KeYmaera X TutorialTactics and Proofs for Cyber-Physical Systems

Nathan Fulton Stefan Mitsch Andre Platzer

http://keymaeraX.org/

Computer Science DepartmentCarnegie Mellon University, Pittsburgh, PA

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 1 / 41

Outline

1 KeYmaera X OverviewTutorial Objectives

2 Differential Dynamic Logic for Hybrid SystemsSyntax: Notation for Verification QuestionsSemantics: Meaning of the SyntaxExample: Car Control DesignExample: Branching Structure

3 Proofs for CPSCompositional Proof CalculusExample: Safe Car Control

4 Differential Invariants for Differential EquationsDifferential InvariantsExample: Elementary Differential InvariantsExample: Ground Robots

5 Synthesize Monitors6 Case Studies7 Summary

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 1 / 41

Outline

1 KeYmaera X OverviewTutorial Objectives

2 Differential Dynamic Logic for Hybrid SystemsSyntax: Notation for Verification QuestionsSemantics: Meaning of the SyntaxExample: Car Control DesignExample: Branching Structure

3 Proofs for CPSCompositional Proof CalculusExample: Safe Car Control

4 Differential Invariants for Differential EquationsDifferential InvariantsExample: Elementary Differential InvariantsExample: Ground Robots

5 Synthesize Monitors6 Case Studies7 Summary

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 1 / 41

Correctness Questions in Cyber-Physical System Design

Safety The system must be safe under all circumstances

Liveness The system must reach a given goal

How do we make cyber-physical systems safe?

Extensive testing?Code reviews?

When are we done? How many test cases areenough? Did we cover all relevant tests?

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 2 / 41

Benefits of Logical Foundations for CPS V & V

Proofs LICS’12,JAR’16

Safety Formalize system properties: What is “Safe”? “Reach goal”?

Models Formalize system models, clarify behavior

Assumptions Make assumptions explicit rather than silently

Predictions Safety analysis predicts behavior for infinitely many cases

Constraints Reveal invariants, switching conditions, operating conditions

Design Invariants/proofs guide safe controller design

Byproducts

Analysis Determine design trade-offs & feasibility early arXiv

Synthesis Turn models into code & safety monitors ModelPlex

Certificate Proofs as evidence for certification CPP’16

Tools

KeYmaera X aXiomatic Tactical Theorem Prover for CPS CADE’15

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 3 / 41

An aXiomatic Tactical Theorem Prover for CPS

KeYmaera X http://keymaeraX.org/

CADE’15Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 4 / 41

An aXiomatic Tactical Theorem Prover for CPS

KeYmaera X http://keymaeraX.org/

Small Core Increases trust, modularity, enables experimentation (1652)

Tactics Bridging between small core and (Hilbert)powerful reasoning steps (Sequent)

Separation Tactics can make courageous inferencesCore establishes soundness

Search&Do Search-based tactics follow proof search strategiesConstructive tactics directly build a proof

Interaction Interactive proofs mixed with tactical proofs and proof search

Extensible Flexible for new algorithms, new tactics, new logics, newproof rules, new axioms, . . .

Customize Modular user interface, API

CADE’15Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 4 / 41

KeYmaera X Microkernel for Soundness

≈LOC

KeYmaera X 1 652KeYmaera 65 989

KeY 51 328Nuprl 15 000 + 50 000MetaPRL 8 196Isabelle/Pure 8 913Coq 16 538HOL Light 396

PHAVer 30 000HSolver 20 000SpaceEx 100 000Flow∗ 25 000dReal 50 000 + millionsHyCreate2 6 081 + user model analysis

Disclaimer: Self-reported estimates of the soundness-critical lines of code + rules

hybridprover

Java

generalmath

hybridverifier

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 5 / 41

CPS Analysis

Challenge (Hybrid Systems)

Fixed rule describing stateevolution with both

Discrete dynamics(control decisions)

Continuous dynamics(differential equations)

0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

2 4 6 8 10t

-0.8

-0.6

-0.4

-0.2

0.2

a

2 4 6 8 10t

0.2

0.4

0.6

0.8

1.0

v

2 4 6 8 10t

2

4

6

8

p

px

py

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 6 / 41

CPS Analysis

Challenge (Hybrid Systems)

Fixed rule describing stateevolution with both

Discrete dynamics(control decisions)

Continuous dynamics(differential equations)

0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

2 4 6 8 10t

-0.8

-0.6

-0.4

-0.2

0.2

a

2 4 6 8 10t

-1.0

-0.5

0.5

Ω

2 4 6 8 10t

-0.5

0.5

1.0

d

dx

dy

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 6 / 41

CPS Analysis

Challenge (Hybrid Systems)

Fixed rule describing stateevolution with both

Discrete dynamics(control decisions)

Continuous dynamics(differential equations)

0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

2 4 6 8 10t

-4

-3

-2

-1

a

2 4 6 8 10t

0.2

0.4

0.6

0.8

1.0

v

2 4 6 8 10t

1

2

3

4

ppx

py

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 7 / 41

CPS Analysis

Challenge (Hybrid Systems)

Fixed rule describing stateevolution with both

Discrete dynamics(control decisions)

Continuous dynamics(differential equations)

0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

2 4 6 8 10t

-4

-3

-2

-1

a

2 4 6 8 10t

-1.0

-0.5

0.5

Ω

2 4 6 8 10t

-0.5

0.5

1.0

d

dx

dy

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 7 / 41

CPSs are Multi-Dynamical Systems

dis

cre

te contin

uo

us

nondet

sto

chastic

advers

arial

CPS Dynamics

CPS are characterized by multiplefacets of dynamical systems.

CPS Compositions

CPS combines multiplesimple dynamical effects.

Descriptive simplification

Tame Parts

Exploiting compositionalitytames CPS complexity.

Analytic simplificationNathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 8 / 41

Learning Objectives

http://keymaeraX.org/

Use KeYmaera X to:

1 Model cyber-physical systems

2 Express safety/correctness properties

3 Find bugs in a system design

4 Identify safety constraints

5 Identify system invariants

6 Verify the final system design

7 Write automated proof tactics

8 Prove differential equations

9 Synthesize correct-by-construction runtime monitors

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 9 / 41

Outline

1 KeYmaera X OverviewTutorial Objectives

2 Differential Dynamic Logic for Hybrid SystemsSyntax: Notation for Verification QuestionsSemantics: Meaning of the SyntaxExample: Car Control DesignExample: Branching Structure

3 Proofs for CPSCompositional Proof CalculusExample: Safe Car Control

4 Differential Invariants for Differential EquationsDifferential InvariantsExample: Elementary Differential InvariantsExample: Ground Robots

5 Synthesize Monitors6 Case Studies7 Summary

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 9 / 41

Outline

1 KeYmaera X OverviewTutorial Objectives

2 Differential Dynamic Logic for Hybrid SystemsSyntax: Notation for Verification QuestionsSemantics: Meaning of the SyntaxExample: Car Control DesignExample: Branching Structure

3 Proofs for CPSCompositional Proof CalculusExample: Safe Car Control

4 Differential Invariants for Differential EquationsDifferential InvariantsExample: Elementary Differential InvariantsExample: Ground Robots

5 Synthesize Monitors6 Case Studies7 Summary

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 9 / 41

CPS Analysis

Concept (Differential Dynamic Logic) (JAR’08,LICS’12)

0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

x 6= m ∧ b > 0︸ ︷︷ ︸init

→[(

(if(SB(x ,m)) a :=−b) ; x ′ = v , v ′ = a)∗]

x 6= m︸ ︷︷ ︸post

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

[α]ϕ ϕα

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 10 / 41

CPS Analysis

Concept (Differential Dynamic Logic) (JAR’08,LICS’12)

x 6= m

x 6= m

x 6= m

x 6= m

x 6= m ∧ b > 0︸ ︷︷ ︸init

→[(

(if(SB(x ,m)) a :=−b) ; x ′ = v , v ′ = a)∗]

x 6= m︸ ︷︷ ︸post

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

[α]ϕ ϕα

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 10 / 41

CPS Analysis

Concept (Differential Dynamic Logic) (JAR’08,LICS’12)

[ ] x 6= m

x 6= m

x 6= m

x 6= m

x 6= m ∧ b > 0︸ ︷︷ ︸init

→[(

(if(SB(x ,m)) a :=−b) ; x ′ = v , v ′ = a)∗]

x 6= m︸ ︷︷ ︸post

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

[α]ϕ ϕα

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 10 / 41

CPS Analysis

Concept (Differential Dynamic Logic) (JAR’08,LICS’12)

[ ] x 6= m

x 6= m

x 6= m

x 6= m

x 6= m ∧ b > 0︸ ︷︷ ︸init

→[(

(if(SB(x ,m)) a :=−b) ;

x ′ = v , v ′ = a

)∗]x 6= m︸ ︷︷ ︸

post

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

ODE

[α]ϕ ϕα

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 10 / 41

CPS Analysis

Concept (Differential Dynamic Logic) (JAR’08,LICS’12)

[ ] x 6= m

x 6= m

x 6= m

x 6= m

x 6= m ∧ b > 0︸ ︷︷ ︸init

→[(

(if(SB(x ,m))

a :=−b

) ;

x ′ = v , v ′ = a

)∗]x 6= m︸ ︷︷ ︸

post

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

ODEassign

[α]ϕ ϕα

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 10 / 41

CPS Analysis

Concept (Differential Dynamic Logic) (JAR’08,LICS’12)

[ ] x 6= m

x 6= m

x 6= m

x 6= m

x 6= m ∧ b > 0︸ ︷︷ ︸init

→[(

(if(SB(x ,m)) a :=−b)

;

x ′ = v , v ′ = a

)∗]x 6= m︸ ︷︷ ︸

post

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

ODEassigntest

[α]ϕ ϕα

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 10 / 41

CPS Analysis

Concept (Differential Dynamic Logic) (JAR’08,LICS’12)

x 6= m ∧ b > 0︸ ︷︷ ︸init

→[(

(if(SB(x ,m)) a :=−b) ; x ′ = v , v ′ = a

)∗]x 6= m︸ ︷︷ ︸

post

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

ODEassigntest

seq.compose

[α]ϕ ϕα

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 10 / 41

CPS Analysis

Concept (Differential Dynamic Logic) (JAR’08,LICS’12)

x 6= m ∧ b > 0︸ ︷︷ ︸init

→[

((if(SB(x ,m)) a :=−b) ; x ′ = v , v ′ = a

)∗

]x 6= m︸ ︷︷ ︸

post

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

ODEassigntest

seq.compose

nondet.repeat

[α]ϕ ϕα

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 10 / 41

CPS Analysis

Concept (Differential Dynamic Logic) (JAR’08,LICS’12)

[ ] x 6= m

x 6= m

x 6= m

x 6= m

x 6= m ∧ b > 0︸ ︷︷ ︸init

→

[((if(SB(x ,m)) a :=−b) ; x ′ = v , v ′ = a

)∗]x 6= m︸ ︷︷ ︸

post

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

all runs

[α]ϕ ϕα

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 10 / 41

CPS Analysis

Concept (Differential Dynamic Logic) (JAR’08,LICS’12)

[ ] x 6= m

x 6= m

x 6= m

x 6= m

x 6= m ∧ b > 0︸ ︷︷ ︸init

→[(

(if(SB(x ,m)) a :=−b) ; x ′ = v , v ′ = a)∗]

x 6= m︸ ︷︷ ︸post

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

all runs

[α]ϕ ϕα

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 10 / 41

Differential Dynamic Logic dL: Syntax

Definition (Hybrid program α)

x := f (x) | ?Q | x ′ = f (x) &Q | α ∪ β | α;β | α∗

Definition (dL Formula P)

e ≥ e | ¬P | P ∧ Q | ∀x P | ∃x P | [α]P | 〈α〉P

DiscreteAssign

TestCondition

DifferentialEquation

Nondet.Choice

Seq.Compose

Nondet.Repeat

AllReals

SomeReals

AllRuns

SomeRuns

Tableaux’07,JAutomReas’08,LICS’12Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 11 / 41

Differential Dynamic Logic dL: Syntax

Definition (Hybrid program α)

x := f (x) | ?Q | x ′ = f (x) &Q | α ∪ β | α;β | α∗

Definition (dL Formula P)

e ≥ e | ¬P | P ∧ Q | ∀x P | ∃x P | [α]P | 〈α〉P

DiscreteAssign

TestCondition

DifferentialEquation

Nondet.Choice

Seq.Compose

Nondet.Repeat

AllReals

SomeReals

AllRuns

SomeRuns

Tableaux’07,JAutomReas’08,LICS’12Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 11 / 41

Differential Dynamic Logic dL: Semantics

Definition (Hybrid program semantics) ([[·]] : HP→ ℘(S × S))

[[x := e]] = (ω, ν) : ν = ω except ν[[x ]] = ω[[e]][[?Q]] = (ω, ω) : ω ∈ [[Q]]

[[x ′ = f (x)]] = (ϕ(0), ϕ(r)) : ϕ |= x ′ = f (x) for some duration r[[α ∪ β]] = [[α]] ∪ [[β]]

[[α;β]] = [[α]] [[β]]

[[α∗]] =⋃n∈N

[[αn]]

Definition (dL semantics) ([[·]] : Fml→ ℘(S))

[[e ≥ e]] = ω : ω[[e]] ≥ ω[[e]][[¬P]] = [[P]]

[[P ∧ Q]] = [[P]] ∩ [[Q]][[〈α〉P]] = [[α]] [[P]] = ω : ν ∈ [[P]] for some ν : (ω, ν) ∈ [[α]][[[α]P]] = [[¬〈α〉¬P]] = ω : ν ∈ [[P]] for all ν : (ω, ν) ∈ [[α]][[∃x P]] = ω : ωr

x ∈ [[P]] for some r ∈ RNathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 12 / 41

Differential Dynamic Logic dL: Semantics

ω νx := e

t

x

0

ω

ν if ν(x) = ω[[e]]and ν(z) = ω(z) for z 6= x

ω νx ′ = f (x) &Q

t

x

Q

ν

ω

ϕ(t)

0 rx ′ = f (x) &Q

ω

?Q

if ω ∈ [[Q]]t

x

0

ω no change if ω ∈ [[Q]]otherwise no transition

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 13 / 41

Differential Dynamic Logic dL: Semantics

ω

ν1

ν2

α

β

α ∪ β

t

xω ν1

ν2

ω s ν

α ;β

α β t

x

s

ω ν

ω ω1 ω2 ν

α∗

α α α

α β α β α β

t

xω ν

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 13 / 41

Differential Dynamic Logic dL: Semantics

ω

ν1

ν2

α

β

α ∪ β

t

xω ν1

ν2

ω s ν

α ;β

α β t

x

s

ω ν

ω ω1 ω2 ν

α∗

α α α

α β α β α β

t

xω ν

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 13 / 41

Differential Dynamic Logic dL: Semantics

ω

ν1

ν2

α

β

α ∪ β

t

xω ν1

ν2

ω s ν

α ;β

α β t

x

s

ω ν

ω ω1 ω2 ν

(α;β)∗

α β α β α β t

xω ν

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 13 / 41

Differential Dynamic Logic dL: Semantics

Definition (dL Formulas)

ω[α]P

P

P

P

α-span

[α]P

〈β〉P

β-span

〈β〉[α

]-sp

an

compositional semantics ⇒ compositional proofs!

