Logics and Translations for Inconsistency-tolerant Model Checking
Norihiro Kamide¹ and Kazuki Endo²
¹ Teikyo University, Faculty of Science and Engineering, Department of Information and Electronic Engineering, Toyosatodai 1-1, Utsunomiya-shi, Tochigi 320-8551, Japan
² Teikyo University, Faculty of Science and Engineering, Department of Human Information Systems, Toyosatodai 1-1, Utsunomiya-shi, Tochigi 320-8551, Japan
Keywords: Model Checking, Paraconsistent Logic, Linear-time Temporal Logic, Computation-tree Logic, Embedding Theorem.
Abstract: In this study, we develop logics and translations for inconsistency-tolerant (or paraconsistent) model checking that can be used to verify systems with inconsistencies. Paraconsistent linear-time temporal logic (pLTL) and paraconsistent computation tree logic (pCTL) are introduced, and these are extensions of standard linear-time temporal logic (LTL) and standard computation tree logic (CTL), respectively. These novel logics can be applied when handling inconsistency-tolerant temporal reasoning. These logics are also regarded as four-valued temporal logics that extend the four-valued logic of Belnap and Dunn. Translations from pLTL into LTL and pCTL into CTL are defined, and these are used to prove the theorems for embedding pLTL into LTL and pCTL into CTL. These embedding theorems allow the standard LTL- and CTL-based model checking algorithms to be used for verifying inconsistent systems that are modeled and specified by pLTL and pCTL. A new illustrative example for inconsistency-tolerant model checking is also presented on the basis of the proposed logics and translations.
1 INTRODUCTION
Inconsistencies are frequent and inevitable when verifying and specifying large, complex, and open systems. The goal of this study is to develop simple logics and translations for inconsistency-tolerant model checking (or paraconsistent model checking) that can be used to verify systems with inconsistencies. Model checking is a formal and automated technique for verifying concurrent systems (Clarke and Emerson, 1981; Clarke et al., 1999; Holzmann, 2006). We develop two novel and simple paraconsistent four-valued temporal logics: paraconsistent linear-time temporal logic (pLTL) and paraconsistent computation tree logic (pCTL). These are extensions of the standard temporal logics: linear-time temporal logic (LTL) (Pnueli, 1977) and computation-tree logic (CTL) (Clarke and Emerson, 1981), typically used in model checking. pLTL and pCTL may be applied when handling inconsistency-tolerant temporal reasoning, and may also provide the base logics for inconsistency-tolerant model checking. These four-valued temporal logics are also regarded as extensions of Belnap and Dunn’s four-valued logic (Belnap, 1977b; Belnap, 1977a; Dunn, 1976). In this paper, we define the translations of pLTL into LTL and pCTL into CTL. These translations will be used to prove the theorems for embedding pLTL into LTL and pCTL into CTL. These embedding theorems allow us to repurpose the standard LTL- and CTL-based model checking algorithms for verifying inconsistent systems that are modeled and specified by pLTL and pCTL.
LTL (Pnueli, 1977) is one of the most useful temporal logics for model checking based on the linear-time paradigm, which uses linear order to represent the passage of time. CTL (Clarke and Emerson, 1981) is another form of temporal logic that is widely used for model checking. It is based on the branching-time paradigm that uses computation trees to represent the passage of time. Since these standard temporal logics lack paraconsistency, they are unsuitable for specifying and verifying inconsistent systems. The satisfaction relation ⊨ of a logic is considered to be paraconsistent with respect to a negation connective ∼ if the following condition holds: ∃α, β (M, x) ⊭ (α ∧ ∼α)→β, where x is a state or position in a semantic structure M of the underlying logic. This condition reflects that formulas of the form (α ∧ ∼α)→β are not valid in the underlying logics.
Kamide, N. and Endo, K.
Logics and Translations for Inconsistency-tolerant Model Checking.
DOI: 10.5220/0006640601910200
In Proceedings of the 10th International Conference on Agents and Artificial Intelligence (ICAART 2018) - Volume 2, pages 191-200
ISBN: 978-989-758-275-2
Copyright © 2018 by SCITEPRESS Science and Technology Publications, Lda. All rights reserved
Compared to other non-classical logics, paraconsistent logics such as pLTL and pCTL can be appropriately used in inconsistency-tolerant reasoning (Priest, 2002; da Costa et al., 1995; Wansing, 1993). For example, the following scenario is undesirable: (s(x) ∧ ∼s(x))→d(x) is valid for any symptom s and disease d, where ∼s(x) implies that “a person x does not have a symptom s” and d(x) implies that “a person x suffers from a disease d.” The inconsistent scenario written as melancholia(john) ∧ ∼melancholia(john) will inevitably arise from the uncertain definition of melancholia; the statement “John has melancholia” may be judged true or false based on the perception of different pathologists. In this case, the formula (melancholia(john) ∧ ∼melancholia(john))→cancer(john) is valid in classical logic (as an inconsistency that has an undesirable consequence), but invalid in paraconsistent logics (as these logics are inconsistency-tolerant). Typical examples of non-temporal paraconsistent logics are Belnap and Dunn’s four-valued logic (Belnap, 1977b; Belnap, 1977a; Dunn, 1976) and Nelson’s paraconsistent four-valued logic (Almukdad and Nelson, 1984; Nelson, 1949). The proposed logics, pLTL and pCTL, are based on these typical paraconsistent four-valued logics.
The idea of introducing paraconsistent versions of LTL and CTL is not a new one. Multi-valued computation tree logic, χCTL, was introduced by Easterbrook and Chechik (Easterbrook and Chechik, 2001) as the base logic for multi-valued model checking, which is considered to be the first framework for inconsistency-tolerant model checking. Quasi-classical temporal logic, QCTL, was introduced by Chen and Wu (Chen and Wu, 2006) to verify inconsistent concurrent systems using inconsistency-tolerant model checking. Paraconsistent full computation tree logic, PCTL*, proposed by Kamide (Kamide, 2006), applied bisimulations to inconsistency-tolerant model checking. Another paraconsistent linear-time temporal logic, PLTL, was introduced by Kamide and Wansing (Kamide and Wansing, 2011) to obtain a cut-free and complete Gentzen-type sequent calculus. Another paraconsistent computation tree logic, PCTL, was proposed by Kamide and Kaneiwa (Kamide and Kaneiwa, 2010; Kaneiwa and Kamide, 2011), providing an alternative inconsistency-tolerant model checking framework. Kamide (Kamide, 2015) also introduced sequence-indexed paraconsistent computation tree logic, SPCTL, which extended CTL by adding a paraconsistent negation connective and a sequence modal operator. SPCTL was used for the representation and verification of medical reasoning with hierarchical and inconsistent information. Paraconsistent probabilistic computation tree logic, PpCTL, was introduced by Kamide and Koizumi (Kamide and Koizumi, 2016) for the verification of randomized and stochastic inconsistent systems.
In this study, we developed pLTL and pCTL as novel versions of paraconsistent linear-time temporal logic and paraconsistent computation tree logic by extending LTL and CTL, respectively. While PLTL (Kamide and Wansing, 2011), PCTL (Kamide and Kaneiwa, 2010; Kaneiwa and Kamide, 2011), SPCTL (Kamide, 2015), and PpCTL (Kamide and Koizumi, 2016) have two types of dual satisfaction relations ⊨+ (verification or justification) and ⊨− (refutation or falsification), pLTL and pCTL are simpler, having a single satisfaction relation ⊨* that is highly compatible with the standard single satisfaction relations of LTL and CTL. These single satisfaction relations provide simple proofs for the embedding theorems of pLTL and pCTL, and the paraconsistent negation connective used in pLTL and pCTL can be simply formalized and uniformly handled. pLTL is also more expressive than PLTL, since PLTL lacks the standard until and release temporal operators found in LTL. Furthermore, pLTL and pCTL employ novel sets of axiom schemes for combining the paraconsistent negation connective ∼, classical negation connective ¬, and implication connective →. The negated implication and negation axioms used in pLTL and pCTL are ∼(α→β) ↔ ¬∼α ∧ ∼β and ∼¬α ↔ ¬∼α. These axiom schemes, recently introduced by De and Omori, are natural and plausible from the point of view of many-valued semantics (De and Omori, 2015). The logic BD+ (De and Omori, 2015) of these axiom schemes was shown to be essentially equivalent to Béziau’s four-valued modal logic PM4N (Beziau, 2011) and Zaitsev’s paraconsistent logic FDEP (Zaitsev, 2012).
The contents of this paper are organized as follows.
Section 2 discusses the linear-time case based on LTL and pLTL. The new formulation pLTL is introduced on the basis of the single satisfaction relation ⊨*. A function translating pLTL into LTL is defined. This is a simplification of the translation functions used in (Kamide and Wansing, 2011; Kamide and Kaneiwa, 2010; Kaneiwa and Kamide, 2011; Kamide, 2015; Kamide and Koizumi, 2016). The proposed translation function is then used to prove the theorem for embedding pLTL into LTL. The present and previous versions of these translation functions are regarded as modifications or extensions of those used by Gurevich (Gurevich, 1977), Rautenberg (Rautenberg, 1979), and Vorob’ev (Vorob’ev, 1952) to embed Nelson’s constructive logic (Almukdad and Nelson, 1984; Nelson, 1949) into intuitionistic logic. Similar translations have recently been used (Kamide, 2016; Kamide and Shramko, 2017) to embed some of the paraconsistent logics into classical logic.
Section 3 discusses the branching-time case based on CTL and pCTL. Similar to the linear-time case, pCTL is introduced on the basis of the single satisfaction relation ⊨*, a function translating pCTL to CTL is defined, and the theorem for embedding pCTL into CTL is proved. The translation function is constructed in a similar manner to that of pLTL.
Section 4 presents a new illustrative example for inconsistency-tolerant model checking on the basis of the proposed logics and translations.
Section 5 concludes the paper. It is noted that two further alternative logics, pLTL⋆ and pCTL⋆, can be respectively obtained from pLTL and pCTL by replacing the axiom schemes ∼(α→β) ↔ ¬∼α ∧ ∼β and ∼¬α ↔ ¬∼α with the axiom schemes ∼(α→β) ↔ α ∧ ∼β and ∼¬α ↔ α by Odintsov (Odintsov, 2005). It is further noted that, by appropriate modification of the translation functions for pLTL and pCTL, the embedding theorems for pLTL⋆ into LTL and pCTL⋆ into CTL can also be obtained.
2 LINEAR-TIME CASE
Formulas of linear-time temporal logic (LTL) are constructed from countably many propositional variables, → (implication), ∧ (conjunction), ∨ (disjunction), ¬ (classical negation), X (next), G (globally), F (eventually), U (until) and R (release). An expression α ↔ β is used to denote (α→β) ∧ (β→α). Lower-case letters p, q, ... are used to denote propositional variables, and Greek lower-case letters α, β, ... are used to denote formulas. The symbol ω is used to represent the set of natural numbers. Lower-case letters i, j and k are used to denote any natural numbers. The symbol ≥ or ≤ is used to represent the linear order on ω. An expression A ≡ B is used to indicate the syntactical identity between A and B.
Definition 2.1. Formulas of LTL are defined by the following grammar, assuming p represents propositional variables:
α ::= p | α ∧ α | α ∨ α | α→α | ¬α | Xα | Gα | Fα | αUα | αRα.
Definition 2.2 (LTL). Let S be a non-empty set of states, and Φ be the set of propositional variables.
A structure M := (σ, I) is a model iff
1. σ is an infinite sequence s_0, s_1, s_2, ... of states in S,
2. I is a mapping from Φ to the power set of S.
A satisfaction relation (M, i) ⊨ α for any formula α, where M is a model (σ, I) and i (∈ ω) represents some position within σ, is defined inductively by:
1. for any p ∈ Φ, (M, i) ⊨ p iff s_i ∈ I(p),
2. (M, i) ⊨ α ∧ β iff (M, i) ⊨ α and (M, i) ⊨ β,
3. (M, i) ⊨ α ∨ β iff (M, i) ⊨ α or (M, i) ⊨ β,
4. (M, i) ⊨ α→β iff (M, i) ⊨ α implies (M, i) ⊨ β,
5. (M, i) ⊨ ¬α iff (M, i) ⊭ α,
6. (M, i) ⊨ Xα iff (M, i + 1) ⊨ α,
7. (M, i) ⊨ Gα iff ∀j ≥ i [(M, j) ⊨ α],
8. (M, i) ⊨ Fα iff ∃j ≥ i [(M, j) ⊨ α],
9. (M, i) ⊨ αUβ iff ∃j ≥ i [(M, j) ⊨ β and ∀i ≤ k < j (M, k) ⊨ α],
10. (M, i) ⊨ αRβ iff ∀j ≥ i [(M, j) ⊨ β or ∃i ≤ k < j (M, k) ⊨ α].
A formula α is valid in LTL iff (M, 0) ⊨ α for any model M := (σ, I).
The language of paraconsistent linear-time temporal logic (pLTL) is obtained from that of LTL by adding ∼ (paraconsistent negation).
Definition 2.3. Formulas of pLTL are defined by the following grammar, assuming p represents propositional variables:
α ::= p | α ∧ α | α ∨ α | α→α | ¬α | ∼α | Xα | Gα | Fα | αUα | αRα.
Definition 2.4 (pLTL). Let S be a non-empty set of states, Φ be the set of propositional variables and Φ^∼ be the set {∼p | p ∈ Φ} of negated propositional variables.
A structure M := (σ, I*) is a paraconsistent model iff
1. σ is an infinite sequence s_0, s_1, s_2, ... of states in S,
2. I* is a mapping from Φ ∪ Φ^∼ to the power set of S.
A paraconsistent satisfaction relation (M, i) ⊨* α for any formula α, where M is a paraconsistent model (σ, I*) and i (∈ ω) represents some position within σ, is defined inductively by:
1. for any p ∈ Φ, (M, i) ⊨* p iff s_i ∈ I*(p),
2. for any ∼p ∈ Φ^∼, (M, i) ⊨* ∼p iff s_i ∈ I*(∼p),
3. (M, i) ⊨* α ∧ β iff (M, i) ⊨* α and (M, i) ⊨* β,
4. (M, i) ⊨* α ∨ β iff (M, i) ⊨* α or (M, i) ⊨* β,
5. (M, i) ⊨* α→β iff (M, i) ⊨* α implies (M, i) ⊨* β,
6. (M, i) ⊨* ¬α iff (M, i) ⊭* α,
7. (M, i) ⊨* Xα iff (M, i + 1) ⊨* α,
8. (M, i) ⊨* Gα iff ∀j ≥ i [(M, j) ⊨* α],
9. (M, i) ⊨* Fα iff ∃j ≥ i [(M, j) ⊨* α],
10. (M, i) ⊨* αUβ iff ∃j ≥ i [(M, j) ⊨* β and ∀i ≤ k < j (M, k) ⊨* α],
11. (M, i) ⊨* αRβ iff ∀j ≥ i [(M, j) ⊨* β or ∃i ≤ k < j (M, k) ⊨* α],
12. (M, i) ⊨* ∼∼α iff (M, i) ⊨* α,
13. (M, i) ⊨* ∼(α ∧ β) iff (M, i) ⊨* ∼α or (M, i) ⊨* ∼β,
14. (M, i) ⊨* ∼(α ∨ β) iff (M, i) ⊨* ∼α and (M, i) ⊨* ∼β,
15. (M, i) ⊨* ∼(α→β) iff (M, i) ⊭* ∼α and (M, i) ⊨* ∼β,
16. (M, i) ⊨* ∼¬α iff (M, i) ⊭* ∼α,
17. (M, i) ⊨* ∼Xα iff (M, i + 1) ⊨* ∼α,
18. (M, i) ⊨* ∼Gα iff ∃j ≥ i [(M, j) ⊨* ∼α],
19. (M, i) ⊨* ∼Fα iff ∀j ≥ i [(M, j) ⊨* ∼α],
20. (M, i) ⊨* ∼(αUβ) iff ∀j ≥ i [(M, j) ⊨* ∼β or ∃i ≤ k < j (M, k) ⊨* ∼α],
21. (M, i) ⊨* ∼(αRβ) iff ∃j ≥ i [(M, j) ⊨* ∼β and ∀i ≤ k < j (M, k) ⊨* ∼α].
A formula α is valid in pLTL iff (M, 0) ⊨* α for any paraconsistent model M := (σ, I*).
We make some remarks.
1. pLTL is paraconsistent with respect to ∼. The reason is explained as follows. Assume a paraconsistent model M := (σ, I*) such that s_i ∈ I*(p), s_i ∈ I*(∼p) and s_i ∉ I*(q) for a pair of distinct propositional variables p and q. Then, (M, i) ⊨* (p ∧ ∼p)→q does not hold.
2. pLTL is regarded as a four-valued logic. The reason is explained as follows. For each i ∈ σ and each formula α, we can take one of the following four cases:
(a) α is verified at i, i.e., (M, i) ⊨* α,
(b) α is falsified at i, i.e., (M, i) ⊨* ∼α,
(c) α is both verified and falsified at i,
(d) α is neither verified nor falsified at i.
Next, we define a translation function f from pLTL into LTL.
Definition 2.5. Let Φ be a non-empty set of propositional variables, and Φ′ be the set {p′ | p ∈ Φ} of propositional variables. The language L^p (the set of formulas) of pLTL is defined using Φ, ∧, ∨, →, ¬, X, G, F, U, R and ∼. The language L of LTL is obtained from L^p by adding Φ′ and deleting ∼.
A mapping f from L^p to L is defined inductively by:
1. for any p ∈ Φ, f(p) := p and f(∼p) := p′ ∈ Φ′,
2. f(α ♯ β) := f(α) ♯ f(β) where ♯ ∈ {∧, ∨, →, U, R},
3. f(♯α) := ♯f(α) where ♯ ∈ {¬, X, F, G},
4. f(∼∼α) := f(α),
5. f(∼(α ∧ β)) := f(∼α) ∨ f(∼β),
6. f(∼(α ∨ β)) := f(∼α) ∧ f(∼β),
7. f(∼(α→β)) := ¬f(∼α) ∧ f(∼β),
8. f(∼♯α) := ♯f(∼α) where ♯ ∈ {¬, X},
9. f(∼Fα) := G f(∼α),
10. f(∼Gα) := F f(∼α),
11. f(∼(αUβ)) := f(∼α) R f(∼β),
12. f(∼(αRβ)) := f(∼α) U f(∼β).
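An added example, not code from the paper: a Python sketch of the translation f of Definition 2.5, with a one-state evaluator that replays the paraconsistency remark above inside the LTL model N of Lemma 2.6. The tuple encoding of formulas, the function names and the trailing apostrophe used for p′ are assumptions of this example.

```python
# Added example (not from the paper): the translation f of Definition 2.5.
# Formulas are nested tuples; the tags are this example's own encoding.
# "not" is classical negation (¬), "neg" is paraconsistent negation (∼).

BINARY = {"and", "or", "imp", "U", "R"}          # clause 2
UNARY = {"not", "X", "F", "G"}                   # clause 3
DUAL = {"F": "G", "G": "F", "U": "R", "R": "U", "and": "or", "or": "and"}


def var(name):
    return ("var", name)


def _checked(name):
    # Assumption of this sketch: input variables carry no apostrophe, so the
    # fresh variables p' of Φ′ can never collide with variables of Φ.
    if "'" in name:
        raise ValueError(f"variable name {name!r} clashes with the p' encoding")
    return name


def translate(phi):
    """Map a pLTL formula to an LTL formula without "neg" (Definition 2.5)."""
    op = phi[0]
    if op == "var":                                   # clause 1: f(p) := p
        return var(_checked(phi[1]))
    if op in BINARY:                                  # clause 2
        return (op, translate(phi[1]), translate(phi[2]))
    if op in UNARY:                                   # clause 3
        return (op, translate(phi[1]))
    if op != "neg":
        raise ValueError(f"unknown connective: {op!r}")

    body = phi[1]
    inner = body[0]
    if inner == "var":                                # clause 1: f(∼p) := p'
        return var(_checked(body[1]) + "'")
    if inner == "neg":                                # clause 4
        return translate(body[1])
    if inner in ("and", "or", "U", "R"):              # clauses 5, 6, 11, 12
        return (DUAL[inner],
                translate(("neg", body[1])),
                translate(("neg", body[2])))
    if inner == "imp":                                # clause 7
        return ("and",
                ("not", translate(("neg", body[1]))),
                translate(("neg", body[2])))
    if inner in ("not", "X"):                         # clause 8
        return (inner, translate(("neg", body[1])))
    if inner in ("F", "G"):                           # clauses 9, 10
        return (DUAL[inner], translate(("neg", body[1])))
    raise ValueError(f"unknown connective under neg: {inner!r}")


def holds_now(phi, labels):
    """Evaluate an LTL formula without temporal operators at one state.

    labels is the set of variables true at that state, i.e. the state's
    membership in I(p) and I(p') for the model N built in Lemma 2.6.
    """
    op = phi[0]
    if op == "var":
        return phi[1] in labels
    if op == "not":
        return not holds_now(phi[1], labels)
    if op == "and":
        return holds_now(phi[1], labels) and holds_now(phi[2], labels)
    if op == "or":
        return holds_now(phi[1], labels) or holds_now(phi[2], labels)
    if op == "imp":
        return (not holds_now(phi[1], labels)) or holds_now(phi[2], labels)
    raise ValueError(f"temporal or unknown connective: {op!r}")


# Constructed sample formulas for the paraconsistency remark.
P, Q = var("p"), var("q")
EXPLOSION = ("imp", ("and", P, ("neg", P)), Q)        # (p ∧ ∼p) → q
CLASSICAL = ("imp", ("and", P, ("not", P)), Q)        # (p ∧ ¬p) → q


def remark_1_counterexample():
    # A state in I*(p) and I*(∼p) but not in I*(q) carries p and p' in N.
    return holds_now(translate(EXPLOSION), {"p", "p'"})
```

With ∼ the implication fails at the constructed state, while the same formula with classical ¬ holds at every state, which is the difference the embedding preserves.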
In order to obtain the theorem for embedding pLTL into LTL, we need to show some lemmas.
Lemma 2.6. Let f be the mapping defined in Definition 2.5, and S be a non-empty set of states. For any paraconsistent model M := (σ, I*) of pLTL, any paraconsistent satisfaction relation ⊨* on M, and any state s_i in σ, we can construct a model N := (σ, I) of LTL and a satisfaction relation ⊨ on N such that for any formula α in L^p, (M, i) ⊨* α iff (N, i) ⊨ f(α).
Proof. Let Φ be a non-empty set of propositional variables, Φ^∼ be {∼p | p ∈ Φ}, and Φ′ be {p′ | p ∈ Φ}. Suppose that M is a paraconsistent model (σ, I*) where I* is a mapping from Φ ∪ Φ^∼ to the power set of S. We then define a model N := (σ, I) such that
1. I is a mapping from Φ ∪ Φ′ to the power set of S,
2. for any s_i in σ,
(a) s_i ∈ I*(p) iff s_i ∈ I(p),
(b) s_i ∈ I*(∼p) iff s_i ∈ I(p′).
Then, this lemma is proved by induction on the complexity of α.
Base step:
1. Case α ≡ p ∈ Φ: We obtain: (M, i) ⊨* p iff s_i ∈ I*(p) iff s_i ∈ I(p) iff (N, i) ⊨ p iff (N, i) ⊨ f(p) (by the definition of f).
2. Case α ≡ ∼p ∈ Φ^∼: We obtain: (M, i) ⊨* ∼p iff s_i ∈ I*(∼p) iff s_i ∈ I(p′) iff (N, i) ⊨ p′ iff (N, i) ⊨ f(∼p) (by the definition of f).
Induction step: We show some cases.
1. Case α ≡ βUγ: We obtain:
(M, i) ⊨* βUγ
iff ∃j ≥ i [(M, j) ⊨* γ and ∀i ≤ k < j (M, k) ⊨* β]
iff ∃j ≥ i [(N, j) ⊨ f(γ) and ∀i ≤ k < j (N, k) ⊨ f(β)] (by induction hypothesis)
iff (N, i) ⊨ f(β) U f(γ)
iff (N, i) ⊨ f(βUγ) (by the definition of f).
2. Case α ≡ ∼(β ∧ γ): We obtain: (M, i) ⊨* ∼(β ∧ γ) iff (M, i) ⊨* ∼β or (M, i) ⊨* ∼γ iff (N, i) ⊨ f(∼β) or (N, i) ⊨ f(∼γ) (by induction hypothesis) iff (N, i) ⊨ f(∼β) ∨ f(∼γ) iff (N, i) ⊨ f(∼(β ∧ γ)) (by the definition of f).
3. Case α ≡ ∼(β→γ): We obtain: (M, i) ⊨* ∼(β→γ) iff (M, i) ⊭* ∼β and (M, i) ⊨* ∼γ iff (N, i) ⊭ f(∼β) and (N, i) ⊨ f(∼γ) (by induction hypothesis) iff (N, i) ⊨ ¬f(∼β) ∧ f(∼γ) iff (N, i) ⊨ f(∼(β→γ)) (by the definition of f).
4. Case α ≡ ∼¬β: We obtain: (M, i) ⊨* ∼¬β iff (M, i) ⊭* ∼β iff (N, i) ⊭ f(∼β) (by induction hypothesis) iff (N, i) ⊨ ¬f(∼β) iff (N, i) ⊨ f(∼¬β) (by the definition of f).
5. Case α ≡ ∼∼β: We obtain: (M, i) ⊨* ∼∼β iff (M, i) ⊨* β iff (N, i) ⊨ f(β) (by induction hypothesis) iff (N, i) ⊨ f(∼∼β) (by the definition of f).
6. Case α ≡ ∼Xβ: We obtain: (M, i) ⊨* ∼Xβ iff (M, i + 1) ⊨* ∼β iff (N, i + 1) ⊨ f(∼β) (by induction hypothesis) iff (N, i) ⊨ X f(∼β) iff (N, i) ⊨ f(∼Xβ) (by the definition of f).
7. Case α ≡ ∼Gβ: We obtain: (M, i) ⊨* ∼Gβ iff ∃j ≥ i [(M, j) ⊨* ∼β] iff ∃j ≥ i [(N, j) ⊨ f(∼β)] (by induction hypothesis) iff (N, i) ⊨ F f(∼β) iff (N, i) ⊨ f(∼Gβ) (by the definition of f).
8. Case α ≡ ∼(βUγ): We obtain:
(M, i) ⊨* ∼(βUγ)
iff ∀j ≥ i [(M, j) ⊨* ∼γ or ∃i ≤ k < j (M, k) ⊨* ∼β]
iff ∀j ≥ i [(N, j) ⊨ f(∼γ) or ∃i ≤ k < j (N, k) ⊨ f(∼β)] (by induction hypothesis)
iff (N, i) ⊨ f(∼β) R f(∼γ)
iff (N, i) ⊨ f(∼(βUγ)) (by the definition of f).
9. Case α ≡ ∼(βRγ): We obtain:
(M, i) ⊨* ∼(βRγ)
iff ∃j ≥ i [(M, j) ⊨* ∼γ and ∀i ≤ k < j (M, k) ⊨* ∼β]
iff ∃j ≥ i [(N, j) ⊨ f(∼γ) and ∀i ≤ k < j (N, k) ⊨ f(∼β)] (by induction hypothesis)
iff (N, i) ⊨ f(∼β) U f(∼γ)
iff (N, i) ⊨ f(∼(βRγ)) (by the definition of f).
Q.E.D.
Lemma 2.7. Let f be the mapping defined in Definition 2.5, and S be a non-empty set of states. For any model N := (σ, I) of LTL, any satisfaction relation ⊨ on N, and any state s_i in σ, we can construct a paraconsistent model M := (σ, I*) of pLTL and a satisfaction relation ⊨* on M such that for any formula α in L^p, (N, i) ⊨ f(α) iff (M, i) ⊨* α.
Proof. Similar to the proof of Lemma 2.6. Q.E.D.
Theorem 2.8 (Embedding from pLTL into LTL). Let f be the mapping defined in Definition 2.5. For any formula α, α is valid in pLTL iff f(α) is valid in LTL.
Proof. By Lemmas 2.6 and 2.7. Q.E.D.
3 BRANCHING-TIME CASE
Formulas of computation tree logic (CTL) are constructed from countably many propositional variables, →, ∧, ∨, ¬, X, G, F, U, R, A (all computation paths), and E (some computation path). The same notions and notations as those in the previous sections are also used in the following.
Definition 3.1. Formulas of CTL are defined by the following grammar, assuming p represents propositional variables:
α ::= p | α ∧ α | α ∨ α | α→α | ¬α | AXα | EXα | AGα | EGα | AFα | EFα | A(αUα) | E(αUα) | A(αRα) | E(αRα).
Note that pairs of symbols like AX and EU are indivisible, and that the symbols X, G, F, U, and R cannot occur without being preceded by an A or an E. Similarly, every A or E must have one of X, G, F, U, and R to accompany it.
Definition 3.2 (CTL). A structure (S, S_0, R, L) is a model iff
1. S is the set of states,
2. S_0 is a set of initial states and S_0 ⊆ S,
3. R is a binary relation on S which satisfies the condition: ∀s ∈ S ∃s′ ∈ S [(s, s′) ∈ R],
4. L is a mapping from S to the power set of a nonempty set Φ of propositional variables.
A path in a model is an infinite sequence of states, π = s_0, s_1, s_2, ... such that ∀i ≥ 0 [(s_i, s_{i+1}) ∈ R].
A satisfaction relation (M, s) ⊨ α for any formula α, where M is a model (S, S_0, R, L) and s represents a state in S, is defined inductively by:
1. for any p ∈ Φ, (M, s) ⊨ p iff p ∈ L(s),
2. (M, s) ⊨ α ∧ β iff (M, s) ⊨ α and (M, s) ⊨ β,
3. (M, s) ⊨ α ∨ β iff (M, s) ⊨ α or (M, s) ⊨ β,
4. (M, s) ⊨ α→β iff (M, s) ⊨ α implies (M, s) ⊨ β,
5. (M, s) ⊨ ¬α iff (M, s) ⊭ α,
6. (M, s) ⊨ AXα iff ∀s_1 ∈ S [(s, s_1) ∈ R implies (M, s_1) ⊨ α],
7. (M, s) ⊨ EXα iff ∃s_1 ∈ S [(s, s_1) ∈ R and (M, s_1) ⊨ α],
8. (M, s) ⊨ AGα iff for all paths π ≡ s_0, s_1, s_2, ..., where s ≡ s_0, and all states s_i along π, we have (M, s_i) ⊨ α,
9. (M, s) ⊨ EGα iff there is a path π ≡ s_0, s_1, s_2, ..., where s ≡ s_0, and for all states s_i along π, we have (M, s_i) ⊨ α,
10. (M, s) ⊨ AFα iff for all paths π ≡ s_0, s_1, s_2, ..., where s ≡ s_0, there is a state s_i along π such that (M, s_i) ⊨ α,
11. (M, s) ⊨ EFα iff there is a path π ≡ s_0, s_1, s_2, ..., where s ≡ s_0, and for some state s_i along π, we have (M, s_i) ⊨ α,
12. (M, s) ⊨ A(αUβ) iff for all paths π ≡ s_0, s_1, s_2, ..., where s ≡ s_0, there is a state s_j along π such that (M, s_j) ⊨ β and ∀0 ≤ k < j (M, s_k) ⊨ α,
13. (M, s) ⊨ E(αUβ) iff there is a path π ≡ s_0, s_1, s_2, ..., where s ≡ s_0, and for some state s_j along π, we have (M, s_j) ⊨ β and ∀0 ≤ k < j (M, s_k) ⊨ α,
14. (M, s) ⊨ A(αRβ) iff for all paths π ≡ s_0, s_1, s_2, ..., where s ≡ s_0, and all states s_j along π, we have (M, s_j) ⊨ β or ∃0 ≤ k < j (M, s_k) ⊨ α,
15. (M, s) ⊨ E(αRβ) iff there is a path π ≡ s_0, s_1, s_2, ..., where s ≡ s_0, and for all states s_j along π, we have (M, s_j) ⊨ β or ∃0 ≤ k < j (M, s_k) ⊨ α.
A formula α is valid in CTL iff (M, s) ⊨ α holds for any model M := (S, S_0, R, L), any s ∈ S, and any satisfaction relation ⊨ on M.
The language of paraconsistent computation tree logic (pCTL) is obtained from that of CTL by adding ∼.
Definition 3.3. Formulas of pCTL are defined by the following grammar, assuming p represents propositional variables:
α ::= p | α ∧ α | α ∨ α | α→α | ¬α | ∼α | AXα | EXα | AGα | EGα | AFα | EFα | A(αUα) | E(αUα) | A(αRα) | E(αRα).
Definition 3.4 (pCTL). Let Φ be a non-empty set of propositional variables, and Φ^∼ be the set {∼p | p ∈ Φ} of negated propositional variables.
A structure (S, S_0, R, L*) is a paraconsistent model iff
1. S is the set of states,
2. S_0 is a set of initial states and S_0 ⊆ S,
3. R is a binary relation on S which satisfies the condition: ∀s ∈ S ∃s′ ∈ S [(s, s′) ∈ R],
4. L* is a mapping from S to the power set of Φ ∪ Φ^∼.
A path in a paraconsistent model is an infinite sequence of states, π = s_0, s_1, s_2, ... such that ∀i ≥ 0 [(s_i, s_{i+1}) ∈ R].
A paraconsistent satisfaction relation (M, s) ⊨* α for any formula α, where M is a paraconsistent model (S, S_0, R, L*) and s represents a state in S, is defined inductively by:
1. for any p ∈ Φ, (M, s) ⊨* p iff p ∈ L*(s),
2. for any ∼p ∈ Φ^∼, (M, s) ⊨* ∼p iff ∼p ∈ L*(s),
3. (M, s) ⊨* α ∧ β iff (M, s) ⊨* α and (M, s) ⊨* β,
4. (M, s) ⊨* α ∨ β iff (M, s) ⊨* α or (M, s) ⊨* β,
5. (M, s) ⊨* α→β iff (M, s) ⊨* α implies (M, s) ⊨* β,
6. (M, s) ⊨* ¬α iff (M, s) ⊭* α,
7. (M, s) ⊨* AXα iff ∀s_1 ∈ S [(s, s_1) ∈ R implies (M, s_1) ⊨* α],
8. (M, s) ⊨* EXα iff ∃s_1 ∈ S [(s, s_1) ∈ R and (M, s_1) ⊨* α],
9. (M, s) ⊨* AGα iff for all paths π ≡ s_0, s_1, s_2, ..., where s ≡ s_0, and all states s_i along π, we have (M, s_i) ⊨* α,
10. (M, s) ⊨* EGα iff there is a path π ≡ s_0, s_1, s_2, ..., where s ≡ s_0, and for all states s_i along π, we have (M, s_i) ⊨* α,
11. (M, s) ⊨* AFα iff for all paths π ≡ s_0, s_1, s_2, ..., where s ≡ s_0, there is a state s_i along π such that (M, s_i) ⊨* α,
12. (M, s) ⊨* EFα iff there is a path π ≡ s_0, s_1, s_2, ..., where s ≡ s_0, and for some state s_i along π, we have (M, s_i) ⊨* α,
13. (M, s) ⊨* A(αUβ) iff for all paths π ≡ s_0, s_1, s_2, ..., where s ≡ s_0, there is a state s_j along π such that (M, s_j) ⊨* β and ∀0 ≤ k < j (M, s_k) ⊨* α,
14. (M, s) ⊨* E(αUβ) iff there is a path π ≡ s_0, s_1, s_2, ..., where s ≡ s_0, and for some state s_j along π, we have (M, s_j) ⊨* β and ∀0 ≤ k < j (M, s_k) ⊨* α,
15. (M, s) ⊨* A(αRβ) iff for all paths π ≡ s_0, s_1, s_2, ..., where s ≡ s_0, and all states s_j along π, we have (M, s_j) ⊨* β or ∃0 ≤ k < j (M, s_k) ⊨* α,
16. (M, s) ⊨* E(αRβ) iff there is a path π ≡ s_0, s_1, s_2, ..., where s ≡ s_0, and for all states s_j along π, we have (M, s_j) ⊨* β or ∃0 ≤ k < j (M, s_k) ⊨* α,
17. (M, s) ⊨* ∼∼α iff (M, s) ⊨* α,
18. (M, s) ⊨* ∼(α ∧ β) iff (M, s) ⊨* ∼α or (M, s) ⊨* ∼β,
19. (M, s) ⊨* ∼(α ∨ β) iff (M, s) ⊨* ∼α and (M, s) ⊨* ∼β,
20. (M, s) ⊨* ∼(α→β) iff (M, s) ⊭* ∼α and (M, s) ⊨* ∼β,
21. (M, s) ⊨* ∼¬α iff (M, s) ⊭* ∼α,
22. (M, s) ⊨* ∼AXα iff ∃s_1 ∈ S [(s, s_1) ∈ R and (M, s_1) ⊨* ∼α],
23. (M, s) ⊨* ∼EXα iff ∀s_1 ∈ S [(s, s_1) ∈ R implies (M, s_1) ⊨* ∼α],
24. (M, s) ⊨* ∼AGα iff there is a path π ≡ s_0, s_1, s_2, ..., where s ≡ s_0, and for some state s_i along π, we have (M, s_i) ⊨* ∼α,
25. (M, s) ⊨* ∼EGα iff for all paths π ≡ s_0, s_1, s_2, ..., where s ≡ s_0, there is a state s_i along π such that (M, s_i) ⊨* ∼α,
26. (M, s) ⊨* ∼AFα iff there is a path π ≡ s_0, s_1, s_2, ..., where s ≡ s_0, and for all states s_i along π, we have (M, s_i) ⊨* ∼α,
27. (M, s) ⊨* ∼EFα iff for all paths π ≡ s_0, s_1, s_2, ..., where s ≡ s_0, and all states s_i along π, we have (M, s_i) ⊨* ∼α,
28. (M, s) ⊨* ∼A(αUβ) iff there is a path π ≡ s_0, s_1, s_2, ..., where s ≡ s_0, and for all states s_j along π, we have (M, s_j) ⊨* ∼β or ∃0 ≤ k < j (M, s_k) ⊨* ∼α,
29. (M, s) ⊨* ∼E(αUβ) iff for all paths π ≡ s_0, s_1, s_2, ..., where s ≡ s_0, and all states s_j along π, we have (M, s_j) ⊨* ∼β or ∃0 ≤ k < j (M, s_k) ⊨* ∼α,
30. (M, s) ⊨* ∼A(αRβ) iff there is a path π ≡ s_0, s_1, s_2, ..., where s ≡ s_0, and for some state s_j along π, we have (M, s_j) ⊨* ∼β and ∀0 ≤ k < j (M, s_k) ⊨* ∼α,
31. (M, s) ⊨* ∼E(αRβ) iff for all paths π ≡ s_0, s_1, s_2, ..., where s ≡ s_0, there is a state s_j along π such that (M, s_j) ⊨* ∼β and ∀0 ≤ k < j (M, s_k) ⊨* ∼α.
A formula α is valid in pCTL iff (M, s) ⊨* α holds for any paraconsistent model M := (S, S_0, R, L*), any s ∈ S, and any paraconsistent satisfaction relation ⊨* on M.
We make some remarks.
1. pCTL is paraconsistent with respect to ∼. The reason is explained as follows. Assume a paraconsistent model M = (S, S_0, R, L*) such that p ∈ L*(s), ∼p ∈ L*(s) and q ∉ L*(s) for a pair of distinct propositional variables p and q. Then, (M, s) ⊨* (p ∧ ∼p)→q does not hold.
2. pCTL is regarded as a four-valued logic. The reason is explained as follows. For each s ∈ S and each formula α, we can take one of the following four cases:
(a) α is verified at s, i.e., (M, s) ⊨* α,
(b) α is falsified at s, i.e., (M, s) ⊨* ∼α,
(c) α is both verified and falsified at s,
(d) α is neither verified nor falsified at s.
Definition 3.5. Let Φ be a non-empty set of propositional variables, and Φ′ be the set {p′ | p ∈ Φ} of propositional variables. The language L^p (the set of formulas) of pCTL is defined using Φ, ∧, ∨, →, ¬, X, F, G, U, R, A, E and ∼. The language L of CTL is obtained from L^p by adding Φ′ and deleting ∼.
A mapping f from L^p to L is defined inductively by:
1. for any p ∈ Φ, f(p) := p and f(∼p) := p′ ∈ Φ′,
2. f(α ♯ β) := f(α) ♯ f(β) where ♯ ∈ {∧, ∨, →},
3. f(♯α) := ♯f(α) where ♯ ∈ {¬, AX, EX, AG, EG, AF, EF},
4. f(A(αUβ)) := A(f(α) U f(β)),
5. f(E(αUβ)) := E(f(α) U f(β)),
6. f(A(αRβ)) := A(f(α) R f(β)),
7. f(E(αRβ)) := E(f(α) R f(β)),
8. f(∼∼α) := f(α),
9. f(∼(α ∧ β)) := f(∼α) ∨ f(∼β),
10. f(∼(α ∨ β)) := f(∼α) ∧ f(∼β),
11. f(∼(α→β)) := ¬f(∼α) ∧ f(∼β),
12. f(∼¬α) := ¬f(∼α),
13. f(∼AXα) := EX f(∼α),
14. f(∼EXα) := AX f(∼α),
15. f(∼AGα) := EF f(∼α),
16. f(∼EGα) := AF f(∼α),
17. f(∼AFα) := EG f(∼α),
18. f(∼EFα) := AG f(∼α),
19. f(∼(A(αUβ))) := E(f(∼α) R f(∼β)),
20. f(∼(E(αUβ))) := A(f(∼α) R f(∼β)),
21. f(∼(A(αRβ))) := E(f(∼α) U f(∼β)),
22. f(∼(E(αRβ))) := A(f(∼α) U f(∼β)).
Lemma 3.6. Let f be the mapping defined in Definition 3.5. For any paraconsistent model M := (S, S_0, R, L*) of pCTL, and any paraconsistent satisfaction relation ⊨* on M, we can construct a model N := (S, S_0, R, L) of CTL and a satisfaction relation ⊨ on N such that for any formula α in L^p and any state s in S, (M, s) ⊨* α iff (N, s) ⊨ f(α).
Proof. Let Φ be a nonempty set of propositional variables, Φ^∼ be {∼p | p ∈ Φ}, and Φ′ be {p′ | p ∈ Φ}. Suppose that M is a paraconsistent model (S, S_0, R, L*) such that L* is a mapping from S to the power set of Φ ∪ Φ^∼. We then define a model N := (S, S_0, R, L) such that
1. L is a mapping from S to the power set of Φ ∪ Φ′,
2. for any s ∈ S and any p ∈ Φ,
(a) p ∈ L*(s) iff p ∈ L(s),
(b) ∼p ∈ L*(s) iff p′ ∈ L(s).
Then, this lemma is proved by induction on the complexity of α.
Base step:
1. Case α ≡ p ∈ Φ: We obtain: (M, s) ⊨* p iff p ∈ L*(s) iff p ∈ L(s) iff (N, s) ⊨ p iff (N, s) ⊨ f(p) (by the definition of f).
2. Case α ≡ ∼p ∈ Φ^∼: We obtain: (M, s) ⊨* ∼p iff ∼p ∈ L*(s) iff p′ ∈ L(s) iff (N, s) ⊨ p′ iff (N, s) ⊨ f(∼p) (by the definition of f).
Induction step: We show some cases.
1. Case α ≡ ∼AXβ: We obtain: (M, s) ⊨* ∼AXβ iff ∃s_1 ∈ S [(s, s_1) ∈ R and (M, s_1) ⊨* ∼β] iff ∃s_1 ∈ S [(s, s_1) ∈ R and (N, s_1) ⊨ f(∼β)] (by induction hypothesis) iff (N, s) ⊨ EX f(∼β) iff (N, s) ⊨ f(∼AXβ) (by the definition of f).
2. Case α ≡ ∼AGβ: We obtain:
(M, s) ⊨* ∼AGβ
iff there is a path π ≡ s_0, s_1, s_2, ..., where s ≡ s_0, and for some state s_i along π, we have (M, s_i) ⊨* ∼β
iff there is a path π ≡ s_0, s_1, s_2, ..., where s ≡ s_0, and for some state s_i along π, we have (N, s_i) ⊨ f(∼β) (by induction hypothesis)
iff (N, s) ⊨ EF f(∼β)
iff (N, s) ⊨ f(∼AGβ) (by the definition of f).
3. Case α ≡ ∼A(βUγ): We obtain:
(M, s) ⊨* ∼A(βUγ)
iff there is a path π ≡ s_0, s_1, s_2, ..., where s ≡ s_0, and for all states s_j along π, we have (M, s_j) ⊨* ∼γ or ∃0 ≤ k < j (M, s_k) ⊨* ∼β
iff there is a path π ≡ s_0, s_1, s_2, ..., where s ≡ s_0, and for all states s_j along π, we have (N, s_j) ⊨ f(∼γ) or ∃0 ≤ k < j (N, s_k) ⊨ f(∼β) (by induction hypothesis)
iff (N, s) ⊨ E(f(∼β) R f(∼γ))
iff (N, s) ⊨ f(∼A(βUγ)) (by the definition of f).
4. Case α ≡ ∼A(βRγ): We obtain:
(M, s) ⊨* ∼A(βRγ)
iff there is a path π ≡ s_0, s_1, s_2, ..., where s ≡ s_0, and for some state s_j along π, we have (M, s_j) ⊨* ∼γ and ∀0 ≤ k < j (M, s_k) ⊨* ∼β
iff there is a path π ≡ s_0, s_1, s_2, ..., where s ≡ s_0, and for some state s_j along π, we have (N, s_j) ⊨ f(∼γ) and ∀0 ≤ k < j (N, s_k) ⊨ f(∼β) (by induction hypothesis)
iff (N, s) ⊨ E(f(∼β) U f(∼γ))
iff (N, s) ⊨ f(∼A(βRγ)) (by the definition of f).
Q.E.D.
Lemma 3.7. Let f be the mapping defined in Definition 3.5. For any model N := (S, S_0, R, L) of CTL, and any satisfaction relation ⊨ on N, we can construct a paraconsistent model M := (S, S_0, R, L*) of pCTL and a paraconsistent satisfaction relation ⊨* on M such that for any formula α in L^p and any state s in S, (N, s) ⊨ f(α) iff (M, s) ⊨* α.
Proof. Similar to the proof of Lemma 3.6. Q.E.D.
Theorem 3.8 (Embedding from pCTL into CTL). Let f be the mapping defined in Definition 3.5. For any formula α, α is valid in pCTL iff f(α) is valid in CTL.
Proof. By Lemmas 3.6 and 3.7. Q.E.D.
4 ILLUSTRATIVE EXAMPLE
We present a new illustrative example for
inconsistency-tolerant model checking, as shown in
Figure 1 for representing the health of a person who
has a tumor. The proposed example is regarded as a
modification of the example presented in (Kamide
and Kaneiwa, 2010; Kaneiwa and Kamide, 2011).
In this example, a paraconsistent negation connective ∼
is used to express the negation of ambiguous
concepts. If we cannot determine whether someone
is healthy, then the ambiguous concept healthy can
be represented by asserting the inconsistent formula
healthy ∧ ∼healthy. This is well-formalized because
(healthy ∧ ∼healthy)→⊥ is not valid in pLTL and
pCTL. On the other hand, we can decide whether
someone has a tumor. The decision is represented
by hasTumor or ¬hasTumor, where
(hasTumor ∧ ¬hasTumor)→⊥ is valid in pLTL and pCTL.
In the model of Figure 1, the initial state implies
that a person is healthy. When a person undergoes a
medical checkup, his or her state changes to one of
the two states. If a tumor is detected in a person by
the medical checkup, he or she is both healthy and
not healthy, i.e., both healthy and ∼healthy are true,
because it is unknown if the tumor is malignant (i.e.,
cancer) or not. If cancer is detected in a person (i.e.,
the tumor is diagnosed with cancer), then ∼healthy
is true. This means that the person is not healthy,
but he or she may return to good health if the cancer
is completely removed by surgical operation. More-
over, when the cancer increases, the diagnosis reveals
worse cancer. If the cancer is cured, the person will
be healthy. Otherwise, if the cancer is not controlled,
the person will die.
We can verify the statement “Is there a state in
which a person is both healthy and not healthy?”
This statement is true and expressed as:
EF(healthy ∧ ∼healthy). We can also verify the statement “Is
there a state in which a dead person will not be alive
again?” This statement is true and expressed as:
EF(died ∧ ¬EF¬died).
[Figure 1: state-transition diagram. Transition labels: medicalCheckup, thoroughExamination, surgicalOperation, cancerIncrease, cured. State labels: healthy, hasTumor, ¬hasTumor, hasCancer, ¬hasCancer, stage1, stage2, stage3, died.]
Figure 1: A clinical reasoning process model.
As already pointed out in (Kamide and Kaneiwa,
2010; Kaneiwa and Kamide, 2011), two negative expressions
can be differently interpreted as ¬healthy
(definitely unhealthy) and ∼healthy (not healthy).
The first statement indicates that a person is definitely
unhealthy that is inconsistent with his or her health.
The second statement means that we can say that a
person is not healthy but he or she may be healthy.
The interpretation of the two negations leads to some
useful verification examples. For example, the state-
ment “Is there a state in which a person is not defi-
nitely unhealthy?” can be expressed as EF¬¬healthy.
Moreover, the statement “Is there a state in which it
is not true that a person is not healthy?” can be ex-
pressed as: EF¬∼healthy.
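As an added example (not the authors' code), the Python below translates pCTL formulas to CTL with a mapping f and checks this section's formulas with a small explicit-state CTL checker. Assumptions: the tuple encoding, the primed atom healthy' standing for ∼healthy, the clauses for ∼∼, ∼∧, ∼∨, ∼EX and ∼EF, and the state names and edges of the model, which only loosely follow Figure 1; the ∼AX and ∼AG clauses follow the cases in the proof of Lemma 3.6, and ∼¬α is read as ¬∼α per the De and Omori scheme quoted in Section 5.

```python
# Formulas are nested tuples; 'neg' is paraconsistent ∼ and 'not' is classical ¬.
DUAL = {'AX': 'EX', 'EX': 'AX', 'AG': 'EF', 'EF': 'AG', 'and': 'or', 'or': 'and'}

def f(phi):
    """Translate a pCTL formula into a ∼-free CTL formula."""
    op, args = phi[0], phi[1:]
    if op == 'atom':
        return phi
    if op != 'neg':                       # f commutes with the CTL connectives
        return (op,) + tuple(f(a) for a in args)
    inner, iargs = args[0][0], args[0][1:]
    if inner == 'atom':                   # ∼p becomes a fresh atom p' (assumed naming)
        return ('atom', iargs[0] + "'")
    if inner == 'neg':                    # ∼∼a reduces to a (assumed clause)
        return f(iargs[0])
    if inner == 'not':                    # ∼¬a is read as ¬∼a
        return ('not', f(('neg', iargs[0])))
    # ∼AXb -> EX f(∼b), ∼AGb -> EF f(∼b); the remaining duals are assumed
    return (DUAL[inner],) + tuple(f(('neg', a)) for a in iargs)

def sat(phi, R, L):
    """States of the CTL model (R, L) satisfying a ∼-free formula."""
    S, op = set(R), phi[0]
    if op == 'atom':
        return {s for s in S if phi[1] in L[s]}
    if op == 'not':
        return S - sat(phi[1], R, L)
    if op in ('and', 'or'):
        a, b = sat(phi[1], R, L), sat(phi[2], R, L)
        return a & b if op == 'and' else a | b
    if op in ('AX', 'AG'):                # A-operators through their E duals
        return S - sat((DUAL[op], ('not', phi[1])), R, L)
    goal, prev = sat(phi[1], R, L), None
    if op == 'EX':
        return {s for s in S if R[s] & goal}
    while goal != prev:                   # EF: least fixpoint, backward reachability
        prev, goal = goal, goal | {s for s in S if R[s] & goal}
    return goal

def holds(phi, state, R, L):
    return state in sat(f(phi), R, L)

# Constructed model loosely following Figure 1; state names and edges are assumptions.
R = {'init': {'tumor', 'clear'}, 'clear': {'init'}, 'tumor': {'stage1', 'clear'},
     'stage1': {'stage2', 'init'}, 'stage2': {'stage3', 'init'},
     'stage3': {'died', 'init'}, 'died': {'died'}}
L = {'init': {'healthy'}, 'clear': {'healthy'}, 'died': {'died', 'hasCancer'},
     'tumor': {'healthy', "healthy'", 'hasTumor'},
     **{s: {"healthy'", 'hasCancer'} for s in ('stage1', 'stage2', 'stage3')}}
```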
5 CONCLUDING REMARKS
In this paper, we proposed pLTL and pCTL as
novel versions of paraconsistent linear-time tempo-
ral logic and paraconsistent computation tree logic,
respectively. These provided a logical basis for
inconsistency-tolerant model checking, and were de-
veloped by extending the standard temporal logics
LTL and CTL. These are also regarded as extensions
of Belnap and Dunn’s four-valued logics. The trans-
lations from pLTL into LTL and pCTL into CTL were
defined, and were used to prove the theorems for em-
bedding pLTL into LTL and pCTL into CTL. It was
thus demonstrated that the standard LTL- and CTL-
based model checking algorithms can be repurposed
for verifying inconsistent systems that are modeled
and specified using pLTL and pCTL. A new illustra-
tive example for verifying clinical reasoning process
was presented on the basis of the proposed logics and
translations.
Finally, we note that the proposed framework is
applicable to other new variants pLTL⋆ and pCTL⋆ of
pLTL and pCTL, respectively. The proposed logics
pLTL and pCTL have the axiom schemes
∼(α→β) ↔ ¬∼α ∧ ∼β and ∼¬α ↔ ¬∼α by De and Omori (De
and Omori, 2015), using the paraconsistent negation
connective ∼ and the classical negation connective ¬.
These axiom schemes are known to be plausible candidates
for combining ∼ and ¬ within a logic (De
and Omori, 2015). Our framework is equally applicable
to the logics pLTL⋆ and pCTL⋆. These are obtained
from pLTL and pCTL by replacing the following
clauses for x ∈ {i,s}:
1. (M,x) |= ∼(α→β) iff (M,x) ⊭ ∼α and (M,x) |= ∼β,
2. (M,x) |= ∼¬α iff (M,x) ⊭ ∼α,
with the following clauses for x ∈ {i,s}, which just
correspond to the axiom schemes ∼(α→β) ↔ α ∧ ∼β
and ∼¬α ↔ α by Odintsov (Odintsov, 2005):
1. (M,x) |= ∼(α→β) iff (M,x) |= α and (M,x) |= ∼β,
2. (M,x) |= ∼¬α iff (M,x) |= α.
By applying appropriate modifications to the translation
functions of pLTL and pCTL, we obtain the embedding
theorems of pLTL⋆ into LTL and pCTL⋆ into
CTL, in the same way as with pLTL and pCTL.
ACKNOWLEDGEMENTS
We would like to thank the anonymous referees for
their valuable comments. We would also like to thank
Yosuke Matsuo and Ryu Yano for their assistance with
this research. This research has been supported by the
Kayamori Foundation of Informational Science Ad-
vancement. This research was partially supported by
JSPS KAKENHI Grant (C) JP26330263.
REFERENCES
Almukdad, A. and Nelson, D. (1984). Constructible falsity
and inexact predicates. Journal of Symbolic Logic,
49:231–233.
Belnap, N. (1977a). How a computer should think. Con-
temporary Aspects of Philosophy, (G. Ryle ed.), Oriel
Press, Stocksfield, pages 30–56.
Belnap, N. (1977b). A useful four-valued logic. Modern
Uses of Multiple-Valued Logic, G. Epstein and J. M.
Dunn, eds. Dordrecht: Reidel, pages 5–37.
Beziau, J.-Y. (2011). A new four-valued approach to modal
logic. Logique et Analyse, 54 (213):109–121.
Chen, D. and Wu, J. (2006). Reasoning about inconsistent
concurrent systems: A non-classical temporal logic.
In Lecture Notes in Computer Science, volume 3831,
pages 207–217.
Clarke, E. and Emerson, E. (1981). Design and synthesis of
synchronization skeletons using branching time tem-
poral logic. In Lecture Notes in Computer Science,
volume 131, pages 52–71.
Clarke, E., Grumberg, O., and Peled, D. (1999). Model
checking. The MIT Press.
da Costa, N., Beziau, J., and Bueno, O. (1995). Aspects of
paraconsistent logic. Bulletin of the IGPL, 3 (4):597–
614.
De, M. and Omori, H. (2015). Classical negation and
expansions of Belnap-Dunn logic. Studia Logica, 103
(4):825–851.
Dunn, J. (1976). Intuitive semantics for first-degree entail-
ment and ‘coupled trees’. Philosophical Studies, 29
(3):146–168.
Easterbrook, S. and Chechik, M. (2001). A framework for
multi-valued reasoning over inconsistent viewpoints.
In Proceedings of the 23rd International Conference
on Software Engineering, pages 411–420.
Gurevich, Y. (1977). Intuitionistic logic with strong nega-
tion. Studia Logica, 36:49–59.
Holzmann, G. (2006). The SPIN model checker: Primer
and reference manual. Addison-Wesley.
Kamide, N. (2006). Extended full computation tree logics
for paraconsistent model checking. Logic and Logical
Philosophy, 15 (3):251–276.
Kamide, N. (2015). Inconsistency-tolerant temporal rea-
soning with hierarchical information. Information Sci-
ences, 320:140–155.
Kamide, N. (2016). Paraconsistent double negation that
can simulate classical negation. In Proceedings of
the 46th IEEE International Symposium on Multiple-
Valued Logic (ISMVL 2016), pages 131–136.
Kamide, N. and Kaneiwa, K. (2010). Paraconsistent nega-
tion and classical negation in computation tree logic.
In Proceedings of the 2nd International Conference
on Agents and Artificial Intelligence (ICAART 2010),
Vol.1, pages 464–469.
Kamide, N. and Koizumi, D. (2016). Method for combin-
ing paraconsistency and probability in temporal rea-
soning. Journal of Advanced Computational Intelli-
gence and Intelligent Informatics, 20:813–827.
Kamide, N. and Shramko, Y. (2017). Embedding from mul-
tilattice logic into classical logic and vice versa. Jour-
nal of Logic and Computation, 25 (5):1549–1575.
Kamide, N. and Wansing, H. (2011). A paraconsistent
linear-time temporal logic. Fundamenta Informaticae,
106 (1):1–23.
Kaneiwa, K. and Kamide, N. (2011). Paraconsistent com-
putation tree logic. New Generation Computing, 29
(4):391–408.
Nelson, D. (1949). Constructible falsity. Journal of Sym-
bolic Logic, 14:16–26.
Odintsov, S. (2005). The class of extensions of Nelson
paraconsistent logic. Studia Logica, 80:291–320.
Pnueli, A. (1977). The temporal logic of programs. In Pro-
ceedings of the 18th IEEE Symposium on Foundations
of Computer Science, pages 46–57.
Priest, G. (2002). Paraconsistent logic. Handbook of
Philosophical Logic (Second Edition), D. Gabbay and
F. Guenthner (eds.), 6:287–393.
Rautenberg, W. (1979). Klassische und nicht-klassische
Aussagenlogik. Vieweg, Braunschweig.
Vorob’ev, N. (1952). A constructive propositional calculus
with strong negation (in Russian). Doklady Akademii
Nauk SSR, 85:465–468.
Wansing, H. (1993). The logic of information structures.
Springer.
Zaitsev, D. (2012). Generalized relevant logic and models
of reasoning. Moscow State Lomonosov University
(Doctoral Dissertation).
ICAART 2018 - 10th International Conference on Agents and Artificial Intelligence