CoasterX: A Case Study in Component-Driven Hybrid Systems Proof Automation

Similar documents
A COMPONENT-BASED APPROACH TO HYBRID SYSTEMS SAFETY VERIFICATION

KeYmaera: A Hybrid Theorem Prover for Hybrid Systems

Lecture Notes on Proofs & Arithmetic

A Hybrid, Dynamic Logic for Hybrid-Dynamic Information Flow

05: Dynamical Systems & Dynamic Axioms

February 2017 CMU-CS JKU-CIS School of Computer Science Carnegie Mellon University Pittsburgh, PA 15213

Using Theorem Provers to Guarantee Closed-Loop Properties

Lecture Notes on Loop Variants and Convergence

Tactical contract composition for hybrid system component verification

Formal verification of One Dimensional Time Triggered Velocity PID Controllers Kenneth Payson 12/09/14

Lecture Notes on Ghosts & Differential Ghosts

Lecture Notes on Differential Equations & Differential Invariants

Roller Coaster Design Project Lab 3: Coaster Physics Part 2

Roller Coaster Physics: Energy and Forces

WHITE KNUCKLE RIDE AN INTRODUCTION TO DYNAMICS

Roller Coaster Dynamics 2: Energy Losses - 1

VeriPhy: Verified Controller Executables from Verified Cyber-Physical System Models

Recitation 4: Eventful Tactical KeYmaera X Proofs /15-624/ Logical Foundations of Cyber-Physical Systems

Kinematics. v (m/s) ii. Plot the velocity as a function of time on the following graph.

The TLA + proof system

Chapter 8. Dynamics II: Motion in a Plane

Physics 12. Unit 5 Circular Motion and Gravitation Part 1

Chapter 6. Applications of Newton s Laws

Models for Control and Verification

1. A baseball player throws a ball horizontally. Which statement best describes the ball's motion after it is thrown? [Neglect the effect of

A Logic of Proofs for Differential Dynamic Logic

LABORATORY V PREDICTING NON-REPETITIVE MOTION

Non-linear Interpolant Generation and Its Application to Program Verification

Uniform Substitution for Differential Game Logic

LECTURE 12: Free body diagrams

A Formally Verified Hybrid System for Safe Advisories in the Next-Generation Airborne Collision Avoidance System

Why Do Birds of Prey Fly in Circles? Does the Eagle Make It? p. 1/3

AP* Circular & Gravitation Free Response Questions

i. Indicate on the figure the point P at which the maximum speed of the car is attained. ii. Calculate the value vmax of this maximum speed.

Potential and Kinetic Energy: Roller Coasters Student Version

Characterizing Algebraic Invariants by Differential Radical Invariants

Combining Deduction and Algebraic Constraints for Hybrid System Analysis

Dynamic logic for Hybrid systems

15-424/ Recitation 1 First-Order Logic, Syntax and Semantics, and Differential Equations Notes by: Brandon Bohrer

Exercise 4) Newton's law of cooling is a model for how objects are heated or cooled by the temperature of an ambient medium surrounding them.

Uniform Circular Motion. Uniform Circular Motion

First-Year Engineering Program. Physics RC Reading Module

Formal Verification of a Controlled Flight Between Two Robots: A Case Study

Due Date: Thursday, September 13th, 11:59PM (no late days), worth 60 points

PHYSICS. Chapter 8 Lecture FOR SCIENTISTS AND ENGINEERS A STRATEGIC APPROACH 4/E RANDALL D. KNIGHT Pearson Education, Inc.

APPLIED MATHEMATICS IM 02

Physics 207 Lecture 9. Lecture 9

Name St. Mary's HS AP Physics Circular Motion HW

Chapter: Motion, Acceleration, and Forces

Algebra Based Physics Uniform Circular Motion

Physics 211 Week 4. Work and Kinetic Energy: Block on Incline (Solutions)

AP Physics Free Response Practice Dynamics

Physics 2210 Fall 2011 David Ailion EXAM 2

4 Axioms and Proof Rules for Differential Equations

What are two forms of Potential Energy that we commonly use? Explain Conservation of Energy and how we utilize it for problem-solving technics.

