proving hybrid systems - symbolaris.comsymbolaris.com/pub/fmcad-slides.pdf · proving hybrid...

Proving Hybrid Systems

Andre Platzer

[email protected]

Computer Science DepartmentCarnegie Mellon University, Pittsburgh, PA

0.20.4

0.60.8

1.00.1

0.2

0.3

0.4

0.5

Andre Platzer (CMU) Proving Hybrid Systems FMCAD 1 / 40

Outline

1 CPS are Multi-Dynamical SystemsHybrid SystemsHybrid Games

2 Dynamic Logic of Dynamical SystemsSyntaxSemanticsExample: Car Control Design

3 Proofs for CPSCompositional Proof CalculusExample: Safe Car Control

4 Theory of CPSSoundness and CompletenessDifferential InvariantsExample: Elementary Differential InvariantsDifferential Axioms

5 Applications6 Summary


http://symbolaris.com/andre.html

CPSs Promise Transformative Impact!

Prospects: Safe & Efficient

Driver assistanceAutonomous cars

Pilot decision supportAutopilots / UAVs

Train protectionRobots help people

Prerequisite: CPS need to be safe

How do we make sure CPS make the world a better place?



Can you trust a computer to control physics?

Rationale1 Safety guarantees require analytic foundations.

2 Foundations revolutionized digital computer science & our society.

3 Need even stronger foundations when software reaches out into ourphysical world.

Cyber-physical Systems

CPS combine cyber capabilities with physical capabilities to solve problemsthat neither part could solve alone.

How can we provide people with cyber-physical systems they can bet theirlives on? — Jeannette Wing


CPSs are Multi-Dynamical Systems

dis

cre

te contin

uo

us

nondet

sto

chastic

advers

arial

CPS Dynamics

CPS are characterized by multiplefacets of dynamical systems.

CPS Compositions

CPS combine multiplesimple dynamical effects.

Tame Parts

Exploiting compositionalitytames CPS complexity.



CPS Analysis

Challenge (Hybrid Systems)

Fixed rule describing stateevolution with both

Discrete dynamics(control decisions)

Continuous dynamics(differential equations)

0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

2 4 6 8 10t

-0.8

-0.6

-0.4

-0.2

0.2

a

2 4 6 8 10t

0.2

0.4

0.6

0.8

1.0

v

2 4 6 8 10t

2

4

6

8

p

px

py



CPS Analysis





0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

2 4 6 8 10t

-0.8

-0.6

-0.4

-0.2

0.2

a

2 4 6 8 10t

-1.0

-0.5

0.5

Ω

2 4 6 8 10t

-0.5

0.5

1.0

d

dx

dy



CPS Analysis





0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

2 4 6 8 10t

-4

-3

-2

-1

a

2 4 6 8 10t

0.2

0.4

0.6

0.8

1.0

v

2 4 6 8 10t

1

2

3

4

ppx

py



CPS Analysis





0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

2 4 6 8 10t

-4

-3

-2

-1

a

2 4 6 8 10t

-1.0

-0.5

0.5

Ω

2 4 6 8 10t

-0.5

0.5

1.0

d

dx

dy



CPS Analysis: Other Agents

Challenge (Hybrid Games)

Game rules describing playchoices with



Adversarial dynamics(Angel vs. Demon )

2 4 6 8 10t

-0.6

-0.4

-0.2

0.2

0.4

a

2 4 6 8 10t

0.2

0.4

0.6

0.8

1.0

1.2

v

2 4 6 8 10t

1

2

3

4

5

6

7

p

px

py



CPS Analysis: Other Agents

Challenge (Hybrid Games)

Game rules describing playchoices with



Adversarial dynamics(Angel vs. Demon )

2 4 6 8 10t

-0.6

-0.4

-0.2

0.2

0.4

a

2 4 6 8 10t

-1.0

-0.5

0.5

Ω

2 4 6 8 10t

-0.5

0.5

1.0

d

dx

dy



CPSs are Multi-Dynamical Systems

dis

cre

te contin

uo

us

nondet

sto

chastic

advers

arial

hybrid systems

HS = discrete + ODE

stochastic hybrid sys.

SHS = HS + stochastics

5 10 15 20

-0.3

-0.2

-0.1

0.1

0.2

0.3

hybrid games

HG = HS + adversary

distributed hybrid sys.

DHS = HS + distributed



Dynamic Logics for Dynamical Systems

dis

cre

te contin

uo

us

nondet

sto

chastic

advers

arial

differential dynamic logic

dL = DL + HP[α]φ φ

α

stochastic differential DL

SdL = DL + SHP

〈α〉φφ

differential game logic

dGL = GL + HG

〈α〉φφ

quantified differential DL

QdL = FOL + DL + QHPJAR’08,CADE’11,LMCS’12,LICS’12 LICS’12,CADE’15,TOCL’15



http://dx.doi.org/10.1007/s10817-008-9103-8

http://dx.doi.org/10.1007/978-3-642-22438-6_34

http://reports-archive.adm.cs.cmu.edu/anon/2013/CMU-CS-13-100R.pdf

http://dx.doi.org/10.2168/LMCS-8(4:17)2012

http://dx.doi.org/10.1007/s10817-008-9103-8

http://dx.doi.org/10.1007/978-3-642-22438-6_34


http://dx.doi.org/10.1109/LICS.2012.64


http://dx.doi.org/10.1007/978-3-319-21401-6_32

http://arxiv.org/abs/1408.1980

Outline








CPS Analysis

Concept (Differential Dynamic Logic) (JAR’08,LICS’12)

0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

x 6= m ∧ b > 0︸︷︷︸init

→[(

(if(SB(x ,m)) a :=−b) ; x ′ = v , v ′ = a)∗]

x 6= m︸︷︷︸post

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

[α]φ φα



http://dx.doi.org/10.1007/s10817-008-9103-8


CPS Analysis


x 6= m

x 6= m ∧ b > 0︸︷︷︸init

→[(

(if(SB(x ,m)) a :=−b) ; x ′ = v , v ′ = a)∗]


1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

[α]φ φα



http://dx.doi.org/10.1007/s10817-008-9103-8


CPS Analysis


x 6= m

x 6= m

x 6= m

x 6= m

x 6= m ∧ b > 0︸︷︷︸init

→[(

(if(SB(x ,m)) a :=−b) ; x ′ = v , v ′ = a)∗]


1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

[α]φ φα



http://dx.doi.org/10.1007/s10817-008-9103-8


CPS Analysis


[ ]x 6= m

x 6= m

x 6= m

x 6= m

x 6= m ∧ b > 0︸︷︷︸init

→[(

(if(SB(x ,m)) a :=−b) ; x ′ = v , v ′ = a)∗]


1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

[α]φ φα



http://dx.doi.org/10.1007/s10817-008-9103-8


CPS Analysis


[ ]x 6= m

x 6= m

x 6= m

x 6= m

x 6= m ∧ b > 0︸︷︷︸init

→[(

(if(SB(x ,m)) a :=−b) ;

x ′ = v , v ′ = a

)∗]x 6= m︸︷︷︸

post

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

ODE

[α]φ φα



http://dx.doi.org/10.1007/s10817-008-9103-8


CPS Analysis


[ ]x 6= m

x 6= m

x 6= m

x 6= m

x 6= m ∧ b > 0︸︷︷︸init

→[(

(if(SB(x ,m))

a :=−b

) ;

x ′ = v , v ′ = a

)∗]x 6= m︸︷︷︸

post

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

ODEassign

[α]φ φα



http://dx.doi.org/10.1007/s10817-008-9103-8


CPS Analysis


[ ]x 6= m

x 6= m

x 6= m

x 6= m

x 6= m ∧ b > 0︸︷︷︸init

→[(

(if(SB(x ,m)) a :=−b)

