How to model and prove hybrid systems with KeYmaera: a tutorial on safety

This paper is a tutorial on how to model hybrid systems as hybrid programs in differential dynamic logic and how to prove complex properties about them in KeYmaera, an automatic and interactive formal verification tool for hybrid systems. Hybrid systems can model highly nontrivial controllers of physical plants whose behavior is often safety-critical, such as trains, cars, airplanes, or medical devices. Formal methods can help design systems that work correctly. This paper illustrates how KeYmaera can be used to systematically model, validate, and verify hybrid systems. We develop tutorial examples that illustrate challenges arising in many real-world systems. In the context of this tutorial, we identify the impact that modeling decisions have on the suitability of a model for verification. We show how the interactive features of KeYmaera can help users understand their system designs better and prove complex properties for which the automatic prover of KeYmaera would still take an impractical amount of time. We hope this paper is a helpful resource for designers of embedded and cyber-physical systems and that it illustrates how to master common practical challenges in hybrid systems verification.
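As an added illustration of what "a hybrid program in differential dynamic logic with a safety property" looks like, here is a small model of the kind the abstract refers to. It is not one of the paper's own tutorial examples; the names x (position), v (velocity), a (acceleration), m (obstacle position), A (maximum acceleration), b (braking force), and ε (maximum controller cycle time) are my notation, and the loop invariant and the controller guard are the standard choices for this model, worked out here rather than taken from the page.

```latex
\text{Preconditions: } \quad A \ge 0 \;\wedge\; b > 0 \;\wedge\; \varepsilon > 0 \;\wedge\; v \ge 0 \;\wedge\; x + \tfrac{v^2}{2b} \le m

\text{Hybrid program (discrete controller, then continuous plant for at most } \varepsilon \text{ time, repeated):}
\alpha \;\equiv\; \Big( \big( ?\,\big(x + \tfrac{v^2}{2b} + (\tfrac{A}{b}+1)(\tfrac{A}{2}\varepsilon^2 + \varepsilon v) \le m\big);\; a := A \;\;\cup\;\; a := -b \big);\;
   t := 0;\; \{x' = v,\; v' = a,\; t' = 1 \;\&\; v \ge 0 \wedge t \le \varepsilon\} \Big)^*

\text{Safety property to prove in dL:} \quad
A \ge 0 \wedge b > 0 \wedge \varepsilon > 0 \wedge v \ge 0 \wedge x + \tfrac{v^2}{2b} \le m \;\rightarrow\; [\alpha]\; x \le m

\text{Loop invariant:} \quad J \;\equiv\; v \ge 0 \;\wedge\; x + \tfrac{v^2}{2b} \le m

\text{Braking branch } (a = -b): \quad
\tfrac{d}{dt}\Big(x + \tfrac{v^2}{2b}\Big) = v + \tfrac{v\,a}{b} = v - v = 0,
\text{ so } x + \tfrac{v^2}{2b} \text{ is a differential invariant and } J \text{ is preserved.}

\text{Accelerating branch } (a = A,\; t \le \varepsilon): \quad
\tfrac{d}{dt}\Big(x + \tfrac{v^2}{2b}\Big) = v + \tfrac{v A}{b} \ge 0 \text{ for } v \ge 0,
\text{ so the worst case is at } t = \varepsilon:
\Big(x + v\varepsilon + \tfrac{A}{2}\varepsilon^2\Big) + \tfrac{(v + A\varepsilon)^2}{2b}
 \;=\; x + \tfrac{v^2}{2b} + \Big(\tfrac{A}{b}+1\Big)\Big(\tfrac{A}{2}\varepsilon^2 + \varepsilon v\Big) \;\le\; m
\quad \text{by the controller guard.}

\text{Postcondition:} \quad J \rightarrow x \le m \quad \text{since } \tfrac{v^2}{2b} \ge 0.
```

The proof shape is the one the tutorial's interactive features are meant to support: a loop invariant J for the `*` loop, a differential invariant for the braking branch, and either the explicit polynomial solution or a differential invariant for the accelerating branch, with the remaining real-arithmetic side conditions discharged by quantifier elimination. The guard term (A/b+1)(Aε²/2+εv) is exactly the slack a controller needs because it can only react every ε time units; dropping it yields a model that KeYmaera will refuse to prove, which is the kind of modeling decision the abstract says affects whether a model is verifiable at all.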
