Logical Foundations of Cyber-Physical Systems Andr Platzer Andr - - PowerPoint PPT Presentation

04: Safety & Contracts

Logical Foundations of Cyber-Physical Systems

Logical Foundations of Cyber-Physical Systems

André Platzer

André Platzer

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 1 / 16

Outline

1

Learning Objectives

2

Quantum the Acrophobic Bouncing Ball

3

Contracts for CPS Safety of Robots Safety of Bouncing Balls

4

Logical Formulas for Hybrid Programs

5

Differential Dynamic Logic Syntax Semantics Notational Convention

6

Identifying Requirements of a CPS

7

Summary

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 2 / 16

Outline

1

Learning Objectives

2

Quantum the Acrophobic Bouncing Ball

3

Contracts for CPS Safety of Robots Safety of Bouncing Balls

4

Logical Formulas for Hybrid Programs

5

Differential Dynamic Logic Syntax Semantics Notational Convention

6

Identifying Requirements of a CPS

7

Summary

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 2 / 16

Learning Objectives

Safety & Contracts

CT M&C CPS rigorous specification contracts preconditions postconditions differential dynamic logic discrete+continuous analytic specification model semantics reasoning principles

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 3 / 16

Outline

1

Learning Objectives

2

Quantum the Acrophobic Bouncing Ball

3

Contracts for CPS Safety of Robots Safety of Bouncing Balls

4

Logical Formulas for Hybrid Programs

5

Differential Dynamic Logic Syntax Semantics Notational Convention

6

Identifying Requirements of a CPS

7

Summary

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 3 / 16

Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball)

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 4 / 16

Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball) {x′ = v,v′ = −g}

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 4 / 16

Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball) {x′ = v,v′ = −g}

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 4 / 16

Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball) {x′ = v,v′ = −g &x ≥ 0}

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 4 / 16

Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball) {x′ = v,v′ = −g &x ≥ 0};

if(x = 0) v :=−cv

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 4 / 16

Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball)

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0) v :=−cv

∗

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 4 / 16

Quantum Discovered a Crack in the Fabric of Time

Example (Quantum the Bouncing Ball)

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0) v :=−cv

∗

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 4 / 16

Quantum Discovered a Crack in the Fabric of Time

t x j 2 4 6 8 10 12 t0 t1 t2 t3 t4 t5 t6

Example (Quantum the Bouncing Ball)

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0) v :=−cv

∗

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 4 / 16

Quantum Discovered a Crack in the Fabric of Time

t x j 2 4 6 8 10 12 t0 t1 t2 t3 t4 t5 t6

t j 1 2 3 4 5 6 7 8 9 10 11 12 t0 t1 t2 t3 t4 t5 t6

Example (Quantum the Bouncing Ball)

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0) v :=−cv

∗

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 4 / 16

Quantum Learns to Deflate

t x 2 4 6 8 10 12

Example (Quantum the Bouncing Ball)

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0) v :=−cv

∗

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 4 / 16

Quantum Learns to Deflate

t x 2 4 6 8 10 12

Example (Quantum the Bouncing Ball)

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)(v :=−cv ∪ v := 0)

∗

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 4 / 16

Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball)

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0) v :=−cv

∗

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 4 / 16

Outline

1

Learning Objectives

2

Quantum the Acrophobic Bouncing Ball

3

Contracts for CPS Safety of Robots Safety of Bouncing Balls

4

Logical Formulas for Hybrid Programs

5

Differential Dynamic Logic Syntax Semantics Notational Convention

6

Identifying Requirements of a CPS

7

Summary

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 4 / 16

Safety of Robots

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 5 / 16

Safety of Robots

Three Laws of Robotics Isaac Asimov 1942

1

A robot may not injure a human being or, through inaction, allow a human being to come to harm.

2

A robot must obey the orders given to it by human beings, except where such orders would conflict with the First Law.