;

x ′ = v , v ′ = a

)∗]x 6= m︸︷︷︸

post

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

ODEassigntest

[α]φ φα



http://dx.doi.org/10.1007/s10817-008-9103-8


CPS Analysis


x 6= m ∧ b > 0︸︷︷︸init

→[(

(if(SB(x ,m)) a :=−b) ; x ′ = v , v ′ = a

)∗]x 6= m︸︷︷︸

post

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

ODEassigntest

seq.compose

[α]φ φα



http://dx.doi.org/10.1007/s10817-008-9103-8


CPS Analysis


x 6= m ∧ b > 0︸︷︷︸init

→[

((if(SB(x ,m)) a :=−b) ; x ′ = v , v ′ = a

)∗

]x 6= m︸︷︷︸

post

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

ODEassigntest

seq.compose

nondet.repeat

[α]φ φα



http://dx.doi.org/10.1007/s10817-008-9103-8


CPS Analysis


[ ]x 6= m

x 6= m

x 6= m

x 6= m

x 6= m ∧ b > 0︸︷︷︸init

→

[((if(SB(x ,m)) a :=−b) ; x ′ = v , v ′ = a

)∗]x 6= m︸︷︷︸

post

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

xall runs

[α]φ φα



http://dx.doi.org/10.1007/s10817-008-9103-8


CPS Analysis


[ ]x 6= m

x 6= m

x 6= m

x 6= m

x 6= m ∧ b > 0︸︷︷︸init

→[(

(if(SB(x ,m)) a :=−b) ; x ′ = v , v ′ = a)∗]


1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

[α]φ φα



http://dx.doi.org/10.1007/s10817-008-9103-8


CPS Analysis


[ ]x 6= m

x 6= m

x 6= m

x 6= m

x 6= m ∧ b > 0︸︷︷︸init

→[(

(?¬SB(x ,m) ∪a :=−b) ; x ′ = v , v ′ = a)∗]


1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

nondet.choice

[α]φ φα



http://dx.doi.org/10.1007/s10817-008-9103-8


CPS Analysis


[ ]x 6= m

x 6= m

x 6= m

x 6= m

x 6= m ∧ b > 0︸︷︷︸init

→[(

(?¬SB(x ,m) ∪a :=−b) ; x ′ = v , v ′ = a)∗]


1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

nondet.choice

test

[α]φ φα



http://dx.doi.org/10.1007/s10817-008-9103-8


Hybrid Programs vs. Hybrid Automata

Want: Compositional verification

far

cls

brk

fsa

x 6= m

NotCompositional

far ≡ x ′ = v , v ′ = A&¬SB(x ,m)

brk ≡ x ′ = v , v ′ = −b & SB(x ,m) ∨ true

cls ≡ x ′ = v , v ′ = . . .& . . .

fsa ≡ x ′ = 0, v ′ = 0 & v = 0



Hybrid Programs vs. Hybrid Automata

Want: Compositional verification

far

cls

brk

fsa

cls x 6= m

NotCompositional

far ≡ x ′ = v , v ′ = A&¬SB(x ,m)

brk ≡ x ′ = v , v ′ = −b & SB(x ,m) ∨ true

cls ≡ x ′ = v , v ′ = . . .& . . .

fsa ≡ x ′ = 0, v ′ = 0 & v = 0



Differential Dynamic Logic dL: Syntax

Definition (Hybrid program a)

x := f (x) | ?Q | x ′ = f (x) &Q | a ∪ b | a; b | a∗

Definition (dL Formula P)

e1 ≥ e2 | ¬P | P ∧ Q | ∀x P | ∃x P | [a]P | 〈a〉P

DiscreteAssign

TestCondition

DifferentialEquation

Nondet.Choice

Seq.Compose

Nondet.Repeat

AllReals

SomeReals

AllRuns

SomeRuns



Differential Dynamic Logic dL: Semantics

Definition (Hybrid program semantics) ([[·]] : HP→ ℘(S × S))

[[x := f (x)]] = (v ,w) : w = v except [[x ]]w = [[f (x)]]v[[?Q]] = (v , v) : v ∈ [[Q]]

[[x ′ = f (x)]] = (ϕ(0), ϕ(r)) : ϕ |= x ′ = f (x) for some duration r[[a ∪ b]] = [[a]] ∪ [[b]]

[[a; b]] = [[a]] [[b]]

[[a∗]] =⋃n∈N

[[an]]

Definition (dL semantics) ([[·]] : Fml→ ℘(S))

[[e1 ≥ e2]] = v : [[e1]]v ≥ [[e2]]v[[¬P]] = ([[P]])

[[P ∧ Q]] = [[P]] ∩ [[Q]][[〈a〉P]] = [[a]] [[P]] = v : w ∈ [[P]] for some w (v ,w) ∈ [[a]][[[a]P]] = [[¬〈a〉¬P]] = v : w ∈ [[P]] for all w (v ,w) ∈ [[a]][[∃x P]] = v : v rx ∈ [[P]] for some r ∈ R



Differential Dynamic Logic dL: Transition Semantics

v wx := f (x)

t

x

0

v

w if w(x) = [[f (x)]]vand w(z) = v(z) for z 6= x

v wx ′ = f (x) &Q

t

x

Qw

v

ϕ(t)

0 rx ′ = f (x) &Q

v

?Q

if v ∈ [[Q]]t

x

0

v no change if v ∈ [[Q]]otherwise no transition




v

w1

w2

a

b

a ∪ b

t

xv w1

w2

v s w

a ; b

a b t

x

s

v w

v v1 v2 w

a∗

a a a

a b a b a b

t

xv w




v

w1

w2

a

b

a ∪ b

t

xv w1

w2

v s w

a ; b

a b t

x

s

v w

v v1 v2 w

(a; b)∗

a b a b a b t

xv w




Definition (dL Formulas)

v[a]P

P

P

P

a-span

[a]P

〈b〉P

b-span

〈b〉[a

]-sp

an

compositional semantics ⇒ compositional proofs!





v〈a〉P

P

a-span

[a]P

〈b〉P

b-span

〈b〉[a

]-sp

an






v a-span

[a]P

〈b〉P

b-span

〈b〉[a

]-sp

an




Ex: Car Control

Accelerate condition ?H

depends on A

Example ( Single car cars)(((?H; a := A) ∪ a :=−b); x ′ = v , v ′ = a& v ≥ 0

)∗

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x



Ex: Car Control Properties time-triggered

H ≡ 2b(m − x) ≥ v2 +(A + b

)(Aε2 + 2εv

)

Example (Single car carε time-triggered)(((?H; a := A) ∪ a :=−b); t := 0; x ′ = v , v ′ = a, t ′ = 1 & v ≥ 0 ∧ t ≤ ε

)∗Example ( Safely stays before traffic light m)

v2 ≤ 2b(m − x) ∧ A ≥ 0 ∧ b > 0→ [carε]x ≤ m

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x



http://symbolaris.com/info/ex/KeYmaera--lics4a-time-safe.jnlp

Ex: Car Control Properties time-triggered

H ≡ 2b(m − x) ≥ v2 +(A + b

)(Aε2 + 2εv

)

Example (Single car carε time-triggered)(((?H; a := A) ∪ a :=−b); t := 0; x ′ = v , v ′ = a, t ′ = 1 & v ≥ 0 ∧ t ≤ ε

)∗Example ( Live, can move everywhere)

ε > 0 ∧ A > 0 ∧ b > 0→ ∀p ∃m 〈carε〉 x ≥ p

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x



http://symbolaris.com/info/ex/KeYmaera--lics4b-time-live.jnlp

Outline








Differential Dynamic Logic: Axioms

[:=] [x := f ]p(x)↔ p(f )

[?] [?q]p ↔ (q → p)

[∪] [a ∪ b]p(x)↔ [a]p(x) ∧ [b]p(x)

[;] [a; b]p(x)↔ [a][b]p(x)

[∗] [a∗]p(x)↔ p(x) ∧ [a][a∗]p(x)

K [a](p(x)→ q(x))→ ([a]p(x)→ [a]q(x))

I [a∗](p(x)→ [a]p(x))→ (p(x)→ [a∗]p(x))

V p → [a]p

DS [x ′ = f ]p(x)↔ ∀t≥0 [x := x + ft]p(x)LICS’12,CADE’15




http://dx.doi.org/10.1007/978-3-319-21401-6_32

Proofs for Hybrid Systems

compositional semantics ⇒ compositional rules!

