Modelling Value-oriented Legal Reasoning in LogiKEy

The logico-pluralist LogiKEy knowledge engineering methodology and framework is applied to the modelling of a theory of legal balancing in which legal knowledge (cases and laws) is encoded by utilising context-dependent value preferences. The theory obtained is then used to formalise, automatically evaluate, and reconstruct illustrative property law cases (involving appropriation of wild animals) within the Isabelle proof assistant system, illustrating how LogiKEy can harness interactive and automated theorem proving technology to provide a testbed for the development and formal verification of legal domain-specific languages and theories. Modelling value-oriented legal reasoning in that framework, we establish novel bridges between latest research in knowledge representation and reasoning in non-classical logics, automated theorem proving, and applications in legal reasoning.


Introduction
Law today has to reflect highly pluralistic environments in which a plurality of values, world-views and logics coexist. One function of modern, reflexive law is to enable the social interaction within and between such worlds (Lomfeld 2017;Teubner 1983). Any sound model of legal reasoning needs to be pluralistic, supporting different value systems, value preferences, and maybe even different logical notions, while at the same time reflecting the uniting force of law.
Adopting such a perspective, in this paper we apply the logico-pluralistic LOGIKEY knowledge engineering methodology and framework  to the modelling of a theory of value-based legal balancing, a discoursive grammar of justification (Lomfeld 2019), which we then employ to formally reconstruct and automatically assess, using the Isabelle/HOL proof assistant system, some illustrative property law cases involving the appropriation of wild animals (termed "wild animal cases"; cf. Bench-Capon and Sartor (2003), Berman and Hafner (1993), and Merrill and H. E. Smith (2017, Ch. II. A.1) for background). Lomfeld's discoursive grammar is encoded, for our purposes, as a logic-based domain-specific language (DSL) in which the legal knowledge embodied in statutes and case corpora becomes represented as context-dependent preferences among (combinations of) values constituting a pluralistic value system or ontology. This knowledge can thus be complemented by further legal and world knowledge, e.g., from legal ontologies (Casanovas et al. 2016;Hoekstra et al. 2009).
The LOGIKEY framework supports plurality at different layers; cf. Fig. 1. Classical higher-order logic (HOL) is fixed as a universal meta-logic  at the base layer (L0), on top of which a plurality of (combinations of) object logics can become encoded (layer L1). Employing these logical notions we can now articulate a variety of logic-based domain-specific languages (DSLs), theories and ontologies at the next layer (L2), thus enabling the modelling and automated assessment of different application scenarios (layer L3). These linked layers, as featured in the LOGIKEY approach, facilitate fruitful interdisciplinary collaboration between LOGIKEY, in this sense, fosters a division of labour among different specialist roles. For example, 'logic theorists' can concentrate on investigating the semantics and proof calculi for different object logics, while 'logic engineers' (e.g., with a computer science background) can focus on the encoding of suitable combinations of those formalisms in the meta-logic HOL and on the development and/or integration of relevant automated reasoning technology. Knowledge engineers can then employ these object logics for knowledge representation (by developing ontologies, taxonomies, controlled languages, etc.), while domain experts (ethicists, lawyers, etc.) collaborate with requirements elicitation and analysis, as well as providing domain-specific counseling and feedback. These tasks can be supported in an integrated fashion by harnessing (and extending) modern mathematical proof assistant systems (aka. interactive theorem provers), which thus become a testbed for the development of logics and ethico-legal theories.
The work reported below is a LOGIKEY-supported collaborative research effort involving two computer scientists (Benzmüller & Fuenmayor) together with a lawyer and legal philosopher (Lomfeld), who have joined forces with the goal of studying the computer-encoding and automation of a theory of value-based legal balancing: Lomfeld's discoursive grammar (Lomfeld 2019). A formally-verifiable legal domain-specific language (DSL) has been developed for the encoding of this theory (at LOGIKEY's layer L2). This DSL has been built on top of a suitably chosen objectlogical language: a modal logic of preferences (at layer L1), by drawing upon the representation and reasoning infrastructure integrated within the proof assistant Isabelle/HOL (layer L0). The resulting system is then employed for the assessment of legal cases in property law (at layer L3), which includes the formal modelling of background legal and world knowledge, as required to enable the verification of predicted legal case outcomes and the automatic generation of value-oriented logical justifications (backings) for them.
From a wider perspective, LOGIKEY aims at supporting the practical development of computational tools for legal and normative reasoning based on formal methods. One of the main drives for its development has been the introduction of automated reasoning techniques for the design, verification (offline & online), and control of intelligent autonomous systems, as a step towards explicit ethical agents (Moor 2009;Scheutz 2017). The argument here is that ethico-legal control mechanisms (such as ethical governors; cf. Arkin et al. (2009)) of intelligent autonomous systems should be understood and designed as knowledge-based systems, where the required ethical and legal knowledge becomes explicitly represented as a logical theory, i.e., as a set of formulas (axioms, definitions and theorems) encoded in a logic. We have set a special focus on the (re-)use of modern proof assistants based on HOL (Isabelle/HOL, HOL-Light, HOL4, etc.) and integrated automated reasoning tools (theorem provers and model generators) for the interactive development and verification of ethico-legal theories. To carry out the technical work reported in this paper, we have chosen to work with Isabelle/HOL, but the essence of our contributions can easily be applied to other proof assistants and automated reasoning systems for HOL.
Technical results concerning in particular our Isabelle/HOL encoding have been presented at the International Conference on Interactive Theorem Proving (ITP 2021) (Benzmüller and Fuenmayor 2021), and earlier ideas have been discussed at the Workshop on Models of Legal Reasoning (MLR 2020). In the present paper, we elaborate on these results and provide a more self-contained exposition, by giving further background information on Lomfeld's discoursive grammar, on the meta-logic HOL, and on the modal logic of preferences by van Benthem et al. (2009). More fundamentally, this paper presents the full picture, as framed by the underlying LOGIKEY framework, and highlights methodological insights, applications, and perspectives relevant to the AI & Law community. One of our main motivations is to help build bridges between recent research in knowledge representation and reasoning in non-classical logics, automated theorem proving, and applications in normative and legal reasoning.
Paper structure: After summarising Lomfeld's theory of value-based legal balancing in §2, we briefly depict the LOGIKEY development and knowledge engineering methodology in §3, and our meta-logic HOL in §4. We then outline our object logic of choice -a (quantified) modal logic of preferences -in §5, where we also present its encoding in the meta-logic HOL and formally verify the preservation of meta-theoretical properties using the Isabelle/HOL proof assistant. Subsequently, we model in §6 Lomfeld's legal theory and provide a custom-built DSL, which is again formally assessed using Isabelle/HOL. As an illustrative application of our framework, we present in §7 the formal reconstruction and assessment of well-known example legal cases in property law ("wild animal cases"), together with some considerations regarding the encoding of required legal and world knowledge. Related and further work is addressed in §8, and §9 concludes the article.
The Isabelle/HOL sources of our formalisation work are available at http:// logikey.org under Preference-Logics/EncodingLegalBalancing. They are also explained in some detail in the Appendix A.

