Hybrid dynamical systems describe the mixed discrete and continuous dynamics of cyber-physical systems such as aircraft, cars, trains, and robots. To justify correctness properties of the safety-critical control algorithms for their physical models, differential dynamic logic (▪) provides deductive specification and verification techniques implemented in the theorem prover ▪. The logic ▪ is useful for proving, e.g., that all runs of a hybrid dynamical system α satisfy the safety property φ (i.e., ▪), or that there is a run of the hybrid dynamical system α that ultimately reaches the desired goal φ (i.e., ▪). Logical combinations of ▪'s operators naturally represent safety, liveness, stability, and other properties. Variations of ▪ serve additional purposes. Differential refinement logic (▪) adds an operator α≤β expressing that hybrid system α refines hybrid system β, which is useful, e.g., for relating concrete system implementations α to their abstract verification models β. Just like ▪, ▪ is a logic closed under all of its operators, which opens up systematic ways of simultaneously relating systems and their properties, of reducing system properties to system relations or, vice versa, of reducing system relations to system properties. A second variant of ▪, differential game logic (▪), adds the ability to refer to winning strategies of players in hybrid games, which is useful for establishing correctness properties where the actions of different agents may interfere, either because they literally compete with one another or because they may interact accidentally. In the theorem prover ▪, ▪ and its variations have been used for verifying ground robot obstacle avoidance, the Federal Aviation Administration's Next-Generation Airborne Collision Avoidance System ACAS X, and the Federal Railroad Administration's train control model.