MODEL CHECKING FOR MULTI-AGENT SYSTEMS MODELED BY EPISTEMIC PROCESS CALCULUS

MODEL CHECKING FOR MULTI-AGENT SYSTEMS
MODELED BY EPISTEMIC PROCESS CALCULUS
Qixian Yu 1
, Zining Cao 1,2,3
, Zong Hui 1,4
and Yuan Zhou 1
1
College of Computer Science and Technology, Nanjing University of Aeronautics and
Astronautics, Nanjing 211106, P. R. China
2
Ministry Key Laboratory for Safety-Critical Software Development and Verification,
Nanjing 211106, P. R. China.
3
Collaborative Innovation Center of Novel Software Technology and
Industrialization, Nanjing 210023, P. R. China
4
Faculty of Computer and Software Engineering, Huaiyin Institute Of Technology,
Huaian 223001, P. R. China
ABSTRACT
This paper presents a comprehensive framework for modeling and verifying multi-agent systems. The
paper introduce an Epistemic Process Calculus for multi-agent systems, which formalizes the syntax and
semantics to capture the essential features of agent behavior interactions and epistemic states. Building
upon this calculus, we propose ATLE, an extension of Alternating-time Temporal Logic incorporating
epistemic operators to express complex properties related to agent epistemic state. To verify ATLE
specifications, this paper presents a model checking algorithm that systematically explores the state space
of a multi-agent system and evaluates the satisfaction of the specified properties. Finally, a case study is
given to demonstrate the method.
KEYWORDS
Multi-agent System, Epistemic Logic, Value-Passing CCS, ATL, Model Checking
1. INTRODUCTION
A multi-agent system (MAS) [1] refers to a system composed of multiple autonomous agents
that interact, collaborate, or compete with one another to achieve specific tasks or objectives.
These agents, which can be software entities, robots, or even humans, operate in dynamic
environments where their actions are often influenced by their knowledge, beliefs, and the
behaviors of other agents. In recent years, the rapid advancement of artificial intelligence (AI)
has led to an explosion of applications leveraging MAS, ranging from autonomous robotics and
smart grids to collaborative systems for multiple unmanned aerial vehicles (UAVs) [2]. The
ability of MAS to handle complex, distributed tasks has made them increasingly attractive in
industrial and societal applications, where they are being adopted to enhance efficiency,
scalability, and adaptability in problem-solving scenarios.
One of the key challenges in designing and analyzing MAS lies in effectively modeling the
concurrent interactions and cognitive states of agents. Traditional formal methods, such as
automata, often fall short in capturing the intricate interplay between agents' behaviors and their
epistemic states. In contrast, process calculi provide a powerful framework for modeling
concurrent systems due to their ability to handle communication, synchronization, and
compositional modeling. Process calculi, such as the Calculus of Communicating Systems
(CCS) and π -calculus, offer expressive mechanisms for describing the dynamic interactions and
message-passing behaviors inherent in MAS. This paper builds on these foundations by
International Journal of Software Engineering & Applications (IJSEA), Vol.16, No.1, January 2025
1
DOI: 10.5121/ijsea.2025.16101

adopting value-passing CCS[3], which extends traditional process calculi to include explicit
data parameters in communication actions. This enhancement allows for more flexible and
natural modeling of information exchange and cognitive states among agents, making it
particularly suitable for MAS.
To further address the cognitive aspects of agents, this paper introduces the Epistemic Process
Calculus (EPC), a novel calculus that integrates value-passing CCS with epistemic logic. EPC
enables the modeling of not only the behavioral interactions of agents but also their knowledge
and beliefs, which are critical for decision-making in MAS. Once the system is modeled using
EPC, it becomes necessary to specify and verify its properties. For this purpose, we extend
Alternating-time Temporal Logic (ATL) with epistemic operators, resulting in a new logic
called ATLE (Alternating-time Temporal Logic with Epistemic operators). ATLE allows for the
expression of complex properties related to agents' knowledge, strategic interactions, and
temporal behaviors. Finally, to verify these properties, we propose a model checking algorithm
specifically designed for ATLE, which systematically explores the state space of the MAS and
evaluates the satisfaction of the specified properties. Through this integrated approach, our
framework provides a comprehensive solution for modeling, specifying, and verifying multi-
agent systems, ensuring their correctness and reliability in dynamic and uncertain
environments.The primary contributions of this paper can be encapsulated as follows:
(1) The paper introduces a novel process calculus called epistemic process calculus(EPC)
tailored for multi-agent systems, which it delineates with formal precision.
(2) It proposes a novel logic ATLE for EPC and devises a corresponding model checking
algorithm to facilitate its evaluation.
(3) A case study has been employed to demonstrate the feasibility of employing EPC modeling
for representing the properties of a system using ATLE, followed by the verification of the
model through model checking algorithms.
The paper is structured as follows: Section 2 reviews model checking advancements for multi-
agent systems. Section 3 introduces the syntax and semantics of EPC. Section 4 details a model
checking algorithm for ATLE. Section 5 demonstrates how to implement modeling and model
detection algorithms at the code level. Section 6 presents a case study. Section 7 concludes with
a summary and directions for future research.
2. RELATED WORK
Model checking is a critical technique for safety verification. The process of model checking is
divided into three stages: modeling, specification, and verification. In the modeling phase of
multi-agent systems (MAS), common approaches include automata[4], Petri nets[5], and
process calculi[6]. However, formal modeling methods other than process calculi often fall short
in terms of synchronization, concurrency, and compositional modeling, which are core
requirements for MAS. Existing methods based on process calculi for modeling MAS generally
have some limitations. Firstly, many methods (such as CAML[7], EMMAS[8], and extensions
based on SALMA[9]) are overly complex at the semantic level, increasing the difficulty of
learning and implementation, as well as raising the barrier to practical application. Secondly,
these methods lack adaptability in dynamic environments, making it difficult to effectively
handle dynamic changes in agent behavior and adjustments in interaction patterns. Additionally,
these methods often lack sufficient consideration and support for the cognitive aspects of agents
in MAS.
Value-passing CCS (Calculus of Communicating Systems)[10], compared to traditional CCS,
retains the simplicity of algebraic semantics and rigorous derivation mechanisms while
introducing explicit data parameters in communication actions. This makes the information
2

exchange and cognitive state modeling among agents more flexible and natural. However, the
academic community has rarely extended value-passing CCS for MAS modeling, primarily
because value-passing CCS has limited capabilities in dynamic communication topology and
mobility support, making it difficult to meet the flexible and dynamic interaction requirements
of MAS. Furthermore, value-passing CCS lacks direct support for cognitive mechanisms and
has insufficient composability and extensibility, limiting its application in complex MAS
scenarios. In contrast, π − calculus [11], with its dynamic name migration and high
expressiveness, is more suitable for describing the dynamic interactions and concurrent
behaviors of MAS. Value-passing CCS is typically applied in distributed systems [12], network
protocols[13], programming language theory, and security analysis, where it is used to model
and verify communication protocols and distributed systems.
This paper uses value-passing CCS as a foundation and combines it with dynamic epistemic
logic to create the Epistemic Process Calculus (EPC). EPC enhances communication flexibility
and introduces cognitive modeling, addressing the limitations of value-passing CCS in MAS.
However, manual modeling remains challenging, and future work should focus on improving
EPC-based modeling and verification through interdisciplinary approaches and tool
development.
Extending Alternating-time Temporal Logic (ATL)[14-15] to describe system properties is a
natural choice for EPC. ATL's ability to describe strategic interactions aligns well with EPC's
dynamic nature, and its semantic framework can easily incorporate epistemic operators to model
agent cognition. Together, EPC and ATLE logic enable a complete pipeline from modeling and
specification to verification.
3. EPISTEMIC PROCESS CALCULUS
The Epistemic Process Calculus (EPC) is employed to model multi-agent systems (MAS) due to
its ability to seamlessly integrate concurrency, dynamic communication, and cognitive
reasoning. EPC extends traditional process calculi by incorporating epistemic logic, enabling
the explicit representation of agents' knowledge and beliefs, which is crucial for capturing the
complex interactions and decision-making processes in MAS.
3.1.Syntax
The syntax is given for a set of agents Ag. Processes represent one or more executions of an
individual agent, and the smallest unit of process execution is the action, which is an atomic
operation representing the basic capability of the process. Name is a basic concept that identifies
the communication channel or the subject of the communication. Names have special meanings
in EPC; they can denote a channel, a process, or another communicating entity. Define � as the
data set , and � as the knowledge set, They are the fundamental units for processes to send and
receive, and they are all values. The set of values is denoted as Values, thus � ∪ � = Values.
Actions represent the roles and behaviors of agents within communication events. Let Var be
the set of variables, Ag is the set of agents of multi-agent system.
Definition 3.1: (Action). The action represents the role and behavior of the agent in a
communication event. The action act is specified as follows：
act ≔ a < t > a(x) τ, where x ∈ Var, t ∈ � ∪ �, and a, τ ∈ Name
Here, x represents a variable in the data that receives content through channel a, the specifics of
which are uncertain, hence it is considered a variable, whereas t denotes a definite piece of data
or knowledge. a < t >represents the capability of a process to send data or knowledge after
execute the action. a(x) denotes the ability of a process to receive a variable after executing an
3

action.τ is an action internal to a process, an internal action. Acts is a non-empty set of actions,
its represents all action that process can execute.
Definition 3.2: (Process). Utilizing the syntactic rules of process caculus, we construct process
expressions that delineate the behavior of agents based on their actions and modes of interaction.
The specific process P is defined by the BNF formalism as follows::
P ≔ 0| act . P|(νa)P|(P|P)|P + P|C
In the above, a ∈ Name, 0 means that there is no action prefix process, i.e. “dead” process, the
process does not perform any operation; act.P indicates that process P is guarded by the action
prefix and P must be executed only after the action is finished; C denotes a constant, C ≝ � ,
Where P is a process expression, which can be defined recursively.
Definition 3.3: (Labeled Process). A labeled process includes a global environment and several
agents, where agents are denoted by uppercase letters (except for M and P). The behavior of
each agent is controlled by one or more processes P. The BNF of the labeled process M is as
follows:
M ≔ ({P}i)|(M|M)|(νa)M
Here a ∈ Name, i ∈Ag,{P}idenotes a system composed of unique agent i and the behavior of i
is controlled by the process P . M |M represents a composite on the system, indicating that the
system consists of multiple subsystems The language has two constraint constructions: the
restriction name (νa)M and the input a x .
In EPC, there is a constraint constructs: the restriction νa P. The sets of bound names and free
names in process P are denoted by bn P and fn P , respectively. Processes that differ only in
their bound names are called α -equivalent, denoted by ≡α . This paper does not distinguish
between processes that are α -equivalent. A substitution is a partial mapping from Name to
Name, denoted by σ. Substitution is a postfix operator with higher precedence than any other
operator in the language.
Definition 3.4: (Structural Congruence). The smallest relation ≡ contains the relationship ≡α, ≡
satisfying the following axioms:
P|Q ≡ Q|P P|0 ≡ P
P1 P2 P3 ≡ P1 P2 P3
P1 + P2 + P3 ≡ P1 + P2 + P3 P + 0 ≡ P
νa νb P ≡ νb νa P
P| νa P ≡ νa P Q if a ∉ fn P
3.2. Semantics
In EPC, Structural Operational Semantics (SOS) rules define process behaviors and transitions
through formal inference rules. They specify state changes precisely and underpin the analysis,
verification, and model checking of concurrent systems, refer to Table 1 and Table 2.
In Table 2, there are numerous actions accompanied by labels, which in the form of labeled
actions. Labeled actions are defined as all actions that can be driven by agents with
corresponding labels. Let the set of labels is denoted as LabelActs = {{α}i, {τ}i,j| α = a < t >
or a < t > , i, j ∈ Ag , t ∈ Values}.
4