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 14 / 41

Differential Dynamic Logic dL: Semantics

Definition (dL Formulas)

ω〈α〉P

P

α-span

[α]P

〈β〉P

β-span

〈β〉[α

]-sp

an

compositional semantics ⇒ compositional proofs!

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 14 / 41

Differential Dynamic Logic dL: Semantics

Definition (dL Formulas)

ω α-span

[α]P

〈β〉P

β-span

〈β〉[α

]-sp

an

compositional semantics ⇒ compositional proofs!

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 14 / 41

Differential Dynamic Logic dL: Semantics

Definition (dL Formulas)

ω α-span

[α]P

〈β〉P

β-span

〈β〉[α

]-sp

an

compositional semantics ⇒ compositional proofs!

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 14 / 41

Differential Dynamic Logic dL: Semantics

Definition (dL Formulas)

ω α-span

[α]P

〈β〉P

β-span

〈β〉[α

]-sp

an

compositional semantics ⇒ compositional proofs!

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 14 / 41

Differential Dynamic Logic dL: Semantics

Definition (dL Formulas)

ω α-span

[α]P

〈β〉P

β-span

〈β〉[α

]-sp

an

compositional semantics ⇒ compositional proofs!

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 14 / 41

Ex: Car Control

Example ( Single car cars)

((

(

a := A

)

∪ a :=−b);

x ′ = v , v ′ = a

)∗

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 15 / 41

Ex: Car Control

Control decision: accelerate or brake

Example ( Single car cars)

(

(

(

a := A

)

∪ a :=−b); x ′ = v , v ′ = a

)∗

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 15 / 41

Ex: Car Control

Repeat control decisions

Example ( Single car cars)((

(

a := A

)

∪ a :=−b); x ′ = v , v ′ = a)∗

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 15 / 41

Ex: Car Control

Repeat control decisions

Example ( Single car cars)((

(

a := A

)

∪ a :=−b); x ′ = v , v ′ = a)∗

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 15 / 41

Ex: Car Control

Velocity bound v ≥ 0

Example ( Single car cars)((

(

a := A

)

∪ a :=−b); x ′ = v , v ′ = a& v ≥ 0)∗

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 15 / 41

Ex: Car Control

Accelerate not always safe

Example ( Single car cars)((

(

a := A

)

∪ a :=−b); x ′ = v , v ′ = a& v ≥ 0)∗

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 15 / 41

Ex: Car Control

Accelerate condition ?Q

depends on A

Example ( Single car cars)(((?Q; a := A) ∪ a :=−b); x ′ = v , v ′ = a& v ≥ 0

)∗

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 15 / 41

Ex: Car Control

Accelerate condition ?Q depends on A

Example ( Single car cars)(((?Q; a := 0) ∪ a :=−b); x ′ = v , v ′ = a& v ≥ 0

)∗

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 15 / 41

Ex: Car Control Properties time-triggered

Q ≡

2b(m − x) ≥ v2 +(A + b

)(Aε2 + 2εv

)

Example (Single car carε time-triggered)(((?Q; a := A) ∪ a :=−b); t := 0; x ′ = v , v ′ = a, t ′ = 1 & v ≥ 0 ∧ t ≤ ε

)∗Example ( Safely stays before traffic light m)

A ≥ 0 ∧ b > 0→ [carε] x ≤ m

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 16 / 41

Ex: Car Control Properties time-triggered

Q ≡ 2b(m − x) ≥ v2 +(A + b

)(Aε2 + 2εv

)

Example (Single car carε time-triggered)(((?Q; a := A) ∪ a :=−b); t := 0; x ′ = v , v ′ = a, t ′ = 1 & v ≥ 0 ∧ t ≤ ε

)∗Example ( Safely stays before traffic light m)

v2 ≤ 2b(m − x) ∧ A ≥ 0 ∧ b > 0→ [carε] x ≤ m

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 16 / 41

Ex: Car Control Properties time-triggered

Q ≡ 2b(m − x) ≥ v2 +(A + b

)(Aε2 + 2εv

)

Example (Single car carε time-triggered)(((?Q; a := A) ∪ a :=−b); t := 0; x ′ = v , v ′ = a, t ′ = 1 & v ≥ 0 ∧ t ≤ ε

)∗Example ( Live, can move everywhere)

ε > 0 ∧ A > 0 ∧ b > 0→ ∀p ∃m 〈carε〉 x ≥ p

1 2 3 4 5 6 7t

-2.5

-2.0

-1.5

-1.0

-0.5

0.0

0.5

a

1 2 3 4 5 6 7t

-2

0

2

4

6

v

m

1 2 3 4 5 6 7t

-2

0

2

4

6

8

10

x

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 16 / 41

Branching Transitions in Hybrid Programs

∪

?m−x≤SB

?m−x≥SB

a :=−b

a :=A

t := 0 x ′′ = a

t ′ = 1& t≤ε

if(Q)α elseβ ≡

(?Q;α) ∪ (?¬Q;β)

while(Q)α ≡

(?Q;α)∗; ?¬Q

Robot ≡ (ctrl ; drive)∗

ctrl ≡ (?m − x ≤ SB; a :=−b)

∪ (?m − x ≥ SB; a := A)

drive ≡ t := 0; (x ′ = v , v ′ = a, t ′ = 1

& v ≥ 0 ∧ t ≤ ε)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 17 / 41

Branching Transitions in Hybrid Programs

∪

?m−x≤SB

?m−x≥SB

a :=−b

a :=A

t := 0 x ′′ = a

t ′ = 1& t≤ε

if(Q)α elseβ ≡

(?Q;α) ∪ (?¬Q;β)

while(Q)α ≡

(?Q;α)∗; ?¬Q

Robot ≡ (ctrl ; drive)∗

ctrl ≡ (?m − x ≤ SB; a :=−b)

∪ (?m − x ≥ SB; a := A)

drive ≡ t := 0; (x ′ = v , v ′ = a, t ′ = 1

& v ≥ 0 ∧ t ≤ ε)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 17 / 41

Branching Transitions in Hybrid Programs

∪

?m−x≤SB

?m−x≥SB

a :=−b

a :=A

t := 0 x ′′ = a

t ′ = 1& t≤ε

if(Q)α elseβ ≡

(?Q;α) ∪ (?¬Q;β)

while(Q)α ≡

(?Q;α)∗; ?¬Q

Robot ≡ (ctrl ; drive)∗

ctrl ≡ (?m − x ≤ SB; a :=−b)

∪ (?m − x ≥ SB; a := A)

drive ≡ t := 0; (x ′ = v , v ′ = a, t ′ = 1

& v ≥ 0 ∧ t ≤ ε)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 17 / 41

Branching Transitions in Hybrid Programs

∪

?m−x≤SB

?m−x≥SB

a :=−b

a :=A

t := 0 x ′′ = a

t ′ = 1& t≤ε

if(Q)α elseβ ≡

(?Q;α) ∪ (?¬Q;β)

while(Q)α ≡

(?Q;α)∗; ?¬Q

Robot ≡ (ctrl ; drive)∗

ctrl ≡ (?m − x ≤ SB; a :=−b)

∪ (?m − x ≥ SB; a := A)

drive ≡ t := 0; (x ′ = v , v ′ = a, t ′ = 1

& v ≥ 0 ∧ t ≤ ε)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 17 / 41

Branching Transitions in Hybrid Programs

∪

?m−x≤SB

?m−x≥SB

a :=−b

a :=A

t := 0 x ′′ = a

t ′ = 1& t≤ε

if(Q)α elseβ ≡

(?Q;α) ∪ (?¬Q;β)

while(Q)α ≡

(?Q;α)∗; ?¬Q

Robot ≡ (ctrl ; drive)∗

ctrl ≡ (?m − x ≤ SB; a :=−b)

∪ (?m − x ≥ SB; a := A)

drive ≡ t := 0; (x ′ = v , v ′ = a, t ′ = 1

& v ≥ 0 ∧ t ≤ ε)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 17 / 41

Branching Transitions in Hybrid Programs

∪

?m−x≤SB

?m−x≥SB

a :=−b

a :=A

t := 0 x ′′ = a

t ′ = 1& t≤ε

if(Q)α elseβ ≡

(?Q;α) ∪ (?¬Q;β)

while(Q)α ≡

(?Q;α)∗; ?¬Q

Robot ≡ (ctrl ; drive)∗

ctrl ≡ (?m − x ≤ SB; a :=−b)

∪ (?m − x ≥ SB; a := A)

drive ≡ t := 0; (x ′ = v , v ′ = a, t ′ = 1

& v ≥ 0 ∧ t ≤ ε)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 17 / 41

Branching Transitions in Hybrid Programs

∪

?m−x≤SB

?m−x≥SB

a :=−b

a :=A

t := 0 x ′′ = a

t ′ = 1& t≤ε

if(Q)α elseβ ≡

(?Q;α) ∪ (?¬Q;β)

while(Q)α ≡

(?Q;α)∗; ?¬Q

Robot ≡ (ctrl ; drive)∗

ctrl ≡ (?m − x ≤ SB; a :=−b)

∪ (?m − x ≥ SB; a := A)

drive ≡ t := 0; (x ′ = v , v ′ = a, t ′ = 1

& v ≥ 0 ∧ t ≤ ε)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 17 / 41

Branching Transitions in Hybrid Programs

∪

?m−x≤SB

?m−x≥SB

a :=−b

a :=A

t := 0 x ′′ = a

t ′ = 1& t≤ε

if(Q)α elseβ ≡

(?Q;α) ∪ (?¬Q;β)

while(Q)α ≡

(?Q;α)∗; ?¬Q

Robot ≡ (ctrl ; drive)∗

ctrl ≡ (?m − x ≤ SB; a :=−b)

∪ (?m − x ≥ SB; a := A)

drive ≡ t := 0; (x ′ = v , v ′ = a, t ′ = 1

& v ≥ 0 ∧ t ≤ ε)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 17 / 41

Branching Transitions in Hybrid Programs

∪

?m−x≤SB

?m−x≥SB

a :=−b

a :=A

t := 0 x ′′ = a

t ′ = 1& t≤ε

if(Q)α elseβ ≡

(?Q;α) ∪ (?¬Q;β)

while(Q)α ≡

(?Q;α)∗; ?¬Q

Robot ≡ (ctrl ; drive)∗

ctrl ≡ (?m − x ≤ SB; a :=−b)

∪ (?m − x ≥ SB; a := A)

drive ≡ t := 0; (x ′ = v , v ′ = a, t ′ = 1

& v ≥ 0 ∧ t ≤ ε)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 17 / 41

Branching Transitions in Hybrid Programs

∪

?m−x≤SB

?m−x≥SB

a :=−b

a :=A

t := 0 x ′′ = a

t ′ = 1& t≤ε

if(Q)α elseβ ≡

(?Q;α) ∪ (?¬Q;β)

while(Q)α ≡

(?Q;α)∗; ?¬Q

Robot ≡ (ctrl ; drive)∗

ctrl ≡ (?m − x ≤ SB; a :=−b)

∪ (?m − x ≥ SB; a := A)

drive ≡ t := 0; (x ′ = v , v ′ = a, t ′ = 1

& v ≥ 0 ∧ t ≤ ε)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 17 / 41

Branching Transitions in Hybrid Programs

∪

?m−x≤SB

?m−x≥SB

a :=−b

a :=A

t := 0 x ′′ = a

t ′ = 1& t≤ε

if(Q)α elseβ ≡

(?Q;α) ∪ (?¬Q;β)

while(Q)α ≡

(?Q;α)∗; ?¬Q

Robot ≡ (ctrl ; drive)∗

ctrl ≡ (?m − x ≤ SB; a :=−b)

∪ (?m − x ≥ SB; a := A)

drive ≡ t := 0; (x ′ = v , v ′ = a, t ′ = 1

& v ≥ 0 ∧ t ≤ ε)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 17 / 41

Branching Transitions in Hybrid Programs

∪

?m−x≤SB

?m−x≥SB

a :=−b

a :=A

t := 0 x ′′ = a

t ′ = 1& t≤ε

if(Q)α elseβ ≡

(?Q;α) ∪ (?¬Q;β)

while(Q)α ≡

(?Q;α)∗; ?¬Q

Robot ≡ (ctrl ; drive)∗

ctrl ≡ (?m − x ≤ SB; a :=−b)

