quantified differential dynamic logic for distributed hybrid systems › 4a5a ›...

Quantified Differential Dynamic Logicfor

Distributed Hybrid Systems

Andre Platzer

Carnegie Mellon University, Pittsburgh, PA

0.20.4

0.60.8

1.00.1

0.2

0.3

0.4

0.5

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 1 / 16

Outline

1 Motivation

2 Quantified Differential Dynamic Logic QdLDesignSyntaxSemantics

3 Proof Calculus for Distributed Hybrid SystemsCompositional Verification CalculusDeduction Modulo with Free Variables & SkolemizationActual Existence and CreationSoundness and Completeness

4 Conclusions

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 1 / 16

Complex Physical Systems:

Hybrid Systems

Q: I want to verify my car

A: Hybrid systems Q: But there’s a lot of cars!

Challenge

(Hybrid Systems)

Continuous dynamics(differential equations)

Discrete dynamics(control decisions)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 2 / 16

Complex Physical Systems: Hybrid Systems

Q: I want to verify my car A: Hybrid systems

Q: But there’s a lot of cars!

Challenge (Hybrid Systems)

Continuous dynamics(differential equations)

Discrete dynamics(control decisions)

1 2 3 4t

-2

-1

1

2a

1 2 3 4t

0.5

1.0

1.5

2.0

2.5

3.0v

1 2 3 4t

1

2

3

4

5

6z

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 2 / 16

Complex Physical Systems: Hybrid Systems

Q: I want to verify my car A: Hybrid systems Q: But there’s a lot of cars!

Challenge (Hybrid Systems)

Continuous dynamics(differential equations)

Discrete dynamics(control decisions)

1 2 3 4t

-2

-1

1

2a

1 2 3 4t

0.5

1.0

1.5

2.0

2.5

3.0v

1 2 3 4t

1

2

3

4

5

6z

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 2 / 16

Complex Physical Systems:

Distributed Systems

Q: I want to verify a lot of cars

A: Distributed systems Q: But they move!

Challenge

(Distributed Systems)

Local computation(finite state automaton)

Remote communication(network graph)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 3 / 16

Complex Physical Systems: Distributed Systems

Q: I want to verify a lot of cars A: Distributed systems

Q: But they move!

Challenge (Distributed Systems)

Local computation(finite state automaton)

Remote communication(network graph)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 3 / 16

Complex Physical Systems: Distributed Systems

Q: I want to verify a lot of cars A: Distributed systems Q: But they move!

Challenge (Distributed Systems)

Local computation(finite state automaton)

Remote communication(network graph)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 3 / 16

Complex Physical Systems:

Distributed Hybrid Systems

Q: I want to verify lots of moving cars

A: Distributed hybrid systems Q: How?

Challenge

(Distributed Hybrid Systems)

Continuous dynamics(differential equations)

Discrete dynamics(control decisions)

Structural dynamics(remote communication)

Dimensional dynamics(appearance)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 4 / 16

Complex Physical Systems: Distributed Hybrid Systems

Q: I want to verify lots of moving cars A: Distributed hybrid systems

Q: How?

Challenge (Distributed Hybrid Systems)

Continuous dynamics(differential equations)

Discrete dynamics(control decisions)

Structural dynamics(remote communication)

Dimensional dynamics(appearance)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 4 / 16

Complex Physical Systems: Distributed Hybrid Systems

Q: I want to verify lots of moving cars A: Distributed hybrid systems

Q: How?

Challenge (Distributed Hybrid Systems)

Continuous dynamics(differential equations)

Discrete dynamics(control decisions)

Structural dynamics(remote communication)

Dimensional dynamics(appearance)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 4 / 16

Complex Physical Systems: Distributed Hybrid Systems

Q: I want to verify lots of moving cars A: Distributed hybrid systems Q: How?

Challenge (Distributed Hybrid Systems)

Continuous dynamics(differential equations)

Discrete dynamics(control decisions)

Structural dynamics(remote communication)

Dimensional dynamics(appearance)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 4 / 16

State of the Art:

Modeling and Simulation

No formal verification of distributed hybrid systems

Shift [DGV96] The Hybrid SystemSimulation ProgrammingLanguage

R-Charon [KSPL06] ModelingLanguage for ReconfigurableHybrid Systems

Hybrid CSP [CJR95] Semantics inExtended Duration Calculus

HyPA [CR05] Translate fragmentinto normal form.

χ process algebra [vBMR+06]Simulation, translation offragments to PHAVER, UPPAAL

Φ-calculus [Rou04] Semantics in richset theory

ACPsrths [BM05] Modeling languageproposal

OBSHS [MS06] Partial randomsimulation of objects

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 5 / 16

State of the Art: Modeling and Simulation

No formal verification of distributed hybrid systems

Shift [DGV96] The Hybrid SystemSimulation ProgrammingLanguage

R-Charon [KSPL06] ModelingLanguage for ReconfigurableHybrid Systems

Hybrid CSP [CJR95] Semantics inExtended Duration Calculus

HyPA [CR05] Translate fragmentinto normal form.

χ process algebra [vBMR+06]Simulation, translation offragments to PHAVER, UPPAAL

Φ-calculus [Rou04] Semantics in richset theory

ACPsrths [BM05] Modeling languageproposal

OBSHS [MS06] Partial randomsimulation of objects

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 5 / 16

State of the Art: Modeling and Simulation

No formal verification of distributed hybrid systems

Shift [DGV96] The Hybrid SystemSimulation ProgrammingLanguage

R-Charon [KSPL06] ModelingLanguage for ReconfigurableHybrid Systems

Hybrid CSP [CJR95] Semantics inExtended Duration Calculus

HyPA [CR05] Translate fragmentinto normal form.

