ADyadicDeonticLogicinHOL

Christoph Benzmüller

University of Luxembourg, Luxembourg, and Freie Universität Berlin, Germany

c.benzmueller@gmail.com

Ali Farjami

University of Luxembourg, Luxembourg

farjami110@gmail.com

Xavier Parent

University of Luxembourg, Luxembourg

xavier.parent@uni.lu

Abstract

A shallow semantical embedding of a dyadic deontic logic by Carmo and

Jones in classical higher-order logic is presented. This embedding is proven

sound and complete, that is, faithful.

The work presented here provides the theoretical foundation for the imple-

mentation and automation of dyadic deontic logic within oﬀ-the-shelf higher-

order theorem provers and proof assistants.

Keywords: Logic of CTD conditionals by Carmo and Jones; Classical higher-

order logic; Semantic embedding; Automated reasoning

1 Introduction

Dyadic deontic logic is the logic for reasoning with dyadic obligations (“it ought to

be the case that ... if it is the case that ..."). A particular dyadic deontic logic,

tailored to so-called contrary-to-duty (CTD) conditionals, has been proposed by

Carmo and Jones [13]. We shall refer to it as DDL in the remainder. DDL comes

with a neighborhood semantics and a weakly complete axiomatization over the class

of ﬁnite models. The framework is immune to the well-known CTD paradoxes, like

This work has been supported the European Union’s Horizon 2020 research and innovation pro-

gramme under the Marie Sk≥odowska-Curie grant agreement No 690974.

Vol. \jvolume No. \jnumber \jyear

Journal of Applied Logics — IFCoLog Journal of Logics and their Applications

Benzmüller, Farjami and Parent

Chisholm’s paradox [14, 19], and other related puzzles. However, the question of

how to mechanise and automate reasoning tasks in DDL has not been studied yet.

This article adresses this challenge. We essentially devise a faithful semantical

embedding of DDL in classical higher-order logic (HOL). The latter logic thereby

serves as an universal meta-logic. Analogous to successful, recent work in the area

of computational metaphysics (cf. [6] and the references therein), the key motivation

is to mechanise and automate DDL on the computer by reusing existing theorem

proving technology for meta-logic HOL. The embedding of DDL in HOL as devised

in this article enables just this.

Meta-logic HOL [4], as employed in this article, was originally devised by Church

[17], and further developed by Henkin [18] and Andrews [1, 3, 2]. It bases both terms

and formulas on simply typed ⁄-terms. The use of the ⁄-calculus has some major

advantages. For example, ⁄-abstractions over formulas allow the explicit naming of

sets and predicates, something that is achieved in set theory via the comprehension

axioms. Another advantage is, that the complex rules for quantiﬁer instantiation

at ﬁrst-order and higher-order types is completely explained via the rules of ⁄-

conversion (the so-called rules of –-, —-, and ÷-conversion) which were proposed

earlier by Church [15, 16]. These two advantages are exploited in our embedding of

DDL in HOL.

Diﬀerent notions of semantics for HOL have been thoroughly studied in the

literature [7, 20]. In this article we assume HOL with Henkin semantics and choice

(cf. the detailed description by Benzmüller et. al. [7]). For this notion of HOL, which

does not suﬀer from Gödel’s incompleteness results, several sound and complete

theorem provers have been developed in the past decades [9]. We propose to reuse

these theorem provers for the mechanisation and automation of DDL. The semantical

embedding as devised in this article provides both the theoretical foundation for the

approach and the practical bridging technology that is enabling DDL applications

within existing HOL theorem provers.

The article is structured as follows: Section 2 outlines DDL and Sec. 3 introduces

HOL. The semantical embedding of DDL in HOL is then devised and studied in

Sec. 4. This section also addresses soundness and completeness, but due to space

restrictions the proofs can only be sketched here; for details we refer to [8]. Section 5

discusses the implementation and automation of the embedding in Isabelle/HOL [21]

and Sec. 6 concludes the paper.

2

ADyadicDeonticLogicinHOL

2 The Dyadic Deontic Logic of Carmo and Jones

This section provides a concise introduction of DDL, the dyadic deontic logic pro-

posed by Carmo and Jones. Deﬁnitions as required for the remainder are presented.

For further details we refer to the literature [13, 12].

To deﬁne the formulas of DDL we start with a countable set Pof propositional

symbols, and we choose ¬and ‚as the only primitive connectives.

The set of DDL formulas is given as the smallest set of formulas obeying the

following conditions:

•Each piœPis an (atomic) DDL formula.