A Theory of Legal Values: Discoursive Grammar of Justification
The case study with which we illustrate the LOGIKEY methodology in the present paper consists in the formal encoding and assessment on the computer of a theory of value-based legal balancing, as put forward by Lomfeld 2019. Lomfeld himself has played the role of the domain expert in our joint research, which from a methodological perspective, can be characterised as being both in part theoretical and in part empirical. Lomfeld's primary role has been to provide background legal domain knowledge and to assess the adequacy of our formalisation results, while informing us of relevant conceptual and legal distinctions that needed to be made. In a sense, this created a win-win situation in which both Lomfeld's theory and LOGIKEY's methodology have been put to the test. This section presents Lomfeld's theory and discusses some of its merits in comparison to related approaches.
Logical reconstructions quite often separate deductive rule application and inductive case-contextual interpretation as completely distinct ways of legal reasoning (cf. the overview in Prakken and Sartor (2015)). Understanding the whole process of legal reasoning as an exchange of opposing action-guiding arguments, i.e., practical argumentation (Alexy 1978;Feteris 2017), a strict separation between logically distinct ways of legal reasoning breaks down. Yet, a variety of modes of rule-based (Hage 1997;Modgil and Prakken 2018;Prakken 1997), case-based (Aleven 1997;Ashley 1990;Horty 2011) andvalue-based (Bench-Capon et al. 2005;Berman and Hafner 1993;Grabmair 2016) reasoning coexist in legal theory and (court) practice.
In line with current computational models combining these different modes of reasoning (e.g., Bench-Capon and Sartor 2003;Maranhão and Sartor 2019), we argue that a discourse theory of law can consistently integrate them in the form of a multilevel system of legal reasoning. Legal rules or case precedents can thus be translated into (or analysed as) the balancing of plural and opposing (socio-legal) values on a deeper level of reasoning (Lomfeld 2015).
There exist indeed some models for quantifying legal balancing, i.e., for weighing competing reasons in a case (e.g., Alexy 2003;Sartor 2010). We share the opinion that these approaches need to get "integrated with logic and argumentation to provide a comprehensive account of value-oriented reasoning" (Sartor 2018). Hence a suitable model of legal balancing would need to reconstruct rule subsumption and case distinction as argumentation processes involving conflicting values.
Here, the functional differentiation of legal norms into rules and principles reveals its potential (Alexy 2000;Dworkin 1978). Whereas legal rules have a binary all-ornothing validity driving out conflicting rules, legal principles allow for a scalable dimension of weight. Thus, principles could outweigh each other without rebutting the normative validity of colliding principles. Legal principles can be understood as a set of plural and conflicting values on a deep level of socio-legal balancing, which is structured by legal rules on an explicit and more concrete level of legal reasoning (Lomfeld 2015). The two-faceted argumentative relation is partly mirrored in the functional differentiation between goal-norms and action-norms (Sartor 2010) but should not be mixed up with a general understanding of principles as abstract rules (Raz 1972;Verheij et al. 1998) or as specific constitutional law elements (Barak 2012;Neves 2021).
In any event, if preferences between defeasible rules are reconstructed and justified in terms of preferences between underlying values, some questions about values necessarily pop up. In the words of Bench-Capon and Sartor (2003) Hence an encompassing approach for legal reasoning as practical argumentation needs not only a formal reconstruction of the relation between legal values (or principles) and legal rules, but also a substantial framework of values (a basic value system) that allows to systematise value comparison and conflicts as a discoursive grammar (Lomfeld 2015(Lomfeld , 2019 of argumentation. In this article we define a value system not as a "preference order on sets of values" (Weide et al. 2010) but as a pluralistic set of values which allow for different preference orders. The computational conceptualisation (as a formal logical theory) of such a set of representational primitives for a pluralist basic value system can then be considered as a value "ontology" (Gruber 1993(Gruber , 2009B. Smith 2003), which of course needs to be complemented by further ontologies for relevant background legal and world knowledge (see e.g. Casanovas et al. (2016) and Hoekstra et al. (2009)).
Combining the discourse-theoretical idea that legal reasoning is practical argumentation with a two-faceted model of legal norms, legal rules could be logically reconstructed as conditional preference relations between conflicting underlying value principles (Alexy 2000;Lomfeld 2015). The legal consequence of a rule thus implies the preference of value principle over value principle , noted > (e.g. health security outweighs freedom to move). 1 This value preference applies under the condition that the rule's prerequisites 1 and 2 hold. Thus, if the propositions 1 and 2 are true in a given situation (e.g. a virus pandemic occurs and voluntary shut down fails), then the value preference > obtains. This value preference can be said to weight or balance the two values and against each other. We can thus translate this concrete legal rule as a conditional preference relation between colliding value principles: More generally, and could also be structured as aggregates of value principles, whereas the condition of the rule can consist in a conjunction of arbitrary propositions. Moreover, it may well happen that, given some conditions, several rules become relevant in a concrete legal case. In such cases the rules determine a structure of legal balancing between conflicting plural value principles. Moreover, making explicit the underlying balancing of values against each other (as value preferences) helps to justify a legal consequence (e.g. sanctioned lock-down) or ruling in favour of a party (e.g. defendant) in a legal case.
But which value principles are to be balanced? How to find a suitable justification framework? Based on comparative discourse analyses in different legal systems, one can reconstruct a general dialectical (antagonistic) taxonomy of legal value principles used in (at least Western) legislation, legislative materials, cases, textbooks and scholar writings (Lomfeld 2015). The idea is to provide a plural and yet consistent system of basic legal values and principles, independent of concrete cases or legal fields, to justify legal decisions.
The proposed legal value system (Lomfeld 2019), see Fig. 2, is consistent with many existing taxonomies of antagonistic psychological (Rokeach 1973;Schwartz 1992), political (Eysenck 1954;Mitchell 2007) and economic values (Clark 1991). 2 In all social orders one can observe a general antinomy between individual and collective values. Ideal types of this fundamental dialectic are: the basic value of FREEDOM for the individual, and the basic value of SECURITY for the collective perspective. Another classic social value antinomy is between a functional-economic (utilitarian) and a more idealistic (egalitarian) viewpoint, represented in the ethical debate by the essential dialectic concerning the basic values of UTILITY versus EQUALITY. These four normative poles stretch an axis of value coordinates for the general value system construction. We thus speak of a normative dialectics, since each of the antagonistic basic values and related principles can (and in most situations will) collide with each other. (2019) Within this dialectical matrix eight more concrete legal value principles are identified. FREEDOM represents the normative basic value of individual autonomy and comprises the legal (value) principles of -more functional-individual choice or 'free will' (WILL) and -more idealistic-(self-)'responsibility' (RESP). The basic value of SECURITY addresses the collective dimension of public order and comprises the legal principles of -more functional-collective 'stability' (STAB) of a social system and -more idealistic-social trust or 'reliance' (RELI). The value of UTILITY means economic welfare on the personal and collective level and comprises the legal principles of collective overall welfare-maximisation, i.e., 'efficiency' (EFFI) and individual welfare-maximisation, i.e., economic benefit or 'gain' (GAIN). Finally, EQUALITY represents the normative ideal of equal treatment and equal allocation of resources and comprises the legal principles of -more individual-equal opportunity or procedural 'fairness' (FAIR) and -more collective-distributional equality or 'equity' (EQUI). This legal value system (or ontology) can consistently cover existing value sets from AI & Law accounts of value-oriented reasoning (e.g., Bench-Capon 2012; Berman and Hafner 1993; T. Gordon and Walton 2012;Sartor 2010), mostly exemplified by modelling famous common law property cases, in particular, "wild animal cases". A key feature of Lomfeld's discoursive grammar of dialectical values consists in its purely qualitative modelling of legal balancing in terms of context-dependent logic-based preferences among values, without any need for determining quantitative weights.

The LOGIKEY Methodology
LOGIKEY, as a methodology , refers to the principles underlying the organisation and the conduct of complex knowledge design and engineering processes, with a particular focus on the legal and ethical domain. Knowledge engineering refers to all the technical and scientific aspects involved in building, maintaining and using knowledge-based systems employing logical formalisms as a representation language. In particular, we speak of logic engineering to highlight those tasks directly related to the syntactic and semantic definition, as well as to the meta-logical encoding and automation, of different combinations of object logics. It is also LOGIKEY's objective to fruitfully integrate contributions from different research communities (such as interactive and automated theorem proving, non-classical logics, knowledge representation, and domain specialists) and to make them accessible at a suitable level of abstraction and technicality to practitioners in diverse fields.
A fundamental characteristic of the LOGIKEY methodology consists in the utilisation of classical higher-order logic (HOL, cf. Benzmüller and P. Andrews (2019)) as a general-purpose logical formalism in which to encode different (combinations of) object logics. This enabling technique is known as shallow 3 semantical embeddings (SSEs). HOL thus acts as the substrate in which a plurality of logical languages, organised hierarchically at different abstraction layers, become ultimately encoded and reasoned with. This in turn enables the provision of powerful tool support: we can harness mathematical proof assistants (e.g. Isabelle/HOL) as a testbed for the development of logics, and ethico-legal DSLs and theories. More concretely, off-the-shelf theorem provers and (counter-)model generators for HOL, as provided, e.g., in the interactive proof assistant Isabelle/HOL (Blanchette et al. 2016), are assisting the LOGIKEY knowledge & logic engineers (as well as domain experts) to flexibly experiment with underlying (object) logics and their combinations, with general and domain knowledge, and with concrete use cases-all at the same time. Thus, continuous improvements of these off-the-shelf provers, without further ado, leverage the reasoning performance in LOGIKEY.
The LOGIKEY methodology, cf. Fig. 1, has been instantiated in this article to support and guide the simultaneous development of the different modelling layers as depicted in Fig. 3, and which will be the subject of discussion in the following sections. According to the logico-pluralistic nature of LOGIKEY, only the lowest layer (L0), meta-logic HOL (cf. §4), remains fixed, while all other layers are subject to dynamic adjustments until a satisfying overall solution in the overall modelling process is reached. At the next layer (L1) we are faced with the choice of an object logic, in our case a modal logic of preference (cf. §5). A legal DSL (cf. §6), created after Lomfeld's discoursive grammar (cf. §2), further extends this object logic at a higher 3 Shallow semantical embeddings are different from deep embeddings of an object logic. In the latter case the syntax of the object logic is represented using an inductive data structure (e.g., following the definition of the language). The semantics of a formula is then evaluated by recursively traversing the data structure, and additionally a proof theory for the logic maybe be encoded. Deep embeddings typically require technical inductive proofs, which hinder proof automation, that can be avoided when shallow semantical embeddings are used instead. For more information on shallow and deep embeddings we refer to the literature (Gibbons and Wu 2014;Svenningsson and Axelsson 2013).

L0 -HOL LOGIKEY Methodology
Fig. 3 LOGIKEY development methodology as instantiated in the given context level of abstraction (layer L2). At the upper layer (layer L3), we use this legal DSL to encode and automatically assess some example legal cases ("wild animal cases") in property law (cf. §7) by relying upon previously encoded background legal and world knowledge. 4 The higher layers thus make use of the concepts introduced at the lower layers. Moreover, at each layer, the encoding efforts are guided by selected tests and 'sanity checks' in order to formally verify relevant properties of the encodings at and up to that level. It is worth noting that the application of our approach to deciding concrete legal cases reflects ideas in the AI & Law literature about understanding the solution of legal cases as theory construction, i.e., "building, evaluating and using theories" (Bench-Capon and Sartor 2003). 5 This multi-layered, iterative knowledge engineering process is supported in our LOGIKEY framework by adapting interactive and automated reasoning technology for HOL (as a meta-logic).
An important aspect thereby is that the LOGIKEY methodology foresees and enables the knowledge engineer to flexibly switch between the modelling layers and to suitably adapt the encodings also at lower layers if needed. The engineering process thus has backtracking points and several work cycles may be required; thereby the higher layers may also pose modification requests to the lower layers. Such demands, unlike in most other approaches, may also involve far-reaching modifications of the chosen logical foundations, e.g., in the particularly chosen modal preference logic.
The work we present in this article is in fact the result of an iterative, give-and-take process encompassing several cycles of modelling, assessment and testing activities, whereby a (modular) logical theory gradually evolves until eventually reaching a state of highest coherence and acceptability. In line with previous work on computational hermeneutics (Fuenmayor and Benzmüller 2019), we may then speak of arriving at a state of reflective equilibrium (Daniels 2020), as the end-point of an iterative process of mutual adjustment among (general) principles and (particular) judgements, where the latter are intended to become logically entailed by the former. It is also worth noting that the notion of reflective equilibrium has been introduced by the philosopher John Rawls in moral and political philosophy as a method for the development of his theory of justice (Rawls 1971), an analogous endeavour to ours in the present work. In fact, an earlier formulation of this approach is often credited to the philosopher Nelson Goodman, who proposed it as a method for the development of (inference rules for) deductive and inductive logical systems (Goodman 1955), again, very much in the spirit of LOGIKEY.

