Modal & Epistemic Logic

A Primer on Modal and Epistemic Logic

Joseph Catanzarite

Johns Hopkins University · Whiting School of Engineering

jcat@alumni.caltech.edu · jcatanz@gmail.com · jcatanz3@jh.edu

A self-contained reference tutorial. Work through each section in order. By the end you will have the formal machinery to read and construct modal logic proofs about Belief-Desire-Intention (BDI) agents.

motivation

Why do we need modal and epistemic logic?

Classical propositional and predicate logic are powerful tools, but they have a fundamental limitation for reasoning about AI agents: they only deal with what is true, not with what an agent believes, knows, or considers possible.

Consider these four sentences:

1. "It is raining." ← classical logic handles this fine: the statement is true or false

2. "Alice believes it is raining." ← classical logic has no operator for "believes"

3. "Bachelors are necessarily unmarried." ← classical logic has no way to distinguish necessary truth from contingent truth

4. "Bob knows that Alice believes it is raining." ← classical logic cannot express nested mental states at all

Sentences 2–4 involve modalities — ways in which something is true, or who holds it to be true. Modal logic adds the operators needed to handle them. Epistemic logic is a specialization of modal logic focused specifically on knowledge and belief.

Note on sentence 3: Classical logic can prove that "bachelors are unmarried" is true — given the definition of bachelor, it follows by logic. What it cannot express is the modal status of that truth: the distinction between something that is true as a matter of definition (could not be otherwise) versus something that happens to be true right now but could have been otherwise, like "it is raining." Modal logic adds that distinction.

Why agents specifically need this

An AI agent operating in the world must reason about:

Its own beliefs

"I believe the door is unlocked" — may be wrong

Knowledge vs belief

"I know I am in room A" vs "I think the key is here"

Other agents' beliefs

"Agent B believes the path is clear" — needed for coordination

Possibility vs necessity

"The exit might be north" vs "the exit must be north"

Classical logic cannot express any of these distinctions. Modal and epistemic logic can.

The relationship between modal logic and epistemic logic

These two terms appear throughout this tutorial, often without a clear statement of how they relate. Here it is, before anything else:

Modal logic — the general framework

Modal logic extends classical propositional logic with two operators — □ (necessarily) and ♢ (possibly) — and a semantics based on possible worlds. It is a general-purpose framework that can be applied to many different domains depending on how you interpret "accessible world."

Examples of modal logic applied to different domains:

Temporal logic — □ means "always in the future," ♢ means "sometime in the future"
Deontic logic — □ means "it is obligatory that," ♢ means "it is permitted that"
Dynamic logic — □ means "after every execution of a program," ♢ means "after some execution"
Epistemic logic — □ means "the agent knows/believes," ♢ means "the agent considers possible"

Epistemic logic — one application of modal logic

Epistemic logic is modal logic with a specific intended interpretation: the □ operator represents knowledge or belief, and the accessibility relation R encodes which worlds an agent considers possible given its current information.

It was developed by Jaakko Hintikka in 1962 specifically to reason formally about what agents know and believe — which is exactly what we need for the Belief-Desire-Intention (BDI) framework.

Epistemic logic inherits all the machinery of modal logic — possible worlds, accessibility relations, axioms — and adds the specific interpretation that makes □ mean "knows" or "believes," and ♢ mean "the agent considers it possible that."

□φ — "the agent knows φ" or "the agent believes φ": φ holds in every world the agent considers possible
♢φ — "the agent considers φ possible": φ holds in at least one world the agent considers possible

Since □ and ♢ are duals (♢φ ⟺ ¬□¬φ), "the agent considers φ possible" is equivalent to "the agent does not know/believe that φ is false."

The analogy: modal logic is the engine. Epistemic logic is one vehicle built on that engine. Temporal logic, deontic logic, and dynamic logic are other vehicles built on the same engine. You need to understand the engine — possible worlds, □, ♢, accessibility relations, axioms — before the vehicle makes sense. That is why this tutorial covers modal logic first (Sections 2–4) and epistemic logic second (Section 5).

Goal of this tutorial: build the formal machinery from scratch, with every term defined before it is used, so that you can read and write modal logic proofs about belief, knowledge, and rational agency in BDI systems.

foundations

Section 1 — propositional logic recap

Modal logic is built on top of classical propositional logic. This section establishes the foundation. Even if you know this material, pay attention to the ⊢ vs ⊨ distinction at the end — it is commonly confused and important for modal logic proofs.

Propositions

Definition — proposition

A proposition is any declarative statement that is either true or false, but not both. We use lowercase letters p, q, r or Greek letters φ (phi), ψ (psi) as placeholder names for propositions.

Is a proposition

"It is raining" — definitively true or false at any given moment

Is not a proposition

"Is it raining?" — a question has no truth value

Logical connectives

Connectives combine propositions to form new propositions:

Symbol	Name	Meaning	Example (p = "raining", q = "windy")
¬p	Negation	not p	"it is not raining"
p ∧ q	Conjunction	p and q — both must be true	"it is raining and windy"
p ∨ q	Disjunction	p or q — at least one must be true	"it is raining or windy (or both)"
p ⟹ q	Implication	if p then q	"if it is raining then carry an umbrella"
p ⟺ q	Biconditional	p if and only if q	"it is raining if and only if the ground is wet"

The material conditional ⟹ and its truth table

The implication p ⟹ q (read "if p then q") is defined by this truth table, where p and q are specific propositions with known truth values:

Let p = "it is raining" Let q = "the ground is wet" p q p ⟹ q ───────────────────────────────────────────────────── T T T raining and ground wet: consistent with the rule ✓ T F F raining but ground not wet: the rule is violated ✗ F T T not raining but ground wet: rule not triggered, ground wet for other reasons F F T not raining and ground not wet: rule not triggered

The only case where p ⟹ q is false is when p is true and q is false — the condition holds but the consequence fails.

An important note — why implication is defined as ¬p ∨ q: The material conditional p ⟹ q is not taken as a primitive in classical logic. Instead it is defined as ¬p ∨ q — "not-p or q." These two expressions have identical truth tables:

    p    q    ¬p ∨ q    p ⟹ q

    T    T     T         T

    T    F     F         F

    F    T     T         T

    F    F     T         T

Every row matches, so they are logically equivalent. The reason for defining implication this way is economy: ¬ and ∨ are more primitive operations, and by defining ⟹ in terms of them, the whole system needs fewer primitives. The cost is the vacuously true cases: when p is False, ¬p is True, so ¬p ∨ q is True regardless of q — with no meaningful connection between p and q required. Many philosophers and logicians find this unsatisfying, and alternative logics handle it differently. In classical propositional logic, accept it as a definition.

Aside — strict implication and the motivation for modal logic

The vacuous truth problem motivated C.I. Lewis in 1918 to propose strict implication as a better account of what we actually mean when we say "p implies q" in reasoning and argumentation.

Strict implication is written □(p ⟹ q) and means: in every accessible world, p ⟹ q holds. This uses the possible worlds semantics defined formally in Section 2: at world w, □(p ⟹ q) is true if and only if for every world w₁ such that wRw₁ (w₁ is accessible from w), the material conditional p ⟹ q is true in w₁.

