A Framework to Reason about the Knowledge of Agents in Continuous Dynamic Systems

Applying formal methods to a group of agents provides a precise and unambiguous definition of their behaviors and makes it possible to verify properties of the agents against implementations. The hybrid automaton is one of the formal approaches that several works use to model a group of agents. Several logics have been proposed as extensions of temporal logics to specify, and hence verify, the quantitative and qualitative properties of systems modeled by hybrid automata. However, when it comes to agents, one needs to reason about the knowledge of other agents participating in the model. For this purpose, epistemic logic can be used to specify and reason about the knowledge of agents, but this logic assumes that the model of time is discrete. This paper proposes a novel framework that formally specifies and verifies the epistemic behaviors of agents within continuous dynamics. To do so, the paper first extends the hybrid automaton with knowledge. Second, the paper proposes a new logic that extends epistemic logic with quantitative real-time requirements. Finally, the paper shows how to specify several properties that can be verified within our framework.

Keywords—Epistemic logic; Reasoning; Hybrid Automata; Agents


I. INTRODUCTION
Multi-agent systems (MAS) consist of several independent agents, where the task of some agents may depend on the task of others [1]. Thus, to model intelligent systems, knowledge is an important property to consider. This reasoning has become one of the main concerns in artificial intelligence and MAS [2].
Reasoning is either about the agent itself or about other agents in the MAS. Many efforts from different disciplines have tackled issues involving reasoning about agents' knowledge [3], [4], [5]. To reason about the knowledge of agents, several theories and logics have been proposed. Among them is a logic of knowledge, the so-called epistemic logic [6]. Epistemic logic is a type of modal logic [7]. The suitability of epistemic logic in a wide range of applications [8] makes it of great importance. The main goal of using epistemic logic in MAS is to model an agent's knowledge either about itself or about other agents. For example, "if agent 1 sends a message S to agent 2, then eventually agent 2 will know S", and agent 1 knows that agent 2 knows S.
To deal with specific types of applications, many techniques have been proposed for extending epistemic logic. Examples of these techniques are the attempts to generate temporal epistemic logics to reason about knowledge changing over time. In order to construct this kind of extension, the epistemic logic framework is fused into a kind of temporal logic [9]. Examples of this integration can be seen in [3], [10]. In [3], epistemic logic is extended with alternating-time temporal logic [11]. Also, in [10], epistemic logic is combined with temporal logic. Temporalization can be seen as an approach for adding a temporal logic on top of another logic and thus having a new logic with temporal features [12]. The importance of reasoning about dynamic knowledge comes from its existence in many real-life applications. In spite of its suitability in many applications, temporal epistemic logic is still not efficient to apply in certain types of applications such as robotics and networking. Such applications require a model of time and a model of how the agents' actions change through time. Also, knowledge that has time constraints cannot be specified by temporal epistemic logic. An example of time-constrained knowledge is "agent 1 knows that message S will be received within 5 seconds".
According to [13], hybrid systems are systems with combined continuous and discrete state variables. Examples are embedded software in airplanes and medical devices. As hybrid systems involve both the discrete and continuous dynamics of systems, they are naturally used to model many application scenarios [14]. Over the past few decades, hybrid automata [15] have been introduced as a formal model for hybrid systems. Hybrid automata integrate differential equations and finite automata in a single formalism. Generally, the discrete dynamics of hybrid systems are modeled using finite automata, whereas the differential equations represent the continuous changes of physical variables. A simplified version of the hybrid automaton, called the timed automaton [16], is also used to model MAS [17]. The timed (finite) automaton is a simple and powerful way to represent time constraints through real-valued clocks [16]. On the other hand, several logics have been introduced in the literature to model the qualitative behaviors of systems. The semantics of many of these logics have been interpreted on the underlying operational semantics of hybrid automata.
In spite of the many proposed logics, these logics are not efficient when it comes to expressing the agents' knowledge about other agents in a continuous dynamic environment. Thus, integrating epistemic logic with the qualitative logics of hybrid systems seems very appropriate to overcome the shortcomings of the existing logics. However, epistemic logic assumes only a discrete time model, which is not adequate when modeling agents' behaviors within continuous dynamics. Thus, this paper proposes a novel framework that formally specifies and verifies the epistemic behaviors of agents within continuous dynamics. The framework of this paper is twofold. First, the hybrid automaton is extended with knowledge. Second, a new logic is proposed to augment epistemic logic with quantitative real-time requirements. Furthermore, the paper shows how to specify several properties that can be verified within the proposed framework.
The rest of this paper is organized as follows. Section II summarizes the related work on the problem of specifying MAS requirements. After that, the concept of hybrid automata is introduced and slightly redefined in Section III. The formal syntax and semantics of hybrid automata are also highlighted. Section IV introduces the hybrid interpreted systems that will be used as the underlying semantics of the proposed logic. Section V defines the syntax and semantics of the proposed logic ERCTL. Section VI illustrates how to specify certain requirements on an example. In Section VII, the implementation of the proposed framework using a constraint logic program (CLP) is shown. Finally, the conclusion and future work are summarized in Section VIII.

II. RELATED WORK
The modal logic of knowledge was first introduced by Hintikka in 1962 [18]. According to the logic of Hintikka, knowledge and belief are treated as modalities. The syntax and semantics of this logic were the core foundation of epistemic logic. Epistemic logic is a type of modal logic concerned with reasoning about knowledge [19], [8]. Generally, epistemic logic in MAS began to get more attention in the early 1960s. Among several types of epistemic logic, Dynamic Epistemic Logic (DTL) is widely conceived as a logic that is able to model how agents update their knowledge in MAS [20]. As agents in MAS evolve over time, the temporal properties of agents' knowledge are of great importance. Thus, Epistemic Temporal Logic (ETL) is employed to model these properties [3], [9], [10]. In [3], epistemic logic is extended with alternating-time temporal logic [11]. In [10], the epistemic logic framework is fused into a kind of temporal logic [9]. There is a close relationship between dynamic and temporal epistemic logics. The authors in [21] have presented an illuminating survey of these logics.
On the other hand, finite state automata provide the most elegant model for memory structures of reasoning agents [10]. Timed automata are also proposed as extensions of finite state automata to model time constraints [16], [31], [32]. In order to overcome the inadequacy of epistemic temporal logics in expressing the real-time behavior of agents, many real-time epistemic logic approaches have been introduced [33], [34], [5], [4]. These logics use timed automata to express and model the agents, while the classical interpreted systems of epistemic logic are extended by adding the operational semantics of timed automata. The timed automaton is considered a simplified version of the hybrid automaton, which integrates differential equations and finite automata in a single formalism [15]. To specify the behaviors of MAS situated in a dynamic environment, many hybrid automata approaches have been presented in the literature [35], [36], [37], [38], [39]. Our work in this paper augments the hybrid automaton with knowledge to formally specify and verify the epistemic behaviors of agents within continuous dynamics. A new logic that extends epistemic logic with quantitative real-time requirements is employed for this purpose.

III. BACKGROUND
The concept of hybrid automata along with their constraints is introduced here in detail. An example from [40] is used for illustration. Several definitions are presented to describe the constraints that appear within the hybrid automata.

Definition 1 (Linear Constraints and Evaluation):
The grammar of all linear constraints Φ(χ), with a typical element ϕ ∈ Φ(χ), is defined as follows: be the values of the variables in χ and v_i be the value of the ith component of v. We call v |= ϕ if v fulfills the constraint ϕ, and is defined using the grammar:

Definition 2 (Dynamical Constraints and Evaluation): Let χ̇ be a set of the first derivatives of the variables within χ with typical element ẋ ∈ χ̇ and b = 0, c ∈ R, ∼_d ∈ {=, ≤, ≥}. Let D(χ ∪ χ̇) be the set of constraints over the variables in χ ∪ χ̇ with typical element d ∈ D. The set of all possible dynamical constraints is defined as follows:

Let f : R≥0 → R^|χ| be a differentiable function and ḟ(t) be the differentiation of f with respect to time t ∈ R≥0. We call f * d, if the function f fulfills d defined by the grammar:

Definition 3 (Hybrid Automaton): A hybrid automaton is defined as the tuple HA = (Q, χ, Ins, Flow, η, E, q_0, v_0) where:
• Q is a finite set of locations.
• Flow : Q → D(χ ∪ χ̇) is the function that allocates the constraints Flow(q) for every q ∈ Q.
• η is a finite set of events.
• q_0 ∈ Q denotes the initial location of the hybrid automaton.
• v_0 ∈ R^|χ| denotes the initial values of the variables in χ.
Every e ∈ E is denoted as q_1 −(a, ϕ, X)→ q_2, where q_1 and q_2 are the start and the end locations respectively, a ∈ η is an event, ϕ denotes the enabling condition of e, and X ⊆ χ denotes the set of real variables to be reset.

of HA is conventionally denoted as the tuple σ = ⟨q, v, t⟩, where q ∈ Q and v is the value of the real variables at time t. A state σ = ⟨q, v, t⟩ satisfies a constraint ϕ ∈ Φ(χ) at point t, conventionally written as

A labeled transition system between states is usually used to describe the semantics of HA. The transition between any two admissible states σ_1 = ⟨q_1, v_1, t_1⟩ and σ_2 = ⟨q_2, v_2, t_2⟩ is defined either by a discrete or a delay transition as follows: is the time duration passed in location q_1, there is a differentiable function f having f * Flow(q_1) and f(t_1) = v_1 and f(t_2) = v_2, and for all t ∈ [t_1, t_2], f(t) |= Ins(q_1).

Now, the states and the transitional rules between states are totally defined and thus we are ready to define the dense state space as follows:

Definition 5 (dense state space): The dense state space of HA can be defined as the tuple (θ, σ_0, −→), where θ = Q × R^|χ| × R≥0 is the set of all states, σ_0 = ⟨q_0, v_0, 0⟩ is the initial state such that v_0 is the value of the variables in χ in the control location q_0 at t = 0 with v_0 |= Ins(q_0), and

When a hybrid automaton is run, a sequence of state transitions is generated. In the following, we define the path and the run.

Definition 6 (Path and Run):
A path ρ = σ_1 σ_2 σ_3 ..., of HA denotes a finite or infinite sequence of admissible states, where the transition between any two consecutive states is associated either with a discrete or a delay transition. Let Π(HA) denote the set of all paths of HA. A run of HA denotes a path ρ beginning with the initial state σ_0.
Each path ρ ∈ Π(HA) generates an infinite number of reachable states due to the delay transitional rules. An appropriate method to represent those infinite states is to use a symbolic representation using mathematical intervals. Let us call the mathematical interval a region, and it is defined as follows:

We write a run ρ as ρ = Γ_0, a_1, Γ_1, a_2, ..., a sequence of regions, where each is the maximal sub-sequence of admissible states such that for all consecutive states σ_j, σ_{j+1} ∈ Γ, it holds that σ_j −δ→ σ_{j+1}. Additionally, a transition between two consecutive regions Γ_i and Γ_{i+1}, conventionally written as

Conventionally, Γ is written as Γ = ⟨q, V, T⟩, such that T denotes the total duration time of all states in Γ and V denotes the tuple of interval values of the variables throughout the time interval T. Let Γ_0 denote the initial region obtained from the initial state σ_0 using delay transitions.

Definition 7 (Reachability
Now, the dense state space can be generalized by a region state space as follows:

Definition 8 (region state space): A region state space of HA can be defined as the tuple (∆, Γ_0, −→), where ∆ is the set of all possible regions, Γ_0 = ⟨q, V, T⟩ is the initial region formed by delay transitions from the initial state σ_0 ∈ Γ_0, and −→ ⊆ ∆ × η × ∆ is the transition relation defined as

A. Automata Composition
A MAS is generally modeled by various parallel hybrid automata representing the agents. Communication among the agents is achieved using synchronized events. The overall behavior of the entire MAS can be described using the parallel composition. Two hybrid automata can be composed as follows: 2 ), and a transition in E is defined as follows:

A run of any two composed automata, denoted as H1 • H2, is the sequence Λ_0, a_1, Λ_1, a_2, ... of compound regions, where a transition between two regions relates according to the definition of the transitional relation defined previously. Each global region takes the form Λ = ⟨Γ_1, Γ_2⟩, where Γ_i = (q_i, V_i, T).
Again, the region state space (∆, γ_0, −→) is similar to its previous definition, except that each element Λ ∈ ∆ is a global region, and γ_0 is the initial global region for each automaton.
Let loc_i : ∆ → Q_i be a function that takes a global region and returns the current location of agent i, and Loc : ∆ → Q a function that returns the locations of the m agents. Let duration(Γ) :⊆ R≥0 be a relation that returns the time interval of a region Γ; i.e., for Γ_i = (q, V, T), duration(Γ) = T.

IV. HYBRID INTERPRETED SYSTEM
Interpreted systems [2] are usually used as the formal semantics that describe the temporal epistemic language. Therefore, interpreted systems are extended here to be adapted to hybrid automata as well.
Let AG denote a set of m agents such that each agent is represented as a hybrid automaton and their parallel composition in HA = (Q, χ, Ins, Flow, η, E, q_0, v_0). Let Prop_i be a set of propositional variables for each agent 1 ≤ i ≤ m, and Prop = Prop_i. Let Val_i : Q_i → 2^Prop_i be the valuation function for the ith agent, which assigns the truth value of Prop_i to the locations. Let Val : Q → 2^Prop be the valuation function for the m agents, such that Val(q) = Val_i(q_i). Then, the hybrid interpreted system is defined as follows:

Definition 10 (Hybrid Interpreted System): A hybrid interpreted system is the tuple M = (∆, Γ_0, −→, 1, 2, . . ., m, ν), where
• ∆, Γ_0, −→ are defined as in the definition of the region state space.
• ν : ∆ → 2^Prop is the valuation function that is defined by extending the definition of Val such that ν(Γ) = Val(loc(Γ)).
The epistemic relation defined previously is standard in epistemic logic under interpreted systems. More details and examples about this relation can be found in [41]. The knowledge of a group of agents can be defined as:

Definition 11 (Group epistemic relation): Let AG be a set of m agents, and κ ⊆ AG. We define the group epistemic relations on a group of agents κ as follows: , where + denotes the reflexive transitive closure of the underlying relation.

V. THE PROPOSED LOGIC (ERCTL)
The syntax and semantics of the proposed ERCTL are formally described in this section. As previously mentioned, the proposed ERCTL extends the logic RCTL [28] by adding knowledge operators. We first begin by describing timed variables that might appear in a formula to quantify its timing.
Definition 12 (Clocks): Let T ⊆ χ denote a set of nonnegative real variables called clocks, and Φ(T) denote a set of constraints over T. Let ξ : T → R≥0 denote the valuation ξ of the clocks T. For π ∈ Φ(T), we call ξ |= π, if ξ satisfies π.

A. Syntax of ERCTL
Let L denote a set of propositions representing the locations, η denote a set of propositions representing the events, χ denote a set of real variables, T ⊆ χ denote a set of clocks, and Φ(χ) and Φ(T) denote the sets of all constraints on the variables in χ and T respectively. Let AG be a set of m agents, with κ ⊆ AG. Let y ∈ T, l ∈ L, a ∈ η, φ ∈ Φ(χ), π ∈ Φ(T), i ∈ AG, and κ ⊆ AG.

Definition 13 (ERCTL Formulas):
The set of ERCTL formulas is defined inductively as follows:

In addition to the standard Boolean connectives, the previous syntax includes the path quantifiers ∀, denoting "in all possible paths", and ∃, denoting that there exists a path (more details about path quantifiers can be found in [42]). Furthermore, the syntax of ERCTL defines two fragments: RCTL and an epistemic one. The RCTL fragment includes formulas of the form y.Ψ representing "the formula Ψ is true at a certain time represented by the clock y". The epistemic fragment of ERCTL includes formulas of the form K_i Ψ to represent "agent i knows that Ψ", E_κ Ψ to represent "everyone in group κ knows that Ψ", D_κ Ψ to represent "it is distributed knowledge in group κ that Ψ is true", and C_κ Ψ standing for "it is common knowledge in group κ that Ψ".

The other common formulas are defined as follows:
• ∃♦Ψ is equivalent to the formula ∃(true U Ψ).

• Ki Ψ is equivalent to the formula ¬K_i ¬Ψ.

B. Semantics of ERCTL
Let AG denote a set of m agents such that each agent is represented by a hybrid automaton and their parallel composition in HA = (Q, χ, Ins, Flow, η, E, q_0, v_0). Let M = (∆, Γ_0, −→, 1, 2, . . ., m, ν) be a hybrid interpreted system. Let Π(HA) denote the set of all regions produced from the runs of the hybrid automaton with a typical region Γ = (q, V, T) ∈ Π(HA).

Definition 14 (Satisfaction Relation ERCTL): Let Ψ be an ERCTL formula. The satisfaction relation M, Γ Ψ denotes that Ψ is true at a region Γ in the model M and is defined as follows:

Intuitively, the formula K_i Ψ holds in a region Γ within the hybrid interpreted system M if Ψ holds in all regions that are indistinguishable for agent i from Γ. The formula E_κ Ψ holds in a region Γ within the hybrid interpreted system M if Ψ is true in all regions that a group κ of agents is unable to distinguish from Γ. The formula D_κ Ψ holds in a region Γ within the hybrid interpreted system M if the combined knowledge of all agents in κ implies Ψ. The formula C_κ Ψ holds in a region Γ within the hybrid interpreted system M if everyone knows that Ψ holds at Γ, and everyone knows that everyone knows that Ψ holds at Γ, etc.
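The intuitive readings of K_i, E_κ, D_κ and C_κ above, evaluated over a small finite set of global regions. This is an added Python example, not the paper's ECLiPSe implementation; the seven regions, the location names and the indistinguishability relation (equal local location, the standard interpreted-systems choice) are assumptions made for illustration.

```python
# Added illustration (not the paper's code): K, E, D and C over a finite region set.
AGENTS = ("train", "gate", "controller")

# Constructed sample: every global region is reduced to the tuple of local
# locations (train, gate, controller). Region and location names are assumptions.
REGIONS = {
    "R0": ("far", "open", "idle"),
    "R1": ("near", "open", "to_lower"),
    "R2": ("near", "lowering", "lowered"),
    "R3": ("near", "closed", "lowered"),
    "R4": ("past", "closed", "lowered"),
    "R5": ("past", "closed", "to_raise"),
    "R6": ("far", "raising", "idle"),
}


def loc(agent, region):
    """loc_i: local location of `agent` in a global region."""
    return REGIONS[region][AGENTS.index(agent)]


def indist(agent, g, h):
    """Assumed epistemic relation: equal local location means indistinguishable."""
    return loc(agent, g) == loc(agent, h)


def sat(pred):
    """Set of regions whose location tuple satisfies `pred`."""
    return {g for g, locs in REGIONS.items() if pred(locs)}


def K(agent, psi):
    """K_i psi: psi holds in every region the agent cannot tell apart from g."""
    return {g for g in REGIONS
            if all(h in psi for h in REGIONS if indist(agent, g, h))}


def E(group, psi):
    """E_k psi: every agent in the group knows psi."""
    result = set(REGIONS)
    for agent in group:
        result &= K(agent, psi)
    return result


def D(group, psi):
    """D_k psi: psi follows from pooled knowledge (intersection of the relations)."""
    return {g for g in REGIONS
            if all(h in psi for h in REGIONS
                   if all(indist(a, g, h) for a in group))}


def C(group, psi):
    """C_k psi: greatest fixed point of X = E_k(psi and X)."""
    x = set(REGIONS)
    while True:
        nxt = E(group, psi & x)
        if nxt == x:
            return x
        x = nxt


if __name__ == "__main__":
    closed = sat(lambda locs: locs[1] == "closed")
    not_open = sat(lambda locs: locs[1] != "open")
    print("K_train closed          :", sorted(K("train", closed)))
    print("E_{train,gate} closed   :", sorted(E(("train", "gate"), closed)))
    print("D_{train,gate} closed   :", sorted(D(("train", "gate"), closed)))
    print("C_{gate,ctrl} closed    :", sorted(C(("gate", "controller"), closed)))
    print("C_{gate,ctrl} not open  :", sorted(C(("gate", "controller"), not_open)))
```

In this sample the gate and the controller each know "closed" only in R5, and it is never common knowledge between them, while "not open" is common knowledge in R2 to R5.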

VI. SPECIFICATION OF REQUIREMENTS
As the proposed ERCTL combines the expressive power of RCTL and epistemic logic, we will focus on the expressive power of ERCTL to specify those properties that combine both logics together. To exemplify the expressive power of the proposed ERCTL, we specify properties on a slightly modified version of the railroad crossing system found in [43]. More details about this illustrative example can be found in [40].

A. Example
The example shown in Fig. 1 consists of three agents, namely the Train, the Gate, and the Controller. The main goal is to track the trains crossing an intersection. The gate guards the intersection and it closes or opens based on the train status, which is approaching or leaving the intersection. The gate is completely monitored by the controller. The controller receives signals from the train and accordingly sends lower or raise commands to the gate. Let the train be initially 1000 meters away from the gate and moving at a speed of 50 m/s. There is a sensor positioned at a distance of 500 meters on the track. The sensor detects that the train is approaching and thus sends an app signal to the controller. After sending the app signal, the train slows down according to the differential equation ẋ = −x/25 − 30. After a duration of 5 seconds, the controller sends a lower command to the gate, which in turn starts to lower at a rate of -20 degrees per second. After the train crosses the gate, it accelerates following the differential equation ẋ = x/5 + 30. Another sensor is positioned at a distance of 100 meters after the crossing to detect the train when it is leaving. This sensor sends an exit command to the controller. After 5 seconds, the controller starts to raise the gate to its normal position.
By using ERCTL, we can specify a property Ψ that cannot be expressed by the standard RCTL or epistemic logic. To clarify more, we consider the following example:

Formula 1 specifies that there exists a behavior in the system such that the Train knows a situation in which it sends app and then the Gate eventually will not be closed within 10 sec.
Formula 2 specifies that the Controller agent knows that when it sends a lower command, the agent Gate will send to close command within 5 sec. and thus the agent Gate eventually will not be closed within 10 sec.
Formula 3 specifies that the agent Train always knows that whenever it approaches the gate, its distance to the gate is always greater than 100 meters for 20 time units.
In order to formally verify a certain property using model checking within the proposed ERCTL, we should focus on the fragment of ERCTL that can be checked with reachability. Several requirements of interest can be specified as a kind of reachability. Generally, a formula Ψ is reachable if it is possible to reach a state holding Ψ. Thus the reachability of the property Ψ aims to find whether there is a region within the run of the agents in which the formula Ψ is satisfiable. This can be achieved using ERCTL as follows:

init in formula 4 indicates the conjunction of the initial states of the system under investigation. The reachability of a certain formula is usually computed starting with the initial region of a region-space exploration of a model and extending the reachability on transitions until reaching fixed regions. In [44], a semi-decision algorithm for computing the reachability of regions of a hybrid automaton is introduced by one of the authors. This algorithm is shown in Fig. 2. In Fig. 2, if the initial region is Γ_0, produce(R) denotes the set of reached regions attached to the region R with a discrete step.

Fig. 2. Computation of the reachability analysis [44].

Checking the reachability of a property within the underlying transition system of hybrid automata is generally undecidable except for certain classes of hybrid automata [45]. Consequently, the decidability problem is inherited by ERCTL.

VII. REACHABILITY AS CLP
In this section, the implementation of the proposed framework using a constraint logic program (CLP) [46] is shown. CLP has been chosen to implement the proposed framework for several reasons. First, a hybrid interpreted system can be described as a constrained system. These constraints represent the continuous dynamics, e.g., the invariants, the flows, and the transitions. Second, constraints can be used to represent specific parts of the state space easily. Third, there are operational semantics similarities between CLP and the hybrid interpreted system. Moreover, constraints allow us to concisely represent regions symbolically as mathematical intervals, where an appropriate constraint solver is used to reason about the reachability of a particular state inside this interval. Finally, the logic programming part allows us to implement the knowledge efficiently.
The implemented prototype is built using ECLiPSe Prolog [47]. The definitions of both the formal syntax and semantics of hybrid automata and the enrichment with knowledge are followed. An overview of the implementation is given here. Let's start with modeling the locations and their constraints using the predicate epistemicAutomaton as shown in Fig. 3. epistemicAutomaton denotes the epistemic automaton and Location denotes the current location of the automaton. Vars represents the variables participating in the epistemic automaton and Vars0 represents their corresponding initial values. Ins(Vars) is the list of invariant constraints on the variables in Vars within the control location, whereas Flow(Vars) represents the list of flow constraints on the variables Vars with respect to the initial time T0 at the start of the continuous flow and Time. initKnow represents the knowledge at the location. The knowledge remains unchanged during the continuous evolution. Finally, Event represents the event fired during the run.
The transition systems are then encoded into the predicate evolve, as shown in Fig. 4, which describes the two kinds of transitions. The automaton evolves with either continuous or discrete transitions depending on the constraints occurring during the run. It is important to note that, within the discrete step, the knowledge is updated from one state to another by appending the knowledge of the first state Know1 with the shared knowledge Shared, coming from the other automata, to produce the knowledge Know2. Once the epistemic automata have been modeled, an overall state machine is constructed with the aim of executing the model. To achieve this goal, a reachability predicate is implemented as shown in Fig. 5.
The reachability is a state machine employed to generate the behaviors of the concurrent epistemic hybrid automata. It starts with the definition of each participating epistemic hybrid automaton with its initial variables, timing, and knowledge. As soon as the reachability has been defined, the entire model is invoked for the purpose of running and verification. By using the CLP model, we are able to verify the properties described in Section VI.
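The region-level reachability loop of Section VI (initial region, produce(R), fixed point) and the knowledge update that evolve performs on discrete steps (Know2 = Know1 plus Shared), written as an added Python example rather than the authors' ECLiPSe Prolog code. The local automata, the location names, the events cross, down and up, the SHARED facts and the max_regions bound are assumptions; continuous flows and timing are abstracted away, so only discrete steps between regions are explored.

```python
from collections import deque

# Constructed local automata: {location: [(event, next_location), ...]}.
# app, lower, exit and raise come from the example; everything else is assumed.
TRAIN = {"far": [("app", "near")], "near": [("cross", "past")],
         "past": [("exit", "far")]}
GATE = {"open": [("lower", "lowering")], "lowering": [("down", "closed")],
        "closed": [("raise", "raising")], "raising": [("up", "open")]}
CTRL = {"idle": [("app", "to_lower"), ("exit", "to_raise")],
        "to_lower": [("lower", "idle")], "to_raise": [("raise", "idle")]}
AUTOMATA = (TRAIN, GATE, CTRL)
ALPHABETS = [{e for trans in a.values() for e, _ in trans} for a in AUTOMATA]
EVENTS = sorted(set().union(*ALPHABETS))

# Assumed facts that a synchronised event shares with its participants.
SHARED = {"app": {"train_approaching"}, "lower": {"gate_lowering"},
          "exit": {"train_left"}, "raise": {"gate_raising"}}

# A region here is (locations, per-agent knowledge); time intervals are omitted.
INIT = (("far", "open", "idle"), (frozenset(), frozenset(), frozenset()))


def produce(region):
    """Regions reached from `region` by one synchronised discrete step."""
    locs, knows = region
    successors = []
    for event in EVENTS:
        new_locs, new_knows, enabled = list(locs), list(knows), True
        for i, automaton in enumerate(AUTOMATA):
            if event not in ALPHABETS[i]:
                continue  # automaton i does not take part and keeps its state
            targets = [t for e, t in automaton[locs[i]] if e == event]
            if not targets:
                enabled = False  # a participant cannot fire: event is blocked
                break
            new_locs[i] = targets[0]
            # Discrete step: Know2 = Know1 extended with the shared knowledge.
            new_knows[i] = knows[i] | frozenset(SHARED.get(event, ()))
        if enabled:
            successors.append((event, (tuple(new_locs), tuple(new_knows))))
    return successors


def reach(initial, max_regions=1000):
    """Explore until a fixed point; returns (regions, fixed_point_reached).

    The bound mirrors the semi-decision nature of the analysis: the loop may
    stop before a fixed point, in which case the second value is False.
    """
    seen, todo = {initial}, deque([initial])
    while todo:
        if len(seen) > max_regions:
            return seen, False
        for _, nxt in produce(todo.popleft()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen, True


def uninformed_lowering(regions):
    """Regions where the gate lowers although the controller lacks the app fact."""
    return [r for r in regions
            if r[0][1] == "lowering" and "train_approaching" not in r[1][2]]


if __name__ == "__main__":
    regions, done = reach(INIT)
    print(len(regions), "regions, fixed point reached:", done)
    print("violations:", uninformed_lowering(regions))
```

Checking that `uninformed_lowering` is empty is a reachability query for the negation of an epistemic invariant: no reachable region has the gate lowering without the controller knowing that the train approaches.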

VIII. CONCLUSION
In this paper, we have introduced a new logic called ERCTL that extends the logic RCTL with epistemic modalities. This extension allows us to formally specify several qualitative epistemic requirements of MAS evolving in a continuous dynamical environment. The fundamental underlying interpretation model of the logic was hybrid automata. The latter were extended to produce the so-called interpreted hybrid system that forms the basic interpretation model for both the epistemic part and the real-time continuous dynamic part. The paper showed how to specify several interesting requirements using ERCTL. To put the formal verification into consideration, we showed how to implement the proposed work using constraint logic programming (CLP). As converting a model to CLP is tedious work, it is worthwhile to incorporate ERCTL into the model checking tool [48].

Fig. 5. A reachability to the execution of epistemic hybrid automata.