Mathematics of Modality

MATHEMATICS OF MODALITY
CSLI Lecture Notes No. 43
MATHEMATICS
OF
MODALITY
Robert Goldblatt
CSLI Publications
Center for the Study of Language and Information
Stanford, California
CSLI was founded early in 1983 by researchers from Stanford University, SRI
International, and Xerox PARC to further research and development of inte-
grated theories of language, information, and computation. CSLI headquar-
ters and the publication offices are located at the Stanford site.
CSLI/SRI International CSLI/Stanford CSLI/Xerox PARC
333 Ravenswood Avenue Ventura Hall 3333 Coyote Hill Road
Menlo Park, CA 94025 Stanford, CA 94305 Palo Alto, CA 94304
Copyright 1993
Center for the Study of Language and Information
Leland Stanford Junior University
Printed in the United States
01 00 99 98 97 96 95 94 93 54321
Library of Congress Cataloging-in-Publication Data
Goldblatt, Robert
Mathematics of modality / Robert Goldblatt.
p. cm. (CSLI lecture notes ; no. 43)
Includes bibliography and index.
ISBN 1-881526-24-0 (cloth) ISBN 1-881526-23-2 (paper)
1. Modality (Logic). I. Title. II. Series.
QA9.46.G66 1993
511.3-dc20 93-13522
CIP
"Metamathematics of Modal Logic" originally appeared in Reports on Mathematical

Logic, vol. 6, 41-78 (Part I), and vol. 7, 21-52 (Part II). Copyright 1976 by the Jagiel-
lonian University of Cracow. Reprinted by permission.
"Semantic Analysis of Orthologic" originally appeared in the Journal of Philosophical
Logic, vol. 3, 19-35. Copyright 1974 by D. Reidel Publishing Company, Dordrecht-
Holland. All Rights Reserved. Reprinted by permission of Kluwer Academic Publishers.
"Orthomodularity is Not Elementary" originally appeared in The Journal of Symbolic
Logic, vol. 49, 401-404. Copyright 1984 by The Association for Symbolic Logic. All
Rights Reserved. This reproduction by special permission.
"Arithmetical Necessity, Provability and Intuitionistic Logic" originally appeared in Theo-
ria, vol. 44, 38-46, 1978. Reprinted by permission.
"Diodorean Modality in Minkowski Spacetime" originally appeared in Studia Logica,
vol. 39, 219-236. Copyright 1980 by the Polish Academy of Sciences. Reprinted by
permission.
"Grothendieck Topology as Geometric Modality" originally appeared in Zeitsckrift fur
Mathematische Logik und Grundlagen der Mathematik, vol. 27, 495-529. Copyright
1981 VEB Deutscher Verlag der Wissenschaften Berlin. Reprinted by permission.
"The Semantics of Hoare's Iteration Rule" originally appeared in Studia Logica, vol. 41,
141-158. Copyright 1982 by the Polish Academy of Sciences. Reprinted by permission.
"An Abstract Setting for Henkin Proofs" originally appeared in Topoi, vol. 3, 37-41.
Copyright 1984 by D. Reidel Publishing Company, Dordrecht-Holland. Reprinted by
permission of Kluwer Academic Publishers.
"The McKinsey Axiom is Not Canonical" originally appeared in The Journal of Symbolic
Logic, vol. 56, 554-562. Copyright 1991 by The Association for Symbolic Logic. All
Rights Reserved. This reproduction by special permission.
Contents
Introduction 1
1 Metamathematics of Modal Logic 9
2 Semantic Analysis of Orthologic 81
3 Orthomodularity is not Elementary 99
4 Arithmetical Necessity, Provability and Intuitionistic
Logic 105
5 Diodorean Modality in Minkowski Spacetime 113
6 Grothendieck Topology as Geometric Modality 131
7 The Semantics of Hoare's Iteration Rule 173
8 An Abstract Setting for Henkin Proofs 191
9 A Framework for Infinitary Modal Logic 213
10 The McKinsey Axiom Is Not Canonical 231
11 Elementary Logics are Canonical and
Pseudo-Equational 243
Bibliography 259
Index 267
Introduction
Modal logic is the study of modalitieslogical operations that qualify

assertions about the truth of statements. For example, we may say that
a particular statement is necessarily true, or possibly true, ought to be
true, is known to be true, is believed to be true, has always been true,
will eventually be true, is demonstrably true, and so on.
The study of modalities is an ancient one, dating at least from Aris-
totle, but its most substantial progress has occurred in the last three
decades, since the introduction by Saul Kripke [52] of the use of re-
lational structures to provide a formal semantic analysis of languages
containing modalities. The rich diversity of form supplied by relational
structures has resulted in the method having a significant impact on a
wide range of disciplines, including the philosophy of language ("possi-
ble worlds" semantics), constructive mathematics (intuitionistic logic),
theoretical computer science (dynamic logic, temporal and other logics
for concurrency), and category theory (sheaf semantics). It has led to
the study of more "mathematically" motivated modalities, such as asser-
tions that a statement is provable in Peano arithmetic, or is true locally,
at the next state, along some branch of a tree, or after the computation
terminates.
This volume collects together a number of my papers on modal logic,
concerned with the general nature and capacity of Kripke semantics, its
relationship with the use of algebraic models and methods, and its appli-
cation to various mathematical modalities. The collection begins with
my doctoral thesis, and includes two completely new papers, one on
infinitary rules of inference (Chapter 9), and the other (Chapter 11)
about recent results on the relationship between modal logic and first-
order logic. Another paper (Chapter 8) on the "Henkin method" in
completeness proofs has been substantially extended to include discus-
sion of the Barcan formula in quantificational modal logic, and infinitary
2 MATHEMATICS OF MODALITY
propositioned logic. Other articles are concerned with quantum logic,

provability logic, the temporal logic of relativistic spacetime, modalities
in topos theory, and the logic of programs.
The papers have been reproduced as originally published, with cor-
rections, and in the original style, modified only by MgX's automatic
conventions regarding layout and numbering of chapters, sections, theo-
rems etc. A small amount of editing for uniformity has been undertaken,
but the notation and terminology is by no means systematic through-
out. The reader should bear in mind that the different chapters were
produced at various times over a period of almost twenty years, and are
written to be read independently.
Here now is an abstract of each of the chapters, with notes on any
changes that have been made for this edition.
1. Metamathematics of Modal Logic
The first 18 sections comprise the content of my doctoral thesis, with
the others being added for the published version [36, 37]. The work is
concerned to develop the general structure theory of set-theoretic models
(Kripke frames), analysing validity preserving operationshomomorph-
isms, substructures, disjoint unions, ultraproducts etc.and determin-
ing their relationship with algebraic models (modal algebras). This the-
ory is then applied to a range of questions about definability of classes of
models, the use of "canonical" models, and the correspondence with first-
order logic. Problems considered include: characterisations of classes of
frames that are modal axiomatic, i.e. the class of models of a set of
modal formulae; syntactic criteria for a logic to be determined by its
canonical model; first-order definability of modal formulae; conditions
under which a first-order definable class of frames is modal axiomatic.
I have added a paragraph at the beginning of Section 1.10, pointing
out the priority of the work of Jonsson and Tarski [48] on representa-
tion of Boolean algebras with operators. This provided, a decade before
Kripke's work, all that is needed to prove the completeness with respect
to set-theoretic semantics of several of the more well-known modal sys-
tems.
Apart from correction of misprints, the one significant change con-
cerns the description of the ultraproduct of KM-frames in Section 1.17
(cf. [37, p. 39]).
2. Semantic Analysis of Orthologic
3. Orthomodularity is Not Elementary
These two articles deal with quantum logicthe prepositional logic of
orthomodular lattices. The first develops a Kripke-style semantics for
INTRODUCTION 3
the logic of ortholattices, using orthogonality (irreflexive symmetric)

relations, establishing completeness, decidability via the finite model
property, and the existence of a translation into the Brouwerian modal
system. A limited extension of the modelling is then given for the or-
thomodular law.
The second article shows that this programme cannot lead to a
tractable modelling of orthomodularity: there is no elementary con-
dition on orthogonality relations that characterises the orthomodular
law. This is demonstrated by proving that a pre-Hilbert space is an ele-
mentary substructure, with respect to orthogonality, of its Hilbert space
completion. The paper concludes with a list of open problems about or-
thomodular logic, including most of the important questions one would
ask of a logical system. As far as I know, these are still unresolved.
4. Arithmetical Necessity, Provability and Intuitionistic Logic

The provability interpretation reads the modality D as "it is provable
in Peano arithmetic that". Here we modify this to "true and provable",
which is not the same thing in view of Godels Incompleteness Theorem
on the existence of true but unprovable statements.
Building on the fundamental work of Solovay [91], it is shown that
the modal logic corresponding to this interpretation is the system S4Grz
determined by finite partially-ordered Kripke models. Then by means
of the translation of intuitionistic logic into S4, an interpretation of non-
modal prepositional logic into formal arithmetic is obtained in which
precisely the intuitionistic theorems turn out to be arithmetically neces-
sary in the sense of being true in all models of Peano arithmetic.
5. Diodorean Modality in Minkowski Spacetime

Temporal logic studies such modalities as it will eventually be, it has
always been, it will be at the next moment, etc. Most research has con-
cerned linear time, focusing on the identification of the logics that result
when the temporal ordering is regarded alternatively as being discrete,
dense, or continuous.
Here the context is the non-linear ordering of four dimensional
Minkowski spacetime T 4 . It is shown that under the Diodorean reading
of "necessarily" as "now and forever", the resulting logic is the sys-
tem S4.2, and that the same applies to spacetime T n of any dimension
n > 1. This is achieved by constructing an elaborate sequence of validity-
preserving transformations leading from T71 to any finite S4.2-model.
Some discussion is given of other temporal orderings of spacetime,
including the possibility of distinguishing different dimensions by the
truth of certain formulae when the ordering is irreflexive.
The full temporal logic of T4, with past and future operators, has
still not been investigated, and there remain some challenging open ques-
tions, as indicated at the end of the article.
6. Grothendieck Topology as Geometric Modality

In the axiomatic approach to sheaf theory due to Lawvere and Tierney,
a Grothendieck topology on a category becomes a unary operator on the
"object of truth values" of a topos, hence a suitable entity for interpret-
ing a modality, which Lawvere suggested should be read "it is locally
the case that".
Here the prepositional modal logic defined by this interpretation is
axiomatised and proven to be decidable. This is done by developing
a modelling that combines the Kripke semantics for intuitionistic logic
with that for modal logic, and then using it to construct a suitable
characteristic topology on a topos.
The article includes an intuitive discussion of local truth as meaning
"truth at all nearby points" or "truth throughout some neighbourhood",
and on this basis formulates ,i variety of relational and neighbourhood
models, as well as considering related algebraic models (operators on
Heyting algebras).
Some associated logics are also discussed, including one arising from
the interpretation of double negation as meaning "it is cofinally the case
that".
7. The Semantics of Hoare's Iteration Rule

The modal logic of computer programs associates with each command
a a modality [a] that is read "after a terminates, it will be the case
that". This article examines the resulting logic for commands of the form
(while e do a), and focuses on the Iteration Rule due to to Hoare for
reasoning about the correctness of such programs. The exact semantic
content of Hoare's Rule is determined, and a completeness theorem given
(via the finite model property) which shows that additional principles
are needed to axiomatise the logic of while-commands.
In an earlier monograph [23] I developed an axiomatisation of the
program logic over a general first-order language, using an infinitary
analogue of Hoare's Rule. The first stage of this was a completeness the-
orem for a prepositional logic, using the same infinitary rule. However,
whereas this rule is unavoidable in general in the presence of quantifica-
tion, at the prepositional level the set of valid formulae is decidable and
can be given a finitary axiomatisation [23, p. 79]. This claim is verified
in detail here.
INTRODUCTION 5
8. An Abstract Setting for Henkin Proofs

There are many applications in model theory of the procedure of in-
ductively constructing a maximally consistent theory satisfying certain
prescribed closure conditions. An attempt is made to isolate the essence
of this methodology in terms of a principle, stated in the language of
abstract deducibility relations and inference rules, which specifies con-
ditions under which a consistent set of sentences can be consistently
enlarged to one that "decides" a given set of inferences.
In the original version of this article [24], the Abstract Henkin Princi-
ple was applied to give streamlined proof of completeness and omitting-
types theorems for first-order logic, and for quantificational logic with
infinitary conjunctions. For this edition further demonstrations of its
utility are given, in the form of a discussion of completeness for the Bar-
can formula in quantificational modal logic, and for propositional modal
logics with infinitary inference rules.
9. A Framework for Infinitary Modal Logic
There are natural modal logics that are complete (every consistent sen-
tence is satisfiable) but not strongly complete because they have con-
sistent sets of sentences that are not satisfiable. The problem arises of
extending such a logic to a strongly complete one by the addition of
infinitary inference rules. Similarly, we may ask for an axiomatisation
of the smallest logic that contains a given one and is closed under some
specified infinitary rules. Here a solution is provided in a general con-
text, and is given in terms of the proof theory and model theory of an
n-ary modality D(Ai,..., An), rather than just a unary connective.
For certain infinitary systems studied in Section 8.7, it was noted
as a consequence of the completeness theorem that maximally finitely
consistent sets having particular closure properties turn out to be fully
consistent and deductively closed. The theory of Chapter 9 gives an
account of this phenomenon that is purely proof-theoretic and prior to
any model-theoretic analysis.
10. The McKinsey Axiom is Not Canonical
The McKinsey axiom DOA > ODA was shown in Section 1.17 not
to be determined by any elementary (i.e. first-order definable) class of
Kripke frames. Here it is shown to have a model on its canonical frame
that falsifies it. This technical result, which was a long-standing open
problem, has conceptual significance for the relationship between modal
and first-order logic, as embodied in the question as to whether modal
logics validated by their canonical frames are precisely those determined
by an elementary class.
The McKinsey axiom is the simplest formula not belonging to a very

general syntactically defined class, devised by Sahlqvist [79] , whose mem-
bers are known to be elementary and canonical. Thus the import of this
article is that there is no natural way to extend Sahlqvist's scheme to
obtain a larger class of canonical formulae.
In the original paper [30] , the result that an elementary logic is canon-
ical was attributed to van Benthem [102], whereas it was in fact first
proven by Fine [15, Theorem 3], with van Benthem's contribution being
to extend the result to show that such a logic is preserved by "ultra-
filter extensions" of frames, which are the "completions" of Definition
11. Elementary Logics are Canonical and Pseudo-Equational

If a logic A is determined by some elementary class of Kripke frames,
then it is valid in its canonical frame FA [15, Theorem 3]. The conclusion
of this result is strengthened here in several ways. First, it is shown that
A is valid in any member of the class K-A of all models of the first-order
theory of FA, i.e. in any frame elementarily equivalent to FA. Then it
is shown that A is valid in any member of the class Mod &A of models of
the pseudo-equational theory of FA, a pseudo-equational sentence being
one of the form Vx</> with <j) constructed from atomic formulae using only
positive connectives and bounded quantifiers. On the way it is shown
that if 1C is any elementary class determining A, then A is valid in all
members of the class Mod &K. of models of the pseudo-equational theory
of /C, and indeed that
TA K.A C Mod<PA C Mod$K. C {f : T |= A},
with none of these set inclusions being an equality in general.
It remains unresolved at the point of writing as to whether every
canonical logic is determined by some elementary class of frames, and
so the final section explores a number of equivalent formulations of el-
ementarily in terms of stability properties of classes of general frames
with natural definability properties. The unresolved question is shown
to reduce to the problem of proving A is valid in all ultrapowers of FA .
Acknowledgements
My work has benefited from many interactions over the years with a
number of modal logicians who have contributed remarkably to the sub-
ject: Johan van Benthem, Robert Bull, Max Cresswell, Kit Fine, George
Hughes, Krister Segerberg, and Steve Thomason. I am grateful also to
INTRODUCTION 7
Wilf Malcolm for the inspiration of his teaching and for providing my
introduction to the world of models and ultraproducts.
The new material was written during tenure of a Visiting Fellow-
ship at the Centre for Information Science Research of the Australian
National University, supported also by a sabbatical grant from Victo-
ria University. I thank Professor Michael McRobbie for the conducive
facilities that were made available to me at the Centre.
I am indebted to Jason Christopher for carrying out the initial re-
formatting of the previously published papers. Finally, I want to record
my gratitude to Dikran Karagueuzian, friend and "faithful editor", for
making the project possible, and for furnishing a marvelous typesetting
and publishing environment within which to carry it out.
[email protected]
Waitangi Day, 1993
Metamathematics of Modal Logic
Contents
Introduction and Summary

1.1 Syntax
1.2 Modal Algebras and Kripke Frames
1.3 First-Order Frames
1.4 Subframes
1.5 Homomorphisms
1.6 Disjoint Unions
1.7 Ultraproducts
1.8 Compactness and Semantic Consequence
1.9 Descriptive Frames
1.10 The Categories of Descriptive Frames and Modal Algebras
1.11 Inverse Limits of Descriptive Frames
1.12 Modal Axiomatic Classes
1.13 Characteristic Models Revisited
1.14 d-Persistent Formulae
1.15 A General Characterisation Theorem
1.16 First-Order Definability
1.17 The Logic KM
1.18 Some Special Classes of Formulae
1.19 Replete Frames and Saturated Models.
1.20 17,4-Elementary Classes of Kripke Frames
Introduction and Summary

"The formal study of symbols of systems either in their relation to one
another (syntax) or in their relation to assigned meanings (semantics)
is called metamathematics...". (R. Feys and F. B. Fitch, Dictionary of
Symbols of Mathematical Logic, North-Holland, 1969.)
This study is concerned with the mathematical objects that provide in-
terpretations, or models, of formal prepositional languages. Historically
there have been two kinds of approach in this area. The first of these,
algebraic semantics, employs algebras, typically lattices with operators,
as models. Prepositional variables range over elements of the lattice,
and formal connectives correspond to its operators. In other words each
formula induces a polynomial function on any of its algebraic models.
Truth and validity of formulae are then defined in terms of designated
polynomial values.
The other approach is set-theoretic semantics. Here the models,
known as frames, carry structural features other than finitary opera-
tions, such as neighborhood systems and finitary relations. Formulae
are then interpreted as subsets of the frame in a manner constrained by
its particular structure.
These two kinds of model are closely related. Algebras may be con-
structed as subset lattices of frames. Frames may be obtained from
algebras through various lattice representations. Furthermore the syn-
tactical frame constructions in the Henkin style that are now widely
employed in set-theoretic semantics may be mirrored on the algebraic
level to recover the lattice representations.
The guiding theme of the present work is the relationship between
frame and algebra, and the relative strengths and limitations of the se-
mantical frameworks that these notions determine. The vehicle chosen
for this study is normal modal logic. It should however be stressed
from the outset that many of the concepts and results developed may
be parallelled in other areas, or even stated for an abstract formal lan-
guage. On the other hand modal logic provides a natural context for
the discussion given. It is the most widely investigated and best un-
derstood branch of non-classical propositional logic. Indeed it was here
that set-theoretic semantics began with the work of Saul Kripke [51, 52].
The significance of Kripke's method was quickly recognised, particularly
since he showed that different logics could be characterised by imposing
simple conditions on models. The 1960's saw these ideas being rapidly
applied to tense, deontic, epistemic, and intuitionist logics, and to oth-
ers besides. Currently they are proving relevant to such diverse areas
METAMATHEMATICS OF MODAL LOGIC 11
as the foundations of physics (quantum logic) and the study of natural

languages.
In 1966 E. J. Lemmon [59] conjectured that the method was com-
pletely general in its application, and that all modal logics possessed a
characteristic class of Kripke models. Recently this has been shown to
be false by Fine [13] and Thomason [97] who independently constructed
logics for which no such class exists. These results gave the first real
evidence that the Kripke modelling had its limitations, and have given
impetus to a new line of research that is concerned rather more with the
general nature of the discipline than with its particular applications.
It now seems that, in as much as formulae are interpreted as subsets
of models, modal logic is fundamentally of the same species as second
order quantificational logic. The Kripke models are then analogous to
the principal models of second order logic, in which all possible sets and
relations are present. As is well known, the exclusive use of principal
models results in non-compact and incomplete logics. It is only by the
introduction of secondary models, with restricted interpretations, that a
uniform completeness theorem can be obtained.
The first part of the present study (Sections 1-11) develops the gen-
eral structure theory of "first-order" frames. These are the secondary
models for modal logic. The initial emphasis is on validity preserving
constructions subframes, homomorphisms, disjoint unions, ultraprod-
ucts each of which corresponds to a polynomial-identity preserving
construction on modal algebras. This is followed by the examination of
a new kind of model the descriptive frame. These structures are de-
signed to provide an exact set-theoretic analogue to the modal algebra,
and indeed they give rise to a category that is dual to the category of
modal algebras. Because of this relationship, descriptive frames have
proven invaluable in solving a wide range of problems. The later form
the major pre-occupation of Sections 12-20. The problems considered
there include: characterisations of classes of frames that are modal ax-
iomatic, i.e. the class of models of a set of modal formulae; syntactic
criteria for a logic to be determined by its principal models; elementary
definability of modal formulae; conditions under which an elementary
class of frames is modal axiomatic.
Sections 1-18 comprise the content of my doctoral thesis, written at
the Victoria University of Wellington in late 1973 (Section 16 was rewrit-
ten in the light of subsequent developments). I would like to express my
gratitude to my supervisors, Professors M. J. Cresswell, G. E. Hughes,
and C. J. Seelye. To the various participants in the logic seminars at
VUW, and in particular Professor W. G. Malcolm, I am indebted for

many opportunities to discuss problems and results.
The development and presentation of much of what appears below
has benefited from some stimulating discussions and correspondence
with Professor S. K. Thomason.
1.1 Syntax
Modal logic is designed to formalise philosophical discourse about the
nature of necessity, possibility, and strict implication. A typical object
language for such an inquiry (and one that will remain fixed throughout
this chapter) has the following primitive symbols:
(i) a denumerable collection of prepositional variables (p, q, pi, qi,
etc.),
(ii) the Boolean connectives -i (negation), and A (conjunction),
(iii) the modal connective D (necessity),
(iv) brackets ( and ) .
The class <? of all (well-formed) formulae (wffs) of this language is de-
fined by the three formation rules:
(1) each variable is a wff,
(2) if a is a wff, so are ->a and Da,
(3) if a and J3 are wffs, so is (a A /3).
The Boolean connectives V (disjunction), > (material implication), <->
(material equivalence) and the modal O (possibility) are introduced as
the abbreviations
a V /3 for -i(-ia A -i/3)
a -> (3 for ->a V /3
a <- /3 for (a -> 0) A (/? - a)
Oa for -iQ-ia
(Brackets may be omitted where convenient, the convention for reading
formulae being that -i , D and O bind more strongly than V and A, the
latter binding more strongly than and <-.)
The syntactical study of formulae is concerned with formal relation-
ships between wffs, and focuses on the notion of derivability. In this
context a useful distinction can be made between axiom systems and
logics. An axiom system 5 has two basic componentsa set of wffs,
called axioms, and a set of rules of inference that govern operations al-
lowing certain formulae to be derived from others. A wff a is said to be
a theorem of S, written hgoj, if there exists in 5 a proof of a, i.e. a finite
sequence of wffs whose last member is a, and such that each member of
the sequence is either an axiom, or derivable from earlier members by
one of the rules of inference of 5.
A logic, on the other hand, can be thought of as a set A of wffs closed
under the application of certain inferential rules to its members. The
members of A are called yl-theorems, and in this case the symbolism
\~AOC indicates merely that a e A.
For example, if 5 is an axiom system, than an S-logic can be defined
as any set of wffs that includes all the axioms of 5 and is closed under
the rules of S. In general the intersection AS of all S-logics will be an
S-logic whose members are precisely those wffs for which there are proofs
in 5. This is often described by saying that S is an aziomatisation of
AS, or that AS is generated by 5.
Thus each axiom system has a corresponding logic (the set of its
theorems) and in some formal treatments little or no distinction is made
between the two. The converse however is not true. Not every logic is
axiomatisable. In any semantical framework, the set of wffs true in a
particular model will be a logic of some kind, for which, in some cases,
there may be no effectively specifiable generating procedure. A classic
example is the first-order theory of the standard model of arithmetic.
Definition 1.1.1 A modal logic is a set A C < satisfying
(i) A contains all tautologies of the classical prepositional calculus PC,
(ii) if a, (a > (3) 6 A, then /3 6 A (Modus Ponens),
(iii) if a A and ft is obtained from a by uniformly replacing some
variable by some other wff, then /3 A (Uniform Substitution).
The symbol K (for Kripke) denotes the logic axiomatised by the system
that has a standard basis for PC (including Modus Ponens and Uniform
Substitution as rules of inference) together with the axiom
D(p -> q) -> (Dp -> Hq)
and the rule of Necessitation:
from a to infer Da.
A logic is normal iff it contains K and is closed under Necessitation. If
F is a set of wffs, KF denotes the normal logic generated by adding the
members of F as extra axioms to the system that generates K.
Definition 1.1.2 Let A be a modal logic, F C $, and a $. Then a
is A-derivable from F, F\-/[ a iff there exist oti,... ,an 6 F such that
(ai A ... A an > a) G A. a is an A-theorem, \~A a, iff a . A. F is
A-consistent iff there is at least one wff not A-derivable from F, and
A-inconsistent otherwise. F is A-maximal iff F is A-consistent and
for each wff a, either a F or -<a 6 F. We denote by WA the class of

A-maximal subsets of $. For a $, \a\A = {x WA : a a;} and for
r c $, \r\A = f|{|aU : a e r } = {xWA:rcx}.
A proof of the following two (equivalent) results may be found in [59,
Section 0].
Theorem 1.1.3
(1) Every A-consistent set of wffs has an A-maximal extension.
(2) F \~A a iff \F\A C \oe\A (i.e. iff every A-maximal extension of F
contain a).
1.2 Modal Algebras and Kripke Frames

Having set up the basic syntactical machinery for modal logic, we turn
to the semantical study of formulae. This branch of metamathematics
is concerned with the assignment of meanings or interpretations to wffs,
and the setting out of conditions under which a wff is to be regarded
as being true or false. Modal algebraic semantics has its origins in the
work of McKinsey and Tarski [67, 68] and has been further developed
by Lemmon [57, 58].
Definition 1.2.1 A normal modal algebra (MA) is a structure
a = (A,n,',/},
where
(i) (A,n, ') is a Boolean algebra (BA), and
(ii) I is a unary operator on A satisfying l(a n b) = la n Ib, and II = 1,
where 1 is the unit element o/2l.
Now each wff a(pi, . . . ,pn) with n variables induces an n-ary polynomial
function [39, p. 37] ft* on 21 which may be defined inductively as follows:
! , . . , On) =
a is valid on 21 (21 j= a) iff h* = 1 identically on 21 (i.e. h* takes the

value 1 for all arguments in its domain). It is easy to see that every
polynomial on 21 is of the form /i^, for some a #, and that h* = h
identically iff 21 \= (a <-> 0) iff h%^p = 1 identically.
A logic A is said to be determined or characterised by a class

of MA's iff for any 0 6 $ , \-Aa iff 21 |= a for all 21 <.
That every logic is characterised by a single algebra is shown by the
following classic construction.
Definition 1.2.2 If A is a modal logic, then the Lindenbaum algebra
for A is the structure 2U = (A/i,(~\, ', /} defined as follows:
AA = {\\a\\A '&&$}, where

\\a\\A = {/? : a =A /?}, and a -A @ iff \~A a <-> (3
\\a\Â = lh"IU
JdMU) = ||Da|U
A proof that %A is well defined, characterises /I, and is an MA if 7l is a

normal logic, may be found in Lemmon [57, Section II] .
In an MA 21, a unary operator m corresponding to the modal con-
nective O may be defined by the equation ma = (l(a'))'
Theorem 1.2.3
(1) m(a(Jb) = maUmfe, where U is the join operation 0/21, i.e. a U f c =
(a'nb')'.
(2) mO = 0, where 0 = 1' is the least element o/2l.
(3) I and m are monotonic, i.e. a < b only if la < Ib and ma < mb,
where < is the lattice ordering o/2l.
(4) tiâ = 7no h%, where o denotes functional composition.
(5) /o = (m(o'))'.
Set-theoretic modelling of modal formulae seems to have been first
explicitly described by Saul Kripke [51, 52], and has subsequently been
developed by a number of authors (cf. [47, 59, 86]).
Definition 1.2.4 A Kripke frame (K-frame) is a structure T =
(W,R), where W is a non-empty set, the base-set or carrier of T,
and R is a binary relation on W.
A valuation V on T is a function that associates with each variable
p a subset V(p) of W. The domain of V is extended to all of $ by the
stipulations
(i) x V(a A /?) iff x 6 V(a) and x V(p)
(ii) xV(->a) i f f x $ V ( a )
(iii) x V(Oa) iff for all y, if xRy then y V(a); and hence
(iv) x V(Oa) iff for some y, xRy and y e V(a).

a is valid on f (T (= a) iff V(a) = W for all valuations V on T. a
is valid on a class C of frames (C \= a) iff T \= a for all f e .
determines or characterises a logic A iff for all a e <, h^ a iff < \=
a.
The intuitive content of 1.2.4 is that W is a set of "possible worlds" or

"states of affairs" and that worlds x and y are related (xRy) iff y is a
world accessible to x, a conceivable alternative state of affairs to a;. A
proposition is identified with the set V(a) of worlds in which it is true.
Clause (iii) then formalises the Leibnizian notion that a necessary truth
is one that holds in all conceivable states of affairs.
A proof that the logic K is determined by the class of all ff-frames
is given in [59, Section 2] and employs the following construction:
Definition 1.2.5 If A is a normal modal logic, the canonical K-
frame for A is the structure F% = (WA,RA), where
(i) WA is the class of A-maximal subsets of $, and
(ii) xRAy i f f { A $ : D A x } C y i f f {OA :Ay}Cx.
The canonical valuation VA is defined by VA(P) = \P\A (cf. 1.1.2).
Theorem 1.2.6 For all a e <?, Vâ) = \O\A-
Proof. See Section 2, p. 7, of [59]. D
It follows from 1.2.6 and 1.1.3 that iiA a then VA(a) ^ WA and
hence that any non-theorem of A is not valid on J-%. However, as we
shall see in Section 1.18, the converse is not always true, and so not all
normal logics are determined by their canonical AT-frames.
Definition 1.2.7 Two models (algebraic or set-theoretic) are seman-
tically equivalent iff they validate precisely the same modal wffs.
1.3 First-Order Frames

Connections between modal algebras and Kripke frames were studied
by E. J. Lemmon in [57], where it is shown that each AT-frame has a
semantically equivalent MA.
Definition 1.3.1 If F = (W,R) is a K-frame then F+ is the MA
(2^,0, -, IR), where 2W is the power set of W (the set of all subsets
f W), n and are set intersection and complementation respectively,
and for S C W,
1R(S) = {x e W : Vy(zRy ^y S)}.
That F+ satisfies 1.2.1 is easily checked. Note that

mR(S) = -lR(-S) = {x W : 3y(xRy and y e 5)}.
The operators IR and THR are of course interdefinable using -, and in
subsequent computations we will use whichever of them is most conve-
nient (in fact it usually turns out that m.R is easier to handle).
Theorem 1.3.2 Let a(p\, . . .pn) 6 # Then for any valuation V on F,
Proof. By induction on the length of a, using 1.2.1, 1.2.4, and 1.3.1 as

in the Lemma of [57, p. 61]. D
Corollary 1.3.3 T\= a iff F+\= a.
Proof. As in [57, Theorem 21], using 1.3.2. D
We see from 1.3.3 that any set-theoretic falsification of a wff gives rise
to an algebraic falsification of it, and so a wff is valid on all MA'S only
if it is valid on all .fi'-frames. To prove the converse, Lemmon showed,
by a refinement of Stone's Representation Theorem for JBA's, that any
MA can be isomorphically embedded in F+ for some /iT-frame T. In
this way an algebraic falsification of a wff gives rise to a set-theoretic
one.
Thus as far as the condition of validity over a class of structures
is concerned, the concepts of if-frame and modal algebra produce the
same class of wffs. However, there are limitations on the correspondences
described above. Kripke [53], in a review of Lemmon's work, pointed
out that there are wffs that are valid on a particular algebra, but not
valid on the associated frame of that algebra. The reason why this is
possible is that the algebra is isomorphic in general not to F+ , but only
to a subalgebra of it. In other words, the elements of the original algebra
correspond to some, but not all, subsets of the frame.
In an attempt to improve on Lemmon's work, D. C. Makinson [65]
devised a new kind of set-theoretic model, and showed that to each MA
T there was an equivalent model 21+ of his kind, and to each model f
there was an equivalent MA T+ . Furthermore, he proved
(1) 21 is isomorphic to (2l+) + ,
but that we do not in general have
(2) f is isomorphic to (J"+)+.
Thus, while MA's and Makinson's models are semantically equivalent,
they are not equivalent as mathematical objects. For the latter, at
least according to the definition provided by Category Theory, we would
require both (1) and (2) to hold.
Now Makinson's models involve a restriction on those subsets of a

frame that can serve as the interpretation of a wff. That a constraint
of this nature is needed would seem to be indicated by the above com-
ments on Lemmon's construction of the frame corresponding to an MA.
However, the models of [65] include reference to a set of valuations and
so their very definition is dependent on a particular object language. In
order to avoid this limitation, we adopt the following approach, due to
S. K. Thomason [96].
Definition 1.3.4 A (normal modal) frame is a structure
F=(W,R,P),
where
(i) (W, R) is a K-frame, and
(ii) P is a non-empty collection of subsets of W that is closed under l~l,
-, and 1R.
A valuation V on a frame T is a function as in 1.2.4 w^ the added
requirement
(iii) V(p) 6 P, for all variables p.
Condition (ii) then guarantees that
(iv) V(a) 6 P, all a$.
The definition of validity etc. remains as in 1.2.4-
Definition 1.3.5 If f' (W, R, P) is a frame, then F+ is the structure
(P,n,-, JK), an MA by 1.3.4(ii).
The statement of Theorem 1.3.2 continues to hold for the new defi-
nition of frame, valuation, and associated MA. Thus for the structures
of 1.3.5 we again have F semantically equivalent to T*.
A frame f is said to be full iff P = 2W. It is clear from 1.3.3 and the
above observations that the K-frame (W, R) is equivalent to the frame
(W, R, 2W), although formally they are not the same thing.
Example 1.3.6 If V is a valution on a K-iiame T = (W, R), then by
1.2.4, 1.3.1 and 1.3.4, fv = (W,R,Py) is frame, where Pv = {V(a) :
a $}. Since Py is countable ($ being denumerable), fy will not be
full if W is not finite.
In order to distinguish the modelling of 1.2.4 from that of 1.3.4,
Thomason [96] used the names second-order semantics for the former,
and first-order semantics for the latter (the motivation for this termi-
nology may be found in [96, p. 152]).
In Section 1.9 we will use first-order frames to develop a set-theoretic
structure that in relation to MA's satisfies all the requirements of equiv-
alence that have been discussed in the present section. Before doing that,
however, we examine a number of frame constructions that preserve the
validity of modal formulae.
1.4 Subframes
Our first observation about subobjects is effectively a reformulation of
the general algebraic fact that polynomial identities are preserved under
subalgebras.
Theorem 1.4.1 LetF=(W,R,P) and FI = (W,R,Pi) be frames with
PI C P. Then F \= a only if ^ \= a.
Proof. By hypothesis, and by 1.3.4(ii), J^ is a sub-M.A of F+, so
h%i+ = 1 identically only if hal = 1. The result then follows by the
equivalence of JF and T\ to F+ and F^ respectively. D
Our next concern is with frames whose base is a proper subset of the
base of a given frame. For this we need some preliminary definitions.
Definition 1.4.2 Let R be a binary relation on W . For each k N (the
set of natural numbers) we define the relation Rk C W2 by the inductive
scheme
xRy iff x =y
xRk+ly iff 3z(xRz and zRky).
Definition 1.4.3 IfRCW2, then W'CW is R-hereditary iff
ifx&W and xRy, then y W'.
It is readily seen that the intersection of a class of .R-hereditary sets
is itself .R-hereditary, and so for any W' C W there is a smallest R-
hereditary set W'R containing W.
Theorem 1.4.4 W'R = { y : 3x3k(x e W and xRky)}.
Proof. The right-hand set is ^-hereditary, contains W (by 1.4.2 with
k 0), and is contained in any other .R-hereditary set that contains W.
D
Definition 1.4.5 If F = (W,R,P) and F = (W',R',P') are frames,

then f is a subframe of T (written f C F) iff
(i) W is an R-hereditary subset ofW,
(ii) K = Rr\(W xW),
(iii) P* = { W ' n 5 : 5 6 P } .
Theorem 1.4.6 // W is an R-hereditary subset of W, and R' = R n
(W xW), then
(i) W - (W n 5) = W 0 (W - S),
(ii) (W ns)r\ (W n 50 = W n (s n SO,
(iii) rnK (W n 5) = W n mR(S),
(iv) iR,(W'nS) = w'niR(S).
Proof, (i) and (ii) are straightforward. For (iii), let x e m,Ri(W n 5).
Then x E.W and xR'y for some y EW'ftS. Then z.Rj/, and since y e 5,
x e mR(S). Conversely, if x G W n mfl(5) then x &W and zfty for
some i / 6 5 . Since W is fl-herditary, y e VP' (hence y e W n 5) and
so xR'y. Thus a; 6 mK(W D 5).
(iv) follows by (i), (iii) and 1.2.3(5). D
Corollary 1.4.7 If F = (W,R,P) is a frame and W C W is R-
hereditary, then FW = {W',R',Pw>) is a subframe of F, where R'
Rr\(W'x W) and Pw = {W n 5 : 5 6 P}.
Proof. The only requirement of 1.4.5 that is not automatically satisfied
is that FW is a frame, i.e. PW> is closed under n, ,and IK- But
this follows from 1.4.6 and the closure of P under the corresponding
operations. D
Corollary 1.4.8 Let {F% : i /} be a collection of subframes of F, and
W = flie/Wi. Then ifW'^, Fw> is a subframe o f F .
Proof. W is E-hereditary (each Wi being so), hence the result by 1.4.7.
D
1.4.8 states in effect that the intersection of subframes is a subframe,
so each W C W has a smallest subframe of F containing it. This sub-
frame is of course FW> (cf. 1.4.4,1.4.7), and will be called the subframe
f F generated by W. If W = {x} then FW will be written simply
as Fx, the subframe generated by x.
If (W,R) is a /f-frame and W C W, then (W',Rr\ (W x W1)}
is a substructure of (W,R), as that term is understood in the theory
of relational structures, but will not be regarded as a subframe unless
W is ^-hereditary. That 1.4.5 provides the appropriate subobjects for
modal logic is shown by the next result and its corollary.
Theorem 1.4.9 // F' C F, afa ... ,pn) $, and Si,..., Sn e P,
hC(W n 5i,..., W n 5n) - W n fc+(Si, - - ,5n).
Proof. By induction on the length of a, using 1.4.6. D
Corollary 1.4.10 // F' C F and F \= a then F' \= a.
Proof. It suffices to prove that F+ \= a only if F'+ \= a. If F'+ a,
there exist TI, ... ,Tn P' such that h+(Ti,... ,T n ) ^ W (W being
the unit element of P+). By 1.4.5(iii), for 1 < i < n there is Si P

such that Ti = W'n S4. Thus by 1.4.9, W r\h*(Si,..., Sn) ^ W, so
W < h^+(Sl,. . . , 5n). Hence h*(Si,. ..,Sn)^W, so ^+ P a. O
In the context of -ftT-frames, we have the following special case of
1.4.9.
Theorem 1.4.11 Let V be a valuation on (W,R), W C W, and
(W'R,R') the sub-K-frame generated by W (W'R is as in 1.4.4 and
R' = Rn(W'R x W'R)). Define Vw, by Vw,(p) = W'RnV(p), all variables
p. Then Vw.(a) = W'Rn V(a), all a 6 $.
The function Vw (above) will be called the valuation derived from
(generated by) V.
From now on, if no confusion arises, we will use the same symbol to
denote the binary relation on a frame and any of its subframes.
1.5 Homomorphisms
That subframes preserve validity (1.4.10) may in fact be established
indirectly from the preservation of polynomial identities under homo-
morphisms of algebras. For if P C T, then the map 5 i-> W n 5 is
by 1.4.5 and 1.4.6 an MA-homomorphism of F+ onto P+. There are
a number of other algebraic constructions that preserve identities (sub-
algebras, direct products, direct limits, ultraproducts) and, as we shall
see, each of these is associated with a particular frame construction. In
this section, it is shown that structure preserving maps between frames
are linked with sub-M^4's.
Definition 1.5.1 Ij T and P are frames, a map Q : W W is a
frame homomorphism of T into P iff
(1) xRy onlyifQ(x)R'Q(y),
(2) Q(x)R'z only if 3y(xRy and Q(y) = z),
(3) 5 e P' only i!Q~l(S) P, where Q~l(S) = {x e W : Q(x) S}.
If Q is surjective (onto, i.e. Q(W) = W), then P is a homomorphic
image of J~ (written P ^ f ) .
Q is an embedding iff it is injective (one-to-one) and satisfies
(4) S P =* 3T P'(Q(S) = Q(W) n T).
If Q is bijective (injective and onto) and Q~l is a homomorphism then Q
is an isomorphism, in which case f and P are isomorphic (f ^ P). An
isomorphism may alternatively be described as a surjective embedding.
Note that a bijective homomorphism need not be an isomorphism, e.g.
ii P 2W then the identity map from (W,R,2W) to (W,R,P) is a

bijective homomorphism whose inverse does not satisfy 1.5.1(3).
Theorem 1.5.2 // Q : T > T' is a frame homomorphism, then for
S,T CW
(i) Q-1(W'-S) = W-Q-l(S),
(ii) Q
(iii) Q
(iv) Q
Proof, (i) and (ii) are basic properties of inverses of set maps. For
(iii), let x Q'^niR^S)). Then Q(x) E mR>(S), so Q(x)R'z, for
some z 6 5. By 1.5.1(2), xRy for some y such that Q(y) = z, hence
y e Q-1^)- Thus a; m fl (Q- 1 (S)). Conversely, if a; mR(Q~l(S)),
xRy for some y e Q~1(S), i.e. Q(T/) S. But by 1.5.1(1), Q(x)R'Q(y),
so <5(cc) m fi /(5) and therefore i e <3~ 1 ( rn fl'(^'))-
(iv) follows by (i), (iii) and 1.2.3(5). D
Theorem 1.5.3 Let Q : T > T' be a homomorphism and FQ
(WQ,R',PQ) be the subframe of F' generated by Q(W). Then
(1) FQ is a homomorphic image of F under Q, and
(2) TQ = T if Q is an embedding.
Proof.
(1) By 1.5.1(2), Q(W) is an ^'-hereditary set, so WQ, the base of TQ,
is just Q(W) itself, so Q maps onto FQ. If S PQ, S = Q(W)r\T
for some T P' (1.4.7). Then Q~1(S) = Q~1(Q(W) n T) =
Q~l(Q(W)) n Q~l(T] = Wn Q~\T) = Q~l(T) e P by 1.5.1(3).
Thus Q : T J-g is a homomorphism.
(2) If Q is injective then (Q"1^1 = Q. The definition of embedding
then gives 5 e P only if (Q~1)~l(S) - Q(S) 6 PQ, so Q"1 is a ho-
momorphism. This, together with (1), yields Q as an isomorphism
between f and TQ .
D
Theorem 1.5.4 // Q : ? > T' is a homomorphism, a(pi, . . . ,pn) e ,

and Si,...,5 n e P', /ien
Proo/. By induction on the length of a, using 1.5.2. Note that 1.5.1(3)

is needed to ensure that the indicated argument appears in the domain
of/if. D
Corollary 1.5.5 // F ^ T and T \= a then T' \= a.

Proof. Let Q be a homomorphism from T onto f . Then
= Q(h^(Q-1(Si),...,Q~1(Sn))) (1.5.4)
- Q(W) (f+\=<*)
= W (Qonto).
Thus F+ \= a, so f (= a. D
Corollary 1.5.6 Isomorphic frames are semantically equivalent.
Theorem 1.5.7 If f is embeddable in F , then f \= a only if T |= a.
Proof. Let Q : T -> .F' be an embedding. Then JF' D TQ and FQ^T
(1.5.3). The result follows by 1.4.10 and 1.5.6. D
Theorem 1.4.1 may be regarded as a special case of 1.5.5, for in that
theorem the identity map is a homomorphism from T onto T\ .
We now show how frame homomorphisms give rise to structure pre-
serving maps of the associated ATA's.
Definition 1.5.8 If Q : T T' is a frame homomorphism, then Q+ :
T'+ - ^+ is defined by Q+(S) = Q~1(S), all S e P1 .
By 1.5.1(3), Q+ is indeed a mapping into P.
Theorem 1.5.9
(1) Q+ is an M A-homomorphism.
(2) Q+ is injective if Q is onto.
(3) Q+ is onto if Q is an embedding.
(4) Q+ is an M A-isomorphism if Q is a frame isomorphism.
Proof.
(1) An MA-homomorphism is a mapping of Myl's that preserves the
MA operators, so we have to show that Q+(S D T) = Q+(S) n
Q+(T), Q+(-S) = -Q+(S), and Q+(mR,(S)) = mR(Q+(S)).
But this is immediate from 1.5.8 and 1.5.2.
(2) Suppose Q+(S) - Q+(T), i.e. Q~l(S) = Q~l(T). Then Q(Q~l(S))
= Q(Q~l(T)). But as Q is onto, Q(Q~1(S)) = S, Q(Q-1(T)) = T,
whence S = T as required.
(3) Let S P. Then as Q is an embedding, Q(5) = Q(W) n T, for
some T 6 P'. Clearly S C Q~l(T). But if x Q"1^), Q(x)
T n Q(W) = Q(S), so Q(x) = Q(y) for some y e S. But Q is
injective, so x = y 6 S. Hence <2-1(T) = S, i.e. <5+(T) = S, and
<3+ is onto.
(4) Follows from (1) - (3). D
Theorem 1.5.5 may now be obtained indirectly from 1.5.9, for if T' is
a homomorphic image of f ', by 1.5.9 there is an injective homomorphism
from F'+ to f+ '. Thus F'+ is isomorphic to a sub- MA of .F+, and
polynomial identities are preserved under subalgebras and isomorphisms.
Similarly for 1.5.7, if f is embeddable in T' , by 1.5.9 f+ is a homo-
morphic image of F'+ , so validity is preserved in passing from the latter
to the former.
1.6 Disjoint Unions

In this section we examine the frame construction that corresponds to
direct products of MA'S.
Definition 1.6.1 Let \Ti : i 6 /} be a family of pairwise disjoint
frames, i.e. Wi l~l Wj = 0, for i ^ j E I. The disjoint union of
the J-{ 's is the frame
EieIK = (W,R,P),
where
(i) W = \JieIWi,
(ii) R = \JieIRi,
(iii) P={SCW -.SnWiZPi, alii /}.
Since the Wj's are disjoint, (iii) is equivalent to
(iv) 5 6 P iff there exists Si Pi, all i /, such that S = \JilSi.
In fact Si = SC\Wi, so the expression of 5 as \J Si is uniquely determined.
That ^.Fi is a frame, i.e. P is closed under D, , and mR, is shown
by the next theorem, whose proof follows easily from the disjointness of
the WVs and the fi^'s.
Theorem 1.6.2 Let S = \J Si, T = \jTi, where Si, T> Pi, all i I.
Then
(1) W - S = \JiI(Wi - Si),
(2) SnT = \Ji&I(Si^Ti),
(3) mR(S) = \JiJ(mRi(Si)). D
Theorem 1.6.3 // a(pi . . . ,p n ) e 3 ft, so the "only
if" part follows from 1.4.10. Conversely, suppose ft (= a, alH /. Then
for Sj = \JieISji P,
(Si , . . . , ) = \JieIht?(Su,...,SnJ (1.6.3)

= U i6/ Wi (as^+Na)
= W,
a. D
Theorem 1.6.5 (^^)+ zs
isomorphic to the direct product of the fam-
ily {ftt : / } of MA's.
Proof. Define Q : P > ne/^*> tne Cartesian product of the P;'s, by
Q(S)(i) = Si = SnWi, alii el.
By 1.6.1(iii), we indeed have Q(S) 6 II ^- By tne uniqueness of the
expression S = \JSi, Q is readily shown to be a bijection. The MA-
homomorphism properties of Q, with respect to the usual "point-wise"
definitions of operations on J] Pit follow from 1.6.2, e.g.
Q(mR(S))(i) = mR(S)nWi - m ft (5i) = mR,(Q(S)(i)) = m(Q(S))(i),
so Q(mR(S)) = m(Q(S)). D
Theorem 1.6.5, and the fact that an identity is satisfied by a direct
product of algebras iff it is satisfied by each of them, yield an alternative
proof of 1.6.4.
If {ft : i /} is a family of frames that are not pairwise disjoint, we
replace each ft by its isomorphic copy ft[ where
W{ = WiX {i}
(x, i)R'i(y, i) ifix
The disjoint union of the ft's is then defined to be the disjoint union of
the F"s. Clearly 1.6.4 continues to hold for this construction.
1.7 Ultraproducts
The theory of ultraproducts plays a central role in the model theory of
first-order quantificational logic. It forms the basis of many compactness
results and characterisations of semantic concepts, such as equivalence
of models, and elementary classes. The frame constructions associated
with ultraproducts of MA's are in fact ultraproducts themselves, and

prove, as we shall see, to be just as useful in the modal context as they
are for first-order logic.
Definition 1.7.1 Let 21 = (A,d, ') be a Boolean algebra. Then G C A
is an ultrafilter in 21 iff
(1) l e G ,
(2) i f a , a ' \ J b G, then b e G,
(3) exactly one of a, a' G, for all a A.
A sot satisfying (1) and (2) is known as a filter. A filter is proper iff it
does not contain the least element 0. Ultrafilters may alternatively be
defined as maximal proper filters, i.e. those not properly included in any
other proper filter. All filters G satisfy
(4) a , b & G i f f a C \ b e G ,
(5) ifaeG and a<b, then & G.
Condition (4), or the "only if" part of (4) together with (5), give alterna-
tive definitions of a filter. In the presence of (1) and (2), (3) is equivalent
to
(6) 0 G, andfora,beA,a(JbG only ifaeGorbeG.
An ultrafilter on a set / is, by definition, an ultrafilter in the BA
(27,n,-).
A set G C A has the finite intersection property (fip) iff the
lattice meet (n) of every finite subset of G is not equal to 0. The follow-
ing standard result will be used repeatedly to establish the existence of
ultrafilters.
Theorem 1.7.2 Any subset of a BA that has the fip is included in an
ultrafilter.
We begin our discussion of ultraproducts with the definition for K-
frames.
Definition 1.7.3 Let W, be a set, for all i e /, and G an ultrafilter on
I. An equivalence relation is defined on f]^,Wi, the Cartesian product
of the Wit by
f ~ 9 i f f { i : f ( i ) = g(i)}G.
If f is the ^-equivalence class of f 6 Hî, then the ultraproduct of
the Wi over G is the set WG = J] Wi/G = {/ : / e U.e/ wi\- V
7", = (Wi, R,} is a K-frame, all i /, then the ultraproduct of the f,
over G is the frame TG = flî/G - (Wc, Rc), where.
Intuitively, the elements of the ultrafilter G may be thought of as

sets that contain "almost all" members of /. Properties are then defined
to hold of FG iff they hold of almost all of the ^'s. A proof that ~ is an
equivalence relation and that RQ is well-defined may be found in Bell
and Slomson [4, p. 88].
Our definition of ultraproduct for first-order frames (Wi,Ri,Pi) is
an adaptation of the higher order ultraproduct construction presented
by Malcolm [66]. The basic idea is to define second-order individuals
as ~-equivalence classes of the Cartesian product of the P^, and then
by "normalising", to turn these into genuine subsets. The formal de-
velopment is facilitated by a preliminary description of ultraproducts of
modal algebras.
Definition 1.7.4 Let 21; = (Ai,C\, ',77^) be an MA, for each i I,
and G an ultrafilter on I. Define operations on Hie/-1^ *n the usual
point-wise manner:
= a(i)r\8(i)
mo-(i) = mi(a(i)), for a,0

Then the ultraproduct of the 21 's over G is the MA
where \\Ai/G is defined as in 1.7.3, and

ar\0 = an~0, ()'=?", m(a)-ma
Thus His/^W^ ig tne Quotient algebra of ILe/^> tne direct product
of the 2li's, with respect to the congruence ~ defined as in 1.7.3.
Theorem 1.7.5 Suppose Pi C 2W> , alii I. If f U Wit a H Pit
let [/, cr] = {i : f ( i ) 6 ff(i)}. Then if G is an ultrafilter on I,
(1) * f f , 9 l [ W i , f f Upi and f ~ g, then \Jta] eG iff \g,a] G;
(2) if a,8 UP,, then a ~ B iff for all f H ^ > [/,^] e G iff
Proof.
(1) Since / ~ g, A = {i : f ( i ) = g(i)} G. But [/,a] nAC\g,<r]t and
[g,ar] C\AC [/,CT], so the result follows by 1.7.1(4), (5).
(2) Let a ~ 0. Then A = {i : a(i] = 0(i)} & G. Then if / RWi,
[/, cr] n A C [f,6], and we proceed as in (1). For the converse, we
observe that I is partitioned into the disjoint sets A = {i : o~(i) =
6(i)}, B = {i : a(i) C 0(t)}, C = {i : 9(i) C a(t)}, so by 1.7.1,
exactly one of A, B, C is in G.
Now suppose not a ~ 9. Then A G. Suppose B G. Then for

i e B, there exists /; 9(i) - cr(i). Choose / 6 H W sucn tnat
/(t) = /i, all i 6 5. Then B C [/,<?], so [/,6>] G by 1.7.1(5). But
[f,a] C -B and -B i G (1.7.1(3)) so again by 1.7.1(5), [/, a} $ G.
Similarly if C 6 G we may construct an / such that [/, a] G and
[/,0]G.
D
Definition 1.7.6 Let Fi (W;,P^,P;) be a first-order frame, for all

i I, and G be ultrafilter on I. For a J] Pi/G, define S& C WG
(1.7.3) by
(7>y 1.7.5 this definition is unambiguous). The ultraproduct of the

Pi's over G is defined as the frame ?G - Uî/G = (WG,RG,PG),
where {WG,RG} is as in 1.7.3 and PG = {S : a fl pi}-
That PG is closed under n, , mnG is shown by
Theorem 1.7.7
(1) ir =
(2) S&n
(3) WG - Sd = S?
(4) rnRG(S,) = S^
where a n 6, a' , and ma are defined in 1.7 A.
Proof. (1) is the content of 1.7.5(2). (2) and (3) are established via
1.7.1(4) and 1.7.1(3). We shall give a detailed proof only for (4). Let / 6
mRa(St). Then fRGg for some g E S&. Then A = {i : f(i)Rig(i)} G
(1.7.3) and [g,o-] 6 G (1.7.6). But An \g,a\ C {i : f ( i ) mfl>(z))} =
[/, ma] (1.7.4, 1.7.5). Thus [/, ma] G, and so / 6 5^.
Conversely, let / e 5^. Then [/, ma] = {i : f ( i ) mRt(o-(i))}
G. For each i [/, ma], f(i)RiQi for some gi a(i). Choose g e H^
such that g(i) = gi all i [/, ma}. Then [/, mcr] C {i : f(i)Rig(i)} and
[/, ma] C [g, <r], so /-Ro9 and g e 5^, whence / mfl(, (5^). D
Corollary 1.7.8
Proo/. The map a > 5a is, by 1.7.7, an MA isomorphism from
onto PG. D
Wi
We shall see in Section 1.17 that, even if P; = 2 , all i 6 /, we may
still have PG ^ 2^. Thus, whereas the ultraproduct of a class of K-
frames is by definition (1.7.3) a K -frame, the ultraproduct of a class of
full first-order frames is a first-order frame that may not be full. So, for
ultraproducts at least, the distinction between .ftT-frames and full frames
becomes significant.
Our next two results hold for either kind of ultraproduct,
Theorem 1.7.9 Let Qi : Ti > T[ be a frame homomorphism, for each
i G /, and G an ultrafilter on I. Then there is a homomorphism from
TG to T'G which is onto if (almost all) of the Qi 's are onto.
Proof. The construction is a standard one in the theory of ultraproducts
(cf. [42, p. 107]). Let / WG. Define /* e R W< byj*(i) - &(/()),
all i 6 /. Then Q : WG -> WG, defined by Q(f) = /*, is the required
homomorphism. The only new feature, in the event that the frames
are of the first-order kind, is to check that Q satisfies 1.5.1(3). So let
S 1%, where o- e Upi Let 6(i) = Q~l(a(i)), all i e /. Then, as
each Qi satisfies 1.5.1(3), 6 Y[Pi, so Sg PG- But a straightforward
argument shows S = Q"1 (S^). D
Corollary 1.7.10 // each fi is embeddable in T[, FG is embeddable in

pi
re-
Proof. Suppose each Q, (above) is an embedding. Then Q : TG > F'G
is easily proved to be injective.
Now let Sa G PG- Then a(i) 6 Pi, all i e I, so there exists 9(i) G P'G
such that Qi(ff(i)} = Qi(Wi) n 0(i) (as Q is an embedding). But from
this one may show Q(S&) = Q(Wc) H Sg. Hence Q is an embedding. D
Corollary 1.7.11 If each Ti is (isomorphic to) a subframe of f(, then

TG is isomorphic to a subframe of T'G .
Proof. Since each subframe is embedded in any of its parent frames by
the identity map, the result follows by 1.7.10 and 1.5.3 D
Theorem 1.7.12 Let fi be a first-order frame, all i /, and G an

ultrafilter on I. If a(pi,.. -,pn) #, <7i,...,<r n l[Pi, and f l[Wi,
then
f e h$ (S- , . . . , 5- ) iff {i : f ( i ) 6 ft? (ffi (i), . . . , an(i))} 6 G.
Proof. By induction on a, the basis of which is given by the definition of
S&. We shall discuss only the case for the modal connective O, assuming
for convenience (as we often do) that n = 1, i.e. a has only one variable.
If / /ioi(S*) then fRcg, for some g e ha(S). Then by 1.7.3
and IH (induction hypothesis) we have A = {i : f(i)Rig(i)} G and
B = {i : g(i) e K (a(i))} G. But, as in 1.7.7(4), A n B C C =
f+
{i : /(i) hc?a(<r(i))}, so C 6 G. The converse follows also by a
modification of the proof of 1.7.7(4). D
The key fact about ultraproducts for first-order logic, known as Los's
Theorem, is that a sentence is valid on an ultraproduct of structures iff
it is valid on almost all of the structures themselves [4, pp. 90-91]. The
analogous result for modal logic follows from 1.7.12.
Corollary 1.7.13 // Ti is a first-order frame, all i 6 I, and G is an
ultrafilter on I, then for any a $, FQ |= a iff {i : J-{ \= a} G G.
Proof. Let A = {i : Ti \= a} - {i : T+ |= a}. Suppose A G. Then
clearly for any Sg- PG, f WG we have A C {i : f ( i ) g h^ (<r(i))},
so by 1.7.1(5) and 1.7.12, / 6 ha(S). Thus TG |= a.
Conversely, suppose A ^ G. Now for i A, Ti a, so there exists
fi Wi, <?i e Pi, such that fi ha' (ai). If /, a are chosen so that
JT+
f ( i ) = fi, <r(i) = o-i, all i i A, then {i : J ( i ) ha* (a(i))} C A, so by

1.7.1(5) and 1.7.12, / ft(SV), whence FG a. D
Corollary 1.7.13 may be indirectly derived from 1.7.8 and Los's The-
orem for modal algebras. The 'if part of 1.7.13 is not true in general for
ultraproducts of Jf-frames (cf. Section 1.17 for an example). However
we do have
Corollary 1.7.14 If Fi (Wi,Ri} is a K -frame, all i I, G an ultra-
filter on I, and a $, (Wo, RG) \= a only if {i : Ti (= a} G.
Proof. If {i: Ti\=a} i G, then {i : (Wi,Ri,Pi) |= a} G, where
Pi = 2W>, all i e /. By 1.7.13, (WG,RG,PG) a, hence by 1.4.1,
a. D
We end this section with a reformulation, in terms of valuations on
frames, of Theorem 1.7.12. This result holds also for ultraproducts of
-ff-frames.
Theorem 1.7.15 Let Vi be a valuation on Ti, all i /. If V is any
valuation on TG such that f V(p) iff {i : f ( i ) Vi(p)} e G, for all
variables p, then for any a 6 $, / e V(a) iff {i : f ( i ) Vi(a)} G.
1.8 Compactness and Semantic Consequence

Ultraproducts may be used in first-order logic to prove the Compact-
ness Theorem. In this section we use them to discuss the compactness
properties of two modal semantic consequence relations.
Definition 1.8.1 Let be a class of frames, F C <, and a 6 <. Then

(1) r |=o a() if/or a// F , T \= F only if F \= a
(where F\= T iff F\= p, all 0 T).
(2) T |= a() if/or a// J" e , and all valuations V on T, V(F) C V(a)
(wftere V(r) = f\{V(0) : j3 T}).
Theorem 1.8.2 T |= a() onfy i/T |=0 a().
Proof. Take V on jF C, where 7" j= F. Then V(r) = W. But as
T |= a(), y(r) C V(a), so V(a) = W. Since this holds for arbitrary
V,F\=a. Hence T (=0 a(C). D
The converse of 8.2 does not always hold. For example, let P =
{O(p V ->p)}, a DO(p V ->p). Then as Necessitation is validity-
preserving, F \=Q a() for any (. But let = {f}, where T =
(W,R,2W), with W = {0,1} and R = {{0,1}}. Then for any V on
^, ]/(r) = {0}, V(a) - {!}, so r * a().
Definition 1.8.3 F C $ is satisfiable on T iff for some valuation V
on J-, V(F) / 0. F is satisfiable in a class of frames iff it is satisfiable
on some frame in .
A logic A is strongly determined by iff for all F C $ , a $,
(1) ri-,1 a #/><*().
To make the distinction between this concept and that of 1.2.4 quite
explicit, we may sometimes say that simply determines A if for a 6 $,
(2) \~Aa ifjT\=a, all T 6 .
(1) is equivalent to
(!') F is A-consistent iff satisfiable in , for all a G 4*.
(2) is equivalent to
(2') a is A-consistent iff satisfiable in , for all a $
(where "a is yl-consistent" means {a} is yl-consistent).
Clearly A is simply determined by if it is strongly determined by .
We shall shortly present a sufficient condition for the converse to hold.
To do that however we need the following result, which may be regarded
as a modal version of the Compactness Theorem.
Theorem 1.8.4 Let be a class of first-order frames that is closed
under the formation of ultraproducts. Then
(1) T \= a() iff F' \= a() for some finite F C T,
(2) T |=o a() iff F' (= a() {or some finite F' C T.
Proof. (1) Sufficiency is trivial. For the converse, let I {i :

z is a finite subset of F}, and suppose that i a(), all i /. Then
for each i there exist ^ , Vi on .T7;, and some fi Wi such that
(i) ^ Vi(i) and
(ii) A i V-(a).
For /3 r, let Fp = {i : fi V((3)} and G0 = {Fp : /3 F}. Then
clearly by (i), {/3,7} F/jflF-y, so G0 has the fip and by 1.7.2 is included
in an ultrafilter G on I. Let FQ be the ultraproduct of the .TVs over G,
and define V on J"G by V(p) = S&, where a(i) = Vi(p), all i 6 /. Let
/(i) = /i, all i e 7.
Now for 0 F, {i : f ( i ) Vi(/3)} = F0 e G, so by 1.7.15, / V(/3).
Hence / e V(F). But by (ii), {i : f ( i ) e Vi(a)} = 0 G, so by 1.7.15
again / ^ V(a). Thus FJ^ a(To)- But is closed under ultraproducts,
so TG and therefore r a(C).
The proof of (2) follows similar lines, replacing (i) by (i)': T{ |= i,
and putting Fp = {i : Ti |= /3}. We then use Theorem 1.7.13 to obtain
fa N ^ n
It is clear from the construction just given, and from 1.7.15, that
1.8.4(1) continues to hold for a class of /C-frames closed under the
ultraproducts of 1.7.3. That 1.8.4(2) is not in general true for such
classes was shown by Thomason [95].
Corollary 1.8.5 Let <t be a class of frames closed under ultraproducts
( may be a class of first- order frames or a class of K-frames). Then
F C $ is satisfiable in iff every finite subset of F is satisfiable in <t.
Proof. Let _L= p A -<p. Then F is satisfiable in iff F . (), and so
the result follows from 1.8.4(1). D
Corollary 1.8.6 If A is a modal logic and <L is closed under ultraprod-

ucts, then simply determines A only if strongly determines A.
Proof. Suppose that 1.8.3(2') holds. For each finite A C F, let aA be
the conjunction of the members of A. Then A is yl-consistent iff a& is A-
consistent (1.1.2) iff QA is satisfiable in (1.8.3(2')) iff A is satisfiable in
(1.2.4(i)). Thus we have F C $ is yl-consistent iff each finite subset of
F is yl-consistent iff each finite subset of F is satisfiable in iff (by 1.8.5)
F is satisfiable in . Thus 1.8.3(1') holds and strongly determines A.
D
1.9 Descriptive Frames

We return now to the problem discussed in Section 1.3 of finding a con-
cept of "possible-worlds" model structure that is equivalent semantically
and mathematically to that of a modal algebra. The structures we de-
fine are obtained by imposing constraints on frames (W, R, P) that we
hope to show have some philosophical significance.
We recall that the members of P are called the propositions of the
frame, and that if x S, then proposition 5 is to be understood as being
true of the world x. Our first condition is a kind of converse to the thesis
that a proposition is determined by the set of worlds in which it is true.
It asserts that each world is uniquely determined by the propositions
true in that world. For, if two states of affairs are to be different there
must be something about one that does not hold of the other, and hence
a statement that is true of one and not the other. We formalise this as
follows:
For x e W, let Px = {S P : x 6 S}. Then our principle is
Axiom I. For all x, y G W, Px = Py only if x = y.
The interpretation of xRy is that y is a world accessible to x, in
which case anything necessarily true of x is true of y. We now wish to
assert the converse of this, viz. if all propositions necessarily true of x
are true of y, then y is a conceivable alternative state of affairs to x.
For, an individual living in world x could understand what y is like. He
could comprehend at least all those facts about y that correspond to
necessary truths of his own world. Thus we have
Axiom II. Ifx e IR(S) only i f y e S , for all S P, then xRy.
Our third and final constraint is concerned with the set Px, which
might be called the "truth-description" of x. Each Px is an ultrafilter
in F+, i.e.
(1) W 6 Px,
(2) S, -5 U T Px only if T Px,
(3) exactly one of 5, -S e Px, all S P.
Since the set -5 U T corresponds to the proposition "S1 implies T",
these conditions may be interpreted as stating that in any particular
world x: the universal proposition (W) is true; any proposition implied
by a true proposition is true; and exactly one of each proposition and
its negation (denial) is true. Our contention is that any collection of
propositions meeting these conditions must be the truth description of
some world. For, if a world is to be uniquely specified by the proposi-
tions true of it, then to make a consistent and exhaustive selection from
amongst all possible propositions is to describe a state of affairs that

state in which all the selected propositions obtain, and all the rejected
ones, the negations of selected ones, are false. We therefore have
Axiom III. Every ultrafilter in f+ is of the form Px for some
Definition 1.9.1
(1) A frame T = (W, R, P) is descriptive iff it satisfies Axioms I, II
and III.
(2) T is refined iff it satisfies I and II.
Refined frames were first defined and studied by Thomason [96].
Theorem 1.9.2 Any full frame is refined. Any finite full frame is de-
scriptive, but no infinite full frame can be descriptive.
Proof. Consider T = (W,R,P), where P = 2W . If x ^ y, then x
Px Py, whence Px ^ Py, and I holds. For II, suppose that not xRy.
Let S = {z : xRz}, then x IR(S) and y $. S. Thus T is refined.
It is a standard result that if W is finite then every ultrafilter on W
is principal and has singleton intersection, whence III holds. On the
other hand every infinite set has non-principal ultrafilters [4, p. 108]
with empty intersection, in which case III fails. D
Descriptive frames are extremely rich in structure. Axiom III is
reminiscent of the notion of convergence of ultrafilters, which in topology
is equivalent to compactness. In fact the set P, being closed under n
and containing W, is a base for a topology on W which is compact in
the presence of III. Axioms I and III make (W, P) a perfect reduced set
field in the sense of Sikorski [90, p. 20].
Theorem 1.9.3 Axiom III is equivalent, given P closed under n and
, to each of
IV Every subset of P with the fip has non-empty intersection;
and
VlfW- Uie/ Si, with Si 6 P alii 7, then W = (Ji6/0 Si for some
finite I0 C I.
Proof. Ill =J> IV. If P0 C P has the fip, by 1.7.2 P0 C G for some
ultrafilter G on f+ . By III, G = Px for some x W. Then clearly
IV => V. If W ^ Uie/o Si for all finite / C I, then ni6/0 -Si ^ 0,

hence PQ = {-Si : i 1} has the fip. But as P is closed under , PQ C
P, so by IV there exists x Dig/ po = Hie/ ~Si- Thus U e / s* +w-
V => III. Let G be an ultrafilter on F+ . If G ^ Px, all x 6 W, then

by 1.7.1(3) and closure of P under , for each x there exists Sx P
such that Sx Px and -Sx G. Then U x ew ^ ~ W> so by ^ tîere
exist oji, . . . , e W such that U;<n ^x ~ ^> hence Hi<n "So^ = 0.
But each Sxi G, so by 1.7.1(4) 0 G, which is in contradiction with
1.7.1(6). D
Theorem 1.9.4 Let T = (W,R,P) be a descriptive frame. Define
C = {r\Q--QtP}, r= {\JQ:QCP}.
Then
(1) (W, T) is a compact, Hausdorff topological space,
(2) seriff-se<;,
(3) T is closed under finite intersections and C under finite unions,
(4) Every finite set is in and every cofinite set in T,
(5) // S e ( and S C |Jig/ 5, w/iere Si & T all i & I, then S C \JieIoSi
for some finite IQ C I,
(6) If S &T and f|i/ 5i C 5, w/iere 5, 6 C all i e /, /zen flie/0 5, C 5
/or some /im'te JQ C I.
Proof.
(1) r is of course the class of open sets in the topology with P as base.
By Axiom I and the closure of P under , any two distinct points
of W are separated by disjoint r-open sets. Thus (W, T) is Haus-
dorff. Compactness is given by V (cf. 1.9.3).
(2) -(Uie/ &) = Hie/ ~sii and P is closed under -.
(3)
and P is closed under finite intersections. Similarly (p| 5^) U

(f)Tj) = HCî u TJ), and P is closed under finite unions.
(4) By Axiom I and the closure of P under , if x ^ y, there exists
5 P such that x 5 and y S. Thus {x} = (f| Px) C- Since
any finite set is a finite union of singletons, it follows from (3) that
every finite set is in (. Hence by (2) every confinite set is in r.
(5) By (2), C is the class of r-closed subsets of W. Then (5) follows
as the standard result that a closed subset of a compact space is
compact.
(6) May be derived from (5), (2) and De Morgan's Laws for set algebra.
D
Definition 1.9.5 IfRC W2, then for each ntNwe define 1% : 2W -+

1W inductively by
mR(S) is defined as -(1R((-S)).

