Verified Cyber-Physical Systems [FM11] 2 Verified Cyber-Physical - - PowerPoint PPT Presentation

1

Sarah M. Loos and André Platzer Computer Science Department Carnegie Mellon University

Differential Refinement Logic

2

Verified Cyber-Physical Systems

[FM11]

3

[FM11, HSCC13]

xi xj p xk xl xm

Verified Cyber-Physical Systems

4

[FM11, ITSC11, ICCPS12, HSCC13, ITSC13]

xi xj p xk xl xm

Verified Cyber-Physical Systems

5

α ≤ β

Differential Refinement Logic (dRL)

Time-triggered vs. Event-triggered Verified Car Control

Roadmap

time∗ ≤ event∗

Proof Calculus

6

α ≤ β

Differential Refinement Logic (dRL)

Time-triggered vs. Event-triggered Verified Car Control

Roadmap

time∗ ≤ event∗

Proof Calculus

7

Refinement Relation

α ≤ β

8

Refinement Relation

α ≤ β

• (?φ; a := ∗ ∪ a := −B); x00 = a

⇤

• (?φ; a := θ ∪ a := −B); x00 = a & ψ

⇤

9

Refinement Relation

α ≤ β

• (?φ; a := ∗ ∪ a := −B); x00 = a

⇤

• (?φ; a := θ ∪ a := −B); x00 = a & ψ

⇤

10

Refinement Relation

α ≤ β

• (?φ; a := ∗ ∪ a := −B); x00 = a

⇤

• (?φ; a := θ ∪ a := −B); x00 = a & ψ

⇤

11

Refinement Relation

α ≤ β

• (?φ; a := ∗ ∪ a := −B); x00 = a

⇤

• (?φ; a := θ ∪ a := −B); x00 = a & ψ

⇤

12

Refinement Relation

α ≤ β

• (?φ; a := ∗ ∪ a := −B); x00 = a

⇤

• (?φ; a := θ ∪ a := −B); x00 = a & ψ

⇤

α ≤

13

Syntax of a dRL formula:

φ, ψ ::= θ1  θ2 | ¬φ | φ ^ ψ | 8xφ FOLR

So, what does dRL look like exactly?

14

Syntax of a dRL formula:

φ, ψ ::= θ1  θ2 | ¬φ | φ ^ ψ | 8xφ φ | [α]φ | hαiφ

So, what does dRL look like exactly?

dL

15

Syntax of a dRL formula:

φ, ψ ::= θ1  θ2 | ¬φ | φ ^ ψ | 8xφ φ | [α]φ | hαiφ φ | α  β + refinement

So, what does dRL look like exactly?

16

Syntax of a dRL formula: Syntax of a hybrid program:

φ, ψ ::= θ1  θ2 | ¬φ | φ ^ ψ | 8xφ φ | [α]φ | hαiφ φ | α  β

So, what does dRL look like exactly?

17

Syntax of a dRL formula: Syntax of a hybrid program:

φ, ψ ::= θ1  θ2 | ¬φ | φ ^ ψ | 8xφ φ | [α]φ | hαiφ φ | α  β ψ | α ∪ β | α; β | α⇤ α, β ::= x := θ | x0 = θ & ψ | ?ψ

So, what does dRL look like exactly?

18

Syntax of a dRL formula: Syntax of a hybrid program:

φ, ψ ::= θ1  θ2 | ¬φ | φ ^ ψ | 8xφ φ | [α]φ | hαiφ φ | α  β ψ | α ∪ β | α; β | α⇤ α, β ::= x := θ | x0 = θ & ψ | ?ψ

So, what does dRL look like exactly?

dRL extends by adding refinement directly into the grammar of formulas

19

Hybrid P Programs model cyber-physical systems

v w

α

Semantics of hybrid programs ρ(α) = {(v, w) : when starting in state and

then following transitions of , state can be reached.

v α w

}

[Platzer08]

20

Semantics of hybrid programs

[Platzer08]

v w

ρ(x := θ) =

iff except for the value of

v = w ρ(x

21

Semantics of hybrid programs

[Platzer08]

v w

ρ(x := θ) =

iff except for the value of

v = w ρ(x

v

?ψ

Iff holds in state

| = ψ

v

22

Semantics of hybrid programs

[Platzer08]

v w

ρ(x := θ) =

iff except for the value of

v = w ρ(x

v

?ψ

Iff holds in state

| = ψ

v v w

x0 = θ

x := y(t)

