How to model and prove hybrid systems with KeYmaera: a tutorial on safety

The design of hybrid systems controllers requires one to handle both discrete and continuous functionalities in a single development framework. In this paper, we propose the design and verification of such controllers using a correct-by-construction approach. We use proof-based formal methods to model and verify the required safety properties of the given controllers. Both Event-B with Rodin, and hybrid programs and dynamic differential logic with KeYmaera are experimented on a common case study related to the modelling of a car controller. Finally, we discuss the lessons learnt from these experiments and draw the first steps towards a generic method for modelling hybrid systems in Event-B.

show abstract

“…The chosen case study deals with a stop sign controller proposed by Quesel et al in [17] (Sect. 5.3).…”

Section: Case-studymentioning

confidence: 99%

Proof-Based Approach to Hybrid Systems Development: Dynamic Logic and Event-B

Dupont¹,

Aït‐Ameur²,

Pantel³

et al. 2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…As its decisions, ctrl lists that the car can either accelerate a := A or coast a := 0, while plant describes the motion of the car (position p changes according to velocity v, velocity v according to the chosen acceleration a). Details on dL are in the literature [10,11,12], including a tutorial on modeling and proving in KeYmaera [16].…”

Section: ?Fmentioning

confidence: 99%

KeYmaera X: An Axiomatic Tactical Theorem Prover for Hybrid Systems

Fulton

Mitsch

Quesel

et al. 2015

Lecture Notes in Computer Science

Self Cite

182

165

View full text Add to dashboard Cite

Abstract. KeYmaera X is a theorem prover for differential dynamic logic (dL), a logic for specifying and verifying properties of hybrid systems. Reasoning about complicated hybrid systems models requires support for sophisticated proof techniques, efficient computation, and a user interface that crystallizes salient properties of the system. KeYmaera X allows users to specify custom proof search techniques as tactics, execute these tactics in parallel, and interface with partial proofs via an extensible user interface. Advanced proof search features-and user-defined tactics in particular-are difficult to check for soundness. To admit extension and experimentation in proof search without reducing trust in the prover, KeYmaera X is built up from a small trusted kernel. The prover kernel contains a list of sound dL axioms that are instantiated using a uniform substitution proof rule. Isolating all soundness-critical reasoning to this prover kernel obviates the intractable task of ensuring that each new proof search algorithm is implemented correctly. Preliminary experiments suggest that a single layer of tactics on top of the prover kernel provides a rich language for implementing novel and sophisticated proof search techniques.

show abstract

“…Logic-based analysis of a given hybrid automaton has been thoroughly investigated by Platzer in [12] and became practically feasible by the tool KeYmaera [14]. This tool is an interactive theorem prover and allows the user to formally prove safety properties taken both discrete and continuous state variables into account.…”

Section: Motivationmentioning

confidence: 99%

A Control Flow Graph Based Approach to Make the Verification of Cyber-Physical Systems Using KeYmaera Easier

Baar

Staroletov

2018

Model. anal. inf. sist.

View full text Add to dashboard Cite

KeYmaera is an interactive theorem prover and is used to verify safety properties of cyber-physical systems (CPSs). It implements a Dynamic Logic for Hybrid Programs (HPs), while a HP models a CPS very precisely. Verifying properties of a given system in KeYmaera can become a challenge for a user since the proof is authored in a classical sequent calculus framework and a successful proof requires from the user intimate knowledge of the available calculus rules. Another barrier for widespread application of KeYmaera is the purely textual representation of current proof goals, what requires from the user very good training, experience, and patience. In this paper, we present an alternative verification approach based on KeYmaera, which drastically improves usability and minimizes user interaction. The main idea is to let the user annotate invariants and contracts to states of the hybrid automaton. Thus, the user can employ the graphical representation of the modelled system and is not bound to the purely textual form of hybrid programs as in KeYmaera. Based on the user-provided contracts, one can generate proof obligations, which are much simpler than the original proof goal in KeYmaera. The article is published in the authors’ wording.

show abstract

How to model and prove hybrid systems with KeYmaera: a tutorial on safety

Cited by 50 publications

References 55 publications

Proof-Based Approach to Hybrid Systems Development: Dynamic Logic and Event-B

Proof-Based Approach to Hybrid Systems Development: Dynamic Logic and Event-B

KeYmaera X: An Axiomatic Tactical Theorem Prover for Hybrid Systems

A Control Flow Graph Based Approach to Make the Verification of Cyber-Physical Systems Using KeYmaera Easier

Contact Info

Product

Resources

About