Commitments with Regulations: Reasoning about Safety and Control in REGULA

Elisa Marengo, Matteo Baldoni, Cristina Baroglio, Viviana Patti
Università degli Studi di Torino
emarengo@di.unito.it, baldoni@di.unito.it, baroglio@di.unito.it, patti@di.unito.it

Amit K. Chopra
Università degli Studi di Trento
chopra@disi.unitn.it

Munindar P. Singh
North Carolina State Univ.
singh@ncsu.edu

Cite as: Commitments with Regulations: Reasoning about Safety and Control in REGULA, E. Marengo, M. Baldoni, C. Baroglio, A. K. Chopra, V. Patti, M. P. Singh, Proc. of 10th Int. Conf. on Autonomous Agents and Multiagent Systems (AAMAS 2011), Tumer, Yolum, Sonenberg and Stone (eds.), May 2–6, 2011, Taipei, Taiwan, pp. XXX-XXX. Copyright © 2011, International Foundation for Autonomous Agents and Multiagent Systems (www.ifaamas.org). All rights reserved. (Conference paper, 2011; source: DBLP. This copy was uploaded by Elisa Marengo on 06 March 2014.)

ABSTRACT

Commitments provide a flexible means for specifying the business relationships among autonomous and heterogeneous agents, and lead to a natural way of enacting such relationships. However, current formalizations of commitments incorporate conditions expressed as propositions, but disregard (1) temporal regulations and (2) an agent's control over such regulations. Thus, they cannot handle realistic application scenarios where time and control are often central because of domain conventions or other requirements.

We propose a new formalization of commitments that builds on an existing representation of events in which we can naturally express temporal regulations as well as what an agent can control, including indirectly, based on the commitments and capabilities of other agents. Our formalization supports a notion of commitment safety. A benefit of our consolidated approach is that by incorporating these considerations into commitments we enable agents to reason about and flexibly enact the regulations. The main contributions of this paper are (1) a formal semantics of commitments that accommodates temporal regulations; (2) a formal semantics of the notions of innate and social control; and (3) a formalization of when a temporal commitment is safe for its debtor. We evaluate our contributions using an extensive case study.

Categories and Subject Descriptors
I.2.11 [Artificial Intelligence]: Distributed Artificial Intelligence—Multiagent systems; H.1.0 [Information Systems]: Models and Principles—General

General Terms
Theory

Keywords
Business process modeling, business protocols

1. INTRODUCTION

Previously, commitments have been studied over propositional languages [6, 7, 11, 19]. But in a number of practical settings, commitments involve rich temporal structure. Consider the following examples taken from a healthcare setting.

Example 1.
An insurance company commits to reimbursing a covered patient for a health procedure provided the patient obtains approval from the company prior to the health procedure. Presumably, the patient would delay going in for the procedure until after having obtained an approval.

Example 2. An insurance company commits to paying an in-network surgeon for a procedure only after a covered patient has undergone the procedure. Presumably, the surgeon would bill the insurance company after performing the procedure.

As the following examples illustrate, temporal commitments can also involve more than two parties.

Example 3. A physician commits to a patient that if the patient shows any sign of heart trouble after signing up with him, then the patient will be immediately referred to a laboratory for tests, the results of which will be evaluated by a specialist.

Example 4. A pharmacy commits to providing medicine only if the patient obtains a prescription for that medicine.

Example 5. For an out-of-network surgeon, an insurance company commits to paying the patient (instead of the surgeon), but only after the surgeon performs the procedure, the patient pays the surgeon, and the patient submits receipts to the insurance company.

Temporal constraints such as those alluded to in Examples 1–5 are traditionally captured as procedural workflows. Instead, following recent approaches [8, 16], we think of such constraints more broadly as regulations and express them more flexibly in a logical notation. The commitments among autonomous parties capture their business relationships naturally. In contrast with existing approaches [3, 8, 10], we incorporate regulations as contents of commitments. By thus reifying regulations into business relationships, we bring normative force to the specification, thereby providing a clear basis for the participants to guide their actions locally and to judge the compliance of their counterparties.
For example, if a regulation says that a physician's referral should precede a surgeon's procedure, it is not clear whether the physician is responsible for moving first or the surgeon is responsible for moving second. By placing the regulations in commitments, we make it explicit that it is the debtor of the commitment who needs to ensure its satisfaction. Further, in doing so, we can capture the business relationships (and concomitant regulations) in a flexible manner that avoids unnecessarily coupling or constraining the participants.

The expression C(debtor, creditor, antecedent, consequent) means that the debtor commits to the creditor that if the antecedent holds, the consequent will hold. The antecedent and the consequent, i.e., the contents of a commitment, are typically logical expressions over states of the world [19], although some have added an explicit temporal component for expressing deadlines [5, 13]. In the present development, the content is specified over events. We use ‘·’ (center dot), read as “before”, as our main temporal operator on events: a · b means that event a occurs before event b (and both occur eventually). Then we may express the commitments in Examples 1 and 2 as C(ins, pat, approve · perform, reimburse) and C(ins, sur, perform · bill, pay), respectively. The commitment in Example 3 would be C(phy, pat, signup · heartTrouble, test · evaluate).

1.1 Challenges: Progression, Control, Safety

Placing temporal regulations within commitments enables us to identify precisely the responsibilities of the agents individually, and offers flexibility in terms of how the agents enact their commitments. By contrast, a purely temporal approach, such as Singh's [16], curtails the autonomy of the participants once the desired computations are specified. However, placing regulations inside commitments, as we did in the above examples, leads to new challenges.
First, we must formalize the progression, that is, the life cycle, of commitments, bearing in mind the events that have occurred. For example, we say that an active commitment C(x, y, r, u) progresses to discharged when u occurs. Analogously, we would like to say that C(x, y, r, e · f) progresses to C(x, y, r, f) when e occurs. The challenge is to formalize general progression rules for an expressive event language.

