7.5 A topos of behavior types#
Now that we have discussed logic in a sheaf topos, we return to our motivating example, a topos of behavior types. We begin by discussing the topological space on which behavior types will be sheaves, a space called the interval domain.
Remark 7.75. Note that above, we were thinking very intuitively about time, e.g. when we discussed people being worried about the news. Now we will be thinking about time in a different way, but there is no need to change your answers or reconsider the intuitive thinking done above.
This section constantly references the original research in Temporal Type Theory by Spivak for more details (notice nearly the same PDF style as 7S). From that book:
Some of these temporal logics have very powerful model checkers that can produce a proof or counterexample in finite (though often exponential or doubly-exponential) time, and we make no such claim: our logic is wildly undecidable.
See also Temporal logic. For more on the paper, see Temporal Type Theory | Semantic Scholar. The paper does not seem to be actively developed; search βmontonicβ for a typo in the introduction.
7.5.1 The interval domain#
The interval domain πβ is a specific topological space, which we will use to model intervals of time. In other words, we will be interested in the category \(\textbf{Shv}(πβ)\) of sheaves on the interval domain.
To give a topological space, one must give a pair \((π, \textbf{Op})\), where \(π\) is a set of βpointsβ and \(\textbf{Op}\) is a topology on \(π\); see Definition 7.25. The set of points for πβ is that of all finite closed intervals:
\[ πβ β \{[π,π’] β β \enspace | \enspace π β€ π’\} \]For \(π < π\) in \(β\), let \(π_{[π,π]}\) denote the set \(π_{[π,π]} β \{[π,π’] β πβ \enspace | \enspace a < π β€ π’ < b\}\); these are called basic open sets.
For more on basic open sets, see Base (topology). From Temporal Type Theory:
Namely, for any \(r < s\), the corresponding basic open is \((r, s) β \{[d, u] \enspace | \enspace r < d β€ u < s\} β πβ\).
Moving back to the primary text:
The topology \(\textbf{Op}\) is determined by these basic open sets in that a subset \(π\) is open if it is the union of some collection of basic open sets.
Thus for example, \(π_{[0,5]}\) is an open set: it contains every \([π, π’]\) contained in the open interval \(\{π₯ β β \enspace | \enspace 0 < π₯ < 5\}\). Similarly \(π_{[4,8]}\) is an open set, but note that \(π_{[0,5]} βͺ π_{[4,8]} β π_{[0,8]}\). Indeed, the interval \([2, 6]\) is in the right-hand side but not the left.
βοΈ Exercise 7.76#
Explain why [2, 6] β \(π_{[0,8]}\)
Explain why [2, 6] β \(π_{[0,5]} βͺ π_{[4,8]}\)
See also Exercise 7.76.
Topos of behavior types#
Let \(\textbf{Op}\) denote the open sets of πβ, as described above, and let \(\textbf{BT} := \textbf{Shv}(πβ, \textbf{Op})\) denote the topos of sheaves on this space. We call it the topos of behavior types.
There is an important subspace of πβ, namely the usual space of real numbers β. We see β as a subspace of πβ via the isomorphism:
\[ β β \{[d,u] \in πβ \enspace | \enspace d = u\} \]
Notice that πβ is defined in terms of β, and now weβre trying to map β to a subspace of πβ. The set β and this subspace are not the same; the first is the original definition of β and the second is an infinite set of closed intervals that are essentially points. Letβs call the first β and the second \(β_s\) (for β as a subspace of πβ).
We discussed the usual topology on β in Example 7.26, but we also get a topology on β because it is a subset of πβ; i.e. we have the subspace topology as described in Exercise 7.32. These agree, as the reader can check.
βοΈ Exercise 7.77#
Show that a subset \(π β β\) is open in the subspace topology of \(β β πβ\) iff \(π β© β\) is open in the usual topology on \(β\) defined in Example 7.26.
See also Exercise 7.77.
7.5.2 Sheaves on πβ#
We cannot go into much depth about the sheaf topos \(\textbf{BT} = \textbf{Shv}(πβ, \textbf{Op})\), for reasons of space; we refer the interested reader to Section 7.6. In this section we will briefly discuss what it means to be a sheaf on πβ, giving a few examples including that of the subobject classifier.
What is a sheaf on πβ?#
A sheaf \(π\) on the interval domain \((πβ, \textbf{Op})\) is a functor \(π : \textbf{Op}^{op} β \textbf{Set}\): it assigns to each open set \(π\) a set \(π(π)\); how should we interpret this? An element \(π β π(π)\) is an βevent that takes place throughout the interval \(π\).β Given this \(π\)-event \(π \) together with an open subset of \(π β π\), there is a \(π\)-event \(π |_π\) that tells us what \(π \) is if we regard it as an event taking place throughout \(π\). If \(π = \bigcup_{πβπΌ} π_π\) and we can find matching \(π_π\)-events (\(π _π\)) for each \(π β πΌ\), then the sheaf condition (Definition 7.35) says that they have a unique gluing, i.e. a \(π\)-event \(π β π(π)\) that encompasses all of them: \(π |_{π_i} = π _π\) for each \(π β πΌ\).
