Logical Foundations of Cyber-Physical Systems Andr Platzer Andr - - PowerPoint PPT Presentation

11: Differential Equations & Proofs

Logical Foundations of Cyber-Physical Systems

Logical Foundations of Cyber-Physical Systems

André Platzer

André Platzer

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 1 / 24

Outline

1

Learning Objectives

2

Differential Invariants Recap: Ingredients for Differential Equation Proofs Soundness: Derivations Lemma Differential Weakening Equational Differential Invariants Differential Invariant Inequalities Disequational Differential Invariants Example Proof: Damped Oscillator Conjunctive Differential Invariants Disjunctive Differential Invariants Assuming Invariants

3

Differential Cuts

4

Soundness

5

Summary

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 2 / 24

Outline

1

Learning Objectives

2

Differential Invariants Recap: Ingredients for Differential Equation Proofs Soundness: Derivations Lemma Differential Weakening Equational Differential Invariants Differential Invariant Inequalities Disequational Differential Invariants Example Proof: Damped Oscillator Conjunctive Differential Invariants Disjunctive Differential Invariants Assuming Invariants

3

Differential Cuts

4

Soundness

5

Summary

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 2 / 24

Learning Objectives

Differential Equations & Proofs

CT M&C CPS discrete vs. continuous analogy rigorous reasoning about ODEs beyond differential invariant terms differential invariant formulas cut principles for differential equations axiomatization of ODEs differential facet of logical trinity understanding continuous dynamics relate discrete+continuous

• perational CPS effects

state changes along ODE

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 3 / 24

Differential Facet of Logical Trinity

Axiomatics Syntax Semantics Syntax defines the notation What problems are we allowed to write down? Semantics what carries meaning. What real or mathematical objects does the syntax stand for? Axiomatics internalizes semantic relations into universal syntactic transformations. How does the semantics of e ≥ ˜ e relate to semantics of e − ˜ e ≥ 0, syntactically? What about derivatives?

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 4 / 24

Outline

1

Learning Objectives

2

Differential Invariants Recap: Ingredients for Differential Equation Proofs Soundness: Derivations Lemma Differential Weakening Equational Differential Invariants Differential Invariant Inequalities Disequational Differential Invariants Example Proof: Damped Oscillator Conjunctive Differential Invariants Disjunctive Differential Invariants Assuming Invariants

3

Differential Cuts

4

Soundness

5

Summary

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 4 / 24

Differentials

Syntax e ::= x | x′ | c | e + k | e · k | (e)′ Semantics ω[

[(e)′] ] = ∑

x

ω(x′)∂[ [e] ] ∂x (ω)

Axioms

(e + k)′ = (e)′ +(k)′ (e · k)′ = (e)′ · k + e ·(k)′ (c())′ = 0

for constants/numbers c()

(x)′ = x′

for variables x ∈ V ODE

[ [x′ = f(x)&Q] ] = {(ϕ(0)|{x′}∁,ϕ(r)) : ϕ | = x′ = f(x)∧ Q

for some ϕ : [0,r] → S, some r ∈ R}

ϕ(z)(x′) = dϕ(t)(x)

dt

(z) ...

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 6 / 24

Differential Substitution Lemmas

Lemma (Differential lemma) (Differential value vs. Time-derivative)

If ϕ |

= x′ = f(x)∧ Q for duration r>0, then for all 0≤z≤r, FV(e) ⊆ {x}: ϕ(z)[ [(e)′] ] = dϕ(t)[ [e] ]

dt

(z) Lemma (Differential assignment) (Effect on Differentials)

If ϕ |

= x′ = f(x)∧ Q then ϕ | = P ↔ [x′ := f(x)]P Lemma (Derivations) (Equations of Differentials) (e + k)′ = (e)′ +(k)′ (e · k)′ = (e)′ · k + e ·(k)′ (c())′ = 0

for constants/numbers c()

(x)′ = x′

for variables x ∈ V

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 7 / 24

Differential Substitution Lemmas ❀ Proofs

Lemma (Differential lemma) (Differential value vs. Time-derivative)

If ϕ |

= x′ = f(x)∧ Q for duration r>0, then for all 0≤z≤r, FV(e) ⊆ {x}: ϕ(z)[ [(e)′] ] = dϕ(t)[ [e] ]

dt

(z) Lemma (Differential assignment) (Effect on Differentials)

DE [x′ = f(x)&Q]P ↔ [x′ = f(x)&Q][x′ := f(x)]P

Lemma (Derivations) (Equations of Differentials) +′ (e + k)′ = (e)′ +(k)′ ·′ (e · k)′ = (e)′ · k + e ·(k)′

c′

(c())′ = 0

x′

(x)′ = x′

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 7 / 24

Soundness: Proof of Derivations Lemma

Lemma (Derivations) (Equations of Differentials) +′ (e + k)′ = (e)′ +(k)′ ·′ (e · k)′ = (e)′ · k + e ·(k)′

c′

(c())′ = 0

x′

(x)′ = x′

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 8 / 24

Soundness: Proof of Derivations Lemma

Lemma (Derivations) (Equations of Differentials) +′ (e + k)′ = (e)′ +(k)′ Proof. ω[ [(e + k)′] ] =

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 8 / 24

Soundness: Proof of Derivations Lemma

Lemma (Derivations) (Equations of Differentials) +′ (e + k)′ = (e)′ +(k)′ Proof. ω[ [(e + k)′] ] = ∑

x

ω(x′)∂[ [e + k] ] ∂x (ω)

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 8 / 24

Soundness: Proof of Derivations Lemma

Lemma (Derivations) (Equations of Differentials) +′ (e + k)′ = (e)′ +(k)′ Proof. ω[ [(e + k)′] ] = ∑

x

ω(x′)∂[ [e + k] ] ∂x (ω) = ∑

x

ω(x′)∂([ [e] ]+[ [k] ]) ∂x (ω)

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 8 / 24

Soundness: Proof of Derivations Lemma

Lemma (Derivations) (Equations of Differentials) +′ (e + k)′ = (e)′ +(k)′ Proof. ω[ [(e + k)′] ] = ∑

x

ω(x′)∂[ [e + k] ] ∂x (ω) = ∑

x

ω(x′)∂([ [e] ]+[ [k] ]) ∂x (ω) = ∑

x

ω(x′) ∂[ [e] ] ∂x (ω)+ ∂[ [k] ] ∂x (ω)

• André Platzer (CMU)

LFCPS/11: Differential Equations & Proofs LFCPS/11 8 / 24

Soundness: Proof of Derivations Lemma

Lemma (Derivations) (Equations of Differentials) +′ (e + k)′ = (e)′ +(k)′ Proof. ω[ [(e + k)′] ] = ∑

x

ω(x′)∂[ [e + k] ] ∂x (ω) = ∑

x

ω(x′)∂([ [e] ]+[ [k] ]) ∂x (ω) = ∑

x

ω(x′) ∂[ [e] ] ∂x (ω)+ ∂[ [k] ] ∂x (ω)

• = ∑

x

ω(x′)∂[ [e] ] ∂x (ω)+ ∑

x

ω(x′)∂[ [k] ] ∂x (ω)

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 8 / 24

Soundness: Proof of Derivations Lemma

Lemma (Derivations) (Equations of Differentials) +′ (e + k)′ = (e)′ +(k)′ Proof. ω[ [(e + k)′] ] = ∑

x

ω(x′)∂[ [e + k] ] ∂x (ω) = ∑

x

ω(x′)∂([ [e] ]+[ [k] ]) ∂x (ω) = ∑

x

ω(x′) ∂[ [e] ] ∂x (ω)+ ∂[ [k] ] ∂x (ω)

• = ∑

x

ω(x′)∂[ [e] ] ∂x (ω)+ ∑

x

ω(x′)∂[ [k] ] ∂x (ω) = ω[ [(e)′] ]+ω[ [(k)′] ]

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 8 / 24

Soundness: Proof of Derivations Lemma

Lemma (Derivations) (Equations of Differentials) +′ (e + k)′ = (e)′ +(k)′ Proof. ω[ [(e + k)′] ] = ∑

x

ω(x′)∂[ [e + k] ] ∂x (ω) = ∑

x

ω(x′)∂([ [e] ]+[ [k] ]) ∂x (ω) = ∑

x

ω(x′) ∂[ [e] ] ∂x (ω)+ ∂[ [k] ] ∂x (ω)

• = ∑

x

ω(x′)∂[ [e] ] ∂x (ω)+ ∑

x

ω(x′)∂[ [k] ] ∂x (ω) = ω[ [(e)′] ]+ω[ [(k)′] ] = ω[ [(e)′ +(k)′] ]

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 8 / 24

Soundness: Proof of Derivations Lemma

Lemma (Derivations) (Equations of Differentials) +′ (e + k)′ = (e)′ +(k)′ Proof. ω[ [(e + k)′] ] = ∑

x

ω(x′)∂[ [e + k] ] ∂x (ω) = ∑

x

ω(x′)∂([ [e] ]+[ [k] ]) ∂x (ω) = ∑

x

ω(x′) ∂[ [e] ] ∂x (ω)+ ∂[ [k] ] ∂x (ω)

• = ∑

x

ω(x′)∂[ [e] ] ∂x (ω)+ ∑

x

ω(x′)∂[ [k] ] ∂x (ω) = ω[ [(e)′] ]+ω[ [(k)′] ] = ω[ [(e)′ +(k)′] ]

for all ω

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 8 / 24

Differential Substitution Lemmas ❀ Proofs

Lemma (Differential lemma) (Differential value vs. Time-derivative)

If ϕ |

= x′ = f(x)∧ Q for duration r>0, then for all 0≤z≤r, FV(e) ⊆ {x}: ϕ(z)[ [(e)′] ] = dϕ(t)[ [e] ]

dt

(z) Lemma (Differential assignment) (Effect on Differentials)

DE [x′ = f(x)&Q]P ↔ [x′ = f(x)&Q][x′ := f(x)]P

Lemma (Derivations) (Equations of Differentials) +′ (e + k)′ = (e)′ +(k)′ ·′ (e · k)′ = (e)′ · k + e ·(k)′

c′

(c())′ = 0

x′

(x)′ = x′

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 9 / 24

Differential Weakening

t x Q

ν ω

r x′ = f(x)&Q

¬Q

ODE

[ [x′ = f(x)&Q] ] = {(ϕ(0)|{x′}∁,ϕ(r)) : ϕ | = x′ = f(x)∧ Q

for some ϕ : [0,r] → S, some r ∈ R}

ϕ(z)(x′) = dϕ(t)(x)

dt

(z)

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 10 / 24

Differential Weakening

DW [x′ = f(x)&Q]P ↔ [x′ = f(x)&Q](Q → P) t x Q

ν ω

r x′ = f(x)&Q

¬Q

ODE

[ [x′ = f(x)&Q] ] = {(ϕ(0)|{x′}∁,ϕ(r)) : ϕ | = x′ = f(x)∧ Q

for some ϕ : [0,r] → S, some r ∈ R}

ϕ(z)(x′) = dϕ(t)(x)

dt

(z)

Differential equations cannot leave their domains.

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 10 / 24

Differential Weakening

DW [x′ = f(x)&Q]P ↔ [x′ = f(x)&Q](Q → P) t x Q

ν ω

r x′ = f(x)&Q

¬Q Example (Bouncing ball)

DW ⊢ [x′ = v,v′ = −g &x ≥ 0]0 ≤ x

No need to solve any ODEs to prove that bouncing ball is above ground.

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 10 / 24

Differential Weakening

DW [x′ = f(x)&Q]P ↔ [x′ = f(x)&Q](Q → P) t x Q

ν ω

r x′ = f(x)&Q

¬Q Example (Bouncing ball)

G ⊢ [x′ = v,v′ = −g &x ≥ 0](x ≥ 0 → 0 ≤ x) DW ⊢ [x′ = v,v′ = −g &x ≥ 0]0 ≤ x

No need to solve any ODEs to prove that bouncing ball is above ground.

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 10 / 24

Differential Weakening

DW [x′ = f(x)&Q]P ↔ [x′ = f(x)&Q](Q → P) t x Q

ν ω

r x′ = f(x)&Q

¬Q Example (Bouncing ball)

R ⊢ x ≥ 0 → 0 ≤ x

G ⊢ [x′ = v,v′ = −g &x ≥ 0](x ≥ 0 → 0 ≤ x) DW ⊢ [x′ = v,v′ = −g &x ≥ 0]0 ≤ x

No need to solve any ODEs to prove that bouncing ball is above ground.

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 10 / 24

Differential Weakening

DW [x′ = f(x)&Q]P ↔ [x′ = f(x)&Q](Q → P) t x Q

ν ω

r x′ = f(x)&Q

¬Q Example (Bouncing ball) ∗

R ⊢ x ≥ 0 → 0 ≤ x

G ⊢ [x′ = v,v′ = −g &x ≥ 0](x ≥ 0 → 0 ≤ x) DW ⊢ [x′ = v,v′ = −g &x ≥ 0]0 ≤ x

No need to solve any ODEs to prove that bouncing ball is above ground.

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 10 / 24

Differential Weakening

Differential Weakening dW Γ ⊢ [x′ = f(x)&Q]P,∆ DW [x′ = f(x)&Q]P ↔ [x′ = f(x)&Q](Q → P) t x Q

ν ω

r x′ = f(x)&Q

¬Q Example (Bouncing ball) ∗

R ⊢ x ≥ 0 → 0 ≤ x

G ⊢ [x′ = v,v′ = −g &x ≥ 0](x ≥ 0 → 0 ≤ x) DW ⊢ [x′ = v,v′ = −g &x ≥ 0]0 ≤ x

No need to solve any ODEs to prove that bouncing ball is above ground.

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 10 / 24

Differential Weakening

Differential Weakening dW Q ⊢ P

Γ ⊢ [x′ = f(x)&Q]P,∆

DW [x′ = f(x)&Q]P ↔ [x′ = f(x)&Q](Q → P) t x Q

ν ω

r x′ = f(x)&Q

¬Q Example (Bouncing ball) ∗

R ⊢ x ≥ 0 → 0 ≤ x

G ⊢ [x′ = v,v′ = −g &x ≥ 0](x ≥ 0 → 0 ≤ x) DW ⊢ [x′ = v,v′ = −g &x ≥ 0]0 ≤ x

No need to solve any ODEs to prove that bouncing ball is above ground.

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 10 / 24

Differential Invariant Terms for Differential Equations

Differential Invariant dI

⊢ [x′ := f(x)](e)′ = 0

e = 0 ⊢ [x′ = f(x)&Q]e = 0 DI

• [x′ = f(x)]e = 0 ↔ e = 0
• ← [x′ = f(x)](e)′ = 0

DE [x′ = f(x)&Q]P ↔ [x′ = f(x)&Q][x′ := f(x)]P DW [x′ = f(x)&Q]P ↔ [x′ = f(x)&Q](Q → P)

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 11 / 24

Differential Invariant Terms for Differential Equations

Differential Invariant dI Q ⊢ [x′ := f(x)](e)′ = 0 e = 0 ⊢ [x′ = f(x)&Q]e = 0 DI

• [x′ = f(x)&Q]e = 0 ↔ [?Q]e = 0
• ← [x′ = f(x)&Q](e)′ = 0

DE [x′ = f(x)&Q]P ↔ [x′ = f(x)&Q][x′ := f(x)]P DW [x′ = f(x)&Q]P ↔ [x′ = f(x)&Q](Q → P)

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 11 / 24

Differential Invariant Terms for Differential Equations

Differential Invariant dI Q ⊢ [x′ := f(x)](e)′ = 0 e = 0 ⊢ [x′ = f(x)&Q]e = 0 DI

• [x′ = f(x)&Q]e = 0 ↔ [?Q]e = 0
• ← [x′ = f(x)&Q](e)′ = 0

DE [x′ = f(x)&Q]P ↔ [x′ = f(x)&Q][x′ := f(x)]P DW [x′ = f(x)&Q]P ↔ [x′ = f(x)&Q](Q → P)

Proof (dI is a derived rule).