Second, a regulation expresses a constraint over the occurrence of events in a distributed system. The capability for bringing about the events, that is, the control of the events, would also generally be distributed among the agents. In Example 3, the physician commits to the patient for both testing and evaluation, but has control of neither: he must rely on a laboratory and a specialist for these tasks. Further, the physician commits to the coordination constraint that the testing will occur before the evaluation. Clearly, the physician is committing to activities over whose performance he apparently has no control. What would make the physician's commitment reasonable? In general, an agent would want to commit only to temporal conditions over which it exercises adequate control. We distinguish between two kinds of control: innate and social. In the above example, the laboratory and the specialist have innate control over testing and evaluation, respectively. Social control ties in with commitments: for regulations specified over events that the debtor does not control, the debtor would need the appropriate commitments from those who do. The physician would have control over testing and evaluation if he could get the appropriate commitments from the laboratory and the specialist.
For example, C(lab, phy, ⊤, test) and C(specialist, phy, ⊤, evaluate) would give the physician social control over the two events; however, the physician really needs C(specialist, phy, ⊤, test · evaluate) from the specialist in order to ensure the appropriate event order. Control in turn motivates the notion of the safety of a commitment. A commitment is safe if its debtor has established sufficient control to guarantee being able to discharge it (assuming others discharge the commitments of which they are the debtors). For example, without the above commitments from the laboratory and the specialist, the physician's commitment to the patient would be unsafe. As our examples illustrate, the notions of control and safety are especially relevant for understanding engagements among more than two parties. How can we determine whether the debtor of a commitment is able to apply the requisite control so as to ensure that its commitments have the support of the other agents, so that together they satisfy a given regulation, thereby accomplishing the coordination envisaged by the regulation?

1.2 Contributions

Our contributions may be summarized as follows. First, we formalize commitments with regulations in a simple but expressive event-based model. We formalize rules that capture the progression of a commitment over runs (sequences of events), using an existing sound and complete residuation reasoner. Second, we formalize control and safety in the same event-based model. In particular, we formalize a notion of social control via commitments, which naturally matches multiagent settings. Third, we declaratively formalize the life cycle of commitments, captured by Theorem 1. Moreover, we connect the notion of commitment progression with the notions of control and of safety (Theorems 2 and 3). Specifically, as long as the agents cause events that are expected by the application of the definition of safety itself, safety is preserved.
We evaluate the proposed notions by formalizing Robert's Rules of Order [14] (RONR), one of the best known sets of rules for managing the proceedings of democratic parliamentary assemblies.

Organization. The paper is organized as follows: Section 2 presents the theoretical background necessary for our formalization; Section 3 contains the main theoretical results, concerning the notions of progression, control and safety; Section 4 reports our case study; Section 5 concludes with a discussion and a review of the relevant literature.

2. TECHNICAL FRAMEWORK

Previous works on events and on commitments are relevant here. However, the approaches of interest are not mutually compatible at a technical level. On the one hand, to reason incrementally about control and progression, we need a powerful notion of events and residuation whose semantics is given with respect to an event run [16]. On the other hand, to represent conditional, active commitments, we need an approach based on a state-based semantics given with respect to a state and an index on it [17]. Thus one of the challenges our framework addresses is reconciling the above. As a result, although our approach borrows ideas from Singh [17], our formal model and its details are novel to this paper.

2.1 Precedence logic

Precedence logic is an event-based logic [16]. It has three primary operators for specifying requirements about the occurrence of events: ‘∨’ (choice), ‘∧’ (concurrence), and ‘·’ (before). The before operator enables one to express specifications such as approve · perform: both approve and perform must occur, and in the specified order. The specifications are interpreted over runs. Each run is a sequence of events. Figure 1 shows a schematic of our model. The transitions correspond to event occurrences (the • symbols merely identify placeholders between consecutive events: on each run, each • corresponds to an index).
The model shows several runs, of which it identifies τ0, τ1, and τ2, which all begin with ab. Additional runs include all the suffixes of τ0, τ1, and τ2, for example bef and bcd_x (an event subscript indicates which agent has the capability to perform the event; thus, d_x means that x has the capability to perform d). The same point may be identified with different indices on different runs. For example, the point after b has index 2 on τ0 = abcd_x... and index 0 on gh... (the top branch). Let e be an event. Then $\bar{e}$, the complement of e, is also an event. Initially, neither e nor $\bar{e}$ holds. On any run, either e or $\bar{e}$ may occur, not both.

[Figure 1: A schematic of runs with common prefixes. The runs τ0, τ1 and τ2 share the prefix ab and then branch; the branches shown continue with gh (the top branch), cd_x, and ef.]

We assume that events are nonrepeating. In practice, transaction IDs or timestamps differentiate multiple instances of the same event. This yields the following advantages. First, since we want to talk about precedence, it helps avoid the confusion where a preceding b would be consistent with b preceding a. Second, it supports negative events as occurring, and as distinct from (and stronger than) a positive event not having occurred yet. Third, it facilitates a simpler language and logic that is nevertheless adequate for capturing several regulations of practical interest.

2.2 Language

We distinguish between physical and social (or institutional) events. Our specifications are limited to the physical events (those that are publicly performed by an agent). For example, the events in Figure 1 are physical events: think of a as a waiter pushing a menu card to a customer over a counter in a diner and b as the customer pushing $5 back to the waiter. However, we supplement physical events with a set of means axioms, which capture the notion of counts as [2, 15]. We take the social events corresponding to a physical event to occur concurrently with the physical event.
In this manner, we respect Goldman's notion of (conventional) generation [12]. For example, a in Figure 1 may mean the creation of an offer to sell a coffee for $5, which thus happens simultaneously with a. Likewise, b may mean accepting the offer created by a.

We propose a language, REGULA, in which the antecedents and consequents of commitments are event expressions. In intuitive terms, a commitment itself remains a state expression and we do not express it directly in our language of events. Instead, we think of the operations on commitments as first-class entities, i.e., as events, and let the resulting commitments stay in the background. In other words, we can think of an operation such as Create(x, y, r, u) as a social event that brings about the corresponding commitment. Below, X yields agent names, E yields event types, and param yields domain values using which an event instance is specified from an event type. In conceptual terms, an event type may be either (1) of sort physical, in which case we optionally specify the agent who has the capability to perform it (an unspecified agent indicates we do not care about the agent), or (2) of sort social, in which case it is an operation on commitments. For brevity, “event” means “event instance” throughout. The syntax of REGULA is:

REGULA → axiom { , axiom }
axiom → ⟨⟨ physical means social ⟩⟩
physical → E⟨ [X ,] param* ⟩
social → op(X, X, regulations, regulations)
op → Create | Cancel | Release | Assign | Delegate
regulations → regulation { ∧ regulation }
regulation → sequence { ∨ sequence }
sequence → 0 | ⊤ | physical | physical · physical

That is, a REGULA specification is a set of axioms asserting which physical events count as which social events. In well-formed axioms, we require that the performing agent of the physical event and of the corresponding social event be the same. We use the following conventions: x, etc. are agents; e, etc. are physical events; r, s, u, etc. are regulations; τ, etc. are runs; and i, etc. are indices into runs. We drop agent names when they are understood. The above grammar limits sequences to two events each to simplify our formalization. However, in practice we write longer sequences because e_1 · ... · e_n ≡ (e_1 · e_2) ∧ ... ∧ (e_{n−1} · e_n).