This is substantially stronger than plain p ⟹ q. Here is why, using the same example throughout:

Let p = "it is raining" and q = "the ground is wet."

Plain p ⟹ q (material conditional, current world only): true today simply if it happens not to be raining — vacuously, with no required connection between rain and wet ground.

□(p ⟹ q) (strict implication, all accessible worlds): true only if in every world I consider possible, whenever it rains the ground is wet. This rules out any accessible world where it rains but the ground stays dry — even if the current world happens to be dry. There is no escape through a false antecedent in a world where the antecedent holds.

Strict implication expresses a law-like necessary connection rather than a coincidental truth, and it is one of the principal historical motivations for developing modal logic. The □ operator gives us a way to say not just that something is true, but that it holds necessarily — across all situations we consider possible. This distinction between what happens to be true and what must be true runs through everything in Sections 2–7 of this tutorial.

Note: strict implication has its own problems (the "paradoxes of strict implication"), which is why relevance logic and intuitionistic logic were developed as further alternatives. But for the purposes of this tutorial, strict implication is the key stepping stone from classical logic into modal logic.

Inference rules

Given true premises, inference rules produce new true conclusions. The two most important:

Modus Ponens

Premise 1: p ⟹ q Premise 2: p ───────────────── Conclusion: q

Example: "If it rains, carry an umbrella" + "It is raining" → "Carry an umbrella."

Modus Tollens

Premise 1: p ⟹ q Premise 2: ¬q ───────────────── Conclusion: ¬p

Example: "If it rains, ground is wet" + "Ground is not wet" → "It is not raining."

Two kinds of entailment: ⊢ and ⊨

These symbols look similar but mean different things. Confusing them is one of the most common errors in logic proofs.

Definition — Γ (capital gamma)

Γ is a set of propositions — a collection of statements treated as premises or assumptions. For example, Γ = {p, p⟹q, q⟹r} is a set of three propositions. Saying "all of Γ is true" means every proposition in the set is true simultaneously in the same situation.

Γ ⊢ φ — syntactic entailment

φ can be derived from Γ by applying inference rules. A formal proof exists. This is purely about symbol manipulation — no interpretation required.

Read as: "φ is provable from Γ."

Γ ⊨ φ — semantic entailment

φ is true in every assignment of truth values to propositions that makes all of Γ true. This is about meaning and truth, not symbol manipulation.

Read as: "φ is true in every assignment of truth values to propositions that makes all of Γ true" or "Γ logically implies φ."

A logical system is sound if Γ ⊢ φ guarantees Γ ⊨ φ — every provable statement is true. It is complete if Γ ⊨ φ guarantees Γ ⊢ φ — every true statement is provable. Classical propositional logic is both sound and complete.

Aside — Gödel's incompleteness theorems

We just said classical propositional logic is both sound and complete. This is a genuine theorem — but it only holds because propositional logic is a relatively weak system. For stronger systems, completeness breaks down in a fundamental way.

Gödel's First Incompleteness Theorem (1931): Any formal system that is (a) consistent — it cannot prove both φ and ¬φ — and (b) expressive enough to encode basic arithmetic, contains statements that are true but cannot be proved within that system.

In other words: for sufficiently powerful systems, Γ ⊨ φ does not guarantee Γ ⊢ φ. There exist true statements that no proof can reach.

Why propositional logic escapes this: Gödel's theorem requires the system to be expressive enough to talk about arithmetic — natural numbers, addition, multiplication. Propositional logic has no quantifiers and no variables ranging over numbers, so it cannot encode arithmetic at all. It is too weak to be caught by incompleteness. First-order predicate logic over arithmetic is where the theorem bites.

Gödel's Completeness Theorem (1929): One year before the incompleteness theorem, Gödel proved that first-order predicate logic itself — without arithmetic — is complete: every semantically valid formula is provable. The incompleteness appears when you add the axioms of arithmetic on top.

Connection to Section 6: Gödel's theorem gives a second, deeper reason why logical omniscience is unrealistic. Standard epistemic logic assumes agents know all consequences of their beliefs. But if an agent's beliefs include arithmetic, Gödel guarantees there are true consequences that are unprovable — no finite derivation can reach them. Konolige's bounded deduction model (Section 6) sidesteps both problems at once: by restricting to a finite rule set r, the agent is neither expected to know all consequences nor capable of deriving unprovable truths.

Given Γ = {"if the sensor fires then there is an obstacle" (p ⟹ q), "the sensor fired" (p)}. What can we conclude using Modus Ponens?

Modus Ponens: from (p ⟹ q) and p, we derive q. The sensor fired (p is true), and we know firing implies obstacle (p ⟹ q), so there is an obstacle (q is true). Both Γ ⊢ q (we can prove it by applying Modus Ponens) and Γ ⊨ q (it is true in every situation where both premises hold).

semantics

Section 2 — possible worlds semantics

Before introducing the modal operators □ and ♢, we need a precise account of what they mean — a semantics. The standard semantics, developed by Saul Kripke in 1963, is called possible worlds semantics. All modal logic terminology is defined here, before it is used anywhere else in this tutorial.

What is a possible world?

Definition — possible world

A possible world is a complete, consistent assignment of truth values to every proposition in the vocabulary under consideration — the fixed set of propositions relevant to the problem at hand. It describes one complete way things could be within that vocabulary. We use lowercase letters w, w₁, w₂, w' to name individual worlds. The actual world is the world that corresponds to reality as it currently is.

Think of a possible world as a row in a giant truth table — one that assigns True or False to every proposition simultaneously. The actual world is the row that matches reality right now. Other rows are other ways things could have been, or could be.

The three components of a Kripke model

Definition — Kripke model

A Kripke model M is a triple M = (W, R, V) consisting of three components defined below.

W — the set of possible worlds

W is a non-empty set. Each element of W is one possible world. Think of W as the nodes of a directed graph — one node per world.

R — the accessibility relation

R is a set of ordered pairs of worlds: R ⊆ W × W. If the pair (w, w₁) is in R, written wRw₁, we say "world w₁ is accessible from world w." Think of R as the directed edges of the graph — an arrow from w to w₁ means w₁ is accessible from w. Intuitively: an agent in world w considers world w₁ a possible situation given what it knows.

V — the valuation function

V assigns a truth value to every proposition in every world. For each proposition p and each world w, V(w, p) = True or False. Different worlds can assign different truth values to the same proposition — that is precisely what makes them different worlds.

A concrete example

Let p = "it is raining" and q = "Alice is carrying an umbrella."

In the actual world w₀: it is raining (p = True) and Alice is not carrying an umbrella (q = False). Alice is indoors and cannot see outside, so she does not know whether it is raining. Because she lacks this information, she considers two worlds possible from w₀ — one in which it is raining and one in which it is not:

w₀ — actual world

p (raining): TRUE

q (umbrella): FALSE

Alice is here

→

w₁ — accessible from w₀

p (raining): TRUE

q (umbrella): FALSE

→

w₂ — accessible from w₀

p (raining): FALSE

q (umbrella): FALSE

The arrows represent the accessibility relation R. Here w₀Rw₁ and w₀Rw₂ — Alice considers both w₁ and w₂ possible from her current position in w₀.

