from its neighbors In general, the neighbors of an agent are subject to change in time which introduces a switching behavior to the dynamics of the system through communication links It has been proved that it is very important to study and understand the effect of this varying communication topology on some common task to be accomplished (i.e reaching a consensus) by the agents composing the system The B method [2] is a formal software development method, originally created by J.-R Abrial The B notations are based on the set theory, generalized substitutions and the first order logic Event-B [1] is an evolution of the B method that is more suitable for developing large reactive and distributed systems Software development in EventB begins by abstractly specifying the requirements of the whole system and then refining them through several steps to reach a description of the system in such a detail that can be translated into code The consistency of each model and the relationship between an abstract model and its refinements are obtained by formal proofs Tool supports have been 978-0-7695-3870-9/09 $26.00 © 2009 IEEE DOI 10.1109/SEFM.2009.24 II P RELIMINARIES A Multi-agent systems Agents are independent entities with their own goals, actions, and knowledge An agent can be a part of the environment Agents are explicitly modeled and interacting with one another and with the environment A multi-agent system (MAS) [14] is a system composed of multiple interacting agents A multi-agent system can be developed to solve a problem which is impossible or otherwise difficult for an individual agent or monolithic system to solve On-line trading [12], disaster response [13], and social structures modeling [15] are examples that have been successfully implemented as multi-agent systems Agents in multi-agent systems are normally reactive agents Reactive agents receive stimuli from the environment then react to these stimuli by modifying their behaviors and possibly, the environment Reactive agents not necessarily have knowledge and representation of other agents in the system 201 (POs) In practice this verification is performed either by model checking or theorem proving The unit of the machine behavior is event An event e acting on (a list of) state variables v, subject to enabling condition, or guard G(v) with an action, or assignment A(v), has syntax: Though different agents may have their different purpose, they share some characteristics in common: identifier, role and organization These three characteristics are described as: • identifier: each agent in the system is uniquely identified by its identifier in the multi-agent system • role: a role defines the behavior of an agent among other agents in the society For instance, in the auction multi-agent system, Seller or Buyer are possible roles for agents An agent can have multiple roles in the multi-agent system, or role of an agent can change during the execution of the system • organization: agents are evolving in multi-agent systems, and belong to one or several organizations These organizations define the agents’ roles and the relationships between the roles Organizations adhere generally to human organizations, or animal ones such as hierarchies, markets, groups of common interest, or herds A capability in a multi-agent system describes what an agent in the system is able to and under what circumstances The capabilities of agents can be specified in a language called Capability Description Language (CDL) [18] We can specify the capabilities of the agents by inputs, outputs, input constraints, output constraints and input-output constraints e = when G(v) then A(v) end That is, when the state is such that the guard is true, this enables the action, or state transition defined by A(v) A(v) does not contain if statement, but we can specify an event containing a conditional statement by two different events with two guards corresponding two branches Refinement A machine can be refined by another machine Once an abstract model is built, a refinement process is applied to progress towards implementation An abstract model is transformed into a more concrete and elaborate model by refinement A refined model specifies the abstract model it refines in the REFINES clause New variables can be introduced and the old variables can be refined into more concrete ones This is reflected in the substitutions of the events as well One of the difference from the classical B is that new events may also be introduced These new events should not prevent forever the events already present from being triggered A VARIANT, which is a natural number expression that the new events must decrease, is