A Logical Framework for the Representation and Verification of Context-aware Agents

We propose a logical framework for modelling and verifying context-aware multi-agent systems. We extend CTL∗ with belief and communication modalities, and the resulting logic 𝓛OCRS allows us to describe a set of rule-based reasoning agents with bound on time, memory and communication. The set of rules which are used to model a desired systems is derived from OWL 2 RL ontologies. We provide an axiomatization of the logic and prove it is sound and complete. We show how Maude rewriting system can be used to encode and verify interesting properties of 𝓛OCRS models using existing model checking techniques.


Introduction
The vision of pervasive computing technology intends to provide invisible computing environments so that a user can utilize services at any time and everywhere [28].
Context-awareness is a key concept in pervasive computing.In context-aware pervasive computing every user may have several computing devices, where information can be collected by using tiny resource-bounded devices, including e.g., PDAs, smart phones, and wireless sensor nodes [26].These systems interact with human users, they often exhibit complex adaptive behaviours, they are highly decentralised and can naturally be implemented as multi-agent systems.An agent is a piece of software that requires to be reactive, pro-active, and that is capable of autonomous action in its environment to meet its design objectives.An agent is autonomous if it encapsulates its behaviour and internal state.This means that an agent itself has control over its own actions and behaviour.When a system is composed of multiple interacting agents it is called a multi-agent system (MAS) [29].In a MAS, agents are typically communicate via message passing and co-operate with other agents in order to achieve common goals.In many circumstances building centralized systems are quite impractical or undesirable such as pervasive systems, where MAS technology appears to be a primary choice in producing distributed information systems.In this paper, we address software reasoning agents which are capable of reasoning about their behaviour and interactions, however, an agent could be for example a robot.That is our agents are primarily viewed as doing some kind of inference over a knowledge base (KB), e.g., using forward chaining rules.
There has been considerable work in pervasive computing literature focusing on various domains including health care (see e.g., [2,8,12,19]).Much of this work concentrate on representing and reasoning about contexts.However, unlike many other context-aware application systems, in many cases health care systems are considered as safety critical systems [7].In such systems, not meeting design objectives may result in tremendous loss including possibly human lives.For example, in a non-time critical environment, where small delays due to response time are not an issue, a system may respond to queries without any concern or consideration of the time required for reasoning.However, in many situations the time taken to do the reasoning is of critical importance.Other issues include space requirements for reasoning and the number of messages that are exchanged between tiny resource-bounded devices in order to achieve their goals.This is because memory space of such a device is relatively small and its life time is inversely proportional to the number of messages it exchanges.Systematic, formal approaches to their specification and verification can allow addressing these problems.In this research work, intended systems will not only be able to facilitate knowing who is encountering what problem when and where, but also if a system finds that someone encountering some problem in a particular place at a particular moment then whether assistance seeker will receive favoured services or not, if receives then what computational (time and space) and communication resources must be devoted to its solution by each agent.
In the literature, various logical frameworks have been developed for modelling and verification of multi-agent systems (a brief state-of-the-art survey can be found in [21,22]).However, such frameworks may not be very suitable to model context-aware applications.This is because, most of those existing frameworks consider propositional logic as a simple knowledge representation language which is often not suitable for modelling real life complex systems.For example, propositional logic cannot directly talk about properties of individuals or relations between individuals.Much research in pervasive computing has been focused on incorporation of context-awareness features into pervasive applications by adapting the semantic web technology (see e.g., [12,23,27]), where description logic (DL)-based ontology languages are often used for context representation and reasoning.DL is a decidable fragment of first order logic (FOL).In [23], it has been shown how context-aware systems can be modelled as resource-bounded rule-based systems using ontologies.In that paper, the resources required by the agents to solve a given problem were considered the time and communication bandwidth.But not the space requirements for reasoning.In this paper, we propose a logical framework based on the earlier work of Alechina and colleagues [3][4][5], and the resulting L OCRS logic allows us to describe a set of ontology-driven rule-based reasoning agents with bounds on time, memory, and communication.In addition to the incorporation of space (memory) requirements for reasoning in [4], L OCRS also uses first order Horn clause rules derived from OWL 2 RL ontologies.We prove that the logic is sound and complete.While the frameworks presented in [4,5] provide a useful basis for experimentation with both the logical representation and verification of heterogeneous agents, it has become clear that a more expressive logical language is required if these frameworks are to be used for real world context-aware agents.Though the logic developed by [3] is based on FOL, memory bounds have not been imposed in that framework.The proposed framework allows us to determine how much time (measured as rule-firing cycles) are required to generate certain contexts, how many messages must be exchanged among agents, and how much space (memory) is required for an agent to do the reasoning.For verification, we show how we can encode a L OCRS model using the Maude LTL model checker [11] and verify its certain interesting resource-bounded properties.
The remainder of the paper is organized as follows.In Section 2, we discuss how contexts are represented using OWL 2 RL and SWRL.In Section 3, we describe our model of communicating multi-agent context-aware systems.In Section 4, we develop logic L OCRS , in Section 5 we present an example system and experimental results, and conclude in Section 6.