[a]p(x) ∧ [b]p(x)

[a ∪ b]p(x)v

w1

w2

ap(x)

bp(x)

a ∪ b

[a][b]p(x)

[a; b]p(x)v s w

a; b

[a][b]p(x)a

[b]p(x)b

p(x)

p(x) p(x)→ [a]p(x)

[a∗]p(x) v w

a∗

p(x)

a

p(x)→ [a]p(x)

a a

p(x)



Proofs for Hybrid Systems

[a]p(x) ∧ [b]p(x)

[a ∪ b]p(x)v

w1

w2

ap(x)

bp(x)

a ∪ b

[a][b]p(x)

[a; b]p(x)v s w

a; b

[a][b]p(x)a

[b]p(x)b

p(x)

p(x) p(x)→ [a]p(x)

[a∗]p(x) v w

a∗

p(x)

a

p(x)→ [a]p(x)

a a

p(x)



Example Proof: Safe Driving

J(x , v) ≡ x ≤ m

J(x , v) →v2 ≤ 2b(m − x)

QEJ(x , v) →∀t≥0 (−b2 t

2 + vt + x ≤ m)

[:=]J(x , v) →∀t≥0 [x :=−b2 t

2 + vt + x ]J(x , v)

[′] J(x , v) →[x ′ = v , v ′ = −b]J(x , v)

[:=]J(x , v) →[a :=−b][x ′ = v , v ′ = a]J(x , v)

[;] J(x , v) →[a :=−b; (x ′ = v , v ′ = a)]J(x , v)

CADE’15Andre Platzer (CMU) Proving Hybrid Systems FMCAD 20 / 40


http://dx.doi.org/10.1007/978-3-319-21401-6_32


J(x , v) ≡ x ≤ m

J(x , v) →v2 ≤ 2b(m − x)

QEJ(x , v) →∀t≥0 (−b2 t

2 + vt + x ≤ m)

[:=]J(x , v) →∀t≥0 [x :=−b2 t

2 + vt + x ]J(x , v)

[′] J(x , v) →[x ′ = v , v ′ = −b]J(x , v)

[:=]J(x , v) →[a :=−b][x ′ = v , v ′ = a]J(x , v)[;] J(x , v) →[a :=−b; (x ′ = v , v ′ = a)]J(x , v)



http://dx.doi.org/10.1007/978-3-319-21401-6_32


J(x , v) ≡ x ≤ m

J(x , v) →v2 ≤ 2b(m − x)

QEJ(x , v) →∀t≥0 (−b2 t

2 + vt + x ≤ m)

[:=]J(x , v) →∀t≥0 [x :=−b2 t

2 + vt + x ]J(x , v)

[′] J(x , v) →[x ′ = v , v ′ = −b]J(x , v)[:=]J(x , v) →[a :=−b][x ′ = v , v ′ = a]J(x , v)[;] J(x , v) →[a :=−b; (x ′ = v , v ′ = a)]J(x , v)



http://dx.doi.org/10.1007/978-3-319-21401-6_32


J(x , v) ≡ x ≤ m

J(x , v) →v2 ≤ 2b(m − x)

QEJ(x , v) →∀t≥0 (−b2 t

2 + vt + x ≤ m)

[:=]J(x , v) →∀t≥0 [x :=−b2 t

2 + vt + x ]J(x , v)[′] J(x , v) →[x ′ = v , v ′ = −b]J(x , v)




http://dx.doi.org/10.1007/978-3-319-21401-6_32


J(x , v) ≡ x ≤ m

J(x , v) →v2 ≤ 2b(m − x)

QEJ(x , v) →∀t≥0 (−b2 t

2 + vt + x ≤ m)[:=]J(x , v) →∀t≥0 [x :=−b

2 t2 + vt + x ]J(x , v)

[′] J(x , v) →[x ′ = v , v ′ = −b]J(x , v)[:=]J(x , v) →[a :=−b][x ′ = v , v ′ = a]J(x , v)[;] J(x , v) →[a :=−b; (x ′ = v , v ′ = a)]J(x , v)



http://dx.doi.org/10.1007/978-3-319-21401-6_32


J(x , v) ≡ x ≤ m

J(x , v) →v2 ≤ 2b(m − x)QEJ(x , v) →∀t≥0 (−b

2 t2 + vt + x ≤ m)

[:=]J(x , v) →∀t≥0 [x :=−b2 t





http://dx.doi.org/10.1007/978-3-319-21401-6_32


x

v

m

J(x , v) ≡ v2 ≤ 2b(m − x)

J(x , v) →v2 ≤ 2b(m − x)QEJ(x , v) →∀t≥0 (−b

2 t2 + vt + x ≤ m)

[:=]J(x , v) →∀t≥0 [x :=−b2 t





http://dx.doi.org/10.1007/978-3-319-21401-6_32


x

v

m

J(x , v) ≡ v2 ≤ 2b(m − x)

J(x , v) →¬SB→ (Aε+ v)2 ≤ 2b(m − A2 ε

2 − vε− x)

QEJ(x , v) →¬SB→ ∀t≥0 (t ≤ ε→ (At + v)2 ≤ 2b(m − A2 t

2 − vt − x))

J(x , v) →¬SB→ ∀t≥0 (t ≤ ε→ J(A2 t2 + vt + x ,At + v))

[:=]J(x , v) →¬SB→ ∀t≥0 (t ≤ ε→ [x := A2 t

2 + vt + x ]J(x , v))

[′] J(x , v) →¬SB→ [x ′ = v , v ′ = A, t ′ = 1 & t ≤ ε]J(x , v)

[:=]J(x , v) →¬SB→ [a := A][x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε]J(x , v)

[;] J(x , v) →¬SB→ [a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)

[?] J(x , v) →[?¬SB][a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)

[;] J(x , v) →[?¬SB; a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)



http://dx.doi.org/10.1007/978-3-319-21401-6_32


x

v

m

J(x , v) ≡ v2 ≤ 2b(m − x)

J(x , v) →¬SB→ (Aε+ v)2 ≤ 2b(m − A2 ε

2 − vε− x)


2 − vt − x))


[:=]J(x , v) →¬SB→ ∀t≥0 (t ≤ ε→ [x := A2 t

2 + vt + x ]J(x , v))



[;] J(x , v) →¬SB→ [a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)

[?] J(x , v) →[?¬SB][a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)[;] J(x , v) →[?¬SB; a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)



http://dx.doi.org/10.1007/978-3-319-21401-6_32


x

v

m

J(x , v) ≡ v2 ≤ 2b(m − x)

J(x , v) →¬SB→ (Aε+ v)2 ≤ 2b(m − A2 ε

2 − vε− x)


2 − vt − x))


[:=]J(x , v) →¬SB→ ∀t≥0 (t ≤ ε→ [x := A2 t

2 + vt + x ]J(x , v))



[;] J(x , v) →¬SB→ [a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)[?] J(x , v) →[?¬SB][a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)[;] J(x , v) →[?¬SB; a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)



http://dx.doi.org/10.1007/978-3-319-21401-6_32


x

v

m

J(x , v) ≡ v2 ≤ 2b(m − x)

J(x , v) →¬SB→ (Aε+ v)2 ≤ 2b(m − A2 ε

2 − vε− x)


2 − vt − x))


[:=]J(x , v) →¬SB→ ∀t≥0 (t ≤ ε→ [x := A2 t

2 + vt + x ]J(x , v))


[:=]J(x , v) →¬SB→ [a := A][x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε]J(x , v)[;] J(x , v) →¬SB→ [a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)[?] J(x , v) →[?¬SB][a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)[;] J(x , v) →[?¬SB; a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)



http://dx.doi.org/10.1007/978-3-319-21401-6_32


x

v

m

J(x , v) ≡ v2 ≤ 2b(m − x)

J(x , v) →¬SB→ (Aε+ v)2 ≤ 2b(m − A2 ε

2 − vε− x)


2 − vt − x))


[:=]J(x , v) →¬SB→ ∀t≥0 (t ≤ ε→ [x := A2 t

2 + vt + x ]J(x , v))

[′] J(x , v) →¬SB→ [x ′ = v , v ′ = A, t ′ = 1 & t ≤ ε]J(x , v)[:=]J(x , v) →¬SB→ [a := A][x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε]J(x , v)[;] J(x , v) →¬SB→ [a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)[?] J(x , v) →[?¬SB][a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)[;] J(x , v) →[?¬SB; a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)



http://dx.doi.org/10.1007/978-3-319-21401-6_32


x

v

m

J(x , v) ≡ v2 ≤ 2b(m − x)

J(x , v) →¬SB→ (Aε+ v)2 ≤ 2b(m − A2 ε

2 − vε− x)


2 − vt − x))


