Quantified Differential Temporal Dynamic Logic for Verifying Properties of Distributed Hybrid Systems^{†}^{†}thanks: This material is based upon work supported by the National Science Foundation under NSF CAREER Award CNS1054246, Grant Nos. CNS0926181, CNS0931985, and CNS1035800.
Abstract
We combine quantified differential dynamic logic (Qd) for reasoning about the possible behavior of distributed hybrid systems with temporal logic for reasoning about the temporal behavior during their operation. Our logic supports verification of temporal and nontemporal properties of distributed hybrid systems and provides a uniform treatment of discrete transitions, continuous evolution, and dynamic dimensionalitychanges. For our combined logic, we generalize the semantics of dynamic modalities to refer to hybrid traces instead of final states. Further, we prove that this gives a conservative extension of Qd for distributed hybrid systems. On this basis, we provide a modular verification calculus that reduces correctness of temporal behavior of distributed hybrid systems to nontemporal reasoning, and prove that we obtain a complete axiomatization relative to the nontemporal base logic Qd. Using this calculus, we analyze temporal safety properties in a distributed air traffic control system where aircraft can appear dynamically.
1 Introduction
Ensuring correct functioning of cyberphysical systems is among the most challenging and most important problems in computer science, mathematics, and engineering. Hybrid systems are common mathematical models for cyberphysical systems with interacting discrete and continuous behavior [6, 13]. Their behavior combines continuous evolution (called flow) characterized by differential equations and discrete jumps. However, not all relevant cyberphysical systems can be modeled as hybrid systems. Hybrid systems cannot represent physical control systems that are distributed or form a multiagent system, e.g., distributed car control systems [15] and distributed air traffic control systems [8]. Such systems form distributed hybrid systems [7, 16, 21, 22] with discrete, continuous, structural, and dimensionchanging dynamics. Distributed hybrid systems combine the challenges of hybrid systems and distributed systems. Correctness of safetycritical realtime and distributed hybrid systems depends on a safe operation throughout all states of all possible trajectories, and the behavior at intermediate states is highly relevant [1, 4, 6, 11, 13].
Temporal logics (TL) use temporal operators to talk about intermediate states [1, 9, 10, 23]. They have been used successfully in model checking [1, 3, 13, 14, 18] of finitestate system abstractions. State spaces of distributed hybrid systems, however, often do not admit equivalent finitestate abstractions [13, 18]. Instead of model checking, TL can also be used deductively to prove validity of formulas in calculi [5, 6]. Valid TL formulas, however, only express very generic facts that are true for all systems, regardless of their actual behavior. Hence, the behavior of a specific system first needs to be axiomatized declaratively to obtain meaningful results. Then, however, the correspondence between actual system operations and a declarative temporal representation may be questioned.
Very recently, a dynamic logic, called quantified differential dynamic logic (Qd) has been introduced as a successful tool for deductively verifying distributed hybrid systems [21, 22]. Qd can analyze the behavior of actual distributed hybrid system models, which are specified operationally. Yet, operational distributed hybrid system models are internalized within Qd formulas, and Qd is closed under logical operators. However, Qd only considers the behavior of distributed hybrid systems at final states, which is insufficient for verifying safety properties that have to hold all the time.
We close this gap of expressivity by combining Qd with temporal logic [9, 10, 23]. In this paper, we introduce a logic, called quantified differential temporal dynamic logic (QdTL), which provides modalities for quantifying over traces of distributed hybrid systems based on Qd. We equip QdTL with temporal operators to state what is true all along a trace or at some point during a trace. In this paper, we modify the semantics of the dynamic modality to refer to all traces of instead of all final states reachable with (similarly for ). For instance, the formula expresses that is true at each state during all traces of the distributed hybrid system . With this, QdTL can also be used to verify temporal statements about the behavior of at intermediate states during system runs. As in our nontemporal dynamic logic Qd [21, 22], we use quantified hybrid programs as an operational model for distributed hybrid systems, since they admit a uniform compositional treatment of interacting discrete transitions, continuous evolutions, and structural/dimension changes in logic.
As a semantical foundation for combined temporal dynamic formulas, we introduce a hybrid trace semantics for QdTL. We prove that QdTL is a conservative extension of Qd: for nontemporal specifications, trace semantics is equivalent to the nontemporal transition semantics of Qd [21, 22].
As a means for verification, we introduce a sequent calculus for QdTL that successively reduces temporal statements about traces of quantified hybrid programs to nontemporal Qd formulas. In this way, we make the intuition formally precise that temporal safety properties can be checked by augmenting proofs with appropriate assertions about intermediate states. Like in [21, 22], our calculus works compositionally. It decomposes correctness statements about quantified hybrid programs structurally into corresponding statements about its parts by symbolic transformation.
Our approach combines the advantages of Qd in reasoning about the behaviour of operational distributed hybrid system models with those of TL to verify temporal statements about traces. We show that QdTL is sound and relatively complete. We argue that QdTL can verify practical systems and demonstrate this by studying temporal safety properties in distributed air traffic control. Our primary contributions are as follows:

