CN102722593A - Cyber physical system (CPS) attribute verification method based on differential algebra timing sequence dynamic logic (DATL) - Google Patents

Publication number: CN102722593A (application CN2011103323078A; granted version CN102722593B)
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Granted; Expired - Fee Related
Inventors: 李必信, 翟小祥, 李加凯, 朱敏, 陈乔乔
Assignee (original and current): Southeast University
Priority application: CN201110332307.8A
Prior art keywords: constraint, DATL, CPS, formula, attribute

Abstract

The invention discloses a cyber physical system (CPS) attribute verification method based on differential algebra timing sequence (temporal) dynamic logic (DATL). The method performs system modeling, attribute specification and attribute verification on a CPS. Its key steps are: (1) after a detailed analysis of the CPS, model it with a differential algebra program to obtain the operation model of the system; (2) specify the attribute to be verified in DATL to obtain a DATL formula, taking the temporal behaviour of the CPS into account during specification; (3) verify the resulting DATL formula with the sequent calculus of DATL, in which the DATL rules are applied repeatedly until the DATL formula is established, i.e. the CPS attribute is shown to hold.

Description

A CPS attribute verification method based on differential algebra temporal dynamic logic
Technical field
The invention is a cyber-physical system (CPS) attribute verification method based on differential algebra temporal dynamic logic (DATL). It is mainly used to model a CPS and to specify and verify CPS attributes.
Background
A CPS is a system that integrates computation with physical processes. The system monitors and controls the physical process through embedded computers and networks, with feedback loops in which the physical process affects the computation and the computation affects the physical process. Researchers at home and abroad have proposed methods for verifying CPS attributes; these fall into two classes, model checking and theorem proving. Because a CPS does not admit an equivalent finite-state abstraction, and because of the limitations of numerical approximation, model checking is better suited to falsifying than to verifying CPS attributes. Most theorem-proving methods also have many problems. The modal μ-calculus, for example, can obtain only limited information about a particular system: as in propositional dynamic logic, it describes system behaviour explicitly with abstract actions a, b, c whose effects are unknown. Because the effects of the actions are unknown, this approach cannot represent typical CPS such as the dynamics of a train control system or an aircraft collision-avoidance system.
Differential temporal dynamic logic (dTL) is an effective method for specifying and verifying CPS attributes. It models the CPS with hybrid programs, specifies CPS attributes as dTL formulas, and then verifies them with the dTL calculus. dTL takes the temporal behaviour of the CPS into account when specifying and verifying attributes, i.e. it considers the hybrid traces of the system and not only its final states. Hybrid programs, the operation model of dTL, combine the discrete and continuous transitions of the system into structured control programs using the operators of Kleene-algebra-style regular expressions. The differential equations in a hybrid program must be solvable, which limits the expressive power of hybrid programs to polynomial arithmetic; but the differential equations used to model the continuous dynamics of a CPS are almost all non-trivial, so hybrid programs are not suited to modeling a CPS. The range of CPS that dTL can handle is therefore confined to those whose differential equations have polynomial solutions.
Summary of the invention
The invention uses differential algebra programs as the operation model and extends dTL to DATL. Differential algebra programs make full use of differential invariants to avoid solving non-trivial differential equations, so DATL can specify and verify more complex CPS attributes.
Technical problem: the purpose of the invention is to provide a DATL-based CPS attribute verification method with which complex CPS attributes can be verified, i.e. it can be strictly proved in theory whether a given attribute of a CPS holds. Compared with differential temporal dynamic logic (dTL), the invention handles more complex CPS attribute verification problems: dTL requires every differential equation in its operation model to be polynomially solvable, whereas DATL uses differential invariants to sidestep solving the differential equations, so that DATL can prove the correctness of an attribute formula without solving them.
Technical solution: the invention proposes a DATL-based CPS attribute verification method, mainly used for system modeling, attribute specification and attribute verification of a CPS.
The concrete steps of the DATL-based CPS attribute verification method proposed by the invention are as follows:
Step 1). Analyse the CPS to be verified and model it with a differential algebra program, obtaining the operation model α of the system.
Step 2). Analyse the attribute to be verified and specify it in DATL as a DATL formula of the form ψ → [α]□φ, where ψ is the precondition; [α] is the modality of the operation model α, expressing "for the final states of all execution traces of α"; □ is the temporal operator, expressing "at any time, in any state", so that [α]□ expresses "for all intermediate states of all execution traces of α"; and φ is the constraint that must be satisfied. The whole formula ψ → [α]□φ states that if ψ holds initially, then the constraint φ holds in every intermediate state on every execution trace of α.
Step 3). Using the sequent calculus of DATL together with the calculus rules of DATL, reason about the DATL formula ψ → [α]□φ obtained in step 2) and verify it. The reasoning applies one rule to derive a formula, then applies another rule to derive the next formula, and so on.
Step 4). If the reasoning in step 3) finally derives the axiom ax or ends with *, the reasoning terminates, the attribute to be verified is satisfied, and verification succeeds.
Step 5). If the reasoning in step 3) cannot finally derive the axiom ax or end with *, the method cannot conclude whether the attribute holds.
Step 6). End of verification.
Beneficial effects: verifying the safety of a concrete CPS instance, an aircraft collision-avoidance system, shows that the invention can verify CPS attributes that dTL cannot verify; and compared with methods other than dTL, DATL also takes the temporal behaviour of the CPS into account and verifies temporal attributes of the CPS.
Description of drawings
Fig. 1 is the general flow chart of verifying a CPS with differential algebra temporal dynamic logic.
Fig. 2 is the diagram of the train control system used in the step 1) example of the embodiment.
Fig. 3 is a schematic of all the inference rules of DATL, among which the rules [J], <J>◇, [D] and <D>◇ are the core of the invention.
Figure a is a schematic of the aircraft collision-avoidance system.
Figure b is a schematic of sequent calculus process 1.
Figure c is a schematic of sequent calculus process 2.
Figure d is a schematic of sequent calculus process 3.
Embodiment
The invention is further explained below with reference to the drawings and an embodiment:
Step 1). Analyse the CPS to be verified and model it with a differential algebra program, obtaining the operation model α of the system. The differential algebra program is defined as follows:
A differential algebra program (DAP) is the smallest set defined recursively by:
1) if J is a DJ constraint, then J is a DAP;
2) if D is a DA constraint, then D is a DAP;
3) if α, β ∈ DAP, then (α ∪ β) ∈ DAP;
4) if α, β ∈ DAP, then (α; β) ∈ DAP;
5) if α ∈ DAP, then (α*) ∈ DAP.
A DJ constraint is the smallest set defined recursively by:
1) an atomic formula of DJ constraints is a DJ constraint;
2) if A is a DJ constraint, then [formula BSA00000600517300031 not reproduced] is also a DJ constraint;
3) if A and B are DJ constraints, then (A ∧ B), (A ∨ B), (A → B) and [formula BSA00000600517300032 not reproduced] are also DJ constraints;
4) if A is a DJ constraint, then [formula BSA00000600517300033 not reproduced] is also a DJ constraint;
5) only the symbol strings formed by finitely many applications of 1)-4) are DJ constraints;
6) an assignment statement x:=θ in a DJ constraint must not appear within the scope of [formula BSA00000600517300041 not reproduced].
The atomic formulas of DJ constraints are the set defined by:
1) an assignment statement x:=θ is an atomic formula of DJ constraints, where x = (x₁, x₂, ..., xₙ), x₁, x₂, ..., xₙ are individual variable symbols, θ = (θ₁, θ₂, ..., θₙ), and θ₁, θ₂, ..., θₙ are terms of DJ constraints;
2) if R(x₁, x₂, ..., xₙ) is an n-ary predicate symbol of DJ constraints and t₁, t₂, ..., tₙ are n terms of DJ constraints, then R(t₁, t₂, ..., tₙ) is an atomic formula of DJ constraints.
The terms of DJ constraints are the smallest set defined recursively by:
1) individual constant symbols and individual variable symbols are terms of DJ constraints;
2) if the n-ary function symbol (not reproduced) is applied to n terms t₁, t₂, ..., tₙ of DJ constraints, then [formula BSA00000600517300043 not reproduced] is a term of DJ constraints;
3) all terms of DJ constraints are obtained by finitely many applications of 1) and 2).
Definition of DA constraint:
A DA constraint is a first-order logic formula over ∑ ∪ ∑′, where ∑ is the set of state variables, functions and predicate relations, ∑′ is the set of derivatives x′ of the state variables x in ∑, and a symbol x′ in ∑′ must not appear within the scope of [formula BSA00000600517300044 not reproduced]. A state variable x in a DA constraint may change if and only if x′ appears in the DA constraint.
Suppose a CPS, a train control system, whose purpose is that no two trains ever collide. Its strategy is as follows: the system contains many distributed radio block centres (RBCs); each RBC is responsible for interacting with the trains in its area and assigns each train in the area a movement authority (MA), i.e. a distance that is safe to travel. Every train must obey its MA at all times, i.e. it must always remain within the safe travel distance. Initially a train is in the free-travel ("far") phase; when it reaches a certain point ST it requests a new MA from the RBC. If the RBC grants the request, the train enters the next MA phase; if the RBC refuses it, the train starts braking at the latest at the point SB ahead. Let the distance travelled by the train be z, the MA distance of the train m, and the distance from point SB to the end of the MA s. Modelling the system with a differential algebra program gives the operation model α:
α ≡ (ctrl; drive)*, where ctrl ≡ (?m−z ≤ s; a := −b) ∪ (?m−z ≥ s; a := A) and drive ≡ τ := 0; (z′ = v, v′ = a, τ′ = 1 & v ≥ 0 ∧ τ ≤ ε).
The model means: first execute ctrl, then drive, then ctrl again, then drive, and so on in a loop. ctrl means: if m−z ≤ s, set the acceleration a to −b, so the train decelerates with acceleration −b; if m−z ≥ s, set a to A, so the train accelerates with acceleration A. drive means: first reset the clock τ to 0, then let the train evolve according to the differential equation z′ = v, v′ = a, τ′ = 1 within the evolution domain v ≥ 0 ∧ τ ≤ ε; ε means that the train runs for at most ε time units in this phase.
Step 2). Specify the CPS attribute to be verified in DATL, obtaining a DATL formula. A DATL formula has the form ψ → [α]□φ, where ψ is the precondition; [α] is the modality of the operation model α, expressing "for the final states of all execution traces of α"; □ is the temporal operator, expressing "at any time, in any state", so that [α]□ expresses "for all intermediate states of all execution traces of α"; and φ is the constraint that must be satisfied. The whole formula ψ → [α]□φ states that if ψ holds initially, then the constraint φ holds in every intermediate state on every execution trace of α.
In the step 1) example the train control system was analysed and modelled, obtaining the operation model α. On this basis, to verify the safety of the train control system, i.e. that no two trains collide, analysis of the system shows that if every train always satisfies "at any time it may only travel within its movement authority MA", then no two trains can collide. Therefore the safety specification of the train control system to be verified with DATL is:
ψ → [α]□ z ≤ m
i.e. ψ → [(ctrl; drive)*]□ z ≤ m
Step 3). Using the sequent calculus of DATL together with the calculus rules of DATL, reason about the DATL formula ψ → [α]□φ obtained in step 2) and verify it. The reasoning applies one rule to derive a formula, then applies another rule to derive the next formula, and so on, until finally the axiom ax is derived; the reverse of the whole reasoning process is then the proof of the formula. All the inference rules of DATL are shown in Fig. 3.
On the basis of the inference rules, DATL has the following conclusions:
1. If a rule has the form
[formula BSA00000600517300051 not reproduced]
then the following inference rule also holds:
[formula BSA00000600517300052 not reproduced]
where Γ and Δ are arbitrary formulas and J is a discrete jump set.
2. If a rule has the form
[formula BSA00000600517300061 not reproduced]
then the following inference rule also holds:
[formula BSA00000600517300062 not reproduced]
where Γ and Δ are arbitrary formulas and J is a discrete jump set.
The example in step 2) gave the DATL formula of the safety attribute of the train control system; to verify that attribute it suffices to verify the DATL formula obtained by the specification. The verification is as follows:
To verify ψ → [(ctrl; drive)*]□ z ≤ m, it suffices to verify 1. ψ → φ, 2. φ → [(ctrl; drive)*]□φ, 3. φ → z ≤ m, where φ is an invariant, i.e. a formula that holds throughout the operation of the system.
Let the invariant be φ ≡ v² ≤ 2b(m−z) ∧ b > 0 ∧ A ≥ 0 and let the initial condition be ψ ≡ φ ≡ v² ≤ 2b(m−z) ∧ b > 0 ∧ A ≥ 0; then 1. holds. Because v² ≥ 0, v² ≤ 2b(m−z) ∧ b > 0 ∧ A ≥ 0 → z ≤ m also holds, so 3. holds. 2. is verified below with the sequent calculus of DATL, as follows:
[figure BSA00000600517300064 not reproduced] Sequent calculus process 1
[figure BSA00000600517300071 not reproduced] Sequent calculus process 2
[figure BSA00000600517300072 not reproduced] Sequent calculus process 3
Sequent calculus processes 1, 2 and 3 above are the detailed process of verifying that φ ⊢ [(ctrl; drive)*]□φ holds. Process 1 is the main process, and processes 2 and 3 are continuations of process 1. The calculus starts with process 1. The first step applies rule ind and obtains
[formula BSA00000600517300073 not reproduced]
where α denotes the operation model (ctrl; drive) and
[formula BSA00000600517300074 not reproduced]
denotes any variable in the operation model (ctrl; drive). The second step applies a rule (name not reproduced) and obtains φ → [ctrl; drive]□φ; the third step applies rule →r and obtains φ ⊢ [ctrl; drive]□φ; the fourth step applies rule [;] and obtains φ ⊢ [ctrl][drive]□φ; the fifth step applies rule [D] (result as shown in process 1); the sixth step applies the two rules [∪] and ∧r and obtains two branches, φ ⊢ <a := −b>[drive]□φ and φ ⊢ [?m−z ≥ s; a := A][drive]□φ. The calculus of the left branch, carried out in process 2, finally ends with *. The right branch applies rules [?] and →r and obtains φ, m−z ≥ s ⊢ <a := A>[drive]□φ, whose calculus is carried out in process 3. Processes 2 and 3 proceed like process 1: each rule application yields a formula, the next rule application yields another, and so on, until the end is marked *, meaning that the formula obviously holds. What process 3 finally obtains (formula not reproduced) is the constraint produced by the sequent calculus: as long as it holds, the conclusion φ, m−z ≥ s ⊢ <a := A>[drive]□φ of process 3 holds, and then the conclusion φ ⊢ [(ctrl; drive)*]□φ of process 1 holds. So far, φ ⊢ [(ctrl; drive)*]□φ has been proved and the precondition under which it holds has been derived (formula not reproduced). Summing up processes 1, 2 and 3: as long as
[formula BSA00000600517300084 not reproduced]
holds, φ ⊢ [(ctrl; drive)*]□φ holds; combining 1., 2. and 3., the formula ψ → [(ctrl; drive)*]□ z ≤ m holds, where
[formula BSA00000600517300085 not reproduced].
So the safety of the train control system is verified, i.e. no two trains collide at any time.
Step 4). If the reasoning in step 3) finally derives the axiom ax or ends with *, the reasoning terminates, the attribute to be verified is satisfied, and verification succeeds.
Step 5). If the reasoning in step 3) cannot finally derive the axiom ax or end with *, the method cannot conclude whether the attribute holds.
Step 6). End of verification.
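The train example above reduces the loop to the inductive obligation φ → [ctrl; drive]□φ, and the □ modality requires φ at every intermediate state of drive, not only at its end. The following Python program is an added example, not the patent's calculus: it enumerates φ-states on a constructed grid, runs both ctrl branches and the closed-form solution of drive, and checks φ at sampled intermediate times. A counterexample for a small s shows why the sequent calculus has to produce a side constraint, while an empty search over a finite grid is evidence only, never the proof that the calculus gives.

```python
# Bounded numerical check of the inductive obligation phi -> [ctrl; drive]box phi
# for the train-control DAP in the text. Added example; it is not the patent's
# sequent calculus, and an empty search over a finite grid is evidence, not a proof.

EPS = 1e-9  # tolerance for floating-point comparisons


def phi(z, v, m, b, A):
    """Invariant phi ≡ v^2 <= 2b(m - z) ∧ b > 0 ∧ A >= 0 from the text."""
    return v * v <= 2 * b * (m - z) + EPS and b > 0 and A >= 0


def ctrl(z, v, m, s, b, A):
    """ctrl ≡ (?m-z<=s; a:=-b) ∪ (?m-z>=s; a:=A): accelerations of all enabled
    branches (both when m-z == s, since ∪ is nondeterministic choice)."""
    succ = []
    if m - z <= s:
        succ.append(-b)
    if m - z >= s:
        succ.append(A)
    return succ


def drive_states(z, v, a, eps, samples):
    """Sampled intermediate states of drive ≡ tau:=0; (z'=v, v'=a, tau'=1 & v>=0 ∧ tau<=eps).
    With constant a the ODE has the closed form z(t)=z+vt+at^2/2, v(t)=v+at.
    The evolution domain lets the program stop at any t in [0, t_max], where
    t_max is eps unless braking would drive v below 0 earlier."""
    t_max = eps
    if a < 0 and v + a * eps < 0:
        t_max = v / (-a)
    for i in range(samples + 1):
        t = t_max * i / samples
        yield t, z + v * t + a * t * t / 2, v + a * t


def check_inductive_step(b, A, s, eps, grid, samples=50):
    """Look for a phi-state in `grid` from which some ctrl branch followed by drive
    reaches an intermediate state violating phi. This is what the box modality
    demands: phi must hold at every time during drive, not only at its end.
    Returns None if no counterexample is found on the grid, else a dict."""
    for z, v, m in grid:
        if v < 0 or not phi(z, v, m, b, A):
            continue  # only states satisfying the precondition phi matter
        for a in ctrl(z, v, m, s, b, A):
            for t, z1, v1 in drive_states(z, v, a, eps, samples):
                if not phi(z1, v1, m, b, A):
                    return {"start": (z, v, m), "a": a, "t": t, "state": (z1, v1)}
    return None


def phi_implies_safety(grid, b, A):
    """Obligation 3 of the text, phi -> z <= m, checked on the same grid."""
    return all(z <= m + EPS for z, v, m in grid if phi(z, v, m, b, A))


def make_grid(z_max, v_max, m, n):
    """Constructed sample states: z in [0, z_max], v in [0, v_max], fixed MA end m."""
    return [(z_max * i / n, v_max * j / n, m) for i in range(n + 1) for j in range(n + 1)]


if __name__ == "__main__":
    # Constructed parameters: b = A = 1, eps = 1, MA ends at m = 100.
    grid = make_grid(100.0, 5.0, 100.0, 10)
    print(check_inductive_step(1.0, 1.0, 40.0, 1.0, grid))  # None: no violation found
    print(check_inductive_step(1.0, 1.0, 5.0, 1.0, grid))   # accelerate branch breaks phi
```

The braking branch keeps v² − 2b(m−z) exactly constant, so every counterexample comes from the accelerate branch with m−z close to s; that is the quantity the side constraint from process 3 has to bound.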
To demonstrate the capability of the CPS attribute verification method based on differential algebra temporal dynamic logic, the invention chose an aircraft collision-avoidance system, which is more complex than the train control system, and verified its safety with differential algebra temporal dynamic logic DATL. The detailed steps are as follows:
Step 1). Analyse the aircraft collision-avoidance system in detail, as follows:
Several aircraft are in the air; their flight dynamics can be expressed by a set of differential equations. (*) expresses the flight dynamics of any two aircraft x and y, where (x₁, x₂, x₃) and (y₁, y₂, y₃) are the three-dimensional coordinates of aircraft x and y; (d₁, d₂, d₃) and (e₁, e₂, e₃) are the velocities of x and y along the x, y and z axes; ω and
[symbol BSA00000600517300091 not reproduced]
are the angular velocities of x and y in the horizontal plane; a and b are the vertical accelerations of x and y.
[equation (*), figure BSA00000600517300092 not reproduced]
If at some moment the distance between aircraft x and aircraft y is less than a certain value p, x and y are considered to be in danger of colliding. At that moment x and y must adopt a strategy to avoid the collision. As shown in figure a, given the coordinates (x₁, x₂, x₃) of aircraft x, there is a unique plane α through that point parallel to the ground; likewise, through the point (y₁, y₂, y₃) there is a unique plane β parallel to the ground. Projecting aircraft y onto plane α (ignoring the size of the aircraft) gives a point y′; then there is a circle circle1 in plane α with centre c, whose three-dimensional coordinates are (c₁, c₂, x₃), such that both x and y′ lie on the circle, as shown in Fig. 1. Likewise there is a circle circle2 in plane β with centre c′, whose coordinates are (c₁, c₂, y₃), with y on the circle. The collision-avoidance system can then be described as follows: when the distance between x and y is less than p, x and y change their headings, within planes α and β respectively, to the tangential directions of circle1 and circle2, and then fly for a period according to the differential equation (#) (note: since x and y stay in planes α and β throughout the avoidance manoeuvre, their heights are constant, so (#) omits the differential equations describing height). The avoidance manoeuvre then ends and the aircraft return to free flight. If a danger of collision arises again after some time, the same avoidance strategy is applied.
[equation (#), figure BSA00000600517300093 not reproduced]
The whole flight process is modelled here with a differential algebra program; the model is trm*, where * means repeating trm, and trm is given concretely in (~). trm comprises 3 stages: the free-flight stage (denoted free); the heading-change stage (assumed to complete instantaneously, ignoring delay; denoted tang); and the restricted-flight stage (relative to free flight, the aircraft must follow the dynamics F(ω,0,0) ∧ G(ω,0,0)). Here φ means that the distance between aircraft x and aircraft y is greater than or equal to p; d := ω(x−c) (with a symbol not reproduced) is shorthand for d₁ := −ω(x₂−c₂), d₂ := ω(x₁−c₁), and e := ω(y−c) (with a symbol not reproduced) is shorthand for e₁ := −ω(y₂−c₂), e₂ := ω(y₁−c₁).
[program (~), figure BSA00000600517300101 not reproduced]
Step 2). The operation model of the aircraft collision-avoidance system obtained in step 1) is trm*. Specifying the safety of the system in DATL gives the DATL formula ψ ≡ φ → [trm*]□φ.
Step 3). The safety of the aircraft collision-avoidance system is the validity of its collision-avoidance strategy; to verify the safety of the system is to verify the validity of the strategy. The safety attribute specified in step 2) is the DATL formula ψ ≡ φ → [trm*]□φ, which says that if φ holds then [trm*]□φ also holds; [trm*]□φ says that φ holds in all states on any execution path of the differential algebra program trm*. That is, ψ says that if the distance between the two aircraft is greater than or equal to p, then at any moment during the execution of trm* the distance between them is still greater than or equal to p. In other words, if in the initial state the distance between the two aircraft is at least p, then after a period of free flight, if the distance equals p the avoidance strategy is executed, followed by free flight again, and throughout the whole process the distance between the two aircraft satisfies the constraint of being at least p.
The formula ψ is proved below with the sequent calculus of DATL:
First, the rules that the calculus will use are listed, as follows:
[rule figures BSA00000600517300102 to BSA00000600517300113 not reproduced]
As shown in figure b, formula ψ is first written in the form φ → [trm*]□φ suitable for the sequent calculus; rule →r then gives φ ⊢ [trm*]□φ, and likewise rules [*] and [;] give φ ⊢ [trm*][free][tang][F(ω,0,0) ∧ G(ω,0,0)]□φ. Because F(ω,0,0) ∧ G(ω,0,0) is a DA constraint, rule [D] is applied to it (result as shown in figure b). Similarly, rules [;], []gen, [DR′] and
[rule BSA00000600517300114 not reproduced]
are applied in turn to obtain φ ⊢ [trm*](true), which obviously holds, so the left branch of the calculus in figure b ends, marked *. The right branch of the calculus in figure b, φ ⊢ [tang; F(ω,0,0) ∧ G(ω,0,0)]φ, applies rule []gen and yields two branches: φ ⊢ [tang](φ ∧ T) and φ ∧ T ⊢ [F(ω,0,0) ∧ G(ω,0,0)]φ, where T is the differential invariant, obtained with the fixed-point algorithm of DATL (the value found is given below).
Figures c and d are continuations of calculus process 1, namely its right branch. The calculus in figure c is similar to figure b: rules [;],
[rule BSA00000600517300115 not reproduced]
[:=], ∧r and ax are applied in turn, and it finally ends with *.
The left branch of figure d applies rule DI and obtains
[formula BSA00000600517300116 not reproduced]
where α ≡ F(ω,0,0) ∧ G(ω,0,0),
[formula BSA00000600517300117 not reproduced]
denotes
[formula BSA00000600517300118 not reproduced]
and T′|_{F(ω,0,0)∧G(ω,0,0)} is shorthand for
[formula BSA00000600517300119 not reproduced]
meaning that in T′ the symbols x₁′, x₂′, d₁′, d₂′, y₁′, y₂′, e₁′, e₂′ are replaced by d₁, d₂, −ωd₂, ωd₁, e₁, e₂, −ωe₂, ωe₁ respectively.
T′ ≡ (d₁−e₁)′ = −ω(x₂−y₂)′ ∧ (d₂−e₂)′ = ω(x₁−y₁)′
   ≡ d₁′−e₁′ = −ω(x₂′−y₂′) ∧ d₂′−e₂′ = ω(x₁′−y₁′),
T′|_{F(ω,0,0)∧G(ω,0,0)} ≡ −ωd₂+ωe₂ = −ω(d₂−e₂) ∧ ωd₁−ωe₁ = ω(d₁−e₁) ≡ true.
Likewise,
φ′|_{F(ω,0,0)∧G(ω,0,0)} ≡ (2(x₁−y₁)(x₁−y₁)′ + 2(x₂−y₂)(x₂−y₂)′ + 2(x₃−y₃)(x₃−y₃)′ ≥ 0)|_{F(ω,0,0)∧G(ω,0,0)}
   ≡ (2(x₁−y₁)(x₁′−y₁′) + 2(x₂−y₂)(x₂′−y₂′) + 2(x₃−y₃)(x₃′−y₃′) ≥ 0)|_{F(ω,0,0)∧G(ω,0,0)}
   ≡ 2(x₁−y₁)(d₁−e₁) + 2(x₂−y₂)(d₂−e₂) + 2(x₃−y₃)(0−0) ≥ 0
   ≡ 2(x₁−y₁)(d₁−e₁) + 2(x₂−y₂)(d₂−e₂) ≥ 0
Because T ≡ d−e = ω(x−y) (in the shorthand above) ≡ d₁−e₁ = −ω(x₂−y₂) ∧ d₂−e₂ = ω(x₁−y₁),
it follows that
φ′|_{F(ω,0,0)∧G(ω,0,0)} ≡ 2(x₁−y₁)(−ω(x₂−y₂)) + 2(x₂−y₂)ω(x₁−y₁) = 0 ≥ 0
   ≡ true
So both branches of the calculus in figure d end with *.
In summary, the calculus above verifies the correctness of the formula ψ ≡ φ → [trm*]□φ, i.e. it verifies the safety of the aircraft collision-avoidance system.
Step 4). Because the sequent calculus in step 3) finally ends with the axiom ax or with *, the safety attribute of the aircraft collision-avoidance system is verified and the whole verification process ends.
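The differential-invariant step above (rule DI) never solves the ODE: it differentiates T and φ, substitutes the right-hand sides x₁′ = d₁, d₁′ = −ωd₂, and so on, and checks that the result is trivially true. The Python program below is an added example, not the patent's tool; it re-does exactly that computation with a small exact polynomial arithmetic (no computer-algebra library needed), and additionally shows that φ′ is not identically zero until T is used, which is why the calculus carries T alongside φ.

```python
# Differential-invariant check for the stage F(w,0,0) ∧ G(w,0,0) of the
# collision-avoidance model, reproducing the T' and phi' derivation in the text.
# Added example, not the patent's own tool. Polynomials are dicts
# {monomial: Fraction}; a monomial is a sorted tuple of (variable, exponent)
# pairs, () being the constant monomial.
from collections import defaultdict
from fractions import Fraction


def var(name):
    return {((name, 1),): Fraction(1)}


def add(p, q):
    r = defaultdict(Fraction)
    for mono, c in list(p.items()) + list(q.items()):
        r[mono] += c
    return {m: c for m, c in r.items() if c != 0}


def scale(p, c):
    return {m: Fraction(c) * k for m, k in p.items()}


def sub(p, q):
    return add(p, scale(q, -1))


def mul(p, q):
    r = defaultdict(Fraction)
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            exps = defaultdict(int)
            for v, k in m1 + m2:
                exps[v] += k
            r[tuple(sorted(exps.items()))] += c1 * c2
    return {m: c for m, c in r.items() if c != 0}


def diff(p, x):
    """Partial derivative of p with respect to the variable x."""
    r = {}
    for mono, c in p.items():
        exps = dict(mono)
        k = exps.get(x, 0)
        if k == 0:
            continue
        exps[x] = k - 1
        if exps[x] == 0:
            del exps[x]
        r = add(r, {tuple(sorted(exps.items())): c * k})
    return r


def subst(p, x, q):
    """Replace the variable x in p by the polynomial q."""
    r = {}
    for mono, c in p.items():
        exps = dict(mono)
        k = exps.pop(x, 0)
        term = {tuple(sorted(exps.items())): c}
        for _ in range(k):
            term = mul(term, q)
        r = add(r, term)
    return r


def lie_derivative(p, field):
    """Derivative of p along the ODE x' = field[x]; variables absent from
    field are constants (derivative 0). This is the substitution x' -> rhs
    that the text applies to T' and phi'."""
    r = {}
    for x, rhs in field.items():
        r = add(r, mul(diff(p, x), rhs))
    return r


# Symbols: x1,x2 / y1,y2 positions, d1,d2 / e1,e2 velocities, w = omega.
x1, x2, y1, y2 = var("x1"), var("x2"), var("y1"), var("y2")
d1, d2, e1, e2 = var("d1"), var("d2"), var("e1"), var("e2")
x3, y3, p, w = var("x3"), var("y3"), var("p"), var("w")

# The replacement the text gives for F(w,0,0) ∧ G(w,0,0): x1'=d1, x2'=d2,
# d1'=-w d2, d2'=w d1, and likewise for y and e. Height is constant in this
# stage, so x3 and y3 have no entry.
FIELD = {"x1": d1, "x2": d2, "d1": scale(mul(w, d2), -1), "d2": mul(w, d1),
         "y1": e1, "y2": e2, "e1": scale(mul(w, e2), -1), "e2": mul(w, e1)}

# T ≡ d1-e1 = -w(x2-y2) ∧ d2-e2 = w(x1-y1), as two polynomials equal to 0.
T1 = add(sub(d1, e1), mul(w, sub(x2, y2)))
T2 = sub(sub(d2, e2), mul(w, sub(x1, y1)))


def sq(q):
    return mul(q, q)


# phi: distance >= p, i.e. (x1-y1)^2 + (x2-y2)^2 + (x3-y3)^2 - p^2 >= 0.
PHI = sub(add(add(sq(sub(x1, y1)), sq(sub(x2, y2))), sq(sub(x3, y3))), sq(p))


def t_is_differential_invariant():
    """T' ≡ true: both equalities of T have zero derivative along FIELD."""
    return lie_derivative(T1, FIELD) == {} and lie_derivative(T2, FIELD) == {}


def phi_derivative_under_t():
    """phi' with T applied: replace d1 and d2 by what T says they equal.
    The empty polynomial means 0 >= 0, i.e. phi' ≡ true as in the text."""
    dphi = lie_derivative(PHI, FIELD)
    dphi = subst(dphi, "d1", sub(e1, mul(w, sub(x2, y2))))
    return subst(dphi, "d2", add(e2, mul(w, sub(x1, y1))))
```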
The proofs of the rules [J], <J>◇, [D] and <D>◇ are as follows:
[rule figure BSA00000600517300121 not reproduced]
Proof: we prove rule [J] by induction on the structure of J.
1) When J has the form x:=θ, we need to prove
[formula BSA00000600517300122 not reproduced]
dTL provides the proof.
2) When J has the form θ₁ ≥ θ₂, we need to prove
[formula BSA00000600517300123 not reproduced]
That is, given that φ and [θ₁ ≥ θ₂]φ hold in state v, prove that [θ₁ ≥ θ₂]□φ holds in v.
The conclusion to be proved then becomes: □φ holds on the trace σ,
where σ = {(v̂) : val(v, θ₁) ≥ val(v, θ₂)} ∪ {(v̂, Λ̂) : val(v, θ₁) < val(v, θ₂)}.
If val(v, θ₁) ≥ val(v, θ₂), then the conclusion to be proved becomes
[formula BSA00000600517300127 not reproduced]
i.e. □φ holds in v; since φ is known to hold in v, this is proved.
If val(v, θ₁) < val(v, θ₂), the conclusion to be proved obviously holds.
The cases θ₁ = θ₂, θ₁ ≤ θ₂, θ₁ < θ₂ and θ₁ > θ₂ are proved in the same way.
3) When J has the form
[formula BSA00000600517300129 not reproduced]
we need to prove
[formula BSA000006005173001210 not reproduced]
By clause 3 of the trace semantics of DJ constraints:
[formula BSA000006005173001211 not reproduced]
iff (formula not reproduced) and
[formula BSA000006005173001213 not reproduced]
That is,
[formula BSA000006005173001214 not reproduced]
iff
[formula BSA000006005173001215 not reproduced]
and
[formula BSA000006005173001216 not reproduced]
i.e.
[formula BSA000006005173001217 not reproduced]
iff
[formula BSA000006005173001218 not reproduced]
which is proved.
4) When J has the form
[formula BSA00000600517300131 not reproduced]
we need to prove
[formula BSA00000600517300132 not reproduced]
which is proved in the same way as 3).
5) When J has the form
[formula BSA00000600517300133 not reproduced]
we need to prove
[formula BSA00000600517300134 not reproduced]
By clause 5 of the trace semantics of DJ constraints: (formula not reproduced) iff
[formula BSA00000600517300136 not reproduced]
i.e.
[formula BSA00000600517300137 not reproduced]
iff
[formula BSA00000600517300138 not reproduced]
i.e.
[formula BSA00000600517300139 not reproduced]
which is proved.
6) When J has the form
[formula BSA000006005173001310 not reproduced]
we need to prove
[formula BSA000006005173001311 not reproduced]
By clause 6 of the trace semantics of DJ constraints:
[formula BSA000006005173001312 not reproduced]
iff
[formula BSA000006005173001313 not reproduced]
i.e.
[formula BSA000006005173001314 not reproduced]
iff
[formula BSA000006005173001315 not reproduced]
iff
[formula BSA000006005173001316 not reproduced]
i.e. (formula not reproduced) iff
[formula BSA000006005173001318 not reproduced]
which is proved.
7) When J has the form
[formula BSA000006005173001319 not reproduced]
we need to prove
[formula BSA000006005173001320 not reproduced]
where
[formula BSA000006005173001321 not reproduced]
denotes
[formula BSA000006005173001322 not reproduced]
with x replaced by an arbitrary value θ.
By clause 7 of the trace semantics of DJ constraints:
[formula BSA000006005173001323 not reproduced]
iff for all possible vₓ,
[formula BSA000006005173001324 not reproduced]
holds; i.e.
[formula BSA000006005173001325 not reproduced]
iff
[formula BSA000006005173001326 not reproduced]
i.e.
[formula BSA000006005173001327 not reproduced]
iff
[formula BSA000006005173001328 not reproduced]
i.e.
[formula BSA000006005173001329 not reproduced]
iff (formula not reproduced), which is proved.
8) When J has the form
[formula BSA000006005173001331 not reproduced]
we need to prove
[formula BSA000006005173001332 not reproduced]
where
[formula BSA000006005173001333 not reproduced]
denotes the formula (not reproduced) with x replaced by a certain value θ; this is proved in the same way as 7).
Summing up 1) to 8),
[formula BSA000006005173001335 not reproduced]
holds.
Proof: we prove rule <J>◇ by induction on the structure of J.
1) When J has the form x:=θ, we need to prove
[formula BSA000006005173001337 not reproduced]
dTL has provided the proof [1].
2) When J has the form θ₁ ≥ θ₂, we need to prove (formula not reproduced). That is, given that φ or <θ₁ ≥ θ₂>φ holds in state v, prove that <θ₁ ≥ θ₂>◇φ holds in v.
The conclusion to be proved then becomes: ◇φ holds on the trace σ,
where σ = {(v̂) : val(v, θ₁) ≥ val(v, θ₂)} ∪ {(v̂, Λ̂) : val(v, θ₁) < val(v, θ₂)}.
If val(v, θ₁) ≥ val(v, θ₂), then [formula BSA00000600517300144 not reproduced]; the <θ₁ ≥ θ₂>φ in the premise becomes "φ holds in v", so the premise "φ or <θ₁ ≥ θ₂>φ holds in v" is equivalent to "φ holds in v", and the conclusion to be proved becomes [formula BSA00000600517300145 not reproduced], i.e. φ holds in v; since φ is known to hold in v, this is proved.
If val(v, θ₁) < val(v, θ₂), then
[formula BSA00000600517300146 not reproduced]
and the conclusion to be proved obviously holds.
The cases θ₁ = θ₂, θ₁ ≤ θ₂, θ₁ < θ₂ and θ₁ > θ₂ are proved in the same way.
3) When J is of the form
Figure BSA00000600517300147
we need to prove
Figure BSA00000600517300148
By clause 3) of the trace semantics of DJ constraints:
Figure BSA00000600517300149
iff
Figure BSA000006005173001410
and
Figure BSA000006005173001411
Then
Figure BSA000006005173001412
iff
Figure BSA000006005173001413
and
Figure BSA000006005173001414
i.e.
Figure BSA000006005173001415
iff
Figure BSA000006005173001416
which proves the claim.
4) When J is of the form
Figure BSA000006005173001417
we need to prove
Figure BSA000006005173001418
which is proved as in 3).
5) When J is of the form
we need to prove
By clause 5) of the trace semantics of DJ constraints:
iff
Figure BSA000006005173001422
i.e., iff
i.e., iff
Figure BSA000006005173001426
which proves the claim.
6) When J is of the form
Figure BSA000006005173001427
we need to prove
Figure BSA000006005173001428
By clause 6) of the trace semantics of DJ constraints:
Figure BSA000006005173001429
iff
Figure BSA000006005173001430
i.e.
Figure BSA000006005173001431
iff
Figure BSA000006005173001432
iff
i.e.
Figure BSA000006005173001434
iff
Figure BSA000006005173001435
which proves the claim.
7) We need to prove
Figure BSA000006005173001437
where, when J is of the form
Figure BSA000006005173001436
the formula with x replaced by an arbitrary value θ is denoted by
Figure BSA000006005173001438
By clause 7) of the trace semantics of DJ constraints:
Figure BSA00000600517300151
iff, for all possible v_x,
Figure BSA00000600517300152
holds;
i.e.
Figure BSA00000600517300153
iff
i.e.
Figure BSA00000600517300155
iff
i.e.
Figure BSA00000600517300157
iff
Figure BSA00000600517300158
which proves the claim.
8) We need to prove
Figure BSA000006005173001510
where, when J is of the form
Figure BSA00000600517300159
the expression denotes
Figure BSA000006005173001512
with x replaced by some value θ; the claim follows as in 7).
Summing up 1) to 8),
Figure BSA000006005173001514
holds.
Proof: suppose
Figure BSA000006005173001515
Then there is a trace
Figure BSA000006005173001516
whose first state is σ = v, and
Figure BSA000006005173001518
so that
Figure BSA000006005173001519
Hence σ has a position (0, η), η ∈ [0, r], at which we have
Figure BSA000006005173001521
Figure BSA000006005173001522
and D, restricted to [0, η], holds.
Figure BSA000006005173001523
Again,
∴
∴
∴
Figure BSA000006005173001526
Figure BSA000006005173001527
which proves the claim.
Proof: suppose
Figure BSA000006005173001529
It is known that
Figure BSA000006005173001530
is equivalent to
Figure BSA000006005173001531
which is equivalent to
∵
∴
Figure BSA000006005173001534
∴
Figure BSA000006005173001535
∴
Figure BSA000006005173001536
∴
Figure BSA000006005173001537
Figure BSA000006005173001538
<D>◇φ, which proves the claim.

Claims (4)

1. A CPS property verification method based on differential-algebraic temporal dynamic logic (DATL), characterized in that the cyber-physical system (CPS) is modelled, its properties are specified and the properties are verified with DATL, comprising the following steps:
Step 1) Analyze the CPS to be verified and model it, obtaining the operational model α of the system as a differential-algebraic program;
Step 2) Analyze the CPS property to be verified and specify it with DATL, so that the specification becomes a DATL formula of the form ψ → [α] φ, where:
ψ denotes the precondition; [α] is the modality of the operational model α and refers to the end states of all execution traces of α; the temporal operator between [α] and φ refers to any time or any state; [α] followed by the temporal operator refers to any intermediate state on all execution traces of α; φ denotes a constraint that must be satisfied; the whole formula ψ → [α] φ states that if ψ holds at the initial time, then the constraint φ holds at every intermediate state on all execution traces of α;
Step 3) Apply the sequent calculus of DATL, together with the calculus rules of DATL, to verify the DATL formula ψ → [α] φ obtained in step 2) by inference; the inference proceeds by applying one calculus rule at a time to derive a formula, then applying a further calculus rule to derive the next formula, and so on;
Step 4) If the inference of step 3) finally derives the axiom ax, the inference ends and the property to be verified is satisfied, i.e. it is verified;
Step 5) If the inference of step 3) does not finally derive the axiom ax, this DATL-based CPS property verification method cannot conclude whether the property is satisfied;
Step 6) End the verification.
2. The method according to claim 1, characterized in that, for DATL, the specification of the CPS property in step 2) takes the temporal behaviour of the CPS into account; the temporal behaviour is represented in the DATL formula by
Figure FSA00000600517200011
or ◇, where ◇ corresponds to
Figure FSA00000600517200012
and denotes a certain moment or a certain state.
3. The method according to claim 1, characterized in that, for DATL, the sequent calculus of step 3) starts from the formula to be proved and applies the calculus rules step by step until the axiom ax is derived; the reverse of the whole inference is exactly the proof of that formula.
4. The method according to claim 1, characterized in that the differential-algebraic program of step 1) is defined as follows:
a. A differential-algebraic program (DAP) is the minimal set recursively defined as follows:
1) if J is a DJ constraint, then J is a DAP;
2) if D is a DA constraint, then D is a DAP;
3) if α, β ∈ DAP, then (α ∪ β) ∈ DAP;
4) if α, β ∈ DAP, then (α; β) ∈ DAP;
5) if α ∈ DAP, then (α*) ∈ DAP;
b. DJ constraints are the minimal set recursively defined as follows:
1) an atomic formula of DJ constraints is a DJ constraint;
2) if A is a DJ constraint, then also is a DJ constraint;
3) if A and B are DJ constraints, then (A ∧ B), (A ∨ B), (A → B) and
Figure FSA00000600517200022
are also DJ constraints;
4) if A is a DJ constraint, then
Figure FSA00000600517200023
is also a DJ constraint;
5) only symbol strings formed by finitely many applications of 1)-4) are DJ constraints;
6) it is stipulated that the assignment statement x:=θ in a DJ constraint cannot appear within the scope of ;
c. The atomic formulas of DJ constraints are the set defined as follows:
1) an assignment statement x:=θ is an atomic formula of DJ constraints, where x = (x1, x2, ..., xn), with x1, x2, ..., xn individual variable symbols, and θ = (θ1, θ2, ..., θn), with θ1, θ2, ..., θn terms of DJ constraints;
2) if R(x1, x2, ..., xn) is an n-ary predicate symbol of DJ constraints and t1, t2, ..., tn are n terms of DJ constraints, then R(t1, t2, ..., tn) is an atomic formula of DJ constraints;
d. The terms of DJ constraints are the minimal set recursively defined as follows:
1) individual constant symbols and individual variable symbols are terms of DJ constraints;
2) if
Figure FSA00000600517200025
is an n-ary function symbol and t1, t2, ..., tn are n terms of DJ constraints, then
Figure FSA00000600517200031
is a term of DJ constraints;
3) all terms of DJ constraints are obtained by finitely many applications of 1) and 2).
e. Definition of DA constraints:
A DA constraint is a first-order logic formula defined over Σ ∪ Σ', where Σ is the set of state variables, functions and predicate relations, Σ' is the set of derivatives x' of the state variables x in Σ, and a symbol x' in Σ' cannot appear within the scope of
Figure FSA00000600517200032
A state variable x in a DA constraint may change if and only if x' appears in the DA constraint.
Definition 8 (trace semantics of DAP). The trace semantics τ(α) of a DAP α is the set of all possible traces of α, defined recursively as follows:
1.
Figure FSA00000600517200033
iff
Figure FSA00000600517200034
where J denotes a DJ constraint; according to the structure of J, the following cases are distinguished:
1)
Figure FSA00000600517200035
iff val(ω, x) = val(v, θ).
2)
Figure FSA00000600517200036
iff val(v, θ1) ≥ val(v, θ2).
3)
Figure FSA00000600517200037
iff
Figure FSA00000600517200038
and
Figure FSA00000600517200039
are both true.
4)
Figure FSA000006005172000310
iff
holds or
Figure FSA000006005172000312
holds.
5) iff does not hold.
6)
Figure FSA000006005172000315
iff
Figure FSA000006005172000316
does not hold or
Figure FSA000006005172000317
holds.
7)
Figure FSA000006005172000318
iff, for all possible v_x,
Figure FSA000006005172000319
holds, where v_x denotes a state whose state variables have the same values as in v, except for the value of x.
8)
Figure FSA000006005172000320
iff, for some v_x,
Figure FSA000006005172000321
holds.
2.
Figure FSA000006005172000322
is a differentially augmented state flow; for any ζ ∈ [0, r] (duration r ≥ 0),
Figure FSA000006005172000323
holds, and for all variables z that cannot be changed by D,
Figure FSA000006005172000324
holds, where D denotes the DA constraint.
3. τ(α ∪ β) = τ(α) ∪ τ(β).
4. τ(α; β) = {σ∘ζ : σ ∈ τ(α), ζ ∈ τ(β), whenever σ∘ζ is defined}, where, for σ = (σ0, σ1, σ2, ...) and ζ = (ζ0, ζ1, ζ2, ...), the composition is defined as
Figure FSA000006005172000325
5. τ(α*) = ∪_{n∈ℕ} τ(αⁿ), where for n ≥ 1, αⁿ⁺¹ := (αⁿ; α), with α¹ := α and α⁰ := (?true).
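As an added illustration, not code from the patent or its inventors, the following Python evaluator encodes the discrete part of Definition 8 (the eight DJ-constraint cases and the ∪, ;, * program cases) together with the claim 1 reading of ψ → [α]φ over end states, and runs it on a constructed counter program. It assumes integer state variables over a small finite domain so that the quantifier cases 7)-8) and the α* closure are computable, that a passing test leaves the state unchanged (as the single-state trace (v̂) in the proof for θ1 ≥ θ2 suggests), and it omits the DA-constraint (continuous evolution) case and the intermediate-state temporal operator; the tuple encoding of constraints and programs is constructed here.

```python
from typing import FrozenSet, Iterable, Tuple
State = Tuple[Tuple[str, int], ...]   # hashable state: sorted (variable, value) pairs
Rel = FrozenSet[Tuple[State, State]]  # (pre-state v, post-state w) transitions of a program

def dj_holds(J, v: State, w: State, domain: Iterable[int]) -> bool:
    """(v, w) ∈ τ(J) for a DJ constraint J, cases 1)-8) of Definition 8. A term θ is a callable over
    the state dict, val(v, θ) = θ(dict(v)); assumption: a passing test (case 2) leaves the state unchanged."""
    op = J[0]
    if op == ":=":                    # 1) x := θ iff val(w, x) = val(v, θ)
        return dict(w)[J[1]] == J[2](dict(v))
    if op == ">=":                    # 2) θ1 ≥ θ2 iff val(v, θ1) ≥ val(v, θ2)
        return w == v and J[1](dict(v)) >= J[2](dict(v))
    if op == "and":                   # 3) both conjuncts hold
        return dj_holds(J[1], v, w, domain) and dj_holds(J[2], v, w, domain)
    if op == "or":                    # 4) at least one disjunct holds
        return dj_holds(J[1], v, w, domain) or dj_holds(J[2], v, w, domain)
    if op == "not":                   # 5) the constraint does not hold
        return not dj_holds(J[1], v, w, domain)
    if op == "->":                    # 6) A does not hold or B holds
        return (not dj_holds(J[1], v, w, domain)) or dj_holds(J[2], v, w, domain)
    if op in ("forall", "exists"):    # 7), 8) v_x: v with x re-valued; finite domain assumed
        x, A = J[1], J[2]
        def rebind(s, c): return tuple(sorted({**dict(s), x: c}.items()))
        hits = [dj_holds(A, rebind(v, c), rebind(w, c), domain) for c in domain]
        return all(hits) if op == "forall" else any(hits)
    raise ValueError(f"unknown DJ constraint: {op}")

def compose(a: Rel, b: Rel) -> Rel:   # σ∘ζ: join traces whose end state is the next trace's start
    return frozenset((v, w) for (v, m) in a for (m2, w) in b if m == m2)

def tau(alpha, states: Iterable[State], domain: Iterable[int]) -> Rel:
    """τ(α) over a finite state set: cases 1, 3, 4, 5 of Definition 8 (DA constraints omitted)."""
    op = alpha[0]
    if op == "dj":
        return frozenset((v, w) for v in states for w in states if dj_holds(alpha[1], v, w, domain))
    if op == "union":                 # 3) τ(α ∪ β) = τ(α) ∪ τ(β)
        return tau(alpha[1], states, domain) | tau(alpha[2], states, domain)
    if op == "seq":                   # 4) τ(α; β) = {σ∘ζ : σ ∈ τ(α), ζ ∈ τ(β)}
        return compose(tau(alpha[1], states, domain), tau(alpha[2], states, domain))
    if op == "star":                  # 5) τ(α*) = ∪_n τ(α^n), with α^0 = ?true (identity)
        step, closure = tau(alpha[1], states, domain), frozenset((v, v) for v in states)
        while closure != (nxt := closure | compose(closure, step)):
            closure = nxt
        return closure
    raise ValueError(f"unknown program: {op}")

def box_holds(psi, alpha, phi, states, domain) -> bool:
    """ψ → [α]φ read over end states: every trace of α from a ψ-state ends in a φ-state."""
    return all(dj_holds(phi, w, w, domain)
               for (v, w) in tau(alpha, states, domain) if dj_holds(psi, v, v, domain))
DOMAIN = range(-2, 6)                 # constructed example: one counter x over a finite domain
STATES = [(("x", c),) for c in DOMAIN]
X_GE_0 = (">=", lambda s: s["x"], lambda s: 0)
DEC = ("dj", (":=", "x", lambda s: s["x"] - 1))
INC = ("dj", (":=", "x", lambda s: s["x"] + 1))
GUARDED = ("star", ("union", ("seq", ("dj", (">=", lambda s: s["x"], lambda s: 1)), DEC), INC))
UNGUARDED = ("star", ("union", DEC, INC))
def check_counter() -> Tuple[bool, bool]:  # does each loop keep x ≥ 0 from every start with x ≥ 0?
    return (box_holds(X_GE_0, GUARDED, X_GE_0, STATES, DOMAIN),
            box_holds(X_GE_0, UNGUARDED, X_GE_0, STATES, DOMAIN))
```

The guarded loop (decrement only when x ≥ 1) satisfies x ≥ 0 → [α] x ≥ 0 over the finite domain, while the unguarded loop reaches x = -1 and the check reports the violation.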
CN201110332307.8A 2011-10-28 2011-10-28 Cyber physical system (CPS) attribute verification method based on differential algebra timing sequence dynamic logic (DATL) Expired - Fee Related CN102722593B (en)


Publications (2)

Publication Number Publication Date
CN102722593A true CN102722593A (en) 2012-10-10
CN102722593B CN102722593B (en) 2014-08-06



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20140806

Termination date: 20171028