Combining Deduction and Algebraic Constraints for Hybrid System Analysis

Size: px

Start display at page:

Download "Combining Deduction and Algebraic Constraints for Hybrid System Analysis"

Vivian Harper
5 years ago
Views:

1 Combining Deduction and Algebraic Constraints for Hybrid System Analysis André Platzer University of Oldenburg, Department of Computing Science, Germany Verify 07 at CADE 07 André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify 07 1 / 23

2 Outline 1 otivation 2 Differential Logic dl Syntax Semantics Verification Calculus 3 Analysis of the European Train Control System 4 Combining Deduction and Algebraic Constraints Nondeterminisms in Branch Selection Nondeterminisms in Formula Selection Nondeterminisms in ode Selection Iterative Background Closure Strategy 5 Experimental Results 6 Conclusions & Future Work André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify 07 1 / 23

3 Deductively Verifying Hybrid Systems André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify 07 2 / 23

4 Deductively Verifying Hybrid Systems Hybrid Systems continuous evolution along differential equations + discrete change z v t André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify 07 2 / 23

5 Deductively Verifying Hybrid Systems Hybrid Systems continuous evolution along differential equations + discrete change Standard paradigm: model checking HyTech, Checkate, PHAVer,... find bugs Verification is difficult, because of numerical issues, numerical approximation termination of abstraction refinement unbounded regions Parameter SB = 10000? André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify 07 2 / 23 v z t

6 Deductively Verifying Hybrid Systems Hybrid Systems continuous evolution along differential equations + discrete change differential dynamic logic dl = DL + HP André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify 07 2 / 23

7 Outline 1 otivation 2 Differential Logic dl Syntax Semantics Verification Calculus 3 Analysis of the European Train Control System 4 Combining Deduction and Algebraic Constraints Nondeterminisms in Branch Selection Nondeterminisms in Formula Selection Nondeterminisms in ode Selection Iterative Background Closure Strategy 5 Experimental Results 6 Conclusions & Future Work André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify 07 2 / 23

8 Outline 1 otivation 2 Differential Logic dl Syntax Semantics Verification Calculus 3 Analysis of the European Train Control System 4 Combining Deduction and Algebraic Constraints Nondeterminisms in Branch Selection Nondeterminisms in Formula Selection Nondeterminisms in ode Selection Iterative Background Closure Strategy 5 Experimental Results 6 Conclusions & Future Work André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify 07 2 / 23

9 Differential Logic dl: Syntax Definition (Hybrid program α) x = f (x) (continuous evolution) x := θ (discrete jump)?χ (conditional execution) α; β (seq. composition) α β (nondet. choice) α (nondet. repetition) André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify 07 3 / 23

10 Differential Logic dl: Syntax Definition (Hybrid program α) x = f (x) (continuous evolution) x := θ (discrete jump)?χ (conditional execution) α; β (seq. composition) α β (nondet. choice) α (nondet. repetition) ETCS (ctrl ; drive) ctrl (?A z SB; a := b) (?A z SB; a :=...) drive z = a André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify 07 3 / 23

11 Differential Logic dl: Syntax Definition (Formulas φ),,,, x, x, =,, +, (R-first-order part) [α]φ, α φ (dynamic part) ψ [(ctrl ; drive) ] z A All trains respect A system safe André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify 07 3 / 23

12 Differential Logic dl: Semantics Definition (Formulas φ) φ v [α]φ φ φ α-transitions André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify 07 4 / 23

13 Differential Logic dl: Semantics Definition (Formulas φ) v α φ φ α-transitions André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify 07 4 / 23

14 Verification Calculus for Differential Logic dl Dynamic Rules 11 dynamic rules (D1) φ ψ?φ ψ (D5) φ α; α φ α φ (D2) φ ψ [?φ]ψ (D6) φ [α; α ]φ [α ]φ (D9) t 0 ( χ x := y x x = θ & χ φ (D3) α φ β φ α β φ (D7) α β φ α; β φ (D10) t 0 ( χ [x := y [x = θ & χ]φ (D4) [α]φ [β]φ [α β]φ (D8) φ θ x x := θ φ (D11) p [α ](p [α]p) [α ]p André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify 07 5 / 23

15 Verification Calculus for dl Propositional/Quantifier Rules 9 propositional rules + 4 quantifier rules (P1) (P2) (P3) (F1) (F2) φ φ, ψ φ ψ (P4) (P7) φ φ ψ φ ψ φ φ ψ φ, ψ (P5) (P8) φ φ ψ φ ψ φ ψ φ ψ (P6) (P9) φ ψ φ ψ φ φ QE( x i (Γ i i )) QE( x i (F3) (Γ i i )) Γ, x φ QE( x Γ, x φ i (Γ i i )) QE( x i (F4) (Γ i i )) Γ, x φ Γ, x φ André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify 07 6 / 23

16 Concise Theory! But End of the Story? André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify 07 6 / 23

17 Outline 1 otivation 2 Differential Logic dl Syntax Semantics Verification Calculus 3 Analysis of the European Train Control System 4 Combining Deduction and Algebraic Constraints Nondeterminisms in Branch Selection Nondeterminisms in Formula Selection Nondeterminisms in ode Selection Iterative Background Closure Strategy 5 Experimental Results 6 Conclusions & Future Work André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify 07 6 / 23

18 Analysing European Train Control System (ETCS) ψ [(ctrl ; drive) ] z A ctrl (?A z < SB; a := b) (?A z SB; a := 0) drive τ := 0; z = v, v = a, τ = 1 & v 0 τ ε André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify 07 7 / 23

19 Analysing European Train Control System (ETCS) provable automatically using invariant! ψ [(ctrl ; drive) ] z A ctrl (?A z < SB; a := b) (?A z SB; a := 0) drive τ := 0; z = v, v = a, τ = 1 & v 0 τ ε... p, A z SB v 2 2b(A εv z) p, A z SB t 0 ( τ := t τ ε z := vt + p, A z SB τ := 0 t 0 ( τ := t + τ τ ε p, A z SB τ := 0 [z = v, v = 0, τ = 1 & p t 0 ( v := bt + v v 0 z := b 2 t2 + vt + z; v := bt + v p) p, A z SB a := 0 τ := 0 [z = v, v = a, τ p [z = v, v = b & v 0]p p, A z SB a := 0 [drive]p p a := b [drive]p p [?A z SB; a := 0][drive]p p [ctrl][drive]p p [ctrl ; drive]p André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify 07 7 / 23

20 Full European Train Control System (ETCS) system : ( ) poll; (negot (speedcontrol; atp; move)) init : drive := 0; brake := 1 poll : SB := v 2 d 2 2b + ( a max b + 1 )( a max 2 ε2 + εv ) ; ST := negot : (?m z > ST ) (?m z ST ; rbc) rbc : (vdes := ;?vdes > 0) (state := brake) ( d old := d; m old := m; m := ; d := ;?d 0 dold 2 d 2 2b(m m old ) ) speedctrl : (?state ( = brake; a := b)?state = drive; ( (?v vdes ; a := ;? b a a max ) (?v v des ; a := ;?0 > a b) )) atp : (?m z SB; a := b) (?m z > SB) move : t := 0; {ż = v, v = a, ṫ = 1, (v 0 t ε)} André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify 07 8 / 23

21 Full European Train Control System (ETCS) system : not provable automatically! ( 52 user interactions! ) poll; (negot (speedcontrol; atp; move)) init : drive := 0; brake := 1 poll : SB := v 2 d 2 2b + ( a max b + 1 )( a max 2 ε2 + εv ) ; ST := negot : (?m z > ST ) (?m z ST ; rbc) rbc : (vdes := ;?vdes > 0) (state := brake) ( d old := d; m old := m; m := ; d := ;?d 0 dold 2 d 2 2b(m m old ) ) speedctrl : (?state ( = brake; a := b)?state = drive; ( (?v vdes ; a := a max ) (?v v des ; a := b) )) atp : (?m z SB; a := b) (?m z > SB) move : t := 0; {ż = v, v = a, ṫ = 1, (v 0 t ε)} André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify 07 8 / 23

