25: distributed systems & hybrid systems - 15-424
TRANSCRIPT
25: Distributed Systems & Hybrid Systems15-424: Foundations of Cyber-Physical Systems
Andre Platzer
Carnegie Mellon University, Pittsburgh, PA
0.20.4
0.60.8
1.00.1
0.2
0.3
0.4
0.5
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 1 / 23
Outline
1 Motivation
2 Quantified Differential Dynamic Logic QdLDesignSyntaxSemantics
3 Proof Calculus for Distributed Hybrid SystemsCompositional Verification CalculusDeduction Modulo with Free Variables & SkolemizationActual Existence and CreationSoundness and CompletenessQuantified Differential Invariants
4 Applications
5 Conclusions
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 1 / 23
Complex Physical Systems:
Hybrid Systems
Q: I want to verify my car
A: Hybrid systems Q: But there’s a lot of cars!
Challenge
(Hybrid Systems)
Continuous dynamics(differential equations)
Discrete dynamics(control decisions)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 2 / 23
Complex Physical Systems: Hybrid Systems
Q: I want to verify my car A: Hybrid systems
Q: But there’s a lot of cars!
Challenge (Hybrid Systems)
Continuous dynamics(differential equations)
Discrete dynamics(control decisions)
1 2 3 4t
-2
-1
1
2a
1 2 3 4t
0.5
1.0
1.5
2.0
2.5
3.0v
1 2 3 4t
1
2
3
4
5
6z
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 2 / 23
Complex Physical Systems: Hybrid Systems
Q: I want to verify my car A: Hybrid systems Q: But there’s a lot of cars!
Challenge (Hybrid Systems)
Continuous dynamics(differential equations)
Discrete dynamics(control decisions)
1 2 3 4t
-2
-1
1
2a
1 2 3 4t
0.5
1.0
1.5
2.0
2.5
3.0v
1 2 3 4t
1
2
3
4
5
6z
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 2 / 23
Complex Physical Systems:
Distributed Systems
Q: I want to verify a lot of cars
A: Distributed systems Q: But they move!
Challenge
(Distributed Systems)
Local computation(finite state automaton)
Remote communication(network graph)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 3 / 23
Complex Physical Systems: Distributed Systems
Q: I want to verify a lot of cars A: Distributed systems
Q: But they move!
Challenge (Distributed Systems)
Local computation(finite state automaton)
Remote communication(network graph)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 3 / 23
Complex Physical Systems: Distributed Systems
Q: I want to verify a lot of cars A: Distributed systems Q: But they move!
Challenge (Distributed Systems)
Local computation(finite state automaton)
Remote communication(network graph)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 3 / 23
Complex Physical Systems:
Distributed Hybrid Systems
Q: I want to verify lots of moving cars
A: Distributed hybrid systems Q: How?
Challenge
(Distributed Hybrid Systems)
Continuous dynamics(differential equations)
Discrete dynamics(control decisions)
Structural dynamics(remote communication)
Dimensional dynamics(appearance)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 4 / 23
Complex Physical Systems: Distributed Hybrid Systems
Q: I want to verify lots of moving cars A: Distributed hybrid systems
Q: How?
Challenge (Distributed Hybrid Systems)
Continuous dynamics(differential equations)
Discrete dynamics(control decisions)
Structural dynamics(remote communication)
Dimensional dynamics(appearance)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 4 / 23
Complex Physical Systems: Distributed Hybrid Systems
Q: I want to verify lots of moving cars A: Distributed hybrid systems
Q: How?
Challenge (Distributed Hybrid Systems)
Continuous dynamics(differential equations)
Discrete dynamics(control decisions)
Structural dynamics(remote communication)
Dimensional dynamics(appearance)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 4 / 23
Complex Physical Systems: Distributed Hybrid Systems
Q: I want to verify lots of moving cars A: Distributed hybrid systems Q: How?
Challenge (Distributed Hybrid Systems)
Continuous dynamics(differential equations)
Discrete dynamics(control decisions)
Structural dynamics(remote communication)
Dimensional dynamics(appearance)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 4 / 23
State of the Art: Modeling and Simulation
No formal verification of distributed hybrid systems
Shift [4] The Hybrid SystemSimulation ProgrammingLanguage
R-Charon [5] Modeling Language forReconfigurable Hybrid Systems
Hybrid CSP [6] Semantics inExtended Duration Calculus
HyPA [7] Translate fragment intonormal form.
χ process algebra [8] Simulation,translation of fragments toPHAVER, UPPAAL
Φ-calculus [9] Semantics in rich settheory
ACPsrths [10] Modeling languageproposal
OBSHS [11] Partial randomsimulation of objects
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 5 / 23
Contributions
1 System model and semantics for distributed hybrid systems: QHP
2 Specification and verification logic: QdL3 Proof calculus for QdL4 First verification approach for distributed hybrid systems
5 Sound and complete axiomatization relative to differential equations
6 Prove collision freedom in a (simple) distributed car control system,where new cars may appear dynamically on the road
7 Logical foundation for analysis of distributed hybrid systems
8 Fundamental extension: first-order x(i) versus primitive x
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 6 / 23
Outline
1 Motivation
2 Quantified Differential Dynamic Logic QdLDesignSyntaxSemantics
3 Proof Calculus for Distributed Hybrid SystemsCompositional Verification CalculusDeduction Modulo with Free Variables & SkolemizationActual Existence and CreationSoundness and CompletenessQuantified Differential Invariants
4 Applications
5 Conclusions
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 6 / 23
Outline (Conceptual Approach)
1 Motivation
2 Quantified Differential Dynamic Logic QdLDesignSyntaxSemantics
3 Proof Calculus for Distributed Hybrid SystemsCompositional Verification CalculusDeduction Modulo with Free Variables & SkolemizationActual Existence and CreationSoundness and CompletenessQuantified Differential Invariants
4 Applications
5 Conclusions
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 6 / 23
Model for Distributed Hybrid Systems
Q: How to model distributed hybrid systems
A: Quantified Hybrid Programs
Model (Distributed Hybrid Systems)
Continuous dynamics(differential equations)
Discrete dynamics(control decisions)
Structural dynamics(communication/coupling)
Dimensional dynamics(appearance)
n := newCar
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 7 / 23
Model for Distributed Hybrid Systems
Q: How to model distributed hybrid systems
A: Quantified Hybrid Programs
Model (Distributed Hybrid Systems)
Continuous dynamics(differential equations)
x ′′ = a
Discrete dynamics(control decisions)
Structural dynamics(communication/coupling)
Dimensional dynamics(appearance)
n := newCar
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 7 / 23
Model for Distributed Hybrid Systems
Q: How to model distributed hybrid systems
A: Quantified Hybrid Programs
Model (Distributed Hybrid Systems)
Continuous dynamics(differential equations)
x ′′ = a
Discrete dynamics(control decisions)
a := if .. thenA else−bStructural dynamics(communication/coupling)
Dimensional dynamics(appearance)
n := newCar
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 7 / 23
Model for Distributed Hybrid Systems
Q: How to model distributed hybrid systems
A: Quantified Hybrid Programs
Model (Distributed Hybrid Systems)
Continuous dynamics(differential equations)
x ′′ = a
Discrete dynamics(control decisions)
a := if .. thenA else−bStructural dynamics(communication/coupling)
Dimensional dynamics(appearance)
n := newCar
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 7 / 23
Model for Distributed Hybrid Systems
Q: How to model distributed hybrid systems
A: Quantified Hybrid Programs
Model (Distributed Hybrid Systems)
Continuous dynamics(differential equations)
x ′′ = a
Discrete dynamics(control decisions)
a := if .. thenA else−bStructural dynamics(communication/coupling)
Dimensional dynamics(appearance)
n := newCar
(4) (4) (3) (3) (2) (2) (1) (1)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 7 / 23
Model for Distributed Hybrid Systems
Q: How to model distributed hybrid systems
A: Quantified Hybrid Programs
Model (Distributed Hybrid Systems)
Continuous dynamics(differential equations)
∀i
x(i)′′ = a(i)