We said in Section 7.5.1 that every open set π β πβ can be written as the union of basic open sets \(π_{[π,π]}\) . This implies that any sheaf π is determined by its values \(π(π_{[π,π]})\) on these basic open sets. The sheaf condition furthermore implies that these vary continuously in a certain sense, which we can express formally as:
\[ π(π_{[π,π]}) = \lim\limits_{π>0} π(π_{[πβπ,π+π]}) \]
The author may have meant to write \(\lim\limits_{πβ0}\) in this last equation.
However, rather than get into the details, we describe a few sorts of sheaves that may be of interest.
β Example 7.78#
For any set \(π΄\) there is a sheaf \(\mathtt{A} β \textbf{Shv}(πβ)\) that assigns to each open set \(π\) the set \(\texttt{A}(π) := π΄\). This allows us to refer to integers, or real numbers, or letters of an alphabet, as though they were behaviors. What sort of behavior is \(7 β β\)? It is the sort of behavior that never changes: itβs always seven. Thus \(\mathtt{A}\) is called the constant sheaf on \(π΄\).
See also Constant sheaf.
β Example 7.79#
Fix any topological space \((π, \textbf{Op}_π)\). Then there is a sheaf \(πΉ_π\) of local functions from \(πβ\) to \(π\). That is, for any open set \(π β \textbf{Op}_{πβ}\), we assign the set \(πΉ_π(π) := \{π: π β π \enspace | \enspace \text{π is continuous}\}\). There is also the sheaf \(πΊ_π\) of local functions on the subspace \(β β πβ\). That is, for any open set \(π β \textbf{Op}_{πβ}\), we assign the set \(πΊ_π(π) := \{ π : π β© β β π \enspace | \enspace \text{π is continuous}\}\).
See Sheaf (mathematics) for some mentions of a more general idea:
In mathematics, a sheaf (pl.: sheaves) is a tool for systematically tracking data (such as sets, abelian groups, rings) attached to the open sets of a topological space and defined locally with regard to them. For example, for each open set, the data could be the ring of continuous functions defined on that open set.
In many mathematical branches, several structures defined on a topological space \(X\) (e.g., a differentiable manifold) can be naturally localised or restricted to open subsets \(U β X\): typical examples include continuous real-valued or complex-valued functions,
Many examples of presheaves come from different classes of functions: to any \(U\), one can assign the set \(C^0(U)\) of continuous real-valued functions on \(U\). The restriction maps are then just given by restricting a continuous function on \(U\) to a smaller open subset \(V\), which again is a continuous function.
The presheaf consisting of continuous functions mentioned above is a sheaf. This assertion reduces to checking that, given continuous functions \(f_i: U_i β R\) which agree on the intersections \(U_i β© U_j\), there is a unique continuous function \(f: U β R\) whose restriction equals the \(f_i\).
βοΈ Exercise 7.80#
Letβs check that Example 7.79 makes sense. Fix any topological space \((π, \textbf{Op}_π)\) and any subset \(π β πβ\) of the interval domain. Define \(H_π(π) := \{ π : π β© R β π \enspace | \enspace \text{π is continuous}\}\).
Is \(π»_π\) a presheaf? If not, why not; if so, what are the restriction maps?
Is \(π»_π\) a sheaf? Why or why not?
See also Exercise 7.80.
β Example 7.81#
Another source of examples comes from the world of open hybrid dynamical systems. These are machines whose behavior is a mixture of continuous movementsβgenerally imagined as trajectories through a vector fieldβand discrete jumps. These jumps are imagined as being caused by signals that spontaneously arrive. Over any interval of time, a hybrid system has certain things that it can do and certain things that it cannot. Although we will not make this precise here, there is a construction for converting any hybrid system into a sheaf on πβ; we will give references in Section 7.6.
We refer to sheaves on πβ as behavior types because almost any sort of behavior one can imagine is a behavior type. Of course, a complex behavior typeβsuch as the way someone acts when they are in loveβwould be extremely hard to write down. But the idea is straightforward: for any interval of time, say a three-day interval \((π, π + 3)\), let \(πΏ(π, π + 3)\) denote the set of all possible behaviors a person who is in love could possibly do. Obviously itβs a big, unwieldy set, and no one would want to make it precise. But to the extent that one can imagine that sort of behavior as occurring through time, they could imagine the corresponding sheaf.
The subobject classifier as a sheaf on πβ.#
In any sheaf topos, the subobject classifier \(\Omega\) is itself a sheaf. It is responsible for the truth values in the topos. As we said in Section 7.4.1, when it comes to sheaves on a topological space \((π, \textbf{Op})\), truth values are open subsets \(π β \textbf{Op}\).