Truth conditions for modal formulas

We write M, w ⊨ φ to mean "formula φ is true in model M at world w." For classical connectives, truth is evaluated within each world exactly as in propositional logic. For modal operators:

Definition — truth of □φ at world w

M, w ⊨ □φ if and only if for every world w₁ such that wRw₁, M, w₁ ⊨ φ.
That is: φ is true in every world accessible from w.

Definition — truth of ♢φ at world w

M, w ⊨ ♢φ if and only if there exists a world w₁ such that wRw₁ and M, w₁ ⊨ φ.
That is: φ is true in at least one world accessible from w.

Applying these definitions to the Alice example. Notice the important distinction: the actual world w₀ tells us what is really true (it is raining, no umbrella), while the accessible worlds w₁ and w₂ represent what Alice considers possible given her limited information. Modal operators □ and ♢ range over the accessible worlds, not the actual world directly.

Actual world w₀: p = TRUE (raining), q = FALSE (no umbrella). Alice is here. Accessible worlds from w₀: w₁ and w₂ (both considered possible by Alice). M, w₀ ⊨ □p ? Is p true in ALL worlds accessible from w₀? w₁: p = TRUE ✓ w₂: p = FALSE ✗ — fails in w₂ Therefore: M, w₀ ⊨ □p is FALSE. Alice does not necessarily believe it is raining — even though it actually is raining in w₀. Her belief does not track the actual world because she considers w₂ (not raining) equally possible. M, w₀ ⊨ ♢p ? Is p true in AT LEAST ONE world accessible from w₀? w₁: p = TRUE ✓ — one witness is enough Therefore: M, w₀ ⊨ ♢p is TRUE. Alice considers it possible that it is raining. M, w₀ ⊨ □(¬q) ? Is ¬q true in ALL worlds accessible from w₀? w₁: q = FALSE, so ¬q = TRUE ✓ w₂: q = FALSE, so ¬q = TRUE ✓ Therefore: M, w₀ ⊨ □(¬q) is TRUE. In every world Alice considers possible, she has no umbrella. This matches the actual world too — but that is coincidental. □(¬q) is true because of the accessible worlds, not because of w₀ directly.

Validity

Definition — validity

A formula φ is valid, written ⊨ φ, if it is true at every world in every possible Kripke model. A valid formula is a tautology of modal logic — it holds no matter what. This is a much stronger claim than being true at one particular world in one particular model.

In the Alice example, what is the truth value of ♢(¬p) at world w₀? Here ¬p means "it is not raining."

TRUE. ♢(¬p) requires ¬p to be true in at least one accessible world. World w₂ is accessible from w₀ (w₀Rw₂) and has p = FALSE, making ¬p = TRUE in w₂. That single witness is sufficient for ♢. Note: the truth value of p in the actual world w₀ is irrelevant — we are asking about accessible worlds, not the actual world itself.

modal logic

Section 3 — modal logic

Now that possible worlds and the accessibility relation R are defined, we can give the modal operators □ and ♢ their full formal treatment. Their semantics were defined in Section 2. This section covers their syntax, their relationship to each other, and how they compose.

The two modal operators — formal definitions

□

Box — Necessity

□φ is true at world w if φ is true in every world w₁ such that wRw₁ — every world accessible from w.

Read as: "necessarily φ" or "in all accessible worlds, φ."

♢

Diamond — Possibility

♢φ is true at world w if there exists at least one world w₁ such that wRw₁ and φ is true in w₁.

Read as: "possibly φ" or "in some accessible world, φ."

The duality of □ and ♢

□ and ♢ are defined in terms of each other, just as ∀ (for all) and ∃ (there exists) are duals in predicate logic:

□φ ⟺ ¬♢¬φ "necessarily φ" is the same as "not possibly not-φ" ♢φ ⟺ ¬□¬φ "possibly φ" is the same as "not necessarily not-φ"

The analogy with quantifiers: □ behaves like ∀ (quantifying over all accessible worlds) and ♢ behaves like ∃ (quantifying over at least one accessible world). Just as ∀x P(x) ⟺ ¬∃x ¬P(x), we have □φ ⟺ ¬♢¬φ.

Examples — applying □ and ♢ to propositions

Let p = "the door is locked" and q = "the key is needed."

p "the door is locked" ¬p "the door is not locked" □p "the door is necessarily locked" — locked in every accessible world ♢p "the door is possibly locked" — locked in at least one accessible world ¬□p "it is not necessarily the case that the door is locked" □¬p "it is necessarily the case that the door is not locked" □(p ⟹ q) "necessarily, if the door is locked then the key is needed" ♢(p ∧ ¬q) "it is possible that the door is locked and the key is not needed"

Iterated modalities — □□φ and □♢φ

Modal operators can be nested. To understand what □□φ means, we need to trace through two steps of the accessibility relation.

Recall: wRw₁ means "world w₁ is accessible from world w" — there is a directed arrow from w to w₁ in the graph.

Definition — □□φ

□□φ is true at world w if and only if: for every world w₁ such that wRw₁, and for every world w₂ such that w₁Rw₂, φ is true in w₂.

In graph terms: φ holds at every world reachable from w via any intermediate world w₁ along arrows of R.

w — start

□□φ evaluated here

→
wRw₁

w₁ — one step

□φ must hold here

→
w₁Rw₂

w₂ — two steps

φ must hold here

Transitivity of R — and why it matters for □□φ

To understand why □□φ is a non-trivial claim, we need to understand what it means for R to be transitive — and what happens when it is not.

Definition — transitive relation

The accessibility relation R is transitive if whenever (w, w₁) ∈ R and (w₁, w₂) ∈ R, it follows that (w, w₂) ∈ R.
In graph terms: if there is an arrow from w to w₁ and an arrow from w₁ to w₂, then there is also a direct arrow from w to w₂.
Transitivity says: anything reachable in two steps is also reachable in one step directly.

If R is not transitive, there can exist worlds w, w₁, w₂ such that (w, w₁) ∈ R and (w₁, w₂) ∈ R but (w, w₂) ∉ R — w₂ is reachable from w by going through w₁, but there is no direct arrow from w to w₂.

Example — non-transitivity with Alice, Bob, and Carol

Imagine three people: Alice, Bob, and Carol. Alice can see Bob's computer screen. Bob can see Carol's computer screen. Alice cannot see Carol's screen directly.

Model this as three worlds representing what each person knows:

w = Alice's world — what Alice knows
w₁ = Bob's world — what Bob knows (accessible from w: Alice can see Bob's screen, so Alice considers Bob's world possible)
w₂ = Carol's world — what Carol knows (accessible from w₁: Bob can see Carol's screen, so Bob considers Carol's world possible)

The accessibility relation R contains: (w, w₁) and (w₁, w₂). But it does not contain (w, w₂) — Alice has no direct view of Carol's screen, so Alice does not consider Carol's world directly accessible.

R is not transitive in this model.

Now consider what □φ and □□φ mean at w:

□φ at w: φ holds in every world directly accessible from w. The only directly accessible world is w₁ (Bob's world). So □φ says: φ is true in Bob's world. It says nothing about Carol's world w₂, because (w, w₂) ∉ R.

□□φ at w: in every world directly accessible from w (that is, w₁), φ holds in every world directly accessible from w₁ (that is, w₂). So □□φ requires φ to be true in Carol's world w₂.

In this non-transitive model, □φ and □□φ are genuinely different claims. □φ covers worlds one arrow away (w₁ only). □□φ covers worlds two arrows away (w₂ via w₁). Alice knowing something (□φ) does not imply Alice knowing that Bob knows it (□□φ), because Alice cannot see what Bob sees about Carol.

If R were transitive: the direct arrow (w, w₂) would exist. Then w₂ would already be in the set of worlds directly accessible from w, and □φ would already require φ to hold in w₂. The two-step and one-step accessible worlds would coincide, and □□φ would add nothing beyond □φ — they would be equivalent.

Axiom 4 (□φ ⟹ □□φ) is precisely the axiom that forces R to be transitive. By adopting Axiom 4, you are asserting: there are no two-step paths that are not also one-step paths. Every w₂ reachable in two steps is also reachable in one step directly. In agent terms: if an agent believes φ (in all worlds it can reach), then it also believes that it believes φ (φ holds in all worlds reachable from those worlds) — because transitivity collapses the two levels into one.

□φ φ holds in every world w₁ such that wRw₁ (one step from w) □□φ φ holds in every world w₂ such that w₁Rw₂, (two steps from w, for every w₁ such that wRw₁ via any intermediate w₁)

Which formula expresses "it is not possible that the agent fails to act"? Let f = "the agent fails to act."

¬♢f = "it is not possible that the agent fails to act." By the duality rule ¬♢φ ⟺ □¬φ, this equals □¬f = "necessarily, the agent does not fail to act" — i.e., the agent necessarily acts. Duality is a key tool in modal logic proofs: you can always rewrite □ in terms of ♢ and vice versa.

axioms

Section 4 — axioms and their meaning

The semantic meaning of □ and ♢ depends on the structure of the accessibility relation R. Different constraints on R give different valid formulas — these formulas are the axioms of the modal system. Adding axioms restricts which Kripke models are allowed.

The base system K

Every modal logic includes at minimum two rules:

Distribution axiom K: □(p ⟹ q) ⟹ (□p ⟹ □q) If necessarily (p implies q), and necessarily p, then necessarily q. This is just the modal version of Modus Ponens — it distributes □ over implication. Necessitation rule: if ⊨ φ then ⊨ □φ If φ is valid (a logical tautology — true in every world in every model), then □φ is also valid (φ holds in all accessible worlds everywhere).

What the necessitation rule does and does not allow

The necessitation rule applies only to logical tautologies — formulas that are true in every world in every possible model, regardless of how propositions are interpreted. It does not apply to propositions that merely happen to be true in the current world.

A logical tautology is a formula whose truth depends only on its logical structure, not on what the propositions mean. Examples:

p ∨ ¬p — "either p or not-p" — true in every world no matter what p means
p ⟹ p — "p implies p" — always true
(p ∧ q) ⟹ p — "if p and q then p" — always true

The necessitation rule allows us to conclude □(p ∨ ¬p) — "necessarily, either p or not-p." This is valid because p ∨ ¬p holds in every world in every model.

Now contrast this with a contingent truth — a proposition that happens to be true in the current world but is not guaranteed to be true in every world. Let p = "it is raining." Suppose it is raining right now, so p is true in the current world w. The necessitation rule does not allow us to conclude □p — "necessarily, it is raining." That would be absurd: it might not be raining in other accessible worlds, and probably is not raining in all of them.

The distinction in a single sentence: the necessitation rule licenses moving from logical necessity (true in every world in every model) to □, but not from contingent truth (true in this world right now) to □. Conflating these two is one of the most common errors when first working with modal logic.

These two rules alone define system K. They are necessary but not sufficient for reasoning about agent beliefs. We add further axioms for that.

The four main additional axioms

Name	Formula	Plain English	Constraint on R
T Truth axiom	□φ ⟹ φ	If φ is true in all accessible worlds, then φ is true in the current world.	R must be reflexive: for every world w, wRw. Every world is accessible from itself.
4 Positive introspection	□φ ⟹ □□φ	If φ holds in all worlds accessible from w, then φ also holds in all worlds accessible from those worlds.	R must be transitive: if wRw₁ and w₁Rw₂ then wRw₂. Two-step paths are also one-step paths.
5 Negative introspection	¬□φ ⟹ □¬□φ	¬□φ means: there exists at least one accessible world w₁ in which φ is false. □¬□φ means: in every accessible world w₁, there exists at least one world accessible from w₁ in which φ is false. The axiom says: if the agent does not believe φ, then in every world the agent considers possible, that non-belief persists. In agent terms: the agent is aware of its own non-beliefs. This is called negative introspection.	R must be Euclidean: if wRw₁ and wRw₂ then w₁Rw₂.
D Consistency	□φ ⟹ ♢φ	If φ holds in all accessible worlds, then φ holds in at least one accessible world. Necessary things are possible.	R must have the following property: for every world w in W, there exists at least one world w₁ in W such that wRw₁ — every world has at least one accessible world. R never dead-ends. This property is called serial in the mathematical literature — the relation continues indefinitely, with no world from which all paths stop. The practical meaning for agents: the agent always has at least one world it considers possible. Without this, an agent could have no accessible worlds at all, making □φ vacuously true for every φ simultaneously — including contradictions — making the belief system inconsistent.

Understanding Axiom T — worked example

Axiom T states: □φ ⟹ φ. In semantic terms: if φ is true in every world accessible from w, then φ is true in w itself. This requires w to be accessible from itself — i.e., wRw.

w — current world

φ: TRUE

wRw (self-loop) ← required by Axiom T

→

w₁ — also accessible

φ: TRUE

w₁Rw not required

Because wRw, world w is in its own set of accessible worlds. So "φ is true in all accessible worlds" includes "φ is true in w." Therefore □φ ⟹ φ holds. Without the self-loop, the current world might not be accessible from itself, and □φ could hold even if φ is false in w.

Understanding Axiom 4 — worked example

Axiom 4 states: □φ ⟹ □□φ.

Recall from Section 3: □□φ at world w means φ holds in every world w₂ reachable from w in two steps — i.e., every w₂ such that there exists w₁ with wRw₁ and w₁Rw₂.

Axiom 4 says: if φ holds in every world one step from w, then φ also holds in every world two steps from w. This is automatically true when R is transitive — because if wRw₁ and w₁Rw₂, transitivity gives wRw₂ directly, so w₂ is already among the one-step accessible worlds where φ holds.

□φ holds here

→
wRw₁

w₁

φ holds here

→
w₁Rw₂

w₂

φ must also hold (Axiom 4 guarantees this)

For agents: Axiom 4 means that if an agent believes φ (□φ), then the agent believes that it believes φ (□□φ). This is called positive introspection — the agent is aware of its own beliefs. It is essential for reasoning about the stability of intentions across accessible worlds, as we will see in Section 7.

