Formal Verification of Train Control with Air Pressure Brakes

Similar documents
Agents. Formalizing Task Environments. What s an agent? The agent and the environment. Environments. Example: the automated taxi driver (PEAS)

A Dependability Case Language for a Radiation Therapy System

Princess Nora University Faculty of Computer & Information Systems ARTIFICIAL INTELLIGENCE (CS 370D) Computer Science Department

Toward Plug and Play Medical Cyber-Physical Systems (Part 2)

CS 771 Artificial Intelligence. Intelligent Agents

Intelligent Agents. Chapter 2

Fatigue: Lessons Learned from NTSB Accident Investigations

Intelligent Agents. Chapter 2 ICS 171, Fall 2009

Human Factors Questionnaire measurement of engineer decision frequency

Improved Outer Approximation Methods for MINLP in Process System Engineering

Rational Agents (Chapter 2)

CS324-Artificial Intelligence

ICS 606. Intelligent Autonomous Agents 1. Intelligent Autonomous Agents ICS 606 / EE 606 Fall Reactive Architectures

Intelligent Agents. Outline. Agents. Agents and environments

Supervisory control synthesis

Agents and Environments

Artificial Intelligence Lecture 7

Chapter 2: Intelligent Agents

Vorlesung Grundlagen der Künstlichen Intelligenz

Potential Countermeasures to Mitigate Suicides on the Railroad Rights-of-Way

Kinematic and Dynamic Adaptation of

EBS IT Meeting September 2016

AI: Intelligent Agents. Chapter 2

LECTURE 5: REACTIVE AND HYBRID ARCHITECTURES

Intelligent Autonomous Agents. Ralf Möller, Rainer Marrone Hamburg University of Technology

The Colorado Bureau of Investigation s (CBI) Blood Alcohol Analyses Summary of Issues

Unifying Data-Directed and Goal-Directed Control: An Example and Experiments

Driver Alertness Detection Research Using Capacitive Sensor Array

Chapter 5 Car driving

Plan Recognition through Goal Graph Analysis

Intelligent Agents. CmpE 540 Principles of Artificial Intelligence

Agents. This course is about designing intelligent agents Agents and environments. Rationality. The vacuum-cleaner world

Basic knowledge about Drugs Week # 3

Artificial Intelligence. Intelligent Agents

APPLICATION FOR EMPLOYMENT-Non Salaried Position CITY OF RALSTON, NEBRASKA EQUAL OPPORTUNITY EMPLOYER

ACCESSIBILITY DETAILS FOR SIGNS

The Effect of Glare in Shnulated Night Driving

Intelligent Agents. Soleymani. Artificial Intelligence: A Modern Approach, Chapter 2

Robotic Dancing: Exploring Agents that use a Stratified Perceive- Decide-Act Cycle of Interaction

Drug and alcohol testing (including SAP) procedures are 49 CFR Part 40.

Lecture 5- Hybrid Agents 2015/2016

Agents. Environments Multi-agent systems. January 18th, Agents

Semiotics and Intelligent Control

Dear Applicant, If you have any questions, feel free to call (509) Sincerely, Steven Hansen WSU PD Assistant Chief

CMU SCS CMU SCS CMU SCS CMU SCS

Sewerage and Water Board Take-Home Vehicles

Artificial Intelligence CS 6364

Formal Verification of Cyber-Physical Systems

Intelligent Agents. BBM 405 Fundamentals of Artificial Intelligence Pinar Duygulu Hacettepe University. Slides are mostly adapted from AIMA

Artificial Intelligence Intelligent agents

Web-Mining Agents Cooperating Agents for Information Retrieval

CMS ISSUES FINAL CAH PROVIDER-BASED REGULATIONS

Developing World Model Data Specifications as Metrics for Sensory Processing for On-Road Driving Tasks