introduced for ensuring it Furthermore, we can also merge several abstract events into one single event, as well as refine one abstract event by several events, as permitted by the event-level REFINES clause Composition and Decomposition On one hand, composition is a technique used to aggregate sub-systems and generate larger systems The motivation for the use of such techniques is the reusability of sub-components and the possibility of interaction between systems In a distributed application, this insight is even more important since the intention is to have independent systems interacting with one another, and at same time keeping all the individual properties On the other hand, decomposition is the process on which a system split into two or more parts This process is used when a system becomes too complex to be managed Dividing it into sub-systems keeps the manageability/tractability An interesting property to be explored is the independent refinement of each sub-system This process must satisfy the constraint that the re-composition of (refined) components should be easy In other words, the result of re-composition can be obtained directly from the decomposition This property is known as compositionality The usability of this technique grows when applied to distributed systems: handling a large system can become unpractical, hence dividing it in separated sub-systems can benefit each of the sub-systems while at the same time, it will benefit the system B Event-B Event-B is a kind of formal method which combines mathematical techniques from the set theory and the first order logic It is used as a notation and method for the formal development of discrete systems Event-B is an evolution of others formal method notations like B-Method (also know as classical B), Z and Action Systems It is considered as an evolution because it simplifies the B machine notations, is easy to learn and more suitable for parallel and distributed reactive system development Another advantage that EventB offers is support tools for system modeling [1] Event-B models are described in terms of two basic constructs: contexts and machines Contexts form the static part of the model while machines form the dynamic part Contexts can extend (or be extended by) other context and are referred (seen) by machines Being considered as the static part of the model, the context is used to store, for instance, the types and constants used during the development of the system The machine contains the dynamic part of the model It describes the system state, the operations to interact with the environment together with the properties, conditions and constraints on the model The properties of a model are defined by the machine invariant, which must be satisfied by every state in the system To be consistent, we have to prove that every event in the system preserves this invariant; this verification requirement is expressed in a number of proof obligations 202 The disjunction of all guards of related events will not be hold, then deadlock freeness of the model is violated We have to add a new event e = g , a such that g1 ∨ g2 ∨ gn ∨ g hold Corollary 3.2: When the interaction of events is convergent, we can obtain the convergent value by a new added event The proof of the Corollary 3.2 is similarly as the one of the Corollary 3.1 In order to analyze the coordinated consensus of the composition of the agents in a multi-agent system, we first compose the Event-B specification of the system The architecture of the specification is depicted in Figure has a whole III C OORDINATED CONSENSUS ANALYSIS OF MULTI - AGENT SYSTEMS In this section we propose an approach which allows the composition of machines in Event-B in order to analyze the coordinated consensus of the agents specification We illustrate the proposed approach via a case study of binary number calculation A Coordinated consensus analysis using Event-B composition In multi-agent systems, each agent and their capabilities is provided to perfom particularly tasks These agents can be coordinated to solve a problem which is impossible or otherwise difficult for an individual agent or monolithic system to solve However, the cooperation of agents has been lacked the consensus analysis in specification and design tools As a result, we propose an approach to analyse the cooperation of agents to accomplish a task using Event-B notation and tools Note that, ”consensus” means to reach an agreement between agents regarding a certain quantity of interest that depends on the state of all agents A ”consensus algorithm” (or protocol) is an interaction rule that specifies the way of information exchange between an agent and all of its neighbors [7] Before introducing the approach of coordinated consensus analysis using Event-B, we give some definitions and their corollary related to Event-B specification, they are useful in the analysis process sees Agent_1.mch Agent_1.ctx sees Agent_2.mch Agent_2.ctx sees Agent_n.mch Agent_n.ctx composition composition MAS.mch Figure sees MAS.ctx Composition of agent machines In this specification, the context machines of different agents will be combined into a context machine of the system called MAS.ctx, while the abstract machines of different agents will be combined into a general abstract machine called MAS.mch Note that composition in Event-B has been proposed earlier by Poppleton in [10] His approach of composition is roughly described as follows Let M1 and M2 be two models which are proposed to be fused The variables and events from each model will be combined with the ones from the other model That is, they concatenate the variable lists and events, conjoin those events with common names (in a manner to be defined) in a new model M The variable list v in M1 comprises the list x of actioned variables and the list y of skipping variables for each event Similarly variables list w in M2 comprise the list z of actioned variables and the list a of skipping variables for each event They define xz = x∩z, the common actioned variables, and ya = y∩a, the common skipping variables Note that the other intersecting variable lists yz and xa are both empty, to enable meaningful composition definitions [10] This approach focuses on the composition of independent events and variables of machines and on assuring the correctness of proof in the composition machine It means that, the events in systems not affect results of the execution after the composition In addition to the above, the composition mechanism in Event-B has to ensure that the overall behavior of the Definition An iterative event e = g, a is convergent when the guard g is hold and then their list of actions a executed until g is not hold in the future However, when the guard g is unsatisfied, proof obligations of deadlock freeness defined in a model machine will be unproved Thus, we have to add a new event e = g , a to the model such that g ∨ g is always hold under the execution of a or a Corollary 3.1: The value of a convergent iterative event can be obtained by a new added event Proof Suppose that e = g, a is a convergent event According to the Definition 1, the guard g will be unsatisfied at a moment in the future Then we can define additionally a new event e = g , a to the machine in order to get results of variables in event e where g = ¬ g, in a simple case ✷ Definition The interaction of events which conforms to a protocol execution is convergent when: i The order of events is conformed to the protocol execution, ii The disjunction of all guards of related events will not be hold at a moment in the future 203 3) Init = Init1 , the Init event of the composition is defined as the Init event of the first capability machine in protocol execution 4) ee = ∪eei where eei = Initi+1 ∪ eei , to activate the events of the next capability, a part of its event Init is combined to the get result event of the previous capability 5) eeM is the new event added to the model to get final result of computation process After executing the composition, we have to optimize the MAS model machine and its context by eliminating some constants and variables which are redundant or unnecessary The principle proposed above is reasonable because it can make the events executed in the order of the protocol consensus The event ec1 is executed first via the definition Init of the machine, then the next event will be executed via a part of the definition of the get result event of the previous event The convergence of each event and of the interaction between events will be automatically proved by the tool support of Event-B [1] abstract model is kept and that the concrete model does not get into two states: • Divergence: this situation occurs when the system behaves chaotically, it happens whenever some events are aborted • Deadlock: this situation occurs when no event is enabled and as a consequence, the system’s state never change since it happens The first constraint (non-divergence), imposes to exhibit a variant V, which is a well-founded structure (e.g N,≤), is proved to be decreased by a well-founded relation The second constraint (deadlock freeness) is proved by proof obligations which state that the disjunction of the event guards always hold under the properties of the constant and the invariant The absence of the divergence and the deadlock can be proved by the