LFCPS/04: Safety & Contracts
Logical Foundations of Cyber-Physical Systems
André Platzer (CMU)
Slide 1 / 16
Outline
1. Learning Objectives
2. Quantum the Acrophobic Bouncing Ball
3. Contracts for CPS: Safety of Robots; Safety of Bouncing Balls
4. Logical Formulas for Hybrid Programs
5. Differential Dynamic Logic: Syntax; Semantics; Notational Convention
6. Identifying Requirements of a CPS
7. Summary
Learning Objectives: Safety & Contracts
[Figure: learning-objectives diagram with the corners CT, M&C and CPS]
- rigorous specification
- contracts: preconditions, postconditions
- differential dynamic logic
- discrete+continuous model
- semantics
- analytic specification
- reasoning principles
Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball), built up step by step on the slides:
  continuous motion:                   {x′ = v, v′ = −g}
  with the evolution domain x ≥ 0:     {x′ = v, v′ = −g & x ≥ 0}
  followed by the bounce on the ground: {x′ = v, v′ = −g & x ≥ 0}; if(x = 0) v := −cv
  repeated in a loop:                  ({x′ = v, v′ = −g & x ≥ 0}; if(x = 0) v := −cv)*

Quantum Discovered a Crack in the Fabric of Time
[Figure: height x plotted against time t, with the bounce times t0, t1, ..., t6 marked]
Example (Quantum the Bouncing Ball):
  ({x′ = v, v′ = −g & x ≥ 0}; if(x = 0) v := −cv)*

Quantum Learns to Deflate
[Figure: height x plotted against time t]
Example (Quantum the Bouncing Ball), with a nondeterministic choice between bouncing and stopping:
  ({x′ = v, v′ = −g & x ≥ 0}; if(x = 0)(v := −cv ∪ v := 0))*
Safety of Robots

Three Laws of Robotics (Isaac Asimov, 1942)
1. A robot may not injure a human being or, through inaction, allow a human being to come to harm.
2. A robot must obey the orders given to it by human beings, except where such orders would conflict with the First Law.
3. A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.

The Three Laws of Robotics are not the answer. They are the inspiration!
Contracts for Quantum the Acrophobic Bouncing Ball

Example (Quantum the Bouncing Ball), with its contract built up clause by clause. The requires clauses are preconditions assumed of the initial state, the ensures clauses are postconditions that must hold in every state the program can reach, and @invariant annotates the loop with an invariant:
  requires(x = H)
  requires(0 ≤ H)
  ensures(0 ≤ x)
  ensures(x ≤ H)
  ({x′ = v, v′ = −g & x ≥ 0}; if(x = 0) v := −cv)* @invariant(x ≥ 0)
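To make the contract concrete, here is an added Python runtime check (not from the lecture, KeYmaera X, or the book) that follows one maximal run of the bouncing-ball hybrid program in closed form and reports which contract clauses fail; it also covers the deflating variant from the earlier slide. It assumes g > 0, which the slides do not state, and that the caller picks the restitution factor c, the initial state and the number of loop iterations (all constructed sample values).

```python
import math

def flight_peak(x, v, g):
    """Highest height reached along x'=v, v'=-g from state (x, v) before
    landing; every point of the flight is a reachable state of the ODE."""
    return x + v * v / (2 * g) if v > 0 else x

def fall_to_ground(x, v, g):
    """Run {x'=v, v'=-g & x>=0} for the maximal time, i.e. until x=0.
    The positive root of x + v*t - g*t^2/2 = 0 gives v(t) = v - g*t =
    -sqrt(v^2 + 2*g*x), so the landing state needs no numerical integration."""
    return 0.0, -math.sqrt(v * v + 2 * g * x)

def bounce(v, c, deflate):
    """Discrete part: if(x=0) v := -c*v, or the branch v := 0 of the
    nondeterministic choice (v := -c*v ∪ v := 0) from the deflating variant."""
    return 0.0 if deflate else -c * v

def check_contract(H, g, c, x0, v0, iterations, deflate=False):
    """Follow one run of ({x'=v,v'=-g & x>=0}; if(x=0) v:=-cv)* for the given
    number of loop iterations, starting from (x0, v0), and report every
    contract clause from the slides that fails along the way.
    Returns the sorted list of violated clause names (empty list: held).
    Assumes g > 0 (an assumption of this check, not stated on the slides)."""
    violations = []
    if x0 != H:
        violations.append("requires(x=H)")
    if not 0 <= H:
        violations.append("requires(0<=H)")
    x, v = x0, v0
    for _ in range(iterations):
        if x < 0:
            violations.append("@invariant(x>=0)")
        # the loop may stop after any iteration and the ODE after any time,
        # so the postconditions must hold mid-flight, in particular at the peak
        if flight_peak(x, v, g) > H:
            violations.append("ensures(x<=H)")
        x, v = fall_to_ground(x, v, g)
        if x < 0:
            violations.append("ensures(0<=x)")
        if x == 0:
            v = bounce(v, c, deflate)
    return sorted(set(violations))
```

A bounded check like this only finds violations along the runs it explores (for instance that a restitution factor c > 1 sends the ball above H on the second flight); showing that the contract holds for every run is what the logic in the following sections is for.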
Contracts are Not Enough

CPS contracts are crucial for CPS safety. We need to understand CPS programs and contracts, and how we can convince ourselves that a CPS program respects its contract. Contracts are at a disadvantage compared to full logic.

Logic is for Specification and Reasoning
1. Specification of a whole CPS program.
2. Analytic inspection of its parts.
3. Argumentative relations between contracts and program parts.
"Yes, this CPS program meets its contract, and here's why ..."