CIT Strategic Plan. November 2015 November 2017

Intelligent Agents. Instructor: Tsung-Che Chiang

Artificial Intelligence

Cannabis Legalization August 22, Ministry of Attorney General Ministry of Finance

What is AI? The science of making machines that: Think rationally. Think like people. Act like people. Act rationally

Ontologies for World Modeling in Autonomous Vehicles

CS 331: Artificial Intelligence Intelligent Agents

Structural assessment of heritage buildings

Intelligent Agents. Instructor: Tsung-Che Chiang

CS 331: Artificial Intelligence Intelligent Agents

a ~ P~e ýt7c4-o8bw Aas" zt:t C 22' REPORT TYPE AND DATES COVERED FINAL 15 Apr Apr 92 REPORT NUMBER Dept of Computer Science ' ;.

ANDREW J. RENTSCHLER, Ph.D. PROFESSIONAL BIOGRAPHICAL OUTLINE

Dynamic Slack Reclamation with Procrastination Scheduling in Real-Time Embedded Systems

22c:145 Artificial Intelligence

Lecture 2 Agents & Environments (Chap. 2) Outline

Getting the Payoff With MDD. Proven Steps to Get Your Return on Investment

Dr. Mustafa Jarrar. Chapter 2 Intelligent Agents. Sina Institute, University of Birzeit

Intelligent Agents. Russell and Norvig: Chapter 2

Ryan Carothers Detachment Commander Caledon OPP

EXCITE, ENGAGING CARDIO ADVANCED LED DISPLAY RUN User manual

Plan Recognition through Goal Graph Analysis

Embracing Complexity in System of Systems Analysis and Architecting

CS 331: Artificial Intelligence Intelligent Agents. Agent-Related Terms. Question du Jour. Rationality. General Properties of AI Systems

Environment CAUTION HEARING PROTECTION REQUIRED. Occupational Noise Exposure Requirements for Photographic Processing Facilities

CDL Drivers Controlled Substance and Alcohol Policy

Modelling Aspects of Longitudinal Control in an Integrated Driver Model:

DRIVER BEHAVIOUR STUDIES IN THE MOTORWAY OPERATIONS PLATFORM GRANT

Invited talk, 12th International Conference on Distributed Computing and Internet Technology (ICDCIT), Bhubaneswar, India, January 2016

Web-Mining Agents Cooperating Agents for Information Retrieval

Design of the Autonomous Intelligent Simulation Model(AISM) using Computer Generated Force

UNIVERSITY FOOD SERVICES, INC. POLICIES AND PROCEDURES REGARDING THE SALE AND SERVICE OF ALCOHOLIC BEVERAGES

SONOMA COUNTY LAW ENFORCEMENT CHIEFS ASSOCIATION

IDENTIFICATION OF THE PARAMETERS THAT INFLUENCE THE UNCERTAINTY SOURCES IN ORTOPHAEDIC IMPLANTS FATIGUE TESTS

Agents and State Spaces. CSCI 446: Artificial Intelligence

KECERDASAN BUATAN 3. By Sirait. Hasanuddin Sirait, MT

Outline for Chapter 2. Agents. Agents. Agents and environments. Vacuum- cleaner world. A vacuum- cleaner agent 8/27/15

BOARD CERTIFICATION PROCESS (EXCERPTS FOR SENIOR TRACK III) Stage I: Application and eligibility for candidacy

Alcohol & Drug Practice

DriveWise Driving Evaluation. Ann M. Hollis OTR/L

Artificial Intelligence Agents and Environments 1

Workshop on Hadron Beam Therapy of Cancer Erice, Sicily April 24-May

THE MELLANBY EFFECT. Why Impaired Individuals Should Not Be Allowed to Be Behind the Wheel By Miriam Norman

APPLICATION FOR ADMISSION (PLEASE PRINT CLEARLY)

Precise defect detection with sensor data fusion

Agents & Environments Chapter 2. Mausam (Based on slides of Dan Weld, Dieter Fox, Stuart Russell)