22 Full European Train Control System (ETCS) state = 0, 2 * b * (m - z) >= v ^ 2 - d ^ 2, v >= 0, d >= 0, v >= 0, ep > 0, b > 0, amax > 0, d >= 0 ==> v <= vdes -> \forall R a_3; ( a_3 >= 0 & a_3 <= amax -> ( m - z <= (amax / b + 1) * ep * v + (v ^ 2 - d ^ 2) / (2 * b) + (amax / b + 1) * amax * ep ^ 2 / 2 -> \forall R t0; ( t0 >= 0 -> \forall R ts0; (0 <= ts0 & ts0 <= t0 -> -b * ts0 + v >= 0 & ts0 + 0 <= ep) -> 2 * b * (m - 1 / 2 * (-b * t0 ^ * t0 * v + 2 * z)) >= (-b * t0 + v) ^ 2 - d ^ 2 & -b * t0 + v >= 0 & d >= 0)) & ( m - z > (amax / b + 1) * ep * v + (v ^ 2 - d ^ 2) / (2 * b) + (amax / b + 1) * amax * ep ^ 2 / 2 -> \forall R t2; ( t2 >= 0 -> \forall R ts2; (0 <= ts2 & ts2 <= t2 -> a_3 * ts2 + v >= 0 & ts2 + 0 <= ep) -> 2 * b * (m - 1 / 2 * (a_3 * t2 ^ * t2 * v + 2 * z)) >= (a_3 * t2 + v) ^ 2 - d ^ 2 & a_3 * t2 + v >= 0 & d >= 0))) André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

23 Practice Seems Disturbingly Bad! André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

24 Outline 1 otivation 2 Differential Logic dl Syntax Semantics Verification Calculus 3 Analysis of the European Train Control System 4 Combining Deduction and Algebraic Constraints Nondeterminisms in Branch Selection Nondeterminisms in Formula Selection Nondeterminisms in ode Selection Iterative Background Closure Strategy 5 Experimental Results 6 Conclusions & Future Work André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

25 odular Combination of Provers Deductive Prover ψ [α]φ R-Algebraic Elimination QE(Φ) Φ André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

26 odular Combination of Provers Deductive Prover ψ [α]φ key R-Algebraic Elimination QE(Φ) Φ André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

27 odular Combination of Provers Deductive Prover ψ [α]φ QE(key) key R-Algebraic Elimination QE(Φ) Φ André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

28 Tableaux Procedure for dl while t a b l e a u x T has open b r a n c h e s do B := s e l e c t B r a n c h (T) ( B nondeterminism ) := selectode (B) ( nondeterminism ) F := s e l e c t F o r m u l a s (B,) ( F nondeterminism ) i f = f o r e g r o u n d then B2 := r e s u l t o f a p p l y i n g a D r u l e or P r u l e to F i r e p l a c e B by B2 i n T e l s e send key F to background d e c i s i o n p r o c e d u r e QE r e c e i v e r e s u l t R from QE a p p l y a r u l e F3 F4 to T with QE r e s u l t R end i f end while André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

29 Tableaux Procedure for dl: Nondeterminisms Deductive Prover B ψ [α]φ F R-Algebraic Elimination QE(Φ) Φ André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

30 Tableaux Procedure for dl: Nondeterminisms Deductive Prover B ψ [α]φ F R-Algebraic Elimination QE(Φ) Φ B branch selection André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

31 Tableaux Procedure for dl: Nondeterminisms Deductive Prover B ψ [α]φ F R-Algebraic Elimination QE(Φ) Φ mode selection André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

32 Tableaux Procedure for dl: Nondeterminisms Deductive Prover B ψ [α]φ F R-Algebraic Elimination QE(Φ) Φ F formula selection André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

33 Tableaux Procedure for dl: Nondeterminisms Deductive Prover B ψ [α]φ F R-Algebraic Elimination QE(Φ) Φ no nondeterminism from closing substitutions André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