We introduce a logic for specifying and verifying temporal properties of distributed hybrid systems.

We present a proof calculus for this logic, which, to the best of our knowledge, is the first verification approach that can handle temporal statements about distributed hybrid systems.

We prove that this compositional calculus is a sound and complete axiomatization relative to differential equations.

We verify temporal safety properties in a collision avoidance maneuver in distributed air traffic control, where aircraft can appear dynamically.
2 Related Work
Multiparty distributed control has been suggested for car control [15] and air traffic control [8]. Due to limits in verification technology, no formal analysis of temporal statements about the distributed hybrid dynamics has been possible for these systems yet. Analysis results include discrete message handling [15] or collision avoidance for two participants [8].
The importance of understanding dynamic/reconfigurable distributed hybrid systems was recognized in modeling languages SHIFT [7] and RCharon [16]. They focused on simulation/compilation [7] or the development of a semantics [16], so that no verification is possible yet.
Other processalgebraic approaches, like [27], have been developed for modeling and simulation. Verification is still limited to small fragments that can be translated directly to other verification tools like PHAVer or UPPAAL, which do not support distributed hybrid systems.
Our approach is completely different. It is based on firstorder structures and dynamic logic. We focus on developing a logic that supports temporal and nontemporal statements about distributed hybrid dynamics and is amenable to automated theorem proving in the logic itself.
Our previous work and other verification approaches for static hybrid systems cannot verify distributed hybrid systems. Distributed hybrid systems may have an unbounded and changing number of components/participants, which cannot be represented with any fixed number of dimensions of the state space.
Based on [24], Beckert and Schlager [2] added separate trace modalities to dynamic logic and presented a relatively complete calculus. Their approach only handles discrete state spaces. In contrast, QdTL works for hybrid programs with continuous and structural/dimensional dynamics.
Davoren and Nerode [6] extended the propositional modal calculus with a semantics in hybrid systems and examine topological aspects. In [5], Davoren et al. gave a semantics in general flow systems for a generalisation of [10]. In both cases, the authors of [6] and [5] provided Hilbertstyle calculi to prove formulas that are valid for all systems simultaneously using abstract actions.
The strength of our logic primarily is that it is a firstorder dynamic logic: it handles actual hybrid programs rather than only abstract actions of unknown effect. Our calculus directly supports verification of quantified hybrid programs with continuous evolution and structural/dimensional changes. Firstorder dynamic logic is more expressive and calculi are deductively stronger than other approaches [2, 17].
3 Syntax of Quantified Differential Temporal Dynamic Logic
As a formal logic for verifying temporal specifications of distributed hybrid systems, we introduce quantified differential temporal dynamic logic (QdTL). QdTL extends dynamic logic for reasoning about system runs [12] with manysorted firstorder logic for reasoning about all or some objects of a sort , e.g.,
the sort of all aircraft, and three other concepts:
Quantified hybrid programs. The behavior of distributed hybrid systems can be described by quantified hybrid programs [21, 22], which generalize regular programs from dynamic logic [12] to distributed hybrid changes. The distinguish feature of quantified hybrid programs is that they provide uniform discrete transitions, continuous evolutions, and structural/dimension changes along quantified assignments and quantified differential equations, which can be combined by regular control operations.
Modal operators. Modalities of dynamic logic express statements about all possible behavior of a system , or about the existence of a trace , satisfying condition . Unlike in standard dynamic logic, is a model of a distributed hybrid system. We use quantified hybrid programs to describe as in [21, 22]. Yet, unlike in standard dynamic logic [12] or quantified differential dynamic logic (Qd) [21, 22], is a trace formula in QdTL, and can refer to all states that occur during a trace using temporal operators.