Semantic context model
We view context is any information that can be used to identify the status of an entity.An entity can be a person, a place, a physical or a computing object.This context is relevant to a user and application, and reflects the relationship among themselves [10].A context can be formally defined as a (subject, predicate, object) triple that states a fact about the subject where -the subject is an entity in the environment, the object is a value or another entity, and the predicate is a relationship between the subject and object.According to [10], "if a piece of information can be used to characterize the situation of a participant in an interaction, then that information is context".For example, we can represent contexts "Mary has Systolic Blood Pressure 120" as (Mary, hasSystolicBloodPressure, 120) and "Mary has a carer named Fiona" as (Mary, hasCarer, Fiona).Here, the caregiver of a patient is dynamically identified based on the care status of the caregiver.
Over the last decade, significant research attention has been devoted to explore the various relationships between ontology and knowledge representation.In artificial intelligence (AI) the term ontology has been used to specify a conceptualization in the context of knowledge sharing.In [14], Gruber defines conceptualization as an abstract, simplified view of the environment we want to represent.More formally, an ontology can represent a model of a domain of discourse that introduces a vocabulary to specify the concepts relevant to the domain and their relationships.That is, an ontology can be used to represent knowledge of a domain which gives a clear and coherent view of that domain, and it can be seen as playing a key role in describing the semantics of the data.Suppose we want to describe a domain named smart home; we need to consider important parts including for example, possible locations, furniture equipment, household equipment, technical equipment, and physical devices with which people can interact.By observing the scenario, some questions can be raised into the system designer's mind, for example, who are the dwellers?how many rooms are there in the home?what is the location of TV? which devices are located at what places and how they interact with each other?and so on.Based on these kind of questions we can identify the major concepts those can be used in building the ontology.For instance, "bedroom is a room that is part of the home" is a concept that has terms with relevant semantics, this concept can be formalized using first order logic as follows: The Web Ontology Language OWL built on RDF and RDFS is a semantic markup language for ontologies that provides a formal syntax and semantics for them [9].OWL ontology is essentially a set of axioms and consists of classes, individuals and properties.In the aforementioned (subject, predicate, object) triplet, subjects and objects are denoted by classes (and subclasses), while predicates are typically denoted by properties.Thus contexts can be efficiently modelled using ontologies.There are two types of properties in OWL ontologies, object properties and data properties.Object properties are binary relations which link an individual to an individual, whereas data properties link an individual to a typed data.Description logic based OWL is a good candidate for defining ontologies where automated reasoning is required.A reasoner can infer implicit facts contained in the ontology.As an example, a simple ontology about home is represented in DL Eqs.1-3.
Bedroom ∃hasDoor • Door (2) The first two axioms define the concepts "Bedroom is a room that is part of the home" and "Bedroom has a door", respectively, whereas the third axiom asserts the fact that "Mary is a dweller".A reasoner can infer that "Room has a door" which is implicit in the ontology.
For context modelling we use OWL 2 RL, a profile of the new standardization OWL 2, and based on pD * [17] and the description logic program (DLP) [13].We choose OWL 2 RL because it is more expressive than the RDFS and suitable for the design and development of rule-based systems.An OWL 2 RL ontology can be translated into a set of Horn clause rules based on [13].Furthermore, we express more complex rule-based concepts using SWRL [16] which allow us to write rules using OWL concepts.In our framework, a context-aware system composed of a set of rule-based agents, and firing of rules that infer new facts may determine context changes and representing overall behaviour of the system.
The following subsections show how we model contexts for smart spaces and perform context-awareness reasoning.

Ontology-design
There are several different approaches in designing ontologies for a domain of interest [25].One way to do this is to use bottom-up approach, in which ontology for smaller parts are constructed first, then using high-level abstract classes the desired ontology is developed.That is, bottom-up approach starts with the leaves of the hierarchy that defines the most specific classes first, and subsequently groups these classes into more general concepts.For example, we can start by defining classes for Nurse and Physician, then create a common superclass for these two classes as Formal in turn is a subclass of CareGiver and so on.
In contrast to the bottom-up approach, a top-down approach designs the upper classes first and then develops the small parts of the hierarchy.That is, top-down approach starts with defining the most general concepts in the domain first, and subsequently specializes the concepts down to the hierarchy.
In designing our smart space ontology, we adopt a top-level shared conceptualization and on top of which lower-level (domain specific) ontologies are built.The top-level ontology defines the high-level concepts that are common among different context-aware entities, independently from the application domain.Whereas the domain ontology refers to a specific domain defining the details of general concepts and their relationships.We use top-level concepts such as Location, Person, Device, Service, Activity, Time, and Medication.These conceptual entities specialize different concepts depending on the context sub-domain.For example, the Person context class defines the general feature of a person.In our home health-care modelling domain, it may be divided into Patient and CareGiver subclasses.The CareGiver class is further divided into Formal and Informal subclasses and so on.Our ontology-based context modelling provides physical representation of smart home (including its doors, windows, various locations, and so on), objects available in the smart home (including sensors and electric appliances), and users and their various activities and characteristics.It also provides (local and remote) services including operating electrical appliances, medical consultation, emergency response etc.A fragment of the ontology is depicted in Fig. 1.Note that there is no unique way to model a domain of discourse and there are always viable alternatives, however, a good way to think about modelling a domain depends on the application scenario one has in mind and its possible extensions that will be anticipated.Ontologies try to model real world scenario and therefore the concepts in the desired ontology must reflect this reality.It is an iterative process and many standard terms for health care domain already Fig. 2 A partial view of patient context ontology exist in the literature, for example, to model our domain a set of standard terms are obtained from SNOMED-CT [1], ICNP [15].
The combination of upper and domain ontologies described above, however only capture the static behaviour of a context-aware system.The context-aware systems modelled in our approach define their dynamic behaviour using Semantic Web Rule Language (SWRL).SWRL allows user to write rules using OWL concepts and its combination with OWL 2 RL provide more expressive language having greater deductive reasoning capabilities than OWL 2 RL alone.We can express more complex rule-based concepts using SWRL that cannot be modelled using OWL 2 RL.Some example rules are shown in Fig. 3a.Thus our approach of ontological representation of context-aware systems gives a clean ontology design based on the distinction between the static information represented using OWL 2 RL and the dynamic aspects of the systems go into the SWRL rules.