Meta-logic (L0) -Classical Higher-Order Logic
To keep this article sufficiently self-contained we briefly introduce a classical higherorder logic, termed HOL; more detailed information on HOL and its automation can be found in the literature (P. B. Andrews 1972a,b; Benzmüller and P. Andrews 2019; Benzmüller et al. 2004;Benzmüller and Miller 2014).
The notion of HOL used in this article refers to a simply typed logic of functions that has been put forward by Church (1940). Hence all terms of HOL get assigned a fixed and unique type, commonly written as a subscript (i.e., the term has as its type). HOL provides -notation, as an elegant and useful means to denote unnamed functions, predicates and sets; -notation also supports compositionality, a feature we heavily exploit to obtain elegant, non-recursive encoding definitions for our logic embeddings in the remainder. Types in HOL eliminate paradoxes and inconsistencies.
HOL comes with a set of simple types, which is freely generated from a set of basic types ⊇ { , } using the function type constructor (written as a rightassociative infix operator). For instance, , and are types. The type denotes a two-element set of truth-values and denotes a non-empty set of individuals. 6 Further base types may be added as the need arises.
The terms of HOL are inductively defined starting from typed constant symbols ( ) and typed variable symbols ( ) using -abstraction (( . ) ) and function application (( ) ), thereby obeying type constraints as indicated. Type subscripts and parentheses are usually omitted to improve readability, if obvious from the context or irrelevant. Observe that -abstractions introduce unnamed functions. For example, the function that adds 2 to a given argument can be encoded as ( . + 2), and the function that adds two numbers can be encoded as ( . ( . + )). 7 HOL terms of type are also called formulas. 8 6 In this article, we will actually associate type later on (cf. §5.2) with the domain of possible states/worlds. 7 Note that functions of more than one argument can be represented in HOL in terms of functions of one argument. In this case the values of these one-argument function applications are themselves functions, which are subsequently applied to the next argument. This technique, introduced by Schönfinkel (1924), is commonly called currying; cf. Benzmüller and P. Andrews (2019). 8 HOL formulas (layer L0) should not be confused with the object-logical formulas (layer L1); the latter will later be identified in §5.2 with HOL predicates of type → .
Moreover, to obtain a proper logic, we add ¬ , ∨ and Π ( ) (for each type ) as predefined typed constant symbols to our language and call them primitive logical connectives. Binder notation for quantifiers ∀ is used as an abbreviation for Π ( ) . . The primitive logical connectives are given a fixed interpretation as usual, and from them other logical connectives can be introduced as abbreviations. Material implication → and existential quantification ∃ , for example, may be introduced as shortcuts for ¬ ∨ and ¬∀ ¬ , respectively. Additionally, description or choice operators or primitive equality = (for each type ), abbreviated as = , may be added. Equality can also be defined by exploiting Leibniz' principle, expressing that two objects are equal if they share the same properties.
It is well known that, as a consequence of Gödel's Incompleteness Theorems, HOL with standard semantics is necessarily incomplete. In contrast, theorem proving in HOL is usually considered with respect to so-called general semantics (or Henkin semantics) in which a meaningful notion of completeness can be achieved (P. B. Andrews 1972a; Henkin 1950). Note that standard models are subsumed by Henkin general models such that valid HOL-formulas with respect to general semantics are also valid in the standard sense.
For the purposes of the present article, we shall omit the formal presentation of HOL semantics and of its proof system(s). We fix instead some useful notation for use in the remainder. We write  ⊨ HOL if formula of HOL is true in a Henkin general model ; ⊨ HOL denotes that is (Henkin) valid, i.e., that  ⊨ HOL for all Henkin models .

Object Logic (L1) -A Modal Logic of Preferences
Adopting the LOGIKEY methodology of §3 to support the given formalisation challenge, the first question to be addressed is: how to (initially) select the object logic at layer L1? The chosen logic not only must be expressive enough to allow the encoding of knowledge about the law (and the world), as required for the application domain (cf. our case study in §7), but must also provide the means to represent the kind of conditional value preferences featured in Lomfeld's theory (as described in §2). Importantly, it must also enable the adequate modelling of the notions of value aggregation and conflict, as featured in our legal DSL (discussed in §6). Our initial choice has been the family of modal logics of preference presented by van Benthem et al. (2009), which we abbreviate by  in the remainder.  has been put forward as a modal logic framework for the formalisation of preferences which also allows for the modelling of ceteris paribus clauses in the sense of "all other things being equal". This reading goes back to the seminal work of von Wright in the early 1960's (von Wright 1963). 9  appears well suited for effective automation using the SSEs approach, which has been an important selection criterion. This judgment is based on good prior ex-perience with SSEs of related (monadic) modal logic frameworks (Benzmüller andPaulson 2010, 2013), whose semantics employs accessibility relations between possible worlds/states, just as  does. We note, however, that this choice of (a family of) object logics () is just one out of a variety of logical systems which can be encoded as fragments of HOL employing the shallow semantical embedding approach; cf. . This approach also allows us 'upgrade' our object logic whenever necessary. In fact, we add quantifiers and conditionals to  in §5.4. Moreover, we may consider combining  with other logics, e.g., with normal modal logics by the mechanisms of fusion and product (Carnielli and Coniglio 2020), or, more generally, by algebraic fibring (Carnielli et al. 2008, Ch. 2-3). This illustrates a central objective of the LOGIKEY approach, namely that the precise choice of a formalisation logic (i.e., the object logic at L1) is to be seen as a parameter.
In the subsections below we start by informally outlining the family of modal logics of preferences  (hence postponing their formal definition to an appendix §A.1). We then discuss its embedding as a fragment of HOL using the SSE approach. As for §4, the technically and formally less interested reader may actually skip the content of these subsections and get back later.

The modal logic of preferences 
We sketch the syntax and semantics of  adapting the description from van Benthem et al. (2009) (we refer to the appendix §A.1 for more details).
The formulas of  are inductively defined as follows (where p ranges over a set Prop of propositional constant symbols): As usual in modal logic, van Benthem et al. (2009) give  a Kripke-style semantics, which models propositions as sets of states or 'worlds'.  semantics employs a reflexive and transitive accessibility relation ⪯ (resp., its strict counterpart ≺) to define the modal operators in the usual way. This relation is called a betterness ordering (between states or 'worlds').
For the sake of self-containedness, we summarize below the semantics of . A preference model  is a triple  = ⟨, ⪯, ⟩ where: (i)  is a set of worlds/states; (ii) ⪯ is a betterness relation (reflexive and transitive) on , where its strict subrelation ≺ is defined as: ≺ := ⪯ ∧  for all , ∈  (totality of ⪯, i.e., ⪯ ∨ ⪯ , is generally not assumed); (iii) is a standard modal valuation. Below we show the truth conditions for 's modal connectives (the rest being standard): Thus, ◊ ⪯ (resp., ◊ ≺ ) can informally be read as " is true in a state that is considered to be at least as good as (resp., strictly better than) the current state" and E can be read as "there is a state where is true".
Readers acquainted with Kripke semantics for modal logic will notice that  features normal S4 and K4 diamonds operators ◊ ⪯ and ◊ ≺ , together with a global existential modality E. We can thus give the usual reading to □ and ◊ as necessity and possibility, respectively.
Moreover, note that, since the strict betterness relation ≺ is not reflexive, it does not hold in general that □ ≺ → (modal axiom ). Hence we can also give a 'deontic reading' to ◊ ≺ and □ ≺ ; the former could then read as " is admissible/permissible" and the latter as " is recommended/obligatory". This deontic interpretation can be further strengthened so that the latter entails the former by extending  with the postulate □ ≺ → ◊ ≺ (modal axiom ), or alternatively, by postulating the corresponding (meta-logical) semantic condition, namely, that for each state there exists a strictly better one (seriality for ≺).
Observe that we use boldface fonts to distinguish standard logical connectives of  from their counterparts in HOL.
Similarly, eight different binary connectives for modelling preference statements between propositions can be defined in : These connectives arise from four different ways of 'lifting' the betterness ordering ⪯ (resp., ≺) on states to a preference ordering on sets of states or propositions.
Thus, different choices for a logic of preference are possible if we restrict ourselves to employing only a selected preference connective, where each choice provides the logic with particular characteristics, so that we can interpret preference statements between propositions (i.e., sets of states) in a variety of ways. As an illustration, according to the semantic interpretation provided by van Benthem et al. (2009), we can read ≺ as "every -state being better than every -state", and read ≺ as "every -state having a better -state" (and analogously for others).
In fact, the family of preference logics  can be seen as encompassing, in substance, the proposals by von Wright (1963) (variant ≺ ) and Halpern (1997) (variants ⪯ ∕≺ ). 10 As we will see later in §6, there are only four choices (⪯ ∕≺ and ⪯ ∕≺ ) of modal preference relations that satisfy the minimal conditions we impose for a logic of value aggregation. Moreover, they are the only ones which satisfy transitivity, a quite controversial property in the literature on preferences.
Last but not least, van Benthem et al. (2009) have provided 'syntactic' counterparts for these binary preference connectives as derived operators in the language of  (i.e., defined by employing the modal operators ◊ ⪯ (resp., ◊ ≺ ). We note these 'syntactic variants' in boldface font: The relationship between both, i.e., the semantically and syntactically defined families of binary preference connectives is discussed in van Benthem et al. (2009). In a nutshell, as regards the EE-and the AE-variants, both definitions (syntactic and semantic) are equivalent; concerning the EA-and the AA-variants, the equivalence only holds for a total ⪯ relation. In fact, drawing upon our encoding of  as presented in the next subsection §5.2, we have employed Isabelle/HOL for automatically verifying this sort of meta-theoretic correspondences; cf. Lines 4-12 in Fig. 11 in Appx. A.1.