support tool of Event-B This leads us to the thought of applying the idea of machine composition to compose machines of agents and to analyze the coordinated consensus between agents In this composition, the interaction between events plays an important role in accomplishing a task Note that, in order to avoid the ambiguity in the case that an agent may have many capabilities, we decompose it to several model machines, each of them corresponds to one capability The decomposition process is applied to a model machine which specifies an agent with more than one capabilities [4] Alternatively, we can also specify each capability of the agent by a model machine at the beginning Suppose that, in our model, an abstract machine specifies an agent’s capability, which is expressed by a quatro-tuple Mi = vi , Initi , eci , eei where vi is the list of variables, Initi is the initial event of the agent’s machine i, eci is the list of events which completely specify the agent capability, and eei is the event used to obtain the result (see the Corollary 3.1) B Description of a case study Supposing that in a multi-agent system, an organisation contains agents used to calculate the results of some operations for binary numbers: BitShift, Sum and MultiDigit agents Multiplication for binary numbers works in the same way as for the decimal numbers In our multi-agent system, we have three capabilities: multiplyWithOneDigit, shiftLeft, and addition These capabilities respectively belong to the MultiDigit agent, the BitShift agent, and the Sum agent In the BitShift operation, the digits are shifted left or right The shiftLeft capability of the BitShift agent enables digits in a binary number move a number of bits left by the operation with the same number of right bits being filled up by zero For instance, if we apply the shift left operator by one position to the binary number 00011011, we obtain the number 00110110 The BitShift agent can be specified by AUML as depicted in Figure Definition A multi-agent system Mult is a quatro-tuple Mult = Ag, Mact, α, Γ where: • Ag is a finite set of agents (in a MAS), • Mact is the set of capabilities possible in Mult, • α : Mact → Ag assigns to each capability of Mact the agent that performs it, • Γ is the execution protocol between capabilities to accomplish a task BitShift Role shiftLeft, shiftRight shiftLeft shiftRight Organisation Calculator Input Input Protocol binaryNumber, numShift binaryNumber, numShift enter−society, exit−society, compute Then, let M = V, Init, ec, ee, eeM be the composed machine for the agent capabilities Mi , i = 1, , n Without the loss of generality, we suppose that the execution protocol between events of agents is the ordering Γ = [ec1 , ec2 , ec3 , ecn ] The construction of M must be conformed to the following principle: 1) V = ∪vi , the list of variables of the composition machine contains variables of agent machines 2) ec = ∪eci , the composition machine contains all events of the agent machines Output Output binaryNumber binaryNumber Description Description This capability makes the shift left a binary number with numShift bits Figure This capability makes the shift right a binary number with numShift bits Bit shift agents specification The Sum agent is used to add or subtract two binary numbers The input of the Sum agent are two binary numbers and the output is a binary number as the result of the operation For example: 204 + 00011011 00011011 00110110 the coordination between agents capabilities The execution of events in the composition machine MAS is as follows First, the Init event is executed In Init event, we start the variable value jj := It enables to activate the execution of the event multiplyWithOneDigit As this event is proved to be a convergent event in the machine MultiDigit then it run until the guard jj ≤ size aa is not hold This implies the guard jj = size aa+1 hold and thus the event multiplyWithOneDigit result is activated This one, as defined in the machine MultiDigit, does not change the guard of any event However, the event multiplyWithOneDigit result in the machine MAS.mch contains a part of the Init event of the machine BitShift, as defined in the principle composition above This definition allows to activate the event shiftLeft, etc The mechanism is continued until all events in the protocol algorithm activated If these events are not convergent, they will run forever and proof obligations of non-divergence will be violated If they are convergent, the conjunction of all related events will not be hold in the future, then the guard of the event multiply2BinaryNumbers will be satisfied, actions in this event are executed As these actions not