Formal Verification of Train Control with Air Pressure Brakes Stefan - - PowerPoint PPT Presentation

Formal Verification of Train Control with Air Pressure Brakes

Stefan Mitsch1 Marco Gario2 Christof J. Budnik2 Michael Golm2 Andr´ e Platzer1

1Computer Science Department, Carnegie Mellon University 2Siemens Corporate Technology, Princeton, NJ, USA

Reliability, Safety and Security of Railway Systems November 15, 2017

• S. Mitsch et al.—Formal Verification of Train Control

1 of 14

Railroad Safety: Train Separation and Train Control

Interlocking

• S. Mitsch et al.—Formal Verification of Train Control

2 of 14

Railroad Safety: Train Separation and Train Control

Interlocking

• S. Mitsch et al.—Formal Verification of Train Control

2 of 14

Railroad Safety: Train Separation and Train Control

Interlocking Train separation

• Movement

authority

• S. Mitsch et al.—Formal Verification of Train Control

2 of 14

Railroad Safety: Train Separation and Train Control

Interlocking Train separation

• Movement

authority

• S. Mitsch et al.—Formal Verification of Train Control

2 of 14

Railroad Safety: Train Separation and Train Control

Interlocking Train separation Train control requires!

• S. Mitsch et al.—Formal Verification of Train Control

2 of 14

Railroad Safety: Train Separation and Train Control

Interlocking Train separation Train control requires! Design provably safe train control considering physical train motion Federal Railroad Administration (FRA): motion and brake models No overshoot Limited undershoot

• S. Mitsch et al.—Formal Verification of Train Control

2 of 14

Railroad Safety: Train Separation and Train Control

Interlocking Train separation Train control requires! Design provably safe train control considering physical train motion Federal Railroad Administration (FRA): motion and brake models No overshoot Limited undershoot But underspecified control conditions

• S. Mitsch et al.—Formal Verification of Train Control

2 of 14

Railroad Safety: Train Separation and Train Control

Interlocking Train separation Train control requires! Design provably safe train control considering physical train motion Federal Railroad Administration (FRA): motion and brake models No overshoot Limited undershoot But underspecified control conditions Approach Safe train separation requires verified train control and motion!

• S. Mitsch et al.—Formal Verification of Train Control

2 of 14

Approach: Hybrid Systems Theorem Proving

Analyze the physical effect of software

Hybrid System Model Control Sensors Actuators

Discrete computation + continuous physics

1 2 3 4 5 6 7 −3 6 t 1 2 3 4 5 6 7 −1 4 9 t

• S. Mitsch et al.—Formal Verification of Train Control

3 of 14

Approach: Hybrid Systems Theorem Proving

Theorem proving ensures correct model

Proof guarantees correct model Proof Strategy Hybrid System Model KeYmaera X Control Conditions Proof

Main results for Certification: Proofs System architecture and implementation: Models Control engineering and testing: Control conditions

• S. Mitsch et al.—Formal Verification of Train Control

3 of 14

Train Motion and Brake Model

Accelerate t

Brossaeu, J., Ede, B.M.: Development of an adaptive predictive braking enforcement algorithm. FRA/DOT/ORD-9/13 (2009)

• S. Mitsch et al.—Formal Verification of Train Control

4 of 14

Train Motion and Brake Model

Accelerate Instant brake

Limited, but almost instant effect

t

Brossaeu, J., Ede, B.M.: Development of an adaptive predictive braking enforcement algorithm. FRA/DOT/ORD-9/13 (2009)

• S. Mitsch et al.—Formal Verification of Train Control

4 of 14

Train Motion and Brake Model

Accelerate Instant brake Air brake

Brake effect increases, time depends on train length

t

Brossaeu, J., Ede, B.M.: Development of an adaptive predictive braking enforcement algorithm. FRA/DOT/ORD-9/13 (2009)

• S. Mitsch et al.—Formal Verification of Train Control

4 of 14

Train Motion and Brake Model

Accelerate Instant brake Air brake t v′ = 1

m

• fa

,

Brossaeu, J., Ede, B.M.: Development of an adaptive predictive braking enforcement algorithm. FRA/DOT/ORD-9/13 (2009)

• S. Mitsch et al.—Formal Verification of Train Control

4 of 14

Train Motion and Brake Model

Accelerate Instant brake Air brake −Fpb t v′ = 1

m

• fa

, f ′

a = j & −Fpb≤fa

Brossaeu, J., Ede, B.M.: Development of an adaptive predictive braking enforcement algorithm. FRA/DOT/ORD-9/13 (2009)