For a a.
n times
The following properties are easily established.
Theorem 1.9.6
(2) U j "(&) = *S(U6/ $)

(3) 5 C T on/y / /(S) C /(r) and mnR(S) C mnR(T}.
(4) l"(S) = {x:xRny onlyifyS}.
n
(5) m^(5) = {x : xR y for some y S}.
(6) {S : x Jjj(S)} is c/osed under arbitrary intersections.
D
Theorem 1.9.7 If(W,R,P) is descriptive, then

(1) i/z lfl(S) on/y */J/ ?, aZ/ 5 e P, /ien xRny; or equivalently
(2) ifyeS only if x & m^(S), all S P, then xRny.
Proof. By induction on n.
For n = 0, suppose a; 6 S only if T/ 5, all 5 P, i.e. Pa; C PT/.
But Pa; is a maximal filter, so Pa; = Py, whence by Axiom I x = y, i.e.
xRy.
Now suppose the result holds for n, and that
(i) a;e/+1(S)onlyif2/eS.
Let Po = {5 e P : x fo(S)} U {m^(5) : y 5 P}. Then if P0 does
not have the fip, by 1.9.6(6) there is 5 P such that x 6 /ft(5), and
m^(5i) such that y 5 for i < m, some m, and
Hence by 1.9.6(3), 5 n m(S') = 0, where S' = fli<m Si. But then

S C -m(S"), so using 1.9.6(3),
But x IR(S), so x lft+l(-S'), thus by (i) y -S', which is impos-

sible as y 6 5'.
Therefore we conclude that P0 has the fip, whence by IV (1.9.3)
there exists z 6 fl-Po- Then by Axiom II, 77?, and the definition of P0,
we have xRz and 2.R2/, hence xRn+ly as required. D
Corollary 1.9.8 For all x W and n N, K = {t : xRni] C,.
Proof. If t i K%, by 1.9.7 there is St P such that x 6 Z(St) and
t < St. Let 5 = f|{5t : * #"} C- Then clearly 5 C fl. But by
1.9.6(1), x IR(B), so by 1.9.6(4), BCB. D
Corollary 1.9.9 For am/ 5 C W,
(1) *S(S) = UsDTec ) = Plscrer *SCT)/
(2) m(S) - risers n^CH = USD^C m fl( T )-
Proo/. We begin with the first part of (1). By 1.9.6(3)
Conversely if x e /^(5), PJ C 5 by 1.9.6(4). But R C (1-9-8) and

clearly x e %(!%). Hence a; e USDTSC Z H( T )-
For the second part of (2), we have
by 1.9.6(3). Conversely if x 6 m^(S), x/?ny for some y 5. Then

* e m^{2/}, and 5 D {y} 6 C by 1.9.4(4).
Now for the second part of (1),
IR(S) = -mnR(-S) = -(U-5DT6C mfl(T)) (above)
= ri-SDm - m fi( T ) = H-SDTec (-r) = Hscrer (T) (1-9-4(2)).
The first part of (2) follows similarly from the first part of (1). D
We end this section with some observations about the constructibility
of descriptive frames from given ones.
Theorem 1.9.10 The disjoint union of a finite number of descriptive
frames is descriptive, but a disjoint union of infinitely many frames is
never descriptive.
Proof. Let T be the disjoint union of disjoint descriptive frames F\
and JF2. Then W = Wi U W2, R = RI U #2 and P = {S U T : S
Pi and T P2}, so clearly Pi,P2 C P (since 0 PI n P2). Now for
Axiom I, suppose x ^ y. If x e Wi, y e W2, then Wl Px - Py,
so Px ^ Py. If x,y Wi, then as T\ satisfies I, there exists 5 PI
such that x 6 5, y $ S. Then S Px - Py. A similar result holds if
For II, suppose not xRy. If x, y W\, for some 5 P\ we have

x E 1^(8) and y $ S. Then clearly x 1R(S) and S P. If x Wi,
y W2, then a; fe(Wi) and r/ W\ P.
For III, suppose W = \JieI(Si U T-) where for all i /, Si PI
and T; e P2. Then W = (\JieI S^ U (U i e /7i), and since W is the
disjoint union of Wi and W2, Wi. = 11$. W2 = \JTi- But -î. ^2
satisfy V, so Wi = Uie/0 $> W2 = Uiej^. fr some nnite ô, J C /.
Then W = Ui6/ouj($ u T')- Hence ? satisfies V and therefore III by
1.9.3.
To complete the theorem we observe that if T is the disjoint union
of an infinite disjoint family \T{ : i /}, then W = Uie/W- Bu^
each Wi P, and since the VFi's are pairwise disjoint and non-empty
we cannot have W = Uie/0 Wt for any finite IQ C I. Hence T does not
satisfy V so cannot be descriptive. D
We note that the proof just given is easily adapted to show that the
disjoint union of any collection of refined frames is refined.
Theorem 1.9.11 An ultraproduct of refined frames is refined.
Proof. Let TG be the ultraproduct of the .TVs over an ultrafilter G on a
set /.
For Axiom I, suppose / ^ g. Then A = {i : f ( i ) ^ g ( i ) } G. For
i A, as Ti is refined there is <7; P; such that f ( i ) at, g(i) $. ai.
If a is such that a(i) = ai, all i A, then A C [/, a], so / 5^. But
[9,0-] Q -A $. G, so g $. S&. For II, suppose that not fRog- Then
B = {i : not f ( i ) R i g ( i } } G. For each i B there exists a(i) Pi
such that f ( i ) /^(^(i)) and g(i) ^ cr(i). Then, reasoning as above, we
obtain / lRc (Sa) PG and g i S*. D
Theorem 1.9.11 still goes through under the weaker hypothesis that
almost all .TVs are refined. However TG may not be descriptive even if
all .TVs are. For example, suppose that each J~i is finite and full, hence
descriptive by 1.9.2, but FG is infinite (such ultraproducts existone
will be displayed in Section 1.17). Let / WG- Define a(i) = {/(i)},
all i /, Then as each Ti is full, a \[Pi- But it is easily seen that
5,j = {/}, so each singleton subset of WQ is in PQ. Since WQ is infinite,
it follows that fa does not satisfy V, so is not descriptive.
1.10 The Categories of Descriptive Frames and

Modal Algebras
It was shown in Section 1.3 that each frame has a semantically equivalent
MA. Conversely, as will now be shown, each MA has a corresponding
frame that is descriptive. The construction is an adaptation of Lemmon

[58, Section III], which itself is an extension of Stone's Representation
Theorem for DA'S.
It should however be recognised that the fact that an MA is isomor-
phic to an algebra of a descriptive frame is due originally to Jonsson and
Tarski [48, Theorem 3.10], who developed a general theory of representa-
tion of additive n-ary operators on Boolean algebras in terms of n+ 1-ary
relations on sets. Modal algebras are essentially the case n ~ I of this
theory. Moreover, Theorem 3.5 of [48] showed that various elementary
properties of a binary relation (reflexivity, symmetry, transitivity, func-
tionality) are equivalent to satisfaction of certain MA-equations by the
algebra of the associated frame. Thus Jonsson and Tarski provided the
mathematical tools and results to give the completeness theorem with
respect to set-theoretic semantics of a number of the more well-known
modal logics. This development occurred more than a decade before the
work of Kripke, Lemmon et. alia., but was not taken up by the latter
authors.
Definition 1.10.1 7/21 = (A,r\, ',1) is an MA, then
a+ = {Wa,*a,-P a >,
where
Wia = {x : x is an ultrafilter on 21},
xR<&y iff {a: la &x} Cy iff {ma : a 6 y} C x,
p = {|o|a}, where |a|a = {x e Wa : a 6 x}.
That Pa is closed under n, -, IR^ is shown by the next theorem, which
is given by [58, Theorem 32].
Theorem 1.10.2
(i) \a\* = \b\*iffa = b.
(2) W* - |o|a = |a'|a-
(3) |a| a n|6| a = |an&| a .
(4) fe.(|o|a) = |/a|a.
Corollary 1.10.3 as (+)+.
Proof. The map a i-> \a\^ is by 1.10.1 and 1.10.2 an MA isomorphism
of A onto Pm. D
Corollary 1.10.4 211= a iff 21+ \= a.
Proof. Isomorphic MA's satisfy the same identities, so 21 |= a iff
(2t+)+ \= a (1.10.3) iff 21+ |= a (Section 1.3). D
Theorem 1.10.5 2l+ is a descriptive frame.

Proof. For I, suppose x ^ y 6 W<&. Then (using 1.7.1(3)) there is a A
such that a x, a $ y. Clearly it follows that |a|a P*x - P*y.
For II, suppose not xR<&y. Then for some a A, la x and a y.
Hence x |Za|a = fe^M81) (1.10.2) and y la]51 Pa. Axiom III is
established as in [90, p. 24], and we briefly repeat the argument. If G
is an ultrafilter on Pa, then by 1.7.1 and 1.10.2, g = {a : |a|m 6 G} is
an utrafilter on 21, i.e. g Wa. But |a|a e G i f f a e g i f f ^ e |a|a, so
G = P*g. D
Corollary 1.10.6 Every frame has a semantically equivalent descrip-
tive frame.
Proof. T is equivalent to f+ (Section 1.3) which by 1.10.4 and 1.10.5 is
equivalent to the descriptive frame (F+)+. D
For descriptive frames themselves we have the following strengthen-
ing of 1.10.6:
Theorem 1.10.7 If F is a descriptive frame, then f = (f+)+.
Proof. Since each Px is an ultrafilter on f+ , the correspondence Q :
x i> Px is by 1.10.1 a map of W into Wyr+. Q is injective by Axiom I
and onto by Axiom III. Furthermore
xRy iff {S e P : 1R(S) e Px} C Py (Axiom II, def. 1R)
iff PxRjr+Py (1.10.1)
iff Q(x}Rf+Q(y}.
To complete the proof that Q is an isomorphism, it suffices to show that
5 P iff Q(S) e Pr+ . But for any 5 6 P
: x S} = {Pa; : S Pa;} = I S f ,
so 5 e P only if Q(S) 6 Pf+ by 1.10.1. Conversely, if Q(S) e Pf+ ,
by 1.10.1 Q(S) = T\*+ = Q(T) for some T e P. But Q is bijective so
S = T e P. D
We saw in Section 5 that a frame homomorphism induces an MA
homomorphism of the corresponding MA's. A similar duality holds
between mappings of MA's and their corresponding descriptive frames.
Definition 1.10.8 Let if} : 21 (B be an MA homomorphism o/2l into
03. TTien V+ : 23+ -> 21+ defined, for x W<B, 6j/
4>+(x) = {a A: ipfa) 6 a;}.
This construction is a standard one in the representation theory of BA's
[90, Section 11]. That V+W is an ultrafilter in 21 follows from the
homomorphism properties of 1(1, e.g. exactly one of ip(a) and (^(a))' =

V>( a/ ) is in x, so exactly one of a, a' is in t^+(x). ip+ may alternately be
described as follows. By the isomorphism of 1.10.3 ip may be regarded
as a map from Pa to Pa. For x W<B, {S Pa : x ip(S)} is an
ultrafilter on Pa so, as 21+ is descriptive, is of the form Paj/ for some
y Wat. We then put
Theorem 1.10.9
(1) ip+ is a frame homomorphism
(2) tp is injective only if i/j+ is onto
(3) if) is onto only if ^+ is an embedding
(4) ip is an MA isomorphism only if ip+ is a frame isomorphism-
Proof.
(1) Suppose xR%y. Then for any a A, la V)+(:r) only if ip(lo,) =
l(il>(a)) x. Then as xR<sy, tp(a) y and so a ^+(j/). By 1.10.1
this implies ip+(x)R<ni(}+(y).
Now suppose V+W-Ra-z. The sets 2/1 = {a : la 6 a;} and y2 =
{i/>(b) ' b 6 z} are each closed under n (the latter since ^ is an
MA homomorphism and z is closed under n), so if j/o = J/i U 2/2
does not have the fip there exist a, ^>(6) such that la x, b z
and a < (V>(&))' = V(6')- Then la < l(ip(b')) = il>(l(V)). Then
V>(*(&')) x, so i(6') e ^+(x). Since ^+(i)-Ra^, we get b' e 0,
which is impossible as 6 z. Thus T/Q nas the fip, so by 1.7.2
2/o Q j/ for some y e VF. As j/ t C j/, we have xR<sy by 1.10.1. As
2/2 Q y, z C ijj+(y), whence by the maximality of z, ip+(y) = z.
Now if 5 Pm, 5 = |a|a for some a e A Then V+^-S1) =
^Hlttl 8 ) = {* = iM*) G |a|a} = {^ : a V+(*)} = {^ :
if>(a) 6 z} = iV'Ca)!33 6 -P53- Thus ip+ satisfies 1.5.1 and is a frame
homomorphism.
(2) Let x 6 W<&. Put y = {^(a) : a x}. If if) is injective then V( a ) 2/
iff a x. From this it follows easily that y W^ and ^+(y) a;.
(3) Suppose tp+(x) = ij)+(y). If ifi is onto, each element of 58 is of the
form i/} (a), some a. A. Then we have VK a ) ^ only if a T/J+(X),
only if a tjj+(y), only if VK a ) 3/- Thus a; C y, whence by
maximality x = y and ip+ is injective.
Now suppose |6|s P. As i/> is onto, 6 = ip(a), some a A.
But then, from the proof of (1), V+dâ)!) = V+W+^M 81 ) =
|a|m n ^ + (Wgj). Thus V;+ is an embedding.
(4) Follows from (l)-(3).
D
Since ip+ is a frame homomorphism, (i>+)+ is an MA homomorphism

of (2t+)+ into (2J+) + (1.5.9). But these two algebras are isomorphic to
21 and 05 respectively (1.10.3) so one might expect there to be some
relationship between (ip+)+ and the original map ip.
Theorem 1.10.10 For each MA 21, let V>a : 21 -> (21+ )+ be the iso-
morphism of 1.10.3. Then for any MA homomorphism ^ : 21 > QJ,
(V>+)+ 0^21 =^33 oil).
Proof. For any a .A,

(H a ) (1-10.3)
*) (1-5-8)
(proof of 1.10.9(1))
The analogous result for frame homomorphisms is

Theorem 1.10.11 For any descriptive frame f , let Qj? : f > (F+)
be the isomorphism of 1.10.7. Then for any frame homomorphism Q
r-^f,(Q+)+oQf = Qr,0Q.
Proof. For any x 6 W,
= (Q+)+(Px) (1.10.7)
= {SP' :Q+(S)Px} (1.10.8)
1
= {S 6 P' :xeC,)" (5)} (1 .5.8)
= {S e P':Q(x) 65}
). (1-10.7)
D
Now the identity map on any frame is a homomorphism, and the
composition of frame homomorphisms is a frame homomorphism, so the
collect 3 of all descriptive frames and homomorphisms between descrip-
tive frames forms a category in the sense of Pareigis [69, p. 1]. Similarly
the class 9JI of Mvl's and MA homomorphisms is a category. The corre-
spondence F >-> .F+, Q h-> Q+ defines functor ( )+ from S) to 2Tt that is
contravariant ([69, p. 7]; it is easily checked that (Qi o Q 2 ) + = Qj o Qf
and (idf)+ = idf+, where id denotes identity maps). Similarly, the con-
structions of 1.10.1 and 1.10.8 yield a contravariant functor ( )+ from
9JI to D. 1.10.10 shows that the collection of isomorphisms tp<n con-
stitutes a natural isomorphism between the composite functor (( )+) +
and the identity functor on JDl ([69, pp. 9, 18]). Similarly, by 1.10.11
the Q.F'S are a natural isomorphism between (( ) + )+ and the identity
functor on 2). Hence the categories 2) and 9Jt are dual to each other
([69, p. 18]).
Subcategories S' and 9tt' of 5) and 9JI may be formed by keeping the
same objects but retaining only isomorphisms as the maps. By inverting
these maps appropriately, we obtain covariant functors between >' and
9JI' whose composites are naturally isomorphic to the respective identity
functors. This means that the category of descriptive frames and frame
isomorphisms is equivalent ([69, p. 18]) to the category of MA's and
MA homomorphisms. It is in this sense that we assert the two kinds of
object are mathematically equivalent.
1.11 Inverse Limits of Descriptive Frames

It is known [39, p. 156] that polynomial identities are preserved un-
der direct limits of algebras. It might therefore be expected that the
analogous result holds for inverse limits of frames. However, it appears
that this construction can only be effectively carried out for descriptive
frames. The development we give depends heavily on the compactness
properties of the latter.
Definition 1.11.1 An inverse family of descriptive frames consists
of:
(1) a directed partially ordered set (I, <);
(2) a descriptive frame fi = (Wi,R^Pi) for each i e 7;
(3) frame homomorphisms QJ : Ti > Tj for all i > j, such that
Q^ o Qlj Qlk whenever i > j > k, and Q\ idw{
The inverse limit of the f{ 's is the structure Fx = (W , R , P) ,
where
fRx9ifff(i)Rlg(i)forallieI,
rl(S):SP>}, where
We show that F is a descriptive frame by the following sequence of

results:
Theorem 1.11.2
(1) ifi > j, Q] Qf = Qf, hence Q~~l(S) = Q^1 (Q]~l (S)) .
(2) ifk>i,j, Qr-l(S)nQ~-\T) = Q-l(Qkl-1
(3) P is afield of sets (i.e. closed under C\,).
(4) J- satisfies Axioms I, V of descriptive frames.
(5) Qf is a frame homomorphism.
(6)
(7) f is a frame.
(8) J- satisfies Axiom II and is a descriptive frame.
Proof.
(1) [39, p. 131].
(2) By (1) and distribution of Q~1 over n.
(3) Since -Q~l(S) = Q~l(-S) and Pi is closed under -, so is
poo If Qf-^S^Qf-^T) e P, choose some k > i,j (k ex-
ists by the directedness of <). As Q, Q* are homomophisms,
Ql-l(S),Q*-l(T) e Pk, so Q~l(S)^Q-l(T) 6 P by (2),
closure of Pk under n, and the definition of P.
(4) If / ^ g e W00, then for some i, f ( i ) + g(i). But Ti satisfies I,
so there is Si 6 Pi such that f ( i ) 6 Si, g(i) Si. Then clearly
Q" 1 (S)P / 00 -P 9 00 .
To prove V we appeal to the topological properties of descriptive
frames. By 1.9.4(1) each (Wi,Ti) is compact and Hausdorff, where
Ti is the topology with Pt as base. Hence by Theorem 3.6, p. 217,
of Eilenberg and Steenrod [11], W is a non-empty subset of J] Wi
that is compact in the subspace topology of the product topology
on n Wi. But if S e P, Qf-^S) = W n Q^S), where Q% is
the projection map on H Wi. Thus each member of P is open
in the subspace topology, hence by compactness V holds for P.
(5) That Q satisfies 1.5.1(1) and 1.5.1(3) follows easily from the def-
initions. For 1.5.1(2), let / W and suppose Q(f)RiZ, i.e.
f(i)RiZ. For each j 6 /, let Aj C Y[Wi contain those g such that
(i) g(i) = z,
(ii) Qi(9(j)) = 9(k) if j>k,
(iii) f(k)Rkg(k) if j>k.
Then if g e flje/^. bY ( m ) fR9, by (ii) g & W and by (i)
Q?(g) = z. We must therefore show there exists such a g.
Lemma 1. Aj = 0.
Proof. Take / > i,j. As Q\ is a homomorphism and f ( i )
Qli(f(l)), for some t 6 Wt we have f ( l ) R t t and Q((t) = z. Put
g(k) = Q((t) for all k <l. Then (i) holds with i = k, (iii) holds
as Qk is a homomorphism and j > k only if / > fc, and for (ii) we
have j > k only if Qjk(g(j)} = QKQ1^}} = Qlk(t) = g(k). Thus, if
we choose g(fc) arbitrarily if not k < I, we have g 6 Aj. D
Lemma 2. Aj is closed in H Wi.
Proof. We show that Aj is open, i.e. for g Aj there is an open

set A such that g A C -Aj. Now if g ^ Aj then g fails to satisfy
one of (i)-(iii) above.
(i) g(i) ^ z. As ^ satisfies Axiom I there is 5 Pi such that
fl() S, z i S. Let A = Q~\S). Then 0 6 4 , and if
/i 6 .A, /i(i) 6 S1, so /i(i) ^ z and hence h g Aj.
(ii) Q3k(g(j)) ^ g(k) for some k < j. Then there is S Pj. such
that g(k) e S, Qi(9(j)) 5. Let T = Qjk~l(-S) 6 P,. Then
g(j) T. Putting 4 = Qf-^T) n Q^C5). we have 9 A,
and h A only if h(k) 6 5, fc(j) e T, so Q J fc (/i(j)) gj(T) C
-5, whence Qjk(h(j)) ^ h(k) and therefore h Aj.
(iii) For some k < j, not f ( k ) R k g ( k ) . As T^ is descriptive,
for some 5 6 Pfc, ^(fc) e 5 and f(k) $ rnRk(S). Let
A = Q~-1(5). Then g 6 A, and ft 4 only if h(k) e S,
whence not f ( k ) R k h ( k ) and so h Aj.
a
Now clearly j > k only if Aj C Ak , so as < is directed it follows
from Lemmata 1 and 2 that {Aj : j e 7} is a family of closed sets
with the fip. By compactness this implies Hjg/ AJ ^ î which, as
explained, completes the proof that Qf is a homomorphism.
(6) From (5) and 1.5.2(iii).
(7) By (3), P is closed under n, . Since each P; is closed under m^ ,
(6) yields P closed under mft .
(8) If not fRg, for some i not f(i)Rig(i). Then as T% satisfies II,
there is S P such that g(i) e S, /(i) ^ mRi(S). Then 5 e
Q~-1(5) P, and / ^ Q-l(mR,(S)) = mR-(Qr(S)). Thus
^"^ satisfies II and this, together with (4) (and 1.9.3) completes
the proof that f is a descriptive frame.
D
For convenience we state the next theorem for functions with two-
placed arguments. It generalises easily to any polynomial.
Theorem 1.11.3 Ifa(p,q) e ,
whenever k > i,j.

Proof. By induction on a, using 1.11.2(1), (2), (3), (6). D
Corollary 1.11.4 T (= a if f% J= a for all i /.

Proof. If Ti \= a for all i I, then the argument of Q^0"1 in 1.11.3 is

always Wk (a suitable k can always be found by the directedness of <).
The result follows as Q?'1 (Wk) = W . D
Definition 1.11.5 A direct family of MA's consists of

(i) a set I direct by <;
(ii) an MA 21; = (A, n, ', /) for each i e /;
(iii) MA homomorphisms V] : &i > 2lj whenever i < j, such that
An equivalence relation is defined on (JAi, the (disjoint) union of the

Ai !s by:
if x e Ai,y e Aj, then x ~ y iff for some k > i,j, t}>l(x) =
Let AX = {[x] : x G U^} be the resulting set of equivalence classes,
and define
[x] n [y] = [iplk(x) n Vfc(j/)], for any k > i,j.
Then 2loo = (Aoo,n, ', /} is the direct limit of the 21^ 's. (A proof that
2loo is well denned is given in [39, p. 129]).
Now if {Fi : i e /} U {<3* : i > j} is an inverse family of descriptive

frames, then it is easily seen that {F* : i /} U {^*- : i < j} is a direct
family of MA's, where ty = Q{+ as in 1.5.8.
Theorem 1.11.6 // J-"00 is the inverse limit of the Ti 's, then ^roo+ is a
homomorphic image of the direct limit of the T^ 's. If each Q^ is onto,
the homomorphism is an isomorphism.
Proof. Define 9 : P^ -> P by: for S 6 \JPi
e([S}) = Q-l(S), where S e Pt.
To check that 6 is well-defined, suppose S ~ T with T Pj. By 1.11.5,
for some k > i,j, ^k(S) = VJ(T), i.e. Qf-1!^) - Q]-l(T) (1.5.8).
Then by 1.11.2,
Clearly 0 is onto. That 0 is an MA homomorphism may be shown using

1.11. 2 and 1.11.5, e.g.
0(m[5]) = 0[mRi(S)} (1.11.5)
(1.11.2(6))
Now if each Q] is onto, then each Q is onto [11, p. 218]. Then if

6([S\) = 0([T\), with 5 Pi, T 6 PJ, we have Q?0-1^) = Q^~l(T).
Choosing * > i,j, by 1.11.2(1) Q^-^Q^S)) = Q^^Cn).
But Q^ is onto, so it follows that Qi~l(S) = Q*"1^), whence S ~ T
and [S] = [T]. Thus 9 is injective. D
We note that 1.11.6 and the preservation of identities under direct
limits and homomorphisms, gives an alternative proof of 1.11.4.
1.12 Modal Axiomatic Classes

Definition 1.12.1 // T C <? , F* = {F e 1) : T \= a all a F}.
A class of descriptive frames is modal axiomatic iff it is F* for
some F C <. A class is modal elementary iff it is a* for some a $
(where a* = {a}*).
If A is a set of MA polynomial identities,
A* = {21 e m : 21 1= 6 all 6 E A}.
A class of MA's is equational iff it is A* for some A.
If X is a class of descriptive frames,
X+ = {21 e OH : 21 a f+ for some T e X}.
The purpose of this section is to characterise in terms of frame construc-
tions the modal axiomatic and modal elementary classes of descriptive
frames.
Theorem 1.12.2 Let X be a class of descriptive frames closed under
isomorphism. Then X is modal axiomatic iff X+ is equational.
Proof. Suppose X = F*. Define A - {(ha = 1) : a e F}. Since in
general T is semantically equivalent to J7+, clearly X+ C A*. Now let
21 e A*. But 21 S (21+)+ (1.10.3) and 21 is equivalent to 21+ (1.10.4).
Since 21+ is descriptive, 21+ F* = X, and so 21 X+. Thus X+ = A*
is equational.
Conversely, suppose X+ = A* for some A. As explained in 1.2.1,
each member of A may be presumed to be of the form ha = 1 for some
a 6 . Let P = {a : (ha = 1) e A}. If T X, F+ e X+ = A" so
X C F*. Now suppose T e F*. Then F+ e A* = X+, so F+ S g+ for
some Q X. But then (J 7+ )+ = (G+)+ so by 1.10.7 f ^ Q. Since X is

closed under isomorphism, f 6 X. Hence X = 71* is modal axiomatic.
D
To obtain our characterisation, we need two new concepts. We saw in
Section 1.9 that ultraproducts and infinite disjoint unions of descriptive
frames need not be descriptive. We therefore introduce
Definition 1.12.3 Let {Fi : i 1} be a collection of frames. Then
(1) the descriptive union of the Ti 's is the frame
E ?i ifIis finite
((E?i)+)+ if I is infinite.
(2) if G is an ultrafilter on I, the descriptive ultraproduct of the
Ti 's over G is the frame
G if TG e S
.F+)+ if FG$S).
By 1.10.5 we always have fg^Ff e 2). In general f is equivalent
semantically to (J- + )+ (1.10.6) so the new constructions are validity
preserving, i.e. 1.6.4 and 1.7.13 hold with f, F, in place of Fi, TG.
isomorphism. Then
(1) X is closed under subframes only if X+ is closed under homomorphic
images;
(2) X is closed under homomorphic images only if X+ is closed under
subalgebras;
(3) X is closed under finite disjoint unions only if X+ is closed under
finite direct products;
(4) X is closed under descriptive unions only if X+ is closed under
direct products;
(5) X is closed under onto inverse limits only if X+ is closed under
one-one direct limits.
Proof. A subframe (homomorphic image) of a descriptive frame need
not be descriptive, so by "X is closed under subframes (homomorphic
images)" we mean that if T e X and T\ C T (Tl =$ f} and ^ S,
then FI X.
Now in general if 21 X+, 21 = T+ for some T e X, so 21+ *
+
(f )+ ^ T (1.10.7) and since X is closed under S, 2t+ X.
(1) Suppose 21 6 X+ and *B is a homomorphic image of 21. Then by
1.10.9(3) and 1.5.3(2) 03+ is isomorphic to a subframe of 21+ X.
But X is closed under subframes and isomorphism, so 03+ 6 X.

Since (03+)+ S 53 (1.10.3), it follows that 03 X+.
(2) Suppose 03 is a sub-AL4 of 21 6 X+. By 1.10.9(2) (with ip = id<s)
03+ is a homomorphic image of 21+ e X. Thus 03+ X, so as in
(1), B e X + .
(3) Let {2li : t /} C X+. By 1.6.5 (21,+ )+ = Il((^+) + ) = 11^
(1.10.3) and each 2li+ 6 X. If / is finite, by hypothesis 2li+ 6 X,
(4) Suppose 21?+ e x. Then (2l+)+ =
(5) Let {21; : i 7} U {^>j : i < j} be a one-one direct family in X+ (i.e.

all the Vj's are injective). By 1.10.9 {2li+ : i /} U {Q* : i > j}
is an onto inverse family of descriptive frames (i.e. the <3*'s are
onto), where Q^ = (^)+- By hypotheses 21^, the inverse limit
of the 2li+'s, is in X. But by 1.11.6 (21+)+ is isomorphic to the
direct limit of the (2l;+)+'s, which by 1.10.3 is clearly isomorphic
to the direct limit of the 21; 's, and so the latter is in X+.
a
We note that the converses of Theorem 1.12.4 are all true. The
results as proven however suffice for the applications we have in mind.
Theorem 1.12.5 A class of descriptive frames is modal axiomatic iff it
is closed under subframes, homomorphic images, and descriptive unions.
Proof. We have seen that these three constructions preserve the validity
of modal wffs, and so necessity follows. For the converse, suppose X
is closed under the three given constructions and so by 1.12.4 X+ is
closed under subalgebras, homomorphic images and direct products. By
Birkhoff's Theorem on equational classes (cf. [39, p. 171]), it follows that
X+ is equational and therefore by 1.12.2 that X is modal axiomatic. D
To obtain a characterisation that does not involve the rather ad hoc
notion of descriptive union, we appeal to a result of Tarski [93] that
equational classes of algebras of finite type (which MA's are) are charac-
terised by closure under subalgebras, homomorphic images, finite direct
products, and unions of chains of algebras.
Theorem 1.12.6 A class of descriptive frames is modal axiomatic iff it
is closed under subframes, homomorphic images, finite disjoint unions,
and inverse limits.
Proof. We saw in 1.11.4 that inverse limits are validity preserving, so
necessity follows as before. For the converse, if X is closed under iso-
morphism and inverse limits, then in particular X is closed under onto
inverse limits, so by 1.12.4(5), X+ is closed under one-one direct limits.

But the union of a chain of algebras is isomorphic to a one-one direct
limit of algebras isomorphic to the members of the chain [50, p. 116].
Since by definition X+ is closed under isomorphism, it follows that X+
is closed under chain unions. The rest of the proof goes through, via
1.12.4 and Tarski's result, as for 1.12.5. D
We turn now to modal elementary classes.
Theorem 1.12.7 Let 91 be an equational class of MA's. Then the fol-
lowing are equivalent:
(1) 91 = <5* for some identity 8.
(2) c9l = {21 9JI: 21 91} is closed under ultraproducts.
Proof. (1) = (2): Suppose {21; : i E 1} C c9l and VI = 6*. Then
for any ultrafilter G on 7, {i : 21; (= 8} = 0 ^ G so by Los's Theorem
H 2l/G * 6, hence H %i/G & c9l.
(2) => (1): We have 91 equational, so 91 = 4* for some set of iden-
tities A. It follows that 91 and c9l are closed under isomorphism, and
by Los's Theorem that 91 is closed under ultraproducts. If further c9l
is closed under ultraproducts, then by [4, Theorem 7.3.11] 91 is an ele-
mentary class in the first order language of MA's, i.e. 91 = 6* for some
sentence 6 in this language. Thus A* =6*, so by the Compactness
Theorem for first order logic, AQ = 6* = 91 for some finite A0 C A.
But any finite set of MA identities is equivalent to a single identity
(91 (= (ha = 1) & (hp = 1) iff 911= (ft aA/3 = 1)), and so (1) follows.
D
Theorem 1.12.8 Let X be a class of descriptive frames that is modal

axiomatic. Then X is modal elementary iff X+ is closed under ultra-
products.
Proof. If X is modal axiomatic, then by 1.12.2 X+ is equational. But
by the proof of 1.12.2 we also have X = a* iff X+ = (ha = I)* and so
the result follows by 1.12.7. D

isomorphism. Then cX = {J" 6 1) : T X} is closed under descriptive
ultraproducts only if cX+ is closed under MA ultraproducts.
Proof. Suppose {21; : i 1} C cX+. By 1.10.3 there exists ^ 6 S
such that F? ^ 2l, all i /. Then Ti i X, or else 21; e X+. K G
is an ultrafilter on /, then by 1.7.8, f =U^/G H.%.i/G, whence
by 1.12.3(2) we have in general (^"G)+ - T[^/G- But by hypothesis
F$, e cX. Now if IlSli/G e X+, U%i/G S + for some Q &X. Thus
)+ * g+. But from this, as in the proof of 1.12.2, we get J X,

a contradiction. Hence n%i/G cX+. D
Theorem 1.12.10 A class X of descriptive frames is modal elementary

iff X is closed under subframes, homomorphic images, and descriptive
unions (or finite disjoint unions and inverse limits) and cX is closed
under descriptive ultraproducts.
Proof. Necessity uses 1.7.13 in addition to previous cases. Sufficiency
follows from 1.12.5, 1.12.6, 1.12.9 and 1.12.8. D
In order to consider modal axiomatic classes of nondescriptive frames
we recall that any frame T is semantically equivalent to (J"+)+, and so
any axiomatic class will contain one iff it contains the other. This con-
dition (which by 1.10.7 is automatically satisfied by a class of descrip-
tive frames closed under isomorphism) turns out to be precisely what is
needed to generalize our discussion. We leave it to the reader to modify
the preceding results of this section to obtain proofs of the following.
Theorem 1.12.11 A class X of (refined) frames is modal axiomatic iff
(1) T e X iff (F+)+ 6 X for any (refined) frame T, and
(2) X is closed under disjoint unions, (refined) subframes, and (refined)
homomorphic images.
Furthermore X is modal elementary iff it satisfies (I), (2) and
(3) the class of (refined) frames not in X is closed under ultraproducts.
1.13 Characteristic Models Revisited

We observed in Section 1.2 that the Lindenbaum algebra for any normal
modal logic determines that logic but that the canonical K-frame does
not always enjoy this property. The construction of 1.2.5 can however
be adapted to provide each logic with a characteristic model in the first-
order semantics.
Definition 1.13.1 If A is a normal logic, the canonical frame for A
is
FA = (WA,RA,PA),
where
(i) (WA,RA) is the canonical K-frame for A (cf. 1.2.5), and
(ii) PA - {\a\A : a $} (cf. 1.1.2).
Note that the canonical valuation VA(P) = \P\A of 1.2.5 is a valuation on
There is known to be (cf. Rasiowa and Sikorski [74, VII 9-10])

a bijective correspondence between yl-maximal sets and ultrafilters in
2U, the Lindenbaum algebra for A. This, together with the obvious
similarities between Definitions 1.13.1 and 1.10.1 leads to
Theorem 1.13.2 2U+ = FA
Proof. Define Q:WA^> W<nA by Q(x) = {\\a\\A : a x} (cf. 1.2.2). Q is
the bijection given in [74]. Using 1.10.1, 1.2.2 and 1.2.5, it follows easily
that xRAy iff Q(x)R<aAQ(y), and that for a 6 <?, Q(\a\A) = \ \\a\\A\**,
and hence that S Pi iff Q(S) Pm". D
Corollary 1.13.3 FA is descriptive.

Proof, 1.10.5 and the preservation of "descriptiveness" under isomor-
phism. D
Theorem 1.13.4 FA strongly determines A.

Proof. If not F \-A a, by 1.1.3 and 1.2.6 VA(F) < VA(a), hence by
1.8.2(2) r PA a(FA). On the other hand if P \-A a, then \-A f3 -> a
where /? is the conjunction of some finite subset of P. But 2l/i determines
A, so 2U \= ft -> a whence by 1.10.4 and 1.13.2, FA \= 0 -> a. Then for
any V on TA, V(F) C V(/3) C V(a), so P |= a(j^). D
As a further illustration of the structural properties of descriptive
frames, we include the following result.
Theorem 1.13.5 Let V be a valuation on a descriptive frame T =
(W,R,P). If Av = {a : V(a) = W}, then there is a homomorphism
from (W, R) onto the canonical K-frame for KAv.
Proof. Let (W',R') be the canonical frame for KAv. Define Q : W ->
W by Q(x) - {a : x V(a)}. Clearly Av C Q(x) and for any a $,
a G Q(i) iff -ia ^ <5(x), so Q(x) is KAv-m&ximal as required. To show
that Q is onto, let y be a .fiT<dv-maximal set. Put P0 = {V(a) : a 6 t/} C
F. Then PO is closed under finite Pi's, so if PO does not have the fip, for
some a 6 y, V(a) = 0, whence V(->a) = W, so ->a e Av and therefore
-ia G y, contrary to the -ftT/iti-consistency of y. Since ^ is descriptive,
it follows by 1.9.3IV that there exists x{]P0. Then clearly y C Q(x),
so by properties of maximal sets, Q(x) = y.
Now if xRy, Da Q(x) only if x 6 V(Da), only if y V'(a), only
if a Q(y). Hence Q(x)R'Q(y) (1.2.5(ii)).
Finally suppose Q(x)R'z, where 0 W. Let P0 = {5 P : a;
fe(5)} U {F(a) : a 2}. If P0 does not have the fip, there exist S P
such that a; e ln(S), and a 2 such that S C -V(a), so ifl(5) C
lR(-V(a)) = y(D-ia). Since a: / fl (5) we obtain x V((IHa), i.e.
D-IOJ Q(x). But Q(x)R'z, so -ia 6 z, contrary to the fact that a 6 z.

Hence there exists some y 6 P| PO- From the definition of PO we have, by
Axiom II, xRy and, as above, Q(y) = z. Thus Q is a homomorphism.
D
In the context of AT-frames, this result may be adapted as follows:
Theorem 1.13.6 Suppose T = (W,R) |= a, and V is a valuation on
T for which the frame TV = (W, R, Py) of 1.3.6 is descriptive. Then T
is isomorphic to a subframe of Tâ
Proof. Define Q : W - WKa by Q(x) = {/3 : x e V(/3)}. Since T |= a,
<3(z) is /fa-maximal as required. The proof of 1.13.5 shows that Q is
a homomorphism into Wxa- Now if x ^ y W, then by Axiom I,
since TV is descriptive there is some /8 6 $ such that a; e V(/3),?/ $
V(/3). Then /3 Q(x) - Q(y). Hence Q is injective, and so maps T
isomorphically into Tâ. D
In view of 1.13.6 we introduce
Definition 1.13.7 A logic A is super-complete for a class <t of K-
frames iff
(i) \-A a only if\=a,
and
(ii) every A-consistent set of wffs is satisfiable on some T <t by a
valuation V for which TV is descriptive.
Theorem 1.13.8 If Ka is super-complete, then Tâ |= a.
Proof. Suppose Ka is super-complete for a class of .^-frames. If
FK* ^ a then for some v on FKC, and x wKa, x < V(a). But then
by 1.4.11, Fx a, where Tx is the subframe of T$a generated by x.
Now x is ATa-consistent, so for some T there is a V on T such that
TV is descriptive, and for some t F, t 6 V(x). By 1.13.7(i) T (= a,
hence by 1.13.6 .F is isomorphic to J-Q C Tâ by a map Q. By 1.5.6,
TQ |= a. But by the maximality of x, x Q(t) TQ, and so Tx is a
subframe of JQ. Thus by 1.4.10, Tx |= a, a contradiction. D
Note that the above proof still works if Q is merely a homomorphism
(by 1.5.5). Hence 1.13.8 still holds if super complete is replaced by a
weaker notion obtained from 1.13.7 by requiring that TV satisfy only
Axioms II and III for descriptive frames.
1.14 d-Persistent Formulae

Much of the early work with possible worlds semantics was devoted to
establishing that various modal logics were determined by particular
classes of /C-frames that were specifiable by some reasonably simple

mathematical property, e.g. a first-order condition on binary relations.
This program has now been carried out for all the significant logics that
had been developed at the time of Kripke's work, and many more besides
(cf. [47, 59, 86]). Recently Thomson [97] and Fine [13] demonstrated
that there exist normal logics that are not determined by any class of
JsT-frames at all (thereby refuting a conjecture of Lemmon and Scott
[59]). Subsequently there has been a shift of emphasis in research into
modal logic. One of the major topics of current concern would seem to be
the adequacy of the second-order semantics. Which formulae axiomatise
logics with characteristic /f-frames? In this section we provide a partial
answer to that question.
Definition 1.14.1 a $ is d-persistent iff for all frames T =
(W,R,P), ifF\=aandF is descriptive, then (W,R) (= a. Let
D = {a 6 $ : a is d-persistent}.
For d-persistent formulae we have the following extension of the com-
pactness results of Section 1.8.
Theorem 1.14.2 // F C D and 8. is the class of all K-frames, then
r |=o a() only if F' \=0 a() for some finite F' C f.
Proof. If r" PQ <*(), all finite /"" C F, then using full frames we have
for all such F', F' J^0 (), where is the class of all first order frames.
Hence, by 1.8.4(2), there is T such that T (= F and not F |= a. By
1.10.6 it follows that there is a descriptive T1 = (W',R',P') such that
T1 (= T and T1 P a, hence (W',R') * a. But F C D, so, by 1.14.1,
(W',R?) (= T. Thus rô a(). D
Theorem 1.14.3 If F C D then the logic KF is strongly determined
by the K -frame T^r-
Proof. We have seen previously that A Y-KT ot only if VKF(A) <
VKr(a), whence A P a(F$r). But TKr (= F (1.13.4), TKr is de-
scriptive (1.13.3), and F C D, so by 1.14.1 T$r (= F. Thus all the
axioms of KF are valid on f^r Since the rules of inference of normal
logics are validity preserving on /^-frames, all the theorems of KF are
valid on T$r. So if A \~KT , then \~KT (3 -+ a, where f) is a conjunc-
tion of members of A. Then J~xr N ft ~* a> f rom which it follows, as
in the proof of 1.13.4, that A [= a(F%r). D
1.14.3 does not completely encompass our problem, since there are
logics with characteristic /^-frames and non-persistent axioms (cf. Sec-
tion 1.18). Nevertheless, the concept of d-persistence is a useful one, for
the properties of descriptive frames allow us to find wide-ranging syntac-
tic criteria that are sufficient for a formula to be valid on its associated
canonical frame.
Definition 1.14.4
(1) a 6 $ is constant iff h is a constant function on any MA 21,
i.e. iff V(a) V'(a) for any valuations on the same frame, a is
atomic iff it is either a variable or a constant wff.
(2) a is positive iff it is formed from atomic wffs using only A, V, D, O.
n denotes the set of positive wffs.
(3) a is a O-string iff for some k N and some variable p, a ~ Dkp.
Similarly, a O-string is a wff of the form O fc p. (Note that with
k = 0, each variable is both a O-string and a O-string). a 6 IT
is O -positive iff the only occurrences of D in a are within D-
strings. n<> denotes the class of <C> -positive wffs. Similarly, the
class IIa of D-positive wffs consists of those a II whose only
occurrences o/O are within O-strings.
The class of constant formulae can be described syntactically as follows:
Theorem 1.14.5 Let C be the smallest subset of $ satisfying
(i) every instance of a PC-tautology is in C,
(ii) a e C only if ->a, Da C,
(iii) a, /3 e C only ifa/\/3&C.
Then 0 E. $ is constant iff \~K 0 -* o. for some a C.
Proof. It is clear that each member of C is constant and therefore
anything deductively equivalent to a member of C is constant (because
VK (3 - a only if /$ = h%, any 21).
Conversely, for each variable p, let ap be a PC tautology. Suppose
that /? is constant. Let (3' be obtained by replacing each p in /3 by ap.
Then clearly /?' 6 C. If not !-# (3 <-> /?', by the completeness theorem for
K [59, Section 2] there exists a V on some /f-frame such that V(/3) ^
V(/?') Choose a valuation V on this frame such that V'(p) = W =
V(ap). Then a simple induction shows that V'(/3) = V(fi') ^ V(/3), so
/? is not constant, contrary to hypothesis. Thus (-#/?<- /3' as required.
D
We note that 1.14.5 would seem to be the "best possible" result, for
there are constant wffs not actually in C, e.g. (Dp A Dg) > D(p A g).
We saw in Section 1.10 that within isomorphism every descriptive
frame is 2l+ for some MA 21. Thus the question of d-persistence is
equivalent to that of determining which MA polynomial identities are
preserved in passing from an MA to the power-set algebra of its as-
sociated frame. This problem was considered for BA's with additive
operators by Jonsson and Tarski [48] (cf. also Section 2.8 of [42]). The-
orem 2.18 of [48] may be interpreted as proving d-persistence for any
wff constructed from atomic ones using only A, V, O. We now propose
to develop and expand the Jonsson- Tarski techniques to show that the
property is possessed by a much wider class of wffs.
Theorem 1.14.6 For any a II, ho, is a monotonic function, i.e.
a,i < hi only if ha(.. .a; . . .) < ha(. . .6, . ..).
Proof. By induction on a. From a < b we may infer a n c < b n c,
a U c < & U c, ma < mb, la < Ib. D
From now on we assume that T = (W, /?, P) is a descriptive frame, T
and are as in 1.9.4 and a <? has a single variable, i.e. ha is a one-place
function on F+ . The reason for the latter restriction is simply expository
clarity. All proofs may be adapted with only technical modifications to
wffs with any number of variables.
Theorem 1.14.7 If a II,
(1) For a r, ha(a) = U,o&6p M&),
(2) For a C, ha(a) = n a c b p M&)-
Proof.
(1) By 1.14.6 the result holds from right to left. We prove the converse
by induction on a.
(i) If a; hp(a) = a, by definition of T there is some b & P such
that b C a and x b = hp(b). If a is a constant wff, with
ha = 6 identically for some 6 C W, then t ha(a) = b only
if t e /ia(0) = b and a D 0 e P.
(ii) If t G ftaA/?(a) = ha (a) n hp(a) then by IH there exist bi, 62
P such that a D &i, a D & 2) * ha(bi) and t 6 hp(b2).
Then by 1.14.6 ha(bi) C ha(bi U6 2 ), Mfc) ^ M6i ^62), so
* /iaA/3(6i U 62) and a D 61 U 62 P.
(iii) If i /iav/3(a), then say t 6 ha(a), so by /ff, for some a D
6 P, t /i a (&) C hay/3(b).
(iv)
/i0a(a) = m fi (/i a (a))
= fi(UaD6 6 pM&)) (/H)
= UDfc 6 p(H(/la(6))) (1-9.6(2))
(v) If t ftna(o) = Ifl(/i(a)), then by /# and 1.9.9(1), for some

c C . * fo(c) and c C ha(a) = \Ja^bePha(b). But b
P only if ha(b) P, so by 1.9.4(5) there exist &!,...,&
such that a D 6; P, and c C /i a (6i) U ... U ha(bn) C

/ i 0 ( 6 i U . . . U 6 n ) (1.14.6) so t e k(c) C / i D a ( 6 i U . . . U 6 n ) a n d
a D 61 U ... U bn P.
(2) This is proven by a similar induction using 1.9.9(2) and 1.9.4(6).
D
Theorem 1.14.8
(1) I f a /To, then for all aCW, ha(a) = \Ja^b<;ha(b).
(2) If a e /7D, i/ien/or a// a C W, ha(a) = DaC6 6 r /l (6).
Proof.
(1) Again by 1.14.6, the inclusion from right to left follows. Conversely
(i) For D-strings:
The case for constant wffs is similar to 1.14.7(l)(i), but using

0eC
(ii) If i ha^(a) = ha(a) n hp(a), by IH there are 61,63 C
such that a D 61,62; e ft<*(6i) and i ^(62). Then, as
in 1.14.7(l)(ii), t ha^(bi U 6 2 ), and a D 61 U 62 C by
1.9.4(3).
The cases of V and D follow in the manner of 1.14.7(1).
(2) By a similar induction, using 1.9.9(2) for O-strings.
n
Theorem 1.14.9 If a 77, then for all aCW,
(1) ha(a) D
(2) Ma)c
(3) / l - , a ( o ) D
Proof.
(1) 1.14.6 and 1.14.7(2).
(2) 1.14.6 and 1.14.7(1).
(3) By (2), antitonicity of , and De Morgan's Laws.
n
Theorem 1.14.10 For all aCW,
(1) a e T/o only if ha(a) = UaD&ec(fi&CcepM c ))>
(2) a //D only if ha(a) = r\aCber(\JbDc^phc-(c))-
Proof.
(1) 1.14.8(1) and 1.14.7(2).
(2) 1.14.8(2) and 1.14.7(1).
D
Theorem 1.14.11 /? & $ is d-persistent if it is equivalent in K to an

a $ that satisfies any of the following:
(1) a 77,
(2) a = -17 with 7 II,
(3) a = 7 -> 6 with 7 Ho, 5 77,
(4) a = 7 > 6 with 7 II , 6 HQ ,
(5) a is a conjunction of wffs satisfying (l)-(4).
Proof. Let T = (W, R, P) be a descriptive frame with J- \= a. Then
(*) ha(a)=W, all a P.
(1) Let a 77. Then if a C W,
/) (n^ -J
lla\u>) (C\l&CcSP ha \(r}}
D IUaD&eCv!
I W'
// ~
by 1.14.9(1) and (*). (Note that for any a, a D 0 C , a C W P).
Thus (W, R, 2W) |= a as required.
(2) Similar to (1), using 1.14.9(3).
(3) If T (= 7 -> ft, /i7(a) C hs(a), all a P, so for any aCW,
i.e. by 1.14.10(1) and 1.14.9(1), 7i7(a) C /i6(a). Thus (W,7?) |=
(4) Similar to (3), using 1.14.9(2) and 1.4.10(2).

(5) f |= a A13 iff T |= a and .F |= 0 for any frame J".
D
It should be noted that (2) and (4) are obtainable as corollaries of
(1) and (3). If a 77, let a, the dual of a, be obtained by interchanging
V and A, D and O. Let a' be the result of negating all the variables in
a. Then a is semantically equivalent to a' (ha'(a) = ha(a')). But -<a
is equivalent to (a)', which is equivalent to a 77, so (1) implies (2).
Since a 77<> iff a 77a, (4) then follows from (3).
1.15 A General Characterization Theorem

Many of the logics with characteristic Ti'-frames are determined by
classes of frames that are definable by a first-order condition on binary
relations. Not all logics enjoy this property (Section 1.17). While not all
d-persistent formulae are first-order definable (and conversely, cf. Section

1.18), many of them do have elementary characterizations, as we shall
show by proving the first-order definability of an axiom schema devised
by Lemmon and Scott [59] that forms a special case of 1.14.11(3).
Definition 1.15.1 Let a(pi,... , p k ) be a positive formula and
n = (HI,. . .,nk}
a k-tuple of natural numbers. If (W, R) is a K-frame and
t = (t1,...,tk)Wk,
define a first-order condition Ra(x,t,n) on (W, R) by recursion as fol-
lows:
Rpi(x,t,n) iff t,Rn'x (i<k)
Ra/\p(x,t,n) iff Ra(x,t,n) and Rp(x,t,n)
Ravp(x,t,n) iff Ra(x,t,n] or R0(x,t,n)
Raa(x,t,n) iff for a l l y , xRy only if Ra(y,t,n)
#o a (a;,,n) iff for some y, xRy and Ra(y,t,n).
Given a pair n = (ni,...,nk) and m = (mi,...,mk) of k-tuples of
numbers, we define the Lemmon-Scott axiom a to be the wff
Omi D ni pi A ... A O mfc ankpk -> a(pi,... ,p fe ).
Corresponding to a is the condition
Ra :VxVt1...Vtk(xRmit1/\.../\xRmktk => Ra(x,t,n)).
Theorem 1.15.2 If V is a valuation on (W,R), Ra(x,t,n)and i,
V(On'pi) (i < k), then x e V(a).
Proof, By induction. If a = pi we have tiRnix, ti e V(nnipi) and hence
x V(pi). For the case of a = D/3, we have xRy only if Rp(y, t, n). But
ti 6 V(nn*pi) so by IH, xRy only if y e V(/3). Hence x e V(O/3). The
other cases are equally straightforward. D
Corollary 1.15.3 f= (W,R) \= a iff satisfies Ra.
Proof. Suppose x e V(f\i<k O mi D ni pi) for x 6 W and V any valuation
on T. Then there exist t~(i < k) such that xRm*ti and ti V(nnipi).
Since f satisfies Ra, we have Ra(x,t,n). Then by 1.15.2, x e V(a).
Thus x V(a%) for any x and V, hence T \= a. D
Theorem 1.15.4 For each ti (i < k), let Si = {y : tiRn>y}. Then
x 6 /i Q (Si,...,5fc) only if Ra(x,t,n).
Proof. If Q = pi, by the definition of/i pi , we have a; Si, whence tiRHix,
i.e. Rpi(x,t,n). If a; G /iQAj3(S), then x ha(S) and x /i^(S), whence
by IH, Ra(x,t,n) and Rp(x,t,n), so Ra^/}(x,t,n).
If x hoa(S), then xRy only if y ft(5) only if Ra(y,t,n) (IH).