•Given two arbitrary DDL formulas Ïand Â,then

¬Ï—classical negation,

Ï‚Â—classical disjunction,

•(Â/Ï)—dyadic deontic obligation: “it ought to be Â, given Ï”,

2Ï—in all worlds,

2aÏ—in all actual versions of the current world,

2pÏ—in all potential versions of the current world,

•aÏ—monadic deontic operator for actual obligation, and

•pÏ—monadic deontic operator for primary obligation

are also DDL formulas.

Further logical connectives can be deﬁned as usual: Ï·Â:= ¬(¬Ï‚¬Â),

ÏæÂ:= ¬Ï‚Â,ÏΩæ Â:= (ÏæÂ)·(ÂæÏ),3Ï:= ¬2¬Ï,3aÏ:= ¬2a¬Ï,

3pÏ:= ¬2p¬Ï,€:= ¬q‚q, for some propositional symbol q,‹:= ¬€, and

•Ï:= •(Ï/€).

ADDLmodel is a structure M=ÈS, av, pv, ob, V Í,whereSis a non empty set of

items called possible worlds, Vis a function assigning a set of worlds to each atomic

formula, that is, V(pi)™S.av:Sæ˝(S),where˝(S)is the power set of S,isa

function mapping worlds to sets of worlds such that av(s)”=ÿ.av(s)is the set of

actual versions of the world s.pv:Sæ˝(S)is another, similar mapping such that

av(s)™pv(s)and sœpv(s).pv(s)is the set of potential versions of the world s.

ob:˝(S)æ˝(˝(S)) is a function mapping sets of worlds to sets of sets of worlds.

ob(¯

X)is the set of propositions that are obligatory in context ¯

X™S. The following

conditions hold for ob (where ¯

X, ¯

Y, ¯

Zdesignate arbitrary subsets of S):

1. ÿ/œob(¯

X).

2. If ¯

Yﬂ¯

X=¯

Zﬂ¯

X,then ¯

Yœob(¯

X)if and only if ¯

Zœob(¯

X).

3

Benzmüller, Farjami and Parent

3. Let ¯

—™ob(¯

X)and ¯

—”=ÿ.If(ﬂ¯

—)ﬂ¯

X”=ÿ(where ﬂ¯

—={sœS|for all ¯

Zœ

¯

—we have sœ¯

Z}), then (ﬂ¯

—)œob(¯

X).

4. If ¯

Y™¯

Xand ¯

Yœob(¯

X)and ¯

X™¯

Z, then (¯

Zr¯

X)ﬁ¯

Yœob(¯

Z).

5. If ¯

Y™¯

Xand ¯

Zœob(¯

X)and ¯

Yﬂ¯

Z”=ÿ,then ¯

Zœob(¯

Y).

Satisﬁability of a formula Ïfor a model M=ÈS, av, pv, ob, V Íand a world sœS

is expressed by writing that M,s |=Ïand we deﬁne VM(Ï)={sœS|M, s |=Ï}.

In order to simplify the presentation, whenever the model Mis obvious from context,

we write V(Ï)instead of VM(Ï). Moreover, we often use “iﬀ” as shorthand for “if

and only if”.

M,s |=piﬀsœV(p)

M,s |=¬ÏiﬀM,s ”|=Ï(that is, not M,s |=Ï)

M,s |=Ï‚ÂiﬀM,s |=Ïor M,s |=Â

M,s |=2ÏiﬀV(Ï)=S

M,s |=2aÏiﬀav(s)™V(Ï)

M,s |=2pÏiﬀpv(s)™V(Ï)

M,s |=•(Â/Ï)iﬀV(Â)œob(V(Ï))

M,s |=•aÏiﬀV(Ï)œob(av(s)) and av(s)ﬂV(¬Ï)”=ÿ

M,s |=•pÏiﬀV(Ï)œob(pv(s)) and pv(s)ﬂV(¬Ï)”=ÿ

Our evaluation rule for •(_/_)is a simpliﬁed version of the one used by Carmo

and Jones. Given the constraints placed on ob, the two rules are equivalent (cf. [5,

result II-2-2]).

As usual, a DDL formula Ïis valid in a DDL model M=ÈS, av, pv, ob, V Í,i.e.

M|=DDL Ï, if and only if for all worlds sœSwe have M, s |=Ï. A formula Ïis

valid, denoted |=DDL Ï, if and only if it is valid in every DDL model.

3 Classical Higher-order Logic

In this section we introduce classical higher-order logic (HOL). The presentation,

which has partly been adapted from [5], is rather detailed in order to keep the article

suﬃciently self-contained.

3.1 Syntax of HOL

For deﬁning the syntax of HOL, we ﬁrst introduce the set Tof simple types.We

assume that Tis freely generated from a set of basic types BT ´{o, i}using the

4

ADyadicDeonticLogicinHOL

function type constructor .Typeodenotes the (bivalent) set of Booleans, and ia

non-empty set of individuals.