Embedding  in HOL
For the implementation of  we utilise the shallow semantical embeddings (SSE) technique, which encodes the language constituents of an object logic,  in our case, as expressions ( -terms) in HOL. A core idea is to model (relevant parts of) the semantical structures of the object logic explicitly in HOL. This essentially shows that the object logic can be unraveled as a fragment of HOL and hence automated as such. For (multi-)modal normal logics, like , the relevant semantical structures are relational frames constituted by sets of possible worlds/states and their accessibility relations.  formulas can thus be encoded as predicates in HOL taking possible worlds/states as arguments. 11 The detailed SSE of the basic operators of  in HOL is presented and formally tested in Appx. A.1. Further extensions to support reasoning with ceteris paribus clauses in  are studied there as well.
As a result, we obtain a combined, interactive and automated, theorem prover and model finder for  (and its extensions; cf. §5.4) realised within Isabelle/HOL. This is a new contribution, since we are not aware of any other existing implementation and automation of such a logic. Moreover, as we will demonstrate below, the SSE technique supports the automated assessment of meta-logical properties of the embedded logic in Isabelle/HOL, which in turn provides practical evidence for the correctness of our encoding.
The embedding starts out with declaring the HOL base type , which is denoting the set of possible states (or worlds) in our formalisation.  propositions are modelled as predicates on objects of type (i.e., as truth-sets of states/worlds) and, hence, they are given the type , which is abbreviated as in the remainder. The betterness relation ⪯ of  is introduced as an uninterpreted constant symbol ⪯ in HOL, and its strict variant ≺ is introduced as an abbreviation ≺ standing for the HOL term . . ( ≤ ∧ ¬( ≤ )). In accordance with van Benthem et al.
In a next step, the -type lifted logical connectives of  are introduced as abbreviations for -terms in the meta-logic HOL. The conjunction operator ∧ of , for example, is introduced as an abbreviation ∧ , which stands for the HOL term . .
, denoting the set 12 of all possible states in which both and hold. Analogously, for the negation we introduce an abbreviation ¬ which stands for .
. ¬( ). The operators ◊ ⪯ and ◊ ≺ use ⪯ and ≺ as guards in their definitions. These operators are introduced as shorthand ◊ ⪯ and ◊ ≺ abbreviating the HOL terms .
. ∃ ( ≺ ∧ ), respectively. ◊ ⪯ thus reduces to . ∃ ( ⪯ ∧ ), denoting the set of all worlds so that holds in some world that is at least as good as ; analogously for ◊ ≺ . Additionally, the global existential modality E is introduced as shorthand for the HOL term .
. ∃ ( ). The duals □ ⪯ , □ ≺ and A can easily be added so that they are equivalent to ¬◊ ⪯ ¬ , ¬◊ ≺ ¬ and ¬E ¬ respectively. Moreover, a special predicate ⌊ ⌋ (read is valid) for -type lifted  formulas in HOL is defined as an abbreviation for the HOL term ∀ ( ). The encoding of object logic  in meta-logic HOL is presented in full detail in Appendix A.1.
Remember again that in the LOGIKEY methodology the modeler is not enforced to make an irreversible selection of an object logic (L1) before proceeding with the formalisation work at higher LOGIKEY layers. Instead the framework enables preliminary choices at all layers which can easily be revised by the modeler later on if this is indicated by e.g. practical experiments.

Formally Verifying Encoding's Adequacy
A pen-and-paper proof of the faithfulness (soundness & completeness) of the SSE easily follows from previous results regarding the SSE of propositional multi-modal logics (Benzmüller and Paulson 2010) and their quantified extensions (Benzmüller and Paulson 2013); cf. also  and the references therein. We sketch such an argument below, as it provides an insight into the underpinnings of SSE for the interested reader.
By drawing upon the approach in Benzmüller and Paulson (2010), it is possible to define a mapping between semantic structures of the object logic  (preference models ) and the corresponding structures in HOL (general Henkin models   ), in such a way that where ⊢  denotes derivability in the (complete) calculus axiomatised by van Benthem et al. (2009). Observe that HOL(Γ) corresponds to HOL extended with the relevant types and constants plus a set Γ of axioms encoding  semantic conditions, e.g., reflexivity and transitivity of ⪯ . Soundness of the SSE (i.e., ⊨ HOL(Γ) ⌊ ⌋ implies ⊨  ) is particularly important since it ensures that our modelling does not give any 'false positives', i.e., proofs of  non-theorems. Completeness of the SSE (i.e., ⊨  implies ⊨ HOL(Γ) ⌊ ⌋) means that our modelling does not give any 'false negatives', i.e., spurious counterexamples. Besides the pen-and-paper proof, completeness can also be mechanically verified by deriving the -type lifted  axioms and inference rules in HOL(Γ); cf. Fig. 11 and Fig. 12 in Appx. A.1.
To gain practical evidence for the faithfulness of our SSE of  in Isabelle/HOL, and also to assess proof automation performance, we have conducted numerous experiments in which we automatically verify meta-theoretical results on  as presented by van Benthem et al. (2009). Note that these statements thus play a role analogous to that of a requirements specification document (cf. Fig. 11 and Fig. 12 in Appx. A.1).

Beyond : Extending the Encoding with Quantifiers and Conditionals
We can further extend our encoded logic  by adding quantifiers. This is done by identifying ∀ with the HOL term .∀ ( ) and ∃ with .∃ ( ); cf. binder notation in §4. This way quantified expressions can be seamlessly employed in our modelling at upper layers (as done exemplarily in §7). We refer the reader to Benzmüller and Paulson (2013) for a more detailed discussion (including faithfulness proofs) of SSEs for quantified (multi-)modal logics.
Moreover, observe that having a semantics based on preferential structures allows us to extend our logic with a (defeasible) conditional connective ⇒. This can be done in several closely related ways. As an illustration, drawing upon an approach by Boutilier (1994), we can further extend the SSE of  by defining the connective: ).
An intuitive reading of this conditional statement would be: "every -state has a reachable -state such that holds there in also in every reachable -state" (where we can interpret "reachable" as "at least as good"). This is equivalent, for finite models, to demanding that all 'best' -states are -states, cf. Lewis (1973). This can indeed be shown equivalent to the approach by Halpern (1997), who axiomatises a strict binary preference relation ≻ , interpreted as "relative likelihood". 13 For further discussion 13 In fact, Halpern (1997) variant corresponds to employing the preference relation ≺ discussed previously, augmented with an additional constraint to cope with infinite-sized countermodels to irreflexivity (building upon an approach by Lewis (1973)). Thus, ≻ (read: is more likely than ) iff every -state has a more likely -state, say , which dominates (i.e., no -state is more likely than ). Halpern (1997) goes on to define a conditional operator as follows: ⇒ ∶= ¬ ∨ (( ∧ ) ≻ ( ∧ ¬ )).
regarding the properties and applications of this -and other similar-preference-based conditionals we refer the interested reader to the discussions in van Benthem (2009) and Liu (2011, Ch. 3).

Domain Specific Language (L2) -Value-Oriented Legal Theory
In this section we incrementally define a domain-specific language (DSL) for reasoning with values in a legal context. We start by defining a "logic of value preferences" on top of the object logic  (layer L1). This logic is subsequently encoded in Isabelle/HOL, and in the process it becomes suitably extended with custom means to encode the discoursive grammar in §2. We thus obtain a HOL-based DSL formally modelling Lomfeld's theory. This formally-verifiable DSL is then put to the test using theorem provers and model generators.
Recall from the discussion of the discoursive grammar in §2 that value-oriented legal rules can become expressed as context-dependent preference statements between value principles (e.g. RELIance, STABility, WILL, etc.). Moreover, these value principles were informally associated to basic values. (i.e., FREEDOM, UTILITY, SECU-RITY and EQUALITY), in such a way as to arrange the first over (the quadrants of) a plane generated by two axes labelled by the latter. More specifically, each axis' pole is labelled by a basic value, with values lying at contrary poles playing somehow antagonistic roles (e.g. FREEDOM vs. SECURITY). We recall the corresponding diagram (Fig. 2) below for the sake of illustration:  (2019) Inspired by this theory, we model the notion of a (value) principle as consisting of a collection (in this case a set 14 ) of base values. Thus, by considering principles 14 Observe that in doing so we are simplifying Lomfeld's value theory to the effect that, e.g., STABility becomes identified with EFFIciency. This simplified model has proven sufficient for our modelling work in as structured entities, we can more easily define adequate notions of aggregation and conflict among them; cf. §6.
From a logical point of view it is additionally required to conceive value principles as truth-bearers, i.e., propositions. 15 We thus seem to face a dichotomy between, at the same time, modelling value principles as sets of basic values and modelling them as sets of worlds. In order to adequately tackle this modelling challenge we make use of the mathematical notion of a Galois connection. 16 For the sake of exposition, Galois connections are to be exemplified by the notion of derivation operators in the theory of Formal Concept Analysis (FCA), from which we took inspiration; cf. Ganter and Wille (2012). FCA is a mathematical theory of concepts and concept hierarchies as formal ontologies, which finds practical application in many computer science fields such as data mining, machine learning, knowledge engineering, semantic web, etc. 17

Some Basic FCA Notions
A formal context is a triple = ⟨ , , ⟩ where is a set of objects, is a set of attributes, and is a relation between and (usually called incidence relation), i.e., ⊆ × . We read ⟨ , ⟩ ∈ as "the object has the attribute ". Additionally we define two so-called derivation operators ↑ and ↓ as follows: ↑ is the set of all attributes shared by all objects from , which we call the intent of . Dually, ↓ is the set of all objects sharing all attributes from , which we call the extent of . This pair of derivation operators thus forms an antitone Galois connection between (the powersets of) and , and we always have that ⊆ ↑ iff ⊆ ↓.
A formal concept (in a context ) is defined as a pair ⟨ , ⟩ such that ⊆ , ⊆ , ↑ = , and ↓ = . We call and the extent and the intent of the concept ⟨ , ⟩, respectively. 18 Indeed ⟨ ↑↓, ↑⟩ and ⟨ ↓, ↓↑⟩ are always concepts. §7. A more granular encoding of principles is possible by adding a third axis to the value space in Fig. 4, thus allocating each principle to its own octant. 15 We recall that, from a modal logic perspective, a proposition is modelled as the set of 'worlds' (i.e., states or situations) in which it holds. Informally, we want to be able to express the fact that a given principle, say legal STABility, is being observed or respected in a particular situation, or, abusing modal logic jargon, that the principle is 'satisfied' in that 'world'. This can become further interpreted as providing a justification for why that world or situation is desirable. 16 An old mathematician's trick has been to employ -maybe unknowingly-Galois connections (resp. adjunctions) to relate two universes of mathematical objects with each other, in such a way that certain order structures become inverted (resp. preserved). In doing so, insights and results can be transferred from a well-known universe towards a less-known one, in order to gain information and help illuminate difficult problems; cf. the discussion in Erné (2004). 17 In particular, we want to highlight the potential of employing the powerful FCA methods, e.g., attribute exploration (Ganter et al. 2016), to prospective 'legal value mining' applications. 18 The terms extent and intent are reminiscent of the philosophical notions of extension and intension (comprehension) reaching back to the 17th century Logique de Port-Royal. The set of concepts in a formal context is partially ordered by set inclusion of their extents, or, dually, by the (reversing) inclusion of their intents. In fact, for a given formal context this ordering forms a complete lattice: its concept lattice. Conversely, it can be shown that every complete lattice is isomorphic to the concept lattice of some formal context. We can thus define lattice-theoretical meet and join operations on FCA concepts in order to obtain an algebra of concepts: 19

A Logic of Value Preferences
In order to enable the modelling of Lomfeld's legal theory as discussed in §2, we will enhance our object logic  with additional expressive means by drawing upon the FCA notions expounded above, and by assuming an arbitrary domain set  of basic values. A first step towards our legal DSL is to define a pair of operators ↑ and ↓ such that they form a Galois connection between the semantic domain  of worlds/states of  (as 'objects' ) and the set of basic values  (as 'attributes' ). By employing the operators ↑ and ↓ in an appropriate way, we can obtain additional well-formed  terms, thus converting our object logic  in a logic of value preferences. Details follow.

