2009 Seventh IEEE International Conference on Software Engineering and Formal Methods

Coordinated Consensus Analysis of Multi-agent Systems
Using Event-B
Ninh-Thuan Truong, Thanh-Binh Trinh, and Viet-Ha Nguyen
College of Technology,
Vietnam National University, Hanoi
144 Xuan Thuy, Cau Giay, Hanoi
{thuantn,binhtt.di07,hanv}@vnu.edu.vn
Abstract—Formal specifications and reasoning techniques in
software modelling are needed to ensure the correctness of
the system at the design phase. Event-B is a formal method
with support tools that allows the stepwise development of
reactive systems. Such systems include multi-agent systems
as a subclass. In this paper, we propose an approach to
specify capabilities of a number of software agents. We then
verify whether these capabilities help the agents to accomplish
a certain task using a supported tool for Event-B. We use
the binary numeral system as a case study to illustrate our
approach.

provided for Event-B specification and proof in the Rodin
platform [1].
In this paper, we propose an approach to build a specification
of a multi-agent system and then to prove the coordinated
consensus of agents in the specification using Event-B. In
our approach, each agent is specified by an abstract machine
which sees its context machine. The context and abstract
machines of agents are later composed to form general ones
as the whole systems according to the rules of the protocol
consensus algorithms. The support tools provided by EventB enable to formally analyze the coordinated consensus of

agent specifications through the composed machines.
The rest of this paper is organized as follows. Section 2
presents an overview about multi-agent systems and EventB. Section 3 presents our main contribution of using Event-B
to specify multi-agent systems and to prove the consensus
of the coordination of some agents. We also illustrate in this
section the proposed approach by a case study, the multiagent system for calculations of binary numbers. Section 4
discusses related works. We conclude the paper and give
some perspectives in Section 5.

I. I NTRODUCTION
Coordinated consensus problems [5] have a long history of
study in computer science and their solutions have become
an important foundation of reactive systems such as multiagent systems. These problems can now be formally and
efficiently analyzed thank to the development of formal
methods in software specification and verification.
A multi-agent system [17], [19] is a collection of subsystems
in which each subsystem, called an agent, updates itself
in accordance with the information it gathers from some
of the other agents, i.e from its neighbors. In general, the
neighbors of an agent are subject to change in time which
introduces a switching behavior to the dynamics of the
system through communication links. It has been proved that
it is very important to study and understand the effect of this
varying communication topology on some common task to
be accomplished (i.e reaching a consensus) by the agents
composing the system.
The B method [2] is a formal software development method,
originally created by J.-R. Abrial. The B notations are
based on the set theory, generalized substitutions and the
first order logic. Event-B [1] is an evolution of the B

method that is more suitable for developing large reactive
and distributed systems. Software development in EventB begins by abstractly specifying the requirements of the
whole system and then refining them through several steps to
reach a description of the system in such a detail that can be
translated into code. The consistency of each model and the
relationship between an abstract model and its refinements
are obtained by formal proofs. Tool supports have been
978-0-7695-3870-9/09 $26.00 © 2009 IEEE
DOI 10.1109/SEFM.2009.24

II. P RELIMINARIES
A. Multi-agent systems
Agents are independent entities with their own goals, actions, and knowledge. An agent can be a part of the environment. Agents are explicitly modeled and interacting with
one another and with the environment. A multi-agent system
(MAS) [14] is a system composed of multiple interacting
agents. A multi-agent system can be developed to solve a
problem which is impossible or otherwise difficult for an
individual agent or monolithic system to solve.
On-line trading [12], disaster response [13], and social
structures modeling [15] are examples that have been successfully implemented as multi-agent systems.
Agents in multi-agent systems are normally reactive agents.
Reactive agents receive stimuli from the environment then
react to these stimuli by modifying their behaviors and
possibly, the environment. Reactive agents do not necessarily
have knowledge and representation of other agents in the
system.
201


(POs). In practice this verification is performed either by

model checking or theorem proving.
The unit of the machine behavior is event. An event e
acting on (a list of) state variables v, subject to enabling
condition, or guard G(v) with an action, or assignment A(v),
has syntax:

