Quantified Differential Invariants Andr e Platzer Carnegie Mellon - PowerPoint PPT Presentation

Model for Distributed Hybrid Systems Q: How to model distributed hybrid systems Model (Distributed Hybrid Systems) Continuous dynamics (differential equations) ∀ i x ( i ) ′ = d ( i ) , d ( i ) ′ = f ( ω ( i ) , d ( i )) x ( j ) Discrete dynamics (control decisions) c ∀ i ω ( i ) := if .. then 0 else 2 Structural dynamics x ( i ) (communication/coupling) c ( i ) := negotiate(i,j) Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 6 / 21

Model for Distributed Hybrid Systems Q: How to model distributed hybrid systems A: Quantified Hybrid Programs Model (Distributed Hybrid Systems) Continuous dynamics x ( n ) (differential equations) ∀ i x ( i ) ′ = d ( i ) , d ( i ) ′ = f ( ω ( i ) , d ( i )) x ( j ) Discrete dynamics (control decisions) c ∀ i ω ( i ) := if .. then 0 else 2 Structural dynamics x ( i ) (communication/coupling) c ( i ) := negotiate(i,j) Dimensional dynamics (appearance) Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 6 / 21

Model for Distributed Hybrid Systems Q: How to model distributed hybrid systems A: Quantified Hybrid Programs Model (Distributed Hybrid Systems) Continuous dynamics x ( n ) (differential equations) ∀ i x ( i ) ′ = d ( i ) , d ( i ) ′ = f ( ω ( i ) , d ( i )) x ( j ) Discrete dynamics (control decisions) c ∀ i ω ( i ) := if .. then 0 else 2 Structural dynamics x ( i ) (communication/coupling) c ( i ) := negotiate(i,j) Dimensional dynamics (appearance) n := new Aircraft Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 6 / 21

Quantified Differential Dynamic Logic Qd L : Syntax Definition (Quantified hybrid program α ) ∀ i : C x ( i ) ′ = θ (quantified ODE) � ∀ i : C x ( i ) := θ (quantified assignment) jump & test ? χ (conditional execution) α ; β (seq. composition) � α ∪ β (nondet. choice) Kleene algebra α ∗ (nondet. repetition) Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 7 / 21

Quantified Differential Dynamic Logic Qd L : Syntax Definition (Quantified hybrid program α ) ∀ i : C x ( i ) ′ = θ (quantified ODE) � ∀ i : C x ( i ) := θ (quantified assignment) jump & test ? χ (conditional execution) α ; β (seq. composition) � α ∪ β (nondet. choice) Kleene algebra α ∗ (nondet. repetition) DATC ≡ ( ctrl ; fly ) ∗ x ( n ) ctrl ≡ ∀ i : A ω ( i ) := if ∀ j : A far ( i , j ) then 0 else 2 x ( j ) fly ≡ ∀ i : A x ( i ) ′′ = d ( i ) , d ( i ) ′ = f ( ω ( i ) , d ( i )) c x ( i ) Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 7 / 21

Quantified Differential Dynamic Logic Qd L : Syntax Definition (Quantified hybrid program α ) ∀ i : C x ( i ) ′ = θ (quantified ODE) � ∀ i : C x ( i ) := θ (quantified assignment) jump & test ? χ (conditional execution) α ; β (seq. composition) � α ∪ β (nondet. choice) Kleene algebra α ∗ (nondet. repetition) DATC ≡ ( appear ; ctrl ; fly ) ∗ appear ≡ n := new A ; ?( ∀ j : A far ( j , n )) x ( n ) ctrl ≡ ∀ i : A ω ( i ) := if ∀ j : A far ( i , j ) then 0 else 2 x ( j ) fly ≡ ∀ i : A x ( i ) ′′ = d ( i ) , d ( i ) ′ = f ( ω ( i ) , d ( i )) c x ( i ) Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 7 / 21

Quantified Differential Dynamic Logic Qd L : Syntax Definition (Quantified hybrid program α ) ∀ i : C x ( i ) ′ = θ (quantified ODE) � ∀ i : C x ( i ) := θ (quantified assignment) jump & test ? χ (conditional execution) α ; β (seq. composition) � α ∪ β (nondet. choice) Kleene algebra α ∗ (nondet. repetition) DATC ≡ ( appear ; ctrl ; fly ) ∗ appear ≡ n := new A ; ?( ∀ j : A far ( j , n )) x ( n ) ctrl ≡ ∀ i : A ω ( i ) := if ∀ j : A far ( i , j ) then 0 else 2 x ( j ) fly ≡ ∀ i : A x ( i ) ′′ = d ( i ) , d ( i ) ′ = f ( ω ( i ) , d ( i )) c new A is definable! x ( i ) Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 7 / 21

Quantified Differential Dynamic Logic Qd L : Syntax Definition (Quantified hybrid program α ) ∀ i : C x ( i ) ′ = θ (quantified ODE) � ∀ i : C x ( i ) := θ (quantified assignment) jump & test ? χ (conditional execution) α ; β (seq. composition) � α ∪ β (nondet. choice) Kleene algebra α ∗ (nondet. repetition) DATC ≡ ( appear ; ctrl ; fly ) ∗ appear ≡ n := new A ; ?( ∀ j : A far ( j , n )) x ( n ) ctrl ≡ ∀ i : A ω ( i ) := if ∀ j : A far ( i , j ) then 0 else 2 x ( j ) fly ≡ ∀ i : A x ( i ) ′′ = d ( i ) , d ( i ) ′ = f ( ω ( i ) , d ( i )) c x ( i ) Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 7 / 21