34 Tableaux Procedure for dl: Nondeterminisms Deductive Prover B ψ [α]φ F R-Algebraic Elimination QE(Φ) Φ uninterpreted FOL interpreted dl uninterpreted symbols interpreted symbols close by substitution close by arithmetic close needs backtracking equivalent QE elimination closing is cheap arithmetic is O(2 2n ) André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

35 Nondeterminisms in Branch Selection harmless because no closing substitutions B ψ [α]φ F André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

36 Nondeterminisms in Formula Selection In principle: simple Φ closes Ψ Φ closes B ψ [α]φ F André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

37 Nondeterminisms in Formula Selection In principle: simple Φ closes Ψ Φ closes In practice: irrelevant formulas distract QE considerably Partially necessary ETCS constraint: SB v 2 ( a ) ( a ) 2b + b ε2 + εv B ψ [α]φ F André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

38 Nondeterminisms in Formula Selection In principle: simple Φ closes Ψ Φ closes In practice: irrelevant formulas distract QE considerably B ψ [α]φ F t > 0, a + 1/tv 0, ε t, t 0, m z v 2 /(2b) + (a/b + 1)(a/2ε 2 + εv), 2b(m z) v 2, v 0, 2b(m z 0 ) v0 2, v 0 0, ε 0, b > 0, a 0 (at + v) 2 2b(m 1/2(at 2 + 2tv + 2z)) 24h André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

39 Nondeterminisms in Formula Selection In principle: simple Φ closes Ψ Φ closes In practice: irrelevant formulas distract QE considerably B ψ [α]φ F t > 0, a + 1/tv 0, ε t, t 0, m z v 2 /(2b) + (a/b + 1)(a/2ε 2 + εv), 2b(m z) v 2, v 0, 2b(m z 0 ) v0 2, v 0 0, (initial state) ε 0, b > 0, a 0 (at + v) 2 2b(m 1/2(at 2 + 2tv + 2z)) 24h André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

40 Nondeterminisms in Formula Selection In principle: simple Φ closes Ψ Φ closes In practice: irrelevant formulas distract QE considerably t > 0, a + 1/tv 0, ε t, t 0, m z v 2 /(2b) + (a/b + 1)(a/2ε 2 + εv), 2b(m z) v 2, v 0, B ψ [α]φ 1s F ε 0, b > 0, a 0 (at + v) 2 2b(m 1/2(at 2 + 2tv + 2z)) André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

41 Nondeterminisms in ode Selection In principle: only background closure, anything could close B ψ [α]φ F André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

42 Nondeterminisms in ode Selection In principle: only background closure, anything could close In practice: some QE never terminate B ψ [α]φ F André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

43 Nondeterminisms in ode Selection In principle: only background closure, anything could close In practice: some QE never terminate B ψ [α]φ F André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

44 Nondeterminisms in ode Selection In principle: only background closure, anything could close In practice: some QE never terminate B ψ [α]φ F eager: infeasible André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

45 Nondeterminisms in ode Selection In principle: only background closure, anything could close In practice: some QE never terminate B ψ [α]φ F lazy: waste eager: infeasible André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

46 Nondeterminisms in ode Selection In principle: only background closure, anything could close In practice: some QE never terminate B ψ [α]φ F lazy: waste eager: infeasible André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

47 Nondeterminisms in ode Selection In principle: only background closure, anything could close In practice: some QE never terminate Syntactic representational redundancy B ψ [α]φ F ψ v 2 2b(m z) ψ (z 0 v 0) ψ v 2 2b(m z) (z 0 v 0) redundant duplication or case distinction improvement? André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

48 Nondeterminisms in ode Selection In principle: only background closure, anything could close In practice: some QE never terminate Syntactic representational redundancy Semantic representational redundancy B ψ [α]φ F b v 2 /(2m 2z) m z z < m v 2 2b(m z) valid reduction but perfectly useless ( proof loops) André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

49 How to Navigate among Nondeterminisms? André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

50 Proof Strategy Priorities for Formula Selection accept QE if variable eliminated ensures progress and termination 1 arithmetic rules if variable eliminated 2 propositional rules P1 P4, P8 P9 on modalities 3 dynamic rules 4 splitting rules P5 P7 on modalities 5 arithmetic rules if variable eliminated 6 propositional rules P1 P9 on first-order formulas B ψ [α]φ F André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

