Differential Dynamic Logic and Differential Invariants for Hybrid Systems
André Platzer
Computer Science Department, Carnegie Mellon University, Pittsburgh, PA
http://symbolaris.com/
Andre Platzer (CMU) Differential Dynamic Logic and Differential Invariants ITP’12 1 / 42
How can we design computers that are guaranteed to interact correctly with the physical world?
Outline
1 Motivation
2 Differential Dynamic Logic dL
  Syntax
  Semantics
  Axiomatization
  Soundness and Completeness
3 Differential Invariants
  Air Traffic Control
  Equational Differential Invariants
  Structure of Differential Invariants
  Differential Cuts
  Differential Auxiliaries
4 Structure of Invariant Functions / Equations
5 Differential Invariants and Assumptions
6 Inverse Characteristic Method
7 Survey
8 Summary
Hybrid Systems Analysis: Car Control
Challenge (Hybrid Systems)
Fixed rule describing state evolution with both
  Continuous dynamics (differential equations)
  Discrete dynamics (control decisions)
[figure: plots of acceleration a, velocity v and position z over time t]
Hybrid Systems Analysis is Important for . . .
[figures: a trajectory plot, and the aircraft geometry with positions (x1, x2) and (y1, y2), distance d, angular velocity ω, angle ϑ]
Differential Dynamic Logic for Hybrid Systems
differential dynamic logic: dL = FOL_R + DL + HP
  FOL_R: first-order logic of real arithmetic, e.g. ∀MA ∃SB . . ., ∀t≥0 . . ., v² ≤ 2b(MA − z), v ≤ 1 ∧ v² ≤ 2b(MA − z), v ≤ 1 ∨ v² ≤ 2b(MA − z)
  DL: dynamic logic modalities [α]φ, ⟨α⟩φ
  HP: hybrid programs
[figure: position z, velocity v, and the point MA]
Example:
  C → [ if(z > SB) a := −b; z′′ = a ] v² ≤ 2b(MA − z)
  initial condition C; system dynamics: the hybrid program if(z > SB) a := −b; z′′ = a; postcondition v² ≤ 2b(MA − z)
Differential Dynamic Logic dL: Syntax
Definition (Hybrid program α)
  x := θ | ?H | x′ = f(x) & H | α ∪ β | α;β | α*
  discrete assign | test condition | differential equation | nondet. choice | seq. compose | nondet. repeat
Definition (dL Formula φ)
  θ1 ≥ θ2 | ¬φ | φ ∧ ψ | ∀x φ | ∃x φ | [α]φ | ⟨α⟩φ
  ∀x φ: all reals; ∃x φ: some reals; [α]φ: all runs; ⟨α⟩φ: some runs
Differential Dynamic Logic dL: Semantics
Definition (Hybrid program α)
  ρ(x := θ) = {(v, w) : w = v except [[x]]w = [[θ]]v}
  ρ(?H) = {(v, v) : v ⊨ H}
  ρ(x′ = f(x)) = {(ϕ(0), ϕ(r)) : ϕ ⊨ x′ = f(x) for some duration r}
  ρ(α ∪ β) = ρ(α) ∪ ρ(β)
  ρ(α;β) = ρ(β) ∘ ρ(α)
  ρ(α*) = ⋃_{n∈ℕ} ρ(αⁿ)
Definition (dL Formula φ)
  v ⊨ θ1 ≥ θ2 iff [[θ1]]v ≥ [[θ2]]v
  v ⊨ [α]φ iff w ⊨ φ for all w with (v, w) ∈ ρ(α)
  v ⊨ ⟨α⟩φ iff w ⊨ φ for some w with (v, w) ∈ ρ(α)
  v ⊨ ∀x φ iff w ⊨ φ for all w that agree with v except for x
  v ⊨ ∃x φ iff w ⊨ φ for some w that agrees with v except for x
  v ⊨ φ ∧ ψ iff v ⊨ φ and v ⊨ ψ
  v ⊨ ¬φ iff v ⊨ φ does not hold
Differential Dynamic Logic dL: Axiomatization
Axioms
  ([:=]) [x := θ]φ(x) ↔ φ(θ)
  ([?]) [?H]φ ↔ (H → φ)
  ([′]) [x′ = f(x)]φ ↔ ∀t≥0 [x := y(t)]φ   (y′(t) = f(y))
  ([∪]) [α ∪ β]φ ↔ [α]φ ∧ [β]φ
  ([;]) [α;β]φ ↔ [α][β]φ
  ([*]) [α*]φ ↔ φ ∧ [α][α*]φ
  (K) [α](φ → ψ) → ([α]φ → [α]ψ)
  (I) [α*](φ → [α]φ) → (φ → [α*]φ)
  (C) [α*]∀v>0 (ϕ(v) → ⟨α⟩ϕ(v − 1)) → ∀v (ϕ(v) → ⟨α*⟩∃v≤0 ϕ(v))
Rules
  (G) from φ infer [α]φ
  (MP) from φ → ψ and φ infer ψ
  (∀) from φ infer ∀x φ
  (B) ∀x [α]φ → [α]∀x φ   (x ∉ α)
  (V) φ → [α]φ   (FV(φ) ∩ BV(α) = ∅)
Soundness
Theorem (Soundness)
dL calculus is sound, i.e., all provable dL formulas are valid: ⊢ φ implies ⊨ φ
What about the converse?
Complete Proof Theory of Hybrid Systems
Theorem (Continuous Relative Completeness) (J.Autom.Reas. 2008)
dL calculus is a sound & complete axiomatization of hybrid systems relative to differential equations. Proof 15p
Theorem (Discrete Relative Completeness) (LICS’12)
dL calculus is a sound & complete axiomatization of hybrid systems relative to discrete dynamics. Proof +10p
[figure: continuous systems and discrete systems as parts of hybrid systems; continuous theory and discrete theory as parts of the hybrid theory]
Air Traffic Control
[figure: two aircraft with positions (x1, x2) and (y1, y2), distance d, angular velocities ω and ϖ, angle ϑ]
  x1′ = −v1 + v2 cos ϑ + ω x2
  x2′ = v2 sin ϑ − ω x1
  ϑ′ = ϖ − ω
Verification? Looks correct. NO!
Example (“Solving” differential equations)
  x1(t) = 1/(ωϖ) (x1 ωϖ cos tω − v2 ω cos tω sin ϑ + v2 ω cos tω cos tϖ sin ϑ − v1 ϖ sin tω + x2 ωϖ sin tω − v2 ω cos ϑ cos tϖ sin tω − v2 ω √(1 − (sin ϑ)²) sin tω + v2 ω cos ϑ cos tω sin tϖ + v2 ω sin ϑ sin tω sin tϖ) . . .
  Substituting this solution for x1 (and the analogous one for x2) into the postcondition under ∀t≥0 yields the proof obligation below, printed in the prover’s syntax (om_1 and omb_1 correspond to ω and ϖ):
\forall R ts2.
( 0 <= ts2 & ts2 <= t2_0
-> ( (om_1)^-1
* (omb_1)^-1
* ( om_1 * omb_1 * x1 * Cos(om_1 * ts2)
+ om_1 * v2 * Cos(om_1 * ts2) * (1 + -1 * (Cos(u))^2)^(1 / 2)
+ -1 * omb_1 * v1 * Sin(om_1 * ts2)
+ om_1 * omb_1 * x2 * Sin(om_1 * ts2)
+ om_1 * v2 * Cos(u) * Sin(om_1 * ts2)
+ -1 * om_1 * v2 * Cos(omb_1 * ts2) * Cos(u) * Sin(om_1 * ts2)
+ om_1 * v2 * Cos(om_1 * ts2) * Cos(u) * Sin(omb_1 * ts2)
+ om_1 * v2 * Cos(om_1 * ts2) * Cos(omb_1 * ts2) * Sin(u)
+ om_1 * v2 * Sin(om_1 * ts2) * Sin(omb_1 * ts2) * Sin(u)))
^2
+ ( (om_1)^-1
* (omb_1)^-1
* ( -1 * omb_1 * v1 * Cos(om_1 * ts2)
+ om_1 * omb_1 * x2 * Cos(om_1 * ts2)
+ omb_1 * v1 * (Cos(om_1 * ts2))^2
+ om_1 * v2 * Cos(om_1 * ts2) * Cos(u)
+ -1 * om_1 * v2 * Cos(om_1 * ts2) * Cos(omb_1 * ts2) * Cos(u)
+ -1 * om_1 * omb_1 * x1 * Sin(om_1 * ts2)
+ -1
* om_1
* v2
* (1 + -1 * (Cos(u))^2)^(1 / 2)
* Sin(om_1 * ts2)
+ omb_1 * v1 * (Sin(om_1 * ts2))^2
+ -1 * om_1 * v2 * Cos(u) * Sin(om_1 * ts2) * Sin(omb_1 * ts2)
+ -1 * om_1 * v2 * Cos(omb_1 * ts2) * Sin(om_1 * ts2) * Sin(u)
+ om_1 * v2 * Cos(om_1 * ts2) * Sin(omb_1 * ts2) * Sin(u)))
^2
>= (p)^2),
t2_0 >= 0,
x1^2 + x2^2 >= (p)^2
==>
\forall R t7.
( t7 >= 0
-> ( (om_3)^-1
* ( om_3
* ( (om_1)^-1
* (omb_1)^-1
* ( om_1 * omb_1 * x1 * Cos(om_1 * t2_0)
+ om_1
* v2
* Cos(om_1 * t2_0)
* (1 + -1 * (Cos(u))^2)^(1 / 2)
+ -1 * omb_1 * v1 * Sin(om_1 * t2_0)
+ om_1 * omb_1 * x2 * Sin(om_1 * t2_0)
+ om_1 * v2 * Cos(u) * Sin(om_1 * t2_0)
+ -1
* om_1
* v2
* Cos(omb_1 * t2_0)
* Cos(u)
* Sin(om_1 * t2_0)
+ om_1
* v2
* Cos(om_1 * t2_0)
* Cos(u)
* Sin(omb_1 * t2_0)
+ om_1
* v2
* Cos(om_1 * t2_0)
* Cos(omb_1 * t2_0)
* Sin(u)
+ om_1
* v2
* Sin(om_1 * t2_0)
* Sin(omb_1 * t2_0)
* Sin(u)))
* Cos(om_3 * t5)
+ v2
* Cos(om_3 * t5)
* ( 1
+ -1
* (Cos(-1 * om_1 * t2_0 + omb_1 * t2_0 + u + Pi / 4))^2)
^(1 / 2)
+ -1 * v1 * Sin(om_3 * t5)
+ om_3
* ( (om_1)^-1
* (omb_1)^-1
* ( -1 * omb_1 * v1 * Cos(om_1 * t2_0)
+ om_1 * omb_1 * x2 * Cos(om_1 * t2_0)
+ omb_1 * v1 * (Cos(om_1 * t2_0))^2
+ om_1 * v2 * Cos(om_1 * t2_0) * Cos(u)
+ -1
* om_1
* v2
* Cos(om_1 * t2_0)
* Cos(omb_1 * t2_0)
* Cos(u)
+ -1 * om_1 * omb_1 * x1 * Sin(om_1 * t2_0)
+ -1
* om_1
* v2
* (1 + -1 * (Cos(u))^2)^(1 / 2)
* Sin(om_1 * t2_0)
+ omb_1 * v1 * (Sin(om_1 * t2_0))^2
+ -1
* om_1
* v2
* Cos(u)
* Sin(om_1 * t2_0)
* Sin(omb_1 * t2_0)
+ -1
* om_1
* v2
* Cos(omb_1 * t2_0)
* Sin(om_1 * t2_0)
* Sin(u)
+ om_1
* v2
* Cos(om_1 * t2_0)
* Sin(omb_1 * t2_0)
* Sin(u)))
* Sin(om_3 * t5)
+ v2
* Cos(-1 * om_1 * t2_0 + omb_1 * t2_0 + u + Pi / 4)
* Sin(om_3 * t5)
+ v2
* (Cos(om_3 * t5))^2
* Sin(-1 * om_1 * t2_0 + omb_1 * t2_0 + u + Pi / 4)
+ v2
* (Sin(om_3 * t5))^2
* Sin(-1 * om_1 * t2_0 + omb_1 * t2_0 + u + Pi / 4)))
^2
+ ( (om_3)^-1
* ( -1 * v1 * Cos(om_3 * t5)
+ om_3
* ( (om_1)^-1
* (omb_1)^-1
* ( -1 * omb_1 * v1 * Cos(om_1 * t2_0)
+ om_1 * omb_1 * x2 * Cos(om_1 * t2_0)
+ omb_1 * v1 * (Cos(om_1 * t2_0))^2
+ om_1 * v2 * Cos(om_1 * t2_0) * Cos(u)
+ -1
* om_1
* v2
* Cos(om_1 * t2_0)
* Cos(omb_1 * t2_0)
* Cos(u)
+ -1 * om_1 * omb_1 * x1 * Sin(om_1 * t2_0)
+ -1
* om_1
* v2
* (1 + -1 * (Cos(u))^2)^(1 / 2)
* Sin(om_1 * t2_0)
+ omb_1 * v1 * (Sin(om_1 * t2_0))^2
+ -1
* om_1
* v2
* Cos(u)
* Sin(om_1 * t2_0)
* Sin(omb_1 * t2_0)
+ -1
* om_1
* v2
* Cos(omb_1 * t2_0)
* Sin(om_1 * t2_0)
* Sin(u)
+ om_1
* v2
* Cos(om_1 * t2_0)
* Sin(omb_1 * t2_0)
* Sin(u)))
* Cos(om_3 * t5)
+ v1 * (Cos(om_3 * t5))^2
+ v2
* Cos(om_3 * t5)
* Cos(-1 * om_1 * t2_0 + omb_1 * t2_0 + u + Pi / 4)
+ -1
* v2
* (Cos(om_3 * t5))^2
* Cos(-1 * om_1 * t2_0 + omb_1 * t2_0 + u + Pi / 4)
+ -1
* om_3
* ( (om_1)^-1
* (omb_1)^-1
* ( om_1 * omb_1 * x1 * Cos(om_1 * t2_0)
+ om_1
* v2
* Cos(om_1 * t2_0)
* (1 + -1 * (Cos(u))^2)^(1 / 2)
+ -1 * omb_1 * v1 * Sin(om_1 * t2_0)
+ om_1 * omb_1 * x2 * Sin(om_1 * t2_0)
+ om_1 * v2 * Cos(u) * Sin(om_1 * t2_0)
+ -1
* om_1
* v2
* Cos(omb_1 * t2_0)
* Cos(u)
* Sin(om_1 * t2_0)
+ om_1
* v2
* Cos(om_1 * t2_0)
* Cos(u)
* Sin(omb_1 * t2_0)
+ om_1
* v2
* Cos(om_1 * t2_0)
* Cos(omb_1 * t2_0)
* Sin(u)
+ om_1
* v2
* Sin(om_1 * t2_0)
* Sin(omb_1 * t2_0)
* Sin(u)))
* Sin(om_3 * t5)
+ -1
* v2
* ( 1
+ -1
* (Cos(-1 * om_1 * t2_0 + omb_1 * t2_0 + u + Pi / 4))^2)
^(1 / 2)
* Sin(om_3 * t5)
+ v1 * (Sin(om_3 * t5))^2
+ -1
* v2
* Cos(-1 * om_1 * t2_0 + omb_1 * t2_0 + u + Pi / 4)
* (Sin(om_3 * t5))^2))
^2
>= (p)^2)
This is just one branch to prove.
Differential Invariants for Differential Equations
“Definition” (Differential Invariant)
“Formula that remains true in the direction of the dynamics”
Differential Induction: Local Dynamics w/o Solutions
Definition (Differential Invariant) (J.Log.Comput. 2010)
F closed under total differentiation with respect to differential constraints
[figure: regions F and ¬F with evolution domain χ; the dynamics never leaves F]
Differential induction for [·]:
  from χ → F′ infer (χ → F) → [x′ = θ & χ]F
Counterpart for ⟨·⟩:
  from ¬F ∧ χ → F′ infer [x′ = θ & ¬F]χ → ⟨x′ = θ & χ⟩F
Compare with loop induction:
  from F → [α]F infer F → [α*]F
Example (quantified nondeterminism/disturbance):
  d1 ≥ d2 → [x := a2 + 1; d1′ = −ω d2, d2′ = ω d1] d1 ≥ d2
Total differential F′ of formulas?
Equational Differential Invariants
Theorem (Lie)
  H → p′ = 0 implies ∀c (p = c → [x′ = f(x) & H] p = c), and the two are equivalent if H is open.
[figure: invariant equation p = 0 (region F versus ¬F) and invariant function p with level sets 0, 1, 2, 3]
Rule (invariant equation): from H → p′ = 0 infer (H → p = 0) → [x′ = θ & H] p = 0
Rule (invariant function): from H → p′ = 0 infer ∀c (p = c → [x′ = f(x) & H] p = c)
Corollary (Decidable invariant polynomials)
Decidable whether polynomial p is an invariant function of x′ = f(x) on open H
Lie Generates Invariants
Corollary (Decidable invariant polynomials)
Decidable whether polynomial p is an invariant function of x′ = f(x) on open H
Corollary (Invariant polynomials with ℝ ∩ ℚ̄ coefficients r.e.)
Invariant polynomial functions p ∈ (ℝ ∩ ℚ̄)[x] of x′ = f(x) on open H are r.e.
Proof (Direct Method).
1 for p := a2 x² + a1 x + a0
2 with a2 = 4, a1 = −1, a0 = 5; then a2 = 4, a1 = −1, a0 = 6; a2 = 4, a1 = −1, a0 = 7; a2 = 4, a1 = −2, a0 = 5; a2 = −4, a1 = 2, a0 = 8; . . .
3 prove ∀x (H → p′ = 0)
  Problem: enumerating all polynomials takes a while . . .
  Instead: ∃a ∀x (H → p′ = 0)
4 Still enumerate polynomial degrees . . .
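The step ∃a ∀x (H → p′ = 0) of the direct method, worked for the special case x′ = Ax with a quadratic ansatz p = xᵀPx: then p′ = xᵀ(AᵀP + PA)x, so p′ vanishes everywhere iff AᵀP + PA = 0, a homogeneous linear system in the entries of P. This is an added example, not code from the talk; H = true throughout, and the matrices ROTATE (the rotation x′ = y, y′ = −x), ROUNDABOUT (d1′ = −ω d2, d2′ = ω d1 with ω := 2) and DAMPED are constructed inputs.

```python
# Added example (not code from the talk): the direct method's step
# "exists a forall x (p' = 0)" for x' = A x with a quadratic ansatz p = x^T P x.
# Then p' = x^T (A^T P + P A) x, so p' == 0 for all x iff A^T P + P A = 0,
# a homogeneous linear system in the entries of P (H = true throughout).
from fractions import Fraction

def nullspace(rows, n):
    """Basis of {a : M a = 0} by exact Gauss-Jordan elimination over Fractions."""
    m, piv = [[Fraction(v) for v in r] for r in rows], []
    for c in range(n):
        i = next((i for i in range(len(piv), len(m)) if m[i][c] != 0), None)
        if i is None:
            continue                      # free column
        r = len(piv)
        m[r], m[i] = m[i], m[r]
        pv = m[r][c]
        m[r] = [a / pv for a in m[r]]
        for j in range(len(m)):
            if j != r and m[j][c] != 0:
                m[j] = [a - m[j][c] * b for a, b in zip(m[j], m[r])]
        piv.append(c)
    basis = []
    for f in (c for c in range(n) if c not in piv):
        vec = [Fraction(0)] * n
        vec[f] = Fraction(1)
        for r, pc in enumerate(piv):      # pivot variables in terms of the free one
            vec[pc] = -m[r][f]
        basis.append(vec)
    return basis

def quadratic_invariants(A):
    """Basis of all symmetric P with A^T P + P A = 0, i.e. of all quadratic
    forms x^T P x that are invariant functions of x' = A x.  The unknowns are
    the upper-triangle entries P[i][j], i <= j (P is symmetric)."""
    n = len(A)
    idx = [(i, j) for i in range(n) for j in range(i, n)]
    col = {ij: k for k, ij in enumerate(idx)}
    def entry(i, j):                      # P[i][j] as a vector over the unknowns
        v = [Fraction(0)] * len(idx)
        v[col[(min(i, j), max(i, j))]] = Fraction(1)
        return v
    rows = []
    for i in range(n):
        for j in range(i, n):   # (A^T P + P A)[i][j] = sum_k A[k][i] P[k][j] + P[i][k] A[k][j]
            row = [Fraction(0)] * len(idx)
            for k in range(n):
                row = [r + A[k][i] * p + A[k][j] * q
                       for r, p, q in zip(row, entry(k, j), entry(i, k))]
            rows.append(row)
    return [[[vec[col[(min(i, j), max(i, j))]] for j in range(n)] for i in range(n)]
            for vec in nullspace(rows, len(idx))]

def lie_quadratic(P, A, x):
    """p' = 2 (A x)^T P x evaluated at the point x: 0 at every point for an invariant P."""
    n = len(A)
    Ax = [sum(A[i][k] * x[k] for k in range(n)) for i in range(n)]
    Px = [sum(P[i][k] * x[k] for k in range(n)) for i in range(n)]
    return 2 * sum(Ax[i] * Px[i] for i in range(n))

# Constructed inputs: the rotation x' = y, y' = -x; the roundabout dynamics
# d1' = -w d2, d2' = w d1 with w := 2; and a damped oscillator x' = y, y' = -x - y.
ROTATE = [[0, 1], [-1, 0]]
ROUNDABOUT = [[0, -2], [2, 0]]
DAMPED = [[0, 1], [-1, -1]]
```

For ROTATE and ROUNDABOUT the only solution is the identity, i.e. p = x² + y² (resp. d1² + d2²) up to scaling; for DAMPED the system has only the trivial solution, so no quadratic form is an invariant function.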
Ex: Deconstructed Aircraft (I) Directly
[figure: aircraft with variables x, y, d, e, c]
Goal: x² + y² = 1 ∧ e = x → [x′ = −y, y′ = e, e′ = −y](x² + y² = 1 ∧ e = x)
Differential induction premise (total differential along the dynamics):
  −y ∂(x²+y²)/∂x + e ∂(x²+y²)/∂y = 0 ∧ −y ∂e/∂e = −y ∂x/∂x
  i.e. (−y) 2x + e 2y = 0 ∧ −y = −y
  i.e. −2xy + 2ey = 0: not valid
Not Provable? Wait! It’s true. Why not proved?
Not a single equation.
The Structure of Differential Invariants
Theorem (Closure properties of differential invariants) (LMCS 2012)
Closed under conjunction, differentiation, and propositional equivalences.
Theorem (Differential Invariance Chart) (LMCS 2012)
[chart relating the classes DI=, DI=,∧,∨, DI>, DI>,∧,∨, DI≥, DI≥,∧,∨, DI≥,=,∧,∨, DI>,=,∧,∨ and DI]
Page 72
Ex: Deconstructed Aircraft (II) Atomic
not valid
2(x2 + y 2 − 1)(−2yx + 2ey) = 0
2(x2 + y 2 − 1)(−y2x + e2y) + 2(e − x)(−y − (−y)) = 0
(−y ∂∂x + e ∂
∂y − y ∂∂e )((x2 + y 2 − 1)2 + (e − x)2
)= 0
. . . →[x ′ = −y , y ′ = e, e ′ = −y ](x2 + y 2 − 1)2 + (e − x)2 = 0
Reduce to single equation, try again
Could Prove?
If only we could assume invariant Fduring its proof . . .
Andre Platzer (CMU) Differential Dynamic Logic and Differential Invariants ITP’12 19 / 42
Page 73
Ex: Deconstructed Aircraft (II) Atomic
not valid
2(x2 + y 2 − 1)(−2yx + 2ey) = 0
2(x2 + y 2 − 1)(−y2x + e2y) + 2(e − x)(−y − (−y)) = 0
(−y ∂∂x + e ∂
∂y − y ∂∂e )((x2 + y 2 − 1)2 + (e − x)2
)= 0
. . . →[x ′ = −y , y ′ = e, e ′ = −y ](x2 + y 2 − 1)2 + (e − x)2 = 0
Reduce to single equation, try again
Could Prove?
If only we could assume invariant Fduring its proof . . .
Andre Platzer (CMU) Differential Dynamic Logic and Differential Invariants ITP’12 19 / 42
Ex: Deconstructed Aircraft (II) Atomic

Reduce to a single equation, try again (proof tree, read bottom-up; the top premise is not valid):

not valid
\[ 2(x^2 + y^2 - 1)(-2yx + 2ey) = 0 \]
\[ 2(x^2 + y^2 - 1)(-y\,2x + e\,2y) + 2(e - x)(-y - (-y)) = 0 \]
\[ \Big(-y\frac{\partial}{\partial x} + e\frac{\partial}{\partial y} - y\frac{\partial}{\partial e}\Big)\big((x^2 + y^2 - 1)^2 + (e - x)^2\big) = 0 \]
\[ \ldots \to [x' = -y,\, y' = e,\, e' = -y]\,(x^2 + y^2 - 1)^2 + (e - x)^2 = 0 \]

Not Provable?
Wait! It's true. Why not proved?
Could Prove?
If only we could assume invariant F during its proof ...
Assuming Differential Invariance

(Figure: regions F and ¬F)

Rule DI, and the restricted variant that assumes F while proving F′:
\[ \frac{H \to F'}{(H \to F) \to [x' = \theta \,\&\, H]\,F} \]
\[ \frac{F \wedge H \to F'}{(H \to F) \to [x' = \theta \,\&\, H]\,F} \]

Example (Restrictions are unsound!)
\[ x^2 - 6x + 9 = 0 \to y\,2x - 6y = 0 \]
\[ x^2 - 6x + 9 = 0 \to y\,\frac{\partial(x^2 - 6x + 9)}{\partial x} - x\,\frac{\partial(x^2 - 6x + 9)}{\partial y} = 0 \]
\[ x^2 - 6x + 9 = 0 \to [x' = y,\, y' = -x]\, x^2 - 6x + 9 = 0 \]
(Figure: trajectory in the x, y plane)
Assuming Differential Invariance

Example (Restrictions are unsound!)
\[ \frac{x^2 \le 0 \to 2x \cdot 1 \le 0}{x^2 \le 0 \to [x' = 1]\, x^2 \le 0} \]
(Figure: solution $x = x_0 + t$ of $x' = 1$ over time $t$)
Ex: Deconstructed Aircraft (III) Differential Cut

Branch for $x^2 + y^2 = 1$ inside the cut $e = x$ (read bottom-up, closed at ∗):
∗
\[ e = x \to -2yx + 2xy = 0 \]
\[ e = x \to (-y)\,2x + e\,2y = 0 \]
\[ e = x \to -y\,\frac{\partial(x^2+y^2)}{\partial x} + e\,\frac{\partial(x^2+y^2)}{\partial y} = 0 \]
\[ \ldots \to [x' = -y,\, y' = e,\, e' = -y \,\&\, e = x]\,(x^2 + y^2 = 1 \wedge e = x) \]

Branch for the cut $e = x$ itself:
∗
\[ -y = -y \]
\[ -y\,\frac{\partial e}{\partial e} = -y\,\frac{\partial x}{\partial x} \]
\[ e = x \to [x' = -y,\, y' = e,\, e' = -y]\, e = x \]

Conclusion:
\[ x^2 + y^2 = 1 \wedge e = x \to [x' = -y,\, y' = e,\, e' = -y]\,(x^2 + y^2 = 1 \wedge e = x) \]

Successful Proof
Lie & differential cuts separate aircraft
Ex: Deconstructed Aircraft (IV) Smart

∗
\[ -y\,2e + e\,2y = 0 \;\wedge\; -y = -y \]
\[ -y\,\frac{\partial(e^2+y^2)}{\partial e} + e\,\frac{\partial(e^2+y^2)}{\partial y} = 0 \;\wedge\; -y\,\frac{\partial e}{\partial e} = -y\,\frac{\partial x}{\partial x} \]
\[ e^2 + y^2 = 1 \wedge e = x \to [x' = -y,\, y' = e,\, e' = -y]\,(e^2 + y^2 = 1 \wedge e = x) \]

Direct Proof
Smart invariant also separates aircraft?!
Differential Cuts

Differential cut rule (DC):
\[ \frac{\varphi \to [x' = \theta \,\&\, H]\,C \qquad \varphi \to [x' = \theta \,\&\, (H \wedge C)]\,\varphi}{\varphi \to [x' = \theta \,\&\, H]\,\varphi} \]

Theorem (Gentzen's Cut Elimination)
\[ \frac{A \to B \vee C \qquad A \wedge C \to B}{A \to B} \qquad \text{cut can be eliminated} \]

Theorem (No Differential Cut Elimination) (LMCS 2012)
Deductive power with differential cut exceeds deductive power without: DCI > DI.
Ex: Differential Cuts

Branch for $x^3 \ge -1$ inside the cut $y^5 \ge 0$ (read bottom-up, closed at ∗):
∗
\[ y^5 \ge 0 \to 2x^2\big((x - 3)^4 + y^5\big) \ge 0 \]
\[ y^5 \ge 0 \to 2x^2 x' \ge 0 \]
\[ x^3 \ge -1 \to [x' = (x - 3)^4 + y^5,\, y' = y^2 \,\&\, y^5 \ge 0]\, x^3 \ge -1 \]

Branch for the cut $y^5 \ge 0$ itself:
∗
\[ 5y^4 y^2 \ge 0 \]
\[ 5y^4 y' \ge 0 \]
\[ y^5 \ge 0 \to [x' = (x - 3)^4 + y^5,\, y' = y^2]\, y^5 \ge 0 \]

Conclusion:
\[ x^3 \ge -1 \wedge y^5 \ge 0 \to [x' = (x - 3)^4 + y^5,\, y' = y^2]\, x^3 \ge -1 \]
Ex: Exponentials

Counterexample (Cannot prove)
not valid
\[ -x > 0 \]
\[ x' > 0 \]
\[ x > 0 \to [x' = -x]\, x > 0 \]
(Figure: solution $x = x_0 e^{-t}$ of $x' = -x$ over time $t$)
Differential Auxiliaries

Example (Successful proof)
∗
\[ x > 0 \leftrightarrow \exists y\; x y^2 = 1 \]
∗
\[ -x y^2 + 2xy\,\tfrac{y}{2} = 0 \]
\[ x' y^2 + x\,2y\,y' = 0 \]
\[ x y^2 = 1 \to [x' = -x,\, y' = \tfrac{y}{2}]\, x y^2 = 1 \]
\[ x > 0 \to [x' = -x]\, x > 0 \]
(Figure: solution $x = x_0 e^{-t}$ of $x' = -x$ over time $t$, with the auxiliary $y' = \tfrac{y}{2}$)
Differential Auxiliaries

\[ \frac{\varphi \leftrightarrow \exists y\,\psi \qquad \psi \to [x' = \theta,\, y' = \vartheta \,\&\, H]\,\psi}{\varphi \to [x' = \theta \,\&\, H]\,\varphi} \qquad \text{if } y' = \vartheta \text{ has a solution } y : [0,\infty) \to \mathbb{R}^n \]

Theorem (Auxiliary Differential Variables) (LMCS 2012)
Deductive power with differential auxiliaries exceeds deductive power without: DCI + DA > DCI.
Equational Differential Invariants

Theorem (Lie)
\[ \frac{H \to p' = 0}{\forall c\,\big(p = c \to [x' = f(x) \,\&\, H]\, p = c\big)} \qquad \text{equivalence if } H \text{ open} \]
(Figure: an invariant equation separates F from ¬F; an invariant function keeps every level set 0, 1, 2, 3)

Equational differential invariant rule $DI_=$:
\[ \frac{H \to p' = 0}{(H \to p = 0) \to [x' = \theta \,\&\, H]\, p = 0} \]

Corollary (Decidable invariant polynomials)
Decidable whether polynomial $p$ is an invariant function of $x' = f(x)$ on open $H$.
Structure of Invariant Functions

Lemma (Structure of invariant functions)
Invariant functions of $x' = \theta \,\&\, H$ form an $\mathbb{R}$-algebra.

Corollary
Only need a generating system of the algebra:
$p$ invariant, $F$ function $\Rightarrow$ $F(p)$ invariant
Structure of Invariant Equations

\[ I_=(\Gamma) := \{ p \in \mathbb{R}[\vec{x}] : \vDash \Gamma \to [x' = \theta \,\&\, H]\, p = 0 \} \]
\[ DCI_=(\Gamma) := \{ p \in \mathbb{R}[\vec{x}] : \vdash_{DI_= + DC} \Gamma \to [x' = \theta \,\&\, H]\, p = 0 \} \]

Lemma (Structure of invariant equations)
$DCI_=(\Gamma) \subseteq I_=(\Gamma)$ is a chain of differential ideals ($(\theta\cdot\nabla)p \in DCI_=(\Gamma)$ for all $p \in DCI_=(\Gamma)$). The varieties are generated by a single polynomial.

Proof.
1. $p \in DCI_=(\Gamma)$ and $r \in \mathbb{R}[\vec{x}]$ implies $rp \in DCI_=(\Gamma)$, because
\[ (\theta\cdot\nabla)(rp) = p\,(\theta\cdot\nabla)r + r\,\underbrace{(\theta\cdot\nabla)p}_{0} = \underbrace{p}_{0}\,(\theta\cdot\nabla)r = 0 \]
and $\Gamma \to p = 0$ implies $\Gamma \to rp = 0$.
2. $p = 0 \wedge q = 0$ iff $p^2 + q^2 = 0$, differential, Hilbert basis theorem ...
Full Rank Assumptions

Theorem (. . . — sufficient) $(\overrightarrow{DI}\,p)$
\[ \frac{H \to \bigwedge_{i=1}^{n} (\theta\cdot\nabla)p_i = \sum_j Q_{i,j}\, p_j}{\bigwedge_{i=1}^{n} p_i = 0 \to [x' = f(x) \,\&\, H]\, \bigwedge_{i=1}^{n} p_i = 0} \]

Theorem (Lie — necessary) $(\overleftarrow{DI}\,p)$
\[ \frac{\bigwedge_{i=1}^{n} p_i = 0 \to [x' = f(x) \,\&\, H]\, \bigwedge_{i=1}^{n} p_i = 0}{H \wedge \bigwedge_{i=1}^{n} p_i = 0 \to \bigwedge_{i=1}^{n} (\theta\cdot\nabla)p_i = 0} \]

Premises and conclusions are equivalent if $\operatorname{rank}\Big(\frac{\partial p_i}{\partial x_j}\Big) = n$ on $H \wedge \bigwedge_{i=1}^{n} p_i = 0$.
Ex: Deconstructed Aircraft (III) Differential Cut

Jacobian of the invariant polynomials $x^2 + y^2 - 1$ and $e - x$ with respect to $(x, y, e)$:
\[ \begin{pmatrix} \frac{\partial(x^2+y^2-1)}{\partial x} & \frac{\partial(x^2+y^2-1)}{\partial y} & \frac{\partial(x^2+y^2-1)}{\partial e} \\[2pt] \frac{\partial(e-x)}{\partial x} & \frac{\partial(e-x)}{\partial y} & \frac{\partial(e-x)}{\partial e} \end{pmatrix} = \begin{pmatrix} 2x & 2y & 0 \\ -1 & 0 & 1 \end{pmatrix} \]
Full rank 2 at invariant $x^2 + y^2 = 1$.
Inverse Characteristic Method

Theorem (Inverse characteristic method)
(Sufficiently smooth) $f$ is an invariant function of $x' = f(x)$ on $H$ iff $f$ solves the PDE
\[ (\theta\cdot\nabla) f = 0 \quad \text{on } H \]
Proof. $\Leftarrow$: Lie.

If the ODE is too complicated, consider a PDE instead???
Yes, but the inverse characteristic PDE is simple (first-order, linear, homogeneous).
Makes the rich PDE theory available for differential invariants.
An oracle PDE solver is sufficient.
Ex: Deconstructed Aircraft (IV)

Example (Generate Differential Invariants)
\[ x^2 + y^2 = 1 \wedge e = x \to [x' = -y,\, y' = e,\, e' = -y]\,\big(\underbrace{x^2 + y^2 = 1}_{(3)} \wedge \underbrace{e = x}_{(4)}\big) \]
Rewriting the invariant functions (1), (2) with the assumptions (3), (4):
\[ (1)\quad -e + x \;\xrightarrow{(4)}\; 0 \]
\[ (2)\quad -y^2 - 2ex + x^2 \;\xrightarrow{(3)}\; -2ex + 2x^2 - 1 \;\xrightarrow{(4)}\; -2e^2 + 2e^2 - 1 = -1 \]
⇝ Differential invariants: $-e + x = 0$, $-y^2 - 2ex + x^2 = -1$

Example (Inverse Characteristic PDE)
\[ \leadsto\; -y\,\frac{\partial f}{\partial x} + e\,\frac{\partial f}{\partial y} - y\,\frac{\partial f}{\partial e} = 0 \]
\[ \leadsto\; f(x, y, e) = g\Big(\underbrace{x - e}_{(1)},\; \underbrace{\tfrac{1}{2}\big(x^2 - 2ex - y^2\big)}_{(2)}\Big) \]
Page 155
Ex: Aircraft
Example (Generate Differential Invariants)
F ∧ ω 6= 0→[x ′1 = d1, x′2 = d2, d
′1 = −ωd2, d
′2 = ωd1]F
F ≡ d21 + d2
2 = ω2p2 (4) ∧ d1 = −ωx2 (5) ∧ d2 = ωx1 (6)
d2 − ωx1(5); 0
d1 + ωx2(6); 0
d21 + 2ωx1d2 − ω2x2
1(6); d2
1 + 2d22 − ω2x2
1(5); d2
1 + 2d22 − d2
2(4); ω2p2
Example (Inverse Characteristic PDE)
; d1∂f
∂x1+ d2
∂f
∂x2− ωd2
∂f
∂d1+ ωd1
∂f
∂d2= 0
; f (x1, x2, d1, d2) = g(
d2 − ωx1︸ ︷︷ ︸(1)
,d1 + ωx2
ω︸ ︷︷ ︸(2)
,1
2(d2
1 + 2ωd2x1 − ω2x21︸ ︷︷ ︸
(3)
))
Andre Platzer (CMU) Differential Dynamic Logic and Differential Invariants ITP’12 38 / 42
Page 156
Ex: Aircraft
Example (Generate Differential Invariants)
F ∧ ω 6= 0→[x ′1 = d1, x′2 = d2, d
′1 = −ωd2, d
′2 = ωd1]F
F ≡ d21 + d2
2 = ω2p2 (4) ∧ d1 = −ωx2 (5) ∧ d2 = ωx1 (6)
d2 − ωx1(5); 0
d1 + ωx2(6); 0
d21 + 2ωx1d2 − ω2x2
1(6); d2
1 + 2d22 − ω2x2
1(5); d2
1 + 2d22 − d2
2(4); ω2p2
Example (Inverse Characteristic PDE)
; d1∂f
∂x1+ d2
∂f
∂x2− ωd2
∂f
∂d1+ ωd1
∂f
∂d2= 0
; f (x1, x2, d1, d2) = g(
d2 − ωx1︸ ︷︷ ︸(1)
,d1 + ωx2
ω︸ ︷︷ ︸(2)
,1
2(d2
1 + 2ωd2x1 − ω2x21︸ ︷︷ ︸
(3)
))
Andre Platzer (CMU) Differential Dynamic Logic and Differential Invariants ITP’12 38 / 42
Page 158
[Figure: KeYmaera prover architecture. An input file feeds a rule engine driven by a strategy and a rulebase and produces a proof; the prover calls the external solvers Mathematica, QEPCAD and Orbital. Proof search: for ∪, ;, := do decompose; for x' = ... do diffsat; for α* do loopsat; repeat until fixedpoint. Rule schemata shown: F / ¬F, [α]φ, 〈α〉φ, ψ → [α]φ; search branching 1, 2, 4, 8, 16.]
Andre Platzer (CMU) Differential Dynamic Logic and Differential Invariants ITP’12 39 / 42
Page 159
Successful Hybrid Systems Proofs
[Figure: case studies proved in KeYmaera. A hybrid-program graph of a braking controller (variables z, v, a, m, SB, state) with the following statements:
SB := ((amax / b + 1) * ep * v + (v ^ 2 - d ^ 2) / (2 * b) + ((amax / b + 1) * amax * ep ^ 2) / 2
?d >= 0 & do ^ 2 - d ^ 2 <= 2 * b * (m - mo) & vdes >= 0
vdes := *;  d := *;  m := *;  mo := m;  do := d
state := brake
?v <= vdes   /   ?v >= vdes
{z' = v, v' = a, t' = 1, v >= 0 & t <= ep}
a := -b
a := *; ?a >= 0 & a <= amax
a := *; ?a <= 0 & a >= -b
t := 0
*[?m - z <= SB | state = brake]   [?m - z >= SB & state != brake]
Further panels show the aircraft roundabout maneuver (entry/exit, variables x1, x2, y1, y2, d, ω, e, ϑ) and other geometric case studies.]
Andre Platzer (CMU) Differential Dynamic Logic and Differential Invariants ITP’12 40 / 42
Page 162
Differential Dynamic Logic and Differential Invariants
[Figure: differential dynamic logic spans discrete, continuous and stochastic dynamics; dL = DL + HP, with modality [α]φ over hybrid program α.]
Logic for hybrid systems++
Sound & complete / ODE
Differential invariants
No differential cut elimination
Differential auxiliaries
Algebra / differential ideal
Inverse characteristic PDE
KeYmaera
Andre Platzer (CMU) Differential Dynamic Logic and Differential Invariants ITP’12 41 / 42
Page 163
Logical Foundations of Cyber-Physical Systems
[Figure: concept map]
Logic: Model Checking, Theorem Proving, Proof Theory
Algebra: Computer Algebra, Algebraic Geometry, Differential Algebra
Analysis: Differential Equations, Dynamical Systems, Differentiation
Stochastics: Stochastic Differential Equations, Dynkin Generator, Supermartingales
Numerics: Numerical Integration, Polynomial Interpolation, Weierstraß Approximation
Algorithms: Decision Procedures, Proof Search, Fixedpoint Loops
Andre Platzer (CMU) Differential Dynamic Logic and Differential Invariants ITP’12 42 / 42