Quantified Differential Dynamic Logic Qd L : Syntax Definition (Qd L Formula φ ) ¬ , ∧ , ∨ , → , ∀ x , ∃ x , = , ≤ , + , · ( R -first-order part) [ α ] φ, � α � φ (dynamic part) ∀ i , j : A far ( i , j ) → [( appear ; ctrl ; fly ) ∗ ] ∀ i , j : A ( i = j ∨ ( x 1 ( i ) − x 1 ( j )) 2 + ( x 2 ( i ) − x 2 ( j )) 2 ≥ p 2 ) x ( n ) x ( j ) c x ( i ) Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 7 / 21

Quantified Differential Dynamic Logic Qd L : Semantics Definition (Quantified hybrid program α : transition semantics ) ∀ i : C x ( i ) := θ v w Details x if w ( x )( v e ]) = v e i [ [ i ] i [ [ θ ] ] (for all e ) w and otherwise unchanged v t 0 Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 8 / 21

Quantified Differential Dynamic Logic Qd L : Semantics Definition (Quantified hybrid program α : transition semantics ) ∀ i : C x ( i ) ′ = θ v w Details x ϕ ( t ) d ϕ ( t ) e w i [ [ x ( i )] ] ( ζ ) = ϕ ( ζ ) e i [ [ θ ] ] (for all e ) d t v t ∀ i x ( i ) ′ = θ Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 8 / 21

Quantified Differential Dynamic Logic Qd L : Semantics Definition (Quantified hybrid program α : transition semantics ) α ; β v s w α β Details Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 8 / 21

Quantified Differential Dynamic Logic Qd L : Semantics Definition (Quantified hybrid program α : transition semantics ) α ; β v s w α β Details x s w v t Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 8 / 21

Quantified Differential Dynamic Logic Qd L : Semantics Definition (Quantified hybrid program α : transition semantics ) α ; β v s w α β Details x s v w t Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 8 / 21

Quantified Differential Dynamic Logic Qd L : Semantics Definition (Quantified hybrid program α : transition semantics ) α ∗ v s 1 s 2 s n w α α α Details Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 8 / 21

Quantified Differential Dynamic Logic Qd L : Semantics Definition (Quantified hybrid program α : transition semantics ) α ∗ v s 1 s 2 s n w α α α Details x v w t Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 8 / 21

Quantified Differential Dynamic Logic Qd L : Semantics Definition (Quantified hybrid program α : transition semantics ) w 1 α v α ∪ β β w 2 Details Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 8 / 21

Quantified Differential Dynamic Logic Qd L : Semantics Definition (Quantified hybrid program α : transition semantics ) w 1 α v α ∪ β β w 2 Details x v w 1 w 2 t Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 8 / 21

Quantified Differential Dynamic Logic Qd L : Semantics Definition (Quantified hybrid program α : transition semantics ) ? χ if v | = χ v Details x no change if v | = χ v otherwise no transition t 0 Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 8 / 21

Quantified Differential Dynamic Logic Qd L : Semantics Definition (Quantified hybrid program α : transition semantics ) if v �| = χ v Details x no change if v | = χ v otherwise no transition t 0 Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 8 / 21

Quantified Differential Dynamic Logic Qd L : Semantics Definition (Qd L Formula φ ) φ v φ [ α ] φ φ Details Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 9 / 21

Quantified Differential Dynamic Logic Qd L : Semantics Definition (Qd L Formula φ ) v φ � α � φ Details Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 9 / 21

Quantified Differential Dynamic Logic Qd L : Semantics Definition (Qd L Formula φ ) [ α ] φ α -span v Details Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 9 / 21

Quantified Differential Dynamic Logic Qd L : Semantics Definition (Qd L Formula φ ) [ α ] φ α -span v � β � φ β -span Details Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 9 / 21

Quantified Differential Dynamic Logic Qd L : Semantics Definition (Qd L Formula φ ) � β � [ α ]-span [ α ] φ α -span v � β � φ β -span Details Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 9 / 21

Quantified Differential Dynamic Logic Qd L : Semantics Definition (Qd L Formula φ ) � β � [ α ]-span [ α ] φ α -span v � β � φ β -span Details compositional semantics ⇒ compositional calculus! Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 9 / 21

Outline (Verification Approach) Motivation 1 Quantified Differential Dynamic Logic Qd L 2 Design Syntax Semantics Proof Calculus for Distributed Hybrid Systems 3 Compositional Verification Calculus Air Traffic Control Derivations and Differentiation Soundness and Completeness Conclusions 4 Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 9 / 21

Proof Calculus for Quantified Differential Dynamic Logic ∀ i ( i = u → φ ( θ )) φ ([ ∀ i x ( i ) := θ ] x ( u )) φ ∀ i x ( i ) := θ v w Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 10 / 21