Though different agents may have their different purpose,
they share some characteristics in common: identifier, role
and organization. These three characteristics are described
as:
• identifier: each agent in the system is uniquely identified by its identifier in the multi-agent system.
• role: a role defines the behavior of an agent among
other agents in the society. For instance, in the auction
multi-agent system, Seller or Buyer are possible roles
for agents. An agent can have multiple roles in the
multi-agent system, or role of an agent can change
during the execution of the system.
• organization: agents are evolving in multi-agent systems, and belong to one or several organizations.
These organizations define the agents’ roles and the
relationships between the roles. Organizations adhere
generally to human organizations, or animal ones such
as hierarchies, markets, groups of common interest, or
herds.
A capability in a multi-agent system describes what an agent
in the system is able to do and under what circumstances.
The capabilities of agents can be specified in a language
called Capability Description Language (CDL) [18]. We can
specify the capabilities of the agents by inputs, outputs, input
constraints, output constraints and input-output constraints.


e = when G(v) then A(v) end
That is, when the state is such that the guard is true, this
enables the action, or state transition defined by A(v). A(v)
does not contain if statement, but we can specify an event
containing a conditional statement by two different events
with two guards corresponding two branches.
Refinement. A machine can be refined by another machine.
Once an abstract model is built, a refinement process is
applied to progress towards implementation. An abstract
model is transformed into a more concrete and elaborate
model by refinement. A refined model specifies the abstract
model it refines in the REFINES clause. New variables can
be introduced and the old variables can be refined into more
concrete ones. This is reflected in the substitutions of the
events as well.
One of the difference from the classical B is that new events
may also be introduced. These new events should not prevent
forever the events already present from being triggered. A
VARIANT, which is a natural number expression that the
new events must decrease, is introduced for ensuring it.
Furthermore, we can also merge several abstract events into
one single event, as well as refine one abstract event by
several events, as permitted by the event-level REFINES
clause.
Composition and Decomposition. On one hand, composition is a technique used to aggregate sub-systems and
generate larger systems. The motivation for the use of such
techniques is the reusability of sub-components and the
possibility of interaction between systems. In a distributed
application, this insight is even more important since the
intention is to have independent systems interacting with

one another, and at same time keeping all the individual
properties.
On the other hand, decomposition is the process on which
a system split into two or more parts. This process is used
when a system becomes too complex to be managed. Dividing it into sub-systems keeps the manageability/tractability.
An interesting property to be explored is the independent
refinement of each sub-system. This process must satisfy the
constraint that the re-composition of (refined) components
should be easy. In other words, the result of re-composition
can be obtained directly from the decomposition. This
property is known as compositionality. The usability of
this technique grows when applied to distributed systems:
handling a large system can become unpractical, hence
dividing it in separated sub-systems can benefit each of the
sub-systems while at the same time, it will benefit the system

B. Event-B
Event-B is a kind of formal method which combines mathematical techniques from the set theory and the first order
logic. It is used as a notation and method for the formal
development of discrete systems. Event-B is an evolution of
others formal method notations like B-Method (also know
as classical B), Z and Action Systems. It is considered as an
evolution because it simplifies the B machine notations, is
easy to learn and more suitable for parallel and distributed
reactive system development. Another advantage that EventB offers is support tools for system modeling [1].
Event-B models are described in terms of two basic constructs: contexts and machines. Contexts form the static
part of the model while machines form the dynamic part.
Contexts can extend (or be extended by) other context and
are referred (seen) by machines.
Being considered as the static part of the model, the context

is used to store, for instance, the types and constants used
during the development of the system.
The machine contains the dynamic part of the model. It
describes the system state, the operations to interact with
the environment together with the properties, conditions and
constraints on the model.
The properties of a model are defined by the machine
invariant, which must be satisfied by every state in the
system. To be consistent, we have to prove that every
event in the system preserves this invariant; this verification
requirement is expressed in a number of proof obligations

202


The disjunction of all guards of related events will not be
hold, then deadlock freeness of the model is violated. We
have to add a new event e = g , a such that g1 ∨ g2 ∨
. . . gn ∨ g hold.
Corollary 3.2: When the interaction of events is convergent,
we can obtain the convergent value by a new added event.
The proof of the Corollary 3.2 is similarly as the one of the
Corollary 3.1.
In order to analyze the coordinated consensus of the composition of the agents in a multi-agent system, we first compose
the Event-B specification of the system. The architecture of
the specification is depicted in Figure 1.

has a whole.
III. C OORDINATED CONSENSUS ANALYSIS OF
MULTI - AGENT SYSTEMS

In this section we propose an approach which allows the
composition of machines in Event-B in order to analyze
the coordinated consensus of the agents specification. We
illustrate the proposed approach via a case study of binary
number calculation.
A. Coordinated consensus analysis using Event-B composition
In multi-agent systems, each agent and their capabilities
is provided to perfom particularly tasks. These agents can
be coordinated to solve a problem which is impossible or
otherwise difficult for an individual agent or monolithic
system to solve. However, the cooperation of agents has been
lacked the consensus analysis in specification and design
tools. As a result, we propose an approach to analyse the
cooperation of agents to accomplish a task using Event-B
notation and tools.
Note that, ”consensus” means to reach an agreement between agents regarding a certain quantity of interest that
depends on the state of all agents. A ”consensus algorithm”
(or protocol) is an interaction rule that specifies the way
of information exchange between an agent and all of its
neighbors [7].
Before introducing the approach of coordinated consensus
analysis using Event-B, we give some definitions and their
corollary related to Event-B specification, they are useful in
the analysis process.

sees
Agent_1.mch

Agent_1.ctx


sees
Agent_2.mch

Agent_2.ctx
...

...
sees
Agent_n.mch

Agent_n.ctx

composition

composition

MAS.mch

Figure 1.

sees

MAS.ctx

Composition of agent machines

In this specification, the context machines of different agents
will be combined into a context machine of the system called
MAS.ctx, while the abstract machines of different agents
will be combined into a general abstract machine called

MAS.mch.
Note that composition in Event-B has been proposed earlier by Poppleton in [10]. His approach of composition is
roughly described as follows. Let M1 and M2 be two models
which are proposed to be fused. The variables and events
from each model will be combined with the ones from
the other model. That is, they concatenate the variable lists
and events, conjoin those events with common names (in a
manner to be defined) in a new model M. The variable list v
in M1 comprises the list x of actioned variables and the list
y of skipping variables for each event. Similarly variables
list w in M2 comprise the list z of actioned variables and
the list a of skipping variables for each event. They define
xz = x∩z, the common actioned variables, and ya = y∩a, the
common skipping variables. Note that the other intersecting
variable lists yz and xa are both empty, to enable meaningful
composition definitions [10].
This approach focuses on the composition of independent
events and variables of machines and on assuring the correctness of proof in the composition machine. It means that,
the events in systems do not affect results of the execution
after the composition.
In addition to the above, the composition mechanism in
Event-B has to ensure that the overall behavior of the

Definition 1 An iterative event e = g, a is convergent
when the guard g is hold and then their list of actions a
executed until g is not hold in the future.
However, when the guard g is unsatisfied, proof obligations
of deadlock freeness defined in a model machine will be
unproved. Thus, we have to add a new event e = g , a
to the model such that g ∨ g is always hold under the

execution of a or a .
Corollary 3.1: The value of a convergent iterative event can
be obtained by a new added event.
Proof Suppose that e = g, a is a convergent event.
According to the Definition 1, the guard g will be unsatisfied
at a moment in the future. Then we can define additionally a
new event e = g , a to the machine in order to get results
of variables in event e where g = ¬ g, in a simple case. ✷
Definition 2 The interaction of events which conforms to a
protocol execution is convergent when:
i. The order of events is conformed to the protocol
execution,
ii. The disjunction of all guards of related events will not
be hold at a moment in the future.

