Relational Differential Dynamic Logic

In the field of quality assurance of hybrid systems, Platzer’s differential dynamic logic (dL) is widely recognized as a deductive verification method with solid mathematical foundations and sophisticated tool support. Motivated by case studies provided by our industry partner, we study a relational extension of dL, aiming to formally prove statements such as “an earlier engagement of the emergency brake yields a smaller collision speed.” A main technical challenge is to combine two dynamics, so that the powerful inference rules of dL (such as the differential invariant rules) can be applied to such relational reasoning, yet in such a way that we relate two different time points. Our contributions are a semantical theory of time stretching, and the resulting synchronization rule that expresses time stretching by the syntactic operation of Lie derivative. We implemented this rule as an extension of KeYmaera X, by which we successfully verified relational properties of a few models taken from the automotive domain.

Hybrid Systems and their Verification. With the ever increasing degree of digitalisation and automation, cyber-physical systems (CPS) are becoming exceedingly common in industry. This trend is accompanied by a similar increase in the research effort directed towards CPS. The biggest concern is sparked by the many safety-critical applications involving CPS, such as automated driving. The quality assurance of CPS thus poses a pressing socio-economic challenge.
On the other hand, quality assurance of CPS also poses academic challenges, namely in the combination of continuous (physical) dynamics and discrete (digital) control, commonly referred to as a hybrid system. Significant research effort has been directed towards hybrid systems, bringing together the control theory community, focusing on the continuous dynamics, and the formal methods community, focusing on the analysis of discrete (mainly software) systems.
As a rule of thumb, one can classify the techniques used in the formal methods community into model checking approaches, which are based on automata and fully automated, and deductive verification approaches, which are based on logic and either automated or interactive.
The state space of the continuous dynamics involved in a hybrid system is generally uncountable. This poses a natural barrier to the application of model checking techniques, which rely on state space exploration, to hybrid systems. The study of discrete abstractions of continuous (hybrid) dynamics, such as approximate bisimulation derived from Lyapunov functions [1], has been largely motivated by this difficulty.
The deductive verification approach, on the other hand, does not suffer from an infinite state space, as free variables allow logical formulas to hold in infinitely many states. Thus, changing the semantic domain to, for instance, sets of reals does not harm the validity of the formal deduction. The challenge remains, however, in designing a deductive system that provides powerful and versatile reasoning principles for continuous dynamics while maintaining concise and intuitive syntax.
The challenge has been met by André Platzer and his differential dynamic logic dL [4]. dL achieves systematic and intuitive syntax by extending dynamic logic with differential equations treated as programs. Numerous essential proof principles about differential equations are captured by the proof rules of dL, notably the differential invariant (DI) and side deduction rules. dL has become a general platform accommodating a large variety of techniques, e.g. the Darboux inequality rule introduced in [5], which relies on techniques from real algebraic geometry. Additionally, KeYmaera X [2] is an advanced tool facilitating access to dL via an interactive prover with a graphical user interface and several automation heuristics.
Relational Reasoning on Hybrid Systems. We aim at opening a new direction in deductive verification of hybrid systems. Our motivation comes chiefly from the following example, encountered amid industry collaboration.
Let C and C♯ be two cars with the following dynamics, where x, x♯ and v, v♯ denote their positions and velocities, respectively.
Our question is then: given the same starting conditions, x = x♯ = 0 and v = v♯ = 0, and an equally distant obstacle at position x = x♯ = 1, which car has the greater collision speed?
(Figure 1: hatched areas represent the distances traveled at the moment of impact, x = x♯ = 1.) The coveted v ≤ v♯ follows from the closed-form solutions of the differential equations (1), v = √2 and v♯ = 2. More precisely, our aim is to ascertain the natural claim that the car C♯, which accelerates harder, has a higher collision speed:
Starting from x = x♯ = v = v♯ = 0 and following the two dynamics in (1), we obtain v ≤ v♯ when x = x♯ = 1. (2)
The differential dynamic logic dL presents itself as a suitable platform for a formal and modular proof of the claim.
Although an ad-hoc proof may easily be conducted using the closed-form solutions of the dynamics, see Figure 1, we prefer to avoid relying on closed-form solutions, which may not always be available. Instead, local reasoning, without reliance on the global properties of the dynamics, is desirable.
The aforementioned differential invariant (DI) rule is a powerful tool for local reasoning in dL. Informally, the rule expresses the following argument: given g(x) nonnegative, if the time derivative of g along the dynamics (expressed as the Lie derivative) is nonnegative, then g(x) stays nonnegative regardless of the length of the execution of the dynamics. The DI rule can thus be viewed as the loop invariant method for continuous dynamics, reducing a global safety property to local reasoning on the Lie derivative.
It turns out, however, that such local relational reasoning comparing two different dynamics is not easy in dL. We are thus compelled to use the relational (binary) alternative to (unary) invariants, that is, (bi)simulations. We develop a theory of simulations and related notions in continuous dynamics and propose concise proof rules integrating this theory into dL.
Our Contribution. The technical contribution we make is twofold. On the one hand, we propose a solid theoretical foundation for relational reasoning in dL. This includes the study and formalisation of the concept of relational reasoning on continuous dynamics within differential dynamic logic itself, as well as a definition of simulations between continuous dynamics. We further obtain soundness for relational reasoning, leading to a syntactic proof rule (SIM).
On the other hand, as the theory does not provide hints as to how one finds a suitable simulation, we propose a method for the synthesis of time stretch functions, which give rise to simulations. We incorporate time stretching into dL by means of the following proof rule (TS), where δ, δ♯ are the original dynamics with evolution domains Q, Q♯ and L denotes the Lie derivative.

TS
The TS rule synchronises the two dynamics into the dynamics δA, reducing the relational reasoning to common dL proof obligations, thus enabling the use of the existing advanced proof rules in dL.
Apart from the two main rules SIM and TS, we identified several other proof rules while developing our case studies. We thus introduce an additional set of dL rules useful for relational reasoning, as well as the differential inductive invariant (DII) rule. DII serves a similar purpose as the DI rule, but includes the target inequality in the invariant of the dynamics at the cost of a slightly stronger demand on the Lie derivative. Although the rules appear new to us, their derivation might be possible using the comprehensive calculus in [3].
Finally, we employ the introduced rules to prove the example property (2) as well as more complex examples inspired by industry collaboration. The case studies conducted illustrate the strength of the TS rule and offer alternative approaches to its application.
Relational Reasoning in Industry Practice. As already hinted, we are led to believe in the practical significance of our contribution, as it is motivated by examples from industry. This claim is further substantiated in the following.
(i) Our methods are highly suited for monotonicity properties in the form of the following proof aim, where M(p) is a parametrised model.
Such monotonicity properties abound in real-world examples, e.g. product lines such as Euro car segments A-F. (ii) Compared to relational reasoning, e.g. monotonicity, proofs of non-relational safety specifications tend to be significantly more complex, requiring inspection of all details of the system. We thus expect relational reasoning to reduce the effort in scaling deductive methods to real-world examples. (iii) Especially if applied to a monotonicity property, relational reasoning has the potential to serve as a powerful test-case reduction technique. Should the real-world system be too complex for deductive verification of its safety property, one has little choice but to rely on empirical quality assurance methods, i.e. testing. Thus, by deductively establishing a monotonicity property as in (3), one can spare all the test cases for values of p smaller than the extreme case M(p_max).
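To make the DI argument and the synchronisation idea behind TS concrete, the following is an added example in plain Python; it is not code from the paper or from KeYmaera X. A small polynomial class computes Lie derivatives, the two-car system is synchronised by taking the position x as the common clock (a time stretch), and the DI premise for the candidate invariant g = u♯ − u is checked. The car dynamics are an assumption, since equation (1) is not reproduced on this page: constant accelerations a = 1 for C and a♯ = 2 for C♯ are chosen because they reproduce the closed-form collision speeds v = √2 and v♯ = 2 quoted above. The auxiliary variables u = v²/2 and u♯ = (v♯)²/2 are likewise introduced here so that the stretched dynamics stay polynomial (du/dx = a), avoiding the division by v that dv/dx = a/v would need at v = 0.

```python
"""Added example: checking a differential-invariant (DI) premise on a
time-stretched (synchronised) pair of dynamics, via Lie derivatives.
Assumed dynamics, not the paper's equation (1): x' = v, v' = a with
a = 1 for car C and a# = 2 for car C#, which yields v = sqrt(2) and
v# = 2 at x = x# = 1 (the closed-form values quoted in the text)."""
from fractions import Fraction
from itertools import product


class Poly:
    """Multivariate polynomial with exact rational coefficients,
    stored as {exponent tuple: coefficient} over a fixed variable order."""

    def __init__(self, variables, terms=None):
        self.vars = tuple(variables)
        self.terms = {e: Fraction(c) for e, c in (terms or {}).items() if c != 0}

    @classmethod
    def const(cls, variables, c):
        return cls(variables, {(0,) * len(variables): c})

    @classmethod
    def var(cls, variables, name):
        e = [0] * len(variables)
        e[tuple(variables).index(name)] = 1
        return cls(variables, {tuple(e): 1})

    def _combine(self, other, sign):
        terms = dict(self.terms)
        for e, c in other.terms.items():
            terms[e] = terms.get(e, 0) + sign * c
        return Poly(self.vars, terms)

    def __add__(self, other):
        return self._combine(other, 1)

    def __sub__(self, other):
        return self._combine(other, -1)

    def __mul__(self, other):
        terms = {}
        for (e1, c1), (e2, c2) in product(self.terms.items(), other.terms.items()):
            e = tuple(a + b for a, b in zip(e1, e2))
            terms[e] = terms.get(e, 0) + c1 * c2
        return Poly(self.vars, terms)

    def diff(self, name):
        """Partial derivative with respect to one variable."""
        i = self.vars.index(name)
        terms = {}
        for e, c in self.terms.items():
            if e[i] > 0:
                ne = list(e)
                ne[i] -= 1
                terms[tuple(ne)] = terms.get(tuple(ne), 0) + c * e[i]
        return Poly(self.vars, terms)

    def lie(self, field):
        """Lie derivative L(g) = sum_i (dg/dx_i) * f_i along x_i' = f_i(x)."""
        out = Poly(self.vars)
        for name, rhs in field.items():
            out = out + self.diff(name) * rhs
        return out

    def as_constant(self):
        """The value if the polynomial is constant, else None."""
        if any(any(e) for e in self.terms):
            return None
        return self.terms.get((0,) * len(self.vars), Fraction(0))


def di_premise(g, field):
    """DI side condition 'Lie derivative of g is nonnegative'.
    Only constant Lie derivatives are decided here; a non-constant one
    returns None (undecided) rather than guessing, because deciding the
    sign of a general polynomial needs real-arithmetic reasoning."""
    c = g.lie(field).as_constant()
    return None if c is None else c >= 0


# Synchronised system delta_A: position x is the common clock (time stretch),
# and u = v^2/2, u# = (v#)^2/2 keep the stretched dynamics polynomial:
# du/dx = (v * v') / x' = a.  Accelerations a = 1, a# = 2 are assumptions.
V = ("x", "u", "us")
X, U, US = (Poly.var(V, n) for n in V)
SYNCED = {"x": Poly.const(V, 1), "u": Poly.const(V, 1), "us": Poly.const(V, 2)}


def relational_premise():
    """Check the DI premise for g = u# - u on the synchronised dynamics.
    g >= 0 at x = 0 (both cars start at rest) and a nonnegative Lie
    derivative together give u# >= u at x = x# = 1, i.e. v <= v#."""
    g = US - U
    lie = g.lie(SYNCED).as_constant()
    return {"lie_derivative": lie, "premise_holds": di_premise(g, SYNCED)}


if __name__ == "__main__":
    print(relational_premise())  # lie derivative 1, premise holds
```

The checker deliberately decides only constant Lie derivatives and reports anything else as undecided; in dL the remaining arithmetic side condition is what the prover discharges, and with the TS rule it is exactly such a dL proof obligation on δA that replaces the relational argument. Note also that the invariant relates the two cars at equal position, not equal time, which is why the synchronisation by x (rather than the product of the two original clocks) is the right combined dynamics here.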

Figure 1: An ad-hoc proof of the claim in (2)