University of Bristol - Explore Bristol Research. Peer reviewed version. Link to publication record in Explore Bristol Research PDF-document

First Phase 3 Results Presented for a PD-1 Immune Checkpoint Inhibitor

Transcription:

Formal Verification of Train Control with Air Pressure Brakes Stefan Mitsch 1 Marco Gario 2 Christof J. Budnik 2 Michael Golm 2 André Platzer 1 1 Computer Science Department, Carnegie Mellon University 2 Siemens Corporate Technology, Princeton, NJ, USA Reliability, Safety and Security of Railway Systems November 15, 2017 S. Mitsch et al. Formal Verification of Train Control 1 of 14

Railroad Safety: Train Separation and Train Control Interlocking S. Mitsch et al. Formal Verification of Train Control 2 of 14

Railroad Safety: Train Separation and Train Control Interlocking S. Mitsch et al. Formal Verification of Train Control 2 of 14

Railroad Safety: Train Separation and Train Control Movement authority Train separation Interlocking S. Mitsch et al. Formal Verification of Train Control 2 of 14

Railroad Safety: Train Separation and Train Control Movement authority Train separation Interlocking S. Mitsch et al. Formal Verification of Train Control 2 of 14

Railroad Safety: Train Separation and Train Control Train requires! Train control separation Interlocking S. Mitsch et al. Formal Verification of Train Control 2 of 14

Railroad Safety: Train Separation and Train Control Train requires! Train control separation Interlocking Design provably safe train control considering physical train motion Federal Railroad Administration (FRA): motion and brake models No overshoot Limited undershoot S. Mitsch et al. Formal Verification of Train Control 2 of 14

Railroad Safety: Train Separation and Train Control Train requires! Train control separation Interlocking Design provably safe train control considering physical train motion Federal Railroad Administration (FRA): motion and brake models No overshoot Limited undershoot But underspecified control conditions S. Mitsch et al. Formal Verification of Train Control 2 of 14

Railroad Safety: Train Separation and Train Control Train requires! Train control separation Approach Interlocking Safe train separation requires verified train control and motion! Design provably safe train control considering physical train motion Federal Railroad Administration (FRA): motion and brake models No overshoot Limited undershoot But underspecified control conditions S. Mitsch et al. Formal Verification of Train Control 2 of 14

Approach: Hybrid Systems Theorem Proving Analyze the physical effect of software Proof Control Hybrid System Model Sensors Actuators Discrete computation + continuous physics 6 9 4 0 3 0 1 2 3 4 5 6 7 1 t 0 1 2 3 4 5 6 7 t S. Mitsch et al. Formal Verification of Train Control 3 of 14

Approach: Hybrid Systems Theorem Proving Proof Strategy Theorem proving ensures correct model Proof guarantees correct model KeYmaera X Proof Hybrid System Model Control Conditions Main results for Certification: Proofs System architecture and implementation: Models Control engineering and testing: Control conditions S. Mitsch et al. Formal Verification of Train Control 3 of 14

Train Motion and Brake Model t Accelerate Brossaeu, J., Ede, B.M.: Development of an adaptive predictive braking enforcement algorithm. FRA/DOT/ORD-9/13 (2009) S. Mitsch et al. Formal Verification of Train Control 4 of 14

Train Motion and Brake Model t Accelerate Instant brake Limited, but almost instant effect Brossaeu, J., Ede, B.M.: Development of an adaptive predictive braking enforcement algorithm. FRA/DOT/ORD-9/13 (2009) S. Mitsch et al. Formal Verification of Train Control 4 of 14

Train Motion and Brake Model Accelerate Instant brake Air brake Brake effect increases, time depends on train length t Brossaeu, J., Ede, B.M.: Development of an adaptive predictive braking enforcement algorithm. FRA/DOT/ORD-9/13 (2009) S. Mitsch et al. Formal Verification of Train Control 4 of 14