For the deﬁnition of HOL, we start out with a family of denumerable sets of typed

constant symbols (C–)–œT, called the HOL signature, and a family of denumerable

sets of typed variable symbols (V–)–œT.1We employ Church-style typing, where

each term t–explicitly encodes its type information in subscript –.

The language of HOL is given as the smallest set of terms obeying the following

conditions.

•Every typed constant symbol c–œC–is a HOL term of type –.

•Every typed variable symbol X–œV–is a HOL term of type –.

•If s–—and t–are HOL terms of types –—and –,respectively,then

(s–—t–)—, called application, is an HOL term of type —.

•If X–œV–is a typed variable symbol and s—is an HOL term of type —,then

(⁄X–s—)–—, called abstraction, is an HOL term of type –—.

The above deﬁnition encompasses the simply typed ⁄-calculus. In order to

extend this base framework into logic HOL we simply ensure that the signature

(C–)–œTprovides a suﬃcient selection of primitive logical connectives. Without

loss of generality, we here assume the following primitive logical connectives to be

part of the signature: ¬ooœCoo,‚oooœCooo,(–o)oœC(–o)oand

=–––œC–––, abbreviated as =–. The symbols (–o)oand =–––are

generally assumed for each type –œT. The denotation of the primitive logical con-

nectives is ﬁxed below according to their intended meaning. Binder notation ’X–so

is used as an abbreviation for (–o)o⁄X–so. Universal quantiﬁcation in HOL is

thus modeled with the help of the logical constants (–o)oto be used in combi-

nation with lambda-abstraction. That is, the only binding mechanism provided in

HOL is lambda-abstraction.

HOL is a logic of terms in the sense that the formulas of HOL are given as the

terms of type o. In addition to the primitive logical connectives selected above,

we could assume choice operators ‘(–o)–œC(–o)–(for each type –)inthe

signature. We are not pursuing this here.

Type information as well as brackets may be omitted if obvious from the context,

and we may also use inﬁx notation to improve readability. For example, we may

write (s‚t)instead of ((‚oooso)to).

1For example in Section 4 we will assume constant symbols av,pv and ob with types iio,

iioand (io)(io)oas part of the signature.

5

Benzmüller, Farjami and Parent

From the selected set of primitive connectives, other logical connectives can be

introduced as abbreviations.2For example, we may deﬁne s·t:= ¬(¬s‚¬t),

sæt:= ¬s‚t,sΩæ t:= (sæt)·(tæs),€:= (⁄XiX)=(⁄XiX),‹:= ¬€

and ÷X–s:= ¬’X–¬s.

The notions of free variables,–-conversion,—÷-equality (denoted as =—÷) and

substitution of a term s–for a variable X–in a term t—(denoted as [s/X]t) are

deﬁned as usual.

3.2 Semantics of HOL

The semantics of HOL is well understood and thoroughly documented. The intro-

duction provided next focuses on the aspects as needed for this article. For more

details we refer to the previously mentioned literature [7].

The semantics of choice for the remainder is Henkin semantics, i.e., we work with

Henkin’s general models [18]. Henkin models (and standard models) are introduced

next. We start out with introducing frame structures.

Aframe Dis a collection {D–}–œTof nonempty sets D–, such that Do={T,F}

(for truth and falsehood). The D–æ—are collections of functions mapping D–into

D—.

Amodel for HOL is a tuple M=ÈD, IÍ,whereDis a frame, and Iis a family

of typed interpretation functions mapping constant symbols p–œC–to appropriate

elements of D–, called the denotation of p–. The logical connectives ¬,‚,and =

are always given their expected, standard denotations:3

•I(¬oæo)=not œDoæosuch that not(T)=Fand not(F)=T.

•I(‚oæoæo)=or œDoæoæosuch that or(a, b)=Tiﬀ(a=Tor b=T).

•I(=–æ–æo)=id œD–æ–æosuch that for all a, b œD–,id(a, b)=Tiﬀais

identical to b.

2As demonstrated by Andrews [4], we could in fact start out with only primitive equality in

the signature (for all types –) and introduce all other logical connectives as abbreviations based on

it. Alternatively, we could remove primitive equality from the above signature, since equality can

be deﬁned in HOL from these other logical connectives by exploiting Leibniz’ principle, expressing

that two objects are equal if they share the same properties. Leibn iz equal ity .

=–at type –is thus

deﬁned as s–

.