∪ (?m − x ≥ SB; a := A)

drive ≡ t := 0; (x ′ = v , v ′ = a, t ′ = 1

& v ≥ 0 ∧ t ≤ ε)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 17 / 41

Branching Transitions in Hybrid Programs

∪

?m−x≤SB

?m−x≥SB

a :=−b

a :=A

t := 0 x ′′ = a

t ′ = 1& t≤ε

if(Q)α elseβ ≡

(?Q;α) ∪ (?¬Q;β)

while(Q)α ≡

(?Q;α)∗; ?¬Q

Robot ≡ (ctrl ; drive)∗

ctrl ≡ (?m − x ≤ SB; a :=−b)

∪ (?m − x ≥ SB; a := A)

drive ≡ t := 0; (x ′ = v , v ′ = a, t ′ = 1

& v ≥ 0 ∧ t ≤ ε)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 17 / 41

Branching Transitions in Hybrid Programs

∪

?m−x≤SB

?m−x≥SB

a :=−b

a :=A

t := 0 x ′′ = a

t ′ = 1& t≤ε

if(Q)α elseβ ≡

(?Q;α) ∪ (?¬Q;β)

while(Q)α ≡

(?Q;α)∗; ?¬Q

Robot ≡ (ctrl ; drive)∗

ctrl ≡ (?m − x ≤ SB; a :=−b)

∪ (?m − x ≥ SB; a := A)

drive ≡ t := 0; (x ′ = v , v ′ = a, t ′ = 1

& v ≥ 0 ∧ t ≤ ε)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 17 / 41

Branching Transitions in Hybrid Programs

∪

?m−x≤SB

?m−x≥SB

a :=−b

a :=A

t := 0 x ′′ = a

t ′ = 1& t≤ε

if(Q)α elseβ ≡

(?Q;α) ∪ (?¬Q;β)

while(Q)α ≡

(?Q;α)∗; ?¬Q

Robot ≡ (ctrl ; drive)∗

ctrl ≡ (?m − x ≤ SB; a :=−b)

∪ (?m − x ≥ SB; a := A)

drive ≡ t := 0; (x ′ = v , v ′ = a, t ′ = 1

& v ≥ 0 ∧ t ≤ ε)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 17 / 41

Branching Transitions in Hybrid Programs

∪

?m−x≤SB

?m−x≥SB

a :=−b

a :=A

t := 0 x ′′ = a

t ′ = 1& t≤ε

if(Q)α elseβ ≡

(?Q;α) ∪ (?¬Q;β)

while(Q)α ≡

(?Q;α)∗; ?¬Q

Robot ≡ (ctrl ; drive)∗

ctrl ≡ (?m − x ≤ SB; a :=−b)

∪ (?m − x ≥ SB; a := A)

drive ≡ t := 0; (x ′ = v , v ′ = a, t ′ = 1

& v ≥ 0 ∧ t ≤ ε)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 17 / 41

Branching Transitions in Hybrid Programs

∪

?m−x≤SB

?m−x≥SB

a :=−b

a :=A

t := 0 x ′′ = a

t ′ = 1& t≤ε

if(Q)α elseβ ≡ (?Q;α) ∪ (?¬Q;β)

while(Q)α ≡

(?Q;α)∗; ?¬Q

Robot ≡ (ctrl ; drive)∗

ctrl ≡ (?m − x ≤ SB; a :=−b)

∪ (?m − x ≥ SB; a := A)

drive ≡ t := 0; (x ′ = v , v ′ = a, t ′ = 1

& v ≥ 0 ∧ t ≤ ε)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 17 / 41

Branching Transitions in Hybrid Programs

∪

?m−x≤SB

?m−x≥SB

a :=−b

a :=A

t := 0 x ′′ = a

t ′ = 1& t≤ε

if(Q)α elseβ ≡ (?Q;α) ∪ (?¬Q;β)

while(Q)α ≡ (?Q;α)∗; ?¬Q

Robot ≡ (ctrl ; drive)∗

ctrl ≡ (?m − x ≤ SB; a :=−b)

∪ (?m − x ≥ SB; a := A)

drive ≡ t := 0; (x ′ = v , v ′ = a, t ′ = 1

& v ≥ 0 ∧ t ≤ ε)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 17 / 41

Outline

1 KeYmaera X OverviewTutorial Objectives

2 Differential Dynamic Logic for Hybrid SystemsSyntax: Notation for Verification QuestionsSemantics: Meaning of the SyntaxExample: Car Control DesignExample: Branching Structure

3 Proofs for CPSCompositional Proof CalculusExample: Safe Car Control

4 Differential Invariants for Differential EquationsDifferential InvariantsExample: Elementary Differential InvariantsExample: Ground Robots

5 Synthesize Monitors6 Case Studies7 Summary

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 17 / 41

Differential Dynamic Logic: Axiomatization

[:=] [x := e]P(x)↔ P(e)

[?] [?Q]P ↔ (Q → P)

[′] [x ′ = f (x)]P ↔ ∀t≥0 [x := y(t)]P (y ′(t) = f (y))

[∪] [α ∪ β]P ↔ [α]P ∧ [β]P

[;] [α;β]P ↔ [α][β]P

[∗] [α∗]P ↔ P ∧ [α][α∗]P

K [α](P → Q)→ ([α]P → [α]Q)

I [α∗](P → [α]P)→ (P → [α∗]P)

C [α∗]∀v>0 (P(v)→ 〈α〉P(v−1))→ ∀v (P(v)→ 〈α∗〉∃v≤0P(v))

equations of truth

LICS’12,JAR’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 18 / 41

Proofs for Hybrid Systems

compositional semantics ⇒ compositional rules!

[α ∪ β]P ↔ [α]P ∧ [β]P ω

ν1

ν2

αP

βP

α ∪ β

[α;β]P ↔ [α][β]P ω s ν

α;β

[α][β]Pα

[β]Pβ

P

P P → [α]P

[α∗]P ω ν

α∗

P

α

P → [α]P

α α

P

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 19 / 41

Proofs for Hybrid Systems

[α ∪ β]P ↔ [α]P ∧ [β]P ω

ν1

ν2

αP

βP

α ∪ β

[α;β]P ↔ [α][β]P ω s ν

α;β

[α][β]Pα

[β]Pβ

P

P P → [α]P

[α∗]P ω ν

α∗

P

α

P → [α]P

α α

P

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 19 / 41

Proofs for Hybrid Systems

[α ∪ β]P ↔ [α]P ∧ [β]P ω

ν1

ν2

αP

βP

α ∪ β

[α;β]P ↔ [α][β]P ω s ν

α;β

[α][β]Pα

[β]Pβ

P

P P → [α]P

[α∗]P ω ν

α∗

P

α

P → [α]P

α α

P

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 19 / 41

Proofs for Hybrid Systems

[α ∪ β]P ↔ [α]P ∧ [β]P ω

ν1

ν2

αP

βP

α ∪ β

[α;β]P ↔ [α][β]P ω s ν

α;β

[α][β]Pα

[β]Pβ

P

P P → [α]P

[α∗]P ω ν

α∗

P

α

P → [α]P

α α

P

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 19 / 41

Example Proof: Safe Braking

J(x , v) ≡ x ≤ m

J(x , v) ` v2 ≤ 2b(m − x)

QEJ(x , v) ` ∀t≥0 (−b2 t

2 + vt + x ≤ m)

[:=]J(x , v) ` ∀t≥0 [x :=−b2 t

2 + vt + x ]J(x , v)

[′] J(x , v) ` [x ′ = v , v ′ = −b]J(x , v)

[:=]J(x , v) ` [a :=−b][x ′ = v , v ′ = a]J(x , v)

[;] J(x , v) ` [a :=−b; (x ′ = v , v ′ = a)]J(x , v)

1 Γ ` ∆ shape of conjecture to prove sequent2 Γ is list of available assumptions antecedent3 ∆ needs to be proved from assumptions Γ succedent4 Proof reduces desired conclusion (at the bottom)

to premises with remaining subgoals (top) until no more subgoals (∗)Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 20 / 41

Example Proof: Safe Braking

J(x , v) ≡ x ≤ m

J(x , v) ` v2 ≤ 2b(m − x)

QEJ(x , v) ` ∀t≥0 (−b2 t

2 + vt + x ≤ m)

[:=]J(x , v) ` ∀t≥0 [x :=−b2 t

2 + vt + x ]J(x , v)

[′] J(x , v) ` [x ′ = v , v ′ = −b]J(x , v)

[:=]J(x , v) ` [a :=−b][x ′ = v , v ′ = a]J(x , v)[;] J(x , v) ` [a :=−b; (x ′ = v , v ′ = a)]J(x , v)

1 Γ ` ∆ shape of conjecture to prove sequent2 Γ is list of available assumptions antecedent3 ∆ needs to be proved from assumptions Γ succedent4 Proof reduces desired conclusion (at the bottom)

to premises with remaining subgoals (top) until no more subgoals (∗)Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 20 / 41

Example Proof: Safe Braking

J(x , v) ≡ x ≤ m

J(x , v) ` v2 ≤ 2b(m − x)

QEJ(x , v) ` ∀t≥0 (−b2 t

2 + vt + x ≤ m)

[:=]J(x , v) ` ∀t≥0 [x :=−b2 t

2 + vt + x ]J(x , v)

[′] J(x , v) ` [x ′ = v , v ′ = −b]J(x , v)[:=]J(x , v) ` [a :=−b][x ′ = v , v ′ = a]J(x , v)[;] J(x , v) ` [a :=−b; (x ′ = v , v ′ = a)]J(x , v)

1 Γ ` ∆ shape of conjecture to prove sequent2 Γ is list of available assumptions antecedent3 ∆ needs to be proved from assumptions Γ succedent4 Proof reduces desired conclusion (at the bottom)

to premises with remaining subgoals (top) until no more subgoals (∗)Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 20 / 41

Example Proof: Safe Braking

J(x , v) ≡ x ≤ m

J(x , v) ` v2 ≤ 2b(m − x)

QEJ(x , v) ` ∀t≥0 (−b2 t

2 + vt + x ≤ m)

[:=]J(x , v) ` ∀t≥0 [x :=−b2 t

2 + vt + x ]J(x , v)[′] J(x , v) ` [x ′ = v , v ′ = −b]J(x , v)

[:=]J(x , v) ` [a :=−b][x ′ = v , v ′ = a]J(x , v)[;] J(x , v) ` [a :=−b; (x ′ = v , v ′ = a)]J(x , v)

1 Γ ` ∆ shape of conjecture to prove sequent2 Γ is list of available assumptions antecedent3 ∆ needs to be proved from assumptions Γ succedent4 Proof reduces desired conclusion (at the bottom)

to premises with remaining subgoals (top) until no more subgoals (∗)Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 20 / 41

Example Proof: Safe Braking

J(x , v) ≡ x ≤ m

J(x , v) ` v2 ≤ 2b(m − x)

QEJ(x , v) ` ∀t≥0 (−b2 t

2 + vt + x ≤ m)[:=]J(x , v) ` ∀t≥0 [x :=−b

2 t2 + vt + x ]J(x , v)

[′] J(x , v) ` [x ′ = v , v ′ = −b]J(x , v)[:=]J(x , v) ` [a :=−b][x ′ = v , v ′ = a]J(x , v)[;] J(x , v) ` [a :=−b; (x ′ = v , v ′ = a)]J(x , v)

1 Γ ` ∆ shape of conjecture to prove sequent2 Γ is list of available assumptions antecedent3 ∆ needs to be proved from assumptions Γ succedent4 Proof reduces desired conclusion (at the bottom)

to premises with remaining subgoals (top) until no more subgoals (∗)Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 20 / 41

Example Proof: Safe Braking

J(x , v) ≡ x ≤ m

J(x , v) ` v2 ≤ 2b(m − x)QEJ(x , v) ` ∀t≥0 (−b

2 t2 + vt + x ≤ m)

[:=]J(x , v) ` ∀t≥0 [x :=−b2 t

2 + vt + x ]J(x , v)[′] J(x , v) ` [x ′ = v , v ′ = −b]J(x , v)

[:=]J(x , v) ` [a :=−b][x ′ = v , v ′ = a]J(x , v)[;] J(x , v) ` [a :=−b; (x ′ = v , v ′ = a)]J(x , v)

1 Γ ` ∆ shape of conjecture to prove sequent2 Γ is list of available assumptions antecedent3 ∆ needs to be proved from assumptions Γ succedent4 Proof reduces desired conclusion (at the bottom)

to premises with remaining subgoals (top) until no more subgoals (∗)Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 20 / 41

Example Proof: Safe Braking

x

v

m

J(x , v) ≡ v2 ≤ 2b(m − x)

J(x , v) ` v2 ≤ 2b(m − x)QEJ(x , v) ` ∀t≥0 (−b

2 t2 + vt + x ≤ m)

[:=]J(x , v) ` ∀t≥0 [x :=−b2 t

2 + vt + x ]J(x , v)[′] J(x , v) ` [x ′ = v , v ′ = −b]J(x , v)

[:=]J(x , v) ` [a :=−b][x ′ = v , v ′ = a]J(x , v)[;] J(x , v) ` [a :=−b; (x ′ = v , v ′ = a)]J(x , v)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 20 / 41

Example Proof: Safe Accelerating

x

v

m

J(x , v) ≡ v2 ≤ 2b(m − x)

J(x , v) ` ¬SB→ (Aε+ v)2 ≤ 2b(m − A2 ε

2 − vε− x)

QEJ(x , v) ` ¬SB→ ∀t≥0 (t ≤ ε→ (At + v)2 ≤ 2b(m − A2 t

2 − vt − x))

J(x , v) ` ¬SB→ ∀t≥0 (t ≤ ε→ J(A2 t2 + vt + x ,At + v))

[:=]J(x , v) ` ¬SB→ ∀t≥0 (t ≤ ε→ [x := A2 t

2 + vt + x ]J(x , v))

[′] J(x , v) ` ¬SB→ [x ′ = v , v ′ = A, t ′ = 1 & t ≤ ε]J(x , v)

[:=]J(x , v) ` ¬SB→ [a := A][x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε]J(x , v)

[;] J(x , v) ` ¬SB→ [a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)

[?] J(x , v) ` [?¬SB][a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)

[;] J(x , v) ` [?¬SB; a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 20 / 41

