differential dynamic logic for hybrid systemsi12 filedifferential dynamic logic for hybrid systems...
TRANSCRIPT
![Page 1: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/1.jpg)
Differential Dynamic Logic for Hybrid Systems
Andre Platzer1,2
1University of Oldenburg, Department of Computing Science, Germany
2Carnegie Mellon University, Computer Science Department, Pittsburgh, PA, USA
KeY’07
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 1 / 16
![Page 2: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/2.jpg)
Outline
1 Motivation
2 Differential Logic dLDesign MotivesSyntaxTransition SemanticsSpeed Supervision in Train Control
3 Verification Calculus for dLSequent CalculusModular Combination by Side DeductionVerifying Speed Supervision in Train ControlSoundness
4 Conclusions & Future Work
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 1 / 16
![Page 3: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/3.jpg)
Verifying Parametric Hybrid Systems
RBC
MAST SBnegot corrfar
Hybrid Systems
continuous evolution along differential equations + discrete change
Fix parameter SB = 10000 and hope?
Handle SB as free symbolic parameter?
Which constraints for SB?
∀MA∃SB [Train]safe
t
z
v
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 2 / 16
![Page 4: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/4.jpg)
Verifying Parametric Hybrid Systems
RBC
MAST SBnegot corrfar
Hybrid Systems
continuous evolution along differential equations + discrete change
Fix parameter SB = 10000 and hope?
Handle SB as free symbolic parameter?
Which constraints for SB?
∀MA∃SB [Train]safe
t
z
v
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 2 / 16
![Page 5: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/5.jpg)
Verifying Parametric Hybrid Systems
RBC
MAST SBnegot corrfar
Parametric Hybrid Systems
continuous evolution along differential equations + discrete change
Fix parameter SB = 10000 and hope?
Handle SB as free symbolic parameter?
Which constraints for SB?
∀MA∃SB [Train]safet
z
v
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 2 / 16
![Page 6: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/6.jpg)
Verifying Parametric Hybrid Systems
RBC
MAST SBnegot corrfar
Parametric Hybrid Systems
continuous evolution along differential equations + discrete change
differential dynamic logic
dL = DL + HP
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 2 / 16
![Page 7: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/7.jpg)
Outline
1 Motivation
2 Differential Logic dLDesign MotivesSyntaxTransition SemanticsSpeed Supervision in Train Control
3 Verification Calculus for dLSequent CalculusModular Combination by Side DeductionVerifying Speed Supervision in Train ControlSoundness
4 Conclusions & Future Work
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 2 / 16
![Page 8: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/8.jpg)
Outline
1 Motivation
2 Differential Logic dLDesign MotivesSyntaxTransition SemanticsSpeed Supervision in Train Control
3 Verification Calculus for dLSequent CalculusModular Combination by Side DeductionVerifying Speed Supervision in Train ControlSoundness
4 Conclusions & Future Work
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 2 / 16
![Page 9: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/9.jpg)
dL Motives: Regions in First-order Logic
differential dynamic logic
dL =
FOL+
DL + HP
RBC
MAST SBnegot corrfar
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 3 / 16
![Page 10: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/10.jpg)
dL Motives: Regions in First-order Logic
differential dynamic logic
dL = FOL
+DL + HP
RBC
MAST SBnegot corrfar
MA− z
v
MA
v2 ≤ 2b(MA− z)
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 3 / 16
![Page 11: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/11.jpg)
dL Motives: Regions in First-order Logic
differential dynamic logic
dL = FOL
+DL + HP
RBC
MAST SBnegot corrfar
MA− z
v
MA
v2 ≤ 2b(MA− z)
∀t after(train-runs(t))(v2 ≤ 2b(MA− z))
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 3 / 16
![Page 12: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/12.jpg)