=–t–:= ’P–o(Ps Ωæ Pt). The motivation for the redundant signature as selected

here is to stay close to the the choices taken in implemented theorem provers such as LEO-II and

Leo-III and also to theory paper [7], which is recommended for further details.

3Since =–æ–æo(for all types –) is in the signature, it is ensured that the domains D–æ–æo

contain the respective identity relations. This addresses an issue discovered by Andrews [2]: if such

identity relations did not existing in the D–æ–æo, then Leibniz equality in Henkin semantics might

not denote as intended.

6

ADyadicDeonticLogicinHOL

•I((–æo)æo)=all œD(–æo)æosuch that for all sœD–æo,all(s)=Tiﬀ

s(a)=Tfor all aœD–;i.e.,sis the set of all objects of type –.

Variable assignments are a technical aid for the subsequent deﬁnition of an inter-

pretation function Î.ÎM,g for HOL terms. This interpretation function is parametric

over a model Mand a variable assignment g.

Avariable assignment gmaps variables X–to elements in D–.g[d/W ]denotes

the assignment that is identical to g, except for variable W, which is now mapped

to d.

The denotation Îs–ÎM,g of an HOL term s–on a model M=ÈD, IÍunder

assignment gis an element dœD–deﬁned in the following way:

Îp–ÎM,g =I(p–)

ÎX–ÎM,g =g(X–)

Î(s–æ—t–)—ÎM,g =Îs–æ—ÎM,g(Ît–ÎM,g)

Î(⁄X–s—)–æ—ÎM,g =the function ffrom D–to D—such that

f(d)=Îs—ÎM,g[d/X–]for all dœD–

AmodelM=ÈD, I Íis called a standard model if and only if for all –,—œ

Twe have D–æ—={f|f:D–≠æ D—}.InaHenkin model (general model)

function spaces are not necessarily full. Instead it is only required that for all

–,—œT,D–æ—™{f|f:D–≠æ D—}. However, it is required that the valuation

function Î·Î

M,g from above is total, so that every term denotes. Note that this

requirement, which is called Denotatpﬂicht, ensures that the function domains D–æ—

never become too sparse, that is, the denotations of the lambda-abstractions as

devised above are always contained in them.

Corollary 1. For any Henkin model M=ÈD, IÍand variable assignment g:

1. Î(¬oæoso)oÎM,g =TiﬀÎsoÎM,g =F.

2. Î((‚oæoæoso)to)oÎM,g =TiﬀÎsoÎM,g =Tor ÎtoÎM,g =T.

3. Î((·oæoæoso)to)oÎM,g =TiﬀÎsoÎM,g =Tand ÎtoÎM,g =T.

4. Î((æoæoæoso)to)oÎM,g =Tiﬀ(if ÎsoÎM,g =Tthen ÎtoÎM,g =T).

5. Î((Ωæ oæoæoso)to)oÎM,g =Tiﬀ(ÎsoÎM,g =TiﬀÎtoÎM,g =T).

6. Î€ÎM,g =T.

7. Î‹ÎM,g =F.

7

Benzmüller, Farjami and Parent

8. Î(’X–so)oÎM,g =Tiﬀfor all dœD–we have ÎsoÎM,g[d/X–]=T.

9. Î(÷X–so)oÎM,g =Tiﬀthere exists dœD–such that ÎsoÎM,g[d/X–]=T.

Proof. We leave the proof as an exercise to the reader.

An HOL formula sois true in an Henkin model Munder assignment gif and

only if ÎsoÎM,g =T; this is also expressed by writing that M,g |=HOL so. An HOL

formula sois called valid in M, which is expressed by writing that M|=HOL so,if

and only if M,g |=HOL sofor all assignments g. Moreover, a formula sois called

valid, expressed by writing that |=HOL so, if and only if sois valid in all Henkin

models M. Finally, we deﬁne |=HOL sofor a set of HOL formulas if and only if

M|=HOL sofor all Henkin models Mwith M|=HOL tofor all toœ.

Note that any standard model is obviously also a Henkin model. Hence, validity

of a HOL formula sofor all Henkin models, implies validity of sofor all standard

models.

4 Modeling DDL as a Fragment of HOL

This section, the core contribution of this article, presents a shallow semantical

embedding of DDL in HOL and proves its soundness and completeness. In contrast

to a deep logical embedding, where the syntax and semantics of logic Lwould

be formalized in full detail (using structural induction and recursion), only the core

diﬀerences in the semantics of both DDL and meta-logic HOL are explicitly encoded

here.

4.1 Semantical Embedding

DDL formulas are identiﬁed in our semantical embedding with certain HOL terms

(predicates) of type io. They can be applied to terms of type i, which are

assumed to denote possible worlds. That is, the HOL type iis now identiﬁed with

a (non-empty) set of worlds. Type iois abbreviated as ·in the remainder.