Context-aware reasoning
We use ontology-based reasoning to determine concept satisfiability, subsumption relations, consistency and instance checking.That is, ontology-based reasoning infers implicit contexts from explicit contexts based on class relationships and property characteristics.For example, in our ontology, hasCarer is an inverse property of takesCareOf.From user defined explicit context hasCarer (Mary, Fiona) which states that "Mary has a carer named Fiona", ontology-based reasoning can infer a new context takesCareOf(Fiona, Mary) which states that "Fiona takes care of a patient named Mary" based on the semantics owl:inverseOf.In Fig. 3b, an instance of the patient domain ontology can be, for example, "Mary" has been shown.In this figure, we asserted some low-level contexts for a patient including hasAge(Mary,65), hasPatientID (Mary,P0001) etc.It also includes some inferred contexts As we have mentioned before, OWL DL is strictly limited to certain tree structure-like axioms and cannot be used to express arbitrary axioms, for example the relation between individuals with which an individual has relations cannot be expressed using OWL DL.The SWRL rules can remove such restrictions.Furthermore, low-level contexts can be transformed into meaningful information in terms of high-level contexts, where a set of suitable rules can exploit the real meaning of some raw values of context properties.Using SWRL rules we can have a flexible reasoning mechanism that will allow us inferring new contexts based on user defined rules.Thus, whenever certain changes are detected in its context, the system can be configured to change its behavior.Our aim is to build a context-aware system through distributed rule-based agents.Therefore, we translate OWL 2 RL ontology into a set of Horn clause rules, and the combination of these translated rules and the user defined SWRL rules (those are already in the Horn clause format) provide foundational knowledge to design the desired distributed rule-based agents.Moreover, user annotated Horn clause rules will enable reasoning with users' needs.

Translation of ontologies into rules
Since OWL 2 RL is based on DLP, the set of axioms and facts of an OWL 2 RL ontology can be translated to Horn clause rules [13].In order to design an ontology-driven rule-based system, first we use the DLP framework [13] to translate an ontology to a set of Horn clause rules.In OWL 2 RL, facts are described using ClassAssertion and ObjectPropertyAssertion/DataPropertyAssertion which correspond to DL axioms of the form a : C and a, b : P , respectively, where a and b are individuals, C is a class, and P is an object/data property.Note that these facts are already in the Horn clause rule format with empty bodies.
The syntax of OWL 2 RL is asymmetric, i.e., the syntactic restrictions allowed for subclass expressions differ from those allowed for superclass expressions.For instance, an existential quantification to a class expression (ObjectSomeValuesFrom) is allowed only in subclass expressions whereas universal quantification to a class expression (ObjectAllValuesFrom) is allowed only in superclass expressions.These restrictions facilitate the translation of OWL 2 RL axioms into Horn clause rules based on the DLP framework.Translations of some of the OWL 2 RL axioms and facts into rules are given in Table 1.In the second column, complete DL statements are given which are constructed by the corresponding OWL 2 RL axioms and facts to illustrate the translation.For example, ObjectIntersectionOf ( ) is represented by the statement C 1 D 1 D 2 .The translation of SWRL rules is straightforward because they are already in the Horn clause rule format.