Proof Calculus for Quantified Differential Dynamic Logic ∀ i ( i = [ ∀ i x ( i ) := θ ] u → φ ( θ )) φ ([ ∀ i x ( i ) := θ ] x ( u )) φ ∀ i x ( i ) := θ v w Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 10 / 21

Proof Calculus for Quantified Differential Dynamic Logic ∀ i ( i = [ ∀ i x ( i ) := θ ] u → φ ( θ )) φ ([ ∀ i x ( i ) := θ ] x ( u )) φ ∀ i x ( i ) := θ v w ∀ i x ( i ) ′ = θ v w ∃ t ≥ 0 �∀ i S ( t ) � φ �∀ i x ( i ) ′ = θ � φ φ Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 10 / 21

Proof Calculus for Quantified Differential Dynamic Logic ∀ i ( i = [ ∀ i x ( i ) := θ ] u → φ ( θ )) φ ([ ∀ i x ( i ) := θ ] x ( u )) φ ∀ i x ( i ) := θ v w ∀ i x ( i ) ′ = θ v w ∃ t ≥ 0 �∀ i S ( t ) � φ �∀ i x ( i ) ′ = θ � φ φ ∀ i S ( t ) Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 10 / 21

Proof Calculus for Quantified Differential Dynamic Logic ∀ i ( i = [ ∀ i x ( i ) := θ ] u → φ ( θ )) φ ([ ∀ i x ( i ) := θ ] x ( u )) φ ∀ i x ( i ) := θ v w ∀ i x ( i ) ′ = θ v w ∃ t ≥ 0 �∀ i S ( t ) � φ �∀ i x ( i ) ′ = θ � φ φ ∀ i S ( t ) solve infinite-dimensional diff. eqn.? Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 10 / 21

Proof Calculus for Quantified Differential Dynamic Logic compositional semantics ⇒ compositional rules! Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 11 / 21

Proof Calculus for Quantified Differential Dynamic Logic w 1 φ α [ α ] φ ∧ [ β ] φ v α ∪ β [ α ∪ β ] φ β w 2 φ Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 11 / 21

Proof Calculus for Quantified Differential Dynamic Logic w 1 φ α [ α ] φ ∧ [ β ] φ v α ∪ β [ α ∪ β ] φ β w 2 φ α ; β [ α ][ β ] φ v s w [ α ; β ] φ α β [ α ][ β ] φ [ β ] φ φ Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 11 / 21

Proof Calculus for Quantified Differential Dynamic Logic w 1 φ α [ α ] φ ∧ [ β ] φ v α ∪ β [ α ∪ β ] φ β w 2 φ α ; β [ α ][ β ] φ v s w [ α ; β ] φ α β [ α ][ β ] φ [ β ] φ φ α ∗ φ ( φ → [ α ] φ ) φ φ φ → [ α ] φ [ α ∗ ] φ v w α α α Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 11 / 21

Air Traffic Control Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 12 / 21

Air Traffic Control Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 12 / 21

Air Traffic Control Verification? looks correct Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 12 / 21

Air Traffic Control Verification? looks correct NO! Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 12 / 21

Air Traffic Control ς y 2 ̺ ω e x 2 d x 1 y 1  x ′  1 = − v 1 + v 2 cos ϑ + ω x 2 x ′ 2 = v 2 sin ϑ − ω x 1     ϑ ′ = ̟ − ω Verification? looks correct NO! Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 12 / 21

Air Traffic Control ς y 2 ̺ ω e x 2 d x 1 y 1  x ′  1 = − v 1 + v 2 cos ϑ + ω x 2 x ′ 2 = v 2 sin ϑ − ω x 1     ϑ ′ = ̟ − ω Example (“Solving” differential equations) 1 � x 1 ( t ) = x 1 ω̟ cos t ω − v 2 ω cos t ω sin ϑ + v 2 ω cos t ω cos t ̟ sin ϑ − v 1 ̟ sin t ω ω̟ 1 − sin ϑ 2 sin t ω � + x 2 ω̟ sin t ω − v 2 ω cos ϑ cos t ̟ sin t ω − v 2 ω � + v 2 ω cos ϑ cos t ω sin t ̟ + v 2 ω sin ϑ sin t ω sin t ̟ . . . Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 12 / 21

Air Traffic Control ς y 2 ̺ ω e x 2 d x 1 y 1  x ′  1 = − v 1 + v 2 cos ϑ + ω x 2 x ′ 2 = v 2 sin ϑ − ω x 1     ϑ ′ = ̟ − ω Example (“Solving” differential equations) 1 � ∀ t ≥ 0 x 1 ω̟ cos t ω − v 2 ω cos t ω sin ϑ + v 2 ω cos t ω cos t ̟ sin ϑ − v 1 ̟ sin t ω ω̟ 1 − sin ϑ 2 sin t ω � + x 2 ω̟ sin t ω − v 2 ω cos ϑ cos t ̟ sin t ω − v 2 ω � + v 2 ω cos ϑ cos t ω sin t ̟ + v 2 ω sin ϑ sin t ω sin t ̟ . . . Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 12 / 21

Differential Invariants for Differential Equations Idea (Differential Invariant) Formula that remains true in the direction of the dynamics Andr´ e Platzer. Differential-algebraic dynamic logic for differential-algebraic programs. J. Log. Comput. , 35(1): 309–352, 2010. Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 13 / 21