HybridSAL Relational Abstracter

AP Physics 1 Lesson 9 Homework Outcomes. Name

ANALYZING REAL TIME LINEAR CONTROL SYSTEMS USING SOFTWARE VERIFICATION. Parasara Sridhar Duggirala UConn Mahesh Viswanathan UIUC

velocity = displacement time elapsed

Chapter 7: Energy. Consider dropping a ball. Why does the ball s speed increase as it falls?

In this lecture we will discuss three topics: conservation of energy, friction, and uniform circular motion.

Cart on a Ramp. Evaluation Copy. Figure 1. Vernier Dynamics Track. Motion Detector Bracket

A Temporal Dynamic Logic for Verifying Hybrid System Invariants

Vector and Relative motion discussion/ in class notes. Projectile Motion discussion and launch angle problem. Finish 2 d motion and review for test

Physics 211 Week 5. Work and Kinetic Energy: Block on Ramp

Synthesizing from Components: Building from Blocks

Lecture Notes on Dynamical Systems & Dynamic Axioms

Circular Motion.

Central Force Particle Model

AP Q1 Practice Questions Kinematics, Forces and Circular Motion

Vectors. Scalars & vectors Adding displacement vectors. What about adding other vectors - Vector equality Order does not matter: i resultant A B

Equipment Marbles Stopwatch Block

Earth moves 30,000 m/s around sun

Chapter: Motion, Acceleration, and Forces

Chapter 5 Review : Circular Motion; Gravitation

Energy problems look like this: Momentum conservation problems. Example 8-1. Momentum is a VECTOR Example 8-2

Constraint Solving for Program Verification: Theory and Practice by Example

Verification and Synthesis. Using Real Quantifier Elimination. Ashish Tiwari, SRI Intl. Verif. and Synth. Using Real QE: 1

22: Axioms & Uniform Substitutions

Chapter 2: Motion a Straight Line

Proofs of Correctness: Introduction to Axiomatic Verification

B) v `2. C) `2v. D) 2v. E) 4v. A) 2p 25. B) p C) 2p. D) 4p. E) 4p 2 25

Honor Physics Final Exam Review. What is the difference between series, parallel, and combination circuits?

Need for Speed Tokyo Drift: Hotwheels Edition (A Drifting Control Case Study)

Name: Total Points: Physics 201. Midterm 1

AP Physics 1- Kinematics Practice Problems (version 2)

How will height of the bottom of a pendulum be affected if different weights are attached to the bottom of the pendulum?

for the initial position and velocity. Find formulas for v t and x t. b) Assuming x 0 = 0 and v 0 O 0, show that the maximum value of x t is x max

Name Class Page 1. Conservation of Energy at the Skate Park

physicsandmathstutor.com

Circular Motion PreTest

1. Two forces are applied to a wooden box as shown below. Which statement best describes the effect these forces have on the box?

Introductory Physics PHYS101

Physics 20 Amusement Park WEM

Chapter 8 Conservation of Energy. Copyright 2009 Pearson Education, Inc.

PHY131H1F Introduction to Physics I Review of the first half Chapters Error Analysis

Circular Motion Test Review

School of the Future * Curriculum Map for Physics I: Mechanics Teacher(s) Michael Zitolo

Potential and Kinetic Energy: Roller Coasters Student Advanced Version

Student Exploration: Roller Coaster Physics

Transcription:

CoasterX: A Case Study in Component-Driven Hybrid Systems Proof Automation Brandon Bohrer (joint work with Adriel Luo, Xuean Chuang, André Platzer) Logical Systems Lab Computer Science Department Carnegie Mellon University ADHS, Jul 7 2018 1 / 32

Roller Coasters are Safety-Critical Systems Top Thrill Steel Phantom Mindbender [BLCP18] Joker s Jinx Phantom s Revenge Fujin Raijin II Rollback Head Injury Derailment 2 / 32