Principles, Values and Propositions
We introduce a formal context = ⟨, , ⟩ composed by the set of worlds , the set of basic values , and the (implicit) relation  ⊆  ×, which we might interpret, intuitively, in a teleological sense: ⟨ , ⟩ ∈  means that value provides reasons for the situation (world/state) to obtain. Now, recall that we aim at modelling value principles as sets of basic values (i.e., elements of 2  ), while, at the same time, conceiving of them as propositions (elements of 2  ). Indeed, drawing upon the above FCA notions allows us to overcome this dichotomy. Given the formal context = ⟨, , ⟩ we can define the pair of derivation operators ↑ and ↓ employing the corresponding definitions (1-2) above.
We can now employ these derivation operators to switch between the '(value) principles as sets of (basic) values' and the 'principles as propositions (sets of worlds)' perspectives. Hence, we can now -recalling the informal discussion of the semantics of the object logic  in §5 -give an intuitive reading for truth at a world in a preference model to terms of the form ↓; namely, we can read , ⊨ ↓ as "principle provides a reason for (state of affairs) to obtain". In the same vein, we can read  ⊨ → ↓ as "principle provides a reason for proposition being the case". 20

Value Aggregation
Recalling Lomfeld's theory, as discussed in §2, our logic of value preferences must provide means for expressing conditional preferences between value principles, according to the schema: As regards the preference relation (connective ≺), we might think that, in principle, any choice among the eight preference relation variants in  (cf. §5) will work. Let us recall, however, that Lomfeld's theory also presupposed some (no further specified) mechanism for aggregating value principles (operator ⊕); thus, the joint selection of both a preference relation and a aggregation operator cannot be arbitrary: they need to interact in an appropriate way. We explore first a suitable mechanism for value aggregation before we get back to this issue. Suppose that, for example, we are interested in modelling a legal case in which, say, the principle of "respect for property" together with the principle "economic benefit for society" outweighs the principle of "legal certainty". 21 A binary connective ⊕ for modelling this notion of together with, i.e., for aggregating legal principles (as reasons) must, expectedly, satisfy particular logical constraints in interaction with a (suitably selected) value preference relation ≺: For our purposes, the aggregation connectives are most conveniently defined using set union (FCA join), which gives us commutativity. As it happens, only the ≺ ∕⪯ and ≺ ∕⪯ variants from §5 satisfy the first two conditions. They are also the only 20 Observe that this can be written semi-formally as: for all in  we have that if , ⊨ then , ⊨ ↓, which can be interpreted as " provides a reason for all those worlds that satisfy ". 21 Employing Lomfeld's value theory this corresponds to RELIance together with personal GAIN outweighing STABility. variants satisfying transitivity. Moreover, if we choose to enforce the optional third aggregation principle (called "union property"; cf. Halpern (1997)), then we would be left with only one variant to consider, namely ≺ ∕⪯ . 22 In the end, after extensive computer-supported experiments in Isabelle/HOL we have identified the following candidate definitions for the value aggregation and preference connectives which satisfy our modelling desiderata: 23 -For the binary value aggregation connective ⊕ we have identified the following two candidates (both taking two value principles and returning a proposition): Observe that ⊕ 1 is based upon the join operation on the corresponding FCA formal concepts (see Def. 4). ⊕ 2 is a strengthening of the first, since ( ⊕ 2 ) ⊆ ( ⊕ 1 ). -For a binary preference connective ≺ between propositions we have as candidates: In line with the LOGIKEY methodology, we consider the concrete choices of definitions for ≺, ⊕, and even ⇒ (classical or defeasible) as parameters in our overall modelling process. No particular determination is enforced in the LOGIKEY approach, and we may alter any preliminary choices as soon as this appears appropriate. In this spirit we experimented with the listed different definition candidates for our connectives and explored their behaviour. We will present our final selection in §6.3.

Promoting Values
Given that we aim at providing a logic of value preferences for use in legal reasoning, we still need to consider the mechanism by which we can link legal decisions, together with other legally relevant facts, to values. We conceive of such a mechanism as a sentence schema, which reads intuitively as: "Taking decision in the presence of facts promotes (value) principle ". The formalisation of this schema can indeed be seen as a new predicate in the domain-specific language (DSL) that we have been gradually defining in this section. In the expression Promotes(F,D,P) we have that 22 Lacking any strong opinion regarding the correctness of transitivity or the union property, we have still chosen this latter variant for our case study in §7, since it offers several benefits for our current modelling purposes: it can be faithfully encoded in the language of  (van ) and its behaviour is well documented in the literature; cf. Halpern (1997), Liu (2008, Ch. 4 is a conjunction of facts relevant to the case (a proposition), is the legal decision, and is the value principle thereby promoted. 24 It is important to remark that, in the spirit of the LOGIKEY methodology, the definition above has arisen from the many iterations of encoding, testing and 'debugging' of the modelling of the 'wild animal cases' in §7 (until reaching a reflective equilibrium). We can still try to give this definition a somewhat intuitive interpretation, which might read along the lines of: "given the facts F, taking decision D is (necessarily) tantamount to (possibly) observing principle P", with the caveat that the (bracketed) modal expressions would need to be read in a non-alethic mood (e.g. deontically as discussed in §5.1).

Value Conflict
Another important idea inspired from Lomfeld's theory in §2 is the notion of value conflict. As discussed there (see Fig. 2), values are disposed around two axis of value coordinates, with values lying at contrary poles playing antagonistic roles. For our modelling purposes it makes thus sense to consider a predicate Conflict on worlds (i.e., a proposition) signalling situations where value conflicts appear. Taking inspiration from the traditional logical principle of ex contradictio sequitur quodlibet, which we may intuitively paraphrase, for the present purposes, as ex conflictio sequitur quodlibet, 25 we define Conflict as the set of those worlds in which all basic values become applicable: Of course, and in the spirit of the LOGIKEY methodology, the specification of such a predicate can be further improved upon by the modeller as the need arises.

Instantiation as a HOL-based Legal DSL
In this subsection we encode our logic of value preferences in HOL (recall discussion in §4), building incrementally on top of the corresponding HOL-encoding for our (extended) object logic  in §5.2. In the process, our encoding will be gradually extended with custom means to encode Lomfeld's legal theory (cf. §2). For the sake of illustrating a concrete, formally-verifiable modelling we also present in most cases the corresponding encoding in Isabelle/HOL (see also Appx. A.2).
In a preliminary step, we introduce a new base HOL-type c (for "contender") as an (extensible) two-valued type introducing the legal parties "plaintiff" (p) and " defendant" (d). For this we employ in Isabelle/HOL the keyword datatype, which has the advantage of automatically generating (under the hood) the adequate axiomatic constraints (i.e., the elements p and d are distinct and exhaustive).
We also introduce a function, suggestively termed other , with notation (⋅) −1 . This function is used to return for a given party the other one; i.e., p −1 = d and d −1 = p. Moreover, we add a ( -lifted) predicate For to model the ruling for a given party and postulate that it always has to be ruled for either one party or the other: For ↔ ¬For −1 .
As a next step, in order to enable the encoding of basic values, we introduce a four-valued datatype (' ) VAL (corresponding to our domain  of all values). Observe that this datatype is parameterised with a type variable ' . In the remainder we will always instantiate ' with the type (see discussion below).
We also introduce some convenient type-aliases: is introduced as the type for (characteristic functions of) sets of basic values. The reader will recall that this corresponds to the characterisation of value principles as given in the previous subsection (i.e., elements of 2  ).
It is important to note, however, that to enable the modelling of legal cases (plaintiff v. defendant) we need to further specify legal value principles with respect to a legal party, either plaintiff or defendant. For this we define := intended as the type for specific legal (value) principles (wrt. a legal party), so that they are functions taking objects of type c (either p or d) to sets of basic values.
We introduce useful set-constructor operators for basic values (⦃…⦄) and a superscript notation for specification wrt. a legal party. As an illustration, recalling the discussion in §2, we have that, e.g., the legal principle of STABility' wrt. the plaintiff (notation STAB p ) can be encoded as a two-element set of basic values (wrt. the plaintiff), i.e., ⦃SECURITY p, UTILITY p⦄.