Discrete dynamics(control decisions)
∀i
a(i) := if .. thenA else−bStructural dynamics(communication/coupling)
Dimensional dynamics(appearance)
n := newCar
(4) (4) (3) (3) (2) (2) (1) (1)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 7 / 23
Model for Distributed Hybrid Systems
Q: How to model distributed hybrid systems
A: Quantified Hybrid Programs
Model (Distributed Hybrid Systems)
Continuous dynamics(differential equations)∀i x(i)′′ = a(i)
Discrete dynamics(control decisions)
∀i a(i) := if .. thenA else−bStructural dynamics(communication/coupling)
Dimensional dynamics(appearance)
n := newCar
(4) (4) (3) (3) (2) (2) (1) (1)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 7 / 23
Model for Distributed Hybrid Systems
Q: How to model distributed hybrid systems
A: Quantified Hybrid Programs
Model (Distributed Hybrid Systems)
Continuous dynamics(differential equations)∀i x(i)′′ = a(i)
Discrete dynamics(control decisions)
∀i a(i) := if .. thenA else−bStructural dynamics(communication/coupling)
`(i) := carInFrontOf(i)
Dimensional dynamics(appearance)
n := newCar
(4) (4) (3) (3) (2) (2) (1) (1)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 7 / 23
Model for Distributed Hybrid Systems
Q: How to model distributed hybrid systems A: Quantified Hybrid Programs
Model (Distributed Hybrid Systems)
Continuous dynamics(differential equations)∀i x(i)′′ = a(i)
Discrete dynamics(control decisions)
∀i a(i) := if .. thenA else−bStructural dynamics(communication/coupling)
`(i) := carInFrontOf(i)
Dimensional dynamics(appearance)
n := newCar
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 7 / 23
Model for Distributed Hybrid Systems
Q: How to model distributed hybrid systems A: Quantified Hybrid Programs
Model (Distributed Hybrid Systems)
Continuous dynamics(differential equations)∀i x(i)′′ = a(i)
Discrete dynamics(control decisions)
∀i a(i) := if .. thenA else−bStructural dynamics(communication/coupling)
`(i) := carInFrontOf(i)
Dimensional dynamics(appearance)
n := newCarAndre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 7 / 23
Quantified Differential Dynamic Logic QdL: Syntax
Definition (Quantified hybrid program α)
∀i :C x(i)′ = θ (quantified ODE)∀i :C x(i) := θ (quantified assignment)
}jump & test?Q (conditional execution)
α;β (seq. composition) }Kleene algebraα ∪ β (nondet. choice)
α∗ (nondet. repetition)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 8 / 23
Quantified Differential Dynamic Logic QdL: Syntax
Definition (Quantified hybrid program α)
∀i :C x(s)′ = θ (quantified ODE)∀i :C x(s) := θ (quantified assignment)
}jump & test?Q (conditional execution)
α;β (seq. composition) }Kleene algebraα ∪ β (nondet. choice)
α∗ (nondet. repetition)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 8 / 23
Quantified Differential Dynamic Logic QdL: Syntax
Definition (Quantified hybrid program α)
∀i :C x(s)′ = θ (quantified ODE)∀i :C x(s) := θ (quantified assignment)
}jump & test?Q (conditional execution)
α;β (seq. composition) }Kleene algebraα ∪ β (nondet. choice)
α∗ (nondet. repetition)
DCCS ≡ (ctrl ; drive)∗
appear ≡ n := newC ; ?(∀j :C far(j , n))
ctrl ≡ ∀i :C a(i) := if∀j :C far(i , j) thenA else−bdrive ≡ ∀i :C x(i)′′ = a(i)
newC is definable!
( ) ( )
(2) (2) (1) (1) (3) (3) (4) (4)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 8 / 23
Quantified Differential Dynamic Logic QdL: Syntax
Definition (Quantified hybrid program α)
∀i :C x(s)′ = θ (quantified ODE)∀i :C x(s) := θ (quantified assignment)
}jump & test?Q (conditional execution)
α;β (seq. composition) }Kleene algebraα ∪ β (nondet. choice)
α∗ (nondet. repetition)
DCCS ≡ (appear ; ctrl ; drive)∗
appear ≡ n := newC ; ?(∀j :C far(j , n))
ctrl ≡ ∀i :C a(i) := if∀j :C far(i , j) thenA else−bdrive ≡ ∀i :C x(i)′′ = a(i)
newC is definable!
( ) ( )
(2) (2) (1) (1) (3) (3) (4) (4)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 8 / 23
Quantified Differential Dynamic Logic QdL: Syntax
Definition (Quantified hybrid program α)
∀i :C x(s)′ = θ (quantified ODE)∀i :C x(s) := θ (quantified assignment)
}jump & test?Q (conditional execution)
α;β (seq. composition) }Kleene algebraα ∪ β (nondet. choice)
α∗ (nondet. repetition)
DCCS ≡ (appear ; ctrl ; drive)∗
appear ≡ n := newC ; ?(∀j :C far(j , n))
ctrl ≡ ∀i :C a(i) := if∀j :C far(i , j) thenA else−bdrive ≡ ∀i :C x(i)′′ = a(i)
newC is definable!
( ) ( )
(2) (2) (1) (1) (3) (3) (4) (4)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 8 / 23
Quantified Differential Dynamic Logic QdL: Syntax
Definition (QdL Formula φ)
¬,∧,∨,→, ∀x ,∃x , =,≥, +, · (R-first-order part)[α]φ, 〈α〉φ (dynamic part)
∀i , j :C far(i , j)→
[(appear ; ctrl ; drive)∗] ∀i 6=j :C x(i) 6= x(j)
far(i , j) ≡ i 6= j → x(i) < x(j) ∧ v(i) ≤ v(j) ∧ a(i) ≤ a(j)
∨ x(i) > x(j) ∧ v(i) ≥ v(j) ∧ a(i) ≥ a(j) . . .
( ) ( )
(2) (2) (1) (1) (3) (3) (4) (4)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 8 / 23
Quantified Differential Dynamic Logic QdL: Syntax
Definition (QdL Formula φ)
¬,∧,∨,→, ∀x ,∃x , =,≥, +, · (R-first-order part)[α]φ, 〈α〉φ (dynamic part)
∀i , j :C far(i , j)→ [(appear ; ctrl ; drive)∗] ∀i 6=j :C x(i) 6= x(j)
far(i , j) ≡ i 6= j → x(i) < x(j) ∧ v(i) ≤ v(j) ∧ a(i) ≤ a(j)
∨ x(i) > x(j) ∧ v(i) ≥ v(j) ∧ a(i) ≥ a(j) . . .
( ) ( )
(2) (2) (1) (1) (3) (3) (4) (4)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 8 / 23
Quantified Differential Dynamic Logic QdL: Syntax
Definition (QdL Formula φ)
¬,∧,∨,→, ∀x ,∃x , =,≥, +, · (R-first-order part)[α]φ, 〈α〉φ (dynamic part)
∀i , j :C far(i , j)→ [(appear ; ctrl ; drive)∗] ∀i 6=j :C x(i) 6= x(j)
far(i , j) ≡ i 6= j → x(i) < x(j) ∧ v(i) ≤ v(j) ∧ a(i) ≤ a(j)
∨ x(i) > x(j) ∧ v(i) ≥ v(j) ∧ a(i) ≥ a(j) . . .
( ) ( )
(2) (2) (1) (1) (3) (3) (4) (4)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 8 / 23
Quantified Differential Dynamic Logic QdL: Semantics
Definition (Quantified hybrid program α: transition semantics)
v w∀i :C x(s) := θ
t
x
0
v
wif w(x)(v ei [[s]]) = v ei [[θ]] (for all e)
and otherwise unchanged
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 9 / 23
Quantified Differential Dynamic Logic QdL: Semantics
Definition (Quantified hybrid program α: transition semantics)
v w∀i :C x(s)′ = θ
&Q
t
x
Q
w
v
ϕ(t)
∀i x(s)′ = θ
dϕ(t)ei [[x(s)]]
dt(ζ) = ϕ(ζ)ei [[θ]] (for all e)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 9 / 23
Quantified Differential Dynamic Logic QdL: Semantics
Definition (Quantified hybrid program α: transition semantics)
v s w
α;β
α β
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 9 / 23
Quantified Differential Dynamic Logic QdL: Semantics
Definition (Quantified hybrid program α: transition semantics)
v s w
α;β
α β
t
x
s
v w
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 9 / 23
Quantified Differential Dynamic Logic QdL: Semantics
Definition (Quantified hybrid program α: transition semantics)
v s w
α;β
α β
t
x
s
v w
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 9 / 23
Quantified Differential Dynamic Logic QdL: Semantics
Definition (Quantified hybrid program α: transition semantics)
v s1 s2 sn w
α∗
α α α
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 9 / 23
Quantified Differential Dynamic Logic QdL: Semantics
Definition (Quantified hybrid program α: transition semantics)
v s1 s2 sn w
α∗
α α α
t
xv
w
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 9 / 23
Quantified Differential Dynamic Logic QdL: Semantics
Definition (Quantified hybrid program α: transition semantics)
v
w1
w2
α
β
α ∪ β
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 9 / 23
Quantified Differential Dynamic Logic QdL: Semantics
Definition (Quantified hybrid program α: transition semantics)
v
w1
w2
α
β
α ∪ β
t
xv w1
w2
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 9 / 23
Quantified Differential Dynamic Logic QdL: Semantics
Definition (Quantified hybrid program α: transition semantics)
v
?Q
if v |= Q
if v 6|= Q
t
x
0
v no change if v |= Qotherwise no transition
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 9 / 23
Quantified Differential Dynamic Logic QdL: Semantics
Definition (Quantified hybrid program α: transition semantics)
v
?Q
if v |= Q
if v 6|= Q
t
x
0
v no change if v |= Qotherwise no transition
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 9 / 23
Quantified Differential Dynamic Logic QdL: Semantics
Definition (QdL Formula φ)
v[α]φ
φ
φ
φ
α-span
[α]φ
〈β〉φ
β-span
〈β〉[α
]-sp
an
compositional semantics ⇒ compositional calculus!
