How to Explain Cyber-Physical Systems to Your Verifier Andr e - - PowerPoint PPT Presentation

How to Explain Cyber-Physical Systems to Your Verifier

Andr´ e Platzer

aplatzer@cs.cmu.edu Computer Science Department Carnegie Mellon University, Pittsburgh, PA

http://symbolaris.com/

0.2 0.4 0.6 0.8 1.0

0.1 0.2 0.3 0.4 0.5

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 1 / 39

Outline

1

Motivation

2

Differential Dynamic Logic dL

3

Axiomatization

4

Differential Cuts, Differential Ghosts & Differential Invariants Differential Invariants Differential Cuts Differential Ghosts

5

Survey

6

Applications Ground Robots

7

Summary

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 1 / 39

Outline

1

Motivation

2

Differential Dynamic Logic dL

3

Axiomatization

4

Differential Cuts, Differential Ghosts & Differential Invariants Differential Invariants Differential Cuts Differential Ghosts

5

Survey

6

Applications Ground Robots

7

Summary

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 1 / 39

Can you trust a computer to control physics?

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 2 / 39

Hybrid Systems Analysis

Challenge (Hybrid Systems)

Fixed rule describing state evolution with both Discrete dynamics (control decisions) Continuous dynamics (differential equations)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 0.3 0.2 0.1 0.1 0.2a 2 4 6 8 10 t 0.2 0.4 0.6 0.8

v

2 4 6 8 10 t 0.5 1.0 1.5 2.0 2.5

p

px py Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 3 / 39

Hybrid Systems Analysis

Challenge (Hybrid Systems)

Fixed rule describing state evolution with both Discrete dynamics (control decisions) Continuous dynamics (differential equations)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 0.3 0.2 0.1 0.1 0.2a 2 4 6 8 10 t 0.00002 0.00004 0.00006 0.00008

Ω

2 4 6 8 10 t 0.2 0.4 0.6 0.8 1.0

d

dx dy Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 3 / 39

Hybrid Systems Analysis

Challenge (Hybrid Systems)

Fixed rule describing state evolution with both Discrete dynamics (control decisions) Continuous dynamics (differential equations)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 0.8 0.6 0.4 0.2 0.2

a

2 4 6 8 10 t 0.2 0.4 0.6 0.8 1.0v 2 4 6 8 10 t 2 4 6 8

p

px py Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 4 / 39

Hybrid Systems Analysis

Challenge (Hybrid Systems)

Fixed rule describing state evolution with both Discrete dynamics (control decisions) Continuous dynamics (differential equations)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 0.8 0.6 0.4 0.2 0.2

a

2 4 6 8 10 t 1.0 0.5 0.5

Ω

2 4 6 8 10 t 0.5 0.5 1.0

d

dx dy Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 4 / 39

Hybrid Systems Analysis

Challenge (Hybrid Systems)

Fixed rule describing state evolution with both Discrete dynamics (control decisions) Continuous dynamics (differential equations)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 4 3 2 1

a

2 4 6 8 10 t 0.2 0.4 0.6 0.8 1.0v 2 4 6 8 10 t 1 2 3 4

p

px py Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 5 / 39

Hybrid Systems Analysis

Challenge (Hybrid Systems)

Fixed rule describing state evolution with both Discrete dynamics (control decisions) Continuous dynamics (differential equations)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 4 3 2 1

a

2 4 6 8 10 t 1.0 0.5 0.5

Ω

2 4 6 8 10 t 0.5 0.5 1.0

d

dx dy Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 5 / 39

Hybrid Systems Analysis

Challenge (Hybrid Systems)

Fixed rule describing state evolution with both Discrete dynamics (control decisions) Continuous dynamics (differential equations)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 0.6 0.4 0.2 0.2 0.4

a

2 4 6 8 10 t 0.2 0.4 0.6 0.8 1.0 1.2v 2 4 6 8 10 t 1 2 3 4 5 6 7p

px py Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 6 / 39

Hybrid Systems Analysis

Challenge (Hybrid Systems)

Fixed rule describing state evolution with both Discrete dynamics (control decisions) Continuous dynamics (differential equations)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 0.6 0.4 0.2 0.2 0.4

a

2 4 6 8 10 t 1.0 0.5 0.5

Ω

2 4 6 8 10 t 0.5 0.5 1.0

d

dx dy Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 6 / 39

Outline

1

Motivation

2

Differential Dynamic Logic dL

3

Axiomatization

4

Differential Cuts, Differential Ghosts & Differential Invariants Differential Invariants Differential Cuts Differential Ghosts

5

Survey

6

Applications Ground Robots

7

Summary

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 6 / 39

Outline

1

Motivation

2

Differential Dynamic Logic dL

3

Axiomatization

4

Differential Cuts, Differential Ghosts & Differential Invariants Differential Invariants Differential Cuts Differential Ghosts

5

Survey

6

Applications Ground Robots

7

Summary

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 6 / 39

Complete Proof Theory of Hybrid Systems

Theorem (Complete Alignment) (JAR 2008, LICS’12)

hybrid = continuous = discrete (proof-theoretically)

System Continuous Discrete Hybrid

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 7 / 39

Complete Proof Theory of Hybrid Systems

Theorem (Complete Alignment) (JAR 2008, LICS’12)

hybrid = continuous = discrete (proof-theoretically)

System Continuous Discrete Hybrid Hybrid Theory Discrete Theory Contin. Theory

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 7 / 39

Complete Proof Theory of Hybrid Systems

Theorem (Complete Alignment) (JAR 2008, LICS’12)

hybrid = continuous = discrete (proof-theoretically)

System Continuous Discrete Hybrid Hybrid Theory Discrete Theory Contin. Theory

Corollary (Hybridization recipe)

Every verification technique can be hybridized. (add enough logic)

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 7 / 39

Logic for Hybrid Systems

differential dynamic logic

dL = FOLR z v MA v2 ≤ 2b(MA − z)

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 8 / 39

Logic for Hybrid Systems

differential dynamic logic

dL = FOLR + DL + HP v2 ≤ 2b v2 ≤ 2b v2 ≤ 2b C → [ if(z > SB) a := −b; z′′ = a

• hybrid program

] v2 ≤ 2b

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 8 / 39

Logic for Hybrid Systems

differential dynamic logic

dL = FOLR + DL + HP v2 ≤ 2b v2 ≤ 2b v2 ≤ 2b C → [ if(z > SB) a := −b; z′′ = a

• hybrid program

] v2 ≤ 2b Initial condition System dynamics Post condition

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 8 / 39

Differential Dynamic Logic dL: Syntax

Definition (Hybrid program α)

x := θ | ?H | x′ = f (x) & H | α ∪ β | α; β | α∗

Definition (dL Formula φ)