2.3 Model and Semantics

We now describe the semantics of REGULA in terms of a model, M = ⟨E, T, C, D, X, V⟩. Here E and T describe the physical layer, and C describes the social (commitment) layer.

• E is a denumerable set of possible event instances closed under complementation. That is, e ∈ E if and only if $\bar{e}$ ∈ E. For simplicity in our notation, we identify e and $\bar{e}$; thus wherever we write e in the semantics, it applies both to e and $\bar{e}$. The set E can itself be generated from event types and their parameters, as described above. Further, we introduce a special symbol ε for a null event.

• $T = \{\tau \mid \tau : \mathbb{N} \mapsto E \cup \{\epsilon\},\ \tau \text{ is (1) injective, and (2) } (\forall i, j : \tau_i \neq \overline{\tau_j})\}$ is the set of possible event runs (we write the ith event in τ as τ_i). ℕ is the set of natural numbers. Thus each member of T is a sequence of events. The above constraints restrict T to legal runs [16] wherein (1) no event repeats and (2) no event and its complement both occur. We use the null event ε to indicate the termination of a run. If ε ever occurs on a run, all subsequent events are ε. That is, $(\forall i, j : j \geq i \text{ and } \tau_i = \epsilon \Rightarrow \tau_j = \epsilon)$. Below, |τ| is the length of τ, and equals the smallest index i for which τ_i = ε if such an i exists, and ω otherwise (indicating an infinite run). Notice that T is suffix-closed, meaning that if a run belongs to T, then so does each of its suffixes. Formally, using s as the successor function on ℕ and ⊙ as functional composition, we have $\{\tau \odot s \mid \tau \in T\} \subseteq T$. Below, [i, j] refers to the subrun between the ith and the jth events, both inclusive. Likewise, T is prefix-closed. That is (using the fact that all natural numbers are less than ω), we have $\{\tau_{[0,j]} \mid \tau \in T \text{ and } j \leq |\tau|\} \subseteq T$.
• $C : T \times \mathbb{N} \times X \times X \times \wp(T) \mapsto \wp(\wp(T))$ is the standard for (active) commitments. That is, at each index on each run, for each (ordered) debtor-creditor pair of agents, C assigns to a set of runs a set of sets of runs. The intuition is that C determines which conditional commitments are active from a debtor to a creditor at an index in a run: given a potential antecedent, each of the consequents is placed in the set that is the output of this function. If the output set is empty at a run and an index, no commitments are active there. We lack the space to include additional semantic (closure) constraints on C along the lines of Singh [17]. (For readability, we place the agents as subscripts.) If two runs are equal until i, then C yields the same result for each of them at index i. Formally, $(\forall \tau, \tau', i, R \subseteq T : \tau_{[0,i]} = \tau'_{[0,i]} \Rightarrow C_{x,y}(\tau, i, R) = C_{x,y}(\tau', i, R))$.

• D, X, V, with the same signature as C, are respectively the standards for discharged, expired, and violated commitments.

The following constraints on our model capture some of the essential intuitions about commitments. Let $cone(\tau, i) = \{\tau' \mid \tau_{[0,i]} = \tau'_{[0,i]}\}$. In intuitive terms, the cone of a run at an index includes all possible future branches given the history (the part of the run up to the index). Because T contains all possible legal runs, the intuition is that when a regulation is true (respectively, false) on all runs in a cone, then it is definitely true (respectively, definitely false). For example, $\bar{e}$ is false at index i of a run τ if it has not occurred yet; it is definitely false if $\bar{e}$ occurs on no run in τ's cone at i, meaning that e must already have occurred.

• $U \in D_{x,y}(\tau, i, R)$ only if $\tau_{[0,i]} \in U$. The consequent of a discharged commitment must be true.

• $U \in X_{x,y}(\tau, i, R)$ only if $cone(\tau, i) \subseteq (T \setminus R)$. An expired commitment must have its antecedent definitely false. In other words, we do not just want the antecedent to be not yet true; we want it never to become true given the run so far.

• $U \in V_{x,y}(\tau, i, R)$ only if $cone(\tau, i) \subseteq (T \setminus U)$ and $\tau_{[0,i]} \in R$. A commitment is violated if its antecedent holds but its consequent is definitely false.

• $U \in C_{x,y}(\tau, i, R)$ only if $U \notin (D_{x,y}(\tau, i, R) \cup X_{x,y}(\tau, i, R) \cup V_{x,y}(\tau, i, R))$. An active commitment is one that is not discharged, expired, or violated.

Semantic postulates M1–M5, loosely based on Singh [16], address the temporal aspects of our language.

M1. $\tau \models_i \top$
M2. $\tau \models_i e$ iff $(\exists j \geq i : \tau_j = e)$, where e is a physical event
M3. $\tau \models_i r \vee u$ iff $\tau \models_i r$ or $\tau \models_i u$
M4. $\tau \models_i r \wedge u$ iff $\tau \models_i r$ and $\tau \models_i u$
M5. $\tau \models_i r \cdot u$ iff $(\exists j \geq i : \tau \models_{[i,j]} r \text{ and } \tau \models_{[j+1,|\tau|]} u)$

It is helpful to expand the notion of complementation to apply to regulations, not just to physical events. To this end, we define complementation via a set of inference rules as follows: (1) $\overline{r \wedge u} = \bar{r} \vee \bar{u}$; (2) $\overline{r \vee u} = \bar{r} \wedge \bar{u}$; (3) $\overline{r \cdot u} = \bar{r} \vee \bar{u} \vee u \cdot r$; and (4) $\bar{\bar{e}} = e$. The interesting rule is the one for r · u, which captures that r · u may fail to occur exactly when one of its components does not occur, or both occur but in the reverse order.

