On the Relationship of Event Order Logic and Linear Temporal Logic

Technical Report soft-14-01, Chair for Software Engineering, University of Konstanz, Copyright by the Authors 2014

On the Relationship of Event Order Logic and Linear Temporal Logic

Adrian Beer, Florian Leitner-Fischer and Stefan Leue University of Konstanz, Germany

Abstract. In recent work [1, 2] we have proposed the event order logic (EOL) which is used to reason about the occurrence and order of events in formal system models. In this paper we will discuss the relationship of the event order logic and the linear temporal logic and further more show how EOL formulas can be translated into LTL formulas.

1 Introduction

In recent work [1, 2] we have proposed the event order logic (EOL) which is used to reason about the occurrence and order of events in formal system models. In this paper we will discuss the relationship of the event order logic and the linear temporal logic and further more show how EOL formulas can be translated into LTL formulas.

The contributions of this paper can be summarized as follows:

– The semantics of the EOL is further refined.

– We define equivalence transformations for EOL formulas..

– We defined the Event Order Logic Normal Form (EONF) and prove that each EOL formula can be transformed into an EOL formula in EONF.

– We show how EOL formulas in EONF can be translated into LTL formulas that accept the same set of paths and are thus equivalent.

The remainder of this paper is structured as follows: We first briefly introduce the syntax and semantics of linear temporal logic, a running example of a railroad crossing that we use throughout the paper for illustrative purposes, and the underlying system model in Section 2. We further refine the semantics of the event order logic and show how EOL formulas can be transformed into equivalent EOL formulas in Section 3. Section 4 is devoted to the translation of EOL formulas to LTL formulas. We conclude in Section 5.

2 Preliminaries

2.1 Linear Temporal Logic

The analysis aims at identifying the violation of functional safety requirements.

Such a violation is also referred to as a hazard. We use linear time temporal

Konstanzer Online-Publikations-System (KOPS) URL: http://nbn-resolving.de/urn:nbn:de:bsz:352-262077

logic (LTL) using its standard syntax and semantics as defined in [3] in order to specify hazards.

Hazards imply the reachability of unsafe states and they hence belong to the class of reachability properties. Hence we only need to consider finite execution fragments [4]. Hazards fall within the class of safety properties in the commonly used classification scheme of safety and liveness properties. We use T ⊧l ϕ to express that the LTL formula ϕ holds for the transition system T and σ⊧l ϕ respectively for execution traces.

Definition 1. Syntax of LTL. Formulas in LTL over the set AP of atomic proposition are formed according to the following grammar given in BNF:

ϕ∶∶=true∣a∣ϕ1∧ϕ2∣ ¬ϕ∣ ◯ ϕ∣ϕ1 U ϕ2

wherea∈AP. Additionally the following operators are defined as syntactic sug- aring of those above:

3ϕ=trueU ϕand2ϕ= ¬3¬ϕ

Definition 2. Semantics of LTL over Executions and States. Let T = (S,Act,

→, I,AP, L) be a transition system, let ϕ an LTL formula over AP and σ a finite execution of T and σ[j...]the suffix of σstarting atsj. then the semantic is defined by induction on the structure ofϕ

– σ⊧ltrue – σ/⊧lfalse

– σ⊧lpiffp∈L(s₀) – σ⊧l¬ϕiffσ/⊧lϕ

– σ⊧lϕ1∧ϕ2 iffσ⊧lϕ1 andσ⊧lϕ2

– σ⊧lϕ1∨ϕ2 iffσ⊧lϕ1 orσ⊧lϕ2

– σ⊧l◯ ϕiffσ[1...] ⊧lϕ

– σ⊧lϕ₁U ϕ₂ iff∃k≥0. σ[k...] ⊧lϕ₂ and∀0≤j<k . σ[j...] ⊧lϕ₁ and for the derived operators3and2.

– σ⊧l3ϕiff∃j∶j≥0. σ[j..] ⊧lϕ – σ⊧l2ϕiff∀j∶j≥0. σ[j..] ⊧lϕ

2.2 Running Example: Railroad Crossing

We will demonstrate the presented definitions on a running example of a railroad crossing system. In the running example a train can approach the crossing (Ta), cross the crossing (Tc) and finally leave the crossing (Tl). Whenever a train is approaching, the gate should close (Gc) and will open when the train has left the crossing (Go). It might also be the case that the gate fails (Gf). The car approaches the crossing (Ca) and crosses the crossing (Cc) if the gate is open and finally leaves the crossing (Cl). We are interested in finding those events that lead to a hazard state in which both the car and the train are in the crossing.

This hazard can be characterized by the LTL formula ϕ= 2¬(car crossing∧ train crossing).

2.3 System Model and Events

The systems that we apply causality checking to are concurrent systems. For the formalization of the system model we follow the formalization of a model for concurrent computing systems proposed in [4]. The system model is given by a Transition System which is defined as follows:

Definition 3. Transition System. A transition system TS is a tuple (S,Act,

→, I,AP, L) where S is a finite set of states, Act is a finite set of actions,

→ ⊆ S×Act×S is a transition relation,I⊆S is a set of initial states,APis a set of atomic propositions, andL∶S→2^AP is a labeling function.

A Transition System defines a Kripke structure. Each states∈S is labeled with the setL(s)of all atomic state propositions that are true in this state. The set Act contains all actions that can trigger the system to transit from some state into a successor state. The execution semantics of a transition system is defined as follows:

Definition 4. Execution Trace of a Transition System. Let T = (S,Act,→, I,AP, L)be a transition system. A finite execution σof T is an alternating se- quence of statess∈Sand actionsα∈Actending with a state.σ=s0α1s1 α2...

α_n s_n s.t.s_iÐÐ→^αi+1 s_i+1 for all0≤i<n.

In the following we will use short-hand notationσ=“a_α1,a_α2, ... ,a_αn” for an execution traceσ=s₀α₁s₁α₂... α_n s_n. The traceσ=“Ta, Ca, Gf, Cc, Tc”, for instance, is a trace of the railroad example from Sec. 2.2 where the train and the car are approaching the crossing (Ta, Ca), the gate fails to close (Gf), the car crosses the crossing (Cc) and finally the train crosses the crossing (Tc).

