Logic & Proofs for Cyber-Physical Systems with KeYmaera X
André Platzer (CMU)
iFM'17
Outline
1 CPS are Multi-Dynamical Systems: Hybrid Systems / Games / Stochastic / Distributed Hybrid Systems
2 Differential Dynamic Logic
3 Axioms and Proofs for CPS
4 Differential Invariants for Differential Equations: Differential Invariants; Example: Elementary Differential Invariants
5 Applications: Ground Robot Navigation; Airborne Collision Avoidance System; KeYmaera X
6 Summary
Cyber-Physical Systems Analysis: Aircraft Example
Which control decisions are safe for aircraft collision avoidance?
Cyber-Physical Systems: CPSs combine cyber capabilities with physical capabilities to solve problems that neither part could solve alone.
CPSs Promise Transformative Impact!
Prospects (safe & efficient): pilot decision support, driver assistance, train protection, autopilots / UAVs, autonomous cars, robots near humans.
Prerequisite: CPSs need to be safe.
How do we make sure CPSs make the world a better place?
Can you trust a computer to control physics?
1 Depends on how it has been programmed
2 And on what will happen if it malfunctions
Rationale
1 Safety guarantees require analytic foundations.
2 A common foundational core helps all application domains.
3 Foundations revolutionized digital computer science & our society.
4 Need even stronger foundations when software reaches out into our physical world.
CPSs deserve proofs as safety evidence!
CPSs are Multi-Dynamical Systems
CPS Dynamics: CPS are characterized by multiple facets of dynamical systems (figure: discrete, continuous, nondeterministic, adversarial, stochastic).
CPS Compositions: CPS combines multiple simple dynamical effects (descriptive simplification).
Tame Parts: Exploiting compositionality tames CPS complexity (analytic simplification).
The facets combine into:
hybrid systems: HS = discrete + ODE
hybrid games: HG = HS + adversary
stochastic hybrid systems: SHS = HS + stochastics
distributed hybrid systems: DHS = HS + distributed
Dynamic Logics for Dynamical Systems
differential dynamic logic: dL = DL + HP, with modalities [α]φ and ⟨α⟩φ
differential game logic: dGL = GL + HG
stochastic differential DL: SdL = DL + SHP
quantified differential DL: QdL = FOL + DL + QHP
(JAR'08, CADE'11, LMCS'12, LICS'12, LICS'12, TOCL'15, CADE'15, JAR'17, TOCL'17)
Dynamic Logics
DL has been introduced for programs (Pratt'76, Harel, Kozen).
Its real calling is dynamical systems: DL excels at providing simple + elegant logical foundations for dynamical systems.
CPSs are multi-dynamical systems, so DL for CPS are multi-dynamical.
CPS Analysis Concept (Differential Dynamic Logic) (JAR'08, LICS'12)
[figure: the states satisfying ϕ, the hybrid program α, and the states satisfying [α]ϕ; plots of a, v, x against time t for a car that must stop before position m]
The hybrid program is built up step by step:
test, assign:    if (SB(x, m)) a := −b
ODE:             x′ = v, v′ = a
seq. compose:    (if (SB(x, m)) a := −b); x′ = v, v′ = a
nondet. repeat:  ((if (SB(x, m)) a := −b); x′ = v, v′ = a)*
The safety property in dL:
x ≤ m ∧ b > 0  →  [((if (SB(x, m)) a := −b); x′ = v, v′ = a)*] x ≤ m
(init)            (all runs)                                    (post)
Differential Dynamic Logic dL: Syntax
Definition (Hybrid program α)
α ::= x := f(x) | ?Q | x′ = f(x) & Q | α ∪ β | α ; β | α*
Definition (dL Formula P)
P ::= e ≥ ẽ | ¬P | P ∧ Q | ∀x P | ∃x P | [α]P | ⟨α⟩P
(JAR'08, LICS'12, JAR'17)
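As an added worked example (not from the slides and not KeYmaera X code), the Python below encodes the hybrid-program syntax of the definition above as tuples with a small interpreter, then runs the braking controller from the CPS analysis concept slides, ((if (SB(x, m)) a := −b); x′ = v, v′ = a)*, and checks the postcondition x ≤ m on every reachable state. The concrete numbers, the evolution domain v ≥ 0 and the condition SB(x, m) are assumptions, since the slides leave SB unspecified.

```python
# Hybrid programs in the syntax of the slide, encoded as tuples (added example, not KeYmaera X code):
#   ("assign", x, f)   x := f(x)      ("test", Q)        ?Q
#   ("ode", flow, Q)   x' = f(x) & Q  ("choice", a, b)   a ∪ b
#   ("seq", a, b)      a ; b          ("loop", a)        a*
def run(prog, s: dict, T: float = 0.5, dt: float = 0.001) -> list:
    """End states of all runs of prog from s, finitely approximated: each ODE evolves for the
    sampling period T (or until it would leave its domain Q) by explicit Euler steps, and a
    loop is repeated until no new end state appears."""
    kind = prog[0]
    if kind == "assign":
        return [{**s, prog[1]: prog[2](s)}]
    if kind == "test":
        return [s] if prog[1](s) else []                  # a failed test aborts the run
    if kind == "ode":
        flow, Q, cur, t = prog[1], prog[2], dict(s), 0.0
        while Q(cur) and t + dt <= T + 1e-9:
            nxt = {**cur, **{x: cur[x] + dt * f(cur) for x, f in flow.items()}}
            if not Q(nxt):
                break                                      # stop before leaving the domain
            cur, t = nxt, t + dt
        return [cur] if Q(cur) else []
    if kind == "choice":
        return run(prog[1], s, T, dt) + run(prog[2], s, T, dt)
    if kind == "seq":
        return [u for mid in run(prog[1], s, T, dt) for u in run(prog[2], mid, T, dt)]
    if kind == "loop":
        seen, frontier = [s], [s]                          # 0, 1, 2, ... repetitions
        while frontier and len(seen) < 10_000:
            frontier = [u for w in frontier for u in run(prog[1], w, T, dt) if u not in seen]
            seen += frontier
        return seen
    raise ValueError(f"unknown program {kind}")

# Constructed instance of the braking controller on the slides. SB(x,m) is not defined there;
# the assumed condition here is "after one more period T of accelerating at A, braking at -b
# could no longer stop before m"; the evolution domain v >= 0 is assumed as well.
M, B, A, T = 100.0, 5.0, 2.0, 0.5
def SB(s: dict) -> bool:
    return s["x"] + s["v"] ** 2 / (2 * B) + (A / B + 1) * (A * T ** 2 / 2 + T * s["v"]) >= M

ctrl = ("choice", ("seq", ("test", SB), ("assign", "a", lambda s: -B)),   # if (SB(x,m)) a := -b
                  ("test", lambda s: not SB(s)))
plant = ("ode", {"x": lambda s: s["v"], "v": lambda s: s["a"]}, lambda s: s["v"] >= 0)
car = ("loop", ("seq", ctrl, plant))                                       # (ctrl ; plant)*

def reachable(x0: float = 0.0, v0: float = 10.0) -> list:
    return run(car, {"x": x0, "v": v0, "a": A}, T)

def post_holds(states: list) -> bool:                  # postcondition x <= m on every reachable state
    return all(s["x"] <= M for s in states)
```

This is a bounded simulation, not a proof: it enumerates finitely many Euler-approximated runs from one initial state, whereas the dL formula [α] x ≤ m quantifies over all runs from all initial states satisfying the precondition, which is what a KeYmaera X proof establishes symbolically.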