CoasterX: A Case Study in Component-Driven Hybrid Systems Proof - - PowerPoint PPT Presentation

CoasterX: A Case Study in Component-Driven Hybrid Systems Proof Automation

Brandon Bohrer (joint work with Adriel Luo, Xuean Chuang, Andr´ e Platzer)

Logical Systems Lab Computer Science Department Carnegie Mellon University

ADHS, Jul 7 2018

1 / 32

Roller Coasters are Safety-Critical Systems

Top Thrill Steel Phantom Mindbender Joker’s Jinx Phantom’s Revenge Fujin Raijin II

Rollback Head Injury Derailment

[BLCP18]

2 / 32

Formal Proofs in dL Ensure Safe Designs

Top Thrill Steel Phantom Mindbender

Rollback Head Injury Derailment

[BLCP18]

⇓

Pre → [phys]Post Identify:

• Notion of safety Post (acc < acchi)

3 / 32

Formal Proofs in dL Ensure Safe Designs

Top Thrill Steel Phantom Mindbender

Rollback Head Injury Derailment

[BLCP18]

⇓

Pre → [phys]Post Identify:

• Notion of safety Post (acc < acchi)
• Safe conditions Pre (v = v0)

3 / 32

Formal Proofs in dL Ensure Safe Designs

Top Thrill Steel Phantom Mindbender

Rollback Head Injury Derailment

[BLCP18]

⇓

Pre → [phys]Post Identify:

• Notion of safety Post (acc < acchi)
• Safe conditions Pre (v = v0)

Verify physical plant ({x′ = . . . , y′ = . . .})

3 / 32

Design Verification Supplements Simulation

Simulations typically used today [XXLY12, Wei15] Approach Pro Con Simulate Rich dynamics, easy Low rigor+precision Verify High rigor+precision Simple dynamics, hard

4 / 32

Verifying Physical Designs is a Challenge

• How do we verify models at scale?
• How do we make verification accessible to non-experts?

5 / 32

Verifying Plant Designs is Important ⇓

6 / 32

Component-Driven Proof Automation Enables Design Verification

GUI Builder CoasterX Backend KeYmaera X Prover Core (1700 Lines) [FMQ+15]

Component model

dL fml. dL pf. Goal Solution Accessible High-level graphical modeling Rigorous Formal proof checked by small prover core Scalable Proof scales by exploiting component structure

7 / 32

Track Sections are Components for Coasters

Generic Component

8 / 32

Track Sections are Components for Coasters

Generic Component

• Automatic Composition

8 / 32

Track Sections are Components for Coasters

Generic Component

• Automatic Composition

8 / 32

Track Sections are Components for Coasters

Generic Component

• Automatic Composition

8 / 32

Track Sections are Components for Coasters

Generic Component

• Automatic Composition

8 / 32

Background: dL Formulas

P, Q ::= P ∧ Q | ¬P | ∀xP | θ1 ≥ θ2 | [α]P Example: Pre → [plant]Post Construct Meaning P ∧ Q, ¬P, ∀xP First-order Logic θ1 ≥ θ2 Real arithmetic comparisons [α]P Safety: After α runs, P always holds

9 / 32

Background: Hybrid Programs

α, β ::= · · · | {x′ = θ & P} | α ∪ β | α∗ Construct Meaning {x′ = θ & P} Evolve x at continuous rate θ Evolution domain constraint P asserted continuously α ∪ β Choose either α or β nondeterministically α∗ Loop α nondeterministically n ≥ 0 times

10 / 32

Velocity and Acceleration Bounds are Fundamental Rollback Head Injury Derailment

0 < vlo ≤ v |a| ≤ ahi |a| ≤ ahi [AST17]

11 / 32

Tracks are 2D

• 2D modeling greatly simplifies GUI
• Vertical and horizontal bounds only (no lateral bound)
• Ignores banking, wind, roll resistance (1-2%)

⇒

12 / 32

Conservative Bound Suffices for Phantom

Top Thrill Steel Phantom Mindbender Joker’s Jinx Phantom’s Revenge Fujin Raijin II

Rollback Head Injury Derailment

(>) (<) (<)

13 / 32

Example

plant ≡ {{x′ = √ 2/2 v, y′ = √ 2/2 v, v′ = − √ 2/2 g & 0 ≤ x ≤ 100} ∪ {x′ = dx v, y′ = dy, v′ = −dy g, dx′ = −dy v/100 √ 2, dy′ = dx v/100 √ 2 & 100 ≤ x ≤ 200} ∪ {x′ = √ 2/2 v, y′ = − √ 2/2 v, v′ = √ 2/2 g & 200 ≤ x ≤ 300}}∗

14 / 32

Example

plant ≡ {{Line(. . .) & 0 ≤ x ≤ 100} ∪ {Arc(. . .) & 100 ≤ x ≤ 200} ∪ {Line(. . .) & 200 ≤ x ≤ 300}}∗

14 / 32

Example

plant ≡ {{Line(. . .) & 0 ≤ x ≤ 100} ∪ {Arc(. . .) & 100 ≤ x ≤ 200} ∪ {Line(. . .) & 200 ≤ x ≤ 300}}∗

