The Complete Proof Theory of Hybrid Systems Andr e Platzer - - PowerPoint PPT Presentation

The Complete Proof Theory of Hybrid Systems

Andr´ e Platzer

aplatzer@cs.cmu.edu Computer Science Department Carnegie Mellon University, Pittsburgh, PA

0.2 0.4 0.6 0.8 1.0

0.1 0.2 0.3 0.4 0.5

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 1 / 29

Hybrid Systems: e.g., Car Control

Challenge (Hybrid Systems)

Fixed rule describing state evolution with both Continuous dynamics (differential equations) Discrete dynamics (control decisions)

1 2 3 4 t 2 1 1 2 a 1 2 3 4 t 0.5 1.0 1.5 2.0 2.5 3.0 v 1 2 3 4 t 1 2 3 4 5 6 z

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 2 / 29

Hybrid Systems: e.g., Car Control

Challenge (Hybrid Systems)

Fixed rule describing state evolution with both Continuous dynamics (differential equations) Discrete dynamics (control decisions)

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 2 / 29

Successful Hybrid Systems Proofs

far neg cor rec fsa

x y c

 

c

• x

e n t r y e x i t

• y

c

• x1

x2 y1 y2 d ω e ¯ ϑ ̟

c

• x
• y
• z

x Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 3 / 29

Successful Hybrid Systems Proofs

ey fy xb (lx, ly) ex fx (rx, ry) (vx, vy)

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 3 / 29

Proof theory: hybrid = continuous = discrete

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 4 / 29

Differential Dynamic Logic for Hybrid Systems

differential dynamic logic

dL = FOLR z v M v2 ≤ 2b(M − z)

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 5 / 29

Differential Dynamic Logic for Hybrid Systems

differential dynamic logic

dL = FOLR + DL + HP v2 ≤ 2b v2 ≤ 2b v2 ≤ 2b C → [ if(z > SB) a := −b; z′′ = a

• hybrid program

] v2 ≤ 2b

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 5 / 29

Differential Dynamic Logic for Hybrid Systems

differential dynamic logic

dL = FOLR + DL + HP v2 ≤ 2b v2 ≤ 2b v2 ≤ 2b C → [ if(z > SB) a := −b; z′′ = a

• hybrid program

] v2 ≤ 2b Initial condition System dynamics Post condition

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 5 / 29

Differential Dynamic Logic dL: Syntax

Definition (Hybrid program α)

x := θ | ?H | x′ = f (x) & H | α ∪ β | α; β | α∗

Definition (dL Formula φ)

θ1 ≥ θ2 | ¬φ | φ ∧ ψ | ∀x φ | ∃x φ | [α]φ | αφ

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 6 / 29

Differential Dynamic Logic dL: Syntax

Definition (Hybrid program α)

x := θ | ?H | x′ = f (x) & H | α ∪ β | α; β | α∗

Definition (dL Formula φ)

θ1 ≥ θ2 | ¬φ | φ ∧ ψ | ∀x φ | ∃x φ | [α]φ | αφ Discrete Assign Test Condition Differential Equation Nondet. Choice Seq. Compose Nondet. Repeat All Reals Some Reals All Runs Some Runs

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 6 / 29

Differential Dynamic Logic dL: Semantics

Definition (Hybrid program α)

ρ(x := θ) = {(v, w) : w = v except [ [x] ]w = [ [θ] ]v} ρ(?H) = {(v, v) : v | = H} ρ(x′ = f (x)) = {(ϕ(0), ϕ(r)) : ϕ | = x′ = f (x) for some duration r} ρ(α ∪ β) = ρ(α) ∪ ρ(β) ρ(α; β) = ρ(β) ◦ ρ(α) ρ(α∗) =

• n∈N

ρ(αn)