We can partition the set of all possible execution traces Σ of a transition systemT into the set of “good” execution traces, denotedΣG, where the LTL formula is not violated and thus the hazard does not occur, and the set of “bad”

execution traces, denotedΣB, where the LTL formula is violated and thus the hazard occurs. The elements of ΣB are also referred to as counterexamples in model checking. The traceσ=“Ta, Ca, Gf, Cc, Tc” we already discussed above is a “bad” execution trace, since bot the car and the train are on the crossing at the same time and thus the LTL property is violated. An example for a “good”

trace isσ^′=“T a, Ca, Gf, Cc, Cl, T c” where the car leaves the crossing (Cl) before the train is crossing (Tc) and consequently the train and the car are not on the crossing at the same time and the LTL formula is not violated.

Definition 5. Good and Bad Execution Traces. Let T = (S,Act, →, I,AP, L) be a transition system, let ϕ an LTL formula over AP and Σ that set of all possible finite executions of T. The set Σ is divided into into the set of “good”

execution traces ΣG and in the set of “bad” execution traces ΣB as follows:

Σ_G= {σ∈Σ∣σ⊧lϕ},Σ_B= {σ∈Σ∣σ /⊧lϕ}andΣ_G∪Σ_B=ΣandΣ_G∩Σ_B= ∅. We assume that for a given execution trace σ of a transition system T, Act contains the events that we wish to reason about. For an LTL formula ϕ

specifying a safety requirement and an execution traceσ, the hazard described by the safety requirement occurs on σ if and only if σ /⊧lϕ holds. Notice that since each transition is only labeled with one action, only one event can occur per transition. In order to be able to reason about the causality of events we have to formally capture the occurrence of events. We assume that there exists a set Aof event variables that contains a boolean variable afor each actionα∈Act for some given transition system. The variable a_{T a} for instance represents the event train approaching the crossing. If multiple instances of one event type occur on one execution trace, for example the two train approaching events on

“Ta,Gc,Tc,Tl,Go,Ta”, the variables representing them are numbered according to their occurrence, for our example a_{T a1} and a_{T a2}. In other words, the i-th occurrence of some action of typeαwill be represented by the boolean variable aα_i. In the following we also abbreviate the event variable aT aby Ta.

Definition 6. Events, Event Types and Event Variables. Let T = (S,Act,→, I,AP, L) a transition system and σ=s₀, α₁, s₁, α₂, . . . α_n, s_n a finite execution trace of T. We define the following: each α∈ Act defines an event type α. α_i of σ denotes thei-th occurrence of an event of theevent type α. The variable representing the occurrence of the event αi is denoted by aα_i, and the set A = {aα₁, ..., aα_n} contains a boolean variable for each occurrence of an event.

3 Event Order Logic

Event variables allow us to reason about the occurrence of single events, but since we want to reason about the combination of events, we need a formalism that allows us to express the occurrence of event combinations. In [2] we presented the event order logic (EOL) which allows one to connect event variables fromA with the boolean connectives∧, ∨ and¬. To express the ordering of events we introduced the ordered conjunction operator.. The formulaa.bwith eventsa andbis satisfied if and only if eventsaandboccur in a trace andaoccurs before b. In addition to the.operator we introduced the interval operators.[,.], and .^< φ.^>, which define an interval in which an event has to hold in all states.

These interval operators are necessary to express the causal non-occurrence of events. We present here an amended version of the event order logic and further refine its semantics.

Definition 7. Syntax of Event Order Logic (EOL). Simple EOL formulas over a setA of event variables are formed according to the following grammar:

φ∶∶=a∣φ₁∧φ₂∣ ¬φ∣φ₁∨φ₂

wherea∈ Aandφ,φ1andφ2are simple EOL formulas. Complex EOL formulas are formed according to the following grammar:

ψ∶∶=φ∣ψ1∧ψ2∣ψ1∨ψ2∣ψ1.ψ2∣ψ.[φ∣φ.]ψ∣ψ1.<φ.>ψ2

where φ is a simple EOL formula and ψ1 and ψ2 are complex EOL formulas.

Note that the ¬ operator binds more tightly than the ., .[, .], and .< φ .>, operators and those bind more tightly than the∨ and∧operator.

The formal semantics of this logic is defined over execution traces. Notice that the.,.[,.], and.<φ.>operators are linear temporal logic operators and that the execution traceσ is akin to a linearly ordered Kripke structure.

Definition 8. Semantics of Event Order Logic (EOL). LetT = (S,Act,→, I,AP, L)a transition system, letφ,φ₁,φ₂simple EOL formulas, letψ,ψ₁,ψ₂complex EOL formulas, and let A a set of event variables, with aα_i ∈ A, over which φ, φ1,φ2 are built. Letσ=s0, α1, s1, α2, . . . αn, sn a finite execution trace of T and σ[i..r] =si, αi+1, si+1, αi+2, . . . αr, sr a partial trace. We define that an execution trace σsatisfies a formula ψ, written asσ⊧eψ, as follows:

s_j⊧ea_αiiffs_j−1Ð→^αi s_j sj⊧e¬φiff notsj⊧eφ

σ[i..r] ⊧eφiff∃j∶i≤j≤r . sj⊧eφ σ[i..r] ⊧e¬φiff∀j∶i≤j≤r . sj⊧e¬φ

σ⊧eψiffσ[0..n] ⊧eψ, where n is the length ofσ.

σ[i..r] ⊧eφ₁∧φ₂iffσ[i..r] ⊧eφ₁ andσ[i..r] ⊧eφ₂ σ[i..r] ⊧eφ1∨φ2iffσ[i..r] ⊧eφ1 orσ[i..r] ⊧eφ2

σ[i..r] ⊧e¬(φ₁∧φ₂)iffσ[i..r] ⊧e¬φ₁ andσ[i..r] ⊧e¬φ₂ σ[i..r] ⊧e¬(φ1∨φ2)iffσ[i..r] ⊧e¬φ1 andσ[i..r] ⊧e¬φ2

σ[i..r] ⊧eψ1∧ψ2iffσ[i..r] ⊧eψ1 andσ[i..r] ⊧eψ2

σ[i..r] ⊧eψ₁∨ψ₂iffσ[i..r] ⊧eψ₁ or σ[i..r] ⊧eψ₂

σ[i..r] ⊧eψ1.ψ2iff∃j, k∶i≤j<k≤r . σ[i..j] ⊧eψ1andσ[k..r] ⊧eψ2

σ[i..r] ⊧eψ.[φiff(∃j∶i≤j≤r . σ[j..j] ⊧eψand(∀k∶j≤k≤r . σ[k..k] ⊧eφ)) σ[i..r] ⊧eψ1.ψ2.[φiffσ[i..r] ⊧eψ1.ψ2 andσ[i..r] ⊧eψ2.[φ