θ1 ≥ θ2 | ¬φ | φ ∧ ψ | ∀x φ | ∃x φ | [α]φ | αφ

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 9 / 39

Differential Dynamic Logic dL: Syntax

Definition (Hybrid program α)

x := θ | ?H | x′ = f (x) & H | α ∪ β | α; β | α∗

Definition (dL Formula φ)

θ1 ≥ θ2 | ¬φ | φ ∧ ψ | ∀x φ | ∃x φ | [α]φ | αφ Discrete Assign Test Condition Differential Equation Nondet. Choice Seq. Compose Nondet. Repeat All Reals Some Reals All Runs Some Runs

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 9 / 39

CPS Design & CPS Contracts in Programs

HP Reveal in layers Contracts Reason about CPS @requires ( vˆ2 ≤ 2∗b∗(m −x )) @requires ( v ≥ 0 ∧ A ≥ 0 ∧ b>0) @ensures ( x ≤ m) { i f ( vˆ2 ≤ 2∗b∗(m −x ) − (A+b )∗(A+2∗v )) { a := A; } else { a := −b ; } t := 0; {x’=v , v’=a , t ’=1 , v ≥ 0 ∧ t ≤ 1} }∗ @invariant ( vˆ2 ≤ 2∗b∗(m −x )) CPS Simulate for intuition CT Design-by-invariant

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 10 / 39

Outline

1

Motivation

2

Differential Dynamic Logic dL

3

Axiomatization

4

Differential Cuts, Differential Ghosts & Differential Invariants Differential Invariants Differential Cuts Differential Ghosts

5

Survey

6

Applications Ground Robots

7

Summary

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 10 / 39

Proofs for Hybrid Systems

φθ

x

[x := θ]φ v w φθ

x

x := θ φ

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 11 / 39

Proofs for Hybrid Systems

φθ

x

[x := θ]φ v w φθ

x

x := θ φ ∀t≥0 [x := yx(t)]φ [x′ = f (x)]φ v w x′ = f (x) φ

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 11 / 39

Proofs for Hybrid Systems

φθ

x

[x := θ]φ v w φθ

x

x := θ φ ∀t≥0 [x := yx(t)]φ [x′ = f (x)]φ v w x′ = f (x) φ x := yx(t)

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 11 / 39

Proofs for Hybrid Systems

compositional semantics ⇒ compositional rules!

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 12 / 39

Proofs for Hybrid Systems

[α]φ ∧ [β]φ [α ∪ β]φ v w1 w2 α φ β φ α ∪ β

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 12 / 39

Proofs for Hybrid Systems

[α]φ ∧ [β]φ [α ∪ β]φ v w1 w2 α φ β φ α ∪ β [α][β]φ [α; β]φ v s w α; β [α][β]φ α [β]φ β φ

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 12 / 39

Proofs for Hybrid Systems

[α]φ ∧ [β]φ [α ∪ β]φ v w1 w2 α φ β φ α ∪ β [α][β]φ [α; β]φ v s w α; β [α][β]φ α [β]φ β φ φ (φ → [α]φ) [α∗]φ v w α∗ φ α φ → [α]φ α α φ

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 12 / 39

Outline

1

Motivation

2

Differential Dynamic Logic dL

3

Axiomatization

4

Differential Cuts, Differential Ghosts & Differential Invariants Differential Invariants Differential Cuts Differential Ghosts

5

Survey

6

Applications Ground Robots

7

Summary

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 12 / 39

Differential Cuts, Differential Ghosts & Differential Invariants

CUT!

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 12 / 39

Air Traffic Control

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 13 / 39

Air Traffic Control

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 13 / 39

Air Traffic Control

Verification?

looks correct

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 13 / 39

Air Traffic Control

Verification?

looks correct NO!

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 13 / 39

Air Traffic Control

x1 x2 y1 y2 d ω e ς ̺

   x′

1 = −v1+v2 cos ϑ + ωx2

x′

2 =

v2 sin ϑ − ωx1 ϑ′ = ̟ − ω   

Verification?

looks correct NO!

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 13 / 39

Air Traffic Control

x1 x2 y1 y2 d ω e ς ̺

   x′

1 = −v1+v2 cos ϑ + ωx2

x′

2 =

v2 sin ϑ − ωx1 ϑ′ = ̟ − ω   

Example (“Solving” differential equations)

x1(t) = 1 ω̟

• x1ω̟ cos tω − v2ω cos tω sin ϑ + v2ω cos tω cos t̟ sin ϑ − v1̟ sin tω

+ x2ω̟ sin tω − v2ω cos ϑ cos t̟ sin tω − v2ω

• 1 − sin ϑ2 sin tω

+ v2ω cos ϑ cos tω sin t̟ + v2ω sin ϑ sin tω sin t̟

• . . .

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 13 / 39

Air Traffic Control

x1 x2 y1 y2 d ω e ς ̺

   x′

1 = −v1+v2 cos ϑ + ωx2

x′

2 =

v2 sin ϑ − ωx1 ϑ′ = ̟ − ω   

Example (“Solving” differential equations)

∀t≥0 1 ω̟

• x1ω̟ cos tω − v2ω cos tω sin ϑ + v2ω cos tω cos t̟ sin ϑ − v1̟ sin tω

+ x2ω̟ sin tω − v2ω cos ϑ cos t̟ sin tω − v2ω

• 1 − sin ϑ2 sin tω

+ v2ω cos ϑ cos tω sin t̟ + v2ω sin ϑ sin tω sin t̟

• . . .

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 13 / 39

\forall R ts2. ( 0 <= ts2 & ts2 <= t2_0

• >

( (om_1)^-1 * (omb_1)^-1 * (

• m_1 * omb_1 * x1 * Cos(om_1 * ts2)

+ om_1 * v2 * Cos(om_1 * ts2) * (1 + -1 * (Cos(u))^2)^(1 / 2) + -1 * omb_1 * v1 * Sin(om_1 * ts2) + om_1 * omb_1 * x2 * Sin(om_1 * ts2) + om_1 * v2 * Cos(u) * Sin(om_1 * ts2) + -1 * om_1 * v2 * Cos(omb_1 * ts2) * Cos(u) * Sin(om_1 * ts2) + om_1 * v2 * Cos(om_1 * ts2) * Cos(u) * Sin(omb_1 * ts2) + om_1 * v2 * Cos(om_1 * ts2) * Cos(omb_1 * ts2) * Sin(u) + om_1 * v2 * Sin(om_1 * ts2) * Sin(omb_1 * ts2) * Sin(u))) ^2 + ( (om_1)^-1 * (omb_1)^-1 * (

• 1 * omb_1 * v1 * Cos(om_1 * ts2)

+ om_1 * omb_1 * x2 * Cos(om_1 * ts2) + omb_1 * v1 * (Cos(om_1 * ts2))^2 + om_1 * v2 * Cos(om_1 * ts2) * Cos(u) + -1 * om_1 * v2 * Cos(om_1 * ts2) * Cos(omb_1 * ts2) * Cos(u) + -1 * om_1 * omb_1 * x1 * Sin(om_1 * ts2) +

