Quantified Differential Invariants Andr e Platzer Carnegie Mellon - - PowerPoint PPT Presentation

Quantified Differential Invariants

Andr´ e Platzer

Carnegie Mellon University, Pittsburgh, PA

0.2 0.4 0.6 0.8 1.0

0.1 0.2 0.3 0.4 0.5

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 1 / 21

Outline

1

Motivation

2

Quantified Differential Dynamic Logic QdL Design Syntax Semantics

3

Proof Calculus for Distributed Hybrid Systems Compositional Verification Calculus Air Traffic Control Derivations and Differentiation Soundness and Completeness

4

Conclusions

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 1 / 21

Complex Physical Systems:

Q: Verify my plane?

Challenge

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 2 / 21

Complex Physical Systems: Hybrid Systems

Q: Verify my plane? A: Hybrid systems

Challenge (Hybrid Systems)

Continuous dynamics (differential equations) Discrete dynamics (control decisions)

1 2 3 4 t 2 1 1 2 a

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 2 / 21

Complex Physical Systems: Hybrid Systems

Q: Verify my plane? A: Hybrid systems Q: But there’s lots of planes!

Challenge (Hybrid Systems)

Continuous dynamics (differential equations) Discrete dynamics (control decisions)

1 2 3 4 t 2 1 1 2 a

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 2 / 21

Complex Physical Systems:

Q: Verify lots of planes?

Challenge

a a a a

1 4 3 2

a a a a

1 4 3 2

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 3 / 21

Complex Physical Systems: Distributed Systems

Q: Verify lots of planes? A: Distributed systems

Challenge (Distributed Systems)

Local computation (finite state automaton) Remote communication (network graph)

a a a a

1 4 3 2

a a a a

1 4 3 2

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 3 / 21

Complex Physical Systems: Distributed Systems

Q: Verify lots of planes? A: Distributed systems Q: But they move!

Challenge (Distributed Systems)

Local computation (finite state automaton) Remote communication (network graph)

a a a a

1 4 3 2

a a a a

1 4 3 2

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 3 / 21

Complex Physical Systems:

Q: Verify lots of moving planes?

Challenge

c x y

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 4 / 21

Complex Physical Systems: Distributed Hybrid Systems

Q: Verify lots of moving planes? A: Distributed hybrid systems

Challenge (Distributed Hybrid Systems)

Continuous dynamics (differential equations) Discrete dynamics (control decisions) Structural dynamics (remote communication)

c x y

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 4 / 21

Complex Physical Systems: Distributed Hybrid Systems

Q: Verify lots of moving planes? A: Distributed hybrid systems

Challenge (Distributed Hybrid Systems)

Continuous dynamics (differential equations) Discrete dynamics (control decisions) Structural dynamics (remote communication) Dimensional dynamics (appearance)

c x y z

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 4 / 21

Complex Physical Systems: Distributed Hybrid Systems

Q: Verify lots of moving planes? A: Distributed hybrid systems Q: How?

Challenge (Distributed Hybrid Systems)

Continuous dynamics (differential equations) Discrete dynamics (control decisions) Structural dynamics (remote communication) Dimensional dynamics (appearance)

c x y z

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 4 / 21

State of the Art:

Shift [DGV96] The Hybrid System Simulation Programming Language R-Charon [KSPL06] Modeling Language for Reconfigurable Hybrid Systems Hybrid CSP [CJR95] Semantics in Extended Duration Calculus HyPA [CR05] Translate fragment into normal form. χ process algebra [vBMR+06] Simulation, translation of fragments to PHAVER, UPPAAL Φ-calculus [Rou04] Semantics in rich set theory ACPsrt

hs [BM05] Modeling language

proposal OBSHS [MS06] Partial random simulation of objects

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 5 / 21

State of the Art: Modeling and Simulation

Shift [DGV96] The Hybrid System Simulation Programming Language R-Charon [KSPL06] Modeling Language for Reconfigurable Hybrid Systems Hybrid CSP [CJR95] Semantics in Extended Duration Calculus HyPA [CR05] Translate fragment into normal form. χ process algebra [vBMR+06] Simulation, translation of fragments to PHAVER, UPPAAL Φ-calculus [Rou04] Semantics in rich set theory ACPsrt

hs [BM05] Modeling language

proposal OBSHS [MS06] Partial random simulation of objects

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 5 / 21

State of the Art: Modeling and Simulation

No formal verification of distributed hybrid systems Shift [DGV96] The Hybrid System Simulation Programming Language R-Charon [KSPL06] Modeling Language for Reconfigurable Hybrid Systems Hybrid CSP [CJR95] Semantics in Extended Duration Calculus HyPA [CR05] Translate fragment into normal form. χ process algebra [vBMR+06] Simulation, translation of fragments to PHAVER, UPPAAL Φ-calculus [Rou04] Semantics in rich set theory ACPsrt

hs [BM05] Modeling language

proposal OBSHS [MS06] Partial random simulation of objects

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 5 / 21

Outline

1

Motivation

2

Quantified Differential Dynamic Logic QdL Design Syntax Semantics

3

Proof Calculus for Distributed Hybrid Systems Compositional Verification Calculus Air Traffic Control Derivations and Differentiation Soundness and Completeness

4

Conclusions

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 5 / 21

Outline (Conceptual Approach)

1

Motivation

2

Quantified Differential Dynamic Logic QdL Design Syntax Semantics

3

Proof Calculus for Distributed Hybrid Systems Compositional Verification Calculus Air Traffic Control Derivations and Differentiation Soundness and Completeness