σ[i..r] ⊧e(ψ1∧ψ2) .[φiffσ[i..r] ⊧eψ1.ψ2.[φorσ[i..r] ⊧eψ2.ψ1.[φ σ[i..r] ⊧e(ψ1∨ψ2) .[φiffσ[i..r] ⊧eψ1.[φ orσ[i..r] ⊧eψ2.[φ

σ[i..r] ⊧eφ.]ψiff(∃j∶i≤j≤r . σ[j..j] ⊧eψand(∀k∶0≤k≤j . σ[k..k] ⊧eφ)) σ[i..r] ⊧eφ.]ψ₁.ψ₂iffσ[i..r] ⊧eφ.]ψ₁ andσ[i..r] ⊧eψ₁.ψ₂

σ[i..r] ⊧eφ.](ψ1∧ψ2)iffσ[i..r] ⊧eφ.]ψ1.ψ2 orσ[i..r] ⊧eφ.]ψ2.ψ1

σ[i..r] ⊧eφ.](ψ₁∨ψ₂)iffσ[i..r] ⊧eφ.]ψ₁ orσ[i..r] ⊧eφ.]ψ₂

σ[i..r] ⊧eψ1.<φ.>ψ2iff(∃j, k∶i≤j<k≤r . σ[j..j] ⊧eψ1 andσ[k..r] ⊧eψ2

and(∀l∶j≤l≤k . σ[l..l] ⊧eφ))

σ[i..r] ⊧eψ₁.ψ₂.^<φ.^>ψ₃iffσ[i..r] ⊧eψ₁.ψ₂ andσ[i..r] ⊧eψ₂.^<φ.^>ψ₃ σ[i..r] ⊧eψ1.<φ.>ψ2.ψ3iffσ[i..r] ⊧eψ1.<φ.>ψ2 andσ[i..r] ⊧eψ2.ψ3

σ[i..r] ⊧e(ψ₁∧ψ₂) .<φ.>ψ₃iffσ[i..r] ⊧eψ₁.ψ₂.<φ.>ψ₃ orσ[i..r] ⊧eψ2.ψ1.<φ.>ψ3

σ[i..r] ⊧e(ψ1∨ψ2) .<φ.>ψ3iffσ[i..r] ⊧eψ1.<φ.>ψ3

orσ[i..r] ⊧eψ2.^<φ.^>ψ3

σ[i..r] ⊧eψ1.<φ.>(ψ2∧ψ3)iffσ[i..r] ⊧eψ1.<φ.>ψ2.ψ3

orσ[i..r] ⊧eψ₁.<φ.>ψ₃.ψ₂

σ[i..r] ⊧eψ1.<φ.>(ψ2∨ψ3)iffσ[i..r] ⊧eψ1.<φ.>ψ2

orσ[i..r] ⊧eψ1.<φ.>ψ3

We define that the transition systemT satisfies the formulaψ, written asT⊧e

ψ, iff∃σ∈T . σ⊧eψ.

We will now show that there are EOL formulas that are different with respect to syntax but equivalent with respect to the semantics and consequently evaluate to the same truth-value under all interpretations. These equivalences can be used to rewrite EOL formulas, which we will later need in order to translate EOL formulas into LTL formulas.

Definition 9. Equivalences of EOL formulas. Let T = (S,Act,→, I,AP, L) a transition system, letφ₁,φ₂ simple EOL formulas, let ψ₁,ψ₂,ψ₃ complex EOL formulas, and let A a set of event variables, with a_αi ∈ A, over which φ, φ₁, φ₂ are built. Let σ = s₀, α₁, s₁, α₂, . . . α_n, s_n a finite execution trace of T and σ[i..r] =s_i, α_i+1, s_i+1, α_i+2, . . . α_r, s_r a partial trace. Two EOL formulas ψ₁ and ψ2 are equivalent, denoted by ψ1≡ψ2 iffσ[i..r] ⊧eψ1⇔σ[i..r] ⊧eψ2.

¬(φ1∧φ2) ≡ ¬φ1∧ ¬φ2

¬(φ1∨φ2) ≡ ¬φ1∧ ¬φ2

¬(φ1∧φ2) ≡ ¬(φ1∨φ2) ψ1∧ψ2 ≡ ψ1.ψ2∨ψ2.ψ1

(ψ1∧ψ2) .ψ3 ≡ ψ1.ψ3∧ψ2.ψ3

ψ1. (ψ2∧ψ3) ≡ ψ1.ψ2∧ψ1.ψ3

(ψ1∨ψ2) .ψ3 ≡ ψ1.ψ3∨ψ2.ψ3

ψ₁. (ψ₂∨ψ₃) ≡ ψ₁.ψ₂∨ψ₁.ψ₃ ψ₁.ψ₂∧ψ₁.ψ₃ ≡ ψ₁.ψ₃∧ψ₁.ψ₂

ψ₁.ψ₂.ψ₃ ≡ ψ₁.ψ₂∧ψ₁.ψ₃∧ψ₂.ψ₃ ψ₁.[(φ₁∧φ₂) ≡ ψ₁.[φ₁∧ψ₁.[φ₂

ψ₁.[(φ₁∨φ₂) ≡ ψ₁.[φ₁∨ψ₁.[φ₂ (φ1∧φ2) .]ψ1 ≡ φ1.]ψ1∧φ2.]ψ1

(φ1∨φ2) .]ψ1 ≡ φ1.]ψ1∨φ2.]ψ1

ψ1.<(φ1∨φ2) .>ψ2≡ ψ1.<φ1.>ψ2∨ψ1.<φ2.>ψ2

Note that ¬(φ1∧φ2) /≡ (¬φ1∨ ¬φ2). An example of two equivalent formulas from the railroad crossing example from Section 2.2 are ψ1=Ta.Tc∧Ca.Cc and ψ2=Ca.Cc∧Ta.Tc which both state that the event train approaching (Ta) happens before the train crossing (Tc) event and the car approaching (Ca) event happens before the car crossing (Cc) event without imposing a restriction on the order of, for instance, the events train approaching and car approaching.

Another example isψ3= (¬Gc∧¬Gf).]Ca andψ4= ¬Gc.]Ca∧¬Gf.]Ca which both state that before the car approaching event neither the gate closing event (Gc) nor the gate failed (Gf) event occurs.

We will now prove the equivalences of EOL formulas from Def. 9.

Theorem 1. ¬(φ1∧φ2) ≡ ¬φ1∧ ¬φ2

Proof. ¬(φ1∧φ2) ≡ ¬φ1∧ ¬φ2 holds if for any transition system T and all traces σin T: σ⊧e¬(φ1∧φ2) ⇔σ⊧e¬φ1∧ ¬φ2.

σ[i..r] ⊧e¬(φ₁∧φ₂) ⇔σ[i..r] ⊧e¬φ₁ andσ[i..r] ⊧e¬φ₂

⇔σ[i..r] ⊧e¬φ1∧ ¬φ2

⊓⊔

Theorem 2. ¬(φ1∨φ2) ≡ ¬φ1∧ ¬φ2

Proof. ¬(φ1∨φ2) ≡ ¬φ1∧ ¬φ2 holds if for any transition system T and all traces σin T: σ⊧e¬(φ1∨φ2) ⇔σ⊧e¬φ1∧ ¬φ2.

σ[i..r] ⊧e¬(φ1∨φ2) ⇔σ[i..r] ⊧e¬φ1 andσ[i..r] ⊧e¬φ2

⇔σ[i..r] ⊧e¬φ1∧ ¬φ2

⊓⊔

Theorem 3. ¬(φ₁∧φ₂) ≡ ¬(φ₁∨φ₂)

Proof. ¬(φ₁∧φ₂) ≡ ¬(φ₁∨φ₂)holds if for any transition system T and all traces σin T: σ⊧e¬(φ₁∧φ₂) ⇔σ⊧e¬(φ₁∨φ₂).

σ[i..r] ⊧e¬(φ1∧φ2) ⇔σ[i..r] ⊧e¬φ1 andσ[i..r] ⊧e¬φ2

⇔σ[i..r] ⊧e¬φ₁∧ ¬φ₂

⇔σ[i..r] ⊧e¬(φ1∨φ2)

⊓⊔

Theorem 4. ψ₁∧ψ₂≡ψ₁.ψ₂∨ψ₂.ψ₁

Proof. ψ₁∧ψ₂≡ψ₁.ψ₂∨ψ₂.ψ₁ holds if for any transition system T and all tracesσ in T:σ⊧eψ₁∧ψ₂⇔σ⊧eψ₁.ψ₂∨ψ₂.ψ₁.

σ[i..r] ⊧eψ1∧ψ2⇔σ[i..r] ⊧eψ1and σ[i..r] ⊧eψ2

⇔ ∃j∶i≤j≤r . σ[i..j] ⊧eψ₁or σ[j..r] ⊧eψ₁ andσ[i..j] ⊧eψ2or σ[j..r] ⊧eψ2

⇔ ∃j∶i≤j≤r . σ[i..j] ⊧eψ1andσ[j..r] ⊧eψ2

orσ[i..j] ⊧eψ2 andσ[j..r] ⊧eψ1

⇔σ[i..r] ⊧eψ1.ψ2∨ψ2.ψ1

⊓⊔

Theorem 5. (ψ1∧ψ2) .ψ3≡ψ1.ψ3∧ψ2.ψ3

Proof. (ψ₁∧ψ₂) .ψ₃≡ψ₁.ψ₃∧ψ₂.ψ₃holds if for any transition system T and all tracesσin T: σ⊧e(ψ₁∧ψ₂) .ψ₃⇔σ⊧eψ₁.ψ₃∧ψ₂.ψ₃.

σ[i..r] ⊧e(ψ1∧ψ2) .ψ3⇔ ∃j, k∶i≤j<k≤r . σ[i..j] ⊧e(ψ1∧ψ2)andσ[k..r] ⊧eψ3

⇔ ∃j, k∶i≤j<k≤r . σ[i..j] ⊧eψ1and σ[i..j] ⊧eψ2

andσ[k..r] ⊧eψ3

⇔ ∃j, l, k∶i≤j<k≤r andi≤l<k≤r . σ[i..j] ⊧eψ₁ andσ[i..l] ⊧eψ2 andσ[k..r] ⊧eψ3

⇔ ∃j, l, k∶i≤j<k≤r andi≤l<k≤r . σ[i..j] ⊧eψ₁ andσ[k..r] ⊧eψ3andσ[i..l] ⊧eψ2 andσ[k..r] ⊧eψ3

⇔σ[i..r] ⊧eψ1.ψ3∧ψ2.ψ3

⊓⊔

Theorem 6. ψ₁. (ψ₂∧ψ₃) ≡ψ₁.ψ₂∧ψ₁.ψ₃

Proof. ψ1. (ψ2∧ψ3) ≡ψ1.ψ2∧ψ1.ψ3holds if for any transition system T and all tracesσin T: σ⊧eψ1. (ψ2∧ψ3) ⇔σ⊧eψ1.ψ2∧ψ1.ψ3.

σ[i..r] ⊧eψ1. (ψ2∧ψ3) ⇔ ∃j, k∶i≤j<k≤r . σ[i..j] ⊧eψ1and σ[k..r] ⊧e(ψ2∧ψ3)

⇔ ∃j, k∶i≤j<k≤r . σ[i..j] ⊧eψ₁and σ[k..r] ⊧eψ₂ andσ[k..r] ⊧eψ3

⇔ ∃j, k∶i≤j<k≤r σ[i..j] ⊧eψ1andσ[k..r] ⊧eψ2

andσ[i..j] ⊧eψ₁ andσ[k..r] ⊧eψ₃

⇔σ[i..r] ⊧eψ1.ψ2∧ψ1.ψ3

⊓⊔

Theorem 7. (ψ₁∨ψ₂) .ψ₃≡ψ₁.ψ₃∨ψ₂.ψ₃

Proof. (ψ1∨ψ2) .ψ3≡ψ1.ψ3∨ψ2.ψ3holds if for any transition system T and all tracesσin T: σ⊧e(ψ1∨ψ2) .ψ3⇔σ⊧eψ1.ψ3∨ψ2.ψ3.

σ[i..r] ⊧e(ψ1∨ψ2) .ψ3⇔ ∃j, k∶i≤j<k≤r . σ[i..j] ⊧e(ψ1∨ψ2)andσ[k..r] ⊧eψ3

⇔ ∃j, k∶i≤j<k≤r .(σ[i..j] ⊧eψ1 orσ[i..j] ⊧eψ2) andσ[k..r] ⊧eψ₃

⇔ ∃j, l, k∶i≤j<k≤r andi≤l<k≤r .(σ[i..j] ⊧eψ1

orσ[i..l] ⊧eψ₂) andσ[k..r] ⊧eψ₃

⇔ ∃j, l, k∶i≤j<k≤r andi≤l<k≤r .(σ[i..j] ⊧eψ1

andσ[k..r] ⊧eψ3)or(σ[i..l] ⊧eψ2 andσ[k..r] ⊧eψ3)

⇔σ[i..r] ⊧eψ1.ψ3∨ψ2.ψ3

⊓⊔

Theorem 8. ψ1. (ψ2∨ψ3) ≡ψ1.ψ2∨ψ1.ψ3

Proof. ψ1. (ψ2∨ψ3) ≡ψ1.ψ2∨ψ1.ψ3holds if for any transition system T and all tracesσin T: σ⊧eψ₁. (ψ₂∨ψ₃) ⇔σ⊧eψ₁.ψ₂∨ψ₁.ψ₃.