Hence Raa(x,t,n).
The cases of V, O are similar. D
Corollary 1.15.5 T satisfies Ra if F \= a.
Proof. Suppose xRmiti (i < k). Choose a V such that V(pi) = Si as
in 1.15.4. Then U V(Dnipi), so x V(O m 'D n 'p;) for i < k. Since
T |= a, x V(a) = M^(Pi),---,^(Pfc)) (1-3-2). Hence by 1.15.4,
Ra(x,t,n). D
We shall now see that Corollary 1.15.5 holds for descriptive frames
as well as .RT-frames.
Theorem 1.15.6 IjT (W,R,P) is descriptive and a(pi,.. . p k ) II,
Ra(x, t, n) iff {ha(. .. a*...) : a< P onoUi e 1% (a;) (i < k)} C Px.
Proof. We give the proof for k 1.
(i) For a = p, we require tRnx iff {a P : i l(a)} C Px. But this is
given by 1.9.6 and 1.9.7.
(ii) If Rayp(x,t,n), then say Ra(x,t,n) (the case Rp(x,t,n) is anal-
ogous). Then t /(a) only if ha(a) Px (IH), only if
ha(a) U /i/3(a) = haV/3(a) Px.
Conversely, if not Ravp(x,t,n) then Ra(x,t,n) and Rp(x,t,n)
both fail. By /H there are a,b 6 P such that /(a), *(&) e Pt,
but ha(a),hp(b) < Px. Let c = a n 6 P. Then i /(c) =
I
R(O) n ifi(&). By 1.14.6 ha(c] C fta(a) and ^(c) C ^(6). So
feav/j(c) C ha(a) U ^(6) ^ Px (1.7.1(6)).
(iii) Suppose R<>a(x,t,n). Then for some y, xRy and Ra(y,t,n). Then
i I(a) only if j/ /ia(a) (/ff), only if a; m R (/i a (a)) = /i<>c(a)-
Conversely, suppose
(*) t /(a) only if /i O a(a) Pa;, all a P.
Let Po = {a P : x fe(a)} U {ft a (fe) : 6 P and t $(6)}.
Then if PO does not have the ftp there exist a,ha(bi),... ,ha(bn)
such that x IR(O), t l^(bi) (i < n) and a n (flisjnMM) = 0
. Then by 1.14.6, a n ha(b) = 0 , where b = fl^rA 6 P. Then
we have lR(a) C i/j(-/i a (&)) = ~h<>a(b). But iê fe(o), so a; ^
/i 0a (&). Since i /^(6) = Hi^n'flî)' this contradicts (*). Thus
PO has the fip, so by 1.9.3 IV there exists y f|-Po- Then from the
definition of PO, Axiom II, and IH, we have xRy and Ra(y,t,n).
Thus R<>a(x,t,n) as required.
The cases of A and D are straightforward and will be omitted. D
Corollary 1.15.7 // f |= a, and F is descriptive, then (W, R) satis-

fies Ra.
Proof. Let xRm'ti (i < k). Then if U e l^(on) (i < k), where a* P,
we have x m^ f (0^). Since T ^= a, we then get x ha(. . . a; . . .).
Thus by 1.15.6, Ra(x,t,n). D
Corollary 1.15.8 a is d-persistent.
Proof. 1.15.7 and 1.15.3. D
Corollary 1.15.9 Ka is strongly determined by the class of all K-
frames satisfying Rot.
Proof. 1.15.3, 1.14.3. D
Corollary 1.15.9 solves a conjecture of Lemmon and Scott. It is
indeed a wide-ranging result. The Lemmon-Scott axioms include as
special cases the Hintikka schemata of [59] , which Segerberg [86] observes
"cover most of the 'ordinary' systems in the literature."
1.16 First-Order Definability

Let fR be (the set of sentences of) the first-order language with equality
and a single binary predicate letter. The appropriate structures for this
language are precisely the /sT-frames (W, R). In this section we establish
conditions under which modally characterised classes of K-frames can
be axiomatised by sentences of *R. The converse problem will be taken
up in Section 1.20.
Definition 1.16.1 If a is a modal wff or an ^.-sentence, let &(a) =
{F 6 R : F |= a}, where 8. is the class of all K -frames.
(For a SH, T \= a means that a is true in J- in the standard
first-order sense (cf., e.g. ,[4, p. 56])).
If T is a set of wffs (^-sentences) let & (F) = { F 6 : T (= T} =
// X C ^ we write:
X EC (X is elementary) iff X = (a) for some a fH;
X 6 EC A (X is A- elementary) iff X is the intersection of a set of
elementary classes;
X e ECs (X is S-elementary) iff X is the union of elementary
classes;
X 6 ECsA (X is SA-elementary) iff X is the intersection of S-
elementary classes, or equivalently iffX is closed under first- order
semantic equivalence.
For modal characterisations, we write X E MEC iff X = fi(a) for some

a 6 <, and X MAC iff X = fi(r) for some FC&.
In what follows we will need the following facts about model classes
(here X denotes - X. Proofs may be found in [4, Chapter 7]).
(A) X EC iff X and -X are both closed under isomorphism and
ultraproducts.
(B) X EC A iff X is closed under isomorphism and ultraproducts and
-X is closed under ultrapowers.
(C) X ECs iff -X EC A iffX is closed under ultrapowers and -X
is closed under isomorphism and ultraproducts.
(D) X ECsA iff X and X are closed under isomorphism and ultra-
powers.
Theorem 1.16.2
(i) X MEC only if X is closed under ultraproducts.
(ii) X MAC only if X is closed under ultrapowers.
Proof.
(i) Suppose X = fi(a) for some a <P, {T{ : i /} C -X, and G is an
ultrafilter on /. Then {i : ft \= a} = 0 i G, so by 1.7.14 TG a,
whence J-Q X.
(ii) Suppose X = R(F) for some F C $, and f'/G is an ultrapower of
T e -X (i.e. TlfG = UFi/G where T{ = T a l i i e /). Since
J" ^ X, ^"^ a for some a T. Then as in (i), T1 fG a, whence
^/G J^ T and so ^ 7 /G e -X.
D
Corollary 1.16.3
(i) If X E MEC, then X 6 EC zjff X is closed under ultraproducts.
(ii) // X 6 M^4C, i/ien X 6 EC/i z^ X is closed under ultraproducts.
Proof.
(i) If X MEC (indeed if X MAC) then X and -X are closed
under isomorphism (1.5.6). The result then follows from 1.16.2(i)
and (A) above.
(ii) Similar to (i), using 1.16.2(ii) and (B).
D
Since /\-elementary classes are closed under ultraproducts, it follows
from 1.16.3(i) that any X MEC is Zi-elementary only if it is elemen-
tary. Recently this result has been improved by van Benthem [101] to
replace "Zi-elementary" by "U/i-elementary". We will present an alter-

native proof of this result, but first we undertake an analysis of MAC
classes, using
Theorem 1.16.4 Let X be a class of K -frames closed under isomor-
phism, subframes, disjoint unions and ultrapowers. Then X is closed
under ultraproducts.
Proof. Suppose { Ti : i /} C X and G is an ultrafilter on /. We define
first a map 0 : ft W{ -> ( Wi)1 , where
U ieJ Wi x {i}
is the disjoint union of the WVs (cf. Section 1.6). If / H Wi> we Pu^
6(f)(i) = ( f ( i ) , i ) . It is easy to see that / ^g only if 0(f) ~ 0(g) (cf.
1.7.3) and so the correspondence 6 : f i 6(f) is a well defined injec-
tion of HWi/G into (J^WiY/G. We leave it to the reader to verify
that 9 satisfies 1.5.1(1) and (2). Hence (1.5.3) 9 establishes an isomor-
phism from the ultraproduct TJ Jî/G onto a subframe of the ultrapower
(Y, Fi)1 /G of the disjoint union Y,î- The closure conditions assumed
to hold for X then give J] fi/G & X. D
Theorem 1.16.5 If X e MAC then the following are equivalent:

(i) X EC,
(ii) X
Proof. Obviously (i) implies (ii). To establish the converse it suffices by
(A) and (C) to show that X EC^ only if X is closed under ultraprod-
ucts. But X e MAC, so if X is also Z'-elementary it satisfies all of the
closure conditions in the hypothesis of 1.16.4. The required conclusion
is then given by that Theorem. D
Theorem 1.16.6 If X E. MAC then the following are equivalent:

(i) X EC A,
(ii) X e ECSA,
(iii) X is closed under ultrapowers,
(iv) X is closed under ultraproducts.
Proof. That (ii) follows from (i), and (iii) from (ii) is standard, (iv)
follows from (iii) by 1.16.4, since X MAC. Finally 1.16.3(ii) yields (i)
from (iv). D
Theorem 1.16.7 There exists an X MAC such that X e ECA but

X(EC.
Proof. Let X R(A), where A = {an n > 1} and for each positive
integer n, an is the sentence
Opi A . . . A Opn -> O(Opi A ... A Opn).
Each Qfra is a Lemmon- Scott axiom as defined in Section 1.15, and so by
1.15.1, 1.15.3 and 1.15.5, &(an) = (/?) where /? is the ^-sentence
Vz.yi, . ,( /\ xRyi => 3z(a;JZz &
Thus we have X = fi(B) where B = {(3n : n > 1} and so X

To show that X $ EC we observe first that an is derivable from a m
if m > n by simply identifying variables, from which it follows that
(1) (/?m)C (/?) ifm>n.
To show that this inclusion is proper, consider for each n the frame Tn =
(Wn, R), where Wn = {0, 1, . . . , n + 1}, and R is the codiagonal relation,
i.e. xRy iff x ^ y . Then 0 has the n + 1 ^-successors 1 , . . . , n + 1 . Since
these are the only successors of 0, and none of them is related to itself,
we see, with x = 0, that Tn /3 n +i- On the other hand if a; Wn has
n successors yi,...,yn then by the cardinality of Wn there exists in Wn
some z ^ x, y\ , . . . , yn. Then xRz and zRyi for i < n, whence Tn \= (3n.
It follows from (1) and the above example that
(2) X / R(pn), all n.
To complete the proof, suppose that X = &(B) 6 EC. Then by the
Compactness Theorem for first-order logic there is some finite BO C B
such that X = &(B0). Let n0 be the largest index of any any 0n 6 B0.
Then by (1)
which is a contradiction in view of (2). D

We thus see that the collection of MAC classes can be partitioned
into three categories: those satisfying the conditions of 1.16.5, those sat-
isfying 1.16.6 but not 1.16.5, and those having no first order semantic
description at all. However for MEC classes there are only two cate-
gories:
Theorem 1.16.8 (van Bentham [101]) If X MEC then the follow-
ing are equivalent:
(i) x e EC,
(ii) x e ECS,
(iii) X e ECA,
(iv) X e ECSA,
(v) X is closed under ultrapowers,

(vi) X is closed under ultraproducts.
Proof. If X MEC then X MAC, so the equivalence of (i) and (ii)
is given by 1.16.5, and the equivalence of (iii)-(vi) is 1.16.6. However
(i) implies (vi) in general, and the converse for X MEC is given by
1.16.3(1). D
1.17 The Logic KM

We come now to an application of the techniques developed so far to a
semantic analysis of the wff
M : DOp -> ODp,
one that has received considerable attention in the literature. In the
field of reflexive linear tense logic, M serves as an axiom for "ending"
or "beginning" time [85, p. 320]. The wff was used by Thomason [96] to
construct a consistent tense logic with no JC-frames at all. Lemmon and
Scott [59] showed that the logic K4M, where 4 denotes the transitivity
axiom Op D Dp, was (strongly) determined by the class of transitive
A'-frames satisfying
m : Vx3y(xRy and Vu;, z(yRw and yRz => w = z}).
They also established that KM itself was not determined by this condi-
tion, and left open the problem as to whether KM had a characteristic
class of -fiT-frames. An affirmative solution has recently been found by
Fine [14]. Of course a A'-frame validates M iff it satisfies
VS e 2wVx e W(Rx C mR(S) =>Rxn 1R(S) ^ 0),
so Fine's result may be interpreted as showing KM is simply determined
by the class of (finite) JC-frames satisfying this condition. In this section
we shall show that the condition cannot be replaced by a first-order one,
or even a set of first-order ones.
0
2
'O 3'O O O
Figure 1.17.1
Consider the class {Fn = (Wn,Rn) : n N} of finite K-frames, where

Fn is depicted in Figure 1.17.1. Formally we have Wn = WÛWÛW^,
where
Wl = {0}
Wl = {l,...,2n + l}
W* = {!',... ,(2n+l)'}
and Rn holds precisely in the cases
ORnj 1 < j < 2n + 1
IRnl', lRn2', (2n + l)Rn(2n + 1)' , (2n + l}Rn1'n
jRn(j - l)',jRn(j + 1)' K j < 2n + I
Now for any n N, Tn |= M. For clearly if Op is true at x W%, then

so is Op, hence M cannot be falsified at any point in W% U W%. But to
have M false at 0 we require p true at one and false at the other of the
two .Rn-successors of each point in W%- But because of the finiteness
and odd order of W%, no such valuation can be constructed.
Now let G be a non-principal ultrafilter on N, and FG the resulting
ultraproduct1. By Los's Theorem, any first-order (i.e. SH-expressible)
property that is true of almost all of the .Fn's will also be true of TQ-
Using this we can show that TQ is an infinite frame whose base set
WG is partitioned into three disjoint subsets WG, WG, Wj-,, where Wg
is a singleton whose member we continue to denote 0, WQ is the set
of .Re-successors of 0, and WQ is the set of .Re-successors of members
of WQ. Each member of WQ has itself as its only .R^-successor, and
is an .Re-successor of exactly two points from WG. Each member of
WQ has exactly two .Re-successors, and shares each of these with one
of two distinct points in WG that themselves have no .Re-successors in
common.
In fact WG U WG consists of an infinite collection of disjoint copies
of the graph depicted as follows.
1
The following description of the ultraproduct differs from that given in the original
version of this article, since the latter was not strictly correct, as pointed out by Bjarni
Jonsson.
It can then be seen that a valuation can be defined on Wa that has p

true at one and false at the other of the .Re-successors of each point
in WQ. In this valuation the wff M is false at 0. Accordingly we have
{n : Tn (= M} = N e G but To M, and hence:
Theorem 1.17.1 &(M) is not closed under ultraproducts, so is not
EGA, and M is not first-order definable. D
Note that the above construction gives the promised counter-example
to the converse of 1.7.14. Also, if f'n = (Wn,Rn,Pn) where Pn - 2Wn,
then {n : T'n (= M} = N 6 G, so by 1.7.13, (WG,RG,PG} (= M > and
so PG 7^ 2Wc Thus an ultraproduct of full frames need not be full.
Furthermore, this example is of the kind envisaged in the comments
after 1.9.11, and shows that an ultraproduct of descriptive frames can
be non-descriptive.
Now any logic has countably many non-theorems (since $ is denu-
merable) and so any characteristic class for a logic can be made countable
by retaining only one falsifying frame for each non-theorem. Further-
more, by the work on disjoint unions in Section 1.6, we may amalgamate
frames and preserve the characterisation. Thus since KM is determined
by a class of /('-frames, it will certainly be determined by such classes
other than (M) itself. We shall now prove that no such class can be
axiomatic.
For n N, let An C $ consist of the following wffs in the variables
Pa > , P2n+l, <7l, > <?2n+l
(I) Po
fc
(2) n ^po (i<fceN)
(3) --P! A ... A ->p2n+l
( 4 ) D fc H>! A . . . A - . p 2 n + l ) (2<fcGN)
(5) D(pi V . . . V p 2 n + i )
(6) Opi A ... A Op2n+i
(7) CHpiAp,-) (l<i^j<2n+l)
(8) D f c (giV...V 9 2 n + 1 ) (2<fcN)
(9) OV A . . . A O2(?2n+l
(10) Dfc-.(gi l\qj) (I O?i A O?2 A D(gi V q2))
(14) D(p2n+l -> O2n A Og2n+l A D^n V g 2 n+l))
(15) D(pj -> Oj-i A Oqj+i A n((/j_i V 9j+1)) (1< j < 2n + 1)
(16) ak(qj - O?j A Dqij) (1 < j < 2n + 1, 2 < fc e N).
Theorem 1.17.2 Let Tt = (W,R) be generated by t 6 W. If there

exists a V on ft for which t V(An), then Fn =4 Tt.
Proof.
Since t generates Ft, by 1.4.4
(17) for all z 6 W there is k N such that tRkx.
By (2), (17), x V(Po) iix^t. Hence by (1),
(18) V(Po) = {t}.
Now let S = {x: tRx}. By (1), (2),
(19) * 0 5.
By (3), (4), (17),
(20) V(Pj) C S for 1 < j < In + 1.
By (5), (20),
By (6),
(22) V(Pl) ? 0.
By (7), (20),
(23) V(Pi) n V(pj) = 0, for 1 < i ^ j < In + 1.
Hence by (20)-(23),
(24) the sets V(pi), . . . , V(p2n+i) partition S.
By similar reasoning, using (8)-(12) we obtain
(25) V(qi), ..., V(q2n+l) partition W - (S U { t } ) .
Thus by (19), (24), (25), for each x e W either
(i) for exactly one j < 2n + 1, x V(PJ),
or
(ii) for exactly one j < 2n + 1, x V(QJ),
and not both.
If (i), let Q(x) = j. If (ii), let Q(x) = j'. Then Q : W - Wn is a
well-defined surjective mapping. Now from (13)-(16) we deduce
(26) Each x V(p\) has alternatives in and only in (inn) V(q\) and
(fe).
(27) If 1 < j < In + 1, x V(PJ) has alternatives inn V(q^l) and
(28) x 6 V(p2n+i) has alternatives inn V(q2n) and

(29) x 6 V(gj) has alternatives inn V(qj), for 1 < j < 2n + 1.
Also by (5), (6),
(30) t has alternatives inn V(pi), . . . , V'^n+i)-
A checking of cases, using (26)-(30) shows that Q satisfies 1.5.1(1) and
1.5.1(2), so is a homomorphism from Ft onto Fn.
D
Theorem 1.17.3 An is KM -consistent.

Proof. Take V on fn such that V(PJ) = {j} for 0 < j < 2n + 1, and
Then it is readily shown that 0 V(An). If An is not KM-

consistent, then \~KM ""a, for a the conjunction of some finite subset of
An. But jFn is a KM-fia,me, so J"n (= ->a, whence 0 V(-ia), which is
impossible, as V(An) C V(a), whence 0 6 V(a). D
We are now ready for our second main result.
Theorem 1.17.4 Let be a class of K -frames. // simply determines
KM, then is not closed under ultraproducts.
Proof. Suppose determines KM and is closed under ultraproducts.
Then by 1.8.6 strongly determines KM. Hence by 1.8.3(1') and 1.17.3,
for each n 6 N there exists f , V on T , and some t V(An). Then
t Vt(An) where Vt is the valuation on ft derived from V (1.4.11).
Hence by 1.17.2 Tn ^Tt.
Now let * be the class of homomorphic images of subframes of
frames in . Then by the above Tn *, all n N. By 1.8.3(2),
|= M, so by 1.4.10 and 1.5.5, * \= M. Furthermore, since is closed
under ultraproducts, it follows from 1.7.9 and 1.7.11 that * is closed
under ultraproducts. Thus all ultraproducts of the fn's validate M,
which contradicts our earlier work. D
Corollary 1.17.5 //< determines KM then EC A, and hence <t $
EC.
Proof. By Los's Theorem, e EC A only if C is closed under ultraprod-
ucts. D
Corollary 1.17.6 // C (M) and EC4, i/ien J"fM ^ . /n
particular FKM does not satisfy m .
Proof. If C &(M) and ^M , then as each non-theorem of KM is
falsifiable on T^M it follows that determines KM. Hence by 1.17.5
^ EC A To complete the result we observe that the class of fsT-frames
satisfying m is an EC& subclass of (M). D
1.18 Some Special Classes of Formulae

In this section we explore the relationships between various classes of
wffs that are defined by special model-theoretic properties.
Definition 1.18.1 a G $ is r-persistent iff for every refined frame
F=(W,R,P),f\=a only if (W,R) \= a.
E = {a : a is r-persistent}
EI = {a : a is first-order definable}
SC = {a : KO. is super- complete for some C C }

SF {a : Ka is strongly determined by some <t C }
F = {a : Ka is simply determined by some <t C 8} .
Theorem 1.18.2
(1) E C D C AT = SC C SF C F.
(2) EcEi_r\D.
(3) 1 n F C SF, EI n F C N.
(4) EI is not comparable with any of D, N, SC, SF, F.
Proof.
(1) Recall that D is the class of d-persistent wffs. Since every descriptive
frame is refined, it is immediate that BCD (proper inclusion will
be shown in (2)). 1.14.3 gives D C N.
Now let J- be the canonical /if-frame for Ka and V the canonical
valuation. Then J-y is the canonical first-order frame, which is
descriptive (1.13.3) and satisfies every /fa-consistent set (1.1.3,
1.2.6). So if a N, Ka is supercomplete for Fâ, so a 6 SC.
The converse is 1.13.8. It follows easily from the definitions that
SC C SF C F. That the latter inclusion is proper is known, but
for the sake of completeness we include an example. Let a be the
conjunction of the wffs
(i) Dp-> DQp
(ii) (Op A O) -+ (O(p A q) V O(p A Og) V O(q A Op))
(iii) D(Dp -> p) - Dp.
Then /sTa is the logic K4.3W of [86], which is shown there to
be determined by the class of finite strictly linearly ordered K-
frames. Thus a F. Now if f is a fiT-frame such that T f= a
and x F, then one may show that Tx is a finite strict linear
ordering. Consider A {Okp : k e N}. If ^4' C A is finite, and
k is the largest number such that O fc p Z\', then A1 is satisfiable
at 0 on the /Ca-frame ({0, 1, . . . , fc}, <} when p is true everywhere.
Hence every finite subset of A is J^Q-consistent, and so A itself
is -fâ-consistent. But any strict linear ordering that satisfies A
must be infinite, so no Ka-frame can satisfy A. Hence a 0 SF.
(2) Let a E and let {Ti : i 1} C (a), with ft = (W^Ri). Then
if G is an ultrafilter on 7, {i : T( (= a} = / G, where 7^' =
(Wi,Ri,Pi) and ^ = 2Wi. By 1.7.13, J"G = (WG,RG,PG) \= a.
But each T[ is refined (1.9.2), so TG is refined (1.9.11). Since
a E, it follows that (WG,RG) \= a. This shows that R(a) is

closed under ultraproducts, so by 1.16.3 a E\. Together with
(1), we thus have E C E\ n D. To prove the inclusion proper, let
a = (i) A (ii) A (iii) where (i) and (ii) are as in (1), and (iii) = M.
Now, as Thomason [96] observes, if T is refined, F |= (i) iff -R ls
transitive, and T \= (ii) iff R is connected, (i.e. (xRy and xRz)
only if y = z, or yRz, or zRy).
Consider (N, <, P), where P is the class of finite or cofinite subsets
of N. This frame is refined and validates a, but (N, <) M,
whence (N, <) a [96, p. 154]. Thus a $ E.
Now the completeness proof of [59, Section 5] for the logic KM4
is readily adaptable to show (i) A (iii) D. But (ii) C D, so
a 6 .D. To show finally that a EX, we prove that (a) is the
class of transitive connected frames satisfying the condition m
mentioned at the beginning of Section 1.17. It is easy to see that
any such frame validates a. Conversely if f \= a, then F |= (i)
and J- |= (ii) so R is transitive and connected. Let x f. Then
Tx = (W, R) |= a, where fx C T is generated by x. Since R is
transitive, an equivalence relation is defined on W by
y ~ z iff (yRz and Z.RT/) or y = z.
Let Cy be the equivalence class of y (called the "cluster" of y in
[86]). Let = {Cy : y W}. Defining Cy < Cz iff yRz, (C, <) is
a linear ordering by (i) and (ii). If has no last member we may
choose 03 C such that 53 and its complement are both cofinal in
. Putting V(p) = (JOS, we then have ^ ^ ^(M) (cf- I96' P- 153D
and so fx a, a contradiction. Hence C has a last member, Cy
say. Since fx is transitive and generated by x, z/fa/. Now suppose
yRz and j/flw. Put V(p) = {z}. Then yffi only if tRy (as Cy is
last), only if tRz, only if t V(Op). Hence y e F(DOp). Since
J"x [= M there is some s such that y/?5 and s V(Dp). But
similar reasoning shows sRw, whence w V(p) = {z}, i.e. w = z.
We have therefore shown that JF satisfies m as required.
(3) If a EI n F, then a F so Ka is determined by some C ^(a).
But then clearly Ka is determined by (a) which is closed under
ultraproducts as a EI. By 1.8.6 we then have Ka strongly
determined by (a), whence a SF.
That EI n F C N has been shown by Fine [15] (cf. 1.20.15).
(4) Thomason [97] exhibits an a such that (W, R) |= a iff .R is reflexive
and transitive, whence a EI , but Jfa is not determined by any
class of .ftT-frames. Thus a is not in F, therefore by (1) is not in
any of D, N, or SF.
Fine [15] has shown that the wff a = ODp- (OD(pAg)vOD(pA

-ig)) is in N, hence by (1) is in SF and F, but is not in E\. The
proof that a 6 N may be carried through on any descriptive frame,
so we also have a D.
D
We note that a proof that E C EI was first given by Lachlan [54] using a
somewhat different method. The example in that paper which purports
to show the inclusion is proper would seem to be in error, since it involves
the wff (Dp > p), which is in E. For, by Axiom II, any refined frame
validating this wff has a reflexive relation, so its full extension validates
it as well.
1.19 Replete Frames and Saturated Models

This section introduces a new class of first-order frames that play a
special role in the discussion of axiomatic classes of K-frames.
Definition 1.19.1 I f f = (W,R,P) is a frame, then for each x W
we define MPx {rrifi(S) : x S}. T is replete iff it satisfies the
compactness condition IV (and hence III and V) of section 1.9, and
also
VI MPy C Px only if for some z,xRz and Pz Py.
The notion of replete frame adapts that of a "modally saturated model"
defined by Fine [15] in terms of valuations on /{'-frames.
Theorem 1.19.2
(i) Every finite frame is replete.
(ii) Every descriptive frame is replete.
Proof.
(i) Condition IV is trivial if W, hence P, is finite. For VI, suppose
MPy C Px, and let S = f}Py. Since Py is finite, S Py, whence
VR(S) Px, i.e. x E m/j(5). It follows that for some z, xRz and
z e S. Then Py C Pz, and so Py = Pz.
(ii) If T is descriptive it satisfies III, so to show T replete we need only
consider VI. But axiom II of descriptive frames may be written
as
MPy C Px only if xRy,
and with y = z this clearly implies VI.
D
The converse of 1.19.2(ii) is false (cf. the comments at the end of this
section). However a connection between the two kinds of frame is given
by
Theorem 1.19.3 For any replete frame T there is a descriptive frame
f such that T1 ^ T and T+ = T'+ .
Proof. Let T' = (F+)+. Then T1 is descriptive by 1.10.5, and F+ S fl+
by 1.10.3. To establish that T' =<; f we show that the map Q : x i-> Px,
as used in 1.10.7, is a surjective homomorphism according to 1.5.1. Since
T satisfies III, the proof that Q is onto follows exactly as in 1.10.7, as
does the proof of 1.5.1(1). 1.5.1(2) may be "read off" from VI and the
definition of T' (cf. 1.10.1). Finally to establish 1.5.1(3) we note that
every proposition of f is of the form \S\f+ for some S 6 P (1.10.1).
Then
+
) = {x : Px e \S\f+} = {x:S
and so Q - ^ S I ) e P. D
We come now to a method, based on some work of Fine [15], of
producing replete frames through a construction from classical model
theory. The map x i-> Px used in 1.19.3 is not even a modal homomor-
phism unless its domain has some special properties. Our construction
shows in effect that this map may always be factored through an elemen-
tary embedding followed by a modal homomorphism. The idea here is
to treat a first-order frame as a genuine model for a first-order language.
Definition 1.19.4 Let T = (W, R, P) be a frame, with P = {Si : i 1}
for some indexing set I. Let SK(7) be a first-order language obtained from
the language 9\ of Section 1.16 by the addition of a set {Si : i e 7} of
monadic predicate letters. Then T is a realisation o/!!H(7), and constants
may be added to fH(7) by taking each element of W to be a name for itself.
A set A of formulae o/?l(7) with at most one free variable is satis-
fiable in f iff there exists some a 6 W such that T (= <5[o] for all 6 A.
J- is 2-saturated iff whenever A is a set of formulae with at most one
free variable and at most one constant (the same for all members of A),
and such that every finite subset of A is satisfiable in T , then A itself
is satisfiable in T' .
Theorem 1.19.5 (Fine [15]) If f is a 2-saturated realisation of 91(7),
then T is a replete modal frame.
Proof. To prove 1.9.3IV, let Q be a subset of P and put AQ = {$() :
Si Q} for v some variable of SH. Then if Q has the fip, each finite
subset of AQ is satisfiable in f. Since T is 2-saturated, it follows that
there is some a 6 W such that a e Si for all Si E Q and hence f|Q ^ 0
as required. To prove VI, suppose MPb C Pa, for a,b e W, and let
A - (R(a,v)} U (Si(v) : Si Pb}, where /Z is the dyadic predicate
letter of the language 91. Since Pb is closed under finite intersections,
and by hypothesis b 5 only if a rafl(S), it follows that each finite
subset of A is satisfiable in T. But only one constant appears in A, so
we conclude that A is satisfiable by some c W . Then aRc and c Si
for all ,% e Pb, whence PC = P6. D
Definition 1.19.6
(i) For any first-order frame T = (W,R,P), the reduct of F is the
(ii) Two structures J-,F' are elementarily equivalent, F = }' , iff

they satisfy precisely the same first-order sentences.
Theorem 1.19.7 TQ |= a only ij T \= a.
Proof. By 1.4.1. D
Theorem 1.19.8 For any frame J- there is a replete frame J-' such that
Proof. By [4, Chapter 11], J- as a realisation of iH(/) has a 2-saturated

elementary extension F = (W',R',P'), with P' = {S< : i 6 /}. Now
for any realisation 0 of 51(7) we have the following R(/)-definability of
MA operations.
S, = Sj iff 0 |= Vw(5 l (u) - Sj(v))
S.HS^Sk iff ^^^(Si^^S^v)^ Sk(v))
Si = -Sj iff 0 h Vw(5i(w) ~ ->5j(t;))
j) iff 0 \=Vv(Si(v) ^ 3u(R(v,u) /\ Sj(u))).
Now ^" and f satisfy the same sentences, i.e. T = F' , and so J^Q = T'.
But the above sentences show that P' is closed under n, -, m^ (i.e. T'
is indeed a frame) and that the map 5; >> S^ is an MA isomorphism of
F+ and F'+ . Finally, 1.19.5 gives T' replete. D
Corollary 1.19.9 For any frame T there, exists a descriptive frame T'
such that f+ = F'+ and J-'Q is a homomorphic image of some K -frame
that is elementarily equivalent to F.
Proof. By 1.19.8 and 1.19.3. D
It should be noted that the construction of 1.19.8 will not in general
produce a descriptive frame, and so the homomorphism of 1.19.9 cannot
be avoided. To see this let f = (N, <}. Then if G is descriptive and
F+ S g+ we cannot have F0 = Q0. For by 1.10.7, if J"+ = Q+ then the
reduct of (.7r+)+ is isomorphic, and hence elementarily equivalent, to QQ.
But Thomason [98] has shown that the former satisfies the SK-sentence
Vv3u(R(v, u) A R(u,u)), and clearly this is not true of T.
1.20 S A-Elementary Classes of Kripke Frames

Throughout this section X will denote a class of jFT-frames. We write
X e ECsA (X is Z'-d-elementary) iff X is closed under the relation =
of elementary equivalence (1.19.6(ii)).
Our present aim is to use the results just obtained to establish some
significant properties of ECÂ classes. The key fact, immediate from
1.19.9, is
Theorem 1.20.1 If X ECÂ and X is closed under homomorphic
images, then F0 6 X only if there is a descriptive frame f such that
and ^ e X .
Definition 1.20.2
(i) 7/21 is an MA, the completion o/2l is the K -frame 2l# = (21+ )o,
i. e. the reduct of the descriptive frame 21+ .
(ii) Ij T (W, R) is a K-frame, the completion of T is the K -frame
F# = (f+)#. Thus T* = (W#,R#) where W* is the set of
ultrafilters on W, and xR#y iff for all S C W, y S only if
x mR(S}.
Theorem 1.20.3
(i) 2l# |= a only if 21 1= a.
(ii) T* \=a only if F \= a.
(iii) If T is a descriptive frame, then FQ = (f+)#.
Proof.
(i) 2t# f= a only if 21+ \= a (1.19.7), only if 21 \= a (1.10.4).
(ii) T* \= a only if F+ |= a (part (i)), only if T \= a (1.3.3).
(iii) T S (^+)+ (1.10.7), whence ^0 S ((^+)+) 0 = (F+}#.
D
If W is a class of MA's then HS(9l) denotes the class of all homomor-
phic images of subalgebras of members of 91 . For X a class of /C-frames
we put
X+ = {21 e OT : 21 S T+ for some T e X}.
Theorem 1.20.4 If X is closed under disjoint unions then tlS(X+) is
the smallest equational class of MA's containing X+ .
Proof. By [39, pp. 152 and 171] the equational class generated by X+
is HS(P(X + )), where P(X+) is the closure of X+ under direct prod-
ucts. But since X is closed under disjoint unions, Theorem 1.6.5 gives
x+. a
Theorem 1.20.5
(i) <a# X only t/a e HS(X+).
(ii) If X 6 ECsA and X is closed under homomorphic images and
subframes, then 21 HS(X + ) only /2t# G X.
Proof.
(i) 21 S (21+)+ C (2l#)+ (1.10.3, 1.20.2, 1.19.6).
(ii) Since 21 2 (21+)+, if 21 HS(A"+) then (21+)+ is a homomorphic
image of a subalgebra of (W, R)+, for some (W, R) X. Thus
there is some P C 2^ such that (2l+)+ is a homomorphic image
of (W,R,P)+. By 1.20.1 we may presume that (W,R,P) is de-
scriptive. But 21+ is descriptive, so by 1.10.9 and 1.10.7, 21+ is
embeddable in (W, R, P}. Then 2l# = (21+ )o is isomorphic to a
subframe of (W, R) X, whence our hypothesis gives 2l# X.
D
The above result gives access to the following characterisation of modal
axiomatic classes.
Theorem 1.20.6 If X <E ECSA, then X MAC iff
(i) X is closed under disjoint unions, homomorphic images and sub-
frames, and
(ii) f* e X only ifftX, for any K -frame F.
Proof. If X e MAC, (i) holds by 1.6.4, 1.5.5, and 1.4.10, and (ii) by
Conversely, suppose X ECÂ and that (i), (ii) hold. By 1.20.4

) = A* for some set A of MA polynomial identities. Let F& be
the set of modal wffs determined by A as in the proof 1.12.2. Then if
F e X, F+ X+, so F+ \= A and thus T |= PA. On the other hand if
T |= FA, then F+ \= A, so ^+ HS(X+). By 1.20.5(ii) we then have
(F+)# = T* X, whence by hypothesis (ii) f X. Thus X = FA,
and X is modal axiomatic. D
In order to discuss classes of frames characterised by a single modal
wff we need to introduce a new construction.
Definition 1.20.7 // {?i : i 1} is a family of K -frames, and G an
ultrafilter on I, then the completed ultraproduct of the Ti 's over G is
the K- frame
Theorem 1.20.8
(i) f#\=aonlyif{i:ri\=a}G.
(ii) JQ contains a substructure (not necessarily a subframe) isomorphic
toUfi/G (cf. 1.7.3).
Proof.
(i) ?%\=a only if U^/G\=a (1.20.7,1.20.3(1))
only if {i : T+ \= a} G (Los's Thm)
only if {i : ft |= a} 6 G (1.3.3).
(ii) For each i / take Ti to be (Wi.^P;} where P; = 2Wi, and
consider the ultraproduct J-Q = (WG,RG,PG) as defined in 1.7.6.
Now if (U^/G)+ = (W,R,P) then by 1.7.8 (W,R,P) = (7"+)+.
But TQ = (W, R), and so it suffices to find an appropriate map
from TG into (?)+. Now by 1.9.2 and 1.9.11, TG is a refined
frame and so satisfies axioms I and II of Section 1.9. But then the
proof of 1.10.7 shows that the map given there from TG to (F^j )+
has the required properties for our theorem.
D
Corollary 1.20.9 If X UC (i.e. X = 6* for some universal sentence

6 of fHj, then . - X is closed under completed ultraproducts.
Proof. By 1.20.8(ii), since UC classes are closed under substructures
and their complements are closed under ultraproducts. D
Theorem 1.20.10 If X ECSA, then X MEC iff
(i) X MAC and
(ii) . X is closed under completed ultraproducts.
Proof. If X E MEC then (i) is immediate and (ii) follows from 1.20.8(1)
by a similar argument to that used in 1.16.2. For the converse, if (i) and
(ii) hold and X e ECÂ, then we know from the proof of 1.20.6 that
X = r*A, where HSpf+) = A*. Let / be the set of all finite subsets
of .T/i, and suppose for all i / that J1^ ^ i*. Then for each i, since
FA Cj i* , there is a /-sT-frame ^ such that Ti |= i and Ti FA, whence
Ti ( X . Then for each i / we have F* (= i, so by the argument of
1.8.4 we may construct an ultrafilter G on / such that \\_f^" /G (= FA.
But then n ^/G HS(X+), so by 1.20.5(ii) F$ = (II J?/G)# e X,
contrary to the closure of ^ - X under completed ultraproducts. We

therefore conclude that for some finite i C FA, i* = F^ = X, so X = a*
where a is the conjunction of the members of i. Hence X e MEC. D
Since every EC class is ECÂ, 1-20.10 characterises those EC classes
that are MEC. Whether EC classes enjoy properties that allow the
conditions of 1.20.10 to be simplified is not known. We can only offer
Theorem 1.20.11 If X UC, then X 6 MEC iff X MAC.
Proof. By 1.20.9 and 1.20.10. D
As well as leading to a discussion of axiomatic classes, 1.20.5(ii) yields
some interesting consequences concerning logics whose models are SA-
elementary.
Definition 1.20.12 A normal modal logic A is canonical iff it is deter-
mined by its canonical Kripke frame FA (cf. 1.2.5). A is an ECsA logic
iff the class A* of all K-frames on which A is valid is SA-elementary.
We recall from Section 1.2 that any non-theorem of A is falsified by
FA , and so to show that A is canonical it suffices to prove FA (= A, or
even that FA \= F where F is some axiom set that generates A.
Theorem 1.20.13 // X is S A-elementary and closed under disjoint
unions, homomorphic images, and subframes, then X determines a logic
that is canonical.
Proof. By 1.20.4 HS(X+) = A* for some A. Let A be the logic KFA.
Now if T e X, F+ \= A and so F |= FA, whence X C F*A = A*. If
FA is the canonical .A-frame of 1.13.1, then by 1.13.4 FA (= FA so f\
HS(X+), and thus by 1.20.5(ii), (F%)# X. But FA is descriptive
(1.13.3) so by 1.20.3(iii) (FA)0 = F% X. Since X C 4*, and a i A
only if FA a, this implies that a A iff X \= a, i.e. X determines A.
In particular FA f= A, and A is canonical. D
Corollary 1.20.14 For any ECÂ logic A\ there is a canonical logic
A% such that A\ C A2 and A\ A%.
Proof. Let X = A\. Then X MAC by definition, and X e ECSA
by hypothesis. Let A2 be the logic KFA, where A* = HS(X+). Then
by the proof of 1.20.13, A-z is canonical and determined by X. Thus if
a 6 AI, X |= a and so a A2. Hence AI C A2. But the proof of 1.20.6
shows in fact that X = F^ A%, i.e. A\ A%. D
We note that if A\ is the incomplete logic of Thomason [97] then A^
above is the logic S4.
Corollary 1.20.15 Any ECÂ logic that is determined by some class
of Kripke frames is canonical.
Proof. If AI is determined at all by a class of /{"-frames then it is certainly

determined by A. Suppose further that AI is ECÂ and let A% be the
canonical logic then given by 1.20.14. If a 6 AI, A? (= a, so A\ j= a
and therefore a A\. Thus AI = A%, so yli is canonical. D
Corollary 1.20.15, which yields the second part of 1.18.2(3), was first
proven by Fine [15].
Semantic Analysis of Orthologic
Some physicists maintain that from a quantum-theoretic standpoint the

propositions pertaining to a physical system exhibit a non-standard log-
ical structure, and indeed that their associated algebra is an orthomod-
ular lattice, rather than a Boolean algebra as in the case of classical
systems. Consequently a new area of logical investigation has grown up
under the name of "quantum logic", of which one aspect is the study
of the prepositional logic characterised by the class of orthomodular
lattices.
In recent years we have seen the development of a powerful alter-
native to algebraic semantics for formal systemsnamely the "possible
worlds" model theory initiated by Saul Kripke. This approach was orig-
inally used to analyse modal systems, but it was soon realised that its
ramifications were far wider than that. It has subsequently been ap-
plied to many other kinds of intensional logic, including tense, deontic,
epistemic, intuitionist, and entailment systems, and is currently proving
relevant to the study of natural languages.
The purpose of this paper is to lay a foundation for an intensional
model theory for quantum logic. To do this we broaden the inquiry to
encompass what we shall call Orthologic. The minimal calculus in this
area is the system O, characterised by the class of ortholattices. This
logic will be shown to have a semantics reminiscent of the relational
structures of normal modal logic. These models are then used to es-
tablish a connection between O and the Brouwerian modal system that
parallels the McKinsey-Tarski translation of intuitionist logic into S4. A
discussion of filtration theory shows that O is decidable, and in the final
section of the paper we extend the analysis to obtain a characterisation
of quantum logic itself.
81
2.1 Syntax
The primitive symbols of our object language are (i) a denumerable
collection {pi : i < LJ} of propositional variables, (ii) the connectives ~
and A of negation and conjunction, (iii) parentheses ( and ). The set
<P of well-formed formulae (wffs) is constructed from these in the usual
way. The letters A, B, C etc. are used as metavariables ranging over
<. Parentheses may be omitted where convenient, the convention being
that ~ binds more strongly than A. The disjunction connective V is
introduced by the definitional abbreviation A V B =jf ~ (~ A A ~ B).
Our concern is to explore the relationships between two quite dif-
ferent ways of studying formulae. The semantical approach, to be ex-
plained in detail in the next section, has as its goal the assignment of
meanings or interpretations to wffs, and the setting out of conditions
under which a wff is to be true or false. The syntactical approach ex-
amines formal relationships between wffs, and focuses on the notion of
consequence or derivability of formulae. In this context we can distin-
guish between axiomatic systems, and logics. Given a formal language,
an axiom system S can be defined as an ordered pair (21, y\) where 21 is
a set of wffs of the language, called axioms, and $H is a set of rules of
inference that govern operations allowing certain formulae to be derived
from others. A wff A is said to be a theorem of S, written hs A, if there
exists in S a proof of A, i.e. a finite sequence of wffs whose last member
is A, and such that each member of the sequence is either an axiom, or
derivable from earlier members by one of the rules in 91.
A logic on the other hand can be thought of as a set L of formulae
closed under the application of certain inferential rules to its members.
The members of L are called L-theorems, and in this case the symbolism
HL A indicates merely that A 6 L.
For example, if S = (21,9t) is an axiom system, then an S-logic can
be defined as any set of wffs that includes the axiom set 21 and is closed
under the rules of 91. In general the intersection Ls of all S-logics will be
an S-logic, whose members are precisely those wffs for which there are
proofs in S. This is often described by saying that S is an axiomatisation
of Ls, or that Ls is generated by S.
Thus each axiom system has a corresponding logic (the set of its
theorems) and in some formal treatments little or no distinction is made
between the two. The converse however is not true. Not every logic is
axiomatisable. In any semantical framework the set of wffs true in a
particular model will be a logic of some kind, for which, in some cases,
there may be no effectively specifiable generating procedure. A classic
example is the first-order theory of the standard model of arithmetic.
SEMANTIC ANALYSIS OF ORTHOLOGIC 83
Now it is sometimes the case that, in studying the concept of de-

ducibility, we are concerned not so much with which formulae are the-
orems, but rather with which formulae can be derived when others are
taken as hypotheses. This, for example, would seem to be part of the
motivation behind systems of so-called natural deduction. Prom this
point of view one might conceive of a logic, not as a set of wffs, but as a
collection L of ordered pairs of wffs that satisfies certain closure condi-
tions, the idea being that the presence of the pair (A, B) in L indicates
that B can be inferred from A in L. To preserve the distinction we shall
call logics of this kind binary logics, and refer to logics of the first kind
(sets of wffs closed under certain rules) as unary logics.
Again by way of example, if S is an axiom system (or even a unary
logic) whose language includes an implication operator > for which the
Deduction Theorem holds, then we may associate with S the binary
logic of all pairs (A, B) such that (-5 A B. For languages of the kind
to be considered in this paper, that have no implication connective at
all, the notion of a binary logic becomes an extremely useful one for
syntactically generating classes of formulae.
In general, if L is a binary logic, we write A I-L B when (A, B) 6 L.
2.1.1 DEFINITION
An orthologic is a binary logic L such that, for all A, B, C <?,
#1. A I-L A
#2. AAB h L A
#3. AAB h-L B
#4. A t-L ~~A
#5. A I-L A
#6. A A ~A h L B
#7. if A I-L B and B h L C, then A h L C
#8. if A I-L B and A h L C, then A h L B A C
#9. if A I-L B, then ~ B h L ~ A.
It is easy to see that the intersection of any family of orthologics is an
orthologic, and hence that there is a smallest logic, which we call O, that
satisfies #1,..., #9. O is characterised by the class of ortholattices, in
the sense that A ho B iff v(A.) < v(B) for all valuations v on all or-
tholattices (a valuation on an ortholattice is a function from $ into the
lattice under which ~ and A are interpreted as orthocomplement and
lattice meet respectively). The necessity part of the above biconditional
is proved by showing that it holds for #1,..., #6 and is preserved by
# 7 , . . . , #9. Sufficiency may be established by showing that the Linden-
baum Algebra for O is an ortholattice (if $ is thought of as an algebra,
then the Lindenbaum Algebra for an orthologic L is the quotient algebra

/ = L , where A =L B iff A hL B and B hL A).
2.1.2 Definitions
Let L be an orthologic and F a non-empty set of wffs. A wff A is said
to be L-derivable from F, F !~L A, if there exist BI, ... , Bn 6 F such
that BI A ... A Bn I-L A. If A is L-derivable from {A V ~A} then we
simply say that A is L-derivable, or is an L-theorem, and write \~i A. F
is L-consistent if there is at least one wff not L-derivable from F, and
L-inconsistent otherwise. (It can be shown that F is L-consistent iff
for no A do we have both F HL A and F HL ~A.) F is L-full iff it is
L-consistent and closed under conjunction and L-derivability i.e. iff
(i) lor some A, not F I~L A,
(ii) if A T and A hL B then B e F,
(iii) A, B 6 T only if A A B e F.
2.1.3 Lemma
If x C $ is L-full, then
(i) A A B e x iff A x and B e x,
(ii) x h L A iff A x,
(iii) A V ~A e x, for all wffs A.
Proof.
(i) The 'if part is 2.1.2(iii), and the converse follows from #2 and #3
by 2.1.2(ii).
(ii) Since A HL A (#1), sufficiency follows from the definition of L-
derivability. Necessity uses 2.1.2(ii) and (iii).
(iii) By definition x is non-empty, so there exists B S x. But
B h L A V ~A
(use #6, #9, #4 and #7), so the result follows by 2.1.2(ii).
D
The basic result linking full sets and derivability is the following version
of Lindenbaum's Lemma.
2.1.4 Theorem
jf KL A iff A belongs to every L-full extension of F.
Proof. If r hL A, then there exist B l v .., En F such that
BI A . . . A Bn h L A.
If x is L-full and F C x, we have BI, . . . , Bn 6 x. Applying 2.1.2(iii)
and then 2.1.2(ii) we obtain A. E x.
For the converse, suppose A is not L-derivable from F. Let x = {B :

F HL B}. From #1, F C x, and by hypothesis A ^ x. Our proof will
therefore be complete if we can show that x is L-full. Now if B a; and
B h L C, there exist B l v . . ,Bn F such that BI A . . . A Bn h L B, hence
by #7, BI A . . . A Bn f-L C and so F h L C, i.e. C x. If on the other
hand B, C e x then there exist BI, . . . , B n , Ci, . . . , Cm 6 F such that
BI A ... A Bn h L B and Ci A . . . A Cm h L C. Letting
D = BI A . . . A Bn A Ci A ... A Cm
we have by #2, #3 and #7 that D h L B, D h L C, and so by #8, D h L
B A G . Thus F h L B A C and therefore B A C x. This shows that x
is closed under L-derivability and conjunction. Hence, since A $ x, A is
not L-derivable from x, and so x is L-consistent, and Theorem 2.1.4 is
established. D
It is interesting to note how direct the proof of 2.1.4 is, in that we are
able to define explicitly the required set x. In all other logical systems
that the author knows of the proof of Lindenbaum's Lemma involves
a complex induction over a fixed enumeration of $, or even worse, an
application of Zorn's Lemma. On the lattice theoretic level it can be
said that our full sets correspond to (proper) filters, whereas for systems
that include the distributive law the analogies are with prime or maximal
filters, the proof of whose existence requires some variant of the Axiom
of Choice.
The last result of this section will be used in our characterisation of
negation.
2.1.5 Lemma
If x is L-full and ~A x, then there exists an L-full set y
such that A y, and for all B, either ~B x or B ^ y.
Proof. Let y = {B : A hLB}. By #1, A y. Now let ~ B e x. Then
B 0 y, or else A KL B, whence ~ B KL ~ A by #9, and so by 2.1.2(ii),
~A 6 x, contrary to hypothesis. By 2.1.3(iii), A V ~ A x, i.e. ~(~A
A ~~A) x. By what we just proved it follows that ~ A A ~~A #
y. Proceeding in a similar manner to 2.1.4 we can show that y is closed
under conjunction and L-derivability, and hence that ~A A ~~A is not
L-derivable from y, i.e. y is L-consistent, and therefore L-full as required.
D
2.2 Semantics
2.2.1 Definition
>"={X, _L) is an orthoframe iff X is a non-empty set, the carrier
of F, and J. is an orthogonality relation on X, i.e. _L C X x X is
irreflexive and symmetric.
If x -L y then we say that x is orthogonal to y. If x is orthogonal to
every member of a subset Y of X then we say x is orthogonal to Y and
write a; -L Y. Y C X is said to be L-dosed iff for all x e X, x Y only
if there exists y X such that y -L Y and not x -L y (the converse is
always true by the symmetry of -L).
2.2.2 Definition
.M={X, _L, V) is an orthomodel on the frame (X, _L) iff V is a function
assigning to each prepositional variable p; a -L-closed subset V(pi) of X.
The truth of a wff A at x in M is denned recursively as follows. (Read
"A is true (holds) at x in X" for M \=x A).
(1) M K Pi iff x V( P i)
(2) M K A A B iff M (=x A and M (=x B
(3) M \=x ~A iff for all y, M \=y A only if x J. y.
Denoting the set {x X : M \=x A} by HAH^, we can rewrite the
above as
(2')
(3')
If F is a non-empty set of wffs, then we say F implies A at x in M,
denoted M: F \=x A, iff either there exists B r such that not M \=x
B, or else M \=x A. F M-implies A, M:F \= A, iff F implies A at all x
in M. If .F is a frame, r f -implies A, F:F \= A, iff M:F f= A for all
models M on T. If C is a class of frames, F it-implies A, :F \= A, iff
T-.r |= A for all T e C. If T={AV ~A} then we may simply write M
|= A, T |= A and so on, and speak of truth of A in M, F- validity of A
etc.
Let L be an orthologic. A class C of orthoframes is said to determine
L iff for all A, B $, A h L B iff :A \= B. strongly determines L iff
for all T and A, T hL A iff <L:F (= A.
The structures that we call orthoframes are not in fact new. They are
described as "orthogonality spaces" in Foulis and Randall [18]. That the
_L-closed subsets of an orthogonality space form an ortholattice under the
partial ordering of set inclusion is a result of long standing (cf. Birkhoff
[6, Section V.7]). What appears to be novel is the idea of using such
structures to provide models for a prepositional language. Furthermore,

an algebraic version of the completeness theorem set out below shows
that every ortholattice is, within isomorphism, a subortholattice of the
lattice of -L-closed subsets of some orthogonality space. Previous results
in this direction have either been confined to complete ortholattices (cf.
[18]) or else have involved a somewhat different notion of orthogonality
relation (MacLaren [62]).
Our models can be understood in the following way. X denotes a set
of possible outcomes of a number of operations carried out in the perfor-
mance of some experiment. Elements x and y are orthogonal iff they are
distinct outcomes of the same operation. Thus JL has the character of
an "alternativeness" relation as in modal logic. Whereas in the latter
a proposition is identified with the set of possible worlds in which it
is true, in our present context a proposition A, describing a physical
event, is identified with the set [[AH^ of outcomes that verify A. Our
truth stipulations then require that an outcome a; verifies the conjunction
of two propositions iff it verifies each of them separately, and negates
a proposition iff only outcomes orthogonal to x verify that proposition.
The requirement that V(p z ) be _L-closed constitutes a restriction on what
sets of outcomes may be identified with propositions or "events".
This interpretation, based largely on ideas expounded in Randall
and Foulis [73], is for the present intended merely as a convenient way
of thinking about models. Whether or not a description can be found
that has significance for quantum theory remains to be seen. Perhaps the
structures will contribute to a philosophical clarification of the notion
of an event. At any rate these issues are taken to be outside the scope
of this paper. Our emphasis throughout is on formal developments. We
believe that this attitude is justified, if only by the conviction that the
techniques available for handling frames and models are somewhat more
elegant, and often more directly applicable to technical problems, than
the corresponding algebraic methods. Hopefully the rest of the paper
will bear this out.
2.3 The Characterisation of O

In this section we show that the logic 0 is strongly determined by the
class 0 of all orthoframes. To this end we need a preliminary lemma.
2.3.1 Lemma
If M is an orthomodel, then for any A, the set [[AH^ is -L-closed.
Proof. By induction on the length of A. The result holds for HpiH^ by
the definition of orthomodel. Since the intersection of _L-closed sets is
-L-closed, it holds for A A B under the hypothesis that it holds for A

and B. For the case of negation, suppose x # \\~A\\M, i.e. not M \=x
~A. Then by 2.2.2(3) there exists y such that M ^y A and not x _L y.
Now if M [=z ~A, again by 2.2.2(3), and symmetry of -L, we have yLz.
Thus y -L IÂH^, and it follows that IhAy^ is 1-closed. D
There are a number of results in this paper that are established
by induction on the length of formulae. In most instances the case of
conjunction is straightforward and so we will present only that part of
the proof that involves negation. We also find it convenient to indicate
the application of an induction hypothesis by the letters IH.
2.3.2 Soundness Theorem for O
r h0 A only if e-.r \= A.
Proof. The proof, by induction on L-derivability, proceeds by showing
that the result holds for #1, . . . , #6, and is preserved by applications
of #7,. . . , #9. We consider only the less obvious cases.
#4. Let M K A. Then if M \=y A, by 2.2.2(3) y 1 x and hence
(symmetry) x L y. 2.2.2(3) again gives M \=x ~~A.
#5. Let M K A. Then M \=y A only if x J_ y, i.e. y 1 HAH^
only if a; -L y. But HAH^ is 1-closed (2.3.1) and therefore x
||A||^, i.e. M K A.
#6. If M \=x A A ~A then M \=x ~A and M \=x A whence x L x,
contrary to the irreflexivity of _L Thus not M \=x A A ~A for
any x in any M, so M : A A~A [= B for any B.
#9. Suppose 0:A |= B, and further that M \=x ~B. Then M \=y A
only itM\=yB (IH), only if x -L y. This shows that M K ~A.
D
2.3.3 Definition.
If L is an orthologic then the canonical orthomodel for L is the structure
where
XL = {x C <? : x is L-full},
x J-L y iff there exists A such that ~A x, A 6 y,
= {x XL: pi 6 x}.
2.3.4 Lemma
ML is indeed an orthomodel.
Proof. Let x 6 XL- Then for no A do we have ~A, A e x or else by

#6 x would be L-inconsistent. Hence not x XL x. If x XL y, for some
A we have ~A 6 x, A e y. Using #4 we conclude ~B E y, B G x,
where B=~A. Thus y XL x. Hence XL is an orthogonality relation. To
show VL(PI) is J-L-closed, suppose x & VL(PI), i-e. p* $ x. By #5, p;
x, whence by 2.1.5 there exists y 6 XL such that not x XL y and
~pi e y. Then if z V L (pi), Pi z and so j/ X L z. Thus j/ XL V L (pi)
as required. D
2.3.5 Fundamental Theorem for Orthologics

For all wffs A, and all x X L , ML \=x A iff A x.
Proof. By induction on the length of A. The case A=BAC is taken care
of by 2.1.3(1). Now suppose A=~B, and the result holds of B. Let ~B
6 x. Then if ML \=y B, B y (IH) and so x X L y. This, with 2.2.2(3),
yields MI \=x ~B. On the other hand, if ~B g x, by 2.1.5 there exists
y XL such that B e y , whence MI, \=y B (IH), but not x XL y- From
2.2.2(3) again we conclude that not MI, \=x ~B. D
2.3.6 Corollary
r I-L A iff ML . r (= A.
Proof. If T I-L A, BI A . . . A Bn h L A for some BI, . . . , Bn e -T. If A4L
\=x B for all B e r then in particular, by 2.3.5, BI, . . . , Bn x. By
2.1.2(11) and (iii) it follows that A x, hence by 2.3.5 ML f=^ A.
Conversely, if A is not L-derivable from F, by 2.1.4 there exists x
XL such that F C x and A g x. By 2.3.5, M L NX B for all B T, but
not ML \=x A. D
2.3.7 Strong Completeness for O

6 : r |= A only if F ho A.
Proof. Since, by 2.3.4, MQ is an orthomodel, 0 : F (= A only if Alo :
r (= A, and the result follows by 2.3.6. D
2.4 Translation into B

Let {qi : i < u} be a new collection of prepositional variables and
the set of wffs constructible from these by the Boolean connectives ->
and (negation and conjunction) and the modal D (necessity). Material
implication > and possibility O are introduced by the usual definitions.
The Brouwerian modal logic B can be defined as the smallest unary
logic, based on <?M> that includes all classical PC tautologies, all in-
stances of the schemata
D(A - B)-> (DA -> DB)
DA-> A
A - DOA
and is closed under Modus Ponens (from A and A > B to infer B) and
Necessitation (from A to infer DA).
2.4.1 Definition
Q = (X, R) is a B-frame if R is a proximity relation on X,
i.e. R C X x X is reflexive and symmetric.
Af = (X, R, V) is a B-model if V is a function assigning to each q; a
subset V(pi) of X. The truth stipulations for q^ and conjunction are as
in 2.2.2(1), (2). For negation and necessity we have
(i) Af \=x -"A iff not Af \=x A

(ii) Af \=x DA iff for all y, xRy only if Af ^=y A.
A number of basic metalogical facts are known about B, e.g. that it is
strongly determined by the class of B-frames, has the finite model prop-
erty for these structures, has infinitely many non-equivalent modalities,
and is not finitely axiomatisable with modus ponens as its sole rule of
inference. Apart from that, B represents an area of modal logic that has
attracted little attention. The results of this section may help to alter
that situation.
2.4.2 Definition
We recursively define a translation that associates with each A $ a
modal wff A* e $M as follows:
p* = DOqi all i < u
(A A B)* = A*- B*
(~A)* = D-.(A*)
2.4.3 Lemma
Let J- = (X, _L) and Q = (X, R) be an orthoframe and a B-frame
respectively, such that x _L y iff not xRy (clearly J. is an orthogonality
relation iff R is a proximity relation). If M and JV/" axe models on T and
Q such that for all i < w, and all x X, M ]=x p; iff Af \=x p*, then for
all A *, and all x 6 X, M \=x A iff M f= x A*.
Proof. Let A=~B and suppose the Lemma holds for B. Then
M \=x ~B iff for all y,M\=yE only i f x y

iff for all y, N \=y B* only if not xRy (IH)
iff for all y, xRy only if not A/" (=y B*
iff \=x D--(B*) (2.4.1(i),(ii))
D
2.4.4 Lemma
0 : T f= A only if 03 : F* \= A", where r* = {B* : B 6 T}
and 23 is the class of B-frames.
Proof. If not <B:.T* |= A*, there is a B-model M = (X, R, V) and some
t X such that M \=t B*, all B 6 r, but not A/" K A*- Let M = (X,
, V), where V'(p t ) = V(p*), and x 1 y iff not zR.7/. To show that
V'(pi) is -L-closed, suppose x V'(pi). Then not A/" |=x dOqi and so
there exists y such that xRy and not A/" )=,, <C>q;. Then if yRw, wRy
and so not A/" ^ DOq;, i.e. w V'(pi). Thus w V'(pi) only if
not yRw, i.e. y _L w. Hence y -L V'(pj) and, since xRy, not x -L y as
required. Thus A4 is an orthomodel satisfying the hypothesis of 2.4.3.
We therefore conclude that M \=t B for all Be F, and not M. \=t A,
hence not 9 : F |= A. D
2.4.5 Lemma
<B : T* (= A* only if 0 : F \= A.
Proo/. If not 6 : F \= A, there is an orthomodel M = (X, -L , V) and
some t X such that M \=t B, all B e T, but not X (=t A. Let M = (X,
R, V) be a B- model, where xRy iff not x 1. y, and V'(qi)=V(pi). Then
using the fact that V(p z ) is J--closed we deduce
M K Pi iff for all y, y 1 \\pt\\M only iixLy
iff for all y, xRy only if for some z, not t/ _L z
and =2
iff for all y, xRy only if for some z, yRz
and A/" |=z q,
iff M \=x DOq,
iff A/> s pJ.
Thus the hypothesis of 2.4.3 is satisfied, and we conclude A/" |=t B* for
all B e T, but not A^ \=t A*, hence not OS : F* |= A*. D
Using Lemmata 2.4.4, 2.4.5, our strong determination result for O,
and that of 8, we arrive at
2.4.6 Theorem
r ho A iff r* \-B A*.
2.5 Filtrations and Decidability

In this section we show that O has the finite model property (FMP) and,
being finitely axiomatisable, is therefore decidable. This result can in
fact be obtained indirectly from the results of the previous section, using
the fact that B has the FMP. We wish however to give a direct proof in
terms of orthoframes. Part of the reason for this is simply a desire to
see how filtration theory works in our present context. More significant
however is the recognition that some of the more complex schemata of
modal logic have only admitted to successful analysis through nitrations
of canonical models, and it seems quite likely that this approach will
play an important role in further studies of orthologic.
2.5.1 Definition
A set V of wffs is admissible iff
(i) if A V> and B is a subformula of A, then B V;
and
(ii) for all i < uj, pi V' only if ~p; ip.
2.5.2 Definition
Let M ~ (X, -L , V) be an orthomodel and ip an admissible set of wffs.
We define an equivalence relation on X as follows:
x y iff for all A V, M \=x A iff M (= A.
Putting [x] {y : x y} we define
X' = {[*] : x eX};
[x] _L' [y] iff there exists A such that ~A if), and either
(i) M (=x ~A and M \=y A, or
(ii) M \=y ~A and M \=x A;
V'(pi) = {[x] : Pi V and x V(Pl)}.
The structure M' (X', _L', V) is then called the filtration of M through
V>-
2.5.3 Lemma
M! is an orthomodel.
Proof. We note first that the above definitions are correctindependent
of the choice of equivalence class representative. _L' is symmetric by
definition. Furthermore by 2.2.2(3) and the symmetry of JL, [x] ' [y]
only if x _L y. From this, and the irreflexivity of -L, it follows that
-L' is irreflexive, and thus is an orthogonality relation. Now if p{ ^ V>
V'(pt) = 0 and so is J_'-closed. On the other hand if p^ e t/> and [x] (
V'(pi), then x $. V(p;), so there exists y X such that y V(pi) and

not x JL y. Thus M \=y ~p; and not [x] J.' [y]. Now if [z] 6 V'(p;), then
M |=2 pi. But ~pi e i/> (2.5.1(ii)) and so by 2.5.2, [y] J.' [2]. Hence
[y] J-' V'( Pi ) and V'( Pi ) is I'-closed. D
2.5.4 Filtration Theorem

For all A e V and x X, .M K A iff M' \=[x] A.
Proof. Let A = ~B and suppose M' |=[x] ~ B. Then if M \=y B,
M' if=[y] B (IH) and so [a;] 1' [y], whence x _L y. By 2.2.2(3) this implies
M K ~ B - Conversely let M \=x ~B. Then if M' \=[y] B, it follows
by IH that M ^=y B. But ~B 6 tjj and so by 2.5.2, [x] J_' [y]. Hence
.M hx] ~ B- D
2.5.5 Finite Model Property for O

Let A and B be wffs which together have k subwffs, including
/ prepositional variables. Then A ho B iff F:A. \= B for all
orthoframes T having at most 2 elements, where n = k + I.
Proof. Necessity follows from the Soundness Theorem 2.3.2. Conversely,
suppose that not A ho B. By 2.3.6, there exists x e XQ such that
Mo \=x A and not M \=x B. Let ijj be the smallest admissible set
including A and B, and M' the filtration of Aô through if>. By 2.5.4,
M' \=[x] A and not M' |=[z] B, hence not M' : A|= B. But clearly V
consists precisely of the subwffs of A and B, together with the negations
of those propositional variables occurring in A or B, i.e. ifr has at most n
members. Since each equivalence class x is determined uniquely by the
set Vi= {As V : -Mo NX A}, and ij) has at most 2 subsets, it follows
that the frame of M' has at most this many members, and our proof is
complete. D
2.5.6 Corollary
0 is decidable. D
2.6 An Approach to Quantum Logic

2.6.1 Definition
A quantum logic is an orthologic L such that, for any A,B $,
#10. AA(~AV(AAB))h L B.
We denote by Q the smallest quantum logic i.e. the intersection of all
quantum logics. It can be shown that Q bears the same relation to
orthomodular lattices that 0 bears to ortholattices.
In extending our analysis to quantum logics, one desirable outcome

would be a first-order condition on orthogonality relations such that
Q is strongly determined by the class of orthoframes satisfying that
condition1. An alternative approach would be to restrict the definition
of "model", to impose a constraint on the sets ||A||^ that characterises
the system. Rather than make such a restriction dependent on the object
language, we will build it into the frames themselves. Thus a frame
now has associated with it a particular collection of -1-closed subsets
of its carrier set, and models are obtained by selecting the values of
propositions from . Similar structures have been considered by Fine [12]
in connection with languages having propositional quantifiers, and there
are analogies with the "first-order" tense logic semantics of Thomason
[96].
Our next definition provides a natural refinement of the concept of
.L-closure.
2.6.2 Definition
If Y and Z are subsets of a frame (X, _L), then Y is -L- closed in Z iff for
all x 6 Z, x ^ Y only if there exists y E Z such that y _L Y and not
x _L y. (Thus J_-closed sets are precisely those that are -L-closed in X.)
2.6.3 Lemma
HM is any orthomodel, then HAH^ is -closed in \\Q\\M iff
M : BA(~BVA) |= A.
Proof. Suppose that M : BA(~BvA) (= A, x E\\E\\M, but x $ \\&\\M.
Using 2.2.2(2), we deduce that not M \=x ~BvA, i.e. not M \=x ~(B A
~A). By 2.2.2(3) there exists y such that M. \=y B A~A and not x L y.
Then M \=y E, i.e. y \\E\\M, and M \=y ~A, hence y 1 \\K\\M as
required.
Conversely, suppose that HAH^ is -L-closed in HBy^. If we have
M |=x BA~(BA~A), then by 2.2.2(2),(3) we conclude x \\E\\M and
(y PH^ and y _L H A H ^ ) only if x _L y. From 2.6.2 it follows that
x 6 ||A||M, i.e. M\=XA. D
2.6.4 Definition
J- = (X, -L, } is a quantum frame if (X, ) is an orthoframe and is a
non-empty collection of -L-closed subsets of X such that
(i) is closed under set intersection, and the operation * defined by
Y* = {x : x .L Y}
1
After this article was first published I discovered that no such condition exists.
The proof is given in the next chapter.
(ii) if Y, Z e , then Y C Z only if Y is .L-closed in Z.

M. (X, _L, , V) is a quantum model if V is a function assigning to
each pi a member of . The truth conditions remain as in 2.2.2.
2.6.5 Lemma
For any quantum model M, and any Ae , ||A||^ 6 ..
Proof. By induction on the length of A, using 2.6.4(1) and 2.2.2(2'), (3').
D
2.6.6 Lemma
All quantum models verify #10.
Proof. For any M we have M : AAB |= A, hence ||AAB||^ C HAH^.
Thus if M is a quantum model it follows by 2.6.5 and 2.6.4(ii) that
IIAABH^ is J_-closed in ||A||^, whence by 2.6.3,
M : AA(~AV(AAB)) (= AAB.
By the verification of #3 and #7, this yields
M : AA(~Av(AAB)) (= B.
D
2.6.7 Corollary (Soundness Theorem for Q)

F hq A only if ft : F \= A, where Q is the class of quantum frames. D
If L is an orthologic and A e $, we denote by |A|L the set {x XL : A
x}. Thus by 2.3.5, |A|L = HAH^ 1 -, where L is the canonical orthomodel
for L.
2.6.8 Definition
Let L be a quantum logic. The canonical quantum frame for L is the
structure Q\. = (XL, J-L, L) where XL and L are as in 2.3.3, and
L = {|A|L: Ae $}. A/L = (XL, J-L, ^L, VL) is the canonical quantum
model for L, where, as before, VL(PI) =|p t | L -
2.6.9 Lemma
^L is a quantum frame.
Proof. It is plain from our earlier work that |A|L n |B|L |AAB| L and
(|A| L )* = |~A|L, so 2.6.4(1) holds. To establish 2.6.4(11), suppose that
|A|L C |B|L, i.e. that \\k\\Mt- C \\B\\M^. By #10 and 2.3.6 we have ML :
BA(~BV(BAA))|= A. But clearly HBAAH^ 1 - = \\&\\ML, and so ML :
BA(~BVA)|= A. From 2.6.3 we conclude that |A|L=||A||-ML is -LL-closed
in \\B\\M^ = |B|L. D
2.6.10 Corollary (Fundamental Theorem for Quantum

Logics)
|A|L=: HAII^ = ||A||^, for all A 6 <?. D
We could at this point produce analogues to 2.3.6 and 2.3.7, and to-
gether with 2.6.7 conclude that Q is strongly determined by the class of
all quantum frames. However with our new structures, much stronger
results are possible. Our earlier methods provided each orthologic with
a characteristic model (.ML) but did not produce a characteristic frame,
or class of frames, except in the case of O. Whether every orthologic is
(strongly) determined by a class of orthoframes is as yet unknown, al-
though recent work by Thomason [97] on incompleteness in modal logic
suggests that the answer will probably be negative. For quantum logics
and quantum frames however the matter can be settled completely in
the affirmative.
2.6.11 Theorem
Let L be a quantum logic. Then F HL A iff L : F |= A.
Proof. If GL : r \= A, then A/L : F (= A, so ML : F \= A by 2.6.10.
F H L A then follows by 2.3.6. Conversely, if F \~L A, there exist AI, . . .,
An F such that AX A . . . A An FL A. Now let M be any model on / L -
For each i < u, \\pi\\M 6 L, so there exists B; such that HpiH^ = |Bi|L
= UBill^1-. For any wff C, let C' be the result of uniformly replacing
each pi occurring in C by B;. Clearly we then have AJ A . . . A A^ HL
A' and so by 2.3.6 and 2.6.10, A/L : A( A . . . A A^ |= A'. But a simple
induction shows that HC]^ = \\C'\\*L and so M : AI A . . . A An f=
A, whence M : F \= A. Since this holds for all models M on C/L, we
conclude L : F (= A. D
2.6.12 Corollary (Strong Completeness for Q)

ft : T (= A only if T h Q A. D
Theorem 2.6.11 shows in fact that every quantum logic L is strongly

determined by the class of quantum frames whose only member is Q\. .
We could of course, by deleting condition (ii) from 2.6.4, obtain a
new concept of frame for which every orthologic is strongly determined.
However the most interesting problem of all remains as yet unresolved.
Is there a class of orthoframes that determines Q?
Notes
I am indebted to my supervisor, Dr. M. J. Cresswell, for some very
helpful discussions and comments on the composition of this paper. I
would also like to acknowledge a debt to Mr. K. E. Pledger, through
whose involvement with quantum logic I first became interested in the
subject. He had earlier established algebraically a connection between
the logic of orthomodular lattices and an extension of B. The blame
for the techniques and results of this paper however lies solely with its
author.
I have a proof that any finite quantum frame is semantically equiv-
alent to one for which is the class of all _L-closed sets. Thus if Q has
the FMP for quantum frames it will be determined by a class of finite
orthoframes.
Orthomodularity is not Elementary
In this article it is shown that the property of orthomodularity of the lat-

tice of orthoclosed subspaces of a pre-Hilbert space P is not determined
by any first-order properties of the relation _L of orthogonality between
vectors in P. Implications for the study of quantum logic are discussed
at the end of the article.
The key to this result is the following:
(1) // ~H is a separable Hilbert space, and P is an infinite-dimensional
pre-Hilbert subspace of Ji, then (P, _L) and (Ti, J_) are elementarily
equivalent in the first-order language L? of a single binary relation.
Choosing P to be a pre-Hilbert space whose lattice of orthoclosed sub-
spaces is not orthomodular, we obtain our desired conclusion. In this
regard we may note the demonstration by Amemiya and Araki [2] that
orthomodularity of the lattice of orthoclosed subspaces is necessary and
sufficient for a pre-Hilbert space to be metrically complete, and hence be
a Hilbert space. Metric completeness being a notoriously non-elementary
property, our result is only to be expected (note also the parallel with the
elementary Inequivalence of the natural order (Q, <) of the rationals
and its metric completion to the reals (E, <)).
To derive (1), something stronger is proved, viz. that (P,-L) is an
elementary substructure of (H, _L). This is done by showing that any el-
ement of T~L can be moved inside P by an automorphism of H that leaves
fixed a prescribed finite subset of P. Familiarity is assumed with the
basic theory of Hilbert spaces, and for this purpose the very accessible
exposition of Berberian [5] has been followed.
Theorem 3.1. Let H be a separable Hilbert space, and P an infinite-

dimensional linear subspace of "H. Then if a i , . . . , an P and b H,
there exists an isomorphism T : "H > Ji such that T(di) = a; for I <
i < n, and T(b) P.
99
Proof. (By an isomorphism is meant a bijective linear transformation

that preserves inner products and hence leaves the orthogonality relation
invariant.)
Suppose that the QJ'S are ordered so that for some k < n, a\, . . . ,dk
is a linearly independent set with the same linear span as a,i,...,an.
Then orthonormalise to get an orthonormal set {x\, . . . ,Xk} C P with
this same linear span [5, p. 47].
As P is infinite-dimensional, there exists some x 6 P that is linearly
independent o f x i , . . . , X k - Theny = -(Za( x xi)xi) is a nonzero vector
in P that is orthogonal to each of xi,...,Xk. Putting c = \\y\\~ly, it
follows that {xi, . . . , Xfc, c} is an orthonormal subset of P.
Now if 6 P, the Theorem follows with T as the identity map on
Ti. Hence we may assume b P. But then b is linearly independent of
xi, . . . ,Xk and by the same process that produced c we may orthonor-
malise to obtain d ~H with {xi, . . . ,Xk,d} an orthonormal set having
the same span as {x\ , . . . , Xk , b} .
Now let M = the linear subspace of H generated by {xi, . . . , X k , d } ,
and A/" = the linear subspace of T~i generated by {x\, . . . , X k , c } . Then
A/" C P and M and A/", being of the same finite dimension, are isomorphic
by an isomorphism U : M > A/" that has U(xl] = n for 1 < i < k, and
U(d) = c. But for 1 < i < n, a; is a linear combination of #1, . . . , & ,
and so /(fflt) = a%. Also, by construction b M, so that U(b) P.
Now let
= {z U : z _L y for all y 6
be the annihilator of .M in Tt. Then A41 is topologically closed [5, p. 59]
and hence is a separable Hilbert space. Since M. is finite dimensional,
its orthogonal sum with ML is W [5, p. 66], i.e. Ti. = M A41, and so
as "H is infinite dimensional, .M1 must be infinite dimensional too.
Similarly, the annihilator A/"1 of A/" in H. is an infinite-dimensional
separable Hilbert space. Since any two such spaces are isomorphic [5,
p. 55], there exists an isomorphism V : M^ A/"1. Our desired map
T is then realised as the orthogonal sum of U and V. For, each w Ti
has a unique representation w = y + z with y M and 2 e ML [5,
p. 61]. We put T(w) = U(y) + V ( z ) . Using the fact that, likewise, w
has a unique representation y' + z' with y' 6 A/" and z' A/"1 , T may be
shown to be an isomorphism. Moreover, for 1 < i < n, a,i E M and so
T(oi) = t/K) - a,,

and finally, T(b) = U(b) P. D
ORTHOMODULARITY is NOT ELEMENTARY 101
Application to Quantum Logic.