4

Conclusions

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 5 / 21

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems

Model (Distributed Hybrid Systems)

x

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 6 / 21

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems

Model (Distributed Hybrid Systems)

Continuous dynamics (differential equations) Discrete dynamics (control decisions) Structural dynamics (communication/coupling)

x

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 6 / 21

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems

Model (Distributed Hybrid Systems)

Continuous dynamics (differential equations) x′ = d, d′ = f (ω, d) Discrete dynamics (control decisions) Structural dynamics (communication/coupling)

x

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 6 / 21

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems

Model (Distributed Hybrid Systems)

Continuous dynamics (differential equations) x′ = d, d′ = f (ω, d) Discrete dynamics (control decisions) ω := if .. then 0 else 2 Structural dynamics (communication/coupling)

c x y

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 6 / 21

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems

Model (Distributed Hybrid Systems)

Continuous dynamics (differential equations) x′ = d, d′ = f (ω, d) Discrete dynamics (control decisions) ω := if .. then 0 else 2 Structural dynamics (communication/coupling)

c

x(i) x(j)

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 6 / 21

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems

Model (Distributed Hybrid Systems)

Continuous dynamics (differential equations) x′ = d, d′ = f (ω, d) Discrete dynamics (control decisions) ω := if .. then 0 else 2 Structural dynamics (communication/coupling)

c

x(i) x(j)

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 6 / 21

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems

Model (Distributed Hybrid Systems)

Continuous dynamics (differential equations) x(i)′ = d(i), d(i)′ = f (ω(i), d(i)) Discrete dynamics (control decisions) ω(i) := if .. then 0 else 2 Structural dynamics (communication/coupling)

c

x(i) x(j)

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 6 / 21

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems

Model (Distributed Hybrid Systems)

Continuous dynamics (differential equations) ∀i x(i)′ = d(i), d(i)′ = f (ω(i), d(i)) Discrete dynamics (control decisions) ∀i ω(i) := if .. then 0 else 2 Structural dynamics (communication/coupling)

c

x(i) x(j)

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 6 / 21

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems

Model (Distributed Hybrid Systems)

Continuous dynamics (differential equations) ∀i x(i)′ = d(i), d(i)′ = f (ω(i), d(i)) Discrete dynamics (control decisions) ∀i ω(i) := if .. then 0 else 2 Structural dynamics (communication/coupling) c(i) := negotiate(i,j)

c

x(i) x(j)

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 6 / 21

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems A: Quantified Hybrid Programs

Model (Distributed Hybrid Systems)

Continuous dynamics (differential equations) ∀i x(i)′ = d(i), d(i)′ = f (ω(i), d(i)) Discrete dynamics (control decisions) ∀i ω(i) := if .. then 0 else 2 Structural dynamics (communication/coupling) c(i) := negotiate(i,j) Dimensional dynamics (appearance)

c

x(i) x(j) x(n)

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 6 / 21

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems A: Quantified Hybrid Programs

Model (Distributed Hybrid Systems)

Continuous dynamics (differential equations) ∀i x(i)′ = d(i), d(i)′ = f (ω(i), d(i)) Discrete dynamics (control decisions) ∀i ω(i) := if .. then 0 else 2 Structural dynamics (communication/coupling) c(i) := negotiate(i,j) Dimensional dynamics (appearance) n := new Aircraft

c

x(i) x(j) x(n)

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 6 / 21

Quantified Differential Dynamic Logic QdL: Syntax

Definition (Quantified hybrid program α)

∀i : C x(i)′ = θ (quantified ODE) ∀i : C x(i) := θ (quantified assignment)

• jump & test

?χ (conditional execution) α; β (seq. composition)

• Kleene algebra

α ∪ β (nondet. choice) α∗ (nondet. repetition)

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 7 / 21

Quantified Differential Dynamic Logic QdL: Syntax

Definition (Quantified hybrid program α)

∀i : C x(i)′ = θ (quantified ODE) ∀i : C x(i) := θ (quantified assignment)

• jump & test

?χ (conditional execution) α; β (seq. composition)

• Kleene algebra

α ∪ β (nondet. choice) α∗ (nondet. repetition) DATC ≡ (ctrl ; fly)∗ ctrl ≡ ∀i : A ω(i) := if ∀j : A far(i, j) then 0 else 2 fly ≡ ∀i : A x(i)′′ = d(i), d(i)′ = f (ω(i), d(i))

c

x(i) x(j) x(n)

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 7 / 21

Quantified Differential Dynamic Logic QdL: Syntax

Definition (Quantified hybrid program α)

∀i : C x(i)′ = θ (quantified ODE) ∀i : C x(i) := θ (quantified assignment)

• jump & test

?χ (conditional execution) α; β (seq. composition)

• Kleene algebra

α ∪ β (nondet. choice) α∗ (nondet. repetition) DATC ≡ (appear ; ctrl ; fly)∗ appear ≡ n := new A; ?(∀j : A far(j, n)) ctrl ≡ ∀i : A ω(i) := if ∀j : A far(i, j) then 0 else 2 fly ≡ ∀i : A x(i)′′ = d(i), d(i)′ = f (ω(i), d(i))

c

x(i) x(j) x(n)

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 7 / 21

Quantified Differential Dynamic Logic QdL: Syntax

Definition (Quantified hybrid program α)

∀i : C x(i)′ = θ (quantified ODE) ∀i : C x(i) := θ (quantified assignment)

• jump & test

?χ (conditional execution) α; β (seq. composition)