3

A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 5 / 16

Safety of Robots

Three Laws of Robotics Isaac Asimov 1942

1

A robot may not injure a human being or, through inaction, allow a human being to come to harm.

2

A robot must obey the orders given to it by human beings, except where such orders would conflict with the First Law.

3

A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.

Three Laws of Robotics are not the answer. They are the inspiration!

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 5 / 16

Contracts for Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball)

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 6 / 16

Contracts for Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball)

ensures(0 ≤ x)

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 6 / 16

Contracts for Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball)

ensures(0 ≤ x) ensures(x ≤ H)

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 6 / 16

Contracts for Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball)

requires(x = H) ensures(0 ≤ x) ensures(x ≤ H)

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 6 / 16

Contracts for Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball)

requires(x = H) requires(0 ≤ H) ensures(0 ≤ x) ensures(x ≤ H)

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 6 / 16

Contracts for Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball)

requires(x = H) requires(0 ≤ H) ensures(0 ≤ x) ensures(x ≤ H)

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗@invariant(x ≥ 0)

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 6 / 16

Contracts for Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball)

requires(x = H) requires(0 ≤ H) ensures(0 ≤ x) ensures(x ≤ H)

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗@invariant(x ≥ 0)

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 6 / 16

Outline

1

Learning Objectives

2

Quantum the Acrophobic Bouncing Ball

3

Contracts for CPS Safety of Robots Safety of Bouncing Balls

4

Logical Formulas for Hybrid Programs

5

Differential Dynamic Logic Syntax Semantics Notational Convention

6

Identifying Requirements of a CPS

7

Summary

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 6 / 16

Contracts are Not Enough

CPS contracts are crucial for CPS safety. We need to understand CPS programs and contracts and how we can convince ourselves that a CPS program respects its contract. Contracts are at a disadvantage compared to full logic. Logic is for Specification and Reasoning

1

Specification of a whole CPS program.

2

Analytic inspection of its parts.

3

Argumentative relations between contracts and program parts. “Yes, this CPS program meets its contract, and here’s why . . . ”

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 7 / 16

Contracts for Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball)

requires(x = H) requires(0 ≤ H) ensures(0 ≤ x) ensures(x ≤ H)

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 8 / 16

Contracts for Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball)

requires(x = H) Precondition: requires(0 ≤ H) x = H ∧ 0 ≤ H in FOL ensures(0 ≤ x) ensures(x ≤ H)

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 8 / 16

Contracts for Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball)

requires(x = H) Precondition: requires(0 ≤ H) x = H ∧ 0 ≤ H in FOL ensures(0 ≤ x) Postcondition: ensures(x ≤ H) 0 ≤ x ∧ x ≤ H in FOL

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 8 / 16

Contracts for Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball)

requires(x = H) Precondition: requires(0 ≤ H) x = H ∧ 0 ≤ H in FOL ensures(0 ≤ x) Postcondition: ensures(x ≤ H) 0 ≤ x ∧ x ≤ H in FOL

• {x′ = v,v′ = −g &x ≥ 0};

How to say post is true if(x = 0)v :=−cv

∗

after all HP runs?

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 8 / 16

Contracts for Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball)

requires(x = H) Precondition: requires(0 ≤ H) x = H ∧ 0 ≤ H in FOL ensures(0 ≤ x) Postcondition: ensures(x ≤ H) 0 ≤ x ∧ x ≤ H in FOL

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗

x≤H

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 8 / 16

Contracts for Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball)

requires(x = H) Precondition: requires(0 ≤ H) x = H ∧ 0 ≤ H in FOL ensures(0 ≤ x) Postcondition: ensures(x ≤ H) 0 ≤ x ∧ x ≤ H in FOL

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗ x≤H

x≤H x≤H x≤H

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 8 / 16

Contracts for Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball)

requires(x = H) Precondition: requires(0 ≤ H) x = H ∧ 0 ≤ H in FOL ensures(0 ≤ x) Postcondition: ensures(x ≤ H) 0 ≤ x ∧ x ≤ H in FOL

