CoasterX: A Case Study in Component-DrivenHybrid Systems Proof Automation

Brandon Bohrer(joint work with Adriel Luo, Xuean Chuang, André Platzer)

Logical Systems LabComputer Science DepartmentCarnegie Mellon University

ADHS, Jul 7 2018

1 / 32

Roller Coasters are Safety-Critical Systems

Top Thrill Steel Phantom Mindbender

Joker’s Jinx Phantom’s Revenge Fujin Raijin II

Rollback Head Injury Derailment

[BLCP18]

2 / 32

Formal Proofs in dL Ensure Safe Designs

Top Thrill Steel Phantom Mindbender

Rollback Head Injury Derailment

[BLCP18]

⇓Pre→ [phys]Post

Identify:

• Notion of safety Post (acc < acchi)

• Safe conditions Pre (v = v0)Verify physical plant ({x ′ = . . . , y ′ = . . .})

3 / 32

Formal Proofs in dL Ensure Safe Designs

Top Thrill Steel Phantom Mindbender

Rollback Head Injury Derailment

[BLCP18]

⇓Pre→ [phys]Post

Identify:

• Notion of safety Post (acc < acchi)• Safe conditions Pre (v = v0)

Verify physical plant ({x ′ = . . . , y ′ = . . .})

3 / 32

Formal Proofs in dL Ensure Safe Designs

Top Thrill Steel Phantom Mindbender

Rollback Head Injury Derailment

[BLCP18]

⇓Pre→ [phys]Post

Identify:

• Notion of safety Post (acc < acchi)• Safe conditions Pre (v = v0)

Verify physical plant ({x ′ = . . . , y ′ = . . .})

3 / 32

Design Verification SupplementsSimulation

Simulations typically used today [XXLY12, Wei15]

Approach Pro Con

Simulate Rich dynamics, easy Low rigor+precisionVerify High rigor+precision Simple dynamics, hard

4 / 32

Verifying Physical Designs is a Challenge

• How do we verify models at scale?• How do we make verification accessible to non-experts?

5 / 32

Verifying Plant Designs is Important

⇓

6 / 32

Component-Driven Proof AutomationEnables Design Verification

GUI BuilderCoasterXBackend

KeYmaera XProver Core(1700 Lines)[FMQ+15]

Componentmodel

dL fml.

dL pf.

Goal Solution

Accessible High-level graphical modelingRigorous Formal proof checked by small prover coreScalable Proof scales by exploiting component structure

7 / 32

Track Sections are Components forCoasters

Generic Component

ww

Automatic Composition

8 / 32

Track Sections are Components forCoasters

Generic Componentww

Automatic Composition

8 / 32

Track Sections are Components forCoasters

Generic Componentww

Automatic Composition

8 / 32

Track Sections are Components forCoasters

Generic Componentww

Automatic Composition

8 / 32

Track Sections are Components forCoasters

Generic Componentww

Automatic Composition

8 / 32

Background: dL Formulas

P,Q ::= P ∧ Q | ¬P | ∀xP | θ1 ≥ θ2 | [α]P

Example: Pre→ [plant]Post

Construct Meaning

P ∧ Q, ¬P,∀xP First-order Logicθ1 ≥ θ2 Real arithmetic comparisons

[α]P Safety: After α runs, P always holds

9 / 32

Background: Hybrid Programs

α, β ::= · · · | {x ′ = θ & P} | α ∪ β | α∗

Construct Meaning

{x ′ = θ & P} Evolve x at continuous rate θEvolution domain constraint P asserted continuously

α ∪ β Choose either α or β nondeterministicallyα∗ Loop α nondeterministically n ≥ 0 times

10 / 32

Velocity and Acceleration Bounds areFundamental

Rollback Head Injury Derailment0 < vlo ≤ v |a| ≤ ahi |a| ≤ ahi

[AST17]

11 / 32

Tracks are 2D

• 2D modeling greatly simplifies GUI

• Vertical and horizontal bounds only (no lateral bound)• Ignores banking, wind, roll resistance (1-2%)

⇒

12 / 32

Conservative Bound Suffices for Phantom

Top Thrill Steel Phantom Mindbender

Joker’s Jinx Phantom’s Revenge Fujin Raijin II

Rollback Head Injury Derailment

(>) (

Example

plant ≡ {{x′ =√2/2 v, y′ =

√2/2 v, v′ = −

√2/2 g & 0 ≤ x ≤ 100}

∪ {x ′ = dx v , y ′ = dy , v ′ = −dy g , dx ′ = −dy v/100√

2,

dy ′ = dx v/100√

2 & 100 ≤ x ≤ 200}∪ {x ′ =

√2/2 v , y ′ = −

√2/2 v , v ′ =

√2/2 g & 200 ≤ x ≤ 300}}∗

14 / 32

Example

plant ≡ {{Line(. . .) & 0 ≤ x ≤ 100}∪ {Arc(. . .) & 100 ≤ x ≤ 200}∪ {Line(. . .) & 200 ≤ x ≤ 300}}∗

14 / 32

Example

plant ≡ {{Line(. . .) & 0 ≤ x ≤ 100}∪ {Arc(. . .) & 100 ≤ x ≤ 200}∪ {Line(. . .) & 200 ≤ x ≤ 300}}∗

14 / 32

Example

plant ≡ {{Line(. . .) & 0 ≤ x ≤ 100}∪ {Arc(. . .) & 100 ≤ x ≤ 200}∪ {Line(. . .) & 200 ≤ x ≤ 300}}∗

14 / 32

Individual Components are Modeled asODEs

Arc Segment:

Arcdef≡ {x ′ = v · dx , y ′ = v · dy , v ′ = −dy · g ,

dx ′ = −dy · v/r , dy ′ = dx · v/r& InBounds(x1, x2, y1, y2)}

15 / 32

Concrete Parameters are Plugged in FromGUI

Line Segment:

Linedef≡ {x ′ = v · dx , y ′ = v · dy , v ′ = −dy · g

& InBounds(x1, x2, y1, y2)}

⇓Subst

Line(1, 0, . . .)def≡ {x ′ = v · 1, y ′ = v · 0, v ′ = −0 · g

& InBounds(0, 100, 200, 200)}

16 / 32

Composition is Modeled with DiscretePrograms

Let track sections seci be component instances:

secidef≡ Line(argsi ) or Arc(argsi )

and system model α:

plantdef≡ (sec1 ∪ · · · ∪ secn)∗

17 / 32

Components Verified with Invariants andSolving

• Straight line is solvable, thus decidable.• Arc needs invariant (energy conservation), proved manually:

E = E0 ∧OnTrack→ [Arc] (E = E0 ∧OnTrack)

18 / 32

Instantiation is Verified by Substitution

• Conceptually simple step• Greatly improves performance (20x in some cases)

Linedef≡ {x ′ = v · dx , y ′ = v · dy , v ′ = −dy · g

& InBounds(x1, x2, y1, y2)}

⇓Subst

Line(1, 0, . . .)def≡ {x ′ = v · 1, y ′ = v · 0, v ′ = −0 · g

& InBounds(0, 100, 200, 200)}

19 / 32

Composition is Verified byContract-Checking

• At boundary, invariants for both sections hold• Checked with arithmetic solving + custom automation

Example:J1 ≡ (x = y)

J2 ≡(y2 + (x − 200)2 = 1002

)

20 / 32

Analysis Distinguished 6 Safe/Unsafe RealCoasters

Top Thrill Steel Phantom (6.5g) Backyard

El Toro Phantom’s Revenge (3.5g) Lil’ Phantom

21 / 32

This is the Largest dL Model Ever

Stats:CoasterX Max Previous Max (Est.)

Components 56 > 3Fml size 52KB > 6.5KB

Proof Steps 20M (29K w/ reuse) > 100K

22 / 32

Scalability is Quadratic

37 57 107

192

232

256

0

500

1000

1500

# vars

tim

e(s)

Runtime vs. Problem Size

(on a recent workstation)

23 / 32

Component Verification Cost SometimesMatters

Component Time # StepsLine 140s 900KArc ≈4.5s ≈12.5K

Automatic proof (Line) vastly slower than manual proof (Arcs)

24 / 32

Future Work

25 / 32

Advanced Dynamical Models AnswerDeeper Questions

Acceleration|a| ≤ ahi

⇒

Rollback0 < vlo ≤ v

Stuck0 < vlo ≤ v

Friction Wind

26 / 32

Advanced 3D Design

2DBuild Detect Simulate

⇓

3D

3D Modeling support enables lateral bounds and banking support

27 / 32

Rich Contracts Enable High-ImpactDomains

• Transit networks: Contracts at intersections/switches• Flight plans: Contracts at crossing points

Rail Road UAV

28 / 32

Coasters Support Pedagogical Mission

• 15-424 CPS Foundations: Fun applications motivate students• Course feeds into undergraduate research• Initial stages were Adriel + Xuean’s 15-424 course project

GPWS Chute Pong

Coaster Chess Baseball

29 / 32

Questions?

Top Thrill Steel Phantom Backyard

El Toro Phantom’s Revenge Lil’ Phantom

30 / 32

References I

ASTM, Standard Practice for Design of Amusement Rides andDevices, Standard, ASTM Intl., Sep 2017.

Brandon Bohrer, Adriel Luo, Xuean Chuang, and AndréPlatzer, CoasterX: A case study in component-driven hybridsystems proof automation, IFAC, 2018.

Nathan Fulton, Stefan Mitsch, Jan-David Quesel, MarcusVölp, and André Platzer, KeYmaera X: An axiomatic tacticaltheorem prover for hybrid systems, CADE (Berlin) (Amy Feltyand Aart Middeldorp, eds.), LNCS, vol. 9195, Springer, 2015,pp. 527–538.

Nick Weisenberger, Coasters 101: An engineer’s guide to rollercoaster design, 2015.

31 / 32

References II

Gening Xu, Hujun Xin, Fengyi Lu, and Mingliang Yang,Kinematics and dynamics simulation research for roller coastermulti-body system, Advanced Materials Research, vol. 421,Trans Tech Publications, 2012, pp. 276–280.

32 / 32

AppendixAppendixFor Further Reading