• Kleene algebra

α ∪ β (nondet. choice) α∗ (nondet. repetition) DATC ≡ (appear ; ctrl ; fly)∗ appear ≡ n := new A; ?(∀j : A far(j, n)) ctrl ≡ ∀i : A ω(i) := if ∀j : A far(i, j) then 0 else 2 fly ≡ ∀i : A x(i)′′ = d(i), d(i)′ = f (ω(i), d(i)) new A is definable!

c

x(i) x(j) x(n)

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 7 / 21

Quantified Differential Dynamic Logic QdL: Syntax

Definition (Quantified hybrid program α)

∀i : C x(i)′ = θ (quantified ODE) ∀i : C x(i) := θ (quantified assignment)

• jump & test

?χ (conditional execution) α; β (seq. composition)

• Kleene algebra

α ∪ β (nondet. choice) α∗ (nondet. repetition) DATC ≡ (appear ; ctrl ; fly)∗ appear ≡ n := new A; ?(∀j : A far(j, n)) ctrl ≡ ∀i : A ω(i) := if ∀j : A far(i, j) then 0 else 2 fly ≡ ∀i : A x(i)′′ = d(i), d(i)′ = f (ω(i), d(i))

c

x(i) x(j) x(n)

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 7 / 21

Quantified Differential Dynamic Logic QdL: Syntax

Definition (QdL Formula φ)

¬, ∧, ∨, →, ∀x , ∃x , =, ≤, +, · (R-first-order part) [α]φ, αφ (dynamic part) ∀i, j : A far(i, j) → [(appear ; ctrl ; fly)∗] ∀i, j : A (i = j ∨ (x1(i) − x1(j))2 + (x2(i) − x2(j))2 ≥ p2)

c

x(i) x(j) x(n)

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 7 / 21

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics )

v w ∀i : C x(i) := θ

Details

t x v w if w(x)(ve

i [

[i] ]) = ve

i [

[θ] ] (for all e) and otherwise unchanged

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 8 / 21

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics )

v w ∀i : C x(i)′ = θ

Details

t x w v ϕ(t) ∀i x(i)′ = θ d ϕ(t)e

i [

[x(i)] ] dt (ζ) = ϕ(ζ)e

i [

[θ] ] (for all e)

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 8 / 21

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics )

v s w α; β α β

Details Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 8 / 21

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics )

v s w α; β α β

Details

t x s v w

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 8 / 21

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics )

v s w α; β α β

Details

t x s v w

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 8 / 21

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics )

v s1 s2 sn w α∗ α α α

Details Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 8 / 21

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics )

v s1 s2 sn w α∗ α α α

Details

t x v w

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 8 / 21

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics )

v w1 w2 α β α ∪ β

Details Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 8 / 21

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics )

v w1 w2 α β α ∪ β

Details

t x v w1 w2

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 8 / 21

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics )

v ?χ if v | = χ

Details

t x v no change if v | = χ

• therwise no transition

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 8 / 21

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics )

v if v | = χ

Details

t x v no change if v | = χ

• therwise no transition

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 8 / 21

Quantified Differential Dynamic Logic QdL: Semantics

Definition (QdL Formula φ )

v [α]φ φ φ φ

Details Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 9 / 21

Quantified Differential Dynamic Logic QdL: Semantics

Definition (QdL Formula φ )

v αφ φ

Details Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 9 / 21

Quantified Differential Dynamic Logic QdL: Semantics

Definition (QdL Formula φ )

v α-span [α]φ

Details Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 9 / 21

Quantified Differential Dynamic Logic QdL: Semantics

Definition (QdL Formula φ )

v α-span [α]φ βφ β-span

Details Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 9 / 21

Quantified Differential Dynamic Logic QdL: Semantics

Definition (QdL Formula φ )

v α-span [α]φ βφ β-span β[α]-span

Details Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 9 / 21

Quantified Differential Dynamic Logic QdL: Semantics

Definition (QdL Formula φ )

v α-span [α]φ βφ β-span β[α]-span

Details

compositional semantics ⇒ compositional calculus!

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 9 / 21

Outline (Verification Approach)

1

Motivation

2

Quantified Differential Dynamic Logic QdL Design Syntax Semantics

3

Proof Calculus for Distributed Hybrid Systems Compositional Verification Calculus Air Traffic Control Derivations and Differentiation Soundness and Completeness

4

Conclusions

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 9 / 21

Proof Calculus for Quantified Differential Dynamic Logic

∀i (i = u → φ(θ)) φ([∀i x(i) := θ]x(u)) v w ∀i x(i) := θ φ

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 10 / 21

Proof Calculus for Quantified Differential Dynamic Logic

∀i (i = [∀i x(i) := θ]u → φ(θ)) φ([∀i x(i) := θ]x(u)) v w ∀i x(i) := θ φ

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 10 / 21

Proof Calculus for Quantified Differential Dynamic Logic

∀i (i = [∀i x(i) := θ]u → φ(θ)) φ([∀i x(i) := θ]x(u)) v w ∀i x(i) := θ φ ∃t≥0 ∀i S(t)φ ∀i x(i)′ = θφ v w ∀i x(i)′ = θ φ

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 10 / 21

Proof Calculus for Quantified Differential Dynamic Logic

∀i (i = [∀i x(i) := θ]u → φ(θ)) φ([∀i x(i) := θ]x(u)) v w ∀i x(i) := θ φ ∃t≥0 ∀i S(t)φ ∀i x(i)′ = θφ v w ∀i x(i)′ = θ φ ∀i S(t)

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 10 / 21

Proof Calculus for Quantified Differential Dynamic Logic

∀i (i = [∀i x(i) := θ]u → φ(θ)) φ([∀i x(i) := θ]x(u)) v w ∀i x(i) := θ φ ∃t≥0 ∀i S(t)φ ∀i x(i)′ = θφ v w ∀i x(i)′ = θ φ ∀i S(t) solve infinite-dimensional diff. eqn.?