Formal Proofs in dl Ensure Safe Designs Top Thrill Steel Phantom Mindbender Rollback Head Injury Derailment Pre [phys]post [BLCP18] Identify: Notion of safety Post (acc < acc hi ) 3 / 32

Formal Proofs in dl Ensure Safe Designs Top Thrill Steel Phantom Mindbender Rollback Head Injury Derailment Pre [phys]post [BLCP18] Identify: Notion of safety Post (acc < acc hi ) Safe conditions Pre (v = v 0 ) 3 / 32

Formal Proofs in dl Ensure Safe Designs Top Thrill Steel Phantom Mindbender Rollback Head Injury Derailment Pre [phys]post [BLCP18] Identify: Notion of safety Post (acc < acc hi ) Safe conditions Pre (v = v 0 ) Verify physical plant ({x =..., y =...}) 3 / 32

Design Verification Supplements Simulation Simulations typically used today [XXLY12, Wei15] Approach Pro Con Simulate Rich dynamics, easy Low rigor+precision Verify High rigor+precision Simple dynamics, hard 4 / 32

Verifying Physical Designs is a Challenge How do we verify models at scale? How do we make verification accessible to non-experts? 5 / 32

Verifying Plant Designs is Important 6 / 32

Component-Driven Proof Automation Enables Design Verification GUI Builder Component model CoasterX Backend dl fml. dl pf. KeYmaera X Prover Core (1700 Lines) [FMQ + 15] Goal Accessible Rigorous Scalable Solution High-level graphical modeling Formal proof checked by small prover core Proof scales by exploiting component structure 7 / 32

Track Sections are Components for Coasters Generic Component 8 / 32

Track Sections are Components for Coasters Generic Component Automatic Composition 8 / 32

Track Sections are Components for Coasters Generic Component Automatic Composition 8 / 32

Track Sections are Components for Coasters Generic Component Automatic Composition 8 / 32

Track Sections are Components for Coasters Generic Component Automatic Composition 8 / 32

Background: dl Formulas P, Q ::= P Q P xp θ 1 θ 2 [α]p Example: Pre [plant]post Construct P Q, P, xp θ 1 θ 2 [α]p Meaning First-order Logic Real arithmetic comparisons Safety: After α runs, P always holds 9 / 32

Background: Hybrid Programs α, β ::= {x = θ & P} α β α Construct Meaning {x = θ & P} Evolve x at continuous rate θ Evolution domain constraint P asserted continuously α β Choose either α or β nondeterministically α Loop α nondeterministically n 0 times 10 / 32

Velocity and Acceleration Bounds are Fundamental Rollback Head Injury Derailment 0 < v lo v a a hi a a hi [AST17] 11 / 32

Tracks are 2D 2D modeling greatly simplifies GUI Vertical and horizontal bounds only (no lateral bound) Ignores banking, wind, roll resistance (1-2%) 12 / 32

Conservative Bound Suffices for Phantom Top Thrill Steel Phantom Mindbender Joker s Jinx Phantom s Revenge Fujin Raijin II Rollback Head Injury Derailment (>) (<) (<) 13 / 32

Example plant {{x = 2/2 v, y = 2/2 v, v = 2/2 g & 0 x 100} {x = dx v, y = dy, v = dy g, dx = dy v/100 2, dy = dx v/100 2 & 100 x 200} {x = 2/2 v, y = 2/2 v, v = 2/2 g & 200 x 300}} 14 / 32

Example plant {{Line(...) & 0 x 100} {Arc(...) & 100 x 200} {Line(...) & 200 x 300}} 14 / 32

Example plant {{Line(...) & 0 x 100} {Arc(...) & 100 x 200} {Line(...) & 200 x 300}} 14 / 32

Example plant {{Line(...) & 0 x 100} {Arc(...) & 100 x 200} {Line(...) & 200 x 300}} 14 / 32

Individual Components are Modeled as ODEs Arc Segment: Arc def {x = v dx, y = v dy, v = dy g, dx = dy v/r, dy = dx v/r & InBounds(x 1, x 2, y 1, y 2 )} 15 / 32