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 10 / 23
Quantified Differential Dynamic Logic QdL: Semantics
Definition (QdL Formula φ)
v〈α〉φ
φ
α-span
[α]φ
〈β〉φ
β-span
〈β〉[α
]-sp
an
compositional semantics ⇒ compositional calculus!
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 10 / 23
Quantified Differential Dynamic Logic QdL: Semantics
Definition (QdL Formula φ)
v α-span
[α]φ
〈β〉φ
β-span
〈β〉[α
]-sp
an
compositional semantics ⇒ compositional calculus!
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 10 / 23
Quantified Differential Dynamic Logic QdL: Semantics
Definition (QdL Formula φ)
v α-span
[α]φ
〈β〉φ
β-span
〈β〉[α
]-sp
an
compositional semantics ⇒ compositional calculus!
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 10 / 23
Quantified Differential Dynamic Logic QdL: Semantics
Definition (QdL Formula φ)
v α-span
[α]φ
〈β〉φ
β-span
〈β〉[α
]-sp
an
compositional semantics ⇒ compositional calculus!
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 10 / 23
Quantified Differential Dynamic Logic QdL: Semantics
Definition (QdL Formula φ)
v α-span
[α]φ
〈β〉φ
β-span
〈β〉[α
]-sp
an
compositional semantics ⇒ compositional calculus!
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 10 / 23
Outline (Verification Approach)
1 Motivation
2 Quantified Differential Dynamic Logic QdLDesignSyntaxSemantics
3 Proof Calculus for Distributed Hybrid SystemsCompositional Verification CalculusDeduction Modulo with Free Variables & SkolemizationActual Existence and CreationSoundness and CompletenessQuantified Differential Invariants
4 Applications
5 Conclusions
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 10 / 23
Proof Calculus for Quantified Differential Dynamic Logic
∀i (i = u → φ(θ))
φ([∀i x(i) := θ]x(u)) v w∀i x(s) := θ
φ
if∃i s = u then∀i (s = u → φ(θ)) elseφ(x(u))
φ([∀i x(s) := θ︸ ︷︷ ︸]x(u))
∀t≥0 [∀i x(i) := xi (t)]φ
[∀i x(i)′ = θ]φ
v w∀i x(i)′ = θ
φ
∀i x(i) := xi (t)
∃t≥0 (Q ∧ 〈x := yx(t)〉φ)
〈x ′ = θ〉φ
v wx ′ = θ
φ
x := yx(t)x := yx (s)
Q
Q ≡ ∀0≤s≤t 〈x := yx(s)〉Q
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 11 / 23
Proof Calculus for Quantified Differential Dynamic Logic
∀i (i = u → φ(θ))
φ([∀i x(i) := θ]x(u)) v w∀i x(s) := θ
φ
if∃i s = u then∀i (s = u → φ(θ)) elseφ(x(u))
φ([∀i x(s) := θ︸ ︷︷ ︸]x(u))
∀t≥0 [∀i x(i) := xi (t)]φ
[∀i x(i)′ = θ]φ
v w∀i x(i)′ = θ
φ
∀i x(i) := xi (t)
∃t≥0 (Q ∧ 〈x := yx(t)〉φ)
〈x ′ = θ〉φ
v wx ′ = θ
φ
x := yx(t)x := yx (s)
Q
Q ≡ ∀0≤s≤t 〈x := yx(s)〉Q
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 11 / 23
Proof Calculus for Quantified Differential Dynamic Logic
∀i (i = [∀i x(i) := θ]u → φ(θ))
φ([∀i x(i) := θ]x(u)) v w∀i x(s) := θ
φ
if∃i s = u then∀i (s = u → φ(θ)) elseφ(x(u))
φ([∀i x(s) := θ︸ ︷︷ ︸]x(u))
∀t≥0 [∀i x(i) := xi (t)]φ
[∀i x(i)′ = θ]φ
v w∀i x(i)′ = θ
φ
∀i x(i) := xi (t)
∃t≥0 (Q ∧ 〈x := yx(t)〉φ)
〈x ′ = θ〉φ
v wx ′ = θ
φ
x := yx(t)x := yx (s)
Q
Q ≡ ∀0≤s≤t 〈x := yx(s)〉Q
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 11 / 23
Proof Calculus for Quantified Differential Dynamic Logic
∀i (i = [∀i x(i) := θ]u → φ(θ))
φ([∀i x(i) := θ]x(u)) v w∀i x(s) := θ
φ
if ∃i s = u then∀i (s = u → φ(θ)) elseφ(x(u))
φ([∀i x(s) := θ︸ ︷︷ ︸]x(u))
∀t≥0 [∀i x(i) := xi (t)]φ
[∀i x(i)′ = θ]φ
v w∀i x(i)′ = θ
φ
∀i x(i) := xi (t)
∃t≥0 (Q ∧ 〈x := yx(t)〉φ)
〈x ′ = θ〉φ
v wx ′ = θ
φ
x := yx(t)x := yx (s)
Q
Q ≡ ∀0≤s≤t 〈x := yx(s)〉Q
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 11 / 23
Proof Calculus for Quantified Differential Dynamic Logic
∀i (i = [∀i x(i) := θ]u → φ(θ))
φ([∀i x(i) := θ]x(u)) v w∀i x(s) := θ
φ
if ∃i s = u then∀i (s = u → φ(θ)) elseφ(x(u))
φ([∀i x(s) := θ︸ ︷︷ ︸]x(u))
∀t≥0 [∀i x(i) := xi (t)]φ
[∀i x(i)′ = θ]φ
v w∀i x(i)′ = θ
φ
∀i x(i) := xi (t)
∃t≥0 (Q ∧ 〈x := yx(t)〉φ)
〈x ′ = θ〉φ
v wx ′ = θ
φ
x := yx(t)x := yx (s)
Q
Q ≡ ∀0≤s≤t 〈x := yx(s)〉Q
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 11 / 23
Proof Calculus for Quantified Differential Dynamic Logic
∀i (i = [∀i x(i) := θ]u → φ(θ))
φ([∀i x(i) := θ]x(u)) v w∀i x(s) := θ
φ
if ∃i s = u then∀i (s = u → φ(θ)) elseφ(x(u))
φ([∀i x(s) := θ︸ ︷︷ ︸]x(u))
∀t≥0 [∀i x(i) := xi (t)]φ
[∀i x(i)′ = θ]φ
v w∀i x(i)′ = θ
φ
∀i x(i) := xi (t)
∃t≥0 (Q ∧ 〈x := yx(t)〉φ)
〈x ′ = θ〉φ
v wx ′ = θ
φ
x := yx(t)x := yx (s)
Q
Q ≡ ∀0≤s≤t 〈x := yx(s)〉Q
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 11 / 23
Proof Calculus for Quantified Differential Dynamic Logic
∀i (i = [∀i x(i) := θ]u → φ(θ))
φ([∀i x(i) := θ]x(u)) v w∀i x(s) := θ
φ
if ∃i s = u then∀i (s = u → φ(θ)) elseφ(x(u))
φ([∀i x(s) := θ︸ ︷︷ ︸]x(u))
∀t≥0 [∀i x(i) := xi (t)]φ
[∀i x(i)′ = θ]φ
v w∀i x(i)′ = θ
φ
∀i x(i) := xi (t)
∃t≥0 (Q ∧ 〈x := yx(t)〉φ)
〈x ′ = θ〉φ
v wx ′ = θ
φ
x := yx(t)x := yx (s)
Q
Q ≡ ∀0≤s≤t 〈x := yx(s)〉Q
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 11 / 23
Proof Calculus for Quantified Differential Dynamic Logic