Table 1. SOS Rules of Process
(Pref1)
α. P
α
α
α
P
, α ∈ {τ, a < t > }
(Pref2)
a(x). P
a<t>
a<t>
a<t>
P{t/x}
(Sum1)
P
α
α
α
P'
(P + Q)
α
α
α
P'
(Sum2)
Q
α
α
α
Q'
(P + Q)
α
α
α
Q'
(Par1)
P
α
α
α
P'
P|Q
α
α
α
P'|Q
(Par2)
Q
α
α
α
Q'
P|Q
α
α
α
P|Q'
(Com)
P
a<t>
a<t>
a<t>
P' , Q
a<t>
a<t>
a<t>
Q'
P|Q
τ
τ
τ
P'|Q'
(Res)
P
α
α
α
P'
(νa)P
α
α
α
(νa)P'
α ≠ a < t > , a < t >
(Con)
P
α
α
α
P'
C
α
α
α
P'
, C ≝ �
Table 2. SOS Rules of Labeled Process
(PrefM)
{P}i
α i
α i
α i
{P'}i
, α ∈ {τ, a < t > , a < t > }
(ParM1)
M
{α}i
{α}i
{α}i
M'
M|N
{α}i
{α}i
{α}i
M'|N
(ParM2)
N
{α}i
{α}i
{α}i
N'
M|N
{α}i
{α}i
{α}i
M|N'
(ComM)
M
{a<t>)}i
{a<t>)}i
{a<t>)}i
M', N
{a<t>}j
{a<t>}j
{a<t>}j
N'
M|N
{τ}i,j
{τ}i,j
{τ}i,j
M'|N'
(ResM)
M
{α}i
{α}i
{α}i
M'
(νa)M
{α}i
{α}i
{α}i
(va)M'
, α ≠ a < t > , a < t >
This paper employs a set of symbols and functions to denote certain specialized semantics. S=S0
×S1....×Sn is a set of non-empty global state, Si represents the non-empty sate set of agent i. MS
is a set of non-empty labeled process set. SMS=S×MS is the non-empty set of the tuple of state
and labeled process. AP is a set of atomic propositions. T=S×AP→Bool is an abstract function
that maps the propositions under the global state S. K ⊆ S × LabelActs × S is a transition
relation representing the state evolution of the system.
Multi-agent systems are established based on epistemic states, and their evolution is dependent
on changes in these epistemic states. In this paper, we denote the configuration of a system as (s,
M), which includes the state and the processes, while (s,M)
act
act
act
(s', M') represents the transition
5

of the system from one configuration to the next configuration. The definition of this
relationship is as follows:
If M
act
act
act
M', act ∈ LabelActs and (s, act, s') ∈ K , (s, M)
act
act
act
(s', M')
This indicates that under labeled process m, the state s evolves in to labeled process m’ through
the execution of action act, and the system changes from m to m'. Table 1 pertains to the SOS
rules for processes, while Table 2 pertains to the SOS rules for labeled processes. Moreover, the
epistemic state of each agent can be represented by an abstract function: hi s = esi . The
function h(s) = (h0 s , h1 s , . . . , hi s ), i ∈ Ag is tasked with abstracting the epistemic state
from the global state, or with comprehensively abstracting the epistemic state pertinent to agents
from the entire state context.
In multi-agent systems, strategies are essential for modeling how agents make decisions and
interact with each other to achieve specific goals. A strategy defines the actions an agent or a
coalition of agents can take in different states, guiding the system's evolution over time. By
incorporating strategies into the model, we can formally verify whether certain properties, such
as safety or liveness, hold under specific agent behaviors. This is particularly important in
dynamic environments where agents must adapt their actions based on their knowledge and the
state of the system. Strategies enable the analysis of cooperative or competitive behaviors
among agents, ensuring that the system meets its desired specifications.
We define the notion of strategies. Consider a labeled process M. For agents A ∈ 2Ag
, U ⊆ S, a
partial strategy fA
U
maps the next action that can be executed asynchronously by the set of agents
A. When an agent not in A performs an action, it is arbitrary; therefore, when executing a partial
strategy fA
U
in some states, it is the agents not in A who perform certain actions. FA(fA
U
) maps the
actions taken under the strategy fA
U
across all states. Let Acts A = {{α}i, {τ}i,j|i,j ∈ A, α ∈ {a <
t > , a < t > }, fA
U
and FA(fA
U
) can be defined as follows:
fA
U
∈ {U Acts A , U ⊆ S }
FA(fA
U
) = {fA|U ⊆ S, fA(s) = fA
U
(s), if s ∈ U; fA(s) ∈ Acts Ag−A, if s ∉ U}
If labeled process is M, the out(fA, (s, M)) represents all configuration path formed by
iteratively executing the strategies in fA starting from (s, M). A path starts from (s0, M0) after a
series of actions: π = (s0, M0)(s1, M1). . . . (sk, Mk), π ∈ out(fA, (s0, M0)),this sequence satisfies
the following condition:fA(si) = act i and (si, Mi)
act i
act i
act i
(si+1, Mi+1), 0 ≤ i < k. π[i] represents
the i-th element in this sequence, π[1] = (s1, M1).
Next, we will use a simple case to illustrate the use of strategies. Suppose there are three agents
Ag = {1,2,3} using EPC modeling as follows:
P = c < t1 > . a < t2 > . 0|d < t3 > . 0 , Q = c(x). a(x). b < t2 > . 0, R = d(x). 0
M0 = {P}1|{Q}2|{R}3
Here, only one transition is presented for demonstration, while the entire transitions can be
observed in the Fig.1.
M0
{τ}1,2
{τ}1,2
{τ}1,2
M1 = {a < t2 > . b < t2 > . 0|d < t3 > . 0}1|{a(x). 0}2||{d(x). 0}3
6