Concrete Parameters are Plugged in From GUI Line Segment: Line def {x = v dx, y = v dy, v = dy g & InBounds(x 1, x 2, y 1, y 2 )} Subst Line(1, 0,...) def {x = v 1, y = v 0, v = 0 g & InBounds(0, 100, 200, 200)} 16 / 32

Composition is Modeled with Discrete Programs Let track sections sec i be component instances: sec i def Line(args i ) or Arc(args i ) and system model α: plant def (sec 1 sec n ) 17 / 32

Components Verified with Invariants and Solving Straight line is solvable, thus decidable. Arc needs invariant (energy conservation), proved manually: E = E 0 OnTrack [Arc] (E = E 0 OnTrack) 18 / 32

Instantiation is Verified by Substitution Conceptually simple step Greatly improves performance (20x in some cases) Line def {x = v dx, y = v dy, v = dy g & InBounds(x 1, x 2, y 1, y 2 )} Subst Line(1, 0,...) def {x = v 1, y = v 0, v = 0 g & InBounds(0, 100, 200, 200)} 19 / 32

Composition is Verified by Contract-Checking At boundary, invariants for both sections hold Checked with arithmetic solving + custom automation Example: J 1 (x = y) J 2 ( y 2 + (x 200) 2 = 100 2) 20 / 32

Analysis Distinguished 6 Safe/Unsafe Real Coasters Top Thrill Steel Phantom (6.5g) Backyard El Toro Phantom s Revenge (3.5g) Lil Phantom 21 / 32

This is the Largest dl Model Ever Stats: CoasterX Max Previous Max (Est.) Components 56 > 3 Fml size 52KB > 6.5KB Proof Steps 20M (29K w/ reuse) > 100K 22 / 32

Scalability is Quadratic Runtime vs. Problem Size 1500 time(s) 1000 500 0 37 57 107 # vars 192 (on a recent workstation) 232 256 23 / 32

Component Verification Cost Sometimes Matters Component Time # Steps Line 140s 900K Arc 4.5s 12.5K Automatic proof (Line) vastly slower than manual proof (Arcs) 24 / 32

Future Work 25 / 32

Advanced Dynamical Models Answer Deeper Questions Acceleration a a hi Rollback 0 < v lo v Stuck 0 < v lo v Friction Wind 26 / 32

Advanced 3D Design 2D Build Detect Simulate 3D 3D Modeling support enables lateral bounds and banking support 27 / 32

Rich Contracts Enable High-Impact Domains Transit networks: Contracts at intersections/switches Flight plans: Contracts at crossing points Rail Road UAV 28 / 32

Coasters Support Pedagogical Mission 15-424 CPS Foundations: Fun applications motivate students Course feeds into undergraduate research Initial stages were Adriel + Xuean s 15-424 course project GPWS Chute Pong Coaster Chess Baseball 29 / 32

Questions? Top Thrill Steel Phantom Backyard El Toro Phantom s Revenge Lil Phantom 30 / 32

References I ASTM, Standard Practice for Design of Amusement Rides and Devices, Standard, ASTM Intl., Sep 2017. Brandon Bohrer, Adriel Luo, Xuean Chuang, and André Platzer, CoasterX: A case study in component-driven hybrid systems proof automation, IFAC, 2018. Nathan Fulton, Stefan Mitsch, Jan-David Quesel, Marcus Völp, and André Platzer, KeYmaera X: An axiomatic tactical theorem prover for hybrid systems, CADE (Berlin) (Amy Felty and Aart Middeldorp, eds.), LNCS, vol. 9195, Springer, 2015, pp. 527 538. Nick Weisenberger, Coasters 101: An engineer s guide to roller coaster design, 2015. 31 / 32

References II Gening Xu, Hujun Xin, Fengyi Lu, and Mingliang Yang, Kinematics and dynamics simulation research for roller coaster multi-body system, Advanced Materials Research, vol. 421, Trans Tech Publications, 2012, pp. 276 280. 32 / 32

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback