The Complete Proof Theory of Hybrid Systems

© 2012 IEEE. 2012 27th Annual ACM/IEEE Symposium on Logic in Computer Science

André Platzer
Computer Science Department, Carnegie Mellon University, Pittsburgh, USA
[email protected]

Abstract—Hybrid systems are a fusion of continuous dynamical systems and discrete dynamical systems. They freely combine dynamical features from both worlds. For that reason, it has often been claimed that hybrid systems are more challenging than continuous dynamical systems and than discrete systems. We now show that, proof-theoretically, this is not the case. We present a complete proof-theoretical alignment that interreduces the discrete dynamics and the continuous dynamics of hybrid systems. We give a sound and complete axiomatization of hybrid systems relative to continuous dynamical systems and a sound and complete axiomatization of hybrid systems relative to discrete dynamical systems. Thanks to our axiomatization, proving properties of hybrid systems is exactly the same as proving properties of continuous dynamical systems and again, exactly the same as proving properties of discrete dynamical systems. This fundamental cornerstone sheds light on the nature of hybridness and enables flexible and provably perfect combinations of discrete reasoning with continuous reasoning that lift to all aspects of hybrid systems and their fragments.

Index Terms—proof theory; hybrid dynamical systems; differential dynamic logic; axiomatization; completeness

I. INTRODUCTION

Hybrid systems are dynamical systems that combine discrete dynamics and continuous dynamics. They play an important role, e.g., in modeling systems that use computers to control physical systems. Hybrid systems feature (iterated) difference equations for discrete dynamics and differential equations for continuous dynamics. They, further, combine conditional switching, nondeterminism, and repetition. The theory of hybrid systems concluded that very limited classes of systems are undecidable [4], [6], [16]. Most hybrid systems research since focused on practical approaches for efficient approximate reachability analysis for classes of hybrid systems [3], [7], [13], [27]. Undecidability also did not stop researchers in program verification from making impressive progress. This progress, however, concerned both the practice and the theory, where logic was the key to studying the theory beyond undecidability [8], [14], [15], [21], [28].

We take a logical perspective, with which we study the logical foundations of hybrid systems and obtain interesting proof-theoretical relationships in spite of undecidability. We have developed a logic and proof calculus for hybrid systems [23], [25] in which it becomes meaningful to investigate concepts like "what is true for a hybrid system" and "what can be proved about a hybrid system" and investigate how they are related. Our proof calculus is sound, i.e., all it can prove is true. Soundness should be sine qua non for formal verification, but is so complex for hybrid systems [7], [27] that it is often inadvertently forsaken. In logic, we can simply ensure soundness by checking it locally per proof rule.

More intriguingly, however, our logical setting also enables us to ask the converse: is the proof calculus complete, i.e., can it prove all that is true? A corollary to Gödel's incompleteness theorem shows that hybrid systems do not have a sound and complete calculus that is fully effective, because both their discrete fragment and their continuous fragment alone are nonaxiomatizable since each can define integer arithmetic [23, Theorem 2]. But logic can do better. The suitability of an axiomatization can still be established by showing completeness relative to a fragment [8], [15]. This relative completeness, in which we assume we were able to prove valid formulas in a fragment and prove that we can then prove all others, also tells us how subproblems are related computationally. It tells us whether one subproblem dominates the others. Standard relative completeness [8], [15], however, which works relative to the data logic, is inadequate for hybrid systems, whose complexity comes from the dynamics, not the data logic, first-order real arithmetic, which is decidable [30].

In this paper, we answer an open problem about hybrid systems proof theory [23]. We prove that differential dynamic logic (dL), which is a logic of hybrid systems, has a sound and complete axiomatization relative to its discrete fragment. This is the first discrete relative completeness result for hybrid systems.

Together with our previous result of a sound and complete axiomatization of hybrid systems relative to the continuous fragment of dL [23], we obtain a complete alignment of the proof theories of hybrid systems, of continuous dynamical systems, and of discrete dynamical systems. Even though these classes of dynamical systems seem to have quite different intuitive expressiveness, their proof theories actually align perfectly and make them (provably) interreducible. Our dL calculus can prove properties of hybrid systems exactly as well as properties of continuous systems can be proved, which, in turn, our calculus can do exactly as well as discrete systems can be proved. Exactly as well as any one of those subquestions can be solved, dL can solve all others. Relative to the fragment for either system class, our dL calculus can prove all valid properties for the others. It lifts any approximation for the fragment perfectly to all hybrid systems. This also defines a relative decision procedure for dL sentences, because our completeness proofs are constructive.