Definition (dL Formula φ)

v | = θ1 ≥ θ2 iff [ [θ1] ]v ≥ [ [θ2] ]v v | = [α]φ iff w | = φ for all w with (v, w) ∈ ρ(α) v | = αφ iff w | = φ for some w with (v, w) ∈ ρ(α) v | = ∀x φ iff w | = φ for all w that agree with v except for x v | = ∃x φ iff w | = φ for some w that agrees with v except for x v | = φ ∧ ψ iff v | = φ and v | = ψ v | = ¬φ iff v | = φ does not hold

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 7 / 29

Differential Dynamic Logic dL: Axiomatization

[:=] [x := θ]φ(x) ↔ φ(θ) [?] [?H]φ ↔ (H → φ) [′] [x′ = f (x)]φ ↔ ∀t≥0 [x := y(t)]φ (y′(t) = f (y)) [∪] [α ∪ β]φ ↔ [α]φ ∧ [β]φ [;] [α; β]φ ↔ [α][β]φ [∗] [α∗]φ ↔ φ ∧ [α][α∗]φ K [α](φ → ψ) → ([α]φ → [α]ψ) I [α∗](φ → [α]φ) → (φ → [α∗]φ) C [α∗]∀v>0 (ϕ(v) → αϕ(v − 1)) → ∀v (ϕ(v) → α∗∃v≤0 ϕ(v))

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 8 / 29

Differential Dynamic Logic dL: Axiomatization

G φ [α]φ MP φ → ψ φ ψ ∀ φ ∀x φ

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 8 / 29

Differential Dynamic Logic dL: Axiomatization

G φ [α]φ MP φ → ψ φ ψ ∀ φ ∀x φ B ∀x [α]φ → [α]∀x φ (x ∈ α) V φ → [α]φ (FV (φ) ∩ BV (α) = ∅)

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 8 / 29

Differential Dynamic Logic dL: Axiomatization x′

0 = 1

[&] [x′ = f (x) & H]φ ↔ [x′ = f (x)]

• φ
• t

x H w φ x

′

= f ( x ) r

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 9 / 29

Differential Dynamic Logic dL: Axiomatization x′

0 = 1

[&] [x′ = f (x) & H]φ ↔ [x′ = f (x)]

• φ
• t

x H w ¬φ x

′

= f ( x ) r

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 9 / 29

Differential Dynamic Logic dL: Axiomatization x′

0 = 1

[&] [x′ = f (x) & H]φ ↔ [x′ = f (x)]

• [x′ = −f (x)](H) → φ
• t

x H w ¬φ ¬H revert flow, check H backwards x

′

= f ( x ) r

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 9 / 29

Differential Dynamic Logic dL: Axiomatization x′

0 = 1

[&] [x′ = f (x) & H]φ ↔ [x′ = f (x)]

• [x′ = −f (x)](H) → φ
• t

x H w ¬H revert flow, check H backwards x

′

= f ( x ) r x′ = −f (x)

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 9 / 29

Differential Dynamic Logic dL: Axiomatization x′

0 = 1

[&] [x′ = f (x) & H]φ ↔ ∀t0=x0[x′ = f (x)]

• [x′ = −f (x)](x0 ≥ t0 → H) → φ
• t

x H w revert flow, time x0; check H backwards x

′

= f ( x ) t0 = x0 r x′ = −f (x)

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 9 / 29

“There and Back Again” Axiom of dL

[&] [x′ = f (x) & H]φ ↔ ∀t0=x0[x′ = f (x)]

• [x′ = −f (x)](x0 ≥ t0 → H) → φ
• t

x H w revert flow, time x0; check H backwards x

′

= f ( x ) t0 = x0 r x′ = −f (x)

Lemma

Evolution domain axiomatizable

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 9 / 29

Soundness

Theorem (Soundness)

dL calculus is sound, i.e., all provable dL formulas are valid: ⊢ φ implies φ What about the converse?