If solves

y(t) x0 = θ

23

Semantics of hybrid programs

[Platzer08]

v w

ρ(x := θ) =

iff except for the value of

v = w ρ(x

v

?ψ

Iff holds in state

| = ψ

v v w

x0 = θ

x := y(t)

If solves

y(t) x0 = θ

v w

u α β α; β

24

Semantics of hybrid programs

[Platzer08]

v w

ρ(x := θ) =

iff except for the value of

v = w ρ(x

v

?ψ

Iff holds in state

| = ψ

v v w

x0 = θ

x := y(t)

If solves

y(t) x0 = θ

v w

u α β α; β

Etc…

25

Semantics of box modality

v | = [α]φ

Box Modality:

26

v

w1 w2 w3 v | = [α]φ

Box Modality:

φ φ

Semantics of box modality

α α

27

Refinement Relation:

v | = α ≤ β

Semantics of refinement

28

v

w1 w2 w3

Refinement Relation:

v | = α ≤ β

Semantics of refinement

α α

29

v

w1 w2 w3

Refinement Relation:

v | = α ≤ β ≤ β ≤ β ≤ β

Semantics of refinement

α α

30

v

w1 w2 w3

Refinement Relation:

v | = α ≤ β ≤ β ≤ β ≤ β

Semantics of refinement

α α

31

α ≤ β

Differential Refinement Logic (dRL)

Time-triggered vs. Event-triggered Verified Car Control

Roadmap

time∗ ≤ event∗

Proof Calculus

32

α ≤ β

Differential Refinement Logic (dRL)

Time-triggered vs. Event-triggered Verified Car Control

Roadmap

time∗ ≤ event∗

Proof Calculus

33

Combining refinement and box modality

34

Combining refinement and box modality

v

v | = G, v 6| = D for all G ∈ Γ, D ∈ ∆

35

v

w1 w2 w3

Combining refinement and box modality

v | = G, v 6| = D for all G ∈ Γ, D ∈ ∆

α α

36

v

w1 w2 w3 ≤ β ≤ β ≤ β

Combining refinement and box modality

v | = G, v 6| = D for all G ∈ Γ, D ∈ ∆

α α

37

v

w1 w2 w3 ≤ β ≤ β ≤ β

Combining refinement and box modality

v | = G, v 6| = D for all G ∈ Γ, D ∈ ∆

α α

38

v

w1 w2 w3 ≤ β ≤ β ≤ β

Combining refinement and box modality

φ φ φ v | = G, v 6| = D for all G ∈ Γ, D ∈ ∆

α α

39

v

w1 w2 w3 ≤ β ≤ β ≤ β φ φ

Combining refinement and box modality

v | = G, v 6| = D for all G ∈ Γ, D ∈ ∆ φ

α α

40

v w

Sequential Composition

α1; β1

41

v w

Sequential Composition

α1; β1

hi α2; β2?

42

v w

Sequential Composition

α1; β1

43

v w

u

Sequential Composition

α1; β1 α1 β1

44

v w

u

Sequential Composition

α1; β1 α1 β1 α2

45

v w

u

Sequential Composition

α1; β1 α1 β1 α2 β2?

46

v w

u

Sequential Composition

α1; β1 α1 β1 α2 β2

✗

47

v w

u

Sequential Composition

α1; β1 α1 β1 α2 β2

48

v w

u

Sequential Composition

α1; β1 α1 β1 α2 β2

49

v w

u

Sequential Composition

α1; β1 α1 β1 α2 β2

hi α2; β2

50

Differential Equations ? (x0 = 1) ≤ (x0 = 9)

51

Differential Equations x ∈ [x0, ∞) ? (x0 = 1) ≤ (x0 = 9)

52

Differential Equations x ∈ [x0, ∞) x ∈ [x0, ∞) ? (x0 = 1) ≤ (x0 = 9)

53

Differential Equations x ∈ [x0, ∞) x ∈ [x0, ∞) ? (x0 = 1) ≤ (x0 = 9) x0 =

54

Differential Equations

55

Differential Equations

• 1.0
• 0.5

0.0 0.5 1.0

• 1.0
• 0.5

0.0 0.5 1.0

• 1.0
• 0.5

0.0 0.5 1.0

• 1.0
• 0.5

0.0 0.5 1.0

56

• 1.0
• 0.5

0.0 0.5 1.0

• 1.0
• 0.5

0.0 0.5 1.0

• 1.0
• 0.5

0.0 0.5 1.0

• 1.0
• 0.5

0.0 0.5 1.0

Differential Equations

• 1.0
• 0.5

0.0 0.5 1.0

• 1.0
• 0.5

0.0 0.5 1.0

• 1.0
• 0.5

0.0 0.5 1.0

• 1.0
• 0.5

0.0 0.5 1.0

=

57

Differential Equations

• 1.0
• 0.5

0.0 0.5 1.0

• 1.0
• 0.5

0.0 0.5 1.0

• 1.0
• 0.5

0.0 0.5 1.0

• 1.0
• 0.5

0.0 0.5 1.0

58

α ≤ β

Differential Refinement Logic (dRL)

Time-triggered vs. Event-triggered Verified Car Control

Roadmap

time∗ ≤ event∗

Proof Calculus

59

α ≤ β

Differential Refinement Logic (dRL)

Time-triggered vs. Event-triggered Verified Car Control

Roadmap

time∗ ≤ event∗

Proof Calculus

60

Two Modeling Paradigms

Time-triggered

Discrete sensing

Event-triggered

Continuous sensing

61

Two Modeling Paradigms

Time-triggered

Discrete sensing

Event-triggered

Continuous sensing

62

Two Modeling Paradigms

Time-triggered

Discrete sensing Realistic, easy to implement Difficult to design controllers Challenging to verify

Event-triggered

Continuous sensing Unrealistic, hard to implement Easier to design controllers Easier to verify

63

Two Modeling Paradigms

Time-triggered

Discrete sensing Realistic, easy to implement Difficult to design controllers Challenging to verify

Event-triggered

Continuous sensing Unrealistic, hard to implement Easier to design controllers Easier to verify

α ≤

64

α ≤ β

Differential Refinement Logic (dRL)

Time-triggered vs. Event-triggered Verified Car Control

Roadmap

time∗ ≤ event∗

Proof Calculus

65

α ≤ β

Differential Refinement Logic (dRL)

Time-triggered vs. Event-triggered Verified Car Control

Roadmap

time∗ ≤ event∗

Proof Calculus

66

Local Lane Control using Refinement

Time-triggered [FM11] Event-triggered

Controllers satisfy refinement “Brake” for epsilon time “Accelerate” for epsilon time

Time-triggered (dRL)

67

Contributions

Differential Refinement Logic

Maintains a modular and hierarchical proof structure Abstracts implementation-specific designs Leverages iterative system design Prove time-triggered model refines event-triggered Encouraging evidence of reduced user interaction and

computation time

68

Appendix

69

We have proved that the refinement relation can be embedded in dL. As a result, dL and dRL are equivalent in terms of expressibility and provability.

Comparing dRL and dL

However, we can analyze dRL on familiar (challenging) case

• studies. We can consider:
• Number of proof steps
• Computation time
• Qualitative difficulty to complete proof
• Proof structure

70

Semantics of hybrid programs

[Platzer08]

ρ(x := θ) = ) = {(v, w) : w = v except [[x]]w = [[θ]]v}

v w

ρ(x := θ) =

iff except for the value of

v = w ρ(x

v

?ψ

Iff holds in state

| = ψ

v v w

x0 = θ

x := y(t)