Temporal operators. For QdTL, the temporal trace formula expresses that the formula holds all along a trace selected by or . For instance, the state formula says that the state formula holds at every state along at least one trace of . Dually, the trace formula expresses that holds at some point during such a trace. It can occur in a state formula to express that there is such a state in some trace of , or as to say that, along each trace, there is a state satisfying . In this paper, the primary focus of attention is on homogeneous combinations of path and trace quantifiers like or .
3.1 Quantified Hybrid Programs
QdTL supports a (finite) number of object sorts, e.g., the sort of all aircraft, or the sort of all cars. For continuous quantities of distributed hybrid systems like positions or velocities, we add the sort for real numbers. Terms of QdTL are built from a set of (sorted) function/variable symbols as in manysorted firstorder logic. For representing appearance and disappearance of objects while running QHPs, we use an existence function symbol that has value if object exists, and has value when object disappears or has not been created yet. We use with the usual notation and fixed semantics for real arithmetic. For we abbreviate by using vectorial notation and we use for elementwise equality.
As a system model for distributed hybrid systems, QdTL uses quantified hybrid programs (QHP) [21, 22]. The quantified hybrid programs occurring in dynamic modalities of QdTL are regular programs from dynamic logic [12] to which quantified assignments and quantified differential equation systems for distributed hybrid dynamics are added. QHPs are defined by the following grammar (, are QHPs, a term, a variable of sort , is a function symbol, is a vector of terms with sorts compatible to , and is a formula of firstorder logic):
The effect of quantified assignment is an instantaneous discrete jump assigning to simultaneously for all objects of sort . The QHP , for example, expresses that all cars of sort simultaneously increase their acceleration . The effect of quantified differential equation is a continuous evolution where, for all objects of sort , all differential equations hold and formula holds throughout the evolution (the state remains in the region described by ). The dynamics of QHPs changes the interpretation of terms over time: is intended to denote the derivative of the interpretation of the term over time during continuous evolution, not the derivative of by its argument . For to be defined, we assume is an valued function symbol. For simplicity, we assume that does not occur in . In most quantified assignments/differential equations is just . For instance, the following QHP expresses that all cars of sort drive by such that their position changes continuously according to their respective acceleration .
The effect of test is a skip (i.e., no change) if formula is true in the current state and abort (blocking the system run by a failed assertion), otherwise. Nondeterministic choice is for alternatives in the behavior of the distributed hybrid system. In the sequential composition , QHP starts after finishes ( never starts if continues indefinitely). Nondeterministic repetition repeats an arbitrary number of times, possibly zero times.
3.2 State and Trace Formulas
The formulas of QdTL are defined similarly to firstorder dynamic logic plus manysorted firstorder logic. However, the modalities and accept trace formulas that refer to the temporal behavior of all states along a trace. Inspired by CTL and [9, 10], we distinguish between state formulas, which are true or false in states, and trace formulas, which are true or false for system traces.
The state formulas of QdTL are defined by the following grammar ( are state formulas, is a trace formula, are terms of the same sort, is a variable of sort , and is a QHP):
We use standard abbreviations to define . Sorts have no ordering and only is allowed. For sort , we abbreviate by .
The trace formulas of QdTL are defined by the following grammar ( is a trace formula and is a state formula):
Formulas without and are nontemporal Qdformulas. Unlike in CTL, state formulas are true on a trace if they hold for the last state of a trace, not for the first. Thus, expresses that is true at the end of each trace of . In contrast, expresses that is true all along all states of every trace of . This combination gives a smooth embedding of nontemporal Qd into QdTL and makes it possible to define a compositional calculus. Like CTL, QdTL allows nesting with a branching time semantics [9], e.g., . In the following, all formulas and terms have to be welltyped. For short notation, we allow conditional terms of the form (where and have the same sort). This term evaluates to if the formula is true and to otherwise. We consider formulas with conditional terms as abbreviations, e.g., for (.
