
Source: sqig.math.ist.utl.pt/pub/MateusP/15-HMP-NSDL.pdf (ULisboa)


Nondeterministic Stochastic Differential Dynamic Logic

David Henriques Paulo Mateus André Platzer

July 21, 2015

Abstract

Complex hybrid systems can have several sources of uncertainty. When modelling systems, events that unpredictably or adversarially change the state of the system are typically modelled with nondeterministic transitions, whereas events to which we can attribute some likelihood, either because of their fundamental nature or because of simplifying assumptions, are typically modelled as stochastic. Although logic and theorem proving have been successfully used to reason about the possibility of events in nondeterministic hybrid systems and to reason about the probability of events in fully stochastic hybrid systems, the interactions between both kinds of uncertainty generate non-trivial dynamics and these approaches cannot be easily merged. Herein, we introduce Nondeterministic Stochastic Differential Dynamic Logic (NSdL), a logical framework over nondeterministic stochastic hybrid systems that allows for reasoning about the possible probabilities of events. We introduce models for Nondeterministic Stochastic Hybrid Systems and prove that the semantics for such models are measurable. We present compositional proof rules for the logic and prove their soundness. We exemplify the calculus with a version of an aircraft controller model that had previously been stripped of probabilism for tractability reasons.

1 Introduction

Logic has historically been used as a powerful tool in the analysis and verification of models for complex systems, most notably of discrete transition systems [5, 15]. This success motivated the development of logic techniques for dealing with more sophisticated models, like Hybrid Systems, which have interacting continuous and discrete components [19, 1, 21]. Often, the dynamics of Hybrid Systems are modelled using nondeterministic transitions, representing possible changes in the state of the system. This abstraction is appropriate when we have qualitative notions about the possibility of state change, but it eschews any quantitative information about the likelihood of the possible behaviors of the system, which can lead to inaccurate conclusions.

With only nondeterministic approximations, repeated occurrence of best/worst-case scenarios, however unlikely, may be taken as evidence of a broken system. This excess of zeal may lead to the rejection of reasonable systems or to the inability of finding meaningful counterexamples. In these cases, we can often get more detailed models by allowing probabilistic transitions that incorporate quantitative information. For example, if we use a nondeterministic approximation for modelling the reliability of an internet connection, it would indeed be theoretically possible (although incredibly unlikely) that every single packet sent by one party is dropped by the network. In this case, we would have no choice but to conclude that internet communication is unreliable, an admittedly silly conclusion that is obviously an artefact of our poor choice of model. On the other hand, if we were modelling an attacker that chooses either to drop packets or not, nondeterministic transitions would be the way to go, as a purely probabilistic description would lack the power to accurately model the intentions of agents.

In a hybrid systems setting, the introduction of stochastic dynamics is a difficult matter, since the stochastic components can have non-trivial effects on the continuous and discrete transitions of the system. In [20], Stochastic Differential Dynamic Logic (SDL) was introduced to handle Stochastic Hybrid Systems, modelling continuous evolutions as following Stochastic Differential Equations (SDEs) and discrete evolutions as the results of discrete probabilistic experiments. SDL allows reasoning about probabilities of events, rather than their possibility. Unfortunately, SDL only admits reasoning over fully probabilistic models, where all transitions are either deterministic or probabilistic. In order to retain the capability of handling nondeterministic dynamics, as in Differential Dynamic Logic, dL ([19, 18]), and thus reason about the possible probabilities of events, we introduce Nondeterministic Stochastic Differential Dynamic Logic (NSdL), which combines features of dL and SDL.

Reintroducing nondeterminism in a probabilistic hybrid setting is especially challenging since we not only have to analyze the subtle interactions between probabilism and nondeterminism, but we also have to consider the effect of these interactions on a setting with naturally continuous and discrete complex dynamics. Probability and nondeterminism are hard to combine since reasoning about probabilities is inherently quantitative and reasoning about nondeterminism is inherently qualitative. More fundamentally, "choices over distributions" and "distributions over choices" behave differently ([16, 24]) and alternations of both kinds of behaviour quickly result in very complex objects, so one cannot simply independently apply probabilistic machinery in probabilistic steps and nondeterministic machinery in nondeterministic steps ([6, 22, 16]). On the other hand, most models for continuous systems are either not suitable for compositional reasoning, like hybrid automata [10], or deal with continuous time as an external resource, rather than an integral part of the system that affects its behaviour, like continuous-time Markov decision processes [7], for example.

In order to address the need for a suitable model that allows the description of nondeterministic probabilistic continuous dynamics, we introduce a model for Nondeterministic Stochastic Hybrid Systems, called Nondeterministic Stochastic Hybrid Programs (NSHP). NSHPs are designed to be fully compositional, allowing complex systems to be built and reasoned over by soundly combining information over smaller, simpler parts.

The semantics for the execution of an NSHP is a collection of potential probability measures over the Borel sets, each representing a possible distribution of states of the system during evolution. For example, given a fragment of execution driven by an SDE, the system will evolve continuously according to the stochastic process that is the solution of the SDE. At each point in time, the actual position of the system will be random, following some probability distribution. However, we can choose when to stop this execution, so there is the potential to nondeterministically choose from an infinite collection of finishing distributions.

NSdL formulas incorporate the dynamics given by NSHPs and may make probabilistic and/or nondeterministic queries about the state of the system to establish their validity. We identify reasoning principles that allow us to turn probabilistic queries into algebraic sentences, amenable to more standard logical techniques [23]. With these ideas in mind, we present compositional proof rules for the logic and prove their soundness, which allows us to reason symbolically over these systems.

Our most interesting contributions are:

• We introduce a new model (NSHP), suitable for modelling Nondeterministic Stochastic Hybrid Systems, define compositional semantics for NSHP and prove necessary measurability results for these semantics.

• We present a new logic, NSdL, for specifying and verifying properties of Non-deterministic Stochastic Hybrid Systems modeled by NSHP.

• We present a calculus for NSdL that is a conservative extension of the calculusfor dL and prove its soundness.

• We extend the calculus with “creative” probabilistic cut rules that allow externalinformation to be incorporated in the proof system.

In short, this paper reports on significant results to deal with very challenging do-mains including nondeterministic, probabilistic and hybrid interacting components byfocusing on the composition of purely syntactic operations. To exemplify the calculus,we use these principles in a fragment of an aircraft controller model that had previouslybeen stripped of probabilism for tractability reasons [11].

2 Preliminaries

In this work, we assume some familiarity with basic measure and probability theory. Rigorous definitions of expressions like rectangle, measure, measurable set, measurable function, integral w.r.t. a measure, probability measure, σ-algebra, probability space, random variable and stochastic process can be found in [8] and [12]. In addition, we refer to [17] for a more in-depth treatment of SDEs and to [3] for a more in-depth treatment of semi-algebraic functions and real algebraic geometry.

2.1 Stochastic processes and stochastic differential equations

As in SDL [20], we describe the continuous dynamics of the system using (continuous-time) stochastic processes $X_t$ which are solutions to given Stochastic Differential Equations (SDE) of the form $dX_t = b(X_t)\,dt + \sigma(X_t)\,dW_t$. The drift coefficient $b : \mathbb{R}^d \to \mathbb{R}^d$ drives the non-stochastic continuous evolution of the process, while the diffusion coefficient $\sigma : \mathbb{R}^d \to \mathbb{R}^{d^2}$ describes the influence of a Brownian motion (or Wiener) process $W$ continuously acting on $X$. We assume that both $b$ and $\sigma$ are measurable and locally Lipschitz-continuous, that is

$$\forall N\,\exists C\,\forall x, y\quad |x|, |y| < N \Rightarrow |b(x) - b(y)| \le C|x - y|,\ |\sigma(x) - \sigma(y)| \le C|x - y|.$$

In this case, it is well known [17] that the SDE, constrained to $X_0 = Z$, has a unique solution given by

$$X_t = Z + \int_0^t b(X_s)\,ds + \int_0^t \sigma(X_s)\,dW_s,$$

with $\int b(X_t)\,dt$ a standard Lebesgue integral and $\int \sigma(X_t)\,dW_t$ an Itô integral process. However, closed forms for these integrals are not always known.
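The integral form above, as an added numerical illustration that is not code from the paper: Euler-Maruyama approximates the Lebesgue part and the Itô part on a time grid, one Gaussian increment $dW \sim N(0, dt)$ per step. The drift and diffusion are an assumption of this example, the Ornstein-Uhlenbeck pair $b(x) = -\theta x$, $\sigma(x) = s$ (both Lipschitz), chosen because the solution's mean and variance at time $T$ are known in closed form (standard facts, not from the page) and so give a check on the simulation. Stopping many sampled paths at the same $T$ yields the finishing distribution at that stopping time; stopping at a different $T$ yields a different one.

```python
"""Euler-Maruyama simulation of dX_t = b(X_t) dt + sigma(X_t) dW_t (Section 2.1).
Added illustration, not code from the paper.  Drift and diffusion are the
Ornstein-Uhlenbeck pair b(x) = -theta*x, sigma(x) = s, an assumption of this
example chosen because X_T then has closed-form moments to check against:
E[X_T] = x0*exp(-theta*T), Var[X_T] = s^2*(1 - exp(-2*theta*T))/(2*theta).
"""
import math
import random


def euler_maruyama(b, sigma, x0, T, dt, rng):
    """One sample of X_T: the Lebesgue part b(X) dt plus the Ito part sigma(X) dW,
    with independent Brownian increments dW ~ N(0, dt)."""
    x = x0
    for _ in range(int(round(T / dt))):
        dW = rng.gauss(0.0, math.sqrt(dt))
        x = x + b(x) * dt + sigma(x) * dW
    return x


def terminal_moments(b, sigma, x0, T, dt=0.01, paths=4000, seed=1):
    """Empirical (mean, variance) of X_T over independent paths, i.e. of the
    finishing distribution obtained by stopping the evolution at time T."""
    rng = random.Random(seed)
    xs = [euler_maruyama(b, sigma, x0, T, dt, rng) for _ in range(paths)]
    m = sum(xs) / len(xs)
    return m, sum((x - m) ** 2 for x in xs) / (len(xs) - 1)


def ou_exact(x0, theta, s, T):
    """Closed-form mean and variance of the Ornstein-Uhlenbeck process at T."""
    return x0 * math.exp(-theta * T), s * s * (1 - math.exp(-2 * theta * T)) / (2 * theta)


def ou_check(x0=2.0, theta=1.0, s=1.0, T=1.0):
    """(empirical, exact) moments at stopping time T; the gap is Monte Carlo and
    time-discretisation error only."""
    emp = terminal_moments(lambda x: -theta * x, lambda x: s, x0, T)
    return emp, ou_exact(x0, theta, s, T)


if __name__ == "__main__":
    # Different stopping times T give different finishing distributions.
    for T in (0.25, 1.0, 4.0):
        (m, v), (em, ev) = ou_check(T=T)
        print(f"T={T}: mean {m:.3f} (exact {em:.3f}), var {v:.3f} (exact {ev:.3f})")
```

The check is statistical: with 4000 paths and dt = 0.01 the Monte Carlo and discretisation errors are both well under 0.05 for these parameters, which is the tolerance used below.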


2.2 Semi-algebraic functions

We will work with semi-algebraic (SA) functions to describe many components in our models: geometric and physical constraints, physical laws, probability distributions, all will be represented by SA functions. SA functions are a broad class of functions that includes, for example, all rational functions defined by cases in rational intervals.

SA functions are defined over semi-algebraic sets, which in turn can be expressedas the satisfaction sets of formulas of first order logic (FOL) with real arithmetic. Wefollow the notational conventions in [3].

Definition 1. A semi-algebraic set of $\mathbb{R}^n$ is a subset of the form

$$\bigcup_{i=1}^{s} \bigcap_{j=1}^{r_i} \{\vec x \in \mathbb{R}^n : p_{i,j}(\vec x) \bowtie_{i,j} 0\}$$

where $p_{i,j}$ are polynomials and $\bowtie_{i,j} \in \{<, \le\}$.

Definition 2. A semi-algebraic function is a function $f : S \to T$ s.t. $S \subseteq \mathbb{R}^n$ and $T \subseteq \mathbb{R}^m$ are semi-algebraic sets and $\mathrm{Graph}(f)$ is a semi-algebraic set in $\mathbb{R}^{n+m}$.

It is often useful to consider SA functions as level sets of polynomial expressions.

Proposition 1 ([3, Proposition 2.85]). Let $f : S \to \mathbb{R}^m$ be a semi-algebraic function on a semi-algebraic set $S \subseteq \mathbb{R}^n$. There exists a non-zero multidimensional polynomial $P(\vec x, \vec y)$ s.t. for all $\vec x \in S$, $P(\vec x, f(\vec x)) = 0$.

With this representation, the x variables are called the input variables and the y variables are called the output variables. If the output variables can explicitly be isolated on one side of the equality, we say that the function is explicitly defined. We will often use o to denote the single output variable of an explicitly defined function.

The most important feature of SA functions is that their graph can always be repre-sented by the satisfaction set of some FOL formulas, and so they are representable inFOL. We will use the very powerful (albeit sometimes inefficient) machinery we havefor FOL ([23]) to reason about SA functions. We can combine simple SA functions intomore complex ones via their FOL representation, since arithmetical operations involv-ing SA functions are definable in FOL [3, section 2.5.2].

Proposition 2 ([3, §2.5.2]). There are effective algorithms that construct the FOL representations for $f + g$, $-f$, $f \times g$, $f / g$ if $g \neq 0$, and $f \circ g$ from the FOL representations $F$ and $G$ of semi-algebraic functions $f$ and $g$.

In order to avoid unnecessary verbosity, henceforth we will adopt the followingnotation.

Notation 1. When we say that f is a SA function we mean that f is a FOL formula that represents a semi-algebraic function f. Likewise, we will denote by f + g the FOL formula representation of the semi-algebraic function f + g, and similarly for other algebraic constructs.

It is often useful to decompose a SA function in several regions where the output isgiven by a single expression:

Definition 3. A FOL formula is said to be written in disjunctive normal form representation (DNF) if it is of the form

$$\bigvee_{j=1}^{r} \bigwedge_{i=1}^{s_j} \big(\theta_{j,i} \bowtie_{j,i} \hat\theta_{j,i}\big)$$

for FO terms $\theta_{j,i}, \hat\theta_{j,i}$ and $\bowtie_{j,i} \in \{<, \le\}$. Furthermore, it is said to be written in Disjoint DNF representation (DDNF) if it is in DNF form and the satisfaction sets of all disjuncts are disjoint.


Since FOL with real arithmetic allows quantifier elimination (QE) [23], we can re-duce any FOL with real arithmetic formula to an equivalent formula in DDNF repre-sentation by applications of QE and standard logical operations. DDNF can be usefulto re-write a function as the sum of several functions whose output is zero everywhereexcept in some region where the output is given by a single expression.

Proposition 3. Let $f = \bigvee_i f_i$ be a SA function in DDNF. Then there are total SA functions $T(f_i)$ s.t. $F$ is equivalent to $\sum_i T(f_i)$, $\mathrm{Sat}(f_i) \subseteq \mathrm{Sat}(T(f_i))$ ($\mathrm{Sat}(\varphi)$ denotes the satisfaction set of $\varphi$) and, for all inputs $x_1, \dots, x_n$ for which there are no outputs $y_1, \dots, y_m$ s.t. $(x_1, \dots, x_n, y_1, \dots, y_m) \in \mathrm{Sat}(f_i)$, $(x_1, \dots, x_n, 0, \dots, 0) \in \mathrm{Sat}(T(f_i))$.

3 Nondeterministic Stochastic Hybrid Programs

In this section we present nondeterministic stochastic hybrid programs (NSHP), a model for nondeterministic stochastic hybrid systems. The potential execution of a system is broken down into primitive components: state switching (deterministic, nondeterministic or stochastic) and continuous dynamics, given by (possibly stochastic) differential equations. These primitives are then combined to generate complex behavior.

3.1 Syntax

Let Σ be a signature for FOL with real arithmetic. Like in dL ([19, 18]), we will consider a set of logical variables (V) to be interpreted over the reals, which will be used for arithmetical reasoning and quantification. We also consider a set of function symbols of arity 0, which we call state variables (Σ_state ⊆ Σ), that denote the state of the non-probabilistic components of the hybrid system and may change their value during system evolution. In addition, we consider another set of function symbols of arity 0, called probabilistic variables (Σ_prob ⊆ Σ), to be interpreted over probability measures and that represent distributions over possible configurations of the system.

Quantities that change nondeterministically will thus be represented by state vari-ables and quantities that change randomly according to some probability law will berepresented by probabilistic variables. Notice that, despite their names, state and prob-abilistic variables are function symbols of arity 0, not true variables. For example, wecannot quantify over state and probabilistic variables.

We will denote logical variables by $x_i, y_i, \dots$, state variables by $x_i, y_i, z_i, \dots$ and probabilistic variables by $X_i, Y_i, Z_i, \dots$. We denote first-order terms by $\Theta$ ($\Theta \in \mathrm{Terms}(\Sigma)$) and distinguish first-order terms that do not contain any probabilistic symbols (and thus pertain only to the nondeterministic state of the system) by denoting them with $\theta$, i.e., $\theta \in \mathrm{Terms}(\Sigma \setminus \Sigma_{prob})$. We denote vectors of variables by $\vec x$, vectors of terms by $b$, matrices of terms by $\sigma$, first-order real arithmetic formulas by $H$ and SA functions where probabilistic variables do not occur by $f$. Given this, the syntax for nondeterministic stochastic hybrid programs is given by

$$\alpha, \beta ::= x_i := \theta \mid X_i := \Theta \mid x_i := * \mid X_i \sim f \mid X_i \sim_d f \mid\ ?H \mid \alpha + \beta \mid \lambda\alpha \oplus \gamma\beta \mid \alpha;\beta \mid \alpha^* \mid d\vec X = b\,dt + \sigma\,dW \,\&\, H$$

(The symbol for the discrete probabilistic assignment did not survive extraction from the PDF; it is written $\sim_d$ here.)

The first five constructs, assignments, instantaneously assign new values to variables. $x_i := \theta$ assigns to state variable $x_i$ the current value of term $\theta$. This is used to establish relations between state variables or to create an instantaneous "jump" in the state of the system. $X_i := \Theta$ serves the same purpose, but can establish relations between random quantities. The probabilistic jump construct, $X_i := \Theta$, thus associates to probabilistic variable $X_i$ the probability measure obtained by transforming current distributions and states according to $\Theta$. We cannot assign a probabilistic term $\Theta$ to a non-probabilistic variable $x$ because any part of a system that depends (even if parametrically) on random quantities must itself behave probabilistically. Therefore $x := \Theta$ is not allowed as an assignment.

Nondeterministic assignment, $x_i := *$, assigns some real value to $x_i$. This assignment allows any value to be attributed to $x_i$, making it ideal for modelling unknown nondeterministic transitions. Similarly, the probabilistic assignment constructs¹, $X_i \sim f$ and $X_i \sim_d f$ (the latter being the discrete assignment), associate with $X_i$ a new distribution (given explicitly by $f$), independent from previously assigned measures. These new distributions are either absolutely continuous, in the case of $X_i \sim f$, or discrete mass distributions, in the case of $X_i \sim_d f$. Probabilistic assignments are similar to nondeterministic assignment in the sense that they allow us to set new values for variables independently of the state of the system. These assignments are ideal to model transitions for which we have some notion of the likelihood of the outcome.

?H is a test, a possibility of discontinuing a process that does not guarantee someproperty almost surely. This is useful to restrict physical impossibilities, for example,that would spuriously violate interesting properties.

Nondeterministic choice, $\alpha + \beta$, either behaves like $\alpha$ or like $\beta$, nondeterministically, whereas probabilistic choice, $\lambda\alpha \oplus \gamma\beta$, behaves like $\alpha$ with probability $\lambda$ and like $\beta$ with probability $\gamma$. This construct, together with both constructs for probabilistic assignments, allows us to define mixed-type random assignments by Lebesgue decomposition ([12]).

In sequential composition, α;β, NSHP α transitions take effect until they end (ifthey end) and then NSHP β is run. Repetition, α∗, allows α to repeat sequentially any(nondeterministically chosen) number of times.

Finally, stochastic continuous evolution, $d\vec X = b\,dt + \sigma\,dW \,\&\, H$, models an evolution of the system along an SDE for a nondeterministic duration, as long as it stays within $H$ almost surely. Notice that, while this model does not allow control of the effect of stochastic noise in the system during an SDE evolution (the whole point of SDE modelling is for this noise to be random, after all), it does allow arbitrary stopping times where we may be able to change the dynamics of the system (by issuing new controls, for example). We assume that $\vec X$, $b$ and $\sigma$ are of matching dimensions.

3.2 Transition semantics for NSHP

Like in dL, we present a possible-worlds semantics for our logic ([14]). NSHPs will be the way by which we move from world to world. For a fixed first-order real arithmetic interpretation $I$ and environment $\eta$, a world is a pair $(\nu, \mu)$, where the state $\nu$ is a map $\nu \in \mathbb{R}^{\Sigma_{state}}$ and the distribution $\mu$ is a probability measure over the Borel sets in $\mathbb{R}^{\Sigma_{prob}}$. Since each $\tau \in \mathbb{R}^{\Sigma_{prob}}$ corresponds to a point in $\mathbb{R}^n$, we will handle $\mu$ as a distribution over the Borel sets in $\mathbb{R}^n$.

We can now define the transition semantics, ρ(α), for NSHPs as a relation betweenworlds, called the transition relation. Two worlds (νi, µi), (νf , µf ) are related by thetransition relation ρ(α) if it is possible that, starting in (νi, µi) and following NSHP αwe end up in (νf , µf ). The semantics is defined by induction on the program structure:

¹ We will often use $X_i \sim/\!\!\sim_d f$ to denote either $X_i \sim f$ or $X_i \sim_d f$ when arguments hold for both.


Definition 4. Given an interpretation structure for first-order real arithmetic, $I$, and an environment $\eta : V \to \mathbb{R}$, the valuation of an NSHP $\alpha$, denoted $\rho(\alpha)$, is a transition relation on the worlds of $(\Sigma, V)$². Recall that by Carathéodory's extension theorem, it suffices to specify measures on hyper-rectangles of $\mathbb{R}^n$ to completely define the measure.

1. $((\nu_i, \mu), (\nu_f, \mu)) \in \rho(x_i := \theta)$ if $\nu_f = \nu_i[x_i \mapsto [\![\theta]\!]_{I,\eta,\nu_i}]$.
Assignments to state variables do not depend on probabilistic variables, only on other state variables. We transition from a state $\nu_i$ to a state $\nu_f$ if $\nu_f$ is a semantic modification of $\nu_i$ that changes only the value of the variable $x_i$ to the value that $\theta$ has in $\nu_i$.

2. $((\nu, \mu_i), (\nu, \mu_f)) \in \rho(X_i := \Theta)$ if, for all hyper-rectangles $(I_1, \dots, I_n) \subseteq \mathbb{R}^n$,

$$\mu_f(I_1, \dots, I_n) = \mu_i\big(\{\vec\omega : (\omega_1, \dots, \omega_{i-1}, [\![\Theta]\!]_{I,\eta,\nu,\tau_{\vec\omega}}, \omega_{i+1}, \dots, \omega_n) \in (I_1, \dots, I_n)\}\big)$$

where $\tau_{\vec\omega} : \Sigma_{prob} \to \mathbb{R}$ is s.t. $\tau_{\vec\omega}(X_k) = \omega_k$.
Probabilistic assignment depends both on state variables and on probabilistic variables. It changes the measure from $\mu_i$ to $\mu_f$ in such a way that the probability of any event $E$ w.r.t. $\mu_f$ is the same as the probability of the pre-image of $E$ by $\Theta$ (seen as a real function) w.r.t. $\mu_i$. In other words, the probability of an event $E$ after assignment $\Theta$ becomes the probability of the events that are transformed into $E$. By Carathéodory's extension theorem, if we guarantee this property for all hyper-rectangles $(I_1, \dots, I_n) \subseteq \mathbb{R}^n$, it extends to all events $E$.

3. $((\nu_i, \mu), (\nu_f, \mu)) \in \rho(x_i := *)$ if there exists $c \in \mathbb{R}$ s.t. $\nu_f = \nu_i[x_i \mapsto c]$.
Nondeterministic assignments to state variables allow transitions to worlds that change the value of state variable $x_i$ (to any value) and otherwise leave values unchanged, as well as the measure.

4. $((\nu, \mu_i), (\nu, \mu_f)) \in \rho(X_i \sim f)$ if $f$ is a SA continuous cumulative distribution function in an input variable $x$ (that is, a non-decreasing, continuous SA function s.t. $\lim_{x \to -\infty} [\![f]\!]_{I,\eta[x \mapsto x],\nu} = 0$ and $\lim_{x \to \infty} [\![f]\!]_{I,\eta[x \mapsto x],\nu} = 1$) without probabilistic variables and, for all hyper-rectangles $(I_1, \dots, I_{i-1}, [a, b], I_{i+1}, \dots, I_n) \subseteq \mathbb{R}^n$ (so $I_i = [a, b]$),

$$\mu_f(I_1, \dots, I_i, \dots, I_n) = \mu_i(I_1, \dots, I_{i-1}, \mathbb{R}, I_{i+1}, \dots, I_n) \times \big([\![f]\!]_{I,\eta[x \mapsto b],\nu} - [\![f]\!]_{I,\eta[x \mapsto a],\nu}\big)$$

Absolutely continuous probability distribution assignments completely replace the measure for variable $X_i$ in a way that respects the cdf $f$, meaning that, w.r.t. $\mu_f$, the probability of $X_i$ being less than or equal to some value $x$ is exactly $f(x)$. All other probabilities remain unchanged. Notice that the semantics for this construct are only defined if $f$ is indeed a well-defined cdf.

5. $((\nu, \mu_i), (\nu, \mu_f)) \in \rho(X_i \sim_d f)$ if $f$ is a SA non-negative function in an input variable $x$ that is non-zero only for a finite number of values of $x$ and such that $\sum_{\{x : [\![f]\!]_{I,\eta[x \mapsto x],\nu} \neq 0\}} [\![f]\!]_{I,\eta[x \mapsto x],\nu} = 1$ and additionally, for all hyper-rectangles $(I_1, \dots, I_{i-1}, [a, b], I_{i+1}, \dots, I_n) \subseteq \mathbb{R}^n$ (so $I_i = [a, b]$),

$$\mu_f(I_1, \dots, I_i, \dots, I_n) = \mu_i(I_1, \dots, I_{i-1}, \mathbb{R}, I_{i+1}, \dots, I_n) \times \sum_{x \in [a, b]} [\![f]\!]_{I,\eta[x \mapsto x],\nu}$$

Discrete probability distribution assignments, similarly to absolutely continuous probability assignments, replace the measure for variable $X_i$, leaving all other probabilities unchanged. The crucial difference is that the probability of $X_i$ is now given discretely: the $i$-th component of an event $E$ now contributes probability equal to the point-mass sum of all samples in $E_i$. For this construct, the semantics are only defined if $f$ is a finite density function.

² In this definition, $[\![\cdot]\!]$ denotes the standard FOL denotation of terms.

6. $((\nu_i, \mu_i), (\nu_f, \mu_f)) \in \rho(\lambda\alpha \oplus \gamma\beta)$ if $\lambda + \gamma = 1$, $((\nu_i, \mu_i), (\nu_f, \mu)) \in \rho(\alpha)$, $((\nu_i, \mu_i), (\nu_f, \hat\mu)) \in \rho(\beta)$ and $\mu_f = \lambda\mu + \gamma\hat\mu$.
Probabilistic choice behaves like $\alpha$ with probability $\lambda$ and like $\beta$ with probability $\gamma$. This is achieved by letting $\mu_f$ be the weighted sum of the distributions attained by $\alpha$ and $\beta$ individually. Notice that the final state $\nu_f$ must coincide after executing either $\alpha$ or $\beta$, since otherwise the state would have probabilistic semantics³. These semantics reflect an important modelling decision: we are assuming that we do not know in which branch of the $\oplus$ we are. We know there was a probabilistic choice on the branch, but we don't know which was actually chosen.

7. $((\nu, \mu), (\nu, \mu)) \in \rho(?H)$ if $\mu(\{\vec\omega : I, \eta, \nu, \tau_{\vec\omega} \models_{FOL} H\}) = 1$.
Tests only have semantics if the satisfaction set of $[\![H]\!]_{I,\eta,\nu}$ has probability 1 w.r.t. $\mu$, that is, $[\![H]\!]_{I,\eta,\nu}$ is almost sure. If a test fails, the program aborts and no further semantics is defined. It is important to disambiguate that a test does not abort the execution of the specific outcomes that do not satisfy $H$ and rescale the measure for the remaining outcomes. It either discontinues an entire possible probability distribution or allows it to proceed unchanged. Notice that if $H$ has no probabilistic variables then $[\![H]\!]_{I,\eta,\nu}$ is either true or false and its satisfaction set is either $\mathbb{R}^n$ or $\emptyset$, respectively. As expected, and in keeping with the semantics of dL, in the first case the test is passed because $\mu(\mathbb{R}^n) = 1$ and in the second case the test fails because $\mu(\emptyset) = 0 \neq 1$.

8. ρ(α+ β) = ρ(α) ∪ ρ(β).Nondeterministic choice allows the program to behave either as α or as β. If atransition is allowed for α then it is also allowed for α + β and if a transition isallowed for β then it is also allowed for α+ β.

9. $\rho(\alpha;\beta) = \{((\nu_i, \mu_i), (\nu_f, \mu_f)) :$ there exists a world $(\nu, \mu)$ s.t. $((\nu_i, \mu_i), (\nu, \mu)) \in \rho(\alpha)$ and $((\nu, \mu), (\nu_f, \mu_f)) \in \rho(\beta)\}$.
A transition for a sequential composition of $\alpha$ and $\beta$ is a transition by $\alpha$ from $(\nu_i, \mu_i)$ to a stepping-stone world $(\nu, \mu)$ followed by a transition by $\beta$ from $(\nu, \mu)$ to $(\nu_f, \mu_f)$. If either $\alpha$ or $\beta$ has no transitions (because they don't stop, or because they fail all tests), then $\alpha;\beta$ also has no transitions.

10. $((\nu_i, \mu_i), (\nu_f, \mu_f)) \in \rho(\alpha^*)$ if there exists $n \in \mathbb{N}$ and worlds $(\nu_i, \mu_i) = (\nu_0, \mu_0), \dots, (\nu_n, \mu_n) = (\nu_f, \mu_f)$ s.t. for all $j \in \{0, \dots, n-1\}$, $((\nu_j, \mu_j), (\nu_{j+1}, \mu_{j+1})) \in \rho(\alpha)$.
Nondeterministic repetition starting in $(\nu_i, \mu_i)$ repeats any number of $\alpha$ transitions, stepping through intermediate worlds $(\nu_j, \mu_j)$, ending up in $(\nu_f, \mu_f)$.

11. $((\nu, \mu_i), (\nu, \mu_f)) \in \rho(d\vec X = b\,dt + \sigma\,dW \,\&\, H)$ if there exists $T \in \mathbb{R}^+_0$ and a function $f : t \mapsto \mu_t$ s.t.

(a) $\mu_0 = \mu_i$;

(b) $(\vec X_t, W_t)$ is a (weak) solution to $d\vec X_t = \langle\!\langle b \rangle\!\rangle_{I,\eta,\nu}(\vec X_t)\,dt + \langle\!\langle \sigma \rangle\!\rangle_{I,\eta,\nu}(\vec X_t)\,dW_t$ with $\vec X_0$ s.t. $P(\vec X_0 \in B) = \mu_i(B)$ for all Borel sets $B$;

(c) $f$ respects the SDE, i.e., for $s \in [0, T]$ and Borel set $B$, $f_s(B) = P(\vec X_s \in B)$;

(d) $f$ respects the invariant, i.e., for $s \in [0, T]$, $f_s(\{\vec\omega : I, \eta, \nu, \tau_{\vec\omega} \models_{FOL} H\}) = 1$;

(e) for all Borel sets $B$, $f_T(B) = \mu_f(B)$;

where $\langle\!\langle \cdot \rangle\!\rangle_{I,\eta,\nu} : \mathrm{Terms} \to (\mathbb{R}^n \to \mathbb{R})$ is inductively defined as

• $\langle\!\langle x_i \rangle\!\rangle_{I,\eta,\nu} = \eta(x_i)$ (as constant r.v.);
• $\langle\!\langle c \rangle\!\rangle_{I,\eta,\nu} = \nu(c)$, $c \in \Sigma_{state}$ (as constant r.v.);
• $\langle\!\langle X_i \rangle\!\rangle_{I,\eta,\nu} = \mathbf{X}_i$, where $\mathbf{X}_i : \mathbb{R}^n \to \mathbb{R}$ is the projection on the $i$-th coordinate;
• $\langle\!\langle \Theta_1 + \Theta_2 \rangle\!\rangle_{I,\eta,\nu} = \langle\!\langle \Theta_1 \rangle\!\rangle_{I,\eta,\nu} + \langle\!\langle \Theta_2 \rangle\!\rangle_{I,\eta,\nu}$;
• $\langle\!\langle \Theta_1 \times \Theta_2 \rangle\!\rangle_{I,\eta,\nu} = \langle\!\langle \Theta_1 \rangle\!\rangle_{I,\eta,\nu} \times \langle\!\langle \Theta_2 \rangle\!\rangle_{I,\eta,\nu}$.

³ It is possible to have $\alpha$ and $\beta$ behaving differently in state variables anyway, by first "casting" those variables as probabilistic with a (deterministic) probabilistic assignment $X_i := x_i$.

Stochastic differential evolution semantics are defined with the help of a flow function $f_t$ that mimics the behavior of the solution of the associated SDE. The term-interpretation map in item 11 is the function that interprets probabilistic terms as functions (of probabilistic variables) in a canonical way, allowing the SDE to be defined⁴. Notice that during an evolution, the (non-deterministic) state $\nu$ does not change, and thus the interpretations of $b$ and $\sigma$ remain the same functions throughout the whole evolution. Conditions (b) and (c) guarantee that the flow function indeed has the same properties as the solution of the SDE, at least on the Borel sets. Condition (d) ensures that the domain invariant is always almost surely satisfied. We cannot demand anything stronger than almost-sure invariance since there is always the theoretical possibility of leaving the domain, even if with probability 0. Conditions (a) and (e) are extremal conditions, indicating that the starting and ending worlds are consistent with our flow. Notice that different values of $T$ may yield different $\mu_f$. While the evolution is stochastic, its stopping time is nondeterministic: the evolution may be arbitrarily long, as long as it stays within the domain with probability 1.

Remark 1. In probabilistic settings, the concept of assuming or asserting that some event holds is often captured by conditioning. When defining the semantics of NSHP tests ($?H$) and domain restriction in SDEs ($\&H$) we might be tempted to consider these constructs as conditioning operators over the events described by $H$, "blocking" events that do not satisfy $H$ and proportionately redistributing their probability over the events that do satisfy $H$.

On the other hand, the intended semantics for tests in dL, as presented in [19, pp. 42], is that of "state checks", behaving like "a no-op if the formula is true at the current state; otherwise, like abort, it allows no transitions". Since a world in our possible-worlds semantics comprises both a state and a distribution, "aborting" a process would mean discontinuing the world, not moving to a new world where the distribution conforms with $H$. The difference between these interpretations is depicted in Figure 1.

In this work, in order to stay closer to the design of dL, we adopt the second point of view. Another reason for this choice is that if evolution domain constraints ($\&H$) in SDEs were to follow the "conditioning" semantics, the stochastic process that solves the SDE would need to be reconditioned at each point in time, which would affect the SDE evolution itself. This would require the development of a completely new theory of differential evolutions in stochastic settings, which is outside of the scope of this work.

⁴ In order to guarantee existence of a solution, a small technical change is required: outside of the satisfaction set of $H$, $\langle\!\langle\cdot\rangle\!\rangle$ is the constant function 0.

9


Figure 1: On the left: "abort failed executions" interpretation; on the right: "conditioning" interpretation.

Example 1. Consider a signature with one probabilistic variable, $X$, and semantics $I,\eta,\nu,\mu_i$. Now consider the assignment $X \sim \mathrm{Unif}(0,1)$, where $\mathrm{Unif}(0,1)$ is shorthand for the function $f \equiv ((0 \le x \le 1) \to (o = x)) \wedge ((x < 0) \to (o = 0)) \wedge ((x > 1) \to (o = 1))$, the FOL representation of the uniform CDF between 0 and 1. In order for $((\nu,\mu_i),(\nu,\mu_f))$ to be in $\rho(X \sim \mathrm{Unif}(0,1))$, we would need that for all rectangles $[a,b] \subseteq \mathbb{R}$ (see item 4 of Definition 4)
$$\mu_f([a,b]) = \underbrace{\mu_i(\mathbb{R})}_{=1} \times \left(\llbracket f\rrbracket_{I,\eta[x\mapsto b],\nu} - \llbracket f\rrbracket_{I,\eta[x\mapsto a],\nu}\right) = \begin{cases} 0 & a,b < 0 \\ 0 & a,b > 1 \\ \min\{b,1\} - \max\{a,0\} & \text{otherwise} \end{cases}$$
That is, $\mu_f$ is uniformly distributed between 0 and 1.

Example 2. Consider a signature with two probabilistic variables, $X_1$ and $X_2$, and semantics $I,\eta,\nu,\mu_i$ s.t. $\mu_i$ is normally distributed for $X_1$. Now consider the assignment $X_2 := X_1^2 + 1$. In order for $((\nu,\mu_i),(\nu,\mu_f))$ to be in $\rho(X_2 := X_1^2 + 1)$ we would need to have (see item 2 of Definition 4)
$$\mu_f([a,b],[c,d]) = \mu_i(\{(\omega_1,\omega_2) : (\omega_1, \omega_1^2 + 1) \in ([a,b],[c,d])\}).$$
This quantity is well-defined for all real values of $a, b, c$ and $d$ since the function $g(x_1,x_2) = (x_1, x_1^2 + 1)$ is continuous and therefore has a measurable pre-image. Although handling the pre-image of $g$ is cumbersome, it is easy to show, for example, that $\mu_f([2,3],\mathbb{R}) = \mu_f([2,3],[5,10]) = \Phi(3) - \Phi(2)$ or $\mu_f(\mathbb{R},[5,10]) = \mu_f([-3,-2] \cup [2,3],[5,10]) = 2(\Phi(3) - \Phi(2))$, where $\Phi$ is the CDF of the normal distribution, as expected. Figure 2 depicts the projections of $\mu_i$ on $X_1$ and of $\mu_f$ on $X_2$ and evidences their relation.
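The pushforward in Example 2 can be computed mechanically for any rectangle $[a,b]\times[c,d]$ by pulling $[c,d]$ back through $x_1 \mapsto x_1^2+1$ and measuring the result under $\mu_i$. The following Python is an added illustration, not code from the paper; it assumes $\mu_i$ is the standard normal on $X_1$ (the paper only says "normally distributed") and cross-checks the closed form against a Monte Carlo run of the assignment.

```python
"""Pushforward measure for the assignment X2 := X1^2 + 1 (Example 2).

Added illustration, not the paper's code. Assumption: mu_i is the standard
normal on X1; the prior on X2 is irrelevant because the assignment overwrites it.
"""
import math
import random

INF = float("inf")


def Phi(x: float) -> float:
    """CDF of the standard normal distribution."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def mu_i_x1(lo: float, hi: float) -> float:
    """mu_i(X1 in [lo, hi]); lo/hi may be -inf/+inf, empty intervals get mass 0."""
    if hi < lo:
        return 0.0
    return Phi(hi) - Phi(lo)


def preimage(c: float, d: float):
    """g^-1([c, d]) for g(x1) = x1^2 + 1, as a list of disjoint closed intervals.

    c <= x1^2 + 1 <= d  iff  max(c - 1, 0) <= x1^2 <= d - 1.
    """
    lo2, hi2 = max(c - 1.0, 0.0), d - 1.0
    if hi2 < lo2:          # covers d < 1 (nothing maps below 1) and d < c
        return []
    r_lo, r_hi = math.sqrt(lo2), math.sqrt(hi2)
    if r_lo == 0.0:        # the two symmetric pieces touch at 0: one interval
        return [(-r_hi, r_hi)]
    return [(-r_hi, -r_lo), (r_lo, r_hi)]


def mu_f(a: float, b: float, c: float, d: float) -> float:
    """mu_f([a,b],[c,d]) = mu_i({(w1,w2) : (w1, w1^2+1) in [a,b] x [c,d]}).

    Only the X1 coordinate is constrained, so the set is X1 in [a,b] ∩ g^-1([c,d]).
    """
    return sum(mu_i_x1(max(a, lo), min(b, hi)) for lo, hi in preimage(c, d))


def mu_f_monte_carlo(a, b, c, d, n=200_000, seed=1) -> float:
    """Run the assignment on n samples drawn from mu_i and count hits in the rectangle."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(n):
        x1 = rng.gauss(0.0, 1.0)
        x2 = x1 * x1 + 1.0          # the assignment X2 := X1^2 + 1
        if a <= x1 <= b and c <= x2 <= d:
            hits += 1
    return hits / n


if __name__ == "__main__":
    ref = Phi(3) - Phi(2)
    print(f"mu_f([2,3], R)      = {mu_f(2, 3, -INF, INF):.6f}  (Phi(3)-Phi(2) = {ref:.6f})")
    print(f"mu_f([2,3], [5,10]) = {mu_f(2, 3, 5, 10):.6f}")
    print(f"mu_f(R, [5,10])     = {mu_f(-INF, INF, 5, 10):.6f}  (2(Phi(3)-Phi(2)) = {2 * ref:.6f})")
    print(f"Monte Carlo check   = {mu_f_monte_carlo(-INF, INF, 5, 10):.4f}")
```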

Proposition 4. The transition function for NSHP is well-defined, meaning that it is independent from representation and that all functions are defined on their arguments. In particular, any set definable with this syntax is indeed measurable.


Figure 2: Assignment $X_2 := X_1^2 + 1$ for $X_1$ normally distributed.

4 Nondeterministic Stochastic Differential Dynamic Logic

The formulas of nondeterministic stochastic differential dynamic logic follow a similar philosophy and have a similar structure to those of dynamic logic [9, 13].

4.1 Syntax

The formulas of NSdL are defined over function terms:
$$t, s ::= f \mid \textstyle\int F \mid t + s \mid t \times s$$
where $f$ stands for a real valued SA function with no probabilistic variables, and $F$ for a real valued SA function. Terms of the form $\int F$ represent queries about probabilistic behavior in relation to the random variables. For instance, if $F$ stands for the indicator function of some set $E$, $\int F$ represents the probability of event $E$ (as a function of non-probabilistic variables). On the other hand, if $F$ stands for the identity function of some probabilistic variable $X_i$, $\int F \equiv \int X_i$ represents its expected value and $\int X_i + X_j$ represents the expected value of $X_i + X_j$. We define the syntax of NSdL formulas:

$$\varphi, \psi ::= H \mid t_1 \ge t_2 \mid \neg\varphi \mid \varphi \vee \psi \mid \exists x.\varphi \mid \forall x.\varphi \mid \langle\alpha\rangle\varphi \mid [\alpha]\varphi$$

where $H$ is a FOL formula in which no probabilistic variables occur. In NSdL, $H$ and $t_1 \ge t_2$ formulas fill the role of predicates in dL. The FOL constructs and formulas have the expected meaning and $[\alpha]\varphi$ and $\langle\alpha\rangle\varphi$ borrow their intuition from their dynamic logic ([9]) counterparts: $[\alpha]\varphi$ holds if $\varphi$ holds after any execution of NSHP $\alpha$ and $\langle\alpha\rangle\varphi$ holds if $\varphi$ holds after some execution of NSHP $\alpha$.

4.2 Semantics

The semantics for FOL terms and formulas that occur in formulas of NSdL coincides with that of FOL, in the sense that if $t$ (resp. $\varphi$) is a FO term (resp. formula), its NSdL semantics coincides with its FO semantics. Defining a denotation for terms with probabilistic variables will require more machinery.

Let $F$ be a first-order real arithmetic function formula (with or without probabilistic variables) with a single output variable $o$. Let $\tau : \Sigma_{prob} \cup \{o\} \to \mathbb{R}$ be a partial


interpretation function that interprets the set of probabilistic and output variables to real numbers. Fixing interpretation, environment and state $(I,\eta,\nu)$ for all symbols outside of those in $\Sigma_{prob} \cup \{o\}$, the denotation of $F$ under $I,\eta,\nu,\tau$ can be recursively defined as usual for FOL formulas.

It will be useful to regard the semantics ($\llbracket\cdot\rrbracket_{I,\eta,\nu,\tau} : \{true, false\}$) as a function over partial interpretations ($\lambda\tau.\llbracket\cdot\rrbracket_{I,\eta,\nu}(\tau) : (\Sigma_{prob} \cup \{o\} \to \mathbb{R}) \to \{true, false\}$). In addition, for $(I,\eta,\nu)$ fixed and for a tuple $(c_1,\ldots,c_n) \in \mathbb{R}^n$, we can define $\tau[c_1,\ldots,c_n](\cdot) : \Sigma_{prob} \cup \{o\} \to \mathbb{R}$ to be the partial interpretation s.t. $\tau[c_1,\ldots,c_n](X_i) = c_i$ and $\llbracket F\rrbracket_{I,\eta,\nu,\tau[c_1,\ldots,c_n]} = true$. This extension is uniquely defined because $F$ is a SA function and the value of $\tau[c_1,\ldots,c_n](o)$ is implicitly defined from the values $c_1,\ldots,c_n$. Allowing $c_1,\ldots,c_n$ to vary, we can now curry $\tau[x_1,\ldots,x_n](o)$ as $\tau_o(x_1,\ldots,x_n)$. This allows us to define the denotation for $\int F$ under $I,\eta,\nu,\mu$ as
$$\llbracket\textstyle\int F\rrbracket_{I,\eta,\nu,\mu} = \int \tau_o(x_1,\ldots,x_n)\,d\mu$$
if the integral on the right exists in the sense of a Lebesgue integral over the measure $\mu$. The denotation for $+,\times$ is as expected: $\llbracket t + s\rrbracket_{I,\eta,\nu,\mu} = \llbracket t\rrbracket_{I,\eta,\nu,\mu} + \llbracket s\rrbracket_{I,\eta,\nu,\mu}$ and $\llbracket t \times s\rrbracket_{I,\eta,\nu,\mu} = \llbracket t\rrbracket_{I,\eta,\nu,\mu} \times \llbracket s\rrbracket_{I,\eta,\nu,\mu}$.

One important feature of NSdL is that integral symbols that do not scope any probabilistic variable are spurious, meaning that terms of the form $\int F$ which do not contain probabilistic variables simply represent the same semi-algebraic function as $F$. In practice, this simply means that, when $F$ has no probabilistic variables, it is "seen as a constant" w.r.t. integration on measure $\mu$, as usual in calculus.

Lemma 5. Let $F$ be an SA function without probabilistic variables. Then
$$\llbracket\textstyle\int F\rrbracket_{I,\eta,\nu,\mu} = \int \tau_o\,d\mu = \tau_o = \llbracket F\rrbracket_{I,\eta,\nu,\mu}$$
i.e. $\int F$ and $F$ represent the same semi-algebraic function.

Example 3. Suppose we have a single probabilistic variable, $X$, and consider the SA function $F \equiv (o \times X^2 = 1)$. Take a first-order real arithmetic interpretation $I$, an environment $\eta$ and a world $(\nu,\mu)$ s.t. $\mu([-\infty,x]) = (\max\{-1,\min\{1,x\}\} + 1)/2$ (that is, $\mu$ is the uniform distribution on $[-1,1]$). We have
$$\llbracket\textstyle\int F\rrbracket_{I,\eta,\mu} = \int_{\mathbb{R}\setminus\{0\}} \frac{1}{\sqrt{|x|}}\,d\mu$$
because, for each $x \in \mathbb{R}$, $\llbracket F\rrbracket_{I,\eta,\tau} = true$ only if $\tau_o(x) = \frac{1}{\sqrt{|x|}}$ and $x \neq 0$. Since
$$\int_{\mathbb{R}} \frac{1}{\sqrt{|x|}}\,d\mu = \int_{[-1,0)} \frac{1}{\sqrt{-x}}\,\frac{1}{2}\,dx + \int_{(0,1]} \frac{1}{\sqrt{x}}\,\frac{1}{2}\,dx = 4$$
the semantics for $\int F$ is $\llbracket\int F\rrbracket_{I,\eta,\mu} = 4$.

Example 4. Suppose we have a single probabilistic variable, $X$, and consider the SA function $F \equiv ((-1 \le X \le 1) \to (o = 1)) \wedge (((X < -1) \vee (X > 1)) \to (o = 0))$, that is, $F$ is the indicator function of $X \in [-1,1]$, henceforth abbreviated $1_{X\in[-1,1]}$. For a first-order real arithmetic interpretation $I$, an environment $\eta$ and $\mu$ s.t. $\mu([-\infty,x]) =$


$\max\{0,\min\{1,x\}\}$ (that is, $\mu$ is the uniform distribution on $[0,1]$), we have
$$\llbracket\textstyle\int 1_{X\in[-1,1]}\rrbracket_{I,\eta,\mu} = \int_{\mathbb{R}\setminus[-1,1]} 0\,d\mu + \int_{[-1,1]} 1\,d\mu$$
because, for each $x \in \mathbb{R}$, $\llbracket F\rrbracket_{I,\eta,\tau} = true$ only if
$$\tau_o(x) = \begin{cases} 1 & \text{if } -1 \le x \le 1 \\ 0 & \text{otherwise.} \end{cases}$$
Since
$$\int_{[-1,1]} 1\,d\mu = \int_{[-1,0)} 1 \times 0\,dx + \int_{[0,1]} 1 \times 1\,dx = 0 + 1$$
the semantics for $\int F$ is $\llbracket\int F\rrbracket_{I,\eta,\mu} = 1$.

Example 5. Suppose we have a single probabilistic variable, $X$, and consider the SA function $F \equiv ((x \ge 0) \to (X^2 + 1 = o)) \wedge ((x < 0) \to (-X^2 - 1 = o))$, and consider a first-order real arithmetic interpretation $I$, an environment $\eta$ and $\mu$ s.t. $\mu([-\infty,x]) = \frac{1}{\pi}\arctan(x) + \frac{1}{2}$, that is, $\mu$ is distributed with the Cauchy distribution (despite its challenging distribution function, the density function for the Cauchy distribution is $\frac{1}{x^2+1}$, an amenable rational function). In this situation, $\llbracket\int F\rrbracket_{I,\eta,\mu}$ would yield the value of
$$\int_{\mathbb{R}} \mathrm{sgn}(x)(x^2 + 1)\,d\mu,$$
because, for each $x \in \mathbb{R}$, $\llbracket F\rrbracket_{I,\eta,\tau_x} = true$ only if $\tau_o(x) = \mathrm{sgn}(x)(x^2 + 1)$. The integrand function $\mathrm{sgn}(x)(x^2+1)$ is an odd function and the density of the Cauchy distribution is symmetrical, centered at the origin, so it would be tempting to say that the value of this integral would be 0. However, $\int_{\mathbb{R}} \mathrm{sgn}(x)(x^2+1)\,d\mu$ does not have a value under the Lebesgue definition of integral, because both its positive part $\left(\int_{\mathbb{R}} \mathrm{sgn}(x)(x^2+1)\,d\mu\right)^+$ and its negative part $\left(\int_{\mathbb{R}} \mathrm{sgn}(x)(x^2+1)\,d\mu\right)^-$ yield $\infty$. The semantics for this expression is thus undefined⁵.

Definition 5. The satisfaction relation between an interpretation for FOL with real arithmetic $I$, an environment $\eta$, a world $(\nu,\mu)$ and a NSdL formula $\varphi$ is defined as
• $I,\eta,(\nu,\mu) \models H$ if $I,\eta,\nu \models_{FOL} H$;
• $I,\eta,(\nu,\mu) \models t_1 \le t_2$ if $\llbracket t_1\rrbracket_{I,\eta,(\nu,\mu)} \le \llbracket t_2\rrbracket_{I,\eta,(\nu,\mu)}$;
• $I,\eta,(\nu,\mu) \models \langle\alpha\rangle\varphi$ if there exists a world $(\nu_f,\mu_f)$ s.t. $((\nu,\mu),(\nu_f,\mu_f)) \in \rho(\alpha)$ and $I,\eta,(\nu_f,\mu_f) \models \varphi$;
• $I,\eta,(\nu,\mu) \models [\alpha]\varphi$ if for all worlds $(\nu_f,\mu_f)$ s.t. $((\nu,\mu),(\nu_f,\mu_f)) \in \rho(\alpha)$ we have $I,\eta,(\nu_f,\mu_f) \models \varphi$;
• $I,\eta,(\nu,\mu) \models \neg\varphi$ if $I,\eta,(\nu,\mu) \not\models \varphi$;
• $I,\eta,(\nu,\mu) \models \varphi \vee \psi$ if $I,\eta,(\nu,\mu) \models \varphi$ or $I,\eta,(\nu,\mu) \models \psi$;
• $I,\eta,(\nu,\mu) \models \exists x.\varphi$ if $I,\eta[x \mapsto d],(\nu,\mu) \models \varphi$ for some $d \in \mathbb{R}$;
• $I,\eta,(\nu,\mu) \models \forall x.\varphi$ if $I,\eta[x \mapsto d],(\nu,\mu) \models \varphi$ for all $d \in \mathbb{R}$.

When the context is clear, we drop the interpretation or the environment symbols.

Definition 6. A NSdL formula $\varphi$ is valid, denoted $\models \varphi$, iff $I,\eta,(\nu,\mu) \models \varphi$ for all $I,\eta,(\nu,\mu)$. A formula $\varphi$ is a global consequence of formulas $\phi_1,\ldots,\phi_n$ iff $\models \phi_i$ for all $i$ implies $\models \varphi$. Similarly, $\varphi$ is a local consequence of said formulas iff $I,\eta,(\nu,\mu) \models \phi_i$ for all $i$ implies $I,\eta,(\nu,\mu) \models \varphi$.

5 Proof Calculus

NSdL is intended for reasoning about sophisticated stochastic hybrid systems. However, semantic reasoning is often hard to do and prone to errors. In this section, we identify

⁵ These subtle problems are detected and handled in formal integration, in Section 5 and in the Appendix.


syntactic reasoning principles that can be used to conclude properties of stochastic hybrid systems modelled by NSHP.

We will present a proof calculus for NSdL as a Gentzen-style sequent calculus. Classical sequents are syntactic constructs of the form $A_1,\ldots,A_n \vdash B_1,\ldots,B_k$ where $A_i$ and $B_i$ are formulas. Intuitively, the semantics of a sequent is the assertion that if all $A_i$ hold, at least one $B_i$ must hold, i.e., the formula $\bigwedge A_i \to \bigvee B_i$ holds. The formulas on the right hand side of the $\vdash$ symbol (the succedent) can thus be seen as the objectives, since establishing any of them is sufficient to make the sequent hold. On the other hand, the formulas on the left hand side of the $\vdash$ symbol (the antecedent) can be seen as preconditions, since they all have to hold in order for the succedent to matter at all.

In NSdL sequents we allow an additional set of restrictions in the antecedent. The purpose of this set is to limit which distributions must be considered to establish validity of the sequent; this is useful because after we assign a distribution for a given probabilistic variable in a NSHP, we can then use that restriction as a working assumption.

Definition 7. A probabilistic precondition is an expression of the form $X_i \sim f$ or of the form $X_i \dot\sim f$, subject to the same restrictions as in Definition 4. Given a probabilistic precondition $X_i \sim f$, interpretation $I$, environment $\eta$ and world $(\nu,\mu)$, we say that $(I,\eta,(\nu,\mu))$ satisfies $X_i \sim f$, denoted $I,\eta,(\nu,\mu) \models X_i \sim f$, if, for all $x \in \mathbb{R}$, $\int_{-\infty}^{x} d\mu_i = \llbracket f\rrbracket_{I,\eta[x \mapsto x],\nu}$; and given a probabilistic precondition $X_i \dot\sim f$ we say that $I,\eta,(\nu,\mu) \models X_i \dot\sim f$ if, for all $x \in \mathbb{R}$, $\mu_i(\{x\}) = \llbracket f\rrbracket_{I,\eta[x \mapsto x],\nu}$.

We now have all the equipment necessary to define NSdL sequents.

Definition 8. A NSdL sequent is an expression of the form $\Delta;\Gamma \vdash \Theta$ where $\Delta$ is a set of probabilistic preconditions and $\Gamma$ and $\Theta$ are sets of NSdL formulas. A sequent $\Delta;\Gamma \vdash \Theta$ is said to be valid if, for any interpretation $I$, environment $\eta$ and world $(\nu,\mu)$ s.t. $I,\eta,(\nu,\mu) \models \delta$ for all $\delta \in \Delta$ and $I,\eta,(\nu,\mu) \models \phi$ for all $\phi \in \Gamma$, we have $I,\eta,(\nu,\mu) \models \psi$ for some $\psi \in \Theta$.

Example 6. Consider the sequent
$$\vdash \langle X \sim \mathrm{Unif}(0,1)\rangle(\textstyle\int 1_{X\in[-1,1]} \ge 1)$$
where $\mathrm{Unif}(0,1)$ is shorthand for the SA function describing the CDF of the uniform distribution between 0 and 1 and $1_{X\in[-1,1]}$ stands for the indicator function of $X$ being between $-1$ and $1$. This sequent is valid because for any $I,\eta,(\nu,\mu)$ (which vacuously satisfies all the formulas in the (empty) antecedent) we have seen in Example 1 that $((\nu,\mu),(\nu,\mu_f)) \in \rho(X \sim \mathrm{Unif}(0,1))$ for $\mu_f$ distributed uniformly between 0 and 1 for variable $X$. We have also seen in Example 4 that $I,\eta,(\nu,\mu_f) \models \int 1_{X\in[-1,1]} \ge 1$. Therefore, we have
$$I,\eta,(\nu,\mu) \models \langle X \sim \mathrm{Unif}(0,1)\rangle(\textstyle\int 1_{X\in[-1,1]} \ge 1)$$
satisfying the consequent.

Example 7. A different way of looking at Example 6 is to consider the sequent
$$\{X \sim \mathrm{Unif}(0,1)\};\{\} \vdash (\textstyle\int 1_{X\in[-1,1]} \ge 1)$$
where we are using a probabilistic precondition to restrict the set of distributions that need to be considered. This sequent is valid because all $I,\eta,(\nu,\mu)$ s.t. $I,\eta,(\nu,\mu) \models$


$X \sim \mathrm{Unif}(0,1)$ must have $\mu_f$ distributed uniformly between 0 and 1 for variable $X$. For such $I,\eta,(\nu,\mu)$, we have
$$I,\eta,(\nu,\mu) \models \langle X \sim \mathrm{Unif}(0,1)\rangle(\textstyle\int 1_{X\in[-1,1]} \ge 1)$$
like before.

Scoping and admissible substitutions. In FOL, variable substitutions are said to be admissible if they do not change variables that occur inside the scope of a quantifier. In dL, the notion of binding is extended to include variables $x$ that are assigned to (as in $x := \theta$) or that occur in a differential evolution containing $x'$ (as in $x' = \theta$). In NSdL, we must further extend this notion to include variables that appear in the l.h.s. of continuous probabilistic assignments, discrete probabilistic assignments and differential stochastic evolutions. Additionally, the input variable of discrete and continuous probabilistic assignments is also bound by the assignment. A variable bound by any of these constructs cannot be changed by a substitution function.

Careless consideration of the effects of scoping easily leads to unsound reasoning, as shown in Example 8.

Example 8. Consider the formula
$$\langle X \sim \mathrm{Unif}(0,1)\rangle(\textstyle\int 1_{X\in[0,1]} \ge 1) \to \langle X \sim \mathrm{Unif}(1,2)\rangle(\textstyle\int 1_{X\in[-1,1]} \ge 1)$$
In order to reason about this formula we will consider the sequent
$$\{\};\{\langle X \sim \mathrm{Unif}(0,1)\rangle(\textstyle\int 1_{X\in[0,1]} \ge 1)\} \vdash \langle X \sim \mathrm{Unif}(1,2)\rangle(\textstyle\int 1_{X\in[-1,1]} \ge 1)$$
Intuitively, this sequent is not valid because the formula in its antecedent is true but the one in its consequent is false. In light of the discussion before Definitions 7 and 8, and Examples 6 and 7, one could consider restricting the distribution over $X$ and consider instead the sequent⁶
$$\{X \sim \mathrm{Unif}(0,1)\};\{\textstyle\int 1_{X\in[0,1]} \ge 1\} \vdash \langle X \sim \mathrm{Unif}(1,2)\rangle(\textstyle\int 1_{X\in[-1,1]} \ge 1)$$
Once again we apply the same (unsound) reasoning to consider instead the sequent
$$\{X \sim \mathrm{Unif}(0,1), X \sim \mathrm{Unif}(1,2)\};\{\textstyle\int 1_{X\in[0,1]} \ge 1\} \vdash \textstyle\int 1_{X\in[-1,1]} \ge 1$$
It is now obvious that we have a problem, since there can be no distribution that simultaneously satisfies $X \sim \mathrm{Unif}(0,1)$ and $X \sim \mathrm{Unif}(1,2)$. This means that the sequent is trivially valid, which goes against our initial intuition. Perhaps even more confusingly, if we weaken the antecedent by removing the probabilistic precondition $X \sim \mathrm{Unif}(1,2)$ (and therefore relax the restrictions on our models), we can show that the sequent
$$\{X \sim \mathrm{Unif}(0,1)\};\{\textstyle\int 1_{X\in[0,1]} \ge 1\} \vdash \textstyle\int 1_{X\in[-1,1]} \ge 1$$
is valid, this time without invoking vacuity arguments at all. Where did we go wrong? The problem stems from the fact that the two instances of probabilistic assignment $X \sim \mathrm{Unif}(0,1)$ and $X \sim \mathrm{Unif}(1,2)$ bind different instances of the $X$ variable

⁶ This step, as well as some of the following in this example, are unsound reasoning steps used to illustrate possible misconceptions.


and we are failing to acknowledge this fact. Let us repeat these reasoning steps, now properly taking scoping into consideration. We start from
$$\{\};\{\langle X \sim \mathrm{Unif}(0,1)\rangle(\textstyle\int 1_{X\in[0,1]} \ge 1)\} \vdash \langle X \sim \mathrm{Unif}(1,2)\rangle(\textstyle\int 1_{X\in[-1,1]} \ge 1)$$
and restrict the probability distributions for the variables $X$ bound in the assignment $X \sim \mathrm{Unif}(0,1)$. We can mark this by renaming the bound variables to a fresh probabilistic variable $Y$:
$$\{Y \sim \mathrm{Unif}(0,1)\};\{\textstyle\int 1_{Y\in[0,1]} \ge 1\} \vdash \langle X \sim \mathrm{Unif}(1,2)\rangle(\textstyle\int 1_{X\in[-1,1]} \ge 1)$$
Once again we apply the same reasoning to consider instead the sequent
$$\{Y \sim \mathrm{Unif}(0,1), Z \sim \mathrm{Unif}(1,2)\};\{\textstyle\int 1_{Y\in[0,1]} \ge 1\} \vdash \textstyle\int 1_{Z\in[-1,1]} \ge 1$$
This sequent is not valid because there is no probability distribution that satisfies both the probabilistic precondition $Z \sim \mathrm{Unif}(1,2)$ and the formula $\int 1_{Z\in[-1,1]} \ge 1$, as expected.

Remark 2. Example 8 shows an error that is intuitively similar to Skolemizing both instances of $x$ in the formula $\exists x.\Phi_1(x) \to \exists x.\Phi_2(x)$ with the same Skolem symbol. In fact, probabilistic preconditions serve a similar purpose to Skolem symbols and functions, "storing" information about a variable until such time as that information can be used.

Probabilistic choice substitutions. The probabilistic choice operator, $\lambda\alpha \oplus \gamma\beta$, is used in our paradigm to combine measures. It is tempting to suggest the following rule
$$\langle\lambda(X_i \dot\sim f_1) \oplus \gamma(X_i \dot\sim f_2)\rangle\varphi = \langle X_i^\lambda \dot\sim f_1;\ X_i^\gamma \dot\sim f_2;\ X_i := \lambda X_i^\lambda + \gamma X_i^\gamma\rangle\varphi$$
for some fresh probabilistic variables $X_i^\lambda, X_i^\gamma$ to handle these cases, as it seems that we are positing that $X_i$ behaves like $f_1$ $\lambda$ per cent of the cases and like $f_2$ the remaining time. Unfortunately, this is not sound reasoning, as shown in Example 9.

Example 9. Let $f_1$ denote a probability mass function that takes value $-1$ with probability 1 (intuitively $P(X_i = -1) = 1$) and $f_2$ denote a probability mass function that takes value $1$ also with probability 1 (intuitively $P(X_i = 1) = 1$). If we use the suggested rule for handling $\frac{1}{2}(X_i \dot\sim f_1) \oplus \frac{1}{2}(X_i \dot\sim f_2)$ we end up with the distribution $P(X_i = 0) = 1$. However, the intended semantics for $\frac{1}{2}(X_i \dot\sim f_1) \oplus \frac{1}{2}(X_i \dot\sim f_2)$ should yield
$$P(X_i = x) = \begin{cases} \frac{1}{2}, & \text{if } x = -1 \\ \frac{1}{2}, & \text{if } x = 1 \end{cases}$$
and therefore the rule is unsound.

Instead, in order to handle this construct, we will mimic what we do when reasoning semantically: first we "assume" that the l.h.s. of the $\oplus$ was chosen (which happens with probability $\lambda$) and consider the remaining dynamics in $\varphi$ under that assumption; then we "assume" that the r.h.s. of the $\oplus$ was chosen (which happens with probability $\gamma$) and consider the remaining dynamics in $\varphi$. Afterwards, we take the weighted sum (weighted by $\lambda$ and $\gamma$, respectively) of the results of each of these operations. This follows exactly the reasoning behind the law of total expectation ([12]). There is one additional caveat: nondeterministic choices made in each of the branches of $\oplus$ must be the same because the l.h.s. and the r.h.s. of the $\oplus$ are not completely independent: they are both sub-distributions of the distribution generated by the $\oplus$ operator. This phenomenon is evidenced in Example 10.


Example 10. Recall the probability mass functions $f_1$ and $f_2$ as well as the Bernoulli distribution $\frac{1}{2}(X_i \dot\sim f_1) \oplus \frac{1}{2}(X_i \dot\sim f_2)$ from Example 9. Suppose that the remainder of the property to verify is $\varphi \equiv \langle dX_i = -1\,dt\rangle(\int 1_{-1 \le X_i \le 0} = 1)$. Following the l.h.s. of the $\oplus$, there is a time ($t = 0$) for which the process is in $[-1,0]$ almost surely. Following the r.h.s. of the $\oplus$, there is also a time ($t = 1$) for which the process is in $[-1,0]$ almost surely. However, we do not get to choose which side of the $\oplus$ to pick; we are in both sides in potentia. After performing $\frac{1}{2}(X_i \dot\sim f_1) \oplus \frac{1}{2}(X_i \dot\sim f_2)$ we are at position $-1$ with probability $\frac{1}{2}$ and at position $1$ with probability $\frac{1}{2}$. Now, if we wait $t = 0$ time units we will only be safe $\frac{1}{2}$ of the times and if we wait $t = 1$ time units we will only be safe $\frac{1}{2}$ of the times as well (both of which are insufficient to satisfy the property). There is no single time that satisfies both cases at the same time and thus the property is false.
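The point of Examples 9 and 10 can be checked over finite distributions. The Python below is an added illustration, not the paper's code: it represents $f_1$ and $f_2$ as point masses, compares the tempting substitution rule with the intended mixture semantics, verifies the total-expectation decomposition, and then searches for a single stopping time $t$ under which $\varphi$ holds for the mixture (none exists). The grid of candidate times is an assumption of the example.

```python
"""Probabilistic choice (+): tempting rule vs. intended semantics (Examples 9, 10).

Added illustration, not the paper's code. Distributions are dicts value -> mass,
with exact rationals so the equalities checked below are exact.
"""
from fractions import Fraction as Fr

# Example 9: f1 puts all mass on -1, f2 puts all mass on +1.
F1 = {Fr(-1): Fr(1)}
F2 = {Fr(1): Fr(1)}
HALF = Fr(1, 2)

# Constructed grid of candidate stopping times: 0, 1/4, ..., 3.
CANDIDATES = [Fr(k, 4) for k in range(13)]


def tempting_rule(lam, f1, gam, f2):
    """X_i := lam*X^lam + gam*X^gam with X^lam ~ f1 and X^gam ~ f2 drawn independently."""
    out = {}
    for x, p in f1.items():
        for y, q in f2.items():
            v = lam * x + gam * y
            out[v] = out.get(v, Fr(0)) + p * q
    return out


def choice(lam, f1, gam, f2):
    """Intended semantics of lam(X_i ~ f1) (+) gam(X_i ~ f2): the mixture lam*f1 + gam*f2."""
    out = {}
    for f, w in ((f1, lam), (f2, gam)):
        for x, p in f.items():
            out[x] = out.get(x, Fr(0)) + w * p
    return out


def evolve(dist, t):
    """<dX_i = -1 dt> run for t time units: every outcome is shifted by -t."""
    return {x - t: p for x, p in dist.items()}


def prob_in(dist, lo, hi):
    """Denotation of the term ∫ 1_{lo <= X_i <= hi}: the mass inside [lo, hi]."""
    return sum((p for x, p in dist.items() if lo <= x <= hi), Fr(0))


def phi_holds(dist, t):
    """(∫ 1_{-1 <= X_i <= 0} = 1) after waiting exactly t under dX_i = -1 dt."""
    return prob_in(evolve(dist, t), Fr(-1), Fr(0)) == 1


def total_expectation(lam, f1, gam, f2, t):
    """Law of total expectation: weighted branch masses, which must equal the mixture's mass."""
    left = prob_in(evolve(f1, t), Fr(-1), Fr(0))
    right = prob_in(evolve(f2, t), Fr(-1), Fr(0))
    return lam * left + gam * right


def stopping_times(lam, f1, gam, f2, candidates):
    """Times at which the left branch alone, the right branch alone, and the mixture satisfy phi."""
    mixed = choice(lam, f1, gam, f2)
    left = [t for t in candidates if phi_holds(f1, t)]
    right = [t for t in candidates if phi_holds(f2, t)]
    both = [t for t in candidates if phi_holds(mixed, t)]
    return left, right, both


if __name__ == "__main__":
    print("tempting rule:", tempting_rule(HALF, F1, HALF, F2))   # {0: 1}
    print("mixture      :", choice(HALF, F1, HALF, F2))          # {-1: 1/2, 1: 1/2}
    left, right, both = stopping_times(HALF, F1, HALF, F2, CANDIDATES)
    print("left branch safe at t in", left, "; right branch safe at t in", right)
    print("times at which the mixture is safe:", both)           # []
```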

With this idea in mind, the probabilistic choice substitution $\sigma_{\lambda X_{i,1} \oplus \gamma X_{i,2}}$ (abbreviated to $\sigma$ below) is recursively defined for NSdL formulas, terms and NSHPs as
• $\sigma(H) = H$
• $\sigma(t_1 \ge t_2) = \sigma(t_1) \ge \sigma(t_2)$
• $\sigma(\langle\alpha\rangle\varphi) = \langle\sigma(\alpha)\rangle\sigma(\varphi)$
• $\sigma([\alpha]\varphi) = [\sigma(\alpha)]\sigma(\varphi)$
• $\sigma(\neg\varphi) = \neg\sigma(\varphi)$
• $\sigma(\varphi \vee \psi) = \sigma(\varphi) \vee \sigma(\psi)$
• $\sigma(\exists x.\varphi) = \exists x.\sigma(\varphi)$
• $\sigma(\forall x.\varphi) = \forall x.\sigma(\varphi)$
• $\sigma(f) = f$
• $\sigma(\int F) = \lambda \times (\int F)^{\vec{X}^\lambda}_{\vec{X}} + \gamma \times (\int F)^{\vec{X}^\gamma}_{\vec{X}}$
• $\sigma(t + s) = \sigma(t) + \sigma(s)$
• $\sigma(t \times s) = \sigma(t) \times \sigma(s)$
• $\sigma(x_j := \theta) = x_j := \theta$
• $\sigma(X_j := \Theta) = X_j^\lambda := \Theta^{\vec{X}^\lambda}_{\vec{X}};\ X_j^\gamma := \Theta^{\vec{X}^\gamma}_{\vec{X}}$
• $\sigma(X_j \dot\sim f) = X_j^\lambda \dot\sim f;\ X_j^\gamma \dot\sim f$
• $\sigma(?H) = ?H^{\vec{X}^\lambda}_{\vec{X}};\ ?H^{\vec{X}^\gamma}_{\vec{X}}$
• $\sigma(\alpha + \beta) = \sigma(\alpha) + \sigma(\beta)$
• $\sigma(d\vec{X} = b\,dt + \sigma\,dW \,\&\, H) = d(\vec{X}^\lambda, \vec{X}^\gamma) = (b^{\vec{X}^\lambda}_{\vec{X}}, b^{\vec{X}^\gamma}_{\vec{X}})\,dt + (\sigma^{\vec{X}^\lambda}_{\vec{X}}, \sigma^{\vec{X}^\gamma}_{\vec{X}})\,dW \,\&\, \sigma(H)$
• $\sigma(\lambda'\alpha \oplus \gamma'\beta) = \lambda'\sigma(\alpha) \oplus \gamma'\sigma(\beta)$
• $\sigma(\alpha;\beta) = \sigma(\alpha);\sigma(\beta)$
• $\sigma(\alpha^*) = (\sigma(\alpha))^*$

where probabilistic variable replacements must be admissible. These substitutions mimic the effect of running a NSHP in parallel for each of the two outcomes of the probabilistic choice operator. Two new worlds are created: the $\lambda$-world, where we assume the l.h.s. of the probabilistic choice occurred, and the $\gamma$-world, where we assume that the r.h.s. of the probabilistic choice occurred. The worlds do not interact except when nondeterministic decisions about the global state of the system have to be made: how to instantiate a logical variable in the scope of an $\exists x.$, how many times to unroll an $\alpha^*$ or when to stop an SDE evolution, for example. That is the reason why the SDEs have to run in tandem in both worlds, unlike purely probabilistic constructs like probabilistic assignment which can happen sequentially. At the base level of function terms the two worlds meet again to poll information about their distributions according to their likelihood.

Formal derivatives, antiderivatives and integration. Derivation, anti-derivation and integration are semantic operations. However, it is often possible to compute the derivative, anti-derivative or definite integral of a function by purely syntactic methods.

Proposition 6. Let $F$ be a FOL representation for SA function $f$ with output variable $o$. Let $x_i \in V \cup \Sigma_{states} \cup \Sigma_{prob}$ and let all restrictions of $x_i$ be explicit. Then there are (partial) syntactic transformations $D(\cdot, x_i)$, $A(\cdot, x_i)$ and $I(\cdot, x_i)$ s.t.
• $D(F, x_i)$ is a FOL representation for $\frac{\partial f}{\partial x_i}$ if $D(F, x_i)$ is defined;


• $A(F, x_i)$ is a FOL representation for $F$ s.t. $\frac{\partial F}{\partial x_i} = f$ if $A(F, x_i)$ is defined;
• $I(A(F, x_i), x_i)$ is a FOL representation for $\int_{-\infty}^{+\infty} f\,dx_i$ if $A(F, x_i)$ and $I(A(F, x_i), x_i)$ are defined.

Details about these transformations can be found in the Appendix.

5.1 Proof calculus for NSdL: sequents and inference rules

We now consider inference rules for reasoning about NSdL sequents. An inference rule takes a tuple of premise sequents and, by analysing their syntax, returns a conclusion sequent. If we can prove that our set of rules is sound, then a sequence of inference rules where we can prove all the premisses (called a derivation) is a formal proof of the conclusion.

The calculus rules for NSdL, where all substitutions are assumed to be admissible, are the rules presented in Figure 3 plus all the rules for dL ([19, section 2.5.2][18, section 4.1]) excluding rules $[?]$ and $\langle ?\rangle$, which are subsumed by more general rules in Figure 3. In order to improve readability, we omit sets of context formulas $\Delta, \Gamma$ and $\Theta$ from the presentation of the rules, so that a rule schema like
$$\frac{P_1;\Phi_1 \vdash \Psi_1 \quad \cdots \quad P_n;\Phi_n \vdash \Psi_n}{P_0;\Phi_0 \vdash \Psi_0} \tag{1}$$
means that
$$\frac{\Delta \cup P_1;\Gamma \cup \Phi_1 \vdash \Theta \cup \Psi_1 \quad \cdots \quad \Delta \cup P_n;\Gamma \cup \Phi_n \vdash \Theta \cup \Psi_n}{\Delta \cup P_0;\Gamma \cup \Phi_0 \vdash \Theta \cup \Psi_0}$$
is a rule of the calculus for any $\Delta, \Gamma, \Theta$. In addition, for all rules except cont and disc (which are applied at the atomic level for NSdL formulas),
$$\frac{P_1;\langle J\rangle\Phi_1 \vdash \langle J\rangle\Psi_1 \quad \cdots \quad P_n;\langle J\rangle\Phi_n \vdash \langle J\rangle\Psi_n}{P_0;\langle J\rangle\Phi_0 \vdash \langle J\rangle\Psi_0}$$
is also a rule of the calculus for $\langle J\rangle$, where $J$ is any assignment construct. Finally, if we omit the $\vdash$, it means that the rule can be applied on either side of the sequent.

Rules cont and disc are the main tools to deal with probabilistic reasoning as they marginalize away one probabilistic variable at a time. Continuous variables are dealt with using formal integration of the function of interest times the density function of the measure, mimicking the standard approach in probability theory. Discrete variables are assumed to be written in DDNF (since they can always be rewritten in this form) to simplify the presentation of the rule.

Rule noprob turns vacuous probabilistic statements into algebraic queries, taking advantage of Lemma 5. Rule $\delta$ can be used when there is no information about the distribution over a probabilistic variable and thus our guarantees must hold for all potential distributions. The idea is that a property over some quantity holds for all probability distributions iff it holds for all point-mass distributions, which is equivalent to saying that it holds for all potential concretizations of the variable.

Rule $\ge$ turns NSdL terms into FOL formulas, so that we can use standard FOL techniques. The probabilistic assignment rules are used to store information about distributions without allowing posterior assignments to change their meaning.


$$(\mathrm{cont})\ \frac{\{X_i \sim f\};\{\} \vdash \int I(A(D(f, X_i) \times G, X_i), X_i) \ge t}{\{X_i \sim f\};\{\} \vdash \int G \ge t}\ {}^{1}$$

$$(\mathrm{disc})\ \frac{\{X_i \dot\sim \dot\bigvee_i f_i\};\{\} \vdash \sum_i (T(f_i) \times G) \ge t}{\{X_i \dot\sim \dot\bigvee_i f_i\};\{\} \vdash \int G \ge t}\ {}^{1}$$

$$(\mathrm{noprob})\ \frac{G \ge t}{\int G \ge t}\ {}^{2} \qquad (\delta)\ \frac{\forall x.(\varphi^{x}_{X_i})}{\varphi}\ {}^{3} \qquad (\ge)\ \frac{\exists o_1, o_2.(t_1 \wedge t_2 \wedge o_1 \ge o_2)}{t_1 \ge t_2}\ {}^{4}$$

$$([\dot\sim])\ \frac{\{Z \dot\sim f\};\{\} \vdash \varphi^{Z}_{X_i}}{\vdash [X_i \dot\sim f]\varphi}\ {}^{5} \qquad (\langle\dot\sim\rangle)\ \frac{\{Z \dot\sim f\};\{\} \vdash \varphi^{Z}_{X_i}}{\vdash \langle X_i \dot\sim f\rangle\varphi}\ {}^{5}$$

$$([P'])\ \frac{\forall t \ge 0.\,\big((\forall 0 \le t' \le t.\,\langle S_{t'}\rangle(\int 1_H \ge 1)) \to \langle S_t\rangle\varphi\big)}{[dX = b\,dt + \sigma\,dW_t \,\&\, H]\varphi}\ {}^{6}$$

$$(\langle P'\rangle)\ \frac{\exists t \ge 0.\,\big((\forall 0 \le t' \le t.\,\langle S_{t'}\rangle(\int 1_H \ge 1)) \wedge \langle S_t\rangle\varphi\big)}{\langle dX = b\,dt + \sigma\,dW_t \,\&\, H\rangle\varphi}\ {}^{6}$$

$$(\langle\oplus\rangle)\ \frac{\vdash \langle \vec{X}^\lambda := \vec{X};\ \vec{X}^\gamma := \vec{X};\ X_{i,\lambda} \dot\sim f_1;\ X_{i,\gamma} \dot\sim f_2\rangle\,\sigma_{\lambda X_{i,1} \oplus \gamma X_{i,2}}(\varphi)}{\vdash \langle\lambda(X_i \dot\sim f_1) \oplus \gamma(X_i \dot\sim f_2)\rangle\varphi}\ {}^{7}$$

$$([\oplus])\ \frac{\vdash \langle\lambda(X_i \dot\sim f_1) \oplus \gamma(X_i \dot\sim f_2)\rangle\varphi}{\vdash [\lambda(X_i \dot\sim f_1) \oplus \gamma(X_i \dot\sim f_2)]\varphi}$$

$$(\langle ?\rangle)\ \frac{(\int 1_H \ge 1) \wedge \varphi}{\langle ?H\rangle\varphi} \qquad ([?])\ \frac{(\int 1_H \ge 1) \to \varphi}{[?H]\varphi}$$

¹ if $I$, $A$ and $D$ are defined for the appropriate expressions and all variables in $F$ and $G$ are free. The rule also holds for $t \ge \int G$ with the obvious modification.
² if no probabilistic variables occur in $G$, i.e. $G \in FOL_{\Sigma_{state}}$. The rule also holds for $t \ge \int G$ with the obvious modification.
³ $x$ is a fresh logical variable and all occurrences of $X_i$ are free.
⁴ $o_1$ (resp. $o_2$) is the output variable in $t_1$ (resp. $t_2$) and no integral terms appear in $t_1$ or $t_2$.
⁵ where $Z$ is a fresh probabilistic variable.
⁶ $t$ and $t'$ are fresh logical variables and $\langle S_t\rangle$ is $\langle Z_1 \dot\sim f^t_1;\ \ldots;\ Z_k \dot\sim f^t_k;\ X_1 := y_1(t, \vec{Z});\ \ldots;\ X_n := y_n(t, \vec{Z})\rangle$ with $Z_1, \ldots, Z_k$ auxiliary probabilistic variables and simultaneous solution $y_1, \ldots, y_n$ of the respective SDE with constant symbols $X_i$ as symbolic initial values.
⁷ $\vec{X}^\lambda, \vec{X}^\gamma$ are fresh probabilistic variables, $\vec{X}$ are all probabilistic variables occurring in $\varphi$.

Figure 3: Additional proof rules for NSdL

Rules $\langle P'\rangle$, $[P']$ handle stochastic differential evolutions where solutions for said evolutions can be found. These often require the introduction of fresh probabilistic variables that mimic the impact of the diffusion, $\sigma$ (see Example 11).


Rules $\langle\oplus\rangle$, $[\oplus]$ create two copies of the current world (with auxiliary variables $\vec{X}^\lambda$ and $\vec{X}^\gamma$) and assign one of the probabilistic choice possibilities to each. Then the probabilistic choice substitution ensures that these worlds run in parallel and poll their results together in the end.

Rules for tests, $\langle ?\rangle$, $[?]$, are similar to their dL counterparts but now must hold almost surely if probabilistic variables are involved. These tests discontinue the whole distribution if it fails the test, not only the outcomes of the distribution that fail it.

Example 11. Consider the NSdL formula
$$\varphi \equiv \langle dX := c_1\,dt + c_2\,dW_t \,\&\, True\rangle(\textstyle\int X \ge 0)$$
where $c_1$ and $c_2$ are constants. This formula models a very simple system: a free diffusion with trend $c_1$ and stochastic noise of intensity $c_2$. The formula is satisfied if there is a time at which the expected value of the diffusion ($\int X$) is non-negative. We will try to derive $(c_1 > 0) \vdash \varphi$.

It is well known ([17]) that the solution for this SDE is $X_t = X_0 + c_1 t + \mathcal{N}(0, t^2)$. By an application of rule $\langle P'\rangle$, we get the sequent
$$(c_1 > 0) \vdash \exists t \ge 0.\,\langle Z \sim \Phi(0, (c_2 \times t)^2, x);\ X := X + c_1 \times t + Z\rangle(\textstyle\int X \ge 0)$$
where $Z$ is a new probabilistic variable and $\Phi$ is the Normal CDF⁷. Rule $(\exists r)$ (see [19]) changes the goal to
$$(c_1 > 0) \vdash (t \ge 0) \to \langle Z \sim \Phi(0, (c_2 t)^2, x);\ X := X + c_1 \times t + Z\rangle(\textstyle\int X \ge 0).$$
A step of classical reasoning and rules $\langle\dot\sim\rangle$ and $\langle :=\rangle$ yield
$$\{Z \sim \Phi(0, (c_2 \times t)^2, x)\};\{(c_1 > 0), (t \ge 0)\} \vdash (\textstyle\int X + c_1 \times t + Z \ge 0)$$
A single application of the cont rule⁷ for variable $Z$ followed by weakening allows us to derive
$$\{(c_1 > 0), (t \ge 0)\} \vdash (\textstyle\int X + c_1 \times t \ge 0).$$
Since we have no information on the prior distribution of $X$, we have no option but to use the $\delta$ rule to get
$$\{(c_1 > 0), (t \ge 0)\} \vdash \forall x.(\textstyle\int x + c_1 \times t \ge 0).$$
Now we can use noprob to reduce our expression to
$$\{(c_1 > 0), (t \ge 0)\} \vdash \forall x.(x + c_1 \times t \ge 0)$$
for which we can easily construct a derivation with the classical rules in [19, 18].

5.2 Soundness

A rule is said to be sound if the validity of all its premises implies the validity of the conclusion. A rule is said to be locally sound if its conclusion is true under $I, \eta, \mu$ provided all its premises are true under $I, \eta, \mu$. Local soundness implies soundness. An important result for the calculus of NSdL is the following.

7for this example, we disregard expressibility concerns, which will be discussed in Section 7.


Proposition 7. The calculus rules for NSdL shared with dL are sound.

Since the NSdL calculus imports the dL calculus (except for the variation of [?] and 〈?〉):

Corollary 8. If ϕ is provable in dL then ϕ is provable in NSdL.

The new rules are also sound:

Proposition 9. The NSdL calculus is sound.

6 Verifying Probabilistic Properties in ACAS X

We exemplify our calculus by considering an aircraft collision avoidance scheme based on the one presented in [11]. Air traffic collision avoidance systems need to compromise between conflicting requirements (like safety, cost or comfort). In [11], the safety tradeoffs of ACAS X are scrutinized by building an ideal safety advisor that only considers safety requirements and comparing it with the actual ACAS X advisor behavior. The model in [11] considers many interesting situations, but we are going to focus on the following restricted scenario.

Two aircraft are moving towards each other in the horizontal direction and the controller issues an advisory for one of them (the manoeuvering plane) to increase its vertical velocity (relative to the other plane, the intruder) to some target value $v_t > 0$. In this scenario, it is assumed that the initial relative vertical velocity is negative, which means that the manoeuvering plane will accelerate in the vertical direction, describing a parabolic trajectory, until it reaches the target velocity, after which it moves up in a straight line (see Figure 4, from [11]).

Figure 4: Trajectory of the manoeuvering plane (red) and safe zone for the intruder (green). Image from [11].

Since aircraft are assumed to be dimensionless points, a cylindrical safety puck is considered around the manoeuvering plane. If the intruder aircraft enters this puck, the system is considered to be unsafe.


We consider a vertical projection that reduces the problem to two dimensions (as in [11]), in such a way that the puck is seen as a rectangle centered on the manoeuvering plane with length equal to $2r_p$ (twice the radius of the puck) and height equal to $h_p$. In order to reduce the number of variables and simplify quantifier elimination procedures, most quantities will be relative. In particular, $x$ and $z$ stand for relative horizontal and vertical position, respectively; $v_x$ and $v_z$ stand for relative horizontal and vertical velocity, respectively; $a_z$ stands for relative vertical acceleration.

Under these assumptions, the intruder plane is seen as a fixed point and, assuming we can maintain at least a minimal acceleration $a_{\min}$, we can draw a safe region that describes the points in space where the intruder can be.

In Figure 4, we can see this safe region delimited by the corners of the puck. We assume that the planes start in some arbitrary safe position, described by the following formula (from [11]):

\[
\begin{aligned}
&\Big(\underbrace{-r_p \le x \le -r_p - \tfrac{v_x v_z}{a_{\min}}}_{l_1} \;\to\; \underbrace{v_x^2\, z < \tfrac{a_{\min}}{2}(x+r_p)^2 + v_x v_z\,(x+r_p) - v_x^2 h_p}_{r_1}\Big)\\
\wedge\;&\Big(\underbrace{-r_p - \tfrac{v_x v_z}{a_{\min}} \le x \le r_p - \tfrac{v_x v_z}{a_{\min}}}_{l_2} \;\to\; \underbrace{z < -\tfrac{v_z^2}{2 a_{\min}} - h_p}_{r_2}\Big)\\
\wedge\;&\Big(\underbrace{r_p - \tfrac{v_x v_z}{a_{\min}} \le x \le r_p + \tfrac{v_x (v_z - v_t)}{a_{\min}}}_{l_3} \;\to\; \underbrace{v_x^2\, z < \tfrac{a_{\min}}{2}(x-r_p)^2 + v_x v_z\,(x-r_p) - v_x^2 h_p}_{r_3}\Big)\\
\wedge\;&\Big(\underbrace{r_p + \tfrac{v_x (v_z - v_t)}{a_{\min}} < x}_{l_4} \;\to\; \underbrace{v_x\, z < v_t\,(x-r_p) - \tfrac{v_x (v_t - v_z)^2}{2 a_{\min}} - v_x h_p}_{r_4}\Big)
\end{aligned}
\]
which defines the region under each numbered situation in Figure 4 ($v_t$ is the target vertical velocity of the advisory). We refer to [11] for a more detailed explanation of the scenario.

In the original ACAS X model, the intruder airplane was assumed to pick a uniformly random acceleration. In [11], this capability was modelled by nondeterministically changing the acceleration, a much weaker assumption. To offset this increased capability, additional restrictions had to be imposed on the dynamics. We will remove these restrictions and reintroduce the randomness.

We would like to prove
\[
\vdash \Big(\underbrace{\textstyle\bigwedge_i (l_i \to r_i) \wedge (x, h_p, r_p, v_x > 0) \wedge (v_z < 0) \wedge (M > m > 0)}_{\mathit{Pre}}\Big) \to
\Big[\underbrace{A_z \sim \mathrm{Unif}(m,M)}_{\mathit{SetP}};\ \underbrace{X := x;\ V_z := v_z;\ Z := z}_{S};\ \underbrace{\{d(X, V_z, Z) = (-V_x,\, A_z,\, -V_z)\,dt + 0\,dW\}}_{\mathit{evo}}\Big]\Big(\int \mathbf 1_{Z < -h_p \vee X > r_p} \ge 0.99\Big)
\]
where $\mathrm{Unif}(m,M)$ is shorthand for the SA function
\[
\big((m \le y \le M) \to (o = \tfrac{y - m}{M - m})\big) \wedge \big((y < m) \to (o = 0)\big) \wedge \big((y > M) \to (o = 1)\big),
\]
the cumulative distribution function of the uniform distribution on $[m, M]$ (the middle case reads $\frac{y-m}{M-m}$ so that the function increases from $0$ at $y = m$ to $1$ at $y = M$), and where $\mathbf 1_{Z < -h_p \vee X > r_p}$ is shorthand for
\[
\big((Z < -h_p \vee X > r_p) \to (o = 1)\big) \wedge \big((Z \ge -h_p \wedge X \le r_p) \to (o = 0)\big).
\]


The situation described in the above formula assumes that we start anywhere in the safe region (defined in the precondition $\mathit{Pre}$). Then, a relative vertical acceleration is uniformly chosen between the values $m$ and $M$ (in $\mathit{SetP}$), and we allow the system to evolve for any (nondeterministically chosen) amount of time according to the standard ordinary differential equations of kinematics (in $\mathit{evo}$). The goal is that after any such evolution there is at least a 99% chance that either the intruder is still at least $h_p$ distance units below the manoeuvering plane or that the planes are still at least $r_p$ distance units from meeting horizontally (that is, the intruder is outside the grey box in Figure 4) (see footnote 8).

Without further restrictions, this scenario is not safe. For example, the maximum acceleration $M$ can be smaller than the minimum required acceleration $a_{\min}$, which leads to potential violations of the safe zone because the plane can never climb as fast as the protocol requires. In this case, the safety of the system becomes dependent on how fast the planes are approaching ($v_x$) and how far apart they start ($x$). In the end, we will not be able to prove that this system is safe (because it is not), but we will be able to extract a non-probabilistic relation between state variables that ensures safety. This incorporation of probabilistic uncertainty into non-probabilistic algebraic relations is one of the main features of NSdL.

In Table 6, we present the proof fragment for this property up to the point where it is reduced to a single, unquantified, arithmetical expression that describes the geometry of the initial conditions guaranteed to be safe. Since this formula is not a tautology, we cannot complete the proof (which is expected, since the scenario is unsafe). We can, however, use the derivation fragment to find sufficient preconditions that would guarantee safety (actually any intermediate step, even the formula itself, is one such precondition).

6.1 Verification with probabilistic cuts

The previous example shows that, even in simple cases, we may automatically generate complicated expressions that are verbose and unintuitive. This is frequent in automatic deduction techniques, since the context of application determines what is fundamental behavior and what is technical detail, and the automatic deduction framework has no intuition of the setting. In order to ameliorate this problem, we may guide the proof by adding external information about the system. In such cases, we reason under additional assumptions, provided that we can find a way of actually proving that the additional information is true. In classical reasoning, the use of such intermediary assumptions is justified by cut rules:
\[
(\mathrm{cut})\quad \frac{\vdash \varphi \qquad \varphi \vdash \phi}{\vdash \phi}
\]

Footnote 8: The original model has no continuous stochastic effect on the continuous part of the movement. While we could artificially introduce and deal with stochastic noise, we preferred to follow the original model.


Table 6: A derivation fragment for the ACAS X model. The tree is written top-down: the bottom line is the goal, and each line is obtained from the line above it by the rule named between them. Abbreviations used in this table: $\mathit{evs}(t) = (X - V_x t,\; V_z + A_z t,\; Z - V_z t - A_z t^2/2)$ is the solution of $\mathit{evo}$; $\mathit{ind} \equiv ((Z < -h_p \vee X > r_p) \wedge (o_1 = 1)) \vee ((Z \ge -h_p \wedge X \le r_p) \wedge (o_1 = 0))$ is the indicator $\mathbf 1_{Z < -h_p \vee X > r_p}$ written out; $\mathit{ind}(s)$ is $\mathit{ind}$ with $X, V_z, Z$ replaced by $\mathit{evs}(s)$, i.e. with $Z - V_z s - A_z s^2/2$ and $X - V_x s$ in place of $Z$ and $X$; $\mathit{ind}_0(s)$ is $\mathit{ind}(s)$ after $S$, with $z, v_z, x$ in place of $Z, V_z, X$; $\theta \equiv 2\,(h_p - v_z s(T) + z)/s(T)^2$; $c \equiv M + 99m$; $\mathit{sep} \equiv \frac{r_p c - 100 v_x v_z}{c}$; $\mathit{sq} \equiv \frac{\sqrt{200}\, v_x \sqrt{h_p c + 50 v_z^2 + z c}}{c}$; $z^\ast \equiv -\frac{50 v_z^2}{c}$; $h^\ast \equiv \frac{-50 v_z^2 - z c}{c}$; and
$D \equiv ((s(T) < 0) \wedge (o_1 = 0)) \vee ((s(T) \ge 0) \wedge (x - v_x s(T) > r_p) \wedge (o_1 = 1)) \vee ((s(T) \ge 0) \wedge (x - v_x s(T) \le r_p) \wedge (m > \theta) \wedge (o_1 = 1)) \vee ((s(T) \ge 0) \wedge (x - v_x s(T) \le r_p) \wedge (m \le \theta \le M) \wedge (o_1 = \frac{M - \theta}{M - m})) \vee ((s(T) \ge 0) \wedge (x - v_x s(T) \le r_p) \wedge (\theta > M) \wedge (o_1 = 0))$ is the SA function obtained by integrating $\mathit{ind}_0(s(T))$ over $A_z \sim \mathrm{Unif}(m, M)$.

$\vdash \mathit{Pre} \to \big((z \ge z^\ast) \wedge (x > \mathit{sep} + \mathit{sq})\big) \vee \big((z < z^\ast) \wedge (h_p = h^\ast) \wedge (x > \mathit{sep})\big) \vee \big((z < z^\ast) \wedge (h_p > h^\ast) \wedge (x > \mathit{sep} + \mathit{sq})\big) \vee \big((z < z^\ast) \wedge (h_p < h^\ast) \wedge (x > r_p)\big)$

(i∀)

$\{\mathit{Pre},\ s(T) \ge 0\} \vdash \big((s(T) > 0) \wedge (r_p < x) \wedge (v_x \ge \tfrac{x - r_p}{s(T)}) \wedge (z < \tfrac{-200 h_p + c\, s(T)^2 + 200\, v_z s(T)}{200})\big) \vee (s(T) = 0) \vee \big((s(T) > 0) \wedge (r_p < x) \wedge (v_x < \tfrac{x - r_p}{s(T)})\big) \vee \big((s(T) > 0) \wedge (r_p \ge x) \wedge (z < \tfrac{-200 h_p + c\, s(T)^2 + 200\, v_z s(T)}{200})\big)$

(i∃)

$\{\mathit{Pre},\ s(T) \ge 0\} \vdash \exists o_1, o_2.\ \big(D \wedge (o_2 = 0.99) \wedge (o_1 \ge o_2)\big)$

(≥)

$\{\mathit{Pre},\ s(T) \ge 0\} \vdash D \ge (o_2 = 0.99)$

(cont)

$\{\mathit{SetP}\};\ \{\mathit{Pre},\ s(T) \ge 0\} \vdash \big(\int \mathit{ind}_0(s(T)) \ge (o_2 = 0.99)\big)$

(〈∼〉)

$\{\};\ \{\mathit{Pre},\ s(T) \ge 0\} \vdash \langle \mathit{SetP}\rangle\big(\int \mathit{ind}_0(s(T)) \ge (o_2 = 0.99)\big)$

(〈:=〉)

$\{\};\ \{\mathit{Pre},\ s(T) \ge 0\} \vdash \langle \mathit{SetP}\rangle\langle S\rangle\big(\int \mathit{ind}(s(T)) \ge (o_2 = 0.99)\big)$

(〈:=〉)

$\{\};\ \{\mathit{Pre},\ s(T) \ge 0\} \vdash \langle \mathit{SetP}\rangle\langle S\rangle\langle X, V_z, Z := \mathit{evs}(s(T))\rangle\big(\int \mathit{ind} \ge (o_2 = 0.99)\big)$

(unfolding the shorthand $\mathbf 1_{Z < -h_p \vee X > r_p}$)

$\{\};\ \{\mathit{Pre},\ s(T) \ge 0\} \vdash \langle \mathit{SetP}\rangle\langle S\rangle\langle X, V_z, Z := \mathit{evs}(s(T))\rangle\big(\int \mathbf 1_{Z < -h_p \vee X > r_p} \ge 0.99\big)$

(∀r)

$\{\};\ \{\mathit{Pre}\} \vdash \langle \mathit{SetP}\rangle\langle S\rangle\,\forall t \ge 0\,\big(\langle X, V_z, Z := \mathit{evs}(t)\rangle(\int \mathbf 1_{Z < -h_p \vee X > r_p} \ge 0.99)\big)$

([P′])

$\{\};\ \{\mathit{Pre}\} \vdash \langle \mathit{SetP}\rangle\langle S\rangle[\mathit{evo}]\big(\int \mathbf 1_{Z < -h_p \vee X > r_p} \ge 0.99\big)$

([∼], [;], [:=])

$\{\};\ \{\mathit{Pre}\} \vdash [\mathit{SetP}][S;\ \mathit{evo}]\big(\int \mathbf 1_{Z < -h_p \vee X > r_p} \ge 0.99\big)$

(→r, [;])

$\vdash \mathit{Pre} \to [\mathit{SetP};\ S;\ \mathit{evo}]\big(\int \mathbf 1_{Z < -h_p \vee X > r_p} \ge 0.99\big)$


In the probabilistic case, we can similarly try to complete our proof by assuming the occurrence of some stronger event, but at the cost of limiting our guarantees to the probability of that event.

Proposition 10. Let $\mathbf 1_E$ stand for the FOL representation of an indicator function for the event $E$, let $F$ be an SA function and let $H$ be a FOL formula. Then the rules Pcut and Pcut' are sound:
\[
(\mathrm{Pcut})\quad \frac{\vdash \int \mathbf 1_H \ge t \qquad H \vdash E}{\vdash \int \mathbf 1_E \ge t}
\qquad\qquad
(\mathrm{Pcut'})\quad \frac{\vdash F \ge 0 \qquad H \vdash E \qquad \vdash \int F \wedge H \ge t}{\vdash \int F \wedge E \ge t}
\]

In the case of our ACAS X scenario, rule Pcut can be used to shorten the derivation considerably.

Example 12. Standard real closed field arithmetic can be used to show that (see [11])
\[
\{\mathit{SetP}\};\ \{\mathit{Pre},\ s(T) \ge 0,\ A_z > a_{\min}\} \;\vdash\; \Big(z - v_z s(T) - \tfrac{A_z\, s(T)^2}{2} < -h_p\Big) \vee \big(x - v_x s(T) > r_p\big).
\]
We can also produce the partial derivation
\[
\frac{\vdash \big(\tfrac{M - a_{\min}}{M - m} \ge 0.99\big)}{\dfrac{\{\};\ \{\mathit{Pre},\ s(T) \ge 0\} \vdash \big(\tfrac{M - a_{\min}}{M - m} \ge 0.99\big)}{\{\mathit{SetP}\};\ \{\mathit{Pre},\ s(T) \ge 0\} \vdash \big(\int \mathbf 1_{A_z > a_{\min}} \ge 0.99\big)}}
\]
(the lower step is cont: for $A_z \sim \mathrm{Unif}(m, M)$ with $m \le a_{\min} \le M$, $\int \mathbf 1_{A_z > a_{\min}}$ is the SA function $\frac{M - a_{\min}}{M - m}$). So, using these two formulas as the premisses of a Pcut rule, we can actually prove the validity of the following extended safety property:
\[
\mathit{Pre} \wedge \Big(\frac{M - a_{\min}}{M - m} \ge 0.99\Big) \;\to\; [\mathit{SetP};\ S;\ \mathit{evo}]\Big(\int \mathbf 1_{Z < -h_p \vee X > r_p} \ge 0.99\Big).
\]

This is an interesting precondition because it shows that, even if the minimum acceleration is not guaranteed in 100% of the cases, we may still be acceptably safe. Notice that, despite looking much simpler, this precondition is stronger (and harder to guarantee) than the one we had in Table 6. For example, we may be safe even with accelerations always below $a_{\min}$ if the planes start sufficiently far apart, which is captured by the complex precondition of Table 6 but not by this one. We are trading precision for simplicity.
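The following is an added check, not code from the paper or from [11], that evaluates the arithmetic behind both preconditions on this page: the closed-form condition at the top of Table 6 and the Pcut condition $\frac{M - a_{\min}}{M - m} \ge 0.99$ of Example 12. It assumes the model of the safety formula (kinematics of $\mathit{evo}$ with $A_z \sim \mathrm{Unif}(m, M)$, no noise), computes the exact probability $P(Z(t) < -h_p \vee X(t) > r_p)$ for each duration $t$ in closed form, and samples the nondeterministic duration on a grid, so it is a numerical check of the quantifier-elimination result, not a proof. The safe-region part of $\mathit{Pre}$ is assumed to hold for the sample points and is not evaluated.

```python
"""Numerical check of the ACAS X preconditions (added example, not the paper's code)."""
import math


def safety_probability(t, x, z, vx, vz, hp, rp, m, M):
    """P(Z(t) < -hp or X(t) > rp) for Az ~ Unif(m, M) under the kinematics of evo:
    X(t) = x - vx*t and Z(t) = z - vz*t - Az*t^2/2 (assumption: the model of the paper)."""
    if x - vx * t > rp:                      # intruder still more than rp away horizontally
        return 1.0
    if t == 0.0:
        return 1.0 if z < -hp else 0.0
    theta = 2.0 * (z - vz * t + hp) / (t * t)   # Z(t) < -hp  iff  Az > theta
    return min(1.0, max(0.0, (M - theta) / (M - m)))   # P(Az > theta), clipped to [0, 1]


def min_safety_probability(x, z, vx, vz, hp, rp, m, M, horizon=60.0, steps=6000):
    """Worst case over the nondeterministic duration of evo, sampled on a time grid."""
    return min(safety_probability(k * horizon / steps, x, z, vx, vz, hp, rp, m, M)
               for k in range(steps + 1))


def table6_precondition(x, z, vx, vz, hp, rp, m, M):
    """Closed form from the top of Table 6 (non-strict inequalities).
    rad is the radicand hp*(M+99m) + 50*vz^2 + z*(M+99m); its sign selects the case:
    rad > 0 covers the two disjuncts with the square root, rad == 0 the double-root
    disjunct, rad < 0 the disjunct that only asks for x > rp."""
    c = M + 99.0 * m
    sep = (rp * c - 100.0 * vx * vz) / c
    rad = hp * c + 50.0 * vz ** 2 + z * c
    if rad > 0:
        return x >= sep + math.sqrt(200.0) * vx * math.sqrt(rad) / c
    if rad == 0:
        return x >= sep
    return x > rp


def pcut_precondition(m, M, amin, threshold=0.99):
    """Example 12: P(Az > amin) = (M - amin)/(M - m) must reach the threshold."""
    return (M - amin) / (M - m) >= threshold


if __name__ == "__main__":
    # Constructed sample point: x=3, z=0, vx=1, vz=-1, hp=rp=1, Az ~ Unif(2, 4).
    point = (3.0, 0.0, 1.0, -1.0, 1.0, 1.0, 2.0, 4.0)
    print("Table 6 precondition:", table6_precondition(*point))
    print("worst-case safety probability:", min_safety_probability(*point))
    print("Pcut precondition with amin=3:", pcut_precondition(2.0, 4.0, 3.0))
```

With the constructed point the Table 6 condition holds and the worst-case probability over time is 1, while the Pcut condition fails for $a_{\min} = 3$ (only half of the accelerations exceed it); moving the aircraft closer, to $x = 2$, makes the Table 6 condition fail and the probability drops to 0 at the moment the horizontal gap closes, which is the trade-off the text describes.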

7 Conclusions and Future Work

In this work, we introduce a verification logic for nondeterministic stochastic hybrid systems (NSdL) as well as a compositional model of nondeterministic stochastic hybrid programs. We present a compositional proof calculus for a fragment of the logic, which conservatively extends dL [19]. We show that the semantics of NSdL are well-defined and that the calculus is sound. Finally, we consider a modification of a case study dealing with air collision avoidance protocols that had previously been stripped of its probabilistic components [11]. We restore the probabilistic dynamics and find suitable preconditions for the safety of the original system. A natural extension of this framework would be to go beyond the decidable fragment and consider elementary functions like exp as primitive [2], which would allow interesting probability distributions to be expressed at the cost of being unable to make progress over some first-order expressions. Another possible extension would be to consider conditioning operators [6]. For example, we can consider tests that filter out outcomes with some undesirable property and re-scale the measure of the remaining outcomes, or alternatively just work with subprobabilities for the outcomes that pass the test.


References

[1] Erika Abraham, Ulrich Hannemann, and Martin Steffen. Verification of hybrid systems: Formalization and proof rules in PVS. Technical Report TR-ST-01-1, Lehrstuhl für Software-Technologie, Institut für Informatik und Praktische Mathematik, Christian-Albrechts-Universität zu Kiel, January 2001.

[2] Behzad Akbarpour and Lawrence C. Paulson. MetiTarski: An automatic prover for the elementary functions. In Serge Autexier, John Campbell, Julio Rubio, Volker Sorge, Masakazu Suzuki, and Freek Wiedijk, editors, AISC/MKM/Calculemus, volume 5144 of Lecture Notes in Computer Science, pages 217–231. Springer, 2008.

[3] Saugata Basu, Richard Pollack, and Marie-Françoise Roy. Algorithms in Real Algebraic Geometry (Algorithms and Computation in Mathematics). Springer-Verlag New York, Inc., Secaucus, NJ, USA, 2006.

[4] Jacek Bochnak, Michel Coste, and Marie-Françoise Roy. Real Algebraic Geometry. Springer-Verlag New York, Inc., 1998.

[5] Edmund M. Clarke, Orna Grumberg, and Doron Peled. Model Checking. MIT Press, 2001.

[6] Friedrich Gretz, Nils Jansen, Benjamin Lucien Kaminski, Joost-Pieter Katoen, Annabelle McIver, and Federico Olmedo. Conditioning in probabilistic programming. CoRR, abs/1504.00198, 2015.

[7] Xianping Guo and Onesimo Hernandez-Lerma. Continuous-Time Markov Decision Processes: Theory and Applications. Springer-Verlag, 2009.

[8] Paul Halmos. Measure Theory. Springer-Verlag New York, Inc., 1974.

[9] David Harel, Jerzy Tiuryn, and Dexter Kozen. Dynamic Logic. MIT Press, Cambridge, MA, USA, 2000.

[10] Thomas A. Henzinger. The theory of hybrid automata. In LICS, pages 278–292. IEEE Computer Society Press, 1996.

[11] Jean-Baptiste Jeannin, Khalil Ghorbal, Yanni Kouskoulas, Ryan Gardner, Aurora Schmidt, Erik Zawadzki, and André Platzer. A formally verified hybrid system for the next-generation airborne collision avoidance system. In Christel Baier and Cesare Tinelli, editors, TACAS, volume 9035 of LNCS, pages 21–36. Springer, 2015.

[12] Alan Karr. Probability. Springer Texts in Statistics. Springer-Verlag, 1993.

[13] Dexter Kozen. A probabilistic PDL. J. Comput. Syst. Sci., 30(2):162–178, April 1985.

[14] Saul Kripke. Semantical considerations on modal logic. Acta Phil. Fennica, 16:83–94, 1963.

[15] Ernst W. Mayr. An algorithm for the general Petri net reachability problem. SIAM J. Comput., 13(3):441–460, 1984.

[16] Annabelle McIver and Charles Carroll Morgan. Abstraction, Refinement and Proof for Probabilistic Systems. Springer Science & Business Media, 2006.

[17] Bernt Øksendal. Stochastic Differential Equations: An Introduction with Applications. Springer, 6th edition.

[18] André Platzer. Differential dynamic logic for hybrid systems. J. Autom. Reas., 41(2):143–189, 2008.

[19] André Platzer. Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics. Springer, Heidelberg, 2010.

[20] André Platzer. Stochastic differential dynamic logic for stochastic hybrid programs, 2011.

[21] André Platzer and Edmund M. Clarke. The image computation problem in hybrid systems model checking. In Alberto Bemporad, Antonio Bicchi, and Giorgio C. Buttazzo, editors, Hybrid Systems: Computation and Control, 10th International Workshop, HSCC 2007, Pisa, Italy, April 3-5, 2007, Proceedings, volume 4416 of Lecture Notes in Computer Science, pages 473–486. Springer, 2007.

[22] Micha Sharir, Amir Pnueli, and Sergiu Hart. Verification of probabilistic programs. SIAM J. Comput., 13(2):292–314, 1984.

[23] Alfred Tarski. A Decision Method for Elementary Algebra and Geometry. University of California Press, second edition, 1951.

[24] Daniele Varacca and Glynn Winskel. Distributing probability over non-determinism. Mathematical Structures in Computer Science, 16:87–113, 2006.

Appendix

Formal derivatives, antiderivatives and integration

Differentiation, antidifferentiation and integration are semantic operations. However, in many cases it is possible to compute the derivative, antiderivative or definite integral of a function by purely syntactic methods.

Definition 9. Let $F$ be an SA function in DDNF with output variable $o$. The Formal Derivative of $F$ with respect to an input variable $x_i$, denoted $D(F, x_i)$, is recursively defined as
\[
D(\varphi, x_i):\ \mathrm{Form}(\Sigma) \times (\mathrm{Vars} \cup \Sigma_{\mathrm{prob}} \cup \Sigma_{\mathrm{states}}) \to \mathrm{Form}(\Sigma)
\]
• $D(\bigvee \varphi_j, x_i) = \bigvee D(\varphi_j, x_i)$
• $D(\bigwedge \varphi_j, x_i) = \bigwedge D(\varphi_j, x_i)$
• $D((\theta_1 \le \theta_2), x_i) = \theta_1 \le \theta_2$
• $D((\theta_1 < \theta_2), x_i) = \theta_1 < \theta_2$
• $D((o = \theta), x_i) = (o = D(\theta, x_i))$

and the Formal Derivative for terms, $D(\theta, x_i):\ \mathrm{Terms}(\Sigma) \times (\mathrm{Vars} \cup \Sigma_{\mathrm{prob}} \cup \Sigma_{\mathrm{states}}) \to \mathrm{Terms}(\Sigma)$, as
• $D(r, x_i) = 0$ for a constant $r$
• $D(x_i, x_i) = 1$
• $D(z, x_i) = 0$ for a variable $z \ne x_i$
• $D(\theta_1 + \theta_2, x_i) = D(\theta_1, x_i) + D(\theta_2, x_i)$
• $D(\theta_1 - \theta_2, x_i) = D(\theta_1, x_i) - D(\theta_2, x_i)$
• $D(\theta_1 \times \theta_2, x_i) = D(\theta_1, x_i) \times \theta_2 + \theta_1 \times D(\theta_2, x_i)$

Formal derivatives are defined for any SA function in DDNF with explicitly defined outputs; the constraints $\theta_1 \le \theta_2$ and $\theta_1 < \theta_2$ delimiting the pieces are left unchanged. Similarly, we can define formal antiderivatives.

Definition 10. Let $F$ be an SA function in DDNF with output variable $o$. The Formal Antiderivative of $F$ with respect to an input variable $x_i$, denoted $A(F, x_i)$, is recursively defined as
\[
A(\varphi, x_i):\ \mathrm{Form}(\Sigma) \times (\mathrm{Vars} \cup \Sigma_{\mathrm{prob}} \cup \Sigma_{\mathrm{states}}) \to \mathrm{Form}(\Sigma)
\]
• $A(\bigvee \varphi_j, x_i) = \bigvee A(\varphi_j, x_i)$
• $A(\bigwedge \varphi_j, x_i) = \bigwedge A(\varphi_j, x_i)$
• $A((\theta_1 \le \theta_2), x_i) = \theta_1 \le \theta_2$
• $A((\theta_1 < \theta_2), x_i) = \theta_1 < \theta_2$
• $A((o = \theta), x_i) = (o = A(\theta, x_i))$

and the Formal Antiderivative for terms, $A(\theta, x_i):\ \mathrm{Terms}(\Sigma) \times (\mathrm{Vars} \cup \Sigma_{\mathrm{prob}} \cup \Sigma_{\mathrm{states}}) \to \mathrm{Terms}(\Sigma)$, as
• $A(r, x_i) = r\, x_i$ for a constant $r$
• $A(x_i, x_i) = x_i^2 / 2$
• $A(z, x_i) = z \times x_i$ for a variable $z \ne x_i$
• $A(\theta_1 + \theta_2, x_i) = A(\theta_1, x_i) + A(\theta_2, x_i)$
• $A(\theta_1 - \theta_2, x_i) = A(\theta_1, x_i) - A(\theta_2, x_i)$
• $A(\theta_1 \times \theta_2, x_i) = A(\theta_1, x_i) \times \theta_2 - A(A(\theta_1, x_i) \times D(\theta_2, x_i), x_i)$ (integration by parts)

Now, thanks to the Fundamental Theorem of Calculus, we can formally compute integrals with respect to some variable as long as the restrictions on the integration variable are explicit (footnote 9).

Footnote 9: Recall that in the FO representation of SA functions only rational function expressions are allowed. Since rational functions are continuous on their domain, the application of the FTC is allowed.


Proposition 11. Let $F$ be an SA function with output variable $o$ for which $A(F, x_i)$ is defined, and let all restrictions of $x_i$ in the disjoint sum form of $A(F, x_i)$ (as in Proposition 3) be explicit. Let $I: \mathrm{Forms}(\Sigma) \times \mathrm{Vars} \to \mathrm{Forms}(\Sigma)$ be recursively defined as follows (footnote 10), where $\bowtie$ stands for either of the relation symbols $<$ and $\le$:
• $I(\sum G_j, x_i) = \sum I(G_j, x_i)$
• $I(\bigvee \varphi_j, x_i) = \bigvee I(\varphi_j, x_i)$
• $I\big(\bigwedge(\theta_{j1} \bowtie \theta_{j2}) \wedge \bigwedge(o = \theta_k) \wedge (x_i \bowtie \theta_1) \wedge (\theta_2 \bowtie x_i),\ x_i\big) = \bigwedge(\theta_{j1} \bowtie \theta_{j2}) \wedge \bigwedge\big(o = \theta_k|^{\theta_1}_{x_i} - \theta_k|^{\theta_2}_{x_i}\big)$
• $I\big(\bigwedge(\theta_{j1} \bowtie \theta_{j2}) \wedge \bigwedge(o = \theta_k) \wedge (x_i \bowtie \theta),\ x_i\big) = \bigwedge(\theta_{j1} \bowtie \theta_{j2}) \wedge \bigwedge\big(o = \theta_k|^{\theta}_{x_i} - \theta_k|^{-\infty}_{x_i}\big)$
• $I\big(\bigwedge(\theta_{j1} \bowtie \theta_{j2}) \wedge \bigwedge(o = \theta_k) \wedge (\theta \bowtie x_i),\ x_i\big) = \bigwedge(\theta_{j1} \bowtie \theta_{j2}) \wedge \bigwedge\big(o = \theta_k|^{\infty}_{x_i} - \theta_k|^{\theta}_{x_i}\big)$

In each case the value is the antiderivative evaluated at the upper bound of the piece minus its value at the lower bound, so that $\theta_k|^{\theta_1}_{x_i} - \theta_k|^{\theta_2}_{x_i}$ corresponds to $\theta_2 \bowtie x_i \bowtie \theta_1$. Then, if $I(\cdot, x_i)$ is defined, $I(A(F, x_i), x_i)$ is a FO representation of $\int_{-\infty}^{+\infty} f\, dx_i$.
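As an added example (not code from the paper), the following implements the syntactic operators $D$, $A$ and $I$ of Definitions 9, 10 and Proposition 11 for the one-variable case, and composes them into the cont rule $\int I(A(D(F, X_i) \times G, X_i), X_i)$. The representation is ours: a piecewise polynomial is a list of pieces $(lo, hi, p)$ with explicit restrictions $lo < x_i < hi$ (`None` for $\pm\infty$) and $p$ a polynomial given as a map from exponent to coefficient; `Fraction` is used so that results are exact. The handling of infinite bounds follows footnote 10: if $\infty$ would survive the substitution (a non-zero antiderivative on an unbounded piece), the integral is left undefined.

```python
"""Formal D, A, I and the cont rule on piecewise polynomials (added example)."""
from fractions import Fraction
from typing import Dict, List, Optional, Tuple

Poly = Dict[int, Fraction]                 # exponent -> coefficient, in the variable x_i
Piece = Tuple[Optional[Fraction], Optional[Fraction], Poly]   # (lo, hi, term); None = infinite


def D(p: Poly) -> Poly:
    """Formal derivative of a polynomial term (Definition 9)."""
    return {e - 1: c * e for e, c in p.items() if e > 0 and c != 0}


def A(p: Poly) -> Poly:
    """Formal antiderivative of a polynomial term (Definition 10); constant of integration 0."""
    return {e + 1: c / (e + 1) for e, c in p.items() if c != 0}


def mul(p: Poly, q: Poly) -> Poly:
    r: Poly = {}
    for e1, c1 in p.items():
        for e2, c2 in q.items():
            r[e1 + e2] = r.get(e1 + e2, Fraction(0)) + c1 * c2
    return {e: c for e, c in r.items() if c != 0}


def evaluate(p: Poly, v: Fraction) -> Fraction:
    """theta |^{v}_{x_i}: substitute v for x_i in the term."""
    return sum((c * v ** e for e, c in p.items()), Fraction(0))


def I(pieces: List[Piece]) -> Optional[Fraction]:
    """Definite integral over all explicit restrictions (Proposition 11).
    Returns None when a piece with an infinite bound has a non-zero antiderivative,
    i.e. when the symbol infinity would survive the reductions of footnote 10."""
    total = Fraction(0)
    for lo, hi, p in pieces:
        anti = A(p)
        if lo is None or hi is None:
            if anti:
                return None
            continue                       # zero integrand on an unbounded piece contributes 0
        total += evaluate(anti, hi) - evaluate(anti, lo)
    return total


def overlap(fp: List[Piece], gp: List[Piece]) -> List[Piece]:
    """Pointwise product of two piecewise polynomials on the intersections of their pieces."""
    out: List[Piece] = []
    for lo1, hi1, p in fp:
        for lo2, hi2, q in gp:
            lo = lo1 if lo2 is None else (lo2 if lo1 is None else max(lo1, lo2))
            hi = hi1 if hi2 is None else (hi2 if hi1 is None else min(hi1, hi2))
            if lo is not None and hi is not None and lo >= hi:
                continue                   # empty intersection
            out.append((lo, hi, mul(p, q)))
    return out


def cont(F: List[Piece], G: List[Piece]) -> Optional[Fraction]:
    """The cont rule: integral of G d mu_X for X ~ F, computed as I(A(D(F, X) x G, X), X)
    with D applied piecewise to the cumulative distribution function F."""
    density = [(lo, hi, D(p)) for lo, hi, p in F]
    return I(overlap(density, G))


def unif_cdf(m, M) -> List[Piece]:
    """The SA function Unif(m, M) of Section 6: 0 below m, (y - m)/(M - m) on [m, M], 1 above M."""
    m, M = Fraction(m), Fraction(M)
    return [(None, m, {}), (m, M, {1: 1 / (M - m), 0: -m / (M - m)}), (M, None, {0: Fraction(1)})]


def indicator_gt(a) -> List[Piece]:
    """The indicator 1_{X > a} as a piecewise polynomial."""
    a = Fraction(a)
    return [(None, a, {}), (a, None, {0: Fraction(1)})]


def identity() -> List[Piece]:
    """The term X itself, for computing an expected value."""
    return [(None, None, {1: Fraction(1)})]


if __name__ == "__main__":
    # Example 12 with the constructed values m = 2, M = 4, a_min = 3: (M - a_min)/(M - m) = 1/2.
    print(cont(unif_cdf(2, 4), indicator_gt(3)))
    print(cont(unif_cdf(2, 4), identity()))     # expected value (m + M)/2 = 3
```

The first call reproduces the lower step of the partial derivation in Example 12; the second shows the same machinery computing an expectation of a non-constant term, and `I([(None, None, {0: Fraction(1)})])` returns `None` because the antiderivative of a non-zero constant over the whole line leaves $\infty$ in the result.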

Proof of Proposition 4

We need the following lemma:

Lemma 12. Semi-algebraic functions are Borel-measurable.

Proof. Let $f$ be a semi-algebraic function. We have to prove that $f^{-1}(B)$ is a Borel set for any Borel set $B$. Borel sets are generated by the rectangles of $\mathbb R^n$ ([12, pp. 22]) and pre-images respect intersections and complements, which means we only have to prove that $f^{-1}(B)$ is a Borel set for any rectangle $B$. Rectangles are obviously semi-algebraic sets, and the pre-image of a semi-algebraic set by a semi-algebraic function is a semi-algebraic set ([4, Proposition 2.2.7]). Since a semi-algebraic set is ([4, Definition 2.1.4]) a finite union of finite intersections of the regions defined by polynomial inequalities (which are clearly Borel-measurable sets), semi-algebraic sets have to be Borel-measurable, proving the Lemma.

In order to prove the proposition, we have to prove that the measures presented in the semantics are well-defined.

• For the construct $X_i := \Theta$, we use the fact that the inverse of a semi-algebraic function is a semi-algebraic function ([4, Proposition 2.2.7]) and that semi-algebraic functions are Borel-measurable (Lemma 12). Let $g$ be the polynomial represented by $\Theta$. Since $g$ is semi-algebraic, so is $g^{-1}$, and so the measure of the pre-image of a rectangle is defined.

• For the construct $X_i \sim f$, we use the fact that marginalizing a probability distribution still yields a probability distribution and that the joint probability distribution of independent variables is the product of the respective probability distributions. On $X_i$, we have a probability distribution because the semantics is only defined if $F$ is a continuous cumulative distribution.

• For the discrete construct $X_i \mathrel{\dot\sim} f$ (the discrete probabilistic assignment), the same facts apply: marginalizing a probability distribution still yields a probability distribution, and the joint probability distribution of independent variables is the product of the respective probability distributions. On $X_i$, we have a probability distribution because the semantics is only defined if $F$ is a discrete distribution.

Footnote 10: $\theta|^{\infty}_{x_i}$ stands for substituting all occurrences of the variable $x_i$ in $\theta$ by the symbol $\infty$ and performing the well-known syntactic reductions for limits of rational functions: $a\infty^m + b\infty^m \mapsto (a + b)\infty^m$; $a\infty^m + b\infty^n \mapsto a\infty^m$ if $m > n$; $a\infty^m \times b\infty^n \mapsto ab\,\infty^{m+n}$; $(a\infty^m)^n \mapsto a^n \infty^{mn}$; $a\infty^m / b\infty^n \mapsto (a/b)\infty^{m-n}$; $a\infty^m \mapsto 0$ if $m < 0$, where the last reduction has lower priority than the others. If no more reductions are possible and $\infty$ still occurs in the resulting term, the formal integration is left undefined. Notice that cases where the Lebesgue integral is undefined because of segments with infinite integral are detected by these substitutions, and no semantics are provided in these cases.


• For the construct $?H$, we simply use the fact that the satisfaction set of $H$ is semi-algebraic, and therefore Borel-measurable.

• The semantics for the construct $\lambda\alpha \oplus \gamma\beta$ are well-defined directly from the Lebesgue decomposition theorem [8, pp. 134].

• For the construct $d\vec X = b\,dt + \sigma\,dW \,\&\, H$, we use the fact that, for $t \in [0, T]$, the solution of an SDE is measurable with respect to the filtration $(\mathcal F_s)_{0 \le s \le t}$ generated by $(W_s)_{0 \le s \le t}$ ([17, Section 5.2]), meaning that the pre-image of any Borel set is $\mathcal F_t$-measurable.

• There is nothing to prove for the remaining constructs, as they only rely on the correct definition of their components, which has already been proved.

Proof of Proposition 7

The proofs for the rules for all unchanged constructs mimic the proofs in [19], except for 〈:=〉, which requires us to prove that the substitution agrees not only with the change in state induced by an assignment but also with the change in distribution. Assume that $I, \eta, \nu, \mu \models \langle X_i := \Theta\rangle\varphi$ with $\varphi$ a base formula of NSdL. We will prove that $I, \eta, \nu, \mu \models \varphi|^{\Theta}_{X_i}$, assuming the substitution is admissible. If no terms of the form $\int F$ occur in $\varphi$, the base formula is simply a FOL formula (Lemma 5) and the proof from [19] applies. Otherwise, we must prove that the semantics of terms of the form $\int F$ are maintained, that is,
\[
\Big\llbracket \int F \Big\rrbracket_{I,\eta,\mu'} = \Big\llbracket \int F^{\Theta}_{X_i} \Big\rrbracket_{I,\eta,\mu} \qquad \text{with } ((\nu, \mu), (\nu, \mu')) \in \rho(X_i := \Theta).
\]
Let $f$ be the semi-algebraic function represented by the FOL formula $F$. Consider first the simpler case where $\Theta$ only involves one variable $y$ ($y$ can be $X_i$ or any other variable, probabilistic or not) and let $g(y)$ be the polynomial represented by $\Theta$. Since $g$ is a polynomial, it is piecewise invertible, and since both $f$ and $g$ are integrable,
\[
\int f(X)\, d\mu_X = \lim_{\|P_n\| \to 0} \sum_{\xi_i \in P_n^i} f(\xi_i)\, \mu_X(P_n^i),
\]
where $P_n = \{P_n^i\}_{i \in \mathbb N}$ are partitions of $\mathbb R$. Take a sequence of increasingly finer partitions of diameter $\Delta_n \to 0$, so that
\[
\int f(X)\, d\mu_{X_i} = \lim_{\Delta_i = [x_i, x_{i+1}] \to 0} \sum_{\Delta_i} f\Big(\frac{x_i + x_{i+1}}{2}\Big)\, \mu_{X_i}([x_i, x_{i+1}]).
\]
By definition of the transition semantics, this quantity is equal to
\[
\lim_{[x_i, x_{i+1}] \to 0} \sum_{\Delta_i} f\Big(\frac{x_i + x_{i+1}}{2}\Big)\, \mu_y\big(g^{-1}([x_i, x_{i+1}])\big).
\]
Now, since $g$ is piecewise invertible, it has a finite number of local inverses $g_k^{-1}$ such that $g^{-1}([x_i, x_{i+1}]) = \bigcup_k g_k^{-1}([x_i, x_{i+1}])$ and, by additivity of the measure, the previous quantity equals
\[
\lim_{[x_i, x_{i+1}] \to 0} \sum_{[x_i, x_{i+1}]} \sum_{k} f\Big(\frac{x_i + x_{i+1}}{2}\Big)\, \mu_y\big(g_k^{-1}([x_i, x_{i+1}])\big)
= \lim_{[x_i, x_{i+1}] \to 0} \sum_{[x_i, x_{i+1}]} \sum_{k} f\Big(\frac{x_i + x_{i+1}}{2}\Big)\, \mu_y\big([\underbrace{g_k^{-1}(x_i)}_{a_{i,k}}, \underbrace{g_k^{-1}(x_{i+1})}_{b_{i,k}}]\big),
\]
where $[a_{i,k}, b_{i,k}]$ is the interval between $a_{i,k}$ and $b_{i,k}$ regardless of which one is greater. Now we turn this expression into a new definition of integral (in the measure $\mu_y$ and the partition $[a_{i,k}, b_{i,k}]$). First we notice that $g(a_{i,k}) = x_i$ and $g(b_{i,k}) = x_{i+1}$, thus we have
\[
\lim_{[x_i, x_{i+1}] \to 0} \sum_{[x_i, x_{i+1}]} \sum_{k} f\Big(\frac{x_i + x_{i+1}}{2}\Big)\, \mu_y([a_{i,k}, b_{i,k}])
= \lim_{[g(a_{i,k}), g(b_{i,k})] \to 0} \sum_{[a_{i,k}, b_{i,k}]} \sum_{k} f\Big(\frac{g(a_{i,k}) + g(b_{i,k})}{2}\Big)\, \mu_y([a_{i,k}, b_{i,k}]),
\]
since $g_k^{-1}$ is continuous, so $|a_{i,k} - b_{i,k}| \to 0$ whenever $|x_i - x_{i+1}| \to 0$. Since $g$ is continuous, $\frac{g(a_{i,k}) + g(b_{i,k})}{2} \to g(\xi_{i,k})$ where $\xi_{i,k}$ is some point in $[a_{i,k}, b_{i,k}]$. Therefore we have
\[
\lim_{[a_{i,k}, b_{i,k}] \to 0} \sum_{[a_{i,k}, b_{i,k}]} \sum_{k} f(g(\xi_{i,k}))\, \mu_y([a_{i,k}, b_{i,k}]) = \int f(g(y))\, d\mu_y
\]
as intended. We can extend this proof to $\Theta$ involving multiple variables $y_i$ and then to tuples of $X_i$ variables. Now $g_k^{-1}([x_i, x_{i+1}])$ is not necessarily a rectangle anymore. It is, however, a measurable set in $\mu_{y_1, \ldots, y_n}$ (Lemma 12) with a diameter that still vanishes with $\Delta$, which still allows us to define the integral after the transformation $g^{-1}$.

Proof of Corollary 8

We still need to show that, for a dL formula $\varphi$, the rules [?] and 〈?〉 in NSdL are equivalent to the rules [?] and 〈?〉 in dL. This is immediate because, if no probabilistic variables occur in $H$, $\int \mathbf 1_H \ge 1$ is $\mathbf 1_H \ge 1$ (Lemma 5), which holds exactly on the satisfaction set of $H$.

Remark 3. Although we do not do so explicitly, the rules [′] and 〈′〉 can also be subsumed by the rules [P′] and 〈P′〉 by noticing that, for non-probabilistic initial values $X_0$ and with $\sigma = 0$, the solution of $dX_t = b(X_t)\,dt + \sigma(X_t)\,dW_t$, $X_0 = c$, is the stochastic process that, for each $t$, is the constant random variable $x(t)$, where $x(\cdot)$ is the solution of the ODE $x' = b(x)$, $x(0) = c$. We can get around the syntactic restriction that the variables in the SDE must be probabilistic by replacing occurrences of $x$ with a fresh probabilistic variable $X$ and assigning to $X$ the value $x_0$ (with probability 1).

Proof of Proposition 9

cont: Rule (cont) is locally sound. Let
\[
I, \eta, (\nu, \mu) \models \varphi^{\int I(A(D(F, X_i) \times G,\, X_i),\, X_i)}_{\int G}
\]
where $I(\cdot, X_i)$, $D(\cdot, X_i)$ and $A(\cdot, X_i)$ are defined and all variables (logical, state or probabilistic) in $\int G$ are free. Assume also that $I, \eta, (\nu, \mu) \models X_i \sim F$, that is, $\mu_X([a, b]) = \llbracket F \rrbracket_{I,\eta,\nu}(b) - \llbracket F \rrbracket_{I,\eta,\nu}(a)$. By the semantics of terms, $\llbracket \int G \rrbracket_{I,\eta,(\nu,\mu)} = \int \tau_o(x_1, \ldots, x_n)\, d\mu$. By the Fubini–Lebesgue theorem ([8]),
\[
\int \tau_o(x_1, \ldots, x_n)\, d\mu = \int\!\!\int \tau_o(x_1, \ldots, x_{i-1}, x_{i+1}, \ldots, x_n)(x_i)\, d\mu_{X_i}\, d\mu_{\Sigma_{\mathrm{prob}} \setminus X_i}.
\]
Letting $\rho_{X_i}$ be the density function of $X_i$ (which is absolutely continuous), the above expression equals
\[
\int\!\!\int \tau_o(\vec x \setminus x_i)(x_i)\, \rho_{X_i}(x_i)\, dx_i\, d\mu_{\Sigma_{\mathrm{prob}} \setminus X_i} = \Big\llbracket \int I(A(D(F, X_i) \times G,\, X_i),\, X_i) \Big\rrbracket
\]
because the expression for $\rho_{X_i}$ is given by $D(F, X_i)$. The formal antiderivative $A(\cdot, X_i)$ and integral $I(A(\cdot, X_i), X_i)$ yield, by the fundamental theorem of calculus, the result of the inner integral. Now notice that the resulting expression does not depend on $X_i$, so integrating over $\mu_{\Sigma_{\mathrm{prob}} \setminus X_i}$ or over $\mu$ yields the same result.


noprob: The proof of the (noprob) rule comes directly from Lemma 5.

δ: Let $I, \eta, \nu, \mu \models \forall x.(\varphi)^x_{X_i}$ with $x$ not occurring in $\varphi$. We need to prove that $I, \eta, \nu, \mu \models \varphi$. Consider a sequence $(\mu_n)_{n \in \mathbb N}$ of simple measures (measures that only take a finite number of values, on disjoint sets (see [12, chap. 2])) such that $\mu_n \to \mu_{X_i}$. For example, we may take increasingly finer finite partitions of $\mathbb R$ such that $\mu_n(\{\mathrm{med}(\Delta)\}) = \mu_{X_i}(\Delta)$. We have $I, \eta, \nu, \mu[\mu_{X_i} \mapsto \mu_n] \models \varphi$ because $I, \eta, \nu[x \mapsto c_j], \mu \models \varphi^x_{X_i}$ for each of the different values $c_j$ that $\mu_n$ may take. Since $\mu_n \to \mu_{X_i}$, by continuity of probability, $I, \eta, \nu, \mu[\mu_{X_i} \mapsto \mu_{X_i}] \models \varphi$, i.e. $I, \eta, \nu, \mu \models \varphi$.

≥: The ≥ rule comes from the semantics of denotation and the standard comparison operations between SA functions.

〈∼〉: The probabilistic assignment rules are locally sound. Let $I, \eta, (\nu, \mu) \models X_i \sim f$, i.e. for all $x \in \mathbb R$, $\int_{-\infty}^{x} d\mu_i = \llbracket f \rrbracket_{I,\eta,\nu}(x)$, and let $I, \eta, (\nu, \mu) \models \varphi$. We need to prove that $I, \eta, (\nu, \mu) \models \langle X_i \sim f\rangle\varphi$, i.e., $I, \eta, (\nu, \mu') \models \varphi$ for some $\mu'$ such that $((\nu, \mu), (\nu, \mu')) \in \rho(X_i \sim f)$. By the semantics of $\rho$, $\mu'$ must be such that for all $x \in \mathbb R$, $\int_{-\infty}^{x} d\mu'_i = \llbracket f \rrbracket_{I,\eta,\nu}(x)$, i.e. $\mu'$ must be equal (in distribution) to $\mu$, and therefore $I, \eta, (\nu, \mu') \models \varphi$. The other probabilistic assignment constructs are similar.

〈P′〉: Rule 〈P′〉 is locally sound. Let $(X_t = (y_1(t, Z_t), \ldots, y_n(t, Z_t)), W_t)$ be a solution of the SDE $dX_t = b\,dt + \sigma\,dW_t$ with symbolic initial values $X_1, \ldots, X_n$. Let $\langle S_t\rangle$ be the program
\[
\langle Z_1 \sim f^1_t;\ \ldots;\ Z_k \sim f^k_t;\ X_1 := y_1(t, \vec Z);\ \ldots;\ X_n := y_n(t, \vec Z)\rangle.
\]
Assume the premisses hold, i.e.
\[
I, \eta, (\nu, \mu) \models \exists t \ge 0\,\big((\forall\, 0 \le t' \le t)\,\langle S_{t'}\rangle(\textstyle\int \mathbf 1_\chi \ge 1) \wedge \langle S_t\rangle\varphi\big).
\]
By assumption, there is $r \in \mathbb R^+$ such that
\[
I, \eta[t \mapsto r], (\nu, \mu) \models (\forall\, 0 \le t' \le t)\,\langle S_{t'}\rangle(\textstyle\int \mathbf 1_\chi \ge 1) \wedge \langle S_t\rangle\varphi,
\]
that is, for all $r' \in [0, r]$,
\[
I, \eta[t \mapsto r, t' \mapsto r'], (\nu, \mu) \models \langle S_{t'}\rangle(\textstyle\int \mathbf 1_\chi \ge 1)
\quad\text{and}\quad
I, \eta[t \mapsto r, t' \mapsto r'], (\nu, \mu) \models \langle S_t\rangle\varphi.
\]
We need to prove that $I, \eta, (\nu, \mu) \models \langle dX = b\,dt + \sigma\,dW_t \,\&\, \chi\rangle\varphi$. Instead we prove $I, \eta[t \mapsto r], (\nu, \mu) \models \langle dX = b\,dt + \sigma\,dW_t \,\&\, \chi\rangle\varphi$, since $t$ does not occur in the right-hand side of the relation. Let $f$ be a function from $[0, r]$ to Borel measurable probability distributions over $\Sigma_{\mathrm{prob}}$ such that $(\nu, f_{r'}) \in \rho(S_{t'})$ for the environments $\eta_{r'} = \eta[t \mapsto r, t' \mapsto r']$, $r' \in [0, r]$. It remains to be shown that $f$ respects the conditions of Definition 4 for $dX = b\,dt + \sigma\,dW_t \,\&\, \chi$. Indeed, for $r' \in [0, r]$ and any Borel set $B$,
\[
f_{r'}(B) = \mu_i[Z_1, \ldots, Z_k \mapsto F^1_{r'}, \ldots, F^k_{r'}]\big(y_1^{-1}(B), \ldots, y_n^{-1}(B)\big) = P(\vec X_{r'} \in B)
\]
because $y_1, \ldots, y_n$ is a solution of the SDE. In addition, $f$ respects the invariant because of the first condition of the hypothesis. Finally, $\mu = f_0$ because the solution $y_1, \ldots, y_n$ at $t = 0$ is exactly $\vec X_0$.


$\langle\oplus\rangle$ Let $I,\eta,\nu,\mu \models \langle \vec{X}^\lambda := \vec{X};\ \vec{X}^\gamma := \vec{X};\ X^\lambda_i \sim f_1;\ X^\gamma_i \sim f_2\rangle\sigma(\varphi)$. We need to prove that $I,\eta,\nu,\mu \models \langle \lambda(X_i \sim f_1) \oplus \gamma(X_i \sim f_2)\rangle\varphi$. It is useful to look at $\mu$ as three independent measures, $\mu = (\mu_{\vec{X}}, \mu_{\vec{X}^\lambda}, \mu_{\vec{X}^\gamma})$, corresponding to the probabilistic variables $\vec{X}, \vec{X}^\lambda, \vec{X}^\gamma$. From the transition semantics, if

$$I,\eta,\nu,\mu \models \langle \vec{X}^\lambda := \vec{X};\ \vec{X}^\gamma := \vec{X};\ X^\lambda_i \sim f_1;\ X^\gamma_i \sim f_2\rangle\sigma(\varphi)$$

then

$$I,\eta,\nu,\mu' \models \langle X^\lambda_i \sim f_1;\ X^\gamma_i \sim f_2\rangle\sigma(\varphi)$$

where $\mu' = (\mu_{\vec{X}}, \mu_{\vec{X}}, \mu_{\vec{X}})$; then $I,\eta,\nu,\mu'' \models \sigma(\varphi)$ where

$$\mu'' = \big(\mu_{\vec{X}},\ \mu'_{\vec{X}^\lambda}[\mu'_{X^\lambda_i} \mapsto \mu_{F_1}],\ \mu'_{\vec{X}^\gamma}[\mu'_{X^\gamma_i} \mapsto \mu_{F_2}]\big)$$

with $\mu_F$ the distribution associated with the distribution function $F$. Notice that, since $\sigma$ replaces all occurrences of $\vec{X}$ variables, only the last two components of $\mu''$ are relevant for satisfaction of $\sigma(\varphi)$.

On the other hand, in order for $I,\eta,\nu,\mu \models \langle \lambda(X_i \sim f_1) \oplus \gamma(X_i \sim f_2)\rangle\varphi$, we must have $I,\eta,\nu,\hat{\mu} \models \varphi$ where

$$\hat{\mu} = \big(\mu_{\vec{X}}[\mu_{X_i} \mapsto \lambda\mu_{F_1} + \gamma\mu_{F_2}],\ \mu_{\vec{X}^\lambda},\ \mu_{\vec{X}^\gamma}\big).$$

Notice that, since $\varphi$ has no occurrences of $\vec{X}^\lambda$ or $\vec{X}^\gamma$ variables, only the first component of $\hat{\mu}$ is relevant for satisfaction of $\varphi$. We will now prove that, given measures $\mu''$ and $\hat{\mu}$ as above, $I,\eta,\nu,\mu'' \models \sigma(\varphi)$ iff $I,\eta,\nu,\hat{\mu} \models \varphi$. The remainder of the proof is done by induction on the structure of $\varphi$. If $\varphi$ is:

$H$: Since no probabilistic variables appear in $H$, the measure component is irrelevant. In addition, $\sigma$ does not change $H$. Therefore $I,\eta,\nu,\mu'' \models \sigma(H)$ iff $I,\eta,\nu,\mu'' \models H$ iff $I,\eta,\nu,\hat{\mu} \models H$.

$t_1 \geq t_2$: We will show directly that the denotation of $t$ under $I,\eta,\nu,\hat{\mu}$ yields the same value as the denotation of $\sigma(t)$ under $I,\eta,\nu,\mu''$. The relevant case is if $t$ is $\int F$ for some SA function $F$.

$$[\![\sigma(\textstyle\int F)]\!]^{I,\eta,\nu,\mu''} = [\![\lambda \times (\textstyle\int F)^{\vec{X}^\lambda}_{\vec{X}} + \gamma \times (\textstyle\int F)^{\vec{X}^\gamma}_{\vec{X}}]\!]^{I,\eta,\nu,\mu''}$$

$$= I(\lambda) \times [\![(\textstyle\int F)^{\vec{X}^\lambda}_{\vec{X}}]\!]^{I,\eta,\nu,\mu''} + I(\gamma) \times [\![(\textstyle\int F)^{\vec{X}^\gamma}_{\vec{X}}]\!]^{I,\eta,\nu,\mu''}$$

$$= I(\lambda) \times \int \tau^{o}_{F^{\vec{X}^\lambda}_{\vec{X}}}(\vec{x},\vec{x}^\lambda,\vec{x}^\gamma)\,d\mu'' + I(\gamma) \times \int \tau^{o}_{F^{\vec{X}^\gamma}_{\vec{X}}}(\vec{x},\vec{x}^\lambda,\vec{x}^\gamma)\,d\mu''.$$

Since $\tau^{o}_{F^{\vec{X}^\lambda}_{\vec{X}}}$ does not depend on $\vec{X}$ or $\vec{X}^\gamma$ variables,

$$\int \tau^{o}_{F^{\vec{X}^\lambda}_{\vec{X}}}(\vec{x},\vec{x}^\lambda,\vec{x}^\gamma)\,d\mu'' = \int \tau^{o}_{F^{\vec{X}^\lambda}_{\vec{X}}}(\vec{x}^\lambda)\,d\mu''_{\vec{X}^\lambda} = \int \tau^{o}_{F^{\vec{X}^\lambda}_{\vec{X}}}(\vec{x}^\lambda \setminus \{x^\lambda_i\})(x^\lambda_i)\,d\mu''_{\vec{X}^\lambda \setminus \{X^\lambda_i\}}\,d\mu''_{X^\lambda_i} = \int \tau^{o}_{F}(\vec{x} \setminus \{x_i\})(x_i)\,d\mu_{\vec{X} \setminus \{X_i\}}\,d\mu_{F_1}$$

and similarly for $\int \tau^{o}_{F^{\vec{X}^\gamma}_{\vec{X}}}(\vec{x},\vec{x}^\lambda,\vec{x}^\gamma)\,d\mu''$. Joining this information we get

$$[\![\sigma(\textstyle\int F)]\!]^{I,\eta,\nu,\mu''} = I(\lambda) \times \int \tau^{o}_{F^{\vec{X}^\lambda}_{\vec{X}}}(\vec{x},\vec{x}^\lambda,\vec{x}^\gamma)\,d\mu'' + I(\gamma) \times \int \tau^{o}_{F^{\vec{X}^\gamma}_{\vec{X}}}(\vec{x},\vec{x}^\lambda,\vec{x}^\gamma)\,d\mu''$$

$$= I(\lambda) \times \int \tau^{o}_{F}(\vec{x} \setminus \{x_i\})(x_i)\,d\mu_{\vec{X} \setminus \{X_i\}}\,d\mu_{F_1} + I(\gamma) \times \int \tau^{o}_{F}(\vec{x} \setminus \{x_i\})(x_i)\,d\mu_{\vec{X} \setminus \{X_i\}}\,d\mu_{F_2}$$

$$= \int \tau^{o}_{F}(\vec{x} \setminus \{x_i\})(x_i)\,d\mu_{\vec{X} \setminus \{X_i\}}\,d\mu_{\lambda F_1 + \gamma F_2} = \int \tau^{o}_{F}(\vec{x})\,d\hat{\mu} = [\![\textstyle\int F]\!]^{I,\eta,\nu,\hat{\mu}}.$$
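A constructed instance of the identity just derived, added here as an illustration and not taken from the paper: take $n = 1$, $\lambda = \gamma = \tfrac{1}{2}$, $F_1$ the distribution function of the uniform distribution on $[0,2]$, $F_2$ the distribution function of the uniform distribution on $[2,4]$, and $F$ the SA function $1_{X_1 \geq 1}$ (all of these values are assumptions of the illustration).

$$[\![\textstyle\int F]\!]^{I,\eta,\nu,\hat{\mu}} = \int 1_{x_1 \geq 1}\,d\big(\tfrac{1}{2}\mu_{F_1} + \tfrac{1}{2}\mu_{F_2}\big) = \tfrac{1}{2}\cdot\tfrac{2-1}{2} + \tfrac{1}{2}\cdot\tfrac{4-2}{2} = \tfrac{1}{4} + \tfrac{1}{2} = \tfrac{3}{4}$$

$$[\![\sigma(\textstyle\int F)]\!]^{I,\eta,\nu,\mu''} = \tfrac{1}{2}\int 1_{x^\lambda_1 \geq 1}\,d\mu_{F_1} + \tfrac{1}{2}\int 1_{x^\gamma_1 \geq 1}\,d\mu_{F_2} = \tfrac{1}{2}\cdot\tfrac{1}{2} + \tfrac{1}{2}\cdot 1 = \tfrac{3}{4}$$

The two denotations agree, as the general argument requires: the mixture measure on $X_1$ under $\hat{\mu}$ and the two independent copies $X^\lambda_1, X^\gamma_1$ under $\mu''$ weighted by $\lambda, \gamma$ integrate $F$ to the same value.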

$\psi_1 \vee \psi_2$: $I,\eta,\nu,\mu'' \models \sigma(\psi_1 \vee \psi_2)$ iff $I,\eta,\nu,\mu'' \models \sigma(\psi_1) \vee \sigma(\psi_2)$ iff $I,\eta,\nu,\mu'' \models \sigma(\psi_1)$ or $I,\eta,\nu,\mu'' \models \sigma(\psi_2)$. If $I,\eta,\nu,\mu'' \models \sigma(\psi_1)$, by induction $I,\eta,\nu,\hat{\mu} \models \psi_1$ and so $I,\eta,\nu,\hat{\mu} \models \psi_1 \vee \psi_2$. The other case is similar.

$\exists x.\psi$: $I,\eta,\nu,\mu'' \models \sigma(\exists x.\psi)$ iff $I,\eta,\nu,\mu'' \models \exists x.\sigma(\psi)$ iff there is $d \in \mathbb{R}$ s.t. $I,\eta[x\mapsto d],\nu,\mu'' \models \sigma(\psi)$. By induction, $I,\eta[x\mapsto d],\nu,\hat{\mu} \models \psi$, i.e. $I,\eta,\nu,\hat{\mu} \models \exists x.\psi$.

$\langle\alpha\rangle\psi$: $I,\eta,\nu,\mu'' \models \sigma(\langle\alpha\rangle\psi)$ iff $I,\eta,\nu,\mu'' \models \langle\sigma(\alpha)\rangle\sigma(\psi)$. If we prove that

$$\hat{\mu}_{f,\vec{X}} = \lambda\mu''_{f,\vec{X}^\lambda} + \gamma\mu''_{f,\vec{X}^\gamma}$$

for some $\mu''_f$ and $\hat{\mu}_f$ s.t. $((\nu,\mu''),(\nu_f,\mu''_f)) \in \rho(\sigma(\alpha))$ and $((\nu,\hat{\mu}),(\nu_f,\hat{\mu}_f)) \in \rho(\alpha)$, the result will follow by the induction hypothesis. We now prove that if $\mu''$ and $\hat{\mu}$ are s.t.

$$\hat{\mu}_{\vec{X}} = \lambda\mu''_{\vec{X}^\lambda} + \gamma\mu''_{\vec{X}^\gamma}$$

then

$$\hat{\mu}_{f,\vec{X}} = \lambda\mu''_{f,\vec{X}^\lambda} + \gamma\mu''_{f,\vec{X}^\gamma}$$

for some $\mu''_f$ and $\hat{\mu}_f$ s.t. $((\nu,\mu''),(\nu_f,\mu''_f)) \in \rho(\sigma(\alpha))$ and $((\nu,\hat{\mu}),(\nu_f,\hat{\mu}_f)) \in \rho(\alpha)$, by induction on the structure of $\alpha$. Let $\alpha$ be:

$x_i := \theta$: Assume $((\nu,\mu''),(\nu_f,\mu''_f)) \in \rho(\sigma(x_i := \theta))$, i.e. $((\nu,\mu''),(\nu_f,\mu''_f)) \in \rho(x_i := \theta)$, i.e. $\nu_f = \nu[x_i := [\![\theta]\!]^{I,\eta,\nu,\mu''}]$ and $\mu'' = \mu''_f$. On the other hand, $((\nu,\hat{\mu}),(\nu_f,\hat{\mu}_f)) \in \rho(x_i := \theta)$, i.e. $\nu_f = \nu[x_i := [\![\theta]\!]^{I,\eta,\nu,\mu''}]$ and $\hat{\mu} = \hat{\mu}_f$, so $\hat{\mu}_{f,\vec{X}} = \lambda\mu''_{f,\vec{X}^\lambda} + \gamma\mu''_{f,\vec{X}^\gamma}$ because $\hat{\mu}_{\vec{X}} = \lambda\mu''_{\vec{X}^\lambda} + \gamma\mu''_{\vec{X}^\gamma}$.

$X_j := \Theta$: Let $g$ be the polynomial represented by $\Theta$, $g_\lambda$ the polynomial represented by $\Theta^{\vec{X}^\lambda}_{\vec{X}}$ (the same polynomial but in different variables) and $g_\gamma$ the polynomial represented by $\Theta^{\vec{X}^\gamma}_{\vec{X}}$. Assume that $((\nu,\mu''),(\nu_f,\mu''_f)) \in \rho(\sigma(X_j := \Theta))$, i.e.

$$((\nu,\mu''),(\nu_f,\mu''_f)) \in \rho\big(X^\lambda_j := \Theta^{\vec{X}^\lambda}_{\vec{X}};\ X^\gamma_j := \Theta^{\vec{X}^\gamma}_{\vec{X}}\big),$$

i.e. $\nu = \nu_f$ and

$$\mu''_{f,\vec{X}^\lambda}(B) = \mu''_{\vec{X}^\lambda}(g_\lambda^{-1}(B)) \quad\text{and}\quad \mu''_{f,\vec{X}^\gamma}(B) = \mu''_{\vec{X}^\gamma}(g_\gamma^{-1}(B))$$

for all Borel sets $B$.


Now let $((\nu,\hat{\mu}),(\nu_f,\hat{\mu}_f)) \in \rho(X_j := \Theta)$, i.e. $\nu = \nu_f$ and $\hat{\mu}_{f,\vec{X}}(B) = \hat{\mu}_{\vec{X}}(g^{-1}(B))$. Since $\hat{\mu}_{\vec{X}} = \lambda\mu''_{\vec{X}^\lambda} + \gamma\mu''_{\vec{X}^\gamma}$, we must have

$$\hat{\mu}_{\vec{X}}(g^{-1}(B)) = \lambda\mu''_{\vec{X}^\lambda}(g_\lambda^{-1}(B)) + \gamma\mu''_{\vec{X}^\gamma}(g_\gamma^{-1}(B))$$

for all Borel sets $B$, i.e.

$$\hat{\mu}_{f,\vec{X}}(B) = \lambda\mu''_{f,\vec{X}^\lambda}(B) + \gamma\mu''_{f,\vec{X}^\gamma}(B)$$

for all Borel sets $B$.

$X_j \sim f$: Assume that $((\nu,\mu''),(\nu_f,\mu''_f)) \in \rho(\sigma(X_j \sim f))$, i.e. $((\nu,\mu''),(\nu_f,\mu''_f)) \in \rho(X^\lambda_j \sim f;\ X^\gamma_j \sim f)$, i.e. $\nu = \nu_f$ and for all rectangles $R = (I_1,\ldots,[a,b],\ldots,I_n)$ of $\mathbb{R}^n$,

$$\lambda\mu''_{f,\vec{X}^\lambda}(R) + \gamma\mu''_{f,\vec{X}^\gamma}(R) = \lambda\mu''_{\vec{X}^\lambda}(I_1,\ldots,\mathbb{R},\ldots,I_n)(f(b)-f(a)) + \gamma\mu''_{\vec{X}^\gamma}(I_1,\ldots,\mathbb{R},\ldots,I_n)(f(b)-f(a))$$

$$= \big(\lambda\mu''_{\vec{X}^\lambda}(I_1,\ldots,\mathbb{R},\ldots,I_n) + \gamma\mu''_{\vec{X}^\gamma}(I_1,\ldots,\mathbb{R},\ldots,I_n)\big)(f(b)-f(a)) = \hat{\mu}_{\vec{X}}(I_1,\ldots,\mathbb{R},\ldots,I_n)(f(b)-f(a)) = \hat{\mu}_{f,\vec{X}}(R)$$

for $(\nu_f,\hat{\mu}_f)$ with $((\nu,\hat{\mu}),(\nu_f,\hat{\mu}_f)) \in \rho(X_j \sim f)$.

$?H$: Assume that $((\nu,\mu''),(\nu,\mu'')) \in \rho(\sigma(?H))$, that is $((\nu,\mu''),(\nu,\mu'')) \in \rho(?H^{\vec{X}^\lambda}_{\vec{X}};\ ?H^{\vec{X}^\gamma}_{\vec{X}})$, i.e.

$$\mu''_{\vec{X}^\lambda}\big(\{\vec{\omega} : I,\eta,\nu,\tau^{\vec{X}^\lambda}_{\omega} \models H^{\vec{X}^\lambda}_{\vec{X}}\}\big) = 1 \quad\text{and}\quad \mu''_{\vec{X}^\gamma}\big(\{\vec{\omega} : I,\eta,\nu,\tau^{\vec{X}^\gamma}_{\omega} \models H^{\vec{X}^\gamma}_{\vec{X}}\}\big) = 1,$$

where we only need to extend the FOL interpretation to $\vec{X}^\lambda$ (resp. $\vec{X}^\gamma$), and we only need to consider the measure in these variables because $H^{\vec{X}^\lambda}_{\vec{X}}$ (resp. $H^{\vec{X}^\gamma}_{\vec{X}}$) only has variables in $\vec{X}^\lambda$ (resp. $\vec{X}^\gamma$). Now $((\nu,\hat{\mu}),(\nu,\hat{\mu})) \in \rho(?H)$ because

$$\hat{\mu}_{\vec{X}}\big(\{\vec{\omega} : I,\eta,\nu,\tau^{\vec{X}}_{\omega} \models H\}\big) = \lambda\mu''_{\vec{X}^\lambda}\big(\{\vec{\omega} : I,\eta,\nu,\tau^{\vec{X}^\lambda}_{\omega} \models H^{\vec{X}^\lambda}_{\vec{X}}\}\big) + \gamma\mu''_{\vec{X}^\gamma}\big(\{\vec{\omega} : I,\eta,\nu,\tau^{\vec{X}^\gamma}_{\omega} \models H^{\vec{X}^\gamma}_{\vec{X}}\}\big) = 1.$$

$d\vec{X} = b\,dt + \sigma\,dW \,\&\, H$: Assume that $((\nu,\mu''),(\nu,\mu''_f)) \in \rho(\sigma(d\vec{X} = b\,dt + \sigma\,dW \,\&\, H))$, that is

$$((\nu,\mu''),(\nu,\mu''_f)) \in \rho\Big(d(\vec{X}^\lambda,\vec{X}^\gamma) = \big(b^{\vec{X}^\lambda}_{\vec{X}}, b^{\vec{X}^\gamma}_{\vec{X}}\big)\,dt + \big(\sigma^{\vec{X}^\lambda}_{\vec{X}}, \sigma^{\vec{X}^\gamma}_{\vec{X}}\big)\,dW \,\&\, H^{\vec{X}^\lambda}_{\vec{X}} \wedge H^{\vec{X}^\gamma}_{\vec{X}}\Big),$$

i.e. there is a flow $f : t \mapsto \mu''_t$ satisfying the conditions of Definition 4. Notice that, although the components in $\vec{X}^\lambda$ and in $\vec{X}^\gamma$ are independent, the requirement of a single flow forces the solution $(\vec{X}^\lambda,\vec{X}^\gamma)_t$ to share the time component $t$.


Now suppose $((\nu,\hat{\mu}),(\nu,\hat{\mu}_f)) \in \rho(d\vec{X} = b\,dt + \sigma\,dW \,\&\, H)$, which means that there exists a flow $\hat{f} : t \mapsto \hat{\mu}_t$ satisfying the conditions of Definition 4. Since the evolutions in $\vec{X}^\lambda$ and $\vec{X}^\gamma$ are independent, $(\vec{X}^\lambda,\vec{X}^\gamma)_t = (\vec{X}^\lambda_t,\vec{X}^\gamma_t)$ with $\vec{X}^\lambda_t$ a solution of the SDE

$$d\vec{X}^\lambda = b^{\vec{X}^\lambda}_{\vec{X}}\,dt + \sigma^{\vec{X}^\lambda}_{\vec{X}}\,dW \,\&\, H^{\vec{X}^\lambda}_{\vec{X}}$$

with initial distribution $\mu''_{\vec{X}^\lambda}$, i.e. $\mu''_{\vec{X}^\lambda_s}(B) = P(\vec{X}^\lambda_s \in B)$ (and respectively for $\vec{X}^\gamma_t$). Since $\hat{\mu}_{\vec{X}} = \lambda\mu''_{\vec{X}^\lambda} + \gamma\mu''_{\vec{X}^\gamma}$, we have

$$\hat{\mu}_{\vec{X}_t}(B) = \lambda\mu''_{\vec{X}^\lambda_t}(B) + \gamma\mu''_{\vec{X}^\gamma_t}(B).$$

$\alpha + \beta$: Assume that $((\nu,\mu''),(\nu_f,\mu''_f)) \in \rho(\sigma(\alpha + \beta))$, i.e. $((\nu,\mu''),(\nu_f,\mu''_f)) \in \rho(\sigma(\alpha) + \sigma(\beta))$. Then either $((\nu,\mu''),(\nu_f,\mu''_f)) \in \rho(\sigma(\alpha))$ or $((\nu,\mu''),(\nu_f,\mu''_f)) \in \rho(\sigma(\beta))$ must hold. In the former case, by induction, there is $(\nu_f,\hat{\mu}_f)$ s.t. $((\nu,\hat{\mu}),(\nu_f,\hat{\mu}_f)) \in \rho(\alpha)$ and $\hat{\mu}_{f,\vec{X}} = \lambda\mu''_{f,\vec{X}^\lambda} + \gamma\mu''_{f,\vec{X}^\gamma}$, and therefore $((\nu,\hat{\mu}),(\nu_f,\hat{\mu}_f)) \in \rho(\alpha + \beta)$ has the desired property. The other case is similar.

$\alpha;\beta$: Assume that $((\nu,\mu''),(\nu_f,\mu''_f)) \in \rho(\sigma(\alpha;\beta))$, i.e. $((\nu,\mu''),(\nu_f,\mu''_f)) \in \rho(\sigma(\alpha);\sigma(\beta))$. There is $(\nu_g,\mu''_g)$ s.t. $((\nu,\mu''),(\nu_g,\mu''_g)) \in \rho(\sigma(\alpha))$ and $((\nu_g,\mu''_g),(\nu_f,\mu''_f)) \in \rho(\sigma(\beta))$. By the induction hypothesis (on $\alpha$), there is $(\nu_g,\hat{\mu}_g)$ s.t. $((\nu,\hat{\mu}),(\nu_g,\hat{\mu}_g)) \in \rho(\alpha)$ and $\hat{\mu}_{g,\vec{X}} = \lambda\mu''_{g,\vec{X}^\lambda} + \gamma\mu''_{g,\vec{X}^\gamma}$, since by hypothesis $\hat{\mu}_{\vec{X}} = \lambda\mu''_{\vec{X}^\lambda} + \gamma\mu''_{\vec{X}^\gamma}$. Once again by the induction hypothesis (on $\beta$), there is $(\nu_f,\hat{\mu}_f)$ with $((\nu_g,\hat{\mu}_g),(\nu_f,\hat{\mu}_f)) \in \rho(\beta)$ s.t. $\hat{\mu}_{f,\vec{X}} = \lambda\mu''_{f,\vec{X}^\lambda} + \gamma\mu''_{f,\vec{X}^\gamma}$, since $\hat{\mu}_{g,\vec{X}} = \lambda\mu''_{g,\vec{X}^\lambda} + \gamma\mu''_{g,\vec{X}^\gamma}$.

$\alpha^*$: This is a simple adaptation of the previous argument.

$\langle ?H\rangle$ This rule was proved in the proof of Corollary 8.

Proof of Proposition 10

Pcut Assume that the probability of event $H$ in $I,\eta,(\nu,\mu)$, i.e. $[\![\int 1_H]\!]^{I,\eta,(\nu,\mu)}$, is greater than or equal to $[\![t]\!]^{I,\eta,(\nu,\mu)}$, and that $[\![H \to E]\!]^{I,\eta,\nu,\tau}$ holds, i.e., the satisfaction set of $H$ is contained in the satisfaction set of $E$. By monotonicity of probability functions, the probability of event $E$¹¹, $[\![\int 1_E]\!]^{I,\eta,(\nu,\mu)}$, must be at least the probability of $H$.

Pcut' This is a simple generalization of the previous principle. Assume that $[\![F]\!]^{I,\eta,\nu,\tau} \geq 0$ for all environments, i.e., $F$ represents a non-negative semi-algebraic function $f$, and that the satisfaction set of $H$ is contained in the satisfaction set of $E$. Then, since $f \times 1_H \leq f \times 1_E$, $[\![\int F \wedge E]\!]^{I,\eta,(\nu,\mu)} \geq [\![\int F \wedge H]\!]^{I,\eta,(\nu,\mu)}$.

¹¹ Recall that the satisfaction set of $E$, being semi-algebraic, is measurable.
