Abstract

Defining identity for entities is a long-standing logical problem in philosophy, and it has resurfaced in current investigations within the philosophy of technology. The problem has not yet been explored for the philosophy of information and of computer science in particular. This paper provides a logical analysis of identity and copy for computational artefacts. Identity is here understood as the relation holding between an instance of a computational artefact and itself. By contrast, the copy relation holds between two distinct computational artefacts. We distinguish among exact, inexact and approximate copies. We use process algebra to provide suitable formal definitions of these relations, using in particular the notion of bisimulation to define identity and exact copies, and simulation for inexact and approximate copies. Equivalence is unproblematic for identical computational artefacts at each individual time and for inexact copies; we will examine to which extent the formal constraints on identity criteria discussed in the literature are satisfied by our approach. As for inexact and approximate copy, they are intended as a weakening of the identity relation in that equivalence and other constraints on identity are violated. The proposed approach also suggests a computable treatment of identity and copy checking.

1 Introduction

Since Frege, the problem of identity of the informational content of two sentences has been a fundamental one in the philosophy of language and information. The more recent debate in the philosophy of technology has exploited this problem for the analysis of technical artefacts. The problem of identity for technical artefacts can be rephrased as the one concerning the informational content of sentences describing their functional properties.
Computational artefacts are informational systems defined at several levels of abstraction (LoA) for which the problem of identity has not been investigated within the philosophy of computer science [45]. Furthermore, the closely related notion of copy assumes a special significance in the context of computational artefacts, which are particularly subject to replication, inducing legal, ethical and technical issues. Available analyses of identity and copy for technical artefacts are largely conceptual and typically informal in nature. This paper contributes to the philosophical debate on identity and copy by providing a rather formal analysis of those concepts for computational artefacts. The examination of identity and copy for computational artefacts is here carried out at the specification level. This allows us to make use of process algebra to understand the formal relations holding between two specifications for distinct artefacts.

The paper is structured as follows. The problem of identity of natural objects in analytic ontology is introduced in Section 2 together with the identity criteria that entities of a given kind are required to satisfy in order to be considered objects. It is then shown how the problem has been reconsidered in the philosophy of technology in terms of the so-called problem of ontological respectability of artefacts. After introducing some formal preliminaries in the representation and specification of computational artefacts in Section 3, a taxonomy of the identity and copy relations that are of significance in the examination of computational artefacts is provided in Section 4. This paper in particular distinguishes among three different sub-categories of copy, namely exact copies, inexact copies and approximate copies. Section 5 introduces the formal relation of bisimulation on states to capture a suitable identity relation satisfying an identity criterion for computational artefacts.
It is shown how, besides being an equivalence relation, bisimulation on states satisfies all of the formal constraints on identity criteria for natural objects. The closely related notion of bisimulation between state transition systems is used, in Section 6, to capture the notion of exact copies, which is shown to satisfy all the constraints satisfied by the identity relation for computational artefacts. The relation of simulation is then used to formalize the notions of inexact copy and approximate copy. Inexact copy is shown here to be a weaker relation than identity in that it is not symmetric and it violates some additional constraints. In addition, the approximate copy relation is finally shown to be weaker than identity and inexact copy in that it violates transitivity while it preserves symmetry. We conclude in Section 7 by illustrating further developments and applications of the present formal framework.

2 Identity and copy: from analytic ontology to the philosophy of technology

The notion of identity in contemporary analytic ontology arises in connection with the problem of defining what an object is. Whereas [15], and the tradition following it [40, 50], argued that an object is anything that is associated with interpretations of terms and variables, others, such as [32, 41, 48], argue that an object is anything satisfying defined identity criteria. Such a metaphysical approach [31] to the definition of object is also involved in closely related metaphysical problems. For instance, counting objects falling under a given sortal concept (such as counting cats in a room) presupposes the identification of identity criteria for that sortal, so that each object is counted only once and counting the same object twice or more is avoided.
Identity is also involved in the interpretation of modal predicates using possible worlds semantics; for instance, ∃x(◊Px) is true if and only if there is an x and there is at least one accessible world with an individual identical to x having property P [27]. In addition, identity is also involved in mereology when dealing with the problem of whether the composition of the parts of a whole is identical or not with the whole [3, 28]. According to the ‘classical view’ on identity [36], identity is the reflexive, symmetric and transitive relation that each object has with itself and with nothing else, and such that it satisfies Leibniz’s Law, i.e. the principle of the indiscernibility of identicals. According to Leibniz’s Law, if x and y are two identical objects, then whatever is true of x is also true of y.

Much of the philosophical reflection on identity has turned around the problem of establishing identity criteria. The problem of identity criteria was initially put forward by [16] and can be split into (i) an epistemic question, (ii) an ontological question and (iii) a semantic question on identity [4]. According to this view, any kind K of objects determines an identity criterion for objects of kind K. Given a kind K and objects x and y of kind K:

(i) How can one know that x = y?
(ii) In what does the identity relation x = y between x and y consist?
(iii) When do x and y have the same interpretation?

Whereas the epistemic question (i) demands a procedure to decide identity questions, the ontological question (ii) refers to properties that objects of the same kind must share in order to be identical. Frege [16] defined the identity criterion for the identity relation x = y in terms of a relation $$R\left (x^{\prime },y^{\prime }\right )$$ holding between objects $$x^{\prime }$$ and $$y^{\prime }$$ different from, but functionally related to, x and y.
For instance, identity of directions was defined in terms of parallelism between lines in the following way: $$ \forall x\forall y ((Line(x) \land Line(y)) \rightarrow (Direction(x) = Direction(y) \leftrightarrow Parallel(x,y))). $$ The identity criterion for directions specified by Frege can be generalized with the following formula, wherein f is a functional expression [30]: \begin{align} \forall x\forall y (\,f(x) = f(\,y) \leftrightarrow R(x,y)). \end{align} (1) Identity criteria of the form of (1) have been called by [49] two-level criteria, in that the equivalence relation R(x, y) defines an identity relation between objects f(x) and f(y) distinct from x and y. By contrast, one-level identity criteria define an identity relation x = y between two objects x and y of kind K by means of an equivalence relation R(x, y) holding just between x and y, according to the following formula: \begin{align} \forall x\forall y ((x,y \in K) \rightarrow ((x=y) \leftrightarrow R(x,y))). \end{align} (2) As an example, consider the following identity criterion proposed by [10] for events: \begin{gather*} \forall x\forall y ((Event(x) \land Event(y)) \rightarrow\\(x = y \leftrightarrow \forall z (Event(z) \rightarrow\\ ((Cause(x,z) \leftrightarrow Cause(y,z)) \land (Cause(z,x) \leftrightarrow Cause(z,y))))). \end{gather*} Here if x and y are two objects of the kind events, they are identical if and only if they cause, and are caused by, any distinct event z. Some argue that two-level criteria are more appropriate to define identity of abstract objects, while one-level criteria are more suitable for concrete objects [36]. Some others argue that it is always possible to reduce a two-level criterion to a one-level criterion so that one can dispense with two-level criteria [31]. For both reasons, this paper will focus only on one-level identity criteria for computational artefacts. The equivalence relation R in (2) can be used to define both synchronic and diachronic identities. 
Synchronic identity of an object x is the identity of x with itself at a given time t. Diachronic identity is the identity of object x at time t with x at any time $$t^{\prime }> t$$. In this paper we will focus in particular on the former and only provide remarks for an analysis of the latter. Independently of whether synchronic or diachronic identity is considered, relation R is required, besides being an equivalence, to comply with different constraints [29, 48]. Following [5], this paper considers the following list of constraints:

Non-vacuousness. R must refer to properties that are relevant for defining identity between objects x and y of a given kind K, and such that they are not trivially satisfiable by x and y. For instance, being parallel is a relevant property to define sameness of directions of two lines, while being 5 cm long is not. Significant properties of this sort have been called by [29] determinables, and the objects satisfying them determinates.

Informativeness. As stated above, it is kind K that determines the identity criterion for objects of kind K. Nevertheless, it is required that relation R in the identity criterion be informative with respect to K, in the sense that R should not specify tautological properties.

Partial Exclusivity. Besides being non-vacuous, relation R for kind K should specify determinables such that the determinates satisfying them are only objects of kind K. In other words, R should not appear in the identity criterion for objects of a kind different from K, and each kind of objects should have its own distinct identity criterion.

Minimality. R should include the smallest set of determinables that is both necessary and sufficient to determine identity of any two objects of kind K. Minimality ensures that superfluous determinables are not considered.

Noncircularity. R must not make reference to the identity relation.

Non-totality. It is required that R ⊂ K × K, i.e. that not all object pairs in K satisfy the identity relation defined by R.

K-maximality. R should be the maximal equivalence relation defining identity of objects of some kind K. Given two K objects x and y, for any different relation $$R^{\prime }$$ defining identity for K objects, it should hold that $$R^{\prime }(x,y) \rightarrow R(x,y)$$ but $$ \neg (R(x,y) \rightarrow R^{\prime }(x,y))$$.

Uniqueness. In addition, R must be unique with respect to K, i.e. for any $$R^{\prime }$$, also $$ \neg (R^{\prime }(x,y) \rightarrow R(x,y))$$ holds. In other words, R is unique with respect to K when there are neither wider nor narrower relations than R for K objects.

Equivalence. R is required to be reflexive, symmetric and transitive.

Congruence. If R(x, y), then Leibniz’s Law holds: all properties satisfied by x are all and only the properties satisfied by y.

The problem of defining identity of technical artefacts is almost as old as the problem of identity for natural kinds. It traces back to the second book of Aristotle’s Physica and the distinction between things that ‘exist by nature’ and ‘artificial products’. Aristotle argued that natural objects can be distinguished from technical artefacts in that the latter lack form. Whereas natural objects, such as water, earth and animals, change according to principles that are inner to them, artefacts change according to principles inner to the artefacts’ material or to human intervention. Paradigmatic is the case, known since antiquity, of the ship of Theseus, i.e. the ship that Theseus used to reach Crete and defeat the Minotaur. Athenians wanted to retain the ship and preserved it by gradually replacing worn planks by new planks. The question is whether the ship retained by the Athenians was the same ship of Theseus. The problem of the distinction between natural objects and technical artefacts is put forward, by contemporary philosophy of technology, in terms of the so-called problem of ontological respectability of artefacts [48]: artefacts are ontologically respectable, i.e.
they are on a par with natural objects, if and only if they are able to satisfy identity criteria. Wiggins [48] defines an artefact kind K as composed of all those artefacts satisfying a given set of functional requirements. In addition, two artefacts x and y of kind K are said to be identical if and only if they satisfy the same subset of functional requirements. However, it is known that artefacts correctly instantiating their functional requirements may start, at a certain point, to malfunction, i.e. they may start, under usage, violating one or more requirements. Consequently, transitivity of relation R in (2) may not hold. Artefact x at time t may still be said to be identical to artefact $$x^{\prime }$$ at time $$t^{\prime }$$ even though $$x^{\prime }$$ starts malfunctioning. The same can be said for artefacts $$x^{\prime }$$ and $$x^{\prime \prime }$$ at time $$t^{\prime \prime }$$. However, there may be a time $$t^{\ast }$$ at which artefact $$x^{\ast }$$ is not identical to x insofar as too many requirements are being violated by $$x^{\ast }$$. Identity criteria for technical artefacts thus violate the equivalence constraint. For the same reason they violate the congruence constraint, in that it may be the case that not all that is true of artefact x is still true of artefact $$x^{\ast }$$. Wiggins’s critique highlights a potential limitation to any approach using functions to determine identity criteria. This includes, in principle, an understanding of computational artefacts in terms of their functional requirements. Below, starting in Section 3, we provide a description of computational artefacts based on their layered ontology, which includes the designer’s intention, its translation to a functional specification and their implementation: this exposes our analysis to a critique similar to Wiggins’. 
To dispel any doubt on this matter, let us briefly consider two main approaches to functional analysis in engineering:

Functional Representation: This approach defines a function in a device-centric sense; it starts from a description of the intended function independently of how the function is accomplished, followed by a description of the structure of the device in terms of its components’ composition, finally matching the device to the function by offering a process description, see [7];

Functional Basis: This approach aims at constructing a functional design of an artefact; it starts from a generic input/output relationship, followed by its decomposition in terms of sub-functions, inductively generating a function flow and then the artefact’s process in terms of a model and a structure, finally combined in a design language, see [43].

The approach followed below for computational artefacts resembles the Functional Representation approach. We provide a functional description not just as a characterization of a function, but rather as a description of the artefact involved in the execution of such a function. As computational artefacts present multiple realizability of their functional description (several languages and architectures can implement the same functional requirements), this cannot be done in terms of the device’s component composition. Instead, we do so by formulating functions in terms of behaviours, clarifying in Section 3 in which sense such behaviours are intended.
For the purposes of this section, it is just essential to note the following: on the one hand, the notion of behaviour used here allows us to sidestep Wiggins’s critique, in that behaviours provide a low-level treatment of malfunctions, hence not falling into the same problem that functions have; on the other hand, while computational artefacts can in principle be understood as I/O black boxes, the use of behaviours to characterize functional representations of such artefacts allows us to avoid a functional basis interpretation.

In contrast to natural objects, the notion of copy is proper to technical—and hence specifically to computational—artefacts, but also to artworks [18]. Except for some analyses [6, 21, 46], there is no well-established and accepted analysis of the notion of copy in the philosophy of technology. Tzouvaras [46] understands copy as an equivalence relation holding between two artefacts x and y such that x and y are functionally interchangeable, i.e. such that each can replace the other in a given system by playing the same functional role. Carrara and Soavi [6] criticize Tzouvaras’ definition in that it does not take into account the intentional aspect of copying. Copying means reproducing an artefact taken as a model: if y is a copy of x, the latter is the model of the former and it cannot be said that, at the same time, x is a copy of y. It follows that the copy relation is neither reflexive nor symmetric, and hence it is not an equivalence relation. Transitivity does not apply either, at least in those cases in which copying means reproducing an artefact taken as a model: if x is the model for the copy y and y is also taken as a model for copy z, it does not hold that x is the model of z. Also consider that, if x is used as a model to produce y, y is supposed to present structural similarities or resemblances with x.
If $$x^{\prime }$$ resembles x, and $$x^{\prime \prime }$$ resembles $$x^{\prime }$$, there will be a point at which some $$x^{\ast }$$ cannot be said to resemble x. There are cases, though, in which copying consists of creating a ‘perfect copy’, such as when duplicating digital artefacts, in which copying is transitive. Perfect copies allowed by the producer of the original artefacts are called by [6] ‘replicas’, this being the case, for instance, of the copies of a piece of software released by a software company.

This paper contributes to filling the gap in the analysis of the notion of copy for computational artefacts by defining it as a weaker relation than identity. To do so, we first define identity for computational artefacts, i.e. a candidate for relation R in (2), and show that it is an equivalence relation complying with all the constraints for identity criteria. Secondly, we consider candidates for the copy relation $$R^{\prime }$$ in (3) below, defining when x ⇜ y, i.e. when a computational artefact y is a copy of a distinct artefact x: \begin{align} \forall x\forall y ((x,y \in K) \rightarrow ((x ⇜ y) \leftrightarrow R^{\prime}(x,y))). \end{align} (3) The proposed candidates for relation $$R^{\prime }$$ in (3) are shown, besides violating equivalence, not to comply with all constraints for identity. Preliminarily, let us introduce some formal notions concerning the representation and the specification of computational artefacts.

3 Formal preliminaries for computational artefacts and their specifications

Technical artefacts are artefacts, i.e. human-made systems, built with the specific purpose of fulfilling some functions, in contrast with other kinds of artefacts, such as artworks, which are not supposed to implement functions.
It follows that technical artefacts can be defined on the basis of both functional properties, dealing with the functions to be fulfilled, and structural properties, concerning the physical properties of the artefacts that allow them to accomplish the intended functions [23, 33]. Functions usually reflect intentions of both designers and users [24] and they can be multiply realized by different artefacts1. What is often called the dual nature of technical artefacts [25] is also reflected in their design process: stakeholders’ requirements are usually translated into a set of functional requirements on the basis of which a set of design specifications is advanced, flowing into a final blueprint of the artefacts [14]. Computational artefacts can be described in terms of functional and structural properties, and their design process associated with that of technical artefacts. However, the nature of computational artefacts cannot be fully understood by the dual ontology approach of [25]. This is due to the role programmes play in the design process [12]. Functional requirements are translated into programme specifications which are in turn implemented by high-level language programmes. For this reason, programmes themselves can be understood as technical artefacts providing design specifications for the lower structural levels [44]. Also, programmes can instantiate specifications in several ways, thereby adding a further level of multiple realizability in the design process. Accordingly, computational artefacts are characterized by a more layered ontology requiring a description at several levels of abstraction (LoA) [11, 17]. Primiero [38] summarizes the informational description of computational systems provided by the philosophy of computer science, distinguishing among:

Intention
Specification
Algorithm
High-level programming language instructions
Assembly/machine code operations
Execution.
Our approach makes use of this layered analysis to investigate the issue of identity and copies by providing a formal analysis at the level of Specifications. This will also cascade through the lower levels. Identity and Copy are formalized as relations between two entities x, y belonging to some kind K, according to (2) and (3) above. Following [48] in the functional definition of artefact kinds, K is here taken to be a class of programmes implementing a well-defined set of algorithms (computable functions) and the entities x, y of interest are computational artefacts implementing those functions. For brevity, we will refer to a computational artefact as P, to its specification as S(P), to its implementation in a programming language as L(P) and to its physical realization as I(P). As mentioned above, the analysis of the notions of identity and copy for computational artefacts is here addressed at the level of S(P). As such, kind $$K=\left \{P, P^{\prime }, P^{\prime \prime } \ldots \right \}$$ is given as the class of programmes each correctly implementing a defined set of specifications in the class $$\left \{S(P), S(P^{\prime }), S(P^{\prime \prime }) \dots \right \}$$ and such that all specifications defining K are the realization of some common Intention. For instance, K may be identified with the class of text editors; all specifications defining K are specifications of text editors, and members of K are editors each satisfying the proper specifications. It makes sense to ask whether a text editor y ∈ K is a copy of editor x ∈ K. In order to do so, we first define the identity relation for the members of K.
We consider formal specifications S(P) as state transition systems defined as follows:

Definition 3.1 (Finite State Transition System) A finite transition system $$ TS=(S, A, T, I, F, AP, L) $$ is a set-theoretic structure where $$S=(s_{0}, \ldots , s_{n})$$ is a finite set of states; A is a finite set of transition labels; T ⊆ S × A × S is a transition relation; I ⊆ S is a set of initial states; F ⊆ S is a set of final states; AP is a finite set of state labels; $$L: S \rightarrow 2^{AP}$$ is the function labelling states.

Figure 1. A Transition System for the factorial function.

Let us start with an easy example showing why it is convenient to focus on S(P) when reasoning about identity and copy of computational artefacts. Consider a programme P to compute the factorial of any integer n.2 At the S(P) level, such a programme can be presented as a transition system, see Figure 1. This formal specification S(P), presented by a TS, can then be offered at the L(P) level in several formats: e.g. as a Pascal implementation (Figure 2), or as a programme written in C (Figure 3). The programme from Figure 3 can in some sense be considered a copy of the programme from Figure 2, even though its high-level programming language instructions are different, while its specification is the same.

Figure 2. A programme to compute the factorial in PASCAL.

Figure 3. A programme to compute the factorial in C.
Actual executions of the two programmes above correspond to paths in the TS presented in Figure 1, which list the states the computation goes through, according to the following definition of path3:

Definition 3.2 (Path) Given a finite transition system TS, a finite path fragment is a finite sequence of states $$\pi =(s_{0}, \ldots , s_{n})$$, such that each $$s_{i}$$ is the successor of $$s_{i-1}$$. An infinite path fragment is an infinite sequence of states $$\pi =(s_{0}, s_{1}, \ldots )$$ such that each $$s_{i}$$ is the successor of $$s_{i-1}$$. A path is a path fragment which starts in an initial state $$s_{i}\in I$$ and either terminates in a final state $$s_{j}\in F$$ or is infinite.

A path in the TS from Figure 1 is therefore an execution of the programme with given values (see Figure 4; here multiple labels on the edges indicate corresponding executions of the related sub-path for computing the factorial of 2). A notion equivalent to that of path is given by looking at the labels of the states belonging to it, corresponding to the following notion of trace4:

Definition 3.3 (Trace) Given a finite transition system TS, the trace of a finite path fragment $$\pi =(s_{0}, \ldots , s_{n})$$ is the sequence of its labels $$trace(\pi )=(L(s_{0}), \ldots , L(s_{n}))$$. The trace of an infinite path fragment $$\pi =(s_{0}, s_{1}, \ldots )$$ is the sequence of its labels $$trace(\pi )=(L(s_{0}), L(s_{1}), \ldots )$$.

Figure 4. A path in the TS from Figure 1 for n = 2.

State transition systems specify all the allowed behaviours of the programme implementing the corresponding specification. Individual behaviours are usually formalized by means of temporal logic formulas. Temporal logics [26] are formalisms capable of stating how systems evolve over time.
Originally they were developed in modal logic in order to express how propositions may change their truth values over time; they extend propositional logic with temporal operators and path quantifiers that allow reference to the ordering of events, so as to render them suitable for formalizing specifications of concurrent systems, wherein different processes take place at the same time. When an individual behaviour is executable by a computational system, the transition system corresponding to the latter will satisfy a temporal logic formula expressing that behaviour. CTL (Computation Tree Logic) is the temporal logic which allows for branching time models, i.e. where at each stage different paths are non-deterministically possible, and it is a typical model to analyse properties of software artefacts.

Definition 3.4 (Satisfaction of CTL formulas) Given a TS and an atomic formula p, the satisfaction relation in TS of CTL formulas is defined as follows:

\begin{array}{lll}
TS,s_{i} \models p & \textrm{iff} & p \in L(s_{i}); \\
TS,s_{i} \models \neg p & \textrm{iff} & TS,s_{i} \nvDash p; \\
TS,s_{i} \models p \wedge q & \textrm{iff} & TS,s_{i} \models p \ \textrm{and} \ TS,s_{i} \models q; \\
TS,s_{i} \models X p & \textrm{iff} & \textrm{there exists } s_{j} \in S\ \text{s.t.}\ s_{i} T s_{j}\ \textrm{and} \ TS,s_{j} \models p; \\
TS,s_{i} \models F p & \textrm{iff} & \textrm{for all paths}\ \pi=\left(s_{i},s_{j},\dots\right)\ \textrm{it holds that} \\
 & & \textrm{there exists}\ s_{k} \in \pi, TS,s_{k} \models p;\\
TS,s_{i} \models G p & \textrm{iff} & \textrm{there exists a path}\ \pi = \left(s_{i},s_{j},\dots\right)\ \textrm{such that} \\
 & & \textrm{for all}\ s_{k} \in \pi, TS,s_{k} \models p;\\
TS, s_{i} \models [\,p U q] & \textrm{iff} & \textrm{there exists a path}\ \pi =\left(s_{i},s_{j},\dots\right)\ \text{and an index}\ k\ \text{such that} \\
 & & TS,s_{k} \models q \ \textrm{and}\ TS,s_{j} \models p\ \textrm{for all}\ j \leq k;\\
TS,s_{i} \models \forall p & \textrm{iff} & \textrm{for all paths}\ \pi =\left(s_{i},s_{j},\dots\right), TS,\pi \models p;\\
TS,s_{i} \models \exists p & \textrm{iff} & \textrm{there exists a path}\ \pi =\left(s_{i},s_{j},\dots\right)\ \textrm{such that}\ TS,\pi \models p;\\
TS,\pi \models X p & \textrm{iff} & TS,\pi_{1} \models p;\\
TS,\pi \models F p & \textrm{iff} & \textrm{there exists}\ k \geq 0\ \textrm{such that}\ TS,\pi_{k} \models p;\\
TS,\pi \models G p & \textrm{iff} & \textrm{for all}\ k \geq 0, TS,\pi_{k} \models p;\\
TS, \pi \models [\,p U q] & \textrm{iff} & \textrm{there exists}\ k \geq 0\ \textrm{such that}\ TS,\pi_{k} \models q\\
 & & \textrm{and}\ TS,\pi_{j} \models p\ \textrm{for all}\ j \leq k.
\end{array}

The above clauses formulate the satisfaction relation distinguishing between state formulas and path formulas. For the state formulas, a formula p is satisfied at a given state $$s_{i} \in TS$$ when p is among the labels of $$s_{i}$$; its contradictory holds if and only if the satisfaction does not hold; the conjunction of two formulas p, q is satisfied iff each can be individually satisfied; Xp (next) holds at a given state when p holds at some following state; Fp (finally) holds at a given state when p will eventually hold at some successive state; Gp (globally) holds at a given state when p holds at all successive states along some path; pUq (until) holds at a given state when q holds at a given state and p holds in all in-between states; ∀p holds at a given state s if every path starting from it satisfies p; ∃p holds at a given state s if there is a path starting from it that satisfies p.
For the path formulas, Xp holds in a given path when the immediate suffix of the path satisfies p; Fp holds in a given path when there exists a (not necessarily immediate) suffix of the path in which p holds; Gp holds in a given path when p holds in all suffixes of the path; pUq holds in a given path when there exists a suffix of the path in which q holds and p holds in all in-between suffixes.

Process algebras therefore allow a system’s functional structure to be expressed in terms of paths and their traces. A temporal logic formula satisfiable within a given transition system reflects a valid behaviour for the computational artefact interpreted by that system. In the following, starting from Section 4, identity and copy relations are expressed in terms of relations quantified over such behaviours. An important task is to relate this formal notion of behaviour to the one in use in engineering design. To illustrate such a comparison, let us refer to the different meanings of ‘behaviour’ offered in [8, p. 169]:

Beh-i: The value(s), or relations between values, of state variables of interest at a particular instant;
Beh-ii: The value(s), or relations between values, of properties of an object;
Beh-iii: The value(s) of state variables of interest over an interval of time;
Beh-iv: The value(s) of state variable(s) specifically labelled ‘output’ state variables, either at an instant or over an interval of time;
Beh-v: The values of all the state variables in the object description, either at an instant or over an interval of time;
Beh-vi: The causal rules that describe the values of the variables under various conditions.

When considering the path of a system in terms of a finite fragment of its states and a trace as the corresponding sequence of labels, we are considering both meaning (i) and (ii) above, as we look at values of state variables and relations between them.
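To make Definitions 3.1 to 3.4 concrete, the following Python example (added here; it is not code from the paper or its authors) builds a small specification-level transition system for a factorial programme, enumerates its finite paths and traces, and decides CTL formulas on states by the standard fixpoint algorithm. The states, action labels and atomic propositions are constructed assumptions standing in for Figure 1, which is not reproduced in the text. Two points go slightly beyond the clauses on the page: the path quantifier is always written explicitly (the paper's state clauses for F, G and U correspond to 'AF', 'EG' and 'EU' here), and a state with no successors is taken to end every path through it, so that executions terminating in a final state are handled rather than assuming a total transition relation.

```python
from dataclasses import dataclass


@dataclass
class TS:
    """Finite transition system TS = (S, A, T, I, F, AP, L) of Definition 3.1.
    T holds triples (s, a, s'); L maps a state to its set of atomic propositions
    (AP is the union of those sets)."""
    S: frozenset
    A: frozenset
    T: frozenset
    I: frozenset
    F: frozenset
    L: dict

    def succ(self, s):
        return {t for (u, _a, t) in self.T if u == s}

    def paths(self, bound):
        """Finite paths (Definition 3.2): start in I, end in F, at most `bound` states.
        The loop makes the full set of paths infinite, so the search is bounded."""
        out, stack = set(), [(s,) for s in self.I]
        while stack:
            pi = stack.pop()
            if pi[-1] in self.F:
                out.add(pi)
            if len(pi) < bound:
                stack.extend(pi + (t,) for t in self.succ(pi[-1]))
        return out

    def trace(self, pi):
        """Trace of a path fragment (Definition 3.3): its sequence of state labels."""
        return tuple(self.L[s] for s in pi)


def factorial_ts():
    """Constructed specification-level TS of a factorial programme (an assumption
    standing in for Figure 1). Whether the loop body runs again is non-deterministic
    at this level, because the input n is not fixed by the specification."""
    L = {"s0": frozenset({"init"}), "s1": frozenset({"check"}),
         "s2": frozenset({"mul"}), "s3": frozenset({"done"})}
    T = {("s0", "read n", "s1"), ("s1", "n>0", "s2"),
         ("s2", "acc:=acc*n; n:=n-1", "s1"), ("s1", "n=0", "s3")}
    return TS(frozenset(L), frozenset(a for (_, a, _) in T), frozenset(T),
              frozenset({"s0"}), frozenset({"s3"}), L)


def lfp(step):
    """Least fixpoint of a monotone step function on sets of states."""
    Z = set()
    while (nxt := step(Z)) != Z:
        Z = nxt
    return Z


def gfp(top, step):
    """Greatest fixpoint, starting from the full state set."""
    Z = set(top)
    while (nxt := step(Z)) != Z:
        Z = nxt
    return Z


def sat(ts, phi):
    """Set of states satisfying the CTL formula phi (Definition 3.4). Formulas are
    nested tuples: ('ap', p), ('not', f), ('and', f, g), or (Q + op, f[, g]) with
    the path quantifier Q in {'A', 'E'} and op in {'X', 'F', 'G', 'U'}.
    A state with no successors ends every path through it."""
    kind = phi[0]
    if kind == "ap":
        return {s for s in ts.S if phi[1] in ts.L[s]}
    if kind == "not":
        return set(ts.S) - sat(ts, phi[1])
    if kind == "and":
        return sat(ts, phi[1]) & sat(ts, phi[2])
    quant, op = kind[0], kind[1]
    alive = {s for s in ts.S if ts.succ(s)}                 # states with a successor
    ex = lambda Z: {s for s in ts.S if ts.succ(s) & Z}      # some successor in Z
    ax = lambda Z: {s for s in ts.S if ts.succ(s) <= Z}     # every successor in Z
    f = sat(ts, phi[1])
    if op == "X":
        return ex(f) if quant == "E" else ax(f)
    if op == "F":                                           # F f = [true U f]
        return lfp(lambda Z: f | ex(Z)) if quant == "E" else lfp(lambda Z: f | (alive & ax(Z)))
    if op == "G":                                           # a terminal f-state keeps G f alive
        return (gfp(ts.S, lambda Z: f & (ex(Z) | (ts.S - alive))) if quant == "E"
                else gfp(ts.S, lambda Z: f & ax(Z)))
    if op == "U":
        g = sat(ts, phi[2])
        return (lfp(lambda Z: g | (f & ex(Z))) if quant == "E"
                else lfp(lambda Z: g | (f & alive & ax(Z))))
    raise ValueError(f"unknown formula {phi!r}")


def holds(ts, phi):
    """A behaviour phi is prescribed by S(P) when every initial state satisfies it."""
    return ts.I <= sat(ts, phi)
```

On this system `holds(ts, ('EF', ('ap', 'done')))` is true while `holds(ts, ('AF', ('ap', 'done')))` is false: at the specification level the non-deterministic loop admits an execution that never reaches the final state, which is exactly the kind of behaviour a later implementation L(P) may or may not exhibit.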
When we further express these by a temporal logic formula, we add the time-interval parameter required by meaning (iii) above. If the formula of interest refers to a trace including a final state, we are referring to meaning (iv) above. If we are considering all paths of a given transition system, i.e. the set of all possible behaviours, then we are looking at meaning (v) above. The last meaning of behaviour, interpreted in terms of causal rules, can be covered in terms of the implicative relations between states of a given system. In other words, it appears that a definition of behaviour regulated by temporal logics and process algebra is general enough to cover all the intended standard meanings in engineering design. Note, moreover, that such meanings do not differ between identity and the various versions of the copy relation: the difference is determined by the transition systems and the set-theoretical relations between their traces.

4 Defining identity and copy relations

We are now able to associate the specification of a computational artefact S(P) with the corresponding formal representation provided by a TS; different language implementations $$L(P),L(P)^{\prime }, L(P)^{\prime \prime }, \ldots $$ may correspond to a single S(P); the physical realization I(P) corresponds to the set of possible paths (or traces) valid for that TS in some given language; and any behaviour prescribed by S(P) can be expressed by a temporal formula p satisfied by that TS. The relations of identity and copy investigated in the remainder of this paper can now be illustrated in terms of the possible combinations of set-theoretic relations between the three terms S(P), L(P), I(P), as presented in Figure 5.

Figure 5. Taxonomy of relations.
The first one is the case of Identity: it expresses the relation of a computational artefact P with itself at any given time t; in this case there will be only one specification S(P), one language implementation L(P) and one instance of reference I(P). We do not consider here the case of diachronic identity and the corresponding ontological problem of whether a computational artefact is identical to itself at different times. A reason for doing so is that a solid analysis of identity and copy for computational artefacts needs to avoid, in the first instance, the problems associated with their unreliability and with continuous changes in the execution environment. Therefore, we assume here a principle of computational correctness, according to which any implementation I(P) will always correctly respect the behaviour prescribed by the corresponding S(P). Nonetheless, we suggest briefly that the behavioural relation of a computational artefact with itself at different points in time, if altered by restriction of functionalities or by addition of (unintended) behaviours, may be considered in a similar vein to what is done below for the different relations of copy5.

The second case is what we call Exact Copies: it refers to two instances I(P) and $$I(P)^{\prime }$$ of a computational artefact P with one single specification S(P), installed on two different machines M, N. We then say that $$I(P)^{\prime }$$ is an exact copy of I(P) when $$I(P)^{\prime }$$ manifests all and only the behaviours of I(P).6 In this case we can in fact distinguish two sub-cases: the two instances $$I(P),I(P)^{\prime }$$ share the same implementation $$L(P) = L(P)^{\prime }$$ in a high-level programming language; or the two instances $$I(P),I(P)^{\prime }$$ have different implementations $$L(P) \neq L(P)^{\prime }$$ in high-level programming languages.
The third case is what we call Inexact Copies: it refers to two distinct computational artefacts P and $$P^{\prime }$$, with different specifications S(P) and $$S(P^{\prime })$$. We then say that $$P^{\prime }$$ is an inexact copy of P when $$P^{\prime }$$ manifests all the behaviours of P, i.e. such that $$S(P) \subset S(P^{\prime })$$. This relation is known, in the formal methods literature, as system refinement. Refinement mappings have been used since [1] to prove that a lower-level specification correctly implements a higher-level one in terms of (possibly infinite) state machines specifying safety and liveness requirements7. A system $$S^{\prime }$$ refines a system S if and only if the behaviours of S are a subset of the behaviours of $$S^{\prime }$$. Refinement can be understood as the process of developing a new system $$S^{\prime }$$ out of an old one S by preserving all the behaviours of S and possibly adding new ones. Refinement can be modelled in terms of simulation as first introduced by [35]: informally, a simulation holds between two systems $$S^{\prime }$$ and S if we can relate each state of S to a state of $$S^{\prime }$$ so that two related states $$s,s^{\prime }$$ agree on their observations and every successor of s is related to some successor of $$s^{\prime }$$; accordingly, the relation $$S^{\prime } \leftarrow S$$, stating that S refines $$S^{\prime }$$, formally corresponds to the statement that S is simulated by $$S^{\prime }$$, or else that $$S^{\prime }$$ simulates S [20]. In the present work, we use simulation to model the slightly more specific case represented by the notion of inexact copy. In analogy with the case of exact copies, we can distinguish two sub-cases, on the basis of whether $$L(P)=L(P^{\prime })$$ or $$L(P)\neq L(P^{\prime })$$.
The fourth case is what we call Approximate Copies: it refers to two distinct computational artefacts P and $$P^{\prime }$$, with different specifications $$S(P),S(P^{\prime })$$. We then say that $$P^{\prime }$$ is an approximate copy of P when $$P^{\prime }$$ manifests some of the behaviours of P, i.e. such that $$S(P) \cap S(P^{\prime })$$ is non-empty. Analogously to the case of exact and inexact copies, also for approximate copies we distinguish between approximate copies sharing the same high-level programming language implementation $$L(P)=L(P^{\prime })$$ and approximate copies having different implementations $$L(P)\neq L(P^{\prime })$$.

In the next section we use process algebra to provide suitable formal definitions of the four relations defined above. Consequently, copy relations will be examined only with respect to the logical properties they satisfy, without taking into consideration the non-formal properties that nonetheless define them, including their intentional character. Indeed, it follows from the definition of exact copy above that it is an equivalence relation, in that it clearly is reflexive, symmetric and transitive. In addition, as will be shown in detail in Sections 6.5 and 6.7, inexact copy is a reflexive, asymmetric and transitive relation, whereas approximate copy is reflexive and symmetric but intransitive. However, according to [6], with the exception of replicas, copy is an irreflexive, asymmetric and non-transitive relation. As highlighted in Section 2, the reason for the non-equivalence of copy lies in the intentional aspect of that relation. Whether exact copies are replicas or not depends precisely on the intentional character of copies, i.e. on whether copying is allowed by the producer.
In case it is not, it can be said that exact copies, qua logical relation, are reflexive, symmetric and transitive, but they are irreflexive, asymmetric and non-transitive if the intentional aspect of creating illegal copies of an artefact is considered. The same holds for inexact and approximate copies: the former is reflexive, asymmetric and transitive, the latter reflexive, symmetric and intransitive, only qua logical relations. Whereas an analysis based on logical properties seems indispensable when a taxonomy of the copy relations for computational artefacts is to be provided, the intentional aspect of copy cannot be ignored when ethical and legal aspects of copying are considered. In particular, given two artefacts x and y for which $$R^{\prime }(x,y)$$, identifying which of x and y is the model and which the copy is necessary when determining copyright infringement.

5 Logical definition of identity for computational artefacts

Process Algebra Theory [13], a formal theory for concurrent processes interpreted over process graphs (like a TS), is apt to formalize the notion of equivalence between structures. From a general point of view, two structures are said to be equivalent if and only if they can execute the same strings of transitions. In order to compare or relate two TSs, certain binary relations between states, called implementation relations, are introduced. There are several kinds of implementation relations: some, called strong relations, impose very strict constraints; others, called weak relations, impose more relaxed constraints. Two typical implementation relations are bisimulation equivalence and the simulation preorder, both of which are strong relations. The strongest equivalence relation is bisimulation; this notion requires not only that two structures be able to execute the same transitions, but also that they have the same branching structure and thus can simulate each other.
Intuitively, bisimulation between two structures requires that every step of one structure be matched by one step of the other structure and vice versa. Bisimulation equivalence is a mutual, stepwise simulation.

Definition 5.1 (Bisimulation) Given two labelled transition systems TS and $$TS^{\prime }$$ on a finite set of states S, a bisimulation between them, denoted $$TS \equiv TS^{\prime }$$, occurs when for each initial state $$s_{0}$$ in TS there is an initial state $$s^{\prime }_{0}$$ in $$TS^{\prime }$$ that establishes a bisimulation relation $$\equiv \left (s_{0},s^{\prime }_{0}\right )$$, and vice versa; $$\equiv \left (s_{0},s^{\prime }_{0}\right )$$ holds if and only if $$s_{0}$$ and $$s^{\prime }_{0}$$ have the same label and there is a successor state $$s^{\prime }_{1}$$ of $$s^{\prime }_{0}$$ in $$TS^{\prime }$$ for each successor state $$s_{1}$$ of $$s_{0}$$ in TS such that $$\equiv \left (s_{1},s^{\prime }_{1}\right )$$, and vice versa.

In other words, a bisimulation between two states occurs when they have the same label and there is a successor state in the second structure for each successor state in the first structure, and vice versa, such that a bisimulation relation between the successors holds. A bisimulation between two structures occurs when for each initial state of one structure there is an initial state of the second structure that establishes a bisimulation relation. Bisimulation is an equivalence relation, i.e. it is reflexive, symmetric and transitive. Bisimulation implies a number of properties of the related transition systems. For our purposes, it is essential to recall how the relation of bisimulation is defined over paths and over temporal formulas: the former allows one to compare identical behaviours, the latter identical properties.
Let us start by defining identical paths8:

Lemma 5.2 (Bisimulation on Paths) Given two bisimulation equivalent transition systems TS and $$TS^{\prime }$$, if $$\equiv \left (s_{i},s^{\prime }_{i}\right )$$, then for each (finite or infinite) path $$\pi =\left (s_{i}, s_{j}, \ldots \right )$$ of TS there exists a path $$\pi ^{\prime }=\big (s^{\prime }_{i}, s^{\prime }_{j}, \ldots \big )$$ of the same length in $$TS^{\prime }$$ with $$\equiv \big (s_{k},s^{\prime }_{k}\big )$$ for all k, and vice versa.

Recall that paths correspond to the transitions through labels indicated by traces, hence the following result holds9:

Theorem 5.3 (Bisimulation implies trace equivalence) Two transition systems TS and $$TS^{\prime }$$, defined over the same set of atomic propositions AP, are said to be trace equivalent if $$traces_{AP}(TS) = traces_{AP}(TS^{\prime })$$, where $$traces(TS)=\bigcup _{s\in I}traces(s)$$ denotes the set of traces starting at initial states of TS. It holds that $$TS \equiv TS^{\prime }$$ implies $$traces_{AP}(TS) = traces_{AP}(TS^{\prime })$$.

Bisimulation corresponds to equivalence of properties, as expressed by valid temporal formulas satisfied by the corresponding structures. To introduce this known result, recall that $$\textbf{CTL}^{\ast }$$ is the superset of CTL in which formulas containing temporal operators need not be directly preceded by a quantifier.

Theorem 5.4 (Bisimulation and $$\textbf{CTL}^{\ast }$$ equivalence) $$TS \equiv TS^{\prime }$$ iff $$TS \equiv _{CTL^{\ast }} TS^{\prime }$$, i.e. $$TS,s_{i}\vDash g \leftrightarrow TS^{\prime },s^{\prime }_{i}\vDash g$$, for any $$\textbf{CTL}^{\ast }$$ formula g.

Bisimulation therefore expresses exactly that two structures have identical behaviours and satisfy identical properties.
In order to be exploited to express the identity of behaviour of a computational artefact with itself, bisimulation needs to be defined as a relation on its states, as follows10:

Definition 5.5 (Bisimulation as a Relation on States) Given a TS, a bisimulation on the states of TS, denoted by $$\equiv _{TS}$$, is a binary relation ≡ ⊆ S × S such that for all $$\equiv \left (s_{i}, s_{j}\right )$$:
$$s_{i}$$ and $$s_{j}$$ have the same label;
if there is a successor state $$s^{\prime }_{i}$$ of $$s_{i}$$, then there is a successor $$s^{\prime }_{j}$$ of $$s_{j}$$ such that $$\equiv \big (s^{\prime }_{i},s^{\prime }_{j}\big )$$;
if there is a successor state $$s^{\prime }_{j}$$ of $$s_{j}$$, then there is a successor $$s^{\prime }_{i}$$ of $$s_{i}$$ such that $$\equiv \big (s^{\prime }_{i},s^{\prime }_{j}\big )$$.

We argue that a computational artefact P is identical to itself insofar as a bisimulation equivalence can be defined on the TS corresponding to S(P). This is shown in Figure 6 by two bisimilar TSs, one of which is the duplication of the other, as in a structure related to itself. In other words, we propose to identify relation R in (2) with $$\equiv _{TS}$$.

Definition 5.6 (Identity as Bisimulation on States) TS is identical to itself in that the relation $$\equiv _{TS}$$ of bisimulation on its states can be defined.

Figure 6. Two bisimilar TSs.

We understand identity at the level of specification as sameness of prescribed behaviours. The set of temporal properties corresponding to such behaviours is the set $$ G:=\left\{g \mid TS,s_{i}\vDash_{CTL^{\ast}} g\right\}$$ for each $$s_{i}\in TS$$, where TS is the formal translation of the specification S(P) for the computational artefact of interest.
If the specification modelled by TS satisfies at each given time the same set of properties, as expressed by G, then $$TS \equiv _{CTL^{\ast }} TS$$; then by Theorem 5.4 it holds that TS ≡ TS, which is what $$\equiv _{TS}$$ means. Conversely, the relation $$\equiv _{TS}$$ is a subset of S × S satisfied by all the pairs that are related by a transition in TS; this identifies exactly all behaviours of TS, hence it is by definition behaviourally identical to the specification of TS.

5.1 Constraints on identity criteria

We analyse here the constraints for identity satisfied by $$\equiv _{TS}$$.

Non-vacuousness. The bisimulation-on-states relation $$\equiv _{TS}$$ is a significant, non-vacuous determinable for the evaluation of identity of computational artefacts, as explicated in Definition 5.6: a computational artefact is identical to itself in that a bisimulation on the states of the artefact’s specification can be defined.

Informativeness. $$\equiv _{TS}$$ contributes to specifying the nature of K in that bisimulation is preserved over different modes of presentation of the same structure: given a TS, several bisimilar graphs can be used to represent it, including unwinding and duplication11. This means that, given two different graphs, bisimulation allows one to ensure that the two graphs are bisimilar graphs for the same specification TS of a given programme P.

Partial Exclusivity. K is defined as the set of objects that instantiate a defined set of computable functions, which are here expressed as TSs, and bisimulation is an algebraic relation holding between them. Notice that TSs are cyclic graphs able to represent the non-ending executions characterizing so-called reactive software systems. It should be noted that many physical processes can also be represented by means of directed graphs, but acyclic ones, including causal processes [37]. Accordingly, bisimulation cannot be applied to non-computational processes.
These processes are therefore excluded by our analysis and bisimulation is not a trivializing relation.

Minimality. $$\equiv _{TS}$$ is the only determinable induced by our identity criterion for computational artefacts. Definition 7 ensures that $$\equiv _{TS}$$ is both a necessary and a sufficient condition, as it associates two analytic concepts with one another.

Noncircularity. $$\equiv _{TS}$$ does not presuppose identity. Indeed, given any two distinct computational artefacts P and $$P^{\prime }$$, if $$S(P)=S(P^{\prime })$$ then $$S(P)\equiv S(P^{\prime })$$. This is the case of exact copies presented below.

Non-totality. Given a kind $$K=\{P,P^{\prime },\dots , P^{\circ }\}$$ of objects, each satisfying a specification in $$S=\{S(P), S(P^{\prime }),\dots ,S(P^{\circ })\}$$, the relation $$\equiv _{TS}$$ is a subset of K × K, namely $$ \equiv_{TS}\ =_{def}\left\{\left(S(P), S(P)\right), \left(S(P^{\prime}), S(P^{\prime})\right),\dots,\left(S(P^{\circ}), S(P^{\circ})\right)\right\} $$ Hence, all other pairs in K × K are not included in the relation $$\equiv _{TS}$$.

K-maximality. $$\equiv _{TS}$$ is maximal with respect to K in that it is the only relation over K that, for all S(P) with P ∈ K, returns all the pairs that satisfy identity.

Uniqueness. $$\equiv _{TS}$$ is unique with respect to K, since every other relation which can be taken to satisfy an identity criterion cannot be considered independent of bisimulation, i.e. it can be at most equivalent to ≡; trace inclusion and CTL* equivalence are cases in point. One admissible alternative for evaluating the identity relation of computational artefacts that is also independent of bisimulation may be observational equivalence.
However, supposing that two artefacts, while observed for a finite lapse of time, manifest the very same behaviours, one cannot conclude that the two artefacts are necessarily identical, as one cannot argue for generalizations on the basis of testing.

Equivalence. $$\equiv _{TS}$$ is an equivalence relation12.

Congruence. $$\equiv _{TS}$$ is congruent in that it implies $$\textbf{CTL}^{\ast }$$ equivalence: whatever is true of a TS according to a $$\textbf{CTL}^{\ast }$$ state formula is true of any bisimulation equivalent TS, including itself13.

6 Logical definition of copies for computational artefacts

6.1 Exact copies

For the formal translation of the notion of exact copy, we still rely on the relation of bisimulation. According to this definition, two computational artefacts $$P,P^{\prime }$$ are exact copies if a bisimulation equivalence can be defined between the corresponding $$TS,TS^{\prime }$$ for the relevant $$S(P),S(P^{\prime })$$. In other words, we propose to identify relation $$R^{\prime }$$ in (3) for exact copies with ≡. Note that bisimulation is definable not only between two structures where one is a duplication of the other, but also where identical behaviours are present in distinct structures, see Figure 7.

Theorem 6.1 (Exact Copy as Bisimulation) $$TS^{\prime }$$ is an exact copy of TS if and only if $$TS \equiv TS^{\prime }$$.

Proof.
From left to right, consider the set of properties of TS as expressed by the set of formulas $$ G:=\big\{g \mid TS,s_{i}\vDash_{CTL*} g\big\}$$ for each $$s_{i}\in TS$$, where TS is the formal translation of the specification S(P) for the first computational artefact of interest; and the set of properties of $$TS^{\prime }$$ as expressed by the set of formulas $$ G^{\prime}:=\left\{g^{\prime} \mid TS^{\prime},s^{\prime}_{i}\vDash_{CTL*} g^{\prime}\right\}$$ for each $$s^{\prime }_{i}\in TS^{\prime }$$, where $$TS^{\prime }$$ is the formal translation of the specification $$S(P^{\prime })$$ for the second computational artefact of interest. Then, if $$G=G^{\prime }$$, $$TS \equiv _{CTL*} TS^{\prime }$$ and by Theorem 5.4 it holds that $$TS \equiv TS^{\prime }$$. From right to left, the relation $$TS \equiv TS^{\prime }$$ is a subset of $$S\times S^{\prime }$$ satisfied only by the pairs that are related by a transition in TS as well as in $$TS^{\prime }$$; this identifies exactly all behaviours of both TS and $$TS^{\prime }$$, hence by definition it expresses behavioural identity of the specifications of TS and $$TS^{\prime }$$, which as such can be called exact copies.

Figure 7. Two distinct bisimilar TSs.

6.2 Exact copy constraints

We analyse here the constraints for exact copies satisfied by ≡.

Non-vacuousness. Theorem 6.1 shows that the bisimulation relation $$TS \equiv TS^{\prime }$$ is a non-vacuous determinable for establishing whether $$TS^{\prime }$$ is or is not an exact copy of TS.

Informativeness. ≡ contributes to specifying the nature of K in that, given a TS representing I(P) and a $$TS^{\prime }$$ representing $$I(P)^{\prime }$$, for every computable function f valid according to K, if $$TS \equiv TS^{\prime }$$ then TS ⊧ g iff $$TS^{\prime } \models g$$ for any $$\textbf{CTL}^{\ast }$$ formula g expressing a property satisfied by f.
Partial Exclusivity. The same observation as for the Identity Criteria applies here.

Minimality. The same observation as for the Identity Criteria applies here.

Noncircularity. Bisimulation does not presuppose the relation of being an exact copy; indeed, bisimulation also holds for identity, where $$I(P) = I(P)^{\prime }$$.

Non-totality. Given I(P) and $$I(P)^{\prime }$$ which are exact copies, they are instances of the same specification S(P) and hence still satisfy only one pair in $$ \equiv\ =_{def}\left\{(S(P), S(P)), \left(S(P^{\prime}), S(P^{\prime})\right),\ldots,\big(S(P^{\circ}), S(P^{\circ})\big)\right\} $$ which is therefore still a subset of K × K.

K-maximality. Given I(P) and $$I(P)^{\prime }$$ which are exact copies, they are instances of the same specification S(P) and hence still satisfy only one pair in the relation ≡ defined above, which is the maximal partition over K returning all the identical specifications for exact copies.

Uniqueness. ≡ is unique with respect to K, since every other relation which can be taken to satisfy an exact copy criterion cannot be considered independent of bisimulation; trace inclusion and CTL equivalence are cases in point.

Equivalence. Assuming correctness of each exact copy with respect to the identical specification, ≡ is an equivalence relation14.

Congruence. ≡ is congruent in that, given a TS representing the specification determining executions of I(P) and a $$TS^{\prime }$$ representing the specification determining executions of $$I(P)^{\prime }$$, TS and $$TS^{\prime }$$ are CTL* equivalent15.

This analysis shows that bisimulation, both defined as $$\equiv _{TS}$$ for identity and as ≡ for exact copies, satisfies all the constraints on identity illustrated in the literature.
6.3 Simulation

An equivalence relation is a binary relation that must be reflexive, transitive and symmetric; a binary relation between structures that is only reflexive and transitive but not symmetric generates a preorder. Whereas bisimulation is an equivalence relation requiring two bisimilar states to exhibit identical stepwise behaviours, the simulation relation is a preorder requiring only that one state be able to mimic all stepwise behaviours of the simulated state, but not vice versa. This means that the simulating structure might perform transitions that are not performed by the simulated structure. The simulation relation can be formally defined in the following way:

Definition 6.2 (Simulation) Given two labelled transition systems TS and $$TS^{\prime }$$ on a finite set of states, $$TS^{\prime }$$ is said to simulate TS, denoted by $$TS \leq TS^{\prime }$$, when for every initial state $$s_{0}$$ in TS there is an initial state $$s^{\prime }_{0}$$ in $$TS^{\prime }$$ such that $$\leq \big (s_{0},s^{\prime }_{0}\big )$$ holds; $$\leq \big (s_{0},s^{\prime }_{0}\big )$$ holds if $$s_{0}$$ and $$s^{\prime }_{0}$$ have the same label and there is a successor state $$s^{\prime }_{1}$$ of $$s^{\prime }_{0}$$ in $$TS^{\prime }$$ for each successor state $$s_{1}$$ of $$s_{0}$$ in TS such that $$\leq \big (s_{1},s^{\prime }_{1}\big )$$.

In Figure 8, we have a relation $$TS\leq TS^{\prime }$$: the structure $$TS^{\prime }$$ on the right is able to mimic all the stepwise behaviours of the structure TS on the left; in particular, the path $$\pi =(s_{0},s_{1},s_{2})$$ of TS is allowed by transitions a, b of $$TS^{\prime }$$, and the path $$\pi =(s_{0},s_{1},s_{3})$$ of TS is allowed by transitions a, c of $$TS^{\prime }$$.
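For finite structures both relations are decidable, which is the computable treatment of identity and copy checking the paper alludes to. The following Python code is an added example, not code from the paper: it computes the greatest simulation and bisimulation relations of Definitions 6.2 and 5.1 as greatest fixpoints over label-agreeing state pairs, derives bounded trace sets in the sense of Theorems 5.3 and 6.4, and reads off the Section 4 taxonomy; the two Figure 8 structures are reconstructed from the text (state names such as s1a/s1b, and a loop-shaped pair in the spirit of Figure 9, are this example's own assumptions).

```python
"""Deciding identity and copy relations between finite transition systems.

Added example (not code from the paper): the greatest simulation and
bisimulation relations of Definitions 6.2 and 5.1 are computed as greatest
fixpoints, starting from all label-agreeing state pairs and discarding pairs
whose successors cannot be matched until nothing changes.  State names are
used as propositional labels, as in the paper's discussion of Figure 8.
"""


class TS:
    """Finite transition system: state labels, successor relation, initial states."""

    def __init__(self, labels, edges, initial):
        self.labels = dict(labels)                      # state -> label
        self.succ = {s: set() for s in self.labels}     # state -> successor states
        for src, dst in edges:
            self.succ[src].add(dst)
        self.initial = set(initial)


def _matched(rel, s, t, ts, ts2):
    """Every successor of s (in ts) is related by rel to some successor of t (in ts2)."""
    return all(any((s1, t1) in rel for t1 in ts2.succ[t]) for s1 in ts.succ[s])


def greatest_relation(ts, ts2, symmetric):
    """Greatest simulation (symmetric=False) or bisimulation (symmetric=True)
    between the states of ts and ts2, as a set of (state, state') pairs."""
    rel = {(s, t) for s in ts.labels for t in ts2.labels
           if ts.labels[s] == ts2.labels[t]}
    changed = True
    while changed:
        changed = False
        for s, t in list(rel):
            keep = _matched(rel, s, t, ts, ts2)
            if symmetric:
                # Bisimulation also needs the converse: successors of t matched by s.
                mirrored = {(b, a) for a, b in rel}
                keep = keep and _matched(mirrored, t, s, ts2, ts)
            if not keep:
                rel.discard((s, t))
                changed = True
    return rel


def simulates(ts, ts2):
    """TS <= TS': every initial state of ts is simulated by an initial state of ts2."""
    rel = greatest_relation(ts, ts2, symmetric=False)
    return all(any((s0, t0) in rel for t0 in ts2.initial) for s0 in ts.initial)


def bisimilar(ts, ts2):
    """TS == TS': initial states are matched in both directions (Definition 5.1)."""
    rel = greatest_relation(ts, ts2, symmetric=True)
    return (all(any((s0, t0) in rel for t0 in ts2.initial) for s0 in ts.initial)
            and all(any((s0, t0) in rel for s0 in ts.initial) for t0 in ts2.initial))


def traces(ts, max_len):
    """Label sequences of paths from initial states, cut at max_len states so
    that cyclic systems (as in Figure 9) yield a finite set."""
    out, frontier = set(), [(s, (ts.labels[s],)) for s in ts.initial]
    while frontier:
        s, tr = frontier.pop()
        out.add(tr)
        if len(tr) < max_len:
            frontier.extend((s1, tr + (ts.labels[s1],)) for s1 in ts.succ[s])
    return out


def classify(ts, ts2, max_len=6):
    """Section 4 taxonomy read off the formal relations between ts and ts2."""
    if bisimilar(ts, ts2):
        return "exact copy (bisimilar)"
    if simulates(ts, ts2):
        return "inexact copy (TS' simulates TS)"
    if simulates(ts2, ts):
        return "inexact copy (TS simulates TS')"
    if traces(ts, max_len) & traces(ts2, max_len):
        return "approximate copy (some shared traces)"   # bounded check only
    return "unrelated"


# Figure 8, left (constructed from the text): two states labelled 1, each with
# one deterministic continuation.  The names s1a/s1b are this example's own.
FIG8_TS = TS({"s0": "0", "s1a": "1", "s1b": "1", "s2": "2", "s3": "3"},
             [("s0", "s1a"), ("s1a", "s2"), ("s0", "s1b"), ("s1b", "s3")], ["s0"])
# Figure 8, right: a single state labelled 1 that branches to 2 or 3.
FIG8_TS2 = TS({"t0": "0", "t1": "1", "t2": "2", "t3": "3"},
              [("t0", "t1"), ("t1", "t2"), ("t1", "t3")], ["t0"])
# In the spirit of Figure 9 (assumed shape): TS loops on its state labelled 1,
# TS' additionally offers an exit to a state labelled 3, so TS' satisfies F3.
FIG9_TS = TS({"s0": "0", "s1": "1"}, [("s0", "s1"), ("s1", "s1")], ["s0"])
FIG9_TS2 = TS({"t0": "0", "t1": "1", "t3": "3"},
              [("t0", "t1"), ("t1", "t1"), ("t1", "t3")], ["t0"])

if __name__ == "__main__":
    print("Figure 8:", classify(FIG8_TS, FIG8_TS2))          # inexact copy
    print("TS with itself:", classify(FIG8_TS, FIG8_TS))      # exact copy
    # Trace equivalence does not give bisimulation back: same finite traces here.
    print("same traces:", traces(FIG8_TS, 4) == traces(FIG8_TS2, 4))
    print("Figure 9:", classify(FIG9_TS, FIG9_TS2))
```

The Figure 8 pair shows the converse of Theorem 5.3 failing: the two structures have the same finite traces, yet only the simulation holds, so the check must be bisimulation, not trace comparison, when exact copy is the question.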
The two systems are not in a bisimulation relation, in that TS is not able to mimic all behaviours of $$TS^{\prime }$$ in the same way: in particular, at a state denoted $$s_{1}$$ in TS there is no choice between moving to the state denoted $$s_{2}$$ and moving to the state denoted $$s_{3}$$; each such state moves deterministically to only one of them. Note that it is essential here to specify whether the structures of reference are finite, as we are doing here by denoting states $$s_{2},s_{3}$$ as final.

Figure 8. $$TS^{\prime }$$ on the right simulates TS on the left.

As for bisimulation, the simulation relation on finite structures implies a number of properties at the level of behaviours and of temporal properties. Let us start by considering the considerably weakened implication to path simulation16:

Lemma 6.3 (Simulation on Paths) Given two transition systems TS and $$TS^{\prime }$$ such that $$TS \leq TS^{\prime }$$, if $$\leq \big (s_{i},s^{\prime }_{i}\big )$$, then for each (finite or infinite) path $$\pi =\big (s_{i}, s_{j}, \ldots \big )$$ of TS there exists a path $$\pi ^{\prime }=\big (s^{\prime }_{i}, s^{\prime }_{j}, \ldots \big )$$ of the same length in $$TS^{\prime }$$ with $$\leq \big (s_{k},s^{\prime }_{k}\big )$$ for all k.

Note that, as expected, here the existence of identical paths is induced in one direction only, i.e. from their existence in the simulated structure to their existence in the simulating structure. Accordingly, this implies trace inclusion17:

Theorem 6.4 (Simulation implies trace inclusion) Two transition systems TS and $$TS^{\prime }$$, defined over the same set of atomic propositions AP, are said to satisfy trace inclusion if $$traces_{AP}(TS) \subseteq traces_{AP}(TS^{\prime })$$, where $$traces(TS)=\bigcup _{s\in I}traces(s)$$ denotes the (finite) set of traces starting at initial states of TS.
It holds that $$TS \leq TS^{\prime }$$ implies $$traces_{AP}(TS) \subseteq traces_{AP}(TS^{\prime })$$.

As the relation of trace inclusion presented above concerns finite traces, the properties of relevance are safety properties of the system. Let us see. If one defines the universal fragment of $$CTL^{\ast }$$, denoted $$\boldsymbol{\forall}\textbf{CTL}^{\ast }$$, as the temporal logic obtained by considering only universally quantified formulas of $$CTL^{\ast }$$, then18

Theorem 6.5 (Simulation and $$\boldsymbol{\forall}\textbf{CTL}^{\ast }$$ equivalence) $$TS \leq TS^{\prime }$$ iff $$TS^{\prime },s^{\prime }_{i}\vDash g \rightarrow TS,s_{i}\vDash g$$, for any $$\boldsymbol{\forall}\textbf{CTL}^{\ast }$$ formula g.

As an example, consider that in $$TS^{\prime }$$ from Figure 8, the state labelled by $$s_{0}$$ satisfies the formula G1 (where we take here the name of the state to express a corresponding propositional variable), which simulates the behaviour of the state labelled by $$s_{0}$$ in TS. Also, the state on the left branch labelled by $$s_{1}$$ in TS satisfies X2, while the state labelled by $$s_{1}$$ in $$TS^{\prime }$$ does not. Because $$\boldsymbol{\forall}\textbf{CTL}^{\ast }$$ describes properties that are quantified over all possible behaviours, and since every behaviour of TS is a behaviour of $$TS^{\prime }$$, every $$\boldsymbol{\forall}\textbf{CTL}^{\ast }$$ formula satisfied by $$TS^{\prime }$$ must also hold true in TS. However, when a $$\boldsymbol{\forall}\textbf{CTL}^{\ast }$$ formula is not satisfied in $$TS^{\prime }$$, it may or may not be satisfied in TS. It is crucial that the behaviour inclusion of the simulated structure in the simulating structure concerns universally quantified formulas, i.e. those expressing safety properties.

A different situation concerns structures which admit infinite paths, by the presence of loops on states. Consider the two structures in Figure 9.
In this case, $$TS\leq TS^{\prime }$$, but there is now an infinite path in TS, namely $$\pi =(s_{0},s_{1},s_{1},\dots)$$, such that the sequence of its states’ labels (0, 1, 1, …) is still included in $$TS^{\prime }$$.

Theorem 6.6 (Simulation implies trace inclusion) Two transition systems TS and $$TS^{\prime }$$, defined over the same set of atomic propositions AP, are said to satisfy trace inclusion if $$traces_{AP}(TS) \subseteq traces_{AP}(TS^{\prime })$$, where $$traces(TS)=\bigcup _{s\in I}traces(s)$$ denotes the (infinite) set of traces starting at initial states of TS. It holds that $$TS \leq TS^{\prime }$$ implies $$traces_{AP}(TS) \subseteq traces_{AP}(TS^{\prime })$$.

Figure 9. $$TS^{\prime }$$ on the right simulates TS on the left.

Let us now consider how this extends to other properties of the structures as expressed by temporal formulas. If one defines the existential fragment of $$\textbf{CTL}^{\ast }$$, denoted $$\boldsymbol{\exists}\textbf{CTL}^{\ast }$$, as the temporal logic obtained by considering only existentially quantified formulas of $$\textbf{CTL}^{\ast }$$, then19

Theorem 6.7 (Simulation and $$\boldsymbol{\exists}\textbf{CTL}^{\ast }$$ equivalence) $$TS \leq TS^{\prime }$$ iff $$TS,s_{i}\vDash g \rightarrow TS^{\prime },s^{\prime }_{i}\vDash g$$, for any $$\boldsymbol{\exists}\textbf{CTL}^{\ast }$$ formula g.

As an example, consider that in $$TS^{\prime }$$ from Figure 9, the state labelled by $$s_{1}$$ satisfies the formula F3 (again, using labels of states as variables for propositional formulas), while the state labelled by $$s_{1}$$ in the left branch of TS does not. Because $$\boldsymbol{\exists}\textbf{CTL}^{\ast }$$ describes properties that are quantified over some possible behaviours, and since every behaviour of TS is a behaviour of $$TS^{\prime }$$, some properties satisfied by TS must also hold true in $$TS^{\prime }$$.
However, when an $$\boldsymbol{\exists}\textbf{CTL}^{\ast }$$ formula is not satisfied in TS, it may or may not be satisfied in $$TS^{\prime }$$. It is crucial that the behaviour inclusion of the simulated structure in the simulating structure concerns existentially quantified formulas, i.e. those expressing liveness properties.

6.4 Inexact copies

We use the simulation relation to characterize the relation of being an inexact copy. A computational artefact $$P^{\prime }$$ is an inexact copy of P if the $$TS^{\prime }$$ corresponding to $$S(P^{\prime })$$ displays all the universally valid behaviours of the TS corresponding to S(P). We thus propose to identify relation $$R^{\prime }$$ in (3) for inexact copies with ≤.

Theorem 6.8 (Inexact Copy as Simulation) $$TS^{\prime }$$ is an inexact copy of TS if and only if $$TS \leq TS^{\prime }$$.

Proof. Recall that we understand inexact copy at the level of specification as inclusion of prescribed behaviours. In view of Theorem 6.5, the set of all universally valid behaviours of the copied structure which is manifested by the copying structure can be identified with the set of safety properties of the copying structure, namely with $$ \forall G^{\prime}:=\left\{g^{\prime} \mid TS^{\prime},s^{\prime}_{i}\vDash_{\forall CTL*} g^{\prime}\right\}\!. $$ Now the following inclusion relation holds: $$ \forall G\,^{\prime} \subseteq G:=\left\{g \mid TS,s_{i}\vDash_{CTL*} g\right\}\!. $$ The inclusion above expresses the fact that all safety properties of $$TS^{\prime }$$ are properties of TS, but it says nothing about properties that are not satisfied by $$TS^{\prime }$$. For the left to right direction, assume that $$TS^{\prime }$$ is an inexact copy of TS, in the sense of having all of its universally valid behaviours. This must be more precisely understood as saying that for every property that is always manifested by every behaviour of $$TS^{\prime }$$, such a behaviour is manifested by TS as well.
Then, if the specification modelled by $$TS^{\prime }$$ as $$G^{\prime }$$ is a subset of G for TS with respect to the safety properties, then $$TS^{\prime },s^{\prime }_{i}\vDash g \rightarrow TS,s_{i}\vDash g$$ for any $$\boldsymbol{\forall}\textbf{CTL}^{\ast}$$ formula g, and by Theorem 6.5 it holds that $$TS \leq TS^{\prime }$$. For the right-to-left direction, assume there is a behaviour expressed as a formula g that is always displayed by every execution of P; then by definition $$TS,s\vDash g$$ and g is a $$\boldsymbol{\forall}\textbf{CTL}^{\ast }$$ formula. Assume moreover that there is some execution of $$P^{\prime }$$ that does not satisfy g; then by definition $$\exists s^{\prime }\in TS^{\prime }$$ such that $$TS^{\prime },s^{\prime }\vDash \neg g$$. By our assumption $$TS\leq TS^{\prime }$$ and by Theorem 6.4, the paths leading to behaviours of TS are paths leading to behaviours of $$TS^{\prime }$$, i.e. $$traces(TS)\subseteq traces(TS^{\prime })$$. Hence, TS has a state satisfying ¬g and also some path leading to g: therefore, it is not possible that a property satisfied by every behaviour of P is not a property of $$P^{\prime }$$, and hence if $$TS^{\prime }$$ simulates TS then it is an inexact copy of it.

6.5 Inexact copy constraints

We analyse here which of the constraints analysed so far are satisfied by inexact copies in terms of the ≤ relation.

Non-vacuousness. As above, the non-vacuousness of ≤ is assured by Theorem 6.8.

Informativeness. Simulation contributes to specifying the nature of K in that, given TS representing I(P) and $$TS^{\prime }$$ representing $$I(P^{\prime })$$, if $$TS \leq TS^{\prime }$$ then there is a computable function f such that if $$TS^{\prime } \models g$$ then also TS ⊧ g, for some $$\boldsymbol{\forall}\textbf{CTL}^{\ast }$$ formula g expressing a safety property satisfied by f. Clearly, the informativeness of ≤ over K offers more constraints than ≡ over K.

Partial Exclusivity. The same observation as for bisimulation applies to simulation.

Minimality. The same observation as for the Identity and Exact Copy Criteria applies here.

Noncircularity. Simulation does not presuppose the relation of being an inexact copy. Indeed, given two artefacts $$P,P^{\prime }$$ and supposing $$TS\leq TS^{\prime }$$ (where TS represents P and $$TS^{\prime }$$ represents $$P^{\prime }$$), it does not necessarily follow that $$P^{\prime }$$ is an inexact copy of P. In the case where $$P^{\prime }$$ is an exact copy of P, or $$P^{\prime }$$ is identical to P, then $$TS \equiv TS^{\prime }$$, from which it also follows that $$TS\leq TS^{\prime }$$. Note however that being an inexact copy will not imply being either an exact copy or an identical artefact.

Non-totality. Simulation is a preorder and as such is transitive but not symmetric. For any two $$S(P),S(P^{\prime })$$ with $$P, P^{\prime }\in K$$, the relation ≤ will hold in one direction but not in the other; hence ≤ ⊂ K × K.

K-maximality. $$P^{\prime }$$ is an inexact copy of P when $$P^{\prime }$$ manifests all but not only the behaviours of P; as such, by definition, $$P^{\prime }$$ simulates P. However, one may define a wider relation $$P\preceq P^{\prime }$$ defining any additional property of $$P^{\prime }$$ which is not a property of P, such as a liveness property on $$TS^{\prime }$$. If $$P\preceq P^{\prime }$$ then $$P\leq P^{\prime }$$ but not vice versa; hence maximality fails.

Uniqueness. Our criterion of interpretation for inexact copies is defined as behavioural inclusion analysed at the level of specifications, such that if $$P^{\prime }$$ is an inexact copy of P, then $$S(P) \subset S(P^{\prime })$$. This inclusion is analysed at the level of TSs, and given two such structures $$TS,TS^{\prime }$$ behavioural inclusion corresponds to simulation. Any other relation on structures preserving this criterion is either wider (e.g. bisimulation, which implies simulation) or narrower (e.g. $$\boldsymbol{\forall}\textbf{CTL}$$ equivalence, which is implied by simulation). As such, no other independent relation for inexact copies exists.

Equivalence. Simulation satisfies reflexivity and transitivity but, as a preorder, it does not satisfy symmetry; hence it is not an equivalence relation.

Congruence. By definition of $$P\leq P^{\prime }$$, all that is true of the simulated artefact P will be true of the simulating artefact $$P^{\prime }$$ but not vice versa. Hence, congruence is not satisfied by simulation.

This analysis shows that the relation holding between inexact copies is weaker than identity, as Maximality, Equivalence and Congruence do not hold.

6.6 Approximate copy

For the notion of approximate copy, recall that it refers to two distinct computational artefacts P and $$P^{\prime }$$, with different specifications $$S(P),S(P^{\prime })$$, such that $$P^{\prime }$$ is an approximate copy of P when $$P^{\prime }$$ manifests some of the behaviours of P, i.e. $$S(P) \cap S(P^{\prime })\neq \emptyset $$. This leaves in turn the possibility that each artefact presents behaviours not included in the other. To formalize this notion, we need to introduce a new set of relations, starting from the definition of simulation as a relation on states of a single TS (see footnote 20):

Definition 6.9 (Simulation as a Relation on States). Given a TS, a simulation on states of TS is a binary relation ≤ ⊆ S × S such that for all $$\leq (s_{i}, s_{j})$$: (1) $$s_{i}$$ and $$s_{j}$$ have the same label, and (2) if there is a successor state $$s^{\prime }_{i}$$ of $$s_{i}$$, then there is a successor $$s^{\prime }_{j}$$ of $$s_{j}$$ such that $$\leq (s^{\prime }_{i},s^{\prime }_{j})$$.

Recall that the quotient set of a set S, denoted S/∼, is the partition of S with respect to a relation ∼, such that two elements a, b ∈ S belong to the same block of the partition if and only if they satisfy the relation ∼ at hand.
In particular, we consider the simulation quotient of a TS, denoted by TS/≤, as the partition of a TS according to the simulation relation, i.e. a partition of paths of TS such that a path is in the partition if and only if TS simulates it. Formally (see footnote 21):

Definition 6.10 (Simulation Quotient System). Given a TS, the simulation quotient transition system TS/≤ is a set-theoretic structure $$TS/\!\leq =(S/\!\leq , \{\tau \}, T_{\leq }, I_{\leq }, F_{\leq }, AP, L_{\leq })$$ where S/≤ is the set of states obtained by partition according to the simulation relation by TS; $$\{\tau \}$$ is any set of finite transitions' labels; $$T_{\leq }$$ is the quotiented transition relation such that if $$T_{a\in A}(s,s^{\prime })$$ then $$T_{\tau }([s]_{\leq },[s^{\prime }]_{\leq })$$, where A is the original finite set of transitions' labels of TS; $$I_{\leq } =\{[s]_{\leq } \mid s \in I\}$$ is the set of states obtained by the partition according to simulation by TS on its initial states, where I is the original finite set of initial states of TS; $$F_{\leq } = \{[s]_{\leq } \mid s \in F\}$$ is the set of states obtained by the partition according to simulation by TS on its final states, where F is the original finite set of final states of TS; AP is a finite set of states' labels; $$L_{\leq }$$ is the function labelling states such that $$L_{\leq }([s]_{\leq })=L(s)$$.

It is obvious that the elements of a simulation quotient are all the behaviours that a system can simulate, and therefore all its own behaviours. As an example, examine Figure 10, showing the elements of $$TS^{\prime }/\!\leq $$ from the $$TS^{\prime }$$ in Figure 8, i.e. its paths $$\pi ,\pi ^{\prime }$$.

Figure 10. Elements of $$TS^{\prime }/\!\leq $$ from Figure 8, $$\pi $$ on the left and $$\pi ^{\prime }$$ on the right.
Consider now a new $$TS^{\prime \prime }$$ such that $$\pi \leq TS^{\prime \prime }$$; see Figure 11. According to our intuition, $$P^{\prime }$$ is an approximate copy of P when $$P^{\prime }$$ manifests some of, and potentially more than, the behaviours of P, while P also stands in the same relation to $$P^{\prime }$$. The simulation from Figure 12 instantiates this precisely, as it allows $$TS^{\prime \prime }$$ to have more behaviours than TS, and it also allows TS to have more behaviours than $$TS^{\prime \prime }$$, as the latter simulates only some of its own behaviours.

Figure 11. $$TS^{\prime \prime }$$ on the right simulates $$\pi $$ on the left.

Figure 12. $$TS^{\prime \prime }$$ on the right approximates TS on the left.

This relation is captured precisely as follows:

Theorem 6.11 (Approximate copy). $$TS^{\prime }$$ is an approximate copy of TS, denoted by $$TS\approx TS^{\prime }$$, iff $$\exists \pi ^{\prime } \in TS^{\prime }/\!\leq $$ such that $$\pi ^{\prime } \leq TS$$.

Proof. Let us denote with $$G^{\prime }/\!\leq $$ the consequence set of $$TS^{\prime }/\!\leq $$, i.e.
$$ G^{\prime}/\!\leq\ :=\left\{g^{\prime} \mid TS^{\prime}/\!\leq,\pi^{\prime} \vDash_{CTL^{\ast}} g^{\prime}\right\}. $$
Then the relation of approximate copy, expressed as a relation between the sets of properties of $$TS, TS^{\prime }$$, is given by
$$ G:=\left\{g \mid TS\vDash_{CTL^{\ast}} g\right\} \subset G^{\prime}/\!\leq\ =\left\{g^{\prime} \mid TS^{\prime}/\!\leq,\pi^{\prime} \vDash_{CTL^{\ast}} g^{\prime}\right\} $$
and the theorem is reformulated by saying that
$$ G \subset G^{\prime}/\!\leq \ \textrm{iff}\ \exists \pi^{\prime} \in TS^{\prime}/\!\leq \ \textrm{such that}\ \pi^{\prime} \leq TS. $$
We now prove this double implication.
From left to right: if the specification modelled by TS as G is a proper subset of $$G^{\prime }/\!\leq $$ for $$TS^{\prime }/\!\leq $$, then ∃g ∈ G such that $$\exists \pi \in TS$$ with $$\pi \vDash _{\forall CTL^{\ast }}g$$ and $$\exists \pi ^{\prime } \in TS^{\prime }/\!\leq $$ with $$\pi ^{\prime } \vDash g$$; and $$\exists g^{\prime } \in G^{\prime }/\!\leq $$ such that $$\exists \pi ^{\prime } \in TS^{\prime }/\!\leq $$ with $$\pi ^{\prime } \vDash _{\forall CTL^{\ast }}g^{\prime }$$ and $$\forall \pi \in TS,\ \pi \nvDash g^{\prime }$$. Then by Theorem 6.5, the first condition above presents a witness for $$\exists \pi \in TS^{\prime }/\!\leq $$ such that $$\pi \leq TS$$.

From right to left: recall that we informally define approximate copies as satisfying two conditions: they share some behaviours; they do not share every behaviour (in either direction). Then, if there is a path in the simulation quotient of $$TS^{\prime }$$ which is simulated by TS, then by Definition 6.2 every state in such a path has an equivalent state in TS. This path then expresses exactly the common behaviours of TS and $$TS^{\prime }$$, satisfying the first of the conditions above. But this says nothing about behaviours that are not satisfied by TS (which could be satisfied by $$TS^{\prime }$$) or about behaviours that are satisfied by $$TS^{\prime }$$ (but not by TS, as the simulation involves only a path of the former). Hence, the second condition above is also satisfied and each of the two structures is an approximate copy of the other.

It should be noted that by the right-to-left direction above, ≈ is a symmetric relation, and thereby $$S(P^{\prime })$$ also simulates a non-empty subset of the simulation partitions of S(P). This also captures the idea, highlighted in the philosophy of technology (for instance in [6]), that when $$P^{\prime }$$ is a copy of P, $$I(P^{\prime })$$ presents some similarities with I(P), i.e. the behaviours corresponding to the simulated partitions. Notice however that Theorem 6.11 focuses on prescribed behaviours at the formal specification LoA, not on implemented observable behaviours. This allows one to avoid common problems connected to similarity relations, in particular their high context-dependency [19]. Determining whether two computational artefacts are similar on the basis of the similarity of observed behaviours may not always turn out to be revealing, in that some of the resulting behaviours may depend on contextual factors, especially the operating environment.

6.7 Approximate copy constraints

We analyse here which of the constraints for the identity criteria are satisfied by approximate copies in terms of the ≈ relation, expressed in turn as simulation between a computational artefact and an element of the simulation quotient of another artefact.

Non-vacuousness. As above, Theorem 6.11 shows that ≈ is a significant determinable to evaluate approximate copies of computational artefacts.

Informativeness. Simulation over a partition contributes to specifying the nature of K in that, given a TS representing I(P) and $$TS^{\prime }$$ representing $$I(P^{\prime })$$, if $$TS \approx TS^{\prime }$$ then, for some computable function f valid according to K, TS ⊧ g iff $$TS^{\prime } \models g$$ for at least one CTL* formula g expressing a property satisfied by the function f. Clearly, the informativeness of ≈ over K offers more constraints than ≤ over K.

Partial Exclusivity. The same applies as for the inexact copy relation above.

Minimality. The same observations made above for identity, exact and inexact copies apply here.

Noncircularity. Simulation over partition does not presuppose the relation of being an approximate copy.
Indeed, given two artefacts $$P,P^{\prime }$$ where $$P^{\prime }$$ is an exact copy of P, or $$P^{\prime }$$ is identical to P, then $$P\equiv P^{\prime }$$, which implies $$P\leq P^{\prime }$$, which in turn implies $$P\approx P^{\prime }$$. Note however that being an approximate copy will not imply being an inexact copy, which in turn will not imply being either an exact copy or an identical artefact.

Non-totality. The same applies as for the inexact copy relation above.

K-maximality. $$P^{\prime }$$ is an approximate copy of P when $$P^{\prime }$$ manifests some but not only the behaviours of P; as such, by definition, $$P\approx P^{\prime }$$. However, one may define a wider relation defining any additional property of $$P^{\prime }$$ which is not a property of P, such as for the case of simulation $$P\leq P^{\prime }$$. If $$P\leq P^{\prime }$$ then $$P\approx P^{\prime }$$ but not vice versa; hence maximality fails.

Uniqueness. Our criterion of interpretation for approximate copies is defined as partial behavioural inclusion analysed at the level of specifications, such that if $$P^{\prime }$$ is an approximate copy of P, then $$S(P) \cap S(P^{\prime })\neq \emptyset $$. This inclusion is analysed at the level of TSs, and given two such structures $$TS,TS^{\prime }$$ partial behavioural inclusion corresponds to simulation over partition. Any other relation on structures preserving this criterion is wider (e.g. simulation, which implies simulation over partition). As such, no other independent relation for approximate copies exists.

Equivalence. Simulation over partition satisfies reflexivity and symmetry. As explained below, simulation over partition does not satisfy transitivity. Hence, it is not an equivalence relation.

Congruence. By definition of $$P\approx P^{\prime }$$, not all that is true of the approximated artefact P will be true of the approximating artefact $$P^{\prime }$$, nor vice versa. Hence, congruence is not satisfied by simulation over partition.
This analysis shows that, as in the case of the relation of being an inexact copy, the relation of being an approximate copy does not satisfy Maximality, Equivalence and Congruence. Approximate copies do not satisfy transitivity or, more precisely, they satisfy intransitivity:
$$ \neg \forall x\forall y \forall z\,((y ⇜ x) \wedge (z ⇜ y) \rightarrow (z ⇜ x)). \qquad (4) $$
To see this, reconsider the example from Figure 12, which proves that $$TS^{\prime \prime }$$ on the right is an approximate copy of TS on the left. Now it is not difficult to design a new $$TS^{\prime \prime \prime }$$, of which TS is an approximation, but which is not approximated by $$TS^{\prime \prime }$$; see Figure 13. However, this need not be the case, as a similarly easy example shows instead a $$TS^{\prime \prime \prime \prime }$$ approximated by both TS and $$TS^{\prime \prime }$$; see Figure 14.

Figure 13. An example of non-transitive approximation: TS at the bottom approximates $$TS^{\prime \prime }$$ on the top right, which approximates $$TS^{\prime \prime \prime }$$ on the top left, while TS does not approximate $$TS^{\prime \prime \prime }$$.

Figure 14. An example of transitive approximation: TS at the bottom approximates $$TS^{\prime \prime }$$ on the top right and $$TS^{\prime \prime \prime }$$ on the top left.
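The relations of Sections 6.4 and 6.6 are decidable on finite structures, as Section 7 observes. The following Python program is an added example, not code from the paper: it computes the greatest simulation and bisimulation between two finite state-labelled transition systems by fixpoint refinement and checks Theorem 6.11 on acyclic systems by enumerating the maximal paths of TS' in place of the elements of TS'/≤. The systems, their labels and all helper names are constructed here, and transitions are assumed unlabelled (the single action τ of Definition 6.10).

```python
"""Constructed example (not the paper's code): simulation, bisimulation and
approximate-copy checks over finite state-labelled transition systems.
Transitions are unlabelled (a single action tau, as in Definition 6.10)."""
from itertools import product


class TS:
    """Finite transition system: initial states, successor map, state labels."""

    def __init__(self, initial, trans, label):
        self.states = set(label)
        self.initial = set(initial)
        self.trans = {s: set(trans.get(s, ())) for s in self.states}
        self.label = dict(label)


def greatest_relation(a, b, symmetric=False):
    """Greatest simulation of a by b (Definition 6.2 across two systems): start
    from all same-label pairs and discard a pair whenever some successor of the
    simulated state has no related successor of the simulating state, until
    stable. With symmetric=True the transfer condition is imposed in both
    directions, which gives the greatest bisimulation instead."""
    rel = {(s, t) for s, t in product(a.states, b.states) if a.label[s] == b.label[t]}
    changed = True
    while changed:
        changed = False
        for s, t in list(rel):
            ok = all(any((s2, t2) in rel for t2 in b.trans[t]) for s2 in a.trans[s])
            if ok and symmetric:
                ok = all(any((s2, t2) in rel for s2 in a.trans[s]) for t2 in b.trans[t])
            if not ok:
                rel.discard((s, t))
                changed = True
    return rel


def simulates(a, b):
    """a <= b: every initial state of a is simulated by an initial state of b."""
    rel = greatest_relation(a, b)
    return all(any((s, t) in rel for t in b.initial) for s in a.initial)


def bisimilar(a, b):
    """a == b: initial states matched by a bisimulation in both directions."""
    rel = greatest_relation(a, b, symmetric=True)
    return (all(any((s, t) in rel for t in b.initial) for s in a.initial)
            and all(any((s, t) in rel for s in a.initial) for t in b.initial))


def traces(ts, depth):
    """Label sequences of length <= depth from the initial states (a finite
    prefix of traces(TS), to illustrate Theorem 6.6)."""
    out, frontier = set(), [(s, (ts.label[s],)) for s in ts.initial]
    while frontier:
        s, tr = frontier.pop()
        out.add(tr)
        if len(tr) < depth:
            frontier.extend((s2, tr + (ts.label[s2],)) for s2 in ts.trans[s])
    return out


def maximal_paths(ts):
    """Maximal simple paths from the initial states, each as a linear TS; for
    an acyclic system they stand in for the elements of TS/<=."""
    done, stack = [], [[s] for s in ts.initial]
    while stack:
        p = stack.pop()
        nxt = [s2 for s2 in ts.trans[p[-1]] if s2 not in p]
        if not nxt:
            done.append(p)
        stack.extend(p + [s2] for s2 in nxt)
    return [TS(["p0"], {f"p{i}": {f"p{i + 1}"} for i in range(len(p) - 1)},
               {f"p{i}": ts.label[p[i]] for i in range(len(p))}) for p in done]


def approximate_copy(a, b):
    """Theorem 6.11: b is an approximate copy of a iff some path of b/<= is
    simulated by a."""
    return any(simulates(pi, a) for pi in maximal_paths(b))


# Constructed systems; labels are propositional variables as in the figures.
TS0 = TS(["s0"], {"s0": {"s1", "s2"}}, {"s0": "0", "s1": "1", "s2": "2"})
# TS1 continues after label 1: TS0 <= TS1 but not TS1 <= TS0, so TS1 is an
# inexact copy of TS0 (Theorem 6.8) and not an exact one.
TS1 = TS(["t0"], {"t0": {"t1", "t2"}, "t1": {"t3"}},
         {"t0": "0", "t1": "1", "t2": "2", "t3": "3"})
# TS2 shares behaviour 0-1 with TS0 and adds 0-4: no simulation either way,
# yet each is an approximate copy of the other (symmetry of the relation).
TS2 = TS(["w0"], {"w0": {"w1", "w4"}}, {"w0": "0", "w1": "1", "w4": "4"})
# DET and NONDET have identical traces, yet only NONDET <= DET holds: trace
# inclusion does not give simulation back (the converse of Theorem 6.6 fails).
DET = TS(["u0"], {"u0": {"u1"}, "u1": {"u2", "u3"}},
         {"u0": "0", "u1": "1", "u2": "2", "u3": "3"})
NONDET = TS(["v0"], {"v0": {"v1", "v1b"}, "v1": {"v2"}, "v1b": {"v3"}},
            {"v0": "0", "v1": "1", "v1b": "1", "v2": "2", "v3": "3"})

if __name__ == "__main__":
    print("TS0 <= TS1", simulates(TS0, TS1), "| TS1 <= TS0", simulates(TS1, TS0))
    print("TS0 == TS1", bisimilar(TS0, TS1), "| TS0 ~ TS2", approximate_copy(TS0, TS2))
    print("traces equal", traces(DET, 3) == traces(NONDET, 3),
          "| DET <= NONDET", simulates(DET, NONDET))
```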
7 Future developments and applications

This paper addressed the ontological question on identity criteria put forward by [16] for computational artefacts. We argued that the identity relation x = y between computational artefacts x and y can be defined in terms of a bisimulation equivalence, in that such a formal relation satisfies all the constraints required by identity criteria for natural objects and technical artefacts. The paper also addressed the ontological question with respect to the copy relation between computational artefacts x and y, by defining it in terms of a simulation preorder. The exact, inexact and approximate copy relations have been understood here as progressive weakenings of the identity relation, on the basis of the constraints being satisfied or violated by the different copy relations.

The choice of analysing identity of computational artefacts at the formal specification level turns out to be useful also to address the epistemological question on identity and copy. Indeed, establishing whether S(x) ≡ S(y) or S(x) ≤ S(y) for computational artefacts x and y can be algorithmically checked. It is known that checking bisimulation equivalence or simulation order are polynomially solvable problems, while checking trace equivalence is a PSPACE-complete problem. Clearly, complexity issues arising from such decision problems should be analysed for non-trivial system specifications and for the relevant behaviours. Defining a mechanical solution to the problem of whether a given computational artefact is or is not an (approximate or even inexact) copy of an original one is compelling in computer ethics [22], especially in connection with the issue of defining copyright or patent infringement. Indeed, defining copies at the programme specification level is helpful in those many cases in which infringement has to be evaluated among programmes written in different programming languages [42].
In addition, the epistemological question for the copy relation is also connected to the problem of determining whether second-order properties, including safety and reliability, are preserved through copies. Our distinction among exact, inexact and approximate copies, and the corresponding formal relation between bisimulation and $$CTL^{\ast }$$ equivalence and between simulation and $$\forall CTL^{\ast }$$ equivalence, provides a conceptual and formal framework wherein the problem can be advanced and examined.

Acknowledgements

The initial version of this work has been made possible thanks to a Visiting Professorship granted to Giuseppe Primiero by the University of Sassari in 2017. Both authors are grateful for the opportunity given. The final version of this work has been realized in the context of the Research Project ANR-17-CE38-0003-01 (ANR-Agence Nationale de la Recherche) titled ‘What is a (computer) programme: Historical and Philosophical Perspectives’.

Footnotes

1. Issues arise here in connection with the problem of how functions, qua human intentions, can constrain the structural substratum [14]. Addressing this problem requires a proper theory of functions [23, 47].
2. For this example see [34, pp. 8–9].
3. See [2, p. 96].
4. See [2, p. 98]. Note that an infinite trace over a transition system with terminal states is a trace with a self-loop on its terminal state.
5. For an approach to software theory change which can be assumed to model such transformation of specification see [39].
6. This case has been investigated in the Philosophy of Technology literature as the relation of perfect copies and replicas, see [6, p. 215].
7. See Section 6.3 for a definition of safety and liveness properties.
8. See [2, p. 454].
9. See [2, p. 456].
10. See [2, p. 456].
11. For these definitions, see e.g. [9, p. 172].
12. See [2, Lemma 7.8, p. 453].
13. See [2, Definition 7.17, part 2, p. 468].
14. See [2, Lemma 7.8, p. 453].
15. See [2, Definition 7.17, part 2, p. 468].
16. See [2, p. 504].
17. See [2, p. 512].
18. See [2, pp. 517–519].
19. See [2, p. 520].
20. See [2, p. 506].
21. See [2, p. 508].

References

[1] M. Abadi and L. Lamport. The existence of refinement mappings. Theoretical Computer Science, 82, 253–284, 1991.
[2] C. Baier and J.-P. Katoen. Principles of Model Checking. MIT Press, 2008.
[3] D. L. Baxter. Many-one identity. Philosophical Papers, 17, 193–216, 1988.
[4] M. Carrara, S. Gaio and M. Soavi. Artifact kinds, identity criteria, and logical adequacy. In Artefact Kinds: Ontology and the Human-made World, M. Franssen, P. Kroes, T. Reydon and P. E. Vermaas, eds, pp. 85–101. Springer, 2014.
[5] M. Carrara and P. Giaretta. Identity criteria and sortal concepts. In Proceedings of the International Conference on Formal Ontology in Information Systems, Volume 2001, pp. 234–243. Association for Computing Machinery, 2001.
[6] M. Carrara and M. Soavi. Copies, replicas, and counterfeits of artworks and artefacts. The Monist, 93, 414–432, 2010.
[7] B. Chandrasekaran. Functional representation and causal processes. Advances in Computers, 38, 73–143, 1994.
[8] B. Chandrasekaran and J. R. Josephson. Function in device representation. Engineering with Computers (London), 16, 162–177, 2000.
[9] E. M. Clarke Jr., O. Grumberg and D. A. Peled. Model Checking. MIT Press, Cambridge, MA, USA, 1999.
[10] D. Davidson. The individuation of events. In Essays in Honor of Carl G. Hempel, pp. 216–234. Springer, 1969.
[11] L. Floridi. The method of levels of abstraction. Minds and Machines, 18, 303–329, 2008.
[12] L. Floridi, N. Fresco and G. Primiero. On malfunctioning software. Synthese, 192, 1199–1220, 2015.
[13] W. Fokkink. Introduction to Process Algebra. Texts in Theoretical Computer Science, An EATCS Series. Springer, 2000.
[14] M. Franssen, G.-J. Lokhorst and I. van de Poel. Philosophy of Technology. In The Stanford Encyclopedia of Philosophy, Fall 2015 edn., E. N. Zalta ed. Metaphysics Research Lab, Stanford University, 2015.
[15] G. Frege. On concept and object. In The Frege Reader, M. Beaney ed. Basil Blackwell, Oxford, 1997.
[16] G. Frege. The Foundations of Arithmetic: A Logico-Mathematical Enquiry into the Concept of Number. Basil Blackwell, Oxford, 1953. English translation by J. L. Austin.
[17] N. Fresco and G. Primiero. Miscomputation. Philosophy & Technology, 26, 253–272, 2013.
[18] N. Goodman. Languages of Art: An Approach to a Theory of Symbols. Hackett Publishing, 1968.
[19] N. Goodman. Problems and Projects. Bobbs-Merrill, Indianapolis, 1972.
[20] N. Gorogiannis and M. Ryan. Minimal refinements of specifications in modal and temporal logics. Formal Aspects of Computing, 19, 35–62, 2007.
[21] D. H. Hick and R. Schmücke. The Aesthetics and Ethics of Copying. Bloomsbury Academic, 2016.
[22] D. G. Johnson and K. Miller. Computer Ethics. Pearson, New York, 2008.
[23] P. Kroes. Engineering and the dual nature of technical artefacts. Cambridge Journal of Economics, 34, 51–62, 2009.
[24] P. Kroes. Technical Artefacts: Creations of Mind and Matter: A Philosophy of Engineering Design, vol. 6. Springer Science & Business Media, 2012.
[25] P. P. Kroes and A. A. Meijers. The dual nature of technical artefacts. Studies in History and Philosophy of Science, 37, 1, 2006.
[26] F. Kröger and S. Merz. Temporal Logic and State Systems. Springer, 2008.
[27] D. Lewis. On the Plurality of Worlds. Basil Blackwell, Oxford, 1986.
[28] D. Lewis. Parts of Classes. Basil Blackwell, Oxford, 1991.
[29] L. B. Lombard. Events: A Metaphysical Study. Routledge & Kegan Paul Books, London, 1986.
[30] E. J. Lowe. What is a criterion of identity? The Philosophical Quarterly (1950-), 39, 1–21, 1989.
[31] E. J. Lowe. Objects and criteria of identity. In A Companion to the Philosophy of Language, B. Hale and C. Wright, eds, pp. 990–1012. Blackwell Publishers Ltd., Oxford, 1997.
[32] E. J. Lowe. The Possibility of Metaphysics: Substance, Identity, and Time. Clarendon Press, 1998.
[33] A. A. Meijers. The relational ontology of technical artifacts. In The Empirical Turn in the Philosophy of Technology, P. Kroes and A. Meijers, eds. Elsevier, Amsterdam, 2000.
[34] C. A. Middelburg. A short introduction to process theory. CoRR abs/1610.01412, 2016.
[35] R. Milner. An algebraic definition of simulation between programs. In Proceedings of the 2nd International Joint Conference on Artificial Intelligence, IJCAI ’71, San Francisco, CA, USA, pp. 481–489. Morgan Kaufmann Publishers Inc., 1971.
[36] H. Noonan and B. Curtis. Identity. In The Stanford Encyclopedia of Philosophy, Spring 2017 edn., E. N. Zalta ed. Metaphysics Research Lab, Stanford University, 2017.
[37] J. Pearl. Causality: Models, Reasoning and Inference, 2nd edn. Cambridge University Press, New York, NY, USA, 2009.
[38] G. Primiero. Information in the philosophy of computer science. In The Routledge Handbook in the Philosophy of Information, L. Floridi ed., pp. 90–106. Routledge, 2016.
[39] G. Primiero and F. Raimondi. Software theory change for resilient near-complete specifications. In Proceedings of the 6th International Conference on Ambient Systems, Networks and Technologies (ANT 2015), the 5th International Conference on Sustainable Energy Information Technology (SEIT-2015), London, UK, June 2–5, 2015, E. M. Shakshuki ed., pp. 988–995. Procedia Computer Science, vol. 52. Elsevier, 2015.
[40] W. V. Quine. On what there is. The Review of Metaphysics, 2, 21–38, 1948.
[41] W. V. O. Quine. Pursuit of Truth. Harvard University Press, 1990.
[42] W. J. Rapaport. Philosophy of Computer Science. Draft, 2017.
[43] R. B. Stone and K. Wood. Development of a functional basis for design. ASME Journal of Mechanical Design, 122, 359–370, 1999.
[44] R. Turner. Programming languages as technical artifacts. Philosophy & Technology, 27, 377–397, 2014.
[45] R. Turner and N. Angius. The philosophy of computer science. In The Stanford Encyclopedia of Philosophy, Spring 2017 edn., E. N. Zalta ed. Metaphysics Research Lab, Stanford University, 2017.
[46] A. Tzouvaras. Significant parts and identity of artifacts. Notre Dame Journal of Formal Logic, 34, 445–452, 1993.
[47] P. E. Vermaas and W. Houkes. Ascribing functions to technical artefacts: a challenge to etiological accounts of functions. The British Journal for the Philosophy of Science, 54, 261–289, 2003.
[48] D. Wiggins. Sameness and Substance Renewed. Cambridge University Press, 2001.
[49] T. Williamson. Identity and Discrimination. Basil Blackwell, Oxford, 1990.
[50] C. Wright. Frege’s Conception of Numbers as Objects. Aberdeen University Press, Aberdeen, 1983.

© The Author(s) 2018. Published by Oxford University Press. All rights reserved.

Published as: The logic of identity and copy for computational artefacts. Journal of Logic and Computation, 28(6), 1293–1322, 2018-09-01. DOI: 10.1093/logcom/exy012. Retrieved via DeepDyve: https://www.deepdyve.com/lp/oxford-university-press/the-logic-of-identity-and-copy-for-computational-artefacts-MdSII0g0Oz