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗

dL

[ ]x≤H

x≤H x≤H x≤H

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 8 / 16

Contracts for Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball)

requires(x = H) Precondition: requires(0 ≤ H) x = H ∧ 0 ≤ H in FOL ensures(0 ≤ x) Postcondition: ensures(x ≤ H) 0 ≤ x ∧ x ≤ H in FOL

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗

dL

[α]x≤H

x≤H x≤H

α

x≤H

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 8 / 16

Contracts for Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball)

requires(x = H) Precondition: requires(0 ≤ H) x = H ∧ 0 ≤ H in FOL ensures(0 ≤ x) Postcondition: ensures(x ≤ H) 0 ≤ x ∧ x ≤ H in FOL

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗ [

• {x′ = v,v′ = −g &x≥0};if(x=0)v :=−cv

∗]

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 8 / 16

Contracts for Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball)

requires(x = H) Precondition: requires(0 ≤ H) x = H ∧ 0 ≤ H in FOL ensures(0 ≤ x) Postcondition: ensures(x ≤ H) 0 ≤ x ∧ x ≤ H in FOL

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗ [

• {x′ = v,v′ = −g &x≥0};if(x=0)v :=−cv

∗](x ≤ H)

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 8 / 16

Contracts for Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball)

requires(x = H) Precondition: requires(0 ≤ H) x = H ∧ 0 ≤ H in FOL ensures(0 ≤ x) Postcondition: ensures(x ≤ H) 0 ≤ x ∧ x ≤ H in FOL

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗ [

• {x′ = v,v′ = −g &x≥0};if(x=0)v :=−cv

∗](0 ≤ x) [

• {x′ = v,v′ = −g &x≥0};if(x=0)v :=−cv

∗](x ≤ H)

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 8 / 16

Contracts for Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball)

requires(x = H) Precondition: requires(0 ≤ H) x = H ∧ 0 ≤ H in FOL ensures(0 ≤ x) Postcondition: ensures(x ≤ H) 0 ≤ x ∧ x ≤ H in FOL

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗ [

• {x′ = v,v′ = −g &x≥0};if(x=0)v :=−cv

∗](0 ≤ x) [

• {x′ = v,v′ = −g &x≥0};if(x=0)v :=−cv

∗](x ≤ H) [

• {x′ = v,v′ = −g &x≥0};if(x=0)v :=−cv

∗](0≤x ∧ x≤H)

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 8 / 16

Contracts for Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball)

requires(x = H) Precondition: requires(0 ≤ H) x = H ∧ 0 ≤ H in FOL ensures(0 ≤ x) Postcondition: ensures(x ≤ H) 0 ≤ x ∧ x ≤ H in FOL

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗ [

• {x′ = v,v′ = −g &x≥0};if(x=0)v :=−cv

∗](0 ≤ x) ∧[

• {x′ = v,v′ = −g &x≥0};if(x=0)v :=−cv

∗](x ≤ H) ↔ [

• {x′ = v,v′ = −g &x≥0};if(x=0)v :=−cv

∗](0≤x ∧ x≤H)

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 8 / 16

Contracts for Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball)

requires(x = H) Precondition: requires(0 ≤ H) x = H ∧ 0 ≤ H in FOL ensures(0 ≤ x) Postcondition: ensures(x ≤ H) 0 ≤ x ∧ x ≤ H in FOL

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗ [

• {x′ = v,v′ = −g &x≥0};if(x=0)v :=−cv

∗](0 ≤ x)

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 8 / 16

Contracts for Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball)

requires(x = H) Precondition: requires(0 ≤ H) x = H ∧ 0 ≤ H in FOL ensures(0 ≤ x) Postcondition: ensures(x ≤ H) 0 ≤ x ∧ x ≤ H in FOL

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗

x=H → [

• {x′ = v,v′ = −g &x≥0};if(x=0)v :=−cv

∗](0 ≤ x)

