How to model and prove hybrid systems with KeYmaera: a tutorial on safety

Regular Paper

Abstract

This paper is a tutorial on how to model hybrid systems as hybrid programs in differential dynamic logic and how to prove complex properties about these complex hybrid systems in KeYmaera, an automatic and interactive formal verification tool for hybrid systems. Hybrid systems can model highly nontrivial controllers of physical plants, whose behaviors are often safety critical such as trains, cars, airplanes, or medical devices. Formal methods can help design systems that work correctly. This paper illustrates how KeYmaera can be used to systematically model, validate, and verify hybrid systems. We develop tutorial examples that illustrate challenges arising in many real-world systems. In the context of this tutorial, we identify the impact that modeling decisions have on the suitability of the model for verification purposes. We show how the interactive features of KeYmaera can help users understand their system designs better and prove complex properties for which the automatic prover of KeYmaera still takes an impractical amount of time. We hope this paper is a helpful resource for designers of embedded and cyber–physical systems and that it illustrates how to master common practical challenges in hybrid systems verification.

Keywords

KeYmaera tutorial Formal verification of hybrid systems Differential dynamic logic Automated theorem proving Introduction to hybrid system modeling and verification 

References

  1. 1.
    Alur, R., Courcoubetis, C., Henzinger, T.A., Ho, P.H.: Hybrid automata: an algorithmic approach to the specification and verification of hybrid systems. In: Grossman, R.L., Nerode, A., Ravn, A.P., Rischel, H. (eds.) Hybrid Systems. LNCS, vol. 736, pp. 209–229. Springer (1992)Google Scholar
  2. 2.
    Alur, R.: Formal verification of hybrid systems. In: Chakraborty, S., Jerraya, A., Baruah, S.K., Fischmeister, S. (eds.) EMSOFT. ACM, pp. 273–278. IEEE (2011)Google Scholar
  3. 3.
    Alur, R., Courcoubetis, C., Halbwachs, N., Henzinger, T.A., Ho, P.H., Nicollin, X., Olivero, A., Sifakis, J., Yovine, S.: The algorithmic analysis of hybrid systems. Theor. Comput. Sci. 138(1), 3–34 (1995)CrossRefMATHGoogle Scholar
  4. 4.
    Alur, R., La Torre, S., Pappas, G.J.: Optimal paths in weighted timed automata. Theor. Comput. Sci. 318(3), 297–322 (2004)CrossRefMATHGoogle Scholar
  5. 5.
    Aréchiga, N., Loos, S.M., Platzer, A., Krogh, B.H.: Using theorem provers to guarantee closed-loop system properties. In: Tilbury, D. (ed.) ACC. pp. 3573–3580 (2012)Google Scholar
  6. 6.
    Asarin, E., Dang, T., Maler, O.: The d/dt tool for verification of hybrid systems. In: Brinksma, E., Larsen, K.G. (eds.) CAV. LNCS, vol. 2404, pp. 365–370. Springer (2002)Google Scholar
  7. 7.
    Beckert, B., Hähnle, R., Schmitt, P.H. (eds.): Verification of Object-Oriented Software: The KeY Approach, LNCS, vol. 4334. Springer, Heidelberg (2007)Google Scholar
  8. 8.
    Behrmann, G., Fehnker, A., Hune, T., Larsen, K.G., Pettersson, P., Romijn, J., Vaandrager, F.W.: Minimum-cost reachability for priced timed automata. In: Benedetto, M.D.D., Sangiovanni-Vincentelli, A.L. (eds.) HSCC. LNCS, vol. 2034, pp. 147–161. Springer, (2001)Google Scholar
  9. 9.
    Behrmann, G., Fehnker, A.: Efficient guiding towards cost-optimality in UPPAAL. In: Margaria, T., Yi, W. (eds.) TACAS. LNCS, vol. 2031, pp. 174–188. Springer, Heidelberg (2001)Google Scholar
  10. 10.
    Brown, C.W.: QEPCAD B: A program for computing with semi-algebraic sets using CADs. SIGSAM Bull. 37(4), 97–108 (2003)CrossRefMATHGoogle Scholar
  11. 11.
    Chen, X., Ábrahám, E., Sankaranarayanan, S.: Flow*: An analyzer for non-linear hybrid systems. In: Sharygina, N., Veith, H. (eds.) CAV. LNCS, vol. 8044, pp. 258–263. Springer (2013)Google Scholar
  12. 12.
    Chen, C.T.: Linear System Theory and Design, 3rd edn. Oxford University Press, Oxford (1999)Google Scholar
  13. 13.
    Clarke Jr, E.M., Grumberg, O., Peled, D.A.: Model Checking. MIT Press, Cambridge (1999)Google Scholar
  14. 14.
    Damm, W., Dierks, H., Disch, S., Hagemann, W., Pigorsch, F., Scholl, C., Waldmann, U., Wirtz, B.: Exact and fully symbolic verification of linear hybrid automata with large discrete state spaces. Sci. Comput. Program. 77(10–11), 1122–1150 (2012)CrossRefMATHGoogle Scholar
  15. 15.
    Davenport, J.H., Heintz, J.: Real quantifier elimination is doubly exponential. J. Symb. Comput. 5(1/2), 29–35 (1988)CrossRefMathSciNetMATHGoogle Scholar
  16. 16.
    Davoren, J.M., Nerode, A.: Logics for hybrid systems. IEEE 88(7), 985–1010 (2000)CrossRefGoogle Scholar
  17. 17.
    de Moura, L.M., Bjørner, N.: Z3: An efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS. LNCS, vol. 4963, pp. 337–340. Springer (2008)Google Scholar
  18. 18.
    Deshpande, A., Göllü, A., Varaiya, P.: SHIFT: A formalism and a programming language for dynamic networks of hybrid automata. In: Antsaklis, P.J., Kohn, W., Nerode, A., Sastry, S. (eds.) Hybrid Systems. LNCS, vol. 1273, pp. 113–133. Springer, Heidelberg (1996)Google Scholar
  19. 19.
    Dolzmann, A., Sturm, T.: Redlog: computer algebra meets computer logic. ACM SIGSAM Bull. 31, 2–9 (1997)CrossRefGoogle Scholar
  20. 20.
    Eggers, A., Ramdani, N., Nedialkov, N., Fränzle, M.: Improving SAT modulo ODE for hybrid systems analysis by combining different enclosure methods. In: Barthe, G., Pardo, A., Schneider, G. (eds.) SEFM. LNCS, vol. 7041, pp. 172–187. Springer, Heidelberg (2011)Google Scholar
  21. 21.
    Fränzle, M., Herde, C., Teige, T., Ratschan, S., Schubert, T.: Efficient solving of large non-linear arithmetic constraint systems with complex boolean structure. JSAT 1(3–4), 209–236 (2007)Google Scholar
  22. 22.
    Frehse, G., Guernic, C.L., Donzé, A., Cotton, S., Ray, R., Lebeltel, O., Ripado, R., Girard, A., Dang, T., Maler, O.: SpaceEx: Scalable verification of hybrid systems. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV. LNCS, vol. 6806, pp. 379–395. Springer (2011)Google Scholar
  23. 23.
    Frehse, G.: PHAVer: algorithmic verification of hybrid systems past HyTech. In: Hybrid systems: computation and control. pp 263–294. Springer, Heidelberg (2008)Google Scholar
  24. 24.
    Ghorbal, K., Platzer, A.: Characterizing algebraic invariants by differential radical invariants. In: Ábrahám, E., Havelund, K. (eds.) TACAS. LNCS, vol. 8413, pp. 279–294. Springer, Heidelberg (2014)Google Scholar
  25. 25.
    Harel, D., Kozen, D., Tiuryn, J.: Dynamic Logic. MIT Press, Cambridge (2000)MATHGoogle Scholar
  26. 26.
    Henzinger, T.A.: The theory of hybrid automata. In: LICS. IEEE Computer Society pp. 278–292 (1996)Google Scholar
  27. 27.
    Henzinger, T.A., Ho, P.H., Wong-Toi, H.: HyTech: a model checker for hybrid systems. STTT 1(1–2), 110–122 (1997)CrossRefMATHGoogle Scholar
  28. 28.
    Ioannu, P., Xu, Z., Eckert, S., Clemons, D., Sieja, T.: Intelligent cruise control: theory and experiment. In: CDC. pp. 1885–1890 (1993)Google Scholar
  29. 29.
    Jeannin, J.B., Ghorbal, K., Kouskoulas, Y., Gardner, R., Schmidt, A., Platzer, E.Z.A.: A formally verified hybrid system for the next-generation airborne collision avoidance system. In: Baier, C., Tinelli, C. (eds.) TACAS. LNCS. Springer, Heidelberg (2015)Google Scholar
  30. 30.
    Jeannin, J.B., Platzer, A.: dTL\(^2\): Differential temporal dynamic logic with nested temporalities for hybrid systems. In: Demri, S., Kapur, D., Weidenbach, C. (eds.) IJCAR. LNCS, vol. 8562, pp. 292–306. Springer, Heidelberg (2014)Google Scholar
  31. 31.
    Khalil, H.K.: Nonlinear Systems, 3rd edn. Prentice Hall, Upper Saddle River (2001)Google Scholar
  32. 32.
    Kouskoulas, Y., Renshaw, D.W., Platzer, A., Kazanzides, P.: Certifying the safe design of a virtual fixture control algorithm for a surgical robot. In: Belta, C., Ivancic, F. (eds.) HSCC, pp. 263–272. ACM. New York, USA (2013)Google Scholar
  33. 33.
    Larsen, K.G., Pettersson, P., Yi, W.: UPPAAL in a nutshell. STTT 1(1+2), 134–152 (1997)CrossRefMATHGoogle Scholar
  34. 34.
    Loos, S.M., Platzer, A., Nistor, L.: Adaptive cruise control: Hybrid, distributed, and now formally verified. In: Butler, M., Schulte, W. (eds.) FM. LNCS, vol. 6664, pp. 42–56. Springer, Heidelberg (2011)Google Scholar
  35. 35.
    Loup, U., Scheibler, K., Corzilius, F., Ábrahám, E., Becker, B.: A symbiosis of interval constraint propagation and cylindrical algebraic decomposition. In: Bonacina, M.P. (ed.) CADE. LNCS, vol. 7898, pp. 193–207. Springer, Heidelberg (2013)Google Scholar
  36. 36.
    Mitsch, S., Ghorbal, K., Platzer, A.: On provably safe obstacle avoidance for autonomous robotic ground vehicles. In: Newman, P., Fox, D., Hsu, D. (eds.) Robotics: Science and Systems (2013)Google Scholar
  37. 37.
    Mitsch, S., Loos, S.M., Platzer, A.: Towards formal verification of freeway traffic control. In: Lu, C. (ed.) ICCPS. pp. 171–180. IEEE (2012)Google Scholar
  38. 38.
    Mitsch, S., Platzer, A.: Modelplex: Verified runtime validation of verified cyber-physical system models. In: Bonakdarpour, B., Smolka, S.A. (eds.) RV. LNCS, vol. 8734, pp. 199–214. Springer, Heidelberg (2014)Google Scholar
  39. 39.
    Mitsch, S., Quesel, J.D., Platzer, A.: From safety to guilty and from liveness to niceness. In: 5th Workshop on Formal Methods for Robotics and Automation (2014)Google Scholar
  40. 40.
    Mitsch, S., Quesel, J.D., Platzer, A.: Refactoring, refinement, and reasoning - a logical characterization for hybrid systems. In: Jones, C.B., Pihlajasaari, P., Sun, J. (eds.) FM. LNCS, vol. 8442, pp. 481–496. Springer, Heidelberg (2014)Google Scholar
  41. 41.
    Olderog, E.R., Dierks, H.: Real-Time Systems: Formal Specification and Automatic Verification. Cambridge University Press, Cambridge (2008)CrossRefGoogle Scholar
  42. 42.
    Online KeYmaera tutorial videos. http://video.symbolaris.com
  43. 43.
    Plaku, E., Kavraki, L.E., Vardi, M.Y.: Hybrid systems: from verification to falsification by combining motion planning and discrete search. Form. Methods Syst. Des. 34(2), 157–182 (2009)Google Scholar
  44. 44.
    Platzer, A., Clarke, E.M.: Formal verification of curved flight collision avoidance maneuvers: A case study. In: Cavalcanti, A., Dams, D. (eds.) FM. LNCS, vol. 5850, pp. 547–562. Springer, Heidelberg (2009)Google Scholar
  45. 45.
    Platzer, A., Quesel, J.D.: European Train Control System: A case study in formal verification. In: Breitman, K., Cavalcanti, A. (eds.) ICFEM. LNCS, vol. 5885, pp. 246–265. Springer (2009)Google Scholar
  46. 46.
    Platzer, A., Quesel, J.D.: KeYmaera: A hybrid theorem prover for hybrid systems. In: Armando, A., Baumgartner, P., Dowek, G. (eds.) IJCAR. LNCS, vol. 5195, pp. 171–178. Springer (2008)Google Scholar
  47. 47.
    Platzer, A.: Differential dynamic logic for verifying parametric hybrid systems. In: Olivetti, N. (ed.) TABLEAUX. LNCS, vol. 4548, pp. 216–232. Springer (2007)Google Scholar
  48. 48.
    Platzer, A.: Foundations of cyber-physical systems. Lecture Notes CMU, Carnegie Mellon University. Pittsburgh, PA, USA (2014). http://symbolaris.com/course/fcps14/fcps14.pdf
  49. 49.
    Platzer, A.: Logics of dynamical systems. In: LICS. pp. 13–24. IEEE (2012)Google Scholar
  50. 50.
    Platzer, A.: Quantified differential dynamic logic for distributed hybrid systems. In: Dawar, A., Veith, H. (eds.) CSL. LNCS, vol. 6247, pp. 469–483. Springer (2010)Google Scholar
  51. 51.
    Platzer, A.: The complete proof theory of hybrid systems. In: LICS. pp. 541–550. IEEE (2012)Google Scholar
  52. 52.
    Platzer, A.: Differential dynamic logic for hybrid systems. J. Autom. Reas. 41(2), 143–189 (2008)CrossRefMathSciNetMATHGoogle Scholar
  53. 53.
    Platzer, A., Clarke, E.M.: Computing differential invariants of hybrid systems as fixedpoints. Form. Methods Syst. Des. 35(1), 98–120 (2009)CrossRefMATHGoogle Scholar
  54. 54.
    Platzer, A.: Differential-algebraic dynamic logic for differential-algebraic programs. J. Log. Comput. 20(1), 309–352 (2010)CrossRefMathSciNetMATHGoogle Scholar
  55. 55.
    Platzer, A.: Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  56. 56.
    Platzer, A.: A complete axiomatization of quantified differential dynamic logic for distributed hybrid systems. Log. Methods Comput. Sci. 8(4), 1–44 (2012). special issue for selected papers from CSL’10Google Scholar
  57. 57.
    Platzer, A.: The structure of differential invariants and differential cut elimination. Log. Methods Comput. Sci. 8(4), 1–38 (2012)Google Scholar
  58. 58.
    Platzer, A.: Analog and hybrid computation: dynamical systems and programming languages. Bull. EATCS 114, 151–200 (2014)MathSciNetGoogle Scholar
  59. 59.
    Pratt, V.R.: Semantical considerations on Floyd-Hoare logic. In: FOCS. pp. 109–121. IEEE Computer Society (1976)Google Scholar
  60. 60.
    Quesel, J.D., Platzer, A.: Playing hybrid games with KeYmaera. In: Gramlich, B., Miller, D., Sattler, U. (eds.) IJCAR. LNCS, vol. 7364, pp. 439–453. Springer, Heidelberg (2012)Google Scholar
  61. 61.
    Ratschan, S., She, Z.: Safety verification of hybrid systems by constraint propagation-based abstraction refinement. ACM Trans. Embed. Comput. Syst. 6(1), 1–23 (2007)Google Scholar
  62. 62.
    Tarski, A.: A Decision Method for Elementary Algebra and Geometry, 2nd edn. University of California Press, Berkeley (1951)MATHGoogle Scholar
  63. 63.
    Tomlin, C., Pappas, G.J., Sastry, S.: Conflict resolution for air traffic management: a study in multi-agent hybrid systems. IEEE T. Autom. Contr. 43(4), 509–521 (1998)CrossRefMathSciNetMATHGoogle Scholar
  64. 64.
    Umeno, S., Lynch, N.A.: Safety verification of an aircraft landing protocol: A refinement approach. In: Bemporad, A., Bicchi, A., Buttazzo, G.C. (eds.) HSCC. LNCS, vol. 4416, pp. 557–572. Springer, Heidelberg (2007)Google Scholar
  65. 65.
    Wolfram, S.: The Mathematica book, 5th edn. Wolfram-Media, Champaign, IL (2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2015

Authors and Affiliations

  1. 1.Carnegie Mellon UniversityPittsburghUSA

Personalised recommendations