Context-aware systems as MASs
We model context-aware systems as multi-agent systems and rely on decentralised reasoning services and distribute context description to the agents (i.e., unlike many other agent-based context-aware systems we do not store context description managed by a central middleware).In our model a multi-agent context-aware system consists of n Ag (≥ 1) individual agents A g = {1, 2, . . ., n Ag }.Each agent i ∈ A g has a program, consisting of Horn clause rules of the form P 1 , P 2 , . . ., P n → P (derived from OWL 2 RL and SWRL), and a working memory, which contains ground atomic facts (contexts) taken from ABox representing the initial state of the system.In the rule, the antecedents P 1 , P 2 , . . ., P n and the consequent P are context information.The antecedents of the rule form a complex context which is a conjunction of n contexts.In a resource-bounded system, it is quite unrealistic to presume that a single agent can acquire and understand available contextual information and infer new contexts alone.Thus sharing knowledge among agents is an efficient way to build context-aware systems.In our model, agents share a common ontology and communication mechanism.
To model communication between agents, we assume that agents have two special communication primitives Ask(i, j, P ) and Tell(i, j, P ) in their language, where i and j are agents and P is an atomic context not containing an Ask or a Tell.Ask(i, j, P ) means 'i asks j whether the context P is the case' and Tell(i, j, P ) means 'i tells j that context P ' (i = j ).The positions in which the Ask and Tell primitives may appear in a rule depends on which agent's program the rule belongs to.Agent i may have an Ask or a Tell with arguments (i, j, P ) in the consequent of a rule; e.g., P 1 , P 2 , . . ., P n → Ask(i, j, P ) whereas agent j may have an Ask or a Tell with arguments (i, j, P ) in the antecedent of the rule; e.g., Tell(i, j, P ) → P is a well-formed rule (we call it trust rule) for agent j that causes it to believe i when i informs it that context P is the case.No other occurrences of Ask or Tell are allowed.When a rule has either an Ask or a Tell as its consequent, we call it a communication rule.All other rules are known as deduction rules.These include rules with Asks and Tells in the antecedent as well as rules containing neither an Ask nor a Tell.Note that OWL 2 is limited to unary and binary predicates and it is function-free.Therefore, in the Protégé editor all the arguments of Ask and Tell are represented using constant symbols and these annotated symbols are translated appropriately when designing the target system using the Maude specification.We now introduce the logic L OCRS which is an extension of the logic developed by [4].Our proposed approach is based on the work of [13] who show that a subset of DL languages can be effectively mapped into a set of Horn clause rules.Intuitively the set of translated rules corresponds to the ABox joined with TBox axioms ( §2.3).Let us define the internal language of each agent in the system.Let the set of agents be A g = {1, 2, ...., n Ag }, C = {C 1 , C 2 , . . .C n } be a finite set of concepts, R = {R 1 , R 2 , . . ., R n } be a finite set of roles, and A be a finite set of assertions.We also define a set Q = {Ask(i, j, P ), T ell(i, j, P )}, where i, j ∈ A g and P ∈ C ∪ R. Note that C and R are the sets of concepts and roles that appear in A. Let = {r 1 , r 2 , . . ., r n } be a finite set of rules of the form P 1 , P 2 , . . ., P n → P , where n ≥ 0, P i , P ∈ C ∪ R ∪ Q for all i ∈ {1, 2, . . ., n} and P i = P j for all i = j .For convenience, we use the notation ant (r) for the set of antecedents of r and cons(r) for the consequent of r, where r ∈ .Let g : ℘ (A) → be a substitution function that uses a forward-chaining strategy to instantiate the rule-base.We denote by G( ) the set of all the ground instances of the rules occurring in , which is obtained using g.Thus G( ) is finite.Let r ∈ G( ) be one of the possible instances of a rule r ∈ .Note that C(a), R(a, b), Ask(i, j, C(a)),  Ask(i, j, R(a, b)), T ell(i, j, C(a)), and T ell(i, j, R(a, b)) are ground facts, for all C ∈ C, R ∈ R. The internal language L includes all the ground facts and rules.Let us denote the set of all formulas by which is finite.In the modal language of L we have belief operator B i for all i ∈ A g .We assume that there is a bound on communication for each agent i which limits agent i to at most n C (i) ∈ Z * messages.Each agent has a communication counter, cp =n i , which starts at 0 (cp =0 i ) and is not allowed to exceed the value n C (i).We divide agent's memory into two parts as rule memory (knowledge base) and working memory.Rule memory holds set of rules, whereas the facts are stored in the agent's working memory.Working memory is divided into static memory (S M (i)) and dynamic memory (D M (i)).The D M (i) of each agent i ∈ A g is bounded in size by n M (i) ∈ Z * , where one unit of memory corresponds to the ability to store an arbitrary formula.The static part contains initial information to start up the systems, e.g., initial working memory facts, thus its size is determined by the number of initial facts.The dynamic part contains newly derive facts as the system moves.Only formulas stored in D M (i) may get overwritten if it is full.Note that unless otherwise stated, in the rest of the paper we shall assume that memory means D M (i).For convenience, we define the following sets:

The logic L
The syntax of L OCRS includes the temporal operators of CT L * and is defined inductively as follows: -(tautology) and start (a propositional variable which is only true at the initial moment of time) are well-formed formulas (wff) of L OCRS ; cp =n i (which states that the value of agent i's communication counter is n) is a wff of L OCRS for all n ∈ {0, . .