{τ}1,2
M2 = {b < t2 > . 0|d < t3 > . 0}1|{0}2|{d(x). 0}3
{b<t2>}2
M3 = {d < t3 > . 0}1|{0}2|{d(x). 0}3
{τ}1,3
M4 = {0}1|{0}2||{. 0}3
Fig.1. The Diagram of Systemic Transition
DefineU = {s0, s1, s2, s5, s6,s8, s9, s10}, A = {1,2},fA
U
= {{τ}1,2 , {b < t2 > }2}.In this context, U
denotes a collection of states, indicating that agents within set A are capable of performing
actions in accordance with policy fA
U
when in states that are included in U. Conversely, for states
that are not part of U, actions are selected by agents outside of set A. Then according to the
strategy out(fA, s) , a path is generated as follows: π0 = (s0, M0)(s1, M1)(s2, M2) . Only this
sequence satisfies the FA(fA
U
) , whereas others, such as (s0, M0)
{τ}1,3
(s5, M5), s0 ∈ U , {τ}1,3 ∉
fA
U
(s0).
4. MODEL CHECKING
Alternating-time Temporal Logic with Epistemic (ATLE) is used for model checking in multi-
agent systems because it combines the strengths of temporal logic and epistemic logic, enabling
the specification and verification of complex properties related to both time and knowledge.
ATLE extends Alternating-time Temporal Logic (ATL)[14] by incorporating epistemic
operators, allowing us to express not only temporal properties (e.g., "eventually" or "always")
but also knowledge-based properties (e.g., "an agent knows that a condition holds"). This is
crucial in multi-agent systems, where agents' actions often depend on their knowledge of the
environment and other agents. By using ATLE, we can formally verify properties such as
whether a coalition of agents can achieve a goal based on their shared knowledge, or whether
certain safety or liveness conditions hold under specific strategies.
4.1. ATLE
Definition 4.1: (Syntax of ATLE ). In the set of atomic propositions AP, let the number of
agents be denoted by Ag = 1,...,n. The ATLE formula ϕ indicates that a certain property ϕ holds
under A:
ϕ ∷= ap ∣¬ϕ∣ ϕ1 ∨ ϕ2∣Ki(ϕ)∣EA(ϕ)∣CA(ϕ)∣DA(ϕ) ∣
⟨⟨A⟩⟩X (ϕ)∣⟨⟨A⟩⟩(ϕ1Uϕ2)∣⟨⟨A⟩⟩F(ϕ)| ⟨⟨A⟩⟩G(ϕ)
Where ap ∈ AP, A ⊆ Ag. ϕ, ϕ1, ϕ2are ATLE formulas. Moreover, Ki(ϕ) represent the agent i
know the ϕ, DAϕmean that in A, ϕis distributed knowledge, CA(ϕ)mean that in A, ϕ is common
knowledge, EA(ϕ) mean that in A, every agent knows ϕ. Respectively, distributed knowledge is
about the combined potential knowledge of a group, while common knowledge requires that
everyone in the group knows a fact and is aware that everyone else knows it too...,recursively,
leading to an infinite regression of mutual knowledge.
7

The ATLE formulas ⟨⟨A⟩⟩X(ϕ), ⟨⟨A⟩⟩(ϕ1 U ϕ2 ), ⟨⟨A⟩⟩F(ϕ), ⟨⟨A⟩⟩G(ϕ) represent the next, until,
eventually, and globally modalities, indicating that there exists a strategy for set A, ϕ is true
at the next state, there exists a strategy for set A, ϕ1 remains true until ϕ2 , there exists a
strategy for set A, ϕ eventually becomes true, and there exists a strategy for set A, ϕ is always
true, respectively.
Definition 4.2: (Semantics of ATLE). Given a labeled process M, a state s and ATLE formula ϕ,
the satisfaction of ϕ is denoted as (s,M) ⊨ ϕ , and satisfies the following recursive condition:
•(s, M) ⊨ ap, ap is atomic proposition iff T(s, ap) = true;
•(s, M) ⊨ ¬ϕ iff (s, M) ⊭ ϕ;
•(s, M) ⊨ ϕ1 ∨ ϕ2 iff (s, M) ⊨ ϕ1 or (s, M) ⊭ ϕ2;
• (s, M) ⊨ ⟨⟨A⟩⟩X(ϕ) iff there exists a set U ⊆ S and a strategy fA
U
for any fA ∈ FA(fA
U
),
such that for any paths π ∈ out(fA, s) , we have π[1] ⊨ ϕ;
• (s,M) ⊨ ⟨⟨A⟩⟩G(ϕ) iff there exists a set U ⊆ S and a strategy fA
U
, for any fA ∈ FA(fA
U
), π ∈
out(fA, s), such that for any paths for all i ≥ 0, we have π[i] ⊨ ϕ;
•(s,M) ⊨ ⟨⟨A⟩⟩F(ϕ) iff there exists a set U ⊆ S and a strategy fA
U
, for some fA ∈ FA(fA
U
), π ∈
out(fA, s), such that for any paths for some 0 ≤ i < ∞ , we have π[i] ⊨ ϕ;
•(s,M) ⊨ ⟨⟨A⟩⟩(ϕ1U ϕ2) iff there exists a set U ⊆ S and a strategy fA
U
, for some fA ∈ FA(fA
U
),
such that for any pathsπ ∈ out(fA, s), for some i ≥ 0, we have π[i] ⊨ ϕ1, and for any 0 ≤
j < i,we have π[j] ⊨ ϕ2;
•(s,M) ⊨ Kiϕ iff if hi(s)=hi(s’) , we have (s',M') ⊨ ϕ;
•(s,M) ⊨ EA(ϕ) iff for any agent i ∈ A, we have (s,M) ⊨ Kiϕ;
•(s,M) ⊨ CA(ϕ)iff for any agent i ∈ A, Ri = {((s,M) , (s', M'))| hi s = hi s' }, Ri
+
is Ri’s
transitive closure, if ((s,M) , (s',M')) ∈ Ri
+
, we have (s',M') ⊨ ϕ;
•(s,M) ⊨ DA(ϕ) iff exist agent i ∈ A, we have (s,M) ⊨ Ki(ϕ);
The axioms and inference rules of epistemic logic are sound under the syntactic framework
defined in this paper. According to the research[18], the soundness of epistemic logic is closely
tied to the definition of its syntax, ensuring that all inference rules maintain logical consistency
and correctness within the given syntactic framework Consequently, the syntactic framework
proposed in this paper is capable of supporting epistemic reasoning, thereby ensuring the
reliable transmission and sharing of knowledge in multi-agent systems.
4.2. Model Checking for ATLE
This section introduces a specific model checking algorithm for ATLE specification formulas.
Algorithm 1 determines whether a propositional formula ϕ holds in a state s for a labeled
process M. The input process M must be specified as a finite-state process; otherwise, the
algorithm may fail to terminate when handling infinite-state processes. It processes different
logical constructs, such as atomic propositions, negations, dis-junctions, and various modal
operators including knowledge, common knowledge, and temporal modalities, etc... Each case
is handled through specific checks to evaluate the truth of ϕ under different logical rules.The
algorithms for the knowledge-related operators Ki, EA, DA, and CA as illustrated in Algorithms 2,
3, 4 and 5 respectively. Algorithms 6, 7, 8 and 9 primarily involve the implementation of path
operators, corresponding respectively to the operators ⟨⟨A⟩⟩X (Next),⟨⟨A⟩⟩G (Global), ⟨⟨A⟩⟩F
(Finally) and ⟨⟨A⟩⟩U (Until).
8