DI e = 0 ⊢ [x′ = f(x)&Q]e = 0

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 11 / 24

Differential Invariant Terms for Differential Equations

Differential Invariant dI Q ⊢ [x′ := f(x)](e)′ = 0 e = 0 ⊢ [x′ = f(x)&Q]e = 0 DI

• [x′ = f(x)&Q]e = 0 ↔ [?Q]e = 0
• ← [x′ = f(x)&Q](e)′ = 0

DE [x′ = f(x)&Q]P ↔ [x′ = f(x)&Q][x′ := f(x)]P DW [x′ = f(x)&Q]P ↔ [x′ = f(x)&Q](Q → P)

Proof (dI is a derived rule).

DE

⊢ [x′ = f(x)&Q](e)′ = 0

DI e = 0 ⊢ [x′ = f(x)&Q]e = 0

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 11 / 24

Differential Invariant Terms for Differential Equations

Differential Invariant dI Q ⊢ [x′ := f(x)](e)′ = 0 e = 0 ⊢ [x′ = f(x)&Q]e = 0 DI

• [x′ = f(x)&Q]e = 0 ↔ [?Q]e = 0
• ← [x′ = f(x)&Q](e)′ = 0

DE [x′ = f(x)&Q]P ↔ [x′ = f(x)&Q][x′ := f(x)]P DW [x′ = f(x)&Q]P ↔ [x′ = f(x)&Q](Q → P)

Proof (dI is a derived rule).

DW

⊢ [x′ = f(x)&Q][x′ := f(x)](e)′ = 0

DE

⊢ [x′ = f(x)&Q](e)′ = 0

DI e = 0 ⊢ [x′ = f(x)&Q]e = 0

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 11 / 24

Differential Invariant Terms for Differential Equations

Differential Invariant dI Q ⊢ [x′ := f(x)](e)′ = 0 e = 0 ⊢ [x′ = f(x)&Q]e = 0 DI

• [x′ = f(x)&Q]e = 0 ↔ [?Q]e = 0
• ← [x′ = f(x)&Q](e)′ = 0

DE [x′ = f(x)&Q]P ↔ [x′ = f(x)&Q][x′ := f(x)]P DW [x′ = f(x)&Q]P ↔ [x′ = f(x)&Q](Q → P)

Proof (dI is a derived rule).

G,→R

⊢ [x′ = f(x)&Q](Q → [x′ := f(x)](e)′ = 0)

DW

⊢ [x′ = f(x)&Q][x′ := f(x)](e)′ = 0

DE

⊢ [x′ = f(x)&Q](e)′ = 0

DI e = 0 ⊢ [x′ = f(x)&Q]e = 0

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 11 / 24

Differential Invariant Terms for Differential Equations

Differential Invariant dI Q ⊢ [x′ := f(x)](e)′ = 0 e = 0 ⊢ [x′ = f(x)&Q]e = 0 DI

• [x′ = f(x)&Q]e = 0 ↔ [?Q]e = 0
• ← [x′ = f(x)&Q](e)′ = 0

DE [x′ = f(x)&Q]P ↔ [x′ = f(x)&Q][x′ := f(x)]P DW [x′ = f(x)&Q]P ↔ [x′ = f(x)&Q](Q → P)

Proof (dI is a derived rule).

Q ⊢ [x′ := f(x)](e)′ = 0

G,→R

⊢ [x′ = f(x)&Q](Q → [x′ := f(x)](e)′ = 0)

DW

⊢ [x′ = f(x)&Q][x′ := f(x)](e)′ = 0

DE

⊢ [x′ = f(x)&Q](e)′ = 0

DI e = 0 ⊢ [x′ = f(x)&Q]e = 0

G P

[α]P

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 11 / 24

Differential Invariant Equations

Lemma (Differential lemma) (Differential value vs. Time-derivative) ϕ | = x′ = f(x)∧ Q for r > 0 ⇒ ∀

0≤z≤r ϕ(z)[

[(e)′] ] = dϕ(t)[ [e] ]

dt

(z)

Differential Invariant dI e = k ⊢ [x′ = f(x)]e = k

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 12 / 24

Differential Invariant Equations

Lemma (Differential lemma) (Differential value vs. Time-derivative) ϕ | = x′ = f(x)∧ Q for r > 0 ⇒ ∀

0≤z≤r ϕ(z)[

[(e)′] ] = dϕ(t)[ [e] ]

dt

(z)

Differential Invariant dI

⊢ [x′ := f(x)](e)′ = (k)′

e = k ⊢ [x′ = f(x)]e = k DI

• [x′ = f(x)]e = k ↔ e = k
• ← [x′ = f(x)](e)′ = (k)′

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 12 / 24

Differential Invariant Equations

Lemma (Differential lemma) (Differential value vs. Time-derivative) ϕ | = x′ = f(x)∧ Q for r > 0 ⇒ ∀

0≤z≤r ϕ(z)[

[(e)′] ] = dϕ(t)[ [e] ]

dt

(z)

Differential Invariant dI

⊢ [x′ := f(x)](e)′ = (k)′

e = k ⊢ [x′ = f(x)]e = k

t k e

DI

• [x′ = f(x)]e = k ↔ e = k
• ← [x′ = f(x)](e)′ = (k)′

Proof (= rate of change from = initial value. Mean-value theorem).

dϕ(t)[

[e] ]

dt

(z) = ϕ(z)[ [(e)′] ] = ϕ(z)[ [(k)′] ] = dϕ(t)[ [k] ]

dt

(z)

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 12 / 24

Differential Invariant Inequalities

Lemma (Differential lemma) (Differential value vs. Time-derivative) ϕ | = x′ = f(x)∧ Q for r > 0 ⇒ ∀

0≤z≤r ϕ(z)[

[(e)′] ] = dϕ(t)[ [e] ]

dt

(z)

Differential Invariant dI

⊢ [x′ := f(x)](e)′ ≥ (k)′

e ≥ k ⊢ [x′ = f(x)]e ≥ k

t k e

DI

• [x′ = f(x)]e ≥ k ↔ e ≥ k
• ← [x′ = f(x)](e)′ ≥ (k)′

Proof (≥ rate of change from ≥ initial value. Mean-value theorem).

dϕ(t)[

[e] ]

dt

(z) = ϕ(z)[ [(e)′] ] ≥ ϕ(z)[ [(k)′] ] = dϕ(t)[ [k] ]

dt

(z)

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 13 / 24

Differential Invariant Inequalities

Lemma (Differential lemma) (Differential value vs. Time-derivative) ϕ | = x′ = f(x)∧ Q for r > 0 ⇒ ∀

0≤z≤r ϕ(z)[

[(e)′] ] = dϕ(t)[ [e] ]

dt

(z)

Differential Invariant dI

⊢ [x′ := f(x)](e)′ ≤ (k)′

e ≤ k ⊢ [x′ = f(x)]e ≤ k

t e k

DI

• [x′ = f(x)]e ≤ k ↔ e ≤ k
• ← [x′ = f(x)](e)′ ≤ (k)′

Proof (≤ rate of change from ≤ initial value. Mean-value theorem).

dϕ(t)[

[e] ]

dt

(z) = ϕ(z)[ [(e)′] ] ≤ ϕ(z)[ [(k)′] ] = dϕ(t)[ [k] ]

dt

(z)

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 13 / 24

Differential Invariant Inequalities

Lemma (Differential lemma) (Differential value vs. Time-derivative) ϕ | = x′ = f(x)∧ Q for r > 0 ⇒ ∀

0≤z≤r ϕ(z)[

[(e)′] ] = dϕ(t)[ [e] ]

dt

(z)

Differential Invariant dI

⊢ [x′ := f(x)](e)′ > (k)′

e > k ⊢ [x′ = f(x)]e > k

t k e

DI

• [x′ = f(x)]e > k ↔ e > k
• ← [x′ = f(x)](e)′ > (k)′

Proof (> rate of change from > initial value. Mean-value theorem).

dϕ(t)[

[e] ]

dt

(z) = ϕ(z)[ [(e)′] ] > ϕ(z)[ [(k)′] ] = dϕ(t)[ [k] ]

dt

(z)