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 10 / 29

Soundness

Theorem (Soundness)

dL calculus is sound, i.e., all provable dL formulas are valid: ⊢ φ implies φ What about the converse? (s := s + 2n + 1; n := n + 1)∗

• s = n2

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 10 / 29

Soundness

Theorem (Soundness)

dL calculus is sound, i.e., all provable dL formulas are valid: ⊢ φ implies φ What about the converse? (s := s + 2n + 1; n := n + 1)∗

• s = n2

x′ = 5

• x(t) = 5t + x0

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 10 / 29

Soundness

Theorem (Soundness)

dL calculus is sound, i.e., all provable dL formulas are valid: ⊢ φ implies φ What about the converse? (s := s + 2n + 1; n := n + 1)∗

• s = n2

x′ = 5

• x(t) = 5t + x0

x′ = x

• x(t) = x0et

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 10 / 29

Soundness

Theorem (Soundness)

dL calculus is sound, i.e., all provable dL formulas are valid: ⊢ φ implies φ What about the converse? (s := s + 2n + 1; n := n + 1)∗

• s = n2

x′ = 5

• x(t) = 5t + x0

x′ = x

• x(t) = x0et

x′′ = −x

• x(t) = x0 cos t + x′

0 sin t

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 10 / 29

Continuous Completeness

Theorem (Relative Completeness / Continuous)

dL calculus is a sound & complete axiomatization of hybrid systems relative to differential equations.

Proof Outline

φ iff TautFOD ⊢ φ

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 11 / 29

Continuous Completeness

Theorem (Relative Completeness / Continuous)

dL calculus is a sound & complete axiomatization of hybrid systems relative to differential equations.

Proof Outline

φ iff TautFOD ⊢ φ FOD = FOL + [x′ = f (x)]F

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 11 / 29

Continuous Completeness

Theorem (Relative Completeness / Continuous)

dL calculus is a sound & complete axiomatization of hybrid systems relative to differential equations.

Proof Outline

φ iff TautFOD ⊢ φ

Corollary (Proof-theoretical Alignment)

proving hybrid systems = proving continuous dynamical systems!

Corollary (Compositionality)

hybrid systems can be verified by recursive decomposition

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 11 / 29

Discrete Completeness

Theorem (Relative Completeness / Continuous)

dL calculus is a sound & complete axiomatization of hybrid systems relative to differential equations.

Proof Outline

φ iff TautFOD ⊢ φ

Theorem (Relative Completeness / Discrete)

dL calculus is a sound & complete axiomatization of hybrid systems relative to discrete dynamics.

Proof Outline

φ iff TautDL ⊢ φ

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 12 / 29

Discrete Completeness

Theorem (Relative Completeness / Continuous)

dL calculus is a sound & complete axiomatization of hybrid systems relative to differential equations.

Proof Outline

φ iff TautFOD ⊢ φ

Theorem (Relative Completeness / Discrete)

dL calculus is a sound & complete axiomatization of hybrid systems relative to discrete dynamics.

Proof Outline

φ iff TautDL ⊢ φ

Corollary (Complete Proof-theoretical Alignment)

hybrid = continuous = discrete

Corollary (Interdisciplinary Integrability)

“Discrete computer science + continuous control are integrable”

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 12 / 29

Proof of “hybrid = continuous = discrete”

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 13 / 29

Continuous Dynamics = Discrete Dynamics

[x′ = x 4]F t t0 x 1

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 14 / 29

Continuous Dynamics = Discrete Dynamics

[x′ = x 4]F [(x := x + hx 4)

∗

]F t t0 x 1 4 2 h = 4

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 14 / 29

Continuous Dynamics = Discrete Dynamics

[x′ = x 4]F ⇒ [(x := x + hx 4)

∗

]F t t0 x 1 ¬F 4 2 h = 4

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 14 / 29

Continuous Dynamics = Discrete Dynamics

[x′ = x 4]F [(x := x + hx 4)

∗

]F t t0 x 1 ¬F 4 h = 4 2 4 6 1 1.5 2.25 3.375 h = 2

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 14 / 29

Continuous Dynamics = Discrete Dynamics

[x′ = x 4]F [(x := x + hx 4)

∗

]F t t0 x 1 ¬F 4 h = 4 2 4 6 h = 2 1 2 3 4 5 6 1 1.25 1.56 1.95 2.44 3.05 3.81 4.76 h = 1