Algorithm 4 CHECKD(s, M,ϕ, A)
1: for all agent i in A do
2: �� CHECKK(s, M, ϕ, i) = true ��
3: label(s) := label(s)∪{DA(ϕ)};
4: return true;
5: end if
6: end for
7: return false;
Algorithm 3 CHECKE(s, M, ϕ, A)
1: for all agent i in A do
2: �� CHECKK (s, M, ϕ, i) = false ��
3: return false;
4: end if
5: end for
6:label(s) := label(s)∪{EA(ϕ)};
7: return true;
Algorithm 2 CHECKKs, M, ϕ, i)
1: for all (s’, M’) in SMS do
2: if hi(s') = hi(s ) and CHECK (s, M, ϕ) = false then
3: return false;
4: end if
5: end for
6: label(s) := label(s)∪{Ki(ϕ)};
7: return true;
Algorithm 1 CHECK(s, M, ϕ)
1: switch(ϕ):
2: case atomic proposition: �� T(s, ϕ) ;
3: case ¬ϕ: return CHECK(s, M, ϕ);
4: case ϕ1 ∨ ϕ2:
5: �� CHECK(s, M, ϕ1) ∨ CHECK(s, M, ϕ2) ;
6: case Ki(ϕ):
7: �� CHECKK(s, M, ϕ, i);
8: case EA(ϕ):
9: �� CHECKE(s, M, ϕ, A);
10: case DA(ϕ):
11: �� CHECKD(s, M, ϕ, A);
12: case CA(ϕ):
13: �� CHECKC(s, M, ϕ, A);
14: �� ⟨⟨A⟩⟩X(ϕ):
15: �� CHECKX (s, M, ϕ, A);
16: �� ⟨⟨A⟩⟩G(ϕ):
17: �� CHECKG(s, M, ϕ, A);
18: �� ⟨⟨A⟩⟩F (ϕ):
19: �� CHECKF (s, M, ϕ, A);
20: �� ⟨⟨A⟩⟩(ϕ1U ϕ2):
21: �� CHECKU (s, M, ϕ1, ϕ2, A);
22: default: throw a formula error exception;
23:end switch
9

Algorithm 5 CHECKC(s, M, ϕ, A)
1:Initialize RA
+
to store transitive closure of relation RA;
2:if CHECKK (s, M, ϕ, A) = false then
3: return false;
4:end if
5: for �� (s’, M’) in SMS do
6: if ((s, M),(s’, M’)) ∈ RA
+
and CHECKK (s , M, ϕ, A) = false then
7: return false;
8: end if
9: end for
10: label(s) := label(s)∪{CA(ϕ)};
11:return true;
Algorithm 6 CHECKX (s, M, ϕ, A)
1:function CHECKX (s, M, ϕ, A):
2: for all fA
U
��
3: if checkX(s,M,ϕ,fA
U
) = true then
4: return true;
5: end if
6: end for
7: return false;
8:end function
9:function checkX(s, M, ϕ, fA
U
)
10: for �� act in FA(fA
U
)(s) do
11: if ((s, M)
act
act
act
(s', M') and CHECK(s', M', ϕ) = false ��
13: return false;
14: end if
15: end for
16: label(s) := label(s)∪{⟨⟨A⟩⟩X(ϕ)};
17: return true;
18:end function
Algorithm 7 CHECKG(s, M, ϕ, A)
1:function CHECKG(s, M, ϕ, A)
2: for �� fA
U
��
3: SCCs = findSCCS(s, M, FA(fA
U
));
4: if checkG(SCCs, fA
U
, ϕ) = true do
5: return true;
6: end if
7: end for
8: return false;
9:end function
10:function checkG(SCCs , ψ):
11: for all scc in SCCs do
12: for all (s,M) in scc do
13: �� ϕ ∉ label(s) or CHECK(s, M, ϕ) = false ��
14: return false;
15: end if
17: end for
18: end for
10

19: label(s) := label(s)∪{⟨⟨A⟩⟩G(ϕ)};
20: return true;
21:end function
Algorithm 8 CHECKF (s, M, ϕ, A)
1:function CHECKG(s, M, ϕ, A)
2: for �� fA
U
��
3: SCCs : = findSCCS(s, M, FA(fA
U
));
4: if checkF(SCCs, ϕ) = true do
5: return true;
6: end if
7: end for
8: return false;
9:end function
10:function checkF(SCCs, ϕ):
11: for all sccc in SCCs do
12: for �� (s', M') is (s, M)'s successor do
13: �� CHECK(s', M', ϕ) = true ��
14: label(s) := label(s)∪{⟨⟨A⟩⟩Fϕ};
15: return true;
16: end if
17: end for
18: end for
19: return false;
20:end function
Algorithm 9 CHECKU (s, M, ϕ1, ϕ2, A)
1:functionCHECKU (s, M, ϕ1, ϕ2, A):
2: for �� fA
U
��
3: SCCs = findSCCS(s, M, FA(fA
U
));
4: if checkU(s, M, ϕ1, ϕ2, SCCs) = true then
5: return true;
6: end if
7: end for
8: return false;
9:end function
10:function checkU(s, M, ϕ1, ϕ2, SCCs):
11: for all scc in SCCs do
12: for all (s, M)’s successor (s’, M’) in scc do
13: �� ϕ1 ∉ label(s') �� CHECK(s’, M’, ϕ1) = false ��
14: return false;
15: end if
16: �� ϕ2 ∈ label(s') �� CHECK(s’, M’, ϕ2) = true ��
17: break;
18: end if
19: end for
20: end for
21: label(s) := label(s)∪{⟨⟨A⟩⟩(ϕ1U ϕ2)};
22: return true;
23:end function
11

