
15-424: Foundations of Cyber-Physical Systems

Lecture Notes on
Foundations of Cyber-Physical Systems
Andre Platzer
Carnegie Mellon University
Lecture 0

1 Overview
Cyber-physical systems (CPSs) combine cyber capabilities (computation and/or communication) with physical capabilities (motion or other physical processes). Cars, aircraft,
and robots are prime examples, because they move physically in space in a way that is
determined by discrete computerized control algorithms. Designing these algorithms
to control CPSs is challenging due to their tight coupling with physical behavior. At the
same time, it is vital that these algorithms be correct, since we rely on CPSs for safety-critical tasks like keeping aircraft from colliding. In this course we will strive to answer
the fundamental question posed by Jeannette Wing:
How can we provide people with cyber-physical systems they can bet their
lives on?
Students who successfully complete this course will:
- Understand the core principles behind CPSs.
- Develop models and controls.
- Identify safety specifications and critical properties of CPSs.
- Understand abstraction and system architectures.
- Learn how to design by invariant.
- Reason rigorously about CPS models.
- Verify CPS models of appropriate scale.
- Understand the semantics of a CPS model.
- Develop an intuition for operational effects.

Andre Platzer, 15-424 Lecture Notes
The cornerstone of our course design is hybrid programs (HPs), which capture relevant dynamical aspects of CPSs in a simple programming language with a simple
semantics. One important aspect of HPs is that they directly allow the programmer to
refer to real-valued variables representing real quantities and specify their dynamics as
part of the HP.
This course will give you the required skills to formally analyze the CPSs that are
all around us, from power plants to pacemakers and everything in between, so that
when you contribute to the design of a CPS, you are able to understand important
safety-critical aspects and feel confident designing and analyzing system models. It
will provide an excellent foundation for students who seek industry positions and for
students interested in pursuing research.

2 Course Materials
Course material will be made available on the course web page [1]. There also is an optional textbook:
Andre Platzer, Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics. Springer, 2010.
More information on the design of the undergraduate course Foundations of Cyber-Physical Systems can be found in the Course Syllabus [2].

[1] http://symbolaris.com/course/fcps13.html
[2] http://symbolaris.com/course/15424-syllabus.pdf


3 Lectures
This course consists of the following sequence of lectures (lecture notes are hyperlinked):
1. Cyber-physical systems: introduction
2. Differential equations & domains
3. Choice & control
4. Safety & contracts
5. Dynamical systems & dynamic axioms
6. Truth & proof
7. Control loops & invariants
8. Events & delays
9. Proofs & arithmetic
10. Differential equations & differential invariants
11. Differential equations & proofs
12. Dynamic logic & dynamical systems
13. Differential invariants & proof theory
14. Ghosts & differential ghosts
15. Trains & proofs
16. Differential & temporal logic
17. Differential & temporal proofs
18. Virtual substitution & real equations
19. Virtual substitution & real arithmetic
20. Hybrid systems & games
21. Winning strategies & regions
22. Winning & proving hybrid games
23. Game proofs & separations
24. Logical theory & completeness
25. Logical foundations of CPS


15-424: Foundations of Cyber-Physical Systems

Lecture Notes on
Differential Equations & Domains
Andre Platzer
Carnegie Mellon University
Lecture 2

1. Introduction
In the last lecture, we have learned about the characteristic features of cyber-physical systems (CPS): they combine cyber capabilities (computation and/or communication) with
physical capabilities (motion or other physical processes). Cars, aircraft, and robots are
prime examples, because they move physically in space in a way that is determined by
discrete computerized control algorithms. Designing these algorithms to control CPSs
is challenging due to their tight coupling with physical behavior. At the same time, it is
vital that these algorithms be correct, since we rely on CPSs for safety-critical tasks like
keeping aircraft from colliding.
Since CPS combine cyber and physical capabilities, we need to understand both to
understand CPS. It is not enough to understand both in isolation, though, because we
also need to understand how the cyber and the physics work together, i.e. what happens when they interface and interact, because this is what CPSs are all about.
You already have experience with models of computation and algorithms for the
cyber part of CPS, because you have seen the use of programming languages for computer programming in previous courses. In CPS, we do not program computers, but
program CPS instead. So we program computers that interact with physics to achieve
their goals. In this lecture, we study models of physics and the most elementary part of
how they can interact with cyber. Physics by and large is obviously a deep subject. But
for CPS one of the most fundamental models of physics is sufficient, that of ordinary
differential equations.
While this lecture covers the most important parts of differential equations, it is not
to be understood as doing complete diligence to the area of ordinary differential equations. You are advised to refer back to your differential equations course and follow the

15-424 Lecture Notes, August 28, 2013, Andre Platzer

supplementary information [1] available on the course web page as needed during this course. We refer to the book by Walter [Wal98] for details and proofs about differential equations. For further background on differential equations, we refer you to the literature [Har64, Rei71, EEHJ96].
These lecture notes are based on material on cyber-physical systems, hybrid programs, and logic [Pla12, Pla10, Pla08, Pla07]. Cyber-physical systems play an important role in numerous domains [PCA07, LS10, LSC+12] with applications in cars [DGV96], aircraft [TPS98], robots [PKV09], and power plants [FKV04], chemical processes [RKR10, KGDB10], medical models [GBF+11, KAS+11], and even for understanding biological systems [Tiw11].
More information about CPS can be found in [Pla10, Chapter 1]. Differential equations and domains are described in more detail in [Pla10, Chapters 2.2, 2.3].

2. Differential Equations as Models of Continuous Physical Processes

Differential equations model processes in which the (state) variables of a system evolve continuously in time. A differential equation concisely describes how the system evolves over time. It describes how the variables change locally, so it, basically, indicates the direction in which the variables evolve at each point in space. Fig. 1 shows the respective directions in which the system evolves by a vector at each point and illustrates one solution which follows those vectors everywhere. Of course, the figure would be rather cluttered if we literally tried to indicate the vector at each and every point, of which there are uncountably infinitely many. But this is a shortcoming only of our illustration. Differential equations actually define such a vector for the direction of evolution at every point in space.

Figure 1: Vector field and one solution of a differential equation

[1] http://symbolaris.com/course/fcps13-resources.html


As an example, suppose we have a car whose position is denoted by x. How the value of variable x changes over time depends on how fast the car is driving. Let v denote the velocity of the car. Since v is the velocity of the car, its position x changes such that its derivative $x'$ is v, which we write as the differential equation $x' = v$. This differential equation is supposed to mean that the time-derivative of the position x is the velocity v. So how x evolves depends on v. If the velocity is v = 0, then the position x does not change at all. If v > 0, then the position x keeps on increasing. How fast x increases depends on the value of v: bigger v gives quicker changes in x.
Of course, the velocity v, itself, may also be subject to change over time. The car might accelerate, so let a denote its acceleration. Then the velocity v changes with time-derivative a, so $v' = a$. Overall, the car then follows the differential equation (system):[2]
$$x' = v, \qquad v' = a$$
That is, the position x of the car changes with time-derivative v, which, in turn, changes with time-derivative a.
What we mean by this differential equation, intuitively, is that the system has a vector field where all vectors point into direction a. What does this mean exactly?

3. The Meaning of Differential Equations

We have related some intuitive concept to how differential equations describe the direction of the evolution of a system as a vector field (Fig. 1). But what exactly is a vector field? What does it mean to describe directions of evolutions at every point in space? Could these directions not possibly contradict each other so that the description becomes ambiguous? What is the exact meaning of a differential equation in the first place?
The only way to truly understand any system is to understand exactly what each
of its pieces does. CPSs are demanding and misunderstandings about their effect often
have far-reaching consequences. The physical impacts of CPSs do not leave much room
for failure, so we immediately want to get into the mood of consistently studying the
behavior and exact meaning of all relevant aspects of CPS.
An ordinary differential equation in explicit form is an equation $y'(t) = f(t, y)$ where $y'(t)$ is meant to be the derivative of y with respect to time t. A solution is a differentiable function Y which satisfies this equation when substituted in the differential equation, i.e., when substituting Y(t) for y and the derivative $Y'(t)$ of Y at t for $y'(t)$.
Definition 1 (Ordinary differential equation). Let $f : D \to \mathbb{R}^n$ be a function on a domain $D \subseteq \mathbb{R} \times \mathbb{R}^n$. The function $Y : I \to \mathbb{R}^n$ is a solution on the interval $I \subseteq \mathbb{R}$ of the initial value problem
$$y'(t) = f(t, y), \qquad y(t_0) = y_0 \tag{1}$$
with ordinary differential equation (ODE) $y' = f(t, y)$, if, for all $t \in I$:
1. $(t, Y(t)) \in D$,
2. $Y'(t)$ exists and $Y'(t) = f(t, Y(t))$,
3. $Y(t_0) = y_0$.
If $f : D \to \mathbb{R}^n$ is continuous, then it is easy to see that $Y : I \to \mathbb{R}^n$ is continuously differentiable. Similarly, if f is k-times continuously differentiable, then Y is (k+1)-times continuously differentiable. The definition is accordingly for higher-order differential equations, i.e., differential equations involving higher-order derivatives $y^{(n)}(t)$ for n > 1.

[2] Note that the value of x changes over time, so it is really a function of time. Hence, the notation $x'(t) = v(t), v'(t) = a$ is sometimes used. It is customary, however, to suppress the argument t for time and just write $x' = v, v' = a$ instead.
Let us consider the intuition for this definition. A differential equation (system) can
be thought of as a vector field such as the one in Fig. 1, where, at each point, the vector
shows in which direction the solution evolves. At every point, the vector would correspond to the right-hand side of the differential equation. A solution of a differential
equation adheres to this vector field at every point, i.e., the solution (e.g., the solid line
in Fig. 1) locally follows the direction indicated by the vector of the right-hand side of
the differential equation. There are many solutions of the differential equation corresponding to the vector field illustrated in Fig. 1. For the particular initial value problem, however, a solution also has to start at the position y0 at time t0 and then follow
the differential equations or vector field from this point. In general, there could still be
multiple solutions for the same initial value problem.
Example 2. Some differential equations are easy to solve. The initial value problem
$$x'(t) = 5, \qquad x(0) = 2$$
has a solution $x(t) = 5t + 2$. This can be checked easily by inserting the solution into the differential equation and initial value equation:
$$(x(t))' = (5t + 2)' = 5, \qquad x(0) = 5 \cdot 0 + 2 = 2$$
Example 3. Consider the initial value problem
$$x'(t) = 2x, \qquad x(1) = 3$$
which has a solution $x(t) = 3e^{2(t-1)}$. The test, again, is to insert the solution into the (differential) equations of the initial value problem and check:
$$(3e^{2(t-1)})' = 6e^{2(t-1)} = 2x(t), \qquad x(1) = 3e^{2(1-1)} = 3$$


Example 4. Consider the differential equation system $z' = v, v' = a$ and the initial value problem
$$z'(t) = v(t), \quad v'(t) = a, \qquad z(0) = z_0, \quad v(0) = v_0$$
Note that this initial value problem is a symbolic initial value problem with symbols $z_0, v_0$ as initial values (not specific numbers like 5 and 2.3). Moreover, the differential equation has a constant symbol a, and not a specific number like 0.6, in the differential equation. In vectorial notation, the initial value problem with this differential equation system corresponds to a vectorial system when we denote $y(t) := (z(t), v(t))$, i.e., with dimension n = 2 in Def. 1:
$$y'(t) = \begin{pmatrix} z \\ v \end{pmatrix}'(t) = \begin{pmatrix} v(t) \\ a \end{pmatrix}, \qquad y(0) = \begin{pmatrix} z \\ v \end{pmatrix}(0) = \begin{pmatrix} z_0 \\ v_0 \end{pmatrix}$$
The solution of this initial value problem is
$$z(t) = \frac{a}{2} t^2 + v_0 t + z_0, \qquad v(t) = at + v_0$$
We can show that this is the solution by inserting the solution into the (differential) equations of the initial value problem and checking:
$$\left(\frac{a}{2} t^2 + v_0 t + z_0\right)' = 2 \frac{a}{2} t + v_0 = v(t), \qquad (at + v_0)' = a$$
$$z(0) = \frac{a}{2} 0^2 + v_0 \cdot 0 + z_0 = z_0, \qquad v(0) = a \cdot 0 + v_0 = v_0$$

Example 5. Consider the differential equation system $x' = y, y' = -x$ and the initial value problem
$$x'(t) = y(t), \quad y'(t) = -x(t), \qquad x(0) = 1, \quad y(0) = 1$$
The solution of this initial value problem is
$$x(t) = \cos(t) + \sin(t), \qquad y(t) = \cos(t) - \sin(t)$$
We can show that this is the solution by inserting the solution into the (differential) equations of the initial value problem and checking:
$$(\cos(t) + \sin(t))' = -\sin(t) + \cos(t) = y(t), \qquad (\cos(t) - \sin(t))' = -\sin(t) - \cos(t) = -x(t)$$
$$x(0) = \cos(0) + \sin(0) = 1, \qquad y(0) = \cos(0) - \sin(0) = 1$$

Note 1 (Descriptive power of differential equations). As a general phenomenon, observe that solutions of differential equations can be much more involved than the differential equations themselves, which is part of the representational and descriptive power of
differential equations.
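The solution checks in Examples 2 to 5 substitute a closed-form solution into the equations. The added example below (my code, not part of the lecture notes) instead follows the vector field of Examples 3 to 5 numerically with the classical fourth-order Runge-Kutta method and measures how far the computed trajectory strays from the closed-form solution the text claims. The constant a and the initial values z0, v0 of Example 4, as well as all function names, are constructed for this example.

```python
import math


def _axpy(y, s, k):
    """Component-wise y + s*k for tuples (a small vector helper)."""
    return tuple(yi + s * ki for yi, ki in zip(y, k))


def rk4_trajectory(f, t0, y0, t1, steps):
    """Follow the vector field y' = f(t, y) from (t0, y0) up to time t1 with the
    classical 4th-order Runge-Kutta method. Returns the list of (t, y) points
    visited, y being a tuple with one entry per state variable, i.e. a discrete
    approximation of the solution Y on [t0, t1] in the sense of Definition 1."""
    h = (t1 - t0) / steps
    t, y = t0, tuple(y0)
    traj = [(t, y)]
    for _ in range(steps):
        k1 = f(t, y)
        k2 = f(t + h / 2, _axpy(y, h / 2, k1))
        k3 = f(t + h / 2, _axpy(y, h / 2, k2))
        k4 = f(t + h, _axpy(y, h, k3))
        y = tuple(yi + h / 6 * (a + 2 * b + 2 * c + d)
                  for yi, a, b, c, d in zip(y, k1, k2, k3, k4))
        t += h
        traj.append((t, y))
    return traj


# Constructed values for the symbolic quantities of Example 4 (the notes keep them symbolic).
A_CONST, Z0, V0 = -2.0, 0.0, 4.0

# The initial value problems of Examples 3 to 5: right-hand side f(t, y), start (t0, y0),
# the closed-form solution stated in the text, and the end time of the comparison.
IVPS = {
    # Example 3: x' = 2x, x(1) = 3, solution x(t) = 3 e^{2(t-1)}
    "example3": dict(f=lambda t, y: (2 * y[0],), t0=1.0, y0=(3.0,), t1=2.0,
                     exact=lambda t: (3 * math.exp(2 * (t - 1)),)),
    # Example 4: z' = v, v' = a, z(0) = z0, v(0) = v0,
    # solution z(t) = a/2 t^2 + v0 t + z0, v(t) = a t + v0
    "example4": dict(f=lambda t, y: (y[1], A_CONST), t0=0.0, y0=(Z0, V0), t1=3.0,
                     exact=lambda t: (A_CONST / 2 * t * t + V0 * t + Z0, A_CONST * t + V0)),
    # Example 5: x' = y, y' = -x, x(0) = y(0) = 1,
    # solution x(t) = cos t + sin t, y(t) = cos t - sin t
    "example5": dict(f=lambda t, y: (y[1], -y[0]), t0=0.0, y0=(1.0, 1.0), t1=2 * math.pi,
                     exact=lambda t: (math.cos(t) + math.sin(t), math.cos(t) - math.sin(t))),
}


def max_deviation(name, steps=1000):
    """Largest distance (max norm) between the numerically followed trajectory and the
    closed-form solution of the named example, over all points of the trajectory."""
    ivp = IVPS[name]
    traj = rk4_trajectory(ivp["f"], ivp["t0"], ivp["y0"], ivp["t1"], steps)
    return max(abs(p - q) for t, pt in traj for p, q in zip(pt, ivp["exact"](t)))


def other_solution_of_same_field(steps=1000):
    """The vector field of Example 5 has many solutions (Section 3); the initial value
    picks one of them. From x(0) = 1, y(0) = 0 the field is followed to the solution
    x(t) = cos t, y(t) = -sin t instead. Returns the deviation from that solution."""
    traj = rk4_trajectory(IVPS["example5"]["f"], 0.0, (1.0, 0.0), 2 * math.pi, steps)
    return max(abs(p - q) for t, pt in traj for p, q in zip(pt, (math.cos(t), -math.sin(t))))
```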

4. Domains of Differential Equations

Now we understand exactly what a differential equation is and how it describes a continuous physical process. In CPS, however, physical processes interact with cyber elements such as computers. When and how do physics and cyber elements interact? The
first thing we need to understand for that is how to describe when physics stops so that
the cyber elements take control of what happens next. Obviously, physics does not literally stop evolving, but rather keeps on evolving all the time. Yet, the cyber parts only
take effect every now and then. So, our intuition may imagine physics pauses for a
period of duration 0 and lets the cyber take action to influence the inputs that physics
is based on.
The cyber and the physics could interface in more than one way. Physics might
evolve and the cyber elements interrupt to inspect measurements about the state of
the system periodically to decide what to do next. Or the physics might trigger certain
conditions that cause cyber elements to compute their responses. Another way to look
at that is that a differential equation that a system follows forever without further intervention by anything would not describe a particularly well-controlled system. All those
ways have in common that our model of physics needs to come up with information
about when it stops evolving to give cyber a chance to perform its task.
This information is what is called an evolution domain H of a differential equation,
which describes a region that the system cannot leave. If the system were ever about
to leave this region, it would stop evolving right away before it leaves the evolution
domain.


Note 2. A differential equation $x' = f(x)$ with evolution domain H is denoted by
$$x' = f(x) \,\&\, H$$
This notation $x' = f(x) \,\&\, H$ signifies that the system follows the differential equation $x' = f(x)$ for any duration, but is never allowed to leave the region described by H. So the system evolution has to stop while the state is still in H.
If, e.g., t is a time variable with $t' = 1$, then $x' = v, v' = a, t' = 1 \,\&\, t \leq \varepsilon$ describes a system that follows the differential equation at most until time $t = \varepsilon$ and not any further. The evolution domain $H \stackrel{\text{def}}{\equiv} (v \geq 0)$, instead, restricts the system $x' = v, v' = a \,\&\, v \geq 0$ to nonnegative velocities. Should the velocity ever become negative while following the differential equation $x' = v, v' = a$, then the system stops before that happens.
In the scenario illustrated in Fig. 2, the system starts at time 0 inside the evolution domain that is depicted as a shaded green region in Fig. 2. Then the system follows the differential equation $x' = f(x)$ for any period of time, but has to stop before it leaves H. Here, it stops at time r.
[Figure 2 (image residue removed): two plots of x against time for the system $x' = f(x)$ with evolution domain H, starting at time 0]

Figure 2: System $x' = f(x) \,\&\, H$ follows the differential equation $x' = f(x)$ but cannot leave the (shaded) evolution domain H.
In contrast, consider the scenario shown on the right of Fig. 2. The system is not allowed to evolve until time s, because, even if the system is back in the evolution domain H at that time, it has left the evolution domain H between time r and s (indicated by dotted lines), which is not allowed. Consequently, the continuous evolution on the right of Fig. 2 will also stop at time r at the latest.
How can we properly describe the evolution domain H? We will need some logic for
that.

5. Continuous Programs: Syntax

After these preparations for understanding differential equations and domains, we start developing a programming language for cyber-physical systems. Ultimately, this programming language of hybrid programs will contain more features than just differential equations. But this most crucial feature is what we start with. This course develops this programming language and its understanding and its analysis in layers one after the other.
Continuous Programs. The first element of the syntax of hybrid programs is the following.
Note 3. Version 1 of hybrid programs (HPs) are continuous programs. These are defined by the following grammar (α is a HP, x a variable, θ a term possibly containing x, and H a formula of first-order logic of real arithmetic):
$$\alpha ::= x' = \theta \,\&\, H$$
This means that a hybrid program consists of a single statement of the form $x' = \theta \,\&\, H$. In later lectures, we will add more statements to hybrid programs, but focus on differential equations for now. The formula H is called the evolution domain constraint of the continuous evolution $x' = \theta \,\&\, H$. Further, x is allowed to be a vector of variables and, then, θ is a vector of terms of the same dimension. This corresponds to the case of differential equation systems such as:
$$x' = v, v' = a \,\&\, (v \geq 0 \land v \leq 10)$$
Differential equations are allowed without an evolution domain constraint H as well, for example:
$$x' = y, y' = x + y^2$$
which corresponds to choosing true for H, since the formula true is true everywhere and imposes no condition on the state.
Terms. A rigorous definition of the syntax of hybrid programs also depends on defining what a term θ is and what a formula H of first-order logic of real arithmetic is. A term θ is a polynomial term defined by the grammar (where θ, η are terms, x a variable, and c a rational number constant):
$$\theta, \eta ::= x \mid c \mid \theta + \eta \mid \theta \cdot \eta$$
This means that a term θ is either a variable x, or a rational number constant $c \in \mathbb{Q}$, or a sum of terms θ, η, or a product of terms θ, η. Subtraction θ − η is another useful case, but it turns out that it is already included, because subtraction can be defined by $\theta + (-1) \cdot \eta$.
First-order Formulas. The formulas of first-order logic of real arithmetic are defined as usual in first-order logic, yet using the language of real arithmetic. The formulas of first-order logic of real arithmetic are defined by the following grammar (where F, G are formulas of first-order logic of real arithmetic, θ, η are (polynomial) terms, and x a variable):
$$F, G ::= \theta = \eta \mid \theta \geq \eta \mid \neg F \mid F \land G \mid F \lor G \mid F \to G \mid F \leftrightarrow G \mid \forall x\, F \mid \exists x\, F$$
The usual abbreviations are allowed, such as $\theta \leq \eta$ for $\eta \geq \theta$ and $\theta < \eta$ for $\neg(\theta \geq \eta)$.

6. Continuous Programs: Semantics

Note 4 (Syntax vs. Semantics). Syntax just defines a notation. Its meaning is defined by the semantics.

Terms. The meaning of a continuous evolution $x' = \theta \,\&\, H$ depends on understanding the meaning of terms θ. A term θ is a syntactic expression. Its value depends on the interpretation of the variables contained in θ. What values those variables have changes depending on the state of the CPS. A state ν is a mapping from variables to real numbers. The set of states is denoted S.
Definition 6 (Valuation of terms). The value of term θ in state ν is denoted $[\![\theta]\!]_\nu$ and defined by induction on the structure of θ:
$$[\![x]\!]_\nu = \nu(x) \quad \text{if } x \text{ is a variable}$$
$$[\![c]\!]_\nu = c \quad \text{if } c \text{ is a rational constant}$$
$$[\![\theta + \eta]\!]_\nu = [\![\theta]\!]_\nu + [\![\eta]\!]_\nu$$
$$[\![\theta \cdot \eta]\!]_\nu = [\![\theta]\!]_\nu \cdot [\![\eta]\!]_\nu$$
In particular, the value of a variable-free term like $4 + 5 \cdot 2$ does not depend on the state ν. In this case, the value is 14. The value of a term with variables, like $4 + x \cdot 2$, depends on ν. Suppose ν(x) = 5, then $[\![4 + x \cdot 2]\!]_\nu = 14$. If ν(x) = 2, then $[\![4 + x \cdot 2]\!]_\nu = 8$.
First-order Formulas. Unlike for terms, the value of a logical formula is not a number but instead true or false. Whether a logical formula evaluates to true or false depends on the interpretation of its symbols. In first-order logic of real arithmetic, the meaning of all symbols except variables is fixed. The meaning of terms and of formulas of first-order logic of real arithmetic is as usual in first-order logic, except that + really means addition, · means multiplication, ≥ means greater or equals, and that the quantifiers ∀x and ∃x quantify over the reals.
Let $\nu_x^d$ denote the state that agrees with state ν except for the interpretation of variable x, which is changed to the value $d \in \mathbb{R}$:
$$\nu_x^d(y) = \begin{cases} d & \text{if } y \text{ is the variable } x \\ \nu(y) & \text{otherwise} \end{cases}$$
We write $\nu \models F$ to indicate that F evaluates to true in state ν and define it as follows.
Definition 7 (First-order logic semantics). The satisfaction relation $\nu \models F$ for a first-order formula F of real arithmetic in state ν is defined inductively:


- $\nu \models (\theta_1 = \theta_2)$ iff $[\![\theta_1]\!]_\nu = [\![\theta_2]\!]_\nu$.
- $\nu \models (\theta_1 \geq \theta_2)$ iff $[\![\theta_1]\!]_\nu \geq [\![\theta_2]\!]_\nu$.
- $\nu \models \neg F$ iff $\nu \not\models F$, i.e. if it is not the case that $\nu \models F$.
- $\nu \models F \land G$ iff $\nu \models F$ and $\nu \models G$.
- $\nu \models F \lor G$ iff $\nu \models F$ or $\nu \models G$.
- $\nu \models F \to G$ iff $\nu \not\models F$ or $\nu \models G$.
- $\nu \models F \leftrightarrow G$ iff ($\nu \models F$ and $\nu \models G$) or ($\nu \not\models F$ and $\nu \not\models G$).
- $\nu \models \forall x\, F$ iff $\nu_x^d \models F$ for all $d \in \mathbb{R}$.
- $\nu \models \exists x\, F$ iff $\nu_x^d \models F$ for some $d \in \mathbb{R}$.
If $\nu \models F$, then we say that F is true at ν or that ν is a model of F. A formula F is valid, written $\models F$, iff $\nu \models F$ for all states ν. A formula F is a consequence of a set of formulas Γ, written $\Gamma \models F$, iff, for each ν: $\nu \models G$ for all $G \in \Gamma$ implies that $\nu \models F$.
With this definition, we know how to evaluate whether an evolution domain H of a continuous evolution $x' = \theta \,\&\, H$ is true in a particular state ν or not. If $\nu \models H$, then H holds in that state. Otherwise (i.e. if $\nu \not\models H$), H does not hold in ν. Yet, in which states do we need to check the evolution domain?
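Definitions 6 and 7 are small enough to be run directly. The following added example (my code, not part of the lecture notes) encodes the term and formula grammar of Section 5 as nested tuples, evaluates terms with exact rationals, and decides the quantifier-free part of Definition 7 in a given state; the state update ν_x^d is implemented so that a candidate witness for ∃x F can be checked, while genuine quantification over all reals is deliberately rejected since it cannot be decided by evaluation. The encoding and all function names are my own choices.

```python
from fractions import Fraction

# Terms (grammar of Section 5):  θ, η ::= x | c | θ + η | θ · η
# encoded as nested tuples: ("var", name) | ("const", Fraction) | ("+", θ, η) | ("*", θ, η)
def var(x): return ("var", x)
def const(c): return ("const", Fraction(c))
def add(t, s): return ("+", t, s)
def mul(t, s): return ("*", t, s)
def sub(t, s):
    """θ - η is not in the grammar; as the notes say, it abbreviates θ + (-1)·η."""
    return add(t, mul(const(-1), s))


def value(term, nu):
    """[[θ]]ν of Definition 6. A state ν is a dict from variable names to numbers."""
    kind = term[0]
    if kind == "var":
        return nu[term[1]]
    if kind == "const":
        return term[1]
    if kind == "+":
        return value(term[1], nu) + value(term[2], nu)
    if kind == "*":
        return value(term[1], nu) * value(term[2], nu)
    raise ValueError("not a term: %r" % (term,))


# Formulas (grammar of Section 5), quantifier-free part:
#   ("=", θ, η) | (">=", θ, η) | ("not", F) | ("and", F, G) | ("or", F, G) | ("->", F, G) | ("<->", F, G)
def leq(t, s): return (">=", s, t)            # θ ≤ η abbreviates η ≥ θ
def lt(t, s): return ("not", (">=", t, s))   # θ < η abbreviates ¬(θ ≥ η)


def update(nu, x, d):
    """ν_x^d: the state that agrees with ν except that x is interpreted as d."""
    modified = dict(nu)
    modified[x] = Fraction(d)
    return modified


def satisfies(nu, F):
    """ν ⊨ F of Definition 7. ∀x F and ∃x F range over all reals, so they cannot be
    decided by evaluating finitely many states and are rejected here (deciding real
    arithmetic is the subject of later lectures); a candidate witness for ∃x F can
    still be checked with check_witness()."""
    kind = F[0]
    if kind == "=":
        return value(F[1], nu) == value(F[2], nu)
    if kind == ">=":
        return value(F[1], nu) >= value(F[2], nu)
    if kind == "not":
        return not satisfies(nu, F[1])
    if kind == "and":
        return satisfies(nu, F[1]) and satisfies(nu, F[2])
    if kind == "or":
        return satisfies(nu, F[1]) or satisfies(nu, F[2])
    if kind == "->":
        return (not satisfies(nu, F[1])) or satisfies(nu, F[2])
    if kind == "<->":
        return satisfies(nu, F[1]) == satisfies(nu, F[2])
    if kind in ("forall", "exists"):
        raise ValueError("quantifiers over the reals are not decided by evaluation")
    raise ValueError("not a formula: %r" % (F,))


def check_witness(nu, x, d, F):
    """Whether d witnesses ∃x F in ν, i.e. ν_x^d ⊨ F (the ∃ clause of Def. 7 for one d)."""
    return satisfies(update(nu, x, d), F)


# The evolution domain of the system x' = v, v' = a & (v ≥ 0 ∧ v ≤ 10) from Section 5.
V = var("v")
DOMAIN_H = ("and", (">=", V, const(0)), leq(V, const(10)))


def domain_holds(v_value):
    """Whether the state with v ↦ v_value satisfies the evolution domain H above."""
    return satisfies({"v": Fraction(v_value)}, DOMAIN_H)
```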
Continuous Programs. There is more than one way to define the meaning of a program, including defining a denotational semantics, an operational semantics, a structural operational semantics, or an axiomatic semantics. For our purposes, what is most relevant is how a hybrid program changes the state of the system. Consequently, the semantics of HPs is based on which final states are reachable from which initial state. It considers which (final) state ω is reachable by running a HP α from an (initial) state ν. Semantic models that expose more detail, e.g., about the internal states during the run of an HP are possible [Pla10, Chapter 4] but not needed for our usual purposes.
If a differential equation starts in a state ν, the system could reach many possible states when following this particular differential equation. Even though the solutions of initial value problems (differential equation with an initial state) are unique under mild conditions (Appendix B), they still do not lead to a single unique state. Which state one ends up at when following a differential equation depends not only on the initial state ν, but also on how long the system follows that differential equation. Consequently, the meaning of a continuous program will invariably have to allow for many possible reachable states. Recall that S denotes the set of states.
The meaning of an HP α is given by a reachability relation $\rho(\alpha) \subseteq S \times S$ on states. That is, $(\nu, \omega) \in \rho(\alpha)$ means that final state ω is reachable from initial state ν by running HP α. From any initial state ν, there might be many states ω that are reachable, so many different ω for which $(\nu, \omega) \in \rho(\alpha)$. From other initial states ν, there might be no reachable states ω at all for which $(\nu, \omega) \in \rho(\alpha)$. So $\rho(\alpha)$ is a proper relation, not a function.
Note 5. The reachability relation $\rho(x' = \theta \,\&\, H)$ of a continuous program holds for all pairs of states that can be connected by a solution of the differential equation that is entirely within H:
$$\begin{aligned} \rho(x' = \theta \,\&\, H) = \{(\varphi(0), \varphi(r)) : \; & \varphi(t) \models H \text{ for all } 0 \leq t \leq r \\ & \text{for a solution } \varphi : [0, r] \to S \text{ of } x' = \theta \text{ of any duration } r \in \mathbb{R}\}. \end{aligned}$$
The first line in the definition of $\rho(x' = \theta \,\&\, H)$ means that the solution φ satisfies H at all times. The second line means that φ solves the differential equation, which essentially means that $\varphi(t) \models x' = \theta$ for all $0 \leq t \leq r$, when interpreting $\varphi(t)(x') \stackrel{\text{def}}{=} \frac{d\varphi(t)(x)}{dt}(t)$. Let us elaborate what this means and explicitly consider differential equation systems:
Definition 8 (Semantics of continuous programs). $(\nu, \omega) \in \rho(x_1' = \theta_1, \ldots, x_n' = \theta_n \,\&\, H)$ iff there is a flow φ of some duration $r \geq 0$ along $x_1' = \theta_1, \ldots, x_n' = \theta_n \,\&\, H$ from state ν to state ω, i.e. a function $\varphi : [0, r] \to S$ such that:
- $\varphi(0) = \nu$, $\varphi(r) = \omega$;
- φ respects the differential equations: for each variable $x_i$, the valuation $[\![x_i]\!]_{\varphi(\zeta)} = \varphi(\zeta)(x_i)$ of $x_i$ at state $\varphi(\zeta)$ is continuous in ζ on [0, r] and has a derivative of value $[\![\theta_i]\!]_{\varphi(\zeta)}$ at each time $\zeta \in (0, r)$;
- the value of other variables $z \notin \{x_1, \ldots, x_n\}$ remains constant, that is, we have $[\![z]\!]_{\varphi(\zeta)} = [\![z]\!]_\nu$ for all $\zeta \in [0, r]$;
- φ respects the invariant: $\varphi(\zeta) \models H$ for each $\zeta \in [0, r]$.
Observe that this definition is explicit about the fact that variables without differential equations do not change during a continuous program. The semantics of HP is explicit change: nothing changes unless (an assignment or) a differential equation specifies how. Also observe the explicit passing from syntax to semantics by the use of the valuation function $[\![\cdot]\!]$ in Def. 8.
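As an added example (my code, not from the lecture notes), here is Definition 8 made concrete for the program x' = v, v' = a & H, using the closed-form flow of Example 4 so that "φ(ζ) ⊨ H for every ζ in [0, r]" can be decided exactly instead of by sampling. It reproduces the situation on the right of Fig. 2: an end state that itself satisfies H is still not reachable when H was left in between, and the longest admissible duration is the moment at which physics must stop. The acceleration, the initial state, the constraints and all helper names are constructed for this example.

```python
# Continuous program  x' = v, v' = a & H  (Section 5 / Definition 8), with a a constant and H
# a conjunction of linear constraints p*x + q*v + c >= 0, each given as a triple (p, q, c).
# The flow φ is the closed-form solution of Example 4. All numbers below are constructed.

def flow(nu, a, t):
    """φ(t): the state after following x' = v, v' = a for time t from state ν (a dict).
    Variables other than x and v keep their values, as Definition 8 requires."""
    omega = dict(nu)
    omega["x"] = a / 2 * t * t + nu["v"] * t + nu["x"]
    omega["v"] = a * t + nu["v"]
    return omega


def holds(state, H):
    """state ⊨ H for the conjunction of linear constraints H."""
    return all(p * state["x"] + q * state["v"] + c >= 0 for p, q, c in H)


def stays_in_domain(nu, a, r, H):
    """φ(ζ) ⊨ H for every ζ in [0, r], decided exactly: along the flow each constraint
    becomes a quadratic g(ζ) = A ζ² + B ζ + C, whose minimum on [0, r] is attained at
    an endpoint or, when A > 0, at the vertex ζ = -B / (2A)."""
    if r < 0:
        return False
    for p, q, c in H:
        A = p * a / 2
        B = p * nu["v"] + q * a
        C = p * nu["x"] + q * nu["v"] + c
        candidates = [0.0, r]
        if A > 0:
            vertex = -B / (2 * A)
            if 0 < vertex < r:
                candidates.append(vertex)
        if min(A * z * z + B * z + C for z in candidates) < 0:
            return False
    return True


def reach(nu, a, r, H):
    """ω with (ν, ω) ∈ ρ(x' = v, v' = a & H) via the flow of duration r, or None if that
    flow leaves H at some time in [0, r] (then ω is not reachable this way even if ω ⊨ H)."""
    return flow(nu, a, r) if stays_in_domain(nu, a, r, H) else None


def max_duration(nu, a, H, horizon=100.0, iters=80):
    """Longest duration r <= horizon for which the flow from ν stays in H on all of [0, r]:
    the latest moment at which physics has to stop and hand over to the cyber part.
    None if ν itself violates H (then not even the flow of duration 0 exists)."""
    if not holds(nu, H):
        return None
    if stays_in_domain(nu, a, horizon, H):
        return horizon
    lo, hi = 0.0, horizon          # invariant: stays in H on [0, lo], leaves H before hi
    for _ in range(iters):
        mid = (lo + hi) / 2
        if stays_in_domain(nu, a, mid, H):
            lo = mid
        else:
            hi = mid
    return lo


# Scenario of Fig. 2 (constructed numbers): x(t) = -t² + 4t rises to 4 at t = 2 and is back
# at 3 at t = 3, so the state at t = 3 satisfies H ≡ (x ≤ 3) but is not reachable, because
# H was left in between. 'fuel' has no differential equation and must stay constant.
NU = {"x": 0.0, "v": 4.0, "fuel": 7.0}
A = -2.0
H_X_LE_3 = [(-1.0, 0.0, 3.0)]   # -x + 3 >= 0, i.e. x <= 3
H_V_GE_0 = [(0.0, 1.0, 0.0)]    # v >= 0, the evolution domain of Note 2
```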


A. Existence Theorems
For your reference, this appendix contains a short primer on some important results about differential equations [Pla10, Appendix B].
There are several classical theorems that guarantee existence and/or uniqueness of solutions of differential equations (not necessarily closed-form solutions with elementary functions, though). The existence theorem is due to Peano [Pea90]. A proof can be found in [Wal98, Theorem 10.IX].
Theorem 9 (Existence theorem of Peano). Let $f : D \to \mathbb{R}^n$ be a continuous function on an open, connected domain $D \subseteq \mathbb{R} \times \mathbb{R}^n$. Then, the initial value problem (1) with $(t_0, y_0) \in D$ has a solution. Further, every solution of (1) can be continued arbitrarily close to the boundary of D.
Peano's theorem only proves that a solution exists, not for what duration it exists. Still, it shows that every solution can be continued arbitrarily close to the boundary of the domain D. That is, the closure of the graph of the solution, when restricted to [0, 0] × R^n, is not a compact subset of D. In particular, there is a global solution on the interval $[0, \infty)$ if $D = \mathbb{R}^{n+1}$.
Peano's theorem shows the existence of solutions of continuous differential equations on open, connected domains, but there can still be multiple solutions.
Example 10. The initial value problem with the following continuous differential equation
$$y' = \sqrt[3]{|y|}, \qquad y(0) = 0$$
has multiple solutions:
$$y(t) = 0$$
$$y(t) = \left(\tfrac{2}{3} t\right)^{3/2}$$
$$y(t) = \begin{cases} 0 & \text{for } t \leq s \\ \left(\tfrac{2}{3}(t - s)\right)^{3/2} & \text{for } t > s \end{cases}$$
where $s \geq 0$ is any nonnegative real number.

B. Existence and Uniqueness Theorems

As usual, $C^k(D, \mathbb{R}^n)$ denotes the space of k times continuously differentiable functions from domain D to $\mathbb{R}^n$.
If we know that the differential equation (its right-hand side) is continuously differentiable on an open, connected domain, then the Picard-Lindelöf theorem gives a stronger result than Peano's theorem. It shows that there is a unique solution (except, of course, that the restriction of any solution to a sub-interval is again a solution). For this, recall that a function $f : D \to \mathbb{R}^n$ with $D \subseteq \mathbb{R} \times \mathbb{R}^n$ is called Lipschitz continuous with respect to y iff there is an $L \in \mathbb{R}$ such that for all $(t, y), (t, \bar{y}) \in D$,
$$\|f(t, y) - f(t, \bar{y})\| \leq L \|y - \bar{y}\|.$$
If, for instance, $\frac{\partial f(t, y)}{\partial y}$ exists and is bounded on D, then f is Lipschitz continuous with $L = \max_{(t, y) \in D} \left\|\frac{\partial f(t, y)}{\partial y}\right\|$ by the mean value theorem. Similarly, f is locally Lipschitz continuous iff for each $(t, y) \in D$, there is a neighbourhood in which f is Lipschitz continuous. In particular, if f is continuously differentiable, i.e., $f \in C^1(D, \mathbb{R}^n)$, then f is locally Lipschitz continuous.

Most importantly, Picard-Lindelöf's theorem [Lin94], which is also known as the
Cauchy-Lipschitz theorem, guarantees existence and uniqueness of solutions. As restrictions of solutions are always solutions, we understand uniqueness up to restrictions. A proof can be found in [Wal98, Theorem 10.VI].

Theorem 11 (Uniqueness theorem of Picard-Lindelöf). In addition to the assumptions of
Theorem 9, let f be locally Lipschitz continuous with respect to y (for instance, f ∈ C^1(D, R^n)
is sufficient). Then, there is a unique solution of the initial value problem (1).

Picard-Lindelöf's theorem does not show the duration of the solution, but shows
only that the solution is unique. Under the assumptions of Picard-Lindelöf's theorem,
every solution can be extended to a solution of maximal duration arbitrarily close to
the boundary of D by Peano's theorem, however. The solution is unique, except that
all restrictions of the solution to a sub-interval are also solutions.
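Returning to Example 10, the following added derivation (not part of the original notes) checks that its second solution really solves the differential equation and shows why Theorem 11 does not apply there: the right-hand side $f(t, y) = \sqrt[3]{|y|}$ is not Lipschitz continuous at y = 0.

$$ y(t) = \left(\tfrac{2}{3}\,t\right)^{3/2} \;\Longrightarrow\; y'(t) = \tfrac{3}{2}\left(\tfrac{2}{3}\,t\right)^{1/2}\cdot\tfrac{2}{3} = \left(\tfrac{2}{3}\,t\right)^{1/2} = \bigl(y(t)\bigr)^{1/3} = \sqrt[3]{|y(t)|}, \qquad y(0) = 0. $$

For the Lipschitz condition with $\bar y = 0$ and $y \neq 0$:

$$ \frac{\bigl|\sqrt[3]{|y|} - \sqrt[3]{|0|}\bigr|}{|y - 0|} = |y|^{-2/3} \;\longrightarrow\; \infty \qquad (y \to 0), $$

so no constant L satisfies $\|f(t,y) - f(t,\bar y)\| \le L\|y - \bar y\|$ on any neighbourhood of (t, 0). Hence Theorem 11 gives no uniqueness, while f is still continuous, so Peano's theorem still gives existence.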
Example 12. The initial value problem
$$ y' = y^2, \qquad y(0) = 1 $$
has the unique maximal solution $y(t) = \frac{1}{1-t}$ on the domain t < 1. This solution cannot
be extended to include the singularity at t = 1.

The following global uniqueness theorem shows a stronger property when the domain is [0, a] × R^n. It is a corollary to Theorems 9 and 11, but used prominently in
the proof of Theorem 11, and is of independent interest. A direct proof of the following global version of the Picard-Lindelöf theorem can be found in [Wal98, Proposition 10.VII].
Corollary 13 (Global uniqueness theorem of Picard-Lindelöf). Let f : [0, a] × R^n → R^n
be a continuous function that is Lipschitz continuous with respect to y. Then, there is a unique
solution of the initial value problem (1) on [0, a].

Exercises
Exercise 1. Review the basic theory of ordinary differential equations and examples.
Exercise 2. Review the syntax and semantics of first-order logic.


References
[DGV96] Akash Deshpande, Aleks Göllü, and Pravin Varaiya. SHIFT: A formalism and a programming language for dynamic networks of hybrid automata. In Panos J. Antsaklis, Wolf Kohn, Anil Nerode, and Shankar Sastry, editors, Hybrid Systems, volume 1273 of LNCS, pages 113–133. Springer, 1996.
[EEHJ96] Kenneth Eriksson, Donald Estep, Peter Hansbo, and Claes Johnson. Computational Differential Equations. Cambridge University Press, 1996.
[FKV04] G. K. Fourlas, K. J. Kyriakopoulos, and C. D. Vournas. Hybrid systems modeling for power systems. Circuits and Systems Magazine, IEEE, 4(3):16–23, quarter 2004.
[GBF+11] Radu Grosu, Gregory Batt, Flavio H. Fenton, James Glimm, Colas Le Guernic, Scott A. Smolka, and Ezio Bartocci. From cardiac cells to genetic regulatory networks. In Ganesh Gopalakrishnan and Shaz Qadeer, editors, CAV, volume 6806 of LNCS, pages 396–411. Springer, 2011. doi:10.1007/978-3-642-22110-1_31.
[Har64] Philip Hartman. Ordinary Differential Equations. John Wiley, 1964.
[KAS+11] BaekGyu Kim, Anaheed Ayoub, Oleg Sokolsky, Insup Lee, Paul L. Jones, Yi Zhang, and Raoul Praful Jetley. Safety-assured development of the GPCA infusion pump software. In Samarjit Chakraborty, Ahmed Jerraya, Sanjoy K. Baruah, and Sebastian Fischmeister, editors, EMSOFT, pages 155–164. ACM, 2011. doi:10.1145/2038642.2038667.
[KGDB10] Branko Kerkez, Steven D. Glaser, John A. Dracup, and Roger C. Bales. A hybrid system model of seasonal snowpack water balance. In Karl Henrik Johansson and Wang Yi, editors, HSCC, pages 171–180. ACM, 2010. doi:10.1145/1755952.1755977.
[Lin94] M. Ernst Lindelöf. Sur l'application de la méthode des approximations successives aux équations différentielles ordinaires du premier ordre. Comptes rendus hebdomadaires des séances de l'Académie des sciences, 114:454–457, 1894.
[LS10] Insup Lee and Oleg Sokolsky. Medical cyber physical systems. In Sachin S. Sapatnekar, editor, DAC, pages 743–748. ACM, 2010.
[LSC+12] Insup Lee, Oleg Sokolsky, Sanjian Chen, John Hatcliff, Eunkyoung Jee, BaekGyu Kim, Andrew L. King, Margaret Mullen-Fortino, Soojin Park, Alex Roederer, and Krishna K. Venkatasubramanian. Challenges and research directions in medical cyber-physical systems. Proc. IEEE, 100(1):75–90, 2012. doi:10.1109/JPROC.2011.2165270.
[PCA07] Leadership under challenge: Information technology R&D in a competitive world. An assessment of the federal networking and information technology R&D program. President's Council of Advisors on Science and Technology, Aug 2007. http://www.ostp.gov/pdf/nitrd_review.pdf.
[Pea90] Giuseppe Peano. Démonstration de l'intégrabilité des équations différentielles ordinaires. Mathematische Annalen, 37(2):182–228, 1890.
[PKV09] Erion Plaku, Lydia E. Kavraki, and Moshe Y. Vardi. Hybrid systems: from verification to falsification by combining motion planning and discrete search. Form. Methods Syst. Des., 34(2):157–182, 2009.
[Pla07] André Platzer. Differential dynamic logic for verifying parametric hybrid systems. In Nicola Olivetti, editor, TABLEAUX, volume 4548 of LNCS, pages 216–232. Springer, 2007. doi:10.1007/978-3-540-73099-6_17.
[Pla08] André Platzer. Differential dynamic logic for hybrid systems. J. Autom. Reas., 41(2):143–189, 2008. doi:10.1007/s10817-008-9103-8.
[Pla10] André Platzer. Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics. Springer, Heidelberg, 2010. doi:10.1007/978-3-642-14509-4.
[Pla12] André Platzer. Logics of dynamical systems. In LICS, pages 13–24. IEEE, 2012. doi:10.1109/LICS.2012.13.
[Rei71] William T. Reid. Ordinary Differential Equations. John Wiley, 1971.
[RKR10] Derek Riley, Xenofon Koutsoukos, and Kasandra Riley. Reachability analysis of stochastic hybrid systems: A biodiesel production system. European Journal on Control, 16(6):609–623, 2010.
[Tiw11] Ashish Tiwari. Logic in software, dynamical and biological systems. In LICS, pages 9–10. IEEE Computer Society, 2011. doi:10.1109/LICS.2011.20.
[TPS98] Claire Tomlin, George J. Pappas, and Shankar Sastry. Conflict resolution for air traffic management: a study in multi-agent hybrid systems. IEEE T. Automat. Contr., 43(4):509–521, 1998.
[Wal98] Wolfgang Walter. Ordinary Differential Equations. Springer, 1998.

15-424: Foundations of Cyber-Physical Systems

Lecture Notes on
Choice & Control
Andre Platzer
Carnegie Mellon University
Lecture 3

1 Introduction
In the previous lecture, we have seen the beginning of cyber-physical systems, yet emphasized their continuous part in the form of differential equations x' = θ. The sole interface between continuous physical capabilities and cyber capabilities was by way of
their evolution domain. The evolution domain H in a continuous program x' = θ & H
imposes restrictions on how far or how long the system can evolve along that differential equation. Suppose a continuous evolution has succeeded and the system stops
following its differential equation, e.g., because the state would otherwise leave the
evolution domain. What happens now? How does the cyber take control? How do we
describe what the cyber elements compute and how they interact with physics?
This lecture extends the model of continuous programs for continuous dynamics to
the model of hybrid programs for hybrid dynamics.
This lecture is based on material on cyber-physical systems and hybrid programs
[Pla12b, Pla10, Pla08, Pla07].
Continuous programs x' = θ & H are very powerful for modeling continuous processes. They cannot, on their own, model discrete changes of variables, however.¹
During the evolution along a differential equation, all variables change continuously
in time, because the solution of a differential equation is (sufficiently) smooth. Discontinuous change of variables, instead, needs a way for a discrete change of state. What
could be a model for describing discrete changes in a system?
¹ There is a much deeper sense [Pla12a] in which continuous dynamics and discrete dynamics are quite
surprisingly close together. That understanding requires a lot more logic than we have at our disposal
at this stage of the course. It also leads to a full understanding of what constitutes the hybridness of
hybrid systems. Yet, its understanding does rest on the foundations of hybrid systems, which we need
to understand first.

15-424 L ECTURE N OTES

September 4, 2013

A NDR E P LATZER

There are many models for describing discrete change. You will have seen a number
of them already. CPSs combine cyber and physics. In CPS, we do not program computers, but program CPSs instead. As part of that, we program the computers that control
the physics. And programming computers amounts to using a programming language.
Of course, for programming an actual CPS, our programming language will ultimately
have to involve physics. But we have already seen continuous programs in the previous lecture for that very purpose. What's missing is a way to program the discrete and
cyber aspects.
Does it matter which discrete programming language we choose as a basis? It could
be argued that the discrete programming language does not matter as much as the
hybrid aspects do. After all, there are many programming languages that are Turing-equivalent, i.e. that compute the same functions. Yet even among them there are numerous differences for various purposes in the discrete case, which are studied in the
area of Programming Languages.
For the particular purposes of CPS, however, we will find further desiderata, i.e.
things that we expect from a programming language to be adequate for CPS. We will
develop what we need as we go.
More information about choice and control can be found in [Pla10, Chapter 2.2, 2.3].

2 Discrete Programs and Sequential Composition


Discrete change happens in computer programs when they assign a new value to a
variable. The statement x := θ assigns the value of term θ to variable x. It leads to
a discrete, discontinuous change, because the value of x does not vary smoothly but
radically when assigning θ to x.
This gives us a discrete model of change, x := θ, in addition to the continuous model
of change, x' = θ & H from the previous lecture. Now, we can model systems that are
either discrete or continuous. Yet, how can we model proper CPS that combine cyber
and physics and that, thus, simultaneously combine discrete with continuous dynamics?
One way how cyber and physics can interact is if a computer provides input to
physics. Physics may mention a variable like a for acceleration and a computer program sets its value depending on whether the computer program wants to accelerate
or brake. That is, cyber could set the values of actuators that affect physics.
In this case, cyber and physics interact in such a way that cyber first does something
and physics then follows. That corresponds to a sequential composition (;) in which
first the HP on the left of ; runs and, when it's done, the HP on the right of ; runs.
For example, the following HP
$$ a := a + 1;\; x' = v,\, v' = a \qquad (1) $$
will first let cyber perform a discrete change of setting a to a + 1 and then let physics
follow the differential equation x'' = a. The overall effect is that cyber increases a and
physics then lets x evolve with acceleration a (and increases velocity v with derivative

a). Thus, HP (1) models a situation where the desired acceleration is commanded once
to increase and the robot then moves with that acceleration. Note that the sequential
composition operator (;) has basically the same effect that it has in programming languages like Java or C0. It separates statements that are to be executed sequentially one
after the other. If you look closely, however, you will find a subtle difference in that
Java and C0 expect more ; than hybrid programs.
The HP in (1) executes control (it sets the acceleration for physics), but it has very
little choice. Actually no choice at all. So only if the CPS is very lucky will an increase
in acceleration be the right action to remain safe.

3 Decisions in Hybrid Programs


In general, a CPS may have to check conditions on the state to see which action to take.
One way of doing that is the use of an if-then-else, as in classical discrete programs.
$$ \text{if}(v < 4)\; a := a + 1 \;\text{else}\; a := -b;\; x' = v,\, v' = a \qquad (2) $$
This HP will check the condition v < 4 to see if the current velocity is still less than 4.
If it is, then a will be increased by 1. Otherwise, a will be set to −b for some braking
deceleration constant b > 0. Afterwards, i.e. when the if-then-else statement has run to
completion, the HP will again evolve x with acceleration a along a differential equation.
The HP (2) takes only the current velocity into account to reach a decision on whether
to accelerate or brake. That is usually not enough information to guarantee safety, because a robot doing that would be so fixated on achieving its desired speed that it
would happily speed into any walls or other obstacles along the way. Consequently,
programs that control robots also take other state information into account, for example the distance x − o to an obstacle o from the robot's position x, not just its velocity
v:
$$ \text{if}(x - o > 5)\; a := a + 1 \;\text{else}\; a := -b;\; x' = v,\, v' = a \qquad (3) $$
They could also take both distance and velocity into account for the decision:
$$ \text{if}(x - o > 5 \land v < 4)\; a := a + 1 \;\text{else}\; a := -b;\; x' = v,\, v' = a \qquad (4) $$

(4)

Note 1 (Iterative design). As part of the labs of this course, you will develop increasingly
more intelligent controllers for robots that face increasingly challenging environments.
Designing controllers for robots or other CPS is a serious challenge. You will want to
start with simple controllers for simple circumstances and only move on to more advanced
challenges when you have fully understood and mastered the previous controllers, what
behavior they guarantee and what functionality they are still missing.

4 Choices in Hybrid Programs


What we learn from the above discussion is a common feature of CPS models: they
often include only some but not all detail about the system. And for good reasons, because full detail about everything can be overwhelming. A (somewhat) more complete
model of (4) might look as follows, with some further formula S as an extra condition
for checking whether to actually accelerate:
$$ \text{if}(x - o > 5 \land v < 4 \land S)\; a := a + 1 \;\text{else}\; a := -b;\; x' = v,\, v' = a \qquad (5) $$
The extra condition S may be very complicated and often depends on many factors. It
could check to smooth the ride, optimize battery efficiency, or pursue secondary goals.
Consequently, (4) is not actually a faithful model for (5), because (4) insists that the
acceleration would always be increased just because x − o > 5 ∧ v < 4, unlike (5), which
checks the additional condition S. Likewise, (3) certainly is no faithful model of (5). But
it looks simpler.
How can we describe a model that is simpler than (5) by ignoring the details of S yet
that is still faithful? What we want this model to do is characterize that the controller
may either increase acceleration by 1 or brake and that acceleration certainly only happens when x − o > 5. But the model should make less commitment than (3) about
under which circumstances braking is chosen. So we want a model that allows braking under more circumstances than (3) without having to model precisely under which
circumstances that is. In order to simplify the system faithfully, we want a model that
allows more behavior than (3).
Note 2 (Abstraction). Successful CPS models often include relevant aspects of the system only and simplify irrelevant detail. The benefit of doing so is that the model and its
analysis becomes simpler, enabling us to focus on the critical parts without being bogged
down in tangentials. This is the power of abstraction, arguably the primary secret weapon
of computer science. It does take considerable skill, however, to find the best level of abstraction for a system. A skill that you will continue to sharpen through your entire career
as a computer scientist.
Let us take the development of this model step by step. The first feature that the
controller of this model has is a choice. The controller can choose to increase acceleration or to brake, instead. Such a choice between two actions is denoted by the operator
∪:
$$ (a := a + 1 \cup a := -b);\; x' = v,\, v' = a \qquad (6) $$
When running this hybrid program, the first thing that happens is a choice between
whether to run a := a + 1 or whether to run a := −b. That is, the choice is whether to
increase a by 1 or whether to reset a to −b for braking. After this choice (i.e. after the ;
operator), the system follows the usual differential equation x'' = a.

Note 3 (Nondeterministic ∪). The choice (α ∪ β) is nondeterministic. That is, every time
a choice α ∪ β runs, exactly one of the two choices, α or β, is chosen to run and the choice
is nondeterministic, i.e. there is no prior way of telling which of the two choices is going
to be chosen.
The HP (6) is a faithful abstraction of (5), because every way how (5) can run can be
mimicked by (6) so that the outcome of (6) corresponds to that of (5). Whenever (5)
runs a := a + 1, which happens exactly if x − o > 5 ∧ v < 4 ∧ S is true, (6) only needs to
choose to run the left choice a := a + 1. Whenever (5) runs a := −b, which happens exactly if x − o > 5 ∧ v < 4 ∧ S is false, (6) needs to choose to run the right choice a := −b.
So all runs of (5) are possible runs of (6). Furthermore, (6) is much simpler than (5),
because it contains less detail. It does not mention v < 4 nor the complicated extra
condition S. Yet, (6) is a little too permissive, because it suddenly allows the controller
to choose a := a + 1 even at close distance to the obstacle, i.e. even if x − o > 5 is false.
That way, even if (5) was a safe controller, (6) is still an unsafe one.

5 Tests in Hybrid Programs


In order to make a faithful and not too permissive model of (5), we need to restrict the
permitted choices in (6) so that the acceleration choice a := a + 1 can only be chosen at
sufficient distance x − o > 5. The way to do that is to use tests on the current state of
the system.
A test² ?H is a statement that checks the value of a first-order formula H of real
arithmetic in the current state. If H holds in the current state, then the test passes,
nothing happens, yet the HP continues to run normally. If, instead, H does not hold in
the current state, then the test fails, and the system execution is aborted and discarded.
That is, when ν is the current state, then ?H runs successfully without changing the
state when ν |= H. Otherwise, i.e. if ν ⊭ H, the run of ?H is aborted and not considered
any further.
The test statement can be used to change (6) around so that it allows acceleration only
at large distances while braking is still allowed always:
$$ \bigl( (?x - o > 5;\; a := a + 1) \cup a := -b \bigr);\; x' = v,\, v' = a \qquad (7) $$
The first statement of (7) is a choice (∪) between (?x − o > 5; a := a + 1) and a := −b. All
choices in hybrid programs are nondeterministic so any outcome is always possible.
In (7), this means that the left choice can always be chosen, just as well as the right
one. The first statement that happens in the left choice, however, is the test ?x − o > 5,
which the system run has to pass to continue successfully. In particular, if x − o > 5
is indeed true in the current state, then the system passes that test ?x − o > 5 and the

² In a more general context, tests are also known as challenges [Pla13].

execution proceeds to after the sequential composition (;) to run a := a + 1. If x − o > 5
is false in the current state, however, the system fails the test ?x − o > 5 and that run is
aborted and discarded. The right option to brake is always available, because it does
not involve any tests to pass.
Note 4 (Discarding failed runs). System runs that fail tests are discarded and not considered any further. It is as if those failed system execution attempts had never happened.
Yet, other execution paths may be successful. You can imagine finding them by backtracking the choices in the system run and taking alternative choices instead.
There are always two choices when running (7). Yet, which ones run successfully
depends on the current state. If the current state is at a far distance from the obstacle
(x − o > 5), then both options of accelerating and braking will be possible. Otherwise,
only the braking choice runs without being discarded because of failing a test.
Comparing (7) with (5), we see that (7) is a faithful abstraction of the more complicated (5), because all runs of (5) can be mimicked by (7). Yet, unlike (6), the improved
HP (7) retains the critical information that acceleration is only allowed by (5) at sufficient distance x − o > 5. Unlike (5), (7) does not restrict the cases where acceleration
can be chosen to those that also satisfy v < 4 ∧ S. Hence, (7) is more permissive than
(5). But (7) is also simpler and only contains crucial information about the controller.
Hence, (7) is a more abstract faithful model of (5) that retains the relevant detail. Studying the abstract (7) instead of the more concrete (5) has the advantage that only relevant
details need to be understood while irrelevant aspects can be ignored. It also has the
additional advantage that a safety analysis of the more abstract (7), which allows lots
of behavior, will imply safety of the special concrete case (5) but also implies safety
of other implementations of (7). For example, replacing S by a different condition in
(5) still gives a special case of (7). So if all behavior of (7) is safe, all behavior of that
different replacement will also already be safe. With a single verification result about
a more general, more abstract system, we can obtain verification for a whole class of
systems. This important phenomenon will be investigated in more detail in later parts
of the course.
Of course, which details are relevant and which ones can be simplified depends on
the analysis question at hand, a question that we will be better equipped to answer in
a later lecture. For now, suffice it to say that (7) has the relevant level of abstraction for
our purposes.

6 Repetitions in Hybrid Programs


The hybrid programs above were interesting, but only allowed the controller to choose
what action to take at most once. All controllers so far inspected the state in a test or in
an if-then-else condition and then chose what to do once, just to let physics take control
by following a differential equation. That makes for rather short-lived controllers. They
have a job only once in their lives. And most decisions they reach may end up being

bad ones. Say, one of those controllers, e.g. (7), inspects the state and finds it still okay to
accelerate. If it chooses a := a + 1 and then lets physics move in the differential equation
x'' = a, there will probably come a time at which acceleration is no longer such a great
idea. But the controller of (7) has no way to change its mind, because it has no more
choices and so no control anymore.
If the controller of (7) is supposed to be able to make a second control choice later after
physics has followed the differential equation for a while, then (7) can be sequentially
composed with itself:
$$ \begin{aligned} &\bigl( (?x - o > 5;\; a := a + 1) \cup a := -b \bigr);\; x' = v,\, v' = a; \\ &\bigl( (?x - o > 5;\; a := a + 1) \cup a := -b \bigr);\; x' = v,\, v' = a \end{aligned} \qquad (8) $$
In (8), the cyber controller can first choose to accelerate or brake (depending on whether
x − o > 5), then physics evolves along differential equation x'' = a for some while, then
the controller can again choose whether to accelerate or brake (depending on whether
x − o > 5 holds in the state reached then), and finally physics again evolves along
x'' = a.
For a controller that is supposed to be allowed to have a third control choice, replication would again help:
$$ \begin{aligned} &\bigl( (?x - o > 5;\; a := a + 1) \cup a := -b \bigr);\; x' = v,\, v' = a; \\ &\bigl( (?x - o > 5;\; a := a + 1) \cup a := -b \bigr);\; x' = v,\, v' = a; \\ &\bigl( (?x - o > 5;\; a := a + 1) \cup a := -b \bigr);\; x' = v,\, v' = a \end{aligned} \qquad (9) $$

But this is neither a particularly concise nor a particularly useful modeling style. What
if a controller could need 10 control decisions or 100? Or what if there is no way of
telling ahead of time how many control decisions the cyber part will have to take to
reach its goal? Think of how many control decisions you might need when driving in a
car from the East Coast to the West Coast. Do you know that ahead of time? Even if you
do, do you want to model a system by explicitly replicating its controller that often?
Note 5 (Repetition). As a more concise and more general way of describing repeated
control choices, hybrid programs allow for the repetition operator *, which works like the
* in regular expressions, except that it applies to a hybrid program α as in α*. It repeats α
any number n ∈ N of times, by a nondeterministic choice.
Thus, a way of summarizing (7), (8), (9) and the infinitely many more n-fold replications of (7) for any n ∈ N, is by using a repetition operator:
$$ \Bigl( \bigl( (?x - o > 5;\; a := a + 1) \cup a := -b \bigr);\; x' = v,\, v' = a \Bigr)^{*} \qquad (10) $$
This HP can repeat (7) any number of times.


But how often does a nondeterministic repetition like (10) repeat then? That choice is
again nondeterministic.
Note 6 (Nondeterministic *). Repetition (α*) is nondeterministic. That is, α* can repeat α
any number (n ∈ N) of times and the choice how often to run α is nondeterministic,
i.e. there is no prior way of telling how often α will be repeated.
Yet, every time the loop in (10) is run, how long does its continuous evolution take?
Or, actually, even in the loop-free (8), how long does the first x'' = a take before the
controller has its second choice? How long did the continuous evolution take in (7) in
the first place?
There is a choice in following a differential equation. Even if the solution of the
differential equation is unique (cf. lecture 2), it is still a matter of choice how long to
follow that solution. The choice is, as always in hybrid programs, nondeterministic.
Note 7 (Nondeterministic x' = θ). The duration of evolution of a differential equation
(x' = θ & H) is nondeterministic (except that the evolution can never be so long that the
state leaves H). That is, x' = θ & H can follow the solution of x' = θ for any amount of time
(0 ≤ r ∈ R) and the choice how long to follow x' = θ is nondeterministic, i.e.
there is no prior way of telling how long x' = θ will be followed (except that it can never
leave H).

7 Syntax of Hybrid Programs


With the motivation above, we formally define hybrid programs [Pla12a, Pla10].
Definition 1 (Hybrid program). HPs are defined by the following grammar (α, β
are HPs, x a variable, θ a term possibly containing x, and H a formula of first-order
logic of real arithmetic):
$$ \alpha, \beta \;::=\; x := \theta \;\mid\; ?H \;\mid\; x' = \theta \,\&\, H \;\mid\; \alpha \cup \beta \;\mid\; \alpha; \beta \;\mid\; \alpha^{*} $$
The first three cases are called atomic HPs, the last three compound. The test action ?H
is used to define conditions. Its effect is that of a no-op if the formula H is true in the
current state; otherwise, like abort, it allows no transitions. That is, if the test succeeds
because formula H holds in the current state, then the state does not change, and the
system execution continues normally. If the test fails because formula H does not hold

in the current state, then the system execution cannot continue, is cut off, and not considered any further.
Nondeterministic choice α ∪ β, sequential composition α; β, and nondeterministic
repetition α* of programs are as in regular expressions but generalized to a semantics
in hybrid systems. Nondeterministic choice α ∪ β expresses behavioral alternatives between the runs of α and β. That is, the HP α ∪ β can choose nondeterministically to
follow the runs of HP α, or, instead, to follow the runs of HP β. The sequential composition α; β models that the HP β starts running after HP α has finished (β never starts if
α does not terminate). In α; β, the runs of α take effect first, until α terminates (if it does),
and then β continues. Observe that, like repetitions, continuous evolutions within α
can take more or less time, which causes uncountable nondeterminism. This nondeterminism occurs in hybrid systems, because they can operate in so many different ways,
which is as such reflected in HPs. Nondeterministic repetition α* is used to express that
the HP α repeats any number of times, including zero times. When following α*, the
runs of HP α can be repeated over and over again, any nondeterministic number of
times (≥ 0).
Unary operators (including *) bind stronger than binary operators and let ; bind
stronger than ∪, so α; β ∪ γ ≡ (α; β) ∪ γ and α ∪ β; γ ≡ α ∪ (β; γ). Further, α; β; γ ≡ α; (β; γ).

8 Semantics of Hybrid Programs


HPs have a compositional semantics [Pla12b, Pla10, Pla08]. Their semantics is defined
by a reachability relation. A state ν is a mapping from variables to R. The set of states is
denoted S. The value of term θ in ν is denoted by [[θ]]ν. Recall that ν |= H denotes that
first-order formula H is true in state ν (lecture 2).
Definition 2 (Transition semantics of HPs). Each HP α is interpreted semantically
as a binary reachability relation ρ(α) ⊆ S × S over states, defined inductively by
$$ \begin{aligned}
1.\;& \rho(x := \theta) = \{(\nu, \omega) : \omega = \nu \text{ except that } [\![x]\!]\omega = [\![\theta]\!]\nu\} \\
2.\;& \rho(?H) = \{(\nu, \nu) : \nu \models H\} \\
3.\;& \rho(x' = \theta \,\&\, H) = \{(\varphi(0), \varphi(r)) : \varphi(t) \models x' = \theta \text{ and } \varphi(t) \models H \text{ for all } 0 \le t \le r \\
& \qquad \text{for a solution } \varphi : [0, r] \to S \text{ of any duration } r\} \\
4.\;& \rho(\alpha \cup \beta) = \rho(\alpha) \cup \rho(\beta) \\
5.\;& \rho(\alpha; \beta) = \rho(\alpha) \circ \rho(\beta) = \{(\nu, \omega) : (\nu, \mu) \in \rho(\alpha),\, (\mu, \omega) \in \rho(\beta)\} \\
6.\;& \rho(\alpha^{*}) = \bigcup_{n \in \mathbb{N}} \rho(\alpha^{n}) \text{ with } \alpha^{n+1} \equiv \alpha^{n}; \alpha \text{ and } \alpha^{0} \equiv\; ?\mathit{true}.
\end{aligned} $$
In case 3, with $\varphi(t)(x') \stackrel{\text{def}}{=} \frac{d\varphi(\zeta)(x)}{d\zeta}(t)$, φ solves the differential equation and satisfies H at all times, see lecture 2.

For graphical illustrations of the transition semantics of hybrid programs and example dynamics, see Fig. 1. On the left of Fig. 1, we illustrate the generic shape of the
transition structure ρ(α) for transitions along various cases of hybrid programs α from
state ν to state ω. On the right of Fig. 1, we show examples of how the value of a variable x may evolve over time t when following the dynamics of the respective hybrid
program α.
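To make Definition 2 concrete, here is an added Python interpreter (my own example code, not from the lecture notes) that computes the reachable states of the robot controllers (5), (6) and (7) from Sect. 4 and Sect. 5 and of the loop (10), case by case as in the definition. It samples finitely many durations r for the continuous evolution and bounds the number of loop unrollings, so the sets it computes under-approximate ρ(α); the braking constant b = 2 and the stand-in extra condition S (here: v ≥ 0) are constructed assumptions.

```python
from fractions import Fraction

# A state nu is an immutable, hashable mapping: sorted (variable, value) pairs.
def mk(**vals):
    return tuple(sorted((k, Fraction(v)) for k, v in vals.items()))

def get(nu, x):
    return dict(nu)[x]

def put(nu, x, val):
    d = dict(nu)
    d[x] = Fraction(val)
    return tuple(sorted(d.items()))

# Hybrid program syntax (Definition 1), plus the if-then-else of Sect. 3.
def Assign(x, term): return ("assign", x, term)   # x := term, term: state -> value
def Test(H): return ("test", H)                   # ?H, H: state -> bool
def Ode(H=None): return ("ode", H)                # x' = v, v' = a & H (None = true)
def Choice(a, b): return ("choice", a, b)         # a ∪ b
def Seq(a, b): return ("seq", a, b)               # a; b
def Star(a): return ("star", a)                   # a*
def Ite(H, a, b): return ("ite", H, a, b)         # if(H) a else b

# Finite samples: durations r of the continuous evolution and a bound on loop
# unrollings n. Both make the computed reachable sets under-approximate rho.
DURATIONS = [Fraction(r) for r in ("0", "1/2", "1", "2")]
STAR_BOUND = 2

def flow(nu, t):
    """Closed-form solution of x' = v, v' = a started in nu, evaluated at time t."""
    x, v, a = get(nu, "x"), get(nu, "v"), get(nu, "a")
    return put(put(nu, "x", x + v * t + a * t * t / 2), "v", v + a * t)

def reach(prog, nu):
    """All omega with (nu, omega) in rho(prog), following Definition 2 case by case."""
    tag = prog[0]
    if tag == "assign":                             # case 1: omega = nu except x
        return {put(nu, prog[1], prog[2](nu))}
    if tag == "test":                               # case 2: failed test, no transition
        return {nu} if prog[1](nu) else set()
    if tag == "ode":                                # case 3: sampled durations r
        H = prog[1]
        out = set()
        for r in DURATIONS:
            # H must hold for all 0 <= t <= r; checked on 9 grid points of [0, r]
            if H is None or all(H(flow(nu, r * k / 8)) for k in range(9)):
                out.add(flow(nu, r))
        return out
    if tag == "choice":                             # case 4: union of both runs
        return reach(prog[1], nu) | reach(prog[2], nu)
    if tag == "seq":                                # case 5: relational composition
        return {w for mu in reach(prog[1], nu) for w in reach(prog[2], mu)}
    if tag == "ite":
        return reach(prog[2], nu) if prog[1](nu) else reach(prog[3], nu)
    if tag == "star":                               # case 6: n = 0 is ?true (no change)
        out, frontier = {nu}, {nu}
        for _ in range(STAR_BOUND):
            frontier = {w for mu in frontier for w in reach(prog[1], mu)}
            out |= frontier
        return out
    raise ValueError(prog)

def reachable(prog, **init):
    return reach(prog, mk(**init))

# --- The robot controllers of Sect. 3-6, with constructed constants ----------
B = 2                                    # braking constant b > 0 (constructed)
far = lambda nu: get(nu, "x") - get(nu, "o") > 5
slow = lambda nu: get(nu, "v") < 4
S = lambda nu: get(nu, "v") >= 0         # stand-in for the unspecified condition S
accel = Assign("a", lambda nu: get(nu, "a") + 1)
brake = Assign("a", lambda nu: -B)
phys = Ode()                             # x' = v, v' = a, no evolution domain

hp5 = Seq(Ite(lambda nu: far(nu) and slow(nu) and S(nu), accel, brake), phys)
hp6 = Seq(Choice(accel, brake), phys)
hp7 = Seq(Choice(Seq(Test(far), accel), brake), phys)
hp10 = Star(hp7)

if __name__ == "__main__":
    start = dict(x=10, o=0, v=1, a=0)
    r5, r6, r7 = (reachable(h, **start) for h in (hp5, hp6, hp7))
    print("rho(5) within rho(7) within rho(6):", r5 <= r7 <= r6)
    near = reachable(hp7, x=3, o=0, v=1, a=0)
    print("accelerations reachable by (7) near the obstacle:", {get(w, "a") for w in near})
```

Far from the obstacle, (7) and (6) reach the same states while (5) reaches only the accelerating ones; near the obstacle, (7) can only brake whereas (6) still allows a := a + 1, which is exactly the abstraction relationship discussed in Sect. 4 and Sect. 5.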

[Figure 1: Transition semantics (left) and example dynamics (right) of hybrid programs. Left: x := θ takes ν to ω if ω(x) = [[θ]]ν and ω(z) = ν(z) for z ≠ x; x' = θ & H follows a solution f(t) from ν to ω for some duration r; ?H leaves the state unchanged if ν |= H and otherwise allows no transition. Right: the value of x plotted over time t for each case.]

Exercises
Exercise 1. Consider your favorite programming language and discuss in what ways
it introduces discrete change and discrete dynamics. Can it model all behavior that
hybrid programs can describe? Can your programming language model all behavior
that hybrid programs without differential equations can describe? How about the other
way around?
Exercise 2. Consider the grammar of hybrid programs. The ; in hybrid programs is
similar to the ; in Java and C0. If you look closely you will find a subtle difference.
Identify the difference and explain why there is such a difference.
Exercise 3. Sect. 3 considered if-then-else statements for hybrid programs. But they no
longer showed up in the grammar of hybrid programs. Is this a mistake?

References
[DBL12] Proceedings of the 27th Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2012, Dubrovnik, Croatia, June 25–28, 2012. IEEE, 2012.
[Pla07] André Platzer. Differential dynamic logic for verifying parametric hybrid systems. In Nicola Olivetti, editor, TABLEAUX, volume 4548 of LNCS, pages 216–232. Springer, 2007. doi:10.1007/978-3-540-73099-6_17.
[Pla08] André Platzer. Differential dynamic logic for hybrid systems. J. Autom. Reas., 41(2):143–189, 2008. doi:10.1007/s10817-008-9103-8.
[Pla10] André Platzer. Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics. Springer, Heidelberg, 2010. doi:10.1007/978-3-642-14509-4.
[Pla12a] André Platzer. The complete proof theory of hybrid systems. In LICS [DBL12], pages 541–550. doi:10.1109/LICS.2012.64.
[Pla12b] André Platzer. Logics of dynamical systems. In LICS [DBL12], pages 13–24. doi:10.1109/LICS.2012.13.
[Pla13] André Platzer. A complete axiomatization of differential game logic for hybrid games. Technical Report CMU-CS-13-100R, School of Computer Science, Carnegie Mellon University, Pittsburgh, PA, January, Revised and extended in July 2013.


15-424: Foundations of Cyber-Physical Systems

Lecture Notes on
Safety & Contracts
André Platzer
Carnegie Mellon University
Lecture 4

1 Introduction
In the previous lectures, we have studied models of cyber-physical systems. Hybrid
programs provide a programming language for cyber-physical systems with the most
prominent features being differential equations and nondeterminism alongside the usual
classical control structures and discrete assignments. This gives powerful and flexible
ways of modeling even very challenging systems and very complex control principles.
This lecture will start studying ways of making sure that the resulting behavior meets
the required correctness standards.
In 15-122 Principles of Imperative Computation, you have experienced how contracts
can be used to make properties of programs explicit. You have seen how contracts can
be checked dynamically at runtime, which, if they fail, alert you right away to flaws in
the design of the programs. You have experienced first hand that it is much easier to
find and fix problems in programs starting from the first contract that failed in the middle of the program, rather than from the mere observation that the final output is not as
expected (which you may not notice either unless the output is checked dynamically).
Another aspect of contracts that you have had the opportunity to observe in Principles of Imperative Computation is that they can be used in proofs that show that every
program run will satisfy the contracts. Unlike in dynamic checking, the scope of correctness arguments with proofs extends beyond the (clever) test cases that have been
tried. Both uses of contracts, dynamic checking and rigorous proofs, are very helpful
to check whether a system does what we intend it to, as has been argued on numerous
occasions in various contexts in the literature, e.g., [Flo67, Hoa69, Pra76, Mey92, XJC09,
PCL11, Log11].
15-424 LECTURE NOTES    September 9, 2013    ANDRÉ PLATZER

The principles of contracts help cyber-physical systems [Pla08, Pla10, Pla13, DLTT13]
as well. Yet, their use in proving may, arguably, be more important than their use in dynamic checking. The reason has to do with the physical impact of CPS and the (relative)
non-negotiability of the laws of physics. The reader is advised to imagine a situation
where a self-driving car is propelling him or her down the street. Suppose the car's
control software is covered with contracts all over, but all of them are exclusively for
dynamic checking, none have been proved. If that self-driving car speeds up to 100mph
on a 55mph highway and drives up very close to a car in front of it, then dynamically
checking the contract "distance to car in front should be more than 1 meter" does not
help. If that contract fails, the car's software would know that it made a mistake, but
it has become too late to do anything about it, because the brakes of the car will never
work out in time. So the car would be trapped in its own physics, in the sense that
it has run out of all safe control options. There are still effective ways of making use of
dynamic contract checking in CPS, but the design of those contracts then requires proof
to ensure that safety is always maintained.
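The braking scenario above is the core of the argument, so it is worth making concrete. The following is an added example written for this page in Python; it is not code from the lecture notes or from KeYmaera. It runs the car model of Lecture 3, x′ = v, v′ = a with the controller choosing between a := A and a := −b once per control cycle, against a stationary obstacle at position o, and compares two guards: the runtime contract exactly as stated (a gap of more than 1 meter) and a guard derived from the stopping distance v²/(2b). The vehicle parameters, cycle length eps and initial state are constructed for illustration.

```python
"""Added example, not part of the lecture notes: a runtime contract check has to be
designed from the physics (i.e. from a proof), or it fires when it is already too late.

Model (Lecture 3): a car at position x with velocity v >= 0 in front of a stationary
obstacle at position o.  Once per control cycle of length eps the controller picks
a := A (accelerate) if its guard holds and a := -b (brake) otherwise, and then
x' = v, v' = a evolves for eps seconds.  Two guards are compared:

  naive_guard    the contract as literally stated: the gap o - x exceeds 1 meter
  derived_guard  accelerate only if, after one more cycle of acceleration, the car
                 can still brake to a standstill before reaching o

All vehicle parameters and the initial state below are constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import Callable, Tuple


@dataclass(frozen=True)
class Car:
    x: float  # position (m)
    v: float  # velocity (m/s), never negative
    A: float  # maximal acceleration (m/s^2)
    b: float  # maximal braking deceleration (m/s^2), b > 0


Guard = Callable[[Car, float, float], bool]


def stopping_distance(v: float, b: float) -> float:
    """Distance covered while braking from v to 0 at constant deceleration b: v^2 / (2b)."""
    return v * v / (2.0 * b)


def naive_guard(car: Car, o: float, eps: float) -> bool:
    """'Distance to the car in front should be more than 1 meter', checked at run time."""
    return o - car.x > 1.0


def derived_guard(car: Car, o: float, eps: float) -> bool:
    """The gap must cover the distance driven while accelerating for eps seconds
    (v*eps + A*eps^2/2) plus the stopping distance from the speed v + A*eps reached
    at the end of that cycle.  Then braking in the next cycle is still an option."""
    v_next = car.v + car.A * eps
    needed = car.v * eps + 0.5 * car.A * eps * eps + stopping_distance(v_next, car.b)
    return o - car.x > needed


def evolve(car: Car, a: float, eps: float) -> Car:
    """Closed-form solution of x' = v, v' = a over eps seconds.  Braking stops at v = 0
    instead of reversing, which plays the role of the evolution domain v >= 0."""
    if a < 0 and car.v + a * eps < 0:
        t = car.v / (-a)                      # time until standstill
        return replace(car, x=car.x + car.v * t + 0.5 * a * t * t, v=0.0)
    return replace(car, x=car.x + car.v * eps + 0.5 * a * eps * eps, v=car.v + a * eps)


def run(car: Car, o: float, eps: float, guard: Guard, cycles: int) -> Tuple[bool, float]:
    """Execute ((?guard; a := A) u a := -b); x' = v, v' = a)* for a bounded number of
    cycles and check the safety postcondition x < o after each one.
    Returns (safe, smallest gap o - x observed)."""
    min_gap = o - car.x
    for _ in range(cycles):
        a = car.A if guard(car, o, eps) else -car.b
        car = evolve(car, a, eps)
        min_gap = min(min_gap, o - car.x)
        if car.x >= o:
            return False, min_gap
    return True, min_gap


if __name__ == "__main__":
    start = Car(x=0.0, v=30.0, A=2.0, b=5.0)    # constructed: 30 m/s is roughly 67 mph
    for name, guard in (("naive", naive_guard), ("derived", derived_guard)):
        safe, gap = run(start, o=100.0, eps=0.5, guard=guard, cycles=200)
        print(f"{name:8s} guard: {'safe' if safe else 'CRASH'}  (smallest gap {gap:7.3f} m)")
```

With the constructed numbers the naive guard keeps accelerating until the gap is down to a meter and the car then overshoots the obstacle within the very next cycle, while the derived guard brakes early and stops short of it. The derived guard is exactly what a proof of the invariant o − x > v²/(2b) tells you to check at run time; that is the sense in which the design of a dynamically checked contract requires proof.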
For those reasons, this course will focus on the role of proofs as correctness arguments much more than on dynamic checking of contracts. Because of the physical
consequences of malfunctions, correctness requirements on CPS are also more stringent. And their proofs involve significantly more challenging arguments than in Principles of Imperative Computation. For those reasons, we will approach CPS proofs
with much more rigor than what you have seen in Principles of Imperative Computation. But that is a story for a later lecture. The focus of today's lecture will be to
understand CPS contracts and the first basics of reasoning about CPS.
This material is based on correctness specifications and proofs for CPS [Pla12c, Pla07,
Pla08, Pla10]. We will come back to more details in later lectures, where we will also
use the KeYmaera prover for verifying CPS [PQ08]. More information about safety and
contracts can be found in [Pla10, Chapter 2.2, 2.3].

2 The Adventures of a Bouncing Ball


Lecture 3 considered hybrid programs that model a choice of increasing acceleration or
braking:

    ((?x − o > 5; a := a + 1) ∪ a := −b); x′ = v, v′ = a                                  (1)

That model did perform interesting control choices and we could continue to study
it in this lecture.
In order to sharpen our intuition about CPS, we will, however, study a very simple
but also very intuitive system instead. Once upon a time, there was a little bouncing
ball that had nothing else to do but bounce up and down the street until it was tired of
doing that (Fig. 1). The bouncing ball was not much of a CPS, because the poor bouncing ball does not actually have any interesting decisions to make. But it nevertheless
formed a perfectly reasonable hybrid system, because, after a closer look, it turns out
to involve discrete and continuous dynamics. The continuous dynamics is caused by


Figure 1: Sample trajectory of a bouncing ball (plotted as position over time)


gravity, which is pulling the ball down and makes it fall from the sky in the first place.
The discrete dynamics comes from the singular discrete event of what happens when
the ball hits the ground and bounces back up. There are a number of ways of modeling
the ball and its impact on the ground with physics. They include a whole range of different more or less realistic physical effects including gravity, aerodynamic resistance,
the elastic deformation on the ground, and so on and so on. But the little bouncing ball
didn't study enough physics to know anything about those effects. And so it had to go
about understanding the world in easier terms. It was a clever bouncing ball, though,
so it had experienced the phenomenon of sudden change and was trying to use that to
its advantage.
If we are looking for a very simple model of what the bouncing ball does, it is easier
to describe as a hybrid system. The ball at height h is falling subject to gravity:
    h″ = −g
When it hits the ground, which is assumed at height h = 0, the ball bounces back and
jumps back up in the air. Yet, as every child knows, the ball tends to come back up a
little less high than before. Given enough time to bounce around, it will ultimately lie
flat on the ground forever. Until it is picked up again and thrown high up in the air.
Let us model the impact on the ground as a discrete phenomenon and describe what
happens so that the ball jumps back up then. One attempt of understanding this could
be to make the ball jump back up rather suddenly by increasing its height by, say, 10
when it hit the ground h = 0:
    h″ = −g;
    if(h = 0) h := h + 10                                                                 (2)

Such a model may be useful for other systems, but would be rather at odds with our
physical experience with bouncing balls, because the ball is indeed slowly climbing
back up rather than suddenly being way up in the air again.
The bouncing ball ponders about what happens when it hits the ground. It does not
suddenly get teleported to a new position above ground like (2) would suggest. Instead, the ball suddenly changes its direction. A moment ago, it used to fall down with
a negative velocity (i.e. one that is pointing down into the ground) and suddenly climbs


back up with a positive velocity (pointing up into the sky). In order to be able to write
such a model, the velocity v will be made explicit in the bouncing ball's differential
equation:
    h′ = v, v′ = −g;
    if(h = 0) v := −v                                                                     (3)
Of course, something happens after the bouncing ball reversed its direction because
it hit the ground. Physics continues until it hits the ground again.
    h′ = v, v′ = −g;
    if(h = 0) v := −v;
    h′ = v, v′ = −g;                                                                      (4)
    if(h = 0) v := −v
Then, of course, physics moves on again, so the model actually involves a repetition:
    (h′ = v, v′ = −g;
     if(h = 0) v := −v)*                                                                  (5)

Yet, the bouncing ball is now rather surprised. For if it follows that HP (5), it seems as
if it should always be able to come back up to its initial height again. Excited about that
possibility, it tries and tries again but never succeeds to bounce back up as high as it
was before. So there must be something wrong with the model in (5), the ball concludes
and sets out to fix (5).
Having observed itself rather carefully, the bouncing ball concludes that it feels slower
when bouncing back up than it used to be when falling down. Indeed, it feels less
energetic on its way up. So its velocity must not only flip direction from down to up
at a bounce, but also seems to shrink in magnitude. The bouncing ball swiftly calls the
corresponding damping factor c and quickly comes up with a better model of itself:
    (h′ = v, v′ = −g;
     if(h = 0) v := −cv)*                                                                 (6)
Yet, running that model in clever ways, the bouncing ball observes that model (6)
could make it fall through the cracks in the ground. Terrified at that thought, the
bouncing ball quickly tries to set the physics right, lest it falls through the cracks in
space before it had a chance to fix its physics. The issue with (6) is that its differential
equation isn't told when to stop. Yet, the bouncing ball luckily remembers that this is
quite exactly what evolution domains were meant for. Above ground is what it wants
to remain, and so h ≥ 0 is what the ball asks dear physics to obey, since the table is of
rather sturdy build:
    (h′ = v, v′ = −g & h ≥ 0;
     if(h = 0) v := −cv)*                                                                 (7)
Now, indeed, physics will have to stop evolving before gravity has made our little
bouncing ball fall through the ground. Yet, physics could still choose to stop evolving

15-424 L ECTURE N OTES

A NDR E P LATZER

Safety & Contracts

L4.5

while the ball is still high up in the sky. In that case, the ball will not yet be on the
ground and line 2 of (7) would have no effect because h ≠ 0 still. This is not a catastrophe, however, because the loop in (7) could simply repeat, which would allow physics
to continue to evolve the differential equation further.
Quite happy with model (7) for itself, the bouncing ball goes on to explore whether
the model does what the ball expects it to do.

3 Postcondition Contracts for CPS


Hybrid programs are interesting models for CPS. They describe the behavior of a CPS,
ultimately captured by their semantics ρ(α), which is a reachability relation on states
(Lecture 3). Yet, reliable development of CPS also needs a way of ensuring that the
behavior will be as expected. So, for example, we may want the behavior of a CPS to
always satisfy certain crucial safety properties. A robot, for example, should never do
something unsafe like running over a human being.¹
The little bouncing ball may consider itself less safety-critical, except that it may be
interested in its own safety. It still wants to make sure that it couldn't ever fall through
the cracks in the ground. And even though it would love to jump all the way up to the
moon, the ball is also terrified of big heights and would never want to jump any higher
than it was in the very beginning. So, when H denotes the initial height, the bouncing
ball would love to know whether its height will always stay within 0 ≤ h ≤ H when
following HP (7).
Scared of what otherwise might happen to it if 0 ≤ h ≤ H should ever be violated, the
bouncing ball decides to make its goals for the HP (7) explicit. Fortunately, the bouncing ball excelled in the course Principles of Imperative Computation and recalls that
contracts such as @requires and @ensures have been used in that course to make behavioral expectations for C0 programs explicit. Even though the bouncing ball clearly
does not deal with a C0 program, but rather a hybrid program, it still puts @ensures(F)
contracts in front of HP (7) to express that all runs of that HP are expected to lead only
to states in which logical formula F is true. The bouncing ball even uses @ensures
twice, once for each of its expectations.
    @ensures(0 ≤ h)
    @ensures(h ≤ H)
    (h′ = v, v′ = −g & h ≥ 0;
     if(h = 0) v := −cv)*                                                                 (8)

¹ Safety of robots has, of course, been aptly defined by Asimov [Asi42] with his Three Laws of Robotics:
1. A robot may not injure a human being or, through inaction, allow a human being to come to harm.
2. A robot must obey the orders given to it by human beings, except where such orders would conflict
with the First Law.
3. A robot must protect its own existence as long as such protection does not conflict with the First or
Second Law.
But their exact rendition in logic still remains a challenge.


4 Precondition Contracts for CPS


Having learned from the Principles of Imperative Computation experience, the little
bouncing ball immediately starts thinking about whether the @ensures contracts in (8)
would, in fact, always be true after running that HP. After all, the bouncing ball would
really love to know that it can rely on that contract never failing.
Wondering about whether the @ensures contract in (8) would always succeed, the
bouncing ball notices that this would have to depend on what values the bouncing ball
starts with. It called H its initial height, but the HP (8) cannot know that. For one thing,
the contracts in (8) would be hard to fulfill if H = −5, because 0 ≤ h and h ≤ H can
impossibly both be true then.
So the bouncing ball figures it should demand a @requires contract with the precondition h = H to say that the height, h, of the bouncing ball is initially H. Because that
still does not (obviously) ensure that 0 ≤ h has a chance of holding, it requires 0 ≤ H
to hold initially:
    @requires(h = H)
    @requires(0 ≤ H)
    @ensures(0 ≤ h)
    @ensures(h ≤ H)
    (h′ = v, v′ = −g & h ≥ 0;
     if(h = 0) v := −cv)*                                                                 (9)

5 Invariant Contracts for CPS


The little bouncing ball remembers the prominent role that invariants have played in
the course Principles of Imperative Computation. So, the ball ventures including an
invariant with its HP. In C0, invariants were associated with loops, e.g.
i = 0;
while (i < 10)
//@loop_invariant 0 <= i && i <= 10;
{
i++;
}
The bouncing ball, thus, figures that invariants for loops in HPs should also be associated with a loop, which is written ∗ for nondeterministic repetition. After a moment's
thought, the bouncing ball decides that falling through the cracks in the ground is still
its biggest worry, so the invariant it'd like to maintain is h ≥ 0:
    @requires(h = H)
    @requires(0 ≤ H)
    @ensures(0 ≤ h)
    @ensures(h ≤ H)
    (h′ = v, v′ = −g & h ≥ 0;
     if(h = 0) v := −cv)* @invariant(h ≥ 0)                                              (10)
On second thought, the little bouncing ball is less sure what exactly the @invariant(F )
contract would mean for a CPS. So it decides to first give more thought to the proper
way of phrasing CPS contracts and what they mean.
We will get back to the @invariant(F ) construct in a later lecture.

6 Logical Formulas for Hybrid Programs


CPS contracts play a very useful role in the development of CPS models and CPS programs. Using them as part of their design right from the very beginning is a good idea,
probably even more crucial than it was in 15-122 Principles of Imperative Computation
for the development of C0 programs, because CPS have more stringent requirements
on safety.
Yet, we do not only want to program CPS, we also want to and have to understand
thoroughly what they mean, what their contracts mean, and how we convince ourselves that the CPS contracts are respected by the CPS program. It turns out that this
is where mere contracts are at a disadvantage compared to full logic. Logic allows not
only the specification of a whole CPS program, but also an analytic inspection of its
parts as well as argumentative relations between contracts and program parts.
Differential dynamic logic (dL) [Pla12c, Pla08, Pla12a, Pla07, Pla10] is the logic of hybrid systems that this course uses for specification and verification of cyber-physical
systems. There are more aspects of logic for cyber-physical systems [Pla12c, Pla12b],
which will be studied (to some extent) in later parts of this course.
The most unique feature of differential dynamic logic for our purposes is that it allows us to refer to hybrid systems. Lecture 2 introduced first-order logic of real arithmetic.
Note 1 (Limits of first-order logic for CPS). First-order logic of real arithmetic is a
crucial basis for describing what is true and false about CPS, because it allows us to refer
to real-valued quantities like positions and velocities and their arithmetic relations. Yet,
that is not enough, because first-order logic describes what is true in a single state of a
system. It has no way of referring to what will be true in future states of a CPS, nor of
describing the relationship of the initial state of the CPS to the final state of the CPS.


Recall that this relationship, ρ(α), is what ultimately constitutes the semantics of HP α.
Note 2 (Differential dynamic logic principle). Differential dynamic logic (dL) extends
first-order logic of real arithmetic with operators that refer to the future states of a CPS in
the sense of referring to the states that are reachable by running a given HP α. The logic dL
provides a modal operator [α], parametrized by α, that refers to all states reachable by HP α
according to the reachability relation ρ(α) of its semantics. This modal operator can be
placed in front of any dL formula φ. The dL formula
    [α]φ
expresses that all states reachable by HP α satisfy formula φ.
The logic dL also provides a modal operator ⟨α⟩, parametrized by α, that can be placed in
front of any dL formula φ. The dL formula
    ⟨α⟩φ
expresses that there is at least one state reachable by HP α for which φ holds. The modalities [α] and ⟨α⟩ can be used to express necessary or possible properties of the transition
behavior of α.
An @ensures(E) postcondition for a HP α can be expressed directly as a logical formula in dL:
    [α]E
So, the first CPS postcondition @ensures(0 ≤ h) for the bouncing ball HP in (8) can be
stated as a dL formula:
    [(h′ = v, v′ = −g & h ≥ 0; if(h = 0) v := −cv)*] 0 ≤ h                                (11)
The second CPS postcondition @ensures(h ≤ H) for the bouncing ball HP in (8) can be
stated as a dL formula as well:
    [(h′ = v, v′ = −g & h ≥ 0; if(h = 0) v := −cv)*] h ≤ H                                (12)
The logic dL allows all other logical operators from first-order logic, including conjunction (∧). So, the two dL formulas (11) and (12) can be stated together as a single dL
formula:
    [(h′ = v, v′ = −g & h ≥ 0; if(h = 0) v := −cv)*] 0 ≤ h
    ∧ [(h′ = v, v′ = −g & h ≥ 0; if(h = 0) v := −cv)*] h ≤ H                              (13)
Stepping back, we could also have combined the two postconditions @ensures(0 ≤ h)
and @ensures(h ≤ H) into a single postcondition @ensures(0 ≤ h ∧ h ≤ H). The
translation of that into dL would have gotten us an alternative way of combining both
statements about the lower and upper bound on the height of the bouncing ball into a
single dL formula:
    [(h′ = v, v′ = −g & h ≥ 0; if(h = 0) v := −cv)*] (0 ≤ h ∧ h ≤ H)                      (14)


Which way of representing what we expect bouncing balls to do is better? Like (13) or
like (14)? Are they equivalent? Or do they express different things?


It turns out that there is a very simple argument within the logic dL that shows that
(13) and (14) are equivalent. And not just that those two particular logical formulas are
equivalent but that the same equivalence holds for any dL formulas of this form. This
will be investigated formally in a later lecture, but it is useful to observe now already
to sharpen our intuition.
Having said that, do we believe dL formula (13) should be valid? Should (14) be
valid? Before we study this question in any further detail, the first question should be
what it means for a modal formula [α]φ to be true. What is its semantics? Better yet,
what exactly is its syntax in the first place?

7 Syntax of Differential Dynamic Logic


The formulas of differential dynamic logic are defined like the formulas of first-order
logic of real arithmetic with the additional capability of using modal operators for any
hybrid program α.
Definition 1 (dL formula). The formulas of differential dynamic logic (dL) are defined
by the grammar (where φ, ψ are dL formulas, θ1, θ2 (polynomial) terms, x a variable, α a HP):
    φ, ψ ::= θ1 = θ2 | θ1 ≥ θ2 | ¬φ | φ ∧ ψ | φ ∨ ψ | φ → ψ | ∀x φ | ∃x φ | [α]φ | ⟨α⟩φ
Operators >, ≤, <, ↔ can be defined as usual, e.g., (φ ↔ ψ) ≡ (φ → ψ) ∧ (ψ → φ).
We use the notational convention that unary operators (including ¬ and quantifiers
∀x, ∃x and modalities [α], ⟨α⟩)² bind stronger than binary operators. In particular, quantifiers and modal operators bind strong, i.e. their scope only extends to the formula
immediately after. Thus, ¬[α]φ ≡ ¬([α]φ) and ∀x φ ∧ ψ ≡ (∀x φ) ∧ ψ. In our
notation, we also let ∧ bind stronger than ∨, which binds stronger than →, ↔. We also
associate → to the right so that φ → ψ → χ ≡ φ → (ψ → χ). To avoid confusion, we
do not adopt precedence conventions between →, ↔ but expect explicit parentheses.
So φ ↔ ψ → χ would be considered illegal and explicit parentheses are required to
distinguish (φ ↔ ψ) → χ from φ ↔ (ψ → χ). Likewise φ → ψ ↔ χ would be considered illegal and explicit parentheses are required to distinguish (φ → ψ) ↔ χ from
φ → (ψ ↔ χ).

² Quantifiers are only quite arguably understood as unary operators. Yet, ∀x is a unary operator on
formulas while ∀ would be an operator with arguments of mixed syntactic categories. In a higher-order
context, it can also be understood more formally by understanding ∀x φ as an operator on functions:
∀(λx.φ). Similar cautionary remarks apply to the understanding of modalities as unary operators. The
primary reason for adopting this understanding is that it simplifies the precedence rules.


8 Semantics of Differential Dynamic Logic


For dL formulas that are also formulas of first-order real arithmetic (i.e. formulas without modalities), the semantics of dL formulas is the same as that of first-order real arithmetic. The semantics of modalities [α] and ⟨α⟩ quantifies over all ([α]) or some (⟨α⟩) of
the states reachable by following HP α, respectively.
Definition 2 (dL semantics). The satisfaction relation ν |= φ for a dL formula φ in
state ν is defined inductively:
  ν |= (θ1 = θ2) iff [[θ1]]ν = [[θ2]]ν.
  ν |= (θ1 ≥ θ2) iff [[θ1]]ν ≥ [[θ2]]ν.
  ν |= ¬φ iff ν ⊭ φ, i.e. if it is not the case that ν |= φ.
  ν |= φ ∧ ψ iff ν |= φ and ν |= ψ.
  ν |= φ ∨ ψ iff ν |= φ or ν |= ψ.
  ν |= φ → ψ iff ν ⊭ φ or ν |= ψ.
  ν |= φ ↔ ψ iff (ν |= φ and ν |= ψ) or (ν ⊭ φ and ν ⊭ ψ).
  ν |= ∀x φ iff ν_x^d |= φ for all d ∈ ℝ.
  ν |= ∃x φ iff ν_x^d |= φ for some d ∈ ℝ.
  ν |= [α]φ iff ω |= φ for all ω with (ν, ω) ∈ ρ(α).
  ν |= ⟨α⟩φ iff ω |= φ for some ω with (ν, ω) ∈ ρ(α).
If ν |= φ, then we say that φ is true at ν or that ν is a model of φ. A formula φ is
valid, written ⊨ φ, iff ν |= φ for all states ν. A formula φ is a consequence of a set of
formulas Γ, written Γ ⊨ φ, iff, for each ν: (ν |= ψ for all ψ ∈ Γ) implies that ν |= φ.

9 CPS Contracts in Logic


Now that we know what truth and validity are, let's go back to the previous question.
Is dL formula (13) valid? Is (14) valid? Indeed, they are equivalent, i.e. the dL formula
    (13) ↔ (14)
is valid. Expanding the abbreviations, that is, the following dL formula is valid:
    ( [(h′ = v, v′ = −g & h ≥ 0; if(h = 0) v := −cv)*] 0 ≤ h
      ∧ [(h′ = v, v′ = −g & h ≥ 0; if(h = 0) v := −cv)*] h ≤ H )
    ↔ [(h′ = v, v′ = −g & h ≥ 0; if(h = 0) v := −cv)*] (0 ≤ h ∧ h ≤ H)                    (15)
So if (13) is valid, then so should (14) be (Exercise 1). But is (13) valid?


Certainly, (13) is not true in a state ν where ν(h) < 0, because from that initial state,
no repetitions of the loop (which is allowed by nondeterministic repetition, Exercise 3)
will lead to a state ω, namely ω = ν, in which ω ⊭ 0 ≤ h. Thus, (13) only has a chance of being
valid in initial states that satisfy further assumptions, including 0 ≤ h and h ≤ H. In
fact, that is what the preconditions were meant for in Sect. 4. How can we express a
precondition contract in a dL formula?
Preconditions serve a very different role than postconditions do. Postconditions of
HP α are what we want to hold true after every run of α. The meaning of a postcondition is what is rather difficult to express in first-order logic (to say the least). That
is what dL has modalities for. Do we also need any extra logical operator to express
preconditions?
The meaning of a precondition @requires(A) of a HP α is that it is assumed to hold
before the HP starts. If A holds when the HP starts, then its postcondition @ensures(B)
holds after all runs of HP α. What if A does not hold when the HP starts?
If precondition A does not hold initially, then all bets are off, because the person who
started the HP did not obey its requirements, which say that it should only be run
if its preconditions are met. The CPS contract @requires(A) @ensures(B) for a HP α
promises that B will always hold after running α if A was true initially when α started.
Thus, the meaning of a precondition can be expressed easily using an implication
    A → [α]B                                                                              (16)
because an implication is valid if, in every state, its left-hand side is false or its right-hand side true. The implication (16) is valid (⊨ A → [α]B) if, indeed, for every state ν
in which precondition A holds (ν |= A), it is the case that all runs of HP α lead to
states ω (with (ν, ω) ∈ ρ(α)) in which postcondition B holds (ω |= B). The dL formula
(16) does not say what happens in states in which the precondition A does not hold
(ν ⊭ A).
How does formula (16) talk about the runs of a HP α and postcondition B again? Recall
that the dL formula [α]B is true in exactly those states in which all runs of HP α lead
only to states in which postcondition B is true. The implication in (16), thus, ensures
that this holds in all (initial) states that satisfy precondition A.
Note 5 (Contracts to dL Formulas). Consider a HP α with a CPS contract using a single
@requires(A) precondition and a single @ensures(B) postcondition:
    @requires(A)
    @ensures(B)
    α
This CPS contract can be expressed directly as a logical formula in dL:
    A → [α]B


CPS contracts with multiple preconditions and multiple postconditions can directly
be expressed as a dL formula as well (Exercise 4).
Recall HP (10), which is shown here in a slightly simplified form:
    @requires(0 ≤ h ∧ h = H)
    @ensures(0 ≤ h ∧ h ≤ H)
    (h′ = v, v′ = −g & h ≥ 0;
     if(h = 0) v := −cv)*                                                                 (17)
The dL formula expressing that the CPS contract for HP (17) holds is:
    0 ≤ h ∧ h = H → [(h′ = v, v′ = −g & h ≥ 0; if(h = 0) v := −cv)*] (0 ≤ h ∧ h ≤ H)       (18)
So to find out whether (17) satisfies its CPS contract, we ask whether the dL formula
(18) is valid.
In order to find out whether such a formula is valid, i.e. true in all states, we need
some operational way that allows us to tell whether it is valid, because mere inspection of the semantics alone is not a particularly scalable way of approaching validity
questions.

10 Identifying Requirements of a CPS


Before trying to prove any formulas to be valid, it is a good idea to check whether
all required assumptions have been found that are necessary for the formula to hold.
So let us scrutinize dL formula (18) and ponder whether there are any circumstances
under which it is not true. Even though the bouncing ball is a rather impoverished
CPS (it suffers from a disparate lack of control), its immediate physical intuition still
makes the ball an insightful example for illustrating how critical it is to identify the
right requirements.
Maybe the first thing to notice is that the HP mentions g, which is meant to represent
the standard gravity constant, but the formula (18) does not say so. Certainly, if gravity
were negative (g < 0), bouncing balls would function rather differently. They would
suddenly be floating balls disappearing into the sky. So let's modify (18) to assume
g = 9.81:
    0 ≤ h ∧ h = H ∧ g = 9.81 → [(h′ = v, v′ = −g & h ≥ 0; if(h = 0) v := −cv)*] (0 ≤ h ∧ h ≤ H)   (19)
Let's undo unnecessarily strict requirements right away, though. What would the
bouncing ball do if it were set loose on the moon instead of on Earth? Would it still
fall? Things are much lighter on the moon. Yet they still fall down ultimately, which
is again the phenomenon known as gravity, just with a different constant (1.6 on the
moon and 25.9 on Jupiter). Besides, none of those constants was particularly precise.
Earth's gravity is more like 9.8067. The behavior of the bouncing ball depends on the
value of that parameter g.


Note 6 (Parameters). A common feature of CPS is that their behavior is subject to parameters, which can have quite a non-negligible impact. Yet, it is very hard to determine
precise values for parameters by measurements. When a particular concrete value for a parameter has been assumed to prove a property of a CPS, it is not clear whether that property
holds for the true system, which may in reality have a slightly different parameter value.
Instead of a numerical value for a parameter, our analysis can proceed by treating the
parameter as a symbolic parameter, i.e. a variable such as g, which is not assumed to hold
a specific numerical value like 9.81. Instead, we would only assume certain constraints
about the parameter, say g > 1 without choosing a specific value. If we then analyze
the CPS with this symbolic parameter g, all analysis results will continue to hold for any
concrete choice of g respecting its constraints (here g > 1). That results in a stronger
statement about the system, which is less fragile as it does not break down just because the
true g is 9.8067 rather than the previously assumed g = 9.81. Often times, those more
general statements with symbolic parameters can even be easier to prove than statements
about systems with specific magic numbers chosen for their parameters.
In light of these thoughts, we could assume 9 < g < 10 to be the gravity constant for
Earth. Yet, we can also just consider all bouncing balls on all planets in the solar system
or elsewhere at once by assuming only g > 0 instead of g = 9.81 as in (19), since this is
the only aspect of gravity that the usual behavior of a bouncing ball depends on:
    0 ≤ h ∧ h = H ∧ g > 0 → [(h′ = v, v′ = −g & h ≥ 0; if(h = 0) v := −cv)*] (0 ≤ h ∧ h ≤ H)     (20)
Do we expect dL formula (20) to be valid, i.e. true in all states? What could go wrong?
The insight from modifying (18) to (19) and finally to (20) started with the observation
that (18) did not include any assumptions about g. It is worth noting that (20) also
does not assume anything about c. Bouncing balls clearly would not work as expected
if c > 1, because such anti-damping would cause the bouncing ball to jump back up
higher and higher and higher and ultimately as high up as the moon, clearly falsifying
(20). Consequently, (20) only has a chance of being true when assuming that c is not too
big:
    0 ≤ h ∧ h = H ∧ g > 0 ∧ 1 > c ≥ 0
      → [(h′ = v, v′ = −g & h ≥ 0; if(h = 0) v := −cv)*] (0 ≤ h ∧ h ≤ H)                    (21)
Is (21) valid now? Or does its truth depend on more assumptions that have not been
identified yet? Now, all parameters (H, g, c) have some assumptions in (21). Is there
some requirement we forgot about? Or did we find them all?
Before you read on, see if you can find the answer for yourself.


What about variable v? Why is there no assumption about it yet? Should there be
one? Velocity v changes over time. What is its initial value allowed to be? What could
go wrong?
Indeed, the initial velocity v of the bouncing ball could be positive (v > 0), which
would make the bouncing ball climb initially, clearly exceeding its initial height H. This
would correspond to the bouncing ball being thrown high up in the air in the beginning,
so that its initial velocity v is upwards from its initial height h = H. Consequently, (21)
has to be modified to assume $v \le 0$ holds initially:

$0 \le h \land h = H \land v \le 0 \land g > 0 \land 1 > c \ge 0 \to \big[\big(h' = v, v' = -g \,\&\, h \ge 0;\ \mathrm{if}(h = 0)\ v := -cv\big)^*\big](0 \le h \land h \le H)$   (22)
Now there are finally assumptions about all parameters and variables of (22). That does
not mean that we have found the right assumptions yet, obviously, but it is still a good sanity
check. Before wasting cycles on trying to prove or otherwise justify (22), let's try once
more whether we can find an initial state that satisfies all assumptions $v \le 0 \land 0 \le h \land h = H \land g > 0 \land 1 > c \ge 0$ in the antecedent (i.e. left-hand side of the implication) of
(22) but does not satisfy the succedent (i.e. right-hand side of the implication) of (22).
Such an initial state falsifies (22) and would, thus, represent a counterexample.
Is there still a counterexample to (22)? Or have we successfully identified all assumptions so that it is now valid?
Before you read on, see if you can find the answer for yourself.


Formula (22) still has a problem. Even if the initial state satisfies all requirements
in the antecedent of (22), the bouncing ball might still jump higher than it ought to,
i.e. higher than its initial height H. That happens if the bouncing ball has a very big
downwards velocity, so if v is a lot smaller than 0 (sometimes written $v \ll 0$). If v is
a little smaller than 0, then the damping c will eat up enough of the ball's kinetic energy
so that it cannot jump back up higher than it was initially (H). But if v is a lot smaller
than 0, then it starts falling down with so much kinetic energy that the damping on the
ground does not slow it down enough, so the ball will come bouncing back higher than
it was originally. Under which circumstances this happens depends on the relationship
of the initial velocity and height to the damping coefficient.
We could explore this relationship in more detail. But it is actually easier to infer this
relationship by conducting a proof. So we modify (22) to simply assume v = 0 initially:

$0 \le h \land h = H \land v = 0 \land g > 0 \land 1 > c \ge 0 \to \big[\big(h' = v, v' = -g \,\&\, h \ge 0;\ \mathrm{if}(h = 0)\ v := -cv\big)^*\big](0 \le h \land h \le H)$   (23)
Is dL formula (23) valid now? Or does it still have a counterexample?
Before you read on, see if you can find the answer for yourself.


It seems like all required assumptions have been identified to make the dL formula
(23) valid so that the bouncing ball described in (23) satisfies the postcondition $0 \le h \le H$. But after so many failed starts and missing assumptions and requirements for the
bouncing ball, it is a good idea to prove (23) once and for all beyond any doubt.
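As an added example (not code from the lecture notes), the following Python script simulates the loop of (22) with the closed-form solution of the free fall between impacts and searches for the counterexample described above: a large negative initial velocity makes the ball bounce back above H, whereas v = 0 as in (23) does not. It goes slightly beyond the text by stating the threshold in closed form: the first rebound reaches $c^2 (v_0^2/(2g) + H)$, which exceeds H exactly when $c^2 v_0^2 > 2gH(1 - c^2)$. The function names (impact_velocity, simulate_peak, rebound_height, violates_22) and the sample values (H = 1, g = 9.81, c = 1/2) are chosen here.

```python
"""Event-based simulation of the bouncing ball loop in (22)/(23), using the
closed-form free-fall solution between impacts.  Added example, not code from
the lecture notes; function names and the sample values are chosen here."""
import math


def impact_velocity(h, v, g):
    """Follow h' = v, v' = -g from height h >= 0 with velocity v <= 0 until h = 0.
    Energy conservation along the fall gives v_impact^2 = v^2 + 2 g h, and the
    impact velocity points downwards."""
    return -math.sqrt(v * v + 2.0 * g * h)


def simulate_peak(H, v0, g, c, bounces):
    """Run `bounces` iterations of the loop body (ODE; if(h = 0) v := -c v)
    from h = H with initial velocity v0 <= 0 and return the greatest height the
    ball reaches.  After each bounce the ball rises to v^2 / (2 g), where v = 0,
    so the apex is computed in closed form rather than by time stepping."""
    h, v = H, v0
    peak = h                        # the initial state is a reachable state too
    for _ in range(bounces):
        v = impact_velocity(h, v, g)    # continuous part ends on the floor
        h = 0.0
        v = -c * v                      # discrete part: if(h = 0) v := -c v
        apex = v * v / (2.0 * g)        # top of the next flight
        peak = max(peak, apex)
        h, v = apex, 0.0                # next iteration starts falling from the apex
    return peak


def satisfies_postcondition(H, v0, g, c, bounces=10):
    """True iff 0 <= h <= H holds along the simulated run (h >= 0 by construction)."""
    return simulate_peak(H, v0, g, c, bounces) <= H


def rebound_height(H, v0, g, c):
    """Height after the first bounce in closed form: c^2 (v0^2 / (2 g) + H).
    It exceeds H exactly when c^2 v0^2 > 2 g H (1 - c^2), which is the
    relationship between initial velocity, height and damping that the text
    alludes to."""
    return c * c * (v0 * v0 / (2.0 * g) + H)


def violates_22(H, v0, g, c):
    """Counterexample search for (22): all its assumptions hold (v0 <= 0, g > 0,
    1 > c >= 0, h = H >= 0) yet the ball climbs above H."""
    assert v0 <= 0 and g > 0 and 1 > c >= 0 and H >= 0
    return not satisfies_postcondition(H, v0, g, c)
```

With H = 1, g = 9.81 and c = 1/2, the threshold is $|v_0| > \sqrt{2gH(1-c^2)/c^2} \approx 7.67$: an initial velocity of −7 keeps the ball below H, while −8 (and −10) already refutes (22). With v_0 = 0, as in (23), the first rebound only reaches $c^2 H$.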
In order to be able to prove dL formula (23), however, we need to investigate how
proving works. How can dL formulas be proved? And, since first-order formulas are
dL formulas as well, one part of the question will be: how can first-order formulas be
proved? How can real arithmetic be proved? How can requirements for the safety of
CPS be identified systematically? All these questions will be answered in this course,
but not all of them in this lecture.
In order to make sure we only need to worry about a minimal set of operators of dL
for proving purposes, let's simplify (23) by getting rid of if-then-else (Exercise 7):

$0 \le h \land h = H \land v = 0 \land g > 0 \land 1 > c \ge 0 \to \big[\big(h' = v, v' = -g \,\&\, h \ge 0;\ (?h = 0;\ v := -cv\ \cup\ ?h \ne 0)\big)^*\big](0 \le h \land h \le H)$   (24)

Observing the non-negligible difference between the original conjecture (19) and the
revised and improved conjecture (24) leads us to often adopt the following principle.

Note 7 (Principle of Cartesian Doubt). In 1641, René Descartes suggested an attitude
of systematic doubt where he would be skeptical about the truth of all beliefs until he
found reason that they were justified. This principle is now known as Cartesian Doubt or
skepticism.
We will have perfect justifications: proofs. But until we have found a proof, it is often
helpful to adopt the principle of Cartesian Doubt in a very weak and pragmatic form.
Before setting out on the journey to prove a conjecture, we first scrutinize it to see if we
can find a counterexample that would make it false. For such a counterexample will not
only save us a lot of misguided effort in trying to prove a false conjecture, but also help us
identify missing assumptions in conjectures and justify those assumptions as necessary.
Surely, if, without assumption A, a counterexample to a conjecture exists, then A must be
necessary.

11 Intermediate Conditions for CPS


Before proceeding any further with ways of proving dL formulas, let's simplify (24)
grotesquely by removing the loop:

$0 \le h \land h = H \land v = 0 \land g > 0 \land 1 > c \ge 0 \to \big[h' = v, v' = -g \,\&\, h \ge 0;\ (?h = 0;\ v := -cv\ \cup\ ?h \ne 0)\big](0 \le h \land h \le H)$   (25)

Removing the loop clearly changes the behavior of the bouncing ball. It no longer
bounces particularly well. All it can do now is fall and, if it reaches the floor, have its


velocity reverted without actually climbing back up. So if we manage to prove (25),
we certainly have not shown the actual dL formula (24). But it's a start, because the
behavior modeled in (25) is a part of the behavior of (24). So it is useful (and easier) to
understand (25) first.
The dL formula (25) has a number of assumptions $0 \le h \land h = H \land v = 0 \land g > 0 \land 1 > c \ge 0$ that can be used during the proof. It claims that the postcondition $0 \le h \land h \le H$
holds after all runs of the HP in the $[\cdot]$ modality. The top-level operator in the modality
of (25) is a sequential composition (;), for which we need to find a proof argument.3
The HP in (25) follows a differential equation first and then, after the sequential composition (;), proceeds to run a discrete program $(?h = 0;\ v := -cv\ \cup\ ?h \ne 0)$. Depending
on how long the HP follows its differential equation, the intermediate state after the
differential equation and before the discrete program will be rather different.
Note 8 (Intermediate states of sequential compositions). This phenomenon happens
in general for sequential compositions $\alpha; \beta$. The first HP $\alpha$ may reach a whole range of
states, which represent intermediate states for the sequential composition $\alpha; \beta$, i.e. states
that are final states for $\alpha$ and initial states for $\beta$. The intermediate states of $\alpha; \beta$ are the
states $\mu$ in the semantics $\rho(\alpha; \beta)$ from Lecture 3:

$\rho(\alpha; \beta) = \rho(\alpha) \circ \rho(\beta) = \{(\nu, \omega) : (\nu, \mu) \in \rho(\alpha), (\mu, \omega) \in \rho(\beta)\}$
Can we find a way of summarizing what all intermediate states between the differential equation and the discrete program of (25) have in common? They differ by how
long the CPS has followed the differential equation.
If the system has followed the differential equation of (25) for time t, then the resulting velocity v(t) at time t and height h(t) at time t will be

$v(t) = -gt, \qquad h(t) = H - \frac{g}{2}t^2$   (26)
This answer can be found by integrating or solving the differential equations. This
knowledge (26) is useful but it is not (directly) clear how to use it to describe what
all intermediate states have in common, because the time t in (26) is not available as
a variable in the HP (25).4 Can the intermediate states be described by a relation of
the variables that (unlike t) are actually in the system? That is, an (arithmetic) formula
relating h, v, g, H?
Before you read on, see if you can find the answer for yourself.

The way we proceed here to prove (25) is actually not the recommended way. Later on, we will see a
much easier way. But it is instructive to understand the more verbose approach we take first. This also
prepares us for the challenges that lie ahead when proving properties of loops.
Following these thoughts a bit further reveals how (26) can actually be used perfectly well to describe
intermediate states when changing the HP (25) a little bit. But working with solutions is still not the
way that gets us to the goal the quickest, usually.


One way of producing a relation from (26) is to get the units aligned and get rid of
time t. Time drops out of the equation when squaring the identity for velocity:

$v(t)^2 = g^2 t^2, \qquad h(t) = H - \frac{g}{2}t^2$

and multiplying the identity for position by 2g:

$v(t)^2 = g^2 t^2, \qquad 2g\,h(t) = 2gH - g^2 t^2$

Then substituting the first equation into the second yields

$2g\,h(t) = 2gH - v(t)^2$

This equation does not depend on time t, so we expect it to hold after all runs of the
differential equation irrespective of t:

$2gh = 2gH - v^2$   (27)

We conjecture the intermediate condition (27) to hold in the intermediate state of the
sequential composition in (25). In order to prove (25) we can decompose our reasoning
into two parts. The first part will prove that the intermediate condition (27) holds after
all runs of the first differential equation. The second part will assume (27) to hold and
prove that all runs of the discrete program in (25) from any state satisfying (27) satisfy
the postcondition $0 \le h \land h \le H$.
Note 9 (Intermediate conditions as contracts for sequential composition). For a
HP that is a sequential composition $\alpha; \beta$ an intermediate condition is a formula E that
characterizes the intermediate states in between HP $\alpha$ and $\beta$. That is, for a dL formula

$A \to [\alpha; \beta]B$

an intermediate condition is a formula E such that the following dL formulas are valid:

$A \to [\alpha]E$   and   $E \to [\beta]B$

The first dL formula expresses that intermediate condition E characterizes the intermediate
states accurately, i.e. E actually holds after all runs of HP $\alpha$ from states satisfying A. The
second dL formula says that the intermediate condition E characterizes intermediate states
well enough, i.e. E is all we need to know about a state to conclude that all runs of $\beta$ end up
in B. That is, from all states satisfying E (in particular from those that result by running $\alpha$
from a state satisfying A), B holds after all runs of $\beta$.
For proving (25), we conjecture that (27) is an intermediate condition, which requires
us to prove the following two dL formulas:

$0 \le h \land h = H \land v = 0 \land g > 0 \land 1 > c \ge 0 \to [h' = v, v' = -g \,\&\, h \ge 0]\,2gh = 2gH - v^2$
$2gh = 2gH - v^2 \to [?h = 0;\ v := -cv\ \cup\ ?h \ne 0](0 \le h \land h \le H)$   (28)


Let's focus on the latter formula. Do we expect to be able to prove it? Do we expect it
to be valid?
Before you read on, see if you can find the answer for yourself.


The second formula of (28) claims that $0 \le h$ holds after all runs of $?h = 0;\ v := -cv\ \cup\ ?h \ne 0$ from all states that satisfy $2gh = 2gH - v^2$. That is a bit much to hope for,
however, because $0 \le h$ is not even ensured in the precondition of this second formula.
So the second formula of (28) is not valid. How can this problem be resolved? By
adding $0 \le h$ into the intermediate condition, thus, requiring us to prove:

$0 \le h \land h = H \land v = 0 \land g > 0 \land 1 > c \ge 0 \to [h' = v, v' = -g \,\&\, h \ge 0](2gh = 2gH - v^2 \land h \ge 0)$
$2gh = 2gH - v^2 \land h \ge 0 \to [?h = 0;\ v := -cv\ \cup\ ?h \ne 0](0 \le h \land h \le H)$   (29)
Proving the first formula in (29) requires us to handle differential equations, which
we will get to later. The second formula in (29) is the one whose proof is discussed first.

12 A Proof of Choice
The second formula in (29) has a nondeterministic choice ($\cup$) as the top-level operator
in its $[\cdot]$ modality. How can we prove a formula of the form

$A \to [\alpha \cup \beta]B$   (30)

Recalling its semantics from Lecture 3,

$\rho(\alpha \cup \beta) = \rho(\alpha) \cup \rho(\beta)$

HP $\alpha \cup \beta$ has two possible behaviors. It could run as HP $\alpha$ does or as $\beta$ does. And it is
chosen nondeterministically which of the two behaviors happens. Since the behavior
of $\alpha \cup \beta$ could be either $\alpha$ or $\beta$, proving (30) requires proving B to hold after $\alpha$ and after
$\beta$. More precisely, (30) assumes A to hold initially, otherwise (30) is vacuously true.
Thus, proving (30) allows us to assume A and requires us to prove that B holds after all
runs of $\alpha$ (which is permitted behavior for $\alpha \cup \beta$) and to prove that, assuming A holds
initially, B holds after all runs of $\beta$ (which is also permitted behavior of $\alpha \cup \beta$).
Note 10 (Proving choices). For a HP that is a nondeterministic choice $\alpha \cup \beta$, we can
prove

$A \to [\alpha \cup \beta]B$

by proving the following dL formulas:

$A \to [\alpha]B$   and   $A \to [\beta]B$

Using these thoughts on the second formula of (29), we could prove that formula if
we managed to prove both of the following dL formulas:

$2gh = 2gH - v^2 \land h \ge 0 \to [?h = 0;\ v := -cv](0 \le h \land h \le H)$
$2gh = 2gH - v^2 \land h \ge 0 \to [?h \ne 0](0 \le h \land h \le H)$   (31)

13 Proofs of Tests
Consider the second formula of (31). Proving it requires us to understand how to handle a test ?H in a modality [?H]. The semantics of a test ?H from Lecture 3

$\rho(?H) = \{(\nu, \nu) : \nu \models H\}$   (32)

says that a test ?H completes successfully without changing the state in any state in
which H holds (i.e. $\nu \models H$) and fails to run in all other states (i.e. where $\nu \not\models H$). How
can we prove a formula with a test:

$A \to [?H]B$   (33)

This formula expresses that from all initial states satisfying A all runs of ?H reach states
satisfying B. When is there a run of ?H at all? There is a run from state $\nu$ if and only
if H holds in $\nu$. So the only cases to worry about are those initial states that satisfy H
as, otherwise, the HP in (33) cannot execute at all but fails miserably so that the run is
discarded. Hence, we get to assume H holds, as the HP ?H does not otherwise execute.
In all states that the HP ?H reaches from states satisfying A, (33) conjectures that B
holds. Now, by (32), the final states that ?H reaches are the same as the initial states (as
long as they satisfy H so that HP ?H can be executed at all). That is, postcondition B
needs to hold in all states from which ?H runs (i.e. that satisfy H) and that satisfy the
precondition A. So (33) can be proved by proving

$A \land H \to B$

Note 11 (Proving tests). For a HP that is a test ?H, we can prove

$A \to [?H]B$

by proving the following dL formula:

$A \land H \to B$

Using this for the second formula of (31), Note 11 reduces proving the second formula
of (31)

$2gh = 2gH - v^2 \land h \ge 0 \to [?h \ne 0](0 \le h \land h \le H)$

to proving

$2gh = 2gH - v^2 \land h \ge 0 \land h \ne 0 \to 0 \le h \land h \le H$   (34)

Now we are left with arithmetic that we need to prove. Proofs for arithmetic and
propositional logical operators such as $\land$ and $\to$ will be considered in a later lecture.
For now, we notice that the formula $0 \le h$ in the right-hand side of $\to$ seems justified
by the assumption $h \ge 0$. And that $h \le H$ does not exactly have a justification in (34),
because we lost the assumptions about H somewhere.
How could that happen? We used to know $h \le H$ in (25). We also still knew about
it in the first formula of (29). But we let it disappear from the second formula of (29),
because we chose an intermediate condition that was too weak when constructing (29).
This is a common problem in trying to prove properties of CPS or of any other mathematical statements. One of our intermediate steps might have been too weak, so that
our attempt at proving it fails and we need to revisit how we got there. For sequential
compositions, this is actually a nonissue as soon as we move on (in the next lecture) to
a proof technique that is more useful than the intermediate conditions from Note 9. But
similar difficulties can arise in other parts of proof attempts.
In this case, the fact that we lost $h \le H$ can be fixed by including it in the intermediate condition, because it can still be shown to hold after the differential equation.
Other crucial assumptions have also suddenly disappeared in our reasoning. An extra
assumption $1 > c \ge 0$, for example, is crucially needed to justify the first formula of
(31). It is somewhat easier to see why that particular assumption can be added to the
intermediate contract without changing the argument much. The reason is that c never
ever changes during the system run.
Note 12. It is very difficult to come up with bug-free code. Just thinking about your
assumptions really hard does not ensure correctness, but we can gain confidence that our
system does what we want it to by proving that certain properties are satisfied.
Changing the assumptions and arguments in a hybrid program around during the search
for a proof of safety is something that happens frequently. It is easy to make subtle mistakes
in informal arguments such as "I need to know C here and I would know C if I had included
it here or there, so now I hope the argument holds." This is one of many reasons why we
are better off if our CPS proofs are rigorous, because we would rather not end up in trouble
because of a subtle flaw in a correctness argument. A formal proof calculus for differential
dynamic logic (dL) will help us avoid the pitfalls of informal arguments. The theorem
prover KeYmaera that you will use in this course implements a proof calculus for dL.
A related observation from our informal arguments in this lecture is that we desperately
need a way to keep an argument consistent as a single argument justifying one conjecture,
quite the contrary to the informal loose threads of argumentation we have pursued in this
lecture for the sake of developing an intuition. Consequently, we will investigate what
constitutes an actual proof in subsequent lectures: a proof in which the relationship of
premises to conclusions via proof steps is rigorous.
Moreover, there are two loose ends in our arguments. For one, the differential equation
in (29) is still waiting for an argument that could help us prove it. Also, the assignment
in (31) still needs to be handled and its sequential composition needs an intermediate
contract.


Exercises
Exercise 1. Let A, B be dL formulas. Suppose $A \to B$ is valid and A is valid. Is B valid?
Prove or disprove.
Exercise 2. Let A, B be dL formulas. Suppose $A \to B$ is true in state $\nu$ and A is true in
state $\nu$. That is, $\nu \models A \to B$ and $\nu \models A$. Is B true in state $\nu$? Prove or disprove. Is B
valid? Prove or disprove.
Exercise 3. Let $\alpha$ be an HP. Let $\nu$ be a state with $\nu \not\models \phi$. Does $\nu \not\models [\alpha^*]\phi$ hold? Prove or
disprove.
Exercise 4. Suppose you have a HP with a CPS contract using multiple preconditions
A1 , . . . , An and multiple postconditions B1 , . . . , Bm :
@requires(A1 )
@requires(A2 )
..
.
@requires(An )
@ensures(B1 )
@ensures(B2 )
..
.
@ensures(Bm )

How can this CPS contract be expressed in a dL formula?


Exercise 5. For each of the following dL formulas, determine if they are valid, satisfiable,
and/or unsatisfiable:
1. [?x 0]x 0.
2. [?x 0]x 0.
3. [?x 0]x < 0.
4. [?true]true.
5. [?true]false.
6. [?false]true.
7. [?false]false.
8. [x' = 1 & true]true.
9. [x' = 1 & true]false.
10. [x' = 1 & false]true.
11. [x' = 1 & false]false.
12. [(x' = 1 & true)*]true.
13. [(x' = 1 & true)*]false.
14. [(x' = 1 & false)*]true.
15. [(x' = 1 & false)*]false.
Exercise 6. What would happen with the bouncing ball if c < 0? Consider a variation of
the arguments in Sect. 10 where instead of the assumption in (21), you assume c < 0. Is
the formula valid? What would happen with a bouncing ball of damping c = 1?
Exercise 7. We went from (23) to (24) by removing an if-then-else. Explain how this
works and justify why it is okay to do this transformation. It is okay to focus only on
this case, even though the argument is more general.
Exercise 8 (**). Sect. 11 used a mix of a systematic and ad-hoc approach for producing an
intermediate condition that was based on solving and combining differential equations.
Can you think of a more systematic rephrasing?

References
[Asi42] Isaac Asimov. Runaround, 1942.
[DBL12] Proceedings of the 27th Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2012, Dubrovnik, Croatia, June 25–28, 2012. IEEE, 2012.
[DLTT13] Patricia Derler, Edward A. Lee, Stavros Tripakis, and Martin Törngren. Cyber-physical system design contracts. In Chenyang Lu, P. R. Kumar, and Radu Stoleru, editors, ICCPS, pages 109–118. ACM, 2013.
[Flo67] Robert W. Floyd. Assigning meanings to programs. In J. T. Schwartz, editor, Mathematical Aspects of Computer Science, Proceedings of Symposia in Applied Mathematics, volume 19, pages 19–32, Providence, 1967. AMS.
[Hoa69] Charles Antony Richard Hoare. An axiomatic basis for computer programming. Commun. ACM, 12(10):576–580, 1969.
[Log11] Francesco Logozzo. Practical verification for the working programmer with CodeContracts and abstract interpretation (invited talk). In Ranjit Jhala and David A. Schmidt, editors, VMCAI, volume 6538 of LNCS, pages 19–22. Springer, 2011. doi:10.1007/978-3-642-18275-4_3.
[Mey92] Bertrand Meyer. Applying design by contract. Computer, 25(10):40–51, October 1992.
[PCL11] Frank Pfenning, Thomas J. Cortina, and William Lovas. Teaching imperative programming with contracts at the freshmen level. 2011.
[Pla07] André Platzer. Differential dynamic logic for verifying parametric hybrid systems. In Nicola Olivetti, editor, TABLEAUX, volume 4548 of LNCS, pages 216–232. Springer, 2007. doi:10.1007/978-3-540-73099-6_17.
[Pla08] André Platzer. Differential dynamic logic for hybrid systems. J. Autom. Reas., 41(2):143–189, 2008. doi:10.1007/s10817-008-9103-8.
[Pla10] André Platzer. Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics. Springer, Heidelberg, 2010. doi:10.1007/978-3-642-14509-4.
[Pla12a] André Platzer. The complete proof theory of hybrid systems. In LICS [DBL12], pages 541–550. doi:10.1109/LICS.2012.64.
[Pla12b] André Platzer. Dynamic logics of dynamical systems. CoRR, abs/1205.4788, 2012. arXiv:1205.4788.
[Pla12c] André Platzer. Logics of dynamical systems. In LICS [DBL12], pages 13–24. doi:10.1109/LICS.2012.13.
[Pla13] André Platzer. Teaching CPS foundations with contracts. In CPS-Ed, pages 7–10, 2013.
[PQ08] André Platzer and Jan-David Quesel. KeYmaera: A hybrid theorem prover for hybrid systems. In Alessandro Armando, Peter Baumgartner, and Gilles Dowek, editors, IJCAR, volume 5195 of LNCS, pages 171–178. Springer, 2008. doi:10.1007/978-3-540-71070-7_15.
[Pra76] Vaughan R. Pratt. Semantical considerations on Floyd-Hoare logic. In FOCS, pages 109–121. IEEE, 1976.
[XJC09] Dana N. Xu, Simon L. Peyton Jones, and Koen Claessen. Static contract checking for Haskell. In Zhong Shao and Benjamin C. Pierce, editors, POPL, pages 41–52. ACM, 2009. doi:10.1145/1480881.1480889.

15-424: Foundations of Cyber-Physical Systems

Lecture Notes on
Dynamical Systems & Dynamic Axioms
Andre Platzer
Carnegie Mellon University
Lecture 5

1 Introduction
Lecture 4 demonstrated how useful and crucial CPS contracts are for CPS. Their role
and understanding goes beyond dynamic testing, though. In CPS, proven CPS contracts are infinitely more valuable than dynamically tested contracts, because dynamic tests of contracts at runtime of a CPS generally leave open very little flexibility for
reacting to them in any safe way. After all, the failure of a contract indicates that some
safety condition that was expected to hold is no longer true. Unless provably sufficient
safety margin and fallback plans remain, the system is already in trouble then.1
Consequently, CPS contracts really shine in relation to how they are proved for CPS.
Understanding how to prove CPS contracts requires us to understand the dynamical
effects of hybrid programs in more detail. This deeper understanding of the effects of
hybrid program statements is not only useful for conducting proofs but also for developing and sharpening our intuition about hybrid programs for CPS. This phenomenon
illustrates a more general point that proof and effect (and/or meaning) are intimately
linked and that truly understanding effect is ultimately the same as, as well as a prerequisite to, understanding how to prove properties of that effect [Pla12c, Pla12a, Pla10].
You may have seen this point demonstrated amply already in other courses from the
Principles of Programming Languages group at CMU.
The route that we choose to get to this level of understanding is one that involves a
closer look at dynamical systems and Kripke models, or rather, the effect that hybrid
programs have on them. This will enable us to devise authoritative proof principles for
differential dynamic logic and hybrid programs [Pla12c, Pla12a, Pla10, Pla08]. While
there are many more interesting things to say about dynamical systems and Kripke
1 Although, in combination with formal verification, the Simplex architecture exploits this relationship of
dynamic contracts for safety purposes [SKSC98].


September 11, 2013


structures, this lecture will limit information to the truly essential parts that are crucial
right now and leave more elaboration for later lectures.
More information can be found in [Pla12b, Pla12c] as well as [Pla10, Chapter 2.3].

2 A Proof of Choice (Continued)


Recall the bouncing ball from Lecture 4, with repetition removed just to simplify the
discussion for illustration purposes:

$0 \le h \land h = H \land v = 0 \land g > 0 \land 1 > c \ge 0 \to \big[h' = v, v' = -g \,\&\, h \ge 0;\ (?h = 0;\ v := -cv\ \cup\ ?h \ne 0)\big](0 \le h \land h \le H)$   (1)

In order to try to prove the above formula, we have convinced ourselves with a number of steps of argumentation that we should try to prove the following two formulas
(and many others):

$0 \le h \land h = H \land v = 0 \land g > 0 \land 1 > c \ge 0 \to [h' = v, v' = -g \,\&\, h \ge 0](2gh = 2gH - v^2 \land g > 0)$
$2gh = 2gH - v^2 \land g > 0 \to [?h = 0;\ v := -cv\ \cup\ ?h \ne 0](0 \le h \land h \le H)$   (2)
In our attempt at proving the latter formula, we used the following principle:
Note 1 (Proving choices). For a HP that is a nondeterministic choice $\alpha \cup \beta$, we can
prove

$A \to [\alpha \cup \beta]B$   (3)

by proving the following dL formulas:

$A \to [\alpha]B$   and   $A \to [\beta]B$

Note 2 (Proving choices: proof-rule style). Note 1 is captured more concisely in the
following proof rule:

$(\mathrm{R1})\quad \dfrac{A \to [\alpha]B \qquad A \to [\beta]B}{A \to [\alpha \cup \beta]B}$

If we can prove all premises (above the rule bar) of a proof rule, then that proof rule infers the
conclusion (below the rule bar).
Alas, the way we have been using proof rules so far is the other way around. We had been
looking at a formula such as the second formula of (2) that has the shape of the conclusion
of a rule such as R1. And then we went on trying to prove the premises of that proof rule
instead. This conclusion-to-premise style of using our proof rules is perfectly acceptable
and useful as well. Should we ever succeed in proving the premises of R1, that proof rule
would allow us to infer its conclusion too. In this way, proof rules are even useful in directing us to which formulas we should try to prove next: the premises of the instantiation
of that rule.


Using these thoughts on the second formula of (2), we could prove that formula using
proof rule R1 if we managed to prove both of its premises, which, in this instance,
are the following dL formulas:

$2gh = 2gH - v^2 \land g > 0 \to [?h = 0;\ v := -cv](0 \le h \land h \le H)$
$2gh = 2gH - v^2 \land g > 0 \to [?h \ne 0](0 \le h \land h \le H)$   (4)

Before proceeding with proofs of (4), let us revisit the reaso­ning that led to the principle in
Note 2. We said that (3) can be justified by proving that, when assuming A, all runs of
$\alpha$ lead to states satisfying B and all runs of $\beta$ lead to B states. Is that argument reflected
directly in Note 2?
Kind of, but not quite, because there is a minor difference. Our informal argument
assumed A once and concluded both $[\alpha]B$ and $[\beta]B$ from A. The principle captured in
Note 2 assumes A to prove $[\alpha]B$ and then, separately, assumes A again to prove $[\beta]B$.
These two arguments are clearly closely related, but still slightly different. Can we
formalize and follow the original argument directly somehow? Or is Note 2 our only
chance?
Following the original argument, we would argue that (3) holds by proving

$A \to ([\alpha]B \land [\beta]B)$

or, since the parentheses are superfluous according to the usual precedence rules:

$A \to [\alpha]B \land [\beta]B$   (5)

Is there a direct way to justify going from (3) to (5)? Preferably one that
simultaneously justifies going from (3) to the formulas identified in Note 2 as well.
These considerations will take us to a more general and more elegant proof principle
than R1, to a more refined understanding of the behavior of nondeterministic choices,
and to a way of justifying proof rules as being sound.

3 Dynamic Axioms for Nondeterministic Choices


Recall the semantics of nondeterministic choices from Lecture 3:

$\rho(\alpha \cup \beta) = \rho(\alpha) \cup \rho(\beta)$   (6)

Remember that $\rho(\alpha)$ is a reachability relation on states, where $(\nu, \omega) \in \rho(\alpha)$ iff HP $\alpha$
can run from state $\nu$ to state $\omega$. Let us illustrate graphically what (6) means:
According to $\rho(\alpha)$, a number of states $\omega_i$ are reachable by running HP $\alpha$ from some
initial state $\nu$. According to $\rho(\beta)$, a number of (possibly other) states $\omega_i$ are reachable
by running HP $\beta$ from the same initial state $\nu$. By (6), running $\alpha \cup \beta$ from $\nu$ can give us
any of those possible outcomes. And there was nothing special about the initial state $\nu$.
The same principle holds for all other states.


Figure 1: Illustration of transition semantics of $\alpha \cup \beta$

Note 3 ($\alpha \cup \beta$). The nondeterministic choice $\alpha \cup \beta$ can lead to exactly the states to which
either $\alpha$ could take us or to which $\beta$ could take us or to which both could lead. The dynamic
effect of a nondeterministic choice $\alpha \cup \beta$ is that running it at any time either results in a
behavior of $\alpha$ or of $\beta$. So both the behaviors of $\alpha$ and $\beta$ are possible when running $\alpha \cup \beta$.
If we want to understand whether and where dL formula $[\alpha \cup \beta]\phi$ is true, we need to
understand which states the modality $[\alpha \cup \beta]$ refers to. In which states does $\phi$ have to
be true so that $[\alpha \cup \beta]\phi$ is true in state $\nu$?
By definition of the semantics, $\phi$ needs to be true in all states that $\alpha \cup \beta$ can reach
according to $\rho(\alpha \cup \beta)$ from $\nu$ for $[\alpha \cup \beta]\phi$ to be true in $\nu$. Referring to (6) or looking at
Fig. 1 shows us that this includes exactly all states that $\alpha$ can reach from $\nu$ according to
$\rho(\alpha)$, hence $[\alpha]\phi$ has to be true in $\nu$. And that it also includes all states that $\beta$ can reach
from $\nu$, hence $[\beta]\phi$ has to be true in $\nu$.
Consequently,

$\nu \models [\alpha]\phi$ and $\nu \models [\beta]\phi$   (7)

are necessary conditions for

$\nu \models [\alpha \cup \beta]\phi$   (8)

That is, unless (7) holds, (8) cannot possibly hold. So (7) is necessary for (8). Are there
any states missing? Are there any states that (8) would require to satisfy $\phi$, which (7)
does not already ensure to satisfy $\phi$? No, because, by (6), $\alpha \cup \beta$ does not admit any
behavior that neither $\alpha$ nor $\beta$ can exhibit. Hence (7) is also sufficient for (8), i.e. (7)
implies (8).
Thus, when adopting a more logical language again, this justifies:

$\nu \models [\alpha \cup \beta]\phi \leftrightarrow [\alpha]\phi \land [\beta]\phi$

This reasoning did not depend on the particular state $\nu$ but holds for all $\nu$. Therefore,

$\models [\alpha \cup \beta]\phi \leftrightarrow [\alpha]\phi \land [\beta]\phi$

Exciting! We have just proved our first axiom to be sound:


Lemma 1 ([] soundness). The axiom of choice is sound, i.e. all its instances are valid:
([]) [ ] [] []
Nondeterministic choices split into their alternatives in axiom []. From right to left:
If all runs lead to states satisfying (i.e., [] holds) and all runs lead to states
satisfying (i.e., [] holds), then all runs of HP , which may choose between
following and following , also lead to states satisfying (i.e., [ ] holds). The
converse implication from left to right holds, because can run all runs of and all
runs of , so all runs of (and of ) lead to states satisfying if that holds for all runs
of [].
From now on, every time we see a formula of the form [ ], we can remember
that axiom [] knows a formula, namely [] [] that is equivalent to it. Of course,
whenever we find a formula of the form [ ], we also remember that axiom []
knows a formula, namely [] [] that is equivalent to it, just by instantiation of
axiom [].
Armed with this axiom [] at our disposal, we can now easily do a proof step from
(3) to (5) just by invoking the equivalence that [] justifies. Lets elaborate. We want to
prove:
A [ ]B
(3)
By [], or rather an instance of [] formed by using B for , we know:
[ ]B []B []B

(9)

Since (9) is a valid equivalence, replacing the place where the left-hand side of (9) occurs
in (3) by the right-hand side of (9) gives us a formula that is equivalent to (3):
A []B []B

(5)

After all, according to the valid equivalence (9) justified by axiom [], (5) can be obtained from (3) just by replacing a formula with one that is equivalent.
Actually, stepping back, the same argument can be made to go from (5) to (3) instead
of from (3) to (5). Both ways of using [] are perfectly fine, although the direction
that gets rid of the operator tends to be much more useful, because it makes progress
(getting rid of an HP operator). Axiom [] is also useful in many more situations
than rule R1. For example, if we want to prove a dL formula
[ ]A B
where [ ] is on the left-hand side of an implication, then axiom [] justifies that it is
enough to prove the following dL formula instead:
[]A []A B

This inference cannot be justified with proof rule R1, but would need a separate proof
rule such as
(R3)
[]A []A B
[ ]A B
Yet, axiom [] justifies both R1 and R3 and many other uses of splitting a boxed choice
into a conjunction. Axiom [] is, thus, more fundamental.
A general principle behind the dL axioms is most noticeable in axiom []. All equivalence axioms of dL are primarily intended to be used by reducing the formula on
the left to the (structurally simpler) formula on the right. Such a reduction symbolically decomposes a property of a more complicated system into separate properties
of easier fragments and . This decomposition makes the problem tractable and is
good for scalability purposes. For these symbolic structural decompositions, it is very
helpful that dL is a full logic that is closed under all logical operators, including disjunction and conjunction, for then both sides in [] are dL formulas again (unlike in
Hoare logic [Hoa69]). This also turns out to be an advantage for computing invariants
[PC08, PC09, Pla10], which will be discussed much later in this course.
The definition of soundness was not specific to axiom [], but applies to all dL axioms.

Definition 2 (Soundness). An axiom is sound iff all its instances are valid.

4 Dynamic Axioms for Assignments


Axiom [] allows us to understand and handle [ ] properties. If we find similar
axioms for the other operators of hybrid programs, then we have a way of handling
all other hybrid programs, too.
Consider discrete assignments. Recall from Lecture 4 that:
(x := ) = {(, ) : = except that [[x]] = [[]] }
[Figure: transition structure of the assignment (x := )]

Lemma 3 ([:=] soundness). The assignment axiom is sound:


([:=]) [x := ](x) ()
Axiom [:=] is Hoare's assignment rule. It uses substitutions to axiomatize discrete assignments. To show that (x) is true after a discrete assignment, axiom [:=] shows that
it has been true before, when substituting the affected variable x with its new value .

Formula () is obtained from (x) by substituting for x at all occurrences of x, provided x does not occur in the scope of a quantifier or modality binding x or a variable
of .
Note 7 (Bound variables). A modality containing x := or x outside the scope of tests
?H or evolution domain constraints binds x, because it may change the value of x. A
quantifier x or x also binds variable x.
Substitutions are defined as usual [Pla10, Chapter 2.5.1].
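The substitution that axiom [:=] performs, together with the proviso of Note 7, can be made executable. The following Python routine is an added example and is not code from the lecture notes; it encodes terms, formulas and hybrid programs as nested tuples (a constructed encoding) and refuses a substitution exactly when the substituted variable occurs in the scope of a quantifier or modality that binds it or a variable of the substituted term. The bouncing-ball abbreviations at the end are constructed in the style of Section 9 and are assumptions of this example, not the page's own encoding.

```python
class Inadmissible(Exception):
    """[x := theta]phi cannot be rewritten to phi(theta) by axiom [:=]."""


def term_vars(t):
    """Variables of a term: a str is a variable, a number has none, a tuple is an operator node."""
    if isinstance(t, str):
        return frozenset([t])
    if isinstance(t, (int, float)):
        return frozenset()
    return frozenset().union(*(term_vars(a) for a in t[1:]))


def program_bound(p):
    """Variables a program binds (Note 7): assignments and ODEs bind their variable,
    tests bind nothing, compound programs bind whatever their parts bind."""
    kind = p[0]
    if kind in ("assign", "ode"):
        return frozenset([p[1]])
    if kind == "test":
        return frozenset()
    if kind in ("seq", "choice"):
        return program_bound(p[1]) | program_bound(p[2])
    return program_bound(p[1])  # loop


def program_vars(p):
    kind = p[0]
    if kind in ("assign", "ode"):
        return frozenset([p[1]]) | term_vars(p[2])
    if kind == "test":
        return formula_vars(p[1])
    if kind in ("seq", "choice"):
        return program_vars(p[1]) | program_vars(p[2])
    return program_vars(p[1])  # loop


def formula_vars(phi):
    kind = phi[0]
    if kind in ("<=", "<", "=", ">", ">="):
        return term_vars(phi[1]) | term_vars(phi[2])
    if kind == "not":
        return formula_vars(phi[1])
    if kind in ("and", "or", "imp"):
        return formula_vars(phi[1]) | formula_vars(phi[2])
    if kind in ("forall", "exists"):
        return frozenset([phi[1]]) | formula_vars(phi[2])
    return program_vars(phi[1]) | formula_vars(phi[2])  # box modality


def subst_term(t, x, theta):
    if isinstance(t, str):
        return theta if t == x else t
    if isinstance(t, (int, float)):
        return t
    return (t[0],) + tuple(subst_term(a, x, theta) for a in t[1:])


def _check(bound, scope_vars, x, theta):
    # Note 7's proviso: x may not occur in the scope of a binder of x or of a variable of theta.
    if x in scope_vars and bound & (frozenset([x]) | term_vars(theta)):
        raise Inadmissible(f"{x} occurs in the scope of a binder of {sorted(bound)}")


def subst_program(p, x, theta):
    kind = p[0]
    if kind in ("assign", "ode"):
        return (kind, p[1], subst_term(p[2], x, theta))
    if kind == "test":
        return (kind, subst(p[1], x, theta))
    if kind in ("seq", "choice"):
        return (kind, subst_program(p[1], x, theta), subst_program(p[2], x, theta))
    return (kind, subst_program(p[1], x, theta))


def subst(phi, x, theta):
    """phi(theta): replace x by theta everywhere in phi, or raise Inadmissible."""
    kind = phi[0]
    if kind in ("<=", "<", "=", ">", ">="):
        return (kind, subst_term(phi[1], x, theta), subst_term(phi[2], x, theta))
    if kind == "not":
        return (kind, subst(phi[1], x, theta))
    if kind in ("and", "or", "imp"):
        return (kind, subst(phi[1], x, theta), subst(phi[2], x, theta))
    if kind in ("forall", "exists"):
        _check(frozenset([phi[1]]), formula_vars(phi[2]), x, theta)
        return (kind, phi[1], subst(phi[2], x, theta))
    prog, post = phi[1], phi[2]  # box modality [prog]post
    _check(program_bound(prog), program_vars(prog) | formula_vars(post), x, theta)
    return ("box", subst_program(prog, x, theta), subst(post, x, theta))


# Constructed bouncing-ball abbreviations in the style of Section 9 (not the page's own encoding):
B_HV = ("and", ("<=", 0, "h"), ("<=", "h", "H"))                  # B_{h,v}: 0 <= h and h <= H
SOLUTION_H = ("-", "H", ("*", ("/", "g", 2), ("*", "t", "t")))   # H - g/2 t^2


def apply_assignment_axiom(x, theta, phi):
    """[x := theta]phi  <->  phi(theta): the reduction that axiom [:=] performs."""
    return subst(phi, x, theta)


def capture_refused(x, theta, phi):
    """True iff [:=] is not applicable to [x := theta]phi in this syntactic form."""
    try:
        subst(phi, x, theta)
        return False
    except Inadmissible:
        return True
```

Applying `apply_assignment_axiom("h", SOLUTION_H, ("imp", ("=", "h", 0), B_HV))` produces the formula that the bouncing-ball proof in Section 9 reaches after the two [:=] steps, with every `h` replaced by the solution term; `capture_refused("x", ("+", "y", 1), ("forall", "y", (">=", "x", "y")))` is `True`, because the quantifier binds a variable of the substituted term, and the axiom is not applicable in that form.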

5 Dynamic Axioms for Differential Equations


Recall from Lecture 4 that
(x = & H) = {((0), (r)) : (t) |= x = and (t) |= H for all 0 t r
for a solution : [0, r] S of any duration r}

[Figure: transition structure of (x = ), summarized as the discrete assignment (x := yx (t))]
One possible approach of proving properties of differential equations is to work with
a solution if one is available (and expressible in the logic).
Lemma 4 ([ ] soundness). The solution axiom is sound:
([ ]) [x = ] t0 [x := y(t)]   where y (t) =
In axiom [ ], y() is the solution of the symbolic initial-value problem y (t) = , y(0) = x.
Solution y() is unique since is smooth (Lecture 2). Given such a solution y(), continuous evolution along differential equation x = can be replaced by a discrete assignment x := y(t) with an additional quantifier for the evolution time t. It goes without
saying that variables like t are fresh in [ ] and other axioms and proof rules. Notice that
conventional initial-value problems are numerical with concrete numbers x Rn as initial values, not symbols x [Wal98]. This would not be enough for our purpose, because
we need to consider all states in which the system could start, which may be uncountably many. That is why axiom [ ] solves one symbolic initial-value problem, instead,
because we could hardly solve uncountably many numerical initial-value problems.
What we have so far about the dynamics of differential equations does not yet help
us prove properties of differential equations with evolution domain constraints (a.k.a.
continuous programs) x = & H. It also does not yet tell us what to do if we cannot
solve the differential equation or if the solution is too complicated. We will get to that
matter in a much later lecture.

6 Dynamic Axioms for Tests


Recall from Lecture 4 that
(?H) = {(, ) : |= H}
[Figure: transition structure of (?H): a transition to the same state if |= H, no transition if ⊭ H]

Lemma 5 ([?] soundness). The test axiom is sound:


([?]) [?H] (H )
Tests in [?H] are proven by assuming that the test succeeds with an implication in
axiom [?], because test ?H can only make a transition when condition H actually holds
true. In states where test H fails, no transition is possible and the failed attempt to
run the system is discarded. If no transition exists, there is nothing to show for []
formulas, because their semantics requires to hold in all states reachable by running
, which is vacuously true if no states are reachable. From left to right, axiom [?] for dL
formula [?H] assumes that formula H holds true (otherwise there is no transition and
thus nothing to show) and shows that holds after the resulting no-op. The converse
implication from right to left is by case distinction. Either H is false, then ?H cannot
make a transition and there is nothing to show. Or H is true, but then also is true.

7 Dynamic Axioms for Sequential Compositions


For sequential compositions ; , Lecture 4 proposed the use of an intermediate condition E characterizing the intermediate states between and by way of the following
proof rule:
Note 10 (Intermediate conditions as contracts for sequential compositions: proof-rule
style). Intermediate condition contracts for sequential compositions are captured more
concisely in the following proof rule:
(R7)
A []E E []B
A [; ]B
This proof rule is useful, but it has one blatant annoyance compared to R1, let alone
the simplicity and elegance of []. When using proof rule R7 from the desired conclusion to the premises, it does not say how to choose the intermediate condition E. Using
R7 successfully requires us to find the right intermediate condition E, for if we don't,
the proof won't succeed, as we have seen in Lecture 4. That is a bit much if we have to
invent a useful intermediate condition E for every single sequential composition.

Fortunately, there is a much better way that we also identify by investigating the
dynamical system resulting from ; and its induced Kripke structure. Recall from
Lecture 4 that
(; ) = () () = {(, ) : (, ) (), (, ) ()}

(10)

[Figure: transition structure of (; ), composed from () followed by (), with [][] and [] annotating the corresponding states]

By its semantics, the dL formula [; ] is true in a state iff is true in all states that
; can reach according to (; ) from , i.e. all those states for which (, ) (; ).
Which states are those? And how do they relate to the states reachable by or by ?
They do not relate to those in a way that is as direct as for axiom []. But they still relate,
and they do so by way of (10).
Postcondition has to be true in all states reachable by ; from for [; ] to be
true at . By (10), those are exactly the states to which we can get by running from
an intermediate state to which we have gotten from by running . Thus, for [; ]
to be true at it is necessary that holds in all states to which we can get by running
from an intermediate state to which we can get by running from . Consequently,
[; ] is only true at if [] holds in all those intermediate states to which we can
get from by running . How do we characterize those states? And how can we then
express these thoughts in a single logical formula of dL?
Before you read on, see if you can find the answer for yourself.

If we want to express that [] holds in all states to which we can get to from by
running , then that is exactly what truth of dL formula [][] at means, because this
is the semantics of the modality [].
Consequently,
|= [][] [; ]
Reexamining our argument backwards, we see that the converse implication also holds
|= [; ] [][]
The same argument works for all , so both implications are even valid.
Lemma 6 ([;] soundness). The composition axiom is sound:
([;]) [; ] [][]
Proof. Since (; ) = () (), we have that (, ) (; ) iff (, ) () and
(, ) () for some intermediate state . Hence, |= [; ] iff |= [] for all
with (, ) (). That is |= [; ] iff |= [][].
Sequential compositions are proven using nested modalities in axiom [;]. From right to
left: If, after all -runs, it is the case that all -runs lead to states satisfying (i.e., [][]
holds), then all runs of the sequential composition ; lead to states satisfying (i.e.,
[; ] holds). The converse implication uses the fact that if after all -runs all -runs
lead to (i.e., [][]), then all runs of ; lead to (that is, [; ]), because the runs of
; are exactly those that first do any -run, followed by any -run. Again, it is crucial
that dL is a full logic that considers reachability statements as modal operators, which
can be nested, for then both sides in [;] are dL formulas.
Axiom [;] directly explains sequential composition ; in terms of a structurally simpler formula, one with nested modal operators but simpler hybrid programs. Again,
using axiom [;] by reducing occurrences of its left-hand side to its right-hand side decomposes the formula into structurally simpler pieces, thereby making progress. One
of the many ways of using axiom [;] is, therefore, captured in the following proof rule:
(R9)
A [][]B
A [; ]B

Comparing rule R9 to rule R7, the new rule R9 is much easier to apply, because it does
not require us to first provide an intermediate condition E like R7 would. It also does
not branch into two premises, which helps keeping the proof lean. Is there a way of
reuniting R9 with R7 by using the expressive power of dL?
Before you read on, see if you can find the answer for yourself.

Yes, indeed, there is a very smart choice for the intermediate condition E that makes
R7 behave almost as the more efficient R9 would. The clever choice E ≝ []B:
A [][]B []B []B
A [; ]B
which trivializes the right premise and makes the left premise identical to that of R9.

8 Unwinding Axioms for Loops


Recall from Lecture 4 that
( ) = ⋃_{n ∈ N} (n ) with n+1 n ; and 0 ?true
[Figure: transition structure of ( ), unwound into () steps, with [ ] and [][ ] annotating the corresponding states]
Lemma 7 ([ ] soundness). The iteration axiom is sound:
([ ]) [ ] [][ ]
Axiom [ ] is the iteration axiom, which partially unwinds loops. It uses the fact that
always holds after repeating (i.e., [ ]), if holds at the beginning (for holds
after zero repetitions then), and if, after one run of , holds after every number of
repetitions of , including zero repetitions (i.e., [][ ]). So axiom [ ] expresses that
[ ] holds iff holds immediately and after one or more repetitions of . The same
axiom [ ] can be used to unwind loops N N times, which corresponds to Bounded
Model Checking [CBRZ01]. If the formula is not valid, a bug has been found, otherwise
N increases. An obvious issue with this simple approach is that we can never stop
increasing N if the formula is actually valid, because we can never find a bug then. A
later lecture will discuss proof techniques for repetitions based on invariants that are
not subject to this issue. In particular, axiom [ ] is characteristically different from the
other axioms discussed in this lecture. Unlike the other axioms, [ ] does not exactly
get rid of the formula on the left-hand side. It just puts it in a different syntactic place,
which does not sound like much progress.²

² With a much more subtle and tricky analysis, it is possible to prove that [ ] still makes progress [Pla13].
But this is out of scope for our course.
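The soundness arguments of Sections 3, 6, 7 and 8 all reason about the transition relations of choice, test, sequential composition and repetition. The following Python checker is an added example, not code from the lecture notes: it computes those relations over a constructed four-state discrete model (differential equations are left out, since they are not relations over a finite set), evaluates the box modality semantically, and confirms the axioms [], [?], [;] and [ ] for every one of the 2^4 postconditions. It also implements the bounded unwinding of loops from Section 8: searching for the smallest number of unwindings at which a bug appears, which finds bugs but can never conclude validity, whereas the reflexive-transitive closure over the finite model can. All state numbers, relations and the evenness test are constructed for the demonstration.

```python
from itertools import combinations


def compose(r1, r2):
    """Relational composition: first a step of r1, then a step of r2."""
    return frozenset((s, u) for (s, t) in r1 for (t2, u) in r2 if t == t2)


def relation(prog, states):
    """Transition relation of a discrete program as a set of (pre, post) pairs."""
    kind = prog[0]
    if kind == "rel":            # atomic program given directly by its relation
        return frozenset(prog[1])
    if kind == "test":           # ?H: stay in place where H holds, no transition otherwise
        return frozenset((s, s) for s in states if prog[1](s))
    if kind == "choice":         # (a u b) = (a) u (b)
        return relation(prog[1], states) | relation(prog[2], states)
    if kind == "seq":            # (a ; b) = (a) composed with (b)
        return compose(relation(prog[1], states), relation(prog[2], states))
    if kind == "loop":           # (a*) = union over n of (a^n): reflexive-transitive closure
        step = relation(prog[1], states)
        closure = frozenset((s, s) for s in states)       # a^0 = ?true
        while True:
            bigger = closure | compose(closure, step)
            if bigger == closure:
                return closure
            closure = bigger
    raise ValueError(kind)


def box(prog, phi, states):
    """States where [prog]phi holds: every successor lies in phi (vacuously true if none)."""
    rel = relation(prog, states)
    return frozenset(s for s in states if all(t in phi for (s2, t) in rel if s2 == s))


def axioms_hold(a, b, H, states):
    """Check [u], [;], [?] and [*] semantically for all 2^|states| postconditions phi."""
    loop = ("loop", a)
    for k in range(len(states) + 1):
        for subset in combinations(states, k):
            phi = frozenset(subset)
            if box(("choice", a, b), phi, states) != box(a, phi, states) & box(b, phi, states):
                return False
            if box(("seq", a, b), phi, states) != box(a, box(b, phi, states), states):
                return False
            if box(("test", H), phi, states) != frozenset(s for s in states if not H(s) or s in phi):
                return False
            if box(loop, phi, states) != phi & box(a, box(loop, phi, states), states):
                return False
    return True


def unwind(a, n):
    """a^n as a program: a^0 = ?true and a^(n+1) = a^n ; a."""
    prog = ("test", lambda s: True)
    for _ in range(n):
        prog = ("seq", prog, a)
    return prog


def first_failing_depth(a, phi, init, states, max_n):
    """Bounded unwinding: smallest n <= max_n with init not in [a^n]phi, which also
    refutes [a*]phi at init; None if no bug shows up within the bound."""
    for n in range(max_n + 1):
        if init not in box(unwind(a, n), phi, states):
            return n
    return None


# Constructed sample model: four states, a counter that saturates at 3, a toggle, and an evenness test.
STATES = (0, 1, 2, 3)
A = ("rel", {(0, 1), (1, 2), (2, 3), (3, 3)})
B = ("rel", {(0, 3), (3, 0), (1, 1)})


def EVEN(s):
    return s % 2 == 0
```

With the postcondition "state is at most 2", `first_failing_depth(A, frozenset({0, 1, 2}), 0, STATES, 10)` reports the bug at depth 3, and `box(("loop", A), frozenset({0, 1, 2}), STATES)` is empty, since every state eventually reaches 3. With the postcondition that holds everywhere, bounded unwinding returns `None` for every bound and cannot conclude anything, which is the limitation the text points out; over this finite model, `box` with the closure does conclude that the loop property holds in all states.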

9 A Proof of a Bouncing Ball


Now that we have understood so many axioms and proof rules, let us use them to prove
the (single-hop) bouncing ball (1):
0 h h = H v = 0 g > 0 1 > c 0
h = v, v = g & h 0; (?h = 0; v := cv ?h ≠ 0) (0 h h H)   (1)
Before proceeding, let's modify the hybrid program subtly in two ways so that there are
no more evolution domains, because we have not yet understood how to prove differential equations with evolution domains:
0 h h = H v = 0 g > 0 1 > c 0
h = v, v = g; (?h = 0; v := cv ?h 0) (0 h h H)   (11)
To fit things on the page easily, abbreviate
Ah,v ≝ 0 h h = H v = 0 g > 0 1 > c 0
Bh,v ≝ 0 h h H
(h = g) ≝ (h = v, v = g)
With these abbreviations, (11) is
Ah,v [h = g; (?h = 0; v := cv ?h 0)]Bh,v
Let there be proof (read from the premise at the top to the conclusion at the bottom; each axiom label justifies the step between the formula above it and the formula below it):
Ah,v t0 (H g/2 t² = 0 BH g/2 t²,c(gt)) (H g/2 t² 0 BH g/2 t²,gt)
[:=]
Ah,v t0 [h := H g/2 t²] (h = 0 Bh,c(gt)) (h 0 Bh,gt)
[:=]
Ah,v t0 [h := H g/2 t²][v := gt] (h = 0 Bh,cv) (h 0 Bh,v)
[;]
Ah,v t0 [h := H g/2 t²; v := gt] (h = 0 Bh,cv) (h 0 Bh,v)
[ ]
Ah,v [h = g] (h = 0 Bh,cv) (h 0 Bh,v)
[:=]
Ah,v [h = g] (h = 0 [v := cv]Bh,v) (h 0 Bh,v)
[?],[?]
Ah,v [h = g] [?h = 0][v := cv]Bh,v [?h 0]Bh,v
[;]
Ah,v [h = g] [?h = 0; v := cv]Bh,v [?h 0]Bh,v
[]
Ah,v [h = g][?h = 0; v := cv ?h 0]Bh,v
[;]
Ah,v [h = g; (?h = 0; v := cv ?h 0)]Bh,v

Since each of the steps in this proof are justified by using one of the dL axioms, the
conclusion at the very bottom of this derivation is proved if the premise at the very top
can be proved. That premise
Ah,v t0 (H g/2 t² = 0 BH g/2 t²,c(gt)) (H g/2 t² 0 BH g/2 t²,gt)

expands out to the following formula of first-order real arithmetic by expanding the
abbreviations
0 h h = H v = 0 g > 0 1 > c 0
t0 (H g/2 t² = 0 0 H g/2 t² H g/2 t² H)
(H g/2 t² 0 0 H g/2 t² H g/2 t² H)
In this case, this remaining premise can be easily seen to be valid. The first assumption
H g/2 t² = 0 . . . in the middle line directly implies the first conjunct of its right-hand
side
0 H g/2 t² H g/2 t² H
and reduces the second conjunct to 0 H, which the assumption in the first line assumed (0 h = H). Similarly, the first assumption H g/2 t² 0 of the last line implies
the first conjunct of its right-hand side
0 H g/2 t² H g/2 t² H
and the second conjunct holds by assumption g > 0 from the first line and the real
arithmetic fact that t² 0.
How first-order logic and first-order real arithmetic formulas such as this one can be
proved in general, however, is an interesting topic for a later lecture. For now, we are
happy to report that we have just formally verified our very first CPS. Exciting! We
have found a proof of (11).
Okay, admittedly, the CPS we just verified was only a bouncing ball. And all we
know about it now is that it won't fall through the cracks in the ground nor jump high
up to the moon. But most big steps for mankind start with a small step by someone.
Yet, before we get too carried away, we first need to remember that (11) is just a
single-hop bouncing ball. So there's still an argument to be made about what happens
if the bouncing ball repeats. And a rather crucial argument too, because bouncing balls
let loose in the air tend not to jump any higher without hitting the ground first, which
is where the model (11) stops prematurely, because it is missing a repetition. So let's
put worrying about loops on the agenda for an upcoming lecture.
Yet, there's one more issue with the proof for the bouncing ball that we derived. It
works in a somewhat undisciplined, chaotic way, by using dL axioms all over the place.
This liberal proof style can be useful for manual proofs and creative shortcuts, and
since the dL axioms are sound, even such a liberal proof is a proof. But liberal proofs
are also somewhat unfocused and non-systematic, which makes them unsuitable for
automation purposes and also tends to get people lost when the problems at hand are more
complex than the single-hop bouncing ball. That is the reason why we will investigate
more focused, more systematic, and more algorithmic proofs next.

10 Summary
The differential dynamic logic axioms that we have seen in this lecture are summarized
in Fig. 2. There are further axioms and proof rules of differential dynamic logic that
later lectures will examine [Pla12c, Pla12a].
Note 13. The following axioms of dL are sound:
[:=] [x := ](x) ()
[?] [?H] (H )
[ ] [x = ] t0 [x := y(t)]   (y (t) = )
[] [ ] [] []
[;] [; ] [][]
[ ] [ ] [][ ]

Figure 2: Summary of differential dynamic logic axioms from this lecture

Exercises
Exercise 1. Explain why the subtle transformation from (1) to (11) was okay in this case.
Exercise 2. Identify which of the assumptions of (11) are actually required for the proof
of (11). Which formulas could we have dropped from 0 h h = H v = 0 g > 0 1 > c 0
and still be able to prove
0 h h = H v = 0 g > 0 1 > c 0 [h = g; (?h = 0; v := cv ?h 0)] 0 h h H
Exercise 3. Develop an axiom for differential equations with evolution domains in a
style that is similar to [ ]. That is, develop an axiom for [x = & H]. As in [ ], you can
assume to have a unique solution for the corresponding symbolic initial-value problem.
Exercise 4. All axioms need to be proved to be sound. These lecture notes only did
a proper proof for [;]. Turn the informal arguments for the other axioms into proper
soundness proofs using the semantics of dL formulas.
Exercise 5. Would the following be a useful replacement for the [ ] axiom?
[ ] [ ]

References
[CBRZ01] Edmund M. Clarke, Armin Biere, Richard Raimi, and Yunshan Zhu. Bounded model checking using satisfiability solving. Form. Methods Syst. Des., 19(1):7–34, 2001.
[DBL12] Proceedings of the 27th Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2012, Dubrovnik, Croatia, June 25–28, 2012. IEEE, 2012.
[Hoa69] Charles Antony Richard Hoare. An axiomatic basis for computer programming. Commun. ACM, 12(10):576–580, 1969.
[PC08] André Platzer and Edmund M. Clarke. Computing differential invariants of hybrid systems as fixedpoints. In Aarti Gupta and Sharad Malik, editors, CAV, volume 5123 of LNCS, pages 176–189. Springer, 2008. doi:10.1007/978-3-540-70545-1_17.
[PC09] André Platzer and Edmund M. Clarke. Computing differential invariants of hybrid systems as fixedpoints. Form. Methods Syst. Des., 35(1):98–120, 2009. Special issue for selected papers from CAV'08. doi:10.1007/s10703-009-0079-8.
[Pla08] André Platzer. Differential dynamic logic for hybrid systems. J. Autom. Reas., 41(2):143–189, 2008. doi:10.1007/s10817-008-9103-8.
[Pla10] André Platzer. Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics. Springer, Heidelberg, 2010. doi:10.1007/978-3-642-14509-4.
[Pla12a] André Platzer. The complete proof theory of hybrid systems. In LICS [DBL12], pages 541–550. doi:10.1109/LICS.2012.64.
[Pla12b] André Platzer. Dynamic logics of dynamical systems. CoRR, abs/1205.4788, 2012. arXiv:1205.4788.
[Pla12c] André Platzer. Logics of dynamical systems. In LICS [DBL12], pages 13–24. doi:10.1109/LICS.2012.13.
[Pla13] André Platzer. A complete axiomatization of differential game logic for hybrid games. Technical Report CMU-CS-13-100R, School of Computer Science, Carnegie Mellon University, Pittsburgh, PA, January, revised and extended in July 2013.
[SKSC98] Danbing Seto, Bruce Krogh, Lui Sha, and Alongkrit Chutinan. The Simplex architecture for safe online control system upgrades. In ACC, volume 6, pages 3504–3508, 1998.
[Wal98] Wolfgang Walter. Ordinary Differential Equations. Springer, 1998.

15-424: Foundations of Cyber-Physical Systems

Lecture Notes on
Truth & Proof¹
André Platzer
Carnegie Mellon University
Lecture 6

1 Introduction

Lecture 5 investigated dynamic axioms for dynamical systems, i.e. axioms in differential dynamic logic (dL) that characterize operators of the dynamical systems that dL
describes by hybrid programs in terms of structurally simpler dL formulas. That lecture
did not show all important axioms yet, but still showed enough to prove a property of
a bouncing ball. Yet, there's more to proofs than just axioms. Proofs also have proof
rules for combining fragments of arguments into a bigger proof by proof steps.
Recall that our proof about the (single-hop) bouncing ball still suffered from at least
two issues. It was a sound proof and an interesting proof. But the way we had come up
with the proof was somewhat undisciplined, because we just applied axioms seemingly
at random at all kinds of places all over the logical formulas. After we see such a
proof, that is not a concern. But better structuring would help us find proofs more
constructively. The second issue was that the axioms for the dynamics that Lecture 5
showed us did not actually help in proving the propositional logic and arithmetic parts.
The lecture today addresses both issues by imposing more structure on proofs and,
as part of that, handling the operators of first-order logic that differential dynamic logic
inherits (propositional connectives such as , , and quantifiers , ). As part of the
structuring, we will make ample and crucial use of the dynamic axioms from Lecture
5. Yet, they will be used in a more structured way than so far.
These notes are based on [Pla08, Pla10, Chapter 2.5.2], where more information can
be found in addition to more information in [Pla10, Appendix A]. Sequent calculus is

¹ By both sheer coincidence and by higher reason, the title of this lecture turns out to be closely related to
the subtitle of a well-known book on mathematical logic [And02], which summarizes the philosophy
we pursue here in a way that is impossible to improve upon any further: To truth through proof.

15-424 L ECTURE N OTES

September 16, 2013

A NDR E P LATZER

L6.2

Truth & Proof

discussed in more detail also in the handbook of proof theory [Bus98]. More resources
and background material on first-order logic are also listed on the course web page.

2 Truth and Proof


Truth is defined by the semantics of logical formulas. The semantics gives a mathematical meaning to formulas that, in theory, could be used to establish truth of a logical
formula. In practice, this is usually less feasible, for one thing, because quantifiers of
differential dynamic logic quantify over real numbers (after all their variables may represent real quantities like velocities and positions). Yet, there are infinitely many of
those, so determining the truth value of a universally quantified logical formula directly by working with its semantics is challenging since that'd require instantiating it
with infinitely many real numbers. The same matter is even more difficult for the hybrid dynamics involved in modalities of differential dynamic logic formulas, because
hybrid systems have so many possible behaviors.
Yet, we are still interested in establishing whether a logical formula is true. Or, actually, whether the formula is valid, since truth of a logical formula depends on the state
(cf. definition of |= in Lecture 4) whereas validity of a logical formula is independent of the state (cf. definition of  ), because validity means truth in all states.
The validity of logical formulas can be established by other means, namely by producing a proof of that formula. Like the formula itself, but unlike its semantics, a proof
is a syntactical object that is amenable, e.g., to representation and manipulation in a
computer. This finite syntactical argument represented in a proof witnesses validity
of a logical formula. Proofs can be produced in a machine. They can be stored to be
recalled as witnesses and evidence for the validity of their conclusion. And they can
be checked by humans or machines for correctness. They can also be inspected for analytic insights about the reasons for the validity of a formula, which goes beyond the
factual statement of validity. A proof justifies the judgment that a logical formula is
valid, which, without such a proof as evidence, is no more than an empty claim.
Truth and proof should be related intimately, because we would only want to accept
proofs that imply truth, i.e. proofs that imply their consequences to be valid if their
premises are. That is, proof systems should be sound to be reliable. The converse
question is that of completeness, whether all true formulas (again in the sense of valid)
can be proved, which turns out to be much more subtle.

3 Sequents
Sequent calculus was originally developed by Gerhard Gentzen [Gen35] for studying
properties of natural deduction calculi. Sequent calculus has been used very successfully for numerous other purposes since.
Sequents are essentially a standard form for logical formulas that is convenient for
proving purposes.

Note 1. A sequent is of the form , where the antecedent and succedent are
finite sets of formulas. The semantics of a sequent is that of the implication whose left-hand side is the conjunction (⋀) of all formulas in the antecedent and whose right-hand side is the disjunction (⋁) of all formulas in the succedent.
For quantifier elimination rules, we will later make use of this fact by considering sequent as an abbreviation for the latter formula. Empty conjunctions are equivalent to true. Empty disjunctions are equivalent to false. Hence, the sequent A means
the same as the formula A. The empty sequent means the same as the formula false.
The antecedent can be thought of as the formulas we assume to be true, whereas
the succedent can be understood as formulas for which we want to show that at
least one of them is true assuming all formulas of are true. So for proving a sequent
, we assume all and want to show that one of the is true. For some simple
sequents like , , , we directly know that they are valid, because we can certainly
show if we assume (in fact, we will use this as an axiom). For other sequents, it is
more difficult to see whether they are valid (true under all circumstances) and it is the
purpose of a proof calculus to provide a means to find out.
The antecedent and succedent of a sequent are considered as sets. So the order of
formulas is irrelevant, so we implicitly adopt what is called the exchange rule and do
not distinguish between the following two sequents
, A, B    and    , B, A
nor do we distinguish between
C, D,    and    D, C,
Antecedent and succedent are considered as sets, not multisets, so we implicitly adopt
what is called the contraction rule and do not distinguish between the following two
sequents
, A, A    and    , A
nor do we distinguish between
C, C,    and    C,

The only structural rule of sequent calculus that we will find reason to use explicitly
in practice is the weakening proof rule (alias hiding proof rule) that can be used to remove
or hide formulas from the antecedent (Wl) or succedent (Wr), respectively:

(Wr)
,

(Wl)
,
Weakening rules are sound, since it is fine in structural logics to prove a sequent with
more formulas in the antecedent or succedent by a proof that uses only some of those
formulas. This is different in substructural logics such as linear logic.

[Figure 1: the propositional sequent rules l and r for each connective, the axiom rule ax, and the cut rule; the rule table did not survive extraction and is described rule by rule in Section 4]

Figure 1: Propositional proof rules of sequent calculus

4 Propositional Proof Rules


For propositional logic, the standard propositional rules, together with the cut rule, are listed
in Fig. 1. They decompose the propositional structure of formulas. Rules r and l use
simple dualities caused by the implicative semantics of sequents. Essentially, instead
of showing in the succedent, we assume the contrary in the antecedent with rule
r. In rule l, instead of assuming in the antecedent, we show the contrary in the
succedent. Rule r uses the fact that formulas are combined disjunctively in succedents,
rule l that they are conjunctive in antecedents. The comma between formulas in an
antecedent has the same effect as a conjunction, and the comma between formulas in
the succedent has the same effect as a disjunction. Rules l and r split the proof into
two cases, because conjuncts in the succedent can be proven separately (r) and, dually,
disjuncts of the antecedent can be assumed separately (l). For r we want to show
conjunction , so in the left branch we proceed to show , and, in addition,
in the right branch we show , , which, together, entail , . If, as in rule
l, we assume disjunction as part of the antecedent, then we do not know if we
can assume to hold or if we can assume to hold in the antecedent, but know only
that one of them holds. Hence, as in a case distinction, l considers both cases, the
case where we assume in the antecedent, and the case where we assume . If both
subgoals can be proven, this entails , . Rules r and l can be derived from
the equivalence of and . Rule r uses the fact that implication has the
same meaning as the sequent arrow of a sequent. Intuitively, to show implication
, rule r assumes (in the antecedent) and shows (in the succedent). Rule l
assumes an implication to hold in the antecedent, but we do not know if this
implication holds because is false, or because is true, so l splits into those two
branches.
The axiom rule ax closes a goal (there are no further subgoals, which we sometimes
mark explicitly), because assumption in the antecedent trivially entails in the
succedent (sequent , , is a simple syntactic tautology).
Rule cut is the cut rule that can be used for case distinctions: The right subgoal assumes any additional formula in the antecedent that the left subgoal shows in the

succedent. Dually: regardless of whether is actually true or false, both cases are covered by proof branches. We only use cuts in an orderly fashion to derive simple rule
dualities and to simplify meta-proofs. In theory, cuts are not needed for practical applications. But in practice, complex applications make use of cuts for efficiency
reasons. Cuts can be used, for example, to simplify arithmetic.
Even though we write sequent rules as if the principal formula (like in r,l)
were at the end of the antecedent or at the beginning of the succedent, respectively, the
sequent proof rules can be applied to other formulas in the antecedent or succedent,
respectively, because we consider their order to be irrelevant.

5 Proofs
The dL calculus has further proof rules. But before investigating those, let us first understand already what a proof is and what it means to prove a logical formula. The
same notion of proof and provability works for propositional logic as it does for differential dynamic logic, except that the latter has more proof rules.²
A formula is provable or derivable (in the dL calculus) if we can find a dL proof
for it that starts with axioms (rule ax) at the leaves and ends with a sequent at the
bottom and that has only used dL proof rules in between. While constructing proofs,
however, we would start with the desired goal at the bottom and work our way
backwards to the subgoals until they can be proven to be valid as axioms (ax). Once all
subgoals have been proven to be valid axioms, they entail their consequences, which,
recursively, entail the original goal . This property of preserving truth or preserving
entailment is called soundness. Thus, while constructing proofs, we work bottom-up from the goal. When we have found a proof, we justify formulas from the axioms top-down to the original goal.
We write dL iff dL formula can be proved with dL rules from dL axioms. That
is, a dL formula is inductively defined to be provable in the dL sequent calculus if it is
the conclusion (below the rule bar) of an instance of one of the dL sequent proof rules,
whose premises (above the rule bar) are all provable. A formula is provable from a
set of formulas, denoted by dL , iff there is a finite subset 0 for which the
sequent 0 is provable.
Example 1. A very simple (in fact propositional) proof of the formula
v 2 10 b > 0 b > 0 ((v 0) v 2 10) (1)
is shown in Fig. 2. The proof starts with the proof goal as a sequent at the bottom:
v 2 10 b > 0 b > 0 ((v 0) v 2 10).
and proceeds applying proof rules upwards.
The first (i.e., bottom-most) proof step applies proof rule r to turn the implication () to the sequent level by moving the assumption into the antecedent. The next
2 There is one subtlety with quantifier elimination that

ax

ax

v 2 10, b > 0 b > 0

l 2
v
r

10 b > 0 b > 0

v2

10, b > 0 (v 0), v 2 10

l 2
v

10 b > 0 (v 0), v 2 10

r 2
v

10 b > 0 (v 0) v 2 10

v 2 10 b > 0 b > 0 ((v 0) v 2 10)

v 2 10 b > 0 b > 0 ((v 0) v 2 10)


Figure 2: Simple propositional example proof

proof step applies rule r to split the proof into the left branch for showing that conjunct b > 0 follows from the assumptions in the antecedent and into the right branch
for showing that conjunct (v 0) v 2 10 follows from the antecedent also. On the
left branch, the proof closes with an axiom ax after splitting the conjunction on the
antecedent with rule l. We mark closed proof goals with , just to indicate that we did not just stop writing. The right branch closes with an axiom ax after splitting the
disjunction () in the succedent with rule r and then splitting the conjunction () in
the antecedent with rule l. Now that all branches of the proof have closed (with ax),
we know that all leaves at the top are valid, and, hence, since the premises are valid,
each application of a proof rule ensures that their respective conclusions are valid also.
By recursively following this derivation from the leaves at the top to the original root at
the bottom, we see that the original goal is valid and formula (1) is, indeed, true under
all circumstances (valid).
While this proof does not show anything particularly exciting, because it only uses
propositional rules, it shows how a proof can be built systematically in the dL calculus
and gives an intuition as to how validity is inherited from the premises to the conclusions.

6 Dynamic Proof Rules


Lecture 5 has shown axioms for dynamical systems that correspond to the operators
of hybrid programs in [] modalities of differential dynamic logic [Pla12]. These were
equivalence axioms which represent schemata of valid formulas such as
([]) [ ] [] []
How can such valid equivalences be used in the context of a sequent calculus? There is
more than one productive way to do that.
The dL axioms such as [] are primarily meant to be used for replacing the left-hand
side [ ] by the structurally simpler right-hand side [] [], because that direction of use assigns meaning to [ ] in logically simpler terms, i.e. as a structurally
simpler logical formula. The following two sequent proof rules allow replacements in
that direction for formulas in the antecedent ([]l) and succedent ([]r), respectively.

[] [],
[ ],
, [] []
([]l)
, [ ]
The sequent proof rules []r,[]l are more systematic in that they orient the use of
the axiom [] in the direction that makes formulas structurally simpler. Without such
direction, proofs could apply axiom [] from left to right and then from right to left and
from left to right again forever without making any progress. That does not happen
with []r,[]l, because they cannot simply go back.3 Furthermore, the sequent rules
[]r,[]l focus the application of axiom [] to the top level of sequents. That is, []r,[]l
can only be used for formulas of the succedent or antecedent, respectively, that are
of the form [ ], not to any subformulas within that happen to be of this form.
Abiding by both of those restrictions imposes more structure on the proof, compared to
the proof we produced in Lecture 5.
Reconsidering the contract-type rules from Lecture 4, we could have turned [] into
the following two sequent proof rules instead of into []r,[]l:
[], [],
(R14)
[ ],
, [], []
(R15)
, [ ]
These rules R14,R15 already split into separate subgoals (R14) or separate formulas
(R15), respectively. It would be fine to use sequent rules R14,R15 instead of []r,[]l,
and, in fact, earlier versions of KeYmaera did. The disadvantage of rules R14,R15 compared to []r,[]l is that rules R14,R15 have a less obvious relation to axiom [] and that
they are asymmetric (they both look surprisingly different). This nuisance is overcome
in []r,[]l, from which rules R14,R15 follow immediately with just one more application of rules r or l, respectively. Thus, []r,[]l are more elementary and more atomic
in that they isolate the proof-theoretical meaning of [ ], as opposed to already incorporating parts of the meaning of as well, which is what propositional rules r,l
are supposed to capture.
The other dL axioms from Lecture 5 translate into sequent calculus proof rules in the
same way. The dynamic modality rules transform a hybrid program into structurally
simpler logical formulas by symbolic decomposition.
For Fig. 3, we adopt a convention to simplify notation. Instead of rules []r,[]l, Fig. 3
shows a single symmetric rule [] that does not mention the sequent sign :
([]r)

[] []
[ ]
This is abbreviated notation to say that the same rule from a conclusion with a formula
[ ] in either antecedent or succedent can be proved from a premise with formula
3 Albeit, going back is still possible indirectly when using a reasonably creative cut. But that requires an intentional extra effort to do so.

[] [] in the antecedent or succedent, respectively. That is, we consider the symmetric rule [] as an abbreviation for the two rules []r,[]l. Fig. 3 lists a single symmetric rule [] but we pretend it had both rules []r,[]l. The same applies to the other
symmetric rules in Fig. 3, which each have a version of the rule for the antecedent and
a version of the rule for the succedent. The antecedent version of [;] is called [;]l, its
succedent version is called [;]r. The antecedent version of [ ] is called [ ]l, its succedent
version is called [ ]r and so on.
hihi
h; i
[][]
([;])
[; ]
hi hi
(hi)
h i
[] []
([])
[ ]
(h;i)

x
hih i
(h:=i)
h i
hx := i

[][ ]
x
([n ])
([:=])
[ ]
[x := ]

H
t0 (0tt hx := y(t)iH) hx := y(t)i 1

(h?i)
(h i)
h?Hi
hx = & Hi

t [x := y(t)]H) [x := y(t)]
H
t0
(0
t
1
([?])
([ ])
[?H]
[x = & H]

(hn i)

t and t are fresh logical variables and hx := y(t)i is the discrete assignment belonging to the solution y
of the differential equation with constant symbol x as symbolic initial value.

Figure 3: Dynamic proof rules of dL sequent calculus


Nondeterministic choices split into their alternatives (hi,[]). For rule []: If all
transitions lead to states satisfying (i.e., [] holds) and all transitions lead to states
satisfying (i.e., [] holds), then, all transitions of program that choose between
following and following also lead to states satisfying (i.e., [ ] holds). Dually
for rule hi, if there is an transition to a state (hi) or a -transition to a state
(hi), then, in either case, there is a transition of to (h i holds), because
can choose which of those transitions to follow. A general principle behind the
dL proof rules that is most noticeable in hi,[] is that these proof rules symbolically
decompose the reasoning into two separate parts and analyse the fragments and
separately, which is good for scalability. For these symbolic structural decompositions,
it is very helpful that dL is a full logic that is closed under all logical operators, including disjunction and conjunction, for then the premises in [],hi are dL formulas again
(unlike in Hoare logic [Hoa69]).
Sequential compositions are proven using nested modalities (h;i,[;]). For rule [;]: If
after all -transitions, all -transitions lead to states satisfying (i.e., [][] holds),
then also all transitions of the sequential composition ; lead to states satisfying
(i.e., [; ] holds). The dual rule h;i uses the fact that if there is an -transition, after
which there is a -transition leading to (i.e., hihi), then there is a transition of ;
leading to (that is, h; i), because the transitions of ; are just those that first do
any -transition, followed by any -transition.
Rules hn i,[n ] are the usual iteration rules, which partially unwind loops. Rule hn i

uses the fact that holds after repeating (i.e., h i), if holds at the beginning
(for holds after zero repetitions then), or if, after one execution of , holds after
any number of repetitions of , including zero repetitions (i.e., hih i). So rule hn i
expresses that for h i to hold, must hold either immediately or after one or more
repetitions of . Rule [n ] is the dual rule expressing that must hold after all of those
combinations for [ ] to hold.
Tests are proven by showing (with a conjunction in rule h?i) or assuming (with an
implication in rule [?]) that the test succeeds, because test ?H can only make a transition
when condition H actually holds true. Thus, for dL formula h?Hi, rule h?i is used
to prove that H holds true (otherwise there is no transition and thus the reachability
property is false) and that holds after the resulting no-op. Rule [?] for dL formula
[?H], in contrast, assumes that H holds true (otherwise there is no transition and thus
nothing to show) and shows that holds after the resulting no-op.
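The propositional rules of Sect. 4 and the discrete box rules just discussed ([∪], [;], [?], [:=]) can be exercised mechanically. The following Python prover is an added example, not code from the lecture notes or from KeYmaera. It assumes a tuple encoding of formulas and hybrid programs of its own, supports only choice, sequential composition, tests and assignments (no loops and no differential equations), and treats arithmetic atoms as opaque leaves that close only by ax. It re-proves formula (1) from Example 1 and the bounce controller's choice from the bouncing ball, and shows that a goal such as v ≥ 0 → [v := −cv] v ≥ 0 is returned as an open arithmetic leaf, which is exactly what would be handed to QE in Sect. 8.

```python
"""Added example (not the notes' or KeYmaera's code): a bottom-up sequent
prover for the propositional rules and the discrete box rules of Fig. 3.
Loops and ODEs are out of scope; arithmetic atoms are opaque leaves that
close only by ax, so every open leaf returned is an arithmetic goal.
The tuple syntax below is an assumption of this example."""

# Formulas
def Cmp(op, lhs, rhs): return ('cmp', op, lhs, rhs)   # atomic  lhs op rhs
def Not(p):            return ('not', p)
def And(p, q):         return ('and', p, q)
def Or(p, q):          return ('or', p, q)
def Imp(p, q):         return ('imp', p, q)
def Box(prog, p):      return ('box', prog, p)        # [prog]p

# Hybrid programs, discrete fragment only
def Assign(x, e):      return ('assign', x, e)        # x := e
def Test(h):           return ('test', h)             # ?h
def Choice(a, b):      return ('choice', a, b)        # a U b
def Seq(a, b):         return ('seq', a, b)           # a ; b

def subst_term(t, x, e):
    """Replace variable x by term e in term t (number, variable or (op, args...))."""
    if t == x:
        return e
    if isinstance(t, tuple):
        return (t[0],) + tuple(subst_term(s, x, e) for s in t[1:])
    return t

def binds(prog, x):
    """Does prog assign to x anywhere?  Then x would be rebound inside prog."""
    if prog[0] == 'assign':
        return prog[1] == x
    if prog[0] == 'test':
        return False
    return binds(prog[1], x) or binds(prog[2], x)

def subst(f, x, e):
    """The [:=] rule: [x:=e]f becomes f with x replaced by e.  This example
    refuses the case where a nested program rebinds x, which a real prover
    resolves with admissibility side conditions."""
    tag = f[0]
    if tag == 'cmp':
        return ('cmp', f[1], subst_term(f[2], x, e), subst_term(f[3], x, e))
    if tag == 'not':
        return ('not', subst(f[1], x, e))
    if tag in ('and', 'or', 'imp'):
        return (tag, subst(f[1], x, e), subst(f[2], x, e))
    if binds(f[1], x):                                  # tag == 'box'
        raise NotImplementedError("variable rebound under a modality: " + x)
    return ('box', subst_prog(f[1], x, e), subst(f[2], x, e))

def subst_prog(prog, x, e):
    if prog[0] == 'assign':
        return ('assign', prog[1], subst_term(prog[2], x, e))
    if prog[0] == 'test':
        return ('test', subst(prog[1], x, e))
    return (prog[0], subst_prog(prog[1], x, e), subst_prog(prog[2], x, e))

def box_step(f):
    """One application of the symmetric rules of Fig. 3 to [prog]p, or None."""
    prog, p = f[1], f[2]
    if prog[0] == 'choice': return And(Box(prog[1], p), Box(prog[2], p))
    if prog[0] == 'seq':    return Box(prog[1], Box(prog[2], p))
    if prog[0] == 'test':   return Imp(prog[1], p)
    if prog[0] == 'assign': return subst(p, prog[1], prog[2])
    return None                                         # loop or ODE: no rule here

def prove(ante, succ):
    """Work bottom-up from the goal  ante |- succ.  Returns the list of open
    leaves (sequents no rule applies to); [] means every branch closed by ax."""
    ante, succ = list(ante), list(succ)
    if any(f in succ for f in ante):                    # ax
        return []
    for i, f in enumerate(ante):                        # left rules
        rest, tag = ante[:i] + ante[i + 1:], f[0]
        if tag == 'not': return prove(rest, succ + [f[1]])
        if tag == 'and': return prove(rest + [f[1], f[2]], succ)
        if tag == 'or':  return prove(rest + [f[1]], succ) + prove(rest + [f[2]], succ)
        if tag == 'imp': return prove(rest, succ + [f[1]]) + prove(rest + [f[2]], succ)
        if tag == 'box' and box_step(f) is not None:
            return prove(rest + [box_step(f)], succ)
    for i, f in enumerate(succ):                        # right rules
        rest, tag = succ[:i] + succ[i + 1:], f[0]
        if tag == 'not': return prove(ante + [f[1]], rest)
        if tag == 'and': return prove(ante, rest + [f[1]]) + prove(ante, rest + [f[2]])
        if tag == 'or':  return prove(ante, rest + [f[1], f[2]])
        if tag == 'imp': return prove(ante + [f[1]], rest + [f[2]])
        if tag == 'box' and box_step(f) is not None:
            return prove(ante, rest + [box_step(f)])
    return [(tuple(ante), tuple(succ))]                 # open arithmetic goal

# Formula (1) of Example 1:  v^2 <= 10 & b > 0  ->  b > 0 & (v >= 0 | v^2 <= 10)
V2 = ('*', 'v', 'v')
EXAMPLE_1 = Imp(And(Cmp('<=', V2, 10), Cmp('>', 'b', 0)),
                And(Cmp('>', 'b', 0), Or(Cmp('>=', 'v', 0), Cmp('<=', V2, 10))))

# Bounce controller of the ball, without physics: (?h = 0; v := -c*v) U ?h != 0
BOUNCE = Choice(Seq(Test(Cmp('=', 'h', 0)), Assign('v', ('-', ('*', 'c', 'v')))),
                Test(Cmp('!=', 'h', 0)))
SAFE = Cmp('>=', 'h', 0)

def controller_keeps_height():
    return prove([SAFE], [Box(BOUNCE, SAFE)])           # [] : closes purely by ax

def bounce_keeps_velocity_sign():
    """v >= 0 -> [v := -c*v] v >= 0 is not closed by ax: the single open leaf
    is the arithmetic goal  v >= 0 |- -(c*v) >= 0, a job for QE."""
    return prove([Cmp('>=', 'v', 0)],
                 [Box(Assign('v', ('-', ('*', 'c', 'v'))), Cmp('>=', 'v', 0))])
```

Calling `prove([], [EXAMPLE_1])` reproduces the proof of Fig. 2: →r moves the assumption left, ∧l splits it, ∧r opens two branches, and both close by ax (the right one after ∨r). Because every rule is applied to a top-level formula of the sequent and always makes it structurally smaller, the search terminates, which is the point made above about []r,[]l orienting the axiom.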
Given first-order definable flows for their differential equations, proof rules h i,[ ]
handle continuous evolutions. These flows are combined in the discrete jump set x := y(t).
Given a solution x := y(t) for the differential equation system with symbolic initial values x1 , . . . , xn , continuous evolution along differential equations can be replaced by a
discrete jump hx := y(t)i with an additional quantifier for the evolution time t. The
effect of the constraint on H is to restrict the continuous evolution such that its solution x := y(t) remains in the evolution domain H at all intermediate times t t. This
constraint simplifies to true if the evolution domain restriction H is true, which makes
sense, because there are no special constraints on the evolution (other than the differential equations) if the evolution domain region is described by true, hence the full space
Rn . A notable special case of rules [ ] and h i is when the evolution domain H is true:
[x1 = 1 , . . , xn = n ] t0 hx := y(t)i
hx1 = 1 , . . , xn = n i t0 hx := y(t)i (2)

7 Quantifier Proof Rules


(), x (x), 1
x (x),
, (), x (x) 1
(l)
, x (x)

(r)

1
2

(s(X1 , . . , Xn )), 2
x (x),
, (s(X1 , . . , Xn )) 2
(l)
, x (x)

(r)

is an arbitrary term, often a new (existential) logical variable X.


s is a new (Skolem) function and X1 , . . , Xn are all (existential) free logical variables of x (x).

Figure 4: Proof rules for first-order quantifiers


Rules r,l,r,l are standard proof rules for first-order logic. For explaining these
quantifier proof rules, let us first assume for a moment there are no (existential) free

variables X1 , . . . , Xn (i.e. n = 0) and use what is known as the ground calculus.


The quantifier proof rules work much as in mathematics. Consider r, where we
want to show a universally quantified property. When a mathematician wants to show
a universally quantified property x (x) to hold, he could choose a fresh symbol s
(called Skolem function symbol) and prove that (s) holds (for s). Then the mathematician would remember that s was arbitrary and his proof did not assume anything
special about the value of s. So he would conclude that (s) must indeed hold for all s,
and that hence x (x) holds true. For example, to show that the square of all numbers
is nonnegative, a mathematician could start out by saying let s be an arbitrary number, prove s2 0 for s, and then conclude x (x2 0), since s was arbitrary. Proof rule
r essentially makes this reasoning formal. It chooses a new (function) symbol s and replaces the universally quantified formula in the succedent by a formula for s (with all
free logical variables X1 , . . . , Xn added as arguments, as we explain below). Notice,
of course, that it is important to choose a new symbol s that has not been used (in the
sequent) before. Otherwise, we would assume special properties about s that may not
be justified.
Consider r, where we want to show an existentially quantified property. When a
mathematician proves x (x), he could directly produce any witness for this existential property and prove that, indeed, (), for then he would have shown x (x) with
this witness. For example, to show that there is a number whose cube is less than its
square, a mathematician could start by saying let me choose 0.5 and show the property for 0.5. Then he could prove 0.53 < 0.52 , because 0.125 < 0.25, and conclude that
there, thus, is such a number, i.e., x (x3 < x2 ). Proof rule r does that. It allows the
choice of any term for x and accepts a proof of () as a proof of x (x). However
note that the claim is a witness may turn out to be wrong, for example, the choice
2 for x would be a bad start for attempting to show x (x3 < x2 ). Consequently, proof
rule r keeps both options () and x (x) in the succedent.4 If the proof with is successful, the sequent is valid and the part of the proof can be closed successfully. If the
proof with later turns out to be unsuccessful, another attempt can be used to prove
x (x), e.g., by applying r again with another attempt for a different witness 2 .
Rules l,l are dual to r,l. Consider l, where we have a universally quantified
formula in the assumptions (antecedent) that we can use, and not in the succedent,
which we want to show. In mathematics, when we know a universal fact, we can use
this knowledge for any particular instance. If we know that all positive numbers have
a square root, then we can also use the fact that 5 has a square root, because 5 is a
positive number. Hence from assumption x (x > 0 hasSqrt(x)) in the antecedent, we can also assume instance 5 > 0 hasSqrt(5). Rule l can produce an instance ()
for arbitrary terms of the assumption x (x). Since we may need the universal fact
x (x) for multiple instantiations with 1 , 2 , 3 during the proof, rule l keeps the
4 KeYmaera does not actually keep x (x) around in the succedent for rule r and, for a fundamental reason [Pla08], does not have to. The same holds for rule l, where KeYmaera does not keep x (x) around in the antecedent, because it does not have to. That means, however, that if you conjecture to produce the right instance, and your conjecture turns out wrong during the proof, then you have to go back in the proof and undo your instantiation with .

assumption x (x) in the antecedent so that it can be used repeatedly.


Consider rule l in which we can use an existentially quantified formula from the
antecedent. In mathematics, if we know an existential fact, then we can give a name
to the object that we then know does exist. If we know that there is a smallest integer
less than 10 that is a square, we can call it s, but we cannot denote it by a different term
like 5, because 5 may be (and in fact is) the wrong answer. Rule l gives a fresh name
s (with all logical variables X1 , . . . , Xn as arguments) to the object that exists. Since it
does not make sense to give a different name for the same existing object later, x (x)
is removed from the antecedent when adding (s(X1 , . . . , Xn )).
There are two ways of using the proof rules in Fig. 4. One way is to avoid free variables Xi altogether and only choose ground terms without variables for instantiations
in r,l. Then the Skolem functions used in r,l have n = 0 free logical variables
X1 , . . . , Xn as arguments. This case is called a ground calculus, because free variables
are never used and all term instantiations are ground (no free variables).
The other way is to work with free variables and always use some fresh (existential) logical variable X for instantiation of every time r,l are used. This is a free-variable calculus [HS94, Fit96, FM99] where r,l are called -rules and r,l are called
+ -rules [HS94], which is an improvement of what is known as the -rule [Fit96, FM99].
This case is called a free-variable calculus, because instantiations are with free variables.
Later in the proof, these free variables can be requantified [Pla08]. The free variables
X1 , . . . , Xn in the Skolem terms keep track of the dependencies of symbols and prevent
instantiations where we instantiate X1 by a term such as s(X1 , . . . , Xn ) depending on
X1 . The ground calculus and free-variable calculus uses of Fig. 4 can also be mixed.

8 Real Arithmetic
We will see more details on the handling of real arithmetic in a later lecture. In a nutshell, QE() denotes the use of real arithmetic on formula . That is, for a formula of
first-order real arithmetic, QE() is a logical formula that is equivalent to but simpler,
because QE() is quantifier-free.
Theorem 2 (Quantifier elimination). The first-order theory of real arithmetic admits quantifier elimination, that is, with each formula , a quantifier-free formula QE() can be associated
effectively that is equivalent (i.e., QE() is valid) and has no additional free variables or
function symbols. The operation QE is further assumed to evaluate ground formulas (i.e., without variables), yielding a decision procedure for closed formulas of this theory (i.e., formulas
without free variables).
Quantifier elimination yields, e.g., the following equivalence by real arithmetic:
QE(∃x (ax + b = 0)) ≡ (a ≠ 0 ∨ b = 0).
Both sides are easily seen to be equivalent, i.e.
⊨ ∃x (ax + b = 0) ↔ (a ≠ 0 ∨ b = 0)

because a linear equation with nonzero inhomogeneous part has a solution iff its linear part is nonzero as well. Real arithmetic equivalences can be used in differential
dynamic logic to eliminate quantifiers (or otherwise simplify arithmetic).
With the rule i, we can reintroduce a universal quantifier for a Skolem term s(X1 , . . . , Xn ),
which corresponds to a previously universally quantified variable in the succedent or a
previously existentially quantified variable in the antecedent. The point of reintroducing the quantifier is that this makes sense when the remaining formulas are first-order
in the quantified variable so that they can be handled equivalently by quantifier elimination in real-closed fields. When we have proven the subgoal (with for all X) then
this entails the goal for the particular s(X1 , . . . , Xn ). In particular, when we remove a
quantifier with r,l to obtain a Skolem term, we can continue with other proof rules to
handle the dynamic modalities and then reintroduce the quantifier for the Skolem term
with i once quantifier elimination for real arithmetic becomes applicable.
The dual rule i can reintroduce an existential quantifier for a free logical variable
that was previously existentially quantified in the succedent or previously universally
quantified in the antecedent. Again, this makes sense when the resulting formula in
the premise is first-order in the quantified variable X so that quantifier elimination can
eliminate the quantifier equivalently. When we remove a quantifier with r,l to obtain
a free logical variable, we can continue using other proof rules to handle the dynamic
modalities and then reintroduce the quantifier for the free logical variable with i once
quantifier elimination is applicable.
V
QE(X i (i i )) 2
QE(X ((X) (X)))
1
(i)
(i)
(s(X1 , . . , Xn )) (s(X1 , . . , Xn ))
1 1 . . . n n
1
2

X is a new logical variable. Further, QE needs to be defined for the formula in the premise.
Among all open branches, free logical variable X only occurs in the branches i i . Further, QE
needs to be defined for the formula in the premise, especially, no Skolem dependencies on X can
occur.

Recall abbreviations from Lecture 5:


def

Ah,v 0 h h = H v = 0 g > 0 1 > c 0


def

Bh,v 0 h h H
def

(h = g) (h = v, v = g)
And the single-hop bouncing ball formula from Lecture 5:
Ah,v [h = g; (?h = 0; v := cv ?h 0)]Bh,v
We only consider a simpler formula instead:
Ah,v [h = g]Bh,v (3)
Let there be sequent proof:

ax
Ah,v , r0 0rr
l
Ah,v , r0, 0rr [h := H g2 s2 ]h 0
l
Ah,v , r0, 0sr [h := H g2 s2 ]h 0
r
Ah,v , r0
r
Ah,v
r
Ah,v
[ ]r
Ah,v
r

[:=]r

Ah,v , r0, H g2 s2 h 0 BH g r2 ,gt


2

Ah,v , r0, [h := H g2 s2 ]h 0 [h := H g2 r2 ]Bh,v


[h := H g2 r2 ]Bh,v
[h := H g2 r2 ]Bh,v
0sr [h := H g2 s2 ]h 0 [h := H g2 r2 ]Bh,v
r0 (0sr [h := H g2 s2 ]h 0 [h := H g2 r2 ]Bh,v )
t0 (0st [h := H g2 s2 ]h 0 [h := H g2 t2 ]Bh,v )
[h = g & h 0]Bh,v
Ah,v [h = g & h 0]Bh,v

We just wrote that the left premise closes by ax, except that
Ah,v , r0 0rr
is not exactly an instance of the ax rule, so even here we need simple arithmetic to
conclude that 0 r r is the same as r 0, at which point that premise turns into a
literal instance of ax
Ah,v , r0 r0
A full formal proof and a KeYmaera proof, thus, need an extra proof step of arithmetic
in the left premise.
The right premise is
Ah,v , r0, H g/2 s2 h 0 BH g/2 r2 ,gt
which, when resolving abbreviations, turns into
0 h h = H v = 0 g > 0 1 > c 0, r0, H g/2 s2 h 0 0 H g/2 r2 H g/2 r2 H
This sequent proves using r plus simple arithmetic for the left branch resulting from
r and a little more arithmetic on the right branch resulting from r. Finishing the
above sequent proof up as indicated shows that dL formula (3) is provable.

9 Instantiating Real Arithmetic


Providing instantiations for quantifier rules r,l can speed up real arithmetic decision
procedures. The proof in Sect. 8 instantiated the universal quantifier s for an evolution
domain constraint by the end point r of the time interval using quantifier proof rule l.
This is a very common simplification that usually speeds up arithmetic significantly. It
does not always work, because the instance one guesses may not always be the right
one. Even worse, there may not always be a single instance that is sufficient for the
proof, but that is a phenomenon that later lectures will examine.
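The arithmetic goal that remains after the Sect. 8 proof, and the effect of the instance chosen for s by rule ∀l (Sect. 9), can be sanity-checked by plain evaluation before a decision procedure is called. The following Python snippet is an added example, not from the lecture notes or from KeYmaera: the grid of sample values for H, g, c and r is constructed here, the abbreviations A_{h,v} and B_{h,v} are expanded as in Sect. 8 with h = H and v = 0 initially, and sampling can only refute a goal, never prove it, so a goal that survives the check still has to be discharged by QE.

```python
"""Added example (not the notes' or KeYmaera's code): brute-force check of
the right premise of the Sect. 8 proof after instantiating the domain
constraint quantifier  forall s  with a chosen witness.  The sample grid
is constructed here; passing the grid refutes nothing and proves nothing,
it only tells you whether the instance is worth sending to QE."""

def right_premise(H, g, c, r, s):
    """Assumptions -> conclusion of the right premise, with A_{h,v} and
    B_{h,v} expanded (h = H, v = 0) and the instantiated assumption
    H - g/2 s^2 >= 0 for the witness s.  True if the sequent holds here."""
    h, v = H, 0.0
    assumptions = (0 <= h and h == H and v == 0 and g > 0 and 1 > c >= 0
                   and r >= 0 and H - g / 2 * s ** 2 >= 0)
    h_at_r = H - g / 2 * r ** 2              # effect of  [h := H - g/2 r^2]
    conclusion = 0 <= h_at_r <= H            # B_{h,v} after the jump
    return (not assumptions) or conclusion

def find_counterexample(instance):
    """Evaluate the goal on a constructed grid.  `instance(r)` is the term
    that rule forall-l substitutes for s.  Returns the first failing point
    (H, g, c, r) or None if every grid point satisfies the goal."""
    for H in range(0, 11):
        for g in range(1, 11):
            for c in (0.0, 0.5, 0.9):
                for r in range(0, 11):
                    if not right_premise(H, g, c, r, instance(r)):
                        return (H, g, c, r)
    return None

def endpoint_instance_holds():
    """s := r, the end point of the time interval used in the Sect. 8 proof:
    the instantiated constraint is exactly the  0 <= h  part of B_{h,v}."""
    return find_counterexample(lambda r: r) is None

def zero_instance_fails():
    """s := 0 only yields  H >= 0, too weak to show  0 <= h  after the jump,
    so the guessed instance leaves a goal that QE would report as invalid."""
    return find_counterexample(lambda r: 0) is not None
```

The two instances differ only in the term substituted for s, yet one leaves a goal that holds everywhere on the grid and the other a goal that already fails at H = 0, g = 1, r = 1. That is the practical content of the remark above that the guessed instance may not be the right one: a cheap evaluation like this catches a bad guess before an expensive decision procedure is run on it.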

10 Weakening Real Arithmetic


Weakening rules Wl,Wr can be useful to hide irrelevant parts of a sequent so that they do not become a distraction for real arithmetic decision procedures.
In the proof in Sect. 8, the left premise was
Ah,v , r0 0rr
The proof of this sequent did not make use of Ah,v at all. Here, the proof worked easily.
But if Ah,v were a very complicated formula, then proving the same sequent might
have been very difficult, because our proving attempts could have been distracted by
the presence of Ah,v . We might have applied lots of proof rules to Ah,v before finally
realising that the sequent proves because of r0 0rr alone.
The same kind of distraction can happen in decision procedures for real arithmetic,
sometimes shockingly so [Pla10, Chapter 5]. Consequently, it can sometimes save a lot
of proof effort to simplify irrelevant assumptions away as soon as they have become unnecessary. Fortunately, there already is a proof rule for that purpose called weakening,
which we can use on our example from the left premise in the proof of Sect. 8:
r0 0rr
Ah,v , r0 0rr

Wl

11 Summary
The differential dynamic logic sequent proof rules that we have seen in this lecture are
summarized in Fig. 5. They turn out to be sound [Pla08]. Yet, the notion of soundness
for axioms that we investigated in Lecture 5 does not directly apply to proof rules. We
will investigate soundness of the proof rules in Fig. 5 in a later lecture. There are further
proof rules of differential dynamic logic that later lectures will examine [Pla08].

References
[And02] Peter B. Andrews. An Introduction to Mathematical Logic and Type Theory: To Truth Through Proof. Kluwer, 2nd edition, 2002.
[Bus98] Samuel R. Buss. An introduction to proof theory. In Samuel R. Buss, editor, Handbook of Proof Theory, chapter 1, pages 1–78. Elsevier, 1998.
[Fit96] Melvin Fitting. First-Order Logic and Automated Theorem Proving. Springer, New York, 2nd edition, 1996.
[FM99] Melvin Fitting and Richard L. Mendelsohn. First-Order Modal Logic. Kluwer, Norwell, MA, USA, 1999.
[Gen35] Gerhard Gentzen. Untersuchungen über das logische Schließen. I. Math. Zeit., 39(2):176–210, 1935.

,
,
,
(l)
,

, ,
,
, ,
(l)
,

(r)

, ,
,
, ,
(l)
,

(r)

hihi
h; i
[][]
([;])
[; ]
hi hi
(hi)
h i
[] []
([])
[ ]
(h;i)

, ,
,
, ,
(l)
,

(r)

(ax)

, ,
, ,
(cut)

(r)

(Wl)
,

(Wr)

hih i
x
(h:=i)
h i
hx := i

[][ ]
x
([n ])
([:=])
[ ]
[x := ]

H
t0 (0tt hx := y(t)iH) hx := y(t)i 1

(h?i)
(h i)
h?Hi
hx = & Hi

H
t0 (0tt [x := y(t)]H) [x := y(t)] 1

([?])
([ ])
[?H]
[x = & H]

(hn i)

(), x (x), 2
x (x),
, (), x (x) 2
(l)
, x (x)

(r)

QE(X ((X) (X))),


4
(i)
, (s(X1 , . . , Xn )) (s(X1 , . . , Xn )),

(s(X1 , . . , Xn )), 3
x (x),
, (s(X1 , . . , Xn )) 3
(l)
, x (x)

(r)

V
QE(X i (i i )), 5
(i)
, 1 1 , . . . , n n ,

t and t are fresh logical variables and hx := y(t)i is the discrete assignment belonging to the solution y
of the differential equation with constant symbol x as symbolic initial value.
2
is an arbitrary term, often a new (existential) logical variable X.
3
s is a new (Skolem) function and X1 , . . , Xn are all (existential) free logical variables of x (x).
4
X is a new logical variable. Further, QE needs to be defined for the formula in the premise.
5
Among all open branches, free logical variable X only occurs in the branches , i i , . Further,
QE needs to be defined for the formula in the premise, especially, no Skolem dependencies on X can
occur.
1

Figure 5: Some proof rules of the dL sequent calculus

[Hoa69] Charles Antony Richard Hoare. An axiomatic basis for computer programming. Commun. ACM, 12(10):576–580, 1969.
[HS94] Reiner Hähnle and Peter H. Schmitt. The liberalized δ-rule in free variable semantic tableaux. J. Autom. Reasoning, 13(2):211–221, 1994.
[Pla08] André Platzer. Differential dynamic logic for hybrid systems. J. Autom. Reas., 41(2):143–189, 2008. doi:10.1007/s10817-008-9103-8.
[Pla10] André Platzer. Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics. Springer, Heidelberg, 2010. doi:10.1007/978-3-642-14509-4.
[Pla12] André Platzer. Logics of dynamical systems. In LICS, pages 13–24. IEEE, 2012. doi:10.1109/LICS.2012.13.

15-424: Foundations of Cyber-Physical Systems

Lecture Notes on
Control Loops & Invariants
André Platzer
Carnegie Mellon University
Lecture 7
1 Introduction
Lecture 3 on Choice & Control demonstrated how important control is in CPS and that
control loops are a very important feature for making this control happen. Without
loops, CPS controllers are limited to short finite sequences of control actions, which
are rarely sufficient. With loops, CPS controllers shine, because they can inspect the
current state of the system, take action to control the system, let the physics evolve,
and then repeat these steps in a loop over and over again to slowly get the state to where the controller wants the system to be. Think of programming a robot to drive on a highway. Would you be able to do that without some means of repetition or iteration? Probably not, because you'll need to write a CPS program that monitors the traffic situation frequently and reacts in response to what the other cars do on the highway. Hybrid programs' way of exercising repetitive control actions is the repetition operator that can be applied to any hybrid program . The resulting hybrid program repeats any number of times, nondeterministically.
More information can be found in [Pla12b, Pla12a] as well as [Pla10, Chapter 2.5.2,2.5.4].

2 Control Loops
Recall the little acrophobic bouncing ball from Lecture 4 on Safety & Contracts.
@requires(0 h h = H v = 0)
@requires(g > 0 1 c 0)
@ensures(0 h h H)

(1)

h = v, v = g & h 0;

if(h = 0) v := cv

15-424 LECTURE NOTES, September 18, 2013, ANDRÉ PLATZER
The contracts above have been augmented with the ones that we have identified in
Lecture 4 by converting the initial contract specification into a logical formula in differential dynamic logic and then identifying the required assumptions to make it true in
all states:
0hh=H v =0g >01c0

 
h = v, v = g & h 0; if(h = 0) v := cv
(0 h h H) (2)
Because we did not want to be bothered by the presence of the additional if-then-else
operator, which is not officially part of the minimal set of operators of dL, we simplified
(2) to:
0hh=H v =0g >01c0

 
h = v, v = g & h 0; (?h = 0; v := cv ?h ≠ 0) (0 h h H) (3)
In Lecture 4, we had an informal understanding of why (3) is valid (true in all states), but no formal proof, albeit we proved a much simplified version of (3) in which we simply threw away the loop. Ignorance is clearly not a correct way of understanding loops. Let's make up for that now by properly proving (3) in the dL calculus.
Yet, before going for a proof, let us take a step back and understand the role of loops
in more general terms. Their semantics has been explored in Lecture 3 on Choice &
Control and more formally in Lecture 5 on Dynamical Systems & Dynamic Axioms.
The little bouncing ball had a loop in which physics and its bounce control alternated.
The bouncing ball desperately needs a loop for it wouldn't know ahead of time how
often it would bounce. When falling from great heights, it bounces quite a bit. The
bouncing ball also has a controller, albeit a rather impoverished one. All it could do is
inspect the current height, compare it to the ground floor (at height 0) and, if h = 0,
flip its velocity vector around after a little damping by factor c. That is not a whole lot
of flexibility for control choices, but the bouncing ball was still rather proud to serve
such an important role in controlling the bouncing ball's behavior. Indeed, without the
control action, the ball would never bounce back from the ground but would keep on
falling forever, what a frightful thought for the acrophobic bouncing ball. On second
thought, the ball would not fall for very long without its controller, because of the
evolution domain h 0 for physics h = g & h 0, which would only allow physics
to evolve for time zero if the ball is already at height 0, because gravity would otherwise
try to pull it further down, except that h 0 won't have it. So, in summary, without the bouncing ball's control statement, it would simply fall and then lie flat on the ground
without time being allowed to proceed. That would not sound very reassuring and
certainly not as much fun as bouncing back up, so the bouncing ball is really quite
proud of its control.
This principle is not specific to the bouncing ball, but, rather, quite common in CPS.
The controller performs a crucial task, without which physics would not evolve in the
way that we want it to. After all, if physics did already always do what we want it
to without any input from our side, we would not need a controller in the first place.

Hence, control is crucial, and understanding and analyzing its effect on physics is one of
the primary responsibilities in CPS.
Before proving (3), we apply one more simplification that we have also done in Lecture 5, just to save space on the page. We boldly drop the evolution domain constraint
and make up for it by modifying the condition in the second test (Exercise 1):

$0 \le h \land h = H \land v = 0 \land g > 0 \land 1 \ge c \ge 0 \to$
$\quad [(h' = v, v' = -g; (?h = 0; v := -cv \cup ?h \ge 0))^*](0 \le h \land h \le H)$   (4)

Hold on, why is that okay? Doesn't our previous investigation say that the ball could
suddenly fall through the cracks in the floor if physics insists on evolving for hours
before giving the poor bouncing ball controller a chance to react? To make sure the
bouncing ball does not panic in light of this threat, solve Exercise 1 to investigate this.

3 Proofs of Loops
There is a loop in (4). As we have seen, its behavior is crucial to the bouncing ball. So
let's prove to understand what it does and to see whether we have to be just as nervous
as the bouncing ball about losing it to the earth (if postcondition $0 \le h$ is not ensured)
or to the sky (if $h \le H$ is not ensured).
Abbreviations have served us well in trying to keep proofs onto one page.

$A_{h,v} \stackrel{\mathrm{def}}{\equiv} 0 \le h \land h = H \land v = 0 \land g > 0 \land 1 \ge c \ge 0$
$B_{h,v} \stackrel{\mathrm{def}}{\equiv} 0 \le h \land h \le H$
$(h'' = -g) \stackrel{\mathrm{def}}{\equiv} (h' = v, v' = -g)$

With these abbreviations, the bouncing ball formula (4) turns into:

$A_{h,v} \to [(h'' = -g; (?h = 0; v := -cv \cup ?h \ge 0))^*]B_{h,v}$   (4)

This formula is swiftly turned into the sequent at the top using proof rule $\to$r
(premise above the conclusion):

$A_{h,v} \vdash [(h'' = -g; (?h = 0; v := -cv \cup ?h \ge 0))^*]B_{h,v}$
$\to$r
$\vdash A_{h,v} \to [(h'' = -g; (?h = 0; v := -cv \cup ?h \ge 0))^*]B_{h,v}$
This leaves a loop to be worried about. Inspecting our dL proof rules from Lecture 6 on
Truth & Proof, there is exactly one that addresses loops (premise above the conclusion):

([∗n]r)   $\Gamma \vdash \varphi \land [\alpha][\alpha^*]\varphi, \Delta$
          $\Gamma \vdash [\alpha^*]\varphi, \Delta$
Using this one to continue the sequent derivation proceeds as follows (the conclusion
comes first; each "by ... from" names the rule and the premise(s) from which the
preceding sequent is derived):

$A_{h,v} \vdash [(h'' = -g; (?h = 0; v := -cv \cup ?h \ge 0))^*]B_{h,v}$
  by [∗n]r from
$A_{h,v} \vdash B_{h,v} \land [h'' = -g; (?h = 0; v := -cv \cup ?h \ge 0)][(h'' = -g; (?h = 0; v := -cv \cup ?h \ge 0))^*]B_{h,v}$
  by $\land$r from the left subgoal
$A_{h,v} \vdash B_{h,v}$
  and the right subgoal
$A_{h,v} \vdash [h'' = -g; (?h = 0; v := -cv \cup ?h \ge 0)][(h'' = -g; (?h = 0; v := -cv \cup ?h \ge 0))^*]B_{h,v}$
  which by [;]r comes from
$A_{h,v} \vdash [h'' = -g][?h = 0; v := -cv \cup ?h \ge 0][(h'' = -g; (?h = 0; v := -cv \cup ?h \ge 0))^*]B_{h,v}$

The left subgoal that results from using $\land$r closes by very simple arithmetic. The
right subgoal is more of a challenge to prove. We can solve the differential equation
and proceed using [′]r, which will produce a quantifier that $\forall$r can handle and leaves us
with a sequent that we need to consider further to prove.

4 Loops of Proofs
After a lot of proof effort, the above sequent proof continues so that the modalities
$\ldots [h'' = -g][?h = 0; v := -cv \cup ?h \ge 0]$
can be handled. But there is still a loop in the postcondition
$[(h'' = -g; (?h = 0; v := -cv \cup ?h \ge 0))^*]B_{h,v}$. How can we prove that
postcondition, then? Investigating our proof rules, there is exactly one that addresses
loops: [∗n]r again. If we use [∗n]r again, what will happen?
Recall from Lecture 5 the semantics of repetition:

$\rho(\alpha^*) = \bigcup_{n \in \mathbb{N}} \rho(\alpha^n)$ with $\alpha^{n+1} \equiv \alpha^n; \alpha$ and $\alpha^0 \equiv {?}\mathit{true}$

Lemma 1 ([∗] soundness). The iteration axiom is sound:

([∗])   $[\alpha^*]\varphi \leftrightarrow \varphi \land [\alpha][\alpha^*]\varphi$

Using proof rule [∗n]r on the succedent of a sequent has the same effect as using axiom
[∗] from left-hand side to right-hand side. Axiom [∗] can be used to turn a formula

$A \to [\alpha^*]B$   (5)

into
$A \to B \land [\alpha][\alpha^*]B$
What happens if we use that axiom [∗] again?

Recall that, unlike sequent proof rules such as [∗n]r, axioms do not say where they can
be used, so we might as well use them anywhere in the middle of the formula. Hence
using axiom [∗] on the inner loop yields:
$A \to B \land [\alpha](B \land [\alpha][\alpha^*]B)$
Let's do that again and use [∗] to obtain

$A \to B \land [\alpha](B \land [\alpha](B \land [\alpha][\alpha^*]B))$   (6)

This is all very interesting but won't exactly get us any closer to a proof, because we
could keep expanding the star forever that way. How do we ever break out of this
loop of never-ending proofs?
Before we get too disillusioned about our progress with [∗] so far, notice that (6) still
allows us to learn something about $\alpha$ and whether it always satisfies $B$ when repeating
$\alpha$. Since [∗] is an equivalence axiom, formula (6) still expresses the same thing as (5),
i.e. that $B$ always holds after repeating $\alpha$ when $A$ was true in the beginning. Yet, (6)
explicitly singles out the first 3 runs of $\alpha$. Let's make this more apparent by recalling
([∧])   $[\alpha](B \land C) \leftrightarrow [\alpha]B \land [\alpha]C$
Using this valid equivalence turns (6) into
$A \to B \land [\alpha]B \land [\alpha][\alpha](B \land [\alpha][\alpha^*]B)$
Using [∧] again gives us
$A \to B \land [\alpha]B \land [\alpha]([\alpha]B \land [\alpha][\alpha][\alpha^*]B)$
Using [∧] once more gives

$A \to B \land [\alpha]B \land [\alpha][\alpha]B \land [\alpha][\alpha][\alpha][\alpha^*]B$   (7)

Looking at it this way, (7) could be more useful than the original (5), because, even
though both are equivalent, (7) explicitly singles out the fact that $B$ has to hold initially,
after doing $\alpha$ once, after doing $\alpha$ twice, and that $[\alpha^*]B$ has to hold after doing $\alpha$ three
times. Even if we are not quite sure what to make of the latter $[\alpha][\alpha][\alpha][\alpha^*]B$, because it
still involves a loop, we are quite certain how to understand and handle the first three:

$A \to B \land [\alpha]B \land [\alpha][\alpha]B$   (8)

If this formula is not valid, then, certainly, neither is (7) and, thus, neither is the original
(5). Hence, if we find a counterexample to (8), we disproved (7) and (5). That can
actually be rather useful.
Yet, if (8) is still valid, we do not know whether (7) and (5) are, since they involve
stronger requirements ($B$ holds after any number of repetitions of $\alpha$). What can we do
then? Simply unroll the loop once more by using [∗] on (6) to obtain

$A \to B \land [\alpha](B \land [\alpha](B \land [\alpha](B \land [\alpha][\alpha^*]B)))$   (9)

Or, equivalently, use axiom [∗] on (7) to obtain the equivalent

$A \to B \land [\alpha]B \land [\alpha][\alpha]B \land [\alpha][\alpha][\alpha](B \land [\alpha][\alpha^*]B)$   (10)

By sufficiently many uses of axiom [∧], (9) and (10) are both equivalent to

$A \to B \land [\alpha]B \land [\alpha][\alpha]B \land [\alpha][\alpha][\alpha]B \land [\alpha][\alpha][\alpha][\alpha][\alpha^*]B$   (11)

which we can again examine to see if we can find a counterexample to the first part
$A \to B \land [\alpha]B \land [\alpha][\alpha]B \land [\alpha][\alpha][\alpha]B$
If yes, we disproved (5), otherwise we use [∗] once more.
This process of iteratively unrolling a loop with either axiom [∗] or rule [∗n]r is called
Bounded Model Checking and has been used very successfully, e.g., in the context of finite-state systems [CBRZ01]. The same principle can be useful to disprove properties of
loops in differential dynamic logic by unwinding the loop.

5 Breaking Loops for Proofs

Proving properties of loops by unwinding them forever with [∗n]r is not a promising
strategy, unless we find that the conjecture is not valid after a number of unwindings.
One way or another, we will have to find a way to break the loop apart to complete our
reasoning.
Consider the formula (11) again that we got from (5) by unwinding the loop with
axiom [∗] a number of times and then flattening the formula with the help of [∧]:

$A \to B \land [\alpha]B \land [\alpha][\alpha]B \land [\alpha][\alpha][\alpha]B \land [\alpha][\alpha][\alpha][\alpha][\alpha^*]B$   (11)

Using $\to$r and $\land$r on (11) leads to the following derivation (conclusion first, each
sequent derived from the premises named after it):

$\vdash A \to B \land [\alpha]B \land [\alpha][\alpha]B \land [\alpha][\alpha][\alpha]B \land [\alpha][\alpha][\alpha][\alpha][\alpha^*]B$
  by $\to$r from
$A \vdash B \land [\alpha]B \land [\alpha][\alpha]B \land [\alpha][\alpha][\alpha]B \land [\alpha][\alpha][\alpha][\alpha][\alpha^*]B$
  by $\land$r from $A \vdash B$ and
$A \vdash [\alpha]B \land [\alpha][\alpha]B \land [\alpha][\alpha][\alpha]B \land [\alpha][\alpha][\alpha][\alpha][\alpha^*]B$
  by $\land$r from $A \vdash [\alpha]B$ and
$A \vdash [\alpha][\alpha]B \land [\alpha][\alpha][\alpha]B \land [\alpha][\alpha][\alpha][\alpha][\alpha^*]B$
  by $\land$r from $A \vdash [\alpha][\alpha]B$ and
$A \vdash [\alpha][\alpha][\alpha]B \land [\alpha][\alpha][\alpha][\alpha][\alpha^*]B$
  by $\land$r from $A \vdash [\alpha][\alpha][\alpha]B$ and $A \vdash [\alpha][\alpha][\alpha][\alpha][\alpha^*]B$

Let us summarize this notationally by the following

$A \vdash B$    $A \vdash [\alpha]B$    $A \vdash [\alpha][\alpha]B$    $A \vdash [\alpha][\alpha][\alpha]B$    $A \vdash [\alpha][\alpha][\alpha][\alpha][\alpha^*]B$
$\to$r,$\land$r,$\land$r,$\land$r,$\land$r
$\vdash A \to B \land [\alpha]B \land [\alpha][\alpha]B \land [\alpha][\alpha][\alpha]B \land [\alpha][\alpha][\alpha][\alpha][\alpha^*]B$

to recall that there was a derivation involving one use of $\to$r and 4 uses of $\land$r from the
four premises to the single conclusion without saying which derivation it was exactly.
Mentioning $\land$r 4 times seems a bit repetitive, so simply abbreviate this as:

$A \vdash B$    $A \vdash [\alpha]B$    $A \vdash [\alpha][\alpha]B$    $A \vdash [\alpha][\alpha][\alpha]B$    $A \vdash [\alpha][\alpha][\alpha][\alpha][\alpha^*]B$
$\to$r,$\land$r
$\vdash A \to B \land [\alpha]B \land [\alpha][\alpha]B \land [\alpha][\alpha][\alpha]B \land [\alpha][\alpha][\alpha][\alpha][\alpha^*]B$

How could we prove the premises? Sect. 4 investigated one way, which essentially
amounts to Bounded Model Checking. Can we be more clever and prove the same
premises in a different way? Preferably one that is more efficient?
There is not much we can do to improve the way we prove the first premise. We simply
have to bite the bullet and do it, armed with all our knowledge of arithmetic. But it's
actually very easy, at least for the bouncing ball. Besides, no dynamics has actually
happened yet in the first premise, so if we despair in proving this one, the rest cannot
become any easier either. For the second premise, there is not much that we can do,
because we will have to analyze the effect of the loop body $\alpha$ running once at least in
order to be able to understand what happens if we run $\alpha$ repeatedly.
Yet, what's with the third premise $A \vdash [\alpha][\alpha]B$? We could just approach it as is and
try to prove it directly using the dL proof rules. Alternatively, however, we could try
to take advantage of the fact that it is the same hybrid program $\alpha$ that is running in the
first and the second modality. Maybe they should have something in common that we
can exploit as part of our proof?
How could that work? Can we possibly find something that is true after the
first run of $\alpha$ and is all we need to know about the state for $[\alpha]B$ to hold? Can we
characterize the intermediate state after the first $\alpha$ and before the second $\alpha$? Suppose
we manage to do that and identify a formula $E$ that characterizes the intermediate state
in this way. How do we use intermediate condition $E$ to simplify our proof?
Recall the intermediate condition contract version of the sequential composition proof
rule from Lecture 4 and Lecture 5 (premises above the conclusion):

(R4)   $A \to [\alpha]E$    $E \to [\beta]B$
       $A \to [\alpha;\beta]B$

Lecture 5 ended up dismissing the intermediate contract rule R4 in favor of the more
general axiom
([;])   $[\alpha;\beta]\varphi \leftrightarrow [\alpha][\beta]\varphi$
But, let us revisit R4 and see if we can learn something from its way of using intermediate condition $E$. The first obstacle is that the conclusion of R4 does not match the
form we need for $A \vdash [\alpha][\alpha]B$. That's not a problem in principle, because we could use
axiom [;] backwards from right-hand side to left-hand side in order to turn $A \vdash [\alpha][\alpha]B$
into
$A \vdash [\alpha;\alpha]B$
and then use rule R4. However, this is what we wanted to stay away from, because using the axioms both forwards and backwards can get our proof search into trouble because we might loop around trying to find a proof forever without making any progress
by simply using [;] forwards and then backwards and then forwards again and so on
until the end of time. That does not strike us as useful. Instead, we'll adopt a proof rule
that has some of the thoughts of R4 but is more general. It is called generalization:

([]gen′)   $\Gamma \vdash [\alpha]\varphi, \Delta$    $\varphi \vdash \psi$
           $\Gamma \vdash [\alpha]\psi, \Delta$

Rule []gen′ on the third premise $A \vdash [\alpha][\alpha]B$ with the intermediate condition $E$ for $\alpha$
that we assume to have identified:

$A \vdash [\alpha]E$    $E \vdash [\alpha]B$
[]gen′
$A \vdash [\alpha][\alpha]B$

Let us try to use this principle to see if we can find a way to prove

$A \to B \land [\alpha](B \land [\alpha](B \land [\alpha](B \land [\alpha][\alpha^*]B)))$   (9)

Using $\land$r and []gen′ a number of times for a sequence of intermediate conditions $E_1, E_2, E_3$
derives (conclusion first, each sequent derived from the premises named after it):

$\vdash A \to B \land [\alpha](B \land [\alpha](B \land [\alpha](B \land [\alpha][\alpha^*]B)))$
  by $\to$r from
$A \vdash B \land [\alpha](B \land [\alpha](B \land [\alpha](B \land [\alpha][\alpha^*]B)))$
  by $\land$r from $A \vdash B$ and
$A \vdash [\alpha](B \land [\alpha](B \land [\alpha](B \land [\alpha][\alpha^*]B)))$
  by []gen′ from $A \vdash [\alpha]E_1$ and
$E_1 \vdash B \land [\alpha](B \land [\alpha](B \land [\alpha][\alpha^*]B))$
  by $\land$r from $E_1 \vdash B$ and
$E_1 \vdash [\alpha](B \land [\alpha](B \land [\alpha][\alpha^*]B))$
  by []gen′ from $E_1 \vdash [\alpha]E_2$ and
$E_2 \vdash B \land [\alpha](B \land [\alpha][\alpha^*]B)$
  by $\land$r from $E_2 \vdash B$ and
$E_2 \vdash [\alpha](B \land [\alpha][\alpha^*]B)$
  by []gen′ from $E_2 \vdash [\alpha]E_3$ and
$E_3 \vdash B \land [\alpha][\alpha^*]B$
  by $\land$r from $E_3 \vdash B$ and $E_3 \vdash [\alpha][\alpha^*]B$

This particular derivation is still not very useful because it still has a loop in one of
the premises, which is what we had originally started out with in (5) in the first place.
But the derivation hints at a useful way how we could possibly shortcut proofs. To lead
to a proof of the conclusion, the above derivation requires us to prove the premises
$A \vdash [\alpha]E_1$
$E_1 \vdash [\alpha]E_2$
$E_2 \vdash [\alpha]E_3$
as well as some other premises. What if all the intermediate conditions $E_i$ were the
same? Let's assume they are all the same condition $E$, that is, $E_1 \equiv E_2 \equiv E_3 \equiv E$. Then
most of the premises turn out to be the same:
$E \vdash B$
$E \vdash [\alpha]E$
except for the two left-most and the right-most premise. Let us leverage this observation and develop a proof rule for which the same intermediate condition is used for all
iterates of the loop. Furthermore, we would even know the first premise
$A \vdash [\alpha]E$
if we could prove that the precondition $A$ implies $E$:
$A \vdash E$
because we already have $E \vdash [\alpha]E$.

6 Invariant Proofs of Loops

The condition $E \vdash [\alpha]E$ identified in the previous section seems particularly useful,
because it basically says that whenever the system $\alpha$ starts in a state satisfying $E$, it will
stay in $E$. It sounds like the system couldn't get out of $E$ either if it starts in $E$, since
all that $\alpha^*$ can do is to repeat $\alpha$ some number of times. But every time we repeat $\alpha$, the
sequent $E \vdash [\alpha]E$ expresses that we cannot leave $E$ that way.
The other condition that the previous section identified as crucial is $E \vdash B$. And,
indeed, if $E$ does not imply the postcondition $B$ that we have been interested in in the
first place, then $E$ is not necessarily very useful to prove $B$.
Recall from Lecture 3 the semantics of repetition:

$\rho(\alpha^*) = \bigcup_{n \in \mathbb{N}} \rho(\alpha^n)$ with $\alpha^{n+1} \equiv \alpha^n; \alpha$ and $\alpha^0 \equiv {?}\mathit{true}$

Lemma 2 (Induction). The induction rule is sound (premises above the conclusion):

(ind′)   $\Gamma \vdash \varphi, \Delta$    $\varphi \vdash [\alpha]\varphi$    $\varphi \vdash \psi$
         $\Gamma \vdash [\alpha^*]\psi, \Delta$

First observe that the inductive invariant $\varphi$ (which we called $E$ in the previous examples)
occurs in all premises but not in the conclusion of ind′. The first premise of ind′ says
that the initial state, about which we assume $\Gamma$ (and that $\Delta$ does not hold), satisfies the
invariant $\varphi$. The second premise of ind′ shows that the invariant $\varphi$ is inductive. That
is, whenever $\varphi$ was true before running the loop body $\alpha$, then $\varphi$ is always true again
after running $\alpha$. The third premise of ind′ shows that the invariant $\varphi$ is strong enough
to imply the postcondition $\psi$ that the conclusion was interested in.
Rule ind′ says that $\psi$ holds after any number of repetitions of $\alpha$ if an invariant $\varphi$ holds
initially (left premise) and invariant $\varphi$ remains true after one iteration of $\alpha$ (middle
premise), and invariant $\varphi$ finally implies the desired postcondition $\psi$ (right premise).
If $\varphi$ is true after executing $\alpha$ whenever $\varphi$ has been true before (middle premise), then,
if $\varphi$ holds in the beginning (left premise), $\varphi$ will continue to hold, no matter how often
we repeat $\alpha$ in $[\alpha^*]\varphi$, which is enough to imply $[\alpha^*]\psi$ if $\varphi$ implies $\psi$.
Taking a step back, these three premises correspond exactly to the proof steps that 15-122 Principles of Imperative Computation used to show that the contract of a function
with a @requires contract $\Gamma$ (and not $\Delta$), @ensures contract $\psi$, and a loop invariant $\varphi$
is correct. Now, we have this reasoning in a more general and formally more precisely
defined context.

7 A Proof of a Repetitive Bouncing Ball

@requires($0 \le h \land h = H \land v = 0$)
@requires($g > 0 \land 1 \ge c \ge 0$)
@ensures($0 \le h \land h \le H$)
$(h' = v, v' = -g \,\&\, h \ge 0;$
$\quad (?h = 0; v := -cv \cup ?h \ge 0))^*$ @invariant($2gh = 2gH - v^2 \land h \ge 0$)   (12)

Let us again use abbreviations:

$A_{h,v} \stackrel{\mathrm{def}}{\equiv} 0 \le h \land h = H \land v = 0 \land g > 0 \land 1 \ge c \ge 0$
$B_{h,v} \stackrel{\mathrm{def}}{\equiv} 0 \le h \land h \le H$
$(h'' = \ldots) \stackrel{\mathrm{def}}{\equiv} (h' = v, v' = -g \,\&\, h \ge 0)$
$E_{h,v} \stackrel{\mathrm{def}}{\equiv} 2gh = 2gH - v^2 \land h \ge 0$

Note the somewhat odd abbreviation for the differential equation just to simplify notation. Also note the invariant $E_{h,v}$ that we identified as an intermediate condition for
the single-hop bouncing ball in Lecture 4 on Safety & Contracts. After the considerations in Sect. 5, it should no longer be a big surprise why we try to use an intermediate
condition as an invariant. We are not sure whether this will work but it seems worth
trying.

$A_{h,v} \to [(h'' = \ldots; (?h = 0; v := -cv \cup ?h \ge 0))^*]B_{h,v}$

Let there be proof. The derivation, conclusion first with each sequent derived from the
premises named after it, is:

$\vdash A_{h,v} \to [(h'' = \ldots; (?h = 0; v := -cv \cup ?h \ge 0))^*]B_{h,v}$
  by $\to$r from
$A_{h,v} \vdash [(h'' = \ldots; (?h = 0; v := -cv \cup ?h \ge 0))^*]B_{h,v}$
  by ind′ with invariant $E_{h,v}$ from the three premises $A_{h,v} \vdash E_{h,v}$, $E_{h,v} \vdash B_{h,v}$ and
$E_{h,v} \vdash [h'' = \ldots; (?h = 0; v := -cv \cup ?h \ge 0)]E_{h,v}$
  by [;]r from
$E_{h,v} \vdash [h'' = \ldots][?h = 0; v := -cv \cup ?h \ge 0]E_{h,v}$
  by []gen′ from $E_{h,v} \vdash [h'' = \ldots]E_{h,v}$ and
$E_{h,v} \vdash [?h = 0; v := -cv \cup ?h \ge 0]E_{h,v}$
  by [$\cup$]r from
$E_{h,v} \vdash [?h = 0; v := -cv]E_{h,v} \land [?h \ge 0]E_{h,v}$
  by $\land$r from
$E_{h,v} \vdash [?h = 0; v := -cv]E_{h,v}$    and    $E_{h,v} \vdash [?h \ge 0]E_{h,v}$
  the former by [;]r from $E_{h,v} \vdash [?h = 0][v := -cv]E_{h,v}$, then by [?]r from $E_{h,v}, h = 0 \vdash [v := -cv]E_{h,v}$, then by [:=]r from
$E_{h,v}, h = 0 \vdash E_{h,-cv}$
  the latter by [?]r from
$E_{h,v}, h \ge 0 \vdash E_{h,v}$

The remaining 5 premises prove easily. The first premise $A_{h,v} \vdash E_{h,v}$ proves easily
using $h = H$ and $v = 0$:

$0 \le h \land h = H \land v = 0 \land g > 0 \land 1 \ge c \ge 0 \vdash 2gh = 2gH - v^2 \land h \ge 0$

Recalling the unusual abbreviations, the second premise $E_{h,v} \vdash [h'' = \ldots]E_{h,v}$ is
$2gh = 2gH - v^2 \land h \ge 0 \vdash [h' = v, v' = -g \,\&\, h \ge 0](2gh = 2gH - v^2 \land h \ge 0)$

a proof whose pieces we have seen in previous lectures (Exercise 2). The third premise
$E_{h,v}, h = 0 \vdash E_{h,-cv}$ is
$2gh = 2gH - v^2 \land h \ge 0, h = 0 \vdash 2gh = 2gH - (-cv)^2 \land h \ge 0$
which would prove easily if we knew $c = 1$. Do we know $c = 1$? No, we do not know
$c = 1$, because we only assumed $1 \ge c \ge 0$ in $A_{h,v}$. But we could prove this third
premise easily if we would change the definition of $A_{h,v}$ around to include $c = 1$. Note
that even then, however, we still need to augment $E_{h,v}$ to include $c = 1$ as well, since we
otherwise would have lost this knowledge before we need it in the third premise. The
fourth premise, $E_{h,v}, h \ge 0 \vdash E_{h,v}$, proves whatever the abbreviations stand for simply
using the axiom rule ax. Finally, the fifth premise $E_{h,v} \vdash B_{h,v}$, which is
$2gh = 2gH - v^2 \land h \ge 0 \vdash 0 \le h \land h \le H$
proves easily with arithmetic as long as we know $g > 0$. This condition is already included in $A_{h,v}$. But we still managed to forget about that in our intermediate condition.
So, again, $g > 0$ should have been included in the invariant $E_{h,v}$, which should have
been defined as

$E_{h,v} \stackrel{\mathrm{def}}{\equiv} 2gh = 2gH - v^2 \land h \ge 0 \land c = 1 \land g > 0$

Yet, the last two conjuncts are trivial, because neither $c$ nor $g$ changes while the
little bouncing ball falls. We, unfortunately, still have to include them in the invariant. This
is one of the downsides of working with intermediate condition style proofs such as
what we get with rule []gen′. Later lectures investigate significant simplifications for
this nuisance.
For the record, we now have a sequent proof of the undamped bouncing ball with
repetitions:

$0 \le h \land h = H \land v = 0 \land g > 0 \land 1 = c \to$
$\quad [(h' = v, v' = -g \,\&\, h \ge 0; (?h = 0; v := -cv \cup ?h \ge 0))^*](0 \le h \land h \le H)$   (13)

Looking back, the contract in (12) has almost reflected this, but not quite, because the
@invariant contract forgot to capture the constant invariants $c = 1 \land g > 0$. And the
@requires contract forgot to require $c = 1$. Let's capture this contract, which we have
now verified by way of proving the corresponding dL formula (13):

@requires($0 \le h \land h = H \land v = 0$)
@requires($g > 0 \land c = 1$)
@ensures($0 \le h \land h \le H$)
$(h' = v, v' = -g \,\&\, h \ge 0;$
$\quad (?h = 0; v := -cv \cup ?h \ge 0))^*$ @invariant($2gh = 2gH - v^2 \land h \ge 0 \land c = 1 \land g > 0$)   (14)
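To see the five premises of the ind′ proof in Sect. 7 at work, here is an added Python check (example code, not part of the lecture notes and not KeYmaera) that tests the invariant of contract (12) and the corrected invariant of contract (14) on constructed sample states lying on the energy curve $2gh = 2gH - v^2$: it checks the premise $A \vdash E$ at the initial state, the premise $E \vdash B$ on every sample state, and the inductive premise $E \vdash [\mathrm{body}]E$ by running the loop body for a constructed grid of durations and both control branches, all in exact rational arithmetic. The constants $g = 10$ and $H = 5$, the duration grid and all function names are assumptions of this example. Such a test cannot replace the sequent proof, but it finds exactly the gap the text describes: with $c = \frac{1}{2}$ the bounce branch breaks $2gh = 2gH - v^2$, whereas with $c = 1$ every premise holds on all samples.

```python
from fractions import Fraction as F

G, H = F(10), F(5)    # constructed constants: gravity g and initial height H

def E_basic(h, v, c):
    """Invariant candidate of contract (12): 2gh = 2gH - v^2 and h >= 0."""
    return 2 * G * h == 2 * G * H - v * v and h >= 0

def E_full(h, v, c):
    """Corrected invariant of contract (14): additionally c = 1 and g > 0."""
    return E_basic(h, v, c) and c == 1 and G > 0

def A(h, v, c):
    """Precondition of (14): 0 <= h, h = H, v = 0, g > 0, c = 1."""
    return 0 <= h and h == H and v == 0 and G > 0 and c == 1

def B(h, v):
    """Postcondition 0 <= h <= H."""
    return 0 <= h <= H

def ode(h, v, t):
    """h' = v, v' = -g & h >= 0 for duration t, or None if the domain is left.
    h(t) is a concave parabola, so h >= 0 at both endpoints covers all of [0, t]."""
    h2 = h + v * t - G * t * t / 2
    if h < 0 or h2 < 0:
        return None
    return h2, v - G * t

def body_successors(h, v, c, durations):
    """States reachable by one run of the loop body
    h' = v, v' = -g & h >= 0; (?h = 0; v := -cv  U  ?h >= 0), tagged by branch."""
    out = []
    for t in durations:
        r = ode(h, v, t)
        if r is None:
            continue
        h2, v2 = r
        if h2 == 0:                      # ?h = 0; v := -cv
            out.append((h2, -c * v2, "bounce"))
        if h2 >= 0:                      # ?h >= 0
            out.append((h2, v2, "skip"))
    return out

def sample_states():
    """Constructed states on the energy curve 2gh = 2gH - v^2 with h >= 0."""
    return [(H - v * v / (2 * G), v) for v in map(F, range(-10, 11, 2))]

def check_ind_premises(inv, c, durations=(F(0), F(1, 5), F(1, 2), F(1), F(2))):
    """Test the three premises of rule ind' for invariant `inv` on the samples.
    Returns a list of (premise, state, branch) failures; [] means all samples pass."""
    failures = []
    if A(H, F(0), c) and not inv(H, F(0), c):            # Gamma |- phi
        failures.append(("A -> E", (H, F(0)), None))
    for h, v in sample_states():
        if not inv(h, v, c):
            continue                                      # the premises only assume phi
        if not B(h, v):                                   # phi |- psi
            failures.append(("E -> B", (h, v), None))
        for h2, v2, branch in body_successors(h, v, c, durations):
            if not inv(h2, v2, c):                        # phi |- [body]phi
                failures.append(("E -> [body]E", (h, v), branch))
    return failures

if __name__ == "__main__":
    print("c = 1,   E of (12):", check_ind_premises(E_basic, F(1)))
    print("c = 1/2, E of (12):", check_ind_premises(E_basic, F(1, 2)))
    print("c = 1,   E of (14):", check_ind_premises(E_full, F(1)))
```

The differential equation is handled by its closed-form solution, and the domain $h \ge 0$ is checked at both endpoints only, which is sound here because $h(t)$ is concave in $t$; for a differential equation without such a closed form one would have to fall back on the proof rules of Lecture 6 instead.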

8 Essentials of Induction & Cuts

The induction rule ind′ is very useful in practice. But there is a more elegant and more
essential way of stating the induction principle.
Lemma 3 (Induction). The induction rule is sound (premise above the conclusion):

(ind)   $\varphi \vdash [\alpha]\varphi$
        $\varphi \vdash [\alpha^*]\varphi$

ind is clearly a special case of ind′, obtained by specializing $\Gamma \stackrel{\mathrm{def}}{\equiv} \varphi$, $\Delta$ empty, and $\psi \stackrel{\mathrm{def}}{\equiv} \varphi$,
in which case the left and right premises of ind′ are provable directly by ax so that only
the middle premise remains. If ind is a special case of ind′, why should we still prefer
ind from a perspective of essentials? Obviously, ind is more fundamental and easier.
But if this came at the cost of being less powerful, ind′ should still be preferred. It turns
out that ind′ is actually a special case of ind with a little extra work. This extra work
needs a bit of attention but is insightful.
Let's adopt the following variation of the generalization rule:

([]gen)   $\varphi \vdash \psi$
          $[\alpha]\varphi \vdash [\alpha]\psi$

For example, using a cut with $\varphi \to [\alpha^*]\varphi$, rule ind′ can be derived from ind and []gen
as follows (using weakening Wl,Wr without notice; conclusion first, each sequent derived
from the premises named after it):

$\Gamma \vdash [\alpha^*]\psi, \Delta$
  by cut with $\varphi \to [\alpha^*]\varphi$ from $\vdash \varphi \to [\alpha^*]\varphi$ and $\Gamma, \varphi \to [\alpha^*]\varphi \vdash [\alpha^*]\psi, \Delta$
$\vdash \varphi \to [\alpha^*]\varphi$
  by $\to$r from $\varphi \vdash [\alpha^*]\varphi$, which is by ind from $\varphi \vdash [\alpha]\varphi$
$\Gamma, \varphi \to [\alpha^*]\varphi \vdash [\alpha^*]\psi, \Delta$
  by $\to$l from $\Gamma \vdash \varphi, \Delta$ and $\Gamma, [\alpha^*]\varphi \vdash [\alpha^*]\psi, \Delta$, the latter by Wl,Wr from $[\alpha^*]\varphi \vdash [\alpha^*]\psi$, which is by []gen from $\varphi \vdash \psi$

The premises left open are $\varphi \vdash [\alpha]\varphi$, $\Gamma \vdash \varphi, \Delta$ and $\varphi \vdash \psi$, which are exactly the
premises of ind′. Hence ind′ is a derived rule, because it can be derived using ind and some other rules.
Thus, ind′ is not necessary in theory, but still useful in practice.
Yet, now, in order to derive rule ind′ out of the more fundamental ind, we had to add
the revised generalization rule []gen. Is that any easier? Well it is, because []gen actually makes []gen′ unnecessary by another smart argument using a cut with the desired
formula $[\alpha]\varphi$:

$\Gamma \vdash [\alpha]\psi, \Delta$
  by cut with $[\alpha]\varphi$ from $\Gamma \vdash [\alpha]\varphi, [\alpha]\psi, \Delta$ and $\Gamma, [\alpha]\varphi \vdash [\alpha]\psi, \Delta$
$\Gamma \vdash [\alpha]\varphi, [\alpha]\psi, \Delta$
  by Wr from $\Gamma \vdash [\alpha]\varphi, \Delta$
$\Gamma, [\alpha]\varphi \vdash [\alpha]\psi, \Delta$
  by Wl,Wr from $[\alpha]\varphi \vdash [\alpha]\psi$, which is by []gen from $\varphi \vdash \psi$

This leaves exactly the premises of rule []gen′, making []gen′ a derived rule. Whenever
we need []gen′, we could simply expand the proof out in the above form to reduce it to
just a proof involving []gen and cut and weakening.
These are two illustrations how creative uses of cuts can suddenly make proofs and
concepts easier, a phenomenon that we will see in action much more often in this
course.

Before you despair that you would have to derive ind′ and []gen′ every time you
need them: that is not the case. The theorem prover KeYmaera is very well aware of
how useful both versions of the proof rules are and has them at your disposal. For
theoretical investigations, however, as well as for understanding the truly fundamental
reasoning steps, it is instructive to see that ind and []gen are fundamental, while the
others are mere consequences.

Exercises
Exercise 1 (Give bouncing ball back its evolution domain). Explain why the transformation from (3) to (4) was okay in this case.
Exercise 2. Give a sequent proof for
$2gh = 2gH - v^2 \land h \ge 0 \to [h' = v, v' = -g \,\&\, h \ge 0](2gh = 2gH - v^2 \land h \ge 0)$
Does this property also hold if we remove the evolution domain constraint $h \ge 0$? That
is, is the following formula valid?
$2gh = 2gH - v^2 \land h \ge 0 \to [h' = v, v' = -g](2gh = 2gH - v^2 \land h \ge 0)$
Exercise 3. To develop an inductive proof rule, we have started systematic unwinding
considerations from formula (9) in Sect. 5. In lecture, we started from the form (11)
instead and have seen that that takes us to the same inductive principle. Which of
the two ways of proceeding is more efficient? Which one produces fewer premises that
are distractions in the argument? Which one has fewer choices of different intermediate
conditions $E_i$ in the first place?

References
[CBRZ01] Edmund M. Clarke, Armin Biere, Richard Raimi, and Yunshan Zhu. Bounded model checking using satisfiability solving. Form. Methods Syst. Des., 19(1):7–34, 2001.
[Pla10] André Platzer. Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics. Springer, Heidelberg, 2010. doi:10.1007/978-3-642-14509-4.
[Pla12a] André Platzer. Dynamic logics of dynamical systems. CoRR, abs/1205.4788, 2012. arXiv:1205.4788.
[Pla12b] André Platzer. Logics of dynamical systems. In LICS, pages 13–24. IEEE, 2012. doi:10.1109/LICS.2012.13.

15-424: Foundations of Cyber-Physical Systems

Lecture Notes on
Events & Delays
Andre Platzer
Carnegie Mellon University
Lecture 8

1 Introduction
Lecture 3 on Choice & Control demonstrated the importance of control and loops in
CPS models, Lecture 5 on Dynamical Systems & Dynamic Axioms presented a way of
unwinding loops iteratively to relate repetition to runs of the loop body, Lecture 6 on
Truth & Proof showed a corresponding way of unwinding loops in sequent calculus,
and Lecture 7 on Control Loops & Invariants finally explained the central proof principle for loops based on induction.
That has been a lot of attention on loops, but there are even more things to be learned
about loops. Not by coincidence, because loops are one of the difficult challenges in
CPS. The other difficult challenge comes from the differential equations. If the differential equations are simple and there are no loops, CPS suddenly become easy (they are
even decidable).
This lecture will focus on how the two difficult parts of CPS interact: how loops interface with differential equations. That interface is ultimately the connection between the
cyber and the physical part, which, as we know since Lecture 2 on Differential Equations & Domains, is fundamentally represented by the evolution domain constraints
that determine when physics pauses to let cyber look and act.
Today's lecture focuses on two important paradigms for making cyber interface with
physics to form cyber-physical systems, which played an equally important role in
classical embedded systems. One paradigm is that of event-driven architecture, where
reactions to events dominate the behavior of the system. The other paradigm is time-triggered control, which uses periodic actions to affect the behavior of the system. Both
paradigms fall out naturally from an understanding of the hybrid program principle
for CPS.
These lecture notes are loosely based on [Pla12b, Pla10].

15-424 LECTURE NOTES        September 23, 2013        ANDRE PLATZER

2 The Need for Control

Having gotten accustomed to the little bouncing ball, this lecture will simply stick to
it. Yet, the bouncing ball asks for more action, for it had so far no choice but to wait
until it was at height $h = 0$. And when its patience paid off so that it finally observed
height $h = 0$, then its only action was to make its velocity bounce back up. Frustrated
by this limited menu of actions to choose from, the bouncing ball asks for a ping pong
paddle. Thrilled at the opportunities opened up by a ping pong paddle, the bouncing
ball first performs some experiments and then settles on using the ping pong paddle
high up in the air to push itself back down again. It had high hopes that proper control
exerted by the ping pong paddle would allow the ball to go faster without risking the
terrified moments inflicted on it by its acrophobic attitude to heights. Setting aside all
Munchausian concerns about how effective ping pong paddles can be for the ball if
itself is in control of the paddle to be used on itself in light of Newton's third law about
opposing forces, let us investigate this situation regardless. After all, it has what it takes
to make control interesting: the dynamics of a physical system and decisions on when
to react how to the observed status of the system.
Lecture 7 developed a sequent proof of the undamped bouncing ball with repetitions:

$0 \le h \land h = H \land v = 0 \land g > 0 \land 1 = c \to$
$\quad [(h' = v, v' = -g \,\&\, h \ge 0; (?h = 0; v := -cv \cup ?h \ge 0))^*](0 \le h \land h \le H)$   (1)

Figure 1: Sample trajectory of a bouncing ball (plotted as position over time)

With this basic understanding of (undamped) bouncing balls, let's examine how to
turn the bouncing ball into a ping pong ball using clever actuation of a ping pong paddle. The bouncing ball tried to actuate the ping pong paddle in all kinds of directions.
But it never knew where it was going to land if it tried the ping pong paddle sideways.
So it quickly gave up the thought of using the ping pong paddle sideways. The ball
got so accustomed to its path of going up and down on the spot. With the ping pong
paddle, it wanted to do the same, just faster.
By making the ping pong paddle move up and down, the bouncing ball ultimately
figured out that the ball would go back down fast as soon as it got a pat on the top by
the paddle. It also learned that the other direction turned out to be not just difficult but

also rather dangerous. Moving the ping pong paddle up when the ball was above it to
give it a pat on the bottom was tricky, but when it worked would even make the ball
fly up higher than before. Yet that is what the acrophobic bouncing ball did not enjoy
so much, so it tries to control the ping pong paddle so that the ball only bounces down,
never up.
As a height that the bouncing ball feels comfortable with, it chose 5 and so it wants
to establish $0 \le h \le 5$ to always hold as its safety condition. The ball further puts the
ping pong paddle at a similar height so that it can actuate somewhere between 4 and 5.
It exercises great care to make sure it would only ever move the paddle downwards
when the ball is underneath, never above. Thus, the effect of the ping pong paddle will
be to reverse the ball's direction. For simplicity, the ball figures that being hit by a ping
pong paddle might have a similar effect as being hit by the floor, except with a possibly
different factor $f > 0$ instead of the damping coefficient $c$.¹ So the paddle actuated this
way is simply assumed to have effect $v := -fv$.
Taking these thoughts into account, the ball devises the following HP model and
conjectures safety expressed in the following dL formula:

$0 \le h \land h \le 5 \land v \le 0 \land g > 0 \land 1 \ge c \ge 0 \land f > 0 \to$
$\quad [(h' = v, v' = -g \,\&\, h \ge 0;$
$\quad\quad (?h = 0; v := -cv \cup ?4 \le h \le 5; v := -fv \cup ?h \ge 0))^*](0 \le h \land h \le 5)$   (2)

Having taken the Principle of Cartesian Doubt from Lecture 4 on Safety & Contracts
to heart, the aspiring ping-pong ball first scrutinizes conjecture (2) before setting out to
prove it. What could go wrong?
For one thing, (2) allows the right control options of using the paddle by $?4 \le h \le 5; v := -fv$ but also always allows the wrong choice $?h \ne 0$ when above ground. So if
the bouncing ball is unlucky, the HP in (2) could run so that the middle choice is never
chosen and, if the ball has a large downwards velocity $v$ initially, it will jump back up
higher than 5 even if it was below 5 initially. That scenario falsifies (2) and a concrete
counterexample can be constructed correspondingly, e.g., from initial state $\omega$ with
$\omega(h) = 5, \omega(v) = -10^{10}, \omega(c) = \frac{1}{2}, \omega(f) = 1, \omega(g) = 10$
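As an added illustration (example code, not from the lecture notes), the following Python sketch applies the bounded model checking idea of Lecture 7, Sect. 4 to conjecture (2): it unrolls the loop a bounded number of times and searches for a run that ends outside $0 \le h \le 5$. The durations of the differential equation are drawn from a small constructed grid, and the initial state is a constructed one of the same shape as the lecture's counterexample (a ball at or below height 5 with a large downward velocity, satisfying the precondition of (2)), chosen so that the ground is hit at a rational time and all arithmetic stays exact; the grid, the state and the function names are assumptions of this example. Because every trace it explores is a genuine run of the hybrid program, a reported trace is a real counterexample, whereas finding none within the bound proves nothing, which is exactly the limitation of the unrolling approach discussed in Lecture 7.

```python
from fractions import Fraction as F

# Constructed initial state for conjecture (2): same shape as the lecture's
# counterexample (h <= 5, large downward velocity), with a rational ground-hit time.
INIT = {"h": F(1) + F(5, 10**6), "v": F(-1000), "c": F(1, 2), "f": F(1), "g": F(10)}
DURATIONS = (F(1, 1000), F(1, 2), F(1), F(2))   # constructed sample of ODE durations

def ode(s, t):
    """One run of h' = v, v' = -g & h >= 0 for duration t.
    h(t) is a concave parabola, so h >= 0 on [0, t] iff it holds at both ends;
    returns None if the evolution domain would be violated (no such run exists)."""
    h = s["h"] + s["v"] * t - s["g"] * t * t / 2
    if s["h"] < 0 or h < 0:
        return None
    return {**s, "h": h, "v": s["v"] - s["g"] * t}

def ctrl_branches(s):
    """All states reachable by the nondeterministic controller of (2):
    ?h = 0; v := -cv   U   ?4 <= h <= 5; v := -fv   U   ?h >= 0"""
    out = []
    if s["h"] == 0:
        out.append({**s, "v": -s["c"] * s["v"]})
    if 4 <= s["h"] <= 5:
        out.append({**s, "v": -s["f"] * s["v"]})
    if s["h"] >= 0:
        out.append(dict(s))
    return out

def post(s):
    """Postcondition of (2)."""
    return 0 <= s["h"] <= 5

def bmc(init, bound, durations=DURATIONS):
    """Bounded model checking: unroll the loop at most `bound` times over the
    sampled durations. Returns a trace [(None, init), (t1, s1), ...] whose last
    state violates the postcondition, or None if no violation is found.
    Every trace explored is a genuine run of the hybrid program, so a result is a
    real counterexample; None only says nothing was found within the bound."""
    frontier = [[(None, init)]]
    for _ in range(bound):
        nxt = []
        for trace in frontier:
            s = trace[-1][1]
            for t in durations:
                mid = ode(s, t)
                if mid is None:
                    continue          # the ODE cannot evolve that long from here
                for s2 in ctrl_branches(mid):
                    new = trace + [(t, s2)]
                    if not post(s2):
                        return new
                    nxt.append(new)
        frontier = nxt
    return None

if __name__ == "__main__":
    trace = bmc(INIT, 2)
    for t, s in trace:
        print("t =", t, " h =", float(s["h"]), " v =", float(s["v"]))
```

Two iterations suffice: the first run reaches the ground and bounces with $v := -cv$, the second lets physics carry the ball far above 5 before the controller runs again and takes the $?h \ge 0$ branch, so the state after that iteration violates $h \le 5$.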
How can the bouncing ball bugfix its control and turn itself into a proper ping pong
ball? The problem with the controller in (2) is that it permits too much choice, some
of which is unsafe. Restricting these choices and making them more deterministic is
what it takes to ensure the ping pong paddle is actuated as intended:

$0 \le h \land h \le 5 \land v \le 0 \land g > 0 \land 1 \ge c \ge 0 \land f > 0 \to$
$\quad [(h' = v, v' = -g \,\&\, h \ge 0;$
$\quad\quad (?h = 0; v := -cv \cup ?4 \le h \le 5; v := -fv \cup ?(h \ge 0 \land (h < 4 \lor h > 5))))^*](0 \le h \land h \le 5)$   (3)

¹ The real story is quite a bit more complicated, but the bouncing ball does not know any better.

Recalling the if($E$) $\alpha$ else $\beta$ statement, the same system can be modeled equivalently:

$0 \le h \land h \le 5 \land v \le 0 \land g > 0 \land 1 \ge c \ge 0 \land f > 0 \to$
$\quad [(h' = v, v' = -g \,\&\, h \ge 0;$
$\quad\quad (?h = 0; v := -cv \cup ?h \ne 0; \mathrm{if}(4 \le h \le 5)\, v := -fv))^*](0 \le h \land h \le 5)$

Or, even shorter as the equivalent

$0 \le h \land h \le 5 \land v \le 0 \land g > 0 \land 1 \ge c \ge 0 \land f > 0 \to$
$\quad [(h' = v, v' = -g \,\&\, h \ge 0;$
$\quad\quad \mathrm{if}(h = 0)\, v := -cv\ \mathrm{else\ if}(4 \le h \le 5)\, v := -fv)^*](0 \le h \land h \le 5)$   (4)

Is conjecture (4) valid?

Before you read on, see if you can find the answer for yourself.

3 Events in Control
The problem with (4) is that, even though it exercises the right control choice whenever
the controller runs, the model does not ensure the controller would run at all when
needed. The paddle control only runs after the differential equation stops. That is
guaranteed to happen when the ball bounces down to the ground ($h = 0$) but could
otherwise be any time. Recall from Lecture 2 that the semantics of differential equations
is nondeterministic. The system can follow a differential equation any amount of time
as long as it does not violate the evolution domain constraints. In particular, the HP in
(4) could miss the event $4 \le h \le 5$ that the ping pong ball's paddle control wanted to
react to. The system might simply skip over that region by following the differential
equation $h' = v, v' = -g \,\&\, h \ge 0$ obliviously.
How can the HP from (4) be modified to make sure the event $4 \le h \le 5$ is always
noticed and never missed?
Before you read on, see if you can find the answer for yourself.

The only way to prevent the system from following a differential equation for too
long is to restrict the evolution domain constraint, which is the predominant way to
make cyber and physical interact. Indeed, that is what the evolution domain constraint $\ldots \,\&\, h \ge 0$ in (4) did in the first place. Even though this domain was introduced
for different reasons (first principle arguments that light balls never fall through solid
ground), its secondary effect was to make sure that the ground controller $?h = 0; v := -cv$
will never miss the right time to take action and reverse the direction of the ball from
falling to climbing.
Note 1 (Evolution domains detect events). Evolution domain constraints of differential
equations in hybrid programs can detect events. That is, they can make sure the system
evolution stops whenever an event happens on which the control wants to take action.
Without such evolution domain constraints, the controller is not necessarily guaranteed to
execute but may miss the event.
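Note 1 can be checked on the bouncing ball with a few lines of added Python (example code, not from the lecture notes): for $h' = v, v' = -g$ the height is a concave parabola in time, so whether an evolution domain of the form $lo \le h$ (optionally also $h \le hi$) holds throughout a run of duration $t$ can be decided exactly from the two endpoints and the apex. The function `event_missed` then reports a run that passes through an event region but ends outside it, i.e. a run after which the controller would not notice the event. It generalizes the text's two events, the ground $h = 0$ and the paddle region $4 \le h \le 5$, to any interval event and any such domain; the sample states, the duration grid, the upper-bound parameter and all names are assumptions of this example.

```python
from fractions import Fraction as F

def height(h0, v0, g, t):
    """Solution h(t) of h' = v, v' = -g from h0, v0 (exact rational arithmetic)."""
    h0, v0, g, t = map(F, (h0, v0, g, t))
    return h0 + v0 * t - g * t * t / 2

def h_range(h0, v0, g, t):
    """Min and max of h on [0, t]. h(t) is a concave parabola, so the minimum lies at an
    endpoint and the maximum at an endpoint or at the apex t* = v0/g if that is in [0, t]."""
    cands = [height(h0, v0, g, 0), height(h0, v0, g, t)]
    apex = F(v0) / F(g)
    if 0 <= apex <= t:
        cands.append(height(h0, v0, g, apex))
    return min(cands), max(cands)

def run_allowed(h0, v0, g, t, lo=0, hi=None):
    """A run of duration t exists iff the evolution domain lo <= h (and h <= hi, if
    given) holds on all of [0, t]."""
    lo_h, hi_h = h_range(h0, v0, g, t)
    return lo_h >= lo and (hi is None or hi_h <= hi)

def event_missed(h0, v0, g, t, event, lo=0, hi=None):
    """True if an allowed run of duration t passes through the event region
    event = (a, b), i.e. a <= h <= b at some time, but ends outside it, so a
    controller that only runs after the ODE stops never sees the event."""
    if not run_allowed(h0, v0, g, t, lo, hi):
        return False
    lo_h, hi_h = h_range(h0, v0, g, t)
    a, b = event
    touched = hi_h >= a and lo_h <= b     # h is continuous, so its range on [0, t] is an interval
    h_end = height(h0, v0, g, t)
    return touched and not (a <= h_end <= b)

def any_missed(h0, v0, g, event, lo=0, hi=None, steps=200, horizon=4):
    """Scan durations on a grid over (0, horizon]; return the first duration whose run
    misses the event, or None if no sampled run does."""
    for k in range(1, steps + 1):
        t = F(horizon) * k / steps
        if event_missed(h0, v0, g, t, event, lo, hi):
            return t
    return None

if __name__ == "__main__":
    # Constructed samples: a ball dropped from 5 can never skip the ground with & h >= 0 ...
    print("ground event h = 0 skipped at t =", any_missed(5, 0, 10, (0, 0)))
    # ... but a ball launched upward at h = 0 with v = 20 can fly through 4 <= h <= 5 unnoticed
    print("paddle event 4 <= h <= 5 skipped at t =", any_missed(0, 20, 10, (4, 5)))
```

With the domain $h \ge 0$ alone the ground event cannot be skipped, because no allowed run ends below 0 and a run that reaches 0 ends there; from a ball launched upwards at $h = 0$ with $v = 20$, however, there are allowed runs that cross the paddle region and end high above it, so the controller of (4) can miss its event. The optional `hi` parameter lets the same check be run for candidate evolution domains that bound $h$ from above.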
Following these thoughts further indicates that the evolution domain somehow ought to be augmented with more constraints that ensure the interesting event $4 \le h \le 5$ will never be missed accidentally. How can this be done? Should the event be conjoined to the evolution domain as follows?
\[
\begin{aligned}
&0 \le h \land h \le 5 \land v \le 0 \land g > 0 \land 1 \ge c \ge 0 \land f > 0 \rightarrow \\
&\quad \big[\big(h' = v,\, v' = -g \,\&\, h \ge 0 \land 4 \le h \le 5;\\
&\qquad\ \mathit{if}(h = 0)\; v := -cv\; \mathit{else}\; \mathit{if}(4 \le h \le 5)\; v := -fv\big)^*\big]\,(0 \le h \le 5)
\end{aligned}
\]

Before you read on, see if you can find the answer for yourself.


Of course not! This evolution domain would require the ball to always be at a height between 4 and 5, which is hardly the right model. How could the ball ever fall to the ground and bounce back this way? It couldn't.
Yet, on second thought, the way the event $h = 0$ got detected by the HP in the first place was not by including $h = 0$ in the evolution domain constraint, but by including the inclusive limiting constraint $\ldots \,\&\, h \ge 0$, which made sure the system could perfectly well evolve outside the event domain $h = 0$, but could not just miss the event by rushing past $h = 0$. What would the inclusion of such an inclusive limiting constraint correspond to for the event $4 \le h \le 5$?
When the ball is hurled up into the sky, the last point at which action has to be taken to make sure not to miss the event $4 \le h \le 5$ is $h = 5$. The corresponding inclusive limiting constraint $h \le 5$ thus should be somewhere in the evolution domain constraint.
\[
\begin{aligned}
&0 \le h \land h \le 5 \land v \le 0 \land g > 0 \land 1 \ge c \ge 0 \land f > 0 \rightarrow \\
&\quad \big[\big(h' = v,\, v' = -g \,\&\, h \ge 0 \land h \le 5;\\
&\qquad\ \mathit{if}(h = 0)\; v := -cv\; \mathit{else}\; \mathit{if}(4 \le h \le 5)\; v := -fv\big)^*\big]\,(0 \le h \le 5)
\end{aligned}
\tag{5}
\]
Is this the right model? Is dL formula (5) valid? Will its HP ensure that the critical event $4 \le h \le 5$ will not be missed?
Before you read on, see if you can find the answer for yourself.


Formula (5) is valid. And yet, (5) is not at all the appropriate formula to consider. It is crucial to understand why.
So, formula (5) is valid. But why? Because all runs of the differential equation $h' = v,\, v' = -g \,\&\, h \ge 0 \land h \le 5$ remain within the safety condition $0 \le h \le 5$ by construction. None of them is ever allowed to leave the region $h \ge 0 \land h \le 5$, which, after all, is their evolution domain constraint. So formula (5) is trivially safe. A more careful argument: every time around the loop, the postcondition holds trivially, because the differential equation's evolution domain constraint maintains it by definition, and the subsequent discrete control never changes $h$, the only variable on which the postcondition depends. Hold on, the loop does not have to run but could also be skipped over with zero iterations. Yet, in that case, the precondition ensures the postcondition, so, indeed, (5) is valid, but trivially so.
Note 2 (Non-negotiability of physics). Usually, it is a good idea to make systems safe by construction. For computer programs, that is a great idea. But we need to remember that physics is unpleasantly non-negotiable. So if the only reason why a CPS model is safe is that we forgot to model all relevant behavior of the real system, then correctness statements about those inadequate models are not particularly applicable to reality. One common cause of such counterfactual models is overly restrictive evolution domain constraints that rule out physically realistic behavior.
And that is what happened in (5). The bouncing ball got so carried away with trying not to miss the event $4 \le h \le 5$ that it forgot to include in the model the behavior that happens after the event has happened. The evolution domain constraint $\ldots \,\&\, h \ge 0$ was in the system for physical reasons: to model the guaranteed bouncing back on the ground and to prevent the ball from falling through the ground. We added the evolution domain constraint $h \le 5$ for an entirely different reason. It came into play to model what our controller does, and inaptly so, because our feeble attempt ruled out physical behavior that could actually have happened in reality.
Let's make up for this by developing a model that has both behaviors, just in different continuous programs, so that the decisive event in the middle cannot accidentally be missed.
\[
\begin{aligned}
&0 \le h \land h \le 5 \land v \le 0 \land g > 0 \land 1 \ge c \ge 0 \land f > 0 \rightarrow \\
&\quad \big[\big((h' = v,\, v' = -g \,\&\, h \ge 0 \land h \le 5) \cup (h' = v,\, v' = -g \,\&\, h \ge 5);\\
&\qquad\ \mathit{if}(h = 0)\; v := -cv\; \mathit{else}\; \mathit{if}(4 \le h \le 5)\; v := -fv\big)^*\big]\,(0 \le h \le 5)
\end{aligned}
\tag{6}
\]
Now (6) has a much better model of events than the ill-advised (5). Is (6) valid?
Before you read on, see if you can find the answer for yourself.


When the ball is jumping up from the ground, the model in (6) makes it impossible for the controller to miss the event $4 \le h \le 5$, because the only evolution domain constraint in the HP that applies at the ground is $h \ge 0 \land h \le 5$, and that evolution domain stops being true above 5. Yet, suppose the ping pong ball was jumping up from the ground following the continuous program in the left choice and then stopped its evolution at height $h = 4.5$, which remains perfectly within the evolution domain $h \ge 0 \land h \le 5$ and is, thus, allowed. Then, after the sequential composition between the middle and last line of (6), the controller in the last line of (6) runs, notices that the event-checking formula $4 \le h \le 5$ is true, and changes the velocity according to $v := -fv$, corresponding to the assumed effect of a pat with the paddle. That is actually its only choice in such a state, because the controller is deterministic, much unlike the differential equation. Consequently, the velocity has just become negative, since it was positive before as the ball was climbing up. So the loop can repeat and the differential equation runs again. Yet, then the differential equation might evolve until the ball is at height $h = 4.25$, which will happen since its velocity is negative. If the differential equation stops then, the controller will run again, determine that $4 \le h \le 5$ is still true and so take action to change the velocity to $v := -fv$. That will, however, make the velocity positive again, since it was previously negative as the ball was in the process of falling. Hence, the ball will keep on climbing now, which, again, threatens the postcondition $0 \le h \le 5$. Will this falsify (6) or is it valid?
Before you read on, see if you can find the answer for yourself.


On second thought, that alone still will not cause the postcondition to evaluate to false, because the only way the bouncing ball can evolve continuously from $h = 4.25$ is still by the continuous program in the left choice of (6). And that differential equation is restricted to the evolution domain $h \ge 0 \land h \le 5$, which causes the controller to run before leaving $h \le 5$. That is, the event $4 \le h \le 5$ will again be noticed by the controller, so that the ping pong paddle pats the ball back down.
However, the exact same reasoning also applies to the case where the ball successfully made it up to height $h = 5$, which is the height at which any climbing ball has to stop its continuous evolution, because it would otherwise violate the evolution domain $h \ge 0 \land h \le 5$. As soon as that happens, the controller runs, notices that the event $4 \le h \le 5$ came true and reacts with a ping pong paddle to cause $v := -fv$. If, now, the loop repeats, yet the continuous evolution evolves for duration zero only, which is perfectly allowed, then the condition $4 \le h \le 5$ will still be true, so that the controller again notices this event and reacts with the ping pong paddle $v := -fv$. That will make the velocity positive, the loop can repeat, the continuous program on the right of the choice can be chosen since $h \ge 5$ holds true, and then the bouncing ball can climb and disappear into nothingness high up in the sky if only its velocity has been large enough.
Ergo, (6) is not valid. What a pity. And the bouncing ball would have to be afraid of heights when following the control in (6). How can this problem be resolved?
Before you read on, see if you can find the answer for yourself.


The problem in (6) is that its left differential equation makes sure never to miss out on the event $4 \le h \le 5$, but its control may react to it multiple times. It is not even clear whether each occasion of $4 \le h \le 5$ should be called an event. But certainly the repeated reaction to the same event according to control (6) causes trouble.
One way of solving this problem is to change the condition in the controller to make sure it only reacts to the event $4 \le h \le 5$ when the ball is on its way up, i.e. when its velocity is not negative. That is what the bouncing ball wanted to ensure in any case: the ping pong paddle should only be actuated downwards when the ball is flying up. These thoughts lead to the following variation:
\[
\begin{aligned}
&0 \le h \land h \le 5 \land v \le 0 \land g > 0 \land 1 \ge c \ge 0 \land f > 0 \rightarrow \\
&\quad \big[\big((h' = v,\, v' = -g \,\&\, h \ge 0 \land h \le 5) \cup (h' = v,\, v' = -g \,\&\, h \ge 5);\\
&\qquad\ \mathit{if}(h = 0)\; v := -cv\; \mathit{else}\; \mathit{if}(4 \le h \le 5 \land v \ge 0)\; v := -fv\big)^*\big]\,(0 \le h \le 5)
\end{aligned}
\tag{7}
\]
Because the paddle action $v := -fv$ disables the condition $v \ge 0$ for nonzero velocities, the controller in (7) can only react once to the event $4 \le h \le 5$, turning the upwards velocity into a downwards velocity scaled by $f$. Unlike in (6), this control decision cannot be reverted inadvertently by the controller.
Is dL formula (7) valid?
Before you read on, see if you can find the answer for yourself.


In order to convince ourselves that the ping pong paddle control works as expected, we simplify the assumptions in formula (7) so that they match the ones in our prior proofs about bouncing balls in Lecture 7 on Control Loops & Invariants. Those additional assumptions are not all strictly necessary, but they simplify the argument somewhat.
\[
\begin{aligned}
&0 \le h \le 5 \land v \le 0 \land 1 \ge c \ge 0 \land g > 0 \land f \ge 0 \rightarrow \\
&\quad \big[\big((h' = v,\, v' = -g \,\&\, h \ge 0 \land h \le 5) \cup (h' = v,\, v' = -g \,\&\, h \ge 5);\\
&\qquad\ \mathit{if}(h = 0)\; v := -cv\; \mathit{else}\; \mathit{if}(4 \le h \le 5 \land v \ge 0)\; v := -fv\big)^*\big]\,(0 \le h \le 5)
\end{aligned}
\tag{8}
\]
How could dL formula (8) be proved? The most critical element of a proof is finding a suitable invariant. What could be the invariant for proving (8)?
Before you read on, see if you can find the answer for yourself.


The formula
\[
5 \ge h \ge 0
\tag{9}
\]
is an obvious candidate for an invariant. If it is true, it trivially implies the postcondition $0 \le h \le 5$, and it holds in the initial state. It is not inductive, though, because a state that satisfies (9) could follow the right differential equation if it satisfies $h \ge 5$. In that case, if the velocity is positive, the invariant (9) would be violated immediately. Hence, at height $h = 5$, the control has to make sure that the velocity is negative, so that the right differential equation in (8) has to stop immediately. Could (9) be augmented with a conjunct $v \le 0$? No, that would not work either, because the bounce on the ground violates that invariant. In fact, the controller literally only ensures $v \le 0$ at the event, which is detected at $h = 5$ at the latest. Indeed, dL formula (8) can be proved in the dL calculus using the invariant
\[
5 \ge h \ge 0 \land (h = 5 \rightarrow v \le 0)
\]
This invariant is just strong enough to remember the control choice at the event $h = 5$ and that the possible range of $h$ is safe. Recall that (global) invariants need to be augmented with the usual assumptions about the unchanged variables, like $c \ge 0 \land g > 0 \land f \ge 0$.
The model that (8) and the other controllers in this section adhere to is called event-driven control or also event-driven architecture.
Note 3 (Event-driven control). One common paradigm for designing controllers is the event-driven architecture, in which the controller runs in response to certain events that happen in the system. The controller could possibly run under other circumstances as well; when in doubt, the controller simply skips over without any effect if it does not want to change anything about the behavior of the system. But event-driven controllers assume they will run for sure whenever certain events in the system happen.
These events cannot be all too narrow, though, or else the system will not be implementable. For example, it is nearly impossible to build a controller that reacts exactly at the point in time when the height of the bouncing ball is $h = 4.12345$. Chances are high that any particular execution of the system will have missed this particular height. Care must also be taken in event-driven design models that the events do not inadvertently restrict the evolution of the system to the behavioral cases outside or after the events have happened. Those executions must still be verified.
Are we sure in model (8) that events are taken into account faithfully? That depends on what exactly we mean by an event like $4 \le h \le 5$. Do we mean that this event happens for the first time? Or do we mean every time this event happens? If multiple successive runs of the ping pong ball's controller see this condition satisfied, do these count as the same or separate instances of that event happening? Comparing the non-validity of (6) with the validity of (7) illustrates that these subtleties can have considerable impact on the system. Hence, a precise understanding of events and careful modeling is required.
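The double reaction of (6) and the single reaction of (7) can be replayed in code. The following Python simulation is an added example and not part of the lecture notes: it encodes the closed-form solution of the ball's differential equation, lets a continuous program stop at any point its evolution domain allows (the nondeterminism of the HP semantics), and runs both controllers on the schedule described above (climb to $h = 5$, pat, zero-duration run, pat again, take the right branch). The parameter choice $g = c = f = 1$, the starting state and the schedules are constructed for this example.

```python
"""Event-driven ping pong ball: simulating the HP semantics of (6) and (7).

Added example, not code from the lecture notes.  Constructed choices:
g = c = f = 1, critical height 5, and the two schedules at the bottom.
"""
import math
from dataclasses import dataclass

G, C, F, TOP = 1.0, 1.0, 1.0, 5.0
EPS = 1e-9


@dataclass(frozen=True)
class State:
    h: float
    v: float


def height(s: State, t: float) -> float:
    """Closed-form solution of h' = v, v' = -g evaluated at time t."""
    return s.h + s.v * t - G * t * t / 2


def domain_holds(s: State, t: float, lo: float, hi: float) -> bool:
    """lo <= h <= hi on all of [0, t].  The trajectory is a concave parabola:
    its maximum is at the vertex v/g if that lies in [0, t], its minimum at an
    endpoint, so checking those points decides the whole interval."""
    points = [0.0, t]
    if 0.0 <= s.v / G <= t:
        points.append(s.v / G)
    hs = [height(s, u) for u in points]
    return min(hs) >= lo - EPS and max(hs) <= hi + EPS


def time_to_height(s: State, target: float):
    """Earliest t >= 0 with h(t) == target, or None if never reached."""
    disc = s.v * s.v - 2 * G * (target - s.h)
    if disc < 0:
        return None
    for t in sorted(((s.v - math.sqrt(disc)) / G, (s.v + math.sqrt(disc)) / G)):
        if t >= -EPS:
            return max(t, 0.0)
    return None


def flow(s: State, t, lo: float, hi: float):
    """Run (h' = v, v' = -g & lo <= h <= hi) for duration t.
    Returns None when the evolution domain forbids that run."""
    if t is None or t < 0 or not domain_holds(s, t, lo, hi):
        return None
    h = height(s, t)
    for edge in (lo, hi):          # a run ending on the boundary ends exactly there
        if abs(h - edge) < EPS:
            h = edge
    return State(h, s.v - G * t)


def controller_6(s: State) -> State:
    """if(h = 0) v := -cv else if(4 <= h <= 5) v := -fv            (formula 6)"""
    if s.h == 0:
        return State(s.h, -C * s.v)
    if 4 <= s.h <= TOP:
        return State(s.h, -F * s.v)
    return s


def controller_7(s: State) -> State:
    """if(h = 0) v := -cv else if(4 <= h <= 5 and v >= 0) v := -fv   (formula 7)"""
    if s.h == 0:
        return State(s.h, -C * s.v)
    if 4 <= s.h <= TOP and s.v >= 0:
        return State(s.h, -F * s.v)
    return s


def run(controller, s: State, schedule):
    """One loop iteration per schedule entry (branch, kind, value).
    branch 'left' is the ODE with domain h >= 0 & h <= 5, 'right' has h >= 5;
    kind 'for' runs for a fixed duration, 'at' stops when h reaches value.
    An entry the domain forbids is skipped: the system has no such run.
    Returns the states after each executed iteration."""
    trace = []
    for branch, kind, value in schedule:
        lo, hi = (0.0, TOP) if branch == "left" else (TOP, math.inf)
        dt = value if kind == "for" else time_to_height(s, value)
        nxt = flow(s, dt, lo, hi)
        if nxt is None:
            continue
        s = controller(nxt)
        trace.append(s)
    return trace


def max_height(controller, s: State, schedule) -> float:
    return max(x.h for x in run(controller, s, schedule))


# The escape of the text: bounce, climb to h = 5, get patted, zero-duration
# run, get patted again, then take the right branch for one time unit.
ESCAPE = [("left", "for", 0.0), ("left", "at", TOP), ("left", "for", 0.0),
          ("right", "for", 1.0)]
# The 4.5 / 4.25 wiggle of the text: two pats on the same climb.
WIGGLE = [("left", "for", 0.0), ("left", "at", 4.5), ("left", "at", 4.25)]
```

Because the schedule is an adversarial choice of the differential equation's durations, a run the evolution domain forbids is skipped rather than executed. That is exactly why controller (7) cannot take the right branch after the first pat: with $v < 0$ at $h = 5$, the domain $h \ge 5$ admits only the duration-zero run, which the schedule did not request. The simulation witnesses a counterexample to (6); it cannot witness the validity of (7), which needs the invariant proof.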


The controller in (8) only takes an action for event $4 \le h \le 5$ when the ball is on the way up. Hence, the evolution domain constraint in the right continuous evolution is $h \ge 5$. Had we wanted to model the occurrence of event $4 \le h \le 5$ also when the ball is on its way down, then we would have needed a differential equation with evolution domain $h \ge 4$ to make sure the system does not miss $4 \le h \le 5$ when the ball is on its way down either, without imposing that it would have to notice $h = 5$ already. This could be achieved by splitting the evolution domain regions appropriately, but was not necessary for (8), since it never reacts to balls falling down, only to those climbing up.

Note 4. Events are a slippery slope, and great care needs to be exercised to use them without introducing an inadequate executional bias into the model.
There is a highly disciplined way of defining, detecting, and reacting to general events in differential dynamic logic based on the "there and back again" axiom [Pla12a]. That is, however, much more complicated than the simpler account shown here.

4 Delays in Control
Event-driven control is a useful and intuitive model matching our expectation of having controllers react in response to certain critical conditions or events that necessitate intervention by the controller. Yet, one of its difficulties is that event-driven control can be hard or impossible to implement in reality. On a higher level of abstraction, it is very intuitive to design controllers that react to certain events and change the control actuation in response to what events have happened. Closer to the implementation, this turns out to be difficult, because actual computer control algorithms do not run all the time, only sporadically every once in a while, albeit sometimes very often. Implementing event-driven control faithfully would, in principle, require permanent continuous monitoring of the state to check whether an event has happened. That is not quite realistic.
Back to the drawing board. Let us reconsider the original dL formula (4) that we started out from for designing the event-driven version in (8).
\[
\begin{aligned}
&0 \le h \land h \le 5 \land v \le 0 \land g > 0 \land 1 \ge c \ge 0 \land f > 0 \rightarrow \\
&\quad \big[\big(h' = v,\, v' = -g \,\&\, h \ge 0;\\
&\qquad\ \mathit{if}(h = 0)\; v := -cv\; \mathit{else}\; \mathit{if}(4 \le h \le 5)\; v := -fv\big)^*\big]\,(0 \le h \le 5)
\end{aligned}
\tag{4}
\]
This simplistic formula (4) turned out not to be valid, because its differential equation was not guaranteed to be interrupted when the event $4 \le h \le 5$ happens. Consequently, (4) needs some other evolution domain constraint to make sure all continuous evolutions are stopped at some point for the control to have a chance to react to situation changes. Yet, it should not be something like $\ldots \,\&\, h \le 5$ as in (8), because continuously monitoring for $h \le 5$ requires permanent sensing of the height, which is difficult to implement.
How else could the continuous evolution of physics be interrupted to make sure the controller runs? By bounding the amount of time that physics is allowed to evolve before running the controller again. Before we can talk about time, the model needs to be changed to include a variable, say $t$, that reflects the progress of time with a differential equation $t' = 1$.
\[
\begin{aligned}
&0 \le h \land h \le 5 \land v \le 0 \land g = 1 > 0 \land 1 \ge c \ge 0 \land f > 0 \rightarrow \\
&\quad \big[\big(t := 0;\; h' = v,\, v' = -g,\, t' = 1 \,\&\, h \ge 0 \land t \le 1;\\
&\qquad\ \mathit{if}(h = 0)\; v := -cv\; \mathit{else}\; \mathit{if}(4 \le h \le 5)\; v := -fv\big)^*\big]\,(0 \le h \le 5)
\end{aligned}
\tag{10}
\]
In order to bound time by 1, the evolution domain now includes $\ldots \,\&\, t \le 1$, and the variable $t$ is reset to 0 by $t := 0$ right before the differential equation. Hence, $t$ represents a local clock measuring how long the evolution of the differential equation took. Its bound of 1 ensures that physics gives the controller a chance to react at least once per second. The system could very well stop the continuous evolution more often and earlier, because there is no lower bound on $t$ in (10). Also see Exercise 1.
Before going any further, let's take a step back to notice an annoyance in the way the control in (10) was written. It is written in the style in which the original bouncing ball and the event-driven ping pong ball were phrased: continuous dynamics followed by control. That has the unfortunate effect that (10) lets physics happen before control does anything, which is not a very safe start. In other words, the initial condition would have to be modified to assume that the initial control was fine. That is a nuisance, duplicating part of the control into the assumptions on the initial state. Instead, let's switch the statements around to make sure control always happens before physics.
\[
\begin{aligned}
&0 \le h \land h \le 5 \land v \le 0 \land g = 1 > 0 \land 1 \ge c \ge 0 \land f > 0 \rightarrow \\
&\quad \big[\big(\mathit{if}(h = 0)\; v := -cv\; \mathit{else}\; \mathit{if}(4 \le h \le 5)\; v := -fv;\\
&\qquad\ t := 0;\; h' = v,\, v' = -g,\, t' = 1 \,\&\, h \ge 0 \land t \le 1\big)^*\big]\,(0 \le h \le 5)
\end{aligned}
\tag{11}
\]
Now that dL formula (11) has an upper bound on the time it takes between two subsequent control actions, is it valid?
Before you read on, see if you can find the answer for yourself.


Even though (11) ensures a bound on how long it may take at most until the controller inspects the state and reacts, there is still a fundamental issue with (11). We can try to prove (11) and inspect the non-provable cases in the proof to find out what the issue is. The controller of (11) runs at the latest after one second (hence at least once per second) and then checks whether $4 \le h \le 5$. But if $4 \le h \le 5$ was not true when the controller ran last, there is no guarantee that it will be true when the controller runs next. In fact, the ball might very well have been at $h = 3$ at the last controller run, then evolved continuously to $h = 6$ within a second and so missed the event $4 \le h \le 5$ that it was supposed to detect (Exercise 2). Worse than that, the ping pong ball has then already become unsafe.
For illustration, driving a car would be similarly unsafe if you only opened your eyes once a second to check whether there is a car right in front of you. Too many things could have happened in between that should have prompted you to brake.
Note 5 (Delays may miss events). Delays in controller reactions may cause the events they were supposed to monitor to be missed. When that happens, there is a discrepancy between an event-driven understanding of a CPS and the real time-triggered implementation. That happens especially for slow controllers monitoring small regions of a fast-moving system. This relationship deserves special attention to make sure the impact of delays on a system controller cannot make it unsafe.
It is often a good idea to first understand and verify an event-driven design of a CPS controller and then refine it to a time-triggered controller to analyze and verify that CPS in light of its reaction time. Discrepancies in this analysis hint at problems that event-driven designs will likely experience at runtime, and they indicate a poor event abstraction.
How can this problem of (11) be solved? How can the CPS model make sure the controller does not miss its time to take action? Waiting until $4 \le h \le 5$ holds true is not guaranteed to be the right course of action for the controller.
Before you read on, see if you can find the answer for yourself.


The problem with (11) is that its controller is unaware of its own delay. It does not take into account how the ping pong ball could have moved further before it gets a chance to react next. If the ball is already close to the ping pong paddle's intended range of actuation, then the controller had better take action already if it is not sure whether next time will still be fine.
The controller would be in trouble if, in its next control cycle after the continuous evolution, $h > 5$. The continuous evolution can take at most 1 time unit, after which the ball will be at position $h + v - \frac{g}{2}$, as we have observed in Lecture 4 by solving the differential equation. We chose $g = 1$ for the time-triggered case, so the controller could be in trouble in the next control cycle if $h + v - \frac12 > 5$, i.e. if $h > 5 + \frac12 - v$ holds now. Hence, the idea is to make the controller act now based on how it estimates the state might have evolved by the next control cycle. The difference between (6) and (7) in the event-driven case indicates that the controller only wants to trigger action if the ball is flying up. Thus, making (11) aware of the future in this way leads to:
\[
\begin{aligned}
&0 \le h \land h \le 5 \land v \le 0 \land g = 1 > 0 \land 1 \ge c \ge 0 \land f > 0 \rightarrow \\
&\quad \big[\big(\mathit{if}(h = 0)\; v := -cv\; \mathit{else}\; \mathit{if}\big((h > 5 + \tfrac12 - v) \land v \ge 0\big)\; v := -fv;\\
&\qquad\ t := 0;\; h' = v,\, v' = -g,\, t' = 1 \,\&\, h \ge 0 \land t \le 1\big)^*\big]\,(0 \le h \le 5)
\end{aligned}
\tag{12}
\]
Is conjecture (12) about its future-aware controller valid?


Before you read on, see if you can find the answer for yourself.


The controller in formula (12) has been designed based on the prediction that the future may evolve for 1 time unit. If action will no longer be possible in 1 time unit, because the event $h \le 5$ will have passed at that future instant, the controller in (12) takes action right now already. The issue with that is that there is no guarantee that the ping pong ball will fly for exactly 1 time unit before the controller is asked to act again (and the postcondition is checked). The controller in (12) checks whether the ping pong ball could be too far up after one time unit and does not intervene unless that is the case. Yet, what if the ball flies for only $\frac12$ a time unit? Clearly, if the ball will be safe after 1 time unit, which is what the controller in (12) checks, it will also be safe after just $\frac12$ a time unit, right?
Before you read on, see if you can find the answer for yourself.


Wrong! The ball may well be below 5 after 1 time unit but still could have been above 5 in between the current point in time and 1 time unit from now. Recall Fig. 1 to see how this can happen.
In order to understand this further, we use the invariant that we have derived for the bouncing ball in an earlier lecture and then used in Lecture 7 to prove (1):
\[
2gh = 2gH - v^2 \land h \ge 0 \land c = 1 \land g > 0
\tag{13}
\]
We assume this invariant to hold at the beginning of the ping pong ball's life and also adopt the global assumptions $c = 1 \land g = 1 \land f = 1$ to simplify the arithmetic. Substituting the critical height 5 for $H$ in (13) for this instance of parameter choices leads to the following condition, which indicates that the ball could end up climbing too high:
\[
2h > 2 \cdot 5 - v^2
\tag{14}
\]
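Worked out here, as an added derivation that the notes only state: (14) is exactly the test of whether the ball's turning point lies above 5. With the symbols of (13), $H$ is the height at which the velocity vanishes:
\[
\begin{aligned}
2gh = 2gH - v^2 \;&\Longleftrightarrow\; H = h + \frac{v^2}{2g},\\
h(t) = h + vt - \frac{g}{2}t^2 \;&\text{ is maximal at } t^* = \frac{v}{g} \;(\text{for } v \ge 0), \text{ where } h(t^*) = h + \frac{v^2}{2g} = H,\\
H > 5 \;&\Longleftrightarrow\; 2gh > 2g \cdot 5 - v^2 \;\overset{g = 1}{\Longleftrightarrow}\; 2h > 2 \cdot 5 - v^2 .
\end{aligned}
\]
So (14) asks whether the peak of the current flight, reached after $v$ time units when $g = 1$, exceeds 5. For $v < 1$ that peak lies inside the next control cycle, which is precisely the case the end-of-cycle check $h > 5 + \frac12 - v$ cannot see.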
Adding this condition to the controller (12) leads to:
\[
\begin{aligned}
&2h = 2H - v^2 \land 0 \le h \land h \le 5 \land v \le 0 \land g = 1 > 0 \land 1 = c \ge 0 \land 1 = f > 0 \rightarrow \\
&\quad \big[\big(\mathit{if}(h = 0)\; v := -cv\; \mathit{else}\; \mathit{if}\big((h > 5 + \tfrac12 - v \lor 2h > 2 \cdot 5 - v^2) \land v \ge 0\big)\; v := -fv;\\
&\qquad\ t := 0;\; h' = v,\, v' = -g,\, t' = 1 \,\&\, h \ge 0 \land t \le 1\big)^*\big]\,(0 \le h \le 5)
\end{aligned}
\tag{15}
\]
Is dL formula (15) about its time-triggered controller valid?


Before you read on, see if you can find the answer for yourself.


Formula (15) is almost valid. But it is still not valid, for a very subtle reason. It is great to have proof to catch such subtle issues. The controller in (15) takes action for two different conditions on the height $h$. However, the ping pong paddle controller actually only runs in (15) if the ball is not at height $h = 0$, for otherwise ground control takes the action of reversing the direction of the ball. Now, if the ball is flat on the floor ($h = 0$) yet its velocity so incredibly high that it will rush past height 5 in less than 1 time unit, then the ping pong paddle controller will not have had a chance to react before it is too late, because it does not run on the ground according to (15).
Fortunately, these thoughts already indicate how that problem can be fixed: by turning the nested if-then-else cascade into a sequential composition of two if-thens, which ensures that the ping pong paddle controller runs for sure.
\[
\begin{aligned}
&2h = 2H - v^2 \land 0 \le h \land h \le 5 \land v \le 0 \land g = 1 > 0 \land 1 = c \ge 0 \land 1 = f > 0 \rightarrow \\
&\quad \big[\big(\mathit{if}(h = 0)\; v := -cv;\; \mathit{if}\big((h > 5 + \tfrac12 - v \lor 2h > 2 \cdot 5 - v^2) \land v \ge 0\big)\; v := -fv;\\
&\qquad\ t := 0;\; h' = v,\, v' = -g,\, t' = 1 \,\&\, h \ge 0 \land t \le 1\big)^*\big]\,(0 \le h \le 5)
\end{aligned}
\tag{16}
\]
Now, is formula (16) finally valid, please?


Before you read on, see if you can find the answer for yourself.


Yes, formula (16) is valid and can be proved with the invariant
\[
2h = 2H - v^2 \land h \ge 0 \land h \le 5
\tag{17}
\]
Yet, is the controller in (16) useful? That is where the problem lies now. The condition (14) checks whether the ping pong ball could possibly ever fly up to height 5. If this is ever true, it might be true long before the bouncing ball approaches the critical control cycle where ping pong paddle action needs to be taken. In fact, if (14) is ever true, it will also be true in the beginning. After all, the formula (13), from which (14) was derived, is an invariant. That would cause the controller in (16) to take action right away even if the ping pong ball is still close to the ground and far away from height 5. That would make the ping pong ball safe, after all (16) is valid, but also rather conservative, and would not allow the ping pong ball to bounce around as much as it would have loved to. How can the controller in (16) be modified to resolve this problem?
Before you read on, see if you can find the answer for yourself.


Restrict the use of condition (14) to slow velocities, so that it only makes up for the occasions that the first controller condition $h > 5 + \frac12 - v$ misses. Only with slow velocities ($v < 1$) does the ball move so slowly that it is near its turning point to start falling down, and only then could the first condition miss out on the ball being able to evolve above 5 before 1 time unit.
\[
\begin{aligned}
&2h = 2H - v^2 \land 0 \le h \land h \le 5 \land v \le 0 \land g = 1 > 0 \land 1 = c \ge 0 \land 1 = f > 0 \rightarrow \\
&\quad \big[\big(\mathit{if}(h = 0)\; v := -cv;\; \mathit{if}\big((h > 5 + \tfrac12 - v \lor (2h > 2 \cdot 5 - v^2 \land v < 1)) \land v \ge 0\big)\; v := -fv;\\
&\qquad\ t := 0;\; h' = v,\, v' = -g,\, t' = 1 \,\&\, h \ge 0 \land t \le 1\big)^*\big]\,(0 \le h \le 5)
\end{aligned}
\tag{18}
\]
This dL formula is valid and provable with the same invariant (17) that was used to prove (16). It has a much more aggressive controller than (16), though, so it is more fun for the ping pong ball to bounce around with it. Recall that (global) invariants need to be augmented with the usual assumptions about the unchanged variables, like $g = 1 \land 1 = c \land 1 = f$.
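To make the difference between the trigger conditions of (11), (12), (15)/(16) and (18) concrete, here is an added Python example, not code from the lecture notes, that implements them for $g = c = f = 1$ and reaction time 1, runs the time-triggered loop on chosen durations, and reports the first state that violates $0 \le h \le 5$. Since the differential equation may stop at any time up to the period, a run is judged by the highest point it passes through, not only by its end state. The sample states are constructed to reproduce the counterexamples discussed above (the ball that climbs from $h = 3$ to $h = 6$ in one second, the slow ball at $h = 4.9$ that peaks above 5 before a second is over, and the fast ball on the ground that the nested controller of (15) never pats); the random search at the end is a sanity check of (18), not a substitute for the dL proof.

```python
"""Time-triggered ping pong ball: delay-aware paddle conditions.

Added example, not code from the lecture notes.  Constructed choices:
g = c = f = 1, critical height 5, reaction time (period) 1.
"""
import math
import random
from dataclasses import dataclass

G, C, F, TOP, PERIOD = 1.0, 1.0, 1.0, 5.0, 1.0
EPS = 1e-9


@dataclass(frozen=True)
class State:
    h: float
    v: float


def height(s, t):
    """Solution of h' = v, v' = -g at time t."""
    return s.h + s.v * t - G * t * t / 2


def time_to_floor(s):
    """Earliest t >= 0 with h(t) = 0; the domain h >= 0 stops the ODE there."""
    return max(0.0, (s.v + math.sqrt(s.v * s.v + 2 * G * s.h)) / G)


def over_top_after_period(s):
    """h + v - g/2 > 5: where the ball is after one full period, i.e. h > 5 + 1/2 - v."""
    return s.h > TOP + G * PERIOD ** 2 / 2 - s.v * PERIOD


def over_top_at_turning_point(s):
    """2h > 2*5 - v^2, condition (14): the peak h + v^2/(2g) of the flight exceeds 5."""
    return 2 * s.h > 2 * TOP - s.v ** 2


# Paddle triggers: the condition guarding v := -fv in each formula.
def trig_11(s):
    return 4 <= s.h <= TOP                                    # the bare event, (11)


def trig_12(s):
    return over_top_after_period(s) and s.v >= 0              # (12)


def trig_16(s):                                               # (15) and (16)
    return (over_top_after_period(s) or over_top_at_turning_point(s)) and s.v >= 0


def trig_18(s):                                               # (18)
    slow = over_top_at_turning_point(s) and s.v < 1
    return (over_top_after_period(s) or slow) and s.v >= 0


def control(s, trig, nested):
    """nested=True:  if(h=0) v:=-cv else if(trig) v:=-fv   as in (11)-(15)
    nested=False: if(h=0) v:=-cv; if(trig) v:=-fv         as in (16) and (18)"""
    if s.h == 0:
        s = State(s.h, -C * s.v)
        if nested:
            return s
    if trig(s):
        s = State(s.h, -F * s.v)
    return s


def first_violation(s, durations, trig, nested=False):
    """Run control; physics once per requested duration (clipped to the
    period and to the floor).  Stopping at the highest point inside the run
    is itself an allowed run, so the postcondition is checked there."""
    for dt in durations:
        s = control(s, trig, nested)
        dt = min(dt, PERIOD, time_to_floor(s))
        t_star = s.v / G
        t_peak = t_star if 0 <= t_star <= dt else dt
        if height(s, t_peak) > TOP + EPS:
            return State(height(s, t_peak), s.v - G * t_peak)
        h = height(s, dt)
        s = State(0.0 if abs(h) < EPS else h, s.v - G * dt)
    return None


def random_search(trig, nested=False, trials=300, steps=20, seed=1):
    """Sample states with 0 <= h <= 5 and v <= 0 (the precondition of (18))
    and random run durations; return (start, bad_state) or None."""
    rng = random.Random(seed)
    for _ in range(trials):
        s = State(rng.uniform(0, TOP), rng.uniform(-6, 0))
        bad = first_violation(s, [rng.uniform(0, PERIOD) for _ in range(steps)],
                              trig, nested)
        if bad is not None:
            return s, bad
    return None
```

The three constructed states are the counterexamples of the text: `State(3.0, 3.5)` under (11) reaches $h = 6$ after one second without ever being sampled inside $[4, 5]$; `State(4.9, 0.5)` under (12) is at $h = 4.9$ after one second but peaks at $5.025$ half a second in; and `State(0.0, -6.0)` bounces to $v = 6$ and, under the nested cascade of (15), flies past 5 before the paddle ever runs, while the sequential controller of (16) pats it straight back. `State(1.0, 3.0)` shows why (18) is the more aggressive controller: (16) fires already at $h = 1$ because the ball's energy allows a peak of $5.5$, whereas (18) waits until $h = 5 + \frac12 - v$ and is still safe.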
Note 6 (Time-triggered control). One common paradigm for designing controllers is
time-triggered control, in which controllers run periodically or pseudo-periodically with
certain frequencies to inspect the state of the system. Time-triggered systems are closer to
implementation than event-driven control. They can be harder to build, however, because
they invariably require the designer to understand the impact of delay on control decisions.
That impact is important in reality, however, and, thus, effort invested in understanding
the impact of time delays usually pays off in designing a safer system that is robust to
bounded time delays.

Exercises
Exercise 1. The HP in (11) imposes an upper bound on the duration of a continuous evolution. How can you impose an upper bound 1 and a lower bound 0.5?
Exercise 2. Give an initial state for which the controller in (11) would skip over the event without noticing it.
Exercise 3. The formula (18) with the time-triggered controller of reaction time at most 1 time unit is valid. Yet, if a ball is let loose a wee bit above ground with a very fast negative velocity, couldn't it possibly bounce back and exceed the safe height 5 faster than the reaction time of 1 time unit? Does that mean the formula ought to have been falsifiable? No! Identify why and give a physical interpretation.
Exercise 4. The event-driven controller we designed in Sect. 3 monitored the event $4 \le h \le 5$. The time-triggered controller in Sect. 4, however, ultimately only took the upper bound 5 into account. How and under which circumstances can you modify the controller so that it really only reacts for the event $4 \le h \le 5$?


Exercise 5. Devise a controller that reacts if the height changes by 1 when comparing
the height before the continuous evolution to the height after. Can you make it safe?
Can you implement it? Is it an event-driven or a time-triggered controller? How does
it compare to the controllers developed in this lecture?

References
[Pla10] Andre Platzer. Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics. Springer, Heidelberg, 2010. doi:10.1007/978-3-642-14509-4.
[Pla12a] Andre Platzer. The complete proof theory of hybrid systems. In LICS, pages 541-550. IEEE, 2012. doi:10.1109/LICS.2012.64.
[Pla12b] Andre Platzer. Dynamic logics of dynamical systems. CoRR, abs/1205.4788, 2012. arXiv:1205.4788.


15-424: Foundations of Cyber-Physical Systems
Lecture Notes on Proofs & Arithmetic
Andre Platzer
Carnegie Mellon University
Lecture 9

1 Introduction
Lecture 8 on Events & Delays discussed and developed two models for the ping pong ball whose control was a ping pong paddle: first an event-driven controller and then a time-triggered controller. Invariants have been identified in Lecture 8 but not proved. This lecture will study proofs.
This lecture discusses:
- What is a proof?
- How does arithmetic happen in a proof?
- Arithmetic hiding to weaken arithmetic
- Instantiating arithmetic quantifiers to the extreme
- Updates as delayed substitutions/assignments
- Creative cuts for arithmetic
- Substituting equations
- If-then-else proofs
There are many more interesting things to be discussed about the mysteries of arithmetic and how real arithmetic properties themselves can be proved [PQR09, Pla10, Appendix D]. That is a topic for a later lecture, though. This lecture focuses on how arithmetic interfaces with proofs.

15-424 Lecture Notes, September 25, 2013, Andre Platzer


2 Proving Events in Control
\[
\begin{aligned}
&0 \le h \le 5 \land v \le 0 \land 1 \ge c \ge 0 \land g > 0 \land f \ge 0 \rightarrow \\
&\quad \big[\big((h' = v,\, v' = -g \,\&\, h \ge 0 \land h \le 5) \cup (h' = v,\, v' = -g \,\&\, h \ge 5);\\
&\qquad\ \mathit{if}(h = 0)\; v := -cv\; \mathit{else}\; \mathit{if}(4 \le h \le 5 \land v \ge 0)\; v := -fv\big)^*\big]\,(0 \le h \le 5)
\end{aligned}
\tag{1}
\]
Lecture 8 on Events & Delays identified the following invariant for this system:
\[
5 \ge h \ge 0 \land (h = 5 \rightarrow v \le 0)
\]
This invariant is just strong enough to remember the control choice at the event $h = 5$ and that the possible range of $h$ is safe. Recall that (global) invariants need to be augmented with the usual assumptions about the unchanged variables, like $c \ge 0 \land g > 0 \land f \ge 0$. The invariant actually used in the proof, written $\varphi$ here, is therefore
\[
\varphi \;\overset{\text{def}}{\equiv}\; 0 \le h \le 5 \land (h = 5 \rightarrow v \le 0) \land 1 \ge c \ge 0 \land g > 0 \land f \ge 0
\]
Let's use some (slightly awkward) abbreviations to keep proofs on one page. $A_{h,v}$ and $B_{h,v}$ abbreviate the precondition and the postcondition of (1), the two $h' = ..$ abbreviations stand for the two continuous programs, and the two $\mathit{if}$ abbreviations for the two halves of the controller:
\[
\begin{aligned}
A_{h,v} &\overset{\text{def}}{\equiv} 0 \le h \le 5 \land v \le 0 \land 1 \ge c \ge 0 \land g > 0 \land f \ge 0\\
B_{h,v} &\overset{\text{def}}{\equiv} 0 \le h \le 5\\
h' = ..{\le}5 &\overset{\text{def}}{\equiv} (h' = v,\, v' = -g \,\&\, h \ge 0 \land h \le 5)\\
h' = ..{\ge}5 &\overset{\text{def}}{\equiv} (h' = v,\, v' = -g \,\&\, h \ge 5)\\
\mathit{if}(h{=}0).. &\overset{\text{def}}{\equiv} \mathit{if}(h = 0)\; v := -cv\; \mathit{else}\\
\mathit{if}(4, h{\le}5).. &\overset{\text{def}}{\equiv} \mathit{if}(4 \le h \le 5 \land v \ge 0)\; v := -fv
\end{aligned}
\]
With these abbreviations, the event-driven ping pong ball formula (1) turns into:
\[
A_{h,v} \rightarrow \big[\big((h' = ..{\le}5 \cup h' = ..{\ge}5);\; \mathit{if}(h{=}0)..\,\mathit{if}(4, h{\le}5)..\big)^*\big]\,B_{h,v}
\]
Let's set out to prove (1) by converting it into a sequent and applying dL proof rules. Reading the derivation bottom-up, rule $\rightarrow$r moves the precondition into the antecedent and the loop invariant rule ind splits the proof into three premises, the initial case, the inductive step and the use case:

    ⊢ A_{h,v} → [((h'=..≤5 ∪ h'=..≥5); if(h=0)..if(4,h≤5)..)*] B_{h,v}
    →r:   A_{h,v} ⊢ [((h'=..≤5 ∪ h'=..≥5); if(h=0)..if(4,h≤5)..)*] B_{h,v}
    ind:  (i)   A_{h,v} ⊢ φ                                                  closes by ∧l, ∧r, ax
          (ii)  φ ⊢ [(h'=..≤5 ∪ h'=..≥5); if(h=0)..if(4,h≤5)..] φ            continued below
          (iii) φ ⊢ B_{h,v}                                                  closes by ∧l, ∧r, ax

The left premise (i), the initial case, and the right premise (iii), the use case, prove directly by splitting the conjunctions with ∧l, ∧r and then closing by axiom ax. The middle premise (ii), the inductive step for preserving the invariant, requires more work:


...
...

[h =..5][if(h=0) ..if(4, h5) ..]


[h =..5][if(h=0) ..if(4, h5) ..]
[]r

[h =..5 h =..5][if(h=0) ..if(4, h5) ..]


[;]r
[(h =..5 h =..5); if(h=0) ..if(4, h5) ..]
The right premise will be considered later. The left premise needs the solution of the differential equation
h := ..(t) ≝ (h := h (g/2) t2 vt; v := v gt)    (2)

The left premise continues as follows:


, t0, 0tt [h := ..(s)](h 0 h 5) [h := ..(t)][if(h=0) ..if(4, h5) ..]
, t0, 0st [h := ..(s)](h 0 h 5) [h := ..(t)][if(h=0) ..if(4, h5) ..]
r
, t0 0st [h := ..(s)](h 0 h 5) [h := ..(t)][if(h=0) ..if(4, h5) ..]

r
t0 0st [h := ..(s)](h 0 h 5) [h := ..(t)][if(h=0) ..if(4, h5) ..]

r

t0
0st
[h
:=
..(s)](h

5)

[h
:=
..(t)][if(h=0)
..if(4,
h5)
..]
[ ]r
[h =..5][if(h=0) ..if(4, h5) ..]
l

The top-most step instantiates the universal quantifier s in the antecedent by a smart choice. That formula in the antecedent expresses that the evolution domain h 0 h 5 holds at all times s between 0 and the duration t of the continuous evolution. That may very well be true, but our argument actually only depends on the evolution domain still holding at the end time t of the continuous evolution. The fact that the evolution domain was also true before is not so crucial for our argument here, so we simply instantiate the universally quantified variable s in the antecedent by the time endpoint t using rule l.


Note 1 (Extreme instantiation). The proof rule l for universal quantifiers in the antecedent as well as the rule r for existential quantifiers in the succedent allow instantiation
of the quantified variable x with any term .
, (), x (x) a
(l)
, x (x)
The way this rule is used in KeYmaera is with a direct use of weakening rule Wl to hide
the quantified formula:
, () b
(l)
, x (x)
This instantiation is very helpful if only a single instance is important for the argument. Often, an extremal value for x is all it takes for the proof.
This happens often for quantifiers coming from the handling of evolution domains in proof rule [ ]r. The proof step that often helps then is instantiation of the intermediate time s by the end time t:

, t0 0tt, [x := y(t)]
l
, t0, 0tt [x := y(t)]H
l
, t0, 0st [x := y(s)]H
r
, t0
r

...
, t0, [x := y(t)]H [x := y(t)]
[x := y(t)]
[x := y(t)]
(0st [x := y(s)]H) [x := y(t)]

t0 (0st [x := y(s)]H) [x := y(t)]

t0 (0st [x := y(s)]H) [x := y(t)]

Similar instantiations can simplify arithmetic in other cases as well.


a, b: Here the instantiating term is an arbitrary term, often a new (existential) logical variable X.

Continuing the above proof as explained in Note 1 recalls that h := ..(t) abbreviates
the solution (2) and leads to:
, t0, h g2 t2 vt 0, h g2 t2 vt 5
l
, t0, h g2 t2 vt 0 h g2 t2 vt 5
[:=]l
, t0, [h := ..(s)](h 0 h 5)
, t0, 0tt [h := ..(s)](h 0 h 5)

[h := ..(t)][if(h=0) ..if(4, h5) ..]


[h := ..(t)][if(h=0) ..if(4, h5) ..]
[h := ..(t)][if(h=0) ..if(4, h5) ..]
[h := ..(t)][if(h=0) ..if(4, h5) ..]

This formula has gotten a bit lengthy, so abbreviate¹ h g2 t2 vt by h and v gt by v. Hence,
h := ..(t) (h := h; v := v)
But there also is a problem that we have not noticed before. Which proof rule do we apply next? Sequent proof rules insist on being applied only to formulas on the top level of the sequent, i.e. directly as a formula of the antecedent or directly to a formula in the succedent. Except for splitting conjunctions in the antecedent by l, the only other formula to apply a proof rule to is the single formula in the succedent, which has a [] modality with an assignment as the top-level operator. Thus, the only proof rule that applies is [:=]r. Rule [:=]r substitutes the right-hand side of an assignment for the variable x assigned to.
¹ Abbreviating long terms or long formulas by short names can help simplify KeYmaera proofs as well.
x
([:=])
[x := ]
For simple arithmetic and propositional formulas, it is obvious what such a substitution does. It just replaces x by the assigned term everywhere in the scope of the substitution. That is exactly what we have done with h := h when using rule [:=]l in the antecedent in the above proof.
Yet, the above formula
[h := ..(t)][if(h=0) ..if(4, h5) ..]
in the succedent has a postcondition [if(h=0) ..if(4, h5) ..] with a modality. It is not necessarily entirely obvious how to substitute h for h in such a modality which involves a HP. In this particular case, we could actually perform such a substitution without much difficulty.
Even though such substitutions can be defined [Pla10, Chapter 2.5.1] with a little bit of care, we usually stay away from using them.²
² KeYmaera would even need to be persuaded to use these substitutions on HPs at all by setting the advanced option update modalities.


Note 2 (Excursion: Updates). For that reason, KeYmaera simply postpones the substitution resulting from an assignment according to rule [:=]r,[:=]l,h:=ir,h:=il if the postcondition is not a first-order formula but involves modalities with HPs. What this corresponds to is, essentially, to leave the assignment as is and apply proof rules to the postcondition, but only in this particular case of assignments! Because that would be a bit confusing without further notice, KeYmaera changes the notation slightly and turns an assignment into what it calls an update.
(R4)

{x := }
[x := ]

(R5)

x
{x := }

The meaning of the formula {x := } in the premise of R4 is exactly the same as the formula [x := ] in the conclusion of R4. The notation {x := } is only meant as a reminder for the user that KeYmaera decided to put the handling of the assignment by substitution on hold until the postcondition looks more civilized (meaning: first-order). KeYmaera collects all the state changes in such an update (or a list of updates). KeYmaera will then, essentially, just carry the {x := } around with it and apply the sequent proof rules directly to the postcondition until the substitution can be applied (R5), which will make the update disappear again. Thus, KeYmaera splits the assignment rule [:=] into two parts: R4 followed by R5.
More information on updates can be found in [Pla08, Pla10, Chapter 2.2,2.3,2.5].
Recall that we use the abbreviated notation h and v and, hence, h := ..(t) is just h := h; v := v.
After using rule R4 to change the assignment notation into an update notation (remember that this only changes notation because both are equivalent) the above sequent reads
, t0, h 0, h 5 {h := h; v := v}[if(h=0) ..if(4, h5) ..]    (3)
Before proceeding with any proof, we need to figure out what to do with the if-then-else statements. Previous lectures replaced if-then-else statements by other hybrid program statements before doing any proofs, which is always possible. In this lecture, we decide differently and develop a direct proof rule for if-then-else.
(H []) (H [])
(H hi) (H hi)
([if])
(hifi)
hif(H) else i
[if(H) else ]
When following up on a use of the [if] rule in the succedent of a sequent (call the
corresponding sequent rule [if]r) with propositional rules r,r, the sequent splits into
two cases as expected:3

These propositional steps following the [if]r rule are so useful that KeYmaera does them for you right
away. In fact, KeYmaera even jumps from the formula at the bottom directly to the two premises.

, H []
, H []
r
H []
H []
(H []) (H [])
[if(H) else ],

r
r
[if]r

Indeed, the conjecture at the bottom says that we want to show that all behavior of
a system whose behavior branches by an if-then-else is safe (satisfies ). We do
not know which state we are in, except that we get to assume it satisfies (and the
negation of by the sequent semantics). So there are usually many possible states.
Hence, there is generally no way of knowing whether if-condition H evaluates to true
or false. Hence, we need to consider both options. If H evaluates to true, then runs, so
all behavior needs to be shown to be safe in that case (left premise). If H evaluates to
false, then runs instead, so all behavior needs to be shown to be safe (right premise).
Applying the [if]r rule two times to the sequent (3) yields 3 premises corresponding to the 3 possible outcomes of the if-then-else statements (Exercise 1):
, t0, h 0, h 5, h = 0 {h := h; v := v}[v := cv]
, t0, h 0, h 5, h ≠ 0, 4 h 5 v 0 {h := h; v := v}[v := f v]    (4)
, t0, h 0, h 5, h ≠ 0, (4 h 5 v 0) {h := h; v := v}
Let's address the three branches separately. The first branch of (4) turns into the following using either [:=]r or R4 via R5:
, t0, h 0, h 5, h = 0 {h := h; v := c v}
which gives the following by applying the update using R5 (can also be obtained directly by [:=]r):
, t0, h 0, h 5, h = 0 0 h 5 (h = 5 c v 0) 1 c 0 g > 0 f 0
That proves by arithmetic, because h = 0 and implies 0 h 5 and h ≠ 5, and the other parts prove similarly.⁴
The second branch of (4) turns by either [:=] or via R4 and R5 into:
, t0, h 0, h 5, h ≠ 0, 4 h 5 v 0 {h := h; v := f v}
which R5 turns into
, t0, h 0, h 5, h ≠ 0, 4 h 5 v 0 0 h 5 (h = 5 f v 0) 1 c 0 g > 0 f 0
which proves by arithmetic using that f 0 and v 0 as well as the fact that 4 h 5 trivially implies 0 h 5, which is obvious thanks to the abbreviations.


The third branch of (4) turns with [:=]r or R5 into:
, t0, h 0, h 5, h ≠ 0, (4 h 5 v 0) 0 h 5 (h = 5 v 0) 1 c 0 g > 0 f 0
which a combination of propositional rules and/or arithmetic proves (Exercise!)
⁴ Note how abbreviations simplify this proof step compared to what would have happened when expanding h.


All this reasoning was for just the branch of the proof that came from the dynamics
h =..5. There is a second branch with the dynamics h =..5. In that one, the proof
is quite similar, except that it makes crucial use of the conjunct h = 5 v 0 of the
invariant . Without that condition available as an assumption from the invariant ,
the upper physics h =..5 would obviously violate the safety condition 0 h 5 if
the velocity at h = 5 were positive v > 0.
Stepping back, it is crucial to observe this general phenomenon. We have to be able
to assume the turning-point part h = 5 v 0 of invariant for the proof of the
upper dynamics h =..5. But we also need to prove that this turning-point invariant
h = 5 v 0 holds along with the rest of the invariant after all runs of the lower
physics h =..5. That is, this part of the invariant transports knowledge about the
behavior of the controller in the lower physics h =..5 to be used in the proof parts
about the upper physics h =..5.
Note 3 (Invariants transport knowledge). Invariants can be used to gather knowledge
about the individual bits and pieces of a system and make them accessible to the other parts.


3 Proving Systems with Delays in Control


2h = 2H v 2 0 h h 5 v 0 g = 1 > 0 1 = c 0 1 = f > 0

1
if(h = 0) v := cv; if((h > 5 v 2h > 2 5 v 2 v < 1) v 0) v := f v; (5)
2
 
t := 0; h = v, v = g, t = 1 & h 0 t 1 (0 h 5)
Lecture 8 on Events & Delays identified the following invariant for this system:
2h = 2H v 2 h 0 h 5

(6)

although there was no proof yet. Recall that (global) invariants need to be augmented with the usual assumptions about the unchanged variables, like g = 1 1 = c 1 = f. So let's define the formula we conjecture to be an invariant as:
def

2h = 2H v 2 h 0 h 5 g = 1 1 = c 1 = f
With this invariant, (5) is provable in KeYmaera.

4 Cutting Real Arithmetic


The cut rule from Lecture 6 on Truth & Proof is not just a curiosity, but can be very
helpful in practice. It can speed up real arithmetic a lot when using a cut to replace a
difficult arithmetic formula by a simpler one that is sufficient for the proof.
For example, suppose (x) is a very complicated formula of first-order real arithmetic. Then proving the following formula
(x y)2 0 (x) (y)
by just real arithmetic will turn out to be surprisingly difficult and can take ages. Yet, thinking about it, (x y)2 0 implies that y = x, which should make the rest of the proof easy, since (x) should easily imply (y) if y = x. How do we exhibit a proof based on these thoughts?
The critical idea to make such a proof work is to use cut for a creative cut with the
suitable arithmetic. So we choose y = x as the cut formula in cut and proceed as
follows:

ax
(x y)2 0 y = x
(x), y = x (x)
Wr
=r
(x y)2 0 y = x, (y)
(x), y = x (y)
Wl
Wl
2
2
(x y) 0, (x) y = x, (y)
(x y) 0, (x), y = x (y)
cut
(x y)2 0, (x) (y)
l
(x y)2 0 (x) (y)
r
(x y)2 0 (x) (y)
Indeed, the left premise proves easily using real arithmetic. The right premise proves
comparably easily as well. This proof uses proof rule =r that we discuss next.


5 Applying Equations by Substitution


The above cut proof uses the following proof rule for applying an equation to a formula by substituting the left-hand side x of an equation by its right-hand side . This substitution is sound, because x is assumed to be equal to in the antecedent. The same rule applies to formulas that are in the antecedent (=l) as well as in the succedent (=r). Obviously, the assumed equality x = has to be in the antecedent for the rule to be sound.
, x = , x
, x = x ,
(=l)
(=r)
, x = ,
, x = ,
It would be okay to use the equation in the other direction for replacing all occurrences of by x, because the equation = x is equivalent to x = .

Exercises
Exercise 1. Explicitly complete the proof steps that lead from (3) to the 3 branches identified in the lecture notes by writing a proper sequent derivation. Recall how updates
are delayed substitutions and that they hang around until they can be applied.
Exercise 2. The sequent proof shown in these lecture notes is for the case coming from
the lower dynamics h =..5. This alone does not prove (1). Write a sequent proof for
the missing branches coming from the upper dynamics h =..5.
Exercise 3. Develop a sequent proof for the time-triggered ping pong ball (5). Is it easier
or more difficult than the proof for (1)?
Exercise 4. Relate the event-driven system proof for (1) discussed in lecture to the proof
that KeYmaera produces. What do they have in common? Where do they differ?

References
[Pla08] André Platzer. Differential dynamic logic for hybrid systems. J. Autom. Reas., 41(2):143–189, 2008. doi:10.1007/s10817-008-9103-8.
[Pla10] André Platzer. Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics. Springer, Heidelberg, 2010. doi:10.1007/978-3-642-14509-4.
[PQR09] André Platzer, Jan-David Quesel, and Philipp Rümmer. Real world verification. In Renate A. Schmidt, editor, CADE, volume 5663 of LNCS, pages 485–501. Springer, 2009. doi:10.1007/978-3-642-02959-2_35.


15-424: Foundations of Cyber-Physical Systems

Lecture Notes on Differential Equations & Differential Invariants
Andre Platzer
Carnegie Mellon University
Lecture 10

1 Introduction
Lecture 5 on Dynamical Systems & Dynamic Axioms gave us a first simple proof principle for differential equations if we find a representable solution of the differential equation. The axiom [ ] replaces properties of differential equations with suitably quantified
properties of solutions, with a universal quantifier over all durations of the solution.
Yet, that does not work for all differential equations, because only some of them have
explicit closed-form solutions, and, of those, only very few have solutions that are simple enough to be quantified over without leaving the decidable parts of the resulting
arithmetic.
Lecture 2 on Differential Equations & Domains allows many more differential equations to be part of CPS models than just the ones that happen to have simple solutions. In fact, in a certain sense, most of the interesting differential equations do not possess useful closed-form solutions. Today's lecture reinvestigates the way we prove properties of differential equations from a much more fundamental perspective, which will lead to a way of proving properties of CPS with more general differential equations. More details can be found in [Pla10a, Pla10b, Chapter 3.5] and also [Pla12b]. Differential invariants were originally conceived in 2008 [Pla10a, Pla08] and later used for an automatic proof procedure for hybrid systems [PC08].

2 Global Descriptive Power of Local Differential Equations


Differential equations let physics evolve continuously for longer periods of time. They
describe such global behavior locally.

15-424 LECTURE NOTES   September 30, 2013   ANDRÉ PLATZER

Note 1 (Local descriptions of global behavior by differential equations). The key


principle behind the descriptive power of differential equations is that they describe the
evolution of a continuous process over time using only a local description of the direction
into which the system evolves at any point in space. The solution of a differential equation
is a global description of how the system evolves, while the differential equation itself is a
local characterization.
This difference between local description and global behavior can be exploited for proofs.
The semantics of a differential equation was described in Lecture 2 as:
(x = & H) = {((0), (r)) : (t) |= x = and (t) |= H for all 0 t r
for a solution : [0, r] S of any duration r}
The solution describes the global behavior of the system, which is specified locally by
the right-hand side of the differential equation.
Lecture 2 has shown a number of examples illustrating the descriptive power of differential equations. That is, examples in which the solution was very complicated even
though the differential equation was rather simple. This is a strong property of differential equations: they can describe even complicated processes in simple ways. Yet,
that representational advantage of differential equations does not carry over into the
verification when verification is stuck with proving properties of differential equations
only by way of their solutions, which, by the very nature of differential equations, are
more complicated.
This lecture, thus, investigates ways of proving properties of differential equations
using the differential equations themselves, not their solutions. This technique is called
differential invariants [Pla10a, Pla12b].

3 Differential Equations vs. Loops


A programmatic way of developing an intuition for differential invariants leads through
a comparison of differential equations with loops [Pla12a]. This perhaps surprising relation can be made completely rigorous and is at the heart of a deep connection equating discrete and continuous dynamics proof-theoretically [Pla12a]. We will stay at the
surface of this connection but still leverage the relation of differential equations to loops
for our intuition.
To get started with relating differential equations to loops, compare
x =

vs.

(x = )

How does the differential equation x = compare to the same differential equation in a
loop (x = ) instead? Unlike the differential equation x = , the repeated differential
equation (x = ) can run the differential equation x = repeatedly. Albeit, on second


thought, does that get the repetitive differential equation (x = ) to any more states
than where the differential equation x = could evolve to?
Not really, because chaining lots of solutions of differential equations from a repetitive differential equation (x = ) together will give a single solution for the same differential equation x = that we could have followed just once all the way.1
Note 2 (Looping differential equations). (x = ) is equivalent to x = , i.e. both
have the same transition semantics. Differential equations are their own loop.2
In light of Note 2, differential equations look somewhat like loops. Like nondeterministic repetitions, differential equations might stop right away. Like nondeterministic repetitions, differential equations could evolve for longer or shorter durations. Like
in nondeterministic repetitions, the outcome of the evolution of the system so far determines what happens next. And, in fact, in a deeper sense, differential equations
actually really do correspond to loops [Pla12a].
With this rough relation in mind, let's advance the dictionary translating differential equation phenomena into loop phenomena and back. The local description of a differential equation as a relation x = of the state to its derivative corresponds to the local
description of a loop by a repetition operator . The global behavior of a solution of a
differential equation x = corresponds to the full execution of a system that performs
a repetition in a loop . We also say that the local relation x = is the generator of
the global system solution and that the loop body is the generator of the global behavior of repetition of the loop, because both local generators tell us everything about
the system by way of their global interpretation as either differential or repetitive effect. Proving a property of a differential equation in terms of its solution corresponds
to proving a property of a loop by unwinding it (infinitely long) by axiom [n ] from
Lecture 5 on Dynamical Systems & Dynamic Axioms.
Now Lecture 7 on Control Loops & Invariants made the case that unwinding the iterations of a loop can be a rather tedious way of proving properties about the loop,
because there is no good way of ever stopping to unwind, unless a counterexample can
be found after a finite number of unwindings. Lecture 7 introduced induction with invariants instead to prove properties of loops, by, essentially, cutting the loop open and
arguing that the generic state after any run of the loop body has the same characterization as the generic state before. After all these analogous correspondences between
loops and differential equations, the obvious question is what the differential equation
analogue proof concept would be that corresponds to proofs by induction for loops,
which is the premier technique for proving loops.
Induction can be defined for differential equations using what is called differential invariants [Pla10a, Pla12b]. They have a similar principle as the proof rules for induction for loops. Differential invariants prove properties of the solution of the differential
¹ This is related to classical results about the continuation of solutions, e.g., [Pla10b, Proposition B.1].
² Beware not to confuse this with the case for differential equations with evolution domain constraints, which is subtly different.


equation using only its local generator: the right-hand side of the differential equation.
Note 3 (Correspondence map between loops and differential equations).
loop                                    | differential equation x =
can skip over                           | can evolve for duration 0
repeat any number n ∈ N of times        | evolve for any duration 0 ≤ r ∈ R
effect depends on previous iteration    | effect depends on past solution
local generator                         | local generator x =
full execution trace                    | global solution
proof by unwinding iterations [n]       | proof by solution [ ]
proof by induction with invariant ind   | proofs by differential invariants
Recall from Lecture 7:
[
(n )
( ) =

with n+1 n ; and 0 ?true

nN

( )
F

()
(ind)

F []F
()

()

F, F []F F
[ ],

4 Intuition of Differential Invariants


Just as inductive invariants are the premier technique for proving properties of loops,
differential invariants [Pla10a, Pla12b] provide the primary inductive technique we use
for proving properties of differential equations (without having to solve them).
The core principle behind loop induction is that the induction step investigates the local generator and shows that it never changes the truth-value of the invariant F (also see the core induction proof rule ind from Lecture 7). Let us try to establish the
same inductive principle, just for differential equations.
What does the local generator of a differential equation x = tell us about the evolution of a system? And how does it relate to the truth of a formula F all along the
solution of that differential equation? That is, to the truth of the dL formula [x = ]F
expressing that all runs of x = lead to states satisfying F . Fig. 1 depicts an example of
a vector field for a differential equation, a global solution (in red), and an unsafe region
F (shown in blue). The safe region F is the complement of the blue unsafe region F .
One way of proving that [x = ]F is true in a state would be to compute a solution from that state , check every point in time along the solution to see if it is in the
safe region F or the unsafe region F . Unfortunately, these are uncountably infinitely


Figure 1: Vector field and one solution of a differential equation that does not enter the
blue regions
many points in time to check. Furthermore, that only considers a single initial state , so proving validity of a formula would require considering every one of the uncountably infinitely many possible initial states and computing a solution in each of them. That is why this naive approach would not compute.
A similar idea can still be made to work when the symbolic initial-value problem can
be solved with a symbolic initial value x and a quantifier for time can be used, which
is what the solution axiom [ ] does. Yet, even that only works when a solution to the
symbolic initial-value problem can be computed and the arithmetic resulting from the
quantifier for time can be decided. For polynomial solutions, this works, for example. But polynomial solutions come from very simple systems (called nilpotent linear differential equation systems).
Reexamining the illustration in Fig. 1, we suggest an entirely different way of checking whether the system could ever lead to an unsafe state in F when following the
differential equation x = . The intuition is the following. If there were a vector in
Fig. 1 that points from a safe state in F to an unsafe state F (in the blue region), then
following that vector could get the system into an unsafe F . If, instead, all vectors
point from safe states to safe states in F , then, intuitively, following such a chain of
vectors will only lead from safe states to safe states. So if the system also started in a
safe state, it would stay safe.
Let us make this intuition rigorous to obtain a sound proof principle.

5 Deriving Differential Invariants


How can the intuition about directions of evolution of a logical formula F with respect
to a differential equation x = be made rigorous? We develop this step by step.
As an example, consider a conjecture about the rotational dynamics where d and e


represent the direction of a vector rotating clockwise in a circle of radius r (Fig. 2):
d2 + e2 = r2 [d = e, e = d]d2 + e2 = r2

(1)

Figure 2: One scenario for the rotational dynamics and relationship of vector (d, e) to radius r and angle (d = r cos, e = r sin)
The conjectured dL formula (1) is valid, because, indeed, if the vector (d, e) is initially at distance r from the origin (0,0), then it will always be when rotating around the origin,
which is what the dynamics does. That is, the point (d, e) will always remain on the
circle of radius r. But how can we prove that? In this particular case, we could possibly
investigate solutions, which are trigonometric functions (although the ones shown in
Fig. 2 are not the only solution). With those solutions, we could perhaps find an argument why they stay at distance r from the origin. But the resulting arithmetic will be
unnecessarily difficult and, after all, the argument for why the simple dL formula (1)
is valid should be easy. And it is, after we have discovered the right proof principle as
this lecture will do.
First, what is the direction into which a continuous dynamical system evolves? The
direction is exactly described by the differential equation, because the differential equation describes in which direction the state evolves at every point in space. So the direction into which a continuous system obeying x = follows from state is exactly
described by the time-derivative of the state being the term , i.e. [[]] . Recall that term
can mention x and other variables so its value [[]] depends on the state .
Note 4. Proving dL formula [x = ]F does not require us to answer where the system
evolves to but how the evolution of the system relates to formula F and the set of states
in which F evaluates to true.
The logical formula F is built from atomic formulas that are comparisons of (polynomial or rational) terms. Let denote such a (polynomial) term in the variable (vector)


x. The semantics of a polynomial term in a state is the real number [[]] that it evaluates to. In which direction does the value of evolve when following the differential
equation x = for some time? That depends both on the term that is being evaluated
and on the differential equation x = that describes the evolution of x.
Directions of evolutions are described by derivatives, after all the differential equation x = describes that the time-derivative of x is . Let's derive some term of interest and see what that tells us about how evolves over time. How can we derive
? The term could be built from any of the operators discussed in Lecture 2, to which
we now add division for rational terms to make it more interesting. Let denote the set
of all variables. Terms are defined by the grammar (where , are terms, x a variable,
and r a rational number constant):
, ::= x | r | + | | | /
It is, of course, important to take care that division / only makes sense in a context
where the divisor is guaranteed not to be zero in order to avoid undefinedness. Thus,
we only allow division to be used in a context where the divisor is ensured not to be
zero.
If is a sum a + b, its derivative is the derivative of a plus the derivative of b. If is
a product a b, its derivative is the derivative of a times b plus a times the derivative of
b. The derivative of a rational number constant r Q is zero.3 The other operators are
similar, leaving only the case of a single variable x. What is its derivative?
Before you read on, see if you can find the answer for yourself.

Of course, the derivative of real number constants r R is also zero, but only rational number constants
are allowed in the first-order logic of real arithmetic, more precisely, of real-closed fields.


The exact value of the derivative of x certainly depends on the state and on the evolution of the system. So for now, we just define the derivative of a variable x to be the symbol x' and consider what to do with it later.
Definition 1 (Derivation). The operator (·)' that is defined as follows on terms is called syntactic (total) derivation:
(r)' = 0                                  for numbers r ∈ Q      (2a)
(x)' = x'                                 for variable x         (2b)
(a + b)' = (a)' + (b)'                                           (2c)
(a − b)' = (a)' − (b)'                                           (2d)
(a · b)' = (a)' · b + a · (b)'                                   (2e)
(a / b)' = ((a)' · b − a · (b)') / b²                            (2f)

Even though the following names are not crucial for the understanding of this course,
let's briefly align Def. 1 with the algebraic structures from differential algebra [Kol72].
Case (2a) defines number symbols as differential constants, which do not change during
continuous evolution. Their total derivative is zero. Equation (2c) and the Leibniz or
product rule (2e) are defining conditions for derivation operators on rings. The derivative
of a sum is the sum of the derivatives (additivity or a homomorphic property with
respect to addition, i.e. the operator $(\cdot)'$ applied to a sum equals the sum of the operator
applied to each summand) according to equation (2c). Furthermore, the derivative of a
product is the derivative of one factor times the other factor plus the one factor times the
derivative of the other factor as in (2e). Equation (2d) is a derived rule for subtraction
according to $a - b = a + (-1) \cdot b$ and again expresses a homomorphic property, now
with respect to subtraction. In addition, equation (2b) uniquely defines operator $(\cdot)'$
on the differential polynomial algebra spanned by the differential indeterminates $x'$. It
says that we understand the differential symbol $x'$ as the derivative of the symbol $x$ for
all state variables $x \in \Sigma$. Equation (2f) canonically extends $(\cdot)'$ to the differential field
of quotients by the usual quotient rule. As the base field $\mathbb{R}$ has no zero divisors⁴, the
right-hand side of (2f) is defined whenever the original division $a/b$ can be carried out,
which, as we assumed, is guarded by $b \neq 0$.
The derivative of a division $a/b$ uses a division, which is where we need to make sure
not to accidentally divide by zero. Yet, in the definition of $(a/b)'$, the division is by $b^2$,
which has the same roots that $b$ has. So $b = 0 \leftrightarrow b^2 = 0$ is valid for any term $b$. Hence,
in any context in which $a/b$ was defined, its derivative $(a/b)'$ will also be.
Which of the terms should we derive when trying to prove (1)? Since that is not
necessarily clear so far, let's turn the formula (1) around and consider the following
equivalent dL formula instead, which only has a single nontrivial term to worry about:
$$d^2 + e^2 - r^2 = 0 \to [d' = e, e' = -d]\, d^2 + e^2 - r^2 = 0 \tag{3}$$

⁴ In this setting, $\mathbb{R}$ has no zero divisors, because the formula $ab = 0 \leftrightarrow a = 0 \lor b = 0$ is valid, i.e. a
product is zero only if a factor is zero.


Derivation of the relevant term $d^2 + e^2 - r^2$ in the postcondition of (3) gives
$$(d^2 + e^2 - r^2)' = 2dd' + 2ee' - 2rr' \tag{4}$$
Def. 1 makes it possible to derive polynomial and rational terms. Deriving them with
the total derivative operator $(\cdot)'$ does not result in a term over the signature of the
original variables in $\Sigma$, but, instead, a differential term, i.e. a term over the extended
signature $\Sigma \cup \Sigma'$, where $\Sigma' \stackrel{\text{def}}{=} \{x' : x \in \Sigma\}$ is the set of all differential symbols $x'$
for variables $x \in \Sigma$. In particular, the total derivative $(\eta)'$ of a polynomial term $\eta$ is
not a polynomial term, but may mention differential symbols such as $x'$. All syntactic
elements of those differential terms are easy to interpret based on the semantics of terms
defined in Lecture 2, except for the differential symbols. What is the meaning of a
differential symbol $x'$?
Before you read on, see if you can find the answer for yourself.


6 The Meaning of Prime


The meaning $[[x]]_\nu$ of a variable symbol $x$ is defined by the state $\nu$. The meaning of a
differential symbol $x'$ cannot be defined in a state $\nu$, because derivatives do not even
exist in isolated points. Along a (differentiable) continuous evolution $\varphi : [0, r] \to \mathcal{S}$ of a
system, however, we can make sense of what $x'$ means. At any point in time $\zeta \in [0, r]$
along such a continuous evolution $\varphi$, the differential symbol $x'$ can be taken to mean
the time-derivative of the value $[[x]]_{\varphi(\zeta)}$ of $x$ at $\zeta$ [Pla10a]:
Definition 2 (Differentially augmented state in differential state flow). The value
of $x'$ at time $\zeta \in [0, r]$ of a differentiable function $\varphi : [0, r] \to \mathcal{S}$ of some duration
$r \in \mathbb{R}$ is defined as:
$$[[x']]_{\varphi(\zeta)} = \frac{d\,\varphi(t)(x)}{dt}(\zeta)$$
Intuitively, $[[x']]_{\varphi(\zeta)}$ is determined by considering how the value $\varphi(\zeta)(x) = [[x]]_{\varphi(\zeta)}$ of $x$
changes along the function $\varphi$ when we change time $\zeta$ only a little bit. Visually, it
corresponds to the slope of the tangent at time $\zeta$; see Fig. 3.

Figure 3: Differential state flow (plot of the value $\varphi(\zeta)(x)$ of $x$ over time $\zeta$, starting from $x_0$ at time 0; the slope of the tangent at $\zeta$ is $[[x']]_{\varphi(\zeta)}$)


Yet, what is the right-hand side in Def. 2, i.e. the time-derivative of the value of $x$
along $\varphi$ at time $\zeta$? For differentiable $\varphi$, that is always defined, but that does not mean
it would be computable. If, however, the continuous evolution $\varphi$ is generated by a
differential equation $x' = \theta$, i.e. $\varphi$ solves $x' = \theta$, then $[[x']]_{\varphi(\zeta)}$ can be described easily in
terms of that differential equation, because at any time $\zeta \in [0, r]$ the time-derivative of
the value of $x$ is $[[\theta]]_{\varphi(\zeta)}$, by definition of what it means for $\varphi$ to be a solution of $x' = \theta$
(cf. Lecture 2).
Now Def. 1 defines how to derive a term $\eta$ syntactically and Def. 2 defines how to interpret the differential symbols that occur in the total derivative $(\eta)'$. When interpreting
all differential symbols as defined in Def. 2 for an evolution $\varphi$ that follows the differential equation $x' = \theta$, this defines a value for the derivative $(\eta)'$ of any term $\eta$ along
that function $\varphi$. What does this value mean? How does it relate to how the value of $\eta$
changes over time?
Before you read on, see if you can find the answer for yourself.


When interpreting differential symbols by derivatives along a function $\varphi$, the value
of $(\eta)'$ at any time $\zeta$ coincides with the analytic time-derivative of the value of $\eta$ at $\zeta$.
The following central lemma, which is the differential counterpart of the substitution
lemma, establishes the connection between syntactic derivation of terms and semantic differentiation as an analytic operation to obtain analytic derivatives of valuations
along differential state flows. It will allow us to draw analytic conclusions about the
behaviour of a system along differential equations from the truth of purely algebraic
formulas obtained by syntactic derivation. In a nutshell, the following lemma shows
that, along a flow, analytic derivatives of valuations coincide with valuations of syntactic derivations.
Lemma 3 (Derivation lemma). Let $\varphi : [0, r] \to \mathcal{S}$ be a differentiable function of duration $r > 0$. Then for all terms $\eta$ that are defined all along $\varphi$ and all times $\zeta \in [0, r]$:
$$\frac{d\,[[\eta]]_{\varphi(t)}}{dt}(\zeta) = [[(\eta)']]_{\varphi(\zeta)}$$
where differential symbols are interpreted according to Def. 2. In particular, $[[\eta]]_{\varphi(\zeta)}$ is
continuously differentiable (as a function of $\zeta$).
Proof. The proof is an inductive consequence of the correspondence of the semantics of
differential symbols and analytic derivatives along a flow (Def. 2). It uses the assumption that $\varphi$ remains within the domain of definition of $\eta$ and is continuously differentiable in all variables of $\eta$. In particular, all denominators are nonzero during $\varphi$.
If $\eta$ is a variable $x$, the conjecture holds immediately by Def. 2:
$$\frac{d\,[[x]]_{\varphi(t)}}{dt}(\zeta) = \frac{d\,\varphi(t)(x)}{dt}(\zeta) = [[(x)']]_{\varphi(\zeta)}.$$
The derivative exists, because $\varphi$ is assumed to be differentiable.
If $\eta$ is of the form $a + b$, the desired result can be obtained by using the properties of analytic derivatives, syntactic derivations (Def. 1), and valuation of terms
(Lecture 2):
$$\begin{aligned}
\frac{d}{dt}\big([[a + b]]_{\varphi(t)}\big)(\zeta)
&= \frac{d}{dt}\big([[a]]_{\varphi(t)} + [[b]]_{\varphi(t)}\big)(\zeta) && [[\cdot]] \text{ homomorphic for } +\\
&= \frac{d}{dt}\big([[a]]_{\varphi(t)}\big)(\zeta) + \frac{d}{dt}\big([[b]]_{\varphi(t)}\big)(\zeta) && \tfrac{d}{dt} \text{ is a (linear) derivation}\\
&= [[(a)']]_{\varphi(\zeta)} + [[(b)']]_{\varphi(\zeta)} && \text{by induction hypothesis}\\
&= [[(a)' + (b)']]_{\varphi(\zeta)} && [[\cdot]] \text{ homomorphic for } +\\
&= [[(a + b)']]_{\varphi(\zeta)} && (\cdot)' \text{ is a syntactic derivation}
\end{aligned}$$


The case where $\eta$ is of the form $a \cdot b$ or $a - b$ is similar, using the Leibniz product
rule (2e) or subtractivity (2d) of Def. 1, respectively.
The case where $\eta$ is of the form $a/b$ uses (2f) of Def. 1 and further depends on
the assumption that $b \neq 0$ along $\varphi$. This holds as the value of $\eta$ is assumed to be
defined all along state flow $\varphi$.
The values of numbers $r \in \mathbb{Q}$ do not change during a state flow (in fact, they are
not affected by the state at all); hence their derivative is $(r)' = 0$.
Lemma 3 shows that the value of the total derivative of a term coincides with the analytic derivative of the term, provided that differential symbols are interpreted according
to Def. 2. Along a differential equation $x' = \theta$, the differential symbols have a simple
interpretation, the interpretation determined by the differential equation. Putting these
thoughts together leads to replacing differential symbols with the corresponding right-hand sides of their respective differential equations. That is, replacing left-hand sides
of differential equations with their right-hand sides.
Note 8. The direction into which the value of a term $\eta$ evolves as the system follows a
differential equation $x' = \theta$ depends on the term $\eta$ and the differential equation $x' = \theta$ that
locally describes the evolution of $x$.
The substitution property can be lifted to differential equations, i.e., differential equations can be used for equivalent substitutions along differential state flows respecting the corresponding differential constraints. In a nutshell, the following lemma can
be used to substitute right-hand sides of differential equations for the left-hand side
derivatives for flows along which these differential equations hold. For comparison,
the classical substitution property says that equals can be substituted for equals, i.e.,
left-hand sides of equations can be substituted by right-hand sides of equations within
formulas in which the equations hold.
Lemma 4 (Differential substitution property for terms). If $\varphi : [0, r] \to \mathcal{S}$ solves the
differential equation $x' = \theta$, i.e. $\varphi \models x' = \theta$, then $\varphi \models (\eta)' = {(\eta)'}^{\theta}_{x'}$ for all terms $\eta$, i.e.:
$$[[(\eta)']]_{\varphi(\zeta)} = [[{(\eta)'}^{\theta}_{x'}]]_{\varphi(\zeta)} \qquad \text{for all } \zeta \in [0, r]$$
Proof. The proof is a simple inductive consequence of Lemma 3 using that $[[x']]_{\varphi(\zeta)} = [[\theta]]_{\varphi(\zeta)}$
at each time $\zeta$ in the domain of $\varphi$.
The operation mapping term $\eta$ to ${(\eta)'}^{\theta}_{x'}$ is called Lie-derivative of $\eta$ with respect to $x' = \theta$.
Differential substitution of the differential equation $d' = e, e' = -d$ from (3) into (4)
results in
$${(d^2 + e^2 - r^2)'}^{\,e,\,-d}_{\,d',\,e'} = {(2dd' + 2ee' - 2rr')}^{\,e,\,-d}_{\,d',\,e'} = 2de + 2e(-d) - 2rr'$$


Oops, that did not make all differential symbols disappear, because $r'$ is still around,
since $r$ did not have a differential equation in (3). Stepping back, what we mean by a
differential equation like $d' = e, e' = -d$ that does not mention $r$ is that $r$ is not supposed to change. If $r$ is supposed to change during a continuous evolution, there has to
be a differential equation for $r$.
Note 10 (Explicit change). Hybrid programs are explicit change: nothing changes unless an assignment or differential equation specifies how (compare the semantics from Lecture 3). In particular, if a differential equation (system) $x' = \theta$ does not mention $z'$, then
$z$ does not change during $x' = \theta$, so the original system $x' = \theta$ and $x' = \theta, z' = 0$ are
equivalent.
We will often assume $z' = 0$ without further notice for variables $z$ that do not change
during a differential equation.
Since (3) does not have a differential equation for $r$, Note 10 implies that its differential
equation $d' = e, e' = -d$ is equivalent to $d' = e, e' = -d, r' = 0$. Hence, when adding
zero derivatives for all unchanged variables, differential substitution of the differential
equation $d' = e, e' = -d$ along with the explicit-change assumption $r' = 0$ into (4) gives
$${(d^2 + e^2 - r^2)'}^{\,e,\,-d,\,0}_{\,d',\,e',\,r'} = {(2dd' + 2ee' - 2rr')}^{\,e,\,-d,\,0}_{\,d',\,e',\,r'} = 2de + 2e(-d) \tag{5}$$
This is good news, because the last part of (5) is a standard term of first-order logic of
real arithmetic, because it no longer has any differential symbols. So we can make sense
of $2de + 2e(-d)$ and, by Lemma 4, its value along a solution of $d' = e, e' = -d$ is the same
as that of the derivative $(d^2 + e^2 - r^2)'$, which, by Lemma 3, is the same as the value
of the time-derivative of the original term $d^2 + e^2 - r^2$ along such a solution. Simple
arithmetic shows that the term $2de + 2e(-d)$ in (5) is 0. Consequently, by Lemma 3 and
Lemma 4, the time-derivative of the term $d^2 + e^2 - r^2$ in the postcondition of (3) is 0
along any solution of its differential equation:
$$\frac{d\,[[d^2 + e^2 - r^2]]_{\varphi(t)}}{dt}(\zeta)
\overset{\text{Lem3}}{=} [[(d^2 + e^2 - r^2)']]_{\varphi(\zeta)}
\overset{\text{Lem4}}{=} [[{(d^2 + e^2 - r^2)'}^{\,e,\,-d,\,0}_{\,d',\,e',\,r'}]]_{\varphi(\zeta)}
\overset{(5)}{=} [[2de + 2e(-d)]]_{\varphi(\zeta)} = 0$$
for all times $\zeta$. That means that the value of $d^2 + e^2 - r^2$ never changes during the
rotation, and, hence, (3) is valid, because $d^2 + e^2 - r^2$ stays 0 if it was 0 in the beginning,
which is what (3) assumes.

7 Differential Invariant Terms


In order to be able to use the above reasoning as part of a sequent proof, we need to
capture arguments like these in a proof rule, preferably one that is more general than


this particular argument. The argument is not specific to the term $d^2 + e^2 - r^2$ but
works for any other term $\eta$ and for any differential equation $x' = \theta$. This would give us
a soundness proof for the following proof rule.
Lemma 5 (Differential invariant terms). The following special case of the differential
invariants proof rule is sound, i.e. if its premise is valid then so is its conclusion:
$$(\mathrm{DI}_{=0})\quad \frac{\vdash {(\eta)'}^{\theta}_{x'} = 0}{\eta = 0 \vdash [x' = \theta]\,\eta = 0}$$
Proof. Assume the premise ${(\eta)'}^{\theta}_{x'} = 0$ to be valid, i.e. true in all states. In order to prove
that the conclusion $\eta = 0 \vdash [x' = \theta]\,\eta = 0$ is valid, consider any state $\nu$. Assume that
$\nu \models \eta = 0$, as there is otherwise nothing to show (the sequent is trivially true since its antecedent evaluates to false). If $\zeta \in [0, r]$ is any time during any solution $\varphi : [0, r] \to \mathcal{S}$ of
any duration $r \in \mathbb{R}$ of $x' = \theta$ beginning in initial state $\varphi(0) = \nu$, then
$$\frac{d\,[[\eta]]_{\varphi(t)}}{dt}(\zeta) \overset{\text{Lem3}}{=} [[(\eta)']]_{\varphi(\zeta)} \overset{\text{Lem4}}{=} [[{(\eta)'}^{\theta}_{x'}]]_{\varphi(\zeta)} \overset{\text{premise}}{=} 0$$
By antecedent, $\nu \models \eta = 0$, i.e. $[[\eta]]_\nu = 0$, in the initial state $\nu = \varphi(0)$.
If the duration of $\varphi$ is $r = 0$, we have $\varphi(0) \models \eta = 0$ immediately, because $\nu \models \eta = 0$.
For duration $r > 0$, we show that $\eta = 0$ holds all along the flow $\varphi$, i.e., $\varphi(\zeta) \models \eta = 0$ for
all $\zeta \in [0, r]$.
Suppose there was a $\zeta \in [0, r]$ with $\varphi(\zeta) \models \eta \neq 0$, which will lead to a contradiction.
The function $h : [0, r] \to \mathbb{R}$ defined as $h(t) = [[\eta]]_{\varphi(t)}$ satisfies the relation $h(0) = 0 \neq h(\zeta)$,
because $h(0) = [[\eta]]_{\varphi(0)} = [[\eta]]_\nu$ and $\nu \models \eta = 0$ by antecedent of the conclusion. By Lemma 3,
$h$ is continuous on $[0, r]$ and differentiable at every $\xi \in (0, r)$. By the mean value theorem,
there is a $\xi \in (0, \zeta)$ such that $\frac{dh(t)}{dt}(\xi) \cdot (\zeta - 0) = h(\zeta) - h(0) \neq 0$. In particular, we can
conclude that $\frac{dh(t)}{dt}(\xi) \neq 0$. Now Lemma 3 implies that $\frac{dh(t)}{dt}(\xi) = [[(\eta)']]_{\varphi(\xi)} \neq 0$. This,
however, is a contradiction, because the premise implies that the formula ${(\eta)'}^{\theta}_{x'} = 0$ is
true in all states along $\varphi$, including $\varphi(\xi) \models {(\eta)'}^{\theta}_{x'} = 0$, which by Lemma 4 contradicts $[[(\eta)']]_{\varphi(\xi)} \neq 0$.
This proof rule enables us to prove (3) easily in dL's sequent calculus (read bottom-up; the rule applied in each step is named on the left):
$$\begin{array}{ll}
\mathbb{R} & \vdash 2de + 2e(-d) = 0 \\
 & \vdash {(2dd' + 2ee' - 2rr' = 0)}^{\,e,\,-d,\,0}_{\,d',\,e',\,r'} \\
\mathrm{DI}_{=0} & d^2 + e^2 - r^2 = 0 \vdash [d' = e, e' = -d]\, d^2 + e^2 - r^2 = 0 \\
\to\!r & \vdash d^2 + e^2 - r^2 = 0 \to [d' = e, e' = -d]\, d^2 + e^2 - r^2 = 0
\end{array}$$
The topmost premise closes by real arithmetic ($\mathbb{R}$), because $2de + 2e(-d) = 0$ is valid. This is an exciting development, because, thanks to differential
invariants, the property (3) of a differential equation with a nontrivial solution has a
very simple proof that we can easily check.


8 Summary
This lecture showed one simple special form of differential invariants: the form where
the differential invariants are terms whose value always stays 0 along all solutions of a
differential equation. The next lecture will investigate more general forms of differential invariants and more advanced proof principles for differential equations.
The most important insight of today's lecture was that complicated behavior of systems defined in terms of real analytic properties and semantics can be captured by
purely syntactical proof principles using derivations. The derivation lemma proved
that the values of syntactic derivations coincide with the analytic derivatives of the
values. The differential substitution lemma allowed us the intuitive operation of substituting differential equations into terms. Proving properties of differential equations
using these simple proof principles is much more civilized and effective than working with solutions of differential equations. The proofs are also computationally easier,
because the proof arguments are local.

Exercises
Exercise 1. What happens in the proof of Lemma 5 if there is no solution ? Show that
this is not a counterexample to proof rule DI=0 , but that the rule is sound in that case.

References
[Kol72] Ellis Robert Kolchin. Differential Algebra and Algebraic Groups. Academic Press, New York, 1972.
[PC08] André Platzer and Edmund M. Clarke. Computing differential invariants of hybrid systems as fixedpoints. In Aarti Gupta and Sharad Malik, editors, CAV, volume 5123 of LNCS, pages 176-189. Springer, 2008. doi:10.1007/978-3-540-70545-1_17.
[Pla08] André Platzer. Differential Dynamic Logics: Automated Theorem Proving for Hybrid Systems. PhD thesis, Department of Computing Science, University of Oldenburg, Dec 2008. Appeared with Springer.
[Pla10a] André Platzer. Differential-algebraic dynamic logic for differential-algebraic programs. J. Log. Comput., 20(1):309-352, 2010. doi:10.1093/logcom/exn070.
[Pla10b] André Platzer. Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics. Springer, Heidelberg, 2010. doi:10.1007/978-3-642-14509-4.
[Pla12a] André Platzer. The complete proof theory of hybrid systems. In LICS, pages 541-550. IEEE, 2012. doi:10.1109/LICS.2012.64.
[Pla12b] André Platzer. The structure of differential invariants and differential cut elimination. Logical Methods in Computer Science, 8(4):1-38, 2012. doi:10.2168/LMCS-8(4:16)2012.

15-424: Foundations of Cyber-Physical Systems
Lecture Notes on Differential Equations & Proofs
André Platzer, Carnegie Mellon University
Lecture 11

1 Introduction
Lecture 5 on Dynamical Systems & Dynamic Axioms gave us a first simple proof principle for differential equations if we find a representable solution of the differential equation. The axiom $[']$ replaces properties of differential equations with suitably quantified
properties of solutions, with a universal quantifier over all durations of the solution.
Yet, that does not work for all differential equations, because only some of them have
explicit closed-form solutions, let alone solutions that are simple enough to be quantified over without leaving the decidable parts of the resulting arithmetic.
Lecture 2 on Differential Equations & Domains allows many more differential equations to be part of CPS models than just the ones that happen to have simple solutions.
In fact, in a certain sense, most of the interesting differential equations do not possess
useful closed-form solutions. Today's lecture reinvestigates the way we prove properties of differential equations from a much more fundamental perspective, which will
lead to a way of proving properties of CPS with more general differential equations.
More details can be found in [Pla10a, Pla10b, Chapter 3.5] and also [Pla12b]. Differential invariants were originally conceived in 2008 [Pla10a, Pla08] and later used for an
automatic proof procedure for hybrid systems [PC08].

2 Recall
Recall the following results from Lecture 10 on Differential Equations & Differential
Invariants:

15-424 Lecture Notes, October 2, 2013, André Platzer

Definition 1 (Derivation). The operator $(\cdot)'$ that is defined as follows on terms is
called syntactic (total) derivation:
$$\begin{aligned}
(r)' &= 0 && \text{for numbers } r \in \mathbb{Q} & (1a)\\
(x)' &= x' && \text{for variable } x \in \Sigma & (1b)\\
(a + b)' &= (a)' + (b)' &&& (1c)\\
(a - b)' &= (a)' - (b)' &&& (1d)\\
(a \cdot b)' &= (a)' \cdot b + a \cdot (b)' &&& (1e)\\
(a / b)' &= \big((a)' \cdot b - a \cdot (b)'\big) / b^2 &&& (1f)
\end{aligned}$$
Definition 2 (Differentially augmented state in differential state flow). The value
of $x'$ at time $\zeta \in [0, r]$ of a differentiable function $\varphi : [0, r] \to \mathcal{S}$ of some duration
$r \in \mathbb{R}$ is defined as:
$$[[x']]_{\varphi(\zeta)} = \frac{d\,\varphi(t)(x)}{dt}(\zeta)$$
Lemma 3 (Derivation lemma). Let $\varphi : [0, r] \to \mathcal{S}$ be a differentiable function of duration $r > 0$. Then for all terms $\eta$ that are defined all along $\varphi$ and all times $\zeta \in [0, r]$:
$$\frac{d\,[[\eta]]_{\varphi(t)}}{dt}(\zeta) = [[(\eta)']]_{\varphi(\zeta)}$$
where differential symbols are interpreted according to Def. 2. In particular, $[[\eta]]_{\varphi(\zeta)}$ is
continuously differentiable.
Lemma 4 (Differential substitution property for terms). If $\varphi : [0, r] \to \mathcal{S}$ solves the
differential equation $x' = \theta$, i.e. $\varphi \models x' = \theta$, then $\varphi \models (\eta)' = {(\eta)'}^{\theta}_{x'}$ for all terms $\eta$, i.e.:
$$[[(\eta)']]_{\varphi(\zeta)} = [[{(\eta)'}^{\theta}_{x'}]]_{\varphi(\zeta)} \qquad \text{for all } \zeta \in [0, r]$$

3 Differential Invariant Terms


Lecture 10 on Differential Equations & Differential Invariants proved soundness for
a proof rule for differential invariant terms, which can be used to prove normalized
invariant equations of the form $\eta = 0$.


Lemma 5 (Differential invariant terms). The following special case of the differential
invariants proof rule is sound, i.e. if its premise is valid then so is its conclusion:
$$(\mathrm{DI}_{=0})\quad \frac{\vdash {(\eta)'}^{\theta}_{x'} = 0}{\eta = 0 \vdash [x' = \theta]\,\eta = 0}$$

4 Proof by Generalization
So far, the argument captured in the differential invariant term proof rule $\mathrm{DI}_{=0}$ works
for
$$d^2 + e^2 - r^2 = 0 \to [d' = e, e' = -d]\, d^2 + e^2 - r^2 = 0 \tag{2}$$
with an equation $d^2 + e^2 - r^2 = 0$ normalized to having 0 on the right-hand side, but
not for the original formula
$$d^2 + e^2 = r^2 \to [d' = e, e' = -d]\, d^2 + e^2 = r^2 \tag{3}$$
because its postcondition is not of the form $\eta = 0$. Yet, the postcondition $d^2 + e^2 - r^2 = 0$
of (2) is trivially equivalent to the postcondition $d^2 + e^2 = r^2$ of (3), just by
rewriting the polynomials on one side, which is a minor change. That is an indication
that differential invariants can perhaps do more than what proof rule $\mathrm{DI}_{=0}$ already
knows about.
But before we pursue our discovery of what else differential invariants can do for us
any further, let us first understand a very important proof principle.
Note 6 (Proof by generalization). If you do not find a proof of a formula, it can sometimes
be easier to prove a more general property from which the one you were looking for follows.
This principle, which may at first appear paradoxical, turns out to be very helpful. In
fact, we have made ample use of Note 6 when proving properties of loops by induction.
The loop invariant that needs to be proved is usually more general than the particular
postcondition one is interested in. The desirable postcondition follows from having
proved a more general inductive invariant.
In its purest form, the principle of generalization is captured in the generalization rule
from Lecture 7 on Control Loops & Invariants. One of the forms of the generalization
rule is:
$$([]\mathrm{gen})\quad \frac{\Gamma \vdash [\alpha]\phi, \Delta \qquad \phi \vdash \psi}{\Gamma \vdash [\alpha]\psi, \Delta}$$
Instead of proving the desirable postcondition $\psi$ of $\alpha$ (conclusion), proof rule $[]\mathrm{gen}$
makes it possible to prove the postcondition $\phi$ instead (left premise) and prove that $\phi$
is more general than the desired $\psi$ (right premise). Generalization $[]\mathrm{gen}$ can help
us prove the original dL formula (3) by first turning the postcondition into the form


of the (provable) (2) and adapting the precondition using a corresponding cut with
$d^2 + e^2 - r^2 = 0$ (read bottom-up; the side premises of cut and $[]\mathrm{gen}$ on the right close by real arithmetic):
$$\begin{array}{ll}
\mathbb{R} & \vdash 2de + 2e(-d) = 0 \\
 & \vdash {(2dd' + 2ee' - 2rr' = 0)}^{\,e,\,-d,\,0}_{\,d',\,e',\,r'} \\
\mathrm{DI}_{=0} & d^2 + e^2 - r^2 = 0 \vdash [d' = e, e' = -d]\, d^2 + e^2 - r^2 = 0 \qquad \mathbb{R}:\; d^2 + e^2 = r^2 \vdash d^2 + e^2 - r^2 = 0 \\
\mathrm{cut},\mathrm{Wl},\mathrm{Wr} & d^2 + e^2 = r^2 \vdash [d' = e, e' = -d]\, d^2 + e^2 - r^2 = 0 \qquad \mathbb{R}:\; d^2 + e^2 - r^2 = 0 \vdash d^2 + e^2 = r^2 \\
[]\mathrm{gen} & d^2 + e^2 = r^2 \vdash [d' = e, e' = -d]\, d^2 + e^2 = r^2 \\
\to\!r & \vdash d^2 + e^2 = r^2 \to [d' = e, e' = -d]\, d^2 + e^2 = r^2
\end{array}$$
This is a possible way of proving the original (3), but also unnecessarily complicated.
Differential invariants can prove (3) directly once we generalize proof rule $\mathrm{DI}_{=0}$ appropriately. For other purposes, however, it is still important to have the principle of
generalization Note 6 in our repertoire of proof techniques.

5 Equational Differential Invariants

There are more general logical formulas that we would like to prove to be invariants
of differential equations, not just the polynomial equations normalized such that they
are single terms equaling 0. Thinking back of the soundness proof for $\mathrm{DI}_{=0}$ in Lecture
10, the argument used involved the value of the left-hand side term $h(t) = [[\eta]]_{\varphi(t)}$ as
a function of time $t$. The same argument can be made by considering the difference
$h(t) = [[\eta - \vartheta]]_{\varphi(t)}$ instead to prove postconditions of the form $\eta = \vartheta$. How does the inductive step for formula $\eta = \vartheta$ need to be defined to make a corresponding differential
invariant proof rule sound? That is, for what premise is the following a sound proof
rule?
$$\frac{???}{\eta = \vartheta \vdash [x' = \theta]\,\eta = \vartheta}$$
Before you read on, see if you can find the answer for yourself.


Defining the total derivative of an equation $\eta = \vartheta$ as
$$(\eta = \vartheta)' \;\equiv\; \big((\eta)' = (\vartheta)'\big)$$
results in a sound proof rule by a simple variation of the soundness proof for $\mathrm{DI}_{=0}$ as
sketched above. The resulting proof rule
$$(\mathrm{DI}_{=})\quad \frac{\vdash {(\eta = \vartheta)'}^{\theta}_{x'}}{\eta = \vartheta \vdash [x' = \theta]\,\eta = \vartheta}$$
for equational differential invariants captures the basic intuition that $\eta$ always stays
equal to $\vartheta$ if it has been initially (antecedent of conclusion) and the derivative of $\eta$ is
the same as the derivative of $\vartheta$ with respect to the differential equation $x' = \theta$. This
intuition is made precise by Lemma 3 and Lemma 4. Instead of going through a proper
soundness proof for $\mathrm{DI}_{=}$, however, let's directly generalize the proof principles further
and see if differential invariants can prove even more formulas for us. We will later
prove soundness for the general differential invariant rule, from which $\mathrm{DI}_{=}$ derives as
a special case.
Example 6 (Rotational dynamics). The rotational dynamics $d' = e, e' = -d$ is complicated in that the solution involves trigonometric functions, which are generally outside
decidable classes of arithmetic. Yet, we can easily prove interesting properties about
it using DI and decidable polynomial arithmetic. For instance, $\mathrm{DI}_{=}$ can directly prove
formula (3), i.e. that $d^2 + e^2 = r^2$ is a differential invariant of the dynamics, using the
following proof:
$$\begin{array}{ll}
\mathbb{R} & \vdash 2de + 2e(-d) = 0 \\
 & \vdash {(2dd' + 2ee' = 0)}^{\,e,\,-d}_{\,d',\,e'} \\
\mathrm{DI}_{=} & d^2 + e^2 = r^2 \vdash [d' = e, e' = -d]\, d^2 + e^2 = r^2 \\
\to\!r & \vdash d^2 + e^2 = r^2 \to [d' = e, e' = -d]\, d^2 + e^2 = r^2
\end{array}$$
This proof is certainly much easier and more direct than the previous proof based on
$[]\mathrm{gen}$.

6 Differential Invariant Inequalities


The differential invariant proof rules considered so far give a good (initial) understanding of how to prove equational invariants. What about inequalities? How can they be
proved?
Before you read on, see if you can find the answer for yourself.


The primary question is again how to define the total derivative
$$(\eta \geq \vartheta)' \;\equiv\; \big((\eta)' \geq (\vartheta)'\big)$$
Example 7 (Cubic dynamics). Similarly, differential induction can easily prove that $\frac{1}{3} \geq 5x^2$
is an invariant of the cubic dynamics $x' = -x^3$; see the proof in Fig. 1a for the dynamics
in Fig. 1b. To apply the differential induction rule DI, we again form the total derivative of the differential invariant $F \equiv \frac{1}{3} \geq 5x^2$, which gives the differential expression
$F' \equiv (\frac{1}{3} \geq 5x^2)' \equiv 0 \geq 5 \cdot 2x\,x'$. Now, the differential induction rule DI takes into account that the derivative of state variable $x$ along the dynamics is known. Substituting
the differential equation $x' = -x^3$ into the inequality yields ${F'}^{\,-x^3}_{\,x'} \equiv 0 \geq 5 \cdot 2x(-x^3)$, which is
a valid formula and closes by quantifier elimination with $\mathbb{R}$.
$$\begin{array}{ll}
\mathbb{R} & \vdash 0 \geq 5 \cdot 2x(-x^3) \\
 & \vdash {(0 \geq 5 \cdot 2x\,x')}^{\,-x^3}_{\,x'} \\
\mathrm{DI} & \tfrac{1}{3} \geq 5x^2 \vdash [x' = -x^3]\, \tfrac{1}{3} \geq 5x^2
\end{array}$$
Figure 1: a: Cubic dynamics proof; b: Cubic dynamics (plot of $x$ over time $t$ for $x' = -x^3$ starting from $x_0$)
Differential invariants that are inequalities are not just a minor variation of equational differential invariants, because they can prove more. That is, it can be shown
[Pla12b] that there are valid formulas that can be proved using differential invariant
inequalities but cannot be proved just using equations as differential invariants ($\mathrm{DI}_{=}$).
So sometimes, you need to be prepared to look for inequalities that you can use as differential invariants. The converse is not true. Everything that is provable using $\mathrm{DI}_{=}$ is
also provable using differential invariant inequalities [Pla12b], but you should still look
for equational differential invariants if they give easier proofs.
Strict inequalities can also be used as differential invariants when defining their total
derivatives as:
$$(\eta < \vartheta)' \;\equiv\; \big((\eta)' < (\vartheta)'\big)$$
It is easy to see (Exercise 1) that the following slightly relaxed definition would also be
sound:
$$(\eta < \vartheta)' \;\equiv\; \big((\eta)' \leq (\vartheta)'\big)$$
Understanding that differential substitution is sound for formulas, i.e. replacing the
left-hand side of the differential equation by its right-hand side, requires a few more
thoughts now, because the equational differential substitution principle Lemma 4 does
not apply directly. The differential substitution principle not only works for terms,
however, but also for differential first-order formulas, i.e. first-order formulas in which
differential symbols occur:


Lemma 8 (Differential substitution property for differential formulas). If $\varphi : [0, r] \to \mathcal{S}$ solves the differential equation $x' = \theta$, i.e. $\varphi \models x' = \theta$, then $\varphi \models D \leftrightarrow D^{\theta}_{x'}$ for all differential first-order formulas $D$, i.e. first-order formulas over $\Sigma \cup \Sigma'$.
Proof. The proof is by using the Substitution Lemma [Pla10b, Lemma 2.2] for first-order
logic on the basis of $[[x']]_{\varphi(\zeta)} = [[\theta]]_{\varphi(\zeta)}$ at each time $\zeta$ in the domain of $\varphi$ by Def. 2.
By Lemma 8, differential equations can always be substituted in along their solutions.
Hence, the focus on developing differential invariant proof rules is in defining appropriate total derivatives, since Lemma 8 shows how to handle differential symbols by
substitution.
Where do differential first-order formulas come from? They come from the analogue
of the total derivation operator on formulas. On formulas, the total derivation operator
applies the total derivation operator from Def. 1 to all terms in a first-order formula,
yet it also flips disjunctions into conjunctions and existential quantifiers into universal
quantifiers.

7 Disequational Differential Invariants


The case that is missing in differential invariant proof rules is for postconditions that
are disequalities $\eta \neq \vartheta$. How can they be proved?
Before you read on, see if you can find the answer for yourself.

15-424 L ECTURE N OTES

A NDR E P LATZER

L11.8

Differential Equations & Proofs

By analogy to the previous cases, one might expect the following definition:
$$(\eta \neq \vartheta)' \;\overset{?}{\equiv}\; \big((\eta)' \neq (\vartheta)'\big) \qquad ???$$
It is crucial for soundness of differential invariants that $(\eta \neq \vartheta)'$ is not defined that
way! In the following counterexample, variable $x$ can reach $x = 5$ without its derivative
ever being 0; again, see Fig. 2b for the dynamics. Of course, just because $\eta$ and $\vartheta$ start out
different does not mean they would always stay different if they evolve with different
derivatives.
$$\begin{array}{ll}
\text{(unsound)} & \vdash 1 \neq 0 \\
 & x \neq 5 \vdash [x' = 1]\, x \neq 5
\end{array}$$
Figure 2: a: Unsound attempt of using disequalities; b: Linear dynamics (plot of $x(t) = x_0 + t$ over time $t$ for $x' = 1$)
Instead, if $\eta$ and $\vartheta$ start out differently and evolve with the same derivatives, they
will always stay different. So the sound definition is slightly unexpected:
$$(\eta \neq \vartheta)' \;\equiv\; \big((\eta)' = (\vartheta)'\big)$$
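The following Python block is an added example and not code from the lecture notes or from any prover the notes discuss. It mechanizes what Lectures 10 and 11 have built up so far: the syntactic derivation of Def. 1, the differential substitution of Lemma 4, and the premise checks of rules $\mathrm{DI}_{=0}$ (Lemma 5), $\mathrm{DI}_{=}$, the inequality rule of Example 7 and the sound disequality definition above, run on the rotation and cubic examples. It makes three assumptions that the notes do not: it is restricted to division-free (polynomial) terms, it represents the differential symbol $x'$ as a variable named `x'` and treats variables without an equation as having derivative 0 (Note 10), and it replaces real-arithmetic quantifier elimination by a sound but incomplete monomial test, which suffices for $0 \geq -10x^4$ but not for inequalities in general.

```python
from fractions import Fraction
from itertools import product


class T(tuple):
    """Polynomial term: ('var', name), ('num', Fraction) or (op, left, right), op in + - *.
    Operator overloads let terms be written as d**2 + e**2 - r**2 (division is left out)."""
    def __add__(s, o): return T(('+', s, _w(o)))
    def __sub__(s, o): return T(('-', s, _w(o)))
    def __mul__(s, o): return T(('*', s, _w(o)))
    def __rmul__(s, o): return T(('*', _w(o), s))
    def __neg__(s): return T(('-', N(0), s))
    def __pow__(s, n): return s if n == 1 else s * s ** (n - 1)


def V(name): return T(('var', name))          # state variable x
def N(r): return T(('num', Fraction(r)))      # rational constant r
def _w(o): return o if isinstance(o, T) else N(o)


def derive(t):
    """Syntactic total derivation (.)' from Def. 1; the differential symbol x' is the variable "x'"."""
    op = t[0]
    if op == 'num':
        return ('num', Fraction(0))                              # (r)' = 0
    if op == 'var':
        return ('var', t[1] + "'")                               # (x)' = x'
    a, b = t[1], t[2]
    if op in ('+', '-'):
        return (op, derive(a), derive(b))                        # (a +- b)' = (a)' +- (b)'
    return ('+', ('*', derive(a), b), ('*', a, derive(b)))       # (a*b)' = (a)'*b + a*(b)'


def subst_ode(t, ode):
    """Differential substitution (Lemma 4): x' := right-hand side of x' = theta from `ode`
    (a dict variable -> term); variables with no equation get x' := 0 (Note 10, assumed here)."""
    if t[0] == 'var':
        return ode.get(t[1][:-1], N(0)) if t[1].endswith("'") else t
    if t[0] == 'num':
        return t
    return (t[0], subst_ode(t[1], ode), subst_ode(t[2], ode))


def poly(t):
    """Normal form of a term as {monomial: coefficient}; a monomial is a sorted tuple of
    (variable, exponent) pairs, () standing for the constant 1. The zero polynomial is {}."""
    if t[0] == 'num':
        return {(): t[1]} if t[1] != 0 else {}
    if t[0] == 'var':
        return {((t[1], 1),): Fraction(1)}
    p, q, out = poly(t[1]), poly(t[2]), {}
    if t[0] in ('+', '-'):
        sign = Fraction(1 if t[0] == '+' else -1)
        for m, c in list(p.items()) + [(m, sign * c) for m, c in q.items()]:
            out[m] = out.get(m, 0) + c
    else:
        for (m1, c1), (m2, c2) in product(p.items(), q.items()):
            exps = dict(m1)
            for v, e in m2:
                exps[v] = exps.get(v, 0) + e
            m = tuple(sorted(exps.items()))
            out[m] = out.get(m, 0) + c1 * c2
    return {m: c for m, c in out.items() if c != 0}


def lie(t, ode):
    """(t)'^theta_{x'}: derive, substitute the differential equation, normalize."""
    return poly(subst_ode(derive(t), ode))


def di_eq(eta, theta, ode):
    """Premise of DI= (and of the sound DI!=): (eta)' = (theta)' after substitution, i.e. the
    Lie derivative of eta - theta is the zero polynomial. DI=0 is the case theta = 0."""
    return lie(('-', eta, theta), ode) == {}


def di_geq(eta, theta, ode):
    """Premise of DI>=: (eta)' >= (theta)' after substitution. Instead of real QE this uses a
    sound but incomplete test: every monomial has even exponents and a nonnegative coefficient."""
    return all(c >= 0 and all(e % 2 == 0 for _, e in m) for m, c in lie(('-', eta, theta), ode).items())


def examples():
    """The lecture's running examples; returns each check's result keyed by name."""
    d, e, r, x = V('d'), V('e'), V('r'), V('x')
    rot = {'d': e, 'e': -d}                                     # d' = e, e' = -d (r' = 0 implicitly)
    circle = d**2 + e**2 - r**2
    return {
        'deriv (4)': poly(derive(circle)),                      # 2dd' + 2ee' - 2rr'
        'lie (5)': lie(circle, rot),                            # 2de + 2e(-d) normalizes to 0
        'DI=0 rotation': di_eq(circle, N(0), rot),
        'DI= rotation': di_eq(d**2 + e**2, r**2, rot),
        'DI= growing r': di_eq(d**2 + e**2, r**2, {**rot, 'r': N(5)}),   # r' = 5: -10r != 0
        'DI>= cubic': di_geq(N(Fraction(1, 3)), 5 * x**2, {'x': -x**3}),  # 0 >= -10x^4
        'DI!= x!=5': di_eq(x, N(5), {'x': N(1)}),              # needs 1 = 0: not provable
    }
```

The `examples()` entries follow the notes step by step: `deriv (4)` is equation (4) with the primes still present, `lie (5)` is equation (5) after substitution, and the last entry shows that the sound disequality definition refuses the $x \neq 5$ counterexample because its premise $1 = 0$ is not valid. The monomial test in `di_geq` is the one place where a real prover would call quantifier elimination; it never claims validity for a polynomial that is not nonnegative, so a `True` is trustworthy, but a `False` only means "not proved".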

8 Conjunctive Differential Invariants


The next case to consider is where the invariant that we want to prove is a conjunction
$F \land G$. Lemma 8 takes care of how to handle differential substitution for the differential
equations, if only we define the correct total derivative $(F \land G)'$.
Before you read on, see if you can find the answer for yourself.


To show that a conjunction $F \land G$ is invariant it is perfectly sufficient to prove that
both are invariant. This can be justified separately, but is more obvious when recalling
the following equivalence from Lecture 7:
$$([]\land)\quad [\alpha](\phi \land \psi) \leftrightarrow [\alpha]\phi \land [\alpha]\psi$$
which is valid for all hybrid programs $\alpha$, also when $\alpha$ is just a differential equation.
Consequently, the total derivative of a conjunction is the conjunction of the total derivatives (i.e. $(\cdot)'$ is a homomorphism for $\land$):
$$(F \land G)' \;\equiv\; (F)' \land (G)'$$
Again, we will not develop a proper soundness argument, because it will follow from
the general differential invariant proof rule.
With a corresponding proof rule, this enables us to do the following proof:
$$\begin{array}{ll}
\mathbb{R} & \vdash 2de + 2e(-d) \geq 0 \land 2de + 2e(-d) \leq 0 \\
 & \vdash {(2dd' + 2ee' \geq 0 \land 2dd' + 2ee' \leq 0)}^{\,e,\,-d}_{\,d',\,e'} \\
\mathrm{DI} & d^2 + e^2 \geq r^2 \land d^2 + e^2 \leq r^2 \vdash [d' = e, e' = -d]\,(d^2 + e^2 \geq r^2 \land d^2 + e^2 \leq r^2)
\end{array}$$
Since the invariant $d^2 + e^2 \geq r^2 \land d^2 + e^2 \leq r^2$ is easily proved to be equivalent to $d^2 + e^2 = r^2$,
the above proof gives yet another proof of (3) when combined with a corresponding use
of $[]\mathrm{gen}$.

9 Disjunctive Differential Invariants


The next case to consider is where the invariant that we want to prove is a disjunction
F G. Lemma 8 takes care of how to handle differential substitution for the differential
equations, if only we define the correct total derivative of (F G) . How?
Before you read on, see if you can find the answer for yourself.


The total derivative of a conjunction is the conjunction of the total derivatives. So,
by analogy, it might stand to reason to define the total derivative of a disjunction as the
disjunction of the total derivatives.
?

(F G) (F ) (G)

???

Let's try it:


unsound
R

2de + 2e(d) = 0 5d + re 0
(2dd + 2ee = 0 r d + rd 0)ed d
e
d2 + e2 = r2 rd 0 [d = e, e = d, r = 5](d2 + e2 = r2 rd 0)

That would be spectacularly wrong, however, because the formula at the bottom is not
actually valid. We have no business proving formulas that are not valid, and if we
ever could, we would have found a serious unsoundness in the proof rules.
For soundness of differential induction, it is crucial that Def. 1 defines the total derivative (F G) of a disjunction conjunctively as (F ) (G) instead of as (F ) (G) . From
an initial state which satisfies |= F , and hence |= F G, the formula F G only
is sustained differentially if F itself is a differential invariant, not if G is. For instance,
d2 + e2 = r2 rd 0 is no invariant of the above differential equation, because rd 0
will be invalidated if we just follow the circle dynamics long enough. So if the disjunction was true because rd 0 was true in the beginning, it does not stay invariant.
In practice, splitting differential induction proofs over disjunctions can be useful if a
direct proof with a single differential invariant does not succeed:

ax
ax

A x

A A, B
B A, B
x
DI
r
r
DI
= ]A
= ]B
A

[x
A

B
B

[x
B
AB
[]gen
[]gen

A [x = ](A B)
B [x = ](A B)
l

A B [x = ](A B)
r
A B [x = ](A B)

10 Differential Invariants
Differential invariants are a general proof principle for proving invariants of formulas.
Summarizing what this lecture has discovered so far leads to a single proof rule for
differential invariants. That is why all previous proofs just indicated DI when using the
various special cases of the differential invariant proof rule to be developed next.
All previous arguments remain valid when the differential equation has an evolution
domain constraint H that it cannot leave by definition. In that case, the inductive proof
step can even assume the evolution domain constraint to hold, because the system, by
definition, is not allowed to leave it.


Definition 9 (Derivation). The operator () that is defined as follows on first-order
real-arithmetic formulas is called syntactic (total) derivation:
(F G) (F ) (G)                                              (4a)
(F G) (F ) (G)                                              (4b)
(x F ) x (F )                                               (4c)
(x F ) x (F )                                               (4d)
(a b) (a) (b)   accordingly for <, >, , =, but not ≠       (4e)

Furthermore, F x is defined to be the result of substituting for x in F . The


operation mapping F to (F ) x is called Lie-derivative of F with respect to x = .
That is, to replace the left-hand side of a differential equation by the right-hand side.
Lemma 10 (Differential invariants). The differential invariant rule is sound:
F, H F x F
H F x
(DI)
(DI)
F [x = & H]F
[x = & H],
The version DI can be derived easily from the more fundamental, essential form DI.
The basic idea behind rule DI is that the premise of DI shows that the total derivative F holds within evolution domain H when substituting the differential equations
x = into F . If F holds initially (antecedent of conclusion), then F itself always stays
true (succedent of conclusion). Intuitively, the premise gives a condition showing that,
within H, the total derivative F along the differential constraints is pointing inwards
or transversally to F but never outwards to F ; see Fig. 3 for an illustration. Hence,
if we start in F and, as indicated by F , the local dynamics never points outside F ,
then the system always stays in F when following the dynamics. Observe that, unlike
F , the premise of DI is a well-formed formula, because all differential expressions are
replaced by non-differential terms when forming F x .

Figure 3: Differential invariant F for safety
Proof. Assume the premise F x = 0 to be valid, i.e. true in all states. In order to prove
that the conclusion F [x = ]F is valid, consider any state . Assume that |= F , as


there is otherwise nothing to show (sequent is trivially true since antecedent evaluates
to false). If [0, r] is any time during any solution : [0, r] S of any duration r R
of x = beginning in initial state (0) = , then it remains to be shown that (r) |= F .
By antecedent, |= F , in the initial state = (0).
If the duration of is r = 0, we have (0) |= F immediately, because |= F . For
duration r > 0, we show that F holds all along , i.e., () |= F for all [0, r].
We have to show that |= F [x = & H]F for all states . Let satisfy |= F as,
otherwise, there is nothing to show. We can assume F to be in disjunctive normal form
and consider any disjunct G of F that is true at . In order to show that F remains
true during the continuous evolution, it is sufficient to show that each conjunct of G
is. We can assume these conjuncts to be of the form 0 (or > 0 where the proof
is accordingly). Finally, using vectorial notation, we write x = for the differential
equation system. Now let : [0, r] (V R) be any solution of x = & H beginning
in (0) = . If the duration of is r = 0, we have (0) |= 0 immediately, because
|= 0. For duration r > 0, we show that 0 holds all along the solution ,
i.e., () |= 0 for all [0, r].
Suppose there was a [0, r] with () |= < 0, which will lead to a contradiction.
The function h : [0, r] R defined as h(t) = [[]]() satisfies the relation h(0) 0 > h(),
because h(0) = [[]](0) = [[]] and |= 0 by antecedent of the conclusion. By Lemma 3,
h is continuous on [0, r] and differentiable at every (0, r). By the mean value theorem,
there is a (0, ) such that dh(t)/dt () ( 0) = h() h(0) < 0. In particular, since
0, we can conclude that dh(t)/dt () < 0. Now Lemma 3 implies that dh(t)/dt () = [[() ]]() < 0.
This, however, is a contradiction, because the premise implies that the formula H ( 0)
is true in all states along , including () |= H ( 0) . In particular, as is a solution for x = & H, we know that () |= H holds, and we have () |= ( 0) , which
contradicts [[() ]] < 0.
This proof rule enables us to prove (2) easily in dL's sequent calculus and all previous
proofs as well:

2de + 2e(d) 0
0
(2dd + 2ee 2rr )ed d
e r

DI 2
d

+ e2 r2 [d = e, e = d]d2 + e2 r2


11 Example Proofs
Example 11 (Quartic dynamics). The following simple dL proof uses DI to prove an
invariant of a quartic dynamics.

a 0 3x2 ((x 3)4 + a) 0


(x3)4 +a

a 0 (3x2 x 0)x
DI 3
x

1 [x = (x 3)4 + a & a 0]x3 1

Observe that rule DI directly makes the evolution domain constraint a 0 available as
an assumption in the premise, because the continuous evolution is never allowed to
leave it.
Example 12. Consider the dynamics x = y, y = 2 x 2dy of the damped oscillator
with the undamped angular frequency and the damping ratio d. See Fig. 4 for one
example of an evolution along this continuous dynamics.

Figure 4: Trajectory and evolution of a damped oscillator

Figure 4 shows a trajectory in the x, y space on the left, and an evolution of x over time t on the right. General
symbolic solutions of symbolic initial-value problems for this differential equation can
become surprisingly difficult. Mathematica, for instance, produces a long equation of
exponentials that spans 6 lines of terms just for one solution. A differential invariant
proof, instead, is very simple:

0 d 0 2 2 xy 2 2 xy 4dy 2 0
y

0 d 0 (2 2 xx + 2yy 0)x y

DI 2 2
x

2 x2dy

+ y 2 c2 [x = y, y = 2 x 2dy & ( 0 d 0)] 2 x2 + y 2 c2

Observe that rule DI directly makes the evolution domain constraint 0 d 0


available as an assumption in the premise, because the continuous evolution is never
allowed to leave it.


12 Assuming Invariants
Let's make the dynamics more interesting and see what happens. Suppose there is a
robot at a point with coordinates (x, y) that is facing in direction (d, e). Suppose the
robot moves with constant (linear) velocity into direction (d, e), which is rotating as
before. Then the corresponding dynamics is:
x = d, y = e, d = e, e = d
because the derivative of the x coordinate is the component d of the direction and the
derivative of the y coordinate is the component e of the direction. If the rotation of
the direction (d, e) is faster or slower, the differential equation would be formed correspondingly. Consider the following conjecture:
(x 1)2 + (y 2)2 p2 [x = d, y = e, d = e, e = d](x 1)2 + (y 2)2 p2 (5)
This conjecture expresses that the robot at position (x, y) will always stay at distance p
from the point (1, 2) if it started there. Let's try to prove conjecture (5):
2(x 1)d + 2(y 2)e 0
(2(x 1)x + 2(y 2)y 0)dx ey
DI

(x 1)2 + (y 2)2 p2 [x = d, y = e, d = e, e = d](x 1)2 + (y 2)2 p2

Unfortunately, this differential invariant proof does not work. As a matter of fact, fortunately it does not work out, because conjecture (5) is not valid, so we will, fortunately,
not be able to prove it with a sound proof technique. Conjecture (5) is too optimistic.
Starting from some directions far far away, the robot will most certainly get too close to
the point (1,2). Other directions may be fine.
Inspecting the above failed proof attempt, we could prove (5) if we knew something
about the directions (d, e) that would make the remaining premise prove. What could
that be?
Before you read on, see if you can find the answer for yourself.


Certainly, if we knew d = e = 0, the resulting premise would prove. Yet, that case
is pretty boring because it corresponds to the point (x, y) being stuck forever. A more
interesting case in which the premise would easily prove is if we knew x 1 = e and
y 2 = d. In what sense could we know x 1 = e y 2 = d? Certainly, we would
have to assume this compatibility condition for directions versus position is true in the
initial state, otherwise we would not necessarily know the condition holds true where
we need it. So let's modify (5) to include this assumption:
x 1 = e y 2 = d (x 1)2 + (y 2)2 p2
[x = d, y = e, d = e, e = d](x 1)2 + (y 2)2 p2 (6)
Yet, where we need to know x 1 = e y 2 = d for the above sequent proof to
continue is in the middle of the inductive step. How could we make that happen?
Before you read on, see if you can find the answer for yourself.


One step in the right direction is to convince ourselves that x 1 = e y 2 = d is


a differential invariant of the dynamics, so it holds always if it held in the beginning:

d = (d) e = e
(x = e y = d )dx ey ed d
e

DI

x 1 = e y 2 = d [x = d, y = e, d = e, e = d](x 1 = e y 2 = d)

This proves easily using differential invariants.


Now, how can this freshly proved invariant x 1 = e y 2 = d be made available
in the previous proof? Perhaps we could consider the conjunction of the invariant we
want with the invariant we need:
(x 1)2 + (y 2)2 p2 x 1 = e y 2 = d
That does not work (eliding the antecedent in the conclusion just for space reasons)
2(x 1)d + 2(y 2)e 0 d = (d) e = e
(2(x 1)x + 2(y 2)y 0 x = e y = d )dx ey ed d
e
DI

x 1 = e . . . [x = d, y = e, d = e, e = d]((x 1)2 + (y 2)2 p2 x 1 = e y 2 = d)

because the differential invariant proof rule DI does not make the invariant F available
in the antecedent of the premise.
In the case of loops, invariants can be assumed to hold before the loop body in the
induction step.
F []F
(ind)
F [ ]F
By analogy, we could augment the differential invariant proof rule DI similarly to
include F in the assumptions. Is that a good idea?
Before you read on, see if you can find the answer for yourself.


It looks tempting to suspect that rule DI could be improved by assuming the differential invariant F in the antecedent of the premise:
H F F x
(DI?? )
sound?
F [x = & H]F
After all, we really only care about staying safe when we are still safe. But implicit
properties of differential equations are a subtle business. Assuming F like in rule DI??
would, in fact, be unsound, as the following simple counterexample shows, which
proves an invalid property using the unsound proof rule DI?? :
(unsound)
(x y)2 0 2(x y)(1 y) 0
(x y)2 0 (2(x y)(x y ) 0)1x yy
(x y)2 0 [x = 1, y = y]((x y)2 0)
Assuming an invariant of a differential equation during its own proof is, thus, incorrect, even though it has been suggested numerous times in the literature. There
are some cases for which rule DI?? would be sound, but these are nontrivial [Pla10a,
Pla12b, Pla12a].

13 Differential Cuts
Instead, there is a complementary proof rule for differential cuts [Pla10a, Pla08, Pla12b,
Pla12a] that can be used to strengthen assumptions in a sound way:
[x = & H]C,
[x = & (H C)]F ,
(DC)
[x = & H]F,
The differential cut rule works like a cut, but for differential equations. In the right
premise, rule DC restricts the system evolution to the subdomain H C of H, which
changes the system dynamics but is a pseudo-restriction, because the left premise proves
that C is an invariant anyhow (e.g. using rule DI). Note that rule DC is special in that
it changes the dynamics of the system (it adds a constraint to the system evolution domain region), but it is still sound, because this change does not reduce the reachable
set. The benefit of rule DC is that C will (soundly) be available as an extra assumption
for all subsequent DI uses on the right premise (see, e.g., the use of the evolution domain constraint in Example 12). In particular, the differential cut rule DC can be used
to strengthen the right premise with more and more auxiliary differential invariants C
that will be available as extra assumptions on the right premise, once they have been
proven to be differential invariants in the left premise.
Proving (6) in a sound way is now easy using a differential cut DC by x 1 = e
y 2 = d:


d = (d) e = e

x1=e y2=d 2(x 1)d + 2(y 2)e 0

(x = e y = d )x ey ed d
e
DI

x1=.. [x = d, . . .](x1=ey2=d)

DC

x1=e y2=d (2(x 1)x + 2(y 2)y 0)x ey


DI

(x1)2 +(y2)2 p2 [x = d, y = e, d = e, e = d & x1=ey2=d](x1)2 +(y2)2 p2

(x1)2 +(y2)2 p2 x1=ey2=d [x = d, y = e, d = e, e = d](x 1)2 + (y 2)2 p2

Using this differential cut process repeatedly has turned out to be extremely useful
in practice and even simplifies the invariant search, because it leads to several simpler
properties to find and prove instead of a single complex property [PC08, PC09, Pla10b].
Proof of Soundness of DC. For simplicity, consider only the case where H true. Rule
DC is sound using the fact that the left premise implies that every solution that satisfies x = also satisfies C all along the solution. Thus, if solution satisfies x = , it
also satisfies x = & C, so that the right premise entails the conclusion. The proof is
accordingly for the case
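As an added example (not code from the lecture notes, nor from any prover the notes describe), the following Python computes the Lie derivative of Definition 9 and Lemma 10 for polynomial atoms and then walks through the differential cut of this section: the premise polynomial for the target of conjecture (5) is not zero, the cut formula x - 1 = -e and y - 2 = d is itself a differential invariant of the robot dynamics, and substituting that cut into the premise makes the premise collapse to 0. Polynomials are represented as dictionaries from exponent tuples to exact Fraction coefficients (a representation chosen for this example); the names lie, substitute, ROTATE and ROBOT are assumptions of the example, not notation from the notes.

```python
from fractions import Fraction

# Fixed variable order for the exponent tuples that represent monomials.
# Chosen for the robot example of Section 12; any consistent order works.
VARS = ("x", "y", "d", "e", "p", "r")


def const(c):
    """Constant polynomial c; the zero polynomial is the empty dict."""
    c = Fraction(c)
    return {(0,) * len(VARS): c} if c else {}


def var(name):
    """Variable `name` as a polynomial."""
    exps = [0] * len(VARS)
    exps[VARS.index(name)] = 1
    return {tuple(exps): Fraction(1)}


def add(p, q):
    """Sum, dropping monomials whose coefficients cancel."""
    out = dict(p)
    for m, c in q.items():
        out[m] = out.get(m, Fraction(0)) + c
        if out[m] == 0:
            del out[m]
    return out


def mul(p, q):
    """Product of two polynomials."""
    out = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            out = add(out, {tuple(a + b for a, b in zip(m1, m2)): c1 * c2})
    return out


def sub(p, q):
    return add(p, mul(const(-1), q))


def partial(p, name):
    """Partial derivative of p with respect to `name`."""
    i = VARS.index(name)
    out = {}
    for m, c in p.items():
        if m[i] > 0:
            out = add(out, {m[:i] + (m[i] - 1,) + m[i + 1:]: c * m[i]})
    return out


def lie(p, ode):
    """(p)' with each x' replaced by its right-hand side ode[x]: the premise
    polynomial of rule DI for an atomic invariant p >= 0, p = 0 or p <= 0.
    Variables without an equation are constants (derivative 0)."""
    out = {}
    for name, rhs in ode.items():
        out = add(out, mul(partial(p, name), rhs))
    return out


def substitute(p, mapping):
    """Replace the variables in `mapping` by polynomials; used to apply the
    equations of a differential cut C inside the DI premise."""
    out = {}
    for m, c in p.items():
        term = const(c)
        for name, k in zip(VARS, m):
            for _ in range(k):
                term = mul(term, mapping.get(name, var(name)))
        out = add(out, term)
    return out


x, y, d, e, p, r = (var(n) for n in VARS)
ROTATE = {"d": e, "e": sub({}, d)}      # d' = e, e' = -d (Section 8)
ROBOT = dict(ROTATE, x=d, y=e)          # plus x' = d, y' = e (Section 12)


def circle_premise():
    """d^2 + e^2 - r^2 under ROTATE: (p)' = 2de + 2e(-d), the zero polynomial,
    so d^2 + e^2 = r^2 (and each inequality) is a differential invariant."""
    return lie(sub(add(mul(d, d), mul(e, e)), mul(r, r)), ROTATE)


def robot_premise():
    """(x-1)^2 + (y-2)^2 - p^2 under ROBOT: (p)' = 2(x-1)d + 2(y-2)e, which
    is not the zero polynomial, so DI alone does not prove conjecture (5)."""
    q = add(mul(sub(x, const(1)), sub(x, const(1))),
            mul(sub(y, const(2)), sub(y, const(2))))
    return lie(sub(q, mul(p, p)), ROBOT)


def robot_premise_after_cut():
    """Differential cut with C = (x - 1 = -e and y - 2 = d): first check that
    both equations of C are differential invariants of ROBOT (left premise of
    DC), then use C, i.e. x = 1 - e and y = 2 + d, inside the DI premise of
    the right premise, where the polynomial collapses to 0."""
    cut_ok = (lie(add(sub(x, const(1)), e), ROBOT) == {}
              and lie(sub(sub(y, const(2)), d), ROBOT) == {})
    reduced = substitute(robot_premise(),
                         {"x": sub(const(1), e), "y": add(const(2), d)})
    return cut_ok, reduced
```

The zero polynomial is the empty dictionary, so an atomic invariant whose Lie derivative comes back empty has a trivially valid DI premise. A nonzero result is the polynomial that the real-arithmetic rule R still has to prove nonnegative (or zero) under the available assumptions, which is exactly where an evolution domain constraint, or a cut formula C established by rule DC, supplies the extra equations that substitute makes use of.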

14 Differential Weakening
One simple but computable proof rule is differential weakening:
HF
(DW)
[x = & H]F,
This rule is obviously sound, because the system x = & H, by definition, can never
leave H, hence, if H implies F (i.e. the region H is contained in the region F ), then F is
an invariant, no matter what x = does. Unfortunately, this simple proof rule cannot
prove very interesting properties, because it only works when H is very informative.
It can, however, be useful in combination with stronger proof rules (e.g., differential
cuts).

15 Summary
This lecture introduced very powerful proof rules for differential invariants, with which
you can prove even complicated properties of differential equations in easy ways. Just
like in the case of loops, where the search for invariants is nontrivial, differential invariants also require some smarts (or good automatic procedures) to be found. Yet, once a
differential invariant has been identified, the proof follows easily.
Note 10 (Proof rules for differential equations).
HF
H F x
(DW)
(DI)

F [x = & H]F
[x = & H]F,
(DC)

[x = & H]C,
[x = & (H C)]F ,
[x = & H]F,


Exercises
Exercise 1. We have chosen to define
( < ) (() < () )
Prove that the following slightly relaxed definition would also give a sound proof rule
for differential invariants:
( < ) (() () )
Exercise 2. We have defined
( ≠ ) (() = () )
Suppose you remove this definition so that you can no longer use the differential invariant proof rule for formulas involving ≠. Can you derive a proof rule to prove such
differential invariants regardless? If so, how? If not, why not?

References
[PC08] André Platzer and Edmund M. Clarke. Computing differential invariants of hybrid systems as fixedpoints. In Aarti Gupta and Sharad Malik, editors, CAV, volume 5123 of LNCS, pages 176-189. Springer, 2008. doi:10.1007/978-3-540-70545-1_17.
[PC09] André Platzer and Edmund M. Clarke. Computing differential invariants of hybrid systems as fixedpoints. Form. Methods Syst. Des., 35(1):98-120, 2009. Special issue for selected papers from CAV'08. doi:10.1007/s10703-009-0079-8.
[Pla08] André Platzer. Differential Dynamic Logics: Automated Theorem Proving for Hybrid Systems. PhD thesis, Department of Computing Science, University of Oldenburg, Dec 2008. Appeared with Springer.
[Pla10a] André Platzer. Differential-algebraic dynamic logic for differential-algebraic programs. J. Log. Comput., 20(1):309-352, 2010. doi:10.1093/logcom/exn070.
[Pla10b] André Platzer. Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics. Springer, Heidelberg, 2010. doi:10.1007/978-3-642-14509-4.
[Pla12a] André Platzer. A differential operator approach to equational differential invariants. In Lennart Beringer and Amy Felty, editors, ITP, volume 7406 of LNCS, pages 28-48. Springer, 2012. doi:10.1007/978-3-642-32347-8_3.
[Pla12b] André Platzer. The structure of differential invariants and differential cut elimination. Logical Methods in Computer Science, 8(4):1-38, 2012. doi:10.2168/LMCS-8(4:16)2012.


15-424: Foundations of Cyber-Physical Systems

Lecture Notes on
Differential Invariants & Proof Theory
Andre Platzer
Carnegie Mellon University
Lecture 14

1 Introduction
Lecture 10 on Differential Equations & Differential Invariants and Lecture 11 on Differential Equations & Proofs equipped us with powerful tools for proving properties of
differential equations without having to solve them. Differential invariants (DI) [Pla10a]
prove properties of differential equations by induction based on the right-hand side of
the differential equation, rather than its much more complicated global solution. Differential cuts (DC) [Pla10a] made it possible to prove another property C of a differential
equation and then change the dynamics of the system around so that it can never leave
region C. Differential cuts turned out to be very useful when stacking inductive properties of differential equations on top of each other, so that easier properties are proved
first and then assumed during the proof of the more complicated properties. Differential weakening (DW) [Pla10a] proves simple properties that are entailed by the evolution domain, which becomes especially useful after the evolution domain constraint
has been augmented sufficiently by way of a differential cut.
Just like in the case of loops, where the search for invariants is nontrivial, differential invariants also require some smarts (or good automatic procedures) to be found.
Once a differential invariant has been identified, the proof follows easily, which is a
computationally attractive property.
Finding invariants of loops is very challenging. It can be shown to be the only
fundamental challenge in proving safety properties of conventional discrete programs
[HMP77]. Likewise, finding invariants and differential invariants is the only fundamental challenge in proving safety properties of hybrid systems [Pla08, Pla10b, Pla12a].
A more careful analysis even shows that just finding differential invariants is the only
fundamental challenge for hybrid systems safety verification [Pla12a].

15-424 LECTURE NOTES        October 16, 2013        ANDRÉ PLATZER
L14.2
Differential Invariants & Proof Theory

That is reassuring, because we know that the proofs will work¹ as soon as we find
the right differential invariants. But it also tells us that we can expect the search for differential invariants (and invariants) to be challenging, because cyber-physical systems
are extremely challenging, albeit very important.
Since, at the latest after this revelation, we fully realize the importance of studying
and understanding differential invariants, we subscribe to developing a deeper understanding of differential invariants right away. The part of their understanding that
today's lecture develops is how various classes of differential invariants relate to each
other in terms of what they can prove. That is, are there properties that only differential
invariants of the form A can prove, because differential invariants of the form B cannot
prove them? Or are all properties provable by differential invariants of the form A also
provable by differential invariants of the form B?
These relations between classes of differential invariants tell us which forms of differential invariants we need to search for. A secondary goal of today's lecture besides this
theoretical understanding is the practical understanding of developing more intuition
about differential invariants and seeing them in action more thoroughly.
This lecture is based on [Pla12b]. In this lecture, we try to strike a balance between
comprehensive handling of the subject matter and core intuition. This lecture will
mostly focus on the core intuition of the heart of the proofs and leaves a more comprehensive argument and further study for articles [Pla12b]. Many proofs in this lecture are simplified and only prove the core argument, while leaving out other aspects.
Those very important further details are beyond the scope of this course and can be
found elsewhere [Pla12b]. For example, this lecture will not study whether indirect
proofs could conclude the same properties. With a more careful analysis [Pla12b], it
turns out that indirect proofs do not change the results reported in this lecture, but the
proofs become significantly more complicated and require a more precise choice of the
sequent calculus formulation. In this lecture, we will also not always prove all statements conjectured in a theorem. The remaining proofs can be found in the literature
[Pla12b].
Note 1 (Proof theory of differential equations). The results in this lecture are part of
the proof theory of differential equations. They are proofs about proofs, because they prove
relations between the provability of logical formulas with different (sequent) proof calculi.

2 Recap
Recall the following proof rules for differential equations from Lecture 11 on Differential Equations & Proofs:

¹ Although it may still be a lot of work in practice to make the proofs work. At least they become possible.


Note 2 (Proof rules for differential equations).


HF
H F x
(DW)
(DI)

F [x = & H]F
[x = & H]F,
(DC)

[x = & H]C,
[x = & (H C)]F ,
[x = & H]F,

With cuts and generalizations, earlier lectures have also shown that the following can
be proved:
A F F [x = & H]F F B
(1)
A [x = & H]B

3 Comparative Deductive Study


We study the relations of classes of differential invariants in terms of their relative deductive power. That is, we study whether some properties are only provable using
differential invariants from the class A, not using differential invariants from the class
B, or whether all properties provable with differential invariants from class A are also
provable with class B.
As a basis, we consider a propositional sequent calculus with logical cuts (which simplify gluing derivations together) and real-closed field arithmetic (we denote all uses
by proof rule R); see [Pla12b]. By DI we denote the proof calculus that, in addition,
has general differential invariants (rule DI with arbitrary quantifier-free first-order formula F ) but no differential cuts (rule DC). For a set {, >, =, , } of operators,
we denote by DI the proof calculus where the differential invariant F in rule DI is
further restricted to the set of formulas that uses only the operators in . For example,
DI =,, is the proof calculus that allows only and/or-combinations of equations to be
used as differential invariants. Likewise, DI is the proof calculus that only allows
atomic weak inequalities p q to be used as differential invariants.
We consider classes of differential invariants and study their relations. If A and B are
two classes of differential invariants, we write A B if all properties provable using
differential invariants from A are also provable using differential invariants from B.
We write A ⊈ B otherwise, i.e., when there is a valid property that can only be proven
using differential invariants of A \ B. We write A B if A B and B A. We write
A < B if A B and B ⊈ A. Classes A and B are incomparable if A ⊈ B and B ⊈ A.

4 Equivalences of Differential Invariants


First, we study whether there are equivalence transformations that preserve differential
invariance. Every equivalence transformation that we have for differential invariant
properties helps us with structuring the proof search space and also helps simplifying
meta-proofs.


Lemma 1 (Differential invariants and propositional logic). Differential invariants


are invariant under propositional equivalences. That is, if F G is an instance of a
propositional tautology then F is a differential invariant of x = & H if and only if G is.
Proof. Let F be a differential invariant of a differential equation system x = & H and
let G be a formula such that F G is an instance of a propositional tautology. Then G
is a differential invariant of x = & H, because of the following formal proof:

H G x
DI

G [x = & H]G
F [x = & H]F

The bottom proof step is easy to see using (1), because precondition F implies the new
precondition G and postcondition F is implied by the new postcondition G propositionally. Subgoal H G x is provable, because H F x is provable and G is defined
as a conjunction over all literals of G. The set of literals of G is identical to the set
of literals of F , because the literals do not change by using propositional tautologies.
Furthermore, we assumed a propositionally complete base calculus [Pla12b].
In subsequent proofs, we can use propositional equivalence transformations by Lemma 1.
In the following, we will also implicitly use equivalence reasoning for pre- and postconditions as we have done in Lemma 1. Because of Lemma 1, we can, without loss of
generality, work with arbitrary propositional normal forms for proof search.

5 Differential Invariants & Arithmetic


Not all logical equivalence transformations carry over to differential invariants. Differential invariance is not necessarily preserved under real arithmetic equivalence transformations.
Lemma 2 (Differential invariants and arithmetic). Differential invariants are not invariant under equivalences of real arithmetic. That is, if F G is an instance of a first-order real arithmetic tautology then F may be a differential invariant of x = & H yet G
may not.
Proof. There are two formulas that are equivalent over first-order real arithmetic but,
for the same differential equation, one of them is a differential invariant, the other one
is not (because their differential structures differ). Since 5 0, the formula x2 52 is


equivalent to 5 x x 5 in first-order real arithmetic. Nevertheless, x2 52 is a


differential invariant of x = x by the following formal proof:

2x2 0
(2xx 0)x
x
DI 2
2

x 5 [x = x]x2 52
R

but 5 x x 5 is not a differential invariant of x = x:


not valid
0 x x 0
(0 x x 0)x
x
DI

5 x x 5 [x = x](5 x x 5)

When we want to prove the property in the proof of Lemma 2, we need to use the
principle (1) with the differential invariant F x2 52 and cannot use 5 x x 5.
By Lemma 2, we cannot just use arbitrary equivalences when investigating differential invariance, but have to be more careful. Not just the elementary real arithmetical equivalence of having the same set of satisfying assignments matters, but also the differential
structures need to be compatible. Some equivalence transformations that preserve the
solutions still destroy the differential structure. It is the equivalence of real differential
structures that matters. Recall that differential structures are defined locally in terms of
the behavior in neighborhoods of a point, not the point itself.
Lemma 2 illustrates a notable point about differential equations. Many different formulas characterize the same set of satisfying assignments. But not all of them have
the same differential structure. Quadratic polynomials have inherently different differential structure than linear polynomials even when they have the same set of solutions over the reals. The differential structure is a more fine-grained information.
This is similar to the fact that two elementary equivalent models of first-order logic
can still be non-isomorphic. Both the set of satisfying assignments and the differential structure matter for differential invariance. In particular, there are many formulas
with the same solutions but different differential structures. The formulas x2 0 and
x6 + x4 16x3 + 97x2 252x + 262 0 have the same solutions (all of R), but very different differential structure; see Fig. 1.
The first two rows in Fig. 1 correspond to the polynomials from the latter two cases.
The third row is a structurally different degree 6 polynomial with again the same set of
solutions (R) but a rather different differential structure. The differential structure also
depends on what value x assumes according to the differential equation. Fig. 1 illustrates that p alone can already have a very different characteristic even if the respective
sets of satisfying assignments of p 0 are identical.


Figure 1: Equivalent solutions (p 0 on the left) with different differential structure (p plotted on the right); three rows of plots, one per polynomial


We can, however, always normalize all atomic subformulas to have right-hand side 0, that is, to be of the form $p = 0$, $p \geq 0$, or $p > 0$. For instance, $p \leq q$ is a differential invariant if and only if $q - p \geq 0$ is, because $p \leq q$ is equivalent (in first-order real arithmetic) to $q - p \geq 0$ and, moreover, for any variable $x$ and term $\theta$, $(p \leq q)'^{\theta}_{x'}$ is equivalent to $(q - p \geq 0)'^{\theta}_{x'}$ in first-order real arithmetic.

6 Differential Invariant Equations

For equational differential invariants, a.k.a. differential invariant equations, propositional operators do not add to the deductive power.
Proposition 3 (Equational deductive power [Pla10a, Pla12b]). The deductive power of differential induction with atomic equations is identical to the deductive power of differential induction with propositional combinations of polynomial equations: That is, each formula is provable with propositional combinations of equations as differential invariants iff it is provable with only atomic equations as differential invariants:
\[ \mathcal{DI}_{=} = \mathcal{DI}_{=,\wedge,\vee} \]
How could we prove that?
Before you read on, see if you can find the answer for yourself.


One direction is simple. Proving $\mathcal{DI}_{=} \subseteq \mathcal{DI}_{=,\wedge,\vee}$ is obvious, because every proof using a differential invariant equation $p_1 = p_2$ also is a proof using a propositional combination of differential invariant equations, namely the propositional combination that consists of the single conjunct $p_1 = p_2$.
The other way around, $\mathcal{DI}_{=,\wedge,\vee} \subseteq \mathcal{DI}_{=}$, is more difficult. If a formula can be proved using a differential invariant that is a propositional combination of equations, such as $p_1 = p_2 \wedge q_1 = q_2$, how could it possibly be proved using just a single equation?

Note 6 (Proofs of equal provability). A proof of Proposition 3 needs to show that every
such provable property is also provable with a structurally simpler differential invariant.
It effectively needs to transform proofs with propositional combinations of equations as
differential invariants into proofs with just differential invariant equations. And, of course,
the proof of Proposition 3 needs to prove that the resulting equations are actually provably
differential invariants and prove the same properties as before.
Proof of Proposition 3. Let $x' = \theta$ be the (vectorial) differential equation to consider. We show that every differential invariant that is a propositional combination $F$ of polynomial equations is expressible as a single atomic polynomial equation (the converse inclusion is obvious). We can assume $F$ to be in negation normal form by Lemma 1 (recall that negations are resolved and $\neq$ can be assumed not to appear). Then we reduce $F$ inductively to a single equation using the following transformations:
• If $F$ is of the form $p_1 = p_2 \vee q_1 = q_2$, then $F$ is equivalent to the single equation $(p_1 - p_2)(q_1 - q_2) = 0$. Furthermore, $F'^{\theta}_{x'} \equiv (p_1' = p_2' \wedge q_1' = q_2')^{\theta}_{x'}$ directly implies
\[ \big((p_1 - p_2)(q_1 - q_2) = 0\big)'^{\theta}_{x'} \;\equiv\; \big((p_1' - p_2')(q_1 - q_2) + (p_1 - p_2)(q_1' - q_2') = 0\big)^{\theta}_{x'} \]
• If $F$ is of the form $p_1 = p_2 \wedge q_1 = q_2$, then $F$ is equivalent to the single equation $(p_1 - p_2)^2 + (q_1 - q_2)^2 = 0$. Furthermore, $F'^{\theta}_{x'} \equiv (p_1' = p_2' \wedge q_1' = q_2')^{\theta}_{x'}$ implies
\[ \big((p_1 - p_2)^2 + (q_1 - q_2)^2 = 0\big)'^{\theta}_{x'} \;\equiv\; \big(2(p_1 - p_2)(p_1' - p_2') + 2(q_1 - q_2)(q_1' - q_2') = 0\big)^{\theta}_{x'} \]
Note that the polynomial degree increases quadratically by the reduction in Proposition 3, but, as a trade-off, the propositional structure simplifies. Consequently, differential invariant search for the equational case can either exploit propositional structure
with lower degree polynomials or suppress the propositional structure at the expense
of higher degrees.


7 Equational Incompleteness
Focusing exclusively on differential invariants with equations, however, reduces the deductive power, because sometimes only differential invariant inequalities can prove properties.
Proposition 4 (Equational incompleteness). The deductive power of differential induction with equational formulas is strictly less than the deductive power of general differential induction, because some inequalities cannot be proven with equations.
\[ \mathcal{DI}_{=} = \mathcal{DI}_{=,\wedge,\vee} < \mathcal{DI} \]
\[ \mathcal{DI}_{\geq} \not\subseteq \mathcal{DI}_{=} = \mathcal{DI}_{=,\wedge,\vee} \]
\[ \mathcal{DI}_{>} \not\subseteq \mathcal{DI}_{=} = \mathcal{DI}_{=,\wedge,\vee} \]
How could such a proposition be proved?
Before you read on, see if you can find the answer for yourself.


The proof strategy in Proposition 3 involved transforming proofs into proofs to prove the inclusion $\mathcal{DI}_{=,\wedge,\vee} \subseteq \mathcal{DI}_{=}$. Could the same strategy prove Proposition 4? No, because we need to show the opposite! Proposition 4 conjectures $\mathcal{DI}_{\geq} \not\subseteq \mathcal{DI}_{=,\wedge,\vee}$, which means that there are true properties that are only provable using a differential invariant inequality $p_1 \geq p_2$ and not using any differential invariant equations or propositional combinations thereof.
For one thing, this means that we ought to find a property that a differential invariant
inequality can prove. That ought to be easy enough, because Lecture 11 on Differential
Equations & Proofs showed us how useful differential invariants are. But then a proof
of Proposition 4 also requires a proof why that very same formula cannot possibly ever
be proved with any way of using differential invariant equations or their propositional
combinations. That is a proof about nonprovability. Proving provability in proof theory
amounts to producing a proof (in sequent calculus). Proving nonprovability most certainly does not mean it would be enough to write something down that is not a proof.
After all, just because one proof attempt fails does not mean that others would not be
successful. You have experienced this while you were working on proving your labs
for this course. The first proof attempt might have failed miserably and was impossible
to ever work out. But, come next day, you had a better idea with a different proof, and
suddenly the same property turned out to be provable even if the first proof attempt
failed.
How could we prove that all proof attempts do not work?
Before you read on, see if you can find the answer for yourself.


One way of showing that a logical formula cannot be proved is by giving a counterexample, i.e. a state which assigns values to the variables that falsify the formula. That is, of course, not what can help us prove Proposition 4, because a proof of Proposition 4 requires us to find a formula that can be proved with $\mathcal{DI}_{\geq}$ (so it cannot have a counterexample, since it is valid) but just cannot be proved with $\mathcal{DI}_{=,\wedge,\vee}$. Proving that a valid formula cannot be proved with $\mathcal{DI}_{=,\wedge,\vee}$ requires us to show that all proofs in $\mathcal{DI}_{=,\wedge,\vee}$ do not prove that formula.
By analogy, recall sets. The way to prove that two sets $M, N$ have the same number of elements is to come up with a pair of functions $\Phi : M \to N$ and $\Psi : N \to M$ between the sets and then prove that $\Phi, \Psi$ are inverses of each other, i.e. $\Phi(\Psi(y)) = y$ and $\Psi(\Phi(x)) = x$ for all $x \in M$, $y \in N$. Proving that two sets $M, N$ do not have the same number of elements works entirely differently, because that has to prove for all pairs of functions $\Phi : M \to N$ and $\Psi : N \to M$ that there is an $x \in M$ such that $\Psi(\Phi(x)) \neq x$ or a $y \in N$ such that $\Phi(\Psi(y)) \neq y$. Since that is a lot of work, indirect criteria such as cardinality or countability are often used instead, e.g. for proving that the reals $\mathbb{R}$ and rationals $\mathbb{Q}$ do not have the same number of elements, because $\mathbb{Q}$ is countable but $\mathbb{R}$ is not (by Cantor's diagonal argument).
By analogy, recall vector spaces from linear algebra. The way to prove that two vector spaces $V, W$ are isomorphic is to think hard and construct a function $\Phi : V \to W$ and a function $\Psi : W \to V$ and then prove that $\Phi, \Psi$ are linear functions and inverses of each other. Proving that two vector spaces $V, W$ are not isomorphic works entirely differently, because that has to prove that all pairs of functions $\Phi : V \to W$ and $\Psi : W \to V$ are either not linear or not inverses of each other. Proving the latter literally is a lot of work. So instead, indirect criteria are being used. One proof that $V, W$ are not isomorphic could show that both have different dimensions and then prove that isomorphic vector spaces always have the same dimension, so $V$ and $W$ cannot possibly be isomorphic.
Consequently, proving non-provability leads to a study of indirect criteria about proofs of differential equations.
Note 8 (Proofs of different provability). Proving non-reducibility $A \not\subseteq B$ for classes of differential invariants requires an example formula $\phi$ that is provable in $A$ plus a proof that no proof using $B$ proves $\phi$. The preferred way of doing that is finding an indirect criterion that all proofs in $B$ possess but that $\phi$ does not have.
Proof of Proposition 4. Consider any term $a > 0$ (e.g., $5$ or $x^2 + 1$ or $x^2 + x^4 + 2$). The following formula is provable by differential induction with the weak inequality $x \geq 0$:
\[ \text{DI}\;\frac{\mathbb{R}\;\dfrac{}{\vdash a \geq 0}}{x \geq 0 \vdash [x' = a]\, x \geq 0} \]
It is not provable with an equational differential invariant. Any univariate polynomial $p$ that is zero on $x \geq 0$ is the zero polynomial and, thus, $p = 0$ cannot be equivalent to the half space $x \geq 0$. By Proposition 3 (equational deductive power), the above formula then is not provable with any Boolean combination of equations as differential invariant either.
The other parts of the theorem are proved elsewhere [Pla12b].
It might be tempting to think that at least equational postconditions only need equational differential invariants for proving them. But that is not the case either [Pla12b].

8 Strict Differential Invariant Inequalities


We show that, conversely, focusing on strict inequalities also reduces the deductive
power, because equations are obviously missing and there is at least one proof where
this matters. That is, strict barrier certificates do not prove (nontrivial) closed invariants.
Formal definitions of open and closed sets come from real analysis (or topology).
Roughly: A closed set is one whose boundary belongs to the set. For example the solid
unit disk. An open set is one whose boundary does not belong to the set, for example
the unit disk without the circle of radius 1.
Proposition 5 (Strict barrier incompleteness). The deductive power of differential induction with strict barrier certificates (formulas of the form $p > 0$) is strictly less than the deductive power of general differential induction.
\[ \mathcal{DI}_{>} < \mathcal{DI} \]
\[ \mathcal{DI}_{=} \not\subseteq \mathcal{DI}_{>} \]
Proof. The following formula is provable by equational differential induction:
\[ \text{DI}\;\frac{\mathbb{R}\;\dfrac{}{\vdash 2xy + 2y(-x) = 0}}{x^2 + y^2 = c^2 \vdash [x' = y, y' = -x]\, x^2 + y^2 = c^2} \]
But it is not provable with a differential invariant of the form $p > 0$. An invariant of the form $p > 0$ describes an open set and, thus, cannot be equivalent to the (nontrivial) closed domain where $x^2 + y^2 = c^2$. The only sets that are both open and closed in $\mathbb{R}^n$ are $\emptyset$ and $\mathbb{R}^n$.
The other parts of the theorem are proved elsewhere [Pla12b].

9 Differential Invariant Equations as Differential Invariant Inequalities
Weak inequalities, however, do subsume the deductive power of equational differential invariants. This is obvious on the algebraic level but we will see that it also does carry over to the differential structure.
Proposition 6 (Equational definability). The deductive power of differential induction with equations is subsumed by the deductive power of differential induction with weak inequalities:
\[ \mathcal{DI}_{=,\wedge,\vee} \subseteq \mathcal{DI}_{\geq} \]
Proof. By Proposition 3, we only need to show that $\mathcal{DI}_{=} \subseteq \mathcal{DI}_{\geq}$. Let $p = 0$ be an equational differential invariant of a differential equation $x' = \theta \,\&\, H$. Then we can prove the following:
\[ \text{DI}\;\frac{H \vdash (p' = 0)^{\theta}_{x'}}{p = 0 \vdash [x' = \theta \,\&\, H]\, p = 0} \]
Then, the inequality $-p^2 \geq 0$, which is equivalent to $p = 0$ in real arithmetic, also is a differential invariant of the same dynamics by the following formal proof:
\[ \text{DI}\;\frac{H \vdash (-2pp' \geq 0)^{\theta}_{x'}}{-p^2 \geq 0 \vdash [x' = \theta \,\&\, H]\, (-p^2 \geq 0)} \]
The subgoal for the differential induction step is provable: if we can prove that $H$ implies $(p' = 0)^{\theta}_{x'}$, then we can also prove that $H$ implies $(-2pp' \geq 0)^{\theta}_{x'}$, because $(p' = 0)^{\theta}_{x'}$ implies $(-2pp' \geq 0)^{\theta}_{x'}$ in first-order real arithmetic.
Note that the local state-based view of differential invariants is crucial to make the last proof work. By Proposition 6, differential invariant search with weak inequalities can suppress equations. Note, however, that the polynomial degree increases quadratically with the reduction in Proposition 6. In particular, the polynomial degree increases quartically when using the reductions in Proposition 3 and Proposition 6 one after another to turn propositional equational formulas into single inequalities. This quartic increase of the polynomial degree is likely too serious a computational burden for practical purposes, even if it is a valid reduction in theory.

10 Differential Invariant Atoms


Next we see that, with the notable exception of pure equations (Proposition 3), propositional operators increase the deductive power.

15-424 L ECTURE N OTES

A NDR E P LATZER

L14.14

Differential Invariants & Proof Theory

Theorem 7 (Atomic incompleteness). The deductive power of differential induction with propositional combinations of inequalities exceeds the deductive power of differential induction with atomic inequalities.
\[ \mathcal{DI}_{\geq} < \mathcal{DI}_{\geq,\wedge,\vee} \]
\[ \mathcal{DI}_{>} < \mathcal{DI}_{>,\wedge,\vee} \]
Proof. Consider any term $a \geq 0$ (e.g., $1$ or $x^2 + 1$ or $x^2 + x^4 + 1$ or $(xy)^2 + 2$). Then the formula $x \geq 0 \wedge y \geq 0 \to [x' = a, y' = y^2](x \geq 0 \wedge y \geq 0)$ is provable using a conjunction in the differential invariant:
\[ \text{DI}\;\frac{\mathbb{R}\;\dfrac{\dfrac{}{\vdash a \geq 0 \wedge y^2 \geq 0}}{\vdash (x' \geq 0 \wedge y' \geq 0)^{a,\,y^2}_{x',\,y'}}}{x \geq 0 \wedge y \geq 0 \vdash [x' = a, y' = y^2](x \geq 0 \wedge y \geq 0)} \]
By a sign argument similar to that in the proof of [Pla10a, Theorem 2] no atomic formula is equivalent to $x \geq 0 \wedge y \geq 0$. Thus, the above property cannot be proven using a single differential induction. The proof for a postcondition $x > 0 \wedge y > 0$ is similar.
The other (quite substantial) parts of the proof are proved elsewhere [Pla12b].
Note that the formula in the proof of Theorem 7 is provable, e.g., using differential
cuts (DC) with two atomic differential induction steps, one for x 0 and one for y 0.
Yet, a similar argument can be made to show that the deductive power of differential
induction with atomic formulas (even when using differential cuts) is strictly less than
the deductive power of general differential induction; see [Pla10a, Theorem 2].

11 Summary
Fig. 2 summarizes the findings of this lecture and others reported in the literature [Pla12b].
We have considered the differential invariance problem, which, by a relative completeness argument [Pla12a], is at the heart of hybrid systems verification. To better understand structural properties of hybrid systems, we have identified and analyzed more
than a dozen (16) relations between the deductive power of several (9) classes of differential invariants, including subclasses that correspond to related approaches.
Our results require a symbiosis of elements of logic with real arithmetical, differential, semialgebraic, and geometrical properties. Future work includes investigating this
new field further that we call real differential semialgebraic geometry, whose development
has only just begun.

[Figure 2 (diagram not reproduced): Differential invariance chart relating the classes $\mathcal{DI}_{=}$, $\mathcal{DI}_{>}$, $\mathcal{DI}_{\geq}$ and their propositional closures]

Exercises
Exercise 1. Prove the relation $\mathcal{DI}_{>} \subseteq \mathcal{DI}_{>,\wedge,\vee}$.
Exercise 2. Prove the relation $\mathcal{DI}_{\geq} \subseteq \mathcal{DI}_{\geq,\wedge,\vee}$.
Exercise 3. Prove the relation $\mathcal{DI}_{\geq,\wedge,\vee} \subseteq \mathcal{DI}_{\geq,=,\wedge,\vee}$.
Exercise 4. Prove the relation $\mathcal{DI}_{=,\wedge,\vee} < \mathcal{DI}_{\geq,\wedge,\vee}$.
Exercise 5. Prove the relation $\mathcal{DI}_{>,\wedge,\vee} < \mathcal{DI}_{>,=,\wedge,\vee}$.

15-424 L ECTURE N OTES

A NDR E P LATZER

15-424: Foundations of Cyber-Physical Systems

Lecture Notes on
Ghosts & Differential Ghosts
Andre Platzer
Carnegie Mellon University
Lecture 15

1 Introduction
Lecture 10 on Differential Equations & Differential Invariants and Lecture 11 on Differential Equations & Proofs equipped us with powerful tools for proving properties of
differential equations without having to solve them. Differential invariants (DI) [Pla10a]
prove properties of differential equations by induction based on the right-hand side of
the differential equation, rather than its much more complicated global solution. Differential cuts (DC) [Pla10a] made it possible to prove another property C of a differential
equation and then change the dynamics of the system around so that it can never leave
region C. Lecture 14 on Differential Invariants & Proof Theory studied some part of the
proof theory of differential equations and proved the differential invariance chart that
compares the deductive power of classes of differential invariants; see Fig. 1.
[Figure 1 (diagram not reproduced): Differential invariance chart]


It can be shown that differential cuts are a fundamental proof principle for differential
equations [Pla12], because some properties can only be proved with differential cuts.
Yet, it can also be shown that there are properties where even differential cuts are not
enough, but differential ghosts become necessary [Pla12]. Differential ghosts [Pla12], spooky as they may sound, turn out to be a useful proof technique for differential equations.
15-424 LECTURE NOTES, October 21, 2013, ANDRÉ PLATZER
This lecture is based on [Pla12, Pla10b].

2 Recap
Recall the following proof rules for differential equations from Lecture 11 on Differential Equations & Proofs:
Note 1 (Proof rules for differential equations).
\[ \text{(DI)}\;\frac{H \vdash F'^{\theta}_{x'}}{F \vdash [x' = \theta \,\&\, H]\, F} \qquad \text{(DW)}\;\frac{H \vdash F}{\Gamma \vdash [x' = \theta \,\&\, H]\, F, \Delta} \]
\[ \text{(DC)}\;\frac{\Gamma \vdash [x' = \theta \,\&\, H]\, C, \Delta \qquad \Gamma \vdash [x' = \theta \,\&\, (H \wedge C)]\, F, \Delta}{\Gamma \vdash [x' = \theta \,\&\, H]\, F, \Delta} \]
With cuts and generalizations, earlier lectures have also shown that the following can be proved:
\[ \frac{A \vdash F \qquad F \vdash [x' = \theta \,\&\, H]\, F \qquad F \vdash B}{A \vdash [x' = \theta \,\&\, H]\, B} \tag{1} \]

3 Arithmetic Ghosts
A quotient $\frac{b}{c}$ can be eliminated in favor of a fresh variable $q$ that is chosen nondeterministically and then constrained by a test:
\[ \frac{b}{c} \;\rightsquigarrow\; q := *;\; ?qc = b \;\rightsquigarrow\; q := *;\; ?(qc = b \wedge c \neq 0) \]
where $q := *$ is the nondeterministic assignment that assigns an arbitrary real number to $q$. For a discrete assignment containing a division, this gives:
\[ x := 2 + \frac{b}{c} + e \;\rightsquigarrow\; q := *;\; ?qc = b;\; x := 2 + q + e \;\rightsquigarrow\; q := *;\; ?(qc = b \wedge c \neq 0);\; x := 2 + q + e \]
Here $q$ is called an arithmetic ghost, because $q$ is an auxiliary variable that is only in the hybrid program for the sake of defining the quotient $\frac{b}{c}$.

4 Nondeterministic Assignments & Ghosts of Choice

The HP statement $x := *$ is a nondeterministic assignment that assigns an arbitrary real number to $x$. Comparing with the syntax of hybrid programs from Lecture 3 on Choice & Control, however, it turns out that such a statement is not in the official language of hybrid programs.
\[ \alpha, \beta \;::=\; x := \theta \mid ?H \mid x' = \theta \,\&\, H \mid \alpha \cup \beta \mid \alpha; \beta \mid \alpha^* \tag{2} \]

What now?

15-424 L ECTURE N OTES

A NDR E P LATZER

Ghosts & Differential Ghosts

L15.3

One possible solution, which is the one taken in the implementation of KeYmaera [PQ08], is to add the nondeterministic assignment $x := *$ as a statement to the syntax of hybrid programs.
\[ \alpha, \beta \;::=\; x := \theta \mid \ldots \mid x := * \]
Consequently, nondeterministic assignments need a semantics to become meaningful.
7. $\rho(x := *) = \{(\nu, \omega) : \omega = \nu$ except for the value of $x$, which can be any real number$\}$
And nondeterministic assignments finally need proof rules so that they can be handled in proofs.
\[ (\langle{:}*\rangle)\;\frac{\exists x\, \phi}{\langle x := *\rangle \phi} \qquad ([{:}*])\;\frac{\forall x\, \phi}{[x := *]\phi} \]
Another approach for adding nondeterministic assignments $x := *$ to hybrid programs is to consider whether we even have to do that. That is, to understand whether $x := *$ is truly a new program construct or whether it can be defined in terms of the other hybrid program statements from (2). Is $x := *$ definable by a hybrid program?
Before you read on, see if you can find the answer for yourself.

15-424 L ECTURE N OTES

A NDR E P LATZER

L15.4

Ghosts & Differential Ghosts

Nondeterministic assignment $x := *$ assigns any real number to $x$. One hybrid program that has the same effect of giving $x$ any arbitrary real value [Pla10b, Chapter 3] is:
\[ x := * \;\overset{\text{def}}{\equiv}\; x' = 1 \cup x' = -1 \tag{3} \]
That is not the only definition of $x := *$, though. An equivalent definition is [Pla13]:
\[ x := * \;\overset{\text{def}}{\equiv}\; x' = 1;\; x' = -1 \]
When working through the intended semantics of the left-hand side $x := *$ shown in case 7 above and the actual semantics of the right-hand side of (3) according to Lecture 3, it becomes clear that both sides of (3) mean the same. Hence, the above definition (3) captures the right concept. And, in particular, just like if-then-else, nondeterministic assignments do not really have to be added to the language of hybrid programs, because they can already be defined. Likewise, no proof rules would have to be added for nondeterministic assignments, because there are already proof rules for the constructs used in the right-hand side of the definition of $x := *$ in (3). Since the above proof rules for $x := *$ are particularly easy, though, it is usually more efficient to include them directly, which is what KeYmaera does.
What may, at first sight, appear slightly spooky about (3), however, is that the left-hand side $x := *$ is clearly an instant change in time where $x$ changes its value instantaneously to some arbitrary new real number. That is less so for the right-hand side of (3), which involves two differential equations, which take time to follow.
The clue is that this passage of time is not observable in the state of the system. Consequently, the left-hand side of (3) really means the same as the right-hand side of (3). Remember from earlier lectures that time is not special. If a CPS wants to refer to time, it would have a clock variable $t$ with the differential equation $t' = 1$. With such an addition, however, the passage of time $t$ becomes observable in the value of variable $t$ and, hence, a corresponding variation of the right-hand side of (3) would not be equivalent to $x := *$ (indicated by $\not\equiv$):
\[ x := * \;\not\equiv\; x' = 1, t' = 1 \;\cup\; x' = -1, t' = 1 \]

5 Differential-algebraic Ghosts
Analogously, a quotient inside a differential equation can be replaced by an auxiliary differential variable $q$ whose derivative is left arbitrary and whose value is constrained by the evolution domain:
\[ \frac{b}{c} \;\rightsquigarrow\; q' = * \,\&\, qc = b \;\rightsquigarrow\; q' = * \,\&\, qc = b \wedge c \neq 0 \]
See [Pla10b, Chapter 3] for the meaning of the nondeterministic differential equation $q' = *$.¹ For example:
\[ x' = 2 + \frac{b}{c} + e \;\rightsquigarrow\; x' = 2 + q + e,\; q' = * \,\&\, qc = b \;\rightsquigarrow\; x' = 2 + q + e,\; q' = * \,\&\, qc = b \wedge c \neq 0 \]
¹ It is the same as the differential-algebraic constraint $\exists d\; q' = d$, but differential-algebraic constraints have not been introduced in this course so far.

15-424 L ECTURE N OTES

A NDR E P LATZER

Ghosts & Differential Ghosts

L15.5

Variable $q$ is a differential-algebraic ghost in the sense of being an auxiliary variable in the differential-algebraic equation for the sake of defining the quotient $\frac{b}{c}$.
Together with the reduction of divisions in discrete assignments from Sect. 3, plus the insight that divisions in tests and evolution domain constraints can always be rewritten to division-free form, this is a (sketchy) proof showing that hybrid programs and differential dynamic logic do not need divisions [Pla10b]. The advantage of eliminating divisions this way is that differential dynamic logic does not need special precautions for divisions and that the handling of zero divisors is made explicit in the way the divisions are eliminated from the formulas. In practice, however, it is still useful to use divisions, yet great care has to be exercised to make sure that no inadvertent divisions by zero could ever cause singularities.

6 Discrete Ghosts
Lemma 1 (Discrete ghosts). The following is a sound proof rule for introducing auxiliary variables or (discrete) ghosts:
\[ \text{(IA)}\;\frac{\Gamma \vdash [y := \theta]\phi, \Delta}{\Gamma \vdash \phi, \Delta} \]
where $y$ is a new program variable.
That proof rule IA is sound can be argued based on the soundness of the substitution axiom [:=] from Lecture 5 on Dynamical Systems & Dynamic Axioms. The assignment axiom [:=] proves validity of
\[ [y := \theta]\phi \leftrightarrow \phi \]
because the fresh variable $y$ does not occur in $\phi$.

7 Remember the Bouncing Ball

Recall the following sequent for the bouncing ball from Lecture 7 on Control Loops & Invariants, which was based on an argument in Lecture 4 on Safety & Contracts.
\[ 2gh = 2gH - v^2 \wedge h \geq 0 \vdash [h' = v, v' = -g \,\&\, h \geq 0](2gh = 2gH - v^2 \wedge h \geq 0) \tag{4} \]
The dL formula (4) can be proved using the solutions of the differential equation with proof rule $[']$. dL formula (4) can also be proved using differential invariants, with a differential cut and a use of differential weakening:
\[ \text{DC}\;\frac{
\text{DI}\;\dfrac{\dfrac{\mathbb{R}\;\dfrac{}{h \geq 0 \vdash 2gv = -2v(-g)}}{h \geq 0 \vdash (2gh' = -2vv')^{v,\,-g}_{h',\,v'}}}{2gh = 2gH - v^2 \vdash [h'' = -g \,\&\, h \geq 0]\, 2gh = 2gH - v^2}
\qquad
\text{DW}\;\dfrac{\text{ax}\;\dfrac{}{h \geq 0 \wedge 2gh = 2gH - v^2 \vdash 2gh = 2gH - v^2 \wedge h \geq 0}}{2gh = 2gH - v^2 \vdash [h'' = -g \,\&\, h \geq 0 \wedge 2gh = 2gH - v^2](2gh = 2gH - v^2 \wedge h \geq 0)}
}{2gh = 2gH - v^2 \vdash [h'' = -g \,\&\, h \geq 0](2gh = 2gH - v^2 \wedge h \geq 0)} \]

Note that differential weakening (DW) works for proving the postcondition $h \geq 0$, but DI would not work, because the derivative of $h \geq 0$ is $v \geq 0$, which is not an invariant of the bouncing ball since its velocity ultimately becomes negative when it is falling according to gravity. Note that this proof is very elegant and has notably easier arithmetic than the arithmetic we ran into when working with solutions of the bouncing ball in earlier lectures.
The reason why this proof worked so elegantly is that the invariant $2gh = 2gH - v^2 \wedge h \geq 0$ was a very good choice that we came up with in a clever way in Lecture 4. Is there a way to prove (4) without such a distinctively clever invariant that works as a differential invariant right away? Yes, of course, because (4) can even be proved using solutions $[']$. But it turns out that interesting things happen when we systematically try to understand how to make a proof happen that does not use the solution rule $[']$ and, yet, still uses solution-based arguments. Can you conceive a way to use solutions for differential equations without invoking rule $[']$?
Before you read on, see if you can find the answer for yourself.


8 Differential Ghosts
\[ 2gh = 2gH - v^2 \vdash [h'' = -g \,\&\, h \geq 0](2gh = 2gH - v^2 \wedge h \geq 0) \]
Use the usual abbreviations:
\[ A_{h,v} \;\overset{\text{def}}{\equiv}\; 2gh = 2gH - v^2 \]
\[ B_{h,v} \;\overset{\text{def}}{\equiv}\; 2gh = 2gH - v^2 \wedge h \geq 0 \]
\[ (h'' = -g) \;\overset{\text{def}}{\equiv}\; (h' = v, v' = -g) \]
The proof first remembers the initial velocity in a discrete ghost $v_0$ (rule IA), then adds a clock $t$ with $t' = 1$ as a differential ghost (rule DA), and then cuts in the relation $v = v_0 - tg$ between $v$ and its initial value (rule DC), which is itself proved by differential induction:
\[ \text{IA}\;\frac{
\text{DA}\;\dfrac{
\text{DC}\;\dfrac{
\text{DI}\;\dfrac{\dfrac{\mathbb{R}\;\dfrac{}{h \geq 0 \vdash -g = -1 \cdot g}}{h \geq 0 \vdash (v' = -t'g)^{-g,\,1}_{v',\,t'}}}{A_{h,v} \vdash \{v_0 := v\}[h'' = -g, t' = 1 \,\&\, h \geq 0]\, v = v_0 - tg}
\qquad
A_{h,v} \vdash \{v_0 := v\}[h'' = -g, t' = 1 \,\&\, h \geq 0 \wedge v = v_0 - tg]\, B_{h,v}
}{A_{h,v} \vdash \{v_0 := v\}[h'' = -g, t' = 1 \,\&\, h \geq 0]\, B_{h,v}}
}{A_{h,v} \vdash \{v_0 := v\}[h'' = -g \,\&\, h \geq 0]\, B_{h,v}}
}{A_{h,v} \vdash [h'' = -g \,\&\, h \geq 0]\, B_{h,v}} \]
where the proof step marked DA omits the (here trivial) left premise of rule DA, which proves because $B_{h,v} \to \exists t\, B_{h,v}$ is trivially valid in first-order logic, as the fresh $t$ does not even occur in $B_{h,v}$ here.
The right premise in the above proof proves as follows:
\[ \text{IA}\;\frac{
\text{DC}\;\dfrac{
\text{DI}\;\dfrac{\dfrac{\text{ax}\;\dfrac{}{h \geq 0 \wedge v = v_0 - tg \vdash v = v_0 - 2\tfrac{g}{2}t}}{h \geq 0 \wedge v = v_0 - tg \vdash (h' = v_0 t' - 2\tfrac{g}{2}tt')^{v,\,1}_{h',\,t'}}}{A_{h,v} \vdash \{h_0 := h, v_0 := v\}[h'' = -g, t' = 1 \,\&\, h \geq 0 \wedge v = v_0 - tg]\, h = h_0 + v_0 t - \tfrac{g}{2}t^2}
\qquad \lhd
}{A_{h,v} \vdash \{h_0 := h, v_0 := v\}[h'' = -g, t' = 1 \,\&\, h \geq 0 \wedge v = v_0 - tg]\, B_{h,v}}
}{A_{h,v} \vdash \{v_0 := v\}[h'' = -g, t' = 1 \,\&\, h \geq 0 \wedge v = v_0 - tg]\, B_{h,v}} \]
The proof step marked DC has a second premise which is elided (marked by $\lhd$) and proves as follows:
\[ \text{DW}\;\frac{\mathbb{R}\;\dfrac{}{h \geq 0 \wedge v = v_0 - tg \wedge h = h_0 + v_0 t - \tfrac{g}{2}t^2 \vdash B_{h,v}}}{A_{h,v} \vdash \{h_0 := h, v_0 := v\}[h'' = -g, t' = 1 \,\&\, h \geq 0 \wedge v = v_0 - tg \wedge h = h_0 + v_0 t - \tfrac{g}{2}t^2]\, B_{h,v}} \]

The arithmetic (marked $\mathbb{R}$) can be proved with enough care, but it has a twist! First of all, the arithmetic can be simplified substantially using the equality substitution rule $=r$ and subsequent weakening.
\[ {=}r\;\frac{
\wedge l, Wl\;\dfrac{
\wedge r\;\dfrac{
Wl\;\dfrac{\mathbb{R}\;\dfrac{}{\vdash 2g(h_0 + v_0 t - \tfrac{g}{2}t^2) = 2gH - (v_0 - tg)^2}}{h \geq 0 \vdash 2g(h_0 + v_0 t - \tfrac{g}{2}t^2) = 2gH - (v_0 - tg)^2}
\qquad
\text{ax}\;\dfrac{}{h \geq 0 \vdash h \geq 0}
}{h \geq 0 \vdash 2g(h_0 + v_0 t - \tfrac{g}{2}t^2) = 2gH - (v_0 - tg)^2 \wedge h \geq 0}
}{h \geq 0 \wedge v = v_0 - tg \wedge h = h_0 + v_0 t - \tfrac{g}{2}t^2 \vdash 2g(h_0 + v_0 t - \tfrac{g}{2}t^2) = 2gH - (v_0 - tg)^2 \wedge h \geq 0}
}{h \geq 0 \wedge v = v_0 - tg \wedge h = h_0 + v_0 t - \tfrac{g}{2}t^2 \vdash 2gh = 2gH - v^2 \wedge h \geq 0} \]

15-424 L ECTURE N OTES

A NDR E P LATZER

L15.8

Ghosts & Differential Ghosts

Observe how this use of equality substitution and weakening helped simplify the arithmetic complexity of the formula substantially and even helped to eliminate a variable ($v$) right away. This can be useful to simplify arithmetic in many other cases as well.
The arithmetic in the left branch
\[ 2g(h_0 + v_0 t - \tfrac{g}{2}t^2) = 2gH - (v_0 - tg)^2 \]
expands by polynomial arithmetic on both sides to
\[ 2gh_0 + 2gv_0 t - g^2 t^2 = 2gH - v_0^2 + 2v_0 tg - t^2 g^2 \]
The terms $2gv_0 t$ and $-g^2 t^2$ occur on both sides and cancel. That leaves the remaining condition
\[ 2gh_0 = 2gH - v_0^2 \]
Indeed, this relation characterizes exactly how $H$, which turns out to have been the maximal height, relates to the initial height $h_0$ and initial velocity $v_0$. In the case of initial velocity $v_0 = 0$, this relation collapses to $h_0 = H$.
For the case of the bouncing ball, this proof was unnecessarily complicated, because the solution rule $[']$ could have been used instead. But the same proof technique can be useful in more complicated systems that do not have computable solutions, but in which other relations between initial (or intermediate) and final state can be proved.
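The following Python script is an added example (it is not part of the lecture notes and not KeYmaera code) that checks three of this lecture's reductions symbolically with exact rational arithmetic: the two equational reductions of Proposition 3 (disjunction to a product, conjunction to a sum of squares), the $-p^2 \geq 0$ reduction of Proposition 6, and the two differential cuts plus the closing arithmetic of the ghost proof above. It uses a small hand-written multivariate polynomial type rather than a library; the differential $F'^{\theta}_{x'}$ of a polynomial $p$ along $x' = \theta$ is computed as $\sum_i \frac{\partial p}{\partial x_i}\theta_i$. The rotation system $x' = y, y' = -x, z' = 0$ and the field $x' = x, y' = y$ are constructed for the demonstration; the bouncing-ball system and its ghosts $h_0, v_0, t$ are the ones from Sect. 8.

```python
# Added example (not part of the lecture notes): exact symbolic checks of the reductions
# in Propositions 3 and 6 and of the ghost proof in Sect. 8, via a tiny polynomial type.
from fractions import Fraction

class Poly:
    """Polynomial with rational coefficients: {monomial: coeff}, monomial = sorted tuple of (var, exp)."""
    def __init__(self, terms=None):
        self.terms = {m: Fraction(c) for m, c in (terms or {}).items() if c != 0}
    @staticmethod
    def var(name):
        return Poly({((name, 1),): 1})
    @staticmethod
    def const(c):
        return Poly({(): c})
    def _lift(self, other):
        return other if isinstance(other, Poly) else Poly.const(other)
    def __add__(self, other):
        out = dict(self.terms)
        for m, c in self._lift(other).terms.items():
            out[m] = out.get(m, 0) + c
        return Poly(out)
    __radd__ = __add__
    def __neg__(self):
        return Poly({m: -c for m, c in self.terms.items()})
    def __sub__(self, other):
        return self + (-self._lift(other))
    def __mul__(self, other):
        out = {}
        for m1, c1 in self.terms.items():
            for m2, c2 in self._lift(other).terms.items():
                exps = dict(m1)
                for v, e in m2:
                    exps[v] = exps.get(v, 0) + e
                m = tuple(sorted(exps.items()))
                out[m] = out.get(m, 0) + c1 * c2
        return Poly(out)
    __rmul__ = __mul__
    def diff(self, v):
        """Partial derivative with respect to variable v."""
        out = {}
        for m, c in self.terms.items():
            exps = dict(m)
            if exps.get(v, 0) == 0:
                continue
            e = exps[v]
            exps[v] = e - 1
            if exps[v] == 0:
                del exps[v]
            nm = tuple(sorted(exps.items()))
            out[nm] = out.get(nm, 0) + c * e
        return Poly(out)
    def degree(self):
        return max((sum(e for _, e in m) for m in self.terms), default=0)
    def is_zero(self):
        return not self.terms
    def __eq__(self, other):
        return (self - self._lift(other)).is_zero()

def differential(p, field):
    """(p)'^theta_{x'}: total derivative of p with each x_i' replaced by theta_i = field[x_i]."""
    total = Poly.const(0)
    for v, theta in field.items():
        total = total + p.diff(v) * theta
    return total

x, y, z = Poly.var("x"), Poly.var("y"), Poly.var("z")
ROTATION = {"x": y, "y": -x, "z": Poly.const(0)}     # constructed: x' = y, y' = -x, z' = 0

def prop3_reductions():
    """Proposition 3: 'p = 0 or q = 0' becomes pq = 0, 'p = 0 and q = 0' becomes p^2 + q^2 = 0.
    Returns (deg of pq, its differential vanishes, deg of p^2 + q^2, its differential vanishes)."""
    p, q = x * x + y * y - 1, z - 2            # each is an equational invariant of ROTATION
    disj, conj = p * q, p * p + q * q
    return (disj.degree(), differential(disj, ROTATION).is_zero(),
            conj.degree(), differential(conj, ROTATION).is_zero())

def prop6_reduction():
    """Proposition 6: (-p^2)' = -2 p p' holds in general, so it vanishes wherever p' does."""
    p = x * x + y * y - 1
    generic = {"x": x, "y": y, "z": Poly.const(0)}  # constructed x' = x, y' = y: here p' != 0
    chain_rule = differential(-(p * p), generic) == -2 * p * differential(p, generic)
    return chain_rule, differential(-(p * p), ROTATION).is_zero()

h, v, t, h0, v0, g, H = (Poly.var(n) for n in ("h", "v", "t", "h0", "v0", "g", "H"))
BALL = {"h": v, "v": -g, "t": Poly.const(1)}         # h' = v, v' = -g, t' = 1; h0, v0, g, H constant

def ghost_invariants():
    """The two differential cuts of the ghost proof in Sect. 8, plus its final arithmetic."""
    half_g = Fraction(1, 2) * g
    cut1 = v - v0 + t * g                             # v = v0 - t g
    cut2 = h - h0 - v0 * t + half_g * t * t           # h = h0 + v0 t - (g/2) t^2
    d1 = differential(cut1, BALL)                     # -g + g: DI closes this directly
    d2 = differential(cut2, BALL)                     # v - v0 + t g: zero only on the evolution
                                                      # domain that the first cut added (hence DC first)
    hs, vs = h0 + v0 * t - half_g * t * t, v0 - t * g  # h and v after equality substitution (=r)
    leftover = 2 * g * hs - (2 * g * H - vs * vs)     # LHS minus RHS of the R branch
    return d1.is_zero(), d2 == cut1, leftover == 2 * g * h0 - 2 * g * H + v0 * v0
```

The second value returned by `ghost_invariants` is the instructive one: the differential of the height relation is not identically zero but equals the velocity relation $v = v_0 - tg$, which is exactly why that relation has to be cut into the evolution domain before the height relation can be proved by DI. The third value confirms that the $t$-dependent terms cancel and only $2gh_0 = 2gH - v_0^2$ remains.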
Lemma 2 (Differential ghosts). The following is a sound proof rule differential auxiliaries (DA) for introducing auxiliary differential variables or differential ghosts [Pla12]:
\[ \text{(DA)}\;\frac{\Gamma \vdash \phi \leftrightarrow \exists y\, \psi, \Delta \qquad \psi \vdash [x' = \theta, y' = \eta \,\&\, H]\, \psi}{\Gamma \vdash [x' = \theta \,\&\, H]\, \phi, \Delta} \]
where $y$ is new and $y' = \eta, y(0) = y_0$ has a solution $y : [0, \infty) \to \mathbb{R}^n$ for each $y_0$.
Rule DA is applicable if $y$ is a new variable and the new differential equation $y' = \eta$ has global solutions on $H$ (e.g., because term $\eta$ satisfies a Lipschitz condition [Wal98, Proposition 10.VII], which is definable in first-order real arithmetic and thus decidable). Without that condition, adding $y' = \eta$ could limit the duration of system evolutions incorrectly. In fact, it would be sufficient for the domains of definition of the solutions of $y' = \eta$ to be no shorter than those of $x$. Soundness is easy to see, because precondition $\phi$ implies $\psi$ for some choice of $y$ (left premise). Yet, for any $y$, $\psi$ is an invariant of the extended dynamics (right premise). Thus, $\psi$ always holds after the evolution for some $y$ (its value can be different than in the initial state), which still implies $\phi$ (left premise). Since $y$ is fresh and its differential equation does not limit the duration of solutions of $x$ on $H$, this implies the conclusion. Since $y$ is fresh, $y$ does not occur in $H$, and, thus, its solution does not leave $H$, which would incorrectly restrict the duration of the evolution as well.
Intuitively, rule DA can help proving properties, because it may be easier to characterize how $x$ changes in relation to an auxiliary variable $y$ with a suitable differential equation ($y' = \eta$).


As an example, the differential ghost $y$ with $y' = \frac{y}{2}$ turns the open-set property $x > 0$ into the equation $xy^2 = 1$, which is a differential invariant of the extended dynamics:
\[ \text{DA}\;\frac{
\vdash x > 0 \leftrightarrow \exists y\, xy^2 = 1
\qquad
\text{DI}\;\dfrac{\dfrac{\dfrac{}{\vdash -xy^2 + 2xy\tfrac{y}{2} = 0}}{\vdash (x'y^2 + x2yy' = 0)^{-x,\,\frac{y}{2}}_{x',\,y'}}}{xy^2 = 1 \vdash [x' = -x, y' = \tfrac{y}{2}]\, xy^2 = 1}
}{x > 0 \vdash [x' = -x]\, x > 0} \]
It can be shown [Pla12] that there are properties such as this one that need differential ghosts (or differential auxiliaries) to prove.

9 Axiomatic Ghosts
When neglecting wind, gravitation, and so on, which is appropriate for analysing cooperation in air traffic control [TPS98], the in-flight dynamics of an aircraft at $x$ can be described by the following differential equation system; see [TPS98] for details:
\[ x_1' = v \cos\vartheta \qquad x_2' = v \sin\vartheta \qquad \vartheta' = \omega. \tag{5} \]
That is, the linear velocity $v$ of the aircraft changes both positions $x_1$ and $x_2$ in the (planar) direction corresponding to the orientation $\vartheta$ the aircraft is currently heading toward. Further, the angular velocity $\omega$ of the aircraft changes the orientation $\vartheta$ of the aircraft.

[Figure 2 (diagram not reproduced): Aircraft dynamics, showing the positions $x_1, x_2$ and $y_1, y_2$ and the heading vector $d$]


Unlike for straight-line flight ($\omega = 0$), the nonlinear dynamics in (5) is difficult to analyse [TPS98] for curved flight ($\omega \neq 0$), especially due to the trigonometric expressions which are generally undecidable. Solving (5) requires the Floquet theory of differential equations with periodic coefficients [Wal98, Theorem 18.X] and yields mixed polynomial expressions with multiple trigonometric functions. A true challenge, however, is the need to verify properties of the states that the aircraft reach by following these solutions, which requires proving that complicated formulas with mixed polynomial arithmetic and trigonometric functions hold true for all values of state variables and all possible evolution durations. However, quantified arithmetic with trigonometric functions is undecidable by Gödel's incompleteness theorem [Göd31].


To obtain polynomial dynamics, we axiomatize the trigonometric functions in the


dynamics differentially and reparametrize the state correspondingly. Instead of angular
orientation and linear velocity v, we use the linear speed vector
d = (d1 , d2 ) := (v cos , v sin ) R2
p
which describes both the linear speed kdk := d21 + d22 = v and the orientation of the
aircraft in space; see Figs. 2 and 3. Substituting this coordinate change into differential
Figure 3: Reparametrize for differential axiomatization (axes x1, x2; d1 = v cos , d2 = v sin )
equations (5), we immediately have x1 = d1 and x2 = d2 . With the coordinate change,
we further obtain differential equations for d1 , d2 from differential equation system (5)
by simple symbolic differentiation:
d1 = (v cos ) = v cos + v( sin ) = (v sin ) = d2 ,
d2 = (v sin ) = v sin + v(cos ) = (v cos ) = d1 .

The middle equality holds for constant linear velocity (v = 0), which we assume, because only limited variations in linear speed are possible and cost-effective during the
flight [TPS98, LLL00] so that angular velocity is the primary control parameter in air
traffic control. Hence, equations (5) can be restated as the following differential equation F():
x1 = d1 , x2 = d2 , d1 = d2 , d2 = d1    (F())
y1 = e1 , y2 = e2 , e1 = e2 , e2 = e1    (G())

Differential equation F() expresses that position x = (x1 , x2 ) changes according to the linear speed vector d = (d1 , d2 ), which in turn rotates according to . Simultaneous movement together with a second aircraft at y ∈ R² having linear speed e ∈ R²
(also indicated with angle in Fig. 2) and angular velocity corresponds to the differential equation F(), G(). Differential equations capture simultaneous dynamics of
multiple traffic agents succinctly using conjunction.
By this differential axiomatization, we thus obtain polynomial differential equations.
Note, however, that their solutions still involve the same complicated nonlinear trigonometric expressions so that solutions still give undecidable arithmetic [Pla10b, Appendix
B]. Our proof calculus in this chapter works with the differential equations themselves
and not with their solutions, so that differential axiomatization helps.
The same technique helps when handling other special functions in other cases by
differential axiomatization.
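The differential axiomatization above, checked numerically as an added example (not code from the lecture notes): the polynomial system F(ω) is integrated with Runge-Kutta and compared with the trigonometric solution of (5), and the speed d1² + d2² is shown to be a differential invariant of F(ω) directly from the polynomial right-hand side. The names theta (orientation angle) and omega (angular velocity) and the signs d1' = -ω d2, d2' = ω d1 are my assumptions, since the Greek letters of the original were lost.

```python
# Added example, not from the lecture notes. It checks the polynomial form
# F(omega) of the aircraft dynamics against the trigonometric form (5).
# Naming assumptions (the Greek letters were lost in extraction): theta is
# the orientation angle, omega the constant angular velocity, and the signs
# follow from differentiating v*cos(theta) and v*sin(theta):
#     x1' = d1,  x2' = d2,  d1' = -omega*d2,  d2' = omega*d1.
import math


def f_omega(state, omega):
    """Right-hand side of F(omega) for the state vector (x1, x2, d1, d2)."""
    _, _, d1, d2 = state
    return (d1, d2, -omega * d2, omega * d1)


def rk4(state, omega, t, steps=2000):
    """Integrate F(omega) for duration t with the classical Runge-Kutta 4 scheme."""
    h = t / steps
    s = state
    for _ in range(steps):
        k1 = f_omega(s, omega)
        k2 = f_omega(tuple(si + h / 2 * ki for si, ki in zip(s, k1)), omega)
        k3 = f_omega(tuple(si + h / 2 * ki for si, ki in zip(s, k2)), omega)
        k4 = f_omega(tuple(si + h * ki for si, ki in zip(s, k3)), omega)
        s = tuple(si + h / 6 * (a + 2 * b + 2 * c + d)
                  for si, a, b, c, d in zip(s, k1, k2, k3, k4))
    return s


def trig_solution(x1, x2, v, theta, omega, t):
    """Closed-form solution of (5) for curved flight (omega != 0): the heading
    grows linearly, theta(t) = theta + omega*t, and the position moves along a
    circle of radius v/omega.  These are the mixed trigonometric expressions
    the text says are hard to reason about for all durations t."""
    th = theta + omega * t
    return (x1 + v / omega * (math.sin(th) - math.sin(theta)),
            x2 - v / omega * (math.cos(th) - math.cos(theta)),
            v * math.cos(th), v * math.sin(th))


def speed(state):
    """The linear speed ||d|| = sqrt(d1^2 + d2^2) recovered from the state."""
    return math.hypot(state[2], state[3])


def invariant_derivative(state, omega):
    """Derivative of d1^2 + d2^2 along F(omega).  It vanishes identically:
    2*d1*(-omega*d2) + 2*d2*(omega*d1) = 0, so the speed is a differential
    invariant of the polynomial system, provable without solving it."""
    _, _, d1, d2 = state
    _, _, dd1, dd2 = f_omega(state, omega)
    return 2 * d1 * dd1 + 2 * d2 * dd2


def max_deviation(v=1.0, theta=0.3, omega=0.5, t=4.0):
    """Largest componentwise gap between integrating F(omega) numerically and
    the trigonometric solution of (5) from the same initial state."""
    x0 = (0.0, 0.0, v * math.cos(theta), v * math.sin(theta))
    exact = trig_solution(0.0, 0.0, v, theta, omega, t)
    return max(abs(a - b) for a, b in zip(rk4(x0, omega, t), exact))


def speed_drift(v=1.0, theta=0.3, omega=0.5, t=4.0):
    """Change of ||d|| along F(omega); stays near zero, matching the constant
    linear velocity (v' = 0) assumed in the derivation."""
    x0 = (0.0, 0.0, v * math.cos(theta), v * math.sin(theta))
    return abs(speed(rk4(x0, omega, t)) - v)
```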


10 Summary
The major lesson from today's lecture is that it can sometimes be easier to relate a variable to its initial value or to other quantities. Ghosts, in their various forms, let us achieve that by adding auxiliary variables into the system dynamics. Sometimes such ghosts are even necessary to prove properties, although, as a workaround, it is also sometimes possible to rewrite the original model so that it already includes the ghost variables. The phenomenon that relations between state and ghost variables are sometimes easier to prove than just properties of state variables applies in either case. A secondary goal of today's lecture is, again, developing more intuition and a deeper understanding of differential invariants and differential cuts.

References

[God31] Kurt Gödel. Über formal unentscheidbare Sätze der Principia Mathematica und verwandter Systeme I. Mon. hefte Math. Phys., 38:173–198, 1931.
[LLL00] Carolos Livadas, John Lygeros, and Nancy A. Lynch. High-level modeling and analysis of TCAS. Proc. IEEE - Special Issue on Hybrid Systems: Theory & Applications, 88(7):926–947, 2000.
[Pla10a] André Platzer. Differential-algebraic dynamic logic for differential-algebraic programs. J. Log. Comput., 20(1):309–352, 2010. doi:10.1093/logcom/exn070.
[Pla10b] André Platzer. Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics. Springer, Heidelberg, 2010. doi:10.1007/978-3-642-14509-4.
[Pla12] André Platzer. The structure of differential invariants and differential cut elimination. Logical Methods in Computer Science, 8(4):1–38, 2012. doi:10.2168/LMCS-8(4:16)2012.
[Pla13] André Platzer. A complete axiomatization of differential game logic for hybrid games. Technical Report CMU-CS-13-100R, School of Computer Science, Carnegie Mellon University, Pittsburgh, PA, January 2013. Revised and extended in July 2013.
[PQ08] André Platzer and Jan-David Quesel. KeYmaera: A hybrid theorem prover for hybrid systems. In Alessandro Armando, Peter Baumgartner, and Gilles Dowek, editors, IJCAR, volume 5195 of LNCS, pages 171–178. Springer, 2008. doi:10.1007/978-3-540-71070-7_15.
[TPS98] Claire Tomlin, George J. Pappas, and Shankar Sastry. Conflict resolution for air traffic management: a study in multi-agent hybrid systems. IEEE T. Automat. Contr., 43(4):509–521, 1998.
[Wal98] Wolfgang Walter. Ordinary Differential Equations. Springer, 1998.


15-424: Foundations of Cyber-Physical Systems

Lecture Notes on
Differential & Temporal Logics
Andre Platzer
Carnegie Mellon University
Lecture 16

1 Introduction
This course is devoted to the study of the Foundations of Cyber-Physical Systems
[Pla12c, Pla12b]. Lecture 3 on Choice & Control explained hybrid programs, a program notation for hybrid systems [Pla08, Pla10, Pla12c, Pla12a]. Lecture 4 on Safety &
Contracts defined differential dynamic logic [Pla08, Pla10, Pla12c, Pla12a] as a specification and verification logic for hybrid programs. Lecture 5 on Dynamical Systems
& Dynamic Axioms and subsequent lectures studied proof principles for differential
dynamic logic with which we can prove correctness properties of hybrid systems. In
your labs, you have demonstrated aptly how you can model, specify, and verify quite
sophisticated and challenging robots.
Yet, there was one rather puzzling phenomenon that we noticed in Lecture 4 but then did not have a chance to consider any further. For a hybrid program and differential dynamic logic formula , the modal formula
[]
expresses that all final states reached by all runs of satisfy the logical formula . The modal formula [] is, consequently, false exactly in those states from which can reach a final state that violates the safety condition . Yet, what about states from which the final state reached by running is safe but some intermediate state along the execution of was not safe?
Shouldn't systems that violate the safety condition at an intermediate state be considered unsafe as well?
The short answer is: that depends.
Does it even make a difference whether we study intermediate states as well or only
worry about final states?

15-424 LECTURE NOTES
October 28, 2013
ANDRÉ PLATZER
L16.2
Differential & Temporal Logics

The short answer is again: that depends.


What exactly it depends on and how to systematically approach the general case of safety throughout the system execution is what today's lecture studies. The key to the
answer will be understanding the temporal behavior of hybrid programs. The hybrid
trace semantics of hybrid programs will also give us a deeper understanding of the
hybrid aspect of time in hybrid systems.
This lecture is based on [Pla10, Chapter 4], which is a significant extension of [Pla07].

2 Temporalizing Hybrid Systems


In order to be able to distinguish whether a CPS is safe at the end of its run or safe always throughout its run, differential dynamic logic dL will be extended with additional
temporal modalities. The resulting logic extends dL and is called differential temporal dynamic logic (dTL) [Pla10, Chapter 4]. The modal formula
[]
of dL [Pla08, Pla12c] expresses that all final states reached by all runs of satisfy the
logical formula . The same dL formula [] is allowed in the logic dTL and has the
same semantics [Pla10, Chapter 4]. The new temporal modal dTL formula
[]
instead, expresses that all states reached all along all traces of satisfy . Those two modalities can be used to distinguish systems that are safe always throughout from those that are only safe in final states. For example, if the dTL formula
[] []
is true in an initial state , then the system will be safe (in the sense of satisfying )
in all final states reached after running from , but is not safe always throughout all
traces of all runs of from . Can that happen?
You should try to answer this question before it is discussed in a later part of these
lecture notes.

3 Syntax of Differential Temporal Dynamic Logic


The differential temporal dynamic logic dTL extends differential dynamic logic [Pla08,
Pla10, Pla12c] with temporal modalities for verifying temporal specifications of hybrid
systems. Hence, dTL has two kinds of modalities:
Modal operators. Modalities of dynamic logic express statements about all possible
behaviour ([]) of a system , or about the existence of a trace (hi), satisfying
condition . Unlike in standard dynamic logic, is a model of a hybrid system.


The logic dTL uses hybrid programs to describe as in previous lectures. Yet,
unlike in standard dynamic logic [HKT00] or dL, is a trace formula in dTL, and
can refer to all states that occur during a trace using temporal operators.
Temporal operators. For dTL, the temporal trace formula  expresses that the formula holds all along a trace selected by [] or hi. For instance, the state formula hi says that the state formula holds at every state along at least one
trace of . Dually, the trace formula expresses that holds at some point during such a trace. It can occur in a state formula hi to express that there is such
a state in some trace of , or as [] to say that along each trace there is a state
satisfying . The primary focus of attention in today's lecture is on homogeneous combinations of path and trace quantifiers like [] or hi.
The formulas of dTL are defined similarly to differential dynamic logic. However,
the modalities [] and hi accept trace formulas that refer to the temporal behavior of
all states along a trace. Inspired by CTL and CTL [EC82, EH86], dTL distinguishes
between state formulas, which are true or false in states, and trace formulas, which
are true or false for system traces. The sets Fml of state formulas and FmlT of trace
formulas with variables in are simultaneously inductively defined in Def. 1.
Definition 1 (dTL formula). The (state) formulas of differential temporal dynamic logic
(dTL) are defined by the grammar (where , are dTL state formulas, is a dTL
trace formula, 1 , 2 (polynomial) terms, x a variable, a HP):
, ::= 1 = 2 | 1 2 | | | | | x | x | [] | hi
The trace formulas of dTL are defined by the grammar (where is a dTL state formula):
::= |  |
Operators >, , <, can be defined as usual, e.g., ( ) ( ).
Formulas without  and are nontemporal formulas and have the same semantics as
the corresponding dL formulas. Unlike in CTL, dTL state formulas are true on a trace if
they hold for the last state of a trace, not for the first. Thus, dTL formula [] expresses
that is true at the end of each trace of , which is the same as the dL formula []. In
contrast, [] expresses that is true all along all states of every trace of . This combination gives a smooth embedding of nontemporal dL into dTL and makes it possible
to define a compositional calculus. Like CTL, dTL allows nesting with a branching time
semantics [EC82], e.g., [](x 2 hix 0).

4 Trace Semantics of Hybrid Programs


In differential dynamic logic dL [Pla08, Pla12c] from Lecture 4, modalities only refer to the
final states of system runs and the semantics is a reachability relation on states: State


is reachable from state using system if there is a run of which terminates in


when started in . For dTL, however, formulas can refer to intermediate states of runs
as well. To capture this, we change the semantics of a hybrid system to be the set of
its possible traces, i.e., successions of states that occur during the evolution of . The
relation between the initial and the final state alone is not sufficient.
States define the values of system variables during a hybrid evolution. A state is a
map : R. In addition, we distinguish a separate state to denote the failure of a
system run when it is aborted due to a test ? that yields false. In particular, can only
occur at the end of an aborted system run and marks that no further extension of that
trace is possible because of a failed test. The set of all states is denoted by S.
Hybrid systems evolve along piecewise continuous traces in multi-dimensional space
as time passes. Continuous phases are governed by differential equations, whereas discontinuities are caused by discrete jumps in state space. Unlike in discrete cases [Pra79,
BS01], traces are not just sequences of states, since hybrid systems pass through uncountably many states even in bounded time. Beyond that, continuous changes are
more involved than in pure real time [ACD90, HNSY92], because all variables can
evolve along differential equations with different slopes. Generalizing the real-time
traces of [HNSY92], the following definition captures hybrid behaviour by splitting the
uncountable succession of states into periods i that are regulated by the same control
law. For discrete jumps, some of those periods are point flows of duration 0.
The (trace) semantics of hybrid programs is compositional, that is, the semantics of
a complex program is defined as a simple function of the trace semantics of its parts.
What a hybrid trace captures is the full temporal evolution of a hybrid system. Hybrid
systems can behave in different ways, so their trace semantics will be a set of hybrid
traces, each of which describes one particular temporal evolution over time. Time,
however, is hybridized to a pair (i, ) of a discrete time index i N and a real time
point R. A single time component R itself would be an inadequate model of
time for hybrid systems, because hybrid systems can make progress by a discrete transition without continuous time passing. That happens whenever discrete controls take
action. Continuous time only passes during continuous evolutions along differential
equations. Discrete actions only make discrete time index i pass.
Definition 2 (Hybrid trace). A trace is a (nonempty) finite or infinite sequence
= (0 , 1 , 2 , . . . ) of functions i : [0, ri ] S with their respective durations ri R
(for i N). A position of is a pair (i, ) with i N and in the interval [0, ri ]; the
state of at (i, ) is i (). Positions of are ordered lexicographically by (i, ) (j, )
iff either i < j, or i = j and < . Further, for a state S, : 0 7 is the point
flow at with duration 0. A trace terminates if it is a finite sequence (0 , 1 , . . . , n )
and n (rn ) 6= . In that case, the last state n (rn ) is denoted by last . The first
state 0 (0) is denoted by first .
Unlike in [ACD90, HNSY92], the definition of traces also admits finite traces of bounded
duration, which is necessary for compositionality of traces in ; . The semantics of


hybrid programs as the set () of its possible traces depends on valuations [[]] of
formulas and terms at intermediate states . The valuation of terms and interpretations
of function and predicate symbols are as for real arithmetic (Lecture 4). The valuation
of formulas will be defined in Def. 6. Again, we use xd to denote the modification that
agrees with state on all variables except for the symbol x, which is changed to d R.
Definition 3 (Trace semantics of hybrid programs). The trace semantics, (), of a
hybrid program , is the set of all its possible hybrid traces and is defined inductively as follows:
1. (x := ) = {( , ) : = except that [[x]] = [[]] for S}
2. (x = & H) = {() : (t) |= x = and (t) |= H for all 0 t r for a solution : [0, r] S of any duration r}; i.e., with (t)(x ) := d()(x)/d (t), solves the differential equation and satisfies H at all times, see Lecture 2.
3. (?) = {( ) : [[]] = true} {( , ) : [[]] = false}
4. ( ) = () ()
5. (; ) = { : () , () when is defined}; the composition of = (0 , 1 , 2 , . . . ) and = (0 , 1 , 2 , . . . ) is
   := (0 , . . . , n , 0 , 1 , . . . ) if terminates at n and last = first
   := if does not terminate
   := not defined otherwise
6. ( ) = ⋃nN (n ), where n+1 := (n ; ) for n 1, as well as 1 := and 0 := (?true).
Time passes differently during discrete and continuous change. During continuous
evolution, the discrete step index i of positions (i, ) remains constant, whereas the
continuous duration remains 0 during discrete point flows. This permits multiple
discrete state changes to happen at the same (super-dense) continuous time, unlike in
other approaches [ACD90].
Example 4. For comparing the transition semantics of hybrid programs for dL from
Lecture 3 and the trace semantics of hybrid programs for dTL from Def. 3, consider the
following simple hybrid program :
a := 2a; a := a2 .
The transition semantics is just the relation between initial and final states:
() {(, ) : is like except that (a) = 4(a)2 }.


In particular, the dL formula []a 0 is valid, because all final states have a square as
the value of a. In contrast, the trace semantics of retains all intermediate states:
() {( , s, ) : s is like except s(a) = 2(a) and is like s except (a) = s(a)² = 4(a)² }.
During these traces, a 0 does not hold at all states. If the trace starts with a positive
value ( |= a > 0), then it will become negative at the point flow s (where s |= a < 0),
yet recover to a positive value ( |= a > 0) at the end.
Example 5. The previous example only had discrete jumps, and, thus, the traces only
involved point flows. Now consider the hybrid program from the train context:
a := b; z = v, v = a; ?v 0; a := A; z = v, v = a.
The transition semantics of this program only considers successful runs to completion.
In particular, if A > 0, the velocity v will always be nonnegative at the end (otherwise
the test ?v 0 in the middle fails and the program aborts), because the last differential
equation will accelerate and increase the velocity again. Thus, the position z at the end
of the program run will never be smaller than at the beginning.
If, instead, we consider the trace semantics of , all intermediate states are in the set
of traces:
() {(0 , 1 , 1 , 2 , 3 , 2 ) : 1 = 0 [a ↦ 0 (b)] and
1 is a state flow of some duration r1 0 with 1 |= z = v v = a
starting in 1 (0) = 1 and ending in a state with 1 (r1 )(v) 0
and 2 = 1 (r1 ), 3 = 1 (r1 )[a ↦ 1 (r1 )(A)] and
2 is a state flow of some duration r2 0 with 2 |= z = v v = a
starting in 2 (0) = 3 and ending in state 2 (r2 )}
{(0 , 1 , 1 , 2 , ) : 1 = 0 [a ↦ 0 (b)] and
1 is a state flow of some duration r 0 with 1 |= z = v v = a
starting in 1 (0) = 1 and ending in a state with 1 (r)(v) < 0
further 2 = 1 (r)}.
The first set is the set of traces where the test ?v 0 in the middle succeeds and the system continues. The second set (after the union) is the set of traces that are aborted during their execution, because the middle test fails. Note that the traces in the first set have two continuous flows 1 , 2 and four point flows 0 , 1 , 2 , 3 in each trace. The traces in the second set have only one continuous flow 1 and three point flows 0 , 1 , 2 , because the subsequent aborting point flow does not terminate and aborts all further execution. In the trace semantics, v < 0 is possible in the middle of some traces, which is a fact that the transition semantics does not notice. Combining
traces for , that is, for
(a := 2a; a := a2 ) (a := b; z = v, v = a; ?v 0; a := A; z = v, v = a)


is just the union () () of the traces () and () from Examples 4 and 5. Note
that a 0 will hold at least once during every trace of , either in the beginning, or
after setting a := 2a or a := b, respectively, when we assume b > 0.

5 Semantics of State and Trace Formulas


In the semantics of dTL formulas, the dynamic modalities determine the set of traces
according to the trace semantics of hybrid programs, and, independently, the temporal modalities determine at which points in time the respective postcondition needs
to hold. The semantics of formulas is compositional and denotational, that is, the semantics of a complex formula is defined as a simple function of the semantics of its
subformulas.


Definition 6 (dTL semantics). The satisfaction relation |= for a dTL (state) formula in state is defined inductively:
|= (1 = 2 ) iff [[1 ]] = [[2 ]] .
|= (1 2 ) iff [[1 ]] [[2 ]] .
|= iff 6|= , i.e. if it is not the case that |= .
|= iff |= and |= .
|= iff |= or |= .
|= iff 6|= or |= .
|= iff ( |= and |= ) or ( 6|= and 6|= ).
|= x iff xd |= for all d R.
|= x iff xd |= for some d R.
|= [] iff for each trace () that starts in first = , if [[]] is defined, then [[]] = true.
|= hi iff there is a trace () starting in first = such that [[]] is
defined and [[]] = true.
For trace formulas, the valuation [[]] with respect to trace is defined inductively
as:
1. If is a state formula, then [[]] = [[]]last if terminates, whereas [[]] is not
defined if does not terminate.
2. [[]] = true iff i () |= holds for all positions (i, ) of with i () 6= .
3. [[]] = true iff i () |= holds for some position (i, ) of with i () 6= .
As usual, a (state) formula is valid if it is true in all states. If |= , then we say that
dTL state formula is true at or that is a model of . A (state) formula is valid,
written  , iff |= for all states . A formula is a consequence of a set of formulas
, written  , iff, for each : ( |= for all ) implies that |= . Likewise, for
trace formula and trace we write |= iff [[]] = true and ⊭ iff [[]] = false. In particular, we only write |= or ⊭ if [[]] is defined, which is not the case if
is a state formula and does not terminate. The points where a dTL property has to
hold for the various combinations of temporal and dynamic modalities are illustrated
in Fig. 1.

Figure 1: Trace semantics of dTL formulas


6 Conservative Temporal Extension


The following result shows that the extension by temporal operators that dTL provides
does not change the meaning of nontemporal dL formulas. The trace semantics given
in Def. 6 is equivalent to the final state reachability relation semantics given in Lecture
4 for the sublogic dL of dTL.
Proposition 7 (Conservative temporal extension [Pla10, Proposition 4.1]). The logic dTL
is a conservative extension of nontemporal dL, i.e., the set of valid dL formulas is the same
with respect to transition reachability semantics of dL (Lecture 4) as with respect to the trace
semantics of dTL (Def. 6).
The proof is by induction using that the reachability relation fits to the trace semantics. That is, the reachability relation semantics of hybrid programs agrees with the first
and last states of the traces in the trace semantics.
Lemma 8 (Trace relation [Pla10, Lemma 4.1]). For hybrid programs :
() = {(first , last ) : () terminates}.
In particular, the trace semantics from today's lecture fits seamlessly to the original reachability semantics that was the basis for the previous lectures. The trace semantics exactly satisfies the objective of characterizing the same reachability relation between initial and final states, while, in addition, keeping a trace of all intermediate states around. For nontemporal dTL formulas and for dL formulas, this full trace with intermediate states is not needed, because the reachability relation between initial and final states is sufficient to define the meaning. For temporal dTL formulas, instead, the trace is crucial to give a meaning to  and .

7 Summary
This lecture introduced a temporal extension of the logic dL and a trace semantics of
hybrid programs. This extends the syntax and semantics to the presence of temporal
modalities. The next lecture investigates how to prove temporal properties of hybrid
systems.

Exercises
Exercise 1. Can you give a formula of the following form that is valid?
[] []
Exercise 2. In which case does the temporal [] differ from the nontemporal []?


References
[ACD90] Rajeev Alur, Costas Courcoubetis, and David L. Dill. Model-checking for real-time systems. In LICS, pages 414–425. IEEE Computer Society, 1990.
[BS01] Bernhard Beckert and Steffen Schlager. A sequent calculus for first-order dynamic logic with trace modalities. In Rajeev Goré, Alexander Leitsch, and Tobias Nipkow, editors, IJCAR, volume 2083 of LNCS, pages 626–641. Springer, 2001.
[DBL12] Proceedings of the 27th Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2012, Dubrovnik, Croatia, June 25–28, 2012. IEEE, 2012.
[EC82] E. Allen Emerson and Edmund M. Clarke. Using branching time temporal logic to synthesize synchronization skeletons. Sci. Comput. Program., 2(3):241–266, 1982.
[EH86] E. Allen Emerson and Joseph Y. Halpern. "Sometimes" and "Not Never" revisited: on branching versus linear time temporal logic. J. ACM, 33(1):151–178, 1986.
[HKT00] David Harel, Dexter Kozen, and Jerzy Tiuryn. Dynamic logic. MIT Press, 2000.
[HNSY92] Thomas A. Henzinger, Xavier Nicollin, Joseph Sifakis, and Sergio Yovine. Symbolic model checking for real-time systems. In LICS, pages 394–406. IEEE Computer Society, 1992.
[Pla07] André Platzer. A temporal dynamic logic for verifying hybrid system invariants. In Sergei N. Artemov and Anil Nerode, editors, LFCS, volume 4514 of LNCS, pages 457–471. Springer, 2007. doi:10.1007/978-3-540-72734-7_32.
[Pla08] André Platzer. Differential dynamic logic for hybrid systems. J. Autom. Reas., 41(2):143–189, 2008. doi:10.1007/s10817-008-9103-8.
[Pla10] André Platzer. Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics. Springer, Heidelberg, 2010. doi:10.1007/978-3-642-14509-4.
[Pla12a] André Platzer. The complete proof theory of hybrid systems. In LICS [DBL12], pages 541–550. doi:10.1109/LICS.2012.64.
[Pla12b] André Platzer. Dynamic logics of dynamical systems. CoRR, abs/1205.4788, 2012. arXiv:1205.4788.
[Pla12c] André Platzer. Logics of dynamical systems. In LICS [DBL12], pages 13–24. doi:10.1109/LICS.2012.13.
[Pra79] Vaughan R. Pratt. Process logic. In POPL, pages 93–100, 1979.


15-424: Foundations of Cyber-Physical Systems

Lecture Notes on
Differential & Temporal Proofs
Andre Platzer
Carnegie Mellon University
Lecture 17

1 Introduction
This lecture continues the study of temporal aspects of cyber-physical systems that Lecture 5 on Differential & Temporal Logics started. The trace semantics of hybrid programs as well as the semantics of differential temporal dynamic logic (dTL) [Pla10], a
temporal extension of differential dynamic logic dL [Pla08, Pla12], have been discussed
in said lecture.
This lecture is based on [Pla10, Chapter 4], which extends [Pla07].

2 Temporal Proof Rules


When extending a logic, it is not enough to extend just the syntax (Lecture 5) and semantics (Lecture 5). The proof rules also need to be extended to handle the new concepts, that is, the temporal modalities of dTL.
This section shows a sequent calculus for verifying temporal specifications of hybrid
systems in differential temporal dynamic logic dTL. With the basic idea being to perform a symbolic decomposition, the calculus transforms hybrid programs successively
into simpler logical formulas describing their effects. Statements about the temporal behaviour of a hybrid program are successively reduced to corresponding nontemporal
statements about the intermediate states. This lecture shows a proof calculus for differential temporal dynamic logic dTL that inherits the proof rules of dL from previous
lectures and adds new proof rules for temporal modalities.
Inherited Nontemporal Rules. The dTL calculus is presented in Fig. 1 and inherits the
(nontemporal) dL proof rules, i.e., the propositional, first-order, dynamic, and global

15-424 LECTURE NOTES
October 30, 2013
ANDRÉ PLATZER
L17.2
Differential & Temporal Proofs

rules from dL. That is, it includes the propositional and quantifier rules from Lecture 6.
The dynamic rules (h;i[ ]) and global rules ([]gen,higen,ind,con) for handling nontemporal dynamic modalities are also inherited directly from Lecture 6. The only possible
exception is that [],hi can be generalised to apply to formulas of the form [ ]
where is an arbitrary trace formula, and not just a state formula as in dL. Thus, may
begin with  or , which is why the rules are repeated in this generalised form as []
and hi in Fig. 1.
Note 1. Figure 1: Axiomatization of differential temporal dynamic logic dTL. The figure lists the rules ([]), ([; ]), ([?]), ([:=]), ([ ]), ([n ]), ([ ]) and their duals (hi), (h; i), (h?i), (h:=i), (h i), (hn i), (h i); is a trace formula and, unlike the state formulas and , may thus begin with a temporal modality  or .

Temporal Rules. The new temporal rules in Fig. 1 for the dTL calculus successively
transform temporal specifications of hybrid programs into nontemporal dL formulas.
The idea underlying this transformation is to decompose hybrid programs and recursively augment intermediate state transitions with appropriate specifications. Also see
Fig. 2 for an illustration of the correspondence of a representative set of proof rules for
temporal modalities to the trace semantics of hybrid programs (Def. ??).
Rule [; ] decomposes invariants of ; (i.e., [; ] holds) into an invariant of
(i.e., []) and an invariant of that holds when is started in any final state of
(i.e., []([])). Its difference with the dL rule [;] thus is that the dTL rule [; ] also
checks safety invariant at the symbolic states in between the execution of and , and
recursively so because of the temporal modality . Again, see Fig. 2 for an illustration


Figure 2: Correspondence of temporal proof rules and trace semantics


of this proof principle.


Rule [:=] expresses that invariants of assignments need to hold before and after the
discrete change (similarly for [?], except that tests do not lead to a state change, so
holding before the test is all there is to it). Rule [ ] can directly reduce invariants of
continuous evolutions to nontemporal formulas as restrictions of solutions of differential equations are themselves solutions of different duration and thus already included
in the evolutions of x = . In particular, observe that the handling of differential equations within hybrid systems is fully encapsulated within the fragment of dynamic rules
from dL.
The (optional) iteration rule [n ] can partially unwind loops. It relies on rule [; ] and
is simpler than dL rule [n ], because the other rules will inductively produce a premise
that holds in the current state, because of the temporal modality . The dual rules
hi,h; i,h?i,h:=i,h i,hn i work similarly.
In dL (Lecture 7 on Control Loops & Invariants), the primary means for handling
loops are the invariant induction (ind) and variant convergence (con) rules. The logic
dTL takes a different, completely modular approach for verifying temporal properties
of loops based on the dL capabilities for verifying nontemporal properties of loops.
Rules [ ] and h i actually define temporal properties of loops inductively. Rule [ ] expresses that holds at all times during repetitions of (i.e., [ ]) iff, after repeating
any number of times, holds at all times during one execution of (i.e., [ ]([])).
See Fig. 2 for an illustration. Dually, ⟨ ⟩ expresses that holds at some time during
repetitions of (i.e., ⟨ ⟩) iff, after some number of repetitions of , formula holds
at some point during one execution of (i.e., ⟨ ⟩(⟨⟩)). In this context, the nontemporal modality ⟨ ⟩ can be thought of as skipping over to the iteration of during
which actually occurs, as expressed by the nested dTL formula ⟨⟩. The inductive
definition rules [ ] and ⟨ ⟩ completely reduce temporal properties of loops to dTL
properties of standard nontemporal dL-modalities such that standard induction (ind)
or convergence rules (con) can be used for the outer nontemporal modality of the loop.
Hence, after applying the inductive loop definition rules [ ] and h i, the standard dL
loop invariant and variant rules can be used for verifying temporal properties of loops
without change, except that the postcondition contains temporal modalities.
Rules for handling [] and hi are discussed in [Pla10].

3 Temporal Bouncing Ball


Recall the bouncing ball that has served us so well in previous lectures.
(v2 2g(H h) h 0 g > 0 H 0 1 > c 0) [ball](0 h H).    (1)

Use the abbreviations
  ball   h = v, v = g & h 0; (?h > 0 (?h = 0; v := cv))
         g > 0 H 0 1 > c 0,
         v2 2g(H h) h 0
  ⟨h := ..(t)⟩F   ⟨h := h + vt (g/2)t2; v := v tg⟩F.
When simplifying the ball dynamics to remove evolution domain constraints:
  h = v, v = g; (?h > 0 (?h = 0; v := cv))
the proof for the simplified bouncing ball property without evolution domain constraint is shown in Fig. 3. The dL proof for the original bouncing ball property (1) with
an evolution domain constraint is shown in Fig. 4.

4 Verification Example
Recall the bouncing ball. The proofs from previous lectures or Fig. 4 can be generalized
easily to a proof of the temporal property
v 2 2g(H h) h 0 g > 0 H 0 1 > c 0

[(h = g & h 0; (?h > 0 (?h = 0; v := cv))) ](0 h H). (2)


The only aspect of the proof that changes is that the temporal proof rules in Fig. 1 are
used instead of the dynamic proof rules for dL, and that the resulting extra proof goals
for the invariance property at intermediate steps have to be proven.
In contrast, the proof in Fig. 3 for the simplified dynamics without evolution domain
restriction h 0 cannot be generalized to a proof of the temporal property
v 2 2g(H h) h 0 g > 0 H 0 1 > c 0

[(h = g; (?h > 0 (?h = 0; v := cv))) ](0 h H). (3)


This difference in provability is for good reasons. The property in (2) is valid, but the
property in (3) is not! While there was no noticeable semantical difference between
the nontemporal dL counterparts of the properties (2) versus (3), there is a decisive
difference between the corresponding temporal properties (3) and (2). Because there is
no evolution domain restriction in (3), its hybrid program does not prevent continuous
evolution to a negative height under the floor (h < 0), for which 0 h H does not
hold.
The reason for this discrepancy of the temporal version compared to the nontemporal
versions thus is that the nontemporal modalities do not see the temporary violation
of 0 h H. Such a temporary violation of 0 h during the continuous evolution
does not produce a successful run of the hybrid program, because it is blocked by


Figure 3: Bouncing ball proof (no evolution domain)


Figure 4: Bouncing ball proof (with evolution domain)


the subsequent tests ?h = 0 and ?h > 0. A state with negative height fails both tests.
While this behaviour does not give a successful program transition of (, ) (ball)
by Lecture 3 so that the proof in Fig. 3 is correct, the behaviour still gives a valid trace
(ball) by Def. ??. This trace is a partial trace, because it ends in a failure state
, but it is still one of the traces that [ball](0 h H) quantifies over (quite unlike
[ball](0 h H), which only considers final states of successful traces).
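The discrepancy between (2) and (3) can be checked concretely. The following Python code is an added example (not from the lecture notes) that samples the trace semantics of one round of the bouncing ball program from a constructed initial state; it assumes the closed-form solution of the flight dynamics and a finite sampling of the continuous evolution, so it illustrates the semantics rather than proving anything.

```python
"""Trace semantics of one round of the bouncing ball program, with and without
the evolution domain h >= 0 (constructed example, not code from the notes).

Program:  h' = v, v' = -g [& h >= 0]; (?h > 0 U (?h = 0; v := -c*v))
A trace records every state visited during the continuous evolution, whereas
the transition semantics only records the final state of a run in which all
tests succeed.
"""


def flight(h, v, g, t):
    """Closed-form solution of h' = v, v' = -g after duration t."""
    return h + v * t - g * t * t / 2, v - g * t


def ball_trace(h, v, g, c, t, with_domain, samples=50):
    """One trace: continuous evolution of duration t, then the discrete part.
    Returns (states, outcome), where outcome is one of
      "ok"      all tests passed, so the run is a transition of the program,
      "blocked" the evolution domain h >= 0 forbids this duration (no trace),
      "failed"  both tests fail, so the trace ends in the failure state.
    """
    # With g > 0 the height h(tau) is concave in tau, so h >= 0 holds on all of
    # [0, t] exactly when it holds at both endpoints of the interval.
    if with_domain and (h < 0 or flight(h, v, g, t)[0] < 0):
        return [], "blocked"
    states = [flight(h, v, g, t * i / samples) for i in range(samples + 1)]
    h_t, v_t = states[-1]
    if h_t > 0:                        # ?h > 0
        return states, "ok"
    if h_t == 0:                       # ?h = 0; v := -c*v
        states.append((h_t, -c * v_t))
        return states, "ok"
    return states, "failed"            # under the floor: neither test succeeds


def always_safe(states, H):
    """Temporal reading, [ball] always (0 <= h <= H): every state on the trace."""
    return all(0 <= height <= H for height, _ in states)


def finally_safe(states, outcome, H):
    """Nontemporal reading, [ball](0 <= h <= H): only the final state of a
    successful run is inspected; blocked or failed runs contribute nothing."""
    return outcome != "ok" or 0 <= states[-1][0] <= H


def compare(h, v, g, c, H, durations, with_domain):
    """Map each duration to (outcome, nontemporal safe?, temporal safe?)."""
    report = {}
    for t in durations:
        states, outcome = ball_trace(h, v, g, c, t, with_domain)
        report[t] = (outcome, finally_safe(states, outcome, H), always_safe(states, H))
    return report


if __name__ == "__main__":
    # Constructed initial state: dropped from rest at the maximal height H = 9, g = 2,
    # so h(t) = 9 - t^2 and the ball reaches the floor exactly at t = 3.
    for with_domain in (False, True):
        print("evolution domain" if with_domain else "no evolution domain",
              compare(9, 0, 2, 0.5, 9, [2, 3, 4], with_domain))
```

Duration 4 is the interesting case: without the evolution domain the trace passes under the floor and both tests fail, so the nontemporal property is vacuously fine while the temporal one is violated; with the domain that duration is not a trace at all.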

5 Summary
This lecture showed a systematic way of specifying and verifying temporal properties
of hybrid systems. The focus was on safety properties that hold always throughout
the evolution of the system and are specified as [] with a mix of a temporal and
a dynamic modality instead of just a dynamic modality as in []. The difference is
that [] includes that safety condition holds at all intermediate states during all
traces of , whereas [] only specifies that holds at the end of each trace of . This
difference matters in systems that have more intermediate states than final states. The
difference is insignificant for systems that can stop anytime, because those will already include all intermediate states of longer system runs as the final state of a corresponding shorter system run. This has been the case in almost all systems studied in
this course and is frequently the case in practice.
The systematic way of ensuring safety always throughout the execution of hybrid
systems is the use of the dynamic and temporal modality [], which works whether
or not the system has the special structure that allows it to stop anytime. In a nutshell,
the temporal proof rules for [] properties lead to additional branches that correspond to the safety conditions at the respective intermediate state. It can be shown
that temporal dTL properties reduce to nontemporal dL properties completely [Pla10,
Chapter 4], justifying the intimate relation of temporal and nontemporal properties.
That completeness result made crucial use of the clever form of the [ ] proof rule.
Other temporal modalities are more complicated but can either be handled directly
(in the case of hi) or by transformation [Pla10].

Exercises
Exercise 1. Can you give a formula of the following form that is valid?
[] []
Exercise 2. In which case does the temporal [] differ from the nontemporal []?
Exercise 3. Can you give a temporal box version of the differential invariant proof rule?


References
[Pla07] Andre Platzer. A temporal dynamic logic for verifying hybrid system invariants. In Sergei N. Artemov and Anil Nerode, editors, LFCS, volume 4514 of LNCS, pages 457–471. Springer, 2007. doi:10.1007/978-3-540-72734-7_32.
[Pla08] Andre Platzer. Differential dynamic logic for hybrid systems. J. Autom. Reas., 41(2):143–189, 2008. doi:10.1007/s10817-008-9103-8.
[Pla10] Andre Platzer. Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics. Springer, Heidelberg, 2010. doi:10.1007/978-3-642-14509-4.
[Pla12] Andre Platzer. Logics of dynamical systems. In LICS, pages 13–24. IEEE, 2012. doi:10.1109/LICS.2012.13.


15-424: Foundations of Cyber-Physical Systems

Lecture Notes on
Virtual Substitution & Real Equations
Andre Platzer
Carnegie Mellon University
Lecture 18

1 Introduction
Cyber-physical systems are important technical concepts for building better systems
around us. Their safe design requires careful specification and verification, which this
course provides using differential dynamic logic and its proof calculus [Pla08, Pla10,
Pla12b]. The proof calculus for differential dynamic logic has a number of powerful
axioms and proof rules (especially in Lecture 5, Lecture 6, Lecture 11, and Lecture 15).
In theory, the only difficult problem in proving hybrid systems safety is finding their invariants or differential invariants [Pla08, Pla12a] (Lecture 14 on Differential Invariants
& Proof Theory). In practice, however, the handling of real arithmetic is another challenge that you have faced, even though the problem is easier in theory. How arithmetic
interfaces with proofs has already been discussed in Lecture 9 on Proofs & Arithmetic.
Today's lecture shows one technique for deciding interesting formulas of first-order real
arithmetic. Understanding how such techniques for real arithmetic work is interesting
for at least two reasons. First of all, it is important to understand why this miracle happens that something as complicated and expressive as first-order logic of real arithmetic
is decidable. But it is also helpful to get an intuition about how real arithmetic decision
procedures work. With such an understanding, you are better prepared to identify the
limitations of these techniques, learn when they are likely not to work out in due time,
and get a sense of what you can do to help arithmetic prove more complicated properties. For complex proofs, it is often very important to use your insights and intuitions
about the system to help the prover along to scale more.
These lecture notes are loosely based on [Wei97, Pla10, Appendix D]. They add substantial intuition and motivation that is helpful for following the technical development. More information about virtual substitution can be found in the literature [Wei97].
See, e.g., [PQR09, Pas11] for an overview of other techniques for real arithmetic.

November 4, 2013

A NDR E P LATZER

L18.2

Virtual Substitution & Real Equations

2 Framing the Miracle


First-order logic is an expressive logic in which many interesting properties and concepts can be expressed, analyzed, and proven. It is certainly significantly more expressive than propositional logic, which is decidable by NP-complete SAT solving.
In classical (uninterpreted) first-order logic (FOL), no symbol (except possibly equality) has a special meaning. There are only predicate symbols p, q, r, . . . and function
symbols f, g, h, . . . whose meaning is subject to interpretation. And the domain that
quantifiers range over is subject to interpretation. In particular, a formula of first-order
logic is only valid if it holds true for all interpretations of all predicate and function
symbols and all domains.
In contrast, first-order logic of real arithmetic (FOLR or the theory of real-closed field
arithmetic FOLRCF [Pla10, Appendix D]) is interpreted, because its symbols have a special fixed interpretation. The only predicate symbols are =, , >, , <, ≠ and they mean
exactly equality, greater-or-equals, greater-than, etc., and the only function symbols are
+, , , which mean exactly addition, subtraction, and multiplication of real numbers.
Furthermore, the quantifiers quantify over the set R of all real numbers.1
The first special interpretation for symbols that comes to mind may not necessarily
be the real numbers but maybe the natural numbers N with + for addition and for
multiplication on natural numbers and where quantifiers range over the natural numbers. That gives the first-order logic of natural numbers (FOLN ). Is FOLN easier or harder
than FOL? How do both compare to FOLR ? What would happen compared to FOLQ ,
the first-order logic of rational numbers? FOLQ is like FOLR and FOLN , except that the
rational numbers Q are used as the domain of quantification and interpretation of variables, rather than R and N, respectively. How do those different flavors of first-order
logic compare? How difficult is it to prove validity of logical formulas in each case?
Before you read on, see if you can find the answer for yourself.

1 Respectively over another real-closed field, but that has been shown not to change validity [Tar51].


Uninterpreted first-order logic FOL is semidecidable, because there is a (sound and
complete [Göd30]) proof procedure that is algorithmic and able to prove all true sentences of first-order logic [Her30]. The natural numbers are much more difficult. By
Gödel's incompleteness theorem, first-order logic FOLN of natural numbers does not
have a sound and complete effective axiomatization. FOLN is neither semidecidable
nor cosemidecidable [Chu36]. There is neither an algorithm that can prove all valid formulas of FOLN nor one that can disprove all formulas of FOLN that are not valid. One
way of realizing the inherent challenge of the logic of natural numbers is to use that
not all questions about programs can be answered effectively (for example the halting
problem of Turing machines is undecidable) [Chu36, Tur37], in fact none can [Ric53].
Yet, a miracle happened. Alfred Tarski proved in 1930 [Tar31, Tar51] that reals are
much better behaved and that FOLR is decidable, even though this seminal result remained unpublished for many years and only appeared in full in 1951 [Tar51].
The first-order logic FOLQ of rational numbers, however, was shown to be undecidable [Rob49], even though rational numbers may appear to be so close to real numbers.
Rationals are lacking something important: completeness (in the topological sense).
Note 1 (Overview of validity problems of first-order logics).
    Logic   Validity
    FOL     semidecidable
    FOLN    not semidecidable nor cosemidecidable
    FOLQ    not semidecidable nor cosemidecidable
    FOLR    decidable
    FOLC    decidable

3 Quantifier Elimination
Alfred Tarski's seminal insight for deciding real arithmetic is based on quantifier elimination, i.e. the successive elimination of quantifiers from formulas so that the remaining
formula is equivalent but structurally significantly easier. Why does eliminating quantifiers help? When evaluating a logical formula for whether it is true or false in a given
state (i.e. an assignment of real numbers to all its free variables), arithmetic comparisons and polynomial terms are easy, because all we need to do is plug the numbers in
and compute according to their semantics (recall Lecture 2). For example, for a state
with (x) = 2, we can easily evaluate the logical formula
x2 > 2 2x < 3 x3 < x2
to true just by plugging in 2 for x. But quantifiers are difficult, because they require
us to check for all possible values of a variable (in the case x F ) or to find exactly the
right value for a variable that makes the formula true (in the case of x F ). The easiest
formulas to evaluate are the ones that have no free variables (because then their value
does not depend on the state) and that also have no quantifiers (because then there are


no choices for the values of the quantified variables during the evaluation). Quantifier elimination can take a logical formula that is closed, i.e. has no free variables, and
equivalently remove its quantifiers, so that it becomes easy to evaluate the formula to
true or false. Quantifier elimination also works for formulas that still have free variables. Then it will eliminate all quantifiers in the formula but the original free variables
will remain in the resulting formula, unless it simplifies in the quantifier elimination
process.
Definition 1 (Quantifier elimination). A first-order theory admits quantifier elimination if, with each formula , a quantifier-free formula QE() can be associated
effectively that is equivalent, i.e. QE() is valid (in that theory).
Theorem 2 (Tarski [Tar51]). The first-order logic of real arithmetic admits quantifier
elimination and is, thus, decidable.
The operation QE is further assumed to evaluate ground formulas (i.e., without variables), yielding a decision procedure for closed formulas of this theory (i.e., formulas
without free variables). For a closed formula , all it takes is to compute its quantifierfree equivalent QE() by quantifier elimination. The closed formula is closed, so has
no free variables or other free symbols, and neither will QE(). Hence, as well as its
equivalent QE() are either equivalent to true or to false. Yet, QE() is quantifier-free,
so which one it is can be found out simply by evaluating the (variable-free) concrete
arithmetic in QE().
Example 3. Quantifier elimination uses the special structure of real arithmetic to express quantified arithmetic formulas equivalently without quantifiers and without using more free variables. For instance, QE yields the following equivalence:
QE(x (2x2 + c 5)) c 5.
In particular, the formula x (2x2 + c 5) is not valid, but only if c 5, as has been so
aptly described by the outcome of the above quantifier elimination result.
Example 4. Quantifier elimination can be used to find out whether a first-order formula
of real arithmetic is valid. Take x (2x2 + c 5), for example. A formula is valid
iff its universal closure is, i.e. the formula obtained by universally quantifying all free
variables. After all, valid means that a formula is true for all interpretations. Hence,
consider the universal closure c x (2x2 + c 5), which is a closed formula. Quantifier
elimination might, for example, lead to
QE(c x (2x2 +c 5)) QE(c QE(x (2x2 +c 5))) QE(c (c 5)) 100 55 5100 5
The resulting formula still has no free variables but is now quantifier-free, so it can
simply be evaluated arithmetically. Since the conjunct 100 5 evaluates to false, the
universal closure c x (2x2 + c 5) is equivalent to false and, hence, the original formula x (2x2 + c 5) is not valid (although still satisfiable for c = 1).


The complexity of Alfred Tarski's decision procedure is non-elementary, i.e. cannot
be bounded by any tower of exponentials 2^(2^(...^n)). Still, it was a seminal breakthrough
because it showed reals to be decidable at all. Another seminal result followed in 1949 from Julia Robinson, who proved the rationals to be undecidable [Rob49]. It
took many further advances [Sei54, Coh69, KK71, Hor83, Eng93] and a major breakthrough by George Collins in 1975 [Col75] until more practical procedures had been
found [Col75, CH91, Wei97]. The virtual substitution technique shown in this lecture
has been implemented in Redlog [DS97], which has an interface for KeYmaera [PQ08].

4 Homomorphic Normalization
The first insight for defining quantifier elimination is to understand that the quantifier
elimination operation commutes with almost all logical connectives, so that QE only
needs to be defined for existential quantifiers. Especially, as soon as we understand
how to eliminate existential quantifiers, universal quantifiers can be eliminated as well
just by double negation.
QE(A B) QE(A) QE(B)

QE(A B) QE(A) QE(B)


QE(A) QE(A)

QE(x A) QE(x A)
These transformations isolate existential quantifiers for quantifier elimination. In particular, it is sufficient if quantifier elimination focuses on existentially quantified variables. When using the QE operation inside out, i.e. when using it repeatedly to eliminate the inner-most quantifier to a quantifier-free equivalent and then again eliminating the inner-most quantifier, the quantifier elimination is solved if only we manage to
solve it for x A with a quantifier-free formula A. If A is not quantifier-free, its quantifiers can be eliminated from inside out:
QE(x A) QE(x QE(A))

if A not quantifier-free

It is possible, although not necessary and not even necessarily helpful, to simplify the
form of A as well. The following transformations transform the kernel of a quantifier
into negation normal form using De Morgan's equivalences.
QE(x (A B)) QE(x A) QE(x B)

QE(x (A B)) QE(x (A B))

QE(x (A B)) QE(x (A B))


QE(x A) QE(x A)


Distributivity can be used to simplify the form of the quantifier-free kernel A to disjunctive normal form and split existential quantifiers over disjuncts:
QE(x (A (B C))) QE(x ((A B) (A C)))

QE(x ((A B) C)) QE(x ((A C) (B C)))


QE(x (A B)) QE((x A) (x B))

The remaining case to address is the case QE(x (A B)) where A B is a purely
conjunctive formula (yet it can have any number of conjuncts, not just two). Using the
following normalizing equivalences,
p=q pq =0

pq pq 0

p>q pq >0

p ≠ q p q ≠ 0

pq qp0

p<q qp>0

(p q) p < q

(p > q) p q

(p = q) p ≠ q
(p ≠ q) p = q

it is further possible to normalize all atomic formulas equivalently to one of the forms
p = 0, p > 0, p 0, p ≠ 0. Since p ≠ 0 p > 0 p < 0, disequations ≠ are unnecessary
in theory as well (although they are useful in practice).

5 Substitution Base
Virtual substitution is a quantifier elimination technique that is based on substituting
extended terms into formulas virtually, i.e. without the extended terms2 actually occurring in the resulting constraints.
Note 4. Virtual substitution essentially leads to an equivalence of the form
  x F   ⋁_{t T} (A_t  F_x^t)    (1)
for a suitable finite set T of extended terms that depends on the formula F and that gets
substituted into F virtually, i.e. in a way that results in standard real arithmetic terms,
not extended terms.
2 Being an extended real term really means it is not a real term, but somehow closely related. We will see more concrete extended real terms and how to get rid of them again later.


Such an equivalence is how quantifier elimination can work. Certainly if the right-hand
side of (1) is true, then t is a witness for x F . The key to establishing an equivalence of
the form (1) is to ensure that if F has a solution (in the sense of x F being true), then F
must hold for one of the cases in T . That is, T must cover all representative cases. If we
were to choose all real numbers T =def R, then (1) would be trivially valid, but then the
right-hand side is not a formula because it is uncountably infinitely long, which is even
worse than the quantified form on the left-hand side. But if a finite set T is sufficient for
the equivalence (1) and the extra formulas At are quantifier-free, then the right-hand
side of (1) is structurally simpler than the left-hand side, even if it may be (sometimes
significantly) less compact.
The various ways of virtually substituting various extended reals e into logical formulas equivalently without having to mention the actual extended reals is the secret of
virtual substitution. The first step is to see that it is enough to define substitutions only
on atomic formulas of the form p = 0, p < 0, p 0 (or, just as well, on p = 0, p > 0, p 0).
If denotes such an extended substitution of for x, then lifts to arbitrary first-order
formulas homomorphically3 as follows
(A B) A B
(A B) A B
(A) A

(y A) y A

if x ≠ y and x ∉

(y A) y A

(p = q) (p q = 0)

if x ≠ y and x ∉

(p < q) (p q < 0)

(p q) (p q 0)

(p > q) (q p < 0)

(p q) (q p 0)

(p ≠ q) ((p q = 0))
This lifting applies the substitution to all subformulas, with minor twists on quantifiers for admissibility and normalization of atomic formulas into the forms p = 0, p < 0, p 0
for which has been assumed to already have been defined.

6 Term Substitutions
Consider a formula of the form
x (bx + c = 0 F )

(2)

where x does not occur in the terms b, c. Let's consider what a first mathematical solution to this formula might look like. The only solution that the conjunct bx + c = 0 has
is x = c/b. Hence, the left conjunct in (2) only holds for x = c/b, so formula (2) can
only be true if F also holds for that single solution c/b in place of x. That is, formula
(2) holds only if F_x^{c/b} does. Hence, (2) is equivalent to the formula F_x^{c/b}, which is
quantifier-free.
So, how can we eliminate the quantifier in (2) equivalently?
Before you read on, see if you can find the answer for yourself.

3 With a caveat on admissibility for quantifiers to avoid capture of variables.


Most certainly, F_x^{c/b} is quantifier-free. But it is not exactly always equivalent to (2)
and, thus, does not necessarily qualify as its quantifier-eliminated form. Oh no! What
we wrote down is a good intuitive start, but does not make any sense at all if b = 0,
for then c/b would have been a rather ill-devised division by zero. Performing such
divisions by zero sounds like a fairly shaky start for an equivalence transformation such
as quantifier elimination. And certainly like a shaky start for anything that is supposed
to turn into a proof.
Let's start over. The first conjunct in (2) has the only solution x = c/b if b ≠ 0. In
that case, indeed, (2) is equivalent to F_x^{c/b}, because the only way for (2) to be true
then is exactly when the second conjunct F holds for the solution of the first conjunct,
i.e. when F_x^{c/b} holds. But there is, in general, no way of knowing whether evaluation
could yield b ≠ 0 or not, because b might be a complicated polynomial term that is only
zero under some interpretations, not under all. Certainly if b is the zero polynomial, we
know for sure. Or if b is a polynomial that is never zero, such as a sum of squares plus
a positive constant. In general, if b = 0, then, the first conjunct in (2) has all numbers
for x as solutions if c = 0 and, otherwise, has no solution at all if c ≠ 0. In the latter
case, b = 0, c ≠ 0, (2) is false, because its first conjunct is already false. In the former
case, b = c = 0, however, the first conjunct bx + c = 0 is trivial and does not impose any
constraints on x, nor does it help for finding out a quantifier-free equivalent of (2). In
that case b = c = 0, the trivial constraint will be dropped and the remaining formula
will be considered recursively instead.
Note 5. In the non-degenerate case b ≠ 0, (2) can be rephrased into a quantifier-free
equivalent over R as follows:

  b ≠ 0  x (bx + c = 0  F)  b ≠ 0  F_x^{c/b}    (3)

All it takes is, thus, the ability to substitute the term c/b for x in the formula F. The division c/b that will occur in F_x^{c/b} for ordinary term substitutions can cause technical
annoyances, but at least it is well-defined, because b ≠ 0 holds in that context.

7 Square Root Substitutions for Quadratics

Consider a formula of the form
  x (ax2 + bx + c = 0 F)    (4)
where x does not occur in the terms a, b, c. The generic solution of its first conjunct
is x = (b b2 4ac)/(2a), but that, of course, again depends on whether a could
evaluate to zero, in which case linear solutions may be possible and the division by 2a
is most certainly not well-defined. Whether a could be zero may again sometimes be
hard to say when a is a polynomial term that has roots, but does not always evaluate to 0 either (which only the zero polynomial would). So lets be more careful
this time to find an equivalent formulation right away for all possible cases of a, b, c.


The cases to consider are where the first conjunct is either a constant equation (in
which case the equation is no interesting constraint on x) or a linear equation (in which
case x = c/b is the solution, Sect. 6) or a proper quadratic equation with a ≠ 0 (in
which case x = (b b2 4ac)/(2a) is the solution). The trivial equation 0 = 0 when
a = b = c = 0 is again useless, so another part of F would have to be considered in that
case, and the equation c = 0 for a = b = 0, c ≠ 0 is again false.
When ax2 + bx + c = 0 is either a proper linear or a proper quadratic equation, its respective solutions single out the only points that can solve (4), so the only points in which
it remains to be checked whether the second conjunct F also holds.
Theorem 5 (Virtual substitution of quadratic equations). For a quantifier-free formula
F, the following equivalence is valid over R:

  a ≠ 0  b ≠ 0  c ≠ 0
    x (ax2 + bx + c = 0  F)
       a = 0  b ≠ 0  F_x^{c/b}
       a ≠ 0  b2 4ac 0  F_x^{(b+ b2 4ac)/(2a)}  F_x^{(b b2 4ac)/(2a)}    (5)

The resulting formula on the right-hand side of the biimplication is quantifier-free and,
thus, sounds like it could be chosen for QE(x (ax2 + bx + c = 0 F )) as long as it is
not the case that a = b = c = 0.

Note 7. The important thing to notice, though, is that (b b2 4ac)/(2a) is not
exactly a polynomial term, not even a rational term, because it involves a square root.
Hence, (5) is not generally a formula of first-order real arithmetic.
Square roots are really not part of real arithmetic. But they can be defined, still, by
appropriate quadratures. For example, the positive root x = y can be defined as
x2 = y y 0. Let's find out how square roots such as (b b2 4ac)/(2a) can be
substituted into first-order formulas systematically without the need for square roots
in the resulting formula.
A square root expression is an expression of the form
  (a + b c)/d
with polynomials a, b, c, d Q[x1, . . . , xn] of rational coefficients in the variables x1, . . . , xn
and, for well-definedness, d ≠ 0. Square roots with the same c can be added and multiplied as expected:
  (a + b c)/d + (a + b c )/d = ((ad + da ) + (bd + db ) c)/(dd )
  ((a + b c)/d) ((a + b c )/d ) = ((aa + bb c) + (ab + ba ) c)/(dd )


Substituting (a + b c)/d for a variable x in a polynomial term p, thus, leads to a square
root p_x^{(a+b c)/d} = (a + b c)/d with the same c, because the arithmetic resulting from
evaluating the polynomial only requires addition and multiplication.
Note 8. This explains how a square root expression can be substituted in for a variable
in a polynomial. Yet, the result is still a square root expression, which cannot be written
down directly in first-order real arithmetic. Yet, as soon as a square root expression, say

(a + b c)/d, appears in an atomic formula of first-order real arithmetic, the square root
can be rephrased equivalently to disappear.
Assume d ≠ 0 c 0 for well-definedness. For square-root-free expressions (b = 0)

with just divisions, i.e. (a + 0 c)/d, the following equivalences hold:

(a + 0 c)/d = 0 a = 0

(a + 0 c)/d 0 ad 0

(a + 0 c)/d < 0 ad < 0

(a + 0 c)/d ≠ 0 ad ≠ 0

Assume d ≠ 0 c 0 for well-definedness. For square root expressions (a + b c)/d


with arbitrary b, the following equivalences hold:

(a + b c)/d = 0 ab 0 a2 b2 c = 0

(a + b c)/d 0 ad 0 a2 b2 c 0 bd 0 a2 b2 c 0

(a + b c)/d < 0 ad < 0 a2 b2 c > 0 bd 0 (ad < 0 a2 b2 c < 0)

(a + b c)/d 6= 0 ab > 0 a2 b2 c 6= 0

This defines the substitution of a square root $(a + b\sqrt{c})/d$ for $x$ into atomic formulas when normalizing atomic formulas appropriately (footnote 4). The important thing to observe is that the result of this substitution introduces neither square root expressions nor divisions even though the square root expression $(a + b\sqrt{c})/d$ had the square root $\sqrt{c}$ and the division $/d$. Substitution of a square root $(a + b\sqrt{c})/d$ for $x$ into a (quantifier-free) first-order formula $F$ then works as usual by substitution in all atomic formulas (as defined in Sect. 5). Denote the result of such a substitution by $F_x^{(a+b\sqrt{c})/d}$.

It is crucial to note that the virtual substitution of the square root expression $(a + b\sqrt{c})/d$ for $x$ in $F$ giving $F_x^{(a+b\sqrt{c})/d}$ is semantically equivalent to the result $F_x^{(a+b\sqrt{c})/d}$ of the literal substitution replacing $x$ with $(a + b\sqrt{c})/d$, but operationally different, because the virtual substitution never introduces square roots or divisions. Because of their semantical equivalence, we use the same notation by abuse of notation.

Theorem 5 continues to hold when using the so-defined square root substitutions $F_x^{(-b \pm \sqrt{b^2-4ac})/(2a)}$ that make (5) a valid formula of first-order real arithmetic, without square root expressions. In particular, since the fraction $-c/b$ also is a (somewhat impoverished) square root expression $(-c + 0\sqrt{0})/b$, $F_x^{-c/b}$ in (5) can be formed using the square root substitution, so the quantifier-free right-hand side of (5) neither introduces square roots nor divisions.

4 E.g. $f > g \equiv f - g > 0 \equiv g - f < 0$ and $f \geq g \equiv g - f \leq 0$.
With this virtual substitution, the right-hand side of the biimplication (5) can be chosen as $\mathrm{QE}(\exists x\,(ax^2 + bx + c = 0 \wedge F))$ if it is not the case that $a = b = c = 0$. When using square root substitutions, divisions could, thus, also have been avoided in the quantifier elimination (3) for the linear case. Thus, the right-hand side of (3) can be chosen as $\mathrm{QE}(\exists x\,(bx + c = 0 \wedge F))$ if it is not the case that $b = c = 0$.

Before going any further, it is helpful to notice that virtual substitutions admit a number of useful optimizations that make them more practical. For example, when substituting a square root expression $(a + b\sqrt{c})/d$ for a variable $x$ in a polynomial $p$, the resulting square root expression $p_x^{(a+b\sqrt{c})/d} = (\tilde a + \tilde b\sqrt{c})/\tilde d$ has a higher power $\tilde d = d^k$ as its denominator, where $k$ is the degree of $p$ in variable $x$, just by inspecting the above definitions of addition and multiplication. Such larger powers of $d$ can be avoided. Note the equivalences $(pq^3 \bowtie 0) \equiv (pq \bowtie 0)$ and, if $q \neq 0$, even $(pq^2 \bowtie 0) \equiv (p \bowtie 0)$ for arithmetic relations $\bowtie \in \{=, >, \geq, \neq, <, \leq\}$. Since $d \neq 0$ for well-definedness, the degree of $d$ in the result $F_x^{(a+b\sqrt{c})/d}$ of the virtual substitution can be lowered to 0 or 1 depending on whether it occurs as an even or odd power.
Example 6. Using this principle to check under which circumstance the quadratic equality from (4) evaluates to true requires a nontrivial number of computations to handle the virtual substitution of the respective roots of $ax^2 + bx + c = 0$ into $F$. What would happen if we tried to apply the same virtual substitution coming from this equation to $ax^2 + bx + c = 0$ itself? Imagine, for example, that $ax^2 + bx + c = 0$ shows up again in $F$. Let's only consider the case of quadratic solutions, i.e. where $a \neq 0$. And let's only consider the root $(-b + \sqrt{b^2-4ac})/(2a)$. The other cases are left as an exercise. First virtually substitute $(-b + \sqrt{b^2-4ac})/(2a)$ into the polynomial $ax^2 + bx + c$:
$$
\begin{aligned}
(ax^2 + bx + c)_x^{(-b+\sqrt{b^2-4ac})/(2a)}
&= a\big((-b + \sqrt{b^2-4ac})/(2a)\big)^2 + b\big((-b + \sqrt{b^2-4ac})/(2a)\big) + c\\
&= a\big((b^2 + b^2 - 4ac + (-b - b)\sqrt{b^2-4ac})/(4a^2)\big) + (-b^2 + b\sqrt{b^2-4ac})/(2a) + c\\
&= (ab^2 + ab^2 - 4a^2c + (-ab - ab)\sqrt{b^2-4ac})/(4a^2) + (-b^2 + 2ac + b\sqrt{b^2-4ac})/(2a)\\
&= \big((ab^2 + ab^2 - 4a^2c)\,2a + (-b^2 + 2ac)\,4a^2 + ((-ab - ab)\,2a + b\,4a^2)\sqrt{b^2-4ac}\big)/(8a^3)\\
&= \big(2a^2b^2 + 2a^2b^2 - 8a^3c - 4a^2b^2 + 8a^3c + (-2a^2b - 2a^2b + 4a^2b)\sqrt{b^2-4ac}\big)/(8a^3)\\
&= (0 + 0\sqrt{b^2-4ac})/(8a^3) \;\equiv\; (0 + 0\sqrt{0})/1 = 0
\end{aligned}
$$
So $(ax^2 + bx + c)_x^{(-b+\sqrt{b^2-4ac})/(2a)}$ is the zero square root expression? That is actually exactly as expected by construction, because $(-b \pm \sqrt{b^2-4ac})/(2a)$ is supposed to be a root of $ax^2 + bx + c$ in the case where $a \neq 0 \wedge b^2 - 4ac \geq 0$. In particular, if $ax^2 + bx + c$ occurs again in $F$ as either an equation or inequality, its virtual substitute in the various cases is
$$
\begin{aligned}
(ax^2 + bx + c = 0)_x^{(-b+\sqrt{b^2-4ac})/(2a)} &\equiv \big((0 + 0\sqrt{0})/1 = 0\big) \equiv (0 = 0) \equiv \mathit{true}\\
(ax^2 + bx + c \leq 0)_x^{(-b+\sqrt{b^2-4ac})/(2a)} &\equiv \big((0 + 0\sqrt{0})/1 \leq 0\big) \equiv (0 \cdot 1 \leq 0) \equiv \mathit{true}\\
(ax^2 + bx + c < 0)_x^{(-b+\sqrt{b^2-4ac})/(2a)} &\equiv \big((0 + 0\sqrt{0})/1 < 0\big) \equiv (0 \cdot 1 < 0) \equiv \mathit{false}\\
(ax^2 + bx + c \neq 0)_x^{(-b+\sqrt{b^2-4ac})/(2a)} &\equiv \big((0 + 0\sqrt{0})/1 \neq 0\big) \equiv (0 \cdot 1 \neq 0) \equiv \mathit{false}
\end{aligned}
$$
And that makes sense as well. After all, the roots of $ax^2 + bx + c = 0$ satisfy the weak inequality $ax^2 + bx + c \leq 0$ but not the strict inequality $ax^2 + bx + c < 0$. In particular, Theorem 5 could substitute the roots of $ax^2 + bx + c = 0$ also into the full formula $ax^2 + bx + c = 0 \wedge F$ under the quantifier, but the formula resulting from the left conjunct $ax^2 + bx + c = 0$ will always simplify to true so that only the virtual substitution into $F$ will remain.
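As an added example (not code from the lecture notes, and not the implementation in KeYmaera or Redlog), the following Python carries out the arithmetic on square root expressions, the substitution into a polynomial by Horner's rule, and the square-root-free sign tests of Note 8, on concrete rational parameters; the symbolic version would carry polynomials $a, b, c, d$ instead, but concrete parameters are exactly the situation that the correctness proofs reduce to. The names `SqrtExpr`, `substitute`, `holds`, `quadratic_root` and `agrees_with_float` are this example's own. It reproduces Example 6 on a constructed instance: substituting the root of $x^2 - 2x - 1$ back into that polynomial yields the zero expression, for which `=` and `<=` hold while `<` and `!=` do not, and it cross-checks each sign test against a floating-point evaluation at the same point.

```python
from dataclasses import dataclass
from fractions import Fraction
from math import sqrt

# Added example, not code from the lecture notes: exact arithmetic on square
# root expressions (a + b*sqrt(c))/d with rational a, b, c, d and the
# square-root-free sign tests of Note 8.  All parameters are concrete rationals
# (the case the proofs reduce to); a symbolic version would carry polynomials.


@dataclass(frozen=True)
class SqrtExpr:
    """(a + b*sqrt(c))/d with rational a, b, c, d; requires d != 0 and c >= 0."""
    a: Fraction
    b: Fraction
    c: Fraction
    d: Fraction

    def __post_init__(self):
        if self.d == 0 or self.c < 0:
            raise ValueError("ill-defined square root expression")

    @staticmethod
    def rational(r, c):
        """Embed a rational r as (r + 0*sqrt(c))/1, sharing the radicand c."""
        return SqrtExpr(Fraction(r), Fraction(0), Fraction(c), Fraction(1))

    def __add__(self, o):
        assert self.c == o.c, "only expressions with the same radicand can be added"
        return SqrtExpr(self.a * o.d + self.d * o.a,
                        self.b * o.d + self.d * o.b, self.c, self.d * o.d)

    def __mul__(self, o):
        assert self.c == o.c, "only expressions with the same radicand can be multiplied"
        return SqrtExpr(self.a * o.a + self.b * o.b * self.c,
                        self.a * o.b + self.b * o.a, self.c, self.d * o.d)

    # Sign tests from Note 8: no square root and no division is ever evaluated.
    def eq0(self):
        return self.a * self.b <= 0 and self.a**2 - self.b**2 * self.c == 0

    def le0(self):
        k = self.a**2 - self.b**2 * self.c
        return (self.a * self.d <= 0 and k >= 0) or (self.b * self.d <= 0 and k <= 0)

    def lt0(self):
        k = self.a**2 - self.b**2 * self.c
        ad = self.a * self.d
        return (ad < 0 and k > 0) or (self.b * self.d <= 0 and (ad < 0 or k < 0))

    def ne0(self):
        return self.a * self.b > 0 or self.a**2 - self.b**2 * self.c != 0

    def approx(self):
        """Floating-point value, used only to cross-check the exact sign tests."""
        return (float(self.a) + float(self.b) * sqrt(float(self.c))) / float(self.d)


def substitute(poly, e):
    """p_x^e for p given by coefficients [p_0, p_1, ..., p_n] (constant term first).
    Horner's rule only adds and multiplies, so the result keeps the radicand e.c."""
    acc = SqrtExpr.rational(0, e.c)
    for coeff in reversed(poly):
        acc = acc * e + SqrtExpr.rational(coeff, e.c)
    return acc


def holds(poly, rel, e):
    """(p rel 0)_x^e for rel in {"=", "<=", "<", "!="} via the square-root-free tests."""
    s = substitute(poly, e)
    return {"=": s.eq0, "<=": s.le0, "<": s.lt0, "!=": s.ne0}[rel]()


def quadratic_root(a, b, c, sign):
    """The root (-b + sign*sqrt(b^2 - 4ac))/(2a) as a square root expression (a != 0, disc >= 0)."""
    a, b, c = Fraction(a), Fraction(b), Fraction(c)
    return SqrtExpr(-b, Fraction(sign), b * b - 4 * a * c, 2 * a)


def agrees_with_float(poly, rel, e, tol=1e-9):
    """Cross-check of a sign test against floating-point evaluation at the same point."""
    v = sum(float(k) * e.approx() ** i for i, k in enumerate(poly))
    numeric = {"=": abs(v) < tol, "<=": v < tol, "<": v < -tol, "!=": abs(v) >= tol}[rel]
    return holds(poly, rel, e) == numeric


if __name__ == "__main__":
    # Constructed instance: x^2 - 2x - 1 has discriminant 8 and roots 1 +/- sqrt(2).
    a, b, c = 1, -2, -1
    r = quadratic_root(a, b, c, +1)
    p = [c, b, a]                                      # c + b x + a x^2
    print(substitute(p, r))                            # the zero expression, as in Example 6
    print(holds(p, "=", r), holds(p, "<", r))          # True False
    print(holds([-3, 1], "<", r))                      # x - 3 < 0 at 1 + sqrt(2): True
```

The sign tests never evaluate a square root or a division; `approx` exists only to check them against a floating-point evaluation at the same point, which is the kind of sanity check worth running on any hand-derived case table before a decision procedure relies on it.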

Exercises

Exercise 1. Example 6 showed that $ax^2 + bx + c = 0$ simplifies to $\mathit{true}$ for the virtual substitution of the root $(-b + \sqrt{b^2-4ac})/(2a)$. Show that the same thing happens for the root $(-b - \sqrt{b^2-4ac})/(2a)$ and the root $(-c + 0\sqrt{0})/b$.

Exercise 2. Example 6 argued that the simplification of $ax^2 + bx + c = 0$ to $\mathit{true}$ for the virtual substitution of the root $(-b + \sqrt{b^2-4ac})/(2a)$ is to be expected, because $(-b + \sqrt{b^2-4ac})/(2a)$ is a root of $ax^2 + bx + c = 0$ in the case where $a \neq 0 \wedge b^2 - 4ac \geq 0$. Yet, what happens in the case where the extra assumption $a \neq 0 \wedge b^2 - 4ac \geq 0$ does not hold? What is the value of the virtual substitution in that case? Is that a problem? Discuss carefully!

References

[CH91] George E. Collins and Hoon Hong. Partial cylindrical algebraic decomposition for quantifier elimination. J. Symb. Comput., 12(3):299–328, 1991.
[Chu36] Alonzo Church. A note on the Entscheidungsproblem. J. Symb. Log., 1(1):40–41, 1936.
[Coh69] Paul J. Cohen. Decision procedures for real and p-adic fields. Communications in Pure and Applied Mathematics, 22:131–151, 1969.
[Col75] George E. Collins. Hauptvortrag: Quantifier elimination for real closed fields by cylindrical algebraic decomposition. In H. Barkhage, editor, Automata Theory and Formal Languages, volume 33 of LNCS, pages 134–183. Springer, 1975.
[DBL12] Proceedings of the 27th Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2012, Dubrovnik, Croatia, June 25–28, 2012. IEEE, 2012.
[DS97] Andreas Dolzmann and Thomas Sturm. Redlog: Computer algebra meets computer logic. ACM SIGSAM Bull., 31:2–9, 1997.
[Eng93] E. Engeler. Foundations of Mathematics: Questions of Analysis, Geometry and Algorithmics. Springer, 1993.
[Göd30] Kurt Gödel. Die Vollständigkeit der Axiome des logischen Funktionenkalküls. Mon. hefte Math. Phys., 37:349–360, 1930.
[Her30] Jacques Herbrand. Recherches sur la théorie de la démonstration. Travaux de la Société des Sciences et des Lettres de Varsovie, Class III, Sciences Mathématiques et Physiques, 33:33–160, 1930.
[Hör83] L. Hörmander. The Analysis of Linear Partial Differential Operators II, volume 257 of Grundlehren der mathematischen Wissenschaften. Springer, 1983.
[KK71] Georg Kreisel and Jean-Louis Krivine. Elements of Mathematical Logic: Model Theory. North-Holland, 2nd edition, 1971.
[Pas11] Grant Olney Passmore. Combined Decision Procedures for Nonlinear Arithmetics, Real and Complex. PhD thesis, School of Informatics, University of Edinburgh, 2011.
[Pla08] Andre Platzer. Differential dynamic logic for hybrid systems. J. Autom. Reas., 41(2):143–189, 2008. doi:10.1007/s10817-008-9103-8.
[Pla10] Andre Platzer. Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics. Springer, Heidelberg, 2010. doi:10.1007/978-3-642-14509-4.
[Pla12a] Andre Platzer. The complete proof theory of hybrid systems. In LICS [DBL12], pages 541–550. doi:10.1109/LICS.2012.64.
[Pla12b] Andre Platzer. Logics of dynamical systems. In LICS [DBL12], pages 13–24. doi:10.1109/LICS.2012.13.
[PQ08] Andre Platzer and Jan-David Quesel. KeYmaera: A hybrid theorem prover for hybrid systems. In Alessandro Armando, Peter Baumgartner, and Gilles Dowek, editors, IJCAR, volume 5195 of LNCS, pages 171–178. Springer, 2008. doi:10.1007/978-3-540-71070-7_15.
[PQR09] Andre Platzer, Jan-David Quesel, and Philipp Rümmer. Real world verification. In Renate A. Schmidt, editor, CADE, volume 5663 of LNCS, pages 485–501. Springer, 2009. doi:10.1007/978-3-642-02959-2_35.
[Ric53] H. Gordon Rice. Classes of recursively enumerable sets and their decision problems. Trans. AMS, 89:25–59, 1953.
[Rob49] Julia Robinson. Definability and decision problems in arithmetic. J. Symb. Log., 14(2):98–114, 1949.
[Sei54] Abraham Seidenberg. A new decision method for elementary algebra. Annals of Mathematics, 60:365–374, 1954.
[Tar31] Alfred Tarski. Sur les ensembles définissables de nombres réels I. Fundam. Math., 17:210–239, 1931.
[Tar51] Alfred Tarski. A Decision Method for Elementary Algebra and Geometry. University of California Press, Berkeley, 2nd edition, 1951.
[Tur37] Alan M. Turing. Computability and λ-definability. J. Symb. Log., 2(4):153–163, 1937.
[Wei97] Volker Weispfenning. Quantifier elimination for real algebra - the quadratic case and beyond. Appl. Algebra Eng. Commun. Comput., 8(2):85–101, 1997.

15-424: Foundations of Cyber-Physical Systems

Lecture Notes on
Virtual Substitution & Real Arithmetic
Andre Platzer
Carnegie Mellon University
Lecture 19

1 Introduction
Reasoning about cyber-physical systems and hybrid systems requires understanding
and handling their real arithmetic, which can be challenging, because cyber-physical
systems can have complex behavior. Differential dynamic logic and its proof calculus
[Pla08, Pla10, Pla12] reduce the verification of hybrid systems to real arithmetic. How
arithmetic interfaces with proofs has already been discussed in Lecture 9 on Proofs &
Arithmetic. How real arithmetic with linear and quadratic equations can be handled
by virtual substitution has been shown in Lecture 18 on Virtual Substitution & Real
Equations. Today's lecture shows how virtual substitution for quantifier elimination in real arithmetic extends to the case of linear and quadratic inequalities.
These lecture notes are loosely based on [Wei97, Pla10, Appendix D]. They add substantial intuition and motivation that is helpful for following the technical development. More information about virtual substitution can be found in the literature [Wei97].
See, e.g., [PQR09, Pas11] for an overview of other techniques for real arithmetic.

15-424 Lecture Notes, November 6, 2013, Andre Platzer

2 Recall: Square Root Substitutions for Quadratics

Recall the way to handle quantifier elimination for linear or quadratic equations from Lecture 18 on Virtual Substitution & Real Equations:

Theorem 1 (Virtual substitution of quadratic equations). For a quantifier-free formula $F$, the following equivalence is valid over $\mathbb{R}$:
$$
a \neq 0 \vee b \neq 0 \vee c \neq 0 \;\rightarrow\; \Big( \exists x\,(ax^2 + bx + c = 0 \wedge F) \;\leftrightarrow\; a = 0 \wedge b \neq 0 \wedge F_x^{-c/b} \;\vee\; a \neq 0 \wedge b^2 - 4ac \geq 0 \wedge \big(F_x^{(-b+\sqrt{b^2-4ac})/(2a)} \vee F_x^{(-b-\sqrt{b^2-4ac})/(2a)}\big) \Big) \tag{1}
$$

When using virtual substitutions of square roots from Lecture 18, the resulting formula on the right-hand side of the biimplication is quantifier-free and can be chosen for $\mathrm{QE}(\exists x\,(ax^2 + bx + c = 0 \wedge F))$ as long as it is not the case that $a = b = c = 0$. In case $a = b = c = 0$, another formula in $F$ needs to be considered for directing quantifier elimination, because the equation $ax^2 + bx + c = 0$ is noninformative if $a = b = c = 0$, e.g. when $a, b, c$ are the zero polynomials or even if they just have a common root. The formula on the right-hand side of the biimplication in (1) is a formula in the first-order logic of real arithmetic when using the virtual substitution of square root expressions defined in Lecture 18.

3 Infinity Substitution

Theorem 1 addresses the case where the quantified variable occurs in a linear or quadratic equation. It might only occur in inequalities, however. Consider a formula of the form
$$\exists x\,(ax^2 + bx + c \leq 0 \wedge F) \tag{2}$$
Under the respective conditions on $a, b, c$ from (1), the possible solutions $-c/b$, $(-b + \sqrt{d})/(2a)$, $(-b - \sqrt{d})/(2a)$ from (1) (with discriminant $d = b^2 - 4ac$) continue to be options for solutions of (2), because one way of satisfying the weak inequality $ax^2 + bx + c \leq 0$ is by satisfying the equation $ax^2 + bx + c = 0$. So if $F$ is true for any of those solutions of the quadratic equation (under the auspices of the additional constraints on $a, b, c$), then (2) holds as well.

Yet, if those points do not work out, the weak inequality in (2) allows for more possible solutions. For example, if $a = 0$ and $b > 0$, then sufficiently small values of $x$ would satisfy $0x^2 + bx + c \leq 0$. Also, if $a < 0$, then sufficiently small values of $x$ would satisfy $ax^2 + bx + c \leq 0$, because $x^2$ grows faster than $x$ and, thus, the negative $ax^2$ ultimately overcomes any contribution of $bx$ and $c$ to the value of $ax^2 + bx + c$. But that would quickly diverge into the full substitution principle for the uninsightful case of $T \stackrel{\text{def}}{=} \mathbb{R}$ from Lecture 18.

Now, one possibility of pursuing this line of thought may be to substitute smaller and smaller values for $x$ into (2) and see if that happens to work. There is a much better way though. The only really small value that would have to be substituted into (2) to see if it happens to work is one that is so negative that it is smaller than all others: $-\infty$, which is the lower limit of all negative real numbers. Alternatively, $-\infty$ can be understood as being always as negative as needed, i.e. more negative than anything else. Think of $-\infty$ as being built out of elastic rubber so that it always ends up being smaller when being compared to any actual real number.

Let $\infty, -\infty$ be positive and negative infinities, respectively, i.e. choose extra elements $\infty, -\infty \notin \mathbb{R}$ with $-\infty < r < \infty$ for all $r \in \mathbb{R}$. Formulas of real arithmetic can be evaluated with $-\infty$ substituted for a variable $x$ if they are interpreted over the compactified reals $\mathbb{R} \cup \{\infty, -\infty\}$. Yet, just like with square root expressions, $\pm\infty$ do not actually need to ever occur in the resulting formula, because substitution of infinities can be defined differently. For example, $(x + 5 > 0)_x^{-\infty}$ simplifies to $\mathit{false}$, while $(x + 5 < 0)_x^{-\infty}$ simplifies to $\mathit{true}$.
Note 2. Substitution of the infinity $-\infty$ for $x$ into an atomic formula for a polynomial $p \stackrel{\text{def}}{=} \sum_{i=0}^n a_i x^i$ with polynomials $a_i$ that do not contain $x$ is defined by the following equivalences (accordingly for substituting $\infty$ for $x$):
$$
\begin{aligned}
(p = 0)_x^{-\infty} &\equiv \bigwedge_{i=0}^n a_i = 0 & (3)\\
(p \leq 0)_x^{-\infty} &\equiv (p < 0)_x^{-\infty} \vee (p = 0)_x^{-\infty} & (4)\\
(p < 0)_x^{-\infty} &\equiv @_{-\infty}(p) < 0 & (5)\\
(p \neq 0)_x^{-\infty} &\equiv \bigvee_{i=0}^n a_i \neq 0 & (6)
\end{aligned}
$$
Lines (3) and (6) use that the only equation of real arithmetic that infinities satisfy is the trivial equation $0 = 0$. Line (4) uses the equivalence $p \leq 0 \equiv p < 0 \vee p = 0$. Line (5) uses a simple inductive definition based on the degree, $\deg(p)$, in the variable $x$ of the polynomial $p$ to characterize whether $p$ is ultimately negative at $-\infty$ (or for sufficiently negative numbers):

Note 3. Let $p \stackrel{\text{def}}{=} \sum_{i=0}^n a_i x^i$ with polynomials $a_i$ that do not contain $x$. Whether $p$ is ultimately negative (written $@_{-\infty}(p) < 0$) at $-\infty$ is easy to characterize:
$$
@_{-\infty}(p) < 0 \;\stackrel{\text{def}}{\equiv}\;
\begin{cases}
p < 0 & \text{if } \deg(p) = 0\\
(-1)^n a_n < 0 \;\vee\; \big(a_n = 0 \wedge @_{-\infty}(\textstyle\sum_{i=0}^{n-1} a_i x^i) < 0\big) & \text{if } \deg(p) > 0
\end{cases}
$$
Substitution of $\infty$ for $x$ into an atomic formula is defined similarly, except that the sign factor $(-1)^n$ disappears. Substitution of $-\infty$ or of $\infty$ for $x$ into first-order formulas is then defined as in Lecture 18.
Example 2. Using this principle to check under which circumstance the quadratic inequality from (2) evaluates to true yields the answer from our earlier ad-hoc analysis of what happens for sufficiently small values of $x$:
$$
(ax^2 + bx + c \leq 0)_x^{-\infty} \;\equiv\; (-1)^2 a < 0 \;\vee\; a = 0 \wedge \big((-1) b < 0 \;\vee\; b = 0 \wedge c < 0\big) \;\vee\; a = 0 \wedge b = 0 \wedge c = 0
$$
The first two disjuncts unfold $@_{-\infty}(ax^2 + bx + c) < 0$ along Note 3 (so $a < 0$, or $a = 0$ and $b > 0$, or $a = b = 0$ and $c < 0$); the last disjunct is the $(p = 0)_x^{-\infty}$ part of line (4). In the same way, the virtual substitution can be used to see under which circumstance $F$ would also evaluate to true for sufficiently small values of $x$, exactly when $F_x^{-\infty}$ holds. Note that (at least if $a \neq 0$) the virtual substitution of $\infty$ for $x$ adds nothing when checking (2), because $ax^2 + bx + c$ has the same sign at $\infty$ as at $-\infty$, namely the sign of $a$, so if the inequality is violated at $-\infty$ it is violated at $\infty$ as well. For linear atoms ($a = 0$, $b \neq 0$) the signs at $-\infty$ and $\infty$ differ, but then the root $-c/b$ already satisfies the weak inequality; Theorem 4 below indeed gets by with $-\infty$ and the roots (plus infinitesimal offsets), as its proof shows by looking at lower endpoints of intervals.

The crucial thing to note is again that the virtual substitution of infinities for $x$ in $F$ giving $F_x^{-\infty}$ is semantically equivalent to the result $F_x^{-\infty}$ of the literal substitution replacing $x$ with $-\infty$, but operationally different, because the virtual substitution never introduces actual infinities. Because of their semantical equivalence, we use the same notation by abuse of notation.

4 Infinitesimal Substitutions

Theorem 1 addresses the case where the quantified variable occurs in a linear or quadratic equation and the virtual substitution in Sect. 3 adds the case of sufficiently small values for $x$. Consider a formula of the form
$$\exists x\,(ax^2 + bx + c < 0 \wedge F) \tag{7}$$
In this case, the roots from Theorem 1 will not help, because they satisfy the equation $ax^2 + bx + c = 0$ but not the strict inequality $ax^2 + bx + c < 0$. The virtual substitution of $-\infty$ for $x$ from Sect. 3 still makes sense to consider, because that one might satisfy $F$ and $ax^2 + bx + c < 0$. If $-\infty$ does not work, however, the solution of (7) could be near one of the roots of $ax^2 + bx + c = 0$, just slightly off so that $ax^2 + bx + c < 0$ is satisfied. How far off? Well, saying that exactly by any real number is again difficult, because any particular real number might already have been too large in absolute value, depending on the constraints in the remainder of $F$. Again, this calls for quantities that are always as small as we need them to be.

Sect. 3 used a negative quantity $-\infty$ that is so small that it is smaller than all negative numbers and hence infinitely small (but infinitely large in absolute value). Analyzing (7) needs positive quantities that are infinitely small and hence also infinitely small in absolute value. Infinitesimals are positive quantities that are always smaller than all positive real numbers, i.e. always as small as needed. Think of them as built out of elastic rubber so that they always shrink as needed when compared with any actual positive real number so that the infinitesimals end up being smaller than positive reals. Another way of looking at infinitesimals is that they are the multiplicative inverses of $\infty$.

A positive infinitesimal $\varepsilon$ with $\infty > \varepsilon > 0$ is an extended real that is infinitesimal, i.e. positive but smaller than all positive real numbers ($\varepsilon < r$ for all $r \in \mathbb{R}$ with $r > 0$). For all polynomials $p \in \mathbb{R}[x] \setminus \{0\}$ and $\alpha \in \mathbb{R}$, the Taylor expansion of $p$ around $\alpha$ evaluated at $\alpha + \varepsilon$ can be used to show:

1. $p(\alpha + \varepsilon) \neq 0$,
that is, infinitesimals are positive and always so small that they never yield roots of any equation, except the trivial zero polynomial. Whenever it looks like there might be a root, the infinitesimal just became a bit smaller. And nonzero univariate polynomials only have finitely many roots, so the infinitesimals will take care to avoid them.

2. $p(\alpha) \neq 0 \rightarrow p(\alpha)\,p(\alpha + \varepsilon) > 0$,
that is, $p$ has constant sign on infinitesimal neighborhoods of nonroots $\alpha$. If the neighborhood around $\alpha$ is small enough (and for an infinitesimal it will be), then the polynomial will not yet have changed sign.

3. $0 = p(\alpha) = p'(\alpha) = p''(\alpha) = \cdots = p^{(k-1)}(\alpha) \neq p^{(k)}(\alpha) \rightarrow p^{(k)}(\alpha)\,p(\alpha + \varepsilon) > 0$,
that is, the first nonzero derivative of $p$ at $\alpha$ determines the sign of $p$ in an infinitesimal neighborhood to the right of $\alpha$.
Note 4. Substitution of an infinitesimal expression $e + \varepsilon$ with a square root expression $e$ and a positive infinitesimal $\varepsilon$ for $x$ into a polynomial $p = \sum_{i=0}^n a_i x^i$ with polynomials $a_i$ that do not contain $x$ is defined by the following equivalences:
$$
\begin{aligned}
(p = 0)_x^{e+\varepsilon} &\equiv \bigwedge_{i=0}^n a_i = 0 & (8)\\
(p \leq 0)_x^{e+\varepsilon} &\equiv (p < 0)_x^{e+\varepsilon} \vee (p = 0)_x^{e+\varepsilon} & (9)\\
(p < 0)_x^{e+\varepsilon} &\equiv \big(@_{+}(p) < 0\big)_x^{e} & (10)\\
(p \neq 0)_x^{e+\varepsilon} &\equiv \bigvee_{i=0}^n a_i \neq 0 & (11)
\end{aligned}
$$
Lines (8) and (11) use that infinitesimal offsets satisfy no equation except the trivial equation $0 = 0$ (case 1). Line (9) again uses the equivalence $p \leq 0 \equiv p < 0 \vee p = 0$. Line (10) checks that the sign of $p$ at $e$ is negative (which will make $p$ inherit the same negative sign at $e + \varepsilon$ by case 2) or will immediately become negative right away using a recursive formulation of immediately becoming negative that uses higher derivatives (which determine the sign by case 3). The lifting to arbitrary quantifier-free formulas of real arithmetic is again by substitution into all atomic subformulas and equivalences such as $(p > q) \equiv (p - q > 0)$ as defined in Lecture 18. Note that, for the case $(p < 0)_x^{e+\varepsilon}$, the (non-infinitesimal) square root expression $e$ gets virtually substituted in for $x$ into a formula $@_{+}(p) < 0$, which characterizes whether $p$ becomes negative immediately at or after $x$ (which will be substituted by $e$).

Note 5. Whether $p$ is immediately negative, i.e. negative itself or with a derivative $p'$ that makes it negative on an infinitesimal interval, can be characterized recursively:
$$
@_{+}(p) < 0 \;\stackrel{\text{def}}{\equiv}\;
\begin{cases}
p < 0 & \text{if } \deg(p) = 0\\
p < 0 \;\vee\; \big(p = 0 \wedge @_{+}(p') < 0\big) & \text{if } \deg(p) > 0
\end{cases}
$$

Example 3. Using this principle to check under which circumstance the quadratic strict inequality from (7) evaluates to true at $(-b + \sqrt{b^2-4ac})/(2a) + \varepsilon$, i.e. right after its root $(-b + \sqrt{b^2-4ac})/(2a)$, leads to the following computation. Write $r$ for the root $(-b + \sqrt{b^2-4ac})/(2a)$. By Note 5,
$$
@_{+}(ax^2 + bx + c) < 0 \;\equiv\; ax^2 + bx + c < 0 \;\vee\; ax^2 + bx + c = 0 \wedge \big(2ax + b < 0 \;\vee\; 2ax + b = 0 \wedge 2a < 0\big)
$$
Hence,
$$
\begin{aligned}
(ax^2 + bx + c < 0)_x^{r+\varepsilon}
&\equiv \big(@_{+}(ax^2 + bx + c) < 0\big)_x^{r}\\
&\equiv \big(ax^2 + bx + c < 0 \;\vee\; ax^2 + bx + c = 0 \wedge (2ax + b < 0 \;\vee\; 2ax + b = 0 \wedge 2a < 0)\big)_x^{r}\\
&\equiv (ax^2 + bx + c < 0)_x^{r} \;\vee\; (ax^2 + bx + c = 0)_x^{r} \wedge \big((2ax + b < 0)_x^{r} \;\vee\; (2ax + b = 0)_x^{r} \wedge 2a < 0\big)\\
&\equiv 0 \cdot 1 < 0 \;\vee\; 0 = 0 \wedge \big(4a^2 \leq 0 \wedge -4a^2(b^2 - 4ac) < 0 \;\vee\; -4a^2(b^2 - 4ac) = 0 \wedge 2a < 0\big)
\end{aligned}
$$
because the square root virtual substitution gives $(ax^2 + bx + c)_x^{r} = 0$ by construction (compare Example 6 from Lecture 18). The virtual substitution into the polynomial $2ax + b$ computes as follows:
$$
\begin{aligned}
(2ax + b)_x^{r} &= 2a\,(-b + \sqrt{b^2-4ac})/(2a) + b\\
&= (-2ab + 2a\sqrt{b^2-4ac})/(2a) + b\\
&= (-2ab + 2ab + 2a\sqrt{b^2-4ac})/(2a)\\
&= (0 + 2a\sqrt{b^2-4ac})/(2a)
\end{aligned}
$$
This is a square root expression $(\bar a + \bar b\sqrt{\bar c})/\bar d$ with $\bar a = 0$, $\bar b = 2a$, $\bar c = b^2 - 4ac$, $\bar d = 2a$, so the equivalences of Lecture 18 give
$$
(2ax + b < 0)_x^{r} \;\equiv\; \bar a\bar d < 0 \wedge \bar a^2 - \bar b^2\bar c > 0 \;\vee\; \bar b\bar d \leq 0 \wedge (\bar a\bar d < 0 \vee \bar a^2 - \bar b^2\bar c < 0) \;\equiv\; 4a^2 \leq 0 \wedge -4a^2(b^2 - 4ac) < 0
$$
$$
(2ax + b = 0)_x^{r} \;\equiv\; \bar a\bar b \leq 0 \wedge \bar a^2 - \bar b^2\bar c = 0 \;\equiv\; -4a^2(b^2 - 4ac) = 0
$$
The resulting formula can be further simplified internally to
$$
(ax^2 + bx + c < 0)_x^{r+\varepsilon} \;\equiv\; 4a^2 \leq 0 \wedge -4a^2(b^2 - 4ac) < 0 \;\vee\; 4a^2(b^2 - 4ac) = 0 \wedge 2a < 0 \;\equiv\; b^2 - 4ac = 0 \wedge 2a < 0
$$
because the first conjunct $4a^2 \leq 0 \equiv a = 0$ and, with $a = 0$, the second conjunct $-4a^2(b^2 - 4ac) < 0$ simplifies to $0 < 0$, which is impossible in the reals; and the root $r$ is only considered in the case $a \neq 0$ (Theorem 1), under which $4a^2(b^2 - 4ac) = 0 \equiv b^2 - 4ac = 0$. This answer makes sense. A quadratic polynomial evaluates to $ax^2 + bx + c < 0$ right after the root $r$ exactly if $r$ is a double root ($b^2 - 4ac = 0$) and the parabola opens downward ($2a < 0$). If instead $b^2 - 4ac > 0$, the polynomial is positive immediately to the right of $r$: for $a > 0$, $r$ is the larger of the two roots and the polynomial is positive beyond it; for $a < 0$, $r$ is the smaller root and the polynomial is positive between the two roots. So the condition $2a < 0$ alone would not be enough, and the conjunct $-4a^2(b^2 - 4ac) = 0$ that the virtual substitution of $r$ into $2ax + b = 0$ produces is exactly what rules out the case of two distinct roots.

Formulas such as this one ($b^2 - 4ac = 0 \wedge 2a < 0$) are the result of a quantifier elimination procedure. If the formula after quantifier elimination is either $\mathit{true}$ or $\mathit{false}$, then you know for sure that the formula is valid ($\mathit{true}$) or unsatisfiable ($\mathit{false}$), respectively. If the result of quantifier elimination is $\mathit{true}$, for example, KeYmaera can close proof branches (marked by proof rule R in our sequent proofs). Yet, quantifier elimination can also return other formulas, such as $b^2 - 4ac = 0 \wedge 2a < 0$, which are equivalent to the formula where quantifier elimination has been applied. In particular, they identify exactly under which circumstance that respective quantified formula is true. This can be very useful for identifying the missing assumptions to make a proof work and the corresponding statement true.

The crucial thing to note is again that the virtual substitution of infinitesimal expressions $e + \varepsilon$ for $x$ in $F$ giving $F_x^{e+\varepsilon}$ is semantically equivalent to the result $F_x^{e+\varepsilon}$ of the literal substitution replacing $x$ with $e + \varepsilon$, but operationally different, because the virtual substitution never introduces actual infinitesimals. Because of their semantical equivalence, we use the same notation by abuse of notation.
Computationally more efficient substitutions of infinitesimals have been reported
elsewhere [BD07].

5 Quantifier Elimination by Virtual Substitution

The following quantifier elimination technique works for formulas with a quantified variable that occurs at most quadratically.

Theorem 4 (Virtual substitution of quadratic constraints [Wei97]). Let $F$ be a quantifier-free formula in which all atomic formulas are of the form $ax^2 + bx + c \bowtie 0$ for $x$-free polynomials $a, b, c$ and $\bowtie \in \{=, \leq, <, \neq\}$, with corresponding discriminant $d \stackrel{\text{def}}{=} b^2 - 4ac$. Then $\exists x\,F$ is equivalent over $\mathbb{R}$ to the following quantifier-free formula:
$$
\begin{aligned}
& F_x^{-\infty}\\
\vee\; & \bigvee_{(ax^2+bx+c\,\{=,\leq\}\,0) \in F} \Big( a = 0 \wedge b \neq 0 \wedge F_x^{-c/b} \;\vee\; a \neq 0 \wedge d \geq 0 \wedge \big(F_x^{(-b+\sqrt{d})/(2a)} \vee F_x^{(-b-\sqrt{d})/(2a)}\big) \Big)\\
\vee\; & \bigvee_{(ax^2+bx+c\,\{<,\neq\}\,0) \in F} \Big( a = 0 \wedge b \neq 0 \wedge F_x^{-c/b+\varepsilon} \;\vee\; a \neq 0 \wedge d \geq 0 \wedge \big(F_x^{(-b+\sqrt{d})/(2a)+\varepsilon} \vee F_x^{(-b-\sqrt{d})/(2a)+\varepsilon}\big) \Big)
\end{aligned}
$$
Here the second line ranges over all atomic formulas of $F$ that are equations or weak inequalities, and the third line over all disequations and strict inequalities.

Proof. The proof first considers the literal substitution of square root expressions, infinities, and infinitesimals and then, as a second step, uses that the virtual substitutions that avoid square root expressions, infinities, and infinitesimals are equivalent.

The implication from the quantifier-free formula on the right-hand side (denoted $G$) to $\exists x\,F$ is obvious, because each disjunct of the quantifier-free formula has a conjunct of the form $F_x^{t}$ for some (extended) term $t$ even if it may be a square root expression or infinity or term involving infinitesimals.

The converse implication from $\exists x\,F$ to the quantifier-free formula depends on showing that the quantifier-free formula covers all possible representative cases and that the accompanying constraints on $a, b, c, d$ are actually necessary.

It is enough to prove this for the case where all variables in $F$ except $x$ have concrete numeric real values, because the equivalence holds iff it holds in all states $\nu$. By a fundamental property of real arithmetic called o-minimality, the set $S(F)$ of all real values for $x$ that satisfy $F$ forms a finite union of (pairwise disjoint) intervals, because the polynomials in $F$ only change signs at their roots, of which there only are finitely many now that the polynomials have become univariate, i.e. with the only variable $x$, since all free variables are evaluated to concrete real numbers in $\nu$. Without loss of generality (by merging overlapping or adjacent intervals), we assume all those intervals to be maximal, i.e. no bigger interval would satisfy $F$. So $F$ actually changes its truth-value at the lower and upper endpoints of these intervals (unless the interval is unbounded). The endpoints of these intervals can be seen to be of the form $-c/b$, $(-b + \sqrt{d})/(2a)$, $(-b - \sqrt{d})/(2a)$, $\pm\infty$ for any of the polynomials in $F$, because those polynomials are at most quadratic and all roots of those polynomials are contained in that set. Hence, as usual, $-c/b \in S(F)$ implies $a = 0$, $b \neq 0$, because that is the only case where $-c/b$ is such an endpoint for $F$, which has only at most quadratic polynomials, while $(-b + \sqrt{d})/(2a) \in S(F)$ as well as $(-b - \sqrt{d})/(2a) \in S(F)$ both imply that $a \neq 0$ and discriminant $d \geq 0$. So the side conditions for the roots considered in the quantifier-free formula are necessary for quadratic polynomials.

Now consider one interval $I \subseteq S(F)$ (if there is none, $\exists x\,F$ is false). If $I$ has no lower bound, then $F_x^{-\infty}$ is true by construction (by Sect. 3, the virtual substitution $F_x^{-\infty}$ is equivalent to the literal substitution $F_x^{-\infty}$ in $\pm\infty$-extended real arithmetic). Otherwise, let $\alpha \in \mathbb{R}$ be the lower bound of $I$. If $\alpha \in I$ ($I$ is closed at the lower bound), then $\alpha$ is of the form $-c/b$, $(-b + \sqrt{d})/(2a)$, $(-b - \sqrt{d})/(2a)$ for some equation $(ax^2 + bx + c = 0) \in F$ or weak inequality $(ax^2 + bx + c \leq 0) \in F$. Since the respective extra conditions on $a, b, c, d$ hold, the quantifier-free formula evaluates to true. If, otherwise, $\alpha \notin I$ ($I$ is open at the lower bound $\alpha$), then $\alpha$ is of the form $-c/b$, $(-b + \sqrt{d})/(2a)$, $(-b - \sqrt{d})/(2a)$ for some disequation $(ax^2 + bx + c \neq 0) \in F$ or strict inequality $(ax^2 + bx + c < 0) \in F$ and the interval $I$ cannot be a single point. Thus, one of the infinitesimal increments $-c/b + \varepsilon$, $(-b + \sqrt{d})/(2a) + \varepsilon$, $(-b - \sqrt{d})/(2a) + \varepsilon$ is in $I \subseteq S(F)$. Since the respective conditions on $a, b, c, d$ hold, the quantifier-free formula is again true. Hence, in either case, the quantifier-free formula is equivalent to $\exists x\,F$ in state $\nu$. Since the state $\nu$ giving concrete real numbers to all free variables of $\exists x\,F$ was arbitrary, the same equivalence holds for all $\nu$, which means that the quantifier-free formula (call it $G$) is equivalent to $\exists x\,F$. That is, $G \leftrightarrow \exists x\,F$ is valid, i.e. $\vDash G \leftrightarrow \exists x\,F$. $\square$

Optimizations are possible [Wei97] if there is only one quadratic occurrence of $x$, and that occurrence is not in an equation. If that occurrence is an equation, Theorem 1 already showed what to do. If there is only one occurrence of a quadratic inequality, the following variation works.

Note 7 ([Wei97]). Let $(Ax^2 + Bx + C \bowtie 0) \in F$ with $\bowtie \in \{\leq, <, \neq\}$ be the only quadratic occurrence of $x$. In that case, $\exists x\,F$ is equivalent over $\mathbb{R}$ to the following quantifier-free formula:
$$
\begin{aligned}
& A = 0 \wedge B \neq 0 \wedge F_x^{-C/B} \;\vee\; A \neq 0 \wedge F_x^{-B/(2A)} \;\vee\; F_x^{-\infty} \;\vee\; F_x^{\infty}\\
\vee\; & \bigvee_{(0x^2+bx+c\,\{=,\leq\}\,0) \in F} b \neq 0 \wedge F_x^{-c/b}\\
\vee\; & \bigvee_{(0x^2+bx+c\,\{<,\neq\}\,0) \in F} b \neq 0 \wedge \big(F_x^{-c/b+\varepsilon} \vee F_x^{-c/b-\varepsilon}\big)
\end{aligned}
$$
Further optimizations are possible if some signs of $a, b$ are known, because several cases in the quantifier-free expansion then become impossible and can be simplified to $\mathit{true}$ or $\mathit{false}$ immediately. This helps simplify the formula in Theorem 4, because one of the cases $a = 0$ versus $a \neq 0$ might drop. But it also reduces the number of disjuncts in $F_x^{-\infty}$, see Example 2, and in the virtual substitutions of square roots (Lecture 18) and of infinitesimals (Sect. 4).

Theorem 4 also applies for polynomials of higher degrees in $x$ if all those factor to polynomials of at most quadratic degree in $x$ [Wei97]. Degree reduction is also possible by renaming based on the greatest common divisor of all powers of $x$ that occur in $F$. If a quantified variable $x$ occurs only with degrees that are multiples of an odd number $d$, then virtual substitution can use $\exists x\,F(x^d) \equiv \exists y\,F(y)$. If $x$ only occurs with degrees that are multiples of an even number $d$, then $\exists x\,F(x^d) \equiv \exists y\,(y \geq 0 \wedge F(y))$. The cases with infinitesimals $+\varepsilon$ are only needed if $x$ occurs in strict inequalities or disequations. The cases $F_x^{(-b \pm \sqrt{d})/(2a)}$ without $\varepsilon$ are only needed if $x$ occurs in equations or weak inequalities.
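As an added example (not code from the lecture notes, and not the implementation in KeYmaera or Redlog), the following Python implements the recursions of Notes 3 and 5, the substitutions of $-\infty$ and of $e + \varepsilon$ from Notes 2 and 4 on polynomials with rational coefficients, and the candidate-point enumeration of Theorem 4 for a conjunction of atoms. Its simplifications are its own: $F$ is taken to be a conjunction, and quadratic roots are only used when the discriminant is a perfect square so that exact `Fraction` arithmetic suffices (the square root expressions of Lecture 18 lift that restriction); `P`, `ultimately_negative`, `immediately_negative`, `subst_minus_inf`, `subst_eps`, `roots` and `exists_x` are this example's names. On constructed instances it reproduces Example 2 and the conclusion of Example 3 that $ax^2 + bx + c < 0$ right after the root $(-b + \sqrt{b^2-4ac})/(2a)$ needs a double root with $a < 0$: $-(x-1)^2$ is negative immediately after its double root $1$, whereas $1 - x^2$ is not negative immediately after its root $-1$ although $2a < 0$.

```python
from fractions import Fraction
from math import isqrt

# Added example, not code from the lecture notes: virtual substitution of -inf
# (Notes 2 and 3) and of e + eps (Notes 4 and 5), and the case split of
# Theorem 4 for a conjunction of atoms.  Polynomials in x are coefficient lists
# [a_0, a_1, ..., a_n] (constant term first) whose other variables are already
# evaluated to rationals, as in the proof of Theorem 4.  Assumptions of this
# example: F is a conjunction, and roots are only used when the discriminant is
# a perfect square so that exact Fraction arithmetic suffices.


def P(*coeffs):
    """Polynomial from coefficients, constant term first, e.g. P(-1, 0, 1) is x^2 - 1."""
    return [Fraction(k) for k in coeffs]


def trim(p):
    p = list(p)
    while len(p) > 1 and p[-1] == 0:
        p.pop()
    return p


def evaluate(p, x):
    return sum(k * x**i for i, k in enumerate(p))


def derivative(p):
    return trim([i * k for i, k in enumerate(p)][1:]) or [Fraction(0)]


def ultimately_negative(p):
    """@_{-inf}(p) < 0 (Note 3): decided by the leading nonzero coefficient, with sign (-1)^n."""
    n = len(p) - 1
    if n == 0:
        return p[0] < 0
    return (-1) ** n * p[n] < 0 or (p[n] == 0 and ultimately_negative(p[:n]))


def immediately_negative(p, e):
    """@_{+}(p) < 0 at e (Note 5): p(e) < 0, or p(e) = 0 and p' is immediately negative at e."""
    v = evaluate(p, e)
    if len(trim(p)) == 1:
        return v < 0
    return v < 0 or (v == 0 and immediately_negative(derivative(p), e))


def is_zero(p):
    return all(k == 0 for k in p)


def subst_minus_inf(p, rel):
    """(p rel 0)_x^{-inf} for rel in {"=", "<=", "<", "!="} (Note 2)."""
    if rel == "=":
        return is_zero(p)
    if rel == "!=":
        return not is_zero(p)
    if rel == "<":
        return ultimately_negative(p)
    return ultimately_negative(p) or is_zero(p)


def subst_eps(p, rel, e):
    """(p rel 0)_x^{e+eps} for a rational point e (Note 4)."""
    if rel == "=":
        return is_zero(p)
    if rel == "!=":
        return not is_zero(p)
    if rel == "<":
        return immediately_negative(p, e)
    return immediately_negative(p, e) or is_zero(p)


def subst_point(p, rel, e):
    """(p rel 0)_x^e for a rational point e: plain evaluation."""
    v = evaluate(p, e)
    return {"=": v == 0, "<=": v <= 0, "<": v < 0, "!=": v != 0}[rel]


def roots(p):
    """Real roots of a polynomial of degree <= 2 as exact Fractions (perfect-square discriminant only)."""
    p = trim(p)
    if len(p) > 3:
        raise ValueError("x occurs with degree > 2")
    c, b, a = (p + [Fraction(0)] * 3)[:3]
    if a == 0:
        return [-c / b] if b != 0 else []
    d = b * b - 4 * a * c
    if d < 0:
        return []
    rn, rd = isqrt(d.numerator), isqrt(d.denominator)
    if rn * rn != d.numerator or rd * rd != d.denominator:
        raise ValueError("irrational roots: needs the square root expressions of Lecture 18")
    s = Fraction(rn, rd)
    return [(-b + s) / (2 * a), (-b - s) / (2 * a)]


def exists_x(atoms):
    """Theorem 4 for a conjunction of atoms (p, rel): test -inf, the roots of equations and
    weak inequalities, and root + eps for strict inequalities and disequations."""
    def F(test):
        return all(test(q, s) for q, s in atoms)

    if F(subst_minus_inf):
        return True
    for p, rel in atoms:
        for r in roots(p):
            if rel in ("=", "<=") and F(lambda q, s: subst_point(q, s, r)):
                return True
            if rel in ("<", "!=") and F(lambda q, s: subst_eps(q, s, r)):
                return True
    return False


if __name__ == "__main__":
    # Example 2: (x + 5 <= 0)_x^{-inf} is true, (x^2 + 1 <= 0)_x^{-inf} is false.
    print(subst_minus_inf(P(5, 1), "<="), subst_minus_inf(P(1, 0, 1), "<="))
    # Example 3: -(x-1)^2 < 0 right after its double root 1, but 1 - x^2 is not < 0
    # right after its root -1 (it is positive between the roots).
    print(immediately_negative(P(-1, 2, -1), Fraction(1)), immediately_negative(P(1, 0, -1), Fraction(-1)))
    # exists x (x^2 - 1 < 0 and x - 1/2 <= 0): found at -1 + eps, not at -inf.
    print(exists_x([(P(-1, 0, 1), "<"), (P(Fraction(-1, 2), 1), "<=")]))
```

For irrational roots the same recursions apply verbatim to the square root expressions of Lecture 18: `immediately_negative` then evaluates $p$ and its derivatives at $e$ by the virtual substitution of a square root expression instead of by `evaluate`, which is exactly what line (10) of Note 4 prescribes.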

6 Summary

Virtual substitution is one technique for eliminating quantifiers in real arithmetic. It works for linear and quadratic constraints and can be extended to some cubic cases [Wei94]. Virtual substitution can be applied repeatedly from inside out to eliminate quantifiers. In each case, however, virtual substitution requires the eliminated variable to occur with small enough degrees only. Even if that was the case initially, it may cease to be the case after eliminating the innermost quantifier, because the degrees of the formulas resulting from virtual substitution may increase. In that case, degree optimizations and simplifications may sometimes work. If not, then other quantifier elimination techniques need to be used, which are based on semialgebraic geometry or model theory. Virtual substitution alone always works for mixed quadratic-linear formulas, i.e. those in which all quantified variables occur linearly except for one variable that occurs quadratically. In practice, however, many other cases turn out to work well with virtual substitution.


Exercises

Exercise 1. Consider
$$\exists x\,(ax^2 + bx + c \leq 0 \wedge F) \tag{12}$$
The virtual substitution of the roots of $ax^2 + bx + c = 0$ according to Sect. 2 as well as of $-\infty$ according to Sect. 3 will lead to
$$
F_x^{-\infty} \;\vee\; a = 0 \wedge b \neq 0 \wedge F_x^{-c/b} \;\vee\; a \neq 0 \wedge b^2 - 4ac \geq 0 \wedge \big(F_x^{(-b+\sqrt{b^2-4ac})/(2a)} \vee F_x^{(-b-\sqrt{b^2-4ac})/(2a)}\big)
$$
But when $F$ is $ax^2 + bx + e < 0$, then none of those cases necessarily works. Does that mean the result of virtual substitution is not equivalent to (12)? Where is the catch in this argument?

References
[BD07] Christopher W. Brown and James H. Davenport. The complexity of quantifier elimination and cylindrical algebraic decomposition. In Dongming Wang, editor, ISSAC, pages 54–60. ACM, 2007.
[Pas11] Grant Olney Passmore. Combined Decision Procedures for Nonlinear Arithmetics, Real and Complex. PhD thesis, School of Informatics, University of Edinburgh, 2011.
[Pla08] Andre Platzer. Differential dynamic logic for hybrid systems. J. Autom. Reas., 41(2):143–189, 2008. doi:10.1007/s10817-008-9103-8.
[Pla10] Andre Platzer. Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics. Springer, Heidelberg, 2010. doi:10.1007/978-3-642-14509-4.
[Pla12] Andre Platzer. Logics of dynamical systems. In LICS, pages 13–24. IEEE, 2012. doi:10.1109/LICS.2012.13.
[PQR09] Andre Platzer, Jan-David Quesel, and Philipp Rümmer. Real world verification. In Renate A. Schmidt, editor, CADE, volume 5663 of LNCS, pages 485–501. Springer, 2009. doi:10.1007/978-3-642-02959-2_35.
[Wei94] Volker Weispfenning. Quantifier elimination for real algebra – the cubic case. In ISSAC, pages 258–263, 1994.
[Wei97] Volker Weispfenning. Quantifier elimination for real algebra – the quadratic case and beyond. Appl. Algebra Eng. Commun. Comput., 8(2):85–101, 1997.


15-424: Foundations of Cyber-Physical Systems

Lecture Notes on
Hybrid Systems & Games
Andre Platzer
Carnegie Mellon University
Lecture 20

1 Introduction
Hybrid systems have so far served us well throughout this course as a model for cyber-physical systems [Pla08, Pla10b]. Most definitely, hybrid systems can also serve as models for other systems that are not cyber-physical per se, i.e. they are not built as a combination of cyber and computing capabilities with physical capabilities. Some biological systems can be understood as hybrid systems, because they combine discrete and continuous dynamics. So can physical processes in which things happen at very different speeds, where there is a slow process for which a continuous understanding is critical as well as a very fast process for which a discrete abstraction might be sufficient. Neither of those examples is particularly cyber-physical. Yet, nevertheless, they can have natural models as hybrid systems, because their fundamental characteristic is the interaction of discrete and continuous dynamics, which is exactly what hybrid systems are good for. Hence, despite their good match, not all hybrid systems are cyber-physical systems.
The converse is not true either, though. Not all cyber-physical systems are hybrid systems. The reason for that is usually not that cyber-physical systems would not involve both discrete and continuous dynamics, but, rather, that, in addition to those, they also involve other dynamical aspects. It is a common phenomenon in cyber-physical systems that they involve several dynamical aspects, which is why they are best understood as multi-dynamical systems, i.e. systems with multiple dynamical features [Pla12c, Pla12b, Pla11, Pla13]. And this does not only happen for cyber-physical systems but also for other systems. Some applications simply require more dynamical features than just discrete and continuous dynamics.
It is not going to be feasible to understand all those multi-dynamical system aspects at once in today's lecture. But today's lecture is going to introduce one very fundamental dynamical aspect: adversarial dynamics [Pla13]. Adversarial dynamics comes from multiple players on a hybrid system that are allowed to make their respective choices arbitrarily. The combination of discrete, continuous, and adversarial dynamics leads to hybrid games. Unlike hybrid systems, hybrid games allow choices in the system dynamics to be resolved adversarially by different players with different objectives.
November 11, 2013
Hybrid games are certainly necessary in situations where multiple agents actively
compete. The canonical situation of a hybrid game would, thus, be RoboCup, where
two teams of robots play robot soccer, moving around physically in space, controlled
according to discrete computer decisions, and in active competition for scoring goals in
opposite directions on the field. It turns out that hybrid games also come up for reasons
of analytic competition, that is, where possible competition is assumed for the sake of
a worst-case analysis.
Consider lab 5, for example, where a robot is interacting with a roguebot. You are in
control of the robot, but somebody else is controlling the roguebot. Your objective is to
control your robot so that it will not collide with the roguebot. That means you need
to find some way of playing your control choices for your robot so that it will be safe
for all possible control choices that the roguebot might make; after all, you do not exactly
know how the roguebot is implemented. That could be considered as the robot
playing a hybrid game with the roguebot in which your robot is trying to safely avoid
collisions. The roguebot might behave sanely and try to stay safe as well. But if your
robot causes a collision, because it chose an action that was bad for the roguebot, your
robot would certainly be faulty and sent back to the design table.
Alas, when you try to understand how you need to control your robot to stay safe,
it can be instructive to think about what the worst-case action of a roguebot might
be to make life difficult for you. And when your friendly course instructors try to
demonstrate for you under which circumstance a simulation of your robot controller
exhibits a faulty behavior, so that you can learn from the cases where your control does
not work, they might be playing a hybrid game with you. If your robot wins and stays
safe, this can very well be an indication of a strong robot design. But if your course
TAs win and show an unsafe trace, you still win, because you learn more about the
corner cases in your robot control design than when staring at simulation movies where
everything is just fair-weather control.
If you think carefully again about lab 2, where your robot was put on a highway and
had to find some way of being controlled to stay safe for all possible choices of the robot
in front of it, then you will find that a hybrid game interpretation might be in order for
that lab as well.
These lecture notes are based on [Pla13], where more information can be found on
logic and hybrid games.

2 Choices & Nondeterminism


Note 1. Hybrid systems involve choices. They manifest evidently in hybrid programs as nondeterministic choices $\alpha \cup \beta$ whether to run HP $\alpha$ or HP $\beta$, in nondeterministic repetitions $\alpha^*$ where the choice is how often to repeat $\alpha$, and in differential equations $x' = \theta \,\&\, H$ where the choice is how long to follow that differential equation. All those choices, however, have still been resolved in one way, i.e. by the same entity or player.
In which way the various choices are resolved depends on the context. In the box modality $[\alpha]\phi$ of differential dynamic logic [Pla08, Pla10b, Pla12c], the choices are resolved in all possible ways so that the modal formula $[\alpha]\phi$ expresses that formula $\phi$ holds for all ways in which the choices in HP $\alpha$ could resolve. In the diamond modality $\langle\alpha\rangle\phi$, instead, the choices are resolved in some way so that formula $\langle\alpha\rangle\phi$ expresses that formula $\phi$ holds for one way of resolving the choices in HP $\alpha$.
In particular, choices in $\alpha$ help $\langle\alpha\rangle\phi$, because what this formula calls for is some way of making $\phi$ happen after $\alpha$. If $\alpha$ has many possible behaviors, this is easier to satisfy. Choices in $\alpha$ hurt $[\alpha]\phi$, however, because this formula requires $\phi$ to hold for all those choices. The more choices there are, the more difficult it is to make sure that $\phi$ holds after every single combination of those choices.
Note 2. Choices in $\alpha$ either help uniformly (when they occur in $\langle\alpha\rangle\phi$) or make things more difficult uniformly (when they occur in $[\alpha]\phi$).
That is why these various forms of choices in hybrid programs have been called nondeterministic. They are unbiased. All possible resolutions of the choices in $\alpha$ could happen nondeterministically when running $\alpha$. Which possibilities we care about (all or some) just depends on what the modal formula around it is that we consider.

3 Control & Dual Control


Another way of looking at the choices that are to be resolved during the runs of a hybrid program is that they can be resolved by one player. Let's call her Angel. Whenever a choice is about to happen (by running the statements $\alpha \cup \beta$, $\alpha^*$, or $x' = \theta \,\&\, H$), Angel is called upon to see how the choice is supposed to be resolved this time.
From that perspective, it sounds easy enough to add a second player. Let's call him Demon. Only so far, Demon will probably be rather bored after a while, when he realizes that he never actually gets to decide anything, because Angel has all the fun in choosing how the hybrid program world unfolds. So to keep Demon entertained, we need to introduce some choices that fall under Demon's control.
One thing we could do to keep Demon interested in playing along is to add a pair of shiny new controls especially for him. They might be called $\alpha \cap \beta$ for Demon's choice between $\alpha$ or $\beta$ as well as $\alpha^\times$ for repetition of $\alpha$ under Demon's control as well as an operation, say $(x' = \theta \,\&\, H)^d$, for continuous evolution under Demon's reign. But that would cause a lot of attention to Demon's control, which might make him feel overly majestic. Let's not do that, because we don't want Demon to get any ideas.
Instead, we will find it sufficient to add just a single operator to hybrid programs: the dual operator $^d$. What $\alpha^d$ does is to give all control that Angel had in $\alpha$ to Demon, and, vice versa, all control that Demon had in $\alpha$ to Angel. The dual operator, thus, is a little bit like what happens when you turn a chessboard around by 180° in the middle of the game. Whoever played the choices of player White before suddenly controls Black, and whoever played Black now controls White. With just this single duality operator it turns out that Demon still gets his own set of controls ($\alpha \cap \beta$, $\alpha^\times$, $(x' = \theta \,\&\, H)^d$) by a suitable nesting of operators, but we did not have to give him those controls specifically. Yet, now those extra controls are not special but simply an aspect of a more fundamental principle: duality.

4 Hybrid Games
Differential game logic (dGL) is a logic for studying properties of hybrid games. The
idea is to describe the game form, i.e. rules, dynamics, and choices of the particular
hybrid game of interest, using a program notation and to then study its properties by
proving the validity of logical formulas that refer to the existence of winning strategies
for objectives of those hybrid games. Even though hybrid game forms only describe
the game form with its dynamics and rules and choices, not the actual objective, they
are still simply called hybrid games. The objective for a hybrid game is defined in the
modal logical formula that refers to that hybrid game form.
Definition 1 (Hybrid games). The hybrid games of differential game logic dGL are defined by the following grammar ($\alpha, \beta$ are hybrid games, $x$ a vector of variables, $\theta$ a vector of (polynomial) terms of the same dimension, $H$ is a dGL formula or just a formula of first-order real arithmetic):
$$\alpha, \beta \;::=\; x := \theta \;\mid\; x' = \theta \,\&\, H \;\mid\; ?H \;\mid\; \alpha \cup \beta \;\mid\; \alpha; \beta \;\mid\; \alpha^* \;\mid\; \alpha^d$$
The only syntactical difference of hybrid games compared to hybrid programs for hybrid systems from Lecture 3 on Choice & Control is that, unlike hybrid programs, hybrid games allow the dual operator $\alpha^d$. This minor syntactic change also requires us to reinterpret the meaning of the other operators in a much more flexible way to make sense of the presence of subgames within the games. The basic principle is that whenever there used to be nondeterminism in the hybrid program semantics, there will now be a choice of Angel in the hybrid game semantics. But don't be fooled. The parts of such a hybrid game may still be hybrid games, in which players interact, rather than just a single system running. So all operators of hybrid games still need a careful understanding as games, not just $^d$, because all operators can be applied to subgames.
The atomic games of dGL are assignments, continuous evolutions, and tests. In the deterministic assignment game (or discrete assignment game) $x := \theta$, the value of variable $x$ changes instantly and deterministically to that of $\theta$ by a discrete jump without any choices to resolve. In the continuous evolution game (or continuous game) $x' = \theta \,\&\, H$, the system follows the differential equation $x' = \theta$ where the duration is Angel's choice, but Angel is not allowed to choose a duration that would, at any time, take the state outside the region where formula $H$ holds. In particular, Angel is deadlocked and loses immediately if $H$ does not hold in the current state, because she cannot even evolve for duration 0 then without going outside $H$.¹ The test game or challenge $?H$ has no effect on the state, except that Angel loses the game immediately if dGL formula $H$ does not hold in the current state. The test game $?H$ challenges Angel and she loses immediately if she fails. Angel does not win just because she passed the challenge $?H$, but at least the game continues. So passing challenges is a necessary condition to win games. Failing challenges, instead, immediately makes Angel lose.
The compound games of dGL are sequential, choice, repetition, and duals. The sequential game $\alpha; \beta$ is the hybrid game that first plays hybrid game $\alpha$ and, when hybrid game $\alpha$ terminates without a player having won already (so no challenge in $\alpha$ failed), continues by playing game $\beta$. When playing the choice game $\alpha \cup \beta$, Angel chooses whether to play hybrid game $\alpha$ or play hybrid game $\beta$. Like all the other choices, this choice is dynamic, i.e. every time $\alpha \cup \beta$ is played, Angel gets to choose again whether she wants to play $\alpha$ or $\beta$ this time. The repeated game $\alpha^*$ plays hybrid game $\alpha$ repeatedly and Angel chooses, after each play of $\alpha$ that terminates without a player having won already, whether to play the game again or not, albeit she cannot choose to play indefinitely but has to stop repeating ultimately. Angel is also allowed to stop right away after zero iterations of $\alpha$. Most importantly, the dual game $\alpha^d$ is the same as playing the hybrid game $\alpha$ with the roles of the players swapped. That is, Demon decides all choices in $\alpha^d$ that Angel has in $\alpha$, and Angel decides all choices in $\alpha^d$ that Demon has in $\alpha$. Players who are supposed to move but deadlock lose. Thus, while the test game $?H$ causes Angel to lose if formula $H$ does not hold, the dual test game (or dual challenge) $(?H)^d$ instead causes Demon to lose if $H$ does not hold.
For example, if $\alpha$ describes the game of chess, then $\alpha^d$ is chess where the players switch sides. If $\alpha$, instead, describes the hybrid game corresponding to your lab 5 robot model where you are controlling a robot and your course instructors are controlling the roguebot, then $\alpha^d$ describes the dual game where you take control of the roguebot and the course instructors are stuck with your robot controls.
The dual operator $^d$ is the only syntactic difference of dGL for hybrid games compared to dL for hybrid systems [Pla08, Pla12a], but a fundamental one [Pla13], because it is the only operator where control passes from Angel to Demon or back. Without $^d$ all choices are resolved uniformly by Angel without interaction. The presence of $^d$ requires a thorough semantic generalization throughout the logic.
¹ Note that the most common case for $H$ is a formula of first-order real arithmetic, but any dGL formula will work. In [Pla13], evolution domain constraints $H$ turn out to be unnecessary, because they can be defined using hybrid games. In the ordinary differential equation $x' = \theta$, the term $x'$ denotes the time-derivative of $x$ and $\theta$ is a polynomial term that is allowed to mention $x$ and other variables. More general forms of differential equations are possible [Pla10a, Pla10b], but will not be considered explicitly.


5 Differential Game Logic


Hybrid games describe how the world can unfold when Angel and Demon interact according to their respective control choices. They explain the rules of the game, i.e. how Angel and Demon interact, but not who wins the game, nor what the respective objectives of the players are.² The winning conditions are specified by logical formulas of differential game logic. Modal formulas $\langle\alpha\rangle\phi$ and $[\alpha]\phi$ refer to hybrid games and the existence of winning strategies for Angel and Demon, respectively, in a hybrid game $\alpha$ with a winning condition specified by a logical formula $\phi$.
Definition 2 (dGL formulas). The formulas of differential game logic dGL are defined by the following grammar ($\phi, \psi$ are dGL formulas, $p$ is a predicate symbol of arity $k$, $\theta_i$ are (polynomial) terms, $x$ a variable, and $\alpha$ is a hybrid game):
$$\phi, \psi \;::=\; p(\theta_1, \ldots, \theta_k) \;\mid\; \theta_1 \geq \theta_2 \;\mid\; \neg\phi \;\mid\; \phi \wedge \psi \;\mid\; \exists x\, \phi \;\mid\; \langle\alpha\rangle\phi \;\mid\; [\alpha]\phi$$
Other operators $>, =, \leq, <, \vee, \to, \leftrightarrow, \forall x$ can be defined as usual, e.g., $\forall x\, \phi \equiv \neg\exists x\, \neg\phi$.
The modal formula $\langle\alpha\rangle\phi$ expresses that Angel has a winning strategy to achieve $\phi$ in hybrid game $\alpha$, i.e. Angel has a strategy to reach any of the states satisfying dGL formula $\phi$ when playing hybrid game $\alpha$, no matter what strategy Demon chooses. The modal formula $[\alpha]\phi$ expresses that Demon has a winning strategy to achieve $\phi$ in hybrid game $\alpha$, i.e. a strategy to reach any of the states satisfying $\phi$, no matter what strategy Angel chooses. Note that the same game $\alpha$ is played in $[\alpha]\phi$ as in $\langle\alpha\rangle\phi$ with the same choices resolved by the same players. The difference between both dGL formulas is the player whose winning strategy they refer to. Both use the set of states where dGL formula $\phi$ is true as the winning states for that player. The winning condition is defined by the modal formula; $\alpha$ only defines the hybrid game form, not when the game is won, which is what $\phi$ does. Hybrid game $\alpha$ defines the rules of the game, including conditions on state variables that, if violated, cause the present player to lose for violation of the rules of the game. The dGL formulas $\langle\alpha\rangle\phi$ and $[\alpha]\phi$ consider complementary winning conditions for Angel and Demon.

6 Demon's Controls
Angel has full control over all choices in each of the operators of hybrid games except when the operator $^d$ comes into play. All choices within the scope of (an odd number of) $^d$ belong to Demon, because $^d$ makes the players switch sides. Demon's controls, i.e. direct controls for Demon, can be defined using the duality operator $^d$ on Angel's controls.
Demonic choice between hybrid game $\alpha$ and $\beta$ is $\alpha \cap \beta$, defined by $(\alpha^d \cup \beta^d)^d$, in which either the hybrid game $\alpha$ or the hybrid game $\beta$ is played, by Demon's choice. Demonic repetition of hybrid game $\alpha$ is $\alpha^\times$, defined by $((\alpha^d)^*)^d$, in which $\alpha$ is repeated as often as Demon chooses to. In $\alpha^\times$, Demon chooses after each play of $\alpha$ whether to repeat the game, but cannot play indefinitely so he has to stop repeating ultimately. The dual differential equation $(x' = \theta \,\&\, H)^d$ follows the same dynamics as $x' = \theta \,\&\, H$ except that Demon chooses the duration, so he cannot choose a duration during which $H$ stops to hold at any time. Hence he loses when $H$ does not hold in the current state. Dual assignment $(x := \theta)^d$ is equivalent to $x := \theta$, because it involves no choices.
² Except that players lose if they disobey the rules of the game by failing their respective challenges.
Angel's control operators and Demon's control operators correspond to each other by duality:
Angel Ops                         Demon Ops (via $^d$)
$\alpha \cup \beta$    choice     $\alpha \cap \beta$          choice
$\alpha^*$             repeat     $\alpha^\times$              repeat
$x' = \theta$          evolve     $(x' = \theta)^d$            evolve
$?H$                   challenge  $(?H)^d$                     challenge

7 Semantics
What is the most elegant way of defining a semantics for differential game logic? How could a semantics be defined at all? First of all, the dGL formulas $\phi$ that are used in the postconditions of dGL modal formulas $\langle\alpha\rangle\phi$ and $[\alpha]\phi$ define the winning conditions for the hybrid game $\alpha$. Thus, when playing the hybrid game $\alpha$, we need to know the set of states in which the winning condition $\phi$ is satisfied. That set of states in which $\phi$ is true is denoted $[[\phi]]^I$, which defines the semantics of $\phi$.
The logic dGL has a denotational semantics. The dGL semantics defines, for each formula $\phi$, the set $[[\phi]]^I$ of states in which $\phi$ is true. For each hybrid game $\alpha$ and each set of winning states $X$, the dGL semantics defines the set $\varsigma_\alpha(X)$ of states from which Angel has a winning strategy to achieve $X$ in hybrid game $\alpha$, as well as the set $\delta_\alpha(X)$ of states from which Demon has a winning strategy to achieve $X$ in $\alpha$.
A state $\omega$ is a mapping from variables to $\mathbb{R}$. An interpretation $I$ assigns a relation $I(p) \subseteq \mathbb{R}^k$ to each predicate symbol $p$ of arity $k$. The interpretation further determines the set of states $S$, which is isomorphic to a Euclidean space $\mathbb{R}^n$ when $n$ is the number of relevant variables. For a subset $X \subseteq S$ the complement $S \setminus X$ is denoted $X^\complement$. Let $\omega_x^d$ denote the state that agrees with state $\omega$ except for the interpretation of variable $x$, which is changed to $d \in \mathbb{R}$. The value of term $\theta$ in state $\omega$ is denoted by $[[\theta]]_\omega$. The denotational semantics of dGL formulas will be defined in Def. 3 by simultaneous induction along with the denotational semantics, $\varsigma_\alpha(\cdot)$ and $\delta_\alpha(\cdot)$, of hybrid games, defined later, because dGL formulas are defined by simultaneous induction with hybrid games. The (denotational) semantics of a hybrid game $\alpha$ defines for each interpretation $I$ and each set of Angel's winning states $X \subseteq S$ the winning region, i.e. the set of states $\varsigma_\alpha(X)$ from which Angel has a winning strategy to achieve $X$ (whatever strategy Demon chooses). The winning region of Demon, i.e. the set of states $\delta_\alpha(X)$ from which Demon has a winning strategy to achieve $X$ (whatever strategy Angel chooses), is defined later as well.


Definition 3 (dGL semantics). The semantics of a dGL formula $\phi$ for each interpretation $I$ with a corresponding set of states $S$ is the subset $[[\phi]]^I \subseteq S$ of states in which $\phi$ is true. It is defined inductively as follows:
1. $[[p(\theta_1, \ldots, \theta_k)]]^I = \{\omega \in S : ([[\theta_1]]_\omega, \ldots, [[\theta_k]]_\omega) \in I(p)\}$
2. $[[\theta_1 \geq \theta_2]]^I = \{\omega \in S : [[\theta_1]]_\omega \geq [[\theta_2]]_\omega\}$
3. $[[\neg\phi]]^I = ([[\phi]]^I)^\complement$
4. $[[\phi \wedge \psi]]^I = [[\phi]]^I \cap [[\psi]]^I$
5. $[[\exists x\, \phi]]^I = \{\omega \in S : \omega_x^r \in [[\phi]]^I \text{ for some } r \in \mathbb{R}\}$
6. $[[\langle\alpha\rangle\phi]]^I = \varsigma_\alpha([[\phi]]^I)$
7. $[[[\alpha]\phi]]^I = \delta_\alpha([[\phi]]^I)$
A dGL formula $\phi$ is valid in $I$, written $I \models \phi$, iff $[[\phi]]^I = S$. Formula $\phi$ is valid, $\models \phi$, iff $I \models \phi$ for all interpretations $I$.

8 Operational Game Semantics (informally)

A graphical illustration of the choices when playing hybrid games is depicted in Fig. 1. The nodes where Angel gets to decide are shown as diamonds, the nodes where Demon decides are shown as boxes. Circle nodes are shown when it depends on the remaining hybrid game which player it is that gets to decide. Dashed edges indicate Angel's actions, solid edges would indicate Demon's actions, while zigzag edges indicate that a hybrid game is played and the respective players move as specified by that game. The actions are the choice of time for $x' = \theta \,\&\, H$, the choice of playing the left or the right game for a choice game $\alpha \cup \beta$, and the choice of whether to stop or repeat in a repeated game $\alpha^*$. This principle can be made rigorous in an operational game semantics [Pla13], which conveys the intuition of interactive game play for hybrid games and relates to game theory and descriptive set theory, but is beyond the scope of these lecture notes.
As an example, consider the filibuster formula:
$$\langle (x := 0 \cap x := 1)^* \rangle\, x = 0 \qquad (1)$$
It is Angel's choice whether to repeat ($^*$), but every time Angel repeats, it is Demon's choice ($\cap$) whether to play $x := 0$ or $x := 1$. The game in this formula never deadlocks, because every player always has a remaining move (here even two). But it may appear as if the game had perpetual checks, because no strategy helps either player win the game; see Fig. 2. How could that happen and what can be done about it?

Figure 1: Operational game semantics for hybrid games of dGL (diagram omitted; its nodes are the states $s_i$, $t_j$, $r_{ij}$ and its edges the actions stop, repeat, left, right, and the time choice $t$ for $x' = \theta \,\&\, H$).

Figure 2: The filibuster game formula $\langle (x := 0 \cap x := 1)^* \rangle\, x = 0$ looks like it might be non-determined and not have a truth-value (unless $x = 0$ initially) when the strategies follow the thick actions. Angel's action choices are illustrated by dashed edges from dashed diamonds, Demon's action choices by solid edges from solid squares, and double lines indicate identical states with the same continuous state and a subgame of the same structure of subsequent choices. States where Angel wins and states where Demon wins are marked accordingly. (Diagram omitted.)
Before you read on, see if you can find the answer for yourself.


The mystery of the filibuster game can be solved when we remember that the game still ultimately ought to stop. Angel is in charge of the repetition and she can decide whether to stop or repeat. The filibuster game has no tests, so the winner only depends on the final state of the game. Angel wins a game play if $x = 0$ holds in the final state and Demon wins if $x \neq 0$ holds in the final state. What do the strategies indicated in Fig. 2 do? They postpone the end of the game forever, hence there would never be a final state in which it could be evaluated who won. That is, indeed, not a way for anybody to win anything. Yet, Angel was in charge of the repetition $^*$, so it is really her fault if the game never comes to a stop to evaluate who won. Consequently, the semantics of hybrid games requires players to not repeat indefinitely. This will be apparent in the actual semantics of hybrid games, which is defined as a denotational semantics corresponding to winning regions.
It is of similar importance that the players cannot decide to follow a differential equation forever (duration $\infty$), because that would make
$$\langle ((x' = 1)^d; x := 0)^* \rangle\, x = 0 \qquad (2)$$
non-determined.

Exercises
Exercise 1. Single player hybrid games, i.e. $^d$-free hybrid games, are just hybrid programs. For each of the following formulas, convince yourself that it has the same meaning, whether you understand it as a differential dynamic logic formula with a hybrid system or as a differential game logic formula with a hybrid game (that happens to have only a single player):
$\langle x := 0 \cup x := 1 \rangle\, x = 0$
$[x := 0 \cup x := 1]\, x = 0$
$\langle (x := 0 \cup x := 1); ?x = 1 \rangle\, x = 0$
$[(x := 0 \cup x := 1); ?x = 1]\, x = 0$
$\langle (x := 0 \cup x := 1); ?x = 0 \rangle\, x = 0$
$[(x := 0 \cup x := 1); ?x = 0]\, x = 0$
$\langle (x := 0 \cup x := 1)^* \rangle\, x = 0$
$[(x := 0 \cup x := 1)^*]\, x = 0$
$\langle (x := 0 \cup x := x + 1)^* \rangle\, x = 0$
$[(x := 0 \cup x := x + 1)^*]\, x = 0$
Exercise 2. Consider the following dGL formulas and identify under which circumstances they are true

h(x := x + 1; (x = x2 )d x := x 1) i (0 x < 1)

h(x := x + 1; (x = x2 )d (x := x 1 x := x 2)) i(0 x < 1)

(v := a v := a v := 0);
(w := b w := b w := 0);

x = v, y = w
(x y)2 1

Exercise 3. Is the following dGL formula valid? Can you identify some circumstances
under which it is true? Or some circumstances under which it is false?
D
( := 1 := 1 := 0);
( := 1 := 1 := 0);
(x1 = d1 , x2 = d2 , d1 = d2 , d2 = d1 , , y1 = e1 , y2 = e2 , e1 = e2 , e2 = e1 )d

 E

kx yk 1

References
[DBL12] Proceedings of the 27th Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2012, Dubrovnik, Croatia, June 25–28, 2012. IEEE, 2012.
[Pla08] Andre Platzer. Differential dynamic logic for hybrid systems. J. Autom. Reas., 41(2):143–189, 2008. doi:10.1007/s10817-008-9103-8.
[Pla10a] Andre Platzer. Differential-algebraic dynamic logic for differential-algebraic programs. J. Log. Comput., 20(1):309–352, 2010. doi:10.1093/logcom/exn070.
[Pla10b] Andre Platzer. Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics. Springer, Heidelberg, 2010. doi:10.1007/978-3-642-14509-4.
[Pla11] Andre Platzer. Stochastic differential dynamic logic for stochastic hybrid programs. In Nikolaj Bjørner and Viorica Sofronie-Stokkermans, editors, CADE, volume 6803 of LNCS, pages 431–445. Springer, 2011. doi:10.1007/978-3-642-22438-6_34.
[Pla12a] Andre Platzer. The complete proof theory of hybrid systems. In LICS [DBL12], pages 541–550. doi:10.1109/LICS.2012.64.
[Pla12b] Andre Platzer. Dynamic logics of dynamical systems. CoRR, abs/1205.4788, 2012. arXiv:1205.4788.
[Pla12c] Andre Platzer. Logics of dynamical systems. In LICS [DBL12], pages 13–24. doi:10.1109/LICS.2012.13.
[Pla13] Andre Platzer. A complete axiomatization of differential game logic for hybrid games. Technical Report CMU-CS-13-100R, School of Computer Science, Carnegie Mellon University, Pittsburgh, PA, January 2013. Revised and extended in July 2013.


15-424: Foundations of Cyber-Physical Systems

Lecture Notes on
Winning Strategies & Regions
Andre Platzer
Carnegie Mellon University
Lecture 21

1 Introduction
This lecture continues the study of hybrid games and their logic, differential game logic
[Pla13], that Lecture 20 on Hybrid Systems & Games started.
These lecture notes are based on [Pla13], where more information can be found on
logic and hybrid games.

2 Semantics
What is the most elegant way of defining a semantics for differential game logic? How could a semantics be defined at all? First of all, the dGL formulas $\phi$ that are used in the postconditions of dGL modal formulas $\langle\alpha\rangle\phi$ and $[\alpha]\phi$ define the winning conditions for the hybrid game $\alpha$. Thus, when playing the hybrid game $\alpha$, we need to know the set of states in which the winning condition $\phi$ is satisfied. That set of states in which $\phi$ is true is denoted $[[\phi]]^I$, which defines the semantics of $\phi$.
The logic dGL has a denotational semantics. The dGL semantics defines, for each formula $\phi$, the set $[[\phi]]^I$ of states in which $\phi$ is true. For each hybrid game $\alpha$ and each set of winning states $X$, the dGL semantics defines the set $\varsigma_\alpha(X)$ of states from which Angel has a winning strategy to achieve $X$ in hybrid game $\alpha$, as well as the set $\delta_\alpha(X)$ of states from which Demon has a winning strategy to achieve $X$ in $\alpha$.
A state $\omega$ is a mapping from variables to $\mathbb{R}$. An interpretation $I$ assigns a relation $I(p) \subseteq \mathbb{R}^k$ to each predicate symbol $p$ of arity $k$. The interpretation further determines the set of states $S$, which is isomorphic to a Euclidean space $\mathbb{R}^n$ when $n$ is the number of relevant variables. For a subset $X \subseteq S$ the complement $S \setminus X$ is denoted $X^\complement$. Let $\omega_x^d$ denote the state that agrees with state $\omega$ except for the interpretation of variable $x$, which is changed to $d \in \mathbb{R}$. The value of term $\theta$ in state $\omega$ is denoted by $[[\theta]]_\omega$. The denotational semantics of dGL formulas will be defined in Def. 1 by simultaneous induction along with the denotational semantics, $\varsigma_\alpha(\cdot)$ and $\delta_\alpha(\cdot)$, of hybrid games, defined later in Def. 2, because dGL formulas are defined by simultaneous induction with hybrid games. The (denotational) semantics of a hybrid game $\alpha$ defines for each interpretation $I$ and each set of Angel's winning states $X \subseteq S$ the winning region, i.e. the set of states $\varsigma_\alpha(X)$ from which Angel has a winning strategy to achieve $X$ (whatever strategy Demon chooses). The winning region of Demon, i.e. the set of states $\delta_\alpha(X)$ from which Demon has a winning strategy to achieve $X$ (whatever strategy Angel chooses), is defined subsequently in Def. 2 as well.
November 13, 2013
Definition 1 (dGL semantics). The semantics of a dGL formula for each interpretation I with a corresponding set of states S is the subset [[]]I S of states in which
is true. It is defined inductively as follows
1. [[p(1 , . . . , k )]]I = { S : ([[1 ]] , . . . , [[k ]] ) I(p)}
2. [[1 2 ]]I = { S : [[1 ]] [[2 ]] }
3. [[]]I = ([[]]I )
4. [[ ]]I = [[]]I [[]]I
5. [[x ]]I = { S : xr [[]]I for some r R}
6. [[hi]]I = ([[]]I )
7. [[[]]]I = ([[]]I )
A dGL formula is valid in I, written I |= , iff [[]]I = S. Formula is valid,  ,
iff I |= for all interpretations I.
Note that the semantics of hi cannot be defined as it would in dL via
[[hi]]I = { S : [[]]I for some with (, ) ()
First of all, the reachability relation (, ) () is only defined when is a hybrid
program, not when it is a hybrid game. But the deeper reason is that the above shape is
too harsh. Criteria of this shape would require Angel to single out a single state that
satisfies the winning condition [[]]I and then get to that state by playing from
. Yet all that Demon then has to do to spoil that plan is lead the play into a different
state (e.g., one in which Angel would also have won) but which is different from the
projected . More generally, winning into a single state is really difficult. Winning by
leading the play into one of several states that satisfy the winning condition is more
feasible. This is what the winning region ([[]]) is supposed to capture.

3 Winning Regions
Def. 1 needs a definition of the winning regions () and () for Angel and Demon,
respectively, in the hybrid game . Rather than taking a detour for understanding those
by operational game semantics (as in Lecture 20), the winning regions of hybrid games
can be defined directly, giving a denotational semantics to hybrid games.
Definition 2 (Semantics of hybrid games). The semantics of a hybrid game is a
function () that, for each interpretation I and each set of Angel's winning states
X S, gives the winning region, i.e. the set of states (X) from which Angel has
a winning strategy to achieve X (whatever strategy Demon chooses). It is defined
inductively as follows:^a
1. x:= (X) = { S : x^[[]] X}
2. x = & H (X) = {(0) S : (r) X for some r R0 and (differentiable) : [0, r] S such that () [[H]]I and d(t)(x)/dt () = [[]]() for all 0 r}
3. ?H (X) = [[H]]I X
4. (X) = (X) (X)
5. ; (X) = ( (X))
6. d (X) = ( (X ))
The winning region of Demon, i.e. the set of states (X) from which Demon has
a winning strategy to achieve X (whatever strategy Angel chooses) is defined inductively as follows:
1. x:= (X) = { S : x^[[]] X}
2. x = & H (X) = {(0) S : (r) X for all r R0 and (differentiable) : [0, r] S such that () [[H]]I and d(t)(x)/dt () = [[]]() for all 0 r}
3. ?H (X) = ([[H]]I ) X
4. (X) = (X) (X)
5. ; (X) = ( (X))
6. d (X) = ( (X ))

^a The semantics of a hybrid game is not merely a reachability relation between states as for hybrid
systems [Pla12], because the adversarial dynamic interactions and nested choices of the players
have to be taken into account.

This notation uses (X) instead of I (X) and (X) instead of I (X), because the interpretation I that gives a semantics to predicate symbols in tests and evolution domains is
clear from the context. Strategies do not occur explicitly in the dGL semantics, because
it is based on the existence of winning strategies, not on the strategies themselves.
Just as the semantics of dL, the semantics of dGL is compositional, i.e. the semantics of
a compound dGL formula is a simple function of the semantics of its pieces, and the
semantics of a compound hybrid game is a function of the semantics of its pieces. Furthermore, existence of a strategy in hybrid game to achieve X is independent of any
game and dGL formula surrounding , but just depends on the remaining game itself and the goal X. By a simple inductive argument, this shows that one can focus on
memoryless strategies, because the existence of strategies does not depend on the context, hence, by working bottom up, the strategy itself cannot depend on past states and
choices, only the current state, remaining game, and goal. This also follows from a generalization of a classical result by Zermelo. Furthermore, the semantics is monotone,
i.e. larger sets of winning states induce larger winning regions.
Lemma 3 (Monotonicity [Pla13]). The semantics is monotone, i.e. (X) (Y ) and
(X) (Y ) for all X Y .
Proof. A simple check based on the observation that X only occurs with an even number of negations in the semantics. For example, X Y implies X Y , hence
(X ) (Y ), so d (X) = ( (X )) ( (Y )) = d (Y ).
Before going any further, however, we need to define a semantics for repetition,
which will turn out to be surprisingly difficult.

4 Examples
Consider the following examples and find out whether the formulas are valid or not.

h(x := x + 1; (x = x2 )d x := x 1) i (0 x < 1)

h(x := x + 1; (x = x2 )d (x := x 1 x := x 2)) i(0 x < 1)


Before you read on, see if you can find the answer for yourself.

h(x := x + 1; (x = x2 )d x := x 1) i (0 x < 1)

2h(x := x + 1; (x = x2 )d (x := x 1 x := x 2)) i(0 x < 1)

5 Advance Notice Repetitions


The semantics of repetition in hybrid systems was
    ( ) = ⋃_{n N} (n )
with n+1 n ; and 0 ?true.

So the obvious candidate for the semantics of repetition in hybrid games might be
    (X) =? ⋃_{n<} n (X)

where is the first infinite ordinal (if you have never seen ordinals before, just read n <
as natural numbers n N). Would that give the intended meaning to repetition? Is
Angel forced to stop in order to win if the game of repetition would be played this way?
Yes, she would, because, even though there is no bound on the number of repetitions
that she can choose, for each natural number n, the resulting game n (X) is finite.
Would this definition capture the intended meaning of repeated game play?
Before you read on, see if you can find the answer for yourself.

The issue is that each way of playing a repetition this way would require Angel to
choose a natural number n N of repetitions and expose this number to Demon when
playing n so that he would know how often Angel decided to repeat.
That would lead to what is called the advance notice semantics for , which requires
the players to announce the number of times that game will be repeated when the
loop begins. The advance notice semantics defines (X) as ⋃_{n<} n (X), where
n+1 n ; and 0 ?true, and defines (X) as ⋂_{n<} n (X). When playing , Angel,
thus, announces to Demon how many repetitions n are going to be played when the
game begins, and Demon announces how often to repeat . This advance notice
makes it easier for Demon to win loops and easier for Angel to win loops , because the opponent announces an important feature of their strategy immediately, as
opposed to revealing whether or not to repeat the game once more one iteration at a
time as in Def. 2. Angel announces the number n < of repetitions when starts.
The following formula, for example, turns out to be valid in dGL (see Fig. 1), but
would not be valid in the advance notice semantics:
    x = 1 a = 1 h((x := a; a := 0) x := 0) ix ≠ 1    (1)

If, in the advance notice semantics, Angel announces that she has chosen n repetitions
of the game, then Demon wins (for a ≠ 0) by choosing the x := 0 option n 1 times
followed by one choice of x := a; a := 0 in the last repetition. This strategy would not
work in the dGL semantics, because Angel is free to decide whether to repeat after
each repetition based on the resulting state of the game. The winning strategy for (1)
indicated in Fig. 1(left) shows that this dGL formula is valid.
Since the advance notice semantics misses out on the existence of perfectly reasonable
winning strategies, dGL does not choose this semantics. Nevertheless, the advance
notice semantics can be a useful semantics to consider for other purposes [QP12].

6 -Strategic Semantics
The trouble with the semantics in Sect. 5 is that Angel's move for the repetition reveals
too much to Demon, because Demon can inspect the remaining game n to find out
once and for all how long the game will be played before he has to do his first move.
Let's try to undo this. Another alternative choice for the semantics would have been
to allow only arbitrary finite iterations of the strategy function for computing the winning region by using the -strategic semantics, which defines
    (X) =? (X) = ⋃_{n<} n (X)
along with a corresponding definition for (X). All we need to do for this is define
what it means to nest the winning region construction. For any winning condition

[Figure 1: two game trees whose nodes are labelled by the state (x, a) as 11, 10, 01, 00 and whose edges are labelled stop or repeat; see the caption below.]
Figure 1: Game trees for x = 1 a = 1 h ix ≠ 1 with game
(x := a; a := 0) x := 0 (notation: x, a). (left) valid in dGL by strategy "repeat once and repeat once more if x = 1, then stop"; (right) false in advance notice semantics by the strategy "n 1 choices of x := 0 followed by x := a; a := 0
once", where n is the number of repetitions Angel announced.

X S the iterated winning region of is defined inductively as:
    0 (X) def= X
    +1 (X) def= X ( (X))
Does this give the right semantics for repetition of hybrid games? Does it match
the existence of winning strategies that we were hoping to define? See Fig. 2 for an
illustration.

n (X) 3 (X) 2 (X) (X) X

Figure 2: Iteration n (X) of () from winning condition X.


Before you read on, see if you can find the answer for yourself.

The surprising answer is no for a very subtle but also very fundamental reason. The
existence of winning strategies for does not coincide with the th iteration of . This
will be investigated further in the next lecture.

References
[Pla12] Andre Platzer. The complete proof theory of hybrid systems. In LICS, pages 541-550. IEEE, 2012. doi:10.1109/LICS.2012.64.
[Pla13] Andre Platzer. A complete axiomatization of differential game logic for hybrid games. Technical Report CMU-CS-13-100R, School of Computer Science, Carnegie Mellon University, Pittsburgh, PA, January 2013. Revised and extended in July 2013.
[QP12] Jan-David Quesel and Andre Platzer. Playing hybrid games with KeYmaera. In Bernhard Gramlich, Dale Miller, and Ulrike Sattler, editors, IJCAR, volume 7364 of LNCS, pages 439-453. Springer, 2012. doi:10.1007/978-3-642-31365-3_34.

15-424: Foundations of Cyber-Physical Systems

Lecture Notes on
Winning & Proving Hybrid Games
Andre Platzer
Carnegie Mellon University
Lecture 22
1 Introduction
This lecture continues the study of hybrid games and their logic, differential game logic
[Pla13], that Lecture 20 on Hybrid Systems & Games and Lecture 21 on Winning Strategies & Regions started.
These lecture notes are based on [Pla13], where more information can be found on
logic and hybrid games.

2 Deficiencies of the -Strategic Semantics


Lecture 21 on Winning Strategies & Regions raised the question whether the semantics
of repetition could be defined by the -strategic semantics
    (X) =? (X) = ⋃_{n<} n (X)
For winning condition X S the iterated winning region of is defined inductively:
    0 (X) def= X
    +1 (X) def= X ( (X))
Does this give the right semantics for repetition of hybrid games? Does it match the
existence of winning strategies that we were hoping to define?
Would the following dGL formula be valid in the -strategic semantics?

    h(x := 1; x = 1d x := x 1) i (0 x < 1)    (1)

Before you read on, see if you can find the answer for yourself.

15-424 L ECTURE N OTES

November 18, 2013

A NDR E P LATZER

L22.2

Winning & Proving Hybrid Games

Abbreviate the loop body and the winning condition 0 x < 1 of
    h(x := 1; x = 1d x := x 1) i (0 x < 1)
It is easy to see that ([0, 1)) = [0, ), because n ([0, 1)) = [0, n) for all n N by a
simple inductive proof (recall ):
    1 ([0, 1)) = [0, 1)
    n+1 ([0, 1)) = [0, 1) ( n ([0, 1))) =[by IH] [0, 1) ([0, n)) = [0, 1) ([0, n)) ([0, n)) = [0, 1) [1, n + 1) = [0, n + 1)
Consequently,
    ([0, 1)) = ⋃_{n<} n ([0, 1)) = ⋃_{n<} [0, n) = [0, )

Hence, the semantics would indicate that the hybrid game (1) can be won from exactly
the initial states in [0, ), that is, from all initial states that satisfy 0 x.
Unfortunately, this is quite some nonsense. Indeed, the hybrid game in dGL formula
(1) can be won from all initial states that satisfy 0 x. But it can also be won from
other initial states! So the -strategic semantics ([0, 1)) misses out on winning states.
It is way too small for a winning region. There are cases where the -semantics is
minuscule compared to the true winning region and arbitrarily far away from the truth
[Pla13].
In (1), this -level of iteration of the strategy function for winning regions misses out
on Angel's perfectly reasonable winning strategy: first choose x := 1; x = 1d and then
always choose x := x 1 until stopping at 0 x < 1. This winning strategy wins from
every initial state in R, which is a much bigger set than ([0, 1)) = [0, ).
Now this is the final answer for the winning region of (1). In particular, the dGL
formula (1) is valid. Yet, is there a direct way to see that ([0, 1)) = [0, ) is not the
final answer for (1) without having to put the winning region computations aside and
constructing a separate ingenious winning strategy?
Before you read on, see if you can find the answer for yourself.

The crucial observation is the following. The fact ([0, 1)) = [0, ) shows that the
hybrid game in (1) can be won from all nonnegative initial values with at most (first
countably infinitely many) steps. Let's recall how the proof worked, which showed
n ([0, 1)) = [0, n) for all n N. Its inductive step basically showed that if, for whatever
reason (by inductive hypothesis really), [0, n) is in the winning region, then [0, n + 1)
also is in the winning region by simply applying () to [0, n).
How about doing exactly that again? For whatever reason (i.e. by the above argument), [0, ) is in the winning region. Doesn't that mean that ([0, )) should again
be in the winning region by exactly the same inductive argument above?
Before you read on, see if you can find the answer for yourself.

Note 1. Whenever a set Y is in the winning region (X) of repetition, then (Y ) also
should be in the winning region (X), because it is just one step away from Y and
could simply repeat once more.
Thus, the winning region () ([0, )) should also contain
([0, )) = ([0, )) ([0, )) = R [0, ) = R
Beyond that, the winning region cannot contain anything else, because R is the whole
state space. And, indeed, trying to use the winning region construction once more on
R does not change the result:
(R) = (R) (R) = R [0, ) = R
This result, then coincides with what the ingenious winning strategy above told us as
well: formula (1) is valid, because there is a winning strategy for Angel from every
initial state. Except that the repeated () winning region construction seems more
systematic than an ingenious guess of a smart winning strategy. So it gives a more
constructive and explicit semantics.
Let's recap. In order to find the winning region of the hybrid game described in (1),
it took us not just infinitely many steps, but more than that. After many iterations to
arrive at ([0, 1)) = [0, ), it took us one more step to arrive at
() ([0, 1)) = +1 ([0, 1)) = R
where we denote the number of steps we took overall by + 1, since it was one more
step than (first countable) infinitely many (i.e. many); see Fig. 1 for an illustration.
More than infinitely many steps to get somewhere are plenty. Even worse: there are
cases where even + 1 has not been enough of iteration to get to the repetition. The
number of iterations needed to find (X) could in general be much larger [Pla13].

+1 (X) (X) 3 (X) 2 (X) (X) X

Figure 1: Iteration +1 (X) of () from winning condition X = [0, 1) stops when applying () to the th infinite iteration (X).

The existence of the above winning strategy is only found at the level +1 ([0, 1)) =
([0, )) = R. Even though any particular use of the winning strategy in any game
play uses only some finite number of repetitions of the loop, the argument why it will
always work requires > many iterations of (), because Demon can change x to
an arbitrarily big value, so that many iterations of () are needed to conclude that
Angel has a winning strategy for any positive value of x. There is no smaller upper
bound on the number of iterations it takes Angel to win, in particular Angel cannot
promise as a bound on the repetition count, which is what the -semantics would
effectively require her to do. But strategies do converge after + 1 iterations.
Note 2. The -semantics is inappropriate, because it can be arbitrarily far away from
characterizing the winning region of hybrid games.
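As an added example (not from the lecture notes or from [Pla13]), the following Python carries out the iteration of the winning region construction for formula (1) on sets of reals represented as unions of half-open intervals. The round function encodes Angel's winning region for one pass through the loop body (x := 1; (x' = 1)^d) ∪ x := x - 1: the left branch hands control of the evolution duration to Demon, so it wins for Angel only if all of [1, ∞) already lies in the goal set, and the right branch shifts the goal set right by one. Counting from iterate 0 = X as in the definition above, the n-th iterate evaluates to [0, n+1); the union of all finite iterates, [0, ∞), is supplied as a stated value rather than computed, and applying the round once more to it yields all of R, after which nothing changes. The interval helpers and all function names are constructed for this example.

```python
import math

# Sets of reals as sorted lists of disjoint half-open intervals [lo, hi);
# math.inf marks an unbounded end. Constructed helper for this example only.
def normalize(ivs):
    ivs = sorted((lo, hi) for lo, hi in ivs if lo < hi)
    out = []
    for lo, hi in ivs:
        if out and lo <= out[-1][1]:          # overlapping or adjacent: merge
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out

def union(a, b):
    return normalize(list(a) + list(b))

def covers(a, lo, hi):
    """True iff the half-open interval [lo, hi) lies inside the set a."""
    return any(l <= lo and hi <= h for l, h in a)

REALS = [(-math.inf, math.inf)]
GOAL = [(0.0, 1.0)]   # the winning condition 0 <= x < 1 of formula (1)

def one_round(X):
    """Angel's winning region for a single round of the loop body
    (x := 1; (x' = 1)^d) ∪ x := x - 1 with respect to the goal set X."""
    # Left branch: after x := 1, Demon runs x' = 1 for any duration he likes, so
    # the round ends at an arbitrary value in [1, inf). Angel wins via this branch
    # only if every such value is in X; then from every start, otherwise from none.
    left = REALS if covers(X, 1.0, math.inf) else []
    # Right branch: x := x - 1 ends in X exactly when it started in X shifted by +1.
    right = [(lo + 1, hi + 1) for lo, hi in X]
    return union(left, right)

def iterate(n, X=GOAL):
    """n-th iterate of Z -> X ∪ one_round(Z), starting from iterate 0 = X."""
    Z = X
    for _ in range(n):
        Z = union(X, one_round(Z))
    return Z

def omega_plus_one(omega_region, X=GOAL):
    """One more round applied to the omega limit (the union of all finite iterates)."""
    return union(X, one_round(omega_region))

if __name__ == "__main__":
    for n in range(5):
        print("iterate", n, iterate(n))          # bounded: [0, n+1) each time
    omega = [(0.0, math.inf)]   # union of all finite iterates, stated not computed
    print("omega    ", omega)
    print("omega + 1", omega_plus_one(omega))    # all of R
    print("omega + 2", omega_plus_one(omega_plus_one(omega)))  # unchanged
```

The point the code makes concrete is the one in Note 2: no finite iterate contains a negative start value, because the left branch never pays off until the goal set already covers [1, ∞), and that only happens at the limit of the finite iterates, one step beyond any bound Angel could have promised.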

3 Characterizing Winning Repetitions


Is there a more immediate way of characterizing the winning region (X) of repetition?
Whenever a set Y is in the winning region (X) of repetition, then (Y ) also should
be in the winning region (X), because it is just one step away from Y and could
simply repeat once more. Thus,
Y (X) (Y ) (X)
In particular, the set Y def= (X) itself is expected to satisfy
    ( (X)) (X)    (2)

because repeating once more from the winning region (X) of repetition of should
not give us any states that did not already have a winning strategy in . Consequently,
a set Z S only qualifies as a candidate for being the winning region (X) of repetition if
(Z) Z
(3)
That is, strategizing along from Z does not give anything that Z would not already
know about.
So what is this set Z? Is there only one choice? Or multiple? If there are multiple
choices, which Z is it? Does such a Z always exist, even?
Before you read on, see if you can find the answer for yourself.


One such Z always exists, even though it may be rather boring. The empty set Z def=
certainly satisfies () = , because it is rather hard to win a game that requires Angel
to enter the empty set of states to win.
But the empty set is maybe a bit small. The winning region (X) of repetition
of should at least contain the winning condition X, because the winning condition
X is particularly easy to reach from states in X, which have already let Angel win, by
simply suggesting that Angel repeat zero times. Consequently, the only Z that qualify as
a candidate for being (X) should satisfy (3) and
    X Z    (4)

Both conditions (3) and (4) together can be summarized in a single condition as follows:

Note 3 (Prefixpoint). Every candidate Z for the winning region (X) satisfies:
X (Z) Z

(5)

Again: what is this set Z that satisfies (5)? Is there only one choice? Or multiple? If
there are multiple choices, which Z is it? Does such a Z always exist, even?
Before you read on, see if you can find the answer for yourself.

One such Z certainly exists. The empty set does not qualify unless X = . The
set X itself is too small unless the game has no incentive to start repeating, because
(X) X. But the full space Z def= S always satisfies (5) trivially. Now, the whole
space is a little big to call it Angel's winning region independently of the hybrid game
. Even if the full space may very well be the winning region for some particularly Demonophobic Angel-friendly hybrid games like (1), it is hardly the right winning region
for an arbitrary . For example, for Demon's favorite game, where he always wins,
(X) had better be , not S. Thus, the largest solution Z of (5) hardly qualifies.
So which solution Z of (5) should be the definition of (X) now?
Before you read on, see if you can find the answer for yourself.

Among the many Z that solve (5), the largest one is not informative, because the
largest Z simply degrades to S. So smaller solutions Z are preferable. How do multiple
solutions relate at all? Suppose Y, Z are both solutions of (5). That is
    X (Y ) Y    (6)
    X (Z) Z    (7)
Then, by the monotonicity lemma, Lemma 3:
    X (Y Z) [by mon] X (Y ) (Z) [by (6),(7)] Y Z    (8)

Hence, by (8), the intersection Y Z of solutions Y and Z of (5) also is a solution of (5):

Lemma 1 (Intersection closure). Whenever there are two solutions Y, Z of (5), a (possibly) smaller solution of (5) can be obtained by intersection Y Z.
So whenever there are two solutions Z1, Z2 of (5), their intersection Z1 ∩ Z2 solves (5).
When there's yet another solution Z3 of (5), their intersection Z1 ∩ Z2 ∩ Z3 also solves
(5). Similarly for any larger family of solutions. If we keep on intersecting solutions,
we will arrive at smaller solutions until, some fine day, there's not going to be a smaller
one. This yields the smallest solution Z of (5), which can be characterized directly.
Among the many Z that solve (5), the smallest Z that solves (5) is informative and
can be used to define (X):
    (X) = ⋂ {Z S : X (Z) Z}    (9)
The set on the right-hand side of (9) is an intersection of solutions, thus, a solution by
Lemma 1 (or its counterpart for families of solutions). Hence (X) itself satisfies (5):
X ( (X)) (X)

(10)

Also compare this with what we argued earlier in (2). Could it be the case that the
inclusion in (10) is strict, i.e. not equal? No, this cannot happen, because (X) is the
smallest. In detail, by (10), the set Z def= X ( (X)) satisfies Z (X) and, thus,
by Lemma 3:
    X (Z) [by mon] X ( (X)) = Z
Consequently, both inclusions hold, so (X) satisfies
X ( (X)) = (X)

(11)

That is, (X) is even a fixpoint solving the equation
    X (Z) = Z    (12)
and it is the least fixpoint, i.e. the smallest Z solving the equation (12).
The fact that (X) is defined as the least of the fixpoints makes sure that Angel
only wins games by a well-founded number of repetitions. That is, she only wins a
repetition if she ultimately stops repeating, not by postponing termination forever. See
[Pla13] for more details.
It is also worth noting that it would still have been possible to make the iteration of
winning region constructions work out using the seminal fixpoint theorem of Knaster-Tarski. Yet, this requires the iterated winning region constructions to go significantly
transfinite [Pla13], way beyond .

4 Semantics of Hybrid Games


The semantics of differential game logic from Lecture 21 was still pending a definition
of the winning regions () and () for Angel and Demon, respectively, in the hybrid
game . Rather than taking a detour for understanding those by operational game semantics (as in Lecture 20), the winning regions of hybrid games can be defined directly,
giving a denotational semantics to hybrid games.
The only difference compared to the definition in Lecture 21 is the new case of repetition .

Definition 2 (Semantics of hybrid games). The semantics of a hybrid game is a
function () that, for each interpretation I and each set of Angel's winning states
X S, gives the winning region, i.e. the set of states (X) from which Angel has
a winning strategy to achieve X (whatever strategy Demon chooses). It is defined
inductively as follows:^a
1. x:= (X) = { S : x^[[]] X}
2. x = & H (X) = {(0) S : (r) X for some r R0 and (differentiable) : [0, r] S such that () [[H]]I and d(t)(x)/dt () = [[]]() for all 0 r}
3. ?H (X) = [[H]]I X
4. (X) = (X) (X)
5. ; (X) = ( (X))
6. (X) = ⋂ {Z S : X (Z) Z}
7. d (X) = ( (X ))
The winning region of Demon, i.e. the set of states (X) from which Demon has
a winning strategy to achieve X (whatever strategy Angel chooses) is defined inductively as follows:
1. x:= (X) = { S : x^[[]] X}
2. x = & H (X) = {(0) S : (r) X for all r R0 and (differentiable) : [0, r] S such that () [[H]]I and d(t)(x)/dt () = [[]]() for all 0 r}
3. ?H (X) = ([[H]]I ) X
4. (X) = (X) (X)
5. ; (X) = ( (X))
6. (X) = ⋃ {Z S : Z X (Z)}
7. d (X) = ( (X ))

^a The semantics of a hybrid game is not merely a reachability relation between states as for hybrid
systems [Pla12], because the adversarial dynamic interactions and nested choices of the players
have to be taken into account.

This notation uses (X) instead of I (X) and (X) instead of I (X), because the interpretation I that gives a semantics to predicate symbols in tests and evolution domains is
clear from the context. Strategies do not occur explicitly in the dGL semantics, because
it is based on the existence of winning strategies, not on the strategies themselves.

Just as the semantics of dL, the semantics of dGL is compositional, i.e. the semantics of
a compound dGL formula is a simple function of the semantics of its pieces, and the
semantics of a compound hybrid game is a function of the semantics of its pieces. Furthermore, existence of a strategy in hybrid game to achieve X is independent of any
game and dGL formula surrounding , but just depends on the remaining game itself and the goal X. By a simple inductive argument, this shows that one can focus on
memoryless strategies, because the existence of strategies does not depend on the context, hence, by working bottom up, the strategy itself cannot depend on past states and
choices, only the current state, remaining game, and goal. This also follows from a generalization of a classical result by Zermelo. Furthermore, the semantics is monotone,
i.e. larger sets of winning states induce larger winning regions.
Monotonicity is what Lecture 21 looked into for the case of hybrid games without
repetition. But it continues to hold for general hybrid games.
Lemma 3 (Monotonicity [Pla13]). The semantics is monotone, i.e. (X) (Y ) and
(X) (Y ) for all X Y .
Proof. A simple check based on the observation that X only occurs with an even number of
negations in the semantics. For example, (X) = ⋂{Z S : X (Z) Z} ⋂{Z S : Y (Z) Z} = (Y ) if X Y . Likewise, X Y implies
X Y , hence (X ) (Y ), so d (X) = ( (X )) ( (Y )) = d (Y ).
Monotonicity implies that the least fixpoint in (X) and the greatest fixpoint in (X)
are well-defined [HKT00, Lemma 1.7]. The semantics of (X) is a least fixpoint, which
results in a well-founded repetition of , i.e. Angel can repeat any number of times but
she ultimately needs to stop at a state in X in order to win. The semantics of (X) is
a greatest fixpoint, instead, for which Demon needs to achieve a state in X after every
number of repetitions, because Angel could choose to stop at any time, but Demon still
wins if he only postpones X forever, because Angel ultimately has to stop repeating.
Thus, for the formula h i, Demon already has a winning strategy if he only has a
strategy that is not losing by preventing indefinitely, because Angel eventually has to
stop repeating anyhow and will then end up in a state not satisfying , which makes
her lose. The situation for [ ] is dual.

5 Hybrid Game Axioms


An axiomatization for differential game logic has been found in previous work [Pla13],
where we refer to for more details. The study of proof rules for differential game logic
will be deferred to next lecture. But its axioms can be discussed today.

15-424 L ECTURE N OTES

A NDR E P LATZER

L22.12

Winning & Proving Hybrid Games

Note 7 (Differential game logic axioms [Pla13]).


([]) [] hi
(h:=i) hx := i(x) ()
(h i) hx = i t0 hx := y(t)i (y (t) = )

(h?i) h?Hi (H )
(hi) h i hi hi
(h;i) h; i hihi
(h i) hih i h i
(hd i) hd i hi

6 Determinacy
Every particular game play in a hybrid game is won by exactly one player, because
hybrid games are zero-sum and there are no draws. Hybrid games actually satisfy a
much stronger property: determinacy, i.e. that, from any initial situation, either one of
the players always has a winning strategy to force a win, regardless of how the other
player chooses to play.
If, from the same initial state, both Angel and Demon had a winning strategy for opposing winning conditions, then something would be terribly inconsistent. It cannot
happen that Angel has a winning strategy in hybrid game to get to a state where
and, from the same initial state, Demon supposedly also has a winning strategy in the
same hybrid game to get to a state where holds. After all, a winning strategy is
a strategy that makes that player win no matter what strategy the opponent follows.
Hence, for any initial state, at most one player can have a winning strategy for complementary winning conditions. This argues for the validity of  ([] hi), which
can also be proved (Theorem 4).
So it cannot happen that both players have a winning strategy for complementary
winning conditions. But it might still happen that no one has a winning strategy, i.e.
both players can let the other player win, but cannot win strategically themselves (recall, e.g., the filibuster example from Lecture 20, which first appeared as if no player
might have a winning strategy but then turned out to make Demon win). This does not
happen for hybrid games, though, because at least one (hence exactly one) player has a
winning strategy for complementary winning conditions from any initial state.

Theorem 4 (Consistency & determinacy [Pla13]). Hybrid games are consistent and
determined, i.e.  hi [].
Proof. The proof shows by induction on the structure of that (X ) = (X) for all
X S and all I with some set of states S, which implies the validity of hi []
using X def= [[]]I .
1. x:= (X ) = { S : x^[[]] ∉ X} = x:= (X) = x:= (X)
2. x = & H (X ) = {(0) S : (r) ∉ X for some 0 r R and some (differentiable) : [0, r] S such that d(t)(x)/dt () = [[]]() and () [[H]]I for all 0 r} = x = & H (X), because the set of states from which there is no winning strategy for Angel to reach a state in X prior to leaving [[H]]I along x = & H is exactly the set of states from which x = & H always stays in X (until leaving [[H]]I in case that ever happens).
3. ?H (X ) = ([[H]]I X ) = ([[H]]I ) (X ) = ?H (X)
4. (X ) = ( (X ) (X )) = (X ) (X ) = (X) (X) = (X)
5. ; (X ) = ( (X )) = ( (X) ) = ( (X)) = ; (X)
6. (X ) = ⋂{Z S : X (Z) Z} = ⋂{Z S : (X (Z) ) Z} = ⋃{Z S : (X (Z )) Z} = ⋃{Z S : Z X (Z)} = (X).^1
7. d (X ) = ( ((X ) ) ) = (X ) = d (X)

Exercises
Exercise 1. Explain how often you will have to repeat the winning region construction
to show that the following dGL formula is valid:

h(x := x + 1; x = 1d x := x 1) i (0 x < 1)
Exercise 2. Can you find dGL formulas for which the winning region construction takes
even longer to terminate? How far can you push this?
Exercise 3. Carefully identify how determinacy relates to the two possible understandings of the filibuster example discussed in an earlier lecture.
^1 The penultimate equation follows from the -calculus equivalence Z.(Z) Z.(Z) and the
fact that least pre-fixpoints are fixpoints and that greatest post-fixpoints are fixpoints for monotone
functions.

Exercise 4. Prove the elided cases of Lemma 3.


Exercise 5. Find the appropriate soundness notion for the axioms of dGL and prove that
the axioms are sound.
Exercise 6. Write down a valid formula that characterizes an interesting game between
two robots.

References
[HKT00] David Harel, Dexter Kozen, and Jerzy Tiuryn. Dynamic logic. MIT Press, 2000.
[Pla12] Andre Platzer. The complete proof theory of hybrid systems. In LICS, pages 541-550. IEEE, 2012. doi:10.1109/LICS.2012.64.
[Pla13] Andre Platzer. A complete axiomatization of differential game logic for hybrid games. Technical Report CMU-CS-13-100R, School of Computer Science, Carnegie Mellon University, Pittsburgh, PA, January, Revised and extended in July 2013.


15-424: Foundations of Cyber-Physical Systems

Lecture Notes on
Game Proofs & Separations
Andre Platzer
Carnegie Mellon University
Lecture 23

1 Introduction
This lecture continues the study of hybrid games and their logic, differential game logic
[Pla13]. Lecture 20 on Hybrid Systems & Games introduced hybrid games, Lecture 21
on Winning Strategies & Regions studied the winning region semantics, and Lecture
22 on Winning & Proving Hybrid Games identified the winning region semantics for
loops in hybrid games and studied the axioms of hybrid games.
These lecture notes are based on [Pla13], where more information can be found on
logic and hybrid games.

2 Recall: Semantics of Hybrid Games


Recall the semantics of hybrid games and two results from Lecture 22 on Winning &
Proving Hybrid Games.

November 20, 2013

Definition 1 (Semantics of hybrid games). The semantics of a hybrid game is a


function () that, for each interpretation I and each set of Angels winning states
X S, gives the winning region, i.e. the set of states (X) from which Angel has
a winning strategy to achieve X (whatever strategy Demon chooses). It is defined
inductively as followsa
[[]]

1. x:= (X) = { S : x

X}

2. x = & H (X) = {(0) S : (r) X for some r R0 and (differentiable)


() = [[]]() for all 0 r}
: [0, r] S such that () [[H]]I and d (t)(x)
dt
3. ?H (X) = [[H]]I X
4. (X) = (X) (X)
5. ; (X) = ( (X))
T
6. (X) = {Z S : X (Z) Z}
7. d (X) = ( (X ))
The winning region of Demon, i.e. the set of states (X) from which Demon has
a winning strategy to achieve X (whatever strategy Angel chooses) is defined inductively as follows
[[]]

1. x:= (X) = { S : x

X}

2. x = & H (X) = {(0) S : (r) X for all r R0 and (differentiable)


: [0, r] S such that () [[H]]I and d (t)(x)
() = [[]]() for all 0 r}
dt
3. ?H (X) = ([[H]]I ) X
4. (X) = (X) (X)
5. ; (X) = ( (X))
S
6. (X) = {Z S : Z X (Z)}
7. d (X) = ( (X ))
a The semantics of a hybrid game is not merely a reachability relation between states as for hybrid systems [Pla12], because the adversarial dynamic interactions and nested choices of the players have to be taken into account.

Lemma 2 (Monotonicity [Pla13]). The semantics is monotone, i.e. (X) (Y ) and


(X) (Y ) for all X Y .


Theorem 3 (Consistency & determinacy [Pla13]). Hybrid games are consistent and
determined, i.e.  hi [].

3 Hybrid Game Proofs


An axiomatization for differential game logic has been found in previous work [Pla13],
to which we refer for more details.
Note 4 (Differential game logic axiomatization [Pla13]).
([]) [] hi
(h:=i) hx := i(x) ()
(h i) hx = i t0 hx := y(t)i

(y (t) = )

(h?i) h?Hi (H )
(hi) h i hi hi
(h;i) h; i hihi
(h i) hih i h i
(hd i) hd i hi

hi hi
hi
(FP)
h i
[]
(ind)
[ ]
(M)

The proof rules FP and ind are equivalent in the sense that one can be derived from
the other in the dGL calculus [Pla13].
Example 4. The dual filibuster game formula from Lecture 20 proves easily in the dGL


calculus by going back and forth between players [Pla13]:

x = 0 0 = 0 1 = 0
h:=i
x = 0 hx := 0ix = 0 hx := 1ix = 0
hi
x = 0 hx := 0 x := 1ix = 0
hd i
x = 0 hx := 0 x := 1ix = 0
[]
x = 0 [x := 0 x := 1]x = 0
ind
x = 0 [(x := 0 x := 1) ]x = 0
hd i
x = 0 h(x := 0 x := 1) ix = 0
R

4 Soundness
Theorem 5 (Soundness [Pla13]). The dGL proof calculus in Fig. 4 is sound, i.e. all provable formulas are valid.
Proof. The full proof can be found in [Pla13]. We consider only a few cases, to illustrate
how soundness arguments about the (fundamentally more general) semantics of hybrid
games differ from those about hybrid systems. To prove soundness of an equivalence axiom , show
[[]]I = [[]]I for all interpretations I with any set of states S.
hi [[h i]]I = ([[]]I ) = ([[]]I ) ([[]]I ) = [[hi]]I [[hi]]I = [[hihi]]I
h;i [[h; i]]I = ; ([[]]I ) = ( ([[]]I )) = ([[hi]]I ) = [[hihi]]I .
h?i [[h?Hi]]I = ?H ([[]]I ) = [[H]]I [[]]I = [[H ]]I
[] is sound by Theorem 3.
M Assume the premise is valid in interpretation I, i.e. [[]]I [[]]I . Then the
conclusion hi hi is valid in I, i.e. [[hi]]I = ([[]]I ) ([[]]I ) = [[hi]]I
by monotonicity (Lemma 2).

5 Separating Axioms
The axioms of differential game logic in Fig. 4 are sound for hybrid systems as well,
because every hybrid system is a (single player) hybrid game. With a few exceptions,
they look surprisingly close to the axioms for hybrid systems from Lecture 5. In order
to understand the fundamental difference between hybrid systems and hybrid games,
it is instructive to also investigate separating axioms, i.e. axioms of hybrid systems that
are not sound for hybrid games. Some of these are summarized in Fig. 1, referring to
[Pla13] for details.


K []( ) ([] [])


G

[]

1 2
[]1 []2 []

M[]

B hix x hi
I

M hi hi hi( )

(x 6 )

[] []

B x hi hix

(x 6 )

[ ]( []) ( [ ])

FA h i h i( hi)
Figure 1: Separating axioms: The axioms and rules on the left are sound for hybrid
systems but not for hybrid games. The related axioms on the right are sound
for hybrid games.

6 Repetitive Diamonds: Convergence vs. Iteration

More fundamental differences between hybrid systems and hybrid games also exist
in terms of convergence rules, even if these have played a less prominent role in this
course so far. These differences are discussed in detail elsewhere [Pla13]. In a nutshell,
Harel's convergence rule [HMP77] is not a separating axiom, because it is sound for
dGL, just unnecessary, and, furthermore, not even particularly useful for hybrid games
[Pla13]. The hybrid version of Harel's convergence rule [Pla08] for dL reads as follows
(it assumes that v does not occur in ):
(con)

(v + 1) v + 1 > 0 hi(v)
, v (v) h iv0 (v),

The dL proof rule con expresses that the variant (v) holds for some real number v 0
after repeating sufficiently often if (v) holds for some real number at all in the beginning (antecedent) and, by premise, (v) can decrease after some execution of by 1 (or
another positive real constant) if v > 0. This rule can be used to show positive progress
(by 1) with respect to (v) by executing . Just like the induction rule ind is often used
with a separate premiss for the initial and postcondition check (ind from Lecture 7 on
Loops & Invariants), rule con is often used in the following derived form:
(con )

v (v),


v>0 ((v) hi(v 1))


h i,

v0 (v)


The following sequent proof shows how convergence rule con can be used to prove a
simple dL liveness property of a hybrid program:

con

R
x 0 n x < n + 1

x<n+2n+1>0 x1<n+1
h:=i
x < n + 2 n + 1 > 0 hx := x 1ix < n + 1
x 0 h(x := x 1) i0 x < 1
x 0 h(x := x 1) ix < 1
R

n0 x < n + 1 x < 1

Let's compare how dGL proves diamond properties of repetitions based on the iteration axiom ⟨*⟩.
Example 6 (Non-game system). The simple non-game dGL formula
x 0 h(x := x 1) i0 x < 1
is provable, shown in Fig. 2, where h i0 x < 1 is short for h(x := x 1) i(0 x < 1).

x (0 x < 1 p(x 1) p(x)) (x 0 p(x))


h:=i
x (0 x < 1 hx := x 1ip(x) p(x)) (x 0 p(x))
US
x (0 x < 1 hx := x 1ih i0 x < 1 h i0 x < 1) (x 0 h i0 x < 1)
h i,
x (0 x < 1 hx := x 1ih i0 x < 1 h i0 x < 1)
MP
x 0 h i0 x < 1
Figure 2: dGL Angel proof for non-game system Example 6
x 0 h(x := x 1) i0 x < 1
Example 7 (Choice game). The dGL formula
x = 1 a = 1 h(x := a; a := 0 x := 0) ix 6= 1
is provable as shown in Fig. 3, where is short for x := a; a := 0 x := 0 and
h( ) ix 6= 1 short for h(x := a; a := 0 x := 0) ix 6= 1:
Example 8 (2-Nim-type game). The dGL formula
x 0 h(x := x 1 x := x 2) i0 x < 2
is provable as shown in Fig. 4, where is short for x := x 1 x := x 2 and
h( ) i0x<2 short for h(x := x 1 x := x 2) i0 x < 2:
Example 9 (Hybrid game). The dGL formula

h(x := 1; x = 1d x := x 1) i0 x < 1
is provable as shown in Fig. 5, where the notation h( ) i0 x < 1 is short for

h(x := 1; x = 1d x := x 1) i(0 x < 1): The proof steps for the differential equation axiom use that t ↦ x + t
is the solution of the differential equation, so the subsequent use of ⟨:=⟩ substitutes 1
in for x to obtain t ↦ 1 + t. Recall from Lecture 22 that the winning regions for this
formula need more than ω iterations to converge. It is still easily provable.


x (x 6= 1 p(a, 0) p(0, a) p(x, a)) (true p(x, a))


x (x 6= 1 hip(x, a) hip(x, a) p(x, a)) (true p(x, a))
hi,hd i
x (x 6= 1 h ip(x, a) p(x, a)) (true p(x, a))
US
x (x 6= 1 h ih( ) ix 6= 1 h( ) ix 6= 1) (true h( ) ix 6= 1)

h i,,MP
true h( ) ix 6= 1
R
x = 1 a = 1 h( ) ix 6= 1
h;i,h:=i

Figure 3: dGL Angel proof for choice game Example 7


x = 1 a = 1 h(x := a; a := 0 x := 0) ix 6= 1

x (0x<2 p(x 1) p(x 2) p(x)) (true p(x))


h:=i
x (0x<2 hip(x) hip(x) p(x)) (true p(x))
hi,hd i
x (0x<2 h ip(x) p(x)) (true p(x))
US

x (0x<2 h ih( ) i0x<2 h( ) i0x<2) (true h( ) i0x<2)


h i,,MP
true h( ) i0x<2
R
x 0 h( ) i0x<2
Figure 4: dGL Angel proof for 2-Nim-type game Example 8
x 0 h(x := x 1 x := x 2) i0 x < 2

x (0 x < 1 t0 p(1 + t) p(x 1) p(x)) (true p(x))


x (0 x < 1 hx := 1it0 hx := x + tip(x) p(x 1) p(x)) (true p(x))
h i
x (0 x < 1 hx := 1ihx = 1ip(x) p(x 1) p(x)) (true p(x))
d
h;i,h i
x (0 x < 1 hip(x) hip(x) p(x)) (true p(x))
hi
x (0 x < 1 h ip(x) p(x)) (true p(x))
US

x (0x<1 h ih( ) i0 x < 1 h( ) i0 x < 1) (true h( ) i0 x < 1)


h i,,MP
true h( ) i0 x < 1
h:=i

Figure 5: dGL Angel proof for hybrid game Example 9

h(x := 1; x = 1d x := x 1) i0 x < 1
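Added example, not code from the lecture notes or from [Pla13]: the following Python implements the Angel and Demon winning-region functions of Definition 1 for the discrete fragment of hybrid games, restricted to a finite box of integer states with an absorbing sink (both are modelling assumptions of this example, as is the tuple encoding of games). It computes the regions for the 2-Nim-type game of Example 8 and the choice game of Example 7, counts how often the loop construction of case 6 is repeated (the question of Exercise 1 in Lecture 22), and checks the determinacy relation of Theorem 3 on those finite instances.

```python
"""Winning-region semantics of hybrid games (Definition 1) for the discrete fragment:
assignment, test, choice, sequential composition, repetition and dual.

Added example, not code from the lecture notes or from [Pla13].  Modelling assumptions
made here: states are tuples of integers inside the box [LO, HI]; any value leaving the
box is collapsed into one absorbing SINK state that satisfies no test and belongs to no
winning condition, which keeps the state space finite and closed under all updates."""
from itertools import product

SINK = None            # stands for "outside the box"; absorbing under every update
LO, HI = -3, 10

# A game is a tuple: ('assign', f) for x := θ, with f mapping the old state tuple to
# the new one; ('test', h) for ?H; ('choice', a, b) for a ∪ b; ('seq', a, b) for a ; b;
# ('star', a) for a*; ('dual', a) for a^d.

def states(n):
    """All states of n integer variables in the box, plus the sink."""
    return frozenset(product(range(LO, HI + 1), repeat=n)) | {SINK}

def step(f, w):
    """Apply an update; leaving the box lands in the absorbing sink."""
    if w is SINK:
        return SINK
    v = f(*w)
    return v if all(LO <= c <= HI for c in v) else SINK

def holds(h, w):
    return w is not SINK and h(*w)

def fixpoint(op, start):
    """Iterate a monotone operator on regions until it stabilises; returns the fixpoint
    and the number of rounds.  From ∅ this is the least fixpoint (the ⋂ of pre-fixpoints
    in case 6 for Angel), from S the greatest one (the ⋃ of post-fixpoints for Demon);
    finiteness of S guarantees termination here."""
    Z, n = start, 1
    while (nxt := op(Z)) != Z:
        Z, n = nxt, n + 1
    return Z, n

def angel(g, X, S):
    """ς_g(X): states from which Angel can force reaching X, whatever Demon does."""
    op = g[0]
    if op == 'assign':
        return frozenset(w for w in S if step(g[1], w) in X)
    if op == 'test':
        return frozenset(w for w in X if holds(g[1], w))
    if op == 'choice':
        return angel(g[1], X, S) | angel(g[2], X, S)
    if op == 'seq':
        return angel(g[1], angel(g[2], X, S), S)
    if op == 'star':
        return fixpoint(lambda Z: X | angel(g[1], Z, S), frozenset())[0]
    if op == 'dual':
        return S - angel(g[1], S - X, S)
    raise ValueError(op)

def demon(g, X, S):
    """δ_g(X): states from which Demon can force reaching X, whatever Angel does."""
    op = g[0]
    if op == 'assign':
        return frozenset(w for w in S if step(g[1], w) in X)
    if op == 'test':
        return frozenset(w for w in S if not holds(g[1], w)) | X
    if op == 'choice':
        return demon(g[1], X, S) & demon(g[2], X, S)
    if op == 'seq':
        return demon(g[1], demon(g[2], X, S), S)
    if op == 'star':
        return fixpoint(lambda Z: X & demon(g[1], Z, S), S)[0]
    if op == 'dual':
        return S - demon(g[1], S - X, S)
    raise ValueError(op)

def determined(g, X, S):
    """Theorem 3 on a finite instance: ς_g(S∖X) = S∖δ_g(X), i.e. ¬⟨g⟩¬φ ↔ [g]φ."""
    return angel(g, S - X, S) == S - demon(g, X, S)

def star_rounds(g, X, S):
    """How often Z ↦ X ∪ ς_a(Z) is repeated until Angel's region for a* stabilises."""
    return fixpoint(lambda Z: X | angel(g[1], Z, S), frozenset())[1]

# Example 8 (2-Nim-type game): x >= 0 -> <(x := x-1 ∩ x := x-2)*> 0 <= x < 2.
# Demon's choice ∩ is written as the dual of an Angel choice, (a ∪ b)^d.
NIM = ('star', ('dual', ('choice', ('assign', lambda x: (x - 1,)),
                                   ('assign', lambda x: (x - 2,)))))
S1 = states(1)
NIM_GOAL = frozenset(w for w in S1 if holds(lambda x: 0 <= x < 2, w))

# Example 7 (choice game): x = 1 ∧ a = 1 -> <(x := a; a := 0 ∩ x := 0)*> x ≠ 1, state (x, a).
CHOICE = ('star', ('dual', ('choice',
          ('seq', ('assign', lambda x, a: (a, a)), ('assign', lambda x, a: (x, 0))),
          ('assign', lambda x, a: (0, a)))))
S2 = states(2)
CHOICE_GOAL = frozenset(w for w in S2 if holds(lambda x, a: x != 1, w))

if __name__ == "__main__":
    print(sorted(w[0] for w in angel(NIM, NIM_GOAL, S1)))   # every x >= 0 in the box
    print(star_rounds(NIM, NIM_GOAL, S1))                   # grows with the box bound HI
    print((1, 1) in angel(CHOICE, CHOICE_GOAL, S2))         # Angel wins Example 7
    print(determined(NIM, NIM_GOAL, S1), determined(CHOICE, CHOICE_GOAL, S2))
```

Each round of the loop construction adds one more value of x to the Nim region, which is why a larger box needs proportionally more rounds; the sink state never joins any region.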


7 There and Back Again Game


Quite unlike in hybrid systems and (poor test) differential dynamic logic [Pla08, Pla12],
every hybrid game containing a differential equation x = & H with evolution domain constraint H can be replaced equivalently by a hybrid game without evolution
domain constraints (even using poor tests, i.e. each test ?H uses only first-order formulas H). Evolution domains are definable in hybrid games and can, thus, be removed
equivalently.
Lemma 10 (Domain reduction [Pla13, Pla12]). Evolution domains of differential equations are definable as hybrid games: For every hybrid game there is an equivalent hybrid
game that has no evolution domain constraints, i.e. all continuous evolutions are of the
form x = .
Proof. For notational convenience, assume the (vectorial) differential equation x = (x)
to contain a clock x0 = 1 and that t0 and z are fresh variables. Then x = (x) & H(x) is
equivalent to the hybrid game:
t0 := x0 ; x = (x); (z := x; z = (z))d ; ?(z0 t0 H(z))

(1)

Figure 6: There and back again game: Angel evolves x forwards in time along
x = (x), Demon checks evolution domain backwards in time along
z = (z) on a copy z of the state vector x. (Figure labels: t0 := x0; z := x;
Angel plays forward game, reverts flow and time; Demon checks H in backwards
game until initial t0.)

See Fig. 6 for an illustration. Suppose the current player is Angel. The idea behind
game equivalence (1) is that the fresh variable t0 remembers the initial time x0, and
Angel then evolves forward along x = (x) for any amount of time (Angel's choice).
Afterwards, the opponent Demon copies the state x into a fresh variable (vector) z that
he can evolve backwards along (z = (z))d for any amount of time (Demon's choice).
The original player Angel must then pass the challenge ?(z0 t0 H(z)), i.e. Angel
loses immediately if Demon was able to evolve backwards and leave region H(z) while
satisfying z0 t0, which checks that Demon did not evolve backward for longer than
Angel evolved forward. Otherwise, when Angel passes the test, the extra variables t0, z
become irrelevant (they are fresh) and the game continues from the current state x that
Angel chose in the first place (by selecting a duration for the evolution that Demon
could not invalidate).


From now on, Lemma 10 lets us eliminate all evolution domain constraints from hybrid games
equivalently. While evolution domain constraints are fundamental parts of standard
hybrid systems [Hen96, HKPV95, ACHH92, Pla08], they turn out to be mere convenience notation for hybrid games. In that sense, hybrid games are more fundamental
than hybrid systems, because they feature more elementary operators.

Exercises
Exercise 1 (***). The following formula was proved using dGL's hybrid-game-style proof
rules in Fig. 2
x 0 h(x := x 1) i0 x < 1
Try to prove it using the convergence rule con instead.

References
[ACHH92] Rajeev Alur, Costas Courcoubetis, Thomas A. Henzinger, and Pei-Hsin Ho. Hybrid automata: An algorithmic approach to the specification and verification of hybrid systems. In Robert L. Grossman, Anil Nerode, Anders P. Ravn, and Hans Rischel, editors, Hybrid Systems, volume 736 of LNCS, pages 209-229. Springer, 1992.
[Hen96] Thomas A. Henzinger. The theory of hybrid automata. In LICS, pages 278-292, Los Alamitos, 1996. IEEE Computer Society. doi:10.1109/LICS.1996.561342.
[HKPV95] Thomas A. Henzinger, Peter W. Kopke, Anuj Puri, and Pravin Varaiya. What's decidable about hybrid automata? In Frank Thomson Leighton and Allan Borodin, editors, STOC, pages 373-382. ACM, 1995. doi:10.1145/225058.225162.
[HMP77] David Harel, Albert R. Meyer, and Vaughan R. Pratt. Computability and completeness in logics of programs (preliminary report). In STOC, pages 261-268. ACM, 1977.
[Pla08] Andre Platzer. Differential dynamic logic for hybrid systems. J. Autom. Reas., 41(2):143-189, 2008. doi:10.1007/s10817-008-9103-8.
[Pla12] Andre Platzer. The complete proof theory of hybrid systems. In LICS, pages 541-550. IEEE, 2012. doi:10.1109/LICS.2012.64.
[Pla13] Andre Platzer. A complete axiomatization of differential game logic for hybrid games. Technical Report CMU-CS-13-100R, School of Computer Science, Carnegie Mellon University, Pittsburgh, PA, January, Revised and extended in July 2013.


15-424: Foundations of Cyber-Physical Systems

Lecture Notes on
Logical Theory & Completeness
Andre Platzer
Carnegie Mellon University
Lecture 24

1 Introduction
This course has studied a number of logics, first-order logic FOL in Lecture 2, differential dynamic logic dL [Pla08, Pla10a, Pla12c, Pla12b] in Lecture 3 and Lecture 4 and
following, differential temporal dynamic logic dTL [Pla07, Pla10a, Chapter 4] in Lecture 16 and 17, as well as differential game logic dGL [Pla13] since Lecture 22. There are
other logics for cyber-physical systems that have not been included in this course, but
share similar principles for further dynamical aspects. Such logics include quantified
differential dynamic logic QdL for distributed hybrid systems [Pla10b, Pla12a], which
are systems that are simultaneously distributed systems and hybrid systems, as well as
stochastic differential dynamic logic SdL for stochastic hybrid systems [Pla11], which
simultaneously involve stochastic dynamics and hybrid dynamics. Logics play a stellar
role not just in cyber-physical systems, but also in many other contexts. Other important
logics include propositional logic, restrictions of first-order logic to certain theories,
such as first-order logic of real arithmetic [Tar51], and higher-order logic [And02]. But
there are numerous other important and successful logics.
In this lecture, we take a step back and study some common important concepts
in logic. This study will necessarily be hopelessly incomplete for lack of time. But it
should give you a flavor of important principles and concepts in logic that we have
not already run across explicitly in earlier lectures of this course. We will also have the
opportunity to apply these more general concepts to cyber-physical systems and learn
more about them in the next lecture.


2 Soundness
The most important parts of a logic L are the following. The logic L defines what
the syntactically well-formed formulas are. Every well-formed formula carries meaning,
which the semantics of formulas in L defines. The semantics defines a relation  between
sets of formulas and formulas, in which  holds iff is a semantic consequence
of the set of formulas , i.e. is true (usually written |= ) in every interpretation
for which all formulas are true. The most important case for our purposes is
the case = of validity, in which case  holds iff is valid, i.e. true ( |= ) in all
interpretations of L. An interpretation in which is true (i.e. |= ) is also called a
model of .
For the case of first-order logic FOL, Lecture 2 defined both its syntax and semantics. The syntax and semantics of differential dynamic logic dL were defined in
Lecture 3 and Lecture 4.
The syntax of a logic L defines what we can write down that carries meaning. The
semantics of a logic L then defines what the meaning of the syntactic formulas is. The
semantics, in particular, defines which formulas express true facts about the world,
either in a particular interpretation or about the world in general (for valid formulas,
which are true regardless of the interpretation). Yet, the semantics is usually highly
ineffective, so that it cannot be used directly to find out whether a formula is valid. Just
think of formulas in differential dynamic logic that express safety properties of hybrid
systems. It would not get us very far if we were to try to establish the truth of such
a formula by literally computing the semantics (which includes executing the hybrid
system) in every initial state, of which there are uncountably infinitely many.
Instead, logics come with proof calculi that can be used to establish validity of logical
formulas in the logic L. Those proof calculi comprise axioms (Lecture 5) and proof rules
(Lecture 6 and others), which can be combined to prove or derive logical formulas of the
logic L. The proof calculus of the logic L defines a relation between sets of formulas
and formulas, in which holds iff is provable from the set of formulas . That is,
there is a proof of in the proof calculus of L that uses only assumptions from . The
most important case for our purposes is again = , in which case holds iff is
provable in the proof calculus of L, i.e. there is a proof of .
Of course, only some formulas of L are provable, not all of them. The formula p p
should not be provable in any proper logic, because it is inconsistently false and, thus,
cannot possibly be valid.
We could have written down any arbitrary axiom, or we could have accidentally had
a typo in the axioms. So a crucial question we have to ask (and have asked every time
we introduced an axiom in other lectures of this course) is whether the axioms and
proof rules are sound. In a nutshell, a proof calculus is sound if all provable formulas
are valid.


Theorem 1 (Soundness [Pla08, Pla10a, Pla12b]). The proof calculus of differential dynamic logic is sound, i.e. , which means that implies  for all dL formulas .
That is, all provable dL formulas are valid.
The significance of soundness is that, whatever formula we derive by using the dL
proof rules and axioms, we can rest assured that it is valid, i.e. true in all states. In
particular, it does not matter how big and complicated the formula might be, we know
that it is valid as long as we have a proof for it. About the axioms, we can easily
convince ourselves using a soundness proof why they are valid, and then conclude
that all provable formulas are also valid, because they follow from sound axioms by
sound proof rules.
Note 2 (Necessity of soundness). Soundness is a must for otherwise we could not trust
our own proofs.

3 Soundness Challenge for CPS


What good would it do to analyze safety of a CPS using a technique that is as faulty as
the original CPS? If an unsound analysis technique says that a CPS is correct, we are,
fundamentally, not much better off than without any analysis, because all we can conclude is that we did not find problems, not that there are none.1 After all, an unsound
analysis technique could say correct, which might turn out to be a lie because the
correctness statement itself was not valid.
Note 3 (Challenge of soundness). In a domain that is as challenging as cyber-physical
systems and hybrid systems, it is surprisingly easy for analysis techniques to become unsound due to subtle flaws. Necessary conditions for soundness and the numerical decidability frontier have been identified in the literature [PC07, Col07]. The crux of the matter
is that hybrid systems are subject to a numerical analogue of the halting problem of Turing
machines [PC07].
There is a shockingly large number of approaches that, for subtle reasons, are subject to the unsoundness resulting from non-observance of the conditions identified in
[PC07, Col07]. Consequently, such approaches need some of the additional assumptions identified in [PC07, Col07] to have a chance to become sound.

1 Notwithstanding the fact that unsound analysis techniques can still be very useful in practice, especially if they identify problems in system designs, we should exercise great care in concluding anything from unsound techniques that have not found a problem. As Dijkstra aptly phrased it [Dij70]: "Program testing can be used to show the presence of bugs, but never to show their absence!"


4 First-Order Logic
Even though this course primarily studied extensions of first-order logic by dynamic
modalities for hybrid systems instead of pure first-order logic, the sequent proof rules
of propositional logic and quantifiers (instantiation and Skolemization) give a suitable
proof calculus for first-order logic. And this suitability of the proof calculus for first-order logic is a much stronger statement than soundness.
Soundness is the question whether all provable formulas are valid and is a minimal
requirement for proper logics. Completeness studies the converse question whether all
valid formulas are provable.
The first-order logic proof calculus can be shown to be both sound and complete,
which is a result that originates from Gödel's PhD thesis [Göd30], albeit in a different
form.
Theorem 2 (Soundness & completeness of first-order logic). First-order logic is sound,
i.e. , which means that implies  for all first-order formulas (all provable
formulas are valid). First-order logic is complete, i.e.  , which means that  implies for all first-order formulas (all valid formulas are provable). In particular, the
provability relation and the validity relation  coincide for first-order logic: = . The
same holds in the presence of a set of assumptions , i.e. iff  .
This lecture will not set out for a direct proof of this result, because the techniques
used for those proofs are interesting but would lead us too far astray. An indirect justification for what makes first-order logic so special that Theorem 2 can hold will be
discussed later.
The following central result about compactness of first-order logic is of similar importance. Compactness is involved in most proofs of Theorem 2, but also easily follows
from Theorem 2.
Theorem 3 (Compactness of first-order logic). First-order logic is compact, i.e.
 A E  A for some finite E        (1)
Proof. By Theorem 2, = . By completeness, semantic compactness theorem (1) is
equivalent to the syntactic compactness theorem:
A E A for some finite E        (2)
Condition (2) is obvious, because provability implies that there is a proof, which can,
by definition, only use finitely many assumptions E .
Compactness is equivalent to the finiteness property, which, for that reason, is usually simply referred to as compactness:


Corollary 4 (Finiteness). First-order logic satisfies the finiteness property, i.e.
has a model all finite E have a model        (3)

Proof. Compactness (Theorem 3) implies the finiteness property. The key observation
is that has no model iff  false, because if has no model, then false holds in all
models of of which there are none. Conversely, the only chance for false to hold in all
models of is if there are no such models, since false never holds. By Theorem 3,
 false finite E E  false
Hence,
has a model 2 false finite E E 2 false all finite E have a model
It is worth noting that, conversely, the finiteness property implies compactness.
 A {A} has no model
some finite E {A} has no model

by finiteness

E  A for some finite E


The last equivalence uses that we might as well include A in E, because if E has no
model then neither does E {A}.

5 Skolem-Herbrand-Löwenheim Theory
The value of a logical formula is subject to interpretation in the semantics of the logic.
In a certain sense, maybe the most naïve interpretation of first-order logic interprets all
terms as themselves. Such an interpretation I is called a Herbrand model. It stubbornly
interprets a term f(g(a), h(b)) in the logic as itself: [[f(g(a), h(b))]]I = f(g(a), h(b)). And
likewise for all other ground terms.
That may sound like a surprising and stubborn interpretation. But, even more surprisingly, it is not at all an uninsightful one, at least for first-order logic. It is so insightful
that it even deserves a name: Herbrand models. Certainly, it is one of the many permitted interpretations.
Definition 5 (Herbrand Model). An interpretation I is called Herbrand model if it
has the free semantics for ground terms, i.e.:
1. The domain D is the ground terms (i.e. terms without variables) Trm0 () over
2. I(f) : Dn D; (t1, . . . , tn) ↦ f(t1, . . . , tn) for each function symbol f of arity n


Let be a set of closed universal formulas. Trm0 ()() is the set of all ground term
instances of the formulas in , i.e. with (all possible) ground terms in Trm0 () instantiated for the variables of the universal quantifier prefix.
Trm0 ()() = {(t1 , t2 , . . . , tn ) : (x1 x2 . . . xn (x1 , x2 , . . . , xn ))
t1 , . . . , tn Trm0 (), for any n N}
That is, for any n N and for any formula
x1 x2 . . . xn (x1 , x2 , . . . , xn )
in and for any ground terms t1 , . . . , tn Trm0 (), the set Trm0 ()() contains the
following ground instance of :
(t1 , t2 , . . . , tn )
Theorem 6 (Herbrand [Her30]). Let be a (suitable) set of first-order formulas (i.e.
closed universal formulas without equality and with signature having at least one
constant).
has a model has a Herbrand model
ground term instances Trm0 ()() of have a model
Using the Herbrand theorem twice gives:
has a model ground term instances Trm0 ()() of have a Herbrand model
Corollary 7. Validity in first-order logic is semidecidable.
Proof. For suitable first-order formulas F (i.e. F satisfies the assumptions of Theorem 6), semidecidability follows from the following reductions:
F valid   F unsatisfiable
          Trm0 ()(F ) have no model                                   by Theorem 6
          some finite subset of Trm0 ()(F ) has no Herbrand model    by Corollary 4


Thus, it remains to consider the assumptions in Theorem 6 whether first-order formulas
that are not suitable can be turned into formulas that are suitable. First of all, can be
assumed without loss of generality to have at least one constant symbol for, otherwise, a
constant can be added to without changing validity of F . Furthermore, a formula F is
valid iff its universal closure is, where the universal closure of a formula F is obtained
by prefixing F with universal quantifiers x for each variable x that occurs free in
F. Finally, existential quantifiers in a first-order formula F can be removed without
affecting satisfiability by Skolemization, which introduces new function symbols much
like the quantifier proof rules from Lecture 6 did.


Note 10 (Limitations of Herbrand models). Herbrand models are not the cure for everything in first-order logic, because they unwittingly forget about the intimate relationship
of the term 2 + 5 to the term 5 + 2 and, for that matter, to the term 8 1. All those terms
ought to denote the same identical object, but end up denoting different ground terms in
Herbrand models. In particular, a Herbrand model would not mind at all if a unary predicate p would hold of 2 + 5 but not hold for 5 + 2 even though both ought to denote the same
object. Thus, Herbrand models are a little weak in arithmetic, but otherwise incredibly
powerful.
Herbrand's theorem has a second form with a close resemblance to the core arguments of quantifier elimination in first-order logic of real arithmetic from Lecture 18
and Lecture 19.
Theorem 8 (Herbrand's theorem: Herbrand disjunctions [Her30]). For a quantifier-free formula (x) of a free variable x without equality
x (x) valid (t1 ) (tn ) valid for some n N and ground terms t1 , . . . , tn
Proof. The proof follows directly from Theorem 6 and Corollary 4:
x (x) valid
  x (x) unsatisfiable
  x (x) has no model
  Trm0 ()(x (x)) has no model                                           by Theorem 6
  {(t) : t ground term} has no model                                     by definition
  {(t1 ), . . . , (tn )} has no model for some t1 , . . . , tn and some n    by Corollary 4
  (t1 ) (tn ) has no model for some n and some t1 , . . . , tn
  (t1 ) (tn ) valid for some n and some t1 , . . . , tn
Theorem 8 holds for first-order formulas with multiple existential quantifiers. More
general forms of the Herbrand theorem hold for arbitrary first-order formulas that are
not in the specific form assumed above [Her30].
These more general Herbrand theorems won't be necessary for us, because, for validity purposes, first-order formulas can be turned into the form x1 . . . xn (x1 , . . . , xn )
with quantifier-free (x1 , . . . , xn ) by introducing new function symbols for the universal quantifiers using essentially the quantifier proof rules from Lecture 6:2
2 The new function symbols are usually called Skolem functions and the process called Skolemization, because Thoralf Skolem introduced them in the first correct proof of the Skolem-Löwenheim theorem [Sko20]. Strictly speaking, however, Herbrand functions and Herbrandization are the more adequate names, because Jacques Herbrand introduced this dual notion for the first proof of the Herbrand theorem [Her30]. Skolemization and Herbrandization are duals. Skolemization preserves satisfiability while Herbrandization preserves validity.

(r)   (s(X1 , . . , Xn )), 1
      x (x), 

(l)   , (s(X1 , . . , Xn )) 1
      , x (x)

s is a new (Skolem-Herbrand) function and X1 , . . , Xn are all (existential) free logical variables
of x (x).

The crucial point about the quantifier rules r,l is that they preserve validity. By soundness,
if their premiss is valid then so is their conclusion. Yet, in the case of rules r,l the
converse actually holds as well. If their conclusion is valid then so is their premiss.
For rule r, for example, the conclusion says that (x) holds for all values of x in all
interpretations where holds and does not. Consequently, in those interpretations,
(s(X1 , . . , Xn )) holds whatever the interpretation of s is, because s is a fresh function
symbol, which, thus, does not appear in , .
Lemma 9 (Herbrandization). With each first-order logic formula , a formula
x1 . . . xn (x1 , . . . , xn )
with quantifier-free (x1 , . . . , xn ) can be associated effectively that is valid if and only if
is. The formula x1 . . . xn (x1 , . . . , xn ) uses additional function symbols that do not
occur in .
Theorem 8 enables a second, more straightforward proof of the semidecidability of
the validity problem of first-order logic:
Proof of Corollary 7. The semidecision procedure for validity of first-order logic formulas proceeds as follows:
1. Herbrandize to obtain a formula x1 . . . xn (x1 , . . . , xn ) by Lemma 9, which
preserves validity.
2. Enumerate all m N and all ground terms tji (1 j n, 1 i m), over the
new signature.
a) If the propositional formula
(t11 , . . . , tn1 ) (t1m , . . . , tnm )
is valid, then so is x1 . . . xn (x1 , . . . , xn ) and, hence, is valid.
By Theorem 8 and Lemma 9, the procedure terminates for all valid first-order formulas.
The procedure in this proof will always succeed for valid formulas, but it enumerates the ground terms for instantiation rather blindly, which can cause quite a bit of waiting. Nevertheless, refinements of this idea lead to very successful automated theorem proving techniques for first-order logic known as instance-based methods [BT10], which restrict the instantiation to instantiation-on-demand in various ways to make the procedure more goal-directed. There are also many successful automatic theorem proving procedures
for first-order logic that are based on different principles, including tableaux and resolution [Fit96].
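As an added illustration of the semidecision procedure from the proof of Corollary 7 (this is not code from the lecture notes), the following Python snippet enumerates ground terms over an assumed signature with one constant a and one unary function f, and checks Herbrand disjunctions for propositional validity by truth tables. It is specialised to a single existential quantifier; the sample matrix P(x) → P(f(x)) is constructed here and needs two instances, a and f(a), before the disjunction becomes valid.

```python
from itertools import combinations, product

def ground_terms(depth, consts=("a",), funcs=("f",)):
    """All ground terms over the assumed signature {a, f} up to the given nesting depth."""
    terms = set(consts)
    for _ in range(depth):
        terms |= {f"{fn}({t})" for fn in funcs for t in terms}
    return sorted(terms, key=lambda t: (len(t), t))

def atoms(formula):
    """Atom names occurring in a propositional formula given as nested tuples."""
    if formula[0] == "atom":
        return {formula[1]}
    return set().union(*(atoms(sub) for sub in formula[1:]))

def holds(formula, assignment):
    kind = formula[0]
    if kind == "atom":
        return assignment[formula[1]]
    if kind == "not":
        return not holds(formula[1], assignment)
    if kind == "imp":
        return (not holds(formula[1], assignment)) or holds(formula[2], assignment)
    if kind == "or":
        return any(holds(sub, assignment) for sub in formula[1:])
    raise ValueError(f"unknown connective {kind}")

def propositionally_valid(formula):
    """Truth-table check: valid iff true under every assignment to its atoms."""
    names = sorted(atoms(formula))
    return all(holds(formula, dict(zip(names, bits)))
               for bits in product((False, True), repeat=len(names)))

def herbrand_semidecide(matrix, max_depth=3):
    """Step 2 of the procedure for one existential quantifier: search ground terms
    t1, ..., tn (by increasing depth and subset size n) until matrix(t1) v ... v matrix(tn)
    is propositionally valid. max_depth only bounds the search; validity is semidecidable."""
    for depth in range(max_depth + 1):
        terms = ground_terms(depth)
        for n in range(1, len(terms) + 1):
            for chosen in combinations(terms, n):
                if propositionally_valid(("or", *(matrix(t) for t in chosen))):
                    return list(chosen)
    return None

def example_matrix(t):
    """Constructed sample: the matrix P(x) -> P(f(x)) of the formula Ex (P(x) -> P(f(x)))."""
    return ("imp", ("atom", f"P({t})"), ("atom", f"P(f({t}))"))
```

Calling `herbrand_semidecide(example_matrix)` returns `['a', 'f(a)']`, while a non-valid formula such as Ex P(x) exhausts the depth bound and returns `None`.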

6 Back to CPS
First-order logic is beautiful, elegant, expressive, and simple. Unfortunately, however,
it is not expressive enough for hybrid systems [Pla10a, Pla12b, Pla13]. As soon as we
come back to studying hybrid systems, the situation gets more difficult. And that is
not by accident, but, instead, a fundamental property of first-order logic and of hybrid
systems. Per Lindström characterized first-order logic in a way that limits which properties
stronger logics could possess [Lin69]. Hybrid systems themselves are also known
not to be semidecidable.
Given that differential dynamic logic talks about properties of hybrid systems, and
Turing machines are a special case, undecidability is not surprising. We show a very
simple standalone proof of incompleteness by adapting a proof for programs, e.g.,
[Pla10c].
Theorem 10 (Incompactness). Differential dynamic logic is not compact.
Proof. It is easy to see that there is a set of formulas that has no model even though all
finite subsets have a model, consider:
{h(x := x + 1) ix > y} {(x + n > y) : n N}
Hence, differential dynamic logic does not have the finiteness property, which is equivalent to compactness (Corollary 4).
Since soundness and completeness imply compactness (see proof of Theorem 3), incompactness implies incompleteness,³ because dL is sound. An explicit proof is as
follows:
Theorem 11 (Incompleteness [Pla08]). Differential dynamic logic has no effective sound
and complete calculus.
Proof. Suppose there was an effective sound and complete calculus for dL. Consider
a set of formulas that has no model but in which all finite subsets have a model, which
exists by Theorem 10. Then  0 > 1 is valid, thus provable by completeness. But since
the proof is effective, it can only use finitely many assumptions E . Thus E  0 > 1
by soundness. But then the finite set E has no model, which is a contradiction.

³ Strictly speaking, incompleteness only follows for effective calculi. Relative soundness and completeness
can still be proved for dL [Pla08, Pla10a, Pla12b], which gives very insightful characterizations of the
challenges and complexities of hybrid systems.


Having said these negative (but necessary) results about differential dynamic logic
(and, by classical arguments, any other approach for hybrid systems), let's return to the
surprisingly amazing positive properties that differential dynamic logic possesses.
For one thing, the basis of differential dynamic logic is the first-order logic of real
arithmetic, not arbitrary first-order logic. This enables a particularly pleasant form of
Herbrand disjunctions resulting from quantifier elimination in real arithmetic (recall
Lecture 18 and Lecture 19).
Definition 12 (Quantifier elimination). A first-order theory admits quantifier elimination if, with each formula , a quantifier-free formula QE() can be associated
effectively that is equivalent, i.e. QE() is valid (in that theory).
Theorem 13 (Tarski [Tar51]). The first-order logic of real arithmetic admits quantifier
elimination and is, thus, decidable.
Also recall from Lecture 18 and Lecture 19 that the quantifier-free formula QE() is
constructed by substitution or virtual substitution from , with some side constraints
on the parameter relations. The quantifier-elimination instantiations are more useful
than Theorem 8, because the required terms for instantiation can be computed effectively and the equivalence holds whether or not the original formula was valid. This
makes it possible to use the proof calculus of differential dynamic logic to synthesize
constraints on the parameters to make an intended conjecture valid [Pla10a].
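As an added worked instance of Definition 12 (not from the lecture notes), here is quantifier elimination for the existence of a real root of a quadratic with assumed parameters a, b, c; the case split on a ≠ 0 versus a = 0 is exactly the kind of side constraint on the parameter relations mentioned above, and the instantiating terms are computed effectively from the parameters whether or not the original formula is valid.

```latex
\begin{aligned}
\mathrm{QE}\big(\exists x\,(a x^2 + b x + c = 0)\big)
  &\;\equiv\; (a \neq 0 \wedge b^2 - 4ac \geq 0) \;\vee\; \big(a = 0 \wedge (b \neq 0 \vee c = 0)\big) \\[4pt]
\text{witness terms:}\qquad
  x &= \frac{-b \pm \sqrt{b^2 - 4ac}}{2a} \quad (a \neq 0),\qquad
  x = -\frac{c}{b} \quad (a = 0,\; b \neq 0),\qquad
  \text{any } x \quad (a = b = c = 0).
\end{aligned}
```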

Exercises
Exercise 1. The arguments for incompleteness and incompactness of dL hardly depend
on dL, but, rather, only on dL's ability to characterize natural numbers. Incompleteness
and incompactness hold for other logics that characterize natural numbers due to a
famous result of Gödel [Göd31]. Both the discrete and the continuous fragment of dL
can characterize the natural numbers [Pla08].
1. Show that the natural numbers can be characterized in the discrete fragment of
dL, i.e. only using assignments and repetition.
2. Then go on to show that the natural numbers can also be characterized in the
continuous fragment of dL, i.e. using only differential equations.
3. Conclude from this that both the discrete and the continuous fragment of dL are
not compact, nor is any other logic that can characterize the natural numbers.


References
[And02] Peter B. Andrews. An Introduction to Mathematical Logic and Type Theory: To Truth Through Proof. Kluwer, 2nd edition, 2002.
[BT10] Peter Baumgartner and Evgenij Thorstensen. Instance based methods - a brief overview. KI, 24(1):35–42, 2010.
[Col07] Pieter Collins. Optimal semicomputable approximations to reachable and invariant sets. Theory Comput. Syst., 41(1):33–48, 2007. doi:10.1007/s00224-006-1338-3.
[DBL12] Proceedings of the 27th Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2012, Dubrovnik, Croatia, June 25–28, 2012. IEEE, 2012.
[Dij70] Edsger Wybe Dijkstra. Structured programming. In John Buxton and Brian Randell, editors, Software Engineering Techniques. NATO Software Engineering Conference 1969. NATO Scientific Committee, 1970.
[Fit96] Melvin Fitting. First-Order Logic and Automated Theorem Proving. Springer, New York, 2nd edition, 1996.
[Göd30] Kurt Gödel. Die Vollständigkeit der Axiome des logischen Funktionenkalküls. Mon. hefte Math. Phys., 37:349–360, 1930.
[Göd31] Kurt Gödel. Über formal unentscheidbare Sätze der Principia Mathematica und verwandter Systeme I. Mon. hefte Math. Phys., 38:173–198, 1931.
[Her30] Jacques Herbrand. Recherches sur la théorie de la démonstration. Travaux de la Société des Sciences et des Lettres de Varsovie, Class III, Sciences Mathématiques et Physiques, 33:33–160, 1930.
[Lin69] Per Lindström. On extensions of elementary logic. Theoria, 35:1–11, 1969. doi:10.1111/j.1755-2567.1969.tb00356.x.
[PC07] André Platzer and Edmund M. Clarke. The image computation problem in hybrid systems model checking. In Alberto Bemporad, Antonio Bicchi, and Giorgio Buttazzo, editors, HSCC, volume 4416 of LNCS, pages 473–486. Springer, 2007. doi:10.1007/978-3-540-71493-4_37.
[Pla07] André Platzer. A temporal dynamic logic for verifying hybrid system invariants. In Sergei N. Artemov and Anil Nerode, editors, LFCS, volume 4514 of LNCS, pages 457–471. Springer, 2007. doi:10.1007/978-3-540-72734-7_32.
[Pla08] André Platzer. Differential dynamic logic for hybrid systems. J. Autom. Reas., 41(2):143–189, 2008. doi:10.1007/s10817-008-9103-8.
[Pla10a] André Platzer. Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics. Springer, Heidelberg, 2010. doi:10.1007/978-3-642-14509-4.
[Pla10b] André Platzer. Quantified differential dynamic logic for distributed hybrid systems. In Anuj Dawar and Helmut Veith, editors, CSL, volume 6247 of LNCS, pages 469–483. Springer, 2010. doi:10.1007/978-3-642-15205-4_36.
[Pla10c] André Platzer. Theory of dynamic logic. Lecture Notes 15-816 Modal Logic, Carnegie Mellon University, 2010. URL: http://www.cs.cmu.edu/~fp/courses/15816-s10/lectures/25-DLtheo.pdf.
[Pla11] André Platzer. Stochastic differential dynamic logic for stochastic hybrid programs. In Nikolaj Bjørner and Viorica Sofronie-Stokkermans, editors, CADE, volume 6803 of LNCS, pages 431–445. Springer, 2011. doi:10.1007/978-3-642-22438-6_34.
[Pla12a] André Platzer. A complete axiomatization of quantified differential dynamic logic for distributed hybrid systems. Logical Methods in Computer Science, 8(4):1–44, 2012. Special issue for selected papers from CSL'10. doi:10.2168/LMCS-8(4:17)2012.
[Pla12b] André Platzer. The complete proof theory of hybrid systems. In LICS [DBL12], pages 541–550. doi:10.1109/LICS.2012.64.
[Pla12c] André Platzer. Logics of dynamical systems. In LICS [DBL12], pages 13–24. doi:10.1109/LICS.2012.13.
[Pla13] André Platzer. A complete axiomatization of differential game logic for hybrid games. Technical Report CMU-CS-13-100R, School of Computer Science, Carnegie Mellon University, Pittsburgh, PA, January, Revised and extended in July 2013.
[Sko20] Thoralf Skolem. Logisch-kombinatorische Untersuchungen über die Erfüllbarkeit oder Beweisbarkeit mathematischer Sätze nebst einem Theorem über dichte Mengen. Videnskapsselskapet Skrifter, I. Matematisk-naturvidenskabelig Klasse, 6:1–36, 1920.
[Tar51] Alfred Tarski. A Decision Method for Elementary Algebra and Geometry. University of California Press, Berkeley, 2nd edition, 1951.