[:=]J(x , v) →¬SB→ ∀t≥0 (t ≤ ε→ [x := A2 t

2 + vt + x ]J(x , v))[′] J(x , v) →¬SB→ [x ′ = v , v ′ = A, t ′ = 1 & t ≤ ε]J(x , v)




http://dx.doi.org/10.1007/978-3-319-21401-6_32


x

v

m

J(x , v) ≡ v2 ≤ 2b(m − x)

J(x , v) →¬SB→ (Aε+ v)2 ≤ 2b(m − A2 ε

2 − vε− x)QEJ(x , v) →¬SB→ ∀t≥0 (t ≤ ε→ (At + v)2 ≤ 2b(m − A

2 t2 − vt − x))


[:=]J(x , v) →¬SB→ ∀t≥0 (t ≤ ε→ [x := A2 t





http://dx.doi.org/10.1007/978-3-319-21401-6_32


x

v

m

J(x , v) ≡ v2 ≤ 2b(m − x)SB ≡ 2b(m− x) < v2 + (A+b)(Aε2 + 2εv)

J(x , v) →¬SB→ (Aε+ v)2 ≤ 2b(m − A2 ε

2 − vε− x)QEJ(x , v) →¬SB→ ∀t≥0 (t ≤ ε→ (At + v)2 ≤ 2b(m − A

2 t2 − vt − x))


[:=]J(x , v) →¬SB→ ∀t≥0 (t ≤ ε→ [x := A2 t





http://dx.doi.org/10.1007/978-3-319-21401-6_32


x

v

m


previous proofs for braking and acceleration

J(x , v) →[a :=−b][x ′′ = a . .]J(x , v) ∧ [?¬SB; a := A][x ′′ = a . .]J(x , v)

[∪]J(x , v) →[a :=−b ∪ ?¬SB; a := A][x ′′ = a, t ′ = 1 & t ≤ ε]J(x , v)

[;] J(x , v) →[(a :=−b ∪ ?¬SB; a := A); x ′′ = a, t ′ = 1 & t ≤ ε]J(x , v)

indJ(x , v) →[((a :=−b ∪ ?¬SB; a := A); x ′′ = a, t ′ = 1 & t ≤ ε

)∗]J(x , v)



http://dx.doi.org/10.1007/978-3-319-21401-6_32


x

v

m




[∪]J(x , v) →[a :=−b ∪ ?¬SB; a := A][x ′′ = a, t ′ = 1 & t ≤ ε]J(x , v)

[;] J(x , v) →[(a :=−b ∪ ?¬SB; a := A); x ′′ = a, t ′ = 1 & t ≤ ε]J(x , v)indJ(x , v) →[

((a :=−b ∪ ?¬SB; a := A); x ′′ = a, t ′ = 1 & t ≤ ε

)∗]J(x , v)



http://dx.doi.org/10.1007/978-3-319-21401-6_32


x

v

m




[∪]J(x , v) →[a :=−b ∪ ?¬SB; a := A][x ′′ = a, t ′ = 1 & t ≤ ε]J(x , v)[;] J(x , v) →[(a :=−b ∪ ?¬SB; a := A); x ′′ = a, t ′ = 1 & t ≤ ε]J(x , v)indJ(x , v) →[

((a :=−b ∪ ?¬SB; a := A); x ′′ = a, t ′ = 1 & t ≤ ε

)∗]J(x , v)



http://dx.doi.org/10.1007/978-3-319-21401-6_32


x

v

m



J(x , v) →[a :=−b][x ′′ = a . .]J(x , v) ∧ [?¬SB; a := A][x ′′ = a . .]J(x , v)[∪]J(x , v) →[a :=−b ∪ ?¬SB; a := A][x ′′ = a, t ′ = 1 & t ≤ ε]J(x , v)[;] J(x , v) →[(a :=−b ∪ ?¬SB; a := A); x ′′ = a, t ′ = 1 & t ≤ ε]J(x , v)indJ(x , v) →[

((a :=−b ∪ ?¬SB; a := A); x ′′ = a, t ′ = 1 & t ≤ ε

)∗]J(x , v)



http://dx.doi.org/10.1007/978-3-319-21401-6_32


x

v

m


previous proofs for braking and accelerationJ(x , v) →[a :=−b][x ′′ = a . .]J(x , v) ∧ [?¬SB; a := A][x ′′ = a . .]J(x , v)


((a :=−b ∪ ?¬SB; a := A); x ′′ = a, t ′ = 1 & t ≤ ε

)∗]J(x , v)



http://dx.doi.org/10.1007/978-3-319-21401-6_32


x

v

m


previous proofs for braking and accelerationJ(x , v) →[a :=−b][x ′′ = a . .]J(x , v) ∧ [?¬SB; a := A][x ′′ = a . .]J(x , v)


((a :=−b ∪ ?¬SB; a := A); x ′′ = a, t ′ = 1 & t ≤ ε

)∗]J(x , v)

1 Proof is essentially deterministic “follow your nose”

2 Synthesize invariant J(, ) and parameter constraint SB

3 J(x , v) is a predicate symbol to prove only once and instantiate later



http://dx.doi.org/10.1007/978-3-319-21401-6_32

Outline








Complete Proof Theory of Hybrid Systems

Theorem (Sound & Complete) (J.Autom.Reas. 2008, LICS’12)

dL calculus is a sound & complete axiomatization of hybrid systemsrelative to either differential equations or discrete dynamics. Proof 25pp

Corollary (Complete Proof-theoretical Alignment & Bridging)

proving continuous = proving hybrid = proving discrete

JAutomReas’08,LICS’12Andre Platzer (CMU) Proving Hybrid Systems FMCAD 21 / 40


http://dx.doi.org/10.1007/s10817-008-9103-8


http://dx.doi.org/10.1007/s10817-008-9103-8







System

Continuous Discrete

Hybrid



http://dx.doi.org/10.1007/s10817-008-9103-8


http://dx.doi.org/10.1007/s10817-008-9103-8







System

Continuous Discrete

Hybrid

HybridTheory

DiscreteTheory

Contin.Theory



http://dx.doi.org/10.1007/s10817-008-9103-8


http://dx.doi.org/10.1007/s10817-008-9103-8


Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

0 t

x

x ′= f (x)

y′ =

g(x, y

)

inv

DI= DI=,∧,∨

DI> DI>,∧,∨

DI≥ DI≥,∧,∨

DI

DI≥,=,∧,∨

DI>,=,∧,∨

Logic

Provabilitytheory

Math

Character-istic PDE

JLogComput’10,CAV’08,FMSD’09,LMCS’12,ITP’12Andre Platzer (CMU) Proving Hybrid Systems FMCAD 22 / 40


http://dx.doi.org/10.1093/logcom/exn070

http://dx.doi.org/10.1007/978-3-540-70545-1_17

http://dx.doi.org/10.1007/s10703-009-0079-8


http://dx.doi.org/10.1007/978-3-642-32347-8_3


Differential Invariant

H → [x ′ := f (x)]F ′

F→[x ′ = f (x) &H]F

Differential Cut

F→[x ′ = f (x)]C F→[x ′ = f (x) &C ]F

F→[x ′ = f (x)]F

Differential Ghost

F ↔ ∃y G G→[x ′ = f (x), y ′ = g(x , y) &H]G

F→[x ′ = f (x) &H]F0 t

x

x ′= f(x)

y′ =

g(x,y)

inv

if new y ′ = g(x , y) has a global solution




Differential Invariant

H → [x ′ := f (x)]F ′

F→[x ′ = f (x) &H]F

Differential Cut

F→[x ′ = f (x) &H]C F→[x ′ = f (x) &H ∧ C ]F

F→[x ′ = f (x) &H]F

Differential Ghost

F ↔ ∃y G G→[x ′ = f (x), y ′ = g(x , y) &H]G

F→[x ′ = f (x) &H]F0 t

x

x ′= f(x)

y′ =

g(x,y)