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 14 / 29

Continuous Dynamics = Discrete Dynamics

[x′ = x 4]F [(x := x + hx 4)

∗

]F t t0 x 1 ¬F 4 h = 4 2 4 6 h = 2 1 2 3 4 5 6 h = 1 h = 1

2

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 14 / 29

Continuous Dynamics = Discrete Dynamics

[x′ = x 4]F vs. [(x := x + hx 4)

∗

]F t t0 x 1 ¬F 4 h = 4 2 4 6 h = 2 1 2 3 4 5 6 h = 1 h = 1

2

e

t 4 Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 14 / 29

Continuous Dynamics = Discrete Dynamics

[x′ = x 4]F ⇒ [(x := x + hx 4)

∗

]F t t0 x 1 ¬F 4 h = 4 2 4 6 h = 2 1 2 3 4 5 6 h = 1 h = 1

2

e

t 4 Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 14 / 29

Continuous Dynamics = Discrete Dynamics

[x′ = x 4]F ⇐ [(x := x + hx 4)

∗

]F t t0 x 1 ¬F ¬F 4 h = 4 2 4 6 h = 2 1 2 3 4 5 6 h = 1 h = 1

2

e

t 4 Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 14 / 29

Discrete Euler Approximation Axiom ← − ∆

← − ∆ [x′ = f (x)]F ← ∃h0>0 ∀0<h<h0 [(x := x + hf (x))∗]F

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 15 / 29

Discrete Euler Approximation Axiom ← − ∆

← − ∆ [x′ = f (x)]F ← ∃h0>0 ∀0<h<h0 [(x := x + hf (x))∗]F

Example (Insufficient, not global)

x2 + y2 ≤ 1.1 → [x′ = y, y′ = −x]x2 + y2 ≤ 1.1

10 5 5 x 5 5 10 y 2 4 6 8 10 12 t 10 5 5 10 x y

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 15 / 29

Discrete Euler Approximation Axiom ← − ∆

← − ∆ [x′ = f (x)]F ← ∃h0>0 ∀0<h<h0 [(x := x + hf (x))∗]F (closed)

Example (Unsound for open F, only in closure)

x = 1 ∧ y = 0 → [x′ = y, y′ = −x](x ≤ 0 → x2 + y2 > 1)

10 5 5 x 5 5 10 y 2 4 6 8 10 12 t 10 5 5 10 x y

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 15 / 29

Discrete Euler Approximation Axiom ← − ∆

← − ∆ [x′ = f (x)]F ← ∃h0>0 ∀0<h<h0 [(x := x + hf (x))∗]F (closed)

Example (Insufficient, not global)

x2 + y2 ≤ 1.1 → [x′ = y, y′ = −x]x2 + y2 ≤ 1.1

10 5 5 x 5 5 10 y 2 4 6 8 10 12 t 10 5 5 10 x y

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 15 / 29

Discrete Euler Approximation Axiom − → ∆ t′ = −1

− → ∆ [x′ = f (x)]F → ∀t≥0 ∃h0>0 ∀0<h<h0 [(x := x + hf (x))∗](t ≥ 0 → F)

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 16 / 29

Discrete Euler Approximation Axiom − → ∆ t′ = −1

− → ∆ [x′ = f (x)]F → ∀t≥0 ∃h0>0 ∀0<h<h0 [(x := x + hf (x))∗](t ≥ 0 → F)

Example (Converse unsound for open F ← − ∆ for closed F)

x = 1 ∧ y = 0 → [x′ = y, y′ = −x](x ≤ 0 → x2 + y2 > 1)

10 5 5 x 5 5 10 y 2 4 6 8 10 12 t 10 5 5 10 x y

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 16 / 29

Discrete Euler Approximation Axiom − → ∆ t′ = −1

− → ∆ [x′ = f (x)]F → ∀t≥0 ∃h0>0 ∀0<h<h0 [(x := x + hf (x))∗](t ≥ 0 → F) (open)

Example (Unsound for closed F, only holds in the limit)

x2 + y2 = 1 → [x′ = y, y′ = −x]x2 + y2 = 1

10 5 5 x 5 5 10 y 2 4 6 8 10 12 t 10 5 5 10 x y

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 16 / 29

Discrete Euler Approximation Axiom ← → ∆ t′ = −1

← → ∆ [x′ = f (x)]F ↔ ∀t≥0∃ε>0∃h0>0∀0<h<h0[(x := x+hf (x))∗]

• t≥0→¬Uε(¬F)
• Andr´

e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 17 / 29

Discrete Euler Approximation Axiom ← → ∆ t′ = −1

← → ∆ [x′ = f (x)]F ↔ ∀t≥0∃ε>0∃h0>0∀0<h<h0[(x := x+hf (x))∗]

• t≥0→¬Uε(¬F)
• Example ()

x2 + y2 < 1.1 → [x′ = y, y′ = −x]x2 + y2 < 1.1

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 17 / 29

Discrete Euler Approximation Axiom ← → ∆ t′ = −1

← → ∆ [x′ = f (x)]F ↔ ∀t≥0∃ε>0∃h0>0∀0<h<h0[(x := x+hf (x))∗]

• t≥0→¬Uε(¬F)
• Example (Insufficient for closed F)

x2 + y2 ≤ 1 → [x′ = y, y′ = −x]x2 + y2 ≤ 1

10 5 5 x 5 5 10 y 2 4 6 8 10 12 t 10 5 5 10 x y

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 17 / 29

Discrete Euler Approximation Axiom ← → ∆ t′ = −1

← → ∆ [x′ = f (x)]F (open) ↔ ∀t≥0∃ε>0∃h0>0∀0<h<h0[(x := x+hf (x))∗]

• t≥0→¬Uε(¬F)
• Example (Insufficient for closed F)

x2 + y2 ≤ 1 → [x′ = y, y′ = −x]x2 + y2 ≤ 1

10 5 5 x 5 5 10 y 2 4 6 8 10 12 t 10 5 5 10 x y

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 17 / 29

← → ∆ Proof: Partial Covering for Solution, Approximation

2 4 6 8 20 20 40 60 80 100

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 18 / 29

← → ∆ Proof: Partial Covering for Solution, Approximation

2 4 6 8 20 20 40 60 80 100

domain for error bound covering of neighborhoods has finite subcovering since x([0, t]) compact

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 18 / 29

← → ∆ Proof: Partial Covering for Solution, Approximation

2 4 6 8 20 20 40 60 80 100

domain for error bound covering of neighborhoods has finite subcovering since x([0, t]) compact ⇒ ε neighborhoods safe

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 18 / 29

← → ∆ axiom for open F, but F may be closed

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 19 / 29

Discrete Euler Approximation Axiom ← → ∆ x′

0 = −1

← → ∆ [x′ = f (x)]F (open) ↔ ∀t≥0∃ε>0∃h0>0∀0<h<h0[(x := x+hf (x))∗]

• t≥0→¬Uε(¬F)
• Example (Insufficient for closed F)

x2 + y2 ≤ 1 → [x′ = y, y′ = −x]x2 + y2 ≤ 1

10 5 5 x 5 5 10 y 2 4 6 8 10 12 t 10 5 5 10 x y

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 20 / 29

Closed Discrete Completeness (derivable)

˚ U [x′ = f (x)]F ↔ ∀ˇ ε>0 [x′ = f (x)]Uˇ

ε(F)

( ⇐ B,V,G,K)

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 21 / 29

Closed Discrete Completeness (derivable)

˚ U [x′ = f (x)]F ↔ ∀ˇ ε>0 [x′ = f (x)]Uˇ

ε(F)

( ⇐ B,V,G,K)

Example (Closed Quantified Open)

x2 + y2 ≤ 1 → [x′ = y, y′ = −x]x2 + y2 ≤ 1

10 5 5 x 5 5 10 y 2 4 6 8 10 12 t 10 5 5 10 x y

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 21 / 29

Closed Discrete Completeness (derivable)