. , n C (i)} and i ∈ A g ; -B i C(a) (agent i believes C(a)), B i R(a, b) (agent i
believes R(a, b)), and B i r (agent i believes r) are wffs of L OCRS for any C ∈ C, R ∈ R, r ∈ and i ∈ A g ; -B k Ask(i, j, C(a)), B k Ask(i, j, R(a, b)), B k T ell(i, j, C( a)), and B k T ell(i, j, R(a, b)) are wffs of L OCRS for any C ∈ C, R ∈ R, i, j ∈ A g , k ∈ {i, j }, and i = j ; -Ifϕ and ψ are wffs of L OCRS , then so are ¬ϕ and ϕ∧ψ; -If ϕ and ψ are wffs of L OCRS , then so are Xϕ (in the next state ϕ), ϕ Uψ (ϕ holds until ψ), Aϕ (on all paths ϕ).
Other classical abbreviations for ⊥, ∨, → and ↔, and temporal operations: F ϕ ≡ Uϕ (at some point in the future ϕ) and Gϕ ≡ ¬F ¬ϕ (at all points in the future ϕ), and Eϕ ≡ ¬A¬ϕ (on some path ϕ) are defined as usual.
The semantics of L OCRS is defined by L OCRS transition systems which are based on ω-tree structures.Let (S, T ) be a pair where S is a set and T is a binary relation on S that is total, i.e., ∀s ∈ S • ∃s ∈ S • sT s .A branch of (S, T ) is an ω-sequence (s 0 , s 1 , . ..) such that s 0 is the root and s i T s i+1 for all i ≥ 0. We denote B(S, T ) to be the set of all branches of (S, T ).For a branch π ∈ B(S, T ), π i denotes the element s i of π and π ≤i is the prefix (s 0 , s 1 , . . ., s i ) of π.A L OCRS transition system M is defined as M = (S, T , V ) where -(S, T ) is a ω-tree frame -V : S × A g → ℘ ( ∪ CP ); we define the belief part of the assignment V B (s, i) = V (s, i) \ CP and the communication counter part V C (s, i) = V (s, i) ∩ CP .We further define V M (s, i) = {α|α ∈ D M (i)}.V satisfies the following conditions: 1. |V C (s, i)| = 1 for all s ∈ S and i ∈ A g .

If sT s and cp
-we say that a rule r : P 1 , P 2 , . . ., P n → P is applicable in a state s of an agent i if ant (r) ∈ V (s, i) and cons(r) / ∈ V (s, i).The following conditions on the assignments V (s, i), for all i ∈ A g , and transition relation T hold in all models: 1. for all i ∈ A g , s, s ∈ S, and r ∈ , r ∈ V (s, i) iff r ∈ V (s , i).This describes that agent's program does not change.R(a, b)}.This describes that each agent i fires a single applicable rule instance of a rule r, or updates its state by interacting with other agents, otherwise its state does not change.

for all s, s ∈ S, sT s holds iff for all
The truth of a L OCRS formula at a point n of a path π ∈ B(S, T ) is defined inductively as follows: We now describe conditions on the models.The transition relation T corresponds to the agent's executing actions act 1 , act 2 , . . ., act n Ag where act i is a possible action of an agent i in a given state s.The set of actions that each agent i can perform are: Rule i,r,β (agent i firing a rule instance r and adding cons(r) to its working memory and removing β), Copy i,α,β (agent i copying α from other agent's memory and removing β, where α is of the form Ask(j, i, P ) or Tell(j, i, P ), and I dle i (agent i does nothing but moves to the next state).Intuitively, β is an arbitrary facts which gets overwritten if it is in the agent's dynamic memory D M (i).If agent's memory is full |V M (s, i)| = n M (i) then we require that β has to be in V M (s, i).Not all actions are possible in a given state.For example, there may not be any matching rule instances.When the counter value reaches to n C (i), i cannot perform copy action any more.Let us denote the set of all possible actions by agent i in a given state s by T i (s) and its definition is given below: Definition 2 (Available actions) For every state s and agent i, ) for some m < n C (i), α is of the form Ask(j, i, P ) or Tell(j, i, P ), and β as before; 3. I dle i is always in T i (s).

Definition 3 (Effect of actions)
For each i ∈ A g , the result of performing an action act i in a state s ∈ S is defined if act i ∈ T i (s) and has the following effect on the assignment of formulas to i in the successor state s ∈ S: Now, the definition of the set of models corresponding to a system of rule-based reasoners is given below: Definition 4 M(n M , n C ) is the set of models (S, T , V ) which satisfies the following conditions: Note that the bound n C (i) on each agent i's communication ability (no branch contains more than n C (i) Copy actions by agent i) follows from the fact that Copy i is only enabled if i has performed fewer than n C (i) copy actions in the past.Below are some abbreviations which will be used in the axiomatization: This formula describes the state before the agent comes to believe formula P by the Rule transition, m is the value of i's communication counter, P and Q are ground atomic formulas.
, where α is of the form Ask(j, i, P ) or Tell(j, i, P ), i, j ∈ A g and i = j .Now we introduce the axiomatization system.