Differential Invariants for Differential Equations Idea (Differential Invariant) Formula that remains true in the direction of the dynamics Andr´ e Platzer. Differential-algebraic dynamic logic for differential-algebraic programs. J. Log. Comput. , 35(1): 309–352, 2010. Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 13 / 21

Differential Invariants for Differential Equations Idea (Differential Invariant) Formula that remains true in the direction of the dynamics Andr´ e Platzer. Differential-algebraic dynamic logic for differential-algebraic programs. J. Log. Comput. , 35(1): 309–352, 2010. Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 13 / 21

Differential Invariants for Differential Equations Idea (Differential Invariant) Formula that remains true in the direction of the dynamics R 2 but R ∞ ?? Andr´ e Platzer. Differential-algebraic dynamic logic for differential-algebraic programs. J. Log. Comput. , 35(1): 309–352, 2010. Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 13 / 21

Differential Induction: Local Dynamics w/o Solutions Definition (Differential Invariant) F closed under total differentiation with respect to differential constraints ¬ F F Details ( χ → F ′ ) χ → F → [ x ′ = θ ∧ χ ] F Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 14 / 21

Differential Induction: Local Dynamics w/o Solutions Definition (Differential Invariant) F closed under total differentiation with respect to differential constraints ¬ F F Details ( χ → F ′ ) χ → F → [ x ′ = θ ∧ χ ] F Total differential F ′ of formulas ? Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 14 / 21

Quantified Differential Invariants Definition (Quantified Differential Invariant) Quantified formula F closed under total differentiation with respect to quantified differential constraints Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 15 / 21

Derivations and Differentiation Definition (Syntactic total derivation D ) D ( r ) = 0 if r a number symbol D ( x ( i )) = x ( i ) ′ if x : C → R , C � = R D ( a + b ) = D ( a ) + D ( b ) D ( a · b ) = D ( a ) · b + a · D ( b ) D ( a / b ) = ( D ( a ) · b − a · D ( b )) / b 2 Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 16 / 21

Derivations and Differentiation Definition (Syntactic total derivation D ) D ( r ) = 0 if r a number symbol D ( x ( i )) = x ( i ) ′ if x : C → R , C � = R D ( a + b ) = D ( a ) + D ( b ) D ( a · b ) = D ( a ) · b + a · D ( b ) D ( a / b ) = ( D ( a ) · b − a · D ( b )) / b 2 D ( a ≥ b ) ≡ D ( a ) ≥ D ( b ) accordingly for >, = D ( F ∧ G ) ≡ D ( F ) ∧ D ( G ) D ( ∀ i F ) ≡ ∀ i D ( F ) Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 16 / 21

Derivations and Differentiation Definition (Syntactic total derivation D ) D ( r ) = 0 if r a number symbol D ( x ( i )) = x ( i ) ′ if x : C → R , C � = R D ( a + b ) = D ( a ) + D ( b ) D ( a · b ) = D ( a ) · b + a · D ( b ) D ( a / b ) = ( D ( a ) · b − a · D ( b )) / b 2 D ( a ≥ b ) ≡ D ( a ) ≥ D ( b ) accordingly for >, = D ( F ∧ G ) ≡ D ( F ) ∧ D ( G ) D ( ∀ i F ) ≡ ∀ i D ( F ) i = j ∨ ( x 1 ( i ) − x 1 ( j )) 2 + ( x 2 ( i ) − x 2 ( j )) 2 ≥ p 2 � � P ≡ ∀ i , j : A i ′ = j ′ ∧ 2( x 1 ( i ) − x 1 ( j ))( x 1 ( i ) ′ − x 1 ( j ) ′ ) � ⇒ D ( P ) ≡ ∀ i , j : A + 2( x 2 ( i ) − x 2 ( j ))( x 2 ( i ) ′ − x 2 ( j ) ′ ) ≥ 0 � Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 16 / 21

Derivations and Differentiation Definition (Syntactic total derivation D ) D ( r ) = 0 if r a number symbol D ( x ( i )) = x ( i ) ′ if x : C → R , C � = R D ( a + b ) = D ( a ) + D ( b ) D ( a · b ) = D ( a ) · b + a · D ( b ) D ( a / b ) = ( D ( a ) · b − a · D ( b )) / b 2 D ( a ≥ b ) ≡ D ( a ) ≥ D ( b ) accordingly for >, = D ( F ∧ G ) ≡ D ( F ) ∧ D ( G ) D ( ∀ i F ) ≡ ∀ i D ( F ) i = j ∨ ( x 1 ( i ) − x 1 ( j )) 2 + ( x 2 ( i ) − x 2 ( j )) 2 ≥ p 2 � � P ≡ ∀ i , j : A i ′ = j ′ ∧ 2( x 1 ( i ) − x 1 ( j ))( x 1 ( i ) ′ − x 1 ( j ) ′ ) � ⇒ D ( P ) ≡ ∀ i , j : A + 2( x 2 ( i ) − x 2 ( j ))( x 2 ( i ) ′ − x 2 ( j ) ′ ) ≥ 0 � Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 16 / 21

Derivations and Differentiation Syntactic derivation D ( · ) coincides with analytic differentiation: Lemma (Derivation lemma) Valuation is a differential homomorphism: for all flows ϕ all ζ ∈ [0 , r ] d ϕ ( t )[ [ θ ] ] ( ζ ) = ¯ ϕ ( ζ )[ [ D ( θ )] ] d t Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 17 / 21

Derivations and Differentiation Syntactic derivation D ( · ) coincides with analytic differentiation: Lemma (Derivation lemma) Valuation is a differential homomorphism: for all flows ϕ all ζ ∈ [0 , r ] d ϕ ( t )[ [ θ ] ] ( ζ ) = ¯ ϕ ( ζ )[ [ D ( θ )] ] d t Locally understand QDE as quantified assignments: Lemma (Quantified differential substitution principle) = ∀ i : C f ( i ) ′ = θ ∧ χ , then ϕ | = υ = [ ∀ i : C f ( i ) ′ := θ ] υ for all υ . If ϕ | Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 17 / 21

Derivations and Differentiation Syntactic derivation D ( · ) coincides with analytic differentiation: Lemma (Derivation lemma) Valuation is a differential homomorphism: for all flows ϕ all ζ ∈ [0 , r ] d ϕ ( t )[ [ θ ] ] ( ζ ) = ¯ ϕ ( ζ )[ [ D ( θ )] ] d t Locally understand QDE as quantified assignments: Lemma (Quantified differential substitution principle) = ∀ i : C f ( i ) ′ = θ ∧ χ , then ϕ | = υ = [ ∀ i : C f ( i ) ′ := θ ] υ for all υ . If ϕ | Theorem (Quantified Differential Invariant) χ → [ ∀ i : C f ( i ) ′ := θ ] D ( F ) ( QDI ) is sound F → [ ∀ i : C f ( i ) ′ = θ ∧ χ ] F Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 17 / 21

A Simple Proof with Quantified Differential Invariants ∀ i : C 2 x ( i ) 3 ≥ 1 → [ ∀ i : C x ( i ) ′ = x ( i ) 2 + x ( i ) 4 + 2] ∀ i : C 2 x ( i ) 3 ≥ 1 Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 18 / 21

A Simple Proof with Quantified Differential Invariants [ ∀ i : C x ( i ) ′ := x ( i ) 2 + x ( i ) 4 + 2] ∀ i : C 2( x ( i ) 3 ) ′ ≥ 0 ∀ i : C 2 x ( i ) 3 ≥ 1 → [ ∀ i : C x ( i ) ′ = x ( i ) 2 + x ( i ) 4 + 2] ∀ i : C 2 x ( i ) 3 ≥ 1 Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 18 / 21

A Simple Proof with Quantified Differential Invariants [ ∀ i : C x ( i ) ′ := x ( i ) 2 + x ( i ) 4 + 2] ∀ i : C 6 x ( i ) 2 x ( i ) ′ ≥ 0 [ ∀ i : C x ( i ) ′ := x ( i ) 2 + x ( i ) 4 + 2] ∀ i : C 2( x ( i ) 3 ) ′ ≥ 0 ∀ i : C 2 x ( i ) 3 ≥ 1 → [ ∀ i : C x ( i ) ′ = x ( i ) 2 + x ( i ) 4 + 2] ∀ i : C 2 x ( i ) 3 ≥ 1 Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 18 / 21

A Simple Proof with Quantified Differential Invariants ∀ i : C 6 x ( i ) 2 ( x ( i ) 2 + x ( i ) 4 + 2) ≥ 0 [ ∀ i : C x ( i ) ′ := x ( i ) 2 + x ( i ) 4 + 2] ∀ i : C 6 x ( i ) 2 x ( i ) ′ ≥ 0 [ ∀ i : C x ( i ) ′ := x ( i ) 2 + x ( i ) 4 + 2] ∀ i : C 2( x ( i ) 3 ) ′ ≥ 0 ∀ i : C 2 x ( i ) 3 ≥ 1 → [ ∀ i : C x ( i ) ′ = x ( i ) 2 + x ( i ) 4 + 2] ∀ i : C 2 x ( i ) 3 ≥ 1 Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 18 / 21

A Simple Proof with Quantified Differential Invariants true ∀ i : C 6 x ( i ) 2 ( x ( i ) 2 + x ( i ) 4 + 2) ≥ 0 [ ∀ i : C x ( i ) ′ := x ( i ) 2 + x ( i ) 4 + 2] ∀ i : C 6 x ( i ) 2 x ( i ) ′ ≥ 0 [ ∀ i : C x ( i ) ′ := x ( i ) 2 + x ( i ) 4 + 2] ∀ i : C 2( x ( i ) 3 ) ′ ≥ 0 ∀ i : C 2 x ( i ) 3 ≥ 1 → [ ∀ i : C x ( i ) ′ = x ( i ) 2 + x ( i ) 4 + 2] ∀ i : C 2 x ( i ) 3 ≥ 1 Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 18 / 21

Differential Induction for Aircraft Roundabouts [ ∀ ix 1 ( i ) ′ = d 1 ( i ) , d 1 ( i ) ′ = − ω d 2 ( i ) , x 2 ( i ) ′ = d 2 ( i ) , d 2 ( i ) ′ = ω d 1 ( i )]( x 1 ( i ) − x 1 ( j )) 2 + ( x 2 ( i ) y c x Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 19 / 21

