is it important to explain a theorem? a case study in uml and alcqi

Is It Important to Explain a Theorem?A Case Study on UML and ALCQI

Edward Hermann Haeusler Alexandre Rademaker

Departamento de Informática - PUC-Rio - Brasil

Ethecom 2009

Conceptual Modelling from a Logical Point of ViewMain Steps

1. Observe the “World”.

2. Determine what is relevant.

3. Choose/Define your terminology (non-logical linguistic terms).

4. Write down the main laws governing your “World” (Axioms).

5. Verify the correctness (sometimes completeness too) of your setof Laws.

Additional Observations

I Steps 1 and 2 may be facilitated by the use of an informalnotation (UML, ER, FlowCharts, etc) and their respectivemethodology, but it is essentially “Black Art” (cf. Maibaum).

I Step 5 full-filling demands quite a lot of knowledge of the Model.

I Step 5 essentially provides finitely many tests as support for thecorrectness of an infinite quantification.

The Validation Cycle

Figure: Refinements and Cascaded Validation

Validation of (Formal?) Specifications

The Scientific Basis of our approach

I Results/analysis of the philosophy of science are compared tosoftware validation [Haeberer98, Maibaum01, Cengarle98, C.George05, etc].

I Formal Specifications as Scientific Theories⇒ Observableterms, Theoretical terms, Evidences, Refutations, FalseNegatives, False positives, etc.

I Popper’s Falseability Principle drives (formal) validation analysis.

I Correctness⇔ Positives and False Positives.

I Completeness⇔ Negatives and False Negatives.

Positives, False Negatives, False Positives

Is anything true about Truth ??

I M |= φ and Spec(M) ` φ.

I Why is φ truth ?? Provide me a proof of φ.

Is anything wrong with the Truth ??

I M |= φ, but Spec(M) 6|= φ.

I A counter-model is found. Why is this a counter-model ??

I Model-Checking based reasoning is of great help !!

I Explanations from counter-examples.

Is anything true about Falsity ??

I M 6|= φ, but Spec(M) ` φ.

I Why does this false proposition hold ?? Provide me a proof of φ.

Existing Deductive Systems Paradigms

1. Aristotle’s Syllogisms (300 B.C.)2. Axiomatic (Frege1879, Hilbert, Russell).3. Natural Deduction (Jaskowski1929,Gentzen1934-5,

Prawitz1965)4. Sequent Calculus (Gentzen1934-5)5. Tableaux (Beth 1955, Smullyan1964)6. Resolution-Based (A.Robinson1965)

Conceptual Modelling: Some motivation on explaining a theorem

Consider an ontology/KB containing:

(Quad ∧ PissOnFireHydrant)→ Dog

Consider an ontology/KB containing:

(Quad ∧ PissOnFireHydrant)→ Dog

This KB draws

(Quad → Dog) ∨ (PissOnFireHidrant → Dog)

Verifying this using Tableaux: V Quad ∧ PoFH → Dog

F(Quad → Dog) ∨ (PoFH → Dog)

F(Quad → Dog)

FPoFH → Dog

V Quad

V PoFH

FQuad ∧ PoFH

FQuad FPoFH

Another tableaux proof of Quad ∧ PoFH → Dog ` (Quad → Dog) ∨ (PoFH → Dog):

V Quad ∧ PoFH → Dog

FQuad ∧ PoFH

F(Quad → Dog)

FPoFH → Dog

V Quad

V PoFH

FQuad FPoFH

F(Quad → Dog)

FPoFH → Dog

V Quad

One more tableaux proof of Quad ∧ PoFH → Dog ` (Quad → Dog) ∨ (PoFH → Dog):

V Quad ∧ PoFH → Dog

FQuad ∧ PoFH

F(Quad → Dog)

FPoFH → Dog

V Quad

F(Quad → Dog)

FPoFH → Dog

V PoFH

F(Quad → Dog)

FPoFH → Dog

V Quad

Yet another Tableaux: V Quad ∧ PoFH → Dog

F(Quad → Dog)

FPoFH → Dog

FQuad ∧ PoFH

V Quad

V PoFH

V Quad

and many more.....

In Sequent Calculus

A proof that KB ` (Quad → Dog) ∨ (PoFH → Dog)

KB ⇒ PoFH ∧ Quad → Dog

Quad ⇒ QuadQuad, PoFH ⇒ Quad

PoFH ⇒ PoFHQuad, PoFH ⇒ PoFH

Quad, PoFH ⇒ Quad ∧ PoFH Dog ⇒ Dog

Quad, PoFH, PoFH ∧ Quad → Dog ⇒ Dog

Quad, PoFH, PoFH ∧ Quad → Dog ⇒ Dog,Dog

PoFH, PoFH ∧ Quad → Dog ⇒ (Quad → Dog),Dog

PoFH,KB ⇒ (Quad → Dog),Dog

KB ⇒ (Quad → Dog), (PoFH → Dog)

KB ⇒ (Quad → Dog) ∨ (PoFH → Dog)

In Sequent Calculus

Other proof that KB ` (Quad → Dog) ∨ (PoFH → Dog)

KB,Quad, PoFH ⇒ Dog

KB,Quad, PoFH ⇒ Dog,Dog

KB, PoFH ⇒ (Quad → Dog),Dog

In Sequent Calculus

One more proof that KB ` (Quad → Dog) ∨ (PoFH → Dog)

KB,Quad, PoFH ⇒ Dog

KB, PoFH ⇒ (Quad → Dog)

In Sequent Calculus

Yet another proof that KB ` (Quad → Dog) ∨ (PoFH → Dog)

Quad, PoFH ⇒ Quad ∧ PoFH

Dog ⇒ Dog

Dog ⇒ Dog,Dog

Quad, PoFH, PoFH ∧ Quad → Dog ⇒ Dog,Dog

KB,Quad, PoFH ⇒ Dog,Dog

and many more...

In Natural Deduction

A (normal) proof

[Quad ]d

[Quad ]a [PoFH]b

Quad ∧ PoFH Quad ∧ PoFH → Dog

PoFH → Dog

(Quad → Dog) ∨ (PoFH → Dog) [¬((Quad → Dog) ∨ (PoFH → Dog))]c

⊥a¬Quad

⊥Dog

dQuad → Dog

(Quad → Dog) ∨ (PoFH → Dog)

In Natural Deduction

THE other (normal) proof

[Quad ]a [PoFH]b

Quad ∧ PoFH Quad ∧ PoFH → Dog

PoFH → Dog

⊥Dog

aQuad → Dog

(Quad → Dog) ∨ (PoFH → Dog)

Fundamental facts on Automating S.C. and N.D.

Analyticity

I Every proof of Γ ` α has only occurrences of sub-formulasof Γ and α (Sub-formula Principle SFP).

I Cut-Elimination in S.C entails SFP. Haupsatz

I Normalization in N.D. entails SFP. Normalization

I Strongly related to analytic Tableaux based procedures.

Analyticity

Arguments in favour of Natural Deduction as a basis for theorem explanation

Common Sense and Intuitive reasons

I “Fewer” proofs of a proposition when compared to otherDeductive Systems.

I “More” structure and existence of specific patterns to helpparagraph construction in NL.

I Working hypothesis: “Optimal explanations should betailored from well-known proof patterns”

Technical reasons

I Natural Deduction reveals the computational content of aproof. CH-Isomorphism

I The prover can choose the pattern it wants the proofshould have. Seldin Prawitz

Technical reasons

Conceptual Modelling in UML and ER

The Informal Side

I Graphical notations seem to be adequate to the humanbeing understanding and manipulation.

I Lacking of a formal consistency checking.

The Logical Side

I FOL cannot provide checking of KB consistency.I Decidable logics seems to be more adequate.

The Informal Side

The Logical Side

The Informal Side

The Logical Side

The Informal Side

The Logical Side

I FOL cannot provide checking of KB consistency.

I Decidable logics seems to be more adequate.