2.4 Residuation

In simple terms, residuation is a way for us to track progress in the real world. The residual of a regulation with respect to an event is the “remainder” regulation that would be left over from the original after the event, and whose satisfaction would guarantee the satisfaction of the original regulation. For example, let $r = \bar{a} \vee b \cdot a$ be a regulation under consideration; r means that either a cannot occur, because $\bar{a}$ occurred, or b and a both occur with b preceding a. If we residuate r by an event g, which does not occur in r, the result is the same as r, indicating that the desired regulation is unaffected by irrelevant events. Residuating r by b yields $\bar{a} \vee a$ by the equations below: b does not occur in $\bar{a}$, which is left as it is, while b · a reduces to a. A subsequent occurrence of a would residuate this to ⊤, meaning that the regulation is satisfied on this execution. Residuating r directly by a yields 0, meaning that the occurrence of a has caused a violation of the regulation.

Following Singh [16], we can define the residual of a regulation r with respect to a physical event e as the maximal (most flexible) regulation such that an occurrence of e followed by an occurrence of the residual guarantees the original regulation. A benefit of using the event-based semantics is that it supports a set of simple equations or rewrite rules through which we can symbolically calculate the residual of a regulation given an event. The following equations are due to Singh [16]. Here, r is a sequence expression, and e is a physical event or ⊤. Below, $\Gamma_u$ is simply the set of literals and their complements mentioned in u. Thus $\Gamma_e = \{e, \bar{e}\} = \Gamma_{\bar{e}}$ and $\Gamma_{e \cdot f} = \{e, \bar{e}, f, \bar{f}\}$.

$0/e = 0$
$\top/e = \top$
$(r \wedge u)/e = (r/e) \wedge (u/e)$
$(r \vee u)/e = (r/e) \vee (u/e)$
$(e \cdot r)/e = r$, if $e \notin \Gamma_r$
$r/e = r$, if $e \notin \Gamma_r$
$(e' \cdot r)/e = 0$, if $e \in \Gamma_r$
$(\bar{e} \cdot r)/e = 0$

The above equations characterize the progression of regulations under physical events. They have some important properties, including that (1) regulations not mentioning an event are independent of that event; (2) conjoined or disjoined regulations can be treated modularly; and (3) regulations can be incrementally progressed: hence a residuated regulation embodies the relevant history and no additional history need be represented.

We define the intension of r as the set of runs where it is true at index 0: $[[r]] = \{\tau \mid \tau \models_0 r\}$. As an auxiliary definition, for a set of runs R, let $R \downarrow e = \{\nu \in T \mid (\forall \upsilon : \upsilon \in [[e]] \Rightarrow \upsilon\nu \in R)\}$. Then, following Singh [16], we can capture residuation semantically as $[[r/e]] = [[r]] \downarrow e$.

2.5 Commitments

When the antecedent is ⊤ (true), we refer to the commitment as unconditional. An unconditional commitment usually arises because a conditional commitment was detached. For example, C(merchant, customer, paid, goods) gives rise to C(merchant, customer, ⊤, goods) when paid holds.

We briefly mention some important stages in the life cycle of a commitment, that is, its progression. A commitment holds either because of an explicit Create operation by the debtor or because an existing commitment was detached. It is considered expired if the antecedent has expired (it cannot be satisfied anymore), meaning that the creditor did not take up the offer entailed by the commitment. A commitment is considered violated if it is unconditional and its consequent has expired, meaning that the debtor did not fulfill the offer. Alternatively, if the consequent holds, it is considered discharged. Although we adopt many of the intuitions of the previous works, our technical development is significantly different in that we model commitments in an event-based framework. Doing so is nontrivial but yields rewards in a better characterization of the progression of commitments than was previously available.

Now we enhance the above development to accommodate commitments. The commitment operator C is not included in our language but provides a useful basis for the social operations.

M6. $\tau \models_i C(x, y, r, u)$ iff $[[u]] \in C_{x,y}(\tau, i, [[r]])$

The meaning of the physical events in terms of social events is defined as follows. This simply states that whenever a physical event occurs, the corresponding social event occurs as well. We leave open the possibility that a social event could occur implicitly without the matching physical event.

M7. $\tau \models_i e_x \text{ means } Op(x, y, r, u)$ iff $(\forall j \geq i : \tau \models_j e_x \Rightarrow \tau \models_j Op(x, y, r, u))$

Now we can state the meanings of the operations in terms of how they change the social state by manipulating commitments. We describe Create for concreteness and omit the rest for brevity.

M8. $\tau \models_i Create(x, y, r, u)$ iff $\tau \not\models_i C(x, y, r, u)$ and $\tau \models_{i+1} C(x, y, r, u)$

We impose a restriction on our model capturing that commitments persist until they are discharged, expired, or violated. Formally, for all τ, i, R ⊆ T and U ⊆ T, if $U \in C_{x,y}(\tau, i, R)$ and $\tau_i = e$, then:

1. $U \downarrow e \in X_{x,y}(\tau, i+1, R \downarrow e)$ if $R \downarrow e = \emptyset$;
2. $U \downarrow e \in V_{x,y}(\tau, i+1, R \downarrow e)$ if $R \downarrow e = T$ and $U \downarrow e = \emptyset$;
3. $U \downarrow e \in D_{x,y}(\tau, i+1, R \downarrow e)$ if $U \downarrow e = T$;
4. $U \downarrow e \in C_{x,y}(\tau, i+1, R \downarrow e)$ otherwise.

3. THEORETICAL RESULTS

We now present the main theoretical results on REGULA.

3.1 Residuation for Commitment Progression

Although commitment expressions are not event expressions in REGULA, we can use residuation to compute the progression of a commitment. For example, consider a commitment c1 = C(x, y, b, d · c · a) and assume that events d, c, a occur in this order. In intuitive terms, after d, the antecedent of c1 would be unaffected whereas its consequent would progress to c · a. If c were to occur then, the antecedent would still be unaffected, but the consequent would reduce to a; then when a occurs, the consequent would reduce to ⊤, indicating that c1 is discharged. Alternatively, assume that events d, a, b, c occur in this order. Now after d and a, the antecedent would still be unaffected, but the consequent would reduce to 0, so c1 can no longer be discharged; as soon as b occurs and detaches it, c1 is violated. In essence, the idea is that a commitment progresses as its antecedent and consequent are residuated by the events as they occur. The foregoing intuition can be thought of as distributing residuation into the antecedent and consequent of a commitment. This leads us to Theorem 1 on commitment progression. This theorem is technically trivial but important because it shows how a commitment progresses. Here, we assume that operators exp, vio, and dis are defined analogously to C, though based on X, V, D, respectively.