˚ U [x′ = f (x)]F ↔ ∀ˇ ε>0 [x′ = f (x)]Uˇ

ε(F)

( ⇐ B,V,G,K)

Example (Closed Quantified Open)

x2 + y2 ≤ 1 → [x′ = y, y′ = −x]∀ˇ ε>0 x2 + y2 < 1 + ˇ ε

10 5 5 x 5 5 10 y 2 4 6 8 10 12 t 10 5 5 10 x y

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 21 / 29

Closed Discrete Completeness (derivable)

˚ U [x′ = f (x)]F ↔ ∀ˇ ε>0 [x′ = f (x)]Uˇ

ε(F)

( ⇐ B,V,G,K)

Example (Closed Quantified Open)

x2 + y2 ≤ 1 → ∀ˇ ε>0 [x′ = y, y′ = −x]x2 + y2 < 1 + ˇ ε

10 5 5 x 5 5 10 y 2 4 6 8 10 12 t 10 5 5 10 x y

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 21 / 29

← → ∆ axiom for open/closed F, but otherwise?

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 22 / 29

Locally Closed Discrete Completeness (derivable)

Example (Locally Closed Open, Closed)

O ∧ C → [x′ = y, y′ = −x](O ∧ C)

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 23 / 29

Locally Closed Discrete Completeness (derivable)

[]∧ [α](O ∧ C) ↔ [α]O ∧ [α]C ( ⇐ K)

Example (Locally Closed Open, Closed)

O ∧ C → [x′ = y, y′ = −x](O ∧ C)

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 23 / 29

Locally Closed Discrete Completeness (derivable)

[]∧ [α](O ∧ C) ↔ [α]O ∧ [α]C ( ⇐ K)

Example (Locally Closed Open, Closed)

O ∧ C → [x′ = y, y′ = −x]O ∧ [x′ = y, y′ = −x]C

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 23 / 29

Semialgebraic Discrete Completeness (derivable)

ˇ U [x′ = f (x)](O ∨ C) ↔ ∀ˇ ε>0 [x′ = f (x)](O ∨ Uˇ

ε(C))

( ⇐ B,V,G,K)

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 24 / 29

Semialgebraic Discrete Completeness (derivable)

ˇ U [x′ = f (x)](O ∨ C) ↔ ∀ˇ ε>0 [x′ = f (x)](O ∨ Uˇ

ε(C))

( ⇐ B,V,G,K)

Example ((Open ∨ Closed) Quantified Open)

O ∨ C → [x′ = y, y′ = −x](O ∨ C)

10 5 5 x 5 5 10 y 2 4 6 8 10 12 t 10 5 5 10 x y

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 24 / 29

Semialgebraic Discrete Completeness (derivable)

ˇ U [x′ = f (x)](O ∨ C) ↔ ∀ˇ ε>0 [x′ = f (x)](O ∨ Uˇ

ε(C))

( ⇐ B,V,G,K)

Example ((Open ∨ Closed) Quantified Open)

O ∨ C → [x′ = y, y′ = −x](O ∨ ∀ˇ ε>0 Uˇ

ε(C))

10 5 5 x 5 5 10 y 2 4 6 8 10 12 t 10 5 5 10 x y

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 24 / 29

Semialgebraic Discrete Completeness (derivable)

ˇ U [x′ = f (x)](O ∨ C) ↔ ∀ˇ ε>0 [x′ = f (x)](O ∨ Uˇ

ε(C))

( ⇐ B,V,G,K)

Example ((Open ∨ Closed) Quantified Open)

O ∨ C → [x′ = y, y′ = −x]∀ˇ ε>0 (O ∨ Uˇ

ε(C))

10 5 5 x 5 5 10 y 2 4 6 8 10 12 t 10 5 5 10 x y

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 24 / 29

Semialgebraic Discrete Completeness (derivable)

ˇ U [x′ = f (x)](O ∨ C) ↔ ∀ˇ ε>0 [x′ = f (x)](O ∨ Uˇ

ε(C))

( ⇐ B,V,G,K)

Example ((Open ∨ Closed) Quantified Open)

O ∨ C → ∀ˇ ε>0 [x′ = y, y′ = −x](O ∨ Uˇ

ε(C))

10 5 5 x 5 5 10 y 2 4 6 8 10 12 t 10 5 5 10 x y

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 24 / 29

← → ∆ axiom for semialgebraic F, but otherwise?