ρ(x0 = θ) = {(ϕ(0), ϕ(t)) : ϕ(s) | = x0 = θ for all 0 ≤ s ≤ t}

ρ(?ψ) = ) = {(v, v) : v | = ψ}

If solves

y(t) x0 = θ

71

Semantics of hybrid programs

[Platzer08]

v w

u α β α; β ρ(α; β) = {(v, w) : (v, u) ∈ ρ(α), ( ), (u, w) ∈ ρ(β)}

72

Combining refinement and diamond modality

73

Nondeterministic Assignment

74

ρ(x := θ) = vJθKv

x

vJ

x

Nondeterministic Assignment

75

x := ∗

ρ(x := θ) = vJθKv

x

vJ

x

vJ

x

vd1

x

x := ∗ hi x : = ∗ h i

vd2

x

vd3

x

Nondeterministic Assignment

76

x := ∗

ρ(x := θ) = vJθKv

x

vJ

x

vJ

x

vd1

x

x := ∗ hi x : = ∗ h i

vd2

x

vd3

x

Nondeterministic Assignment

77

v w

α

…

α

α∗

Nondeterministic Repetition

α

78

v w

α

…

α

α∗

Nondeterministic Repetition

α β

79

v w

α

…

α

α∗

Nondeterministic Repetition

α β β?

80

v w

α

…

α

α∗

Nondeterministic Repetition

α β β?

81

v w

α

…

α

α∗

Nondeterministic Repetition

α β β

82

v w

α

…

α

α∗

Nondeterministic Repetition

α β β β?

83

v w

α

…

α

α∗

Nondeterministic Repetition

α β β β?

84

v w

α

…

α

α∗

Nondeterministic Repetition

α β β β

85

v w

α

…

α

α∗

Nondeterministic Repetition

α β β β β∗

86

Nondeterministic Repetition (KAT style)

87

Nondeterministic Repetition (KAT style)

…

v

w1 w2 w3 w4 β α α

88

Nondeterministic Repetition (KAT style)

…

v

w1 w2 w3 w4 β α α

89

Nondeterministic Repetition (KAT style)

…

v

w1 w2 w3 w4 β α α

90

Nondeterministic Repetition (KAT style)

…

v

w1 w2 w3 w4 β α α γ?

91

Nondeterministic Repetition (KAT style)

…

v

w1 w2 w3 w4 β α α γ?

92

Nondeterministic Repetition (KAT style)

…

v

w1 w2 w3 w4 β α α γ

93

Nondeterministic Repetition (KAT style)

…

v

w1 w2 w3 w4 β α α γ γ?

94

Nondeterministic Repetition (KAT style)

…

v

w1 w2 w3 w4 β α α γ γ?

95

Nondeterministic Repetition (KAT style)

…

v

w1 w2 w3 w4 β α α γ γ?

96

Nondeterministic Repetition (KAT style)

…

v

w1 w2 w3 w4 β α α γ γ

97

Nondeterministic Repetition (KAT style)

…

v

w1 w2 w3 w4 β α α γ γ γ …

98

Nondeterministic Repetition (KAT style)

…

v

w1 w2 w3 w4 β α α γ γ γ γ …

99

Nondeterministic Repetition (KAT style)

β

v

w1

…

w2 w3 w4 α α

100

Nondeterministic Repetition (KAT style)

β γ γ

…

v

γ w1 w2 w3 w4 γ

…

α α

101

Proof Tree

102

Proof Tree

^ ` H(x) ^ I ` [time∗]φ

H(x) ^ I ` [event∗]φ H(x) ^ I ` time∗  event∗

∗

[

103

Proof Tree

H(x) ^ I ` [event∗]φ H(x) ^ I ` time∗  event∗ H(x) ^ I ` [time∗]φ ([])

104

H(x) ^ I ` [event∗]φ H(x) ^ I ` time∗  event∗ H(x) ^ I ` [time∗]φ ([])

✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

Proof Tree

105

H(x) ^ I ` [event∗]φ H(x) ^ I ` time∗  event∗ H(x) ^ I ` [time∗]φ ([])

✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

Proof Tree

Open goals

106

Time-triggered is safe Event-triggered is safe

^ ` H(x) ^ I ` [time∗]φ

Controllers satisfy refinement

` Safeε ! Safe

“Braking” is safe for time “Accelerating” is safe for time

Safeε(Sa(0)) ^ 0  t  ε ` H(Sa(t)) ε ε

H(Sc(0)) ^ 0  t  ε ` H(Sc(t))

H(x) ^ I ` [event∗]φ H(x) ^ I ` time∗  event∗ H(x) ^ I ` [time∗]φ ([])

✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

Open goals

Proof Tree

107

Time-triggered is safe Event-triggered is safe

^ ` H(x) ^ I ` [time∗]φ

Controllers satisfy refinement

` Safeε ! Safe

“Braking” is safe for time “Accelerating” is safe for time

Safeε(Sa(0)) ^ 0  t  ε ` H(Sa(t)) ε ε

Proof Tree

dL

H(Sc(0)) ^ 0  t  ε ` H(Sc(t))

108

Time-triggered is safe

^ ` H(x) ^ I ` [time∗]φ

Controllers satisfy refinement

` Safeε ! Safe

“Braking” is safe for time “Accelerating” is safe for time

Safeε(Sa(0)) ^ 0  t  ε ` H(Sa(t)) ε ε

Proof Tree

FOLR FOLR

Event-triggered is safe

dL

H(Sc(0)) ^ 0  t  ε ` H(Sc(t))

FOLR

109

dRL Proof Rules: Partial Order

Reflexive: Transitive: Antisymmetric:

110

dRL Proof Rules: KAT

111

dRL Proof Rules: Differential Equations

112

dRL Proof Rules: Structural

113

v

?ψ

Iff holds in state

| = ψ

v

ρ(?ψ) = ) = {(v, v) : v | = ψ}

Test

114

v w

x0 = θ

x := y(t)

ρ(x0 = θ) = {(ϕ(0), ϕ(t)) : ϕ(s) | = x0 = θ for all 0 ≤ s ≤ t}

If solves

y(t) x0 = θ

Differential Refinement

115

dRL Proof Rules: Differential Equations

v w

x0 = θ

x := y(t)

116

Kleene Algebra with Tests (KAT)

[Kozen97]

Kleene algebra with tests is a system for

manipulating programs that are equivalent.

KAT doesn’t have continuous dynamics, but we can

see that it is still relevant to hybrid programs

117

Verifying a specific local lane controller

118

Verifying a specific local lane controller

119

Designing proof search heuristics that exploit

refinement to automatically create more hierarchical proof structures.

Shifting the proof responsibility completely to

determining refinement.

Code synthesis – verifying that refinement relation is

satisfied with each transformation step.

Additional dRL applications

120

Event-triggered vs. Time-triggered

Event-triggered Time-triggered

Continuous sensing Unrealistic, hard to implement Easier to design controllers Easier to verify Discrete sensing Realistic, easy to implement Difficult to design controllers Challenging to verify

(ctrl; dyn)∗

discrete controller continuous dynamics

121

Event-triggered vs. Time-triggered

Event-triggered Time-triggered

Continuous sensing Unrealistic, hard to implement Easier to design controllers Easier to verify Discrete sensing Realistic, easy to implement Difficult to design controllers Challenging to verify

(ctrl; x0 = θ)⇤

discrete controller continuous dynamics

122

Event-triggered vs. Time-triggered

Event-triggered Time-triggered

Continuous sensing Unrealistic, hard to implement Easier to design controllers Easier to verify Discrete sensing Realistic, easy to implement Difficult to design controllers Challenging to verify

discrete controller continuous dynamics

(ctrl; x0 = θ & H)⇤

123

Event-triggered vs. Time-triggered

Event-triggered Time-triggered

Continuous sensing Unrealistic, hard to implement Easier to design controllers Easier to verify Discrete sensing Realistic, easy to implement Difficult to design controllers Challenging to verify

discrete controller ?

(ctrl; x0 = θ & H)⇤

124

Event-triggered vs. Time-triggered

Event-triggered Time-triggered

Continuous sensing Unrealistic, hard to implement Easier to design controllers Easier to verify Discrete sensing Realistic, easy to implement Difficult to design controllers Challenging to verify

discrete controller ?

(ctrlt; x0 = θ & t & t ≤ ε)⇤

125

Event-triggered vs. Time-triggered

Event-triggered Time-triggered

Continuous sensing Unrealistic, hard to implement Easier to design controllers Easier to verify Discrete sensing Realistic, easy to implement Difficult to design controllers Challenging to verify

(ctrlt; x0 = θ & t & t ≤ ε)⇤

126

Event-triggered vs. Time-triggered

Event-triggered Time-triggered

Continuous sensing Unrealistic, hard to implement Easier to design controllers Easier to verify Discrete sensing Realistic, easy to implement Difficult to design controllers Challenging to verify