contain any variant, the guard of the event multiply2BinaryNumbers thus always hold As a result, if proof obligations of the composition machine are preserved, the execution of the events will be convergent The capabilility of the MultiDigit agent is to multiply a binary number by one digit number (0 or 1) The input is a binary number and a binary digit, the output is a binary number as the result C Specifying the case study in Event-B notation Let us consider the specification of these capabilities for agents using Event-B notations We will use sets to represent binary numbers The set representation for a binary number is a set of pairs, each pair maps a position of the number from the right to the binary digit of the number at that position For example, binary number 00011011 can be specified via set as follows: {8 → 0, → 0, → 0, → 1, → 1, → 0, → 1, → 1} With this representation and ease of understanding the algorithm, we use the conditional statement (if then) in the part of actions of events We specify the MultiDigit agent as presented in Figure The abstract machine MultiDigit.mch in Figure 5(a) specifies the dynamic part of the system This machine sees the context MultiDigit.ctx depicted in Figure 5(b) The shiftLeft capability of the BitShift agent is specified in Figure 6, the addition capability of the Sum agent is specified in Figure Note that, with each event corresponds to a capability, we define a new event namely [event name] result to get the convergent value (see Corollary 3.1) Using the three capabilities multiplyWithOneDigit, shiftLeft, and addition in the agent organisation, we describe the consensus algorithm of the multiplication of two binary numbers as Algorithm IV R ELATED WORK In the literatures, there are many papers proposed to formalize multi-agent systems using different formal methods in order to support the formal verification of the system Hilaire et al [7] proposed a general framework for modelling multi-agent systems based on Object-Z and statecharts This framework focused on organisational aspects in order to represent agents and their roles Similarly, Regayeg et al [11] combined Z notations and linear temporal logic to specify the internal part of agents and the specification of the communication protocols between agents They proposed general patterns and the use of Z support tools to modelcheck their specifications H Fadil and J Koning presented a work [6] involving the use of classical B to model agents roles and interactions The goal of the paper is to model the interaction between agents with a formal method that is able to check and then prove their initial UML specification The paper [3] also focused on the interaction protocol between agents using Event-B Some patterns for the B specification of fault tolerance protocols are proposed in the case of agent communication A Lanoix [8] proposed an approach to report their experience with the Even-B stepwise development of a situated MAS which study the displacement of vehicles in a convoy In the case study, they suppose that all the vehicles move in a simultaneous movement using Event-B to ensure a safety Algorithm Consensus algorithm of agents in the multiplication system ar ← Multiplication2BinaryNumber(aa,bb) 1: for each ii ≤ size bb 2: modr ← multiplyWithOneDigit(bb[ii], aa) 3: slr ← shiftLeft(modr, ii) 4: cc ← addition(slr, cc) 5: end for 6: ar ← cc Based on the consensus algorithm above and the principle proposed in Subsection III-A, the composition of the agent machines in the system called MAS.mch and MAS.ctx, these are illustrated in Figure and in Figure 4, respectively We add an event called multiply2BinaryNumbers to get the final result of the interaction between events (see Corollary 3.2) The support tools of the Event-B will prove the consensus of 205 context MAS.ctx context Sum.ctx constants aa bb size aa size bb size res axioms aa ∈ NAT1 → bb ∈ NAT1 → < size aa < size bb size aa < size res size bb < size res theorems ran(aa) = ∅ ran(bb) = ∅ end machine MAS.mch sees MAS.ctx variables ii jj invariant ii ∈ NAT jj ∈ NAT events INIT ii := jj := end multiply2BinaryNumbers when (ii = size bb+1) then res := cc end multiplyWithOneDigit when (jj ≤ size aa) then pp(jj) := bb(ii) ∗ aa(jj) jj := jj+1 end multiplyWithOneDigit result when jj = size aa+1 then modr := pp kk := size pp //activate shiftLeft end shiftLeft when (kk > ∧ kk ≤ size pp) then if (kk > numShift) then modr(kk) := modr(kk−numShift) else if (kk ≤ numshift) then modr(kk) := end kk := kk−1 end shiftLeft result when (kk = 0) then slr := modr hh := //activate the addition event end addition when (hh ≤ size ar) then if (hh = size ar ∧ carry = 0) then cc(hh+1) := else