• S. Mitsch et al.—Formal Verification of Train Control

4 of 14

Train Motion and Brake Model

Accelerate Instant brake Air brake −Fpb t v′ = 1

m

− (Fg + Fr + Fc) + fa , f ′

a = j & −Fpb≤fa

Brossaeu, J., Ede, B.M.: Development of an adaptive predictive braking enforcement algorithm. FRA/DOT/ORD-9/13 (2009)

• S. Mitsch et al.—Formal Verification of Train Control

4 of 14

Train Motion and Brake Model

Accelerate Instant brake Air brake −Fpb t x′ = v, v′ = 1

m

− (Fg + Fr + Fc) + fa , f ′

a = j & −Fpb≤fa

Brossaeu, J., Ede, B.M.: Development of an adaptive predictive braking enforcement algorithm. FRA/DOT/ORD-9/13 (2009)

• S. Mitsch et al.—Formal Verification of Train Control

4 of 14

Train Motion and Brake Model

Accelerate Instant brake Air brake −Fpb t x′ = v, v′ = 1

m

− (Fg + Fr + Fc) + fa , f ′

a = j & −Fpb≤fa

Underspecified: What are safe control choices? How important is brake model fidelity?

Brossaeu, J., Ede, B.M.: Development of an adaptive predictive braking enforcement algorithm. FRA/DOT/ORD-9/13 (2009)

• S. Mitsch et al.—Formal Verification of Train Control

4 of 14

Train Motion and Brake Model

Accelerate Instant brake Air brake −Fpb t x′ = v, v′ = 1

m

− (Fg + Fr + Fc) + fa , f ′

a = j & −Fpb≤fa

Underspecified: What are safe control choices? How important is brake model fidelity?

Brossaeu, J., Ede, B.M.: Development of an adaptive predictive braking enforcement algorithm. FRA/DOT/ORD-9/13 (2009)

Approach Formalize and verify control models Analyze their brake engage points

• S. Mitsch et al.—Formal Verification of Train Control

4 of 14

Control Model

Track Control extend e, d

• S. Mitsch et al.—Formal Verification of Train Control

5 of 14

Control Model

Track Control Train Control Driver e,d extend e, d a −Fpb

• S. Mitsch et al.—Formal Verification of Train Control

5 of 14

Control Model

Track Control Train Control Driver Actuators e,d a extend e, d a −Fpb Delay

• vs. air brake
• S. Mitsch et al.—Formal Verification of Train Control

5 of 14

Control Model

Track Control Train Control Driver Actuators Motion Env. e,d a fa,j extend e, d a −Fpb Delay

• vs. air brake
• S. Mitsch et al.—Formal Verification of Train Control

5 of 14

Formal Verification with dL: No Overshoot

Correctness property: respect the speed limit safe ≡ (z ≥ e → v ≤ 25)

• S. Mitsch et al.—Formal Verification of Train Control

6 of 14

Formal Verification with dL: No Overshoot

Correctness property: respect the speed limit safe ≡ (z ≥ e → v ≤ d)

d

• S. Mitsch et al.—Formal Verification of Train Control

6 of 14

Formal Verification with dL: No Overshoot

Correctness property: respect the speed limit safe ≡ (z ≥ e → v ≤ d)

d

[]safe

• S. Mitsch et al.—Formal Verification of Train Control

6 of 14

Formal Verification with dL: No Overshoot

Correctness property: respect the speed limit safe ≡ (z ≥ e → v ≤ d)

d

• ;

;

∗

safe

• S. Mitsch et al.—Formal Verification of Train Control

6 of 14

Formal Verification with dL: No Overshoot

Correctness property: respect the speed limit safe ≡ (z ≥ e → v ≤ d)

d

• d

∪ ; ;

∗

safe

• S. Mitsch et al.—Formal Verification of Train Control

6 of 14

Formal Verification with dL: No Overshoot

Correctness property: respect the speed limit safe ≡ (z ≥ e → v ≤ d)

d

init →

• d

∪ ; ;

∗

safe

• S. Mitsch et al.—Formal Verification of Train Control

6 of 14

Formal Verification with dL: No Overshoot

Correctness property: respect the speed limit safe ≡ (z ≥ e → v ≤ d)

d

init →

• d

∪

• ∪
• ;

;

∗

safe

• S. Mitsch et al.—Formal Verification of Train Control

6 of 14

Formal Verification with dL: No Overshoot

Correctness property: respect the speed limit safe ≡ (z ≥ e → v ≤ d)

d

init →

• d

∪

• ∪
• ;

;

∗

safe

≡ fa := ∗; ? − Fsb ≤ fa ≤ A; ?