σ[i..r] ⊧eψ1. (ψ2∨ψ3) ⇔ ∃j, k∶i≤j<k≤r . σ[i..j] ⊧eψ1and σ[k..r] ⊧e(ψ2∨ψ3)

⇔ ∃j, k∶i≤j<k≤r . σ[i..j] ⊧eψ1and (σ[k..r] ⊧eψ2

orσ[k..r] ⊧eψ₃)

⇔ ∃j, k∶i≤j<k≤r σ[i..j] ⊧eψ1andσ[k..r] ⊧eψ2

orσ[i..j] ⊧eψ₁andσ[k..r] ⊧eψ₃

⇔σ[i..r] ⊧eψ1.ψ2∨ψ1.ψ3

⊓⊔

Theorem 9. ψ1.ψ2∧ψ1.ψ3≡ψ1.ψ3∧ψ1.ψ2

Proof. ψ1.ψ2∧ψ1.ψ3≡ψ1.ψ3∧ψ1.ψ2 holds if for any transition system T and all tracesσin T: σ⊧eψ₁.ψ₂∧ψ₁.ψ₃⇔σ⊧eψ₁.ψ₃∧ψ₁.ψ₂.

σ[i..r] ⊧eψ1.ψ2∧ψ1.ψ3⇔σ[i..r] ⊧eψ1.ψ2andσ[i..r] ⊧eψ1.ψ3

⇔σ[i..r] ⊧eψ1.ψ3∧ψ1.ψ2

⊓⊔

Theorem 10. ψ1.ψ2.ψ3≡ψ1.ψ2∧ψ1.ψ3∧ψ2.ψ3

Proof. ψ1.ψ2.ψ3≡ψ1.ψ2∧ψ1.ψ3∧ψ2.ψ3holds if for any transition system T and all tracesσin T:σ⊧eψ1.ψ2.ψ3⇔σ⊧eψ1.ψ2∧ψ1.ψ3∧ψ2.ψ3.

σ[i..r] ⊧eψ1.ψ2.ψ3⇔ ∃j, k, l∶i≤j<k<l≤r . σ[i..j] ⊧eψ1

andσ[k..l−1] ⊧eψ₂andσ[l..r] ⊧eψ₃

⇔σ[i..r] ⊧eψ1.ψ2∧ψ1.ψ3∧ψ2.ψ3

⊓⊔

Theorem 11. ψ1.[(φ1∧φ2) ≡ψ1.[φ1∧ψ1.[φ2

Proof. ψ1.[(φ1∧φ2) ≡ψ1.[φ1∧ψ1.[φ2 holds if for any transition system T and all tracesσin T: σ⊧eψ1.[(φ1∧φ2) ⇔σ⊧eψ1.[φ1∧ψ1.[φ2.

σ[i..r] ⊧eψ1.[(φ1∧φ2) ⇔ (∃j∶i≤j≤r . σ[j..j] ⊧eψ1and (∀k∶j≤k≤r . σ[k..k] ⊧e(φ₁∧φ₂)))

⇔ (∃j∶i≤j≤r . σ[j..j] ⊧eψ1and

(∀k∶j≤k≤r . σ[k..k] ⊧eφ₁and σ[k..k] ⊧eφ₂))

⇔σ[i..r] ⊧eψ1.[φ1∧ψ1.[φ2

In theoryσ[k..k] ⊧e(φ1∧φ2)is not possible since only one event is allowed per states_k but this form is needed forσ[k..k] ⊧e¬(φ₁∧φ₂) ⊓⊔

Theorem 12. ψ₁.[(φ₁∨φ₂) ≡ψ₁.[φ₁∨ψ₁.[φ₂

Proof. ψ₁.[(φ₁∨φ₂) ≡ψ₁.[φ₁∨ψ₁.[φ₂ holds if for any transition system T and all tracesσin T: σ⊧eψ₁.[(φ₁∨φ₂) ⇔σ⊧eψ₁.[φ₁∨ψ₁.[φ₂.

σ[i..r] ⊧eψ₁.[(φ₁∨φ₂) ⇔ (∃j∶i≤j≤r . σ[j..j] ⊧eψ₁ and (∀k∶j≤k≤r . σ[k..k] ⊧e(φ1∨φ2)))

⇔ (∃j∶i≤j≤r . σ[j..j] ⊧eψ1 and

(∀k∶j≤k≤r . σ[k..k] ⊧eφ₁ orσ[k..k] ⊧eφ₂))

⇔σ[i..r] ⊧eψ1.[φ1∨ψ1.[φ2

⊓⊔

Theorem 13. (φ1∧φ2) .]ψ1≡φ1.]ψ1∧φ2.]ψ1

Proof. (φ1∧φ2) .]ψ1≡φ1.]ψ1∧φ2.]ψ1 holds if for any transition system T and all tracesσin T: σ⊧e(φ1∧φ2) .]ψ1⇔σ⊧eφ1.]ψ1∧φ2.]ψ1.

σ[i..r] ⊧e(φ1∧φ2) .]ψ1⇔ (∃j∶i≤j≤r . σ[j..j] ⊧eψ1 and (∀k∶0≤k≤j . σ[k..k] ⊧e(φ₁∧φ₂)))

⇔ (∃j∶i≤j≤r . σ[j..j] ⊧eψ1 and

(∀k∶0≤k≤j . σ[k..k] ⊧eφ1 andσ[k..k] ⊧eφ2))

⇔σ[i..r] ⊧eφ₁.]ψ₁∧φ₂.]ψ₁

In theoryσ[k..k] ⊧e(φ1∧φ2)is not possible since only one event is allowed per statesk but this form is needed forσ[k..k] ⊧e¬(φ1∧φ2) ⊓⊔

Theorem 14. (φ1∨φ2) .]ψ1≡φ1.]ψ1∨φ2.]ψ1

Proof. (φ1∨φ2) .]ψ1≡φ1.]ψ1∨φ2.]ψ1 holds if for any transition system T and all tracesσin T: σ⊧e(φ1∨φ2) .]ψ1⇔σ⊧eφ1.]ψ1∨φ2.]ψ1.

σ[i..r] ⊧e(φ1∨φ2) .]ψ1⇔ (∃j∶i≤j≤r . σ[j..j] ⊧eψ1and (∀k∶0≤k≤j . σ[k..k] ⊧e(φ₁∨φ₂)))

⇔ (∃j∶i≤j≤r . σ[j..j] ⊧eψ1and

(∀k∶0≤k≤j . σ[k..k] ⊧eφ₁ orσ[k..k] ⊧eφ₂))

⇔σ[i..r] ⊧eφ1.]ψ1∨φ2.]ψ1

⊓⊔

Theorem 15. ψ1.<(φ1∨φ2) .>ψ2≡ψ1.<φ1.>ψ2∨ψ1.<φ2.>ψ2

Proof. ψ₁.^<(φ₁∨φ₂) .^>ψ₂ ≡ψ₁.^<φ₁.^>ψ₂∨ψ₁.^<φ₂.^>ψ₂ holds if for any transition system T and all traces σ in T: σ ⊧eψ₁.^<(φ₁∨φ₂) .^>ψ₂⇔ σ⊧e

ψ₁.^<φ₁.^>ψ₂∨ψ₁.^<φ₂.^>ψ₂.

σ[i..r] ⊧eψ1.<(φ1∨φ2) .>ψ2⇔ (∃j, k∶i≤j<k≤r . σ[j..j] ⊧eψ1

andσ[k..k] ⊧eψ2and(∀l∶j≤l≤k . σ[l..l] ⊧e(φ₁∨φ₂)))

⇔ (∃j, k∶i≤j<k≤r . σ[j..j] ⊧eψ1

andσ[k..k] ⊧eψ₂and(∀l∶j≤l≤k . σ[l..l] ⊧eφ1 orσ[l..l] ⊧eφ2))

⇔ψ1.<φ1.>ψ2∨ψ1.<φ2.>ψ2

⊓⊔

In order to be later able to define translation rules from EOL to LTL we will now define the event order normal form (EONF) which permits the unordered and-(∧) andor-operator (∨) only if they are not bound by any ordered operator and in addition permits the unordered and-operator (∧) in the scope of the between operators.< and.>.

Definition 10. Event Order Normal Form (EONF) The set of EOL formulas over a setAof event variables in event order normal form (EONF) is given by:

φ∶∶=a∣ ¬φ

φ∧∶∶=φ∣φ∧∣ ¬φ∧∣φ∧₁∧φ∧₂

ψ∶∶=φ∣φ1.φ2∣φ.[φ∣φ.]φ∣φ1.<φ∧.>φ2

ψ∧∶∶=ψ∣ψ∧∣ψ∧₁∧ψ∧₂∣ψ∧₁∨ψ∧₂

where a ∈ A and φ, φ1, φ2 are simple EOL formulas in EONF and φ∧, φ∧₁

and φ∧₂ are simple EOL formulas containing the∧-operator in EONF and ψ∧, ψ∧1 and ψ∧2 are complex EOL formulas containing the∧-operator and / or ∨- operator in EONF.

An EOL formula can be transformed into an equivalent EOL formula in EONF by rewriting using the equivalence rules from Def. 9. For instance, the EOL formulaψ=Ta.Gc.Tc can be rewritten in EONF asψ^′=Ta.Gc∧Gc. Tc∧Ta.Tc.

Theorem 16. For each EOL formula there exists a semantically equivalent EOL formula in EONF.

Proof. Each of the following transformations allows to rewrite a EOL formula that is not in EONF into an semantically equivalent EOL formula which is in EONF.

EONF((φ₁∧φ₂) .φ₃) = φ₁.φ₃∧φ₂.φ₃ EONF((φ₁∨φ₂) .φ₃) = φ₁.φ₃∨φ₂.φ₃ EONF(φ₁. (φ₂∧φ₃)) = φ₁.φ₂∧φ₁.φ₃ EONF(φ₁. (φ₂∨φ₃)) = φ₁.φ₂∨φ₁.φ₃

EONF(φ₁.φ₂.φ₃) = φ₁.φ₂∧φ₁.φ₃∧φ₂.φ₃ EONF((φ1∧φ2) .]φ3) = φ1.]φ3∧φ2.]φ3

EONF((φ1∨φ2) .]φ3) = φ1.]φ3∨φ2.]φ3

EONF(φ1.[(φ2∧φ3)) = φ1.[φ2∧φ1.[φ3

EONF(φ1.[(φ2∨φ3)) = φ1.[φ2∨φ1.[φ3

EONF(φ1.<(φ2∨φ3) .>φ4) =φ1.<φ2.>φ4∨φ1.<φ3.>φ4

⊓⊔

4 Event Order Logic and Linear Temporal Logic

In this section we will show that the EOL is a sub-set of the LTL and hence, it is possible to translate each EOL formula into an equivalent LTL formula.

An EOL formula and an LTL formula are equivalent if they are satisfied by the same set of execution traces. More formally we define

Definition 11. An EOL formula ψ and an LTL formula ϕ are equivalent de- noted byψ≡ϕif any transition system T and all tracesσin T:σ⊧eψ⇔σ⊧lϕ.

We will now define translation rules that can be used to translate a EOL formula in EONF into a equivalent LTL formula.

Definition 12. LTL formula for an EOL formula. Letψ an EOL formula that is built over the set of event variables a∈ A and is in EONF. The states in T are labeled with an atomic proposition indicating whether the event represented by the event variable a leads to this states. More formally, if s_j−1 Ð→^αi s_j then aα_i ∈ L(sj). The equivalent EOL formula for an EOL formula ψ can be con- structed as follows:

Ifψdoes contain one of the ordered operators.,.[,.], or.<....>the transla- tion function LTL.(ψ)is used, LTL(ψ)else. The translation functions LTL.(ψ) and LTL(ψ)are applied recursively over the structure ofψ.

LTL(a_αi) =3a_αi LTL(¬a_αi) =2¬a_αi

LTL(φ₁∧φ₂) =LTL(φ₁) ∧LTL(φ₂) LTL(¬(φ₁∧φ₂)) =LTL(¬φ₁) ∧LTL(¬φ₂)

LTL.(a) =a

LTL.(¬a) = ¬a

LTL.(φ1∧φ2) =LTL.(φ1) ∧LTL.(φ2) LTL.(¬(φ1∧φ2)) =LTL.(¬φ1) ∧LTL.(¬φ2) LTL.(ψ∧₁∧ψ∧₂) =LTL.(ψ∧₁) ∧LTL.(ψ∧₂) LTL.(ψ∧₁∨ψ∧₂) =LTL.(ψ∧₁) ∨LTL.(ψ∧₂) LTL.(φ1.φ2) =3(LTL.(φ1) ∧3LTL.(φ2)) LTL.(φ1.[φ2) =3(LTL.(φ1) ∧2LTL.(φ2)) LTL.(φ1.]φ2) =LTL.(φ1) ULTL.(φ2)

LTL.(φ1.<φ∧.>φ2) =3(LTL.(φ1) ∧ (LTL.(φ∧) ULTL.(φ2))

whereaα_iis an Event variable and the corresponding atomic proposition with which the state is labeled, φ,φ1,φ2 are simple EOL formulas in EONF, φwedge

is a simple EOL formula in EONF containing the∧-operator, andψ∧,ψ∧₁ and ψ∧₂ are complex EOL formulas containing the ∧-operator and / or ∨-operator in EONF.

It remains to show that the translation rules defined in Def. 12 are equivalent with respect to Def. 11.

Theorem 17. sj⊧eaα_i ≡sj⊧laα_i

Proof. s_j⊧ea_αi ≡s_j⊧la_αi holds if for any transition system T and all states s in T: s⊧ea_αi⇔s⊧la_αi.

s_j⊧ea_αi ⇔ s_j⊧la_αi s_j⊧ea_αi iff s_j−1Ð→^αi s_j ⇔s_j⊧la_αi iffa_αi ∈L(s_j)

Per definitionaα_i∈L(sj)holds ifsj−1 αi

Ð→sj.

⊓⊔

Theorem 18. s_j⊧e¬a_αi ≡s_j⊧l¬a_αi

Proof. sj⊧e¬aα_i≡sj⊧l¬aα_i holds if for any transition system T and all states s in T:s⊧e¬aα_i⇔s⊧l¬aα_i.

sj⊧e¬aα_i ⇔ sj⊧l¬aα_i

sj⊧e¬aα_iiff not sj−1 α_i

Ð→sj⇔sj⊧l¬aα_i iff notaα_i∈L(sj)

⊓⊔

Theorem 19. σ⊧ea_αi≡σ⊧l3a_αi

Proof. σ⊧eaαi≡σ⊧l3aαi holds if for any transition system T and all tracesσ in T: σ⊧eaαi⇔σ⊧l3aαi.

σ⊧eaα_i ⇔ σ⊧l3aα_i

σ⊧eaα_iiff ∃j∶0≤j≤n . sj⊧eaα_i⇔ σ⊧l trueUaα_i iff∃k≥0. σ[k...] ⊧laα_i

and∀j∶0≤j<k . σ[j...] ⊧l true

⇔ σ⊧l trueUa_αi iff∃k≥0. σ[k...] ⊧la_αi

⊓⊔

Theorem 20. σ⊧e¬aα_i≡σ⊧l2¬aα_i

Proof. σ⊧e¬a_αi≡σ⊧l2¬a_αiholds if for any transition system T and all traces σin T: σ⊧e¬a_αi⇔σ⊧l2¬a_αi.

σ⊧e¬aα_i ⇔ σ⊧l2¬aα_i

σ⊧e¬aαiiff

∀j∶0≤j≤n . s_j⊧e¬a_αi ⇔ σ⊧l¬(trueU ¬¬aαi)iff not

∃k≥0. σ[k...] ⊧l¬¬a_αi

⇔ σ⊧l¬(trueU a_αi)iff not

∃k≥0. σ[k...] ⊧la_αi

⇔ σ⊧l¬(trueUaα_i)iff

∀k≥0. σ[k...] ⊧l¬aα_i

⊓⊔

Theorem 21. σ⊧eφ1∧φ2≡σ⊧lLTL(φ1) ∧LTL(φ2)

Proof. σ⊧eφ1∧φ2≡σ⊧lLTL(φ1) ∧LTL(φ2)holds if for any transition system T and all tracesσin T:σ⊧eφ1∧φ2⇔σ⊧lLTL(φ1) ∧LTL(φ2)

σ⊧eφ₁∧φ₂ ⇔ σ⊧lLTL(φ₁) ∧LTL(φ₂) σ⊧eφ₁∧φ₂iff

σ⊧eφ1 andσ⊧eφ2 ⇔ σ⊧lLTL(φ₁) ∧LTL(φ₂)iff σ⊧lLTL(φ1)andσ⊧lLTL(φ2)

⊓⊔

Theorem 22. σ⊧e¬(φ1∧φ2) ≡σ⊧lLTL(¬φ1) ∧LTL(¬φ2)

Proof. σ⊧e¬(φ1∧φ2) ≡σ⊧lLTL(¬φ1) ∧LTL(¬φ2)holds if for any transition system T and all traces σin T:σ⊧e¬(φ1∧φ2) ⇔σ⊧lLTL(¬φ1) ∧LTL(¬φ2)

σ⊧e¬(φ₁∧φ₂) ⇔ σ⊧lLTL(¬φ₁) ∧LTL(¬φ₂) σ⊧e¬(φ₁∧φ₂)iff

σ⊧e¬φ₁ andσ⊧e¬φ₂ ⇔ σ⊧lLTL(¬φ₁) ∧LTL(¬φ₂)iff σ⊧lLTL(¬φ₁)and LTL(¬φ₂)

⊓⊔

Theorem 23. σ⊧eφ1∧φ2≡σ⊧lLTL.(φ1) ∧LTL.(φ2)

Proof. σ ⊧e φ1∧φ2 ≡ σ ⊧l LTL.(φ1) ∧LTL.(φ2) holds if for any transition system T and all traces σ in T:σ⊧eφ1∧φ2 ⇔σ⊧lLTL.(φ1) ∧LTL.(φ2). If LTL. is appliedφ1∧φ2can only occur in the formulaφ1^′.<(φ1∧φ2) .>φ2^′ and consequently according to the semantics of EOL has to hold on someσ[l..l] ≡sl.

s_l⊧eφ₁∧φ₂ ⇔ s_l⊧lLTL.(φ₁) ∧LTL.(φ₂) s_l⊧eφ₁∧φ₂iff

sl⊧eφ1 andsl⊧eφ2 ⇔ s_l⊧lLTL.(φ₁) ∧LTL.(φ₂)iff sl⊧lLTL.(φ1)andsl⊧lLTL.(φ2)

⊓⊔

Theorem 24. σ⊧e¬(φ1∧φ2) ≡σ⊧lLTL.(¬φ1) ∧LTL.(¬φ2)

Proof. σ⊧e¬(φ₁∧φ₂) ≡σ⊧lLTL.(¬φ₁)∧LTL.(¬φ₂)holds if for any transition system T and all tracesσin T:σ⊧e¬(φ1∧φ2) ⇔σ⊧lLTL.(¬φ1)∧LTL.(¬φ2). If LTL.is applied¬(φ1∧φ2)can only occur in the formulaφ1^′.<¬(φ1∧φ2).>φ2^′

and consequently according to the semantics of EOL has to hold on someσ[l..l] ≡ sl.

sl⊧e¬(φ1∧φ2) ⇔ sl⊧lLTL.(¬φ1) ∧LTL.(¬φ2) s_l⊧e¬(φ₁∧φ₂)iff

s_l⊧e¬φ₁ ands_l⊧e¬φ₂ ⇔ s_l⊧lLTL.(¬φ₁) ∧LTL.(¬φ₂)iff s_l⊧lLTL.(¬φ₁)and LTL.(¬φ₂)

⊓⊔

Theorem 25. σ⊧eψ∧₁∧ψ∧2≡σ⊧lLTL.(ψ∧₁) ∧LTL.(ψ∧2)

Proof. σ⊧eψ∧₁∧ψ∧2≡LTL.(ψ∧₁)∧LTL.(ψ∧2)holds if for any transition system T and all tracesσin T:σ⊧eψ∧₁∧ψ_∧2⇔σ⊧lLTL.(ψ∧₁) ∧LTL.(ψ_∧2)

σ⊧eψ∧₁∧ψ∧2 ⇔ σ⊧lLTL.(ψ∧₁) ∧LTL.(ψ∧2) σ⊧eψ∧₁∧ψ∧2iff

σ⊧eψ∧₁ and σ⊧eψ∧2 ⇔ σ⊧lLTL.(ψ∧₁) ∧LTL.(ψ∧2)iff σ⊧lLTL.(ψ∧₁)andσ⊧lLTL.(ψ∧2)

⊓⊔

Theorem 26. σ⊧eψ∧1∨ψ∧2≡σ⊧lLTL.(ψ∧1) ∨LTL.(ψ∧2)

Proof. σ⊧eψ∧₁∨ψ∧2≡LTL.(ψ∧₁)∨LTL.(ψ∧2)holds if for any transition system T and all tracesσin T:σ⊧eψ∧₁∨ψ∧2⇔σ⊧lLTL.(ψ∧₁) ∨LTL.(ψ∧2)

σ⊧eψ∧₁∨ψ∧2 ⇔ σ⊧lLTL.(ψ∧₁) ∨LTL.(ψ∧2) σ⊧eψ∧₁∨ψ∧2iff

σ⊧eψ∧₁ or σ⊧eψ_∧2 ⇔ σ⊧lLTL.(ψ∧₁) ∨LTL.(ψ∧2)iff σ⊧lLTL.(ψ∧₁)orσ⊧lLTL.(ψ_∧2)

⊓⊔

Theorem 27. σ⊧eφ1.φ2≡3(LTL.(φ1) ∧3LTL.(φ2))

Proof. σ ⊧e φ1.φ2 ≡ 3(LTL.(φ1) ∧3LTL.(φ2)) holds if for any transition system T and all traces σin T:σ⊧eφ1.φ2⇔3(LTL.(φ1) ∧3LTL.(φ2))

σ⊧eφ1.φ2 ⇔3(LTL.(φ1) ∧3LTL.(φ2))

σ⊧eφ1.φ2iff

∃j, k∶0≤j<k≤n . σ[0..j] ⊧eφ1

andσ[k..n] ⊧eφ₂

⇔

σ⊧l trueU (LTL.(φ1)∧

trueU (LTL.(φ2)))iff

∃j≥0. σ[j...] ⊧l(LTL.(φ₁)∧

trueU (LTL.(φ₂)))

⇔

σ⊧l trueU (LTL.(φ₁)∧

trueU (LTL.(φ₂)))iff

∃j≥0. σ[j...] ⊧lLTL.(φ₁) and

∃k≥j . σ[k...] ⊧lLTL.(φ2)

⊓⊔

Theorem 28. σ⊧eφ1.[φ2≡σ⊧l3(LTL.(φ1) ∧2LTL.(φ2))

Proof. σ⊧eφ1.[φ2≡σ⊧l3(LTL.(φ1)∧2LTL.(φ2))holds if for any transition system T and all tracesσin T:σ⊧eφ1.[φ2⇔σ⊧l3(LTL.(φ1)∧2LTL.(φ2))

σ⊧eφ1.[φ2 ⇔ σ⊧l3(LTL.(φ1) ∧2LTL.(φ2)) σ⊧eφ1.[φ2 iff

∃j∶0≤j≤n . σ[j..j] ⊧eφ1 and

∀k∶j≤k≤n . σ[k..k] ⊧eφ2

⇔ σ⊧l3(LTL.(φ1) ∧2LTL.(φ2))iff trueU(LTL.(φ1) ∧ ¬(trueU¬LTL.(φ2)))

⇔ ∃j∶j≥0. σ[j..] ⊧lLTL.(φ1)and

∀k∶k≥j . σ[k..] ⊧lLTL.(φ2)

⊓⊔

Theorem 29. σ⊧eφ₁.]φ₂≡LTL.(φ₁) ULTL.(φ₂)

Proof. σ⊧eφ1.]φ2≡LTL.(φ1) ULTL.(φ2)holds if for any transition system T and all tracesσin T:σ⊧eφ1.]φ2⇔LTL.(φ1) ULTL.(φ2)

σ⊧eφ1.]φ2 ⇔ LTL.(φ1) ULTL.(φ2) σ⊧eφ1.]φ2iff

∃j∶i≤j≤r . σ[j..j] ⊧eψand

∀k∶0≤k≤j . σ[k..k] ⊧eφ1

⇔

LTL.(φ1) ULTL.(φ2)iff

∃j∶j≥0. σ[j..] ⊧lLTL.(φ2)and

∀k∶0≤k≤j . σ[k..] ⊧lLTL.(φ1)

⊓⊔

Theorem 30. σ⊧eφ₁.^<φ∧.^>φ₂≡σ⊧l3(LTL.(φ₁)∧(LTL.(φ∧) ULTL.(φ₂))) Proof. σ⊧eφ1.<φ∧.>φ2≡σ⊧l3(LTL.(φ1) ∧ (LTL.(φ∧) ULTL.(φ2)))holds if for any transition system T and all tracesσ in T:σ⊧eφ1.<φ∧.>φ2⇔σ⊧l

3(LTL.(φ1) ∧ (LTL.(φ∧) ULTL.(φ2)))