Deductive Safety and Liveness Verification for Ordinary Differential Equations
Yong Kiam Tan
Computer Science Department, Carnegie Mellon University
INRIA, 30th Apr 2020
1 / 34
Motivation: Cyber-Physical Systems (CPSs)
Cyber-Physical System:
  Discrete software controller:
    if (v > speed_limit) a := -1;  // apply brakes
    else a := 0;                   // cruise
  Continuous dynamics: x′ = v, v′ = a
  (Figure: plots of v and x against t.)
× Testing control software on the real CPS is expensive and unsafe.
Formal proofs give the highest level of confidence in the correctness of CPSs.
2 / 34
Outline
1 ODEs, Safety, and Liveness
2 ODE Safety Proofs
3 ODE Liveness Proofs
4 ODE Liveness Example
5 Conclusion
3 / 34
Outline (next section: 1 ODEs, Safety, and Liveness)
4 / 34
Correctness Specifications for CPSs
Safe: always drives below the speed limit
Live: eventually gets to its destination
× Not live: stuck in a train repair bay
5 / 34
ODEs & Domain Constraints
ODE: Models for the continuous physics of CPSs.
  Visualization: x′ = y, y′ = (1 − x²)y − x, the Van der Pol equations modeling an oscillating electrical circuit.
Ordinary Differential Equation (ODE): x′ = f(x)
  Analogy: Trains are driving on tracks given by ODE solutions.
ODE with domain Q: x′ = f(x) & Q
  Domain: Specifies the domain of definition for ODEs.
  Analogy: Domains make description
6 / 34
Safety & Liveness for ODEs
(Figures: a domain Q with a region P inside it; in the safety picture the trajectory stays in P, in the liveness picture it eventually enters P.)
Safety:   [x′ = f(x) & Q]P   (box modality over the ODE with domain Q)
  Train always stays in Pittsburgh (P) along its trajectory.
Liveness: ⟨x′ = f(x) & Q⟩P   (diamond modality over the ODE with domain Q)
  Train can eventually be driven to Pittsburgh (P).
Logical duality:
  Safety   ≡ ¬⟨x′ = f(x) & Q⟩¬P   Train can not eventually be driven
  Liveness ≡ ¬[x′ = f(x) & Q]¬P   Train does not always stay out of Pittsburgh (¬P).
This talk: Exploiting logical duality in proofs of ODE safety and liveness.
  2 ODE Safety Proofs: rigorous proofs of ODE safety using ODE invariants.
  3 ODE Liveness Proofs: rigorous proofs of ODE liveness using ODE safety.
  4 ODE Liveness Example: an example application of formal ODE liveness arguments.
7 / 34
Outline (next section: 2 ODE Safety Proofs)
8 / 34
From ODE Safety to ODE Invariance
(Figure: map of Pennsylvania (PA) with Pittsburgh (Pitt.) marked.)
Pennsylvanian (PA) regional trains in Pittsburgh (P) always stay out of Canada (¬C): P → [x′ = f(x)]¬C
1 Trains in Pittsburgh are in Pennsylvania: P → PA
2 Trains in Pennsylvania are not in Canada: PA → ¬C
3 PA regional trains always stay in-state: PA → [x′ = f(x)]PA
Claim: PA is an invariant of the ODE.
Idea 1: ODE safety questions reduce to ODE invariance questions.
9 / 34
Why take a logical approach? (ODE Safety)
Theorem (Completeness for invariants [LICS’18])
The differential dynamic logic (dL) proof calculus is a sound and complete axiomatization for invariants of polynomial ODEs. In fact, it decides invariance for polynomial ODEs and formulas.
Takeaway: Logic yields a complete understanding of ODE invariance.
Benefit: Powerful automation for ODE safety from sound foundations.
Polynomial ODEs and their (non-polynomial) solutions:
  x′ = x, x(0) = x0                        x(t) = x0·e^t
  x′ = y, y′ = −x, x(0) = 0, y(0) = 1      x(t) = sin t, y(t) = cos t
  x′ = y, y′ = (1 − x²)y − x               Van der Pol equations (no polynomial solutions)
How is this completeness result possible?
10 / 34
Differentiation versus Integration
(From xkcd: https://xkcd.com/2117/) “Differentiation is mechanics, integration is art.”
× Solving ODE ≈ integration
Instead: analyze the ODE directly.
11 / 34
ODE Invariance Proofs
(Figure: Pennsylvania (PA) as the region p ≤ 0, with boundary p = 0 and p > 0 outside.)
If trains always drive into PA, none can leave it.
3 PA regional trains always stay in-state: PA → [x′ = f(x)]PA
4 For PA ≡ p ≤ 0, analyze the derivative p′:
    [x′ = f(x)] p′ ≤ 0  →  (p ≤ 0 → [x′ = f(x)] p ≤ 0)
  (both occurrences of p ≤ 0 are PA; figure: p′ ≤ 0 along t implies p ≤ 0 along t)
Higher (Lie) derivatives completely characterize local liveness: p′ < 0; or p′ = 0 and p′′ < 0; or p′ = 0, p′′ = 0 and p′′′ < 0; and so on along x′ = f(x).
Fact 1: Derivative tests are sound and complete for invariants [LICS’18].
Fact 2: Derivative tests analyze local liveness properties [LICS’18].
12 / 34
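The derivative test on this slide, as an added worked example (not code from the talk or from KeYmaera X): polynomials are kept as exponent-to-coefficient dictionaries, the Lie derivative p′ along x′ = f(x) is computed syntactically, and the first-order test "p′ ≤ 0 everywhere, hence p ≤ 0 is invariant" is applied to the harmonic oscillator from slide 10, to a constructed damped oscillator x′ = y, y′ = −x − y, and to the train model x′ = −y, y′ = 4x² from slide 20, where the first derivative is not sign-definite and the higher Lie derivatives are computed instead. The sign check used here is a weak syntactic sufficient condition (even exponents, non-positive coefficients), far short of the complete dL procedure; the disk p = x² + y² − 1 is a constructed input.

```python
"""Lie derivatives and the first-order derivative test for ODE invariants
(added example; not code from the talk or from KeYmaera X)."""
from itertools import product

# A polynomial over variables x (index 0) and y (index 1) is a dict
# {exponent tuple: coefficient}; the monomial (a, b) stands for x^a * y^b.
X = {(1, 0): 1}
Y = {(0, 1): 1}

def const(c):
    return {(0, 0): c}

def neg(p):
    return {m: -c for m, c in p.items()}

def poly_add(p, q):
    r = dict(p)
    for m, c in q.items():
        r[m] = r.get(m, 0) + c
    return {m: c for m, c in r.items() if c != 0}

def poly_mul(p, q):
    r = {}
    for (m1, c1), (m2, c2) in product(p.items(), q.items()):
        m = tuple(a + b for a, b in zip(m1, m2))
        r[m] = r.get(m, 0) + c1 * c2
    return {m: c for m, c in r.items() if c != 0}

def partial(p, i):
    """Partial derivative of p with respect to variable i."""
    r = {}
    for m, c in p.items():
        if m[i] > 0:
            dm = m[:i] + (m[i] - 1,) + m[i + 1:]
            r[dm] = r.get(dm, 0) + c * m[i]
    return r

def lie_derivative(p, f):
    """p' = sum_i (dp/dx_i) * f_i: the derivative of p along x' = f(x),
    computed purely syntactically (differentiation, no solving)."""
    r = {}
    for i, f_i in enumerate(f):
        r = poly_add(r, poly_mul(partial(p, i), f_i))
    return r

def lie_derivatives(p, f, k):
    """[p, p', p'', ..., p^(k)]: the higher Lie derivatives needed when the
    first one is not sign-definite."""
    out = [p]
    for _ in range(k):
        out.append(lie_derivative(out[-1], f))
    return out

def nonpositive_everywhere(p):
    """Sufficient syntactic check that p(x, y) <= 0 on all of R^2: every
    monomial has only even exponents and a coefficient <= 0.  The zero
    polynomial (empty dict) passes; -2*y**2 passes; -2*x*y does not."""
    return all(all(e % 2 == 0 for e in m) and c <= 0 for m, c in p.items())

def derivative_test(p, f):
    """First-order derivative test for the invariant p <= 0 of x' = f(x):
    if p' <= 0 holds everywhere, p <= 0 can never be left, so it is an
    invariant.  Otherwise the test is inconclusive (higher derivatives, or
    the complete dL procedure, would be needed)."""
    return "invariant" if nonpositive_everywhere(lie_derivative(p, f)) else "inconclusive"

# Constructed inputs.
HARMONIC = [Y, neg(X)]                    # x' = y,  y' = -x      (slide 10)
DAMPED = [Y, poly_add(neg(X), neg(Y))]    # x' = y,  y' = -x - y  (constructed)
TRAIN = [neg(Y), {(2, 0): 4}]             # x' = -y, y' = 4x^2    (slide 20)
DISK = poly_add(poly_add(poly_mul(X, X), poly_mul(Y, Y)), const(-1))  # p = x^2 + y^2 - 1

if __name__ == "__main__":
    for name, f in [("harmonic", HARMONIC), ("damped", DAMPED), ("train", TRAIN)]:
        print(name, lie_derivative(DISK, f), derivative_test(DISK, f))
    print("train higher derivatives:", lie_derivatives(DISK, TRAIN, 2))
```

For the harmonic oscillator p′ is identically zero and for the damped one p′ = −2y², so the disk is proved invariant in both cases without solving anything; for the train model p′ = −2xy + 8x²y changes sign, which is exactly the situation where the slide's higher derivatives come in.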
Why take a logical approach? (ODE Safety)
Theorem (Completeness for invariants [LICS’18]), restated from slide 10: the dL proof calculus is a sound and complete axiomatization for invariants of polynomial ODEs, and it decides invariance for polynomial ODEs and formulas.
Takeaway: Logic yields a complete understanding of ODE invariance.
Benefit: Powerful automation for ODE safety from sound foundations.
Idea 1: ODE safety questions reduce to ODE invariance questions.
Idea 2: ODE invariance can be analyzed in logic using derivatives.
13 / 34
Outline (next section: 3 ODE Liveness Proofs)
14 / 34
A Simple Liveness Refinement
(Figure: map of Pennsylvania (PA) with Pittsburgh (Pitt.) and Philadelphia (Phil.) marked.)
Q: Can a train that reaches Pittsburgh (P) also reach Pennsylvania (PA)?
A: True for all trains reaching Pittsburgh, since it is part of Pennsylvania.
Q: Can a train that reaches Philadelphia (H) also reach Pittsburgh (P)?
A: Not true for all trains, only for the specific one in the figure.
   × H → P ?   ⟨x′ = f(x)⟩H → ⟨x′ = f(x)⟩P
A: Must be proved by analyzing the ODEs describing the train track:
   [x′ = f(x) & ¬P]¬H  →  (⟨x′ = f(x)⟩H → ⟨x′ = f(x)⟩P)
   (left: the train is allowed to enter Pittsburgh; middle: reaches Philadelphia; right: reaches Pittsburgh)
Key Idea: Liveness refinement steps exploit logical duality and are sound building blocks for understanding ODE liveness arguments [FM’19].
15 / 34
Diamond Refinement Axioms
K&  [x′ = f(x) & Q ∧ ¬P]¬H → (⟨x′ = f(x) & Q⟩H → ⟨x′ = f(x) & Q⟩P)
(Figures: a domain Q containing regions H and P; a domain Q containing a sub-domain R and region P.)
Idea 1: ODE safety has effective reasoning principles, so use ODE safety to justify liveness refinement steps.
Implication chain built from refinement steps (DR⋄ is the domain refinement step):
  ⟨x′ = f(x) & R⟩H  →(DR⋄, given [x′ = f(x) & R]Q)→  ⟨x′ = f(x) & Q⟩H  →(K&, given [x′ = f(x) & Q ∧ ¬P]¬H)→  ⟨x′ = f(x) & Q⟩P
Idea 2: Implication chains build complicated liveness arguments from simple building blocks.
16-17 / 34
Why take a logical approach? (ODE Liveness)
Understand the core principles behind ODE liveness proofs.

Surveyed Liveness Arguments    Ref.    Goals of surveyed paper             Unsound variants (×), without/with domains
Differential Variants          [1]     Liveness proofs for inequalities    ×
Bounded/Compact Eventuality    [4, 5]  Automatic SOS liveness proofs       × ×
Set Lyapunov Functions         [6]     Finding basin of attraction         × ×
Staging Sets + Progress        [7]     Indirect liveness proofs for P
                               [8]     Synthesizing switching logic        × ×

Liveness arguments in the literature are used for a wide variety of purposes.
Several arguments have technical glitches, making them unsound (×).
Logic is a general framework for soundly (✓) understanding ODE liveness. It also allows us to find and correct (×) the technical glitches.
It yields sound generalizations of existing liveness arguments.
New Liveness Arguments (without and with domains): Higher Differential Variants.
Takeaway: Logic is a general framework for understanding ODE liveness.
Benefit: Sound ODE liveness arguments and their generalizations.
Key Idea: Liveness refinement steps exploit logical duality and are sound building blocks for understanding ODE liveness arguments [FM’19].
18 / 34
Outline (next section: 4 ODE Liveness Example)
19 / 34
ODE Liveness Example: Train Model
(Figure: the region P, the Pittsburgh suburbs, in the plane.)
Example: Train reaches Pittsburgh suburbs (P). For simplicity, no domain constraint.
Model ODE: x′ = −y, y′ = 4x²
20 / 34
ODE Liveness Example: Proof Rule
From the surveyed arguments: [8] Synthesizing switching logic.
Example derived proof rule:
         p = 0 ⊢ P        p < 0 ⊢ p′ ≥ ε
  dVM= ------------------------------------
         Γ, ε > 0, p ≤ 0 ⊢ ⟨x′ = f(x)⟩P
Additional condition for soundness (missing in [8]): either the solution exists for sufficient duration, or x′ = f(x) is globally Lipschitz continuous.
Underlying refinement chain, with three K& refinement steps (Step 1 to Step 3) between the existence property and the conclusion:
  ⟨x′ = f(x), t′ = 1⟩ t > c  →(Step 1, K&)→  →(Step 2, K&)→  →(Step 3, K&)→  ⟨x′ = f(x)⟩P
21 / 34
Proving Liveness for Train
Refinement chain for the train, each step justified by K&:
  ⟨x′ = f(x), t′ = 1⟩ t > 1.4  →(Step 1, K&)→  →(Step 2, K&)→  →(Step 3, K&)→  ⟨x′ = f(x)⟩P
(Figures: the region P, and a circle of radius r around the train's position.)
Intuition: Reduce liveness for the (complicated) region P to the (simple) circle.
Intuition: The train starts outside the disk, so it must cross the circle in order to reach the inside of the disk.
Bad Idea: Solve and/or simulate the ODE from the initial position.
  (simulated: t = 0.0, r = 3.9; t = 0.3, r = 2.5; t = 0.7, r = 2.0; t = 1.0, r = 1.7; t = 1.4, r = 0.8)
Instead, as on slide 11: differentiation rather than integration, analyze the ODE directly.
Intuition: Symbolically analyze derivatives to lower bound the time the train requires to reach the disk.
  (symbolic bounds: t ≥ 0.0, r ≤ 3.9; t ≥ 0.3, r ≤ 2.5; t ≥ 0.7, r ≤ 2.0; t ≥ 1.0, r ≤ 1.7; t ≥ 1.4, r ≤ 0.8)
Implication chain: Train reaches Pittsburgh (P) if it can be driven for > 1.4 hours:
  ⟨x′ = f(x), t′ = 1⟩ t > 1.4  →  ⟨x′ = f(x)⟩P
22-27 / 34
Existence Properties
Idea 3: Basic ODE liveness properties can be justified by simple axioms assuming appropriate side conditions are met.
GEx  ⟨x′ = f(x), t′ = 1⟩ t > c   (if x′ = f(x) is globally Lipschitz)
  Can drive train for > 1.4 hours.   (Not for x′ = −y, y′ = 4x².)
Train reaches Pittsburgh (P) if driven for > 1.4 hours: ⟨x′ = f(x)⟩P
Problem: Finite time blowup may prevent solutions from reaching the goal.
(Figure: x² + y² against t for x′ = −y, y′ = 4x², t from 0.5 to 3.5, with the level at which the goal is reached marked.)
28 / 34
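The existence side condition and the blowup on this slide, as an added worked example (not code from the talk or from KeYmaera X): it checks the global-Lipschitz condition under which GEx applies, using the fact that a polynomial vector field is globally Lipschitz on all of Rⁿ exactly when its right-hand side is affine, and then integrates the train model x′ = −y, y′ = 4x² numerically from the constructed initial point (1, 0) to watch x² + y² escape every bound in finite time, beside the harmonic oscillator of slide 10, which stays bounded. The fixed-step RK4 integrator, the bound 10⁶, the step size and the initial point are choices made here, and the simulation is evidence about one trajectory, not a proof.

```python
"""Existence side condition for GEx and numerical evidence of finite-time
blowup (added example; not code from the talk or from KeYmaera X)."""
import math

# Polynomial right-hand sides as {exponent tuple: coefficient};
# the monomial (a, b) stands for x^a * y^b.
HARMONIC = [{(0, 1): 1}, {(1, 0): -1}]   # x' = y,  y' = -x     (slide 10)
TRAIN = [{(0, 1): -1}, {(2, 0): 4}]      # x' = -y, y' = 4x^2   (slide 20)

def is_globally_lipschitz(f):
    """A polynomial vector field is globally Lipschitz on R^n exactly when every
    component is affine (total degree <= 1): a monomial of degree >= 2 has an
    unbounded partial derivative, so no single Lipschitz constant works on all
    of R^n.  This is the side condition under which GEx may be used."""
    return all(sum(m) <= 1 for f_i in f for m in f_i)

def evaluate(f, state):
    """Evaluate each polynomial component at the point `state`."""
    return [sum(c * math.prod(v ** e for v, e in zip(state, m)) for m, c in f_i.items())
            for f_i in f]

def rk4_step(f, state, h):
    """One classical fourth-order Runge-Kutta step of size h."""
    k1 = evaluate(f, state)
    k2 = evaluate(f, [s + h / 2 * k for s, k in zip(state, k1)])
    k3 = evaluate(f, [s + h / 2 * k for s, k in zip(state, k2)])
    k4 = evaluate(f, [s + h * k for s, k in zip(state, k3)])
    return [s + h / 6 * (a + 2 * b + 2 * c + d)
            for s, a, b, c, d in zip(state, k1, k2, k3, k4)]

def blowup_time(f, x0, bound=1e6, h=1e-3, t_max=10.0):
    """Simulate x' = f(x) from x0 and return the first time at which the squared
    norm exceeds `bound` (or the arithmetic overflows), as numerical evidence of
    finite-time blowup; return None if the trajectory stays bounded up to t_max.
    Simulating from one initial point is the 'bad idea' of slide 24: it says
    something about one trajectory, never about all of them."""
    state, t = list(x0), 0.0
    while t < t_max:
        try:
            state = rk4_step(f, state, h)
        except OverflowError:
            return t + h
        t += h
        norm2 = sum(s * s for s in state)
        if not math.isfinite(norm2) or norm2 > bound:
            return t
    return None

def existence_report(f, x0):
    """What the existence axioms can say about x' = f(x) from x0 (constructed demo)."""
    lipschitz = is_globally_lipschitz(f)
    return {
        "globally_lipschitz": lipschitz,
        "gex_applicable": lipschitz,     # GEx: solutions exist for every duration
        "blowup_observed_at": blowup_time(f, x0),
    }

if __name__ == "__main__":
    print("harmonic:", existence_report(HARMONIC, [1.0, 0.0]))
    print("train:   ", existence_report(TRAIN, [1.0, 0.0]))
```

For the train model the report shows the right-hand side is not globally Lipschitz, so GEx is not available, and the simulated x² + y² passes the bound after a few time units; a dVM-style rule applied without the missing existence condition would have no guarantee that the solution survives long enough to reach P.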
A Common Technical Glitch
Glitches (×) due to insufficient technical assumptions about existence of solutions:
  Bounded/Compact Eventuality [4, 5]: ×     Set Lyapunov Functions [6]: × ×     [8]: × ×
Several glitches (×) were due to insufficient technical assumptions about existence of solutions.
Glitches (×) due to more subtle issues:
  Differential Variants [1]: ×     Bounded/Compact Eventuality [4, 5]: ×
Other errors (×) were due to more subtle issues, but they were also caught through our approach.
30 / 34
Outline (next section: 5 Conclusion)
32 / 34
Conclusion
This talk: Exploiting logical duality in proofs of ODE safety and liveness.
ODE Safety
  Theorem (Completeness for invariants [LICS’18]): The differential dynamic logic (dL) proof calculus is a sound and complete axiomatization for invariants of polynomial ODEs. In fact, it decides invariance for polynomial ODEs and formulas.
  Theorem (Completeness for Noetherian invariants [JACM]): The dL proof calculus is a sound and complete axiomatization for semi-Noetherian invariants of Noetherian ODEs.
  Takeaway: Logic yields a complete understanding of ODE invariance.
  Benefit: Powerful automation for ODE safety from sound foundations.
33 / 34
Conclusion
ODE Liveness
  Surveyed liveness arguments [1], [4, 5], [6], [7], with their glitches (×) as tabulated on slide 18.
  New arguments (without and with domains): Higher Differential Variants; the combination [1] + [4, 5] + [7].
  Takeaway: Logic is a general framework for understanding ODE liveness.
  Benefit: Sound ODE liveness arguments and their generalizations.
Further Directions (In submission)
  Theory: Formal deductive proofs of (global) existence of solutions.
  Practice: Implementation in the KeYmaera X prover for hybrid systems.
34 / 34
References I
[1] André Platzer. 2010. Differential-algebraic Dynamic Logic for Differential-algebraic Programs. J. Log. Comput. 20, 1 (2010), 309–352. https://doi.org/10.1093/logcom/exn070
[2] André Platzer and Yong Kiam Tan. 2018. Differential Equation Axiomatization: The Impressive Power of Differential Ghosts. In LICS, Anuj Dawar and Erich Grädel (Eds.). ACM, New York, 819–828. https://doi.org/10.1145/3209108.3209147
[3] André Platzer and Yong Kiam Tan. 2020. Differential Equation Invariance Axiomatization. J. ACM 67, 1, Article 6 (2020), 66 pages. https://doi.org/10.1145/3380825
[4] Stephen Prajna and Anders Rantzer. 2005. Primal-Dual Tests for Safety and Reachability. In HSCC (LNCS), Manfred Morari and Lothar Thiele (Eds.), Vol. 3414. Springer, Heidelberg, 542–556. https://doi.org/10.1007/978-3-540-31954-2_35
1 / 5
References II
[5] Stephen Prajna and Anders Rantzer. 2007. Convex Programs for Temporal Verification of Nonlinear Dynamical Systems. SIAM J. Control Optim. 46, 3 (2007), 999–1021. https://doi.org/10.1137/050645178
[6] Stefan Ratschan and Zhikun She. 2010. Providing a Basin of Attraction to a Target Region of Polynomial Systems by Computation […] 4377–4394. https://doi.org/10.1137/090749955
[7] Andrew Sogokon and Paul B. Jackson. 2015. Direct Formal Verification of Liveness Properties in Continuous and Hybrid Dynamical Systems. In FM (LNCS), Nikolaj Bjørner and Frank S. de Boer (Eds.), Vol. 9109. Springer, Cham, 514–531. https://doi.org/10.1007/978-3-319-19249-9_32
2 / 5
References III
[8] Ankur Taly and Ashish Tiwari. 2010. Switching logic synthesis for […] ACM, New York, 19–28. https://doi.org/10.1145/1879021.1879025
[9] Yong Kiam Tan and André Platzer. 2019. An Axiomatic Approach to Liveness for Differential Equations. In FM (LNCS), Maurice ter Beek, Annabelle McIver, and José N. Oliveira (Eds.), Vol. 11800. Springer, 371–388. https://doi.org/10.1007/978-3-030-30942-8_23
3 / 5
More Diamond Refinement Axioms
K&   [x′ = f(x) & Q ∧ ¬P]¬H → (⟨x′ = f(x) & Q⟩H → ⟨x′ = f(x) & Q⟩P)
GEx  ⟨x′ = f(x), t′ = 1⟩ t > c   (if x′ = f(x) is globally Lipschitz)
BEx  ⟨x′ = f(x), t′ = 1⟩(¬B(x) ∨ t > c)
Idea 1: ODE safety has effective reasoning principles, so use ODE safety to justify refinement steps.
Idea 2: Implication chains build complicated liveness arguments from simple building blocks.
Idea 3: Basic ODE liveness properties can be justified by simple axioms assuming appropriate side conditions are met.
Idea 4: Reducing ODE liveness arguments to basic liveness refinements isolates and minimizes the possibility of soundness errors.
Key Idea: Liveness refinement steps exploit logical duality and are sound building blocks for understanding ODE liveness arguments [FM’19].
4 / 5
Local & Global Liveness for ODEs
(Figures: a domain Q with a region P; locally, the trajectory enters P at once; globally, it enters P eventually.)
Local Liveness: ⟨x′ = f(x) & P⟩⊤   (train immediately enters Pittsburgh (P))
(Global) Liveness: ⟨x′ = f(x) & Q⟩P   (train can eventually be driven to Pittsburgh (P))
Fact: Local liveness is self-dual for real arithmetic formulas P [LICS’18]:
  ⟨x′ = f(x) & P⟩⊤ ↔ ¬⟨x′ = f(x) & ¬P⟩⊤
5 / 5