• 1

* om_1 * v2 * (1 + -1 * (Cos(u))^2)^(1 / 2) * Sin(om_1 * ts2) + omb_1 * v1 * (Sin(om_1 * ts2))^2 + -1 * om_1 * v2 * Cos(u) * Sin(om_1 * ts2) * Sin(omb_1 * ts2) + -1 * om_1 * v2 * Cos(omb_1 * ts2) * Sin(om_1 * ts2) * Sin(u) + om_1 * v2 * Cos(om_1 * ts2) * Sin(omb_1 * ts2) * Sin(u))) ^2 >= (p)^2), t2_0 >= 0, x1^2 + x2^2 >= (p)^2 ==> Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 14 / 39

\forall R t7. ( t7 >= 0

• >

( (om_3)^-1 * (

• m_3

* ( (om_1)^-1 * (omb_1)^-1 * (

• m_1 * omb_1 * x1 * Cos(om_1 * t2_0)

+

• m_1

* v2 * Cos(om_1 * t2_0) * (1 + -1 * (Cos(u))^2)^(1 / 2) + -1 * omb_1 * v1 * Sin(om_1 * t2_0) + om_1 * omb_1 * x2 * Sin(om_1 * t2_0) + om_1 * v2 * Cos(u) * Sin(om_1 * t2_0) +

• 1

* om_1 * v2 * Cos(omb_1 * t2_0) * Cos(u) * Sin(om_1 * t2_0) +

• m_1

* v2 * Cos(om_1 * t2_0) * Cos(u) * Sin(omb_1 * t2_0) +

• m_1

* v2 * Cos(om_1 * t2_0) * Cos(omb_1 * t2_0) * Sin(u) +

• m_1

* v2 * Sin(om_1 * t2_0) * Sin(omb_1 * t2_0) * Sin(u))) Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 14 / 39

* Cos(om_3 * t5) + v2 * Cos(om_3 * t5) * ( 1 +

• 1

* (Cos(-1 * om_1 * t2_0 + omb_1 * t2_0 + u + Pi / 4))^2) ^(1 / 2) + -1 * v1 * Sin(om_3 * t5) +

• m_3

* ( (om_1)^-1 * (omb_1)^-1 * (

• 1 * omb_1 * v1 * Cos(om_1 * t2_0)

+ om_1 * omb_1 * x2 * Cos(om_1 * t2_0) + omb_1 * v1 * (Cos(om_1 * t2_0))^2 + om_1 * v2 * Cos(om_1 * t2_0) * Cos(u) +

• 1

* om_1 * v2 * Cos(om_1 * t2_0) * Cos(omb_1 * t2_0) * Cos(u) + -1 * om_1 * omb_1 * x1 * Sin(om_1 * t2_0) +

• 1

* om_1 * v2 * (1 + -1 * (Cos(u))^2)^(1 / 2) * Sin(om_1 * t2_0) + omb_1 * v1 * (Sin(om_1 * t2_0))^2 +

• 1

* om_1 * v2 * Cos(u) * Sin(om_1 * t2_0) * Sin(omb_1 * t2_0) Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 14 / 39

+

• 1

* om_1 * v2 * Cos(omb_1 * t2_0) * Sin(om_1 * t2_0) * Sin(u) +

• m_1

* v2 * Cos(om_1 * t2_0) * Sin(omb_1 * t2_0) * Sin(u))) * Sin(om_3 * t5) + v2 * Cos(-1 * om_1 * t2_0 + omb_1 * t2_0 + u + Pi / 4) * Sin(om_3 * t5) + v2 * (Cos(om_3 * t5))^2 * Sin(-1 * om_1 * t2_0 + omb_1 * t2_0 + u + Pi / 4) + v2 * (Sin(om_3 * t5))^2 * Sin(-1 * om_1 * t2_0 + omb_1 * t2_0 + u + Pi / 4))) ^2 + ( (om_3)^-1 * (

• 1 * v1 * Cos(om_3 * t5)

+

• m_3

* ( (om_1)^-1 * (omb_1)^-1 * (

• 1 * omb_1 * v1 * Cos(om_1 * t2_0)

+ om_1 * omb_1 * x2 * Cos(om_1 * t2_0) + omb_1 * v1 * (Cos(om_1 * t2_0))^2 + om_1 * v2 * Cos(om_1 * t2_0) * Cos(u) +

• 1

* om_1 * v2 * Cos(om_1 * t2_0) * Cos(omb_1 * t2_0) * Cos(u) Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 14 / 39

+ -1 * om_1 * omb_1 * x1 * Sin(om_1 * t2_0) +

• 1

* om_1 * v2 * (1 + -1 * (Cos(u))^2)^(1 / 2) * Sin(om_1 * t2_0) + omb_1 * v1 * (Sin(om_1 * t2_0))^2 +

• 1

* om_1 * v2 * Cos(u) * Sin(om_1 * t2_0) * Sin(omb_1 * t2_0) +

• 1

* om_1 * v2 * Cos(omb_1 * t2_0) * Sin(om_1 * t2_0) * Sin(u) +

• m_1

* v2 * Cos(om_1 * t2_0) * Sin(omb_1 * t2_0) * Sin(u))) * Cos(om_3 * t5) + v1 * (Cos(om_3 * t5))^2 + v2 * Cos(om_3 * t5) * Cos(-1 * om_1 * t2_0 + omb_1 * t2_0 + u + Pi / 4) +

• 1

* v2 * (Cos(om_3 * t5))^2 * Cos(-1 * om_1 * t2_0 + omb_1 * t2_0 + u + Pi / 4) Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 14 / 39

+

• 1

* om_3 * ( (om_1)^-1 * (omb_1)^-1 * (

• m_1 * omb_1 * x1 * Cos(om_1 * t2_0)

+

• m_1

* v2 * Cos(om_1 * t2_0) * (1 + -1 * (Cos(u))^2)^(1 / 2) + -1 * omb_1 * v1 * Sin(om_1 * t2_0) + om_1 * omb_1 * x2 * Sin(om_1 * t2_0) + om_1 * v2 * Cos(u) * Sin(om_1 * t2_0) +

• 1

* om_1 * v2 * Cos(omb_1 * t2_0) * Cos(u) * Sin(om_1 * t2_0) +

• m_1

* v2 * Cos(om_1 * t2_0) * Cos(u) * Sin(omb_1 * t2_0) +

• m_1

* v2 * Cos(om_1 * t2_0) * Cos(omb_1 * t2_0) * Sin(u) +

• m_1

* v2 * Sin(om_1 * t2_0) * Sin(omb_1 * t2_0) * Sin(u))) * Sin(om_3 * t5) Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 14 / 39

+

• 1

* v2 * ( 1 +

• 1

* (Cos(-1 * om_1 * t2_0 + omb_1 * t2_0 + u + Pi / 4))^2) ^(1 / 2) * Sin(om_3 * t5) + v1 * (Sin(om_3 * t5))^2 +

• 1

* v2 * Cos(-1 * om_1 * t2_0 + omb_1 * t2_0 + u + Pi / 4) * (Sin(om_3 * t5))^2)) ^2 >= (p)^2)

This is just one branch to prove for aircraft . . .

