2.3 A Logic for Referring to Laws
2.3.1 Predicate-based Linear Temporal Logic (PredLTL)
Representing regulated operations: Given the need to demonstrate conformance to the regulation in case of an audit, regulated organizations such as bloodbanks keep track of their operations in a database, for example, donor information and the tests they perform. Such a system can be thought of abstractly as a relational structure evolving over time. At each point in time (state), there are a set of objects (such as donations and donors) and relations between the objects (such as an association between a donor and her donations). The state changes by the creation, removal or modification of objects. We represent this as a run.
Definition 2.1 (A Run of a System). Given countable sets Φ1, ..., Φn (where Φj is a set of predicate names of arity j) and object names O, a run of a system R(Φ1, ..., Φn, O), abbreviated as R, is a tuple (r, π1, ..., πn) where:
set of states.
• πj : Φj × S → 2^(O^j) is a truth assignment to predicates of arity j. Given p ∈ Φj, we will say that p(o1, ..., oj) is true at state s iff (o1, ..., oj) ∈ πj(p, s).
Given a run R and a time i ∈ N, the pair (R, i) is called a point (statements in linear temporal logic are evaluated at points). Given the predicate names (Φ1, ..., Φn) and object names O, the corresponding space of runs is denoted by R(Φ1, ..., Φn, O), abbreviated as R.
Representing the regulation: The logic that we define in this section is a restricted fragment of first-order modal logic. The restriction is that we allow formulas with free variables, but no quantification over objects. Formulas will be interpreted using the universal generalization rule, i.e., over all assignments to free variables. Quantifiers are omitted because we will need to use provability tests in a fragment of the language here, in order to formalize references. Unrestricted quantification would make these tests undecidable. At the same time, the lack of quantification can be too restrictive if we wish to perform a sentential translation of the regulation. We will show, in Section 2.3.3, that when references are added, the logic becomes more expressive than first-order logic, and quantifiers can be added in certain places without affecting decidability.
We begin by defining the syntax:
Definition 2.2 (Syntax). Given countable sets Φ1, ..., Φn (of predicate names), object names O, and a set of variables X, the language L(Φ1, ..., Φn, O, X), abbreviated as L, is the smallest set such that:
• p(y1, ..., yj) ∈ L where p ∈ Φj and (y1, ..., yj) ∈ (X ∪ O)^j.
• If ϕ ∈ L, then ¬ϕ ∈ L and □ϕ ∈ L. If ϕ, ψ ∈ L, then ϕ ∧ ψ ∈ L.
Disjunction ϕ ∨ ψ = ¬(¬ϕ ∧ ¬ψ) and implication ϕ ⇒ ψ = ¬ϕ ∨ ψ are derived connectives. The temporal operator is understood in the usual way: □ϕ (ϕ holds and
The syntax is extended to express three kinds of statements in a body of regulation:
Definition 2.3 (Syntax of Regulation). Given a finite set of identifiers ID, a body of regulation Reg is a set of statements such that for each id ∈ ID, there exist ϕ, ψ ∈ L such that either: (id) ϕ ↦ ψ ∈ Reg, (id).o: ϕ ↦ ψ ∈ Reg, or (id).p: ϕ ↦ ψ ∈ Reg. A body of regulation is a finite set of rules, which are understood as follows.
(id) ϕ ↦ ψ is read as “If ϕ, then the regulatory authority says ψ via the law labeled (id)”. Such rules are used to represent, for example, institutional facts [73], e.g., if a priest performs a particular ceremony for a couple, then the regulatory authority says that the couple is married (where married is an institutional fact). The normative statement (id).o: ϕ ↦ ψ ((id).p: ϕ ↦ ψ) is read as: “If ϕ, then the regulatory authority says ψ is obligated (permitted) via the law labeled id”. ϕ is called the precondition of the law, and ψ is called the postcondition. We use the notation (id).x: ϕ ↦ ψ to stand for a generic rule corresponding to institutional facts, obligations, or permissions.
We note that the formal notation doesn’t quite capture the informal reading of normative statements. In particular, the informal interpretation suggests that obligation and permission need to be operators within the postcondition. We make some simplifying assumptions in this chapter (discussed below), in order to build up intuition for the analysis of obligation and permission in Chapter 4. The semantics is defined as follows:
Definition 2.4 (Semantics). Given a run R = (r, π1, ..., πn), ϕ ∈ L, and a variable assignment v : X → O, the relation (R, i, v) |= ϕ is defined inductively as follows:
• (R, i, v) |= p(y1, ..., yj) iff (o1, ..., oj) ∈ πj(p, r(i)) where ok = v(yk) if yk ∈ X, and ok = yk otherwise.
• (R, i, v) |= □ϕ iff for all k ≥ i: (R, k, v) |= ϕ
We extend the semantic relation to regulatory statements. We take |= to stand for “conforms to”:
• (R, i, v) |= (id).o: ϕ ↦ ψ iff (R, i, v) |= ϕ ⇒ ψ (⇒ is implication)
• (R, i, v) |= (id).p: ϕ ↦ ψ. Runs vacuously conform to permissions. Permissions will become relevant when references from obligations are present (Section 2.3.2).
• (R, i, v) |= (id) ϕ ↦ ψ. Institutional facts are also not directly relevant to conformance, and will be used via references from other laws.
Consider again our example from Section 4.2. We use three predicates defined as follows. d(x) is true iff x is a donation. sp(x) is true iff x consists of source plasma. test(x) is true iff x is tested for Hepatitis B. Statement (5) is represented as:
(5).o: d(x) ∧ ¬sp(x) ↦ ◇test(x)
Statement (4) is represented as:
(4).p: d(y) ∧ sp(y) ↦ ¬◇test(y)
However, statement (3) cannot be represented directly.
We will now define conformance, and then discuss the various definitions in the context of related work. Conformance of a run R is defined using the notion of validity. A formula ϕ is valid at the point (R, i), (R, i) |= ϕ, iff for all variable assignments v: (R, i, v) |= ϕ. A formula ϕ is valid on R if it is valid at all points, that is, R |= ϕ iff for all i: (R, i) |= ϕ.
Definition 2.5 (Run Conformance). Given a body of regulation Reg and a run R representing the operations of an organization, we say that R conforms to the regulation iff for all (id).x: ϕ ↦ ψ ∈ Reg, we have R |= (id).x: ϕ ↦ ψ.
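As an added illustration (not code from the thesis), the following Python checker implements Definitions 2.4 and 2.5 for the bloodbank statements (5) and (4) above. It assumes finite runs, so □ and ◇ range over the remaining finite suffix rather than all of N, and tags institutional facts with 'f'; the object names d1, d2 and the states are constructed.

```python
from itertools import product

# Formula constructors for the fragment of Definition 2.2 (Box is □, Diamond is ◇ = ¬□¬).
class Pred:
    def __init__(self, name, *args): self.name, self.args = name, args
class Not:
    def __init__(self, f): self.f = f
class And:
    def __init__(self, a, b): self.a, self.b = a, b
class Box:
    def __init__(self, f): self.f = f
class Diamond:
    def __init__(self, f): self.f = f

def Implies(a, b):
    # derived connective: a ⇒ b = ¬a ∨ b = ¬(a ∧ ¬b)
    return Not(And(a, Not(b)))

def holds(run, i, v, phi):
    """(R, i, v) |= phi (Definition 2.4). `run` is a finite list of states; each state maps a
    predicate name to the set of object tuples true there. Temporal clauses range over the
    finite suffix run[i:], an assumption standing in for the thesis's infinite runs."""
    if isinstance(phi, Pred):
        objs = tuple(v.get(y, y) for y in phi.args)  # o_k = v(y_k) for variables, y_k for object names
        return objs in run[i].get(phi.name, set())
    if isinstance(phi, Not):
        return not holds(run, i, v, phi.f)
    if isinstance(phi, And):
        return holds(run, i, v, phi.a) and holds(run, i, v, phi.b)
    if isinstance(phi, Box):
        return all(holds(run, k, v, phi.f) for k in range(i, len(run)))
    if isinstance(phi, Diamond):
        return any(holds(run, k, v, phi.f) for k in range(i, len(run)))
    raise TypeError(f"unknown formula {phi!r}")

def conforms(run, objects, variables, reg):
    """Definition 2.5: R conforms to Reg iff every obligation (id).o: pre ↦ post satisfies
    pre ⇒ post at every point under every assignment v : X → O. Permissions ('p') and
    institutional facts ('f', our tag) conform vacuously in this fragment."""
    for kind, pre, post in reg:
        if kind != "o":
            continue
        for i in range(len(run)):
            for vals in product(objects, repeat=len(variables)):
                v = dict(zip(variables, vals))
                if not holds(run, i, v, Implies(pre, post)):
                    return False
    return True

# Constructed bloodbank run: d1 is a non-source-plasma donation tested for Hepatitis B from
# state 1 on; d2 is source plasma and is never tested.
BASE = {"d": {("d1",), ("d2",)}, "sp": {("d2",)}}
RUN_TESTED = [dict(BASE, test=set()), dict(BASE, test={("d1",)}), dict(BASE, test={("d1",)})]
RUN_UNTESTED = [dict(BASE, test=set())] * 3
REG = [
    ("o", And(Pred("d", "x"), Not(Pred("sp", "x"))), Diamond(Pred("test", "x"))),  # statement (5)
    ("p", And(Pred("d", "y"), Pred("sp", "y")), Not(Diamond(Pred("test", "y")))),  # statement (4)
]
```

Note that the untested run violates (5) only for x = d1; the permission (4) never affects the verdict, exactly as the semantics above prescribes.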
Discussion: The deontic concepts of obligation and permission are treated as properties of sentences. Only obligations matter for conformance. If a non-source plasma donation is not tested, there is a problem. On the other hand, a bloodbank may choose to test a donation of source plasma or not. In assessing conformance, the function of a permission is to serve as an exception to an obligation, and in this indirect manner it becomes relevant. We will give a semantics to this function of permissions in Section 2.3.2. Such a treatment of permissions has its basis in the legal theory of Ross [130].
Ross’ approach to permission is by no means the only one. Theories have distinguished between various kinds of permission (cf. [23]), the most common distinction being that of positive and negative permission. We discuss the analysis by Makinson and van der Torre [99]. ϕ is said to be positively permitted iff it is explicitly permitted by the laws, and ϕ is negatively permitted iff it is not forbidden. The key issue is whether positive permissions can give rise to violations. In regulations phrased exclusively in terms of permissions, it is desirable to say that if ϕ denotes a “relevant” condition which is not explicitly permitted, then it should not hold in conforming implementations. While this has been analysed as a property of permission, following Ross, we take such violations as arising from an implicit obligation, i.e., the italicized clause. This implicit obligation can be represented using the techniques we discuss in Section 2.3.2, provided that the relevance of the condition is known.
In this chapter, we treat obligation and permission as top-level operators. Nested deontic constructs [100] cannot be expressed, i.e., sentences of the form “required to allow x” or “allowed to require x”. Conformance is defined at the level of a run, and as a result, blame cannot be assigned to different individuals. The motivation for these simplifications is to focus on the problem of exceptions, which is taken to be orthogonal to the analysis of obligations and permissions. We will formalize obligation and permission in Chapter 4.