Named modal logics — standard systems

Named modal logic systems follow a simple convention: the name lists the axioms added on top of the base system K. Each letter corresponds to one axiom:

Naming convention: K = base system (Distribution axiom + Necessitation rule) — always present T = add Axiom T: □φ ⟹ φ (reflexive R) D = add Axiom D: □φ ⟹ ♢φ (serial R) 4 = add Axiom 4: □φ ⟹ □□φ (transitive R) 5 = add Axiom 5: ¬□φ ⟹ □¬□φ (Euclidean R) So KD45 = base system K, plus Axiom D, plus Axiom 4, plus Axiom 5. KT45 = base system K, plus Axiom T, plus Axiom 4, plus Axiom 5.

The standard systems used in this tutorial are:

K = base system (Distribution axiom + Necessitation rule only) KT = K + Axiom T reflexive R KT4 = K + T + 4 reflexive + transitive R ← sometimes used for belief, but includes Axiom T so the actual world is always accessible (closer to knowledge) (called S4 in historical literature) KT45 = K + T + 4 + 5 reflexive + transitive + Euclidean R ← standard knowledge (called S5 in historical literature) KD45 = K + D + 4 + 5 R has at least one accessible world from each world (serial), plus transitive + Euclidean R ← weaker belief (allows false beliefs)

An agent system satisfies Axiom T. The agent necessarily believes (□) that "the exit is to the north" — meaning this holds in all accessible worlds. What can we conclude about the actual world?

Axiom T: □φ ⟹ φ. Since □(exit_north) holds, exit_north is true in the actual world. This is what distinguishes knowledge (truth guaranteed by Axiom T) from mere belief in a system without T (you can believe false things). Axiom T requires wRw — the actual world is accessible from itself — so "true in all accessible worlds" includes "true in the actual world."

epistemic logic

Section 5 — epistemic logic

As introduced in Section 0, epistemic logic is modal logic with a specific interpretation: the □ operator represents knowledge or belief, and the accessibility relation R encodes which worlds an agent considers possible given its information. It was developed by Jaakko Hintikka in 1962 and is the standard formal tool for reasoning about what agents know and believe. Everything from Sections 2–4 — possible worlds, the accessibility relation R, the operators □ and ♢, and the axioms — carries over directly. What changes is only the interpretation we give to those structures.

Two modal operators for two mental states

Definition — epistemic accessibility relation

The epistemic accessibility relation for agent i, written Rᵢᴷ, is the set of ordered pairs (w, w₁) such that agent i considers world w₁ possible from world w — given everything the agent knows. World w₁ is epistemically accessible from w for agent i if agent i cannot rule out w₁ based on its knowledge in w.

The epistemic accessibility relation satisfies Axiom T (it is reflexive: wRᵢᴷw for all w), which ensures that what the agent knows is actually true. It typically also satisfies Axioms 4 and 5, giving the full KT45 system for knowledge (also called S5 in the literature).

Definition — doxastic accessibility relation

The doxastic accessibility relation for agent i, written Rᵢᴮ, is the set of ordered pairs (w, w₁) such that agent i considers world w₁ possible from world w — given what the agent believes. World w₁ is doxastically accessible from w for agent i if world w₁ is consistent with the agent's beliefs in w.

The doxastic accessibility relation does not require Axiom T (it need not be reflexive). This means the actual world w need not be among the worlds the agent considers possible — the agent can hold false beliefs. It typically satisfies Axioms 4 and 5 but not T, giving the KD45 system for belief.

Both terms trace to ancient Greek, and the distinction between them maps precisely onto the formal distinction between knowledge and belief in epistemic logic:

Episteme (ἐπιστήμη) — knowledge: justified, certain, and true. Plato contrasted it with doxa in several dialogues, arguing that episteme is stable and reliable in a way that mere opinion is not. The words epistemic and epistemology (the branch of philosophy concerned with the nature and scope of knowledge) both derive from this root.
Doxa (δόξα) — opinion or belief: may be true or false, and need not be justified. The words doxastic and orthodox (literally "correct opinion") derive from this root.

The formal properties of the two accessibility relations in epistemic logic directly reflect this ancient philosophical distinction: the epistemic relation satisfies Axiom T (what is known is true — episteme is factive), while the doxastic relation does not (what is believed may be false — doxa is not factive).

Definition — Kᵢφ (agent i knows φ)

Kᵢφ is true at world w if φ is true in every world w₁ such that wRᵢᴷw₁, where Rᵢᴷ is the epistemic accessibility relation for agent i — the worlds agent i cannot rule out given its knowledge.
Because Rᵢᴷ satisfies Axiom T (reflexive), Kᵢφ ⟹ φ: what the agent knows is actually true in the current world.

Definition — Bᵢφ (agent i believes φ)

Bᵢφ is true at world w if φ is true in every world w₁ such that wRᵢᴮw₁, where Rᵢᴮ is the doxastic accessibility relation for agent i — the worlds consistent with the agent's beliefs.
Because Rᵢᴮ does not require Axiom T (not necessarily reflexive), Bᵢφ does not imply φ: the agent can believe false things. The actual world w need not be among the worlds the agent considers possible.

The crucial distinction — knowledge requires truth, belief does not

Knowledge: Kᵢφ ⟹ φ what you know must be true (Axiom T applies) Belief: Bᵢφ does not imply φ what you believe may be false (no Axiom T)

You believed it would be sunny today. It rained. Your belief was false — but it was still a genuine belief. If you had known it would be sunny, it would have been sunny. Knowledge is factive (truth-guaranteeing); belief is not.

Each agent has its own accessibility relation

In a multi-agent system with agents 1, 2, ..., n, each agent i has its own accessibility relation — Rᵢᴷ for knowledge or Rᵢᴮ for belief — on the set of worlds W. The relation encodes which worlds agent i considers possible from each world.

Definition — wRᵢᴷw₁ and wRᵢᴮw₁

The pair (w, w₁) is in agent i's epistemic accessibility relation Rᵢᴷ (or doxastic relation Rᵢᴮ). Read as: "from world w, agent i considers world w₁ possible given its knowledge (or beliefs)." In graph terms: there is a directed arrow labelled i from node w to node w₁. The superscript K or B indicates whether the relation encodes knowledge or belief.

Two agents in the same world can have completely different accessibility relations — they may consider different sets of worlds possible, because they have different information.

