On interval dynamic logic: Introducing quasi-action lattices

. In this paper we discuss the incompatibility between the notions of validity and impreciseness in the context of Dynamic Logics. To achieve that we consider the (cid:2)Lukasiewicz action lattice and its interval counterpart, we show how some validities fail in the context of intervals. In order to capture the properties of action lattices that remain valid for intervals we propose a new structure called Quasi-action Lattices which generalizes action lattices and is able to model both: The (cid:2)Lukasiewicz action lattice, (cid:2)L, and its interval counterpart, (cid:2) (cid:2)L. The notion of graded satisfaction relation is extended to quasi-action lat-tices. We demonstrate that, in the case of intervals, the relation of graded satisfaction is correct (c.f. Theorem 3) with respect to the graded satisfaction relation on the (cid:2)Lukasiewicz action lattice. Although this theorem guarantees that satisﬁability is preserved on intervals, we show that validity is not. We propose, then, to weaken the notion of validity on action lattices to designated validity on quasi-action lattices. In this context, Theorem 4 guarantees that the dynamic formulæ which are valid with respect to (cid:2)L will be designated valid with respect to (cid:2) (cid:2)L .


Introduction
Dynamic Logics (DL) are extensions of modal logic. They are recognised as the most adequate logics to reason about computational systems in an assertional way [15]. In its origin, DL was introduced by V. Pratt [31] as a modal logic suitable to represent and reason about Hoare triples. Since then, DL assumed a central role in program verification. Today, not only in response to the explosion of programming and specification languages, but also in the emerging heterogeneous nature that a program can assume, a wide family of DL were defined to be applied to more general complex behaviors. This ranges from the standard versions for sequential imperative programmes (e.g. [15]) to other versions tailored for new computing paradigms, either probabilistic systems, following the original work of D. Kozen [20], hybrid systems with the differential dynamic logic by Platzer [30] or even quantum versions due to Baltag and Smets [1]. Within this variety of dynamic logics, in [23], a method for a systematic construction of many-valued dynamic logics was studied. The method is parameterized by an action lattice that supports both the computational paradigm and the truth space, combining in just one structure the underlying Kleene algebra for the computations and the residuated lattice for proposition assertions.
Logics with many-valued semantics are applied in a variety of fields such as: Decision Making, Image Processing, Clustering, etc. One of such logics, which is a very important logic, is that of Lukasiewicz [9], which semantics is based on the residuated lattice L = [0, 1], →, 0, 1 -where: a → b = min(1, 1 − a + b). In this logic, the truth-values may be thought of as arising from normalized measurements of bounded physical observables, just as boolean truth-values arise from yes/no-observables [27, §1.6]. The space of valueness [0, 1] models exact measurements which presupposes an uncertainty and are not encoded by the elements of [0,1]. In order to capture and deal with such uncertainty the indicated approach is to use the space of closed intervals I( In [34] Santiago et. al. showed how interval can be used to model computational systems with imprecise transitions through an interval Kleene algebra. In this paper, we show that such algebra cannot be extended to an action lattice and hence be a space of truth values for axioms of DL. To overcome that, we extend the notion of action lattices to a new algebraic structure called Quasiaction lattices. This structure models both: The Lukasiewicz action lattice L and its interval counterpart L.
The notion of satisfiability is extended to Quasi-action lattices and Theorem 3 shows that satisfiability on the action lattice L is represented by satisfiability on L. The notion of representation is discussed in Section 3.
Although satisfiability is preserved, we show in Section 5 that validity is not. We propose to extend the notion of validity on action lattices to designated validity on Quasi-action lattices. We show that every DL formula which is valid with respect to the action lattice L is designated valid with respect to L. Outline of the paper. Section 2 introduces a Multi-valued Dynamic Logic following the 'dynamization' method proposed by Madeira et. al [23]. Section 3 makes an overview of interval arithmetic and gives the 'intervalization' of the Lukasiewicz action lattice: L. It proves that this structure is a Kleene algebra. In Section 3.2, we discuss some pitfalls in defining action lattices over intervals. Section 4 introduces the notion of Quasi-action Lattices which is the abstraction of interval Lukasiewicz action lattice: L. It proposes the notion of satisfiability on Quasi-action lattices and connects satisfiability with respect to L with satisfiability with respect to L. Section 5 shows the impact of imprecision on validity, proposes the weakening of validity on action lattices to designated validity on quasi-action lattices and proves that every valid formula with respect to L is designated valid with respect to L. Finally, in Section 6, we present some final remarks.