51 Iterative Background Closure (IBC) Strategy B ψ [α]φ F background timeout André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

52 Iterative Background Closure (IBC) Strategy B ψ [α]φ F background timeout Periodical background arithmetic with increasing timeout after split Avoid splitting in average case Split prohibitively complicated cases André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

53 Outline 1 otivation 2 Differential Logic dl Syntax Semantics Verification Calculus 3 Analysis of the European Train Control System 4 Combining Deduction and Algebraic Constraints Nondeterminisms in Branch Selection Nondeterminisms in Formula Selection Nondeterminisms in ode Selection Iterative Background Closure Strategy 5 Experimental Results 6 Conclusions & Future Work André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

54 Full European Train Control System system : ( ) poll; (negot (speedcontrol; atp; move)) init : drive := 0; brake := 1 poll : SB := v 2 d 2 2b + ( a max b + 1 )( a max 2 ε2 + εv ) ; ST := negot : (?m z > ST ) (?m z ST ; rbc) rbc : (vdes := ;?vdes > 0) (state := brake) ( d old := d; m old := m; m := ; d := ;?d 0 dold 2 d 2 2b(m m old ) ) speedctrl : (?state ( = brake; a := b)?state = drive; ( (?v vdes ; a := ;? b a a max ) (?v v des ; a := ;?0 > a b) )) atp : (?m z SB; a := b) (?m z > SB) move : t := 0; {ż = v, v = a, ṫ = 1, (v 0 t ε)} André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

55 Full European Train Control System provable automatically with IBC! only 1 ( 52 user interaction + reduced verification) time! system : poll; (negot (speedcontrol; atp; move)) init : drive := 0; brake := 1 poll : SB := v 2 d 2 2b + ( a max b + 1 )( a max 2 ε2 + εv ) ; ST := negot : (?m z > ST ) (?m z ST ; rbc) rbc : (vdes := ;?vdes > 0) (state := brake) ( d old := d; m old := m; m := ; d := ;?d 0 dold 2 d 2 2b(m m old ) ) speedctrl : (?state ( = brake; a := b)?state = drive; ( (?v vdes ; a := a max ) (?v v des ; a := b) )) atp : (?m z SB; a := b) (?m z > SB) move : t := 0; {ż = v, v = a, ṫ = 1, (v 0 t ε)} André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

56 Preliminary Experimental Results Case Study Interactions IBC No IBC ETCS-binary 1 89s >8h ETCS-binary 2 <89s 1184s ETCS-binary 3 <89s 30s ETCS s ETCS 2 500s ETCS s ETCS-optimal 2 >3h ETCS-binary 1 89s ETCS s ETCS 2 271s Water tank 1 4.7s André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

57 Outline 1 otivation 2 Differential Logic dl Syntax Semantics Verification Calculus 3 Analysis of the European Train Control System 4 Combining Deduction and Algebraic Constraints Nondeterminisms in Branch Selection Nondeterminisms in Formula Selection Nondeterminisms in ode Selection Iterative Background Closure Strategy 5 Experimental Results 6 Conclusions & Future Work André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

58 Future Work ore experimental evaluation ore examples (currently: 4) Effect of strategy variations Guide variable selection André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

Conclusions differential dynamic logic dl = DL + HP Deductively

challenging nondeterminism Tremendous impact of Iterative

Verification tool HyKeY André Platzer (University of Oldenburg)

59 Conclusions differential dynamic logic dl = DL + HP Deductively verify hybrid systems Practical perspective Surprisingly challenging nondeterminism Tremendous impact of Iterative Background Closure (IBC) Train control (ETCS) verification Verification tool HyKeY André Platzer (University of Oldenburg) Combining Deduction & Algebraic Constraints / Hybrid Systems Verify / 23

KeYmaera: A Hybrid Theorem Prover for Hybrid Systems

KeYmaera: A Hybrid Theorem Prover for Hybrid Systems André Platzer Jan-David Quesel University of Oldenburg, Department of Computing Science, Germany International Joint Conference on Automated Reasoning,