CoasterX: A Case Study in Component-Driven Hybrid Systems Proof - PowerPoint PPT Presentation

CoasterX: A Case Study in Component-Driven Hybrid Systems Proof Automation Brandon Bohrer (joint work with Adriel Luo, Xuean Chuang, Andr´ e Platzer) Logical Systems Lab Computer Science Department Carnegie Mellon University ADHS, Jul 7 2018 1 / 32

Roller Coasters are Safety-Critical Systems Top Thrill Steel Phantom Mindbender [BLCP18] Joker’s Jinx Phantom’s Revenge Fujin Raijin II Rollback Head Injury Derailment 2 / 32

Formal Proofs in d L Ensure Safe Designs [BLCP18] Top Thrill Steel Phantom Mindbender Rollback Head Injury Derailment ⇓ Pre → [ phys ] Post Identify: • Notion of safety Post ( acc < acc hi ) 3 / 32

Formal Proofs in d L Ensure Safe Designs [BLCP18] Top Thrill Steel Phantom Mindbender Rollback Head Injury Derailment ⇓ Pre → [ phys ] Post Identify: • Notion of safety Post ( acc < acc hi ) • Safe conditions Pre ( v = v 0 ) 3 / 32

Formal Proofs in d L Ensure Safe Designs [BLCP18] Top Thrill Steel Phantom Mindbender Rollback Head Injury Derailment ⇓ Pre → [ phys ] Post Identify: • Notion of safety Post ( acc < acc hi ) • Safe conditions Pre ( v = v 0 ) Verify physical plant ( { x ′ = . . . , y ′ = . . . } ) 3 / 32

Design Verification Supplements Simulation Simulations typically used today [XXLY12, Wei15] Approach Pro Con Simulate Rich dynamics, easy Low rigor+precision Verify High rigor+precision Simple dynamics, hard 4 / 32

Verifying Physical Designs is a Challenge • How do we verify models at scale? • How do we make verification accessible to non-experts? 5 / 32

Verifying Plant Designs is Important ⇓ 6 / 32

Component-Driven Proof Automation Enables Design Verification KeYmaera X Prover Core d L fml. GUI Builder (1700 Lines) CoasterX [FMQ + 15] Backend Component d L pf. model Goal Solution Accessible High-level graphical modeling Rigorous Formal proof checked by small prover core Scalable Proof scales by exploiting component structure 7 / 32

Track Sections are Components for Coasters Generic Component 8 / 32

Track Sections are Components for Coasters Generic Component � � � Automatic Composition 8 / 32

Track Sections are Components for Coasters Generic Component � � � Automatic Composition 8 / 32

Track Sections are Components for Coasters Generic Component � � � Automatic Composition 8 / 32

Track Sections are Components for Coasters Generic Component � � � Automatic Composition 8 / 32

Background: d L Formulas P , Q ::= P ∧ Q | ¬ P | ∀ xP | θ 1 ≥ θ 2 | [ α ] P Example: Pre → [ plant ] Post Construct Meaning P ∧ Q , ¬ P , ∀ xP First-order Logic θ 1 ≥ θ 2 Real arithmetic comparisons [ α ] P Safety: After α runs, P always holds 9 / 32

Background: Hybrid Programs α, β ::= · · · | { x ′ = θ & P } | α ∪ β | α ∗ Construct Meaning { x ′ = θ & P } Evolve x at continuous rate θ Evolution domain constraint P asserted continuously α ∪ β Choose either α or β nondeterministically α ∗ Loop α nondeterministically n ≥ 0 times 10 / 32

Velocity and Acceleration Bounds are Fundamental Rollback Head Injury Derailment 0 < v lo ≤ v | a | ≤ a hi | a | ≤ a hi [AST17] 11 / 32

Tracks are 2D • 2D modeling greatly simplifies GUI • Vertical and horizontal bounds only (no lateral bound) • Ignores banking, wind, roll resistance (1-2%) ⇒ 12 / 32

Conservative Bound Suffices for Phantom Top Thrill Steel Phantom Mindbender Joker’s Jinx Phantom’s Revenge Fujin Raijin II Rollback Head Injury Derailment ( > ) ( < ) ( < ) 13 / 32

Example √ √ √ plant ≡ {{ x ′ = 2 / 2 v , y ′ = 2 / 2 v , v ′ = − 2 / 2 g & 0 ≤ x ≤ 100 } √ ∪ { x ′ = dx v , y ′ = dy , v ′ = − dy g , dx ′ = − dy v / 100 2 , √ dy ′ = dx v / 100 2 & 100 ≤ x ≤ 200 } √ √ √ ∪ { x ′ = 2 / 2 v , y ′ = − 2 / 2 v , v ′ = 2 / 2 g & 200 ≤ x ≤ 300 }} ∗ 14 / 32

Example plant ≡ {{ Line( . . . ) & 0 ≤ x ≤ 100 } ∪ { Arc( . . . ) & 100 ≤ x ≤ 200 } ∪ { Line( . . . ) & 200 ≤ x ≤ 300 }} ∗ 14 / 32

Example plant ≡ {{ Line( . . . ) & 0 ≤ x ≤ 100 } ∪ { Arc( . . . ) & 100 ≤ x ≤ 200 } ∪ { Line( . . . ) & 200 ≤ x ≤ 300 }} ∗ 14 / 32

Example plant ≡ {{ Line( . . . ) & 0 ≤ x ≤ 100 } ∪ { Arc( . . . ) & 100 ≤ x ≤ 200 } ∪ { Line( . . . ) & 200 ≤ x ≤ 300 }} ∗ 14 / 32

Individual Components are Modeled as ODEs Arc Segment: def ≡ { x ′ = v · dx , y ′ = v · dy , v ′ = − dy · g , Arc dx ′ = − dy · v / r , dy ′ = dx · v / r & InBounds ( x 1 , x 2 , y 1 , y 2 ) } 15 / 32

Concrete Parameters are Plugged in From GUI Line Segment: def ≡ { x ′ = v · dx , y ′ = v · dy , v ′ = − dy · g Line & InBounds ( x 1 , x 2 , y 1 , y 2 ) } ⇓ Subst def ≡ { x ′ = v · 1 , y ′ = v · 0 , v ′ = − 0 · g Line(1 , 0 , . . . ) & InBounds (0 , 100 , 200 , 200) } 16 / 32

Composition is Modeled with Discrete Programs Let track sections sec i be component instances: def sec i ≡ Line( args i ) or Arc( args i ) and system model α : def (sec 1 ∪ · · · ∪ sec n ) ∗ plant ≡ 17 / 32

Components Verified with Invariants and Solving • Straight line is solvable, thus decidable. • Arc needs invariant (energy conservation), proved manually: E = E 0 ∧ OnTrack → [Arc] ( E = E 0 ∧ OnTrack ) 18 / 32

Instantiation is Verified by Substitution • Conceptually simple step • Greatly improves performance (20x in some cases) def ≡ { x ′ = v · dx , y ′ = v · dy , v ′ = − dy · g Line & InBounds ( x 1 , x 2 , y 1 , y 2 ) } ⇓ Subst def ≡ { x ′ = v · 1 , y ′ = v · 0 , v ′ = − 0 · g Line(1 , 0 , . . . ) & InBounds (0 , 100 , 200 , 200) } 19 / 32

Composition is Verified by Contract-Checking • At boundary, invariants for both sections hold • Checked with arithmetic solving + custom automation Example: J 1 ≡ ( x = y ) y 2 + ( x − 200) 2 = 100 2 � � J 2 ≡ 20 / 32

Analysis Distinguished 6 Safe/Unsafe Real Coasters Top Thrill Steel Phantom (6.5g) Backyard El Toro Phantom’s Revenge (3.5g) Lil’ Phantom 21 / 32

This is the Largest d L Model Ever Stats: CoasterX Max Previous Max (Est.) Components 56 > 3 Fml size 52KB > 6.5KB Proof Steps 20M (29K w/ reuse) > 100K 22 / 32

Scalability is Quadratic Runtime vs. Problem Size 1500 1000 time(s) 500 0 37 57 107 192 232 256 # vars (on a recent workstation) 23 / 32

Component Verification Cost Sometimes Matters Component Time # Steps Line 140s 900K Arc ≈ 4.5s ≈ 12.5K Automatic proof (Line) vastly slower than manual proof (Arcs) 24 / 32

Future Work 25 / 32

Advanced Dynamical Models Answer Deeper Questions ⇒ Acceleration Stuck Rollback | a | ≤ a hi 0 < v lo ≤ v 0 < v lo ≤ v Friction Wind 26 / 32

Advanced 3D Design 2D Build Detect Simulate ⇓ 3D 3D Modeling support enables lateral bounds and banking support 27 / 32

Rich Contracts Enable High-Impact Domains • Transit networks: Contracts at intersections/switches • Flight plans: Contracts at crossing points Rail Road UAV 28 / 32

Coasters Support Pedagogical Mission • 15-424 CPS Foundations: Fun applications motivate students • Course feeds into undergraduate research • Initial stages were Adriel + Xuean’s 15-424 course project GPWS Chute Pong Coaster Chess Baseball 29 / 32

Questions? Top Thrill Steel Phantom Backyard El Toro Phantom’s Revenge Lil’ Phantom 30 / 32

References I ASTM, Standard Practice for Design of Amusement Rides and Devices , Standard, ASTM Intl., Sep 2017. Brandon Bohrer, Adriel Luo, Xuean Chuang, and Andr´ e Platzer, CoasterX: A case study in component-driven hybrid systems proof automation , IFAC, 2018. Nathan Fulton, Stefan Mitsch, Jan-David Quesel, Marcus V¨ olp, and Andr´ e Platzer, KeYmaera X: An axiomatic tactical theorem prover for hybrid systems , CADE (Berlin) (Amy Felty and Aart Middeldorp, eds.), LNCS, vol. 9195, Springer, 2015, pp. 527–538. Nick Weisenberger, Coasters 101: An engineer’s guide to roller coaster design , 2015. 31 / 32

References II Gening Xu, Hujun Xin, Fengyi Lu, and Mingliang Yang, Kinematics and dynamics simulation research for roller coaster multi-body system , Advanced Materials Research, vol. 421, Trans Tech Publications, 2012, pp. 276–280. 32 / 32