Differential Dynamic Logic and Differential Invariants for Hybrid Systems
Andre Platzer
Computer Science Department, Carnegie Mellon University, Pittsburgh, PA
http://symbolaris.com/
Andre Platzer (CMU) Differential Dynamic Logic and Differential Invariants ITP’12 1 / 42
How can we design computers that are
guaranteed to interact correctly with the
physical world?
Outline
1 Motivation
2 Differential Dynamic Logic dL
  Syntax
  Semantics
  Axiomatization
  Soundness and Completeness
3 Differential Invariants
  Air Traffic Control
  Equational Differential Invariants
  Structure of Differential Invariants
  Differential Cuts
  Differential Auxiliaries
4 Structure of Invariant Functions / Equations
5 Differential Invariants and Assumptions
6 Inverse Characteristic Method
7 Survey
8 Summary
Hybrid Systems Analysis: Car Control
Challenge (Hybrid Systems)
Fixed rule describing state evolution with both
Continuous dynamics (differential equations)
Discrete dynamics (control decisions)
[Figure: plots of a, v, and z over time t]
Hybrid Systems Analysis is Important for . . .
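Differential Dynamic Logic for Hybrid Systems
differential dynamic logic
$\mathsf{dL} = \mathrm{FOL}_{\mathbb{R}} + \mathrm{DL} + \mathrm{HP}$
$\forall MA\, \exists SB \ldots$
$\forall t{\ge}0 \ldots$
[Figure: z, v, MA]
$v^2 \le 2b(MA - z)$
$v \le 1 \land v^2 \le 2b(MA - z)$
$v \le 1 \lor v^2 \le 2b(MA - z)$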
Differential Dynamic Logic for Hybrid Systems
$$C \to [\,\underbrace{\text{if}(z > SB)\ a := -b;\ z'' = a}_{\text{hybrid program}}\,]\ v^2 \le 2b$$
Initial condition: $C$
System dynamics: the hybrid program
Postcondition: $v^2 \le 2b$
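Differential Dynamic Logic dL: Syntax
Definition (Hybrid program α)
$x := \theta \mid\ ?H \mid x' = f(x) \,\&\, H \mid \alpha \cup \beta \mid \alpha;\beta \mid \alpha^*$
Discrete Assign: $x := \theta$
Test Condition: $?H$
Differential Equation: $x' = f(x) \,\&\, H$
Nondet. Choice: $\alpha \cup \beta$
Seq. Compose: $\alpha;\beta$
Nondet. Repeat: $\alpha^*$
Definition (dL Formula φ)
$\theta_1 \ge \theta_2 \mid \neg\phi \mid \phi \land \psi \mid \forall x\,\phi \mid \exists x\,\phi \mid [\alpha]\phi \mid \langle\alpha\rangle\phi$
All Reals: $\forall x\,\phi$
Some Reals: $\exists x\,\phi$
All Runs: $[\alpha]\phi$
Some Runs: $\langle\alpha\rangle\phi$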
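Differential Dynamic Logic dL: Semantics
Definition (Hybrid program α)
$\rho(x := \theta) = \{(v, w) : w = v \text{ except } [\![x]\!]_w = [\![\theta]\!]_v\}$
$\rho(?H) = \{(v, v) : v \models H\}$
$\rho(x' = f(x)) = \{(\varphi(0), \varphi(r)) : \varphi \models x' = f(x) \text{ for some duration } r\}$
$\rho(\alpha \cup \beta) = \rho(\alpha) \cup \rho(\beta)$
$\rho(\alpha;\beta) = \rho(\beta) \circ \rho(\alpha)$
$\rho(\alpha^*) = \bigcup_{n \in \mathbb{N}} \rho(\alpha^n)$
Definition (dL Formula φ)
$v \models \theta_1 \ge \theta_2$ iff $[\![\theta_1]\!]_v \ge [\![\theta_2]\!]_v$
$v \models [\alpha]\phi$ iff $w \models \phi$ for all $w$ with $(v, w) \in \rho(\alpha)$
$v \models \langle\alpha\rangle\phi$ iff $w \models \phi$ for some $w$ with $(v, w) \in \rho(\alpha)$
$v \models \forall x\,\phi$ iff $w \models \phi$ for all $w$ that agree with $v$ except for $x$
$v \models \exists x\,\phi$ iff $w \models \phi$ for some $w$ that agrees with $v$ except for $x$
$v \models \phi \land \psi$ iff $v \models \phi$ and $v \models \psi$
$v \models \neg\phi$ iff $v \models \phi$ does not hold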
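Differential Dynamic Logic dL: Axiomatization
([:=]) $[x := \theta]\phi(x) \leftrightarrow \phi(\theta)$
([?]) $[?H]\phi \leftrightarrow (H \to \phi)$
([′]) $[x' = f(x)]\phi \leftrightarrow \forall t{\ge}0\,[x := y(t)]\phi \quad (y'(t) = f(y))$
([∪]) $[\alpha \cup \beta]\phi \leftrightarrow [\alpha]\phi \land [\beta]\phi$
([;]) $[\alpha;\beta]\phi \leftrightarrow [\alpha][\beta]\phi$
([∗]) $[\alpha^*]\phi \leftrightarrow \phi \land [\alpha][\alpha^*]\phi$
(K) $[\alpha](\phi \to \psi) \to ([\alpha]\phi \to [\alpha]\psi)$
(I) $[\alpha^*](\phi \to [\alpha]\phi) \to (\phi \to [\alpha^*]\phi)$
(C) $[\alpha^*]\forall v{>}0\,(\varphi(v) \to \langle\alpha\rangle\varphi(v-1)) \to \forall v\,(\varphi(v) \to \langle\alpha^*\rangle\exists v{\le}0\,\varphi(v))$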
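Differential Dynamic Logic dL: Axiomatization
(G) $\dfrac{\phi}{[\alpha]\phi}$
(MP) $\dfrac{\phi \to \psi \quad \phi}{\psi}$
(∀) $\dfrac{\phi}{\forall x\,\phi}$
(B) $\forall x\,[\alpha]\phi \to [\alpha]\forall x\,\phi \quad (x \notin \alpha)$
(V) $\phi \to [\alpha]\phi \quad (FV(\phi) \cap BV(\alpha) = \emptyset)$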
Soundness
Theorem (Soundness)
dL calculus is sound, i.e., all provable dL formulas are valid:
$\vdash \phi$ implies $\vDash \phi$
What about the converse?
Complete Proof Theory of Hybrid Systems
Theorem (Continuous Relative Completeness) (J.Autom.Reas. 2008)
dL calculus is a sound & complete axiomatization of hybrid systems relative to differential equations. Proof 15p
Theorem (Discrete Relative Completeness) (LICS’12)
dL calculus is a sound & complete axiomatization of hybrid systems relative to discrete dynamics. Proof +10p
[Diagram: System (Continuous, Discrete, Hybrid); Hybrid Theory, Discrete Theory, Contin. Theory]
Air Traffic Control
[Figure: x1, x2, y1, y2, d, ω, e, ς]
$x_1' = -v_1 + v_2\cos\vartheta + \omega x_2$
$x_2' = v_2\sin\vartheta - \omega x_1$
$\vartheta' = \varpi - \omega$
Verification?
looks correct NO!
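Example (“Solving” differential equations)
$$\begin{aligned}
x_1(t) = \frac{1}{\omega\varpi}\big(& x_1\omega\varpi\cos t\omega - v_2\omega\cos t\omega\sin\vartheta + v_2\omega\cos t\omega\cos t\varpi\sin\vartheta - v_1\varpi\sin t\omega \\
& + x_2\omega\varpi\sin t\omega - v_2\omega\cos\vartheta\cos t\varpi\sin t\omega - v_2\omega\sqrt{1-\sin\vartheta^2}\,\sin t\omega \\
& + v_2\omega\cos\vartheta\cos t\omega\sin t\varpi + v_2\omega\sin\vartheta\sin t\omega\sin t\varpi\big) \ldots
\end{aligned}$$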
This is just one branch to prove
Differential Invariants for Differential Equations
“Definition” (Differential Invariant)
“Formula that remains true in the direction of the dynamics”
Differential Induction: Local Dynamics w/o Solutions
Definition (Differential Invariant) (J.Log.Comput. 2010)
$F$ closed under total differentiation with respect to differential constraints
[Figure: F, ¬F, χ]
$$\frac{(\chi \to F')}{\chi \to F \to [x' = \theta \,\&\, \chi]F}$$
$$\frac{(\neg F \land \chi \to F'�)}{[x' = \theta \,\&\, \neg F]\chi \to \langle x' = \theta \,\&\, \chi\rangle F}$$
$d_1 \ge d_2 \to [x := a2 + 1;\ d_1' = -\omega d_2,\ d_2' = \omega d_1]\ d_1 \ge d_2$
$$\frac{F \to [\alpha]F}{F \to [\alpha^*]F}$$
quantified nondeterminism/disturbance
Total differential $F'$ of formulas?
Equational Differential Invariants
Theorem (Lie)
$$\frac{H \to p' = 0}{\forall c\,\big(p = c \to [x' = f(x) \,\&\, H]\,p = c\big)}$$
equivalence if $H$ open
[Figure: invariant equation; invariant function]
$$\frac{H \to p' = 0}{(H \to p = 0) \to [x' = \theta \,\&\, H]\,p = 0}$$
Corollary (Decidable invariant polynomials)
Decidable whether polynomial $p$ invariant function of $x' = f(x)$ on open $H$
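The check behind the Lie theorem and its corollary, as an added example that is not part of the original slides: for polynomial p and polynomial dynamics, the premise p′ = 0 is tested by computing the Lie derivative symbolically and checking that it is the zero polynomial. It assumes H = true (the whole space, which is open), uses the rotational dynamics d1′ = −ω d2, d2′ = ω d1 from the slides with ω modelled as a variable `w` with w′ = 0, and all function and constant names are illustrative.

```python
from fractions import Fraction

# Polynomials over VARS are dicts {exponent tuple: nonzero coefficient}.
# Assumption of this example: "w" stands for the constant ω, so w' = 0.
VARS = ("d1", "d2", "w")
N = len(VARS)


def const(c):
    c = Fraction(c)
    return {(0,) * N: c} if c else {}


def var(name):
    e = [0] * N
    e[VARS.index(name)] = 1
    return {tuple(e): Fraction(1)}


def add(p, q):
    r = dict(p)
    for e, c in q.items():
        s = r.get(e, 0) + c
        if s:
            r[e] = s
        else:
            r.pop(e, None)      # keep the representation canonical: no zero terms
    return r


def mul(p, q):
    r = {}
    for e1, c1 in p.items():
        for e2, c2 in q.items():
            r = add(r, {tuple(a + b for a, b in zip(e1, e2)): c1 * c2})
    return r


def partial(p, i):
    """Partial derivative of p with respect to variable number i."""
    r = {}
    for e, c in p.items():
        if e[i]:
            d = list(e)
            d[i] -= 1
            r = add(r, {tuple(d): c * e[i]})
    return r


def lie_derivative(p, f):
    """p' along x' = f(x): the sum over i of (dp/dx_i) * f_i."""
    total = {}
    for i in range(N):
        total = add(total, mul(partial(p, i), f[i]))
    return total


def is_invariant_function(p, f):
    """Premise of the Lie rule with H = true: p' is the zero polynomial."""
    return lie_derivative(p, f) == {}


def show(p):
    """Readable rendering of a polynomial, for printing only."""
    if not p:
        return "0"
    terms = []
    for e, c in sorted(p.items(), reverse=True):
        mono = "*".join(f"{v}^{k}" if k > 1 else v for v, k in zip(VARS, e) if k)
        terms.append(f"{c}*{mono}" if mono else str(c))
    return " + ".join(terms)


d1, d2, w = var("d1"), var("d2"), var("w")
NEG = const(-1)

# Right-hand sides of d1' = -w*d2, d2' = w*d1, w' = 0.
F = [mul(NEG, mul(w, d2)), mul(w, d1), {}]

P_CIRCLE = add(mul(d1, d1), mul(d2, d2))   # d1^2 + d2^2
P_LINE = add(d1, mul(NEG, d2))             # d1 - d2

if __name__ == "__main__":
    for name, p in (("d1^2 + d2^2", P_CIRCLE), ("d1 - d2", P_LINE)):
        print(f"p = {name}: p' = {show(lie_derivative(p, F))}, "
              f"invariant function: {is_invariant_function(p, F)}")
```

Exact rational coefficients keep the zero test a syntactic comparison; no solution of the differential equation is computed at any point.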
H→p′ = 0
∀c(
p = c → [x ′ = f (x) & H]p = c
)
Corollary (Decidable invariant polynomials)
Decidable whether polynomial p invariant function of x ′ = f (x) on open H
Andre Platzer (CMU) Differential Dynamic Logic and Differential Invariants ITP’12 15 / 42
![Page 49: Differential Dynamic Logic and Differential Invariants for ...aplatzer/pub/diffop-slides.pdf · Complete Proof Theory of Hybrid Systems Theorem (Continuous Relative Completeness)](https://reader033.vdocuments.mx/reader033/viewer/2022060218/5f06b1f77e708231d419461b/html5/thumbnails/49.jpg)
Equational Differential Invariants
Theorem (Lie)
H→p′ = 0
∀c(
p = c → [x ′ = f (x) & H]p = c
)
equivalence if H open
F¬F
invariantequation
321
0
invariantfunction
H → p′ = 0
(H → p = 0)→[x ′ = θ& H]p = 0
H→p′ = 0
∀c(
p = c → [x ′ = f (x) & H]p = c
)
Corollary (Decidable invariant polynomials)
Decidable whether polynomial p invariant function of x ′ = f (x) on open H
Andre Platzer (CMU) Differential Dynamic Logic and Differential Invariants ITP’12 15 / 42
![Page 50: Differential Dynamic Logic and Differential Invariants for ...aplatzer/pub/diffop-slides.pdf · Complete Proof Theory of Hybrid Systems Theorem (Continuous Relative Completeness)](https://reader033.vdocuments.mx/reader033/viewer/2022060218/5f06b1f77e708231d419461b/html5/thumbnails/50.jpg)
Equational Differential Invariants
Theorem (Lie)
H→p′ = 0
∀c(
p = c → [x ′ = f (x) & H]p = c
)
equivalence if H open
F¬F
invariantequation
321
0
invariantfunction
H → p′ = 0
(H → p = 0)→[x ′ = θ& H]p = 0
H→p′ = 0
∀c(
p = c → [x ′ = f (x) & H]p = c
)Corollary (Decidable invariant polynomials)
Decidable whether polynomial p invariant function of x ′ = f (x) on open H
Andre Platzer (CMU) Differential Dynamic Logic and Differential Invariants ITP’12 15 / 42
![Page 51: Differential Dynamic Logic and Differential Invariants for ...aplatzer/pub/diffop-slides.pdf · Complete Proof Theory of Hybrid Systems Theorem (Continuous Relative Completeness)](https://reader033.vdocuments.mx/reader033/viewer/2022060218/5f06b1f77e708231d419461b/html5/thumbnails/51.jpg)
Equational Differential Invariants
Theorem (Lie)
H→p′ = 0
∀c(
p = c → [x ′ = f (x) & H]p = c
)
equivalence if H open
F¬F
invariantequation
321
0
invariantfunction
H → p′ = 0
(H → p = 0)→[x ′ = θ& H]p = 0
H→p′ = 0
∀c(
p = c → [x ′ = f (x) & H]p = c
)Corollary (Decidable invariant polynomials)
Decidable whether polynomial p invariant function of x ′ = f (x) on open H
Andre Platzer (CMU) Differential Dynamic Logic and Differential Invariants ITP’12 15 / 42
![Page 52: Differential Dynamic Logic and Differential Invariants for ...aplatzer/pub/diffop-slides.pdf · Complete Proof Theory of Hybrid Systems Theorem (Continuous Relative Completeness)](https://reader033.vdocuments.mx/reader033/viewer/2022060218/5f06b1f77e708231d419461b/html5/thumbnails/52.jpg)
Equational Differential Invariants
Theorem (Lie)
H→p′ = 0
∀c(p = c → [x ′ = f (x) & H]p = c
) equivalence if H open
F¬F
invariantequation
321
0
invariantfunction
H → p′ = 0
(H → p = 0)→[x ′ = θ& H]p = 0
H→p′ = 0
∀c(p = c → [x ′ = f (x) & H]p = c
)
Corollary (Decidable invariant polynomials)
Decidable whether polynomial p invariant function of x ′ = f (x) on open H
Andre Platzer (CMU) Differential Dynamic Logic and Differential Invariants ITP’12 15 / 42
![Page 53: Differential Dynamic Logic and Differential Invariants for ...aplatzer/pub/diffop-slides.pdf · Complete Proof Theory of Hybrid Systems Theorem (Continuous Relative Completeness)](https://reader033.vdocuments.mx/reader033/viewer/2022060218/5f06b1f77e708231d419461b/html5/thumbnails/53.jpg)
Equational Differential Invariants
Theorem (Lie)
H→p′ = 0
∀c(p = c → [x ′ = f (x) & H]p = c
) equivalence if H open
F¬F
invariantequation
321
0
invariantfunction
H → p′ = 0
(H → p = 0)→[x ′ = θ& H]p = 0
H→p′ = 0
∀c(p = c → [x ′ = f (x) & H]p = c
)
Corollary (Decidable invariant polynomials)
Decidable whether polynomial p invariant function of x ′ = f (x) on open H
Andre Platzer (CMU) Differential Dynamic Logic and Differential Invariants ITP’12 15 / 42
![Page 54: Differential Dynamic Logic and Differential Invariants for ...aplatzer/pub/diffop-slides.pdf · Complete Proof Theory of Hybrid Systems Theorem (Continuous Relative Completeness)](https://reader033.vdocuments.mx/reader033/viewer/2022060218/5f06b1f77e708231d419461b/html5/thumbnails/54.jpg)
Equational Differential Invariants
Theorem (Lie)
H→p′ = 0
∀c(p = c → [x ′ = f (x) & H]p = c
) equivalence if H open
F¬F
invariantequation
321
0
invariantfunction
H → p′ = 0
(H → p = 0)→[x ′ = θ& H]p = 0
H→p′ = 0
∀c(p = c → [x ′ = f (x) & H]p = c
)Corollary (Decidable invariant polynomials)
Decidable whether polynomial p invariant function of x ′ = f (x) on open H
Andre Platzer (CMU) Differential Dynamic Logic and Differential Invariants ITP’12 15 / 42
![Page 55: Differential Dynamic Logic and Differential Invariants for ...aplatzer/pub/diffop-slides.pdf · Complete Proof Theory of Hybrid Systems Theorem (Continuous Relative Completeness)](https://reader033.vdocuments.mx/reader033/viewer/2022060218/5f06b1f77e708231d419461b/html5/thumbnails/55.jpg)
Lie Generates Invariants
Corollary (Decidable invariant polynomials)
Decidable whether polynomial p invariant function of x′ = f(x) on open H
Corollary (Invariant polynomials with R ∩ Q coefficients r.e.)
Invariant polynomial function p ∈ (R ∩ Q)[x] of x′ = f(x) on open H r.e.
Proof (Direct Method).
1 for p ≝ a₂x² + a₁x + a₀
2 with a₂ = 4, a₁ = −1, a₀ = 5, then a₂ = 4, a₁ = −1, a₀ = 6, then a₂ = 4, a₁ = −1, a₀ = 7, then a₂ = 4, a₁ = −2, a₀ = 5, then a₂ = −4, a₁ = 2, a₀ = 8
3 prove ∀x (H → p′ = 0)
  Problem: enumerating all polynomials takes a while . . .
  Instead: ∃a ∀x (H → p′ = 0)
4 Still enumerate polynomial degrees . . .

Ex: Deconstructed Aircraft (I) Directly
not valid
−2xy + 2ey = 0
(−y)·2x + e·2y = 0 ∧ −y = −y
−y ∂(x² + y²)/∂x + e ∂(x² + y²)/∂y = 0 ∧ −y ∂e/∂e = −y ∂x/∂x
x² + y² = 1 ∧ e = x → [x′ = −y, y′ = e, e′ = −y](x² + y² = 1 ∧ e = x)
Not Provable?
Wait! It’s true. Why not proved?
not single equation
[Figure with labels c, x, y, d, e]

The Structure of Differential Invariants
Theorem (Closure properties of differential invariants) (LMCS 2012)
Closed under conjunction, differentiation, and propositional equivalences.
Theorem (Differential Invariance Chart) (LMCS 2012)
[Chart relating the classes DI₌, DI₌,∧,∨, DI>, DI>,∧,∨, DI≥, DI≥,∧,∨, DI, DI≥,=,∧,∨, DI>,=,∧,∨]

Ex: Deconstructed Aircraft (II) Atomic
not valid
2(x² + y² − 1)(−2yx + 2ey) = 0
2(x² + y² − 1)(−y·2x + e·2y) + 2(e − x)(−y − (−y)) = 0
(−y ∂/∂x + e ∂/∂y − y ∂/∂e)((x² + y² − 1)² + (e − x)²) = 0
. . . → [x′ = −y, y′ = e, e′ = −y](x² + y² − 1)² + (e − x)² = 0
Reduce to single equation, try again
Not Provable?
Wait! It’s true. Why not proved?
Could Prove?
If only we could assume invariant F during its proof . . .

Assuming Differential Invariance
[Figure: regions F and ¬F, shown twice]
(H → F′)
------------------------
(H → F) → [x′ = θ & H]F
(F ∧ H → F′)
------------------------
(H → F) → [x′ = θ & H]F
Example (Restrictions are unsound!)
x² − 6x + 9 = 0 → y·2x − 6y = 0
x² − 6x + 9 = 0 → y ∂(x² − 6x + 9)/∂x − x ∂(x² − 6x + 9)/∂y = 0
x² − 6x + 9 = 0 → [x′ = y, y′ = −x] x² − 6x + 9 = 0
[Figure: axes x and y, origin 0]
(x² ≤ 0 → 2x · 1 ≤ 0)
x² ≤ 0 → [x′ = 1] x² ≤ 0
[Figure: plot of x against t, labelled x0 + t and x′ = 1]

Ex: Deconstructed Aircraft (III) Differential Cut
∗
e = x → − 2yx + 2xy = 0
e = x →(−y)2x + e2y = 0
e = x → − y ∂(x2+y2)∂x + e ∂(x2+y2)
∂y = 0
. . . →[x ′ = −y , y ′ = e, e ′ = −y & e = x ](x2 + y 2 = 1 ∧ e = x)
∗
−y = −y
−y ∂e∂e = −y ∂x
∂x
e = x →[x ′ = −y , y ′ = e, e ′ = −y ]e = x .
x2 + y 2 = 1 ∧ e = x →[x ′ = −y , y ′ = e, e ′ = −y ](x2 + y 2 = 1 ∧ e = x)
Andre Platzer (CMU) Differential Dynamic Logic and Differential Invariants ITP’12 21 / 42
![Page 85: Differential Dynamic Logic and Differential Invariants for ...aplatzer/pub/diffop-slides.pdf · Complete Proof Theory of Hybrid Systems Theorem (Continuous Relative Completeness)](https://reader033.vdocuments.mx/reader033/viewer/2022060218/5f06b1f77e708231d419461b/html5/thumbnails/85.jpg)
Ex: Deconstructed Aircraft (III) Differential Cut
∗
e = x → − 2yx + 2xy = 0
e = x →(−y)2x + e2y = 0
e = x → − y ∂(x2+y2)∂x + e ∂(x2+y2)
∂y = 0
. . . →[x ′ = −y , y ′ = e, e ′ = −y & e = x ](x2 + y 2 = 1 ∧ e = x)
∗
−y = −y
−y ∂e∂e = −y ∂x
∂x
e = x →[x ′ = −y , y ′ = e, e ′ = −y ]e = x .
x2 + y 2 = 1 ∧ e = x →[x ′ = −y , y ′ = e, e ′ = −y ](x2 + y 2 = 1 ∧ e = x)
Andre Platzer (CMU) Differential Dynamic Logic and Differential Invariants ITP’12 21 / 42
![Page 86: Differential Dynamic Logic and Differential Invariants for ...aplatzer/pub/diffop-slides.pdf · Complete Proof Theory of Hybrid Systems Theorem (Continuous Relative Completeness)](https://reader033.vdocuments.mx/reader033/viewer/2022060218/5f06b1f77e708231d419461b/html5/thumbnails/86.jpg)
Ex: Deconstructed Aircraft (III) Differential Cut
∗
e = x → − 2yx + 2xy = 0
e = x →(−y)2x + e2y = 0
e = x → − y ∂(x2+y2)∂x + e ∂(x2+y2)
∂y = 0
. . . →[x ′ = −y , y ′ = e, e ′ = −y & e = x ](x2 + y 2 = 1 ∧ e = x)
∗
−y = −y
−y ∂e∂e = −y ∂x
∂x
e = x →[x ′ = −y , y ′ = e, e ′ = −y ]e = x .
x2 + y 2 = 1 ∧ e = x →[x ′ = −y , y ′ = e, e ′ = −y ](x2 + y 2 = 1 ∧ e = x)
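Ex: Deconstructed Aircraft (III) Differential Cut

$$
\begin{array}{c}
\begin{array}{c}
\ast \\ \hline
e = x \to -2yx + 2xy = 0 \\ \hline
e = x \to (-y)2x + e2y = 0 \\ \hline
e = x \to -y\,\frac{\partial(x^2+y^2)}{\partial x} + e\,\frac{\partial(x^2+y^2)}{\partial y} = 0 \\ \hline
\ldots \to [x' = -y,\ y' = e,\ e' = -y \ \&\ e = x](x^2 + y^2 = 1 \land e = x)
\end{array}
\qquad
\begin{array}{c}
\ast \\ \hline
-y = -y \\ \hline
-y\,\frac{\partial e}{\partial e} = -y\,\frac{\partial x}{\partial x} \\ \hline
e = x \to [x' = -y,\ y' = e,\ e' = -y]\, e = x
\end{array}
\\ \hline
x^2 + y^2 = 1 \land e = x \to [x' = -y,\ y' = e,\ e' = -y](x^2 + y^2 = 1 \land e = x)
\end{array}
$$

Successful Proof
Lie & differential cuts separate aircraft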
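Ex: Deconstructed Aircraft (IV) Smart

$$
\begin{array}{c}
\ast \\ \hline
-y2e + e2y = 0 \ \land\ -y = -y \\ \hline
-y\,\frac{\partial(e^2+y^2)}{\partial e} + e\,\frac{\partial(e^2+y^2)}{\partial y} = 0 \ \land\ -y\,\frac{\partial e}{\partial e} = -y\,\frac{\partial x}{\partial x} \\ \hline
e^2 + y^2 = 1 \land e = x \to [x' = -y,\ y' = e,\ e' = -y](e^2 + y^2 = 1 \land e = x)
\end{array}
$$

Direct Proof
Smart invariant also separates aircraft?!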
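Differential Cuts

$$
\frac{\varphi \to [x' = \theta \ \&\ H]\,C \qquad \varphi \to [x' = \theta \ \&\ (H \land C)]\,\varphi}{\varphi \to [x' = \theta \ \&\ H]\,\varphi}
$$

Theorem (Gentzen’s Cut Elimination)

$$
\frac{A \to B \lor C \qquad A \land C \to B}{A \to B} \quad \text{cut can be eliminated}
$$

Theorem (No Differential Cut Elimination) (LMCS 2012)
Deductive power with differential cut exceeds deductive power without.
$DCI > DI$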
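Ex: Differential Cuts

$$
\begin{array}{c}
\begin{array}{c}
\ast \\ \hline
y^5 \ge 0 \to 2x^2((x-3)^4 + y^5) \ge 0 \\ \hline
y^5 \ge 0 \to 2x^2 x' \ge 0 \\ \hline
x^3 \ge -1 \to [x' = (x-3)^4 + y^5,\ y' = y^2 \ \&\ y^5 \ge 0]\, x^3 \ge -1
\end{array}
\qquad
\begin{array}{c}
\ast \\ \hline
5y^4 y^2 \ge 0 \\ \hline
5y^4 y' \ge 0 \\ \hline
y^5 \ge 0 \to [x' = (x-3)^4 + y^5,\ y' = y^2]\, y^5 \ge 0
\end{array}
\\ \hline
x^3 \ge -1 \land y^5 \ge 0 \to [x' = (x-3)^4 + y^5,\ y' = y^2]\, x^3 \ge -1
\end{array}
$$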
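Ex: Exponentials
Counterexample (Cannot prove)

$$
\begin{array}{c}
\text{not valid} \\ \hline
-x > 0 \\ \hline
x' > 0 \\ \hline
x > 0 \to [x' = -x]\, x > 0
\end{array}
$$

[Figure: plot of $x$ over $t$, starting at $x_0$ and following $x_0 e^{-t}$, labelled $x' = -x$]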
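Differential Auxiliaries
Example (Successful proof)

$$
\begin{array}{c}
\begin{array}{c}
\ast \\ \hline
x > 0 \leftrightarrow \exists y\; xy^2 = 1
\end{array}
\qquad
\begin{array}{c}
\ast \\ \hline
-xy^2 + 2xy\,\frac{y}{2} = 0 \\ \hline
x' y^2 + x2yy' = 0 \\ \hline
xy^2 = 1 \to [x' = -x,\ y' = \frac{y}{2}]\, xy^2 = 1
\end{array}
\\ \hline
x > 0 \to [x' = -x]\, x > 0
\end{array}
$$

[Figure: plot of $x$ over $t$, starting at $x_0$ and following $x_0 e^{-t}$, labelled $x' = -x$, together with a curve labelled $y' = \frac{y}{2}$]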
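Differential Auxiliaries

$$
\frac{\varphi \leftrightarrow \exists y\, \psi \qquad \psi \to [x' = \theta,\ y' = \vartheta \ \&\ H]\,\psi}{\varphi \to [x' = \theta \ \&\ H]\,\varphi}
\quad \text{if } y' = \vartheta \text{ has solution } y : [0,\infty) \to \mathbb{R}^n
$$

Theorem (Auxiliary Differential Variables) (LMCS 2012)
Deductive power with differential auxiliaries exceeds deductive power without.
$DCI + DA > DCI$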
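The Lie-derivative premises of the aircraft proofs (differential cut, then the "smart" invariant) and of the differential-auxiliary proof above can be checked mechanically. The following Python is an added example, not part of the slides; the polynomial representation and all function names (`lie`, `substitute`, `aircraft_checks`, `auxiliary_checks`) are assumptions of this example.

```python
from collections import defaultdict
from fractions import Fraction

# Added illustration; names are this example's own, not from the slides.
# Polynomial = dict {monomial: coefficient}; monomial = sorted tuple of
# (variable, exponent) pairs, so x^2*y is (("x", 2), ("y", 1)) and 1 is ().

def _clean(p):
    """Drop zero coefficients so the zero polynomial is always {}."""
    return {m: c for m, c in p.items() if c != 0}

def var(name):
    return {((name, 1),): Fraction(1)}

def const(c):
    return _clean({(): Fraction(c)})

def add(p, q):
    r = defaultdict(Fraction)
    for m, c in list(p.items()) + list(q.items()):
        r[m] += c
    return _clean(r)

def neg(p):
    return {m: -c for m, c in p.items()}

def mul(p, q):
    r = defaultdict(Fraction)
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            powers = defaultdict(int)
            for v, e in m1 + m2:          # merge exponents of both monomials
                powers[v] += e
            r[tuple(sorted(powers.items()))] += c1 * c2
    return _clean(r)

def diff(p, name):
    """Partial derivative of p with respect to the variable `name`."""
    r = defaultdict(Fraction)
    for mono, c in p.items():
        powers = dict(mono)
        e = powers.pop(name, 0)
        if e == 0:
            continue                      # term does not depend on `name`
        if e > 1:
            powers[name] = e - 1
        r[tuple(sorted(powers.items()))] += c * e
    return _clean(r)

def lie(p, ode):
    """Lie derivative (theta . nabla) p along x' = theta; ode maps var -> poly."""
    total = {}
    for name, rhs in ode.items():
        total = add(total, mul(rhs, diff(p, name)))
    return total

def substitute(p, name, q):
    """Replace the variable `name` by the polynomial q everywhere in p."""
    total = {}
    for mono, c in p.items():
        term = const(c)
        for v, e in mono:
            for _ in range(e):
                term = mul(term, q if v == name else var(v))
        total = add(total, term)
    return total

X, Y, E = var("x"), var("y"), var("e")

def aircraft_checks():
    """Which candidate invariants of x'=-y, y'=e, e'=-y have Lie derivative 0?"""
    ode = {"x": neg(Y), "y": E, "e": neg(Y)}
    circle = add(add(mul(X, X), mul(Y, Y)), const(-1))   # x^2 + y^2 - 1
    link = add(E, neg(X))                                # e - x
    smart = add(add(mul(E, E), mul(Y, Y)), const(-1))    # e^2 + y^2 - 1
    d_circle = lie(circle, ode)                          # -2xy + 2ey
    return {
        "circle_alone": d_circle == {},                  # fails without the cut
        "link": lie(link, ode) == {},                    # the cut e = x itself
        "circle_after_cut": substitute(d_circle, "e", X) == {},  # domain e = x
        "smart": lie(smart, ode) == {},                  # direct proof
    }

def auxiliary_checks():
    """x > 0 along x' = -x: direct premise vs. the auxiliary y' = y/2."""
    half_y = mul(const(Fraction(1, 2)), Y)
    ghost = add(mul(X, mul(Y, Y)), const(-1))            # x*y^2 - 1
    return {
        "x_alone": lie(X, {"x": neg(X)}),                # -x, so x' > 0 fails
        "ghost": lie(ghost, {"x": neg(X), "y": half_y}) == {},
    }

if __name__ == "__main__":
    print(aircraft_checks())
    print(auxiliary_checks())
```
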
Equational Differential Invariants
Theorem (Lie)

$$
\frac{H \to p' = 0}{\forall c\,\big(p = c \to [x' = f(x) \ \&\ H]\, p = c\big)} \quad \text{equivalence if } H \text{ open}
$$

[Figure: regions $F$ and $\lnot F$; labels "invariant equation" and "invariant function"; level values 0, 1, 2, 3]

$$
\frac{H \to p' = 0}{(H \to p = 0) \to [x' = \theta \ \&\ H]\, p = 0}
$$

Corollary (Decidable invariant polynomials)
Decidable whether polynomial $p$ is an invariant function of $x' = f(x)$ on open $H$
Structure of Invariant Functions
Lemma (Structure of invariant functions)
Invariant functions of $x' = \theta \ \&\ H$ form an $\mathbb{R}$-algebra.
Corollary
Only need generating system of algebra.
$p$ invariant, $F$ function $\Rightarrow$ $F(p)$ invariant
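Structure of Invariant Equations

$$
I_{=}(\Gamma) := \{\, p \in \mathbb{R}[\vec{x}] \;:\; \models \Gamma \to [x' = \theta \ \&\ H]\, p = 0 \,\}
$$

$$
DCI_{=}(\Gamma) := \{\, p \in \mathbb{R}[\vec{x}] \;:\; \vdash_{DI_{=}+DC} \Gamma \to [x' = \theta \ \&\ H]\, p = 0 \,\}
$$

Lemma (Structure of invariant equations)
$DCI_{=}(\Gamma) \subseteq I_{=}(\Gamma)$ chain of differential ideals ($(\theta \cdot \nabla)p \in DCI_{=}(\Gamma)$ for all $p \in DCI_{=}(\Gamma)$). The varieties are generated by a single polynomial.

Proof.
4 $p \in DCI_{=}(\Gamma)$ and $r \in \mathbb{R}[\vec{x}]$ implies $rp \in DCI_{=}(\Gamma)$, because

$$
(\theta \cdot \nabla)(rp) = p\,(\theta \cdot \nabla)r + r\,\underbrace{(\theta \cdot \nabla)p}_{0} = \underbrace{p}_{0}\,(\theta \cdot \nabla)r = 0
$$

and $\Gamma \to p = 0$ implies $\Gamma \to rp = 0$
5 $p = 0 \land q = 0$ iff $p^2 + q^2 = 0$, differential, Hilbert basis theorem . . .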
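Full Rank Assumptions
Theorem (. . . — sufficient)

$$
(\overrightarrow{DI}_p)\quad
\frac{H \to \bigwedge_{i=1}^{n} (\theta \cdot \nabla)p_i = \sum_j Q_{i,j}\, p_j}{\bigwedge_{i=1}^{n} p_i = 0 \to [x' = f(x) \ \&\ H] \bigwedge_{i=1}^{n} p_i = 0}
$$

Theorem (Lie — necessary)

$$
(\overleftarrow{DI}_p)\quad
\frac{\bigwedge_{i=1}^{n} p_i = 0 \to [x' = f(x) \ \&\ H] \bigwedge_{i=1}^{n} p_i = 0}{H \land \bigwedge_{i=1}^{n} p_i = 0 \to \bigwedge_{i=1}^{n} (\theta \cdot \nabla)p_i = 0}
$$

Premises, conclusions equivalent if $\operatorname{rank} \frac{\partial p_i}{\partial x_j} = n$ on $H \land \bigwedge_{i=1}^{n} p_i = 0$.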
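Ex: Deconstructed Aircraft (III) Differential Cut
$$
\dfrac{
  \dfrac{\dfrac{\dfrac{\dfrac{\ast}{e = x \to -2yx + 2xy = 0}}{e = x \to (-y)\,2x + e\,2y = 0}}{e = x \to -y\,\frac{\partial(x^2+y^2)}{\partial x} + e\,\frac{\partial(x^2+y^2)}{\partial y} = 0}}{\ldots \to [x' = -y,\ y' = e,\ e' = -y\ \&\ e = x]\,(x^2 + y^2 = 1 \wedge e = x)}
  \qquad
  \dfrac{\dfrac{\dfrac{\ast}{-y = -y}}{-y\,\frac{\partial e}{\partial e} = -y\,\frac{\partial x}{\partial x}}}{e = x \to [x' = -y,\ y' = e,\ e' = -y]\,e = x}
}{x^2 + y^2 = 1 \wedge e = x \to [x' = -y,\ y' = e,\ e' = -y]\,(x^2 + y^2 = 1 \wedge e = x)}
$$
Successful Proof
Lie & differential cuts separate aircraft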
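Ex: Deconstructed Aircraft (III) Differential Cut
$$\begin{pmatrix} \frac{\partial(x^2+y^2-1)}{\partial x} & \frac{\partial(x^2+y^2-1)}{\partial y} & \frac{\partial(x^2+y^2-1)}{\partial e} \\ \frac{\partial(e-x)}{\partial x} & \frac{\partial(e-x)}{\partial y} & \frac{\partial(e-x)}{\partial e} \end{pmatrix} = \begin{pmatrix} 2x & 2y & 0 \\ -1 & 0 & 1 \end{pmatrix}$$
Full rank 2 at invariant $x^2 + y^2 = 1$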
Equational Differential Invariants
Theorem (Lie)
$$\frac{H \to p' = 0}{\forall c\,(p = c \to [x' = f(x)\ \&\ H]\,p = c)}$$
equivalence if H open
[Figure: labels F, ¬F, invariant equation, invariant function, level values 3, 2, 1, 0]
$$\frac{H \to p' = 0}{(H \to p = 0) \to [x' = \theta\ \&\ H]\,p = 0}$$
Corollary (Decidable invariant polynomials)
Decidable whether polynomial p invariant function of $x' = f(x)$ on open H
Inverse Characteristic Method
Theorem (Inverse characteristic method)
(Sufficiently smooth) f is invariant function of $x' = f(x)$ on H iff f solves
$$(\theta\cdot\nabla)f = 0 \text{ on } H$$
Proof.
⇐ Lie
If ODE too complicated, consider PDE instead???
Yes, but inverse characteristic PDE is simple (first-order, linear, homogeneous)
Makes rich PDE theory available for differential invariants
Oracle PDE solver sufficient
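Ex: Deconstructed Aircraft (IV)
Example (Generate Differential Invariants)
$$x^2 + y^2 = 1 \wedge e = x \to [x' = -y,\ y' = e,\ e' = -y]\,(\underbrace{x^2 + y^2 = 1}_{(3)} \wedge \underbrace{e = x}_{(4)})$$
(1) $-e + x \overset{(4)}{\rightsquigarrow} 0$
(2) $-y^2 - 2ex + x^2 \overset{(3)}{\rightsquigarrow} -2ex + 2x^2 - 1 \overset{(4)}{\rightsquigarrow} -2e^2 + 2e^2 - 1 = -1$
$\rightsquigarrow$ Differential invariants: $-e + x = 0$, $-y^2 - 2ex + x^2 = -1$
Example (Inverse Characteristic PDE)
$$\rightsquigarrow\ -y\,\frac{\partial f}{\partial x} + e\,\frac{\partial f}{\partial y} - y\,\frac{\partial f}{\partial e} = 0$$
$$\rightsquigarrow\ f(x, y, e) = g\Big(\underbrace{x - e}_{(1)},\ \tfrac{1}{2}(\underbrace{x^2 - 2ex - y^2}_{(2)})\Big)$$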
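Ex: Aircraft
Example (Generate Differential Invariants)
$$F \wedge \omega \neq 0 \to [x_1' = d_1,\ x_2' = d_2,\ d_1' = -\omega d_2,\ d_2' = \omega d_1]\,F$$
$$F \equiv d_1^2 + d_2^2 = \omega^2 p^2\ (4)\ \wedge\ d_1 = -\omega x_2\ (5)\ \wedge\ d_2 = \omega x_1\ (6)$$
$d_2 - \omega x_1 \overset{(5)}{\rightsquigarrow} 0$
$d_1 + \omega x_2 \overset{(6)}{\rightsquigarrow} 0$
$d_1^2 + 2\omega x_1 d_2 - \omega^2 x_1^2 \overset{(6)}{\rightsquigarrow} d_1^2 + 2d_2^2 - \omega^2 x_1^2 \overset{(5)}{\rightsquigarrow} d_1^2 + 2d_2^2 - d_2^2 \overset{(4)}{\rightsquigarrow} \omega^2 p^2$
Example (Inverse Characteristic PDE)
$$\rightsquigarrow\ d_1\frac{\partial f}{\partial x_1} + d_2\frac{\partial f}{\partial x_2} - \omega d_2\frac{\partial f}{\partial d_1} + \omega d_1\frac{\partial f}{\partial d_2} = 0$$
$$\rightsquigarrow\ f(x_1, x_2, d_1, d_2) = g\Big(\underbrace{d_2 - \omega x_1}_{(1)},\ \underbrace{\frac{d_1 + \omega x_2}{\omega}}_{(2)},\ \tfrac{1}{2}(\underbrace{d_1^2 + 2\omega d_2 x_1 - \omega^2 x_1^2}_{(3)})\Big)$$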
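The inverse characteristic theorem and the two aircraft examples above reduce "is f an invariant function?" to checking that the Lie derivative $(\theta\cdot\nabla)f$ is the zero polynomial. The following added example (not from the slides) performs that check with exact polynomial arithmetic. The dict-based polynomial representation and all function names are assumptions of this example, and ω is modelled as an extra variable `w` with `w' = 0`.

```python
# Added example: exact Lie-derivative check, standard library only.
# A polynomial is a dict {exponent tuple: integer coefficient}.

def poly(terms, nvars):
    """Build a polynomial from (coefficient, {variable index: power}) pairs."""
    p = {}
    for coeff, powers in terms:
        exps = tuple(powers.get(i, 0) for i in range(nvars))
        p[exps] = p.get(exps, 0) + coeff
    return {e: c for e, c in p.items() if c != 0}

def add(p, q):
    r = dict(p)
    for e, c in q.items():
        r[e] = r.get(e, 0) + c
    return {e: c for e, c in r.items() if c != 0}

def mul(p, q):
    r = {}
    for e1, c1 in p.items():
        for e2, c2 in q.items():
            e = tuple(a + b for a, b in zip(e1, e2))
            r[e] = r.get(e, 0) + c1 * c2
    return {e: c for e, c in r.items() if c != 0}

def diff(p, i):
    """Partial derivative of p with respect to variable i."""
    return {e[:i] + (e[i] - 1,) + e[i + 1:]: c * e[i]
            for e, c in p.items() if e[i] > 0}

def lie(p, field):
    """(theta . nabla) p = sum_i theta_i * dp/dx_i for the ODE x' = theta."""
    out = {}
    for i, theta_i in enumerate(field):
        out = add(out, mul(theta_i, diff(p, i)))
    return out

def substitute(p, i, q):
    """Replace variable i in p by the polynomial q (used for the cut e = x)."""
    out = {}
    for e, c in p.items():
        term = {e[:i] + (0,) + e[i + 1:]: c}
        for _ in range(e[i]):
            term = mul(term, q)
        out = add(out, term)
    return out

def is_invariant_function(p, field):
    """True iff p solves the inverse characteristic PDE (theta . nabla) p = 0."""
    return lie(p, field) == {}

# Deconstructed aircraft: x' = -y, y' = e, e' = -y with variables (x, y, e).
X, Y, E = range(3)
DEC_FIELD = [poly([(-1, {Y: 1})], 3), poly([(1, {E: 1})], 3), poly([(-1, {Y: 1})], 3)]
P1 = poly([(1, {X: 1}), (-1, {E: 1})], 3)                      # x - e
P2 = poly([(1, {X: 2}), (-2, {E: 1, X: 1}), (-1, {Y: 2})], 3)  # x^2 - 2ex - y^2
CIRCLE = poly([(1, {X: 2}), (1, {Y: 2}), (-1, {})], 3)         # x^2 + y^2 - 1

# Aircraft: x1' = d1, x2' = d2, d1' = -w*d2, d2' = w*d1, and w' = 0 (assumption:
# the parameter omega is modelled as a fifth variable w with zero derivative).
X1, X2, D1, D2, W = range(5)
AIR_FIELD = [poly([(1, {D1: 1})], 5), poly([(1, {D2: 1})], 5),
             poly([(-1, {W: 1, D2: 1})], 5), poly([(1, {W: 1, D1: 1})], 5), {}]
Q1 = poly([(1, {D2: 1}), (-1, {W: 1, X1: 1})], 5)              # d2 - w*x1
Q2 = poly([(1, {D1: 1}), (1, {W: 1, X2: 1})], 5)               # d1 + w*x2
Q3 = poly([(1, {D1: 2}), (2, {W: 1, X1: 1, D2: 1}), (-1, {W: 2, X1: 2})], 5)

if __name__ == "__main__":
    for name, p in [("x - e", P1), ("x^2 - 2ex - y^2", P2), ("x^2 + y^2 - 1", CIRCLE)]:
        print(name, "invariant function:", is_invariant_function(p, DEC_FIELD))
    # The circle is not an invariant function, but its Lie derivative 2y(e - x)
    # vanishes once the differential cut e = x is substituted.
    print(substitute(lie(CIRCLE, DEC_FIELD), E, poly([(1, {X: 1})], 3)) == {})
    print(all(is_invariant_function(q, AIR_FIELD) for q in (Q1, Q2, Q3)))
```

The circle $x^2 + y^2 - 1$ fails the plain check because its Lie derivative is $2y(e - x)$, which is why the slides first establish $e = x$ by a differential cut.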
[Figure: KeYmaera prover (Strategy, Rule Engine, Proof, Input File, Rulebase) and solvers (Mathematica, QEPCAD, Orbital)]
for ∪, ;, := do decompose
for x′ = . . . do diffsat
for α∗ do loopsat
repeat until fixedpoint
Successful Hybrid Systems Proofs
[Figures: case-study diagrams (labels far, neg, cor, rec, fsa; entry, exit; x1, x2, y1, y2, d, ω, e, ϑ). Edge labels of the hybrid program graph, in extraction order:]
[SB := ((amax / b + 1) * ep * v + (v ^ 2 - d ^ 2) / (2 * b) + ((amax / b + 1) * amax * ep ^ 2) / 2)]
[?d >= 0 & do ^ 2 - d ^ 2 <= 2 * b * (m - mo) & vdes >= 0]
[vdes := *]
[d := *]
[m := *]
[mo := m]
[do := d]
[state := brake]
[?v <= vdes]
[?v >= vdes]
[{z' = v, v' = a, t' = 1, v >= 0 & t <= ep}]
[a := -b]
[?a >= 0 & a <= amax]
[a := *]
[?a <= 0 & a >= -b]
[a := *]
[t := 0]
[?m - z <= SB | state = brake]
[?m - z >= SB & state != brake]
Successful Hybrid Systems Proofs
[Figure: diagram with labels xb, (lx, ly), (rx, ry), (vx, vy), ex, ey, fx, fy]
Differential Dynamic Logic and Differential Invariants
[Figure: discrete, continuous, stochastic]
differential dynamic logic
dL = DL + HP
[Figure: [α]φ, φ, α]
Logic for hybrid systems++
Sound & complete / ODE
Differential invariants
No differential cut elimination
Differential auxiliaries
Algebra / differential ideal
Inverse characteristic PDE
KeYmaera
Logical Foundations of Cyber-Physical Systems
Logic: Model Checking, Theorem Proving, Proof Theory
Algebra: Computer Algebra, Algebraic Geometry, Differential Algebra
Analysis: Differential Equations, Dynamical Systems, Differentiation
Stochastics: Stochastic Differential Equations, Dynkin Generator, Supermartingales
Numerics: Numerical Integration, Polynomial Interpolation, Weierstraß Approximation
Algorithms: Decision Procedures, Proof Search, Fixedpoint Loops