\(\textbf{BT}\) is the topos of sheaves on the space \((πβ, \textbf{Op})\), as defined in Section 7.5.1. As always, the subobject classifier \(\Omega\) assigns to any \(π β \textbf{Op}\) the set of open subsets of \(π\), so these are the truth values. But what do they mean? The idea is that every proposition, such as βBob likes the weatherβ returns an open set \(π\), as if to respond that Bob likes the weather ββ¦throughout time period \(π\).β Letβs explore this just a bit more.
Suppose Bob likes the weather throughout the interval \((0, 5)\) and throughout the interval \((4, 8)\). We would probably conclude that Bob likes the weather throughout the interval (0, 8). But what about the more ominous statement βa single pair of eyes has remained watching position \(π\).β Then just because itβs true on \((0, 5)\) and on \((4, 8)\), does not imply that itβs been true on \((0, 8)\): there may have been a change of shift, where one watcher was relieved from their post by another watcher. As another example, consider the statement βthe stock market did not go down by more than 10 points.β This might be true on \((0, 5)\) and true on \((4, 8)\) but not on \((0, 8)\). In order to capture the semantics of statements like theseβstatements that take time to evaluateβwe must use the space πβ rather than the space β.
7.5.2 Safety proofs in temporal logic#
We now have at least a basic idea of what goes into a proof of safety, say for autonomous vehicles, or airplanes in the national airspace system. In fact, the underlying ideas of this chapter came out of a project between MIT, Honeywell Inc., and NASA (q.v. Abstraction, Composition and Contracts). The background for the project was that the National Airspace System consists of many different systems interacting: interactions between airplanes, each of which is an interaction between physics, humans, sensors, and actuators, each of which is an interaction between still more basic parts. The same sort of story would hold for a fleet of autonomous vehicles, as in the introduction to this chapter.
Suppose that each of the systemsβat any levelβis guaranteed to satisfy some property. For example, perhaps we can assume that an engine is either out of gas, has a broken fuel line, or is following the orders of a human driver or pilot. If there is a rupture in the fuel line, the sensors will alert the human within three seconds, etc. Each of the components interact with a number of different variables. In the case of airplanes, a pilot interacts with the radio, the positions of the dials, the position of the thruster, and the visual data in front of her. The componentβhere the pilotβis guaranteed to keep these variables in some relation: βif I see something, I will say somethingβ or βif the dials are in position \(\mathtt{bad\_pos}\), I will engage the thruster within 1 second.β We call these guarantees behavior contracts.
All of the above can be captured in the topos \(\textbf{BT}\) of behavior types. The variables are behavior types: the altimeter is a variable whose value \(π β β_{β₯0}\) is changing continuously with respect to time. The thruster is also a continuously-changing variable whose value is in the range \([0, 1]\), etc.
The guaranteed relationshipsβbehavior contractsβare given by predicates on variables. For example, if the pilot will always engage the thruster within one second of the display dials being in position \(\mathtt{bad\_pos}\), this can be captured by a predicate \(π : \mathtt{dials} Γ \mathtt{thrusters} β \Omega\). While we have not written out a formal language for \(π\), one could imagine the predicate \(π(π·,π)\) for \(π·: \mathtt{dials}\) and \(π: \mathtt{thrusters}\) as:
\[ β(π‘ : β ). @_π‘ \left(\mathtt{bad\_pos}(π·)\right) β β(π : β). (0 < π < 1) β§ β(π': β ). 0 β€ π' β€ 5 β @_{π‘+π+π'} \left(\mathtt{engaged}(π)\right) \hspace{4em} (7.82) \]Here \(@_π‘\) is a modality, as we discussed in Definition 7.69; in fact it turns out to be one of type 3. from Proposition 7.71, but we cannot go into that. For a proposition \(π\), the statement \(@_π‘(π)\) says that \(π\) is true in some small enough neighborhood around \(π‘\). So (7.82) says βstarting within one second of whenever the dials say that we are in a bad position, Iβll engage the thrusters for five seconds.β
Given an actual playing-out-of-events over a time period \(π\), i.e. actual section \(π· β \mathtt{dials}(π)\) and section \(π β \mathtt{thrusters}(π)\), the predicate Eq. (7.82) will hold on certain parts of \(π\) and not others, and this is the truth value of \(π\). Hopefully the pilot upholds her behavior contract at all times she is flying, in which case the truth value will be \(\mathtt{true}\) throughout that interval π. But if the pilot breaks her contract over certain intervals, then this fact is recorded in \(\Omega\).
The logic allows us to record axioms like that shown in Eq. (7.82) and then reason from them: e.g. if the pilot and the airplane, and at least one of the three radars upholds its contract then safe separation will be maintained. We cannot give further details here, but these matters have been worked out in detail in Temporal Type Theory; see Section 7.6.