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 14 / 39

Differential Invariants for Differential Equations

“Definition” (Differential Invariant)

“Formula that remains true in the direction of the dynamics”

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 15 / 39

Differential Invariants for Differential Equations

“Definition” (Differential Invariant)

“Formula that remains true in the direction of the dynamics”

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 15 / 39

Differential Invariants for Differential Equations

“Definition” (Differential Invariant)

“Formula that remains true in the direction of the dynamics”

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 15 / 39

Differential Invariants: Local Dynamics w/o Solutions

Definition (Differential Invariant) (J.Log.Comput. 2010)

F closed under total differentiation with respect to differential constraints

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 16 / 39

Differential Invariants: Local Dynamics w/o Solutions

Definition (Differential Invariant) (J.Log.Comput. 2010)

F closed under total differentiation with respect to differential constraints

¬ ¬F

F F

(χ → F ′) χ → F→[x′ = θ & χ]F F → [α]F F → [α∗]F

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 16 / 39

Differential Invariants: Local Dynamics w/o Solutions

Definition (Differential Invariant) (J.Log.Comput. 2010)

F closed under total differentiation with respect to differential constraints

¬ ¬F

F F χ

F

(χ → F ′) χ → F→[x′ = θ & χ]F

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 16 / 39

Differential Invariants: Local Dynamics w/o Solutions

Definition (Differential Invariant) (J.Log.Comput. 2010)

F closed under total differentiation with respect to differential constraints

¬ ¬F

F F χ

F

(χ → F ′) χ → F→[x′ = θ & χ]F (¬F ∧ χ → F ′

≫)

[x′ = θ & ¬F]χ→x′ = θ & χF

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 16 / 39

Differential Invariants: Local Dynamics w/o Solutions

Definition (Differential Invariant) (J.Log.Comput. 2010)

F closed under total differentiation with respect to differential constraints

¬ ¬F

F F χ

F

(χ → F ′) χ → F→[x′ = θ & χ]F (¬F ∧ χ → F ′

≫)

[x′ = θ & ¬F]χ→x′ = θ & χF Total differential F ′ of formulas?

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 16 / 39

Differential Invariants for Aircraft Roundabouts

[x′

1 = d1, d′ 1 = − ωd2, x′ 2 = d2, d′ 2 = ωd1, ..](x1 − y1)2 + (x2 − y2)2 ≥ p2

x y c

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 17 / 39

Differential Invariants for Aircraft Roundabouts

∂x−y2 ∂x1

x′

1 + ∂x−y2 ∂y1

y′

1 + ∂x−y2 ∂x2

x′

2 + ∂x−y2 ∂y2

y′

2 ≥ ∂p2 ∂x1 x′ 1 . . .

[x′

1 = d1, d′ 1 = − ωd2, x′ 2 = d2, d′ 2 = ωd1, ..](x1 − y1)2 + (x2 − y2)2 ≥ p2

x y c

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 17 / 39

Differential Invariants for Aircraft Roundabouts

∂x−y2 ∂x1

x′

1 + ∂x−y2 ∂y1

y′

1 + ∂x−y2 ∂x2

x′

2 + ∂x−y2 ∂y2

y′

2 ≥ ∂p2 ∂x1 x′ 1 . . .

[x′

1 = d1, d′ 1 = − ωd2, x′ 2 = d2, d′ 2 = ωd1, ..](x1 − y1)2 + (x2 − y2)2 ≥ p2

x y c

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 17 / 39

Differential Invariants for Aircraft Roundabouts

∂x−y2 ∂x1

d1 + ∂x−y2

∂y1

e1 + ∂x−y2

∂x2

d2 + ∂x−y2

∂y2

e2 ≥ ∂p2

∂x1 d1 . . .

[x′

1 = d1, d′ 1 = − ωd2, x′ 2 = d2, d′ 2 = ωd1, ..](x1 − y1)2 + (x2 − y2)2 ≥ p2

x y c

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 17 / 39

Differential Invariants for Aircraft Roundabouts

2(x1 − y1)(d1 − e1) + 2(x2 − y2)(d2 − e2) ≥ 0

∂x−y2 ∂x1

d1 + ∂x−y2

∂y1

e1 + ∂x−y2

∂x2

d2 + ∂x−y2

∂y2

e2 ≥ ∂p2

∂x1 d1 . . .

[x′

1 = d1, d′ 1 = − ωd2, x′ 2 = d2, d′ 2 = ωd1, ..](x1 − y1)2 + (x2 − y2)2 ≥ p2

x y c

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 17 / 39

Differential Invariants for Aircraft Roundabouts

2(x1 − y1)(d1 − e1) + 2(x2 − y2)(d2 − e2) ≥ 0

∂x−y2 ∂x1

d1 + ∂x−y2

∂y1

e1 + ∂x−y2

∂x2

d2 + ∂x−y2

∂y2

e2 ≥ ∂p2

∂x1 d1 . . .

[x′

1 = d1, d′ 1 = − ωd2, x′ 2 = d2, d′ 2 = ωd1, ..](x1 − y1)2 + (x2 − y2)2 ≥ p2

c x y d e x − y e d − e

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 17 / 39

Differential Invariants for Aircraft Roundabouts

2(x1 − y1)(d1 − e1) + 2(x2 − y2)(d2 − e2) ≥ 0

∂x−y2 ∂x1

d1 + ∂x−y2

∂y1

e1 + ∂x−y2

∂x2

d2 + ∂x−y2

∂y2

e2 ≥ ∂p2

∂x1 d1 . . .

[x′

1 = d1, d′ 1 = − ωd2, x′ 2 = d2, d′ 2 = ωd1, ..](x1 − y1)2 + (x2 − y2)2 ≥ p2

c x y d e x − y e d − e

.. →[d′

1 = − ωd2, e′ 1 = − ωe2, x′ 2 = d2, d′ 2 = ωd1, ..]d1 − e1 = −ω(x2 − y2)

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 17 / 39

Differential Invariants for Aircraft Roundabouts

2(x1 − y1)(−ω(x2 − y2)) + 2(x2 − y2)ω(x1 − y1) ≥ 0 2(x1 − y1)(d1 − e1) + 2(x2 − y2)(d2 − e2) ≥ 0

∂x−y2 ∂x1

d1 + ∂x−y2

∂y1

e1 + ∂x−y2

∂x2

d2 + ∂x−y2

∂y2

e2 ≥ ∂p2

∂x1 d1 . . .