A set-theoretic semantics for the prepositional logic of ortholattices
was developed in [33], using the notion of an orthoframe (X, _L) as a
nonempty set X carrying an irreflexive symmetric relation J_. Each sen-
tence is interpreted as a subset Y of X that is _L-closed, i.e. satisfies
y-1--1- = y, where in general ZL = {x : x _L z all z Z}. The set of
-L-closed subsets of X is a complete lattice under the partial ordering of
set inclusion, with set intersection as lattice meet, and ZL as orthocom-
plement of Z (Birkhoff [6, Section V.7]). The lattice is orthomodular if
it satisfies
(2) y C Z only if Z n y1 0.
If (2) holds, we will say that (X, J_) is an orthomodular frame. A pre-
Hilbert space P gives rise naturally to the orthoframe (7 ?+ ,), where
P+ is the set of nonzero vectors of P, and x i. y iff (x\y) = 0. Now an
isomorphism T : P > P preserves the zero vector, and hence acts on
P+ as a bijection that preserves inner products (x\y) and so has
xLy iff T(x)LT(y).
Thus if (p is any formula of the first-order language L2 of a single binary
relation, it follows that for any xi,...,xm inP,
(7? + ,l)^[:n,...,z m ] iff (P+,)t=v[T(xl),...,T(xm)}.
Applying this observation to Theorem 3.1 gives
Theorem 3.2. Let P be an infinite-dimensional subspace of a separable

Hilbert space H. Then if ip is any L2 formula, and 01,... ,an are ele-
ments of P such that for some b 6 "H, (H.+, _L) f= y [ f f l i , . . . ,o n ,6], then
there is some a 6 P such that (T~i+, _L) (= </?[ai,... ,a n ,a]. D
Theorem 3.2 gives a well-known criterion [4, p. 76] that ensures that if
P and Ji are as stated, then (P+,.) is an elementary substructure of
(7i+, J.). Hence the two structures satisfy exactly the same L2-sentences.
Now let P be the incomplete pre-Hilbert space of finitely nonzero
sequences of complex numbers, and Ti. the separable Hilbert space I2
of absolutely square-summable sequences [5, Chapter 11]. Then P is an
infinite-dimensional subspace of H, so (P+, J.) is elementarily equivalent
to (Ti+, JL). But the latter is orthomodular, while the former is not. To
see this, observe that adjunction of the zero vector to a -L-closed subset
of Ti+ turns it into a J_-closed subspace of 7i, and this process gives
an isomorphism between the lattices of -L-closed subsets of 7i+ and
closed subspaces of H (in H, "l-closed" and "(topologically) closed"
are equivalent). A proof that (2) holds for closed subspaces in ~H is

given by Halmos [41, p. 23], who describes it as a result which "our
geometric intuition makes obvious and desirable." The proof is indeed
conceptually natural: it obtains z G Z n YL as y x, where x is an
arbitrary member of Z Y, and y is a member of Y that minimizes
the distances from x to vectors in Y. The argument that shows such a
y to exist uses the metric completeness of Ji. Amemiya and Araki [2]
showed such a use of completeness to be unavoidable (cf. also Maeda and
Maeda [64, Theorem 34.9] or Varadarajan [104, pp. 182-183] for details),
by proving that if the lattice of _L-closed subspaces of P is orthomodular,
then P is complete. Their proof works for any pre-Hilbert space P, but
for our present purpose it suffices to apply it to the particular P cited
above to conclude that the class { ( X , J_) : (X, J.) is orthomodular} of
I/2-structures is not closed under elementary equivalence, and so is not
the class of models of any set of .^-sentences.
Implications for Quantum Logic.

The semantics based on orthoframes is inspired by the Kripke semantics
for prepositional modal logics that uses frames (X,R), with R a binary
relation on X. The development of this type of model has greatly en-
hanced the study of modal logics, because frames are easier to visualise
and manipulate than algebraic models (lattices with operators). One of
the more powerful techniques used is the construction for any logic of a
canonical model falsifying all its nontheorems by taking X as the set of
(maximal) theories of the logic.
But the real success of Kripke semantics is perhaps due to the sim-
plicity of its model characterisations. Most of the more important modal
logics were shown to have their frames defined by first-order conditions
on the relation R (reflexivity, symmetry, transitivity, linearity etc., cf.,
e.g., [59]). To show that a logic is characterised by a certain class of
frames it suffices to show that the class includes the frame of the canon-
ical model. If the class is ^-definable, then the question of characteri-
sation boils down to showing that the canonical frame satisfies a certain
first-order condition, or set of such conditions. This approach is in fact
quite general: it was shown by Fine [15] that if the class of all frames of
a modal logic is closed under elementary Inequivalence, and the logic
is characterised by some class of frames, then it is characterised by its
canonical frame.
Thus the results of this article indicate that the standard approach
is unavailable for the logic of orthomodular lattices, as there is no first-
order characterisation of orthomodularity for orthoframes. This is fur-
ther evidence of the intractability of quantum logic. It is perhaps the
ORTHOMODULARITY is NOT ELEMENTARY 103
first example of a natural and significant logic that leaves the usual meth-
ods defeated. There are some very basic questions about orthomodular
logic which, to my knowledge, remain unanswered:
Is it characterised by the class of orthomodular orthoframes?
Is it characterised by its canonical frame?
Does it have the finite-model property?
Is it decidable?
Arithmetical Necessity, Provability
and Intuitionistic Logic
4.1 Motivation
The interpretation of the modal operator D as "it is provable that"
seems to have been first considered by Godel [20], who observed that
there is a theorem-preserving translation of Heyting's intuitionistic logic
IL into the modal system S4. He "presumed" further that the translation
is deducibility-invariant, i.e., that a sentence is an IL-theorem precisely
when its translate is an S4-theorem. This was later verified by McKinsey
and Tarski [68].
A recent paper by Solovay [91] considers a number of provability
interpretations of modality, the most significant being "it is provable in
Peano arithmetic that". The basic idea is that if a is a sentence of Peano
Arithmetic (P), then Da denotes the sentence
(1) Bew( r a n ),
where r a n denotes the numeral of the Godel number of a, and Bew(x)
is the formula that expresses "x is the Godel number of a theorem of P."
Now the most well known reading of D is the alethic modality "it
is necessarily true that", and the most well known account of necessity
is the Leibnizian dictum that a necessary truth is one that is true in
all possible worlds. We can relate this to (1) by defining (as seems
eminently reasonable) a possible world for arithmetic to be a model of
P. A sentence a is then arithmetically necessary when it is true in all
P-models, which, by the Completeness Theorem, holds precisely when
P h a. Since the latter holds just in case P h Bew( r a n ), we obtain the
equivalence of
(2) a is arithmetically necessary
and
105
(3) Pi-Da.
There is however a major inadequacy in this analysis. A necessarily
true statement is in particular a true statement, and so for the alethic
interpretation we require the validity of the schema
(T) OA -> A.
But if validity is taken to mean derivability in P, as is done in [91], then
not all instances of this schema are valid. Indeed P h BewC'a"') > a
only in the event that P h a, as was shown by Lob [60]. The purpose of
this article is to offer a modified interpretation of D that leaves (2) and
(3) equivalent, but makes T valid. The modification is simply to take
Da as
(4) aABew( r a n ),
which has the apparent meaning "a is true and provable". Read like
that, (4) seems equivalent to "a is provable", i.e., to (1). However the
two are not the same, in view of the existence of true but unprovable
sentences of arithmetic. The precise situation is that each of (1) and
(4) is a P-theorem precisely when the other is (which is why (2) and (3)
remain equivalent), the two are materially equivalent in the standard
P-model, but this material equivalence is not in general itself provable
in P.
An interpretation of the language of modal logic will be developed
on the basis of (4), and then by axiomatising the resulting class of valid
sentences, and invoking the Godel-McKinsey-Tarski translations men-
tioned above, we will obtain a provability interpretation of IL in P, in
which an intuitionistic implication asserts the truth and provability of
a material implication, and an intuitionistic negation asserts that an
arithmetical sentence is false and refutable (inconsistent). Subsequently
we shall show that the arithmetically necessary non-modal sentences are
just the IL-theorems.
These results were obtained while the author held a position as Vis-
iting Scientist at Simon Fraser University. He would like to thank Dr.
S. K. Thomason for the hospitality afforded him at that time.
4.2 Method
Let $ be a modal prepositional language based on prepositional letters
Po>Pi,p2> -i the connectives A, V, ~, (all taken as primitive), and
the modal operator D. Define a translation A i- A from $ to $ by
stipulating
(5) Pi=pt,
ARITHMETICAL NECESSITY, PROVABILITY AND INTUITIONISTIC LOGIC 107
(6) (A t\ B) = A f\ B,
(7) (AV B) = A VB,
(8) (~Ar = ~(A),
(9) (A - B) = A -> B,
(10) (DA) = A A D(4).
We presume the reader is familiar with the notions of a frame f ~
(U,R), a model M = (U,R,V) based on F, the validity of a sentence
A on F, and the truth of A at a; in M, M\=XA. We recall only the key
clause
(11) M\=XDA iff for all y,xRy only if M\=yA.
(The details of these definitions may be found, e.g., in [86]).
Lemma 4.1. Let M. = (U,R,V) be a model with R reflexive. Define

M' = (U, S, V), where xSy if and only if xRy and x ^ y. Then for any
sentence A $, and any x e U
M\=XA iff M'^=XA.
Proof. By induction on the formation of A, the only non-trivial case
being A = OB, under the inductive hypothesis that the result holds
for B. Suppose M\=XOB. Then if xSy, we have xRy, so by (11)
M\=yB, whence by hypothesis M'\=yB. The analogue of (11) for M'
then gives M'\=XO(B). But also, since R is reflexive we have M\=XB,
hence M'\=XB. Altogether then M'\=XB A D(5), i.e., M'\=XA.
Conversely let M'\=XA and xRy. If x = y, then M'[=yB and so
by hypothesis M\=yB. But if x ^ y, xSy, so as M'\=XO(B) again we
get M\=yB. Thus, by (11), M\=XOB as required. D
Now the modal logic known in the terminology of Segerberg [86] as
K4W is axiomatisable by adjoining to a basis for PC the rule
(RN) From A to infer DA,
and the axiom schemata
(K) 0(A - B) -> (DA -* DB),
(4) DA - DD.4,
(W) D(DA - A) - DA.
It is shown in Chapter II 2 of [86] (and it follows also from the results of
[91]) that the K4W theorems are precisely those modal sentences valid
on all finite strictly ordered frames.
The system S4Grz (also known as Kl.l) has in addition to RN, K,
4, and T (which together define S4), the schema
(Grz) D(D(A - DA) -> A) -+ A

The S4Grz theorems are precisely those sentences valid on allfinitepar-
tially ordered frames [86, Chapter II, 3].
Theorem 4.1. For any modal sentence A,

S4Grzh,4 iff K 4 W h J 4 .
Proof. If S4Grz V- A then there is some M = (U, R, V) and some x U,
with M x A, U finite, and R a partial ordering. Let M' be as in
Lemma 4.1. Then M' x A, so A is not valid on the finite frame
(U, S), for which S is in fact a strict ordering. Hence K4W.K A.
Conversely if K4W V- A, then A is false at some point a; in a finite
strictly ordered model M - (U, S, V). Let M = (U, R, V), where xRy iff
xSy or x = y. Then clearly M' = A/", so by Lemma 4.1 A is not valid on
the frame (U,R), which is a finite partial ordering. Hence S4Grz.F A.
a
Now the provability interpretation of Solovay [91] is as follows: a *-
interpretation of ^ in Peano arithmetic is an assignment to each A <
of a P-sentence A* that satisfies
(12) (A^BY=A''^B\
(13) (AM BY = A*\JB*,
(14) (~AY = ~(A*),
(15) (A-* BY = A* ->*,
(16) (DA)* ^Bew( r A*" 1 ).
(Actually the connectives are not all treated as primitive in [91] - we have
done so here in order to later consider IL-interpretations.) A sentence
A is *-valid, denoted )=* A, iff under any înterpretation P I- A*. The
major result of [91] is that for any A e <?,
(17) K4W h A iff |=* A.
Combining Theorem 4.1 with (17) we then have
Theorem 4.2. For any A <,

S4Grzf- J 4 iff \=*A. D
Instead of dealing with the translation and the above definition of
interpretation we could, by combining the two, obtain a characterisation
of S4Grz-derivability directly in terms of interpretations in P. The new
kind of interpretation would satisfy (12)-(15), and in place of (16) would
have
(18) (DA)* =A* ABew( r 4* n ).

If A i- A* satisfies (12)-(16), then the assignment A H-> (A)* is an
interpretation of this new kind. In the other direction, if A H-> A*' satis-
fies (12)-(15) and (18), then putting p* = pi' and extending inductively
using (12)-(16) gives a înterpretation A H-> A* that has A*' = (A)*.
We leave it to the reader to verify the details of this.
We turn now to the interpretation of IL in P. Let & be the sublan-
guage of <? consisting of those sentences containing no occurrence of D.
Define a translation A H-> A" of & into $ by
(19) pr = nPi,
(20) (A/\B)' = A- /\B-,
(21) (AVB)-=A-VB~,
(22) (~A)~ = D-(A-),
(23) (A -> B)~ = O(A- -> B~).
Then a result of McKinsey and Tarski [68] is that for any A e !?,
(24) IL\-A iff S 4 h A - .
This can be strengthened, as observed by Grzegorczyk [40], to
(25) IL\-A iff S4Giz\-A~,
A straightforward method of proving (24), similar to our derivation of
Theorem 4.1 from Lemma 4.1, is given by Fitting [17]. The proof uses
the fact that IL and S4 are both determined by the class of frames whose
relation R is reflexive and transitive. That this approach yields (25) is
immediate from the observation that IL and S4Grz are both determined
by the class of finite partially ordered frames (it is the definition of
model based on a frame that distinguishes them - cf. Segerberg [84]).
Combining Theorem 4.2 with (25) we now have
Theorem 4.3. For any A !?,

IL\-A iff \=*(A-). O
Again the result may be analysed further and expressed in terms of
direct interpretations of >? in P. This time the interpretations satisfy
(12), (13) and
(26) p* = a.i A Bew(rain), for some P-sentence c^,
(27) (~A)* = ~(A*) A Bew( r ~(A*) n ),
(28) (A - BY = (A* - B*) A Bew(rA* -> B*"1).
There are other ways of translating IL into modal logic, and each yields
its own mode of interpreting !? in P. All of them lead to the same class
of valid sentences, viz., the IL-theorems. In the case of the original

translation of [20] and the two others in [68], p* can be any P-sentence
at all. We leave it to the reader to consult these works to determine how
the connectives are treated in these approaches.
4.3 The Case of the Standard Model

A modal sentence A $ will be called uj*-valid, w \=* A, if under all
înterpretations A* is true in the standard P-model (u,+, ), where u;
is the set of non-negative integers. The connection between this notion
and *-validity is
Lemma 4.2.
(i) \=* A only if u \=* A,
(ii) |=* A if and only if u |=* OA.
Proof.
(i) P h A* only if A* is true in w.
(ii) P h A* iff Bew( r ^* n ) is true in LJ.
D
Solovay [91] proves that
(29) w \=* A iff G' h A,
where G' is the modal system whose theorems form the smallest set of
sentences containing all K4W-theorems, and all instances of T, that is
closed under Modus Ponens. Combining (29) with Lemma 4.2(ii) and
(17) gives the apparently new
Theorem 4.4. K4W h A iff G' h OA. D
The reader has probably anticipated the next question - which <?-
sentences are valid in ui when interpreted according to (26)-(28)? He
or she may, however, be a little surprised at the answer: precisely the
IL-theorems are thus valid. In other words, any $- sentence that is valid
in w is valid in all P-models, and the only ^-sentences that are arith-
metically necessary in this latter sense are the intuitionistic theorems.
To see this we need
Lemma 4.3.
(i) For any A <, G' h (A A OA) <- DA.
(ii) For any A 6 A~ is immediate from T. To show that
S4Grz (- A~ D(A~) one can prove by induction that if M is
an S4Grz- model, then if M \=x (A~) and xRy then M \=y (A~).
(Alternatively the reader may develop a syntactic proof - the result
depends only on S4 principles.)
D
Corollary. For any A <P,

G' \- ((A~)) -> n((A-)).
Proof. By part (ii) of the Lemma, Theorem 4.1, and the fact that K4W C
G', we have
G'\-[A-
hence
i.e.,
Part (i) of the Lemma then gives the desired result. D
Theorem 4.5. For any A G !?,

I L h A iff \=*(A-) iff w K ( ^ - ) .
Proof. In view of Theorem 4.3 and Lemma 4.2(i), we need only prove
u f=* (A~) implies [=* (A~). But if u (=* (A~) then G' h (A~)
(29), whence by the above Corollary and PC we get G' h O((A~)).
Lemma 4.2(ii) and (29) then yield the result as stated. D
In the case of the three other IL-to-S4 translations mentioned earlier,
the analogue of Lemma 4.3(ii) does not hold (in particular it fails for
propositional letters, which are translated to themselves). However if
A i> A+ is one of these translations we do have
IL\-A iff S4Grzh J 4+,
and so by Theorem 4.2 and Lemma 4.2(ii), we have
(30) I L r - 4 iff K (A+) iff u (=*
By Theorem 4.5 and (30) we then have
(31) u |=* (A-) iff u |=*

This last result can also be obtained from the fact, noted in [68], that
which, reasoning as in the Corollary to Lemma 4.3, yields
and hence we get (31) by (29) and PC.
Problem
Let A = {A : u (=* A0} = {A : G' I- A0} be the set of modal
sentences valid in the standard model under interpretations satisfying
(18) in place of (16). A is recursive, since G' is, [91, 5], and by Theorem
4.1, S4Grz C A. The problem is to axiomatise A by adjoining a finite
number of schemata to S4Grz.
Postscript
A number of people have worked on the problems considered here.
George Boolos independently proved Theorem 4.1, while a proof that
IL h A iff K4W h (^4~) was previously given by A. Kuznetsov and
A. Muzavitski (cf. Proceedings of the IVth Soviet Union Conference on
Mathematical Logic, Kishiniev, 1976, p. 73, (in Russian)).
The above Problem has also been solved by Boolos (personal com-
munication, April 1979), by showing that A is just S4Grz itself! Thus
S4GrzF.4 iff w [=* 4,
or equivalently
A0 iff G'*rA.
Diodorean Modality in Minkowski
Spacetime
ABSTRACT. The Diodorean interpretation of modality reads the op-

erator D as "it is now and always will be the case that". In this article
time is modelled by the four-dimensional Minkowskian geometry that
forms the basis of Einstein's special theory of relativity, with "event"
y coming after event x just in case a signal can be sent from x to y at
a speed at most that of the speed of light (so that y is in the causal
future of x).
It is shown that the modal sentences valid in this structure are pre-
cisely the theorems of the well-known logic S4.2, and that this system
axiomatises the logics of two and three dimensional spacetimes as well.
Requiring signals to travel slower than light makes no difference to
what is valid under the Diodorean interpretation. However if the "is
now" part is deleted, so that the temporal ordering becomes irreflexive,
then there are sentences that distinguish two and three dimensions, and
sentences that can be falsified by approaching the future at the speed
of light, but not otherwise.
The Stoic logician Diodorus Chronus described the necessary as being

that which both is and will always be the case. This temporal interpre-
tation of modality has been exhaustively investigated by the methods
of contemporary formal logic within the context of linear temporal or-
derings (cf. Chapter II of [72] for a survey of this work). The present
paper is a contribution to the study of modalities in branching time, and
is concerned with the most significant of all non-linear time structures,
viz. the four-dimensional Minkowskian spacetime that forms the basis
of Einstein's theory of special relativity. Since the temporal ordering of
spacetime points is directed (indeed any two have a least upper bound)
it follows, as observed by Arthur Prior in [72, p. 203], that the associated
Diodorean modal logic contains the system S4.2. We shall prove that
it is in fact precisely S4.2, and that this holds also for two and three
dimensional spacetime.
113
The language of prepositional modal logic comprises sentences con-

structed from sentence letters p,q,r,... by Boolean connectives and the
modal D ("it will always be"). The connective O ("it will (at some
time) be") is denned as ~D~.
A time-frame is a structure T = (T, <) comprising a non-empty set
T of times (moments, instants, events) on which < is a reflexive and
transitive ordering. A frame is directed if any two elements of it have an
upper bound, i.e.
for all t, s T there exists a v T with t < v and s < v.
A T-valuation is a function V assigning to each sentence letter p a set
V(p) C T (the set of times at which p is true). The valuation is then
extended to all sentences via the obvious definitions for the Boolean
connectives, together with
t V(DA) iff t<s implies s & V(A).
Hence t V(OA) iff for some s V(A), t < s.
The reflexivity of < gives D the Diodorean "is and always will be"
interpretation. A sentence A is valid in T, T \= A, iff V(A) = T holds
for every T-valuation V.
A function / : T > T1 is a p-morphism from a frame T (T, <) to
a frame T' = (T', <') if it satisfies
PI: t<s implies f ( t ) <' f ( s ) ,
P2: f ( t ) <' v implies that there exists some s 6 T with t < s and
f ( s ) = v.
We write T - T to mean that there is a p-morphism from T to T
that is surjective (onto).
p-Morphism Lemma. // T - T', then for any sentence A, T \= A

only ijT (= A.
If T" C T is future-closed under <, i.e. whenever t T" and t < s
we have s e T', then T = (T',<) is called a subframe of T. By the
transitivity of <, for each t the set {s : t < s} is the base of a subframe,
called the subframe of T generated by t. In general an element 0 of T
is called an initial point of T if 0 < s holds for all s T. Thus ( is
an initial point of the subframe generated by t. A frame with an initial
point will be simply called a generated frame.
Subframe Lemma. // T' is a subframe of T, then for any sentence

A,T\=A only if T' \= A.
The logic S4.2 may be axiomatised as follows;
DIODOREAN MODALITY IN MINKOWSKI SPACETIME 115
Axioms: All instances of tautologies, and the schemata

I O(A -> B) -f (OA - DB)
II DA -> A
III DA -> DDA
IV ODA -> DOA
Rules: Modus Ponens, and Necessitation: From A derive OA.
Axiom I is valid on all frames, as is the rule of Necessitation, re-
gardless of the properties of <. The validity of II depends on reflexivity
of < , III requires transitivity, while IV is valid if < is directed. Thus
I-S4.2 A implies that A is valid on all directed frames. The following
strong version of the converse to this statement may be found in [86].
Completeness Theorem. //J / S4.2 A, then there is a finite generated

and directed frame T with T A.
We have not required that a frame be partially ordered, i.e. that < be
antisymmetric (indeed there is no sentence whose validity requires it).
Thus the equivalence relation defined on T" by
t K s iff t < s and s < t
will in general be non-trivial. The ^-equivalence classes are called the
clusters of T. They are ordered by putting
i<s iff t<s,
(where i is the cluster containing t etc.), and this is an antisymmetric
ordering. Thus we may conveniently visualise a frame as a partially-
ordered collection of clusters, with the relation < being universal within
each cluster.
An element oo of T is called final in T if t < oo holds for all t in T.
All such final points are ^-equivalent and so they form a single cluster.
Notice that if T is directed and finite then it must have at least one final
point. A unique final point can be adjoined to any frame T by forming
the frame T = (T U {oo}, <) where oo is some object not a member
of T, and the ordering is that of T extended by
{(s,oo) :s e T U J o o } } .
Notice that T is always directed, as the final point serves as upper
bound for any two elements.
The key to our characterisation of the logic of spacetime is the struc-
ture of the infinite binary-branching frame B = (B, <). The members
of B are the finite sequences of the form x = xix-2.. .xn, where each
Xi {0,1}. Such a sequence is of length n, denoted l(x) = n. We in-

clude the case n = 0, so that B contains the empty sequence x = 0. The
ordering is defined by specifying that for sequences x = x\xi . . . xn and
y = 2/12/2 ..-2/771 we have
x <y iff a: is an initial segment of y
iff
Thus B is partially-ordered, with 0 as initial point. The successors {y :
x < y} of x in B are just the sequences that extend x, and so x has
exactly two immediate successors, viz. xQ and xl (cf. Figure 5.1). We
shall also refer to l(x) as the level of x in 6.
In what follows we shall use the abbreviations
lr for 11... 1, and
r times
Or for 00 ... 0, where r > 0.

r times
oo n
Figure 5.1
The following result is due originally to Dov Gabbay, and was indepen-
dently discovered by Johan van Benthem. The construction we use in
the proof is that devised by the latter.
Theorem 5.1. I f T is any finite generated frame, then B - T.

Proof. We develop inductively an assignment of members of T to the
"nodes" of the binary tree B to obtain the desired p-morphism.
Step One: Let 0 be an initial point of the generated frame T . Assign
0 to the initial point 0 of B.
Inductive Step: Suppose that x B has been assigned an element t
of T, but that no /^-successor of x has received an assignment. Such a
point x that is used to initiate an inductive step will be called a primary
node of B for the p-morphism being defined.
Now let ti, . . . , tk be all of the <-future points (i.e. t < ti) of t in T.
Take the least j such that k + 1 < 2 J . This j is the bound of x: /3(x) = j.
Notice that k > 1, since at least t < t, and so j > 1.
Suppose l(x) = n. Then we assign t to all H-successors of x up to
and including level n + j (cf. Figure 5.2).
level n+j'+l
level n+y
level n+l
level n
Figure 5.2
Now let j / i , . . . , j/fc be any k of the 2^ successors of x at level n + j.

Assign t\ to one of the immediate successors of y\, and t to the other.
Assign 2 to one of the immediate successors of 7/2, and t to the other.
Continue this process up to yk, thereby giving assignments to 2fc of the
2J+1 successors of x at level n + j 4- 1. Let all the other nodes at this
level be assigned t (there are such nodes, as 2k < 2 J+1 ).
The nodes at levels n + l through n+j are designated as intermediate
nodes for the construction, while the nodes at level n + j + 1 are new
primary nodes. The inductive step is then repeated for each of the
latter, and so on. Since j > 1, the immediate successors of x at level

n + I must receive an assignment (in fact the same one as x). Hence
by induction, every member of B gets an assignment, and a function
/ : B > T may be defined by letting f ( x ) be the member of T assigned
to x. Since {t : 0 < t} = T, every member of T will be assigned at
least once already after the first inductive step, and so / is onto. To
prove clause PI of the p-morphism definition, observe that if x < y, and
f ( x ) t say, then y will be assigned a future point of t in T, hence
f ( x ) < f(y) (a rigorous argument would proceed by induction on the
level of y above x and use the transitivity of <).
For P2, suppose that f(x') < s, where f(x'} = t. If x' is primary
at level n, such as the x in Figure 5.2, then there is a point y at level
n + j + I that is assigned s, hence x' < y and f(y) = s. If however
x' is intermediate, then since all points at level n + j have at least one
successor at n + j + 1 that is assigned t, there will be some such primary
node z with x' < z and f ( z ) = t. Then by the argument of the previous
sentence, there will be a y with z < y, and hence x' < y, such that
f(y] = s. This completes the proof. D
We note in passing that the modal logic S4 has as basis the axioms
for S4.2 without the schema IV. It is well known that any non-theorem
for S4 is falsifiable on a finite generated (reflexive and transitive) frame,
and hence by Theorem 5.1 and the p-Morphism Lemma is falsifiable on
B. Thus for any sentence A we have
\-s*A iff B\=A,
so that B is a characteristic frame for S4.
It is apparent that the proof of Theorem 5.1 as given requires only
that k < 2J'. The reason for the stronger constraint is that we have
to refine the construction to ensure that / satisfies some combinatorial
conditions that will allow us to define a p-morphism on spacetime. In
the proof of Theorem 5.1 the chosen nodes 3 / 1 , . . . , r/k at level n + j will
be called special intermediate points. The other intermediate points are
ordinary. Then since there are 2 J > k + 1 points above x at level n + j -
(a) / can be defined so that for primary x the intermediate node rrCP is
ordinary (where j = 0(x)).
We then give the definition of / in the inductive step related to Figure
5.2 quite explicitly as follows:
if z is an intermediate point,
I'M Ipt f ( ? \ t f f r V
V / ^t'w J \*> ) v ~~ J \ * * / / J
and if z is at level n + j, then

(c) if z is ordinary, let /(zO) = f ( z l ) = t /(x), while

(d) if z = yi is special, let f(zO) = ti and f ( z \ ) = t.
Thus the only case in which an intermediate node has a different as-
signment to one of its immediate sucessors is when the node is a special
point z, and the successor is the primary point zO. Moreover in the
case of a primary point x the successors xO and xl at level n + 1 are
intermediate, as (3(x) > 1, and so (Figure 5.2) have the same /-value as
x. Altogether then we have that for any point z in B,
(e) f ( z ) = /(*!),
and
(f) if z is not a special intermediate point, then f(z) = f(zO).
From (e) we deduce that
(g) for all 2 e B and all r, f(z) = f ( z l r ) .
Next we consider nodes of the form xO r , for primary x. If r < j' =
f3(x), then xOr is intermediate and so has the same /-value as x by (b).
But by (a), xOr is not special, so by (f), /(x(P +1 ) = /(x(P) = /(x).
Since xCP+1 is primary, the argument may be repeated up to the next
level of primary points, and so by induction,
(h) if x is primary, then /(x) = /(xO r ), for all r.
Lemma 5.2. For any x B,

(i) if x is special, then /(x) = /(x!0 r ), all r; and
(ii) otherwise /(x) = /(xOF), all r.
Proof. For (i), if x is special then /(x) = /(xl) by (d), and since xl is
primary, /(xl) = /(xlO 7 ') by (h).
If however x is not special, then /(x) = /(xO) by (f), and then
/(xO) = /(xOF) by (g). D
Our next step is to produce a characteristic frame for S4.2 by placing
an infinite final cluster at the top of B. Let
12 = {oo 0 ,oo 1 ,...,oo n ,...}
be an infinite set of objects disjoint from B. Define a frame
by taking the ordering < to be that of B extended by

{ ( s , oon) : s e B U n and n e N}
where N = {0,1,2,...}. Then Bn has Q as its set of final points, with
oon oom for all n and m.
Theorem 5.3. // T is finite directed and generated, then Bn - T.

Proof. By Theorem 5.1 there is a p-morphism / : B - T. We lift this
map to B U f2. Since T is directed it has final points, and these form
a (non-empty) cluster, C say. We extend / by mapping fl onto C in
any surjective manner. Since the relevant frame orderings are universal
within C and J?, and each of these clusters consists of final points, it
is readily seen that such an extension of / yields the desired surjective
p-morphism. D
Applying the Completeness Theorem given above for S4.2 to Theo-
rem 5.3, we deduce
Corollary 5.4. For any sentence A,

1-84.2^4 iff Bn\=A. D
We turn now to the structure of spacetime itself. If x = (x\ , . . . , xn) is

an n-tuple of real numbers, let
p,(x) = x\+x\ + ...+ a_! - x2n.
Then by n- dimensional spacetime, for n > 2, we mean the frame
n
T = (ir,<),
where K is the set of all real n-tuples, and for x and y in En we have
x <y iff n(y - x) < 0 and xn < yn
iff E"=i^ ~ *)2 < (Vn ~ xn)2 and xn < yn.
Then T is a partially-ordered frame, which is directed. As an upper
bound of x and y we have, for example, z = (x\ , . . . , xn-\ , zn) , where
z
n = Yî=l(Xi ~ yi}2 + \Xn\ + \Vn\-
Theorem 5.5. T +1 - T.
Proof. Let / : (x\ , . . . , z n + i) >-> (x2, ..., xn+i) be the (surjective) pro-
jection map. Then if x < y T +1 , we have
Z)"=i(2/' ~ xi? ^ (Vn+i - Zn+i) 2 and xn+i < yn+i.
But then as (yi - xi)2 > 0,
and so f ( x ) < f ( y ) in T n , establishing PI for /.

For P2, if f ( x ) < y in T, where x = (xi,...,xn+i} and y
{2/2,..-,3/n+i}, let z = (xi,y2,.-.,yn+i) K +1 . Then zi - xi = 0,
so
_ V - r-12
(zn+l ~ Xn+i),
and xn+i < yn+i = zn+i- Thus x < z, and by definition f ( z ) = y.

Therefore / is the desired p-morphism. D
Minkowski spacetime is T4. The intended interpretation of x < y

is that a signal can be sent from "event" x to "event" y at a speed at
most that of the speed of light, and so y is in the "causal" future of x
(assuming a choice of coordinates that gives the speed of light as one
unit of distance per unit of time).
The frame T2 is depicted in Figure 5.3. For each point t = ( x , y )
in the plane, the future consists of all points on or above the upwardly
directed rays of slopes +1 and 1 emanating from t.
Figure 5.3
By performing the isometry of rotating the plane clockwise through 45

about the origin 0, the picture becomes that of Figure 5.4, in which the
future points of t are precisely those above and to the right of t. The
rotation is a bijective p-morphism (isomorphism of frames) and so from
now on we will identify T2 with the structure of Figure 5.4. This is done
largely to make the constructions to follow more tractable, but notice
that it reveals T2 as the direct product of the real linear frame (E, <)
with itself, as we now have
(*) (xi,yi) < ( x 2 , y 2 ) iff xi < x2 and yi < y2.
Futurexrf;
Figure 5.4
Now let Tg = {t : 0 < t} be the "first quadrant" of the plane,
consisting of all points with non-negative coordinates. A future-open
box in TO is a subset of the form [a, b) x [c, d) (cf. Figure 5.5).
'ms
Figure 5.5
Notice that any two members t, s of a future-open box have an upper
bound v within the box, and that v may be chosen to lie on the diagonal
line joining (a, c) to (6, d).
Theorem 5.6. Any future- open box is temporally isomorphic to T%.

Proof. It is a fact of classical analysis that there is a bijection / : [a, b) H->
[0, oo) = {e : 0 < e} that preserves order, i.e. has x < y iff f(x) < f(y).
Figure 5.6 displays one method of geometrically constructing /.
Figure 5.6
Likewise, there is an order-isomorphism g : [c,d) [0, oo). Then the

map ( x , y ) i- (f(x),g(y)) gives a bijection between [a,b) x [c,d) and TQ
that preserves the temporal ordering defined on each by (*). D
Corollary 5.7. Any two future-open boxes are temporally isomorphic.

a
From now on we focus on the structure of the unit box
Theorem 5.8. / - /?.

Proof. Here J? is considered as a frame in its own right, consisting of
an infinite set of points all related to each other by <. The idea of the
proof is that each oon is made to correspond to a subset An of / that is
cofinal with I, i.e.
for each t E I there is some s e An with t < s.
We can do this by making rational cofinal assignments up the diag-
onal of / to ooi,oo 2 ,..., and mapping everything else to OOQ (Figure
5.7). Thus we map (|, |),{|, f},... to ooi; (f, f), {,),... to oo2;
(|, f), {|f, ||),... to oo3; and so on. Formally, let 7ri,7r 2 ,... ,7r n ,... be
a listing without repetition of the prime numbers in order of increasing
magnitude, starting with TTI = 2. Then if ( x , y ) /,
(i) if x = y = 1 - ^r for some k > 1, put f ( ( x , y ) ) = oon,
and
(ii) otherwise put f ( ( x , y } ) = ooo.
(0,1)
Figure 5.7
That PI holds for / is immediate, as O is a cluster. But the cofinality

of the oon-assignments along the diagonal, together with the fact that
each point t in / has <-successors on the diagonal, guarantees that
An = /-1(oon) is cofinal with /. This cofinality ensures that / satisfies
P2. D
Theorem 5.9. I f T is finite generated and directed, then I - T.

Proof. By Theorem 5.3 there exists a p-morphism / : Bn - T. We
define a map g : I > -BU J? which will compose with / to give the desired
result. This is done by assigning each point in B U {00} a future-open
box contained in /, through a series of temporary and then permanent
labellings.
Step One: Temporarily assign the initial point 0 of B to /.
Inductive Step: Suppose x 6 B has been temporarily assigned a box
within /. Divide this box into four equal future-open boxes (Figure 5.8).
Permanently assign the lower left-hand box to x and the upper right-
hand one to oo. Temporarily assign the upper left-hand box to xO and
the lower right-hand one to xl.
When all members of B have inductively received permanent assign-
ments, the picture is as in Figure 5.9.
oo
xl
Figure 5.8
000[-|
00
00
001
OO
010
0
01 on
lOO-i
00
10 101
0
11 111
1/2 3/4 7/8 1
Figure 5.9
It is apparent that
(**) if z < y in B, then the box permanently assigned y lies inside the
one temporarily assigned z.
Lemma 5.10. If t G / belongs to the box assigned x B, then there

is some z B with f(x) = f ( z ) , and such that the box assigned z lies
entirely inside the I-future o f t .
Proof. As indicated in Figure 5.10, by taking r large enough we can
ensure that the boxes assigned z\ = xOlr and z<i = xlOr both lie inside
the future of t.
t*
xlO
xl
Figure 5.10
Then by Lemma 5.2, if is a special point for the construction of / as

in Theorem 5.1, we may take z = z? to fulfill Lemma 5.10, while if x is
not special, z = z\ meets our requirements. D
To continue with the proof of Theorem 5.9, we define a map g : I >
B U n as follows:
(i) the members of the future-open box permanently assigned x B in
Figure 5.9 are all mapped to x by g.
(ii) each box assigned oo in Figure 5.9 is mapped p-morphically onto J?
by g. This is done by the method of Theorem 5.8, noting Corollary
5.7.
Next a surjective map h : I T is defined by putting h(t) = /(<?()), for

all t /. To show that h satisfies Pi, suppose t < s in /. Then if h(s} is
final in T, immediately h(t) < h(s). If h(s) = f(g(s)) is not final, then
(cf. proof of Theorem 5.3) g(s) 17 and so g(s) 6 B. But since t < s,
the permanent 5-assignment to s will be a sequence extending the one
assigned to t (Figure 5.8), i.e. g(t) < g(s). But then f(g(t)) < f(g(s)),
as / satisfies PI.
For P2, suppose h(t] = f(g(t)) < v in T. If g(t) is a member of
B, then by Lemma 5.10 there exists some z 6 B that is assigned a box
entirely inside the future of t and that has f ( z ) = f(g(t)) < v. Since /
satisfies P2, there is some y B with z < y and f(y) = v. But then
(cf. (**)) the box assigned y also lies inside the future of t, and so if
we choose an element s from this box, so that g(s) = y, we have t < s
and h(s) = f(y) = v. On the other hand, if g(t) 6 Q, then h(t) is final
in T, and therefore so is v, hence v = f(oon) for some n. But by the
definition of g, t belongs to a box that is assigned oo in Figure 5.9, and
this box is mapped p-morphically onto J? by g. Hence there is some s
in this box with t < s and g(s) = oon, so h(s) = /(oon) = v as required.
This completes the proof of Theorem 5.9. D
Theorem 5.11. For any sentence A,

h54.24 iff T"|=A iff I\=A.
Proof. If hS4.2 A, then A is valid on all directed frames and thus in
particular on Tn. But if Tn \= A, application (n - 2 times) of the p-
Morphism Lemma to Theorem 5.5 gives T2 f= A. The Subframe Lemma
then gives TQ |= A, which in turn by Theorem 5.6 yields I \= A. To
complete the cycle of implications, observe by Theorem 5.9 that if / (= A
then A is valid on all finite generated and directed frames, and so by the
Completeness Theorem given earlier, A is a theorem of S4.2. D
Slower-Than-Light Signals
In T, define
x -< y iff [i(y x) < 0 and xn < yn-
Then x -< y holds just in case a signal can be sent from x to y at less
than the speed of light. The reflexive relation
x =<; y iff x y or x -<y
yields the same logic as before - we leave it to the reader to analyse the
above proof to verify that the valid sentences on (Tn, ^4) are precisely
the S4.2 theorems.
The End of Time

Amongst the possible future fates of our universe is that expansion will
eventually give way to contraction and collapse to a singularity. In this
event, any future-oriented path in spacetime will come to an end (the
singularity). Formally, this corresponds to the frame condition
(f) Vx3y(x < y & Vw(y < w > y w)).
In a directed partially-ordered frame there can be only one y as in (f),
namely a unique final point, for if y has no successors then an upper
bound for y and any other point can only be y itself.
The logic K2 extends the system S4.2 by the additional axiom schema
which is valid on frames satisfying (f). Conversely, the work of Segerberg

[83] may be used to show:
// A is not a K2-theorem, then A can be falsified on a fi-
nite generated directed frame whose final cluster has only one
member.
Thus K2 is characterised by the finite generated directed frames with a
unique final point. Any such frame T is a p-morphic image of 7, as
may be deduced from / - T. Indeed any p-morphism T\ - T can be
lifted to 7^ - T by mapping oo to the unique final point of T. We
leave it to the reader to use that observation to verify, for any sentence
A, that
F-K2 A iff (Tn) \= A iff 7 |= A iff B (= A.
Irreflexive Time
Tense logic, as a branch of modal logic, is generally taken to be concerned
with irreflexive orderings, so that a point is not considered to be in its
own future. In spacetime there are two natural strict orderings, viz. the
relation
x -< y iff n(y - x) < 0 and xn < yn
defined earlier, and
xay iff x ^ y and x < y.
(a is the relation "after" axiomatised by Robb in [75]).
The logic of these two orderings can be distinguished in terms of the
validity of modal sentences. There may be two propositions A and B
that are true in the future at two points that can only be reached by
travelling (in opposite directions) at the speed of light (cf. Figure 5.11).
Now
Figure 5.11
In this situation, will be true now, but never again, and hence
the sentence
is not valid when a is the temporal ordering. It is however valid under

-<, since a slower-than-light journey can always be made to go faster, so
we could wait some time and then travel at a greater speed to A and B
(Figure 5.12).
Now
Figure 5.12
These observations apply to Tn for all n > 2. However by pushing the

idea a little further we can produce a sentence whose truth is dimension-
dependent. For, in tftree-dimensional spacetime we can find at least three
points that can only be reached by travelling in different directions at
the speed of light. In T3, the future of t is represented by the upper half
of a right circular cone centered on t (Figure 5.13).
Figure 5.13
Thus in (T 3 ,a), and indeed in (T n ,a) for n > 3, we can falsify the-
following sentence (here i and j range over {1,2,3}):
A n(Pl A pi A Oft-))-
However this sentence is valid under -< for all n > 2, and is valid under
a in T2.
Problems
1. Axiomatise the logics corresponding to a and to -< in the various
dimensions.
2. Analyse the logic of discrete spacetime, i.e. when E is replaced by
the set Z of integers .
Notes
I am very much indebted to Johan van Benthem for a stimulating and
fruitful dialogue, without which I doubt that I would ever have com-
pleted this jigsaw puzzle.
The fact that S4.2 is the logic of the direct product of the real linear
frame (M,<) with itself was discovered independently by Valentin She-
htman (cf. [89]). Theorem 5.1 was also proved by A. G. Dragalin. More
details of these other works are given in the Editor's footnote to [22].
6
Grothendieck Topology as
Geometric Modality
A Grothendieck "topology" appears

most naturally as a modal operator
of the nature "it is locally the case
that".
F. W. LAWVERE
6.1 Introduction
The language of prepositional modal logic extends that of ordinary logic
by the additional of a single unary connective. This connective has a long
history of investigation in terms of modal interpretations of philosophical
interest, such as "it is necessarily the case that" (alethic mode), "it ought
to be the case that" (deontic mode), "it is known that" (epistemic), "it
will always be that" (temporal), and so on. Recently a number of in-
terpretations have been studied that are of more mathematical concern.
Thus we have "it is provable (or true and provable) in Peano arithmetic
that" (cf. [91] or [21]), and "whenever a certain program terminates, it
is the case that" (cf. [16]).
The present article is a contribution to the study of mathematical
modalities, and is concerned with what might be called the geometric
mode. The above quotation comes from the address [55] at which LAW-
VERB first announced the results of his work, with M. TIERNEY, on
axiomatic sheaf theoryan elementary (first order) treatment of the
notion of a Grothendieck topology on a category and its attendant cat-
egory of sheaves. In order to elucidate this claim we shall interpret
the formal modal language within elementary sites. An elementary site
comprises a topos with a topology O -^ f l . may be thought of
as a generalised universe of (perhaps non-extensional) sets, with 1 its
131
"set" of truth-values, and j a unary operator on truth-valueshence a

suitable entity for interpreting a modal connective. Using the "logic" of
, a notion of validity is defined, and by adapting the set-theoretic tech-
niques now generally employed in the study of intensional logics we are
able to axiomatise the class of sentences valid on all sites and establish
that it is recursive.
In order to carry out the program just sketched a Kripke-style se-
mantics will be developed on the basis of a wide-ranging discussion of
concepts of "local truth". Since the logic of topoi is in general intuition-
istic, we find ourselves working in non-classical modal logic. This area
has been explored to some extent before. For instance, BULL [7] provides
a philosophically motivated account of the alethic mode in relation to
intuitionism. Our approach to intuitionistic logic will however be to see
it, not so much as an exegesis of a constructivist theory of the meaning
of mathematical statements, but rather as the group of "laws" that arise
when one makes the natural generalisation of the "algebra of sets" to
the context of the open-set lattices associated with topological spaces.
Whether or not the models discussed below have any relevance to intu-
itionism is another matter. For the present we regard this as an exercise
in classical mathematics, dealing with abstract analogues of topologi-
cal ideas. The main lesson we take from what follows is that whereas
GROTHENDIECK'S original definition of a "topology" on a category arose
by an abstraction of the category-theoretic properties of the category of
open subsets of a space, the concept may also be seen to stem from a
generalisation of the concepts of "nearness" and "neighbourhood" from
classical topology.
The author is indebted to Professors S. K. THOMASON and DANA
SCOTT for the hospitality he received during the preparation and writing
of this article, which took place initially at the Mathematics Department
of Simon Fraser University, and later at the Mathematical Institute,
Oxford.
Note on Numbering: As with other chapters, sections are numbered
globally, so that the third section of this sixth chapter is numbered 6.3.
But we drop the chapter number from items within sections, so that the
fourth item of the third section is numbered 3.4, rather than 6.3.4.
6.2 Resume of Prepositional Models

We shall be dealing throughout with an object language in which sen-
tences are constructed from a denumerable set lô of sentence letters,
together with the constant J_ (False), by means of the connectives A
GROTHENDIECK TOPOLOGY AS GEOMETRIC MODALITY 133
(and), V (or), > (implies) and V (it is locally the case that). Negation,
the biconditional, and the constant T are defined by
~A = A->, A=B = (A^B)h(BÂ), T = ->l.
The set of all sentences will be denoted !?. <P denotes the subset of all
non-modal sentences, i.e. those with no occurrence of V.
The Kripke semantics for ^-sentences employs as its basic structure
a partially-ordered set (poset) P (P, C). For each p P we put
\p) = {q & P : p C. q}. A subset 5 C P is P-hereditary if it is closed
upwards under C, i.e. if p 5 implies [p) C 5. We put
P+ = {S C P : 5 is ^-hereditary}.
A model based on P is a pair A4 = (T3, V), where V : &Q > 73"1" is a
P- valuation assigning to each sentence letter TT !?o a 'P-hereditary set
V(ir) C P. The notion of a non-modal sentence A <P being true at a
point p in M, written M. \=p A, is defined inductively by:
(2.1) M (= P 7T i f f p e V(TT),
(2.2) not M hp-L,
(2.3) A1 (=p A A B iff A^ f= p A and M (=p B,
(2.4) X (=p yl V JB iff A^ (=p A or X |=p B,
(2.5) . M } = p A - > . B i f f p C < ? implies that M \=q A only if M \=q B.
Hence we also have
(2.6) M t=p ~A iff p C g implies that not Ai f= 9 A.
Putting M(A) = {p : M \= A}, these clauses become
(2.7)
(2.8)
(2.9)
(2.10) M(A VB) = M(A) U M(B),
(2.11)
(2.12)
where for S, T 6 P+
(2.13) 5|^T = { p : [ p ) n S C T } ,
and
(2.14) -.5 = 5 |=>0 = {p : [p) n 5 = 0}.
The set "P+ contains 0 and is closed under the operations n, U, t=>. From
this a straightforward induction shows that M (A) P+ , for all A <
[84, Lemma 2.1]. Sentence .4 is true in M, M h A, if M \=p A for all
p (i.e. M \= A iff M(A) = P). A is valid on the poset P, P f= A, if

M. \= A holds for all models M. based on P.
The sentences valid on all posets are precisely the theorems of intu-
itionistic logic. The requirement that M(A) be P- hereditary is needed
to ensure that all such theorems are P-valid.
Algebraic semantics for ^ uses the notion of a Heyting algebra
(HA). This is a structure H - (H, n,U, =,0), where (H,n,U) is a lat-
tice with least element 0, and => is an operation of relative pseudo-
complementation, satisfying
xr\y C z iff x C y => z,
where C is the usual lattice ordering given by
x Cy iff x H y = x iff x\Jy = y.
The element x => y is called the relative pseudo- complement^. p. c.) of x
in y. It is the greatest member of the set {z : x n z C ?/}.
Any HA has a greatest element 1, with 1 = (x => x) for any x H.
An Ti-valuation is a function V : iZ'o > #. Such a function is lifted
canonically to V : $ > H by stipulating that
(2.15) V() = 0,
(2.16) V(A A 5) = V(4) n V(B),
(2.17) V(yl V 5) = V(4) LJ
(2.18) V(4 -c B) = V(A)
and hence
where -> : H > H is defined by -13; = a; =^> 0 (x is called the pseudo-

complement of x).
Sentence A is H.- valid, H\= A, if V(A) = 1 for every ^-valuation V.
Now given a poset P, we obtain the corresponding algebra
of hereditary sets as above. P+ is in fact an HA with greatest element

P. The "P+'Valuations V : &Q > P"1" correspond exactly to the models
M. = (P, V] based on P. When such a valuation is extended to V : $ >
P+ by clauses (2.15)-(2.18) we find that for all A $,M(A) = V(A)
(using induction on (2.7)-(2.11)). Hence M \= A iff V(A) = P = 1.
Since this is true for all V, we have
(2.19) P\=AiSP+t=A, for all A <P.
From this it is immediate that a sentence valid on all HAs will be valid on
all posets and hence be an intuitionistic theorem. That all such theorems
are HA-valid is established by a routine analysis of the properties of HAs

(cf. [74]).
The construction of P+ assigns to each poset a semantically equiv-
alent HA. In general there is only a partial converse to this. Prom an
HA "H we obtain via the representation theory of Stone [92] the poset
H+ = (PH, C), where PH is the set of prime filters in H, and C is set in-
clusion. The function x H- {p P-H : x G p] is an isomorphism between
H and a subalgebra of the HA (H+)+ of W+-hereditary sets. From this
it can be shown that H+ \= A implies H |= A, but the converse need
not obtain. The construction does however give a proof that a sentence
valid on all posets will be valid on all HAs.
The class of Heyting algebras includes all Boolean algebras (BAs)
amongst its members. In the BA (2 x ,n, U) of all subsets of a set X,
the r.p.c. operation is given by S U T, where 5 = S U 0 = -*S is
the usual set complement {x 6 X : x (. S}. Now if T> is the class of
open sets of a topology on X, the lattice (D, D,U) will not in general
be closed under the operations -5 U T or -S. If however we consider
their nearest approximations in T> by defining S => T = (S L)T), and
hence ->S = (-5), where ( ) denotes the topological interior operation
associated with P, then (>, n, U, =>, 0) proves to be an HA. In this way
HA's are seen to be the natural generalisation to the topological context
of the Boolean algebra of subsets of a given set.
The collection P+ is in fact a topology on P, in terms of which we
find that S\=>T = (~S U T), and hence -iS = (-5), where (=> and
-i are as defined by (2.13) and (2.14). Thus S&T is the largest P-
hereditary subset of 5 U T and ->S is the largest hereditary set disjoint
from S.
P+ is a rather special topology in that it is P|-closed, i.e. closed under
arbitrary intersections. Also since p [p) E P+, and p C q iff q \p), we
find via the antisymmetry of C that P is a TO topology (distinct points
do not have identical neighbourhoods). Moreover these facts lead us to
observe that
p\2q iff p&S P+ implies q 6 5,
and so the collection P+ determines the partial-ordering C.
Conversely, if T> is any f|-closed topology on P, by putting T>p =
{S T>: p 5} we may define a relation C by
(2.20) p C q iff q {\Df iff Vp C T>q,
so that [p) = fl^V D- This relation is reflexive and transitive, and
will be antisymmetric iff T>p = T>q implies p = q, which is precisely
the TO condition. It is clear from (2.20) that the members of T> are
C-hereditary, so that T> C P+. But if 5 is ^-hereditary, we have

S = \J{\p) : p S] T> (since \p) > and T> is closed under arbitrary
unions, being a topology), yielding V P+.
Altogether then there is a bijective correspondence between partial-
orderings and f)-closed ô topologies on any set. The TO condition (anti-
symmetry) is not in fact essential to the model theory of $. It is however
possessed by most important models, and may always be imposed, by
passing to a quotient, without affecting the validity of ^-sentences. Since
it leads to a cleaner theory we shall assume it throughout.
6.3 Frames and Monads

There are two (at least) senses in which the word "local" is employed in
topology, and an analysis of these will lead us to extend the modelling
of Section 6.2 to provide an interpretation of the connective V.
6.3.1 Germs and Monads
Two functions / and g are said to be equivalent, or to have the same
germ, at a point p in the intersection of their domains if there is a
neighbourhood of p on which / and g assign the same values. Thus /
and g have the same germ at p when the statement "/ = g" is locally
true at p, i.e. true throughout some neighbourhood of p. Intuitively this
conveys the idea that / and g assign the same values to point "close"
to p.
Similarly, two sets S and T are equivalent at p if there is some neigh-
bourhood U of p with S n U = T n U. Again this means that 5 and
T are locally equal at p, i.e. that "5 = T" is true when relativised to
points close to p.
From these examples we extract the principles
(3.1) A is locally true at p iff A is true at all points close to p,
and
(3.2) A is locally true at p iff A is true throughout some neighbourhood
of p.
Informally, (3.1) and (3.2) are equivalent: a neighbourhood of p is any
set containing all points close to p, while the points close to p are just
those belonging to all neighbourhoods of p. Formally however there are,
in any topological space that is at least 2\, no points that are close to
p in this sense, and so we have to resort to formulation (3.2) (1\ means
that any point distinct from p lies outside at least one p-neighbourhood).
Thus whereas the germ of 5 at p is intuitively a subset of 5, namely the
collection of points in 5 that are close to p, formally this germ is denned
as the set of all sets that are equivalent to 5 at p. This situation can be
remedied in topological theories that admit infinitesimals. In the work
of Robinson [77] the germ of S at p is the intersection of 5 with the
monad of p, the latter being the set of points infinitely close to p.
6.3.2 Frames
We now introduce the concept of a frame as a structure P = (P, E,/j)
comprising a poset on which there is a function n : P > 2P assigning to
each p e P a subset n(p) C P (the monad of p) such that
(3.3) p C q implies n(q) C fi(p).
Writing p X q for q fi(p), (3.3) becomes
(3.4) p C g -< r implies p -< r.
The notion of a model Al = (P, V) based on P is defined as in Section
6.2, and truth in M at a point is defined for all ^-sentences using (2.1)-
(2.5) and the new clause
(3.5) M \=p VA iff /i(p) C M(A),
or equivalently
(3.6) M |=p VA iff p -< q implies M (=, A,
which formalises principle (3.1).
Defining j^ : P+ ^ P+ by jM(S) = {p : //(p) C S} which does
indeed make jM(S) P-hereditary by (3.3)we find that (cf. (3.5))
(3.7) M(VA)=jlt(M(A)),
and from this it can be shown that M(A) P+, for all A !?.
The notions A1 (= A and P (= A of truth in a model and validity on
a frame are again as for posets. Amongst the sentences that are valid
on all frames we cite
(3.8) V(A -> B) - (VA - VB),
(3.9) V A A V B - ^ V ( A A B ) ,
(3.10) VAVVB-+ V ( A V 5 ) ,
while amongst the validity-preserving rules there are
(3.11) if P\= A then P \=VA,
and
(3.12) if P \= A -> B then P (= VA -> VB.
The verification of these facts is left to the reader.
6.3.3 Increasing Frames
We say that /*, or more loosely P, is increasing if it satisfies
(3.13) /i(p) C [p), for all p P,

i.e.
(3.14) p X q implies p C q.
Then we have
(3.15) P is increasing i f f P \ = A ^ > VA.
Proof. Suppose that P is increasing and that M \=p A, i.e. p M(A),
for some model M on P. But M(A) e 75"1", and so [p) C M(A), whence
by (3.13) we get fi(p) C M(A) and so (3.5) gives M \=p VA. Thus
A > VA cannot be falsified on P.
Conversely suppose P f= A > Vyl and take a model with F(TT) =
[p) P"1". Then M \=p IT and hence M \=p VTT, giving /i(p) C M(ir) =
\p). D
6.3.4 Hereditary Monads

As noted in Section 6.2, the topology P+ (the upper order topology) is
Pj-closed, and so for each set U C P there is a smallest open (hereditary)
set U# containing U, given by
(3.16) U* = f}{S P+ : U C S}.
A more useful formula however is
(3.17) U# = \J{\p):PU},
so
(3.18) q U* iff 3p tf(p C g).
We can use # to show that there is no sentence whose "P-validity
is equivalent to the requirement that P have hereditary monads, i.e.
that n(p) e P+ for all p P. Given any model M = (P,C,/i,V),
put M* = (P, C,/i#,V), where /x # (p) = (n(p))#, for all p, so that
M*(P) ^"+- Then the reader may check that M# is indeed a model,
i.e. (3.3) holds for fi*. But for any S 6 P+ we have
M*(p) C 5 iff n(p) C S
in view of (3.16), from which we can show that M#(A) = M(A) for all
AesP.
Thus every frame is semantically equivalent to one with hereditary
monads.
6.3.5 Density
Defining p -i? q iff 3r(p X r -< q), it is evident that
(3.19) M \=p VVA iff p ^ q implies M \=q A.
We shall say that frame P is dense if it satisfies the condition

(3.20) p -< q implies p X 2 q.
P will be pseudo-dense if
(3.21) p -< q implies 3r(p -<2 r C g).
(3.22) "P is pseudo-dense iffP\= VVA -> VA
Proof.. The "only if" part is left to the reader. For its converse, let
5 = {r : p -<!2 r} and take a model on P that has M(n] = S* P+.
By (3.19) it follows that M (=p WTT so that the T7-validity of the
schema VV^4 VA yields .M \=p Vir. Now if p -< q, it must follow
that q e A4(7r), so (3.18) gives an r S with r C <j as required for
pseudo-density. D
Every dense frame is obviously peudo-dense, and the two notions
coincide when all monads are hereditary. A frame on which A > VA
and VV^4 VA are valid will be called a J-frame. These increas-
ing and (pseudo-)dense structures are our basic models for the logic of
Grothendieck topologies.
6.3.6 Limit Points
While "p -< q" is to mean "^ is close to p", we will for the most part
be interested in cases where we do not have p 6 n(p), i.e. p -< p. Thus
whereas the informal classical notion alluded to in relation to (3.1) and
(3.2) amounts to
(3.23) p -< q iff p is a closure point of {q} (i.e. iff all neighbourhoods of
p intersect {q}),
we have in mind something more like
(3.24) p -< q iff p is a limit point of {q} (i.e. every neighbourhood of p
intersects {q} at a point other than p).
If we use (3.24) as a definition of -< on a poset by taking neighbourhoods
in the sense of the order topology P+, then, as [p) is the smallest of all
p-neighbourhoods, we find that
(3.25) MP) = [P) - M-
equivalently
(3.26) p -< q iff p C q (i.e. p C q and p ^ q).
The resulting frame is increasing and has hereditary monads (n(p)& =
p,(p)). It will not always be dense however; for instance density of C
fails when P is finite.
It is noteworthy that on any finite poset with the definition (3.26)
the sentence
(3.27) (VA - A) - VA
is valid, since to falsify it at p requires an infinite ascending chain in [p).
(3.27) is not however valid on (uj, <), where < is the usual numerical
ordering of the natural numbers.
Whenever the condition
(3.28) p\2q implies p -< q
obtains, the sentence
(3.29) VA-*(B\/(B->A))
is valid, and conversely in the presence of hereditary monads. In general,
validity of (3.29) is equivalent to
(3.30) p e g implies 3r(p -< r C q),
i.e. [p) {p} C /i(p)#. To indicate the proof, suppose p C q, so that
p ^ [q), and take a model with A and 5 being distinct letters having
V(A) = p,(p)# and V(B) = (9). Then A4 (= VA but not M \=p B,
so by the validity of (3.29) we obtain M \=p B -> A. Since p C q and
.A/1 |=g B, it follows by (2.5) that M \=q A, hence q /x(p)# as required.
D
Returning now to the question of reflexivity of -<, we observe first
that validity of the schema VA A is equivalent to the frame condition
(3.31) 3 g ( p - < ? E p ) ,
which when MP)* = M(P) is itself equivalent to
(3.32) p -< p.
But when (i(p) is hereditary, p -< p iff [p) C /i(p). Noting that on an
increasing frame (3.31) implies (3.32), we conclude that VA A ("local
truth=truth") is valid just in case /i(p) = [p) for all p, i.e. just in case
(3.33) p-<q iff p C q.
6.3.7 Continuous Lattices
Let T> be a subtopology of the order topology on a poset (P, C). The
following definition is essentially that made by Scott [81] for a particular
T> in his work on continuous lattices:
(3.34) p(p) = [p),
where the interior is taken with respect to T>, so that
(3.35) p^q iff 3S V(q 5 C [p)).
This yields an increasing frame with hereditary monads. A sufficient
(though not necessary) condition for it to be dense, and hence a J-
frame, is that T> have a base of sets of the form [r). For if q [r) C [p)
with [r) D, then p -< r -< q. Such an example is provided by the model
of [82] for Lambda-calculus, where P 2U, C is set inclusion, and T> is
generated by all sets of the form [r) for finite r C w. In this case we
have
(3.36) p -< q iff p is a finite subset of q.
Of course if [r) 6 T> for even/ r, then T> = P+ and the construction
collapses to (3.33).
6.3.8 Cofinality
There is a standard Grothendieck
topology on any topos, namely dou-
ble negation, which is more appro-
priately put into words as "it is co-
finally the case that".
LAWVERE [55]
In general a subset R is said to be cofinal with a subset 5 of a poset

when each element of S has an element of R "above" it, i.e. when
(3.37) q S implies 3r R(q C r).
The treatment of double negation as a modal operator is best considered
in two parts. The link with cofinality comes from
(3.38) M \=p ~~,4 iff M(A) is cofinal with \p).
Proof.
M [=p ~~A iff p C q implies not M \=q ~A
iff p C q implies 3r(q C r and M \=r A)
iff q \p) implies 3r M(A)(q C r).
D
Now we have that the sentence
(3.39) VA -* A
is valid precisely on those frames satisfying
(3.40) n(p)# is cofinal with \p), for all p P.
Proof. To establish sufficiency of (3.40) suppose that M \=p VA, and
so fj,(p) C M(A). As /u(p)# is the smallest hereditary superset of A*(p),
this implies that /i(p)# C M(A). But then if n(p)# is cofinal with [p),
so too will be M(A), so by (3.38) we get M \=p ~~.A. Conversely,
putting V(A) - n(p)#, so that M \=p VA, the validity of (3.39) gives
M \=p ~~yl, and from this follows (3.40) by (3.38). D
The converse sentence
(3.41) A - + V A
is valid precisely on those frames that are both increasing and satisfy
(3.42) p -< q C r implies q = r,
i.e. the members of n(p) are ^.-maximal. That these conditions imply
validity of (3.41) is left to the reader to verify. For the other direction,
noting that the schema A > ~~yl is valid on all posets, we have that
validity of (3.41) implies that of A > VA, so the frame must be increas-
ing by (3.15). Also the schema ~~(A V ~A) is poset-valid, and so with
(3.41) yields validity of
(3.43) V(AV~A).
But this last sentence is precisely equivalent to (3.42). Once more we
shall only prove one direction: Take p -< q and let M(A) = [q) - {q}
P+. If (3.43) is P-valid then M \=p V(A V ~A), hence M (=, A V ~A.
But not M \=q A, so we must have M \=g ~A and thus ((2.12) and
(2.14)) [q) n M(A) = 0. But M(A) = [q) - {q} C [q), so this is only
possible if [q) {q} = 0, i.e. [q) = {q} as required.
Confining our attention now to frames with /x(p)# = [i(p), we see that if
p,(p) is cofinal with \p), all C-maximal members of \p) must be in ^(p).
Then any such frame that validates
(3.44) VA = ~~A
must by (3.42) satisfy
(3.45) p -< q iff q is a C-maximal member of (p).
However this condition is not always sufficient for (3.44). It is satisfied
vacuously by the frame (LJ, <, n) where /i(p) = 0 for all p, since there are
no <-maximal elements. But in any model on this frame V-L is true and
~~_L is false at all points (alternatively observe that (3.40) fails). On the
other hand, on a finite poset every element has a C-maximal successor,
and indeed the finite frames on which (3.44) is valid are precisely those
satisfying (3.45).
In Sections 6.6 and 6.8 we shall see how the various schemata we
have been discussing can be used to axiomatically generate the logics
determined by the structures that satisfy the frame conditions that cor-
respond to those schemata.
6.4 Neighbourhood Spaces and Congruences

In addition to the notion of a sentence or property obtaining locally at
a point, there is the idea of something holding locally of an object
typically a set or a space or a function. In general this refers to the
existence of an open cover with the property in question holding of each

member of the cover. Thus a topological space is said to be locally con-
nected if each of its open sets has an open cover of connected sets, while
a function is locally constant on its domain if that domain is covered by
open sets on each of which the (restricted) function is actually constant.
Suppose then that our poset (P, C) is the collection of open sets of
some topology, with p C q iff q C p. Let 7 be the function assigning to
each p 6 P the collection 7P C 2P of open covers of p, where 5 C P is a
cover of p iff p C \JS (i.e. \JS C. p). We use 7 to interpret the connective
V in the light of the above examples by putting
(4.1) M \=p VA iff 35 e 7P(S C M(A)).
Since jp will be closed under supersets, (4.1) is equivalent to
(4.2) M HP V4 iff M(A) 6 7P-
Alternatively, thinking of P simply as a point-set, with 7P a system
of "neighbourhoods" of p, then (4.1) and/or (4.2) formalise the "true
throughout some neighbourhood" approach to local truth embodied in
(3.2). Clause (4.2) is the basis of the neighbourhood semantics used in
classical modal logic. It is more general than the relational semantics
of (3.6). Since all sentences are being interpreted as hereditary sets,
we shall confine our attention to neighbourhoods in P+ (although the
theory can be carried through without this requirement).
6.4.1 Spaces
A neighbourhood space is a structure S (P, C,7), where 7 assigns to
each p P & collection jp C S+ (S+ being the C-hereditary sets) such
that
(4.3) p C q implies 7P C 7,.
The notion of a model M = (S, V) is evident, and truth in M is de-
fined as before for the non-modal connectives, with (4.2) being used to
interpret V. Putting
(4.4) J 7 (5) = {p : S 6 7p}
we have from (4.3) that j'7(5) is hereditary. Clause (4.2) can be re-
expressed as
(4.5) M(VA)=Ji(M(A))
and by induction we establish that, once again, M(A) 6 S+ for all
A 9.
Some of the sentences and rules of Section 6.3 that are frame-valid
can be falsified on certain spaces and their validity requires certain con-
straints on 7p. The sentence (3.9), i.e. VA A VB -> V(A A B), corre-
spends to the requirement that 7P be closed under finite intersections,

i.e.
(4.6) (R 7P and 5 7P) implies R H 5 7P,
while the validity of the rule
(3.12) if A -> B is valid then so is VA - VB
on S requires 7P to be closed under supersets in S+, i.e.
(4.7) (B 6 7P and R C 5 5+) implies 5 6 7P.
If 7P is non-empty and satisfies (4.6) and (4.7) then it is a filter. The
conjunction of (4.6) and (4.7) is equivalent to
(4.8) (R 7P and S 7P) iff RnS 7P.
S will be called a filter-space if each 7P is a filter.
The <S-validity of A > VA corresponds to the neighborhood condi-
tion
(4.9) [p) C S implies S 7P, for all S S+.
Proof. Assume (4.9) and suppose M |=p A. Then p M(A) S+,
so [p) C M(A). (4.9) then gives X(>1) 6 7P, whence M |=p VA.
Conversely, choose an M with M(A) = 5. If \p) C 5, then .M \=p A, so
<S |= A > V>1 yields .M |=p VA and then A1(A) = 5 7P as required.
D
Note that (4.9) implies
(4.10) \p) e 7p,
and that the converse is true when 7P is closed under <S+-supersets (4.7).
The space-condition for the density sentence WA > VA is
(4.11) J7(5) 7P implies 5 7P, for all S S+,
as the reader may verify using (4.5).
We shall say that 7 is a J-system, and S is a J-space, if each 7P is a
filter and A -> VA and VVA -> VA are 5-valid (i.e. (4.10) and (4.11)
hold).
6.4.2 Spaces From Frames
Let P - (P, C,/x) be a frame. Define 5^ = (P, ,7^), where
(4.12) 7 - {S P+ : n(p) C 5}.
Then the frame condition (3.3) implies that 7M satisfies (4.3), so S^ is
indeed a space. If M (P, V) is a model, put M1* = (<SM, V) to obtain
a bijection between P-based and <SM-based models. Since n(p) C 5 iff
S E 7 p , a straightforward induction shows for all A 9 that
(4.13) M t=p A i f f M * \=PA.