cc(hh) := (cc(hh)+slr(hh)+carry) mod carry := (cc(hh)+slr(hh)+carry) div hh := hh+1 end end addition result when hh = size ar+1 then ar := cc jj := ii := ii+1 end end Figure Figure MAS context property of the system: no collision must occur between a vehicle and its predecessor The papers above try to specify protocol execution between tasks of agents using Z, classical B, Event-B, etc but it did not provide an approach to check if tasks are coordinated consensus, that our paper proposes The coordinated consensus problems in multi-agent systems have been also considered in [5], [16], [9] R Carli et al [5] discussed a work concerned a group of autonomous mobile agents in order to analyse a common task, communications constraints impose limits on the achievable control performance Analysing the consensus or state agreement problem, the authors characterize the relationship between the amount of information exchanged by the agents and the rate of convergence to the agreement Another approach to the coordinated consensus problem of multi-agent systems is presented in [16] In this approach, the authors introduce a characterization of contraction for bounded convex set For discrete-time multi-agent systems, the authors provide an upperbound on the rate of convergence to a consensus under some assumptions However, these papers focused on analysing coordinated consensus problems using mathematical models, this is still impossible to use support tools to prove the convergence of tasks V C ONCLUDING REMARKS Multi-agent systems play an important role in developing complex or distributed information systems As each agent of the system usually be designed to be autonomous and does not aware of other agent existences, it is difficult for developers to ensure the coordinated task of these agents will be accomplished In this paper, we proposed an approach to specify multiagent systems and then verify the consensus property of MAS machine 206 agents using Event-B In our approach, each agent is specified by an abstract machine which sees its context machine A context machine here refers to the environment of the agents The interactions between agents are specified as protocols or algorithms that modify machine states The context and machines of agents are then composed to general ones as the whole systems according to the rules of the protocol consensus algorithms Then, we can use Event-B tools to formally analyze the coordinated consensus of agent specifications through the composed machines We illustrated our approach by an example of a binary multiplication system In this system, the result of a multiple operation is accomplished by the collaboration of different agents Using Rodin platform, we proved that the system will reach the state that provide the result Our approach is based on the proving ability of Event-B tools so it cannot cope with large multi-agent systems which have a large number of agents and complex interactions Another limitation is that it only works with simple consensus problems that can be specified by Event-B We are working to extend our approach to check the plan of agents and to solve above limitations [8] Arnaud Lanoix Event-B specification of a situated multiagent system: Study of a platoon of vehicles In TASE ’08: Proceedings of the 2008 2nd IFIP/IEEE International Symposium on Theoretical Aspects of Software Engineering, pages 297–304 IEEE Computer Society, 2008 [9] R Olfati-Saber, J A Fax, and R M Murray Consensus and cooperation in networked multi-agent systems Proceedings of the IEEE, 95(1):215–233, 2007 [10] Michael Poppleton The composition of Event-B models In ABZ ’08: Proceedings of the 1st international conference on Abstract State Machines, B and Z, pages 209–222 SpringerVerlag, 2008 [11] A Regayeg, A.H Kacem, and M Jmaiel Specification and verification of multi-agent applications using temporal Z In Intelligent Agent Technology Conference, pages 260–266 IEEE Computer Society, 2004 [12] Alex Rogers, Esther David, Nicholas R Jennings, and Jeremy Schiff The effects of proxy bidding and minimum bid increments within ebay auctions ACM Trans Web, 1(2):9, 2007 [13] Nathan Schurr, Janusz Marecki, Milind Tambe, and Paul Scerri The future of disaster response: Humans working with multiagent teams using defacto In In AAAI Spring Symposium on AI Technologies for Homeland Security, 2005 ACKNOWLEDGEMENTS This work is partly supported by the research grant of College of Technology and by the research project No QGTD 09.02 granted by Vietnam National University, Ha Noi The authors would like to thank Dr Van-Hung Dang for his useful comments [14] Yoav Shoham and Kevin Leyton-Brown Multi-agent Systems: Algorithmic, Game-Theoretic, and Logical Foundations Cambridge University Press, New York, 2009 [15] Ron Sun and Isaac Naveh Simulating organizational decision-making using a cognitively realistic agent model J Artificial Societies and Social Simulation, 7(3), 2004 R EFERENCES [1] http://event-b.org [16] Sezai Emre Tuna and Rodolphe Sepulchre Quantitative convergence analysis of multi-agent systems In 7th IFAC Symposium on Nonlinear Control Systems, pages 236–241, August 2007 [2] J.