THEOREM 1. If $\tau \models_i C(x, y, r, u)$ and $\tau_i = e$, then

$\tau \models_{i+1} exp(x, y, r/e, u/e)$ if $r/e = 0$;
$\tau \models_{i+1} vio(x, y, r/e, u/e)$ if $r/e = \top$ and $u/e = 0$;
$\tau \models_{i+1} dis(x, y, r/e, u/e)$ if $u/e = \top$;
$\tau \models_{i+1} C(x, y, r/e, u/e)$ otherwise.

Proof sketch: Trivial by construction of C, X, V, and D.

3.2 Control

Consider C(x, y, ⊤, a_x · b_y)/a_x, yielding C(x, y, ⊤, b_y). Now x is committed to b_y, for which it depends on y. The key challenge here is one of control: whether an agent can bring about an event or complex action so as to detach or discharge a given commitment. Our intuition is that control is a combination of capability and opportunity. An agent may control an event innately, i.e., based on which events it can perform, or socially, i.e., based on the commitments of others and what they control. We define the intuitive notion of control ξ(·, ·) (our primary definition) in two mutually recursive parts. First, we capture the base cases of control through ζ(·, ·): innate control (M9 and M10) and control obtained socially, through a commitment from an agent that itself controls the event (M11).

M9. $\tau \models_i \zeta(x, \top)$
M10. $\tau \models_i \zeta(x, e_x)$ iff $(\exists \tau' \in cone(\tau, i) : \tau' \models_i e_x)$

Notice that we refer to cone(τ, i) in M10 because it serves as a surrogate for the notion of state, which is otherwise not present in our framework. Thus, merely finding a τ′ on which event e_x occurs at index i would not be enough: τ′ must share the history of τ up to i.

M11. $\tau \models_i \zeta(x, e_y)$, where $x \neq y$, iff $(\exists r : \tau \models_i \xi(x, r) \text{ and } \tau \models_i C(y, x, r, e_y) \text{ and } \tau \models_i \xi(y, e_y))$

Second, we formulate control recursively using the above.

M12. $\tau \models_i \xi(x, r \vee u)$ iff $\tau \models_i \xi(x, r)$ or $\tau \models_i \xi(x, u)$
M13. $\tau \models_i \xi(x, r \wedge u)$ iff $\tau \models_i \xi(x, r)$ and $\tau \models_i \xi(x, u)$
M14. $\tau \models_i \xi(x, r \cdot u)$ iff $\tau \models_i \xi(x, r)$ and $(\forall \tau' \in cone(\tau, i) : \tau' \models_i r \Rightarrow \tau' \models_i (r \cdot \xi(x, u)))$
M15. $\tau \models_i \xi(x, r)$ iff $\tau \models_i \zeta(x, r)$, when r is not of the form $r \vee u$, $r \wedge u$, or $r \cdot u$

Given that an agent controls a regulation, the question is whether such control can be propagated along the execution, as the regulation is residuated based on the events that have occurred.

THEOREM 2. If $\tau \models_i \xi(x, r)$ then $(\exists \tau', e : \tau' \in cone(\tau, i) \text{ and } \tau'_i = e \text{ and } \tau' \models_{i+1} \xi(x, r/e))$.

Proof sketch: Follows directly from the definition of control.

Notice that the preservation of control requires some cooperation of the involved agents. For instance, ξ(x, e_y) requires that y continues to support x.
In other words, either y causes ey at some point or y does not cancel its commitment to x to execute ey when some condition becomes true. Informally, by a Create, the debtor provides social control to the creditor; by performing a Cancel the debtor takes back social control; by performing a Release the creditor relinquishes social control. Likewise, Assign and Delegate transfer control suitably. 3.3 Safety Safety is a property of commitments. Since the regulations embedded in commitments involve many actors, it is important for the potential debtor to understand when it is “reasonable” for it to commit. Intuitively, this is reasonable when the agent controls the events that are part of the regulation. In other words, a commitment is safe for its debtor when the coordination necessary to fulfill the regulation is supported by commitments by the other agents involved. We can thus define the safety of a commitment C(x, y, r, u) for the debtor agent x as σ(x, C(x, y, r, u)) as follows: M16 . τ |=i σ(x, C(x, y, r, u)) iff (∀τ ′ ∈ cone(τ, i) and (τ ′ |=i ′ ξ(x, r) or (µj ≥ i : τ ′ |=[i,j] r ⇒ τ ′ |=j ξ(x, u/τ[i,j] )))) ′ Residuation by subrun τ[i,j] is a shorthand notation standing for the residuations, in sequence, by all the events in the subrun. By µj we refer to a generalized quantifier that selects the least such j index. So, a commitment is safe for its debtor if either the debtor controls the negation of the antecedent or whenever the antecedent holds, the debtor controls the residuation of the consequent. In the former case, the debtor can act so as to avoid letting the commitment become active. In the latter case, instead, when the commitment becomes active, there is a way to satisfy it. Residuation is necessary because at j some event that is in the consequent might have occurred already. Notice that the definition of safety does not depend directly on the given run but consider all runs of the same history. 
The intuition here is to capture the fact that safety is essentially a state property, even though we express it in an event-based model. The definition is symmetric between all the runs that have the same history as $\tau$. Moreover, safety does not mean that no matter how bad a decision an agent takes, success is guaranteed; just that the agent is not subject to the whims of another agent. In other words, the agent can prevent a bad situation; it is not that a bad situation is impossible.

THEOREM 3. If $\tau \models_i \sigma(x, C(x, y, r, u))$ then $(\exists \tau' \in cone(\tau, i), e : \tau' \models_i \overline{r}$ or $(\tau' \models_i r$ and $\tau'_i = e$ and $\tau' \models_{i+1} \sigma(x, C(x, y, r/e, u/e))))$.

In words, Theorem 3 states that if at some point on a run a commitment is safe for an agent, then there is a possible continuation such that the residuation of the commitment remains safe.

