Blackbox End-to-End Verification of Ground Robot Safety and Liveness

We formally prove end-to-end correctness of a ground robot implemented in a simulator. We use an untrusted controller supervised by a verified sandbox. Contributions include: (i) A model of the robot in differential dynamic logic, which specifies assumptions on the controller and robot kinematics, (ii) Formal proofs of safety and liveness for a waypoint-following problem with speed limits, (iii) An automatically synthesized sandbox, which is automatically proven to enforce model compliance at runtime, and (iv) Controllers, planners, and environments for the simulations. The verified sandbox is used to safeguard (unverified) controllers in a realistic simulated environment. Experimental evaluation of the resulting sandboxed implementation confirms safety and high model-compliance, with an inherent trade-off between compliance and performance. The verified sandbox thus serves as a valuable bidirectional link between formal methods and implementation, automating both enforcement of safety and model validation simultaneously.
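The architecture the abstract describes (an untrusted controller whose every proposal is checked against a model at runtime, with a trusted fallback substituted on violation) is illustrated below by an added example. It is not the paper's model, sandbox or code: the one-dimensional kinematics, the invariant "under the speed limit and able to brake to rest before the waypoint", the sampling period, and both controllers are constructed assumptions chosen to show the mechanism, and the numbers are made up.

```python
# Added example (not the paper's model or sandbox): a Simplex-style runtime
# sandbox for a 1-D waypoint-following robot with a speed limit.  The kinematic
# model, the safety invariant and both controllers below are constructed
# assumptions chosen to illustrate the architecture, not the paper's dynamics.
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Model:
    """Assumptions the sandbox trusts: actuator and sampling bounds, speed limit, waypoint."""
    v_max: float   # speed limit (m/s)
    a_max: float   # largest |acceleration| the actuators deliver (m/s^2)
    T: float       # sampling period of the discrete controller (s)
    x_goal: float  # waypoint the robot must never overshoot (m)


@dataclass(frozen=True)
class State:
    x: float  # position along the path (m)
    v: float  # speed (m/s), never negative


def step(s: State, a: float, T: float) -> State:
    """Constant-acceleration kinematics for one period; braking stops at v = 0
    rather than reversing, so the stop time is used when a*T would overshoot."""
    if a < 0 and s.v + a * T < 0:
        t_stop = s.v / -a
        return State(s.x + s.v * t_stop + 0.5 * a * t_stop ** 2, 0.0)
    return State(s.x + s.v * T + 0.5 * a * T ** 2, s.v + a * T)


def safe(s: State, m: Model) -> bool:
    """Safety invariant: under the speed limit and able to brake to rest before x_goal.
    A small tolerance absorbs floating-point round-off along a long trace."""
    within_limit = 0.0 <= s.v <= m.v_max
    can_stop = s.x + s.v ** 2 / (2 * m.a_max) <= m.x_goal + 1e-9
    return within_limit and can_stop


def compliant(s: State, a: float, m: Model) -> bool:
    """Model-compliance check: the proposed action respects the actuator bound
    and the state one period later still satisfies the invariant."""
    return abs(a) <= m.a_max and safe(step(s, a, m.T), m)


def fallback(s: State, m: Model) -> float:
    """Trusted fallback: brake at full deceleration (hold still once stopped).
    Full braking preserves x + v^2/(2 a_max), so it keeps safe() true."""
    return -m.a_max if s.v > 0 else 0.0


def sandbox(s: State, proposed: float, m: Model) -> Tuple[float, bool]:
    """Admit the untrusted proposal if compliant, otherwise substitute the fallback.
    Returns (action actually applied, whether the proposal was admitted)."""
    if compliant(s, proposed, m):
        return proposed, True
    return fallback(s, m), False


Controller = Callable[[State, Model], float]


def greedy(s: State, m: Model) -> float:
    """Untrusted controller that ignores the model and always floors it."""
    return m.a_max


def model_aware(s: State, m: Model) -> float:
    """Controller that consults the model before acting: accelerate if that is
    compliant, otherwise coast, otherwise brake."""
    for a in (m.a_max, 0.0, -m.a_max):
        if compliant(s, a, m):
            return a
    return -m.a_max


def run(controller: Controller, m: Model, s0: State, steps: int) -> Tuple[List[State], int]:
    """Closed-loop simulation; returns the trace and the number of sandbox overrides."""
    s, trace, overrides = s0, [s0], 0
    for _ in range(steps):
        a, admitted = sandbox(s, controller(s, m), m)
        overrides += 0 if admitted else 1
        s = step(s, a, m.T)
        trace.append(s)
    return trace, overrides


if __name__ == "__main__":
    m = Model(v_max=2.0, a_max=1.0, T=0.1, x_goal=10.0)
    for ctrl in (greedy, model_aware):
        trace, overrides = run(ctrl, m, State(0.0, 0.0), 400)
        print(f"{ctrl.__name__}: final {trace[-1]}, overrides={overrides}, "
              f"all safe={all(safe(s, m) for s in trace)}")
```

Running both controllers through the same sandbox shows the compliance/performance trade-off the abstract mentions in miniature: the greedy controller is overridden on a large fraction of its cycles yet the trace never leaves the invariant, while the model-aware controller is never overridden. The override count is exactly the model-validation signal the abstract refers to: a high rate means either the controller or the model's assumptions need revisiting.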