∀i (i = [∀i x(i) := θ]u → φ(θ))
φ([∀i x(i) := θ]x(u)) v w∀i x(s) := θ
φ
if ∃i s = u then∀i (s = u → φ(θ)) elseφ(x(u))
φ([∀i x(s) := θ︸ ︷︷ ︸]x(u))
∀t≥0 [∀i x(i) := xi (t)]φ
[∀i x(i)′ = θ]φ
v w∀i x(i)′ = θ
φ
∀i x(i) := xi (t)
∃t≥0 (Q ∧ 〈x := yx(t)〉φ)
〈x ′ = θ〉φ
v wx ′ = θ
φ
x := yx(t)x := yx (s)
Q
Q ≡ ∀0≤s≤t 〈x := yx(s)〉Q
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 11 / 23
Proof Calculus for Quantified Differential Dynamic Logic
∀i (i = [∀i x(i) := θ]u → φ(θ))
φ([∀i x(i) := θ]x(u)) v w∀i x(s) := θ
φ
if ∃i s = [A]u then∀i (s = [A]u → φ(θ)) elseφ(x([A]u))
φ([∀i x(s) := θ︸ ︷︷ ︸A
]x(u))
∀t≥0 [∀i x(i) := xi (t)]φ
[∀i x(i)′ = θ]φ
v w∀i x(i)′ = θ
φ
∀i x(i) := xi (t)
∃t≥0 (Q ∧ 〈x := yx(t)〉φ)
〈x ′ = θ〉φ
v wx ′ = θ
φ
x := yx(t)x := yx (s)
Q
Q ≡ ∀0≤s≤t 〈x := yx(s)〉Q
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 11 / 23
Proof Calculus for Quantified Differential Dynamic Logic
∀i (i = [∀i x(i) := θ]u → φ(θ))
φ([∀i x(i) := θ]x(u)) v w∀i x(s) := θ
φ
if ∃i s = [A]u then∀i (s = [A]u → φ(θ)) elseφ(x([A]u))
φ([∀i x(s) := θ︸ ︷︷ ︸A
]x(u))
∀t≥0 [∀i x(i) := xi (t)]φ
[∀i x(i)′ = θ]φ
v w∀i x(i)′ = θ
φ
∀i x(i) := xi (t)
∃t≥0 (Q ∧ 〈x := yx(t)〉φ)
〈x ′ = θ〉φ
v wx ′ = θ
φ
x := yx(t)x := yx (s)
Q
Q ≡ ∀0≤s≤t 〈x := yx(s)〉Q
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 11 / 23
Proof Calculus for Quantified Differential Dynamic Logic
∀i (i = [∀i x(i) := θ]u → φ(θ))
φ([∀i x(i) := θ]x(u)) v w∀i x(s) := θ
φ
if ∃i s = [A]u then∀i (s = [A]u → φ(θ)) elseφ(x([A]u))
φ([∀i x(s) := θ︸ ︷︷ ︸A
]x(u))
∀t≥0 [∀i x(i) := xi (t)]φ
[∀i x(i)′ = θ]φ
v w∀i x(i)′ = θ
φ∀i x(i) := xi (t)
∃t≥0 (Q ∧ 〈x := yx(t)〉φ)
〈x ′ = θ〉φ
v wx ′ = θ
φ
x := yx(t)x := yx (s)
Q
Q ≡ ∀0≤s≤t 〈x := yx(s)〉Q
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 11 / 23
Proof Calculus for Quantified Differential Dynamic Logic
compositional semantics ⇒ compositional rules!
[α]φ ∧ [β]φ
[α ∪ β]φv
w1
w2
αφ
βφ
α ∪ β
[α][β]φ
[α;β]φv s w
α;β
[α][β]φα
[β]φβ
φ
φ (φ→ [α]φ)
[α∗]φ v w
α∗
φ
α
φ→ [α]φ
α α
φ
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 12 / 23
Proof Calculus for Quantified Differential Dynamic Logic
[α]φ ∧ [β]φ
[α ∪ β]φv
w1
w2
αφ
βφ
α ∪ β
[α][β]φ
[α;β]φv s w
α;β
[α][β]φα
[β]φβ
φ
φ (φ→ [α]φ)
[α∗]φ v w
α∗
φ
α
φ→ [α]φ
α α
φ
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 12 / 23
Proof Calculus for Quantified Differential Dynamic Logic
[α]φ ∧ [β]φ
[α ∪ β]φv
w1
w2
αφ
βφ
α ∪ β
[α][β]φ
[α;β]φv s w
α;β
[α][β]φα
[β]φβ
φ
φ (φ→ [α]φ)
[α∗]φ v w
α∗
φ
α
φ→ [α]φ
α α
φ
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 12 / 23
Proof Calculus for Quantified Differential Dynamic Logic
[α]φ ∧ [β]φ
[α ∪ β]φv
w1
w2
αφ
βφ
α ∪ β
[α][β]φ
[α;β]φv s w
α;β
[α][β]φα
[β]φβ
φ
φ (φ→ [α]φ)
[α∗]φ v w
α∗
φ
α
φ→ [α]φ
α α
φ
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 12 / 23
Deduction Modulo with Free Variables & Skolemization
∀i 6=j x(i)6=x(j) →∀j 6=k
QE
∀s≥0(−b2 s
2+v(j)s+x(j) 6= −b2 s
2+v(k)s+x(k))
∀i 6=j x(i)6=x(j),s≥0 →∀j 6=k (−b2 s
2 + v(j)s + x(j) 6= −b2 s
2 + v(k)s + x(k))
∀i 6=j x(i)6=x(j),s≥0 →[∀i x(i) :=−b2 s
2 + v(i)s + x(i)]∀j 6=k x(j) 6=x(k)
∀i 6=j x(i)6=x(j) →s≥0→ [∀i x(i) :=−b2 s
2 + v(i)s + x(i)]∀j 6=k x(j)6=x(k)
∀i 6=j x(i)6=x(j) →∀t≥0 [∀i x(i) :=−b2 t
2 + v(i)t + x(i)]∀j 6=k x(j)6=x(k)
∀i 6=j x(i)6=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b]∀j 6=k x(j) 6=x(k)
∀i 6=j x(i) 6=x(j)→ [∀i x(i)′′ = −b]∀j 6=k x(j)6=x(k)
( ) ( )
(2) (2) (1) (1) (3) (3) (4) (4)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 13 / 23
Deduction Modulo with Free Variables & Skolemization
∀i 6=j x(i)6=x(j) →∀j 6=k
QE
∀s≥0(−b2 s
2+v(j)s+x(j) 6= −b2 s
2+v(k)s+x(k))
∀i 6=j x(i)6=x(j),s≥0 →∀j 6=k (−b2 s
2 + v(j)s + x(j) 6= −b2 s
2 + v(k)s + x(k))
∀i 6=j x(i)6=x(j),s≥0 →[∀i x(i) :=−b2 s
2 + v(i)s + x(i)]∀j 6=k x(j) 6=x(k)
∀i 6=j x(i)6=x(j) →s≥0→ [∀i x(i) :=−b2 s
2 + v(i)s + x(i)]∀j 6=k x(j)6=x(k)
∀i 6=j x(i)6=x(j) →∀t≥0 [∀i x(i) :=−b2 t
2 + v(i)t + x(i)]∀j 6=k x(j)6=x(k)
∀i 6=j x(i)6=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j 6=k x(j) 6=x(k)
∀i 6=j x(i) 6=x(j)→ [∀i x(i)′′ = −b]∀j 6=k x(j)6=x(k)
( ) ( )
(2) (2) (1) (1) (3) (3) (4) (4)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 13 / 23
Deduction Modulo with Free Variables & Skolemization
∀i 6=j x(i)6=x(j) →∀j 6=k
QE
∀s≥0(−b2 s
2+v(j)s+x(j) 6= −b2 s
2+v(k)s+x(k))
∀i 6=j x(i)6=x(j),s≥0 →∀j 6=k (−b2 s
2 + v(j)s + x(j) 6= −b2 s
2 + v(k)s + x(k))
∀i 6=j x(i)6=x(j),s≥0 →[∀i x(i) :=−b2 s
2 + v(i)s + x(i)]∀j 6=k x(j) 6=x(k)
∀i 6=j x(i)6=x(j) →s≥0→ [∀i x(i) :=−b2 s
2 + v(i)s + x(i)]∀j 6=k x(j)6=x(k)
∀i 6=j x(i)6=x(j) →∀t≥0 [∀i x(i) :=−b2 t
2 + v(i)t + x(i)]∀j 6=k x(j)6=x(k)
∀i 6=j x(i)6=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j 6=k x(j) 6=x(k)
∀i 6=j x(i) 6=x(j)→ [∀i x(i)′′ = −b]∀j 6=k x(j)6=x(k)
( ) ( )
(2) (2) (1) (1) (3) (3) (4) (4)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 13 / 23
Deduction Modulo with Free Variables & Skolemization
∀i 6=j x(i)6=x(j) →∀j 6=k
QE
∀s≥0(−b2 s
2+v(j)s+x(j) 6= −b2 s
2+v(k)s+x(k))
∀i 6=j x(i)6=x(j),s≥0 →∀j 6=k (−b2 s
2 + v(j)s + x(j) 6= −b2 s
2 + v(k)s + x(k))
∀i 6=j x(i)6=x(j),s≥0 →[∀i x(i) :=−b2 s
2 + v(i)s + x(i)]∀j 6=k x(j) 6=x(k)
∀i 6=j x(i)6=x(j) →s≥0→ [∀i x(i) :=−b2 s
2 + v(i)s + x(i)]∀j 6=k x(j)6=x(k)
∀i 6=j x(i)6=x(j) →∀t≥0 [∀i x(i) :=−b2 t
2 + v(i)t + x(i)]∀j 6=k x(j)6=x(k)
∀i 6=j x(i)6=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j 6=k x(j) 6=x(k)
∀i 6=j x(i) 6=x(j)→ [∀i x(i)′′ = −b]∀j 6=k x(j)6=x(k)
( ) ( )
(2) (2) (1) (1) (3) (3) (4) (4)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 13 / 23
Deduction Modulo with Free Variables & Skolemization
∀i 6=j x(i)6=x(j) →∀j 6=k
QE
∀s≥0(−b2 s
2+v(j)s+x(j) 6= −b2 s
2+v(k)s+x(k))
∀i 6=j x(i)6=x(j),s≥0 →∀j 6=k (−b2 s
2 + v(j)s + x(j) 6= −b2 s
2 + v(k)s + x(k))
∀i 6=j x(i)6=x(j),s≥0 →[∀i x(i) :=−b2 s
2 + v(i)s + x(i)]∀j 6=k x(j) 6=x(k)
∀i 6=j x(i)6=x(j) →s≥0→ [∀i x(i) :=−b2 s
2 + v(i)s + x(i)]∀j 6=k x(j)6=x(k)
∀i 6=j x(i)6=x(j) →∀t≥0 [∀i x(i) :=−b2 t
2 + v(i)t + x(i)]∀j 6=k x(j)6=x(k)
∀i 6=j x(i)6=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j 6=k x(j) 6=x(k)
∀i 6=j x(i) 6=x(j)→ [∀i x(i)′′ = −b]∀j 6=k x(j)6=x(k)
( ) ( )
(2) (2) (1) (1) (3) (3) (4) (4)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 13 / 23
Deduction Modulo with Free Variables & Skolemization
∀i 6=j x(i)6=x(j) →∀j 6=k
QE
∀s≥0(−b2 s
2+v(j)s+x(j) 6= −b2 s
2+v(k)s+x(k))
∀i 6=j x(i)6=x(j),s≥0 →∀j 6=k (−b2 s
2 + v(j)s + x(j) 6= −b2 s
2 + v(k)s + x(k))
∀i 6=j x(i)6=x(j),s≥0 →[∀i x(i) :=−b2 s
2 + v(i)s + x(i)]∀j 6=k x(j) 6=x(k)
∀i 6=j x(i)6=x(j) →s≥0→ [∀i x(i) :=−b2 s
2 + v(i)s + x(i)]∀j 6=k x(j)6=x(k)
∀i 6=j x(i)6=x(j) →∀t≥0 [∀i x(i) :=−b2 t
2 + v(i)t + x(i)]∀j 6=k x(j)6=x(k)
∀i 6=j x(i)6=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j 6=k x(j) 6=x(k)
∀i 6=j x(i) 6=x(j)→ [∀i x(i)′′ = −b]∀j 6=k x(j)6=x(k)
( ) ( )
(2) (2) (1) (1) (3) (3) (4) (4)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 13 / 23
Deduction Modulo with Free Variables & Skolemization
∀i 6=j x(i)6=x(j) →∀j 6=k
QE
∀s≥0(−b2 s
2+v(j)s+x(j) 6= −b2 s
2+v(k)s+x(k))
∀i 6=j x(i)6=x(j),s≥0 →∀j 6=k (−b2 s
2 + v(j)s + x(j) 6= −b2 s
2 + v(k)s + x(k))
∀i 6=j x(i)6=x(j),s≥0 →[∀i x(i) :=−b2 s
2 + v(i)s + x(i)]∀j 6=k x(j) 6=x(k)
∀i 6=j x(i)6=x(j) →s≥0→ [∀i x(i) :=−b2 s
2 + v(i)s + x(i)]∀j 6=k x(j)6=x(k)
∀i 6=j x(i)6=x(j) →∀t≥0 [∀i x(i) :=−b2 t
2 + v(i)t + x(i)]∀j 6=k x(j)6=x(k)
∀i 6=j x(i)6=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j 6=k x(j) 6=x(k)
∀i 6=j x(i) 6=x(j)→ [∀i x(i)′′ = −b]∀j 6=k x(j)6=x(k)
( ) ( )
(2) (2) (1) (1) (3) (3) (4) (4)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 13 / 23
Deduction Modulo with Free Variables & Skolemization
∀i 6=j x(i)6=x(j) →∀j 6=k QE∀s≥0(−b2 s
2+v(j)s+x(j) 6= −b2 s
2+v(k)s+x(k))
∀i 6=j x(i)6=x(j),s≥0 →∀j 6=k (−b2 s
2 + v(j)s + x(j) 6= −b2 s
2 + v(k)s + x(k))
∀i 6=j x(i)6=x(j),s≥0 →[∀i x(i) :=−b2 s
2 + v(i)s + x(i)]∀j 6=k x(j) 6=x(k)
∀i 6=j x(i)6=x(j) →s≥0→ [∀i x(i) :=−b2 s
2 + v(i)s + x(i)]∀j 6=k x(j)6=x(k)
∀i 6=j x(i)6=x(j) →∀t≥0 [∀i x(i) :=−b2 t
2 + v(i)t + x(i)]∀j 6=k x(j)6=x(k)
∀i 6=j x(i)6=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j 6=k x(j) 6=x(k)
∀i 6=j x(i) 6=x(j)→ [∀i x(i)′′ = −b]∀j 6=k x(j)6=x(k)
( ) ( )
(2) (2) (1) (1) (3) (3) (4) (4)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 13 / 23
Deduction Modulo with Free Variables & Skolemization
∀i 6=j x(i)6=x(j) →∀j 6=k (x(j)≤x(k)∧v(j)≤v(k) ∨ x(j)≥x(k)∧v(j)≥v(k))
∀i 6=j x(i)6=x(j),s≥0 →∀j 6=k (−b2 s
2 + v(j)s + x(j) 6= −b2 s
2 + v(k)s + x(k))
∀i 6=j x(i)6=x(j),s≥0 →[∀i x(i) :=−b2 s
2 + v(i)s + x(i)]∀j 6=k x(j) 6=x(k)
∀i 6=j x(i)6=x(j) →s≥0→ [∀i x(i) :=−b2 s
2 + v(i)s + x(i)]∀j 6=k x(j)6=x(k)
∀i 6=j x(i)6=x(j) →∀t≥0 [∀i x(i) :=−b2 t
2 + v(i)t + x(i)]∀j 6=k x(j)6=x(k)
∀i 6=j x(i)6=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j 6=k x(j) 6=x(k)
∀i 6=j x(i) 6=x(j)→ [∀i x(i)′′ = −b]∀j 6=k x(j)6=x(k)
( ) ( )
(2) (2) (1) (1) (3) (3) (4) (4)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 13 / 23
Deduction Modulo with Free Variables & Skolemization
∀X ,Y ,V ,W (X 6=Y → X≤Y∧V≤W ∨ X≥Y∧V≥W )
∀i 6=j x(i)6=x(j) →∀j 6=k (x(j)≤x(k)∧v(j)≤v(k) ∨ x(j)≥x(k)∧v(j)≥v(k))
∀i 6=j x(i)6=x(j),s≥0 →∀j 6=k (−b2 s
2 + v(j)s + x(j) 6= −b2 s
2 + v(k)s + x(k))
∀i 6=j x(i)6=x(j),s≥0 →[∀i x(i) :=−b2 s
2 + v(i)s + x(i)]∀j 6=k x(j) 6=x(k)
∀i 6=j x(i)6=x(j) →s≥0→ [∀i x(i) :=−b2 s
2 + v(i)s + x(i)]∀j 6=k x(j)6=x(k)
∀i 6=j x(i)6=x(j) →∀t≥0 [∀i x(i) :=−b2 t
2 + v(i)t + x(i)]∀j 6=k x(j)6=x(k)
∀i 6=j x(i)6=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j 6=k x(j) 6=x(k)
∀i 6=j x(i) 6=x(j)→ [∀i x(i)′′ = −b]∀j 6=k x(j)6=x(k)
( ) ( )