L-Fuzzy Dynamic Logic
Many-valued versions of Modal Logics have been discussed in the literature, the purposed logics vary in the focus where the many-valueness is presented: In accessibility relations, in propositions interpretation or in both. The latter is the case of the works [13,14] of M. Fitting suggesting a logic with many-valueness evaluated in finite Heyting algebras. Later, it was deeply investigated by F. Bou et al in [7], who adopted the more generic truth support of finite integral commutative residuated lattices.
The literature is not so rich with respect to Many-Valued Dynamic Logics. J. Hughes et al introduced in [18] a propositional dynamic logic over the continuum truth (0, 1)-lattice with the standard fuzzy residues. However, from the perspective of dynamic logic, this formalism is quite restrictive, since it leaves behind both transitive closure and non deterministic choice. In the context of rational decision theory, C. Liau [22] also introduced another different many-valued dynamic logic w.r.t. the specific continuum truth (0, 1)-lattice.
A systematic method to build Multi-valued Dynamic Logics was then introduced in [23,24]. This method is parameterized by an action lattice [19], an algebraic structure that provides a generic support for computational space (as a Kleene algebra) and for truth space (as residuated lattice). The logic introduced in this section is based on this work and can be captured as an instantiation of this method.

The Lukasiewicz action lattice
The role of the Lukasiewicz residuated lattice, i.e., the algebraic structure is taken as the standard fuzzy truth space [36]. Moreover, as stated above, we are looking for a structure suitable to support a fuzzy computational model. Whenever the max and the operators are used to model the choice and composition of atomic actions, we need to consider a Kleene operator to model the recursive iteration of programs. These operators constitute the components of an action lattice [19], the structure taken in [23,24] as a generic parameter for a multi-valued logic definition. More precisely:

Definition 1. An action lattice is a tuple
where U is a set, 0 and 1 are constants in U , * is a unary operation over U and +, ; , → and · are binary operations over U satisfying the axioms enumerated in Figure 1, where the relation ≤ is induced by "+": a; 0 = 0; a = 0 (9)
For the illustration of the structure with several examples and properties we suggest [23]. Just as example, we can consider a discrete 3-valued lattice underling the 3-valued logic: Example 1 (3 -linear three-value lattice). The explicit introduction of a denotation for unknown gives rise to the following linear lattice of three elements It is easy to observe that, as a consequence of axiom (10), whenever 1 is the greatest element, we have that x * = 1, for all x.
Hence we have all the ingredients to introduce the Lukasiewicz arithmetic lattice, a structure that plays the main role in the theory developed in the following: Definition 2 ( L -the Lukasiewicz arithmetic lattice). The Lukasiewicz arithmetic lattice is the structure:

The L-Fuzzy Dynamic Logic
Signatures for the dynamic logic intended to be interpreted in L, LDL, are exactly the same as the ones of Propositional Dynamic Logic: Signatures are pairs (Π, Prop) of disjoint sets of atomic programs Π and of propositions symbols Prop.
where the tags mention the uncertainty level of each state transitions. These weighted state transition systems are usually represented by the underlying adjacency matrices. We use the notation A π (w, w ) to mean the fuzziness degree at transition (w, w ) of program π; e.g. in the case of (21) we have A π (s 1 , 2 0.5 Moreover, we need a mathematical framework to interpret more complex programs, i.e. regular expressions of atomic programs, e.g. "π + π ". In other words, we need to consider a computational space for LDL where the programs are interpreted. Based on the classic matricial constructions over Kleene algebras (see [10,21]) we consider the following structure considering its components as follows: 1. M n ( L) is the space of (n × n)-matrices over L; i.e. with elements in L.

