Differential dynamic logic and applications

Academic year: 2021


Universidade de Aveiro, Departamento de Matemática, 2015

Daniel Oliveira Figueiredo

Lógica diferencial dinâmica e aplicações

Differential dynamic logic and applications


Dissertation submitted to the Universidade de Aveiro in fulfilment of the requirements for the degree of Master in Mathematics and Applications, carried out under the scientific supervision of Doutor Manuel António Martins, Assistant Professor at the Departamento de Matemática of the Universidade de Aveiro.

This dissertation was funded by the European Regional Development Fund (FEDER), through the COMPETE programme (Programa Operacional Fatores de Competitividade), and by national funds through FCT (Fundação para a Ciência e a Tecnologia), within project FCOMP-01-0124-FEDER-028923 (NASONI), under a research grant.


The jury

President: Dirk Hofmann, Assistant Professor at the Universidade de Aveiro (by delegation of the Rector of the Universidade de Aveiro)

Examiners: Manuel António Gonçalves Martins, Assistant Professor at the Universidade de Aveiro (supervisor)

Sérgio Roseiro Teles Marcelino, Post-doctoral Fellow at the Universidade de Lisboa – Instituto Superior Técnico (principal examiner)


Acknowledgements

First of all, I thank God for always listening to me and for all the help He has given me.

I also want to thank my family, in particular my parents, for all the support they have given. Everything is easier with a united family behind you. I also thank Isabel Iglésias for accompanying me during these years, for managing to put up with me and for always being ready to help me. I further thank all my mathematics colleagues for always encouraging and motivating me during these years. In particular, I thank Diana Costa for all the help and aesthetic suggestions given for this dissertation. My thanks also go to my friends who were and/or are part of the CLU group of Aveiro, for the time spent every week at the Escolas de Comunidade.

I also want to thank Doutora Madalena Chaves and Claudio Fuentes for all the support they provided. In particular, I am grateful for the opportunity I had to learn more about molecular biology with them, in France and in Chile respectively.

Finally, and especially, I thank Professor Manuel António Martins for having proposed that I take on this project and for always having helped and guided me during these years. To him, especially, a big thank you.




keywords Differential dynamic logic, dynamic logic, modal logic, biological regulatory networks, finite automata minimization.

abstract In industry, discrete tools are often used in systems whose behavior is continuous and modeled by the laws of mechanics. Systems that display both continuous and discrete dynamic behavior are known as hybrid systems. Differential dynamic logic is a logic developed recently in order to reason about hybrid systems.

In this work, we present differential dynamic logic as a generalization of dynamic logic (and consequently of modal logic). We also present some applications and discuss the usefulness of these logics in the areas of mechanics and molecular biology.

Although computational tools have already been applied to reasoning about biological regulatory networks with satisfactory results, our examples show that differential dynamic logic can be used as an alternative, or even as a complement, in synthetic biology.


Contents

List of Figures
List of Tables

1 Introduction
  1.1 Logics and their relevance in applications

2 Modal and dynamic logic
  2.1 Modal Logic
    2.1.1 Syntax and semantics
      Frame definability
    2.1.2 Normal logics and proof calculus
    2.1.3 Decidability
    2.1.4 Connection with first-order logic and generalizations
    2.1.5 Simulation/Bisimulation
    2.1.6 Applications
      Logic to express properties of automata
      Model reduction
      Applications to biology
  2.2 Dynamic Logic
    2.2.1 Syntax and semantics
    2.2.2 Proof calculus
    2.2.3 Bisimulation in dynamic logic
      Process calculus
    2.2.4 Applications and generalizations

3 Differential Dynamic Logic
  3.1 Syntax
    3.1.1 Terms and first-order formulas
    3.1.2 Hybrid programs
    3.1.3 Formulas of dL
  3.2 Semantics
    3.2.1 Valuation of first-order formulas
    3.2.2 Transition semantics
  3.3 Proof calculus
    3.3.1 Substitution
    3.3.2 Calculus rules
      Application of rules to hybrid programs
      Application of rules to quantifier elimination
      Other (global) rules
  3.4 Soundness
  3.5 Incompleteness

4 Applications
  4.1 Applications in mechanics
    Bouncing ball
    Train control
  4.2 Applications in biology
    Biological model orbit
    Biological control
  4.3 Verification software
    KeY
    KeYmaera
    Other hybrid verification software

5 Conclusion and further work

Appendices
  A Theorems in appendix


List of Figures

2.1 Representation of a Kripke model.
2.2 Two models, each a simulation of the other.
2.3 Two bisimilar models.
2.4 A simple automaton.
2.5 Boolean network model and partial graphs.
2.6 A model for dynamic logic.
2.7 Two non-bisimilar dynamic models.
3.1 A transition for the hybrid program α; β.
3.2 A transition for the hybrid program α ∪ β.
3.3 A transition for the hybrid program α∗.
3.4 A transition for the hybrid program ?χ.
3.5 A transition for a discrete jump set.
3.6 A transition for a system of differential equations.
3.7 A simple proof.
3.8 A proof schema using a quantifier elimination rule.
3.9 Another proof schema using a quantifier elimination rule.
3.10 Comparison between the two proof methods.
3.11 Two different valid proof schemas.
3.12 Deduction of the rule ind0.
3.13 A complete proof.
4.1 Behavior of a ball after being dropped.
4.2 Proof of the bouncing ball example.
4.3 Part of the proof attempt schema for the train control problem.
4.4 Conclusion of the proof attempt schema for the train control problem.
4.5 Three different behaviors near a steady state.
4.6 Orbit of the model in Table 4.1.
4.7 Proof of the biological model orbit problem.
4.8 Proof of the biological control problem.


List of Tables

2.1 Process calculus.
3.1 Rules of the dL calculus.
4.1 Piecewise linear model.


Chapter 1

Introduction

1.1 Logics and their relevance in applications

Looking over history, we see that logic has always been a subject that received special attention. Initially it was studied by philosophers, but with the enormous growth of science and knowledge (and, more recently, of computer science) it became necessary to study logic as a science in itself.

Technological advances have brought great improvements to our lives. However, some systems must be designed with particular care: there are systems in which small errors can cause great damage. For instance, an error in an aircraft control system can cause a crash with many human deaths. Further examples can nowadays be found in pacemakers and cruise control systems. Moreover, these systems are frequently described as having hybrid behavior, which arises from combining the usual continuous evolution with discrete controls (see [N14]). Because of this, it has become important to have logical languages, models and tools able to guarantee the correctness of these systems, which are known as safety-critical. Indeed, during the last decades several logics have been developed and many applications have arisen.

One of the first logics developed with this purpose was Hoare logic, proposed in 1969 (more details can be found in [H69]). This logic was developed specifically to reason about programs. However, stronger logics were needed, and several appeared (dynamic logic, temporal logics, ...) to deal with program correctness questions. There are also other applications of logic, for example the application of logical concepts and techniques to the study of model reduction processes in automata ([BBFLPPS10]). Indeed, such model reduction is often useful to other formal verification methods.

The growth of this area attracted interest from new groups. Industry in general began to take an interest in these logical applications and, in particular, in several logic-based verification tools.

However, there are also other fields in which logic is used. For example, in biological systems, Boolean networks are already commonly used ([G75], [TC13]). We consider that the use of mathematical models to reason about biological systems has three general goals: to model the system, to simulate its evolution and to verify some of its properties. Nowadays, other mathematical concepts such as Petri nets and both directed and undirected graphs are already used in the specification of biological systems ([D02]). This symbiosis between molecular biology and mathematics can produce interesting results and improvements, in a similar way to what has already been accomplished in other areas.

In this document, some logics and their importance for modeling both mechanical and biological systems will be presented. In particular, the study is centered on differential dynamic logic, a logic that was developed jointly with a verification tool so that it could be used industrially. This logic was presented recently and has a high level of expressiveness. It is a dynamic logic that also integrates first-order logic. Moreover, its main novelty is that it is hybrid, since it admits hybrid programs, i.e., programs that contain both discrete jump sets (which describe discrete behavior) and differential equations (which describe continuous behavior). Although we refer to the verification tool, this document pays special attention to the logic dL itself and not so much to the software.

Indeed, there are already several examples in which this logic was successfully used and important results were obtained. Some of these are applications to train control ([PQ09]), air traffic control ([PC09]) and surgical robotics ([KRPK13]). From our study, we believe that this logic can also be successfully used to describe the dynamics of regulatory networks. In this document, the focus will be on the areas of mechanics and cellular/molecular biology. We discuss some examples that, as far as we know, represent a new approach to these biological systems.

In Chapter 2 we begin by introducing the syntax, semantics and proof calculus of both modal logic and dynamic logic, which are the logics on which differential dynamic logic (dL) is based. We also prove some important properties of these logics and present some of their applications.

In Chapter 3 we introduce the syntax and semantics of dL. We give special attention to the proof calculus of this logic, since it is what allows us to prove properties of a hybrid system. We also prove the soundness and the incompleteness of this calculus.

In Chapter 4 we present several applications of dL. First, we present some already known examples in mechanics; then we present some new examples in biological contexts that corroborate the belief that this logic can be used in biology.


Chapter 2

Modal and dynamic logic

In this chapter we introduce modal logic and dynamic logic. To better understand the concepts of dL it is useful to be familiar with these logics, so their syntax, semantics and proof calculus are presented. Some applications of these logics are presented as well.

2.1 Modal Logic

Modal logic was formally proposed and developed in the 20th century. It is an extension of classical propositional logic (see [K02]) with modalities. These modalities were conceived to deal with possibility; nowadays, however, they are interpreted in several ways: for example, they can be used to model phenomena related to time, or the transitions between states of an automaton.

Modal logic is nowadays used as the basis for a huge diversity of logics, as is the case of differential dynamic logic.

A more complete treatment of modal logic can be found in [BDV02].

2.1.1 Syntax and semantics

In modal logic, we consider a set Ω = {p₁, p₂, ...} of atomic formulas (also known as propositional symbols) from which we construct all formulas. We define the set Fml(Ω) of formulas recursively by:

- ⊥, ⊤ ∈ Fml(Ω);
- if ψ ∈ Ω then ψ ∈ Fml(Ω);
- if ψ ∈ Fml(Ω) then ¬ψ ∈ Fml(Ω);
- if ψ, ϕ ∈ Fml(Ω) then ψ ∨ ϕ ∈ Fml(Ω);
- if ψ, ϕ ∈ Fml(Ω) then ψ ∧ ϕ ∈ Fml(Ω);
- if ψ, ϕ ∈ Fml(Ω) then ψ → ϕ ∈ Fml(Ω);
- if ψ, ϕ ∈ Fml(Ω) then ψ ↔ ϕ ∈ Fml(Ω);
- if ψ ∈ Fml(Ω) then □ψ ∈ Fml(Ω);
- if ψ ∈ Fml(Ω) then ♦ψ ∈ Fml(Ω).

There are no other formulas.


The introduction of formulas like □ψ and ♦ψ is the main difference between this logic and classical propositional logic. Both □ and ♦ introduce the concept of modality.

When we deal with a specific formula ϕ it may be important to consider the set of sub-formulas of ϕ. The set Φ(ϕ) of sub-formulas of a formula ϕ is recursively defined by:

- Φ(⊥) = {⊥};
- Φ(⊤) = {⊤};
- if ϕ ∈ Ω, Φ(ϕ) = {ϕ};
- Φ(¬ϕ) = {¬ϕ} ∪ Φ(ϕ);
- Φ(ϕ ∨ ψ) = {ϕ ∨ ψ} ∪ Φ(ϕ) ∪ Φ(ψ);
- Φ(ϕ ∧ ψ) = {ϕ ∧ ψ} ∪ Φ(ϕ) ∪ Φ(ψ);
- Φ(ϕ → ψ) = {ϕ → ψ} ∪ Φ(ϕ) ∪ Φ(ψ);
- Φ(ϕ ↔ ψ) = {ϕ ↔ ψ} ∪ Φ(ϕ) ∪ Φ(ψ);
- Φ(□ϕ) = {□ϕ} ∪ Φ(ϕ);
- Φ(♦ϕ) = {♦ϕ} ∪ Φ(ϕ).

In modal logic, a model M for Ω is a triple (W, R, V) such that:

- W is a non-empty set;
- R ⊆ W × W is a binary relation;
- V : Ω → P(W) is a function that assigns a subset of W to each atomic formula.

The set W is referred to as the set of worlds. R is called the accessibility relation between worlds; this accessibility is closely connected to the interpretation of the modalities in the model M. The function V assigns to each atomic formula the set of all worlds in which that atomic formula is true.

The definition of a formula being true at a world w of a model M is given recursively. We write M, w ⊨ ϕ to state that the formula ϕ is true at the world w of the model M; otherwise we write M, w ⊭ ϕ.

- M, w ⊨ ⊤;
- M, w ⊭ ⊥;
- M, w ⊨ p ⇔ w ∈ V(p), for any p ∈ Ω;
- M, w ⊨ ¬ϕ ⇔ M, w ⊭ ϕ;
- M, w ⊨ ψ ∨ ϕ ⇔ M, w ⊨ ψ or M, w ⊨ ϕ;
- M, w ⊨ ψ ∧ ϕ ⇔ M, w ⊨ ψ and M, w ⊨ ϕ;
- M, w ⊨ ψ → ϕ ⇔ M, w ⊭ ψ or M, w ⊨ ϕ;
- M, w ⊨ ψ ↔ ϕ ⇔ M, w ⊨ ψ → ϕ and M, w ⊨ ϕ → ψ;
- M, w ⊨ □ϕ ⇔ M, w′ ⊨ ϕ for every w′ such that wRw′;
- M, w ⊨ ♦ϕ ⇔ M, w′ ⊨ ϕ for some w′ such that wRw′.

It is important to note that some of the logical operators above could be replaced by an equivalent formula, since their semantic interpretation is the same. For example, ψ ↔ ϕ ≡ (ψ → ϕ) ∧ (ϕ → ψ). We also have the equivalences ♦ψ ≡ ¬□¬ψ and □ψ ≡ ¬♦¬ψ.


In a modal logic model M = (W, R, V), the pair (W, R) is called a Kripke frame.

For a Kripke frame F, we write F, w ⊩ ϕ to state that ϕ is true at w in every model whose frame is F. The opposite is denoted by F, w ⊮ ϕ.

We can observe that if M = (W, R, V) and F = (W, R), then F, w ⊩ ϕ ⇒ M, w ⊨ ϕ. Modal logic models are usually referred to as Kripke models.

Example 2.1.1. Figure 2.1 shows an example of a Kripke model (W, R, V). Each world is labelled with the atomic propositions that are true at it (as given by the function V : Ω → P(W) of the model). The arrows represent the accessibility relation R.

Figure 2.1: Representation of a Kripke model.

Given a formula, we can check whether it is true at a world wᵢ of the model. For instance, we can conclude that ¬r is true at w₄ since w₄ ∉ V(r), and that ♦p is true at w₂ because w₃ ∈ V(p) (i.e., M, w₃ ⊨ p) and (w₂, w₃) ∈ R. Furthermore, □q is true at w₁, and □⊥ is true at w₆ because there is no w ∈ W such that (w₆, w) ∈ R.

Definition 2.1.1. We say that a formula ϕ is valid in the model M, denoted by M ⊨ ϕ, when M, w ⊨ ϕ for every w ∈ W.

We say that a formula ϕ is valid, denoted by ⊨ ϕ, when M ⊨ ϕ for every model M. We say that a formula ϕ is valid in the frame F, denoted by F ⊩ ϕ, when F, w ⊩ ϕ for every w ∈ W.

We may use both symbols ⊨ and ⊩ to state validity; however, in order to unify the notation, and since no ambiguity arises, from now on we use the symbol ⊨ instead of ⊩.

We call attention to the fact that ⊨ ϕ implies ⊭ ¬ϕ. Nevertheless, the converse does not hold. For example, if we consider a model M with two worlds w₁, w₂ such that M, w₁ ⊨ ϕ and M, w₂ ⊨ ¬ϕ, then ⊭ ¬ϕ but also ⊭ ϕ.

In propositional logic, we call a function f : Ω → {true, false} a valuation. In modal logic, this definition has to be generalized to deal with modalities.

Definition 2.1.2. Let us consider the set

Q(Ω) := {ϕ ∈ Fml(Ω) : ϕ ∈ Ω or ϕ = □ψ for some ψ ∈ Fml(Ω)}.

The formulas in Q(Ω) are called the quasi-atomic formulas of Ω.

We say that a function f : Q(Ω) → {true, false} is a basic valuation of modal logic. Each basic valuation f can be uniquely extended to a valuation f∗ from Fml(Ω) into {true, false}. This extension is defined by the following rules:


- f∗(⊥) = false;
- f∗(⊤) = true;
- if ϕ ∈ Q(Ω), then f∗(ϕ) = f(ϕ);
- f∗(¬ϕ) = true if f∗(ϕ) = false, and false if f∗(ϕ) = true;
- f∗(ϕ ∨ ψ) = false if f∗(ϕ) = false and f∗(ψ) = false, and true otherwise;
- f∗(ϕ ∧ ψ) = true if f∗(ϕ) = true and f∗(ψ) = true, and false otherwise;
- f∗(ϕ → ψ) = false if f∗(ϕ) = true and f∗(ψ) = false, and true otherwise;
- f∗(ϕ ↔ ψ) = true if f∗(ϕ) = f∗(ψ), and false otherwise;
- f∗(♦ϕ) = true if f∗(□¬ϕ) = false, and false otherwise.

It is easy to see that if f∗ and g∗ are two extended valuations, then f∗ = g∗ ⇔ f = g.

Definition 2.1.3. We say that ϕ is a tautology of modal logic if f∗(ϕ) = true for every basic valuation f (with extension f∗).

In particular, the set of tautologies of propositional logic is contained in the set of tautologies of modal logic.

Proposition 2.1.1. For each world w of any model M there exists a basic valuation f_{M,w} such that, for its extension f∗_{M,w}, f∗_{M,w}(ϕ) = true if and only if M, w ⊨ ϕ.

Proof: We define f_{M,w} as follows:

- for any p ∈ Ω, f_{M,w}(p) = true ⇔ w ∈ V(p) ⇔ M, w ⊨ p;
- for any □ψ ∈ Q(Ω), f_{M,w}(□ψ) = true ⇔ M, w′ ⊨ ψ for every w′ such that (w, w′) ∈ R.

The equivalence f∗_{M,w}(ϕ) = true ⇔ M, w ⊨ ϕ holds since the recursive definition of the extension f∗ coincides with the recursive definition of truth for general formulas. ∎

Corollary 2.1.2. ⊨ ϕ for any tautology ϕ.

Proof: If ϕ is a tautology, then f∗(ϕ) = true for every basic valuation f, since f extends unambiguously to f∗. By Proposition 2.1.1, to each world w of any model M corresponds a basic valuation f_{M,w}. Thus M, w ⊨ ϕ for any model M and any world w, i.e. ⊨ ϕ. ∎


Definition 2.1.4. If ϕ is a tautology and p₁, ..., pₙ are atomic formulas, then ϕ^{ψ₁...ψₙ}_{p₁...pₙ} denotes the formula obtained from ϕ by simultaneously replacing each atomic formula pₖ by the corresponding formula ψₖ. Such substitutions are called uniform substitutions.

Proposition 2.1.3. If ϕ is a tautology and ψ is a uniform substitution of ϕ, then ψ is also a tautology.

Proof: Let ψ = ϕ^{ψ₁...ψₙ}_{p₁...pₙ} and let f be an arbitrary basic valuation. We define a basic valuation g as follows:

- g(p₁) = f∗(ψ₁);
  ...
- g(pₙ) = f∗(ψₙ);
- g(□χ) = f(□χ^{ψ₁...ψₙ}_{p₁...pₙ}) for each quasi-atomic formula □χ ∈ Q(Ω) (a □-subformula of ϕ is itself changed by the substitution; when χ contains none of the pₖ this is just g(□χ) = f(□χ));
- g(γ) = f(γ) for every other γ ∈ Q(Ω).

Hence, by induction on ϕ, f∗(ψ) = f∗(ϕ^{ψ₁...ψₙ}_{p₁...pₙ}) = g∗(ϕ) and, since ϕ is a tautology and g is a basic valuation, g∗(ϕ) = true. Since f is arbitrary, ψ is a tautology. ∎

We have shown that all tautologies are valid formulas. However, the converse is not true. An example is the formula

K := □(ϕ → ψ) → (□ϕ → □ψ)

which is valid but is not a tautology (see [C80]).

Frame definability

The study of some classes of frames can be useful. Indeed, there are classes of frames that can be defined by modal formulas. We end this section with a proposition that presents some of these properties.

Proposition 2.1.4. Let F = (W, R) be a Kripke frame and p ∈ Ω. Then:

- F ⊨ □p → p ⇔ R is a reflexive relation;
- F ⊨ p → □♦p ⇔ R is a symmetric relation;
- F ⊨ □p → □□p ⇔ R is a transitive relation.

Proof: It is not difficult to verify that the "⇐" implications hold (more details can be found in [G92]), so we only prove the "⇒" implications, in contrapositive form. Let F = (W, R) be a Kripke frame.

Suppose that R is not reflexive; then there is a world w ∈ W such that (w, w) ∉ R. Choose V such that w′ ∈ V(p) for every w′ with wRw′ and w ∉ V(p). Then (F, V), w ⊭ □p → p and therefore F ⊭ □p → p.

If R is not symmetric, then there exist two worlds w, w′ ∈ W such that (w, w′) ∈ R but (w′, w) ∉ R. Hence, if we choose V such that V(p) = {w}, then p → □♦p does not hold at w (p holds at w, but no successor of w′ lies in V(p)), and therefore F ⊭ p → □♦p.

Finally, if R is not transitive, then there exist u, v, w ∈ W such that (u, v), (v, w) ∈ R and (u, w) ∉ R. Choose V such that v′ ∈ V(p) for every v′ with (u, v′) ∈ R and w ∉ V(p). Then (F, V), u ⊭ □p → □□p and therefore F ⊭ □p → □□p. ∎


Note 1. The formulas in Proposition 2.1.4 play an important role in modal logic, and thus it is usual to use the following notation when referring to them:

T := □p → p        B := p → □♦p        4 := □p → □□p

2.1.2 Normal logics and proof calculus

When we study modal logic, an important concept is the notion of normal logic. We say that Λ ⊆ Fml(Ω) is a logic if Λ contains all classical tautologies and their uniform substitutions, and is closed under the Modus Ponens rule (i.e. if ϕ, ϕ → ψ ∈ Λ, then ψ ∈ Λ).

Definition 2.1.5. Let Λ ⊆ Fml(Ω) be a logic. We say that Λ is normal when:

- it contains the formula K := □(ϕ → ψ) → (□ϕ → □ψ), for all formulas ϕ, ψ;
- if ϕ ∈ Λ then also □ϕ ∈ Λ.

We call K := ⋂{Λ : Λ is normal} the minimal normal logic.

We now introduce the calculus rules for a normal logic Λ. In the rules, the formulas above the bar are the premises and those below the bar are the conclusions.

The calculus rules for a normal logic are the following:

(ax)   ─────   where τ is any formula of Λ;
         τ

(MP)   ϕ    ϕ → ψ
       ──────────
            ψ

(□I)     ϕ
       ─────
        □ϕ

A proof of a formula ψ in a logic Λ is a finite sequence of formulas ϕ₁, ..., ϕₙ = ψ such that each formula ϕₖ is obtained from the previous formulas ϕ₁, ..., ϕₖ₋₁ via a calculus rule. When there is a proof of ψ in the logic Λ we simply write ⊢Λ ψ. Clearly ⊢Λ τ for any τ ∈ Λ.

Definition 2.1.6. Let Λ be a normal logic and Γ ⊆ Fml(Ω) a set of formulas.

We say that Λ is consistent if it is not possible to prove both ϕ and ¬ϕ for any formula ϕ ∈ Fml(Ω), i.e. ⊬Λ ϕ ∧ ¬ϕ for every ϕ ∈ Fml(Ω). In particular, ϕ ∧ ¬ϕ ∉ Λ for every ϕ ∈ Fml(Ω).

We write Γ ⊢Λ ϕ when there exists a finite subset {γ₁, γ₂, ..., γₙ} ⊆ Γ such that ⊢Λ γ₁ → (γ₂ → (...(γₙ → ϕ)...)).

We say that Γ is Λ-consistent if Γ ⊬Λ ϕ ∧ ¬ϕ for every ϕ ∈ Fml(Ω).

We say that Γ is Λ-maximal if it is Λ-consistent and, for each formula ϕ ∈ Fml(Ω), ϕ ∈ Γ or ¬ϕ ∈ Γ.

We note that if Γ is Λ-maximal and Γ ⊢Λ ϕ, then ϕ ∈ Γ, because otherwise ¬ϕ ∈ Γ by the maximality of Γ, which contradicts the Λ-consistency of Γ. In particular, Λ ⊆ Γ.

Proposition 2.1.5. Let Λ be a consistent normal logic. If Γ ⊆ Fml(Ω) is Λ-consistent, then Γ can be extended to a Λ-maximal set.


Proof: Let us assume that Ω is finite or countable, so that the set Fml(Ω) of all formulas is countable. Let ϕ₀, ϕ₁, ... be an enumeration of the formulas in Fml(Ω).

We define Γ₀ = Γ and

Γₙ₊₁ = Γₙ ∪ {ϕₙ} if Γₙ ⊢Λ ϕₙ, and Γₙ₊₁ = Γₙ ∪ {¬ϕₙ} otherwise.

Then ∆ = ⋃{Γₙ : n ∈ ℕ} contains either ϕ or ¬ϕ for every formula ϕ ∈ Fml(Ω), and it is an extension of Γ.

Finally, we must prove that ∆ is Λ-consistent. We first prove by induction on n that each Γₙ is Λ-consistent.

We know that Γ₀ = Γ is Λ-consistent by hypothesis.

Suppose that Γₙ is Λ-consistent and Γₙ ⊢Λ ϕₙ. If Γₙ₊₁ := Γₙ ∪ {ϕₙ} were not Λ-consistent, then Γₙ ∪ {ϕₙ} ⊢Λ ψ ∧ ¬ψ for some ψ ∈ Fml(Ω), and thus Γₙ ⊢Λ ϕₙ → (ψ ∧ ¬ψ). Since Γₙ ⊢Λ ϕₙ, Modus Ponens gives Γₙ ⊢Λ ψ ∧ ¬ψ, which contradicts the Λ-consistency of Γₙ.

If Γₙ is Λ-consistent but Γₙ ⊬Λ ϕₙ, then Γₙ₊₁ := Γₙ ∪ {¬ϕₙ}. If Γₙ₊₁ were not Λ-consistent then, as before, Γₙ ⊢Λ ¬ϕₙ → (ψ ∧ ¬ψ) for some ψ. However, since (¬ϕₙ → (ψ ∧ ¬ψ)) → ϕₙ is a classical tautology, we could conclude Γₙ ⊢Λ ϕₙ, which contradicts Γₙ ⊬Λ ϕₙ. Therefore every Γₙ is Λ-consistent.

Suppose now that ∆ is not Λ-consistent, so that ∆ ⊢Λ ϕ ∧ ¬ϕ for some formula ϕ. This means that there is a finite subset {ψ₁, ψ₂, ..., ψₙ} of ∆ such that ⊢Λ ψ₁ → (ψ₂ → (...(ψₙ → ϕ ∧ ¬ϕ)...)). By construction there exist k₁, ..., kₙ ∈ ℕ such that ψ₁ ∈ Γ_{k₁}, ..., ψₙ ∈ Γ_{kₙ}. Since each Γ_{kᵢ} ⊆ Γ_{max(kᵢ)} and Γ_{max(kᵢ)} is Λ-consistent, we obtain a contradiction. ∎

Corollary 2.1.6. If Λ is a consistent normal logic, then Λ = ⋂{Γ : Γ is a Λ-maximal set}.

Proof: The ⊆ inclusion is immediate, since Λ ⊆ Γ for every Λ-maximal Γ (as noted above).

To prove the ⊇ inclusion, let ϕ ∉ Λ; we find a Λ-maximal set that does not contain ϕ. First, ⊬Λ ¬¬ϕ, because otherwise the classical tautology ¬¬ϕ → ϕ would give ⊢Λ ϕ, contradicting ϕ ∉ Λ. Hence Λ ∪ {¬ϕ} is Λ-consistent (an inconsistency would yield ⊢Λ ¬ϕ → (ψ ∧ ¬ψ) for some ψ, and therefore ⊢Λ ¬¬ϕ) and, by Proposition 2.1.5, Λ ∪ {¬ϕ} can be extended to a Λ-maximal set Γ₁, which does not contain ϕ since it is Λ-consistent and contains ¬ϕ. Thus ϕ ∉ ⋂{Γ : Γ is a Λ-maximal set}. ∎

From now on, we assume that Λ is a consistent normal logic.

Definition 2.1.7. The canonical model of Λ is MΛ = (WΛ, RΛ, VΛ) such that:

- WΛ = {w : w ⊆ Fml(Ω) and w is Λ-maximal};
- RΛ = {(v, w) : □ϕ ∈ v ⇒ ϕ ∈ w, for every ϕ ∈ Fml(Ω)};
- VΛ(p) = {w ∈ WΛ : p ∈ w}.

Lemma 2.1.7. For any s ∈ WΛ and ϕ ∈ Fml(Ω), □ϕ ∈ s ⇔ ϕ ∈ t for every t such that sRΛt.

Proof: The "⇒" implication is immediate from the definition of RΛ.

Conversely, assume that ϕ ∈ t for every t such that sRΛt. Since s is Λ-maximal, either ♦¬ϕ ∈ s or ¬♦¬ϕ ≡ □ϕ ∈ s. If ♦¬ϕ ∈ s, then the set {¬ϕ} ∪ {ψ : □ψ ∈ s} is Λ-consistent and, by Proposition 2.1.5, it extends to a Λ-maximal t with sRΛt and ¬ϕ ∈ t, against the assumption. Hence ♦¬ϕ ∉ s and therefore □ϕ ∈ s. ∎

Proposition 2.1.8. MΛ, s ⊨ ϕ ⇔ ϕ ∈ s.

Proof: We prove this proposition by induction on formulas.

• If ϕ ∈ Ω, then MΛ, s ⊨ ϕ ⇔ s ∈ VΛ(ϕ) ⇔ ϕ ∈ s, by the definition of VΛ.

• MΛ, s ⊨ ⊥ ⇔ ⊥ ∈ s, since both sides are false: ⊥ is never true and s is consistent. Analogously, the same holds for ⊤.

• MΛ, s ⊨ ¬ϕ ⇔ MΛ, s ⊭ ϕ ⇔ ϕ ∉ s (by induction hypothesis) ⇔ ¬ϕ ∈ s (by the Λ-maximality of s).

• MΛ, s ⊨ ϕ ∧ ψ ⇔ MΛ, s ⊨ ϕ and MΛ, s ⊨ ψ ⇔ ϕ ∈ s and ψ ∈ s ⇔ ϕ ∧ ψ ∈ s, by the induction hypothesis and the Λ-maximality of s. The proof for formulas of the form ϕ ∨ ψ, ϕ → ψ and ϕ ↔ ψ is similar.

• MΛ, s ⊨ □ϕ ⇔ MΛ, t ⊨ ϕ for every t ∈ WΛ with sRΛt ⇔ ϕ ∈ t for every t ∈ WΛ with sRΛt ⇔ □ϕ ∈ s, as shown in Lemma 2.1.7.

Since ♦ϕ ≡ ¬□¬ϕ, the proof is concluded. ∎

Theorem 2.1.9. MΛ ⊨ ϕ ⇔ ϕ ∈ Λ.

Proof: Corollary 2.1.6 allows us to conclude that Λ = ⋂{s : s is Λ-maximal}, and by Proposition 2.1.8, MΛ ⊨ ϕ iff ϕ ∈ s for every Λ-maximal s. The result follows. ∎

Theorem 2.1.10. ⊢K ϕ ⇔ ⊨ ϕ.

Proof: To prove the "⇒" implication we start by recalling that K is the minimal normal logic. We also know that any modal tautology is valid and that K = □(ϕ → ψ) → (□ϕ → □ψ) is valid. Thus we only need to prove that if ϕ is valid then □ϕ is valid as well, and that the Modus Ponens rule preserves validity.

Let ϕ be valid, i.e., ϕ is true at every world of every model. The formula □ϕ is true at a world w if ϕ is true at every world w′ such that wRw′. But, by hypothesis, ϕ is valid, and hence □ϕ is true at w. Since w was arbitrary, □ϕ is valid.

To prove the soundness of the Modus Ponens rule, assume that ϕ and ϕ → ψ are valid, i.e. ⊨ ϕ and ⊨ ϕ → ψ. Then, at every world w of every model M, M, w ⊨ ϕ and (M, w ⊭ ϕ or M, w ⊨ ψ), so M, w ⊨ ψ; that is, ⊨ ψ.

To prove the converse implication "⇐", note that ⊨ ϕ implies, in particular, MK ⊨ ϕ. By Theorem 2.1.9, MK ⊨ ϕ ⇒ ϕ ∈ K and, by definition, ϕ ∈ K ⇒ ⊢K ϕ. ∎


This theorem states the soundness and completeness of the proof calculus for the normal modal logic K.

This result can be adapted to other normal logics. For example, if we consider KT, the least normal logic containing K and T, it is still possible to prove that ⊢KT ϕ ⇔ F ⊨ ϕ for every frame F = (W, R) such that R is reflexive. Analogously, ⊢K4 ϕ ⇔ F ⊨ ϕ for every frame F = (W, R) such that R is transitive, and ⊢KB ϕ ⇔ F ⊨ ϕ for every frame F = (W, R) such that R is symmetric.

We may also combine these formulas. For example, the logic KTB corresponds to the frames whose relation is reflexive and symmetric.

Note 2. The following notation is usual:

S4 := KT4
S5 := KTB4

A more detailed study of these logics can be found in [C80].

2.1.3 Decidability

The soundness and completeness of a logic are fundamental properties. Nevertheless, given an arbitrary formula ϕ, it is also useful to have an algorithmic procedure that determines whether it is valid or not. This property is called decidability, and it holds for classical propositional logic. In this section we prove that modal logic is indeed decidable. Before continuing, recall that Φ(ϕ) is the set of sub-formulas of ϕ.

Definition 2.1.8. We say that Γ ⊆ Fml(Ω) is closed under sub-formulas when Φ(ϕ) ⊆ Γ for every ϕ ∈ Γ.

In particular, for any formula ϕ ∈ Fml(Ω), Φ(ϕ) is closed under sub-formulas.

Definition 2.1.9. Let Γ be closed under sub-formulas and let M = (W, R, V) be a model. We define the set Γ_w := {ϕ ∈ Γ : M, w ⊨ ϕ} and the equivalence relation ∼Γ such that w ∼Γ w′ ⇔ Γ_w = Γ_{w′}.

We simply write WΓ for the quotient set W/∼Γ, and we denote the equivalence class of w ∈ W by [w].

If we consider the function f : W → P(Γ) such that f(w) = Γ_w, we see that it induces an injective function f′ : WΓ → P(Γ). Hence, if |Γ| = n, then |WΓ| ≤ 2ⁿ.

Definition 2.1.10. Let Γ be closed under sub-formulas and let M = (W, R, V) be a model. We say that MΓ = (WΓ, RΓ, VΓ) is a Γ-filtration of M when:

- wRw′ ⇒ [w]RΓ[w′];
- [w]RΓ[w′] ⇒ ((□ϕ ∈ Γ ∧ M, w ⊨ □ϕ) ⇒ M, w′ ⊨ ϕ);
- for every p ∈ Ω ∩ Γ, VΓ(p) = {[w] : w ∈ V(p)}.

It is always possible to find a filtration. For example, we may define [s]RΓ[t] ⇔ there exist s′ ∈ [s] and t′ ∈ [t] such that s′Rt′. This is the smallest filtration.

Lemma 2.1.11. Let MΓ be a Γ-filtration of M. Then, for every ϕ ∈ Γ, M, w ⊨ ϕ ⇔ MΓ, [w] ⊨ ϕ.

We firstly verify that M, w  p ⇔ MΓ, [w]  p for any p ∈ Ω ∩ Γ. The “ ⇒ ” is trivial

and the reciprocal arises from the fact that Γw = Γw0 for any w, w0 such that [w] = [w0].

We note that we do not need to prove this statement for the complete set Ω before to proceed with the inductive proof since Γ is closed under sub-formulas.

The proof for ⊥, > and for formulas of the form ¬ϕ, ϕ ∨ ψ, ϕ ∧ ψ, ϕ → ψ and ϕ ↔ ψ is trivial, thus we only present the proof for one of these formulas. We prove the result for the formulas of the form ϕ ∨ ψ:

MΓ, [w]  ϕ ∨ ψ

⇔ MΓ, [w]  ϕ or MΓ, [w]  ψ (by definition) ⇔ M, w  ϕ or M, w  ψ (by hypothesis) ⇔ M, w  ϕ ∨ ψ.

Finally, we present the proof for formulas of the form ϕ: “⇒ ”

MΓ, [w]  ϕ

⇔ MΓ, [w0]  ϕ for any w0 such that [w]R[w0]

⇒ M, w0  ϕ for any w0 such that wRw0 (by induction hypothesis and since wRw0

[w]RΓ[w0])

⇔ M, w  ϕ. “⇐ ”

M, w  ϕ

⇔ M, w0  ϕ for any w0 such that wRw0

⇒ MΓ, [w0]  ϕ for any w0such that [w]R[w0] (by induction hypothesis and since [w]RΓ[w0]

⇒ ((ϕ ∈ Γ ∧ M, w  ϕ) ⇒ M, w0  ϕ)) ⇔ MΓ, [w]  ϕ.

Since ♦ϕ is semantically equivalent to ¬¬ϕ, we can conclude the proof.

 Corollary 2.1.12. Let MΓ be a Γ-filtration of M and ϕ ∈ Γ. Then, M  ϕ ⇔ MΓ  ϕ.

Theorem 2.1.13. `K ϕ ⇔ F  ϕ, for any frame F = (W, R) with |W | ≤ 2|Φ(ϕ)|.

Proof: The implication “ ⇒ ” is proved by the soundness of K. To prove the reciprocal we begin by assuming that 0K ϕ and hence, by the completeness of K, there exist a model

M and a world w such that M, s 2 ϕ. Let MΦ(ϕ) be a Φ(ϕ)-filtration of M. Thus, by

the previous lemma, we can conclude that MΦ(ϕ), [s] 2 ϕ. Thus, we know that MΦ(ϕ) =

(WΦ(ϕ), RΦ(ϕ), VΦ(ϕ)) and |WΦ(ϕ)| = 2Φ(ϕ)

 Theorem 2.1.13 proves the decidability of modal logic since the number of frames with |W | ≤ 2|Φ(ϕ)| is finite and, therefore, it is possible to construct an algorithm that verifies the truth of any formula ϕ in finite computational time.

(31)
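The filtration construction above can be carried out mechanically on a finite model. The following Python code is an added example (it is not code from the thesis): it evaluates modal formulas, builds the smallest Φ(ϕ)-filtration of a constructed five-world model and checks Lemma 2.1.11 on every world and every sub-formula. The tuple encoding of formulas and the sample model are this example's own choices.

```python
"""Smallest Γ-filtration of a finite Kripke model (added example, not from the thesis).

Formulas are nested tuples: ('p',) atom, ('bot',), ('top',), ('not', f),
('and', f, g), ('or', f, g), ('imp', f, g), ('box', f), ('dia', f).
A model is (W, R, V): W a set of worlds, R a set of pairs, V a dict atom -> set of worlds.
"""


def subformulas(f):
    """Φ(f): the set of sub-formulas of f, which is closed under sub-formulas."""
    out = {f}
    for part in f[1:]:
        if isinstance(part, tuple):
            out |= subformulas(part)
    return out


def holds(model, w, f):
    """M, w ⊨ f, following the modal semantics clause by clause."""
    W, R, V = model
    op = f[0]
    if op == 'bot':
        return False
    if op == 'top':
        return True
    if op == 'not':
        return not holds(model, w, f[1])
    if op == 'and':
        return holds(model, w, f[1]) and holds(model, w, f[2])
    if op == 'or':
        return holds(model, w, f[1]) or holds(model, w, f[2])
    if op == 'imp':
        return (not holds(model, w, f[1])) or holds(model, w, f[2])
    if op == 'box':
        return all(holds(model, v, f[1]) for (u, v) in R if u == w)
    if op == 'dia':
        return any(holds(model, v, f[1]) for (u, v) in R if u == w)
    return w in V.get(op, set())          # atomic proposition


def smallest_filtration(model, gamma):
    """Build M_Γ = (W_Γ, R_Γ, V_Γ) for Γ closed under sub-formulas.

    The class [w] is represented by Γ_w = {ϕ ∈ Γ : M, w ⊨ ϕ} itself, so two worlds
    are identified exactly when w ∼_Γ w', and |W_Γ| ≤ 2^|Γ| is immediate.
    R_Γ is the smallest filtration: [s] R_Γ [t] iff s' R t' for some s' ∈ [s], t' ∈ [t].
    Returns the filtered model and the map w ↦ [w]."""
    W, R, V = model
    cls = {w: frozenset(f for f in gamma if holds(model, w, f)) for w in W}
    W_g = set(cls.values())
    R_g = {(cls[s], cls[t]) for (s, t) in R}
    V_g = {p: {cls[w] for w in V[p]} for p in V if (p,) in gamma}
    return (W_g, R_g, V_g), cls


def filtration_demo():
    """Constructed model: a chain 0→1→2→3→4 with the loop 4→2, and Γ = Φ(□(p → ◇q)).
    Returns (|W_Γ|, |Γ|, lemma_holds), where lemma_holds checks Lemma 2.1.11 for
    every w ∈ W and every ϕ ∈ Γ."""
    W = {0, 1, 2, 3, 4}
    R = {(0, 1), (1, 2), (2, 3), (3, 4), (4, 2)}
    V = {'p': {1, 2, 4}, 'q': {2, 3, 4}}
    M = (W, R, V)
    phi = ('box', ('imp', ('p',), ('dia', ('q',))))
    gamma = subformulas(phi)
    M_g, cls = smallest_filtration(M, gamma)
    lemma_holds = all(holds(M, w, f) == holds(M_g, cls[w], f)
                      for w in W for f in gamma)
    return len(M_g[0]), len(gamma), lemma_holds


if __name__ == '__main__':
    print(filtration_demo())   # (4, 5, True): worlds 2 and 4 collapse into one class
```

The bound 2^{|Γ|} is what makes the frame enumeration of Theorem 2.1.13 finite; it is not a practical decision procedure, since the number of relations on 2^{|Γ|} worlds is astronomically large, but the filtration itself (as here) is cheap to compute for a given model.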

2.1.4 Connection with first-order logic and generalizations

It is easily seen that classical propositional logic is a fragment of modal logic. It is also possible to interpret modal logic as a fragment of first-order logic. This connection is not direct: it is necessary to translate the language of modal logic into a first-order language (in particular, the symbols □ and ◇). In this section this connection is presented together with the translation.

First-order formulas are constructed over a set X of variables, a set of function symbols and a set of relation symbols, to which the logical operators are added. We recall that the arity of a function/relation symbol is the number of arguments it expects.

Here we present what is called the standard translation. We only consider one binary relation symbol R and a finite set of unary relation symbols {P, Q, ...}, together with a set X of variables. Under this translation, each atomic formula p corresponds to a unary symbol P, and variables correspond to worlds.

We can now define recursively the standard translation st_x of a modal formula with respect to a variable x of the first-order language:

- st_x(⊥) = ⊥;
- st_x(⊤) = ⊤;
- st_x(p) = P(x);
- st_x(¬ϕ) = ¬st_x(ϕ);
- st_x(ϕ ∨ ψ) = st_x(ϕ) ∨ st_x(ψ);
- st_x(ϕ ∧ ψ) = st_x(ϕ) ∧ st_x(ψ);
- st_x(ϕ → ψ) = st_x(ϕ) → st_x(ψ);
- st_x(ϕ ↔ ψ) = st_x(ϕ) ↔ st_x(ψ);
- st_x(□ϕ) = ∀y(xRy → st_y(ϕ)), where y is a new variable;
- st_x(◇ϕ) = ∃y(xRy ∧ st_y(ϕ)), where y is a new variable.

We may then regard a model M = (W, R, V) of modal logic as a first-order structure: the domain is W, each free variable x is assigned a world w ∈ W, the symbol R is interpreted as the relation R and, for each P, P(x) is true ⇔ x ∈ V(p).

Under these conditions we have the following result:

Theorem 2.1.14. Let st_x be the standard translation with respect to a variable x. Then:

1. M, w ⊨ ϕ ⇔ M ⊨ st_x(ϕ)[x ↦ w];
2. M ⊨ ϕ ⇔ M ⊨ ∀x(st_x(ϕ)).

Proof: 1. For any atomic formula p ∈ Ω:

M, w ⊨ p ⇔ w ∈ V(p) ⇔ M ⊨ P(x)[x ↦ w] ⇔ M ⊨ st_x(p)[x ↦ w].

The proof is completed by a routine induction on the structure of formulas: for □ϕ, the quantifier ∀y in st_x(□ϕ) ranges exactly over the worlds y with xRy, as the definition of M, w ⊨ □ϕ does, and the case ◇ϕ is analogous.

2. M ⊨ ϕ
⇔ M, w ⊨ ϕ for every w ∈ W
⇔ M ⊨ st_x(ϕ)[x ↦ w] for every w ∈ W
⇔ M ⊨ ∀x(st_x(ϕ)). □

As a consequence, modal logic is a fragment of first-order logic. In particular, this fragment is decidable, an important property which first-order logic as a whole does not have (see [B12]).

Modal logic can serve as base logic for several other logics. A first possibility is to introduce quantifiers, thus obtaining a quantified modal logic. In order to do this it becomes necessary to introduce a set of variables, a set of constants and a set of predicates. Similarly to first-order logic, the set of terms must be defined and then the set of formulas, which now contain the quantifiers ∀ and ∃. A more formal presentation of this and other generalizations can be found in [BV06].
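The standard translation of Theorem 2.1.14 can be implemented directly, and item 1 of the theorem can then be checked by evaluating the translated first-order formula over the Kripke model seen as a first-order structure. The Python code below is an added example, not part of the thesis; the tuple encodings of modal and first-order formulas, the fresh-variable scheme y1, y2, ... and the three-world sample model are this example's own choices.

```python
"""Standard translation st_x and its evaluation over a Kripke model viewed as a
first-order structure (added example, not from the thesis).

Modal formulas: ('p',) atom, ('bot',), ('top',), ('not', f), ('and'|'or'|'imp'|'iff', f, g),
('box', f), ('dia', f).
First-order formulas: ('P', x) unary predicate, ('R', x, y), ('forall', y, f),
('exists', y, f), and the same connectives.
"""
import itertools


def st(f, x, fresh=None):
    """st_x(f): each □/◇ introduces a new variable drawn from `fresh`."""
    if fresh is None:
        fresh = (f"y{i}" for i in itertools.count(1))
    op = f[0]
    if op in ('bot', 'top'):
        return f
    if op == 'not':
        return ('not', st(f[1], x, fresh))
    if op in ('and', 'or', 'imp', 'iff'):
        return (op, st(f[1], x, fresh), st(f[2], x, fresh))
    if op == 'box':
        y = next(fresh)
        return ('forall', y, ('imp', ('R', x, y), st(f[1], y, fresh)))
    if op == 'dia':
        y = next(fresh)
        return ('exists', y, ('and', ('R', x, y), st(f[1], y, fresh)))
    return (op.upper(), x)            # atom p becomes the unary predicate P(x)


def fo_holds(struct, env, f):
    """Evaluate a first-order formula in struct = (domain, R, preds) under assignment env."""
    domain, R, preds = struct
    op = f[0]
    if op == 'bot':
        return False
    if op == 'top':
        return True
    if op == 'not':
        return not fo_holds(struct, env, f[1])
    if op == 'and':
        return fo_holds(struct, env, f[1]) and fo_holds(struct, env, f[2])
    if op == 'or':
        return fo_holds(struct, env, f[1]) or fo_holds(struct, env, f[2])
    if op == 'imp':
        return (not fo_holds(struct, env, f[1])) or fo_holds(struct, env, f[2])
    if op == 'iff':
        return fo_holds(struct, env, f[1]) == fo_holds(struct, env, f[2])
    if op == 'forall':
        return all(fo_holds(struct, {**env, f[1]: d}, f[2]) for d in domain)
    if op == 'exists':
        return any(fo_holds(struct, {**env, f[1]: d}, f[2]) for d in domain)
    if op == 'R':
        return (env[f[1]], env[f[2]]) in R
    return env[f[1]] in preds[op]     # unary predicate P, Q, ...


def pretty(f):
    """Render a first-order formula as text."""
    op = f[0]
    sym = {'and': '∧', 'or': '∨', 'imp': '→', 'iff': '↔'}
    if op == 'bot':
        return '⊥'
    if op == 'top':
        return '⊤'
    if op == 'not':
        return '¬' + pretty(f[1])
    if op in sym:
        return f"({pretty(f[1])} {sym[op]} {pretty(f[2])})"
    if op in ('forall', 'exists'):
        return f"{'∀' if op == 'forall' else '∃'}{f[1]}({pretty(f[2])})"
    if op == 'R':
        return f"{f[1]}R{f[2]}"
    return f"{op}({f[1]})"


def as_structure(W, R, V):
    """The Kripke model (W, R, V) as a first-order structure: P holds of w iff w ∈ V(p)."""
    return (W, R, {p.upper(): V[p] for p in V})


def translation_demo():
    """Constructed model (three worlds in a cycle) and ϕ = □(p → ◇q).
    Returns the text of st_x(ϕ) and its truth value under [x ↦ w] for each world w,
    which by Theorem 2.1.14(1) is exactly the set of worlds where M, w ⊨ ϕ."""
    W = {0, 1, 2}
    R = {(0, 1), (1, 2), (2, 0)}
    V = {'p': {1, 2}, 'q': {2}}
    phi = ('box', ('imp', ('p',), ('dia', ('q',))))
    fo = st(phi, 'x')
    struct = as_structure(W, R, V)
    return pretty(fo), {w: fo_holds(struct, {'x': w}, fo) for w in W}


if __name__ == '__main__':
    text, truth = translation_demo()
    print(text)    # ∀y1((xRy1 → (P(y1) → ∃y2((y1Ry2 ∧ Q(y2))))))
    print(truth)   # {0: True, 1: False, 2: True}
```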

Another generalization (particularly important for applications) is the possibility of using more than one modality in the same logic. This is done by considering not a single relation R but a family of relations R_1, R_2, R_3, ..., which may be finite or infinite. These logics are known as multimodal logics.

In order to distinguish the different modalities it is necessary to label each one of them. Usually the notation [π_1], [π_2], ... is used instead of □, and ⟨π_1⟩, ⟨π_2⟩, ... instead of ◇.

The same idea of labeling is used in the graphical representation of Kripke models, i.e., each transition arrow is labeled with the corresponding modality symbol.

The concept of normal modal logic can also be applied to multimodal logics; we only need to adapt the definition of "normal" to the multimodal context.

Definition 2.1.11. A multimodal logic Λ is normal if:

- it contains [π](p → q) → ([π]p → [π]q) for every modality labeled by π;
- if it contains ϕ, then it also contains [π]ϕ for every modality labeled by π.

If no ambiguity arises, we denote by K the smallest normal logic of any multimodal context.

Some well studied normal multimodal logics are the temporal logics. Here we present one example of a temporal logic, although there are many others (see [G92], [RU71], [BBFLPPS10]). We denote the temporal logic presented here by Kt. It is a normal logic with two modalities, usually labeled by F (future) and P (past), and its purpose is to describe phenomena related to time.

In temporal logic, the modalities may be read as:

- [F] – "at any future time";
- ⟨F⟩ – "at some future time";
- [P] – "at any past time";
- ⟨P⟩ – "at some past time".

Definition 2.1.12. A temporal logic is a normal multimodal logic which contains the following formulas:

- ϕ → [F]⟨P⟩ϕ ("if ϕ holds today, then at any future time ϕ will be part of the past");
- [P]ϕ → [P][P]ϕ (transitivity of the past);
- [F]ϕ → [F][F]ϕ (transitivity of the future).

Kt is the smallest temporal logic.

There are other interesting formulas that may be considered. For example:

- ⟨P⟩ϕ → [F]⟨P⟩ϕ ("what belongs to the past today will always belong to the past in the future");
- ⟨F⟩ϕ → ⟨F⟩⟨F⟩ϕ ("between today and any future time there is an intermediate time", or "time is dense").

A frame for a model of this logic must have two relations R_P and R_F, associated with the modalities P and F:

- M, w ⊨ [P]ϕ ⇔ M, w′ ⊨ ϕ for every w′ such that wR_Pw′;
-, M, w ⊨ [F]ϕ ⇔ M, w′ ⊨ ϕ for every w′ such that wR_Fw′.

Definition 2.1.13. We call temporal frame a frame (W, R_F, R_P) such that:

- both relations R_P and R_F are transitive;
- sR_Pt ⇔ tR_Fs, so that the frame (W, R_F, R_P) can be written as (W, R, R^{-1}).

We end with two fundamental theorems regarding the temporal logic Kt.

Theorem 2.1.15. ⊢_Kt ϕ ⇔ F ⊨ ϕ for every temporal frame F.

Theorem 2.1.16. The logic Kt is decidable.

The proofs of these theorems are not presented here; they can be found in [RU71].

2.1.5 Simulation/Bisimulation

An important tool to relate modal models is the notion of bisimulation. It is a relation between the worlds of two models, used to show that the models are equivalent with respect to modal formulas.

Definition 2.1.14. Let M_1 = (W_1, R_1, V_1) and M_2 = (W_2, R_2, V_2) be models for Ω and S ⊆ W_1 × W_2 a binary relation. Then S is a bisimulation when:

1. if v ∈ W_1 and w ∈ W_2 are such that vSw, then M_1, v ⊨ p ⇔ M_2, w ⊨ p for every p ∈ Ω;
2. for any v, v′ ∈ W_1 and w ∈ W_2 such that vSw and vR_1v′, there exists w′ ∈ W_2 such that wR_2w′ and v′Sw′;
3. for any v ∈ W_1 and w, w′ ∈ W_2 such that vSw and wR_2w′, there exists v′ ∈ W_1 such that vR_1v′ and v′Sw′.

If there is a bisimulation linking v and w, we say that v and w are bisimilar and write M_1, v ⇄ M_2, w.

We say that a bisimulation is total if each state of M_1 is related to some state of M_2 and each state of M_2 to some state of M_1. If there is a total bisimulation between two models M_1 and M_2, we say that M_1 and M_2 are bisimilar models.

A relation that verifies conditions 1 and 2 but not necessarily condition 3 is called a simulation. If such a relation exists, we say that the model M_2 simulates the model M_1: every transition of M_1 from a related state can be matched by a transition of M_2.

It is important to note that even if there are two simulations such that M_1 simulates M_2 and M_2 simulates M_1, it does not follow that there is a bisimulation between M_1 and M_2. Consider the models presented in Figure 2.2.

Figure 2.2: Two models, M_1 (left) and M_2 (right), each of which simulates the other.

With the relation S_1 = {(A_1, B_1), (A_2, B_2)} ⊆ W_1 × W_2, M_2 simulates M_1. To verify this, consider (A_1, B_1) ∈ S_1: the only transition from A_1 goes to A_2, there is a transition from B_1 to B_2 and (A_2, B_2) ∈ S_1. Likewise, for (A_2, B_2) ∈ S_1, the only transition from A_2 goes to A_1, there is a transition from B_2 to B_1 and (A_1, B_1) ∈ S_1. In addition, M_1, A_i ⊨ ϕ ⇔ M_2, B_j ⊨ ϕ for (A_i, B_j) ∈ S_1 and ϕ ∈ {p, q}.

On the other hand, with the relation S_2 = {(B_1, A_1), (B_2, A_2), (B_3, A_1)} ⊆ W_2 × W_1, M_1 simulates M_2. Consider (B_1, A_1) ∈ S_2: the only transition from B_1 goes to B_2, there is a transition from A_1 to A_2 and (B_2, A_2) ∈ S_2. For (B_2, A_2) ∈ S_2 there are two transitions leaving B_2, one to B_1 and another to B_3; there is a transition from A_2 to A_1, and both (B_1, A_1) and (B_3, A_1) belong to S_2. Since B_3 has no outgoing transition, condition 2 holds vacuously for (B_3, A_1). Furthermore, M_2, B_j ⊨ ϕ ⇔ M_1, A_i ⊨ ϕ for (B_j, A_i) ∈ S_2 and ϕ ∈ {p, q}.

However, there is no bisimulation between M_1 and M_2, because B_3 cannot be related to any world of M_1: both A_1 and A_2 have an outgoing transition, which a bisimulation would require B_3 to match, and B_3 has none. But if B_3 is related to no world of M_1, then neither is B_2, since the transition from B_2 to B_3 could not be matched by any transition of M_1 (condition 3). Similarly, B_1 cannot be related to any world of M_1.

Figure 2.3 represents a classical example. We consider the relation T = {(A_1, B_k) : k ∈ ℕ\{0}}. For any (A_1, B_k) ∈ T, the transition from A_1 to itself is matched by the transition from B_k to B_{k+1}, and (A_1, B_{k+1}) ∈ T. In the opposite direction, the transition from B_k to B_{k+1} is matched by the transition from A_1 to itself, and again (A_1, B_{k+1}) ∈ T. Moreover, M_1, A_1 ⊨ p ⇔ M_2, B_k ⊨ p for every k. So T is a bisimulation.
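For finite models the largest simulation and the largest bisimulation can be computed as greatest fixpoints: start from all pairs that agree on the atomic propositions (condition 1) and repeatedly discard pairs that violate the transition conditions. The Python code below is an added example, not from the thesis, and it reproduces the analysis of Figure 2.2: since the figure's valuation is not reproduced on this page, the example assumes p holds at A_1, B_1, B_3 and q at A_2, B_2, which is consistent with the text's statement that related states agree on p and q. The infinite model of Figure 2.3 is out of scope for this finite procedure.

```python
"""Largest simulation and largest bisimulation between two finite Kripke models,
computed as greatest fixpoints (added example, not from the thesis).
A model is (W, R, V): W set of worlds, R set of pairs, V dict atom -> set of worlds."""


def successors(R, x):
    return {y for (a, y) in R if a == x}


def largest_relation(M1, M2, back):
    """Start from all pairs agreeing on the atoms (condition 1 of Definition 2.1.14)
    and discard pairs violating condition 2 ('forth') and, when back=True,
    condition 3 ('back'), until nothing changes. Both conditions are monotone in S,
    so the result is the largest simulation (back=False) or bisimulation (back=True)
    contained in W1×W2; it is empty exactly when none exists."""
    W1, R1, V1 = M1
    W2, R2, V2 = M2
    atoms = set(V1) | set(V2)
    S = {(v, w) for v in W1 for w in W2
         if all((v in V1.get(p, set())) == (w in V2.get(p, set())) for p in atoms)}
    changed = True
    while changed:
        changed = False
        for (v, w) in list(S):
            forth = all(any((v2, w2) in S for w2 in successors(R2, w))
                        for v2 in successors(R1, v))
            back_ok = (not back) or all(any((v2, w2) in S for v2 in successors(R1, v))
                                        for w2 in successors(R2, w))
            if not (forth and back_ok):
                S.discard((v, w))
                changed = True
    return S


def largest_simulation(M1, M2):
    """Largest S ⊆ W1×W2 satisfying conditions 1 and 2: M2 simulates M1."""
    return largest_relation(M1, M2, back=False)


def largest_bisimulation(M1, M2):
    """Largest bisimulation between M1 and M2 (empty set if there is none)."""
    return largest_relation(M1, M2, back=True)


def figure_2_2_models():
    """The two models of Figure 2.2 with a constructed valuation (the figure's own
    valuation is not on the page): p at A1, B1, B3 and q at A2, B2."""
    M1 = ({'A1', 'A2'},
          {('A1', 'A2'), ('A2', 'A1')},
          {'p': {'A1'}, 'q': {'A2'}})
    M2 = ({'B1', 'B2', 'B3'},
          {('B1', 'B2'), ('B2', 'B1'), ('B2', 'B3')},
          {'p': {'B1', 'B3'}, 'q': {'B2'}})
    return M1, M2


if __name__ == '__main__':
    M1, M2 = figure_2_2_models()
    print(largest_simulation(M1, M2))    # {('A1','B1'), ('A2','B2')}: the relation S_1
    print(largest_simulation(M2, M1))    # {('B1','A1'), ('B2','A2'), ('B3','A1')}: S_2
    print(largest_bisimulation(M1, M2))  # set(): no bisimulation, as argued above
```

The fixpoint discards (A_1, B_3) first (A_1 has a transition, B_3 has none), then (A_2, B_2) because the transition B_2 → B_3 can no longer be matched, and finally (A_1, B_1); this is the same chain of reasoning used in the text, now run mechanically.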

Theorem 2.1.17. Let M_1 and M_2 be models such that M_1, v ⇄ M_2, w. Then M_1, v ⊨ ϕ ⇔ M_2, w ⊨ ϕ for every formula ϕ.

Figure 2.3: Two bisimilar models, M_1 (left) and M_2 (right).

Proof: Since M_1, v ⇄ M_2, w, there is a bisimulation S that links v and w. The proof is done by induction on the structure of formulas, simultaneously for all pairs (v, w) ∈ S.

For any p ∈ Ω, the result follows from condition 1 of the definition of bisimulation.

M_1, v ⊨ ⊤ and M_2, w ⊨ ⊤ by definition, thus M_1, v ⊨ ⊤ ⇔ M_2, w ⊨ ⊤. In a similar way, the result holds for ⊥.

If the result holds for ϕ and ψ (at all pairs of S), then it is immediate that it also holds for ¬ϕ, ϕ ∨ ψ, ϕ ∧ ψ, ϕ → ψ and ϕ ↔ ψ.

For □ϕ, suppose M_1, v ⊨ □ϕ and let w′ be any world such that (w, w′) ∈ R_2. By condition 3 of the definition of bisimulation, there exists v′ with (v, v′) ∈ R_1 and v′Sw′. Since M_1, v′ ⊨ ϕ, the induction hypothesis gives M_2, w′ ⊨ ϕ. As w′ was arbitrary, M_2, w ⊨ □ϕ.

The reciprocal implication is proved analogously, using condition 2 instead of condition 3. We note that if there is no transition from v nor from w in the respective models, then M_1, v ⊨ □ϕ ⇔ M_2, w ⊨ □ϕ holds trivially, since both M_1, v ⊨ □ϕ and M_2, w ⊨ □ϕ are true by definition.

Since formulas of the form ◇ϕ are semantically equivalent to ¬□¬ϕ, this concludes the proof. □

Note 3. From this proof we can also observe that, if S ⊆ W_2 × W_1 is a simulation such that the model M_1 simulates the model M_2, then M_1, w ⊨ ϕ ⇒ M_2, v ⊨ ϕ for any (v, w) ∈ S and any formula ϕ in which the symbols ¬ and ◇ (and hence →, which abbreviates ¬ and ∨) do not occur ([BDV02]). Indeed, the "⇒" case for □ϕ above only needs that each transition of M_2 from v be matched by a transition of M_1 from w, which is exactly condition 2 for such an S.

Corollary 2.1.18. Let M_1 = (W_1, R_1, V_1) and M_2 = (W_2, R_2, V_2) be two models. If each world v ∈ W_1 is bisimilar to at least one world w ∈ W_2 and vice versa, then M_1 ⊨ ϕ ⇔ M_2 ⊨ ϕ.

Proof: Assume M_1 ⊨ ϕ. For an arbitrary world w ∈ W_2 there exists a world v ∈ W_1 such that M_1, v ⇄ M_2, w. Since ϕ is valid in the model M_1, M_1, v ⊨ ϕ and, by the previous theorem, M_2, w ⊨ ϕ. Since w is arbitrary, M_2 ⊨ ϕ. The other implication is proved analogously. □

Note 4. For models in which each state has only finitely many outgoing arcs, the reciprocal of Corollary 2.1.18 can be proved ([BDV02]).

The concepts of simulation and bisimulation are important tools with useful applications, as will be seen below.

2.1.6 Applications

The use of modal logic in applications is usually related to state transition machines, due to the similarity between Kripke models and the diagrams of such machines. In this section the focus is on the application of modal logic to finite automata.

Briefly, an automaton is a machine which admits some number of states and which evolves in time from one state to another when submitted to an action that induces the transition. An automaton is often represented by a set of circles (the states) and arrows (the possible transitions), each arrow being labeled by the action which induces the respective transition. The initial state is marked by an incoming arrow with no origin.

Figure 2.4: A simple automaton.

Automata are nowadays widely used to model machines which admit several states, i.e. several ways of working. Figure 2.4 represents a lock system with buttons A, B and C which must open when the code ABA is entered. Each state of the automaton represents a state of the lock system; the initial state is indicated by the incoming arrow with no origin and the state "Open" represents the state in which the lock is open.

More information about automata can be found in [HU79].

Logic to express properties of automata

We have already said that modal logic is an important tool for reasoning about these structures, due to the similarity between automata and Kripke structures. There is even a class of modal models, called pointed models, which single out the initial state; more information about pointed models can be found in [BDV02].

The advantage of using a logic to reason about automata is the possibility of specifying properties in a formal language. For example, we can express that a state has no transition to any state and, moreover, we can find the states of a model which satisfy such a property by means of an algorithm. In Figure 2.4, for instance, the "Open" state does not evolve under the buttons A, B, C, as is natural since the lock is already open. This property is described by the formula □⊥: if a state satisfies □⊥, then it admits no transition at all; if it does not satisfy □⊥, then it admits some transition. Note that the latter does not mean that the state must evolve to a different state, since the transition may lead to the state itself.

Verifying these formulas in an automaton by hand may be both tedious and expensive. However, there are several computational tools which check whether a formula holds at each state. The idea behind these tools is to mark recursively the states in which each sub-formula of the original formula holds, starting with the simplest sub-formulas. The algorithm ends after completing this verification for the desired formula and returns the set of states of the automaton in which it holds. This type of verification is called model checking.

This kind of approach is widely used, as it provides an automatic way of knowing in which states of an automaton a certain formula holds. Nevertheless, there are disadvantages as well. The cost of the algorithm grows with both the number of states of the automaton and the number of sub-formulas to be verified, and the number of states of a system model is itself typically exponential in the number of components of the system (see [BBFLPPS10]), so the cost grows quickly as systems get larger.

Another advantage of modal logic is its decidability. Its usefulness can be seen by imagining that we describe a family of models (possibly infinitely many) by a set of modal formulas: due to decidability, we can decide the validity of any formula in all models of the family.

The main limitation of modal logic is its expressiveness. Modal logic is useful to describe automata, but there are unfortunately some characteristics which cannot be described in it. Thus other logics are more often used to deal with automata, such as Computation Tree Logic (CTL), its superset CTL*, or Propositional Linear Temporal Logic (PLTL). These logics deal with phenomena related to time, which is useful since the states of an automaton evolve in time, and both CTL and CTL* include path quantifiers in order to gain expressiveness. This is why these logics are commonly used in model checking.

An algorithm for model checking and more information about these temporal logics can be found in [BBFLPPS10].

Model reduction

One of the major inconveniences of studying automata is the size of the model: a large number of states renders some algorithms practically useless. Thus, other methods studied to deal with this problem are model reduction methods.

For this purpose it is possible to use bisimulations: when dealing with an automaton with many states, we may look for a bisimilar model with fewer states. Since truth is preserved between bisimilar states, every property of the initial automaton can be verified in the smaller bisimilar automaton at a lower cost. An example of a direct application of bisimulations to reduce models can be found in [PDD11].

Actually, if instead of a bisimulation we are only able to find a simulation between the automaton and a smaller model, this may also be useful, since some properties of the original are preserved as well. A more specific example of how to apply these concepts is given below.

Other model reductions based on equivalence relations may also be used. The idea is very simple: we use an equivalence relation which preserves the property of interest and then construct a quotient graph which aggregates the states within the same equivalence class into a single state.

Several examples of model reduction algorithms are presented in [AMR07].

Applications to biology

In biology, one of the most used types of models to describe the behavior of the components within a cell are the so called Boolean networks. These models are directed graphs in which each vertex represents a different state, characterized by a specific combination of presence/absence (1's and 0's) of proteins and activation/inhibition of genes, and the edges represent the possible transitions between those states. The edges are defined from a Boolean function by an asynchronous rule (more details can be found in [CC14], [D02]). This kind of model contains no quantitative information about the system; however, the qualitative information it provides allows us to infer some characteristics of the regulatory system of the modeled cell ([G75]).

In the study of a cell, when the activity of the genes and the concentrations of the proteins stabilize around some values, we call that configuration a steady state. We highlight that there may be more than one steady state in the same regulatory system. The existence of steady states is one of the most studied properties of biological models. Steady states may represent either convergent or cyclic behaviors, and their existence and study may help to better understand the regulatory system of the cell. However, the cell contains many components, and even the study of an isolated module with 10 components would create a digraph with 2^10 states (since each state is a possible combination of 0's and 1's for each component). This makes it computationally unfeasible to study complex regulatory systems, which usually contain many more than 10 components. Thus it is usually necessary to apply some model reduction before analyzing one of these graphs.

When we connect these concepts to graph theory, we see that steady states correspond to strongly connected components (SCC) of the state graph which have no edge leading out of the SCC. We simply call these SCC attractors.

An effective procedure which reduces a model and then computes the attractors of the system was developed by M. Chaves ([TC13]). Without going into details, the general idea is to split the entire system into two smaller subsystems, i.e., to distribute the components of the system among two subsystems. These are easier to study than the original since they have fewer components and, therefore, their graphs have fewer vertices. We call attention to the fact that the Boolean function which determined the edges of the digraph of the entire system is now split in two as well but, since there will be no connections between the two subsystems, it is necessary to consider "input" and "output" variables in each of the split functions.

To exemplify the use of this method, we consider a hypothetical regulatory system with 4 components, modeled by a Boolean model with variables a_1, a_2, b_1 and b_2 and defined by the following Boolean function (recovered here from f_A and f_B below by undoing the substitutions u = b_1, v_1 = a_1, v_2 = a_2):

f(a_1, a_2, b_1, b_2) = (a_2, a_1 ∧ a_2 ∧ b_1, a_1 ∨ b_1 ∨ b_2, a_1 ∧ ¬a_2 ∧ b_1)

Since we just want to provide a simple example of how to apply this procedure, the presented case could easily be solved by hand. We first divide this regulatory system into two subsystems A and B (containing the variables a_1, a_2 and the variables b_1, b_2 respectively). Thus we must also consider two new Boolean functions f_A and f_B, one for each subsystem:

f_A(a_1, a_2; u) = (a_2, a_1 ∧ a_2 ∧ u)
f_B(b_1, b_2; v_1, v_2) = (v_1 ∨ b_1 ∨ b_2, v_1 ∧ ¬v_2 ∧ b_1)

Above, the variables u, v_1 and v_2 are input variables whose value is not known. They were introduced to replace the variables b_1, a_1 and a_2, which do not occur in the respective subsystems. With this, we may consider the partial graph of each subsystem for each combination of input values. The graph G of the original system model as well as the partial graphs of both subsystems A and B are shown in Figure 2.5, where the attractors of the original graph G are highlighted by a box.

Figure 2.5: Boolean network model and partial graphs.

Here we introduce some logical concepts. Let us consider each one of the graphs G_i presented in Figure 2.5 as a Kripke model (G_i, V) such that, for simplicity, V(p) = ∅ for every atomic proposition p. With this definition, it is easy to see that the original graph simulates each one of the partial graphs of each subsystem. In particular, S = {(00, 0011), (00, 0001), (01, 0111), (01, 0101), (10, 1001), (10, 1011), (11, 1101), (11, 1111)} ⊆ G_{A,u=1} × G is a simulation. As an example, in the figure some states were shaded to represent the pairs (01, 0111), (01, 0101) of the relation.

As we pointed out in Note 3, simulations do not preserve the validity of all formulas; nevertheless, some properties are preserved. In our context, since the original graph simulates the partial graphs, if some set of vertices of G has no edge leading outside the set, then the set of partial-graph states related to it has no such edge either. Therefore, the partial graphs signal all attractors of the original graph. Moreover, since we have a simulation, if we express properties by modal formulas which contain neither ¬ nor ◇, then these smaller models can be used to prove properties of the original one.

Hence we see that simulations may be an important tool for model reduction. In this procedure it allows us to find only a few candidate attractors instead of searching the entire graph, which is usually much bigger than the partial ones. The remaining steps and other examples can be found in [CC14], [CP13], [CT11].
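The four-variable example can be checked end to end: build the asynchronous state graph of f, compute its attractors as closed strongly connected components, build the partial graph of subsystem A for u = 1, and verify that the relation S from the text is a simulation and that every attractor of G projects onto an attractor of a partial graph. The Python code below is an added example and is not the procedure of [TC13] or code from the thesis. It assumes the state ordering (a_1, a_2, b_1, b_2), so the relation S is written as "same (a_1, a_2) and b_1 = 1" rather than with the bit strings printed in the text, and it uses the update function f recovered above from f_A and f_B.

```python
"""Asynchronous Boolean network: state graph, attractors (closed SCCs) and the partial
graph of a subsystem with an input variable (added example, not from the thesis).
States are tuples of 0/1 in the order (a1, a2, b1, b2); this ordering is the example's choice."""
from itertools import product


def f_full(a1, a2, b1, b2):
    """Update function recovered from f_A, f_B by putting u = b1, v1 = a1, v2 = a2."""
    return (a2, a1 and a2 and b1, a1 or b1 or b2, a1 and (not a2) and b1)


def async_graph(f, n):
    """Asynchronous rule: from state s there is one edge per component whose value f
    wants to change, and only that component changes. Returns (states, edges)."""
    states = [tuple(bits) for bits in product((0, 1), repeat=n)]
    edges = set()
    for s in states:
        target = tuple(int(x) for x in f(*s))
        for i in range(n):
            if target[i] != s[i]:
                t = list(s)
                t[i] = target[i]
                edges.add((s, tuple(t)))
    return states, edges


def reachable(states, edges):
    """reach[s] = set of states reachable from s (s included)."""
    succ = {s: set() for s in states}
    for (u, v) in edges:
        succ[u].add(v)
    reach = {}
    for s in states:
        seen, stack = {s}, [s]
        while stack:
            x = stack.pop()
            for y in succ[x]:
                if y not in seen:
                    seen.add(y)
                    stack.append(y)
        reach[s] = seen
    return reach


def attractors(states, edges):
    """Attractors = strongly connected components with no edge leaving them:
    the SCC of s is {t : s and t reach each other}, and it is closed when nothing
    reachable from it lies outside it."""
    reach = reachable(states, edges)
    result = set()
    for s in states:
        scc = frozenset(t for t in reach[s] if s in reach[t])
        if all(reach[t] <= scc for t in scc):
            result.add(scc)
    return result


def partial_graph_A(u):
    """State graph of subsystem A = {a1, a2} with the input u fixed (f_A from the text)."""
    return async_graph(lambda a1, a2: (a2, a1 and a2 and u), 2)


def is_simulation(S, edges_small, edges_big):
    """Condition 2 of Definition 2.1.14: for every (x, s) in S, each edge x→x' of the
    small graph is matched by an edge s→s' of the big graph with (x', s') in S."""
    return all(any((y, t) in S for (s2, t) in edges_big if s2 == s)
               for (x, s) in S for (x2, y) in edges_small if x2 == x)


def biology_demo():
    """Returns (attractors of G, attractors of G_{A,u=1}, S is a simulation,
    every attractor of G projects onto an attractor of some partial graph of A)."""
    states, edges = async_graph(f_full, 4)
    attr = attractors(states, edges)
    pstates, pedges = partial_graph_A(1)
    S = {(x, s) for x in pstates for s in states if s[:2] == x and s[2] == 1}
    pattr_by_u = {u: attractors(*partial_graph_A(u)) for u in (0, 1)}
    projected = all(any(frozenset({s[:2] for s in a}) in pattr_by_u[u] for u in (0, 1))
                    for a in attr)
    return attr, pattr_by_u[1], is_simulation(S, pedges, edges), projected


if __name__ == '__main__':
    attr, pattr, sim_ok, proj_ok = biology_demo()
    print(sorted(sorted(a) for a in attr))   # [[(0,0,0,0)], [(0,0,1,0)], [(1,1,1,0)]]
    print(sorted(sorted(a) for a in pattr))  # [[(0,0)], [(1,1)]]
    print(sim_ok, proj_ok)                   # True True
```

With this f the three attractors of G are fixed points; the partial graph of A for u = 1 has the candidate attractors 00 and 11, and the 16-state search is replaced by a 4-state one plus a check of which candidates are realised in G.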

2.2 Dynamic Logic

Dynamic logic arises from the need to apply logical tools to systems in which the modalities represent programs built from a set of basic programs. Because of this, such systems, and therefore this logic, are called dynamic.

Several dynamic logics have been defined, depending on the choice of program operators allowed and on the base logic. In the propositional dynamic logic (usually known as PDL) presented below only a simple and abstract notion of program is given, but the theory behind these ideas is important to understand the notions presented further on in this document.

A more complete treatment of propositional dynamic logic can be found in [HKT00].

2.2.1 Syntax and semantics

Dynamic logic has two important sets: a set of atomic formulas Ω = {p_1, p_2, ...} and a set of atomic programs Γ = {a_1, a_2, ...}.

We describe the set Fml(Ω, Γ) of formulas and the set P(Ω, Γ) of programs recursively by:

- ⊥, ⊤ ∈ Fml(Ω, Γ);
- if ψ ∈ Ω, then ψ ∈ Fml(Ω, Γ);
- if α ∈ Γ, then α ∈ P(Ω, Γ);
- if ψ ∈ Fml(Ω, Γ), then ¬ψ ∈ Fml(Ω, Γ);
- if ψ, ϕ ∈ Fml(Ω, Γ), then ψ ∨ ϕ ∈ Fml(Ω, Γ);
- if ψ, ϕ ∈ Fml(Ω, Γ), then ψ ∧ ϕ ∈ Fml(Ω, Γ);
- if ψ, ϕ ∈ Fml(Ω, Γ), then ψ → ϕ ∈ Fml(Ω, Γ);
- if ψ, ϕ ∈ Fml(Ω, Γ), then ψ ↔ ϕ ∈ Fml(Ω, Γ);
- if α, β ∈ P(Ω, Γ), then α;β ∈ P(Ω, Γ);
- if α, β ∈ P(Ω, Γ), then α ∪ β ∈ P(Ω, Γ);
- if α ∈ P(Ω, Γ), then α* ∈ P(Ω, Γ);
- if α ∈ P(Ω, Γ) and ϕ ∈ Fml(Ω, Γ), then [α]ϕ ∈ Fml(Ω, Γ);
- if α ∈ P(Ω, Γ) and ϕ ∈ Fml(Ω, Γ), then ⟨α⟩ϕ ∈ Fml(Ω, Γ);
- if ϕ ∈ Fml(Ω, Γ), then ?ϕ ∈ P(Ω, Γ).

There are no other formulas or programs.

It is important to note that, due to the infinite number of possible programs, there is not a single modality but infinitely many of them.

In order to better understand the meaning and use of programs, some readings are listed below:

- [α]ϕ – "necessarily, after executing α, ϕ is true";
- α;β – "execute α, then execute β";
- α ∪ β – "choose either α or β nondeterministically and execute it";
- α* – "execute α a nondeterministically chosen (possibly zero) finite number of times";
- ?ϕ – "test ϕ: proceed if true, fail if false".

In this last case, if the program "fails" then it immediately stops the execution and does not lead to any state.

With these program constructs it is possible to translate the following usual programs into PDL syntax:

- skip – ?⊤;
- fail – ?⊥;
- if ϕ then α else β – (?ϕ; α) ∪ (?¬ϕ; β);
- while ϕ do α – (?ϕ; α)*; ?¬ϕ.

The semantics of dynamic logic extends the semantics of modal logic. A (dynamic) Kripke frame F is a pair (W, R) where W is the set of possible worlds and R is no longer a relation but a function R : Γ → P(W × W). A (dynamic) Kripke model M = (F, V) is a pair where F is a Kripke frame and V : Ω → P(W) is a function.

As in modal logic, the function V assigns to each atomic formula the set of states (or worlds) where it is true. The main difference lies in the function R: it assigns to each atomic program a the set of ordered pairs (w, w′) ∈ W × W such that w becomes w′ after executing a.

To define the truth of formulas at states we need to extend the function R to the set P(Ω, Γ) of all programs. Below we extend R and define the truth of a formula at a state simultaneously, since each depends on the other.

In the definition below it is assumed that ϕ, ψ ∈ Fml(Ω, Γ) and α, β ∈ P(Ω, Γ). We write M, w ⊨ ϕ when the formula ϕ is true at the state w of the model M and M, w ⊭ ϕ when ϕ is false at w:

- M, w ⊨ ϕ ⇔ w ∈ V(ϕ), for any ϕ ∈ Ω;
- M, w ⊭ ⊥;
- M, w ⊨ ⊤;
- M, w ⊨ ¬ϕ ⇔ M, w ⊭ ϕ;
- M, w ⊨ ϕ ∨ ψ ⇔ M, w ⊨ ϕ or M, w ⊨ ψ;
- M, w ⊨ ϕ ∧ ψ ⇔ M, w ⊨ ϕ and M, w ⊨ ψ;
- M, w ⊨ ϕ → ψ ⇔ M, w ⊭ ϕ or M, w ⊨ ψ;
- M, w ⊨ ϕ ↔ ψ ⇔ M, w ⊨ ϕ → ψ and M, w ⊨ ψ → ϕ;
- R(α;β) = {(u, v) ∈ W × W : there exists w ∈ W such that (u, w) ∈ R(α) and (w, v) ∈ R(β)};
- R(α ∪ β) = R(α) ∪ R(β);
- R(α*) = {(u, v) ∈ W × W : there exist an integer n ≥ 0 and w_0, w_1, ..., w_n ∈ W with u = w_0, v = w_n and (w_{j−1}, w_j) ∈ R(α) for every j ∈ {1, ..., n}};
- R(?ϕ) = {(w, w) ∈ W × W : M, w ⊨ ϕ};
- M, w ⊨ [α]ϕ ⇔ for every w′ ∈ W, if (w, w′) ∈ R(α) then M, w′ ⊨ ϕ;
- M, w ⊨ ⟨α⟩ϕ ⇔ there exists w′ ∈ W such that (w, w′) ∈ R(α) and M, w′ ⊨ ϕ.

As in modal logic, some of the logical operators of dynamic logic are semantically equivalent to expressions in which they do not occur. For example, ⊤ ≡ ¬⊥, [α]ϕ ≡ ¬⟨α⟩¬ϕ and ⟨α⟩ϕ ≡ ¬[α]¬ϕ.

Definition 2.2.1. We write M ⊨ ϕ, and say that the formula ϕ is valid in the model M, if M, w ⊨ ϕ for every state w of M. We write ⊨ ϕ, and say that ϕ is valid, if M ⊨ ϕ for every model M.

For example, the formula [?⊥]ϕ is valid, because ϕ holds in every state reached after executing ?⊥, and there are none, since R(?⊥) = ∅.

We end this subsection with an example of a model of dynamic logic.

Example 2.2.1. Consider a model with two atomic programs a, b and two atomic formulas p, q. Figure 2.6 shows which atomic propositions hold at each state and some transitions induced by the atomic programs. It also shows a transition induced by the non-atomic program a;b, which results from executing b after having executed a.

Figure 2.6: A model for dynamic logic.

Some examples of formulas which are valid in this model are p ∨ q and p ∨ ⟨a⟩q ∨ ⟨b⟩p. As in modal logic, the tautologies of classical propositional logic are valid formulas of dynamic logic. However, there are other formulas which are not tautologies but are nevertheless valid, since in dynamic logic programs have structure; such formulas are found by relating programs and modalities.
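The semantic clauses above are exactly the steps of a model checker: R(α) is computed for compound programs (composition, union, iteration as a fixpoint, tests) and the set of states satisfying a formula is computed bottom-up over its sub-formulas, as described for automata in Section 2.1.6. The Python code below is an added example, not from the thesis or from [HKT00]. It applies the clauses to the lock of Figure 2.4; since the figure's transitions are not reproduced here, the automaton is reconstructed from the description (states "nothing entered", "A entered", "AB entered", "Open"; a wrong button returns to the start, except that A after A keeps "A entered"), and that reconstruction is an assumption of the example.

```python
"""Model checking of propositional dynamic logic over a finite model (added example).

Programs: ('a',) atomic, ('seq', α, β), ('union', α, β), ('star', α), ('test', ϕ).
Formulas: ('p',) atom, ('bot',), ('top',), ('not', f), ('and'|'or'|'imp', f, g),
('box', α, f), ('dia', α, f).
A model is (W, R, V): W a set of states, R a dict atomic program -> set of pairs,
V a dict atom -> set of states.
"""


def reach(model, prog):
    """R(α) ⊆ W×W, following the semantic clauses of Section 2.2.1."""
    W, R, V = model
    op = prog[0]
    if op == 'seq':
        a, b = reach(model, prog[1]), reach(model, prog[2])
        return {(u, v) for (u, w) in a for (w2, v) in b if w == w2}
    if op == 'union':
        return reach(model, prog[1]) | reach(model, prog[2])
    if op == 'star':                       # reflexive-transitive closure as a fixpoint
        a = reach(model, prog[1])
        closure = {(w, w) for w in W}
        frontier = set(closure)
        while frontier:
            new = {(u, v) for (u, w) in frontier for (w2, v) in a if w == w2} - closure
            closure |= new
            frontier = new
        return closure
    if op == 'test':                       # R(?ϕ): stay put where ϕ holds, fail elsewhere
        return {(w, w) for w in sat(model, prog[1])}
    return set(R.get(op, set()))           # atomic program


def sat(model, f):
    """{w ∈ W : M, w ⊨ f}, computed bottom-up over the sub-formulas of f."""
    W, R, V = model
    op = f[0]
    if op == 'bot':
        return set()
    if op == 'top':
        return set(W)
    if op == 'not':
        return W - sat(model, f[1])
    if op == 'and':
        return sat(model, f[1]) & sat(model, f[2])
    if op == 'or':
        return sat(model, f[1]) | sat(model, f[2])
    if op == 'imp':
        return (W - sat(model, f[1])) | sat(model, f[2])
    if op == 'box':
        rel, good = reach(model, f[1]), sat(model, f[2])
        return {w for w in W if all(v in good for (u, v) in rel if u == w)}
    if op == 'dia':
        rel, good = reach(model, f[1]), sat(model, f[2])
        return {w for w in W if any(v in good for (u, v) in rel if u == w)}
    return set(V.get(op, set()))           # atomic proposition


def lock_model():
    """Reconstructed lock of Figure 2.4 (assumed transitions): buttons A, B, C;
    s0 = nothing entered, s1 = A entered, s2 = AB entered, open = lock open."""
    W = {'s0', 's1', 's2', 'open'}
    R = {'A': {('s0', 's1'), ('s1', 's1'), ('s2', 'open')},
         'B': {('s0', 's0'), ('s1', 's2'), ('s2', 's0')},
         'C': {('s0', 's0'), ('s1', 's0'), ('s2', 's0')}}
    V = {'open': {'open'}}
    return (W, R, V)


ANY = ('union', ('union', ('A',), ('B',)), ('C',))          # press any button
ABA = ('seq', ('A',), ('seq', ('B',), ('A',)))               # the code A;B;A
WAIT_OPEN = ('seq', ('star', ('seq', ('test', ('not', ('open',))), ANY)),
             ('test', ('open',)))                            # while ¬open do ANY


def lock_properties():
    """Model-checks a few properties of the lock and returns the satisfying states."""
    M = lock_model()
    return {
        'deadlocked': sat(M, ('box', ANY, ('bot',))),        # □⊥ of Section 2.1.6
        'aba_can_open': sat(M, ('dia', ABA, ('open',))),
        'aba_must_open': sat(M, ('box', ABA, ('open',))),    # vacuous where A;B;A cannot run
        'open_reachable': sat(M, ('dia', ('star', ANY), ('open',))),
        'loop_terminates': sat(M, ('dia', WAIT_OPEN, ('top',))),
        'stays_open': sat(M, ('imp', ('open',), ('box', ('star', ANY), ('open',)))),
    }


if __name__ == '__main__':
    for name, states in lock_properties().items():
        print(name, sorted(states))
```

Note the difference between ⟨A;B;A⟩open, which holds only at s0 and s1 (the states from which the code can actually be completed), and [A;B;A]open, which also holds at s2 and open because no A;B;A run starts there, the same vacuity as [?⊥]ϕ above.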

2.2.2 Proof calculus

Dynamic logic has a proof calculus where the axioms and calculus rules of dynamic logic can be seen as a generalization of the ones of modal logic.

We start by introducing the axioms of dynamic logic. Again, as in modal logic, the tautologies of classical propositional logic are also axioms of dynamic logic. The remaining considered axioms are the formulas presented in the proposition that follows ([HKT00]): Proposition 2.2.1. The following formulas of the dynamic logic are valid:

1. [α](ϕ → ψ) → ([α]ϕ → [α]ψ); 2. [α](ϕ ∧ ψ) ↔ ([α]ϕ ∧ [α]ψ); 3. [α ∪ β]ϕ ↔ ([α]ϕ) ∧ ([β]ϕ); 4. [α; β]ϕ ↔ [α][β]ϕ; 5. [?ψ]ϕ ↔ (ψ → ϕ); 6. ϕ ∧ [α][α∗]ϕ ↔ [α∗]ϕ; 7. ϕ ∧ [α∗](ϕ → [α]ϕ) → [α∗]ϕ.

Proof: Formula 1 is simply the generalization to dynamic logic of the axiom K presented for modal logic. We also note that formula 7 expresses a proof by induction.

The validity of formulas 2–7 is proven below for an arbitrary state w.

2 – M, w ⊨ [α](ϕ ∧ ψ)
⇔ M, w′ ⊨ ϕ ∧ ψ for any w′ such that (w, w′) ∈ R(α)
⇔ M, w′ ⊨ ϕ and M, w′ ⊨ ψ for any w′ such that (w, w′) ∈ R(α)
⇔ M, w ⊨ [α]ϕ and M, w ⊨ [α]ψ
⇔ M, w ⊨ [α]ϕ ∧ [α]ψ.

3 – M, w ⊨ [α ∪ β]ϕ
⇔ M, w′ ⊨ ϕ for any w′ such that (w, w′) ∈ R(α ∪ β)
⇔ M, w′ ⊨ ϕ for any w′ such that (w, w′) ∈ R(α) ∪ R(β)
⇔ M, w′ ⊨ ϕ for any w′ such that (w, w′) ∈ R(α), and M, w′ ⊨ ϕ for any w′ such that (w, w′) ∈ R(β)
⇔ M, w ⊨ [α]ϕ and M, w ⊨ [β]ϕ
⇔ M, w ⊨ [α]ϕ ∧ [β]ϕ.

4 – M, w ⊨ [α; β]ϕ
⇔ M, w′ ⊨ ϕ for any w′ such that (w, w′) ∈ R(α; β)
⇔ M, w′ ⊨ ϕ for any w′ such that there exists u with (w, u) ∈ R(α) and (u, w′) ∈ R(β)
⇔ M, u ⊨ [β]ϕ for any u such that (w, u) ∈ R(α)
⇔ M, w ⊨ [α][β]ϕ.

5 – M, w ⊨ [?ψ]ϕ
