differential dynamic logic for hybrid systemsi12 filediﬀerential dynamic logic for hybrid systems...

Differential Dynamic Logic for Hybrid Systems

Andre Platzer1,2

1University of Oldenburg, Department of Computing Science, Germany

2Carnegie Mellon University, Computer Science Department, Pittsburgh, PA, USA

KeY’07

Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 1 / 16

Outline

1 Motivation

2 Differential Logic dLDesign MotivesSyntaxTransition SemanticsSpeed Supervision in Train Control

3 Verification Calculus for dLSequent CalculusModular Combination by Side DeductionVerifying Speed Supervision in Train ControlSoundness

4 Conclusions & Future Work

Verifying Parametric Hybrid Systems

MAST SBnegot corrfar

Hybrid Systems

continuous evolution along differential equations + discrete change

Fix parameter SB = 10000 and hope?

Handle SB as free symbolic parameter?

Which constraints for SB?

∀MA∃SB [Train]safe

Hybrid Systems

∀MA∃SB [Train]safe

Parametric Hybrid Systems

∀MA∃SB [Train]safet

Parametric Hybrid Systems

differential dynamic logic

dL = DL + HP

Outline

1 Motivation

Outline

1 Motivation

dL Motives: Regions in First-order Logic

DL + HP

dL = FOL

+DL + HP

MA− z

v2 ≤ 2b(MA− z)

dL = FOL

+DL + HP

MA− z

v2 ≤ 2b(MA− z)

∀t after(train-runs(t))(v2 ≤ 2b(MA− z))

dL Motives: State Transitions in Dynamic Logic

dL = FOL+DL

MA− z

v2 ≤ 2b(MA− z)

∀t after(train-runs(t))(v2 ≤ 2b(MA− z))

[train-runs]v2 ≤ 2b(MA− z)

dL Motives: Hybrid Programs as Uniform Model

dL = FOL+DL + HP

[train-runs]v2 ≤ 2b(MA− z)

dL = FOL+DL + HP

[ ]v2 ≤ 2b(MA− z)

dL = FOL+DL + HP

recfsa

not compositional

dL = FOL+DL + HP

recfsa

not compositional

dL = FOL+DL + HP

recfsa

not compositional

Differential Logic dL: Syntax

Definition (Hybrid program α)

x ′ = f (x) (continuous evolution

within invariant region

)x := θ (discrete jump)?χ (conditional execution)α;β (seq. composition)α ∪ β (nondet. choice)α∗ (nondet. repetition)

ETCS ≡ (cor; drive)∗

cor ≡ (?MA− z < SB; a :=−b)

∪ (?MA− z ≥ SB; a := 0)

drive ≡ τ := 0; z ′′ = a

& v ≥ 0 ∧ τ ≤ ε

cor ≡ (?MA− z < SB; a :=−b)

∪ (?MA− z ≥ SB; a ≤ amax)

drive ≡ τ := 0; z ′′ = a

& v ≥ 0 ∧ τ ≤ ε

cor ≡ (?MA− z < SB; a :=−b)

drive ≡ τ := 0; z ′ = v , v ′ = a, τ ′ = 1

& v ≥ 0 ∧ τ ≤ ε

x ′ = f (x) &χ (continuous evolution within invariant region)x := θ (discrete jump)?χ (conditional execution)α;β (seq. composition)α ∪ β (nondet. choice)α∗ (nondet. repetition)

cor ≡ (?MA− z < SB; a :=−b)

drive ≡ τ := 0; z ′ = v , v ′ = a, τ ′ = 1

& v ≥ 0 ∧ τ ≤ ε

Definition (Formulas φ)

¬,∧,∨,→, ∀x ,∃x , =,≤, +, · (first-order part)[α]φ, 〈α〉φ (dynamic part)

ψ → [(cor ; drive)∗] z ≤ MA

All trains respect MA⇒ system safe

Differential Logic dL: Transition Semantics

Definition (Hybrid programs α: transition semantics)

v wx := θ

x.= val(v , θ)

v wx ′ = f (x)

x ′ = f (x)

v wx ′ = f (x)

x ′ = f (x)

v wx ′ = f (x)

x ′ = f (x)

v s1 s2 sn w

α α α

v s1 s2 sn w

α α α

α ∪ β

if v |= χ

[α]φ

α-span

[α]φ

〈β〉φ

β-span

〈β〉[α

〈α〉φφ

α-span

[α]φ

〈β〉φ

β-span

〈β〉[α

v α-span

[α]φ

〈β〉φ

β-span

〈β〉[α

v α-span

[α]φ

〈β〉φ

β-span

〈β〉[α

v α-span

[α]φ

〈β〉φ

β-span

〈β〉[α

v α-span

[α]φ

〈β〉φ

β-span

〈β〉[α

compositional semantics!

Outline

1 Motivation

Verification Calculus for dL

[x := θ]φ v w

x := θφ

∃t≥0 〈x := yx(t)〉φ〈x ′ = f (x)〉φ

v wx ′ = f (x)

x := yx(t)

∃t≥0 (χ ∧ 〈x := yx(t)〉φ)

〈x ′ = f (x) &χ〉φ

v wx ′ = f (x) &χ

x := yx(t)x := yx (s)

χ ≡ ∀0≤s≤t 〈x := yx(s)〉χ

[x := θ]φ v w

x := θφ

∃t≥0 〈x := yx(t)〉φ〈x ′ = f (x)〉φ

v wx ′ = f (x)

x := yx(t)

∃t≥0 (χ ∧ 〈x := yx(t)〉φ)

〈x ′ = f (x) &χ〉φ

v wx ′ = f (x) &χ

x := yx(t)x := yx (s)

χ ≡ ∀0≤s≤t 〈x := yx(s)〉χ

[x := θ]φ v w

x := θφ

∃t≥0 〈x := yx(t)〉φ〈x ′ = f (x)〉φ

v wx ′ = f (x)

φx := yx(t)

∃t≥0 (χ ∧ 〈x := yx(t)〉φ)

〈x ′ = f (x) &χ〉φ

v wx ′ = f (x) &χ

x := yx(t)x := yx (s)

χ ≡ ∀0≤s≤t 〈x := yx(s)〉χ

[x := θ]φ v w

x := θφ

∃t≥0 〈x := yx(t)〉φ〈x ′ = f (x)〉φ

v wx ′ = f (x)

φx := yx(t)

∃t≥0 (χ ∧ 〈x := yx(t)〉φ)

〈x ′ = f (x) &χ〉φ

v wx ′ = f (x) &χ

x := yx(t)x := yx (s)

χ ≡ ∀0≤s≤t 〈x := yx(s)〉χ

Modular Combination by Side Deduction

v > 0, z < MA ` v2 ≥ 2b(MA− z)

v > 0, z < MA ` ∃t≥0 〈z :=−b2 t2 + vt + z〉z ≥ MA

v > 0, z < MA ` 〈z ′ = v , v ′ = −b〉z ≥ MA

` v > 0 ∧ z < MA → 〈z ′ = v , v ′ = −b〉 z ≥ MA

v > 0, z < MA ` t≥0

v > 0, z < MA ` −b2 t2 + vt + z ≥ MA

v > 0, z < MA ` 〈z :=−b2 t2 + vt + z〉z ≥ MA

v > 0, z < MA ` t ≥ 0 ∧ 〈z :=−b2 t2 + vt + z〉z ≥ MA

startside

v > 0, z < MA ` v2 ≥ 2b(MA− z)

v > 0, z < MA ` ∃t≥0 〈z :=−b2 t2 + vt + z〉z ≥ MA

v > 0, z < MA ` 〈z ′ = v , v ′ = −b〉z ≥ MA` v > 0 ∧ z < MA → 〈z ′ = v , v ′ = −b〉 z ≥ MA

v > 0, z < MA ` t≥0

v > 0, z < MA ` −b2 t2 + vt + z ≥ MA

v > 0, z < MA ` 〈z :=−b2 t2 + vt + z〉z ≥ MA

v > 0, z < MA ` t ≥ 0 ∧ 〈z :=−b2 t2 + vt + z〉z ≥ MA

startside

v > 0, z < MA ` v2 ≥ 2b(MA− z)

v > 0, z < MA ` ∃t≥0 〈z :=−b2 t2 + vt + z〉z ≥ MA

QE not applicable!

v > 0, z < MA ` t≥0

v > 0, z < MA ` −b2 t2 + vt + z ≥ MA

v > 0, z < MA ` 〈z :=−b2 t2 + vt + z〉z ≥ MA

v > 0, z < MA ` t ≥ 0 ∧ 〈z :=−b2 t2 + vt + z〉z ≥ MA

startside

v > 0, z < MA ` v2 ≥ 2b(MA− z)

v > 0, z < MA ` ∃t≥0 〈z :=−b2 t2 + vt + z〉z ≥ MA

v > 0, z < MA ` t≥0

v > 0, z < MA ` −b2 t2 + vt + z ≥ MA

v > 0, z < MA ` 〈z :=−b2 t2 + vt + z〉z ≥ MA

v > 0, z < MA ` t ≥ 0 ∧ 〈z :=−b2 t2 + vt + z〉z ≥ MA

startside

v > 0, z < MA ` v2 ≥ 2b(MA− z)

v > 0, z < MA ` ∃t≥0 〈z :=−b2 t2 + vt + z〉z ≥ MA

v > 0, z < MA ` t≥0

v > 0, z < MA ` −b2 t2 + vt + z ≥ MA

v > 0, z < MA ` 〈z :=−b2 t2 + vt + z〉z ≥ MA

v > 0, z < MA ` t ≥ 0 ∧ 〈z :=−b2 t2 + vt + z〉z ≥ MA

startside

v > 0, z < MA ` v2 ≥ 2b(MA− z)

v > 0, z < MA ` ∃t≥0 〈z :=−b2 t2 + vt + z〉z ≥ MA

v > 0, z < MA ` t≥0

v > 0, z < MA ` −b2 t2 + vt + z ≥ MA

v > 0, z < MA ` 〈z :=−b2 t2 + vt + z〉z ≥ MA

v > 0, z < MA ` t ≥ 0 ∧ 〈z :=−b2 t2 + vt + z〉z ≥ MA

startside

v > 0, z < MA ` v2 ≥ 2b(MA− z)

v > 0, z < MA ` ∃t≥0 〈z :=−b2 t2 + vt + z〉z ≥ MA

v > 0, z < MA ` t≥0

v > 0, z < MA ` −b2 t2 + vt + z ≥ MA

v > 0, z < MA ` 〈z :=−b2 t2 + vt + z〉z ≥ MA

v > 0, z < MA ` t ≥ 0 ∧ 〈z :=−b2 t2 + vt + z〉z ≥ MA

startside

Verification Calculus for dLDynamic Rules

11 dynamic rules

(D1)φ ∧ ψ〈?φ〉ψ

(D2)φ→ ψ

[?φ]ψ

(D3)〈α〉φ ∨ 〈β〉φ〈α ∪ β〉φ

(D4)[α]φ ∧ [β]φ

[α ∪ β]φ

(D5)φ ∨ 〈α;α∗〉φ

〈α∗〉φ

(D6)φ ∧ [α;α∗]φ

[α∗]φ

(D7)〈α〉〈β〉φ〈α;β〉φ

(D8)φθ

〈x := θ〉φ

(D9)∃t≥0 (χ ∧ 〈x := yx(t)〉φ)

〈x ′ = θ&χ〉φ

(D10)∀t≥0 (χ→ [x := yx(t)]φ)

[x ′ = θ&χ]φ

(D11)` p ` [α∗](p → [α]p)

` [α∗]p

Verification Calculus for dLPropositional/Quantifier Rules

9 propositional rules + 4 quantifier rules

(P1)` φ¬φ `

(P2)φ `` ¬φ

(P3)φ ` ψ` φ→ ψ

(P4)φ, ψ `φ ∧ ψ `

(P5)` φ ` ψ` φ ∧ ψ

(P6)` φ ψ `φ→ ψ `

(P7)φ ` ψ `φ ∨ ψ `

(P8)` φ, ψ` φ ∨ ψ

(P9)φ ` φ

(F1)QE(∃x

∧i (Γi ` ∆i ))

Γ ` ∆,∃x φ

(F2)QE(∀x

∧i (Γi ` ∆i ))

Γ,∃x φ ` ∆

(F3)QE(∀x

∧i (Γi ` ∆i ))

Γ ` ∆,∀x φ

(F4)QE(∃x

∧i (Γi ` ∆i ))

Γ,∀x φ ` ∆

Verify Safety in Train Control

cor ≡ (?MA− z < SB; a :=−b)

∪ (?MA− z ≥ SB; a := 0)

drive ≡ τ := 0; z ′ = v , v ′ = a, τ ′ = 1

& v ≥ 0 ∧ τ ≤ ε

cor ≡ (?MA− z < SB; a :=−b)

∪ (?MA− z ≥ SB; a := 0)

drive ≡ τ := 0; z ′ = v , v ′ = a, τ ′ = 1

& v ≥ 0 ∧ τ ≤ ε

∗p` ∀t≥0 (〈v :=−bt + v〉v ≥ 0 → 〈z :=− b

2t2 + vt + z; v :=−bt + v〉p)

p` [z′ = v, v′ = −b & v ≥ 0]pp` 〈a :=−b〉[drive]p

p, MA−z≥SB` v2 ≤ 2b(MA − εv − z)p, MA−z≥SB` ∀t≥0 (〈τ := t〉τ ≤ ε → 〈z := vt + z〉p)p, MA−z≥SB` 〈τ := 0〉∀t≥0 (〈τ := t + τ〉τ ≤ ε → 〈z := vt + z〉p)p, MA−z≥SB` 〈τ := 0〉[z′ = v, v′ = 0, τ ′ = 1 & τ ≤ ε]pp, MA−z≥SB` 〈a := 0〉〈τ := 0〉[z′ = v, v′ = a, τ ′ = 1 & τ ≤ ε]pp, MA−z≥SB` 〈a := 0〉[drive]p

p` [?MA−z≥SB; a := 0][drive]pp` [cor][drive]pp` [cor ; drive]p

v2 ≤ 2b(MA− εv − z)

SB ≥ εv + v2

SB ≥ v2

ab + 1

) (a2ε

2 + εv)

cor ≡ (?MA− z < SB; a :=−b)

∪ (?MA− z ≥ SB; a := 0)

drive ≡ τ := 0; z ′ = v , v ′ = a, τ ′ = 1

& v ≥ 0 ∧ τ ≤ ε

∗p` ∀t≥0 (〈v :=−bt + v〉v ≥ 0 → 〈z :=− b

2t2 + vt + z; v :=−bt + v〉p)

v2 ≤ 2b(MA− εv − z)

SB ≥ εv + v2

SB ≥ v2

ab + 1

) (a2ε

2 + εv)

cor ≡ (?MA− z < SB; a :=−b)

∪ (?MA− z ≥ SB; a := 0)

drive ≡ τ := 0; z ′ = v , v ′ = a, τ ′ = 1

& v ≥ 0 ∧ τ ≤ ε

∗p` ∀t≥0 (〈v :=−bt + v〉v ≥ 0 → 〈z :=− b

2t2 + vt + z; v :=−bt + v〉p)

v2 ≤ 2b(MA− εv − z)

SB ≥ εv + v2

SB ≥ v2

ab + 1

) (a2ε

2 + εv)

cor ≡ (?MA− z < SB; a :=−b)

∪ (?MA− z ≥ SB; a := 0)

drive ≡ τ := 0; z ′ = v , v ′ = a, τ ′ = 1

& v ≥ 0 ∧ τ ≤ ε

∗p` ∀t≥0 (〈v :=−bt + v〉v ≥ 0 → 〈z :=− b

2t2 + vt + z; v :=−bt + v〉p)

inv ≡ v2 ≤ 2b(MA− z)

cor ≡ (?MA− z < SB; a :=−b)

∪ (?MA− z ≥ SB; a := 0)

drive ≡ τ := 0; z ′ = v , v ′ = a, τ ′ = 1

& v ≥ 0 ∧ τ ≤ ε

∗p` ∀t≥0 (〈v :=−bt + v〉v ≥ 0 → 〈z :=− b

2t2 + vt + z; v :=−bt + v〉p)

inv ≡ v2 ≤ 2b(MA− z)

MA− z

cor ≡ (?MA− z < SB; a :=−b)

∪ (?MA− z ≥ SB; a := 0)

drive ≡ τ := 0; z ′ = v , v ′ = a, τ ′ = 1

& v ≥ 0 ∧ τ ≤ ε

∗p` ∀t≥0 (〈v :=−bt + v〉v ≥ 0 → 〈z :=− b

2t2 + vt + z; v :=−bt + v〉p)

Verified ETCS Model

system :(poll; (negot ∪ (speedControl; atp; move))

)∗init : drive := 0; brake := 1

poll : SB := v2−d2

amaxb + 1

)(amax

2 ε2 + εv); ST := ∗

negot : (?m − z > ST ) ∪ (?m − z ≤ ST ; rbc)rbc : (vdes := ∗; ?vdes > 0) ∪ (state := brake)

∪(dold := d ; mold := m; m := ∗; d := ∗;

?d ≥ 0 ∧ d2old − d2 ≤ 2b(m −mold)

)speedCtrl : (?state = brake; a := −b)

∪(?state = drive;((?v ≤ vdes ; a := ∗; ?− b ≤ a ≤ amax)

∪(?v ≥ vdes ; a := ∗; ?0 > a ≥ − b)))

atp : (?m − z ≤ SB; a := −b) ∪ (?m − z > SB)move : t := 0; {z = v , v = a, t = 1, (v ≥ 0 ∧ t ≤ ε)}

Distance Profile

Soundness

Theorem (Soundness)

dL calculus is sound.

x ′ = f (x)

Side deductions

Proposition (Incompleteness)

The discrete or continuous fragments of dL are inherently incomplete.(Yet, reachability in hybrid systems is not semidecidable)

〈(x := x + 1)∗〉 x = n

〈s ′′ = −s, τ ′ = 1〉(s = 0 ∧ τ = n) s = sin

Outline

1 Motivation

Conclusions

dL = DL + HP

Deductively verify hybrid systems

Train control (ETCS) verification

Constructive deduction modulo by sidededuction

Verification tool HyKeY

Parameter discovery

Future Work

Prove relative completeness of dL/(ODE + Inv)

Dynamic reconfiguration of system structures

J. M. Davoren and A. Nerode.Logics for hybrid systems.Proceedings of the IEEE, 88(7):985–1010, July 2000.

M. Ronkko, A. P. Ravn, and K. Sere.Hybrid action systems.Theor. Comput. Sci., 290(1):937–973, 2003.

W. C. Rounds.A spatial logic for the hybrid π-calculus.In R. Alur and G. J. Pappas, editors, HSCC, volume 2993 of LNCS,pages 508–522. Springer, 2004.

C. Zhou, A. P. Ravn, and M. R. Hansen.An extended duration calculus for hybrid real-time systems.In R. L. Grossman, A. Nerode, A. P. Ravn, and H. Rischel, editors,Hybrid Systems, volume 736 of LNCS, pages 36–59. Springer, 1992.

differential dynamic logic for hybrid systemsi12 filediﬀerential dynamic logic for hybrid systems...

Documents

authors -...

fuzzy logic hybrid system

signal-responsive hybrid biomaterials with built-in boolean...

hybrid logic in the calculus of structures · abstract...

robot manipulators tracking using hybrid fuzzy logic … ·...

a minimal hybrid logic for...

a hybrid of sliding mode control and fuzzy logic control...

optimal access guarantee in hybrid access femtocells using...

differential game logic - avacs · contributions logical...

comparison of fuzzy logic, ahp, fahp and hybrid fuzzy ahp...

fuzzy logic control of hybrid energy system

spartacus: a tableau prover for hybrid logic€¦ ·...

optimal fuzzy logic energy management strategy of hybrid...

universal logic gates via liquid-electronic hybrid divider

whitepaper-improve logic test with a hybrid atpg-bist...

spartacus: a tableau prover for hybrid logic -...

combining formal and informal methods in the...

fuzzy logic based driving pattern recognition for hybrid...

logic for distributed hybrid systems

foundations of logic programming in hybrid logics with...