inv

if new y ′ = g(x , y) has a global solution




∗

ω≥0 ∧ d≥0 →2ω2xy + 2y(−ω2x − 2dωy) ≤ 0

ω≥ 0 ∧ d≥0 →[x ′ := y ][y ′ :=−ω2x − 2dωy ]2ω2xx ′ + 2yy ′ ≤ 0

ω2x2+y2≤c2 →[x ′ = y , y ′ = −ω2x − 2dωy & (ω≥0 ∧ d≥0)]ω2x2+y2≤c2

x

y1 2 3 4 5 6

-1.5

-1.0

-0.5

0.5

1.0




∗ω≥0 ∧ d≥0 →2ω2xy + 2y(−ω2x − 2dωy) ≤ 0

ω≥ 0 ∧ d≥0 →[x ′ := y ][y ′ :=−ω2x − 2dωy ]2ω2xx ′ + 2yy ′ ≤ 0

ω2x2+y2≤c2 →[x ′ = y , y ′ = −ω2x − 2dωy & (ω≥0 ∧ d≥0)]ω2x2+y2≤c2

x

y1 2 3 4 5 6

-1.5

-1.0

-0.5

0.5

1.0




x2 + x3 − y2 − c = 0→ [x ′ = −2y , y ′ = −2x − 3x2] x2 + x3 − y2 − c = 0

SAS’14Andre Platzer (CMU) Proving Hybrid Systems FMCAD 25 / 40


http://dx.doi.org/10.1007/978-3-319-10936-7_10


[x ′ = 2x4y+4x2y3−6x2y , y ′ = −4x3y2−2xy4+6xy2]x4y2+x2y4−3x2y2≤c

SAS’14Andre Platzer (CMU) Proving Hybrid Systems FMCAD 26 / 40


http://dx.doi.org/10.1007/978-3-319-10936-7_10

Assuming Differential Invariance

¬ ¬FF F ¬ ¬FF F

H → [x ′ := f (x)]F ′

F→[x ′ = f (x) &H]F

F ∧ H → [x ′ := f (x)]F ′

F→[x ′ = θ&H]F

Example (Restrictions)

(unsound)

d2 − 2d + 1 = 0 →2de − 2e = 0

d2 − 2d + 1 = 0 →[d ′ := e][e ′ :=−d ]2dd ′ − 2d ′ = 0

d2 − 2d + 1 = 0 →[d ′ = e, e ′ = −d ]d2 − 2d + 1 = 0

0 y

x



Assuming Differential Invariance

¬ ¬FF F ¬ ¬FF F

H → [x ′ := f (x)]F ′

F→[x ′ = f (x) &H]F

F ∧ H → [x ′ := f (x)]F ′

F→[x ′ = θ&H]F

Example (Restrictions are unsound!)

(unsound)

d2 − 2d + 1 = 0 →2de − 2e = 0

d2 − 2d + 1 = 0 →[d ′ := e][e ′ :=−d ]2dd ′ − 2d ′ = 0

d2 − 2d + 1 = 0 →[d ′ = e, e ′ = −d ]d2 − 2d + 1 = 0

0 y

x




Differential Invariant Differential Cut Differential Ghost

0 t

x

x ′= f (x)

y′ =

g(x, y

)

inv

DI= DI=,∧,∨

DI> DI>,∧,∨

DI≥ DI≥,∧,∨

DI

DI≥,=,∧,∨

DI>,=,∧,∨

Logic

Provabilitytheory

Math

Character-istic PDE

JLogComput’10,CAV’08,FMSD’09,LMCS’12,ITP’12Andre Platzer (CMU) Proving Hybrid Systems FMCAD 28 / 40



http://dx.doi.org/10.1007/978-3-540-70545-1_17

http://dx.doi.org/10.1007/s10703-009-0079-8


http://dx.doi.org/10.1007/978-3-642-32347-8_3

Ex: Differential Cuts

∗

QE y5 ≥ 0 →2x2((x − 2)4 + y5) ≥ 0

y5 ≥ 0 →[x ′ := (x − 2)4 + y5][y ′ := y2]2x2x ′ ≥ 0

DI x3 ≥ −1 →[x ′ = (x − 2)4 + y5, y ′ = y2 & y5 ≥ 0]x3 ≥ −1 .

DCx3 ≥ −1 ∧ y5 ≥ 0 →[x ′ = (x − 2)4 + y5, y ′ = y2]x3 ≥ −1

∗

QE 5y4y2 ≥ 0

[x ′ := (x − 2)4 + y5][y ′ := y2]5y4y ′ ≥ 0

DIy5 ≥ 0 →[x ′ = (x − 2)4 + y5, y ′ = y2]y5 ≥ 0



http://symbolaris.com/info/ex/KeYmaera--nonlinear-diffcut.jnlp


∗

QE y5 ≥ 0 →2x2((x − 2)4 + y5) ≥ 0

y5 ≥ 0 →[x ′ := (x − 2)4 + y5][y ′ := y2]2x2x ′ ≥ 0

DI x3 ≥ −1 →[x ′ = (x − 2)4 + y5, y ′ = y2 & y5 ≥ 0]x3 ≥ −1 .

DCx3 ≥ −1 ∧ y5 ≥ 0 →[x ′ = (x − 2)4 + y5, y ′ = y2]x3 ≥ −1

∗QE 5y4y2 ≥ 0

[x ′ := (x − 2)4 + y5][y ′ := y2]5y4y ′ ≥ 0

DIy5 ≥ 0 →[x ′ = (x − 2)4 + y5, y ′ = y2]y5 ≥ 0





∗QE y5 ≥ 0 →2x2((x − 2)4 + y5) ≥ 0

y5 ≥ 0 →[x ′ := (x − 2)4 + y5][y ′ := y2]2x2x ′ ≥ 0

DI x3 ≥ −1 →[x ′ = (x − 2)4 + y5, y ′ = y2 & y5 ≥ 0]x3 ≥ −1 .

DCx3 ≥ −1 ∧ y5 ≥ 0 →[x ′ = (x − 2)4 + y5, y ′ = y2]x3 ≥ −1

∗QE 5y4y2 ≥ 0

[x ′ := (x − 2)4 + y5][y ′ := y2]5y4y ′ ≥ 0

DIy5 ≥ 0 →[x ′ = (x − 2)4 + y5, y ′ = y2]y5 ≥ 0




Differential Cuts

Differential Cut

F→[x ′ = f (x) &H]C F→[x ′ = f (x) &H ∧ C ]F

F→[x ′ = f (x) &H]F

Theorem (Gentzen’s Cut Elimination)

A→B ∨ C A ∧ C→B

A→Bcut can be eliminated

Theorem (No Differential Cut Elimination) (LMCS 2012)

Deductive power with differential cut exceeds deductive power without.DCI > DI

JLogComput’10,LMCS’12Andre Platzer (CMU) Proving Hybrid Systems FMCAD 30 / 40




Differential Equation Axioms & Differential Axioms

DW [x ′ = f (x) & q(x)]q(x)

DC

([x ′ = f (x) & q(x)]p(x)↔ [x ′ = f (x) & q(x)∧r(x)]p(x)

)← [x ′ = f (x) & q(x)]r(x)

DE [x ′ = f (x) & q(x)]p(x , x ′)↔ [x ′ = f (x) & q(x)][x ′ := f (x)]p(x , x ′)

DI [x ′ = f (x) & q(x)]p(x)←(q(x)→ p(x) ∧ [x ′ = f (x) & q(x)](p(x))′

)DG [x ′ = f (x) & q(x)]p(x)↔ ∃y [x ′ = f (x), y ′ = a(x)y + b(x) & q(x)]p(x)

DS [x ′ = f & q(x)]p(x)↔ ∀t≥0((∀0≤s≤t q(x + fs))→ [x := x + ft]p(x)

)[′:=] [x ′ := f ]p(x ′)↔ p(f )

+′ (f (x) + g(x))′ = (f (x))′ + (g(x))′

·′ (f (x) · g(x))′ = (f (x))′ · g(x) + f (x) · (g(x))′

′ [y := g(x)][y ′ := 1]((f (g(x)))′ = (f (y))′ · (g(x))′

)CADE’15



http://dx.doi.org/10.1007/978-3-319-21401-6_32

Differential Equation Axioms

Axiom (Differential Weakening) (CADE’15)

(DW) [x ′ = f (x) & q(x)]q(x)

t

x

q(x)

w

u

0 rx ′ = f (x) & q(x)

¬q(x)

Differential equations cannot leave their evolution domains. Implies:

[x ′ = f (x) & q(x)]p(x)↔ [x ′ = f (x) & q(x)](q(x)→ p(x)

)Andre Platzer (CMU) Proving Hybrid Systems FMCAD 32 / 40


http://dx.doi.org/10.1007/978-3-319-21401-6_32


Axiom (Differential Cut) (CADE’15)