203


3) Init = Init1 , the Init event of the composition is
defined as the Init event of the first capability machine
in protocol execution.
4) ee = ∪eei where eei = Initi+1 ∪ eei , to activate the
events of the next capability, a part of its event Init
is combined to the get result event of the previous
capability.
5) eeM is the new event added to the model to get final
result of computation process.
After executing the composition, we have to optimize the
MAS model machine and its context by eliminating some
constants and variables which are redundant or unnecessary.

The principle proposed above is reasonable because it can
make the events executed in the order of the protocol
consensus. The event ec1 is executed first via the definition
Init of the machine, then the next event will be executed
via a part of the definition of the get result event of the
previous event. The convergence of each event and of the
interaction between events will be automatically proved by
the tool support of Event-B [1].

abstract model is kept and that the concrete model does not
get into two states:
• Divergence: this situation occurs when the system behaves chaotically, it happens whenever some events are
aborted.
• Deadlock: this situation occurs when no event is enabled and as a consequence, the system’s state never
change since it happens.
The first constraint (non-divergence), imposes to exhibit a
variant V, which is a well-founded structure (e.g. N,≤), is
proved to be decreased by a well-founded relation.
The second constraint (deadlock freeness) is proved by proof
obligations which state that the disjunction of the event
guards always hold under the properties of the constant and
the invariant.
The absence of the divergence and the deadlock can be
proved by the support tool of Event-B. This leads us to
the thought of applying the idea of machine composition to
compose machines of agents and to analyze the coordinated
consensus between agents. In this composition, the interaction between events plays an important role in accomplishing
a task.
Note that, in order to avoid the ambiguity in the case that
an agent may have many capabilities, we decompose it

to several model machines, each of them corresponds to
one capability. The decomposition process is applied to a
model machine which specifies an agent with more than
one capabilities [4]. Alternatively, we can also specify each
capability of the agent by a model machine at the beginning.
Suppose that, in our model, an abstract machine specifies
an agent’s capability, which is expressed by a quatro-tuple
Mi = vi , Initi , eci , eei . where vi is the list of variables, Initi
is the initial event of the agent’s machine i, eci is the list of
events which completely specify the agent capability, and eei
is the event used to obtain the result (see the Corollary 3.1).

B. Description of a case study
Supposing that in a multi-agent system, an organisation contains agents used to calculate the results of some operations
for binary numbers: BitShift, Sum and MultiDigit agents.
Multiplication for binary numbers works in the same way
as for the decimal numbers. In our multi-agent system,
we have three capabilities: multiplyWithOneDigit, shiftLeft,
and addition. These capabilities respectively belong to the
MultiDigit agent, the BitShift agent, and the Sum agent.
In the BitShift operation, the digits are shifted left or right.
The shiftLeft capability of the BitShift agent enables digits
in a binary number move a number of bits left by the
operation with the same number of right bits being filled
up by zero. For instance, if we apply the shift left operator
by one position to the binary number 00011011, we obtain
the number 00110110. The BitShift agent can be specified
by AUML as depicted in Figure 2.

Definition 3 A multi-agent system Mult is a quatro-tuple

Mult = Ag, Mact, α, Γ where:
• Ag is a finite set of agents (in a MAS),
• Mact is the set of capabilities possible in Mult,
• α : Mact → Ag assigns to each capability of Mact the
agent that performs it,
• Γ is the execution protocol between capabilities to
accomplish a task.

<<agent>> BitShift
Role
shiftLeft, shiftRight
<<capability>> shiftLeft

<<capability>> shiftRight

Organisation
Calculator

Input

Input
Protocol

binaryNumber, numShift

binaryNumber, numShift

enter−society, exit−society, compute

Then, let M = V, Init, ec, ee, eeM be the composed machine for the agent capabilities Mi , i = 1, . . . , n. Without the loss of generality, we suppose that the execution

protocol between events of agents is the ordering Γ =
[ec1 , ec2 , ec3 , ...ecn ]. The construction of M must be conformed to the following principle:
1) V = ∪vi , the list of variables of the composition
machine contains variables of agent machines
2) ec = ∪eci , the composition machine contains all
events of the agent machines

Output

Output
binaryNumber

binaryNumber

Description

Description
This capability makes the shift left a
binary number with numShift bits

Figure 2.

This capability makes the shift right a
binary number with numShift bits

Bit shift agents specification

The Sum agent is used to add or subtract two binary
numbers. The input of the Sum agent are two binary numbers
and the output is a binary number as the result of the

operation. For example:

204


+

00011011
00011011
00110110

the coordination between agents capabilities. The execution
of events in the composition machine MAS is as follows.
First, the Init event is executed. In Init event, we start
the variable value jj := 1. It enables to activate the execution of the event multiplyWithOneDigit. As this event
is proved to be a convergent event in the machine MultiDigit then it run until the guard jj ≤ size aa is not
hold. This implies the guard jj = size aa+1 hold and
thus the event multiplyWithOneDigit result is activated.
This one, as defined in the machine MultiDigit, does
not change the guard of any event. However, the event
multiplyWithOneDigit result in the machine MAS.mch contains a part of the Init event of the machine BitShift, as
defined in the principle composition above. This definition
allows to activate the event shiftLeft, etc.
The mechanism is continued until all events in the protocol
algorithm activated. If these events are not convergent, they
will run forever and proof obligations of non-divergence will
be violated. If they are convergent, the conjunction of all
related events will not be hold in the future, then the guard of
the event multiply2BinaryNumbers will be satisfied, actions
in this event are executed. As these actions do not contain

any variant, the guard of the event multiply2BinaryNumbers
thus always hold. As a result, if proof obligations of the
composition machine are preserved, the execution of the
events will be convergent.

The capabilility of the MultiDigit agent is to multiply a
binary number by one digit number (0 or 1). The input is
a binary number and a binary digit, the output is a binary
number as the result.
C. Specifying the case study in Event-B notation
Let us consider the specification of these capabilities for
agents using Event-B notations. We will use sets to represent
binary numbers. The set representation for a binary number
is a set of pairs, each pair maps a position of the number
from the right to the binary digit of the number at that
position. For example, binary number 00011011 can be
specified via set as follows:
{8 → 0, 7 → 0, 6 → 0, 5 → 1, 4 → 1,
3 → 0, 2 → 1, 1 → 1}
With this representation and ease of understanding the
algorithm, we use the conditional statement (if .. then) in the
part of actions of events. We specify the MultiDigit agent as
presented in Figure 5. The abstract machine MultiDigit.mch
in Figure 5(a) specifies the dynamic part of the system.
This machine sees the context MultiDigit.ctx depicted in
Figure 5(b).
The shiftLeft capability of the BitShift agent is specified
in Figure 6, the addition capability of the Sum agent is
specified in Figure 7. Note that, with each event corresponds to a capability, we define a new event namely
[event name] result to get the convergent value (see Corollary 3.1).

Using the three capabilities multiplyWithOneDigit, shiftLeft,
and addition in the agent organisation, we describe the
consensus algorithm of the multiplication of two binary
numbers as Algorithm 1.

IV. R ELATED WORK
In the literatures, there are many papers proposed to formalize multi-agent systems using different formal methods
in order to support the formal verification of the system.
Hilaire et al [7] proposed a general framework for modelling
multi-agent systems based on Object-Z and statecharts. This
framework focused on organisational aspects in order to
represent agents and their roles. Similarly, Regayeg et al
[11] combined Z notations and linear temporal logic to
specify the internal part of agents and the specification of
the communication protocols between agents. They proposed
general patterns and the use of Z support tools to modelcheck their specifications.
H. Fadil and J. Koning presented a work [6] involving the
use of classical B to model agents roles and interactions.
The goal of the paper is to model the interaction between
agents with a formal method that is able to check and then
prove their initial UML specification.
The paper [3] also focused on the interaction protocol
between agents using Event-B. Some patterns for the B
specification of fault tolerance protocols are proposed in the
case of agent communication.
A. Lanoix [8] proposed an approach to report their experience with the Even-B stepwise development of a situated
MAS which study the displacement of vehicles in a convoy.
In the case study, they suppose that all the vehicles move in
a simultaneous movement using Event-B to ensure a safety