for any
4. the matricial 1 and 0 are the (n×n)-matrices defined by where F = max(A, B (D * C)). Note that this construction is recursively defined from the base case (where n = 2) where the operations of the base action lattice A are used.
A classic result (e.g. [10,21]) establishes that Kleene algebras are closed under formation of matrices.
The interpretation of programs in these models belongs to the space of the matrices over the underlying Kleene algebra of L. Each matrix represents the effect of a program executing from any point of the model. Formally, the interpretation of a program π ∈ Prg(Π) in a model M ∈ Mod LDL (Π, Prop) is recursively defined, from the set of atomic programs Π, as follows: Returning to our running example, we are able to calculate the interpretation of the program π + π by making: that represents the following weighted transition system:

Satisfaction.
As mentioned above, the carrier of L corresponds to the space of truth degrees for LDL. In what follows we define what is the graded satisfaction relation for a model M ∈ Mod LDL (Π, Prop).
recursively defined as follows: In order to illustrate the definition, the calculation of the truth degree for the formula " π + π (p → q)" in the proposed model A can be achieved as follows: Therefore, we conclude with a degree of certainty √ 2 2 that, after executing "π + π " from the state s 1 , we have p → q.
Assuming this semantics for LDL, the investigation of calculus for this logic is the natural step to proceed. The next theorem is a first step on this direction, it shows the validity of some propositional dynamic axioms [16] in LDL: Theorem 1. The following are valid formulae in the logic LDL: Proof. As stated above, the logic LDL can be built as an instantiation of the generic method of dynamization [23]. The same reference reports, at this abstract level, a systematic study of the validity of the previous axioms in dynamizations parametric to generic action lattices. Hence, because of the properties of the action lattice L, all these proofs can be constructed by instantiation from this generic study. Indeed, in order to illustrate the principles involved, we explicitly extract here the proof for the validity of formula 1.

L-Interval algebra
The space of values [0, 1] models exact measurements/truth values which is far from the real-world. In fact, any measurement presupposes an uncertainty which is not encoded by the elements of [0, 1]. Another situation arises whenever an expert is unable to supply an exact membership of an object in a fuzzy set, in this case it can be provided a closed subinterval of [0, 1] as an expression of the inability to supply an exact answer [8]. Therefore, assuming the Lukasiewicz arithmetic lattice L = [0, 1], max, , 0, 1, * , →, min as a natural space of measurements/truth values [27, §1.6] it is reasonable to investigate its interval counterpart. But what would such interval counterpart be? Before we proceed to answer this question, let us recall some definitions and facts about the interval counterpart of real numbers algebra: R; +, −, /, ×, 1, 0 .
In the 50's Ramon Moore [25,26] and Teruo Sunaga [35] proposed the so called interval arithmetics. Interval arithmetics is a set of operations on the set of all closed intervals [a, b] ⊆ R. They defined the arithmetic in the following way: Observe what happens with each operation: . . . Optimality. By optimality, we mean that the computed floating-point interval is not wider than necessary." Hickey et.al [17, p.1040] The term Correctness connects n-ary interval operations F with n-ary real operations f and means that if F is correct with respect to f , then we can enfold any exact value r ∈ R in a closed interval [a, b], such that r ∈ [a, b], and then simply operate with such "envelopes" by using F , because the resulting interval F ([a, b]) will enfold the desired result f (r). Formally, a function F is correct with respect to a real function f whenever: In practice, exact values are replaced by intervals which are operated with correct interval functions. Intervals enfold the exact values and provide a measure of impreciseness through their widths.
Santiago et. al [2,33] investigated the notion of Correctness. Instead of correctness the authors used the term representation, since interval expressions could be faced not just as machine representations of an exact calculation, but also as an instance of a "mathematical representation of real numbers" 4 . Beyond correctness, interval arithmetic is also optimum; namely the resulting intervals contain only the values of real operations. We could say that the proposed algebra of intervals is the best interval representation for the arithmetic of real numbers.
One side-effect of this process (called intervalization) is the loss of algebraic properties. The resulting structure is not an euclidean field; for example "X −X" is not always equal to [0, 0]. As we can see in the following, like real numbers, some properties of L are lost when we consider intervals of [0, 1].