The operators corresponding to Algorithms 7, 8, and 9, denoted as ⟨⟨A⟩⟩G, ⟨⟨A⟩⟩F, and ⟨⟨A⟩⟩U
respectively, all leverage Algorithm 10 to reduce the time complexity by generating strongly
connected components during the marking of process transitions. Algorithm 10 is implemented
using the conventional Tarjan’s algorithm[16-17]. In essence, it conducts a depth-first search
(DFS) to record the traversal index, denoted as index, for each node, as well as the index value
of the earliest vertex reachable from vertex v and its descendants via non-tree edges, which is
referred to as the lowlink value. This algorithm enables the identification of strongly connected
components in linear time. Consequently, the time complexity of Algorithms 7, 8, and 9 is
O(N*(V+E)), where V+E represents the total number of vertices and edges across all connected
components, and N is the number of partial strategies.
5.IMPLEMENT
We present a data structure for describing formulas termed the Formula Node Structure, which
assumes a tree-like form. In this structure, the root node represents an operator, and the child
nodes are also instances of the Formula Node Structure, denoting the data structure for the sub-
formulas of the operator. This structure is simple and conducive to recursive calls on sub-
formulas.For example, the Formula Node structure of ⟨⟨A⟩⟩(ϕ1U ϕ2) is shown in Fig.2.
Algorithm 10 findSCCS(s, M, FA(fA
U
))
1:function findSCCS(s, M, FA(fA
U
)):
2: stack : = empty stack, SCCs : = empty list of scc , v : = new vertex(s, M), index : = 0;
3: strongConnect(v, SCCs , index, stack);
4: return SCCs ;
5: end function
6:�� strongConnect(v, SCCs , index, stack):
7: v.index : = index;
8: v. lowlink : = index;
9: index : = index + 1;
10: pushToStack(stack, v);
11: v.onStack : = true;
12: for all (s', M')’ in (s, M)
act
(s, M)
act
(s',M'), act ∈ FA(fA
U
)(s) do
13: w := new vertex(s', M’ );
14: if w.index is undefined then
15: strongConnect(w , SCCs , index, stack);
16: v.lowlink : = min(v.lowlink, w.lowlink);
17: �� w.onStack ��
18: v.lowlink : = min(v.lowlink, w.index);
19: end if
20: end for
21: �� v. lowlink = v. index ��
22: scc : = ∅;
23: while true do
24: w : = popFromStack(stack);
25: w.onStack : = false;
26: scc := scc ∪{w};
27: if w = v then
28: break;
29: end if
30: end while
31: SCCs := SCCs∪scc;
32: end if
33: end function
12

Fig.2. the Formula Node structure of ⟨⟨A⟩⟩(ϕ1U ϕ2)
The input consists of an EPC model and an ATLE formula ϕ. Upon receiving a formula, the
program recursively invokes sub-procedures to perform verification. Next, the implementation
of the CA(ϕ) and ⟨⟨A⟩⟩G(ϕ) operators is mainly used as an example.
The Common Knowledge operator CA(ϕ), denotes that a proposition ϕ is common knowledge
among a group of agents A. This concept implies that not only does each agent in A know ϕ,
but they also know that others know ϕ...,recursively, leading to an infinite regression of mutual
knowledge. To implement CA(ϕ) in the ATLE model, the CHECKC algorithm is designed to
confirm whether the formula ϕ holds as common knowledge among the agents in A. The
procedure begins by verifying that ϕ is satisfied for each agent in A at a given state. It then
employs an iterative approach to verify the transitive propagation of knowledge between agents
through epistemic accessibility relations RA
+
, which denote which states are accessible to each
agent based on their knowledge. To ensure common knowledge, CHECKC recursively verifies
that each agent within the set A maintains this knowledge across all related states.
The Global operator ⟨A⟩⟩G(ϕ) asserts that there exists a strategy for a coalition of agents A that
guarantees the formula ϕ remains true across all states along any path that the system might
follow. The CHECKG algorithm implements this operator by exploring the state space
iteratively, ensuring that ϕ is satisfied along every possible path dictated by the strategies
available to agents in A. The algorithm leverages depth-first search (DFS) to find strongly
connected components (SCCs) within the state space, which allows it to identify loops or
recurring states that must consistently satisfy ϕ . By locating these SCCs, the algorithm can
verify that ϕ holds globally within each component, as any failure to satisfy ϕ at any state
within an SCC would imply that Gϕ does not hold. The Strategy data structure defines the set of
actions agents can perform, guiding the exploration of state transitions recorded in the
Transition structure. Each strategy for agents in A generates different paths through the
system’s states, and the algorithm checks ϕ at each state along these paths until all possible
strategies are evaluated or a counterexample is found.
6.CASE STUDY
6.1. Modeling
Fig.3. a system for multiple drones engagement
13