Hence it follows that
(4.14) P \= A iff S* \= A.
It is clear from (4.12) that S1* is always a filter-space.
(4.15) If P is a J -frame, then 5^ is a J '-space.
Proof. Let P be increasing and pseudo-dense. Then n(p) C \p), so by
(4.12), [p) e 7, giving (4.10). To derive (4.11), suppose j^(S) 7$,
i.e. fj,(p) C j'7n(5). We have to show that S 7^. But if q fi(p), by
pseudo-density there exist r, t with p -< r X i C 5. Then r 6 /z(p) and
so r j~/i>(S), i.e. /j(r) C 5. Then as e /x(r) we get t G 51, and finally
<? S since S P+. Thus we have fj,(p) C S as required. D
(4.14) and (4.15) together imply
(4.16) a sentence valid on all jT-spaces is valid on all J- frames.
In the converse direction, given S = (P, ,7), put P~< = (P, C,/i 7 ),
where
(4.17) f(p) = H7P.
This time (4.3) implies (3.3), making P'1 a frame. Applying this con-
struction to 7^ (4.12) just gives p,(p) back again. However applying the
construction (4.12) to /x7 may not recover 7 the new neighbourhood
system will always be made up of filters, even if S is not. But taking S
as a filter-space still does not make it equivalent to PJ . For example,
let S = (w, ,7), where for all p w,
7P = {[n) : n u}.
Since every non-empty iS-hereditary set is of the form [n) (i.e. S+ =
7P U {0}), 7P is a filter in 5+. But ^(p) = 0 for all p, so P"> (= VI.
However since A4(J_) = 0 ^ 7P, VJ. is not true at any point of any
model on S.
The converse to (4.16) will follow from the completeness theorems of
Section 6.6.
6.4.3 Grothendieck Topology
Let V be the collection of open sets of a topological space X, and T>(X) =
(V, D) the partial-ordering inverse to the set inclusion relation. The
Grothendieck topology associated with the category of sheaves over X is
given by the function assigning to each X>(X)-hereditary set 5 the set
(4.18) jv(S) = { p - D : p
of opens that 5 covers. This notion can be lifted to any complete Heyt-
ing algebra (CHA). A CHA is by definition an HA Ti in which every
subset S has a least upper-bound (join) |J 5. CHAs satisfy the infinite
distributive law
(4.19) (U S} n (U R) = LU sdWr n *)).
Now if U is a CHA with lattice ordering C, let H0 = (H, <) be the
inverse ordering to C, i.e. p < q iff q C p. Then for 5 e WQ", put
(4.20) jff(S) = {p e ff : p E |JS} = [LJS) in H+.
(4.21) IfS,Re H^ have pt\_\S and p^L\R, then p C |J(.R n 5).
Proof. Let <j denote the term on the right hand side of equation (4.19).
For each s 5 and r e R we have s < s n r and r < s fl r. But S
and .R are <-hereditary, and so 5 n r e Rr\ S, from which it follows
that s n r C \_\(R n ) Hence we may show that 9 E l\(R n S)- But
the hypothesis of (4.21) yields p C (|J 5) n (|J R) = q. (The proof of
(4.21) for T)(X) can be done by elementary set theory, without explicit
recourse to (4.19).) D
Now let us define a neighbourhood structure on H by putting
(4.22) rf = {SeH+:pC(JS}.
That p < q implies 7^ C 7^ is obvious, and so SH = (H, <,7 H ) is a
space, in which
(4.23) J7*(S) = J H ( S ) , for all S e H+ .
It is readily seen that 7^ is closed under supersets, and the import
of (4.21) is that it is closed under finite intersections. Thus SH is a
filter-space. Moreover, since \p) = {q : q C p} we have
(4.24)
which ensures that \p) 7^. Finally, if J 7 (S) 6 7^ then
P E \J{q : q E !_]?} = LHLJS) = U^ (4.24),
and so S e 7^.
Altogether then, 5H satisfies (4.10) and (4.11) and so is a ./-space.
If we construct its associated frame (4.17) by putting n(p) = f|7^> tne
definition of -< becomes
(4.25) p -< q iff VS 6 H$(p E |J S implies q e S).
Associated with ^ is the operation jM(5) = {p : /i(p) C 5}. It can be
shown that j^ is identical with the function jjj , i.e.
(4.26) n(p) C S iff p C U51 for all p 6 P and 5 S Wj,
precisely when W satisfies
(4.27) p = \
In the case of T>(X) we have p X q as in (4.25) when q belongs to every
hereditary open cover (decomposition) of p. Intuitively this makes q an
irreducible (indecomposable) open subset of p. In the discrete topology
~D(X) = 2X it means that q is a singleton subset of p. In the event that
V is an order topology, it means that q is a set of the form [x) for some
x p.
The condition (4.27) means that p is covered by its irreducible open
subsets. It is satisfied by all P|-closed topologies: given x 6 p, choose
from each hereditary cover of p a neighbourhood qx of x. Then the
intersection of all these qx 's is both an open set around x and an irre-
ducible subset of p. (4.27) also holds of the topology on 2" described
in Subsection 6.3.7, where each open set is a union of sets of the form
{q : r C q} for finite r C uj. The latter have the irreducibility property
we have been describing.
6.4.4 Cofinality
Let P = (P, C) be any poset. Then,
(4.28) the set 7^ = {S P+ : S is cofinal with \p)} is a filter on P+ .
Proof. 7 ^ 0, since it contains P, and it is easy to see that cofinality
is preserved under supersets. Next, take 5 and R in 7^. Then if q 6 [p)
there is some r e 5 with q C r. But then r e [p), so there is some t R
with r C t. Then qC.rC.teSr\R, and so we have shown 5 n R to be
cofinal with [p), giving the closure of 7^ under finite intersections. D
By (4.28) it follows that Sc = (P, C,7 C ) is a filter-space (why is (4.3)
satisfied?). Since [p) is cofinal with itself, it belongs to 7^. Moreover if
J 7 c(5) e 7 and p C. q there is some r in jfc(S) with q C r. But then 5
is cofinal with [r), so for some t 5 we have q C. r C t. This establishes
cofinality of 5 with [p), i.e. S 7^.
Altogether then we find that Sc is a J^-space. It is left to the reader
to verify that
(4.29) 5C (= V4 = ~~A
6.4.5 Topological Neighbourhood Systems
In a topological space (X, >) a set Y is a neighbourhood of p when there
is an open S T> with p 5 C Y. Open sets are characterised as
those that are neighbourhoods of all of their points. The axioms for the
system 7 of topological neighbourhoods are
(4.30) 7P is a filter,
(4.31) VF e 7P 35 7p[(tf S implies 5 6 7,) and S C Y],
(4.32) p E
(The set j^(Y) = {p : Y 6 7P} is then the interior Y of Y with respect
to>.)
Now the system 7^ on a jT-frame satisfies (4.30) and (4.31) for
(4.31) take S = //(p)*'. However while it is true that p e 5 6 S+
implies 5 e 7P, we do not require that J"-spaces satisfy (4.32) (which is
equivalent to the validity of VA > ,4). Thus it may be that p $ S e 7P
for some 5. In this case we may think of 5 as a punctured neighbourhood
of p, i.e. a set of the form R - {p}, where R is a neighbourhood of p.
These sets are sometimes used to define limit points: p is a limit point
of Y iff every punctured neighbourhood of p meets Y (cf. also Section
6.5).
Notice that in a J"-space satisfying (4.32) we have j'7(S) = S for all
5 e P+. Now classical logic is modelled by posets with the discrete
ordering (i.e. p C. q iff p ~ q), in which P+ 2 P . Thus on a discrete
poset (set) the only classically topological neighbourhood system that is
also a ./-system is the one inducing the discrete topology.
6.4.6 Topological Congruences

On a space S we can define a weak equality relation between hereditary
sets: two sets are locally equal if they are neighbourhoods of the same
points. Formally we define
(4.33) 5 ~7 R iff Vp 6 P(S <yp itt R e 7P)-
Then ~7 is an equivalence relation on S+ . If S is a J"-space, then
S C j7(5) (by (4.9), i.e. validity of A -> VA). Together with (4.11) and
the closure of 7P under supersets this gives 5 7P iff J 7 (S) e 7P, i.e.
(4.34) 5 ~7 J7(5).
The relation ~7 completely determines the neighbourhood system 7. To
see this, we first prove
(4.35) S ~7 R implies R C J 7 (5).
Proof. If p e R then R 6 7P. But then if 5 ~7 .R, S e 7P and so
p e J7(S). D
(4.34) and (4.35) together imply that J7(5) is the largest (union) of all
sets that are ~7-equivalent to S, i.e.
(4.36) ;7(5) = \J{R:S ~7 R}.
Recalling the definition of j7(5), this can be re-expressed as
(4.37) 5 7P iff 3fl(p fl ~7 5),
which characterises the p-neighbourhoods in terms of ~7. It also shows

how to define neighbourhoods in terms of a relation ~ between hered-
itary sets. It transpires that the properties required of such a relation
in order to produce a ^-system are that it be an equivalence relation
on S+ that is stable under the characteristically topological operations
of forming finite intersections and arbitrary unions, i.e.
(4.38) (5 ~ R and 5' ~ R') implies 5 n 5" ~ R n R',
and
(4.39) (Si ~ Ri for all i e /) implies \JilSi ~ Ui /^-
We shall call such an equivalence relation a topological congruence.
(4.40) ~7 is a topological congruence.
Proof. The derivation of the property (4.38) for ~7 is straightforward,
and follows from the filter characterisation (4.8). For the property (4.39),
suppose Si 7 Ri for all i 6 /. First we observe that (JSj C j f ( \ J R i ) .
For, if p (JSi then p Si0 for some ZQ /. But then Si0 7P,
and since Sj0 ^7 Ri0 this gives Rio e jp. But 7P is closed under S+-
supersets (4.7), so it follows that \jRi ~fp, i.e. p e jf(\J Ri) as required.
Now from \JSi C j 7 (Uî) and (4-7) we have that \JSi 7P implies
j7(U^?i) 7P and so (4.11) IjRi 7P. Interchanging the ^ and Sj in
this whole argument proves conversely that |J Rl 6 7P only if \J Si 7P.
Now let (P, C) be any poset and ~ be a topological congruence on

its class of hereditary sets. Define
(4.41) 5 7P- iff 3R(P eR^S).
If p 6 R ~ 5 and p C g, then g -R ~ 5, as R is C-hereditary, making
5 6 7^. Thus (4.3) holds, and S~ = (P, ^,7-) is a neighbourhood
space in which, by (4.41) and the definition (4.4) of j7 we see that
(4.42) j^(S) = (J{R:R~S}.
But by property (4.39) of topological congruences (with Si = S for all
i) this implies that
(4.43) S~^(S).
Now if p 6 R ~ S and p & R' ~ 5', then p R n R' ~ S n 5'. Also if
pR~Sa,ndSCS' 6 S+ , then p 6 fluS' ~ SuS' = 5'. Thus 7- is
closed under finite intersections and supersets, i.e. S~ is a filter-space.
Also p \p) ~ [p), putting [p) in 7^. Moreover, if j-,~(S) 7^ then
for some R 6 S+ , p e .R ~ J 7 =(5). Then (4.43) gives p e ^ ~ 5, i.e.
5 e 7^. Altogether we have proved
(4.44) S~ is a J-space. D
(4.45) R~Siff j^(R)=j^(S).

Proof. Suppose R ~ S. Then for any R' S we have by symmetry
and transitivity of ~ that R1 ~ R iff R1 ~ 5. Hence p 6 fl' ^ R iff
p R' ~S. This yields (4.42) p e J 7 =(^) iff P J 7 =(5). Conversely, if
j> (fl) = j> (5) then by (4.43), .R ~ j> (#) = J7* (5) ~ S. D
The upshot of (4.45) is that applying definition (4.33) to the sys-
tem 7- just gives back the relation ~. But (4.37) guarantees that the
neighbourhood system constructed from ~7 by (4.41) is just 7 again.
Hence
(4.46) The constructions 7 H-> ~7 and ~ i-> 7- <?we a bijection be-
tween J-neighbourhood systems and topological congruences on
any poset.
Examples of topological congruences abound. When ~ is the diag-
onal congruence, with R ~ 5 iff R 5, then 7P is simply the class
of hereditary sets that contain p, i.e. the neighbourhood system for the
order topology P+. In the Grothendieck topology construction of Sub-
section 6.4.3, 5 ~ R means that 5 and R cover the same open sets. In
the double-negation context (6.4.4) it means that 5 and R are mutually
cofinal, i.e. each is cofinal in the other. In the space <SM constructed from
a frame P = (P, C, //,) it means that S and R contain the same monads.
In particular, on the frame based on 2W described in 6.3.7 it means that
5 and R have the same finite members.
On any poset (P, C), if Y is any subset of P the conditions
(4.47) Y U R = Y U 5,
(4.48) Y n R = Y n S,
(4.49) R\=>Y = SfrY
(Y taken in the sense of the order topology) each define a topological
congruence on P+. We shall return to these examples in the next section.
6.5 Local Algebras

The appropriate algebraic modelling for the language & in our present
context is provided by structures = (W,j), where H is a Heyting
algebra with operator j : H > H, allowing interpretation of ^-sentences
by clauses (2.15)-(2.18) plus
(5.1) V(VA)=j(V(A)).
Then the notion of ^-validity, |= A, is denned for all modal sentences

as for W-validity.
Any frame P = (P, C,/i) gives rise to the structure ^ = (P+,j,j.).
In view of (3.7) we find that
(5.2) P\=A iff ^ |= A, for all Ae<P.
Similarly from a space S = (P, C, 7) we obtain the algebra 7 = (<f> + , j7)
(cf. (4.4)) and find from (4.5) that
(5.3) S\=A iff T |= A
= (Tt, j) will be called a local algebra when j is a local operator on
H. This means that j is
(5.4) inflationary: x C j(:c), for all x H;
(5.5) idempotent: j(j(x)) = j ( x ) , for all x H;
(5.6) multiplicative: j(x r\y) = j ( x ) n^(y), for all x,y H.
Clearly for inflationary j to be idempotent it suffices that it satisfy
(5.7) j ( j ( x ) ) C j(z).
The operator jM is always multiplicative, since n(p) C S n./? iff both
MP) Q $ and M(P) C /?. If A \M is P-valid then j^, is inflationary,
and if P (= VVA > V^4 then jM satisfies (5.7). Indeed we have
(5.8) M is a local algebra iff P is a J"-frame,
from which by (5.2) it follows that
(5.9 ) if A is valid on all local algebras, then A is valid on all J"-frames.
On a neighbourhood space 5, multiplicativity of j'7 corresponds to
the filter property (4.8). In the presence of (4.8), the 7P's are all non-
empty (and hence are filters) just in case
(5.10) P 7P, for all p,
which is equivalent to
(5.11)
i.e.
(5.12)
(5.12) is implied by the inflationary condition (S \= A -> VA). We
have
(5.13) 7 is a local algebra iff .S is a J-spa.ee,
and hence
(5.14) a sentence valid on all local algebras is valid on all ./-spaces.
Using the fact that x C y iff x l~l y = x, it is not hard to see that any
multiplicative operator is monotone, i.e. satisfies
(5.15) x C y only if j ( x ) C j(j/).
This property is useful in developing an even finer analysis of the rela-
tionships between the various structures we have been considering.
(5.16) There is a bijective correspondence between local operators and
topological congruences on P+ , for any poset P.
Proof. Given a congruence ~, the neighbourhood system 7- of (4.41)
yields a J'-space S- (4.44) whose associated operator
(4.42) j^(S) = \J{R:R~S]
is local by (5.13). Conversely, given a local operator j : P+ > P+, then
motivated by (4.45) we define
(5.17) R~jSiSj(R) = j ( S ) .
~j is obviously an equivalence relation. Multiplicativity of j makes it
stable under finite intersections. For unions, suppose Ri ^j Si, alH I.
Then using the inflationary property and (5.15) we have that for each
io e /, Rio C j(Rlo) = j(Sio) C j(\jSi). Hence we have (JR, C
j(\JSi). But then by (5.15) and (5.5) we get j(U ft) j(j(U)) =
j(\JSi). Interchanging the Ri and the Si yields j(\JSi) C j((JRi), and
so \JRi ^j \JSi as required. Thus ~j is a topological congruence.
(5.18) S -,- j ( S ) .
Proof, j is idempotent. D
(5.19) j ( S ) = (J{R:R ~, S}.
Proof. By (5.18), j ( S ) {R : R ~j S}, so j ( S ) C \J{R : R ~, 5}.
Conversely, if R ~^ 5 then R C j ( R ) - j ( S ) . D
In view of (4.45), (4.42), (5.19), the constructions ~ i-> j7^ and
j H-> ~j are mutually inverse, and this establishes (5.16). D
The laws (5.4)-(5.6) defining local operators were isolated by LAW-
VERE and TIERNEY in developing an abstract characterisation of the
notion of a "sheaf over a site" (cf. [55], [56], or [26, Chapter 14]). These
laws combine some of the properties of interior and closure operators
on standard topological spaces, and lead to a modal logic that differs
considerably from those that have been held significant in the context of
classical logic. In particular the schema A * VA is certainly not valid
when V is given any of the philosophical interpretations listed in the first
paragraph of this paper (cf. the next section for more information about
the behaviour of this schema over classical logic). But the naturalness
of the combination "inflationary, idempotent, and multiplicative" in the

present situation is evinced by the notion of a topological congruence. A
local operator is to be found precisely in the presence of such a relation
of equivalence (indistinguishability modulo certain properties), with the
role of that operator being (5.19) to assign to each open set the largest
open set that is equivalent to it.
The notion of topological congruence can be lifted to that of an
equivalence relation on a complete lattice that is stable under finite meets
fl and arbitrary joins [J. We shall call such relations |J- congruences. On
a CHA Ti. they are in bijective correspondence with the local operators
via the definitions
(5.20) x ~j y iff j ( x ) = j ( y ) , j ~ ( x ) = \_\{y = x ^ y}.
Given a particular p E H, then the conditions pU x = p U y , pn x =
p n y, and x => p = y => p each define a |J-congruence on Ji. The
corresponding local operators are, respectively,
(5.21) j(x)=pUx (= j(O)Ui),
(5.22) j(x)=p=*x,
(5.23) j ( x ) = (x => p) => p.
These three equations define local operators on any HA. In the case of
Boolean algebras it can be shown that the equation
(5.24) j ( x ) = j ( 0 ) U x
holds of any local operator [63, Chapter 2], so j must be of the type
(5.21).
The theory of local operators is set out in detail by MACNAB [63].
[J-congruences on CHAs were studied by DOWKER and PAPERT [10] and
shown to correspond to local operators in [63].
Punctured Neighbourhoods
We end this section with a re-examination of the idea of punctured neigh-
bourhood mentioned in Subsection 6.4.5.
Let (X, V) be a topological space and
(5.25) 7P = {Y C X : 3S <E T>(p S C Y)}
its associated (topological) neighbourhood system. We form a new sys-
tem by adding to 7P all the punctured neighbourhoods of p, to form
(5.26) Sp = 7p U {Z C X : 1Y e 1P(Z = Y - {p})}.
Then in fact
(5.27) 6P = {Z : 35 6 D(p 6 S and 5 - {p} C Z ) }
as may be seen from (5.25) and (5.26). For each open RT>, put
(5.28) js(R) = {p:R6p}
as usual. Then
(5.29) js(R) E -D, i.e. jg:T>^ V.
Proof. Let p e jg(R). We show that p is ^-interior to js(R). By (5.27)
there exists 5 e T> with p S and 5 - {p} C R. Then if q e S, either
(i) <? = P,and so q js(R), or (ii) q ^ p, and so q 6 5 - {p} C R, giving
R 8g (since R ~D), and again <j> 6 Js(R)- Thus we have p 5 C jg(R)
and S D, i.e. p lies in a >-open subset of js (R) as required. D
(5.30) js is inflationary.
Proof. If R e T> and p 6 7?, then fl - {p} C .R, so .R e <5P, hence
pjs(R).Th\nRCjs(R). D
(5.31) js(R) C 5 U (-5 U R) for all R, 5 D.
Proof. Let p e j g ( R ) , so that S" - {p} C R, for some 5' with p e 5' X>.
Then for any 5 P, if p < S, {p} C -S, so 5' = {p} U (5' - {p}) C
-5 U .R. But as p 6 S', this implies p (-5 U R) as required. D
The operator jg is not in all cases idempotent. To see this, observe
that if V = P+ is an order topology then the definition of 6 reduces to
(5.32) Sp = {Z : [p) - {p} C Z}.
Then on the order topology of (w, <) we see that jg([n + 1)) = [n), so
that, for example, js(js([2))) - js([2)) = {0} + 0. We shall see later (at
the end of Section 6.6) that in a sense the properties (5.30) and (5.31)
characterise all algebras of the type (T>,jg). Notice that 6P is a filter,
and so jg is always multiplicative.
6.6 Axiomatics and Completeness

In discussing syntax of & we shall follow (and assume) the account of
SEGERBERG [84], although with some variations in notation and termi-
nology.
A logic is a set L C \P that is closed under Detachment (Modus
Ponens), i.e. it satisfies
(6.1) (A L and A -> B L) implies B & L.
Often we write h/, A (A is an L-theorem) in place of A L. We denote
by I the logic known as Hey ting's intuitionistic logic, defined in [84,
p. 37].
An extension of / will be called a normal logic if it contains all

instances of the schema
(3.8) V(A -> B) -(VA - V5)
and is closed under the rule of Localisation:
(6.2) hi A implies h L VA,
IK denotes the smallest (intersection) of all normal logics. Its the-
orems are those sentences that are derivable in a finite number of steps
from /-axioms and/or (3.8) by the rules of Detachment and Localisation.
A class C of structures (frames, spaces, algebras ...) is said to deter-
mine a logic L if for all A 6 &,
(6.3) \-L A iff VS C(B \= A).
The "only if" part of (6.3) is expressed by saying that L is sound for C,
its converse by L being complete for C. We shall see that
(6.4) IK is determined by the class of all frames, as well as by the class
of all filter-spaces.
The smallest logic that extends IK and contains all instances of the
schemata
(6.5) A -> VA,
(6.6) VVA -> VA
will be called (as the reader has no doubt guessed) J. Notice that the
Localisation rule is implied in J by (6.5) and so J is a normal logic.
We shall prove
(6.7) J is determined by each of (i) the class of J-frames, (ii) the class
of J-spaces, and (iii) the class of local algebras.
In each of the results of (6.4) and (6.7) the "soundness" part is
straight-forward. It is simply a matter of checking that the relevant
axioms are valid on the structures referred to and that the relevant rules
preserve this property. Those cases not already discussed will for the
most part be left to the reader.
Most of the axioms we use are of a "positive" (negationless) charac-
ter, and much of the basic theory to follow is a replication of that for
classical modal logic.
An alternative axiomatisation for IK is obtained by adding to / the
schemata
(3.9) VAAVB-t- V(Af\B),
(6.8) VT,
together with the rule
(6.9) H L A -> B implies \-L VA -> VB.

Taken together, these correspond syntactically to the semantic condition
that 7 be filter-system. Details are left to the reader.
There are other ways to axiomatise J . Perhaps the simplest is to
add just the axioms (6.6), (6.8), and
(6.10) (A ->)-> (VA - VB)
to /. (6.10) is easily derived from (3.8) and (6.5). To show that this new
basis derives the one originally given for J we have to obtain (3.8) and
(6.5) from it. But since
h, A - (T - A),
from (6.10) we get
A -> (VT -> VA)
which is interderivable over I with
VT - (A -+ VA).
Prom this we detach (6.8) to get (6.5). Next, from (6.10) we derive in /
But as an instance of (6.10) we have

((A -> B) - VB) -> (V(A - 5) - VVS).
Applying Detachment to these last two, and then using (6.6), we derive
VA -> (V(A -> 5) - VB),
from which (3.8) follows.
It is interesting to note that in classical normal logics, i.e. those
having \~L A V ~A, the sentence VVA -> VA is derivable from the rest
of the basis for J '. On a classical (discrete) frame, where \p) = {p},
the "increasing" condition becomes n(p) C {p}, i.e. /x(p) is either {p}
or 0. Indeed the logic that extends IK by A V ~A and A > VA can
be shown to be determined by the two-element discrete frame having
P = 2 = {0, 1}, jx(O) = {0}, and /x(l) = 0. On this frame VVA -> VA
is valid. To see that it is not valid on all increasing frames, and hence not
derivable from A > VA over IK itself, we take the example P = (2, C,
At), where 0 C 1 but not I C O , /t(0) = {1} and At(l) = 0- This frame is
not pseudo-dense. The situation syntactically is that since
\-j ^VA - (VA - A),
in the presence of (6.5) we derive
~VA -> V(VA -> A),
hence by (3.8)
~VA -> (VVA - VA),

and so
VVA - (~VA -> VA).
But in classical logic (not in /) we have the theorem
(~VA - VA) -* VA
which would allow us then to derive (6.6). (The syntactic derivations of
this section were developed with the help of K. E. PLEDGER.)
If E C 9 and A #, then [84, p. 28] A is L-derivable from S, written

S hi A, if, and only if,
h L B! -> (B2 - ( . . . - > (Bn - A ) . . . )
holds for some n > 0 and some BI, ..,, Bn 6 S. Allowing n = 0 includes
the possibility that \~L A (i.e. 0 \~L A). A set p C <P is L-full if it contains
L, is closed under detachment, is L-consistent (i.e. not p \-L A, for some
A), and prime (i.e. A V 5 p only if A 6 p or B p). We put
(6.11) PL = {p C !? : p is L-full},
(6.12) |A|L = { p P L : A e p } ,
(6.13) |EU - {P Pi : C p} = n{|A|L : A S}.
In order to obtain our completeness theorem we need a generalisation
of the usual statement of LINDENBAUM'S Lemma, which itself employs
a generalised notion of derivability. If P C 9 we put S \-L F iff
(6.14) S h t A! V - - - V A m
holds for some AI, . . . , Am 6 T, with m > 1 (so that E h A as above
is the same as S h/, {A}). Then we have
(6.15) (LINDENBAUM'S Lemma) S h L T /f |S|L C U(|A|t : A e T}.
Proof. (We make free use of L-full-set properties as developed in [84].) If
S HL T, so that (6.14) holds for some Al,...,Am T, then if p e |S|i,
E C p, so that p h/, A i V - - - V A m , hence as p is full, A i V - -vA m e p. But
as p is prime this implies that for some i < m, p e |Aj|i C IJAerl^l^-
Conversely, suppose that not S hj, T, and let BO, . . . , B j , . . . be an
enumeration of ?. Put po = S,
= f p, U {B,} if not p, U {,} h L T
+1
\ Pj otherwise,
and p = U <wPj. By a straightforward adaptation of the proof of Lemma
2.2 of [84] it is shown that p e PL. Since S = p0 C p, p e |S|i. Moreover
if A e r then A 0 p, or else p l- A, hence PJ \~L A and so PJ h^ T for
some j. Thus p ^ U i l ^ U : A e T } . D
We now confine our attention to normal logics L. The canonical

L-frame is the structure
PL = (Pi, EL, XL),
where p C/, q iff P Q q (set inclusion) and p ^L qifi. {A: VA p} C q.
The condition (3.4) p C q XL r only if p XL F is obvious, so PL is
indeed a frame. Note that it has hereditary monads, where, putting
Vp = {A : VA 6 p}, the monad of p PL is
(6.16) nL(p) = {<?: Vp C 9} = |V P |L.
(6.17) Vp hi BiffVB p.
Proof. (As for classical logic, cf. [59].) If VB p, then B V p , hence
Vp h/, S. Conversely, suppose that
(6.18) \-LAl^(...-*(An^B)...)
for some n > 0, with Ai V p , for all z < n. If in fact HL B, then
\~L T 5. But T G Vp (as \~L VT), so we may always presume n > 1.
By Localisation (6.2), and then n applications of (3.8), (6.18) yields
(6.19) h L VAi - ( . . . - + (VA n -> V)...).
But Ai Vp, for i < n, hence VA, G p. By closure of p under Detach-
ment we get VB e p as required. D
The canonical L-model based on PL is ML = (PL,VL), where
VL(TT) = |TT| L = {p PL TT p}, for all TT <E >P0.
(6.20) For aH AV,ML\=PAiffAEp, i.e. ML(A) = \A\L.
Proof. By induction, as in Lemma 2.3 of [84]. We treat only the case
A = VB, under the inductive hypothesis that ML(B) = \B\L- We have
ML f=p VB iff nL(p) C ML(B] (3.5)
iff |Vp|i C \B\L (6.16), hypothesis
iff Vp h L B (6.15)
iff VBp (6.17).
n
As a corollary we get:
(6.21) PL \= A only if \-L A.
Proof. If PL |= A, then M L (^) = PL, i.e. |A|L = \P\i = |0U, and so
(6.15) 0 h L 4 as required. D
This corollary is the key to many completeness theorems. For, to
show that any C-valid sentence is an //-theorem, for some class C of
frames, we now know it suffices to show that PL C. Taking C as the
class of all frames, we have PJK C, giving the completeness theorem

for frames of (6.4) (for the filter-space version, observe that S^L (cf.
Subsection 6.4.2) is a filter-space and use (4.14)).
(6.22) Pj is a J-frame.
Proof. Let p -<j q, and take A p. Since \-j A > VA, A VA p.
By Detachment then, VA e p, and so A g. Thus p C g, and Pj^ is
increasing. Next we show that 'Pj- is dense. Suppose p ~(j q and let
r = {VB : B #q}. Then if V p Hj- T we have
(6.23) V p \-j VBi V V V5m
for some m, with VB{ F for all 1 V(4 V 5)
(since it is valid on all framesa syntactic proof is easy). Applying
(3.10) to (6.23) we get
(6.24) V p r - j V ^ i V ' - V S ) ,
and so by (6.17),
(6.25) VV(J3i V V Bm) 6 p.
The schema VVJ5 > VB may now be invoked to get
(6.26) V(Bj V V Bm) p.
But p -<j q, so (.Bi V V Bm) G <? and hence Bi e 9 for some z < m.
But this contradicts the fact that VBi -T-
The upshot of this argument is that it cannot be that V p \-j F, and
so by LINDENBAUM'S Lemma (6.15) there is some r 6 |VP| j, i.e. p -<j r,
that has r n T = 0. Then if V5 e r, VB ^ T, and so B e q. Hence
r ^ . D
The proof of (6.22) actually establishes something a little stronger,
viz.
(6.27) for any normal logic L, if \~L A > VA then PL is increasing,
while if \-L VV^4 > V^4 then PL is dense.
To establish the full content of (6.7) we begin with the readily established
soundness result that j7-theorems are valid on all local algebras. But
local algebra validity implies j7"-space validity (5.14), while the latter
implies frame validity (4.16). But by (6.22) and (6.21), J-frame validity
in turn implies theoremhood in J, and so all four notions coincide.
Notice that we have in fact constructed a "universal" determining
model of each type for J, since for all A !P we have
(6.28) \-j A iff Pj\=A iff Pj\=A iff S (= A.

We turn now to completeness theorems for logics generated by some
of the other schemata discussed in Section 6.3.
(6.29) // \-L VA -> ~~j4, then in PL, nL(p) is cofinal with \p) (cf.
(3.40)).
Proof. Suppose q \p), i.e. p C q. If V p U q h/,, then there exist
Bi,...,Bn q with V p \-L BI -* (Bi - > ( - (#n -)...). But
then V p h L 5 -U_, i.e. V p h L ~B, where B = BI A ... A Bn g- (if
V p ^L-L, we may take B T <?). Now applying result (6.17) we have
V~B 6 p. But hi V~B -> ~~~5, while h/ ~5 -> ~B, and so we
deduce that ~5 G p C qr. However B q, and so this contradicts the
L-consistency of 9. Thus it is not the case that V p U q h_L, so (6.15)
there exists r & PL with V p U q C r, so that # C L r and r ML(P) as
required. D
(6.30) //hi ~~^4 VA, i/ien "P^ is increasing and satisfies p -<L q C r
o n l y i f q = r (cf. (3.41), (3.42)).
Froo/. Since \-L A -* -4, it follows that h L A > VA. so PL is
increasing (6.27). Next, since h/ (.4 V ~A), we have h t V(,4 V ~A).
But then V(^4 V ~.4) p, all pe PL- So, if p XL q we have A V ~A e g
for all A &. Then if g C r and .4 0 g, we have ~A G g C r, so A ^ r
(or else r would be //-inconsistent), hence q = r. D
From (6.29) and (6.30) it follows that the logic IK + (VA = ~~A)
is determined by the class of frames satisfying the properties described
therein (soundness is given by (3.39)-(3.41): why are such frames
dense?). From the proof of (6.30) it follows that ~~^4 > V.A is equiva-
lent deductively (and semantically) over IK to (A > VA) f\(V(AV~A)).
From (6.29) we see that VA > ~~,4 is equivalent to V~,4 ~A (which
reduces to VA A only when \~L ~~>1 * A, i.e. when L is classical).
We leave it as an exercise for the reader to prove
(6.31) if L contains all instances of the schema
(3.29) VA-* (BV(B->A)),
then PL satisfies (3.28), i.e. p C q only if p -< q.
Now let N denote the logic IK + (3.29) + (A -> VA). Then PN deter-
mines N, since it is increasing and satisfies (3.28). However PN does
not satisfy the condition
(3.26) p^qittpCq,
for which N is sound, since PN has points with p -< p. To see this,
observe that F = {VA > A : A &} is TV-consistent, having a model in
the one-element TV-frame {0}, where 0 ~< 0. Any ./V-full extension p of JT

will have p -< p. To obtain a determining frame for N that satisfies (3.26)
we modify PN to replace reflexive points by a denumerable sequence
strictly ordered by -<. The simplest way to do this is to put
P*N = (PN x u,, C, x)
where (p, n) C (q,m) iff (i) p CAT q, or (ii) p = q and n = m, or (iii)
p = <? and p -<N q and n < m- while (p, n) -< (q,m) iff (i) p -<# g and
p ^ q, or (ii) p = q and p ~<N q and n < m. Then 7^ satisfies (3.26) and
is an ./V-frame. If / : PJV x u; > PAT is the projection map /(p, n) = p,
we have:
(6.32) for any model- M = (PN,V) based on PN, put M* = (P*N,V*),
where V*(n) = f-l(V(ir)); then for all A e ^ we have AT [=x A
iff M t= /(s) A.
It follows that
(6.33) P*N \= A implies PN |= A (and so \-N A),
giving our desired completeness theorem. (The construction of "P*N is
essentially the "bulldozer" technique of SEGERBERG [86].)
Representing Algebras.
The canonical frame construction can be translated into the language of
lattices to give a representation theory for algebras of the type = (H,j)
(cf. Section 6.5) extending that for HAs sketched in Section 6.2. Define
+ = (P-n, C , n j ) , where PH is the set of prime filters of H, and
q e Hj(p) iff {x : j ( x ) e p} C q.
Then the function {p : x p} is an HA-monomorphism of
into the set algebra +' defined prior to (5.2). In order that y> be a
j-operator homomorphism, which amounts to requiring that
j ( x ) e p iff /ij(p) C <p(o;),
it is necessary and sufficient that be an 7/f-algebra. This in turn
amounts to requiring that j be multiplicative and satisfy j(l) = 1. In
the event that is a local algebra, + will be a J'-frame.
Finally we consider algebras on which j is inflationary and satisfies
multiplicativity and
(6.34) j ( x ) C j / u ( 3 / = > x ) .
By (5.30) and (5.31) these include all algebras of the type CD,js), where
8 is the punctured-neighbourhood system associated with the topology
T>. Given any such algebra , + will be an ./V-frame and so we can
apply the P*N construction, as above, to + to get a frame of the type

0 = (PH x ui, C,C). Composing (f with the inverse to the projection
o + gives a monomorphism into the algebra of hereditary subsets
of Q. But by (5.32), the latter is simply the algebra (D,js), where T> is
the order topology on 0. Thus every TV-algebra can be represented as
a subalgebra of the algebra of open sets determined by the punctured-
neighbourhood system of a topology.
6.7 Sites Over Elementary Topoi

We come now to the interpretation of the modal language !? in ele-
mentary topoi with topologies in the sense of LAWVERE [55]. This will
provide us with a new concept of validity that characterises the sys-
tem J, and yields a formal explication of LAWVERE'S description of
Grothendieck topologies as modal operators. We presume in this (and
only this) section that the reader is familiar with category theory, and
with the basics of topos theory as expounded for instance in LAWVERE
[56], FREYD [19], KOCK and WRAITH [49], MAC LANE [61], or GOLD-
BLATT [26].
Let be an elementary topos with subobject classifier 1 -^1 Q.
J? is the "object" of truth-values for , and the basic property of the
arrow true is that for each -monic a >> d there is exactly one arrow
Xf ' d H (the character of /) that makes the diagram
/ . .,
a pullback. This establishes a bijection between subobjects of d and

elements of the set (d, SI) of ^-arrows of the form d > Q. In particular
the unique arrow 0 > 1 is monic in , and its character is known as
false: !-/?.
Let f? x fi -2+ O, n x ft -Û n, n x n -^ /?, be the "truth-
arrows" of corresponding to the connectives A, V, > (for definitions
cf. the above references). These arrows act as operators on (d,f2),
defining binary operations by
(7.1) hnk = r\o(h,k),
(7.2) / i U f c = U o ( / i , f c ) ,
(7.3) h^k = =>o ( h , k ) ,
where (h, k) is the product arrow of h and k:
fix fi ~fi
The structure ((d, fi), n, U, =>,falsed) thus defined proves to be a Heyt-

ing algebra, where the least element falsed is given by
d
falsed\. /false
n
A topology on is an arrow fi -i fi for which the diagrams
(7.4)
(7.5)
fix fi^ fi
(7.6) J*j| [j
fix fi^ fi
all commute. As shown by FREYD [19], commutativity of (7.4) is equiv-

alent in any topos to that of
(7.7)
"fi
A pair of the form j = ( , j ) will be called an elementary site. The

prime example has as the category of presheaves over a topological
space (X,T>), with j determined by the operator jt> of (4.18).
The map h H-> j o h is a local operator on j(d,ft). To see, for
example, why it is inflationary observe that
164 MATHEMATICS OP MODALITY
hn(joh) = H o ( h , j o h ) (7.1)
= no(ifi)j)o/i
= In o f t (7.4)
- h,
so that h C j o h. The idempotent and multiplicative properties of
h H-> j o ft are given by (7.5) and (7.6).
An Sj-valuation is a function V : <P0 - (!,/?) assigning to each
sentence letter TT a truth- value ("element" of fi) in , i.e. an arrow
V(TT) : 1 -> /?. This is lifted canonically to a function V : & -> (!,/?)
by putting
(7.8) V(_L) = /ofae,
(7.9) F(4 A 5) = V(A) D
(7.10) V(4 V 5) = V(A) U
(7.11) V(A - 5) = V(A) =
(7.12)
^4 is Ej-valid, j \= A, iff F(^4)=i?Tie for every j-valuation.

Clearly an f j-valuation is precisely the same thing as a valuation on
the local algebra j ( l , f l ) , and it follows from the foregoing that doing
topos-theoretic semantics in j is equivalent to local algebra semantics
i n j ( l , f 2 ) . Thus
(7.13) j \= A iff S j ( l , fj) (= A, for all A $>.
Prom this, by (6.7) we have
(7.14) \-j A only if j \= A, for all elementary sites j.
The main result of this section is the converse to (7.14), which is
derived using a special kind of topos constructed from a frame.
If P = (P, C) is a poset, then P may be construed as a category,
with at most one arrow p > q, for any p, q 6 P, this arrow existing just
in case p C q. Let Sef be the category of set-valued functors defined
on P. An object in this category is a functor F : P -^Set, assigning
each p e P a set Fp and each arrow p > q (when p C q) a set function
Fpq : Fp > Fq , such that
(7.15) Fpp is the identity function on Fp,
and the following diagram commutes whenever p C. q C r:
Fp
(7.16)
An arrow from functor F to functor G in Setp is a natural transformation

F A G, i.e. a family
(7.17) {Fp-4Gp:pP}
of functions (components of a) indexed by P, having the form shown in
(7.17), and such that the following diagram commutes whenever p C. q:
(7.18)
Informally F may be thought of as a "set" varying (growing) over the

"stages" p P, with the Fp?'s as "transition" maps between stages.
The similarity with the notion of Kripke-style model for elementary in-
tuitionistic logic is evident.
The relevance of these notions is that Setp is a topos. Its object of
truth-values f l : P -> Set has
(7.19) flp = [p)+ = the set of C-hereditary subsets of ([p), C).
For each S P+ and p P, let
(7.20) sp = [p)nse[p)+.
Then the functions S -> Sp provide the transitions of H. That is, if
p C q then
(7.21) npq(S) = Sq, for all S [p)+-
The terminal object 1 : P > Set of Setp has constant values l p = {0},
for all p G P. The arrow true: 1 /? has p-th component irwep : {0} >
[p)+ given by
(7.22) rwe p (0) = [p) = the largest element of [p)+.
The arrow false: 1 > /? is given by
(7.23) falsep(Q) = 0, for all p.
The truth-arrows n, U, =>, in Sef^ have as components the cor-
responding HA operations on the HAs f?p. Thus np is the operation
(S,R) >-* S n R, Up is (S,R) ^ SDR, and =>p is (5,Pt) -
(2.13) on [p)+.
Let us suppose further that P is a ^7-frame (P, C, p,). Then for each
p we define, for 5 6 [p)+,
(7.24) jp(S) = fe(5))p = {r : p C r and /x(r) C 5} [cf. (7.20)].
+
Then jp(S) is hereditary in [p) . We leave it to the reader to verify that
(7.25) jp : J?p > fip is a local operator on the Heyting algebra fip.
The right-hand side of equation (7.24) is in fact defined for any 5 P+.
The general situation is
(7.26) 0 M (S)) P = jp(Sp).
Proof.
JP(SP) = 3P(\p)nS) (7.20)
= b)n.Ub)nS) (7.24), (7.20)
^(5) (5.6)
(5.4)
(7.20).
D
From this, noting that p C q only if \q) C [p), we can prove that
(7.27) ifp C q then ^ p q ( j P ( S ) ) = jq(npq(S)), for S f i p .
Proof.
flPq(jP(S)) = [q)njp(S) (7.21)
= b)nb)n^(5) (7.24)
= [9)nj M (5) (above note)
= j,(5,) (7.26)
= j,(/?p,(S)) (7.21).
D
(7.27) asserts that the diagram
aj \npq
JO
cq i" O
+ jq
commutes whenever p E g, and so the family {jp : p 6 P} form the com-

ponents of a natural transformation jp : Q > fi, i.e. an arrow in Set**.
From (7.25) it can be shown that the diagrams (7.4)-(7.6) commute for
j-p (the components of a composite of natural transformations are the
composites of their corresponding components). Thus jp is a topology
on Sef', and so
(7.28) p = ( S e t ^ j j p ) is an elementary site.
It is interesting to note that the condition that P be increasing (hence

jp inflationary) is needed not only to prove its categorial version (7.4),
but also in the proof of (7.26) and hence (7.27). In other words it is
needed to show that jp is an arrow at all in Setp '. Thus the axiom
A > V^4, of little interest in classical modal logic, plays a crucial role
in the present theory.
The key to our completeness proof is that for any J'-frame P, we
have
(7.29) p \= A iff P\=A, for all A$.
Applying this to the canonical ^7-frame Pj gives
(7.30) Pff \=A iff Pj (= A iff \-j A [cf. (6.28)],
so that the canonical site pj determines J, and moreover any sentence
valid on all sites will be in particular py -valid, hence a J"-theorem.
As to the proof of (7.29), we already know (7.13) that
(7.31) S-p (= A iff P(l,fi) \=A,
while by (5.2) we have
(7.32) P\=A iff & = (P+,jlt)Â.
Since isomorphic local algebras validate the same sentences, our desider-
atum (7.29) follows from (7.31), (7.32) and
(7.33) there exists a local algebra isomorphism M = p(l,fi).
CTs
Proof. Given S P+, define 1 > J? to be the natural tranformation
whose p-ih component crp' : 0 * J?p has
(7.34) <rp5(0) = Sp,
(that as is natural follows since (Sp)q = Sq when p C q). Conversely,
given cr : 1 fi define Sa 6 P+ by
(7.35) Sr = \J{o-p(Q):pP}.
Then the functions 5 H-> <rs and a i-> 5CT, are mutually inverse and
provide the asserted isomorphism. The details of this for the Heyting
algebra part
P+ ^
are fully presented in GOLDBLATT [26]. For the present we show only
that 5 i-> as preserves the local operators, i.e.
(7.36) jp oas = ffirW, for all S P+.
D
Proof. The p-th component of jp o as is jp o ap. But

jpoaj(Q) = jp(Sp) (7.34)
- (j(S))p (7.26)
(5)
= < (0) (7.34)
so that jp o <js and o-^5) have identical components. This completes
the proof of (7.29) and hence of (7.30). D
With regard to the quotation of LAWVERE given in Subsection 6.3.8,
we note that for any topos , the pair
where -> -> is the composite of the negation truth arrow with itself, is
an elementary site (cf. e.g., FREYD [19]). In Setp the natural transfor-
mation -< has component -ip : Qp > /?p given by ->P(S) = (S (=>0)p. We
leave it to the reader to contemplate the details of
(7.37) if P is the canonical frame for the logic 1C = IK + (VA = -- A),
then for all A, \-IC A iff (Setp)^ \= A;
(7.38) \=IC A iff (-,-, \= A for all elementary topoi ).
6.8 Finite Models and Decidability

In this final section we establish that the set of jT-theorems is recursive
by showing J to have the finite model property. This means that each
non-theorem A of J is falsifiable on a finite j7-frame whose maximum
size is determined effectively by A. Since the concept of jT-frame is
decidable for finite structures, this gives a decision procedure for J-
theoremhood. One simply has to enumerate all finite JT-frames up to
a certain prescribed size and test A for validity on each of them. The
method of filtration of models that we use will be applied also to some
further completeness theorems, as well as to the decidability of the logic
1C.
Let M L be the canonical model of a normal logic L, and T C ty a set
of sentences closed under subsentences. Define an equivalence relation
~T on PL by
(8.1) p&Tq iff p<~\T = qr\T
iff VA 6 r(ML NP A iff ML \=q A).
Let
(8.2) \p\ = {q:p*r <?},
(8.3) Pr = {\p\:pePi.}.
Defining a further relation on PL by
(8.4) prq iff pC\r Cqftr

(so that p KT q iff prqrp), a well defined partial-ordering on PT is given
by
(8.5) \p\ C \q\ iff prq.
A valuation on (PT, C) is given by
(8.6) K(7r) = { | p | : 7 r e p n r } .
Then if -< is any relation on PT such that the following conditions obtain,
(8.7) PT = (-P T ,E,-<) is a frame (i.e. satisfies (3.4)),
(8.8) |p| -< \q\ implies {B :VB e pC\r} C q,
(8.9) p -<L <? implies |p| -< |g|,
we say that the model .MT = (PT, V T ) is a filtration of ML through r.
(8.10) Filtration Theorem.
For an?/ ^ 6 r and p PL, Aii |=p .A iff Mr \=\p\ A.
Proof. For any non-modal A e $ the proof is given by SEGERBERG [84,
Theorem 4.1]. For the inductive case A = VB, assuming the result for
B, we proceed as follows (exactly as for classical modal logic). First,
suppose that MT \=\p\ VB. Then if p -<L q, \P\ -< \q\ by (8.9), so
MT (=|,| B. The inductive hypothesis then gives ML (=9 B. Hence
ML \=P VB. Conversely, if the latter condition obtains, we have VB 6 p
(6.20). But T is closed under subsentences, so B V p n r. Then if
|p| -< \q\, (8.8) yields B 6 q, hence by (6.20) and the inductive hypothesis
Mr h=|,| B. This shows that MT (=|p| VB. D
We shall call T logically L-finite if there exists a finite subset TO of T
such that
(8.11) VA 6 rlA0 TO: \-L (A = A0).
TO will be called an L-base for T. Since
(8.12) \-LA = A0 iff |AU = |.4oU
(this follows from LINDENBAUM'S Lemma), we have that if T has L-base
TO,
(8.13)p T g iff pr\r0 = q<~\T0,
so that |p| i-> p n TO gives a well-defined injection of PT into the power
set of TO. Thus Mr will be finite with at most 2n elements, where n is
the cardinality of TO.
We observe next that filtrations of ML through T always exist, for
we may define
(8.14) |p| -< \q\ iff {B :VB 6 p H r } Cq
to get a relation satisfying (8.7)-(8.9). Since any other relation satisfying

(8.7)-(8.9) is (by (8.8)) contained in the one given by (8.14), the model
resulting from (8.14) is called the largest filtration of ML through T.
(8.15) Finite Model Property for IK.
\~IK A iff P \= A for every frame P of cardinality < 2n, where n
is the number of subsentences of A.
Proof. Soundness is clear. Conversely, if not \-JK A then for some
p e PIK, not MIK \=P A (6.20). Let T be the set of subsentences of
A, and MT the largest filtration of MIK through T. Then A is false in
Mr at \p\ (8.10), and the finite frame Pr has at most 2 elements since
T is an IK-base for itself. D
As well as giving decidability of IK, (8.15) has the corollary
(8.16) IK is determined by the class of finite frames.
For the decidability of J we need to consider a subrelation of (8.14),
defined by1
(8.17) \p\ -<' \q\ iff 3t e PL 3<f \q\ (prt and t ^L q').
(8.18) P'T = (PT, C, x') is a frame, and M'T = (P'T,VT) is a filtration of
ML through T.
Proof. To show P'T satisfies (3.4), suppose \p\ C \q\ -<' \r\. Then pC\ T C
q n T C t n T, for some t 6 PL, with t -<L r' for some r' \r\ ((8.5) and
(8.17)). But then prt and t -<L r', so that \p\ -<' \r'\ = \r\. Hence (8.7)
holds. For (8.8), if prt -<L <?', and VB &pr\r, then VB tr\r, and so
Bq'CiT = qr\T. Finally, for (8.9), if p -<L <7, then prp -<L Q, making
|p| -<' M. n
(8.19) If L contains the logic J, then P'T is a J-frame.
Proof. If |p| -<' \q\, there exists t with prt -<L q' for some q' 6E \q\. By
(6.27), PL is increasing, and so t C q'. But then we see that prtrq',
hence prq', so |p| C \q'\ = \q\. Thus P'T is increasing. Secondly, we
show that P'T is dense, using the fact (6.27) that PL is dense. For, if
prt -<L q, then there exists s PL, with t -</, s XL q. But prt ~<L s
gives |p| -<' |s|, while srs XL 9 gives |s| -<' |g|. D
The upshot of (8.19) is that any non-theorem of J is falsifiable on
a finite ./-frame, namely a filtration of Mj of the type P'T. Thus the
Finite Model Property Theorem holds exactly as stated in (8.15) with
J in place of IK. We also have now established that J is determined by
the class of all finite jr-frames.
'Definition (8.17) and its application have been modified from the original version
of this article, since the latter was incorrect.
It was pointed out in Section 6.3 that the finite frames for the logic
1C = IK + (VA = ~~,4) (which contains J) are precisely those satis-
fying
(3.45) p ~< q iff q is a C-maximal member of \p).
Our nitration definition can be used now to show that 1C is determined
by its finite frames.
(8.20) // \~i VA = ~~j4, and T is closed under negation ( i.e. B r
only if ~J5 e T), then P'T satisfies (3.45) and so is an IC-frame if
it is finite.
Proof. Prom (6.29) and (6.30) we know that PL is increasing, has HL(P)
cofinal with [p), and the members of ML(P) are maximal in [p). By
(8.19) we also have P'r increasing. Now suppose in P'T that \p\ -<' \q\,
with prt ~<L q for some t. Then if \q\ C \r\, we have q fl r C r n T. But
from the proof of (6.30) we have that V(BV~B) *, and so BV~B g,
for all B &. Then if B S r fir we must have B qC\r, or else ~B q,
and since T is closed under negation this would make ~B 6 q n T C r.
The latter is incompatible with B r. Thus r n r C g n r, making
|g| = |r|, and so |<?| is C-maximal in {|r| : \p\ C |r|}.
Conversely, suppose this last condition holds, i.e. that \p\ C \q\, and
(8.21) \q\ C |r| implies |g| = |r|.
Now in PL, fJ.L(q) is cofinal with [q), and since q G [<?) there must be
some r [q), i.e. 9 C r, with q -<L r. But then qC\r C rHr, i.e. \q\ C |r|,
so by (8.21) \q\ = \r\. However, since \p\ C \q\, we have prq -<L r, so
\p\ -<' |r| = |g|. This completes the derivation of (3.45) and the proof of
(8.20). D
In order to apply (8.20), we take r to be the closure under negation of
the set of subsentences of a given non-theorem A of 1C. Denoting this set
of subsentences by TA, it follows from the fact that h/ (~~~5 = ~B)
that T is logically /C-finite, and that
TO = TA U {~B : B TA} U { B : B TA}
is an /C-base for T. The filtration P'T of Al/c through T will be a finite
/C-frame with .M'T a falsifying model on it for A. Thus the Finite Model
Property holds for 1C with the upper bound in (8.15) modified to 23n.
Finally, we return once more to the limit point condition
(3.26) p -< q iff pCq.
Let FN denote the logic obtained by adjoining to IK the schemata
(3.29) VA -> (B V (B -> 4)),
172 MATHEMATICS OP MODALITY
(3.27)
Notice that since h/ A > (VA > A), we have \~FN A VA, so FN
contains the logic TV of Section 6.6: the latter, as shown there, being
determined by the frame condition (3.26). We are going to prove that
FN is determined by the class of finite frames satisfying this condi-
tion (soundness was noted in Section 6.3). To do this we reverse our
approach, so that instead of showing that a filtration has the relevant
frame condition, we prove that the condition implies the Filtration The-
orem.
(8.22) Let L be a normal logic containing FN and r a set of sentences
closed under subsentences and under the implication connective.
Then in the model M = CP T ,E>C) we have for all p PL and
Proof. The only new part is the inductive step A = VB, for which we
use the obvious fact (cf. (8.4), (8.5)) that
(8.23) \p\ C M iff pnrCgnr.
Now if ML \=p VB, then VB p (6.20). Then if \p\ E \q\ there exists
(8.23) some C q n r with C p. Since
(VB - (C V (C - B))) e p (3.29),
we then get (C -> B) 6 p. But r is closed under , so (C > B) 6
pC\r C q n T. Using C q we then get B q, whence by (6.20) and the
induction hypothesis, M \=\q\ B. This shows M \=\p\ VB. On the other
hand, suppose that not MI \=p VB, i.e. VB p. By the .FW-axiom
(3.27) it follows that (VB - B) p. But then by properties of XL,
and the semantic clause for > (2.5), there exists q PL with p C g,
VB 6 q, and B q. By induction hypothesis, .M |=|9| B fails. But
VB p, and so p n T C q n r, giving |p| C |g|. Thus X (=|p| VB fails.
This completes the proof of (8.22). D
Taking T now to be the closure of the set of subsentences of A under
>, then if not \~FN A the model M constructed from MFN as in (8.22)
will falsify A at some point and, by definition, will be based on an FN-
frame. But it is known from the work of DiEGO [9] that there exists
a primitive recursive function / such that if a is a set of sentences of
finite cardinality n, there are at most a finite number f ( n ) of sentences
constructible from a by the implication connective that are deductively
non-equivalent over /. Thus the T just described is logically finite, hence
M is finite. We see then that the Finite Model Property holds for FN,
with an upper-bound on the models of the form 2-^"'.
The Semantics of Hoare's Iteration
Rule
ABSTRACT. Hoare's Iteration Rule is a principle of reasoning that is

used to derive correctness assertions about the effects of implementing
a while-command. We show that the prepositional modal logic of this
type of command is axiomatised by Hoare's Rule in conjunction with
two additional axioms. The proof also establishes decidability of the
logic. The paper concludes with a discussion of the relationship between
the logic of "while" and Segerberg's axiomatisation of propositional
dynamic logic.
Introduction
The modal logic of programs proposed by PRATT [71] associates with
each command a a modal connective [a] that is read "after a termi-
nates...". Thus the symbolism
A-> [a]B
expresses the partial correctness assertion "if A is true (now), then after
a terminates B will be true". In these terms, the Iteration Rule intro-
duced by HOARE [45] for reasoning about while-commands takes the
following form:
if h e A A - [ a ] A ,
then h A > [while e do a](A A ->e).
The validity of this inference rule is based on the fact that a performance
of (while e do a) consists of a finite sequence of executions of a, leading
to a state in which e is false, with each execution starting in a state in
which e is true. The premiss of the rule asserts that the sentence A is
an invariant of each step in such a sequence, i.e. if it is true at the start
of the step, then it is still true when the step ends. Prom this the rule
173
infers that if A is true at the outset, then when the whole sequence is
finished we will have A still true, with e false.
The Iteration Rule has been used to establish the correctness of many
specifications of algorithms (cf. ALAGIC and ARBIB [1] for an introduc-
tion to this methodology). Examples have also been given (cf. WAND
[105]) of correctness assertions that it is incapable of deriving. A poten-
tial explanation of this phenomenon is that we really need an infinitary
inference rule to obtain certain assertions about while-commands, since
there are infinitely many possibilities for the length of a finite sequence,
and we need one premiss for each such possibility.
Another source of "incompleteness" of Hoare's Rule is that while it
allows us to draw conclusions about what happens if a while-command
terminates, it does not allow us to establish that it terminates. Thus,
for instance, we could use the Rule to infer that the command fails to
terminate, by deriving
[while e do a]false,
(where false is some constantly false, or contradictory, assertion), but
we cannot, as we shall see, use it to derive the sentence
(1) ->e ->[while e do ajfalse,
which expresses the valid principle that a while-command terminates if
its test expression is false.
In this article a completeness theorem for a prepositional logic of pro-
grams is presented which establishes that the meaning of (while e do a)
is exactly characterised by the Iteration Rule in consort with (1) and
(2) e ([while e do a\A [a][while & do a]A).
Hoare's Rule itself corresponds to the semantic principle that every ex-
ecution of (while e do a) consists of a sequence of the type described
above. (1) and (2) are needed for the other side of the coin, viz. that
every such sequence constitutes an execution of the command.
These results were first announced in GOLDBLATT [38]. In a subse-
quent monograph (GOLDBLATT [23]) the author has developed a com-
pleteness theorem for the program logic over a general first-order lan-
guage, using an infinitary analogue of Hoare's Rule. The first stage of
the proof is a completeness theorem for a propositional logic, using the
same infinitary rule. However, whereas this rule is unavoidable in gen-
eral in the presence of elementary quantification, at the propositional
level the set of valid formulae is decidable and can be given a finitary
axiomatisation. The burden of this article is to establish that fact. This
will be done in the context of a simplification: we overlook the dis-
tinction drawn in [23] between external and internal logic, i.e. between
THE SEMANTICS OF HOARE'S ITERATION RULE 175
the logical operations performed by the programmer in reasoning about

program behaviour, and those performed by the computer in evaluating
test expressions. Internal logic is the logic of the Boolean expression e
in (while e do a). It involves a "sequential" interpretation of connec-
tives, and a three-valued semantics to accomodate the possibility that
the computer may leave an expression undefined - e.g. when its evalu-
ation fails to terminate. On the other hand, external logic, which is a
version of "logic without existence assumptions" at the first-order level,
concerns modal formulae that express assertions about programs, and
is two-valued - such assertions either being the case or not. However
for this paper we will simplify matters by using a two-valued semantics
throughout. Readers are invited to satisfy themselves that the results
developed below extend to the logical system of Chapter 2 of [23].
Syntax
Our formal language contains the following syntactic categories:
Boolean variables: p Bvb
Program letters: ?r Prl
Boolean expressions: e e Bxp
Commands: a 6 Cmd
Formulae: A Fma
Bvb and Prl are two disjoint denumerable sets, from which Bxp, Cmd,
and Fma are generated by the BNF-style definitions
e ::= p \ false | ei 62
a ::= ir \ skip | abort | ai;Q2 | if e then a\ else a? \
ai or 02 | while e do a
A ::= p | false Al -> A2 \ [ a ] A .
Thus Bxp C Fma. From the material implication connective , and
the prepositional constant false, the standard Boolean connectives ->, A,
V, <-> are defined in the usual way. skip and abort are constants whose
meaning will be evident from the formal semantics to follow. (ai;a2) is
the composite of QI and 02, executed by doing a\ and then doing a 2 . (if
e then ai else a 2 ) is the conditional command executed by performing
a\ if e is true, and 0:2 otherwise. (QI or 0:2) is a non-deterministic
command executed by arbitrarily choosing to execute a\ or a%.
Semantics
A model is a structure M = (S, V,R(-)), where
(i) 5 is a non-empty set (of "states");

(ii) V is a valuation that assigns to each p G Bvb a subset V(p) of S;
(iii) R(-) is an operator that assigns to each a Cmd a binary relation
R(a) on S1.
The property "A is true (holds) at s in M", symbolised M \=s A, is
denned by induction on the number of symbols in A, as follows (the
prefix M may be dropped if it is clear which model is intended).
M \=, p iff 5 V(p)
M. s false (i.e. not M. |=s false)
M |=s AI -> AI iff M \=s AI implies M \=s A2
M\=s(a]A iff for all t G 5, sR(a)t implies M \=t A
(notice that the set {s : M \=s e} is determined, for any e G Bxp, by V
and does not depend at all on R(-)).
We say that A is true in M, denoted M. \= A, if A is true at every
s G 5 in M.
Our attention will be focused on models in which the properties of
R(a) reflect the intuitive meaning of the command a . To describe these
properties we introduce some notation about binary relations R on 5.
Restrictions: A] R { ( s , t ) : sRt and \=s A}
R\ A = { ( s , t ) :sRta,nd \=t A}
Composition: PoR = { ( s , t ) : for some u, sPuRt}
Equality : Es = {(s, s) : s G 5}
Iteration: R = ES
Rn+i = RnoR
Closure: R* = (Jn<u,Rn.
Now in any model there are standard set-theoretical operations that can
be applied to the subcommands of a and their interpretations to assign
to a a relation on S that corresponds to the intended way that a is to
be performed. This standard meaning of a will be denoted M(a), and
is defined as follows.
M (skip) = Es, i.e. sM(skip)t iff s - t ;
Ai(abort) = 0, i.e. not sM(abort)t for any s,t;
M(ai;a2) = R(ai) o -R(a 2 )
M ( i f e then Q! else a 2 ) = (e ] R(ai)} U (-<e ] R(a2)),
i or a 2 ) = R(a1)LlR(a2)
e do a) = (e] R(a))* \ -<e, i.e.
S.M(while e do a)t if, and only if, for some n , and some
s0,...,sn G 5, we have s0 s, sn t, and M 4 e, with
SiR(a)si+i and M \=Si e whenever 0 < i < n.
(For program letters we may take M(TT) R(K)).

