Logic & Proofs for Cyber-Physical Systems Andr e Platzer - PowerPoint PPT Presentation

Logic & Proofs for Cyber-Physical Systems Andr´ e Platzer aplatzer@cs.cmu.edu Computer Science Department Carnegie Mellon University, Pittsburgh, PA 0.5 0.4 0.3 0.2 1.0 0.1 0.8 0.6 0.4 0.2 Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 1 / 27

Outline CPS are Multi-Dynamical Systems 1 Hybrid Systems Hybrid Games Stochastic Hybrid Systems Distributed Hybrid Systems Dynamic Logic of Multi-Dynamical Systems 2 Proofs for CPS 3 Theory of CPS 4 Soundness and Completeness Differential Invariants Differential Axioms Example: Elementary Differential Invariants Applications 5 Summary 6 Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 1 / 27

Cyber-Physical Systems Analysis: Aircraft Example Which control decisions are safe for aircraft collision avoidance? Cyber-Physical Systems CPSs combine cyber capabilities with physical capabilities to solve problems that neither part could solve alone. Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 2 / 27

CPSs Promise Transformative Impact! Prospects: Safe & Efficient Pilot decision support Driver assistance Train protection Autopilots / UAVs Autonomous cars Robots near humans Prerequisite: CPSs need to be safe How do we make sure CPSs make the world a better place? Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 3 / 27

Can you trust a computer to control physics? Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 4 / 27

Can you trust a computer to control physics? 1 Depends on how it has been programmed 2 And on what will happen if it malfunctions Rationale 1 Safety guarantees require analytic foundations. 2 A common foundational core helps all application domains. 3 Foundations revolutionized digital computer science & our society. 4 Need even stronger foundations when software reaches out into our physical world. CPSs deserve proofs as safety evidence! Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 4 / 27

CPSs are Multi-Dynamical Systems CPS Dynamics CPS are characterized by multiple facets of dynamical systems. e o n c t t e i n r c u s o i u d s l a stochastic i r a s r nondet e v d a CPS Compositions Tame Parts CPS combines multiple Exploiting compositionality tames CPS complexity. simple dynamical effects. Descriptive simplification Analytic simplification Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 5 / 27

CPSs are Multi-Dynamical Systems hybrid systems HS = discrete + ODE e o n c t t e i n r c u s o i u d s hybrid games stochastic hybrid sys. HG = HS + adversary SHS = HS + stochastics l a stochastic i r a 0.3 s r nondet 0.2 e 0.1 v d 5 10 15 20 a � 0.1 � 0.2 � 0.3 distributed hybrid sys. DHS = HS + distributed Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 6 / 27

Dynamic Logics for Dynamical Systems differential dynamic logic [ α ] φ φ d L = DL + HP α e o n c t t e i n r c u s o i u d s differential game logic stochastic differential DL dG L = GL + HG Sd L = DL + SHP l a stochastic i r a s r nondet e v d � α � φ � α � φ a φ φ quantified differential DL Qd L = FOL + DL + QHP JAR’08,CADE’11,LMCS’12,LICS’12 LICS’12,CADE’15,TOCL’15 Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 7 / 27

CPS Analysis Concept (Differential Dynamic Logic) (JAR’08,LICS’12) 3.5 3.0 2.5 ϕ [ α ] ϕ α 2.0 1.5 1.0 0.5 0.0 0 1 2 3 4 5 6 0.5 a 6 v x 10 m 7 t 0.0 1 2 3 4 5 6 8 4 � 0.5 6 � 1.0 2 4 � 1.5 2 7 t 0 � 2.0 1 2 3 4 5 6 7 t 0 1 2 3 4 5 6 � 2.5 � 2 � 2 Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 8 / 27

CPS Analysis Concept (Differential Dynamic Logic) (JAR’08,LICS’12) x � = m � x � = m x � = m ϕ [ α ] ϕ α x � = m 0.5 a 6 v x 10 m 7 t 0.0 1 2 3 4 5 6 8 4 � 0.5 6 � 1.0 2 4 � 1.5 2 7 t 0 � 2.0 1 2 3 4 5 6 7 t 0 1 2 3 4 5 6 � 2.5 � 2 � 2 Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 8 / 27

CPS Analysis Concept (Differential Dynamic Logic) (JAR’08,LICS’12) x � = m x � = m ϕ [ α ] ϕ [ ] x � = m α x � = m 0.5 a 6 v x 10 m 7 t 0.0 1 2 3 4 5 6 8 4 � 0.5 6 � 1.0 2 4 � 1.5 2 7 t 0 � 2.0 1 2 3 4 5 6 7 t 0 1 2 3 4 5 6 � 2.5 � 2 � 2 Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 8 / 27

CPS Analysis Concept (Differential Dynamic Logic) (JAR’08,LICS’12) x � = m x � = m ϕ [ α ] ϕ [ ] x � = m α x � = m x ′ = v , v ′ = a ODE 0.5 a 6 v x 10 m 7 t 0.0 1 2 3 4 5 6 8 4 � 0.5 6 � 1.0 2 4 � 1.5 2 7 t 0 � 2.0 1 2 3 4 5 6 7 t 0 1 2 3 4 5 6 � 2.5 � 2 � 2 Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 8 / 27

CPS Analysis Concept (Differential Dynamic Logic) (JAR’08,LICS’12) x � = m x � = m ϕ [ α ] ϕ [ ] x � = m α x � = m x ′ = v , v ′ = a a := − b assign ODE 0.5 a 6 v x 10 m 7 t 0.0 1 2 3 4 5 6 8 4 � 0.5 6 � 1.0 2 4 � 1.5 2 7 t 0 � 2.0 1 2 3 4 5 6 7 t 0 1 2 3 4 5 6 � 2.5 � 2 � 2 Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 8 / 27

CPS Analysis Concept (Differential Dynamic Logic) (JAR’08,LICS’12) x � = m x � = m ϕ [ α ] ϕ [ ] x � = m α x � = m x ′ = v , v ′ = a ( if (SB( x , m )) a := − b ) test assign ODE 0.5 a 6 v x 10 m 7 t 0.0 1 2 3 4 5 6 8 4 � 0.5 6 � 1.0 2 4 � 1.5 2 7 t 0 � 2.0 1 2 3 4 5 6 7 t 0 1 2 3 4 5 6 � 2.5 � 2 � 2 Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 8 / 27

CPS Analysis Concept (Differential Dynamic Logic) (JAR’08,LICS’12) ϕ [ α ] ϕ α seq. compose ( if (SB( x , m )) a := − b ) ; x ′ = v , v ′ = a test assign ODE 0.5 a 6 v x 10 m 7 t 0.0 1 2 3 4 5 6 8 4 � 0.5 6 � 1.0 2 4 � 1.5 2 7 t 0 � 2.0 1 2 3 4 5 6 7 t 0 1 2 3 4 5 6 � 2.5 � 2 � 2 Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 8 / 27

CPS Analysis Concept (Differential Dynamic Logic) (JAR’08,LICS’12) ϕ [ α ] ϕ α seq. nondet. compose repeat � ( if (SB( x , m )) a := − b ) ; x ′ = v , v ′ = a � ∗ test assign ODE 0.5 a 6 v x 10 m 7 t 0.0 1 2 3 4 5 6 8 4 � 0.5 6 � 1.0 2 4 � 1.5 2 7 t 0 � 2.0 1 2 3 4 5 6 7 t 0 1 2 3 4 5 6 � 2.5 � 2 � 2 Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 8 / 27

CPS Analysis Concept (Differential Dynamic Logic) (JAR’08,LICS’12) x � = m x � = m ϕ [ α ] ϕ [ ] x � = m α x � = m �� ( if (SB( x , m )) a := − b ) ; x ′ = v , v ′ = a � ∗ � x � = m � �� � post all runs 0.5 a 6 v x 10 m 7 t 0.0 1 2 3 4 5 6 8 4 � 0.5 6 � 1.0 2 4 � 1.5 2 7 t 0 � 2.0 1 2 3 4 5 6 7 t 0 1 2 3 4 5 6 � 2.5 � 2 � 2 Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 8 / 27

CPS Analysis Concept (Differential Dynamic Logic) (JAR’08,LICS’12) x � = m x � = m ϕ [ α ] ϕ [ ] x � = m α x � = m �� ( if (SB( x , m )) a := − b ) ; x ′ = v , v ′ = a � ∗ � x � = m ∧ b > 0 → x � = m � �� � � �� � post init all runs 0.5 a 6 v x 10 m 7 t 0.0 1 2 3 4 5 6 8 4 � 0.5 6 � 1.0 2 4 � 1.5 2 7 t 0 � 2.0 1 2 3 4 5 6 7 t 0 1 2 3 4 5 6 � 2.5 � 2 � 2 Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 8 / 27

Differential Dynamic Logic d L : Syntax Definition (Hybrid program α ) x := f ( x ) | ? Q | x ′ = f ( x ) & Q | α ∪ β | α ; β | α ∗ Definition (d L Formula P ) e ≥ ˜ e | ¬ P | P ∧ Q | ∀ x P | ∃ x P | [ α ] P | � α � P Tableaux’07,JAutomReas’08,LICS’12 Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 9 / 27

Differential Dynamic Logic d L : Syntax Discrete Differential Seq. Nondet. Test Nondet. Assign Equation Compose Repeat Condition Choice Definition (Hybrid program α ) x := f ( x ) | ? Q | x ′ = f ( x ) & Q | α ∪ β | α ; β | α ∗ Definition (d L Formula P ) e ≥ ˜ e | ¬ P | P ∧ Q | ∀ x P | ∃ x P | [ α ] P | � α � P All Some All Some Reals Reals Runs Runs Tableaux’07,JAutomReas’08,LICS’12 Andr´ e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems IJCAR’16 9 / 27