Proof: Follows from Theorem 2 and the definition of safety. Suppose that $\tau \models_i \sigma(x, C(x, y, r, u))$ holds. Therefore, $(\forall \tau' \in cone(\tau, i) : \tau' \models_i \xi(x, \overline{r})$ or $(\mu j \geq i : \tau' \models_{[i,j]} r \Rightarrow \tau' \models_j \xi(x, u/\tau'_{[i,j]})))$ by M16. We have two cases. First case. Let us suppose that $\tau' \models_i \xi(x, \overline{r})$. By Theorem 2, $(\exists \tau'' \in cone(\tau', i), e : \tau''_i = e$, and $\tau'' \models_{i+1} \xi(x, \overline{r}/e))$, and this proves the case. Second case. Let us suppose that $(\mu j \geq i : \tau' \models_{[i,j]} r \Rightarrow \tau' \models_j \xi(x, u/\tau'_{[i,j]}))$. Thus, whenever $\tau' \models_{[i,j]} r$ we have $\tau' \models_j \xi(x, u/\tau'_{[i,j]})$. By Theorem 2, $(\exists \tau'' \in cone(\tau', j+1), e : \tau''_i = e$, and $\tau'' \models_{j+1} \xi(x, (u/\tau'_{[i,j]})/e))$. Let us consider the previous $\tau''$ and $e$ and assume that $\tau'' \models_{[i,j+1]} r/e$ holds. Then, we have that $\tau'' \models_i \xi(x, (u/\tau'_{[i,j]})/e)$. This proves the theorem.

4. CASE STUDY

We apply our approach to Robert's New Rules of Order (RONR) [14], a system of parliamentary laws. RONR posits two roles: chair and participants. The activity of the assembly consists of discussing one motion at a time, and then voting. The rules are aimed at guaranteeing that the assembly works in a democratic way.
Among other rules, it specifies that voting will not take place until all the participants who raised their hand to express their opinion have spoken. Different members are not allowed to speak at the same time and, in particular, in order to speak one must have the floor. As long as everybody behaves according to the rules, the assembly works in a democratic way. In other words, RONR not only specifies the actions but also governs the behavior of the participants and the chair (specifying the contexts in which the execution of actions makes sense) so as to guarantee the success of the assembly if all the agents behave according to RONR. Each participant autonomously decides whether to conform to the rules, but doing so confers some rights on the participant.

The first column of Table 1 lists physical events that can occur during an enactment of RONR (the subscript indicates which agent directly controls the event: $c$ stands for chair and $p_i$ generically stands for participant). Recall that given two agents $p_1$ and $p_2$, the event instance $e_{p_1}$ is different from $e_{p_2}$. So, for instance, $askFloor_{p_1}$ is different from $askFloor_{p_2}$. A possible specification of the semantics of events is given in terms of their effects on the social state. The second column of Table 1 reports event effects in terms of the commitments that are created by their occurrence. Antecedents and consequents are written in REGULA. The social effects are operations on commitments. Besides Create, in the example we also use Assign and Delegate: a participant can delegate its vote or assign its time slot for speaking to another participant. Notice that if the meaning were given using propositional commitments, one could not express temporal regulations. For instance,
to express that the floor is given after it is asked for, the commitment $C(c, p_i, askFloor_{p_i}, giveFloor_c\langle p_i\rangle)$ would be inadequate, since it does not ensure that the two events occur in the expected order. Potentially, the chair could give the floor to $p_i$ before $p_i$ asked for it, and the commitment would be discharged. Such apparent flexibility may be desirable in some settings but not where it violates a regulation.

Table 1: RONR physical events mapped to their social effects. Here $p_i$ are participants, $c$ the chair, and $m$ a motion. Each row gives a physical event and the social events it means.
$openAssembly_c$: $\forall p_i \in P$, Create($C(c, p_i, \top, exposeMotion_c\langle m\rangle \cdot openDebate_c\langle m\rangle)$) $\wedge$ $\forall p_i, p_j \neq p_i \in P$, Create($C(c, p_i, discuss_{p_j} \wedge \overline{giveFloor_c\langle p_j\rangle} \vee discuss_{p_j} \cdot giveFloor_c\langle p_j\rangle, punish_c\langle p_j\rangle)$)
$openDebate_c\langle m\rangle$: $\forall p_i \in P$, Create($C(c, p_i, askFloor_{p_i}, askFloor_{p_i} \cdot giveFloor_c\langle p_i\rangle)$) $\wedge$ $\forall p_i \in P$, Create($C(c, p_i, askFloor_{p_i} \cdot giveFloor_c\langle p_i\rangle \cdot discuss_{p_i} \vee \overline{askFloor_{p_i}}, askFloor_{p_i} \cdot giveFloor_c\langle p_i\rangle \cdot discuss_{p_i} \cdot cfv_c \vee \overline{askFloor_{p_i}} \cdot cfv_c)$)
$cfv_c$: none
$enterAssembly_p$: Create($C(p, c, cfv_c, cfv_c \cdot vote_p)$)
$askFloor_p$: Create($C(p, c, \top, discuss_p)$)
$exposeMotion_c\langle m\rangle$: none
$discuss_p$: none
$giveFloor_c\langle p\rangle$: none
$passFloor_{p_i}\langle p_j\rangle$: Assign($p_j$, $C(c, p_i, \top, giveFloor_c\langle p_i\rangle)$)
$vote_p$: none
$delegateVote_{p_i}\langle p_j\rangle$: Delegate($p_j$, $C(p_i, c, \top, vote_{p_i})$)
$close\_cfv_c$: none
$closeAssembly_c$: none
$punish_c\langle p\rangle$: none

The following is an example commitment whose antecedent or consequent uses all the allowed operators of REGULA. In this case, $c$ commits to each $p_i$ that $c$ will punish any other $p_j$ if $p_j$ starts speaking when the chair refused to give it the floor, or speaks before having the floor.
$C_1 = \forall p_i, p_j \neq p_i \in P$, $C(c, p_i, discuss_{p_j} \wedge \overline{giveFloor_c\langle p_j\rangle} \vee discuss_{p_j} \cdot giveFloor_c\langle p_j\rangle, punish_c\langle p_j\rangle)$

4.1 Simulation of a Possible Enactment

In order to explain the notions of safety and of control, let us suppose that, instead of the commitments in Table 1, the physical event $openDebate$ creates the following commitments:

$\forall p_i \in P$, $C_2(p_i) = C(c, p_i, \top, askFloor_{p_i} \cdot giveFloor_c\langle p_i\rangle \cdot discuss_{p_i} \cdot cfv_c \vee \overline{askFloor_{p_i}} \cdot cfv_c)$

Given that $P$ denotes the set of all participants in the assembly, the formula specifies the set of unconditional commitments of $c$ to all the participants in the assembly to call for votes ($cfv_c$) after each participant has either (1) asked for the floor, obtained it, and discussed, or (2) declined the possibility to speak. Figure 2 shows a tree corresponding to some of the possible runs that can be obtained by RONR. Since the RONR events have no preconditions, all interleavings where each event instance occurs at most once are possible. The chair, by executing $openDebate$, commits unconditionally to the regulation $u = askFloor_{p_i} \cdot giveFloor_c\langle p_i\rangle \cdot discuss_{p_i} \cdot cfv_c \vee \overline{askFloor_{p_i}} \cdot cfv_c$.