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 10 / 21

Proof Calculus for Quantified Differential Dynamic Logic

compositional semantics ⇒ compositional rules!

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 11 / 21

Proof Calculus for Quantified Differential Dynamic Logic

[α]φ ∧ [β]φ [α ∪ β]φ v w1 w2 α φ β φ α ∪ β

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 11 / 21

Proof Calculus for Quantified Differential Dynamic Logic

[α]φ ∧ [β]φ [α ∪ β]φ v w1 w2 α φ β φ α ∪ β [α][β]φ [α; β]φ v s w α; β [α][β]φ α [β]φ β φ

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 11 / 21

Proof Calculus for Quantified Differential Dynamic Logic

[α]φ ∧ [β]φ [α ∪ β]φ v w1 w2 α φ β φ α ∪ β [α][β]φ [α; β]φ v s w α; β [α][β]φ α [β]φ β φ φ (φ → [α]φ) [α∗]φ v w α∗ φ α φ → [α]φ α α φ

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 11 / 21

Air Traffic Control

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 12 / 21

Air Traffic Control

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 12 / 21

Air Traffic Control

Verification?

looks correct

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 12 / 21

Air Traffic Control

Verification?

looks correct NO!

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 12 / 21

Air Traffic Control

x1 x2 y1 y2 d ω e ς ̺

   x′

1 = −v1+v2 cos ϑ + ωx2

x′

2 =

v2 sin ϑ − ωx1 ϑ′ = ̟ − ω   

Verification?

looks correct NO!

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 12 / 21

Air Traffic Control

x1 x2 y1 y2 d ω e ς ̺

   x′

1 = −v1+v2 cos ϑ + ωx2

x′

2 =

v2 sin ϑ − ωx1 ϑ′ = ̟ − ω   

Example (“Solving” differential equations)

x1(t) = 1 ω̟

• x1ω̟ cos tω − v2ω cos tω sin ϑ + v2ω cos tω cos t̟ sin ϑ − v1̟ sin tω

+ x2ω̟ sin tω − v2ω cos ϑ cos t̟ sin tω − v2ω

• 1 − sin ϑ2 sin tω

+ v2ω cos ϑ cos tω sin t̟ + v2ω sin ϑ sin tω sin t̟

• . . .

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 12 / 21

Air Traffic Control

x1 x2 y1 y2 d ω e ς ̺

   x′

1 = −v1+v2 cos ϑ + ωx2

x′

2 =

v2 sin ϑ − ωx1 ϑ′ = ̟ − ω   

Example (“Solving” differential equations)

∀t≥0 1 ω̟

• x1ω̟ cos tω − v2ω cos tω sin ϑ + v2ω cos tω cos t̟ sin ϑ − v1̟ sin tω

+ x2ω̟ sin tω − v2ω cos ϑ cos t̟ sin tω − v2ω

• 1 − sin ϑ2 sin tω

+ v2ω cos ϑ cos tω sin t̟ + v2ω sin ϑ sin tω sin t̟

• . . .

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 12 / 21

Differential Invariants for Differential Equations

Idea (Differential Invariant)

Formula that remains true in the direction of the dynamics Andr´ e Platzer. Differential-algebraic dynamic logic for differential-algebraic programs.

• J. Log. Comput., 35(1): 309–352, 2010.

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 13 / 21

Differential Invariants for Differential Equations

Idea (Differential Invariant)

Formula that remains true in the direction of the dynamics Andr´ e Platzer. Differential-algebraic dynamic logic for differential-algebraic programs.

• J. Log. Comput., 35(1): 309–352, 2010.

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 13 / 21

Differential Invariants for Differential Equations

Idea (Differential Invariant)

Formula that remains true in the direction of the dynamics Andr´ e Platzer. Differential-algebraic dynamic logic for differential-algebraic programs.

• J. Log. Comput., 35(1): 309–352, 2010.

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 13 / 21

Differential Invariants for Differential Equations

Idea (Differential Invariant)

Formula that remains true in the direction of the dynamics R2 but R∞?? Andr´ e Platzer. Differential-algebraic dynamic logic for differential-algebraic programs.

• J. Log. Comput., 35(1): 309–352, 2010.

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 13 / 21

Differential Induction: Local Dynamics w/o Solutions

Definition (Differential Invariant)

F closed under total differentiation with respect to differential constraints

F

¬F

Details

(χ → F ′) χ → F→[x′ = θ ∧ χ]F

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 14 / 21

Differential Induction: Local Dynamics w/o Solutions

Definition (Differential Invariant)

F closed under total differentiation with respect to differential constraints

F

¬F

Details

(χ → F ′) χ → F→[x′ = θ ∧ χ]F Total differential F ′ of formulas?