Train Motion and Brake Model t Accelerate Instant brake Air brake v = 1 ( m f a ), Brossaeu, J., Ede, B.M.: Development of an adaptive predictive braking enforcement algorithm. FRA/DOT/ORD-9/13 (2009) S. Mitsch et al. Formal Verification of Train Control 4 of 14

Train Motion and Brake Model t F pb Accelerate Instant brake Air brake v = 1 ( m f a ), f a = j & F pb f a Brossaeu, J., Ede, B.M.: Development of an adaptive predictive braking enforcement algorithm. FRA/DOT/ORD-9/13 (2009) S. Mitsch et al. Formal Verification of Train Control 4 of 14

Train Motion and Brake Model t F pb Accelerate Instant brake Air brake v = 1 m ( (Fg + F r + F c ) + f a ), f a = j & F pb f a Brossaeu, J., Ede, B.M.: Development of an adaptive predictive braking enforcement algorithm. FRA/DOT/ORD-9/13 (2009) S. Mitsch et al. Formal Verification of Train Control 4 of 14

Train Motion and Brake Model t F pb Accelerate Instant brake Air brake x = v, v = 1 m ( (Fg + F r + F c ) + f a ), f a = j & F pb f a Brossaeu, J., Ede, B.M.: Development of an adaptive predictive braking enforcement algorithm. FRA/DOT/ORD-9/13 (2009) S. Mitsch et al. Formal Verification of Train Control 4 of 14

Train Motion and Brake Model t F pb Accelerate Instant brake Air brake x = v, v = 1 m ( (Fg + F r + F c ) + f a ), f a = j & F pb f a Underspecified: What are safe control choices? How important is brake model fidelity? Brossaeu, J., Ede, B.M.: Development of an adaptive predictive braking enforcement algorithm. FRA/DOT/ORD-9/13 (2009) S. Mitsch et al. Formal Verification of Train Control 4 of 14

Train Motion and Brake Model t F pb Approach Accelerate Instant Air Formalize brakeand verify control brake models Analyze their brake engage points x = v, v = 1 m ( (Fg + F r + F c ) + f a ), f a = j & F pb f a Underspecified: What are safe control choices? How important is brake model fidelity? Brossaeu, J., Ede, B.M.: Development of an adaptive predictive braking enforcement algorithm. FRA/DOT/ORD-9/13 (2009) S. Mitsch et al. Formal Verification of Train Control 4 of 14

Control Model Track Control extend e, d S. Mitsch et al. Formal Verification of Train Control 5 of 14

Control Model Track Control extend e, d e,d Driver Train Control a F pb S. Mitsch et al. Formal Verification of Train Control 5 of 14

Control Model Track Control extend e, d e,d Train Control Driver a a F pb Actuators Delay vs. air brake S. Mitsch et al. Formal Verification of Train Control 5 of 14

Control Model Track Control extend e, d e,d Train Control Driver a a F pb Actuators f a,j Delay vs. air brake Env. Motion S. Mitsch et al. Formal Verification of Train Control 5 of 14

Formal Verification with dl: No Overshoot Correctness property: respect the speed limit safe (z e v 25) S. Mitsch et al. Formal Verification of Train Control 6 of 14

Formal Verification with dl: No Overshoot Correctness property: respect the speed limit safe (z e v d) d S. Mitsch et al. Formal Verification of Train Control 6 of 14

Formal Verification with dl: No Overshoot Correctness property: respect the speed limit safe (z e v d) d []safe S. Mitsch et al. Formal Verification of Train Control 6 of 14

Formal Verification with dl: No Overshoot Correctness property: respect the speed limit safe (z e v d) [ ( ; ; ) ] d safe S. Mitsch et al. Formal Verification of Train Control 6 of 14

Formal Verification with dl: No Overshoot Correctness property: respect the speed limit safe (z e v d) [ ( d ; ; ) ] d safe S. Mitsch et al. Formal Verification of Train Control 6 of 14