[Figure 2: A schematic of some runs with common prefixes for RONR. The tree starts from $openAssembly_c$ and branches over $enterAssembly_{p_1}$, $enterAssembly_{p_2}$, $openDebate_c\langle m\rangle$, $exposeMotion_c\langle m\rangle$, $askFloor_{p_1}$, $askFloor_{p_2}$, $giveFloor_c\langle p_1\rangle$, $giveFloor_c\langle p_2\rangle$, $discuss_{p_1}$, and $discuss_{p_2}$ into the runs $\tau_0, \ldots, \tau_3$.]

Let us consider the bottom run, which involves the chair and two participants ($p_1$ and $p_2$): participant $p_1$ asks for the floor, receives it and speaks; $p_2$ instead asks for the floor but starts speaking before the chair gives it the floor. This causes a violation of the commitment of the chair.
This violation is due to $p_2$, who, however, did not have any commitment to wait for the floor before speaking. Therefore, the chair has no right to expect this behavior from $p_2$. Indeed, it was not safe for the chair to adopt the above commitment by opening the debate. More formally, we can show that $\tau' \not\models_5 \sigma(c, C_2(p_2))$. Safety holds iff $(\forall \tau'' \in cone(\tau', 5) : (\exists j \geq 5 : \tau'' \models_{[5,j]} \top \Rightarrow \tau'' \models_j \xi(c, u/\tau''_{[5,j]})))$. With $j = 5$ this simplifies to $(\forall \tau'' \in cone(\tau', 5) : \tau'' \models_5 \xi(c, u))$, which does not hold. The participant has not adopted any commitment toward the chair to execute any of the actions under its control. In particular, by repeatedly applying the definition of control, it is easy to see that, in order for the commitment to be safe, it is necessary that after a certain step, for all $\tau$, $\tau \models_i askFloor_{p_2} \cdot giveFloor_c\langle p_2\rangle \cdot \xi(c, discuss_{p_2} \cdot cfv_c)$. In other words, after $askFloor_{p_2} \cdot giveFloor_c\langle p_2\rangle$ occurs, $c$ must have control over $discuss_{p_2} \cdot cfv_c$. If there were a commitment of the kind $C(p_2, c, \top, askFloor_{p_2} \cdot giveFloor_c\langle p_2\rangle \cdot discuss_{p_2})$ at Step 5, $C_2(p_2)$ would be safe, because after $askFloor_{p_2} \cdot giveFloor_c\langle p_2\rangle$ it would have residuated to $C(p_2, c, \top, discuss_{p_2})$. The fact that no similar commitment is adopted by all agents can lead to the violation described above.

Let us suppose that the commitment adopted after $openDebate$ were instead $C(c, p_i, askFloor_{p_i} \cdot giveFloor_c\langle p_i\rangle \cdot discuss_{p_i}, askFloor_{p_i} \cdot giveFloor_c\langle p_i\rangle \cdot discuss_{p_i} \cdot cfv_c)$. Can the chair cause the event $openDebate$ without worrying about the above commitment? Again, the answer depends on whether the commitment is safe for $c$. From the definition, it is easy to see that when the antecedent is satisfied and, thus, $askFloor_{p_i} \cdot giveFloor_c\langle p_i\rangle \cdot discuss_{p_i}$ occurs, safety depends on $\xi(c, cfv_c)$, which is trivially true. The effect of $openDebate$ in Table 1 is safe. The notion of control enables other kinds of reasoning.
Let us consider the antecedent of the second commitment that is created as an effect of the action $openAssembly$: $discuss_{p_i} \wedge \overline{giveFloor_c\langle p_i\rangle} \vee discuss_{p_i} \cdot giveFloor_c\langle p_i\rangle$. The effect of the action will be a punishment applied to $p_i$. Does $p_i$ have control over the set of runs respecting these dependencies, so as to avoid activating the commitment of the chair to punish it? The application of rule M12 allows for destructuring the expression into (a) $discuss_{p_i} \wedge \overline{giveFloor_c\langle p_i\rangle}$ and (b) $discuss_{p_i} \cdot giveFloor_c\langle p_i\rangle$. Condition (a) is a conjunction where $discuss_{p_i}$ is a physical action controlled by $p_i$. The conjunction can be made false by not contributing to a discussion while $\overline{giveFloor_c\langle p_i\rangle}$ holds. Condition (b) is a sequence that is started by a physical action controlled by $p_i$: this agent can prevent the condition from becoming true by not contributing to the discussion until $c$ gives it the floor.

5. DISCUSSION

The RONR case study validates some important claims about REGULA. First, it shows that commitments with regulations help a group of agents coordinate their interactions better than traditional propositional commitments would. In general, because of the autonomy of the agents, no agent $x$ may legitimately expect that another agent $y$ would satisfy a particular regulation. However, the existence of a commitment whose debtor is $y$ and creditor $x$, and whose consequent is the given regulation, precisely specifies and legitimizes such an expectation. The placement of regulations within the antecedents and consequents of commitments helps make the regulations explicit within the system of interacting agents and thereby facilitates their coordination. In particular, autonomous agents can potentially trade off the regulations that they respectively prefer, with such trade-offs expressed in the commitments they make to one another.
Lastly, using events makes regulations, control, and safety computationally precise while preserving the flexibility of commitments: no event trace is explicitly dictated. Safety is a means for deciding whether it is reasonable for an agent to adopt a commitment in a given state. We showed that when safety holds for the current state, then there is a possible evolution to another safe state. Further, it is possible to exploit the notion of control in other kinds of reasoning. For instance, as the above example shows, if an agent wants to prevent another agent's commitment from being activated, it can check whether it controls the antecedent of that commitment.