A1 All axioms and inference rules of CT L
This axiom describes that, in a given state, each agent can store maximally at most n M (i) formulas in its memory, A3 where α is of the form Ask(j, i, P ) or Tell(j, i, P ), i, j ∈ A g , j = i, m < n C (i).This axiom describes transitions made by Copy with communication counter increased.A7 EX(B i α ∧ B i β) → B i α ∨ B i β, where α and β are not of the form Ask(j, i, P ) and Tell(j, i, P ).This axiom says that at most one new belief is added in the next state.A8 B i α → AXB i α for any α ∈ S M (i) ∪ .This axiom states that an agent i ∈ A g always believes formulas residing in its static memory and its rules.α, m) for any α ∈ ∪ .This axiom says that a new belief can only be added by one of the valid reasoning actions.A10a start → cp =0 i for all i ∈ A g .At the start state, the agent has not performed any Copy actions.A10b ¬EX start.start holds only at the root of the tree.A11 B i r where r ∈ and i ∈ A g .This axiom tells agent i believes its rules.A12 ¬B i r where r / ∈ and i ∈ A g .This axiom tells agent i only believes its rules.A13 ϕ → EXϕ, where ϕ does not contain start.This axiom describes an I dle transition by all the agents.A14 i∈A g EX( α∈ i B i α ∧ cp ) for any i ⊆ .This axiom describes that if each agent i can separately reach a state where it believes formulas in i , then all agents together can reach a state where for each i, agent i believes formulas in i .
Let us now define the logic obtained from the above axiomatisation system.Definition 5 L(n M , n C ) is the logic defined by the axiomatisation A1 -A14.

Theorem 1 L(n M , n C ) is sound and complete with respect to M(n M , n C ).
Sketch of Proof.The proof of soundness is standard.The proofs for axioms and rules included in A1 are given in [24].Axiom A2 assures that at a state, each agent can store maximally at most n M (i) formulas in its memory.Axioms A3 and A4 force the presence of a unique counter for each agent to record the number of copies it has performed so far.In particular, A3 makes sure that at least a counter is available for any agent and A4 guaranties that only one of them is present.In the following, we provide the proof for A5 and A6.The proofs for other axioms are similar.
Let M = (S, T , V ) ∈ M(n M , n C ), π ∈ B(S, T ) and n ≥ 0. We assume that M, π, n |= B i r∧ P ∈ant (r) B i P ∧cp =m i ∧ ¬B i cons(r), for some r ∈ , and |V M (s, i)| ≤ n M (i).Then P ∈ V (π n , i) for all P ∈ ant (r), and cons(r) / ∈ V (π n , i).This means that the action performed by i is Rule i,r,β .According to the definition of M(n M , n C ), ∃s ∈ S • π n T s and V (s , i) = V (π n , i) \ {β} ∪ {cons(r)}.Let π be a branch in B(S, T ) such that π ≤n = π ≤n and π n+1 = s .Then we have M, π , n+1 ), and α ∈ V (π n , j), for i, j ∈ A g , i = j , and m < n C (i).This means that the action performed by i is Copy i,α,β .According to the def- Let π be a branch in B(S, T ) such that π ≤n = π ≤n and π n+1 = s .Then we have Completeness can be shown by constructing a tree model for a consistent formula ϕ.This is constructed as in the completeness proof introduced in [24].Then we use the axioms to show that this model is in M(n M , n C ).
Since the initial state of all agents does not restrict the set of formulas they may derive in the future, for simplicity we conjunctively add to ϕ a tautology that contains all the potentially necessary formulas and message counters, in order to have enough sub-formulas for the construction.We construct a model M = (S, T , V ) for We then prove that M is in M(n M , n C ) by showing that it satisfies all properties listed in Definition 4. Axioms A3 and A4 show that for any i ∈ A g , there exists a unique n ∈ {0 . . .n C } such that at a state s of M, cp =n i ∈ V (s, i).At the root s 0 of (S, T ), the construction of the model implies that there exists a maximally consistent set (MCS) 0 such that 0 ⊇ V (s 0 , i) and start ∈ 0 .Therefore, by axiom A10, it is trivial that cp =0 i ∈ V (s 0 , i).We then need to prove that ∀s ∈ S, act i ∈ T i (s), and i ∈ A g , ∃s ∈ S • sT s and V (s , i) is the result of V (s, i) after i has performed action act i .Let us consider the case when act i is Rule i,r,β ∈ T i (s) for some r ∈ .Since Rule i,r,β is applicable at s, ant (r) ⊆ V (s, i), cons(r) / ∈ V (s, i).Therefore there exists a MCS such that ⊇ V (s, i), and P ∈ant (r) B i P ∧ cp =m i ∧ ¬B i cons(r) ∈ , for some m ∈ {0, . . ., n C } and |V M (s, i)| ≤ n M (i).By axiom A5 and Modus Ponens (MP), EX(B i cons(r) ∧ cp =m i ) ∈ .Therefore, according to the construction, ∃s ∈ S • sT s , V (s , i) ⊆ for some , and B i cons(r) ∧ cp =m i ∈ .Therefore V (s , i) = V (s, i) \ {β} ∪ {cons(r)}.For the Copy i,α,β ∈ T i (s) and I dle i ∈ T i (s) actions, the proofs are similar by using MP and axioms A6 and axiom A13.Then, using axiom A14 we can show that, for any tuple of actions act 1 , act 2 , . . ., act n Ag , act i ∈ T i (s) is applicable at s ∈ S ∀i ∈ A g , then ∃s ∈ S such that V (s , i) is the result of V (s, i) after performing act i at s by agent i, ∀i ∈ A g .
Finally, we prove that ∀s, s ∈ S • sT s , ∃ a tuple of actions act 1 , act 2 , . . ., act n Ag and V (s , i) is the result of V (s, i) when agent i performs act i for all i ∈ A g .By axioms A7 and A2, V (s , i) is different from V (s, i) by at most one formula added and possibly a formula is removed.If no formula is added or removed, we consider act i to be I dle i .Let us now consider the case where a formula α is added.By axiom A9, if ) then set act i to be Copy i,α,β .Thus, we proved the existence of the tuple act 1 , act 2 , . . ., act n Ag for sT s .Therefore, M is in M(n M , n C ).

Maude encoding
We build a multi-agent rule-based context-aware system whose rules are derived from the ontology of the smart space scenario described in Section 2, and the example system is adopted from [18,19].The system consists of twelve agents, Fig. 4 depicts smart space context-aware agents their possible interactions.These are Blood Pressure Measurement Agent (1), Blood Sugar Measurement Agent (2), Heart Rate Measurement Agent (3), Smart Bed Agent (4), ACEInhibitor Box agent (5), Patient Monitor Agent (6), Communication Manager Agent (7), Palliative Care Unit (PCU) Coordinator Agent (8), General physician (formal care giver) Agent ( 9), General Nurse (formal care giver) agent (10), Relative (informal care giver) Agent (11) and Emergency Service Agent (12).Some of these agents, namely, 1, 2, 3, 4, 5 and 6 are located at the smart home, 7,8 and 12 are located at the health centre, and the location of the care givers are not fixed.However, by adding more agents the system designer can make the system much more complex.For the specification and verification of the system we use Maude LTL model checker.The choice of LTL is not essential, it is straightforward to encode a L OCRS model for a standard model checker.We use LTL because it is the logic supported by the Maude system used in our case study.We chose the Maude LTL model checker because it can model check systems whose states involve arbitrary algebraic data types.The only assumption is that the set of states reachable from a given initial state is finite.Rule variables can be represented directly in the Maude encoding, without having to generate all ground instances resulting from possible variable substitutions.We omit the encoding here, however, it is similar to [23], apart from the implementation of agents memory bounds.
The measurement agents 1, 2, and 3 are able to infer highlevel contexts from sensed low-level contexts using Horn clause rules in their KB.They can classify current blood pressure, blood sugar, and heart rate into different categories based on their current measurement values.E.g., agent 1's KB contains rules including the following: The first rule checks whether the person is a patient.The second rule is a trust rule for agent 6 that causes it to believe agent 1 when agent 1 informs it that context, for example, hasBPCategory('Mary, 'Hypertension).Agent 6 many infer various other contexts depending on the current contexts it has received from those measurement agents.The patient monitor agent also classifies the alarm levels based on the contexts and interacts with other agents.Using the second rule, agent 6 infers the context, for example, hasPrescribedDrug('Mary, 'ACEInhibitor) which prescribes the drug ACEInhibitor to Mary.Using the third rule agent 6 interacts with agent 5 and informs that the indicator of the ACEInhinitor Box must be switched on, so that patient can know she has to take ACEInhibitor at this moment.The patient monitor agent also interacts with the communication manager agent 7 which is located in the health centre.Once the communication manager agent receives the alarming information from agent 6, it communicates with the PCU coordinator agent.Depending on the alarm level, PCU coordinator agent interacts with various agents including general physician, nurse, relative and emergency service.For example, if the alarm level is VeryHigh, PCU coordinator directly informs to the emergency service.If the alarm level is Low, PCU coordinator only informs to the relative.If the alarm level is High, PCU coordinator interacts with the nurse and waits for a response.If it receives NotAvailalabe or Busy response, then it interacts with the general physician, and waits for a response, if it also receives NotAvailalabe or Busy response from the physician, then PCU coordinator informs the patient's alarming level to the emergency service, and so on.For the sake of brevity, we are unable to represent example rules of other agents in the system.In order to model this scenario we have derived 176 Horn clause rules from the smart space ontology and distributed them to the agents as working memory facts and knowledge base rules.E.g., the KB of the blood pressure measurement agent contains 8 rules, heart rate measurement agent is modelled using 12 rules, patient monitor agent is modelled using 30 rules, PCU coordinator agent is modelled using 36 rules and so on.We verified a number of interesting resource-bounded properties of the system including the following: G(B 6 Tell (1, 6,  the above property specifies that whenever alarm level of the patient Mary is High and the PCU coordinator agent has interacted the physician Dr John and received acknowledgement as NotAvailable, then the PCU coordinator agent informs the patient's alarm level to the emergency service within n timesteps.which specifies that whenever agent 6 classifies that alarm level of the patient Mary is High, within n time steps it tells agent 5 to switch on the indicator of the ACEInhibitor Box, so that Mary should know she has to take ACEInhibitor, while exchanging m messages (cp 6 =m states that the value of agent 6's communication counter is m).
The above properties are verified as true when the value of n is 7 in the first property, value of n is 3 in the second property, and the values of n and m are 4 and 5 in the third property.However, the properties are verified as false and the model checker returns counterexamples when we assign a value to n which is less than 7 in the first property, less than 3 in the second property, and values to n and m which are less than 4 and 5 in the third property.While verifying the first property, agents 1, 2, and 3 have the same dynamic memory size of 2 units and the memory size of the agent 6 is 6 units.For the second property, agent 8 requires 3 units and for the third property agent 6 requires 4 units of memory space for their reasoning tasks.These are the minimal space requirements for their reasoning while verifying above properties.Note that, while verifying a particular property, the amount of space needed for the reasoning task for an agent(s) may vary for other properties.Therefore, a system designer has to decide what are the desired properties of the system that should be verified, and what would be an optimal use of resources for that problem.