Formal Verification with dl: No Overshoot Correctness property: respect the speed limit safe (z e v d) [ ( init d ; ; ) ] d safe S. Mitsch et al. Formal Verification of Train Control 6 of 14

Formal Verification with dl: No Overshoot Correctness property: respect the speed limit safe (z e v d) [ ( ) ( ) ] init d ; ; safe }{{} d S. Mitsch et al. Formal Verification of Train Control 6 of 14

Formal Verification with dl: No Overshoot Correctness property: respect the speed limit safe (z e v d) [ ( ) ( ) ] init d ; ; safe }{{} d ( ( ) ( ) f a := ;? F sb f a A;? e z (v 2 d 2 )m A A + + 1 2F sb F sb 2m ε2 + vε ) slow slow + fast fast + (1) (2) slow isfast(v) f a 0 e z vε + mslow(v) (3) ( ) slow + [u := v+ faε m ] isfast(u) f a 0 e z vε + faε2 2m + mslow(u) fast isfast(v) f a 0 e z vε + mfast(v) (5) ( ) fast + isfast(v) f a 0 e z vε + faε2 2m + mfast v + faε (6) m F 2 pb isfast(v) v 2mJ mslow(v) = 2 2mv/J 3 v mfast(v) mfast(v) = mv 2 + vf pb 2F pb 2J (4) F 3 pb 24mJ 2 (7) S. Mitsch et al. Formal Verification of Train Control 6 of 14

Formal Verification with dl: No Overshoot Correctness property: respect the speed limit safe (z e v d) [ ( ) ( ) ] init d ; ; safe }{{} Result ( ( ) ( ) Driving f a := ; with? F sb verified f a A;? control e z (v 2 conditions d 2 )m A + + ensures A 1 2F sb F sb 2m ε2 + safety vε How to find conditions: Proofs! d ) slow slow + fast fast + (1) (2) slow isfast(v) f a 0 e z vε + mslow(v) (3) ( ) slow + [u := v+ faε m ] isfast(u) f a 0 e z vε + faε2 2m + mslow(u) fast isfast(v) f a 0 e z vε + mfast(v) (5) ( ) fast + isfast(v) f a 0 e z vε + faε2 2m + mfast v + faε (6) m F 2 pb isfast(v) v 2mJ mslow(v) = 2 2mv/J 3 v mfast(v) mfast(v) = mv 2 + vf pb 2F pb 2J (4) F 3 pb 24mJ 2 (7) S. Mitsch et al. Formal Verification of Train Control 6 of 14

Systematically Derive Safe Control Conditions in dl Partial [ model, unknown ] condition?true ;?true ; safe S. Mitsch et al. Formal Verification of Train Control 7 of 14

Systematically Derive Safe Control Conditions in dl Partial [ model, unknown ] condition?true ;?true ; safe Run [ and observe parallel ] universe ;?[ ]safe ; safe }{{} test for desired outcome copy&paste S. Mitsch et al. Formal Verification of Train Control 7 of 14

Systematically Derive Safe Control Conditions in dl Partial [ model, unknown ] condition?true ;?true ; safe Run [ and observe parallel ] universe ;?[ ]safe ; safe }{{} test for desired outcome Obviously [ ]( true but not helpful ) for implementation [ ]safe [ ]safe copy&paste S. Mitsch et al. Formal Verification of Train Control 7 of 14

Systematically Derive Safe Control Conditions in dl Partial [ model, unknown ] condition?true ;?true ; safe Run [ and observe parallel ] universe ;?[ ]safe ; safe }{{} test for desired outcome Obviously [ ]( true but not helpful ) for implementation [ ]safe [ ]safe Symbolically [ ]( execute program with dl ) safe(z + vt + fa 2m t2, v + fa m t) [ ]safe copy&paste S. Mitsch et al. Formal Verification of Train Control 7 of 14