-R Abrial The B-Book, Assigning Programs to Meanings Cambridge University Press, 1996 [3] E Ball and M Butler Event-B patterns for specifying fault-tolerance in multi-agent interaction In Proceedings of Methods, Models and Tools for Fault Tolerance, volume 5454 of LNCS Springer, 2009 [17] Gerhard Weiss Multiagent Systems: A Modern Approach to Distributed Artificial Intelligence The MIT Press, 2000 [18] G.J Wickler Using Expressive and Flexible Action Representations to Reason about Capabilties for Intelligent Agent Cooperation PhD thesis, The University of Edinburgh, 1999 [4] Michael Butler Decomposition structures for Event-B In IFM’09: Proceedings of the 7th International Conference on Integrated Formal Methods, pages 20–38, Berlin, Heidelberg, 2009 Springer-Verlag [19] Michael Wooldridge An Introduction to MultiAgent Systems John Wiley & Sons, 2002 [5] R Carli, F Fagnani, Speranzon, and A.Zampieri Communication constraints in coordinated consensus problems In American Control Conference IEEE, 2006 ANNEX Below we use Event-B to describe the specifications of multiplyWithOneDigit, leftShift and addition capabilities of the MultiDigit, BitShift and Sum agents, respectively [6] H Fadil and J Koning A formal approach to model multiagent interactions using the B formal method In International Symposium on Advanced Distributed Systems, volume 3563 of LNCS, pages 516–528 Springer Verlag, 2005 [7] V Hilaire, P Gruer, A Koukam, and O Simonin Formal specification approach of role dynamics in agent organisations: Application to the satisfaction-altruism model Int Jour of Software Engineering and Knowledge Engineering, 17(5):615–641, 2007 207 machine MultiDigit.mch sees MultiDigit.ctx variables pp modr // Final result jj invariant modr ∈ NAT1 → pp ∈ NAT1 → jj ∈ NAT events INIT modr := ∅ pp := ∅ jj := end multiplyWithOneDigit when (jj ≤ size aa) then pp(jj) := digit ∗ aa(jj) jj := jj+1 end multiplyWithOneDigit result when jj = size aa+1 then modr := pp //Get results end end (a) MultiDigit machine machine BitShift.mch sees BitShift.ctx variables pp //Get temporary results slr //Result of the shift left kk invariant pp ∈ NAT1 → slr ∈ NAT1 → kk ∈ NAT events INIT pp := ∅ slr := ∅ kk := size pp end shiftLeft when (kk > 0) then if (kk > numShift) then pp(kk) := pp(kk−numShift) else if (kk ≤ numshift) then pp(kk) := end kk := kk−1 end shiftLeft result when (kk = 0) then slr := pp end end (a) BitShift machine context MultiDigit.ctx constants aa digit size aa size modr axioms aa ∈ NAT1 → digit ∈ NAT < size aa < size modr size modr ≥ size aa theorems ran(aa) = ∅ end (b) MultiDigit context Figure context BitShift.ctx constants pp size pp numShift axioms pp ∈ NAT1 → < size pp < numShift numShift < size pp theorems ran(pp) = ∅ end (b) BitShift context Event-B specification of MultiDigit agents Figure 208 Event-B specification of BitShift agents machine Sum.mch sees Sum.ctx variables cc //Get temporary results ar // Result of the addition operation carry hh invariant cc ∈ NAT1 → ar ∈ NAT1 → hh ∈ NAT carry ∈ NAT events INIT cc := ∅ ar := ∅ hh := carry := end addition when (hh ≤ size ar) then if (hh = size ar ∧ carry = 0) then cc(hh+1) := else cc(hh) := (aa(hh)+bb(hh)+carry) mod carry := (aa(hh)+bb(hh)+carry) div hh := hh+1 end end addition result when hh = size ar+1 then ar := cc //Get results end end (a) Sum machine context MAS.ctx constants aa bb size aa size bb size ar axioms aa ∈ NAT1 → bb ∈ NAT1 → < size aa < size bb size aa < size ar size bb < size ar size ar < size aa+size bb theorems ran(aa) = ∅ ran(bb) = ∅ end (b) Sum context Figure Event-B specification of Sum agents 209 ... problem, the authors characterize the relationship between the amount of information exchanged by the agents and the rate of convergence to the agreement Another approach to the coordinated consensus... international conference on Abstract State Machines, B and Z, pages 209–222 SpringerVerlag, 2008 [11] A Regayeg, A. H Kacem, and M Jmaiel Specification and verification of multi-agent applications... aa ∈ NAT1 → bb ∈ NAT1 → < size aa < size bb size aa < size res size bb < size res theorems ran(aa) = ∅ ran(bb) = ∅ end machine MAS.mch sees MAS.ctx variables ii jj invariant ii ∈ NAT jj ∈ NAT