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 13 / 24

Differential Invariant Inequalities

Lemma (Differential lemma) (Differential value vs. Time-derivative) ϕ | = x′ = f(x)∧ Q for r > 0 ⇒ ∀

0≤z≤r ϕ(z)[

[(e)′] ] = dϕ(t)[ [e] ]

dt

(z)

Differential Invariant dI

⊢ [x′ := f(x)](e)′ ≥ (k)′

e > k ⊢ [x′ = f(x)]e > k

t k e

DI

• [x′ = f(x)]e > k ↔ e > k
• ← [x′ = f(x)](e)′ ≥ (k)′

Proof (≥ rate of change from > initial value. Mean-value theorem).

dϕ(t)[

[e] ]

dt

(z) = ϕ(z)[ [(e)′] ] ≥ ϕ(z)[ [(k)′] ] = dϕ(t)[ [k] ]

dt

(z)

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 13 / 24

Differential Invariant Inequalities

Lemma (Differential lemma) (Differential value vs. Time-derivative) ϕ | = x′ = f(x)∧ Q for r > 0 ⇒ ∀

0≤z≤r ϕ(z)[

[(e)′] ] = dϕ(t)[ [e] ]

dt

(z)

Differential Invariant dI

⊢ [x′ := f(x)](e)′ = (k)′

e = k ⊢ [x′ = f(x)]e = k

t k e

DI

• [x′ = f(x)]e = k ↔ e = k
• ← [x′ = f(x)](e)′ = (k)′

Proof (= rate of change from = initial value. Mean-value theorem).

dϕ(t)[

[e] ]

dt

(z) = ϕ(z)[ [(e)′] ] = ϕ(z)[ [(k)′] ] = dϕ(t)[ [k] ]

dt

(z)

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 14 / 24

Differential Invariant Inequalities

Lemma (Differential lemma) (Differential value vs. Time-derivative) ϕ | = x′ = f(x)∧ Q for r > 0 ⇒ ∀

0≤z≤r ϕ(z)[

[(e)′] ] = dϕ(t)[ [e] ]

dt

(z)

Differential Invariant dI

⊢ [x′ := f(x)](e)′ = (k)′

e = k ⊢ [x′ = f(x)]e = k

t k e

DI

• [x′ = f(x)]e = k ↔ e = k
• ← [x′ = f(x)](e)′ = (k)′

Proof (= rate of change from = initial value. Mean-value theorem).

dϕ(t)[

[e] ]

dt

(z) = ϕ(z)[ [(e)′] ] = ϕ(z)[ [(k)′] ] = dϕ(t)[ [k] ]

dt

(z)

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 14 / 24

Differential Invariant Inequalities

Lemma (Differential lemma) (Differential value vs. Time-derivative) ϕ | = x′ = f(x)∧ Q for r > 0 ⇒ ∀

0≤z≤r ϕ(z)[

[(e)′] ] = dϕ(t)[ [e] ]

dt

(z)

Differential Invariant dI

⊢ [x′ := f(x)](e)′ = (k)′

e = k ⊢ [x′ = f(x)]e = k

t k e

DI

• [x′ = f(x)]e = k ↔ e = k
• ← [x′ = f(x)](e)′ = (k)′

Proof (= rate of change from = initial value. Mean-value theorem).

dϕ(t)[

[e] ]

dt

(z) = ϕ(z)[ [(e)′] ] = ϕ(z)[ [(k)′] ] = dϕ(t)[ [k] ]

dt

(z)

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 14 / 24

Differential Invariant Inequalities

Lemma (Differential lemma) (Differential value vs. Time-derivative) ϕ | = x′ = f(x)∧ Q for r > 0 ⇒ ∀

0≤z≤r ϕ(z)[

[(e)′] ] = dϕ(t)[ [e] ]

dt

(z)

Differential Invariant dI

⊢ [x′ := f(x)](e)′ = (k)′

e = k ⊢ [x′ = f(x)]e = k

t k e

DI

• [x′ = f(x)]e = k ↔ e = k
• ← [x′ = f(x)](e)′ = (k)′

Proof (= rate of change from = initial value. Mean-value theorem).

dϕ(t)[

[e] ]

dt

(z) = ϕ(z)[ [(e)′] ] = ϕ(z)[ [(k)′] ] = dϕ(t)[ [k] ]

dt

(z)

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 14 / 24

Example: Differential Invariant Inequalities

ω2x2+y2≤c2 ⊢ [x′ = y,y′ = −ω2x − 2dωy &ω≥0∧ d≥0]ω2x2+y2≤c2

• x

y

1 2 3 4 5 6 1.5 1.0 0.5 0.5 1.0 André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 15 / 24

Example: Differential Invariant Inequalities: Oscillator

ω2x2+y2≤c2 ⊢ [x′ = y,y′ = −ω2x − 2dωy &ω≥0∧ d≥0]ω2x2+y2≤c2

• x

y

1 2 3 4 5 6 1.5 1.0 0.5 0.5 1.0

damped oscillator

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 15 / 24

Example: Differential Invariant Inequalities: Oscillator

ω≥0∧ d≥0 ⊢ [x′:=y][y′:=−ω2x − 2dωy]2ω2xx′ + 2yy′ ≤ 0 ω2x2+y2≤c2 ⊢ [x′ = y,y′ = −ω2x − 2dωy &ω≥0∧ d≥0]ω2x2+y2≤c2

• x

y

1 2 3 4 5 6 1.5 1.0 0.5 0.5 1.0

damped oscillator

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 15 / 24

Example: Differential Invariant Inequalities: Oscillator

ω≥0∧ d≥0 ⊢ 2ω2xy + 2y(−ω2x − 2dωy) ≤ 0 ω≥0∧ d≥0 ⊢ [x′:=y][y′:=−ω2x − 2dωy]2ω2xx′ + 2yy′ ≤ 0 ω2x2+y2≤c2 ⊢ [x′ = y,y′ = −ω2x − 2dωy &ω≥0∧ d≥0]ω2x2+y2≤c2

• x

y

1 2 3 4 5 6 1.5 1.0 0.5 0.5 1.0

damped oscillator

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 15 / 24

Example: Differential Invariant Inequalities: Oscillator

∗ ω≥0∧ d≥0 ⊢ 2ω2xy + 2y(−ω2x − 2dωy) ≤ 0 ω≥0∧ d≥0 ⊢ [x′:=y][y′:=−ω2x − 2dωy]2ω2xx′ + 2yy′ ≤ 0 ω2x2+y2≤c2 ⊢ [x′ = y,y′ = −ω2x − 2dωy &ω≥0∧ d≥0]ω2x2+y2≤c2

• x

y

1 2 3 4 5 6 1.5 1.0 0.5 0.5 1.0

damped oscillator

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 15 / 24

Example: Differential Invariant Inequalities: Oscillator

∗ ω≥0∧ d≥0 ⊢ 2ω2xy + 2y(−ω2x − 2dωy) ≤ 0 ω≥0∧ d≥0 ⊢ [x′:=y][y′:=−ω2x − 2dωy]2ω2xx′ + 2yy′ ≤ 0 ω2x2+y2≤c2 ⊢ [x′ = y,y′ = −ω2x − 2dωy &ω≥0∧ d≥0]ω2x2+y2≤c2

• x

y

1 2 3 4 5 6 1.5 1.0 0.5 0.5 1.0

damped oscillator

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 15 / 24

Differential Invariant Conjunctions

Differential Invariant dI A∧ B ⊢ [x′ = f(x)](A∧ B)

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 16 / 24

Differential Invariant Conjunctions

Differential Invariant dI

⊢ [x′ := f(x)]((A)′ ∧(B)′)

A∧ B ⊢ [x′ = f(x)](A∧ B)

x v dist(x, v) ∧ slow(v)

DI

• [x′ = f(x)](A∧ B) ↔ (A∧ B)
• ← [x′ = f(x))]((A)′ ∧(B)′)

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 16 / 24

Differential Invariant Conjunctions

Differential Invariant dI

⊢ [x′ := f(x)]((A)′ ∧(B)′)

A∧ B ⊢ [x′ = f(x)](A∧ B)

x v dist(x, v) ∧ slow(v)

DI

• [x′ = f(x)](A∧ B) ↔ (A∧ B)
• ← [x′ = f(x))]((A)′ ∧(B)′)

Proof (separately). ⊢ [x′ = f(x)](A)′

DIA ⊢ [x′ = f(x)]A

⊢ [x′ = f(x)](B)′

DIB ⊢ [x′ = f(x)]B

[]∧,WL

A∧ B ⊢ [x′ = f(x)](A∧ B)

[]∧ [α](P ∧ Q) ↔ [α]P ∧[α]Q

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 16 / 24

Quantum’s Back for a Differential Invariant Proof

2gx=2gH−v2 ⊢ [x′′ = −g &x≥0](2gx=2gH−v2 ∧ x≥0) No solutions but still a proof. Simple proof with simple arithmetic. Independent proofs for independent questions.