(2) (2) (1) (1) (3) (3) (4) (4)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 13 / 23
Deduction Modulo with Free Variables & Skolemization
∀X ,Y ,V ,W (X 6=Y → X≤Y∧V≤W ∨ X≥Y∧V≥W )
∀i 6=j x(i)6=x(j) →∀j 6=k (x(j)≤x(k)∧v(j)≤v(k) ∨ x(j)≥x(k)∧v(j)≥v(k))
∀i 6=j x(i)6=x(j),s≥0 →∀j 6=k (−b2 s
2 + v(j)s + x(j) 6= −b2 s
2 + v(k)s + x(k))
∀i 6=j x(i)6=x(j),s≥0 →[∀i x(i) :=−b2 s
2 + v(i)s + x(i)]∀j 6=k x(j) 6=x(k)
∀i 6=j x(i)6=x(j) →s≥0→ [∀i x(i) :=−b2 s
2 + v(i)s + x(i)]∀j 6=k x(j)6=x(k)
∀i 6=j x(i)6=x(j) →∀t≥0 [∀i x(i) :=−b2 t
2 + v(i)t + x(i)]∀j 6=k x(j)6=x(k)
∀i 6=j x(i)6=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j 6=k x(j) 6=x(k)
∀i 6=j x(i) 6=x(j)→ [∀i x(i)′′ = −b]∀j 6=k x(j)6=x(k)
( ) ( )
(2) (2) (1) (1) (3) (3) (4) (4)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 13 / 23
Actual Existence and Creation
Actual Existence Function
∃
(·)
∃
(i) =
{0 if i denotes a possible object
1 if i denotes an actively existing objects
[(∀j :C n := j);
?(
∃
(n) = 0);
∃
(n) := 1
]φ
[n := newC ]φ
∀i :C ! φ ≡
∀i :C (
∃
(i) = 1→ φ)
∀i :C ! f (s) := θ ≡
∀i :C f (s) := (if
∃
(i) = 1 then θ else f (s))
∀i :C ! f (s)′ = θ ≡
∀i :C f (s)′ =
∃
(i)θ
( ) ( )
(2) (2) (1) (1) (3) (3) (4) (4)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 14 / 23
Actual Existence and Creation
Actual Existence Function
∃
(·)
∃
(i) =
{0 if i denotes a possible object
1 if i denotes an actively existing objects
[(∀j :C n := j);
?(
∃
(n) = 0);
∃
(n) := 1
]φ
[n := newC ]φ
∀i :C ! φ ≡
∀i :C (
∃
(i) = 1→ φ)
∀i :C ! f (s) := θ ≡
∀i :C f (s) := (if
∃
(i) = 1 then θ else f (s))
∀i :C ! f (s)′ = θ ≡
∀i :C f (s)′ =
∃
(i)θ
( ) ( )
(2) (2) (1) (1) (3) (3) (4) (4)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 14 / 23
Actual Existence and Creation
Actual Existence Function
∃
(·)
∃
(i) =
{0 if i denotes a possible object
1 if i denotes an actively existing objects
[(∀j :C n := j);
?(
∃
(n) = 0);
∃
(n) := 1
]φ
[n := newC ]φ
∀i :C ! φ ≡
∀i :C (
∃
(i) = 1→ φ)
∀i :C ! f (s) := θ ≡
∀i :C f (s) := (if
∃
(i) = 1 then θ else f (s))
∀i :C ! f (s)′ = θ ≡
∀i :C f (s)′ =
∃
(i)θ
( ) ( )
(2) (2) (1) (1) (3) (3) (4) (4)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 14 / 23
Actual Existence and Creation
Actual Existence Function
∃
(·)
∃
(i) =
{0 if i denotes a possible object
1 if i denotes an actively existing objects
[(∀j :C n := j); ?(
∃
(n) = 0);
∃
(n) := 1
]φ
[n := newC ]φ
∀i :C ! φ ≡
∀i :C (
∃
(i) = 1→ φ)
∀i :C ! f (s) := θ ≡
∀i :C f (s) := (if
∃
(i) = 1 then θ else f (s))
∀i :C ! f (s)′ = θ ≡
∀i :C f (s)′ =
∃
(i)θ
( ) ( )
(2) (2) (1) (1) (3) (3) (4) (4)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 14 / 23
Actual Existence and Creation
Actual Existence Function
∃
(·)
∃
(i) =
{0 if i denotes a possible object
1 if i denotes an actively existing objects
[(∀j :C n := j); ?(
∃
(n) = 0);
∃
(n) := 1]φ
[n := newC ]φ
∀i :C ! φ ≡
∀i :C (
∃
(i) = 1→ φ)
∀i :C ! f (s) := θ ≡
∀i :C f (s) := (if
∃
(i) = 1 then θ else f (s))
∀i :C ! f (s)′ = θ ≡
∀i :C f (s)′ =
∃
(i)θ
( ) ( )
(2) (2) (1) (1) (3) (3) (4) (4)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 14 / 23
Actual Existence and Creation
Actual Existence Function
∃
(·)
∃
(i) =
{0 if i denotes a possible object
1 if i denotes an actively existing objects
[(∀j :C n := j); ?(
∃
(n) = 0);
∃
(n) := 1]φ
[n := newC ]φ
∀i :C ! φ ≡
∀i :C (
∃
(i) = 1→ φ)
∀i :C ! f (s) := θ ≡
∀i :C f (s) := (if
∃
(i) = 1 then θ else f (s))
∀i :C ! f (s)′ = θ ≡
∀i :C f (s)′ =
∃
(i)θ
( ) ( )
(2) (2) (1) (1) (3) (3) (4) (4)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 14 / 23
Actual Existence and Creation
Actual Existence Function
∃
(·)
∃
(i) =
{0 if i denotes a possible object
1 if i denotes an actively existing objects
[(∀j :C n := j); ?(
∃
(n) = 0);
∃
(n) := 1]φ
[n := newC ]φ
∀i :C ! φ ≡ ∀i :C (
∃
(i) = 1→ φ)
∀i :C ! f (s) := θ ≡ ∀i :C f (s) := (if
∃
(i) = 1 then θ else f (s))
∀i :C ! f (s)′ = θ ≡ ∀i :C f (s)′ =
∃
(i)θ ( ) ( )
(2) (2) (1) (1) (3) (3) (4) (4)
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 14 / 23
Soundness and Completeness
Theorem (Relative Completeness)
QdL calculus is a sound & complete axiomatisation of distributed hybridsystems relative to quantified differential equations. Proof 16p.
Corollary (Proof-theoretical Alignment)
proving distributed hybrid systems = proving dynamical systems!
Corollary (Yes, we can!)
distributed hybrid systems can be verified by recursive decomposition
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 15 / 23
Soundness and Completeness
Theorem (Relative Completeness)
QdL calculus is a sound & complete axiomatisation of distributed hybridsystems relative to quantified differential equations. Proof 16p.
Corollary (Proof-theoretical Alignment)
proving distributed hybrid systems = proving dynamical systems!
