Observational Semantics for Dynamic Logic with Binders

The dynamic logic with binders D↓ was recently introduced as a suitable formalism to support a rigorous stepwise development method for reactive software. The commitment of this logic concerning bisimulation equivalence is, however, not satisfactory: the model class semantics of specifications in D↓ is not closed under bisimulation equivalence; there are D↓-sentences that distinguish bisimulation equivalent models, i.e., D↓ does not enjoy the modal invariance property. This paper improves on these limitations by providing an observational semantics for dynamic logic with binders. This involves the definition of a new model category and of a more relaxed satisfaction relation. We show that the new logic D↓∼ enjoys modal invariance and even the Hennessy-Milner property. Moreover, the new model category provides a categorical characterisation of bisimulation equivalence by observational isomorphism. Finally, we consider abstractor semantics obtained by closing the model class of a specification SP in D↓ under bisimulation equivalence. We show that, under mild conditions, abstractor semantics of SP in D↓ is the same as observational semantics of SP in D↓∼.


Introduction
The study of logics and formal methods for the rigorous development of reactive systems, i.e. systems which interact with their environment during the computation [1], is an active topic of research. Dynamic logic with binders, called D↓-logic, has been introduced in [7] as a logical framework which allows one to express properties of reactive systems, from abstract safety and liveness requirements down to concrete specifications of the (recursive) structure of executable processes. D↓-logic combines in the same formalism modalities indexed by regular expressions of actions, as in Dynamic Logic [6], with the binders of Hybrid Logic [4], which bind state variables to particular states and thus allow us to specify concrete processes. We have shown in [7] how the whole development process of reactive systems can be supported by stepwise refinement of D↓-specifications whose models are labelled transition systems with an initial state.
However, the satisfaction relation used in D↓ and its notion of isomorphism, the categorical formalisation of identity among objects, are too strict to allow proper behavioural abstraction. As is well known, bisimulation equivalence is usually adopted to identify behaviourally equivalent systems. However, this is not reflected in the model category of D↓, where model classes are closed under isomorphism but, in general, not under bisimulation equivalence. Thus D↓-logic does not enjoy the modal invariance property, which requires that bisimilar models satisfy exactly the same logical sentences.
To find a solution, we draw an analogy to algebraic specifications of data types: equational and first-order logic specifications generally do not support abstraction w.r.t. behaviourally equivalent data structures. This fact led to a significant number of studies proposing different solutions; see Chap. 8 in [10] for a summary. One idea, originally proposed by Reichel in [9], was to relax the satisfaction relation of first-order logic such that equations are not necessarily interpreted by set-theoretic equality but by observational equality of elements; see, e.g., [5,2]. We take up this idea and propose, in Sect. 3, a new logic, called D↓∼, which has the same sentences and models as D↓ but more relaxed notions of satisfaction and model morphism. The idea of satisfaction in D↓∼, called observational satisfaction, is that state variables x occurring in a formula can be interpreted by arbitrary states as long as they are bisimilar to the state to which x was bound before. This leads to the observational semantics of a specification SP, consisting of all models which observationally satisfy the axioms of SP. Model morphisms in D↓∼, called observational morphisms, capture the idea of simulation. We show that observational satisfaction of positive sentences is preserved by observational morphisms. Moreover, we show that models which are observationally isomorphic observationally satisfy the same sentences, i.e. we get modal invariance of sentences w.r.t. satisfaction and isomorphism in D↓∼. In Sect. 4, we study the relationship between isomorphism in D↓∼ and bisimulation equivalence and prove that both concepts are indeed equivalent. Thus, we get (i) a categorical characterisation of bisimulation equivalence and (ii) the modal invariance property w.r.t. observational satisfaction and bisimulation equivalence, which solves the problem discussed above. But the new logic D↓∼ allows us to go even a step further: we prove a Hennessy-Milner Theorem which shows that two image finite models satisfy in D↓∼ the same sentences if and only if they are bisimilar, which in turn is equivalent to being isomorphic in D↓∼.
In Sect. 5, we compare observational semantics of specifications in D↓∼ with another possibility for behavioural abstraction called abstractor semantics. The idea of abstractor semantics goes again back to algebraic specifications, where Sannella and Tarlecki have proposed to abstract from the "standard" model class of a specification by taking its closure under an appropriate equivalence relation; see [10]. For reactive system specifications this means that we consider our original D↓-logic, specifications over D↓ and their model classes (in terms of satisfaction in D↓), but then abstract from a specification's model class by closing it under bisimulation equivalence. We show that observational semantics and abstractor semantics of reactive system specifications can be related completely analogously to what has been done for algebraic specifications of data types in [3]. We show that both semantics coincide if and only if any model of a specification SP interpreted in D↓ is also a model when SP is interpreted in

D↓-Logic: Background and Motivations

Overview on D↓
This section reviews D↓-logic as introduced in [7] and additionally proves that satisfaction in D↓ is preserved by isomorphism. D↓-logic is designed to express properties of reactive systems, from abstract safety and liveness properties down to concrete ones specifying the (recursive) structure of processes. It thus combines modalities indexed by regular expressions of actions, as in Dynamic Logic [6], and state variables with binders, as in Hybrid Logic [4]. These motivations are reflected in its semantics. Unlike usual modal logics, whose semantics is given by Kripke structures and where satisfaction of formulas is evaluated globally, D↓ models are reachable labelled transition systems with initial states, where satisfaction is evaluated. This reflects our focus on computations, i.e. on effective processes. In modal logic this corresponds to submodels of Kripke structures generated by a given point, which represents the initial state of computations.
Definition 1 (Models and model morphisms). Let A be a set of atomic actions. An A-model is a triple (W, w_0, R) where W is a set of states, w_0 ∈ W is the initial state and R = (R_a ⊆ W × W)_{a∈A} is a family of transition relations such that, for each w ∈ W, there is a finite sequence of transitions R_{a_k}(w_{k−1}, w_k), 1 ≤ k ≤ n, with w_k ∈ W, a_k ∈ A, which starts in the initial state w_0 and ends in w_n = w. Given two A-models M = (W, w_0, R) and M' = (W', w'_0, R'), a model morphism h : M → M' is a function h : W → W' such that h(w_0) = w'_0 and, for each a ∈ A, if (w_1, w_2) ∈ R_a then (h(w_1), h(w_2)) ∈ R'_a.
Lemma 1. The class of A-models and A-model morphisms defines a category denoted by Mod_D↓(A). The identity morphisms id_M are the identity functions.
As usual, we say that two models M, M' ∈ Mod_D↓(A) are isomorphic, in symbols M iso M', if there is a pair of morphisms h : M → M' and h'

The set of (composed) actions, Act(A), induced by a set of atomic actions A is given by α where a ∈ A. In the context of a finite set of atomic actions A = {a_1, ..., a_n}, we may briefly write A for the complex action a_1 + ... + a_n. For a set X of variables and an A-model M = (W, w_0, R), a valuation is a function g : X → W. Given such a valuation g, a variable x ∈ X and a state w ∈ W, g[x ↦ w] denotes the valuation with g[x ↦ w](x) = w and g[x ↦ w](y) = g(y) for any y ∈ X, y ≠ x.
Definition 2 (Formulas and sentences). The set of A-formulas is given by where x ∈ X and α ∈ Act(A). An A-formula ϕ is called an A-sentence if ϕ contains no free variables. Free variables are defined as usual, with ↓ the only operator binding variables.
The binder operator ↓x.ϕ assigns to the variable x the current state of evaluation and evaluates ϕ. The operator @_x ϕ evaluates ϕ in the state assigned to x. To define the satisfaction relation formally we need to clarify how composed actions are interpreted in models. Let α ∈ Act(A) and M ∈ Mod_D↓(A). The interpretation of α in M extends the interpretation of atomic actions, with the operations •, ∪ and * standing for relational composition, union and reflexive-transitive closure. Given an A-model M = (W, w_0, R), w ∈ W and g : X → W,

We write M, w |= ϕ if, for any valuation g : X → W, we have M, g, w |= ϕ. If ϕ is an A-sentence, then the valuation is irrelevant, i.e., M, g, w |= ϕ iff M, w |= ϕ. M satisfies an A-sentence ϕ, written M |= ϕ, if M, w_0 |= ϕ.
Hence, D↓-logic expresses properties of states reachable from the initial one. For instance, if A is finite, D↓ is able to express liveness requirements such as "after the occurrence of an action a, an action b can eventually be realised" with [A*; a]⟨A*; b⟩tt, safety properties by sentences of the form [A*]ϕ and, in particular, deadlock freeness by [A*]⟨A⟩tt. D↓-logic is also suited to express process structures and, thus, the implementation of abstract requirements. The binder operator is crucial for this. The ability to give names to visited states, together with the modal features, allows one to express recursive process patterns. For instance, the following sentence captures processes with two states and alternating a and b transitions.
Definition 3 (Specification). A specification SP is a pair SP = (A, Φ) where A is a set of atomic actions and Φ is a set of A-sentences.
Definition 4 (Semantics). The semantics of a specification SP = (A, Φ) in D↓ is given by the class of models

Lemma 2. Let M = (W, w_0, R) and M' = (W', w'_0, R') be two A-models and h : M → M' an isomorphism. Then for any w ∈ W, valuation g : X → W and A-formula ϕ, we have

Proof. The proof is performed by induction on the structure of A-formulas. The base cases ϕ = tt and ϕ = ff are trivial.
The proof for the remaining cases is straightforward.
Theorem 1. Let M and M' be A-models such that M iso M'. Then, for any A-sentence ϕ, we have

Proof. Since ϕ has no free variables, it follows from Lemma 2 that for any w ∈ W we have M, w |= ϕ iff M', h(w) |= ϕ, where h is an isomorphism between M and M'. In particular, since h(w_0) = w'_0, we have M,

Corollary 1. For any specification SP, Mod(SP) is closed under iso.

Motivations
Let us recall the well-known notion of bisimulation between transition systems: two A-models M and M' are called bisimulation equivalent, denoted by M ≡ M', if there exists a bisimulation between M and M'. It is well known that bisimulation equivalence is indeed an equivalence relation on the class of A-models. Moreover, if M ≡ M', then there exists a greatest bisimulation between M and M', which we denote by ∼_MM'. Bisimulation equivalence plays a central role in the analysis and development of reactive systems. It can be taken as the standard behavioural equivalence between processes in the sense that, given two bisimulation equivalent processes, it should be irrelevant for the correctness of an implementation which one is chosen to realise a given system specification. The notion of bisimulation equivalence also plays an important role in the theory of modal logics: satisfaction in most modal logics is invariant w.r.t. bisimulation equivalence, i.e. bisimulation equivalent models satisfy the same sentences. However, this is not the case for the logic D↓. To see this, let us consider the two {a}-models M and M' presented in Fig. 1 and the specification SP = ({a}, {↓x.⟨a⟩x}). It is easy to see that M ∉ Mod(SP) and M' ∈ Mod(SP). However, M ≡ M', which shows that D↓ does not obey the implementation principle from above. From the logical point of view it illustrates that D↓ does not enjoy the modal invariance property.

∼ observationally isomorphic models observationally satisfy the same sentences; i.e. we get modal invariance w.r.t. observational isomorphism and the relaxed (observational) satisfaction relation.

Observational Models Category
We introduce a new category of models for a set A of atomic actions. The objects of this category are, as in D↓, reachable (labelled) transition systems with initial states. However, we introduce a new kind of model morphism, called observational morphism. Such morphisms are not functions but relations which abstract away the difference between states with observationally equal behaviour. For this purpose, we consider for any A-model M = (W, w_0, R) the observational equality relation ∼_M ⊆ W × W, which is defined as the greatest bisimulation ∼_MM between M and M. Then an observational morphism h : M → M' is a relation between the state spaces of two A-models M and M' containing their initial states which has the following properties: (1) h is a simulation relation such that any transition in M is simulated by a transition in M' with the same label (i.e. observational morphisms satisfy the "zig" condition of a bisimulation), (2) h preserves observational equality of states from M to M' and (3) h is closed under the observational equalities ∼_M and ∼_M' of M and M' respectively. These properties are expressed by the three conditions in the subsequent definition. We note that observational morphisms could be equivalently defined by morphisms between the quotient structures of M and M' considered later on in Def. 10. We prefer, however, to give a direct definition on the state spaces of M and M', since those models are the actual representations of concrete implementations, not their quotient structures.
Definition 6 (Observational morphisms). Let M = (W, w_0, R) and M' = (W', w'_0, R') be two A-models. An observational morphism h : M → M' is a relation h ⊆ W × W' containing (w_0, w'_0) such that the following conditions are satisfied:

By the definition of composed actions and their interpretation as relations, the simulation condition 1 of Def. 6 can be lifted to composed actions:

Remark 1. Condition 1 of Def. 6 implies that for any α ∈ Act(A) and any

Proof. This is a direct consequence of the reachability of states. On the one hand, we have (w_0, w'_0) ∈ h. The induction step corresponds to condition 1 of Def. 6. Also it is clear that relational composition is associative.
For each A-model M, 1_M = ∼_M is an observational morphism M → M: since ∼_M is a bisimulation it satisfies condition 1 of Def. 6. Since ∼_M is the greatest bisimulation on M it is closed under composition and therefore, taking into account that ∼_M is an equivalence relation, it satisfies conditions 2 and 3. Finally, because of the closure property 3 of Def. 6, it is obvious that, for any observational

For A-models M and M' we write M iso∼ M' whenever M and M' are observationally isomorphic in the category Mod_D↓∼(A). The next lemma states a useful property which shows that the inverse of an observational isomorphism h : M → M' in the category Mod_D↓∼(A) is just the inverse relation of h.
Lemma 4. Let M = (W, w_0, R) and M' = (W', w'_0, R') be two A-models and h : M → M' an observational isomorphism with inverse h^{−1} : M' → M. Then for all w ∈ W and w' ∈ W' the following holds: (w, w') ∈ h if and only if (w', w) ∈ h^{−1}.
Proof. For the proof we use Lem. 3 and condition 3 of Def. 6. Assume (w, w') ∈ h. Since h^{−1} : M' → M is an observational morphism it is total, by Lem. 3. Hence, there exists v ∈ W such that (w', v) ∈ h^{−1}. By the isomorphism property we have h

Since h^{−1} : M' → M satisfies condition 3 of Def. 6, (w', v) ∈ h^{−1} and v ∼_M w imply (w', w) ∈ h^{−1}. The converse direction is proved analogously, again using condition 3 of Def. 6.
As a consequence of Lem. 4, we can show that observational isomorphisms satisfy the "zag" condition of a bisimulation.

Lemma 5. Let M = (W, w_0, R) and M' = (W', w'_0, R') be two A-models and h : M → M' an observational isomorphism. Then the following holds: for any a ∈ A, w ∈ W, w', v' ∈ W' such that (w, w') ∈ h:

Proof. Assume (w, w') ∈ h and (w', v') ∈ R'_a. Let h^{−1} be the inverse of h. Then, by Lem. 4, (w', w) ∈ h^{−1}. Since h^{−1} satisfies condition 1 of Def. 6, there is a v ∈ W such that (w, v) ∈ R_a and (v', v) ∈ h^{−1}. By Lem. 4, (v, v') ∈ h and we are done.
As an example, consider the two {a}-models M and M' in Fig. 1. The relation h = {(w'_0, w_0), (w'_0, w_1)} is an observational isomorphism between M' and M. We have also seen in Sect. 2.2 that M and M' are bisimilar. In fact, we will show later, in Sect. 4, that observational isomorphism coincides with bisimulation equivalence.

Observational Satisfaction
We are now ready to generalise the satisfaction relation of D↓-logic to take observational abstraction into account. We use the same formulas as in D↓, which were called A-formulas for a given set A of atomic actions. But now, in the logic D↓∼, the observational satisfaction of an A-formula allows variables x to be interpreted by states which are not identical but only observationally equal to the current valuation of x.
Definition 7 (Observational satisfaction). Let M = (W, w_0, R) be an A-model, w ∈ W and g : X → W a valuation. The observational satisfaction of an A-formula ϕ in state w of M w.r.t. valuation g, denoted by M, g, w |=∼ ϕ, is defined analogously to the satisfaction relation of Sect. 2.1, with the exception of M, g, w |=∼ x iff g(x) ∼_M w.
As an example, we consider the {a}-model M in Fig. 1, for which we have M |=∼ ↓x.⟨a⟩x. This is true since the a-transition reaches state w_1, which is observationally equal to state w_0.
Using the observational satisfaction relation we can equip specifications, as defined in Def. 3, with an observational semantics.

Definition 8 (Observational semantics). The observational semantics of a specification SP = (A, Φ) is given by the class of models

In the following we want to analyse the relationships between observational satisfaction and observational morphisms. First, we show that observational satisfaction of positive A-sentences is preserved by observational morphisms; see Thm. 3. Then we show that observational satisfaction of arbitrary A-sentences is preserved and reflected in the case of observational isomorphisms; see Thm. 4.

Definition 9 (Positive formulas and sentences). An A-formula (A-sentence) ϕ is a positive A-formula (A-sentence) if it contains neither negation ¬ nor the box operator [.].

Lemma 6. Let M = (W, w_0, R) and M' = (W', w'_0, R') be two A-models and h : M → M' an observational morphism. Then for any w ∈ W, w' ∈ W' with (w, w') ∈ h, for any valuations g : X → W, g' : X → W' with (g(x), g'(x)) ∈ h for all x ∈ X, and for any positive A-formula ϕ, we have

Proof. The proof is performed by induction on the structure of positive A-formulas.
The base cases ϕ = tt and ϕ = ff are trivial.
Step follows from condition 2 of Def. 6 and the assumptions (g(x), g'(x)) ∈ h and (w, w'

Step follows from the Induction Hypothesis, since (g(y), g'(y)) ∈ h for all y ∈ X and (w,

The cases ϕ = φ ∧ φ' and ϕ = φ ∨ φ' are straightforward by the Induction Hypothesis.
Theorem 3. Let M and M' be two A-models and h : M → M' an observational morphism. Then, for any positive A-sentence ϕ, we have

Proof. Since ϕ is a sentence, it follows from Lemma 6 that for any w ∈ W, w' ∈ W' with (w, w') ∈ h, we have:

Let us now consider the case in which h is an observational isomorphism.
Lemma 7. Let M = (W, w_0, R) and M' = (W', w'_0, R') be two A-models and h : M → M' an observational isomorphism. Then for any w ∈ W, w' ∈ W' with (w, w') ∈ h, for any valuations g : X → W, g' : X → W' with (g(x), g'(x)) ∈ h for all x ∈ X, and for any A-formula ϕ, we have

Proof. The proof is performed by induction on the structure of the formulas. The base case ϕ = tt is trivial, and for ϕ = ff we note that neither M, g, w |=∼ ff nor M', g', w' |=∼ ff holds.
Case ϕ = x: The proof is performed as for Lem. 6, with the addition that the "⇒" step also holds in the opposite direction, for the following reason: let h^{−1} be the inverse of h. Since (g(x), g'(x)) ∈ h and (w, w') ∈ h we obtain, by Lem. 4, that (g'(x), g(x)) ∈ h^{−1} and (w', w) ∈ h^{−1}. Now we can apply condition 2 of Def. 6 to h^{−1}, so that g'(x) ∼_M' w' implies g(x) ∼_M w.
Cases ϕ = ↓x.φ and ϕ = @_x φ: The proof is performed as for Lem. 6, with the addition that the "⇒" steps also hold in the opposite direction, since now the Induction Hypothesis also holds in the other direction.
Case ϕ = ⟨α⟩φ: The proof is performed as for Lem. 6, with the addition that the "⇒" step also holds in the opposite direction. To see this, we know by Lem. 5 that the "zag" condition of a bisimulation holds for h and for atomic actions a ∈ A. It is straightforward to prove that then the "zag" condition also holds for structured actions α ∈ Act(A). Taking into account the I.H. we are done.
The cases ϕ = ¬φ, ϕ = φ ∧ φ' and ϕ = φ ∨ φ' are straightforward by the Induction Hypothesis. The case ϕ = [α]φ can be shown either by using the I.H. or by taking into account that the box operator can be expressed by negation and diamond.

Theorem 4. Let M, M' be two A-models such that M iso∼ M'. Then, for any A-sentence ϕ, we have

Proof. The proof is completely analogous to the proof of Thm. 3, using Lem. 7 instead of Lem. 6.
Corollary 2. For any specification SP, its observational semantics Mod∼(SP) is closed under iso∼.
The next theorem establishes a connection between observational satisfaction in D↓∼ and satisfaction in D↓. It relies on the construction of the quotient M/∼ of an A-model M, which identifies observationally equal (i.e. bisimilar) states.
This follows from the (zig) property of ∼_M. This fact can be generalised to composed actions α ∈ Act(A).
Sentences are observationally satisfied by an A-model M if and only if they are satisfied by its quotient M/∼:

Theorem 5. For any A-model M and for any A-sentence ϕ,

Proof. For the proof we show, more generally, that for any w ∈ W, valuation g : X → W and A-formula ϕ,

where g/∼ : X → W/∼ is defined by (g/∼)(x) = [g(x)]. The proof can be performed by induction over the structure of A-formulas. For the base formulas ϕ = x, we have:

For the case ϕ = ⟨α⟩φ, we have:

Step: The direction "⇒" is trivial using v' = v and the Induction Hypothesis. For the direction "⇐" assume ([w], [v']) ∈ (R/∼)_α for some v'. By Remark 2 we know that there exists v. By the Induction Hypothesis we get M, g, v |=∼ φ. Since (w, v) ∈ R_α, we have M, g, w |=∼ ⟨α⟩φ.
The remaining cases are straightforward.
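To make the difference between |= and |=∼ concrete, the following added example (not part of the paper) implements A-models, the greatest bisimulation as a fixpoint, both satisfaction relations for atomic-action modalities, and the quotient M/∼ of Thm. 5. Fig. 1 is not reproduced here, so the two {a}-models are constructed to match the text: M has two states w0 -a-> w1 -a-> w1, and M' (here M_ONE, states and transitions are assumptions) is a single state with an a-loop; composed actions are left out to keep the checker short.

```python
# Added example: standard vs. observational satisfaction of D↓ sentences.
# Models and formulas below are constructed for illustration, not taken from the paper.
from itertools import product


class Model:
    """An A-model (W, w0, R): an LTS with initial state w0 and R[a] ⊆ W × W for a ∈ A."""

    def __init__(self, A, states, w0, transitions):
        self.A, self.W, self.w0 = frozenset(A), frozenset(states), w0
        self.R = {a: set() for a in self.A}
        for u, a, v in transitions:
            self.R[a].add((u, v))

    def succ(self, w, a):
        """All a-successors of state w."""
        return {v for (u, v) in self.R[a] if u == w}


def greatest_bisimulation(M, N):
    """Greatest relation on W × W' satisfying the zig and zag conditions, computed as a
    fixpoint that removes violating pairs. Both models are assumed to share the same A.
    The pair of initial states need not survive; bisimilar() checks that separately."""
    rel = set(product(M.W, N.W))
    changed = True
    while changed:
        changed = False
        for (w, v) in list(rel):
            zig = all(any((w2, v2) in rel for v2 in N.succ(v, a))
                      for a in M.A for w2 in M.succ(w, a))
            zag = all(any((w2, v2) in rel for w2 in M.succ(w, a))
                      for a in M.A for v2 in N.succ(v, a))
            if not (zig and zag):
                rel.discard((w, v))
                changed = True
    return rel


def bisimilar(M, N):
    """M ≡ N iff the greatest bisimulation relates the two initial states."""
    return (M.w0, N.w0) in greatest_bisimulation(M, N)


# Formulas are tuples: ('tt',), ('ff',), ('var', x), ('not', f), ('and', f, g),
# ('or', f, g), ('dia', a, f) for <a>f, ('box', a, f) for [a]f,
# ('bind', x, f) for ↓x.f and ('at', x, f) for @x f.
def sat(M, g, w, phi, eq=None):
    """M, g, w |= phi when eq is None; M, g, w |=~ phi when eq is the observational
    equality ~_M. The two relations differ only in the clause for variables (Def. 7)."""
    op = phi[0]
    if op == 'tt':
        return True
    if op == 'ff':
        return False
    if op == 'var':
        return (g[phi[1]], w) in eq if eq is not None else g[phi[1]] == w
    if op == 'not':
        return not sat(M, g, w, phi[1], eq)
    if op == 'and':
        return sat(M, g, w, phi[1], eq) and sat(M, g, w, phi[2], eq)
    if op == 'or':
        return sat(M, g, w, phi[1], eq) or sat(M, g, w, phi[2], eq)
    if op == 'dia':
        return any(sat(M, g, v, phi[2], eq) for v in M.succ(w, phi[1]))
    if op == 'box':
        return all(sat(M, g, v, phi[2], eq) for v in M.succ(w, phi[1]))
    if op == 'bind':   # ↓x.f binds x to the current state, then evaluates f there
        return sat(M, {**g, phi[1]: w}, w, phi[2], eq)
    if op == 'at':     # @x f jumps to the state bound to x
        return sat(M, g, g[phi[1]], phi[2], eq)
    raise ValueError(f"unknown operator {op!r}")


def satisfies(M, sentence):
    """M |= sentence in D↓ (sentences are closed, so the valuation is irrelevant)."""
    return sat(M, {}, M.w0, sentence)


def obs_satisfies(M, sentence):
    """M |=~ sentence in D↓~, interpreting state variables up to ~_M."""
    return sat(M, {}, M.w0, sentence, greatest_bisimulation(M, M))


def quotient(M):
    """M/~ : states are the ~_M-classes. Thm. 5 predicts M |=~ phi iff M/~ |= phi."""
    eq = greatest_bisimulation(M, M)
    cls = {w: frozenset(v for v in M.W if (w, v) in eq) for w in M.W}
    trans = [(cls[u], a, cls[v]) for a in M.A for (u, v) in M.R[a]]
    return Model(M.A, set(cls.values()), cls[M.w0], trans)


# Constructed models matching the text's description of Fig. 1 (state names assumed).
M_TWO = Model({'a'}, {'w0', 'w1'}, 'w0', [('w0', 'a', 'w1'), ('w1', 'a', 'w1')])
M_ONE = Model({'a'}, {'v0'}, 'v0', [('v0', 'a', 'v0')])
ALT = ('bind', 'x', ('dia', 'a', ('var', 'x')))           # ↓x.<a>x
NEG = ('bind', 'x', ('dia', 'a', ('not', ('var', 'x'))))  # ↓x.<a>¬x

if __name__ == '__main__':
    print(bisimilar(M_TWO, M_ONE))                           # True: M ≡ M'
    print(satisfies(M_TWO, ALT), obs_satisfies(M_TWO, ALT))  # False True
    print(satisfies(M_TWO, NEG), obs_satisfies(M_TWO, NEG))  # True False
    print(satisfies(quotient(M_TWO), ALT))                   # True, as Thm. 5 predicts
```

The second and third printed lines reproduce the two phenomena the text uses: ↓x.⟨a⟩x separates the bisimilar models under |= but not under |=∼, while ↓x.⟨a⟩¬x is a standard model's axiom that the observational semantics rejects.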

Recovering Modal Invariance for Bisimulation
Thm. 4 of the last section shows modal invariance of sentences in the D↓∼-logic. In this section we transfer this result to the case in which bisimulation equivalence is used instead of an observational isomorphism. In fact, this is a consequence of our general result (Thm. 6) that bisimulation equivalence can be characterised as an isomorphism in the category Mod_D↓∼(A). Finally, we can even prove a Hennessy-Milner Theorem for observational satisfaction; see Thm.

The next lemma provides the basis for proving the converse of Cor. 3, which will lead to a Hennessy-Milner Theorem w.r.t. D↓∼-logic (if models are image finite).

Lemma 9. Let M, M' be two image finite A-models and w ∈ W, w' ∈ W' two states such that, for any A-sentence ϕ,

Then there is a relation h ⊆ W × W' such that (w, w') ∈ h and h satisfies the conditions "zig" and "zag" of a bisimulation; cf. Def. 5.

Proof. Let us consider the relation
Obviously, (w, w') ∈ h. In order to prove "zig" we follow the strategy adopted in [8] for the proof of the so-called Hennessy-Milner Theorem. Planning to derive a contradiction, let us suppose there exist (u, u') ∈ h, a ∈ A and v ∈ W with (u, v) ∈ R_a, for which there is no v' ∈ W' such that (u', v') ∈ R'_a and (v, v') ∈ h. (1)

By assumption, M' is image finite and hence the set R'_a[u'] := {v'_1, ..., v'_k} of a-successors of u' in M' is finite. It is also not empty since (u, u') ∈ h. By (1), for each i ∈ {1, ..., k} there is a formula ϕ_i such that

Hence, we have

Therefore h satisfies "zig". One can show analogously that h satisfies "zag".

Relating Abstractor and Observational Semantics
Another possibility to provide an abstract semantics for a specification SP is to consider all models that are bisimulation equivalent to a "standard" model of SP, i.e. to a model of SP in the logic D↓. This semantics is called abstractor semantics. In this section we investigate the relationships between abstractor semantics and observational semantics. It turns out that results obtained in the framework of algebraic specifications, see [3], can be transferred to our logics D↓ and D↓∼ for reactive system specifications as well.
Definition 11 (Abstractor semantics). The abstractor semantics of a specification SP = (A, Φ) is given by the class of models

Part 1 of the next theorem shows that observational semantics is a subclass of abstractor semantics. The converse does not hold in general. It may even be the case that standard models of a specification, which always belong to the abstractor semantics, do not belong to the observational semantics. This happens if axioms of a specification contradict the observational equality between states. To illustrate this, let us consider the specification SP = ({a}, {↓x.⟨a⟩¬x}). If we consider the model M with two states depicted in Fig. 1, we have that M |= ↓x.⟨a⟩¬x but M ⊭∼ ↓x.⟨a⟩¬x, since the state w_1 reached by the a-transition from w_0 is observationally equal to w_0, but the negation ¬x would forbid this. Hence, M ∈ Mod(SP) but M ∉ Mod∼(SP). If, however, the axioms of a specification SP have a form such that all models of SP in D↓ belong to the observational semantics of SP in D↓∼, then part 2 of the next theorem shows that abstractor and observational semantics coincide.

"⇐:" For this direction, assume M ∈ Mod(SP). Hence, M ∈ Abs≡(SP). By assumption Mod∼(SP) = Abs≡(SP) and hence M ∈ Mod∼(SP).
Finally, we want to discuss the relationship of observational semantics with abstractor semantics in the context of fully abstract models. An A-model M is fully abstract if the observational equality ∼_M coincides with the set-theoretic equality of states. The fully abstract semantics of a specification SP = (A, Φ) in D↓ is given by the class of its fully abstract models

Our final result shows that this class coincides with the observational semantics of a specification. A similar result has been obtained for algebraic specifications in [3].

Proof. The proof of the inclusion "⊆" is the same as for part 1 of Thm. 8, taking into account that M/∼ is fully abstract. It remains to show Abs^fa_≡(SP) ⊆ Mod∼(SP). Let M ∈ Abs^fa_≡(SP). Then M ≡ N for some N ∈ Mod_fa(SP). Since N |= Φ and N is fully abstract, we have N |=∼ Φ. Since M ≡ N we get, by Cor. 3, that M |=∼ Φ. Hence M ∈ Mod∼(SP).

Conclusion
This paper follows the motivations of [7] on the definition of a logic to develop reactive systems in a stepwise manner, from abstract requirements specifications to concrete specifications of processes. In this context, the need arose for a more liberal semantics that is closed under behavioural equivalence. Following ideas from algebraic specifications of data structures, we have proposed a new logic for specifications of reactive systems, called D↓∼, which satisfies both the modal invariance property and a Hennessy-Milner Theorem. The key to achieving this was a new, relaxed satisfaction relation, which allows interpreting state variables up to bisimilarity.
There are several interesting research questions to be pursued on the basis of D↓∼. For instance, we want to investigate how D↓∼ can be extended to an institution. A preliminary study shows that a straightforward extension using functions σ : A → A' between action sets as signature morphisms would not work. The reason is that A' may introduce new actions that distinguish, in some A'-models, states which are observationally equal when using only actions in A. Then the satisfaction condition of an institution would not be valid. Therefore we must investigate adjustments to signatures, signature morphisms and models to establish the satisfaction condition. Another interesting extension concerns the incorporation of weak bisimulations, which would allow further behavioural abstraction w.r.t. silent transitions.

Lemma 3. Observational morphisms are total relations.

Theorem 2. The class of A-models together with observational morphisms forms a category, denoted by Mod_D↓∼(A). For each M ∈ Mod_D↓∼(A), the identity morphism 1_M is the observational equality ∼_M.

Proof. Observational morphisms are closed under composition of relations: given two observational morphisms h : M → M' and h' : M' → M'', their composition h' • h : M → M'' is the relation {(w, w'') | there exists w' s.t. (w, w') ∈ h and (w', w'') ∈ h'}. It is straightforward to show, by standard set-theoretic reasoning, that h' • h satisfies conditions 1 to 3 of Def. 6 since h and h' do so.

Lemma 8. Let M = (W, w_0, R) and M' = (W', w'_0, R') be two A-models. If M ≡ M', then M iso∼ M'.

Proof. Since M ≡ M' we can consider the greatest bisimulation relation ∼_MM'

Corollary 3. Let M, M' be two A-models such that M ≡ M'. Then for any A-sentence ϕ, we have M |=∼ ϕ iff M' |=∼ ϕ.

As an example, we consider the two bisimilar {a}-models M and M' in Fig. 1, for which we have M |=∼ ↓x.⟨a⟩x and M' |=∼ ↓x.⟨a⟩x.

Corollary 4. For any specification SP, its observational semantics Mod∼(SP) is closed under ≡.

Proof. Direct consequence of Corollary 3.
Mod_fa(SP) = {M ∈ Mod(SP) | M is fully abstract}. If we consider all A-models which are bisimulation equivalent to some fully abstract model of a specification, we get the class Abs^fa_≡(SP) = {M ∈ Mod_D↓(A) | M ≡ N for some N ∈ Mod_fa(SP)}.