A Decidable Multi-Agent Logic for Reasoning about Actions, Instruments, and Norms

Kees van Berkel¹, Tim Lyon¹ [0000−0003−3214−0828] and Francesco Olivieri²

¹ Institut für Logic and Computation, TU Wien, Vienna, Austria, {kees,lyon}@logic.at
² Data61-CSIRO, Brisbane, Australia, francesco.olivieri@data61.csiro.au

Abstract. We formally introduce a novel, yet ubiquitous, category of norms: norms of instrumentality. Norms of this category describe which actions are obligatory, or prohibited, as instruments for certain purposes. We propose the Logic of Agency and Norms (LAN) that enables reasoning about actions, instrumentality, and normative principles in a multi-agent setting. Leveraging LAN, we formalize norms of instrumentality and compare them to two prevalent norm categories: norms to be and norms to do. Last, we pose principles relating the three categories and evaluate their validity vis-à-vis notions of deliberative acting. On a technical note, the logic will be shown decidable via the finite model property.

Keywords: Agency logic · Action constants · Action logic · Andersonian reduction · Decidability · Deontic logic · Norms of instrumentality

1 Introduction

The formal analysis of normative reasoning, roughly starting with the introduction of deontic logic in the 1950s [21], has been guided by the conviction that action and agency are pivotal components of normative reasoning [8,22]. In relation to this, an important development took place in the 1970s: the introduction of Propositional Dynamic Logic (PDL) [10]. Modal logics of PDL focus on the analysis of complex actions (or programs) and their relation to results. The framework was soon adapted to deontic reasoning [17] and it continues to receive attention to the present day [20].

The emphasis on action and agency in normative reasoning led to the distinction between two categories of norms: norms to be and norms to do [1,8].
Norms of the former category address states of affairs, without making reference to how such states of affairs are obtained by the agent. The latter category normatively prescribes actions to agents, yet, without specifying the possible outcomes that might be produced by the action. However, there is a third category of norms merging both approaches, which, to the best of our knowledge, has not yet been formally investigated. These norms prescribe a specific normative relation between an action and a goal, with the action serving as an instrument to achieve the goal. Such norms we will refer to as norms of instrumentality. Consider the following example:

Although it is neither prohibited to use nonpublic information, nor is it prohibited to acquire financial profit on the stock market, it is in fact prohibited to use such information as an instrument to attain the latter.

The above principle is known as the law on 'insider trading' and belongs to this third category. Prohibitions of the form expressed above articulate which actions cannot be employed as instruments for achieving particular goals. Despite the ubiquity of normative constraints on instrumentality in legal, social, and ethical systems (e.g., protocols, rules of games, fairness constraints, etc.), an investigation of their philosophical ramifications in formal logic is absent. This work aims to provide the formal foundations for the analysis of norms of instrumentality.

In [1], a formal investigation of the first two norm categories is provided. The formalism employed there brings together Anderson's reduction of norms of the first class [2] and Meyer's reduction of norms of the second class [17] in a single system of modal logic called PDeL (i.e. deontic PDL). The first is a reduction of deontic operators to alethic formulae containing violation constants (e.g., a result A is obligatory when ¬A strictly implies a violation).
The second reduces deontic operators to formulae using action modalities and violation constants (e.g., an action ∆ is obligatory when not performing ∆ strictly implies a violation). In [4], a third reduction is discussed, where action modalities of PDL are reduced to alethic formulae containing action constants. The resulting logic facilitates reasoning about agent-dependent actions within the object language and formally captures different notions of instrumentality (in a non-normative setting). Decidability of this logic was left as an open problem.

The current work brings together the three reductions found in [1] and [4], and introduces a Logic of Agency and Norms called LAN (Sect. 3). The resulting logic extends previous approaches by permitting us to reason with agent-dependent actions, as well as agent-dependent obligations and prohibitions, in multi-agent settings. The language of LAN will enable us to formally investigate the three norm categories; we will pose principles describing relations between the three categories and evaluate their validity vis-à-vis different notions of deliberative acting (Sect. 4). Last, we prove the decidability of LAN in App. A of the paper.

2 A Benchmark Example

In order to understand the distinct nature of the three kinds of norms, we provide an example protocol serving as a benchmark in developing our formal framework. In Sect. 5, we formalize and analyze the protocol using our developed logic.

A Hospital Health and Safety Protocol. The Health and Safety Committee of a public hospital in Vienna recently established a new set of guidelines to govern and redirect the behaviour of surgeons and nurses in the assistance and treatment of its patients.
In particular, motivated by the increased awareness of the dangers of accidental self-inflicted wounds, caused by using sharp tools during surgery, the committee has proposed a new policy: namely, limiting the use of scalpels in surgery to surgeons and prohibiting assisting nurses the use of such instruments in the operation room. The protocol is summed up accordingly:

P1 A surgeon is obliged to use the prescribed scalpel to bring about a necessary incision during surgery.
P2 Assisting Nurses are not allowed to use scalpels during surgery when the situation is not dire.¹
P3 Nurses and surgeons alike have the obligations to (i) promote the health of their patients and (ii) preserve hygiene safety in the operation room.

First, we observe that the norm expressed by P1 is a norm belonging to the third, novel, category of norms of instrumentality; that is, it describes a norm that specifically relates an action as an instrument to a particular outcome. P2 is a prohibition subsumed under norms to do, and holds independent of the instrument's intended purpose. P3 is an obligation pertaining to norms to be, and holds independent of the instruments used to obtain (i) and (ii). To stress the irreducibility of norms of instrumentality to norms to be and norms to do, consider the following: although a surgeon might be obliged to use a scalpel to ensure a required incision, it does not follow that she has the obligation to use scalpels independent of their intended purpose (some outcomes obtained by using scalpels could be prohibited), nor does it mean that she has the obligation to bring about the incision by any means necessary (some means could be prohibited).
In fact, in case of P1, the surgeon has only the obligation to ensure the required incision by means of using the scalpel.² To continue, the committee makes two assumptions in drafting the protocol:

T1 The protocol resolves all normative issues in surgical situations by offering rules of conduct that ultimately provide ways out of any possible conflict.
T2 The protocol assumes that the choices described, and suggested, to the agents can be consistently performed together.

The committee is aware that sub-ideal situations can occur (e.g., whenever an employee (in)voluntarily violates an initial rule). Given T1, the committee provides the following principle which activates whenever P3 cannot be satisfied:

E1 In case of failing to preserve hygiene standards during surgery (e.g., in the case of self-inflicted wounds) the employee in question is obliged to immediately leave the operation room and call the safety-emergency number.

The purpose of the above rule is to ensure that damage in sub-ideal scenarios is controlled. Principle E1 prescribes measures to be taken in case of failure to comply with other prescriptions. As can be seen, there is a close connection between principle E1 and what is called contrary-to-duty reasoning; that is, reasoning about secondary norms that arise from violating primary norms. We come back to this point during the formalization of the example in Sect. 5.

Last, the committee desires that the above protocol is captured in a logical system, enabling them (i) to analyse the consistency of the protocol and (ii) to reason with the protocol whenever critical circumstances occur. As can be observed, the logical language must contain agents, actions, results and violations, in order to facilitate the formal distinction between the three norm categories.

¹ Notice that principle P2 incorporates a form of defeasible reasoning through explicit exception; for the present analysis of norms of instrumentality, the above will suffice.
² Notice that in the present example, we use a material tool to exemplify instruments. However, we stress that the notion of instrumentality is more general and refers to all actions serving goals; e.g., 'opening the window' is an instrument for 'changing the room's temperature' [22]. Following Von Wright [23], an action is classified as a φ-instrument, where φ is the purpose, whenever the action serves the purpose of φ. Consequently, although in the above example reference is made to a 'scalpel' (i.e. a tool), the instrument under consideration, serving the purpose of 'the incision being made', is in fact the action 'using the scalpel (for the purpose of incision)'. See [4] for a philosophical discussion on different notions of instrumentality.

3 Deontic Logic of Actions, Agency and Norms

In what follows, we introduce the language, semantics and axiomatization of our Logic of Agency and Norms, henceforth, LAN (the logic will be a deontic extension of the machinery provided in [4]). As motivated in the introduction, we will employ a reductionist approach to norms via violation constants (following [17]) and to actions via action constants (following [4]).

In order to reason with actions in a normative setting, we use a Boolean algebra of actions. The language of LAN will depend on this algebra of actions, which will enable us to talk about complex, compound actions as formulae in the object language.

Definition 1 (Algebra of Actions Act_LAN). Let Act = {δ_1, ..., δ_n} be a set of atomic action-types and let δ_i ∈ Act. The language Act_LAN of complex action-types ∆ is given via the following BNF grammar:

∆ ::= δ_i | ∆ ∪ ∆ | \overline{∆}

The operations ∪ and \overline{·} represent disjunction and complement (resp.), allowing us to generate complex expressions such as 'closing-the-door or opening-the-window' and 'not closing-the-window'. The conjunction operator & over actions is defined as ∆_1 & ∆_2 := \overline{\overline{∆_1} ∪ \overline{∆_2}}.
Let Agt = {α_1, ..., α_n} be a set of agent labels; we say ∆^{α_i} is an agent-dependent action-type iff ∆ ∈ Act_LAN and α_i ∈ Agt. We let Var = {p_1, p_2, ...} be a countable set of propositional variables, and for any α_i ∈ Agt, we let Wit^{α_i} = {d_1^{α_i}, ..., d_n^{α_i}} be the set of propositional constants that witness the performance of atomic action-types δ_1, ..., δ_n by α_i (this is made formally precise in Def. 3). Let Wit be the union ⋃_{α_i ∈ Agt} Wit^{α_i} and note that |Wit^{α_i}| = |Act| = n, for some n ∈ ℕ. Also, we take v^{α_i} to be a propositional constant witnessing a norm violation for agent α_i and let Vio = {v^{α_i} | α_i ∈ Agt} be the set of all agential violation constants. Last, we let Atoms = Var ∪ Wit ∪ Vio.³

³ Following [1], to avoid paradoxes v^{α_i} is read as 'norm violation' instead of 'sanction'.

Definition 2 (The Language L_LAN). L_LAN is given by the following BNF:

φ ::= p_i | v^{α_j} | d_i^{α_j} | ¬φ | φ → φ | φ | [N]φ

where p_i ∈ Var, α_j ∈ Agt, v^{α_j} ∈ Vio and d_i^{α_j} ∈ Wit.

In short, the operators ∧, ∨ and ≡ are defined in the usual way. Formulae of the form φ and [N]φ express, respectively, 'in all possible successor (future) states φ holds' and 'in the actual successor (future) state φ holds'. We take  and 〈N〉 as the duals of  and [N], respectively. Last, we take d_i^{α_j} and v^{α_j} to stand for 'agent α_j has performed action δ_i' and 'agent α_j has violated a norm', respectively. Following [4], we define a translation that maps agent-dependent action-types to formulae of L_LAN, enabling us to reason with actions inside the logic:

Definition 3 (Translation t between Act_LAN and L_LAN).
– For any δ_i ∈ Act and α_j ∈ Agt, t(δ_i^{α_j}) = d_i^{α_j}, with d_i^{α_j} ∈ L_LAN.
– For any ∆ ∈ Act_LAN and α_i ∈ Agt, t(\overline{∆}^{α_i}) = ¬t(∆^{α_i}).
– For any ∆, Γ ∈ Act_LAN and α_i, α_j ∈ Agt, t(∆^{α_i} ∪ Γ^{α_j}) = t(∆^{α_i}) ∨ t(Γ^{α_j}).
Consequently, from the above we can derive t(∆^{α_i} & Γ^{α_i}) = t(∆^{α_i}) ∧ t(Γ^{α_i}).⁴ To demonstrate the potential of L_LAN, we present below the agency operators for would, could and will, as introduced in [4]. These operators will play a central role in determining an agent's compliance with the formalized example protocol in Sect. 5. We leave the introduction of normative operators to Sect. 4.

(1) For any ∆ ∈ Act_LAN and α_i ∈ Agt, [∆^{α_i}]^{would} φ := (t(∆^{α_i}) → φ)
(2) For any ∆ ∈ Act_LAN and α_i ∈ Agt, [∆^{α_i}]^{could} φ := (t(∆^{α_i}) → φ) ∧ t(∆^{α_i})
(3) For any ∆ ∈ Act_LAN and α_i ∈ Agt, [∆^{α_i}]^{will} φ := (t(∆^{α_i}) → φ) ∧ 〈N〉t(∆^{α_i})

The above operators capture different relations between actions and results obtained at successor states. The first notion is interpreted as 'currently, by performing the action ∆, agent α_i would bring about φ' (i.e. ∆ suffices for guaranteeing φ). This definition, however, does not ensure that the agent can in fact perform ∆. The second definition extends the first by adding a notion of ability to it, reading 'currently, by performing action ∆, agent α_i would bring about φ and agent α_i could currently perform ∆'. The third notion connects the actual course of events with the possible actions available to the agent, stating that 'currently, by performing ∆, agent α_i would bring about φ and agent α_i will actually execute ∆'. (Note that (3) implies (2), and (2) implies (1) within the logic LAN; see Def. 4).

The logic LAN is specified through a Hilbert-axiomatization presented in Def. 4. The axioms A1, A2, A4 and R1 specify that both  and [N] behave as normal modal operators. In addition, we make a few minimal assumptions for our logic: Axiom A3 ensures that every state has at most one actual successor. Axiom A4 guarantees that every actual future is also a possible future. Axiom A5 expresses that any list of available actions performable by different agents can be consistently performed together. Axiom A5 corresponds to clause T2 from the example of Sect.
2, and is an adaptation of the independence of agents principle (a pivotal condition for multi-agent STIT logics; see [3, Ch.7]). Last, for our deontic setting we adopt a weak contingency axiom with respect to agent-dependent norm violations. This condition, captured through axiom A6, ensures that no agent α_i can end up in a state at which norm violations cannot be avoided; i.e. if there is a violation possible, there is also a successor state in which the violation is avoided. This axiom corresponds to requirement T1 made in Sect. 2. For a discussion of the contingency axiom A6 we refer to [2,18].

⁴ We note in passing that one could define other action operators of PDL within the reduced logic LAN; for example 'composition' as [∆^{α_i}; Γ^{α_i}]φ := [∆^{α_i}][Γ^{α_i}]φ.

Definition 4 (Axiomatization of LAN).
A0 All propositional tautologies
A1 (φ → ψ) → (φ → ψ)
A2 [N](φ → ψ) → ([N]φ → [N]ψ)
A3 〈N〉φ → [N]φ
A4 φ → [N]φ
A5 For any distinct α_1, ..., α_n ∈ Agt and not necessarily distinct ∆_1, ..., ∆_n ∈ Act_LAN, ( t(∆_1^{α_1}) ∧ ... ∧ t(∆_n^{α_n})) → (t(∆_1^{α_1}) ∧ ... ∧ t(∆_n^{α_n}))
A6 For any α_j ∈ Agt, v^{α_j} → ¬v^{α_j}
R0 Modus Ponens: ⊢_LAN φ and ⊢_LAN φ → ψ imply ⊢_LAN ψ
R1 Necessitation: ⊢_LAN φ implies ⊢_LAN φ

A derivation of φ in LAN from a set Σ, written Σ ⊢_LAN φ, is defined in the usual way (see [5, Def. 4.4]). When Σ = ∅, we say φ is a theorem, and write ⊢_LAN φ.

The corresponding relational frames for LAN are those of [4], modified to a deontic setting using violation constants:

Definition 5 (Relational LAN Frames and Models). An LAN-frame is a tuple F = (W, {W_{d_i^{α_j}} : d_i^{α_j} ∈ L_LAN}, {W_{v^{α_j}} : v^{α_j} ∈ L_LAN}, R, R_N), such that:
– W is a non-empty set of worlds w, v, u, ... such that:
(R1) For each d_i^{α_j} ∈ Wit, W_{d_i^{α_j}} ⊆ W.
(R2) For each v^{α_j} ∈ Vio, W_{v^{α_j}} ⊆ W.
– R, R_N ⊆ W × W are binary relations between worlds in W such that:
(R3) For all w, u, v ∈ W, if wR_N u and wR_N v, then u = v.
(R4) For all w, v ∈ W, if wR_N v, then wRv.
(R5) For all w ∈ W and for all 1 ≤ i, j ≤ n, if there are (not necessarily distinct) action-types ∆_1, ..., ∆_n such that for 1 ≤ i ≤ n there is a world u_i ∈ W, for which wRu_i and u_i ∈ W_{t(∆_i^{α_i})}, then there is a world v ∈ W such that wRv and v ∈ W_{t(∆_1^{α_1})} ∩ ... ∩ W_{t(∆_n^{α_n})}. †
(R6) For all w ∈ W and all α_j ∈ Agt, if there exists a v ∈ W such that wRv and v ∈ W_{v^{α_j}}, then there is a world u ∈ W for which wRu and u ∈ W − W_{v^{α_j}}.

(†) For an arbitrary ∆^{α_i}, s.t. ∆ ∈ Act_LAN and α_i ∈ Agt, we define W_{t(∆^{α_i})} using the following recursive clauses: W_{t(δ_i^{α_i})} = W_{d_i^{α_i}}, W_{t(\overline{∆}^{α_i})} = W − W_{t(∆^{α_i})} and W_{t(∆^{α_i} ∪ Γ^{α_j})} = W_{t(∆^{α_i})} ∪ W_{t(Γ^{α_j})}.

An LAN-model is a tuple M = (F, V) where F is an LAN-frame and V is a valuation function mapping propositional atoms to subsets of W, that is V : Atoms ↦ P(W), for which the following two restrictions hold:
– V(d_i^{α_j}) = W_{d_i^{α_j}}, for any d_i^{α_j} ∈ L_LAN.
– V(v^{α_j}) = W_{v^{α_j}}, for any v^{α_j} ∈ L_LAN.

Let C_f^{LAN} be the class of LAN-frames. (NB. One can easily show that C_f^{LAN} ≠ ∅.)

The relation R represents transitions between successive states. Whereas transitions represented by R capture possible transitions from the current state, the relation R_N represents the actual transition from the current state. The only restrictions imposed are: there is at most one actual future (R3) and the actual future must be one of the possible futures (R4) (cf. A3 and A4 of Def. 4, resp.). The concept of 'actual future' is taken as state-dependent, which enables reasoning about states that would lie in the actual future of a counterfactual state (e.g., 'although it is Monday, if it would have been Thursday today, then it would actually be Friday tomorrow'; see [4]). Next, condition (R5) ensures that any combination of actions performed by distinct agents is consistent (cf. A5 of Def. 4).
Condition (R6) enforces that, if there is a possible future in which a norm violation occurs for some agent, then there is also an alternative future available in which a norm violation is avoided for that agent (cf. A6 of Def. 4). The semantics of L_LAN is defined accordingly:

Definition 6 (Semantics for L_LAN). Let M be an LAN-model and w ∈ W of M. The satisfaction of a formula φ ∈ L_LAN in M at w is inductively defined as:
(1) M, w ⊨ χ iff w ∈ V(χ), for any χ ∈ Atoms
(2) M, w ⊨ ¬φ iff M, w ⊭ φ
(3) M, w ⊨ φ → ψ iff M, w ⊭ φ or M, w ⊨ ψ
(4) M, w ⊨ φ iff for all v ∈ W s.t. wRv we have M, v ⊨ φ
(5) M, w ⊨ [N]φ iff for all v ∈ W s.t. wR_N v, we have M, v ⊨ φ

The semantic clauses for the dual operators  and 〈N〉, as well as global truth, validity and semantic entailment are defined as usual (see [5]). (NB. propositional constants for actions and violations maintain their semantic interpretation in all models over a frame. See [4] for a discussion.)

The adequacy of LAN is directly obtained through a slight modification of the soundness and completeness proofs for the logic of actions and expectations presented in [4] (i.e. we substitute expectation constants for violation constants).

Theorem 1 (Adequacy [4]). For all φ ∈ L_LAN, we have that φ is an LAN theorem if and only if φ is valid with respect to the frame class C_f^{LAN}.

Furthermore, the logic LAN is decidable and has the finite model property:

Theorem 2 (Finite Model Property). LAN has the finite (tree) model property (FMP), i.e. every satisfiable formula is satisfiable on a finite, treelike model.

Proof. The proof is presented in App. A at the end of this paper.

Corollary 1 (Decidability). The satisfiability problem of LAN is decidable.

As a closing comment, we observe that the decidability of LAN obtained here, implies decidability of the logic of actions and expectations, left as an open problem in [4] (this can be affirmed through a quick comparison of the axiomatizations).
4 Norms, Ability and Deliberation in LAN

The logic LAN allows us to reason about both actions and results. We can distinguish three different types of normative statements: normative statements about (1) results, (2) actions, and (3) actions in relation to results. We refer to the first two categories as norms to be and norms to do, respectively, and to the third category as norms of instrumentality. The latter category articulates which actions must or must not be employed as instruments for obtaining particular goals (see [4,23] for a discussion of different notions of instrumentality). In this section, we demonstrate the expressive power of LAN through formalizing the aforementioned three categories, and use our formalization to investigate the dependencies between the different norm types. With this, we take a first step towards a formal analysis of norms of instrumentality. In the following section, we apply the attained notions to a formal analysis of our case study.

Before moving to our formal investigation, we need to establish some desiderata concerning the three norm-types and their interdependencies. First, we notice that according to [1], it is generally agreed upon that the categories of norms to be and norms to do cannot be completely reduced to one another. In Sect. 2 we discussed principle P1 of the protocol and argued that, in the case of obligations, norms of instrumentality are neither an instance of the former nor the latter category and, consequently, must be regarded as a category proper (the 'insider trading' example from Sect. 1 demonstrates the case for prohibitions). Still, we can identify several reasonable principles expressing certain interdependencies between the three categories:

D1 If a result is prohibited, then it will be prohibited regardless of the action used in obtaining it (i.e. prohibited given any action).
D2 If an action is prohibited, then its performance is prohibited irrespective of its outcome (i.e.
prohibited given any outcome).
D3 If it is obligatory to perform a certain action to obtain a particular result (instrumentality), then it must be prohibited to not perform the action, as well as prohibited to not bring about the result.

In addition to the above, we will consider two pivotal principles from the realm of normative agency and investigate their effect on the three norm categories. The first is expressed as the no vacuously satisfied norms principle which states that all norms should be violable (see D4 below). This desideratum imposes a deliberate component on all norms (cf. Anderson's contingency principles [2,18] and Belnap and Horty's notion of deliberative agency [3,15].) As a second principle, we adopt a generalized variant of the 'ought implies can' principle, accredited to Immanuel Kant [16, A548/B576], to which we will refer as the norm implies can principle. We will make a further distinction within the principle by considering two interpretations of the term 'can' (cf. [7] and [23] for different notions of ability). First, we take 'can' to denote 'possible' (D5 below). Second, we interpret 'can' as the stronger agentive notion of 'ability' (D6 below).

D4 Norms must be violable: If X is prohibited (obligatory), then (the negation of) X must be possible.
D5 Norms must be satisfiable: If X is obligatory (prohibited), then (the negation of) X must be possible.
D6 Norms must be agentively satisfiable: If X is obligatory (prohibited), then the agent must have the ability to guarantee (the negation of) X.
(NB. Where X can be substituted for a result or an action.)

Clauses D5 and D6 express, respectively, the weak and strong norm implies can principle. We emphasize that for prohibitions (obligations), in order to fulfill (defy) its duty, an agent must ensure the opposite of what is forbidden (obligatory).
In the following sections, we will see that D1-D3 break down when we consider them together with the above deliberation constraints on norms D4-D6.

4.1 Norms to be

In what follows, we will use the symbol F to refer to what is forbidden and we will use O to denote what is obligatory. Adapting Anderson's deontic reduction [2], we formally define the first category of norms to be (i.e. forbidden to be and ought to be, respectively) in accordance with principle D4 as follows:

F1. F[⊤^{α_i}]φ := (φ → v^{α_i}) ∧ φ
O1. O[⊤^{α_i}]φ := (¬φ → v^{α_i}) ∧ ¬φ

We interpret F[⊤^{α_i}]φ as 'φ is forbidden to become the case for agent α_i, iff (i) every possible transition to φ would mean a norm violation for agent α_i and (ii) φ is possible' and we read O[⊤^{α_i}]φ as 'φ ought to become the case for agent α_i, iff (i) every possible transition to ¬φ would mean a norm violation for agent α_i and (ii) ¬φ is possible'. The first conjunct (i) of F1 and O1 corresponds to Anderson's reduction (referred to as the reduction clause), whereas the second conjunct (ii) captures that the norm can be violated (referred to as the violation clause of principle D4). We take ⊤^{α_i} to represent α_i's vacuously satisfied action: that is, ⊤^{α_i} := (δ_1 ∪ \overline{δ_1})^{α_i} (cf. the universal action [17]). We take ⊥^{α_i} := (δ_1 & \overline{δ_1})^{α_i} to denote the impossible action, used in definitions F1′ and O1′ below.

We may extend the above formalizations to define norms to be in accordance with the more stringent principle D6. We write F′ and O′ to indicate what is forbidden and what is obligatory, respectively, within this paradigm:⁵

F1′. F′[⊤^{α_i}]φ := (φ → v^{α_i}) ∧ φ ∧ ⋁_{[[∆^{α_i}]] ∈ [[Act*_LAN]]} (t(∆^{α_i}) → ¬φ)
O1′. O′[⊤^{α_i}]φ := (¬φ → v^{α_i}) ∧ ¬φ ∧ ⋁_{[[∆^{α_i}]] ∈ [[Act*_LAN]]} (t(∆^{α_i}) → φ)

⁵ Notice, since Act_LAN represents a Boolean algebra of actions built over a finite number of action types from Act, there are only finitely many equivalence classes [[∆^{α_i}]] := {Γ^{α_i} | ⊢_LAN t(Γ^{α_i}) ≡ t(∆^{α_i})} of equivalent actions. We let [[Act*_LAN]] in F1′ and O1′ represent the set of all such equivalence classes minus the class [[⊥^{α_i}]] of all impossible actions. Additionally, since obligatory or forbidden results are central to norms to be, as opposed to obligatory or forbidden actions, we impose the following restriction on F1, O1, F1′ and O1′: the formula φ is free of action constants from Wit. Without this restriction, norms to do could be seen as instances of norms to be (i.e. norms to bring about the witness of a performed action as a result), thus contradicting the observations made in [1] about the irreducibility of the two.

The norms F′[⊤^{α_i}]φ and O′[⊤^{α_i}]φ are similar to F[⊤^{α_i}]φ and O[⊤^{α_i}]φ in that they contain a reduction clause and a violation clause. However, in addition they also contain a norm implies ability clause. This additional third clause expresses that (iii) 'there exists an action available to the agent that would serve as a suitable instrument for satisfying the norm' (cf. the 'would' operator, Sect. 3).

Principle D4 is explicitly satisfied by definitions F1, O1, F1′, and O1′, whereas the latter two also explicitly satisfy D6. What is more, in LAN we derive that all four definitions satisfy D5 too. This result is obtained through the following reasoning: Suppose F[⊤^{α_i}]φ. By definition, φ holds. Through basic LAN reasoning and the reduction clause, v^{α_i} holds and, by applying axiom A6, we obtain ¬v^{α_i}. Last, from LAN reasoning and the reduction clause we can derive ¬φ. Similar arguments can be given for the remaining norms. Hence, we obtain the following LAN theorem:

F[⊤^{α_i}]φ ∨ O[⊤^{α_i}]φ ∨ F′[⊤^{α_i}]φ ∨ O′[⊤^{α_i}]φ → ( φ ∧ ¬φ)

In other words, in LAN we derive that norms to be range over contingent state-of-affairs; i.e. the norms can be both satisfied and violated. We refer to this result as the contingency property of norms (cf. [2,18]).

4.2 Norms to do

With respect to the second category of norms to do, we adopt Meyer's reduction [17] to the LAN setting and formally define our forbidden to do and ought to do operators, respectively, as follows:

F2. F[∆^{α_i}]⊤ := (t(∆^{α_i}) → v^{α_i}) ∧ t(∆^{α_i})
O2. O[∆^{α_i}]⊤ := (¬t(∆^{α_i}) → v^{α_i}) ∧ ¬t(∆^{α_i})

We read F[∆^{α_i}]⊤ as 'the performance of ∆ is forbidden for agent α_i, iff (i) every possible performance of ∆ would mean a norm violation for agent α_i and (ii) ∆ can be performed by α_i' and we interpret O[∆^{α_i}]⊤ as '∆ ought to be performed by agent α_i, iff (i) every possible performance of ∆ would mean a norm violation for agent α_i and (ii) ∆ can be performed by α_i'. We take ⊤ to represent the vacuously satisfied result; that is, we say that the norm applies independent of its result. The reduction clause (i) of F2 and O2 corresponds to Meyer's deontic reduction, whereas clause (ii) captures the norm's deliberative nature by requiring the possibility of norm violation. The above, together with axiom A6, implies that also norms to do have the desired contingency characteristics; i.e. the following is an LAN theorem:

F[∆^{α_i}]⊤ ∨ O[∆^{α_i}]⊤ → ( t(∆^{α_i}) ∧ ¬t(∆^{α_i}))

However, the distinction between D5 and D6 breaks down for norms to do: the implied contingency clause in these norms directly incorporates the notion of ability. This is due to our interpretation of actions, which corresponds to the use of actions in PDeL [1,17]; i.e. when an agent has an action at its disposal this means that it has the ability to guarantee its performance. Hence, in the current framework these two notions equate.

4.3 Norms of instrumentality

So far, the first two categories have been formally defined on the basis of their converged interpretation in the literature (e.g., [1,8]) and extended with deliberative clauses. How should we formally capture the third, novel category of norms of instrumentality?
The above analyses would suggest a definition comprising at least a reduction clause and a violation clause. However, with respect to norms of instrumentality this twofold reading does not suffice.

Let us first consider the obligations belonging to norms of instrumentality. First, recall that we take as instruments those actions that are suitable for serving a particular purpose. Hence, for an agent to be committed to such an obligation, we require that the prescribed action is in fact an instrument for bringing about the desired result; i.e. the action would guarantee the envisaged outcome. Observe that, given this reading, the strong norm implies can principle is immediately satisfied: i.e. the agent must be able to produce the desired result through the desired action. Hence, for the third category, we opt for a formalization that directly incorporates the agential notion of would (cf. Sect. 3). Second, we need to identify what it means for an agent to violate an obligation of the third category: If an agent α_i has the obligation to employ ∆ (as an instrument) to obtain φ, then α_i violates this obligation whenever either α_i does not perform ∆ (independent of whether α_i produced φ) or α_i does not bring about φ (independent of whether α_i performed ∆).

On the basis of the above two observations, we thus say that 'an agent α_i has the obligation to employ ∆ as an instrument to obtain φ iff (i) performing \overline{∆} or bringing about ¬φ would lead to a norm violation for agent α_i, (ii) such a norm violation is possible through ¬φ or \overline{∆}, and (iii) the performance of ∆ by α_i would ensure φ (i.e. ∆ is a φ-instrument for α_i).' We formally define this norm as follows:

O3. O[∆^{α_i}]φ := (¬(t(∆^{α_i}) ∧ φ) → v^{α_i}) ∧ ¬(t(∆^{α_i}) ∧ φ) ∧ (t(∆^{α_i}) → φ)

Notice that, in the three conjuncts of definition O3 we recognize (i) the reduction clause, (ii) the violation clause, and (iii) the ability clause, respectively.
Moreover, as with F1, O1, F1′, and O1′ we stipulate that φ must be free of action constants from Wit (in both O3 and F3).

Should we give a similar reading for prohibitions of this category? The answer is not straightforward. Let us reconsider the example from Sect. 1: 'it is prohibited to use non-public information as an instrument to attain financial profit on the stock market'. We say that an agent αi violates this prohibition whenever αi uses non-public information and consequently attains financial profit from it. However, should we additionally require that αi is only subject to this prohibition whenever αi has the strict ability to guarantee financial profit through using non-public information? The answer seems to be negative: we also desire to include cases in which αi accidentally obtains financial profit on the stock market through using non-public information (footnote 6). Nevertheless, in adopting the strong norm implies can principle we still require that the agent must have the ability to avoid violating the prohibition in question, thus satisfying its duty.

Putting the above together, we say that 'agent αi is prohibited to employ action ∆ as an instrument for the purpose φ, iff (i) in every case in which ∆ has been performed and φ has been successfully ensured, a norm violation has occurred, (ii) the norm can in fact be violated and, most importantly, (iii) either αi has the ability to avoid performing ∆ or there is an action at αi's disposal that is a suitable instrument for avoiding φ.' Formally, this is expressed accordingly:

F3. F[∆αi]φ := ((t(∆αi) ∧ φ) → vαi) ∧ (t(∆αi) ∧ φ) ∧ θ
where θ := ¬t(∆αi) ∨ ⋁_{[[Γαi]] ∈ [[Act∗LAN]]} (t(Γαi) → ¬φ)

The first two conjuncts of F3 correspond to the reduction and violation clause, respectively. The additional third conjunct explicitly stipulates the ability and instrumentality relations which enable the agent in question to fulfil its duty.
Let us discuss the interaction between the proposed definitions of norms of instrumentality and the list of desiderata presented at the beginning of this section. First, we observe that the second conjunct of F3, ensuring the prohibition's deliberative nature, invalidates principles D1 and D2. That is, an LAN-model can be constructed to show the following are satisfiable for some ∆αi and φ:

F[⊤αi]φ ∧ ¬F[∆αi]φ, F′[⊤αi]φ ∧ ¬F[∆αi]φ, and F[∆αi]⊤ ∧ ¬F[∆αi]φ

The inconsistency of F3 with principles D1 and D2 can be understood as follows: a prohibition to bring about a result (action) should not imply that the result (action) must be avoided given any action (result), but only relative to those actions (results) possible. In other words, impossible combinations of actions and results are not forbidden because they are inviolable. Observe that D1 and D2 can be salvaged by abandoning principles D4, D5 and D6.

Second, as for the other two norm categories, definitions O3 and F3 imply the desired LAN theorem concerning the contingency of instrumentality norms:

O[∆αi]φ ∨ F[∆αi]φ → ( (t(∆αi) ∧ φ) ∧ ¬(t(∆αi) ∧ φ) )

Third, as stated by principle D3, when an agent αi has the obligation to ensure φ, but only specifically through performing ∆, we would like to be able to derive that for αi the state of affairs ¬φ, as well as the performance of ∆, is prohibited. However, this principle only holds in our context when we forgo the weak norm implies can principle.

Footnote 6: The assumption avoids risk by forbidding acts that possibly produce violations; e.g. 'it is forbidden to injure someone with a sharp tool, independent of the ability to guarantee the injury'. However, one could consider inclusion of instrumentality clauses for prohibitions when analyzing responsibility. We leave this for future work.
In other words, by omitting the violation clause (ii) (and therefore the implied contingency property) of definitions F1, F1′, F2, and O3, we obtain the following LAN theorems, satisfying principle D3:

O[∆αi]φ → (F[⊤αi]¬φ ∧ F[∆αi]⊤) and O[∆αi]φ → (F′[⊤αi]¬φ ∧ F[∆αi]⊤)

That in the present setting definition O3 is incompatible with principle D3 follows from the observation that impossible combinations of actions and states of affairs cannot be violated and, thus, will not classify as deliberative norms.

As a final remark, we believe that clause (iii) is pivotal for norms of instrumentality: that is, we do not want to commit agents to a cause whose outcome is merely accidental (i.e. uncontrollable). This would be too stringent. Instead, we desire that the envisaged outcome is a proper consequence of the agent's behaviour. In other words, only when the agent also has the ability to fulfill its duty (i.e. guarantee that the action under consideration leads to the desired outcome) can the agent be demanded to ensure the outcome by performing the action. This claim is in line with principle D6, the strong, agentive reading of norm implies can where 'can' denotes 'ability' or 'choice' (cf. [3,7,15]). Given such a clause, our definitions avoid the overburdening of an agent by not committing the agent to a cause it cannot effectively fulfill. The following LAN theorems capture the strong norm implies can reading of O3 and F3:

F[∆αi]φ → [∆αi]couldφ and O[∆αi]φ → [∆αi]couldφ

In conclusion, the final definitions (i.e. F1, F1′, F2, F3, O1, O1′, O2 and O3) are based on (i) Anderson's and Meyer's reduction, (ii) the no vacuously satisfied norms principle (of which the weak norm implies can principle was a logical consequence in LAN), and (iii) the strong norm implies can (i.e. ability) principle for norms of instrumentality. We saw that, by adopting principles enforcing minimal deliberative criteria on norms (i.e.
D4 and D5), we canceled basic dependencies between the three categories (i.e. D1, D2 and D3). In Tab. 1 we gathered some LAN theorems that bear significance to the present analysis. For example, in losing the norm implies can principle altogether, we obtain interdependencies such as V1–V3 of Tab. 1, first column. That O[∆αi]φ implies O[∆αi]⊤ with complete clauses (V2) is (in part) due to the ability clause, which ensures the violation clause necessary for the implied norm to do. The dependencies described by V4 and V5 are invariant to deliberation. Last, V6–V8 express some dependencies between combinations of norms.

| Formula | Only clause (i) | Complete clauses |
| V1. F∗[⊤αi]φ → F[∆αi]φ and F[∆αi]⊤ → F[∆αi]φ | yes | no |
| V2. O[∆αi]φ → O∗[⊤αi]φ and O[∆αi]φ → O[∆αi]⊤ | yes | no, yes (resp.) |
| V3. O∗[⊤αi]φ → F[∆αi]¬φ and O[∆αi]⊤ → F[∆αi]φ | yes | no |
| V4. F∗[⊤αi]φ → O[∆αi]¬φ and F[∆αi]⊤ → O[∆αi]φ | no | no |
| V5. F∗[⊤αi]φ ≡ O∗[⊤αi]¬φ and F[∆αi]⊤ ≡ O[∆αi]⊤ | yes | yes |
| V6. O[∆αi]φ → F∗[⊤αi]¬φ ∧ F[∆αi]⊤ | yes | no |
| V7. O[∆αi]φ ≡ O[∆αi]⊤ ∧ O∗[⊤αi]φ | yes | no |
| V8. F∗[⊤αi]φ ∧ F[∆αi]⊤ → F[∆αi]φ | yes | no |

Table 1. Formulae based on F1-F3, O1-O3, F1′ and O1′ considered with only the reduction clause (i) and considered with all clauses of the given definition. 'Yes' means the formula is a theorem for all ∆αi and φ; 'no' means otherwise. We let F∗ ∈ {F, F′} and O∗ ∈ {O, O′}.

Still, further investigation of the proposed definitions and interdependencies is required. The present analysis establishes a first step towards such an investigation by exhibiting the expressive power of the logic LAN. Let us now formally address our case study.

5 The Benchmark Example Revisited

In what follows, we apply our formal machinery to the example of Sect. 2. We formalize the protocol in LAN by making use of definitions F1-F3 and O1-O3, and apply it to two concrete situations where an agent must invoke the protocol to make a decision.
Our formalization will be used to demonstrate that the protocol is insufficient relative to its assumed aims (i.e. T1 and T2 of Sect. 2). We close by discussing the source of the aforementioned failure, arguing how the protocol and corresponding logic could be extended to repair such deficiencies.

For the formalization of the protocol, we take sur and nur to denote the agents 'surgeon' and 'nurse', respectively. The action language consists of the atoms scalp, leave and call, respectively describing 'using a scalpel', 'leaving the operation room' and 'calling the safety-emergency number'. Let incis, operation, dire, health, safety_nur and safety_sur be propositional atoms denoting 'the incision is made', 'the situation is an operation', 'the situation is dire', 'the patient's health is promoted', 'hygiene safety is promoted from the nurse's perspective' and 'hygiene safety is promoted from the surgeon's perspective', respectively. Consider the following possible formalization of the protocol:

P1. (operation ∧ O[⊤sur]incis) → O[scalpsur]incis
P2. (operation ∧ ¬dire) → F[scalpnur]⊤
P3. O[⊤nur]health ∧ O[⊤nur]safety_nur and O[⊤sur]health ∧ O[⊤sur]safety_sur
E1. ¬safety_nur → (O[leavenur]⊤ ∧ O[callnur]⊤) and ¬safety_sur → (O[leavesur]⊤ ∧ O[callsur]⊤)

As an example of how to interpret the formulae above, we read P2 as: 'if there is an operation and the situation is not dire, then the nurse is prohibited to use the scalpel (irrespective of its outcome)'.

We are currently interested in whether the protocol is consistent, and whether it can provide agents with sufficient tools to solve normative issues (in situations relevant to our example). Concerning the former, consistency will be shown via the construction of a model for P1-P3 and E1 (below). Regarding the latter, let us consider some possible situations.

Situation 1.
In the operation room Anna, the head-surgeon, and a nurse named Bill are performing a tonsillectomy on a patient (i.e. the patient's tonsils are to be removed). Anna must make a final highly demanding dissection, involving both hands, when she realizes that another crucial incision had to be made using the harmonic scalpel (a scalpel that simultaneously cauterizes tissue). Since Anna is preoccupied and unable to do it, she appeals in this dire situation to Bill, asking whether he could make the other necessary incision with the harmonic scalpel, thus ensuring the patient's health. The situation is formalized accordingly:

(i) operation ∧ dire ∧ [scalpsur]will⊤
(ii) [scalpnur]wouldincis
(iii) [scalp nur ]would¬health
(iv) (incis → health)

Bill is aware of the new protocol: he knows he is not allowed to use scalpels in regular situations but remembers his duty to the patient's health too. What should Bill do? The protocol tells Bill that he has the obligation to promote the patient's health (i.e. O[⊤nur]health, follows from P3). Since the surgical situation is dire (i), principle P2 does not apply. What is more, since using the scalpel to make the incision is Bill's only way to promote the patient's health (by (ii)-(iv)), Bill in fact has the obligation to make the incision with the scalpel; that is, the following is valid:

(i) ∧ (ii) ∧ (iii) ∧ (iv) ∧ P1 ∧ P2 ∧ P3 ∧ E1 → O[scalpnur]incis

Consequently, Bill is not prohibited from using the scalpel (i.e. ¬F[scalpnur]⊤ follows from definition O3, LAN reasoning and V5). Furthermore, to see whether Bill complies with the protocol when he actually brings about the incision with the scalpel (i.e. (v) [scalpnur]willincis), consider the corresponding LAN-model in Fig. 1. Namely, the model shows that Bill's behaviour (v), together with the formalized protocol P1-P3 and E1 and the present situation (i)-(iv), can be consistently represented together with Bill's actual norm compliance; i.e. (vi) 〈N〉¬vnur.
For that reason, Bill's decision to make the incision using the scalpel preserves the state of compliance (nevertheless, as expected, it can still be the case that, due to some other action of Bill's, a violation is generated). (See [12] for a discussion of protocol consistency, compliance and model checking.)

[Figure 1: diagram with worlds labelled w: operation, dire; u: health, incis, scalpnur, scalpsur, ¬vnur, ¬vsur; v: ¬health, ¬incis, ¬scalpnur, ¬scalpsur, vnur, vsur; x: ¬health, ¬incis, ¬scalpnur, scalpsur, vnur, vsur; z: health, incis, scalpnur, ¬scalpsur, ¬vnur, vsur; legend entry [N].]

Fig. 1. An LAN-model satisfying P1-P3, E1 and (i)-(v); that is, showing the consistency of the protocol and Bill's actual behaviour with Bill being compliant in situation 1.

Conversely, if Bill actually decides to not use the scalpel, a norm violation will be inevitable; that is, the following is valid:

(i) ∧ (ii) ∧ (iii) ∧ (iv) ∧ P1 ∧ P2 ∧ P3 ∧ E1 ∧ [scalpnur]will⊤ → [scalpnur]willvnur

Last, we note that Figure 1 also shows the consistency of the formalized protocol.

Situation 2. Let us continue the above example: right before Bill performs the procedure involving the scalpel, Bill accidentally hits his own arm with the harmonic scalpel and inflicts a painful wound. Bill and Anna know, since Bill has now violated his obligation (P3) to preserve the required hygiene safety, that he is obliged (E1) to immediately leave the operation room and call the safety-emergency number for assistance. However, Anna observes that the necessary incision still has to be made in order to secure the agent's health, so she concludes that Bill must stay and assist her immediately without further ado. The situation is formalized accordingly:

(vii) ¬safety_nur
(viii) [leavenur]would¬health

First, we observe that given E1 and (vii), Bill has the obligation to leave (i.e. O[leavenur]⊤). However, through (viii), the act of leaving would imply that Bill violates his obligation to preserve the patient's health (i.e.
O[⊤nur]health). In fact, the current situation and the formalized protocol are inconsistent; namely, (vii)-(viii), together with P1-P3 and E1, would render in LAN that Bill has an obligation to leave and to not leave (i.e. O[leavenur&leave nur ]⊤). This inconsistency depends on the assumption T1 (cf. (R6) of Def. 5), which is the committee's assumption that there is a way out to every possible dilemma. In conclusion, the formalism tells us that the protocol is currently inadequate.

The source of the conflict that arises in the second situation above relates to Chisholm's Paradox [9] and the issue of contrary-to-duty (CTD) reasoning. Principle E1, in fact, can be seen as a contrary-to-duty obligation and the present system suffers from the similar problem of detachment as the initial paradox does. In brief, a contrary-to-duty obligation is a specific obligation that comes into force whenever a primary obligation has been violated. What is more, their purpose is to (partially) restore compliance with the norm system (e.g., [11]). They are often referred to as secondary obligations, to denote the fact that they depend upon the possibility of violating primary obligations (cf. [9,19]). Such a violation is always possible when employing norms F1-F3, O1-O3, F1′, and O1′ with LAN due to the contingency requirements addressed in Sect. 4. An extension of our formalism to adequately account for such reasoning is outside the scope of this paper, and so, we leave this to future work.

6 Conclusion

In this work, we provided the sound and complete logic LAN that brings together Anderson's reduction of norms to be and Meyer's reduction of norms to do. We introduced a new category of norms, norms of instrumentality, and analyzed its relationships with the former two classes vis-à-vis different notions of deliberative action.
The technical contribution of this work consists in proving the finite model property and decidability of LAN. Since the non-normative logic presented in [4] is an instance of LAN, we also answered the open problem for that logic's decidability. These results show that LAN has the potential to be employed in automated reasoning with norms relating agency, actions and results.

In comparing the present logic with state of the art frameworks, we see three possible directions for future work. First, as mentioned in Sect. 5, a natural way to extend our framework would be to incorporate normative reasoning about subideal scenarios, involving a notion of contrary-to-duty norms that are primarily designed to bring the agent back into a state of compliance with the system. We aim to address this issue and analyze its relation to the three norm categories.

Second, our current analysis omitted consideration of permissions. The behaviour of permissions in relation to the three norm categories is not immediately clear. For example, although the notion of a weak permission appears equivalent to the dual of an unconditional obligation in the form of O1 or O2, the concept of strong permission seems to require explicit formulations in permissive form (cf. [13]). Moreover, as argued in [13,14], the traditional way of representing permissions as duals of obligations is an over-simplification that cannot adequately model many real-life scenarios. We plan to extend our formalism to incorporate such permissions.

Last, since the logic LAN encompasses the Andersonian reductions analysed in [17], but uses a third reduction using action constants, we plan to devote future work to investigating the logic's relation to the deontic action logic PDeL.

Acknowledgments. Work funded by projects: FWF I2982, FWF W1255-N23, FWF Y544-N2, and WWTF MA16-028.

References

1. d'Altan, P., Meyer, J.J., Wieringa, R.J.: An integrated framework for ought-to-be and ought-to-do constraints.
Artificial Intelligence and Law 4.2, pp. 77–111 (1996)
2. Anderson, A.R., Moore, O.K.: The formal analysis of normative concepts. American Sociological Review 22.1, pp. 9–17 (1957)
3. Belnap, N., Perloff, M., Xu, M.: Facing the Future. Agents and Choices in our Indeterminist World. Oxford University Press, Oxford (2001)
4. Berkel, K. van, Pascucci, M.: Notions of instrumentality in agency logic. In: PRIMA 2018: Principles and Practice of Multi-Agent Systems, pp. 403–419. Springer International Publishing, Cham (2018)
5. Blackburn, P., de Rijke, M., Venema, Y.: Modal logic. Cambridge University Press, Cambridge (2001)
6. Broersen, J.: Deontic epistemic stit logic distinguishing modes of mens rea. Journal of Applied Logic 9(2), pp. 137–152. Elsevier (2011)
7. Brown, M.A.: On the logic of ability. Journal of Philosophical Logic 17.1, pp. 1–26 (1988)
8. Castañeda, H.N.: On the Semantics of the Ought-To-Do. In: Semantics of Natural Language. Synthese Library, vol. 40. Springer, pp. 675–694 (1972)
9. Chisholm, R.: Contrary-To-Duty Imperatives and Deontic Logic. In: Analysis, vol. 24, pp. 33–36 (1963)
10. Fischer, M., Ladner, R.: Propositional dynamic logic of regular programs. Journal of Computer and System Sciences 18(2), pp. 194–211 (1979)
11. Governatori, G.: Practical Normative Reasoning with Defeasible Deontic Logic. Reasoning Web International Summer School. Springer, Cham, pp. 1–25 (2018)
12. Governatori, G., Hashmi, M.: No time for compliance. In: 19th International Enterprise Distributed Object Computing Conference. IEEE, pp. 9–18 (2015)
13. Governatori, G., Olivieri, F., Rotolo, A., Scannapieco, S.: Computing Strong and Weak Permissions in Defeasible Logic. Journal of Philosophical Logic 42.6, pp. 799–829 (2013)
14. Hansson, S. O.: The varieties of permission. In: Handbook of deontic logic and normative systems, (ed.) Gabbay, D., Horty, J., Parent, X., van der Meyden, R., & van der Torre, L.
College Publications, pp. 195–240 (2013)
15. Horty, J.: Agency and Deontic Logic. Oxford University Press, Oxford (2001)
16. Kant, I.: Critique of Pure Reason. Cambridge University Press (2000)
17. Meyer, J.J.Ch.: A different approach to deontic logic: deontic logic viewed as a variant of dynamic logic. Notre Dame Journal of Formal Logic 29.1, pp. 109–136 (1988)
18. Pascucci, M.: Anderson's Restriction of Deontic Modalities to Contingent Propositions. Theoria 83.4, pp. 440–470 (2017)
19. Prakken, H., Sergot, Marek.: Dyadic Deontic Logic and Contrary-to-Duty Obligations. Defeasible Deontic Logic, pp. 223–262. Springer Netherlands (1997)
20. Prisacariu, C., Schneider, G.: A dynamic deontic logic for complex contracts. The Journal of Logic and Algebraic Programming 81(4), pp. 458–490 (2012)
21. von Wright, G.H.: Deontic logic. Mind 60.237, pp. 1–15 (1951)
22. von Wright, G.H.: An Essay in Deontic Logic and the General Theory of Action. Amsterdam: North Holland Publishing Company (1968)
23. von Wright, G. H.: The Varieties of Goodness. Routledge & Kegan Paul, fourth impression, London and Henley (1972)

A Finite Model Property and Decidability

In this appendix, we provide the main technical contribution of this paper: we show that LAN is decidable (Cor. 1), via proving the finite model property (FMP) for the logic (Thm. 2). Our strategy is as follows: first, we show that every satisfiable formula is satisfiable on a treelike model (Lem. 1). Second, we show that the depth of the treelike model can be bounded (Lem. 2). Last, we prove that the breadth of the model can be bounded (Lem. 3).

Lemma 1. Every formula φ ∈ L_LAN satisfiable on a LAN-model is satisfiable at the root of a treelike LAN-model.

Proof. Let M = (W, {W_{d_j^{αi}} : d_j^{αi} ∈ L_LAN}, {W_{v^{αi}} : v^{αi} ∈ L_LAN}, R, R_N, V) be a LAN-model with w ∈ W and assume M, w |= φ (i.e. φ is satisfiable).
To show that φ is satisfiable at the root of a treelike model we invoke an unraveling procedure similar to the one in [5, Ch. 2.1]. We define the treelike model M^t as follows:

M^t = (W^t, {W^t_{d_j^{αi}} : d_j^{αi} ∈ L_LAN}, {W^t_{v^{αi}} : v^{αi} ∈ L_LAN}, R^t, R^t_N, V^t), where
– W^t ⊆ ⋃_{n∈ℕ} W^n is the set of all finite sequences (w, w_1, ..., w_n) s.t. w R w_1, w_1 R w_2, ..., w_{n−1} R w_n;
– For each αi ∈ Agt and each d_j^{αi} ∈ Wit^{αi}, W^t_{d_j^{αi}} ⊆ W^t is the set of all finite sequences (w, w_1, ..., w_n) s.t. w_n ∈ W_{d_j^{αi}};
– For each αi ∈ Agt, W^t_{v^{αi}} ⊆ W^t is the set of all finite sequences (w, w_1, ..., w_n) s.t. w_n ∈ W_{v^{αi}};
– For all w, u ∈ W^t, w R^t u iff w = (w, w_1, ..., w_n), u = (w, w_1, ..., w_n, w_{n+1}), and w_n R w_{n+1};
– For all w, u ∈ W^t, w R^t_N u iff w = (w, w_1, ..., w_n), u = (w, w_1, ..., w_n, w_{n+1}), and w_n R_N w_{n+1};
– For all w ∈ W^t, w = (w, w_1, ..., w_n) ∈ V^t(p) iff w_n ∈ V(p).

The model M^t is clearly treelike. Further, Prop. 2.14 and 2.15 of [5] imply:

(1) For any formula ψ ∈ L_LAN, each u ∈ W, and each u ∈ W^t of the form (w, w_1, ..., u), we have that M, u |= ψ iff M^t, u |= ψ.

This result, together with the assumption M, w |= φ, implies M^t, (w) |= φ, where (w) is the root of the treelike model M^t. To complete the proof, we must argue that M^t is a LAN-model, i.e., it satisfies conditions (R3)-(R6) of Def. 5:

(R3) Let w, u, v ∈ W^t and suppose w R^t_N u and w R^t_N v. By definition of R^t_N we get (i) w is a sequence of the form (w, w_1, ..., w_n), (ii) u is a sequence (w, w_1, ..., w_n, w_{n+1}), (iii) v is a sequence (w, w_1, ..., w_n, w′_{n+1}), (iv) w_n R_N w_{n+1}, and (v) w_n R_N w′_{n+1}. Since the original model M satisfies (R3), it follows from (iv) and (v) that w_{n+1} = w′_{n+1}, which, together with (ii) and (iii), implies u = v.

(R4) Let w, u ∈ W^t and assume w R^t_N u. By definition of R^t_N we get (i) w is a sequence of the form (w, w_1, ..., w_n), (ii) u is a sequence (w, w_1, ..., w_n, w_{n+1}), and (iii) w_n R_N w_{n+1}. Since the original model M satisfies (R4), it follows from (iii) that w_n R w_{n+1}, which, together with (i) and (ii), implies w R^t u.
(R5) Let w ∈ W^t and Agt = {α1, ..., αn}. Suppose there are (not necessarily distinct) action-types ∆_1, ..., ∆_n ∈ Act_LAN s.t. for 1 ≤ i ≤ n there exist u_i ∈ W^t s.t. w R^t u_i and u_i ∈ W^t_{t(∆_i^{αi})}. It follows that w is of the form (w, w_1, ..., w_n) and each u_i is of the form (w, w_1, ..., w_n, u_i) with w_n R u_i. The model M satisfies condition (R5), and hence there exists a world v ∈ W s.t. w_n R v and v ∈ W_{t(∆_1^{α1})} ∩ ··· ∩ W_{t(∆_n^{αn})}. By definition of M^t, we have v = (w, w_1, ..., w_n, v) ∈ W^t, implying that w R^t v and v ∈ W^t_{t(∆_1^{α1})} ∩ ··· ∩ W^t_{t(∆_n^{αn})}.

(R6) Let w ∈ W^t and αi ∈ Agt. Assume there is a v ∈ W^t s.t. w R^t v and v ∈ W^t_{v^{αi}}. This implies w = (w, w_1, ..., w_n) and v = (w, w_1, ..., w_n, v) with w_n R v. Since M satisfies (R6), there is a u s.t. w_n R u and u ∈ W − W_{v^{αi}}. By definition of M^t, there is a u = (w, w_1, ..., w_n, u) ∈ W^t s.t. w R^t u and u ∈ W^t − W^t_{v^{αi}}.

For the second transformation we define the following auxiliary concepts:

Definition 7 (Degree deg(·)). The modal degree is recursively defined as:
– deg(p) = deg(d_j^{αi}) = deg(v^{αi}) = 0;
– deg(¬φ) = deg(φ);
– deg(φ → ψ) = max{deg(φ), deg(ψ)};
– deg( φ) = deg(φ) = deg(〈N〉φ) = deg([N]φ) = deg(φ) + 1.

Definition 8 (Height height(·) and Depth). Let M be a treelike model. We define the height of a node w in M recursively as follows:
– height(w) = 0, if w is the root of M;
– height(w) = height(u) + 1, if u R w in M.
The depth of M is the maximum height among all the worlds in M.

Lemma 2. Every formula φ satisfiable at the root of a treelike LAN-model is satisfiable at the root of a treelike LAN-model with finite depth (specifically, with a depth equal to deg(φ)).

Proof. Let M = (W, {W_{d_j^{αi}} : d_j^{αi} ∈ L_LAN}, {W_{v^{αi}} : v^{αi} ∈ L_LAN}, R, R_N, V) be a treelike LAN-model with root w ∈ W and assume M, w |= φ. We first construct a treelike model M^d of finite depth by restricting the depth of M^d to deg(φ) and argue that φ is satisfiable at the root w of M^d.
We define M^d as follows:

M^d = (W^d, {W^d_{d_j^{αi}} : d_j^{αi} ∈ L_LAN}, {W^d_{v^{αi}} : v^{αi} ∈ L_LAN}, R^d, R^d_N, V^d), where
– For all w ∈ W, w ∈ W^d iff height(w) ≤ deg(φ);
– For all d_j^{αi} ∈ L_LAN, W^d_{d_j^{αi}} = W_{d_j^{αi}} ∩ W^d;
– For all v^{αi} ∈ L_LAN, W^d_{v^{αi}} = W_{v^{αi}} ∩ W^d;
– R^d = R ∩ (W^d × W^d);
– R^d_N = R_N ∩ (W^d × W^d);
– For all p ∈ Var, V^d(p) = V(p) ∩ W^d.

The model M^d is treelike with finite depth. Further, Lem. 2.33 in [5] gives us:

(2) For any formula ψ ∈ L_LAN s.t. deg(ψ) ≤ deg(φ) and any world u ∈ W^d s.t. height(u) ≤ deg(φ) − deg(ψ), M, u |= ψ iff M^d, u |= ψ.

From (2) we conclude that M^d, w |= φ. Last, we show that M^d is a LAN-model:

(R3) Let w, u, v ∈ W^d and assume w R^d_N u and w R^d_N v. By definition of M^d, we know that w, u, v ∈ W and that w R_N u and w R_N v. Since the original model M satisfies property (R3), we have that u = v.

(R4) Let w, u ∈ W^d and assume w R^d_N u. By definition of M^d, we get w, u ∈ W and w R_N u. Since M satisfies property (R4), it follows that w R u. By the fact that w, u ∈ W^d and the definition of M^d, we obtain w R^d u.

(R5) Let w ∈ W^d and Agt = {α1, ..., αn}. Suppose there are (not necessarily distinct) complex action-types ∆_1, ..., ∆_n ∈ Act_LAN s.t. for 1 ≤ i ≤ n there exist u_i ∈ W^d s.t. w R^d u_i and u_i ∈ W^d_{t(∆_i^{αi})}. By definition of M^d, it follows that w R u_i holds for each i ∈ {1, ..., n} with height(u_i) ≤ deg(φ). Since M satisfies (R5), we know there exists a v ∈ W s.t. w R v and v ∈ W_{t(∆_1^{α1})} ∩ ··· ∩ W_{t(∆_n^{αn})}. We know v ∈ W^d since height(v) = height(u_i) ≤ deg(φ), which implies w R^d v and v ∈ W^d_{t(∆_1^{α1})} ∩ ··· ∩ W^d_{t(∆_n^{αn})} by definition of M^d.

(R6) Let w ∈ W^d and αi ∈ Agt. Assume there exists a v ∈ W^d s.t. w R^d v and v ∈ W^d_{v^{αi}}. By definition of M^d, we know that w R v holds with height(v) ≤ deg(φ). Since M satisfies (R6), we know there exists a u ∈ W s.t. w R u and u ∈ W − W_{v^{αi}}. Since height(u) = height(v) ≤ deg(φ), it follows that u ∈ W^d, w R^d u, and u ∈ W^d − W^d_{v^{αi}}.

Lemma 3.
Every formula φ satisfiable at the root of a treelike LAN-model with finite depth equal to deg(φ) is satisfiable at the root of a treelike LAN-model with finite depth and finite branching (i.e., φ is satisfiable on a finite model).

Proof. Let M = (W, {W_{d_j^{αi}} : d_j^{αi} ∈ L_LAN}, {W_{v^{αi}} : v^{αi} ∈ L_LAN}, R, R_N, V) be a treelike LAN-model with depth equal to deg(φ) with root w ∈ W and assume M, w |= φ. Let Var(φ) be the set of propositional variables occurring in φ. We define the set Atoms as Var(φ) ∪ Wit ∪ {v^{αi} : αi ∈ Agt}. By Prop. 2.29 in [5], we know there are only a finite number of modal formulae (up to logical equivalence) built from the finite set Atoms with degree less than or equal to deg(φ). We use Θ to denote this collection of (equivalence classes of) formulae.

Using Θ, we first provide a selection procedure, similar to Thm. 2.34 of [5], to construct a finite model M^f and show that the root of this model satisfies φ. Last, we show that M^f is indeed a LAN-model. We construct M^f as follows:

M^f = (W^f, {W^f_{d_j^{αi}} : d_j^{αi} ∈ L_LAN}, {W^f_{v^{αi}} : v^{αi} ∈ L_LAN}, R^f, R^f_N, V^f), where
– W^f is the set obtained from the selection procedure (below);
– For all d_j^{αi} ∈ L_LAN, W^f_{d_j^{αi}} = W_{d_j^{αi}} ∩ W^f;
– For all v^{αi} ∈ L_LAN, W^f_{v^{αi}} = W_{v^{αi}} ∩ W^f;
– R^f = R ∩ (W^f × W^f);
– R^f_N = R_N ∩ (W^f × W^f);
– For all p ∈ Var, V^f(p) = V(p) ∩ W^f.

Selection Procedure. We build our domain W^f by selecting a sequence of states S_0, S_1, ..., S_{deg(φ)} up to a height of deg(φ), where S_0 = {w}. Each subscript i of S_i represents that the states contained in the associated set are at a height of i in the original model M. Suppose that the sets S_0, S_1, ..., S_i have already been chosen; we now explain how to select the set S_{i+1} with i + 1 ≤ deg(φ). For each formula ψ ∈ Θ equivalent to a formula of the form χ or 〈N〉χ with deg(ψ) ≤ deg(φ) − i s.t. M, u |= ψ for some u ∈ S_i ⊆ W, we choose a v ∈ W s.t.
u R v (or, u R_N v, depending on the modality in ψ) and M, v |= χ. We define the domain W^f = S_0 ∪ S_1 ∪ ... ∪ S_{deg(φ)}. The next statement is a consequence of this selection procedure [5, pp. 76-77]:

(3) For any formula ψ ∈ Θ s.t. deg(ψ) ≤ deg(φ) and any world u ∈ W^f s.t. height(u) ≤ deg(φ) − deg(ψ), M, u |= ψ iff M^f, u |= ψ.

From (3), together with M, w |= φ, φ ∈ Θ, deg(φ) ≤ deg(φ), w ∈ W^f, and height(w) ≤ deg(φ), we infer M^f, w |= φ. We show that M^f is an LAN-model:

(R3) Let w, u, v ∈ W^f and assume w R^f_N u and w R^f_N v. By definition of M^f, w R_N u and w R_N v hold. Since the model M satisfies (R3), we obtain u = v.

(R4) Let w, u ∈ W^f and assume w R^f_N u. By definition of M^f, w R_N u must hold. Since the original model M satisfies (R4), we have w R u, and because R^f is the set R restricted to W^f, which contains w and u, we infer w R^f u.

(R5) Let w ∈ W^f and let Agt = {α1, ..., αn}. Suppose there are (not necessarily distinct) complex action-types ∆_1, ..., ∆_n ∈ Act_LAN s.t. for all 1 ≤ i ≤ n there exists a u_i ∈ W^f s.t. w R^f u_i and u_i ∈ W^f_{t(∆_i^{αi})}. By definition of M^f, this implies w R u_i, u_i ∈ W_{t(∆_i^{αi})}, and height(u_i) ≤ deg(φ) for each i ∈ {1, ..., n}. Since M satisfies (R5), we know that there exists a v such that w R v and v ∈ W_{t(∆_1^{α1})} ∩ ··· ∩ W_{t(∆_n^{αn})}, i.e., M, w |= ( ⋀_{1≤i≤n} t(∆_i^{αi})). Observe that because height(w) + 1 = height(u_i) ≤ deg(φ) that 1 ≤ deg(φ), implying that ( ⋀_{1≤i≤n} t(∆_i^{αi})) ∈ Θ, because deg(⋀_{1≤i≤n} t(∆_i^{αi})) = 0. Consequently, by the selection procedure a v′ ∈ W such that w R v′ and M, v′ |= ⋀_{1≤i≤n} t(∆_i^{αi}) must have been selected and placed in S_{height(v′)}. Hence, there exists a v′ ∈ W^f s.t. w R^f v′ and v′ ∈ W^f_{t(∆_1^{α1})} ∩ ··· ∩ W^f_{t(∆_n^{αn})}.

(R6) Let w ∈ W^f, αi ∈ Agt, and assume there is a v ∈ W^f s.t. w R^f v and v ∈ W^f_{v^{αi}}. By definition of M^f we infer w R v and v ∈ W_{v^{αi}} with height(v) ≤ deg(φ); hence, there exists a u ∈ W s.t. w R u and u ∈ W − W_{v^{αi}} with height(u) ≤ deg(φ). It follows that M, w |= ¬v^{αi}.
Since height(w) = height(v) + 1 ≤ deg(φ), we know that 1 ≤ deg(φ), and so, ¬v^{αi} ∈ Θ. By the selection procedure, a u′ ∈ W s.t. w R u′ and u′ ∈ W − W_{v^{αi}} must have been chosen and placed in S_{height(u)}; hence, u′ ∈ W^f, w R^f u′, and u′ ∈ W^f − W^f_{v^{αi}}.

Theorem 2. LAN has the finite (tree) model property, i.e., every satisfiable formula is satisfiable on a finite, treelike model.

Proof. Follows from Lem. 1, 2, and 3.

Corollary 1. The satisfiability problem of LAN is decidable.

Proof. By [5, Thm. 6.15], we know that if a normal modal logic is finitely axiomatizable and has the FMP, then it is decidable, which is the case for LAN.
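The modal degree of Definition 7 and the depth-bounding step of Lemma 2 can be exercised on a small tree. The following Python code is an added example, not the authors' code: the tuple encoding of formulae, the names `box`/`dia` for the modalities over R, the atom `v_nur` used as a violation constant and the sample model are assumptions made here, and condition (R5) is not checked because the example has no action types.

```python
# Formulas are nested tuples (an encoding chosen for this example):
#   ("atom", name), ("not", f), ("imp", f, g)
#   ("box", f), ("dia", f)      modalities over R   (names assumed here)
#   ("boxN", f), ("diaN", f)    [N] and <N>, evaluated over R_N


def deg(f):
    """Modal degree, following the recursion of Definition 7."""
    op = f[0]
    if op == "atom":
        return 0
    if op == "not":
        return deg(f[1])
    if op == "imp":
        return max(deg(f[1]), deg(f[2]))
    return deg(f[1]) + 1  # every modality adds one


class Model:
    """Treelike model. R and RN map a world to its set of successors;
    val maps an atom to the set of worlds where it holds."""

    def __init__(self, root, R, RN, val):
        self.root, self.R, self.RN, self.val = root, R, RN, val

    def heights(self):
        """Height of each world as in Definition 8 (root has height 0)."""
        h, todo = {self.root: 0}, [self.root]
        while todo:
            w = todo.pop()
            for u in self.R.get(w, ()):
                h[u] = h[w] + 1
                todo.append(u)
        return h


def sat(m, w, f):
    """Standard Kripke satisfaction of f at world w of model m."""
    op = f[0]
    if op == "atom":
        return w in m.val.get(f[1], set())
    if op == "not":
        return not sat(m, w, f[1])
    if op == "imp":
        return (not sat(m, w, f[1])) or sat(m, w, f[2])
    succ = (m.RN if op.endswith("N") else m.R).get(w, ())
    if op.startswith("box"):
        return all(sat(m, u, f[1]) for u in succ)
    return any(sat(m, u, f[1]) for u in succ)


def truncate(m, k):
    """The model M^d of Lemma 2 for bound k: keep worlds of height <= k
    and restrict R, R_N and the valuation to them."""
    keep = {w for w, h in m.heights().items() if h <= k}

    def cut(rel):
        return {w: set(s) & keep for w, s in rel.items() if w in keep}

    val = {p: set(ws) & keep for p, ws in m.val.items()}
    return Model(m.root, cut(m.R), cut(m.RN), val)


def lan_conditions(m, violation_atoms):
    """Check (R3), (R4), (R6) in the form the appendix proofs use them."""
    for w in m.heights():
        succ, nxt = m.R.get(w, set()), m.RN.get(w, set())
        if len(nxt) > 1:       # (R3): wR_N u and wR_N v imply u = v
            return False
        if not nxt <= succ:    # (R4): wR_N u implies wRu
            return False
        for v in violation_atoms:
            bad = m.val.get(v, set())
            if succ & bad and not succ - bad:  # (R6): violation is avoidable
                return False
    return True


# Constructed sample tree of depth 3 (not taken from the paper).
M = Model(
    root="w0",
    R={"w0": {"a", "b"}, "a": {"a1", "a2"}, "a1": {"a11"}},
    RN={"w0": {"a"}, "a": {"a1"}, "a1": {"a11"}},
    val={"p": {"a", "a1"}, "v_nur": {"b", "a2"}},
)

# <N> dia not v_nur : degree 2, so depth 2 suffices (Lemma 2).
PHI = ("diaN", ("dia", ("not", ("atom", "v_nur"))))
# box box box p : degree 3, so cutting at depth 2 is too shallow.
PSI = ("box", ("box", ("box", ("atom", "p"))))


def preserved(m, f, k):
    """True iff f has the same truth value at the root of m and of truncate(m, k)."""
    return sat(m, m.root, f) == sat(truncate(m, k), m.root, f)
```

Cutting at a depth below deg(ψ) can flip the truth value because a universal modality becomes vacuously true at the new leaves, which is why the bound in Lemma 2 is deg(φ).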