Example Proof: Safe Accelerating

x

v

m

J(x , v) ≡ v2 ≤ 2b(m − x)

J(x , v) ` ¬SB→ (Aε+ v)2 ≤ 2b(m − A2 ε

2 − vε− x)

QEJ(x , v) ` ¬SB→ ∀t≥0 (t ≤ ε→ (At + v)2 ≤ 2b(m − A2 t

2 − vt − x))

J(x , v) ` ¬SB→ ∀t≥0 (t ≤ ε→ J(A2 t2 + vt + x ,At + v))

[:=]J(x , v) ` ¬SB→ ∀t≥0 (t ≤ ε→ [x := A2 t

2 + vt + x ]J(x , v))

[′] J(x , v) ` ¬SB→ [x ′ = v , v ′ = A, t ′ = 1 & t ≤ ε]J(x , v)

[:=]J(x , v) ` ¬SB→ [a := A][x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε]J(x , v)

[;] J(x , v) ` ¬SB→ [a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)

[?] J(x , v) ` [?¬SB][a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)[;] J(x , v) ` [?¬SB; a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 20 / 41

Example Proof: Safe Accelerating

x

v

m

J(x , v) ≡ v2 ≤ 2b(m − x)

J(x , v) ` ¬SB→ (Aε+ v)2 ≤ 2b(m − A2 ε

2 − vε− x)

QEJ(x , v) ` ¬SB→ ∀t≥0 (t ≤ ε→ (At + v)2 ≤ 2b(m − A2 t

2 − vt − x))

J(x , v) ` ¬SB→ ∀t≥0 (t ≤ ε→ J(A2 t2 + vt + x ,At + v))

[:=]J(x , v) ` ¬SB→ ∀t≥0 (t ≤ ε→ [x := A2 t

2 + vt + x ]J(x , v))

[′] J(x , v) ` ¬SB→ [x ′ = v , v ′ = A, t ′ = 1 & t ≤ ε]J(x , v)

[:=]J(x , v) ` ¬SB→ [a := A][x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε]J(x , v)

[;] J(x , v) ` ¬SB→ [a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)[?] J(x , v) ` [?¬SB][a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)[;] J(x , v) ` [?¬SB; a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 20 / 41

Example Proof: Safe Accelerating

x

v

m

J(x , v) ≡ v2 ≤ 2b(m − x)

J(x , v) ` ¬SB→ (Aε+ v)2 ≤ 2b(m − A2 ε

2 − vε− x)

QEJ(x , v) ` ¬SB→ ∀t≥0 (t ≤ ε→ (At + v)2 ≤ 2b(m − A2 t

2 − vt − x))

J(x , v) ` ¬SB→ ∀t≥0 (t ≤ ε→ J(A2 t2 + vt + x ,At + v))

[:=]J(x , v) ` ¬SB→ ∀t≥0 (t ≤ ε→ [x := A2 t

2 + vt + x ]J(x , v))

[′] J(x , v) ` ¬SB→ [x ′ = v , v ′ = A, t ′ = 1 & t ≤ ε]J(x , v)

[:=]J(x , v) ` ¬SB→ [a := A][x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε]J(x , v)[;] J(x , v) ` ¬SB→ [a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)[?] J(x , v) ` [?¬SB][a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)[;] J(x , v) ` [?¬SB; a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 20 / 41

Example Proof: Safe Accelerating

x

v

m

J(x , v) ≡ v2 ≤ 2b(m − x)

J(x , v) ` ¬SB→ (Aε+ v)2 ≤ 2b(m − A2 ε

2 − vε− x)

QEJ(x , v) ` ¬SB→ ∀t≥0 (t ≤ ε→ (At + v)2 ≤ 2b(m − A2 t

2 − vt − x))

J(x , v) ` ¬SB→ ∀t≥0 (t ≤ ε→ J(A2 t2 + vt + x ,At + v))

[:=]J(x , v) ` ¬SB→ ∀t≥0 (t ≤ ε→ [x := A2 t

2 + vt + x ]J(x , v))

[′] J(x , v) ` ¬SB→ [x ′ = v , v ′ = A, t ′ = 1 & t ≤ ε]J(x , v)[:=]J(x , v) ` ¬SB→ [a := A][x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε]J(x , v)[;] J(x , v) ` ¬SB→ [a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)[?] J(x , v) ` [?¬SB][a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)[;] J(x , v) ` [?¬SB; a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 20 / 41

Example Proof: Safe Accelerating

x

v

m

J(x , v) ≡ v2 ≤ 2b(m − x)

J(x , v) ` ¬SB→ (Aε+ v)2 ≤ 2b(m − A2 ε

2 − vε− x)

QEJ(x , v) ` ¬SB→ ∀t≥0 (t ≤ ε→ (At + v)2 ≤ 2b(m − A2 t

2 − vt − x))

J(x , v) ` ¬SB→ ∀t≥0 (t ≤ ε→ J(A2 t2 + vt + x ,At + v))

[:=]J(x , v) ` ¬SB→ ∀t≥0 (t ≤ ε→ [x := A2 t

2 + vt + x ]J(x , v))[′] J(x , v) ` ¬SB→ [x ′ = v , v ′ = A, t ′ = 1 & t ≤ ε]J(x , v)

[:=]J(x , v) ` ¬SB→ [a := A][x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε]J(x , v)[;] J(x , v) ` ¬SB→ [a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)[?] J(x , v) ` [?¬SB][a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)[;] J(x , v) ` [?¬SB; a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 20 / 41

Example Proof: Safe Accelerating

x

v

m

J(x , v) ≡ v2 ≤ 2b(m − x)

J(x , v) ` ¬SB→ (Aε+ v)2 ≤ 2b(m − A2 ε

2 − vε− x)

QEJ(x , v) ` ¬SB→ ∀t≥0 (t ≤ ε→ (At + v)2 ≤ 2b(m − A2 t

2 − vt − x))

J(x , v) ` ¬SB→ ∀t≥0 (t ≤ ε→ J(A2 t2 + vt + x ,At + v))

[:=]J(x , v) ` ¬SB→ ∀t≥0 (t ≤ ε→ [x := A2 t

2 + vt + x ]J(x , v))[′] J(x , v) ` ¬SB→ [x ′ = v , v ′ = A, t ′ = 1 & t ≤ ε]J(x , v)

[:=]J(x , v) ` ¬SB→ [a := A][x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε]J(x , v)[;] J(x , v) ` ¬SB→ [a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)[?] J(x , v) ` [?¬SB][a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)[;] J(x , v) ` [?¬SB; a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 20 / 41

Example Proof: Safe Accelerating

x

v

m

J(x , v) ≡ v2 ≤ 2b(m − x)

J(x , v) ` ¬SB→ (Aε+ v)2 ≤ 2b(m − A2 ε

2 − vε− x)

QEJ(x , v) ` ¬SB→ ∀t≥0 (t ≤ ε→ (At + v)2 ≤ 2b(m − A2 t

2 − vt − x))

J(x , v) ` ¬SB→ ∀t≥0 (t ≤ ε→ J(A2 t2 + vt + x ,At + v))

[:=]J(x , v) ` ¬SB→ ∀t≥0 (t ≤ ε→ [x := A2 t

2 + vt + x ]J(x , v))[′] J(x , v) ` ¬SB→ [x ′ = v , v ′ = A, t ′ = 1 & t ≤ ε]J(x , v)

[:=]J(x , v) ` ¬SB→ [a := A][x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε]J(x , v)[;] J(x , v) ` ¬SB→ [a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)[?] J(x , v) ` [?¬SB][a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)[;] J(x , v) ` [?¬SB; a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 20 / 41

Example Proof: Safe Accelerating

x

v

m

J(x , v) ≡ v2 ≤ 2b(m − x)

J(x , v) ` ¬SB→ (Aε+ v)2 ≤ 2b(m − A2 ε

2 − vε− x)QEJ(x , v) ` ¬SB→ ∀t≥0 (t ≤ ε→ (At + v)2 ≤ 2b(m − A

2 t2 − vt − x))

J(x , v) ` ¬SB→ ∀t≥0 (t ≤ ε→ J(A2 t2 + vt + x ,At + v))

[:=]J(x , v) ` ¬SB→ ∀t≥0 (t ≤ ε→ [x := A2 t

2 + vt + x ]J(x , v))[′] J(x , v) ` ¬SB→ [x ′ = v , v ′ = A, t ′ = 1 & t ≤ ε]J(x , v)

[:=]J(x , v) ` ¬SB→ [a := A][x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε]J(x , v)[;] J(x , v) ` ¬SB→ [a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)[?] J(x , v) ` [?¬SB][a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)[;] J(x , v) ` [?¬SB; a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 20 / 41

Example Proof: Safe Accelerating

x

v

m

J(x , v) ≡ v2 ≤ 2b(m − x)SB ≡ 2b(m− x) < v2 + (A+b)(Aε2 + 2εv)

J(x , v) ` ¬SB→ (Aε+ v)2 ≤ 2b(m − A2 ε

2 − vε− x)QEJ(x , v) ` ¬SB→ ∀t≥0 (t ≤ ε→ (At + v)2 ≤ 2b(m − A

2 t2 − vt − x))

J(x , v) ` ¬SB→ ∀t≥0 (t ≤ ε→ J(A2 t2 + vt + x ,At + v))

[:=]J(x , v) ` ¬SB→ ∀t≥0 (t ≤ ε→ [x := A2 t

2 + vt + x ]J(x , v))[′] J(x , v) ` ¬SB→ [x ′ = v , v ′ = A, t ′ = 1 & t ≤ ε]J(x , v)

[:=]J(x , v) ` ¬SB→ [a := A][x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε]J(x , v)[;] J(x , v) ` ¬SB→ [a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)[?] J(x , v) ` [?¬SB][a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)[;] J(x , v) ` [?¬SB; a := A; (x ′ = v , v ′ = a, t ′ = 1 & t ≤ ε)]J(x , v)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 20 / 41

Example Proof: Safe Driving

x

v

m

J(x , v) ≡ v2 ≤ 2b(m − x)SB ≡ 2b(m− x) < v2 + (A+b)(Aε2 + 2εv)

∗

QE previous proofs for braking and acceleration

J(x , v) ` [a :=−b][x ′′ = a . .]J(x , v) ∧ [?¬SB; a := A][x ′′ = a . .]J(x , v)

[∪]J(x , v) ` [a :=−b ∪ ?¬SB; a := A][x ′′ = a, t ′ = 1 & t ≤ ε]J(x , v)

[;] J(x , v) ` [(a :=−b ∪ ?¬SB; a := A); x ′′ = a, t ′ = 1 & t ≤ ε]J(x , v)

indJ(x , v) ` [((a :=−b ∪ ?¬SB; a := A); x ′′ = a, t ′ = 1 & t ≤ ε

)∗]J(x , v)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 20 / 41

Example Proof: Safe Driving

x

v

m

J(x , v) ≡ v2 ≤ 2b(m − x)SB ≡ 2b(m− x) < v2 + (A+b)(Aε2 + 2εv)

∗

QE previous proofs for braking and acceleration

J(x , v) ` [a :=−b][x ′′ = a . .]J(x , v) ∧ [?¬SB; a := A][x ′′ = a . .]J(x , v)

[∪]J(x , v) ` [a :=−b ∪ ?¬SB; a := A][x ′′ = a, t ′ = 1 & t ≤ ε]J(x , v)

[;] J(x , v) ` [(a :=−b ∪ ?¬SB; a := A); x ′′ = a, t ′ = 1 & t ≤ ε]J(x , v)indJ(x , v) ` [

((a :=−b ∪ ?¬SB; a := A); x ′′ = a, t ′ = 1 & t ≤ ε

)∗]J(x , v)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 20 / 41

Example Proof: Safe Driving

x

v

m

J(x , v) ≡ v2 ≤ 2b(m − x)SB ≡ 2b(m− x) < v2 + (A+b)(Aε2 + 2εv)

∗

QE previous proofs for braking and acceleration

J(x , v) ` [a :=−b][x ′′ = a . .]J(x , v) ∧ [?¬SB; a := A][x ′′ = a . .]J(x , v)

[∪]J(x , v) ` [a :=−b ∪ ?¬SB; a := A][x ′′ = a, t ′ = 1 & t ≤ ε]J(x , v)[;] J(x , v) ` [(a :=−b ∪ ?¬SB; a := A); x ′′ = a, t ′ = 1 & t ≤ ε]J(x , v)indJ(x , v) ` [

((a :=−b ∪ ?¬SB; a := A); x ′′ = a, t ′ = 1 & t ≤ ε

)∗]J(x , v)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 20 / 41

Example Proof: Safe Driving

x

v

m

J(x , v) ≡ v2 ≤ 2b(m − x)SB ≡ 2b(m− x) < v2 + (A+b)(Aε2 + 2εv)

∗

QE previous proofs for braking and acceleration

J(x , v) ` [a :=−b][x ′′ = a . .]J(x , v) ∧ [?¬SB; a := A][x ′′ = a . .]J(x , v)[∪]J(x , v) ` [a :=−b ∪ ?¬SB; a := A][x ′′ = a, t ′ = 1 & t ≤ ε]J(x , v)[;] J(x , v) ` [(a :=−b ∪ ?¬SB; a := A); x ′′ = a, t ′ = 1 & t ≤ ε]J(x , v)indJ(x , v) ` [

((a :=−b ∪ ?¬SB; a := A); x ′′ = a, t ′ = 1 & t ≤ ε

)∗]J(x , v)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 20 / 41

Example Proof: Safe Driving

x

v

m

J(x , v) ≡ v2 ≤ 2b(m − x)SB ≡ 2b(m− x) < v2 + (A+b)(Aε2 + 2εv)

∗

QE previous proofs for braking and accelerationJ(x , v) ` [a :=−b][x ′′ = a . .]J(x , v) ∧ [?¬SB; a := A][x ′′ = a . .]J(x , v)

[∪]J(x , v) ` [a :=−b ∪ ?¬SB; a := A][x ′′ = a, t ′ = 1 & t ≤ ε]J(x , v)[;] J(x , v) ` [(a :=−b ∪ ?¬SB; a := A); x ′′ = a, t ′ = 1 & t ≤ ε]J(x , v)indJ(x , v) ` [

((a :=−b ∪ ?¬SB; a := A); x ′′ = a, t ′ = 1 & t ≤ ε

)∗]J(x , v)

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 20 / 41

Example Proof: Safe Driving

x

v

m

J(x , v) ≡ v2 ≤ 2b(m − x)SB ≡ 2b(m− x) < v2 + (A+b)(Aε2 + 2εv)

∗QE previous proofs for braking and acceleration

J(x , v) ` [a :=−b][x ′′ = a . .]J(x , v) ∧ [?¬SB; a := A][x ′′ = a . .]J(x , v)[∪]J(x , v) ` [a :=−b ∪ ?¬SB; a := A][x ′′ = a, t ′ = 1 & t ≤ ε]J(x , v)[;] J(x , v) ` [(a :=−b ∪ ?¬SB; a := A); x ′′ = a, t ′ = 1 & t ≤ ε]J(x , v)indJ(x , v) ` [

((a :=−b ∪ ?¬SB; a := A); x ′′ = a, t ′ = 1 & t ≤ ε

)∗]J(x , v)

1 Proof is deterministic “follow your nose”.

2 Synthesize invariant J(x , v) and parameter constraint SB.

3 J(x , v) is a predicate symbol to prove only once and instantiate later.

4 First looking at proofs of smaller pieces is often effective.

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 20 / 41

Outline

1 KeYmaera X OverviewTutorial Objectives

2 Differential Dynamic Logic for Hybrid SystemsSyntax: Notation for Verification QuestionsSemantics: Meaning of the SyntaxExample: Car Control DesignExample: Branching Structure

3 Proofs for CPSCompositional Proof CalculusExample: Safe Car Control

4 Differential Invariants for Differential EquationsDifferential InvariantsExample: Elementary Differential InvariantsExample: Ground Robots

5 Synthesize Monitors6 Case Studies7 Summary

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 20 / 41

Differential Dynamic Logic: Axiomatization

[:=] [x := e]P(x)↔ P(e)

[?] [?Q]P ↔ (Q → P)

[′] [x ′ = f (x)]P ↔ ∀t≥0 [x := y(t)]P (y ′(t) = f (y))

[∪] [α ∪ β]P ↔ [α]P ∧ [β]P

[;] [α;β]P ↔ [α][β]P

[∗] [α∗]P ↔ P ∧ [α][α∗]P

K [α](P → Q)→ ([α]P → [α]Q)

I [α∗](P → [α]P)→ (P → [α∗]P)

C [α∗]∀v>0 (P(v)→ 〈α〉P(v−1))→ ∀v (P(v)→ 〈α∗〉∃v≤0P(v))

equations of truth

LICS’12,JAR’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 21 / 41

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

0 t

x

x ′= f (x)

y′ =

g(x, y

)

inv

DI= DI=,∧,∨

DI> DI>,∧,∨

DI≥ DI≥,∧,∨

DI

DI≥,=,∧,∨

DI>,=,∧,∨

Logic

Provabilitytheory

Math

Character-istic PDE

JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,JAR’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 22 / 41

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

0 t

x

x ′= f (x)

y′ =

g(x, y

)

inv

DI= DI=,∧,∨

DI> DI>,∧,∨

DI≥ DI≥,∧,∨

DI

DI≥,=,∧,∨

DI>,=,∧,∨

Logic

Provabilitytheory

Math

Character-istic PDE

JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,JAR’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 22 / 41

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

0 t

x

x ′= f (x)

y′ =

g(x, y

)

inv

DI= DI=,∧,∨

DI> DI>,∧,∨

DI≥ DI≥,∧,∨

DI

DI≥,=,∧,∨

DI>,=,∧,∨

Logic

Provabilitytheory

Math

Character-istic PDE

JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,JAR’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 22 / 41

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

0 t

x

x ′= f (x)

y′ =

g(x, y

)

inv

DI= DI=,∧,∨

DI> DI>,∧,∨

DI≥ DI≥,∧,∨

DI

DI≥,=,∧,∨

DI>,=,∧,∨

Logic

Provabilitytheory

Math

Character-istic PDE

JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,JAR’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 22 / 41

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

0 t

x

x ′= f (x)

y′ =

g(x, y

)

inv

DI= DI=,∧,∨

DI> DI>,∧,∨

DI≥ DI≥,∧,∨

DI

DI≥,=,∧,∨

DI>,=,∧,∨

Logic

Provabilitytheory

Math

Character-istic PDE

JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,JAR’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 22 / 41

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

0 t

x

x ′= f (x)

y′ =

g(x, y

)

inv

DI= DI=,∧,∨

DI> DI>,∧,∨

DI≥ DI≥,∧,∨

DI

DI≥,=,∧,∨

DI>,=,∧,∨

Logic

Provabilitytheory

Math

Character-istic PDE

JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,JAR’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 22 / 41

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

0 t

x

x ′= f (x)

y′ =

g(x, y

)

inv

DI= DI=,∧,∨

DI> DI>,∧,∨

DI≥ DI≥,∧,∨

DI

DI≥,=,∧,∨

DI>,=,∧,∨

Logic

Provabilitytheory

Math

Character-istic PDE

JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,JAR’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 22 / 41

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

0 t

x

x ′= f (x)

y′ =

g(x, y

)

inv

DI= DI=,∧,∨

DI> DI>,∧,∨

DI≥ DI≥,∧,∨

DI

DI≥,=,∧,∨

DI>,=,∧,∨

Logic

Provabilitytheory

Math

Character-istic PDE

JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,JAR’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 22 / 41

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

0 t

x

x ′= f (x)

y′ =

g(x, y

)

inv

DI= DI=,∧,∨

DI> DI>,∧,∨

DI≥ DI≥,∧,∨

DI

DI≥,=,∧,∨

DI>,=,∧,∨

Logic

Provabilitytheory

Math

Character-istic PDE

JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,JAR’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 22 / 41

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

0 t

x

x ′= f (x)

y′ =

g(x, y

)

inv

DI= DI=,∧,∨

DI> DI>,∧,∨

DI≥ DI≥,∧,∨

DI

DI≥,=,∧,∨

DI>,=,∧,∨

Logic

Provabilitytheory

Math

Character-istic PDE

JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,JAR’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 22 / 41

Differential Invariants for Differential Equations

Differential Invariant

Q ` [x ′ := f (x)](F )′

F ` [x ′ = f (x) &Q]F

Differential Cut

F ` [x ′ = f (x)]C F ` [x ′ = f (x) &C ]F

F ` [x ′ = f (x)]F

Differential Ghost

F ↔ ∃y G G ` [x ′ = f (x), y ′ = g(x , y) &Q]G

F ` [x ′ = f (x) &Q]F0 t

x

x′ = f(x)

y′ =

g(x,y)

inv

if new y ′ = g(x , y) has a global solution

JLogComput’10,LMCS’12, LICS’12,JAR’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 23 / 41

Differential Invariants for Differential Equations

Differential Invariant

Q ` [x ′ := f (x)](F )′

F ` [x ′ = f (x) &Q]F

Differential Cut

F ` [x ′ = f (x) &Q]C F ` [x ′ = f (x) &Q∧C ]F

F ` [x ′ = f (x) &Q]F

Differential Ghost

F ↔ ∃y G G ` [x ′ = f (x), y ′ = g(x , y) &Q]G

F ` [x ′ = f (x) &Q]F0 t

x

x′ = f(x)

y′ =

g(x,y)

inv

if new y ′ = g(x , y) has a global solution

JLogComput’10,LMCS’12, LICS’12,JAR’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 23 / 41

Differential Invariants for Differential Equations

Differential Invariant

Q ` [x ′ := f (x)](F )′

F ` [x ′ = f (x) &Q]F

Differential Cut

F ` [x ′ = f (x) &Q]C F ` [x ′ = f (x) &Q∧C ]F

F ` [x ′ = f (x) &Q]F

Differential Ghost

F ↔ ∃y G G ` [x ′ = f (x), y ′ = g(x , y) &Q]G

F ` [x ′ = f (x) &Q]F0 t

x

x′ = f(x)

y′ =

g(x,y)

inv

if new y ′ = g(x , y) has a global solution

JLogComput’10,LMCS’12, LICS’12,JAR’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 23 / 41

Differential Invariants for Differential Equations

Differential Invariant

Q ` [x ′ := f (x)](F )′

F ` [x ′ = f (x) &Q]F

Differential Cut

F ` [x ′ = f (x) &Q]C F ` [x ′ = f (x) &Q∧C ]F

F ` [x ′ = f (x) &Q]F

Differential Ghost

F ↔ ∃y G G ` [x ′ = f (x), y ′ = g(x , y) &Q]G

F ` [x ′ = f (x) &Q]F0 t

x

x′ = f(x)

y′ =

g(x,y)

inv

if new y ′ = g(x , y) has a global solution

JLogComput’10,LMCS’12, LICS’12,JAR’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 23 / 41

Differential Invariants for Differential Equations

∗

ω≥0 ∧ d≥0 ` 2ω2xy + 2y(−ω2x − 2dωy) ≤ 0

ω≥0 ∧ d≥0 ` [x ′:=y ][y ′:=−ω2x − 2dωy ] 2ω2xx ′ + 2yy ′ ≤ 0

ω2x2+y2≤c2 ` [x ′ = y , y ′ = −ω2x − 2dωy &ω≥0 ∧ d≥0]ω2x2+y2≤c2

- - -

-

-

-

x

y1 2 3 4 5 6

-1.5

-1.0

-0.5

0.5

1.0

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 24 / 41

Differential Invariants for Differential Equations

∗

ω≥0 ∧ d≥0 ` 2ω2xy + 2y(−ω2x − 2dωy) ≤ 0

ω≥0 ∧ d≥0 ` [x ′:=y ][y ′:=−ω2x − 2dωy ] 2ω2xx ′ + 2yy ′ ≤ 0

ω2x2+y2≤c2 ` [x ′ = y , y ′ = −ω2x − 2dωy &ω≥0 ∧ d≥0]ω2x2+y2≤c2

- - -

-

-

-

x

y1 2 3 4 5 6

-1.5

-1.0

-0.5

0.5

1.0

damped oscillator

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 24 / 41

Differential Invariants for Differential Equations

∗

ω≥0 ∧ d≥0 ` 2ω2xy + 2y(−ω2x − 2dωy) ≤ 0

ω≥0 ∧ d≥0 ` [x ′:=y ][y ′:=−ω2x − 2dωy ] 2ω2xx ′ + 2yy ′ ≤ 0

ω2x2+y2≤c2 ` [x ′ = y , y ′ = −ω2x − 2dωy &ω≥0 ∧ d≥0]ω2x2+y2≤c2

- - -

-

-

-

x

y1 2 3 4 5 6

-1.5

-1.0

-0.5

0.5

1.0

damped oscillator

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 24 / 41

Differential Invariants for Differential Equations

∗

ω≥0 ∧ d≥0 ` 2ω2xy + 2y(−ω2x − 2dωy) ≤ 0

ω≥0 ∧ d≥0 ` [x ′:=y ][y ′:=−ω2x − 2dωy ] 2ω2xx ′ + 2yy ′ ≤ 0

ω2x2+y2≤c2 ` [x ′ = y , y ′ = −ω2x − 2dωy &ω≥0 ∧ d≥0]ω2x2+y2≤c2

- - -

-

-

-

x

y1 2 3 4 5 6

-1.5

-1.0

-0.5

0.5

1.0

damped oscillator

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 24 / 41

Differential Invariants for Differential Equations

∗ω≥0 ∧ d≥0 ` 2ω2xy + 2y(−ω2x − 2dωy) ≤ 0

ω≥0 ∧ d≥0 ` [x ′:=y ][y ′:=−ω2x − 2dωy ] 2ω2xx ′ + 2yy ′ ≤ 0

ω2x2+y2≤c2 ` [x ′ = y , y ′ = −ω2x − 2dωy &ω≥0 ∧ d≥0]ω2x2+y2≤c2

- - -

-

-

-

x

y1 2 3 4 5 6

-1.5

-1.0

-0.5

0.5

1.0

damped oscillator

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 24 / 41

Differential Invariants for Differential Equations

∗ω≥0 ∧ d≥0 ` 2ω2xy + 2y(−ω2x − 2dωy) ≤ 0

ω≥0 ∧ d≥0 ` [x ′:=y ][y ′:=−ω2x − 2dωy ] 2ω2xx ′ + 2yy ′ ≤ 0

ω2x2+y2≤c2 ` [x ′ = y , y ′ = −ω2x − 2dωy &ω≥0 ∧ d≥0]ω2x2+y2≤c2

- - -

-

-

-

x

y1 2 3 4 5 6

-1.5

-1.0

-0.5

0.5

1.0

damped oscillator

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 24 / 41

Differential Cuts for Differential Equations

∗

ω≥0∧d≥0 ` 2ω2xy + 2y(−ω2x − 2dωy) ≤ 0

ω≥0∧d≥0 ` [x ′:=y ][y ′:=−ω2x − 2dωy ] 2ω2xx ′ + 2yy ′ ≤ 0

ω2x2+y2≤c2 ` [x ′ = y , y ′ = −ω2x−2dωy , d ′=7 &ω≥0∧d≥0]ω2x2+y2≤c2

ω2x2+y2≤c2 ` [x ′ = y , y ′ = −ω2x−2dωy , d ′=7 &ω≥0]ω2x2+y2≤c2

∗

ω≥0 ` 7≥0

ω≥0 ` [d ′:=7] d ′≥0

d≥0 ` [x ′ = y , y ′ = −ω2x − 2dωy , d ′=7 &ω≥0] d≥0

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 25 / 41

Differential Cuts for Differential Equations

∗

ω≥0∧d≥0 ` 2ω2xy + 2y(−ω2x − 2dωy) ≤ 0

ω≥0∧d≥0 ` [x ′:=y ][y ′:=−ω2x − 2dωy ] 2ω2xx ′ + 2yy ′ ≤ 0

ω2x2+y2≤c2 ` [x ′ = y , y ′ = −ω2x−2dωy , d ′=7 &ω≥0∧d≥0]ω2x2+y2≤c2

ω2x2+y2≤c2 ` [x ′ = y , y ′ = −ω2x−2dωy , d ′=7 &ω≥0]ω2x2+y2≤c2

- - -

-

-

-

x

y1 2 3 4 5 6

-1.5

-1.0

-0.5

0.0

0.5

1.0

∗

ω≥0 ` 7≥0

ω≥0 ` [d ′:=7] d ′≥0

d≥0 ` [x ′ = y , y ′ = −ω2x − 2dωy , d ′=7 &ω≥0] d≥0

increasingly damped oscillator

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 25 / 41

Differential Cuts for Differential Equations

∗

ω≥0∧d≥0 ` 2ω2xy + 2y(−ω2x − 2dωy) ≤ 0

ω≥0∧d≥0 ` [x ′:=y ][y ′:=−ω2x − 2dωy ] 2ω2xx ′ + 2yy ′ ≤ 0

ω2x2+y2≤c2 ` [x ′ = y , y ′ = −ω2x−2dωy , d ′=7 &ω≥0∧d≥0]ω2x2+y2≤c2

ω2x2+y2≤c2 ` [x ′ = y , y ′ = −ω2x−2dωy , d ′=7 &ω≥0]ω2x2+y2≤c2

∗

ω≥0 ` 7≥0

ω≥0 ` [d ′:=7] d ′≥0

d≥0 ` [x ′ = y , y ′ = −ω2x − 2dωy , d ′=7 &ω≥0] d≥0

increasingly damped oscillator

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 25 / 41

Differential Cuts for Differential Equations

∗

ω≥0∧d≥0 ` 2ω2xy + 2y(−ω2x − 2dωy) ≤ 0

ω≥0∧d≥0 ` [x ′:=y ][y ′:=−ω2x − 2dωy ] 2ω2xx ′ + 2yy ′ ≤ 0

ω2x2+y2≤c2 ` [x ′ = y , y ′ = −ω2x−2dωy , d ′=7 &ω≥0∧d≥0]ω2x2+y2≤c2

ω2x2+y2≤c2 ` [x ′ = y , y ′ = −ω2x−2dωy , d ′=7 &ω≥0]ω2x2+y2≤c2

∗

ω≥0 ` 7≥0

ω≥0 ` [d ′:=7] d ′≥0

d≥0 ` [x ′ = y , y ′ = −ω2x − 2dωy , d ′=7 &ω≥0] d≥0

increasingly damped oscillator

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 25 / 41

Differential Cuts for Differential Equations

∗

ω≥0∧d≥0 ` 2ω2xy + 2y(−ω2x − 2dωy) ≤ 0

ω≥0∧d≥0 ` [x ′:=y ][y ′:=−ω2x − 2dωy ] 2ω2xx ′ + 2yy ′ ≤ 0

ω2x2+y2≤c2 ` [x ′ = y , y ′ = −ω2x−2dωy , d ′=7 &ω≥0∧d≥0]ω2x2+y2≤c2

ω2x2+y2≤c2 ` [x ′ = y , y ′ = −ω2x−2dωy , d ′=7 &ω≥0]ω2x2+y2≤c2

∗

ω≥0 ` 7≥0

ω≥0 ` [d ′:=7] d ′≥0

d≥0 ` [x ′ = y , y ′ = −ω2x − 2dωy , d ′=7 &ω≥0] d≥0

increasingly damped oscillator

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 25 / 41

Differential Cuts for Differential Equations

∗

ω≥0∧d≥0 ` 2ω2xy + 2y(−ω2x − 2dωy) ≤ 0

ω≥0∧d≥0 ` [x ′:=y ][y ′:=−ω2x − 2dωy ] 2ω2xx ′ + 2yy ′ ≤ 0

ω2x2+y2≤c2 ` [x ′ = y , y ′ = −ω2x−2dωy , d ′=7 &ω≥0∧d≥0]ω2x2+y2≤c2

ω2x2+y2≤c2 ` [x ′ = y , y ′ = −ω2x−2dωy , d ′=7 &ω≥0]ω2x2+y2≤c2

∗

ω≥0 ` 7≥0

ω≥0 ` [d ′:=7] d ′≥0

d≥0 ` [x ′ = y , y ′ = −ω2x − 2dωy , d ′=7 &ω≥0] d≥0

increasingly damped oscillator

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 25 / 41

Differential Cuts for Differential Equations

∗

ω≥0∧d≥0 ` 2ω2xy + 2y(−ω2x − 2dωy) ≤ 0

ω≥0∧d≥0 ` [x ′:=y ][y ′:=−ω2x − 2dωy ] 2ω2xx ′ + 2yy ′ ≤ 0

ω2x2+y2≤c2 ` [x ′ = y , y ′ = −ω2x−2dωy , d ′=7 &ω≥0∧d≥0]ω2x2+y2≤c2

ω2x2+y2≤c2 ` [x ′ = y , y ′ = −ω2x−2dωy , d ′=7 &ω≥0]ω2x2+y2≤c2

∗ω≥0 ` 7≥0

ω≥0 ` [d ′:=7] d ′≥0

d≥0 ` [x ′ = y , y ′ = −ω2x − 2dωy , d ′=7 &ω≥0] d≥0

DC

increasingly damped oscillator

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 25 / 41

Differential Cuts for Differential Equations

∗

ω≥0∧d≥0 ` 2ω2xy + 2y(−ω2x − 2dωy) ≤ 0

ω≥0∧d≥0 ` [x ′:=y ][y ′:=−ω2x − 2dωy ] 2ω2xx ′ + 2yy ′ ≤ 0

ω2x2+y2≤c2 ` [x ′ = y , y ′ = −ω2x−2dωy , d ′=7 &ω≥0∧d≥0]ω2x2+y2≤c2

ω2x2+y2≤c2 ` [x ′ = y , y ′ = −ω2x−2dωy , d ′=7 &ω≥0]ω2x2+y2≤c2

∗ω≥0 ` 7≥0

ω≥0 ` [d ′:=7] d ′≥0

d≥0 ` [x ′ = y , y ′ = −ω2x − 2dωy , d ′=7 &ω≥0] d≥0

increasingly damped oscillator

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 25 / 41

Differential Cuts for Differential Equations

∗

ω≥0∧d≥0 ` 2ω2xy + 2y(−ω2x − 2dωy) ≤ 0

ω≥0∧d≥0 ` [x ′:=y ][y ′:=−ω2x − 2dωy ] 2ω2xx ′ + 2yy ′ ≤ 0

ω2x2+y2≤c2 ` [x ′ = y , y ′ = −ω2x−2dωy , d ′=7 &ω≥0∧d≥0]ω2x2+y2≤c2

ω2x2+y2≤c2 ` [x ′ = y , y ′ = −ω2x−2dωy , d ′=7 &ω≥0]ω2x2+y2≤c2

∗ω≥0 ` 7≥0

ω≥0 ` [d ′:=7] d ′≥0

d≥0 ` [x ′ = y , y ′ = −ω2x − 2dωy , d ′=7 &ω≥0] d≥0

increasingly damped oscillator

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 25 / 41

Differential Cuts for Differential Equations

∗ω≥0∧d≥0 ` 2ω2xy + 2y(−ω2x − 2dωy) ≤ 0

ω≥0∧d≥0 ` [x ′:=y ][y ′:=−ω2x − 2dωy ] 2ω2xx ′ + 2yy ′ ≤ 0

ω2x2+y2≤c2 ` [x ′ = y , y ′ = −ω2x−2dωy , d ′=7 &ω≥0∧d≥0]ω2x2+y2≤c2

ω2x2+y2≤c2 ` [x ′ = y , y ′ = −ω2x−2dωy , d ′=7 &ω≥0]ω2x2+y2≤c2

∗ω≥0 ` 7≥0

ω≥0 ` [d ′:=7] d ′≥0

d≥0 ` [x ′ = y , y ′ = −ω2x − 2dωy , d ′=7 &ω≥0] d≥0

increasingly damped oscillator

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 25 / 41

Differential Cuts for Differential Equations

∗ω≥0∧d≥0 ` 2ω2xy + 2y(−ω2x − 2dωy) ≤ 0

ω≥0∧d≥0 ` [x ′:=y ][y ′:=−ω2x − 2dωy ] 2ω2xx ′ + 2yy ′ ≤ 0

ω2x2+y2≤c2 ` [x ′ = y , y ′ = −ω2x−2dωy , d ′=7 &ω≥0∧d≥0]ω2x2+y2≤c2

ω2x2+y2≤c2 ` [x ′ = y , y ′ = −ω2x−2dωy , d ′=7 &ω≥0]ω2x2+y2≤c2

∗ω≥0 ` 7≥0

ω≥0 ` [d ′:=7] d ′≥0

d≥0 ` [x ′ = y , y ′ = −ω2x − 2dωy , d ′=7 &ω≥0] d≥0

Could repeatedly diffcut in formulas to help the proof

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 25 / 41

Motion in 2D Plane: Don’t Collide with Obstacles

How to always get such motion collision-free?

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 26 / 41

Motion in 2D Plane: Don’t Collide with Obstacles

c

p = (x , y)

r

How to always get such motion collision-free?

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 26 / 41

Motion in 2D Plane: Don’t Collide with Obstacles

c

p = (x , y)

r

How to always get such motion collision-free?

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 26 / 41

Motion in 2D Plane: Don’t Collide with Obstacles

c

p = (x , y)

r

How to always get such motion collision-free?

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 26 / 41

Motion in 2D Plane: Don’t Collide with Obstacles

c

p = (x , y)

r

How to always get such motion collision-free?

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 26 / 41

Motion in 2D Plane: Don’t Collide with Obstacles

c

p = (x , y)

r

How to always get such motion collision-free?

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 26 / 41

Motion in 2D Plane: Don’t Collide with Obstacles

c

p = (x , y)

r

How to always get such motion collision-free?

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 26 / 41

Motion in 2D Plane: Don’t Collide with Obstacles

c

p = (x , y)

r

How to always get such motion collision-free?

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 26 / 41

Motion in 2D Plane: Don’t Collide with Obstacles

c

p = (x , y)

r

How to always get such motion collision-free?

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 26 / 41

Motion in 2D Plane: Don’t Collide with Obstacles

c

p = (x , y)

r

How to always get such motion collision-free?

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 26 / 41

2D Planar Car Model

State

Position p

Curve center c

Curve radius r

Orientation d

Translational velocity x ′ = v

Rotational velocity θ′ = ω

Control cycle duration ε

Differential Axiomatization

New variables for (undecidable)transcendental functions

dx = cos(θ), dy = sin(θ)

d ′x = cos(θ)′ = − sin(θ)θ′ = −ωdy

c

p

p

r

d

dx = cos θ

sin θ = dy

p after time ε

trajectory (length vε)

ωε

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 27 / 41

2D Planar Car Model

State

Position p

Curve center c

Curve radius r

Orientation d

Translational velocity x ′ = v

Rotational velocity θ′ = ω

Control cycle duration ε

Differential Axiomatization

New variables for (undecidable)transcendental functions

dx = cos(θ), dy = sin(θ)

d ′x = cos(θ)′ = − sin(θ)θ′ = −ωdy

c

p

p

r

d

dx = cos θ

sin θ = dy

p after time ε

trajectory (length vε)

ωε

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 27 / 41

2D Planar Car Model

State

Position p

Curve center c

Curve radius r

Orientation d

Translational velocity x ′ = v

Rotational velocity θ′ = ω

Control cycle duration ε

Differential Axiomatization

New variables for (undecidable)transcendental functions

dx = cos(θ), dy = sin(θ)

d ′x = cos(θ)′ = − sin(θ)θ′ = −ωdy

c

p

p

r

d

dx = cos θ

sin θ = dy

p after time ε

trajectory (length vε)

ωε

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 27 / 41

2D Planar Car Model

State

Position p

Curve center c

Curve radius r

Orientation d

Translational velocity x ′ = v

Rotational velocity θ′ = ω

Control cycle duration ε

Differential Axiomatization

New variables for (undecidable)transcendental functions

dx = cos(θ), dy = sin(θ)

d ′x = cos(θ)′ = − sin(θ)θ′ = −ωdy

c

p

p

r

d

dx = cos θ

sin θ = dy

p after time ε

trajectory (length vε)

ωε

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 27 / 41

2D Planar Car Model

State

Position p

Curve center c

Curve radius r

Orientation d

Translational velocity x ′ = v

Rotational velocity θ′ = ω

Control cycle duration ε

Differential Axiomatization

New variables for (undecidable)transcendental functions

dx = cos(θ), dy = sin(θ)d ′x = cos(θ)′ = − sin(θ)θ′ = −ωdy

c

p

p

r

d

dx = cos θ

sin θ = dy

p after time ε

trajectory (length vε)

ωε

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 27 / 41

2D Car Model as Hybrid Program

c

p

r

d

dx

dyωε

Example: 2D Car with Brake, Accelerate, Steer

Q ≡ 2b‖p −m‖ ≥ v2 + (A + b)(Aε2 + 2εv)( (a :=−b∪ a := A; ω := ∗; r := ∗; ?r 6= 0 ∧ rω = v ; m := ∗; ?Q

);

t := 0;

p′ = vd , v ′ = a, d ′ = ωd⊥, ω′ =a

r, t ′ = 1 & v ≥ 0 ∧ t ≤ ε

)∗

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 28 / 41

2D Car Model as Hybrid Program

c

p

r

d

dx

dyωε

Example: 2D Car with Brake, Accelerate, Steer

Q ≡ 2b‖p −m‖ ≥ v2 + (A + b)(Aε2 + 2εv)(

(a :=−b∪ a := A; ω := ∗; r := ∗; ?r 6= 0 ∧ rω = v ; m := ∗; ?Q

);

t := 0;

p′ = vd , v ′ = a, d ′ = ωd⊥, ω′ =a

r, t ′ = 1 & v ≥ 0 ∧ t ≤ ε

)∗

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 28 / 41

2D Car Model as Hybrid Program

c

p

r

d

dx

dyωε

Example: 2D Car with Brake, Accelerate, Steer

Q ≡ 2b‖p −m‖ ≥ v2 + (A + b)(Aε2 + 2εv)

( (a :=−b∪ a := A; ω := ∗; r := ∗; ?r 6= 0 ∧ rω = v ; m := ∗; ?Q

);

t := 0;

p′ = vd , v ′ = a, d ′ = ωd⊥, ω′ =a

r, t ′ = 1 & v ≥ 0 ∧ t ≤ ε

)∗

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 28 / 41

2D Car Model as Hybrid Program

c

p

r

d

dx

dyωε

Example: 2D Car with Brake, Accelerate, Steer

Q ≡ 2b‖p −m‖ ≥ v2 + (A + b)(Aε2 + 2εv)( (a :=−b∪ a := A; ω := ∗; r := ∗; ?r 6= 0 ∧ rω = v ; m := ∗; ?Q

);

t := 0;

p′ = vd , v ′ = a, d ′ = ωd⊥, ω′ =a

r, t ′ = 1 & v ≥ 0 ∧ t ≤ ε

)∗

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 28 / 41

Intuition for Car’s Differential Invariants

Differential Invariants:

Time goes forward: t ≥ 0

Velocity follows acceleration: v = old(v) + at

Stay on the circle: ‖d‖ = 1

Stay close to position: ‖p − old(p)‖ ≤ vt − a2 t

2need both

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 29 / 41

Intuition for Car’s Differential Invariants

Differential Invariants:

Time goes forward: t ≥ 0

Velocity follows acceleration: v = old(v) + at

Stay on the circle: ‖d‖ = 1

Stay close to position: ‖p − old(p)‖ ≤ vt − a2 t

2need both

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 29 / 41

Intuition for Car’s Differential Invariants

Differential Invariants:

Time goes forward: t ≥ 0

Velocity follows acceleration: v = old(v) + at

Stay on the circle: ‖d‖ = 1

Stay close to position: ‖p − old(p)‖ ≤ vt − a2 t

2need both

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 29 / 41

Intuition for Car’s Differential Invariants

Differential Invariants:

Time goes forward: t ≥ 0

Velocity follows acceleration: v = old(v) + at

Stay on the circle: ‖d‖ = 1

Stay close to position: ‖p − old(p)‖ ≤ vt − a2 t

2need both

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 29 / 41

Intuition for Car’s Differential Invariants

Differential Invariants:

Time goes forward: t ≥ 0

Velocity follows acceleration: v = old(v) + at

Stay on the circle: ‖d‖ = 1

Stay close to position: ‖p − old(p)‖ ≤ vt − a2 t

2

need both

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 29 / 41

Intuition for Car’s Differential Invariants

Differential Invariants:

Time goes forward: t ≥ 0

Velocity follows acceleration: v = old(v) + at

Stay on the circle: ‖d‖ = 1

Stay close to position: ‖p − old(p)‖ ≤ vt − a2 t

2need both

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 29 / 41

Intuition for Car’s Differential Invariants

Differential Invariants:

Time goes forward: t ≥ 0

Velocity follows acceleration: v = old(v) + at

Stay on the circle: ‖d‖ = 1

Stay close to position: ‖p − old(p)‖∞ ≤ vt − a2 t

2

supremum norm overapproximates circle with box (easier arithmetic)

need both

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 29 / 41

Outline

1 KeYmaera X OverviewTutorial Objectives

2 Differential Dynamic Logic for Hybrid SystemsSyntax: Notation for Verification QuestionsSemantics: Meaning of the SyntaxExample: Car Control DesignExample: Branching Structure

3 Proofs for CPSCompositional Proof CalculusExample: Safe Car Control

4 Differential Invariants for Differential EquationsDifferential InvariantsExample: Elementary Differential InvariantsExample: Ground Robots

5 Synthesize Monitors6 Case Studies7 Summary

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 29 / 41

Formal Verification in CPS Development

Real CPS

Proof

ReachabilityAnalysis

. . .

Verification Results

safe

Challenge

Verification results about modelsonly apply if CPS fits to the model

; Verifiably correct runtime model validation

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 30 / 41

Formal Verification in CPS Development

Real CPS

Model α∗

Control αctrl

v := v + 1

Plant αplant

x ′ = v

sense act

abstract

Proof

ReachabilityAnalysis

. . .

Verification Results

safe

safe

Challenge

Verification results about modelsonly apply if CPS fits to the model

; Verifiably correct runtime model validation

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 30 / 41

Formal Verification in CPS Development

Real CPS

Model α∗

Control αctrl

v := v + 1

Plant αplant

x ′ = v

sense act

abstract

Proof

ReachabilityAnalysis

. . .

Verification Results

safe

safe

Challenge

Verification results about modelsonly apply if CPS fits to the model

; Verifiably correct runtime model validation

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 30 / 41

ModelPlex Runtime Model Validation

ModelPlex ensures that verification results about modelsapply to CPS implementations

i−1 i i+1Model α ctrl plant

...

model adequate? control safe? until next cycle?

turnpredict

Contributions

Verification results about models transfer to CPS whenvalidating model compliance

Compliance with model is characterizable in logic

Compliance formula transformed by proof toexecutable monitor

Correct-by-construction provably correct runtimemodel validation

RV’14,FMSD’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 31 / 41

ModelPlex Runtime Model Validation

ModelPlex ensures that verification results about modelsapply to CPS implementations

i−1 i i+1Model α ctrl plant

...

model adequate? control safe? until next cycle?

turnpredict

Contributions

Verification results about models transfer to CPS whenvalidating model compliance

Compliance with model is characterizable in logic

Compliance formula transformed by proof toexecutable monitor

Correct-by-construction provably correct runtimemodel validation

RV’14,FMSD’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 31 / 41

ModelPlex at Runtime ...

ModelPlex

Sensors

Controller

ComplianceMonitor

Fallback

Actuators

“Simplex for Models”

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 32 / 41

ModelPlex at Runtime ...

ModelPlex

Sensors

Controller

ComplianceMonitor

Fallback

Actuators

Compliance Monitor Checks CPS for compliance with model at runtime

Model Monitor: model adequate?Controller Monitor: control safe?Prediction Monitor: until next cycle?

Fallback Safe action, executed when monitor is not satisfied (veto)

Challenge What conditions do the monitors need to check to be safe?

“Simplex for Models”

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 32 / 41

Characterizing State Relations in Logic ...

When are two states linked through a run of model α?

i−1 i

a prior state char-acterized by x−

a posterior statecharacterized by x+

Not initial state.Model repeats. . .

dL proof A→ [α]S

Init i−1 ∈ [[A]] Safe i ∈ [[S ]]

Model α

⊆

Offline

(i−1, i) ∈ [[α]]Semantical: reachability relation of α

m Lemma

(i−1, i) |= 〈α〉(x = x+)Logical dL:

exists a run of α to astate where x = x+

m⇑(i−1, i) |= F (x−, x+)Arithmetical:

dL proof

check at runtime (efficient)

RV’14,FMSD’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 33 / 41

Characterizing State Relations in Logic ...

When are two states linked through a run of model α?

ω ν

a prior state char-acterized by x−

a posterior statecharacterized by x+

Not initial state.Model repeats. . .

dL proof A→ [α]S

Init ω ∈ [[A]] Safe ν ∈ [[S ]]

Model α

⊆

Offline

(ω, ν) ∈ [[α]]Semantical: reachability relation of α

m Lemma

(ω, ν) |= 〈α〉(x = x+)Logical dL:

exists a run of α to astate where x = x+

m⇑(ω, ν) |= F (x−, x+)Arithmetical:

dL proof

check at runtime (efficient)

RV’14,FMSD’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 33 / 41

Characterizing State Relations in Logic ...

When are two states linked through a run of model α?

ω ν

a prior state char-acterized by x−

a posterior statecharacterized by x+

Not initial state.Model repeats. . .

dL proof A→ [α]S

Init ω ∈ [[A]] Safe ν ∈ [[S ]]

Model α

⊆

Offline

(ω, ν) ∈ [[α]]Semantical: reachability relation of α

m Lemma

(ω, ν) |= 〈α〉(x = x+)Logical dL:

exists a run of α to astate where x = x+

m⇑(ω, ν) |= F (x−, x+)Arithmetical:

dL proof

check at runtime (efficient)

RV’14,FMSD’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 33 / 41

Characterizing State Relations in Logic ...

When are two states linked through a run of model α?

ω ν

a prior state char-acterized by x−

a posterior statecharacterized by x+

Not initial state.Model repeats. . .

dL proof A→ [α]S

Init ω ∈ [[A]] Safe ν ∈ [[S ]]

Model α

⊆

Offline

(ω, ν) ∈ [[α]]Semantical:

reachability relation of α

m Lemma

(ω, ν) |= 〈α〉(x = x+)Logical dL:

exists a run of α to astate where x = x+

m⇑(ω, ν) |= F (x−, x+)Arithmetical:

dL proof

check at runtime (efficient)

RV’14,FMSD’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 33 / 41

Characterizing State Relations in Logic ...

When are two states linked through a run of model α?

ω ν

a prior state char-acterized by x−

a posterior statecharacterized by x+

Not initial state.Model repeats. . .

dL proof A→ [α]S

Init ω ∈ [[A]] Safe ν ∈ [[S ]]

Model α

⊆

Offline

(ω, ν) ∈ [[α]]Semantical:

reachability relation of α

m Lemma

(ω, ν) |= 〈α〉(x = x+)Logical dL:

exists a run of α to astate where x = x+

m

⇑

(ω, ν) |= F (x−, x+)Arithmetical:

dL proof

check at runtime (efficient)

RV’14,FMSD’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 33 / 41

Characterizing State Relations in Logic ...

When are two states linked through a run of model α?

ω ν

a prior state char-acterized by x−

a posterior statecharacterized by x+

Not initial state.Model repeats. . .

dL proof A→ [α]S

Init ω ∈ [[A]] Safe ν ∈ [[S ]]

Model α

⊆

Offline

(ω, ν) ∈ [[α]]Semantical:

reachability relation of α

m Lemma

(ω, ν) |= 〈α〉(x = x+)Logical dL:

exists a run of α to astate where x = x+

m

⇑(ω, ν) |= F (x−, x+)Arithmetical:

dL proof

check at runtime (efficient)

RV’14,FMSD’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 33 / 41

Logical Reductions for Model Safety Transfer ...

Logic reduces CPS safety to runtime monitor with offline proof

ω ν

a prior state char-acterized by x−

a posterior statecharacterized by x+

Not initial state.Model repeats. . .

dL proof A→ [α]S

Init ω ∈ [[A]] Safe ν ∈ [[S ]]

Model α

⊆

Offline

(ω, ν) ∈ [[α]]Semantical:

reachability relation of α

m Lemma

(ω, ν) |= 〈α〉(x = x+)Logical dL:

exists a run of α to astate where x = x+

m

⇑(ω, ν) |= F (x−, x+)Arithmetical:

dL proof

check at runtime (efficient)

RV’14,FMSD’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 33 / 41

Logical Reductions for Model Safety Transfer ...

Logic reduces CPS safety to runtime monitor with offline proof

ω ν

a prior state char-acterized by x−

a posterior statecharacterized by x+

Not initial state.Model repeats. . .

dL proof A→ [α]S

Init ω ∈ [[A]]

Safe ν ∈ [[S ]]

Model α

⊆

Offline

(ω, ν) ∈ [[α]]Semantical:

reachability relation of α

m Lemma

(ω, ν) |= 〈α〉(x = x+)Logical dL:

exists a run of α to astate where x = x+

m

⇑(ω, ν) |= F (x−, x+)Arithmetical:

dL proof

check at runtime (efficient)

RV’14,FMSD’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 33 / 41

Logical Reductions for Model Safety Transfer ...

Logic reduces CPS safety to runtime monitor with offline proof

ω ν

a prior state char-acterized by x−

a posterior statecharacterized by x+

Not initial state.Model repeats. . .

dL proof A→ [α]S

Init ω ∈ [[A]] Safe ν ∈ [[S ]]

Model α

⊆

Offline

(ω, ν) ∈ [[α]]Semantical:

reachability relation of α

m Lemma

(ω, ν) |= 〈α〉(x = x+)Logical dL:

exists a run of α to astate where x = x+

m

⇑(ω, ν) |= F (x−, x+)Arithmetical:

dL proof

check at runtime (efficient)

RV’14,FMSD’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 33 / 41

Logical Reductions for Model Safety Transfer ...

Logic reduces CPS safety to runtime monitor with offline proof

ω ν

a prior state char-acterized by x−

a posterior statecharacterized by x+

Not initial state.Model repeats. . .

dL proof A→ [α]S

Init ω ∈ [[A]] Safe ν ∈ [[S ]]

Model α

⊆

Offline

(ω, ν) ∈ [[α]]Semantical:

reachability relation of α

m Lemma

(ω, ν) |= 〈α〉(x = x+)Logical dL:

exists a run of α to astate where x = x+

m

⇑(ω, ν) |= F (x−, x+)Arithmetical:

dL proof

check at runtime (efficient)

RV’14,FMSD’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 33 / 41

Logical Reductions for Model Safety Transfer ...

Logic reduces CPS safety to runtime monitor with offline proof

ω ν

a prior state char-acterized by x−

a posterior statecharacterized by x+

Not initial state.Model repeats. . .

dL proof A→ [α]S

Init ω ∈ [[A]] Safe ν ∈ [[S ]]

Model α

⊆

Offline

(ω, ν) ∈ [[α]]Semantical:

reachability relation of α

m Lemma

(ω, ν) |= 〈α〉(x = x+)Logical dL:

exists a run of α to astate where x = x+

m

⇑(ω, ν) |= F (x−, x+)Arithmetical:

dL proof

check at runtime (efficient)

RV’14,FMSD’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 33 / 41

Logical Reductions for Model Safety Transfer ...

Logic reduces CPS safety to runtime monitor with offline proof

ω ν

a prior state char-acterized by x−

a posterior statecharacterized by x+

Not initial state.Model repeats. . .

dL proof A→ [α]S

Init ω ∈ [[A]] Safe ν ∈ [[S ]]

Model α

⊆

Offline

(ω, ν) ∈ [[α]]Semantical:

reachability relation of α

m Lemma

(ω, ν) |= 〈α〉(x = x+)Logical dL:

exists a run of α to astate where x = x+

m

⇑(ω, ν) |= F (x−, x+)Arithmetical:

dL proof

check at runtime (efficient)

RV’14,FMSD’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 33 / 41

Logical Reductions for Model Safety Transfer ...

Logic reduces CPS safety to runtime monitor with offline proof

ω ν

a prior state char-acterized by x−

a posterior statecharacterized by x+

Not initial state.Model repeats. . .

dL proof A→ [α]S

Init ω ∈ [[A]] Safe ν ∈ [[S ]]

Model α

⊆

Offline

(ω, ν) ∈ [[α]]Semantical:

reachability relation of α

m Lemma

(ω, ν) |= 〈α〉(x = x+)Logical dL:

exists a run of α to astate where x = x+

m

⇑(ω, ν) |= F (x−, x+)Arithmetical:

dL proof

check at runtime (efficient)

RV’14,FMSD’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 33 / 41

Logical Reductions for Model Safety Transfer ...

Logic reduces CPS safety to runtime monitor with offline proof

ω ν

a prior state char-acterized by x−

a posterior statecharacterized by x+

Not initial state.Model repeats. . .

dL proof A→ [α]S

Init ω ∈ [[A]] Safe ν ∈ [[S ]]

Model α

⊆

Offline

(ω, ν) ∈ [[α]]Semantical:

reachability relation of α

m Lemma

(ω, ν) |= 〈α〉(x = x+)Logical dL:

exists a run of α to astate where x = x+

m

⇑(ω, ν) |= F (x−, x+)Arithmetical:

dL proof

check at runtime (efficient)

RV’14,FMSD’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 33 / 41

Logical Reductions for Model Safety Transfer ...

Logic reduces CPS safety to runtime monitor with offline proof

ω ν

a prior state char-acterized by x−

a posterior statecharacterized by x+

Not initial state.Model repeats. . .

dL proof A→ [α]S

Init ω ∈ [[A]] Safe ν ∈ [[S ]]

Model α

⊆

Offline

(ω, ν) ∈ [[α]]Semantical:

reachability relation of α

m Lemma

(ω, ν) |= 〈α〉(x = x+)Logical dL:

exists a run of α to astate where x = x+

m

⇑(ω, ν) |= F (x−, x+)Arithmetical:

dL proof

check at runtime (efficient)

RV’14,FMSD’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 33 / 41

Logical Reductions for α∗ Model Safety Transfer ...

Logic reduces CPS safety to runtime monitor with offline proof

ω ν

a prior state char-acterized by x−

a posterior statecharacterized by x+

Not initial state.Model repeats. . .

dL proof A→ [α∗]S

Init ω ∈ [[A]] Safe ν ∈ [[S ]]

Model α∗

⊆

Offline

(ω, ν) ∈ [[α∗]]Semantical:

reachability relation of α∗

m Lemma

(ω, ν) |= 〈α∗〉(x = x+)Logical dL:

exists a run of α∗ toa state where x = x+

m

⇑(ω, ν) |= F (x−, x+)Arithmetical:

dL proof

check at runtime (efficient)

RV’14,FMSD’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 33 / 41

ModelPlex Runtime Model Validation

ModelPlex ensures that verification results about modelsapply to CPS implementations

i−1 i i+1Model α ctrl plant

...

model adequate? control safe? until next cycle?

turnpredict

Contributions

Verification results about models transfer to CPS whenvalidating model compliance

Compliance with model is characterizable in logic

Compliance formula transformed by proof toexecutable monitor

Correct-by-construction provably correct runtimemodel validation

RV’14,FMSD’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 34 / 41

Outline

1 KeYmaera X OverviewTutorial Objectives

2 Differential Dynamic Logic for Hybrid SystemsSyntax: Notation for Verification QuestionsSemantics: Meaning of the SyntaxExample: Car Control DesignExample: Branching Structure

3 Proofs for CPSCompositional Proof CalculusExample: Safe Car Control

4 Differential Invariants for Differential EquationsDifferential InvariantsExample: Elementary Differential InvariantsExample: Ground Robots

5 Synthesize Monitors6 Case Studies7 Summary

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 34 / 41

Verified CPS Applications

www.lfcps.org/course/

-

-

-

x

y

c

c

Qxentry

exit

Q

y

c

Q Q

QQ

cQx

Q

y

Q

z

xHiL

xH jL

p xHkL

xHlL

xHmL

ICFEM’09,JAIS’14,TACAS’15,EMSOFT’15,CAV’08,FM’09,HSCC’11,HSCC’13,TACAS’14Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 35 / 41

Verified CPS Applications

www.lfcps.org/course/

ey

fy

xb(lx, ly) ex fx

(rx, ry)

(vx, vy)

FM’11,LMCS’12,ICCPS’12,ITSC’11,ITSC’13,IJCAR’12Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 35 / 41

Verified CPS Applications

www.lfcps.org/course/

0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

5 10 15 20

-0.3

-0.2

-0.1

0.1

0.2

0.3

-0.3 -0.2 -0.1 0.0 0.1 0.2 0.3

-0.3

-0.2

-0.1

0.0

0.1

0.2

0.3

0.2 0.4 0.6 0.8 1.0

1

1

-

HSCC’13,RSS’13,CADE’12Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 35 / 41

Verified CPS Applications www.lfcps.org/course/

0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

0 1 2 3 4 5 60.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

15-424/624/824 Foundations of Cyber-Physical Systems studentsNathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 35 / 41

Airborne Collision Avoidance System ACAS X: Verify

Developed by the FAA to replace current TCAS in aircraft

Approximately optimizes Markov Decision Process on a grid

Advisory from lookup tables with numerous 5D interpolation regions

1 Identified safe region for each advisory symbolically

2 Proved safety for hybrid systems flight model in KeYmaera X

TACAS’15,EMSOFT’15,STTT’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 36 / 41

Airborne Collision Avoidance System ACAS X: Compare

ACAS X table comparison shows safe advisory in 97.7% of the648,591,384,375 states compared (15,160,434,734 counterexamples).

ACAS X issues DNC advisory, which induces collision unless corrected

TACAS’15,EMSOFT’15,STTT’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 37 / 41

Airborne Collision Avoidance System ACAS X: Refine

Conservative, so too many counterexamples

Settle for: safe for a little while, with safe future advisory possibility

Safeable advisory: a subsequent advisory can safely avoid collision

1 Identified safeable region for each advisory symbolically

2 Proved safety for hybrid systems flight model in KeYmaera X

STTT’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 38 / 41

Airborne Collision Avoidance System ACAS X: Compare

ACAS X table comparison shows safeable advisory in more of the648,591,384,375 states compared (31 to 899 106 counterexamples).

ACAS X issues Maintain advisory instead of CL1500

STTT’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 39 / 41

Airborne Collision Avoidance System ACAS X: Compare

ACAS X table comparison shows safeable advisory in more of the648,591,384,375 states compared (31 to 899 106 counterexamples).

ACAS X issues Maintain advisory instead of CL1500

STTT’16Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 39 / 41

Outline

1 KeYmaera X OverviewTutorial Objectives

2 Differential Dynamic Logic for Hybrid SystemsSyntax: Notation for Verification QuestionsSemantics: Meaning of the SyntaxExample: Car Control DesignExample: Branching Structure

3 Proofs for CPSCompositional Proof CalculusExample: Safe Car Control

4 Differential Invariants for Differential EquationsDifferential InvariantsExample: Elementary Differential InvariantsExample: Ground Robots

5 Synthesize Monitors6 Case Studies7 Summary

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 39 / 41

KeYmaera X Tool Architecture

KeYmaera X Kernel (soundness-critical, Scala)Real Quantifier Elimination

Bound Renaming

Propositional Sequent Calculus with Skolemization

Differential Equation Solving

...

Uniform Substitution

Wrappers for Kernel Primitives

CombinatorsdL Tactics

Proof Strategiesuses

Scheduler

Simplified Proof Tree View

REST-APIProof View ModelsTactics

Execution

Proof Log

KeYmaera X Web UI (JavaScript)

Axio

mati

c C

ore

HyD

RA

Serv

er

Use

r In

terf

ace

Tact

ical

Pro

ver

Proof Storingstores

controls

executes tactics on tools/ CPU cores

start/stop/pause/resume

Searching

Scala-API

managescombines

Proof Tree

Axioms

Proof Tree Simplificationobserves

executes

Proof Certificates

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 40 / 41

KeYmaera X Theorem Prover for Hybrid Systems

differential dynamic logic

dL = DL + HP

FCPS courseSTTT’16 tutorialBook

Multi-dynamical systems

Compositional

Logic & proofs for CPS

Small soundness core

Proof by pointing

Interactive proof clicking

Tactical proof programming

Proof search tactics

Flexible + modular API

Find bugs + bug fixes

KeYmaera X

http://keymaeraX.org/

dis

cre

te contin

uo

us

nondet

sto

chastic

advers

arial

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 41 / 41

Andre Platzer.Logics of dynamical systems.In LICS [17], pages 13–24.doi:10.1109/LICS.2012.13.

Andre Platzer.A complete uniform substitution calculus for differential dynamic logic.

J. Autom. Reas., 2016.doi:10.1007/s10817-016-9385-1.

Stefan Mitsch and Andre Platzer.ModelPlex: Verified runtime validation of verified cyber-physicalsystem models.Form. Methods Syst. Des., 49(1):33–74, 2016.Special issue of selected papers from RV’14.doi:10.1007/s10703-016-0241-z.

Nathan Fulton and Andre Platzer.

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 0 / 0

A logic of proofs for differential dynamic logic: Toward independentlycheckable proof certificates for dynamic logics.In Jeremy Avigad and Adam Chlipala, editors, Proceedings of the2016 Conference on Certified Programs and Proofs, CPP 2016, St.Petersburg, FL, USA, January 18-19, 2016, pages 110–121. ACM,2016.doi:10.1145/2854065.2854078.

Andre Platzer.Logic & proofs for cyber-physical systems.In Nicola Olivetti and Ashish Tiwari, editors, IJCAR, volume 9706 ofLNCS, pages 15–21. Springer, 2016.doi:10.1007/978-3-319-40229-1_3.

Andre Platzer.Differential dynamic logic for hybrid systems.J. Autom. Reas., 41(2):143–189, 2008.doi:10.1007/s10817-008-9103-8.

Andre Platzer.Differential game logic.

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 0 / 0

ACM Trans. Comput. Log., 17(1):1:1–1:51, 2015.doi:10.1145/2817824.

Andre Platzer.The complete proof theory of hybrid systems.In LICS [17], pages 541–550.doi:10.1109/LICS.2012.64.

Andre Platzer.Differential-algebraic dynamic logic for differential-algebraic programs.J. Log. Comput., 20(1):309–352, 2010.doi:10.1093/logcom/exn070.

Andre Platzer and Edmund M. Clarke.Computing differential invariants of hybrid systems as fixedpoints.Form. Methods Syst. Des., 35(1):98–120, 2009.Special issue for selected papers from CAV’08.doi:10.1007/s10703-009-0079-8.

Andre Platzer.The structure of differential invariants and differential cut elimination.

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 0 / 0

Log. Meth. Comput. Sci., 8(4):1–38, 2012.doi:10.2168/LMCS-8(4:16)2012.

Andre Platzer.A differential operator approach to equational differential invariants.In Lennart Beringer and Amy Felty, editors, ITP, volume 7406 ofLNCS, pages 28–48. Springer, 2012.doi:10.1007/978-3-642-32347-8_3.

Jean-Baptiste Jeannin, Khalil Ghorbal, Yanni Kouskoulas, RyanGardner, Aurora Schmidt, Erik Zawadzki, and Andre Platzer.A formally verified hybrid system for the next-generation airbornecollision avoidance system.In Christel Baier and Cesare Tinelli, editors, TACAS, volume 9035 ofLNCS, pages 21–36. Springer, 2015.doi:10.1007/978-3-662-46681-0_2.

Jean-Baptiste Jeannin, Khalil Ghorbal, Yanni Kouskoulas, RyanGardner, Aurora Schmidt, Erik Zawadzki, and Andre Platzer.Formal verification of ACAS X, an industrial airborne collisionavoidance system.

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 0 / 0

In Alain Girault and Nan Guan, editors, EMSOFT, pages 127–136.IEEE, 2015.doi:10.1109/EMSOFT.2015.7318268.

Jean-Baptiste Jeannin, Khalil Ghorbal, Yanni Kouskoulas, AuroraSchmidt, Ryan Gardner, Stefan Mitsch, and Andre Platzer.A formally verified hybrid system for safe advisories in thenext-generation airborne collision avoidance system.STTT, 2016.doi:10.1007/s10009-016-0434-1.

Andre Platzer.Logical Analysis of Hybrid Systems: Proving Theorems for ComplexDynamics.Springer, Heidelberg, 2010.doi:10.1007/978-3-642-14509-4.

Proceedings of the 27th Annual ACM/IEEE Symposium on Logic inComputer Science, LICS 2012, Dubrovnik, Croatia, June 25–28, 2012.IEEE, 2012.

Nathan Fulton, Stefan Mitsch, Andre Platzer KeYmaera X Tutorial: Tactics & Proofs for Cyber-Physical Systems FM’16 0 / 0