χ process algebra [vBMR+06]Simulation, translation offragments to PHAVER, UPPAAL

Φ-calculus [Rou04] Semantics in richset theory

ACPsrths [BM05] Modeling languageproposal

OBSHS [MS06] Partial randomsimulation of objects

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 5 / 16

Contributions

1 System model and semantics for distributed hybrid systems: QHP

2 Specification and verification logic: QdL3 Proof calculus for QdL4 First verification approach for distributed hybrid systems

5 Sound and complete axiomatization relative to differential equations

6 Prove collision freedom in a (simple) distributed car control system,where new cars may appear dynamically on the road

7 Logical foundation for analysis of distributed hybrid systems

8 Fundamental extension: first-order x(i) versus primitive x

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 6 / 16

Outline

1 Motivation

2 Quantified Differential Dynamic Logic QdLDesignSyntaxSemantics

3 Proof Calculus for Distributed Hybrid SystemsCompositional Verification CalculusDeduction Modulo with Free Variables & SkolemizationActual Existence and CreationSoundness and Completeness

4 Conclusions

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 6 / 16

Outline (Conceptual Approach)

1 Motivation

2 Quantified Differential Dynamic Logic QdLDesignSyntaxSemantics

3 Proof Calculus for Distributed Hybrid SystemsCompositional Verification CalculusDeduction Modulo with Free Variables & SkolemizationActual Existence and CreationSoundness and Completeness

4 Conclusions

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 6 / 16

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems

A: Quantified Hybrid Programs

Model (Distributed Hybrid Systems)

Continuous dynamics(differential equations)

Discrete dynamics(control decisions)

Structural dynamics(communication/coupling)

Dimensional dynamics(appearance)

n := newCar

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 7 / 16

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems

A: Quantified Hybrid Programs

Model (Distributed Hybrid Systems)

Continuous dynamics(differential equations)

x ′′ = a

Discrete dynamics(control decisions)

Structural dynamics(communication/coupling)

Dimensional dynamics(appearance)

n := newCar

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 7 / 16

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems

A: Quantified Hybrid Programs

Model (Distributed Hybrid Systems)

Continuous dynamics(differential equations)

x ′′ = a

Discrete dynamics(control decisions)

a := if .. thenA else−b

Structural dynamics(communication/coupling)

Dimensional dynamics(appearance)

n := newCar

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 7 / 16

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems

A: Quantified Hybrid Programs

Model (Distributed Hybrid Systems)

Continuous dynamics(differential equations)

x ′′ = a

Discrete dynamics(control decisions)

a := if .. thenA else−b

Structural dynamics(communication/coupling)

Dimensional dynamics(appearance)

n := newCar

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 7 / 16

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems

A: Quantified Hybrid Programs

Model (Distributed Hybrid Systems)

Continuous dynamics(differential equations)

x ′′ = a

Discrete dynamics(control decisions)

a := if .. thenA else−b

Structural dynamics(communication/coupling)

Dimensional dynamics(appearance)

n := newCar

(4) (4) (3) (3) (2) (2) (1) (1)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 7 / 16

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems

A: Quantified Hybrid Programs

Model (Distributed Hybrid Systems)

Continuous dynamics(differential equations)

∀i

x(i)′′ = a(i)

Discrete dynamics(control decisions)

∀i

a(i) := if .. thenA else−b

Structural dynamics(communication/coupling)

Dimensional dynamics(appearance)

n := newCar

(4) (4) (3) (3) (2) (2) (1) (1)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 7 / 16

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems

A: Quantified Hybrid Programs

Model (Distributed Hybrid Systems)

Continuous dynamics(differential equations)∀i x(i)′′ = a(i)

Discrete dynamics(control decisions)

∀i a(i) := if .. thenA else−b

Structural dynamics(communication/coupling)

Dimensional dynamics(appearance)

n := newCar

(4) (4) (3) (3) (2) (2) (1) (1)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 7 / 16

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems

A: Quantified Hybrid Programs

Model (Distributed Hybrid Systems)

Continuous dynamics(differential equations)∀i x(i)′′ = a(i)

Discrete dynamics(control decisions)

∀i a(i) := if .. thenA else−b

Structural dynamics(communication/coupling)

`(i) := carInFrontOf(i)

Dimensional dynamics(appearance)

n := newCar

(4) (4) (3) (3) (2) (2) (1) (1)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 7 / 16

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems A: Quantified Hybrid Programs

Model (Distributed Hybrid Systems)

Continuous dynamics(differential equations)∀i x(i)′′ = a(i)

Discrete dynamics(control decisions)

∀i a(i) := if .. thenA else−b

Structural dynamics(communication/coupling)

`(i) := carInFrontOf(i)

Dimensional dynamics(appearance)

n := newCar

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 7 / 16

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems A: Quantified Hybrid Programs

Model (Distributed Hybrid Systems)

Continuous dynamics(differential equations)∀i x(i)′′ = a(i)

Discrete dynamics(control decisions)

∀i a(i) := if .. thenA else−b

Structural dynamics(communication/coupling)

`(i) := carInFrontOf(i)

Dimensional dynamics(appearance)

n := newCarAndre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 7 / 16

Quantified Differential Dynamic Logic QdL: Syntax

Definition (Quantified hybrid program α)

∀i : C x(s)′ = θ (quantified ODE)∀i : C x(s) := θ (quantified assignment)

}jump & test?χ (conditional execution)

α;β (seq. composition) }Kleene algebraα ∪ β (nondet. choice)

α∗ (nondet. repetition)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 8 / 16

Quantified Differential Dynamic Logic QdL: Syntax

Definition (Quantified hybrid program α)

∀i : C x(s)′ = θ (quantified ODE)∀i : C x(s) := θ (quantified assignment)

}jump & test?χ (conditional execution)

α;β (seq. composition) }Kleene algebraα ∪ β (nondet. choice)

α∗ (nondet. repetition)

DCCS ≡ (ctrl ; drive)∗

appear ≡ n := newC ; ?(∀j : C far(j , n))

ctrl ≡ ∀i : C a(i) := if∀j : C far(i , j) thenA else−b

drive ≡ ∀i : C x(i)′′ = a(i)

newC is definable!

( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 8 / 16

Quantified Differential Dynamic Logic QdL: Syntax

Definition (Quantified hybrid program α)

∀i : C x(s)′ = θ (quantified ODE)∀i : C x(s) := θ (quantified assignment)

}jump & test?χ (conditional execution)

α;β (seq. composition) }Kleene algebraα ∪ β (nondet. choice)

α∗ (nondet. repetition)

DCCS ≡ (appear ; ctrl ; drive)∗

appear ≡ n := newC ; ?(∀j : C far(j , n))

ctrl ≡ ∀i : C a(i) := if∀j : C far(i , j) thenA else−b

drive ≡ ∀i : C x(i)′′ = a(i)

newC is definable!

( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 8 / 16

Quantified Differential Dynamic Logic QdL: Syntax

Definition (Quantified hybrid program α)

∀i : C x(s)′ = θ (quantified ODE)∀i : C x(s) := θ (quantified assignment)

}jump & test?χ (conditional execution)

α;β (seq. composition) }Kleene algebraα ∪ β (nondet. choice)

α∗ (nondet. repetition)

DCCS ≡ (appear ; ctrl ; drive)∗

appear ≡ n := newC ; ?(∀j : C far(j , n))

ctrl ≡ ∀i : C a(i) := if∀j : C far(i , j) thenA else−b

drive ≡ ∀i : C x(i)′′ = a(i)

newC is definable!

( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 8 / 16

Quantified Differential Dynamic Logic QdL: Syntax

Definition (QdL Formula φ)

¬,∧,∨,→, ∀x ,∃x , =,≤, +, · (R-first-order part)[α]φ, 〈α〉φ (dynamic part)

∀i , j : C far(i , j)→ [(appear ; ctrl ; drive)∗] ∀i 6=j : C x(i) 6= x(j)

far(i , j) ≡ i 6= j → x(i) < x(j) ∧ v(i) ≤ v(j) ∧ a(i) ≤ a(j)

∨ x(i) > x(j) ∧ v(i) ≥ v(j) ∧ a(i) ≥ a(j) . . .

( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 8 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics)

v w∀i : C x(s) := θ

Details

t

x

0

v

wif w(x)(v e

i [[s]]) = v ei [[θ]] (for all e)

and otherwise unchanged

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 9 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics)

v w∀i : C x(s)′ = θ

∧ χ

Details

t

x

χ

w

v

ϕ(t)

∀i x(s)′ = θ

dϕ(t)ei [[x(s)]]

dt(ζ) = ϕ(ζ)ei [[θ]] (for all e)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 9 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics)

v s w

α;β

α β

Details

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 9 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics)

v s w

α;β

α β

Details

t

x

s

v w

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 9 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics)

v s w

α;β

α β

Details

t

x

s

v w

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 9 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics)

v s1 s2 sn w

α∗

α α α

Details

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 9 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics)

v s1 s2 sn w

α∗

α α α

Details

t

xv

w

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 9 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics)

v

w1

w2

α

β

α ∪ β

Details

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 9 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics)

v

w1

w2

α

β

α ∪ β

Details

t

xv w1

w2

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 9 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics)

v

?χ

if v |= χ

if v 6|= χ

Details

t

x

0

v no change if v |= χotherwise no transition

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 9 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics)

v

?χ

if v |= χ

if v 6|= χ

Details

t

x

0

v no change if v |= χotherwise no transition

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 9 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (QdL Formula φ)

v[α]φ

φ

φ

φ

α-span

[α]φ

〈β〉φ

β-span

〈β〉[α

]-sp

an

Details

compositional semantics ⇒ compositional calculus!

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 10 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (QdL Formula φ)

v〈α〉φ

φ

α-span

[α]φ

〈β〉φ

β-span

〈β〉[α

]-sp

an

Details

compositional semantics ⇒ compositional calculus!

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 10 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (QdL Formula φ)

v α-span

[α]φ

〈β〉φ

β-span

〈β〉[α

]-sp

an

Details

compositional semantics ⇒ compositional calculus!

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 10 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (QdL Formula φ)

v α-span

[α]φ

〈β〉φ

β-span

〈β〉[α

]-sp

an

Details

compositional semantics ⇒ compositional calculus!

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 10 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (QdL Formula φ)

v α-span

[α]φ

〈β〉φ

β-span

〈β〉[α

]-sp

an

Details

compositional semantics ⇒ compositional calculus!

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 10 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (QdL Formula φ)

v α-span

[α]φ

〈β〉φ

β-span

〈β〉[α

]-sp

an

Details

compositional semantics ⇒ compositional calculus!