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 14 / 21

Quantified Differential Invariants

Definition (Quantified Differential Invariant)

Quantified formula F closed under total differentiation with respect to quantified differential constraints

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 15 / 21

Derivations and Differentiation

Definition (Syntactic total derivation D)

D(r) = 0 if r a number symbol D(x(i)) = x(i)′ if x : C → R, C = R D(a + b) = D(a) + D(b) D(a · b) = D(a) · b + a · D(b) D(a/b) = (D(a) · b − a · D(b))/b2

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 16 / 21

Derivations and Differentiation

Definition (Syntactic total derivation D)

D(r) = 0 if r a number symbol D(x(i)) = x(i)′ if x : C → R, C = R D(a + b) = D(a) + D(b) D(a · b) = D(a) · b + a · D(b) D(a/b) = (D(a) · b − a · D(b))/b2 D(a ≥ b) ≡ D(a) ≥ D(b) accordingly for >, = D(F ∧ G) ≡ D(F) ∧ D(G) D(∀i F) ≡ ∀i D(F)

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 16 / 21

Derivations and Differentiation

Definition (Syntactic total derivation D)

D(r) = 0 if r a number symbol D(x(i)) = x(i)′ if x : C → R, C = R D(a + b) = D(a) + D(b) D(a · b) = D(a) · b + a · D(b) D(a/b) = (D(a) · b − a · D(b))/b2 D(a ≥ b) ≡ D(a) ≥ D(b) accordingly for >, = D(F ∧ G) ≡ D(F) ∧ D(G) D(∀i F) ≡ ∀i D(F) P ≡ ∀i, j : A

• i = j ∨ (x1(i) − x1(j))2 + (x2(i) − x2(j))2 ≥ p2

⇒ D(P) ≡ ∀i, j : A

• i′ = j′ ∧ 2(x1(i) − x1(j))(x1(i)′ − x1(j)′)

+ 2(x2(i) − x2(j))(x2(i)′ − x2(j)′) ≥ 0

• Andr´

e Platzer (CMU) Quantified Differential Invariants HSCC 16 / 21

Derivations and Differentiation

Definition (Syntactic total derivation D)

D(r) = 0 if r a number symbol D(x(i)) = x(i)′ if x : C → R, C = R D(a + b) = D(a) + D(b) D(a · b) = D(a) · b + a · D(b) D(a/b) = (D(a) · b − a · D(b))/b2 D(a ≥ b) ≡ D(a) ≥ D(b) accordingly for >, = D(F ∧ G) ≡ D(F) ∧ D(G) D(∀i F) ≡ ∀i D(F) P ≡ ∀i, j : A

• i = j ∨ (x1(i) − x1(j))2 + (x2(i) − x2(j))2 ≥ p2

⇒ D(P) ≡ ∀i, j : A

• i′ = j′ ∧ 2(x1(i) − x1(j))(x1(i)′ − x1(j)′)

+ 2(x2(i) − x2(j))(x2(i)′ − x2(j)′) ≥ 0

• Andr´

e Platzer (CMU) Quantified Differential Invariants HSCC 16 / 21

Derivations and Differentiation

Syntactic derivation D(·) coincides with analytic differentiation:

Lemma (Derivation lemma)

Valuation is a differential homomorphism: for all flows ϕ all ζ ∈ [0, r] d ϕ(t)[ [θ] ] dt (ζ) = ¯ ϕ(ζ)[ [D(θ)] ]

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 17 / 21

Derivations and Differentiation

Syntactic derivation D(·) coincides with analytic differentiation:

Lemma (Derivation lemma)

Valuation is a differential homomorphism: for all flows ϕ all ζ ∈ [0, r] d ϕ(t)[ [θ] ] dt (ζ) = ¯ ϕ(ζ)[ [D(θ)] ] Locally understand QDE as quantified assignments:

Lemma (Quantified differential substitution principle)

If ϕ | = ∀i : C f (i)′ = θ ∧ χ, then ϕ | = υ = [∀i : C f (i)′ := θ]υ for all υ.

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 17 / 21

Derivations and Differentiation

Syntactic derivation D(·) coincides with analytic differentiation:

Lemma (Derivation lemma)

Valuation is a differential homomorphism: for all flows ϕ all ζ ∈ [0, r] d ϕ(t)[ [θ] ] dt (ζ) = ¯ ϕ(ζ)[ [D(θ)] ] Locally understand QDE as quantified assignments:

Lemma (Quantified differential substitution principle)

If ϕ | = ∀i : C f (i)′ = θ ∧ χ, then ϕ | = υ = [∀i : C f (i)′ := θ]υ for all υ.

Theorem (Quantified Differential Invariant)

(QDI) χ→[∀i : C f (i)′ := θ]D(F) F→[∀i : C f (i)′ = θ ∧ χ]F is sound

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 17 / 21

A Simple Proof with Quantified Differential Invariants

∀i : C 2x(i)3 ≥ 1 →[∀i : C x(i)′ = x(i)2 + x(i)4 + 2]∀i : C 2x(i)3 ≥ 1

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 18 / 21

A Simple Proof with Quantified Differential Invariants

[∀i : C x(i)′ := x(i)2 + x(i)4 + 2]∀i : C 2(x(i)3)′ ≥ 0 ∀i : C 2x(i)3 ≥ 1 →[∀i : C x(i)′ = x(i)2 + x(i)4 + 2]∀i : C 2x(i)3 ≥ 1

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 18 / 21

A Simple Proof with Quantified Differential Invariants

[∀i : C x(i)′ := x(i)2 + x(i)4 + 2]∀i : C 6x(i)2x(i)′ ≥ 0 [∀i : C x(i)′ := x(i)2 + x(i)4 + 2]∀i : C 2(x(i)3)′ ≥ 0 ∀i : C 2x(i)3 ≥ 1 →[∀i : C x(i)′ = x(i)2 + x(i)4 + 2]∀i : C 2x(i)3 ≥ 1

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 18 / 21

A Simple Proof with Quantified Differential Invariants

∀i : C 6x(i)2(x(i)2 + x(i)4 + 2) ≥ 0 [∀i : C x(i)′ := x(i)2 + x(i)4 + 2]∀i : C 6x(i)2x(i)′ ≥ 0 [∀i : C x(i)′ := x(i)2 + x(i)4 + 2]∀i : C 2(x(i)3)′ ≥ 0 ∀i : C 2x(i)3 ≥ 1 →[∀i : C x(i)′ = x(i)2 + x(i)4 + 2]∀i : C 2x(i)3 ≥ 1

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 18 / 21

A Simple Proof with Quantified Differential Invariants

true ∀i : C 6x(i)2(x(i)2 + x(i)4 + 2) ≥ 0 [∀i : C x(i)′ := x(i)2 + x(i)4 + 2]∀i : C 6x(i)2x(i)′ ≥ 0 [∀i : C x(i)′ := x(i)2 + x(i)4 + 2]∀i : C 2(x(i)3)′ ≥ 0 ∀i : C 2x(i)3 ≥ 1 →[∀i : C x(i)′ = x(i)2 + x(i)4 + 2]∀i : C 2x(i)3 ≥ 1

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 18 / 21

Differential Induction for Aircraft Roundabouts

[∀ix1(i)′ = d1(i), d1(i)′ = − ωd2(i), x2(i)′ = d2(i), d2(i)′ = ωd1(i)](x1(i) − x1(j))2 + (x2(i)

x y c

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 19 / 21

Differential Induction for Aircraft Roundabouts

i′ = j′ ∧ 2(x1(i) − x1(j))(x1(i)′ − x1(j)′) + 2(x2(i) − x2(j))(x2(i)′ − x2(j)′) ≥ 0 [∀ix1(i)′ = d1(i), d1(i)′ = − ωd2(i), x2(i)′ = d2(i), d2(i)′ = ωd1(i)](x1(i) − x1(j))2 + (x2(i)

x y c

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 19 / 21

Differential Induction for Aircraft Roundabouts

i′ = j′ ∧ 2(x1(i) − x1(j))(x1(i)′ − x1(j)′) + 2(x2(i) − x2(j))(x2(i)′ − x2(j)′) ≥ 0 [∀ix1(i)′ = d1(i), d1(i)′ = − ωd2(i), x2(i)′ = d2(i), d2(i)′ = ωd1(i)](x1(i) − x1(j))2 + (x2(i)

x y c

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 19 / 21

Differential Induction for Aircraft Roundabouts

0 = 0 ∧ 2(x1(i) − x1(j))(d1(i) − d1(j)) + 2(x2(i) − x2(j))(d2(i) − d2(j)) ≥ 0 [∀ix1(i)′ = d1(i), d1(i)′ = − ωd2(i), x2(i)′ = d2(i), d2(i)′ = ωd1(i)](x1(i) − x1(j))2 + (x2(i)

x y c

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 19 / 21

Differential Induction for Aircraft Roundabouts

2(x1(i) − x1(j))(d1(i) − d1(j)) + 2(x2(i) − x2(j))(d2(i) − d2(j)) ≥ 0 0 = 0 ∧ 2(x1(i) − x1(j))(d1(i) − d1(j)) + 2(x2(i) − x2(j))(d2(i) − d2(j)) ≥ 0 [∀ix1(i)′ = d1(i), d1(i)′ = − ωd2(i), x2(i)′ = d2(i), d2(i)′ = ωd1(i)](x1(i) − x1(j))2 + (x2(i)

x y c

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 19 / 21

Differential Induction for Aircraft Roundabouts

2(x1(i) − x1(j))(d1(i) − d1(j)) + 2(x2(i) − x2(j))(d2(i) − d2(j)) ≥ 0 0 = 0 ∧ 2(x1(i) − x1(j))(d1(i) − d1(j)) + 2(x2(i) − x2(j))(d2(i) − d2(j)) ≥ 0 [∀ix1(i)′ = d1(i), d1(i)′ = − ωd2(i), x2(i)′ = d2(i), d2(i)′ = ωd1(i)](x1(i) − x1(j))2 + (x2(i)

c x y d e x − y e d − e

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 19 / 21

Differential Induction for Aircraft Roundabouts

2(x1(i) − x1(j))(d1(i) − d1(j)) + 2(x2(i) − x2(j))(d2(i) − d2(j)) ≥ 0 0 = 0 ∧ 2(x1(i) − x1(j))(d1(i) − d1(j)) + 2(x2(i) − x2(j))(d2(i) − d2(j)) ≥ 0 [∀ix1(i)′ = d1(i), d1(i)′ = − ωd2(i), x2(i)′ = d2(i), d2(i)′ = ωd1(i)](x1(i) − x1(j))2 + (x2(i)

c x y d e x − y e d − e

[∀ix1(i)′ = d1(i), d1(i)′ = − ωd2(i), x2(i)′ = d2(i), d2(i)′ = ωd1(i)]d1(i) − d1(j) = −ω(x2(i

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 19 / 21

Differential Induction for Aircraft Roundabouts

2(x1(i) − x1(j))(−ω(x2(i) − x2(j))) + 2(x2(i) − x2(j))ω(x1(i) − x1(j)) ≥ 0 2(x1(i) − x1(j))(d1(i) − d1(j)) + 2(x2(i) − x2(j))(d2(i) − d2(j)) ≥ 0 0 = 0 ∧ 2(x1(i) − x1(j))(d1(i) − d1(j)) + 2(x2(i) − x2(j))(d2(i) − d2(j)) ≥ 0 [∀ix1(i)′ = d1(i), d1(i)′ = − ωd2(i), x2(i)′ = d2(i), d2(i)′ = ωd1(i)](x1(i) − x1(j))2 + (x2(i)

c x y d e x − y e d − e

[∀ix1(i)′ = d1(i), d1(i)′ = − ωd2(i), x2(i)′ = d2(i), d2(i)′ = ωd1(i)]d1(i) − d1(j) = −ω(x2(i

