**Temporal Logic**

### Representing and Reasoning about Change

**Girish Keshav Palshikar**

*Tata Research Development and Design Centre (TRDDC),*

54B, Hadapsar Industrial Estate, Pune 411013.
email: **girishp@pune.tcs.co.in**

**Introduction**

How do we unambiguously represent knowledge about changes over time? What are the rigorous inference rules that can be used to deduce conclusions from such temporal knowledge? These are important questions that have found new relevance with the advent of modern computing and the deployment of dynamic software systems in safety-critical applications (e.g., in bio-medical, aviation, space and nuclear power plants) that continuously deal with a changing environment.

*Propositional logic (PL)* provides a simple framework that can be used to represent and reason about
static (unchanging) logical relationships. However, it is not possible to represent and reason about
temporal (time-dependent) relationships in PL. The reasons: PL does not accord any special status to
time, dynamic (temporal) facts cannot be represented by its logical connectives and the deduction
rules do not capture changes over time. For example, suppose we are given the following facts:

*John will never become a lecturer unless he has previously completed his Ph.D. *
*John has not yet completed his Ph.D. *

From these facts, one can conclude that “*either John will complete his Ph.D. or he will never become a *
*lecturer*”. However, it is not possible to perform this reasoning in PL – we have somehow used a
richer representation and reasoning mechanism that “works” with facts that change over time. These
facts define relationships between different (unspecified) time instants. Note that in this reasoning
example, we do not know what the time is “now” nor when John will complete his Ph.D. or when he
will become a lecturer. Essentially, the facts define qualitative temporal relationships between events.
It is possible to use first-order predicate logic (FOPL) to represent time-dependent facts by adding a
special “time” argument to predicates. For example, by letting L(t) and P(t) denote the predicates that

*John is a lecturer at time t* and *John completed Ph.D. at time t*, we can represent the first fact as the formula

t L(t) (t1 (P(t1) t1 < t)). However, this approach is unsatisfactory for several reasons. For
example, it needs special time variables that must be interpreted over a special pre-defined domain
with certain properties like ordering (e.g., the set of natural numbers). There is no such restriction on
“ordinary” variables in FOPL. To state other kinds of facts, we may need to introduce *two* time
variables in the predicate, thereby complicating reasoning and understanding. It is not clear whether
all temporal deductions can be performed within the FOPL framework. Finally, we are often
interested in qualitative relationships between events without associating explicit “timestamps” with
them. For this purpose, we shall focus on special temporal logics that extend the PL framework by
adding temporal connectives.

The study of temporal logic received major attention in computer science when Prof. Amir Pnueli
used a simple temporal logic to state properties of programs (remember that when a program is
executing, the values of the program variables change over time). Deep relationships have been
discovered between temporal logic and automata theory. Temporal logics now play a vital role in
specification and verification of programs (particularly safety-critical systems) as well as in *artificial
intelligence (AI)*, where they are used to represent knowledge that contains temporal aspects.

Actually, there is no single temporal logic. Depending on whether the underlying model of time is discrete or continuous, time is represented by instants or intervals, flow of time is linear or branching, whether past or future facts are allowed, several different temporal logics can be developed. We focus on the simplest linear future-oriented discrete-time propositional temporal logic called PLTL [3]. We present a syntax and semantics of this logic, define a deduction system for it and discuss its relationship with finite automata.

**Linear Propositional Temporal Logic (PLTL)**

Let PROP be a given finite set of propositional symbols. A formula in PLTL has the following form:
p | F | F G | F G | F G | O F | F | F | F **U** G | F **W** G

where p is any proposition in PROP, F and G are any formulae in PLTL. Here, (not), (and),
(or), (implies or if-then) are the standard logical connectives. The temporal connectives (Table 1)
are: O (*next*), (*eventually *or *sometime*), (*always* or *henceforth*), **U** (*until*) and **W** (*unless*, *waiting-for* or
*weak-until*). For simplicity, we assume that the underlying time domain (i.e., the set of possible time
instances) is the same as the infinite set N = {0, 1, 2, …} of natural numbers, having the *initial instant *

0, along with the ordering between two time instants.
**Table 1. Intuitive meaning of the temporal connectives**

| Formula | Intuitive meaning |
|---|---|
| O F (next) | true at instant i if F is true at the next instant i+1 |
| F (always) | true at instant i if F is true at all future instants j such that j i |
| F (eventually) | true at instant i if F is true at some future instant j such that j i |
| F **U** G (until) | true at instant i if G is eventually true and F is true everywhere prior to G |
| F **W** G (unless) | true at instant i if either (G is eventually true and F is true everywhere prior to G) or F is always true at all future instants j i |

Some examples of formulae in PLTL are as follows (see also Box 1).

*Whenever the lift is moving, the door is closed: * (lift_moving door_closed)

*Whenever the lift is called from floor 2, the request is eventually serviced:* (lift_call_from_2( lift_services_2))

*The door always remains closed until the lift stops moving*: (door_closed **U** (lift_moving))

**Box 1: Using Temporal Logic for System Specification and Verification**

Consider a simple pumping control system (Figure 1) that transfers water from a *source tank* A into
another *sink tank* B using a pump P. Each tank has a level-meter that measures the water level in the
tank and sends it to the control system. The possible values for water level are: empty, ok and full.
Initially, both tanks are empty. The pump is to be switched on as soon as the water level in tank A
reaches ok (from empty), provided that tank B is not full. The pump remains on as long as tank A is not
empty and as long as tank B is not full. The pump is to be switched off as soon as either the tank A
becomes empty or tank B becomes full. The system should not attempt to switch the pump off (on),
if it is already off (on). While this example may appear trivial, as indeed it is, it is easy to extend to a
controller for a complex network of pumps and pipes to control multiple source and sink tanks.

[Figure 1: diagram of the pump P between Tank A and Tank B, each tank marked with its full and empty levels]

Figure 1. A simple two-tank pumping system.

Some of these behavioural requirements are specified as the following PLTL formulae.

(tank_A_empty tank_A_ok tank_A_full)

(tank_A_empty (tank_A_ok tank_A_full)

(tank_A_ok (tank_A_empty tank_A_full)

(tank_A_full (tank_A_empty tank_A_ok)

(tank_B_empty tank_B_ok tank_B_full)

(tank_B_empty (tank_B_ok tank_B_full)

(tank_B_ok (tank_B_empty tank_B_full)

(tank_B_full (tank_B_empty tank_B_ok) tank_A_empty tank_B_empty

( (tank_A_empty Otank_A_ok Otank_B_full) (Opump_on) )

( pump_on (pump_on **W** (tank_B_full tank_A_empty)) )

( ( pump_on (tank_A_empty tank_B_full) ) (Opump_on) )

Several kinds of properties of the system can be stated as PLTL formulae. Deduction systems or other methods can be used to verify whether these properties follow from the requirements. (a) Is it possible that the pump is switched on when it is already on? (b) Is it possible that the pump is off when it should have been on?

as follows. The notation (, i) ⊨ F means that the PLTL formula F is true at the given instant i in the given state-sequence ; (, i) ⊭ F means that F is false at instant i in .

(, i) ⊨ p if p si

(, i) ⊨ (F) if (, i) ⊭ F

(, i) ⊨ (F G) if (, i) ⊨ F and (, i) ⊨ G

(, i) ⊨ (F G) if (, i) ⊨ F or (, i) ⊨ G

(, i) ⊨ (F G) if (, i) ⊭ F or (, i) ⊨ G

(, i) ⊨ (O F) if (, i+1) ⊨ F

(, i) ⊨ ( F) if there exists j such that j i and (, j) ⊨ F

(, i) ⊨ ( F) if for every j i, (, j) ⊨ F

(, i) ⊨ (F **U** G) if there exists j i such that (, j) ⊨ G and for all i k j, (, k) ⊨ F

(, i) ⊨ (F **W** G) if (, i) ⊨ (F **U** G) or (, i) ⊨ ( G)

We use the notation ⊨ F to mean that the PLTL formula F is true at the initial time instant 0 in the
given state-sequence i.e., ⊨ F iff (, 0) ⊨ F; we then say that F is *initially satisfiable* in and is a

*model* of F. If there exists a state-sequence such that the given formula F is initially satisfiable in ,
then F is said to be *initially satisfiable*; if no such state-sequence exists, then F is *initially unsatisfiable*. A
PLTL formula F is *initially valid* (or simply, *valid*) denoted ⊨ F, if it is initially satisfiable in all possible
state-sequences over PROP. As an example, if PROP = {p, q} and = {p}, {p}, {p, q}, {p}, {p},
{p, q}, … then

(, 0) ⊨ (p q)

(, 0) ⊭ q

(, 1) ⊨ (O q)

(, 2) ⊨ (p q)

⊨ p

⊨ ( p)

⊨ ( q)

⊨ ( ( q))

⊨ ( ( (O q)))

It is easy to see that the PLTL formulae p, p q, (p q), (O q), ( p), ( q), ( ( q)) and ( ( (O q))) are all initially satisfiable. The formulae (p p), (p p) and ((p( q)) (p( q))) are initially valid. The formulae (p p), (p p) are initially unsatisfiable.
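As an added example (not from the article), the semantic clauses above can be turned into a small evaluator. It works over an ultimately periodic state-sequence written as a prefix plus a repeating loop, reads the connective symbols lost in this copy of the article in the standard way (not, and, or, implies, O, always, eventually, U, W), and the names `holds`, `article_checks` and `SIGMA` are its own; `SIGMA` encodes the article's sequence {p}, {p}, {p, q}, {p}, {p}, {p, q}, … as an empty prefix and a loop of three states.

```python
# Added example, not from the article: evaluating PLTL formulae with the
# semantic clauses above over an ultimately periodic state-sequence
# sigma = prefix . loop^omega (each state is the set of propositions true there).
# Formulas are nested tuples; the connective names are this example's own:
# ("prop", p), ("not", F), ("and", F, G), ("or", F, G), ("imp", F, G),
# ("next", F), ("always", F), ("eventually", F), ("until", F, G), ("unless", F, G).

def state(prefix, loop, i):
    """s_i of the sequence: the prefix states, then the loop repeated forever."""
    if i < len(prefix):
        return prefix[i]
    return loop[(i - len(prefix)) % len(loop)]

def holds(prefix, loop, i, f):
    """(sigma, i) |= f, one clause per connective as in the article."""
    op = f[0]
    if op == "prop":
        return f[1] in state(prefix, loop, i)
    if op == "not":
        return not holds(prefix, loop, i, f[1])
    if op == "and":
        return holds(prefix, loop, i, f[1]) and holds(prefix, loop, i, f[2])
    if op == "or":
        return holds(prefix, loop, i, f[1]) or holds(prefix, loop, i, f[2])
    if op == "imp":
        return (not holds(prefix, loop, i, f[1])) or holds(prefix, loop, i, f[2])
    if op == "next":
        return holds(prefix, loop, i + 1, f[1])
    # For j >= len(prefix) the suffix from j equals the suffix from j + len(loop),
    # so "for all / there exists j >= i" is decided by the positions i .. bound-1.
    bound = max(i, len(prefix)) + len(loop)
    if op == "always":
        return all(holds(prefix, loop, j, f[1]) for j in range(i, bound))
    if op == "eventually":
        return any(holds(prefix, loop, j, f[1]) for j in range(i, bound))
    if op == "until":  # some j >= i satisfies G, and F holds at every k with i <= k < j
        return any(holds(prefix, loop, j, f[2])
                   and all(holds(prefix, loop, k, f[1]) for k in range(i, j))
                   for j in range(i, bound))
    if op == "unless":  # F W G is (F U G) or (always F), as in the last clause
        return (holds(prefix, loop, i, ("until", f[1], f[2]))
                or holds(prefix, loop, i, ("always", f[1])))
    raise ValueError(f"unknown connective {op!r}")

# The article's sequence {p}, {p}, {p, q}, {p}, {p}, {p, q}, ...: empty prefix, loop of 3.
SIGMA = ([], [{"p"}, {"p"}, {"p", "q"}])
P, Q = ("prop", "p"), ("prop", "q")

def article_checks():
    """The four evaluations the article lists, read as (p and not q), q, (O q), (p and q)."""
    pre, loop = SIGMA
    return (holds(pre, loop, 0, ("and", P, ("not", Q))),  # (sigma, 0) |= p and not q
            not holds(pre, loop, 0, Q),                    # (sigma, 0) does not satisfy q
            holds(pre, loop, 1, ("next", Q)),              # (sigma, 1) |= O q
            holds(pre, loop, 2, ("and", P, Q)))            # (sigma, 2) |= p and q
```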

**Formal Deduction System **

We now have a syntax for defining formulae in PLTL and a way to assign meaning to these formulae.
We now need inference rules to deduce new facts from a given set of PLTL formulae. Remember
that valid formulae (i.e., tautologies) play a crucial role in reasoning and arguments. The logician
Tarski characterised the process of deduction as follows. According to the celebrated *Tarski's Theorem*,
given a set of formulae S = {F1, F2, …, Fn} and a conclusion C (given as another formula), C is a
logical consequence of S if and only if the formula (F1 F2 … Fn) C is valid. We need a
systematic method to prove that a given formula is indeed valid.

formulae (p q) and (q). Given a set S = {F1, F2, …, Fm} of formulae (called *assumptions*) and
another formula G (called *goal*), a *proof* of G from S in an FDS is a sequence of formulae H1, H2, …,
Hn = G such that every Hi is either (i) an assumption (i.e., Hi S) or (ii) an instance of some axiom
Ai or (iii) there are two members Hj and Hk (j, k < i) such that Hi is obtained from Hj and Hk as a
direct application of the MP rule. If G has a proof from S in the FDS, then G is said to be *provable*
within the FDS and it is denoted as S ├ G. An FDS is *sound* if every provable formula is valid and
*complete* if every valid formula is provable. More formally, an FDS is sound and complete if for every
set S = {F1, F2, …, Fm} of formulae (assumptions) and every formula G, S ├ G if and only if ((F1 F2
… Fm) G) is a tautology (i.e., it is valid). Note that if the set S is empty, then a proof of ├ G
amounts to proving that the formula G is valid (i.e., a tautology). Proving whether a
particular FDS for a particular logic is sound and complete is often difficult.

Box 2 shows an FDS for the simple PL and an example of proving a formula valid, using this deduction system [2]. There are other FDS for PL using other axioms and other deduction rules. Manually performing proofs using FDS is a notoriously difficult task. Many automated theorem-proving systems (e.g., PVS, Isabelle or HOL) provide built-in facilities that can perform many (but not all) proofs automatically, within the strict framework of an FDS.

**Box 2: A Formal Deduction System for Simple Propositional Logic [2]**

**Axioms: **

(A1) (F (F G))

(A2) ((F (G H)) ((F G) (F H))

(A3) (((F) (G)) (G F))

**Deduction (Inference) Rule (called modus ponens (MP)): **
From F and (F G) deduce G, for any formulae F and G.

We now show that {p, (q (p r))}├ (q r) i.e., prove (q r) from {p, (q (p r))}.

(1) p assumption

(2) (q (p r) assumption

(3) (p (q p) instance of A1

(4) (q p) MP with (1) and (3)

(5) ((q (p r)) ((q p) (q r))) instance of A2

(6) ((q p) (q r) MP with (2) and (5)

(7) (q r) MP with (4) and (6)

We now describe a sound and complete FDS [1] for the temporal logic PLTL. We assume that PLTL
consists of only the O and **W** temporal connectives; other temporal connectives are defined in terms
of these two, as given below. Whenever a PLTL formula contains any other temporal connectives,
they are replaced with their equivalent formulations in terms of these two temporal connectives.

to be valid (for this purpose, the FDS can be augmented to include axioms and deduction rules for simple non-temporal PL, such as the one described earlier).

**Axioms: **
(F0) F F

If F holds at all instants, then in particular F holds at the first instant
(F1) **O**F **OF **

The connective O is self-dual.
(F2) **O(F ** G) (OF OG)

**O distributes over ** i.e., F G holds in the next instant iff (OF)(OG) holds at the current
instant

(F3) (F G) (F G)

Weak distribution of over i.e., if F G holds at all instants after i and F holds at all future instants then so does G

(F4) ( F) O F

If F holds at all instants then OF also holds at all instants

(F5) (F OF) (F F)

(Temporal induction): If, whenever F holds at some instant, it also holds at the next instant, then whenever F holds at instant i, it also holds at all future instants j i.

(F6) (F **W** G) (G (F O(F **W** G)))

F **W** G holds at instant i iff either G holds at i or F holds at i and F **W** G holds at i+1
(F7) F (F **W** G)

If F holds at all instants then F **W** G holds at all instants

We now describe a set of deduction rules for PLTL; here, F and G are arbitrary formulae. The basic deduction rules in this FDS can be augmented with more rules to simplify the deductions or proofs. We omit the proof that this FDS is sound and complete.

**Deduction Rules:**

**Generalization rule GEN:** If F is a valid non-temporal formula in simple PL then conclude F.

**Specialization rule SPEC:** If F is valid in PLTL then conclude that F is valid in simple PL.

**Instantiation rule INST:** From any formula scheme F conclude F[p := ], where F[p := ] is the formula obtained from F by replacing all occurrences of the formula p in F by another formula .

**Modus ponens rule MP:** From F and (F G) deduce G, for any formulae F and G. Another way to state MP: From (F1 F2 … Fn) G and F1, F2, …, Fn conclude G.
As an example, the proof of {p} ├ p **W** q is given below.

(1) p p **W** q axiom F7

(2) (p p **W** q) definition of

(3) (p p **W** q) (2) and SPEC

(4) p assumption

(5) p **W** q (3), (4) and MP

Thus we need to prove that {(p) **W** q, p}├q (p). The formal proof, using the axioms and
deduction rules is somewhat involved (Try it. Use simplification rules if necessary).

**Classes of Properties **

Typically, a hardware, software or control system being built is specified or modeled in some
notation like finite state machines (FSM). PLTL can be used to state various desirable properties of
the system. *Verification tools *can be used to automatically check that the model or specification (e.g., an
FSM) satisfies the given property stated as a PLTL formula. In this way, the designer gains
confidence that the system model is correct. The system properties typically fall into certain classes
and the corresponding PLTL formulae have similar structure for the properties within a class. There
are several other interesting classes of properties; e.g., liveness, justice, fairness, reachability, timing,
compassion, boundedness, starvation-freedom, deadlock-freedom etc. We assume that F, G, X, Y are
non-temporal formulae not containing any temporal connectives. (Can you state and classify some
properties of the system in Box 1?)

**Table 1. Classes of system properties stated using PLTL.**

| Property | Formula | Meaning |
|---|---|---|
| Safety | F | F holds at all instants |
| Conditional safety | F G | When F holds, G holds at that and all future instants |
| Guarantee | F | F holds at at least one future instant |
| Obligation | F G (or F G) | Either F holds at all instants or G holds at some instant |
| Response-1 | F | Infinitely many instants in the future satisfy F |
| Response-2 | (F G) | Whenever F occurs, G occurs at the same or a later instant |
| Persistence | F | All except finitely many instants satisfy F |
| Reactivity | F G (or X Y) | Either F occurs at infinitely many instants or G holds at all except finitely many instants |

**Liveness:** something “good” eventually happens.

**Deadlock freedom:** a program that is expected to terminate always eventually reaches the terminal state, and a program that is not expected to terminate will never reach a terminal state.

**Justice:** either a transition is disabled infinitely many times or it is taken infinitely many times.

**Compassion:** if a transition is enabled infinitely many times then it is taken infinitely many times.

**Livelock:** no starvation for any individual process.

**Conclusions**

We presented an introduction to the mathematical framework for a simple propositional linear temporal logic PLTL that allows us to state temporal knowledge and deduce new facts from it. We illustrated its use for specifying the behaviour and properties of a small system. There is a lot more to the theory of temporal logic, in terms of more sophisticated syntax and semantics, other deduction systems, relationships between temporal logic and automata, etc. In the revolutionary technique of *model checking*, used for automatic system verification, properties are stated in temporal logic. Artificial intelligence is also making use of temporal logic to reason with temporal knowledge.

1. Z. Manna, A. Pnueli, *The Temporal Logic of Reactive and Concurrent Systems*, Springer-Verlag, 1992.
2. S. Reeves, M. Clarke, *Logic for Computer Science*, Addison-Wesley, 1990.