Example 1
Let be the sort of all cars. By , we denote the position of car , by its velocity and by its acceleration. Then the QdTL formula
says that, if all cars start at a point to the right of the origin and we only allow them to evolve as long as all of them have nonnegative velocity, then they always stay up to the right of the origin. In this case, the QHP just consists of a quantified differential equation expressing that the position of car evolves over time according to the velocity , which evolves according to its acceleration . The constraint expresses that the cars never move backwards, which otherwise would happen eventually in the case of braking . This formula is indeed valid, and we would be able to use the techniques developed in this paper to prove it.
4 Semantics of Quantified Differential Temporal Dynamic Logic
In standard dynamic logic [12] and the logic Qd [21, 22], modalities only refer to the final states of system runs and the semantics is a reachability relation on states: State is reachable from state using if there is a run of which terminates in when started in . For QdTL, however, formulas can refer to intermediate states of runs as well. Thus, the semantics of a distributed hybrid system is the set of its possible traces, i.e., successions of states that occur during the evolution of .
4.1 Trace Semantics of Quantified Hybrid Programs
A state associates an infinite set of objects with each sort , and it associates a function of appropriate type with each function symbol , including . For simplicity, also associates a value of appropriate type with each variable . The domain of and the interpretation of is that of real arithmetic. We assume constant domain for each sort : all states share the same infinite domains . Sorts are disjoint: . The set of all states is denoted by . The state agrees with except for the interpretation of variable , which is changed to . In addition, we distinguish a state to denote the failure of a system run when it is aborted due to a test that yields false. In particular, can only occur at the end of an aborted system run and marks that there is no further extension.
Distributed hybrid systems evolve along piecewise continuous traces in multidimensional space, structural changes, and appearance or disappearance of agents as time passes. Continuous phases are governed by differential equations, whereas discontinuities are caused by discrete jumps. Unlike in discrete cases [2, 24], traces are not just sequences of states, since distributed hybrid systems pass through uncountably many states even in bounded time. Beyond that, continuous changes are more involved than in pure realtime [1, 14], because all variables can evolve along different differential equations. Generalizing the realtime traces of [14], the following definition captures hybrid behavior by splitting the uncountable succession of states into periods that are regulated by the same control law. For discrete jumps, some periods are point flows of duration .
The (trace) semantics of quantified hybrid programs is compositional, that is, the semantics of a complex program is defined as a simple function of the trace semantics of its parts.
Definition 1 (Hybrid Trace)
A trace is a (nonempty) finite or infinite sequence of functions with respective durations (for ). A position of is a pair with and in the interval ; the state of at is . Positions of are ordered lexicographically by iff either , or and . Further, for a state , is the point flow at with duration . A trace terminates if it is a finite sequence and . In that case, the last state is denoted by last. The first state is denoted by first.
Unlike in [1, 14], the definition of traces also admits finite traces of bounded duration, which is necessary for compositionality of traces in . The semantics of quantified hybrid programs as the set of its possible traces depends on valuations of formulas and terms at intermediate states . The valuation of formulas will be defined in Definition 3. Especially, we use to denote the valuations of terms and formulas in state , i.e., in state with interpreted as .
Definition 2 (Trace Semantics of Quantified Hybrid Programs)
The trace semantics, , of a quantified hybrid program , is the set of all its possible hybrid traces and is defined inductively as follows:

and state is identical to except that at each position of : if for some object , then

is a function satisfying the following conditions. At each time , state is identical to , except that at each position for some object , then, at each time :

The differential equations hold and derivatives exist (trivial for ):

The evolution domains is respected:




; the composition of and is

, where for , as well as and .
4.2 Valuation of State and Trace Formulas
Definition 3 (Valuation of Formulas)
The valuation of state and trace formulas is defined respectively. For state formulas, the valuation with respect to state is defined as follows:

true iff ; accordingly for .

true iff true and true; accordingly for .

true iff true for all objects .

true iff true for some object .

true iff for each trace that starts in first, if is defined, then true.

true iff there is a trace starting in first such that is defined and true.
For trace formulas, the valuation with respect to trace is defined as follows:

If is a state formula, then last if terminates, whereas is not defined if does not terminate.

true iff true for all positions of with .

true iff true for some position of with .
As usual, a (state) formula is valid if it is true in all states. Further for (state) formula and state we write iff = true. We write iff = false. Likewise, for trace formula and trace we write iff = true and iff = false. In particular, we only write or if is defined, which it is not the case if is a state formula and does not terminate.
4.3 Conservative Temporal Extension
5 Safety Properties in Distributed Air Traffic Control
In air traffic control, collision avoidance maneuvers [8, 26] are used to resolve conflicting flight paths that arise during free flight. We consider the roundabout collision avoidance maneuver for air traffic control [26]. In the literature, formal verification of the hybrid dynamics of air traffic control focused on a fixed number of aircraft, usually two. In reality, many more aircraft are in the same flight corridor, even if not all of them participate in the same maneuver. They may be involved in multiple distributed maneuvers at the same time, however. Perfect global trajectory planning quickly becomes infeasible then. The verification itself also becomes much more complicated for three aircraft already. Explicit replication of the system dynamics times is computationally infeasible for larger . Yet, collision avoidance maneuvers need to work for an (essentially) unbounded number of aircraft. Because global trajectory planning is infeasible, the appearance of other aircraft into a local collision avoidance maneuver always has to be expected and managed safely. See Fig. 1 for a general illustration of roundaboutstyle collision avoidance maneuvers and the phenomenon of dynamic appearance of some new aircraft into the horizon of relevance.
The resulting flight control system has several characteristics of hybrid dynamics. But it is not a hybrid system and does not even have a fixed finite number of variables in a fixed finitedimensional state space. The system forms a distributed hybrid system, in which all aircraft fly at the same time and new aircraft may appear from remote areas into the local flight scenario. Let be the sort of all aircraft. Each aircraft has a position and a velocity vector . We model the continuous dynamics of an aircraft that follows a flight curve with an angular velocity by the (function) differential equation:
() 
This differential equation, which we denote by , is the standard equation for curved flight from the literature [26], but lifted to function symbols that are parameterized by aircraft . Now the quantified differential equation characterizes that all aircraft fly along their respective (function) differential equation according to their respective angular velocities at the same time. This quantified differential equation captures what no finitedimensional differential equation system could ever do. It characterizes the simultaneous movement of an unbounded, arbitrary, and even growing or shrinking set of aircraft.
Two aircraft and have violated the safe separation property if they falsify the following formula
which says that aircraft and are either identical or separated by at least the protected zone (usually 5mi). For the aircraft control system to be safe, all aircraft have to be safely separated, i.e., need to satisfy . It is crucial that this formula holds at every point in time during the system evolution, not only at its beginning or at its end. Hence, we need to consider temporal safety properties. For instance, QdTL can analyze the following temporal safety properties of a part of the distributed roundabout collision avoidance maneuver for air traffic control:
(1) 
(2) 
where , is a clock variable, and is some bounded time.
The temporal safety invariant in (1) expresses that the circle phase of roundabout maneuver always stays collisionfree indefinitely for an arbitrary number of aircraft. That is the most crucial part because we have to know the aircraft always remain safe during the actual roundabout collision avoidance circle. The condition characterizes compatible tangential maneuvering choices. Without a condition like , roundabouts can be unsafe [20]. For a systematic derivation of how to construct , we refer to the work [20]. As a variation of (1), the temporal safety property in (2) states that, for an arbitrary number of aircraft, the circle procedure of roundabout maneuver cannot produce collisions at any point in its bounded duration . This variation restricts the continuous evolution to take exactly time units (the evolution domain region restricts the evolution to and the subsequent test to ) and no intermediate state is visible as a final state anymore. Thus, the temporal modality in (2) is truly necessary. We will use the techniques developed in this paper to verify these temporal safety properties in the distributed roundabout flight collision avoidance maneuver.
6 Proof Calculus for Temporal Properties
In this section, we introduce a sequent calculus for verifying temporal specifications of distributed hybrid systems in QdTL. With the basic idea being to perform a symbolic decomposition, the calculus transforms quantified hybrid programs successively into simpler logical formulas describing their effects. Statements about the temporal behavior of a quantified hybrid program are successively reduced to corresponding nontemporal statements about the intermediate states.
6.1 Proof Rules
In Fig. 2, we present a proof calculus for QdTL that inherits the proof rules of Qd from [21, 22] and adds new proof rules for temporal modalities. We use the sequent notation informally for a systematic proof structure. A sequent is of the form , where the antecedent and succedent are finite sets of formulas. The semantics of is that of the formula and will be treated as an abbreviation. As usual in sequent calculus, the proof rules are applied backwards from the conclusion (goal below horizontal bar) to the premises (subgoals above bar).
6.1.1 Inherited Nontemporal Rules
The QdTL calculus inherits the (nontemporal) Qd proof rules. For propositional logic, standard rules ax–cut are listed in Fig. 2. Rules – work similar to those in [12]. Rules handle continuous evolutions for quantified differential equations with firstorder definable solutions. Rules – handle discrete changes for quantified assignments. Axiom ex expresses that, for sort , there always is a new object that has not been created yet (), because domains are infinite. The quantifier rules r–i combine quantifier handling of manysorted logic based on instantiation with theory reasoning by quantifier elimination (QE) for the theory of reals. The global rules gen, gen are Gödel generalization rules and ind is an induction schema for loops with inductive invariant [12]. Similarly, con generalizes Harel’s convergence rule [12] to the hybrid case with decreasing variant [19]. DI and DC are rules for quantified differential equations with quantified differential invariants [21, 22]. Notice that can be generalized to apply to formulas of the form where is an arbitrary trace formula, and not just a state formula as in Qd. Thus, may begin with and , which is why the rules are repeated in this generalized form as and in Fig. 2.
6.1.2 Temporal Rules
The new temporal rules in Fig. 2 for the QdTL calculus successively transform temporal specifications of quantified hybrid programs into nontemporal Qd formulas. The idea underlying this transformation is to decompose quantified hybrid programs and recursively augment intermediate state transitions with appropriate specifications.
Rule decomposes invariants of (i.e., holds) into an invariant of (i.e., ) and an invariant of that holds when is started in any final state of (i.e., ). Its difference with the Qd rule thus is that the QdTL rule also checks safety invariant at the symbolic states in between the execution of and , and recursively so because of the temporal modality . Rule expresses that invariants of quantified assignments need to hold before and after the discrete change (similarly for , except that tests do not lead to a state change, so holding before the test is all there is to it). Rule can directly reduce invariants of continuous evolutions to nontemporal formulas as restrictions of solutions of quantified differential equations are themselves solutions of different duration and thus already included in the continuous evolutions of . The (optional) iteration rule can partially unwind loops. It relies on rule . The dual rules ,,,,, work similarly. Rules for handling and are discussed in Section 8.
The inductive definition rules and completely reduce temporal properties of loops to QdTL properties of standard nontemporal Qd modalities such that standard induction (ind) or convergence (con) rules, as listed in Fig. 2, can be used for the outer nontemporal modality of the loop. Hence, after applying the inductive loop definition rules and , the standard Qd loop invariant and variant rules can be used for verifying temporal properties of loops without change, except that the postcondition contains temporal modalities.
6.2 Soundness and Completeness
The following result shows that verification with the QdTL calculus always produces correct results about the safety of distributed hybrid systems, i.e., the QdTL calculus is sound.
Theorem 6.1 (Soundness of QdTL)
The QdTL calculus is sound, i.e., every QdTL (state) formula that can be proven is valid.
The verification for temporal safety ( or ), temporal liveness ( or ), and nontemporal ( or ) fragments of distributed hybrid systems has three independent sources of undecidability. Thus, no verification technique can be effective. Hence, QdTL cannot be effectively axiomatizable. Both its discrete and its continuous fragments alone are subject to Gödel’s incompleteness theorem [19]. The fragment with only structural and dimensionchanging dynamics is not effective either, because it can encode twocounter machines.
Qd has been proved to be complete relative to quantified differential equations [21, 22]. Due to the modular construction of the QdTL calculus, we can lift the relative completeness result from Qd to QdTL. We essentially show that QdTL is complete relative to Qd, which directly implies that QdTL calculus is even complete relative to an oracle for the fragment of QdTL that has only quantified differential equations in modalities. Again, we restrict our attention to homogeneous combinations of path and trace quantifiers like or .
Theorem 6.2 (Relative Completeness of QdTL)
The calculus in Fig. 2 is a complete axiomatization of QdTL relative to quantified differential equations.
This result shows that both temporal and nontemporal properties of distributed hybrid systems can be proven to exactly the same extent to which properties of quantified differential equations can be proven. It also gives a formal justification that the QdTL calculus reduces temporal properties to nontemporal Qd properties.
7 Verification of Distributed Air Traffic Control Safety Properties
Continuing the distributed air traffic control study from Section 5, the QdTL proofs of the temporal safety invariant in (1) and the temporal safety property in (2) are presented in Fig. 3 and Fig. 4, respectively (for the purpose of simplifying the presentation, we ignore typing information for aircraft in the proof, because it is clear from the context). Note that temporal and nontemporal properties of the maneuver cannot be proven using any hybrid systems verification technique, because the dimension is parametric and unbounded and may even change dynamically during the remainder of the maneuver. The single proof in Fig. 3 or Fig. 4 corresponds to infinitely many proofs for systems with aircraft for all .
Our proofs show that the distributed roundabout maneuver always safely avoids collisions for arbitrarily many aircraft (even with dynamic appearance of new aircraft). The above maneuver still requires all aircraft in the horizon of relevance to participate in the collision avoidance maneuver. In fact, we can show that this is unnecessary for aircraft that are far enough away and that may be engaged in other roundabouts. Yet, this is beyond the scope of this paper.