Systematically Derive Safe Control Conditions in dl Partial [ model, unknown ] condition?true ;?true ; safe Run [ and observe parallel ] universe ;?[ ]safe ; safe }{{} test for desired outcome Obviously [ ]( true but not helpful ) for implementation [ ]safe [ ]safe copy&paste Symbolically [ ]( execute program with dl ) safe(z + vt + fa 2m t2, v + fa m t) [ ]safe Use program effects as control conditions [ ;?safe(z + vt + fa 2m t2, v + fa m t) ; ] safe Implementable S. Mitsch et al. Formal Verification of Train Control 7 of 14

Systematically Derive Safe Control Conditions in dl Partial [ model, unknown ] condition?true ;?true ; safe Run [ and observe parallel ] universe ;?[ ]safe ; safe }{{} test for desired outcome Result Obviously [ ]( true but not helpful for implementation Augment) partial model [ ]safe with implementable [ ]safe control conditions Symbolically [ ]( execute program derived by with proof dl ) safe(z + vt + fa 2m t2, v + fa m t) [ ]safe copy&paste Use program effects as control conditions [ ;?safe(z + vt + fa 2m t2, v + fa m t) ; ] safe Implementable S. Mitsch et al. Formal Verification of Train Control 7 of 14

Proof Strategy Hybrid System Model Proof guarantees correct model KeYmaera X Proof Control Conditions No overshoot Verified models: safely control brake delay and air brakes Symbolic control conditions to select between free driving and braking S. Mitsch et al. Formal Verification of Train Control 8 of 14

Proof Strategy Hybrid System Model Proof guarantees correct model KeYmaera X Proof Control Conditions No overshoot + Limited undershoot Verified models: safely control brake delay and air brakes Symbolic control conditions to select between free driving and braking S. Mitsch et al. Formal Verification of Train Control 8 of 14

Formal Verification with dl: Limited Undershoot Correctness: when done braking, train is after undershoot limit efficient (brakesengaged v d) (z e u) u d S. Mitsch et al. Formal Verification of Train Control 9 of 14

Formal Verification with dl: Limited Undershoot Correctness: when done braking, train is after undershoot limit efficient (brakesengaged v d) (z e u) Needs change in control priority No overshoot: braking allowed but spoils efficiency u d init [ (( ) ; ; ) ] efficient S. Mitsch et al. Formal Verification of Train Control 9 of 14

Formal Verification with dl: Limited Undershoot Correctness: when done braking, train is after undershoot limit efficient (brakesengaged v d) (z e u) u d Needs change in control priority No overshoot: braking allowed but spoils efficiency Limited undershoot: only brake if necessary for safety [ ((if ) ) ] init (mustbrake) else ; ; efficient S. Mitsch et al. Formal Verification of Train Control 9 of 14

Proof Strategy Hybrid System Model Proof guarantees correct model KeYmaera X Proof Control Conditions No overshoot + Limited undershoot Verified models: safely control brake delay and air brakes Symbolic control conditions to select between free driving and braking Control favors free driving for efficiency S. Mitsch et al. Formal Verification of Train Control 10 of 14

Experiments Compare brake engage distance to endpoint control assuming delayed brakes control assuming air brakes Instantiate symbolic models with concrete parameters from FRA Parameter Value vs. l z Length Medium = 2 345ft (40 cars) short,long m Mass Loaded = 10 520klb (263 klb car ) empty v Speed Fast = 60mph slow F pb Emergency brake Loaded = 1 430klbf (35 750 lbf car ) empty,unknown t appl Time 50 s length-dependent A Acceleration 5 mph =391.91klbf min f a Brake force 1.75 mph = 136.76klbf min ε Control cycle 100ms Brossaeu, J., Ede, B.M.: Development of an adaptive predictive braking enforcement algorithm. FRA/DOT/ORD-9/13 (2009) S. Mitsch et al. Formal Verification of Train Control 11 of 14