(DC)


)← [x ′ = f (x) & q(x)]r(x)

t

x

q(x)

w

u

0 rx ′ = f (x) & q(x)

DC is a cut for differential equations.DC is a differential modal modus ponens K.Can’t leave r(x), then might as well restrict state space to r(x).



http://dx.doi.org/10.1007/978-3-319-21401-6_32



(DC)


)← [x ′ = f (x) & q(x)]r(x)

t

x

q(x)

w

u

0 rx ′ = f (x) & q(x)

w

q(x)




http://dx.doi.org/10.1007/978-3-319-21401-6_32



(DC)


)← [x ′ = f (x) & q(x)]r(x)

t

x

q(x)

w

u

0 rx ′ = f (x) & q(x)

w




http://dx.doi.org/10.1007/978-3-319-21401-6_32



(DC)


)← [x ′ = f (x) & q(x)]r(x)

t

x

q(x)

w

u

0 rx ′ = f (x) & q(x)




http://dx.doi.org/10.1007/978-3-319-21401-6_32



(DC)


)← [x ′ = f (x) & q(x)]r(x)

t

x

q(x)

w

u

0 rx ′ = f (x) & q(x)

w




http://dx.doi.org/10.1007/978-3-319-21401-6_32


Axiom (Differential Invariant) (CADE’15)

(DI) [x ′ = f (x) & q(x)]p(x)←(q(x)→ p(x) ∧ [x ′ = f (x) & q(x)](p(x))′

)

t

x

q(x)

w

u

0 rx ′ = f (x) & q(x)

¬ ¬FF F

Differential invariant: p(x) true now and its differential (p(x))′ true alwaysWhat’s the differential of a formula???What’s the meaning of a differential term . . . in a state???



http://dx.doi.org/10.1007/978-3-319-21401-6_32


Axiom (Differential Effect) (CADE’15)

(DE) [x ′ = f (x) & q(x)]p(x , x ′)↔ [x ′ = f (x) & q(x)][x ′ := f (x)]p(x , x ′)

t

x

q(x)

w

u

0 rx ′ = f (x) & q(x)

x′

f (x)

Effect of differential equation on differential symbol x ′

[x ′ := f (x)] instantly mimics continuous effect [x ′ = f (x)] on x ′

[x ′ := f (x)] selects vector field x ′ = f (x) for subsequent differentials



http://dx.doi.org/10.1007/978-3-319-21401-6_32


Axiom (Differential Ghost) (CADE’15)

(DG) [x ′ = f (x) & q(x)]p(x)↔ ∃y [x ′ = f (x), y ′ = a(x)y + b(x) & q(x)]p(x)

t

x

q(x)

w

u

0 rx ′ = f (x) & q(x)y ′ = a(x)y + b(x)

Differential ghost/auxiliaries: extra differential equations that existCan cause new invariants“Dark matter” counterweight to balance conserved quantities



http://dx.doi.org/10.1007/978-3-319-21401-6_32


Axiom (Differential Solution) (CADE’15)

(DS) [x ′ = f & q(x)]p(x)↔ ∀t≥0((∀0≤s≤t q(x+fs))→ [x := x + ft]p(x)

)

t

x

q(x)

w

u

0 rx ′ = f (x) & q(x)

t

x

q(x)u

w

0 rx ′ = f & q(x)

Differential solutions: solve differential equationswith DG,DC and inverse companions



http://dx.doi.org/10.1007/978-3-319-21401-6_32

Example: Differential Invariants Don’t Solve. Prove!

1 DI proves a property of an ODE inductively by its differentials2 DE exports vector field, possibly after DW exports evolution domain3 CE+CQ reason efficiently in Equivalence or eQuational context4 G isolates postcondition5 [′:=] differential substitution uses vector field6 ·′ differential computations are axiomatic (US)

∗QE x3·x + x ·x3 ≥ 0

[′:=] [x ′ := x3]x ′·x + x ·x ′ ≥ 0G [x ′ = x3][x ′ := x3]x ′·x+x ·x ′≥0

∗·′ (f (x)·g(x))′ = (f (x))′·g(x)+f (x)·(g(x))′

US (x ·x)′ = (x)′·x + x ·(x)′

(x ·x)′ = x ′·x + x ·x ′CQ (x ·x)′ ≥ 0 ↔ x ′·x + x ·x ′ ≥ 0

(x ·x ≥ 1)′ ↔ x ′·x + x ·x ′ ≥ 0CE [x ′ = x3][x ′ := x3](x ·x ≥ 1)′DE [x ′ = x3](x ·x ≥ 1)′DI x ·x ≥ 1 →[x ′ = x3]x ·x ≥ 1



The Meaning of Primes

Differential Forms

[[(θ)′]]u = ???

[[(x2)′]]u

= [[2x ]]u ?

depends on the differential equation . . .

well-defined locally in an isolated state at all?

[[(θ)′]]u =∑x

u(x ′)∂[[θ]]I

∂x(u) =

∑x

u(x ′)∂[[θ]]uXx∂X

[[(θ)′]] = d [[θ]] =n∑

i=1

∂[[θ]]

∂x idx i

u(x ′) is the local shadow ofdx

dtif that existed

(θ)′ represents how θ changes locally, depending on x ′




Differential Forms

[[(θ)′]]u = ???

[[(x2)′]]u = [[2x ]]u ?



[[(θ)′]]u =∑x

u(x ′)∂[[θ]]I

∂x(u) =

∑x


[[(θ)′]] = d [[θ]] =n∑

i=1

∂[[θ]]

∂x idx i


dtif that existed





Differential Forms

[[(θ)′]]u = ???

[[(x2)′]]u = [[2x ]]u ?



[[(θ)′]]u =∑x

u(x ′)∂[[θ]]I

∂x(u) =

∑x


[[(θ)′]] = d [[θ]] =n∑

i=1

∂[[θ]]

∂x idx i


dtif that existed


→ R



The Meaning of Primes Differential Forms

[[(θ)′]]u = ???

[[(x2)′]]u = [[2x ]]u ?



[[(θ)′]]u =∑x

u(x ′)∂[[θ]]I

∂x(u) =

∑x


[[(θ)′]] = d [[θ]] =n∑

i=1

∂[[θ]]

∂x idx i

depends onstate u

tangentspace basis

cotangentspace basis

depends onu(x ′i ) = dx i


dtif that existed


→ R



The Meaning of Primes Differential Forms

[[(θ)′]]u = ???

[[(x2)′]]u = [[2x ]]u ?



[[(θ)′]]u =∑x

u(x ′)∂[[θ]]I

∂x(u) =

∑x


[[(θ)′]] = d [[θ]] =n∑

i=1

∂[[θ]]

∂x idx i


dtif that existed


→ R



Differential Substitution Lemmas

Lemma (Differential lemma)

If ϕ |= x ′ = f (x) ∧ Q for duration r > 0, then for all 0 ≤ ζ ≤ r :

Syntactic [[(η)′]]ϕ(ζ) =d[[η]]ϕ(t)

dt(ζ) Analytic

Lemma (Differential assignment)

If ϕ |= x ′ = f (x) ∧ Q then ϕ |= φ↔ [x ′ := f (x)]φ

Lemma (Derivations)

(θ + η)′ = (θ)′ + (η)′

(θ · η)′ = (θ)′ · η + θ · (η)′

[y := θ][y ′ := 1]((f (θ))′ = (f (y))′ · (θ)′

)for y , y ′ 6∈ θ

(f )′ = 0 for arity 0 functions/numbers f



Outline








Verified CPS Applications

-

-

-

x

y

c

c

Qxentry

exit

Q

y

c

Q Q

QQ

cQx

Q

y

Q

z

xHiL

xH jL

p xHkL

xHlL

xHmL

ICFEM’09,JAIS’14,TACAS’15,CAV’08,FM’09,HSCC’11,HSCC’13, TACAS’14Andre Platzer (CMU) Proving Hybrid Systems FMCAD 36 / 40


http://dx.doi.org/10.1145/1967701.1967713

http://dx.doi.org/10.1145/2461328.2461350

http://dx.doi.org/10.1007/978-3-642-10373-5_13

http://dx.doi.org/10.2514/1.I010178

http://dx.doi.org/10.1007/978-3-662-46680-3_2

http://dx.doi.org/10.1007/978-3-540-70545-1_17

http://dx.doi.org/10.1007/978-3-642-05089-3_35

http://dx.doi.org/10.1145/1967701.1967713

http://dx.doi.org/10.1145/2461328.2461350

http://dx.doi.org/10.1007/978-3-642-54862-8_19


ey

fy

xb(lx, ly) ex fx

(rx, ry)

(vx, vy)

FM’11,LMCS’12,ICCPS’12,ITSC’11,ITSC’13,IJCAR’12Andre Platzer (CMU) Proving Hybrid Systems FMCAD 36 / 40


http://dx.doi.org/10.1109/ICCPS.2012.25

http://dx.doi.org/10.1109/ITSC.2011.6083138






http://dx.doi.org/10.1007/978-3-642-31365-3_34

http://dx.doi.org/10.1007/978-3-642-21437-0_6





http://dx.doi.org/10.1007/978-3-642-31365-3_34


0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

5 10 15 20

-0.3

-0.2

-0.1

0.1

0.2

0.3

-0.3 -0.2 -0.1 0.0 0.1 0.2 0.3

-0.3

-0.2

-0.1

0.0

0.1

0.2

0.3

0.2 0.4 0.6 0.8 1.0

1

1

-

HSCC’13,RSS’13,CADE’12Andre Platzer (CMU) Proving Hybrid Systems FMCAD 36 / 40


http://dx.doi.org/10.1145/2461328.2461369

http://roboticsproceedings.org/rss09/p14.pdf



http://dx.doi.org/10.1007/978-3-642-22438-6_34

http://dx.doi.org/10.1007/978-3-642-22438-6_34

http://dx.doi.org/10.1007/978-3-642-22438-6_34

http://dx.doi.org/10.1145/2461328.2461369


http://dx.doi.org/10.1007/978-3-642-22438-6_34

Verified CPS Applications By Undergrads

0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

15-424/624 Foundations of Cyber-Physical Systems studentsAndre Platzer (CMU) Proving Hybrid Systems FMCAD 36 / 40


http://symbolaris.com/course/fcps14.html

Outline








KeYmaera X Kernel: Qualifies as a Microkernel

≈LOC

KeYmaera X 1 682KeYmaera 65 989

KeY 51 328HOL Light 396Isabelle/Pure 8 113Nuprl 15 000 + 50 000Coq 20 000

HSolver 20 000Flow∗ 25 000PHAVer 30 000dReal 50 000 + millionsSpaceEx 100 000HyCreate2 6 081 + user model analysis

Disclaimer: These self-reported estimates of the soundness-critical lines of code +rules are to be taken with a grain of salt. Different languages, capabilities, styles. . . Andre Platzer (CMU) Proving Hybrid Systems FMCAD 37 / 40




dL = DL + HP [α]φ φα

Multi-dynamical systems

Combine simple dynamics

Tame complexity

Logic & proofs for CPS

Theory of CPS

Applications

KeYmaera Prover

dis

cre

te contin

uo

us

nondet

sto

chastic

advers

arial



http://symbolaris.com/info/KeYmaera.html



dL = DL + HP [α]φ φα

Multi-dynamical systems

Combine simple dynamics

Tame complexity

Logic & proofs for CPS

Theory of CPS

Applications

KeYmaera Xd

iscre

te contin

uo

us

nondet

sto

chastic

advers

arial



http://keymaeraX.org/

http://keymaeraX.org/

Acknowledgments

Students and postdocs of the Logical Systems Lab at Carnegie MellonNathan Fulton, David Henriques, Sarah Loos, Joao Martins, Erik Zawadzki

Khalil Ghorbal, Jean-Baptiste Jeannin, Stefan Mitsch



http://www.ls.cs.cmu.edu/

How to trust a computer to control physics

Recipe

1 CPS promise a transformative impact

2 CPS have to be safe to make the world a better place

3 Safety needs a safety analysis

4 Analytic tools for CPS have to be sound

5 Sound analysis needs sound and strong foundations

6 Foundations themselves have to be challenged, e.g., by applications

7 Logic has a lot to offer for CPS

8 CPS bring excitement and new challenges to logic


LogicalFoundations

ofCyber-Physical

Systems

Logic

TheoremProving

ProofTheory

ModalLogic Model

Checking

Algebra

ComputerAlgebra

RAlgebraicGeometry

DifferentialAlgebra

LieAlgebra

Analysis

DifferentialEquations

CarathedorySolutions

ViscosityPDE

Solutions

DynamicalSystems

Stochastics Doob’sSuper-

martingales

Dynkin’sInfinitesimalGenerators

DifferentialGenerators

StochasticDifferentialEquations

Numerics

HermiteInterpolation

WeierstraßApprox-imation

ErrorAnalysis

NumericalIntegration

Algorithms

DecisionProcedures

ProofSearch

Procedures

Fixpoints& Lattices

ClosureOrdinals


LogicalFoundations

ofCyber-Physical

Systems

Logic

TheoremProving

ProofTheory

ModalLogic Model

Checking

Algebra

ComputerAlgebra

RAlgebraicGeometry

DifferentialAlgebra

LieAlgebra

Analysis

DifferentialEquations

CarathedorySolutions

ViscosityPDE

Solutions

DynamicalSystems

Stochastics Doob’sSuper-

martingales

Dynkin’sInfinitesimalGenerators

DifferentialGenerators

StochasticDifferentialEquations

Numerics

HermiteInterpolation

WeierstraßApprox-imation

ErrorAnalysis

NumericalIntegration

Algorithms

DecisionProcedures

ProofSearch

Procedures

Fixpoints& Lattices

ClosureOrdinals


http://symbolaris.com/lahs/


([:=]) [x := f ]p(x)↔ p(f )

([?]) [?q]p ↔ (q → p)

([∪]) [a ∪ b]p(x)↔ [a]p(x) ∧ [b]p(x)

([;]) [a; b]p(x)↔ [a][b]p(x)

([∗]) [a∗]p(x)↔ p(x) ∧ [a][a∗]p(x)

(K) [a](p(x)→ q(x))→ ([a]p(x)→ [a]q(x))

(I) [a∗](p(x)→ [a]p(x))→ (p(x)→ [a∗]p(x))

(V) p → [a]p

(DS) [x ′ = f ]p(x)↔ ∀t≥0 [x := x + ft]p(x)LICS’12,CADE’15




http://dx.doi.org/10.1007/978-3-319-21401-6_32


(G)p(x)

[a]p(x)

(∀)p(x)

∀x p(x)

(MP)p → q p

q

(CT)f (x) = g(x)

c(f (x)) = c(g(x))

(CQ)f (x) = g(x)

p(f (x))↔ p(g(x))

(CE)p(x)↔ q(x)

C (p(x))↔ C (q(x))

LICS’12,CADE’15Andre Platzer (CMU) Proving Hybrid Systems FMCAD 2 / 9



http://dx.doi.org/10.1007/978-3-319-21401-6_32

Differential Equation Axioms & Differential Axioms

(DW) [x ′ = f (x) & q(x)]q(x)

(DC)


)← [x ′ = f (x) & q(x)]r(x)

(DE) [x ′ = f (x) & q(x)]p(x , x ′)↔ [x ′ = f (x) & q(x)][x ′ := f (x)]p(x , x ′)

(DI) [x ′ = f (x) & q(x)]p(x)←(q(x)→ p(x) ∧ [x ′ = f (x) & q(x)](p(x))′

)(DG) [x ′ = f (x) & q(x)]p(x)↔ ∃y [x ′ = f (x), y ′ = a(x)y + b(x) & q(x)]p(x)

(DS) [x ′ = f & q(x)]p(x)↔ ∀t≥0((∀0≤s≤t q(x + fs))→ [x := x + ft]p(x)

)([′:=]) [x ′ := f ]p(x ′)↔ p(f )

(+′) (f (x) + g(x))′ = (f (x))′ + (g(x))′

(·′) (f (x) · g(x))′ = (f (x))′ · g(x) + f (x) · (g(x))′

(′) [y := g(x)][y ′ := 1]((f (g(x)))′ = (f (y))′ · (g(x))′

)CADE’15



http://dx.doi.org/10.1007/978-3-319-21401-6_32

Andre Platzer.Logics of dynamical systems.In LICS [17], pages 13–24.doi:10.1109/LICS.2012.13.

Andre Platzer.Foundations of cyber-physical systems.Lecture Notes 15-424/624, Carnegie Mellon University, 2014.URL: http://www.cs.cmu.edu/~aplatzer/course/fcps14/fcps14.pdf.

Andre Platzer.Logical Analysis of Hybrid Systems: Proving Theorems for ComplexDynamics.Springer, Heidelberg, 2010.doi:10.1007/978-3-642-14509-4.

Andre Platzer.Differential dynamic logic for hybrid systems.J. Autom. Reas., 41(2):143–189, 2008.



http://www.cs.cmu.edu/~aplatzer/course/fcps14/fcps14.pdf

http://www.cs.cmu.edu/~aplatzer/course/fcps14/fcps14.pdf

http://dx.doi.org/10.1007/978-3-642-14509-4

doi:10.1007/s10817-008-9103-8.

Andre Platzer.A uniform substitution calculus for differential dynamic logic.In Amy Felty and Aart Middeldorp, editors, CADE, volume 9195 ofLNCS, pages 467–481. Springer, 2015.doi:10.1007/978-3-319-21401-6_32.

Andre Platzer.Differential game logic.ACM Trans. Comput. Log., 2015.To appear. Preprint at arXiv 1408.1980.doi:10.1145/2817824.

Andre Platzer.The complete proof theory of hybrid systems.In LICS [17], pages 541–550.doi:10.1109/LICS.2012.64.

Andre Platzer.


http://dx.doi.org/10.1007/s10817-008-9103-8

http://dx.doi.org/10.1007/978-3-319-21401-6_32

http://dx.doi.org/10.1145/2817824


A complete axiomatization of quantified differential dynamic logic fordistributed hybrid systems.Log. Meth. Comput. Sci., 8(4):1–44, 2012.Special issue for selected papers from CSL’10.doi:10.2168/LMCS-8(4:17)2012.

Andre Platzer.Stochastic differential dynamic logic for stochastic hybrid programs.In Nikolaj Bjørner and Viorica Sofronie-Stokkermans, editors, CADE,volume 6803 of LNCS, pages 431–445. Springer, 2011.doi:10.1007/978-3-642-22438-6_34.

Andre Platzer.Differential-algebraic dynamic logic for differential-algebraic programs.J. Log. Comput., 20(1):309–352, 2010.doi:10.1093/logcom/exn070.

Andre Platzer and Edmund M. Clarke.Computing differential invariants of hybrid systems as fixedpoints.In Aarti Gupta and Sharad Malik, editors, CAV, volume 5123 ofLNCS, pages 176–189. Springer, 2008.Andre Platzer (CMU) Proving Hybrid Systems FMCAD 3 / 9


http://dx.doi.org/10.1007/978-3-642-22438-6_34


doi:10.1007/978-3-540-70545-1_17.

Andre Platzer and Edmund M. Clarke.Computing differential invariants of hybrid systems as fixedpoints.Form. Methods Syst. Des., 35(1):98–120, 2009.Special issue for selected papers from CAV’08.doi:10.1007/s10703-009-0079-8.

Andre Platzer.The structure of differential invariants and differential cut elimination.Log. Meth. Comput. Sci., 8(4):1–38, 2012.doi:10.2168/LMCS-8(4:16)2012.

Andre Platzer.A differential operator approach to equational differential invariants.In Lennart Beringer and Amy Felty, editors, ITP, volume 7406 ofLNCS, pages 28–48. Springer, 2012.doi:10.1007/978-3-642-32347-8_3.

Khalil Ghorbal, Andrew Sogokon, and Andre Platzer.


http://dx.doi.org/10.1007/978-3-540-70545-1_17

http://dx.doi.org/10.1007/s10703-009-0079-8


http://dx.doi.org/10.1007/978-3-642-32347-8_3

Invariance of conjunctions of polynomial equalities for algebraicdifferential equations.In Markus Muller-Olm and Helmut Seidl, editors, SAS, volume 8723 ofLNCS, pages 151–167. Springer, 2014.doi:10.1007/978-3-319-10936-7_10.

Khalil Ghorbal and Andre Platzer.Characterizing algebraic invariants by differential radical invariants.In Erika Abraham and Klaus Havelund, editors, TACAS, volume 8413of LNCS, pages 279–294. Springer, 2014.doi:10.1007/978-3-642-54862-8_19.

Proceedings of the 27th Annual ACM/IEEE Symposium on Logic inComputer Science, LICS 2012, Dubrovnik, Croatia, June 25–28, 2012.IEEE, 2012.


http://dx.doi.org/10.1007/978-3-319-10936-7_10

http://dx.doi.org/10.1007/978-3-642-54862-8_19

Outline

7 Differential Radical InvariantsDifferential Radical Invariants

8 ACAS X



Differential Radical Invariants

Theorem (Differential radical invariant characterization)

h = 0→N−1∧i=0

(h(i))p

x ′ = 0

h = 0→ [x ′ = p]h = 0

characterizes all algebraic invariants, where N = ord′√

(h), i.e.

(h(N))p

x ′ =N−1∑i=0

gi (h(i))

p

x ′ (gi ∈ R[x ])

Corollary (Algebraic Invariants Decidable)

Algebraic invariants of algebraic differential equations are decidable.

with Khalil Ghorbal TACAS’14Andre Platzer (CMU) Proving Hybrid Systems FMCAD 4 / 9


http://dx.doi.org/10.1007/978-3-642-54862-8_19

Case Study: Longitudinal Dynamics of an Airplane

Study (6th Order Longitudinal Flight Equations)

u′ = Xm − g sin(θ)− qw axial velocity

w ′ = Zm + g cos(θ) + qu vertical velocity

x ′ = cos(θ)u + sin(θ)w range

z ′ = − sin(θ)u + cos(θ)w altitude

θ′ = q pitch angle

q′ = MIyy

pitch rate2 4 6 8 10 12 14

x

2

4

6

8

10

12

z

X : thrust along u Z : thrust along w M : thrust moment for wg : gravity m : mass Iyy : inertia second diagonal



http://dx.doi.org/10.1007/978-3-642-54862-8_19

Case Study: Longitudinal Dynamics of an Airplane

Result (DRI Automatically Generates Invariant Functions)

Mz

Iyy+ gθ +

(X

m− qw

)cos(θ) +

(Z

m+ qu

)sin(θ)

Mx

Iyy−(Z

m+ qu

)cos(θ) +

(X

m− qw

)sin(θ)

− q2 +2Mθ

Iyy



http://dx.doi.org/10.1007/978-3-642-54862-8_19

Case Study: Dubins Dynamics of 2 Airplanes

Result (DRI Automatically Generates Invariants)

ω1 = 0∧ω2 = 0→ v2 sinϑx = (v2 cosϑ− v1)y > p(v1 + v2)

ω1 6= 0∨ω2 6= 0→ −ω1ω2(x2 + y2) + 2v2ω1 sinϑx + 2(v1ω2 − v2ω1 cosϑ)y

+ 2v1v2 cosϑ > 2v1v2 + 2p(v2|ω1|+ v1|ω2|) + p2|ω1ω2|

-

-

-

- - -

-

-

JAIS’14Andre Platzer (CMU) Proving Hybrid Systems FMCAD 7 / 9


http://dx.doi.org/10.2514/1.I010178

Outline

7 Differential Radical InvariantsDifferential Radical Invariants

8 ACAS X



Airborne Collision Avoidance System ACAS X: Verify

Developed by the FAA to replace current TCAS in aircraft

Approximately optimizes Markov Decision Process on a grid

Advisory from lookup tables with numerous 5D interpolation regions

1 Identified safe region for each advisory symbolically

2 Proved safety for hybrid systems flight model in KeYmaera

TACAS’15Andre Platzer (CMU) Proving Hybrid Systems FMCAD 8 / 9


http://dx.doi.org/10.1007/978-3-662-46680-3_2

Airborne Collision Avoidance System ACAS X: Compare

ACAS X table comparison shows safe advisory in 97.7% of the648,591,384,375 states compared (15,160,434,734 counterexamples).

ACAS X issues DNC advisory, which induces collision unless corrected

TACAS’15Andre Platzer (CMU) Proving Hybrid Systems FMCAD 9 / 9


http://dx.doi.org/10.1007/978-3-662-46680-3_2

proving hybrid systems - symbolaris.comsymbolaris.com/pub/fmcad-slides.pdf · proving hybrid...

Documents