The Informal Side

The Logical Side

Explaining Theorems on the Conceptual Modelling Domain

A Case Study in UML

1. Why UML ?⇒ It is complex (UML consistency isEXPTIME-Complete), useful and popular.

2. What do we need ?

I A Logical Language to express properties and their proofs(ALCQI)

I A Good (Normalizable) Natural Deduction for ALCQII Proof Patterns that yield good explanation (to come...)

A Case Study in UML

I A Good (Normalizable) Natural Deduction for ALCQI

I Proof Patterns that yield good explanation (to come...)

A Case Study in UML

ALCQI KB related to UML Class Diagram [BerCalvGiac2005]D. Berardi et al. / Artificial Intelligence 168 (2005) 70–118 81

Fig. 12. UML class diagram of Example 2.5.

2.4. General constraints

Disjointness and covering constraints are in practice the most commonly used con-straints in UML class diagrams. However, UML allows for other forms of constraints,specifying class identifiers, functional dependencies for associations, and, more generallythrough the use of OCL [8], any form of constraint expressible in FOL. Note that, dueto their expressive power, OCL constraints could in fact be used to express the semanticsof the standard UML class diagram constructs. This is an indication that a liberal use ofOCL constraints can actually compromise the understandability of the diagram. Hence,the use of constraints is typically limited. Also, unrestricted use of OCL constraints makesreasoning on a class diagram undecidable, since it amounts to full FOL reasoning. In thefollowing, we will not consider general constraints.We conclude the section with an example of a full UML class diagram.

Example 2.5. Fig. 12 shows a complete UML class diagram that models phone calls origi-nating from different kinds of phones, and phone bills they belong to.13 The diagram showsthat a MobileCall is a particular kind of PhoneCall and that the Origin of each PhoneCallis one and only one Phone. Additionally, a Phone can be only of two different kinds: aFixedPhone or a CellPhone. Mobile calls originate (through the association MobileOrigin)from cell phones. The association MobileOrigin is contained in the binary association Ori-gin: hence MobileOrigin inherits the attribute place of association class Origin. Finally, aPhoneCall is referenced in one and only one PhoneBill, whereas a PhoneBill contains atleast one PhoneCall. In FOL, the diagram is represented as shown in Fig. 13.Notice that, in the above diagram, one would like to express that each MobileCall is

related via the association Origin only to instances of CellPhone. Similarly for the otherdirection of the association. This can be expressed in FOL as follows:

!y1, y2, x. MobileCall(y1) "Origin(x) " call(x, y1) " from(x, y2) # CellPhone(y2)

!y1, y2, x. CellPhone(y2) "Origin(x) " call(x, y1) " from(x, y2) #MobileCall(y1)

The association MobileOrigin approximates this, making it explicit in the diagram that Mo-bileCalls and CellPhones are related to each other.

13 This diagram is based on an example provided with I.COM, a prototype design tool for conceptual modelingwith reasoning support [17].

Origin v ∀place.StringOrigin v ∃place.> u (≤ 1 place)Origin v ∃call.PhoneCall u (≤ 1 call) u ∃from.Phone u (≤ 1 from)

MobileOrigin v ∃call.MobileCall u (≤ 1call) u ∃from.CellPhone u (≤ 1 from)

PhoneCall v (≥ 1 call−.Origin) u (≤ 1 call−.Origin)

> v ∀reference−.PhoneBill u ∀reference.PhoneCallPhoneBill v (≥ 1 reference−)

PhoneCall v (≥ 1 reference) u (≤ 1 reference)MobileCall v PhoneCall

MobileOrigin v OriginCellPhone v Phone

FixedPhone v PhoneCellPhone v ¬FixedPhone

Phone v CellPhone t FixedPhone

Towards a Natural Deduction for ALCQI

I A Sequent Calculus for ALC (EDOC2007, AOW2007, etc)

I A Proof Theory for ALC (Sequent Calculus[RadeHaeuPere2008,2009])

I A Deterministic Sequent Calculus for ALC[RadeHaeuSBIA2008]

I Maude Implementations of S.C. Provers for ALC and ALCQI[Rade2009]

I A Good Natural Deduction for ALC [RadeHaeu2008-9]