5.1 Relevant Literature

We now review some previous efforts at enriching commitments with time. Following Searle [15], we can classify norms as either constitutive or regulative. Clearly $openAssembly$, $openDebate$, and so on are constitutive: their meaning is defined in terms of commitments using the means construct, which amounts to a counts-as relation. However, the commitments also have a naturally regulative flavor, which we enhance thanks to the coordination requirements arising from the temporal nature of their content. Thus, in effect, both kinds of norms are grounded in communication in our framework. By contrast, Boella and van der Torre [4] define both kinds of norms in terms of agents' mental states. Aldewereld et al. [2] use the counts-as relation to operationalize norms. By contrast, we use the counts-as relation to understand physical events in terms of the normative relations they create. Our framework includes significant operational elements. The notion of commitment progression is an operational one. Further, the notion of control may also be viewed as an operational tool for reasoning about norm compliance. Alberti et al. [1] use events and expectations to model interaction protocols. Expectations help define a temporal relation between events.
For example, one can state that if an event occurs at a certain point in time, another event must occur afterward. Expectations, however, are not scoped by a debtor or creditor, nor are they used inside commitments. By contrast, we include temporal regulations inside commitments. This enables precisely identifying who is responsible for each regulation and potentially liable for a violation. Moreover, we define control and safety properties both over regulations and over commitments. Using these, an agent can determine whether it would be able to satisfy a (temporal) engagement and can reason about the opportunity of adopting specific commitments. Baldoni et al. [3] define commitment-based protocols wherein the constitutive and the regulative specifications are decoupled. In particular, they assert regulations as temporal constraints but place them separate from commitments, not within the antecedents and consequents of commitments, as we have done here. By contrast, by including regulations inside commitments, we identify a debtor and a creditor with duties and rights, and propose a notion of control and of safety. Commitment life cycles, that is, progressions, have been variously formalized, especially by Fornara and Colombetti [10], Mallya et al. [13], and El-Menshawy et al. [9]. However, in general, these works neither provide a symbolic characterization of progression as we did above nor consider the interplay between control and commitment progression. And the previous semantic work on commitments [17] considers only whether a commitment is active or not, and does not discuss the full life cycle. Cranefield and Winikoff [7] formalize expectation progression in a linear temporal logic. However, unlike commitments, the expectation modality is not a relation between agents. Such a modality would not be able to support the notions of control and safety as we have formalized them here. Verification of protocols is an important theme.
Giordano and Martelli [11] perform two kinds of verification: one, whether an agent's execution is compliant with the protocol, and two, whether the protocol specification itself satisfies some temporal property. Our notion of safety is a third category, in that it helps an agent determine whether it has adequate control in order to be able to fulfill its commitments. Safety suggests that the protocol in question is well-designed and that the agent's behavior complies with the protocol. We establish compliance at runtime through the notion of the progression of a commitment (Theorem 1). van der Hoek and Wooldridge [18] reason about the abilities of a coalition of agents given each agent's control over certain variables. Moreover, control may be transferred via what they term a "delegate" operation. Our work embodies similar intuitions: commitments allow control to be passed among agents. Additionally, through the use of commitments, we can support cancel and release as ways to return control, and delegate and assign as ways to propagate control.

5.2 Future Directions

The notions of control and of safety that we proposed concern single agents. Along the lines of van der Hoek and Wooldridge [18], a key future direction is to explore notions of teamwork and to extend the definitions of control and safety accordingly. It would be worth investigating a richer formal model and language in which we include both states and events as transitions between states. Another interesting question is: given a specification in terms of a set of temporal regulations, and knowledge of which events are performed by which agent, can we determine the safe commitments that the agents should adopt so that the resulting computation satisfies the original specification? Such a set of commitments could be used to implement agents interacting by means of commitment-based protocols [3, 19].

Acknowledgments

We thank the reviewers for their helpful comments.
The Torino team was partially funded by Regione Piemonte, ICT4LAW project. Chopra was supported by a Marie Curie Trentino Fellowship.

6. REFERENCES

[1] M. Alberti, F. Chesani, D. Daolio, M. Gavanelli, E. Lamma, P. Mello, and P. Torroni. Specification and verification of agent interaction protocols in a logic-based system. Scalable Computing: Pract. & Exp., 8(1):1–13, 2007.
[2] H. Aldewereld, S. Álvarez-Napagao, F. Dignum, and J. Vázquez-Salceda. Making norms concrete. In AAMAS, pp. 807–814, 2010.
[3] M. Baldoni, C. Baroglio, and E. Marengo. Behavior-oriented commitment-based protocols. In ECAI, pp. 137–142, 2010.
[4] G. Boella and L. W. N. van der Torre. Regulative and constitutive norms in normative multiagent systems. In KR Conf., pp. 255–266, 2004.
[5] F. Chesani, P. Mello, M. Montali, and P. Torroni. Commitment tracking via the reactive event calculus. In IJCAI, pp. 91–96, 2009.
[6] A. K. Chopra and M. P. Singh. Contextualizing commitment protocol. In AAMAS, pp. 1345–1352, 2006.
[7] S. Cranefield and M. Winikoff. Verifying social expectations by model checking truncated paths. In COIN, LNCS 5428, pp. 204–219. Springer, 2009.
[8] N. Desai and M. P. Singh. On the enactability of business protocols. In AAAI, pp. 1126–1131, July 2008.
[9] M. El-Menshawy, J. Bentahar, and R. Dssouli. Verifiable semantic model for agent interactions using social commitments. In Proc. Intl. WS Languages, Methodologies, and Development Tools for Multi-Agent Sys., LNCS 6039, pp. 128–152. Springer, 2010.
[10] N. Fornara and M. Colombetti. Operational specification of a commitment-based agent communication language. In AAMAS, pp. 535–542, 2002.
[11] L. Giordano, A. Martelli, and C. Schwind. Specifying and verifying interaction protocols in a temporal action logic. Journal of Applied Logic, 5(2):214–234, 2007.
[12] A. I. Goldman. A Theory of Human Action. Prentice-Hall, Englewood Cliffs, NJ, 1970.
[13] A. U. Mallya, P. Yolum, and M. P. Singh. Resolving commitments among autonomous agents. In WS on Agent Communication, LNAI 2922, pp. 166–182. Springer, 2003.
[14] H. M. I. Robert, W. J. Evans, D. H. Honemann, and T. J. Balch. Robert's Rules of Order, 10th Ed. Da Capo Press, 2000.
[15] J. R. Searle. The Construction of Social Reality. Free Press, New York, 1995.
[16] M. P. Singh. Distributed enactment of multiagent workflows: Temporal logic for service composition. In AAMAS, 2003.
[17] M. P. Singh. Semantical considerations on dialectical and practical commitments. In AAAI, pp. 176–181, 2008.
[18] W. van der Hoek and M. Wooldridge. On the dynamics of delegation, cooperation, and control: A logical account. In AAMAS, pp. 701–708, 2005.
[19] P. Yolum and M. P. Singh. Flexible protocol specification and execution: Applying event calculus planning using commitments. In AAMAS, pp. 527–534, 2002.