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 17 / 24

Quantum’s Back for a Differential Invariant Proof

[]∧ 2gx=2gH−v2 ⊢ [x′′=−g &x≥0]2gx=2gH−v2

⊢ [x′′=−g &x≥0]x≥0

2gx=2gH−v2 ⊢ [x′′ = −g &x≥0](2gx=2gH−v2 ∧ x≥0) No solutions but still a proof. Simple proof with simple arithmetic. Independent proofs for independent questions.

[]∧ [α](P ∧ Q) ↔ [α]P ∧[α]Q

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 17 / 24

Quantum’s Back for a Differential Invariant Proof

[]∧

dI

x≥0 ⊢ [x′:=v][v′:=−g]2gx′ = −2vv′ 2gx=2gH−v2 ⊢ [x′′=−g &x≥0]2gx=2gH−v2

⊢ [x′′=−g &x≥0]x≥0

2gx=2gH−v2 ⊢ [x′′ = −g &x≥0](2gx=2gH−v2 ∧ x≥0) No solutions but still a proof. Simple proof with simple arithmetic. Independent proofs for independent questions.

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 17 / 24

Quantum’s Back for a Differential Invariant Proof

[]∧

dI

[:=]

x≥0 ⊢ 2gv = −2v(−g) x≥0 ⊢ [x′:=v][v′:=−g]2gx′ = −2vv′ 2gx=2gH−v2 ⊢ [x′′=−g &x≥0]2gx=2gH−v2

⊢ [x′′=−g &x≥0]x≥0

2gx=2gH−v2 ⊢ [x′′ = −g &x≥0](2gx=2gH−v2 ∧ x≥0) No solutions but still a proof. Simple proof with simple arithmetic. Independent proofs for independent questions.

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 17 / 24

Quantum’s Back for a Differential Invariant Proof

[]∧

dI

[:=] R

∗

x≥0 ⊢ 2gv = −2v(−g) x≥0 ⊢ [x′:=v][v′:=−g]2gx′ = −2vv′ 2gx=2gH−v2 ⊢ [x′′=−g &x≥0]2gx=2gH−v2

⊢ [x′′=−g &x≥0]x≥0

2gx=2gH−v2 ⊢ [x′′ = −g &x≥0](2gx=2gH−v2 ∧ x≥0) No solutions but still a proof. Simple proof with simple arithmetic. Independent proofs for independent questions.

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 17 / 24

Quantum’s Back for a Differential Invariant Proof

[]∧

dI

[:=] R

∗

x≥0 ⊢ 2gv = −2v(−g) x≥0 ⊢ [x′:=v][v′:=−g]2gx′ = −2vv′ 2gx=2gH−v2 ⊢ [x′′=−g &x≥0]2gx=2gH−v2 dW x≥0 ⊢ x≥0

⊢ [x′′=−g &x≥0]x≥0

2gx=2gH−v2 ⊢ [x′′ = −g &x≥0](2gx=2gH−v2 ∧ x≥0) No solutions but still a proof. Simple proof with simple arithmetic. Independent proofs for independent questions.

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 17 / 24

Quantum’s Back for a Differential Invariant Proof

[]∧

dI

[:=] R

∗

x≥0 ⊢ 2gv = −2v(−g) x≥0 ⊢ [x′:=v][v′:=−g]2gx′ = −2vv′ 2gx=2gH−v2 ⊢ [x′′=−g &x≥0]2gx=2gH−v2 dW

id

∗

x≥0 ⊢ x≥0

⊢ [x′′=−g &x≥0]x≥0

2gx=2gH−v2 ⊢ [x′′ = −g &x≥0](2gx=2gH−v2 ∧ x≥0) No solutions but still a proof. Simple proof with simple arithmetic. Independent proofs for independent questions.

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 17 / 24

Differential Invariant Conjunctions

Differential Invariant dI

⊢ [x′ := f(x)]((A)′ ∧(B)′)

A∧ B ⊢ [x′ = f(x)](A∧ B)

x v dist(x, v) ∧ slow(v)

DI

• [x′ = f(x)](A∧ B) ↔ (A∧ B)
• ← [x′ = f(x))]((A)′ ∧(B)′)

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 18 / 24

Differential Invariant Disjunctions

Differential Invariant dI

⊢ [x′ := f(x)]((A)′ ∨(B)′)

A∨ B ⊢ [x′ = f(x)](A∨ B)

x v dist(x, v) ∨ slow(v)

DI

• [x′ = f(x)](A∨ B) ↔ (A∨ B)
• ← [x′ = f(x))]((A)′ ∨(B)′)

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 18 / 24

Differential Invariant Disjunctions

Differential Invariant dI

⊢ [x′ := f(x)]((A)′ ∨(B)′)

A∨ B ⊢ [x′ = f(x)](A∨ B)

x v dist(x, v) ∨ slow(v)

DI

• [x′ = f(x)](A∨ B) ↔ (A∨ B)
• ← [x′ = f(x))]((A)′ ∨(B)′)

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 18 / 24

Differential Invariant Disjunctions

Differential Invariant dI

⊢ [x′ := f(x)]((A)′ ∧(B)′)

A∨ B ⊢ [x′ = f(x)](A∨ B)

x v dist(x, v) ∨ slow(v)

DI

• [x′ = f(x)](A∨ B) ↔ (A∨ B)
• ← [x′ = f(x))]((A)′ ∧(B)′)

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 18 / 24

Differential Invariant Disjunctions

Differential Invariant dI

⊢ [x′ := f(x)]((A)′ ∧(B)′)

A∨ B ⊢ [x′ = f(x)](A∨ B)

x v dist(x, v) ∨ slow(v)

DI

• [x′ = f(x)](A∨ B) ↔ (A∨ B)
• ← [x′ = f(x))]((A)′ ∧(B)′)

Proof (separately). ∗

A ⊢ A∨B

⊢ [x′=f(x)](A)′

DIA ⊢ [x′=f(x)]A MR

A ⊢ [x′ = f(x)](A∨B)

∗

B ⊢ A∨B

⊢ [x′=f(x)](B)′

DIB ⊢ [x′=f(x)]B MR

B ⊢ [x′ = f(x)](A∨B)

∨L

A∨ B ⊢ [x′ = f(x)](A∨ B)

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 18 / 24

Differential Invariant Disjunctions

Differential Invariant dI

⊢ [x′ := f(x)]((A)′ ∧(B)′)

A∨ B ⊢ [x′ = f(x)](A∨ B)

x v dist(x, v) ∨ slow(v)

DI

• [x′ = f(x)](A∨ B) ↔ (A∨ B)
• ← [x′ = f(x))]((A)′ ∧(B)′)

Proof (separately). ∗

A ⊢ A∨B

⊢ [x′=f(x)](A)′

DIA ⊢ [x′=f(x)]A MR

A ⊢ [x′ = f(x)](A∨B)

∗

B ⊢ A∨B

⊢ [x′=f(x)](B)′

DIB ⊢ [x′=f(x)]B MR

B ⊢ [x′ = f(x)](A∨B)

∨L

A∨ B ⊢ [x′ = f(x)](A∨ B)