I A Natural Deduction for ALCQI [RadeHaeu2009]

ALC, ALCQI and further DLs

C ::= ⊥ | > | A | ¬C | C1 u C2 | C1 t C2 | ∃R.C | ∀R.C

C ::= ⊥ | A | ¬C | C1 u C2 | C1 t C2 | ∃R.C | ∀R.C |≤ nR.C |≥ nR.CR ::= P | P−

UML with OCL constraintsSecureUML needs ID(C) role for each concept C for specifyinguniqueness of a default in a concept. [BragaHaeu2009]

∀ID(>).A v ∃ID(>).A A ≡ (= 1isdefault .(= 1isdefault−.Role))

Labeling formulas of ALC

Labeling Grammar:

LL ::= R,LL | ∅LR ::= R,LR | R(LL),LR | ∅C ::= LLCLR

The ALC formula:∃R2.∀Q2.∃R1.∀Q1.α

is represented by the labeled formula:

Q2,Q1αR1(Q2),R2

A Natural Deduction to ALC

L(α u β)

Lαu-e

Lα Lβ

L(α u β)u-i

L1αL2

R,L1αL2Gen

(α t β)L

[αL]....γ

[βL]....γ

γ t-eαL

(α t β)Lt-i

L1αL2

L2L1 ¬α

⊥¬-e

[L1αL2 ]....⊥

L2L1 ¬α

¬-i L1∃R.αL2

L1αR(L1),L2∃-e

L1αR(L1),L2

L1∃R.αL2∃-i

L1∀R.αL2

L1,RαL2∀-e

L1,RαL2

L1∀R.αL2∀-i

L1αL2 L1αL2 v M1βM2

M1βM2v -e

[L1αL2 ]....

M1βM2

L1αL2 v M1βM2v -i

L2L1 ¬α

L1L2 ]

L1αL2⊥c

A Natural Deduction for ALCQI

Main properties of NALCTheoremNALCQI is complete regarding the standard semantics of ALC.

TheoremNALCQI is sound regarding the standard semantics of ALC.if Ω ` γ then Ω |= γ.

FactThe NALCQI t-rules and ∃-rules are derived in ALCQI − t,∃ .

Lemma (Moving ⊥c downwards on branches)If Ω ` α in ALCQI − t,∃ then there is a deduction Π of α from Ω,such that, each branch in Π has at most one application of ⊥c-rule,which is the last rule in it.

Theorem (Eliminating maximal v-formulas)reductions If Π is a deduction of α from Ω, in the restricted system, then

there is a deduction Π′ of α from Ω without any maximal formulas.

FactSFP holds in ALC.

Example : A Negative Testing

I An (incorrect) generalization (a CellPhone is aFixedPhone) is introduced in the KB.

I CellPhone v FixedPhone is added to KB.I CellPhone is empty (inconsistent)

.Cell v ¬Fixed [Cell]1

¬FixedCell v Fixed [Cell]1

Fixed⊥

1Cell v ⊥

I CellPhone v FixedPhone is added to KB.

I CellPhone is empty (inconsistent).

Cell v ¬Fixed [Cell]1

Fixed⊥

1Cell v ⊥

I CellPhone v FixedPhone is added to KB.I CellPhone is empty (inconsistent)

.Cell v ¬Fixed [Cell]1

Fixed⊥

1Cell v ⊥

Example: A False Positive in the new KB

I In the modified diagram, Phone ≡ FixedPhone can be drawn.This is not directly proved from the inconsistency of CellPhone.

I It is shown that Phone v FixedPhone sinceFixedPhone v Phone is already an axiom of KB.