• e − z ≥

(v2 − d2)m 2Fsb +

• A

Fsb + 1

• A

2m ε2 + vε

• ?
• e − z ≥

(v2 − d2)m 2Fsb +

• A

Fsb + 1

• A

2m ε2 + vε

• ?
• e − z ≥

(v2 − d2)m 2Fsb +

• A

Fsb + 1

• A

2m ε2 + vε

• (1)

∨slow− ∨ slow+ ∨ fast− ∨ fast+ ∨slow− ∨ slow+ ∨ fast− ∨ fast+ ∨slow− ∨ slow+ ∨ fast− ∨ fast+ (2) slow− slow− slow− ≡ ¬isFast(v) ∧ fa ≤ 0 ∧ e − z ≥ vε + mSlow(v) (3) slow+ slow+ slow+ ≡ [u := v+ faε m ]

• ¬isFast(u) ∧ fa ≥ 0 ∧ e − z ≥ vε +

faε2 2m + mSlow(u)

• (4)

fast− fast− fast− ≡ isFast(v) ∧ fa ≤ 0 ∧ e − z ≥ vε + mFast(v) (5) fast+ fast+ fast+ ≡ isFast(v) ∧ fa ≥ 0 ∧ e − z ≥ vε + faε2 2m + mFast

• v +

faε m

• (6)

isFast(v) isFast(v) isFast(v) ≡ v ≥ F 2

pb

2mJ mSlow(v) mSlow(v) mSlow(v) = 2 3 v 2mv/J mFast(v) mFast(v) mFast(v) = mv2 2Fpb + vFpb 2J − F 3

pb

24mJ2 (7)

• S. Mitsch et al.—Formal Verification of Train Control

6 of 14

Formal Verification with dL: No Overshoot

Correctness property: respect the speed limit safe ≡ (z ≥ e → v ≤ d)

d

init →

• d

∪

• ∪
• ;

;

∗

safe

≡ fa := ∗; ? − Fsb ≤ fa ≤ A; ?

• e − z ≥

(v2 − d2)m 2Fsb +

• A

Fsb + 1

• A

2m ε2 + vε

• ?
• e − z ≥

(v2 − d2)m 2Fsb +

• A

Fsb + 1

• A

2m ε2 + vε

• ?
• e − z ≥

(v2 − d2)m 2Fsb +

• A

Fsb + 1

• A

2m ε2 + vε

• (1)

∨slow− ∨ slow+ ∨ fast− ∨ fast+ ∨slow− ∨ slow+ ∨ fast− ∨ fast+ ∨slow− ∨ slow+ ∨ fast− ∨ fast+ (2) slow− slow− slow− ≡ ¬isFast(v) ∧ fa ≤ 0 ∧ e − z ≥ vε + mSlow(v) (3) slow+ slow+ slow+ ≡ [u := v+ faε m ]

• ¬isFast(u) ∧ fa ≥ 0 ∧ e − z ≥ vε +

faε2 2m + mSlow(u)

• (4)

fast− fast− fast− ≡ isFast(v) ∧ fa ≤ 0 ∧ e − z ≥ vε + mFast(v) (5) fast+ fast+ fast+ ≡ isFast(v) ∧ fa ≥ 0 ∧ e − z ≥ vε + faε2 2m + mFast

• v +

faε m

• (6)

isFast(v) isFast(v) isFast(v) ≡ v ≥ F 2

pb

2mJ mSlow(v) mSlow(v) mSlow(v) = 2 3 v 2mv/J mFast(v) mFast(v) mFast(v) = mv2 2Fpb + vFpb 2J − F 3

pb

24mJ2 (7)

Result Driving with verified control conditions ensures safety How to find conditions: Proofs!

• S. Mitsch et al.—Formal Verification of Train Control

6 of 14

Systematically Derive Safe Control Conditions in dL

Partial model, unknown condition ?true

• ; ?true ;
• safe
• S. Mitsch et al.—Formal Verification of Train Control

7 of 14

Systematically Derive Safe Control Conditions in dL

Partial model, unknown condition ?true

• ; ?true ;
• safe

Run and observe “parallel universe”

• ; ?[

]safe

• test for desired outcome

;

• safe

copy&paste

• S. Mitsch et al.—Formal Verification of Train Control

7 of 14

Systematically Derive Safe Control Conditions in dL

Partial model, unknown condition ?true

• ; ?true ;
• safe

Run and observe “parallel universe”