[]∧ [α](P ∧ Q) ↔ [α]P ∧[α]Q

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 18 / 24

Assuming Invariants

¬ ¬F

F F

¬ ¬F

F F

Q → [x′ := f(x)](F)′ F ⊢ [x′ = f(x)&Q]F F ∧ Q → [x′ := f(x)](F)′ F ⊢ [x′ = f(x)&Q]F loop F ⊢ [α]F F ⊢ [α∗]F

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 19 / 24

Assuming Invariants

¬ ¬F

F F

¬ ¬F

F F

Q → [x′ := f(x)](F)′ F ⊢ [x′ = f(x)&Q]F F ∧ Q → [x′ := f(x)](F)′ F ⊢ [x′ = f(x)&Q]F

Example (Restrictions)

v2 − 2v + 1 = 0 ⊢ [v′ = w,w′ = −v]v2 − 2v + 1 = 0

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 19 / 24

Assuming Invariants

¬ ¬F

F F

¬ ¬F

F F

Q → [x′ := f(x)](F)′ F ⊢ [x′ = f(x)&Q]F F ∧ Q → [x′ := f(x)](F)′ F ⊢ [x′ = f(x)&Q]F

Example (Restrictions)

v2 − 2v + 1 = 0 ⊢ [v′:=w][w′:=− v]2vv′ − 2v′ = 0 v2 − 2v + 1 = 0 ⊢ [v′ = w,w′ = −v]v2 − 2v + 1 = 0

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 19 / 24

Assuming Invariants

¬ ¬F

F F

¬ ¬F

F F

Q → [x′ := f(x)](F)′ F ⊢ [x′ = f(x)&Q]F F ∧ Q → [x′ := f(x)](F)′ F ⊢ [x′ = f(x)&Q]F

Example (Restrictions)

v2 − 2v + 1 = 0 ⊢ 2vw − 2w = 0 v2 − 2v + 1 = 0 ⊢ [v′:=w][w′:=− v]2vv′ − 2v′ = 0 v2 − 2v + 1 = 0 ⊢ [v′ = w,w′ = −v]v2 − 2v + 1 = 0

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 19 / 24

Assuming Invariants

¬ ¬F

F F

¬ ¬F

F F

Q → [x′ := f(x)](F)′ F ⊢ [x′ = f(x)&Q]F F ∧ Q → [x′ := f(x)](F)′ F ⊢ [x′ = f(x)&Q]F

Example (Restrictions)

v2 − 2v + 1 = 0 ⊢ 2vw − 2w = 0 v2 − 2v + 1 = 0 ⊢ [v′:=w][w′:=− v]2vv′ − 2v′ = 0 v2 − 2v + 1 = 0 ⊢ [v′ = w,w′ = −v]v2 − 2v + 1 = 0 w v

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 19 / 24

Assuming Invariants

¬ ¬F

F F

¬ ¬F

F F

Q → [x′ := f(x)](F)′ F ⊢ [x′ = f(x)&Q]F F ∧ Q → [x′ := f(x)](F)′ F ⊢ [x′ = f(x)&Q]F

Example (Restrictions are unsound!)

(unsound) v2 − 2v + 1 = 0 ⊢ 2vw − 2w = 0 v2 − 2v + 1 = 0 ⊢ [v′:=w][w′:=− v]2vv′ − 2v′ = 0 v2 − 2v + 1 = 0 ⊢ [v′ = w,w′ = −v]v2 − 2v + 1 = 0 w v

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 19 / 24

Outline

1

Learning Objectives

2

Differential Invariants Recap: Ingredients for Differential Equation Proofs Soundness: Derivations Lemma Differential Weakening Equational Differential Invariants Differential Invariant Inequalities Disequational Differential Invariants Example Proof: Damped Oscillator Conjunctive Differential Invariants Disjunctive Differential Invariants Assuming Invariants

3

Differential Cuts

4

Soundness

5

Summary

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 19 / 24

Differential Cuts

Differential Cut F ⊢ [x′ = f(x)]F

Differential Cut

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 20 / 24

Differential Cuts

Differential Cut F ⊢ [x′ = f(x)]C F ⊢ [x′ = f(x)]F

Differential Cut

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 20 / 24

Differential Cuts

Differential Cut F ⊢ [x′ = f(x)]C F ⊢ [x′ = f(x)&C]F F ⊢ [x′ = f(x)]F

Differential Cut

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 20 / 24

Differential Cuts

Differential Cut F ⊢ [x′ = f(x)&Q]C F ⊢ [x′ = f(x)&Q ∧ C]F F ⊢ [x′ = f(x)&Q]F

Differential Cut

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 20 / 24

Differential Cuts

Differential Cut F ⊢ [x′ = f(x)&Q]C F ⊢ [x′ = f(x)&Q ∧ C]F F ⊢ [x′ = f(x)&Q]F

Differential Cut

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 20 / 24

Differential Cuts

Differential Cut F ⊢ [x′ = f(x)&Q]C F ⊢ [x′ = f(x)&Q ∧ C]F F ⊢ [x′ = f(x)&Q]F

Differential Cut

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 20 / 24

Differential Cuts

Differential Cut F ⊢ [x′ = f(x)&Q]C F ⊢ [x′ = f(x)&Q ∧ C]F F ⊢ [x′ = f(x)&Q]F

Differential Cut

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 20 / 24

Differential Cuts

Differential Cut F ⊢ [x′ = f(x)&Q]C F ⊢ [x′ = f(x)&Q ∧ C]F F ⊢ [x′ = f(x)&Q]F

Differential Cut

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 20 / 24

Differential Cuts

Differential Cut F ⊢ [x′ = f(x)&Q]C F ⊢ [x′ = f(x)&Q ∧ C]F F ⊢ [x′ = f(x)&Q]F

Differential Cut Proof (Soundness).

Let ϕ |

= x′ = f(x)∧ Q starting in ω ∈ [ [F] ]. ω ∈ [ [[x′ = f(x)&Q]C] ] by left premise.

Thus, ϕ |

= x′ = f(x)∧ Q ∧ C.

Thus, ϕ(r) ∈ [

[F] ] by second premise.

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 20 / 24

Differential Cut Example: Increasingly Damped Oscillator

dC ω2x2+y2≤c2 ⊢ [x′=y,y′=−ω2x−2dωy,d′=7&ω≥0]ω2x2+y2≤c2

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 21 / 24

Differential Cut Example: Increasingly Damped Oscillator

dC ω2x2+y2≤c2 ⊢ [x′=y,y′=−ω2x−2dωy,d′=7&ω≥0]ω2x2+y2≤c2

• x

y

1 2 3 4 5 6

• 1.5
• 1.0
• 0.5

0.0 0.5 1.0

increasingly damped oscillator

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 21 / 24

Differential Cut Example: Increasingly Damped Oscillator

dI ω2x2+y2≤c2 ⊢ [x′=y,y′=−ω2x−2dωy,d′=7&ω≥0∧d≥0]ω2x2+y2≤c2 dC ω2x2+y2≤c2 ⊢ [x′=y,y′=−ω2x−2dωy,d′=7&ω≥0]ω2x2+y2≤c2

increasingly damped oscillator

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 21 / 24

Differential Cut Example: Increasingly Damped Oscillator

dI ω2x2+y2≤c2 ⊢ [x′=y,y′=−ω2x−2dωy,d′=7&ω≥0∧d≥0]ω2x2+y2≤c2 dC ω2x2+y2≤c2 ⊢ [x′=y,y′=−ω2x−2dωy,d′=7&ω≥0]ω2x2+y2≤c2 dI d≥0 ⊢ [x′ = y,y′ = −ω2x − 2dωy,d′=7&ω≥0]d≥0

increasingly damped oscillator

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 21 / 24

Differential Cut Example: Increasingly Damped Oscillator

dI ω2x2+y2≤c2 ⊢ [x′=y,y′=−ω2x−2dωy,d′=7&ω≥0∧d≥0]ω2x2+y2≤c2 dC ω2x2+y2≤c2 ⊢ [x′=y,y′=−ω2x−2dωy,d′=7&ω≥0]ω2x2+y2≤c2