Algorithm 1 Consensus algorithm of agents in the multiplication system
ar ← Multiplication2BinaryNumber(aa,bb)
1: for each ii ≤ size bb do
2:
modr ← multiplyWithOneDigit(bb[ii], aa)
3:
slr ← shiftLeft(modr, ii)
4:
cc ← addition(slr, cc)
5: end for
6: ar ← cc
Based on the consensus algorithm above and the principle
proposed in Subsection III-A, the composition of the agent
machines in the system called MAS.mch and MAS.ctx, these
are illustrated in Figure 3 and in Figure 4, respectively. We
add an event called multiply2BinaryNumbers to get the final
result of the interaction between events (see Corollary 3.2).
The support tools of the Event-B will prove the consensus of

205


context
MAS.ctx
context Sum.ctx
constants
aa
bb
size aa
size bb

size res
axioms
aa ∈ NAT1 → 0..1
bb ∈ NAT1 → 0..1
0 < size aa
0 < size bb
size aa < size res
size bb < size res
theorems
ran(aa) = ∅
ran(bb) = ∅
end

machine MAS.mch
sees MAS.ctx
variables
ii
jj
...
invariant
ii ∈ NAT
jj ∈ NAT
...
events
INIT
ii := 1
jj := 1
...
end
multiply2BinaryNumbers

when (ii = size bb+1) then
res := cc
end
multiplyWithOneDigit
when (jj ≤ size aa) then
pp(jj) := bb(ii) ∗ aa(jj)
jj := jj+1
end
multiplyWithOneDigit result
when jj = size aa+1 then
modr := pp
kk := size pp //activate shiftLeft
end
shiftLeft
when (kk > 0 ∧ kk ≤ size pp) then
if (kk > numShift) then
modr(kk) := modr(kk−numShift)
else if (kk ≤ numshift) then
modr(kk) := 0
end
kk := kk−1
end
shiftLeft result
when (kk = 0) then
slr := modr
hh := 1 //activate the addition event
end
addition
when (hh ≤ size ar) then
if (hh = size ar ∧ carry = 0) then

cc(hh+1) := 1
else
cc(hh) := (cc(hh)+slr(hh)+carry) mod 2
carry := (cc(hh)+slr(hh)+carry) div 2
hh := hh+1
end
end
addition result
when hh = size ar+1 then
ar := cc
jj := 1
ii := ii+1
end
end
Figure 3.

Figure 4.

MAS context

property of the system: no collision must occur between a
vehicle and its predecessor.
The papers above try to specify protocol execution between
tasks of agents using Z, classical B, Event-B, etc. but it did
not provide an approach to check if tasks are coordinated
consensus, that our paper proposes.
The coordinated consensus problems in multi-agent systems
have been also considered in [5], [16], [9].
R. Carli et al [5] discussed a work concerned a group
of autonomous mobile agents in order to analyse a common task, communications constraints impose limits on the

achievable control performance. Analysing the consensus
or state agreement problem, the authors characterize the
relationship between the amount of information exchanged
by the agents and the rate of convergence to the agreement.
Another approach to the coordinated consensus problem of
multi-agent systems is presented in [16]. In this approach,
the authors introduce a characterization of contraction for
bounded convex set. For discrete-time multi-agent systems,
the authors provide an upperbound on the rate of convergence to a consensus under some assumptions.
However, these papers focused on analysing coordinated
consensus problems using mathematical models, this is still
impossible to use support tools to prove the convergence of
tasks.
V. C ONCLUDING REMARKS
Multi-agent systems play an important role in developing
complex or distributed information systems. As each agent
of the system usually be designed to be autonomous and
does not aware of other agent existences, it is difficult for
developers to ensure the coordinated task of these agents
will be accomplished.
In this paper, we proposed an approach to specify multiagent systems and then verify the consensus property of