I Proof:[Phone]1 Phone v Cell t Fixed

Cell t Fixed

[Cell] Cell v Fixed

Fixed [Fixed]

Fixed1

Phone v Fixed

Cell t Fixed

[Cell] Cell v Fixed

Fixed [Fixed]

Fixed1

Phone v Fixed

Cell t Fixed

[Cell] Cell v Fixed

Fixed [Fixed]

Fixed1

Phone v Fixed

A Natural Deduction for ALCQI

Example: A False Positive yielding a refining of KB

I MobileCall participates on the association MobileOrigin

with multiplicity 0..1, instead of the 0..* presented in the UMLdiagram

I Proof:

[≥ 2 c−.MO]2

MO v O

≥ 2 c−.MO v≥ 2 c−.O

≥ 2 c−.O

[MC]1 MC v PC

PC PC v≥ 1 c−.O u ≤ 1 c−.O

≥ 1 c−.O u ≤ 1 c−.O

≤ 1 c−.O

¬ ≥ 2 c−.MO1

MC v ¬ ≥ 2 c−.MO

Sequent

I Proof:

[≥ 2 c−.MO]2

MO v O

≥ 2 c−.MO v≥ 2 c−.O

≥ 2 c−.O

[MC]1 MC v PC

PC PC v≥ 1 c−.O u ≤ 1 c−.O

≥ 1 c−.O u ≤ 1 c−.O

≤ 1 c−.O

¬ ≥ 2 c−.MO1

MC v ¬ ≥ 2 c−.MO

Sequent

I Proof:

[≥ 2 c−.MO]2

MO v O

≥ 2 c−.MO v≥ 2 c−.O

≥ 2 c−.O

[MC]1 MC v PC

PC PC v≥ 1 c−.O u ≤ 1 c−.O

≥ 1 c−.O u ≤ 1 c−.O

≤ 1 c−.O

¬ ≥ 2 c−.MO1

MC v ¬ ≥ 2 c−.MO

Sequent

Conclusions

I Yes !! It is Important to explain a theorem !!!

I Proof explanations provide good and adequate support forformal validation of KB. It is as important as Model Checkingbased explanations.

I Under our Working Hyp., N.D. provides the adequate basis forexplanation generation from formal proofs.

I N.D. for DLs is an important step towards good explanations inConceptual Modeling. NALCQI provides a good basis regardingUML and ER reasoning explanation.

Advices

I Conceptual Modeling in UML is not tractable(EXPTIME-complete)

I Unless CoNP = NP, proofs can be really huge !!! IntroducingCuts/Maximal formulas cannot reduce always the size of a proof.

I Interactive theorem proving helps with the above feature. Whatabout partial (under) Modelling (?)

Conclusions

Advices

Conclusions

Advices

Conclusions

Advices

Conclusions

Advices

Conclusions

Advices

Conclusions

Advices

Conclusions

Advices

Curry-Howard Isomorphism

The computational content of Intuitionistic ProofsAny Proof of α from γ1, . . . , γn in IL corresponds to analgorithm that yields values of type α from any list of n values oftypes γ1, . . . , γn, respectively

IntuitionisticLogic

Technically:Any proof π of α from γ1, . . . , γn corresponds to a typed λ-termt(x1, . . . , xn) : α[x1 : γ1, . . . , xn : γn], such that any evaluation in tcorresponds a normalization step in π, and vice-versa.

return

Seldin’s strategy to normalize Classical Proofs

Moving the Classical Absurdity Rule towards the Conclusion of theproofGiven any Classical derivation Π of α from Γ, one can transform Π

into a derivation Π1 of α from Γ of the following form:

Γ, [¬α]a

⊥a α

where Π1 is intuitionistic. reductions

return

Prawitz’s strategy to normalize Classical ProofsMoving the Classical Absurdity Rule towards atomic conclusions inthe proofGiven any Classical derivation Π of α from Γ, one can transform Πinto a derivation Π1 of α from Γ where the Classical-⊥ has onlyatomic conclusions

[¬(α ∧ β)]a

α ∧ β

Transforms into

[α ∧ β]a

α [¬α]b

⊥a¬(α ∧ β)

⊥b α

[α ∧ β]c

β [¬β]d

⊥c¬(α ∧ β)