A model is standard fora if M(a) = R(a), and standard, simpliciter,
if it is standard for all a 6 Cmd. Given 5, V, and R(TT) for all TT 6
Prl, we can systematically construct a standard model: proceeding by
induction on the length of a we define R(a) to be M(a) as given by
the above equations. In other words, once the /?(TT)'S are given the
standard-model structure is uniquely determined.
(3) Theorem. Let M. be a model in which
.R(while e do a) C M(while e do a).
Then M validates Hoare's Rule, i.e.
M \= e h A > [ a ] A only if
M \= A > [while e do a](A A ->e).
Proof. Let A be true at s in M. To show that [while e do a](A A ->e)
must then also be true at s we must show that if s.R(while e do a)t,
then A A ->e holds at t. But given such a t, the hypothesis on M. implies
that there exists a sequence s = s0, . , sn = t, for some n > 0, that has
the properties described in the definition of M (while e do a). But if
e A A > [ a ] A is true in M, then whenever rR(a)u, with A and e true
at r, we have A true at u. But then as A is true at SQ, it follows by
induction on i that A is true at Si for all i < n. In particular >1 is true
at sn = t as desired. Moreover, as e fails to hold at t, ->e is true there,
and hence so is A A -*e. D
Proof Theory
A logic is any set L of formulae that satisfies:
(i) L contains all instances of the schemata
Al: A->(B^>A)
A2: (A-+(B-+C)) ^ ((A ^ B)-> (A-+C))
A3: ^.4 -> A;
(ii) L is closed under Detachment, i.e.
A, (A -> B) e L only if B 6 L;
(iii) L contains all instances of
A4: [ a ] ( A ^ B)-* ( [ a ] A ^ ( a ] B ) ;
(iv) L is closed under the a - Termination Rule, for all a, i.e.
A 6 Lonly if [ a ] A e L.
As is well known, (1) and (2) provide an adequate basis for the classical
Prepositional Calculus (PC), so that every instance in Fma of a PC-
tautology belongs to L.
If X is a subset of Fma, we say that A is deducible from X in L,
in symbols X \~L A, if there is a finite sequence AI, ..., An of formulae
such that An A, and for alH < n either Ai X or Ai L, or there
are j, k Ai (so that Ai is deducible from Aj
and Ak by Detachment). As a special case of this relation, we put \-L A
if 0 )~L A, and observe that this obtains iff A L.
A set ^f is L-consiste.nl if Jf Fj, false, and L-maximal if it is In-
consistent and contains one of A and -i^4, for each A Fmo (this is
equivalent to requiring that X not be a subset of any other L-consistent
set).
The presence of PC in L suffices to establish the Deduction Theorem
for L:
XU{A}\-LB iff X \-L (A^B),
and this is used to prove, still only using PC, the result known as Lin-
denbaum's Lemma, viz.
Every L-consistent set has an L-maximal extension.
From this follows
(4) X \~L A iff A belongs to every L-maximal extension of X;
(5) \~L A iff A belongs to every L-maximal set.
The essential role of A4 and the a -Termination Rule in the proof theory
of L is to yield
(6) X\~i [a\A iff A belongs to every L-maximal extension of X(a) =
{B: [a}BEX}.
The Canonical Model

Let ML = (SL,VL,RL(-)}, where
(i) SL is the set of all L-maximal subsets of Fma;
(ii) VL(p) = {seSL:pes};
(iii) sRL(a)t iff s(a) Ct iff {B : [a}B s} C t.
The fundamental property of this model is that for any A E Fma, and
any s SL,
(7) ML \=SA iff A e s.
This is proven by induction on the length of A, with (4) and (6) being
invoked to show that
[a] A e s iff sRi(a)t implies A e t.
From (5) and (7) we obtain that in general,
\-L A iff ML f= A,
i.e. the formulae true in ML are precisely the L-theorems. Hence MI
is known as the canonical model for L.
ML as a Standard Model
The theory just outlined is by now standard material in the study of
prepositional modal logics, and the reader will find a full account of it,
with proofs, in e.g. LEMMON [59] or CHELLAS [8]. The usefulness of
the canonical model resides in the fact that in order to prove that L is
determined by a certain class C of models, i.e. that
t-L A iff for all M C, M\= A,
it suffices to show
(i) each member of C is an L-model; and
(ii) ML e C.
Now consider the following axiom schemata:
A5: [skip]^4 <- A
A6: [abortjfalse
A7: [ai;a 2 ]4<-+ [ai][a2]A
A8: [if e then QI else aÂ <-> (e [QI]^) A (->e > [a2]A)
A9: [QI or a.i]A <-> [a\]A A [a?] A.
It is readily seen that A5-A9 are true in all standard models. To show
then that these axioms characterise the standard-model conditions for
the commands they refer to, it suffices to show that if L contains all
instances of the axiom in question, then ML satisfies the corresponding
condition. We leave this as an exercise for the reader. The only case
that is not straightforward is to show that ML satisfies
in the presence of A7. A proof of this fact may be found in [88, 4] or

[32, Theorem 10.3].
The situation for while-commands is however rather different. If we
confine ourselves to finitary proof theory, then there is no way to make
ML standard for all while-commands. To see this, take a particular
Boolean variable p and program letter ?r and consider the set
X = {[7r]"p : n} U {-.[while p do 7r]false},

where
[ir]p = p, and
n+1
[7T] p = [7T][7r]>
Now in any model we have
(=s [TT]> iff sR(ir)nt implies (=t p,
so that in a standard model X cannot be satisfied, i.e. there is no point
5 at which all members of X are simultaneously true. For, if [ir}np
holds at s for all n, then (while p do TT) will not terminate if started
in s. But every finite subset of X can be satisfied in some standard
model. Adapting the example of SEGERBERG [88, 4], for each k [ while p do TT] false} holds at 0 in Mk-
Now if L is a logic generated by adding to A1-A9 any number of ax-
ioms and any number of finitary inference rules (i.e. ones taking finitely
many formulae as premisses), then a set will be L-consistent whenever
each of its finite subsets is. If all //-theorems are true in standard mod-
els, then for the above construction every finite subset of X is satisfied
in some L-model and so must be L-consistent. Hence X itself will be
L-consistent and so by Lindenbaum's Lemma will have an L-maximal
extension, say s. But then by (7), X is simultaneously satisfied at s in
ML, and so it follows that ML cannot be standard for the command
(while p do TT) (even though ML may well validate the Iteration Rule).
Filtrations
We wish to show that under certain conditions a logic is determined by
its standard models, i.e.
\~L A iff A is true in all standard L-models.
Now if PL A, then we know that ML is always a falsifying model for A,
but not in general a standard one. To remedy this defect we will use the
method of filtrations to "collapse" ML to a standard falsifying model
for A. This will produce a different falsifying model for each A, and
moreover a finite one whose size is effectively determined by the length
of A
Filtrations are constructed as follows. Let Z be a set of formulae
that is closed under subformulae. Then Z determines an equivalence
relation on SL by putting
s~t iff sC\Z ~tnZ.
Let \s\ = {t : s ~ t} be the 'equivalence class of 5, and put

S/Z={\s\:stSi.}.
The assignment of s n Z to \s\ is a well-defined injection of S/Z into the
power-set of Z. Thus if Z is finite, with say n members, then S/Z has
at most 2n members and is finite.
A valuation Vz is well-defined on S/Z by putting
<l f l l : P e s >
0
ifpez
'
otherwise.
(Actually, the definition of Vz(p) when p ^ Z is immaterial.) We shall
be concerned with truth of members of Z in models of the form
M = (S/Z,VZ,R(-)),
constructed by considering various definitions of R(a) on S/Z (hence
the definition of R(a) will only be significant for those a's that occur
in members of Z). For any model of this form, the following result is
evident.
(8) Theorem. // e 6 Bxp, and every Boolean variable in e belongs to
Z, then for any s SL,
es iff M (=|a| e, i.e.
ML \=se iff M \=\s\ e.
D
The next result is crucial to our analysis of the Iteration Rule below.
(9) Theorem. // Z is finite, then for any subset T of S/Z there is a
formula AT such that for all s Si,
AT s iff \s\ 6 T.
Proof. For each t E SL, let At be the conjunction of
(t r\ Z) \J {->A : A e Z -t}
(which is finite as Z is). The definition of At depends only on \t\, in that
At = As iff \t\ = \s\, and indeed
Ats iff \s\ = \t\.
Now if T 0, let AT be false to obtain our desired conclusion. Oth-
erwise, since S/Z is finite we may take T to be {\t\\,..., \tm\} for some
m > 1, and some t\,... ,tm 5^. Let AT then be
A tl V . . . V A t m ,
so that
AT s iff \s\ = \ti\ or . . . or \s\ = \tm\
as desired. D
Now let a be a command that occurs in Z. A relation R(a) on
S/Z will be called a filtration of RL (a) through Z if the following two
conditions hold.
I(a): sRL(a}t implies |s|fl(a)|t| ;
II(a): |s|#(a)|i| implies {A : [a]A s n Z} C t.
Such relations always exist. The smallest is given by
|s|.R(a)|| iff s'RL(a)t' for some s' ~ s and t' ~ t,
while the largest has
a\R(a)\t\ iff {A:[a]AesnZ}Ct.
A model of the form M = ( S / Z , V z , R ( - ) ) will be called a filtration of
ML through Z if R(a) is a nitration of RL(O) through Z for all a's that
occur in Z. The proof of the next result may be found, e.g., in [59, 3],
or [8, 3.5]. It extends Theorem (8) to include modalised formulae.
(10) Theorem. If M. is a filtration of ML through Z, then for any
A Z, and any s SL,
ML\=SA iff M\=\.\A.
Hence for all A Z,
MLÂ iff M^=A.
D
This result provides us with finite falsifying models: if FL A, then ML &
A, and so A is falsified by any filtration of ML through any (finite) Z
that contains A (e.g. Z could be the set of subformulae of A). In order
to show that the filtration satisfies some desired property we can then
make use of the properties of ML, as determined by the properties of
L itself. We will do this in the next result, which displays the essential
role of Hoare's Rule in the present theory of models.
(11) Theorem. Let L be a logic that is closed under Hoare's Iteration
Rule for the command (while e do a), i.e.
\~i e A A [a]A only if \~L A > [while e do a\(A A ->e).
Suppose that Z is finite, closed under subformulae, and contains all
Boolean variables appearing in e. Then if M is any model of the form
(S/Z,Vz,R(-)) that satisfies the condition l(a), we have
s^?i(while e do a)t only if \s\M(while e do a)\t\,
for alls,t SL.
Proof. Take a particular s SL and define a subset T of S/Z by putting
x T iff for some n > 0, \a\(e ] R(a))nx.

Then we have, for any i,
|s|Al(while e do a)|i| iff \t\ 6 T and M \=\t\ ->e.
Hence by Theorem (8),
(i) |s|.M(while e do a)|t| iff \t\ T and ->e t.
Now by Theorem (9) there is a formula A such that in general
A e t iff |t| e T.
We can now show that the formula (e A A > [a]j4) is in every ,-
maximal set, and hence is an L-theorem. To see this, we have to show
that if (e A A) u 6 SL, then [a]A e u. But if (e f\ A) & w, then e u
and A e M, and so |u| e T, i.e. |s|(e 1 .R(a))n|M| for some n. Thus if
uRL(a)t, for any i, then by I(a) we have |u|fl(a)|t|, and so by Theorem
(8) \u\(e 1 R(a))\t\. This means that \s\(e } R(a))n+1\t\, so that \t\ T,
and thus ^4 t. It follows that [a]A u as desired.
By the assumed closure condition on L, we conclude that the for-
mula A > [while e do a](A A ->e) is an L-theorem, and hence be-
longs to s. But A s, since \s\ G T (take n = 0), and thus we have
[while e do a](A A ->e) 5. This allows us to complete the Theorem,
since for any t, if sRL(\vhile e do a)t we can now infer that (Af\-<e) t,
giving .A t, whence \t\ 6 T, and also ->e t. By (i) this implies that
|s|.M(while e do a)\t\ as required. D
Theorem (11) can be used to obtain a simple semantic characterisa-
tion of the Iteration Rule: if H is the smallest logic that is closed under
the Rule, then the theorems of H are precisely those formulae that are
true in all models that satisfy
(12) .R(while e do a) C M(while e do a).
Theorem (3) established that in any such model the set of true formulae
is a logic that is closed under the Rule, and hence contains H. In
other words, any model satisfying (12) is an ff-model. To complete the
characterisation we have to show that if PH A, then A is falsified by
some model satisfying (12). For this model we take a filtration of MH
through the set ZA of subformulae of A in which R(a) is the smallest
filtration of RL(O) through ZA if a occurs in A, and 0 if not. The
definition of the smallest filtration given earlier, together with Theorem
(11), ensure that this model satisfies (12), as the reader may confirm.
Now the conclusion of Theorem (11) states that the relation
M. (while e do a)
satisfies the first of the two conditions necessary to make it a filtration

of Ri(while e do a). Criteria for the second condition are given by the
following result.
(13) Theorem. Let L be a logic that contains all instances of the
schemata
A10: e > ([while e do a]A > [a][while e do a]A)
All: ->e - ([while e do a]A - A).
Suppose that Z satisfies the closure condition
Cl: [while e do a]A Z only if [a][while e do a]A 6 Z.
Then if M is any model of the form (S/Z,Vz,R(-)) that satisfies the
condition ll(a), we have
\s\M(while e do a)|t| only if {A : [while e do a]A e s n Z} C t.
Proof. Let |s|.M(while e do a)\t\. Then for some n > 0 there exist
points | s o | , - - - ) | s n | , witn SQ = s, sn = t, M \t\ e, and |si|/?(a)|si+1|
and M \=\Si\ e whenever 0 < i < n.
Now let [while e do a]A s n Z. We wish to show that A t.
First we prove by induction on i that [while e do a]A st whenever
0 <i < n.
The case i = 0 holds by assumption. Next assume the result for
some i < n. But e 6 s by Theorem (8), and so as all instances of
A10 belongs to Si we get [a][while e do a]A Si- By Cl this last
formula is also in Z, and hence by II(a), since |s;|.R(a)|sj+i| we get
[while e do a]A Si+i as desired. In particular we can conclude that
[while e do a]A e sn = t. But by Theorem (8) once more, ->e t, and
so we can apply All to obtain A e t. D
The two Theorems 11 and 13 combine as follows.
(14) Theorem. Let L be a logic that is closed under the Iteration Rule
and contains AlO and All. Suppose that Z is finite, satisfies Cl, is
closed under subformulae, and contains all Boolean variables that occur
in e. Then in any model of the form M = (S/Z, Vz,R(-)), if R(a) is a
filtration of fit (a) through Z, then M (while e do a) is a filtration of
RL(while e do a) through Z. D
In order to obtain a full axiomatisation of the formulae true in all
standard models, we need analogues of Cl for the other types of com-
mands we are dealing with. If ML is standard for skip and abort
(when L contains A5 and A6) then A'f(skip) and M (abort) will be
filtrations of .Rt(skip) and Ri(abort), respectively, through Z. More-
over, if ML is standard for /3, where ft is any of (0:1:02), (ai or 02),
(if e then ai else a 2 ), then the property l(/3) will hold with M(/3) in
place of R(/3), provided that I(QI) and 1(0:2) hold. For the condition
!!(/?) to hold however, Z must satisfy further closure conditions, viz.
C2: [ai;a2]AeZ onlyit [ai][a2]AeZ;
C3: [ai or a2]A e Z only if [ai]A, [a2]A 6 Z;
C4: [if e then a\ else a2]A e Z only if [a\]A, [a2]A Z.
(15) Theorem. Suppose that L contains the schemata A7, A8, A9,
and Z satisfies C2, C3, C4- Then in any model M = (S/Z,VZ,R(-)),
if R(oti) and R(ot2) are filiations of RL(ai) and RL(a2) through Z,
respectively, then M(/3) is a filtration of RL(@) through Z, where /3 is
any of(ai;a2), (a\ or a2), or (if e then a\ else 0:2) with all Boolean
variables of e occurring in Z. D
To obtain a filtration that is a standard model, we define
ML/Z = (S/Z,VZlRz(-)),
where
(i) if a is a program letter, then Rz(a) is the least nitration of RL(OC)
through Z if a Z, and 0 otherwise;
(ii) if a Prl, Rz(oi) is inductively defined to be Mi/Z(a).
The idea here, as explained earlier, is that the .Rz(7r)'s, once given,
generate a uniquely determined standard model based on (S/Z,VZ),
and this is the model we take as Mi/Z. In fact the definition of Rz(ir)
is immaterial if TT $ Z, and otherwise it matters only that RZ(K) be
some nitration of RL(H). For then we have the following result, proved
by induction on the lengths of commands.
(16) Theorem. Let L contain all of A5-A10 and be closed under the
Iteration Rule. Then if Z satisfies C1-C4 and is finite, the standard
model ML/Z is a filtration of ML through Z. D
We denote by FPL (Finitary Program Logic) the smallest logic that
contains A5-A10 and is closed under the Iteration Rule. Then any
standard model is an FPL model. To show that FPL consists precisely
of the formulae true in all standard models, we have to show that any
non-theorem A of FPL is falsified by some standard model. But if Z
is a subset of Fma that contains A, is closed under subformulae and
satisfies C1-C4, then if Z is finite the standard model Mppi/Z will be
a finite filtration of MFPL through Z, and hence (by (10)) will falsify A
because the canonical model MFPL does. Our proof will therefore be
complete once we have established
(17) Theorem. For any formula A there exists a finite subset ZA of

Fma that contains A, is closed under subformulae, and satisfies C1-C4-
Proof. Define an ordering < on Fma by declaring B < C to hold iff one
of the following four cases obtains.
1. C is of the form [while e do a]D, and B is the formula
[a][while e do a]D.
2. C has the form [a;/?]>, and B is either [a][0]D 01 [0]D.
3. C is [a or 0]D, and B is either [a]D or [/3}D.
4. C is [if e then a else /3}D, and jB is either [a]D or [/?]D.
Let <* be the reflexive transitive closure (ancestral) of <, and for each
C E Fma, put
C* = {B:B<*C}.
Then by cases 1-4, C* satisfies C1-C4. Hence the set
Z* = \J{C* :C&Z},
for any Z C Fma, is an extension of Z that satisfies C1-C4. But if X is
any set of formulae that is closed under subformulae, then if B < D X,
inspection of cases 1-4 shows that X U {B} is closed under subformulae
as well (this is the point at which we need, in case 2, the extra formula
[P]D that is not required by C2). From this we can establish that in
general if Z is closed under subformulae then so too is Z U C* for any
C Z*, and hence so too is Z*.
Now let us take our given formula A, and put Z/A to be the finite
set of all subformulae of A. Then Z/A is closed under subformulae, and
so from all that we have said it follows that by letting
ZA = (Z/AY
we establish ZA as a set that contains A, is closed under subformulae,
and satisfies C1-C4. It remains then only to show that ZA is finite.
In fact we shall show that C* is finite for any C. Since Z/A is finite,
it will then follow that ZA is the union of finitely many finite sets, giving
our desired conclusion. The basis of the proof is that the relation < is
well-founded on C*. For, in general if B < D, then B and D are of
the form [<x]E and [fl]F, respectively, with a a proper subcommand of
0 and hence a subexpression of length strictly less than that of B. It
follows that there can be no infinitely descending < -chains. Moreover,
each formula has only finitely many immediate predecessors under <
(indeed at most two). In other words, under the relation <, C* is a
finitely-branching tree in which every path is finite. Hence, by Konig's
Lemma, there is an upper bound to the possible lengths of the paths,
and the tree is finite. D
THE SEMANTICS op HOARE'S ITERATION RULE 187
Decidability of FPL
Rather than simply appeal to the all-powerful Konig's Lemma to com-
plete the proof of Theorem (17), we continue the analysis to observe
that the proof itself indicates that the finite set ZA can be effectively
generated, given A, and its number of elements, denoted UA, thereby
effectively calculated. First of all, the set Z/A of subformulae can be
generated by direct inspection of A. Then each C* can be generated: if
C is of the form [a]B, then the size of C* is determined by the nature
and complexity of a , and the four cases making up the definition of <
provide a set of rules for generating C* as a finite tree. Otherwise, C*
is just {C}. In this way we obtain UA, and hence the upper bound 2nA
on the size of the model MFPL/ZA that has A true iff MFPL does.
We can now say that \TFPL A iff A is true in all models with at most
2nA elements. But then our analysis yields an algorithm for deciding
theoremhood in FPL, for the procedure of generating all of the standard
models up to a prescribed finite size and testing the truth of a given
formula in each of them is an effective one.
An Alternative Axiom
Although All is the natural axiom to use for the proof of Theorem (13),
in the presence of the Iteration Rule it can be weakened to
A12: -ie > -Awhile e do ajfalse,
which is the special case of All in which A is false. We have
(18) Theorem. If L is closed under the Iteration Rule and contains all
instances of A12, then L contains all instances of All.
Proof. We first show that
(i) [while e do a]->e, and
(ii) ->e > (A > [while e do a]A)
are always L-theorems in the presence of the Iteration Rule. For (i), if
A is any tautology (e.g. false > false) then the formula
e/\A -> [a]A
is true in all models, hence in ML, and so is an I/-theorem. Applying
the Iteration Rule, we conclude that
\-L A > [while e do a](A A ->e).
Since A is true in ML, so too then is [while e do a](A A ->e), and hence
[while e do a]->e, making the latter an L-theorem.
For (ii), given A we take B to be (->e A A), so that
e A - > [a]B
is an instance of a tautology, hence an L-theorem. Thus we get
\~L ->e A A > [while e do a](B A -ie).
From this it follows easily that (ii) is true in ML, and so is an L-theorem.
To show that All is an L-theorem it suffices to show that it is true
in ML, for which we can now use the fact that A12 and any instance of
(ii) are true in ML- The argument from here on is very general: it works
in any model. For, suppose that ->e is true at s. We wish to show that
([while e do a]A A) is also true at 5. So, let [while e do a]A hold at
s. Since A12 is true, there must exist a t with s.R(while e do a)t. Hence
we have A true at t. Now if A were not true at s, applying the instance
of (ii) that has ->A in place of A, we would get [while e do a\->A true
at 5, hence ->A true at t - a contradiction. Thus A must be true at s,
as needed to establish the truth of All. D
The reader is invited to develop a more "proof-theoretic" derivation
of All from A12 and the Iteration Rule.
An Infinitary Rule
Given e 6 Bxp, a e Cmd, and A E Fma, a sequence of formulae
An(e,a), for all n < LJ, is defined by putting
A0(e,a) = (-.e->A)
An+1(e,a) = (e->[a]An(e,a)).
Then in any model it is the case that
\=3An(e,a) iff (s(e ] R(a))nt and \=t -.e) implies \=t A.
Hence in any standard model we get
(=s [while e do a]A iff for all n, |=s An(e,a).
It follows that if ML were standard, then for any L-maximal set 5 we
would have
(19) [while e do a]A 6 s iff {An(e,a) : n < w} C s.
There are instances where s does not satisfy (19), as may be seen by
adapting the counter-example to the standardness of ML given earlier.
However by confining ourselves to those members of SL that do satisfy
(19), we can obtain a kind of canonical model for L that is standard.
For this we need to know that L is closed under various infinitary rules
that have premisses of the type An(e,a). To present these rules in a
systematic way we employ the device of admissible forms, which are
expressions $ generated by the recursive definition
$ ::= w | A > < | [a]$.

Each such <? has a unique (and innermost) occurrence of the letter w.
Replacing this occurrence by a formula B turns $ into a member of
Fma, which we denote $(B). Then the infinitary rule schema we have
in mind is
(20) If h $(An(e, a)) for all n < u, then h #([while e do a]A).
In Chapter 2 of [23], a canonical model construction is given for logics

that are closed under (20). But this rule preserves the property of truth
in standard models, and so it follows from the characterisation of this
article that FPL is itself closed under (20). In other words, as far as
generating the set of theorems is concerned, the infinitary (20) reduces
to the finitary Iteration Rule (the reader may enjoy the challenge of,
conversely, deriving the Iteration Rule from a suitable instance of (20)).
On the other hand, the difference between the two rules emerges at the
level of the deducibility relation "X \~i A". If we allowed the use of
(20) in deriving A from X, then more formulae would become derivable
from certain sets X than would be derivable with only the Iteration
Rule. Then we would have a logical system with the same theorems (i.e.
formulae derivable from 0) as FPL, but with fewer consistent sets of
formulae. For instance, the set X used earlier to show that ML was not
standard would no longer be consistent.
To put these observations in full perspective, we should note that the
commands studied in this paper are generated by primitive "program
letters" TT, rather than actual commands, such as assignments. Thus we
have been concerned with the logical structure, or form, of commands,
rather than the logic of actual commands. Similarly, the members of
Fma represent, not actual assertions about actual programs, but only
the prepositional "shape" of assertions. Actual programs have variables
in them that take values in various data types (numbers, strings, truth-
values). To study assertions about such programs we need to move to the
level of first-order languages with quantifiers for individual variables. At
this level the infinitary proof theory is unavoidable: not only does the set
of theorems become undecidable - it is not even effectively enumerable
(cf. [23] for details).
Segerberg's Axioms For Dynamic Logic

The language of prepositional dynamic logic PDL (cf. FISCHER AND
LADNER [16]) differs from the language of this paper in that the class of
commands is specified by
a :: IT \ abort | a\;a-z \ a\ or a^ \ Al \ a*.

Al is the command "test A" , with the standard model condition
and the characteristic axiom

\AT\B ~(A-+ B).
In our present language, el can be denned as
(if e then skip else abort).
a* is the non-deterministic command "do a some finite number of times"
and has the standard model condition
An axiomatisation of the P>L-formulae true in all standard models was

first announced by SEGERBERG [87], and the proof found independently
by PARIKH [70], Dov GABBAY (unpublished) and SEGERBERG [88]. The
construct a* is handled by two axioms:
(21) [a*]A->A/\[a][a*]A, and

(22) Af\[a*}(A->[a}A}-*[a.*}A.
(21) is an analogue for a* of the combination of our A10 and All, as

may be more clearly seen from the fact that the conjunction of AlO and
All is equivalent, by PC, to
[while e do a]A > (->e > A) A (e > [a][while e do a]A).
Axiom (22) plays a similar role to the Iteration Rule, and is itself re-
placeable by an analogous rule, viz.
(23) if \-A-+[a]A then \-A^[a*]A.
Any logic that contains (21) will contain (22) iff it is closed under (23).
To derive (23) from (22) is straightforward via the a* -Termination Rule.
For the converse, replace A in (23) by the whole of the antecedent of
(22) and apply principles that hold for all logics.
In PDL, the commands (if e then a else /?) and (while e do a)
are defined, respectively, as
((e?;a)or(-.e?;/3)), and ((e?;a)*;-.e?).
Using these definitions, our axiomatisation of FPL can be derived in
PDL.
8
An Abstract Setting for Henkin

Proofs
ABSTRACT. A general result is proved about the existence of max-

imally consistent theories satisfying prescribed closure conditions. The
principle is then used to give streamlined proofs of completeness and
omitting-types theorems, in which inductive Henkin-style constructions
are replaced by a demonstration that a certain theory "respects" a cer-
tain class of inference rules.
By a Henkin proof is meant an application of the technique introduced

by Henkin [43] for constructing maximally consistent theories that sat-
isfy certain prescribed closure conditions. The method is to build up
the desired theory by induction along an enumeration of some relevant
class of formulae, with choices being made at each inductive step to in-
clude certain formulae, in such a way that when the induction is finished
the theory has the properties desired. The character of this procedure
is neatly captured in a phrase of Sacks [78, p. 30], who attributes its
importance to the fact that it "takes account of decisions made at inter-
mediate stages of the construction".
In this article the Henkin method is used to derive a general principle
about the existence of maximal theories closed under abstract "inference
rules". This principle may then be used to give alternative proofs of
standard completeness and omitting-types theorems, proofs in which
the Henkin method is replaced by a demonstration that a certain theory
"respects" a certain class of inference rules. This alternative approach
is illustrated by a re-working of the completeness and omitting-types
theorems for first-order logic and countable fragments of LOOW , as well as
for the completeness of modal predicate logic with the Barcan formula,
and modal prepositional logic with infinitary inference rules.
191
8.1 The Abstract Henkin Principle

Consider a formal language that includes a constant false sentence -L,
and a negation connective -i. Let .
Let h be a subset of 2* x <P, i.e. a binary relation from the powerset
of $ to <. For F C $ and (p e <, write F h </> if (r, <p) belongs to h, and
F Y- (p otherwise. The relation h is called a deducibility relation on $ if
it satisfies
Dl: If r h y> and T C 4, then Z\ h </>;
D2: If v? F, then r h <p;
D3: If T h (p and T U {<p} h 1, then r h J_;
D4: T U {-.</?} h J_ iff T h <p.
A subset .T of < is called h-consistent if T F _L, and finitely h-
consistent if each finite subset of J1 is h-consistent in this sense. J" is max-
imally \--consistent if it is h-consistent but has no h-consistent proper
extension in $. Replacing "h-consistent" by "finitely h-consistent" in
this last definition yields the notion of F being maximally finitely h-
consistent.
Now from Dl it follows that any h-consistent set is finitely h-
consistent. The relation h is called finitary if, conversely, it satisfies
D5: Every finitely h-consistent set is h-consistent, i.e. if F h _L, then

for some finite /o C r, TO h J_.
If C is a collection of finitely h-consistent subsets of $ that is linearly
ordered by set inclusion, i.e. F C A or A C F for all F, A C, then the
union (JC of C is finitely h-consistent. This follows immediately from
the fact that any finite subset of U C is a subset of some F e C. Thus if
P = {AC$:rcA & ziis finitely h-consistent},
then under the partial ordering of set inclusion P fulfills the hypothesis
of Zorn's Lemma. From the latter we deduce
LINDENBAUM'S LEMMA. Every finitely h-consistent subset of $ has

a maximally finitely \--consistent extension in $. d
(Note that this result uses no properties of h other than the definitions
of the concepts referred to in the statement of the Lemma.)
An ordered pair (77, x) with U C $ and x 3> will be called an
inference in $. As motivation, the reader may care to think of H as a
set of "premises" and x as a "conclusion", but the notion of inference
AN ABSTRACT SETTING FOR HENKIN PROOFS 193
is quite abstract and applies to any such pair. A set F will be said to
respect the inference (II, x) when
(r I- <p, all </? e 77) implies r h \.
F is dosed under (II, x) if
n c r implies x e r.
F respects (is closed under) a set I of inferences if it respects (is closed
under) each member of J.
The cardinality of a set X will be denoted cardX. If K is a cardinal
number, then X is K-finite if cardX < K. A K-finite extension of X is a
set of the form X U Y with Y /t-finite. In other words a /t-finite extension
of X is a set obtained by adding fewer than K elements to X.
Theorem 8.1.1
Let h be a finitary deducibility relation on <&. If I is a set of inferences
in $ of cardinality K, and F is a \--consistent subset of $ such that
every K-finite extension of F respects J,
then F has a maximally h-consistent extension in $ that is closed under
T.
This theorem will be established by first separating out that part
of its content that does not involve Lindenbaum's Lemma. To do this
requires a further concept: a set F C $ will be said to decide (II, x) if
either x F, or for some if e II, -xp F.
F decides a set of inferences if it decides each member of the set.
The following result holds for any deducibility relation.
Lemma 8.1.2
(1) IfF decides (II, x) and F C A, then A decides (77, x).
(2) If F decides (II, x), then F respects (II, x).
(3) If F is finitely \--consistent, and F decides (II, x), then F is closed
under (II, x)-
(4) If F is \--consistent, and F respects (II, x), then for some ip 6 $,
F(J {tp} is \--consistent and decides (II,x)-
Proof.
(1) Immediate.
(2) Suppose r h (p, all V} h -L, i-e. T h 1. But then by Dl,
F U {->x} I- -L, and so by D4 again, F h x- Hence r h x-
(3) Suppose r decides (77,x), and 77 C r. Then if x i -T, -^ 6 F

for some ip 77 C T. Now by D2, {?/>} h ip, and so by D4,
{tp, -T0} I" -L- But -f^, ->î} C F, so then 7/1 is not finitely h-
consistent.
(4) If F(J {-p} is h-consistent for some <p. Otherwise, for all tp 6 77, F U {~v} h J_, and so by
D4, r h (p. But r respects (77, x), hence T h x- Since TV- , D3
then implies that F U {x} ^ -L, so the result follows with V> = X-
D
ABSTRACT HENKIN PRINCIPLE. Let \- be a finitary deducibility

relation on <?. If I is a set of inferences in $ of cardinality K, and F is
a \--consistent subset of$ such that
(*) every K-finite extension of F respects T,
then F has a \~-consistent extension A that decides I.
Note that by applying Lindenbaum's Lemma to the h-consistent ex-

tension A given by the conclusion of this result, an extension of F is
obtained that is maximally h-consistent (since h is finitary), decides I
by Lemma 8.1.2(1), and hence is closed under I by Lemma 8.1.2(3).
This argument proves Theorem 8.1.1.
To prove the Abstract Henkin Principle, let {(77a,xa) : a < K} be

an indexing of the members of I by the ordinals less than K. A sequence
{Aa : a < K} of extensions of F is then defined such that
(i) Aa is h-consistent;
(ii) /17 C /iQwhenever 7 < a;
(m) card(îa - F) < a, hence Aa is a K-finite extension of F;
and such that Aa+i decides (77 a ,Xa)- The definition proceeds by trans-
finite induction on a.
Case 1: If a = 0, put Aa = F, so that Aa is h-consistent by
assumption, and card(Zia - F) = 0 = a.
Case 2: Suppose a = /3 + 1, and assume inductively that Ap has
been defined such that (i)-(iii) hold with /3 in place of a. Then as Ap
is a K-finite extension of F, the hypothesis (*) on F implies that Ap
respects (Up,xp). Hence by Lemma 8.1.2(4), there is a if> & $ such that
Ap U {^} is h-consistent and decides (77^, xp)- Put Aa = Ap U {ip}, so
that (i) holds for a. Since Ap C Aa, and 7 < a iff 7 < /?, (ii) follows
readily. For (iii), since Aa - F C (Ap - F) U {^}, card(/\a - F) <
Case 3: Suppose a is a limit ordinal and that for all ft < a, Ap has
been denned to satisfy (i)-(iii). Put
A" = U,3<a As-
Then (ii) is immediate for a. For (i), observe that Aa is the union of a
chain of h-consistent, hence finitely [--consistent, sets Ap, and so Aa is
finitely h-consistent as in the proof of Lindenbaum's Lemma. But h is
finitary, so Aa is then h-consistent. For (iii), observe that
(Aa - r) = U
and note that by the inductive hypothesis, if /3 < a then ca,id(Ap F) <
/3 < a. Thus (Aa F) is the union of a collection of at most card a
sets, each of which has at most card a members. Hence ca,rd(Aa - F) <
carda < a.
This completes the definition of Aa for all a < K. Now put
Then by the argument of Case 3, A is a h-consistent extension of F.

Moreover, for each /? < a, Ap+\ decides (IIp,xp) by Case 2, and so A
decides (IIp,xp) by Lemma 8.1.2(1). D
8.2 The Countable Case

In the proof of the Abstract Henkin Principle, the assumption that h
is finitary is used only in Case 3, and in the final formation of A, to
show that the union of an increasing sequence of h-consistent sets is h-
consistent. But if K, is countable, then Case 3 does not arise. Case 2 is
iterated countably many times, and then A is constructed as the union of
the Aa's. Then if h is not finitary, A may not be h-consistent. However,
it will at least be finitely h-consistent, and this gives the following result.
COUNTABLE HENKIN PRINCIPLE. Let h be any deducibility re-

lation on $. If T is a countable set of inferences in $, and F is a
\--consistent subset of $ such that
(*) r U r respects I for all finite C $,
then F has a finitely \--consistent extension that decides T. D
(By Lindenbaum's Lemma, the extension of F deciding % in this result
can be taken to be maximally finitely h-consistent.)
The Countable Henkin Principle will be used below to prove an
omitting-types theorem for countable first-order languages, and the com-
pleteness theorem for countable fragments of LOQU,. The analysis given
here provides one way of "putting one's finger" on the role of countability
restrictions in such applications.
If the ambient formal language has a conjunction connective, allowing
the formation of the conjunction /\ S of any finite subset of $, then
a natural constraint on h would be to require that for all F C $, and all
y e *,
r u \- (f iff r u {A } i- 9.
A deducibility relation satisfying this condition will be called conjunc-
tive. Thus for a conjunctive deducibility relation, the hypothesis (*) in
the Countable Henkin Principle can be weakened to
F U {4>} respects J for all ip 6 .
Applications
8.3 Completeness for First-Order Logic

Let L be a set of relation, function, and individual-constant symbols, and
F a set of sentences in the first-order language of L that is consistent
under the standard deducibility relation of first-order logic.
The Completeness Theorem asserts that F has a model. To prove
this, a new language K = L U C is formed by adding to L a set C of new
individual constants of cardinality K, where K is the maximum of cardL
and NO- The usual construction of a model for F involves two phases.
Phase 1: F is extended by the "Henkin method" to a maximally
consistent set F* of K-sentences such that for each K-formula ip(x) with
at most one variable (x) free,
(a) if 3xp e r*, then <p(c) F* for some c C.
Phase 2: A model 21* is defined, based on the quotient set C/~,
where ~ is the equivalence relation
c ~ d iff (c = d ) e r * .
For each K-formula ip(xi,... ,xn), this model satisfies
(b) a*M[ci/~,...,c n /~] iff V(ci,...,c n )e.r.
In particular, 21* |= a iff a F*, where a is any K-sentence, so as
rcr*,2i* f=r.
The Abstract Henkin Principle of this article may be used to give
a succinct development of Phase 1. For this, let <? be the set of all
first-order sentences of K, and I- the standard (finitary) first-order de-
ducibility relation on $. Then F is h-consistent. The key property of h
that will be used is
(c) if A h v(c), and the constant c does not occur in A or <p(x), then
A \-
Now the closure condition (a) on F* in Phase 1 is equivalent to:
if <p(c) e r* for all c C, then Vx<p(x) r*,
i.e. to the closure of F* under the inference
Vc = (Mc):c6C},Va; V >(a;)).
Let I be the set of inferences <pc for all first-order K-formulae <p with
one free variable. The number of such formulae is K, since cardK = K.
Hence card J = K. Thus to prove the existence of F* it suffices to show
that if A is a K-finite subset of <, then
F U A respects 1.
But if card/i < K, then for any (p, card(^ U {tp}) < K, since K is infinite.
Hence fewer that K members of C appear in A U {(f}. But none of these
constants appear in F. Thus if
r U A h- y>(c) for all c C,
then
r U A h (p(c) for some c not occurring in F U A U {</?},
and so by (c),
8.4 Omitting Types

Let L be a countable language, and G the set of all first-order L-formulae
all of whose free variables are among xi,...,xn. A consistent subset S
of G is called an n-type if it has no proper consistent extension in G, or,
equivalently, if for each tp EL G, exactly one of if), ~^ belongs to S. An
L-structure 21 realises an n-type S if there are individuals ai, . . . ,on in
21 such that
21 1= (p[ai, . . . ,an] for all <p .
21 omits S if it does not realise S.
If r is a consistent set of L-sentences, then an n-type S is principal
over F if there is some </? such that
r h ^ - V for all ^ r.
The basic omitting-types theorem asserts that if S is not principal over
F, then JT has a model that omits S. The proof is a refinement of
the proof of the completeness theorem sketched above, and the required
model is the structure 21* given there.
To simplify the exposition, let be a 1-type. Since each individual
of 21* is of the form c/~ for some c 6 C, to ensure that 21* does not
realise S it suffices, by clause (b) of the description of 21* to show that
for each c 6 C there is some formula ip(x\) S such that ip(c) 0 F*.
Since -L ^ F*, this amounts to requiring, for each c C, that F* be
closed under the inference
I7c = (MO-'>},!).
Lemma 8.4.1 For any ^-sentence a, F(J {&} respects EC.
Proof, a may contain members of C other than c. To simplify the
notation again, let a contain just one C-constant, d, other than c.
Suppose that
ru{<T(c,d)}h v (c),
and hence
(d) rho-(c.d) -<p(c), forallî) S.
Then as c and d do not occur in F, it follows that
r I- Bx2a(x 1,2:2) - <P(XI), for all ip(xi) S.
But 3o:2<7 (#1,0:2) G, and so 3x2<r(xi,X2) & S, or else S would be
principal over F. Since is a 1-type, it follows that ->3x2&(xi, x2) ,
and so by (d),
F \- <r(c, d) - ->3:r2cr(c, x 2 ).
But
r h <r(c, d) -> 3x2(7(c, 12),
by a basic axiom of quantification logic, and so F \- cr(c, d) > _L, hence
ru{o-(c,d)}l-.
D
Now as C is countable, there are countably many rules of the form Sc-
Since the standard deducibility relation of first-order logic is conjunctive,
the lemma just proved applies to the Countable Henkin Principle and
yields, with Lindenbaum's Lemma, a maximally (--consistent extension
F* of F that is closed under Sc for all c C. But K is countable,
since L is countable, and so there are countably many inferences of the
form tp, for tp a K-formula with at most one free variable. Hence if
the latter inferences are added to the He's, there are still only countably
many inferences involved altogether, and so jT* can be taken to be closed
under each y>c as before.
In fact the whole argument can begin with a countable number of

types, not just one. Each type will contribute a countable number of
inferences of the form EC, and so, as a countable union of countable sets
is countable, this will still involve only countably many inferences alto-
gether. Thus with no extra work, other than these observations about
the sizes of sets of inferences, it may be concluded that any countable col-
lection of non-principal types is simultaneously omitted by some model
of T.
8.5 Completeness of Infinitary Logic

The infinitary logic LOOU, generated by a language L has a proper class of
individual variables, and a proper class of formulae obtained by allowing,
in addition to -up and Vv<p, formation of the conjunction f\ & of any set
\P of formulae (disjunction being definable by /\ and -> as usual).
The deducibility relation for infinitary logic has, in addition to the
defining properties of deducibility for first-order logic, the axiom schema
A # -> <f if (p for all (f> e #,
then
Each formula involved in the following discussion will be assumed to

have only a finite number of free variables. This restriction is justified
by the fact that it includes all subformulae of infinitary sentences.
A fragment of LOOW is a set L^ of Loo^-formulae that includes all
first-order L-formulae and is closed under ->,V, finite conjunctions, sub-
formulae, and substitution for variables of terms each of whose variables
appears in L^ (cf. [3, p. 84]).
A "weak" completeness theorem [3, Section III. 4] asserts that if LA
is a countable fragment of LOO^ and r1 is a set of L^-sentences that is
consistent, then jT has a model. To prove this, let C be a denumerable set
of new constants, K = LuC, and K^ the set of all formulae obtained from
formulae </? e L^ by replacing finitely many free variables by constants
c C. Then K^ is countable, and is the smallest fragment of K^^, which
contains LA- A crucial point to note is that each member of K^ contains
only finitely many constants from C.
Now let <? be the (countable) set of sentences in K^, and h the
restriction of the KooW-deducibility relation to $. To obtain a /"-model,
F is to be extended to a subset F* of $ for which the definition of the

model 21* can be carried through as for first-order logic, and for which
the condition
(b) a* M[CI /-,... >Cn /~] iff v(c!,...c n )er*
can be established for each formula ^(x-\.,...,xn) that belongs to KA-
Then 2t* will be a T-model, as F C T*.
In order for (b) to hold for all K^-formulae it is sufficient (and nec-
essary) that the following hold.
(i) F* is maximally finitely h-consistent: this is sufficient to ensure that
21* is well-defined; -.</? T* iff (p F*; T* for all <p 6 J1*; and if
V:r</? 6 r* then <p(c) 6 T* for all c e C.
1
(ii) r * is closed under the inference tp^ for each K^-formula ip with at
most one free variable.
(iii) If /\ !? e K A , and ? C T*, then /\ !? 6 T*, i.e. if A ^ 6 K A , then
r1* is closed under the inference (!?, /\!?).
Since K^ is countable, there are countably many inferences involved in
fulfilling (ii) and (iii). Hence by the Countable Henkin Principle, and
Lindenbaum's Lemma, it suffices to show that for all a 6 $, F U {a}
respects each such inference. The proof that .TU {a} respects ^ is just
as for first-order logic, since, as noted above, a has only finitely many
constants from C, while F has no such constants.
For an inference of the form (!?, /\ !?), observe that if
F U {a} h (p for all < p & ,
then
r h a -+ if for all ip !?,
so
hence
D
It is left as an exercise for the reader to formulate and derive an omitting-
types theorem for countable fragments of LOO^.
8.6 Completeness for the Barcan Formula

In modal first-order logic, formulae are generated from a language L by
means of the modal connective D in addition to the usual connectives
and quantifiers of classical first-order logic. One notion of model for this
logic is a structure of the form
where W is a non-empty set, R is a binary relation on W, and {21 :

w W} is a collection of classical first-order L-structures that are all
based on the same underlying set A, and all give the same interpretation
in A to any constant from L (cf. [94]). The relation
21 \=w vlv]
of satisfaction of formula (p at w in 21 by valuation v (OQ, . . . , an, . . .)
is defined by induction on the formation of (p. The key conditions are
21 \=w (p[v] iff 2lw (= tp[v], if (p is atomic;
21 \=w O<p[v] iff for all z such that wRz, 21 1=2 <p[v\\
21 \=w Vxnip[v] iff for all a A, 21 ^=w tp[v(n/a)],
where the sequence v(n/a) is identical to v except in having a as its n-th
term. The classical truth-functional connectives are treated as usual.
A formula (p is true in 21 if 21 \=w (p[v\ holds for all w W and all
valuations v. The Barcan formula
BF :
then turns out to be true in all models. For countable languages it was
shown in [94] that BF can be used as a schema to give an axiomatisation
of the set of sentences made true by this semantics. We will now show
how to formulate this completeness proof with the help of the Countable
Henkin Principle.
Let h be the finitary deducibility relation that results from extend-
ing the standard proof theory of first-order logic with identity by the
additional modal axioms BF and
K . n( (n<? -> avo,
Id: x ^ y -> Ox ^ y,
and the rule of Necessitation:
from if derive Otp.
Then the schema
Id+ : x = y > Ox = y,
is (--derivable.
Let F be a h-consistent set of sentences in the modal language gen-
erated by L. In order to construct a model (as above) that satisfies F
at some point, we proceed just as in Section 8.3 to form a new language
K = L U C, with C a new set of constants, and extend F to a maximally
consistent set F* of modal K-sentences that is closed under the rules y>c
for all modal K-formulae if with one free variable. Let Dg* be the set
{(c = d) : c,d 6 K & (c = d) e T*} U {(c d) : c,d K & (c = d) $ F*}
of all equations and inequalities between K-constants that are true of
the structure 21* described in Phase 2 of Section 8.3. We call Dg* the
diagram of/1*.
In general, a set A of sentences will be said to be ^-complete if it
respects all of the rules <f. A is V-closed if it is closed under these rules.
For maximally consistent A these two notions coincide, since A h (p if,
and only if, ip A.
Let Wp be the set of maximally consistent V-closed sets of modal
K-sentences that contain the diagram Dg*. Define a binary relation Rp
on Wp by putting
ARr6 iff {<p : Dip A} C 0.
Each A t^r determines a classical K-structure 2l/\, defined as for the
model 21* in Phase 2 of Section 8.3. Since Dg* C A we have
(c = d) e A iff (c = d) r*
for any c, d K, and this ensures that all structures 21^ are based on
the same set, and give the same interpretation to each constant c 6 K.
Put
2lr = (Wr,Rr,{*A A e Wr}>.
For each K-formula i^(x\,... ,), this model satisfies
(t) arKitf[ci/~,...,c n /~] iff V ( c i , . . . , O e A
From this it follows that 2lr |=r* -T, establishing the desired complete-
ness theorem.
The proof of (f) proceeds by induction, with V-closure taking care
of the case 1(1 "ix(p. For the case if> Otp, the part that is not
straightforward is to show
(t) // O<f $ A, then <p O for some 0 6 Wr with ARr9.
Lemma 8.6.1 // a set of modal K-sentences is V-complete, then so
is S U {a} for any modal ^-sentence a.
Proof, (cf. [44, Lemma, p. 3]) Suppose that tp has only x free, and
17 U {a} h <p(c)
for all c C. Then for all such c,
h a -> <p(c).
But a > >(c) = (<r -+ >)(<:), since cr is a sentence, so the V-completeness
of then implies
S h VX(CT -+ tp).
Hence
h tr
as cr does not have x free, and this gives
S U {<r} h
1
establishing that Z U {<r} respects the rule <p. D
The essential role of the Barcan formula in proving (J) is contained
in the following result.
Lemma 8.6.2 // a set of modal K-sentences is V-complete, then so
is
S/n = {(r: S\- Da}.
Proof, (cf. [94, p. 59]) Using the axiom K and the rule of Necessitation,
one shows that for any T/>,
v iff
Thus if Zyn I- <p(c) for all c e C, then for all such c we have S h
so the V-completeness of S implies S h Va;D<p. Hence by BF we infer
h DVzv?, and so /D h Vxtp. D
We are now in a position to prove (J), and thereby finish the complete-
ness proof. Assuming that L is countable, it follows that K, and hence
the set of K-sentences, is denumerable. Thus the Countable Henkin
Principle can be applied.
Suppose Dtp A. Let
00 = 4/Du {->}
6>0 is consistent, or else A/H h ip, implying that \3 so if a e Dg* then a A,
whence Do- & Aby the schemata Id and Id+, giving a G Z\/D C 6>0-
Now A is V-complete, so by Lemma 8.6.2, A/0 is V-complete. Then
by Lemma 8.6.1, 6>o is V-complete. But then applying Lemma 8.6.2
again, 6>o U {cr} is V-complete for all K-sentences a. Thus by the Count-
able Henkin Principle and Lindenbaum's Lemma, <9o has a maximally
consistent extension 0 that decides all inferences (p^.
Since Dg* C 6>0 and 0 is V-closed, we get 0 Wr. Since A/H C 6>0
we get ARr. Finally, since ~v e 0o> we nave V ^ - a
8.7 Infinitary Rules in Modal Logic

The Ancestral Rule
Consider a prepositional language which, in addition to the classical
truth-functional connectives, has two modalities D and H. An ancestral
model for this language is a structure
M = (W,R,V),
with R a binary relation on set W, and V a valuation assigning a subset
V(p) of W to each prepositional variable p. The relation M. \=w A of
truth of formula A at w in M it defined by
M \=w p iff w V(p);
MFWA_ i.e. not M \=W-L',
M 1= A - B iff M \=w A implies M (=, B;
M \=w OA iff for all z such that wRz, M \=z A;
M \=w mA iff for all z such that u>R*z, M \=z A,
where R* is the ancestral (reflexive transitive closure) of relation R. For
a set F of formulae we write M \=w F to mean that M \=w A holds for
all AT.
Formula A is true in M, M \= A, if M \=w A for all w W. The
set
{A : M \= A for all ancestral M}.
is a normal multimodal logic in the sense of [32, 5], and its properties
are well understood. It can be viewed as a fragment of the dynamic logic
analysed in 10 of [32], and is axiomatised by adding to a standard basis
for classical Prepositional Calculus the axioms
K: O(A -> B) - (OA -> DB),
Mix: A->AhD\*\A,
Ind : (A - DA) -> (A
and the rule of Necessitation for D and B:
from A derive OA and
The deducibility relation F h* A is defined to mean that for some n
there exist BO, ..., Bn-\ e F such that the formula
B0 -> (Bi - > ( . . - - (B n _j - 4) )
is derivable in the axiomatic system just described. When n = 0, i.e.
when A itself is so derivable, we write h* A. Then it can be proved that
h* A iff for all ancestral M, M \= A,
or equivalently,
every l-*-consistent formula is satisfiable (true at some point)

in an ancestral model.
Ancestral models define a natural semantic consequence relation \=*,
given by putting
r \=M A iff for all w & W, M \=w F implies M \=w A;
and then
r f=* A iff for all ancestral models M, r \=M A.
However, whereas the notion "h* A" proof-theoretically characterises
truth in ancestral models, the full deducibility relation F h* A is not
equivalent to F \=* A. While h* is finitary, (=* is not, and in general
F h* A implies F \=* A, but not conversely. To see this, consider
formulae of the form DnA, defined inductively by
aA
n+l
=A,
H A = DDM.
The Ancestral Rule is the set of all inferences of the form
(there are denumerably many such inferences, given denumerably many

formulae A).
This Rule is preserved by |=*, in the sense that
{ D M : n > 0 } \=M A
for all ancestral M. But we do not have {DM : n > 0} h* HA For
example, if p is a propositional variable, and
Fp = {D>:n>0}U{-.Ep},
then Fp is not satisfiable in any ancestral model, but each finite subset
of Fp is so satisfiable. Indeed if M is an ancestral model of the form
(w,R,V), with R the successor relation on u> and V(p) = {0, ...,m},
then
M (=0 {Onp :n<m}\J {-.Hp}.
Thus Fp \=*, but any finite F0 C Fp has F0 J^*.L, and so F0 F*-L
Hence every finite subset of Fp is h* -consistent. Since I-* is finitary, it
follows that Fp itself is [-"-consistent, so T P /*J_, and
(notice that this is essentially the same example as that used in the
previous chapter to show that the canonical model for Finitary Program
Logic is not standard).
The most common approach to completeness theorems in modal logic

is to build models whose points are maximally consistent sets of formu-
lae. If "consistent" here means h*-consistent, then this will not produce
ancestral models, since there will be points, such as those containing Fp,
which are not closed under the Ancestral Rule. The relation I-* is weaker
than (=*, so to proof-theoretically characterise the latter, h* will have to
be strengthened in some way, at least by adjoining the Ancestral Rule.
The effect will be to reduce the number of consistent sets, eliminating
such sets as Fp.
A General Approach
We will now take up the matter of adjoining infinitary rules to modal
logics in a general context, and return later to applying our results to
the Ancestral Rule.
Let ^ be the set of formulae of a countable prepositional language
that includes the classical truth-functional connectives and a modal con-
nective D. Consider the following properties of a relation h from 2* to
&
PC: F \- A if A is a tautological consequence of F.
CT: lfF\-B for all B A, and A h A, then F\- A.
DT: r U {A} h B implies r h A -> B.
IR: F \- B implies (A -> F) h A -> B,
where
(A -> T) = {A - C : C 6 T}.
BR: F\- A implies OF I- HA,
where
nr = {OB . B e r}.
Here PC stands for "Prepositional Calculus", CT for "Cut Rule", DT
for "Deduction Theorem", IR for "Implication Rule", and BR for "Box
Rule".
Lemma 8.7.1 // h satisfies PC, CT, and DT, then it satisfies IR, and
F h A -> B implies F U {A} h B.
Proof. Suppose F (- B. Since PC gives
(A -* F) U {A} \- C, for all C 6 -T,
it then follows by CT that (A -> F) U {A} h B. Hence by DT,
(A -+ F) h A -> B,
establishing IR.
Next, suppose r h A -> B. But by PC, F U {A} h C for all C 6 T,

so this yields F U {A} h A - 5 by CT. Since {A -> B, A} h 5 and
F\J{A}\-A (both by PC), CT then gives FU{A}\~B. D
We will write h A to mean that 0 h A, where 0 is the empty set of
formulae. Since D0 = 0, it follows that when h satisfies the Box Rule it
must also satisfy Necessitation:
if h A then h DA
Now fix a relation h satisfying PC, CT, DT, and BR (hence IR). Then
I- is a deducibility relation, since conditions D1-D4 of Section 8.1 can
be derived from PC, CT, and DT, as the reader may verify.
Let T be a countable subset of 2* x $, i.e. a countable set of inferences,
that is included in h:
(r, A) e J implies r h A
Let Jw be the smallest extension of J in 2^ x <P that satisfies IR and BR,
in the sense that
(r, A) e Jo- implies (D/1, D4), (B -+ F, B - A) J w -
Then Jw is countable, because $ is countable and so there are only
countably many instances of IR and BR that need be added to X to
obtain Tw. Also, since h satisfies IR and BR, it extends Jw:
(r, A) 6 Iu implies F \- A.
A set Zi of formulae will be called (I, \~)-saturated if
A is maximally finitely h-consistent, and
A is closed under J w , i.e.
if (r, A) Jw and r C A, then A A
Being maximally finitely h-consistent is enough to ensure that member-
ship of A reflects the classical truth-functions, i.e.
L^ A
-lAeA iff AD
A-* B e A iff Ae A implies B A
etc., but whether A is actually h-consistent, rather than finitely h-
consistent, is not evident. To show this it would be enough to show
that A was h-deductively closed, in the sense that
AhA implies A E A,
for then A h_L would give {_L} C A, contrary to A being finitely h-
consistent. But if A were not deductively closed, then A h A and
A $ A for some A. Hence ->A A, and so by D4, A h_L.
Thus the question as to whether a (I, h)-saturated A is h-consistent

is equivalent to the question as to whether A is h-deductively closed.
Prom the finite h-consistency of A we can conclude that A is finitely
h-deductively closed in the sense that
if AQ h A for some finite A0 C A, then A 6 A,
hence in particular
h A implies A e A,
but the question of full deductive closure is one that we will have to set
aside for now, and resolve later (cf. Corollary 8.7.7 and the discussion
following it).
Lemma 8.7.2 (Extension Lemma) Every \--consistent set of formulae
has a (I, \-)-saturated extension.
Proof. This is a direct application of the Countable Henkin Principle.
Let be h-consistent. Then for any formula A, we show that
U {A} respects Jw.
For if (F, C) E Iu and U {A} \- B for all B 6 F, then by DT
\- A - B for all B 6 F.
But
(A -> T) h A - C,
since Iw is closed under IR and contained in h. Hence by CT
h A - C,
whence by Lemma 8.7.1 T U {A} h C.
Thus indeed U {A} respects Jw. But h is conjunctive (by PC
and CT), so by the Countable Henkin Principle and then Lindenbaum's
Lemma, has a maximally finitely h-consistent extension that is Jw-
closed. D
Lemma 8.7.3 (Box Lemma) // F is (I, \-}-saturated and DA F,
then there exists a (I, \~)-saturated A with A A and
{B : OB T} C A.
Proof. In finitary modal logic, this result is obtained by showing that
the set
{fl : DB e T} U {-.A}
is h-consistent, and then applying a version of the Extension Lemma
to obtain the desired A (as in the proof of (}) in Section 8.6). Now if
this set were not h-consistent, then using the properties D4 and Dl of a
deducibility relation as well as BR we could conclude that F h HA. If
AN ABSTRACT SETTING FOR HBNKIN PROOFS 209
F were h-deductively closed, this would then contradict the assumption

that OA F. However we do not know at this stage whether F is in fact
h-deductively closed (cf, the discussion prior to the Extension Lemma).
Thus in the absence of an assumption that h is finitary, the Box
Lemma requires a more detailed analysis. The proof we give now is a
refinement of the proof of the Countable Henkin Principle, and for this
purpose it is convenient to use the dual modality O, given by OC =
-iD-iC. Two general facts that will be needed are
(i) If OB, OC e T, then O(B A C) 6 T;

(ii) If OC <E P, then for any B, one of O(C A B), O(C A ->B) is in F.
To prove (i), observe that PC and BR give

{OB,a-^(B AC)} h CHC,
so if OB, OC 6 T then D->C $. f, so finite h-deductive closure of T
implies D-i(B A C) F, hence ->D->(5 A C) F as desired.
The proof of (ii) is similar, using the fact that
{D-.(C A B), H->(C A -.)} h D--C.
Now let
FD = {B : HB e r}.
Then Fa is denumerable, since < is, and so FD\Jlu is denumerable. Let
We construct an increasing sequence

A) C C An C
of finite sets such that, for all n < u,
(in) if o- e rn, then an e ^n+i;

(3n) If ffn J w , then An+i decides an.
First put AQ = {->A}. Now -ÔA T, since D^ ^ T, and O->A 6 T
follows readily from this, giving (10).
Next, make the inductive assumption that An has been defined and
(!) holds. If <Tn 6 r n , then Dern F, so as O(/\Z\ n ) e T, result (i)
above implies O(&n A (/\ Zin)) 6 F. Thus putting
4n+1 = An U {<7n}
makes O(A^n+i) A so (l n +i) and (2 n ) are fulfilled, and (3n) holds
vacuously.
If however <jn e J w , let o-ra = (17,5). By (l n ) and result (ii),
either O((/\An) A B) e T or O((A^ n ) A-.B) e T.

If O((/\An) A B) 6 r, then putting /\n+1 = 4n U {B} makes (l n+ i)
true, and as B An+i, An+i decides (S,B), so (3n) is true.
Alternatively, when O((A An) A ->B) e jT, we have
- B r.
But
since (E,B) Iw and Iw satisfies IR and BR (indeed this is why we

needed to introduce Iw!). Since the (I, h)-saturated set F is closed
under !, there must then exist some C with D((A An) ~^> C) F,
whence O((A Ai) A ->C) 6 T. Hence putting An+i = An U {--C1} makes
(l n+1 ) and (3n) true.
This completes the definition of the A^s satisfying (l n )-(3 n ). Each
An is (--consistent, for if An \- then by PC and DT, I>(A An), hence
using Necessitation we get O->(/\ An) F. But in view of (l n ), this
contradicts the fact that F is finitely (--consistent.
It follows that
A = (Jn<^n
must be finitely h-consistent, and in view of (2n) have F^ C Au. More-
over by (3n), Au decides Jw. Hence the desired A can be taken to be any
maximally finitely h-consistent extension of Au. Since -<A AQ C A,
A $. A. 1u is decided by Au, and thus by A, so A is closed under Jw.
As -Tp C AU C A, this completes the proof of the Box Lemma. D
Ancestral Logic
We now return to the prepositional language of D and EL Let Ja be the
Ancestral Rule, i.e. the (denumerable) set of all inferences of the form
({DM:n>0},[*L4).
Define h to be the smallest relation from 2* to $ such that
(10) h a satisfies PC, CT, DT, and BR;
( 2 a ) ( F , A ) e I a implies r h" A;
(30) {A}l-a A/\A.
The last condition is a version of the axiom Mix. Using it, by PC, CT,
and BR, we can inductively derive
{mA} h OnA.
From this it follows that any (Ja,ha)-saturated set A satisfies
(40) SA e A iff {DM : n > 0} C A.
Lemma 8.7.4 (Soundness) // \-a A, then (=* A.

Proof. If M is an ancestral model, then (la)-(3a) hold when \-a is
replaced by \=M . Since h a is denned to be the smallest relation satisfying
these conditions, \-a A implies \=M A. D
Now consider the ancestral model
Ma = (Wa,Ra,Va),
where
. Wa = {A C $ : A is (X,H a )-saturated},
FRaA iff {B : DB e F} C A,
. V a ( p ) = {A & Wa : p e A}.
Lemma 8.7.5 (Truth Lemma) For any formula A, and any F 6 Wa,
Ma\=rA iff A r.
Proof. The case A = p holds by definition of Ma, the inductive cases
of the truth-functional connectives are given by the previously observed
membership properties of saturated sets, and the case of D follows from
the Box Lemma (8.7.3). For the case of H, use the fact that any ancestral
model satisfies
M \=w A iff for all n > 0, M \=w DM,
and apply (40). D
Theorem 8.7.6 (Completeness)
\-a A iff \=* A iff \=M" A.
Proof. It is evident that the implications hold from left to right. But if
Ya A, then U {-Â} is ha-consistent (D4), so is contained in some
r 6 Wa by the Extension Lemma 8.7.2. Then by Lemma 8.7.5,
Ma \=r and Ma r A,
and so T^" A. D
Corollary 8.7.7 If F is (l,h a ) - saturated, then F is ^-closed and
maximally \-a -consistent.
Proof. Suppose F h a A. Then F ^=M A by Soundness (8.7.4), and
Ma (=r r by Lemma 8.7.5, so Ma \=r A, hence A F.
Consequently if F were not ha-consistent, then F h a _L, whence J_e
F, contradicting the fact that F is finitely (-"--consistent. Thus F is h a -
consistent, and cannot have any l-a-consistent extensions, since it has
no finitely (-"-consistent extensions. D
A Better Approach ?
At the beginning of the discussion of the proof of the Box Lemma 8.7.3,
we observed that the proof would be rather short if we knew that (I, h)-
saturated sets were h-closed. We have just established that this is indeed
true in the (Ia,\-a) case, but the result was obtained as a corollary to
the Truth Lemma 8.7.5, which itself depends on the Box Lemma.
A similar analysis could be carried out for other infinitary modal
logics (i.e. other pairs (I, h)). In each case a model would be built out of
saturated sets, leading, via a Truth Lemma, to the proof-theoretic result
that maximally finitely consistent sets closed under certain inferences (I)
are in fact maximally consistent and deductively closed.
We might ask whether it is possible to obtain such a result by purely
proof-theoretic means. Can we make a syntactic construction that ex-
tends any h-consistent set to a maximally h-consistent T-closed set with-
out making a model-theoretic detour to get there ?
We will answer this question in the next chapter.
Related Principles
The Countable Henkin Principle is intimately related to the Principle
of Dependent Choice in set theory and the Rasiowa-Sikorski Lemma for
Boolean algebras. A discussion of these connections may be found in
[27].
A Framework for Infinitary Modal
Logic
9.1 Introduction
In prepositional modal logic there are certain systems, defined by a
notion of semantic consequence F (= A over some class C of models, for
which the following obtains.
(1) The set
{A: (= A}
of formulae true in all models from C is characterised by a finitary
proof relation K We have
hA iff \=A,
giving the completeness property:
every h-consistent formula is f=-satisfiable (i.e. satisfi-
able in some C-model).
(2) The relation F \= A is not compact: there are cases where F \= A
but A A for all finite f 0 C T. Then T U {-vl} is not |=-
satisfiable, but all of its finite subsets are. It follows that the
relation F (= A has no finitary proof theory, and so the relation h
of (1) is not strongly complete for (=: there are (--consistent sets
of sentences that are not j=-satisfiable.
Natural examples of this situation arise when there is a pair D,E] of
modal connectives for which the binary relation interpreting H in a
Kripke model is the reflexive transitive closure of the relation interpret-
ing D. We studied this in the Ancestral Logic of the previous chapter.
It also applies to Temporal Logic, where D means "at the next moment"
and SI means "from now on" [32, 9], as well as to Program Logic, where
213
D means "after program a terminates" and 00 makes the same assertion

about the iteration a* of a (cf. Chapter 7, or [32, 10]).
For logics of this type, the semantic relation |= can only be char-
acterised proof-theoretically by the use of infinitary rules of inference.
One approach to this is to construct models whose points are sets of for-
mulae that are maximally finitely consistent and closed under infinitary
rules. In the analysis we gave for Ancestral Logic it turned out, as a
consequence of the resulting completeness theorem, that these sets are
actually maximally consistent, not just finitely consistent, and deduc-
tively closed, not just finitely deductively closed.
The problem then suggests itself of making a purely proof-theoretic
construction of sets of this last type: maximally h-consistent sets with
specified closure properties, where h is a non-finitary proof relation.
This issue will now be taken up and resolved in a way that gives a
proof-theoretic explanation as to why certain maximally finitely con-
sistent sets turn out to be fully consistent and deductively closed (cf.
Corollary 9.3.6). To achieve this we develop in a general setting the ap-
proach first used for Program Logic in [23, Chapter 2], and work out the
details for an n-ary modality n(>li,..., An), rather than just a unary
connective.
Although Section 8.7 is recommended reading for motivation of what
follows, the present chapter has been written to be self-contained. This
has involved only a small amount of repetition.
9.2 Truth and Deducibility
Models
Let $ be the (denumerable) set of formulae of a prepositional language
that has a countable set of atomic variables, and whose connectives
include _L, >, and an n-ary connective D (and possibly others). The
other standard truth- functional connectives ->, A, V, <- are taken to be
defined in terms of J. and >, while O, the dual connective to D, is
given by
In order to handle formulae containing the connective D, we may use

substitutional notation. This if
we denote by C^[5] the formula

. . . ,Bi~i,B,Bi+i, . . . ,Bn),
A FRAMEWORK FOR INFINITARY MODAL LOGIC 215
obtained by replacing A by B in the indicated position in C.