Conclusions and future work
In this paper, we presented a formal logical framework for modelling and verifying context-aware multi-agent systems.Where agents reason using ontology-driven first order Horn clause rules.We considered space requirement for reasoning in addition to the time and communication resources.We extend CT L * with belief and communication modalities, and the resulting logic L OCRS allows us to describe a set of rule-based reasoning agents with bound on time, memory and communication.We modelled an ontology-based context-aware system to show how we can encode a L OCRS model using Maude LTL model checker and formally verify its resource-bounded properties.In future work, we would like to develop a framework that will allow us to design context-aware agents considering non-monotonic reasoning.The logic developed in this paper is based on monotonic reasoning where beliefs of an agent cannot be revised based on some contradictory evidence.We would like to extend this logic considering defeasible reasoning which is a simple rule-based technique used to reason with incomplete and inconsistent information [6].

Fig. 1 A
Fig. 1 A partial view of home environment and context ontology

Fig. 3
Fig. 3 Example SWRL rules and individualised patient ontology

OCRSADefinition 1 (
DL knowledge base (KB) has two components: the Terminology Box (TBox) T and the Assertion Box (ABox) A. The TBox introduces the terminology of a domain, while the ABox contains assertions about individuals in terms of this vocabulary.The TBox is a finite set of general concept inclusions (GCI) and role inclusions.A GCI is of the form C D where C, D are DL-concepts and a role inclusion is of the form R S where R, S are DL-roles.We may use C ≡ D (concept equivalence) as an abbreviation for the two GCIs C D and D C and R ≡ S (role equivalence) as an abbreviation for R S and S R. The ABox is a finite set of concept assertions in the form of C(a) and role assertions in the form of R(a, b).Interpretation of DL-knowledge bases) An Interpretation of a DL knowledge base is a pair I =< I , .I > where I is a non-empty set (the domain of interpretation) and .I is a function that maps every concept to a subset of I , every role to a subset of I × I , and each individual name to an element of the domain I .An interpretation I satisfies the concept assertion C(a), denoted by I |= C(a), iff a I ∈ C I and it satisfies the role assertion R(a, b), denoted by I |= R(a, b), iff (a I , b I ) ∈ R I , where a and b are individuals.

Table 1 Translation
is the root of (S, T ), ∀i ∈ A g ; 2. ∀s ∈ S and a tuple of actions act 1 , act 2 , . . ., act n Ag , if act i ∈ T i (s), ∀i ∈ A g , then ∃s ∈ S s.t.sT s and s satisfies the effects of act i , ∀i ∈ A g ; 3. ∀s, s ∈ S, sT s iff for some tuple of actions act 1 , act 2 , . . ., act n Ag , act i ∈ T i (s) and the assignment in s satisfies the effects of act i , ∀i ∈ A g ; 4. The bound on each agent's memory is set by the following constraint on the mapping A5 B i r ∧ P ∈ant (r) B i P ∧ cp =n i ∧ ¬B i cons(r) → EX ( B i cons(r) ∧ cp =n i ), i ∈ A g .This axiom describes that if a rule matches, its consequent belongs to some successor state.A6 cp =m i ifor any m = n, Once these agents infer high level contexts they can interact with the patient monitor agent 6 and pass those information.Agent 6's KB contains rules including: hasBPCategory( Mary, Hypertension)) ∧ B 6 Tell(2, 6, hasDBCategory(?p,EstablishedDiabetes)) ∧ B 6 Tell(3, 6, hasHRCategory(?p,BelowAverage)) → X n B 6 Tell(6, 7, hasAlarmLevel( Mary, High)) the above property specifies that whenever agents 1, 2, and 3 tell agent 6 that the blood pressure, diabetes, and heart rate categories are Hypertension, EstablishedDiabetes, and BelowAverage, respectively, of the patient Mary, within n time steps agent 6 sending a classified message to agent 7 that the alarm level of the patient Mary is High.G(B 8 hasAlarmLevel( Mary, High) ∧ B 8 Tell(9, 8, hasCareStatus( John, NotAvailable)) → X n B 8 Tell(8, 12, hasAlarmLevel( Mary, High)))