Hybrid systems are mathematical models describing discrete and continuous dynamics, and interactions thereof [DoyenFPP18]. This flexibility makes them natural models of cyber-physical systems (CPSs) which feature interactions between discrete computational control and continuous physics [10.2307/j.ctt17kkb0d, Platzer18]. Formal verification of hybrid systems is of significant practical interest because the CPSs they model frequently operate in safety-critical settings. Verifying properties of the continuous dynamics is a key aspect of any such endeavor.
This paper focuses on deductive liveness verification for continuous dynamics described by ordinary differential equations (ODEs). We work with differential dynamic logic () [DBLP:conf/lics/Platzer12a, DBLP:journals/jar/Platzer17, Platzer18], a logic for deductive verification of hybrid systems, which lifts our results to the hybrid dynamical setting as well. Methods for proving liveness in the discrete setting are well-known: loop variants show that discrete loops eventually reach a desired goal, while temporal logic is used to specify and study liveness properties in concurrent and infinitary settings [DBLP:books/daglib/0077033, DBLP:journals/toplas/OwickiL82]. We focus on deducing liveness properties for ODEs, i.e., that ODE solutions eventually enter a desired goal region in finite time without leaving the domain of allowed (or safe) states. In the continuous setting, deduction of such liveness properties is hampered by several difficulties:
Solutions of ODEs may converge towards a goal without ever reaching it.
Solutions of (non-linear) ODEs may blow up in finite time, leaving insufficient time for the desired goal to be reached.
The goal may be reachable but only by leaving the domain constraint.
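Three one-line ODEs, added here as an illustration rather than taken from the paper, exhibit the three difficulties in turn; in each case the explicit solution decides whether the goal is reached in finite time without leaving the domain (the clock variable $y$ in (ii) is a constructed device for talking about elapsed time):
$$
\begin{aligned}
&\text{(i) convergence: } && x' = -x,\ x(0)=1 && \Rightarrow\ x(t)=e^{-t}>0 \text{ for all } t\ge 0, \text{ so the goal } x\le 0 \text{ is approached but never reached.}\\
&\text{(ii) finite-time blow-up: } && x' = x^2,\ y'=1,\ x(0)=1,\ y(0)=0 && \Rightarrow\ x(t)=\tfrac{1}{1-t} \text{ exists only on } [0,1), \text{ so the goal } y\ge 1 \text{ (which needs } t=1) \text{ is never reached.}\\
&\text{(iii) domain constraint: } && x' = 1,\ x(0)=0,\ \text{domain } x\le 1 && \Rightarrow\ x(t)=t \text{ would reach the goal } x\ge 2 \text{ at } t=2, \text{ but only after leaving the domain at } t=1.
\end{aligned}
$$
In (i) and (ii) the liveness property fails even without a domain constraint; in (iii) it holds for the unconstrained ODE but fails once the domain constraint is imposed, which is the distinction drawn by the two columns of the survey table below.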
In contrast, invariance properties for ODEs are better understood [DBLP:conf/tacas/GhorbalP14, DBLP:conf/emsoft/LiuZZ11] and have a complete axiomatization [DBLP:conf/lics/PlatzerT18]. Motivated by the aforementioned difficulties, we present axioms enabling successive refinement of ODE liveness properties with a sequence of ODE invariance properties. This brings the full deductive power of ’s ODE invariance proof rules to bear on liveness proofs. Our approach is a general framework for understanding ODE liveness arguments. We survey several arguments from the literature and derive them all as (corrected) proof rules, see tab:survey. This logical presentation has two key benefits:
The proof rules are derived from sound axioms of , guaranteeing their correctness. Many of the surveyed arguments contain subtle soundness errors, see tab:survey. These errors do not diminish the surveyed work. Rather, they emphasize the need for an axiomatic, uniform way of presenting and analyzing ODE liveness arguments rather than ad-hoc approaches.
The approach identifies common underlying refinement steps behind liveness arguments. This library of building blocks enables sound development and justification of new ODE liveness proof rules, e.g., by generalizing individual refinement steps or by exploring different combinations of those steps.
| Source | Without Domain Constraints | With Domain Constraints |
| --- | --- | --- |
| [DBLP:journals/logcom/Platzer10] | OK (cor:atomicdvcmp) | if open/closed, initially false (cor:atomicdvcmpQ) |
| [DBLP:conf/hybrid/PrajnaR05, DBLP:journals/siamco/PrajnaR07] | N/A | if conditions checked globally (cor:prq) |
| [DBLP:journals/siamco/RatschanS10] | if compact (cor:rs) | if compact (cor:rsq) |
| [DBLP:conf/emsoft/TalyT10] | if globally Lipschitz (cor:tt) | if globally Lipschitz (cor:ttq) |
This section reviews the syntax and semantics of , focusing on its continuous fragment. A complete axiomatization for ODE invariants is presented in [DBLP:conf/lics/PlatzerT18], while full presentations of , including its discrete fragment, are in [DBLP:journals/jar/Platzer17, Platzer18].
The grammar of terms is as follows, where is a variable and is a rational constant. These terms are polynomials over the set of variables .
The grammar of formulas is as follows, where is a comparison operator and is a hybrid program:
The notation (resp. ) is used when there is a free choice between or (resp. or ). Other standard logical connectives, e.g., , are definable as in classical logic. Formulas not containing the modalities are formulas of first-order real arithmetic and are written as . The box () and diamond () modality formulas express dynamic properties of the hybrid program . We focus on continuous programs, where is given by a system of polynomial ODEs . Here, is an -dimensional system of differential equations, , over variables , where the LHS is the time derivative of and the RHS is a polynomial over variables . The domain constraint specifies the set of states in which the ODE is allowed to evolve continuously. When there is no domain constraint, i.e., is the formula , the ODE is written as .
When terms (or formulas) appear in contexts involving ODEs , it is sometimes necessary to restrict the set of free variables they are allowed to mention. These restrictions are always stated explicitly but we also indicate them as arguments to the term (or formula), e.g., means the term does not mention any of variables free and means the formula may mention all of the variables . [Footnote 1: This understanding of variable dependencies is made precise using function and predicate symbols in ’s uniform substitution calculus [DBLP:conf/lics/PlatzerT18].]
States assign real values to each variable in ; the set of all states is written .
The semantics of polynomial term in state is the real value of the corresponding polynomial function evaluated at .
The semantics of formula is the set of states in which that formula is true.
The semantics of first-order logical connectives are defined as usual, e.g., .
For ODEs, the semantics of the modal operators is defined directly as follows. [Footnote 2: See [DBLP:journals/jar/Platzer17, Platzer18] for a compositional definition of the semantics.]
Let and (for some ), be the unique, right-maximal solution [Chicone2006, Walter1998] to the ODE with initial value :
[const=I,state=ω]x=x ϕ iff for all 0 ≤ τ < T where φ(ζ) ∈ [const=I,state=ω] for all 0 ≤ ζ ≤ τ:
[const=I,state=ω]x=x ϕ iff there exists 0 ≤ τ < T such that:
φ(τ) ∈ [const=I,state=ω] ϕ and φ(ζ) ∈ [const=I,state=ω] for all 0 ≤ ζ ≤ τ
Informally, the box modality formula is true in initial state if all states reached by following the ODE from while remaining in the domain constraint satisfy postcondition . Dually, the diamond modality formula is true in initial state if some state which satisfies the postcondition is eventually reached in finite time by following the ODE from while staying in the domain constraint. This liveness property for ODEs is also called an eventuality property in the literature [DBLP:journals/siamco/PrajnaR07, DBLP:conf/fm/SogokonJ15]. [Footnote 3: The formula is a logical rendition of “eventuality” as defined in [DBLP:journals/siamco/PrajnaR07, DBLP:conf/fm/SogokonJ15] which requires that the domain constraint is satisfied at all times including at the endpoint where is eventually satisfied. The definition of “reachability” from [DBLP:conf/emsoft/TalyT10] is similar, but does not require to be satisfied at this endpoint.]
Variables not occurring on the LHS of ODE remain constant along solutions of the ODE, with for all . Since only the values of change along the solution it may also be viewed geometrically as a trajectory in , dependent on the initial values of the constant parameters . Similarly, the value of terms and formulas depends only on the values of their free variables [DBLP:journals/jar/Platzer17]. Thus, terms (or formulas) whose free variables are all parameters for also have constant (truth) values along solutions of the ODE. For formulas that only mention free variables , can also be viewed geometrically as a subset of . Such a formula is said to characterize a (topologically) open (resp. closed, bounded, compact) set with respect to variables iff the set is topologically open (resp. closed, bounded, compact) with respect to the Euclidean topology. These topological conditions are used as side conditions for some of the axioms and proof rules in this paper. In app:proofcalc, a more general definition of these side conditions is given for formulas that mention parameters . These side conditions are decidable [Bochnak1998] when is a formula of first-order real arithmetic and there are simple syntactic criteria for checking if they hold, see app:proofcalc.
Formula is valid iff , i.e., is true in all states. If formula is valid, then the formula is an invariant of the ODE . Unfolding the semantics, this means that from any initial state satisfying , all states reached by the solution of the ODE from while staying in the domain constraint satisfy .
2.3 Proof Calculus
All derivations are presented in a standard classical sequent calculus with all usual rules for manipulating logical connectives and sequents, e.g., orl+andr, and cut. The semantics of sequent is equivalent to the formula and a sequent is valid iff its corresponding formula is valid. Completed branches in a sequent proof are marked with . First-order real arithmetic is decidable [Bochnak1998] so we assume such a decision procedure and label proof steps with qear when they follow from real arithmetic. Axiom (schemata) are sound iff all instances of the axiom are valid. Proof rules are sound iff validity of all premises (above the rule bar) entails validity of the conclusion (below the rule bar).
The proof calculus is complete for invariants [DBLP:conf/lics/PlatzerT18], i.e., any true ODE invariant expressible in first-order real arithmetic can be proved in the calculus. We briefly recall the axioms and proof rules necessary for the paper here, leaving a complete listing to app:proofcalc. The proof rule dIcmp (below) uses the Lie derivative of polynomial with respect to the ODE , which is defined as follows, with higher Lie derivatives
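The following is an added example (not code from the paper) that computes Lie derivatives and higher Lie derivatives of polynomials along a polynomial ODE, as used by rules such as dIcmp. It assumes the standard definition of the Lie derivative of p along x' = f(x), namely the sum over i of (∂p/∂x_i)·f_i, with higher Lie derivatives obtained by iterating; polynomials are represented as dicts from exponent tuples to rational coefficients, and the harmonic oscillator x' = y, y' = -x is a constructed sample system.

```python
from fractions import Fraction

# A polynomial over n variables is a dict mapping an exponent tuple
# (e_1, ..., e_n) to a rational coefficient; zero coefficients are dropped.

def padd(p, q):
    """Sum of two polynomials."""
    r = dict(p)
    for m, c in q.items():
        r[m] = r.get(m, 0) + c
    return {m: c for m, c in r.items() if c != 0}

def pmul(p, q):
    """Product of two polynomials (exponents add, coefficients multiply)."""
    r = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            m = tuple(a + b for a, b in zip(m1, m2))
            r[m] = r.get(m, 0) + c1 * c2
    return {m: c for m, c in r.items() if c != 0}

def pdiff(p, i):
    """Partial derivative of p with respect to variable x_i."""
    r = {}
    for m, c in p.items():
        if m[i] > 0:
            dm = m[:i] + (m[i] - 1,) + m[i + 1:]
            r[dm] = r.get(dm, 0) + c * m[i]
    return r

def lie(p, f):
    """Lie derivative of p along x' = f(x): sum_i (dp/dx_i) * f_i (assumed standard definition)."""
    r = {}
    for i, fi in enumerate(f):
        r = padd(r, pmul(pdiff(p, i), fi))
    return r

def higher_lie(p, f, k):
    """k-th Lie derivative, obtained by applying lie() k times."""
    for _ in range(k):
        p = lie(p, f)
    return p

# Constructed sample: harmonic oscillator x' = y, y' = -x over variables (x, y).
X = {(1, 0): Fraction(1)}
Y = {(0, 1): Fraction(1)}
F_OSC = [Y, padd({}, {(1, 0): Fraction(-1)})]      # f = (y, -x)
ENERGY = padd(pmul(X, X), pmul(Y, Y))             # p = x^2 + y^2

if __name__ == "__main__":
    print("L_f(x^2+y^2) =", lie(ENERGY, F_OSC))    # {} : the circle is invariant
    print("L_f^2(x)     =", higher_lie(X, F_OSC, 2))  # {(1,0): -1} : x'' = -x
```

The empty Lie derivative of x² + y² is exactly the witness a differential-invariant rule needs to conclude that level sets of the energy are invariant under the oscillator.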