[x′

1 = d1, d′ 1 = − ωd2, x′ 2 = d2, d′ 2 = ωd1, ..](x1 − y1)2 + (x2 − y2)2 ≥ p2

c x y d e x − y e d − e

.. →[d′

1 = − ωd2, e′ 1 = − ωe2, x′ 2 = d2, d′ 2 = ωd1, ..]d1 − e1 = −ω(x2 − y2)

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 17 / 39

Differential Invariants for Aircraft Roundabouts

2(x1 − y1)(−ω(x2 − y2)) + 2(x2 − y2)ω(x1 − y1) ≥ 0 2(x1 − y1)(d1 − e1) + 2(x2 − y2)(d2 − e2) ≥ 0

∂x−y2 ∂x1

d1 + ∂x−y2

∂y1

e1 + ∂x−y2

∂x2

d2 + ∂x−y2

∂y2

e2 ≥ ∂p2

∂x1 d1 . . .

[x′

1 = d1, d′ 1 = − ωd2, x′ 2 = d2, d′ 2 = ωd1, ..](x1 − y1)2 + (x2 − y2)2 ≥ p2

c x y d e x − y e d − e

∂(d1−e1) ∂d1

d′

1 + ∂(d1−e1) ∂e1

e′

1 = − ∂ω(x2−y2) ∂x2

x′

2 − ∂ω(x2−y2) ∂y2

y′

2

.. →[d′

1 = − ωd2, e′ 1 = − ωe2, x′ 2 = d2, d′ 2 = ωd1, ..]d1 − e1 = −ω(x2 − y2)

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 17 / 39

Differential Invariants for Aircraft Roundabouts

2(x1 − y1)(−ω(x2 − y2)) + 2(x2 − y2)ω(x1 − y1) ≥ 0 2(x1 − y1)(d1 − e1) + 2(x2 − y2)(d2 − e2) ≥ 0

∂x−y2 ∂x1

d1 + ∂x−y2

∂y1

e1 + ∂x−y2

∂x2

d2 + ∂x−y2

∂y2

e2 ≥ ∂p2

∂x1 d1 . . .

[x′

1 = d1, d′ 1 = − ωd2, x′ 2 = d2, d′ 2 = ωd1, ..](x1 − y1)2 + (x2 − y2)2 ≥ p2

c x y d e x − y e d − e

∂(d1−e1) ∂d1

d′

1 + ∂(d1−e1) ∂e1

e′

1 = − ∂ω(x2−y2) ∂x2

x′

2 − ∂ω(x2−y2) ∂y2

y′

2

.. →[d′

1 = − ωd2, e′ 1 = − ωe2, x′ 2 = d2, d′ 2 = ωd1, ..]d1 − e1 = −ω(x2 − y2)

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 17 / 39

Differential Invariants for Aircraft Roundabouts

2(x1 − y1)(−ω(x2 − y2)) + 2(x2 − y2)ω(x1 − y1) ≥ 0 2(x1 − y1)(d1 − e1) + 2(x2 − y2)(d2 − e2) ≥ 0

∂x−y2 ∂x1

d1 + ∂x−y2

∂y1

e1 + ∂x−y2

∂x2

d2 + ∂x−y2

∂y2

e2 ≥ ∂p2

∂x1 d1 . . .

[x′

1 = d1, d′ 1 = − ωd2, x′ 2 = d2, d′ 2 = ωd1, ..](x1 − y1)2 + (x2 − y2)2 ≥ p2

c x y d e x − y e d − e

∂(d1−e1) ∂d1

(−ωd2) + ∂(d1−e1)

∂e1

(−ωe2) = − ∂ω(x2−y2)

∂x2

d2 − ∂ω(x2−y2)

∂y2

e2 .. →[d′

1 = − ωd2, e′ 1 = − ωe2, x′ 2 = d2, d′ 2 = ωd1, ..]d1 − e1 = −ω(x2 − y2)

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 17 / 39

Differential Invariants for Aircraft Roundabouts

2(x1 − y1)(−ω(x2 − y2)) + 2(x2 − y2)ω(x1 − y1) ≥ 0 2(x1 − y1)(d1 − e1) + 2(x2 − y2)(d2 − e2) ≥ 0

∂x−y2 ∂x1

d1 + ∂x−y2

∂y1

e1 + ∂x−y2

∂x2

d2 + ∂x−y2

∂y2

e2 ≥ ∂p2

∂x1 d1 . . .

[x′

1 = d1, d′ 1 = − ωd2, x′ 2 = d2, d′ 2 = ωd1, ..](x1 − y1)2 + (x2 − y2)2 ≥ p2

c x y d e x − y e d − e

−ωd2 + ωe2 = −ω(d2 − e2)

∂(d1−e1) ∂d1

(−ωd2) + ∂(d1−e1)

∂e1

(−ωe2) = − ∂ω(x2−y2)

∂x2

d2 − ∂ω(x2−y2)

∂y2

e2 .. →[d′

1 = − ωd2, e′ 1 = − ωe2, x′ 2 = d2, d′ 2 = ωd1, ..]d1 − e1 = −ω(x2 − y2)

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 17 / 39

Differential Invariants & Differential Cuts

2(x1 − y1)(−ω(x2 − y2)) + 2(x2 − y2)ω(x1 − y1) ≥ 0 2(x1 − y1)(d1 − e1) + 2(x2 − y2)(d2 − e2) ≥ 0

∂x−y2 ∂x1

d1 + ∂x−y2

∂y1

e1 + ∂x−y2

∂x2

d2 + ∂x−y2

∂y2

e2 ≥ ∂p2

∂x1 d1 . . .

[x′

1 = d1, d′ 1 = − ωd2, x′ 2 = d2, d′ 2 = ωd1, ..](x1 − y1)2 + (x2 − y2)2 ≥ p2

Proposition (Differential cut saturation)

C differential invariant of [x′ = θ & H]φ, then [x′ = θ & H]φ iff [x′ = θ & H ∧ C]φ −ωd2 + ωe2 = −ω(d2 − e2)

∂(d1−e1) ∂d1

(−ωd2) + ∂(d1−e1)

∂e1

(−ωe2) = − ∂ω(x2−y2)

∂x2

d2 − ∂ω(x2−y2)

∂y2

e2 .. →[d′

1 = − ωd2, e′ 1 = − ωe2, x′ 2 = d2, d′ 2 = ωd1, ..]d1 − e1 = −ω(x2 − y2)

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 17 / 39

Differential Invariants & Differential Cuts

2(x1 − y1)(−ω(x2 − y2)) + 2(x2 − y2)ω(x1 − y1) ≥ 0 2(x1 − y1)(d1 − e1) + 2(x2 − y2)(d2 − e2) ≥ 0

∂x−y2 ∂x1

d1 + ∂x−y2

∂y1

e1 + ∂x−y2

∂x2

d2 + ∂x−y2

∂y2

e2 ≥ ∂p2

∂x1 d1 . . .