dL Motives: State Transitions in Dynamic Logic
differential dynamic logic
dL = FOL+DL
+ HP
RBC
MAST SBnegot corrfar
MA− z
v
MA
v2 ≤ 2b(MA− z)
∀t after(train-runs(t))(v2 ≤ 2b(MA− z))
[train-runs]v2 ≤ 2b(MA− z)
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 3 / 16
![Page 13: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/13.jpg)
dL Motives: Hybrid Programs as Uniform Model
differential dynamic logic
dL = FOL+DL + HP
RBC
MAST SBnegot corrfar
[train-runs]v2 ≤ 2b(MA− z)
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 3 / 16
![Page 14: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/14.jpg)
dL Motives: Hybrid Programs as Uniform Model
differential dynamic logic
dL = FOL+DL + HP
RBC
MAST SBnegot corrfar
[ ]v2 ≤ 2b(MA− z)
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 3 / 16
![Page 15: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/15.jpg)
dL Motives: Hybrid Programs as Uniform Model
differential dynamic logic
dL = FOL+DL + HP
RBC
MAST SBnegot corrfar
far
neg
cor
recfsa
not compositional
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 3 / 16
![Page 16: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/16.jpg)
dL Motives: Hybrid Programs as Uniform Model
differential dynamic logic
dL = FOL+DL + HP
RBC
MAST SBnegot corrfar
far
neg
cor
recfsa
not compositional
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 3 / 16
![Page 17: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/17.jpg)
dL Motives: Hybrid Programs as Uniform Model
differential dynamic logic
dL = FOL+DL + HP
RBC
MAST SBnegot corrfar
far
neg
cor
recfsa
not compositional
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 3 / 16
![Page 18: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/18.jpg)
Differential Logic dL: Syntax
Definition (Hybrid program α)
x ′ = f (x) (continuous evolution
within invariant region
)x := θ (discrete jump)?χ (conditional execution)α;β (seq. composition)α ∪ β (nondet. choice)α∗ (nondet. repetition)
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 4 / 16
![Page 19: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/19.jpg)
Differential Logic dL: Syntax
Definition (Hybrid program α)
x ′ = f (x) (continuous evolution
within invariant region
)x := θ (discrete jump)?χ (conditional execution)α;β (seq. composition)α ∪ β (nondet. choice)α∗ (nondet. repetition)
ETCS ≡ (cor; drive)∗
cor ≡ (?MA− z < SB; a :=−b)
∪ (?MA− z ≥ SB; a := 0)
drive ≡ τ := 0; z ′′ = a
& v ≥ 0 ∧ τ ≤ ε
RBC
MAST SBnegot corrfar
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 4 / 16
![Page 20: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/20.jpg)
Differential Logic dL: Syntax
Definition (Hybrid program α)
x ′ = f (x) (continuous evolution
within invariant region
)x := θ (discrete jump)?χ (conditional execution)α;β (seq. composition)α ∪ β (nondet. choice)α∗ (nondet. repetition)
ETCS ≡ (cor; drive)∗
cor ≡ (?MA− z < SB; a :=−b)
∪ (?MA− z ≥ SB; a ≤ amax)
drive ≡ τ := 0; z ′′ = a
& v ≥ 0 ∧ τ ≤ ε
RBC
MAST SBnegot corrfar
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 4 / 16
![Page 21: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/21.jpg)
Differential Logic dL: Syntax
Definition (Hybrid program α)
x ′ = f (x) (continuous evolution
within invariant region
)x := θ (discrete jump)?χ (conditional execution)α;β (seq. composition)α ∪ β (nondet. choice)α∗ (nondet. repetition)
ETCS ≡ (cor; drive)∗
cor ≡ (?MA− z < SB; a :=−b)
∪ (?MA− z ≥ SB; a ≤ amax)
drive ≡ τ := 0; z ′ = v , v ′ = a, τ ′ = 1
& v ≥ 0 ∧ τ ≤ ε
RBC
MAST SBnegot corrfar
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 4 / 16
![Page 22: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/22.jpg)
Differential Logic dL: Syntax
Definition (Hybrid program α)
x ′ = f (x) &χ (continuous evolution within invariant region)x := θ (discrete jump)?χ (conditional execution)α;β (seq. composition)α ∪ β (nondet. choice)α∗ (nondet. repetition)
ETCS ≡ (cor; drive)∗
cor ≡ (?MA− z < SB; a :=−b)
∪ (?MA− z ≥ SB; a ≤ amax)
drive ≡ τ := 0; z ′ = v , v ′ = a, τ ′ = 1
& v ≥ 0 ∧ τ ≤ ε
RBC
MAST SBnegot corrfar
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 4 / 16
![Page 23: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/23.jpg)
Differential Logic dL: Syntax
Definition (Formulas φ)
¬,∧,∨,→, ∀x ,∃x , =,≤, +, · (first-order part)[α]φ, 〈α〉φ (dynamic part)
ψ → [(cor ; drive)∗] z ≤ MA
All trains respect MA⇒ system safe
RBC
MAST SBnegot corrfar
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 4 / 16
![Page 24: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/24.jpg)
Differential Logic dL: Transition Semantics
Definition (Hybrid programs α: transition semantics)
v wx := θ
x.= val(v , θ)
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 5 / 16
![Page 25: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/25.jpg)
Differential Logic dL: Transition Semantics
Definition (Hybrid programs α: transition semantics)
v wx ′ = f (x)
&χ
t
x
χ
w
v
ϕ(t)
x ′ = f (x)
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 5 / 16
![Page 26: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/26.jpg)
Differential Logic dL: Transition Semantics
Definition (Hybrid programs α: transition semantics)
v wx ′ = f (x)
&χ
t
x
χ
w
v
ϕ(t)
x ′ = f (x)
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 5 / 16
![Page 27: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/27.jpg)
Differential Logic dL: Transition Semantics
Definition (Hybrid programs α: transition semantics)
v wx ′ = f (x)
&χ
t
x
χw
v
ϕ(t)
x ′ = f (x)
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 5 / 16
![Page 28: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/28.jpg)
Differential Logic dL: Transition Semantics
Definition (Hybrid programs α: transition semantics)
v s w
α;β
α β
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 5 / 16
![Page 29: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/29.jpg)
Differential Logic dL: Transition Semantics
Definition (Hybrid programs α: transition semantics)
v s w
α;β
α β
t
x
s
v w
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 5 / 16
![Page 30: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/30.jpg)
Differential Logic dL: Transition Semantics
Definition (Hybrid programs α: transition semantics)
v s w
α;β
α β
t
x
s
vw
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 5 / 16
![Page 31: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/31.jpg)
Differential Logic dL: Transition Semantics
Definition (Hybrid programs α: transition semantics)
v s1 s2 sn w
α∗
α α α
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 5 / 16
![Page 32: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/32.jpg)
Differential Logic dL: Transition Semantics
Definition (Hybrid programs α: transition semantics)
v s1 s2 sn w
α∗
α α α
t
xv
w
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 5 / 16
![Page 33: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/33.jpg)
Differential Logic dL: Transition Semantics
Definition (Hybrid programs α: transition semantics)
v
w1
w2
α
β
α ∪ β
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 5 / 16
![Page 34: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/34.jpg)
Differential Logic dL: Transition Semantics
Definition (Hybrid programs α: transition semantics)
v
w1
w2
α
β
α ∪ β
t
xv w1
w2
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 5 / 16
![Page 35: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/35.jpg)
Differential Logic dL: Transition Semantics
Definition (Hybrid programs α: transition semantics)
v
?χ
if v |= χ
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 5 / 16
![Page 36: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/36.jpg)
Differential Logic dL: Transition Semantics
Definition (Formulas φ)
v
[α]φ
φ
φ
φ
α-span
[α]φ
〈β〉φ
β-span
〈β〉[α
]-sp
an
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 6 / 16
![Page 37: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/37.jpg)
Differential Logic dL: Transition Semantics
Definition (Formulas φ)
v
〈α〉φφ
α-span
[α]φ
〈β〉φ
β-span
〈β〉[α
]-sp
an
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 6 / 16
![Page 38: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/38.jpg)
Differential Logic dL: Transition Semantics
Definition (Formulas φ)
v α-span
[α]φ
〈β〉φ
β-span
〈β〉[α
]-sp
an
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 6 / 16
![Page 39: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/39.jpg)
Differential Logic dL: Transition Semantics
Definition (Formulas φ)
v α-span
[α]φ
〈β〉φ
β-span
〈β〉[α
]-sp
an
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 6 / 16
![Page 40: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/40.jpg)
Differential Logic dL: Transition Semantics
Definition (Formulas φ)
v α-span
[α]φ
〈β〉φ
β-span
〈β〉[α
]-sp
an
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 6 / 16
![Page 41: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/41.jpg)
Differential Logic dL: Transition Semantics
Definition (Formulas φ)
v α-span
[α]φ
〈β〉φ
β-span
〈β〉[α
]-sp
an
compositional semantics!
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 6 / 16
![Page 42: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/42.jpg)
Outline
1 Motivation
2 Differential Logic dLDesign MotivesSyntaxTransition SemanticsSpeed Supervision in Train Control
3 Verification Calculus for dLSequent CalculusModular Combination by Side DeductionVerifying Speed Supervision in Train ControlSoundness
4 Conclusions & Future Work
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 6 / 16
![Page 43: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/43.jpg)
Verification Calculus for dL
φθx
[x := θ]φ v w
φθx
x := θφ
∃t≥0 〈x := yx(t)〉φ〈x ′ = f (x)〉φ
v wx ′ = f (x)
φ
x := yx(t)
∃t≥0 (χ ∧ 〈x := yx(t)〉φ)
〈x ′ = f (x) &χ〉φ
v wx ′ = f (x) &χ
φ
x := yx(t)x := yx (s)
χ
χ ≡ ∀0≤s≤t 〈x := yx(s)〉χ
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 7 / 16
![Page 44: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/44.jpg)
Verification Calculus for dL
φθx
[x := θ]φ v w
φθx
x := θφ
∃t≥0 〈x := yx(t)〉φ〈x ′ = f (x)〉φ
v wx ′ = f (x)
φ
x := yx(t)
∃t≥0 (χ ∧ 〈x := yx(t)〉φ)
〈x ′ = f (x) &χ〉φ
v wx ′ = f (x) &χ
φ
x := yx(t)x := yx (s)
χ
χ ≡ ∀0≤s≤t 〈x := yx(s)〉χ
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 7 / 16
![Page 45: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/45.jpg)
Verification Calculus for dL
φθx
[x := θ]φ v w
φθx
x := θφ
∃t≥0 〈x := yx(t)〉φ〈x ′ = f (x)〉φ
v wx ′ = f (x)
φx := yx(t)
∃t≥0 (χ ∧ 〈x := yx(t)〉φ)
〈x ′ = f (x) &χ〉φ
v wx ′ = f (x) &χ
φ
x := yx(t)x := yx (s)
χ
χ ≡ ∀0≤s≤t 〈x := yx(s)〉χ
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 7 / 16
![Page 46: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/46.jpg)
Verification Calculus for dL
φθx
[x := θ]φ v w
φθx
x := θφ
∃t≥0 〈x := yx(t)〉φ〈x ′ = f (x)〉φ
v wx ′ = f (x)
φx := yx(t)
∃t≥0 (χ ∧ 〈x := yx(t)〉φ)
〈x ′ = f (x) &χ〉φ
v wx ′ = f (x) &χ
φ
x := yx(t)x := yx (s)
χ
χ ≡ ∀0≤s≤t 〈x := yx(s)〉χ
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 7 / 16
![Page 47: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/47.jpg)
Modular Combination by Side Deduction
RBC
MAST SBnegot corrfar
v > 0, z < MA ` v2 ≥ 2b(MA− z)
v > 0, z < MA ` ∃t≥0 〈z :=−b2 t2 + vt + z〉z ≥ MA
v > 0, z < MA ` 〈z ′ = v , v ′ = −b〉z ≥ MA
` v > 0 ∧ z < MA → 〈z ′ = v , v ′ = −b〉 z ≥ MA
v > 0, z < MA ` t≥0
v > 0, z < MA ` −b2 t2 + vt + z ≥ MA
v > 0, z < MA ` 〈z :=−b2 t2 + vt + z〉z ≥ MA
v > 0, z < MA ` t ≥ 0 ∧ 〈z :=−b2 t2 + vt + z〉z ≥ MA
startside
QE
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 8 / 16
![Page 48: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/48.jpg)
Modular Combination by Side Deduction
RBC
MAST SBnegot corrfar
v > 0, z < MA ` v2 ≥ 2b(MA− z)
v > 0, z < MA ` ∃t≥0 〈z :=−b2 t2 + vt + z〉z ≥ MA
v > 0, z < MA ` 〈z ′ = v , v ′ = −b〉z ≥ MA` v > 0 ∧ z < MA → 〈z ′ = v , v ′ = −b〉 z ≥ MA
v > 0, z < MA ` t≥0
v > 0, z < MA ` −b2 t2 + vt + z ≥ MA
v > 0, z < MA ` 〈z :=−b2 t2 + vt + z〉z ≥ MA
v > 0, z < MA ` t ≥ 0 ∧ 〈z :=−b2 t2 + vt + z〉z ≥ MA
startside
QE
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 8 / 16
![Page 49: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/49.jpg)
Modular Combination by Side Deduction
RBC
MAST SBnegot corrfar
v > 0, z < MA ` v2 ≥ 2b(MA− z)
v > 0, z < MA ` ∃t≥0 〈z :=−b2 t2 + vt + z〉z ≥ MA
v > 0, z < MA ` 〈z ′ = v , v ′ = −b〉z ≥ MA` v > 0 ∧ z < MA → 〈z ′ = v , v ′ = −b〉 z ≥ MA
QE not applicable!
v > 0, z < MA ` t≥0
v > 0, z < MA ` −b2 t2 + vt + z ≥ MA
v > 0, z < MA ` 〈z :=−b2 t2 + vt + z〉z ≥ MA
v > 0, z < MA ` t ≥ 0 ∧ 〈z :=−b2 t2 + vt + z〉z ≥ MA
startside
QE
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 8 / 16
![Page 50: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/50.jpg)
Modular Combination by Side Deduction
RBC
MAST SBnegot corrfar
v > 0, z < MA ` v2 ≥ 2b(MA− z)
v > 0, z < MA ` ∃t≥0 〈z :=−b2 t2 + vt + z〉z ≥ MA
v > 0, z < MA ` 〈z ′ = v , v ′ = −b〉z ≥ MA` v > 0 ∧ z < MA → 〈z ′ = v , v ′ = −b〉 z ≥ MA
v > 0, z < MA ` t≥0
v > 0, z < MA ` −b2 t2 + vt + z ≥ MA
v > 0, z < MA ` 〈z :=−b2 t2 + vt + z〉z ≥ MA
v > 0, z < MA ` t ≥ 0 ∧ 〈z :=−b2 t2 + vt + z〉z ≥ MA
startside
QE
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 8 / 16
![Page 51: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/51.jpg)
Modular Combination by Side Deduction
RBC
MAST SBnegot corrfar
v > 0, z < MA ` v2 ≥ 2b(MA− z)
v > 0, z < MA ` ∃t≥0 〈z :=−b2 t2 + vt + z〉z ≥ MA
v > 0, z < MA ` 〈z ′ = v , v ′ = −b〉z ≥ MA` v > 0 ∧ z < MA → 〈z ′ = v , v ′ = −b〉 z ≥ MA
v > 0, z < MA ` t≥0
v > 0, z < MA ` −b2 t2 + vt + z ≥ MA
v > 0, z < MA ` 〈z :=−b2 t2 + vt + z〉z ≥ MA
v > 0, z < MA ` t ≥ 0 ∧ 〈z :=−b2 t2 + vt + z〉z ≥ MA
startside
QE
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 8 / 16
![Page 52: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/52.jpg)
Modular Combination by Side Deduction
RBC
MAST SBnegot corrfar
v > 0, z < MA ` v2 ≥ 2b(MA− z)
v > 0, z < MA ` ∃t≥0 〈z :=−b2 t2 + vt + z〉z ≥ MA
v > 0, z < MA ` 〈z ′ = v , v ′ = −b〉z ≥ MA` v > 0 ∧ z < MA → 〈z ′ = v , v ′ = −b〉 z ≥ MA
v > 0, z < MA ` t≥0
v > 0, z < MA ` −b2 t2 + vt + z ≥ MA
v > 0, z < MA ` 〈z :=−b2 t2 + vt + z〉z ≥ MA
v > 0, z < MA ` t ≥ 0 ∧ 〈z :=−b2 t2 + vt + z〉z ≥ MA
startside
QE
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 8 / 16
![Page 53: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/53.jpg)
Modular Combination by Side Deduction
RBC
MAST SBnegot corrfar
v > 0, z < MA ` v2 ≥ 2b(MA− z)
v > 0, z < MA ` ∃t≥0 〈z :=−b2 t2 + vt + z〉z ≥ MA
v > 0, z < MA ` 〈z ′ = v , v ′ = −b〉z ≥ MA` v > 0 ∧ z < MA → 〈z ′ = v , v ′ = −b〉 z ≥ MA
v > 0, z < MA ` t≥0
v > 0, z < MA ` −b2 t2 + vt + z ≥ MA
v > 0, z < MA ` 〈z :=−b2 t2 + vt + z〉z ≥ MA
v > 0, z < MA ` t ≥ 0 ∧ 〈z :=−b2 t2 + vt + z〉z ≥ MA
startside
QE
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 8 / 16
![Page 54: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/54.jpg)
Verification Calculus for dLDynamic Rules
11 dynamic rules
(D1)φ ∧ ψ〈?φ〉ψ
(D2)φ→ ψ
[?φ]ψ
(D3)〈α〉φ ∨ 〈β〉φ〈α ∪ β〉φ
(D4)[α]φ ∧ [β]φ
[α ∪ β]φ
(D5)φ ∨ 〈α;α∗〉φ
〈α∗〉φ
(D6)φ ∧ [α;α∗]φ
[α∗]φ
(D7)〈α〉〈β〉φ〈α;β〉φ
(D8)φθ
x
〈x := θ〉φ
(D9)∃t≥0 (χ ∧ 〈x := yx(t)〉φ)
〈x ′ = θ&χ〉φ
(D10)∀t≥0 (χ→ [x := yx(t)]φ)
[x ′ = θ&χ]φ
(D11)` p ` [α∗](p → [α]p)
` [α∗]p
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 9 / 16
![Page 55: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/55.jpg)
Verification Calculus for dLPropositional/Quantifier Rules
9 propositional rules + 4 quantifier rules
(P1)` φ¬φ `
(P2)φ `` ¬φ
(P3)φ ` ψ` φ→ ψ
(P4)φ, ψ `φ ∧ ψ `
(P5)` φ ` ψ` φ ∧ ψ
(P6)` φ ψ `φ→ ψ `
(P7)φ ` ψ `φ ∨ ψ `
(P8)` φ, ψ` φ ∨ ψ
(P9)φ ` φ
(F1)QE(∃x
∧i (Γi ` ∆i ))
Γ ` ∆,∃x φ
(F2)QE(∀x
∧i (Γi ` ∆i ))
Γ,∃x φ ` ∆
(F3)QE(∀x
∧i (Γi ` ∆i ))
Γ ` ∆,∀x φ
(F4)QE(∃x
∧i (Γi ` ∆i ))
Γ,∀x φ ` ∆
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 10 / 16
![Page 56: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/56.jpg)
Verify Safety in Train Control
ψ → [(cor ; drive)∗] z ≤ MA
cor ≡ (?MA− z < SB; a :=−b)
∪ (?MA− z ≥ SB; a := 0)
drive ≡ τ := 0; z ′ = v , v ′ = a, τ ′ = 1
& v ≥ 0 ∧ τ ≤ ε
RBC
MAST SBnegot corrfar
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 11 / 16
![Page 57: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/57.jpg)
Verify Safety in Train Control
ψ → [(cor ; drive)∗] z ≤ MA
cor ≡ (?MA− z < SB; a :=−b)
∪ (?MA− z ≥ SB; a := 0)
drive ≡ τ := 0; z ′ = v , v ′ = a, τ ′ = 1
& v ≥ 0 ∧ τ ≤ ε
RBC
MAST SBnegot corrfar
∗p` ∀t≥0 (〈v :=−bt + v〉v ≥ 0 → 〈z :=− b
2t2 + vt + z; v :=−bt + v〉p)
p` [z′ = v, v′ = −b & v ≥ 0]pp` 〈a :=−b〉[drive]p
. . .
p, MA−z≥SB` v2 ≤ 2b(MA − εv − z)p, MA−z≥SB` ∀t≥0 (〈τ := t〉τ ≤ ε → 〈z := vt + z〉p)p, MA−z≥SB` 〈τ := 0〉∀t≥0 (〈τ := t + τ〉τ ≤ ε → 〈z := vt + z〉p)p, MA−z≥SB` 〈τ := 0〉[z′ = v, v′ = 0, τ ′ = 1 & τ ≤ ε]pp, MA−z≥SB` 〈a := 0〉〈τ := 0〉[z′ = v, v′ = a, τ ′ = 1 & τ ≤ ε]pp, MA−z≥SB` 〈a := 0〉[drive]p
p` [?MA−z≥SB; a := 0][drive]pp` [cor][drive]pp` [cor ; drive]p
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 11 / 16
![Page 58: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/58.jpg)
Verify Safety in Train Control
v2 ≤ 2b(MA− εv − z)
SB ≥ εv + v2
2b
QE
SB ≥ v2
2b +(
ab + 1
) (a2ε
2 + εv)
QE
ψ → [(cor ; drive)∗] z ≤ MA
cor ≡ (?MA− z < SB; a :=−b)
∪ (?MA− z ≥ SB; a := 0)
drive ≡ τ := 0; z ′ = v , v ′ = a, τ ′ = 1
& v ≥ 0 ∧ τ ≤ ε
RBC
MAST SBnegot corrfar
∗p` ∀t≥0 (〈v :=−bt + v〉v ≥ 0 → 〈z :=− b
2t2 + vt + z; v :=−bt + v〉p)
p` [z′ = v, v′ = −b & v ≥ 0]pp` 〈a :=−b〉[drive]p
. . .
p, MA−z≥SB` v2 ≤ 2b(MA − εv − z)p, MA−z≥SB` ∀t≥0 (〈τ := t〉τ ≤ ε → 〈z := vt + z〉p)p, MA−z≥SB` 〈τ := 0〉∀t≥0 (〈τ := t + τ〉τ ≤ ε → 〈z := vt + z〉p)p, MA−z≥SB` 〈τ := 0〉[z′ = v, v′ = 0, τ ′ = 1 & τ ≤ ε]pp, MA−z≥SB` 〈a := 0〉〈τ := 0〉[z′ = v, v′ = a, τ ′ = 1 & τ ≤ ε]pp, MA−z≥SB` 〈a := 0〉[drive]p
p` [?MA−z≥SB; a := 0][drive]pp` [cor][drive]pp` [cor ; drive]p
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 11 / 16
![Page 59: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/59.jpg)
Verify Safety in Train Control
v2 ≤ 2b(MA− εv − z)
SB ≥ εv + v2
2b
QE
SB ≥ v2
2b +(
ab + 1
) (a2ε
2 + εv)
QE
ψ → [(cor ; drive)∗] z ≤ MA
cor ≡ (?MA− z < SB; a :=−b)
∪ (?MA− z ≥ SB; a := 0)
drive ≡ τ := 0; z ′ = v , v ′ = a, τ ′ = 1
& v ≥ 0 ∧ τ ≤ ε
RBC
MAST SBnegot corrfar
∗p` ∀t≥0 (〈v :=−bt + v〉v ≥ 0 → 〈z :=− b
2t2 + vt + z; v :=−bt + v〉p)
p` [z′ = v, v′ = −b & v ≥ 0]pp` 〈a :=−b〉[drive]p
. . .
p, MA−z≥SB` v2 ≤ 2b(MA − εv − z)p, MA−z≥SB` ∀t≥0 (〈τ := t〉τ ≤ ε → 〈z := vt + z〉p)p, MA−z≥SB` 〈τ := 0〉∀t≥0 (〈τ := t + τ〉τ ≤ ε → 〈z := vt + z〉p)p, MA−z≥SB` 〈τ := 0〉[z′ = v, v′ = 0, τ ′ = 1 & τ ≤ ε]pp, MA−z≥SB` 〈a := 0〉〈τ := 0〉[z′ = v, v′ = a, τ ′ = 1 & τ ≤ ε]pp, MA−z≥SB` 〈a := 0〉[drive]p
p` [?MA−z≥SB; a := 0][drive]pp` [cor][drive]pp` [cor ; drive]p
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 11 / 16
![Page 60: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/60.jpg)
Verify Safety in Train Control
v2 ≤ 2b(MA− εv − z)
SB ≥ εv + v2
2b
QE
SB ≥ v2
2b +(
ab + 1
) (a2ε
2 + εv)
QE
ψ → [(cor ; drive)∗] z ≤ MA
cor ≡ (?MA− z < SB; a :=−b)
∪ (?MA− z ≥ SB; a := 0)
drive ≡ τ := 0; z ′ = v , v ′ = a, τ ′ = 1
& v ≥ 0 ∧ τ ≤ ε
RBC
MAST SBnegot corrfar
∗p` ∀t≥0 (〈v :=−bt + v〉v ≥ 0 → 〈z :=− b
2t2 + vt + z; v :=−bt + v〉p)
p` [z′ = v, v′ = −b & v ≥ 0]pp` 〈a :=−b〉[drive]p
. . .
p, MA−z≥SB` v2 ≤ 2b(MA − εv − z)p, MA−z≥SB` ∀t≥0 (〈τ := t〉τ ≤ ε → 〈z := vt + z〉p)p, MA−z≥SB` 〈τ := 0〉∀t≥0 (〈τ := t + τ〉τ ≤ ε → 〈z := vt + z〉p)p, MA−z≥SB` 〈τ := 0〉[z′ = v, v′ = 0, τ ′ = 1 & τ ≤ ε]pp, MA−z≥SB` 〈a := 0〉〈τ := 0〉[z′ = v, v′ = a, τ ′ = 1 & τ ≤ ε]pp, MA−z≥SB` 〈a := 0〉[drive]p
p` [?MA−z≥SB; a := 0][drive]pp` [cor][drive]pp` [cor ; drive]p
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 11 / 16
![Page 61: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/61.jpg)
Verify Safety in Train Control
inv ≡ v2 ≤ 2b(MA− z)
ψ → [(cor ; drive)∗] z ≤ MA
cor ≡ (?MA− z < SB; a :=−b)
∪ (?MA− z ≥ SB; a := 0)
drive ≡ τ := 0; z ′ = v , v ′ = a, τ ′ = 1
& v ≥ 0 ∧ τ ≤ ε
RBC
MAST SBnegot corrfar
∗p` ∀t≥0 (〈v :=−bt + v〉v ≥ 0 → 〈z :=− b
2t2 + vt + z; v :=−bt + v〉p)
p` [z′ = v, v′ = −b & v ≥ 0]pp` 〈a :=−b〉[drive]p
. . .
p, MA−z≥SB` v2 ≤ 2b(MA − εv − z)p, MA−z≥SB` ∀t≥0 (〈τ := t〉τ ≤ ε → 〈z := vt + z〉p)p, MA−z≥SB` 〈τ := 0〉∀t≥0 (〈τ := t + τ〉τ ≤ ε → 〈z := vt + z〉p)p, MA−z≥SB` 〈τ := 0〉[z′ = v, v′ = 0, τ ′ = 1 & τ ≤ ε]pp, MA−z≥SB` 〈a := 0〉〈τ := 0〉[z′ = v, v′ = a, τ ′ = 1 & τ ≤ ε]pp, MA−z≥SB` 〈a := 0〉[drive]p
p` [?MA−z≥SB; a := 0][drive]pp` [cor][drive]pp` [cor ; drive]p
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 11 / 16
![Page 62: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/62.jpg)
Verify Safety in Train Control
inv ≡ v2 ≤ 2b(MA− z)
MA− z
v
ψ → [(cor ; drive)∗] z ≤ MA
cor ≡ (?MA− z < SB; a :=−b)
∪ (?MA− z ≥ SB; a := 0)
drive ≡ τ := 0; z ′ = v , v ′ = a, τ ′ = 1
& v ≥ 0 ∧ τ ≤ ε
RBC
MAST SBnegot corrfar
∗p` ∀t≥0 (〈v :=−bt + v〉v ≥ 0 → 〈z :=− b
2t2 + vt + z; v :=−bt + v〉p)
p` [z′ = v, v′ = −b & v ≥ 0]pp` 〈a :=−b〉[drive]p
. . .
p, MA−z≥SB` v2 ≤ 2b(MA − εv − z)p, MA−z≥SB` ∀t≥0 (〈τ := t〉τ ≤ ε → 〈z := vt + z〉p)p, MA−z≥SB` 〈τ := 0〉∀t≥0 (〈τ := t + τ〉τ ≤ ε → 〈z := vt + z〉p)p, MA−z≥SB` 〈τ := 0〉[z′ = v, v′ = 0, τ ′ = 1 & τ ≤ ε]pp, MA−z≥SB` 〈a := 0〉〈τ := 0〉[z′ = v, v′ = a, τ ′ = 1 & τ ≤ ε]pp, MA−z≥SB` 〈a := 0〉[drive]p
p` [?MA−z≥SB; a := 0][drive]pp` [cor][drive]pp` [cor ; drive]p
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 11 / 16
![Page 63: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/63.jpg)
Verified ETCS Model
system :(poll; (negot ∪ (speedControl; atp; move))
)∗init : drive := 0; brake := 1
poll : SB := v2−d2
2b +(
amaxb + 1
)(amax
2 ε2 + εv); ST := ∗
negot : (?m − z > ST ) ∪ (?m − z ≤ ST ; rbc)rbc : (vdes := ∗; ?vdes > 0) ∪ (state := brake)
∪(dold := d ; mold := m; m := ∗; d := ∗;
?d ≥ 0 ∧ d2old − d2 ≤ 2b(m −mold)
)speedCtrl : (?state = brake; a := −b)
∪(?state = drive;((?v ≤ vdes ; a := ∗; ?− b ≤ a ≤ amax)
∪(?v ≥ vdes ; a := ∗; ?0 > a ≥ − b)))
atp : (?m − z ≤ SB; a := −b) ∪ (?m − z > SB)move : t := 0; {z = v , v = a, t = 1, (v ≥ 0 ∧ t ≤ ε)}
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 12 / 16
![Page 64: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/64.jpg)
Distance Profile
d
m
vdes
vdes
vdes
vdes
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 13 / 16
![Page 65: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/65.jpg)
Distance Profile
d
m
vdes
vdes
vdes
vdes
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 13 / 16
![Page 66: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/66.jpg)
Soundness
Theorem (Soundness)
dL calculus is sound.
x ′ = f (x)
Side deductions
Proposition (Incompleteness)
The discrete or continuous fragments of dL are inherently incomplete.(Yet, reachability in hybrid systems is not semidecidable)
〈(x := x + 1)∗〉 x = n
〈s ′′ = −s, τ ′ = 1〉(s = 0 ∧ τ = n) s = sin
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 14 / 16
![Page 67: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/67.jpg)
Outline
1 Motivation
2 Differential Logic dLDesign MotivesSyntaxTransition SemanticsSpeed Supervision in Train Control
3 Verification Calculus for dLSequent CalculusModular Combination by Side DeductionVerifying Speed Supervision in Train ControlSoundness
4 Conclusions & Future Work
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 14 / 16
![Page 68: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/68.jpg)
Conclusions
differential dynamic logic
dL = DL + HP
Deductively verify hybrid systems
Train control (ETCS) verification
Constructive deduction modulo by sidededuction
Verification tool HyKeY
Parameter discovery
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 15 / 16
![Page 69: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/69.jpg)
Future Work
Prove relative completeness of dL/(ODE + Inv)
Dynamic reconfiguration of system structures
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 16 / 16
![Page 70: Differential Dynamic Logic for Hybrid Systemsi12 fileDifferential Dynamic Logic for Hybrid Systems Andr´e Platzer1,2 1University of Oldenburg, Department of Computing Science, Germany](https://reader030.vdocuments.site/reader030/viewer/2022040417/5d565c5888c993e0768b8350/html5/thumbnails/70.jpg)
J. M. Davoren and A. Nerode.Logics for hybrid systems.Proceedings of the IEEE, 88(7):985–1010, July 2000.
M. Ronkko, A. P. Ravn, and K. Sere.Hybrid action systems.Theor. Comput. Sci., 290(1):937–973, 2003.
W. C. Rounds.A spatial logic for the hybrid π-calculus.In R. Alur and G. J. Pappas, editors, HSCC, volume 2993 of LNCS,pages 508–522. Springer, 2004.
C. Zhou, A. P. Ravn, and M. R. Hansen.An extended duration calculus for hybrid real-time systems.In R. L. Grossman, A. Nerode, A. P. Ravn, and H. Rischel, editors,Hybrid Systems, volume 736 of LNCS, pages 36–59. Springer, 1992.
Andre Platzer (University of Oldenburg) Differential Dynamic Logic for Hybrid Systems KeY’07 16 / 16