Checking EMTLK Properties of Timed Interpreted Systems Via Bounded Model Checking

We investigate a SAT-based bounded model checking (BMC) method for EMTLK (the existential fragment of the metric temporal logic with knowledge) that is interpreted over timed models generated by timed interpreted systems. In particular, we translate the existential model checking problem for EMTLK to the existential model checking problem for a variant of linear temporal logic (called HLTLK), and we provide a SAT-based BMC technique for HLTLK. We evaluated the performance of our BMC by means of a variant of a timed generic pipeline paradigm scenario and a timed train controller system.


Introduction
The formalism of interpreted systems (ISs) [9] was designed to model multi-agent systems (MASs) [21] and to reason about the agents' epistemic and temporal properties. The formalism of timed interpreted systems (TISs) extends ISs to make reasoning about the real-time aspects of MASs possible. A TIS provides a computationally grounded semantics on which it is possible to interpret time-bounded temporal modalities as well as the traditional epistemic modalities.
The transition system modelling the behaviour of a TIS, which we call the timed model, comprises two kinds of transitions: action transitions, which are labelled with timeless joint actions and represent the discrete evolution of the TIS, and time transitions, which are labelled with natural numbers and correspond to the passage of time. Since time is unbounded, there are infinitely many time transitions.
The main idea of SAT-based bounded model checking (BMC) methods [7,19] consists in translating the existential model checking problem for a modal language and a transition system to the satisfiability problem of a propositional formula, and then taking advantage of the power of modern SAT solvers. The usefulness of SAT-based BMC for error tracking and its complementarity to BDD-based model checking have already been demonstrated in several works, e.g. [6,17].
To describe the requirements of MASs, various extensions of standard temporal logics [8] with epistemic [9], doxastic [13], and deontic (representing correct functioning behaviour) [14] modalities have been proposed. In this paper we consider MTLK, an epistemic extension of Metric Temporal Logic (MTL) [10] that cannot be translated into LTL (because of the semantics we consider) and that allows the quantitative temporal evolution of the agents' epistemic states to be represented. We interpret MTLK over the discrete timed models generated by TISs.
Furthermore, note that both MTL with discrete-time semantics and the S5 logic for knowledge have decidable model checking problems, [1] and [9] respectively. Since timed interpreted systems can be shown to be as expressive as the MTL structures of [1], and the fusion of MTL and S5 for knowledge is a proper extension of MTL (which we call MTLK), it follows that the model checking problem for the full fusion is also decidable. This implies that model checking of the existential fragment of MTLK (EMTLK) is decidable as well, and thus BMC methods are worth exploring.
The original contributions of the paper are as follows. First, we define timed interpreted systems as a model of MASs in which agents have real-time deadlines to achieve their intended goals. We assume the synchronous semantics of TISs, so that under this semantics the agents perform a joint action at a given time in a global state. Secondly, we introduce two languages: MTLK and HLTLK, the hard-reset linear-time temporal epistemic logic. Finally, we define and implement a SAT-based BMC technique for TISs and EMTLK. This BMC method consists of the following two steps, formally described in Sects. 3 and 4, respectively: (a) A translation of the existential model checking problem for EMTLK and TISs to the existential model checking problem for HLTLK and an augmented timed interpreted system (ATIS). This translation is necessary because of the EMTLK semantics we use: it is defined with respect to a Kripke model built from components that have their own clocks, and the values of these clocks influence the interpretation of the intervals attached to the temporal modalities. This is in contrast to the step semantics, in which the interpretation of intervals takes into account only action steps, and where the existential model checking problem for EMTLK can therefore be translated into the existential model checking problem for LTLK.
(b) A definition of a SAT-based BMC algorithm for HLTLK and for ATIS.
The proposed SAT-based BMC method for EMTLK and TISs is based on the BMC method for MTL and discrete timed automata (DTA) of [23]. The main differences between SAT-based BMC for MTL and DTA and the proposed SAT-based BMC for EMTLK and TISs are the following. Firstly, EMTLK is an epistemic extension of MTL, so the proposed method handles a more expressive language that allows one to reason not only about the temporal properties of a MAS but also about its epistemic properties. Secondly, we assume the synchronous semantics of TISs, in contrast to the asynchronous semantics of DTA (where only one local or shared action may be performed by the automata (agents) at a given time in a global state).
The rest of the paper is organised as follows. In Sect. 2 we introduce TISs, the MTLK logic, and its subset EMTLK. In Sect. 3 we show how to translate the existential model checking problem for EMTLK to the existential model checking problem for HLTLK. In Sect. 4 we provide a BMC method for HLTLK and ATISs. In Sect. 5 we discuss our experimental results, and finally in Sect. 6 we conclude the paper.

Preliminaries
Let us start by fixing some notation used throughout the paper. $\mathbb{N}$ is the set of non-negative integers, $\mathbb{N}_+ = \mathbb{N} \setminus \{0\}$, and $\mathcal{X}$ is a finite set of non-negative integer variables, called clocks. A clock valuation is a function $v : \mathcal{X} \to \mathbb{N}$ that assigns to each clock $x \in \mathcal{X}$ a non-negative integer value $v(x)$. $\mathbb{N}^{|\mathcal{X}|}$ is the set of all clock valuations. For $X \subseteq \mathcal{X}$, the valuation $v' = v[X := 0]$ is defined as: $\forall x \in X,\ v'(x) = 0$ and $\forall x \in \mathcal{X} \setminus X,\ v'(x) = v(x)$. For $\delta \in \mathbb{N}$, $v + \delta$ denotes the valuation $v'$ such that $\forall x \in \mathcal{X},\ v'(x) = v(x) + \delta$.

Timed Interpreted Systems
Let $A = \{1, \ldots, n\}$ denote the non-empty and finite set of agents, $E$ be a special agent used to model the environment in which the agents operate, and let $PV = \bigcup_{c \in A} PV_c \cup PV_E$ be a set of propositional variables such that $PV_{c_1} \cap PV_{c_2} = \emptyset$ for all distinct $c_1, c_2 \in A \cup \{E\}$. The set of agents $A$ constitutes a multi-agent system (MAS). In this paper we use timed interpreted systems to model MASs. In this formalism, each agent $c \in A$ is modelled by a non-empty and finite set $L_c$ of local states; a non-empty and finite set $Act_c$ of possible actions, including a special null action (actions are assumed to be "public"); a non-empty and finite set $\mathcal{X}_c$ of clocks; a protocol function $P_c : L_c \to 2^{Act_c}$ that defines the rules according to which actions may be performed in each local state; a (partial) evolution function $t_c$ (its arguments are called a joint action and an enabling condition, respectively) which defines the local transitions; a valuation function $V_c : L_c \to 2^{PV_c}$ which assigns to each local state the set of propositional variables assumed to be true at that state; and an invariant function $I_c : L_c \to C(\mathcal{X}_c)$ which specifies the amount of time agent $c$ may spend in its local states. We assume that if ... Similarly to the other agents, the environment $E$ is modelled by a non-empty and finite set $L_E$ of local states, a non-empty and finite set $Act_E$ of possible actions, a non-empty and finite set $\mathcal{X}_E$ of clocks, a protocol function

and an invariant function
For a given timed interpreted system $\mathcal{I}$ we define a timed model as a tuple $M = (\Sigma, \iota, S, T, V)$, where $\Sigma = Act \cup \mathbb{N}$ is the set of labels (i.e., joint actions and natural numbers), $S$ is the set of all possible global states as defined above, $V : S \to 2^{PV}$ is the valuation function defined as $V(s) = \bigcup_{c \in A} V_c(l_c(s))$, and $T \subseteq S \times \Sigma \times S$ is the transition relation defined by action and time transitions: We assume that the relation $T$ is total, i.e., for any $s \in S$ there exist $s' \in S$ and either a non-empty joint action $a \in Act$ or a natural number $\delta \in \mathbb{N}$ such that $T(s, a, s')$ or $T(s, \delta, s')$ holds. Given a timed interpreted system and an agent $c \in A$, the indistinguishability relation $\sim_c \subseteq S \times S$ is defined as follows: $s \sim_c s'$ iff $l_c(s') = l_c(s)$ and $v_c(s') = v_c(s)$. Moreover, hereafter we assume the following definitions of the epistemic relations:

Runs and Discrete Paths
Let $M$ be a timed model generated by a TIS. An infinite sequence $\rho = s_0 \to \ldots$ of global states is called a run originating at $s_0$ if there is a sequence of transitions from $s_0$ onwards such that for every $i \in \mathbb{N}$, $s_i \in S$, $a_i \in Act$, $\delta_i \in \mathbb{N}_+$, and there exists $s'_i \in S$ such that $(s_i, \delta_i, s'_i) \in T$ and $(s'_i, a_i, s_{i+1}) \in T$. Notice that this definition does not permit two joint actions to be performed one directly after the other, i.e., between any two joint actions some time must pass; such a run is called strongly monotonic. Let ... be the sequence of pairwise disjoint intervals, where $b_0 = 0$ and $b$ ... Observe that, because runs are strongly monotonic, the discrete path is defined in a unique way.
Example 2.1. Assume the following run: The set of all paths originating from $s \in S$ is denoted by $\Pi(s)$. The set of all paths originating from all initial states in $S$ is defined as $\Pi = \bigcup_{s_0 \in \iota} \Pi(s_0)$.
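The timed model and the notion of a strongly monotonic run above, as an added worked example that is not code from the paper: a small explicit-state timed model in Python with action transitions (agents sharing an action name synchronise, as under the synchronous semantics) and time transitions (all clocks advance, invariants must hold), and an existential check of a time-bounded eventually over strongly monotonic runs. The `Agent`/`TimedModel` classes, the unit-step search, and the producer/consumer agents at the bottom are all constructed here as assumptions and are not the paper's TGPP.

```python
"""Added example (not from the paper): explicit-state timed model in the
style of Sect. 2.  Modelling choices (guard/invariant form, synchronisation
on shared action names, unit time steps) are assumptions."""
from collections import deque
from itertools import product

NULL = "null"  # stands in for the paper's null-action symbol


class Agent:
    def __init__(self, name, clocks, init, trans, invariant):
        # trans entries: (src, action, guard, resets, dst); a guard maps a clock
        # to (lo, hi) with hi=None meaning "no upper bound"; invariant maps a
        # local state to {clock: max} (the assumed form of I_c).
        self.name, self.clocks, self.init = name, clocks, init
        self.trans, self.invariant = trans, invariant
        self.actions = {a for (_, a, _, _, _) in trans}

    def local_steps(self, loc, val, action):
        """(resets, dst) pairs of `action` enabled at local state (loc, val)."""
        return [(resets, dst) for (src, a, guard, resets, dst) in self.trans
                if src == loc and a == action
                and all(lo <= val[x] and (hi is None or val[x] <= hi)
                        for x, (lo, hi) in guard.items())]

    def inv_ok(self, loc, val):
        return all(val[x] <= mx for x, mx in self.invariant.get(loc, {}).items())


class TimedModel:
    """Global state = tuple over agents of (local state, clock-value tuple)."""

    def __init__(self, agents):
        self.agents = agents

    def initial(self):
        return tuple((ag.init, (0,) * len(ag.clocks)) for ag in self.agents)

    def time_successor(self, state, delta):
        """Time transition labelled delta; None if some invariant would break."""
        nxt = []
        for ag, (loc, v) in zip(self.agents, state):
            v2 = tuple(c + delta for c in v)
            if not ag.inv_ok(loc, dict(zip(ag.clocks, v2))):
                return None
            nxt.append((loc, v2))
        return tuple(nxt)

    def action_successors(self, state):
        """All (joint action, successor) pairs; the joint null action is excluded."""
        out = []
        for joint in product(*[sorted(ag.actions | {NULL}) for ag in self.agents]):
            if all(a == NULL for a in joint):
                continue
            # synchronisation: every agent owning a chosen action name must take it
            if any(a != NULL and b != a for a in joint
                   for ag, b in zip(self.agents, joint) if a in ag.actions):
                continue
            self._apply(state, joint, 0, [], out)
        return out

    def _apply(self, state, joint, i, acc, out):
        if i == len(self.agents):
            out.append((joint, tuple(acc)))
            return
        ag, (loc, v), a = self.agents[i], state[i], joint[i]
        if a == NULL:
            return self._apply(state, joint, i + 1, acc + [(loc, v)], out)
        val = dict(zip(ag.clocks, v))
        for resets, dst in ag.local_steps(loc, val, a):
            v2 = tuple(0 if x in resets else val[x] for x in ag.clocks)
            if ag.inv_ok(dst, dict(zip(ag.clocks, v2))):
                self._apply(state, joint, i + 1, acc + [(dst, v2)], out)


def earliest_reach(model, holds, deadline):
    """Existential check of F_[0,deadline] p over strongly monotonic runs: time
    advances in unit steps, the first transition is a time transition, and at
    least one unit elapses between consecutive joint actions.  Returns the
    earliest time at which a state satisfying `holds` is reachable, or None."""
    start = model.initial()
    queue, seen, best = deque([(start, 0, False)]), {(start, 0, False)}, None
    while queue:
        state, t, may_act = queue.popleft()  # may_act: time passed since last action
        if holds(state) and (best is None or t < best):
            best = t
        nxt = []
        if t < deadline:
            s2 = model.time_successor(state, 1)
            if s2 is not None:
                nxt.append((s2, t + 1, True))
        if may_act:
            nxt += [(s2, t, False) for _, s2 in model.action_successors(state)]
        for cfg in nxt:
            if cfg not in seen:
                seen.add(cfg)
                queue.append(cfg)
    return best


# Constructed sample: the producer needs 2..4 time units to prepare an item
# (invariant x <= 4 forces it to act by then) and hands it over on the shared
# action "send"; the consumer may hold an item for at most 3 units.
PRODUCER = Agent("P", ["x"], "Ready",
                 [("Ready", "produce", {"x": (2, 4)}, {"x"}, "Loaded"),
                  ("Loaded", "send", {}, {"x"}, "Ready")],
                 {"Ready": {"x": 4}})
CONSUMER = Agent("C", ["y"], "Wait",
                 [("Wait", "send", {}, {"y"}, "Got"),
                  ("Got", "consume", {"y": (1, None)}, {"y"}, "Wait")],
                 {"Got": {"y": 3}})
MODEL = TimedModel([PRODUCER, CONSUMER])


def earliest_delivery(deadline):
    """Earliest time within `deadline` at which the consumer holds an item."""
    return earliest_reach(MODEL, lambda s: s[1][0] == "Got", deadline)
```

Because the first transition of a run must be a time transition and at least one time unit must elapse between joint actions, the earliest delivery is at time 3 (produce at 2, send at 3), so `earliest_delivery(2)` returns `None` while `earliest_delivery(3)` returns `3`; the search is finite since clock values never exceed the deadline.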

Examples of MASs and Their Models
In this section we present MASs modelled by means of timed interpreted systems. We use these systems to assess the bounded model checking methods considered in the paper. In what follows we denote by the joint null action the action composed of null actions only.

Timed Generic Pipeline Paradigm (TGPP).
The TGPP (adapted from [18]) consists of n + 2 agents: Producer P, which is able to produce data (ProdReady) within a certain time interval [a, b] or to be inactive (ProdSend); Consumer C, which is able to receive data (ConsReady) within a certain time interval [c, d], to consume data (ConsFree) within a certain time interval [g, h], or to be inactive (ConsStart); a chain of n intermediate Nodes $N_i$, which can be ready to receive data ($Node_i Ready$) within a certain time interval [c, d], process data ($Node_i Proc$) within a certain time interval [e, f], send data ($Node_i Send$), or be inactive ($Node_i Start$); and the environment E. The local states, the possible local actions, the local clocks, the clock constraints, invariants and the local protocol for each agent except the environment E are shown in Figure 1. Null actions are omitted in the figure. For the environment E, to simplify the presentation, we consider just one local state: The set of clocks of E is empty, and the invariant function is From Figure 1 we can easily deduce the local evolution functions of each agent. As an example, we show the definition of the local evolution function of Producer P; the remaining ones are equally straightforward.
The example can be scaled by adding Nodes, or by changing the lengths of the intervals (i.e., the parameters a, b, c, d, e, f, g, h) that adjust the timing properties of Producer P, Consumer C, and the Nodes $N_i$ (i = 1, ..., n).
It should be straightforward to infer the timed model induced by the above description of the TGPP scenario. In the timed model of the scenario we assume the following set of propositional variables: PV = {ProdSend, ConsReady, ConsFree}, and the following valuation functions for the Producer and the Consumer:

A Timed Train Controller System (TTCS).
The TTCS (adapted from [20]) consists of n (n ≥ 2) trains $T_1, \ldots, T_n$, each using its own circular track for travelling in one direction and having its own clock $y_i$, together with a controller C used to coordinate the access of the trains to a tunnel through which all trains have to pass at a certain point, and the environment E. Because there is only one track in the tunnel, trains arriving from different directions cannot use it simultaneously. There are signals on both sides of the tunnel, which can be either red or green. All trains notify the controller when they request entry to the tunnel and when they leave it. The controller controls the colour of the displayed signal, and the behaviour of the scenario depends on the values δ and Δ (Δ > δ + 3 makes it incorrect: mutual exclusion does not hold).
Figure 2 shows the local states, the possible local actions, the local clocks, the clock constraints, invariants, and the local protocol for each agent except the environment E. Null actions are omitted in the figure. Being at state away, train $T_i$ may express its will to enter the tunnel, provided that the value of controller C is zero (i.e., no other train has already done the same). It then advances to state try, where it delays for an arbitrary amount of time, less than Δ time units, before setting C to i. From there on, it is ready to enter the tunnel; however, a minimum amount of time δ is necessary for this. Upon leaving the tunnel, the train sets C to 0.
Controller C has n + 1 states, denoting that all trains are away (state 0), and the numbers of trains, i.e., 1, . . ., n. Controller C is initially at state 0. It moves to state i, if it is notified by train T i .Being at state i, it can either move to state 0, or "jump" to state j when notified by train T j .
The action Start i of train T i denotes the passage from state away to the state where the train wishes to obtain access to the tunnel.As it has been already said, this is allowed only if controller C is in state 0. The restriction is ensured by the fact that train T i synchronises with controller C on action Start i , and the latter is enabled only from state 0 of C. Similarly, train T i synchronizes with controller C on action approach i , which denotes setting C to state i, as well as out i , which denotes setting C to state 0. Finally, action in i denotes the entering of train T i into the tunnel.
For the environment E, to simplify the presentation, we consider just one local state: The set of clocks of E is empty, and the invariant function is From Figure 2 we can easily deduce the local evolution functions of each agent. As an example, we show the definition of the local evolution function of train $T_1$; the remaining ones are equally straightforward.
Let $state$ denote a local state of train $T_1$, and ... and $Act_E = \{\,{}_E\}$. Moreover, let $a \in Act$, and let $act_{T_i}(a)$, $act_C(a)$ and $act_E(a)$, respectively, denote the action of the i-th train, the controller, and the environment in $a$. The local evolution function of train $T_1$ is the following: We can define the set of possible global states S for the scenario as the product and we consider the following set of initial states $\iota = \{s_0\}$, where $s_0 = ((away, 0), \ldots, (away, 0), 0, \bullet)$.
The example can be scaled by adding trains or by changing the time-delay constants δ and Δ. Note that whether the mutual exclusion property (no two trains are in the tunnel at the same time) is preserved depends on the relative values of δ and Δ. In particular, the following holds: "A timed train controller system ensures mutual exclusion iff Δ ≤ δ + 3".
It should be straightforward to infer the timed model induced by the above description of the TTCS scenario. In the timed model of the scenario we assume the following set of propositional variables: $PV = \{tunnel_i \mid i = 1, \ldots, n\}$, and the following valuation functions for the trains: $V_{T_i}(tunnel) = \{tunnel_i\}$, for i = 1, ..., n.

Let
The temporal modalities $U_I$ and $G_I$ are called bounded until and bounded globally, respectively. The derived basic temporal modalities, bounded eventually and bounded release, are defined as follows: , then we omit it for simplicity of presentation. The epistemic operator $K_c$ represents "agent c knows", while $\overline{K}_c$ is its dual, representing "agent c considers possible". The epistemic operators $D_\Gamma$, $E_\Gamma$ and $C_\Gamma$ represent distributed knowledge in the group Γ, "everyone in Γ knows", and common knowledge among the agents in Γ, respectively. $\overline{D}_\Gamma$, $\overline{E}_\Gamma$ and $\overline{C}_\Gamma$ are the corresponding duals.
EMTLK is the existential fragment of MTLK, defined as: Observe that we assume MTLK (and so EMTLK) formulae are given in negation normal form, in which negation is applied only to propositional variables. Moreover, EMTLK is existential only with respect to the epistemic modalities.
Turning to semantics, MTLK formulae are interpreted over timed models. Let Y ∈ {D, E, C}. The satisfaction relation $\models$, which indicates truth of an MTLK formula in the timed model M along a path $\lambda_\rho$ at time t, is defined inductively with the classical rules for the propositional operators and with the following rules for the temporal and epistemic modalities: The MTLK formula ϕ holds in the model Example 2.2. Consider the TTCS described in Sect. 2.3.2 for two trains $T_1$ and $T_2$, Δ = 5 and δ = 1 (mutual exclusion does not hold), the EMTLK formula $\varphi = F_{[0,9)}(tunnel_1 \wedge tunnel_2)$, and the run ρ with the following prefix: ((away, 0), (away, 0), 0, •)
To solve the universal model checking problem, one negates the formula and shows that the existential model checking problem for the negated formula has no solution. Intuitively, we try to find a counterexample; if none exists, the formula is universally valid. Since bounded model checking is designed for solving the existential model checking problem, in this paper we only consider EMTLK properties. For example, looking for a counterexample to $M \models \forall F_{[0,10)} K_c p$ corresponds to the query whether there exists a witness for $M \models G_{[0,10)} \overline{K}_c \neg p$.

From EMTLK to HLTLK
The translation of the existential model checking problem for EMTLK to the existential model checking problem for HLTLK, a language defined below and interpreted over an abstract model of an augmented timed interpreted system, is based on [22], where a translation of the existential model checking problem for Metric Interval Temporal Logic (MITL) [2] with a dense-time and interleaving semantics over timed automata to the existential model checking problem for HLTL with an interleaving semantics over the region graph was introduced.
The reasons for redefining the translation of [22] in the discrete-time context, and for extending it to full MTL with epistemic components, are the following. First, the discrete-time semantics is interesting in itself. Secondly, we can take advantage of the finite-state nature of discrete time and apply techniques that cannot be applied directly to dense time. Namely, in our case we can apply the BMC technique directly to the proposed abstract model. In the dense-time case this step is impossible, since the abstract model must first be discretised before BMC can be applied, and the discretisation process requires additional theoretical background showing that the discretisation preserves the logic considered.
We begin the section by introducing the definitions of the augmented timed interpreted system, its abstract model, and paths in this model. Then, we define the HLTLK language. Next, we show how to translate an EMTLK formula ϕ into an HLTLK formula H(ϕ), and finally we prove the correctness and completeness of the proposed translation.

An Augmented Timed Interpreted System
Let $\mathcal{I} = (\{L_c, Act_c, \mathcal{X}_c, P_c, t_c, V_c, I_c\}_{c \in A \cup \{E\}}, \iota)$ be a timed interpreted system, ϕ an EMTLK formula, and m the number of intervals appearing in ϕ. An augmented timed interpreted system (ATIS) is defined as a tuple ... with: • $\mathcal{X}'_E = \mathcal{X}_E \cup Y$, where $Y = \{y_1, \ldots, y_m\}$ is a set of new clocks corresponding to the time intervals appearing in ϕ, one clock $y_i$ per time interval; each clock $y_i$ measures the passage of time for the i-th interval. • ... • ... such that for all $c \in A$ and all $x \in \mathcal{X}_c$ it holds that $v_c(x) = 0$, and for all $x \in \mathcal{X}'_E$ it holds that $v_E(x) = 0$.
Example 3.1. Consider the TTCS described in Sect. 2.3.2. In the TIS model of the system the environment E is modelled as follows. The set of local states is ... In the ATIS model $\mathcal{I}_\varphi$ of the TTCS for an EMTLK formula ϕ with two intervals (e.g., ...

A Model for ATIS
Let ϕ be an EMTLK formula, m the number of intervals appearing in ϕ, $PV' = PV \cup PV_y$ with $PV_y = \{q_{y_h \in I_h} \mid h = 1, \ldots, m\}$, and ... is the transition relation defined by action and time transitions. Let $a \in Act$: Note that each transition is followed by a possible reset of the new clocks. This ensures that the new clocks can be reset along the evolution of the system whenever needed.
Given an ATIS one can define the indistinguishability relation $\sim_c \subseteq S_\varphi \times S_\varphi$ for agent c as follows: $s \sim_c s'$ iff $l_c(s) = l_c(s')$ and $v_c(s) = v_c(s')$.
Observe that the above definition of a path ensures that the first transition is a time transition, and that between any two action transitions at least one time transition appears.
For a path π, $\pi(i)$ denotes the i-th state $s_i$ of π, $\pi^i = (s_i, s_{i+1}, \ldots)$ denotes the suffix of π starting with $\pi(i)$, $\Pi_\varphi(s)$ denotes the set of all paths starting at $s \in S_\varphi$, and $\Pi_\varphi = \bigcup_{s_0 \in \iota} \Pi_\varphi(s_0)$ denotes the set of all paths originating from all initial states in $S_\varphi$.

The HLTLK Language
Let ϕ be an EMTLK formula, m the number of intervals in ϕ, h = 1, ..., m, $p \in PV'$, $c \in A$, and $\Gamma \subseteq A$. The HLTLK formulae in negation normal form are given by the following grammar: The symbols $U_h$ and $G_h$ denote the indexed until and indexed globally modalities, respectively. The meaning of until and globally is standard. The index h denotes the number of the clock that is set to zero at the starting point of the path along which the until (globally) is interpreted.
The symbols $K_c$, $E_\Gamma$, $D_\Gamma$, and $C_\Gamma$ denote the existential epistemic modalities as defined in the previous section. In addition, we introduce some useful derived temporal modalities: Turning to semantics, HLTLK formulae are interpreted over abstract models $M_\varphi$. Let Y ∈ {D, E, C}, t ≥ 0, π a path in $M_\varphi$, and $\pi' = \Upsilon^t_{y_h}(\pi)$. The satisfaction relation $\models$, which indicates truth of an HLTLK formula ψ in the abstract model $M_\varphi$ along a path π at time t (in symbols $M_\varphi, \pi^t \models \psi$), is defined inductively with the classical rules for the propositional operators and with the following rules for the temporal and epistemic modalities: We use the notation $M_\varphi \models \psi$ iff $M_\varphi, \pi^0 \models \psi$ for some $\pi \in \Pi_\varphi$. The existential model checking problem consists in finding out whether $M_\varphi \models \psi$.

Translation and Its Correctness
Let ϕ be an EMTLK formula, $p \in PV$, I an interval, $y \in Y$ the clock associated with the interval I, and h the index of the clock y. We translate ϕ inductively into the HLTLK formula H(ϕ) as follows: Observe that the length of H(ϕ) is linear in the length of ϕ. Furthermore, the translation preserves the existential model checking problem, i.e., existential model checking of ϕ over the timed model of a TIS reduces to existential model checking of H(ϕ) over the abstract model of the ATIS. Lemma 3.5. Let $\mathcal{I}$ be a timed interpreted system, ϕ an EMTLK formula, $\mathcal{I}_\varphi$ an augmented timed interpreted system, and $M_\varphi$ the abstract model for $\mathcal{I}_\varphi$. For each run ρ of $\mathcal{I}$ there exists a path $\pi_\rho$ of $M_\varphi$ that is generated by ρ.
Proof. By the definition of a run, ρ must be of the following form: ... and ... By the definition of the discrete path $\lambda_{\rho^*}$ corresponding to the run $\rho^*$, we have that for all $t \in \mathbb{N}$ and i ... Lemma 3.6. For each path λ of M there exists a path $\lambda^*$ of $M_\varphi$ that is generated by λ.
Proof. Observe that each path $\lambda = (\lambda(0), \lambda(1), \ldots)$ of M is generated by a run ρ whose states $s_i \in S$ for all $i \in \mathbb{N}$. By Lemma 3.5, there exists a path $\pi_\rho$ of $M_\varphi$ that is generated by ρ. Thus, it suffices to take $\lambda^* = \pi_\rho$. Lemma 3.7. Let $\mathcal{I}$ be a timed interpreted system, M the timed model for $\mathcal{I}$, ϕ an EMTLK formula, $\mathcal{I}_\varphi$ an augmented timed interpreted system, $M_\varphi$ the abstract model for $\mathcal{I}_\varphi$, and ρ a run of $\mathcal{I}$. For each subformula ψ of ϕ and each $t \in \mathbb{N}$, $M, \lambda^t_\rho \models \psi$ implies $M_\varphi, \pi^t_\rho \models H(\psi)$. Proof. We proceed by induction on the length of formulae.

ψ = α∨β. By the definition of the satisfiability relation we have
Proceeding by induction, it follows that $M_\varphi, \pi^i_\lambda \models H(\alpha)$. By Lemmas 3.5 and 3.6 there exists, for $\lambda_\rho$, a path $\pi_\rho$ of $M_\varphi$ generated by $\lambda_\rho$. Since $\lambda(i) \sim_c \lambda_\rho(t)$ holds, by the construction of the paths $\pi_\lambda$ and $\pi_\rho$ we have that $\pi_\lambda(i) \sim_c \pi_\rho(t)$ holds. Therefore, $M_\varphi, \pi^t_\rho \models H(K_c \alpha)$.
Lemma 3.8. Let $\mathcal{I}$ be a timed interpreted system, ϕ an EMTLK formula, $\mathcal{I}_\varphi$ an augmented timed interpreted system, and $M_\varphi$ the abstract model for $\mathcal{I}_\varphi$.
For each path π of $M_\varphi$ there exists a run ρ of $\mathcal{I}$ that is induced by π and such that for all i ≥ 0, $\pi(i)|_{\mathcal{X}} = \lambda_\rho(i)$, where $\mathcal{X} = \bigcup_{c \in A \cup \{E\}} \mathcal{X}_c$ and $\pi(i)|_{\mathcal{X}}$ denotes the state of $M_\varphi$ from which the values of the auxiliary clocks from Y have been removed.
Proof. Each path of $M_\varphi$ is of the form $\pi = (s_0, s_1, \ldots)$ with $(s_0, \tau, s_1) \in T_\varphi$, and for each i ≥ 0, ..., and either $(s_i, a_i, s_{i+1}) \in T_\varphi$ or $(s_i, \tau, s_{i+1}) \in T_\varphi$, and if $(s_i, a_i, s_{i+1}) \in T_\varphi$ holds, then $(s_{i+1}, \tau, s_{i+2}) \in T_\varphi$ holds, with $a_i \in Act$ for each i ≥ 0. This implies that π has the following shape: ... $s_{k+1}, \ldots$ with i ≥ 1, j > i, and k > j. Thus, the path π is generated by the following run $\rho^*$ of $\mathcal{I}_\varphi$: ..., and so on. Now, assume that ... for all i ≥ 0, and consider the following run $\rho = r_0, \ldots$ and for all i > 0, .... Observe that ρ is a valid run of $\mathcal{I}$, and moreover $\pi(i)|_{\mathcal{X}} = \lambda_\rho(i)$ for all i ≥ 0. Lemma 3.9. Let $\mathcal{I}$ be a timed interpreted system, M the timed model for $\mathcal{I}$, ϕ an EMTLK formula, $\mathcal{I}_\varphi$ the augmented timed interpreted system, $M_\varphi$ the abstract model for $\mathcal{I}_\varphi$, and π a path of $M_\varphi$ that is induced by a run ρ of $\mathcal{I}$. Then, for each subformula ψ of ϕ and for each ... Proof. We proceed by induction on the length of formulae.
1. ψ = p, for some $p \in PV$. We have that $M_\varphi, \pi$ ... By Lemma 3.8 there exists a run ρ' of the TIS that is induced by π'. Thus, by induction, we have ... Further, by the construction of the run of $\mathcal{I}$ in Lemma 3.8 we have that $\lambda_{\rho'}(i) \sim_c \lambda_\rho(t)$. Thus, we can conclude that $M, \lambda^t_\rho \models K_c \alpha$.
The main theorem of the section states that existential validity of the EMTLK formula ϕ over the timed model of a TIS is equivalent to existential validity of the HLTLK formula H(ϕ) over the abstract model of the ATIS. Proof. The proof of the theorem follows from Lemmas 3.7 and 3.9.
The construction of the augmented timed interpreted system for a timed interpreted system and an EMTLK formula ϕ involves an exponential blow-up, the reduction of ϕ to H(ϕ) involves only a linear blow-up, and HLTLK can be viewed as an existential LTLK; note that LTLK is a multi-dimensional logic obtained by the fusion (or independent join) [5] of LTL with $S5_n$, where n is the number of distinct epistemic modalities. Since the (symbolic) model checking problem for LTLK is in PSPACE [12], Theorem 3.10 suggests a PSPACE model checking algorithm for the existential model checking problem of EMTLK.

A SAT-Based BMC Method for HLTLK
In this section we present a SAT-based BMC method for HLTLK. In SAT-based BMC we construct a propositional formula that is satisfiable if and only if there exists a finite set of path prefixes of the underlying model that is a solution to the existential model checking problem. To construct this propositional formula we first define a bounded semantics for the underlying logic (in our case HLTLK), then encode this semantics by means of a propositional formula, and finally represent a part of the model by a propositional formula.
We begin the section by introducing the bounded semantics for HLTLK and proving that the bounded and unbounded semantics are equivalent. Then we define a translation of the existential model checking problem for HLTLK to the propositional satisfiability problem, and we formulate the theorem about the correctness and completeness of the proposed translation.
If $\pi_l$ is a loop with l < t, then $(\Psi^{t,k}_y(\pi), l) = ((s_0, \ldots, s_k), l)$ is the k-path defined as follows: (∀0 ... Example 4.5. To illustrate the notion of a k-path (Φ ... Let ϕ be an EMTLK formula, ψ = H(ϕ) the corresponding HLTLK formula, $M_\varphi$ an abstract model, k ≥ 0 a bound, and 0 ≤ t ≤ k. The bounded satisfaction relation $\models_k$, which indicates truth of ψ in $M_\varphi$ along the k-path $\pi_l$ at time t (denoted $\pi^t_l$), is defined inductively with the classical rules for the propositional operators and with the following rules for the temporal and epistemic modalities: The bounded model checking problem consists in finding out whether there exists $k \in \mathbb{N}$ such that $M_\varphi \models_k \psi$.

Equivalence of Bounded and Unbounded Semantics
Lemma 4.6. Let $M_\varphi$ be an abstract model, ψ = H(ϕ) an HLTLK formula, k > 0 a bound, $\pi_l$ a k-path in $M_\varphi$, and 0 ≤ t ≤ k. The following implication holds: ... where π is the path generated by the loop $\pi_l$.
Proof. We proceed by induction on the length of the formula ψ. The lemma follows directly for propositional variables and their negations. Consider the following cases: • $\psi = \alpha U_h \beta$ and $M_\varphi, \pi^t_l \models_k \psi$. By the definition of the bounded semantics we have that either ... Assume that (†) holds and that $\pi_l$ is a loop. By the definition of $(\Phi^{t,k}_{y_h}(\pi), l)$ we have l ≥ t. By induction and the fact that π is generated by ... Assume now that (†) holds and that $\pi_l$ is not a loop. By the definition of $\Phi^{t,k}_{y_h}(\pi)$ and by induction we have (∃i ... Thus, we have $M_\varphi, \pi^t \models \alpha U_h \beta$.
Assume now that (††) holds. Since $\pi_l$ is a loop, by the definition of $(\Psi^{t,k}_{y_h}(\pi), l)$ we have l < t. By induction and the fact that π is generated by $\pi_l$ we have (∃k ... By the definition of the bounded semantics we have ... Assume that (†) holds. Since $\pi_l$ is a loop, by the definition of $(\Phi^{t,k}_{y_h}(\pi), l)$ we have t ≤ l < k. By induction and the fact that π is generated by $\pi_l$ we have (∀i ... Assume that (††) holds. Since $\pi_l$ is a loop, by the definition of $(\Psi^{t,k}_{y_h}(\pi), l)$ we have l < t. By induction and the fact that π is generated by $\pi_l$ we have $(\forall i \geq t)\ M_\varphi, \pi^i \models \alpha$. Thus, we have $M_\varphi, \pi^t \models G_h \alpha$.
Proof. The proof can be completed by arguments similar to those in the proof of Theorem 3.1 of [4]. Proof. The proof follows from Lemma 4.7 and Lemma 4 of [17].
Proof. We proceed by induction on the length of the formula ϕ. The lemma follows directly for propositional variables and their negations. Assume that the hypothesis holds for all proper subformulae of ϕ and consider ϕ to be of the following form: If this list is empty, then α is a "pure" HLTL formula with no nested epistemic modalities. Hence, by Lemma 4.8, $M, \pi \models \psi$ implies that for some k ≥ 0 and 0 ≤ l ≤ k, $M, \pi_l \models_k \varphi$ with $\pi_l$ being the k-prefix of π.
Otherwise, introduce for each $Y_i \alpha_i$ a new proposition $q_i$, where i = 1, ..., n. By Lemma 1 of [17], we can augment with $q_i$ the labelling of each state s of M that initialises some path along which the epistemic formula $Y_i \alpha_i$ holds, and then translate the formula α into a formula α' which, in place of each subformula $Y_i \alpha_i$, contains the corresponding proposition $q_i$. Thus we obtain a "pure" HLTL formula. Hence, by Lemma 4.8, $M, \pi \models \varphi$ implies that for some k ≥ 0 and 0 ≤ l ≤ k, $M, \pi_l \models_k \varphi$ with $\pi_l$ being the k-prefix of π.
The following theorem shows that for some particular bound the bounded and unbounded semantics are equivalent. The proof of the theorem follows from Lemmas 4.6 and 4.9.

Translation to SAT
Let M_ϕ be an abstract model, ψ a HLTLK formula, and k ≥ 0 a bound. The presented propositional encoding of the BMC problem for HLTLK is based on the BMC encoding of [24], and it relies on defining the propositional formula [M_ϕ, ψ]_k := [M^{ψ,ι}_ϕ]_k ∧ [ψ]_{M_ϕ,k}. The definition of [M_ϕ, ψ]_k assumes that both the states and the joint actions of M_ϕ are encoded symbolically. This is possible, since both the sets of agents' states and the set of joint actions are finite. Also, since we work with a set of k-paths, we can bound the clock valuations to the set D = {0, ..., c+1}, with c being the largest constant appearing in any enabling condition or state invariant of all the agents and in the intervals appearing in ϕ. Moreover, this definition assumes knowledge of the number of k-paths of M_ϕ that are sufficient to validate ψ. To this aim, as usual, we define the auxiliary function f_k : HLTLK → IN as f_k(ψ) = f_k(ψ) + 1, where the function f_k : HLTLK → IN is defined as follows. Let p ∈ PV. Then,

Let us formally define the first conjunct of [M_ϕ, ψ]_k (i.e., [M^{ψ,ι}_ϕ]_k). We start by introducing the fundamental notation. First of all, we assume that each state s ∈ S_ϕ is represented by a vector w = ((w_1, v_1), ..., (w_n, v_n), (w_E, v_E)) (called a symbolic state) of symbolic local states. Each symbolic local state (w_c, v_c) is a pair of vectors of propositional variables; the first vector w_c encodes elements of L_c, and the second vector v_c encodes the clock valuations of agent c ∈ A ∪ {E} over D. Secondly, we assume that each joint action a = (a_1, ..., a_n, a_E) ∈ Act is represented by a vector a = (a_1, ..., a_n, a_E) (called a symbolic action) of symbolic local actions, where each symbolic local action a_c is a vector of propositional variables. Next, we assume that the time action τ is represented by a propositional variable ℘_τ, and we consider the vector u = (u_1, ..., u_t), which we call the symbolic number. It consists of propositional variables (called natural variables), and its length is t = max(1, ⌈log_2(k + 1)⌉). Finally, we assume a symbolic representation of a k-path π_l whose number is j, and we call it the j-th symbolic k-path π_j = ((w_{0,j}, ..., w_{k,j}), u_j), where 0 ≤ j < f_k(ψ), 0 ≤ i ≤ k, w_{i,j} is a symbolic state, and u_j is a symbolic number.
Let w and w′ be two different symbolic states, a a symbolic action, and u a symbolic number. We assume definitions of the following auxiliary propositional formulae:

• p(w) - encodes the set of states of M_ϕ in which p ∈ PV holds.
• I_s(w) - encodes the state s of M_ϕ.
• H_c(w, w′) - encodes the equality of two local states and two local clock valuations of agent c ∈ A.
• H(w, w′) := ⋀_{c∈A} H_c(w, w′) - encodes the equality of two global states.
• H_{h=0}(w, w′) - encodes the equality of two global states on local states and values of the original clocks, and the equality of values of the new clocks (i.e., clocks from Y) but the value of clock y_h.
• H_{=h}(w, w′) - encodes the equality of two global states on local states and on values of the original clocks, and on the values of the new clocks with the potential exception of clock y_h. For clock y_h the formula guarantees that its value in the second global state is greater than zero.
• N_{∼j}(u) - encodes that the value j is in the arithmetic relation ∼ ∈ {<, ≤, =, ≥, >} with the value represented by the symbolic number u.
• T_Act(w, a, w′) - encodes the action transition relation of M_ϕ.
• H_X(w, w′) - encodes the equality of two global states on local states and values of the original clocks.
• L^l_k(π_j) := N_{=l}(u_j) ∧ H_X(w_{k,j}, w_{l,j}), where π_j is the j-th symbolic k-path.
Having introduced the fundamental auxiliary propositional formulae, we can formally define the propositional formula [M^{ψ,ι}_ϕ]_k, which encodes the unfolding of the transition relation of the abstract model M_ϕ f_k(ψ) times to the depth k. Specifically, let w_{i,j}, a_{i,j}, and u_j be, respectively, symbolic states, symbolic actions, and symbolic numbers, for 0 ≤ i ≤ k and 0 ≤ j < f_k(ψ). The formula [M^{ψ,ι}_ϕ]_k is defined as follows:

Let us now formally define the second conjunct of [M_ϕ, ψ]_k (i.e., [ψ]_{M_ϕ,k}), which encodes the bounded semantics of the HLTLK formula ψ. In the definition of [ψ]_{M_ϕ,k} we assume the same fundamental notation and the same crucial ancillary propositional formulae that have been introduced above. Additionally, we assume knowledge of the auxiliary functions that are defined in [24]. Their purpose is to divide the set A ⊂ IN_+ of numbers of k-paths, with |A| = f_k(ψ), into the subsets needed for translating the subformulae of ψ. Their names and arguments are the following:

denotes the translation of α along the n-th symbolic path π_n with the starting point m by using the set

First of all, observe that in the translation of α U_h β the propositional formula encodes the part of the bounded semantics where we look for β on a k-path which is not a loop, or whose looping state is after the state t. Further, the propositional formula encodes the part of the bounded semantics where we look for β on a k-path which is a loop with l < t. Thus, β must hold at some state j between the states l and m, and α must hold at all the states from m to k and from l to j − 1.

Next, observe that in the translation of G_h α the propositional formula ensures that the k-path is a loop with l ≥ t. Further, the propositional formula encodes the part of the bounded semantics where we ensure that α holds at all the states between the states m and k. Further, the propositional formula encodes the part of the bounded semantics where we ensure that α holds between the states l + 1 and m − 1. Lastly, the propositional formula encodes the part of the bounded semantics where we ensure that α holds between the states m and k.

Finally, observe that in the translation of K_c α the propositional formula ⋁_{s∈ι_ϕ} I_s(w_{0,n}) ensures that we look for a new k-path that starts at an initial state. Next, the propositional formula encodes the part of the bounded semantics where we ensure that α holds at some state j on the new initial k-path and that this state is in the epistemic relation with the state encoded by the symbolic state w_{m,n}; the translation of the other epistemic modalities follows from the translation of K_c α.
The following theorem guarantees that the BMC problem for HLTLK and for ATIS can be reduced to the SAT problem. The theorem can be proven by induction on the length of the formula ψ. Moreover, the scheme of the proof follows closely the proof of Theorem 2 of [17].

The Timed Generic Pipeline Protocol (TGPP)
The specifications we checked for TGPP are given in the universal form, for which we verify the EMTLK formulae that are negated and interpreted existentially. For every specification given, there exists a counterexample in the model of the benchmark. Let n be the number of nodes. Then:

To apply the BMC method to the TGPP scenario and, e.g., to formula ϕ_1, we first have to define the ATIS for the given TIS and for the negation of ϕ_1. To this aim, it is enough to extend the set of clocks, the set of actions, the protocol function, and the evolution function of the environment E by taking into account the intervals appearing in ϕ_1. Since there are two intervals in ϕ_1 (i.e., I_1 = [0, ∞) and I_2 = [2n − 2, 2n + 2)) and the set X_E is empty, the new set of clocks of E is equal to {y_1, y_2}. The new set of actions of E is of the form Act_E ∪ {{y_1}, {y_2}, {y_1, y_2}}, and the new protocol is defined as P_E(•) = {ε_E, {y_1}, {y_2}, {y_1, y_2}}. Finally, the local evolution function is defined as follows: t_E(•, true, B, a) = •, if either act_E(a) = ε_E and B = ∅, or act_E(a) = B and B ∈ {{y_1}, {y_2}, {y_1, y_2}}. Having defined the ATIS for the TIS and for ϕ_1, it is straightforward to infer the model M_{ϕ_1}. Further, we need to translate the negation of ϕ_1, denoted ¬ϕ_1 (which is in EMTLK), into the HLTLK formula H(¬ϕ_1). Let p = ProdSend, q = ConsFree, and ¬ϕ_1 = F_{I_1} K_P(p ∧ G_{I_2}(¬q)). Then:

H(¬ϕ_1) = F_{y_1}(p_{y_1∈I_1} ∧ H(K_P(p ∧ G_{I_2}(¬q)))) = F_{y_1}(p_{y_1∈I_1} ∧ K_P H(p ∧ G_{I_2}(¬q))) = F_{y_1}(p_{y_1∈I_1} ∧ K_P(p ∧ H(G_{I_2}(¬q)))) = F_{y_1}(p_{y_1∈I_1} ∧ K_P(p ∧ G_{y_2}(¬p_{y_2∈I_2} ∨ ¬q))).
Finally, we apply the BMC method to the HLTLK formula H(¬ϕ_1) (similarly for H(¬ϕ_2) and H(¬ϕ_3)) and to the model M_{ϕ_1} (resp. M_{ϕ_2} and M_{ϕ_3}). Checking that the TGPP does not satisfy the properties ϕ_1, ϕ_2, and ϕ_3 can now be done by feeding a SAT solver with the propositional formulae generated in the way explained above.

The Timed Train Controller System (TTCS)
The specifications we checked for TTCS are given in the universal form, for which we verify the EMTLK formulae that are negated and interpreted existentially. Moreover, for every specification given, there exists a counterexample in the model of the benchmark.

(¬tunnel_i ∨ ¬tunnel_j)). It expresses that the system satisfies the mutual exclusion property.

¬tunnel_j))). It expresses that always, at any time in the interval [0, 2δ + 7), if Train_1 enters its critical section, then it knows that no other train will ever enter its critical section.

Analogously to TGPP, we apply the BMC method to the HLTLK formulae H(¬ϕ_4) and H(¬ϕ_5), and to the models M_{ϕ_4} and M_{ϕ_5}, respectively. Checking that the TTCS does not satisfy the properties ϕ_4 and ϕ_5 is done by feeding a SAT solver with the propositional formulae generated in the way explained in Sect. 4.6.

Performance Evaluation
For the tests we used a computer with an i7-3770 processor and 32 GB of RAM, running Arch Linux 3.19.3. We set the CPU time limit to 3600 seconds. Moreover, we used PicoSAT [3] in version 957 to test the satisfiability of the propositional formulae generated by our SAT-based BMC encoding. We did not compare our results with other model checkers for MASs, e.g. MCMAS [16] or MCK [11], simply because they do not support EMTLK and TIS.

Timed Generic Pipeline Paradigm.
The number of considered k-paths for all the tested properties is equal to 4. The length of the counterexample for formula ϕ_1 is equal to 4n + 7. The length of the counterexample for formula ϕ_2 is equal to 12 if n = 1, and 4n + 10 if n > 1. The length of the counterexample for formula ϕ_3 is equal to n + 1 if n ∈ {1, 2}, 2n − 1 if n ∈ {3, 4}, and 2n if n > 4.

Timed Train Controller System.
The number of considered k-paths for the formula ϕ_4 is equal to 2, and for the formula ϕ_5 it is equal to 3. The length of the counterexample for both formulae ϕ_4 and ϕ_5 depends on δ and is equal to 2δ + 12. We tested both formulae by separately scaling the number of trains and the value of the constant δ.

Performance Evaluation Summary.
As one can see from the line charts in Figures 3, 4, and 5, showing the total time and the memory consumption for all the tested properties, the experimental results confirm that our new SAT-based BMC for TIS and for EMTLK is indeed feasible. Moreover, we can observe that, as with other known SAT-based BMC methods, this new method is also sensitive to the size of the counterexample, where the size of the counterexample is defined as the length of the k-path in the counterexample (i.e., the value k) multiplied by the number of k-paths (i.e., the value of the function f_k). The high efficiency of our method in the case of the formula ϕ_3 results from the shorter length of the counterexample.

Conclusions
We have proposed TISs as a new formalism to model MASs with agents that have real-time deadlines to achieve intended goals and that possess private clocks. Further, we have defined, implemented, and experimentally evaluated a SAT-based BMC for TISs and for properties expressed in EMTLK. The method is based on a translation of the existential model checking problem for EMTLK to the existential model checking problem for HLTLK, and then on the translation of the existential model checking problem for HLTLK to the SAT problem.
In [15] a formalism of Real Time Interpreted Systems has been defined to model MASs with hard real-time deadlines. However, the agents of this model do not have access to private clocks, namely, all the clocks are public. This constraint, in our opinion, violates the self-governance (autonomy) of agents. Therefore, we plan to extend the TIS to a formalism that is able to model MASs with agents that have hard

which specifies the amount of time agent E may spend in its local states. It is assumed that local states, actions and clocks for E are "public". For convenience, the symbol S = ∏_{c∈A∪{E}} L_c × IN^{|X_c|} denotes the non-empty set of all global states. Next, given a global state s = ((ℓ_1, v_1), ..., (ℓ_n, v_n), (ℓ_E, v_E)) ∈ S, the symbols l_c(s) = ℓ_c and v_c(s) = v_c denote, respectively, the local component and the clock valuation of agent c ∈ A ∪ {E} in the global state s. Finally, given a set of initial global states ι ⊆ S such that for all c ∈ A ∪ {E} and for all x ∈ X_c it holds that v_c(x) = 0, a set of agents A and an environment E, a timed interpreted system (TIS) is defined as a tuple I

1. Action transition: for any a ∈ Act, (s, a, s′) ∈ T iff for all c ∈ A there exists a local transition t_c(l_c(s), l_E(s), φ_c, X′, a) = l_c(s′) such that v_c(s) |= φ_c ∧ I(l_c(s)), v_c(s′) = v_c(s)[X′ := 0] and v_c(s′) |= I(l_c(s′)), and there exists a local transition t

Figure 2. A timed train controller system

p ∈ PV, c ∈ A, Γ ⊆ A, and I be an interval in IN of the form [a, b) or [a, ∞), for a, b ∈ IN and a ≠ b. Metric temporal logic with knowledge (MTLK) in negation normal form is defined by the following grammar:

) and v_c(s) |= I(l_c(s)) and v_c(s′) = succ(v_c(s)) and v_c(s′) |= I(l_c(s)).

where Y ∈ {D, E, C}. Observe that the translation of literals, Boolean connectives, and epistemic modalities is straightforward. The translation of the U_I operator ensures that: (1) the translation of β holds in the interval I, which is expressed by the requirement H(β) ∧ p_{y∈I}; (2) the translation of α holds always before the translation of β. The translation of the G_I operator ensures that if the value of the clock y is in the interval I, then the translation of α holds.

Example 3.4. Consider the TTCS described in Sect. 2.3.2 for two trains T_1 and T_2, and the following EMTLK formula ϕ = F_{[0,∞)} K_P(p ∧ G_{[5,20)}(¬q)) with p = ProdSend, q = ConsFree. Furthermore, assume that y_1 and y_2 are clocks belonging to the set Y that correspond to the intervals I_1 = [0, ∞) and I_2 = [5, 20), respectively. Then the HLTLK formula H(ϕ) is calculated as follows:
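The translation H described above, and applied by hand to the TGPP formula in the earlier section, as an added Python example written from the stated rules (this is not the authors' implementation). It assumes that fresh clocks y_h are numbered in left-to-right order of the intervals, that F_I α is translated as F_y(p_{y∈I} ∧ H(α)) as in the worked derivation, and it runs on the Example 3.4 formula with I_1 = [0, ∞).

```python
from itertools import count

def H(f, fresh=None):
    """EMTLK -> HLTLK over nested tuples in negation normal form. Each interval
    (lo, hi), hi=None for infinity, gets a fresh clock y_h numbered left to
    right (an assumption of this example that matches the paper's derivation)."""
    fresh = fresh if fresh is not None else count(1)
    op = f[0]
    if op in ('p', 'not'):                    # literals are left unchanged
        return f
    if op in ('and', 'or'):                   # Boolean connectives: go inside
        return (op, H(f[1], fresh), H(f[2], fresh))
    if op in ('K', 'D', 'E', 'C'):            # epistemic: Y_c a -> Y_c H(a)
        return (op, f[1], H(f[2], fresh))
    lo, hi = f[1]                             # temporal operator with interval I
    h = next(fresh)                           # fresh clock y_h that replaces I
    in_I = ('y', h, lo, hi)                   # the new atom p_{y_h in I}
    if op == 'F':                             # F_I a -> F_y (p_{y in I} and H(a))
        return ('F', h, ('and', ('p', in_I), H(f[2], fresh)))
    if op == 'G':                             # G_I a -> G_y (not p_{y in I} or H(a))
        return ('G', h, ('or', ('not', in_I), H(f[2], fresh)))
    if op == 'U':                             # a U_I b -> H(a) U_y (H(b) and p_{y in I})
        return ('U', h, H(f[2], fresh), ('and', H(f[3], fresh), ('p', in_I)))
    raise ValueError(f'unknown operator {op!r}')

def new_clocks(g):
    """Indices h of the clocks y_h in an HLTLK formula: the set Y added to X_E."""
    if g[0] in ('p', 'not'):
        return set()
    own = {g[1]} if g[0] in ('F', 'G', 'U') else set()
    return own.union(*(new_clocks(x) for x in g[1:] if isinstance(x, tuple)))

def show(g):
    """Render an HLTLK formula in the paper's notation, e.g. F_y1(p_{y1∈[0,∞)} ∧ ...)."""
    def atom(a):                              # a plain proposition or p_{y_h in I}
        return a if isinstance(a, str) else f"p_{{y{a[1]}∈[{a[2]},{'∞' if a[3] is None else a[3]})}}"
    op = g[0]
    if op == 'p':   return atom(g[1])
    if op == 'not': return '¬' + atom(g[1])
    if op in ('and', 'or'):
        return f"({show(g[1])} {'∧' if op == 'and' else '∨'} {show(g[2])})"
    if op == 'U':   return f"({show(g[2])} U_y{g[1]} {show(g[3])})"
    sub = f"y{g[1]}" if op in ('F', 'G') else g[1]   # clock index or agent name
    return f"{op}_{sub}{show(g[2])}"

# Constructed input: the Example 3.4 formula F K_P(p ∧ G_[5,20) ¬q) with I_1 = [0,∞).
PHI = ('F', (0, None), ('K', 'P', ('and', ('p', 'ProdSend'),
                                   ('G', (5, 20), ('not', 'ConsFree')))))
HLTLK_PHI = H(PHI)   # F_y1(p_{y1∈[0,∞)} ∧ K_P(ProdSend ∧ G_y2(¬p_{y2∈[5,20)} ∨ ¬ConsFree)))
```

`new_clocks(HLTLK_PHI)` returns {1, 2}, i.e. the clocks y_1 and y_2 that extend the environment's clock set when the ATIS is built.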

Theorem 4.11. Let M_ϕ be an abstract model, and ψ a HLTLK formula. For every k ∈ IN, M_ϕ |=_k ψ if, and only if, the propositional formula [M_ϕ, ψ]_k is satisfiable.

Figure 3. SAT-based BMC. TGPP with n nodes. All properties.

state denote a local state of Producer P, and Act = Act_P × ∏_{i=1}^{n} Act_{N_i} × Act_C × Act_E with Act_P = {Produce, Send_1, ε_P}, Act_C = {Start_{n+1}, Send_{n+1}, Consume, ε_C}, Act_{N_i} = {Start_i, Send_i, Send_{i+1}, ε_{N_i}, Proc_i}, and Act_E = {ε_E}. Moreover, let a ∈ Act, and act_P(a), act_{N_i}(a), act_C(a) and act_E(a), respectively, denote an action of Producer P, Node I,

by the construction of π we have M_ϕ, π^{t+i} |= p_{y∈I} ∧ H(α) for all i ∈ I. Therefore, for all i ≥ t we have M_ϕ, π^{t+i} |= ¬p_{y∈I} ∨ H(α). Thus, by the semantics we get that M_ϕ, π^ρ_t |= G_h(¬p_{y∈I} ∨ H(α)), where h is the index of the clock y.