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 10 / 16

Outline (Verification Approach)

1 Motivation

2 Quantified Differential Dynamic Logic QdLDesignSyntaxSemantics

3 Proof Calculus for Distributed Hybrid SystemsCompositional Verification CalculusDeduction Modulo with Free Variables & SkolemizationActual Existence and CreationSoundness and Completeness

4 Conclusions

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 10 / 16

Proof Calculus for Quantified Differential Dynamic Logic

if ∃i s = u then∀i (s = u → φ(θ)) elseφ(x(u))

φ([∀i x(s) := θ︸ ︷︷ ︸]x(u))

v w∀i x(s) := θ

φ

∃t≥0 〈∀i S(t)〉φ〈∀i x(s)′ = θ〉φ

v w∀i x(s)′ = θ

φ

∀i S(t)

∃t≥0 (χ ∧ 〈x := yx(t)〉φ)

〈x ′ = f (x)〉φ

v wx ′ = f (x)

φ

x := yx(t)x := yx (s)

χ

χ ≡ ∀0≤s≤t 〈x := yx(s)〉χ

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 11 / 16

Proof Calculus for Quantified Differential Dynamic Logic

if ∃i s = u then∀i (s = u → φ(θ)) elseφ(x(u))

φ([∀i x(s) := θ︸ ︷︷ ︸]x(u))

v w∀i x(s) := θ

φ

∃t≥0 〈∀i S(t)〉φ〈∀i x(s)′ = θ〉φ

v w∀i x(s)′ = θ

φ

∀i S(t)

∃t≥0 (χ ∧ 〈x := yx(t)〉φ)

〈x ′ = f (x)〉φ

v wx ′ = f (x)

φ

x := yx(t)x := yx (s)

χ

χ ≡ ∀0≤s≤t 〈x := yx(s)〉χ

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 11 / 16

Proof Calculus for Quantified Differential Dynamic Logic

if ∃i s = u then∀i (s = u → φ(θ)) elseφ(x(u))

φ([∀i x(s) := θ︸ ︷︷ ︸]x(u))

v w∀i x(s) := θ

φ

∃t≥0 〈∀i S(t)〉φ〈∀i x(s)′ = θ〉φ

v w∀i x(s)′ = θ

φ

∀i S(t)

∃t≥0 (χ ∧ 〈x := yx(t)〉φ)

〈x ′ = f (x)〉φ

v wx ′ = f (x)

φ

x := yx(t)x := yx (s)

χ

χ ≡ ∀0≤s≤t 〈x := yx(s)〉χ

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 11 / 16

Proof Calculus for Quantified Differential Dynamic Logic

if ∃i s = u then∀i (s = u → φ(θ)) elseφ(x(u))

φ([∀i x(s) := θ︸ ︷︷ ︸]x(u))

v w∀i x(s) := θ

φ

∃t≥0 〈∀i S(t)〉φ〈∀i x(s)′ = θ〉φ

v w∀i x(s)′ = θ

φ

∀i S(t)

∃t≥0 (χ ∧ 〈x := yx(t)〉φ)

〈x ′ = f (x)〉φ

v wx ′ = f (x)

φ

x := yx(t)x := yx (s)

χ

χ ≡ ∀0≤s≤t 〈x := yx(s)〉χ

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 11 / 16

Proof Calculus for Quantified Differential Dynamic Logic

if ∃i s = [A]u then∀i (s = [A]u → φ(θ)) elseφ(x([A]u))

φ([∀i x(s) := θ︸ ︷︷ ︸A

]x(u))

v w∀i x(s) := θ

φ

∃t≥0 〈∀i S(t)〉φ〈∀i x(s)′ = θ〉φ

v w∀i x(s)′ = θ

φ

∀i S(t)

∃t≥0 (χ ∧ 〈x := yx(t)〉φ)

〈x ′ = f (x)〉φ

v wx ′ = f (x)

φ

x := yx(t)x := yx (s)

χ

χ ≡ ∀0≤s≤t 〈x := yx(s)〉χ

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 11 / 16

Proof Calculus for Quantified Differential Dynamic Logic

if ∃i s = [A]u then∀i (s = [A]u → φ(θ)) elseφ(x([A]u))

φ([∀i x(s) := θ︸ ︷︷ ︸A

]x(u))

v w∀i x(s) := θ

φ

∃t≥0 〈∀i S(t)〉φ〈∀i x(s)′ = θ〉φ

v w∀i x(s)′ = θ

φ

∀i S(t)

∃t≥0 (χ ∧ 〈x := yx(t)〉φ)

〈x ′ = f (x)〉φ

v wx ′ = f (x)

φ

x := yx(t)x := yx (s)

χ

χ ≡ ∀0≤s≤t 〈x := yx(s)〉χ

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 11 / 16

Proof Calculus for Quantified Differential Dynamic Logic

if ∃i s = [A]u then∀i (s = [A]u → φ(θ)) elseφ(x([A]u))

φ([∀i x(s) := θ︸ ︷︷ ︸A

]x(u))

v w∀i x(s) := θ

φ

∃t≥0 〈∀i S(t)〉φ〈∀i x(s)′ = θ〉φ

v w∀i x(s)′ = θ

φ∀i S(t)

∃t≥0 (χ ∧ 〈x := yx(t)〉φ)

〈x ′ = f (x)〉φ

v wx ′ = f (x)

φ

x := yx(t)x := yx (s)

χ

χ ≡ ∀0≤s≤t 〈x := yx(s)〉χ

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 11 / 16

Proof Calculus for Quantified Differential Dynamic Logic

compositional semantics ⇒ compositional rules!

[α]φ ∧ [β]φ

[α ∪ β]φv

w1

w2

αφ

βφ

α ∪ β

[α][β]φ

[α;β]φv s w

α;β

[α][β]φα

[β]φβ

φ

φ (φ→ [α]φ)

[α∗]φ v w

α∗

φ

α

φ→ [α]φ

α α

φ

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 12 / 16

Proof Calculus for Quantified Differential Dynamic Logic

[α]φ ∧ [β]φ

[α ∪ β]φv

w1

w2

αφ

βφ

α ∪ β

[α][β]φ

[α;β]φv s w

α;β

[α][β]φα

[β]φβ

φ

φ (φ→ [α]φ)

[α∗]φ v w

α∗

φ

α

φ→ [α]φ

α α

φ

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 12 / 16

Proof Calculus for Quantified Differential Dynamic Logic

[α]φ ∧ [β]φ

[α ∪ β]φv

w1

w2

αφ

βφ

α ∪ β

[α][β]φ

[α;β]φv s w

α;β

[α][β]φα

[β]φβ

φ

φ (φ→ [α]φ)

[α∗]φ v w

α∗

φ

α

φ→ [α]φ

α α

φ

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 12 / 16

Proof Calculus for Quantified Differential Dynamic Logic

[α]φ ∧ [β]φ

[α ∪ β]φv

w1

w2

αφ

βφ

α ∪ β

[α][β]φ

[α;β]φv s w

α;β

[α][β]φα

[β]φβ

φ

φ (φ→ [α]φ)

[α∗]φ v w

α∗

φ

α

φ→ [α]φ

α α

φ

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 12 / 16

Deduction Modulo with Free Variables & Skolemization

∀i 6=j x(i)6=x(j) →∀j 6=k

QE

∀s≥0(−b2 s2 + v(j)s + x(j) 6= −b

2 s2 + v(k)s + x(k))

∀i 6=j x(i)6=x(j),s≥0 →∀j 6=k (−b2 s2 + v(j)s + x(j) 6= −b

2 s2 + v(k)s + x(k))

∀i 6=j x(i)6=x(j),s≥0 →[∀i x(i) :=−b2 s2 + v(i)s + x(i)]∀j 6=k x(j) 6=x(k)

∀i 6=j x(i)6=x(j) →s≥0→ [∀i x(i) :=−b2 s2 + v(i)s + x(i)]∀j 6=k x(j)6=x(k)

∀i 6=j x(i)6=x(j) →∀t≥0 [∀i x(i) :=−b2 t2 + v(i)t + x(i)]∀j 6=k x(j)6=x(k)

∀i 6=j x(i)6=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b]∀j 6=k x(j) 6=x(k)

∀i 6=j x(i) 6=x(j)→ [∀i x(i)′′ = −b]∀j 6=k x(j)6=x(k)

( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 13 / 16

Deduction Modulo with Free Variables & Skolemization

∀i 6=j x(i)6=x(j) →∀j 6=k

QE

∀s≥0(−b2 s2 + v(j)s + x(j) 6= −b

2 s2 + v(k)s + x(k))

∀i 6=j x(i)6=x(j),s≥0 →∀j 6=k (−b2 s2 + v(j)s + x(j) 6= −b

2 s2 + v(k)s + x(k))

∀i 6=j x(i)6=x(j),s≥0 →[∀i x(i) :=−b2 s2 + v(i)s + x(i)]∀j 6=k x(j) 6=x(k)

∀i 6=j x(i)6=x(j) →s≥0→ [∀i x(i) :=−b2 s2 + v(i)s + x(i)]∀j 6=k x(j)6=x(k)

∀i 6=j x(i)6=x(j) →∀t≥0 [∀i x(i) :=−b2 t2 + v(i)t + x(i)]∀j 6=k x(j)6=x(k)

∀i 6=j x(i)6=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j 6=k x(j) 6=x(k)

∀i 6=j x(i) 6=x(j)→ [∀i x(i)′′ = −b]∀j 6=k x(j)6=x(k)

( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 13 / 16

Deduction Modulo with Free Variables & Skolemization

∀i 6=j x(i)6=x(j) →∀j 6=k

QE

∀s≥0(−b2 s2 + v(j)s + x(j) 6= −b

2 s2 + v(k)s + x(k))

∀i 6=j x(i)6=x(j),s≥0 →∀j 6=k (−b2 s2 + v(j)s + x(j) 6= −b

2 s2 + v(k)s + x(k))

∀i 6=j x(i)6=x(j),s≥0 →[∀i x(i) :=−b2 s2 + v(i)s + x(i)]∀j 6=k x(j) 6=x(k)

∀i 6=j x(i)6=x(j) →s≥0→ [∀i x(i) :=−b2 s2 + v(i)s + x(i)]∀j 6=k x(j)6=x(k)

∀i 6=j x(i)6=x(j) →∀t≥0 [∀i x(i) :=−b2 t2 + v(i)t + x(i)]∀j 6=k x(j)6=x(k)

∀i 6=j x(i)6=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j 6=k x(j) 6=x(k)

∀i 6=j x(i) 6=x(j)→ [∀i x(i)′′ = −b]∀j 6=k x(j)6=x(k)

( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 13 / 16

Deduction Modulo with Free Variables & Skolemization

∀i 6=j x(i)6=x(j) →∀j 6=k

QE

∀s≥0(−b2 s2 + v(j)s + x(j) 6= −b

2 s2 + v(k)s + x(k))

∀i 6=j x(i)6=x(j),s≥0 →∀j 6=k (−b2 s2 + v(j)s + x(j) 6= −b

2 s2 + v(k)s + x(k))

∀i 6=j x(i)6=x(j),s≥0 →[∀i x(i) :=−b2 s2 + v(i)s + x(i)]∀j 6=k x(j) 6=x(k)

∀i 6=j x(i)6=x(j) →s≥0→ [∀i x(i) :=−b2 s2 + v(i)s + x(i)]∀j 6=k x(j)6=x(k)

∀i 6=j x(i)6=x(j) →∀t≥0 [∀i x(i) :=−b2 t2 + v(i)t + x(i)]∀j 6=k x(j)6=x(k)

∀i 6=j x(i)6=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j 6=k x(j) 6=x(k)

∀i 6=j x(i) 6=x(j)→ [∀i x(i)′′ = −b]∀j 6=k x(j)6=x(k)

( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 13 / 16

Deduction Modulo with Free Variables & Skolemization

∀i 6=j x(i)6=x(j) →∀j 6=k

QE

∀s≥0(−b2 s2 + v(j)s + x(j) 6= −b

2 s2 + v(k)s + x(k))

∀i 6=j x(i)6=x(j),s≥0 →∀j 6=k (−b2 s2 + v(j)s + x(j) 6= −b

2 s2 + v(k)s + x(k))

∀i 6=j x(i)6=x(j),s≥0 →[∀i x(i) :=−b2 s2 + v(i)s + x(i)]∀j 6=k x(j) 6=x(k)

∀i 6=j x(i)6=x(j) →s≥0→ [∀i x(i) :=−b2 s2 + v(i)s + x(i)]∀j 6=k x(j)6=x(k)

∀i 6=j x(i)6=x(j) →∀t≥0 [∀i x(i) :=−b2 t2 + v(i)t + x(i)]∀j 6=k x(j)6=x(k)

∀i 6=j x(i)6=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j 6=k x(j) 6=x(k)

∀i 6=j x(i) 6=x(j)→ [∀i x(i)′′ = −b]∀j 6=k x(j)6=x(k)

( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 13 / 16

Deduction Modulo with Free Variables & Skolemization

∀i 6=j x(i)6=x(j) →∀j 6=k

QE

∀s≥0(−b2 s2 + v(j)s + x(j) 6= −b

2 s2 + v(k)s + x(k))

∀i 6=j x(i)6=x(j),s≥0 →∀j 6=k (−b2 s2 + v(j)s + x(j) 6= −b

2 s2 + v(k)s + x(k))

∀i 6=j x(i)6=x(j),s≥0 →[∀i x(i) :=−b2 s2 + v(i)s + x(i)]∀j 6=k x(j) 6=x(k)

∀i 6=j x(i)6=x(j) →s≥0→ [∀i x(i) :=−b2 s2 + v(i)s + x(i)]∀j 6=k x(j)6=x(k)

∀i 6=j x(i)6=x(j) →∀t≥0 [∀i x(i) :=−b2 t2 + v(i)t + x(i)]∀j 6=k x(j)6=x(k)

∀i 6=j x(i)6=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j 6=k x(j) 6=x(k)

∀i 6=j x(i) 6=x(j)→ [∀i x(i)′′ = −b]∀j 6=k x(j)6=x(k)

( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 13 / 16

Deduction Modulo with Free Variables & Skolemization

∀i 6=j x(i)6=x(j) →∀j 6=k

QE

∀s≥0(−b2 s2 + v(j)s + x(j) 6= −b

2 s2 + v(k)s + x(k))

∀i 6=j x(i)6=x(j),s≥0 →∀j 6=k (−b2 s2 + v(j)s + x(j) 6= −b

2 s2 + v(k)s + x(k))

∀i 6=j x(i)6=x(j),s≥0 →[∀i x(i) :=−b2 s2 + v(i)s + x(i)]∀j 6=k x(j) 6=x(k)

∀i 6=j x(i)6=x(j) →s≥0→ [∀i x(i) :=−b2 s2 + v(i)s + x(i)]∀j 6=k x(j)6=x(k)

∀i 6=j x(i)6=x(j) →∀t≥0 [∀i x(i) :=−b2 t2 + v(i)t + x(i)]∀j 6=k x(j)6=x(k)

∀i 6=j x(i)6=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j 6=k x(j) 6=x(k)

∀i 6=j x(i) 6=x(j)→ [∀i x(i)′′ = −b]∀j 6=k x(j)6=x(k)

( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 13 / 16

Deduction Modulo with Free Variables & Skolemization

∀i 6=j x(i)6=x(j) →∀j 6=k QE∀s≥0(−b2 s2 + v(j)s + x(j) 6= −b

2 s2 + v(k)s + x(k))

∀i 6=j x(i)6=x(j),s≥0 →∀j 6=k (−b2 s2 + v(j)s + x(j) 6= −b

2 s2 + v(k)s + x(k))

∀i 6=j x(i)6=x(j),s≥0 →[∀i x(i) :=−b2 s2 + v(i)s + x(i)]∀j 6=k x(j) 6=x(k)

∀i 6=j x(i)6=x(j) →s≥0→ [∀i x(i) :=−b2 s2 + v(i)s + x(i)]∀j 6=k x(j)6=x(k)

∀i 6=j x(i)6=x(j) →∀t≥0 [∀i x(i) :=−b2 t2 + v(i)t + x(i)]∀j 6=k x(j)6=x(k)

∀i 6=j x(i)6=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j 6=k x(j) 6=x(k)

∀i 6=j x(i) 6=x(j)→ [∀i x(i)′′ = −b]∀j 6=k x(j)6=x(k)

( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 13 / 16

Deduction Modulo with Free Variables & Skolemization

∀i 6=j x(i)6=x(j) →∀j 6=k (x(j)≤x(k)∧v(j)≤v(k) ∨ x(j)≥x(k)∧v(j)≥v(k))

∀i 6=j x(i)6=x(j),s≥0 →∀j 6=k (−b2 s2 + v(j)s + x(j) 6= −b

2 s2 + v(k)s + x(k))

∀i 6=j x(i)6=x(j),s≥0 →[∀i x(i) :=−b2 s2 + v(i)s + x(i)]∀j 6=k x(j) 6=x(k)

∀i 6=j x(i)6=x(j) →s≥0→ [∀i x(i) :=−b2 s2 + v(i)s + x(i)]∀j 6=k x(j)6=x(k)

∀i 6=j x(i)6=x(j) →∀t≥0 [∀i x(i) :=−b2 t2 + v(i)t + x(i)]∀j 6=k x(j)6=x(k)

∀i 6=j x(i)6=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j 6=k x(j) 6=x(k)

∀i 6=j x(i) 6=x(j)→ [∀i x(i)′′ = −b]∀j 6=k x(j)6=x(k)

( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 13 / 16

Deduction Modulo with Free Variables & Skolemization

∀X ,Y ,V ,W (X 6=Y → X≤Y∧V≤W ∨ X≥Y∧V≥W )

∀i 6=j x(i)6=x(j) →∀j 6=k (x(j)≤x(k)∧v(j)≤v(k) ∨ x(j)≥x(k)∧v(j)≥v(k))

∀i 6=j x(i)6=x(j),s≥0 →∀j 6=k (−b2 s2 + v(j)s + x(j) 6= −b

2 s2 + v(k)s + x(k))

∀i 6=j x(i)6=x(j),s≥0 →[∀i x(i) :=−b2 s2 + v(i)s + x(i)]∀j 6=k x(j) 6=x(k)

∀i 6=j x(i)6=x(j) →s≥0→ [∀i x(i) :=−b2 s2 + v(i)s + x(i)]∀j 6=k x(j)6=x(k)

∀i 6=j x(i)6=x(j) →∀t≥0 [∀i x(i) :=−b2 t2 + v(i)t + x(i)]∀j 6=k x(j)6=x(k)

∀i 6=j x(i)6=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j 6=k x(j) 6=x(k)

∀i 6=j x(i) 6=x(j)→ [∀i x(i)′′ = −b]∀j 6=k x(j)6=x(k)

( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 13 / 16

Deduction Modulo with Free Variables & Skolemization

∀X ,Y ,V ,W (X 6=Y → X≤Y∧V≤W ∨ X≥Y∧V≥W )

∀i 6=j x(i)6=x(j) →∀j 6=k (x(j)≤x(k)∧v(j)≤v(k) ∨ x(j)≥x(k)∧v(j)≥v(k))

∀i 6=j x(i)6=x(j),s≥0 →∀j 6=k (−b2 s2 + v(j)s + x(j) 6= −b

2 s2 + v(k)s + x(k))

∀i 6=j x(i)6=x(j),s≥0 →[∀i x(i) :=−b2 s2 + v(i)s + x(i)]∀j 6=k x(j) 6=x(k)

∀i 6=j x(i)6=x(j) →s≥0→ [∀i x(i) :=−b2 s2 + v(i)s + x(i)]∀j 6=k x(j)6=x(k)

∀i 6=j x(i)6=x(j) →∀t≥0 [∀i x(i) :=−b2 t2 + v(i)t + x(i)]∀j 6=k x(j)6=x(k)

∀i 6=j x(i)6=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j 6=k x(j) 6=x(k)

∀i 6=j x(i) 6=x(j)→ [∀i x(i)′′ = −b]∀j 6=k x(j)6=x(k)

( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 13 / 16

Actual Existence and Creation

Actual Existence Function

∃

(·)

∃

(i) =

{0 if i denotes a possible object

1 if i denotes an actively existing objects

[(∀j : C n := j);

?(

∃

(n) = 0);

∃

(n) := 1

]φ

[n := newC ]φ

∀i : C ! φ ≡ ∀i : C (

∃

(i) = 1→ φ)

∀i : C ! f (s) := θ ≡ ∀i : C f (s) := (if

∃

(i) = 1 then θ else f (s))

∀i : C ! f (s)′ = θ ≡ ∀i : C f (s)′ =

∃

(i)θ

( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 14 / 16

Actual Existence and Creation

Actual Existence Function

∃

(·)

∃

(i) =

{0 if i denotes a possible object

1 if i denotes an actively existing objects

[(∀j : C n := j);

?(

∃

(n) = 0);

∃

(n) := 1

]φ

[n := newC ]φ

∀i : C ! φ ≡ ∀i : C (

∃

(i) = 1→ φ)

∀i : C ! f (s) := θ ≡ ∀i : C f (s) := (if

∃

(i) = 1 then θ else f (s))

∀i : C ! f (s)′ = θ ≡ ∀i : C f (s)′ =

∃

(i)θ

( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 14 / 16

Actual Existence and Creation

Actual Existence Function

∃

(·)

∃

(i) =

{0 if i denotes a possible object

1 if i denotes an actively existing objects

[(∀j : C n := j);

?(

∃

(n) = 0);

∃

(n) := 1

]φ

[n := newC ]φ

∀i : C ! φ ≡ ∀i : C (

∃

(i) = 1→ φ)

∀i : C ! f (s) := θ ≡ ∀i : C f (s) := (if

∃

(i) = 1 then θ else f (s))

∀i : C ! f (s)′ = θ ≡ ∀i : C f (s)′ =

∃

(i)θ

( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 14 / 16

Actual Existence and Creation

Actual Existence Function

∃

(·)

∃

(i) =

{0 if i denotes a possible object

1 if i denotes an actively existing objects

[(∀j : C n := j); ?(

∃

(n) = 0);

∃

(n) := 1

]φ

[n := newC ]φ

∀i : C ! φ ≡ ∀i : C (

∃

(i) = 1→ φ)

∀i : C ! f (s) := θ ≡ ∀i : C f (s) := (if

∃

(i) = 1 then θ else f (s))

∀i : C ! f (s)′ = θ ≡ ∀i : C f (s)′ =

∃

(i)θ

( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 14 / 16

Actual Existence and Creation

Actual Existence Function

∃

(·)

∃

(i) =

{0 if i denotes a possible object

1 if i denotes an actively existing objects

[(∀j : C n := j); ?(

∃

(n) = 0);

∃

(n) := 1]φ

[n := newC ]φ

∀i : C ! φ ≡ ∀i : C (

∃

(i) = 1→ φ)

∀i : C ! f (s) := θ ≡ ∀i : C f (s) := (if

∃

(i) = 1 then θ else f (s))

∀i : C ! f (s)′ = θ ≡ ∀i : C f (s)′ =

∃

(i)θ

( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 14 / 16

Actual Existence and Creation

Actual Existence Function

∃

(·)

∃

(i) =

{0 if i denotes a possible object

1 if i denotes an actively existing objects

[(∀j : C n := j); ?(

∃

(n) = 0);

∃

(n) := 1]φ

[n := newC ]φ

∀i : C ! φ ≡ ∀i : C (

∃

(i) = 1→ φ)

∀i : C ! f (s) := θ ≡ ∀i : C f (s) := (if

∃

(i) = 1 then θ else f (s))

∀i : C ! f (s)′ = θ ≡ ∀i : C f (s)′ =

∃

(i)θ ( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 14 / 16

Soundness and Completeness

Theorem (Relative Completeness)

QdL calculus is a sound & complete axiomatisation of distributed hybridsystems relative to quantified differential equations. Proof 16p.

Corollary (Proof-theoretical Alignment)

proving distributed hybrid systems = proving dynamical systems!

Corollary (Yes, we can!)

distributed hybrid systems can be verified by recursive decomposition

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 15 / 16

Soundness and Completeness

Theorem (Relative Completeness)

QdL calculus is a sound & complete axiomatisation of distributed hybridsystems relative to quantified differential equations. Proof 16p.

Corollary (Proof-theoretical Alignment)

proving distributed hybrid systems = proving dynamical systems!

Corollary (Yes, we can!)

distributed hybrid systems can be verified by recursive decomposition

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 15 / 16

Soundness and Completeness

Theorem (Relative Completeness)

QdL calculus is a sound & complete axiomatisation of distributed hybridsystems relative to quantified differential equations. Proof 16p.

Corollary (Proof-theoretical Alignment)

proving distributed hybrid systems = proving dynamical systems!

Corollary (Yes, we can!)

distributed hybrid systems can be verified by recursive decomposition

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 15 / 16

Outline

1 Motivation

2 Quantified Differential Dynamic Logic QdLDesignSyntaxSemantics

3 Proof Calculus for Distributed Hybrid SystemsCompositional Verification CalculusDeduction Modulo with Free Variables & SkolemizationActual Existence and CreationSoundness and Completeness

4 Conclusions

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 15 / 16

Conclusions

quantified differential dynamic logic

QdL = FOL + DL + QHP[α]φ φ

α

Distributed hybrid systems everywhere

System model and semantics

Logic for distributed hybrid systems

Compositional proof calculus

First verification approach

Sound & complete / diff. eqn.

Simple distributed car control verified

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 16 / 16

Conclusions

quantified differential dynamic logic

QdL = FOL + DL + QHP[α]φ φ

α

Distributed hybrid systems everywhere

System model and semantics

Logic for distributed hybrid systems

Compositional proof calculus

First verification approach

Sound & complete / diff. eqn.

Simple distributed car control verified

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 16 / 16

Jan A. Bergstra and C. A. Middelburg.Process algebra for hybrid systems.Theor. Comput. Sci., 335(2-3):215–280, 2005.

Zhou Chaochen, Wang Ji, and Anders P. Ravn.A formal description of hybrid systems.In Rajeev Alur, Thomas A. Henzinger, and Eduardo D. Sontag,editors, Hybrid Systems, volume 1066 of LNCS, pages 511–530.Springer, 1995.

Pieter J. L. Cuijpers and Michel A. Reniers.Hybrid process algebra.J. Log. Algebr. Program., 62(2):191–245, 2005.

Akash Deshpande, Aleks Gollu, and Pravin Varaiya.SHIFT: A formalism and a programming language for dynamicnetworks of hybrid automata.In Panos J. Antsaklis, Wolf Kohn, Anil Nerode, and Shankar Sastry,editors, Hybrid Systems, volume 1273 of LNCS, pages 113–133.Springer, 1996.

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 16 / A

Joao P. Hespanha and Ashish Tiwari, editors.Hybrid Systems: Computation and Control, 9th InternationalWorkshop, HSCC 2006, Santa Barbara, CA, USA, March 29-31, 2006,Proceedings, volume 3927 of LNCS. Springer, 2006.

Fabian Kratz, Oleg Sokolsky, George J. Pappas, and Insup Lee.R-Charon, a modeling language for reconfigurable hybrid systems.In Hespanha and Tiwari [HT06], pages 392–406.

Jose Meseguer and Raman Sharykin.Specification and analysis of distributed object-based stochastic hybridsystems.In Hespanha and Tiwari [HT06], pages 460–475.

Andre Platzer.Quantified differential dynamic logic for distributed hybrid systems.In Anuj Dawar and Helmut Veith, editors, CSL, volume 6247 of LNCS,pages 469–483. Springer, 2010.

Andre Platzer.

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 16 / A

A complete axiomatization of quantified differential dynamic logic fordistributed hybrid systems.Logical Methods in Computer Science, 2012.Special issue for selected papers from CSL’10.

William C. Rounds.A spatial logic for the hybrid π-calculus.In Rajeev Alur and George J. Pappas, editors, HSCC, volume 2993 ofLNCS, pages 508–522. Springer, 2004.

D. A. van Beek, Ka L. Man, Michel A. Reniers, J. E. Rooda, andRamon R. H. Schiffelers.Syntax and consistent equation semantics of hybrid Chi.J. Log. Algebr. Program., 68(1-2):129–210, 2006.

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 16 / A