α ∧ β

return

Example of reduction

[¬α]a

[¬β]b

⊥b α

α ∧ β

Transforms into

[α]a [β]b

α ∧ β [¬(α ∧ β)]c

⊥a ¬α

⊥b¬β

α ∧ β

Normalizing reductions

u-reduction ∀-reductionΠ1Lα

Π2Lβ

L(α u β)Lα B

Π1Lα

Π1L1,RαL2

L1∀R.αL2

L1,RαL2 BΠ1

L1,RαL2

¬-reduction v -reduction[L2L1 ¬α

]Π1⊥

L1αL2

Π2L2L1 ¬α

Π2[L2L1 ¬α

]Π1⊥

[α]Π2β

α v ββ B

Π1[α]Π2β

return

MC v ¬ ≥ 2 c−.MO in Sequent Calculus

MO⇒ O

≥ 2 call−.MO⇒ ≥ 2 call−.O

MC,≥ 2 call−.MO⇒ ≥ 2 call−.O

MC⇒ PC PC⇒ ≥ 1 call−.O u ≤ 1 call−.O

MC⇒ ≥ 1 call−.O u ≤ 1 call−.O

MC,≥ 2 call−.MO⇒ ≥ 1 call−.O u ≤ 1call−.O

MC,≥ 2 call−.MO⇒ ≥ 1 call−.O u ≤ 1call−.O u ≥ 2call−.O

MC,≥ 2 call−.MO⇒ ⊥

MC⇒ ¬ ≥ 2 call−.MO

return

The Haupsatz

I The cut rule:

Γ1 ⇒ ∆1, α α, Γ2 ⇒ ∆2

Γ1, Γ2 ⇒ ∆1,∆2

I Every proof of Γ⇒ ∆ can be rewritten without the cut-rule.

I Corollary: Every formula in a proof of Γ⇒ ∆ is subformula fromat least one formula of Γ ∪∆.

I Corollary: If the Haupsatz holds for a logic/theory L then thislogic is consistent. (There is no proof of the empty sequent).

I Gentzen proved that PA is consistent by means of Haupsatz.

return

The Haupsatz

I The cut rule:

Γ1 ⇒ ∆1, α α, Γ2 ⇒ ∆2

Γ1, Γ2 ⇒ ∆1,∆2

return

The Haupsatz

I The cut rule:

Γ1 ⇒ ∆1, α α, Γ2 ⇒ ∆2

Γ1, Γ2 ⇒ ∆1,∆2

return

The Haupsatz

I The cut rule:

Γ1 ⇒ ∆1, α α, Γ2 ⇒ ∆2

Γ1, Γ2 ⇒ ∆1,∆2

return

The Haupsatz

I The cut rule:

Γ1 ⇒ ∆1, α α, Γ2 ⇒ ∆2

Γ1, Γ2 ⇒ ∆1,∆2

return

Normalization and Normal Proofs

I A→ B is maximal formula in a ND proof:

BA→ B

reduces to

I Normalization: Every derivation of α from ∆ can be transformedinto a Normal derivation (without maximal formulas) of α from ∆′

(∆′ ⊆ ∆)

I Corollary: Every formula in a proof of α from Γ is subformula of Γor α.

return

BA→ B

reduces to

(∆′ ⊆ ∆)

return

BA→ B

reduces to

(∆′ ⊆ ∆)

return

Moving the ⊥ towards the conclusion of a derivation [Seldin1977]

[¬A]a

BA ∧ B

reduces to

[A]aΠ2

BA ∧ B [¬(A ∧ B)]b

⊥a ¬AΠ1

⊥b A ∧ B

return

Classical Logic × Intuitionistic Logic

TheoremThere are a,b ∈ R−Q, such that, ab ∈ Q

A Classical Proof (Math Folklore)Consider a = b =

√2. Then, either ab ∈ Q or ab 6∈ Q. In the first case

we are done. In the second case, consider a =√

2and b =

hence, ab = 2 ∈ Q.

An Intuitionistic (constructive) proof (E. Bishop)Consider a =

√2 and b = 2log2(3). We have a,b 6∈ Q and

ab = 3 ∈ Qreturn

is it important to explain a theorem? a case study in uml and alcqi

Education

validation of formal

main laws

formal validation analysis

false positives

theoretical terms

false negatives

conceptual modelling

world axioms