Differential Induction for Aircraft Roundabouts i ′ = j ′ ∧ 2( x 1 ( i ) − x 1 ( j ))( x 1 ( i ) ′ − x 1 ( j ) ′ ) + 2( x 2 ( i ) − x 2 ( j ))( x 2 ( i ) ′ − x 2 ( j ) ′ ) ≥ 0 [ ∀ ix 1 ( i ) ′ = d 1 ( i ) , d 1 ( i ) ′ = − ω d 2 ( i ) , x 2 ( i ) ′ = d 2 ( i ) , d 2 ( i ) ′ = ω d 1 ( i )]( x 1 ( i ) − x 1 ( j )) 2 + ( x 2 ( i ) y c x Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 19 / 21

Differential Induction for Aircraft Roundabouts i ′ = j ′ ∧ 2( x 1 ( i ) − x 1 ( j ))( x 1 ( i ) ′ − x 1 ( j ) ′ ) + 2( x 2 ( i ) − x 2 ( j ))( x 2 ( i ) ′ − x 2 ( j ) ′ ) ≥ 0 [ ∀ ix 1 ( i ) ′ = d 1 ( i ) , d 1 ( i ) ′ = − ω d 2 ( i ) , x 2 ( i ) ′ = d 2 ( i ) , d 2 ( i ) ′ = ω d 1 ( i )]( x 1 ( i ) − x 1 ( j )) 2 + ( x 2 ( i ) y c x Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 19 / 21

Differential Induction for Aircraft Roundabouts 0 = 0 ∧ 2( x 1 ( i ) − x 1 ( j ))( d 1 ( i ) − d 1 ( j )) + 2( x 2 ( i ) − x 2 ( j ))( d 2 ( i ) − d 2 ( j )) ≥ 0 [ ∀ ix 1 ( i ) ′ = d 1 ( i ) , d 1 ( i ) ′ = − ω d 2 ( i ) , x 2 ( i ) ′ = d 2 ( i ) , d 2 ( i ) ′ = ω d 1 ( i )]( x 1 ( i ) − x 1 ( j )) 2 + ( x 2 ( i ) y c x Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 19 / 21

Differential Induction for Aircraft Roundabouts 2( x 1 ( i ) − x 1 ( j ))( d 1 ( i ) − d 1 ( j )) + 2( x 2 ( i ) − x 2 ( j ))( d 2 ( i ) − d 2 ( j )) ≥ 0 0 = 0 ∧ 2( x 1 ( i ) − x 1 ( j ))( d 1 ( i ) − d 1 ( j )) + 2( x 2 ( i ) − x 2 ( j ))( d 2 ( i ) − d 2 ( j )) ≥ 0 [ ∀ ix 1 ( i ) ′ = d 1 ( i ) , d 1 ( i ) ′ = − ω d 2 ( i ) , x 2 ( i ) ′ = d 2 ( i ) , d 2 ( i ) ′ = ω d 1 ( i )]( x 1 ( i ) − x 1 ( j )) 2 + ( x 2 ( i ) y c x Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 19 / 21

Differential Induction for Aircraft Roundabouts 2( x 1 ( i ) − x 1 ( j ))( d 1 ( i ) − d 1 ( j )) + 2( x 2 ( i ) − x 2 ( j ))( d 2 ( i ) − d 2 ( j )) ≥ 0 0 = 0 ∧ 2( x 1 ( i ) − x 1 ( j ))( d 1 ( i ) − d 1 ( j )) + 2( x 2 ( i ) − x 2 ( j ))( d 2 ( i ) − d 2 ( j )) ≥ 0 [ ∀ ix 1 ( i ) ′ = d 1 ( i ) , d 1 ( i ) ′ = − ω d 2 ( i ) , x 2 ( i ) ′ = d 2 ( i ) , d 2 ( i ) ′ = ω d 1 ( i )]( x 1 ( i ) − x 1 ( j )) 2 + ( x 2 ( i ) y e y − c x e x d − e d Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 19 / 21

Differential Induction for Aircraft Roundabouts 2( x 1 ( i ) − x 1 ( j ))( d 1 ( i ) − d 1 ( j )) + 2( x 2 ( i ) − x 2 ( j ))( d 2 ( i ) − d 2 ( j )) ≥ 0 0 = 0 ∧ 2( x 1 ( i ) − x 1 ( j ))( d 1 ( i ) − d 1 ( j )) + 2( x 2 ( i ) − x 2 ( j ))( d 2 ( i ) − d 2 ( j )) ≥ 0 [ ∀ ix 1 ( i ) ′ = d 1 ( i ) , d 1 ( i ) ′ = − ω d 2 ( i ) , x 2 ( i ) ′ = d 2 ( i ) , d 2 ( i ) ′ = ω d 1 ( i )]( x 1 ( i ) − x 1 ( j )) 2 + ( x 2 ( i ) y e y − c x e x d − e d [ ∀ ix 1 ( i ) ′ = d 1 ( i ) , d 1 ( i ) ′ = − ω d 2 ( i ) , x 2 ( i ) ′ = d 2 ( i ) , d 2 ( i ) ′ = ω d 1 ( i )] d 1 ( i ) − d 1 ( j ) = − ω ( x 2 ( i Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 19 / 21