Experimental Results: Brake Engage Points Slow Fast Loaded Empty Loaded Empty Cars 10 40 100 10 40 100 10 40 100 10 40 100 Brake force for unknown load F pb = 23 338 car lbf Delay brakes 726 1,110 1,942 446 830 1,662 15,436 17,742 22,730 5,369 7,676 12,664 Air brakes 541 710 1,017 239 345 503 14,364 15,494 17,880 4,278 5,334 7,383 Difference 185 400 925 207 485 1,161 1,072 2,248 4,850 1,091 2,342 5,281 Brake force for known load, loaded: F pb = 35 750 car lbf F pb = 10 575 car lbf Delay brakes 597 982 1,814 554 939 1,771 10,817 13,123 18,111 9,277 11,583 16,571 Air brakes 409 565 822 364 512 746 9,743 10,859 13,188 8,200 9,309 11,602 Difference 188 417 992 190 427 1,025 1,074 2,264 4,923 1,077 2,274 4,969 S. Mitsch et al. Formal Verification of Train Control 12 of 14

Experimental Results: Brake Engage Points Slow Fast Loaded Empty Loaded Empty Cars 10 40 100 10 40 100 10 40 100 10 40 100 Brake force for unknown load F pb = 23 338 car lbf Delay brakes 726 1,110 1,942 446 830 1,662 15,436 17,742 22,730 5,369 7,676 12,664 Air brakes 541 710 1,017 239 345 503 14,364 15,494 17,880 4,278 5,334 7,383 Difference 185 400 925 207 485 1,161 1,072 2,248 4,850 1,091 2,342 5,281 Brake force for known load, loaded: F pb = 35 750 car lbf F pb = 10 575 car lbf Delay brakes 597 982 1,814 554 939 1,771 10,817 13,123 18,111 9,277 11,583 16,571 Air brakes 409 565 822 364 512 746 9,743 10,859 13,188 8,200 9,309 11,602 Difference 188 417 992 190 427 1,025 1,074 2,264 4,923 1,077 2,274 4,969 S. Mitsch et al. Formal Verification of Train Control 12 of 14

Experimental Results: Brake Engage Points Fast trains Air brake control conditions engage brakes considerably later Loaded Empty Cars 10 40 100 10 40 100 Brake force for known load, loaded: F pb = 35 750 lbf car, empty: F pb = 10 575 lbf car Delay brakes 10,817 13,123 18,111 9,277 11,583 16,571 Air brakes 9,743 10,859 13,188 8,200 9,309 11,602 Difference 1,074 2,264 4,923 1,077 2,274 4,969 Difference exceeds FRA requirement of at most 1000ft undershoot! S. Mitsch et al. Formal Verification of Train Control 12 of 14

Summary Proof Strategy Theorem proving ensures correct model Proof guarantees correct model KeYmaera X Proof Hybrid System Model Control Conditions Code No overshoot + Limited undershoot Proofs for certification Models and code for system architecture and implementation Control conditions for runtime monitoring and testing S. Mitsch et al. Formal Verification of Train Control 13 of 14

Summary Transfer safety of model to controller implementation roof guarantees correct model KeYmaera X Control Proof Control Conditions Code Sensors Monitor Actuators Monitor desired effect + safe environment ModelPlex synthesizes and proves monitors for model compliance Runtime: ensure safety and detect anomalies Testing: generate and analyze test cases Mitsch, S., Platzer, A.: ModelPlex: Verified runtime validation of verified cyber-physical system models. Formal Methods in System Design, 49(1), 2016. S. Mitsch et al. Formal Verification of Train Control 13 of 14

www.keymaerax.org Stefan Mitsch Computer Science Department, Carnegie Mellon University smitsch@cs.cmu.edu S. Mitsch et al. Formal Verification of Train Control 14 of 14

2024 © healthdocbox.com Privacy Policy | Terms of Service | Feedback