Model-checking ecological state-transition graphs

Model-checking is a methodology developed in computer science to automatically assess the dynamics of discrete systems, by checking if a system modelled as a state-transition graph satisfies a dynamical property written as a temporal logic formula. The dynamics of ecosystems have been drawn as state-transition graphs for more than a century, ranging from state-and-transition models to assembly graphs. Model-checking can provide insights into both empirical data and theoretical models, as long as they sum up into state-transition graphs. While model-checking proved to be a valuable tool in systems biology, it remains largely underused in ecology apart from precursory applications. This article proposes to address this situation, through an inventory of existing ecological STGs and an accessible presentation of the model-checking methodology. This overview is illustrated by the application of model-checking to assess the dynamics of a vegetation pathways model. We select management scenarios by model-checking Computation Tree Logic formulas representing management goals and built from a proposed catalogue of patterns. In discussion, we sketch bridges between existing studies in ecology and available model-checking frameworks. In addition to the automated analysis of ecological state-transition graphs, we believe that defining ecological concepts with temporal logics could help clarify and compare them.


S1.1 Syntax: writing models
The RR modelling language involves entities and rules [1,2]. Entities are the biotic and abiotic elements of an ecosystem, modelled as Boolean variables (on/off, noted as +/-). Rules define how entities values may evolve by applying an effect (assignment of entities values) depending on a guard (condition on entities values).
Fig S1.1 shows a toy version of our Borana model. Entities are declared first by giving each of them a name, an initial state ("+" for on, "-" for off, or "*" to allow both initial values), and a textual description. For instance, we declare entity Gr that is initially on and models the presence of grasses in the ecosystem. With respect to the version presented in the main text, we have added a control Fb that has an undefined initial state, so both Fb+ and Fb-are considered as initial states of the system. Entities declarations are organised into arbitrarily chosen categories (except for "rules" that is a reserved keyword). For instance, entity Gr is declared within category variables while entity Fb is declared within category controls. These categories are for information purposes only and have no consequence on the semantics.
Rules are listed after entities declarations and consist of two sides separated by ">>": the left-hand side is the guard, that is, the condition for the execution of the rule; the right-hand side is the effect, that is, the entities assignment that takes place upon execution of the rule. For instance, rule R1 specifies that if fire is not banned (Fb-) and grasses are present (Gr+) then high fire may occur, resulting in the disappearance of both shrubs and trees (Sh-and Tr-). Rules may be prefixed by arbitrary tags enclosed into square brackets, like "[high fire]" in rule R1. Just like comments, like "# R1", these tags play no role in the semantics, but contrasting with comments, they are attached to rules and are available from the tool so they can be referred to during analysis.

variables:
Gr+: Grasses Note that Tab 1 and S1 Table have been formatted to be more readable than the raw RR source code, but the latter is available as file "Borana model.rr" in S1 Notebook.

S1.2 Explicit semantics: executing rules and building STGs
The execution of an RR system is defined in terms of operational rules involving states, i.e. valuation of its entities, and transitions, that are executions (called firings) of the rules allowing to build new states from existing ones: • the initial states are defined from the declaration of the entities, either they are initially on/off, or both values are considered (like Fb* in Fig S1.1); • a rule is enabled when its guard is satisfied by the state and its effect is not already realised; • if no rule is enabled at a state, then this state is a deadlock; • firing a rule r enabled at a state s is made by applying the effect of r onto s, yielding a new state s = s, which is a transition noted by s r − → s ; • the states obtained by firing rules from a given state are called its successors.
If we note a state by the set of entities it valuates to on, the model defined in Fig S1. − → {Gr, Sh, Tr}. In the initial states, rule R3 is not enabled because its guard is not satisfied. Rules R1 and R2 are not enabled from the initial states either because in {Fb, Gr}, even is the guard is satisfied, the effect is already realised, and in {Gr} the guard is not satisfied.
An STG can be generated from an RR model by repeatedly applying the firing rules from the initial states and from all the newly obtained successor states. The STG obtained from our toy model is depicted in Fig S1.2 and is computed as follows:

S1.3 Symbolic semantics: building smaller STGs
Symbolic techniques efficiently build a compact representation of the set S of states of an RR model. Then, considering a partition C of S, we can build an STG whose nodes are the elements of C and whose edges are the transitions allowing to reach one such node from another. More precisely, for s ∈ S, we note by s C the component in C such that s ∈ s C . Then, the symbolic STG of an RR system with respect to C is the STG defined by: For example, the STG depicted in blue in Fig 6 is a symbolic STG whose components are the blue rounded boxes, each representing a vegetation class (indeed the vegetation classes form a partition, see S2 Table) and encompassing the explicit states it encloses. To draw this STG, we first symbolically computed the symbolic STG before enumerating the states enclosed within each component (see S1 Notebook).
The main benefit of such symbolic STG is that its components may be represented symbolically, and that its edges can be computed directly from the symbolic components. In doing so, a huge state-space may be represented efficiently by a small structure that can be seen as a hybrid object mixing symbolic components with explicit information about their relationship.
The simplest symbolic STG has a single component (C = {S}), and the most detailed symbolic STG has only singleton components (C = {{s} | s ∈ S}) which is equivalent to the explicit STG as defined above. Yet, we are mostly interested in something in between with sufficiently few components to remain human-readable, but with enough details to exhibit key aspects of the dynamics.