MAS machine

206


agents using Event-B. In our approach, each agent is specified by an abstract machine which sees its context machine.
A context machine here refers to the environment of the
agents. The interactions between agents are specified as

protocols or algorithms that modify machine states. The
context and machines of agents are then composed to general
ones as the whole systems according to the rules of the
protocol consensus algorithms. Then, we can use Event-B
tools to formally analyze the coordinated consensus of agent
specifications through the composed machines.
We illustrated our approach by an example of a binary
multiplication system. In this system, the result of a multiple
operation is accomplished by the collaboration of different
agents. Using Rodin platform, we proved that the system
will reach the state that provide the result.
Our approach is based on the proving ability of Event-B
tools so it cannot cope with large multi-agent systems which
have a large number of agents and complex interactions. Another limitation is that it only works with simple consensus
problems that can be specified by Event-B.
We are working to extend our approach to check the plan
of agents and to solve above limitations.

[8] Arnaud Lanoix. Event-B specification of a situated multiagent system: Study of a platoon of vehicles. In TASE
’08: Proceedings of the 2008 2nd IFIP/IEEE International
Symposium on Theoretical Aspects of Software Engineering,
pages 297–304. IEEE Computer Society, 2008.
[9] R. Olfati-Saber, J. A. Fax, and R. M. Murray. Consensus and
cooperation in networked multi-agent systems. Proceedings
of the IEEE, 95(1):215–233, 2007.
[10] Michael Poppleton. The composition of Event-B models. In
ABZ ’08: Proceedings of the 1st international conference on
Abstract State Machines, B and Z, pages 209–222. SpringerVerlag, 2008.
[11] A. Regayeg, A.H. Kacem, and M. Jmaiel. Specification and
verification of multi-agent applications using temporal Z.

In Intelligent Agent Technology Conference, pages 260–266.
IEEE Computer Society, 2004.
[12] Alex Rogers, Esther David, Nicholas R. Jennings, and Jeremy
Schiff. The effects of proxy bidding and minimum bid
increments within ebay auctions. ACM Trans. Web, 1(2):9,
2007.
[13] Nathan Schurr, Janusz Marecki, Milind Tambe, and Paul
Scerri. The future of disaster response: Humans working
with multiagent teams using defacto. In In AAAI Spring
Symposium on AI Technologies for Homeland Security, 2005.

ACKNOWLEDGEMENTS
This work is partly supported by the research grant of
College of Technology and by the research project No.
QGTD 09.02 granted by Vietnam National University, Ha
Noi. The authors would like to thank Dr. Van-Hung Dang
for his useful comments.

[14] Yoav Shoham and Kevin Leyton-Brown. Multi-agent Systems: Algorithmic, Game-Theoretic, and Logical Foundations.
Cambridge University Press, New York, 2009.
[15] Ron Sun and Isaac Naveh.
Simulating organizational
decision-making using a cognitively realistic agent model. J.
Artificial Societies and Social Simulation, 7(3), 2004.

R EFERENCES
[1] .

[16] Sezai Emre Tuna and Rodolphe Sepulchre. Quantitative
convergence analysis of multi-agent systems. In 7th IFAC

Symposium on Nonlinear Control Systems, pages 236–241,
August 2007.

[2] J.-R. Abrial. The B-Book, Assigning Programs to Meanings.
Cambridge University Press, 1996.
[3] E. Ball and M. Butler. Event-B patterns for specifying
fault-tolerance in multi-agent interaction. In Proceedings of
Methods, Models and Tools for Fault Tolerance, volume 5454
of LNCS. Springer, 2009.

[17] Gerhard Weiss. Multiagent Systems: A Modern Approach to
Distributed Artificial Intelligence. The MIT Press, 2000.
[18] G.J Wickler. Using Expressive and Flexible Action Representations to Reason about Capabilties for Intelligent Agent
Cooperation. PhD thesis, The University of Edinburgh, 1999.

[4] Michael Butler. Decomposition structures for Event-B. In
IFM’09: Proceedings of the 7th International Conference on
Integrated Formal Methods, pages 20–38, Berlin, Heidelberg,
2009. Springer-Verlag.

