A Propositional Dynamic Logic for Instantial Neighborhood Semantics

We propose a new perspective on logics of computation by combining instantial neighborhood logic INL with bisimulation safe operations adapted from PDL. INL is a recent modal logic, based on an extended neighborhood semantics which permits quantification over individual neighborhoods plus their contents. This system has a natural interpretation as a logic of computation in open systems. Motivated by this interpretation, we show that a number of familiar program constructors can be adapted to instantial neighborhood semantics to preserve invariance for instantial neighborhood bisimulations, the appropriate bisimulation concept for INL.
We also prove that our extended logic IPDL is a conservative extension of dual-free game logic, and its semantics generalizes the monotone neighborhood semantics of game logic. Finally, we provide a sound and complete system of axioms for IPDL, and establish its finite model property and decidability.


Introduction
In this paper, we introduce a new modal logic of computation, in the style of propositional dynamic logic, based on instantial neighborhood logic INL [6]. The logic INL is based on a recent variant of monotone neighborhood semantics for modal logics, called instantial neighborhood semantics. In the standard neighborhood semantics, the box operator has the interpretation: p is true at a point if there exists a neighborhood in which all the elements satisfy the proposition p. So the box operator has a built-in fixed existential-universal quantifier pattern. In instantial neighborhood logic, we allow both universal and existential quantification over individual neighborhoods, so the basic modality has the form $(p_1, \ldots, p_n; q)$. This formula is true at a point if there exists a neighborhood N in which all the elements satisfy the proposition q, and furthermore each of the propositions $p_1, \ldots, p_n$ is satisfied by some element of N. INL is more expressive than monotone neighborhood logic, and comes with a natural associated notion of bisimulation together with a Hennessy-Milner theorem for finite models. It has a complete system of axioms, has the finite model property, is decidable and PSpace-complete.
Formally, our proposal is to extend the base language INL with bisimulation safe "program constructors", as in standard propositional dynamic logic of sequential programs (PDL). The usual repertoire here consists of choice, test, sequential composition and a Kleene star for program iteration. Similar additions have been studied extensively for the standard (monotone) neighborhood semantics, with constructors interpreted as ways of constructing complex games (this idea dates back to [19]). In the neighborhood setting, additional operations are available, including the dual construction. This is a very powerful device, and it is well known that dynamic game logic is not contained in any fixed level of the μ-calculus alternation hierarchy [8].
We think of our extended system of 'instantial PDL' (IPDL for short) as a dynamic logic for a richer notion of computation than sequential programs, which is sometimes referred to as open systems [2]. In open systems, a computational process is viewed as an agent acting in an uncertain environment that affects the outcome of each action. That is, each action by the agent is followed by a response from the environment, which is not uniquely determined. This is in contrast with reactive systems, where the behaviour of the system is non-deterministic but completely determined by the actions of the agent [1]. Many different logics for open systems have been proposed, perhaps the most well known being the alternating-time temporal logic ATL introduced by Alur et al. in [2]. Dynamic game logic can be interpreted in a similar way, thinking of processes as "games against the environment". Game logic is usually interpreted with a neighborhood semantics, in which neighborhoods of "worlds" in a model are taken to represent powers of some player, i.e. goals that can be enforced by some action or strategy. Instantial neighborhood semantics introduces a more fine-grained perspective to this setting, with a more expressive language and a finer bisimulation concept than standard neighborhood bisimilarity, namely the instantial neighborhood bisimulations of [6]. Since INL formulas allow existential quantification over individual neighborhoods, this language is suitable to describe not only what conditions an agent can enforce by some action, but allows more precise reasoning about exactly what possible outcomes may result from some action. Concretely, we introduce formulas of the following kind: $a\,(\psi_1, \ldots, \psi_n; \varphi)$ expressing the following property about the system/program a: "the agent can act so as to ensure that ϕ holds, while allowing (for each $i \in \{1, \ldots, n\}$) the possibility that the property $\psi_i$ may hold". In other words, instantial neighborhood logic has a natural interpretation as a simple yet expressive modal logic for computation in open systems.
However, on a computational interpretation, it is standard wisdom that one needs to extend the language to allow certain fixpoint constructions, since most specifications of systems that turn up in practice (safety, liveness, fairness etc.) involve fixpoints. There are many options available here, the most obvious one being to simply add unrestricted fixpoint operators as in the full modal μ-calculus. This route is already well understood: it was noted in [6] that INL is a coalgebraic modal logic in a completely standard sense, and so the μ-calculus extension of INL is a coalgebraic modal μ-calculus as in [14,22]. Such coalgebraic μ-calculi have been quite extensively studied, with generic results on decidability and complexity [11] and completeness [12,13]. But there are also other versions of modal fixpoint logics, often corresponding to fragments of μ-calculi. Most notably these include propositional dynamic logics like PDL or game logic, and temporal logics like CTL or ATL. Thus an obvious point on the agenda, for further exploration of INL as a modal logic of computation, is to develop dynamic and temporal logic extensions of INL. This paper deals with the former, and sets up a propositional dynamic logic interpreted over instantial neighborhood semantics.

Overview of the Paper
We first introduce syntax and semantics of instantial neighborhood logic, and its extensions leading up to the full language IPDL, provide sound and complete systems of axioms, and establish bisimulation invariance and decidability.
The completeness proof for IPDL, including all program constructors considered, is based on the standard completeness proof for PDL (see [9] for an exposition), but involves non-trivial new features. In particular, the system requires two distinct induction rules, corresponding to a nested least fixpoint induction, and the model construction makes heavy use of a normal form for INL-formulas established in [6]. Finally, we prove that our logic is a conservative extension of the dual-free fragment of dynamic game logic.
This paper is an extended version of a conference paper presented at LORI VI 2017 [5]. The technical results presented here are the same as in that paper, but we have added full proofs. We have also added an example illustrating how the logic can be used to reason about open systems computation, and a discussion on the informal interpretation of the program operations in the language, relating this to the issue of bisimulation safety.

Syntax and Semantics
We start by reviewing the basic language for instantial neighborhood semantics. The only difference with [6] is that we interpret the language over labelled neighborhood structures, where labels play the same role as "atomic programs" in PDL. The syntax of INL is given by the following grammar: where a ranges over a fixed set A of atomic labels, and Ψ ranges over finite sets of formulas of INL. We deviate a bit from the syntax of [6] here in allowing Ψ to be a finite set rather than a tuple of formulas. We shall sometimes write $a\,(\psi_1, \ldots, \psi_n; \varphi)$ rather than $a\,(\{\psi_1, \ldots, \psi_n\}; \varphi)$; in particular, we write a (ψ; ϕ) rather than a ({ψ}; ϕ), and a ϕ rather than a (∅; ϕ).
The modalities of INL have a number of interpretations. In the present setting, we interpret INL in terms of computation in open systems, so that the formula $a\,(\psi_1, \ldots, \psi_n; \varphi)$ is informally interpreted as saying: "in the system a, the agent has an action to enforce the condition ϕ while simultaneously allowing possible outcomes satisfying each of the conditions $\psi_i$".
Example 1. Consider the following example: three separate servers are shared by a number of agents and protected by passwords available to the users. Each server can only be accessed by one user at a time. Taking the perspective of one of the agents, let $A_i$ stand for "the agent has access to server $S_i$", for $i \in \{1, 2, 3\}$, and let $O_i$ stand for "server $S_i$ is occupied". If we introduce a name σ for the system so described, then the following is true for each given user, in each given state of the system σ: This expresses that the user cannot log in to a server without blocking the other users from having access to that server. The following also holds: If server $S_3$ is available then the agent can access it while leaving servers $S_1$ and $S_2$ available to be occupied by other users. Note the distinction here: the user cannot guarantee that the servers $S_1$, $S_2$ will be available, they might be occupied by other users, but she can allow them to remain available. Finally, the following holds: This last example is perhaps less obvious: it says that the only way a user can make sure that at least one of the servers $S_1$ or $S_2$ will not be occupied by some other user is to log in to at least one of them herself.
For the formally precise semantics, formulas in INL will be interpreted over neighborhood structures.
Definition 2. We define the interpretations of all formulas in a neighborhood model M = (W, R, V ) as follows: -

. , k}
We write M, v ϕ for v ∈ [[ϕ]], and we write ϕ and say that ϕ is valid if, for every neighborhood model M and v ∈ W, we have M, v ϕ. We allow the notation [[−]] M to make explicit reference to the model in the background.
Neighborhood models come with a natural notion of bisimulation, introduced in a more general setting in [6]. For this definition, the so-called Egli-Milner lifting of a binary relation will play an important role:
Definition 1. The Egli-Milner lifting of a binary relation $R \subseteq X \times Y$, denoted $\overline{R}$, is a relation from $\mathcal{P}X$ to $\mathcal{P}Y$ defined by: $Z \overline{R} Z'$ iff:
1. For all $z \in Z$ there is some $z' \in Z'$ such that $z R z'$.
2. For all $z' \in Z'$ there is some $z \in Z$ such that $z R z'$.
We write R; S for the composition of relations R and S. It is well known that the Egli-Milner lifting preserves relation composition: $\overline{R; S} = \overline{R}; \overline{S}$.
Definition 2. Let $M = (W, R, V)$ and $M' = (W', R', V')$ be any neighborhood models. The relation $B \subseteq W \times W'$ is said to be an instantial neighborhood bisimulation if for all $u B u'$ and all atomic labels a we have:
Forth For all $Z$ such that $u R_a Z$, there is some $Z'$ such that $u' R'_a Z'$ and $Z \overline{B} Z'$.
Back For all $Z'$ such that $u' R'_a Z'$ there is some $Z$ such that $u R_a Z$ and $Z \overline{B} Z'$.
We say that pointed models M, w and N, v are bisimilar, written M, w N, v, if there is an instantial neighborhood bisimulation B between M and N such that wBv.
It is easy to check that all formulas of INL are invariant for instantial neighborhood bisimilarity: for each formula ϕ of the language INL.

Axiomatization
We now turn to the task of axiomatizing the valid formulas of INL. Our system of axioms is a gentle modification of the axiom system for instantial neighborhood logic presented in [6]. The axioms and rules consist of all propositional tautologies, plus the following schemas: Rules.

MP:
ϕ → ψ ϕ ψ Mon: It is routine to derive the usual rule of replacement of equivalents: where θ[ϕ/ψ] is the result of substituting some occurrences of the formula ψ by ϕ in θ.
We denote this system of axioms by Ax1 and write Ax1 ϕ to say that the formula ϕ is provable in this axiom system. We also write ϕ Ax1 ψ for Ax1 ϕ → ψ, and say that ϕ provably entails ψ.
Theorem 1. The system Ax1 is sound and complete for validity on neighborhood models.
The proof of this result is essentially the same as in [6], and will not be repeated here. Since the proof in [6] constructs a finite model for each consistent formula, we also get: expressing that a user cannot both log in to a server and leave it available to other users. This reduces, of course, to the fact that the formula $A_i \to O_i$ is true in every state: a server cannot be both accessed by a user and at the same time not occupied. So we can take this formula instead as an extra assumption. By replacing equivalent formulas we then get the implication: We can now apply the axiom (Un) to get the implication: Replacing equivalents again we get: But as an instance of (Bot) we have the implication: i.e. $\neg \sigma\,(\neg O_i; A_i)$ as required.

Semantics and Basic Model Theory
In what follows we shall extend the language INL with program operations, corresponding to known operations from PDL. We also include the "dual choice" constructor from dynamic game logic. Of course, there are design choices to make here, and we need to set up criteria for what counts as a correct definition of each program operation. We shall follow these three:
1. The constructions should be as simple as possible.
2. Each operation should be a natural adaptation of the corresponding operation from PDL to the INL framework, with minimal modifications.
3. Most importantly: each operation should be bisimulation safe, i.e. the dynamic logic extending INL with all the program operations should remain invariant for instantial neighborhood bisimulations.
We first extend the language INL with four basic PDL-style operations: test, choice, parallel composition and sequential composition. The resulting language will be called dynamic instantial neighborhood logic, or (DINL). The syntax of DINL is defined by the following dual grammar.
The operation ∪ is interpreted as non-deterministic choice between two programs for the agent: $\pi_1 \cup \pi_2$ means "either do $\pi_1$ or do $\pi_2$". The operation ∩ is interpreted as a choice between two programs for the environment: $\pi_1 \cap \pi_2$ means "do $\pi_1$ and $\pi_2$ in parallel". Formally, the operation ∩ is similar to the parallel composition in concurrent PDL (see [15]). Finally, the operator ; is interpreted as sequential composition: $\pi_1; \pi_2$ means "first do $\pi_1$ then do $\pi_2$". We define the formal interpretation [[o]] of each operation o ∈ {∪, ∩, ;} in a neighborhood model M as a binary map from pairs of neighborhood relations to neighborhood relations, as follows:

The interpretation [[?]] of the test operator will be a map assigning a neighborhood relation to each subset Z of W, defined by: We defer a more detailed discussion of the informal interpretation of the program operations to Section 3.2. Note that For the sequential composition operator, this uses the well known fact that the Egli-Milner lifting is monotone, i.e. $\overline{R} \subseteq \overline{R'}$ whenever $R \subseteq R'$.
Definition 3. Given a neighborhood model, we define the semantic interpretations of all formulas, and the neighborhood relations corresponding to all complex labels π, by the following mutual recursion: - The definitions of the dynamic operations stated above are tailored towards obtaining the following result:
Proposition 2. All formulas of DINL are invariant for instantial neighborhood bisimulations.
Proof. We first prove the following claim, expressing bisimulation safety of the operations that we have introduced:
Claim 1. Let B be an instantial neighborhood bisimulation between models $M = (W, R, V)$ and $M' = (W', R', V')$. Then for any complex label π such that, for every term of the form ϕ? appearing in π, ϕ is invariant for instantial neighborhood bisimulations, and for any $u \in W$ and $u' \in W'$ with $u B u'$:
Forth For all $Z$ such that $u R_\pi Z$, there is some $Z'$ such that $u' R'_\pi Z'$ and $Z \overline{B} Z'$.
Back For all $Z'$ such that $u' R'_\pi Z'$ there is some $Z$ such that $u R_\pi Z$ and $Z \overline{B} Z'$.
We prove the Claim by induction on the complexity of labels. For atomic labels the result holds by definition. For the inductive steps, we only prove the "Forth" clause, as the "Back" clause follows by a symmetric argument. For the test operator, the result follows immediately from the assumption that every formula appearing in a sub-term of π is bisimulation invariant.
For choice, suppose (u, , say, the first holds. Then by the Forth clause for $\pi_1$ there is some $Z'$ with $(u', Z') \in R'_{\pi_1}$ such that $Z \overline{B} Z'$. Since $(u', Z') \in R'_{\pi_1 \cup \pi_2}$ also, we are done.
For dual choice, suppose (u, By the Forth condition for π 1 and π 2 we find sets We leave it to the reader to check that: Finally, for sequential composition, suppose there is a set But then, by the Forth condition for π 2 there must be some Z with (v , Z ) ∈ R π 2 and ZBZ . We immediately get Z ∈ F , as required.
We now show that: To see this, suppose first that w ∈ F . Then w ∈ Z for some Since Y BY there is some v ∈ Y such that vBv . By the Forth condition for π 2 there is some Z with ZBZ and (v , Z ) ∈ R π 2 . We get Z ∈ F , and there must be some w ∈ Z with wBw . But then w ∈ F , as required.
Conversely, suppose w ∈ F . Then w ∈ Z for some Z ∈ F . By definition of F , there is a Z ∈ F with ZBZ , and so there is some w ∈ Z with wBw . But then w ∈ F as required, and the claim is proved.
The proposition now follows from the claim by a routine argument.

Informal Interpretation
The neighborhood relation R π associated with a program term π in a neighborhood model M should be understood as follows: at each point w in a model, there is a certain family of available actions of type π that the agent can perform.
The conditions used in our actual definition of [[ ; ]] are weaker than this, essentially allowing the assignment S to be a relation rather than a function. The reason we cannot use the stricter version of the composition operation is due to a technical fact: the "functional" version of the sequential composition operation violates bisimulation safety! The example shown in Figure 1, displaying two bisimilar rooted models, explains this.
In Figure 1, points are represented by bullets, neighborhoods are represented by ellipses, the dashed lines represent the neighborhood relation $R_1$ and the dotted lines represent $R_2$. In the model to the right, the root has a neighborhood {a, b} according to the functional composition of $R_1$ and $R_2$, but not in the left model. Note that according to our "relational" definition of sequential composition, {a, b} is a neighborhood in both models.
A possible response to this problem would be to modify our notion of instantial neighborhood bisimulation so as to recover safety. However, this route does not seem attractive, as instantial neighborhood bisimulations provide the natural bisimulation concept for INL, the basis for our dynamic logic. One could let the technical point settle the matter: bisimulation safety seems to be a minimal requirement for compositional reasoning about behaviour of systems, and our sequential composition operator recovers bisimulation safety arguably in a simple and mathematically natural way. But we believe there is no need for such a purely technical motivation: properly understood the sequential composition operator we have proposed fits well with its intended interpretation, and with the idea of open systems in general.
The idea is that the behaviour of an agent interacting with a system may depend not only on the state of the system itself, but also on other parameters: the internal state of the agent itself for example, or the state of other processes that the agent is also interacting with. This feature of taking into account possible interactions with unspecified, "external" systems is part of the motivation behind existing logics for open systems like ATL (see [2]). For example, looking back to Example 1, the state of the system itself merely specifies which of the three servers are occupied by which agent. The internal state of each agent (which in this case is a human) may for example involve the agent's current state of knowledge, preferences, intentions etc. So when we consider the actions available to one of the agents, we think of both the system and each of the agents as starting in a given "initial" state which may change through the course of the computation, for example due to communication between the agents, or interaction with other systems. Therefore, in the special case of a composite action of the type $\pi_1; \pi_2$ executed at some state w, the action of the agent in the computation $\pi_2$ at a later state v resulting as the outcome of the computation $\pi_1$ might not be determined uniquely by the state v of the system. It may also depend on other parameters, which might change during the execution of $\pi_1$. This accounts for the extra non-determinism involved in our sequential composition operator, where an action of type $\pi_1; \pi_2$ need not specify a unique response to each outcome of the first action.
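The Figure 1 argument can be replayed on two small models built to match its description, using the Egli-Milner lifting and the Forth/Back clauses defined earlier. This is an added example, not code from the paper: the models, the state names, the letters `pa` and `pb`, the atomic clause of the bisimulation check, and the reading of the relational composition as "the outcomes of the first action are Egli-Milner related to a family of continuations whose union is the result" are assumptions of this sketch.

```python
from itertools import combinations, product

def nbhd(*sets):
    """Helper: a set of neighborhoods, each stored as a frozenset of states."""
    return {frozenset(s) for s in sets}

# Two constructed models over labels R1, R2 (label -> state -> neighborhoods).
# They follow the description of Figure 1; the state names are assumptions.
LEFT = {"R1": {"r": nbhd({"v"})},
        "R2": {"v": nbhd({"a"}, {"b"})}}
RIGHT = {"R1": {"r": nbhd({"v1", "v2"})},
         "R2": {"v1": nbhd({"a"}, {"b"}), "v2": nbhd({"a"}, {"b"})}}
VAL = {"a": {"pa"}, "b": {"pb"}}   # letters true at each state, in both models
B = {("r", "r"), ("v", "v1"), ("v", "v2"), ("a", "a"), ("b", "b")}

def egli_milner(rel, Z, Zp):
    """Z is related to Zp by the Egli-Milner lifting of rel (clauses 1 and 2)."""
    return (all(any((z, zp) in rel for zp in Zp) for z in Z)
            and all(any((z, zp) in rel for z in Z) for zp in Zp))

def is_bisimulation(rel, M, Mp, val, valp):
    """Forth and Back for every label, plus agreement on propositional
    letters (the atomic clause is assumed here; it is the standard one)."""
    for u, up in rel:
        if val.get(u, set()) != valp.get(up, set()):
            return False
        for label in set(M) | set(Mp):
            N = M.get(label, {}).get(u, set())
            Np = Mp.get(label, {}).get(up, set())
            forth = all(any(egli_milner(rel, Z, Zp) for Zp in Np) for Z in N)
            back = all(any(egli_milner(rel, Z, Zp) for Z in N) for Zp in Np)
            if not (forth and back):
                return False
    return True

def compose(M, first, second, w, functional):
    """Neighborhoods of w under first;second.

    functional=True : every outcome v of the first action gets exactly one
                      continuation (the stricter reading).
    functional=False: every outcome v gets a non-empty set of continuations,
                      so the outcomes Y are Egli-Milner related to the family
                      F of continuations, and the result is the union of F.
    """
    result = set()
    for Y in M[first].get(w, set()):
        per_state = []
        for v in Y:
            options = list(M[second].get(v, set()))
            sizes = [1] if functional else range(1, len(options) + 1)
            per_state.append([c for k in sizes for c in combinations(options, k)])
        for choice in product(*per_state):
            family = {Z for picked in choice for Z in picked}
            result.add(frozenset().union(*family))
    return result

def holds(neighborhoods, val, instantial):
    """Some neighborhood contains, for each letter listed, a state satisfying
    it (the universal part is taken to be 'true')."""
    return any(all(any(p in val.get(s, set()) for s in Z) for p in instantial)
               for Z in neighborhoods)

def figure1_report():
    out = {"bisimilar": is_bisimulation(B, LEFT, RIGHT, VAL, VAL)}
    for name, functional in (("functional", True), ("relational", False)):
        left = compose(LEFT, "R1", "R2", "r", functional)
        right = compose(RIGHT, "R1", "R2", "r", functional)
        # Truth of (pa, pb; true) for the composed label at the two roots.
        out[name] = (holds(left, VAL, ["pa", "pb"]),
                     holds(right, VAL, ["pa", "pb"]))
    return out

if __name__ == "__main__":
    print(figure1_report())
```

The two roots are bisimilar, yet under the functional reading the composed modality distinguishes them; under the relational reading both roots get the neighborhoods {a}, {b} and {a, b}.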

Axiomatization
Our axiom system for DINL takes the sound and complete axioms for INL as its base, and extends it with reduction axioms for the test, choice, parallel composition and sequential composition operators. The axioms and rules are listed below; note that the INL axioms and the axioms for frame constraints are now stated for arbitrary complex labels π rather than just atoms a.

Rules (MP) and (Mon)
We denote this system by Ax2 and write Ax2 ϕ to say that formula ϕ is provable in this axiom system. We also write ϕ Ax2 ψ for Ax2 ϕ → ψ. We shall sometimes drop the reference to Ax2 to keep notation cleaner. For (Pa), suppose that M, w $\pi_1 \cap \pi_2$ (Ψ; ϕ). Then there is some set as required. The converse direction of (Pa) is proved in a similar manner. Next, we consider the case of sequential composition. For one direction of the equivalence, suppose that M, w $\pi_1; \pi_2$ $(\psi_1, \ldots, \psi_n; \varphi)$. Then there is some set Z with (w, By definition of the composition operator, we find a set Y with $(w, Y) \in R_{\pi_1}$ and a family of sets

Program Iteration and the Language IPDL
We now introduce the final operation that we consider here, a Kleene star for finite iteration. This operation generalizes the game iteration operation from game logic. The corresponding language will be denoted by IPDL, read "instantial PDL", and is given by the following dual grammar: The operation $(-)^*$ is interpreted as finite iteration: $\pi^*$ means "repeat π a finite number of times". More specifically, we consider an action of type $\pi^*$ to be a long term strategy of the agent, such that each possible execution of this strategy consists of finitely many actions of type π.
For the formal semantic interpretation of the Kleene star, it will be useful to first define the relation skip by: We define a relation $R^{[\xi]}$ for each ordinal ξ by induction: We define $[[*]]R$ as $R^{[\xi]}$, with ξ the smallest ordinal satisfying $R^{[\xi]} = R^{[\xi+1]}$.
It is easy to see that this is a standard least fixpoint construction, and in particular we have:
Proposition 4. Let W be a finite set and R ⊆ W × P(W). Then: Proposition 4 does not hold for arbitrary models: unlike for PDL, the closure ordinal of the least fixpoint for the Kleene star may appear above ω. Yet this does not contradict the reading of the Kleene star as finite iteration. The situation is analogous to the case of the μ-calculus formula: μx.x which can be thought of as expressing that "all computations are finite". It is well known that the closure ordinal of the least fixpoint of this formula can be higher than ω, which just means the formula may be true although the statement "all computations have length ≤ k" is false for all k. Similarly, the formula $\pi^*$ ϕ expresses that the condition ϕ can be forced by an action that only ever produces finitely many computations of type π, while there may be no finite upper bound on the number of iterations of π required.
Definition 5. The semantics of IPDL-formulas in a neighborhood model M = (W, R, V) is given by the following inductive clauses:
Proposition 5. All formulas of IPDL are invariant for instantial neighborhood bisimulations.
The proof of this rests on a bisimulation safety argument, and the step for the Kleene star involves using the bisimulation safety of union and sequential composition to prove the appropriate back-and-forth conditions for each approximant $R^{[\xi]}_\pi$ of the least fixpoint $R_{\pi^*} = [[*]]R_\pi$. We omit the details.

Axiomatization
Our axiomatization for IPDL is given below.

Kleene Star
Finally we add axioms and rules for iteration. The Kleene star is a least fixpoint construction, and a standard approach to axiomatizing least fixpoints is to use one fixpoint axiom and one induction rule (see [17]).
The fixpoint axiom Fix is stated as follows: We will actually need two induction rules: The reason that we require two distinct induction rules can be seen as follows: the reduction axioms for IPDL should be interpreted as encoding a recursive translation of the language IPDL into the modal μ-calculus (interpreted on instantial neighborhood models). When we pass by formulas involving the Kleene star in this translation, the translation will not surprisingly involve least fixpoint operators, and the induction rules then correspond to the Kozen-Park induction rules for least fixpoint operators. This step of the translation is trickier than the step for the Kleene star in a translation of PDL into the μ-calculus (see [10]), and requires use of nested least fixpoint variables. To illustrate, if a is an atomic game term and p, q are propositional variables, then the formula $a^*$ (p; q) translates to: μx.(p ∧ q) ∨ a (x; μy.q ∨ a y) Note however that the fixpoint variables here are nested in a "weak" sense: the variable y occurs inside the scope of the outer fixpoint variable x, but is independent of it in the sense that there is no free occurrence of x in the scope of the variable binder μy.
Note also that the second induction axiom only involves a single instantial formula ψ. This is because we can "pre-process" an arbitrary formula $\pi^*\,(\psi_1, \ldots, \psi_n; \varphi)$ by applying the axiom (Fix), and then the composition axiom (Cmp) to the formula $\pi; \pi^*\,(\psi_1, \ldots, \psi_n; \varphi)$ to obtain the formula: where each occurrence of $\pi^*$ is followed by at most one instantial formula.
We denote this axiom system as Ax3 and write ϕ Ax3 ψ for Ax3 ϕ → ψ. We will also sometimes drop the index Ax3, simply writing ϕ or ϕ ψ.
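The translation of the starred formula with one instantial argument, quoted above, can be evaluated on a finite model by two separate least-fixpoint iterations, the inner one computed once because x does not occur free in it. This is an added example, not code from the paper: the six-state model, the function names, and the reading of the a-modality as "some a-neighborhood lies inside the universal argument and meets each instantial argument" (the clause from the introduction) are assumptions of this sketch.

```python
def dia(N, states, instantial, universal):
    """States with an a-neighborhood contained in `universal` that meets
    every set listed in `instantial` (the clause for the basic modality)."""
    return {w for w in states
            if any(Z <= universal and all(Z & P for P in instantial)
                   for Z in N.get(w, ()))}

def lfp(step):
    """Least fixpoint of a monotone map on subsets of a finite set,
    returned together with the list of its approximants."""
    stages = [set()]
    while True:
        nxt = step(stages[-1])
        if nxt == stages[-1]:
            return nxt, stages
        stages.append(nxt)

def star(N, states, P, Q):
    """Evaluate  mu x.(p and q) or a(x; mu y. q or a y)  with P = [[p]], Q = [[q]].

    inner: states from which finitely many a-steps can force q everywhere.
    outer: states where, in addition, some final outcome satisfies p.
    """
    inner, _ = lfp(lambda y: Q | dia(N, states, [], y))
    outer, stages = lfp(lambda x: (P & Q) | dia(N, states, [x], inner))
    return inner, outer, stages

# Constructed model: state -> list of a-neighborhoods.
STATES = set(range(6))
N = {0: [frozenset({1, 2})],
     1: [frozenset({3})],
     4: [frozenset({3, 5})]}
P = {3}          # states where p holds
Q = {2, 3}       # states where q holds

INNER, OUTER, OUTER_STAGES = star(N, STATES, P, Q)

if __name__ == "__main__":
    print("inner fixpoint:", sorted(INNER))
    print("outer approximants:", [sorted(s) for s in OUTER_STAGES])
    print("outer fixpoint:", sorted(OUTER))
```

State 2 lies in the inner fixpoint only, since q can be forced there but no outcome satisfies p; state 4 lies in neither, because its only neighborhood contains state 5, where q fails and no further action is available.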
Theorem 5. The axiom system Ax3 is sound and complete for validity over neighborhood models.
We begin by checking soundness:
Proposition 6. (Soundness) If ϕ is provable in Ax3 then it is valid over all neighborhood models.
Proof. We focus on proving soundness of the two induction rules. For the first induction rule, suppose that the formulas ϕ → γ and π γ → γ are valid. Suppose that M, u $\pi^*$ ϕ. Then there is some . By definition of $R_{\pi^*}$ it suffices to prove, by induction on an ordinal ξ, that for all u, Z: then either Z = {u} or there is a set Y and a family of sets In the first case we get M, u ϕ, hence M, u γ. In the second case it follows that there is, for each v ∈ Y, some $Z_v$ such that $(v, Z_v) \in R$ For the second induction rule, suppose that the formulas (ψ ∧ ϕ) → γ and π (γ; ϕ) → γ are valid. Suppose that M, u $\pi^*$ (ψ; ϕ). Then there is some suffices to prove, by induction on an ordinal ξ, that for all u, Z: In the first case we get M, u ψ ∧ ϕ, and therefore M, u γ. In the second case it follows that there is, for each v ∈ Y, some π , and so, by the induction hypothesis we get w γ.
as required. Finally, the induction step for limit ordinals is again immediate, by the definition of $R^{[\xi]}_\pi$ as the union of all $R^{[\rho]}_\pi$ for ρ < ξ. For the completeness proof, we rely heavily on the following lemma, proved in a slightly different version in [6]: fix a finite and subformula closed set of formulas Σ. An atom over Σ is a maximal consistent subset of Σ, and we denote the set of atoms over Σ by At(Σ). Given any atom w ∈ At(Σ), let w be its conjunction, and let Z = { w | w ∈ Z} for a set of atoms Z.
Lemma 1. Let π (Ψ; ϕ) be any formula such that each formula in Ψ ∪ {ϕ} is a boolean combination of formulas in Σ. Then π (Ψ; ϕ) is provably equivalent to a disjunction of formulas of the form π Z; Z for Z ⊆ At(Σ) being some set of atoms with w ϕ for each w ∈ Z and for all ψ ∈ Ψ there is some v ∈ Z with v ψ.
Proof. The required argument is very similar to [6].
We shall also need an adapted concept of Fischer-Ladner closure: Definition 3. A set Σ of formulas is said to be Fischer-Ladner closed if the following clauses hold: and the main connective of ϕ is not ¬, then the formula ¬ϕ is in Σ.
− Any subformula of a formula in Σ is in Σ.
Lemma 2. Every formula ϕ is a member of some finite Fischer-Ladner closed set of formulas.
Proof. The proof for this result is standard; see for example [9].
Lemma 3. Let Z be a set of atoms in At(Σ) and let θ be any formula (not necessarily in Σ). Then we have θ Z if, and only if, every atom that is consistent with θ is also consistent with Z.
Proof. The direction from left to right is trivial. From right to left we reason by contraposition: suppose that θ Z. Then by Lindenbaum's lemma there is a maximal consistent set of formulas Γ containing θ and ¬ Z. Then Γ ∩ Σ is an atom, and is clearly consistent with θ. But it cannot be consistent with Z: since any two distinct atoms are mutually inconsistent, this could only be the case if in fact Γ ∩ Σ ∈ Z, which implies that Γ ∩ Σ Z. Since Γ ∩ Σ ∈ Γ we would then get Z ∈ Γ, and since we had ¬ Z ∈ Γ this is a contradiction since Γ was consistent.
Definition 4. Given any label π, we define the relation S Σ π ⊆ At(Σ) × P(At(Σ)) by setting (w, Z) ∈ S Σ π iff w ∧ π Z; Z is consistent with respect to the system Ax3. The canonical neighborhood model over Σ, denoted C, Σ is defined as the triple (W Σ , R Σ , V Σ ) where W Σ is the set of atoms over Σ, R Σ a = S Σ a for each atomic label a, and
The key lemma in the completeness proof, which is proved using the induction rules for the Kleene star, is the following:
Suppose first that w is consistent with Z. Then w must be in Z, and since (w, {w}) ∈ skip ⊆ [[ * ]](S Σ π ), w is consistent with γ[∅, Z] as required. Next, suppose that w is consistent with π γ[∅, Z]. By Lemma 1 there must be some set Z such that w is consistent with π Z ; Z and u γ[∅, Z] for each u ∈ Z . We get that (w, Z ) ∈ S Σ π , and furthermore for each u ∈ Z there must be some π ) and hence we obtain: and since ∅ ⊆ u∈Z Z u ⊆ Z, we get w consistent with γ[∅, Z] as required.
Next, consider the case where Z ⊆ Z is a singleton {s}. We write γ[s, Z] rather than γ[{s}, Z]. We must show that π * s; Z γ[s, Z], and we use Lemma 3 as before. By the second induction rule, it suffices to prove that The first statement is similar to the proof that Z γ[∅, Z] so we leave it out. For the second part, suppose that the atom w is consistent with the formula π γ[s, Z]; π * Z . By the previous argument (i.e. for the case where Z = ∅) we get so by (Mon) we find that w is consistent with π ) and hence we obtain the required inclusion:
Finally, let Z ⊆ Z be an arbitrary non-empty set, and suppose w is consistent with π * Z ; Z , where Z = {s 1 , . . ., s n }. Then by the axiom (Fix), w is consistent with the formula So it now suffices to prove that: Once again, the first claim follows by a familiar argument using skip ⊆ [[ * ]](S Σ π ). For the second claim, it suffices by axiom (Cmp) to prove that: But, using the previous arguments together with the rule (Mon), we find that it suffices to prove: We show that every atom consistent with the formula on the left-hand side is also consistent with the formula on the right-hand side. Suppose that w is consistent with the formula π (γ[s 1 ; Z], . . ., γ[s n ; Z]; γ[∅, Z]). By Lemma 1 there must be some set Y such that w is consistent with π Y ; Y , u γ[∅, Z] for each u ∈ Y , and for each i ∈ {1, . . ., n} we have ) and hence we obtain: as required.
Lemma 4 is needed to prove Lemma 5 below, by induction on the complexity of program terms. Say that a label π is safe if, for every formula γ such that the term γ? appears in π, we have that γ ∈ Σ and furthermore, γ ∈ w iff C Σ , w γ for each w ∈ At(Σ).
Lemma 5. For every safe label π, we have
Proof. By induction on the complexity of safe labels. For γ?, the result follows from the safety assumption and the observation that We omit the easy argument for ∪. For ∩, suppose that w ∧ π 1 ∩ π 2 Z; Z is consistent. Then there are sets Z 1 , Z 2 such that Z = Z 1 ∪ Z 2 such that: For composition, suppose that atom w is consistent with the formula π 1 ; π 2 Z; Z , where Z = {v 1 , . . ., v n }. Then w is consistent with by the axiom (Cmp). For each i ∈ {1, . . ., m} let δ i be the disjunction of the set of all formulas u such that u is an atom with (u, U ) ∈ S Σ π 2 for some set of atoms U with v i ∈ U and U ⊆ Z, and let θ be the disjunction of all formulas u such that u is an atom with (u, U ) ∈ S Σ π 2 for some U ⊆ Z. We first claim that: To see this, let the maximum modal depth of formulas in Σ be k, and let F 2+k Σ be the set of all formulas of modal depth at most 2 + k, such that only labels appearing in formulas in Σ may appear in formulas in F 2+k Σ . Let an extended atom be a maximal consistent subset of F 2+k Σ . Since there are only finitely many formulas in F 2+k Σ up to provable equivalence, there are at most finitely many extended atoms, and for each extended atom e we can form the conjunction e of all formulas in e "up to logical equivalence", picking one conjunct from each logical equivalence class. Since both formulas π 1 π 2 v 1 ; Z , . . ., π 2 v n ; Z ; π 2 Z and π 1 (δ 1 , . . ., δ n ; θ) are of modal depth ≤ 2 + k, it suffices to prove that every extended atom e which contains the following formula: also contains: So let e be an extended atom containing the first of these two formulas. Once again, a proof similar to that of Lemma  Z ∈ e . So we show that π 2 Z θ: recall that θ was the disjunction of all formulas u such that u is an atom with (u, U ) ∈ S Σ π 2 for some U ⊆ Z. We show that any atom u consistent with π 2 Z is consistent with θ also, from which the desired conclusion follows using Lemma 3. But if u is consistent with π 2 Z then by Lemma 1 we find a subset U ⊆ Z such that u is consistent with π 2 U, U . Then (u , U) ∈ S Σ π 2 , hence u must be consistent with θ as required. Similarly one can show that e → δ i for each e ∈ E such that π 2 v i ; Z ∈ e (since e ∩ Σ is an atom consistent with π 2 v i ; Z ). Therefore, we get: by (Mon), whence π 1 (δ 1 , . . ., δ n ; θ) belongs to e as well. So w is consistent with the formula π 1 (δ 1 , . . ., δ n ; θ), and by Lemma 1 there is a set Q of atoms such that w is consistent with π 1 Q; Q , s θ for each s ∈ Q and for each i ∈ {1, . . ., n} there is t i ∈ Q such that t i δ i . It follows from this that for each s ∈ Q there is some U s ⊆ Z such that (s, U s ) ∈ S Σ π 2 , and for each i ∈ {1, . . ., n} there is some For atomic labels the claim holds by definition of R Σ a = S Σ a . For the case of iteration, as an example, we have: The other cases are similar.
Using Lemma 5 we can prove a truth lemma for the canonical model:
Lemma 6. For every atom w and any ψ ∈ Σ, we have the equivalence (C Σ , w) ψ if and only if ψ ∈ w.
Proof. By induction on the complexity of ψ. Note that the induction hypothesis for subformulas of ψ guarantees that every label appearing in ψ is safe. The only interesting cases are formulas of the form π (Ψ; ϕ).
For right to left, suppose π (Ψ; ϕ) ∈ w. By Lemma 1 we find a set Z of atoms such that π Z, Z is consistent with w, hence (w, Z) ∈ S Σ π , and such that Ψ ⊆ Z and ϕ ∈ Z. By Lemma 5 we get (w, Z) ∈ R Σ π , and the induction hypothesis applied to the formulas in Ψ ∪ {ϕ} now readily yields C Σ , w π (Ψ; ϕ) as required. For left to right, it suffices to show that for all formulas π (Ψ; ϕ) ∈ Σ, all sets of atoms Z and all atoms w such that (w, Z) ∈ R Σ π , ϕ ∈ Z and Ψ ⊆ Z, we have π (Ψ; ϕ) ∈ w. The required result then follows by applying the induction hypothesis to Ψ, ϕ. We prove the claim by induction on the complexity of the label π, assuming that π is a safe label.
If π is an atomic label a then we have a , so w is consistent with a Z; Z .From this we can easily derive that w is consistent with a (Ψ; ϕ) by an argument combining the rule (Mon) and the axiom (Weak), given that ϕ ∈ Z and Ψ ⊆ Z. Since a (Ψ; ϕ) ∈ Σ and w is an atom it follows that a (Ψ; ϕ) ∈ w as required.
The induction steps for the constructions of test, choice, parallel composition and sequential composition are straightforward, making use of Fischer-Ladner closure of Σ at each step.
We now focus on the case of the Kleene star. Suppose that there is some Z such that (w, Z) ∈ R Σ π * , ϕ ∈ Z and Ψ ⊆ Z. By Proposition 4 there is some natural number n with (w, Z) ∈ (R Σ π ) [n] , so we reason by induction on n. That is, we show that for all w, Z, Ψ, ϕ and all n ∈ ω, if (w, Z) ∈ (R Σ π ) [n] , ϕ ∈ Z and Ψ ⊆ Z, then π * (Ψ; ϕ) ∈ w.
Proof of Theorem 5. Suppose the formula ϕ is not provable, so that ¬ϕ is consistent. By Lemma 2, ¬ϕ belongs to some finite Fischer-Ladner closed set Σ and since ¬ϕ is consistent it belongs to some atom w. Hence ϕ ∉ w and by Lemma 6 we have C Σ , w ϕ. So ϕ is not valid.
We note that as a corollary to the completeness proof, which produces a finite model of effectively bounded size for a consistent formula, we get:
Theorem 6. IPDL has the finite model property and is decidable.

Comparison with Game Logic
We now show that IPDL can, in a precise sense, be viewed as a language extension of dual-free game logic, called GL here for short. Formally, formulas of GL and game terms are defined by the following dual grammar: with Prop a fixed set of propositional variables and A a set of atomic games, both assumed to be countably infinite. Note that GL is a syntactic fragment of IPDL. Here, ∪ is interpreted as "angelic choice" (choice for Player I), ∩ is interpreted as "demonic choice" (choice for Player II), ; is sequential game composition and * is finite game iteration (controlled by Player I).
Semantics of game logic formulas are given by neighborhood frames, with the extra constraint that the family of neighborhoods associated with a world is upwards closed under set inclusion:
Definition 5. A neighborhood frame (W, R) is said to be a monotonic power frame if the following condition holds for each a ∈ A: A monotonic power model is a neighborhood model whose underlying frame is a monotonic power frame.
To provide a semantics for formulas in a model, we need to interpret the game constructors. In what follows, we shall use double vertical lines − for semantic denotations of formulas in GL and game constructors in monotonic neighborhood models, as distinct from our semantics for PDL presented earlier, that used square denotation brackets [[−]].
More precisely, using the format introduced in [3], we define operations on the lattice N W = P(W × P(W )) of neighborhood relations over W : Finally, we define * R to be the least fixpoint in the lattice N W of the monotone map F defined by: where skip ↑ = {(w, Z) ∈ W × P(W ) | w ∈ Z}. We can now set up the semantics of GL. Fixing a monotonic power model M, we define the interpretation of every formula ϕ and the neighborhood relations R π corresponding to each game term π in the obvious way, so that in particular we have For a monotonic power model M = (W, R, V ) and u ∈ W we shall also write M, u ϕ for u ∈ ϕ . Since semantic interpretations are always defined relative to a model, if necessary we shall use the notation − M rather than − to make it clear which model M is being referred to. We write ϕ if M, u ϕ for every pointed monotone power model (M, u).
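The monotone semantics described above, as an added example (not code from the paper): upward closure as in Definition 5, skip↑, and game iteration computed as a least fixpoint on a small constructed model. The displayed clauses for composition and for the map F are not reproduced in the text above, so the code assumes the standard game-logic ones, with F(X) = skip↑ ∪ (R ; X); all function names and the sample model are hypothetical.

```python
from itertools import combinations

def powerset(W):
    """All subsets of W as frozensets."""
    items = sorted(W)
    return [frozenset(c) for r in range(len(items) + 1)
            for c in combinations(items, r)]

def up(R, W):
    """Upward closure of R: the least monotonic power relation containing it."""
    return {(w, Z) for (w, Y) in R for Z in powerset(W) if Y <= Z}

def is_monotonic(R, W):
    """True iff the neighborhoods of every state are closed under supersets."""
    return set(R) == up(R, W)

def skip_up(W):
    """skip↑ = {(w, Z) | w ∈ Z}."""
    return {(w, Z) for w in W for Z in powerset(W) if w in Z}

def compose(R1, R2, W):
    """Assumed clause: (w, Z) iff some (w, Y) in R1 has (v, Z) in R2 for all v in Y."""
    return {(w, Z) for (w, Y) in R1 for Z in powerset(W)
            if all((v, Z) in R2 for v in Y)}

def star(R, W):
    """Least fixpoint of the assumed map F(X) = skip↑ ∪ (R ; X), iterated from ∅."""
    X = set()
    while True:
        nxt = skip_up(W) | compose(R, X, W)
        if nxt == X:          # F(X) = X: fixpoint reached (W is finite)
            return X
        X = nxt

def can_force(R, goal):
    """States at which Player I has the power to force an outcome inside goal."""
    return {w for (w, Z) in R if Z == frozenset(goal)}

# Constructed sample model: one atomic game, listed by its minimal neighborhoods.
# At 0 the environment picks 1 or 2; at 4 it may stay in 4 forever; 3 has no moves.
W = {0, 1, 2, 3, 4}
A = {(0, frozenset({1, 2})), (1, frozenset({3})),
     (2, frozenset({1})), (4, frozenset({3, 4}))}

if __name__ == "__main__":
    print(sorted(can_force(star(up(A, W), W), {3})))
```

State 4 is excluded from the result because the environment can keep the play in 4 indefinitely, which a least fixpoint (finite iteration) does not count as reaching the goal.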
We can now state precisely how IPDL extends dual-free game logic:
Theorem 7. IPDL is a conservative extension of GL. That is, for every GL-formula ϕ, we have that ϕ iff ϕ
Proof. For every neighborhood model M, we define a monotonic power model M ↑ as follows: let M = (W, R, V ). We define the monotonic power (w, Z) ∈ F ξ skip ↑ iff there is some Z ⊆ Z such that (w, Z ) ∈ (R π ) [ξ]  The result then follows by considering ξ such that R π * = (R π ) [ξ] and γ such that S π * = F γ skip ↑ . Next, pick some ρ greater than both γ and ξ. Then we are done, because we have R π * = R and F ξ+1 skip ↑ , applying the "inner" induction hypothesis to F ξ skip ↑ , applying the "outer" induction hypothesis to S π , and then repeating and combining the previous arguments for ∪ and ; . Finally, limit ordinals κ are handled by simply noting that R [κ] π = ξ<κ (R π ) [ξ] and F κ skip ↑ = ξ<κ F ξ skip ↑ .
We can now prove Theorem 7. Suppose ϕ is a formula of GL and ϕ. Then since every monotonic power frame is a neighborhood frame, we get M, w ϕ for every pointed monotonic power model (M, w). But if M is a monotonic power model, we have M ↑ = M, so it follows from Claim 2 that M, w ϕ for every pointed monotonic power model as well. Hence ϕ.
Conversely, suppose ϕ, so that ϕ is valid on every monotonic power frame. Then for any neighborhood model M and every state w in W , we have M ↑ , w ϕ, so M, w ϕ by Claim 2. Hence ϕ as required.
In other words: the formulas of IPDL that are valid on arbitrary neighborhood frames form a conservative extension of the GL-formulas that are valid over monotonic power frames.

Concluding Remarks
In this paper, we have introduced a new propositional dynamic logic IPDL defined over instantial neighborhood logic, as a tool for exploring a new perspective on open systems computation. We found program operations that respect a natural notion of bisimulation in this setting, and we axiomatized the complete logic, which presented some non-trivial and interesting deviations from the usual proof format for PDL. Finally, we positioned our logic with respect to related views of computation by completely clarifying its relation to Parikh's dual-free game logic.
Our system fits in a broader technical context. Various extensions of our base language would make sense, notably, the addition of least and greatest fixpoint operators. Just as standard PDL can be translated into the modal μ-calculus, our logic IPDL can be translated into the extension of INL with fixpoints, a translation that is implicit in our axiom system for IPDL. The fixpoint extension of INL is very well behaved from a co-algebraic perspective. As shown in [6], INL is a coalgebraic modal logic corresponding to a weak pullback preserving functor, the double covariant powerset functor, that additionally preserves finite sets. This means that the μ-calculus extension of INL inherits a number of properties that hold in much wider generality. In particular, it has the finite model property and it is decidable [22], and a sound and complete system of axioms is available [12]. However, as usual, such general results need not transfer to natural fragments that zoom in more closely on computation. Examples are Reynolds' highly non-trivial completeness proof for CTL * [21], or Parikh's game logic, which still lacks a complete system of axioms. A closer comparison for our system would be coalgebraic PDL [18], but there the coalgebraic type functor is a monad. By contrast, this is not the case for INL. Still, there is work to be done. For instance, our sequential program composition resembles the standard Kleisli composition for the powerset functor; we leave these issues to future investigation.
These are not the only connections to be clarified. In follow-up work, we intend to show that IPDL can also throw new light on other logical systems for computation, such as concurrent PDL ([7,15,20]), and that it can contribute to a more fine-structured analysis of game equivalence and powers of players, linking up with game theory (see [4], for which an extended follow-up manuscript is in preparation). The relationship between IPDL and the alternating-time temporal logics ATL and ATL * also remains to be explored. Standard ATL describes abilities of players to force conditions on (potentially infinite) computations by some strategy. An INL-like extension of ATL could then allow reasoning involving more complex quantification over infinite computations, involving both universal and existential quantification over the set of computations that are compatible with a given strategy.

Theorem 2.
The logic INL has the finite model property and is decidable.

Example 2.
Continuing from Example 1, we recall the formula: Each such action α corresponds to a neighborhood Z ∈ R π [w], and Z represents the possible outcomes of the action α, as determined by the response of the environment. The interpretations of choice ∪ and dual choice ∩ should thus be clear: an action of type π 1 ∪ π 2 is simply an action of either type π 1 or π 2 , and so the definition of [[∪]] as union of neighborhood relations is the natural one. For dual choice, an action α of type π 1 ∩ π 2 consists of an action β 1 of type π 1 and an action β 2 of type π 2 , where the action actually performed is determined by the environment. So a possible outcome of the action α is either a possible outcome of β 1 or one of β 2 . This directly leads to the formal interpretation [[∩]] of ∩ as it has been defined. The interpretation of the test operator is a straightforward adaptation of the usual PDL-definition, and motivated in the same manner. The less straightforward case is the sequential composition operation. Initially it seems clear what an action of type π 1 ; π 2 at a given state w should be: it is an action β 1 of type π 1 followed by an action β v 2 of type π 2 performed at each possible outcome state v of the action β 1 at w. A possible outcome of such an action α at w should then be an outcome of one of the actions β v 2 , where v is a possible outcome of the first action β 1 . With this interpretation, one would expect the following definition, setting (w, Z) ∈ R 1 [[ ; ]]R 2 iff there is some set Y and a function S : Y → PW such that:

Figure 1. Failure of bisimulation safety

π
and Z v ⊆ F ⊆ [[ϕ]]. By the induction hypothesis we get Y ⊆ [[γ]]. But then M, u π γ, hence M, u γ as required. Finally, the induction step for limit ordinals is almost immediate, by the definition of R [ξ] π as the union of all R [ρ] π for ρ < ξ.

Lemma 4.
For each label π, we have S Σ π * ⊆ [[ * ]](S Σ π ).
Proof. Since the set of atoms is finite, we can use the characterization of the Kleene star operation on finite models given by Proposition 4. Suppose that (w, Z) ∈ S Σ π * , meaning that ¬( w∧ π * Z; Z . Let γ[Z] be the disjunction of all formulas v for (v, Z) ∈ [[ * ]](S Σ π ). We want to show that π * Z; Z γ[Z]. It will then follow that w ∧ γ[Z] is consistent, and clearly since w is an atom this can only happen if w is already a disjunct of γ[Z] which means that (w, Z) ∈ [[ * ]](S Σ π ) as desired. More generally, for Z ⊆ Z let γ[Z , Z] be the disjunction of all formulas v where v is an atom such that (v, Z ) ∈ [[ * ]](S Σ π ) and Z ⊆ Z ⊆ Z for some set Z . We will show that π * Z ; Z γ[Z , Z]. The special case for the formula γ[Z, Z] = γ[Z] then yields the desired result. We first prove the claim for the case of Z = ∅. We have π * ∅; Z = π * ∅; Z = π * Z So we want to show that π * Z γ[∅, Z], and by the first induction rule it suffices to prove that Z γ[∅, Z] and π γ[∅, Z] γ[∅, Z]. Now, since γ[∅, Z] is a disjunction of conjunctions of atoms, it follows from Lemma 3 that, for any formula θ, we have that θ γ[∅, Z] iff every atom that is consistent with θ is also consistent with γ[∅, Z].
w and Z = {w} since w is an atom and Z a set of atoms. Hence S Σ γ? = {(w, {w}) | γ ∈ w} and the result follows from the definition of [[?]]. For the Kleene star, by Lemma 4 we have S Σ π * ⊆ [[ * ]](S Σ π ) for each label π. Similarly we may prove:
1, shows that the formula π 1 π 2 v 1 ; Z , . . ., π 2 v n ; Z ; π 2 Z is equivalent to a disjunction of formulas of the form π 1 E, E where E is a set of extended atoms such that π 2 Z ∈ E and π 2 v i ; Z ∈ E for each i ∈ {1, . . ., n}. So one of these disjuncts π 1 E, E belongs to e. Furthermore, it is not hard to show that e → θ for each e ∈ E: if e ∈ E then π 2