Differential Induction for Aircraft Roundabouts 2( x 1 ( i ) − x 1 ( j ))( − ω ( x 2 ( i ) − x 2 ( j ))) + 2( x 2 ( i ) − x 2 ( j )) ω ( x 1 ( i ) − x 1 ( j )) ≥ 0 2( x 1 ( i ) − x 1 ( j ))( d 1 ( i ) − d 1 ( j )) + 2( x 2 ( i ) − x 2 ( j ))( d 2 ( i ) − d 2 ( j )) ≥ 0 0 = 0 ∧ 2( x 1 ( i ) − x 1 ( j ))( d 1 ( i ) − d 1 ( j )) + 2( x 2 ( i ) − x 2 ( j ))( d 2 ( i ) − d 2 ( j )) ≥ 0 [ ∀ ix 1 ( i ) ′ = d 1 ( i ) , d 1 ( i ) ′ = − ω d 2 ( i ) , x 2 ( i ) ′ = d 2 ( i ) , d 2 ( i ) ′ = ω d 1 ( i )]( x 1 ( i ) − x 1 ( j )) 2 + ( x 2 ( i ) y e y − c x e x d − e d [ ∀ ix 1 ( i ) ′ = d 1 ( i ) , d 1 ( i ) ′ = − ω d 2 ( i ) , x 2 ( i ) ′ = d 2 ( i ) , d 2 ( i ) ′ = ω d 1 ( i )] d 1 ( i ) − d 1 ( j ) = − ω ( x 2 ( i Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 19 / 21

Differential Induction for Aircraft Roundabouts 2( x 1 ( i ) − x 1 ( j ))( − ω ( x 2 ( i ) − x 2 ( j ))) + 2( x 2 ( i ) − x 2 ( j )) ω ( x 1 ( i ) − x 1 ( j )) ≥ 0 2( x 1 ( i ) − x 1 ( j ))( d 1 ( i ) − d 1 ( j )) + 2( x 2 ( i ) − x 2 ( j ))( d 2 ( i ) − d 2 ( j )) ≥ 0 0 = 0 ∧ 2( x 1 ( i ) − x 1 ( j ))( d 1 ( i ) − d 1 ( j )) + 2( x 2 ( i ) − x 2 ( j ))( d 2 ( i ) − d 2 ( j )) ≥ 0 [ ∀ ix 1 ( i ) ′ = d 1 ( i ) , d 1 ( i ) ′ = − ω d 2 ( i ) , x 2 ( i ) ′ = d 2 ( i ) , d 2 ( i ) ′ = ω d 1 ( i )]( x 1 ( i ) − x 1 ( j )) 2 + ( x 2 ( i ) y e y − c x e x d − e d d 1 ( i ) ′ − d 1 ( j ) ′ = − ω ( x 2 ( i ) ′ − x 2 ( j ) ′ ) [ ∀ ix 1 ( i ) ′ = d 1 ( i ) , d 1 ( i ) ′ = − ω d 2 ( i ) , x 2 ( i ) ′ = d 2 ( i ) , d 2 ( i ) ′ = ω d 1 ( i )] d 1 ( i ) − d 1 ( j ) = − ω ( x 2 ( i Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 19 / 21

Differential Induction for Aircraft Roundabouts 2( x 1 ( i ) − x 1 ( j ))( − ω ( x 2 ( i ) − x 2 ( j ))) + 2( x 2 ( i ) − x 2 ( j )) ω ( x 1 ( i ) − x 1 ( j )) ≥ 0 2( x 1 ( i ) − x 1 ( j ))( d 1 ( i ) − d 1 ( j )) + 2( x 2 ( i ) − x 2 ( j ))( d 2 ( i ) − d 2 ( j )) ≥ 0 0 = 0 ∧ 2( x 1 ( i ) − x 1 ( j ))( d 1 ( i ) − d 1 ( j )) + 2( x 2 ( i ) − x 2 ( j ))( d 2 ( i ) − d 2 ( j )) ≥ 0 [ ∀ ix 1 ( i ) ′ = d 1 ( i ) , d 1 ( i ) ′ = − ω d 2 ( i ) , x 2 ( i ) ′ = d 2 ( i ) , d 2 ( i ) ′ = ω d 1 ( i )]( x 1 ( i ) − x 1 ( j )) 2 + ( x 2 ( i ) y e y − c x e x d − e d d 1 ( i ) ′ − d 1 ( j ) ′ = − ω ( x 2 ( i ) ′ − x 2 ( j ) ′ ) [ ∀ ix 1 ( i ) ′ = d 1 ( i ) , d 1 ( i ) ′ = − ω d 2 ( i ) , x 2 ( i ) ′ = d 2 ( i ) , d 2 ( i ) ′ = ω d 1 ( i )] d 1 ( i ) − d 1 ( j ) = − ω ( x 2 ( i Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 19 / 21

