Probabilistic Interval Temporal Logic and Duration Calculus with Infinite Intervals: Complete Proof Systems
Dimitar P. Guelev, Institute of Mathematics and Informatics, Bulgarian Academy of Sciences. E-mail address: [email protected]

Abstract. The paper presents probabilistic extensions of interval temporal logic (ITL) and duration calculus (DC) with infinite intervals and complete Hilbert-style proof systems for them. The completeness results are a strong completeness theorem for the system of probabilistic ITL with respect to an abstract semantics and a relative completeness theorem for the system of probabilistic DC with respect to real-time semantics. The proposed systems subsume probabilistic real-time DC as known from the literature. A correspondence between the proposed systems and a system of probabilistic interval temporal logic with finite intervals and expanding modalities is established too.

ACM Subject Classification: F.3.1.
Key words and phrases: probabilistic interval temporal logic, duration calculus.
Logical Methods in Computer Science, DOI: 10.2168/LMCS-3(3:3) 2007. © D. P. Guelev, Creative Commons.

Introduction

The duration calculus (DC) was introduced by Zhou, Hoare and Ravn in [ZHR91] as a logic to specify requirements on real-time systems. DC is a classical predicate interval-based linear-time logic with one normal binary modality known as chop. DC was originally developed for real time by augmenting the real-time variant of interval temporal logic (ITL, [Mos85, Mos86]) with boolean expressions for state and real-valued terms to denote state durations. DC has been used successfully in many case studies such as [ZZ94, DW96, SX98, Dan98, LH99]. We refer the reader to [HZ97] or the recent monograph [ZH04] for a comprehensive introduction to DC.

Temporal logics such as linear temporal logic (LTL), computation tree logic (CTL) and their timed versions are used mostly as requirements languages for model-checkers such as SMV [McM] and UPPAAL [UPP] which accept descriptions of systems in dedicated input languages. The probabilistic variant of CTL [ASB95] has a similar role in the probabilistic model checker PRISM [KNP01, PRI]. The systems in use are typically propositional, which restricts the variety of properties that can be expressed. This is only in part compensated for by the possibility to do fully algorithmic verification. More complex properties and systems which, e.g., involve unspecified numbers of concurrent processes or unbounded amounts of data have to be viewed as parameterized families and require the development of dedicated techniques. Alternatively, model-checkers are used on instances of the systems with artificial bounds on their size, which, however, quickly leads to the notorious state space explosion problem. The use of the logics as reasoning tools and not just as notations is also limited to optimising simplifications such as abstractions. Unlike these systems of logic, the expressive power of DC is geared towards the possibility to capture the semantics of the systems to be verified and therefore it is used as a system description language as well. Examples include the DC semantics of the timed specification language RAISE proposed in [LH99] and the DC semantics of the Verilog hardware specification language [IEE95] proposed in [SX98]. This shifts the interest from the satisfaction of DC formulas by given models towards validity in DC.

The needs of applications have brought to life a number of extensions and variants of DC. These include state quantifiers and the least fixed point operator [Pan95], alternative sets of interval modalities [Pan96, ZH98, BRZ00, He 99b], enhancements of the semantics to combine real and discrete time [PD98, He 99a, Gue04a] and infinite intervals [ZDL95, PWX98, SX98, WX04]. The extension of DC by a probability operator replaces the linear model of time of DC by a model based on sets of behaviours with probability on them. Despite the absence of an explicit branching-time modality, the probabilistic DC (PDC) is essentially a branching-time predicate interval-based temporal logic.

DC and, consequently, its extensions are not recursively axiomatisable. The worst case complexity of decision procedures for validity is high even for very restricted subsets of DC such as the so-called propositional DC [ZHS93, Rab98]. No interesting quantified decidable subsets of DC seem to be known. (The state quantifier in the ⌈P⌉-subset of DC studied in [ZHS93] is expressible in that subset and does not increase its ultimate expressive power.) The propositional abstract-time and real-time ITLs with chop are undecidable too.
Undecidability is typical of interval-based systems as shown in the early works [HS86] and [Ven91a, Ven91b] where the chop modality was studied as an example of an operator in many-dimensional modal logic. A very simple subset of DC which exhibits its incompleteness was identified in [Gue04c]. This is compensated by the convenience of achieving compositionality in specification and particularly the specification of sequential composition, which is deemed to be difficult to handle in systems without the chop modality [MO99].

Tool support for ITL and DC has been developed on the basis of PVS [PVS] by combining ITL- and DC-specific proof and proof through translation into the higher-order logic input language of PVS [SS94, Hu 99, Ras02]. There is also a model- and validity-checker DCVALID [Pan], which accepts the discrete time ⌈P⌉-subset of DC (QDDC) and a combination of QDDC with CTL* [Pan01] and uses MONA [Mon] as a back-end tool. The expressive power of these subsets of DC is that of weak monadic second order logic with one successor (WS1S). DCVALID has been successful in interesting case studies such as that from [Pan02]. However, the finite-state-based algorithms of MONA impose on it the same ultimate limitations as in other model-checking tools. That is why proof systems are a relatively important instrument for verification by DC and its extensions.

DC was originally introduced for real time, whereas PDC was first introduced in [LRSZ93] for discrete time. A system of real-time PDC was introduced later in [DZ99] where some axioms were proposed too. However, these axioms do not form a complete proof system. Calculation with direct reference to the semantics was used to reason about properties expressed in PDC in both works. More case studies in PDC were given in [Jos95] and recently in [ZH04], which contains a chapter on discrete time PDC. The deductive power of the proof system for discrete time PDC used in [ZH04] has not been studied either.
A first attempt to develop a complete proof system for PDC was made in [Gue98], where a system of probabilistic ITL was proposed with the DC-specific state expressions with finite variability withdrawn. However, the semantics of that logic had some non-standard elements for technical reasons, and the proof system was a mixture of ITL and elements from Neighbourhood Logic (NL, [ZH98, RZ97, BRZ00]). Some of these problems were eliminated in [Tri99]. A more streamlined system of probabilistic NL and a complete proof system with respect to its abstract-time semantics was proposed later in [Gue00]. The use of a (commutative) linearly-ordered group as the model of time in that system after Dutertre's work on abstract-time ITL [Dut95a] allowed a finitary complete proof system to be obtained. However, PNL still had some loose ends; the questions of the precise correspondence between PNL and the original systems of PDC from [LRSZ93, DZ99] and of the deductive power of the proof system with respect to real-time models remained open. Systems of (non-probabilistic) branching time NL were developed in the recent works [BMS07] and [BM05]. Some of these systems can be viewed as the underlying branching time logics of PNL. The works [BMS07] and [BM05] present the propositional variants of these branching time interval temporal logics and focus on decision procedures for them.

In this paper we first propose another system of probabilistic ITL. Unlike that from [Gue98], this system is based on infinite intervals. We propose a proof system for probabilistic ITL with infinite intervals which is complete with respect to the abstract-time semantics based on that for ITL with infinite intervals from [WX04]. The use of infinite intervals removes the need to admix NL modalities in proofs, which was done in [Gue98]. Then we develop a system of probabilistic DC (PDC) as an extension of the proposed probabilistic ITL and demonstrate that adding the DC axioms and rules known from [HZ92] to our proof system for this probabilistic ITL leads to a proof system for PDC which is complete with respect to real-time models relative to validity at the real-time-based frame in probabilistic ITL with infinite intervals. The incompleteness of DC implies that relative completeness like that from [HZ92] for basic DC is the best we can have with a finitary proof system. Finally, we describe satisfaction-preserving translations between NL-based PDC and the system of PDC with infinite intervals that we propose.

Our system of PDC has some slight enhancements in comparison with the original probabilistic DC from [LRSZ93, DZ99]. They both improve its expressivity and facilitate the design of the proof system. The first enhancement is a simplification. We remove the extra reference time point needed to define the probability operator. The role of this time point is naturally transferred to the flexible constant ℓ which expresses interval lengths in DC. This extends the possibilities for meaningful nesting of occurrences of the probability operator and allows the expression of probabilities of properties which are probabilistic themselves. The second enhancement is the use of infinite intervals. It is a consequence of our developing PDC as an extension of an infinite-interval-based system of probabilistic ITL. As mentioned above, this makes it possible to avoid the use of an expanding modality such as those of NL, which was made in [Gue00]. The combination of the chop modality and infinite intervals has the expressive power of expanding modalities with the advantage of keeping the introspectivity of chop, which is a technically useful property. We discuss the trade-offs between NL and ITL in Section 9. The last enhancement is the replacement of the probabilistic timed automata which were used in [DZ99] to define sets of behaviours and the respective probability functions for PDC models by arbitrary systems of probability functions, which can be constrained by additional axioms in PDC theories. One such constraint that we study in detail is the requirement on all the probability functions in a model to be consistent with a global probability function which is defined on the space of all the behaviours of the modelled system. Models which describe the behaviour of automata like those involved in the definition of the original system of real-time DC from [DZ99] can be described by PDC theories in this more general setting too.
Structure of the paper. After the necessary preliminaries on ITL with infinite intervals and DC we introduce our system of probabilistic ITL with infinite intervals and a proof system for it. We prove the completeness of this proof system with respect to the abstract semantics of probabilistic ITL, which is the main result of the paper. Then we propose axioms which constrain the system of probability functions in models of PITL to be consistent with a global probability function to the extent that this constraint can be formulated in the setting of abstract probabilities. In the rest of the paper we introduce a system of probabilistic DC as an extension of the new system of probabilistic ITL by state expressions and duration terms for them based on the real-time frame of probabilistic ITL. We show how this system of PDC subsumes the system proposed in [DZ99]. The main result about PDC is the completeness of the well-known axioms of DC from [HZ92] relative to validity in real-time and -probability-based models for probabilistic ITL. Before concluding the paper we explain the correspondence between PNL from [Gue00] and the infinite-interval based PITL proposed in this paper. We conclude by explaining some of the limitations of the scope of its main results.

1. Preliminaries
In this section we give preliminaries on ITL and DC with infinite intervals as known from [ZDL95, PWX98, SX98, WX04] and the probability operator of PDC as introduced in [LRSZ93, DZ99].

1.1. Interval temporal logic with infinite intervals.

Here follows a brief formal introduction to ITL with infinite intervals as presented in [WX04], which extends the finite interval abstract-time system of ITL proposed and studied in [Dut95a].

1.1.1. Language. An ITL vocabulary consists of constant symbols c, d, ..., individual variables x, y, z, ..., function symbols f, g, ... and relation symbols R, .... Constant, function and relation symbols can be either rigid or flexible. Below it becomes clear that rigid symbols have the same meaning at all times, whereas the meaning of flexible symbols can depend on the reference time interval. The rigid constants 0 and ∞, addition +, equality =, the flexible constant ℓ, which always evaluates to the length of the reference interval, and a countably infinite set of individual variables are mandatory in every ITL vocabulary. We denote the arity of a function or relation symbol s by #s.

Given a vocabulary, the definition of an ITL language is essentially that of its sets of terms t and formulas ϕ, which can be defined by the following BNFs:

$$t ::= c \mid x \mid f(t, \ldots, t)$$
$$\varphi ::= \bot \mid R(t, \ldots, t) \mid (\varphi \Rightarrow \varphi) \mid (\varphi ; \varphi) \mid \exists x\,\varphi$$

Many authors use the alternative notation ϕ⌢ψ for formulas (ϕ;ψ) which are built with the chop modality.
Terms and formulas with no occurrences of flexible symbols are called rigid. Other terms and formulas are called flexible. The set of the variables which have free occurrences in a formula ϕ is denoted by FV(ϕ).

1.1.2. Models and satisfaction. A finite interval ITL frame consists of a linearly ordered set ⟨T, ≤⟩ called the time domain, a monoid ⟨D, 0, +⟩ called the duration domain and a function m : I(T) → D called the measure function, where I(T) = {[τ1, τ2] : τ1, τ2 ∈ T, τ1 ≤ τ2} is the set of the closed and bounded intervals in T. The monoid ⟨D, 0, +⟩ is required to satisfy some additional axioms. The full list of axioms is:

(D1) $x + (y + z) = (x + y) + z$
(D2) $x + 0 = 0 + x = x$
(D3) $x + y = x + z \Rightarrow y = z,\quad x + z = y + z \Rightarrow x = y$
(D4) $x + y = 0 \Rightarrow x = y = 0$
(D5) $\exists z\,(x + z = y \lor y + z = x),\quad \exists z\,(z + x = y \lor z + y = x)$

The measure function m is required to satisfy the axioms:

(M1) $m([\tau_1, \tau_2]) = m([\tau_1, \tau_2']) \Rightarrow \tau_2 = \tau_2'$
(M2) $m([\tau_1, \tau_2]) + m([\tau_2, \tau_3]) = m([\tau_1, \tau_3])$
(M3) $m([\tau_1, \tau_2]) = x + y \Rightarrow \exists \tau\,(m([\tau_1, \tau]) = x)$

In the case of ITL with infinite intervals the time domain ⟨T, ≤⟩ is supposed to have a distinguished greatest element ∞ and m is defined on the set Ĩ(T) = I_fin(T) ∪ I_inf(T), where I_fin(T) = {[τ1, τ2] : τ1, τ2 ∈ T, τ1 ≤ τ2 < ∞} and I_inf(T) = {[τ, ∞] : τ ∈ T, τ < ∞}. The duration domain is augmented with a greatest element ∞ too. The axiom D3 is replaced by

(D3') $x + y = x + z \Rightarrow x = \infty \lor y = z,\quad x + z = y + z \Rightarrow z = \infty \lor x = y$

and the following axioms about durations and the measure function are added:

(D6) $x + y = \infty \Leftrightarrow x = \infty \lor y = \infty$
(M4) $m([\tau_1, \tau_2]) = \infty$ iff $\tau_2 = \infty$

Given σ1, σ2 ∈ Ĩ(T) such that max σ1 = min σ2, we denote σ1 ∪ σ2 by σ1;σ2.

A function I on an ITL vocabulary L is an interpretation of L into a frame F = ⟨⟨T, ≤, ∞⟩, ⟨D, +, 0, ∞⟩, m⟩ if it satisfies the conditions:
I(c), I(x) ∈ D for rigid constants c and individual variables x;
I(f) ∈ (D^{#f} → D) for rigid function symbols f;
I(R) ∈ (D^{#R} → {0, 1}) for rigid relation symbols R;
I(c) ∈ (Ĩ(T) → D), I(f) ∈ (Ĩ(T) × D^{#f} → D), I(R) ∈ (Ĩ(T) × D^{#R} → {0, 1}) for flexible c, f and R;
I(0) = 0, I(∞) = ∞, I(+) = +, I(=) is = and I(ℓ) = m.

An infinite-interval model for an ITL vocabulary L is a pair of the form ⟨F, I⟩ such that F is a frame and I is an interpretation of L into F.

Definition 1.1. Given a model ⟨F, I⟩, the values I_σ(t) of terms t at intervals σ ∈ Ĩ(T) are defined by the clauses:

$I_\sigma(x) = I(x)$ for individual variables x
$I_\sigma(c) = I(c)$ for rigid constants c
$I_\sigma(f(t_1, \ldots, t_{\#f})) = I(f)(I_\sigma(t_1), \ldots, I_\sigma(t_{\#f}))$ for rigid function symbols f
$I_\sigma(c) = I(c)(\sigma)$ for flexible c
$I_\sigma(f(t_1, \ldots, t_{\#f})) = I(f)(\sigma, I_\sigma(t_1), \ldots, I_\sigma(t_{\#f}))$ for flexible f

In particular, I_σ(ℓ) = m(σ), which means that the function on Ĩ(T) which is the meaning of the flexible constant ℓ always evaluates to the length of the reference interval σ.

Definition 1.2. Let I be an interpretation of some ITL vocabulary L into a frame F whose duration domain is ⟨D, +, 0, ∞⟩. Let x be an individual variable in L and d ∈ D. Then the interpretation J of L into F which is defined by the equalities J(x) = d and J(s) = I(s) for s ∈ L \ {x} is denoted by $I^d_x$ and is called an x-variant of I. We abbreviate $(\ldots(I^{d_1}_{x_1})\ldots)^{d_n}_{x_n}$ by $I^{d_1, \ldots, d_n}_{x_1, \ldots, x_n}$ and call it an x1, ..., xn-variant of I. An x1, ..., xn-variant of I for some finite list of variables x1, ..., xn is called just a variant.

The modelling relation ⊨ on models based on some frame F, intervals σ and formulas in the vocabulary L is defined by the clauses:

$\langle F, I\rangle, \sigma \not\models \bot$
$\langle F, I\rangle, \sigma \models R(t_1, \ldots, t_n)$ iff $I(R)(I_\sigma(t_1), \ldots, I_\sigma(t_n)) = 1$ for rigid R
$\langle F, I\rangle, \sigma \models R(t_1, \ldots, t_n)$ iff $I(R)(\sigma, I_\sigma(t_1), \ldots, I_\sigma(t_n)) = 1$ for flexible R
$\langle F, I\rangle, \sigma \models (\varphi \Rightarrow \psi)$ iff either $\langle F, I\rangle, \sigma \not\models \varphi$ or $\langle F, I\rangle, \sigma \models \psi$
$\langle F, I\rangle, \sigma \models (\varphi ; \psi)$ iff $\langle F, I\rangle, \sigma_1 \models \varphi$ and $\langle F, I\rangle, \sigma_2 \models \psi$ for some $\sigma_1 \in I_{fin}(T_F)$ and $\sigma_2 \in \tilde I(T_F)$ such that $\sigma_1 ; \sigma_2 = \sigma$
$\langle F, I\rangle, \sigma \models \exists x\,\varphi$ iff $\langle F, I^d_x\rangle, \sigma \models \varphi$ for some $d \in D$

Abbreviations and precedence of operators. The binary relation symbol ≤ is defined in ITL by the equivalence

$$x \le y \Leftrightarrow \exists z\,(x + z = y). \qquad (1.1)$$

The customary infix notation for +, ≤ and = is used in ITL. ⊤, ¬, ∨, ∧ and ⇔, ∀, ≠, ≥, < and > are used in the usual way. We denote the universal closure ∀x1 ... ∀xn ϕ of a formula ϕ where {x1, ..., xn} = FV(ϕ) by ∀ϕ. Since (.;.) is associative, we omit parentheses in formulas with consecutive occurrences of (.;.). Here follow the infinite-interval versions of some ITL abbreviations:

$$\Diamond\varphi \rightleftharpoons (\top ; \varphi ; \top) \lor (\top ; \varphi), \qquad \Box\varphi \rightleftharpoons \neg\Diamond\neg\varphi.$$

Note that ✷ and ✸ abbreviate different constructs in the original discrete-time system of ITL of Moszkowski. Our usage originates from the literature on DC. The disjunctive member (⊤;ϕ) in the definition of ✸ is relevant only at infinite intervals. The formula (⊤;ϕ;⊤) without it restricts the subinterval which satisfies ϕ to be finite. We assume that ✸ and ✷ bind more tightly and (.;.) binds less tightly than the boolean connectives.
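The satisfaction clause for chop and the abbreviations ✸ and ✷ are easiest to see on a small finite frame. The Python script below is an added example and not code from the paper: it takes the constructed time domain T = {0, ..., 4} ∪ {∞} with m([a, b]) = b − a, represents formulas as predicates on intervals, checks instances of the axioms A1, A2, L2, P1 and P2 listed under Proof system below by exhaustive evaluation over all intervals (a model check on one finite frame, not a proof of validity in general), and exhibits the difference between ✸ϕ and (⊤;ϕ;⊤) at an infinite interval. All helper names are this example's own.

```python
"""Finite-model evaluator for ITL with infinite intervals.

Added example (not from the paper).  Time domain T = {0,...,N} ∪ {∞}, durations are
the same set, and the measure is m([a, b]) = b - a (∞ when b = ∞).  A formula is a
Python callable from an interval (a, b) to bool, so the chop modality and the
abbreviations ✸/✷ are written directly from their satisfaction clauses.
"""
from itertools import product

INF = float("inf")
N = 4                                   # constructed: a tiny domain suffices
POINTS = list(range(N + 1))             # the finite time points 0..N
T = POINTS + [INF]                      # time domain with greatest element ∞


def intervals():
    """Ĩ(T): all [a, b] with a finite and a <= b; b may be ∞."""
    return [(a, b) for a in POINTS for b in T if a <= b]


def length(iv):
    """The value of the flexible constant ℓ at the interval."""
    a, b = iv
    return INF if b == INF else b - a


# ---- formula constructors (a formula is interval -> bool) ----
def TRUE(iv):
    return True


def neg(phi):
    return lambda iv: not phi(iv)


def conj(phi, psi):
    return lambda iv: phi(iv) and psi(iv)


def disj(phi, psi):
    return lambda iv: phi(iv) or psi(iv)


def implies(phi, psi):
    return lambda iv: (not phi(iv)) or psi(iv)


def iff(phi, psi):
    return lambda iv: phi(iv) == psi(iv)


def len_is(x):
    return lambda iv: length(iv) == x


def chop(phi, psi):
    """(phi ; psi): split at a finite point m with a <= m <= b; the left part
    [a, m] is always finite, the right part [m, b] may be infinite."""
    def sat(iv):
        a, b = iv
        return any(phi((a, m)) and psi((m, b)) for m in POINTS if a <= m <= b)
    return sat


def diamond(phi):
    """✸ϕ ⇋ (⊤;ϕ;⊤) ∨ (⊤;ϕ); the second disjunct matters only at infinite intervals."""
    return disj(chop(chop(TRUE, phi), TRUE), chop(TRUE, phi))


def box(phi):
    return neg(diamond(neg(phi)))


def valid(phi):
    """Validity in this frame: true at every interval of Ĩ(T)."""
    return all(phi(iv) for iv in intervals())


# Sample formulas used to instantiate the axiom schemata (constructed).
SAMPLES = [TRUE, len_is(0), len_is(1), len_is(INF), neg(len_is(2))]


def check_axioms():
    """Instances of A1, A2, L2, P1 and P2 over all triples of sample formulas."""
    a1 = a2 = True
    for phi, psi, chi in product(SAMPLES, repeat=3):
        a1 &= valid(implies(conj(chop(phi, psi), neg(chop(chi, psi))),
                            chop(conj(phi, neg(chi)), psi)))
        a1 &= valid(implies(conj(chop(phi, psi), neg(chop(phi, chi))),
                            chop(phi, conj(psi, neg(chi)))))
        a2 &= valid(iff(chop(chop(phi, psi), chi), chop(phi, chop(psi, chi))))
    return {
        "A1": a1,
        "A2": a2,
        # L2 with x = 1, y = 2 (x ≠ ∞): ℓ = 3 ⇔ (ℓ = 1 ; ℓ = 2)
        "L2": valid(iff(len_is(3), chop(len_is(1), len_is(2)))),
        # P1: an infinite interval can never be the left part of a chop
        "P1": valid(neg(chop(len_is(INF), TRUE))),
        # P2: an infinite right part makes the whole interval infinite
        "P2": valid(implies(chop(TRUE, len_is(INF)), len_is(INF))),
    }


def diamond_vs_triple_chop():
    """At [0, ∞], ✸(ℓ = ∞) holds but (⊤ ; ℓ = ∞ ; ⊤) does not."""
    phi = len_is(INF)
    iv = (0, INF)
    return diamond(phi)(iv), chop(chop(TRUE, phi), TRUE)(iv)
```

Because the left part of a chop must lie in I_fin(T), the split point m ranges over finite time points only; that single restriction is what makes P1 and P2 come out valid and what forces the extra disjunct (⊤;ϕ) in ✸.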
Proof system. A complete proof system for abstract-time ITL with finite intervals is given in [Dut95a]. The following axioms and rules have been shown to form a complete proof system for ITL with infinite intervals when added to a Hilbert-style proof system for classical first-order predicate logic and the axioms D1, D2, D3', D4, D5, D6:

(A1) $(\varphi ; \psi) \land \neg(\chi ; \psi) \Rightarrow (\varphi \land \neg\chi ; \psi)$, $(\varphi ; \psi) \land \neg(\varphi ; \chi) \Rightarrow (\varphi ; \psi \land \neg\chi)$
(A2) $((\varphi ; \psi) ; \chi) \Leftrightarrow (\varphi ; (\psi ; \chi))$
(R) $(\varphi ; \psi) \Rightarrow \varphi$, $(\psi ; \varphi) \Rightarrow \varphi$ if ϕ is rigid
(B) $(\exists x\,\varphi ; \psi) \Rightarrow \exists x\,(\varphi ; \psi)$, $(\psi ; \exists x\,\varphi) \Rightarrow \exists x\,(\psi ; \varphi)$ if x ∉ FV(ψ)
(L1) $(\ell = x ; \varphi) \Rightarrow \neg(\ell = x ; \neg\varphi)$, $(\varphi ; \ell = x \land x \ne \infty) \Rightarrow \neg(\neg\varphi ; \ell = x)$
(L2) $\ell = x + y \land x \ne \infty \Leftrightarrow (\ell = x ; \ell = y)$
(L3) $\varphi \Rightarrow (\ell = 0 ; \varphi)$, $\varphi \land \ell \ne \infty \Rightarrow (\varphi ; \ell = 0)$
(S1) $(\ell = x \land \varphi ; \psi) \Rightarrow \neg(\ell = x \land \neg\varphi ; \chi)$
(P1) $\neg(\ell = \infty ; \varphi)$
(P2) $(\varphi ; \ell = \infty) \Rightarrow \ell = \infty$
(P3) $(\varphi ; \ell \ne \infty) \Rightarrow \ell \ne \infty$
(N) $\dfrac{\varphi}{\neg(\neg\varphi ; \psi)}$, $\dfrac{\varphi}{\neg(\psi ; \neg\varphi)}$
(Mono) $\dfrac{\varphi \Rightarrow \psi}{(\varphi ; \chi) \Rightarrow (\psi ; \chi)}$, $\dfrac{\varphi \Rightarrow \psi}{(\chi ; \varphi) \Rightarrow (\chi ; \psi)}$

The presence of the modality (.;.) and flexible symbols in ITL brings a restriction on the use of first order logic axioms which involve substitution such as

$$(\exists_r)\quad [t/x]\varphi \Rightarrow \exists x\,\varphi.$$

The application of this axiom is correct only if no variable in t becomes bound due to the substitution, and either t is rigid or (.;.) does not occur in ϕ, because the value of a flexible term could be different at the different intervals which are involved in evaluating formulas with (.;.).

The correctness of the proof system can be established by a direct check. Here follow some comments and informal reading of the axioms and the proof rules which can be helpful for their understanding too. A1 states that if chopping the reference interval into a ϕ-subinterval and a ψ-subinterval is possible, but chopping into a χ-subinterval and a ψ-subinterval is not, then any chopping into a ϕ- and a ψ-subinterval would lead to a ϕ-subinterval which additionally satisfies the negation of χ. In the presence of the rules Mono and propositional tautologies one can choose between A1 and

$$(\alpha ; \psi) \lor (\beta ; \psi) \Leftrightarrow (\alpha \lor \beta ; \psi),$$

which can be described as distributivity of (.;.) over ∨. Axiom B can be viewed as a parametric analogon of this distributivity axiom, with ∃x to be read as parametric (possibly infinitary) disjunction. A2 expresses the associativity of (.;.). R states that the satisfaction of rigid formulas does not depend on the reference interval. L S L P P L P ∞ ; ∞ ]. The rules N state that valid formulas are valid in subintervals too. These rules are the standard form of the modal logic rule ϕ/✷ϕ, yet about the binary modality (.;.). The fact that weakening the condition on a subinterval in a (.;.)-formula can only facilitate the satisfiability of the whole (.;.)-formula is expressed by the rules Mono.

1.2. DC with infinite intervals.
The formal definition of DC with infinite intervals as an extension of the logic of the real-time-based frame of ITL with infinite intervals below is after [ZDL95]. The main feature of DC relative to ITL are state expressions which are propositional formulas that denote piece-wise constant {0, 1}-valued functions of time. Unlike purely-ITL flexible symbols, DC state expressions denote functions on time points and not intervals.

1.2.1. Language. DC vocabularies are ITL vocabularies extended by state variables P, Q, .... State variables are used to build state expressions S which have the syntax

$$S ::= 0 \mid P \mid S \Rightarrow S$$

and in turn appear as the argument of duration terms ∫S which are the DC-specific construct in the syntax of terms t:

$$t ::= c \mid x \mid v \mid \textstyle\int S \mid f(t, \ldots, t)$$

Duration terms are regarded as flexible. The syntax of formulas is as in ITL. Flexible constants and 0-ary flexible predicate letters in DC are also known as temporal variables and temporal propositional letters, respectively.

1.2.2. Semantics. We are only interested in real-time DC which is based on the ITL frame

$$F_{\mathbb R} = \langle\langle \overline{\mathbb R}, \le, \infty\rangle, \langle \overline{\mathbb R}^+, +, 0, \infty\rangle, \lambda\sigma.\max\sigma - \min\sigma\rangle$$

where R̄ = R ∪ {∞} and R̄+ = {x ∈ R̄ : x ≥ 0}. DC interpretations extend ITL interpretations to provide values for state variables, which are functions of type R → {0, 1} that satisfy the following finite variability requirement: For every pair τ1, τ2 ∈ R such that τ1 < τ2, and every state variable P there exist an n < ω and τ'1, ..., τ'n ∈ R such that τ1 = τ'1 < ... < τ'n = τ2 and I(P) is constant on the semi-open intervals [τ'_i, τ'_{i+1}), i = 1, ..., n − 1. Given I, the values I_τ(S) of state expressions S at time τ ∈ R are defined by the equalities

$I_\tau(0) = 0$
$I_\tau(P) = I(P)(\tau)$ for state variables P
$I_\tau(S_1 \Rightarrow S_2) = \max(1 - I_\tau(S_1), I_\tau(S_2))$

The value I_σ(∫S) of duration term ∫S at interval σ ∈ Ĩ(R̄) is defined by the equality

$$I_\sigma\Big(\int S\Big) = \int_{\min\sigma}^{\max\sigma} I_\tau(S)\,d\tau$$

Note that I_σ(∫S) can be ∞ for σ ∈ I_inf(R̄). The values of other kinds of terms and ⊨ are defined as in ITL.
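The duration semantics above can be computed exactly for finitely-variable states. The Python script below is an added example, not code from the paper: it stores a state variable as a finite list of breakpoints (which is what finite variability amounts to), builds state expressions from 0 and ⇒ with the max(1 − a, b) clause, integrates piece by piece to obtain I_σ(∫S), returns ∞ on an infinite interval whose tail has S = 1, and checks an instance of the DC axiom DC4 together with the "S holds throughout" condition ∫S = ℓ ∧ ℓ ≠ 0 that the Abbreviations paragraph writes as ⌈⌈S⌉⌉. The states P and Q are constructed, and all names are this example's own.

```python
"""Real-time DC semantics on finitely-variable states.

Added example (not from the paper).  A state variable is a {0,1}-valued step
function of time given by breakpoints; state expressions are built from 0 and ⇒
exactly as in the paper's syntax, and ∫S is the integral of the step function over
an interval, which is ∞ on an infinite interval whose tail has S = 1.
"""
from fractions import Fraction

INF = float("inf")


class State:
    """I(P): value v holds on [start, next_start); the last value holds forever.
    Finitely many breakpoints give the finite variability the paper requires."""

    def __init__(self, breakpoints):
        self.bp = sorted(breakpoints)
        assert self.bp and self.bp[0][0] == 0, "states are defined from time 0"

    def at(self, tau):
        """I_tau(P) for tau >= 0."""
        value = 0
        for start, v in self.bp:
            if start <= tau:
                value = v
            else:
                break
        return value

    def pieces(self, lo, hi):
        """Maximal constant pieces (start, end, value) covering [lo, hi); end may be ∞."""
        cuts = [lo] + [s for s, _ in self.bp if lo < s < hi] + [hi]
        return [(cuts[i], cuts[i + 1], self.at(cuts[i])) for i in range(len(cuts) - 1)]


def combine(f, *states):
    """Pointwise combination; breakpoints are the union of the operands' breakpoints."""
    starts = sorted({s for st in states for s, _ in st.bp})
    return State([(s, f(*(st.at(s) for st in states))) for s in starts])


ZERO = State([(0, 0)])                        # the state expression 0


def implies(s1, s2):                          # I_tau(S1 ⇒ S2) = max(1 - I_tau(S1), I_tau(S2))
    return combine(lambda a, b: max(1 - a, b), s1, s2)


def neg(s):
    return implies(s, ZERO)


ONE = neg(ZERO)                               # 1 ⇋ ¬0


def disj(s1, s2):
    return implies(neg(s1), s2)


def conj(s1, s2):
    return neg(implies(s1, neg(s2)))


def length(iv):
    """ℓ at the interval: max σ − min σ, ∞ on infinite intervals."""
    lo, hi = iv
    return INF if hi == INF else Fraction(hi) - Fraction(lo)


def duration(s, iv):
    """I_sigma(∫S) = ∫_{min σ}^{max σ} I_tau(S) dτ, computed piece by piece."""
    lo, hi = iv
    total = Fraction(0)
    for start, end, value in s.pieces(lo, hi):
        if value:
            if end == INF:
                return INF                    # S stays 1 on an unbounded tail
            total += Fraction(end) - Fraction(start)
    return total


def everywhere(s, iv):
    """⌈⌈S⌉⌉: ∫S = ℓ ∧ ℓ ≠ 0, i.e. S holds throughout a non-empty interval."""
    return length(iv) != 0 and duration(s, iv) == length(iv)


# Constructed states: P is 1 on [0,2) ∪ [5,∞), Q is 1 on [1,3).
P = State([(0, 1), (2, 0), (5, 1)])
Q = State([(0, 0), (1, 1), (3, 0)])


def dc4_holds(s1, s2, iv):
    """Instance of DC4: ∫S1 + ∫S2 = ∫(S1 ∨ S2) + ∫(S1 ∧ S2)."""
    lhs = duration(s1, iv) + duration(s2, iv)
    rhs = duration(disj(s1, s2), iv) + duration(conj(s1, s2), iv)
    return lhs == rhs


def additive(s, iv, m):
    """The additivity behind DC5: ∫S over [lo,m] plus ∫S over [m,hi] equals ∫S over [lo,hi]."""
    lo, hi = iv
    return duration(s, (lo, m)) + duration(s, (m, hi)) == duration(s, iv)
```

Exact rationals are used for the integrals so that identities such as DC4 are checked by equality rather than within a floating-point tolerance; the ∞ case is handled separately because an infinite interval with S = 1 on its tail has no finite duration, which is exactly the situation the note after the definition of I_σ(∫S) points out.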
1.2.3. Abbreviations. The boolean connectives ¬, ∨, ∧ and ⇔ are used in state expressions as abbreviations in the usual way. The following abbreviations are specific to DC:

$$1 \rightleftharpoons \neg 0, \qquad \lceil\lceil S\rceil\rceil \rightleftharpoons \int S = \ell \land \ell \ne 0$$

Sometimes ℓ is introduced as an abbreviation for ∫1.

1.2.4. Proof system. The axioms and rules below were proposed in [HZ92] for DC with finite intervals.

(DC1) $\int 0 = 0$
(DC2) $\int 1 = \ell$
(DC3) $\int S \ge 0$
(DC4) $\int S_1 + \int S_2 = \int(S_1 \lor S_2) + \int(S_1 \land S_2)$
(DC5) $(\int S = x ; \int S = y) \Rightarrow \int S = x + y$
(DC6) $\int S_1 = \int S_2$ if S1 and S2 are propositionally equivalent
(IR1) $\dfrac{[\ell = 0/A]\varphi \qquad \varphi \Rightarrow [A \lor (A ; \lceil\lceil S\rceil\rceil \lor \lceil\lceil\neg S\rceil\rceil)/A]\varphi}{[\top/A]\varphi}$
(IR2) $\dfrac{[\ell = 0/A]\varphi \qquad \varphi \Rightarrow [A \lor (\lceil\lceil S\rceil\rceil \lor \lceil\lceil\neg S\rceil\rceil ; A)/A]\varphi}{[\top/A]\varphi}$

These axioms and rules have been shown to be complete with respect to the finite-interval variant ⟨⟨R, ≤⟩, ⟨R+, +, 0⟩, λσ.max σ − min σ⟩ of F_R relative to validity in the class of the ITL models which are based on the finite-interval variant of F_R in [HZ92]. The correctness of IR1 and IR2 can be understood as follows. Since S is constant on each piece of a finite partition of the reference interval, proving the validity of a property ϕ about zero-length intervals and proving that the validity of ϕ at intervals with n alternations of the value of S implies the validity of the same property about intervals with n + 1 such alternations is sufficient to conclude that ϕ holds about intervals with any finite number of alternations of the value of S. This, by the assumption of finite variability, means that ϕ is valid about all intervals. The completeness proof from [HZ92] involves two theorems which can be derived using the rules IR1 and IR2, instead of the rules themselves. The second of these theorems does not hold for infinite intervals and therefore we modify it appropriately:

(T1) $\ell = 0 \lor (\lceil\lceil S\rceil\rceil ; \top) \lor (\lceil\lceil\neg S\rceil\rceil ; \top)$
(T2) $\ell = 0 \lor \ell = \infty \lor (\top ; \lceil\lceil S\rceil\rceil) \lor (\top ; \lceil\lceil\neg S\rceil\rceil)$

The use of T1 and T2 instead of IR1 and IR2 allows DC to be treated as a theory in ITL with the axioms DC1–DC6, T1 and T2. We adopt DC1–DC6, T1 and T2 for DC with infinite intervals and disregard the rules IR1 and IR2; see Section 8.

1.3. Probabilistic DC for real time. Probabilistic DC was first introduced for discrete time in [LRSZ93]. There is a chapter on discrete time probabilistic DC in [ZH04] too. Here follows the formal definition of real-time probabilistic DC as introduced in [DZ99].

1.3.1. Real-time probabilistic automata.
The semantics of the real-time probabilistic DC as originally proposed in [DZ99] is based on a class of real-time probabilistic automata.

Definition 1.3. A finite probabilistic timed automaton is a system of the form

$$\mathcal A = \langle S, A, s_0, \langle q_a : a \in A\rangle, \langle p_a : a \in A\rangle\rangle \qquad (1.2)$$

where:
S is a finite set of states;
A ⊂ {⟨s, s'⟩ : s, s' ∈ S, s ≠ s'} is a set of transitions;
s0 ∈ S is called the initial state;
q_a ∈ [0, 1] is the choice probability for transition a ∈ A;
p_a ∈ (R+ → R+) is the duration probability density of transition a.

Given the automaton 𝒜, A_s denotes {s' ∈ S : ⟨s, s'⟩ ∈ A}. If a ∈ A and a = ⟨s, s'⟩, then s and s' are denoted by a⁻ and a⁺, respectively. Choice probabilities q_a are required to satisfy $\sum_{a \in A_s} q_a = 1$ for $A_s \ne \emptyset$. Probability densities p_a are required to satisfy $\int_0^\infty p_a(\tau)\,d\tau = 1$.

An automaton 𝒜 of the form (1.2) works by going through a finite or infinite sequence of states s0, s1, ..., sn, ... such that ⟨s_i, s_{i+1}⟩ ∈ A for all i. Each transition has a duration d_i, which is the time that elapses before s_i changes to s_{i+1}. Thus individual behaviours of 𝒜 can be represented as sequences of the form

$$\langle a_1, d_1\rangle, \ldots, \langle a_n, d_n\rangle, \ldots \qquad (1.3)$$

where a_i ∈ A, d_i ∈ R+, a_1⁻ = s0 and a_i⁺ = a_{i+1}⁻ for all i. Having arrived at state s, 𝒜 chooses transition a ∈ A_s with probability q_a. The probability for the duration of a to be in [τ1, τ2] is $\int_{\tau_1}^{\tau_2} p_a(\tau)\,d\tau$. Automata of the above type are closely related to the probabilistic real-time processes known from [ACD91, ACD92].

1.3.2. DC models for real-time probabilistic automata behaviours.
Probabilistic DC was introduced in [DZ99] for vocabularies built to describe the behaviours of given real-time probabilistic automata. The DC vocabulary L_𝒜 for (1.2) has the states s ∈ S as its state variables. The only other non-logical symbols are the mandatory ones. A DC interpretation of L_𝒜 describes the behaviour (1.3) of 𝒜 if for all i < ω τ ∈ "P j

Given a real-time probabilistic automaton (1.2), the set W_𝒜 of all the interpretations of L_𝒜 which describe possible behaviours of 𝒜 can be endowed with a probability function µ_𝒜. Given A ⊆ W_𝒜, µ_𝒜(A) can be defined as the probability for 𝒜 to have a behaviour described by an interpretation in A. The sets A in the domain of µ_𝒜 should be chosen from some appropriate boolean algebra of subsets of 2^{W_𝒜}. Details on the definition of µ_𝒜, including explicit formulas for µ_𝒜 in terms of p_a and q_a, can be found in [DZ99]. Given τ ∈ R+ and a DC formula ϕ in the vocabulary L_𝒜, the value of the PDC term µ_𝒜(ϕ)(τ) is defined as

$$\mu_{\mathcal A}(\varphi)(\tau) = \mu_{\mathcal A}(\{I \in W_{\mathcal A} : I, [0, \tau] \models \varphi\}).$$
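The behaviours (1.3) and the value µ_𝒜(ϕ)(τ) can be made concrete by simulation. The Python script below is an added example, not code from [DZ99] or from the paper: it encodes a constructed three-state automaton (initial state s0 with two outgoing transitions of choice probabilities 0.3 and 0.7, both with the exponential duration density p_a(τ) = e^{−τ}, represented by a sampler rather than a density function), enforces the constraint Σ q_a = 1 for every state with outgoing transitions, samples behaviours with a seeded generator, and estimates µ_𝒜((⊤;⌈⌈s⌉⌉))(τ), the probability that the DC interpretation of a behaviour has state s on a non-empty final segment of [0, τ], against the closed form q(1 − e^{−τ}) that holds for this particular automaton. The class and function names are this example's own.

```python
"""Behaviours of a real-time probabilistic automaton and Monte Carlo estimates of µ_A(ϕ)(τ).

Added example (not from [DZ99] or the paper).  Transitions carry a choice
probability q_a and a duration density p_a; the density is represented here by a
sampler that draws a duration from it.  A behaviour is the sequence of
(transition, duration) pairs (1.3), and the DC interpretation describing it makes
exactly one state variable 1 at each time point.
"""
import math
import random


class PTA:
    """A finite probabilistic timed automaton ⟨S, A, s0, ⟨q_a⟩, ⟨p_a⟩⟩ (Definition 1.3)."""

    def __init__(self, states, s0, transitions):
        # transitions: {(s, s'): (q, sampler)}; sampler(rng) draws a duration from p_a.
        self.states, self.s0, self.tr = set(states), s0, dict(transitions)
        self._check()

    def outgoing(self, s):
        return [a for a in self.tr if a[0] == s]

    def _check(self):
        """Well-formedness: s ≠ s', q_a ∈ [0,1], and Σ q_a = 1 whenever A_s ≠ ∅."""
        for (s, t), (q, _) in self.tr.items():
            if s == t or s not in self.states or t not in self.states:
                raise ValueError(f"bad transition {(s, t)}")
            if not 0 <= q <= 1:
                raise ValueError(f"bad choice probability {q} for {(s, t)}")
        for s in self.states:
            out = self.outgoing(s)
            if out and abs(sum(self.tr[a][0] for a in out) - 1.0) > 1e-9:
                raise ValueError(f"choice probabilities out of {s} do not sum to 1")

    def behaviour(self, rng, horizon):
        """Sample a prefix ⟨a1,d1⟩, ⟨a2,d2⟩, ... long enough to cover [0, horizon]."""
        s, t, beh = self.s0, 0.0, []
        while t <= horizon:
            out = self.outgoing(s)
            if not out:
                break                      # no transition leaves s: it is held forever
            a = rng.choices(out, weights=[self.tr[b][0] for b in out])[0]
            d = self.tr[a][1](rng)
            beh.append((a, d))
            t, s = t + d, a[1]
        return beh


def state_holds_at_end(pta, beh, s, tau):
    """[0, τ] ⊨ (⊤ ; ⌈⌈s⌉⌉): the state is s on a non-empty final segment [τ', τ)."""
    cur, t = pta.s0, 0.0
    for a, d in beh:
        if t < tau <= t + d:
            return cur == s
        t, cur = t + d, a[1]
    return tau > t and cur == s          # reached a terminal state before tau


def estimate_mu(pta, s, tau, n=20000, seed=7):
    """Monte Carlo estimate of µ_A((⊤ ; ⌈⌈s⌉⌉))(τ) from n sampled behaviours."""
    rng = random.Random(seed)
    hits = sum(state_holds_at_end(pta, pta.behaviour(rng, tau), s, tau) for _ in range(n))
    return hits / n


def exponential(rate):
    """Sampler for the duration density p_a(τ) = rate · e^{-rate·τ}."""
    return lambda rng: rng.expovariate(rate)


# Constructed automaton: s0 -> s1 with q = 0.3, s0 -> s2 with q = 0.7, both with
# exponential duration density p_a(τ) = e^{-τ}; s1 and s2 are terminal.
EXAMPLE = PTA(
    states=["s0", "s1", "s2"],
    s0="s0",
    transitions={
        ("s0", "s1"): (0.3, exponential(1.0)),
        ("s0", "s2"): (0.7, exponential(1.0)),
    },
)


def exact_mu(q, rate, tau):
    """Closed form for EXAMPLE: s0 has been left by time τ with probability
    1 - e^{-rate·τ}, and the given successor was chosen with probability q."""
    return q * (1 - math.exp(-rate * tau))


def within(tau, tol=0.02):
    """True iff the estimates for s1 and s0 at time τ match the closed forms."""
    s1_ok = abs(estimate_mu(EXAMPLE, "s1", tau) - exact_mu(0.3, 1.0, tau)) < tol
    s0_ok = abs(estimate_mu(EXAMPLE, "s0", tau) - math.exp(-tau)) < tol
    return s1_ok and s0_ok


def rejects_unnormalised():
    """The well-formedness check refuses choice probabilities that do not sum to 1."""
    try:
        PTA(["a", "b"], "a", {("a", "b"): (0.5, exponential(1.0))})
    except ValueError:
        return True
    return False
```

The semi-open intervals [Σ_{j<i} d_j, Σ_{j≤i} d_j) on which a state is held are what `state_holds_at_end` walks through; at τ = 0 the formula is false, as ⌈⌈s⌉⌉ requires ℓ ≠ 0.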
Probabilistic DC for real time was introduced in [DZ99] by enhancing DC with terms of the form µ(ϕ)(t) where ϕ is a DC formula in L_𝒜 for some automaton 𝒜 and t is a term. The values of such terms were defined by the equality

$$I_\sigma(\mu(\varphi)(t)) = \mu_{\mathcal A}(\varphi)(I_\sigma(t)).$$

Note that I_σ(µ(ϕ)(t)) depends on σ only through the value of t. This means that µ(ϕ)(t) is rigid iff t is.

2. Probabilistic ITL with infinite intervals
In this section we extend abstract-time
ITL with infinite intervals by a probabilityoperator which generalises the operator µ ( . )( . ) of PDC from [LRSZ93, DZ99]. The newprobability operator is more expressive and syntactically simpler than µ ( . )( . ). Instead ofthe binary µ ( ϕ )( t ) we use a unary p ( ϕ ) which takes the formula argument ϕ of µ . Thesemantics of p ( ϕ ) given below makes it clear that the term argument t which determinesthe length of the interval at which ϕ is to be evaluated need not be written separatelybecause µ ( ϕ )( t ) can be expressed as p (( ϕ ∧ ℓ = t ; ⊤ )). To accomodate the arithmeticsof probabilities, abstract-time frames for the new system of probabilistic ITL include asimilarly abstract probability domain. We use the acronym
PITL for the new system.
PITL and its proof system is the main topic of this paper. As it becomes clear below,
PITL can be extended to
PDC in a straightforward way.2.1.
Language.
PITL vocabularies are two-sorted , with durations and probabilities beingthe two sorts. For this reason, instead of just arities, the non-logical symbols have types which determine the sorts of each argument in the cases of function and relation symbols,and the sort of terms built using the symbol for constants, variables and function symbols.A term or atomic formula s ( t , . . . , t s ) is well formed only if the sorts of the argumentterms t , . . . , t s match the type of s .Along with the mandatory non-logical symbols 0, ∞ , + and ℓ of the duration sort, PITL vocabularies are required to include the rigid constants 0 and 1 and addition + ofthe probability sort. Equality = is included for each sort too. We use the same charactersto denote these otherwise distinct symbols as long as this causes no confusion. We assumecountably infinite sets of individual variables of either sort and no more than countably-infinite sets of other symbols in
PITL vocabularies.The syntax of
PITL terms extends that from
ITL by terms of the form p ( ϕ ) where ϕ is a formula. These terms are of the probability sort and we call them probability terms . F V ( p ( ϕ )) = F V ( ϕ ) and p ( ϕ ) is rigid iff ϕ is rigid.The syntax of formulas is as in ITL .2.2.
Models and satisfaction.
The main part of a PITL model is a collection of interpretations of the given vocabulary into a given two-sorted frame for ITL with infinite intervals. These interpretations are meant to describe the possible behaviours of a modelled system. Unlike the original PDC models, which assume a global probability function that is derived from the laws of probabilistic behaviour of appropriate automata, we assume a probability distribution to model the probabilistic branching of every behaviour at every time point. Restrictions on the system of probability distributions which, e.g., force them to model the choice and duration probabilities of an appropriate automaton can be imposed by additional axioms such as those from Section 6.3.
Definition 2.1. A PITL frame is a tuple of the form F = ⟨⟨T, ≤, ∞⟩, ⟨D, +, 0, ∞⟩, ⟨U, +, 0, 1⟩, m⟩, where ⟨T, ≤, ∞⟩, ⟨D, +, 0, ∞⟩ and m are as in frames for ITL with infinite intervals and ⟨U, +, 0, 1⟩ is a commutative monoid with the additional constant 1, which is called the probability domain. ⟨U, +, 0, 1⟩ is supposed to satisfy some additional axioms. Here follows the full list:

(U1) x + (y + z) = (x + y) + z
(U2) x + y = y + x
(U3) x + 0 = x
(U4) x + y = x + z ⇒ y = z
(U5) x + y = 0 ⇒ x = y = 0
(U6) ∃z (x + z = y ∨ y + z = x)
(U7) 0 ≠ 1

We use the same symbols for + and 0 in both duration domains and probability domains, despite that they are different entities, as long as this causes no confusion. Probability domains are assumed to be ordered by the relation ≤ which is defined by (1.1) like in the case of durations.

For the rest of the section L denotes some PITL vocabulary and F is some PITL frame with its components named as above.
Definition 2.2. A PITL interpretation of L into F is a function I on L which satisfies the following conditions:

I(c), I(x) ∈ A for rigid constants c and individual variables x, where A is either D or U, depending on the sort of the symbol;
I(f) ∈ (A_1 × … × A_#f → A_{#f+1}) for rigid function symbols f, where A_1, …, A_{#f+1} are either D or U each, depending on the sort of the respective argument of f and the sort of the value of f;
I(R) ∈ (A_1 × … × A_#R → {0, 1}) for rigid relation symbols R, where A_1, …, A_#R are chosen as for function symbols;
I(c) ∈ (Ĩ(T) → A), I(f) ∈ (Ĩ(T) × A_1 × … × A_#f → A_{#f+1}) and I(R) ∈ (Ĩ(T) × A_1 × … × A_#R → {0, 1}) for flexible c, f and R, where the A_i are chosen as for rigid symbols;
I(0) = 0, I(+) = + and I(=) is = for 0, + and = of either sort and its corresponding domain in F; I(1) is the constant 1 from U;
I(∞) = ∞ and I(ℓ) = m like with ITL interpretations.

Consider a non-empty set W, a function I on W into the set of the PITL interpretations of the fixed vocabulary L into the fixed frame F and a function P of type W × T × 𝒫(W) → U. Let I_w and P_w abbreviate I(w) and λτ,X.P(w, τ, X), respectively, for all w ∈ W. I_w and P_w, w ∈ W, are intended to represent the set of behaviours and the associated probability distributions for every τ ∈ T in the F-based PITL models for L to be defined below.

Definition 2.3. Let τ ∈ T. We define the equivalence relation ≡_τ on W for all τ ∈ T by putting w ≡_τ v iff

I_w(s) = I_v(s) for all rigid symbols s ∈ L, except possibly the individual variables;
I_w(s)(σ, d_1, …, d_#s) = I_v(s)(σ, d_1, …, d_#s) for all flexible s ∈ L, all d_1, …, d_#s from the appropriate domains and all σ ∈ Ĩ(T) such that max σ ≤ τ;
P_w(τ′, X) = P_v(τ′, X) for all X ⊆ W and all τ′ ≤ τ.

Given w ∈ W and τ ∈ T, we denote the set {v ∈ W : v ≡_τ w} by W_{w,τ}. Members of W which are τ-equivalent stand for the same behaviour up to time τ. If τ_1 > τ_2, then ≡_{τ_1} ⊂ ≡_{τ_2}, and w ≡_∞ v holds iff P_w = P_v and I_w and I_v agree on all symbols, except possibly some individual variables. W_{w,τ} is the set of those v ∈ W which represent the probabilistic branching of w from time τ onwards.

Definition 2.4. A general PITL model for L is a tuple of the form ⟨F, W, I, P⟩ where F, W, I and P are as above and satisfy the following requirements for every w ∈ W:

W is closed under variants of interpretations. If w ∈ W, x is an individual variable from L and a is in the domain from F which corresponds to the sort of x, then there is a v ∈ W such that P_v = P_w and I_v = (I_w)^a_x.

P_w represents probability measures. The function λX.P_w(τ, X), for every w ∈ W and τ ∈ T, is a finitely additive probability measure on the boolean algebra
⟨𝒫(W), ∩, ∪, ∅, W⟩ (2.1)
and satisfies the equality P_w(τ, X) = P_w(τ, X ∩ W_{w,τ}) for all X ⊆ W, which means that λX.P_w(τ, X) is required to be concentrated on the set W_{w,τ}.

Informally, a general PITL model is based on a set W of descriptions of infinite behaviours made by means of the ITL interpretations I_w which are associated with each w ∈ W. All the interpretations I_w are into the same frame F and are supposed to treat rigid symbols identically, to express that, e.g., arithmetic is the same in all behaviours. It is assumed that, given a finite initial part of a behaviour w until time τ, the modelled system can proceed according to a description within the set W_{w,τ} of the behaviours which are the same as w up to time τ. The probability for the system to choose a behaviour in X ⊆ W_{w,τ} is P_w(τ, X).

Next we define term values w_σ(t) and the satisfaction of formulas in PITL models. The definitions of term values, the modelling relation ⊨ and its associated notation [[.]] for terms, formulas, models and time intervals in PITL are given by the following clauses, where the components of the model M are named as above:

Term values
w_σ(x) = I_w(x) for variables x
w_σ(c) = I_w(c) for rigid c
w_σ(f(t_1, …, t_#f)) = I_w(f)(w_σ(t_1), …, w_σ(t_#f)) for rigid f
w_σ(c) = I_w(c)(σ) for flexible c
w_σ(f(t_1, …, t_#f)) = I_w(f)(σ, w_σ(t_1), …, w_σ(t_#f)) for flexible f
w_σ(p(ψ)) = P_w(max σ, [[ψ]]_{M,w,σ})

Here [[ψ]]_{M,w,σ} stands for
{v ∈ W_{w,max σ} : (∀v′ ∈ W)(P_{v′} = P_v ∧ I_{v′} = (I_v)^{I_w(x_1), …, I_w(x_n)}_{x_1, …, x_n} → M, v′, [min σ, ∞] ⊨ ψ)}, (2.2)
where x_1, …, x_n are the free variables of ψ. This means that [[ψ]]_{M,w,σ} consists of the behaviours v which are max σ-equivalent to w and satisfy ψ at the infinite interval starting at min σ.

Satisfaction of formulas
M, w, σ ⊭ ⊥
M, w, σ ⊨ R(t_1, …, t_#R) iff I_w(R)(w_σ(t_1), …, w_σ(t_#R)) = 1 for rigid R
M, w, σ ⊨ R(t_1, …, t_#R) iff I_w(R)(σ, w_σ(t_1), …, w_σ(t_#R)) = 1 for flexible R
M, w, σ ⊨ (ϕ ⇒ ψ) iff either M, w, σ ⊭ ϕ or M, w, σ ⊨ ψ
M, w, σ ⊨ (ϕ; ψ) iff M, w, σ_1 ⊨ ϕ and M, w, σ_2 ⊨ ψ for some σ_1 ∈ I_fin(T_F) and σ_2 ∈ Ĩ(T_F) such that σ_1; σ_2 = σ
M, w, σ ⊨ ∃xϕ iff M, v, σ ⊨ ϕ for some v ∈ W and some a from the domain of the sort of x such that P_v = P_w and I_v = (I_w)^a_x

Obviously M, w, σ ⊨ ψ iff ⟨F, I_w⟩, [min σ, ∞] ⊨_ITL ψ as in non-probabilistic ITL for ψ with no occurrence of probability terms.

The probability functions λX.P_w(τ, X) for w ∈ W and τ ∈ T in general PITL models M = ⟨F, W, I, P⟩ are needed only in as much as they provide values for probability terms. That is why these functions need not be defined on the entire algebra (2.1). Indeed, it is sufficient for λX.P_w(τ, X) to be defined on the (generally smaller) algebra
⟨{[[ψ]]_{M,w,σ} : ψ ∈ L, σ ∈ Ĩ(T), max σ = τ}, ∩, ∪, ∅, W_{w,τ}⟩,
which we denote by B_{M,w,τ}. This observation justifies the broadening of the definition of general PITL models as follows.

Amendment to Definition 2.4. Structures of the form M = ⟨F, W, P, I⟩ from Definition 2.4, but with their probability functions λX.P_w(τ, X) defined just on the respective algebras B_{M,w,τ}, are general PITL models too.
Example. A PITL model M_A = ⟨F_R, W, P, I⟩ which is based on the real-time frame F_R and describes the working of a given probabilistic automaton A of the form (1.2) from Definition 1.3 can be defined as follows. The vocabulary of M_A consists of the mandatory symbols 0, +, ℓ, …, the transitions a ∈ A as flexible 0-ary predicate letters, and the choice probabilities q_a as rigid constants. As for the duration probability densities p_a, it is convenient to have rigid unary function symbols P_a which denote the functions λτ.∫^τ p_a(t) dt. The vocabulary does not provide direct reference to the states of A as done in PDC; behaviour is instead described in terms of transitions whose beginnings and ends mark the times of state change. Every possible behaviour (1.3) is described by a w ∈ W such that I_w(a_i)

PITL semantics with a remark on the underlying model of time. As mentioned in the introduction, PDC and PITL are essentially branching-time interval logics. An alternative way to introduce the semantics of PITL could be to use partially ordered time domains ⟨T, ≤⟩ with some additional conditions on their maximal linearly ordered subsets. Given a PITL model ⟨F, W, I, P⟩ as described above, we can construct the corresponding partially ordered time domain by taking {⟨τ, W_{w,τ}⟩ : τ ∈ T, w ∈ W} as the set of time points and defining the partial ordering by the clause ⟨τ_1, W_1⟩ ≤ ⟨τ_2, W_2⟩ iff τ_1 ≤ τ_2 and W_1 ⊇ W_2. The chosen way to define PITL models saves us the need to reformulate, just for the sake of notation differences, results on ITL which are essentially linear-time and are therefore known in the literature.

3. A proof system for PITL
In this section we propose axioms and a proof rule for PITL. If added to the complete proof system for ITL with infinite intervals from [WX04] given in Section 1.1.4, these axioms and the rule form a system which is complete for PITL with respect to its abstract semantics introduced in Section 2.2. This is demonstrated in Section 4. Most of our axioms and rule are modifications of those for PNL from [Gue00]. The modifications were made to account for the use of infinite intervals instead of the NL expanding modalities. Some simple infinite-interval-specific properties of p(.) are handled by completely new axioms.

The system.

Extensionality
(P;) (ℓ = x; p(ψ) = y) ⇒ p((ℓ = x; ψ)) = y
(P∞) ℓ = ∞ ⇒ (ϕ ⇔ p(ϕ) = 1)
(P≤) ⊢ (ϕ; ℓ = ∞) ⇒ (ψ ⇒ χ)  /  ⊢ ϕ ∧ ℓ < ∞ ⇒ p(ψ) ≤ p(χ)

Arithmetic of probabilities
(P⊥) p(⊥) = 0
(P⊤) p(⊤) = 1
(P+) p(ϕ) + p(ψ) = p(ϕ ∨ ψ) + p(ϕ ∧ ψ)

P; expresses that the probability function P_{⟨I,P⟩, max σ} which is used to evaluate I_σ(p(ψ)) depends on the end point max σ and not on the whole reference interval σ. P∞ means that having the entire future as the reference interval renders all properties deterministic: no alternative behaviours are possible "from ∞ on"; the interpretations I′ from ⟨I′, P′⟩ ∈ W_{⟨I,P⟩,∞} can differ from I only on individual variables, and such differences are disregarded in the definition (2.2) of [[ϕ]]_{M,⟨I,P⟩,σ} for all intervals σ. The rule P≤ means that if a property χ is a logical consequence of another property ψ, then the probability of χ is at least as big as that of ψ. The probabilities of ψ and χ are compared in the context of a finite-interval condition ϕ. The case of an infinite-interval condition ϕ is handled by axiom P∞. The axioms P⊥, P⊤ and P+ are self-explanatory. The correctness of the axioms and the rule is straightforward. The use of ⊢ in P≤ is to emphasize that we intend to apply this rule only to theorems. The maximal consistent sets of formulas which take part in our completeness argument for this proof system below need not be closed under P≤.

The rule P≤ can be classified under the category of probability arithmetic as well, because of the meaning of ≤, which is defined by (1.1). However, we find its role as an extensionality rule, which is further highlighted by the derived rule PITL
Some useful PITL theorems and a derived rule.

The PITL theorems PITL … τ-equivalence on probabilities, respectively.

(P∞≤) (ϕ; ℓ = ∞) ∨ (ϕ ∧ ℓ = ∞) ⇒ (ψ ⇒ χ)  /  ϕ ⇒ p(ψ) ≤ p(χ)
(PITL) ϕ ⇔ ψ  /  p(ϕ) = p(ψ)
(PITL) p(ϕ) + p(¬ϕ) = 1
(PITL) p(ϕ) < p(ψ) ⇒ p(ψ ∧ ¬ϕ) ≠ 0
(PITL) p(ϕ) = p(ϕ ∧ ℓ = ∞)
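The following is an added worked derivation, not part of the paper: it first shows why the axioms (U1)–(U6) of Definition 2.1 make ≤ an order on U (antisymmetry in particular), and then uses that together with the derived rule P∞≤ to carry the last theorem above, p(ϕ) = p(ϕ ∧ ℓ = ∞), through in full. It assumes that (1.1), which is not reproduced on this page, defines x ≤ y as ∃z (x + z = y).

```latex
% Added worked derivation; not from the paper. Assumption: (1.1), which this page
% does not reproduce, defines the ordering on U as  x \le y \iff \exists z\,(x + z = y).

\textbf{Lemma (antisymmetry of } \le \textbf{ on } U\textbf{).}\quad
x \le y \wedge y \le x \;\Rightarrow\; x = y.
\begin{align*}
x + z = y,\ y + z' = x
 &\Rightarrow\quad x + (z + z') = (x + z) + z' = y + z' = x = x + 0 && \text{(U1), (U3)}\\
 &\Rightarrow\quad z + z' = 0 && \text{(U4), cancelling } x\\
 &\Rightarrow\quad z = z' = 0 && \text{(U5)}\\
 &\Rightarrow\quad y = x + 0 = x. && \text{(U3)}
\end{align*}
\text{Likewise } x \le x \text{ by (U3);}\;
x \le y \wedge y \le w \Rightarrow x \le w \text{ by (U1);}\;
x \le y \vee y \le x \text{ by (U6);}\;
0 \le x \text{ by (U2), (U3); and } 0 < 1 \text{ by (U7).}

\textbf{Derivation of } \vdash p(\varphi) = p(\varphi \wedge \ell = \infty)
\textbf{ from } P_{\infty\le}\textbf{:}
\begin{align*}
1.\ & (\top;\ell=\infty) \vee (\top \wedge \ell=\infty) \Rightarrow (\varphi \Rightarrow \varphi \wedge \ell=\infty) && \text{ITL}\\
2.\ & \top \Rightarrow p(\varphi) \le p(\varphi \wedge \ell=\infty) && 1,\ P_{\infty\le}\ (\text{condition } \top)\\
3.\ & (\top;\ell=\infty) \vee (\top \wedge \ell=\infty) \Rightarrow (\varphi \wedge \ell=\infty \Rightarrow \varphi) && \text{ITL}\\
4.\ & \top \Rightarrow p(\varphi \wedge \ell=\infty) \le p(\varphi) && 3,\ P_{\infty\le}\\
5.\ & p(\varphi) \le p(\varphi \wedge \ell=\infty) \wedge p(\varphi \wedge \ell=\infty) \le p(\varphi) && 2,\ 4,\ \text{ITL}\\
6.\ & p(\varphi) = p(\varphi \wedge \ell=\infty) && 5,\ \text{Lemma, i.e. (U1), (U3)--(U5)}
\end{align*}
```

Lines 1 and 3 are the two ITL theorems the paper names for this purpose; the only PITL-specific step is the use of P∞≤ with ⊤ as its condition ϕ, after which the equality is pure probability arithmetic.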
Here follows a derivation for P∞≤. The purely ITL parts are skipped and marked "ITL" for the sake of brevity. Applications of the axioms U1–U7

1. (ϕ; ℓ = ∞) ⇒ (ψ ⇒ χ)   assumption, ITL
2. ϕ ∧ ℓ < ∞ ⇒ p(ψ) ≤ p(χ)   1, P≤
3. ℓ = ∞ ∧ ϕ ⇒ (p(ψ) = 0 ∧ p(χ) = 0) ∨ (p(ψ) = 0 ∧ p(χ) = 1) ∨ (p(ψ) = 1 ∧ p(χ) = 1)   assumption, P∞, PITL
4. ϕ ∧ ℓ = ∞ ⇒ p(ψ) ≤ p(χ)   3, ITL
5. ℓ < ∞ ∨ ℓ = ∞   ITL
6. ϕ ⇒ p(ψ) ≤ p(χ)   2, 4, 5

The theorem p(ϕ) = p(ϕ ∧ ℓ = ∞) follows by applying P∞≤ to the ITL theorems
(⊤; ℓ = ∞) ∨ (⊤ ∧ ℓ = ∞) ⇒ (ϕ ⇒ ϕ ∧ ℓ = ∞) and (⊤; ℓ = ∞) ∨ (⊤ ∧ ℓ = ∞) ⇒ (ℓ = ∞ ∧ ϕ ⇒ ϕ).
The rule ϕ ⇔ ψ / p(ϕ) = p(ψ) follows from P∞≤ too. The proofs for p(ϕ) + p(¬ϕ) = 1 and p(ϕ) < p(ψ) ⇒ p(ψ ∧ ¬ϕ) ≠ 0 are as follows:

1. ϕ ∧ ¬ϕ ⇔ ⊥   ITL
2. p(ϕ ∧ ¬ϕ) = p(⊥)   1, PITL
3. p(ϕ ∧ ¬ϕ) = 0   2, P⊥
4. ϕ ∨ ¬ϕ ⇔ ⊤   ITL
5. p(ϕ ∨ ¬ϕ) = p(⊤)   4, PITL
6. p(ϕ ∨ ¬ϕ) = 1   5, P⊤
7. p(ϕ) + p(¬ϕ) = p(ϕ ∨ ¬ϕ) + p(ϕ ∧ ¬ϕ)   P+
8. p(ϕ) + p(¬ϕ) = 1   2, 6, 7, ITL

1. p(ψ) ≤ p(ϕ ∨ ψ)   P∞≤
2. p(ϕ) + p(ψ ∧ ¬ϕ) = p(ϕ ∧ ψ ∧ ¬ϕ) + p(ϕ ∨ (ψ ∧ ¬ϕ))   P+
3. p(ϕ) + p(ψ ∧ ¬ϕ) = p(ϕ ∨ ψ)   2, PITL, P⊥
4. p(ϕ) < p(ψ) ⇒ p(ϕ) < p(ϕ ∨ ψ)   1
5. p(ϕ) < p(ψ) ⇒ p(ψ ∧ ¬ϕ) ≠ 0   3, 4

4. Completeness of the proof system for PITL
In this section we show that the proof system for PITL from Section 3 is complete. To exploit the full potential of the abstract semantics of PITL, we prove a strong completeness theorem. It states that every consistent set of PITL formulas has a model. This is convenient for the study of further extensions of the logic whose syntactic elements can be represented by adding infinitely many non-logical symbols and axioms about them, or when a modelled system is described using infinitely many formulas.

The main step in this proof is the construction of what is known in model theory as the elementary diagram ∆ of a PITL model M for an arbitrary given set of PITL formulas Γ which is consistent in the proposed proof system for PITL. ∆ is a description of M in a PITL language whose vocabulary has names for all the elements of M. To avoid repeating the technical steps which are not specific to the probability operator of PITL and can be found in the completeness proof for (non-probabilistic) ITL with infinite intervals from [WX04], we introduce a translation of the involved PITL languages into corresponding ITL languages with appropriate vocabularies and use it to view subsets of the constructed diagram and the whole diagram as complete Henkin theories in (non-probabilistic) ITL as well.

The model M that we construct is very similar to a canonical model. We stop short of calling it canonical, because of the dedicated technique which is used to build the behaviour representations v which are needed to populate the sets [[ϕ]]_{M,w,σ} for ϕ, σ and w such that M, w, σ ⊨ p(ϕ) ≠ 0 is supposed to hold.

Without losing generality, we consider only sets of formulas Γ which contain ℓ = ∞. This way we restrict ourselves to seeking the satisfaction of Γ at an infinite interval. The satisfaction of a consistent Γ which is not consistent with ℓ = ∞ can be achieved through the satisfaction of
{ℓ = ∞} ∪ {(γ ∧ ℓ = c; ⊤) : γ ∈ Γ} (4.1)
where c is some fresh rigid constant.

The completeness argument involves the application of some non-trivial results about interpolation in ITL. We present them first.

4.1. Interval-related and Craig interpolation in ITL with infinite intervals.

Interval-related interpolation for ITL with finite intervals, NL and a subset of DC with finite intervals and projection onto state were formulated and proved in [Gue01, Gue04b]. Craig interpolation was shown to hold for these logics there too. Here we just formulate interval-related interpolation for ITL with infinite intervals in the special form which is convenient for our completeness argument.

Let L and L′ be two vocabularies for ITL with infinite intervals. Let L and L′ share their rigid symbols, including the individual variables, and let the only flexible symbol occurring in both L and L′ be ℓ. Let there be a bijection between the flexible symbols from L \ {ℓ} and those from L′ such that the symbol s′ from L′ which corresponds to s ∈ L is of the same kind and arity as s. Let ϕ′ denote the result of replacing each flexible symbol s ∈ L \ {ℓ} in a formula ϕ written in L by the corresponding s′ ∈ L′.

Theorem 4.1.
Let Φ be a finite set of formulas and ϕ and ψ be two more formulas, all written in L. Let c be a rigid constant in L. Let
(ℓ = c ∧ ✷∀ ⋀_{χ∈Φ} (χ ⇔ χ′); ℓ = ∞) ⇒ (ϕ ⇒ ψ′)
be a theorem of ITL with infinite intervals. Then there is a formula θ written in L such that
ϕ ∧ c < ∞ ∧ ℓ = ∞ ⇒ (ℓ = c ∧ θ; ℓ = ∞) and (ℓ = c ∧ θ′; ℓ = ∞) ⇒ ψ′
are theorems of ITL as well.

We use the standard form of Craig interpolation:

Theorem 4.2. Let L_1 and L_2 be two ITL vocabularies. Let ϕ_i be a formula of ITL with infinite intervals written in the vocabulary L_i, i = 1, 2, and ϕ_1 ⇒ ϕ_2 be a theorem of ITL with infinite intervals. Then there is a formula θ written in the vocabulary L_1 ∩ L_2 such that both ϕ_1 ⇒ θ and θ ⇒ ϕ_2 are such theorems.

The proofs of the two interpolation theorems are simple variants of those of the theorems known from [Gue01], which in their turn follow the pattern of the model-theoretic proof of Craig interpolation that can be seen in, e.g., [CK73].

4.2. Consistency in PITL.

Definition 4.3.
Given an ITL (PITL) vocabulary L, ITL_L (PITL_L) denotes the set of the theorems of ITL (PITL) written in a given vocabulary L. Given L and a set of formulas Γ written in L, Cn_{L,ITL}(Γ) (Cn_{L,PITL}(Γ)) denotes the set of formulas written in L which can be proved using formulas from ITL_L ∪ Γ (PITL_L ∪ Γ) and the propositional logic rule Modus Ponens ϕ, ϕ ⇒ ψ / ψ.

Definition 4.4. A set of ITL (PITL) formulas Γ written in a vocabulary L is consistent if ⊥ ∉ Cn_{L,ITL}(Γ) (⊥ ∉ Cn_{L,PITL}(Γ)). A consistent Γ is maximal in L if it has no consistent proper supersets of formulas written in L.

Just like in first-order predicate logic, a set of formulas Γ has witnesses in some set of rigid constants C if for every existential formula ∃xϕ ∈ Γ there is a witness c ∈ C such that [c/x]ϕ ∈ Γ.

Here follows the Lindenbaum Lemma for PITL as known from numerous predicate and modal logics:

Theorem 4.5. Let Γ be a consistent set of PITL formulas written in some vocabulary L and C be a countably-infinite set which consists of infinitely many fresh constants of both the sort of durations and the sort of probabilities. Then there is a maximal consistent set of formulas written in L ∪ C which contains Γ and has witnesses in C.

We omit the proof for PITL, because it is the same as that for ITL with abstract semantics and finite intervals which can be seen in [Dut95a]. The proof for ITL with infinite intervals was omitted in [WX04] for the same reason.

4.3. A vocabulary for the elementary diagram ∆ for the PITL model M.

The
PITL vocabulary L_D which we introduce next is structured so that a PITL model M for the extension of some given PITL vocabulary L by a countable set of fresh rigid constants, which we construct below, can be fully described in it in terms of rather simple quantifier- and variable-free formulas which can be regarded as making up a diagram ∆ for M in the model-theoretic sense. L_D contains rigid constants to name all the elements of the duration domain and the probability domain of M and a separate set of flexible symbols to describe the behaviour of the flexible symbols of L in each interpretation from M. Indeed, we construct an elementary diagram for M in L_D, which consists of all the formulas in L_D which hold at some infinite interval in M under the convention that formulas written in the various sets of flexible symbols mentioned above are understood to hold at the respective interpretations. L_D is the union of the following sets of symbols:

1. The rigid symbols of L, including the individual variables, and the mandatory flexible constant ℓ.
2. Two countably-infinite sets of fresh rigid constants C_d and C_p of the sorts of durations and probabilities, respectively, whose structure is explained below.
3. The fresh flexible symbols s^ν, ν ∈ S, of the same kind and arity as s, for each flexible s ∈ L \ {ℓ}. The countably-infinite index set S is defined below.

C_d and C_p are assumed to be the countably-infinite disjoint unions of some countably-infinite sets C_{d,k} and C_{p,k}, k < ω, respectively. Similarly, S is assumed to be the countably-infinite union of the sets S_k, k < ω. We denote ⋃_{i≤k} C_{d,i}, ⋃_{i≤k} C_{p,i} and ⋃_{i≤k} S_i by C_{d,≤k}, C_{p,≤k} and S_{≤k}, respectively, for all k < ω. We denote the vocabulary which consists of the rigid symbols of L, ℓ, the rigid constants from C_{d,≤k} and C_{p,≤k} and the flexible symbols s^ν for ν ∈ S_{≤k} by L_{≤k} for all k < ω. We denote the extension of L_{≤k} by the flexible symbols s^ν for ν ∈ S_{≤k+1} by L′_{≤k+1}.

The set S_0 is the singleton {⟨⟩}, which consists of the empty list ⟨⟩.
S_{k+1} = {⟨ν, c, ϕ⟩ : ν ∈ S_{≤k}, c ∈ C_{d,≤k}, ϕ is written in L_{≤k}} for all k < ω.

In the construction of ∆ below, given a ν ∈ S, A^ν stands for the result of replacing the flexible symbols s ∈ L \ {ℓ} in a term or formula A written in the vocabulary L ∪ C_d ∪ C_p by their corresponding symbols s^ν. We denote the vocabulary which consists of the rigid symbols of L, including the individual variables, ℓ and the flexible symbols s^ν for some fixed ν ∈ S and all flexible s ∈ L \ {ℓ} by L_ν.

4.4. A translation of PITL formulas into ITL.

Let L be a PITL vocabulary. We define its corresponding vocabulary L_ITL for two-sorted (non-probabilistic) ITL with infinite intervals with the sorts of durations and probabilities as in PITL. Roughly speaking, L_ITL is an extension of L by flexible constants and function symbols which are meant to simulate probability terms. Here follows the precise definition.

Definition 4.6.
L_ITL is the union of the vocabularies L_{ITL,k}, k < ω. L_{ITL,0} is L. Given L_{ITL,i}, i ≤ k, L_{ITL,k+1} is the set of flexible constants and function symbols
{p_ϕ : ϕ is a formula written in ⋃_{i≤k} L_{ITL,i} and contains at least one symbol from L_{ITL,k}}.
The values of the symbols p_ϕ are of the probability sort. If ϕ has no free variables, then p_ϕ is a flexible constant. Otherwise p_ϕ is a flexible function symbol whose arity is |FV(ϕ)| and the sort of the i-th argument of p_ϕ is that of the i-th free variable of ϕ with respect to some fixed ordering of these variables, i = 1, …, |FV(ϕ)|.

Next we define a translation t of PITL terms and formulas written in L into ITL formulas written in L_ITL. The goal of t is to systematically replace the occurrences of probability terms by terms built using the corresponding constant and function symbols from Definition 4.6. To achieve this, t works by the following rule: a term or formula of the form
[p(ψ_1)/z_1, …, p(ψ_n)/z_n]A, (4.2)
where A denotes a term or formula with no probability terms, is translated into
[p_{t(ψ_1)}(x_{1,1}, …, x_{1,m_1})/z_1, …, p_{t(ψ_n)}(x_{n,1}, …, x_{n,m_n})/z_n]A (4.3)
where x_{i,1}, …, x_{i,m_i} are the free variables of ψ_i in the fixed ordering mentioned above, i = 1, …, n. If FV(ψ_i) = ∅, then the expression p_{t(ψ_i)}(x_{i,1}, …, x_{i,m_i}) denotes just the flexible constant p_{t(ψ_i)}.

Example.
If there are no probability terms in ϕ and FV(ϕ) = {x_1}, then t(p(ϕ)) is the term p_ϕ(x_1) and t(p((ℓ = x_2; p(ϕ) < p(¬ϕ)))) is p_{(ℓ = x_2; p_ϕ(x_1) < p_{¬ϕ}(x_1))}(x_1, x_2).

Every term and formula can be represented in the form (4.2) in a unique way up to renaming the distinct variables z_1, …, z_n, if we assume that all of these variables have free occurrences in A and that the formulas ψ_1, …, ψ_n are all different. The semantical correctness of the substitution in (4.2) and (4.3) is not relevant to this definition of t. Given a set of PITL formulas Γ, we denote {t(γ) : γ ∈ Γ} by t(Γ).

Terms built using the function symbols p_ψ from L_ITL in translations of PITL formulas always have the free variables of ψ as their argument terms. That is why formulas written in L_ITL which contain p_ψ in terms of other forms are not in the range of t. However, they always have equivalents of the form t(ϕ) for appropriate PITL formulas ϕ written in L. To realise that, note that if FV(ψ) = {x_1, …, x_n} and y_1, …, y_n are n fresh variables of the appropriate sorts, then p_ψ(t_1, …, t_n) = z is equivalent to
∃y_1 … ∃y_n (⋀_{i=1}^n t_i = y_i ∧ ∃x_1 … ∃x_n (⋀_{i=1}^n y_i = x_i ∧ p_ψ(x_1, …, x_n) = z)).
Furthermore, every formula written in L_ITL has an equivalent in which the terms of the form p_ψ(t_1, …, t_n) appear only in atomic formulas of the form p_ψ(t_1, …, t_n) = z, where z can be chosen to be different from x_1, …, x_n.

Now we turn to the correspondence between derivability in PITL and ITL with infinite intervals.
Proposition 4.7. Let L be a PITL vocabulary and Γ be a set of formulas written in L. Then t(Cn_{L,PITL}(Γ)) = Cn_{L_ITL,ITL}(t(PITL_L ∪ Γ)).

Proof. Simple induction on the construction of proofs.

Corollary 4.8. A set of PITL formulas Γ written in a vocabulary L is consistent iff Cn_{L_ITL,ITL}(PITL_L ∪ Γ) is consistent.

Proof. t(⊥) is ⊥.

4.5. The weakened proof system PITL⁻.

The model M constructed below is for L ∪ C_d ∪ C_p. It contains one class of w ∈ W which are the same except possibly for the interpretations I_w of some individual variables for every ν ∈ S. Let w_ν denote a representative for the class of interpretations corresponding to ν. Then I_{w_ν}(s) is defined by the formulas from the diagram ∆ for M which describe s^ν for all flexible s ∈ L \ {ℓ}. We are interested in having a set of formulas Γ which contains the formula ℓ = ∞ satisfied at some infinite interval [τ_0, ∞] and some interpretation I in M. Our construction of M provides that if c ∈ C_d and τ is defined by the equality m([τ_0, τ]) = I_{w_ν}(c) in M, then w_ν and w_{⟨ν,c,ϕ⟩} are related as follows:

If M, w_ν, [τ_0, τ] ⊨ p(ϕ) ≠ 0 and FV(ϕ) = {x_1, …, x_n}, then w_ν ≡_τ w_{⟨ν,c,ϕ⟩} and M, v, [τ_0, ∞] ⊨ ϕ for some v such that I_v = (I_{w_{⟨ν,c,ϕ⟩}})^{I_ν(x_1), …, I_ν(x_n)}_{x_1, …, x_n} and P_v = P_{w_{⟨ν,c,ϕ⟩}}.

This means that w_{⟨ν,c,ϕ⟩} ∈ [[ϕ]]_{M,w_ν,[τ_0,τ]}.

Furthermore, we are interested in enforcing PITL local logical consequence at each particular w ∈ W, but not across different w. That is why in the construction of ∆ below we restrict the applicability of the PITL-specific axioms P;, P∞, P⊥, P⊤ and P+ and the rule P≤ from Section 3 in sets of formulas written in L_D. We allow only instances of P;, P∞, P≤, P⊥, P⊤ and P+ in which all flexible symbols except ℓ have the same superscript ν ∈ S. The resulting weakened proof system is tied to the vocabulary L_D. We denote it and the set of its theorems written in a given sub-vocabulary L′ of L_D by PITL⁻ and PITL⁻_{L′}, respectively. Theorem 4.5 applies to consistency with respect to PITL⁻_{L′} without change. Similarly, we have the following variant of Proposition 4.7:

Proposition 4.9.
Let L′ be a sub-vocabulary of L_D and Γ be a set of formulas written in L′. Then t(Cn_{L′,PITL⁻}(Γ)) = Cn_{L′_ITL,ITL}(t(PITL⁻_{L′} ∪ Γ)).

We also use the following somewhat more involved technical consequence of the restricted use of the instances of P;, P∞, P≤, P⊥, P⊤ and P+ and the restricted application of P≤.

Lemma 4.10. Let α ∈ PITL⁻_{L′} for some sub-vocabulary L′ of L_D. Let C be the set of the rigid constants of L′. Then there exist finitely many superscripts ν_1, …, ν_n ∈ S and theorems β_i ∈ PITL_{L_{ν_i} ∪ C}, i = 1, …, n, such that the formula
⋀_{i=1}^n ✷∀β_i ⇒ α (4.4)
is provable without the use of P;, P∞, P⊥, P⊤, P+ and P≤, that is, essentially in (non-probabilistic) ITL with infinite intervals.

Proof. Consider a PITL⁻ proof of α in L′. Let ν_1, …, ν_n be all the superscripts of flexible symbols occurring in formulas from this proof. If a formula β from the proof is written in the vocabulary L_{ν_i} ∪ C for some i ∈ {1, …, n}, then β ∈ PITL_{L_{ν_i} ∪ C}. To realise this, notice that changing all the superscripts of the flexible symbols in the formulas from the part of the proof which leads to β to ν_i preserves its correctness. We can choose β_i to be the conjunction of all the formulas from PITL_{L_{ν_i} ∪ C} in the chosen proof of α, i = 1, …, n.

Consistency in the rest of this section is with respect to PITL⁻.

4.6. The elementary diagram ∆ for M.

Here follows the precise construction of the diagram ∆. ∆ is the union of the infinite ascending sequence of sets of formulas
∆_0 ⊂ ∆′_1 ⊂ ∆_1 ⊂ … ⊂ ∆′_k ⊂ ∆_k ⊂ … (4.5)
where ∆_k and ∆′_{k+1} consist of formulas written in L_{≤k} and L′_{≤k+1}, respectively, for each k < ω. ∆_0 is a maximal consistent set with witnesses in C_d ∪ C_p which contains the set {γ^{⟨⟩} : γ ∈ Γ}. Such a set exists by Theorem 4.5. For an arbitrary k < ω, ∆′_{k+1} is the extension of ∆_k by the formula ϕ^{ν′} and the formulas
(✷∀(χ^ν ⇔ χ^{ν′}) ∧ ℓ = c; ℓ = ∞) for all χ written in L, (4.6)
for each pair of indices ν ∈ S_{≤k} and ν′ ∈ S_{k+1} such that ν′ = ⟨ν, c, ϕ⟩ and (p(ϕ^ν) ≠ 0 ∧ ℓ = c; ℓ = ∞) ∈ ∆_k.

Lemma 4.11. If ∆_k is consistent, then ∆′_{k+1} is consistent too.

The proof of this lemma is the key technical step in the entire completeness argument about our proof system for PITL.

Proof.
Assume that ∆ k is consistent and ∆ ′ k +1 is not for the sake of contradiction. Since proofs in PITL − are finitary, there is a finite inconsistent Ξ ⊂ ∆ ′ k +1 . Ξ ∆ k , because ∆ k is a consistent set. Hence there are finitely many ν ′ ∈ S k +1 \ S ≤ k such that flexible symbols superscripted by ν ′ occur in formulas from Ξ. These formulas are of some of the forms (4.6). Below we prove that the assumed inconsistency of Ξ is preserved after withdrawing the formulas of the forms (4.6) for each such ν ′ ∈ S k +1 \ S ≤ k . The remaining formulas in Ξ are also in ∆ k . This will bring contradiction with the assumed consistency of ∆ k . Let us choose one such ν ′ and let ν ′ = ⟨ ν, c, ϕ ⟩ . This means that ( p ( ϕ ν ) = 0 ∧ ℓ = c ; ℓ = ∞ ) ∈ ∆ k . Then the formulas (4.6) for the chosen ν ′ and ν are in ∆ ′ k +1 . Let the formulas in Ξ with flexible symbols superscripted by ν ′ be ( ✷ ∀ ( χ νi ⇔ χ ν ′ i ) ∧ ℓ = c ; ℓ = ∞ ), i = 1 , . . . , m , and ϕ ν ′ . Let Ξ ν ′ be the set of the remaining formulas from Ξ, which have no flexible symbols superscripted by ν ′ . Then

⊢ PITL − L ′≤ k +1 ( ⋀ Ξ ν ′ ) ⇒ ( ⋀_{i=1}^{m} ( ✷ ∀ ( χ νi ⇔ χ ν ′ i ) ∧ ℓ = c ; ℓ = ∞ ) ⇒ ¬ ϕ ν ′ ) .

Now Proposition 4.9 entails that

⊢ ITL t ( α ) ⇒ ( t ( ⋀ Ξ ν ′ ) ⇒ ( ⋀_{i=1}^{m} ( ✷ ∀ ( t ( χ νi ) ⇔ t ( χ ν ′ i )) ∧ ℓ = c ; ℓ = ∞ ) ⇒ ¬ t ( ϕ ν ′ ) ))

where α ∈ PITL − L ′≤ k +1 . According to Lemma 4.10, there is a finite set of superscripts ν , . . . , ν n ∈ S ≤ k +1 and this many formulas β i ∈ PITL L νi ∪ C d ≤ k ∪ C p ≤ k , i = 1 , . . . , n , such that (4.4) is provable without the PITL -specific axioms and rule, that is, essentially in ITL with infinite intervals. Without loss of generality we can assume that β ∈ PITL L ν ∪ C d ≤ k ∪ C p ≤ k and β ∈ PITL L ν ′ ∪ C d ≤ k ∪ C p ≤ k . Then we have

⊢ ITL ( ( ⋀ Ξ ν ′ ) ∧ ⋀_{i=3}^{n} ✷ ∀ β i ) ⇒ ( t ( ✷ ∀ β ) ∧ t ( ✷ ∀ β ) ∧ ⋀_{i=1}^{m} ( ✷ ∀ ( t ( χ νi ) ⇔ t ( χ ν ′ i )) ∧ ℓ = c ; ℓ = ∞ ) ⇒ ¬ t ( ϕ ν ′ ) ) .

All the flexible symbols on the right of the main ⇒ in this formula except ℓ are superscripted by either ν or ν ′ and the superscript ν ′ does not appear on symbols in the formula on the left of ⇒ . Hence by Craig interpolation (Theorem 4.2) some ITL formula λ written in ( L ν ∪ C d ≤ k ∪ C p ≤ k ) ITL satisfies both

⊢ ITL ( t ( ⋀ Ξ ν ′ ) ∧ ⋀_{i=3}^{n} ✷ ∀ β i ) ⇒ λ (4.7)

and

⊢ ITL ⋀_{i=1}^{m} ( ✷ ∀ ( t ( χ νi ) ⇔ t ( χ ν ′ i )) ∧ ℓ = c ; ℓ = ∞ ) ⇒ (( λ ∧ t ( ✷ ∀ β )) ⇒ ( t ( ✷ ∀ β ) ⇒ ¬ t ( ϕ ν ′ ))) . (4.8)

The formulas λ ∧ t ( ✷ ∀ β ) and t ( ✷ ∀ β ) ⇒ ¬ t ( ϕ ν ′ ) in (4.8) are written in ( L ν ∪ C d ≤ k ∪ C p ≤ k ) ITL and ( L ν ′ ∪ C d ≤ k ∪ C p ≤ k ) ITL , respectively. A bijection can be defined between the sets of the flexible symbols of these two vocabularies, excluding ℓ , in which the flexible symbol s ′ ∈ ( L ν ′ ∪ C d ≤ k ∪ C p ≤ k ) ITL \ { ℓ } which corresponds to s ∈ ( L ν ∪ C d ≤ k ∪ C p ≤ k ) ITL \ { ℓ } is obtained by changing all the superscripts ν in s to ν ′ and vice-versa. If s is of the form p t ( ψ ) (see Definition 4.6), it may have more than one occurrence of a superscript ν in the subscript formula t ( ψ ). All these occurrences have to be changed.

This bijection allows us to apply interval-related interpolation (Theorem 4.1) to (4.8) and conclude that some ITL formulas θ ITL ∈ ( L ν ∪ C d ≤ k ∪ C p ≤ k ) ITL and θ ′ ITL ∈ ( L ν ′ ∪ C d ≤ k ∪ C p ≤ k ) ITL which can be obtained from each other by replacing the corresponding flexible symbols from their respective vocabularies satisfy

⊢ ITL λ ∧ t ( ✷ ∀ β ) ∧ c < ∞ ∧ ℓ = ∞ ⇒ ( ℓ = c ∧ θ ITL ; ℓ = ∞ ) (4.9)

and

⊢ ITL ( ℓ = c ∧ θ ′ ITL ; ℓ = ∞ ) ⇒ ( t ( ✷ ∀ β ) ⇒ ¬ t ( ϕ ν ′ ))

which by simply changing all superscripts ν ′ to ν implies

⊢ ITL ( ℓ = c ∧ θ ITL ; ℓ = ∞ ) ⇒ ( t ( ✷ ∀ β ′ ) ⇒ ¬ t ( ϕ ν )) (4.10)

where β ′ is the result of changing all the superscripts ν ′ of the flexible symbols in β to ν . By (4.7) and (4.9) we obtain

⊢ ITL ( t ( ⋀ Ξ ν ′ ) ∧ ⋀_{i=3}^{n} ✷ ∀ β i ) ∧ t ( ✷ ∀ β ) ∧ c < ∞ ∧ ℓ = ∞ ⇒ ( ℓ = c ∧ θ ITL ; ℓ = ∞ ) (4.11)

The formula θ ITL is the t -translation of some PITL formula written in L ν ∪ C d ≤ k ∪ C p ≤ k which, in its turn, has the form θ ν where θ is a formula written in L ∪ C d ≤ k ∪ C p ≤ k . (Then θ ′ ITL is t ( θ ν ′ ).) Hence we have

⊢ PITL − L ′≤ k +1 ( ⋀ Ξ ν ′ ) ∧ ⋀_{i=3}^{n} ✷ ∀ β i ∧ ✷ ∀ β ∧ c < ∞ ∧ ℓ = ∞ ⇒ ( ℓ = c ∧ θ ν ; ℓ = ∞ ) .

Since β i ∈ PITL L νi ∪ C d ≤ k ∪ C p ≤ k ⊆ PITL − L ′≤ k +1 , i = 3 , . . . , n , and β ∈ PITL L ν ∪ C d ≤ k ∪ C p ≤ k ⊆ PITL − L ′≤ k +1 , the above formula can be simplified to

⊢ PITL − L ′≤ k +1 ( ⋀ Ξ ν ′ ) ∧ c < ∞ ∧ ℓ = ∞ ⇒ ( ℓ = c ∧ θ ν ; ℓ = ∞ ) .
Since ( p ( ϕ ν ) = 0 ∧ ℓ = c ; ℓ = ∞ ) ∈ ∆ k , c < ∞ , ℓ = ∞ ∈ ∆ k too. This implies that ( ℓ = c ∧ θ ν ; ℓ = ∞ ) ∈ Cn L ′≤ k +1 (∆ k ∪ Ξ ν ′ ). Similarly, (4.10) implies that

⊢ PITL L ν ∪ Cd ≤ k ∪ Cp ≤ k ( ℓ = c ∧ θ ν ; ℓ = ∞ ) ⇒ ( ✷ ∀ β ′ ⇒ ¬ ϕ ν ) ,

and, since β ′ is a PITL theorem written in the vocabulary L ν ∪ C d ≤ k ∪ C p ≤ k ,

⊢ PITL L ν ∪ Cd ≤ k ∪ Cp ≤ k ( ℓ = c ∧ θ ν ; ℓ = ∞ ) ⇒ ( ϕ ν ⇒ ⊥ ) . (4.12)

Now by an application of the rule P ≤ to (4.12), where the flexible symbols have no other superscript except ν as required by our restricted way of applying this PITL -specific rule, we obtain

⊢ PITL − L ′≤ k +1 ℓ = c ∧ θ ν ∧ ℓ < ∞ ⇒ p ( ϕ ν ) ≤ p ( ⊥ )

which implies

⊢ PITL − L ′≤ k +1 ℓ = c ∧ θ ν ∧ ℓ < ∞ ⇒ p ( ϕ ν ) = 0

by P ⊥ and, finally,

⊢ PITL − L ′≤ k +1 ( ℓ = c ∧ θ ν ∧ ℓ < ∞ ; ℓ = ∞ ) ⇒ ( p ( ϕ ν ) = 0 ∧ ℓ = c ; ℓ = ∞ )

by an application of the ITL proof rule Mono . Since c < ∞ , ( ℓ = c ∧ θ ν ; ℓ = ∞ ) ∈ Cn L ′≤ k +1 (∆ k ∪ Ξ ν ′ ), this implies ( p ( ϕ ν ) = 0 ∧ ℓ = c ; ℓ = ∞ ) ∈ Cn L ′≤ k +1 (∆ k ∪ Ξ ν ′ ). Hence ∆ k ∪ Ξ ν ′ is just as inconsistent as ∆ k ∪ Ξ, because the reason for all the formulas with flexible symbols superscripted by ν ′ = ⟨ ν, c, ϕ ⟩ to be in the finite subset Ξ of ∆ ′ k +1 is ( p ( ϕ ν ) = 0 ∧ ℓ = c ; ℓ = ∞ ) ∈ ∆ k . We can continue by showing that taking away the formulas of the form (4.6) for some other superscript ν ′′ ∈ S k +1 \ S ≤ k leads to a subset (Ξ ν ′ ) ν ′′ of Ξ ν ′ such that ∆ k ∪ (Ξ ν ′ ) ν ′′ is still inconsistent, etc., until there are no more symbols with superscripts from S k +1 \ S ≤ k in the remaining subset of Ξ, which then will be a subset of ∆ k . This is the sought contradiction, because we assume that ∆ k is consistent.

For an arbitrary k < ω , if ∆ ′ k +1 is consistent, then ∆ k +1 is defined as some maximal consistent set which contains ∆ ′ k +1 and has witnesses in C dk +1 ∪ C pk +1 . Its existence follows from Theorem 4.5 again. Then Lemma 4.11 implies that all the sets in the sequence (4.5) are consistent. Furthermore, obviously ∆ is a maximal consistent set in L D with respect to ⊢ PITL − and has witnesses in C d ∪ C p . The construction of ∆ is complete.

4.7. The PITL model M .

Since ∆ is a maximal consistent set of PITL formulas written in L D with witnesses in C d ∪ C p , t (∆) is a maximal consistent set of ITL formulas written in ( L D ) ITL with witnesses in C d ∪ C p too. We use this to construct the model M in two steps, the first being the construction of a canonical ITL model M ITL which satisfies t (∆) and the second being the construction of M itself. This way we avoid the repetition of the non- PITL -specific steps in the construction of M which are as in [WX04].

The ITL counterpart of M . Let c ≡ c iff c = c ∈ ∆ for constants c , c ∈ C d and c , c ∈ C p . Clearly, ≡ is an equivalence relation on the constants from C d ∪ C p . Let [ c ] denote the ≡ -equivalence class which contains c for each c ∈ C d ∪ C p . Let T = { [ c ] : c ∈ C d } , D = T, and U = { [ c ] : c ∈ C d } . Let [ c ′ ] ≤ [ c ′′ ] iff c ′ ≤ c ′′ ∈ ∆ for c ′ , c ′′ ∈ C d . Clearly, ≤ is a linear ordering on T . Let c ∞ be a witness in C d for the formula ∃ x ( x = ∞ ) in ∆. Then clearly ⟨ T, ≤ , [ c ∞ ] ⟩ is a time domain.

Given [[ c ′ ] , [ c ′′ ]] ∈ ˜ I ( T ), we denote the set of formulas written in L D

{ ϕ : (( ℓ = c ′ ; ϕ ) ∧ ℓ = c ′′ ; ⊤ ) ∨ ( c ′′ = ∞ ∧ ( ℓ = c ′ ; ϕ )) ∈ ∆ }

by ∆ [[ c ′ ] , [ c ′′ ]] . To understand the definition of ∆ [[ c ′ ] , [ c ′′ ]] , recall our choice to start from a set Γ such that ℓ = ∞ ∈ Γ and, consequently, ℓ = ∞ ∈ ∆. Let c ∈ C d be a witness for ∃ x ( x = 0) in ∆ and σ = [[ c ] , [ c ∞ ]] for the rest of the section. Then obviously ∆ σ = ∆ and

ϕ ∈ ∆ [[ c ′ ] , [ c ′′ ]] iff ( ℓ = c ′ ; ϕ ) ∈ ∆ [[ c ] , [ c ′′ ]] (4.13)

for all ϕ ∈ L D .

We define the mapping I ITL of ( L D ) ITL by the clauses:

I ITL ( x ) , I ITL ( d ) ∈ A for individual variables x and constants d where A = D for x and d of the duration sort and A = U otherwise, and I ITL ( x ) = { c ∈ C d ∪ C p : c = x ∈ t (∆) } , I ITL ( d ) = { c ∈ C d ∪ C p : c = d ∈ t (∆) } .

I ITL ( f ) : A × . . . × A f → A f +1 for rigid function symbols f where A , . . .
, A f +1 are either D or U , depending on the sort of the respective arguments of f and the sort of its value, and I ITL ( f )([ c ] , . . . , [ c f ]) = { c ∈ C d ∪ C p : c = f ( c , . . . , c f ) ∈ t (∆) } .

I ITL ( R ) : A × . . . × A R → { , } for rigid relation symbols R where A , . . . , A R are as for function symbols, and I ITL ( R )([ c ] , . . . , [ c R ]) = 1 iff R ( c , . . . , c n ) ∈ t (∆) .

I ITL ( d ) : ˜ I ( T ) → A , I ITL ( f ) : ˜ I ( T ) × A × . . . × A f → A f +1 and I ITL ( R ) : A × . . . × A R → { , } for flexible d , f and R , respectively, where the A s are as for rigid symbols. I ITL ( d )( σ ) = { c ∈ C d ∪ C p : c = d ∈ t (∆ σ ) } . Similarly, I ITL ( f )( σ, [ c ] , . . . , [ c f ]) = { c ∈ C d ∪ C p : c = f ( c , . . . , c f ) ∈ t (∆ σ ) } . Finally, I ITL ( R )( σ, [ c ] , . . . , [ c R ]) = 1 iff R ( c , . . . , c R ) ∈ t (∆ σ ).
A lengthy but otherwise straightforward argument, which is standard for canonical models, shows that the above definitions are correct, ⟨ D, I ITL (+) , I ITL (0) , I ITL ( ∞ ) ⟩ is a duration domain, ⟨ U, I ITL (+) , I ITL (0) , I ITL (1) ⟩ is a probability domain and I ITL ( ℓ ) is a measure function from ˜ I ( T ) to D , F = ⟨⟨ T, ≤ , I ITL ( ∞ ) ⟩ , ⟨ D, I ITL (+) , I ITL (0) , I ITL ( ∞ ) ⟩ , ⟨ U, I ITL (+) , I ITL (0) , I ITL (1) ⟩ , I ( ℓ ) ⟩ is a two-sorted frame for ITL with infinite intervals and I is an ITL interpretation of ( L D ) ITL into F , which means that M ITL = ⟨ F, I ITL ⟩ is a two-sorted ITL model for ( L D ) ITL . The standard truth lemma holds for M ITL , which is a canonical model:
Lemma 4.12 (Truth Lemma for M ITL ). Let σ ∈ ˜ I ( T ). Then ( I ITL ) σ ( t ) = { c ∈ C d ∪ C p : t = c ∈ t (∆ σ ) } and M ITL , σ ⊨ ϕ iff ϕ ∈ t (∆ σ ) for every term t and every formula ϕ written in the vocabulary ( L D ) ITL .

The model M . Our next step is to define the PITL model M = ⟨ F, W , I, P ⟩ itself. The vocabulary of M is L ∪ C d ∪ C p and its frame is F . Let Π denote the set of the functions π : V → D ∪ U where V is a finite set of individual variables in L and π ( x ) is in the domain which corresponds to the sort of x for each x ∈ V . We define W as the set S × Π. Given ν ∈ S , we define the interpretation I ν by the equalities I ν ( s ) = I ITL ( s ) for rigid s ∈ L ∪ C d ∪ C p , including the individual variables, I ν ( ℓ ) = m and I ν ( d ) = I ITL ( d ν ) for flexible constants d ∈ L \ { ℓ } and I ν ( s )( σ, a , . . . , a s ) = I ITL ( s ν )( σ, a , . . . , a s ) for other flexible s ∈ L . Now W consists of all the variants of the I ν for all ν ∈ S . Given w = ⟨ ν, π ⟩ such that dom π = { x , . . . , x n } , we put I w = ( I ν ) π ( x ) ,...,π ( x n ) x , ... , x n . Some auxiliary notation is needed for the definition of P w .

Let ϕ be a formula written in L ∪ C d ∪ C p , F V ( ϕ ) = ∅ , ν ∈ S and [[ c ′ ] , [ c ′′ ]] ∈ ˜ I ( T ). Then we denote the set

{ ν ′ ∈ S : ϕ ν ′ ∈ ∆ [[ c ′ ] , [ c ∞ ]] , ( ✷ ∀ ( χ ν ⇔ χ ν ′ ) ∧ ℓ = [ c ′′ ]; ⊤ ) ∈ ∆ [[ c ′ ] , [ c ∞ ]] for all χ in L ∪ C d ∪ C p }

by S ϕ,ν, [[ c ′ ] , [ c ′′ ]] . We use S ϕ,ν, [[ c ′ ] , [ c ′′ ]] to define a syntactical counterpart (( . )) to [[ . ]] in our model under construction. If ψ is a formula written in L ∪ C d ∪ C p , F V ( ψ ) = { x , . . . , x n } and c i ∈ I ⟨ ν,π ⟩ ( x i ), i = 1 , . . . , n , then we put

(( ϕ )) ⟨ ν,π ⟩ , [[ c ′ ] , [ c ′′ ]] = { ⟨ ν ′ , π ′ ⟩ ∈ W : ν ′ ∈ S [ c /x ,...,c n /x n ] ϕ,ν, [[ c ′ ] , [ c ′′ ]] , π ′ ∈ Π } . (4.14)

Clearly, the set on the right of = in (4.14) does not depend on the precise choice of c i ∈ I ⟨ ν,π ⟩ ( x i ), i = 1 , . . . , n . The truth lemma about M which is proved below entails that

(( ϕ )) w, [[ c ′ ] , [ c ′′ ]] = [[ ϕ ]] M,w, [[ c ′ ] , [ c ′′ ]] . (4.15)

Note that

(( ϕ )) w, [[ c ′ ] , [ c ′′ ]] = ((( ℓ = c ′ ; ϕ ))) w, [[ c ] , [ c ′′ ]] (4.16)

follows from (4.13) and therefore the rest of the construction steps involve mostly intervals σ ∈ ˜ I ( T ) such that min σ = [ c ]. Given w ∈ W , w = ⟨ ν, π ⟩ , a formula ϕ written in L ∪ C d ∪ C p whose free variables are x , . . . , x n , ν ∈ S , c i ∈ I w ( x i ), i = 1 , . . . , n , and [ c ′′ ] ∈ T we define P w on the subsets of W of the form (4.14) by the equality

P w ([ c ′′ ] , (( ϕ )) w, [[ c ] , [ c ′′ ]] ) = { c ∈ C p : p ([ c /x , . . . , c n /x n ] ϕ ν ) = c ∈ ∆ [[ c ] , [ c ′′ ]] } .

For this definition to be correct, we need to have

p ([ c /x , . . . , c n /x n ] ϕ ν ) = c ∈ ∆ [[ c ] , [ c ′′ ]] iff p ([ c /x , . . . , c n /x n ] ψ ν ) = c ∈ ∆ [[ c ] , [ c ′′ ]]

for formulas ϕ and ψ such that

(( ϕ )) w, [[ c ] , [ c ′′ ]] = (( ψ )) w, [[ c ] , [ c ′′ ]] , (4.17)

and c i ∈ I w ( x i ), i = 1 , . . . , n , where { x , . . . , x n } = F V ( ϕ ) ∪ F V ( ψ ). To prove it, assume that p ([ c /x , . . . , c n /x n ] ϕ ν ) < p ([ c /x , . . . , c n /x n ] ψ ν ) ∈ ∆ [[ c ] , [ c ′′ ]] for the sake of contradiction. Then p ([ c /x , . . . , c n /x n ]( ψ ν ∧ ¬ ϕ ν )) = 0 ∈ ∆ [[ c ] , [ c ′′ ]] by PITL . If c ′′ < ∞ ∈ ∆, then this implies that ⟨⟨ ν, c ′′ , ψ ∧ ¬ ϕ ⟩ , π ′ ⟩ ∈ (( ψ )) w, [[ c ] , [ c ′′ ]] \ (( ϕ )) w, [[ c ] , [ c ′′ ]] where dom π ′ = F V ( ϕ ) ∪ F V ( ψ ) and π ′ ( x i ) = I w ( x i ), i = 1 , . . . , n , which contradicts (4.17). If c ′′ = ∞ ∈ ∆, then the appropriate instances of P ∞ and PITL yield p ([ c /x , . . . , c n /x n ]( ψ ν ∧ ¬ ϕ ν )) = 1 ∈ ∆ [[ c ] , [ c ′′ ]] and, consequently, [ c /x , . . . , c n /x n ]( ψ ν ∧ ¬ ϕ ν ) ∈ ∆ [[ c ] , [ c ′′ ]] . This implies that w itself is in (( ψ )) w, [[ c ] , [ c ′′ ]] \ (( ϕ )) w, [[ c ] , [ c ′′ ]] , which contradicts (4.17) too.

The presence of all the instances of P ⊥ , P ⊤ and P + written in the vocabularies L ν ∪ C d ∪ C p , ν ∈ S , in ∆ [[ c ] , [ c ′′ ]] implies that λX.P w ([ c ′′ ] , X ) is a finitely additive probability function on the boolean algebra ⟨ { (( ψ )) w, [[ c ] , [ c ′′ ]] : ψ ∈ L } , ∩ , ∪ , ∅ , W w, [ c ′′ ] ⟩ for every w ∈ W and every [ c ′′ ] ∈ T . Note that this algebra contains the sets (( ψ )) w, [[ c ′ ] , [ c ′′ ]] for all c ′ ∈ C d such that c ′ ≤ c ′′ ∈ ∆ because of (4.16). Clearly, M = ⟨ F, W , I, P ⟩ is a PITL model for the vocabulary L ∪ C d ∪ C p .

Obviously if w = ⟨ ν, π ⟩ for some π ∈ Π then { ⟨⟨ ν, c, ϕ ⟩ , π ′ ⟩ : π ′ ∈ Π } ⊆ W w, [ c ] for all ν ∈ S ≤ k , c ∈ C d and all ϕ written in L ≤ k such that ( p ( ϕ ν ) = 0 ∧ ℓ = c ; ⊤ ) ∈ ∆ and all k < ω , because, according to the construction of ∆, in this case

( ✷ ∀ ( χ ν ⇔ χ ⟨ ν,c,ϕ ⟩ ) ∧ ℓ = c ; ⊤ ) ∈ ∆

for all formulas χ written in L ∪ C d ∪ C p , and in particular for χ of the forms d = x , f ( x , . . . , x f ) = x f +1 , R ( x , . . . , x R ) and p ( ψ ) = x where d , f and R are flexible constants, function and relation symbols from L , and ψ is written in L ∪ C d ∪ C p respectively. Furthermore, if I w is a variant of I v and P w = P v for some w, v ∈ W , then W w, [ c ] = W v, [ c ] for all [ c ] ∈ T .

Here follows the truth lemma for M :
Lemma 4.13 (Truth Lemma for M ). Let σ ∈ ˜ I ( T ), w ∈ W and w = ⟨ ν, π ⟩ . If t is a term written in L D , F V ( t ) = { x , . . . , x n } and c , . . . , c n ∈ C d ∪ C p are such that c i ∈ I w ( x i ), i = 1 , . . . , n , then

w σ ( t ) = { c ∈ C d ∪ C p : [ c /x , . . . , c n /x n ] t ν = c ∈ ∆ σ } .

If ϕ is a formula written in L D , F V ( ϕ ) = { x , . . . , x n } and c , . . . , c n satisfy the same conditions as above, then

M, w, σ ⊨ ϕ iff [ c /x , . . . , c n /x n ] ϕ ν ∈ ∆ σ .

We use the constants c , . . . , c n in the formulation of the lemma, because we need it to apply to w ∈ W with variants to some interpretation of the form I ν , and not just to the interpretations I ν , ν ∈ S , themselves.

Proof. The proof is by simultaneous induction on the length of terms and formulas. The clause of the lemma about formulas implies (4.15). The induction base and the steps for formulas and for terms built using constants, variables and function symbols are as in (non-probabilistic) ITL and we omit them. We only do the case of probabilistic terms p ( ψ ). According to our definition, F V ( p ( ψ )) = F V ( ψ ). Let x , . . . , x n and c , . . . , c n be as in the lemma and σ = [[ c ′ ] , [ c ′′ ]]. Since

w [[ c ′ ] , [ c ′′ ]] ( p ( ψ )) = P w ([ c ′′ ] , [[ ψ ]] M,w, [[ c ′ ] , [ c ′′ ]] ) = P w ([ c ′′ ] , [[( ℓ = c ′ ; ψ )]] M,w, [[ c ] , [ c ′′ ]] ) = w [[ c ] , [ c ′′ ]] ( p (( ℓ = c ′ ; ψ )))

and

[ c /x , . . . , c n /x n ] p ( ψ ν ) = c ∈ ∆ [[ c ′ ] , [ c ′′ ]] iff [ c /x , . . . , c n /x n ] p (( ℓ = c ′ ; ψ ν )) = c ∈ ∆ [[ c ] , [ c ′′ ]]

because of the instances ( ℓ = c ′ ; p ( ψ ) = d ) ⇒ p (( ℓ = c ′ ; ψ )) = d of P ; , which are in ∆ [ c ] , [ c ′′ ] for all d ∈ C p , it is sufficient to prove

w [[ c ] , [ c ′′ ]] ( p (( ℓ = c ′ ; ψ ))) = { c ∈ C d ∪ C p : p (( ℓ = c ′ ; [ c /x , . . . , c n /x n ] ψ ν )) = c ∈ ∆ [[ c ] , [ c ′′ ]] } . (4.18)

By the induction hypothesis, the lemma holds for ψ and therefore (( ψ )) w, [[ c ′ ] , [ c ′′ ]] = [[ ψ ]] M,w, [[ c ′ ] , [ c ′′ ]] , which implies ((( ℓ = c ′ ; ψ ))) w, [[ c ] , [ c ′′ ]] = [[( ℓ = c ′ ; ψ )]] M,w, [[ c ] , [ c ′′ ]] by (4.16) and the definition of [[ . ]] M,w, [ ., [ c ′′ ]] . Now (4.18) follows from the definition of P w .

We conclude the presentation of M with the observation that S and the domains in F are countably-infinite and therefore every interpretation in W has only countably many variants, which entails that W is a countably-infinite set.

4.8. The completeness theorem.
Now it is easy to prove the strong completeness theorem for our proof system for PITL .

Theorem 4.14. Let L be a PITL vocabulary and Γ be a set of formulas written in L which is consistent with the proof system from Section 3. Then there exists a model M Γ = ⟨ F Γ , W Γ , I Γ , P Γ ⟩ for L and a w ∈ W Γ and a time interval σ in it such that

M Γ , w , σ ⊨ ϕ for all ϕ ∈ Γ . (4.19)

Proof. If Γ is consistent with the formula ℓ = ∞ , then we can take the model M = ⟨ F, W , I, P ⟩ constructed in Section 4.7 for Γ ∪ { ℓ = ∞} . Otherwise Γ is consistent with the formula ℓ = c ∧ c < ∞ for some rigid constant c L and we can take M from Section 4.7 for the set (4.1). In both cases M Γ can be chosen to be ⟨ F, W , λw. ( I w | L ) , P ⟩ where I w | L stands for the restriction of I w to the initially given vocabulary L , and w can be chosen to be ⟨⟨⟩ , ∅ ⟩ where ⟨⟩ is the only element of S and ∅ denotes the empty function ∅ → C d ∪ C p . In the first case the interval σ can be chosen to be the entire time domain T of F . In the second case σ can be chosen to be [min T, I w ( c )] where c is the constant introduced above. The equivalence now follows from the definition of ∆ and Lemma 4.13.

5. Axioms for global probability in PITL models
We call the models for PITL introduced in Definition 2.4 general, because the probability functions λX.P w ( τ, X ) in them can be arbitrary, whereas it is natural to require these functions to satisfy certain constraints. Applications typically lead to models in which all the probability functions originate from a global probability function on the entire W such as the automata-based models of PDC . Consider models M = ⟨ F, W , I, P ⟩ with frames F = ⟨⟨ T, ≤ , ∞ ⟩ , ⟨ D, + , , ∞ ⟩ , ⟨ U, + , , ⟩ , m ⟩ whose time domain has a least element τ = min T and a distinguished w ∈ W such that W w ,τ = W . Then λX.P w ( τ , X ) can be regarded as the global probability function and, given an arbitrary w ∈ W and τ ∈ T , the probability function λX.P w ( τ, X ) should represent conditional probability on sets of interpretations, the condition being τ -equivalence with w . Hence we should have

P w ( τ , W w,τ ) .P w ( τ, A ) = P w ( τ , W w,τ ∩ A ) (5.1)

with respect to an appropriately defined operation of multiplication . on the probability domain for all A ⊆ W such that the above equality is defined. This equality is usually insufficient to determine λX.P w ( τ, X ), because, e.g., it is possible that P w ( τ, W w,τ ) = 0. A more general constraint of this form can be formulated as follows. Let M , w and A ⊆ W be as above, τ, τ ′ ∈ T and τ ≤ τ ′ . Then

P w ( τ, A ) = ∫_{ w ∈ W w ,τ } P w ( τ ′ , A ) d ( λX.P w ( τ, X )) . (5.2)

The integral above is not guaranteed to exist for an arbitrary probability domain, because its definition involves least upper bounds and greatest lower bounds of sets of approximating sums, which may be unavailable if there are Dedekind gaps, which is the case if, e.g., the probability domain is based on the non-negative rational numbers. Dedekind-completeness is not a first-order property and therefore our proof system for PITL cannot be extended to one that is complete with respect to Dedekind-complete domains by finitary means. In this section we propose axioms which enforce the best possible approximation of (5.2) permitted by the probability domain.

In the rest of the section we consider PITL models ⟨ F, W , I, P ⟩ with the probability domains of their frames F extended to have multiplication. Given F = ⟨⟨ T, ≤ , ∞ ⟩ , ⟨ D, + , , ∞ ⟩ , ⟨ U, + , ., , ⟩ , m ⟩ , we assume that the new operation satisfies, e.g., the following axioms:

( U 8) ( x.y ) .z = x. ( y.z )
( U ) x.y = y.x
( U 10) ( x + y ) .z = x.z + y.z
( U ) x. x
( U ) x.y = x.z ⇒ x = 0 ∨ y = z
( U ) x = 0 ∨ ∃ y ( x.y = z )

Together with ( U U B , . . . , B n form a partition of W w ,τ and let P w ( τ ′ , A ) ∈ [ ξ i , η i ] for all w ∈ B i , i = 0 , . . . , n . Then the sums

Σ_{i=0}^{n} ξ i P w ( τ, B i ) and Σ_{i=0}^{n} η i P w ( τ, B i ) (5.3)

are a lower and an upper approximation for the integral from (5.2), respectively. The integral is defined if both the least upper bound of the lower approximations and the greatest lower bound of the upper approximations of the above forms taken for all partitions B , . . . , B n of W w,τ into measurable subsets and all appropriate boundary probabilities ξ i , η i , i = 0 , . . . , n , exist and are equal.

The sets A for which P w ( τ, A ) and P w ( τ ′ , A ), w ∈ W w ,τ need to be defined have the forms [[ ϕ ]] M,w , [ τ ′′ ,τ ] and [[ ϕ ]] M,w, [ τ ′′ ,τ ′ ] = [[ ϕ ]] M,w , [ τ ′′ ,τ ] ∩ W w,τ ′ , respectively, where ϕ is a formula in the vocabulary of M and τ ′′ ≤ τ . Hence (5.2) can be written as

P w ( τ, [[ ϕ ]] M,w , [ τ ′′ ,τ ] ) = ∫_{ w ∈ W w ,τ } P ( τ ′ , [[ ϕ ]] M,w, [ τ ′′ ,τ ′ ] ) d ( λX.P w ( τ, X )) . (5.4)

Our axioms for (5.4) exploit the observation that the sets which are available for the construction of partitions B , . . . , B n have such forms too. Here they are:

( P ) ℓ ≤ y ∧ p (( ℓ = y ∧ θ ∧ p ( ϕ ) > x ; ⊤ )) = 0 ⇒ p (( θ ∧ ℓ = y ; ⊤ ) ∧ ϕ ) ≤ x.p (( θ ∧ ℓ = y ; ⊤ ))
( P ) ℓ ≤ y ∧ p (( ℓ = y ∧ θ ∧ p ( ϕ ) ≤ x ; ⊤ )) = 0 ⇒ p (( θ ∧ ℓ = y ; ⊤ ) ∧ ϕ ) ≥ x.p (( θ ∧ ℓ = y ; ⊤ ))

Let us show that these axioms enforce the possible approximations of (5.4). Assume that P and P are part of our proof system. Let ϕ be a PITL formula, y be an individual variable of the duration sort and x , . . . , x n be n + 1 individual variables of the probability sort. Let

θ ⇋ p ( ϕ ) ≤ x , θ i ⇋ x i − < p ( ϕ ) ∧ p ( ϕ ) ≤ x i , i = 1 , . . . , n.
Now consider the instances

ℓ ≤ y ∧ p (( ℓ = y ∧ θ i ∧ p ( ϕ ) > x i ; ⊤ )) = 0 ⇒ p (( θ i ∧ ℓ = y ; ⊤ ) ∧ ϕ ) ≤ x i .p (( θ i ∧ ℓ = y ; ⊤ ))
ℓ ≤ y ∧ p (( ℓ = y ∧ θ i ∧ p ( ϕ ) ≤ x i − ; ⊤ )) = 0 ⇒ p (( θ i ∧ ℓ = y ; ⊤ ) ∧ ϕ ) ≥ x i − .p (( θ i ∧ ℓ = y ; ⊤ ))

of P and P for i = 1 , . . . , n and the instance

ℓ ≤ y ∧ p (( ℓ = y ∧ θ ∧ p ( ϕ ) > x ; ⊤ )) = 0 ⇒ p (( θ ∧ ℓ = y ; ⊤ ) ∧ ϕ ) ≤ x .p (( θ ∧ ℓ = y ; ⊤ ))

of P . Since ⊢ PITL θ i ∧ p ( ϕ ) > x i ⇒ ⊥ and ⊢ PITL θ i ∧ p ( ϕ ) ≤ x i − ⇒ ⊥ , we have

⊢ PITL p (( ℓ = y ∧ θ i ∧ p ( ϕ ) > x i ; ⊤ )) = 0 , p (( ℓ = y ∧ θ i ∧ p ( ϕ ) < x i − ; ⊤ )) = 0

by PITL P ⊥ . Hence the considered instances of P and P entail

⊢ PITL ℓ ≤ y ⇒ x i − .p (( θ i ∧ ℓ = y ; ⊤ )) ≤ p (( θ i ∧ ℓ = y ; ⊤ ) ∧ ϕ ) (5.5)

for i = 1 , . . . , n and

⊢ PITL ℓ ≤ y ⇒ p (( θ i ∧ ℓ = y ; ⊤ ) ∧ ϕ ) ≤ x i .p (( θ i ∧ ℓ = y ; ⊤ )) (5.6)

for i = 0 , . . . , n . Let χ denote the rigid formula

y < ∞ ∧ x = 0 ∧ x n = 1 ∧ ⋀_{i=1}^{n} x i − ≤ x i .

Then a purely ITL deduction shows that

⊢ PITL χ ⇒ ( ϕ ⇔ ⋁_{i=0}^{n} (( θ i ∧ ℓ = y ; ⊤ ) ∧ ϕ ) )

and

⊢ PITL χ ⇒ ¬ ((( θ i ∧ ℓ = y ; ⊤ ) ∧ ϕ ) ∧ (( θ j ∧ ℓ = y ; ⊤ ) ∧ ϕ ))

for i ≠ j , i, j = 0 , . . . , n . Hence, using the axioms for arithmetics of probabilities and PITL 4, we can derive

⊢ PITL χ ⇒ p ( ϕ ) = Σ_{i=0}^{n} p (( θ i ∧ ℓ = y ; ⊤ ) ∧ ϕ ) .

Now (5.5) and (5.6) imply

⊢ PITL χ ⇒ Σ_{i=1}^{n} x i − .p (( θ i ∧ ℓ = y ; ⊤ )) ≤ p ( ϕ ) ∧ p ( ϕ ) ≤ Σ_{i=0}^{n} x i .p (( θ i ∧ ℓ = y ; ⊤ )) . (5.7)

Recall the model M and its distinguished w ∈ W and time point τ . Let τ, τ ′ ∈ T and τ ≤ τ ′ . Let I w ( y ) = m ([ τ , τ ′ ]). Then the satisfaction of (5.7) at w , [ τ , τ ] in M means that if A = [[ ϕ ]] M,w ,τ and B i = [[ θ i ]] M,w ,τ , i = 0 , . . . , n , then P w ( τ, A ) is bounded by the sums (5.3) where ξ = 0, η = I w ( x ) and ξ i = I w ( x i − ) and η i = I w ( x i ) for i = 1 , . . . , n . Assume that z is a variable of the probability sort and M satisfies the rigid formula

⋀_{i=1}^{n} x i ≤ x i − + z

at w as well. Then, since Σ_{i=0}^{n} P w ( τ, B i ) = 1, the lower and upper approximations (5.3) differ by no more than I w ( z ). Now it is clear that the validity of P and P in M entails that (5.4) holds approximately with precision which is smaller than any probability δ ∈ U such that δ + . . . + δ ( n times) ≥ n < ω . Hence, if ⟨ U, + , ., , ⟩ has no “infinitely small” elements, then the integral from (5.4) is defined and (5.4) holds. If there are such elements, then the difference between the least upper bound and the greatest lower bound of the sums (5.3), respectively, is “infinitely small”.
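The bounding argument around (5.3) and (5.7), played out on a constructed finite model as an added example (this is not the paper's own construction): the global probability plays the role of λX.P w ( τ , X ), τ ′ -equivalence classes stand in for W w,τ ′ , the conditional probabilities P w ( τ ′ , A ) are read off from (5.1), and the partition B , . . . , B n is induced by cut points x , . . . , x n as in the rigid formula χ . Rational weights are used throughout; in a finite model the integral in (5.2) is a finite sum, so the question of Dedekind gaps does not arise, and the example only checks that the lower and upper sums bracket P w ( τ, A ) and differ by at most z .

```python
from fractions import Fraction

# Constructed finite model (not from the paper): W = {0, ..., 7} are the
# interpretations, GLOBAL is the global probability function lambda X. P_{w0}(tau0, X),
# CLASS gives the tau'-equivalence class of each interpretation (W_{w,tau'} is the set
# of v with CLASS[v] == CLASS[w]), and IN_PHI is [[phi]] for a fixed formula phi.
GLOBAL = {0: Fraction(1, 8), 1: Fraction(1, 8), 2: Fraction(1, 4), 3: Fraction(1, 8),
          4: Fraction(1, 8), 5: Fraction(1, 16), 6: Fraction(1, 16), 7: Fraction(1, 8)}
CLASS = {0: "a", 1: "a", 2: "b", 3: "b", 4: "c", 5: "c", 6: "c", 7: "d"}
IN_PHI = frozenset({0, 2, 4, 5, 7})


def conditional_prob(w, event, global_p=GLOBAL, cls=CLASS):
    """P_w(tau', event): the conditional probability of `event` given the
    tau'-equivalence class of w, obtained from (5.1). Returns None when the
    class has probability 0, the case that (5.1) leaves undetermined."""
    mates = [v for v in global_p if cls[v] == cls[w]]
    class_mass = sum(global_p[v] for v in mates)
    if class_mass == 0:
        return None
    return sum(global_p[v] for v in mates if v in event) / class_mass


def riemann_bounds(cuts, event=IN_PHI, global_p=GLOBAL, cls=CLASS):
    """Lower and upper sums (5.3) for the partition induced by theta_0, ..., theta_n.

    `cuts` is the list [x_0, x_1, ..., x_n] constrained by chi, so that
    B_0 = {w : P_w(tau', event) <= x_0} and
    B_i = {w : x_{i-1} < P_w(tau', event) <= x_i} for i >= 1.
    Returns (lower, exact, upper), where exact is the left-hand side of (5.2).
    """
    cuts = [Fraction(c) for c in cuts]
    lower = upper = Fraction(0)
    for i, x_i in enumerate(cuts):
        x_prev = cuts[i - 1] if i > 0 else None
        members = []
        for w in global_p:
            q = conditional_prob(w, event, global_p, cls)
            if q is None:            # zero-mass class: contributes nothing to either sum
                continue
            if q <= x_i and (x_prev is None or q > x_prev):
                members.append(w)
        mass = sum(global_p[w] for w in members)               # P_{w0}(tau, B_i)
        lower += (x_prev if x_prev is not None else Fraction(0)) * mass  # xi_i * mass
        upper += x_i * mass                                      # eta_i * mass
    exact = sum(global_p[w] for w in event)                      # P_{w0}(tau, A)
    return lower, exact, upper


def max_step(cuts):
    """The probability z with x_i <= x_{i-1} + z for all i >= 1; the two sums
    in (5.3) differ by at most this much because the masses of the B_i sum to 1."""
    cuts = [Fraction(c) for c in cuts]
    return max(b - a for a, b in zip(cuts, cuts[1:]))


if __name__ == "__main__":
    for cuts in ([0, Fraction(1, 2), 1], [Fraction(k, 4) for k in range(5)]):
        lo, ex, hi = riemann_bounds(cuts)
        print(f"cuts {[str(c) for c in cuts]}: {lo} <= {ex} <= {hi}; "
              f"gap {hi - lo} <= z = {max_step(cuts)}")
```

Refining the cut points shrinks z and hence the gap between the two sums, which is exactly what the instances of P and P for finer θ i enforce.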
Obviously the condition W w ,τ = W is relevant just to the scope of the (approximate) validity of (5.2). If all instances of P and P hold everywhere in a PITL model, then so do the approximations of (5.2).

6. Probabilistic real-time DC with infinite intervals

In this section we introduce an enhanced system of real-time probabilistic DC which enables the handling of infinite intervals and has a syntactically simpler and more expressive probability operator instead of the original µ ( . )( . ). The new system is obtained as the extension of PITL by state expressions and duration terms. It properly subsumes the original probabilistic real-time DC from [DZ99] in a straightforward way. The relative completeness result about probabilistic DC in this paper is about this enhanced system and we use the acronym PDC for it in the rest of the paper.

6.1. Language.
PDC vocabularies are just PITL vocabularies extended by state variables, which are used to construct state expressions and duration terms just like in (non-probabilistic) DC (see Section 1.2 of the Preliminaries).

6.2. Models and satisfaction. PDC models are PITL models which are based on the real-time and -probability frame for two-sorted ITL with infinite intervals

F R = ⟨⟨ R , ≤ , ∞ ⟩ , ⟨ R + , + , , ∞ ⟩ , ⟨ R + , + , ., , ⟩ , λσ. max σ − min σ ⟩ ,

the only difference being that the interpretations I w , w ∈ W are supposed to map the state variables from the respective vocabularies to { , } -valued functions of time with the finite variability property. We assume that multiplication is available for probabilities. The definition of the values of duration terms and the definition of the satisfaction relation are just like in DC and PITL , respectively.

6.3. Describing probabilistic real-time automata and expressing µ ( . )( . ). The probabilistic automata from the semantics of PDC originally introduced in [DZ99] can be described in the system of PDC proposed in this paper. The original probability operator µ ( . )( . ) can be expressed using p ( . ) as follows.

Let A be an automaton of the form (1.2) from Definition 1.3. The DC vocabulary which corresponds to A consists of the states of A as state variables and the PITL vocabulary for A introduced in the example from Section 2.2, which includes the transitions of A as temporal propositional letters (0-ary flexible predicate symbols), the rigid constants q a and the rigid unary function symbols P a to denote λτ. ∫^{τ} p a ( t ) dt for each transition a , respectively. Let M = ⟨ F R , W , I, P ⟩ be a PDC model for this vocabulary in the sense of Section 6.2 with W being the set of all the behaviours of A and λX.P w ( τ, X ) being the conditional probability for a behaviour of A to be described by an interpretation in the set X ⊆ W w,τ , given that w ∈ W describes this behaviour within the interval [0 , τ ], like in the example from Section 2.2. Then M validates the axioms

✷ ¬ ( ⌈⌈¬ a − ⌉⌉ ; ⌈⌈ a − ⌉⌉ ∧ ¬ a ; ⌈⌈ a + ⌉⌉ ) , ¬ ( ⌈⌈ a − ⌉⌉ ∧ ¬ a ; ⌈⌈ a + ⌉⌉ ; ⊤ )

and

✷ ( ¬ ( ⌈⌈ a − ⌉⌉ ; a ) ∧ ¬ ( a ∧ ¬⌈⌈ a − ⌉⌉ ) ∧ ¬ ( a ; ⌈⌈¬ a + ⌉⌉ ))

for all transitions a at all intervals σ such that min σ = 0. These axioms force the interpretations of the temporal propositional letters a to correspond to the respective transitions of A , which are identified by observing their source states a − and destination states a + , in the way proposed in the example from Section 2.2. Having this correspondence, the probabilistic behaviour of A can be described by formulas such as (2.4). If used together with the axioms P and P from Section 5, such formulas are sufficient to express the conditions on the probability functions λX.P w ( τ, X ) for w ∈ W which are encoded by the components p a and q a of the automaton A .
Furthermore, the value of µ ( ϕ )( t ) is equal to w [0 , ( p (( ϕ ∧ ℓ = t ; ⊤ ))) for every DC formula ϕ and every w ∈ W .

Note that the probabilities expressed by terms of the form p ( ϕ ) are determined by using the truth values of ϕ at infinite intervals. That is why the probability for ϕ to hold at a finite interval ending at some future time point is expressed by the term p (( ϕ ; ⊤ )), in which ⊤ accounts for the infinite interval following that end point.

In our PDC axioms about probabilistic timed automata behaviour we refer to the probability P a ( τ ) for transition a to be over by time τ instead of the probability density p a ( t ) for a to finish at time t , which was used in the original paper [DZ99]. This is not a limitation, because, at least in the case of piece-wise continuous p a , the relation P a ( τ ) = ∫^{τ} p a ( t ) dt between P a and p a can be axiomatised much like (5.2). On the contrary, there are practically interesting cases such as that of transitions with discrete or finite sets of possible durations in which p a cannot be defined whereas P a exists.

7. A proof system for PDC

The proof system for PDC that we propose consists of the DC axioms DC DC T T PITL models which are based on F R means that all formulas which are valid at such PITL models are admitted as axioms, the PITL axioms from Section 3 are no more relevant than any of these valid formulas from the formal point of view.

8. Relative completeness of the proof system for PDC
The proof of the completeness of the axioms DC DC T T PDC relative to validity in the class of the F R -based models of PITL follows closely the pattern of the original relative completeness proof for (non-probabilistic) DC from [HZ92]. The variant of this proof about the system of DC based on the modalities of NL from [RZ97] is very close to our setting. Therefore we include the proof details mostly for the sake of completeness. Below PITL RL stands for the set of the PITL formulas written in the vocabulary L which are valid in the class of all F R -based PITL models.

Let ϕ be a PDC formula written in some vocabulary L and let S be the set of all the state expressions which can be written using only the state variables which occur in ϕ . Given a state expression S ∈ S , we denote the set

{ S ′ ∈ S : S ′ is propositionally equivalent to S }

by [ S ]. Since ϕ contains a finite number of state variables, there are finitely many different equivalence classes [ S ] for S ∈ S . Let L ′ be the ITL vocabulary which consists of the symbols from L , except the state variables, and the fresh flexible constants ℓ [ S ] , S ∈ S . Since there are finitely many classes [ S ], these flexible constants are finitely many too. If all the state expressions which occur in some PDC formula ψ are from S , we denote the result of substituting every duration term ∫ S with the respective flexible constant ℓ [ S ] in ψ by ψ ′ . Note that ψ ′ is a PITL formula with no PDC -specific constructs left in it.

Now consider the set H of all the instances of DC DC T T S . Unless no state variables occur in ϕ , H is infinite. However, since there are finitely many equivalence classes [ S ], the set H ′ = { α ′ : α ∈ H } is finite. We define the sequence of formulas ψ k , k < ω as follows:

ψ ⇋ ✷ ⋀ H ′ , ψ k +1 ⇋ ✷ ⋀ H ′ ∧ p ( ψ k ) = 1 for all k < ω.

The formula ψ k states that all the instances of the DC axioms hold with probability 1 at interpretations which are accessible through probability terms of height at most k .

Now assume that ϕ is consistent with our proof system for PDC . Let n = h ( ϕ ) where h ( ϕ ) = 0 for ϕ with no occurrence of probability terms, and h ( ϕ ) = 1 + max { h ( ψ ) : p ( ψ ) occurs in ϕ } for ϕ with probability terms. Then the formula

ψ ⇋ ℓ = ∞ ∧ ( ϕ ′ ∨ ( ϕ ′ ; ℓ = ∞ )) ∧ ψ n

is consistent with PITL RL . This entails that there is a PITL model M = ⟨ F R , W , I, P ⟩ , w ∈ W and an interval σ ∈ ˜ I ( R ) such that M, w , σ ⊨ ψ. Clearly σ ∈ I inf ( R ). Following the example from [HZ92], we use M in order to build a PDC model for L which satisfies ϕ .

We define the ascending sequence of subsets N ⊆ N ⊆ . . . ⊆ N n of W by the equalities N = { w } and

N k = ⋃_{ w ∈ N k − } { v ∈ W w, min σ : M, v, σ ⊨ ψ n − k } for k = 1 , . . . , n.

The set of the behaviour descriptions W ′ for the PDC model we are constructing is N n . Let w ∈ N n and τ ∈ (min σ , ∞ ). Let Q be a state variable occurring in ϕ . Then

ℓ = 0 ∨ ( ⌈⌈ Q ⌉⌉ ; ⊤ ) ∨ ( ⌈⌈¬ Q ⌉⌉ ; ⊤ ) , ℓ = 0 ∨ ℓ = ∞ ∨ ( ⊤ ; ⌈⌈ Q ⌉⌉ ) ∨ ( ⊤ ; ⌈⌈¬ Q ⌉⌉ ) ∈ H ,

because these formulas are instances of T T 2, respectively. This entails that

M, w, [ τ, τ + 1] ⊨ ( ℓ [ Q ] = ℓ ∧ ℓ ≠ 0; ⊤ ) ∨ ( ℓ [ ¬ Q ] = ℓ ∧ ℓ ≠ 0; ⊤ )

and

M, w, [min σ , τ ] ⊨ ( ⊤ ; ℓ [ Q ] = ℓ ∧ ℓ ≠ 0) ∨ ( ⊤ ; ℓ [ ¬ Q ] = ℓ ∧ ℓ ≠ 0) ,

which implies that there are some ξ, η ∈ R such that ξ < τ < η and

M, w, [ τ, η ] ⊨ ℓ [ Q ] = ℓ ∨ ℓ [ ¬ Q ] = ℓ and M, I, [ ξ, τ ] ⊨ ℓ [ Q ] = ℓ ∨ ℓ [ ¬ Q ] = ℓ.

Let us fix some ξ and η with this property and denote the open neighbourhood ( ξ, η ) of τ by O Q,w,τ . Similarly,

M, w, [min σ , min σ + 1] ⊨ ( ℓ [ Q ] = ℓ ∧ ℓ ≠ 0; ⊤ ) ∨ ( ℓ [ ¬ Q ] = ℓ ∧ ℓ ≠ 0; ⊤ )

and hence there is an η > min σ such that

M, w, [min σ , η ] ⊨ ℓ [ Q ] = ℓ ∨ ℓ [ ¬ Q ] = ℓ.

We fix such an η and write O Q,w, min σ for the semi-open neighbourhood [min σ , η ) of min σ . Obviously

⋃_{ τ ∈ [min σ , ∞ ) } O Q,w,τ = [min σ , ∞ ) .

Moreover, O Q,w = { O Q,w,τ : τ ∈ [min σ , ∞ ) } is a (relatively) open covering of [min σ , ∞ ).

Here follows the key observation in this proof: the compactness of the intervals of the form [min σ + k, min σ + k + 1] where k = 0 , , , . . . implies that for every such k there is a finite sub-covering O Q,w,k ⊂ O Q,w of [min σ + k, min σ + k + 1]. Let O Q,w,k = { O Q,w,τ Q,w,k, , . . . , O Q,w,τ Q,w,k,nw,k } . We will use the time points τ Q,w,k,i , i = 1 , . . . , n w,k , k = 0 , , . . . , where Q is a state variable occurring in ϕ to define an interpretation ( I ′ ) w of L in our PDC model under construction which corresponds to I w for w ∈ W ′ . Let us denote the set of these time points by C Q,w . Since min σ ∈ C Q,w and C Q,w ∩ σ is finite for every bounded interval σ , the set C Q,w ∩ [min σ , τ ] contains a greatest time point for every τ ∈ [min σ , ∞ ). ( I ′ ) w is defined by the following clauses:

( I ′ ) w ( s ) = I ( s ) for all symbols s ∈ L which are not state variables;
( I ′ ) w ( Q )( τ ) = 0 for all state variables Q ∈ L which do not occur in ϕ and all τ ∈ R ;
( I ′ ) w ( Q )( τ ) = 1 for state variables Q which occur in ϕ and τ such that M, w, [ τ ′ , sup O Q,w,τ ′ ] ⊨ ℓ [ Q ] = ℓ , where τ ′ = max( C Q,w ∩ [min σ , τ ]);
( I ′ ) w ( Q )( τ ) = 0 for state variables Q which occur in ϕ and τ such that M, w, [ τ ′ , sup O Q,w,τ ′ ] ⊨ ℓ [ ¬ Q ] = ℓ , where τ ′ is as above, and for τ < min σ as well.

A straightforward argument based on the presence of the appropriate instances of DC DC H implies that this definition of ( I ′ ) w is correct and I ′ satisfies the equality

( I ′ ) wσ ( ∫ S ) = I wσ ( ℓ [ S ] )

for all state expressions S ∈ S and all intervals σ ∈ ˜ I ( R ) such that min σ ≤ min σ . The functions ( P ′ ) w , w ∈ W ′ , are defined using the respective P w by the equality

( P ′ ) w ( τ, A ∩ W ′ ) = P w ( τ, A ) (8.1)

for w ∈ ⋃_{i=0}^{n −} N i and τ ≥ min σ . Since M, w , σ ⊨ ψ n , the construction of W ′ implies that P w ( τ, ( W ′ ) w,τ ) = 1 for all such w . Hence if P ( τ, A ) = P ( τ, A ), then P ( τ, A ∩ W ′ w,τ ) = P ( τ, A ∩ W ′ w,τ ) as well, which implies that A ∩ ( W ′ ) w,τ = A ∩ ( W ′ ) w,τ . That is why the equality (8.1) defines the function ( P ′ ) w correctly.
We allow ( P ′ ) w to be arbitrary for w ∈ W ′ \ S n − i =0 N i , because the truth values of formulas of probability height up to n at w , σ do not depend on these functions.Let M ′ = h F R , W ′ , I ′ , P ′ i . An induction on k implies that if ψ is a PDC formulawritten in L , h ( ψ ) ≤ k , w ∈ N i , σ ∈ ˜ I ( R ), min σ ≥ min σ and k + i ≤ n , then M ′ , w, σ | = ψ iff M, w, σ | = ψ ′ and P w (max σ, [[ ψ ′ ]] M,w,σ ) = ( P ′ ) w ( τ, [[ ψ ]] M ′ ,w,σ ) . This, in particular, implies that M ′ , w , σ | = ϕ or M ′ , w , σ | = ( ϕ ; ℓ = ∞ ) . In the latter case M ′ , w , σ | = ϕ for some σ ∈ I fin ( R ) such that min σ = min σ . ROBABILISTIC
ITL
AND DC WITH INFINITE INTERVALS: COMPLETE PROOF SYSTEMS 37
This concludes the proof of the relative completeness of the $DC$ axioms together with $T_1$ and $T_2$ for PDC, because we have shown that the assumption that a given PDC formula is consistent with this proof system entails that the formula is satisfiable at a PDC model.

9. PITL with infinite intervals and PNL

The system which is closest to PITL both in its semantics and proof system is the probabilistic extension PNL of neighbourhood logic (NL) which was proposed in [Gue00]. The modalities $\Diamond_l$ and $\Diamond_r$ of NL are defined by the clauses:

$$M, \sigma \models \Diamond_l \varphi \text{ iff } M, \sigma' \models \varphi \text{ for some } \sigma' \text{ such that } \max\sigma' = \min\sigma,$$
$$M, \sigma \models \Diamond_r \varphi \text{ iff } M, \sigma' \models \varphi \text{ for some } \sigma' \text{ such that } \min\sigma' = \max\sigma.$$

$\Diamond_l$ and $\Diamond_r$ are called expanding modalities because they allow access outside the reference interval. The dual modalities $\Box_d$ of $\Diamond_d$ are defined by the clauses $\Box_d \varphi \rightleftharpoons \neg \Diamond_d \neg \varphi$ for $d \in \{l, r\}$.

A duration calculus on the basis of NL was developed in [RZ97]. Infinite intervals are an alternative way to achieve the expressivity of $\Diamond_r$. A truth-preserving translation from ITL with infinite intervals to NL is impossible for the trivial reason that NL does not have infinite intervals, and there is no straightforward way to capture the ITL interpretation of flexible symbols at infinite intervals. Furthermore, NL duration domains known from the literature do not include $\infty$, but include negative durations. However, if the only flexible symbols in the considered vocabularies are $\ell$ and state variables, then the duration calculi based on NL and on ITL with infinite intervals, respectively, can be related by means of a translation which has the following property: if $\psi$ is the NL-based DC formula which is the translation of some ITL-based DC formula $\varphi$ and $FV(\varphi) = \{x_1, \ldots, x_n\}$, then

$$M', [\tau, \tau] \models \psi \text{ iff } M, [\tau, \infty] \models \varphi, \tag{9.1}$$

where the duration domain of the ITL model $M$ is obtained from that of the NL model $M'$ by removing the negative elements and adding $\infty$, and the meanings of the non-logical symbols in $M$ and $M'$ on the intersection of the two duration domains are the same. We describe such a translation in this section.

The predicate logic equivalences

$$R(t_1, \ldots, t_n) \Leftrightarrow \exists x_1 \ldots \exists x_n \left( R(x_1, \ldots, x_n) \wedge \bigwedge_{i=1}^n t_i = x_i \right)$$

and

$$f(t_1, \ldots, t_n) = z \Leftrightarrow \exists x_1 \ldots \exists x_n \left( f(x_1, \ldots, x_n) = z \wedge \bigwedge_{i=1}^n t_i = x_i \right),$$

where $x_1, \ldots, x_n$ do not occur in $t_1, \ldots, t_n$, allow us to assume that all atomic subformulas of the ITL formulas to be translated are either rigid or have the form $\int S = x$ where $x$ is a variable. We can also treat $\ell$ as $\int 1$.

The clauses below define two auxiliary translations $(.)^{\mathrm{fin}}$ and $(.)^{\mathrm{inf}}$ from ITL-based to NL-based DC. $(.)^{\mathrm{fin}}$ translates an ITL formula which is to be evaluated at a finite interval into its NL equivalent. $(.)^{\mathrm{inf}}$ translates an ITL formula which is to be evaluated at an infinite interval $\sigma$ into a corresponding NL formula which defines the same condition on $\sigma$ when evaluated at the zero-length interval $[\min\sigma, \min\sigma]$. $(.)^{\mathrm{inf}}$ refers to $(.)^{\mathrm{fin}}$ for the translation of $(.;.)$-formulas. Both auxiliary translations are correct only under the assumption that the free variables of the given ITL formulas range over non-negative finite durations. Infinity is handled only where explicitly denoted by the symbol $\infty$. Atomic formulas $R(t_1, \ldots, t_n)$ with the parameter list $t_1, \ldots, t_n$ consisting of individual variables and, possibly, $\infty$ translate into dedicated specialising formulas $S^R_{t_1, \ldots, t_n}$, which define the appropriate predicates on the non-$\infty$ parameters according to the intended meaning of $R$ and the positions of the occurrences of $\infty$ in $t_1, \ldots, t_n$. For instance, $S^{=}_{x,y}$ is $x = y$, $S^{=}_{x,\infty}$ is $\bot$, and $S^{=}_{\infty,\infty}$ is $\top$. Atomic formulas with $=$ and function symbols are handled similarly, e.g. the formula $S^{+}_{x,\infty;y}$ for $x + \infty = y$ is $\bot$, and $S^{+}_{x,\infty;\infty}$ is $\top$.

$$\begin{array}{lcl}
\bot^{\mathrm{fin}} & \rightleftharpoons & \bot \\
(R(t_1, \ldots, t_n))^{\mathrm{fin}} & \rightleftharpoons & S^R_{t_1, \ldots, t_n} \\
(f(t_1, \ldots, t_n) = t_{n+1})^{\mathrm{fin}} & \rightleftharpoons & S^f_{t_1, \ldots, t_n; t_{n+1}} \\
(\int S = \infty)^{\mathrm{fin}} & \rightleftharpoons & \bot \\
(\int S = x)^{\mathrm{fin}} & \rightleftharpoons & \int S = x \\
(\varphi \Rightarrow \psi)^{\mathrm{fin}} & \rightleftharpoons & \varphi^{\mathrm{fin}} \Rightarrow \psi^{\mathrm{fin}} \\
(\varphi; \psi)^{\mathrm{fin}} & \rightleftharpoons & \exists x \exists y (\ell = x + y \wedge \Diamond_l \Diamond_r (\ell = x \wedge \varphi^{\mathrm{fin}} \wedge \Diamond_r (\ell = y \wedge \psi^{\mathrm{fin}}))) \\
(\exists x \varphi)^{\mathrm{fin}} & \rightleftharpoons & ([\infty/x]\varphi)^{\mathrm{fin}} \vee \exists x (x \ge 0 \wedge \varphi^{\mathrm{fin}}) \\[1ex]
\bot^{\mathrm{inf}} & \rightleftharpoons & \bot \\
(R(t_1, \ldots, t_n))^{\mathrm{inf}} & \rightleftharpoons & S^R_{t_1, \ldots, t_n} \\
(f(t_1, \ldots, t_n) = t_{n+1})^{\mathrm{inf}} & \rightleftharpoons & S^f_{t_1, \ldots, t_n; t_{n+1}} \\
(\int S = \infty)^{\mathrm{inf}} & \rightleftharpoons & \forall x \Diamond_r \int S > x \\
(\int S = x)^{\mathrm{inf}} & \rightleftharpoons & \Diamond_r (\int S = x \wedge \Box_r \int S = 0) \\
(\varphi \Rightarrow \psi)^{\mathrm{inf}} & \rightleftharpoons & \varphi^{\mathrm{inf}} \Rightarrow \psi^{\mathrm{inf}} \\
(\varphi; \psi)^{\mathrm{inf}} & \rightleftharpoons & \Diamond_r (\varphi^{\mathrm{fin}} \wedge \Diamond_r (\ell = 0 \wedge \psi^{\mathrm{inf}})) \\
(\exists x \varphi)^{\mathrm{inf}} & \rightleftharpoons & ([\infty/x]\varphi)^{\mathrm{inf}} \vee \exists x (x \ge 0 \wedge \varphi^{\mathrm{inf}})
\end{array}$$

As mentioned above, $(.)^{\mathrm{inf}}$ is correct only under the assumption that the free variables of the given ITL formulas range over non-negative finite durations. To remove this restriction, given an ITL formula $\varphi$ whose free variables are $x_1, \ldots, x_n$, we define the sequence of formulas $\varphi_0, \ldots, \varphi_n$ by the clauses

$$\varphi_0 \rightleftharpoons \varphi, \qquad \varphi_i \rightleftharpoons (x_i \ge 0 \wedge \varphi_{i-1}) \vee [\infty/x_i]\varphi_{i-1} \quad \text{for } i = 1, \ldots, n,$$

and choose the formula $\psi$ from (9.1) to be $(\varphi_n)^{\mathrm{inf}}$. This translation can be extended to one between PDC with infinite intervals and a system of probabilistic DC based on NL by putting

$$(p(\varphi) = x)^{\mathrm{fin}} \rightleftharpoons p(\varphi^{\mathrm{inf}}) = x, \qquad (p(\varphi) = x)^{\mathrm{inf}} \rightleftharpoons (\varphi^{\mathrm{inf}} \wedge x = 1) \vee (\neg \varphi^{\mathrm{inf}} \wedge x = 0).$$

A translation from NL into ITL with infinite intervals is possible too, under the assumption that there is a time point $\tau$ such that the values of all flexible symbols except $\ell$ at intervals starting before $\tau$ are irrelevant to the truth value of the translated formula. This restriction is necessary, because an ITL formula cannot express conditions on the past prior to the beginning of the infinite reference interval. It can be avoided if one considers a system of ITL with intervals which can be infinite into the past as well, which is beyond the scope of this paper. If a property does not depend on the interpretation of the flexible symbols on the left of the beginning of the reference interval and can be expressed by an NL formula, then it can be expressed by an NL formula in which the only occurrences of $\Diamond_l$ are in subformulas of the form $\Diamond_l \Diamond_r \chi$. Given an NL formula $\varphi$ which satisfies this syntactical restriction, one can find an ITL formula $\psi$ such that $M, [\tau_1, \infty] \models \psi$ is equivalent to the existence of a $\tau_2 \ge \tau_1$ such that $M', [\tau_1, \tau_2] \models \varphi$. Below we give a translation which, given a $\varphi$ of the form

$$\varphi ::= \bot \mid R(t_1, \ldots, t_n) \mid (\varphi \Rightarrow \varphi) \mid \Diamond_r \varphi \mid \Diamond_l \Diamond_r \varphi \mid \exists x (x \ge 0 \wedge \varphi),$$

produces a corresponding $\psi$. This translation produces formulas constructed using $\exists$, $\Rightarrow$, $\bot$, rigid formulas and formulas of the form

$$(\ell = t_1; \ell = t_2 \wedge \alpha; \top) \tag{9.2}$$

with $\alpha$ being a modality-free formula. The translation works by reducing the number of the occurrences of $\Diamond_l \Diamond_r$ and $\Diamond_r$ in formulas of the form (9.2), yet with $\alpha$ being an NL formula. The ITL formula $\psi$ is obtained by starting from $(\ell = 0; \ell = 0 \wedge \Diamond_r \varphi; \top)$. To understand the correctness of the translation, one can think of a system which has all the modalities $(.;.)$, $\Diamond_l$ and $\Diamond_r$, with the obvious semantics, and check that the translation rules correspond to valid equivalences at infinite reference intervals, provided that the free variables of the involved formulas have finite non-negative values. Here follow the transformation rules which define the translation:

$$\begin{array}{lcl}
(\ell = t_1; \ell = t_2 \wedge (\chi_1 \Rightarrow \chi_2); \top) & \to & (\ell = t_1; \ell = t_2 \wedge \chi_1; \top) \Rightarrow (\ell = t_1; \ell = t_2 \wedge \chi_2; \top) \\
(\ell = t_1; \ell = t_2 \wedge \Diamond_r \chi; \top) & \to & \exists z (\ell = t_1 + t_2; \ell = z \wedge \chi; \top) \\
(\ell = t_1; \ell = t_2 \wedge \Diamond_l \Diamond_r \chi; \top) & \to & \exists z (\ell = t_1; \ell = z \wedge \chi; \top) \\
(\ell = t_1; \ell = t_2 \wedge \exists x (x \ge 0 \wedge \chi); \top) & \to & \exists x (x < \infty \wedge (\ell = t_1; \ell = t_2 \wedge \chi; \top))
\end{array}$$

The individual variable $z$ in the rules above is supposed to be fresh. The last rule can be applied only if $x \notin FV(t_1) \cup FV(t_2)$.
The translation from NL into ITL can be extended to one from PNL to PITL by mapping NL probability terms $p(\varphi)$ to the corresponding PITL probability terms $p(\psi)$, where $\psi$ is the translation of $\varphi$.

Concluding remarks
We conclude by discussing some restrictions on the scope of the completeness results about PITL and PDC presented in this paper.

Countable additivity of probability functions. According to our definition, the probability functions in PITL models are required to be just finitely additive, whereas classical probability theory is about countably additive probability functions. One simple reason for this is the choice to have an abstract domain of probabilities which is not required to be Dedekind-complete, and therefore the infinite sums which are relevant to countable additivity cannot be guaranteed to exist. The difficulty in axiomatising countable additivity becomes even more obvious from the observation that PITL has the Löwenheim-Skolem property. This means that countably infinite consistent sets of PITL formulas can be satisfied at countably infinite models, which, in particular, have countably infinite domains. This follows immediately from the construction of the PITL model in the completeness argument for our proof system. Countably infinite PITL models with countably additive probability functions validate formulas of the form

$$\forall x (p(\varphi) = 0) \Rightarrow p(\exists x \varphi) = 0.$$

This follows immediately from the fact that $x$ ranges over a countably infinite domain. Hence the above formula should be a theorem in a proof system which is complete with respect to models with countably additive probability functions, as long as the Löwenheim-Skolem property holds. However, this formula is not valid in arbitrary models.

Completeness of PDC relative to (non-probabilistic) real-time ITL. Our demonstration that some well-known axioms of (non-probabilistic) DC form a proof system which is complete relative to probabilistic ITL with infinite intervals was hardly a technical challenge, given the similar proofs from [HZ92, RZ97]. It would have been interesting to develop a proof system for PDC which is complete relative to real-time ITL without probabilities. The proof of Lemma 4.11, which is the key step in our model construction for the completeness argument for PITL, explains why this is impossible. The model construction involves an expression of $\tau$-equivalence by the formulas

$$(\Box \forall (\chi_\nu \Leftrightarrow \chi_{\nu'}) \wedge \ell = c; \ell = \infty) \tag{9.3}$$

for $\tau$ being the equivalence class $[c]$ of the rigid constant $c$. The relation of $\tau$-equivalence is needed to hold between any given $w \in W$ from a PDC model $M = \langle F_{\mathbf R}, W, I, P \rangle$ and the $v \in W$ which are needed to populate $[\![\varphi]\!]_{M,w,\sigma}$ for $\varphi$ such that $M, w$ is supposed to satisfy $p(\varphi) \neq 0$ at intervals $\sigma$ whose end point is $\tau$. The proof of Lemma 4.11 relies on the possibility to use the formulas (9.3) and an assumption which essentially amounts to the derivability of $\neg \varphi$ from some appropriately chosen formulas in order to derive the existence of a formula $\theta$ such that the same formulas imply $(\theta \wedge \ell =  c; \ell = \infty) \Rightarrow \neg \varphi$, which in its turn enables an application of the PITL proof rule $P_\le$ to derive $\theta \Rightarrow p(\varphi) = 0$ and reach the aimed contradiction. The existence of the formula $\theta$ amounts to the interval-related interpolation property of ITL with infinite intervals (see Section 4.1). Unfortunately, DC has neither this interpolation property, nor the related Craig interpolation property [Gue04b]. The counterexample to Craig interpolation in [Gue04b] indicates that the property could possibly be restored by allowing infinitary formulas to take the role of $\theta$. DC is not a compact logic, and therefore derivability from infinite sets of premises is not reducible to derivability from finite ones. Hence, in order to achieve sufficient deductive power, the proof rule $P_\le$ would have to be replaced by one allowing infinitary formulas on the left of $\Rightarrow$ as well. The deductive power of a finitary rule would be insufficient for the role of $P_\le$ in any presumable finitary proof system for PDC that is complete relative to (non-probabilistic) real-time ITL with infinite intervals.
References

[ACD91] Rajeev Alur, Costas Courcoubetis, and David L. Dill. Model-checking for Probabilistic Real-time Systems. In Proceedings of ICALP'91, volume 510 of LNCS, pages 115–136. Springer, 1991.
[ACD92] Rajeev Alur, Costas Courcoubetis, and David L. Dill. Verifying Automata Specifications of Probabilistic Real-time Systems. In Real-Time: Theory and Practice, volume 600 of LNCS, pages 28–44. Springer, 1992.
[ASB95] Adnan Aziz, Vigyan Singhal, and Felice Balarin. It Usually Works: The Temporal Logic of Stochastic Systems. In Proceedings of CAV'95, volume 939 of LNCS, pages 155–165. Springer, 1995.
[BM05] Davide Bresolin and Angelo Montanari. A Tableau-based Decision Procedure for Branching Time Interval Temporal Logic. In TABLEAUX 2005. 14th Conference on Automatic Reasoning with Analytic Tableaux and Related Methods, volume 3702 of LNAI, pages 63–77. Springer, 2005.
[BMS07] Davide Bresolin, Angelo Montanari, and Pietro Sala. An Optimal Tableau-based Decision Procedure for Propositional Neighbourhood Logic. In STACS 2007. 24th International Symposium on Theoretical Aspects of Computer Science, 2007. To appear.
[BRZ00] Rana Barua, Suman Roy, and Zhou Chaochen. Completeness of Neighbourhood Logic. Journal of Logic and Computation, 10(2):271–295, 2000.
[CK73] C. C. Chang and H. J. Keisler. Model Theory. North Holland, 1973. The book has had more recent editions.
[Dan98] Dang Van Hung. Modelling and Verification of Biphase Mark Protocols in Duration Calculus Using PVS/DC−. In Proceedings of the 1998 International Conference on Application of Concurrency to System Design (CSD'98), pages 88–98. IEEE Computer Society Press, March 1998.
[Dut95a] Bruno Dutertre. On First-order Interval Temporal Logic. Report CSD-TR-94-3, Department of Computer Science, Royal Holloway, University of London, Egham, Surrey TW20 0EX, England, 1995. A short version appeared as [Dut95b].
[Dut95b] Bruno Dutertre. On First Order Interval Temporal Logic. In Proceedings of LICS'95, pages 36–43. IEEE Computer Society Press, 1995.
[DW96] Dang Van Hung and Wang Ji. On The Design of Hybrid Control Systems Using Automata Models. In Proceedings of FST TCS 1996, volume 1180 of LNCS, pages 156–167. Springer, 1996.
[DZ99] Dang Van Hung and Zhou Chaochen. Probabilistic Duration Calculus for Continuous Time. Formal Aspects of Computing, 11(1):21–44, 1999.
[Gue98] Dimitar P. Guelev. Probabilistic Interval Temporal Logic. Technical Report 144, UNU/IIST, P.O.Box 3058, August 1998. Draft.
[Gue00] Dimitar P. Guelev. Probabilistic Neighbourhood Logic. In Mathai Joseph, editor, Proceedings of FTRTFT 2000, volume 1926, pages 264–275. Springer, 2000. A proof-complete version is available as UNU/IIST Technical Report 196 from .
[Gue01] Dimitar P. Guelev. Interval-related Interpolation in Interval Temporal Logics. Logic Journal of the IGPL, 9(5):677–685, 2001. Presented at ICTL 2000, Leipzig, October, 2000.
[Gue04a] Dimitar P. Guelev. A Complete Proof System for First-order Interval Temporal Logic with Projection. Journal of Logic and Computation, 14(2):215–249, 2004.
[Gue04b] Dimitar P. Guelev. Logical Interpolation and Projection onto State in the Duration Calculus. Journal of Applied Non-classical Logics, Special Issue on Interval Temporal Logics and Duration Calculi, 14(1-2):185–213, 2004. Presented at the ESSLLI Workshop on Interval Temporal Logics and Duration Calculi, Vienna, August, 2003.
[Gue04c] Dimitar P. Guelev. Sharpening the Incompleteness of the Duration Calculus. In Irek Ulidowski, editor, Proceedings of ARTS 2004, volume ? of ENTCS. Elsevier Science, 2004. Presented at ARTS 2004, Stirling, UK.
[He 99a] He Jifeng. A Behavioral Model for Co-design. In Proceedings of FM'99, volume 1709 of LNCS, pages 1420–1438. Springer, 1999.
[He 99b] He Jifeng. Integrating Variants of DC. Research Report 172, UNU/IIST, P.O.Box 3058, Macau, August 1999.
[HS86] J. Y. Halpern and Y. Shoham. A Propositional Logic of Time Intervals. In Proceedings of LICS'86, pages 279–292. IEEE Computer Society Press, 1986.
[Hu 99] Hu Chengjun. Proof Techniques and Tools for Interval Logics. Ph.D. thesis, Changsha Institute of Technology, Changsha, China, 1999. (In Chinese).
[HZ92] Michael R. Hansen and Zhou Chaochen. Semantics and Completeness of Duration Calculus. In Real-Time: Theory and Practice, volume 600 of LNCS, pages 209–225. Springer, 1992.
[HZ97] Michael R. Hansen and Zhou Chaochen. Duration Calculus: Logical Foundations. Formal Aspects of Computing, 9:283–330, 1997.
[IEE95] IEEE Computer Society. IEEE Standard Hardware Description Language Based on the Verilog Hardware Description Language (IEEE std 1364-1995). IEEE Computer Society Press, 1995.
[Jos95] Mathai Joseph. Real-Time Systems. Prentice Hall, 1995.
[KNP01] Marta Kwiatkowska, Gethin Norman, and David Parker. PRISM: Probabilistic symbolic model checker. In P. Kemper, editor, Proc. Tools Session of Aachen 2001 International Multiconference on Measurement, Modelling and Evaluation of Computer-Communication Systems, pages 7–12, 2001. Available as Technical Report 760/2001, University of Dortmund.
[LH99] Li Li and He Jifeng. A Denotational Semantics of Timed RSL using Duration Calculus. In Proceedings of RTCSA'99, pages 492–503. IEEE Computer Society Press, 1999.
[LRSZ93] Liu Zhiming, A. P. Ravn, E. V. Sørensen, and Zhou Chaochen. A Probabilistic Duration Calculus. In H. Kopetz and Y. Kakuda, editors, Dependable Computing and Fault-tolerant Systems Vol. 7: Responsive Computer Systems, pages 30–52. Springer, 1993.
[McM] Ken McMillan. SMV documentation postscript versions. URL: . Accessed in February, 2002.
[MO99] Markus Müller-Olm. A modal fixpoint logic with chop. In Proceedings of STACS'99, volume 1563 of LNCS, pages 510–512. Springer, 1999.
[Mon] The MONA Project. URL: . Maintained by Anders Møller.
[Mos85] Ben Moszkowski. Temporal Logic For Multilevel Reasoning About Hardware. IEEE Computer, 18(2):10–19, 1985.
[Mos86] Ben Moszkowski. Executing Temporal Logic Programs. Cambridge University Press, 1986.
[Pan] Paritosh K. Pandya. DCVALID. A tool for modelchecking Duration Calculus Formulae. URL: .
[Pan95] Paritosh K. Pandya. Some extensions to Mean-Value Calculus: Expressiveness and Decidability. In Proceedings of CSL'95, volume 1092 of LNCS, pages 434–451. Springer, 1995.
[Pan96] Paritosh K. Pandya. Weak Chop Inverses and Liveness in Mean-Value Calculus. In Proceedings of FTRTFT'96, volume 1135 of LNCS, pages 148–167. Springer, 1996.
[Pan01] Paritosh K. Pandya. Model checking CTL[DC]. In Proceedings of TACAS 2001, volume 2031 of LNCS, pages 559–573. Springer, 2001.
[Pan02] Paritosh K. Pandya. The saga of synchronous bus arbiter: On model checking quantitative timing properties of synchronous programs. In Proceedings of SLAP'02, volume 65(5) of ENTCS. Elsevier Science, 2002.
[PD98] Paritosh K. Pandya and Dang Van Hung. Duration Calculus of Weakly Monotonic Time. In Proceedings of FTRTFT'98, volume 1486 of LNCS, pages 55–64. Springer, 1998.
[PRI] PRISM: Probabilistic Symbolic Model Checker. URL: . Maintained by David Parker.
[PVS] PVS Specification and Verification System. URL: http://pvs.csl.sri.com. Maintained by Sam Owre.
[PWX98] Paritosh K. Pandya, Wang Hanping, and Xu Qiwen. Towards a Theory of Sequential Hybrid Programs. In D. Gries and W.-P. de Roever, editors, Proceedings of IFIP Working Conference PROCOMET'98, pages 336–384. Chapman & Hall, 1998.
[Rab98] Alexander Rabinovich. Non-elementary Lower Bound for Propositional Duration Calculus. Information Processing Letters, 66:7–11, 1998.
[Ras02] Thomas M. Rasmussen. Interval Logic - Proof Theory and Theorem Proving. Ph.D. thesis, Technical University of Denmark, 2002.
[RZ97] Suman Roy and Zhou Chaochen. Notes on Neighbourhood Logic. Technical Report 97, UNU/IIST, P.O.Box 3058, February 1997.
[SS94] J.U. Skakkebæk and N. Shankar. Towards a Duration Calculus Proof Assistant in PVS. In Proceedings of FTRTFT'94, volume 863 of LNCS, pages 660–679. Springer, 1994.
[SX98] Gerardo Schneider and Xu Qiwen. Towards a Formal Semantics of Verilog Using Duration Calculus. In Anders P. Ravn and Hans Rischel, editors, Proceedings of FTRTFT'98, volume 1486 of LNCS, pages 282–293. Springer, 1998.
[Tri99] Vladimir T. Trifonov. A completeness theorem for the probabilistic interval temporal logic with respect to its standard semantics. M.Sc. Thesis, Sofia University, July 1999. (In Bulgarian).
[UPP] UPPAAL. URL: .
[Ven91a] Yde Venema. A Modal Logic for Chopping Intervals. Journal of Logic and Computation, 1(4):453–476, 1991.
[Ven91b] Yde Venema. Many-Dimensional Modal Logics. Ph.D. thesis, University of Amsterdam, 1991.
[WX04] Wang Hanpin and Xu Qiwen. Completeness of Temporal Logics over Infinite Intervals. Discrete Applied Mathematics, 136(1):87–103, 2004.
[ZDL95] Zhou Chaochen, Dang Van Hung, and Li Xiaoshan. A Duration Calculus with Infinite Intervals. In Horst Reichel, editor, Fundamentals of Computation Theory, volume 965 of LNCS, pages 16–41. Springer, 1995.
[ZH98] Zhou Chaochen and Michael R. Hansen. An Adequate First Order Interval Logic. In International Symposium, Compositionality - The Significant Difference, volume 1536 of LNCS, pages 584–608. Springer, 1998.
[ZH04] Zhou Chaochen and Michael R. Hansen. Duration Calculus. A Formal Approach to Real-Time Systems. Springer, 2004.
[ZHR91] Zhou Chaochen, C. A. R. Hoare, and Anders P. Ravn. A Calculus of Durations. Information Processing Letters, 40(5):269–276, 1991.
[ZHS93] Zhou Chaochen, Michael R. Hansen, and P. Sestoft. Decidability and Undecidability Results for Duration Calculus. In Proceedings of STACS'93, volume 665 of LNCS, pages 58–68. Springer, 1993.
[ZZ94] Zheng Yuhua and Zhou Chaochen. A Formal Proof of a Deadline Driven Scheduler. In Proceedings of FTRTFT'94, volume 863 of LNCS, pages 756–775. Springer, 1994.
This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/