With the rapid development of UAV technology, drones are now widely used in military and
civilian applications such as reconnaissance, strikes, and transport. In the military field, UAV
swarms have become a key combat strategy, where multiple drones collaborate to perform
missions like attacking targets or gathering intelligence (see Fig.3). However, UAV swarm
operations face challenges, including coordinating actions to avoid conflicts, efficiently sharing
information like target data, and ensuring mission safety and reliability against enemy
interference. Advanced modeling and verification methods are crucial to address these issues.
This study examines a cooperative system where three UAVs attack a single target under
ground control. Using Epistemic Process Calculus (EPC) and Alternating-time Temporal Logic
with Epistemic operators (ATLE), it explores modeling and verifying the system to ensure
safety and reliability.
In order to precisely model the collaborative engagement system involving multiple UAVs, a
set of atomic propositions is defined to represent the fundamental events and states of the
system:
(1) pi: UAVi has successfully struck the target.
(2) qi: the UAVi receives the attack command.
The “com” and “attack” are two actions, where “com” represents the GCS sending cognition to
all UAVs, and “attack” signifies a UAV targeting and attacking a certain objective while
transmitting cognition.
Let r=q0∧q1∧ ¬p1∧ ¬p2, the system is modelling as follows:
Pi =com(v).attack<pi>.Pi , 0 ≤ i ≤ 1
Q= com<r>.(attack(v1). attack(v0)|attack(v0).attack(v1)).Q
The labeled process of the system is defined as follows:
M0 = {P 0}UAV0
| {P 1}UAV1
|{Q}GCS
The following presents the relevant symbolic definitions and notations:
(1) Ag = {UAV0, UAV1, GCS}.
(2) S = {s0, s1, s2, s3, s4}.
(3) ES= {es0, es1, es2}.
(4) PS={{P0}UAV0={com(v).attack<p0>.P0}UAV0, {P0
'
}UAV0={attack<p0>.P0}UAV0, {P1}UAV1={com(v).
attack<p1>.P1}UAV1,{P1
'
}UAV1={attack<p1>.P1}UAV1, {Q}GCS={com<r>.(attack(v1). attack(v0)|attack
(v0).attack(v1)).Q}GCS}, {Q’}GCS={(attack(v1).attack(v0)|attack(v0).attack(v1)).Q}GCS}.
(5) MS={M0={P0}UAV0|{P1}UAV1|{Q}GCS, M1={P0
'
}UAV1|{P1
'
}UAV1|{Q’}GCS, M2={P0
'
}UAV0|{P1}UAV1|{Q’}GC
S, M3={P0}UAV0|{P1
'
}UAV1|{Q’}GCS}.
(6) AP = {p0, p1 , q0, q1}.
(7) acts={a1={com<r>}GCS, a2={attack<p0>}UAV0, a3={attack<p1>}UAV1, {τ}GCS,UAV0
, {τ}UAV0,GCS,
{τ}UAV1,GCS}.
(8) K={(s0, {τ}GCS,UAV0
,s1),(s1, {τ}UAV0,GCS,s2), (s1, {τ}UAV1,GCS,s3), (s2, {τ}UAV1,GCS,s4), (s3,
{τ}UAV0,GCS,s4),(s4, {τ}GCS,UAV0,},s1)}.
(9) ∆={ M0
{τ}GCS,UAV0
M1, M1
{τ}UAV0,GCS
M2, M1
{τ}UAV1,GCS
M3}.
(10) h0(s0) = es0, h1(s0) = es0, h2(s0) = es0, h0(s1) = es1, h1(s1) = es1, h2(s1) = es1, h0(s2) = es2, h1(s2)
= es0, h2(s2) = es0, h0(s3) = es0, h1(s3) = es2, h2(s3) = es0, h0(s4) = es2, h1(s4) = es2, h2(s4) = es2.
14

(11) T(s0)=∅ , T(s1)={q0,q1} , T(s2) ={ p1, q0, q1}, T(s3)={ p0, q0, q1}, T(s4)={ p0, p1, q0, q1}.
The aforementioned constitutes a set of pivotal information as delineated by the marked process.
Herein, Ag represents the collective of agents within the system, S denotes the set of states, ES
constitutes the collection of epistemic states, PS is the assemblage of processes for each agent,
and MS encompasses the entire array of marked processes that can be generated subsequent to
the transition of the system as a marked process. Additional definitions can be referenced in the
formal specifications provided in preceding sections. In particular, hi(sj) abstracts the epistemic
situation of agent i to form the epistemic state es. For instance, h0(s0) = es0 indicates that
UAV0 has not received an attack command. Different epistemic states under different states may
indeed be identical. s0 represents a global state that encompasses not only cognitive states but
also various physical states of the agent, including positional information and network status.
For instance, the position of an unmanned aerial vehicle being at 300 meters is a physical state,
whereas the UAV's knowledge of its own position at 300 meters constitutes its cognitive state.
The former pertains to positional information, while the latter is the focal point of this paper,
representing the UAV's cognitive state. In addition, es1 signifies that the agent is aware of the
attack command. es2 indicates that the agent is aware of the attack command and now that it
initiated an attack. Following the establishment of these formal definitions, they can be
employed as inputs, along with the definitions of relevant properties expressed using ATLE
formulas, also considered as inputs. Subsequently, model checking algorithms can be utilized to
ascertain the veracity of the specified properties.
Fig.4. the transitions of the system
Refer to Fig.4. this is the transition model of the system. (s0, M0) represents the initial
preparatory state of the system, where the Ground Control Station (GCS) issues a command for
the swarm of Unmanned Aerial Vehicles (UAVs) to initiate an attack on a specified target,
transitioning the system into state (s1, M1). S1 is the attack readiness state for two UAVs, each
of which carries out an attack action, subsequently entering states (s2, M2) and (s3, M3) ,
respectively. Following the attack actions, instructions are transmitted back to the GCS, moving
the system into state (s4, M0). Thereafter, the GCS can issue further attack commands, returning
the system to state (s1, M1), thereby establishing a recyclable chain of command.
6.2. Experiments Result
By substituting the formula into the algorithm in section 4.2 and the implement in section 5, the
ATLE logic formula can be constructed and verified. The final evaluation results are show in
the Table 3. Let A ={UAV0, UAV1, GCS} and B = {UAV0, UAV1} be two sets of agents.
15