(ctrle; x0 = θ & & x + v2 2B ≤ S)⇤ (ctrlt; x0 = θ & t & t ≤ ε)⇤

127

Event-triggered vs. Time-triggered

Event-triggered Time-triggered

Continuous sensing Discrete sensing

(ctrle; x0 = θ & & x + v2 2B ≤ S)⇤ (ctrlt; x0 = θ & t & t ≤ ε)⇤

128

Event-triggered vs. Time-triggered

Event-triggered Time-triggered

Continuous sensing Discrete sensing

(ctrle; x0 = θ & & x + v2 2B ≤ S)⇤ (ctrlt; x0 = θ & t & t ≤ ε)⇤

& x + v2 2B ≤ S)

129

Event-triggered vs. Time-triggered

Event-triggered Time-triggered

Continuous sensing Discrete sensing

(ctrle; x0 = θ & & x + v2 2B ≤ S)⇤ (ctrlt; x0 = θ & t & t ≤ ε)⇤

& x + v2 2B ≤ S)

& t ≤ ε)

130

Event-triggered vs. Time-triggered

Event-triggered Time-triggered

Continuous sensing Discrete sensing

(ctrle; x0 = θ & & x + v2 2B ≤ S)⇤ (ctrlt; x0 = θ & t & t ≤ ε)⇤

& x + v2 2B ≤ S)

& t ≤ ε)

131

Event-triggered vs. Time-triggered

Event-triggered Time-triggered

Continuous sensing Discrete sensing

(ctrle; x0 = θ & & x + v2 2B ≤ S)⇤ (ctrlt; x0 = θ & t & t ≤ ε)⇤

& x + v2 2B ≤ S)

& t ≤ ε)

132

Event-triggered vs. Time-triggered

event-triggered time-triggered

; x0 = θ & E(x))⇤ ((?Safe; a := ∗) ∪ a := c; ; x0 = θ & t ≤ ε)⇤ ((?Safeε; a := ∗) ∪ a := c;

133

dRL Proof Rules: Independence

134

Motivation: Adaptive Cruise Control

135

Motivation: Adaptive Cruise Control

Low packet loss, small margin for error.

✗

✔

136

Motivation: Adaptive Cruise Control

✔

✗

Low packet loss, small margin for error. High packet loss, large margin for error.

✗

✔

137

Efficiency Analysis of ACC

1 2 3 4 5 6 7 8 9 10 0.4 0.5 0.6 0.7 0.8 0.9 1

Timeout T (seconds) Efficiency Controller efficiency Effa f Reception probability Effre c Overall effiency Eff

Eff(T ) =

Effassist(T ) = Effaf (T ) =

138

Modular Proof for Distributed Aircraft

8i 6= j : A

A kx(i) x(j)k p

To Prove:

Safe separation of aircraft.

xHiL xHjL p H L

xHiL xHiL xHiL xHjL p H L

dHiL dHjL p

= ⇒

xHiL xHiL

= ⇒

8i 6= j : A

∧

8 6 kd(i) d(j)k 2r + p

8i : A

8 kx(i) d(i)k  r

∧

139

“How can we provide people with cyber-physical systems they can bet their lives on?”

• - Jeanette Wing

140

Di Different ntial Dyna l Dynami mic L Logic: : Axioma matization

[:=] [x := θ]φ(x) ↔ φ(θ)

[Platzer08]

141

α ≤ β

Differential Refinement Logic (dRL)

• Proof rules
• Examples

Time-triggered vs. Event-triggered

event∗ time∗

Verified Car Control

Roadmap

Iterative System Design

?Event ?Time

x := ∗; x := ∗; x := θ

142

α ≤ β

Differential Refinement Logic (dRL)

• Proof rules
• Examples

Time-triggered vs. Event-triggered

event∗ time∗

Verified Car Control

Roadmap

Iterative System Design

?Event ?Time

x := ∗; x := ∗; x := θ

143

Verifying a specific local lane controller

144

Verifying a specific local lane controller

safeθ ≡

! + Ki(z) + Kd(vl − vf) ≡ af := Kp (xl − xf) − ⇣v2 2b − v2 2b + (A b + 1)(A 2 ε2 + εv) ⌘!

145

Verifying a specific local lane controller

safeθ ≡

af := θ

146

Verifying a specific local lane controller

safeθ ≡ af := θ

147

Verifying a specific local lane controller −B ≤ θ ≤ A (θ > −b) → Safeε

safeθ ≡ af := θ

148

α ≤ β

Differential Refinement Logic (dRL)

• Proof rules
• Examples

Time-triggered vs. Event-triggered

event∗ time∗

Verified Car Control

Roadmap

Iterative System Design

?Event ?Time

x := ∗; x := ∗; x := θ

149

How Can We Prove Distributed Airspace?

150

How Can We Prove Distributed Airspace?

Sensor limits on aircraft are local.

151

How Can We Prove Distributed Airspace?

Sensor limits on aircraft are local.

152

How Can We Prove Distributed Airspace?

Sensor limits on aircraft are local.

153

How Can We Prove Distributed Airspace?

Sensor limits on aircraft are local. Sometimes a maneuver may look safe locally…

154

Sometimes a maneuver may look safe locally…

How Can We Prove Distributed Airspace?

Sensor limits on aircraft are local.

155 But is a terrible idea when implemented globally.

Sometimes a maneuver may look safe locally…

How Can We Prove Distributed Airspace?

Sensor limits on aircraft are local.

156 But is a terrible idea when implemented globally.

Sometimes a maneuver may look safe locally…

How Can We Prove Distributed Airspace?

Sensor limits on aircraft are local.

157 But is a terrible idea when implemented globally.

Sometimes a maneuver may look safe locally…

How Can We Prove Distributed Airspace?

Sensor limits on aircraft are local.

158 But is a terrible idea when implemented globally.

Sometimes a maneuver may look safe locally…

How Can We Prove Distributed Airspace?

Sensor limits on aircraft are local.

!

159

Assumptions and Requirements

• Safety: At all times, the aircraft must be separated by

distance greater than p.

• Aircraft trajectories must always be flyable.
• An arbitrary number of aircraft may enter the maneuver

at any time.

Requireme ment nts

• Aircraft maintain constant velocity.
• Sensors are accurate and have no delay.
• Collision avoidance maneuvers are executed on the 2D plane.

Assumptions ns

160

2 4 6 8 10 t 0.2 0.4 0.6 0.8 1.0

d

2 4 6 8 10 t 1 2 3

p

2 4 6 8 10 t 0.2 0.1 0.1 0.2 0.3 0.4 0.5

Ω

d2

Hyb ybrid Dyna Dynami mics

d1 P1 P2

1 2 3 4 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

P2 P1

Aircraft are controlled by steering, through discrete changes in angular velocity .

0.5

Ω

161

• Leaves maneuverability to pilot discretion.
• Requires large buffer disc.
• Requires aircraft to return to the center of the

disc before completing avoidance maneuver.

2

m i n r

• i
• m

i n r

• i
• di

xi disci

Big Disc Control

[LoosRP13]

162

Big Disc Control

2

m i n r

• i
• m

i n r

• i
• di

xi disci

To Prove:

Init → [BigDisc]Safe

163

Big Disc Control

2

m i n r

• i
• m

i n r

• i
• di

xi disci

To Prove:

Init → [BigDisc]Safe

Safe ⌘ ( ⌘ (8i, j : A i 6= j ! k ! kx(i) x(j)k p)

164

Big Disc Control

2

m i n r

• i
• m

i n r

• i
• di

xi disci

Init → [BigDisc]Safe

165

Big Disc Control

2

m i n r

• i
• m

i n r

• i
• di

xi disci

Dubins Model for 2D motion [Dubins57]

Init → [BigDisc]Safe

h h

166

Big Disc Control

2

m i n r

• i
• m

i n r

• i
• di

xi disci

The disc does not move when in a collision avoidance maneuver

Init → [BigDisc]Safe

h h

167

Big Disc Control

2

m i n r

• i
• m

i n r

• i
• di

xi disci

All aircraft evolve simultaneously

Init → [BigDisc]Safe

h h

168

Big Disc Control

2

m i n r

• i
• m

i n r

• i
• di

xi disci

Init → [BigDisc]Safe

h h

169

Big Disc Control

2

m i n r

• i
• m

i n r

• i
• di

xi disci

Init → [BigDisc]Safe

h

170

Big Disc Control

2

m i n r

• i
• m

i n r

• i
• di

xi disci

Init → [BigDisc]Safe

• Ensures aircraft

control can engage CA maneuver.

• Aircraft can flyably

remain within disc

171

Big Disc Control

2

m i n r

• i
• m

i n r

• i
• di

xi disci

Init → [BigDisc]Safe

172

Big Disc Control

2

m i n r

• i
• m

i n r

• i
• di

xi disci

h

✔

Init → [BigDisc]Safe

173

• Deterministic control makes it well suited for UAVs.
• Smaller discs allow aircraft to fly closer together.
• Aircraft may exit maneuver as soon as it is safe to

do so.

Small Discs Control

xi xj p xk xl xm

[PallottinoSBF07, LoosRP13]

174

xi xj p xk xl xm

Small Discs Control

175

xi xj p xk xl xm h

✔

Small Discs Control

176

Cha halle lleng nges Cont ntributions ns

CPS needs verification Infinite, continuous, and

evolving state space,

Continuous dynamics Discrete control

decisions

Distributed dynamics Arbitrary number of

aircraft

Emergent behaviors

Theorem proving is

powerful for verifying distributed dynamics

Non-linear flight paths and

flyable maneuvers

Compositionality – using

small problems to solve the big ones

Hierarchical proofs Undergraduates can

understand and verify hybrid systems!

Conclusions

m i n r

• i
• m

i n r

• i
• di

xi disci xi xj p xk xl xm

R∞

177

178

References (page 1)

Sarah M. Loos, David Renshaw, and André Platzer. Formal Verification of Distributed Aircraft

• Controllers. In Calin Belta and Franjo Ivancic, editors, Hybrid Systems: Computation and Control

(HSCC), 2013. André Platzer and Jan-David Quesel. KeYmaera: A hybrid theorem prover for hybrid systems. In Alessandro Armando, Peter Baumgartner, and Gilles Dowek, editors, IJCAR, volume 5195 of LNCS, pages 171-178. Springer, 2008 Platzer, André. "Differential dynamic logic for hybrid systems." Journal of Automated Reasoning 41.2 (2008): 143-189. Nikos Aréchiga, Sarah M. Loos, André Platzer, and Bruce H. Krogh. Using theorem provers to guarantee closed-loop system properties. In the American Control Conference, ACC, Montréal, Canada, 2012. Stefan Mitsch, Sarah M. Loos, and André Platzer. Towards Formal Verification of Freeway Traffic

• Control. In the International Conference on Cyber-Physical Systems, ICCPS, Beijing, China, 2012.

Lucia Pallottino, Vincenzo Giovanni Scordio, Antonio Bicchi, and Emilio Frazzoli. "Decentralized cooperative policy for conflict resolution in multivehicle systems." Robotics, IEEE Transactions on 23, no. 6, pages 1170-1183, 2007.

179

References (page 2)

Akshay Rajhans, Ajinkya Bhave, Sarah M. Loos, Bruce H. Krogh, André Platzer, and David Garlan. Using parameters in architectural views to support heterogeneous design and verification. In the IEEE Conference on Decision and Control and European Control Conference. 2011. Sarah M. Loos and André Platzer. Safe Intersections: At the Crossing of Hybrid Systems and

• Verification. In the International IEEE Conference on Intelligent Transportation Systems, ITSC 2011,

Washington, D.C., USA, Proceedings, 2011. David Renshaw, Sarah M. Loos, and André Platzer. Distributed theorem proving for distributed hybrid

• systems. In the International Conference on Formal Engineering Methods, ICFEM’11, Durham, United

Kingdom, Proceedings, LNCS. Springer, 2011. Sarah M. Loos, André Platzer, and Ligia Nistor. Adaptive cruise control: Hybrid, distributed, and now formally verified. In the 17th International Symposium on Formal Methods, FM, Limerick, Ireland, Proceedings, LNCS. Springer, 2011. André Platzer. Quantified differential dynamic logic for distributed hybrid systems. In Computer Science

• Logic. Volume 6247 of LNCS. Springer, 2010.

Dubins, L.E. On curves of minimal length with a constraint on average curvature, and with prescribed initial and terminal positions and tangents. Am J Math 79(3), pages 497–516, 1957.