To define models, we use structures
M = (W,R,\=),
where R is an n + 1-placed relation on the set W, and \= is a satisfaction
relation between points of W and formulae, i.e. a subset of W x <P. We
write
M \=WA
whenever the pair (w, A) belongs to the relation (=.
A structure M of this type will be called a model if
(ml) MWL i.e. not M \=WL;
(m2) M \=w A -> B iff M \=w A implies M \=w B;
(m3) M \=w O(Ai,... ,An) iff for all z\,..., zn such that
R(w, z\,..., zn) there exists
i < n with M \=Zi Ai\
and consequently
(m4) M \=w 0(^1,... ,An) iff there exist z\,..., zn such that
R(w, z\,..., zn) and for all
i < n, M (=Zi A{.
We put M \=w r if M \=w A for all A e F. Truth in the model M is
defined by
M\=A iff for all w W, M \=w A,
and semantic consequence is defined by
r\=M A iff for all w e W, M \=w F implies M \=w A.
Observe that if C = D(J3i,... ,Bi-i,A,Bi+i,..., J3n), then in any
model:
A1 (= A implies X \= C;
M |= CA\B -+ >] - (CU[B] -> CA[D]).
Note that the more common practice in modal logic is to define a model
as a structure (W, R, V), with V being a function that assigns a subset
V(p) of W to each atomic variable p. Then (ml)-(m3) serve to define
the relation M \=w A inductively, starting from the base
M \=w p iff w V(p).
Here we are taking a different approach because we wish to develop a
very general theory that allows our object language to have additional
unspecified connectives. (ml)-(m3) are the minimum conditions that M
must satisfy in order to be a model, but there may be other conditions
to be imposed, depending on which particular language or logical system
we apply the theory to.
For instance, if I is a, subset of 2* x <, then a model M will be called

1-sound if
(r, A) 6 J implies F \=M A
for all T C < and A <.
Typically here J will be the set of all instances of some rule of in-
ference, and so an J-sound model is one whose semantic consequence
relation preserves this rule.
Logics
In this chapter, a logic will mean a set A of formulae that includes all
tautologies and is closed under Detachment:
if A, (A->B)e A, then B e A.
A is a normal logic if it is closed under Necessitation:
A&A implies D(5i,... ,,-1, A,Bi+l,... ,Bn) 6 A,
and contains all instances of the schema
K: CA[B^D]-+(CA[B]->CA[D])
where C = D ( B i , . . . , -Bi_i, A, Bi+i,..., Bn) (when D is a unary modal-
ity, this is the standard definition of normality ([32, p. 20]).
From what we noted above about the truth relation M \= A, for any
model M the set
{A:M\=A}
of formulae true in M is a normal logic.
If A is any logic, then a A-model is a model M such that M \= A,
i.e. M \= A for all A e A. If I C 2* x <, then the set
AI = {A: M f= A for all J-sound yl-models .M}
is a normal logic that contains A and is closed under J:
if (r, A) e J and T C /LJ, then 4 AT.
We might ask for the exact relationship between A and AI. Is AX the
smallest normal logic extending A that is closed under I ? An answer
to that question will be given in Corollary 9.5.3.
A more general question concerns the semantic consequence relation
\=AI determined by A and J, where
T \=M A iff r\=M A for all J-sound ^-models M.
The problem is to axiomatise \=AI'- to give a purely proof-theoretic
characterisation of this relation. We will see that this can be done in a
very satisfactory way for countable J.
Deducibility
If A is a logic, then A is h A-deducible from F, F \-A A, if for some n
there exist B0, , Bn-i e F such that the formula
Bo -> (Si - ( ---- * (Bn-i -+ A) )
belongs to vl (in the case n = 0 this means that A ./I). We write hyi .4
when 0 \~A A. Hence
\-AA iff At A.
Consider the following properties of a relation h from 2* to #:
PC: F h A if .A is a tautological consequence of F.
CT: If r h B for all B <E A, &nd A\- A, then r h A.
DT: r U {4} I- B implies r h A -+ 5.
IR: r h B implies (A - T) h A -+ B,
where
(A - T) = {A -> C : C e T}.
BR: r h A implies
where O(B\.,. . . ,Bi-i,F,Bi+i,. . . , B n ) is the set
Here PC stands for "Prepositional Calculus", CT for "Cut Rule", DT

for "Deduction Theorem" , IR for "Implication Rule" , and BR for "Box
Rule".
For any model M, the semantic consequence relation \=M satisfies
all five of these properties. For any logic A, the yl-deducibility relation
\-A satisfies PC, CT, DT, and IR. h^ satisfies BR if, and only if, A is
normal.
Lemma 9.2.1 // H satisfies PC, CT, and DT, then it satisfies IR, and
F \- A -c B implies F U {A} h B.
Proof. (As for Lemma 8.7.1.) Suppose r t- B. Since PC gives
(A -> T) U {A} t- C, for all C F,
it then follows by CT that (A - F) U {A} h B. Hence by DT,
(A - T) h A -+ B,
establishing IR.
Next, suppose r h vl -^ B. But by PC, r U {A} h C for all C F,
so this yields r U {A} h A -* B by CT. Since {4 -> B, A} h B and
r U {A} h A (both by PC), CT then gives r U {A} h B. D
Let \~AI be the smallest relation from 2* to <? such that

\-AI extends \-A: P h/ A implies f HAZ A;
\~AI extends I: (F, A) J implies F \-A? A;
\-Ai satisfies CT, DT, and BR.
Then from the above, VAT also satisfies PC and IR. Our main result
(Theorem 9.5.2) is going to be that when A is normal and T is countable,
\~AI characterises \=AI'-
r VAI A iff r h/ii A.
Here are some properties of h/u that will be needed below.
Lemma 9.2.2
(1) A 6 r implies F \-AI A.
(2) (Monotonicity) // F \~AI A and F C A, then A h/u A.
(3) (Detachment) IfF\-Ai A and F\-Ax A-* B, then F \-AI B.
(4) // r \-AI A and F U {A} h AI _L, then F\-Ai.
(5) I f F u {-Â} \-AI , then F \-AX A.
Proof.
(1) If A G F then r \-A A by the tautology A > A. But \-Ai extends
bi.
(2) If T \-AI A and F C Z\, then A \-Ai B for all B 6 F by (1), so CT
yields A \-Ai A.
(3) We have {A, A B} \-Ai B, since h^j extends h^, so the desired
result follows by CT.
(4) If T \-AX A and T U {A} h AI _L, then T h/u A - by DT, so (3)
gives r hyii _L.
(5) If T U {-.A} h,n -L, then F \-AI Â -> by DT. Then apply the
tautology (->A ->) -> A and CT.
9.3 Theories
Let I be a subset of 2^ x $. Define Iw to be the smallest extension of 1
in 2* x $ that satisfies IR and BR, in the sense that if (F, A) e Z^ then
(B->r,B-> A) and
belong to Jw .
For any model At, the semantic consequence relation \=M satisfies
IR and BR. Hence if \=M extends I it must also extend Jw. In other
words, any I-sound model is T.a -sound.
Lemma 9.3.1 If I is countable, then so is la.

Proof. Let JQ = 1, and inductively let Jn+i be the result of adding to
Tn all pairs of the form (B -+ F, B A) and
for which (F,A) e !. Then Iw = U n<w !.

But if Jn is countable, then so is Jn+i, since $ is countable and so
there are only countably many pairs to be added to In to form In+i-
Thus if TO is countable, then Tw is a countable union of countable sets,
hence is countable. D
From now on let A be a fixed normal logic, and X a fixed countable

subset of 2* x <?. A Al-theory is a set A C $ such that
AC A;
A is closed under Detachment:
if A, (A - B) e A, then B e A;
9 A is closed under Jw :
if C A, and (, A)lw, then A A
The intersection of any collection of yU-theories is a /U-theory. This
implies that there is a smallest /U-theory, and we will prove (Corollary
9.5.3) that this is just AI itself.
Moreover, for any set F of formulae there is a smallest AJ-theory
that contains F. We describe the members of this theory in terms of
another relation \-\-j- from 2* to $. Define
F h+j A iff A e {}{A : F C A and A is a AJ-theory}.
Thus F \-\x A if, and only if, A belongs to every yU-theory containing
F. Consequently, AZ-theories are \~\x -closed: it is immediate from the
definitions that
if F is an Al-theory and F \-\T A, then A F.
This point will be important later, and will be used to prove that \-\T
and hyij are in fact the same relation.
Theorem 9.3.2 (Soundness) F V\T A implies F \=AI A.
Proof. Suppose F \-\T A. Let M be any J-sound /1-model and suppose
M [=w r. We have to show M \=w A. Put
A = {B:M^=WB}.
It is enough to show that A is a yU-theory containing F, for then as
F \-\x A we get A A as desired.
It is straightforward from our assumptions that F U A C A and A

is closed under Detachment. But as noted earlier, an Z-sound model is
2a,-sound, and from J^-soundness it follows that A is Jw-closed. D
Theorem 9.3.3 \~\x extends h/i and T, and satisfies CT, DT, and BR.
Proof.
(1) That F H/i A implies F \-\T A follows readily from the fact that
yU-theories contain A and are closed under Detachment.
(2) That (F, A) e J implies F \-\T A follows immediately from the fact
that /11-theories are closed under T.
(3) CT: If T \-\T B for all B A, and A \-\T A, then any yU-theory
containing F will contain A, and hence A. Thus F \-\x A.
(4) DT: Suppose F U {A} \-\T B. Let
AîC-.rÂ^C}.
We want to prove B A, so by our supposition it is enough to
show that A is a /U-theory containing FU {A}.
Now since C (A > C) is a tautology, it belongs to A, and this
leads to F h+j A -> C, hence C A in case that C e T or
C /I. Similarly, using the tautology A > A we get /4 A. Thus
/I U T U {A} C A
Next, to show that A is closed under Detachment, suppose C and
C > .D are in /I. Then the tautology
(A -> C) -> ((A - (C - >)) - (yl -I?))
1
leads to J hjj /4 > ), as desired.
Finally, to show A is closed under Xu, let (Z1, C) Jw and suppose
Z1 C A Then T hjz A -> for all D Z1. Hence any /U-theory
containing T will contain A > H. But
(A - 17,/4 -> (7) e J w ,
since Iw was defined to satisfy IR, so every /IT-theory containing
F will contain /I ^^ C, being J^-closed. Thus C 6 A.
This completes the proof that A is a yll-theory containing F\J{A},
and hence the proof that h Jj satisfies DT.
(5) BR: Suppose T \-+AI A. To show
D(î,..., Bi-i, r, Bi+i,..., Bn) \-AI C,
where C = D(Bi,... ,Bi-i,A,Bi+i,... ,Bn), take any /11-theory
S that contains D(Bi,..., B,_i, J1, Bi+i,..., Bn), and put
A={B:\3(B1,...,Bi-i,B,Bi+i,...,Bn)eS}.
We want to show C 6 S, i.e. A 6 A, so as F hjj A it suiBces to

show that A is a yll-theory containing F.
The definitions immediately give F C A. Since yl is normal, Ne-
cessitation implies that if B A then (^[B] /I, so C^[5] G S,
hence B 6 A Thus yl C A.
Also from normality, contains all instances of the schema
K: CA[B^D}^ (CA[B] -> CA[D]),
so as is closed under Detachment, this shows that if B D, B 6
/i, then CA[.D] S, whence D e A. Thus /i is closed under
Detachment.
Finally, to show that A is Z^-closed, suppose (0,D) Jw and
0 CA. Then CA[@] C , where
CU[0] = {C^[B] : B 0}.
But (C/i[@],CU[-D]) e Iw, since Jw satisfies BR, and S is Iw-
closed, so CA[] e S, hence D e Z\.
This completes the proof that \-\T satisfies BR, and hence the
proof of the Theorem.
D
Corollary 9.3.4 F \-Ai A implies F \-\T A.

Proof. \-Ai was denned to be the smallest relation satisfying the prop-
erties just proven for \-\-j- in the Theorem. D
Consistency
A set F is \-fix -consistent if F Y-AiL, and finitely \-Ai -consistent if each
finite subset of F is h/u-consistent. F is negation complete if
for all A , either A e F or ->A 6 F.
Lemma 9.3.5
(1) // F is finitely \-Ai -consistent, then so is one of F \J {A} and F \J
{~>A} for any A.
(2) // F is negation complete and finitely \-AI -consistent, then F is
closed under Detachment and contains A.
(3) // F is finitely \-AT -consistent, then F is maximally finitely \-Ai -
consistent if, and only if, it is negation complete.
Proof. Most of these are familiar results from standard (finitary) prepo-
sitional logic, but we go over the arguments to see just what properties
of the deducibility relation \~AT are involved.
(1) If the conclusion of (1) fails, T0 U {,4} \-AT _L and A U {-Â} \-AI J_
for some A and some finite subsets F0, PI of F. Then by DT and
Monotonicity (9.2.2(2)), we get
r0 U A \-AT A ->-L, and T0 U A \-AT Â ->J_ .
But as
by tautological consequence, applying CT leads to the conclusion

that FQ U A \TAI -L, so F is not finitely h/u -consistent.
(2) Let r be negation complete and finitely I-Ax -consistent. Then F is
closed under Detachment, for if A, A > B F but B F, then
->B F, so F contains the finite \-Ai -inconsistent set {A, A >
B^B}.
To show A C r, assume A & A. Then (-iA _L) /I, so {-"A} is
a finite h^j -inconsistent set. Hence ->A $. F, and so A G F.
(3) Let F be maximally finitely f-yij -consistent. Then for any formula
A, (1) implies that one of F U {A} and F U {->A} is equal to T,
hence one of A and -i^4 is in F. Thus 71 is negation complete.
Conversely, if F is finitely \-Ax -consistent and negation complete,
let r ^ /i. Then there exists A A with -iA e T, so 4 con-
tains the h^j -inconsistent set {A,->A}. Hence F has no finitely
I- AJ -consistent proper extensions, i.e. is maximally finitely \-AI-
consistent.
D
Corollary 9.3.6 // F is maximally finitely h/u -consistent and 1U-

closed, then F is a negation complete AX-theory that is \-Ax -closed and
(maximally) \-Aj -consistent.
Proof. If F is maximally finitely \-Ai -consistent and Jw-closed, then by
(3) and (2) of Lemma 9.3.5 it is also negation complete, contains A and
is closed under Detachment, so is a ylJ-theory.
Thus if T \-AI A, we have F \-+AI A by Corollary 9.3.4, so A F
because Al-theories are \-\T -closed. This shows that F is \-Ax -closed.
Consequently, if F were h/u -inconsistent, i.e. F \-Ai _L, then {.L} C
F, contrary to the fact that F is finitely \-Ai -consistent. Finally, F
has no proper \-AI -consistent extensions, since it has no proper finitely
\-Ai -consistent extensions. D
Maximal Theories
A maximal AX-theory is a yU-theory that is h^j -consistent and nega-
tion complete. Such a theory has no proper I-A% -consistent extensions,
and indeed has no proper finitely \- AT. -consistent extensions, by Lemma

9.3.5(3). Corollary 9.3.6 shows that a set is a maximal AZ-theoiy if, and
only if, it is maximally finitely \- AT. -consistent and 2^,-closed.
Lemma 9.3.7 (Extension Lemma) Every \-j\z -consistent set can be ex-
tended to a maximal Al-theory.
Proof. Suppose F is h^j -consistent, i.e. rV-j^L. Let

AO, . . . , An, ......
be an enumeration of the set <? of all formulae, and
(O,BQ), . . . ,(sm,Bm), ......
an enumeration of Jw, which is countable since I is (Lemma 9.3.1). Let
AQ F, so that AQ is h/u -consistent by hypothesis.
Now assume inductively that An has been defined, and is h/u-
consistent. If An \- AT. An, put
An+l = AnL\ {An},
so that An+i is h/u -consistent by Lemma 9.2.2(4).

If however An V- AT An, we have possible two cases. If An ^ Bm for
any m, put
An+l =An\J{->An},
which is hyjj -consistent by Lemma 9.2.2(5).
Alternatively, suppose An = Bm for some m. Then observe that
An (J {Ân} AI Bm
i.e.
or else by DT and the tautology (-<An > An) > An we would contradict
the assumption An- AI An.
But Sm \~ AX Bm, as \- AT. extends 1^ (since it extends J and satisfies
IR and BR). Hence by CT there must be some formula C G Sm with
Put
An+i = An\J{->An,^C},
which again is \-/a -consistent by Lemma 9.2.2(5).
This completes the inductive definition of the sets An, each of which
is VAT. -consistent. Now put
A
= Un<u,4n.
Then A is our desired extension of F. To see this, observe that A

is finitely \-AT -consistent, since any finite subset of A is contained in
some An and so must be h/u -consistent, or else by Monotonicity this

would contradict the \~AI-consistency of An. Also it is clear from the
construction that A is negation complete. Thus by Lemma 9.3.5(3), A
is maximally finitely \~AI -consistent.
The construction also guarantees that A is Z^-closed, for if Bm $ A,
where Bm = An, then An An+i, so An PAI An. But we arranged
in that case that -<C 6 An+i for some C Sm, so C $ A or else
->C, C e Ap for some p, contrary to \~AI -consistency of Ap.
Thus all told, A is a maximally finitely \-ja -consistent and Zw-closed
extension of F, and hence by Corollary 9.3.6 is a maximal h^j-theory.
D
We can now show that h/u and \~\x are identical:
Corollary 9.3.8 F \-\T A implies F \~AI A.
Proof. HTY-AT A, then F\J{Â} is \-Ai-consistent by Lemma 9.2.2(5),
so by the Extension Lemma there is some maximal AT-theory A with
F \J {-*A} C A. Then A $ A as A is (finitely) \~AI -consistent, so A is
a yU-theory which contains F but not .A, showing that F Y\x A. D
9.4 The Box Lemma

Our ultimate aim is to show that \-î axiomatises the semantic relation
f=Ar, and to do that we will build an I-sound A-model MAI based on
the set
WAI = {F : F is a /11-maximal theory}.
The n+1-placed relation RAI on WAI that interprets the n-ary modality
D is defined by specifying that
^(r.î,...,^)
is to hold if, and only if, for any formulae Ai,...,An,
if D(Ai,... ,An) F, then for some i < n, Ai Ai.
Using the dual modality O and negation completeness, this last condi-
tion is equivalent to:
if Ai Ai for all i < n, then O ( ^ i , . . . , An) F.
The satisfaction relation in MAI will have
M \=r A iff A F,
AI
so to prove M obeys model-condition (m3) we will need the following
result.
Lemma 9.4.1 (Box Lemma) // F 6 WAI and n(Ai,...,An) $ F,

then there exist Ai,...,An WAI such that RAI(F, AI,..., An) and
Ai $ Ai for all i <n.
In the case n = 1 the proof of this Lemma is quite direct: we simply
show that the set
{,4 : DA T} U {--A}
is h/ij -consistent, and apply the Extension Lemma to get the desired
A. If the set were not \-Ai -consistent, then {^4 : DA F} h AT. A, so
by BR, {OA-.OAeP} [-AI HA, whence F \-AX OA by Monotonicity.
But F is \-Ax -closed, so this contradicts the hypothesis OA ( F.
In the general case n > 1, the proof is more complicated because
we have to construct n maximal theories connected by the relation
RAI(F, A\,..., An). For finitary logics it is possible to systematically
build Ai,...,An one after the other (cf. [28, Theorem 2.2.1] for an al-
gebraic version of this). But here we have to ensure that the A^s are
all Jo, -closed, and it seems that to do this we need to inductively define
them all simultaneously. For this we will need the following technical
results.
Lemma 9.4.2
(1) // \-AI Bi -> d for all i < n, then
\-AI D ( B i , . . . ) B B ) - D ( C 1 , . . . ) C n ) .
(2) LetO(Bl,...,B^l,A,Bl+i,...,Bn)FWAI. Then
(i) The formula A is h^j -consistent.
(ii) For all B $, one of the formulae
O(Bi , . . . , J3t_i , A A B, Bl+l, ...,Bn),
is in F.
(3) // (S, C) e Jo, and
then
for some E S.
Proof.
(1) By BR, AI is a normal logic, so satisfies the rule of Necessitation
and contains the schema K. (1) can then be obtained by repeated
application of these.
(2)
D = D(-.Bi, . . . , -.Bi_i, -.
so that C = ->D.
(i) If yl is not hî -consistent, then "A, so by Necessitation
\-AI D. Then D f, as T is -closed, so C T as T is
hîi -consistent.
(ii) Tautologically we have
so by BR
A B], D^(A A -5)]} hyii D
Therefore if C F then > $ f, so one of the formulae
DÂ(Af\B] and DÂ[->(A/\->B)} must fail to be in F. Hence
the negation of one of these formulae is in F, which is the
desired conclusion.
(3) Let
and
so that H = ->FA[->(D A -.C)]. Then ^[-.(D A -.C1)] T, so

FA[(D A -iC) > C] ^ F (using an instance of result (1)). But
since (S,C) G Jw and Tu satisfies IR and BR,
(FA((D A -C) A C])
where
FA[(D A -.C) - T] = {FA[(D A -.C) - E] : E e 17}.
It follows that for some E , FA[(D A -.C) - ] ^ T, whence
A ->C A -iE)] F, which is the desired conclusion.
D
We are now ready to embark on the proof of the Box Lemma, starting
from the assumption
Let
BQ , . . . , Bm , ......
be an enumeration of the set $ of all formulae, and
an enumeration of 1a. The theories Ai,...,An 6 WAI are constructed

in such a way that each Ai is a union
\J{A? :m<Lj}
of finite sets A. Defining D to be the conjunction of the members of
A, we will show
For the base case m = 0, put A = {->Ai}. Then Df = ->Ai, so from

our initial hypothesis and negation completeness of F we have
(lo) 0(Z>;,...,A ? ,...,^)er.
Now make the inductive assumption on m that A has been defined
for all i with 1 < i < n, and that (l m ) holds. We proceed by an inner
induction on i to define A+1 for 1 < i < n in such a way that (l m +i)
is satisfied.
For 1 < j < n, we will prove that
(2,-) 0(D?+i,...,D+\D+11...,DZ)F.
Then (2n) is exactly (l m +i).
So, fix i with 1 1, or (1TO) when i = 1,
Lemma 9.4.2(2)(ii) ensures that
m+1
C-H <^>Cn
V L/ nm+l nm A p ryrn. nm\ C- F
(.1) V- 1 I ' - ' j - ^ i - l iL>i A "m) -î+li i-t'n / fc J
If Em ^ -,Cfc for any jfc < u, put Z\f +1 = Z\f U {Em}. Then Df+l =
D A Em, so (20 holds by (f).
If however Em = -iCfc for some fc, then from (f) and Lemma 9.4.2(3),
there exists E Sk such that
(i) 0(>r+1, . ,D+ 1 ,Dr A #m A -.,!, ...,>) e r.
Then put A?+l = A (J {Em, -.}, so that (J) implies (20-
This completes the induction on i with m fixed. But that takes care
of the induction on m, and completes the definition of A for all m 
and 1 < i < n.
Applying Lemma 9.4.2(2)(i) to (l m ) shows that each formula Df1 is
I" M -consistent, which implies that the set A is h/n -consistent. Defin-
ing
we then have that Ai, as the union of a chain of \-/\i -consistent sets, is
itself finitely h/n -consistent. Since the construction placed one of Bm
and ->-Bm in A+1, Ai is negation complete, and therefore maximally

finitely V AI -consistent. But it is also Tw-closed, for if (Sk, Ck) Iu with
Ck=Bm, and Ck < Ai, then Bm Af+l ,soEm~ -^Bm = ^Ck , and in
that case the construction arranged that for some E Zt, ~>E A+1 .
Hence E $ Ai.
Since Ai is maximally finitely \-Ax -consistent and J^-closed, it be-
longs to WAI (Corollary 9.3.6). Also A{ $ A{ as ->Ai A.
It remains to show RAI(F, A\ , . . . , An) to complete the Box Lemma.
So, let n(jE?i, . . .,Bn) r. We want Bi Ai for some i. If not, then
-i.Bi Ai for all i < n, so we can choose an m with -i5j 6 A for all
z < n. Then h^j D -^ ->Bi, hence h/u ^ - ->D?, so
by Lemma 9.4.2(1). But then D(^D^, . . . ,-/?") 6 T, which contra-

dicts (l m ).
n
9.5 Completeness
Let A be any normal logic, and I any countable subset of 2* x <. The
canonical Al-model is the structure
.MylI = {W MI ) # 1I ,|=) )
with WAI the set of maximal ylJ-theories, RAI defined as at the begin-
ning of Section 9.4, and |= denned by
MAI |=r A iff AzT.
That MAI satisfies model conditions (ml) and (m2) follows readily from
properties of maximal ylJ-theories. (m3) follows from the definition of
RAI and the Box Lemma 9.4.1.
Theorem 9.5.1 (Soundness) MAJ is an I-sound A-model.
Proof. If (, A) I and MAI \=r , then 27 C T, so as T is Tw-closed,
A 6 F, whence MAI \=r A. This shows J-soundness.
Also MAI \=r A for any F e WAI, as AC T. Hence MAI is a
yl-model. D
Theorem 9.5.2 If F C ^ and ^4 ^, ifte following are equivalent.

(1) r \-AI A.
(2) r f-+z A.
(3) r \=AI A.
MAI
(4) r \= A.
Proof. We have already shown that (1) and (2) are equivalent (9.3.4,
9.3.8), and that (2) implies (3) (9.3.2). That (3) implies (4) is immediate
because MAI is an J-sound /l-model.
To show (4) implies (1), suppose F'AI A. Then Tu {->A} is \~AI-
consistent (9.2.2(5)), so by the Extension Lemma 9.3.7 there is some
A e WAJ with r C A and A i A. Thus MAI \=A P and MAX PA A,
showing that rM A. D
Corollary 9.5.3
(1) AX is the smallest Al-theory.
(2) AX is the smallest normal logic extending A that is closed under X ^ .
(3) If X satisfies the rules IR and BR, then AX is the smallest normal
logic extending A that is closed under X.
Proof.
(1) Since
AX = {A: M (= A for all J-sound yl-models M},
and
T \=AI A iff r 1=^ A for all 1-sound yl-models M,
we have
A e AX iff 0 \=AI A.
Hence by the last Theorem,
A&AX iff 0 \-+AT A.
In other words
AX = fl{^ : A is a /11-theory}.
But AX is itself a /IJ-theory, since it contains A and is closed under
Detachment and Xw.
(2) Any normal logic that extends A and is closed under Jw is a AX-
theory, and so contains AX by (1).
(3) If J satisfies IR and BR, then Xu = X, so the result follows from (2).
D
Note
Development of the material of this chapter and Section 8.7 has benefited
from discussions with Krister Segerberg.
10
The McKinsey Axiom Is Not

Canonical
The logic KM is the smallest normal modal logic that includes the
McKinsey axiom
It is shown here that this axiom is not valid in the canonical frame for
KM, answering a question first posed in the Lemmon-Scott manuscript
[59].
The result is not just an esoteric counter-example: apart from inter-
est generated by the long delay in a solution being found, the problem
has been of historical importance in the development of our understand-
ing of intensional model theory, and is of some conceptual significance,
as will now be explained.
The relational semantics for normal modal logics first appeared in
[52], where a number of well known systems were shown to be char-
acterised by simple first-order conditions on binary relations (frames).
This phenomenon was systematically investigated in [59], which intro-
duced the technique of associating with each logic L a canonical frame
FL which invalidates every non-theorem of L. If, in addition, each L-
theorem is valid in PL, then L is said to be canonical. The problem of
showing that L is determined by some validating condition C, meaning
that the //-theorems are precisely those formulae valid in all frames sat-
isfying C, can be solved by showing that J~L satisfies C - in which case
canonicity is also established. Numerous cases were studied, leading to
the definition of a first-order condition Cv associated with each formula
(p of the form
where 9 is a positive modal formula.

It was proven in [35] (cf. also Section 1.15) that the condition Cv
231
is satisfied by the canonical frame for the logic with axiom (p. This
result was also obtained independently by Sahlqvist [79], who broadened
the class of formulae to which it applied, essentially by allowing the
antecedent of f to be any implication-free formula in which no variable
occurs positively in a subformula of the type Oî or (tpi V ip?) that
is itself within the scope of a D (cf. [80] for a recent discussion of the
result). The McKinsey axiom is the simplest formula not (equivalent to
one) meeting this criterion, and so the main result of the present paper
indicates that there is no natural way to extend Sahlqvist's scheme to
obtain a larger class of canonical formulae.
The class of all frames for KM is not elementary, i.e. is not char-
acterised by any set of first-order conditions. This was shown in [99]
by a Lowenheim-Skolem argument, and in [34], where failure of closure
under ultraproducts was demonstrated. The latter work was then ex-
tended [37, 17] to prove that any class of frames that determines KM
must fail to be closed under ultraproducts, and hence fail to be elemen-
tary (this material may be found in Section 1.17 of the present volume).
This suggests that it would not be easy to establish whether KM was
determined by its Kripke frames at all (Lemmon had conjectured in [59]
that every logic is thus determined, but this was shown not to be so by
Thomason [96, 97] and Fine [13]). That matter was soon resolved, how-
ever, by Fine [14], who gave completeness theorems for a general class of
formulae by an analysis of normal forms. In particular, he showed that
KM is determined by its finite frames, and is decidable.
The first general result about the connection between first-order de-
finability and canonicity appeared in [15]: if the class of all L-frames
determines L and is closed under first-order equivalence, then L is canon-
ical. An example was also given of a logic for which the converse is false.
It was also proved [15, Theorem 3] that if L is determined by some
elementary class, then L is canonical. This clarified the example just
mentioned, since that logic had been shown to be canonical by showing
that it was determined by a first-order condition which was satisfied by
the canonical frame, but not satisfied by all frames for the logic.
It is plausible to conjecture that the converse of Fine's latter result
is true, i.e. that
if L is canonical, then L is determined by some elementary
subclass of its frames
(an approach to this is sketched in [29], where the problem is reduced to
showing that if L is canonical, then L is preserved by ultrapowers of FI
- cf. Theorem 11.5.1 of this volume). Until now KM has been the one
potential obstacle to this conjecture, as the only logic that was known
THE McKiNSEY AXIOM Is NOT CANONICAL 233
not to be determined by any elementary class, but whose canonicity was

unresolved. If the conjecture is true, it will undoubtedly hold also for
other non-classical logics, including multi-modal systems and extensions
of intuitionistic propositional logic, and will provide a most satisfactory
explanation for the observed connections between intensional and first-
order logic.
Frames and Models

All modal formulae will be constructed from a fixed denumerable set
{pn : n < LJ} of propositional variables by the Boolean connectives
A, V, -i, >, and the modal D. O may be defined as -iD-i.
A frame is a structure f = (X,R), with R a binary relation on
non-empty set X. If x X, put Rx = {y X:xRy}. The members
of Rx are the R-alternatives of x. T is generated by a point g X if
X = {y:gR*y}, where R* is the reflexive transitive closure (ancestral)
of R.
A model M. = (X, R, V) on frame (X, R) is given by a valuation V
which assigns a set V(p) C X to every variable p. V(p) is to be thought
of as the set of points at which p is true. The satisfaction relation
"formula tp is true/satisfied at x in M" , written M \=x ip, is defined
inductively, with
M KP iff z e V(p),
M\=xUv iff RxC{y.M\=y<p},
and the Boolean connectives treated as usual, so that
M K O} 0.
(f is true in model M, M \= <p, if it is true at all points in M, and valid
in frame F , T \= (p, if it is true in all models on T .
Logics
A (normal modal) logic is a set L of formulae that contains all tautologies
and all instances of the schema
and is closed under Detachment (Modus Ponens), and the rule of Ne-
cessitation, i.e.
(f> e L implies Dtp L.
The intersection of any collection of logics is a logic, and so for any set
F of formulae there is a smallest logic containing J".
The members of a logic L are the L-theorems. An L-model is one
in which all L-theorems are true, and an L-frame is one in which all
L-theorems are valid.
A set F of formulae is L-consistent if ->(p L for any conjunction

(p of finitely many members of F. For this to hold it suffices that every
finite subset FQ of F be L-consistent. Hence it suffices that any such
finite FQ be satisfied at a point in some L-model (for the negation of
the conjunction of FQ is then false at that point, and so cannot be an
L-theorem).
There is only one logic that is not self-consistent, viz. the class of all
formulae. Setting this case aside, it may be assumed that there exist In-
consistent sets of formulae. Any such set can be extended to a maximally
L-consistent set, and the L-theorems are precisely those formulae that
belong to every maximally .L-consistent set.
The canonical L-frame is FL = (Xi,Ri), where XL is the set of
all maximally L-consistent sets of formulae, and FRiA iff {ip: Hip
F} C A. The canonical model ML on J~L is given by the valuation
VL(P) = {F XL'-P 6 F}. An inductive proof shows that ML \=r 9
iff ip F, for all formulae ip. Consequently ML \= <p iff 9 L, and so
FL |= (p implies that tp is an L-theorem. If the converse holds (</? L
implies FL \= <p), then L is called canonical.
Falsifying the McKinsey Axiom

KM is defined to be the smallest logic containing all instances of the
schema
(McK) DO OO<p,

although we will usually find it more convenient to use the equivalent
form
which is true at exactly the same points in all models. Since the set
{tp: F |= ip} of all formulae valid in a frame f is a logic, to prove that f
is a .fiTM-frame it suffices to show that F validates the schema McK.
Now an end-point of a frame T is defined to be a point e for which

Re {e}, i.e. eRy iff e y. In any model, a formula of the form Dip is
true at an end-point iff (p is true there. Thus the formula (Dip V D-K/?) is
always true at an end-point, and so McK cannot be falsified at any point
x with the property that there is an end-point in Rx. This property is
not however necessary for the truth of McK, as shown by the frame
depicted in Figure 10.1, which will be referred to as The Trellis.
Figure 10.1. The Trellis
Formally, this frame is defined as the structure T = (X, R), where

X = {g, TOi2,mi3,m23, 61,62,63},
and R is specified by
Ra = {m12,mi3,m23}, Rmii = {e^}, Rei = {ei}.
Each point x ^ g has an end-point in Rx, so can never falsify McK. But
in any model on T, for each formula <p) is true at g. Hence T is a ffM-frame, even
though R9 contains no end-points.
This argument will re-emerge in the main model construction below
(cf. Theorem 10.4). It could be paraphrased by saying that the alter-
natives of the generator g do not themselves have enough alternatives
to make <p true and false at enough points to falsify McK. A condition
under which enough alternatives do exist is given by the following result.
Theorem 10.1. Let T be a frame containing a point g with the property

that for any m R9 , Rm is an infinite set that is at least as large in
cardinality as R9 itself. Then T is not a KM-frame.
Proof. Let n be the cardinality of R3, and let {m.\:A < K] be an
indexing of the members of R9 by the ordinals A less than K. For each
A, distinct points m\o,m\i G R"1* will then be defined in such a way
that {m\o,m\i} and {m M o>"Vi} are disjoint whenever A ^ p, < K.
Then putting V(p) = {m\i\ A < K] defines a model on f in which p is
false at m\o, and true at mî, making (DpV D-ip) false at m^. Since
this holds for every member m\ of R9, O(Dp V D-ip) fails at g in this
model on f.
It remains then to show that the m\i can be defined as claimed. Fix
A < K, and suppose inductively that mî has been denned for all p, < A
and i 6 {0,1}, such that m^ ^ mvj whenever p, ^ v < A. Let
y\ ~ {m M o,"i M i:/i < A}.
Then if A is a finite ordinal, YA is a finite set, so as J?mx is infinite,
distinct points m\o,m\i can be selected from Rmx -Y\. If however A
is infinite, then the cardinality of Y\ is at most that of A, and hence is
less than K. But Rm> has cardinality at least K, so again the selection
of m\0,m\i e Rm* can be made to ensure that m^ ^ mvj for all
H 7^ v < A. Hence the construction extends to A, and so goes through
by induction. D
If the cardinal K in this proof is finite, then Rm need not be infinite:

the argument works if Rm is of size at least In. A more important
consequence for what follows is
Corollary 10.2. // a canonical frame FL contains a point g with the

property that for any m R9L, R is of cardinality 2 N , then FL is not
a KM-frame.
Proof. R3L has size at most 2 N , since XL itself cannot be bigger than
this, there being only countably many formulae. (Actually, it can be
shown that XL has exactly 2 N members.) D
The main work of this paper will be to show that TKM contains a point
g fulfilling the hypothesis of Corollary 10.2.
Atoms
An atom of length n is a formula a of the form
ao A A a n _i,
such that for all i < n, a; is either the variable pi or its negation ->pi.
Put |a| = n, so that |a| denotes the length of a. A partial ordering of
atoms a, /3 is defined by letting a < /3 iff a is an initial segment of /3,
i.e. iff |a| < \/3\ and a; = ft for all i < \a\.
For each atom a, three successor atoms a 1 ,a 2 ,a 3 are defined as
follows:
a1 = a A pn A pn+i
a2 = a/\pnt\ -ipn+i
a3 = Q A -ipn A pn+i
(a fourth successor could be defined using -<pn A ->pn+i , but this will not
be needed). Then the formula a* is
^ \/ (Oa'
Now let be the closure under successors of the set {po}- Hence (3
iff there is a finite sequence aQ = p0, . . . , a n , with an = /?, such that for
all k < n, ctk+i = ajj. for some i with 1 < i < 3. It follows that if a and
/? are distinct members of S with a < (3, then a1 < /3 for some i (this
fact will be crucial in the proof of Theorem 10.4). Put
* = {a*:a }.
Theorem 10.3. Let g be a point in a canonical frame FL such that

* U {DOpo} C g. Then for every m E R9L, R? is of cardinality 2 N .
Proof. Fix an m in R9L . Consider the notion of a sequence
a = (a0,...,an, ...... )
such that for all n, an is either pn or ->pn, and
(I n ) (<70 A Acr 2 n ) and O(cr0 A A <T 2n ) m.
Given such a cr, for each n there is some y 6 XL with mRiy and
(CTO A A <7 2 n) 2/- Hence the set
{<p:D</3 em}u{o- 0 ,...,o- 2 n }
is contained in y, and so is L-consistent. It follows that the set
{(/?: Hip 6 m} U {crn: n < w}
is L-consistent, and so extends to a point ma G XL- Then
mCT e 7?, and \an:n } C ma.
But any two such sequences a, a' that are distinct must have an provably
equivalent to -\a'n for some n, so that o~n ^ mai and hence m^ 7^ ma' .
Thus if it can be shown that there are 2 N <r's satisfying (I n ), then it
will follow that there are 2 N m CT 's in Rf.
To construct a cr, observe first that since DOpo g, Opo 6 ^T1-
Hence putting a0 Po gives
(Io) O-Q E and Oa0 e m.
Next, suppose inductively that <70, . - . , <J2n have been defined so that (ln)
holds. Let a - (CTO A A <72n). By (I n ), a Z1. Hence a* 6 Z1* C g, so
as
(Oa-> \J
l<i<j
But Oa G m, by (I n ), so there exist 1 < 3 with
Putting <72rl+fc = a 2n+fc for fc = 1, 2 then defines cr2n+1 , <727l+2 , and gives
(I n +i) (ffo A - - - A<r 2 ( n + i)) S and O(cr0 A A <7 2 (+i)) G m,

since is closed under successors, and (<TQ A A <J 2 ( n -f-i)) = a1.
Alternatively, since also Oct3 m, 02 n+ fc could be defined as cc2n+fc
and still satisfy (I^+i). But as i ^ j, the definition of successors implies
that c*2n+jfe ^ a2n+k fr some ^j and so this would give a different
extended sequence.
This demonstrates that infinite sequences a of the desired kind can
be defined by induction in such a way that at each inductive step there
are at least two choices as to how the sequence extends. Hence there are
2N ways of constructing such sequences a. D
Corollary 10.2 and Theorem 10.3 have reduced the problem of show-
ing that fi is not a JfM-frame to that of showing that S* U {DOpo}
is i-consistent. To deal with that requires a new model construction.
Trellis-Like Frames
A frame f = (X, R) will be called trellis-like if it fulfills the following
description.
(1) There is some g X such that X is the union of the three sets {g},
Rg, and E, where
and these three sets are mutually disjoint. In particular, g gen-

erates F. The members of R9 are called the middle points of T.
(2) E is the set of all end-points of 7", and for each m 6 R9 there is an
end-point in Rm.
Condition (2) implies that in a model on a trellis-like frame, McK is
true at any middle or end point. Hence by (1), in such a model McK
can only be false, if at all, at the generator g.
Returning now to S, for each n put
Sn = {a S: |a| < n}, and S*n = {a*:a }.
Theorem 10.4. For any n, there exists a model Mn, based on a trellis-
like KM -frame, such that %n+\ u {nOpo} is (simultaneously) satisfied
at the generator in Mn.
Proof. The construction takes place within S^n+3- Let
En = {a r2n+3: \a\ =2n + 3}.
The members of En will be the end-points of Mn. Members of the set
^2n+3 - En of atoms of length less than 2n + 3 will be referred to as
interior points.
If a 6 Stn+3 , a binary subtree starting at a is defined to be any set 0
satisfying
(1) aeec{peE2n+3:a<p};
(2) If a < 7 < /?, and /3 e 0, then 7 6 ; and
(3) If /? (9 and /? is an interior point, then exactly two of the successors
of (3 belong to 0.
Observe that if a is an end-point, i.e. a En, then {a} is, by this

definition, a binary subtree starting at a.
Let Mn be the set of all binary subtrees in 271+3 that start at the
shortest atom po- The members 0 of Mn will be the middle points of
Mn, and any such 0 will be related precisely to the end-points that
belong to 0. Note that there will always exist such end-points: any
binary subtree starting at po must contain members of length 2n +
3. Truth-values are assigned in Mn by making each a En act as
a valuation of its own variables, so that a becomes true at a.
Formally, let Tn = (Xn,Rn), and Mn - (Xn,Rn,Vn), where
aeEn:ak = pk}, for k < 2n + 3

) f o r f c > 2 n + 3,
and the relation Rn is specified by
R9n = Mn,
R = 6>n En, ioT0eMn,

R% = {a}, foraen.
This ensures that Fn is trellis-like. By definition of Vn, if a En then
Mn\=apk iff ak=pk,
for k < In + 3. Prom this it follows readily that
(i) Mn\=ap iff 0 < a ,
for all /3 -S^n+s- Hence, in particular, p0 is true at every end-point a

in Mn, so as Tn is trellis-like, DOpo is true at the generator gn.
Now let /3 -E-sn+i- To show that /?* is true at gn, suppose O/3 is
true in Mn at some middle point 0. Then /? is true at some a with
0Rna, i.e. a 0 n En. By (i), /3 < a. But |/8| < 2n + 1< |a| = 2n + 3,
so then /3* < a for some 1 < z < 3. By clause (2) of the definition of
binary subtree, /?* 0, so by (i), ft is true in Mn at a, making O/31
true at 0. Moreover, /3 is an interior point, and so by (3), there is some
j 7^ z such that QJ 6 0. But then by applying (3) repeatedly, a 7 may
be constructed with a3 < 7 0C\En. Then o^ is true at 7, whence OaJ
true at 0, in .Mn. This establishes that (3* is true at gn, and completes
the proof that -S^n+i U {Ôpo} is satisfied at the generator in Mn.
It remains to prove that Tn is a KM-frame, and for this it suffices
to show that if tp is any formula, and M. is any model based on J-"n, then
O(D< V O-p) is true in M. Since Fn is trellis-like, the only issue is
whether the latter formula is true at gn in M.
Lemma. For any formula (p and any a .E^n+s* there is a binary

subtree 0a starting at a such that <p has constant truth value on 0a C\En
in M.
Proof. This proceeds by reverse induction on the length of atom a. If
a is of maximal length in S^n+s, i-e. a 6 En, put 0Q = {a}. As noted
above, in this case 0Q is a binary subtree since a is an end-point. Also
tp has constant truth value on 0a n En = {a}.
Now suppose a is an interior point. Then the induction hypothesis
may be made that the Lemma holds for all members of Z^n+s of length
greater than |a|. In particular, it holds for the successors of a. Hence
for each 1 < i < 3, there is a binary subtree 0i starting at a1 such
that (p has constant truth- value on 0; n En in M. But then there
must exist 1 having constant truth-value on
0 n En = (0i n En) u (9j n En).
Hence the Lemma holds for a, and so, by induction, it holds in general.
n
Applying the Lemma in the case a = po, it follows that there is a
subtree 0 Mn such that (p has constant truth-value on 0 n En =
R in M. Thus in the model M, (Dip V D-K/J) is true at 0, and so
-up) is true at gn, as desired to complete the proof of Theorem

10.4. D
Corollary 10.5. KM is not canonical.

Proof. If F is any finite subset of S* U {DOpo}i then F is contained in
^2n+i u {DOpo} for some n, so is satisfied at a point of a A'M-model
(Mn), and hence is ATM-consistent.
It follows that S* U {DOpo} is itself A'M-consistent, and so extends
to a maximally ATM-consistent set g. Then by Corollary 10.2 and The-
orem 10.3, there is a model on TKM in which the McKinsey axiom is
false at g.
D
Readers with a predilection for combinatorics will be interested to

note that the essence of the proof, in Theorem 10.4, that Tn is a ATM-
frame resides in the following Ramsey-like property of trees:
given any 2-colouring of the leaves of a finite ternary tree T,

there is a binary subtree having the same height as T, with
all its leaves of the same colour.
In conclusion, I would like to thank Max Cresswell for many helpful

conversations, over the years, about this and related topics.
11
Elementary Logics are Canonical
and Pseudo-Equational
Let A be a normal prepositional modal logic that is elementary, i.e.

is determined by some first-order axiomatisable class of Kripke frames.
Then it is known that A is canonical, i.e. is validated by its canonical
frame FA (this was first shown in [15, Theorem 3]).
In this article we will prove a considerable strengthening and re-
finement of this result. First we show (Theorem 11.3.1) that if A is
elementary, then it is determined by the first-order theory of FA, i.e.
\-A A if, and only if, A is valid in all frames elementarily
equivalent to FA.
Then we introduce the class of pseudo-equational first-order sentences,
those which are preserved by the fundamental constructions of sub-
frames, bounded morphisms, and disjoint unions of frames. We prove
(Theorem 11.4.2) that if A is elementary, then it is determined by the
pseudo-equational theory of FA, i.e.
h/i A if, and only if, A is valid in all frames satisfying the
pseudo-equational sentences true of J-A.
The most significant question that remains unresolved in this area is
whether, conversely, every canonical logic is elementary (cf. the intro-
duction to the previous chapter for some discussion of the ramifications
of this question). One natural way to tackle the problem would be to
try to prove that if A is canonical then it is determined by the class KA
of frames elementarily equivalent to FA. Our results show that this is
indeed an appropriate strategy: if A is determined by any elementary
class at all, then it is determined by 1C A
In the later part of this article we examine further connections be-
243
tween elementarity and canonicity, involving closure properties of classes

of general frames (i.e. first-order frames in the sense of Section 1.3).
The analysis given here for modal logic can be extended to other
kinds of intensional logic, and generalises algebraically to give results
about the structure of varieties of Boolean algebras with operators. This
is developed in the paper [31].
11.1 Review of Operations on Frames

Recall that a Kripke frame T = (W, R} (or simply "frame" for now)
comprises a binary relation R on a set W, and that a model M = (F, V)
on J- is given by a valuation V assigning a subset V(p) of W to each
propositional variable p. The relation "formula A is true at point x in
model M", denoted M. \=x A, is defined in a way that is familiar from
other chapters. Then A is true in M, M \= A, if it is true at all points
of M. A is valid in frame f,F\=A, if is A is true in all models on T.
If A is a set of formulae, then we write J- \= A if every member of A is
valid in T.
(W',R') is a subframe of (W,R) if W C W, R' is the restriction of
R to W, and
if xRy and x 6 W, then y 6 W.
(Subframes are sometimes referred to as "generated subframes" in the
modal logic literature, and are called "inner substructures" in [31].)
A bounded morphism if : (W, R) > (W',R') is a function (y);
<p(x)R'z implies 3y(xRy and <p(y) z).
If (f> is surjective, then it is called a bounded epimorphism, and (W,R')
is a bounded epimorphic image of (W,R). (Bounded morphisms are
the "frame homomorphisms" of Chapter 1, and are also known as "p-
morphisms" in the literature.)
If {Fz : z Z} is a collection of frames, with fz = (WZ,RZ), then
frame T (W,R) is the bounded union of the .TVs if each Tz is a
subframe of .F, and W = \J{WZ : z Z}. T' is a disjoint union of the
.TVs if it is the union of a collection \T'Z : z 6 Z} of pairwise disjoint
isomorphic copies of the .TVs, i.e. T'z = J-z, and W'z n W'w 0 when
z ^ w Z. Then each T'z is a subframe of T', so f is the bounded
union of the T'zs.
Observe that if f is the bounded union of the .TVs, and f is their
disjoint union, then the isomorphisms T'z = Tz combine to give a func-
ELEMENTARY LOGICS ARE CANONICAL AND PSEUDO-EQUATIONAL 245
tion f J- which is a bounded epimorphism. Thus a bounded union

of structures is a bounded epimorphic image of their disjoint union.
For any set A of formulae, the class
Fr(A) = {T : T> A}
of all frames that validate A is closed under subframes, bounded epi-
morphic images (which includes isomorphic images) and disjoint unions.
Hence by the last observation of the previous paragraph, Fr(A) is closed
under bounded unions as well.
In order to handle these constructions more conveniently, we intro-
duce some notation for operations on a class K, of frames:
K, = the class of isomorphic images of subframes of members
of/C.
H/C = the class of bounded epimorphic images of members
of/C.
Ud K. = the class of disjoint unions of collections of frames iso-
morphic to members of K..
Ub/C = the class of bounded unions of collections of frames iso-
morphic to members of K,.
Pu K, = the class of isomorphic images of ultraproducts of collect-
ions of frames in /C.
Pw/C = the class of isomorphic images of ultrapowers of frames
in 1C.
Eu/C = the class of frames f having some ultrapower T-* /U iso-
morphic to a member of fC.
Eu/C is the class of ultraroots of K..
Lemma 11.1.1 For any class K, of frames,
(1) XX/C = X/C for X = H , S , U d , U b .
(2) Ud/C C Ub/C C MUd/C = MUb/C = UbH/C.
(3) XH/C CHX/C f o r X = , U d , P u , P w .
(4) Ud/C = Ud/C.
(5) SUb/C C U b S / C C H S U d / C = HSUb/C.
(6) Pu/C C Pu/C and Pw/C C Pw/C.
(7) Eu/C C Eu/C and HEu/C C EuH/C.
(8) If 1C = Fr(A] for some set A of formulae, then X/C = /C for X =
H,,Ud,Ub,Eu.
Proof. Some of these results are well-known, and the remainder are left
to the reader, who can find further discussion in [31, Theorem 2.1].
Note that (8) expresses the fact that validity of formulae is preserved
by bounded epimorphic images, subframes, disjoint and bounded unions,

and ultraroots. D
Lemma 11.1.2 For any class 1C of frames,
PuUb/CCUbPu/C.
Proof. This is given in Theorem 2.4 of [31], the argument being a gen-
eralisation of that of the proof of Lemma 3.5 of [29], which itself showed
thatPwUdCUbPu/C.
Let T be an ultraproduct Ylz FZ/U with each fz being a bounded
union \J{Fzj-. j e Jz} of subframes TZJ isomorphic to members of 1C.
We want to prove f 6 UbPu/f, and for this it suffices to show that
for each t T there is a subframe ft of f with t Ft Pu/C.
But if t e T, then t = ft/U for some ft Hz ?z- For each z Z,
since .Fz is the union of the J^j's there exists jzt Jz with /t(z) 6 -Tv^,
Let
z
Then the inclusion f3z .7>,zl > Hz -^"2 induces an injection tpt'-Gt *"> F
which proves to be a bounded morphism because each Tzjft is an inner
substructure of fz [29, p. 225]. Moreover, t is in the image oift. Hence
the desired ft is given by this image, which is a subframe of f and an
isomorphic copy of Qt 6 Pu/C. D
11.2 The Role of Ultrapowers

Let A be a normal propositional modal logic. A model M determines A
if the yl-theorems are precisely those formulae that are true in M:
I-A A iff M (= A.
Similarly, A is determined by a frame F, or by a class of frames 1C, if
the yl-theorems are precisely those formulae that are valid in J", or valid
in all members of 1C, respectively.
The canonical A-frame is FA = (WA,RA), with WA being the set of
all maximally /1-consistent sets of formulae, and, for x,y WA,
xRAy iff {A : UA x} C y.
The canonical A-modelis MA = (FA,VA), where
VA(p) = {xWA:pex}.
This model determines A, and consequently
FA\=A implies \~A A.
If the converse holds, i.e. if TA validates all yl-theorems, then A is called

a canonical logic.
Theorem 11.2.1 // a model M = ( f , V) determines A, then TA is a
bounded epimorphic image of an ultrapower J-J /U of J-.
Proof. This is an "ultrapowers version" of the construction due to Fine
[15], which is presented in Section 19 of Chapter 1 (cf. also Lemma 3.1
of [29] or 3.6 of [28]).
Given an ultrapower f3/U = (WJ/U,Ru) of F, define a model
Mu = {FJ/U, Vv) by declaring
Vu(p) = {f/U WJ/U : {j J : f(j) 6 V(p)} E U}.
Then it can be shown that for any formula A,
Mu^f/uA iff {jJ:M\=f(l)A}eU.
From this it follows that
M. \= A implies MU N A,
and hence in particular that Mu is an yl-model (Mu \= A), because M
is a yl-model. It also follows that for each w in M,
(t) M\=WA iff Mu\=fiA,
J
where w W /U is the function on J constantly equal to w.
Thus for each element x of fj/U, the set of formulas
V(x) = {A:MV K ^4}
is maximally vl-consistent, and therefore this construction defines a func-

tion ip : FJ /U > TA. It is readily shown that
xRuy implies tp(x)RAtp(y).
To show that tp is a bounded epimorphism we must show that it is
surjective and that
ip(x)RAF implies 3y(xRuy and ip(y) T).
For this purpose the ultrafilter U must be chosen appropriately to ensure
that the ultrapower FJ/U has certain saturation properties. To describe
these, we say that a set F of formulae is satisfiable in a given model if
there is some point in the model at which all members of F are true.
Putting
Or = {O(Ai A A An) : AI, ..., An T},
then the properties required of MU are:
if every finite subset of F is satisfiable in MU, then F is satisfiable
in MU',
if MU \=x O.T, then there exists y with xRjjy and MU \=y F.

It is explained in the above references that, by results of first-order
model-theory, a suitable U can indeed be found that ensures these prop-
erties hold for Mu (cf. [15, Lemma 8], [28, pp. 211-212]).
Thus if F WA, then each finite subset of F is yl-consistent, hence is
true at some point of M because M determines A, and so is true at some
point of MU by (f). This show that every finite subset of F is satisfiable
in MU- Hence by saturation there exists x WJ JU with Mu \=x F.
Then F C (p(x), and so <p(x) = F as F is maximally /1-consistent. It
follows that (f is surjective.
Finally, suppose that <p(x)RAF in MA. Then if AI, . . . , An 6 F, the
formula O(j4i A A An) belongs to <p(x), so is true in MU at x. Thus
\=x O-T, so by saturation there exists y WJ /U with xRuy and
\=y F. Then F C tp(y), and so <p(y) = F. D
Corollary 11.2.2 Let A be a normal prepositional modal logic.

(1) If A is determined by a class of frames 1C, then TA HPwUd/C.
(2) // A is determined by a class 1C that is closed under ultraproducts,
then TA HUb/C.
Proof.
(1) If formula A is not a yl-theorem, then as /C determines A there is
a vl-model MA = (Â,VA) with MA A and T&. 6 1C- Let
M = (F, V) be the disjoint union of the collection
{MA ' A is a formula and A ^4},
i.e. T is the disjoint union of the J^'s, and V(p) is the disjoint
union of the V^(p)'s. Then in general
M \= B iff for all A such that Y-A A, MA \= B,
so M is a yl-model, and M P A whenever Y-& A. Hence M de-
termines A. Thus by Theorem 11.2.1 there exists an ultrapower
f] /U of T and a bounded epimorphism from J-J /U onto J:A. In
other words, ?A is a bounded epimorphic image of an ultrapower
of a disjoint union of frames from /C.
(2) If Pu/C = /C, then applying Lemma 11.1.2, to result (1),
TA HPwUd/C C HPuUb/C C HUbPu/C = HUb/C.
D
11.3 The First-Order Theory of FA

A class AC of frames is elementary if it is first-order axiomatisable, i.e.
if it is the class of all models of some set of sentences in the first-order
language L2 (with identity) of a binary relation. A logic A is elementary
if it is determined by some elementary class of frames.
Two frames f and Q are elementarily equivalent, T = G, if they
satisfy exactly the same L2-sentences. For any logic A, the class
KA = {F:F = ?A}
of frames that are elementarily equivalent to TA is elementary: K.A is
the class of all models of the first-order theory
{a : a is an L2-sentence and TA |= a}
of the structure J-A.
There are a number of characterisations of elementary classes. Thus
K- is elementary if, and only if, it is closed under ultraproducts and
elementary equivalence. Alternatively, AC is elementary if, and only if, it
is closed under ultraproducts and ultraroots.
Thus the assumption that K- is Pu -closed is weaker than the assump-
tion that K. is elementary. However the assumption that a logic A is
determined by a Pu -closed class is not weaker than the assumption that
A is elementary, since the former implies the latter, as is shown by the
next result.
Theorem 11.3.1 If A is determined by some class of frames that is
closed under ultraproducts, then A is determined by the elementary class
K,j\-
Proof. Suppose 1C determines A and Pu/C = AC. Then by Corollary
11.2.2(2), there exists a frame Q UbAC and a bounded epimorphism
<p:G^FA.
Now let FelCA. Since F = FA, the Keisler-Shelah Ultrapower The-
orem states that there exist isomorphic ultrapowers F]/U = (FA)J /U
for some ultrafilter U. Then applying Lemma 11.1.2 to the correspond-
ing ultrapower of Q,
GJ/U e PwUbAC C UbPuAC = UbAC.
Since K is a class of yl-frames, and bounded unions preserve validity, this
yields QJ/U \= A. But the function <p lifts to a bounded epimorphism
QJ/U - (FA)J/U (taking f/U to (ip o /)//) so this in turn yields
(FAY'/U |= A. Then T3 fU |= A, as FJ/U ~ (FA)J/U, and hence
J- \= A because validity is preserved by ultraroots.
We have now established that every member of K.A validates A, i.e.
1CA C Fr(A). Since FA )CA, and the model MA on FA falsifies all

non-theorems of A, this shows that K-A determines A. D
It is noteworthy that in general K.A ^ 1C even when K, is elementary
(otherwise Theorem 11.3.1 would be rather uninteresting!). For example,
if 1C is the class of partial orderings (reflexive, transitive, antisymmetric
frames), then K. determines the logic A = S4. But the canonical S4-
frame is not antisymmetric, hence is in K.A but not 1C. Indeed in this
example 1C and K,A are disjoint elementary classes that each determine
the logic A.
11.4 The Pseudo-Equational Theory of FA

A formula in the first-order language l_2 of a binary relation is called
essentially atomic if it is constructed from amongst atomic formulae and
the constants -L and T using at most A (conjunction), V (disjunction),
and bounded universal and existential quantifiers
Vx(xRy - </>)
A <j>
with x ^ y.
An l-2-sentence will be called pseudo-equational if it is of the form
Vx(f> with (f> essentially atomic. Such sentences look nothing like equa-
tions of course, but the name is derived from the fact that their models
give rise to equational classes of modal algebras (cf. [31, 4]).
Any pseudo-equational sentence is preserved by H, , and Ud (hence
by Ub). Conversely, if a set of L2 -sentences is preserved by these three
operations, then it is logically equivalent to a set of pseudo-equational
sentences. This preservation theorem was first shown by van Benthem
[100, 103]. An alternative proof for more general relational structures
was developed in [28, 4], where the notion of bounded union was first
introduced.
For an arbitrary class of frames 1C, let $ be the pseudo-equational
theory of 1C, i.e. the set of all pseudo-equational sentences that are true
in all members of 1C, and let
be the class of all models of #/c- Then Mod&ic is an elementary class

containing 1C. By a careful analysis of the version of the preservation
theorem given in [28, 4], it can be shown that when fC is closed under
ultraproducts, then the members of Mod& can be constructed from K.
by operations that preserve validity of modal formulae. This analysis is
presented in detail in [31, 7], where it is shown that
/C implies Mod$K = EuUbEuUbEuHS /C.

Corollary 11.4.1 // A is determined by a class of frames K. that is
Proof. Suppose /C determines A and Pu/C = /C. Then by the result just
quoted, since modal validity is preserved by ffiu, Ub, H, and S, every
member of Mod!?/c validates A.
But by Corollary 11.2.2(2), TA 6 HUb/C. Since truth of pseudo-
equational sentences is preserved by bounded unions and bounded epi-
morphic images, this implies that FA G Mod^K.. Hence Mod\Pic deter-
mines A. D
We can now obtain the main result of this article. For a logic A,
let \I?A be the pseudo-equational theory of FA, i.e. the set of pseudo-
equational sentences that are true of the canonical frame of A. Since TA
is elementarily equivalent to all members of K./I, it follows that \PA is also
the pseudo-equational theory of the class 1C A Symbolically: 8^ = \P/cA .
Theorem 11.4.2 // A is determined by some class of frames that is
Mod$A of all models of the pseudo-equational theory of FA.
Proof. Suppose K, determines A and Pu/C = /C. Then by Corollary 11.4.1
all members of Mod &ic validate A, i.e.
Mod$K C Fr(A).
Also, by Corollary 11.2.2(2) TA HUb/C, so every pseudo-equational
sentence true throughout /C will be true in FA, i.e. $K. Q &A- Hence
Mod&A C Mod$K,
and thus altogether Mod&A Fr(A). Since TA e Mod&A by defini-
tion, it follows that ModÂ determines A. D
Counter Examples
Of course Theorem 11.4.2 is only an advance on Corollary 11.4.1 if there
are cases of a logic A, determined by some Pu -closed class /C, for which
Mod&A ~ Modîc- We saw in the proof of 11.4.2 that for such a logic
we have Mod&A Q Modîc, but in fact the converse of this last inclusion
does not always hold. This may be seen from the example of KMT, the
smallest normal modal logic that contains all formulae of the form
O((DA! -> At) A - - A (OAn -> An)).
KMT is studied in [46], where the following are shown.

(1) KMT is determined by the class /C# of all frames satisfying the
pseudo-equational condition
l(i) Vx3y(xRy/\yRy).
(2) The canonical KMT-hame ?KMT satisfies l(i) (hence KMT is
canonical).
(3) A frame (W, R) validates KMT if, and only if, for each x W the
set Rx = {y.xRy} is not finitely colourable.
Here a colouring is an assignment of colours to points in such a way
that if yRz then y and z are assigned different colours. Notice that
91 = (u>, <) is a KMT-fiame by (3), but fails l(i) and so is not in K.H-
Now let K<n be the class of all structures elementarily equivalent to
91. Then for (X, R) 6 K<x, each set Rx will be infinite and linearly
ordered by R, so cannot be finitely coloured. Thus by (3), all members
of K<n validate KMT.
Further, let 1C = K-u U K<X. Then 1C is the union of two elementary
classes, so is itself an elementary class, hence is Pu -closed. All members
of K. validate KMT, and 1C contains FKMT , so 1C determines KMT.
Since 91 1C, it is immediate that 91 e Mod&/c, i.e any pseudo-
equational sentence true throughout K. is true in 91. But 91 ^ Modty/i,
because <?/i is the pseudo-equational theory of the canonical frame
pKMT ^ wm-cjj js m H by (2). Hence the sentence l(i) is in &A but
not in $ since it fails in 01, and indeed 01 $& Thus in this example
we have
&K. &A and Mod$A C Mod<PK.
Next we show that the inclusion
Mod$K. CFr(A)
established in the proof of Corollary 11.4.1 is not in general an equality.
For this, let A be the smallest normal logic containing the schema
OO4 - (OO(A AB)V OD(A A -.)),
and let 1C be the class of all frames satisfying the sentence
VxVy(xRy > 3z(xRz A VuVv(zRu A zRv u = v A yRv))).
Then Fine [15] shows that TA /C C Fr(A), and so A is determined
by the elementary class 1C. Hence Mod\P/c C Fr(A) by 11.4.1. But it is
also shown in [15] that Fr(A) is not closed under elementary equivalence,
and so is not an elementary class. Since Modtf/c is an elementary class
by definition, we have Mod&K. ^ Fr(A).
Finally, consider the the inclusion
1C A C
asserting that any frame elementarily equivalent to J-A is a model of

the pseudo-equational theory of FA, which is true by definition. Now
take A to be S4 again. As mentioned at the end of Section 11.3, in
this case TA is not antisymmetric, and contains distinct points x, y with
xRAyRAx. By identifying such pairs we can collapse TA to an anti-
symmetric quotient frame Q which is a bounded epimorphic image of
TA. Then pseudo-equational sentences are preserved in passing from
TA to G, so g is a model of &A, i.e. Q . Mod&A. But Q $ K.A, i.e.
Q ^ FA, since the two structures are distinguished by the antisymmetry
condition.
Summary
The main results of the last two sections can be summarised by the
following statement.
// a logic A is determined by some class 1C of frames that is

closed under ultraproducts, then
TA e K.A C ModÂ C Mod$K C Fr(A),
with none of these set inclusions being an equality in general.
11.5 Stability Properties for General Frames

It remains an open question as to whether a canonical logic must be ele-
mentary. In the absence of a solution it is natural to look for alternative
versions of these notions, in the hope of finding some reformulation that
might allow their true relationship to be determined. We now consider
some such characterisations, based on preservation properties of general
frames.
By a general frame we will mean a structure f = (W,R,P), of the
type introduced in Definition 1.3.4 of Chapter 1, with (W, R) being a
Kripke frame, and P a non-empty collection of subsets of W closed under
the Boolean set operations and the operation
h(S) = {x W : Vy(xRy implies 2/65}.
A model M. = (F, V) on such a frame is given by a valuation V that
has V(p) P for all variables p. The notions of truth in M and validity
in f are then defined as usual.
A general frame is full if P = 2W. A Kripke frame (W, R) can be
identified with the full frame (W,R,2W), and we will usually present a
general frame in the form ( f , P ) , with T a Kripke frame.
The canonical general frame for a normal logic A is T-LA = (J-A, PA),
with TA the canonical Kripke frame for A, and
PA = {\A\:A is a formula},
where \A\ [x WA : A x}. This frame determines A:
\-A A iff HA |= A.
We identify a property of frames with the class IT of all frames having
that property. Some more interesting properties are:
The class of atomic frames, those having {x} P for all x W;
The class of image-closed frames, for which {y : xRy} P for all
z W-
The class of iterated-image-dosed frames, for which {y : xRny}
P for all x W and all n;
The class lid of definably- closed frames, for which P contains every
subset X of W that is Indefinable in the sense that there is some
l-2-formula (f>(v, v\, . . . ,vn) and some wi , . . . , wn W such that
X = {x W : {W, R} t= 4>[x, wi , - . . , wn}}.
Note that the Indefinable sets include all finite and cofinite sets, and
all sets of the form {y : xRny}.
All of the properties just listed are preserved by ultraproducts of
general frames, a notion that was described in Definition 1.7.6 of Chapter
1. Given a collection
of general frames, and an ultrafilter U on J, the associated ultraproduct

FU has the form ( Y [ j f j / U , P u ) , where TljFj/U is the ultraproduct
of the Kripke frames, and P\j is a collection of subsets of \\_jJ~jlU
defined from the ultraproduct of the P/s. The crucial property of this
construction is that for any modal formula A,
Fu\=A iff {j:fj\=A}EU
(cf. Corollary 1.7.13), a result that does not hold for ultraproducts of
Kripke frames. An immediate consequence of this property is that if
each TJ is a yl-frame, where A is some logic, or set of formulae, then Tv
is a yl-frame.
In the particular case of an ultrapower, when Tj T for all j J,
we get
(*) Fut=A iff f\=A.
If II is a class of frames, then a set A of formulae is li-stable if its validity
is preserved by full expansions of II-frames, which means that
if {/", P) \= A and ( J", P) 6 II (where f is a Kripke frame),

then T |= A.
Thus if HI C n 2 , then n2-stable formulae are Hj -stable.
If a logic A is Il-stable for some II that includes the canonical general
frame UA = (FA,PA), then since in general HA (= A it follows from II-
stability that FA |= A, i.e. that A is canonical. This observation is the
basis for the following characterisations of elementarity.
Theorem 11.5.1 For any normal logic A, the following are equivalent.
(1) A is determined by some class of Kripke frames that is closed under
ultraproducts.
(2) A is determined by the elementary class K.A of Kripke frames ele-
mentarily equivalent to TA .
(3) A is determined by the elementary class Mod&A of all models of the
pseudo-equational theory of J-A.
(4) A is Tl-stable for some class II of general frames that includes
(FA,PA) and is closed under ultrapowers.
(5) A is valid in all full ultrapowers (FA)J ' /U ofFA.
(6) A is canonical and H-stable for some class II of general frames that
includes the full frame FA and is closed under ultrapowers.
Proof. We have already established the equivalence of (1), (2), and (3).
(2) implies (4): Let II be the class of all ultrapowers of the general
frame (FA,PA). Then if { f , P } II, T is an ultrapower of the Kripke
frame FA, so F = FA, i.e. T 6 /C/i. Assuming K.& determines A then
gives F |= A. Hence A is Il-stable.
(4) implies (5): Let H satisfy (4). Since (FA,PA) \= A, any ultra-
power
((FA)J/U,(PA)J/U)
validates A by (*) above, and belongs to II by assumption, so
(FA)J/U \= A
by H-stability.
(5) implies (6): If (5) holds, then in particular A is validated by FA
(since TA = (FA}J /U when U is principal), hence A is canonical.
Then taking II to be the class of general ultrapowers of the full frame
FA , every member of II has the form
so H-stability is immediate from (5).

(6) implies (2): Let Q 1C A. It is enough to show Q (= A. But
since Q = FA, by the Keisler-Shelah Ultrapower Theorem there exist
isomorphic ultrapowers QJ /U = (FA)J /U for some ultrafilter U. Let

H = ((FA)J/U,(2wA)J/U).
Then assuming (6), we have TA \= A, hence U (= A by (*), and W e II
by the assumed property of II, whence (FA)J /U |= A by II-stability.
Then QJ /U \= A, so as validity is preserved by ultraroots, Q \= A as
desired. D
An illustration of condition (6) of Theorem 11.5.1 is given by the class
lid of general frames for which P contains all first-order definable subsets
of the underlying Kripke frame. Ud includes TA (since it includes all full
frames), and is closed under ultrapowers (indeed under ultraproducts).
Hence the Theorem implies
every canonical lid-stable logic A is determined by K,&.
There are however canonical logics that are determined by K-A but are
not ILj-stable. An example is K4M, the smallest normal logic to contain
the schemata
OA-* OOA,
The class Fr(K4M) of Kripke frames for KAM is the class of all tran-
sitive frames satisfying the (pseudo-equational) sentence
Vx3y(xRy A Vz(yRz > Vw(yRw > z = w)))
[103, Lemma 7.2]. The canonical /-sT4M-frame is in this class (as has
been known since [59]), so K4M is canonical and elementary. But if P
is the set of finite and cofinite subsets of w, then the frame (u>, <,P}
is in Hid [103, Lemma 9.16] and validates K4M, whereas (w, <) does
not validate the second of the above two schemata. Hence K4M is not
nd-stable.
Another illustration of 11.5.1(6) is given by considering the monadic
second-order language of a binary relation, which we will denote L|.
This extends 1-2 by adding quantifiable variables ranging over subsets of
a frame. A given general frame becomes an L|-structure by allowing P
to be the range of quantification of the set variables. It can be shown
that ultraproducts of general frames preserve truth of L^-sentences [103,
Theorem 4.12], in the same way that they preserve validity of modal
formulae. Thus if a class II of general frames is defined by some prop-
erty expressible by a set of L^-sentences, then II must be closed under
ultraproducts. We conclude from 11.5.1(4) that
if a logic A is H-stable for some L^-definable property H
possessed by (J-A,PA), then A is determined by /C/i;
and from 11.5.1(6) that
if a canonical logic A is U-stable for some L^-definable prop-

erty II possessed by FA, then A is determined by K.^.
The notion of II-stability an also be used to discuss the question as to
when the class Fr(A) of all Kripke frames validating A is an elementary
class. In general Fr(A) is closed under ultraroots (i.e. its complement is
closed under ultrapowers) so it will be an elementary class if, and only
if, it is closed under ultraproducts (cf. Corollary 1.16.3(ii) in Chapter
1). This implies
Theorem 11.5.2 Let II be any property of general frames that is pos-
sessed by all full frames and is preserved by ultraproducts. Then if A is
li-stable, it follows that Fr(A) is elementary. D
As special cases we can conclude that Fr(A) is elementary if A is ILj-
stable, or if it is Il-stable for some Lj-definable property that is possessed
by all full frames [103, Theorem 13.4].
Also it follows that if A is Il-stable, where II is as in the first sentence
of 11.5.2, and A is complete, i.e. is determined by some class of Kripke
frames, then A is canonical. This is because Fr(A) is then elementary by
11.5.2, and for a complete logic to be canonical it suffices that Fr(A) be
closed under elementary equivalence ( [15, Theorem 2], cf. also Corollary
1.20.15).
The most telling conclusion we can draw from Theorem 11.5.1 is that
in order to prove that a particular canonical logic A is elementary, it is
both necessary and sufficient to prove that A is valid in all ultrapowers
( J - A ) J J U of its canonical frame. This offers us both a method for proving
that A is elementary, by showing (FA)J/U (= A, and a way of showing
that it is not, by finding a counter example - an ultrapower of FA that
falsifies A. Neither approach seems easy, and it is perhaps a fitting way
to end this article, and this volume, by placing that challenge in front
of the reader.
Bibliography
[I] ALAGIC, S., AND M. A. ARBIB. The Design of Well-Structured

and Correct Programs. Springer-Verlag, 1978.
[2] AMEMIYA, I., AND H. ARAKI. A Remark on Piron's Paper. Publi-
cations of the Research Institute of Mathematical Sciences, Kyoto
University, Series A2, 2 (1966), 423-427.
[3] BARWISE, JON. Admissible Sets and Structures. Springer-Verlag,
Berlin, Heidelberg, 1975.
[4] BELL, J. L., AND A. B. SLOMSON. Models and Ultraproducts.
North-Holland, Amsterdam, 1969.
[5] BERBERIAN, S. K. Introduction to Hilbert Space. Oxford Univer-
sity Press, London, 1961.
[6] BlRKHOFF, G. Lattice Theory, third ed. American Mathematical
Society Colloquium Publications. American Mathematical Society,
Providence, R. I., 1966. no. 25.
[7] BULL, R. A. MIPC as the Formalisation of an Intuitionist Concept
of Modality. Journal of Symbolic Logic 31 (1966), 609-616.
[8] CHELLAS, B. F. Modal Logic: An Introduction. Cambridge Uni-
versity Press, 1980.
[9] DlEGO, A. Sur les Algebras de Hilbert. Collection de Logique
Mathernatiques, Serie A, 21 (1966). published in Paris.
[10] DOWKER, C. H., AND D. PAPERT. Quotient Frames and Sub-
spaces. Proceedings of the London Mathematical Society 16 (1966),
275-296.
[II] EILENBERG, S., AND N. STEENROD. Foundations of Algebraic
Topology. Princeton University Press, 1952.
259
[12] FINE, KIT. Prepositional Quantifiers in Modal Logic. Theoria 36

(1970), 336-346.
[13] FINE, K. An Incomplete Logic Containing S4. Theoria 40 (1974),
23-29.
[14] FINE, K. Normal Forms in Modal Logic. Notre Dame Journal of
Formal Logic 16 (1975), 229-234.
[15] FINE, K. Some Connections between Elementary and Modal
Logic. In Proceedings of the Third Scandinavian Logic Symposium,
ed. Stig Kanger. North-Holland, 1975, pp. 15-31.
[16] FISCHER, M. J., AND R. E. LADNER. Prepositional Dynamic
Logic of Regular Programs. Journal of Computer and Systems
Sciences 18 (1979), 194-211.
[17] FITTING, M. C. Intuitionistic Logic, Model Theory & Forcing.
North-Holland, 1969.
[18] FOULIS, D. J., AND C. H. RANDALL. Lexicographic Orthogonal-
ity. Journal of Combinatorial Theory 11 (1971), 157-162.
[19] FREYD, PETER. Aspects of Topoi. Bulletin of the Australian
Mathematical Society 7 (1972), 1-76.
[20] GODEL, K. Eine Interpretation des Intuitionistischen Aus-
sagenkalkiils. Ergebnisse eines mathematischen Kolloquiums 4
(1933). English translation in Kurt Godel, Collected Works, Vol-
ume 1, Solomon Feferman et. al. (eds.), Oxford University Press,
1986, 296-303.
[21] GOLDBLATT, ROB. Arithmetical Necessity, Provability, and Intu-
itionistic Logic. Theoria 44 (1978), 38-46.
[22] GOLDBLATT, ROBERT. Diodorean Modality in Minkowski Space-
time. Studio, Logica 39 (1980), 219-236.
[23] GOLDBLATT, ROBERT. Axiomatising the Logic of Computer
Programming, vol. 130 of Lecture Notes in Computer Science.
Springer-Verlag, 1982.
[24] GOLDBLATT, ROBERT. An Abstract Setting for Henkin Proofs.
Topoi 3 (1984), 37-41.
[25] GOLDBLATT, ROBERT. Orthomodularity is Not Elementary. The
Journal of Symbolic Logic 49 (1984), 401-404.
[26] GOLDBLATT, ROBERT. Topoi, second ed., vol. 98 of Studies in
Logic. North-Holland, Amsterdam, 1984.
BIBLIOGRAPHY 261
[27] GOLDBLATT, ROBERT. On the Role of the Baire Category The-

orem and Dependent Choice in the Foundations of Logic. The
[28] GOLDBLATT, ROBERT. Varieties of Complex Algebras. Annals of
Pure and Applied Logic 44 (1989), 173-242.
[29] GOLDBLATT, ROBERT. On Closure Under Canonical Embedding
Algebras. In Algebraic Logic, ed. H. Andreka, J.D. Monk, and
I. Nemeti. North-Holland, 1991, pp. 217-229. Colloquia Mathe-
matica Societatis Janos Bolyai 54.
[30] GOLDBLATT, ROBERT. The McKinsey Axiom is Not Canonical.
The Journal of Symbolic Logic 56 (1991), 554-562.
[31] GOLDBLATT, ROBERT. Elementary Generation and Canonicity for
Varieties of Boolean Algebras with Operators. Research Report
92-101, Mathematics Department, Victoria University of Welling-
ton, October 1992.
[32] GOLDBLATT, ROBERT. Logics of Time and Computation, sec-
ond ed., vol. 7 of CSLI Lecture Notes. Center for the Study of
Language and Information, Stanford University, 1992. Distributed
by University of Chicago Press.
[33] GOLDBLATT, R. I. Semantic Analysis of Orthologic. Journal of
Philosophical Logic 3 (1974), 19-35.
[34] GOLDBLATT, R. I. First-Order Definability in Modal Logic. Jour-
nal of Symbolic Logic 40 (1975), 35-40.
[35] GOLDBLATT, R. I. Solution to a Completeness Problem of Lem-
mon and Scott. Notre Dame Journal of Formal Logic 16 (1975),
405-408.
[36] GOLDBLATT, R. I. Metamathematics of Modal Logic, Part I.
Reports on Mathematical Logic 6 (1976), 41-78.
[37] GOLDBLATT, R. I. Metamathematics of Modal Logic, Part II.
Reports on Mathematical Logic 7 (1976), 21-52.
[38] GOLDBLATT, R. I. On the Incompleteness of Hoare's Rule for
While-commands. Notices of the American Mathematical Society
26, A-524 (1979).
[39] GRATZER, G. Universal Algebra. D. Van Nostrand, 1968.
[40] GRZEGORCZYK, A. Some Relational Systems and the Associated
Topological Spaces. Fundamenta Mathematicae 60 (1967), 223-
231.
[41] HALMOS, P. R. Introduction to Hilbert Space and the Theory of

Spectral Multiplicity. Chelsea, New York, 1975.
[42] HENKIN, H., J. D. MONK, AND A. TARSKI. Cylindric Algebras
I. North-Holland, 1971.
[43] HENKIN, LEON. The Completeness of the First-Order Functional
Calculus. Journal of Symbolic Logic 14 (1949), 159-166.
[44] HENKIN, LEON. A Generalisation of the Concept of u-
Completeness. Journal of Symbolic Logic 22 (1957), 1-14.
[45] HOARE, C. A. R. An Axiomatic Basis for Computer Program-
ming. Communications of the Association for Computing Machin-
ery 12 (1969), 576-580, 583.
[46] HUGHES, G. E. Every World Can See a Reflexive World. Studia
Logica 49 (1990), 175-181.
[47] HUGHES, G. E., AND M. J. CRESSWELL. An Introduction to
Modal Logic. Methuen, 1968.
[48] JONSSON, B., AND A. TARSKI. Boolean Algebras with Operators,
Part I. American Journal of Mathematics 73 (1951), 891-939.
[49] KOCK, A., AND G. B. WRAITH. Elementary Toposes, vol. 30 of
Aarhus Lecture Notes. Aarhus, 1971.
[50] KOPPERMAN, R. Model Theory and its Applications. Allyn and
Bacon, 1972.
[51] KRIPKE, S. A Completeness Theorem in Modal Logic. Journal of
Symbolic Logic 24 (1959), 1-14.
[52] KRIPKE, S. Semantic Analysis of Modal Logic I. Zeitschrift fur
Mathematische Logik und Grundlagen der Mathematik 9 (1963),
67-96.
[53] KRIPKE, S. Review of "Algebraic Semantics for Modal Logics,
Parts I and II". Mathematical Reviews 34 (1967), 5660-5661.
[54] LACHLAN, A. H. A Note on Thomason's Refined Structures for
Tense Logics. Theoria 40 (1974), 114-120.
[55] LAWVERE, F. W. Quantifiers and Sheaves. Actes des Congres
International des Mathematiques 1 (1970), 329-334.
[56] LAWVERE, F. W. Toposes, Algebraic Geometry, and Logic,
vol. 274 of Lecture Notes in Mathematics. Springer-Verlag, 1972.
[57] LEMMON, E. J. Algebraic Semantics for Modal Logics I. Journal
of Symbolic Logic 31 (1966), 46-65.
BIBLIOGRAPHY 263
[58] LEMMON, E. J. Algebraic Semantics for Modal Logics II. Journal

[59] LEMMON, E. J., AND D. SCOTT. Intensional Logic. Preliminary
draft of initial chapters by E. J. Lemmon, Stanford University
(finally published as An Introduction to Modal Logic, American
Philosophical Quarterly Monograph Series, no. 11 (ed. by Krister
Segerberg), Basil Blackwell, Oxford, 1977), July 1966.
[60] LOB, M. H. Solution of a Problem of Leon Henkin. The Journal
[61] MAC LANE, SAUNDERS. Sets, Topoi, and Internal Logic in Cate-
gories. In Logic Colloquium 1973, ed. H. E. Rose and J. C. Shep-
herdson. North-Holland, Amsterdam, 1975, pp. 119-134.
[62] MACLAREN, M. D. Atomic Orthocomplemented Lattices. Pacific
Journal of Mathematics 14 (1964), 597-612.
[63] MACNAB, D. S. An Algebraic Study of Modal Operators on
Heyting Algebras, with Applications to Topology and Sheafification.
PhD thesis, Aberdeen, 1976.
[64] MAEDA, F., AND S. MAEDA. Theory of Symmetric Lattices.
Springer-Verlag, Berlin, 1970.
[65] MAKINSON, D. C. A Generalisation of the Concept of Relational
Model for Modal Logic. Theoria 36 (1970), 331-335.
[66] MALCOLM, W. G. Ultraproducts and Higher Order Models. PhD
thesis, Victoria University of Wellington, 1972.
[67] McKiNSEY, J. C. C. A Solution of the Decision Problem for
the Lewis Systems S2 and S4 with an Application to Topology.
[68] MCKINSEY, J. C. C., AND A. TARSKI. Some Theorems about
the Sentential Calculi of Lewis and Heyting. Journal of Symbolic
Logic 13 (1948), 1-15.
[69] PAREIGIS, B. Categories and Functors. Academic Press, 1970.
[70] PARIKH, ROHIT. The Completeness of Propositional Dynamic
Logic. In Mathematical Foundations of Computer Science 1978.
Springer Verlag, 1978, pp. 403-415. Lecture Notes in Computer
Science 64.
[71] PRATT, V. R. Semantical Considerations on Floyd-Hoare Logic.
In Proceedings of the 17th Annual IEEE Symposium on Founda-
tions of Computer Science (October 1976), pp. 109-121.
[72] PRIOR, A. Past, Present, and Future. Clarendon Press, Oxford,

1967.
[73] RANDALL, C. H., AND D. J. FOULIS. An Approach to Empirical
Logic. American Mathematic Monthly 77 (1970), 363-374.
[74] RASIOWA, H., AND R. SIKORSKI. The Mathematics of Metamath-
ematics. PWN-Polish Scientific Publishers, Warsaw, 1963.
[75] ROBB, A. A. A Theory of Time and Space. Cambridge, 1914.
[76] ROBINSON, A. Non-Standard Analysis. North-Holland, 1966.
[77] ROBINSON, A. Germs. In Applications of Model Theory to Algebra,
Analysis, and Probability, ed. W. A. Luxembourg. Holt, Rinehart,
and Winston, 1969, pp. 138-149.
[78] SACKS, GERALD E. Saturated Model Theory. W. A. Bejamin,
Reading, Massachusetts, 1972.
[79] SAHLQVIST, H. Completeness and Correspondence in First and
Second Order Semantics for Modal Logic. In Proceedings of
the Third Scandinavian Logic Symposium, ed. S. Kanger. North-
Holland, 1975, pp. 110-143.
[80] SAMBIN, G., AND V. VACCARO. A New Proof of Sahlqvist's The-
orem on Modal Definability and Completeness. The Journal of
Symbolic Logic 54 (1989), 992-999.
[81] SCOTT, DANA. Continuous Lattices. In Toposes, Algebraic Ge-
ometry, and Logic, ed. F.W. Lawvere, vol. 274. Springer-Verlag,
1972. Lecture Notes in Mathematics, vol. 274.
[82] SCOTT, DANA. Lambda Calculus and Recursion Theory. In
Proceedings of the Third Scandinavian Logic Symposium, ed. Stig
Kanger. North-Holland, 1975, pp. 154-193.
[83] SEGERBERG, K. Decidability of S4.1. Theoria 34 (1968), 7-20.
[84] SEGERBERG, KRISTER. Prepositional Logics Related to Heyting's
and Johansson's. Theoria 34 (1968), 28-61.
[85] SEGERBERG, KRISTER. Modal Logics with Linear Alternative Re-
lations. Theoria 36 (1970), 301-322.
[86] SEGERBERG, KRISTER. An Essay in Classical Modal Logic, vol. 13
of Filosofiska Studier. Uppsala Universitet, 1971.
[87] SEGERBERG, KRISTER. A Completeness Theorem in the Modal
Logic of Programs. Notices of the American Mathematical Society
24 (1977), A-552.
BIBLIOGRAPHY 265
[88] SEGERBERG, KRISTER. A Completeness Theorem in the Modal

Logic of Programs. In Universal Algebra and Applications, ed.
T. Traczyck. PWN-Polish Scientific Publishers, Warsaw, 1982,
pp. 31-46. Banach Center Publications, vol. 9.
[89] SHEHTMAN, V. B. Modal Logics of Domains on the Real Plane.
Studia Logica 42 (1983), 63-80.
[90] SlKORSKl, R. Boolean Algebras, second ed. Springer-Verlag,
Berlin, 1964.
[91] SOLOVAY, R. Provability Interpretations of Modal Logic. Israel
Journal of Mathematics 25 (1976), 287-304.
[92] STONE, M. H. Topological Representation of Distributive Lat-
tices and Brouwerian Logics. Casopis pro Pestovani Matematiky
a Fysiky (1937), 1-25.
[93] TARSKI, A. Contributions to the Theory of Models III. Neder-
landse Aka. van Wetenschappen Proc. Ser. A 58 (1955), 56-64.
[94] THOMASON, R. H. Some Completeness Results for Modal Predi-
cate Calculi. In Philosophical Problems in Logic, ed. K. Lambert.
D. Reidel, 1970, pp. 56-76.
[95] THOMASON, S. K. Noncompactness in Propositional Modal Logic.
[96] THOMASON, S. K. Semantic Analysis of Tense Logic. Journal of
Symbolic Logic 37 (1972), 150-158.
[97] THOMASON, S. K. An Incompleteness Theorem in Modal Logic.
Theoria 40 (1974), 30-34.
[98] THOMASON, S. K. Categories of Frames for Modal Logic. Journal
[99] VAN BENTHEM, J. A. F. K. A Note on Modal Formulas and
Relational Properties. Journal of Symbolic Logic 40 (1975), 55-
58.
[100] VAN BENTHEM, J. A. F. K. Modal Correspondence Theory. PhD
thesis, University of Amsterdam, 1976.
[101] VAN BENTHEM, J. A. F. K. Modal Formulas are Either Elemen-
tary or not SA-Elementary. Journal of Symbolic Logic 41 (1976),
436-438.
[102] VAN BENTHEM, J. A. F. K. Some Kinds of Modal Completeness.
Studia Logica 39 (1980), 125-141.
[103] VAN BENTHEM, J. A. F. K. Modal Logic and Classical Logic.

Bibliopolis, Naples, 1983.
[104] VARADARAJAN, V. S. Geometry of Quantum Theory, vol. 1. Van
Nostrand, Princeton, 1968.
[105] WAND, MITCHELL. A New Incompleteness Result for Hoare's
System. Journal of the Association for Computing Machinery 25
(1978), 168-175.
Index
V-closed, 202 Box Lemma, 208, 225

V-complete, 202 Box Rule, 206, 217
Abstract Henkin Principle, 194 BR (Box Rule), 206, 217
admissible set, 92 Brouwerian logic, 89
algebraic semantics, 10
alternatives, 233 canonical frame, 16, 51,157, 234,
Ancestral Logic, 210 246
ancestral model, 204 first-order theory of, 249
Ancestral Rule, 205 canonical general frame, 254
arithmetically necessary, 105 canonical logic, 78, 231, 234, 243
atom, 236 canonical model, 158, 178, 234,
length of, 236 246
successor, 236 for AI, 228
atomic wff, 55 canonical orthomodel, 88
axiom system, 82 canonical quantum frame, 95
axioms, 12 canonical quantum model, 95
canonical site, 167
B, 89 canonical valuation, 16
Barcan formula, 201 CHA, 145
Bew, 105 character, 162
binary logic, 83 characterised, 15, 16
binary subtree, 239 closed under an inference, 193
Boolean expression, 175 cluster, 115
Boolean variable, 175 cofinal, 123
bounded cofinality, 141, 147, 159
epimorphic image, 244 colouring, 252
epimorphism, 244 command, 175
morphism, 244 Compactness Theorem, 31
quantifiers, 250 complete Hey ting algebra, 145
union, 244 complete logic, 155
267
completed ultraproduct, 76 descriptive frame, 34

completeness descriptive ultraproduct, 48
for first-order logic, 196 descriptive union, 48
for the Barcan Formula, 200 Detachment, 154, 177, 216
of infinitary logic, 199 determined, 15, 16, 86, 155, 246
completion, 75 simply, 31
components, 165 strongly, 31, 86
conjunctive deducibility relation, diagram, 202
196 direct family, 46
consistent, 13, 31, 84, 157, 178, direct limit, 46
192 directed frame, 114
L-, 234 disjoint union, 244
\-AI-, 221 DT (Deduction Theorem), 206,
finitely, 192 217
maximally, 192 duality, 42
maximally finitely, 192 dynamic logic, 189
constant wff, 55
Countable Henkin Principle, 195 EC, 61
CT (Cut Rule), 206, 217 ECA, 61
Cut Rule, 206, 217 elementarily equivalent, 74, 249
elementary class, 61, 249
d-persistent, 54 elementary logic, 243, 249
decidability elementary site, 131, 163
of J, 170 embedding, 21
of FN, 172 end of time, 128
of FPL, 187 end-point, 234
of 7C, 171 equational class, 47
of IK, 170 essentially atomic, 250
of 0, 93 Extension Lemma, 208, 223
decide an inference, 193 external logic, 174
deducibility relation, 192
conjunctive, 196 filter, 26, 144
finitary, 192 proper, 26
deducible, 178 filter-space, 144
I-/1-, 217 filtration, 92, 169, 182
Deduction Theorem, 178, 206, largest, 182
217 smallest, 182
deductively closed, 207 final point, 115
finitely, 208 finitary deducibility relation, 192
/1-elementary, 61 Finitary Program Logic, 185
dense frame, 139 finite intersection property, 26
derivable, 13, 84 finite model property, 91, 168
INDEX 269
finitely consistent, 192, 221 future-closed, 114

finitely deductively closed, 208 future-open box, 122
fip, 26
first-order frame, 18 G', 110
reduct of, 74 general frame, 253
first-order semantics, 18 canonical, 254
first-order theory, 249 generated subframe, 20, 114
FMP, 91 germ, 136
FN, 171 Grothendieck topology, 145
4, 107 Grz, 108
FPL, 185
fragment, 199 H, 183
frame, 18, 137 HA, 134
L-, 233 Henkin Principle
J-, 139 Abstract, 194
atomic, 254 Countable, 195
canonical, 16, 51, 157, 246 Henkin proof, 191
definably-closed, 254 hereditary, 19
dense, 139 hereditary set, 133
descriptive, 34 Heyting algebra, 134
directed, 114 complete, 145
first-order, 18 Heyting's intuitionistic logic, 154
full, 18, 253 homomorphic image, 21
full expansion of, 254 homomorphism, 21
general, 253
generated, 114, 233 /, 154
image-closed, 254 Iu, 207, 218
increasing, 137 J-sound, 216
iterated-image-closed, 254 1C, 168
Kripke, 15, 244 Id, 201
orthomodular, 101 idempotent, 151
pseudo-dense, 139 IK, 155
quantum, 94 IL, 105
real linear, 121 immediate successors, 116
refined, 34 Implication Rule, 206, 217
replete, 72 implies, 86
time-, 114 increasing frame, 137
trellis-like, 238 Ind, 204
frame homomorphism, 21 inference, 192
full expansion, 254 closed under an -, 193
full frame, 18, 253 decide an -, 193
full set, 84, 157 respect an -, 193
inflationary, 151 Localisation rule, 154

initial point, 114 locally equal, 148
interior operation, 135 locally true, 136
intermediate node, 117 logic, 13, 154, 177, 216
internal logic, 174 binary, 83
invariant, 173 canonical, 78, 231, 234, 243
inverse family, 43 elementary, 243, 249
inverse limit, 43 modal, 13
IR (Implication Rule), 206, 217 normal, 13, 154, 216, 233
irreflexive time, 128 quantum, 93
isomorphism, 21 super-complete, 53
Iteration Rule, 173 logically finite, 169
infinitary, 189
M, 65
J, 155 MA, 14
J-frame, 139 MAC, 62
J"-space, 144 maximal set, 13, 178
J"-system, 144 maximal theory, 222
maximally consistent, 192
K, 13, 201, 204, 216, 233 maximally finitely consistent, 192
/f-frame, 15 McK (=M), 234
K2, 128 McKinsey axiom, 231
K4M, 65, 256 MEC, 62
K4W, 107 metamathematics, 10
K-finite, 193 middle points, 238
KM, 65, 231 Minkowski spacetime, 121
KMT, 251 Mix, 204
Konig's Lemma, 186 modal algebra, 14
Kripke frame, 15, 244 modal axiomatic class, 47
modal elementary class, 47
largest filtration, 182 modal first-order logic, 200
Lemmon-Scott axiom, 59 modal logic, 13
length, 116 model, 175, 215, 233, 244
of an atom, 236 L-, 233
AI, 216 P-, 133
AZ-theoiy, 219 A-, 216
limit point, 139 ancestral, 204
Lindenbaum algebra, 15 canonical, 158, 246
Lindenbaum's Lemma, 84, 157, for modal first-order logic,
178, 192 201
local algebra, 151 on a space, 143
local operator, 151 quantum, 94
INDEX 271
standard, 177 positive wfF, 55

Modus Ponens, 13, 90 possible worlds, 16
monad, 137 primary node, 117
multiplicative, 151 prime, 157
principal type, 197
n-dimensional spacetime, 120 program letter, 175
n-type, 197 proof, 12, 82
natural transformation, 164 proper filter, 26
Necessitation, 13, 90, 201, 204, proposition, 16, 33
216, 233 proximity relation, 90
negation complete, 221 pseudo-complement, 134
neighbourhood, 136, 147 pseudo-dense frame, 139
punctured, 148, 153 pseudo-equational
topological, 147 sentence, 250
neighbourhood semantics, 143 theory, 250, 251
neighbourhood space, 143 punctured neighbourhood, 148,
normal logic, 13, 154, 216, 233 153
O, 83 Q, 93
omitting types, 197 quantum frame, 94
ordinary point, 118 canonical, 95
orthoframe, 86, 101 quantum logic, 93
orthogonal, 86 quantum model, 94
orthogonality relation, 86 canonical, 95
orthologic, 83
orthomodel, 86 r-persistent, 69
canonical, 88 real linear frame, 121
orthomodular, 101 reduct, 74
orthomodular frame, 101 refined frame, 34
relational semantics, 143
P (Peano Arithmetic), 105 relative pseudo-complement, 134
p-morphism, 114 replete frame, 72
p-Morphism Lemma, 114 respect an inference, 193
partial correctness, 173 rules of inference, 12
partial ordering, 115, 133
PC, 13, 206, 217 S4, 107, 250
PDL, 189 S4.2, 114
permanent assignment, 124 S4Grz, 107
_L-closed, 94 satisfaction, 201
Il-stable, 254 satisfiable, 31, 247
polynomial function, 14 saturated
poset, 133 (1,1-)-, 207
2-, 73 tense logic, 128

saturation, 247 Termination Rule, 177
second-order semantics, 18 theorem, 12, 13, 82, 84, 154
semantic consequence, 205 L-, 233
semantically equivalent, 16 theory
semantics AI-, 219
algebraic, 10 maximal AI-, 222
first-order, 18 smallest AI-, 229
second-order, 18 time-frame, 114
set-theoretic, 10 topological congruence, 149
set-theoretic semantics, 10 topology, 163
simply determined, 31 Trellis (Fig. 10.1), 234
site trellis-like frame, 238
canonical, 167 truth, 86
elementary, 163 truth in a model, 86, 176, 201,
slower-than-light, 127 204, 215, 233
smallest filtration, 182 truth-arrows, 162
sound,155 type, 197
spacetime omitting a -, 197
n-dimensional, 120 principal, 197
discrete, 130
Minkowski, 121 ultrafilter, 26
three-dimensional, 129 ultraproduct
special point, 118 completed, 76
stable descriptive, 48
H-, 254 of first-order frames, 28
standard model, 177 of Kripke frames, 26
strict ordering, 128 of modal algebras, 27
string, 55 ultraroots, 245
strongly determined, 31, 86 Uniform Substitution, 13
subframe, 19, 114, 244 upper order topology, 138
generated, 20, 114
Subframe Lemma, 114 valid
successor *-, 108
of an atom, 236 H-, 134
successors, 116 -, 150
immediate, 116 w*-, 110
super-complete, 53 j-, 164
in an orthoframe, 86
T, 106 on a JtT-frame, 16
TO topology, 135 on an algebra, 14
temporary assignment, 124 poset-, 134
INDEX 273
valuation, 176, 233, 244 canonical, 16

H-, 134 on a K-frame, 15
P-, 133 on a frame, 18
,-, 163
W, 107
CSLI Publications
Reports Principles of OBJ2 Kokichi Futatsugi,
Joseph A. Goguen, Jean-Pierre
The following titles have been published in Jouannaud, and Jose Meseguer
the CSLI Reports series. These reports CSLI-85-22
may be obtained from CSLI Publications,
Querying Logical Databases Moshe
Ventura Hall, Stanford, CA 94305-4115.
Vardi CSLI-85-23
Coordination and How to Computationally Relevant
Distinguish Categories Ivan Sag, Properties of Natural Languages
Gerald Gazdar, Thomas Wasow, and and Their Grammar Gerald Gazdar
Steven Weisler CSLI-84-3 and Geoff Pullum CSLI-85-24
Belief and Incompleteness Kurt An Internal Semantics for Modal
Konolige CSLI-84-4 Logic: Preliminary Report Ronald
Equality, Types, Modules and Fagin and Moshe Vardi CSLI-85-25
Generics for Logic Programming
The Situation in Logic-Ill:
Joseph Goguen and Jose Meseguer
Situations, Sets and the Axiom of
CSLI-84-5
Foundation Jon Barwise CSLI-85-26
Lessons from Bolzano Johan van
Benthem CSLI-84-6 Semantic Automata Johan van
Benthem CSLI-85-27
Self-propagating Search: A Unified
Theory of Memory Pentti Kanerva Restrictive and Non-Restrictive
CSLI-84-7 Modification Peter Sells CSLI-85-28
Reflection and Semantics in LISP Institutions: Abstract Model Theory
Brian CantweU Smith CSLI-84-8 for Computer Science J. A. Goguen
The Implementation of Procedurally and R. M. Burstall CSLI-85-30
Reflective Languages Jim des A Formal Theory of Knowledge and
Rivieres and Brian Cantwell Smith Action Robert C. Moore CSLI-85-31
CSLI-84-9 Finite State Morphology: A Review
Parameterized Programming Joseph of Koskenniemi (1983) Gerald
Goguen CSLI-84-10 Gazdar CSLI-85-32
Shifting Situations and Shaken The Role of Logic in Artificial
Attitudes Jon Barwise and John Intelligence Robert C. Moore
Perry CSLI-84-13 CSLI-85-33
Completeness of Many-Sorted Applicability of Indexed Grammars
Equational Logic Joseph Goguen to Natural Languages Gerald
and Jose Meseguer CSLI-84-15 Gazdar CSLI-85-34
Moving the Semantic Fulcrum Terry
Commonsense Summer: Final
Winograd CSLI-84-17
Report Jerry R. Hobbs, et al
On the Mathematical Properties of CSLI-85-35
Linguistic Theories C. Raymond
Perrault CSLI-84-18 Limits of Correctness in Computers
Brian Cantwell Smith CSLI-85-36
A Simple and Efficient
Implementation of Higher-order The Coherence of Incoherent
Functions in LISP Michael P. Discourse Jerry R. Hobbs and
Georgeff and Stephen F. Bodnar Michael H. Agar CSLI-85-38
CSLI-84-19 A Complete, Type-free
On the Axiomatization of "Second-order" Logic and Its
"if-then-else" Irene Guessarian and Philosophical Foundations
Jose Meseguer CSLI-85-20 Christopher Menzel CSLI-86-40
The Situation in Logic-II: Possible-world Semantics for
Conditionals and Conditional Autoepistemic Logic Robert C.
Information Jon Barwise CSLI-84-21 Moore CSLI-85-41
Deduction with Many-Sorted What is Intention? Michael E.
Rewrite Jose Meseguer and Joseph Bratman CSLI-86-69
A. Goguen CSLI-85-42 The Correspondence Continuum
On Some Formal Properties of Brian Cantwell Smith CSLI-87-71
Metarules Hans Uszkoreit and The Role of Prepositional Objects of
Stanley Peters CSLI-85-43 Belief in Action David J. Israel
Language, Mind, and Information CSLI-87-72
John Perry CSLI-85-44 Two Replies Jon Barwise CSLI-87-74
Constraints on Order Hans Uszkoreit Semantics of Clocks Brian Cantwell
CSLI-86-46 Smith CSLI-87-75
Linear Precedence in Discontinuous The Parts of Perception Alexander
Constituents: Complex Fronting Pentland CSLI-87-77
in German Hans Uszkoreit The Situated Processing of Situated
CSLI-86-47 Language Susan Stucky CSLI-87-80
A Compilation of Papers on Muir: A Tool for Language Design
Unification-Based Grammar Terry Winograd CSLI-87-81
Formalisms, Parts I and II Stuart Final Algebras, Cosemicomputable
M. Shieber, Fernando C.N. Pereira, Algebras, and Degrees of
Lauri Karttunen, and Martin Kay Unsolvability Lawrence S. Moss, Jose
CSLI-86-48 Meseguer, and Joseph A. Goguen
Noun-Phrase Interpretation Mats CSLI-87-82
Rooth CSLI-86-51 The Synthesis of Digital Machines
Noun Phrases, Generalized with Provable Epistemic
Quantifiers and Anaphora Jon Properties Stanley J. Rosenschein
Barwise CSLI-86-52 and Leslie Pack Kaelbling CSLI-87-83
Circumstantial Attitudes and An Architecture for Intelligent
Benevolent Cognition John Perry Reactive Systems Leslie Pack
CSLI-86-53 Kaelbling CSLI-87-85
A Study in the Foundations of Modular Algebraic Specification of
Programming Methodology: Some Basic Geometrical
Specifications, Institutions, Constructions Joseph A. Goguen
Charters and Parchments Joseph CSLI-87-87
A. Goguen and R. M. Burstall Persistence, Intention and
CSLI-86-54 Commitment Phil Cohen and Hector
Intentionality, Information, and Levesque CSLI-87-88
Matter Ivan Blair CSLI-86-56 Rational Interaction as the Basis for
Computer Aids for Comparative Communication Phil Cohen and
Dictionaries Mark Johnson Hector Levesque CSLI-87-89
CSLI-86-58 Models and Equality for Logical
A Sheaf-Theoretic Model of Programming Joseph A. Goguen and
Concurrency Luis F. Monteiro and Jose Meseguer CSLI-87-91
Fernando C. N. Pereira CSLI-86-62 Order-Sorted Algebra Solves the
Tarski on Truth and Logical Constructor-Selector, Mulitple
Representation and Coercion
Consequence John Etchemendy
Problems Joseph A. Goguen and Jose
CSLI-86-64
Meseguer CSLI-87-92
Categorial Unification Grammars Extensions and Foundations for
Hans Uszkoreit CSLI-86-66 Object-Oriented Programming
Generalized Quantifiers and Plurals Joseph A. Goguen and Jose Meseguer
Godehard Link CSLI-86-67 CSLI-87-93
Radical Lexicalism Lauri Karttunen L3 Reference Manual: Version 2.19
CSLI-86-68 William Poser CSLI-87-94
Change, Process and Events Carol B. Dispositional Logic and
Cleland CSLI-88-95 Commonsense Reasoning L. A.
One, None, a Hundred Thousand Zadeh CSLI-88-117
Specification Languages Joseph A. Intention and Personal Policies
Goguen CSLI-87-96 Michael Bratman CSLI-88-118
Constituent Coordination in HPSG Unification and Agreement Michael
Derek Freudian and David Goddeau Barlow CSLI-88-120
CSLI-87-97 Extended Categorial Grammar Suson
A Language/Action Perspective on Yoo and Kiyong Lee CSLI-88-121
the Design of Cooperative Work Unaccusative Verbs in Dutch and
Terry Winograd CSLI-87-98 the Syntax-Semantics Interface
Implicature and Definite Reference Annie Zaenen CSLI-88-123
Jerry R. Hobbs CSLI-87-99 Types and Tokens in Linguistics
Situation Semantics and Semantic Sylvain Bromberger CSLI-88-125
Interpretation in Determination, Uniformity, and
Constraint-based Grammars Relevance: Normative Criteria
Per-Kristian Halvorsen CSLI-87-101 for Generalization and Reasoning
Category Structures Gerald Gazdar, by Analogy Todd Davies
Geoffrey K. Pullum, Robert Carpenter, CSLI-88-126
Ewan Klein, Thomas E. Hukari, Modal Subordination and
Robert D. Levine CSLI-87-102 Pronominal Anaphora in
Cognitive Theories of Emotion Discourse Craige Roberts
Ronald Alan Nash CSLI-87-103 CSLI-88-127
Toward an Architecture for The Prince and the Phone Booth:
Resource-bounded Agents Martha Reporting Puzzling Beliefs Mark
E. Pollack, David J. Israel, and Crimmins and John Perry
Michael E. Bratman CSLI-87-104 CSLI-88-128
On the Relation Between Default Set Values for Unification-Based
and Autoepistemic Logic Kurt Grammar Formalisms and Logic
Konolige CSLI-87-105 Programming William Rounds
CSLI-88-129
Three Responses to Situation
Theory Terry Winograd CSLI-87-106 Fifth Year Report of the Situated
Language Research Program
Subjects and Complements in HPSG CSLI-88-130
Robert Borsley CSLI-87-107 Locative Inversion in Chichewa: A
Tools for Morphological Analysis Case Study of Factorization in
Mary Dalrymple, Ronald M. Kaplan, Grammar Joan Bresnan and Jonni
Lauri Karttunen, Kimmo Koskenniemi, M. Kanerva CSLI-88-131
Saini Shaio, Michael Wescoat An Information-Based Theory of
CSLI-87-108
Agreement Carl Pollard and Ivan
Fourth Year Report of the Situated A. Sag CSLI-88-132
Language Research Program Relating Models of Polymorphism
CSLI-87-111 Jose Meseguer CSLI-88-133
Events and "Logical Form" Stephen Psychology, Semantics, and Mental
Neale CSLI-88-113 Events under Descriptions Peter
Backwards Anaphora and Discourse Ludlow CSLI-89-135
Structure: Some Considerations Mathematical Proofs of Computer
Peter Sells CSLI-87-114 System Correctness Jon Barwise
Toward a Linking Theory of CSLI-89-136
Relation Changing Rules in LFG The X-bar Theory of Phrase
Lori Levin CSLI-87-115 Structure Andras Kornai and
Fuzzy Logic L. A. Zadeh CSLI-88-116 Geoffrey K. Pullum CSLI-89-137
Discourse Structure and Sheaf Semantics for Concurrent
Performance Efficiency in Interacting Objects Joseph
Interactive and Noninteractive A. Goguen CSLI-91-155
Spoken Modalities Sharon L. Oviatt Communication and Strategic
and Philip R. Cohen CSLI-90-138 Inference Prashant Parikh
The Contributing Influence of CSLI-91-156
Speech and Interaction on Some Shared Cooperative Activity Michael
Aspects of Human Discourse E. Bratman CSLI-91-157
Sharon L. Oviatt and Philip R. Cohen
CSLI-90-139 Practical Reasoning and Acceptance
in a Context Michael E. Bratman
The Connectionist Construction of CSLI-91-158
Concepts Adrian Cussins
CSLI-90-140 Planning and the Stability of
Sixth Year Report CSLI-90-141 Intention Michael E. Bratman
CSLI-91-159
Categorical Grammar Meets
Unification Johan van Benthem Logic and the Flow of Information
CSLI-90-142 Johan van Benthem CSLI-91-160
Point of View Edit Doron CSLI-90-143 Learning HCI Design: Mentoring
Project Groups in a Course on
Modal Logic as a Theory of Human-Computer Interaction
Information Johan van Benthem Brad Hartfield, Terry Winograd, and
CSLI-90-144 John Bennett CSLI-91-161
What Is Information? David Israel and How to Read Winograd's & Flores's
John Perry CSLI-91-145 Understanding Computers and
Fodor and Psychological Cognition Hugh McGuire
Explanations John Perry and David CSLI-92-162
Israel CSLI-91-146 In Support of a Semantic Account of
Decision Problems for Propositional Resultatives Adele E. Goldberg
Linear Logic Patrick Lincoln, John CSLI-92-163
Mitchell, Andre Scedrov, and Augmenting Informativeness and
Natarajan Shankar CSLI-91-147 Learnability of Items in Large
Annual Report 1989-90 CSLI-91-148 Computer Networks Clarisse S. de
Overloading Intentions for Efficient Souza CSLI-92-164
Practical Reasoning Martha Computers, Ethics, and Social
E. Pollack CSLI-91-149 Responsibility Terry Winograd
Introduction to the Project on CSLI-92-165
People, Computers, and Design A Semiotic Approach to User
Terry Winograd CSLI-91-150 Interface Language Design Clarisse
Ecological Psychology and Dewey's S. de Souza CSLI-92-166
Theory of Perception Tom Burke 1991 Annual Report CSLI-92-167
CSLI-91-151
Romance is so complex Christopher
The Language/Action Approach to Manning CSLI-92-168
the Design of Computer-Support
for Cooperative Work Finn Kensing Types, Tokens and Templates David
and Terry Winograd CSLI-91-152 M. Levy and Kenneth R. Olson
CSLI-92-169
The Absorption Principle and
E-Type Anaphora Jean Mark A System of Dynamic Modal Logic
Gawron, John Nerbonne, and Stanley Maarten de Rijke CSLI-92-170
Peters CSLI-91-153 Situation Theory and the Design of
Ellipsis and Higher-Order Interactive Information Systems
Unification Mary Dalrymple, Stuart Keith Devlin CSLI-92-171
M. Shieber, and Fernando Logic as Programming Johan van
C. N. Pereira CSLI-91-154 Benthem CSLI-92-172
An Architecture for Tuning Rules Word Order and Constituent Structure in
and Cases Yoshio Nakatami and German. Hans Uszkoreit. Lecture
David Israel CSLI-92-173 Notes No. 8. 0-937073-10-5 (paper),
The Linguistic Information in 0-937073-09-1 (cloth)
Dynamic Discourse Megumi Color and Color Perception: A Study in
Kameyama CSLI-92-174 Anthropocentric Realism. David
Epsilon Substitution Method for Russel Hilbert. Lecture Notes No. 9.
Elementary Analysis Grigori Mints 0-937073-16-4 (paper), 0-937073-15-6
and Sergei Tupailo CSLI-93-175 (cloth)
Information Spreading and Levels of Prolog and Natural-Language Analysis.
Representation in LFG Avery D. Fernando C. N. Pereira and Stuart M.
Andrews and Christopher D. Manning Shieber. Lecture Notes No. 10.
CSLI-93-176 0-937073-18-0 (paper), 0-937073-17-2
1992 Annual Report CSLI-93-177 (cloth)
Working Papers in Grammatical Theory
Lecture Notes and Discourse Structure: Interactions
The titles in this series are distributed by of Morphology, Syntax, and Discourse.
the University of Chicago Press and may M. lida, S. Wechsler, and D. Zee
be purchased in academic or university (Eds.) with an Introduction by Joan
bookstores or ordered directly from the Bresnan. Lecture Notes No. 11.
distributor at 11030 South Langley 0-937073-04-0 (paper), 0-937073-25-3
Avenue, Chicago, IL 60628 (USA) or by (cloth)
phone 1-800-621-2736, (312)568-1550.
Natural Language Processing in the 1980s:
A Manual of Intentional Logic. Johan van A Bibliography. Gerald Gazdar, Alex
Benthem, second edition, revised and Franz, Karen Osborne, and Roger
expanded. Lecture Notes No. 1. Evans. Lecture Notes No. 12.
0-937073-29-6 (paper), 0-937073-30-X 0-937073-28-8 (paper), 0-937073-26-1
(cloth) (cloth)
Emotion and Focus. Helen Fay Information-Based Syntax and Semantics.
Nissenbaum. Lecture Notes No. 2. Carl Pollard and Ivan Sag. Lecture
0-937073-20-2 (paper) Notes No. 13. 0-937073-24-5 (paper),
Lectures on Contemporary Syntactic 0-937073-23-7 (cloth)
Theories. Peter Sells. Lecture Notes
No. 3. 0-937073-14-8 (paper), Non-Weil-Founded Sets. Peter Aczel.
Lecture Notes No. 14. 0-937073-22-9
0-937073-13-X (cloth)
(paper), 0-937073-21-0 (cloth)
An Introduction to Unification-Based
Approaches to Grammar. Stuart M. Partiality, Truth and Persistence. Tore
Shieber. Lecture Notes No. 4. Langhohn. Lecture Notes No. 15.
0-937073-00-8 (paper), 0-937073-01-6 0-937073-34-2 (paper), 0-937073-35-0
(cloth) (cloth)
The Semantics of Destructive Lisp. Ian Attribute-Value Logic and the Theory of
A. Mason. Lecture Notes No. 5. Grammar. Mark Johnson. Lecture
0-937073-06-7 (paper), 0-937073-05-9 Notes No. 16. 0-937073-36-9 (paper),
(cloth) 0-937073-37-7 (cloth)
An Essay on Facts. Ken Olson. Lecture
Notes No. 6. 0-937073-08-3 (paper), The Situation in Logic. Jon Barwise.
0-937073-05-9 (cloth) Lecture Notes No. 17. 0-937073-32-6
(paper), 0-937073-33-4 (cloth)
Logics of Time and Computation. Robert
Goldblatt, second edition, revised and The Linguistics of Punctuation. Geoff
expanded. Lecture Notes No. 7. Nunberg. Lecture Notes No. 18.
0-937073-94-6 (paper), 0-937073-93-8 0-937073-46-6 (paper), 0-937073-47-4
(cloth) (cloth)
Anaphora and. Quantification in Situation Linguistic Individuals. Ahnerindo E.
Semantics. Jean Mark Gawron and Ojeda. Lecture Notes No. 31.
Stanley Peters. Lecture Notes No. 19. 0-937073-84-9 (paper), 0-937073-85-7
0-937073-48-4 (paper), 0-937073-49-0 (cloth)
(cloth) Computer Models of American Speech. M.
Prepositional Attitudes: The Role of Margaret Withgott and Prancine R.
Content in Logic, Language, and. Chen. Lecture Notes No. 32.
Mind. C. Anthony Anderson and 0-937073-98-9 (paper), 0-937073-97-0
Joseph Owens. Lecture Notes No. 20. (cloth)
0-937073-50-4 (paper), 0-937073-51-2 Verbmobil: A Translation System for
(cloth) Face-to-Face Dialog. Martin Kay,
Literature and Cognition. Jerry R. Hobbs. Mark Gawron, and Peter Norvig.
Lecture Notes No. 21. 0-937073-52-0 Lecture Notes No. 33. 0-937073-95-4
(paper), 0-937073-53-9 (cloth) (paper), 0-937073-96-2 (cloth)
The Language of First-Order Logic
Situation Theory and Its Applications, (including the Windows program,
Vol. 1. Robin Cooper, Kuniaki Mukai, Tarski's World). Jon Barwise and
and John Perry (Eds.). Lecture Notes John Etchemendy, third edition,
No. 22. 0-937073-54-7 (paper),
revised and expanded. Lecture Notes
0-937073-55-5 (cloth) No. 34. 0-937073-90-3 (paper)
The Language of First-Order Logic Turing's World. Jon Barwise and John
(including the Macintosh program, Etchemendy. Lecture Notes No. 35.
Tarski's World). Jon Barwise and 1-881526-10-0 (paper)
John Etchemendy, second edition,
revised and expanded. Lecture Notes Syntactic Constraints on Anaphoric
No. 23. 0-937073-74-1 (paper) Binding. Mary Dalrymple. Lecture
Notes No. 36. 1-881526-06-2 (paper),
Lexical Matters. Ivan A. Sag and Anna 1-881526-07-0 (cloth)
Szabolcsi, editors. Lecture Notes
No. 24. 0-937073-66-0 (paper), Situation Theory and Its Applications,
Vol. S. Peter Aczel, David Israel,
0-937073-65-2 (cloth)
Yasuhiro Katagiri, and Stanley Peters,
Tarski's World. Jon Barwise and John editors. Lecture Notes No. 37.
Etchemendy. Lecture Notes No. 25. 1-881526-08-9 (paper), 1-881526-09-7
0-937073-67-9 (paper) (cloth)
Situation Theory and Its Applications, Theoretical Aspects of Bantu Grammar.
Vol. 2. Jon Barwise, J. Mark Gawron, Mchombo, editor. Lecture Notes
Gordon Plotkin, Syun Tutiya, editors. No. 38. 0-937073-72-5 (paper),
Lecture Notes No. 26. 0-937073-70-9 0-937073-73-3 (cloth)
(paper), 0-937073-71-7 (cloth) Logic and Representation. Robert C.
Literate Programming. Donald E. Knuth. Moore. Lecture Notes No. 39.
Lecture Notes No. 27. 0-937073-80-6 1-881526-15-1 (paper), 1-881526-16-X
(paper), 0-937073-81-4 (cloth) (cloth)
Meanings of Words and Contextual
Normalization, Cut-Elimination and the Determination of Interpretation. Paul
Theory of Proofs. A. M. Ungar. Kay. Lecture Notes No. 40.
Lecture Notes No. 28. 0-937073-82-2 1-881526-17-8 (paper), 1-881526-18-6
(paper), 0-937073-83-0 (cloth) (cloth)
Lectures on Linear Logic. A. S. TVoelstra. Language and Learning for Robots.
Lecture Notes No. 29. 0-937073-77-6 Colleen Crangle and Patrick Suppes.
(paper), 0-937073-78-4 (cloth) Lecture Notes No. 41. 1-881526-19-4
A Short Introduction to Modal Logic. (paper), 1-881526-20-8 (cloth)
Grigori Mints. Lecture Notes No. 30. Hyperproof. Jon Barwise and John
0-937073-75-X (paper), 0-937073-76-8 Etchemendy. Lecture Notes No. 42.
(cloth) 1-881526-11-9 (paper)
Mathematics of Modality. Robert On What We Know We Don't Know.
Goldblatt. Lecture Notes No. 43. Sylvain Bromberger. 0-226-075400
1-881526-23-2 (paper), 1-881526-24-0 (paper), (cloth)
(cloth) The Proceedings of the Twenty-fourth
Feature Logics, Infinitary Descriptions, Annual Child Language Research
and Grammar. Bill Keller. Lecture Forum. Eve V. Clark, editor.
Notes No. 44. 1-881526-25-9 (paper), 1-881526-05-4 (paper), 1-881526-04-6
1-881526-26-7 (cloth) (cloth)
Japanese/Korean Linguistics, Vol. 2.
Other CSLI Titles Patricia M. Clancy, editor.
1-881526-13-5 (paper), 1-881526-14-3
Distributed by UCP (cloth)
Agreement in Natural Language: Arenas of Language Use. Herbert H.
Approaches, Theories, Descriptions. Clark. 0-226-10782-5 (paper), (cloth)
Michael Barlow and Charles A. Japanese/Korean Linguistics, Vol. 3.
Ferguson, editors. 0-937073-02-4 Sonja Choi, editor. 1-881526-21-6
(cloth) (paper), 1-881526-22-4 (cloth)
Papers from the Second International The Proceedings of the Eleventh West
Workshop on Japanese Syntax. Coast Conference on Formal
William J. Poser, editor. Linguistics (WCCFL 11).
0-937073-38-5 (paper), 0-937073-39-3 1-881526-12-7 (paper)
(cloth)
The Proceedings of the Seventh West Books Distributed by
Coast Conference on Formal
Linguistics (WCCFL 7). CSLI
0-937073-40-7 (paper) The Proceedings of the Third West Coast
The Proceedings of the Eighth West Coast Conference on Formal Linguistics
Conference on Formal Linguistics (WCCFL 3). 0-937073-44-X (paper)
(WCCFL 8). 0-937073-45-8 (paper) The Proceedings of the Fourth West Coast
The Phonology-Syntax Connection. Conference on Formal Linguistics
Sharon Inkelas and Draga Zee (Eds.) (WCCFL 4). 0-937073-43-1 (paper)
(co-published with The University of The Proceedings of the Fifth West Coast
Chicago Press). 0-226-38100-5 Conference on Formal Linguistics
(paper), 0-226-38101-3 (cloth) (WCCFL 5). 0-937073-42-3 (paper)
The Proceedings of the Ninth West Coast The Proceedings of the Sixth West Coast
Conference on Formal Linguistics Conference on Formal Linguistics
(WCCFL 9). 0-937073-64-4 (paper) (WCCFL 6). 0-937073-31-8 (paper)
Japanese/Korean Linguistics. Hajime Hausar Yau Da Kullum: Intermediate
Hoji, editor. 0-937073-57-1 (paper), and Advanced Lessons in Hausa
0-937073-56-3 (cloth) Language and Culture. William R.
Experiencer Subjects in South Asian Leben, Ahmadu Bello Zaria, Shekarau
Languages. Manindra K. Verma and B. Maikafi, and Lawan Danladi Yalwa.
K. P. Mohanan, editors. 0-937073-68-7 (paper)
0-937073-60-1 (paper), 0-937073-61-X Hausar Yau Da Kullum Workbook.
(cloth) William R. Leben, Ahmadu Bello
Grammatical Relations: A Zaria, Shekarau B. Maikafi, and Lawan
Cross-Theoretical Perspective. Danladi Yalwa. 0-93703-69-5 (paper)
Katarzyna Dziwirek, Patrick Farrell,
Errapel Mejias Bikandi, editors. Ordering Titles
0-937073-63-6 (paper), 0-937073-62-8
(cloth) Distributed by CSLI
The Proceedings of the Tenth West Coast Titles distributed by CSLI may be ordered
Conference on Formal Linguistics directly from CSLI Publications, Ventura
(WCCFL 10). 0-937073-79-2 (paper) Hall, Stanford, CA 94305-4115 or by
phone (415)723-1712, (415)723-1839. United Kingdom, Europe, Middle
Orders can also be placed by FAX East, and Africa (except South
(415)723-0758 or e-mail Africa): International Book Distributors,
(pubscsli .stanford.edu). Ltd., 66 Wood Lane End, Hemel
Hempstead HP4 3RG, England.
All orders must be prepaid by check or Telephone: 0442 231555. FAX: 0442
Visa or MasterCard (include card name, 55618.
number, and expiration date). California
residents add 8.25% sales tax. For Australia, New Zealand, South
shipping and handling, add $2.50 for first Pacific, Eastern Europe, South
book and $0.75 for each additional book; Africa, and India: The University of
$1.75 for first report and $0.25 for each Chicago Press, Foreign Sales Manager,
additional report. 5801 South Ellis Avenue, Chicago, Illinois
60637 U.S.A. Telephone: (312)702-0289.
For overseas shipping, add $4.50 for first FAX: (312)702-9756.
book and $2.25 for each additional book;
$2.25 for first report and $0.75 for each Japan: Libraries and individuals should
additional report. All payments must be place their orders with local booksellers.
made in U.S. currency. Booksellers should place orders with our
agent: United Publishers Services, Ltd.,
Kenkyu-sha Building, 9 Kanda Surugadai
Overseas Orders 2-chome, Chiyoda-ku, Tokyo, Japan.
The University of Chicago Press has Telephone: (03)291-4541.
offices worldwide which serve the China (PRC), Hong Kong, and
international community. Southeast Asia: Peter Ho Hing Leung,
Canada: David Simpson, 164 Hillsdale The America University Press Group,
Avenue East, Toronto, Ontario M4S ITS, P.O. Box 24279, Aberdeen Post Office,
Canada. Telephone: (416) 484-8296. Hong Kong.
Mexico, Central America, South Korea and Taiwan (ROC): The
America, and the Caribbean American University Press Group,
(including Puerto Rico): EDIREP, 3-21-18-206 Higashi-Shinagawa,
5500 Ridge Oak Drive, Austin, Texas Shinagawa-ku, Tokyo, 140 Japan.
78731 U. S. A. Telephone: (512)451-4464. Telephone: (813)450-2857. FAX:
(813)472-9706.

Mathematics of Modality

Uploaded by

Copyright:

Available Formats

Mathematics of Modality

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Mathematics of Modality

Uploaded by

Copyright:

Available Formats

What is the book about based on the contents?

What is the book about based on the contents?

What organization founded CSLI and where are its headquarters located?

What organization founded CSLI and where are its headquarters located?

MATHEMATICS OF MODALITY

CSLI Lecture Notes No. 43

"Metamathematics of Modal Logic" originally appeared in Reports on Mathematical

Modal logic is the study of modalitieslogical operations that qualify

propositioned logic. Other articles are concerned with quantum logic,

the logic of ortholattices, using orthogonality (irreflexive symmetric)

4. Arithmetical Necessity, Provability and Intuitionistic Logic

5. Diodorean Modality in Minkowski Spacetime

6. Grothendieck Topology as Geometric Modality

7. The Semantics of Hoare's Iteration Rule

8. An Abstract Setting for Henkin Proofs

The McKinsey axiom is the simplest formula not belonging to a very

11. Elementary Logics are Canonical and Pseudo-Equational

Introduction and Summary

Introduction and Summary

as the foundations of physics (quantum logic) and the study of natural

VUW, and in particular Professor W. G. Malcolm, I am indebted for

for each wff a, either a F or -<a 6 F. We denote by WA the class of

1.2 Modal Algebras and Kripke Frames

a is valid on 21 (21 j= a) iff h* = 1 identically on 21 (i.e. h* takes the

A logic A is said to be determined or characterised by a class

AA = {\\a\\A '&&$}, where

A proof that %A is well defined, characterises /I, and is an MA if 7l is a

(iv) x V(Oa) iff for some y, xRy and y e V(a).

The intuitive content of 1.2.4 is that W is a set of "possible worlds" or

1.3 First-Order Frames

That F+ satisfies 1.2.1 is easily checked. Note that

Proof. By induction on the length of a, using 1.2.1, 1.2.4, and 1.3.1 as

Now Makinson's models involve a restriction on those subsets of a

Definition 1.4.5 If F = (W,R,P) and F = (W',R',P') are frames,

the unit element of P+). By 1.4.5(iii), for 1 < i < n there is Si P

ii P 2W then the identity map from (W,R,2W) to (W,R,P) is a

Theorem 1.5.4 // Q : ? > T' is a homomorphism, a(pi, . . . ,pn) e <i>,

Proo/. By induction on the length of a, using 1.5.2. Note that 1.5.1(3)

Corollary 1.5.5 // F ^ T and T \= a then T' \= a.

(4) Follows from (1) - (3). D

1.6 Disjoint Unions

Theorem 1.6.3 // a(pi . . . ,p n ) e <P , ond S,- = Uie/5J' P for 1 <

Proof. By induction on a using 1.6.2. D

(Si , . . . , ) = \JieIht?(Su,...,SnJ (1.6.3)

with ultraproducts of MA's are in fact ultraproducts themselves, and

Intuitively, the elements of the ultrafilter G may be thought of as

mo-(i) = mi(a(i)), for a,0

where \\Ai/G is defined as in 1.7.3, and

Now suppose not a ~ 9. Then A G. Suppose B G. Then for

Definition 1.7.6 Let Fi (W;,P^,P;) be a first-order frame, for all

(7>y 1.7.5 this definition is unambiguous). The ultraproduct of the

Corollary 1.7.10 // each fi is embeddable in T[, FG is embeddable in

Corollary 1.7.11 If each Ti is (isomorphic to) a subframe of f(, then

Theorem 1.7.12 Let fi be a first-order frame, all i /, and G an

f ( i ) = fi, <r(i) = o-i, all i i A, then {i : J ( i ) ha* (a(i))} C A, so by

1.8 Compactness and Semantic Consequence

Definition 1.8.1 Let be a class of frames, F C <, and a 6 <. Then

Proof. (1) Sufficiency is trivial. For the converse, let I {i :

Corollary 1.8.6 If A is a modal logic and <L is closed under ultraprod-

1.9 Descriptive Frames