[x′

1 = d1, d′ 1 = − ωd2, x′ 2 = d2, d′ 2 = ωd1, ..](x1 − y1)2 + (x2 − y2)2 ≥ p2

−ωd2 + ωe2 = −ω(d2 − e2)

∂(d1−e1) ∂d1

(−ωd2) + ∂(d1−e1)

∂e1

(−ωe2) = − ∂ω(x2−y2)

∂x2

d2 − ∂ω(x2−y2)

∂y2

e2 .. →[d′

1 = − ωd2, e′ 1 = − ωe2, x′ 2 = d2, d′ 2 = ωd1, ..]d1 − e1 = −ω(x2 − y2)

refine dynamics by differential cut

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 17 / 39

The Structure of Differential Invariants

Theorem (Closure properties of differential invariants) (LMCS 2012)

Closed under conjunction, differentiation, and propositional equivalences.

Theorem (Differential Invariance Chart) (LMCS 2012)

DI= DI=,∧,∨ DI> DI>,∧,∨ DI≥ DI≥,∧,∨ DI DI≥,=,∧,∨ DI>,=,∧,∨

Theorem (Structure of invariant equations / differential cuts)(ITP’12)

Differential invariants and invariants form chain of differential ideals.

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 18 / 39

Differential Cuts: Change Dynamics, Not System

F→[x′ = θ & H]C F→[x′ = θ & (H ∧ C)]F F→[x′ = θ & H]F

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 19 / 39

Differential Cuts: Change Dynamics, Not System

F→[x′ = θ & H]C F→[x′ = θ & (H ∧ C)]F F→[x′ = θ & H]F

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 20 / 39

Differential Cuts: Change Dynamics, Not System

F→[x′ = θ & H]C F→[x′ = θ & (H ∧ C)]F F→[x′ = θ & H]F

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 20 / 39

Differential Cuts: Change Dynamics, Not System

F→[x′ = θ & H]C F→[x′ = θ & (H ∧ C)]F F→[x′ = θ & H]F

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 20 / 39

Differential Cuts: Change Dynamics, Not System

F→[x′ = θ & H]C F→[x′ = θ & (H ∧ C)]F F→[x′ = θ & H]F

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 20 / 39

Differential Cuts: Change Dynamics, Not System

F→[x′ = θ & H]C F→[x′ = θ & (H ∧ C)]F F→[x′ = θ & H]F

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 20 / 39

Differential Cuts: Change Dynamics, Not System

F→[x′ = θ & H]C F→[x′ = θ & (H ∧ C)]F F→[x′ = θ & H]F

Theorem (Gentzen’s Cut Elimination) (1935)

A→B ∨ C A ∧ C→B A→B cut can be eliminated

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 20 / 39

Differential Cuts: Change Dynamics, Not System

F→[x′ = θ & H]C F→[x′ = θ & (H ∧ C)]F F→[x′ = θ & H]F

Theorem (Gentzen’s Cut Elimination) (1935)

A→B ∨ C A ∧ C→B A→B cut can be eliminated

Theorem (No Differential Cut Elimination) (LMCS 2012)

Deductive power with differential cut exceeds deductive power without. DCI > DI

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 20 / 39

Differential Auxiliaries: Prove in Extra Dimensions

φ ↔ ∃y ψ ψ→[x′ = θ, y′ = ϑ & H]ψ φ→[x′ = θ & H]φ if y′ = ϑ has solution y : [0, ∞) → Rn

Theorem (Auxiliary Differential Variables) (LMCS 2012)

Deductive power with differential auxiliaries exceeds power without. DCI + DA > DCI t x x′ = θ

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 21 / 39

Differential Auxiliaries: Prove in Extra Dimensions

φ ↔ ∃y ψ ψ→[x′ = θ, y′ = ϑ & H]ψ φ→[x′ = θ & H]φ if y′ = ϑ has solution y : [0, ∞) → Rn

Theorem (Auxiliary Differential Variables) (LMCS 2012)

Deductive power with differential auxiliaries exceeds power without. DCI + DA > DCI t x x′ = θ y′ = ϑ

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 21 / 39

Differential Auxiliaries: Prove in Extra Dimensions

φ ↔ ∃y ψ ψ→[x′ = θ, y′ = ϑ & H]ψ φ→[x′ = θ & H]φ if y′ = ϑ has solution y : [0, ∞) → Rn

Theorem (Auxiliary Differential Variables) (LMCS 2012)

Deductive power with differential auxiliaries exceeds power without. DCI + DA > DCI t x x′ = θ y′ = ϑ ψ

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 21 / 39

Outline

1

Motivation

2

Differential Dynamic Logic dL

3

Axiomatization

4

Differential Cuts, Differential Ghosts & Differential Invariants Differential Invariants Differential Cuts Differential Ghosts

5

Survey

6

Applications Ground Robots

7

Summary

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 21 / 39

Family of Differential Dynamic Logics

d i s c r e t e c

• n

t i n u

• u

s nondet stochastic a d v e r s a r i a l

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 22 / 39

Family of Differential Dynamic Logics

d i s c r e t e c

• n

t i n u

• u

s nondet stochastic a d v e r s a r i a l

differential dynamic logic

dL = DL + HP [α]φ φ α

stochastic differential DL

SdL = DL + SHP αφ φ

differential game logic

dGL = GL + HG αφ φ

quantified differential DL

QdL = FOL + DL + QHP

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 22 / 39

¬ ¬F

F F χ

F

[α]φ φ α αPφ P(φ)

ψ → [α]φ ψ → [α]φ ψ → [α]φ ψ → [α]φ ψ → [α]φ

Strategy Rule Engine Proof Input File Rule base Mathematica QEPCAD Orbital KeYmaera Prover Solvers

16 8 4 2 1

c

• ∪

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 23 / 39

Successful Hybrid Systems Proofs

far neg cor rec fsa

x y c

 

c

• x

e n t r y e x i t

• y

c

• x1

x2 y1 y2 d ω e ¯ ϑ ̟

c

• x
• y
• z

x Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 24 / 39

Successful Hybrid Systems Proofs

ey fy xb (lx, ly) ex fx (rx, ry) (vx, vy)

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 24 / 39

Successful Hybrid Systems Proofs

c

• x
• y
• z

2minri

m i n r

• i
• di

xi disci xi xj p xk xl xm

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

5 10 15 20 0.3 0.2 0.1 0.1 0.2 0.3

0.2 0.4 0.6 0.8 1.0 1 1

• 0.3

0.2 0.1 0.0 0.1 0.2 0.3 Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 24 / 39

Outline

1

Motivation

2

Differential Dynamic Logic dL

3

Axiomatization

4

Differential Cuts, Differential Ghosts & Differential Invariants Differential Invariants Differential Cuts Differential Ghosts