[19] Michael Wooldridge. An Introduction to MultiAgent Systems.
John Wiley & Sons, 2002.

[5] R Carli, F Fagnani, Speranzon, and A.Zampieri. Communication constraints in coordinated consensus problems. In
American Control Conference. IEEE, 2006.

ANNEX
Below we use Event-B to describe the specifications of
multiplyWithOneDigit, leftShift and addition capabilities of
the MultiDigit, BitShift and Sum agents, respectively.


[6] H. Fadil and J. Koning. A formal approach to model multiagent interactions using the B formal method. In International
Symposium on Advanced Distributed Systems, volume 3563
of LNCS, pages 516–528. Springer Verlag, 2005.
[7] V. Hilaire, P. Gruer, A. Koukam, and O. Simonin. Formal
specification approach of role dynamics in agent organisations: Application to the satisfaction-altruism model. Int.
Jour. of Software Engineering and Knowledge Engineering,
17(5):615–641, 2007.

207


machine MultiDigit.mch
sees MultiDigit.ctx
variables
pp
modr // Final result
jj
invariant
modr ∈ NAT1 → 0..1
pp ∈ NAT1 → 0..1
jj ∈ NAT
events
INIT
modr := ∅
pp := ∅
jj := 1
end
multiplyWithOneDigit
when (jj ≤ size aa) then

pp(jj) := digit ∗ aa(jj)
jj := jj+1
end
multiplyWithOneDigit result
when jj = size aa+1 then
modr := pp //Get results
end
end
(a) MultiDigit machine

machine BitShift.mch
sees BitShift.ctx
variables
pp //Get temporary results
slr //Result of the shift left
kk
invariant
pp ∈ NAT1 → 0..1
slr ∈ NAT1 → 0..1
kk ∈ NAT
events
INIT
pp := ∅
slr := ∅
kk := size pp
end
shiftLeft
when (kk > 0) then
if (kk > numShift) then
pp(kk) := pp(kk−numShift)

else if (kk ≤ numshift) then
pp(kk) := 0
end
kk := kk−1
end
shiftLeft result
when (kk = 0) then
slr := pp
end
end
(a) BitShift machine

context
MultiDigit.ctx
constants
aa
digit
size aa
size modr
axioms
aa ∈ NAT1 → 0..1
digit ∈ NAT
0 < size aa
0 < size modr
size modr ≥ size aa
theorems
ran(aa) = ∅
end
(b) MultiDigit context
Figure 5.


context
BitShift.ctx
constants
pp
size pp
numShift
axioms
pp ∈ NAT1 → 0..1
0 < size pp
0 < numShift
numShift < size pp
theorems
ran(pp) = ∅
end
(b) BitShift context

Event-B specification of MultiDigit agents

Figure 6.

208

Event-B specification of BitShift agents


machine Sum.mch
sees Sum.ctx
variables
cc //Get temporary results

ar // Result of the addition operation
carry
hh
invariant
cc ∈ NAT1 → 0..1
ar ∈ NAT1 → 0..1
hh ∈ NAT
carry ∈ NAT
events
INIT
cc := ∅
ar := ∅
hh := 1
carry := 0
end
addition
when (hh ≤ size ar) then
if (hh = size ar ∧ carry = 0) then
cc(hh+1) := 1
else
cc(hh) := (aa(hh)+bb(hh)+carry)
mod 2
carry := (aa(hh)+bb(hh)+carry)
div 2
hh := hh+1
end
end
addition result
when hh = size ar+1 then
ar := cc //Get results

end
end
(a) Sum machine
context MAS.ctx
constants
aa
bb
size aa
size bb
size ar
axioms
aa ∈ NAT1 → 0..1
bb ∈ NAT1 → 0..1
0 < size aa
0 < size bb
size aa < size ar
size bb < size ar
size ar < size aa+size bb
theorems
ran(aa) = ∅
ran(bb) = ∅
end
(b) Sum context
Figure 7.

Event-B specification of Sum agents

209