The HOL signature is assumed to contain the constant symbols avi·,pvi·and

ob··o. Moreover, for each propositional symbol piof DDL, the HOL signature

must contain the corresponding constant symbol pi

·. Without loss of generality, we

assume that besides those symbols and the primitive logical connectives of HOL, no

other constant symbols are given in the signature of HOL.

8

ADyadicDeonticLogicinHOL

The mapping Â·Êtranslates DDL formulas sinto HOL terms ÂsÊof type ·.The

mapping is recursively4deﬁned:

ÂpiÊ=pi

·

Â¬sÊ=¬·ÂsÊ

Âs‚tÊ=‚···ÂsÊÂtÊ

Â2sÊ=2··ÂsÊ

Â•(t/s)Ê=•···ÂsÊÂtÊ

Â2asÊ=2a

··ÂsÊ

Â2psÊ=2p

··ÂsÊ

Â•asÊ=•a

··ÂsÊ

Â•psÊ=•p

··ÂsÊ

¬··,‚···,2··,•···,2a

··,2p

··,•a

··and •p

··thereby abbreviate

the following HOL terms:

¬··=⁄A·⁄Xi¬(AX)

‚···=⁄A·⁄B·⁄Xi(AX ‚BX)

2··=⁄A·⁄Xi’Yi(AY)

•···=⁄A·⁄B·⁄Xi(ob A B)

2a

··=⁄A·⁄Xi’Yi(¬(av X Y )‚AY)

2p

··=⁄A·⁄Xi’Yi(¬(pv X Y )‚(AY))

•a

··=⁄A·⁄Xi((ob (av X)A)·÷Yi(av X Y ·¬(AY)))

•p

··=⁄A·⁄Xi((ob (pv X)A)·÷Yi(pv X Y ·¬(AY)))

Analyzing the truth of a translated formula ÂsÊin a world represented by term wi

corresponds to evaluating the application (ÂsÊwi). In line with previous work [10],

we deﬁne vld·o=⁄A·’Si(AS). With this deﬁnition, validity of a DDL formula s

in DDL corresponds to the validity of formula (vld ÂsÊ)in HOL, and vice versa.

4.2 Soundness and Completeness

To prove the soundness and completeness, that is, faithfulness, of the above embed-

ding, a mapping from DDL models into Henkin models is employed.

Deﬁnition 1 (Henkin model HMfor DDL model M).For any DDL model M=

ÈS, av, pv, ob, V Í, we deﬁne a corresponding Henkin model HM. Thus, let a DDL

model M=ÈS, av, pv, ob, V Íbe given. Moreover, assume that piœP,foriØ1,are

4A recursive deﬁnition is actually not needed in practice. By inspecting the equations below it

should become clear that only the abbreviations for the logical connectives of DDL are required in

combination with a type-lifting for the propositional constant symbols; cf. also Fig. 1.

9

Benzmüller, Farjami and Parent

the only propositional symbols of DDL. Remember that our embedding requires the

corresponding signature of HOL to provide constant symbols pj

·such that ÂpjÊ=pj

·

for j=1,...,m.

A Henkin model HM=È{D–}–œT,IÍfor Mis now deﬁned as follows: Diis cho-

sen as the set of possible worlds S; all other sets D–—are chosen as (not necessarily

full) sets of functions from D–to D—.ForallD–—the rule that every term t–—

must have a denotation in D–—must be obeyed (Denotatpﬂicht). In particular, it

is required that D·,Di·and D··ocontain the elements Ipj

·,Iavi·,Ipvi·and

Iob··o. The interpretation function Iof HMis deﬁned as follows:

1. For i=1,...,m,Ipi

·œD·is chosen such that Ipi

·(s)=TiﬀsœV(pj)in

M.

2. Iavi·œDi·is chosen such that Iavi·(s, u)=Tiﬀuœav(s)in M.

3. Ipvi·œDi·is chosen such that Ipvi·(s, u)=Tiﬀuœpv(s)in M.

4. Iob··oœD··ois such that Iob··o(¯

X, ¯

Y)=Tiﬀ¯

Yœob(¯

X)in M.

5. For the logical connectives ¬,‚,and =of HOL the interpretation function

Iis deﬁned as usual (see the previous section).

Since we assume that there are no other symbols (besides the pi,av,pv,ob and

¬,‚,,and=) in the signature of HOL, Iis a total function. Moreover, the

above construction guarantees that HMis a Henkin model: ÈD, IÍis a frame, and

the choice of Iin combination with the Denotatpﬂicht ensures that for arbitrary

assignments g,Î.ÎHM,g is an total evaluation function.