5

Survey

6

Applications Ground Robots

7

Summary

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 24 / 39

Hybrid Systems Analysis

Challenge (Hybrid Systems)

Fixed rule describing state evolution with both Discrete dynamics (control decisions) Continuous dynamics (differential equations)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 0.3 0.2 0.1 0.1 0.2a 2 4 6 8 10 t 0.2 0.4 0.6 0.8

v

2 4 6 8 10 t 0.5 1.0 1.5 2.0 2.5

p

px py Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 25 / 39

Hybrid Systems Analysis

Challenge (Hybrid Systems)

Fixed rule describing state evolution with both Discrete dynamics (control decisions) Continuous dynamics (differential equations)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 0.3 0.2 0.1 0.1 0.2a 2 4 6 8 10 t 0.00002 0.00004 0.00006 0.00008

Ω

2 4 6 8 10 t 0.2 0.4 0.6 0.8 1.0

d

dx dy Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 25 / 39

Hybrid Systems Analysis

Challenge (Hybrid Systems)

Fixed rule describing state evolution with both Discrete dynamics (control decisions) Continuous dynamics (differential equations)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 0.8 0.6 0.4 0.2 0.2

a

2 4 6 8 10 t 0.2 0.4 0.6 0.8 1.0v 2 4 6 8 10 t 2 4 6 8

p

px py Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 26 / 39

Hybrid Systems Analysis

Challenge (Hybrid Systems)

Fixed rule describing state evolution with both Discrete dynamics (control decisions) Continuous dynamics (differential equations)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 0.8 0.6 0.4 0.2 0.2

a

2 4 6 8 10 t 1.0 0.5 0.5

Ω

2 4 6 8 10 t 0.5 0.5 1.0

d

dx dy Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 26 / 39

Hybrid Systems Analysis

Challenge (Hybrid Systems)

Fixed rule describing state evolution with both Discrete dynamics (control decisions) Continuous dynamics (differential equations)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 4 3 2 1

a

2 4 6 8 10 t 0.2 0.4 0.6 0.8 1.0v 2 4 6 8 10 t 1 2 3 4

p

px py Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 27 / 39

Hybrid Systems Analysis

Challenge (Hybrid Systems)

Fixed rule describing state evolution with both Discrete dynamics (control decisions) Continuous dynamics (differential equations)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 4 3 2 1

a

2 4 6 8 10 t 1.0 0.5 0.5

Ω

2 4 6 8 10 t 0.5 0.5 1.0

d

dx dy Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 27 / 39

Hybrid Systems Analysis

Challenge (Hybrid Systems)

Fixed rule describing state evolution with both Discrete dynamics (control decisions) Continuous dynamics (differential equations)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 0.6 0.4 0.2 0.2 0.4

a

2 4 6 8 10 t 0.2 0.4 0.6 0.8 1.0 1.2v 2 4 6 8 10 t 1 2 3 4 5 6 7p

px py Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 28 / 39

Hybrid Systems Analysis

Challenge (Hybrid Systems)

Fixed rule describing state evolution with both Discrete dynamics (control decisions) Continuous dynamics (differential equations)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 0.6 0.4 0.2 0.2 0.4

a

2 4 6 8 10 t 1.0 0.5 0.5

Ω

2 4 6 8 10 t 0.5 0.5 1.0

d

dx dy Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 28 / 39

Hybrid Systems Analysis

Challenge (Hybrid Systems)

Fixed rule describing state evolution with both Discrete dynamics (control decisions) Continuous dynamics (differential equations)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 0.3 0.2 0.1 0.1 0.2a 2 4 6 8 10 t 0.2 0.4 0.6 0.8

v

2 4 6 8 10 t 0.5 1.0 1.5 2.0 2.5

p

px py Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 29 / 39

Hybrid Systems Analysis

Challenge (Hybrid Systems)

Fixed rule describing state evolution with both Discrete dynamics (control decisions) Continuous dynamics (differential equations)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 0.3 0.2 0.1 0.1 0.2a 2 4 6 8 10 t 0.00002 0.00004 0.00006 0.00008

Ω

2 4 6 8 10 t 0.2 0.4 0.6 0.8 1.0

d

dx dy Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 29 / 39

Hybrid Systems Analysis

Challenge (Hybrid Systems)

ar := −b ∪ (ar := ∗; ? − b ≤ ar ≤ A)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 0.3 0.2 0.1 0.1 0.2a 2 4 6 8 10 t 0.2 0.4 0.6 0.8

v

2 4 6 8 10 t 0.5 1.0 1.5 2.0 2.5

p

px py Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 30 / 39

Hybrid Systems Analysis

Challenge (Hybrid Systems)

ar := −b ∪ (ar := ∗; ? − b ≤ ar ≤ A)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 0.3 0.2 0.1 0.1 0.2a 2 4 6 8 10 t 0.00002 0.00004 0.00006 0.00008

Ω

2 4 6 8 10 t 0.2 0.4 0.6 0.8 1.0

d

dx dy Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 30 / 39

Hybrid Systems Analysis

Challenge (Hybrid Systems)

ar := −b ∪ (ar := ∗; ? − b ≤ ar ≤ A; ωr := ∗; ? − Ω ≤ ωr ≤ Ω; ?SafeCtrl) ∪ (?vr = 0; ar := 0; ωr := 0)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 0.8 0.6 0.4 0.2 0.2

a

2 4 6 8 10 t 0.2 0.4 0.6 0.8 1.0v 2 4 6 8 10 t 2 4 6 8

p

px py Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 31 / 39

Hybrid Systems Analysis

Challenge (Hybrid Systems)

ar := −b ∪ (ar := ∗; ? − b ≤ ar ≤ A; ωr := ∗; ? − Ω ≤ ωr ≤ Ω; ?SafeCtrl) ∪ (?vr = 0; ar := 0; ωr := 0)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 0.8 0.6 0.4 0.2 0.2

a

2 4 6 8 10 t 1.0 0.5 0.5

Ω

2 4 6 8 10 t 0.5 0.5 1.0

d

dx dy Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 31 / 39

Robot: Motion Dynamics

translational ODE p′

r = vrdr

v′

r = ar

rotational DAE ω′

rpr − pc = ar

dx

r ′ = −ωrdy r

dy

r ′ = ωrdx r

pc pr dr dx

r

dy

r

Example (Differential invariants)

1 Move on circle:

pr − pc = ωd⊥

r

2 Stay in the box:

pr − p0∞ ≤ vrt + ar

2 t2

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 32 / 39

Hybrid Systems Analysis

Challenge (Hybrid Systems)

Moving obstacles: distance

• n current curve not enough

Dynamic obstacles (other agents) Avoid collisions (define safety)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 4 3 2 1

a

2 4 6 8 10 t 0.2 0.4 0.6 0.8 1.0v 2 4 6 8 10 t 1 2 3 4

p

px py Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 33 / 39

Hybrid Systems Analysis

Challenge (Hybrid Systems)