The corresponding Isabelle/HOL encoding is:
After defining legal (value) principles as combinations (in this case: sets 26 ) of basic values (wrt. a legal party), we need to relate them to propositions (sets of worlds/states) in our logic . For this we employ the derivation operators introduced in §6, whereby each value principle (set of basic values) becomes associated with a proposition (set of worlds) by means of the operator ↓ (conversely for ↑). We encode this by defining the corresponding incidence relation, or, equivalently, a function  mapping worlds/states (type ) to sets of basic values (type = ( ) VAL ). We define ↓ so that, given some set of basic values , ↓ denotes the set of all worlds that are -related to every value in (analogously for ↑ ). The modelling in the Isabelle/HOL proof assistant is as follows: Thus we can intuitively read the proposition (set of worlds) denoted by STAB ↓ as (those worlds in which) "the legal principle of STABility is observed wrt. the plaintiff". For convenience, we introduce square brackets ([⋅]) as an alternative notation to ↓-postfixing in our DSL, so we have [ ] = ↓. Now, our concrete choice of an aggregation operator for values (out of the two options presented in §6.2) is ⊕ (2) , which thus becomes encodes in HOL as: Analogously, the chosen preference relation (≺) is the variant ≺ (i.e. ≺ (2) from the candidate modelling options discussed in §6), which, recalling §5.1, becomes equivalently encoded as any of the following: In a similar fashion, we encode in HOL the value-logical predicate Promotes as introduced in the previous subsection §6.2. The corresponding Isabelle/HOL encoding is shown below: We have similarly encoded the proposition Conflict in HOL.

Formally Verifying DSL's Adequacy
In this subsection we put our HOL-based legal DSL to the test by employing the automated tools integrated into Isabelle/HOL. In this process, the discoursive grammar, as well as the continuous feedback by our legal domain expert (Lomfeld), served the role of a requirements specification for the formal verification of the adequacy of our modelling. We briefly discuss some of the conducted tests as shown in Fig. 6; further tests are presented in Fig. 16 in Appx. A.2 and in Benzmüller and Fuenmayor (2021).
In accordance with the dialectical interpretation of the discoursive grammar (recall Fig. 2 in  §2), our modelling foresees that observing values (wrt. the same party) from two opposing value quadrants, say RESP & STAB, or RELI & WILL, entails a value conflict; theorem provers quickly confirm this as shown in Fig. 6 (Lines 4-5). Moreover, observing values from two non-opposed quadrants, such as WILL & STAB Note that the notion of value conflict has deliberately not been aligned with logical inconsistency, neither in the object logic  not in the meta-logic HOL. This way we can represent conflict situations in which, for instance, RELI and WILL (being conflicting values, see Line 5 in Fig. 6) are observed wrt. the plaintiff ( ), without leading to a logical inconsistency in Isabelle/HOL (thus avoiding 'explosion'). In Line 11 of Fig. 6, for example, Nitpick is called simultaneously in both modes in order to confirm the contingency of the statement; as expected both a model (cf. Fig. 7) and countermodel (not displayed here) for the statement are returned. This value conflict can also be spotted by inspecting the satisfying models generated by Nitpick. One of such models is depicted in Fig. 7, where it is shown that (in the given possible world Such model structures as computed by Nitpick are ideally communicated to (and inspected with) domain experts (Lomfeld in our case) early on and checked for plausibility, which, in case of issues, might trigger adaptions to the axioms and definitions. Such a process may require several cycles until arriving at a state of reflective equilibrium (recall the discussion from §3) and, as a useful side effect, it conveniently fosters cross-disciplinary mutual understanding.
Further tests in Fig. 6 (Lines 13-20) assess the behaviour of the aggregation operator ⊕ by itself, and also in combination with value preferences. For example, we test for a correct behaviour when 'strengthening' the right-hand side: if STAB is preferred over WILL, then STAB combined with, say, RELI is also preferred over WILL alone (Line 15). Similar tests are conducted for 'weakening' of the left-hand side. 28 27 Nitpick (Blanchette and Nipkow 2010) searches for, respectively enumerates, finite models or countermodels to a conjectured statement/lemma. By default Nitpick searches for countermodels, and model finding is enforced by stating the parameter keyword 'satisfy'. These models are given as concrete interpretations of relevant terms in the given context so that the conjectured statement is satisfied or falsified. 28 Further related tests are reported in Fig. 16 in Appx. A.2.

Applications (L3) -Assessment of Legal Cases
In this section we provide a concrete illustration of our reasoning framework by formally encoding and assessing two classic common law property cases concerning the appropriation of wild animals ("wild animal cases"): Pierson v. Post, and Conti v. AS-PCA. 29 Before starting with the analysis a word is in order about the support of our work by the tools Sledgehammer (Blanchette et al. 2016;Blanchette et al. 2013) and Nitpick (Blanchette and Nipkow 2010) in Isabelle/HOL. The ATP systems integrated via Sledgehammer in Isabelle/HOL include higher-order ATP systems, first-order ATP systems, and SMT (satisfiability modulo theories) solvers, and many of these systems in turn use efficient SAT solver technology internally. Indeed, proof automation with Sledgehammer and (counter)model finding with Nitpick were invaluable in supporting our exploratory modeling approach at various levels. These tools were very responsive in automatically proving (Sledgehammer), disproving (Nitpick), or showing consistency by providing a model (Nitpick). In the first case, references to the required axioms and lemmas were returned (which can be seen as a kind of abduction), and in the case of models and counter-models they often proved to be very readable and intuitive. In this section, we highlight some explicit use cases of Sledgehammer and Nitpick. They have been similarly applied at all levels as mentioned before.
We have split our analysis in layer L3 into two 'sub-layers' in order to highlight the separation between general legal & world knowledge (legal concepts and norms), from its 'application' to relevant facts in the process of deciding a case (factual/contextual knowledge). We shall first address the modelling of some background legal and world knowledge in §7.1, as minimally required in order to formulate each of our legal cases in the form of a logical Isabelle/HOL theory (cf. §7.2).

General Legal & World Knowledge
The realistic modelling of concrete legal cases requires further legal & world knowledge (LWK) to be taken into account. LWK is typically modelled in so called "upper" and "domain" ontologies. The question about which particular notion belongs to which category is difficult, and apparently there is no generally agreed answer in the literature. Anyhow, we introduce only a small and monolithic examplary logical Isabelle/HOL theory, 30 called "GeneralKnowledge", with a minimal amount of axioms and definitions as required to encode our legal cases. This LWK example includes a small excerpt of a much simplified "animal appropriation taxonomy", where we associate "animal appropriation" (kinds of) situations with the value preferences they imply (i.e., conditional preference relations as discussed in §2 and §6).
In a more realistic setting this knowledge base would be further split and structured similarly to other legal or general ontologies, e.g., in the Semantic Web (Casanovas et 29 Cf. Bench-Capon (2002), Berman and Hafner (1993), and Prakken (2002), and also T. F. Gordon and Walton (2006) for the significance of the Pierson v. Post case as a benchmark. 30 Isabelle documents are suggestively called "theories". They correspond to top-level modules bundling together related definitions, theories, proofs, etc. al. 2016; Hoekstra et al. 2009). Note, however, that the expressiveness in our approach, unlike in many other legal ontologies or taxonomies, is by no means limited to definite underlying (but fixed) logical language foundations. We could thus easily decide for a more realistic modelling, e.g. avoiding simplifying propositional abstractions. For instance, the proposition "appWildAnimal", representing the appropriation of one or more wild animals, can anytime be replaced by a more complex formula (featuring, e.g., quantifiers, modalities, and conditionals; see §5.4).
Next steps include interrelating notions introduced in our Isabelle/HOL theory "GeneralKnowledge" with values and value preferences, as introduced in the previous sections. It is here where the preference relations and modal operators of  as well as the notions introduced in our legal DSL are most useful. Remember that, at a later point and in line with the LOGIKEY methodology, we may in fact exchange  by an alternative choice of an object logic; or, on top of it, we may further modify our legal DSL, e.g., we might choose and assess alternative candidates for our connectives ≺ and ⊕; moreover, we may want to replace material implication → by a conditional implication to better support defeasible legal reasoning. 31 We now briefly outline the Isabelle/HOL encoding of our example LWK; see Fig. 17 in Appx. A.3 for the full details.
First, some non-logical constants that stand for kinds of legally relevant situations (here: of appropriation) are introduced, and their meaning is constrained by some postulates: Then the 'default' 32 legal rules for several situations (here: appropriation of animals) are formulated as conditional preference relations: 31 Remember that a defeasible conditional implication can be defined employing  modal operators; cf. §5.4. Alternatively we may also opt for an SSE of a conditional logic in HOL using other approaches as, e.g., in Benzmüller (2013). 32 We use of the term 'default' in the colloquial sense of 'fallback', noting however, that there exist in fact several (non-monotonic) logical systems aimed at modelling such a kind of defeasible, aka. "default", behaviour for rules/conditionals (i.e., meaning that they can be 'overruled'). One of them has been suggestively called "default logic". We refer to Koons (2017) for a discussion. In fact, and in the spirit of LOGIKEY, we could have also employed, for encoding these rules, a -defined defeasible conditional as discussed in §5.4. For the illustrative purposes of the present paper, and in view of the good performance of our present modelling, we did not yet find this step necessary.
For example, rule R2 could be read as: "In a wild-animals-appropriation kind of situation, observing STABility wrt. a party (say, the plaintiff) is preferred over observing WILL wrt. the other party (defendant)". If there is no more specific legal rule from a precedent or a codified statute then these 'default' preference relations determine the result. Of course, this default is not arbitrary but itself an implicit normative setting of the existing legal statutes or cases. Moreover, we can have rules conditioned on more concrete legal factors. 33 As a didactic example, the legal rule R4 states that the ownership (say, the plaintiff's) of the land on which the appropriation took place, together with the fact that the opposing party (defendant) acted out of malice implies a value preference of reliance and responsibility over stability. This rule has been chosen to reflect the famous common law precedent of Keeble v. Hickeringill (1704, 103 ER 1127cf. also Bench-Capon (2002) and Berman and Hafner (1993)).
As already discussed, for ease of illustration, terms like "appWildAnimal" are modelled here as simple propositional constants. In practice, however, they may later be replaced, or logically implied, by a more realistic modelling of the relevant situational facts, utilising suitably complex (even quantified; cf. §5.4) formulas depicting states of affairs to some desired level of granularity.
For the sake of modelling the appropriation of objects, we have introduced an additional base type in our meta-logic HOL (recall §4). The type (for 'entities') can be employed for terms denoting individuals (things, animals, etc.) when modelling legally relevant situations. Some simple vocabulary and taxonomic relationships (here: for wild and domestic animals) are specified to illustrate this.
As mentioned before, we have introduced some convenient legal factors into our example LWK to allow for the encoding of legal knowledge originating from precedents or statutes at a more abstract level. In our approach these factors are to be logically implied (as deductive arguments) from the concrete facts of the case (as exemplified in §A.4 below). Observe that our framework also allows us to introduce definitions for those factors for which clear legal specifications exist, such as property or 33 The introduction of legal factors is an established practice in the implementation of case-based legal systems (cf. Bench-Capon (2017) for an overview). They can be conceived -as we do-as propositions abstracted from the facts of a case by the analyst/modeler in order to allow for assessing and comparing cases at a higher level of abstraction. Factors are typically either pro-plaintiff or pro-defendant, and their being true or false (resp. present or absent) in a concrete case can serve to invoke relevant precedents or statutes.
possession. At the present stage, we will provide some simple postulates constraining factors' interpretation.
Recalling §6 we relate the introduced legal factors (and relevant situational facts) to value principles and outcomes by means of the Promotes predicate: 34 Finally, the consistency of all axioms and rules provided is confirmed by Nitpick.