On the Interval Lukasiewicz Lattice
The Lukasiewicz arithmetic lattice L = [0, 1], max, , 0, 1, * , →, min contains non-finitely representable elements; e.g. irrational numbers. In a similar way we can think of an interval algebra for L. A piece of such algebra was introduced by Bedregal and Santiago in [4]. There, the authors proposed a correct interval implication for "→". In what follows, we propose the interval counterpart for L = [0, 1], max, , 0, 1, * , →, min in such a way that the resulting operations are correct and optimal, i.e. they are best interval representations.

Definition 5. Consider the real unit interval
For any interval X ∈ U, X is the minimum of X and X the maximum of X; i.e. X = [X, X]. Given two intervals X, Y ∈ U, let be the following partial orders on U: (i) The product or Kulisch-Miranker order : (ii) The set inclusion order: for all X, Y ∈ U,

Definition 6 ([33]
). An interval X ∈ U is a representation of any real number α ∈ X. Considering two interval representations X and Y for a real number α, X is said to be an interval representation of α better than Y , if X ⊆ Y . This notion can also be naturally extended for n-tuples of intervals.
In what follows we show the best (possible) interval representation for L = [0, 1], max, , 0, 1, * , →, min . Before we proceed, we provide some required definitions and facts about some fuzzy connectives and their best interval representation: Let (L, ≤ L , ⊥, ) be a bounded lattice. A t-norm on L is an ≤ L -increasing function T : L 2 → L that is commutative, associative and has as neutral element [28]. Dually, a t-conorm is a commutative, associative and ≤ L -increasing function S : L 2 → L which has ⊥ as neutral element [28]. A function I : L 2 → L which is ≤ L -decreasing in the first variable, ≤ L -increasing in the second variable, I(⊥, ⊥) = I( , ) = and I( , ⊥) = ⊥ is called implication of L [29].   Proof. max trivially satisfies equations (1)-(4). It is also clear that satisfies equations (5)- (6). Equations (7) is also satisfied, since given X,
Since K( L) is a Kleene algebra, we can canonically construct, as in (22), the space of matrices M n (K( L)) (which is also a Kleene algebra).
Observation: According to Proposition 1 every operation of the Kleene algebra K( L) is the best interval representation of the respective operation of K( L). Therefore, we can say that K( L) and M n (K( L)) are, respectively, the best interval representation of the Kleene algebras L and M n (K( L)).

Notation:
In order to simplify the notation, we use the same symbols for the operations of Lukasiewicz Kleene algebras whenever the context is clear j j Although we have defined operation "⇒ >" on intervals, the relation between them and action lattices will be exposed in the next section.

Pitfalls in defining action lattices over intervals
Before we proceed, it must be clear why do we use intervals. Intervals are used in a variety of situations when it is not possible to use exact values. If the exact values can be used, then it does not make sense to use intervals.
Although it is possible to use a near exact value to represent a desired point (e.g. 3.14 would be used to represent π), the information about impreciseness is not codified by such exact value. Intervals provide such kind of information and the quality of such representation can be measured by the width of the interval: the tighter is the interval the better is the representation.
Sometimes intervals are the only representation available to work with; e.g. (1) some magnetic resonance machines provide intervals for non-exact values (2) some applications in fuzzy systems provide intervals as inexact membership degree or as the abstraction of several membership degrees provided by different experts.
In any case, intervals are the entities provided instead of exact values. To deal with intervals a price must be paid; namely: not all properties of the space containing the exact values are preserved in the interval space. For example, in the case of real numbers, interval representations in general do not satisfy the property: X − X = 0.
As we will see the same happens with the interval representation of the action lattice L. All properties stated in Figure 1 are satisfied by L, whereas some are not by its interval representation L. Since these properties are connected with Dynamic Logics, there will be impacts of interval representation on the logical axioms. Some of these impacts are discussed below: Observe that in the Lukasiewicz action lattice, L, the equation "x → x = 1" is satisfied while this is not true in its interval representation: L. But this is a crucial feature of L ! Take the following example:  [a, a], it does not make sense to impose X⇒ >X = [1,1], since the same interval can be used to represent two different exact values. Therefore, the known logical laws of Dynamic Logic must be reviewed or the notion of validity must be extended.
The price to be paid for using intervals does not stop here, in what follows we show that the structure L = U, max, , 0, 1, * , ⇒ > , min is not an action lattice. This means that to propose a Dynamic Logic which deals with interval values some properties of action lattices must be generalized.

