Formal Verification of a Controlled Flight Between Two ...aplatzer/pub/theses/apeterson.pdf · Formal Veri cation of a Controlled Flight Between Two Robots: A Case Study by Annika

Carnegie Mellon University

Senior Research Thesis

Formal Verification of a Controlled FlightBetween Two Robots: A Case Study

Author:

Annika Peterson

Supervisor:

Andre Platzer

A thesis submitted in partial fulfillment of the requirements

for Senior Research Honors Thesis

in the

School of Computer Science

May 2015

c© 2015 Annika Peterson

Abstract

Formal Verification of a Controlled Flight Between Two Robots: A Case Study

by Annika Peterson

Robots moving within controlled flight paths are complex systems that require formal verifica-

tion of collision avoidance. A flight path dependent upon a coded program requires confidence

of its ability to avoid crashing, which we show with a formal proof. