Uniform Substitution for Dynamic Logic with Communicating Hybrid Programs

This paper introduces a uniform substitution calculus for $\mathsf{dL}_\text{CHP}$, the dynamic logic of communicating hybrid programs. Uniform substitution enables parsimonious prover kernels by using axioms instead of axiom schemata. Instantiations can be recovered from a single proof rule responsible for soundness-critical instantiation checks rather than being spread across axiom schemata in side conditions. Even though communication and parallelism reasoning are notorious for necessitating subtle soundness-critical side conditions, uniform substitution when generalized to $\mathsf{dL}_\text{CHP}$ manages to limit and isolate their conceptual overhead. Since uniform substitution has proven to simplify the implementation of hybrid systems provers substantially, uniform substitution for $\mathsf{dL}_\text{CHP}$ paves the way for a parsimonious implementation of theorem provers for hybrid systems with communication and parallelism.

1 Introduction

Fig. 1: The proof rule is only sound under subtle side conditions (⋆⋆).
Hybrid systems and parallel systems are notoriously subtle to analyze. Combining both not only compounds these subtleties but is further complicated because parallel hybrid systems are interlocked by synchronization in a shared global time. The dynamic logic of communicating hybrid programs $\mathsf{dL}_\text{CHP}$ [6] tames the complexity of parallel hybrid systems by providing a compositional proof calculus that disentangles reasoning into purely discrete, continuous, and communication pieces. However, the calculus is subject to schematic side conditions whose implementation is generally error-prone, causing large soundness-critical code bases [29]. In particular, compositional reasoning about parallelism as in the idealized proof rule in Fig. 1 poses the challenge of exhaustively characterizing all side conditions required to make every instance of this proof rule sound. Proof systems for discrete parallelism [1,18,26,35,44,46] already have complicated side conditions, but complexity only increases with continuous interactions in shared global time.
In order to support compositional reasoning for parallel hybrid systems, this paper generalizes Church's uniform substitution [7] and develops a uniform substitution calculus [29,30,31] for $\mathsf{dL}_\text{CHP}$. Uniform substitution modularizes the calculus itself, enabling its parsimonious implementation. Although the approach is also applicable to discrete parallelism, the $\mathsf{dL}_\text{CHP}$ development resolves the inherent challenge that parallel hybrid systems always synchronize in time.
Uniform substitution adopts a finite list of concrete formulas as axioms instead of an infinite set of formulas given by axiom schemata with side conditions. This enables theorem provers without the extensive algorithmic checks otherwise required for each schema to sort out unsound instances. Thanks to the proof rule US for uniform substitution, only sound instances derive from the axioms, so that the parallel composition rule in $\mathsf{dL}_\text{CHP}$ could be adopted almost literally as above, but with all the soundness-critical checking encapsulated solely in rule US. Thanks to US's checking, parallel systems reasoning even reduces to a single parallel injection axiom $[\alpha]\psi \to [\alpha \parallel \beta]\psi$ that merely describes the preservation of a property $\psi$ of one parallel component $\alpha$ in the parallel system $\alpha \parallel \beta$. Proofs about $\alpha \parallel \beta$ reduce to a sequence of property embeddings with this axiom from local abstractions of the subcomponents, which combine soundly due to US.
Soundness checks in uniform substitution are ultimately determined by the binding structures identified in the static semantics. The development of uniform substitution for $\mathsf{dL}_\text{CHP}$ is, therefore, grounded in the following key observation: communication and parallelism both cause additional binding structure that needs attention in the substitution process performed by rule US:

(B I) Expressions depend on communication along (co)finite channel sets (besides finitely many free variables), which, by the core substitution principle [7], must not be introduced free into contexts where they are written.
(B II) Subprograms in a parallel context need to be restricted in the variables and channels they write, as compositional proof rules for parallelism require local abstractions of subprograms that do not depend on the internals of the context [35].
Grounded in the need for abstraction (B II), $[\alpha]\psi \to [\alpha \parallel \beta]\psi$ can only be adopted as a sound axiom schema if $\alpha$ and $\beta$ do not share state, and if program $\beta$ does not interfere with the contract $\psi$, i.e., (i) $\psi$ has no free variables bound by $\beta$ (with exceptions), and (ii) $\psi$ does not depend on communication channels written by $\beta$ (except for channels shared with $\alpha$). This extensive side condition would need nontrivial soundness-critical implementations of $\mathsf{dL}_\text{CHP}$ axiom schemata. Still, uniform substitution can be lifted with only small changes that locally check for clashes with written channels, and for prohibited variables or channels.
The modularity of uniform substitution is the key to the parsimonious implementation [22] of the theorem prover KeYmaera X [10] for differential dynamic logic dL and differential game logic dGL [28], thus paving the way for a straightforward theorem prover implementation of $\mathsf{dL}_\text{CHP}$. Since $\mathsf{dL}_\text{CHP}$ conservatively generalizes dL [6], its uniform substitution calculus inherits the complete [32] axiomatic treatment of differential equation invariants [29].

Dynamic Logic of Communicating Hybrid Programs
This section briefly recaps $\mathsf{dL}_\text{CHP}$ [6], the dynamic logic of communicating hybrid programs (CHPs). It combines hybrid programs [27] with CSP-style communication and parallelism [14]. By assumption-commitment (ac) reasoning [21,46,47], $\mathsf{dL}_\text{CHP}$ allows compositional verification of parallelism in dL. For uniform substitution, function and predicate symbols, and program constants are added.

Syntax
The set of variables $V = V_\mathbb{R} \cup V_\mathbb{N} \cup V_\mathbb{T}$ has real ($V_\mathbb{R}$), integer ($V_\mathbb{N}$), and trace ($V_\mathbb{T}$) variables. For each $x \in V_\mathbb{R}$, the differential symbol $x'$ is in $V_\mathbb{R}$, too. The designated variable $\mu \in V_\mathbb{R}$ represents the shared global time. The set of channel names is $\Omega$. By convention $x, y \in V_\mathbb{R}$, $n \in V_\mathbb{N}$, $h \in V_\mathbb{T}$, $ch \in \Omega$, and $z \in V$. A channel set $Y \subseteq \Omega$ is (co)finite. Vectorial expressions are denoted $\bar e$. Moreover, $f_M, g_M$ are $M$-valued function symbols and $p, q, r$ are predicate symbols, where argument sorts are annotated by $: M_1, \ldots, M_k$. Finally, $a, b$ are program constants.

$\mathrm{Trm}_\Omega:\ ce_1, ce_2 ::= f_\Omega(Y, \bar e) \mid chan(te)$

Real terms are polynomials in $V_\mathbb{R}$ enriched with function symbols $f_\mathbb{R}(Y, \bar e)$ (including constants $c \in \mathbb{Q}$) that only depend on communication along channels $Y$ and terms $\bar e$, differential terms $(\theta)'$, and $val(te)$ and $time(te)$, which access the value and the timestamp of the last communication in $te$, respectively. By convention, $\theta \in \mathbb{Q}[V_\mathbb{R}]$ denotes a pure polynomial in $V_\mathbb{R}$ without $(\cdot)'$, $val(\cdot)$, and $time(\cdot)$, as they occur in programs. For simplicity, we do not define $\mathbb{Q}[V_\mathbb{R}] \subset \mathrm{Trm}_\mathbb{R}$ as a fifth term sort but use the convention that function symbols $g_\mathbb{R}$ can only be replaced with $\mathbb{Q}[V_\mathbb{R}]$-terms. Integer terms are variables $n$, function symbols $f_\mathbb{N}(Y, \bar e)$ (including constants $0, 1$), addition, and the length $|te|$ of a trace term $te$. The function symbol $f_\Omega(Y, \bar e)$ includes constants $ch \in \Omega$, and $chan(te)$ is channel access. Trace terms record the communication history of programs. They encompass variables $h$, function symbols $f_\mathbb{T}(Y, \bar e)$ (including the empty trace $\epsilon$), communication items $\langle ch, \theta_1, \theta_2 \rangle$ with value $\theta_1$ and timestamp $\theta_2$, the projection $te \downarrow Y$ onto channels $Y$, and the access $te[ie]$ of the $ie$-th item in $te$. Where useful, $op(\bar e)$ denotes built-in function symbols of fixed interpretation, e.g., $\cdot + \cdot$.
$\mathsf{dL}_\text{CHP}$'s context-sensitive program and formula syntax presumes notions of free and bound variables (Section 2.3) defined on the context-free syntax:

Definition 2 (Programs). Communicating hybrid programs are defined by the following grammar, where $\theta \in \mathbb{Q}[V_\mathbb{R}]$ is a polynomial in $V_\mathbb{R}$ and $\chi \in \mathrm{FOL}_\mathbb{R}$ is a formula of first-order real arithmetic. In $\alpha \parallel \beta$, the subprograms must not share state but can share time and history, i.e., BV(α

The program constant $a(|Y, z|)$ restricts the written channels to $Y \subseteq \Omega$ and the bound variables to $z \subseteq V_\mathbb{R} \cup V_\mathbb{T}$, where $Y$ and $z$ are (co)finite. Instead of $a(|Y, z|)$, write $a$ if $Y$ and $z$ can be arbitrary. Assignment $x := \theta$ updates $x$ to $\theta$, nondeterministic assignment $x := *$ assigns an arbitrary real value to $x$, and the test $?\chi$ does nothing if $\chi$ holds and aborts the computation otherwise. The continuous evolution $\{x' = \theta \,\&\, \chi\}$ follows the ODE $x' = \theta$ for any duration as long as formula $\chi$ is not violated. The global time $\mu$ evolves with every continuous evolution according to the ODE $\mu' = 1$. Sequential composition $\alpha; \beta$ executes $\beta$ after $\alpha$, choice $\alpha \cup \beta$ executes $\alpha$ or $\beta$ nondeterministically, $\alpha^*$ repeats $\alpha$ zero or more times, $ch(h)!\theta$ sends $\theta$ along channel $ch$, and $ch(h)?x$ receives a value into variable $x$ along channel $ch$. The trace variable $h$ records the communication.
The formulas combine first-order dynamic logic with ac-reasoning. Predicate symbols $p(Y, \bar e)$ depend on channels $Y$ and terms $\bar e$. The ac-box $[\alpha]_{\{A,C\}}\psi$ expresses that $C$ holds after each communication event and $\psi$ in the final state, for all runs of $\alpha$ whose incoming communication satisfies $A$. The other connectives $\vee, \to, \leftrightarrow$ and quantifiers $\exists z\,\varphi \equiv \neg\forall z\,\neg\varphi$ can be derived. The relations $\sim$ include $=$ for all term sorts, $\geq$ on real and integer terms, and prefixing on trace terms.
By convention, the predicate symbol $q_\mathbb{R}$ can only be replaced with formulas of first-order real arithmetic. It serves as a placeholder for tests $\chi$ in CHPs.
Example 5. The cruise control from Example 3 is safe if its velocity stays in the range $[0, V]$. This can be expressed with the formula $\varphi \to [ct^* \parallel ve^*]\psi_{safe}$, where

Semantics
A trace $\tau = (\tau_1, \ldots, \tau_k)$ is a finite chronological sequence of communication events $\tau_i = \langle ch_i, d_i, s_i \rangle$, where $ch_i \in \Omega$, $d_i \in \mathbb{R}$ is the communicated value, and

The sets of traces, recorded traces, and states are denoted $\mathcal{T}$, $\mathcal{T}_{rec}$, and $\mathcal{S}$, respectively. For

An interpretation $I$ assigns a function

The projection $\tilde v = v \downarrow Y$ ensures that $f(Y, \bar e)$ only depends on $Y$, i.e., the communication in $v$ along channels $Y^\complement$ does not matter. The differentials $(\theta)'$ have a semantics describing the local rate of change of $\theta$ [29].
The interpretation $I(a(|Y, z|)) \subseteq D$ of a program constant $a(|Y, z|)$ is a prefix-closed and total set of chronological computations that (i) only communicate along (write) channels $Y$ and (ii) only bind variables $z$. More precisely, for all $(v, \tau, w) \in I(a(|Y, z|))$, we have (i) $\tau \downarrow Y^\complement = \epsilon$, and (ii

For states $w_\alpha, w_\beta$, the merged state $w_\alpha \oplus w_\beta$ is $\bot$ if one of the substates $w_\alpha$ or $w_\beta$ is $\bot$. Otherwise, $w_\alpha \oplus w_\beta = w_\alpha$ on $\mathrm{BV}(\alpha)$ and $w_\alpha \oplus w_\beta = w_\beta$ on $\mathrm{BV}(\alpha)^\complement$ (or, equivalently by syntactic well-formedness, on $\mathrm{BV}(\beta)^\complement$ and $\mathrm{BV}(\beta)$, respectively). If $Y$ is the set of all channel names occurring in $\alpha$, we write $\tau \downarrow \alpha$ for $\tau \downarrow Y$.
The semantics is indeed constructed prefix-closed, total, and chronological. The communication $\tau$ of $\alpha_1 \parallel \alpha_2$ is implicitly characterized via its subsequences for the subprograms. By $\tau = \tau \downarrow (\alpha_1 \parallel \alpha_2)$, there is no non-causal communication. Joint communication and the whole computation are synchronized in global time by the projections and by $w_{\alpha_1} = w_{\alpha_2}$ on $\{\mu, \mu'\}$, respectively. Likewise, by projection, communication is synchronously recorded by trace variables.

Definition 8 (Formula semantics). The satisfaction $Iv \models \varphi$ of a $\mathsf{dL}_\text{CHP}$ formula $\varphi$ in interpretation $I$ and state $v$ is inductively defined as follows:

Here $U \models \varphi$ for a set $U$ of interpretation-state pairs and any formula $\varphi$ if $Iv \models \varphi$ for all $Iv \in U$. In particular, $\emptyset \models \varphi$.
In items 6 and 7, reachable worlds are built from states $v$ and $w$, and communication $\tau$, as change of state and communication are observable. The strict prefix $\prec$ for the assumption in case (commit) of item 6 excludes (when $A \equiv C$) the circularity that commitment $C$ could be shown in states where it is assumed.

Static Semantics
In the uniform substitution process, checks of free and bound variables, as well as of accessed and written channels, separate sound from unsound axiom instantiations. As parallelism requires fine-grained control over channels, the static semantics for dL [29] is lifted to a communication-aware static semantics for $\mathsf{dL}_\text{CHP}$. It uses accessed channels to characterize the subsequence of a communication trace influencing the truth of a formula even more precisely than free variables do.
To precisely grasp free and bound variables, and accessed and written channels, Def. 9 gives a semantic characterization. In this section, formulas are considered truth-valued, i.e., Iv[

Definition 9 (Static semantics). For a term or formula $e$, and a program $\alpha$, the free variables $\mathrm{FV}(e)$ and $\mathrm{FV}(\alpha)$, bound variables $\mathrm{BV}(\alpha)$, accessed channels $\mathrm{CN}(e)$, and written channels $\mathrm{CN}(\alpha)$ form the static semantics.
and there is no (ṽ, τ, w) ∈ I[[α]] such that τ = τ and w = w on {z}∁ }

The already subtle static semantics of hybrid systems [29] becomes even more subtle with communication and parallelism. For example, CHPs (silently) synchronize with the global time $\mu$, which is free and bound in ODEs, and the differential $\mu'$ is bound, i.e., $\mu \in \mathrm{FV}(\{x' = \theta \,\&\, \chi\})$ and $\mu, \mu' \in \mathrm{BV}(\{x' = \theta \,\&\, \chi\})$ if the evolution has a run of non-zero duration, regardless of whether $\mu$ occurs in $x$. Since reachable worlds of CHPs consist of communication and state, the bound variables $\mathrm{BV}(\alpha)$ of a program $\alpha$ compare $v$ with the state-trace concatenation $w \cdot \tau$ instead of with $w$ alone, which would miss $\tau$. Consequently, $h \in \mathrm{BV}(ch(h)!\theta) \subseteq \mathrm{FV}(ch(h)!\theta)$, which also reflects that the initial communication never gets lost. All proofs for this section and computable overapproximations of the static semantics are in Appendix A.
Lemma 10 (Bound effect property). The sets $\mathrm{BV}(\alpha)$ and $\mathrm{CN}(\alpha)$ are the smallest sets with the bound effect property for program $\alpha$.
By the following communication-aware coincidence property, terms and formulas only depend on their free variables, which for trace variables can be further refined to the subtraces whose channels are accessed. This subtrace-level precision is crucial in the soundness proof of the parallel injection axiom, as it allows dropping $\beta$ from $[\alpha \parallel \beta]\psi$ only if $\beta$ does not write channels of $\psi$ that are not also written by $\alpha$. The signature $\Sigma(\cdot)$ of an expression denotes all occurring symbols.

Lemma 11 (Coincidence for terms and formulas). The sets $\mathrm{FV}(e)$ and $\mathrm{CN}(e)$ are the smallest sets with the communication-aware coincidence property for a term or formula $e$. That is, if $v \downarrow \mathrm{CN}(e) = \tilde v \downarrow \mathrm{CN}(e)$ on $\mathrm{FV}(e)$ and $I = J$ on $\Sigma(e)$, then $Iv[\![e]\!] = J\tilde v[\![e]\!]$. In particular, for a formula $\varphi$: $Iv \models \varphi$ iff $J\tilde v \models \varphi$.
Programs communicate but do not depend on the recorded history; thus the coincidence property for programs is not communication-aware. However, programs can produce the same communication when started from coinciding states.

Uniform Substitution for dL CHP
In $\mathsf{dL}_\text{CHP}$, a uniform substitution [29] $\sigma$ maps function and predicate symbols to terms (of equal sort) and formulas, respectively, while substituting the arguments of the symbol for their placeholders in the replacement, and it maps program constants to CHPs. For example, $\sigma = \{f(\cdot) \to \cdot + 1,\ a \to ch(h)?v; \{x' = v\}\}$ replaces all occurrences of the function symbol $f$ with $\cdot + 1$, where the reserved 0-ary function symbol $\cdot$ marks the positions for the parameter of $f$ in the replacement. Moreover, $\sigma$ replaces the program constant $a$ with the program $ch(h)?v; \{x' = v\}$.
The key to sound uniform substitution is that new free variables must not be introduced into a context where they are bound [7]. In the presence of communication, likewise, new channel access must not be introduced into contexts where the channel is written (B I). For parallelism, substitution must not reveal internals of the parallel context to the local abstraction of a subprogram (B II), and must not violate state disjointness. The one-pass approach [31] used for $\mathsf{dL}_\text{CHP}$ postpones these checks and simply applies the substitution recursively while collecting written variables and channels as a taboo set, and thus operates in time linear in the input. Clashes between the taboo and new free variables or channel access are only checked locally at the replacement site. Likewise, clashes between the permitted channels and variables of a program constant and its replacement program are checked locally. All proofs for this section are in Appendix B.
The substitution operator $\sigma^{U,W}_Z(\alpha)$ for a program $\alpha$ takes an input taboo $U \subseteq V \cup \Omega$ and a parallel context $W \subseteq V$, and returns, if defined, the substitution result and a set of output taboos $Z \subseteq V \cup \Omega$. For terms and formulas, the substitution operator $\sigma^U$ only takes a taboo $U \subseteq V \cup \Omega$ as input. The substitution process clashes, i.e., prevents an unsound instantiation, if it were to introduce a free variable or accessed channel into a context where it is bound (B I), or if it were to write variables and channels violating abstraction (B II). Moreover, substitution preserves the well-formedness of programs and formulas, i.e., it clashes if a replacement were to violate well-formedness. The side condition $(\mathrm{FV}(\sigma f(\cdot)) \cup \mathrm{CN}(\sigma f(\cdot))) \cap U = \emptyset$ implements locally that the replacement for $f$ must not introduce free parameters that are tabooed by $U$ (B I). The substitution $\{\cdot \to \sigma^U(e \downarrow Y)\}^\emptyset$ is responsible for the argument $e$, where $\emptyset$ suffices as the taboo $U$ is already checked on $e \downarrow Y$. By the projection, $e \downarrow Y$ only depends on the channels $Y$. Quantification $\forall z$ taboos the bound variable $z$. A program $\alpha$ in a box or ac-box has an empty parallel context $\emptyset$.
The substitution $\sigma^{U,W}_Z(\alpha)$ computes the output taboo $Z$ by adding the written variables and channels of the program $\alpha$ to $U$, e.g., the real variable $x$ for the assignment $x := \theta$, and for receiving $ch(h)?x$ additionally the channel $ch$ and the trace variable $h$. The output taboo $Z$ is passed to the ac-formulas and postconditions of boxes and ac-boxes for recursive clash checks w.r.t. (B I). Crucially for soundness, Lemma 13 below proves that $\sigma^{U,W}_Z(\cdot)$ correctly computes the output taboo $Z$. The taboo $U \cup W$ passed to nested expressions contains the parallel context $W$ to prevent free variables in replacements of function and predicate symbols that are bound in parallel. This prepares the substitution process to preserve the syntax restrictions for parallel composition from previous work [6]. Substitution for an evolution $\{x' = \theta \,\&\, \chi\}$ takes into account that the global time $\mu, \mu'$ is always implicitly bound regardless of whether it occurs in $x, x'$. The fixpoint notation $\sigma^{Z,W}_Z(\alpha)$ for the replacement of a repetition $\alpha^*$ ensures that the output taboo of the first iteration is tabooed in the subsequent iterations [31]. Computing the parallel context of $\alpha$ and $\beta$ in the case $\alpha \parallel \beta$ requires one additional pass over both subprograms, because what they potentially bind after substitution adds to the parallel context of the respective other subprogram.
Lemma 13 (Correct output taboo). The application $\sigma^{U,W}_Z(\alpha)$ of uniform substitution retains the input taboo $U$ and correctly adds the bound variables and written channels of the program $\alpha$, i.e.,

The side condition of $\sigma^{U,W}_Z(a(|Y, z|))$ maintains the local abstraction of subprograms (B II) because the replacement cannot bind more than $a(|Y, z|)$, and thus cannot bind variables and channels of an abstraction that is independent of $a(|Y, z|)$. This also preserves the state disjointness (well-formedness) of parallel programs.
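The taboo-passing substitution operator described above, as an added Python sketch that is neither the paper's Fig. 2 nor any prover's code. It assumes a toy fragment of $\mathsf{dL}_\text{CHP}$ as tuple ASTs (no ODEs, repetition or ac-boxes), syntactic overapproximations of FV/BV/CN, the naming convention that trace variables start with h, and the constructed program constants $a(|\{ch\},\{x,h\}|)$ and $b(|\{dh\},\{y,h\}|)$ for the injection axiom $[a]\psi \to [a \parallel b]\psi$:

```python
# Constructed toy model of one-pass uniform substitution with taboo sets (not the paper's
# Fig. 2): a small dL_CHP fragment as tuple ASTs with the clash checks for (B I) and (B II).
# Terms:    ('var', x) | ('dot',) | ('fn', f, arg)   Formulas: ('true',) | ('pred', p, Y, arg) | ('box', prog, phi)
# Programs: ('assign', x, t) | ('test', phi) | ('recv', ch, h, x) | ('par', a, b) | ('const', a, Y, z)  # a(|Y, z|)

class Clash(Exception): """The instantiation would be unsound or would break well-formedness."""

def fv_cn(e):
    """Free variables and accessed channels of a term/formula (syntactic overapproximation)."""
    tag = e[0]
    if tag == "var":
        return {e[1]}, set()
    if tag in ("dot", "true"):
        return set(), set()
    if tag == "fn":                    # toy: f(arg) depends only on its argument
        return fv_cn(e[2])
    if tag == "pred":                  # p(Y, arg) additionally accesses the channels Y
        v, c = fv_cn(e[3])
        return v, c | set(e[2])
    raise ValueError(f"toy fragment: no '{tag}' inside replacements")

def bound_written(p):
    """Bound variables BV and written channels CN of a program (syntactic overapproximation)."""
    tag = p[0]
    if tag == "assign":
        return {p[1]}, set()
    if tag == "test":
        return set(), set()
    if tag == "recv":                  # ch(h)?x binds h and x and writes channel ch
        return {p[2], p[3]}, {p[1]}
    if tag == "par":
        (v1, c1), (v2, c2) = bound_written(p[1]), bound_written(p[2])
        return v1 | v2, c1 | c2
    if tag == "const":                 # a(|Y, z|) may write Y and bind z
        return set(p[3]), set(p[2])
    raise ValueError(tag)

def instantiate(U, repl, arg):
    """(B I): repl may not mention a variable/channel tabooed by U; then '.' := arg."""
    v, c = fv_cn(repl)
    if (v | c) & U:
        raise Clash(f"{repl} introduces taboo {sorted((v | c) & U)}")
    def plug(e):
        return arg if e == ("dot",) else tuple(plug(x) if isinstance(x, tuple) else x for x in e)
    return plug(repl)

def subst(sigma, U, e):
    """Apply sigma to a term or formula under taboo set U (variables and channels)."""
    tag = e[0]
    if tag in ("var", "dot", "true"):
        return e
    if tag == "fn":
        arg = subst(sigma, U, e[2])
        return instantiate(U, sigma[e[1]], arg) if e[1] in sigma else ("fn", e[1], arg)
    if tag == "pred":
        arg = subst(sigma, U, e[3])
        return instantiate(U, sigma[e[1]], arg) if e[1] in sigma else ("pred", e[1], e[2], arg)
    if tag == "box":                   # empty parallel context; the program's output taboo Z
        prog, Z = subst_prog(sigma, U, set(), e[1])   # is what the postcondition must respect
        return ("box", prog, subst(sigma, Z, e[2]))
    raise ValueError(tag)

def subst_prog(sigma, U, W, p):
    """Apply sigma to program p under taboo U and parallel context W; return (p', Z)."""
    tag = p[0]
    if tag == "assign":                # nested terms see the parallel context W as taboo too
        return ("assign", p[1], subst(sigma, U | W, p[2])), U | {p[1]}
    if tag == "test":
        return ("test", subst(sigma, U | W, p[1])), U
    if tag == "recv":
        return p, U | {p[1], p[2], p[3]}
    if tag == "par":                   # extra pass (B II): what one side binds after
        a0, _ = subst_prog(sigma, U, W, p[1])        # substitution joins the parallel
        b0, _ = subst_prog(sigma, U, W, p[2])        # context W of the other side
        a, Za = subst_prog(sigma, U, W | bound_written(b0)[0], p[1])
        b, Zb = subst_prog(sigma, U, W | bound_written(a0)[0], p[2])
        shared = (bound_written(a)[0] & bound_written(b)[0]) - {"mu", "mu'"}  # global time may be shared
        if {v for v in shared if not v.startswith("h")}:   # toy: trace variables start with 'h'
            raise Clash(f"parallel components both bind state in {sorted(shared)}")
        return ("par", a, b), Za | Zb
    if tag == "const":
        if p[1] not in sigma:
            return p, U | set(p[2]) | set(p[3])
        bv, cn = bound_written(sigma[p[1]])
        if cn != set(p[2]) or not bv <= set(p[3]):   # replacement stays within a(|Y, z|) (B II);
            raise Clash(f"{sigma[p[1]]} exceeds a(|{sorted(p[2])}, {sorted(p[3])}|)")  # CN == Y keeps synchronization
        return sigma[p[1]], U | cn | bv
    raise ValueError(tag)

def instantiate_axiom(sigma, phi):
    """Rule US: start with no taboos; return the instance, or None if sigma clashes."""
    try:
        return subst(sigma, set(), phi)
    except Clash:
        return None

A = ("const", "a", frozenset({"ch"}), frozenset({"x", "h"}))   # constructed a(|{ch}, {x, h}|)
B = ("const", "b", frozenset({"dh"}), frozenset({"y", "h"}))   # constructed b(|{dh}, {y, h}|)
PSI = ("pred", "p", frozenset({"ch"}), ("var", "x"))
PREMISE, CONCLUSION = ("box", A, PSI), ("box", ("par", A, B), PSI)   # [a]ψ and [a ∥ b]ψ
```

Replacing b by a program that writes ch, or a by ?⊤ (which no longer synchronizes along ch), makes `instantiate_axiom` return None, while a replacement for b confined to dh and y instantiates both sides of the axiom.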

Semantic Effect of Uniform Substitution
The key ingredients for proving the soundness of uniform substitution are Lemmas 16 and 17 below. They prove that the effect of the syntactic transformation applied by uniform substitution can equally be mimicked by semantically modifying the interpretation of function and predicate symbols, and program constants. This adjoint interpretation $\sigma^*_w I$ for an interpretation $I$ and state $w$ changes how symbols are interpreted according to their syntactic replacements in the substitution $\sigma$.

Definition 14 (Adjoint substitution). For an interpretation $I$ and state $w$, the adjoint interpretation $\sigma^*_w I$ changes the meaning of function and predicate symbols, and program constants according to the substitution $\sigma$ evaluated in state $w$:

We follow the observation for dGL [31] that the more liberal one-pass substitution requires a stronger coincidence between the substitution and the adjoint on neighborhoods of the original state. Where the dGL soundness proof succeeded with a neighborhood semantics of state on taboos, the $\mathsf{dL}_\text{CHP}$ proof succeeds with a generalization to a neighborhood semantics of state and communication on taboos. The neighborhood of a state consists of its variations:

The proofs of Lemmas 16 and 17 follow a lexicographic induction on the structure of the substitution, and of the term, formula, or program. In Lemma 17, the induction is mutual for formulas and programs.

Lemma 17 (Semantic uniform substitution). The formula $\varphi$ and the program $\alpha$ have equal truth value and semantics, respectively, over $U$-variations under the uniform substitution $\sigma^U$ and the adjoint interpretation $\sigma^*_w I$, i.e., 1. for all $U$-variations $v$ of $w$:

Uniform Substitution Proof Rule
The proof rule US for uniform substitution is the single point of truth for the sound instantiation of axioms (plus renaming of bound variables [29] and written channels, e.g., $[x := \theta]\psi(x)$ to $[y := \theta]\psi(y)$ and $[ch(h)?x]\psi(ch)$ to $[dh(h)?x]\psi(dh)$). Soundness of the rule, i.e., that validity of its premise implies validity of the conclusion, follows immediately from Lemma 17. Since the substitution process starts with no taboos, $\sigma(\varphi)$ is short for $\sigma^\emptyset(\varphi)$. If the substitution clashes, i.e., $\sigma^\emptyset(\varphi)$ is not defined, then rule US is not applicable.
Theorem 18 (US is sound). The proof rule US is sound.
Unlike dL [29] and dGL [31], $\mathsf{dL}_\text{CHP}$ has a context-sensitive syntax for programs and formulas (see Def. 2 and Def. 4). By Proposition 19, however, uniform substitution preserves syntactic well-formedness. Since all axioms in Section 4 will be well-formed, only well-formed formulas can be derived in $\mathsf{dL}_\text{CHP}$.
Proposition 19 (US preserves well-formedness). The result $\sigma^U(\varphi)$ (if defined) of applying uniform substitution to a well-formed formula $\varphi$ is well-formed.

Axiomatic Proof Calculus
Figure 3 presents a sound proof calculus for $\mathsf{dL}_\text{CHP}$. The significant difference to $\mathsf{dL}_\text{CHP}$'s schematic calculus [6] is that it completely abandons soundness-critical side conditions, internalizing them syntactically in the axioms. Only axiom $[\,]_\mathrm{WA}$ was adjusted to obtain a symbolic representation, and an ac-version $\mathrm{K}_\mathrm{AC}$ of modal modus ponens is included. Now, the distribution of ac-boxes over conjuncts $[\,]_\mathrm{AC}\wedge$ and ac-monotonicity $\mathrm{M}[\cdot]_\mathrm{AC}$ derive from $\mathrm{K}_\mathrm{AC}$ and are thus dropped. Except for these small changes, soundness is inherited from the schematic axioms [6]. All proofs and supplementary material for this section are in Appendix C.
Algebraic laws for reasoning about traces [6] can easily be adapted to uniform substitution as well. Decidable first-order real arithmetic [41] and Presburger arithmetic [33] have corresponding oracle proof rules [6].
Remark 20. To obtain a truly finite list of axioms from Fig. 3, symbolic (co)finite sets can be finitely axiomatized as a boolean algebra together with extensionality, which can be unrolled to a finite disjunction for (co)finite sets (see Appendix C).
(a) Replacements for the function symbol $g_\mathbb{R}$ and the predicate symbol $q_\mathbb{R}$ are restricted to polynomials in $V_\mathbb{R}$ and first-order real arithmetic, respectively.
The operator wf abbreviates well-formed parallel composition (see above). The axiom $[\,]_\mathrm{WA}$ can weaken assumptions. Its slight change compared to $\mathsf{dL}_\text{CHP}$'s schematic calculus [6] exploits that the compositionality condition WA is only required for $a$'s reachable worlds. Interestingly, $\mathsf{dL}_\text{CHP}$'s monotonicity rule $\mathrm{M}[\cdot]_\mathrm{AC}$ [6] does not derive from modal modus ponens $\mathrm{K}_\mathrm{AC}$ and Gödel generalization $\mathrm{G}_\mathrm{AC}$ in analogy to dL [29], but needs $\mathrm{W}[\,]_\mathrm{AC}$ to handle monotonicity of assumptions, which does not fit into $\mathrm{G}_\mathrm{AC}$ because necessitating the assumption in $\mathrm{G}_\mathrm{AC}$ would render the derivation of $[\alpha]_{\{\top,\top\}}\top$ by $\mathrm{G}_\mathrm{AC}$ impossible. Axioms using the postcondition $P \equiv p(Y, z)$, e.g., in $[;]_\mathrm{AC}$, allow any replacement of $P$, since the accessed channels $Y \subseteq \Omega$ and free variables $z \subseteq V_\mathbb{R} \cup V_\mathbb{T}$ can be arbitrary. Replacements of assumptions $R \equiv r(Y, h)$ and commitments $Q \equiv q(Y, h)$ can instead only mention trace variables $h \subseteq V_\mathbb{T}$ bound in their context. This reflects that trace variables are the only interface between the program $\alpha$ and the ac-formulas $A$ and $C$ in an ac-box $[\alpha]_{\{A,C\}}\psi$ (well-formedness).
Theorem 21 (Soundness). The proof calculus for $\mathsf{dL}_\text{CHP}$ presented in Fig. 3 is sound as an instantiation of the schematic calculus [6].
Clashes. Clashes sort out unsound instantiations of axioms. Unlike in dL and dGL [29,31], whose clashes are solely due to tabooed variables in terms and formulas, clashes in $\mathsf{dL}_\text{CHP}$ can also be due to tabooed channels, and even due to taboos in programs. For example, consider the substitution below, where $Y = \{ch, dh\}$, $z \equiv h, y$, $R \equiv r(Y)$, and $Q \equiv q(Y)$.

Writing channel $ch$ in the replacement for $b$ would break the local abstraction of $a$, as $ch$ is accessed in $\psi$ but not written in the replacement for $a$; thus the clash indeed sorts out an unsound instantiation.
Also note that by the operator wf for well-formed parallel composition, the recorder variable $h$ can be shared without causing a clash above. However, clashes prevent instantiations that would violate the syntactic well-formedness of programs (Def. 2) by binding the same state variable in parallel:

Well-formedness of programs and formulas is ensured in the axioms by well-formed parallel composition wf and by the limitation to trace variables $h$ in $R_j \equiv r_j(Y, h)$ and $Q_j \equiv q_j(Y, h)$ in ac-boxes $[\alpha]_{\{R_j, Q_j\}}\psi$ in Fig. 3, respectively. By Proposition 19, uniform substitution always preserves well-formedness.
Example 22. The proof tree below decomposes safety (Example 5) of the cruise control (Example 3) into safety (1) of the controller ct and a branch (2) to be continued to safety of the vehicle ve. The lower subproof introduces the ac-formulas

Related Work
Uniform substitution for differential dynamic logic dL [29] generalizes Church's uniform substitution for first-order logic [7, §35, 40]. Unlike the lifting from dL to differential game logic dGL [30], $\mathsf{dL}_\text{CHP}$ generalizes in the complementary direction of communication and parallelism. Unlike schematic calculi [2,18,26,44,46], whose treacherous schematic simplicity relies on encoding all the subtlety of parallel systems in significant soundness-critical side conditions, our development builds upon a minimalistic non-schematic parallel injection axiom and sound instantiation encapsulated in uniform substitution. This provides a new, more atomic and more modular understanding of parallel systems, overcoming the root cause of large soundness-critical prover kernels [5,8,11,15,17,36]. The use of uniform substitution reduced the kernel of the theorem prover KeYmaera from 105 kLOC to 2 kLOC in KeYmaera X [22]. We expect $\mathsf{dL}_\text{CHP}$'s integration into KeYmaera X to stay in the same order of magnitude.
To the best of our knowledge, assumption-commitment reasoning [21,46] has no tool support, which might be due to the vast implementation effort. The latter can be underpinned by analogy with tools [5,8,15,17,36] for the verification of shared-variables concurrency, some of which use rely-guarantee reasoning [36,39]. Unlike uniform substitution for $\mathsf{dL}_\text{CHP}$, which enables a straightforward implementation of a small prover kernel, they all rely on large soundness-critical code bases. Unlike refinement checking for CSP [11] and discrete-time CSP [4], $\mathsf{dL}_\text{CHP}$ supports safety properties of dense-time hybrid systems. Contrary to our goal of small prover kernels, implementations of model checkers [11] are inherently large.
Beyond embeddings of concurrency reasoning for discrete systems into proof assistants [3,24,25,38], $\mathsf{dL}_\text{CHP}$ can verify parallel hybrid systems synchronizing in shared global time. The latter imposes even more complicated binding structures than parallel or hybrid systems alone, but $\mathsf{dL}_\text{CHP}$'s uniform substitution calculus continues to manage them in a modular way.
The recent tool HHLPy [37] for hybrid CSP (HCSP) [16] is limited to the sequential fragment. Unlike extending HHLPy to parallelism, which would require extensive soundness-critical side conditions and a treatment of the duration calculus, integrating $\mathsf{dL}_\text{CHP}$ into KeYmaera X [10] boils down to adding a finite list of concrete object-level formulas as axioms and only small changes to the uniform substitution process. In contrast to $\mathsf{dL}_\text{CHP}$'s compositional parallel systems calculus [6], HCSP calculi [12,19,42] are non-compositional [6], as they either unroll exponentially many interleavings from the operational semantics [12,42] or can only decompose independent parallel components [19], which limits their ability to reason about complex systems. Former HCSP tools [43,45] only implement a non-compositional calculus [19], reinforcing the significance of our approach for managing parallel hybrid systems reasoning. Other hybrid process algebras defer to model checkers for reasoning [9,20,40]. Further discussion of $\mathsf{dL}_\text{CHP}$ is in [6].

Conclusion
This paper introduced a sound one-pass uniform substitution calculus for the dynamic logic of communicating hybrid programs $\mathsf{dL}_\text{CHP}$, thereby mastering the significant challenge of developing simple sound proof calculi for parallel hybrid systems with communication. Uniform substitution can separate even the notoriously complicated binding structures arising from parallelism with communication in multi-dynamical logics into axioms and their instantiation. In the case of $\mathsf{dL}_\text{CHP}$, this applies to channel access in predicates and the need for local abstraction of subprograms in parallel statements, and it even turns out that uniform substitution can maintain a context-sensitive syntax along the way. Thanks to uniform substitution, parallel systems reasoning reduces to multiple uses of an asymmetric parallel injection axiom. Now, with uniform substitution, a straightforward implementation of $\mathsf{dL}_\text{CHP}$ in KeYmaera X is only one step away.

A Details of the Static Semantics
This appendix reports the proofs of the bound effect property and the coincidence lemmas given in Section 2.3. Moreover, sound syntactical overapproximations of the static semantics from previous work [6]

The following lemma prepares the proof of the communication-aware coincidence property (Lemma 11) for terms and formulas:

Y, then τ′′ ∈ T τ Y0 exists such that τ′′ ↓ {ch}∁ = τ′ ↓ {ch}∁.

Proof. For ρ = ⟨ch, a, s⟩, we define Ω(ρ) = ch. Moreover, we identify the item ch with the singleton {ch}. Now, the proof is by induction on the structure of τ′:

] for all I. Let S X,Y be a set of states between v and ṽ according to variables X ⊆ V and channels Y ⊆ Ω as follows:

] for all X ⊆ FV(e)∁, Y ⊆ CN(e)∁, and v′ ∈ S X,Y. Therefore, we increase the sets X and Y starting from ∅ for both, where v′ may differ from ṽ, by lexicographic induction on X and Y until we reach X = FV(e)∁ and Y = CN(e)∁. This suffices for Iv[[e]] = Iṽ[[e]] because v ∈ S FV(e)∁,CN(e)∁ by the premise that v ↓ CN(e) = ṽ ↓ CN(e) on FV(e).
The static semantics of Def. 9 is not computable [34]. Def. 24-29 adapt sound overapproximations of the static semantics computed from the syntactical structure [6] to $\mathsf{dL}_\text{CHP}$. The definitions add the cases for function and predicate symbols, and program constants, which were only introduced in this paper.
Crucially, the bound effect property and the coincidence lemmas apply to overapproximations of the static semantics as well. Thus, the overapproximations can be soundly used in an implementation of uniform substitution.

B Soundness of Uniform Substitution
This appendix reports the soundness proof of uniform substitution for $\mathsf{dL}_\text{CHP}$ (Theorem 21) and a proof that uniform substitution preserves the syntactic well-formedness of formulas (Proposition 19). Moreover, Theorem 32 given in this section enables the instantiation of axiomatic proof rules by uniform substitution.

Proof (of Lemma 13).
The proof is by induction on the structure of program α and generalizes the corresponding proof for dGL [31, Lemma 13], where U0 is short for U ∪ W and BP(·) = BV(·) ∪ CN(·) denotes all bound parameters:

3. Let op(e1, ..., ek) be a concrete function.

For 1 the uniform substitution σ^{U,∅}_Z(α) be defined, and v be a U-variation of w. Then o · τ is a Z-variation of w.
Proof. Since v is a U-variation of w (Def. 15), we have and by the bound effect property (Lemma 10), we obtain By mentioning Y, the program constant a(|Y, z|) signals that a synchronizes along all the channels Y.⁹ Synchronization forces the parallel context to agree with the local program on the communication along the synchronized channels. Uniform substitution must preserve synchronization as otherwise the parallel context could unsoundly perform additional communication.
For example, the substitution σ = {a → ?T, b → ch(h)!θ} would turn the valid formula stating that if the initial history contains one ch-communication ([?T]|h↓ch| = 1), there is still only one after sending along ch by ch(h)!θ. The problem is that the replacement for a no longer forces the replacement for b to synchronize along ch. Where b could only communicate along ch if it agreed on this communication with a, the replacement for b unsoundly can perform additional communication independent of the replacement for a.
Uniform substitution (see Fig. 2) preserves synchronization by the side condition CN(σa) = Y for replacing program constants a(|Y, z|). The standard intuition for uniform substitution would suggest that CN(σa) ⊆ Y suffices, since this already prevents the local replacement of a from unsoundly binding accessed channels.
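The side condition CN(σa) = Y can be checked mechanically. The following Python is an added example, not code from the paper or from any dL CHP prover: it assumes a toy program syntax (tests, send, receive, sequential and parallel composition, program constants a(|Y, z|)), a syntactic CN computation, and a hypothetical `substitute` routine; the parallel program a(|{ch}, z|) ∥ b(|{ch}, z|) to which it applies σ is a constructed stand-in for the formula discussed in the text. It contrasts the equality check with the weaker subset check that the standard intuition would suggest, which lets the substitution from the text through.

```python
# Added example (not from the paper): a toy admissibility check for the
# synchronization side condition CN(sigma a) = Y when uniform substitution
# replaces a program constant a(|Y, z|). The program syntax, the CN
# computation and the substitution routine are assumptions for illustration;
# only the side condition itself is taken from the text.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Union


@dataclass(frozen=True)
class Test:            # ?phi
    formula: str


@dataclass(frozen=True)
class Send:            # ch(h)!theta
    ch: str
    h: str
    term: str


@dataclass(frozen=True)
class Receive:         # ch(h)?x
    ch: str
    h: str
    var: str


@dataclass(frozen=True)
class Seq:             # alpha; beta
    left: "Program"
    right: "Program"


@dataclass(frozen=True)
class Par:             # alpha || beta
    left: "Program"
    right: "Program"


@dataclass(frozen=True)
class Const:           # program constant a(|Y, z|)
    name: str
    channels: FrozenSet[str]   # Y: channels a synchronizes on
    vars: FrozenSet[str]       # z: variables a may bind


Program = Union[Test, Send, Receive, Seq, Par, Const]


def cn(alpha: Program) -> FrozenSet[str]:
    """Syntactic overapproximation of the channels a program communicates on."""
    if isinstance(alpha, Test):
        return frozenset()
    if isinstance(alpha, (Send, Receive)):
        return frozenset({alpha.ch})
    if isinstance(alpha, (Seq, Par)):
        return cn(alpha.left) | cn(alpha.right)
    if isinstance(alpha, Const):
        return alpha.channels
    raise TypeError(alpha)


class SubstitutionClash(Exception):
    pass


def substitute(sigma: Dict[str, Program], alpha: Program, strict: bool = True) -> Program:
    """Replace program constants according to sigma. With strict=True the
    replacement must communicate on exactly the declared channels Y
    (CN(sigma a) = Y); with strict=False only CN(sigma a) ⊆ Y is enforced,
    which the text explains is unsound because synchronization is lost."""
    if isinstance(alpha, Const):
        if alpha.name not in sigma:
            return alpha
        rep = sigma[alpha.name]
        ok = cn(rep) == alpha.channels if strict else cn(rep) <= alpha.channels
        if not ok:
            raise SubstitutionClash(f"{alpha.name}: CN={set(cn(rep))} vs Y={set(alpha.channels)}")
        return rep
    if isinstance(alpha, Seq):
        return Seq(substitute(sigma, alpha.left, strict), substitute(sigma, alpha.right, strict))
    if isinstance(alpha, Par):
        return Par(substitute(sigma, alpha.left, strict), substitute(sigma, alpha.right, strict))
    return alpha


def admissible(sigma: Dict[str, Program], alpha: Program, strict: bool = True) -> bool:
    """True iff sigma can be applied to alpha without a clash."""
    try:
        substitute(sigma, alpha, strict)
        return True
    except SubstitutionClash:
        return False


# Constructed instance of the text's example: a -> ?T, b -> ch(h)!theta applied to
# a(|{ch}, z|) || b(|{ch}, z|), where both constants synchronize on ch.
A = Const("a", frozenset({"ch"}), frozenset({"z"}))
B = Const("b", frozenset({"ch"}), frozenset({"z"}))
SIGMA = {"a": Test("T"), "b": Send("ch", "h", "theta")}

if __name__ == "__main__":
    print(admissible(SIGMA, Par(A, B)))                 # False: CN(?T) = {} != {ch}
    print(admissible(SIGMA, Par(A, B), strict=False))   # True: the subset check misses the clash
```

With the equality check, the replacement ?T for a clashes because CN(?T) = ∅ ≠ {ch}; with the subset check the same substitution is accepted, and the resulting program ?T ∥ ch(h)!θ lets b's replacement communicate along ch without a's agreement.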
] because v is a (U ∪ ∅)-variation of w. Since variation is monotone in the variation set, v is a (U ∪ BV(σ U,∅ Z (α)) ∪ CN(σ U,∅ Z (α)))-variation of w. Moreover, by the bound effect property (Lemma 10), we have τ↓CN(σ U,∅ Z (α) Since v is a (U ∪ W)-variation of w and v = u on BV(σ U,W Z0 (α))∁ by the bound effect property, we obtain w is added to U during an additional first pass over α as indicated by the fixpoint notation Lemma 10. Then either z ∈ VR \ {µ, µ′} such that z ∈ BV(β) by well-formedness of α ∥ β or z ∈ {µ, µ′} such that the programs must agree upon the value of z in their final states. If z ∈ BV(β), then v(z) = oα(z) since z ∈ Xobs such that z ∈ BV(σ(α)) in contradiction to z ∈ X. Therefore, z ∈ X ∩ Xobs such that X ∩ Xobs = ∅. Otherwise, if z ∈ {µ, µ′}, the final states agree upon the value of z. Thus, Once the uniform substitution lemmas from Section 3.1 are proven, the soundness proof of uniform substitution (Theorem 18) is easy: Proof (of Theorem 18). Let the premise φ be valid, i.e., J ṽ ⊨ φ for all pairs J ṽ of interpretation and state. For proving the conclusion, let Iv be any pair of interpretation and state. By validity of the premise, thus σ Besides the instantiation of axioms by US, Theorem 32 even allows instantiation of axiomatic proof rules using uniform substitution. The rule must be locally sound, i.e., validity of the premises in any interpretation implies validity of the conclusion under this interpretation.
Theorem 32 (Sound uniform substitution for rules). If the inference INF is locally sound, so is the inference US-INF: Proof (of Proposition 19). The proof is by simultaneous induction on the structure of programs and formulas. It uses the abbreviation The only program with context-sensitive syntax is parallel composition, thus atomic programs are trivially well-formed and other compound programs are well-formed since by IH, their subprograms are well-formed. Now, let α ∥ β be well-formed. Then ( , are defined, and by IH, they are well-formed. By Lemma 34, For formulas, the ac-box is the only interesting case. Let [α]{A,C}ψ be well-formed. Then (FV(A) ∪ FV(C)) ∩ BV(α) ⊆ VT. Moreover, let σU([α]{A,C}ψ) be defined. For χ ∈ {A, C}, we obtain by Lemma 33 that FV(σ , which is by Lemma 13 smaller or equal to which equals FV(χ) ∩ BV(σ U,∅ Z (α)), which is by Lemma 33 smaller or equal to FV(χ) ∩ BV(α), which is smaller or equal to VT by the premise.

C Details of the Axiomatic Calculus
This appendix reports a soundness proof for dL CHP's axiomatization (see Fig. 3). Moreover, Corollary 35 gives derivations of ac-monotonicity M[•]AC and distribution of boxes over conjuncts []AC∧. Finally, algebraic laws for reasoning about trace terms [6] are lifted to uniform substitution.
Proof (of Theorem 21). Since the axioms of Fig. 3 are instances of their schematic versions (except for KAC and []WA), they are sound as the schematic axioms are sound [6]. In particular, note that axioms [ε]AC and [∥]AC internalize the side conditions of the schematic calculus correctly. For the newly added axiom KAC and the changed axiom []WA, soundness proofs are provided below. Recall that Rj ≡ rj(Y, h), and Qj ≡ qj(Y, h), and Pj ≡ pj(Y, z). [6] can be derived. Let Rj ≡ rj(Y, h), and Qj ≡ qj(Y, h), and Pj ≡ pj(Y, z).
Proof. The proof is by derivation in the calculus. The sequent-style deduction is justified since sequent-style rules can be derived in a Hoare-style calculus.

M[•]
in the following, where Prop marks propositional reasoning.
[]AC∧: The implication (→) can be easily derived using rule M[•]AC. The other direction is derived below, where Prop marks propositional reasoning. The proof uses currying Curry, which can be easily derived by Prop.
Algebra of Traces. Fig. 4 gives simple algebraic laws for step-wise simplification of trace terms. In contrast to the schematic algebra of traces in our previous report [6], the laws in Fig. 4 are flat axioms without side conditions. The axioms use that a symbolic representation of (co)finite sets can be given and finitely axiomatized, especially in axiom ↓∩, axiom ↓∈, and axiom ↓ ∈.
Fig. 4: Axiomatic algebra of traces

Axiomatization of (Co)finite Sets. Strictly speaking, the calculus in Fig. 3 still has schematic occurrences of (co)finite sets. As suggested by Remark 20, this is easily fixed using symbolic (co)finite sets together with a non-schematic axiomatization. The class C(E1, . . ., En) of (co)finite sets over the (co)finite sets E1, . . ., En of atoms has the following syntax where ei ∈ Ei is any atom for any 1 ≤ i ≤ n, symbol ⊥Set represents the empty set, ⊤i Set represents all atoms of Ei for 1 ≤ i ≤ n, and ∩ and \ are set intersection and set difference, respectively. Other operators like union ∪ can be defined. The class occurring in dL CHP is C(Ω, VR, VN, VT).
In formulas, (co)finite sets can be compared C Equality is axiomatized in terms of the extensionality principle as usual:
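As an added example (not the paper's own code or axiomatization), the following Python gives one concrete representation of a class of (co)finite sets over a single sort of atoms, with ⊥Set, ⊤Set, ∩ and \ as primitives, union defined from them as the text says it can be, and equality decided on the canonical form, which is what the extensionality principle amounts to for this representation. It also uses the representation for trace projection τ↓Y and checks the law (τ↓Y)↓Z = τ↓(Y ∩ Z); that law is an assumed instance of the kind of ↓∩ law Fig. 4 states, not quoted from it. The channel names and trace items are constructed.

```python
# Added example (not from the paper): a symbolic (co)finite set over one sort
# of atoms, plus trace projection to exercise one assumed algebraic law.
# The atom sort, the trace encoding and the law are assumptions for illustration.
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class CoFin:
    """`atoms` itself if cofinite is False; the complement of `atoms` within
    the sort if cofinite is True. The pair is a canonical form, so structural
    equality of two CoFin values is extensional equality of the sets."""
    atoms: FrozenSet[str]
    cofinite: bool = False

    def contains(self, e: str) -> bool:
        return (e in self.atoms) != self.cofinite

    def complement(self) -> "CoFin":
        return CoFin(self.atoms, not self.cofinite)

    def intersect(self, other: "CoFin") -> "CoFin":
        if not self.cofinite and not other.cofinite:
            return CoFin(self.atoms & other.atoms)
        if self.cofinite and other.cofinite:
            return CoFin(self.atoms | other.atoms, True)   # complement of the union
        fin, cof = (self, other) if not self.cofinite else (other, self)
        return CoFin(fin.atoms - cof.atoms)                # finite part minus excluded atoms

    def minus(self, other: "CoFin") -> "CoFin":
        return self.intersect(other.complement())          # X \ Y = X ∩ Y∁

    def union(self, other: "CoFin") -> "CoFin":
        # Defined operator, as the text says: De Morgan over the primitives.
        return self.complement().intersect(other.complement()).complement()


BOTTOM = CoFin(frozenset())          # ⊥Set: the empty set
TOP = CoFin(frozenset(), True)       # ⊤Set: all atoms of the sort (here: channel names)


def equal(x: CoFin, y: CoFin) -> bool:
    """Extensional equality, decided on the canonical representation."""
    return x.atoms == y.atoms and x.cofinite == y.cofinite


# A trace is a sequence of constructed communication items (channel, value, time).
Trace = Tuple[Tuple[str, float, float], ...]


def project(tau: Trace, y: CoFin) -> Trace:
    """tau↓Y keeps exactly the items whose channel lies in Y."""
    return tuple(item for item in tau if y.contains(item[0]))


def law_proj_intersect(tau: Trace, y: CoFin, z: CoFin) -> bool:
    """Assumed law (tau↓Y)↓Z = tau↓(Y ∩ Z), checked on a concrete trace."""
    return project(project(tau, y), z) == project(tau, y.intersect(z))


# Constructed sample trace with three channel names.
SAMPLE: Trace = (("ch", 1.0, 0.0), ("tar", 5.0, 0.5), ("ch", 2.0, 1.0), ("log", 0.0, 1.5))

if __name__ == "__main__":
    y = CoFin(frozenset({"ch", "tar"}))
    z = TOP.minus(CoFin(frozenset({"tar"})))               # cofinite: everything but tar
    print(project(SAMPLE, y.intersect(z)))                 # the two ch items
    print(law_proj_intersect(SAMPLE, y, z))                # True
```

The intersect rules are the only place where the representation has to think: finite ∩ finite and cofinite ∩ cofinite stay in their own class, while a mixed intersection is always finite. Because every set reduces to one of the two shapes, the extensionality axiom the text refers to needs no search over atoms here.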

Example 3.
Finally, α ∥ β executes α and β in parallel synchronized in global time µ. The program ct* ∥ ve* models a simplified cruise control [23]. The vehicle ve repeatedly receives a target velocity v tr ve from the controller ct along channel tar. The target v tr ct sent by ct is in range [0, V]. Hence, ve's velocity v ve stays in range [0, V] within the ε > 0 time units till the next communication if v ve ∈ [0, V] held initially. The evolution {t′ = 1} allows passage of time in ct. ct ≡ v tr ct := *; ?(0 ≤ v tr ct ≤ V); tar(h)!v tr ct; {t′ = 1} ve ≡ tar(h)?v tr ve; a ve := (v tr ve − v ve)/ε; t0 := µ; {v′ ve = a ve & µ − t0 ≤ ε} Definition 4 (Formulas). Formulas are defined by the grammar below for relations ∼, terms e1, e2 ∈ Trm of equal sort, and z ∈ V. Moreover, the ac-formulas are unaffected by state change in α, i.e., (FV and a relation I(p : M1, . . ., Mk) ⊆ ×k i=1 Mi to each k-ary predicate symbol p. Definition 6 (Term Semantics). The valuation Iv[[e]] ∈ R ∪ N ∪ Ω ∪ T of term e in interpretation I and state v is defined as follows:
schematic calculi for ac-reasoning, axiom [∥]AC internalizes the noninterference property [6, Def. 7] that determines valid instances of formula [α]{A,C}ψ → [α ∥ β]{A,C}ψ (1) purely syntactically. To focus on noninterference, a(|Ya, za|) ∥wf b(|Yb, zb|) abbreviates well-formed parallel composition a(|Ya, za|) ∥ b(|Yb, (zb ∩ za∁) ∪ {µ, µ′} ∪ VT|) using operator ∥wf for program constants a(|Ya, za|), b(|Yb, zb|). This notation ensures disjoint parallel state except for the global time µ, µ′ and recorder variables VT. Intuitively, axiom [∥]AC restricts β in equation (1) such that α overapproximates the behavior of α ∥ β influencing A, C, or ψ. For this purpose, noninterference internalized in b(|Yb ∩ (Y∁ ∪ Ya), z∁|) forbids b to bind variables z that are free in the postcondition p(Y, z), and Y∁ forbids b to bind channels Y (except for channels Ya written by a because joint parallel communication can already be observed from a, too). The cut with Yb allows downscaling of the channels b has to bind. Since parallel programs always agree on the global time µ, µ′ and the communication recorded by trace variables VT, the operator ∥wf allows their sharing even if z∁ disallows it. Note that Ya and Y, and za and z may overlap. Despite its asymmetric shape, axiom [∥]AC decomposes [α ∥ β](φ ∧ ψ) into [α]φ and [β]ψ (if they mutually do not interfere) via independent proofs for [α ∥ β]φ and [α ∥ β]ψ, which drop either α or β by [∥]AC modulo commutativity.