Academic year: 2020


Temporal Logic

Representing and Reasoning about Change

Girish Keshav Palshikar

Tata Research Development and Design Centre (TRDDC),

54B, Hadapsar Industrial Estate, Pune 411013. email: girishp@pune.tcs.co.in

Introduction

How do we unambiguously represent knowledge about changes over time? What are the rigorous inference rules that can be used to deduce conclusions from such temporal knowledge? These are important questions that have found new relevance with the advent of modern computing and the deployment of dynamic software systems in safety-critical applications (e.g., in bio-medical, aviation, space and nuclear power plants) that continuously deal with a changing environment.

Propositional logic (PL) provides a simple framework that can be used to represent and reason about static (unchanging) logical relationships. However, it is not possible to represent and reason about temporal (time-dependent) relationships in PL. The reasons: PL does not accord any special status to time, dynamic (temporal) facts cannot be represented by its logical connectives and the deduction rules do not capture changes over time. For example, suppose we are given the following facts:

John will never become a lecturer unless he has previously completed his Ph.D.

John has not yet completed his Ph.D.

From these facts, one can conclude that “either John will complete his Ph.D. or he will never become a lecturer”. However, it is not possible to perform this reasoning in PL – we have somehow used a richer representation and reasoning mechanism that “works” with facts that change over time. These facts define relationships between different (unspecified) time instants. Note that in this reasoning example, we do not know what the time is “now”, nor when John will complete his Ph.D., nor when he will become a lecturer. Essentially, the facts define qualitative temporal relationships between events. It is possible to use first-order predicate logic (FOPL) to represent time-dependent facts by adding a special “time” argument to predicates. For example, by letting L(t) and P(t) denote the predicates “John is a lecturer at time t” and “John completed his Ph.D. at time t”, we can represent the first fact as the formula

∀t (L(t) → ∃t1 (P(t1) ∧ t1 < t)).

However, this approach is unsatisfactory for several reasons. For example, it needs special time variables that must be interpreted over a special pre-defined domain with certain properties such as an ordering (e.g., the set of natural numbers); there is no such restriction on “ordinary” variables in FOPL. To state other kinds of facts, we may need to introduce two time variables in a predicate, thereby complicating reasoning and understanding. It is not clear whether all temporal deductions can be performed within the FOPL framework. Finally, we are often interested in qualitative relationships between events without associating explicit “timestamps” with them. For this purpose, we shall focus on special temporal logics that extend the PL framework by adding temporal connectives.

The study of temporal logic received major attention in computer science when Amir Pnueli used a simple temporal logic to state properties of programs (remember that while a program is executing, the values of its variables change over time). Deep relationships have since been discovered between temporal logic and automata theory. Temporal logics now play a vital role in the specification and verification of programs (particularly safety-critical systems) as well as in artificial intelligence (AI), where they are used to represent knowledge that has temporal aspects.

Actually, there is no single temporal logic. Depending on whether the underlying model of time is discrete or continuous, whether time is represented by instants or by intervals, whether the flow of time is linear or branching, and whether past as well as future facts are allowed, several different temporal logics can be developed. We focus on the simplest linear, future-oriented, discrete-time propositional temporal logic, called PLTL [3]. We present a syntax and semantics for this logic, define a deduction system for it and discuss its relationship with finite automata.

Linear Propositional Temporal Logic (PLTL)

Let PROP be a given finite set of propositional symbols. A formula in PLTL has the following form:

p | ¬F | F ∧ G | F ∨ G | F → G | O F | ◇F | □F | F U G | F W G

where p is any proposition in PROP, and F and G are any formulae in PLTL. Here ¬ (not), ∧ (and), ∨ (or) and → (implies, or if-then) are the standard logical connectives. The temporal connectives (Table 1) are: O (next), ◇ (eventually or sometime), □ (always or henceforth), U (until) and W (unless, waiting-for or weak-until). For simplicity, we assume that the underlying time domain (i.e., the set of possible time instants) is the infinite set N = {0, 1, 2, …} of natural numbers, having the initial instant 0, along with the ordering ≤ between time instants.

Table 1. Intuitive meaning of the temporal connectives.

O F     true at instant i if F is true at the next instant i+1
□F      true at instant i if F is true at all future instants j such that j ≥ i
◇F      true at instant i if F is true at some future instant j such that j ≥ i
F U G   true at instant i if G is eventually true (at some j ≥ i) and F is true everywhere prior to G
F W G   true at instant i if either (G is eventually true and F is true everywhere prior to G) or F is true at all future instants j ≥ i

Some examples of formulae in PLTL are as follows (see also Box 1).

Whenever the lift is moving, the door is closed: □(lift_moving → door_closed)

Whenever the lift is called from floor 2, the request is eventually serviced: □(lift_call_from_2 → ◇lift_services_2)

The door always remains closed until the lift stops moving: □(door_closed U ¬lift_moving)


Box 1: Using Temporal Logic for System Specification and Verification

Consider a simple pumping control system (Figure 1) that transfers water from a source tank A into a sink tank B using a pump P. Each tank has a level-meter that measures the water level in the tank and sends it to the control system. The possible values for the water level are: empty, ok and full. Initially, both tanks are empty. The pump is to be switched on as soon as the water level in tank A reaches ok (from empty), provided that tank B is not full. The pump remains on as long as tank A is not empty and tank B is not full. The pump is to be switched off as soon as either tank A becomes empty or tank B becomes full. The system should not attempt to switch the pump off (on) if it is already off (on). While this example may appear trivial, as indeed it is, it is easy to extend it to a controller for a complex network of pumps and pipes controlling multiple source and sink tanks.

Figure 1. A simple two-tank pumping system: the pump P connects tank A to tank B, and each tank's level-meter reports empty, ok or full.

Some of these behavioural requirements are specified as the following PLTL formulae.

□(tank_A_empty ∨ tank_A_ok ∨ tank_A_full)
□(tank_A_empty → ¬(tank_A_ok ∨ tank_A_full))
□(tank_A_ok → ¬(tank_A_empty ∨ tank_A_full))
□(tank_A_full → ¬(tank_A_empty ∨ tank_A_ok))
□(tank_B_empty ∨ tank_B_ok ∨ tank_B_full)
□(tank_B_empty → ¬(tank_B_ok ∨ tank_B_full))
□(tank_B_ok → ¬(tank_B_empty ∨ tank_B_full))
□(tank_B_full → ¬(tank_B_empty ∨ tank_B_ok))
tank_A_empty ∧ tank_B_empty
□((tank_A_empty ∧ O tank_A_ok ∧ ¬O tank_B_full) → O pump_on)
□(pump_on → (pump_on W (tank_B_full ∨ tank_A_empty)))
□((pump_on ∧ (tank_A_empty ∨ tank_B_full)) → O ¬pump_on)

Several kinds of properties of the system can be stated as PLTL formulae, and deduction systems or other methods can be used to verify whether these properties follow from the requirements. (a) Is it possible that the pump is switched on when it is already on? (b) Is it possible that the pump is off when it should have been on?

as follows. The notation (σ, i) ⊨ F means that the PLTL formula F is true at the given instant i in the given state-sequence σ; (σ, i) ⊭ F means that F is false at instant i in σ.

(σ, i) ⊨ p if p ∈ s_i
(σ, i) ⊨ ¬F if (σ, i) ⊭ F
(σ, i) ⊨ (F ∧ G) if (σ, i) ⊨ F and (σ, i) ⊨ G
(σ, i) ⊨ (F ∨ G) if (σ, i) ⊨ F or (σ, i) ⊨ G
(σ, i) ⊨ (F → G) if (σ, i) ⊭ F or (σ, i) ⊨ G
(σ, i) ⊨ (O F) if (σ, i+1) ⊨ F
(σ, i) ⊨ (◇F) if there exists j ≥ i such that (σ, j) ⊨ F
(σ, i) ⊨ (□F) if for every j ≥ i, (σ, j) ⊨ F
(σ, i) ⊨ (F U G) if there exists j ≥ i such that (σ, j) ⊨ G and for all k with i ≤ k < j, (σ, k) ⊨ F
(σ, i) ⊨ (F W G) if (σ, i) ⊨ (F U G) or (σ, i) ⊨ (□F)

We use the notation σ ⊨ F to mean that the PLTL formula F is true at the initial instant 0 of the given state-sequence σ, i.e., σ ⊨ F iff (σ, 0) ⊨ F; we then say that F is initially satisfiable in σ and that σ is a model of F. If there exists a state-sequence σ such that F is initially satisfiable in σ, then F is said to be initially satisfiable; if no such state-sequence exists, then F is initially unsatisfiable. A PLTL formula F is initially valid (or simply valid), denoted ⊨ F, if it is initially satisfiable in all possible state-sequences over PROP. As an example, if PROP = {p, q} and σ = {p}, {p}, {p, q}, {p}, {p}, {p, q}, … then

(σ, 0) ⊨ (p ∧ ¬q)    (σ, 0) ⊭ q    (σ, 1) ⊨ (O q)    (σ, 2) ⊨ (p ∧ q)

σ ⊨ p    σ ⊨ (□p)    σ ⊨ (◇q)    σ ⊨ (□(◇q))    σ ⊨ (□(◇(O q)))

It is easy to see that the PLTL formulae p, p ∧ ¬q, (p ∧ q), (O q), (□p), (◇q), (□(◇q)) and (□(◇(O q))) are all initially satisfiable. The formulae □(p ∨ ¬p), ◇(p ∨ ¬p) and □((p ∧ □q) → (p ∧ ◇q)) are initially valid. The formulae □(p ∧ ¬p) and ◇(p ∧ ¬p) are initially unsatisfiable.

Formal Deduction System

We now have a syntax for defining formulae in PLTL and a way to assign meaning to these formulae. We next need inference rules to deduce new facts from a given set of PLTL formulae. Remember that valid formulae (i.e., tautologies) play a crucial role in reasoning and arguments. The logician Tarski characterised the process of deduction as follows. According to Tarski's celebrated theorem, given a set of formulae S = {F1, F2, …, Fn} and a conclusion C (given as another formula), C is a logical consequence of S if and only if the formula (F1 ∧ F2 ∧ … ∧ Fn) → C is valid. We therefore need a systematic method to prove that a given formula is indeed valid.

formulae (p → q) and (¬q). Given a set S = {F1, F2, …, Fm} of formulae (called assumptions) and another formula G (called the goal), a proof of G from S in an FDS is a sequence of formulae H1, H2, …, Hn = G such that every Hi is either (i) an assumption (i.e., Hi ∈ S), or (ii) an instance of some axiom Ai, or (iii) obtained from two earlier members Hj and Hk (j, k < i) by a direct application of the MP rule. If G has a proof from S in the FDS, then G is said to be provable within the FDS, denoted S ⊢ G. An FDS is sound if every provable formula is valid, and complete if every valid formula is provable. More formally, an FDS is sound and complete if for every set S = {F1, F2, …, Fm} of formulae (assumptions) and every formula G, S ⊢ G if and only if ((F1 ∧ F2 ∧ … ∧ Fm) → G) is a tautology (i.e., it is valid). Note that if the set S is empty, then a proof of ∅ ⊢ G amounts to proving that the formula G is valid (i.e., a tautology). Proving that a particular FDS for a particular logic is sound and complete is often difficult.

Box 2 shows an FDS for simple PL and an example of proving a formula from assumptions using this deduction system [2]. There are other FDSs for PL using other axioms and other deduction rules. Manually performing proofs in an FDS is a notoriously difficult task. Many automated theorem-proving systems (e.g., PVS, Isabelle or HOL) provide built-in facilities that can perform many (but not all) proofs automatically, within the strict framework of an FDS.

Box 2: A Formal Deduction System for Simple Propositional Logic [2]

Axioms:

(A1) (F → (G → F))

(A2) ((F → (G → H)) → ((F → G) → (F → H)))

(A3) (((¬F) → (¬G)) → (G → F))

Deduction (Inference) Rule (called modus ponens (MP)): From F and (F → G) deduce G, for any formulae F and G.

We now show that {p, (q → (p → r))} ⊢ (q → r), i.e., we prove (q → r) from {p, (q → (p → r))}.

(1) p                                          assumption
(2) (q → (p → r))                              assumption
(3) (p → (q → p))                              instance of A1
(4) (q → p)                                    MP with (1) and (3)
(5) ((q → (p → r)) → ((q → p) → (q → r)))      instance of A2
(6) ((q → p) → (q → r))                        MP with (2) and (5)
(7) (q → r)                                    MP with (4) and (6)

We now describe a sound and complete FDS [1] for the temporal logic PLTL. We assume that PLTL consists of only the O and W temporal connectives; other temporal connectives are defined in terms of these two, as given below. Whenever a PLTL formula contains any other temporal connectives, they are replaced with their equivalent formulations in terms of these two temporal connectives.

to be valid (for this purpose, the FDS can be augmented to include axioms and deduction rules for simple non-temporal PL, such as the ones described earlier).

Axioms:

(F0) □F → F
If F holds at all instants from now on, then in particular F holds at the current instant.

(F1) ¬OF ↔ O¬F
The connective O is self-dual.

(F2) O(F → G) ↔ (OF → OG)
O distributes over →, i.e., F → G holds at the next instant iff OF → OG holds at the current instant.

(F3) □(F → G) → (□F → □G)
Weak distribution of □ over →, i.e., if F → G holds at all instants from i on and F holds at all those instants, then so does G.

(F4) □F → □OF
If F holds at all instants then OF also holds at all instants.

(F5) □(F → OF) → (F → □F)
(Temporal induction) If, whenever F holds at some instant, it also holds at the next instant, then whenever F holds at instant i, it also holds at all future instants j ≥ i.

(F6) (F W G) ↔ (G ∨ (F ∧ O(F W G)))
F W G holds at instant i iff either G holds at i, or F holds at i and F W G holds at i+1.

(F7) □F → (F W G)
If F holds at all instants then F W G holds, whatever G is.

We now describe a set of deduction rules for PLTL; here F and G are arbitrary formulae. The basic deduction rules in this FDS can be augmented with further rules to simplify deductions or proofs. We omit the proof that this FDS is sound and complete.

Deduction Rules:

Generalization rule GEN: If F is a valid non-temporal formula in simple PL, then conclude □F.

Specialization rule SPEC: If □F is valid in PLTL, then conclude F.

Instantiation rule INST: From any formula scheme F conclude F[p := φ], where F[p := φ] is the formula obtained from F by replacing every occurrence of the proposition p in F by the formula φ.

Modus ponens rule MP: From F and (F → G) deduce G, for any formulae F and G. Another way to state MP: from (F1 ∧ F2 ∧ … ∧ Fn) → G and F1, F2, …, Fn conclude G.

As an example, the proof of {□p} ⊢ p W q is given below.

(1) □p → (p W q)          axiom F7
(2) □(□p → (p W q))       (1) and definition of □
(3) (□p → (p W q))        (2) and SPEC
(4) □p                    assumption
(5) p W q                 (3), (4) and MP
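The checker below is an added example, not part of the article: it mechanises the definition of a proof given earlier, so that each line must be an assumption, an instance of an axiom scheme, or follow from earlier lines by MP, SPEC or GEN. Axiom instances are recognised by matching the scheme against the concrete formula, which is exactly what INST licenses. It verifies the seven-step proof of Box 2 and the proof of {□p} ⊢ p W q above, and rejects a bogus attempt to derive p W q from p alone. One choice is this example's own assumption, following the formulation of Manna and Pnueli [1] rather than the wording above: GEN is accepted on any line that depends on no assumption (such a line is provable from the axioms alone and hence valid), which is what step (2) of the PLTL proof needs. The names check_proof, match, is_instance and BadStep are the example's own.

```python
"""Added example: a checker for proofs in the deduction systems of Box 2 and PLTL.
Formulas are nested tuples; the scheme variables F, G, H of an axiom are ("var", name)
and are instantiated by matching against a concrete formula (the INST rule)."""


def V(name):       return ("var", name)
def P(name):       return ("p", name)
def Not(f):        return ("not", f)
def And(f, g):     return ("and", f, g)
def Or(f, g):      return ("or", f, g)
def Imp(f, g):     return ("imp", f, g)
def Iff(f, g):     return ("iff", f, g)
def Next(f):       return ("O", f)
def Alw(f):        return ("[]", f)
def Unless(f, g):  return ("W", f, g)


F, G, H = V("F"), V("G"), V("H")
AXIOMS = {
    "A1": Imp(F, Imp(G, F)),                                     # Box 2 (simple PL)
    "A2": Imp(Imp(F, Imp(G, H)), Imp(Imp(F, G), Imp(F, H))),
    "A3": Imp(Imp(Not(F), Not(G)), Imp(G, F)),
    "F0": Imp(Alw(F), F),                                        # PLTL, as printed above
    "F1": Iff(Not(Next(F)), Next(Not(F))),
    "F2": Iff(Next(Imp(F, G)), Imp(Next(F), Next(G))),
    "F3": Imp(Alw(Imp(F, G)), Imp(Alw(F), Alw(G))),
    "F4": Imp(Alw(F), Alw(Next(F))),
    "F5": Imp(Alw(Imp(F, Next(F))), Imp(F, Alw(F))),
    "F6": Iff(Unless(F, G), Or(G, And(F, Next(Unless(F, G))))),
    "F7": Imp(Alw(F), Unless(F, G)),
}


def match(scheme, formula, env):
    """Extend env so that scheme instantiated by env equals formula; None if impossible."""
    if scheme[0] == "var":
        if scheme[1] not in env:
            env[scheme[1]] = formula
        return env if env[scheme[1]] == formula else None
    if scheme[0] != formula[0] or len(scheme) != len(formula):
        return None
    if scheme[0] == "p":
        return env if scheme[1] == formula[1] else None
    for s, f in zip(scheme[1:], formula[1:]):
        if match(s, f, env) is None:
            return None
    return env


def is_instance(scheme, formula):
    return match(scheme, formula, {}) is not None


class BadStep(Exception):
    pass


def check_proof(assumptions, steps, goal):
    """steps: list of (formula, justification), justification one of ("assumption",),
    ("axiom", name), ("MP", i, j), ("SPEC", i), ("GEN", i) with 1-based step numbers
    as in the text. Returns (True, "proved") or (False, reason). Each line records the
    assumptions it depends on, so GEN is only applied to lines provable from axioms alone."""
    lines = []                       # (formula, frozenset of assumption indices)
    try:
        for n, (formula, just) in enumerate(steps, 1):
            rule = just[0]
            if rule in ("MP", "SPEC", "GEN"):
                if not all(1 <= k < n for k in just[1:]):
                    raise BadStep("step %d: refers to a step that is not earlier" % n)
                prev = [lines[k - 1] for k in just[1:]]
            if rule == "assumption":
                if formula not in assumptions:
                    raise BadStep("step %d: not an assumption" % n)
                deps = frozenset([assumptions.index(formula)])
            elif rule == "axiom":
                if just[1] not in AXIOMS or not is_instance(AXIOMS[just[1]], formula):
                    raise BadStep("step %d: not an instance of %s" % (n, just[1]))
                deps = frozenset()
            elif rule == "MP":           # from X and X -> Y conclude Y (either order)
                (f1, d1), (f2, d2) = prev
                if Imp(f1, formula) != f2 and Imp(f2, formula) != f1:
                    raise BadStep("step %d: MP does not apply" % n)
                deps = d1 | d2
            elif rule == "SPEC":         # from []X conclude X
                (f1, deps), = prev
                if f1 != Alw(formula):
                    raise BadStep("step %d: SPEC needs a [] formula" % n)
            elif rule == "GEN":          # from valid X conclude []X
                (f1, deps), = prev
                if deps or formula != Alw(f1):
                    raise BadStep("step %d: GEN needs an assumption-free line" % n)
            else:
                raise BadStep("step %d: unknown rule %r" % (n, rule))
            lines.append((formula, deps))
        if not lines or lines[-1][0] != goal:
            raise BadStep("last line is not the goal")
    except (BadStep, ValueError) as e:
        return False, str(e)
    return True, "proved"


p, q, r = P("p"), P("q"), P("r")
BOX2_PROOF = [                                   # {p, q -> (p -> r)} |- q -> r
    (p, ("assumption",)),
    (Imp(q, Imp(p, r)), ("assumption",)),
    (Imp(p, Imp(q, p)), ("axiom", "A1")),
    (Imp(q, p), ("MP", 1, 3)),
    (Imp(Imp(q, Imp(p, r)), Imp(Imp(q, p), Imp(q, r))), ("axiom", "A2")),
    (Imp(Imp(q, p), Imp(q, r)), ("MP", 2, 5)),
    (Imp(q, r), ("MP", 4, 6)),
]
PLTL_PROOF = [                                   # {[]p} |- p W q
    (Imp(Alw(p), Unless(p, q)), ("axiom", "F7")),
    (Alw(Imp(Alw(p), Unless(p, q))), ("GEN", 1)),
    (Imp(Alw(p), Unless(p, q)), ("SPEC", 2)),
    (Alw(p), ("assumption",)),
    (Unless(p, q), ("MP", 3, 4)),
]
BOGUS_PROOF = [                                  # tries to get p W q from p alone
    (p, ("assumption",)),
    (Alw(p), ("GEN", 1)),                        # rejected: line 1 rests on an assumption
    (Imp(Alw(p), Unless(p, q)), ("axiom", "F7")),
    (Unless(p, q), ("MP", 2, 3)),
]
```

The bogus proof is where the dependency tracking earns its keep: p alone does not give □p, and a checker that let GEN apply to any earlier line would accept it.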


Thus we need to prove that {(p) W q, p}├q (p). The formal proof, using the axioms and deduction rules is somewhat involved (Try it. Use simplification rules if necessary).

Classes of Properties

Typically, a hardware, software or control system being built is specified or modelled in some notation such as finite state machines (FSM). PLTL can be used to state various desirable properties of the system, and verification tools can automatically check that the model or specification (e.g., an FSM) satisfies a given property stated as a PLTL formula. In this way the designer gains confidence that the system model is correct. System properties typically fall into certain classes, and the PLTL formulae for the properties within a class have a similar structure (Table 2). There are several other interesting classes of properties, e.g., liveness, justice, fairness, reachability, timing, compassion, boundedness, starvation-freedom, deadlock-freedom etc. In Table 2 we assume that F, G, X, Y are non-temporal formulae, i.e., they contain no temporal connectives. (Can you state and classify some properties of the system in Box 1?)

Table 2. Classes of system properties stated using PLTL.

Property            Formula                          Meaning
Safety              □F                               F holds at all instants
Conditional safety  F → □G                           When F holds, G holds at that and all future instants
Guarantee           ◇F                               F holds at at least one future instant
Obligation          □F ∨ ◇G (equivalently ◇¬F → ◇G)  Either F holds at all instants or G holds at some instant
Response-1          □◇F                              Infinitely many future instants satisfy F
Response-2          □(F → ◇G)                        Whenever F occurs, G occurs at the same or a later instant
Persistence         ◇□F                              All except finitely many instants satisfy F
Reactivity          □◇F ∨ ◇□G (or □◇X → □◇Y)         Either F occurs at infinitely many instants or G holds at all except finitely many instants

Liveness: something “good” eventually happens.

Deadlock freedom: a program that is expected to terminate always eventually reaches its terminal state, and a program that is not expected to terminate never reaches a terminal state.

Justice: either a transition τ is disabled infinitely many times or it is taken infinitely many times.

Compassion: if a transition τ is enabled infinitely many times then it is taken infinitely many times.

Livelock (starvation) freedom: no individual process starves.

Conclusions

We presented an introduction to the mathematical framework of a simple propositional linear temporal logic, PLTL, that allows us to state temporal knowledge and deduce new facts from it. We illustrated its use for specifying the behaviour and properties of a small system. There is a lot more to the theory of temporal logic, in terms of more sophisticated syntax and semantics, other deduction systems, relationships between temporal logic and automata, etc. In the revolutionary technique of model checking, used for automatic system verification, properties are stated in temporal logic. Artificial intelligence also makes use of temporal logic to reason with temporal knowledge.

References

1. Z. Manna, A. Pnueli, The Temporal Logic of Reactive and Concurrent Systems, Springer-Verlag, 1992.

2. S. Reeves, M. Clarke, Logic for Computer Science, Addison-Wesley, 1990.