Quasi-action Lattices and Interval-valued Propositions
In this section we provide an algebraic structure which generalizes action lattices and is enough to model those lattices and their interval counterpart.
Example 3. Every action lattice, A, is a quasi-action lattice, since U = Δ and it satisfies (13'). Proposition 6 shows the main Quasi-action lattice studied here.

Given
for p ∈ Prop and π ∈ Prg(Π). ADL-models, M, for a set of propositions in Prop and programs in Π, denoted by: M ∈ Mod ADL (Π, Prop), are tuples: in which W is a finite set (of states), V : Prop × W → U is a function called valuation and A π is a U -valued binary relation indexed by program π.
recursively defined as follows:

Lemma 5. Let
A be a quasi-action lattice, then: Now, let us see the situation in the context of intervals. Observe how the notion of interval representation behaves as expected.
For example, considering the propositions: Prop = {p, q}, the transition system: i.e. the interval valuation Rep(V ) represents the exact valuation V . Further, it is also expected that satisfability relation defined on exact values relate to the satisfability relation defined on intervals in the following way: So, it is expected that if intervals are used to represent exact truth values then the satisfability relation on intervals should be correct; namely it gives a truth value (an interval) which contain the exact truth-value of the satisfability relation on exact values. The next theorem guarantees the above situation in a general setting: Proof. The proof is by induction on the structure of α Θ .

Satisfiability vs Validity
Although satisfiability is preserved by intervalization (Theorem 3) validity is not. In fact, this section shows that the introduction of impreciseness on logical values affects validity and as a consequence this concept must be weakened.
Suppose we state, as usually, that valid formulae are those which are always interpreted in quasi-action lattices as "1". This is always true for the case in which Δ = U . This is the case of the formula: π (ρ ∧ ρ ) → π ρ ∧ π ρ . 9 (32) In general this is not true if Δ is a proper subset of U . The proof of such validity relies on the following property: see [23,Lemma 1 (36), p. 7]. Proposition 5 guarantees that this is true for x, y, a ∈ Δ. In order to extend this property to the whole quasi-action lattice we should require: (x y) → (a; x a; y) which is not always true.
In fact, this is not true for the interval model proposed here. Observe that in such quasi-action lattice the subset "U − Δ " is the set of non-degenerate intervals; and hence the set of imprecise values. Take  ∈ Δ affects the relation " " via the Kleene operation ";". Since the operation ";" plays a fundamental role on the definition of modalities, we are obligated to generalize the notion of validity. Instead of validity we propose designated validity; intuitively: "A formula 'ρ' will be designated valid whenever for every quasiaction lattice A, the value of 'w |= U ρ', for every w ∈ W , belongs to a 'suitable' proper subset D ⊂ U such that 1 ∈ D and 0 / ∈ D." In what follows we define the set of designated values for any quasi-action lattice followed by the notion of designated model and designated validity. Definition 11. Let A be a quasi-action lattice. The set of designated elements of A is the set: Given a quasi-action lattice, A, the set of its designated elements, D, and a formula ρ ∈ F m ADL (Π, Prop), A is a designated model for ρ or ρ is designated valid in A, |= d A ρ, if for every w ∈ W, (w |= U ρ) ∈ D. ρ is designated valid if for every quasi-action lattice, A, |= d A ρ.

Final Remarks
In this paper we have shown how the notion of validity on Lukasiewicz Dynamic Logic must be reviewed when the notion of impreciseness (through intervals) need to be taken into account for the specification/verification of computational systems. There are two ways to achieve that (Section 3.2): To review the laws of Dynamic Logics or extend the notion of validity. We chose the second way and proposed the notion of designated validity which is a weakening of validity.
In the case of intervals, the result is: Every law of Dynamic Logic is preserved under the notion of Designated Validity. Therefore, the quasi-action lattice L is a structure where there is some harmony between impreciseness and a kind of validity. However, we could not demonstrate that all designated valid formulae with respect to L is also valid with respect to L. If we prove this, it means that this specific Dynamic Logic is not affected when we deal with imprecision, what is required is to enlarge the concept of validity. This is a subject of a current investigation.