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 25 / 29

Discrete Completeness

Theorem (Relative Completeness / Continuous)

dL calculus is a sound & complete axiomatization of hybrid systems relative to differential equations.

Proof Outline 6p

φ implies TautFOD ⊢ φ

Theorem (Relative Completeness / Discrete)

dL calculus +← → ∆ is a sound & complete axiomatization of hybrid systems relative to discrete dynamics.

Proof Outline +5p

φ implies TautDL ⊢ φ

Proof Sketch.

Talked about 0-order semialgebraic Paper proves ∀, ∃ . . . Paper proves [α], α with hybrid system α . . . Paper proves nesting . . .

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 26 / 29

Equi-expressibility

Theorem (Equi-expressibility)

dL (constructively) expressible in FOD and in DL: ∀ ∀φ ∃ ∃φ♭ ∈ FOD φ ↔ φ♭ ∀ ∀φ ∃ ∃φ# ∈ DL φ ↔ φ# hybrid discrete continuous

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 27 / 29

Equi-expressibility

Theorem (Equi-expressibility)

dL (constructively) expressible in FOD and in DL: ∀ ∀φ ∃ ∃φ♭ ∈ FOD φ ↔ φ♭ ∀ ∀φ ∃ ∃φ# ∈ DL φ ↔ φ# hybrid discrete continuous

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 27 / 29

Equi-expressibility

Theorem (Equi-expressibility)

dL (constructively) expressible in FOD and in DL: ∀ ∀φ ∃ ∃φ♭ ∈ FOD φ ↔ φ♭ ∀ ∀φ ∃ ∃φ# ∈ DL φ ↔ φ# hybrid discrete continuous

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 27 / 29

Equi-expressibility

Theorem (Equi-expressibility)

dL (constructively) expressible in FOD and in DL: ∀ ∀φ ∃ ∃φ♭ ∈ FOD φ ↔ φ♭ ∀ ∀φ ∃ ∃φ# ∈ DL φ ↔ φ# hybrid discrete continuous

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 27 / 29

Equi-expressibility

Theorem (Equi-expressibility)

dL (constructively) expressible in FOD and in DL: ∀ ∀φ ∃ ∃φ♭ ∈ FOD φ ↔ φ♭ ∀ ∀φ ∃ ∃φ# ∈ DL φ ↔ φ# hybrid discrete continuous

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 27 / 29

Equi-expressibility

Theorem (Equi-expressibility)

dL (constructively) expressible in FOD and in DL: ∀ ∀φ ∃ ∃φ♭ ∈ FOD φ ↔ φ♭ ∀ ∀φ ∃ ∃φ# ∈ DL φ ↔ φ# hybrid discrete continuous

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 27 / 29

Equi-expressibility

Theorem (Equi-expressibility)

dL (constructively) expressible in FOD and in DL: ∀ ∀φ ∃ ∃φ♭ ∈ FOD φ ↔ φ♭ ∀ ∀φ ∃ ∃φ# ∈ DL φ ↔ φ# hybrid discrete continuous

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 27 / 29

Equi-expressibility

Theorem (Equi-expressibility)

dL (constructively) expressible in FOD and in DL: ∀ ∀φ ∃ ∃φ♭ ∈ FOD φ ↔ φ♭ ∀ ∀φ ∃ ∃φ# ∈ DL φ ↔ φ# hybrid discrete continuous

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 27 / 29

Relative Decidability

Theorem (Relative Decidability)

Validity of dL sentences is decidable relative to FOD or DL.

