Introduction to KeYmaera: A Practical Guide for Hybrid Systems Verification

Getting Started with KeYmaera: Step-by-Step Tutorial and Examples

What KeYmaera is

KeYmaera is a theorem prover for hybrid systems—systems combining continuous dynamics (differential equations) with discrete control. It checks safety and correctness properties by constructing formal proofs using differential dynamic logic (dL).

Quick setup (assumed: Windows/macOS/Linux)

  1. Download KeYmaera X from the official site (choose the latest release for your OS).
  2. Install Java (OpenJDK 11+ recommended).
  3. Extract/run the KeYmaera X application (or run the jar: java -jar keymaerax.jar).
  4. Open the GUI or use the command-line frontend.

First example: simple bouncing-ball safety

Model: a ball with height h, velocity v, gravity g, and a bounce that inverts v when h ≤ 0 with coefficient 0.8. Prove: the ball’s height never goes above initial max H_max.

  1. Formalize variables and dynamics:

    • Variables: h, v; parameter: g > 0.
    • Continuous evolution: { h' = v, v' = -g & h ≥ 0 }.
    • Bounce (discrete): if h ≤ 0 then v := -0.8*v.
  2. Specify safety property in dL:

    • Precondition: 0 ≤ h ≤ H_max, v^2 ≤ 2g(H_max - h) (optional energy bound).
    • Program (iterated as a loop, so the safety proof needs loop induction): ( {continuous evolution} ; (if h ≤ 0 then v := -0.8*v) )*
    • Postcondition: 0 ≤ h ≤ H_max.
  3. Load the model in KeYmaera X, input the formula:

    { /* dL formula representing the loop and safety */ }

    (Use the GUI example editor to paste the bouncing-ball template if available.)

  4. Run automatic proof steps:

    • Use the provided proof tactics: differential invariant search, symbolic simplifiers, and automated rules.
    • Inspect proof goals, apply differential invariant or choose an energy-based invariant like v^2 + 2gh ≤ 2gH_max.
  5. Complete proof:

    • Prove invariants for continuous evolution (use differential invariant proof rule).
    • Show discrete bounce preserves the invariant (algebraic update).
    • Close the loop with the Kleene star induction rule.
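The model from steps 1 to 5 written out as a complete KeYmaera X archive file, added here as an example rather than taken from the original post or from the KeYmaera X distribution. The constant names g, H (the text's H_max) and c, the test/choice encoding of the bounce, and the tactic name `auto` (the automation tactic in current releases; older ones call it `master`) are assumptions.

```kyx
/* Added example: bouncing ball from the tutorial as a KeYmaera X archive.
   Assumed names: g (gravity), H (H_max in the text), c (restitution, 0.8). */
ArchiveEntry "Bouncing ball stays below H"

Definitions
  Real g;   /* gravity, required positive in the precondition */
  Real H;   /* initial maximum height (H_max in the text) */
  Real c;   /* restitution coefficient, fixed to 0.8 in the precondition */
End.

ProgramVariables
  Real h;   /* height */
  Real v;   /* velocity, positive upwards */
End.

Problem
  g > 0 & c = 0.8 & 0 <= h & h <= H & v^2 <= 2*g*(H-h)
  ->
  [
    {
      /* continuous evolution, only while the ball is above ground */
      { h' = v, v' = -g & h >= 0 };
      /* discrete bounce "if h <= 0 then v := -c*v", encoded as test/choice */
      { { ?h <= 0; v := -c*v; } ++ { ?h > 0; } }
    }*@invariant(0 <= h & h <= H & v^2 <= 2*g*(H-h))
    /* energy bound: along the ODE d/dt(v^2 - 2*g*(H-h)) = -2*g*v + 2*g*v = 0,
       so the bound is a differential invariant; h <= H follows from it
       because v^2 >= 0 and g > 0; the bounce only shrinks v^2 (0.64*v^2) */
  ] (0 <= h & h <= H)
End.

Tactic "Loop invariant, then automation on each branch"
  implyR(1) ; loop("0 <= h & h <= H & v^2 <= 2*g*(H-h)", 1) ; <(
    QE,
    QE,
    auto
  )
End.

End.
```

Load the file through the KeYmaera X GUI (Models, then import) or the command-line frontend; if the automation tactic has a different name in your release, run the proof from the GUI's automatic proof button instead.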

Guiding principles for proofs

  • Choose invariants capturing conserved or bounded quantities (energy-like expressions are common).
  • Use differential invariants rather than solving ODEs when closed-form solutions are complex.
  • Break complex systems into composable sub-systems and verify each part.
  • Leverage KeYmaera X’s automated tactics, but be prepared for manual guidance on tough goals.

Additional examples to try

  • Cruise-control: vehicle speed governed by piecewise controller and drag.
  • Thermostat: temperature dynamics with hysteresis control.
  • Simple car with braking: stop distance safety proofs.

Resources

  • KeYmaera X user manual and built-in examples (open the Examples menu).
  • Differential dynamic logic (dL) tutorials and papers for background on proof rules and invariants.
  • Community mailing lists and research papers with benchmark models.