[:=]ω≥0 ⊢ [d′:=7]d′≥0

dI d≥0 ⊢ [x′ = y,y′ = −ω2x − 2dωy,d′=7&ω≥0]d≥0

increasingly damped oscillator

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 21 / 24

Differential Cut Example: Increasingly Damped Oscillator

dI ω2x2+y2≤c2 ⊢ [x′=y,y′=−ω2x−2dωy,d′=7&ω≥0∧d≥0]ω2x2+y2≤c2 dC ω2x2+y2≤c2 ⊢ [x′=y,y′=−ω2x−2dωy,d′=7&ω≥0]ω2x2+y2≤c2

R ω≥0 ⊢ 7≥0 [:=]ω≥0 ⊢ [d′:=7]d′≥0

dI d≥0 ⊢ [x′ = y,y′ = −ω2x − 2dωy,d′=7&ω≥0]d≥0

increasingly damped oscillator

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 21 / 24

Differential Cut Example: Increasingly Damped Oscillator

dI ω2x2+y2≤c2 ⊢ [x′=y,y′=−ω2x−2dωy,d′=7&ω≥0∧d≥0]ω2x2+y2≤c2 dC ω2x2+y2≤c2 ⊢ [x′=y,y′=−ω2x−2dωy,d′=7&ω≥0]ω2x2+y2≤c2

∗

R ω≥0 ⊢ 7≥0 [:=]ω≥0 ⊢ [d′:=7]d′≥0

dI d≥0 ⊢ [x′ = y,y′ = −ω2x − 2dωy,d′=7&ω≥0]d≥0

ask increasingly damped oscillator

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 21 / 24

Differential Cut Example: Increasingly Damped Oscillator

[:=]

ω≥0∧d≥0 ⊢ [x′:=y][y′:=−ω2x − 2dωy]2ω2xx′ + 2yy′ ≤ 0

dI ω2x2+y2≤c2 ⊢ [x′=y,y′=−ω2x−2dωy,d′=7&ω≥0∧d≥0]ω2x2+y2≤c2 dC ω2x2+y2≤c2 ⊢ [x′=y,y′=−ω2x−2dωy,d′=7&ω≥0]ω2x2+y2≤c2

∗

R ω≥0 ⊢ 7≥0 [:=]ω≥0 ⊢ [d′:=7]d′≥0

dI d≥0 ⊢ [x′ = y,y′ = −ω2x − 2dωy,d′=7&ω≥0]d≥0

increasingly damped oscillator

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 21 / 24

Differential Cut Example: Increasingly Damped Oscillator

R

ω≥0∧d≥0 ⊢ 2ω2xy + 2y(−ω2x − 2dωy) ≤ 0

[:=]

ω≥0∧d≥0 ⊢ [x′:=y][y′:=−ω2x − 2dωy]2ω2xx′ + 2yy′ ≤ 0

dI ω2x2+y2≤c2 ⊢ [x′=y,y′=−ω2x−2dωy,d′=7&ω≥0∧d≥0]ω2x2+y2≤c2 dC ω2x2+y2≤c2 ⊢ [x′=y,y′=−ω2x−2dωy,d′=7&ω≥0]ω2x2+y2≤c2

∗

R ω≥0 ⊢ 7≥0 [:=]ω≥0 ⊢ [d′:=7]d′≥0

dI d≥0 ⊢ [x′ = y,y′ = −ω2x − 2dωy,d′=7&ω≥0]d≥0

increasingly damped oscillator

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 21 / 24

Differential Cut Example: Increasingly Damped Oscillator

∗

R

ω≥0∧d≥0 ⊢ 2ω2xy + 2y(−ω2x − 2dωy) ≤ 0

[:=]

ω≥0∧d≥0 ⊢ [x′:=y][y′:=−ω2x − 2dωy]2ω2xx′ + 2yy′ ≤ 0

dI ω2x2+y2≤c2 ⊢ [x′=y,y′=−ω2x−2dωy,d′=7&ω≥0∧d≥0]ω2x2+y2≤c2 dC ω2x2+y2≤c2 ⊢ [x′=y,y′=−ω2x−2dωy,d′=7&ω≥0]ω2x2+y2≤c2

∗

R ω≥0 ⊢ 7≥0 [:=]ω≥0 ⊢ [d′:=7]d′≥0

dI d≥0 ⊢ [x′ = y,y′ = −ω2x − 2dωy,d′=7&ω≥0]d≥0

DC increasingly damped oscillator

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 21 / 24

Differential Cut Example: Increasingly Damped Oscillator

∗

R

ω≥0∧d≥0 ⊢ 2ω2xy + 2y(−ω2x − 2dωy) ≤ 0

[:=]

ω≥0∧d≥0 ⊢ [x′:=y][y′:=−ω2x − 2dωy]2ω2xx′ + 2yy′ ≤ 0

dI ω2x2+y2≤c2 ⊢ [x′=y,y′=−ω2x−2dωy,d′=7&ω≥0∧d≥0]ω2x2+y2≤c2 dC ω2x2+y2≤c2 ⊢ [x′=y,y′=−ω2x−2dωy,d′=7&ω≥0]ω2x2+y2≤c2

∗

R ω≥0 ⊢ 7≥0 [:=]ω≥0 ⊢ [d′:=7]d′≥0

dI d≥0 ⊢ [x′ = y,y′ = −ω2x − 2dωy,d′=7&ω≥0]d≥0

init

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 21 / 24

Differential Cut Example: Increasingly Damped Oscillator

∗

R

ω≥0∧d≥0 ⊢ 2ω2xy + 2y(−ω2x − 2dωy) ≤ 0

[:=]

ω≥0∧d≥0 ⊢ [x′:=y][y′:=−ω2x − 2dωy]2ω2xx′ + 2yy′ ≤ 0

dI ω2x2+y2≤c2 ⊢ [x′=y,y′=−ω2x−2dωy,d′=7&ω≥0∧d≥0]ω2x2+y2≤c2 dC ω2x2+y2≤c2 ⊢ [x′=y,y′=−ω2x−2dωy,d′=7&ω≥0]ω2x2+y2≤c2

∗

R ω≥0 ⊢ 7≥0 [:=]ω≥0 ⊢ [d′:=7]d′≥0

dI d≥0 ⊢ [x′ = y,y′ = −ω2x − 2dωy,d′=7&ω≥0]d≥0

init Could repeatedly diffcut in formulas to help the proof

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 21 / 24

Ex: Differential Cuts

dC x3 ≥ −1∧ y5 ≥ 0 ⊢ [x′ = (x − 2)4 + y5,y′ = y2]x3 ≥ −1

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 22 / 24

Ex: Differential Cuts

dC x3 ≥ −1∧ y5 ≥ 0 ⊢ [x′ = (x − 2)4 + y5,y′ = y2]x3 ≥ −1 dI y5 ≥ 0 ⊢ [x′ = (x − 2)4 + y5,y′ = y2]y5 ≥ 0

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 22 / 24

Ex: Differential Cuts

dC x3 ≥ −1∧ y5 ≥ 0 ⊢ [x′ = (x − 2)4 + y5,y′ = y2]x3 ≥ −1

[:=]

⊢ [x′:=(x − 2)4 + y5][y′:=y2]5y4y′ ≥ 0

dI y5 ≥ 0 ⊢ [x′ = (x − 2)4 + y5,y′ = y2]y5 ≥ 0

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 22 / 24

Ex: Differential Cuts

dC x3 ≥ −1∧ y5 ≥ 0 ⊢ [x′ = (x − 2)4 + y5,y′ = y2]x3 ≥ −1

R

⊢ 5y4y2 ≥ 0

[:=]

⊢ [x′:=(x − 2)4 + y5][y′:=y2]5y4y′ ≥ 0

dI y5 ≥ 0 ⊢ [x′ = (x − 2)4 + y5,y′ = y2]y5 ≥ 0

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 22 / 24

Ex: Differential Cuts

dC x3 ≥ −1∧ y5 ≥ 0 ⊢ [x′ = (x − 2)4 + y5,y′ = y2]x3 ≥ −1

∗

R

⊢ 5y4y2 ≥ 0

[:=]

