On proving that an unsafe controller is not proven safe
Published in | Journal of logical and algebraic methods in programming, Vol. 137, article 100939 |
---|---|
Main Authors | Yuvaraj Selvaraj, Jonas Krook, Wolfgang Ahrendt, Martin Fabian |
Format | Journal Article |
Language | English |
Published | 01.02.2024 |
Subjects | Automated driving; Formal verification; Hybrid systems; Loop invariant; Theorem proving |
Online Access | https://research.chalmers.se/publication/539378 (open access) |
ISSN | 2352-2208, 2352-2216 |
DOI | 10.1016/j.jlamp.2023.100939 |
Abstract | Cyber-physical systems are often safety-critical and their correctness is crucial, such as in the case of automated driving. Using formal mathematical methods is one way to guarantee correctness and improve safety. Although these methods have shown their usefulness, care must be taken because modelling errors might result in proving a faulty controller safe, which is potentially catastrophic in practice. This paper deals with two such modelling errors in differential dynamic logic, a formal specification and verification language for hybrid systems, which are mathematical models of cyber-physical systems. The main contributions are to provide conditions under which these two modelling errors cannot cause a faulty controller to be proven safe, and to show how these conditions can be proven with help of the interactive theorem prover KeYmaera X. The problems are illustrated with a real world example of a safety controller for automated driving, and it is shown that the formulated conditions have the intended effect both for a faulty and a correct controller. It is also shown how the formulated conditions aid in finding a loop invariant candidate to prove properties of hybrid systems with feedback loops. Furthermore, the relation between such a loop invariant and the characterisation of the maximal control invariant set is discussed. |
---|---|
ORCID | Yuvaraj Selvaraj: 0000-0003-2184-3069; Jonas Krook: 0000-0002-9810-4697; Wolfgang Ahrendt: 0000-0002-5671-2555; Martin Fabian: 0000-0003-1287-9748 |