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 19 / 21

Differential Induction for Aircraft Roundabouts

2(x1(i) − x1(j))(−ω(x2(i) − x2(j))) + 2(x2(i) − x2(j))ω(x1(i) − x1(j)) ≥ 0 2(x1(i) − x1(j))(d1(i) − d1(j)) + 2(x2(i) − x2(j))(d2(i) − d2(j)) ≥ 0 0 = 0 ∧ 2(x1(i) − x1(j))(d1(i) − d1(j)) + 2(x2(i) − x2(j))(d2(i) − d2(j)) ≥ 0 [∀ix1(i)′ = d1(i), d1(i)′ = − ωd2(i), x2(i)′ = d2(i), d2(i)′ = ωd1(i)](x1(i) − x1(j))2 + (x2(i)

c x y d e x − y e d − e

d1(i)′ − d1(j)′ = −ω(x2(i)′ − x2(j)′) [∀ix1(i)′ = d1(i), d1(i)′ = − ωd2(i), x2(i)′ = d2(i), d2(i)′ = ωd1(i)]d1(i) − d1(j) = −ω(x2(i

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 19 / 21

Differential Induction for Aircraft Roundabouts

2(x1(i) − x1(j))(−ω(x2(i) − x2(j))) + 2(x2(i) − x2(j))ω(x1(i) − x1(j)) ≥ 0 2(x1(i) − x1(j))(d1(i) − d1(j)) + 2(x2(i) − x2(j))(d2(i) − d2(j)) ≥ 0 0 = 0 ∧ 2(x1(i) − x1(j))(d1(i) − d1(j)) + 2(x2(i) − x2(j))(d2(i) − d2(j)) ≥ 0 [∀ix1(i)′ = d1(i), d1(i)′ = − ωd2(i), x2(i)′ = d2(i), d2(i)′ = ωd1(i)](x1(i) − x1(j))2 + (x2(i)

c x y d e x − y e d − e

d1(i)′ − d1(j)′ = −ω(x2(i)′ − x2(j)′) [∀ix1(i)′ = d1(i), d1(i)′ = − ωd2(i), x2(i)′ = d2(i), d2(i)′ = ωd1(i)]d1(i) − d1(j) = −ω(x2(i

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 19 / 21

Differential Induction for Aircraft Roundabouts

2(x1(i) − x1(j))(−ω(x2(i) − x2(j))) + 2(x2(i) − x2(j))ω(x1(i) − x1(j)) ≥ 0 2(x1(i) − x1(j))(d1(i) − d1(j)) + 2(x2(i) − x2(j))(d2(i) − d2(j)) ≥ 0 0 = 0 ∧ 2(x1(i) − x1(j))(d1(i) − d1(j)) + 2(x2(i) − x2(j))(d2(i) − d2(j)) ≥ 0 [∀ix1(i)′ = d1(i), d1(i)′ = − ωd2(i), x2(i)′ = d2(i), d2(i)′ = ωd1(i)](x1(i) − x1(j))2 + (x2(i)

c x y d e x − y e d − e

− ωd2(i) − − ωd2(j) = −ω(d2(i) − d2(j)) [∀ix1(i)′ = d1(i), d1(i)′ = − ωd2(i), x2(i)′ = d2(i), d2(i)′ = ωd1(i)]d1(i) − d1(j) = −ω(x2(i

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 19 / 21

Differential Induction for Aircraft Roundabouts

2(x1(i) − x1(j))(−ω(x2(i) − x2(j))) + 2(x2(i) − x2(j))ω(x1(i) − x1(j)) ≥ 0 2(x1(i) − x1(j))(d1(i) − d1(j)) + 2(x2(i) − x2(j))(d2(i) − d2(j)) ≥ 0 0 = 0 ∧ 2(x1(i) − x1(j))(d1(i) − d1(j)) + 2(x2(i) − x2(j))(d2(i) − d2(j)) ≥ 0 [∀ix1(i)′ = d1(i), d1(i)′ = − ωd2(i), x2(i)′ = d2(i), d2(i)′ = ωd1(i)](x1(i) − x1(j))2 + (x2(i)

c x y d e x − y e d − e

−ωd2(i) + ωd2(j) = −ω(d2(i) − d2(j)) − ωd2(i) − − ωd2(j) = −ω(d2(i) − d2(j)) [∀ix1(i)′ = d1(i), d1(i)′ = − ωd2(i), x2(i)′ = d2(i), d2(i)′ = ωd1(i)]d1(i) − d1(j) = −ω(x2(i

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 19 / 21

Differential Induction & Differential Cuts

2(x1(i) − x1(j))(−ω(x2(i) − x2(j))) + 2(x2(i) − x2(j))ω(x1(i) − x1(j)) ≥ 0 2(x1(i) − x1(j))(d1(i) − d1(j)) + 2(x2(i) − x2(j))(d2(i) − d2(j)) ≥ 0 0 = 0 ∧ 2(x1(i) − x1(j))(d1(i) − d1(j)) + 2(x2(i) − x2(j))(d2(i) − d2(j)) ≥ 0 [∀ix1(i)′ = d1(i), d1(i)′ = − ωd2(i), x2(i)′ = d2(i), d2(i)′ = ωd1(i)](x1(i) − x1(j))2 + (x2(i)

Proposition (Differential cut)

F differential invariant of [∀i x(i)′ = θ ∧ H]φ, then [∀i x(i)′ = θ ∧ H]φ iff [∀i x(i)′ = θ ∧ H ∧ F]φ −ωd2(i) + ωd2(j) = −ω(d2(i) − d2(j)) − ωd2(i) − − ωd2(j) = −ω(d2(i) − d2(j)) [∀ix1(i)′ = d1(i), d1(i)′ = − ωd2(i), x2(i)′ = d2(i), d2(i)′ = ωd1(i)]d1(i) − d1(j) = −ω(x2(i

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 19 / 21

Differential Induction & Differential Cuts

2(x1(i) − x1(j))(−ω(x2(i) − x2(j))) + 2(x2(i) − x2(j))ω(x1(i) − x1(j)) ≥ 0 2(x1(i) − x1(j))(d1(i) − d1(j)) + 2(x2(i) − x2(j))(d2(i) − d2(j)) ≥ 0 0 = 0 ∧ 2(x1(i) − x1(j))(d1(i) − d1(j)) + 2(x2(i) − x2(j))(d2(i) − d2(j)) ≥ 0 [∀ix1(i)′ = d1(i), d1(i)′ = − ωd2(i), x2(i)′ = d2(i), d2(i)′ = ωd1(i)](x1(i) − x1(j))2 + (x2(i) −ωd2(i) + ωd2(j) = −ω(d2(i) − d2(j)) − ωd2(i) − − ωd2(j) = −ω(d2(i) − d2(j)) [∀ix1(i)′ = d1(i), d1(i)′ = − ωd2(i), x2(i)′ = d2(i), d2(i)′ = ωd1(i)]d1(i) − d1(j) = −ω(x2(i refine dynamics by differential cut

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 19 / 21

Soundness and Completeness

Theorem (Relative Completeness)

QdL calculus is a sound & complete axiomatisation of distributed hybrid systems relative to quantified differential equations.

Proof 16p. Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 20 / 21

Soundness and Completeness

Theorem (Relative Completeness)

QdL calculus is a sound & complete axiomatisation of distributed hybrid systems relative to quantified differential equations.

Proof 16p.

Corollary (Proof-theoretical Alignment)

proving distributed hybrid systems = proving dynamical systems!

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 20 / 21

Soundness and Completeness

Theorem (Relative Completeness)

QdL calculus is a sound & complete axiomatisation of distributed hybrid systems relative to quantified differential equations.

Proof 16p.

Corollary (Proof-theoretical Alignment)

proving distributed hybrid systems = proving dynamical systems!

Corollary (Yes, we can!)

distributed hybrid systems can be verified by recursive decomposition

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 20 / 21

Outline

1

Motivation

2

Quantified Differential Dynamic Logic QdL Design Syntax Semantics

3

Proof Calculus for Distributed Hybrid Systems Compositional Verification Calculus Air Traffic Control Derivations and Differentiation Soundness and Completeness

4

Conclusions

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 20 / 21

Conclusions ¬ ¬F

F F

quantified differential dynamic logic

QdL = FOL + DL + QHP [α]φ φ α Quantified differential invariants Verify quantified differential equations Logic for distributed hybrid systems Compositional proof calculus Sound & complete / diff. eqn. First verification approach Verified appearance of aircraft

c

x(i) x(j) x(n)

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 21 / 21

Conclusions ¬ ¬F

F F

quantified differential dynamic logic

QdL = FOL + DL + QHP [α]φ φ α Quantified differential invariants Verify quantified differential equations Logic for distributed hybrid systems Compositional proof calculus Sound & complete / diff. eqn. First verification approach Verified appearance of aircraft

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 21 / 21

Jan A. Bergstra and C. A. Middelburg. Process algebra for hybrid systems.

• Theor. Comput. Sci., 335(2-3):215–280, 2005.

Zhou Chaochen, Wang Ji, and Anders P. Ravn. A formal description of hybrid systems. In Rajeev Alur, Thomas A. Henzinger, and Eduardo D. Sontag, editors, Hybrid Systems, volume 1066 of LNCS, pages 511–530. Springer, 1995. Pieter J. L. Cuijpers and Michel A. Reniers. Hybrid process algebra.

• J. Log. Algebr. Program., 62(2):191–245, 2005.

Akash Deshpande, Aleks G¨

• ll¨

u, and Pravin Varaiya. SHIFT: A formalism and a programming language for dynamic networks of hybrid automata. In Panos J. Antsaklis, Wolf Kohn, Anil Nerode, and Shankar Sastry, editors, Hybrid Systems, volume 1273 of LNCS, pages 113–133. Springer, 1996.

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 21 / 21

Jo˜ ao P. Hespanha and Ashish Tiwari, editors. Hybrid Systems: Computation and Control, 9th International Workshop, HSCC 2006, Santa Barbara, CA, USA, March 29-31, 2006, Proceedings, volume 3927 of LNCS. Springer, 2006. Fabian Kratz, Oleg Sokolsky, George J. Pappas, and Insup Lee. R-Charon, a modeling language for reconfigurable hybrid systems. In Hespanha and Tiwari [HT06], pages 392–406. Jos´ e Meseguer and Raman Sharykin. Specification and analysis of distributed object-based stochastic hybrid systems. In Hespanha and Tiwari [HT06], pages 460–475. William C. Rounds. A spatial logic for the hybrid π-calculus. In Rajeev Alur and George J. Pappas, editors, HSCC, volume 2993 of LNCS, pages 508–522. Springer, 2004.

• D. A. van Beek, Ka L. Man, Michel A. Reniers, J. E. Rooda, and

Ramon R. H. Schiffelers.

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 21 / 21

Syntax and consistent equation semantics of hybrid Chi.

• J. Log. Algebr. Program., 68(1-2):129–210, 2006.

Andr´ e Platzer (CMU) Quantified Differential Invariants HSCC 21 / 21