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 8 / 16

Contracts for Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball)

requires(x = H) Precondition: requires(0 ≤ H) x = H ∧ 0 ≤ H in FOL ensures(0 ≤ x) Postcondition: ensures(x ≤ H) 0 ≤ x ∧ x ≤ H in FOL

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗

0≤x∧x=H → [

• {x′ = v,v′ = −g &x≥0};if(x=0)v :=−cv

∗](0 ≤ x)

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 8 / 16

Outline

1

Learning Objectives

2

Quantum the Acrophobic Bouncing Ball

3

Contracts for CPS Safety of Robots Safety of Bouncing Balls

4

Logical Formulas for Hybrid Programs

5

Differential Dynamic Logic Syntax Semantics Notational Convention

6

Identifying Requirements of a CPS

7

Summary

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 8 / 16

Differential Dynamic Logic: Syntax

Definition (Syntax of differential dynamic logic)

The formulas of differential dynamic logic are defined by the grammar: P,Q ::= e ≥ ˜ e | ¬P | P ∧ Q | P ∨ Q | P → Q | ∀x P | ∃x P | [α]P | αP

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 9 / 16

Differential Dynamic Logic: Syntax

Definition (Syntax of differential dynamic logic)

The formulas of differential dynamic logic are defined by the grammar: P,Q ::= e ≥ ˜ e | ¬P | P ∧ Q | P ∨ Q | P → Q | ∀x P | ∃x P | [α]P | αP Not And Or Imply All reals Some real All runs Some runs

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 9 / 16

Differential Dynamic Logic dL: Semantics

Definition (dL Formulas) ω [α]P

P P P

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 10 / 16

Differential Dynamic Logic dL: Semantics

Definition (dL Formulas) ω αP

P

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 10 / 16

Differential Dynamic Logic dL: Semantics

Definition (dL Formulas) ω α-span [α]P

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 10 / 16

Differential Dynamic Logic dL: Semantics

Definition (dL Formulas) ω α-span [α]P βP β-span

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 10 / 16

Differential Dynamic Logic dL: Semantics

Definition (dL Formulas) ω α-span [α]P βP β-span β[α]-span

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 10 / 16

Differential Dynamic Logic: Syntax & Semantics

Definition (Syntax of differential dynamic logic)

The formulas of differential dynamic logic are defined by the grammar: P,Q ::= e ≥ ˜ e | ¬P | P ∧ Q | P ∨ Q | P → Q | ∀x P | ∃x P | [α]P | αP

Definition (dL semantics) ([

[·] ] : Fml →℘(S))

[ [e ≥ ˜

e]

] = {ω : ω[ [e] ] ≥ ω[ [˜

e]

]} [ [¬P] ] = [ [P] ]∁ = S \[ [P] ] [ [P ∧ Q] ] = [ [P] ]∩[ [Q] ] [ [P ∨ Q] ] = [ [P] ]∪[ [Q] ] [ [P → Q] ] = [ [P] ]∁ ∪[ [Q] ] [ [αP] ] = [ [α] ]◦[ [P] ] = {ω : ν ∈ [ [P] ] for some ν : (ω,ν) ∈ [ [α] ]} [ [[α]P] ] = [ [¬α¬P] ] = {ω : ν ∈ [ [P] ] for all ν : (ω,ν) ∈ [ [α] ]} [ [∃x P] ] = {ω : ωr

x ∈ [

[P] ] for some r ∈ R} ωd

x (y) =

• d

if y=x

ω(y)

if y=x

[ [∀x P] ] = {ω : ωr

x ∈ [

[P] ] for all r ∈ R}

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 11 / 16

Differential Dynamic Logic: Syntax & Semantics

[ [P] ]

the set of states in which formula P is true

ω ∈ [ [P] ] formula P is true in state ω, alias ω | = P P

formula P is valid, i.e., true in all states ω, i.e., [

[P] ] = S Definition (dL semantics) ([

[·] ] : Fml →℘(S))