Differential Induction for Aircraft Roundabouts 2( x 1 ( i ) − x 1 ( j ))( − ω ( x 2 ( i ) − x 2 ( j ))) + 2( x 2 ( i ) − x 2 ( j )) ω ( x 1 ( i ) − x 1 ( j )) ≥ 0 2( x 1 ( i ) − x 1 ( j ))( d 1 ( i ) − d 1 ( j )) + 2( x 2 ( i ) − x 2 ( j ))( d 2 ( i ) − d 2 ( j )) ≥ 0 0 = 0 ∧ 2( x 1 ( i ) − x 1 ( j ))( d 1 ( i ) − d 1 ( j )) + 2( x 2 ( i ) − x 2 ( j ))( d 2 ( i ) − d 2 ( j )) ≥ 0 [ ∀ ix 1 ( i ) ′ = d 1 ( i ) , d 1 ( i ) ′ = − ω d 2 ( i ) , x 2 ( i ) ′ = d 2 ( i ) , d 2 ( i ) ′ = ω d 1 ( i )]( x 1 ( i ) − x 1 ( j )) 2 + ( x 2 ( i ) y e y − c x e x d − e d − ω d 2 ( i ) − − ω d 2 ( j ) = − ω ( d 2 ( i ) − d 2 ( j )) [ ∀ ix 1 ( i ) ′ = d 1 ( i ) , d 1 ( i ) ′ = − ω d 2 ( i ) , x 2 ( i ) ′ = d 2 ( i ) , d 2 ( i ) ′ = ω d 1 ( i )] d 1 ( i ) − d 1 ( j ) = − ω ( x 2 ( i Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 19 / 21

Differential Induction for Aircraft Roundabouts 2( x 1 ( i ) − x 1 ( j ))( − ω ( x 2 ( i ) − x 2 ( j ))) + 2( x 2 ( i ) − x 2 ( j )) ω ( x 1 ( i ) − x 1 ( j )) ≥ 0 2( x 1 ( i ) − x 1 ( j ))( d 1 ( i ) − d 1 ( j )) + 2( x 2 ( i ) − x 2 ( j ))( d 2 ( i ) − d 2 ( j )) ≥ 0 0 = 0 ∧ 2( x 1 ( i ) − x 1 ( j ))( d 1 ( i ) − d 1 ( j )) + 2( x 2 ( i ) − x 2 ( j ))( d 2 ( i ) − d 2 ( j )) ≥ 0 [ ∀ ix 1 ( i ) ′ = d 1 ( i ) , d 1 ( i ) ′ = − ω d 2 ( i ) , x 2 ( i ) ′ = d 2 ( i ) , d 2 ( i ) ′ = ω d 1 ( i )]( x 1 ( i ) − x 1 ( j )) 2 + ( x 2 ( i ) y e y − c x e x d − e d − ω d 2 ( i ) + ω d 2 ( j ) = − ω ( d 2 ( i ) − d 2 ( j )) − ω d 2 ( i ) − − ω d 2 ( j ) = − ω ( d 2 ( i ) − d 2 ( j )) [ ∀ ix 1 ( i ) ′ = d 1 ( i ) , d 1 ( i ) ′ = − ω d 2 ( i ) , x 2 ( i ) ′ = d 2 ( i ) , d 2 ( i ) ′ = ω d 1 ( i )] d 1 ( i ) − d 1 ( j ) = − ω ( x 2 ( i Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 19 / 21

Differential Induction & Differential Cuts 2( x 1 ( i ) − x 1 ( j ))( − ω ( x 2 ( i ) − x 2 ( j ))) + 2( x 2 ( i ) − x 2 ( j )) ω ( x 1 ( i ) − x 1 ( j )) ≥ 0 2( x 1 ( i ) − x 1 ( j ))( d 1 ( i ) − d 1 ( j )) + 2( x 2 ( i ) − x 2 ( j ))( d 2 ( i ) − d 2 ( j )) ≥ 0 0 = 0 ∧ 2( x 1 ( i ) − x 1 ( j ))( d 1 ( i ) − d 1 ( j )) + 2( x 2 ( i ) − x 2 ( j ))( d 2 ( i ) − d 2 ( j )) ≥ 0 [ ∀ ix 1 ( i ) ′ = d 1 ( i ) , d 1 ( i ) ′ = − ω d 2 ( i ) , x 2 ( i ) ′ = d 2 ( i ) , d 2 ( i ) ′ = ω d 1 ( i )]( x 1 ( i ) − x 1 ( j )) 2 + ( x 2 ( i ) Proposition (Differential cut) F differential invariant of [ ∀ i x ( i ) ′ = θ ∧ H ] φ , then [ ∀ i x ( i ) ′ = θ ∧ H ] φ [ ∀ i x ( i ) ′ = θ ∧ H ∧ F ] φ iff − ω d 2 ( i ) + ω d 2 ( j ) = − ω ( d 2 ( i ) − d 2 ( j )) − ω d 2 ( i ) − − ω d 2 ( j ) = − ω ( d 2 ( i ) − d 2 ( j )) [ ∀ ix 1 ( i ) ′ = d 1 ( i ) , d 1 ( i ) ′ = − ω d 2 ( i ) , x 2 ( i ) ′ = d 2 ( i ) , d 2 ( i ) ′ = ω d 1 ( i )] d 1 ( i ) − d 1 ( j ) = − ω ( x 2 ( i Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 19 / 21