Pierson v. Post
This famous legal case (T. F. Gordon and Walton 2006) can be succinctly described as follows: Pierson killed and carried off a fox which Post already was hunting with hounds on public land. The Court found for Pierson (1805, 3 Cai R 175).
For the sake of illustration we will consider in this subsection two modelling scenarios: in the first one a case is built to favour the defendant (Pierson); in the second one a case favouring the plaintiff (Post).

Ruling for Pierson
The formal modelling of an argument in favour of Pierson is outlined next. 35 First we introduce some minimal vocabulary: a constant of type (denoting the appropriated animal), and the relations pursue and capture between the animal and one of the parties (of type ). A background (generic) theory as well as the (contingent) case facts as suitably interpreted by Pierson's party are then stipulated: 34 We note that our normative assignment here is widely in accordance with classifications in the AI & Law literature (Bench-Capon 2012;Berman and Hafner 1993). 35 The entire formalisation of this argument is presented in Fig. 18 in Appx. A.4.
The aforementioned decision of the court for Pierson was justified by the majority opinion. The essential preference relation in the case is implied in the idea that appropriation of (free-roaming) wild animals requires actual corporal possession. The manifest corporal link to the possessor creates legal certainty, which is represented by the value STABility and outweighs the mere WILL to possess by the plaintiff; cf. the arguments of classic lawyers cited by the majority opinion: "pursuit alone vests no property" (Justinian), and "corporal possession creates legal certainty" (Pufendorf). According to Lomfeld's legal theory in §2 (cf. Fig. 2), this corresponds to a preference for the basic value SECURITY over FREEDOM. We can see that this legal rule R2, as introduced in the previous section ( §7.1) 36 is indeed employed by Isabelle/HOL's automated tools to prove that, given a suitable defendant's theory, the (contingent) facts imply a decision in favour of Pierson in all 'better' worlds (which we could even give a 'deontic' reading as some sort of recommendation): The previous 'one-liner' proof has indeed been automatically suggested by Sledgehammer (Blanchette et al. 2016;Blanchette et al. 2013) which we credit, together with the model finder Nitpick (Blanchette and Nipkow 2010), for doing the proof heavylifting in our work.
A proof argument in favour of Pierson that uses the same dependencies can also be constructed interactively using Isabelle's human-readable proof language Isar (Isabelle/Isar; cf. Wenzel (2007)). The individual steps of the proof are this time formulated with respect to an explicit world/situation parameter . The argument goes roughly as follows: 1. From Pierson's facts and theory we infer that in the disputed situation a wild animal has been appropriated: appWildAnimal 2. In this context, by applying the value preference rule R2, we get that observing STAB wrt. Pierson (d) is preferred over observing WILL wrt. Post (p): 3. The possibility of observing WILL wrt. Post thus entails the possibility of observing STAB wrt. Pierson: ⌊◊ ≺ [WILL ] → ◊ ≺ [STAB ]⌋ 4. Moreover, after instantiating the value promotion schema F1 ( §7.1) for Post ( ), and acknowledging that his pursuing the animal (Pursue ) entails his intention to possess (Intent ), we obtain (for the given situation ) a recommendation to 'align' any ruling for Post with the possibility of observing WILL wrt. Post: . Following the interpretation of the Promotes predicate given in §6, we can read this 'alignment' as involving both a logical entailment (left to right) and a justification (right to left); thus the possibility of observing WILL (wrt. Post) both entails and justifies (as a reason) a legal decision for Post. 5. Analogously, in view of Pierson's ( ) capture of the animal (Capture ), thus having taken possession of it (Poss ), we infer from the instantiation of value promotion schema F3 (for Pierson) a recommendation to align a ruling for Pierson with the possibility of observing the value principle STAB wrt. Pierson): (4) and (5)  The consistency of the assumed theory and facts (favouring Pierson) together with the other postulates from the previously introduced logical theories "GeneralKnowledge" and "ValueOntology" is verified by generating a (non-trivial) model using Nitpick (Line 38). Further tests confirm that the decision for Pierson (and analogously for Post) is compatible with the premises and, moreover, that for neither party value conflicts are implied.
We show next, how it is indeed possible to construct a case (theory) suiting Post using our approach.

Ruling for Post
We model a possible counterargument in favour of Post claiming an interpretation (i.e., a distinction in case law methodology) in that the animal, being vigorously pursued (with large dogs and hounds) by a professional hunter, is not "free-roaming". In doing this, the value preference ⌊[WILL ] ≺ [STAB ]⌋ (for appropriation of wild animals), as in the previous Pierson's argument, does not obtain. Furthermore, Post's party postulates an alternative (suitable) value preference for hunting situations.
Note that an alternative legal rule (i.e., a possible argument for overruling in case law methodology) is presented in Line 16 above, entailing a value preference of the value principle combination EFFIciency together with WILL over STABility: Following the argument put forward by the dissenting opinion in the original case (3 Cai R 175) we might justify this new rule (inverting the initial value preference in the presence of EFFI) by pointing to the alleged public benefit of hunters getting rid of foxes, since the latter cause depredations in farms.
Accepting these modified assumptions the deductive validity of a decision for Post can in fact be proved and confirmed automatically, again, thanks to Sledgehammer: Similar to above, a detailed, interactive proof for the argument in favour of Post has been encoded and verified in Isabelle/Isar. We have also conducted further tests confirming the consistency of the assumptions and the absence of value conflicts. 37 7.3 Conti v. ASPCA An additional illustrative case study we have modelled in our framework is Conti v. ASPCA (353 NYS 2d 288;cf. Bench-Capon et al. (2005)). In a nutshell: Chester, a parrot owned by the ASPCA, escaped and was recaptured by Conti. The ASPCA found this out and reclaimed Chester from Conti. The court found for ASPCA.
In this case, the court made clear that for domestic animals the opposite preference relation as the standard in Pierson's case applies. More specifically, it was ruled that for a domestic animal it is in fact sufficient that the owner did not neglect or stopped caring for the animal, i.e., give up the responsibility for its maintenance (RESP). This, together with ASPCA's reliance (RELI) in the parrot's property, outweighs Conti's corporal possession (STAB) of the animal: Observe that a corresponding rule had previously been integrated as R3 into our legal & world knowledge ( §7.1).
The plaintiff's theory and facts are encoded analogously to the previous case: Accepting these assumptions the deductive validity of a decision for the plaintiff (ASPCA) can again be proved and confirmed automatically (thanks to Sledgehammer): In an analogous manner to Pierson's case, an interactive proof in Isabelle/Isar has been encoded and verified, and the consistency of the assumptions and the absence of value conflicts has been confirmed. 38

Related and Further Work
Custom software systems for legal case-based reasoning have been developed in the AI & Law community, beginning with the influential HYPO system in the 1980s (Rissland and Ashley 1987); cf. also the survey paper by Bench-Capon (2017). In later years, there has been a gradual shift of interest from rule-based non-monotonic reasoning (e.g., logic programming) towards argumentation-based approaches (see Prakken and Sartor (2015) for an overview); however, we are not aware of any other work that uses higher-order theorem proving and proof assistants (the argumentation logic of Krause et al. (1995) is an early related effort that is worth mentioning). Another important aspect of our work concerns value-oriented legal reasoning and deliberation, where a considerable amount of work has been presented in AI & Law in response to the challenge posed by Berman and Hafner (1993). Our approach, based mainly on Lomfeld's (2015;2019) theory, has also been influenced by some of this work, in particular by Bench-Capon (2002), Bench-Capon and Sartor (2003), and Prakken (2002).
We are currently working towards further refining the modelling of Lomfeld's legal theory with the aim of providing more expressive (combinations of) object logics at LOGIKEY layer L1. In this regard, it is somehow remarkable that the use of material implication to encode rules has proven sufficient for the illustrative purposes of this paper. However, it is important to note that a more realistic modelling of legal cases must also provide mechanisms to deal with the inevitable emergence of conflicts and contradictions in normative reasoning (overruling, conflict resolution, etc.). In line with the LOGIKEY approach, we are working at introducing conditional connectives in our object logics with the aim of enabling defeasible (or default) reasoning. Such connectives can be introduced by reusing the modal operators of  (recalling the discussion in §5.4) or, alternatively, through the shallow semantical embedding (Benzmüller 2019) of a suitable conditional logic in HOL (Benzmüller 2017). Moreover, special kinds of paraconsistent (modal-like) Logics of Formal Inconsistency (Carnielli et al. 2021) can also be integrated into our modelling to enable the non-explosive representation of (and recovery from) contradictions by purely object-logical means (cf. Fuenmayor (2020) for a related encoding in Isabelle/HOL). In a similar vein, we think that some of the recent work that employs expressive deontic logics for value-based legal balancing (e.g. Maranhão and Sartor (2019) and the references therein) can be fruitfully integrated in our approach. It is the pluralistic nature of LOGIKEY, realised within a dynamic modelling framework (e.g. Isabelle/HOL), that enables and supports such improvements without requiring expensive technical adjustments to the underlying base reasoning technology. As a broader application scenario, we are currently proposing that ethico-legal value-oriented theories and ontologies should constitute a core ingredient to enable the computation, assessment and communication of rational justifications and explanations in the future ethico-legal governance of AI (Benzmüller and Lomfeld 2020). Thus, a sound and trustworthy implementation of any legally accountable 'moral machine' requires the development of formal theories and ontologies for the legal domain to guide and interconnect the encoding of concrete regulatory codes and legal cases. Understanding legal reasoning as dialectical practical argumentation, the pluralist interpretation of concrete legal rules arguably requires a complementary ethico-legal value-oriented theory such as, e.g., the discoursive grammar of justification by Lomfeld (2019), which we formally encoded in this paper. In this sense, some first positive evidence has been provided regarding challenges that we have previously identified with respect to the ethical-legal governance of future AI systems (Fuenmayor and Benzmüller 2020). Indeed, it was this broader vision that primarily motivated our work on value-oriented legal reasoning in the first place.