On top of its theoretical value and the full provability alignment that our new result shows, our discrete completeness result is significant in that—in computer science and verification—programs are closer to being understood than differential equations. Well-established and (partially) automated machinery exists for classical program verification, which, according to our result, has unexpected direct applications in hybrid systems. Completeness relative to discrete systems increases the confidence that discrete computers can solve hybrid systems questions at all. Conversely, control theory provides valuable tools for understanding continuous systems. Previously, it had been just as hard to generalize discrete computer science techniques to continuous questions as it has been to generalize continuous control approaches to discrete phenomena, let alone to the mixed case of hybrid systems. Overall, our results provide a perfect link between both worlds and allow—in a sound and complete, and constructive way—to combine the best of both worlds. dL allows discrete reasoning as well as continuous reasoning within one single logic and proof system. The dL calculus links and transfers one side of reasoning in a provably perfect (that is, sound and complete) way to the other side. For whatever question about a hybrid system (or its fragments) a discrete approach is more natural or promising, dL lifts this reasoning in a perfect way to continuous systems, and to hybrid systems, and vice versa for any part where a continuous approach is more useful.

This complete alignment of the proof theories is a fundamental cornerstone for understanding hybridness and relations between discrete and continuous dynamics. In a nutshell, we show that we can proof-theoretically equate:

"hybrid = continuous = discrete"

II. DIFFERENTIAL DYNAMIC LOGIC

A. Regular Hybrid Programs

We use (regular) hybrid programs (HP) [23] as hybrid system models. HPs form a Kleene algebra with tests [19]. The atomic HPs are instantaneous discrete jump assignments $x := \theta$, tests $?\chi$ of a first-order formula $\chi$ of real arithmetic, and differential equation (systems) $x' = \theta \,\&\, \chi$ for a continuous evolution restricted to the domain of evolution described by $\chi$ [25]. We, e.g., write $x' = \theta$ for the unrestricted differential equation $x' = \theta \,\&\, \mathit{true}$. We allow differential equation systems and use vectorial notation. Vectorial assignments are definable from scalar assignments (and $;$).

A state $\nu$ is a mapping from variables to $\mathbb{R}$. Hence $\nu(x) \in \mathbb{R}$ is the value of variable $x$ in state $\nu$. The set of states is denoted $\mathcal{S}$. We denote the value of term $\theta$ in $\nu$ by $[\![\theta]\!]_\nu$. Each HP $\alpha$ is interpreted semantically as a binary reachability relation $\rho(\alpha)$ over states, defined inductively by:

• $\rho(x := \theta) = \{(\nu, \omega) : \omega = \nu \text{ except that } [\![x]\!]_\omega = [\![\theta]\!]_\nu\}$
• $\rho(?\chi) = \{(\nu, \nu) : \nu \models \chi\}$
• $\rho(x' = \theta \,\&\, \chi) = \{(\varphi(0), \varphi(r)) : \varphi(t) \models x' = \theta \text{ and } \varphi(t) \models \chi \text{ for all } 0 \le t \le r \text{ for a solution } \varphi : [0, r] \to \mathcal{S} \text{ of any duration } r\}$; i.e., with $\varphi(t)(x') \overset{\text{def}}{=} \frac{d\varphi(\zeta)(x)}{d\zeta}(t)$, $\varphi$ solves the differential equation and satisfies $\chi$ at all times [23]
• $\rho(\alpha \cup \beta) = \rho(\alpha) \cup \rho(\beta)$
• $\rho(\alpha; \beta) = \rho(\beta) \circ \rho(\alpha)$
• $\rho(\alpha^*) = \bigcup_{n \in \mathbb{N}} \rho(\alpha^n)$ with $\alpha^{n+1} \equiv \alpha^n; \alpha$ and $\alpha^0 \equiv\ ?\mathit{true}$.

We refer to our book [25] for a comprehensive background. We also refer to [25] for an elaboration of how the case $r = 0$ (in which the only condition is $\varphi(0) \models \chi$) is captured by the above definition. To avoid technicalities, we consider only polynomial differential equations, which are all smooth.

B. dL Formulas

The formulas of differential dynamic logic (dL) are defined by the grammar (where $\varphi, \psi$ are dL formulas, $\theta_1, \theta_2$ terms, $x$ a variable, $\alpha$ a HP):

$$\varphi, \psi ::= \theta_1 \ge \theta_2 \mid \neg\varphi \mid \varphi \wedge \psi \mid \forall x\, \varphi \mid [\alpha]\varphi$$

The satisfaction relation $\nu \models \varphi$ is as usual in first-order logic (of real arithmetic) with the addition that $\nu \models [\alpha]\varphi$ iff $\omega \models \varphi$ for all $\omega$ with $(\nu, \omega) \in \rho(\alpha)$. The operator $\langle\alpha\rangle$ dual to $[\alpha]$ is defined by $\langle\alpha\rangle\varphi \equiv \neg[\alpha]\neg\varphi$. Consequently, $\nu \models \langle\alpha\rangle\varphi$ iff $\omega \models \varphi$ for some $\omega$ with $(\nu, \omega) \in \rho(\alpha)$. Operators $=, >, \le, <, \vee, \to, \leftrightarrow, \exists x$ can be defined as usual in first-order logic. A dL formula $\varphi$ is valid, written $\models \varphi$, iff $\nu \models \varphi$ for all states $\nu$.

C. Axiomatization

Our axiomatization of dL is shown in Fig.