⊢ [x′:=(x − 2)4 + y5][y′:=y2]5y4y′ ≥ 0

dI y5 ≥ 0 ⊢ [x′ = (x − 2)4 + y5,y′ = y2]y5 ≥ 0

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 22 / 24

Ex: Differential Cuts

dI

x3 ≥ −1 ⊢ [x′ = (x − 2)4 + y5,y′ = y2 &y5 ≥ 0]x3 ≥ −1 ⊲

dC x3 ≥ −1∧ y5 ≥ 0 ⊢ [x′ = (x − 2)4 + y5,y′ = y2]x3 ≥ −1

∗

R

⊢ 5y4y2 ≥ 0

[:=]

⊢ [x′:=(x − 2)4 + y5][y′:=y2]5y4y′ ≥ 0

dI y5 ≥ 0 ⊢ [x′ = (x − 2)4 + y5,y′ = y2]y5 ≥ 0

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 22 / 24

Ex: Differential Cuts

[:=]

y5 ≥ 0 ⊢ [x′:=(x − 2)4 + y5][y′:=y2]3x2x′ ≥ 0

dI

x3 ≥ −1 ⊢ [x′ = (x − 2)4 + y5,y′ = y2 &y5 ≥ 0]x3 ≥ −1 ⊲

dC x3 ≥ −1∧ y5 ≥ 0 ⊢ [x′ = (x − 2)4 + y5,y′ = y2]x3 ≥ −1

∗

R

⊢ 5y4y2 ≥ 0

[:=]

⊢ [x′:=(x − 2)4 + y5][y′:=y2]5y4y′ ≥ 0

dI y5 ≥ 0 ⊢ [x′ = (x − 2)4 + y5,y′ = y2]y5 ≥ 0

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 22 / 24

Ex: Differential Cuts

R

y5 ≥ 0 ⊢ 3x2((x − 2)4 + y5) ≥ 0

[:=]

y5 ≥ 0 ⊢ [x′:=(x − 2)4 + y5][y′:=y2]3x2x′ ≥ 0

dI

x3 ≥ −1 ⊢ [x′ = (x − 2)4 + y5,y′ = y2 &y5 ≥ 0]x3 ≥ −1 ⊲

dC x3 ≥ −1∧ y5 ≥ 0 ⊢ [x′ = (x − 2)4 + y5,y′ = y2]x3 ≥ −1

∗

R

⊢ 5y4y2 ≥ 0

[:=]

⊢ [x′:=(x − 2)4 + y5][y′:=y2]5y4y′ ≥ 0

dI y5 ≥ 0 ⊢ [x′ = (x − 2)4 + y5,y′ = y2]y5 ≥ 0

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 22 / 24

Ex: Differential Cuts

∗

R

y5 ≥ 0 ⊢ 3x2((x − 2)4 + y5) ≥ 0

[:=]

y5 ≥ 0 ⊢ [x′:=(x − 2)4 + y5][y′:=y2]3x2x′ ≥ 0

dI

x3 ≥ −1 ⊢ [x′ = (x − 2)4 + y5,y′ = y2 &y5 ≥ 0]x3 ≥ −1 ⊲

dC x3 ≥ −1∧ y5 ≥ 0 ⊢ [x′ = (x − 2)4 + y5,y′ = y2]x3 ≥ −1

∗

R

⊢ 5y4y2 ≥ 0

[:=]

⊢ [x′:=(x − 2)4 + y5][y′:=y2]5y4y′ ≥ 0

dI y5 ≥ 0 ⊢ [x′ = (x − 2)4 + y5,y′ = y2]y5 ≥ 0

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 22 / 24

Outline

1

Learning Objectives

2

Differential Invariants Recap: Ingredients for Differential Equation Proofs Soundness: Derivations Lemma Differential Weakening Equational Differential Invariants Differential Invariant Inequalities Disequational Differential Invariants Example Proof: Damped Oscillator Conjunctive Differential Invariants Disjunctive Differential Invariants Assuming Invariants

3

Differential Cuts

4

Soundness

5

Summary

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 22 / 24

Soundness Proof: Differential Invariants

Lemma (Differential lemma) (Differential value vs. Time-derivative) ϕ | = x′ = f(x)∧ Q for r > 0 ⇒ ∀

0≤z≤r ϕ(z)[

[(e)′] ] = dϕ(t)[ [e] ]

dt

(z)

Differential Invariant DI

• [x′ = f(x)]e ≥ 0 ↔ e ≥ 0
• ← [x′ = f(x)](e)′ ≥ 0

t k e

Proof (≥ rate of change from ≥ initial value. Case r = 0 is easier.)

h(t)

def

= ϕ(t)[ [e] ] is differentiable on [0,r] if r > 0 by diff. lemma.

dh(t) dt

(z) = dϕ(t)[ [e] ]

dt

(z) = ϕ(z)[ [(e)′] ] ≥ 0 by lemma + assume for all z.

h(r)− h(0)

• ≥0

= (r − 0)

>0

dh(t) dt

(ξ)

• ≥0

≥ 0 by mean-value theorem for some ξ.

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 23 / 24

Outline

1

Learning Objectives

2

Differential Invariants Recap: Ingredients for Differential Equation Proofs Soundness: Derivations Lemma Differential Weakening Equational Differential Invariants Differential Invariant Inequalities Disequational Differential Invariants Example Proof: Damped Oscillator Conjunctive Differential Invariants Disjunctive Differential Invariants Assuming Invariants

3

Differential Cuts

4

Soundness

5

Summary

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 23 / 24

Summary: Differential Invariants for Differential Equations

Differential Weakening Q ⊢ F

Γ ⊢ [x′ = f(x)&Q]F

t x Q w u r x′ = f(x) & Q ¬Q

Differential Invariant Q ⊢ [x′ := f(x)](F)′ F ⊢ [x′ = f(x)&Q]F Differential Cut F ⊢ [x′ = f(x)&Q]C F ⊢ [x′ = f(x)&Q ∧ C]F F ⊢ [x′ = f(x)&Q]F

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 24 / 24

Summary: Differential Invariants for Differential Equations

Differential Weakening Q ⊢ F

Γ ⊢ [x′ = f(x)&Q]F

t x Q w u r x′ = f(x) & Q ¬Q

Differential Invariant Q ⊢ [x′ := f(x)](F)′ F ⊢ [x′ = f(x)&Q]F Differential Cut F ⊢ [x′ = f(x)&Q]C F ⊢ [x′ = f(x)&Q ∧ C]F F ⊢ [x′ = f(x)&Q]F DW [x′ = f(x)&Q]F ↔ [x′ = f(x)&Q](Q → F) DI

• [x′ = f(x)&Q]F ↔ [?Q]F
• ← (Q → [x′ = f(x)&Q](F)′)

DC

• [x′ = f(x)&Q]F ↔ [x′ = f(x)&Q ∧ C]F
• ← [x′ = f(x)&Q]C

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 24 / 24

André Platzer. Logical Foundations of Cyber-Physical Systems. Springer, Switzerland, 2018. URL: http://www.springer.com/978-3-319-63587-3,

doi:10.1007/978-3-319-63588-0.

André Platzer. A complete uniform substitution calculus for differential dynamic logic.

• J. Autom. Reas., 59(2):219–265, 2017.

doi:10.1007/s10817-016-9385-1.

André Platzer. Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics. Springer, Heidelberg, 2010.

doi:10.1007/978-3-642-14509-4.

André Platzer. Logics of dynamical systems. In LICS, pages 13–24, Los Alamitos, 2012. IEEE.

doi:10.1109/LICS.2012.13.

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 24 / 24

André Platzer. Differential-algebraic dynamic logic for differential-algebraic programs.

• J. Log. Comput., 20(1):309–352, 2010.

doi:10.1093/logcom/exn070.

André Platzer. The structure of differential invariants and differential cut elimination.

• Log. Meth. Comput. Sci., 8(4:16):1–38, 2012.

doi:10.2168/LMCS-8(4:16)2012.

André Platzer. A differential operator approach to equational differential invariants. In Lennart Beringer and Amy Felty, editors, ITP, volume 7406 of LNCS, pages 28–48, Berlin, 2012. Springer.

doi:10.1007/978-3-642-32347-8_3.

André Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11 24 / 24