[ [e ≥ ˜

e]

] = {ω : ω[ [e] ] ≥ ω[ [˜

e]

]} [ [¬P] ] = [ [P] ]∁ = S \[ [P] ] [ [P ∧ Q] ] = [ [P] ]∩[ [Q] ] [ [P ∨ Q] ] = [ [P] ]∪[ [Q] ] [ [P → Q] ] = [ [P] ]∁ ∪[ [Q] ] [ [αP] ] = [ [α] ]◦[ [P] ] = {ω : ν ∈ [ [P] ] for some ν : (ω,ν) ∈ [ [α] ]} [ [[α]P] ] = [ [¬α¬P] ] = {ω : ν ∈ [ [P] ] for all ν : (ω,ν) ∈ [ [α] ]} [ [∃x P] ] = {ω : ωr

x ∈ [

[P] ] for some r ∈ R} [ [∀x P] ] = {ω : ωr

x ∈ [

[P] ] for all r ∈ R}

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 11 / 16

Differential Dynamic Logic: Syntax & Semantics

[ [P] ]

the set of states in which formula P is true

ω ∈ [ [P] ] formula P is true in state ω, alias ω | = P P

formula P is valid, i.e., true in all states ω, i.e., [

[P] ] = S ∃d [x := 1;x′=d]x≥0 and [x := x+1;x′=d]x≥0 and x′=dx≥0 Definition (dL semantics) ([

[·] ] : Fml →℘(S))

[ [e ≥ ˜

e]

] = {ω : ω[ [e] ] ≥ ω[ [˜

e]

]} [ [¬P] ] = [ [P] ]∁ = S \[ [P] ] [ [P ∧ Q] ] = [ [P] ]∩[ [Q] ] [ [P ∨ Q] ] = [ [P] ]∪[ [Q] ] [ [P → Q] ] = [ [P] ]∁ ∪[ [Q] ] [ [αP] ] = [ [α] ]◦[ [P] ] = {ω : ν ∈ [ [P] ] for some ν : (ω,ν) ∈ [ [α] ]} [ [[α]P] ] = [ [¬α¬P] ] = {ω : ν ∈ [ [P] ] for all ν : (ω,ν) ∈ [ [α] ]} [ [∃x P] ] = {ω : ωr

x ∈ [

[P] ] for some r ∈ R} [ [∀x P] ] = {ω : ωr

x ∈ [

[P] ] for all r ∈ R}

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 11 / 16

Differential Dynamic Logic: Syntax & Semantics

[ [P] ]

the set of states in which formula P is true

ω ∈ [ [P] ] formula P is true in state ω, alias ω | = P P

formula P is valid, i.e., true in all states ω, i.e., [

[P] ] = S ∃d [x := 1;x′=d]x≥0 and [x := x+1;x′=d]x≥0 and x′=dx≥0 Definition (dL semantics) ([

[·] ] : Fml →℘(S))

[ [e ≥ ˜

e]

] = {ω : ω[ [e] ] ≥ ω[ [˜

e]

]} [ [¬P] ] = [ [P] ]∁ = S \[ [P] ] [ [P ∧ Q] ] = [ [P] ]∩[ [Q] ] [ [P ∨ Q] ] = [ [P] ]∪[ [Q] ] [ [P → Q] ] = [ [P] ]∁ ∪[ [Q] ] [ [αP] ] = [ [α] ]◦[ [P] ] = {ω : ν ∈ [ [P] ] for some ν : (ω,ν) ∈ [ [α] ]} [ [[α]P] ] = [ [¬α¬P] ] = {ω : ν ∈ [ [P] ] for all ν : (ω,ν) ∈ [ [α] ]} [ [∃x P] ] = {ω : ωr

x ∈ [

[P] ] for some r ∈ R} [ [∀x P] ] = {ω : ωr

x ∈ [

[P] ] for all r ∈ R}

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 11 / 16

Notational Conventions: Precedence

Convention (Operator Precedence)