Nested epistemic statements

Epistemic logic handles nested knowledge and belief naturally. This is essential for multi-agent reasoning and for the BDI formalization in Section 7:

Kᵢφ agent i knows φ KᵢKⱼφ agent i knows that agent j knows φ BᵢKⱼφ agent i believes that agent j knows φ Kᵢ(φ ⟹ Bⱼψ) agent i knows that if φ holds then agent j believes ψ Bᵢ(Bᵢφ) agent i believes that agent i believes φ (positive introspection: Axiom 4)

Standard epistemic systems

Knowledge system KT45 (also called S5 in the literature) Rᵢᴷ is reflexive, transitive, and Euclidean Kᵢφ ⟹ φ (truth) Kᵢφ ⟹ KᵢKᵢφ (positive introspection) ¬Kᵢφ ⟹ Kᵢ¬Kᵢφ (negative introspection) Belief system KD45 Rᵢᴮ has at least one accessible world from each world (serial), transitive, and Euclidean — but NOT reflexive Bᵢφ does not imply φ (false beliefs allowed) Bᵢφ ⟹ BᵢBᵢφ (positive introspection still holds) ¬Bᵢφ ⟹ Bᵢ¬Bᵢφ (negative introspection still holds)

BDI notation — common variants mapped to standard epistemic logic

Common notation	Standard notation	Meaning
□Bₐ	Bₐ(φ)	Agent a believes proposition B
♢Dₐ	Desₐ(D) with ♢Dₐ as feasibility constraint	Agent a desires D. Note: ♢Dₐ (D is achievable in at least one accessible world) is a necessary condition for rational desire, not a definition of it. Desire is a separate attitude — see Section 7.
□Iₐ	Intₐ(I)	Agent a is committed to intention I. □Iₐ is the semantic rendering: Iₐ holds in every world a considers possible. Intₐ(I) is the full BDI operator, which interprets as □Iₐ plus the rationality constraint Intₐ(I) ⟹ Desₐ(I) ∧ ¬Bₐ(¬I). The □ gives the possible-worlds truth conditions; the consistency condition gives the constraints on what it means to rationally hold an intention. Intₐ(I) is a BDI-specific operator, not reducible to □ or ♢ by the □ alone. Defined formally in Section 7.
Bel_a(φ)	Bᵃφ	Agent a believes φ
K(φ)	Kᵃφ	Agent a knows φ

Agent alice uses belief system KD45 (no Axiom T). She believes "the treasure is in room A." The treasure is actually in room B. Is this a contradiction in KD45?

No contradiction. KD45 does not include Axiom T, so Bᵢφ ⟹ φ does not hold. Alice's belief can be false — that is precisely what distinguishes belief (KD45) from knowledge (KT45). In KT45, Kᵢ(treasure_in_A) ⟹ treasure_in_A, making the scenario a contradiction. In KD45, Bᵢ(treasure_in_A) is perfectly consistent with the treasure actually being in room B.

limitations

Section 6 — the logical omniscience problem and bounded reasoning

Standard epistemic logic has a well-known and serious problem when applied to real agents: it implies agents are logically omniscient.

What logical omniscience means

In standard possible-worlds semantics, two properties follow automatically:

Necessitation rule: If ⊨ φ (φ is a tautology, valid in all models) then ⊨ Kᵢφ (every agent knows every tautology) Closure under logical consequence: If Kᵢφ and Kᵢ(φ ⟹ ψ) then Kᵢψ (agents automatically know all consequences of what they know)

The result: an agent that knows the axioms of arithmetic "knows" every provable theorem — including theorems that have never been proved and that mathematicians spend careers on. No real agent, human or artificial, works this way.

Aside — Gödel's incompleteness theorem and logical omniscience

Gödel's First Incompleteness Theorem (introduced in Section 1) gives a second, deeper reason why logical omniscience is unrealistic — beyond the obvious problem of infinite computation.

Standard epistemic logic assumes agents know all logical consequences of their beliefs. But if an agent's beliefs include the axioms of arithmetic, Gödel guarantees that some of those consequences are true but unprovable — no derivation of any finite length can reach them. So the assumption that agents know all consequences is not merely computationally unrealistic: it is logically impossible for any consistent system powerful enough to express arithmetic.

This means the logical omniscience problem has two distinct layers:

Layer 1 — computational: even for consequences that are provable, a real agent has finite time and memory and cannot derive all of them.

Layer 2 — logical (Gödel): for systems expressive enough to include arithmetic, some true consequences are not provable at all — no agent, no matter how powerful, can derive them within the system.

Konolige's bounded deduction model (below) addresses both layers at once: by restricting the agent to a finite rule set r applied to an explicit belief database Δ, the agent is neither expected to derive all provable consequences nor capable of reaching unprovable ones. The deductive closure close(Δ, r) is well-defined and reachable — though not necessarily finite, since some rule sets r can generate new propositions indefinitely.

For any realistic BDI agent: when formalizing a BDI proof using standard modal logic, you cannot simply assert □Bₐ and □Iₐ without acknowledging the logical omniscience problem. Acknowledge it explicitly and explain how you are restricting the agent's reasoning capacity — typically via Konolige's bounded deduction model.

Three approaches to addressing logical omniscience

Approach 1 — Konolige's deduction model: bounding the agent's inference

Replace the possible-worlds definition of belief with an explicit deduction structure:

Definition — deduction structure

A deduction structure for agent a is a pair d = (Δ, r) where:
Δ is a finite set of propositions that the agent explicitly holds as beliefs — the belief database.
r is a finite set of inference rules that the agent can apply — possibly a strict subset of all valid inference rules.

The agent a believes φ if and only if φ is derivable from Δ using only the rules in r: Belₐ(φ) ⟺ φ ∈ close(Δ, r) where close(Δ, r) = { φ | Δ ⊢ᵣ φ } = the set of all propositions derivable from Δ using rules r = the deductive closure of Δ under r

This directly models resource-bounded reasoning. The agent only "knows" what it can actually compute from its explicit beliefs using its available rules. Consequences that require rules not in r — or derivation chains too long to compute — are simply not in the agent's belief set.

Approach 2 — Levesque's explicit/implicit belief distinction

ExpBel(φ) — explicit belief: φ is directly stored in Δ (the belief database) ImpBel(φ) — implicit belief: φ is logically entailed by explicit beliefs but not stored Agents are only held responsible for what they explicitly believe, not for all logical consequences of their beliefs.

Approach 3 — Fagin and Halpern's awareness logic

Add an awareness set A(i, w) ⊆ {formulas} for agent i at world w. Agent i knows φ at w only if φ ∈ A(i, w) — the agent is "aware" of φ as a concept. This restricts omniscience by limiting which formulas the agent even considers.

How to apply Konolige's model in practice

Applying Konolige's model to BDI reasoning:

When formalizing a BDI agent, state explicitly that it operates under a bounded deduction structure (Δ, r). Belief □Bₐ and intention □Iₐ hold only within the deductive closure close(Δ, r) — not over all logical consequences. Agent a does not automatically know every consequence of its beliefs; only those reachable by applying the rules in r to the database Δ. This restricts BDI reasoning to resource-bounded, computationally tractable agents and avoids the logical omniscience problem.

An agent knows the axioms of Euclidean geometry. Under Konolige's deduction model, does it automatically believe every theorem of Euclidean geometry?

No. Under Konolige's model, Belₐ(φ) ⟺ φ ∈ close(Δ, r). The rule set r is finite and may not include all valid inference rules. Theorems requiring derivation steps not in r — or requiring too many steps — are simply not in the agent's belief set. This is the point: real computational agents have bounded inference capacity, and Konolige's model captures that directly.

synthesis

Section 7 — Belief-Desire-Intention (BDI) formalized in modal logic

This section brings together everything from Sections 1–6 to formalize the Belief-Desire-Intention (BDI) framework in modal logic. It develops the rationality principle — the formal statement that a rational agent with consistent beliefs, desires, and intentions will act to fulfill those intentions in every accessible world — and works through the derivation step by step.

Formalizing the three BDI states

Notation note — accessibility relations in this tutorial

Three notations for accessibility relations appear across sections, each appropriate to its context:

R and wRw₁ (Sections 2–4) — the general single-agent case, before any specific agent is named.
Rᵢᴷ / Rᵢᴮ and wRᵢᴷw₁ / wRᵢᴮw₁ (Section 5) — multi-agent epistemic logic, distinguishing epistemic (knowledge) and doxastic (belief) accessibility relations for agent i.
Rₐ and wRₐw₁ (this section) — the BDI formalization for a specific agent named a. In this section, Rₐ is a doxastic accessibility relation — the worlds agent a considers possible given its beliefs. It satisfies KD45: serial, transitive, and Euclidean, but not reflexive. False beliefs are explicitly permitted: the actual world w need not be among the worlds a considers possible.

All three mean the same underlying thing: the set of worlds the agent considers possible from the current world. The notation changes only to match the name of the agent in each context.

Definition — Beliefs, Desires, Intentions in modal logic

Let a be an agent. Let B, D, I be propositions representing the content of a's belief, desire, and intention respectively. Let w be the current world and Rₐ be a's accessibility relation — the set of worlds a considers possible from w.

Notational convention: the subscript a on Bₐ, Iₐ, Dₐ, Desₐ, Intₐ indicates that these are the propositional contents as held by agent a — distinguishing them from another agent's belief, intention, or desire in a multi-agent system. The propositions B, I, D themselves are plain propositions (goal states, facts about the world). The subscript a marks whose mental state we are describing. So □Bₐ means "the proposition Bₐ — B as held by agent a — is true in all worlds a considers possible," which is equivalent to saying "agent a believes B."

Beliefs: □Bₐ In every world w₁ that a considers possible (every w₁ such that wRₐw₁), agent a believes the proposition B is true in w₁ according to a's model of the world. The actual world w need not be among the worlds a considers possible (system KD45, no Axiom T), so B may be false in the actual world even though a believes B. False beliefs are explicitly permitted. Desires: Desₐ(D) a wants to bring about D. Desire cannot be expressed using □ or ♢ alone, because those operators describe what the agent believes is the case — not what the agent wants to be the case. Wanting is a different kind of mental attitude, requiring its own operator (Desₐ) with its own semantics, separate from the belief accessibility relation Rₐ. Feasibility constraint: ♢Dₐ must hold — D is true in at least one world w₁ such that wRₐw₁. a is a rational agent and only desires what it considers achievable. But ♢Dₐ is a necessary condition for desire, not a definition of it: considering D possible does not mean wanting D. Intentions: □Iₐ Iₐ is true in every world w₁ such that wRₐw₁. Agent a is committed to I — the intention holds in all worlds a considers possible. Note: □Iₐ is the semantic definition of holding intention I. A separate rationality constraint (the BDI consistency condition, defined below) further requires: Intₐ(I) ⟹ Desₐ(I) ∧ ¬Bₐ(¬I). These are two distinct statements — the first defines what □Iₐ means in possible worlds terms; the second is a coherence condition on what it means to rationally hold an intention.

Why desire is not simply ♢Dₐ

A common notation error is to write ♢Dₐ for desire. But ♢Dₐ means "D is possible — D holds in at least one world a considers accessible." Possibility and desire are entirely different attitudes. An agent can consider it possible that it will rain without desiring rain at all. Conversely, an agent might desire something it considers impossible — though a rational agent would not.

Desire properly belongs to deontic logic — from the ancient Greek deon (δέον), meaning "that which is binding" or "duty" — the modal logic of goals, obligations, and permissions, where operators mean "it ought to be the case that" or "it is desired that," not "it is possible that." A full BDI formalization uses a separate desire operator Desₐ(D), not reducible to □ or ♢ without additional machinery.

The correct relationship is: ♢Dₐ is a necessary condition for rational desire — a rational agent Desₐ(D) only if ♢Dₐ also holds (the agent considers D achievable). But necessity is not sufficiency: ♢Dₐ does not imply Desₐ(D). We use Desₐ(D) for desire and note the feasibility constraint ♢Dₐ separately wherever it is needed.

The BDI consistency condition

This is the formal link between intentions and the other BDI states, due to Cohen and Levesque (1990):

Intₐ(φ) ⟹ Desₐ(φ) ∧ ¬Bₐ(¬φ) Reading each part: Intₐ(φ) "Agent a intends φ" Desₐ(φ) "Agent a desires φ" you must want what you intend ¬Bₐ(¬φ) "Agent a does not believe ¬φ" you must not believe your intention is impossible (because Bₐ(¬φ) would mean a believes φ cannot hold)

This gives us a fundamental containment relationship between the sets of intentions and desires. Let I denote the set of all things agent a currently intends, and D the set of all things agent a currently desires. Then:

I ⊆ D The set of current intentions is a subset of the set of current desires. Every intention must be backed by a corresponding desire — you cannot intend something you do not desire. The reverse does not hold: D is typically much larger than I, since an agent can desire many things simultaneously, including things that are mutually incompatible, aspirational, or low priority. Intentions are the subset of desires the agent has committed to acting on now, filtered for consistency and feasibility.

How does an agent form an intention? — Cohen & Levesque (1990)

The BDI consistency condition tells us what must be true once an intention is held. But how does an agent arrive at an intention in the first place? Intention formation is the upstream process that produces the premises □Bₐ, Desₐ(D), and □Iₐ that the BDI rationality derivation takes as given.

In the Cohen & Levesque formalization, intention formation is not modeled as a single operator — it is captured by the conditions under which Intₐ(I) becomes true. Roughly: the agent adopts Intₐ(I) when it has Desₐ(I), believes I is achievable (¬Bₐ(¬I)), and has selected I from competing desires via its planning process. Each of these maps directly onto a condition:

Feasibility: the agent believes I is achievable — ¬Bₐ(¬I) holds. If the agent believes I is impossible, rational intention formation is blocked. This is exactly the ¬Bₐ(¬I) term in the consistency condition.
Selection via the planning process: the agent's planning process filters competing desires and selects a consistent, executable subset to commit to. An agent cannot simultaneously intend everything it desires if those desires conflict — D may contain mutually incompatible desires; I must not. The planning process is what performs this selection, producing the I ⊆ D containment.
Commitment: once selected, the agent stops deliberating about whether to pursue I and begins deliberating about how. Bratman (1987) calls this "settling the question." The commitment then persists — the agent does not abandon I merely because a competing desire arises, unless I is achieved or believed to have become impossible.

The BDI rationality derivation operates entirely downstream of this process. It takes the formed intention □Iₐ as a premise and reasons about what a rational agent does next — it does not model how the agent got there. Understanding intention formation clarifies why the BDI consistency condition has the shape it does: each term directly encodes one of the conditions above.

The rationality principle

Definition — Act(a, I)

Act(a, I) is a proposition meaning "agent a performs an action directed at fulfilling intention I." It is true in world w if agent a executes, in w, an action whose goal is to bring about the state described by proposition I. Act(a, I) is the bridge between the agent's cognitive states and observable behavior.

The rationality principle connects all three BDI components to action. It is important to understand the distinct role each plays:

Belief Bₐ — world model

Bₐ is not merely a feasibility check. It is the agent's model of the current state of the world, which informs how Act(a, I) is selected. An agent that believes the door is locked will choose a different action to fulfill "reach the other room" than one that believes the door is open. Belief guides action selection.

Desire Desₐ(I) — motivation

Desire provides the motivational grounding for action. The agent acts to fulfill I because it desires the goal state that I brings about. Without desire, the agent would be mechanically executing intentions with no motivational basis. Desire is what makes the agent want to act.

Intention Iₐ — commitment

Intention is the agent's commitment to act on a desire. It filters competing desires and commits the agent to a specific course of action. The agent does not just want I — it has decided to pursue I and will persist until I is achieved or believed impossible.

Act(a, I) — behavior

The observable output: the action the agent performs in the world. It is determined jointly by what the agent believes (Bₐ), what it desires (Desₐ(I)), and what it is committed to (Iₐ).

Full rationality principle: □Bₐ ∧ Desₐ(I) ∧ □Iₐ ⟹ □(Act(a, I)) If a holds beliefs Bₐ in every world it considers possible (□Bₐ), desires the goal state I (Desₐ(I)), and is committed to intention I in every world it considers possible (□Iₐ), then a rational agent performs an action Act(a, I) in every accessible world. The conclusion □(Act(a, I)) follows directly from the premises: because □Bₐ and □Iₐ already assert that Bₐ and Iₐ hold in every accessible world w₁, the rationality principle fires at each w₁ individually, giving Act(a, I) at each w₁. By the definition of □, that is exactly □(Act(a, I)). Note: Bₐ plays two roles: (1) Feasibility: a does not believe I is impossible — ¬Bₐ(¬I) from the BDI consistency condition (2) Action guidance: a uses Bₐ as a model of the world to select which specific action will bring about I in the current situation. Implicit feasibility constraint: ¬Bₐ(¬I) is not a separate premise of the rationality principle — it is guaranteed implicitly by □Iₐ via the BDI consistency condition (Intₐ(I) ⟹ Desₐ(I) ∧ ¬Bₐ(¬I)). Whenever the agent holds intention I, it is already a rational requirement that the agent does not believe I to be impossible. The rationality principle inherits this constraint automatically; you do not need to assert ¬Bₐ(¬I) as an additional premise in your proof.

Provenance of the rationality principle

The formulation above is a pedagogical simplification inspired by Cohen & Levesque (1990) and Rao & Georgeff (1991), not a verbatim theorem from the literature. The canonical results in those papers use a richer temporal logic layer — operators like BEFORE, UNTIL, and HAPPENS — because intention and action play out over time: an agent commits to pursuing I until it is achieved or believed impossible, not just in a single snapshot of accessible worlds. That temporal machinery is beyond the scope of this tutorial. The principle as stated here captures the core idea faithfully at the level of standard modal logic. Do not cite it as a named theorem with a specific page reference.

The BDI rationality statement — formalized

Natural language: "If agent a believes B, desires D, and intends I, then a must rationally act to fulfill I in all accessible worlds." Let: B = the proposition a believes D = the proposition a desires I = the proposition a intends Act(a, I) = "agent a performs an action directed at fulfilling intention I" (defined formally above, before the rationality principle) Premises: (1) □Bₐ a believes B — B holds in every world w₁ such that wRₐw₁ (2) Desₐ(D) a desires D — D is a goal state a wants to bring about. Feasibility constraint: ♢Dₐ holds — D is achievable in at least one world w₁ such that wRₐw₁. Note: ♢Dₐ is a necessary condition for rational desire, not a definition of it. (3) □Iₐ a intends I — I holds in every world w₁ such that wRₐw₁ Conclusion: (4) □(Act(a, I)) a acts to fulfill I in every accessible world Full formula: (□Bₐ ∧ Desₐ(D) ∧ □Iₐ) ⟹ □(Act(a, I)) where Desₐ(D) carries the feasibility constraint ♢Dₐ as a rational requirement.

The derivation

What this derivation is — and is not

The rationality principle — (□Bₐ ∧ Desₐ(I) ∧ □Iₐ) ⟹ □(Act(a, I)) — cannot be derived from modal logic alone. It is a defining axiom of rational agency in the BDI framework: it states what we mean by calling an agent rational. It is not proven from more primitive truths — it is adopted as a definition.

What the derivation does accomplish is demonstrate that the conclusion follows from this axiom together with:

the BDI consistency condition, which derives Desₐ(I) and ¬Bₐ(¬I) from □Iₐ
the I ⊆ D containment, which derives Desₐ(I) from Desₐ(D)
the semantics of □, which licenses the universalization to □(Act(a, I))

When presenting this formally, state: "The rationality principle is adopted as a defining axiom of rational agency in the BDI framework. The derivation demonstrates that the conclusion follows from this axiom together with the BDI consistency condition and the semantics of □."

State the premises

Unpack each □ premise using the truth condition: □φ is true at w if and only if φ is true in every world w₁ such that wRₐw₁. Apply this to: (1) □Bₐ (2) Desₐ(D) (3) □Iₐ

Derive Desₐ(I) from Desₐ(D) via I ⊆ D

From the containment relation: I ⊆ D — every intention is backed by a corresponding desire. Since I ∈ D, Desₐ(I) follows directly from Desₐ(D). This closes the gap between the desire premise (stated for D) and the rationality principle (which requires Desₐ(I)).

Apply the BDI consistency condition to □Iₐ

From the BDI consistency condition: Intₐ(I) ⟹ Desₐ(I) ∧ ¬Bₐ(¬I). Since □Iₐ holds, the consistency condition applies in every accessible world w₁, giving both Desₐ(I) (consistent with step 2) and ¬Bₐ(¬I) — the agent does not believe I is impossible. This feasibility constraint is implicit in holding the intention; it does not need to be asserted as a separate premise.

Apply the rationality principle at each accessible world

In every world w₁ such that wRₐw₁: Bₐ holds (from □Bₐ), Desₐ(I) holds (step 2), and Iₐ holds (from □Iₐ). All three conjuncts of the rationality principle are satisfied. By Modus Ponens: (□Bₐ ∧ Desₐ(I) ∧ □Iₐ) ⟹ Act(a, I)

Universalize to obtain □(Act(a, I)) ∎

From step 4, Act(a, I) holds in every world w₁ such that wRₐw₁. By the definition of □, this is exactly □(Act(a, I)). This is the conclusion: (□Bₐ ∧ Desₐ(I) ∧ □Iₐ) ⟹ □(Act(a, I)) ∎

Logical omniscience — address for any realistic agent

For any realistic BDI agent, state explicitly that it operates under a bounded deduction structure (Δ, r) per Konolige's model (Section 6). The premises □Bₐ and □Iₐ hold only within the deductive closure close(Δ, r) — not over all logical consequences. Agent a does not automatically know every consequence of its beliefs; only those derivable by applying the finite rule set r to the belief database Δ.

This tutorial has covered the full formal machinery of modal and epistemic logic. You have the syntax of modal operators (Section 3), their semantics via possible worlds (Section 2), the axioms and what they mean for the accessibility graph (Section 4), the knowledge/belief distinction (Section 5), the bounded reasoning framework (Section 6), and the BDI formalization (Section 7). These tools are sufficient to formalize and reason about any BDI agent operating in a multi-agent environment.