• ; ?[

]safe

• test for desired outcome

;

• safe

Obviously true but not helpful for implementation

• [

]safe → [ ]safe

• copy&paste
• S. Mitsch et al.—Formal Verification of Train Control

7 of 14

Systematically Derive Safe Control Conditions in dL

Partial model, unknown condition ?true

• ; ?true ;
• safe

Run and observe “parallel universe”

• ; ?[

]safe

• test for desired outcome

;

• safe

Obviously true but not helpful for implementation

• [

]safe → [ ]safe

• Symbolically execute program with dL
• safe(z + vt + fa

2mt2, v + fa mt) → [

]safe

• copy&paste
• ≡
• S. Mitsch et al.—Formal Verification of Train Control

7 of 14

Systematically Derive Safe Control Conditions in dL

Partial model, unknown condition ?true

• ; ?true ;
• safe

Run and observe “parallel universe”

• ; ?[

]safe

• test for desired outcome

;

• safe

Obviously true but not helpful for implementation

• [

]safe → [ ]safe

• Symbolically execute program with dL
• safe(z + vt + fa

2mt2, v + fa mt) → [

]safe

• Use program effects as control conditions
• ; ?safe(z + vt + fa

2mt2, v + fa mt) ;

safe

Implementable copy&paste

• ≡
• S. Mitsch et al.—Formal Verification of Train Control

7 of 14

Systematically Derive Safe Control Conditions in dL

Partial model, unknown condition ?true

• ; ?true ;
• safe

Run and observe “parallel universe”

• ; ?[

]safe

• test for desired outcome

;

• safe

Obviously true but not helpful for implementation

• [

]safe → [ ]safe

• Symbolically execute program with dL
• safe(z + vt + fa

2mt2, v + fa mt) → [

]safe

• Use program effects as control conditions
• ; ?safe(z + vt + fa

2mt2, v + fa mt) ;

safe

Implementable copy&paste

• ≡

Result Augment partial model with implementable control conditions derived by proof

• S. Mitsch et al.—Formal Verification of Train Control

7 of 14

Proof guarantees correct model Proof Strategy Hybrid System Model KeYmaera X Control Conditions Proof

No overshoot Verified models: safely control brake delay and air brakes Symbolic control conditions to select between free driving and braking

• S. Mitsch et al.—Formal Verification of Train Control

8 of 14

Proof guarantees correct model Proof Strategy Hybrid System Model KeYmaera X Control Conditions Proof

No overshoot + Limited undershoot Verified models: safely control brake delay and air brakes Symbolic control conditions to select between free driving and braking

• S. Mitsch et al.—Formal Verification of Train Control

8 of 14

Formal Verification with dL: Limited Undershoot

Correctness: when done braking, train is after undershoot limit efficient ≡ (brakesEngaged∧v ≤ d) → (z ≥ e−u) u

d

• S. Mitsch et al.—Formal Verification of Train Control

9 of 14

Formal Verification with dL: Limited Undershoot

Correctness: when done braking, train is after undershoot limit efficient ≡ (brakesEngaged∧v ≤ d) → (z ≥ e−u) u

d

Needs change in control priority No overshoot: braking allowed but spoils efficiency init →

• ∪

;

;

∗

efficient

• S. Mitsch et al.—Formal Verification of Train Control

9 of 14

Formal Verification with dL: Limited Undershoot

Correctness: when done braking, train is after undershoot limit efficient ≡ (brakesEngaged∧v ≤ d) → (z ≥ e−u) u

d

Needs change in control priority No overshoot: braking allowed but spoils efficiency Limited undershoot: only brake if necessary for safety init →

if (mustBrake)

else

;

;

∗

efficient

• S. Mitsch et al.—Formal Verification of Train Control

9 of 14

Proof guarantees correct model Proof Strategy Hybrid System Model KeYmaera X Control Conditions Proof

No overshoot + Limited undershoot Verified models: safely control brake delay and air brakes Symbolic control conditions to select between free driving and braking Control favors free driving for efficiency

• S. Mitsch et al.—Formal Verification of Train Control

10 of 14

Experiments

Compare brake engage distance to endpoint control assuming delayed brakes control assuming air brakes Instantiate symbolic models with concrete parameters from FRA

Parameter Value vs. lz Length Medium = 2 345ft (40 cars) short,long m Mass Loaded = 10 520klb (263 klb

car)

empty v Speed Fast = 60mph slow Fpb Emergency brake Loaded = 1 430klbf (35 750 lbf

car)

empty,unknown tappl Time 50 s length-dependent A Acceleration 5 mph

min =391.91klbf

fa Brake force 1.75 mph

min = 136.76klbf

ε Control cycle 100ms

Brossaeu, J., Ede, B.M.: Development of an adaptive predictive braking enforcement algorithm. FRA/DOT/ORD-9/13 (2009)

• S. Mitsch et al.—Formal Verification of Train Control

11 of 14

Experimental Results: Brake Engage Points

Slow Fast Loaded Empty Loaded Empty Cars 10 40 100 10 40 100 10 40 100 10 40 100 Brake force for unknown load Fpb = 23 338 Fpb = 23 338 Fpb = 23 338 lbf

car

Delay brakes 726 1,110 1,942 446 830 1,662 15,436 17,742 22,730 5,369 7,676 12,664 Air brakes 541 710 1,017 239 345 503 14,364 15,494 17,880 4,278 5,334 7,383 Difference 185 400 925 207 485 1,161 1,072 2,248 4,850 1,091 2,342 5,281 Brake force for known load, loaded: Fpb = 35 750 Fpb = 35 750 Fpb = 35 750 lbf

car , empty: Fpb = 10 575

Fpb = 10 575 Fpb = 10 575 lbf

car

Delay brakes 597 982 1,814 554 939 1,771 10,817 13,123 18,111 9,277 11,583 16,571 Air brakes 409 565 822 364 512 746 9,743 10,859 13,188 8,200 9,309 11,602 Difference 188 417 992 190 427 1,025 1,074 2,264 4,923 1,077 2,274 4,969

• S. Mitsch et al.—Formal Verification of Train Control

12 of 14

Experimental Results: Brake Engage Points

Slow Fast Loaded Empty Loaded Empty Cars 10 40 100 10 40 100 10 40 100 10 40 100 Brake force for unknown load Fpb = 23 338 Fpb = 23 338 Fpb = 23 338 lbf

car

Delay brakes 726 1,110 1,942 446 830 1,662 15,436 17,742 22,730 5,369 7,676 12,664 Air brakes 541 710 1,017 239 345 503 14,364 15,494 17,880 4,278 5,334 7,383 Difference 185 400 925 207 485 1,161 1,072 2,248 4,850 1,091 2,342 5,281 Brake force for known load, loaded: Fpb = 35 750 Fpb = 35 750 Fpb = 35 750 lbf

car , empty: Fpb = 10 575

Fpb = 10 575 Fpb = 10 575 lbf

car

Delay brakes 597 982 1,814 554 939 1,771 10,817 13,123 18,111 9,277 11,583 16,571 Air brakes 409 565 822 364 512 746 9,743 10,859 13,188 8,200 9,309 11,602 Difference 188 417 992 190 427 1,025 1,074 2,264 4,923 1,077 2,274 4,969

• S. Mitsch et al.—Formal Verification of Train Control

12 of 14

Experimental Results: Brake Engage Points

Air brake control conditions engage brakes considerably later Fast trains

Loaded Empty Cars 10 40 100 10 40 100 Brake force for known load, loaded: Fpb = 35 750 lbf

car, empty: Fpb = 10 575 lbf car

Delay brakes 10,817 13,123 18,111 9,277 11,583 16,571 Air brakes 9,743 10,859 13,188 8,200 9,309 11,602 Difference 1,074 2,264 4,923 1,077 2,274 4,969

Difference exceeds FRA requirement of at most 1000ft undershoot!

• S. Mitsch et al.—Formal Verification of Train Control

12 of 14

Summary

Theorem proving ensures correct model

Proof guarantees correct model Proof Strategy Hybrid System Model KeYmaera X Code Control Conditions Proof

No overshoot + Limited undershoot Proofs for certification Models and code for system architecture and implementation Control conditions for runtime monitoring and testing

• S. Mitsch et al.—Formal Verification of Train Control

13 of 14

Summary

Transfer safety of model to controller implementation

KeYmaera X Code Control Conditions Proof Sensors Control Monitor Actuators

Monitor desired effect + safe environment ModelPlex synthesizes and proves monitors for model compliance Runtime: ensure safety and detect anomalies Testing: generate and analyze test cases

Mitsch, S., Platzer, A.: ModelPlex: Verified runtime validation of verified cyber-physical system models. Formal Methods in System Design, 49(1), 2016.

• S. Mitsch et al.—Formal Verification of Train Control

13 of 14

www.keymaeraX.org Stefan Mitsch Computer Science Department, Carnegie Mellon University smitsch@cs.cmu.edu

• S. Mitsch et al.—Formal Verification of Train Control

14 of 14