1

Unary operators (e.g., ∗, ¬, ∀x,∃x, [α],α) bind stronger than binary

2

∧ binds stronger than ∨, which binds stronger than →,↔

3

; binds stronger than ∪

4

Arithmetic operators +,−,· associate to the left

5

Logical and program operators associate to the right

Example (Operator Precedence) [α]P∧Q ≡ ([α]P)∧Q ∀x P∧Q ≡ (∀x P)∧Q ∀x P→Q ≡ (∀x P)→Q α;β ∪γ ≡ (α;β)∪γ α ∪β;γ ≡ α ∪(β;γ) α;β ∗ ≡ α;(β ∗)

P → Q → R ≡ P → (Q → R). But →,↔ expect explicit parentheses. Illegal: P → Q ↔ R P ↔ Q → R

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 12 / 16

Outline

1

Learning Objectives

2

Quantum the Acrophobic Bouncing Ball

3

Contracts for CPS Safety of Robots Safety of Bouncing Balls

4

Logical Formulas for Hybrid Programs

5

Differential Dynamic Logic Syntax Semantics Notational Convention

6

Identifying Requirements of a CPS

7

Summary

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 12 / 16

Quantum the Acrophobic Bouncing Ball

Example ( Bouncing Ball)

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 13 / 16

Quantum the Acrophobic Bouncing Ball

Example ( Bouncing Ball)

H=x≥0

→

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗

0≤x≤H

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 13 / 16

Quantum the Acrophobic Bouncing Ball

Not if g < 0 in anti-gravity

Example ( Bouncing Ball)

H=x≥0

→

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗

0≤x≤H

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 13 / 16

Quantum the Acrophobic Bouncing Ball

Example ( Bouncing Ball)

H=x≥0∧ g>0 →

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗

0≤x≤H

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 13 / 16

Quantum the Acrophobic Bouncing Ball

Not if c > 1 for anti-damping

Example ( Bouncing Ball)

H=x≥0∧ g>0 →

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗

0≤x≤H

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 13 / 16

Quantum the Acrophobic Bouncing Ball

Example ( Bouncing Ball)

1≥c≥0∧ H=x≥0∧ g>0 →

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗

0≤x≤H

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 13 / 16

Quantum the Acrophobic Bouncing Ball

Not if v > 0 initial climbing

Example ( Bouncing Ball)

1≥c≥0∧ H=x≥0∧ g>0 →

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗

0≤x≤H

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 13 / 16

Quantum the Acrophobic Bouncing Ball

Example ( Bouncing Ball)

v≤0∧ 1≥c≥0∧ H=x≥0∧ g>0 →

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗

0≤x≤H

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 13 / 16

Quantum the Acrophobic Bouncing Ball

Not if v ≪ 0 initial dribbling

Example ( Bouncing Ball)

v≤0∧ 1≥c≥0∧ H=x≥0∧ g>0 →

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗

0≤x≤H

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 13 / 16

Quantum the Acrophobic Bouncing Ball

Example ( Bouncing Ball)

v=0∧ 1≥c≥0∧ H=x≥0∧ g>0 →

• {x′ = v,v′ = −g &x ≥ 0};

if(x = 0)v :=−cv

∗

0≤x≤H

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 13 / 16

Ex: Runaround Robot

(x,y) (v,w) ω

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 14 / 16

Ex: Runaround Robot

(x,y) (v,w) ω

Example (Runaround Robot)

• (ω :=−1∪ω := 1∪ω := 0);

{x′ = v,y′ = w,v′ = ωw,w′ = −ωv} ∗

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 14 / 16

Ex: Runaround Robot

(x,y) (v,w) ω

Example (Runaround Robot) (x,y) = o →

• (ω :=−1∪ω := 1∪ω := 0);

{x′ = v,y′ = w,v′ = ωw,w′ = −ωv} ∗ (x,y) = o

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 14 / 16

Ex: Runaround Robot

(x,y) (v,w) ω

Example (Runaround Robot) (x,y) = o →

• (?Q−1;ω :=−1∪?Q1;ω := 1∪?Q0;ω := 0);