Lemma 1. Let HMbe a Henkin model for a DDL model M.InHMwe have for

all sœDiand all ¯

X, ¯

Y, ¯

ZœD·(cf. the conditions on DDL models as stated on

page 3):5

(av) Iavi·(s)”=ÿ.

(pv1) Iavi·(s)™Ipvi·(s).

(pv2) sœIpvi·(s).

(ob1) ÿ/œIob··o(¯

X).

(ob2) If ¯

Yﬂ¯

X=¯

Zﬂ¯

X, then (¯

YœIob··o(¯

X)iﬀ¯

ZœIob··o(¯

X)).

(ob3) Let ¯

—™Iob··o(¯

X)and ¯

—”=ÿ.

If (ﬂ¯

—)ﬂ¯

X”=ÿ, where ﬂ¯

—={sœS|for all ¯

Zœ¯

—we have sœ¯

Z},

then (ﬂ¯

—)œIob··o(¯

X).

5In the proof in [8] we implicitly employ curring and uncurring, and we associate sets with their

characteristic functions. This analogously applies to the remainder of this article.

10

ADyadicDeonticLogicinHOL

(ob4) If ¯

Y™¯

Xand ¯

YœIob··o(¯

X)and ¯

X™¯

Z,

then (¯

Z\¯

X)ﬁ¯

YœIob··o(¯

Z).

(ob5) If ¯

Y™¯

Xand ¯

ZœIob··o(¯

X)and ¯

Yﬂ¯

Z”=ÿ,

then ¯

ZœIob··o(¯

Y).

Proof. Each statement follows by construction of HMfor M.

Lemma 2. Let HM=È{D–}–œT,IÍbe a Henkin model for a DDL model M.We

have HM|=HOL for all œ{AV, P V 1,PV2,OB1,...,OB5}, where

AV is ’Wi÷Vi(avi·WiVi)

PV1 is ’Wi’Vi(avi·WiViæpvi·WiVi)

PV2 is ’Wi(pvi·WiWi)

OB1 is ’X·¬ob··oX·(⁄X·‹)

OB2 is ’X·Y·Z·((’Wi((Y·Wi·X·Wi)Ωæ (Z·Wi·X·Wi)))

æ(ob··oX·Y·Ωæ ob··oX·Z·))

OB3 is ’—··o’X·

(((’Z·(—··oZ·æob··oX·Z·)) ·÷Z·(—··oZ·))

æ((÷Yi(((⁄Wi’Z·(—··oZ·æZ·Wi)) Yi)·X·Yi))

æob··oX·(⁄Wi’Z·(—··oZ·æZ·Wi))))

OB4 is ’X·Y·Z·

((’Wi(Y·WiæX·Wi)·ob··oX·Y··’X·(X·WiæZ·Wi))

æob··oZ·(⁄Wi((Z·Wi·¬X·Wi)‚Y·Wi)))

OB5 is ’X·Y·Z·

((’Wi(Y·WiæX·Wi)·ob··oX·Z··÷Wi(Y·Wi·Z·Wi))

æob··oY·Z·)

Proof. By construction of HMfor Min combination with Lemma 1.

Lemma 3. Let HMbe a Henkin model for a DDL model M. For all DDL formulas

”, arbitrary variable assignments gand worlds sit holds:

M,s |=”if and only if ÎÂ”ÊSiÎHM,g[s/Si]=T

Proof. By induction on the structure of ”.

Lemma 4. For every Henkin model H=È{D–}–œT,IÍsuch that H|=HOL for all

œ{AV , PV 1, P V2 , O B1 ,. .. , OB5 }, there exists a corresponding DDL model M.

Corresponding means that for all DDL formulas ”and for all assignments gand

worlds s,ÎÂ”ÊSiÎH,g[s/Si]=Tif and only if M,s ✏”.

11

Benzmüller, Farjami and Parent

Proof. Suppose that H=È{D–}–œT,IÍis a Henkin model such that H|=HOL for

all œ{AV, PV1, PV2, OB1,..,OB5}. Without loss of generality, we can assume

that the domains of Hare denumerable [18]. We construct the corresponding DDL

model Mas follows:

1. S=Di,

2. sœav(u)for s, u œSiﬀIavi·(s, u)=T,

3. sœpv(u)for s, u œSiﬀIpvi·(s, u)=T,

4. ¯

Xœob(¯

Y)for ¯

X, ¯

YœDi≠æ DoiﬀIob··o(¯

X, ¯

Y)=T, and

5. sœV(pj)iﬀIpj

·(s)=T.

Since H|=HOL for all œ{AV, PV1, PV2, OB1, .., OB5}, it is straightfor-

ward (but tedious) to verify that av,pv and ob satisfy the conditions as required for

aDDLmodel.

Moreover, the above construction ensures that His a Henkin model HMfor

DDL model M. Hence, Lemma 3 applies. This ensures that for all DDL formulas

”, for all assignment gand all worlds swe have ÎÂ”ÊSiÎH,g[s/Si]=Tif and only if

M,s ✏”.

Theorem 1 (Soundness and Completeness of the Embedding).

|=DDL Ïif and only if {AV , PV 1, P V2 , O B1 ,. ., OB5 }|=HOL vld ÂÏÊ

Proof. (Soundness, Ω) The proof is by contraposition. Assume ”|=DDL Ï, that is,

there is a DDL model M=ÈS, av, pv, ob, V Í, and world sœS, such that M,s ”|=Ï.

Now let HMbe a Henkin model for DDL model M. By Lemma 3, for an arbitrary

assignment g, it holds that ÎÂÏÊSiÎHM,g[s/Si]=F. Thus, by deﬁnition of Î.Î,

it holds that Î’Si(ÂÏÊS)ÎHM,g =Îvld ÂÏÊÎHM,g =F. Hence, HM”|=HOL vld ÂÏÊ.

Furthermore, HM|=HOL for all œ{AV, PV1, PV2, OB1,. . . ,OB5}by Lemma 2.

Thus, {AV, PV1, PV2, OB1,..,OB5}”|=HOL vld ÂÏÊ.

(Completeness, æ) The proof is again by contraposition. Assume

{AV, PV1, PV2, OB1,..,OB5}”|=HOL vld ÂÏÊ, that is, there is a Henkin model H=

È{D–}–œT,IÍsuch that H|=HOL for all œ{AV, PV1, PV2, OB1,..,OB5},but

Îvld ÂÏÊÎH,g =Ffor some assignment g. By Lemma 4, there is a DDL model M

such that M2Ï. Hence, ”|=DDL Ï.

Each DDL reasoning problem thus represents a particular HOL problem. The

embedding presented in this section, which is based on simple abbreviations, tells

us how the two logics are connected.

12

ADyadicDeonticLogicinHOL

5 Implementation in Isabelle/HOL

The semantical embedding as devised in Sec. 4 has been implemented in the higher-

order proof assistant Isabelle/HOL [21]. Figure 1 displays the respective encoding.

Figure 2 applies this encoding to Chisholm’s paradox (cf. [14]), which involves the

following four statements:

1. It ought to be that Jones goes to assist his neighbors;

2. It ought to be that if Jones goes, then he tells them he is coming;

3. If Jones doesn’t go, then he ought not tell them he is coming;

4. Jones doesn’t go.

These statements can be given a consistent formalisation in DDL see Fig. 2. This

is conﬁrmed by the model ﬁnder Nitpick [11] integrated with Isabelle/HOL. Nitpick

computes an intuitive, small model for the scenario consisting of two possible worlds

i1and i2. Function ob is interpreted in this model as follows:

ob({i1,i

2})={{i1,i

2},{i1}}

ob({i1})={{i1,i

2},{i1}}

ob({i2})={{i1,i

2},{i2}}

ob(ÿ)=ÿ

The designated current world in the given model is i2, in which Jones doesn’t go to

assist his neighbors and doesn’t tell them that he is coming. In the other possible

world i1, Jones is going to assist them and he also tells them that he his coming.

That is, V(go)=V(tell)={i1}. Also, we have {i1}œob({i1,i

2}). So, i2|=•go by

the evaluation rule for •. Similarly, {i1}œob({i1})implies i2|=•(tell/go), and

{i2}œob({i2})implies i2|=•(¬tell/¬go).

For further experiments, focusing on the automation of meta-theoretic aspects

of DDL, we refer to [8, Fig. 2 and Fig. 3].

6 Conclusion

A shallow semantical embedding of Carmo and Jones’s logic of contrary-to-duty

conditionals in classical higher-order logic has been presented, and shown to be

faithful (sound an complete). This theory work has meanwhile been implemented in

the proof assistant Isabelle/HOL. This implementation constitutes the ﬁrst theorem

13

Benzmüller, Farjami and Parent

prover for the logic by Carmo and Jones that is available to date. The foundational

theory for this implementation has been laid in this article.

There is much room for future work. First, experiments could investigate whether

the provided implementation already supports non-trivial applications in practical

normative reasoning, or whether further emendations and improvements are re-

quired. Second, the introduced framework could also be used to systematically anal-

yse the properties of Carmo and Jones’s dyadic deontic logic within Isabelle/HOL.