Conclusion
We illustrate the application of the LOGIKEY knowledge engineering methodology and framework to enable the interdisciplinary collaboration among different specialist roles. In the present case, they are a lawyer and legal philosopher (L.) and two computer scientists (B. and F.) who join forces with the aim of formally modelling a value-oriented legal theory (discoursive grammar by Lomfeld 2019) for the sake of providing means for computer-automated prediction and assessment of legal case decisions.
From a technical perspective, the core objective of this article has been to demonstrate that the LOGIKEY methodology appears indeed suitable for the task of valueoriented legal reasoning. As instantiated in the present work, the LOGIKEY methodology builds upon a HOL-encoding of a modal logic of preferences to model a domainspecific theory of value-based legal balancing. In combination with further legal and world knowledge this theory has been successfully employed for the formal encoding and computer-supported assessment, using the Isabelle/HOL system, of illustrative legal cases in property law ("wild animal cases").
It is the flexibility of the multi-layer modelling which is novel in our approach, in combination with a very rich support for automated reasoning in expressive, quantified classical and non-classical logics, thereby rejecting the idea that knowledge representation means should be limited prima facie to decidable logic frameworks, due to complexity or performance considerations. In the LOGIKEY approach, the choice of a particular object logic is deliberately left to the knowledge engineer. The range of options varies from well-manageable decidable logics to sophisticated quantified non-classical logics and combinations thereof, depending on what is best suited to handle a particular knowledge representation (and reasoning) task at hand.
From a legal perspective, the reconstruction of legal balancing is, already with classical argumentative tools, a non-trivial task, which is methodologically not yet settled (Sieckmann 2010). Here, our work proposed the structuring of legal balancing by means of a dialectical ethico-legal value system (discoursive grammar). Legal rules and their various interpretations can thus be represented within a unified yet plu-ralistic logic of value preferences. The integration of this logic and the value system within the dynamic HOL-based modelling environment allows us to experiment with different forms of interpretation. This enables us, not only to find more accurate reconstructions of legal argumentation, but also supports the modelling of value-based legal balancing, taking into account notions of value preference, aggregation, promotion and conflict; and also in a manner amenable to computer automation. The modelling of Lomfeld's legal theory in LOGIKEY enabled us to successfully predict (and to some extend justify) case outcomes by 'just using logic', employing qualitative value preferences without the necessity to bring in numbers and weights into the model.
From a general perspective, supporting interactive and automated value-oriented legal argumentation on the computer is a non-trivial challenge which we address, for reasons as defended, e.g., by Bench-Capon (2020), with symbolic AI techniques and formal methods. Motivated by recent pleas for explainable and trustworthy AI, our primary goal is to work towards the development of ethico-legal governors for future generations of intelligent systems, or more generally, towards some form of legally and ethically reasonable machines (Benzmüller and Lomfeld 2020) capable of exchanging rational justifications for the actions they take. While building up a capacity to engage in value-oriented legal argumentation is just one of a multitude of challenges this vision is faced with, it clearly constitutes an important stepping stone towards this ambitious long-term goal. binary preferences stated within the object language  (Lines 48-55). (ATP systems prove the metatheoretic correspondences between these semantic and syntactic definitions; cf. Lines 4-12 in Fig. 11.)  is extended by adding quantifiers (Lines 57-60); cf. (Benzmüller and Paulson 2013) for explanations on the SSE of quantified modal logics. Moreover, useful polymorphic operators for subset, union and intersection are defined (Lines 62-64).
The model finder Nitpick (Blanchette and Nipkow 2010) confirms the consistency of the introduced theory (Line 66) by generating and presenting a model for it (not shown here).
To gain practical evidence for the faithfulness of our SSE of  in Isabelle/HOL, and also to assess proof automation performance, we have conducted numerous experiments in which we automatically reconstruct meta-theoretical results on ; see Figs. 11-12.
Extending our SSE of  in HOL some further preference relations for  are defined in Fig. 10. These additional relations support ceteris paribus reasoning in . We give some explanations: Lines 5-13 Useful set theoretic notions are introduced as abbreviations for corresponding -terms in HOL. Lines 14-22  is further extended with (equality-based) ceteris paribus preference relations and modalities; here Γ represents a set of formulas that are assumed constant between two possible worlds to compare. Hence our variant can be understood as "these (given) things being equal"-preferences. This variant can be used for modelling von Wright's notion of ceteris paribus ("all other things being equal") preferences, eliciting an appropriate Γ by extra-logical means. Lines 26-33: Except for ≺ Γ , the remaining operators we define here were not explicitly defined by van ; however, their existence is tacitly suggested.
Meta-theoretical results on  as presented by van Benthem et al. (2009)  Lines 5-13 Correspondences between the semantically and syntactically defined preference relations are proved. Lines 15-22 It is proved that (e.g. inclusion and interaction) axioms for  follow as theorems in our SSE. This tests the faithfulness of the embedding in one direction. Lines 25-47 We continue the mechanical verification of theorems, and generate countermodels (not displayed here) for non-theorems of , thus putting our encoding to the test. Our results coincide with  The encoding of the legal DSL (value theory or ontology) is shown in Fig. 15. The new theory is termed "ValueOntology", and it imports theory "PreferenceLogicBasics" (and thus recursively also Isabelle/HOL's internal theory "Main"). As a preliminary, the legal parties plaintiff and defendant are introduced as an (extensible) two-valued datatype together with a function to obtain for a given party the other one ( −1 ) (Lines 4-5); and a predicate modelling the ruling for a party is also provided (Lines 7-8).
As regards the discoursive grammar value theory, a four-valued (parameterised) datatype is introduced (Line 10) as described in §2. Moreover, type-aliases (Lines 11-12) and set-constructor operators for values (Lines 14-15) are introduced for ease of presentation. The legal principles from §2 are introduced as combinations of those basic values (Lines 17-28). As an illustration, the principle STABility is encoded as a set composed of the basic values SECURITY and UTILITY.
Next, the incidence relation and operators ↑ and ↓, borrowed and adapted from formal concept analysis (FCA), are introduced (Lines 30-34).
We then define the aggregation operator ⊕ as ⊕ ∶= ( ↓∨ ↓); i.e., we select the second candidate as discussed in §2. And as our preference relation of choice we select the relation ≺ (Line 38).

Fig. 15
Encoding of the legal DSL (value ontology) Finally we introduce "Promotes" schema for encoding the promotion of value principles via legal decisions (Line 40) and we introduce a notion "Conflict " expressing a legal value conflict for a party (Lines 42-43).
The consistency of the theory is confirmed by Nitpick (Line 45). Tests on the modelling and encoding of the legal DSL are displayed in Fig. 16. Among others, we verify that the pair of operators for extension (↓) and intension (↑), cf. Formal Concept Analysis (Ganter and Wille 2012), constitute indeed a Galois connection (Lines 6-18), and we carry out some further tests on the value theory (extending the ones presented in §6) concerning value aggregation and consistency (Lines 20ff.).

Fig. 16
Formally verifying/testing the legal DSL or value ontology

A.3 Legal and World Knowledge
The encoding of the relevant legal & world knowledge (LWK) is shown in Fig. 17. The defined Isabelle/HOL theory is termed "GeneralKowledge" and imports the "ValueOntology" (and thus recursively also "PreferenceLogicBasics") theory. Lines 4-5 Declaration of logical constant symbols that stand for kinds of legally relevant situations. Lines 8-11 Meaning postulates for these kinds of legally relevant situations are introduced. Lines 14-16 Preference relations for these kinds of legally relevant situations are introduced. Lines 18-26 Some simple vocabulary is introduced and some taxonomic relations for wild and domestic animals are specified. Lines 28-36 Some relevant situational factors are declared and subsequently constrained by meaning postulates. Line 39 An example for a value preference conditioned on factors is specified. Lines 41-46 The situational factors are related with values and with ruling outcomes according to the notion of value promotion. Line 48 The model finder Nitpick is used to confirm the consistency of the introduced theory. The Isabelle/HOL encoding of two scenarios in the Pierson v. Post case is presented in Figs. 18 and 19.
In Fig. 18, which presents the initial ruling in favour of Pierson, the Isabelle/HOL theory is termed "Pierson" and imports the theory "GeneralKnowledge" (which recursively imports theories "ValueOntology" and "PreferenceLogicBasics").
Lines 5-19 (generic) theory and (contingent) facts suitable to the defendant (Pierson) are postulated. Lines 21-22 automated proof justifying the ruling for Pierson; the dependencies of the proof are shown. Lines 24-35 corresponding interactive proof (with the same dependencies as for the automated one) modelling the argument justifying the finding for Pierson. Lines 36-44 various checks for consistency of the assumptions and the absence of value conflicts. As a further illustration, we present in Fig. 19 a plausible counterargument by Post. The Isabelle/HOL theory is now termed "Post" and imports the theory "GeneralKnowledge" (which recursively imports theories "ValueOntology" and "PreferenceLogicBasics"). Lines 5-24 theory and facts suitable to the plaintiff (Post) are postulated. Lines 26-27 automated proof justifying the ruling for Post; the dependencies of the proof are shown. Lines 29-42 corresponding interactive proof (with the same dependencies as for the automated one) modelling the argument justifying the finding for Post. Lines 43-51 various checks for consistency of the assumptions and the absence of value conflicts.