
Showing papers by "André Platzer published in 2010"


BookDOI
01 Jan 2010

168 citations


Proceedings ArticleDOI
12 Apr 2010
TL;DR: It is proved that Bayesian SMC can make the probability of giving a wrong answer arbitrarily small, which enables faster verification than state-of-the-art statistical techniques, while retaining the same error bounds.
Abstract: We address the problem of model checking stochastic systems, i.e.~checking whether a stochastic system satisfies a certain temporal property with a probability greater (or smaller) than a fixed threshold. In particular, we present a novel Statistical Model Checking (SMC) approach based on Bayesian statistics. We show that our approach is feasible for hybrid systems with stochastic transitions, a generalization of Simulink/Stateflow models. Standard approaches to stochastic (discrete) systems require numerical solutions for large optimization problems and quickly become infeasible with larger state spaces. Generalizations of these techniques to hybrid systems with stochastic effects are even more challenging. The SMC approach was pioneered by Younes and Simmons in the discrete and non-Bayesian case. It solves the verification problem by combining randomized sampling of system traces (which is very efficient for Simulink/Stateflow) with hypothesis testing or estimation. We believe SMC is essential for scaling up to large Stateflow/Simulink models. While the answer to the verification problem is not guaranteed to be correct, we prove that Bayesian SMC can make the probability of giving a wrong answer arbitrarily small. The advantage is that answers can usually be obtained much faster than with standard, exhaustive model checking techniques. We apply our Bayesian SMC approach to a representative example of stochastic discrete-time hybrid system models in Stateflow/Simulink: a fuel control system featuring hybrid behavior and fault tolerance. We show that our technique enables faster verification than state-of-the-art statistical techniques, while retaining the same error bounds. We emphasize that Bayesian SMC is by no means restricted to Stateflow/Simulink models: we have in fact successfully applied it to very large stochastic models from Systems Biology.
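Added runnable illustration of the sequential Bayesian hypothesis test the abstract describes; this is not code from the paper or its authors. Hypotheses are H0: P(phi) >= theta versus H1: P(phi) < theta. With a uniform Beta(1,1) prior the posterior is a Beta with integer shape parameters, so the Bayes factor can be computed exactly by a binomial tail sum instead of a special-function library. The fuel-system model, the safety property, the fault probability and the thresholds below are constructed assumptions standing in for the paper's Simulink/Stateflow example, not the paper's model.

```python
import math
import random


def posterior_cdf(theta, successes, n):
    """Posterior probability of H1 (p < theta) after `successes` satisfying
    traces out of `n` samples, under a uniform Beta(1,1) prior on p.

    The posterior is Beta(a, b) with a = successes + 1, b = n - successes + 1.
    For integer a, b the Beta CDF at theta equals P(Binomial(a+b-1, theta) >= a),
    so it is evaluated exactly with a binomial tail sum.
    """
    a = successes + 1
    m = n + 1  # a + b - 1
    return sum(math.comb(m, j) * theta ** j * (1.0 - theta) ** (m - j)
               for j in range(a, m + 1))


def bayes_factor(theta, successes, n):
    """Bayes factor B = P(data | H0) / P(data | H1) for H0: p >= theta, H1: p < theta.

    B equals the posterior odds of H0 divided by the prior odds; with the
    uniform prior the prior odds are (1 - theta) / theta.
    """
    h1 = posterior_cdf(theta, successes, n)
    if h1 <= 0.0:
        return math.inf  # posterior mass of H1 underflowed: overwhelming support for H0
    posterior_odds = (1.0 - h1) / h1
    prior_odds = (1.0 - theta) / theta
    return posterior_odds / prior_odds


def bayesian_smc(sample_trace, holds, theta, threshold, max_samples=10_000):
    """Sequential Bayesian SMC: sample traces until the Bayes factor exceeds
    `threshold` (accept H0: P(phi) >= theta) or drops below 1/threshold
    (accept H1).  Returns (verdict, number_of_samples).  Larger thresholds
    make a wrong verdict less likely at the cost of more samples.
    """
    successes = 0
    for n in range(1, max_samples + 1):
        if holds(sample_trace()):
            successes += 1
        b = bayes_factor(theta, successes, n)
        if b > threshold:
            return True, n
        if b < 1.0 / threshold:
            return False, n
    raise RuntimeError(f"undecided after {max_samples} traces; raise max_samples")


def fuel_system_trace(rng, steps=200, dt=0.05, p_fault=0.002):
    """Constructed discrete-time stochastic hybrid model (assumption, not the
    paper's model).  Continuous part: tank level obeys level' = inflow - demand,
    integrated with Euler steps of size dt.  Discrete part: each step the level
    sensor fails with probability p_fault; a failed sensor reads low, so the
    controller over-supplies fuel.  Demand is a per-step random disturbance.
    """
    level, sensor_ok, trace = 0.5, True, []
    for _ in range(steps):
        if sensor_ok and rng.random() < p_fault:
            sensor_ok = False
        demand = rng.uniform(0.3, 0.7)
        inflow = 0.5 if sensor_ok else 0.8
        level += dt * (inflow - demand)
        trace.append(level)
    return trace


def level_in_band(trace, lo=0.2, hi=0.8):
    """Bounded safety property phi: the level never leaves [lo, hi] on the trace."""
    return all(lo <= x <= hi for x in trace)


def run_example(seed=2010, theta=0.9, threshold=1000):
    """Check whether P(phi) >= theta for the constructed model, with a fixed seed."""
    rng = random.Random(seed)
    return bayesian_smc(lambda: fuel_system_trace(rng), level_in_band, theta, threshold)


if __name__ == "__main__":
    verdict, used = run_example()
    print(f"P(phi) >= 0.9 is {verdict}, decided after {used} sampled traces")
```

With the constructed fault rate a fault early enough in the horizon drives the level out of the band, so P(phi) sits well below 0.9 and the test rejects H0 after a few dozen traces; pushing `threshold` up tightens the error bound and costs more samples, and a system whose true probability sits exactly at `theta` can exhaust `max_samples` without a verdict, which is why the loop raises rather than guessing.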

163 citations


Journal ArticleDOI
TL;DR: A calculus over real arithmetic with discrete induction and a new differential induction with which differential-algebraic programs can be verified by exploiting their differential constraints algebraically without having to solve them are introduced.
Abstract: We generalize dynamic logic to a logic for differential-algebraic (DA) programs, i.e. discrete programs augmented with first-order differential-algebraic formulas as continuous evolution constraints in addition to first-order discrete jump formulas. These programs characterize interacting discrete and continuous dynamics of hybrid systems elegantly and uniformly. For our logic, we introduce a calculus over real arithmetic with discrete induction and a new differential induction with which DA programs can be verified by exploiting their differential constraints algebraically without having to solve them. We develop the theory of differential induction and differential refinement and analyse their deductive power. As a case study, we present parametric tangential roundabout maneuvers in air traffic control and prove collision avoidance in our calculus.

155 citations


Book ChapterDOI
23 Aug 2010
TL;DR: A dynamic logic and proof calculus for distributed hybrid systems is introduced, shown to be a sound and complete axiomatization relative to quantified differential equations, and used to prove collision freedom in distributed car control even when new cars may appear dynamically on the road.
Abstract: We address a fundamental mismatch between the combinations of dynamics that occur in complex physical systems and the limited kinds of dynamics supported in analysis. Modern applications combine communication, computation, and control. They may even form dynamic networks, where neither structure nor dimension stay the same while the system follows mixed discrete and continuous dynamics. We provide the logical foundations for closing this analytic gap. We develop a system model for distributed hybrid systems that combines quantified differential equations with quantified assignments and dynamic dimensionality-changes. We introduce a dynamic logic for verifying distributed hybrid systems and present a proof calculus for it. We prove that this calculus is a sound and complete axiomatization of the behavior of distributed hybrid systems relative to quantified differential equations. In our calculus we have proven collision freedom in distributed car control even when new cars may appear dynamically on the road.

47 citations


Book ChapterDOI
01 Jan 2010
TL;DR: Parameter constraints for the ETCS cooperation protocol are identified and proved sharp, controllability, safety, liveness, and reactivity properties that entail collision freedom are verified, and the protocol is proved to remain correct even in the presence of perturbation by disturbances in the dynamics.
Abstract: Complex physical systems have several degrees of freedom. They only work correctly when their control parameters obey corresponding constraints. Based on the informal specification of the European Train Control System (ETCS), we design a controller for its cooperation protocol. For the free parameters of the system, we successively identify constraints that are required to ensure collision freedom. We formally prove the parameter constraints to be sharp by characterising them equivalently in terms of reachability properties of the hybrid system dynamics. We use the calculus of our differential dynamic logic for hybrid systems and formally verify controllability, safety, liveness, and reactivity properties of the ETCS protocol that entail collision freedom. We prove that the ETCS protocol remains correct even in the presence of perturbation by disturbances in the dynamics.

9 citations


01 Jan 2010
TL;DR: The dissertation summarized in this article introduces a verification logic for hybrid systems, together with a proof calculus and a new deductive verification tool that has been used successfully to verify aircraft and train control.
Abstract: Designing and analyzing hybrid systems, which are models for complex physical systems, is expensive and error-prone. The dissertation presented in this article introduces a verification logic that is suitable for analyzing the behavior of hybrid systems. It presents a proof calculus and a new deductive verification tool for hybrid systems that has been used successfully to verify aircraft and train control.

8 citations


Journal ArticleDOI
TL;DR: A verification logic that is suitable for analyzing the behavior of hybrid systems and a new deductive verification tool for hybrid systems that has been used successfully to verify aircraft and train control are presented.
Abstract: Designing and analyzing hybrid systems, which are models for complex physical systems, is expensive and error-prone. The dissertation presented in this article introduces a verification logic that is suitable for analyzing the behavior of hybrid systems. It presents a proof calculus and a new deductive verification tool for hybrid systems that has been used successfully to verify aircraft and train control.

7 citations


Book ChapterDOI
01 Jan 2010
TL;DR: The semantics of dynamic modalities is generalised to refer to hybrid traces instead of final states, this is proved to be a conservative extension of the dynamic logic for hybrid systems, and a modular verification calculus is provided that reduces correctness of temporal behaviour of hybrid systems to nontemporal reasoning and is complete relative to the nontemporal base logic.
Abstract: We combine first-order dynamic logic for reasoning about the possible behaviour of hybrid systems with temporal logic for reasoning about the temporal behaviour during their operation. Our logic supports verification of hybrid programs with first-order definable flows and provides a uniform treatment of discrete and continuous evolution. For our combined logic, we generalise the semantics of dynamic modalities to refer to hybrid traces instead of final states. Further, we prove that this gives a conservative extension of our dynamic logic for hybrid systems. On this basis, we provide a modular verification calculus that reduces correctness of temporal behaviour of hybrid systems to nontemporal reasoning, and prove that we obtain a complete axiomatisation relative to the nontemporal base logic. Using this calculus, we analyse safety invariants in a train control system and symbolically synthesise parametric safety constraints.

3 citations


Book ChapterDOI
01 Jan 2010
TL;DR: A fixed-point algorithm for verifying safety properties of hybrid systems with differential equations whose right-hand sides are polynomials in the state variables is introduced and a saturation procedure that refines the system dynamics successively by differential cuts with differential invariants until the property becomes provable is introduced.
Abstract: We introduce a fixed-point algorithm for verifying safety properties of hybrid systems with differential equations whose right-hand sides are polynomials in the state variables. In order to verify nontrivial systems without solving their differential equations and without numerical errors, we use differential induction as a continuous generalisation of induction, for which our algorithm computes the required differential invariants. As a means for combining local differential invariants into global system invariants in a sound way, our fixed-point algorithm works with differential dynamic logic as a compositional verification logic for hybrid systems. To improve the verification power, we further introduce a saturation procedure that refines the system dynamics successively by differential cuts with differential invariants until the property becomes provable. By complementing our symbolic verification algorithm with a robust version of numerical falsification, we obtain a fast and sound verification procedure. We verify roundabout manoeuvres in air traffic control and collision avoidance in train control.

2 citations


Book ChapterDOI
01 Jan 2010
TL;DR: A dynamic logic for hybrid programs is introduced, which is a program notation for hybrid systems and a free-variable proof calculus with a novel combination of real-valued free variables and Skolemisation for lifting quantifier elimination for real arithmetic to dynamic logic is introduced.
Abstract: Hybrid systems are models for complex physical systems and are defined as dynamical systems with interacting discrete transitions and continuous evolutions along differential equations. With the goal of developing a theoretical and practical foundation for deductive verification of hybrid systems, we introduce a dynamic logic for hybrid programs, which is a program notation for hybrid systems. As a verification technique that is suitable for automation, we introduce a free-variable proof calculus with a novel combination of real-valued free variables and Skolemisation for lifting quantifier elimination for real arithmetic to dynamic logic. The calculus is compositional, i.e., it reduces properties of hybrid programs to properties of their parts. Our main result proves that this calculus axiomatises the transition behaviour of hybrid systems completely relative to differential equations. In a study with cooperating traffic agents of the European Train Control System, we further show that our calculus is well suited for verifying realistic hybrid systems with parametric system dynamics.

2 citations


Book ChapterDOI
01 Jan 2010
TL;DR: It is shown how deductive, real algebraic, and computer algebraic methods can be combined for verifying hybrid systems in an automated theorem proving approach and the iterative background closure and iterative inflation order strategies are proposed, with which they achieve substantial computational improvements.
Abstract: We show how deductive, real algebraic, and computer algebraic methods can be combined for verifying hybrid systems in an automated theorem proving approach. In particular, we highlight the interaction of deductive and algebraic reasoning that is used for handling the joint discrete and continuous behaviour of hybrid systems. Systematically, we derive a canonical tableau procedure modulo from the calculus of differential dynamic logic. We delineate the nondeterminisms in the tableau procedure carefully and analyse their practical impact in the presence of computationally expensive handling of real algebraic constraints. Based on experience with larger case studies, we analyse proof strategies for dealing with the practical challenges for integrated algebraic and deductive verification of hybrid systems. To overcome the complexity pitfalls of integrating real arithmetic, we propose the iterative background closure and iterative inflation order strategies, with which we achieve substantial computational improvements.

01 Jan 2010
TL;DR: This talk describes a theoretical and practical foundation for deductive verification of hybrid systems called differential dynamic logic (dL), whose proof calculus is a complete axiomatization of hybrid systems relative to differential equations, and whose implementation in the theorem prover KeYmaera has verified collision avoidance in train and air traffic control systems.
Abstract: Formal verification techniques are used routinely in finite-state digital circuits. Theorem proving is also used successfully for infinite-state discrete systems. But many safety-critical computers are actually embedded in physical systems. Hybrid systems [1] model complex physical systems as dynamical systems with interacting discrete transitions and continuous evolutions along differential equations. They arise frequently in many application domains, including aviation, automotive, railway, and robotics. There is a well-understood theory for proving programs. But what about complex physical systems? How can we prove that a hybrid system works as expected, e.g., an aircraft does not crash into another one? This talk illustrates the complexities and pitfalls of hybrid systems verification. It describes a theoretical and practical foundation for deductive verification of hybrid systems called differential dynamic logic (dL). The proof calculus for this logic is interesting from a theoretical perspective, because it is a complete axiomatization of hybrid systems relative to differential equations. The approach is of considerable practical interest too. Its implementation in the theorem prover KeYmaera [7] has been used successfully to verify collision avoidance properties in the European Train Control System [8] and air traffic control systems [6]. The number of dimensions and nonlinearities in the hybrid dynamics of these systems is surprisingly tricky, so that they are still out of scope for other verification tools. This talk is based on recent work [2, 3, 4]. More comprehensive details can be found in a corresponding book [5].

Book ChapterDOI
01 Jan 2010
TL;DR: A calculus over real arithmetic with discrete induction and a new differential induction with which differential-algebraic programs can be verified by exploiting their differential constraints algebraically without having to solve them are introduced.
Abstract: We generalise dynamic logic to a logic for differential-algebraic programs, i.e., discrete programs augmented with first-order differential-algebraic formulas as continuous evolution constraints in addition to first-order discrete jump formulas. These programs characterise interacting discrete and continuous dynamics of hybrid systems elegantly and uniformly, including systems with disturbance and differential-algebraic equations. For our logic, we introduce a calculus over real arithmetic with discrete induction and a new differential induction with which differential-algebraic programs can be verified by exploiting their differential constraints algebraically without having to solve them. We develop the theory of differential induction and differential refinement and analyse their deductive power. As an example, we present parametric tangential roundabout manoeuvres in air traffic control and prove collision avoidance in our calculus.
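Added worked example, not taken from the papers: the differential induction step that the two differential-algebraic program abstracts above and the fixed-point algorithm abstract rely on, applied to the constant-speed invariant of curved flight. The dynamics below are an assumed model of one aircraft flying a circle; the variable names are illustrative. Position $(x,y)$ and direction vector $(d_1,d_2)$ evolve as

$$x' = d_1,\qquad y' = d_2,\qquad d_1' = -\omega d_2,\qquad d_2' = \omega d_1,$$

with angular velocity $\omega$ and speed $v$ constant. The solution involves $\sin(\omega t)$ and $\cos(\omega t)$, which are not terms of first-order real arithmetic, so one cannot solve the differential equation and hand the result to quantifier elimination. Differential induction avoids solving: to show that $F \equiv d_1^2 + d_2^2 = v^2$ is a differential invariant it suffices that $F$ holds initially and that its differential $F'$, obtained by differentiating both sides and substituting the right-hand sides of the differential equations for the primed variables, is valid in real arithmetic:

$$(d_1^2 + d_2^2)' = 2 d_1 d_1' + 2 d_2 d_2' = 2 d_1(-\omega d_2) + 2 d_2(\omega d_1) = 0 = (v^2)'.$$

The differential $F'$ reduces to $0 = 0$, which is valid, so the speed $d_1^2 + d_2^2 = v^2$ is preserved along every evolution of the differential equation, whatever $\omega$ and the initial heading are. A property such as separation between two aircraft typically cannot be established by a single such check; that is where a differential cut comes in: an invariant already proved this way (here the constant speed) is added to the evolution domain constraint, and the next differential induction may assume it.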

Book ChapterDOI
01 Jan 2010
TL;DR: The logical analysis approach can be used successfully to verify collision avoidance of the tangential roundabout manoeuvre automatically, even for five aircraft, and the DAL-based proof techniques can scale to curved flight manoeuvres required in aircraft control applications.
Abstract: Aircraft collision avoidance manoeuvres are important and complex applications. Curved flight exhibits nontrivial continuous behaviour. In combination with the control choices during air traffic manoeuvres, this results in hybrid systems with challenging interactions of discrete and continuous dynamics. As a case study for demonstrating the scalability of logical analysis for hybrid systems with challenging dynamics, we analyse collision freedom of roundabout manoeuvres in air traffic control, where appropriate curved flight, good timing, and compatible manoeuvring are crucial for guaranteeing safe spatial separation of aircraft throughout their flight. We show that our DAL-based proof techniques can scale to curved flight manoeuvres required in aircraft control applications. Our logical analysis approach can be used successfully to verify collision avoidance of the tangential roundabout manoeuvre automatically, even for five aircraft. Moreover, we introduce a fully fly-able variant of the roundabout collision avoidance manoeuvre and verify safety properties by compositional verification in our calculus.