Moving obstacles: distance

• n current curve not enough

Dynamic obstacles (other agents) Avoid collisions (define safety)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 4 3 2 1

a

2 4 6 8 10 t 1.0 0.5 0.5

Ω

2 4 6 8 10 t 0.5 0.5 1.0

d

dx dy Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 33 / 39

Hybrid Systems Analysis

Challenge (Hybrid Systems)

Passive safety: no active collision while moving Dynamic obstacles (other agents) Avoid collisions (passive safety)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 0.7 0.6 0.5 0.4 0.3 0.2 0.1

a

2 4 6 8 10 t 0.2 0.4 0.6 0.8 1.0v 2 4 6 8 10 t 0.5 1.0 1.5 2.0 2.5 3.0 3.5

p

px py Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 34 / 39

Hybrid Systems Analysis

Challenge (Hybrid Systems)

Passive safety: no active collision while moving Dynamic obstacles (other agents) Avoid collisions (passive safety)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 0.7 0.6 0.5 0.4 0.3 0.2 0.1

a

2 4 6 8 10 t 0.5 0.5

Ω

2 4 6 8 10 t 0.5 0.5 1.0

d

dx dy Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 34 / 39

Hybrid Systems Analysis

Challenge (Hybrid Systems)

Passive friendly safety: don’t cause unavoidable collision Dynamic obstacles (other agents) Avoid collisions (friendly safety)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 1.4 1.2 1.0 0.8 0.6 0.4 0.2

a

2 4 6 8 10 t 0.2 0.4 0.6 0.8 1.0v 2 4 6 8 10 t 1 2 3 4p

px py Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 35 / 39

Hybrid Systems Analysis

Challenge (Hybrid Systems)

Passive friendly safety: don’t cause unavoidable collision Dynamic obstacles (other agents) Avoid collisions (friendly safety)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 1.4 1.2 1.0 0.8 0.6 0.4 0.2

a

2 4 6 8 10 t 1 2 3 4

Ω

2 4 6 8 10 t 1.0 0.5 0.5 1.0

d

dx dy Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 35 / 39

Hybrid Systems Analysis

Challenge (Hybrid Systems)

Sensor failure: Uncertainty of fallback to dead reckoning

2 4 6 8 10 t 0.05 0.10 0.15 0.20

∆

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 1.0 0.5 0.5 1.0a 2 4 6 8 10 t 0.2 0.4 0.6 0.8 1.0v 2 4 6 8 10 t 2 4 6 8 10p

px py Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 36 / 39

Hybrid Systems Analysis

Challenge (Hybrid Systems)

Sensor failure: Uncertainty of fallback to dead reckoning

2 4 6 8 10 t 0.05 0.10 0.15 0.20

∆

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 1.0 0.5 0.5 1.0a 2 4 6 8 10 t 1.0 0.5 0.5

Ω

2 4 6 8 10 t 0.5 0.5 1.0

d

dx dy Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 36 / 39

Robot Invariants and Constraints

Safety Invariant + Safe Control (RSS’13) static pr − po∞ > v 2

r

2b + A b + 1 A 2 ε2 + εvr

• passive

vr = 0 ∨ pr − po∞ > v 2

r

2b +V vr b + A b + 1 A 2 ε2 + ε(vr + V )

• + sensor U

ˆ pr − po∞ > v 2

r

2b + V vr b + A b + 1 A 2 ε2 + ε(vr + V )

• + Up

+ disturb. U pr − po∞ > v 2

r

2bUm + V vr bUm + A bUm + 1 A 2 ε2 + ε(vr + V )

• + failure

ˆ pr − po∞ > v 2

r

2b + V vr b + A b + 1 A 2 ε2 + ε(v + V )

• + Up + g∆

friendly pr − po∞ > v 2

r

2b + V 2 2bo + V vr b + τ

• +

A b + 1 A 2 ε2 + ε(vr + V )

• Andr´

e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 37 / 39

Outline

1

Motivation

2

Differential Dynamic Logic dL

3

Axiomatization

4

Differential Cuts, Differential Ghosts & Differential Invariants Differential Invariants Differential Cuts Differential Ghosts

5

Survey

6

Applications Ground Robots

7

Summary

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 37 / 39

How to Explain Cyber-Physical Systems to Your Verifier

d i s c r e t e c

• n

t i n u

• u

s nondet stochastic a d v e r s a r i a l

differential dynamic logic

dL = DL + HP [α]φ φ α Logic for hybrid systems Logic + distributed hybrid systems Logic + stochastic hybrid systems Compositional proofs Sound & complete / ODE Differential invariants KeYmaera

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 38 / 39

Logical Foundations

• f

Cyber-Physical Systems

Logic

Model Checking Theorem Proving Proof Theory Modal Logic

Algebra

Computer Algebra Algebraic Geometry Differential Algebra Lie Algebra

Analysis

Differential Equations Dynamical Systems Differ- entiation Limit Processes

Stochastics

Stochastic Differential Equations Differential Generators Dynkin’s Infinitesimal Generators Doob’s Super- martingales

Numerics

Error Analysis Numerical Quadrature Hermite Interpolation Weierstraß Approx- imation

Algorithms

Decision Procedures Proof Search Fixpoints & Lattices Closure Ordinals

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 39 / 39

Logical Foundations

• f

Cyber-Physical Systems

Logic

Model Checking Theorem Proving Proof Theory Modal Logic

Algebra

Computer Algebra Algebraic Geometry Differential Algebra Lie Algebra

Analysis

Differential Equations Dynamical Systems Differ- entiation Limit Processes

Stochastics

Stochastic Differential Equations Differential Generators Dynkin’s Infinitesimal Generators Doob’s Super- martingales

Numerics

Error Analysis Numerical Quadrature Hermite Interpolation Weierstraß Approx- imation

Algorithms

Decision Procedures Proof Search Fixpoints & Lattices Closure Ordinals

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 39 / 39

Outline

8

Proof Calculus

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 0 / 1

Differential Dynamic Logic: Axiomatization

[:=] [x := θ][(x)]φx ↔ [(x)]φθ [?] [?H]φ ↔ (H → φ) [′] [x′ = f (x)]φ ↔ ∀t≥0 [x := y(t)]φ (y′(t) = f (y)) [∪] [α ∪ β]φ ↔ [α]φ ∧ [β]φ [;] [α; β]φ ↔ [α][β]φ [∗] [α∗]φ ↔ φ ∧ [α][α∗]φ K [α](φ → ψ) → ([α]φ → [α]ψ) I [α∗](φ → [α]φ) → (φ → [α∗]φ) C [α∗]∀v>0 (ϕ(v) → αϕ(v − 1)) → ∀v (ϕ(v) → α∗∃v≤0 ϕ(v))

Andr´ e Platzer (CMU) How to Explain Cyber-Physical Systems to Your Verifier VSTTE’13 1 / 1