14 / 32

Example

plant ≡ {{Line(. . .) & 0 ≤ x ≤ 100} ∪ {Arc(. . .) & 100 ≤ x ≤ 200} ∪ {Line(. . .) & 200 ≤ x ≤ 300}}∗

14 / 32

Individual Components are Modeled as ODEs

Arc Segment: Arc

def

≡ {x′ = v · dx, y′ = v · dy, v′ = −dy · g, dx′ = −dy · v/r, dy′ = dx · v/r & InBounds(x1, x2, y1, y2)}

15 / 32

Concrete Parameters are Plugged in From GUI

Line Segment: Line

def

≡ {x′ = v · dx, y′ = v · dy, v′ = −dy · g & InBounds(x1, x2, y1, y2)} ⇓Subst Line(1, 0, . . .)

def

≡ {x′ = v · 1, y′ = v · 0, v′ = −0 · g & InBounds(0, 100, 200, 200)}

16 / 32

Composition is Modeled with Discrete Programs

Let track sections seci be component instances: seci

def

≡ Line(argsi) or Arc(argsi) and system model α: plant

def

≡ (sec1 ∪ · · · ∪ secn)∗

17 / 32

Components Verified with Invariants and Solving

• Straight line is solvable, thus decidable.
• Arc needs invariant (energy conservation), proved manually:

E = E0 ∧ OnTrack → [Arc] (E = E0 ∧ OnTrack)

18 / 32

Instantiation is Verified by Substitution

• Conceptually simple step
• Greatly improves performance (20x in some cases)

Line

def

≡ {x′ = v · dx, y′ = v · dy, v′ = −dy · g & InBounds(x1, x2, y1, y2)} ⇓Subst Line(1, 0, . . .)

def

≡ {x′ = v · 1, y′ = v · 0, v′ = −0 · g & InBounds(0, 100, 200, 200)}

19 / 32

Composition is Verified by Contract-Checking

• At boundary, invariants for both sections hold
• Checked with arithmetic solving + custom automation

Example: J1 ≡ (x = y) J2 ≡

• y2 + (x − 200)2 = 1002

20 / 32

Analysis Distinguished 6 Safe/Unsafe Real Coasters

Top Thrill Steel Phantom (6.5g) Backyard El Toro Phantom’s Revenge (3.5g) Lil’ Phantom

21 / 32

This is the Largest dL Model Ever

Stats: CoasterX Max Previous Max (Est.) Components 56 > 3 Fml size 52KB > 6.5KB Proof Steps 20M (29K w/ reuse) > 100K

22 / 32

Scalability is Quadratic

37 57 107 192 232 256 500 1000 1500 # vars time(s) Runtime vs. Problem Size

(on a recent workstation)

23 / 32

Component Verification Cost Sometimes Matters

Component Time # Steps Line 140s 900K Arc ≈4.5s ≈12.5K Automatic proof (Line) vastly slower than manual proof (Arcs)

24 / 32

Future Work

25 / 32

Advanced Dynamical Models Answer Deeper Questions

Acceleration |a| ≤ ahi ⇒ Rollback 0 < vlo ≤ v Stuck 0 < vlo ≤ v Friction Wind

26 / 32

Advanced 3D Design 2D

Build Detect Simulate ⇓

3D

3D Modeling support enables lateral bounds and banking support

27 / 32

Rich Contracts Enable High-Impact Domains

• Transit networks: Contracts at intersections/switches
• Flight plans: Contracts at crossing points

Rail Road UAV

28 / 32

Coasters Support Pedagogical Mission

• 15-424 CPS Foundations: Fun applications motivate students
• Course feeds into undergraduate research
• Initial stages were Adriel + Xuean’s 15-424 course project

GPWS Chute Pong Coaster Chess Baseball

29 / 32

Questions?

Top Thrill Steel Phantom Backyard El Toro Phantom’s Revenge Lil’ Phantom

30 / 32

References I

ASTM, Standard Practice for Design of Amusement Rides and Devices, Standard, ASTM Intl., Sep 2017. Brandon Bohrer, Adriel Luo, Xuean Chuang, and Andr´ e Platzer, CoasterX: A case study in component-driven hybrid systems proof automation, IFAC, 2018. Nathan Fulton, Stefan Mitsch, Jan-David Quesel, Marcus V¨

• lp, and Andr´

e Platzer, KeYmaera X: An axiomatic tactical theorem prover for hybrid systems, CADE (Berlin) (Amy Felty and Aart Middeldorp, eds.), LNCS, vol. 9195, Springer, 2015,

• pp. 527–538.

Nick Weisenberger, Coasters 101: An engineer’s guide to roller coaster design, 2015.

31 / 32

References II

Gening Xu, Hujun Xin, Fengyi Lu, and Mingliang Yang, Kinematics and dynamics simulation research for roller coaster multi-body system, Advanced Materials Research, vol. 421, Trans Tech Publications, 2012, pp. 276–280.

32 / 32