Corollary (Yes, we can!)
distributed hybrid systems can be verified by recursive decomposition
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 15 / 23
Quantified Differential Invariants
Theorem (Quantified Differential Invariant) (HSCC’11)
(QdI)Q→[∀i :C f (i)′ := θ]F ′
F→[∀i :C f (i)′ = θ&Q]Fis sound
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 16 / 23
A Simple Proof with Quantified Differential Invariants
true
∀i :C 6x(i)2(x(i)2 + x(i)4 + 2) ≥ 0
[∀i :C x(i)′ := x(i)2 + x(i)4 + 2]∀i :C 6x(i)2x(i)′ ≥ 0
[∀i :C x(i)′ := x(i)2 + x(i)4 + 2]∀i :C (2x(i)3)′ ≥ 0
[∀i :C x(i)′ := x(i)2 + x(i)4 + 2](∀i :C 2x(i)3 ≥ 0)′
∀i :C 2x(i)3 ≥ 1 →[∀i :C x(i)′ = x(i)2 + x(i)4 + 2]∀i :C 2x(i)3 ≥ 1
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 17 / 23
A Simple Proof with Quantified Differential Invariants
true
∀i :C 6x(i)2(x(i)2 + x(i)4 + 2) ≥ 0
[∀i :C x(i)′ := x(i)2 + x(i)4 + 2]∀i :C 6x(i)2x(i)′ ≥ 0
[∀i :C x(i)′ := x(i)2 + x(i)4 + 2]∀i :C (2x(i)3)′ ≥ 0
[∀i :C x(i)′ := x(i)2 + x(i)4 + 2](∀i :C 2x(i)3 ≥ 0)′
∀i :C 2x(i)3 ≥ 1 →[∀i :C x(i)′ = x(i)2 + x(i)4 + 2]∀i :C 2x(i)3 ≥ 1
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 17 / 23
A Simple Proof with Quantified Differential Invariants
true
∀i :C 6x(i)2(x(i)2 + x(i)4 + 2) ≥ 0
[∀i :C x(i)′ := x(i)2 + x(i)4 + 2]∀i :C 6x(i)2x(i)′ ≥ 0
[∀i :C x(i)′ := x(i)2 + x(i)4 + 2]∀i :C (2x(i)3)′ ≥ 0
[∀i :C x(i)′ := x(i)2 + x(i)4 + 2](∀i :C 2x(i)3 ≥ 0)′
∀i :C 2x(i)3 ≥ 1 →[∀i :C x(i)′ = x(i)2 + x(i)4 + 2]∀i :C 2x(i)3 ≥ 1
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 17 / 23
A Simple Proof with Quantified Differential Invariants
true
∀i :C 6x(i)2(x(i)2 + x(i)4 + 2) ≥ 0
[∀i :C x(i)′ := x(i)2 + x(i)4 + 2]∀i :C 6x(i)2x(i)′ ≥ 0
[∀i :C x(i)′ := x(i)2 + x(i)4 + 2]∀i :C (2x(i)3)′ ≥ 0
[∀i :C x(i)′ := x(i)2 + x(i)4 + 2](∀i :C 2x(i)3 ≥ 0)′
∀i :C 2x(i)3 ≥ 1 →[∀i :C x(i)′ = x(i)2 + x(i)4 + 2]∀i :C 2x(i)3 ≥ 1
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 17 / 23
A Simple Proof with Quantified Differential Invariants
true
∀i :C 6x(i)2(x(i)2 + x(i)4 + 2) ≥ 0
[∀i :C x(i)′ := x(i)2 + x(i)4 + 2]∀i :C 6x(i)2x(i)′ ≥ 0
[∀i :C x(i)′ := x(i)2 + x(i)4 + 2]∀i :C (2x(i)3)′ ≥ 0
[∀i :C x(i)′ := x(i)2 + x(i)4 + 2](∀i :C 2x(i)3 ≥ 0)′
∀i :C 2x(i)3 ≥ 1 →[∀i :C x(i)′ = x(i)2 + x(i)4 + 2]∀i :C 2x(i)3 ≥ 1
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 17 / 23
A Simple Proof with Quantified Differential Invariants
true
∀i :C 6x(i)2(x(i)2 + x(i)4 + 2) ≥ 0
[∀i :C x(i)′ := x(i)2 + x(i)4 + 2]∀i :C 6x(i)2x(i)′ ≥ 0
[∀i :C x(i)′ := x(i)2 + x(i)4 + 2]∀i :C (2x(i)3)′ ≥ 0
[∀i :C x(i)′ := x(i)2 + x(i)4 + 2](∀i :C 2x(i)3 ≥ 0)′
∀i :C 2x(i)3 ≥ 1 →[∀i :C x(i)′ = x(i)2 + x(i)4 + 2]∀i :C 2x(i)3 ≥ 1
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 17 / 23
Outline
1 Motivation
2 Quantified Differential Dynamic Logic QdLDesignSyntaxSemantics
3 Proof Calculus for Distributed Hybrid SystemsCompositional Verification CalculusDeduction Modulo with Free Variables & SkolemizationActual Existence and CreationSoundness and CompletenessQuantified Differential Invariants
4 Applications
5 Conclusions
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 17 / 23
Driver’s License Test for Robotic Cars?
Proof!
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 18 / 23
Driver’s License Test for Robotic Cars?
Proof!
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 18 / 23
Driver’s License Test for Robotic Cars? Proof!
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 18 / 23
Car Control: Local Lane Control Challenge
Challenge: Local lane dynamics
A car controller for a differential equationrespects separation of local lane.
Follower car maintains safe distance to leader:
f � `→ [(ai := ctrl; x ′′i = ai )∗] f � `
f � ` ≡ (xf ≤ x`) ∧ (f 6= `)→
(x` > xf +v2f
2b−
v2`
2B∧ x` > xf ∧ vf ≥ 0 ∧ v` ≥ 0)
t0 t1 t2 t3 t4
-B
-b
0
A
BRAKING / ACCELERATION leader
follower
t0 t1 t2 t3 t4
VELOCITY
t0 t1 t2 t3 t4
TIME
POSITION
t0 t1 t2 t3 t4
t0 t1 t2 t3 t4
t0 t1 t2 t3 t4
A
0
-b
-B
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 19 / 23
Car Control: Local Lane Control Challenge
Challenge: Local lane dynamics
A car controller for a differential equationrespects separation of local lane.
Follower car maintains safe distance to leader:
f � `→ [(ai := ctrl; x ′′i = ai )∗] f � `
f � ` ≡ (xf ≤ x`) ∧ (f 6= `)→
(x` > xf +v2f
2b−
v2`
2B∧ x` > xf ∧ vf ≥ 0 ∧ v` ≥ 0)
t0 t1 t2 t3 t4
-B
-b
0
A
BRAKING / ACCELERATION leader
follower
t0 t1 t2 t3 t4
VELOCITY
t0 t1 t2 t3 t4
TIME
POSITION
t0 t1 t2 t3 t4
t0 t1 t2 t3 t4
t0 t1 t2 t3 t4
A
0
-b
-B
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 19 / 23
Car Control: Local Lane Control Challenge
Challenge: Local lane dynamics
A car controller for a differential equationrespects separation of local lane.
Follower car maintains safe distance to leader:
f � `→ [(ai := ctrl; x ′′i = ai )∗] f � `
f � ` ≡ (xf ≤ x`) ∧ (f 6= `)→
(x` > xf +v2f
2b−
v2`
2B∧ x` > xf ∧ vf ≥ 0 ∧ v` ≥ 0)
t0 t1 t2 t3 t4
-B
-b
0
A
BRAKING / ACCELERATION leader
follower
t0 t1 t2 t3 t4
VELOCITY
t0 t1 t2 t3 t4
TIME
POSITION
t0 t1 t2 t3 t4
t0 t1 t2 t3 t4
t0 t1 t2 t3 t4
A
0
-b
-B
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 19 / 23
Car Control: Local Lane Control Challenge
Challenge: Local lane dynamics
A car controller for a differential equationrespects separation of local lane.
Follower car maintains safe distance to leader:
f � `→ [(ai := ctrl; x ′′i = ai )∗] f � `
f � ` ≡ (xf ≤ x`) ∧ (f 6= `)→
(x` > xf +v2f
2b−
v2`
2B∧ x` > xf ∧ vf ≥ 0 ∧ v` ≥ 0)
t0 t1 t2 t3 t4
-B
-b
0
A
BRAKING / ACCELERATION leader
follower
t0 t1 t2 t3 t4
VELOCITY
t0 t1 t2 t3 t4
TIME
POSITION
t0 t1 t2 t3 t4
t0 t1 t2 t3 t4
t0 t1 t2 t3 t4
A
0
-b
-B
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 19 / 23
Car Control: Global Lane Control Challenge
Challenge: Global lane dynamics
All controllers for arbitrarily manydifferential equations respectseparation globally on lane.
Each car safe behind all others
! !
[(∀i a(i) := ctrl; ∀i x(i)′′ = a(i))∗]∀i , j i � j
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 20 / 23
Car Control: Global Lane Control Challenge
Challenge: Global lane dynamics
All controllers for arbitrarily manydifferential equations respectseparation globally on lane.
Each car safe behind all others
! !
[(∀i a(i) := ctrl; ∀i x(i)′′ = a(i))∗]∀i , j i � j
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 20 / 23
Car Control: Global Lane Control Challenge
Challenge: Global lane dynamics
All controllers for arbitrarily manydifferential equations respectseparation globally on lane.
Each car safe behind all others
! !
[(∀i a(i) := ctrl; ∀i x(i)′′ = a(i))∗]∀i , j i � j
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 20 / 23
Car Control: Local Highway Control Challenge
Challenge: Local highway dynamics
All controllers for arbitrarily manydifferential equations respectseparation locally on highway.
For each lane: all controllers for thedifferential equations respectseparation even if cars appear ordisappear.
Each car safe behind all others, even ifnew cars appear or disappear.
!
[(n := newC ; ∀i a(i) := ctrl; ∀i x(i)′′ = a(i))∗]∀i , j i � j
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 21 / 23
Car Control: Local Highway Control Challenge
Challenge: Local highway dynamics
All controllers for arbitrarily manydifferential equations respectseparation locally on highway.
For each lane: all controllers for thedifferential equations respectseparation even if cars appear ordisappear.
Each car safe behind all others, even ifnew cars appear or disappear.
!
[(n := newC ; ∀i a(i) := ctrl; ∀i x(i)′′ = a(i))∗]∀i , j i � j
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 21 / 23
Car Control: Local Highway Control Challenge
Challenge: Local highway dynamics
All controllers for arbitrarily manydifferential equations respectseparation locally on highway.
For each lane: all controllers for thedifferential equations respectseparation even if cars appear ordisappear.
Each car safe behind all others, even ifnew cars appear or disappear.
!
[(n := newC ; ∀i a(i) := ctrl; ∀i x(i)′′ = a(i))∗]∀i , j i � j
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 21 / 23
Car Control: Local Highway Control Challenge
Challenge: Local highway dynamics
All controllers for arbitrarily manydifferential equations respectseparation locally on highway.
For each lane: all controllers for thedifferential equations respectseparation even if cars appear ordisappear.
Each car safe behind all others, even ifnew cars appear or disappear.
!
[(n := newC ; ∀i a(i) := ctrl; ∀i x(i)′′ = a(i))∗]∀i , j i � j
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 21 / 23
Car Control: Global Highway Control Challenge
Challenge: Global highway dynamics
All controllers for arbitrarilymany differential equationsrespect separation globally onhighway.
All controllers for the differentialequations respect separationeven if cars switch lanes.
On all lanes, all car safe behindall others on their lanes, even ifcars switch lanes.
!
[∀l (n := newC ; ∀i a(i) := ctrl; ∀i x(i)′′ = a(i))∗]∀l ∀i , j i � j
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 22 / 23
Car Control: Global Highway Control Challenge
Challenge: Global highway dynamics
All controllers for arbitrarilymany differential equationsrespect separation globally onhighway.
All controllers for the differentialequations respect separationeven if cars switch lanes.
On all lanes, all car safe behindall others on their lanes, even ifcars switch lanes.
!
[∀l (n := newC ; ∀i a(i) := ctrl; ∀i x(i)′′ = a(i))∗]∀l ∀i , j i � j
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 22 / 23
Car Control: Global Highway Control Challenge
Challenge: Global highway dynamics
All controllers for arbitrarilymany differential equationsrespect separation globally onhighway.
All controllers for the differentialequations respect separationeven if cars switch lanes.
On all lanes, all car safe behindall others on their lanes, even ifcars switch lanes.
!
[∀l (n := newC ; ∀i a(i) := ctrl; ∀i x(i)′′ = a(i))∗]∀l ∀i , j i � j
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 22 / 23
Car Control: Global Highway Control Challenge
Challenge: Global highway dynamics
All controllers for arbitrarilymany differential equationsrespect separation globally onhighway.
All controllers for the differentialequations respect separationeven if cars switch lanes.
On all lanes, all car safe behindall others on their lanes, even ifcars switch lanes.
!
[∀l (n := newC ; ∀i a(i) := ctrl; ∀i x(i)′′ = a(i))∗]∀l ∀i , j i � j
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 22 / 23
Outline
1 Motivation
2 Quantified Differential Dynamic Logic QdLDesignSyntaxSemantics
3 Proof Calculus for Distributed Hybrid SystemsCompositional Verification CalculusDeduction Modulo with Free Variables & SkolemizationActual Existence and CreationSoundness and CompletenessQuantified Differential Invariants
4 Applications
5 Conclusions
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 22 / 23
Conclusions
quantified differential dynamic logic
QdL = FOL + DL + QHP[α]φ φ
α
Distributed hybrid systems everywhere
System model and semantics
Logic for distributed hybrid systems
Compositional proof calculus
First verification approach
Sound & complete / diff. eqn.
Quantified differential invariants
Distributed car control verified
Distributed aircraft control verified
dis
cre
te contin
uo
us
no
nd
et
sto
chastic
advers
arial
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 23 / 23
Conclusions
quantified differential dynamic logic
QdL = FOL + DL + QHP[α]φ φ
α
Distributed hybrid systems everywhere
System model and semantics
Logic for distributed hybrid systems
Compositional proof calculus
First verification approach
Sound & complete / diff. eqn.
Quantified differential invariants
Distributed car control verified
Distributed aircraft control verified
dis
cre
te contin
uo
us
no
nd
et
sto
chastic
advers
arial
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 23 / 23
Andre Platzer.A complete axiomatization of quantified differential dynamic logic fordistributed hybrid systems.Log. Meth. Comput. Sci., 8(4):1–44, 2012.Special issue for selected papers from CSL’10.
Andre Platzer.Quantified differential dynamic logic for distributed hybrid systems.In Anuj Dawar and Helmut Veith, editors, CSL, volume 6247 of LNCS,pages 469–483. Springer, 2010.
Andre Platzer.Quantified differential invariants.In Emilio Frazzoli and Radu Grosu, editors, HSCC, pages 63–72.ACM, 2011.
Akash Deshpande, Aleks Gollu, and Pravin Varaiya.SHIFT: A formalism and a programming language for dynamicnetworks of hybrid automata.
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 0 / 0
In Panos J. Antsaklis, Wolf Kohn, Anil Nerode, and Shankar Sastry,editors, Hybrid Systems, volume 1273 of LNCS, pages 113–133.Springer, 1996.
Fabian Kratz, Oleg Sokolsky, George J. Pappas, and Insup Lee.R-Charon, a modeling language for reconfigurable hybrid systems.In Hespanha and Tiwari [12], pages 392–406.
Zhou Chaochen, Wang Ji, and Anders P. Ravn.A formal description of hybrid systems.In Rajeev Alur, Thomas A. Henzinger, and Eduardo D. Sontag,editors, Hybrid Systems, volume 1066 of LNCS, pages 511–530.Springer, 1995.
Pieter J. L. Cuijpers and Michel A. Reniers.Hybrid process algebra.J. Log. Algebr. Program., 62(2):191–245, 2005.
D. A. van Beek, Ka L. Man, Michel A. Reniers, J. E. Rooda, andRamon R. H. Schiffelers.Syntax and consistent equation semantics of hybrid Chi.
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 0 / 0
J. Log. Algebr. Program., 68(1-2):129–210, 2006.
William C. Rounds.A spatial logic for the hybrid π-calculus.In Rajeev Alur and George J. Pappas, editors, HSCC, volume 2993 ofLNCS, pages 508–522. Springer, 2004.
Jan A. Bergstra and C. A. Middelburg.Process algebra for hybrid systems.Theor. Comput. Sci., 335(2-3):215–280, 2005.
Jose Meseguer and Raman Sharykin.Specification and analysis of distributed object-based stochastic hybridsystems.In Hespanha and Tiwari [12], pages 460–475.
Joao P. Hespanha and Ashish Tiwari, editors.Hybrid Systems: Computation and Control, 9th InternationalWorkshop, HSCC 2006, Santa Barbara, CA, USA, March 29-31, 2006,Proceedings, volume 3927 of LNCS. Springer, 2006.
Andre Platzer (CMU) FCPS / 25: Distributed Systems & Hybrid Systems 0 / 0