{x′ = v,y′ = w,v′ = ωw,w′ = −ωv} ∗ (x,y) = o

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 14 / 16

Outline

1

Learning Objectives

2

Quantum the Acrophobic Bouncing Ball

3

Contracts for CPS Safety of Robots Safety of Bouncing Balls

4

Logical Formulas for Hybrid Programs

5

Differential Dynamic Logic Syntax Semantics Notational Convention

6

Identifying Requirements of a CPS

7

Summary

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 14 / 16

Differential Dynamic Logic dL: Syntax

Definition (Hybrid program α) α,β ::= x := f(x) | ?Q | x′ = f(x)&Q | α ∪β | α;β | α∗ Definition (dL Formula P)

P,Q ::= e ≥ ˜ e | ¬P | P ∧ Q | ∀x P | ∃x P | [α]P | αP

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 15 / 16

Differential Dynamic Logic dL: Syntax

Definition (Hybrid program α) α,β ::= x := f(x) | ?Q | x′ = f(x)&Q | α ∪β | α;β | α∗ Definition (dL Formula P)

P,Q ::= e ≥ ˜ e | ¬P | P ∧ Q | ∀x P | ∃x P | [α]P | αP Discrete Assign Test Condition Differential Equation Nondet. Choice Seq. Compose Nondet. Repeat All Reals Some Reals All Runs Some Runs

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 15 / 16

Differential Dynamic Logic dL: Semantics

Definition (Hybrid program semantics) ([

[·] ] : HP →℘(S ×S))

[ [x := f(x)] ] = {(ω,ν) : ν = ω except ν[ [x] ] = ω[ [f(x)] ]} [ [?Q] ] = {(ω,ω) : ω ∈ [ [Q] ]} [ [x′ = f(x)] ] = {(ϕ(0),ϕ(r)) : ϕ | = x′ = f(x) for some duration r} [ [α ∪β] ] = [ [α] ]∪[ [β] ] [ [α;β] ] = [ [α] ]◦[ [β] ] [ [α∗] ] = [ [α] ]∗ =

• n∈N

[ [αn] ] Definition (dL semantics) ([

[·] ] : Fml →℘(S))

[ [e ≥ ˜

e]

] = {ω : ω[ [e] ] ≥ ω[ [˜

e]

]} [ [¬P] ] = [ [P] ]∁ [ [P ∧ Q] ] = [ [P] ]∩[ [Q] ] [ [αP] ] = [ [α] ]◦[ [P] ] = {ω : ν ∈ [ [P] ] for some ν : (ω,ν) ∈ [ [α] ]} [ [[α]P] ] = [ [¬α¬P] ] = {ω : ν ∈ [ [P] ] for all ν : (ω,ν) ∈ [ [α] ]} [ [∃x P] ] = {ω : ωr

x ∈ [

[P] ] for some r ∈ R}

compositional semantics

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 16 / 16

André Platzer. Logical Foundations of Cyber-Physical Systems. Springer, Switzerland, 2018. URL: http://www.springer.com/978-3-319-63587-3,

doi:10.1007/978-3-319-63588-0.

André Platzer. Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics. Springer, Heidelberg, 2010.

doi:10.1007/978-3-642-14509-4.

André Platzer. Logics of dynamical systems. In LICS, pages 13–24, Los Alamitos, 2012. IEEE.

doi:10.1109/LICS.2012.13.

André Platzer. Differential dynamic logic for hybrid systems.

• J. Autom. Reas., 41(2):143–189, 2008.

doi:10.1007/s10817-008-9103-8.

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 16 / 16

André Platzer. A complete uniform substitution calculus for differential dynamic logic.

• J. Autom. Reas., 59(2):219–265, 2017.

doi:10.1007/s10817-016-9385-1.

André Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 16 / 16