Integrate Action Formalisms into Linear Temporal Description Logics

Description logics (DLs) provide expressiveness well beyond that of propositional logic while still maintaining decidability of reasoning. This makes DLs a natural choice for formalizing actions. Besides, DLs are also used in several application domains. However, representing dynamic aspects of such application domains is not out of the question. As a result, temporal extensions of DLs have been investigated in the literature. In formalizing actions, we sometimes come across a situation where we want to be sure that a property holds at a certain time. A suitable approach is thus to use temporalized DLs to describe such properties while formalizing actions in DLs. In this thesis, we present the integration of action formalisms into a temporalized DL. We consider the satisfiability problem of an ALCO-LTL formula with respect to an acyclic TBox, an ABox and actions, i.e., we check whether there is a sequence of world states (interpretations) such that the formula is satisfied in this sequence while the semantics of the actions is also respected. We consider two different cases: a simple case in which we consider unconditional actions, where all the changes imposed by an action hold trivially after the application of the action, and a general case in which we consider conditional actions. A conditional action requires certain conditions to hold in order to impose such changes. In the former case, we reduce the problem to the ABox consistency problem, whereas in the latter case, we reduce it to the emptiness problem of a Büchi automaton and the ABox consistency problem.


Introduction
Action programming languages like Golog [8] and Flux [14], which are respectively based on the situation calculus and the fluent calculus, can be used to control the behaviour of autonomous agents and mobile robots. Often, programs written in these languages are non-terminating since the robots are supposed to perform open-ended tasks, like delivering coffee as long as there are requests. To ensure that the execution of such a program leads to the desired behaviour of the robot, one needs to specify the required properties in a formal way, and then verify that these requirements are met by any (infinite) execution of the program. In the coffee delivery example, one might, e.g., want to show that anyone requesting coffee will eventually get it delivered. When trying to automate this verification task, one has to deal with two sources of undecidability: (i) the expressiveness of the programming constructs (while loops, recursion) and (ii) the expressiveness of the situation/fluent calculus, which encompasses full first-order predicate logic.
Verification for non-terminating Golog programs has first been addressed by De Giacomo, Ternovskaia, and Reiter [7], who express both the semantics of the programs and the properties to be verified using an appropriate fixpoint logic. To verify a property of a program, one first needs to compute a fixpoint, which is expressed in second-order logic. In general, this computation need not terminate (this corresponds to the first source of undecidability). Even if the fixpoint computation does terminate, verifying that the desired property holds requires a manual, meta-theoretic proof. Attempts to automate this approach are usually restricted to propositional logic [11]. Claßen and Lakemeyer [6] aim at the fully automated verification of non-terminating Golog programs. They specify properties in an extension of the situation calculus by constructs of the first-order temporal logic CTL*. Verification then basically boils down to the computation of a fixpoint, where again this computation need not terminate. If the fixpoint computation terminates, then the proof that the desired property holds is a deduction in the underlying logic (i.e., no meta-theoretic reasoning is required). However, due to the second source of undecidability mentioned above, this deduction problem is in general not decidable.
In the present paper, we introduce a restricted setting, where both sources of undecidability are avoided. Regarding the first source, instead of examining the actual execution sequences of a given Golog or Flux program, we consider infinite sequences of actions that are accepted by a given Büchi automaton B. If B is an abstraction of the program, i.e., all possible execution sequences of the program are accepted by B, then any property that holds in all the sequences accepted by B is also a property that is satisfied by any execution of the program. For example, assume that, among other actions, researcher John can perform the action "review paper," which makes him tired, and that robot Robin can perform the actions "deliver paper" and "deliver coffee," where the latter one results in John no longer being tired, whereas the former one results in John having to review yet another paper. The property $\varphi_{tired}$ we want to ensure is that John does not stay tired indefinitely, i.e., whenever he is tired at some time point, then there is a later time point at which he is not tired. Assume that there is a complex program controlling Robin's behaviour, but we can show that Robin will infinitely often deliver coffee. Thus, the Büchi automaton $B_{deliver}$ that accepts all action sequences that contain the action "deliver coffee" infinitely often is an abstraction of this program, and it is easy to see that any infinite sequence of actions accepted by this automaton satisfies $\varphi_{tired}$.
To avoid the second source of undecidability, we restrict the underlying logic to a decidable description logic. Description Logics (DLs) [2] are a well-known family of knowledge representation formalisms that may be viewed as fragments of first-order logic (FO). The main strength of DLs is that they offer considerable expressive power going far beyond propositional logic, while reasoning is still decidable. An action formalism based on DLs was first introduced in [4], and it was shown that important reasoning problems such as the projection problem, which are undecidable in the full situation/fluent calculus, are decidable in this restricted formalism.
In this paper, we show that these positive results can be extended to the verification problem. As logic for specifying properties of infinite sequences of DL actions, we use the temporalized DL ALC-LTL recently introduced in [3], which extends the well-known propositional linear temporal logic (LTL) [12] by allowing for the use of axioms (i.e., TBox and ABox statements) of the basic DL ALC in place of propositional letters. Note that the property $\varphi_{tired}$ that we have used in the above coffee delivery example can easily be expressed in LTL.
In the next section, we first recall the basic definitions for DLs, action formalisms based on DLs, temporalized DLs, and Büchi automata, and then introduce the verification problem and its dual, the satisfiability problem, which asks whether there is an infinite sequence of actions accepted by the given Büchi automaton B that satisfies the property. Since these problems are interreducible in polynomial time, we then concentrate on solving the satisfiability problem. In Section 3, we consider a restricted version of the general problem, where the Büchi automaton accepts exactly one infinite sequence of unconditional actions without occlusions. The general problem is then investigated in Section 4.

Preliminaries
The integration of action formalisms can be applied to any DL which has well-defined semantics of actions [4]. In this paper, we investigate the computational complexity of the inference problems at hand for DLs between ALC and ALCQIO, hence we give the syntax and semantics of those DLs [2] in this section.
In DLs, concepts are inductively defined starting with a set $N_C$ of concept names, a set $N_R$ of role names, and (possibly) a set $N_I$ of individual names. The expressiveness of a DL is determined by a set of constructors. The constructors relevant to the DLs considered in this paper are shown in Table 1, where we use C, D to denote concepts, A to denote a concept name, r to denote roles, and a, b to denote individual names. As usual, we use ⊤ as an abbreviation for A ⊔ ¬A.
The DL that allows only for negation, conjunction, disjunction, existential restriction, and value restriction is called ALC. Different extensions of ALC allow additionally for different constructors, indicated by the name of the DL. For example, the name ALCQIO stands for the DL which extends ALC with Qualified number restriction, Inverse role, and nOminals. If a DL allows for inverse roles, a role is r or $r^{-1}$ for some $r \in N_R$. Otherwise, a role is a role name.
An interpretation I is a pair $(\Delta^I, \cdot^I)$ where $\Delta^I$ is a non-empty set and  The interpretation of inverse role and concept descriptions is shown in the third column of Table 1, where #S is the cardinality of a set S. We call an $x \in \Delta^I$ a named object in I iff there exists an $a \in N_I$ with $a^I = x$. Otherwise, x is an anonymous object in I.
An acyclic TBox T is a finite set of concept definitions of the form A ≡ C such that there is no concept name A occurring twice on the left-hand side of concept definitions or using directly or indirectly itself in its definition [2]. The concept names occurring on the left-hand side of concept definitions of T are called defined concept names in T, whereas all other concept names are called primitive concept names in T. An interpretation I is a model of T (denoted by $I \models T$) iff for all A ≡ C ∈ T, we have $A^I = C^I$. Note that we restrict our attention to acyclic TBoxes since, for more general TBox formalisms involving general concept inclusion axioms (GCIs), it is not clear how to define an appropriate semantics for DL actions. We say that An ABox A is consistent w.r.t. an acyclic TBox T if A and T have a common model. Consistency of an ABox w.r.t. an acyclic TBox is one of the standard inference problems in DLs, which is to decide existence of a model for a given knowledge base. Its complexity in DLs between ALC and ALCQIO has been thoroughly studied. We will see later on that the inference problems considered in this paper can be decided with the help of consistency.

An
The temporalized DLs are obtained from propositional linear temporal logic (LTL) [12] by allowing for the use of assertions in place of propositional letters.
Definition 1. DL-LTL formulae are defined by induction:
• if β is an assertion, then β is a DL-LTL formula;
• if φ, ψ are DL-LTL formulae, then so are φ ∧ ψ, φ ∨ ψ, ¬φ, φ U ψ, and Xφ.

△
We use true as an abbreviation for ⊤(a), φ → ψ for ¬φ ∨ ψ, ◇φ for true U φ (diamond, which should be read as "sometime in the future"), and □φ for ¬(true U ¬φ) (box, which should be read as "always in the future").
The difference to the logic ALC-LTL introduced in [3] is, on the one hand, that assertions in DLs between ALC and ALCQIO rather than just ALC-assertions can be used. On the other hand, an ALC-LTL formula may also contain GCIs, whereas in DL-LTL we do not allow the use of terminological axioms. Instead, we use a global acyclic TBox, whose concept definitions must hold at every time point. The semantics of DL-LTL is based on DL-LTL structures, which are infinite sequences of interpretations over the same non-empty domain ∆ (constant domain assumption) in which every individual name stands for a unique element of ∆ (rigid individual names).
Definition 2. A DL-LTL structure is a sequence $I = (I_i)_{i=0,1,\ldots}$ of interpretations $I_i = (\Delta, \cdot^{I_i})$ such that $a^{I_i} = a^{I_j}$ for all individual names a and all $i, j \in \{0, 1, 2, \ldots\}$. Given a DL-LTL formula φ, a DL-LTL structure $I = (I_i)_{i=0,1,\ldots}$, and a time point $i \in \{0, 1, 2, \ldots\}$, validity of φ in I at time i (written $I, i \models \varphi$) is defined inductively: and $I, j \models \varphi$ for all j, $i \le j < k$

△
In this paper, we assume that the transition from $I_i$ to $I_{i+1}$ in a DL-LTL structure is caused by the application of an action. We recall the pertinent definitions for DL actions from [4].
Definition 3 (Action). Let T be an acyclic TBox. An action α for T is a triple (pre, occ, post) which consists of
• a finite set pre of ABox assertions, the pre-conditions;
• a finite set occ of occlusions of the form A(a) or r(a, b), with A a primitive concept name in T, r a role name, and $a, b \in N_I$;
• a finite set post of conditional post-conditions of the form β/γ, where β is an ABox assertion and γ is a primitive literal for T, i.e., an ABox assertion A(a), ¬A(a), r(a, b), or ¬r(a, b) with A a primitive concept name in T, r a role name, and a, b individual names.
If every β/γ ∈ post is of the form ⊤(a)/γ, then we call α an unconditional action, and in this case we write γ instead of ⊤(a)/γ. Otherwise, it is a conditional action. We say that an action α is without occlusions if occ = ∅. Otherwise, α is with occlusions. △
Basically, such an action is applicable in an interpretation if its pre-conditions are satisfied. The conditional post-condition β/γ requires that γ must hold after the application of the action if β was satisfied before the application. In addition, nothing should change that is not required to change by some post-condition.
Occlusions specify the parts where the concept names and the role names can change freely.
Definition 4. Let T be an acyclic TBox, α = (pre, occ, post) an action for T, and I, I′ interpretations sharing the same domain and interpretations of all individual names. We say that α may transform I to I′ w.r.t. T ($I \Rightarrow^{T}_{\alpha} I'$) iff I and I′ are models of T and for each primitive concept name A in T and each role name r, we have where We say that α is executable in
We say that an action α is consistent with T iff for all $\beta_1/\gamma$, $\beta_2/\neg\gamma$ in the post-conditions of α, $\{\beta_1, \beta_2\} \cup T$ is inconsistent. In this paper, we consider only consistent actions. The requirement of consistent actions is to avoid an unintuitive result of applying actions. For example, suppose the set of post-conditions of an inconsistent action α is {β/A(a), β/¬A(a)}. Then, for all models I of T with $I \models \beta$, and for all I′ with $I \Rightarrow^{T}_{\alpha} I'$, according to Definition 4, $I' \not\models A(a)$. This means that β/A(a) is not satisfied by the application of α.
It follows directly from Definition 4 that for all interpretations I, DL actions can only change the interpretations of named objects in I. Note that for all acyclic TBoxes T and for all actions α for T, if α is without occlusions, then for all models I of T, there exists a unique I′ such that $I \Rightarrow^{T}_{\alpha} I'$ [4]. In this paper, we are interested in deciding whether the executions of infinite sequences of actions satisfy a (temporal) property expressed in DL-LTL. Let Σ be a finite set of actions for T. An infinite sequence of such actions can be viewed as an infinite word over the alphabet Σ, i.e., a mapping $w : \mathbb{N} \to \Sigma$, where $\mathbb{N}$ denotes the set of non-negative integers.
Definition 5. Let T be an acyclic TBox, A be an ABox, and w an infinite sequence of actions for T. The DL-LTL structure $I = (I_i)_{i=0,1,\ldots}$ is generated by w from A w.r.t. T if $I_0$ is a model of A and, for all i ≥ 0, we have
For the verification problem, we consider infinite sequences of actions accepted by a Büchi automaton. Büchi automata are finite automata accepting infinite words [15]. A Büchi automaton B basically looks and works like a "normal" finite automaton, but it receives infinite words w as inputs, and thus generates infinite runs. An infinite run of B on w is an infinite word $r : \mathbb{N} \to Q$ over the alphabet Q of states of B such that r(0) is an initial state and, for every i ≥ 0, there is a transition of B from the state r(i) with letter w(i) to the state r(i + 1). This run is accepting if it infinitely often reaches a final state. The language $L_\omega(B)$ of infinite words accepted by B consists of all infinite words w over Σ such that B has an accepting run on w.
We are now ready to give a formal definition of the verification problem, which was informally introduced in Section 1, as the problem of deciding validity of a DL-LTL formula w.r.t. an acyclic TBox, an ABox, and a Büchi automaton.
Definition 6. Let T be an acyclic TBox, A an ABox, Σ a finite set of actions for T, B a Büchi automaton for the alphabet Σ, and φ a DL-LTL formula.
• φ is valid w.r.
Let us give the formal description of our example in the previous section. We use the following initial ABox to state that there are 500 papers submitted to the conference ecai2010 and that none of them has been reviewed yet. Robot Robin is in charge of delivering papers to the reviewers and keeping them vigorous by serving them coffee. John is one of the reviewers. We define the following actions: where i is with 1 ≤ i ≤ 500. The property $\varphi_{tired}$ is captured by the following DL-LTL formula: The Büchi automaton $B_{deliver}$ is depicted in Figure 1. The state $q_0$ is the initial state and $q_1$ is the final state. The alphabet of $B_{deliver}$ is Σ, which consists of the actions defined above. The actions $reviewPaper_i$, $deliverPaper_i$, and deliverCoffee are respectively abbreviated with $rP_i$, $dP_i$, and dC. It is easy to check that for every $w \in \Sigma^\omega$, $w \in L_\omega(B_{deliver})$ iff the action deliverCoffee occurs infinitely often in w.

The Case of a Single Cyclic Sequence of Unconditional Actions without Occlusions
We say that the infinite word w is cyclic if it starts with an initial word $\alpha_1 \cdots \alpha_m$ and then repeats a non-empty word The following facts are well-known [15] (and easy to see): if B is a Büchi automaton that accepts a singleton language {w}, then w is a cyclic word of the form where m, n are bounded by the cardinality of the set of states of B; conversely, any singleton language {w} consisting of a cyclic word is accepted by a corresponding Büchi automaton $B_w$ such that the cardinality of the set of states of B is linear in m + n.
In this section, we consider only Büchi automata accepting singleton languages.
In addition, we restrict the attention to unconditional actions without occlusions. Thus, for the remainder of this section, we assume that T is an acyclic TBox, A an ABox, Σ a finite set of unconditional actions for T (without occlusions), $B_w$ a Büchi automaton for the alphabet Σ accepting the singleton language {w}
Proof. Suppose $I' \Rightarrow^{T}_{\beta} J'$ for some interpretation J′ (such a J′ always exists since for every model I of T and every action α for T, if α is without occlusions, then there exists an I′ with $I \Rightarrow^{T}_{\alpha} I'$ [4]). Thus, it is enough to show that I′ = J′. Since both interpretations I′ and J′ share the domain (suppose it is denoted by ∆) and interpretations of all individual names, it remains to show that for all primary concept names A w.r.t. T and all $r \in N_R$, we have $A^{I'} = A^{J'}$ and $r^{I'} = r^{J'}$. Here we show only the former; the latter can be proved analogously.
there is a $\beta_j \in \{\beta_1, \ldots, \beta_n\}$ such that $\neg A(a) \in \beta_j$ for some $a \in N_I$ with $a^I = d$ and for all i with j < i ≤ n, we have $A(a) \notin \beta_i$. (Intuitively, it means that d is removed from A by $\beta_j$ and never added afterwards.) However, together with $I \Rightarrow^{T}_{\beta} I'$, such a $\beta_j$ in β implies $d \notin A^{I'}$, which contradicts the assumption.
, there is a $\beta_j \in \{\beta_1, \ldots, \beta_n\}$ such that $A(a) \in \beta_j$ for some $a \in N_I$ with $a^I = d$ and for all i with j < i ≤ n, we have $\neg A(a) \notin \beta_i$.
(Intuitively, it means that d is added into A by $\beta_j$ and never removed afterwards.) However, together with $I \Rightarrow^{T}_{\beta} I'$, such a $\beta_j$ in β implies $d \in A^{I'}$, which contradicts the assumption. ∎
The main observation that allows us to solve the satisfiability problem for φ w.r.t. T, A and $B_w$ is that each DL-LTL structure generated by w from A w.r.t. T "runs into a cycle" after the first m + 2n interpretations. This is a direct consequence of Lemma 7.
Based on this observation, we can solve the satisfiability problem by a reduction from the satisfiability problem of DL-LTL formulas to the consistency problem:
• Construct an acyclic TBox $T_{red}$ and an ABox $A_{red}$ from A, T, w, and φ,
• Construct an ABox $A_{pre}$ from w, and
• Compute an ABox $A_\varphi$ from φ by a tableau algorithm.
We show that φ is satisfiable w.r.t. T, A, and Without loss of generality, we can assume that there are no LTL negation signs in φ. Basically, we apply the approach for solving the projection problem from [4] to the finite sequence of actions In this approach, time-stamped copies of all concept and role names occurring in the input (i.e., in w, T, A, φ) are generated, together with a number of additional auxiliary concept names. Using this extended vocabulary, one builds, for every assertion γ occurring in the input, time-stamped variants $\gamma^{(i)}$ for all i, 0 ≤ i ≤ m + 2n − 1. The extended vocabulary is also used to construct an acyclic TBox $T_{red}$ and an ABox $A_{red}$. As we will see in the construction, for each concept name A and each role name r in the input, we introduce labeled names $A^{(i)}$, $T_A$, and $r^{(i)}$ to describe the interpretation of those names after the sequence of actions $w(0) \cdots w(i-1)$. Let Obj be the set of all the individual names in the input, i.e., in A, T, φ or $B_w$.
Let Sub be the set of the subconcepts in the input. For every C ∈ Sub, if C ∈ Sub is not a defined concept name of T, then there is a concept definition of Sub contains only those concept definitions. The concept definition of C is defined inductively on the structure of C as described in Figure 2. We are now ready to assemble $T_{red}$: The TBoxes $T_N$ and $T^{(i)}_{sub}$ can ensure that the interpretations of concept and role names remain unchanged by actions on the anonymous objects, and the last part of $T_{red}$ is to make sure that T is satisfied no matter how actions change an interpretation. The changes by actions on the named objects will be guaranteed by $A_{red}$. For every ABox assertion ϕ we define $\phi^{(i)}$ as For 1 ≤ i ≤ m + 2n − 1, we define min only contains
1. the following assertions for every a ∈ Obj and every primitive concept name A in T in the input: ) for a primary concept name A w.r.t. T T
2. the following assertions for all a, b ∈ Obj and every role name r in the input:
$a : (\exists r^{(i-1)}.\{b\} \to \exists r^{(i)}.\{b\})$ if $\neg r(a, b) \notin post_{i-1}$
$a : (\forall r^{(i-1)}.\neg\{b\} \to \forall r^{(i)}.\neg\{b\})$ if $r(a, b) \notin post_{i-1}$.
The ABox $A_{ini}$ is defined as follows: Then, we construct $A_{red}$: As revealed in [4], from every model of $T_{red}$ and $A_{red}$ we can construct the crucial part of a DL-LTL structure generated by w from A w.r.t. T and vice versa.
Lemma 9. Let (T, A, $B_w$, φ) be an input of the satisfiability problem. Let $A_{red}$ and $T_{red}$ be respectively the ABox and the TBox obtained according to the above construction, where $w = \alpha_1 \ldots \alpha_m \beta_1 \ldots \beta_n$ is the only word accepted by $B_w$. Then, we have
• for every sequence $I_0, \ldots, I_{m+2n-1}$ of models of T such that $I_0 \models A$ and $I_i \Rightarrow^{T}_{w(i)} I_{i+1}$ for every i with 0 ≤ i < m + 2n − 1, there exists an interpretation J such that $J \models A_{red}$, $J \models T_{red}$, and for all i ∈ {0, ..., m + 2n − 1} and for all assertions γ in the input, $I_i \models \gamma$ iff $J \models \gamma^{(i)}$.
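The cycle observation above can be replayed on a propositional simplification. The following is an added example, not code from the paper: it tracks only primitive assertions on named individuals, ignores the TBox and pre-conditions, and the atom names and the three action definitions are assumptions built from the informal coffee example in the introduction.

```python
from typing import Callable, FrozenSet, Iterable, List, Sequence, Tuple

Atom = str                   # a primitive assertion on named individuals
Literal = Tuple[Atom, bool]  # (atom, True) stands for A(a), (atom, False) for ¬A(a)
Action = Sequence[Literal]   # unconditional post-conditions; pre = occ = ∅ (assumption)
State = FrozenSet[Atom]      # the primitive assertions that hold at one time point

# Constructed sample actions (hypothetical encoding of the prose example).
REVIEW_PAPER: Action = [("Tired(john)", True), ("HasPaper(john)", False)]
DELIVER_PAPER: Action = [("HasPaper(john)", True)]
DELIVER_COFFEE: Action = [("Tired(john)", False)]


def apply_action(state: State, action: Action) -> State:
    """Apply an unconditional action; everything it does not mention persists."""
    added = {atom for atom, positive in action if positive}
    removed = {atom for atom, positive in action if not positive}
    if added & removed:  # both γ and ¬γ required: an inconsistent action
        raise ValueError(f"inconsistent action on {sorted(added & removed)}")
    return frozenset((state - removed) | added)


def lasso_structure(initial: Iterable[Atom], prefix: Sequence[Action],
                    loop: Sequence[Action]) -> Tuple[List[State], int]:
    """Return (I_0 .. I_{m+2n-1}, m+n) for the word prefix · loop^ω.

    The state after the second pass through the loop equals the state after
    the first pass, so position m+2n wraps around to position m+n.
    """
    if not loop:
        raise ValueError("the repeated word must be non-empty")
    m, n = len(prefix), len(loop)
    states = [frozenset(initial)]
    for action in [*prefix, *loop, *loop]:
        states.append(apply_action(states[-1], action))
    if states[m + n] != states[m + 2 * n]:
        raise RuntimeError("cycle not closed after m + 2n steps")
    return states[: m + 2 * n], m + n


def until(states: List[State], loop_start: int,
          p: Callable[[State], bool], q: Callable[[State], bool], i: int) -> bool:
    """Evaluate p U q at position i of the lasso, wrapping at the end."""
    pos = i
    for _ in range(len(states) + 1):  # enough steps to visit every reachable position
        if q(states[pos]):
            return True
        if not p(states[pos]):
            return False
        pos = pos + 1 if pos + 1 < len(states) else loop_start
    return False


def not_tired_forever(states: List[State], loop_start: int,
                      tired_atom: Atom = "Tired(john)") -> bool:
    """Check: at every time point, tired implies eventually not tired."""
    def rested(s: State) -> bool:
        return tired_atom not in s
    return all(until(states, loop_start, lambda s: True, rested, i)
               for i in range(len(states)) if not rested(states[i]))


if __name__ == "__main__":
    structure, start = lasso_structure([], [REVIEW_PAPER],
                                       [DELIVER_PAPER, REVIEW_PAPER, DELIVER_COFFEE])
    print(len(structure), start, not_tired_forever(structure, start))
```

In the sample run the state after the prefix (position m = 1) differs from the state at position m + n = 4, which is why the cycle is only guaranteed from the second pass through the repeated word.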
• for every interpretation J such that $J \models A_{red}$, $J \models T_{red}$, there exists a sequence $I_0, \ldots, I_{m+2n-1}$ of models of T such that $I_0 \models A$, and for every i with 0 ≤ i < m + 2n − 1, we have $I_i \Rightarrow^{T}_{w(i)} I_{i+1}$ and for all assertions γ in the input,
Employing this property of $A_{red}$ and $T_{red}$, we can also check executability of w. Define $A_{pre}$ as follows:
The tableau rules displayed in Figure 3 try to satisfy the semantics of LTL operators in the DL-LTL formula φ, where in ∨-rule we have: 1 }, and in U-rule 1 and U-rule 2, we have: 2 } for all k with i ≤ k < m + 2n, and and in R-rule 1 and R-rule 2 we have:
As we can see, the tableau rules work on a set of sets of DL-LTL formulas. Each formula is labeled with (i). Intuitively, the label stands for the time point, e.g., $\psi^{(i)}$ can be read as the formula ψ holds at time point i. We apply exhaustively the tableau rules to $S = \{\{\varphi^{(0)}\}\}$. The following lemma tells us that every application of a tableau rule preserves satisfiability of the formula the rule applies to:
Lemma 10. Let S be the set in some status of the tableau algorithm starting with $\{\{\varphi^{(0)}\}\}$. S′ is obtained from S by an application of one of the tableau rules to $A_l \in S$. Then for every DL-LTL structure $I = (I_i)_{i=0,1,\ldots}$ generated by w from A w.r.t. T, the following statements are equivalent:
• there exists a new element $B_k \in S'$ such that $I, i \models \phi$ for all $\phi^{(i)} \in B_k$.
Thus, it follows that the above statements are equivalent for X-rule 1 and X-rule 2.
U-rule 1: Consider the removed formula $(\phi_1 U \phi_2)^{(i)} \in A_l$. Then we know that for all i ≤ m + n, $I, i \models \phi_1 U \phi_2$ iff (by the semantics of U) there exists a k ≥ i such that $I, k \models \phi_2$ and $I, j \models \phi_1$ for all i ≤ j < k iff (from the form of I we know that k must be smaller than m + 2n) there exists a k with i ≤ k ≤ m + 2n − 1 such that $I, k \models \phi_2$ and $I, j \models \phi_1$ for all j with i ≤ j < k, i.e., there is one new added $B_k$ such that $I, i \models \phi$ for all $\phi^{(i)} \in B_k \setminus A_l$.
U-rule 2: Consider the removed formula $(\phi_1 U \phi_2)^{(i)} \in A_l$. Then we know that for all i > m + n, $I, i \models \phi_1 U \phi_2$ iff (by the semantics of U) there exists a k ≥ i such that $I, k \models \phi_2$ and $I, j \models \phi_1$ for all i ≤ j < k iff (from the form of I we know that k must be between m + n and m + 2n) there exists a k with i ≤ k ≤ m + 2n − 1 such that $I, k \models \phi_2$ and $I, j \models \phi_1$ for all j with i ≤ j < k or there exists a k with m + n ≤ k < i such that $I, k \models \phi_2$ and $I, j \models \phi_1$ for all j with i ≤ j ≤ m + 2n and for all j with m + n ≤ j < k iff there is one new added $B_k$ such that
Similarly, the form of I, together with the semantics of the R operator, implies that the two statements in the lemma are equivalent if either of R-rule 1 and R-rule 2 is applied. ∎
After the tableau algorithm terminates with S, for every A in S, every formula in A is an ABox assertion and the function defined in (1) can be applied to those assertions. Thus, every element in S can be viewed as an ABox. Then, we use the set S, together with the constructed $T_{red}$, $A_{red}$, and $A_{pre}$ to decide whether φ is satisfiable w.r.t. T, A, and $B_w$.
Lemma 11. Let S be the set when the tableau algorithm terminates. Then φ is satisfiable w.r.t. T, A, and $B_w$ iff there is an $A_\varphi \in S$ such that $A_{red} \cup A_{pre} \cup A_\varphi$ is consistent w.r.t. $T_{red}$.
Proof. "⇒": If φ is satisfiable w.r.t. T, A, and $B_w$ then there is a DL-LTL structure $I = (I_i)_{i=0,1,\ldots}$ generated by w from A w.r.t. T such that I, 0 |= A. By Point 1 of Lemma 9, there exists an interpretation J such that $J \models A_{red}$, $J \models T_{red}$ and for all i ∈ {0, ..., m + 2n − 1} and for all assertions γ in the input, . Since $I_i \models pre_i$ for all i with 0 ≤ i ≤ m + 2n − 1, we obtain that $J \models A_{pre}$. By Lemma 10, $I, 0 \models \varphi$ implies there exists $A_\varphi \in S$ such that $I, i \models \phi$ for all $\phi^{(i)} \in A_\varphi$. Since for every $\phi^{(i)} \in A_\varphi$, ϕ is an assertion, $I, i \models \phi$ yields $I_i \models \phi$. Hence, $J \models A_\varphi$.
By the definition of $A_{pre}$, we know that $I_i \models pre_i$ for all i with 0 ≤ i < m + 2n − 1, which implies that $I_i \models pre_i$ for all i ≥ 0. By Lemma 7, I is a DL-LTL structure generated by w from A w.r.t. T. Moreover, $J \models A_\varphi$ implies for all $\psi^{(i)} \in A_\varphi$, $I_i \models \psi$, i.e., $I, i \models \psi$. By Lemma 10, we have $I, 0 \models \varphi$. ∎
For arbitrary T, A, $B_w$, and φ, the size of $A_{red}$ and $T_{red}$ is polynomial in the size of the input and they can be constructed in polynomial time. This is independent of the coding of numbers in the number restrictions in the input [9]. It is clear that $A_{pre}$ has those properties as well. In general, the size of S can be exponential in the size of the input. However, we need only one element $A_\varphi$ in S such that $A_{red} \cup A_{pre} \cup A_\varphi \cup T_{red}$ is consistent. For a DL-LTL formula φ, $A_\varphi$ can be constructed in NPSpace since
• each application of a tableau rule generates at most (m + 2n) (i.e., polynomially many) sets of labeled formulas;
• every labeled formula in generated sets is a strict subformula of the formula that the rule applies to, and i in all labels (i) is never over m + 2n − 1;
• there is a tableau rule applicable iff there is an LTL operator in S.
By Savitch's theorem [10], the construction of $A_\varphi$ can be done in PSpace. Overall, $A_{red}$, $A_{pre}$, $A_\varphi$ and $T_{red}$ can be constructed in PSpace. Consistency checking of an ALCQO-ABox w.r.t. an ALCQO-TBox is in PSpace [5] if the numbers in qualified number restrictions are coded in unary. For ALCIO, it is in ExpTime [1]. For ALCQIO, a fragment of $C^2$, it is in NExpTime [16,13], even if the numbers are in binary coding. Thus, we obtain an upper bound for the satisfiability problem for DLs between ALC and ALCQIO.

Lemma 12. The satisfiability problem of DL-LTL formulas w.r.t. acyclic TBoxes, ABoxes, and Büchi automata (with the restriction specified at the beginning of this section) is
• in PSpace for ALCQO if the numbers in qualified number restriction are coded in unary;
• in ExpTime for ALCIO;
• in NExpTime for ALCQIO.
In what follows, we show that those upper bounds are tight by reducing the projection problem to the (un)satisfiability problem.
Definition 13 (The projection problem). Let T be an acyclic TBox, $\alpha_1 \cdots \alpha_m$ a finite sequence of actions for T, and A an ABox. An assertion ϕ is a consequence of applying T iff for all models of A and T, and all
It has been shown in [4] that for DLs L between ALC and ALCQIO, the projection problem in L is as hard as the (in)consistency problem in LO even if every action has an empty set of pre-conditions and occlusions and unconditional post-conditions.
We can reduce the projection problem in L to the validity problem of DL-LTL formulas w.r.t. acyclic TBoxes, ABoxes, and Büchi sequences of actions in L. Let A be an ABox and $\alpha_i = (\emptyset, \emptyset, post_i)$ an unconditional action for a TBox T for all i with 1 ≤ i ≤ m. It is easy to see that an assertion ϕ is a consequence of applying $\alpha_1 \ldots \alpha_m$ in A w.r.t. T iff $X^m \phi$ is valid w.r.t. T, A, and $B_w$ with $w = \alpha_1 \ldots \alpha_m \beta_1^{\omega}$ and $\beta_1 = (\emptyset, \emptyset, \emptyset)$ (in which $X^m$ is the abbreviation of number m of Xs). Thus, the complexity results about the projection problem in [4] imply the following lemma:

Lemma 14. The validity problem of DL-LTL formulas w.r.t. acyclic TBoxes, ABoxes, and Büchi automata (with the restriction specified at the beginning of this section) is
• PSpace-hard for ALC;
• ExpTime-hard for ALCI;
• co-NExpTime-hard for ALCQI.
The above lemma does not rely on the coding of numbers. Recall that the validity problem can be further reduced to the (un)satisfiability problem. Thus,

Theorem 15. The satisfiability problem (and the complement of the validity problem) of DL-LTL formulas w.r.t. acyclic TBoxes, ABoxes, and Büchi automata (with the restriction specified at the beginning of this section) for the DL L is
• PSpace-complete if L is in {ALC, ALCO, ALCQ, ALCQO} and the numbers in qualified number restriction are coded in unary;

The General Case
Now, we consider arbitrary Büchi automata and (possibly) conditional actions.
In this setting, we cannot use the approach introduced in the previous section.On the one hand, it is easy to see that, for conditional actions, the crucial Lemma 8 need not hold.On the other hand, while any non-empty language accepted by a Büchi automaton contains a cyclic word, it may also contain non-cyclic ones.Thus, it is not a propri clear whether a cyclic word can be taken as the word w ∈ L ω (B) required by the definition of the satisfiability problem.
Our approach for solving satisfiablity of a DL-LTL formula φ w.r.t. an acyclic TBox T , an ABox A, and a Büchi automaton B over an alphabet Σ of (possibly) conditional actions is based on the approach for deciding satisfiablity in ALC-LTL introduced in [3].Given a DL-LTL formula φ to be tested for satisfiability, this approach builds the propositional abstraction φ of φ by replacing each assertion4 γ occurring in φ by a corresponding propositional letter p γ .Let L be the set of propositional letters used for the abstraction.Consider a set S ⊆ P(L), i.e., a set of subsets of L. Such a set induces the following (propositional) LTL formula: Intuitively, this formula is satisfiable if there exists a propositional LTL structure satisfying φ in which, at every time point, the set of propositional letters satisfied at this time point is one of the sets X ∈ S. To get satisfiability of φ from satisfiability of φ S for some S ⊆ P(L), we must check whether the sets of assertions induced by the sets X ∈ S are consistent.To be more precise, assume that a set S = {X 1 , . . ., X k } ⊆ P(L) is given.For every i, 1 ≤ i ≤ k, and every concept name A (role name r) occurring in φ, we introduce a copy A (i) (r (i) ).We call A (i) (r (i) ) the ith copy of A (r).The assertion γ (i) is obtained from γ by replacing every occurrence of a concept or role name by its ith copy.The set S = {X 1 , . . ., X k } induces the following ABox: The following lemma is proved in [3].
Lemma 16. The DL-LTL formula $\phi$ is satisfiable iff there is a set $S \subseteq \mathcal{P}(\mathcal{L})$ such that the propositional LTL formula $\hat{\phi}_S$ is satisfiable and the ABox $\mathcal{A}_S$ is consistent (w.r.t. the empty TBox).
Now, we show how we can use this approach to solve the satisfiability problem introduced in Definition 6, i.e., satisfiability of a DL-LTL formula $\phi$ w.r.t. an acyclic TBox $\mathcal{T}$, an ABox $\mathcal{A}$, and a Büchi automaton $\mathcal{B}$ over an alphabet $\Sigma$ of (possibly) conditional actions. First, note that Lemma 16 also holds if we formulate it for DL-LTL formulae, with a DL between ALC and ALCQIO, rather than ALC-LTL formulae. However, the existence of a set $S \subseteq \mathcal{P}(\mathcal{L})$ such that $\hat{\phi}_S$ is satisfiable and the ABox $\mathcal{A}_S$ is consistent is not enough to have satisfiability of $\phi$ w.r.t. $\mathcal{T}$, $\mathcal{A}$, and $\mathcal{B}$. In fact, the existence of such a set only yields a DL-LTL structure $\mathfrak{I} = (\mathcal{I}_i)_{i=0,1,\ldots}$ satisfying $\phi$. We also need to ensure (i) that $\mathcal{I}_0$ is a model of $\mathcal{A}$ and (ii) that there is an infinite word $w \in L_\omega(\mathcal{B})$ such that, for all $i \ge 0$, the transition from $\mathcal{I}_i$ to $\mathcal{I}_{i+1}$ is caused by the action $w(i)$ and $\mathcal{I}_i$ is a model of $\mathcal{T}$.
Ensuring that $\mathcal{I}_0$ is a model of $\mathcal{A}$ is easy since $\mathcal{A}$ can be encoded in the DL-LTL formula by working with the formula $\phi \wedge \bigwedge_{\gamma \in \mathcal{A}} \gamma$ instead of $\phi$. For this reason, we will assume in the following (without loss of generality) that the ABox $\mathcal{A}$ is empty.
To deal with the second issue, we introduce corresponding propositional letters $p_\gamma$ not only for the assertions $\gamma$ occurring in $\phi$, but also for (i) the assertions $\gamma$ occurring in the actions in $\Sigma$, and (ii) the assertions $\gamma$ of the form $A(a)$ and $r(a, b)$ where $A$, $r$, $a$, $b$ occur in $\phi$, $\mathcal{T}$, or an action in $\Sigma$, $A$ is a concept name that is primitive in $\mathcal{T}$, $r$ is a role name, and $a$, $b$ are individual names. We call the assertions introduced in (ii) primitive assertions. In the following, let $\mathcal{L}$ be the (finite) set of propositional letters obtained this way. Obviously, Lemma 16 still holds if we use this larger set of propositional letters to build the sets $S$ and the formulae $\hat{\phi}_S$.
One way of deciding satisfiability of a propositional LTL formula $\hat{\phi}$ is to construct a Büchi automaton $\mathcal{C}_{\hat{\phi}}$ that accepts the propositional LTL structures satisfying $\hat{\phi}$ [18]. To be more precise, let $\Gamma := \mathcal{P}(\mathcal{L})$. A propositional LTL structure $\widehat{\mathfrak{I}} = (w_i)_{i=0,1,\ldots}$ is an infinite sequence of truth assignments to the propositional letters from $\mathcal{L}$. Such a structure can be represented by an infinite word $X = X(0)X(1)\ldots$ over $\Gamma$, where $X(i)$ consists of the propositional variables that $w_i$ makes true. The Büchi automaton $\mathcal{C}_{\hat{\phi}}$ is built such that it accepts exactly those infinite words over $\Gamma$ that represent propositional LTL structures satisfying $\hat{\phi}$. Consequently, $\hat{\phi}$ is satisfiable iff the language accepted by $\mathcal{C}_{\hat{\phi}}$ is non-empty. The size of $\mathcal{C}_{\hat{\phi}}$ is exponential in the size of $\hat{\phi}$, and the emptiness test for Büchi automata is polynomial in the size of the automaton.

As sketched in [3], the automaton $\mathcal{C}_{\hat{\phi}}$ can easily be modified into one accepting exactly the words representing propositional LTL structures satisfying $\hat{\phi}_S$. In fact, we just need to remove all transitions that use a letter from $\Gamma \setminus S$. Obviously, this modification can be done in time polynomial in the size of $\mathcal{C}_{\hat{\phi}}$, and thus in time exponential in the size of $\hat{\phi}$. We denote the Büchi automaton obtained this way by $\mathcal{C}^S_{\hat{\phi}}$.
Lemma 17. Let $\phi$ be a DL-LTL formula and $\mathcal{L}$ the set of propositional letters constructed as described above. Let $S$ be a subset of $\mathcal{P}(\mathcal{L})$. We construct $\hat{\phi}_S$ and $\mathcal{C}^S_{\hat{\phi}}$ as above. Then for every propositional structure $\widehat{\mathfrak{I}} = (w_i)_{i=0,1,\ldots}$, $\widehat{\mathfrak{I}}, 0 \models \hat{\phi}_S$ iff the infinite word represented by $\widehat{\mathfrak{I}}$ is accepted by $\mathcal{C}^S_{\hat{\phi}}$.

Now, consider the Büchi automaton $\mathcal{B}$ from the input, and assume that it is of the form $\mathcal{B} = (Q, \Sigma, I, \Delta, F)$, where $Q$ is the set of states, $I \subseteq Q$ the set of initial states, $\Delta \subseteq Q \times \Sigma \times Q$ the transition relation, and $F \subseteq Q$ the set of final states. We use $\mathcal{B}$ to construct a Büchi automaton $\mathcal{B}' = (Q', \Gamma, I', \Delta', F')$ that accepts those infinite words $X = X(0)X(1)\ldots$ over the alphabet $\Gamma$ for which there is an infinite word $w \in L_\omega(\mathcal{B})$ such that the difference between $X(i)$ and $X(i+1)$ is "caused by" the action $w(i)$:

• $((q, \alpha, X), Y, (q', \alpha', X')) \in \Delta'$ iff the following holds:
  1. $(q, \alpha, q') \in \Delta$;
  2. $X = Y$;
  3. Let $\alpha = (\mathsf{pre}, \mathsf{occ}, \mathsf{post})$.
     - $p_\gamma \in X$ for all $\gamma \in \mathsf{pre}$;
     - if $\beta/\gamma \in \mathsf{post}$ and $p_\beta \in X$ then $p_\gamma \in X'$;
     - for every primitive assertion $\gamma$, if $p_\gamma \in X$, $\gamma \notin \mathsf{occ}$, and there is no $\beta/\neg\gamma \in \mathsf{post}$ with $p_\beta \in X$, then $p_\gamma \in X'$;
     - for every primitive assertion $\gamma$, if $p_\gamma \notin X$, $\gamma \notin \mathsf{occ}$, and there is no $\beta/\gamma \in \mathsf{post}$ with $p_\beta \in X$, then $p_\gamma \notin X'$.

The intersection of the languages $L_\omega(\mathcal{B}')$ and $L_\omega(\mathcal{C}^S_{\hat{\phi}})$ thus contains those infinite words $X = X(0)X(1)\ldots$ over the alphabet $\Gamma$ (i) that represent propositional LTL structures satisfying $\hat{\phi}_S$, and (ii) for which there is an infinite word $w \in L_\omega(\mathcal{B})$ such that the difference between $X(i)$ and $X(i+1)$ is caused by the action $w(i)$, where the formal meaning of "caused by" is given by the conditions in Item 3 of the definition of $\mathcal{B}'$. Since the class of languages of infinite words accepted by Büchi automata is closed under intersection, there is a Büchi automaton $\mathcal{D}(\hat{\phi}, S, \mathcal{B})$ accepting this intersection. This automaton can be obtained from $\mathcal{B}'$ and $\mathcal{C}^S_{\hat{\phi}}$ by a product construction that is a bit more complicated, but not more complex, than the construction for "normal" finite automata [15]. Thus, like $\mathcal{C}^S_{\hat{\phi}}$ and $\mathcal{B}'$, the automaton $\mathcal{D}(\hat{\phi}, S, \mathcal{B})$ is of size exponential in the size of the input.
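The following Python sketch is an added example, not code from the thesis: it implements the "caused by" check of Item 3 (with the last frame condition applied to letters that are false in X, which stay false unless an effect sets them) and tests B′ for non-emptiness once its letters are restricted to a set S. It assumes that every assertion is a primitive literal written as a string, with `!g` standing for ¬g, that a state (q, α, X) is accepting iff q ∈ F, and it leaves out the product with the LTL automaton; the action names, the automaton and the letters are constructed sample data.

```python
def holds(lit, X):
    """Literal 'g' holds in X iff p_g is in X; '!g' holds iff p_g is not."""
    return lit[1:] not in X if lit.startswith("!") else lit in X

def caused_by(X, X2, action, primitive):
    """Item 3 of the definition of Delta': can `action` lead from X to X2?"""
    pre, occ, post = action
    if not all(holds(g, X) for g in pre):
        return False                                  # precondition violated
    fired = {g for (b, g) in post if holds(b, X)}     # effects whose condition holds
    if not all(holds(g, X2) for g in fired):
        return False                                  # a triggered effect is missing
    for g in primitive:                               # frame conditions
        if g in occ:
            continue                                  # occluded: may change freely
        if g in X and "!" + g not in fired and g not in X2:
            return False                              # true letter dropped without cause
        if g not in X and g not in fired and g in X2:
            return False                              # false letter set without cause
    return True

def nonempty(B, actions, S, primitive):
    """Does B', with letters restricted to S, accept some infinite word?"""
    Q, init, delta, final = B
    states = [(q, a, X) for q in Q for a in actions for X in S]
    succ = {s: [t for t in states
                if (s[0], s[1], t[0]) in delta
                and caused_by(s[2], t[2], actions[s[1]], primitive)]
            for s in states}

    def reach(sources):                               # states reachable in >= 1 step
        seen, todo = set(), list(sources)
        while todo:
            for t in succ[todo.pop()]:
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
        return seen

    start = [s for s in states if s[0] in init]
    reachable = set(start) | reach(start)
    # Buechi acceptance: a reachable accepting state that lies on a cycle
    return any(s[0] in final and s in reach([s]) for s in reachable)

# Constructed sample: coffee delivery with one conditional action
PRIMITIVE = ["Req(a)", "Has(a)"]
ACTIONS = {
    "deliver": ([], set(), [("Req(a)", "Has(a)"), ("Req(a)", "!Req(a)")]),
    "sense":   ([], {"Req(a)"}, []),                  # occludes Req(a)
}
B = ({"q"}, {"q"}, {("q", "deliver", "q")}, {"q"})    # accepts deliver^omega
REQ, HAS = frozenset({"Req(a)"}), frozenset({"Has(a)"})

if __name__ == "__main__":
    print(nonempty(B, ACTIONS, [REQ], PRIMITIVE))       # S = {{p_Req}}
    print(nonempty(B, ACTIONS, [REQ, HAS], PRIMITIVE))  # S = {{p_Req}, {p_Has}}
```

With S containing only {p_Req(a)} the restricted automaton is empty, because `deliver` forces the request to be cleared; adding {p_Has(a)} to S admits an accepting run.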
Given a word $X = X(0)X(1)\ldots$ accepted by $\mathcal{D}(\hat{\phi}, S, \mathcal{B})$, we still cannot be sure that the propositional LTL structure represented by this word can be lifted to a DL-LTL structure generated by a word $w \in L_\omega(\mathcal{B})$ from the empty ABox w.r.t. $\mathcal{T}$. The first problem is that we must ensure that $X = X(0)X(1)\ldots$ can be lifted to a DL-LTL structure $\mathfrak{I} = (\mathcal{I}_i)_{i=0,1,\ldots}$ satisfying $\phi$. By Lemma 16, this is the case if the ABox $\mathcal{A}_S$ is consistent (w.r.t. the empty TBox). However, we will see below that we need to adapt the definition of $\mathcal{A}_S$ in order to align it with the approach used to solve the second problem.
This second problem is that we need to ensure that $\mathcal{I}_i \Rightarrow^{\mathcal{T}}_{w(i)} \mathcal{I}_{i+1}$ holds for all $i \ge 0$. Note that Item 3 in the definition of $\mathcal{B}'$ only enforces that the changes to the named part of the interpretation (i.e., for the domain elements interpreting individual names) are according to the action $w(i)$. It does not say anything about the unnamed part of the interpretation (which, according to the semantics of our actions, should not be modified) and it does not deal with the TBox. Fortunately, this is exactly what the TBox $\mathcal{T}_{red}$ already used in the previous section is designed for.

The idea is that every concept description $C$ occurring in the input (directly or as subdescription) is represented by new concept names $T^{(i)}_C$ for $i = 1, \ldots, k$, where the index $i$ corresponds to the set $X_i \in S$. Recall that we already have copies $A^{(i)}$, $r^{(i)}$ ($i = 1, \ldots, k$) for all concepts and role names occurring in the input. In addition, we now introduce an additional copy $A^{(0)}$, $r^{(0)}$. Intuitively, for every index $i$, we want to have an interpretation $\mathcal{I}_i$ that is a model of the ABox and of the input TBox $\mathcal{T}$, such that all these interpretations coincide on their unnamed parts. Now, for every concept name $A$ (role name $r$), the copy $A^{(0)}$ ($r^{(0)}$) corresponds to the extension of $A$ ($r$) on the unnamed part of $\mathcal{I}_i$ (which is the same for all $i$), and the copy $A^{(i)}$ ($r^{(i)}$) corresponds to the extension of $A$ ($r$) on the named part of $\mathcal{I}_i$. For a concept description $C$, the concept name $T^{(i)}_C$ corresponds to the extension of $C$ in $\mathcal{I}_i$ (both named and unnamed part).

Let $S = \{X_1, \ldots, X_k\}$. We define where $\mathcal{T}_N$ and $\mathcal{T}^{(i)}_{Sub}$ are defined as in the previous section. The TBox $\mathcal{T}_{red}$ is defined such that, from a model of $\mathcal{T}_{red}$, one can derive models $\mathcal{I}_i$ of $\mathcal{T}$ coinciding on their unnamed parts. To ensure that $\mathcal{I}_i$ is also a model of $\mathcal{A}_i$, we basically use the ABox $\mathcal{A}_S$ introduced above with the only difference that $\gamma^{(i)}$ is defined as in (1) in the previous section, instead of the copy $\gamma^{(i)}$ used in [3] (see above). Let $\mathcal{A}_S$ be the ABox obtained this way:

We are now ready to formulate the main technical result of this section.
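Lemma 18. The DL-LTL formula $\phi$ is satisfiable w.r.t. $\mathcal{T}$, $\emptyset$, and $\mathcal{B}$ iff there is a set $S \subseteq \mathcal{P}(\mathcal{L})$ such that $L_\omega(\mathcal{D}(\hat{\phi}, S, \mathcal{B})) \neq \emptyset$ and $\mathcal{A}_S$ is consistent w.r.t. $\mathcal{T}_{red}$.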
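Proof. "⇒": Suppose that $\phi$ is satisfiable w.r.t. $\mathcal{T}$, $\mathcal{A}$, and $\mathcal{B}$. Then there exist a $w = \alpha_0 \alpha_1 \cdots \in L_\omega(\mathcal{B})$ and a DL-LTL structure $\mathfrak{I} = (\mathcal{I}_i)_{i=0,1,\ldots}$ generated by $w$ from $\mathcal{A}$ ($\mathcal{A} = \emptyset$ by our assumption) w.r.t. $\mathcal{T}$ such that $\mathfrak{I}, 0 \models \phi$. We define $X_i$ for all $i \ge 0$ and $S$ as follows:

It follows from the definition of $X_i$ that for all $i \ge 0$, for all $p_\gamma \in \mathcal{L}$, $p_\gamma \in X_i$ iff $\mathcal{I}_i \models \gamma$. Let $\widehat{\mathfrak{I}}$ be the propositional LTL structure $(X_i)_{i=0,1,\ldots}$. Then, for all $i \ge 0$, ).

We now show that $X_0 X_1 \ldots$ is accepted by $\mathcal{B}'$. Since $w \in L_\omega(\mathcal{B})$, there exists an accepting run $q_0 q_1 \ldots$ of $\mathcal{B}$ on $w$. We show that $(q_0, \alpha_0, X_0)(q_1, \alpha_1, X_1)\ldots$ is a run of $\mathcal{B}'$ on $X_0 X_1 \ldots$: For all $i \ge 0$, we have

• for all $\gamma \in \mathsf{pre}_i$: since $\mathfrak{I}$ is a DL-LTL structure generated by $w$ from $\mathcal{A}$ w.r.t. $\mathcal{T}$, $\mathcal{I}_i \models \mathsf{pre}_i$. Thus, for all $\gamma \in \mathsf{pre}_i$, $p_\gamma \in X_i$.
• if $\beta/\gamma \in \mathsf{post}_i$ and $p_\beta \in X_i$ then $p_\gamma \in X_{i+1}$: since $\mathfrak{I}$ is a DL-LTL structure generated by $w$ from $\mathcal{A}$ w.r.t. $\mathcal{T}$, $\mathcal{I}_i \Rightarrow^{\mathcal{T}}_{\alpha_i} \mathcal{I}_{i+1}$. Thus, for every $\beta/\gamma \in \mathsf{post}_i$, we have if $\mathcal{I}_i \models \beta$ then $\mathcal{I}_{i+1} \models \gamma$. By the definition of $X_i$, $p_\beta \in X_i$ implies that $\mathcal{I}_i \models \beta$. Thus, $\mathcal{I}_{i+1} \models \gamma$, which implies $p_\gamma \in X_{i+1}$.
• for every primitive assertion $\gamma$, if $p_\gamma \in X_i$, $\gamma \notin \mathsf{occ}_i$, and there is no $\beta/\neg\gamma \in \mathsf{post}_i$ with $p_\beta \in X_i$, then $p_\gamma \in X_{i+1}$: since $\mathfrak{I}$ is a DL-LTL structure generated by $w$ from $\mathcal{A}$ w.r.t. $\mathcal{T}$, $\mathcal{I}_i \Rightarrow^{\mathcal{T}}_{\alpha_i} \mathcal{I}_{i+1}$. Thus, for every primitive assertion $\gamma$, if $\mathcal{I}_i \models \gamma$, $\gamma \notin \mathsf{occ}_i$, and there is no $\beta/\neg\gamma \in \mathsf{post}_i$ with $\mathcal{I}_i \models \beta$, we have $\mathcal{I}_{i+1} \models \gamma$. By the definition of $X_i$, $p_\gamma \in X_i$ implies that $\mathcal{I}_i \models \gamma$. Moreover, since there is no $\beta/\neg\gamma \in \mathsf{post}_i$ with $p_\beta \in X_i$, there is no $\beta/\neg\gamma \in \mathsf{post}_i$ with $\mathcal{I}_i \models \beta$. Thus, $\mathcal{I}_{i+1} \models \gamma$, which implies that $p_\gamma \in X_{i+1}$.
• for every primitive assertion $\gamma$, if $p_\gamma \notin X$ and there is no $\beta/\gamma \in \mathsf{post}$ with $p_\beta \in X$, then $p_\gamma \notin X'$: This can be shown similarly to the previous condition.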
Since $q_0 q_1 \ldots$ is an accepting run of $\mathcal{B}$, the above run is an accepting run of $\mathcal{B}'$. Thus, $X_0 X_1 \ldots$ is accepted by the automaton $\mathcal{D}(\hat{\phi}, S, \mathcal{B})$.
It remains to show that $\mathcal{A}_S$ is consistent w.r.t. $\mathcal{T}_{red}$. Suppose $S = \{X_1, \ldots, X_k\}$.
For each $\iota \ge 0$, we know that there is an $i_\iota \in \{1, \ldots, k\}$ such that $X_{i_\iota} = \{p_\gamma \in \mathcal{L} \mid \mathcal{I}_\iota \models \gamma\}$. Conversely, for each $i \in \{1, \ldots, k\}$, there is an $\iota \ge 0$ such that $i = i_\iota$. Let $\iota_1, \ldots, \iota_k \in \{0, 1, \ldots\}$ be such that $i_{\iota_1} = 1, \ldots, i_{\iota_k} = k$. The interpretation $\mathcal{J}$ is obtained from $\mathcal{I}_{\iota_i}$ by the following construction:

• $(A^{(i)})^{\mathcal{J}} := A^{\mathcal{I}_{\iota_i}}$ for all concept names $A$ in the input and $1 \le i \le k$,
• $(A^{(0)})^{\mathcal{J}} := A^{\mathcal{I}_0}$ for all concept names $A$ in the input,
• $(r^{(i)})^{\mathcal{J}} := r^{\mathcal{I}_{\iota_i}}$ for all role names $r$ in the input and $1 \le i \le k$,
• $(r^{(0)})^{\mathcal{J}} := r^{\mathcal{I}_0}$ for all role names $r$ in the input, and

It follows from the definition of $\mathcal{J}$ that $\mathcal{J} \models \mathcal{T}_N$. By induction on the structure of $C$, it can be shown that for all $C \in Sub$ and for all $i$ with $1 \le i \le k$, $\mathcal{J}$ satisfies the concept definition of $T^{(i)}_C$ (cf. the proof of Lemma 15 in [5] for details). Thus, we get $\mathcal{J} \models \mathcal{T}_{red}$.
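The definition of $\mathcal{J}$ implies that for all $i$ with $1 \le i \le k$ and for all $p_\gamma \in \mathcal{L}$,

"⇐": Suppose that there is a set $S \subseteq \mathcal{P}(\mathcal{L})$ such that $L_\omega(\mathcal{D}(\hat{\phi}, S, \mathcal{B})) \neq \emptyset$ and $\mathcal{A}_S$ is consistent w.r.t. $\mathcal{T}_{red}$. Thus, there exists a model $\mathcal{J}$ of $\mathcal{A}_S$ and $\mathcal{T}_{red}$. For $i \in \{1, \ldots, k\}$, we define $\mathcal{J}_i$ as follows:

A ) J for every concept name $A$ in the input, and
• $r^{\mathcal{J}_i} := \big((r^{(i)})^{\mathcal{J}} \cap (N^{\mathcal{J}} \times N^{\mathcal{J}})\big) \cup \big((r^{(0)})^{\mathcal{J}} \cap (\Delta^{\mathcal{J}} \times (\neg N)^{\mathcal{J}} \cup (\neg N)^{\mathcal{J}} \times \Delta^{\mathcal{J}})\big)$ for every role name $r$ in the input.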
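By induction on the structure of $C$, we can show that for each $C \in Sub$, $C^{\mathcal{J}_i} = (T^{(i)}_C)^{\mathcal{J}}$ (cf. the proof of Lemma 15 in [5] for details). Since $\mathcal{J} \models \mathcal{T}_{red}$, for all $A \equiv C \in \mathcal{T}$, $\mathcal{J} \models T^{(i)}_C$ for all $i$ with $1 \le i \le k$. Hence, $\mathcal{J}_i \models \mathcal{T}$ for all $i$ with $1 \le i \le k$. Moreover, $\mathcal{J} \models \mathcal{A}_S$ implies that for all $i$ with $1 \le i \le k$, $\mathcal{J}$ is a model of the following ABox $\mathcal{A}_i$:

Thus, for all $p_\gamma \in \mathcal{L}$, $p_\gamma \in X_i$ iff $\mathcal{J}_i \models \gamma$.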
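Now we show that for all $\iota \ge 0$, $\mathcal{I}_\iota \Rightarrow^{\mathcal{T}}_{w(\iota)} \mathcal{I}_{\iota+1}$. By the definition of $\mathcal{I}_\iota$, we know that all of the $\mathcal{I}_\iota$ share the domain and interpretation of individuals. Since $\mathcal{J}_i \models \mathcal{T}$ for all $i$ with $1 \le i \le k$, by the definition of $\mathcal{I}_\iota$, we have $\mathcal{I}_\iota \models \mathcal{T}$ for all $\iota \ge 0$. It follows from the definitions of $\mathcal{J}_1, \ldots, \mathcal{J}_k$ and the fact $\mathcal{J} \models \mathcal{T}_{red}$ that for all $x, y \in \Delta^{\mathcal{J}}$, we have for all $i$ with $1 \le i \le k$,

• for each primitive concept name $A$ in $\mathcal{T}$, if $x \notin N^{\mathcal{J}}$, then $x \in A^{\mathcal{J}_i}$ iff $x \in (A^{(0)})^{\mathcal{J}}$ and
• for each role name $r$, if $x \notin N^{\mathcal{J}}$ or $y \notin N^{\mathcal{J}}$, then $(x, y) \in r^{\mathcal{J}_i}$ iff $(x, y) \in (r^{(0)})^{\mathcal{J}}$.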
This implies that the anonymous objects respect the semantics of actions, which, together with the fact that for all $\iota \ge 0$, for all $p_\gamma \in \mathcal{L}$, $p_\gamma \in X_\iota$ iff $\mathcal{I}_\iota \models \gamma$, and the definition of $\Delta'$ (the transition relation of $\mathcal{B}'$) yields that the conditions in Definition 4 are satisfied. Similarly, for all $\iota \ge 0$, $\mathcal{I}_\iota \models \mathsf{pre}_\iota$ since for all $\gamma \in \mathsf{pre}_\iota$, $p_\gamma \in X_\iota$. Thus, $\alpha_\iota$ is executable in $\mathcal{I}_\iota$. Hence, $\mathfrak{I}$ is a DL-LTL structure generated by $w$ from $\mathcal{A}$ ($\mathcal{A} = \emptyset$ by our assumption) w.r.t. $\mathcal{T}$.

This lemma yields a decision procedure for the satisfiability problem. In fact, the double-exponentially many sets $S \subseteq \mathcal{P}(\mathcal{L})$ can be enumerated within ExpSpace, and the exponentially large automaton $\mathcal{D}(\hat{\phi}, S, \mathcal{B})$ can be tested for emptiness in exponential time. Finally, the ABox $\mathcal{A}_S$ is of exponential size (due to the fact that $S$ is of exponential size) and the same is true for $\mathcal{T}_{red}$. Since consistency w.r.t. an acyclic TBox is PSpace-complete in ALCQO (ExpTime-complete in ALCIO, NExpTime-complete in ALCQIO, respectively), the required consistency test can be performed in ExpSpace (2-ExpTime, 2-NExpTime, respectively).
Theorem 19. The satisfiability problem (and the complement of the validity problem) of DL-LTL formulas w.r.t. acyclic TBoxes, ABoxes, and Büchi automata over an alphabet of (possibly) conditional actions (possibly) with occlusions is

• in ExpSpace for ALCQO if the numbers in qualified number restrictions are coded in unary;
• in 2-ExpTime for ALCIO;
• in 2-NExpTime for ALCQIO.

Future Work
To sum up, we have shown that the verification problem for non-terminating action logic programs becomes decidable if we abstract from the actual execution sequences of a non-terminating program by considering infinite sequences of actions defined by a Büchi automaton, and assume that the logic employed by the action theory is a decidable description logic.
In this paper, we have assumed that a Büchi automaton abstracting the program in the sense that all possible execution sequences of the program are accepted by this automaton is given (e.g., by the developer of the action program). An important topic for future research is how to generate such an abstraction automatically from a given program. Alternatively, if this is not possible since it yields abstractions that are too coarse (i.e., containing too many infinite sequences of actions that are not execution sequences of the program), it would still be helpful to develop tools that facilitate proving that a given Büchi automaton is an abstraction of a given program. In addition, it will probably be necessary to develop optimized versions of the decision procedures introduced in this paper before they can be applied to large DL-based action theories.
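mapping that assigns a subset $A^{\mathcal{I}}$ of $\Delta^{\mathcal{I}}$ to each concept name $A \in N_C$, a binary relation $r^{\mathcal{I}}$ on $\Delta^{\mathcal{I}}$ to each role name $r \in N_R$, and an element $a^{\mathcal{I}}$ of $\Delta^{\mathcal{I}}$ to each individual name $a \in N_I$. Moreover, for all $a, b \in N_I$, $a \neq b$ implies $a^{\mathcal{I}} \neq b^{\mathcal{I}}$.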
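ABox $\mathcal{A}$ is a finite set of assertions of the form $C(a)$, $r(a, b)$, or $\neg r(a, b)$, where $C$ is a concept, $r$ is a role, $a$, $b$ are individual names. We call an assertion with the first form a concept assertion, a role assertion otherwise. An interpretation $\mathcal{I}$ is a model of assertion $C(a)$ iff $a^{\mathcal{I}} \in C^{\mathcal{I}}$; $r(a, b)$ iff $(a^{\mathcal{I}}, b^{\mathcal{I}}) \in r^{\mathcal{I}}$; $\neg r(a, b)$ iff $(a^{\mathcal{I}}, b^{\mathcal{I}}) \notin r^{\mathcal{I}}$. $\mathcal{I}$ is a model of $\mathcal{A}$ (denoted by $\mathcal{I} \models \mathcal{A}$) iff for all $\varphi \in \mathcal{A}$, $\mathcal{I}$ is a model of $\varphi$. Given an assertion $\gamma$, its negation $\neg\gamma$ is again an assertion: $\neg(C(a)) := (\neg C)(a)$, $\neg(r(a, b)) := \neg r(a, b)$, and $\neg(\neg r(a, b)) := r(a, b)$.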
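and $\phi$ a DL-LTL formula. Such a cyclic sequence of actions represents a program that, after an initialization phase, runs in a nonterminating loop.

Lemma 7. Let $\mathcal{I}$ and $\mathcal{I}'$ be two interpretations and $\beta = \beta_1 \cdots \beta_n$ be a sequence of actions for a TBox $\mathcal{T}$. If $\mathcal{I} \Rightarrow^{\mathcal{T}}_{\beta} \mathcal{I}'$, then $\mathcal{I}' \Rightarrow^{\mathcal{T}}_{\beta} \mathcal{I}'$.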

Table 1: Syntax and semantics of concepts and roles.