UNU-IIST International Institute for Software Technology

Dynamics of Control J W Sanders and Matteo Turilli March 2007

UNU-IIST Report No. 353

Report type: T (Technical)

UNU-IIST and UNU-IIST Reports

UNU-IIST (United Nations University International Institute for Software Technology) is a Research and Training Centre of the United Nations University (UNU). It is based in Macao, and was founded in 1991. It started operations in July 1992. UNU-IIST is jointly funded by the government of Macao and the governments of the People’s Republic of China and Portugal through a contribution to the UNU Endowment Fund. As well as providing two-thirds of the endowment fund, the Macao authorities also supply UNU-IIST with its office premises and furniture and subsidise fellow accommodation.

The mission of UNU-IIST is to assist developing countries in the application and development of software technology. UNU-IIST contributes through its programmatic activities:

1. Advanced development projects, in which software techniques supported by tools are applied,
2. Research projects, in which new techniques for software development are investigated,
3. Curriculum development projects, in which courses of software technology for universities in developing countries are developed,
4. University development projects, which complement the curriculum development projects by aiming to strengthen all aspects of computer science teaching in universities in developing countries,
5. Schools and Courses, which typically teach advanced software development techniques,
6. Events, in which conferences and workshops are organised or supported by UNU-IIST, and
7. Dissemination, in which UNU-IIST regularly distributes to developing countries information on international progress of software technology.

Fellows, who are young scientists and engineers from developing countries, are invited to actively participate in all these projects. By doing the projects they are trained.

At present, the technical focus of UNU-IIST is on formal methods for software development. UNU-IIST is an internationally recognised centre in the area of formal methods. However, no software technique is universally applicable. We are prepared to choose complementary techniques for our projects, if necessary.

UNU-IIST produces a report series. Reports are either Research (R), Technical (T), Compendia (C) or Administrative (A). They are records of UNU-IIST activities and research and development achievements. Many of the reports are also published in conference proceedings and journals. Please write to UNU-IIST at P.O. Box 3058, Macao or visit UNU-IIST’s home page: http://www.iist.unu.edu, if you would like to know more about UNU-IIST and its report series.

G. M. Reed, Director

UNU-IIST International Institute for Software Technology

P.O. Box 3058 Macao

Dynamics of Control J W Sanders and Matteo Turilli

Abstract. This paper proposes a notion, the ‘ambit’ of an action, that allows the degree of distribution of an action in a multi-agent system to be quantified without regard to its functionality. It demonstrates the use of that notion in the design, analysis and implementation of dynamically reconfigurable multi-agent systems. It distinguishes between the extensional (or system) view and the intensional (or agent-based) view of such a system and shows how, using the notion of ambit, the step-wise derivation paradigm of Formal Methods can be used to derive the latter from the former. In closing it addresses the manner in which these ideas inform studies in the ethics of systems of artificial agents.

Jeff Sanders is Senior Research Fellow at UNU-IIST, having recently joined from the Programming Research Group at Oxford. His interests lie largely in Formal Methods. Matteo Turilli is a DPhil student in the Oxford University Computing Laboratory who began his thesis under the supervision of Jeff Sanders and Luciano Floridi.

Copyright © 2007 by UNU-IIST

Contents

1 Introduction
2 Ambit
  2.1 Dynamic multi-agent systems
  2.2 Example: network under duress: Dynanet
  2.3 Definition
  2.4 Examples
    2.4.1 Simple examples
    2.4.2 Interagent communication
    2.4.3 Empty case
  2.5 Degree of distribution
3 Case Study: dynamic network Dynanet
  3.1 Formalisation
4 Agent-oriented analysis and design
  4.1 Example: Tour de France
  4.2 Colony: static model
  4.3 Colony: dynamic model
5 Refinement
  5.1 Extensional and intensional views
  5.2 Intensionality and Formal Methods
  5.3 Colony viewed intensionally
6 DMASs of artificial agents
7 Conclusion

Report No. 353, March 2007. UNU-IIST, P.O. Box 3058, Macao.

1 Introduction

Information technology seems to have become not only ubiquitous but also, perhaps as a result, mobile. Laptops supported by wireless hot spots and PDAs combined with mobile phones offer the user real-time, synchronous, mobile communication and computation. The resulting multi-agent systems are capable of responding dynamically to the way in which they handle both their own internal requirements and duress from their environment. Such reconfigurability is important for convenience, efficiency and above all necessity: the functionality these systems offer their users is resilient to forms of oppression. The design of an information system must consequently now be evaluated by taking into account the manner in which it responds to anticipated levels of duress. Typically that means that it must be able to respond by causing its actions to be reconfigured. For example, in ‘normal’ mode they may be afforded a more centralised implementation whilst under duress they may require distributed reconfiguration.

The setting for this paper is a multi-agent system in which actions are performed by sets of agents: from individual actions to actions involving every agent. Dynamic reconfigurability of the system manifests itself in the way actions are performed. A centralised action might become decentralised; or conversely. Or the system might reconfigure itself so that individual actions are instead performed in small groups. In that context a concept is needed to quantify the degree of communication and coordination amongst agents involved in an action. Such a concept is introduced and called the ‘ambit’ of the action (in Section 2.3). One of its primary potential applications for the current authors is in positing and analysing ethical principles for systems of artificial agents (for which the absence of free will requires an alternative theory).

Two paradigms of agent, and formalism for describing agents, seem to prevail [6, 8, 17]. The first contains a large number of typically identical agents and uses statistical methods to describe and reason about their behaviour (swarms, flocks, colonies, …). The second contains a more moderate number of agents, typically of different capabilities, and uses programming notation to describe their discrete and interactive behaviours; in this case little reasoning is performed about the emergent behaviour, which is typically established experimentally (machine learning, robotics, control, …). Ultimately, interest may well lie in large systems whose behaviour is best described statistically. Since the shape of the formalism is not affected by whether the behaviour it describes is statistical or ‘deterministic’ (only the observables and their types reflect a commitment to one approach or the other), here only exact behaviour is considered. Thus state-based Formal Methods are used to design, analyse and develop dynamic multi-agent systems. In moving from one such description to a lower-level one, the concept of ‘ambit’ permits the developer to modularise the development. Throughout, serious attention is paid to keeping descriptions as simple as possible. One of the paper’s (incidental) contributions is the metaphors used to specify dynamic multi-agent systems.

The paper is organised as follows. Section 2 introduces the concept of ‘ambit’ of an action in a multi-agent system and shows how it can be used to quantify the action’s degree of distribution.


Section 3 introduces the Dynanet case study, demonstrating how dynamics may be captured in discrete mathematics (here Object-Z) and ambit used to analyse the resulting dynamics of action. Section 4 introduces a more involved dynamic multi-agent system, Colony, and exercises techniques by which its specification exploits a particular static case of its behaviour. In Section 5 the important distinction between extensional and intensional views of a system is drawn, and it is shown how ambit can be imposed on a functional specification to constrain the implementation so that it maintains the specified functionality but respects the design features of the ambit. Finally Section 6 indicates how the ideas developed in this paper apply to the ethics of systems of artificial agents.

2 Ambit

The purpose of this section is to explain the assumptions made, provide an example to motivate the main definition, present the definition—of ambit—and then give simple examples and discuss ramifications. An important consequence of the definition is the ability to formalise and quantify the ‘degree of distribution’ of an algorithm or protocol.

2.1 Dynamic multi-agent systems

The setting is that of a multi-agent system (MAS) composed of agents that perform actions in varying groups. For example a system-wide action (like some form of voting) is performed by the group of all agents, whilst an entirely localised action (like incrementing a private counter) is performed by an individual agent. ‘Between’ those, lie actions requiring the participation of only some agents (like a client-server interaction between one server and several agents). All state in the system, and all constants, reside in some agent. That is no real restriction, since any ‘system-wide’ state can simply be allocated to a distinguished agent constructed for that purpose. The state space of each agent is partitioned into private state, not accessible to any other agent, and shared state. Agents communicate either by sending and receiving values on channels (each channel being declared for synchronous or asynchronous communication), as in process algebra, or by writing to and reading from shared state. However the simplifying assumption is made that each state variable can be written to by at most one agent. Each MAS is considered at an explicitly-defined level of abstraction, determined by its observables and their types. Thus the definitions, reasoning and conclusions all apply at just that level. When it is wished, as in Section 5, to study how to implement a system that has been specified to behave a certain way, a new system—the implementation (or at least a design for it)—will be explicitly introduced at a lower level of abstraction and the two different levels of abstraction will be explicitly related. It is crucial to this methodology that levels of abstraction are not mixed (for more on the methodology in general and that point in particular, see [4]).


It does not matter whether the set of agents is considered to be fixed or variable. For if it is fixed and ‘new’ agents are required, they can be drawn, previously unused, from a universe of agents chosen to be sufficiently large initially. However the actions performed by the system, and so by the agents in particular, are considered to change as the system evolves. For theoretical purposes it suffices to consider the addition of new actions to the system (since old actions can simply be ignored). But in practice special cases are important: that in which an old action is thought of as being modified by a relatively mild change in its functionality; and that in which the functionality of an action remains unchanged, but the way it is achieved, by the sub-actions of the agents involved, changes. In this paper both those cases are simply considered to be instances of new actions rather than variations on the old. Of interest here are MASs whose actions vary as the system evolves: in dynamic multi-agent systems (DMASs). There is no difference in principle between a system in which the various actions are known beforehand and one in which they are not. The difference becomes apparent only in how the system is implemented, since in the former case all actions can be made available initially and in the latter, techniques of machine learning etc. are required to achieve them on the fly. The most fundamental thing to change as a system evolves is the degree of distribution of its actions. It is time to introduce an example to motivate the primary definition to cover that.

2.2 Example: network under duress: Dynanet

Consider a collection of ubiquitous-computing agents capable of point-to-point inter-communication and wishing to elect a leader. Perhaps the agents are friends in contact pairwise via some cellular service provider and wishing to determine at whose house they will meet. Suppose (as originally done for this purpose in [7]) that each agent has a unique natural-number identifier, so that the standard algorithms [15] apply to find a leader by locating the least identifier. Suppose that under normal conditions the cost of each point-to-point communication is low. The efficiency with which the least identifier can then be found depends on whether communication is synchronous or asynchronous, even though the communication graph of agents is complete. Afek and Gafni [1] show that in the former case the minimum can be found within O(n log n) communications and time O(log n), where n is the number of agents (a number not necessarily known to the agents themselves); and in the latter case it can be found within O(n log n) communications and time O(n). Concern here lies not with the details of the algorithms or the constants involved, but merely with computational and communication efficiency. Suppose that when under duress from external sources (i.e. beyond the control of the network), the complete network of point-to-point communications becomes modified. The set of agents becomes partitioned into regions: the greater the duress, the smaller (and more numerous) the


regions. Within each region point-to-point communication remains cheap; but between regions point-to-point communication though still possible is much more expensive. The result is still a complete network, but with (say) two bands of communication expense: cheap within regions and expensive between them. Now use of the previous protocols is expensive since cheap and expensive communications are mixed indiscriminately. Instead it is better for a protocol to be used on each region simultaneously to elect a leader there, and then to be used one last time with expensive communications to elect a system leader from those region-leaders. In the extreme case when the regions consist of singletons, no advantage accrues; but otherwise fewer expensive communications are required. The resulting DMAS is called ‘Dynanet’. In fact more than one invocation in the final stage of Dynanet would further decrease the number of expensive communications. Suppose there are l regions. By partitioning in pairs (as far as possible; l may be odd), only 2(l−1) log 2 expensive communications are required (roughly), compared with l log l communications were just one invocation used in the final stage. Thus as the Dynanet DMAS evolves, to remain efficient the election procedure must evolve accordingly. Firstly the protocol is applied on each region, then to various subsets of the resulting sub-leaders and so on until a single leader appears. It is time to introduce the concept which makes precise those varying domains of application of the protocol.

2.3 Definition

Assume a DMAS with the properties described in Section 2.1.

Definition (ambit). If x is a state variable then its ambit, α(x), is the set consisting of just the agent, call it a_x (unique by the previously stated assumptions), with write access to x. If e is an expression over the combined state spaces of the agents (the important case of a Boolean-valued expression, or predicate, is written b) then its ambit, α(e), is the union of the ambits of the variables appearing in e. If act is an action then its ambit, α(act), is the set of agents whose state is needed to perform the action, i.e. the set of agents whose state components provide the values determining the action. Formally, an action is defined in some formalism ranging from a specification notation to a programming language (to be executed in either software or hardware), in which case ambit is defined in terms of that notation. The example of a simple procedural programming language appears in Fig. 1; primitive actions and combinators are listed on the left with their ambits


  action, act        description                    ambit, α(act)
  skip               no op                          { }
  x := e             assignment                     α(x) ∪ α(e)
  S ; T              sequential composition         α(S) ∪ α(T)
  S if b else T      binary conditional             (α(b) ∪ α(S)) if b else (α(b) ∪ α(T))
  while b do S       iteration                      α(b) ∪ α(S)
  c?x                input to x from channel c      α(x)
  c!e                output of e to channel c       α(e)
  S ∥ T              parallel composition           α(S) ∪ α(T)
  local x in S       local block                    α(S) \ α(x)

Figure 1: The concept of ambit defined for the actions and combinators of a procedural programming language.

defined on the right. Finally, if a is an agent then its ambit, α(a), is the union of the ambits of each of its actions. The overloading of α for arguments of different types (variables, expressions, actions and agents) will cause no conflict provided care is taken to distinguish the type of the argument. □

The ambit of an action depends on its description (i.e. its design, and hence level of abstraction). For example the basic action skip of Fig. 1 has empty ambit, but its implementation x := x for a particular x has ambit equal to α(x ), which is nonempty. Thus the ambit of an action does not reflect functionality: it records access to variables. The ambit of an action abstracts ‘causality’ or ‘directionality’ by failing to distinguish reading from writing. In other words variables written by the action are not distinguished from those read. That definition meets present needs. But in more sustained system derivation than is the concern of this paper, that distinction becomes important in assigning inputs and outputs to agents, in which case the following more refined definition is used.

Definition (directed ambit). The write ambit, α!(act), of action act is defined to be the set of agents whose state components are written to by act. The read ambit, α?(act), is the set of agents whose state components are read by act. Evidently α!(act) and α?(act) need not be disjoint, but the ambit is their union: α(act) = α!(act) ∪ α?(act). □

The formalisation of that definition along the lines of Fig. 1 is routine. For example, α!(c?x) = {a_x} whilst α?(c?x) = { }, and α!(x := e) = {a_x} whilst α?(x := e) = α?(e).


2.4 Examples

Consider some informal examples, from the world around us, of the ambit of an action.

2.4.1 Simple examples

A hermit’s actions have ambit consisting of the set containing just the hermit; and so the hermit’s ambit is just the set containing himself. For a pair of people living together some of their actions have singleton ambit (sleeping), some have doubleton ambits (talking over dinner) and some actions have ambit which is larger (shopping). If the action of reading is implemented by my reading to myself then the ambit of the reading action is a singleton; if it is instead implemented by my being read to, it is a doubleton (provided no more than two agents are involved). Further examples are given in the next section.

2.4.2 Interagent communication

The two common paradigms by which two agents can communicate are message passing and read-write variables. Message passing presumes that agents a and b are connected by a channel c used say for output by a and input by b (and, if required, a second channel in the other direction). Channel c is declared to be either synchronous or asynchronous and either static (i.e. b is determined by a and c, or a by b and c) or mobile. An expression e output to c by a, by action c!e, is input (either synchronously or asynchronously, as declared) to a pre-allocated variable say x in b, by action c?x . Read-write variables are used to achieve the same effect: agent a performs the event c := e for some shared variable c which only it can write, and agent b reads c and assigns the result to its variable say x . Those two paradigms of agent interaction are normally regarded as equivalent since each achieves the functionality of the other. But a distinction is drawn between them because they involve different degrees of coordination between agents: accessing (writing to or reading) another agent’s state involves a greater degree of interaction between the two agents than does asynchronous communication over a mobile channel. It is a test of the current formalisation that it is able to make that distinction: from Fig. 1, the ambit of the output action is the set α(e) whilst the ambit of the input action consists of just the inputting agent, {b}; but by comparison, in the read-write paradigm the ambit of a’s action is {a} ∪ α(e) whilst that of b’s is {a, b} ∪ α(e). With larger ambits, the read-write paradigm exhibits greater coordination between agents than does message passing.
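The following Python program is an added example, not code from the paper: it computes the ambit of Fig. 1, and the directed (write/read) ambit of Section 2.3, over a small abstract syntax for that figure's language, and then evaluates the four actions contrasted in this section. The AST classes, the OWNER table (recording which agent may write each variable) and the choice to take both branches of a conditional whose guard value is not supplied are assumptions of this example, not notation from the paper.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple, Union

# Constructed for this example: an abstract syntax for the language of Fig. 1.
# An expression or predicate is abstracted to the frozenset of variable names it
# mentions, since only those variables determine its ambit.
Vars = FrozenSet[str]

@dataclass(frozen=True)
class Skip:            # skip
    pass

@dataclass(frozen=True)
class Assign:          # x := e
    x: str
    e: Vars

@dataclass(frozen=True)
class Seq:             # S ; T
    s: "Act"
    t: "Act"

@dataclass(frozen=True)
class Cond:            # S if b else T
    b: Vars
    s: "Act"
    t: "Act"

@dataclass(frozen=True)
class While:           # while b do S
    b: Vars
    s: "Act"

@dataclass(frozen=True)
class Input:           # c?x
    c: str
    x: str

@dataclass(frozen=True)
class Output:          # c!e
    c: str
    e: Vars

@dataclass(frozen=True)
class Par:             # S || T
    s: "Act"
    t: "Act"

@dataclass(frozen=True)
class Local:           # local x in S
    x: str
    s: "Act"

Act = Union[Skip, Assign, Seq, Cond, While, Input, Output, Par, Local]
Owner = Dict[str, str]   # variable -> the unique agent a_x with write access to it
Agents = FrozenSet[str]

def alpha_expr(e: Vars, owner: Owner) -> Agents:
    """alpha(e): union of the ambits {a_v} of the variables v appearing in e."""
    return frozenset(owner[v] for v in e)

def directed_ambit(act: Act, owner: Owner,
                   truth: Optional[Dict[Vars, bool]] = None) -> Tuple[Agents, Agents]:
    """Return (write ambit, read ambit) of act, clause by clause from Fig. 1.
    `truth` gives the value of guards where known; a guard whose value is not
    given contributes both branches (an over-approximation chosen for this
    example; the paper's definition is stated per execution)."""
    truth = truth or {}
    none: Agents = frozenset()

    def go(a: Act) -> Tuple[Agents, Agents]:
        if isinstance(a, Skip):
            return none, none
        if isinstance(a, Assign):                 # writes a_x, reads alpha(e)
            return frozenset({owner[a.x]}), alpha_expr(a.e, owner)
        if isinstance(a, (Seq, Par)):             # union of both components
            w1, r1 = go(a.s)
            w2, r2 = go(a.t)
            return w1 | w2, r1 | r2
        if isinstance(a, Cond):                   # guard is read, then one branch
            if a.b in truth:
                w, r = go(a.s if truth[a.b] else a.t)
            else:
                w1, r1 = go(a.s)
                w2, r2 = go(a.t)
                w, r = w1 | w2, r1 | r2
            return w, alpha_expr(a.b, owner) | r
        if isinstance(a, While):                  # guard is read, body contributes
            w, r = go(a.s)
            return w, alpha_expr(a.b, owner) | r
        if isinstance(a, Input):                  # c?x writes only x
            return frozenset({owner[a.x]}), none
        if isinstance(a, Output):                 # c!e reads only e
            return none, alpha_expr(a.e, owner)
        if isinstance(a, Local):                  # alpha(S) \ alpha(x), as in Fig. 1
            w, r = go(a.s)
            ax = frozenset({owner[a.x]})
            return w - ax, r - ax
        raise TypeError(f"not an action: {a!r}")

    return go(act)

def ambit(act: Act, owner: Owner, truth: Optional[Dict[Vars, bool]] = None) -> Agents:
    """alpha(act) = alpha!(act) ∪ alpha?(act)."""
    w, r = directed_ambit(act, owner, truth)
    return w | r

# Constructed scenario for Section 2.4.2: agent a owns y (the value to be sent) and,
# in the read-write paradigm, the shared variable c; agent b owns the receiving
# variable x. In the message-passing paradigm "c" names the channel instead.
OWNER: Owner = {"y": "a", "c": "a", "x": "b"}

def paradigm_comparison() -> Dict[str, Agents]:
    """Ambits of the four actions contrasted in Section 2.4.2."""
    return {
        "mp_output": ambit(Output("c", frozenset({"y"})), OWNER),  # a: c!y
        "mp_input":  ambit(Input("c", "x"), OWNER),                # b: c?x
        "rw_write":  ambit(Assign("c", frozenset({"y"})), OWNER),  # a: c := y
        "rw_read":   ambit(Assign("x", frozenset({"c"})), OWNER),  # b: x := c
    }
```

Running `paradigm_comparison()` gives {a} and {b} for the two message-passing actions but {a} and {a, b} for the read-write pair: the receiving agent's ambit grows because it reads a state component owned by a, which is the distinction the section draws. The same functions reproduce the remark in Section 2.3 that skip has empty ambit whereas x := x has ambit {a_x}.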


2.4.3 Empty case

Finally, a slightly technical example. An action with an empty ambit is one that updates no variable nor requires any variable for its execution. In the absence of any global constants or variables in an MAS, it is (equivalent to) the (in)action skip. Output of a constant to the environment does not provide an example since the constant must come from the state of some agent, which then lies in the ambit of the output action.

2.5 Degree of distribution

The concept of ambit makes precise the degree of distribution of an action in a MAS and so it can be used to do the same for an algorithm or protocol (both instances, from the current point of view, of an action composed of sub-actions). The following definition is rather coarse. It is important that ‘ambit’ may be used to quantify the degree of distribution in more subtle cases.

Definition (degree of distribution). An action composed of several sub-actions a.act, where a ∈ As ⊆ Agents (using, for example, the program combinators of Fig. 1), is said to be centralised iff some agent participates in all sub-actions: ⋂{α(a.act) | a ∈ As} ≠ { }. It is said to be (fully) distributed if the ambit of each sub-action is empty or a singleton: ∀ a : As · α(a.act) ⊆ {a}. It is said to be uniformly distributed if α(a.act) is independent of the number of agents in the system: typically containing just a small number of agents. Thus as the size of the system increases the sizes of the ambits remain unchanged. □

For example in a ring with message passing, the ambit of each agent’s action has three elements: the agent itself together with its predecessor and successor in the ring. Thus the usual protocols for leadership election in a ring comprise uniformly distributed actions: as the size of the ring increases the ambits retain the same size, namely three. Degree of distribution underlies practical considerations in many systems. For example, control of internet access from the family computer is performed in a decentralised manner if it is achieved by one of the packages that monitors access; its ambit is that computer. But it is performed in a centralised manner if it is achieved, say, nationally by imposing constraints on web sites. Following that line of thought, the idea of an action’s ambit has been used to formulate an ethical ‘principle of distribution’ that applies to MASs and does not require the notion of free will of an agent [12]. This topic is reconsidered in Section 6.
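As an added example (not from the paper), the three clauses of the definition above applied to families of systems described only by the ambits of their agents' sub-actions: the message-passing ring just mentioned, a client-server star, and a set of agents each incrementing a private counter. The three families, and the reading of ‘uniformly distributed’ as ‘the largest ambit is the same at several sample sizes n’, are constructions of this example.

```python
from typing import Callable, Dict, FrozenSet, Tuple

Agents = FrozenSet[str]
Ambits = Dict[str, Agents]        # agent a -> alpha(a.act), the ambit of a's sub-action
Family = Callable[[int], Ambits]  # the same design instantiated for each size n

def is_centralised(ambits: Ambits) -> bool:
    """Some agent participates in every sub-action: the ambits have non-empty intersection."""
    sets = list(ambits.values())
    return bool(sets) and bool(frozenset.intersection(*sets))

def is_fully_distributed(ambits: Ambits) -> bool:
    """Each sub-action's ambit is empty or the singleton of its own agent."""
    return all(amb <= frozenset({a}) for a, amb in ambits.items())

def is_uniformly_distributed(family: Family, sizes: Tuple[int, ...] = (4, 6, 9, 13)) -> bool:
    """Ambit sizes do not depend on the number of agents. Checked here (an
    interpretation chosen for this example) by requiring the largest ambit to be
    the same at each of several sample sizes."""
    return len({max(len(amb) for amb in family(n).values()) for n in sizes}) == 1

# Three constructed families, each indexed by the number of agents n.
def ring(n: int) -> Ambits:
    """Message passing on a ring: each action involves the agent and its two neighbours."""
    return {str(i): frozenset({str((i - 1) % n), str(i), str((i + 1) % n)})
            for i in range(n)}

def client_server(n: int) -> Ambits:
    """Agent 0 serves agents 1..n-1: each client's action involves the server,
    and the server's action involves every client."""
    ambits = {str(i): frozenset({"0", str(i)}) for i in range(1, n)}
    ambits["0"] = frozenset(str(i) for i in range(n))
    return ambits

def private_counters(n: int) -> Ambits:
    """Each agent increments its own counter: singleton ambits."""
    return {str(i): frozenset({str(i)}) for i in range(n)}

def classify(family: Family, n: int = 8) -> Dict[str, bool]:
    """Apply the three clauses of the definition to the size-n instance of a family."""
    ambits = family(n)
    return {
        "centralised": is_centralised(ambits),
        "fully_distributed": is_fully_distributed(ambits),
        "uniformly_distributed": is_uniformly_distributed(family),
    }
```

With eight agents the ring is neither centralised nor fully distributed but is uniformly distributed; the star is centralised (the server lies in every ambit) and not uniform, since the server's ambit grows with n; the private counters are fully distributed. The coarseness the text mentions is visible at the small end: in a ring of only three agents every ambit is the whole system, so the first clause would call that instance centralised.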


A system may be centralised in its normal mode of action (perhaps being nationally or governmentally run) but in time of disaster, perhaps when governmental facilities are under duress, it may fragment and function in a more decentralised manner. In the former case the implementation may have access to a large database of national users and so have large ambit. In the latter case the implementation may be curtailed to access only local users and so its ambit is far smaller. It is the movement from one control pattern to another that is of interest in this paper; the concept of ambit allows that change to be quantified as the MAS evolves. In the next section a more substantial case study is considered.

3 Case Study: dynamic network Dynanet

The purpose of this section is to formalise the example Dynanet from Section 2.2. It is in the dynamics of its action, rather than in the details of its execution, that interest lies and that is captured using ambit. Indeed that has determined the level of abstraction of description: in the next section it will be called an ‘extensional’ view. Of particular interest is the manner in which the dynamic aspects of Dynanet are modelled.

3.1 Formalisation

A formalisation is sought that abstracts the algorithm by which a leader is elected (see [1]) and concentrates instead on the way the algorithm is applied by region in Dynanet, because that enables us to concentrate on the way ambit changes as the system evolves. For this a high-level design is appropriate; here the state-based notation Object-Z [3] is used to express it. However consider first a specification of what election should achieve. Such a specification must imbue each agent with enough state to distinguish a leader from a non-leader. Thus each agent is modelled by a Boolean, leader, which holds iff that agent is a leader. In Object-Z, Specification is a class with state consisting of a non-empty set As of agents; initially no agent in As is a leader, but after the Election action exactly one agent in As is a leader. (The Δ term in the schema for the Election action ensures that only the observables immediately following it are changed by the action. A dashed observable, like a.leader′, refers to the final value of the observable, whilst an undashed observable refers to its initial value.) A class for Specification appears in Fig. 2, where the type of agents is written Agent0 to avoid confusion with the more detailed description of agents required in the design of Fig. 3. In Specification, action Election is atomic with α(Election) = As (since any agent not in α(Election) could be in a state contradicting the specification). Now the manner in which Dynanet responds to duress must be modelled, and the way the implementation of Election overcomes duress to achieve an efficient election (as described in


  Agent0
    leader : 𝔹

  Specification
    As : ℙ Agent0
    As ≠ { }

    Init
      ∀ a : As · ¬a.leader

    Election
      Δ({a.leader | a ∈ As})
      ∃! a : As · a.leader′

Figure 2: A class specifying the Dynanet system for leader election. The decorated existential quantifier ∃! means ‘there is a unique’. Dynanet itself is described in Fig. 3.

the previous section). Augment each agent with a (constant) identifier id : Id. Initialisation remains as before. For the sake of technical simplicity, the new system is not defined in terms of Specification, but is defined afresh; there is little repetition anyway. A (more detailed) agent is described at the top of Fig. 3 where a nonempty set Id of identifiers is fixed. Having extended agents appropriately, the system may now be modelled as consisting of a set Bs of such agents, with unique identifiers, that is partitioned into regions. The relation partitions is defined in infix between sets of sets of agents (written 𝒩, a set of regions) and sets of agents:

  partitions : ℙ ℙ Agent ↔ ℙ Agent

  𝒩 partitions Bs ≙   ⋃ 𝒩 = Bs
                    ∧ ∀ N : 𝒩 · N ≠ { }
                    ∧ ∀ M, N : 𝒩 · M ≠ N ⇒ M ∩ N = { }

The second conjunct is appropriate because that relation will be applied only to nonempty sets, and hence there is no need for a partition containing an empty region. Initially each agent is in its initial state and the partition consists of just one region. See the second schema in Fig. 3. Duress is modelled simply as an operation on the system that updates the system partition. Greater duress is reflected in a partition with smaller regions. Thus our model of duress is not linearly ordered but instead more realistically corresponds to the partially-ordered space of all partitions on Bs. Our formalisation of Duress sets the partition to P?, which may vary from one invocation to the next. It is likely that in reality those partitions would change gradually with time; but here such detail is abstracted. (The conjunct 𝒩 partitions Bs is included in the schema for operation Duress just for clarity; it follows from the system state invariant.) Again, see Fig. 3. Having captured the dynamics missing from the abstract view, Specification, of Dynanet, its action Election must be implemented as suggested in the previous section. For each region


  Agent
    Id : ℙ ℕ
    Id ≠ { }
    id : Id
    leader : 𝔹

    Init
      ¬leader

  Dynanet
    Bs : ℙ Agent
    𝒩 : ℙ ℙ Agent
    Bs ≠ { }
    ∀ a, b : Bs · a ≠ b ⇒ a.id ≠ b.id
    𝒩 partitions Bs

    Init
      ∀ a : Bs · a.Init
      𝒩 = {Bs}

    Duress
      Δ(𝒩)
      P? : ℙ ℙ Agent
      P? partitions Bs
      𝒩′ = P?

    E
      Δ({a.leader | a ∈ Bs})
      N : ℙ Agent
      l : Agent
      l ∈ N
      ∀ a : N · a.leader′ ⇔ (a.id = ⊓{b.id | b ∈ N})
      l.leader′

    Election ≙ E[{l : Agent | ∃ M : 𝒩 · E[M/N]} / N]

Figure 3: Formalisation of the dynamic election protocol Dynanet.


N : 𝒩 of the system, a procedure E with α(E) = N is needed that elects a leader l from N; for then E uses only cheap communications. Action E in Fig. 3 does just that, by ensuring l is the (unique) agent in region N with least identifier. The refinement of Election given in Fig. 3 applies E to each region and then (to bound the number of expensive communications) applies E with ambit equal to the ‘virtual region’

  {l : Bs | ∃ M : 𝒩 · E[M/N]}   (1)

consisting of those regional leaders (achieved in Z by instantiating E with observable N replaced by the set (1)). The result is an overall leader l. A routine (downwards) simulation argument [13] shows that the system Dynanet of Fig. 3 meets the more abstract Specification of Fig. 2. The simulation relates a state A of Specification to a state C of Dynanet iff the set A.As of abstract agents is the same as the set obtained by abstracting identifiers in the set C.Bs of concrete agents; thus the component C.𝒩 of the concrete state is also abstracted. The three conditions for that relation to form a simulation (pertaining to system initialisation, to precondition and to postcondition of the Election action) are routinely verified and so, by soundness of the simulation technique, correctness follows. The manner in which Dynanet evolves has been captured (from the outset) in its state component 𝒩. Evolution occurs with action Duress and is reflected in the design of Election. Duress is thought of as lying under control of the environment and Election as under control of the system; but at this level of abstraction there is actually no need to make that distinction. It is important to note, however, that by making E and Election atomic the model assumes that duress does not change during execution of those actions (though of course it can change between election of the various local leaders or after election of them all but before election of a global leader). Action Election has ambit consisting of all processes, but has been designed, by the way in which the ambits of the invocations of E have been controlled, to be distributed. In practice Election might be implemented by a parallel combination of invocations of E on the regions of the system, followed sequentially by one or more final invocations on the ‘virtual’ region (1). It is important that in such an implementation, ambits are not expanded; indeed Fig. 1 ensures that they remain unchanged.

4 Agent-oriented analysis and design

In this section and the next, the place of state-based Formal Methods in the analysis and design of a DMAS is considered. Of particular interest will be the trade-off between the abstract system-wide view of a MAS (or ‘extensional view’ as it will be called) and the lower-level, agent-based (or ‘intensional’) view. To support the study a second example, Colony, is introduced that is more typical and more generic than the Dynanet example of Section 3. However it is introduced in this section to exemplify and encode the way in which a dynamic system may be conceived and formalised, starting from a static instance. But first some very general motivation for the example.

4.1 Example: Tour de France

A day in the Tour de France might be considered a DMAS as follows. Agents are cyclists. Although they act continuously, the various modes of action are so different that it seems reasonable to make a discrete approximation, using a small number of modes and one action for each. Initially the cyclists engage in the action of warming up. Some do so individually, whilst some coordinate and do so in teams. All navigate and avoid collisions, subject to some pre-determined protocol involving time and effort; but those involved in a team warm-up also coordinate with their team members. Accordingly, for each agent the ambit of the warm-up action ranges from being singleton to being team-wide, depending on the protocol chosen. As the day’s race begins the competitors cycle as members of their team, subject to the peloton. The mechanics of cycling makes it advantageous to ‘slipstream’; but so onerous is the task of leading the peloton that all members benefit by switching the lead (this seems to distinguish cycling from otherwise apparently similar sports, like marathon running, where leading seems to confer a largely psychological advantage). At this stage the ambit is complicated, but lies somewhere between the cyclist’s team and the whole peloton. But the points system of the Tour makes it advantageous to break from the peloton in spite of the huge effort required to do so. So at some point ‘breakaways’ form. From then on, a cyclist may decide to break from the peloton in pursuit of the leaders. Here the ambit is typically a singleton or at least small. Thus the action in which a given agent engages varies as the race progresses: as the system evolves. Its ambit might be a singleton (warm-up); it might include a few agents (the team) or most other agents (the peloton); and it might later evolve to being more individual, including just a few other agents (pursuit).

The functionality changes little (navigate and follow a protocol ‘satisficing’³ speed and energy) but the coordination with other agents changes substantially with time. The precise action being followed can, after warm-up, not—apparently—be anticipated beforehand and evolves dynamically. It is that which forms the key to this and similar examples, and which is now to be formalised, starting from a static (extensional) view.

³ A term introduced by Simon [14] but here used in what has become the MAS interpretation [8] (which is slightly different from the original): ‘not necessarily optimal but achieving an acceptable result with reasonable efficiency given the context’.


Colony0
    c, e : Agent → N
    count : N
    count = Σ a : Agent · c(a)

    Init
        c = λ a : Agent · 0
        e = λ a : Agent · E
        count = 0

    Count
        a : Agent
        c′ = c ⊕ {(a, c(a)+1)}
        e′ = e ⊕ {(a, e(a)−1)}

    Replenish
        a : Agent
        c′ = c
        e′ = e ⊕ {(a, e(a)+E)}

Figure 4: Formalisation of the naive benign system Colony0.

4.2 Colony: static model

Motivated by the Tour de France the example Colony consists of agents who individually perform work, by action Count, that results in an increase of their local counter. But work consumes energy which an agent can replenish by performing action Replenish. The type of agents is again [Agent]. Energy is modelled by the natural numbers, and a quantum of energy to be used in initialisation and replenishing is [E : N | E > 0]. Consider first a naive (extensional) description of system Colony, later to be revised. That seems quite typical: the system is viewed as being static and only later is its dynamics (here relating to formation of groups of agents) acknowledged and formalised. The (naive) system state consists of a count and energy for each agent, and a system count that is, at any time, the sum of the individual counts (and so is a derived variable). Initially each individual count is 0 and each agent begins with E units of energy. Action Count consists of a nominated agent incrementing its counter and decrementing its energy. Its precondition is thus that the energy of the nominated agent be positive. Action Replenish adds E to the energy of a nominated agent. Its precondition is true. See Fig. 4. The specification so far describes a system that performs any sequence of those actions inside their preconditions. For example agents may simply replenish their energy indefinitely. To constrain the system in some way, for example to bound the number of consecutive Replenish actions performed by any agent, an appropriate history invariant would be added; it is overlooked here. Actions Count and Replenish are executed by agents individually and so their ambits are singletons. Hence the ambit of each agent is also a singleton and so the system is fully decentralised. However the system Colony0 contains no action to return the observable count. Were there to be one, it would involve access to c(a) for each a : Agent and so the ambit of that action would be the whole type Agent.

4.3 Colony: dynamic model

In Colony0, without any further constraint, agents count when they have sufficient energy and replenish their energy at any time. But in reality the system of agents is beset by oppression, from time to time, as measured by a force, f. The benign case just treated corresponds to the case f = 0. Consider now the case f = 1. Under oppression work is harder: counting costs 2 units of energy if an agent stays alone. But that may be ameliorated by agents combining into groups. If an agent pairs up with another agent the cost remains only 1 unit of energy; however the act of pairing costs 4 units of energy for each member of the pair. And in a pair, counting is synchronised although replenishing energy is not. Added to the system state is now a partition of Agent into singletons or doubletons, indicating the groupings formed by the agents under oppression, and the oppressive force f (which is observable but not changeable by the agents). Let P(a) denote the member of the partition to which agent a belongs. Counting now is well defined on members of the partition, but here it is defined by agent in order to mirror Colony0.Count (and the following Replenish). Alternatively that could be written using a conditional for the update of energy:

    Count
        ∆(c, e, count)
        a : Agent
        ∀ b : P(a) · c′ = c ⊕ {(b, c(b)+1)}
        ∀ b : P(a) · e′ = e ⊕ {(b, e(b)−2) if #P(a) = 1 else (e(b)−1)}

The precondition for Count is that each agent in the member of the partition of the nominated agent has sufficient energy.

    pre Count
        Colony
        a : Agent
        ∀ b : P(a) · (e(b) ≥ 1) if #P(a) = 1 else (e(b) ≥ 2)

Evidently its ambit is P(a)—the member of the partition containing the nominated agent. That is a pair, unless the agent has remained alone, and so the action Count is no longer fully


Colony
    Colony0
    f : N
    P : ℙ (𝔽 Agent)
    P partitions Agent
    ∀ P : P · 1 ≤ #P ≤ 2

    Init
        Colony0.Init
        ∀ P : P · #P = 1

    Count
        ∆(c, e, count)
        a : Agent
        #P(a) = 1 ⇒ ∀ b : P(a) · (c′ = c ⊕ {(b, c(b)+1)} ∧ e′ = e ⊕ {(b, e(b)−2)})
        #P(a) = 2 ⇒ ∀ b : P(a) · (c′ = c ⊕ {(b, c(b)+1)} ∧ e′ = e ⊕ {(b, e(b)−1)})

    Replenish
        ∆(e)
        a : Agent
        e′ = e ⊕ {(a, e(a)+E)}

    Merge
        ∆(e, P)
        a, b : Agent
        a ≠ b
        P(a) = {a}
        P(b) = {b}
        P′ = (P \ {{a}, {b}}) ∪ {{a, b}}
        e′ = e ⊕ {(a, e(a)−4), (b, e(b)−4)}

    Unmerge
        ∆(e, P)
        P : P
        ∃ a, b : Agent ·
            P = {a, b}
            P′ = (P \ {{a, b}}) ∪ {{a}, {b}}
            P(a) = {a, b} = P(b)
            e′ = e ⊕ {(a, e(a)−4), (b, e(b)−4)}

Figure 5: Formalisation of the DMAS containing as a special case Colony0 of Fig. 4.


distributed.⁴ Action Replenish is defined by agent (not by member of the partition containing it); it is just the lifting to Colony of action Colony0.Replenish. Its precondition is true. Under oppression (f = 1) life goes on in pairs or singletons and the only interest is how the partition is formed when f changes from 0 to 1 and how it unforms when f returns from 1 to 0. The previous two descriptions, of Colony0 and the part of Colony considered so far, have been given at a level of abstraction that abstracts the actions of merging and unmerging that formed and unformed the partition. They are described at a level of abstraction at which the choice of partner is nondeterministic. But first singleton partitions must be introduced into Colony so that it resembles Colony0. In the new version, initialisation ensures that each member of the partition is singleton. Recall that neither of the original actions Colony0.Count or Colony0.Replenish changes the partition. They are lifted to Colony.Count and Colony.Replenish respectively. Now the system can change the partition from the singletons in Init by a sequence of merges. The precondition of each merge is that the nominated agents are distinct, are alone and have sufficient energy to merge.

    pre Merge
        Colony
        a, b : Agent
        a ≠ b
        P(a) = {a}
        P(b) = {b}
        e(a) ≥ 4
        e(b) ≥ 4

Unmerging is defined by nominating a member of the partition (though it could be defined by nominating instead a member agent) and it consumes the same energy. Its precondition is that the member of the partition be a doubleton whose agents have sufficient energy. In particular the action Unmerge does not apply to singletons. Fig. 5 formalises the DMAS Colony. System Colony has been described in such a way as to include the previous, easy, life as well as a response to oppression. Note that f is not ‘used’ in the description of the merge actions; the choice about whether to merge as a result of increase in oppression lies with the agents. After agents merge, the ambit of their count and replenish actions increases from singletons to doubletons, thus becoming (slightly) less distributed. Duress f appears as an observable in the state of Colony but remains unused by the actions. That choice has been made, at this level of abstraction and extensional view of the system, to permit agents latitude in responding to duress: they may merge or unmerge in anticipation of a change in f. However it will be essential in an intensional view, where its history of values may be exploited by an agent’s strategy. Oppression may increase further to f = 2, 3, . . . with a consequent further increase in the cost of counting, which may be allayed by further merges. Since that adds nothing but detail to the study, it is omitted. In summary, a DMAS has originally been conceived (naively) statically and extensionally. It has been recognised as a special case of a DMAS that includes actions for change, and so has been specified using more state—in this case a partition structure—to enable change to be captured. It is to be observed that in Colony agents have more scope for ingenuity than they do in Dynanet of Section 2.2, and as a result there is a more pronounced distinction between the extensional and intensional views.

⁴ That is, unless the level of abstraction is changed so that the members of P become the agents.

5 Refinement

So far the concept of ambit has been used in the design and analysis of distributed systems. But Formal Methods provides more than that. It provides techniques for the verification and even derivation of an implementation design against its specification in a step-wise manner. In Section 5.1 a summary of that methodology is given and the concepts of extensionality and intensionality placed against it, whilst Section 5.2 concentrates on intensionality. In Section 5.3 ambit is incorporated and the result applied to the Colony example of the previous section. It will be found that ambit is useful as a specification tool part-way through the derivation of a distributed system.

5.1 Extensional and intensional views

The Dynanet system of Section 2.2 has been specified, and an abstract protocol for it described, in Section 3.1 using Object-Z. The view adopted by both those descriptions is, in terms of the methodology of the Australian AI Institute ([11], see Wooldridge’s text [17], Section 10.2, for an overview) ‘external’: it pertains to system behaviour with agents largely abstracted as black boxes. By contrast an ‘internal’ view, in their terminology, would reveal the agents in sufficient detail to describe their strategies for attaining that externally-described behaviour. Thus the former acts as a specification which is refined by the latter. Alternatively, in terms of Wooldridge et al.’s Gaia ([17], Section 10.2), the two descriptions have been ‘abstract’ rather than ‘concrete’. The important distinction both those methodologies seek to make lies between the abstract system view and the more low-level intensional agent-based view. The former we call extensional and the latter intensional.⁵

⁵ Those terms seem preferable because in Formal Methods ‘internal’ and ‘external’ are already used for nondeterminism; and ‘abstract’ and ‘concrete’ are used with a more general meaning that is about to be recalled.


For example in an intensional description of Dynanet, Election might be achieved by a parallel execution of actions, one thread-like action for each agent. Without going into detail, each agent’s action could determine the other agents in its region, then communicate to determine whether or not it is a leader for the region; if not, the action terminates; but if so, then it continues to the ‘next round’ and reiterates with other local leaders to find a global leader. There is little scope for strategy there. As will be seen in Section 5.3 ambit is used to ensure that in that design, those subactions retain the required degree of distribution. Consider now how to move from an extensional view of a DMAS to an intensional one, in an incremental manner consistent with that dictated by the derivation methodology of Formal Methods. According to that methodology, at each step in the derivation of an implementation from its specification the developer is confronted with a relatively abstract design and must come up with a relatively concrete, functionally-correct but efficient, implementation design. Two styles prevail. In the more abstract reaches of derivation where the step can be completed in just specification notation, the usual technique for documenting the refinement step and for establishing correctness is that of simulation: a simulation relation is defined between the states of the abstract and concrete systems [13]. But in the more concrete steps, closer to code, mere specification notation is insufficient for a simple description of the design which by now has become at least partially algorithmic (in any procedural notation). And so a refinement calculus [10] is used, in order to combine features of both specifications and code and in order to end eventually entirely with code. The derivation is complete when the specification (what must be achieved by the system) has been converted into an executable version (how it is to be achieved).

In either of the two styles, the concrete design is motivated by a combination of non-functional and functional properties, but guaranteed by the formalism to be functionally correct. The current situation, i.e. the step-wise derivation of an intensionally explicit DMAS from its extensional specification, is of considerable interest because apparently non-functional information—intensionality—is to be incorporated in some derivation step and then maintained through subsequent steps to the final implementation. It is time to see how intensionality may be incorporated into a derivation step.

5.2 Intensionality and Formal Methods

On evaluating the Luck-d’Inverno framework [9] for specifying agents in Z, Wooldridge [17], page 232, has written of Z:

    This language is inherently geared towards the specification of operation-based, functional systems. The basic language has no mechanisms to allow easy specification of the ongoing behaviour of an agent-based system. There are of course extensions to Z designed for this purpose.

(Footnote 5, continued.) Moreover use of the new terms coincides with that in both Logic and Philosophy.

Bearing in mind the distinction between specification and programming languages drawn in the previous section, that comment obviously applies far more generally than just to Z: to any (state-based) specification language. Intensionality is algorithmic, a feature which programming languages are designed to express, but specification languages are not. However the criticism does not extend to the Formal Method of which Z is a part since, as just seen, a refinement calculus is designed precisely to bridge the gap between specifications and programs. In other words, introduction of intensionality into a derivation corresponds to introduction of agent-centred algorithms and hence to a move from pure specification to refinement-calculus steps or their equivalent. And indeed that is to be expected in the stepwise derivation of any system. So how does intensionality differ? Consider an example.

5.3 Colony viewed intensionally

In an intensional design for the Colony example of Section 4 each agent would be defined individually, with its own values for energy and count and its own neighbourhood (i.e. the members of its equivalence class). It is also likely to have access to some history of the values of duress f, so that the next change can be predicted; and it may have access to (at least part of) the states of its neighbours in order to anticipate their behaviour. It may also have access to agents outside its neighbourhood for the purpose of merging, which it does using some algorithm whose purpose is to decide when to merge (presumably some satisficing strategy depending on f and the states of neighbouring agents) and with which agent(s) to do so. Consider a simple case in which each agent executes a history-independent strategy by performing Count if possible but Merge if f ∧ single (where f is treated as Boolean and single denotes a predicate that is true iff the agent’s neighbourhood is a singleton) and Unmerge if ¬f ∧ ¬single; otherwise it performs Replenish. Being an algorithm it is readily expressed in programming notation. In the guarded-command language its loop is:

    do    f ∧ e < E1   →  Replenish
    []    f ∧ e ≥ E1   →  Merge if single else Count
    []   ¬f ∧ e < E0   →  Replenish
    []   ¬f ∧ e ≥ E0   →  Unmerge if ¬single else Count
    od
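The Colony system of Fig. 5 together with the guarded loop above can be run as a small executable model, which makes the growth of an agent's ambit after a merge observable. The Python below is an added example and not code from the report. It assumes concrete values E = 3, E0 = 2 and E1 = 4 (the report fixes none of them), treats f as Boolean, takes the precondition of Count to be that every member of P(a) can pay the cost that Fig. 5 charges, and resolves the nondeterministic choice of merge partner by an explicit `partner` argument. Each action returns the set of agents it reads or writes, i.e. its ambit.

```python
"""Executable model of Colony (Fig. 5) and the agent loop of Section 5.3.
Added example; the constants and the merge-partner choice are assumptions."""
E = 3          # energy quantum [E : N | E > 0]; value assumed
E0, E1 = 2, 4  # thresholds of the guarded loop; values assumed


class Colony:
    """State (c, e, count, f, P); P partitions the agents into singletons
    and doubletons, count is derived, f is observable but never updated."""

    def __init__(self, agents, f=0):
        self.c = {a: 0 for a in agents}
        self.e = {a: E for a in agents}
        self.f = f
        self.P = {frozenset([a]) for a in agents}   # Init: all singletons

    def count(self):                      # derived variable
        return sum(self.c.values())

    def P_of(self, a):                    # P(a): the member containing a
        return next(p for p in self.P if a in p)

    def invariant(self):                  # P partitions Agent, 1 <= #P <= 2
        union = set().union(*self.P)
        return (union == set(self.c)
                and sum(len(p) for p in self.P) == len(union)
                and all(1 <= len(p) <= 2 for p in self.P))

    def count_cost(self, a):              # 2 alone, 1 in a pair (Fig. 5)
        return 2 if len(self.P_of(a)) == 1 else 1

    # preconditions: weakest conditions under which the updates are defined
    def pre_count(self, a):
        return all(self.e[b] >= self.count_cost(a) for b in self.P_of(a))

    def pre_merge(self, a, b):
        return (a != b and self.P_of(a) == {a} and self.P_of(b) == {b}
                and self.e[a] >= 4 and self.e[b] >= 4)

    def pre_unmerge(self, p):
        return p in self.P and len(p) == 2 and all(self.e[x] >= 4 for x in p)

    # actions: each returns its ambit, the set of agents it reads or writes
    def Count(self, a):
        assert self.pre_count(a)
        for b in self.P_of(a):            # synchronised within P(a)
            self.c[b] += 1
            self.e[b] -= self.count_cost(a)
        return set(self.P_of(a))

    def Replenish(self, a):               # precondition true
        self.e[a] += E
        return {a}

    def Merge(self, a, b):
        assert self.pre_merge(a, b)
        self.P -= {frozenset([a]), frozenset([b])}
        self.P.add(frozenset([a, b]))
        for x in (a, b):
            self.e[x] -= 4
        return {a, b}

    def Unmerge(self, p):
        assert self.pre_unmerge(p)
        self.P.remove(p)
        self.P |= {frozenset([x]) for x in p}
        for x in p:
            self.e[x] -= 4
        return set(p)


def step(col, a, partner=None):
    """One iteration of the guarded loop for agent a (f taken as Boolean);
    a chosen action whose precondition fails falls back to Replenish."""
    single = len(col.P_of(a)) == 1
    e = col.e[a]
    if col.f and e >= E1:
        if single and partner is not None and col.pre_merge(a, partner):
            return "Merge", col.Merge(a, partner)
        if not single and col.pre_count(a):
            return "Count", col.Count(a)
    elif not col.f and e >= E0:
        if not single and col.pre_unmerge(col.P_of(a)):
            return "Unmerge", col.Unmerge(col.P_of(a))
        if single and col.pre_count(a):
            return "Count", col.Count(a)
    return "Replenish", col.Replenish(a)


def scenario():
    """Constructed run: three agents, duress f = 1 and then lifted to f = 0.
    Returns the trace of actions, the final state and the ambits observed."""
    col = Colony(["a", "b", "c"], f=1)
    trace, ambits = [], []
    for agent, partner, f in [("a", "b", 1), ("b", "a", 1), ("a", "b", 1),
                              ("a", None, 1), ("b", None, 1), ("a", None, 1),
                              ("c", None, 1), ("c", None, 1), ("a", None, 0),
                              ("c", None, 0)]:
        col.f = f                         # duress is set by the environment
        act, ambit = step(col, agent, partner)
        trace.append((agent, act))
        ambits.append(ambit)
    return trace, col, ambits
```

In the constructed run, a and b replenish until they can afford to merge, count once as a pair (ambit {a, b}, no longer a singleton) and unmerge as soon as duress is lifted, while c, which is offered no partner, falls back to Replenish under duress and counts alone afterwards; the partition invariant of Fig. 5 holds throughout.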

Such behaviour refines that of the extensionally-specified system Colony in Figure 5 which, without any history invariant, insists only that the actions occur within their preconditions. The ambits of the guarded actions vary from being singletons to being larger. Even from that simple example it is clear that, in a derivation step introducing intensionality, ambit is used to constrain the actions in the refinement. A typical situation is one in which an abstract action A is to be refined by a succession of two concrete actions B and B′ whose ambits are constrained to lie within β and β′ respectively,

    A ⊑ B ⨟ B′    with    α(B) ⊆ β, α(B′) ⊆ β′

where β ∪ β′ ⊆ α(A) (although equality would be more typical). If B and B′ affect independent passes, then β ∩ β′ = { }. If a single variable is used to communicate the result of B to B′ then #(β ∩ β′) = 1. Ambit is thus used to augment a functional specification to cause its refinement to have the appropriate degree of distribution. There is a similar rule for each programming combinator. For example for binary conditional,

    A ⊑ B if b else B′    with    α(b) ∪ α(B) ∪ α(B′) ⊆ α(A).
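The intensional Election sketched in Section 5.1 (one E per region, then a further E among the regional leaders) is an instance of the sequential-composition rule above, with the regions as the bounds of the first phase and the set of regional leaders as β′. The Python below is an added example and not the report's Object-Z. It assumes that regions are supplied explicitly as a partition of the process identifiers (standing in for whatever the duress component N determines), that each process carries a `rank` and E elects the highest rank, and that an action's ambit is the set of processes it reads or writes. Every invocation of E is handed the bound it may act within and records what it actually touches, so α(B) ⊆ β, the disjointness of the regional passes and #(β_i ∩ β′) = 1 are checked on the run rather than assumed.

```python
"""Intensional election for Dynanet with ambit accounting, illustrating
A ⊑ B ⨟ B′ with α(B) ⊆ β, α(B′) ⊆ β′.  Added example, not the report's
Object-Z.  Assumptions: regions are given explicitly (standing in for the
duress component N), each process holds a rank and E elects the highest
rank, and an action's ambit is the set of processes it reads or writes."""


class Ambit:
    """Bound β of an action and the set α of processes it actually touched."""

    def __init__(self, bound):
        self.bound = frozenset(bound)
        self.touched = set()

    def read(self, store, pid):
        self.touched.add(pid)
        return store[pid]

    def write(self, store, pid, field, value):
        self.touched.add(pid)
        store[pid][field] = value

    def within_bound(self):          # α ⊆ β
        return self.touched <= self.bound


def E(store, members, ambit):
    """E[M]: elect among `members`, touching the store only via `ambit`.
    The leader is the member of highest rank (ranks assumed distinct)."""
    ranks = {p: ambit.read(store, p)["rank"] for p in members}
    leader = max(ranks, key=ranks.get)
    for p in members:
        ambit.write(store, p, "leader", p == leader)
    return leader


def election(store, regions):
    """Election = (E on every region, independently) ⨟ E on the regional
    leaders, the 'virtual region'.  Returns the global leader and the
    ambits of both phases."""
    local, leaders = [], set()
    for region in regions:
        amb = Ambit(region)          # β_i = the region itself
        leaders.add(E(store, region, amb))
        local.append(amb)
    final = Ambit(leaders)           # β′ = the set of regional leaders
    return E(store, leaders, final), local, final


def rule_holds(processes, local, final):
    """Checks of the sequential-composition rule for this design: α ⊆ β for
    every phase, regional bounds pairwise disjoint (independent passes),
    each region shares exactly one process with β′ (the single variable
    carrying B's result to B′), and β ∪ β′ ⊆ α(Election) = all processes."""
    bounds = [a.bound for a in local]
    disjoint = all(b1.isdisjoint(b2) for i, b1 in enumerate(bounds)
                   for b2 in bounds[i + 1:])
    one_channel = all(len(b & final.bound) == 1 for b in bounds)
    covered = frozenset().union(*bounds, final.bound) <= frozenset(processes)
    return (all(a.within_bound() for a in local + [final])
            and disjoint and one_channel and covered)


def run():
    """Constructed instance: six processes in two regions (ranks invented)."""
    store = {p: {"rank": r, "leader": False}
             for p, r in [("p1", 5), ("p2", 9), ("p3", 1),
                          ("p4", 7), ("p5", 2), ("p6", 8)]}
    regions = [{"p1", "p2", "p3"}, {"p4", "p5", "p6"}]
    leader, local, final = election(store, regions)
    return leader, local, final, store, rule_holds(store, local, final)
```

The regional passes touch exactly their own regions, the final pass touches only the two regional leaders, and after the second phase exactly one process carries the leader flag; a region that tried to read outside its bound would fail `within_bound`, which is the check that ambits are not expanded during implementation.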

Returning to Dynanet from Section 3, an appropriate derivation step has the form E [N ] ⊑ (k0≤i