Third, analogous to previous work in modal logic [10], the provided framework could

be extended to study and support ﬁrst-order and higher-order variants of the frame-

work.

Acknowledgements

We thank the anonymous reviewers for their valuable feedback and comments.

References

[1] P.B. Andrews. Resolution in type theory. Journal of Symbolic Logic, 36(3):414–432,

1971.

[2] P.B. Andrews. General models and extensionality. Journal of Symbolic Logic, 37(2):395–

397, 1972.

[3] P.B. Andrews. General models, descriptions, and choice in type theory. Journal of

Symbolic Logic, 37(2):385–394, 1972.

[4] P.B. Andrews. Church’s type theory. In E.N. Zalta, editor, The Stanford Encyclopedia

of Philosophy. Metaphysics Research Lab, Stanford University, spring 2014 edition,

2014.

[5] C. Benzmüller. Cut-elimination for quantiﬁed conditional logic. Journal of Philosophical

Logic, 46(3):333–353, 2017.

[6] C. Benzmüller. Recent successes with a meta-logical approach to universal logical

reasoning (extended abstract). In S.A. da Costa Cavalheiro and J.L. Fiadeiro, editors,

Formal Methods: Foundations and Applications - 20th Brazilian Symposium, SBMF

2017, Recife, Brazil, November 29 - December 1, 2017, Proceedings, volume 10623 of

Lecture Notes in Computer Science, pages 7–11. Springer, 2017.

[7] C. Benzmüller, C. Brown, and M. Kohlhase. Higher-order semantics and extensionality.

Journal of Symbolic Logic, 69(4):1027–1088, 2004.

[8] C. Benzmüller, A. Farjami, and X. Parent. Faithful semantical embedding of a dyadic

deontic logic in HOL. CoRR, https://arxiv.org/abs/1802.08454, 2018.

[9] C. Benzmüller and D. Miller. Automation of higher-order logic. In D.M. Gabbay,

J.H. Siekmann, and J. Woods, editors, Handbook of the History of Logic, Volume 9 —

Computational Logic, pages 215–254. North Holland, Elsevier, 2014.

14

ADyadicDeonticLogicinHOL

[10] C. Benzmüller and L.C. Paulson. Quantiﬁed multimodal logics in simple type theory.

Logica Universalis (Special Issue on Multimodal Logics), 7(1):7–20, 2013.

[11] J.C. Blanchette and T. Nipkow. Nitpick: A counterexample generator for higher-order

logic based on a relational model ﬁnder. In ITP 2010, number 6172 in Lecture Notes

in Computer Science, pages 131–146. Springer, 2010.

[12] J. Carmo and A.J.I. Jones. Deontic logic and contrary-to-duties. In D. M. Gabbay

and F. Guenthner, editors, Handbook of Philosophical Logic: Volume 8, pages 265–343.

Springer Netherlands, Dordrecht, 2002.

[13] J. Carmo and A.J.I. Jones. Completeness and decidability results for a logic of contrary-

to-duty conditionals. J. Log. Comput., 23(3):585–626, 2013.

[14] R.M. Chisholm. Contrary-to-duty imperatives and deontic logic. Analysis, 24:33–36,

1963.

[15] A. Church. A set of postulates for the foundation of logic. Annals of Mathematics,

33(3):346–366, 1932.

[16] A. Church. An unsolvable problem of elementary number theory. American Journal of

Mathematics, 58(2):354–363, 1936.

[17] A. Church. A formulation of the simple theory of types. Journal of Symbolic Logic,

5(2):56–68, 1940.

[18] L. Henkin. Completeness in the theory of types. Journal of Symbolic Logic, 15(2):81–91,

1950.

[19] P. McNamara. Deontic logic. In E.N. Zalta, editor, The Stanford Encyclopedia of

Philosophy. Metaphysics Research Lab, Stanford University, winter 2014 edition, 2014.

[20] R. Muskens. Intensional models for the theory of types. Journal of Symbolic Logic,

75(1):98–118, 2007.

[21] T. Nipkow, L.C. Paulson, and M. Wenzel. Isabelle/HOL — A Proof Assistant for

Higher-Order Logic, volume 2283 of Lecture Notes in Computer Science. Springer,

2002.

Received \jreceived

Benzmüller, Farjami and Parent

Figure 1: Shallow semantical embedding of DDL in Isabelle/HOL.

Received \jreceived

ADyadicDeonticLogicinHOL

Figure 2: The Chisholm paradox scenario encoded in DDL (the shallow semantical

embedding of DDL in Isabelle/HOL as displayed in Fig. 1 is imported here). Nitpick

conﬁrms consistency the encoded statements.

Received \jreceived