Table 3. Some Logic Formulas Verification results.
Logic Formula Meaning Result
(s0, M0) ⊨ ⟨⟨A⟩⟩G(CA(q1 q0))
Within set A, there exists a strategy that
ensures along this subsequent path, the
cognition that “if UAV1 receives an attack
command, then UAV0 also receives the
command” becomes common knowledge.
true
(s0, M0) ⊨ ⟨⟨A⟩⟩X(K0(K1(q0))))
Within set A, there exists a strategy that in
the next state, UAV0 is aware that UAV1
knows the knowledge“UAV0 receive the
command”.
true
(s0, M0) ⊨ ⟨⟨A⟩⟩F(EA(p0)))
Within set A, there exists a strategy that
finally, every agent know the knowledge
“UAV0 struck the target”.
false
(s0, M0) ⊨ ⟨⟨A⟩⟩F(DA(q0)))
Within set A, there exists a strategy that q0
will ultimately become a piece of distributed
knowledge.
true
(s0, M0) ⊨ ⟨⟨B⟩⟩F(DA(q0)))
Within set B, there exists a strategy that, q0
will ultimately become a piece of distributed
knowledge.
false
For the first property, since the GCS sends commands synchronously to all UAVs, it is evident
that only in state (s1, M1) are commands sent, and all UAVs receive both q0 and q1. Therefore,
the property is true. For the second property, in the subsequent state (s1, M1), since h1(s1)=es1
and there are no epistemically equivalent states, it is clear that K1(q0) holds. Similarly, when
iteratively computing K0(K1(q0)), the same reasoning applies. Thus, the property is validated as
true only in state (s1, M1). For the third property, after UAV0 sends an attack command, it
transitions to state (s2, M2). In this state, both the GCS and UAV0 become aware of p0.
Therefore, the property is false. For the fourth property, once the system enters the command
loop phase, it continuously maintains the presence of q0, which represents distributed
knowledge. Hence, the property is true. For the fifth property, we have fB
U
(s0) = a1, fB
U
(s2) =
{τ}UAV0,GCS , fB
U
(s3) = {τ}UAV1,GCS , U = {s0, s2, s3} . Then we have
(s0, M0)
{τ}GCS,UAV0
(s1, M1), {τ}GCS,UAV0, ∉ fB
U
(s0)
So out(f{UAV0,UAV1}, (s0, M0)) = ∅ , the fifth property is false. Put simply, all strategies here
restrict the actions of the GCS and there is no action from the GCS that can transition to the next
state.
7.CONCLUSION AND FUTURE WORK
This paper presents a model checking framework for multi-agent systems based on Value-
passing CCS, effectively addressing the complex epistemic and communication interactions
inherent in such systems. The proposed ATLE logic and its model checking algorithm enable
the verification of key properties, demonstrated through a case study on collaborative UAV
mission. In the future, we are committed to investigating a broader spectrum of complex
scenarios to further refine and validate the robustness of this framework.
ACKNOWLEDGEMENTS
This work was supported by the Fundamental Research Funds for the Central Universities under
Grant NJ2024030.
16

REFERENCES
[1] Shi W, Wang K, Yu C, et al(2021). Artificial Intelligence Security in Multiple-Unmanned System
Cooperation[J]. Strategic Study of Chinese Academy of Engineering, 23(3): 82-89.
[2] Harikumar K, Senthilnath J, Sundaram S(2018).Multi-UAV oxyrrhis marina-inspired search and
dynamic formation control for forest firefighting[J]. IEEE Transactions on Automation Science and
Engineering, 16(2): 863-873.
[3] Firore M, TuriD(2001). Semantics of name and value passing[C]//Proceedings 16th Annual IEEE
Symposium on Logic in Computer Science. IEEE: 93-104.
[4] D'Antoni L, Veanes M(2021). Automata modulo theories[J]. Communications of the ACM,
64(5): 86-95.
[5] Ghilardi S, Gianola A, Montali M, et al(2022). Petri net-based object-centric processes with read-
only data[J]. Information Systems, 107: 102011.
[6] Ceragioli L, Gadducci F, Lomurno G, et al(2024). Effect semantics for quantum process
calculi[C]//35th International Conference on Concurrency Theory (CONCUR 2024). Schloss
Dagstuhl–Leibniz-Zentrum für Informatik.
[7] Ahmad R, Rahimi S, Gupta B( 2007). An Intelligence-Aware Process Calculus for Multi-Agent
System Modeling[C]//2007 International Conference on Integration of Knowledge Intensive Multi-
Agent Systems. IEEE: 210-215.
[8] da Silva, Paulo Salem, and Ana CV de Melo(2010). "A formal environment model for multiagent
systems." Brazilian Symposium on Formal Methods. Berlin, Heidelberg: Springer Berlin
Heidelberg.
[9] Kroiß C, Bureš T(2016). Logic-based modeling of information transfer in cyber–physical
multiagent systems[J]. Future Generation Computer Systems, 56: 124-139.
[10] Firore M, Turi D(2001). Semantics of name and value passing[C]//Proceedings 16th Annual IEEE
Symposium on Logic in Computer Science. IEEE: 93-104.
[11] Milner R. Communicating and mobile systems: the pi calculus[M]. Cambridge university press,
1999.
[12] Zhang Q, Jiang Y, Ding L(2016). Modelling and Analysis of Network Security-a Probabilistic
Value-passing CCS Approach[C]//Information and Communications Security: 17th International
Conference, ICICS 2015, Beijing, China, December 9– 11, 2015, Revised Selected Papers 17.
Springer International Publishing: 295-302.
[13] Philippou A, Michael G(2006). Verification techniques for distributed algorithms[C]//International
Conference On Principles Of Distributed Systems. Berlin, Heidelberg: Springer Berlin Heidelberg:
172-186.
[14] Alur R, Henzinger T A, Kupferman O(2002,). Alternating-time temporal logic[J]. Journal of the
ACM (JACM) 49(5): 672-713.
[15] Beutner R, Finkbeiner B(2024). On Alternating-Time Temporal Logic, Hyperproperties, and
Strategy Sharing[C]//Proceedings of the AAAI Conference on Artificial Intelligence.38(16):
17317-17326.
[16] Tarjan R(1972). Depth-first search and linear graph algorithms[J]. SIAM journal on computing,
1(2): 146-160.
[17] Gongye X, Wang Y, Wen Y, et al(2022). A simple detection and generation algorithm for simple
circuits in directed graph based on depth-first traversal[J]. Evolutionary Intelligence: 1-10.
[18] Halpern D F(2013). Thought and knowledge: An introduction to critical thinking[M]. Psychology
press.
17
AUTHORS
received the Ph.D. degree in 2001. He is now a professor in the College of Computer Science and Technology
at Nanjing University of Aeronautics and Astronautics. His current research interests include formal methods in software
engineering and logic in computer science. Zining Cao is the corresponding author. Email: caozn@nuaa.edu.cn
Zining Cao

MODEL CHECKING FOR MULTI-AGENT SYSTEMS MODELED BY EPISTEMIC PROCESS CALCULUS

More Related Content

Similar to MODEL CHECKING FOR MULTI-AGENT SYSTEMS MODELED BY EPISTEMIC PROCESS CALCULUS (20)

Recently uploaded (20)

MODEL CHECKING FOR MULTI-AGENT SYSTEMS MODELED BY EPISTEMIC PROCESS CALCULUS