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 28 / 29

The Complete Proof Theory of Hybrid Systems

differential dynamic logic

dL = DL + HP [α]φ φ α

proof-theoretical alignment

hybrid = continuous = discrete

System Continuous Discrete Hybrid

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 29 / 29

The Complete Proof Theory of Hybrid Systems

differential dynamic logic

dL = DL + HP [α]φ φ α

proof-theoretical alignment

hybrid = continuous = discrete

System Continuous Discrete Hybrid Hybrid Theory Discrete Theory Contin. Theory

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 29 / 29

Andr´ e Platzer. The complete proof theory of hybrid systems. LICS, pages 541–550. IEEE 2012. Andr´ e Platzer. Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics. Springer, 2010. Andr´ e Platzer. Differential dynamic logic for hybrid systems.

• J. Autom. Reas., 41(2):143–189, 2008.

Andr´ e Platzer. Differential-algebraic dynamic logic for differential-algebraic programs.

• J. Log. Comput., 35(1): 309–352, 2010.

Andr´ e Platzer and Edmund M. Clarke. The image computation problem in hybrid systems model checking. In A. Bemporad, A. Bicchi, and G. Buttazzo, editors, HSCC, volume 4416 of LNCS, pages 473–486. Springer, 2007.

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 1 / 1

Proof by Symbolic Decomposition

v w x := f (x)φ x := f (x) φ

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 1 / 1

Proof by Symbolic Decomposition

v w x := f (x)φ φf (x)

x

x := f (x) φ

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 1 / 1

Proof by Symbolic Decomposition

v w x := f (x)φ φf (x)

x

x := f (x) φ v w x′ = f (x)φ x′ = f (x) φ

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 1 / 1

Proof by Symbolic Decomposition

v w x := f (x)φ φf (x)

x

x := f (x) φ v w x′ = f (x)φ ∃t≥0 x := yx(t)φ x′ = f (x) φ

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 1 / 1

Proof by Symbolic Decomposition

v w x := f (x)φ φf (x)

x

x := f (x) φ v w x′ = f (x)φ ∃t≥0 x := yx(t)φ x′ = f (x) φ x := yx(t)

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 1 / 1

Proof by Symbolic Decomposition

v w1 w2 [α ∪ β]φ α φ β φ α ∪ β

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 1 / 1

Proof by Symbolic Decomposition

v w1 w2 [α ∪ β]φ [α]φ ∧ [β]φ α φ β φ α ∪ β

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 1 / 1

Proof by Symbolic Decomposition

v w1 w2 [α ∪ β]φ [α]φ ∧ [β]φ α φ β φ α ∪ β v s w α; β [α; β]φ α [β]φ β φ

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 1 / 1

Proof by Symbolic Decomposition

v w1 w2 [α ∪ β]φ [α]φ ∧ [β]φ α φ β φ α ∪ β v s w α; β [α; β]φ [α][β]φ α [β]φ β φ

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 1 / 1

Proof by Symbolic Decomposition

v w1 w2 [α ∪ β]φ [α]φ ∧ [β]φ α φ β φ α ∪ β v s w α; β [α; β]φ [α][β]φ α [β]φ β φ v w α∗ [α∗]φ α φ → [α]φ α α φ

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 1 / 1

Proof by Symbolic Decomposition

v w1 w2 [α ∪ β]φ [α]φ ∧ [β]φ α φ β φ α ∪ β v s w α; β [α; β]φ [α][β]φ α [β]φ β φ v w α∗ [α∗]φ φ α φ → [α]φ α α φ

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 1 / 1

Proof by Symbolic Decomposition

v w1 w2 [α ∪ β]φ [α]φ ∧ [β]φ α φ β φ α ∪ β v s w α; β [α; β]φ [α][β]φ α [β]φ β φ v w α∗ [α∗]φ ∀cl(φ → [α]φ) ∧ φ α φ → [α]φ α α φ

Andr´ e Platzer (CMU) The Complete Proof Theory of Hybrid Systems LICS 1 / 1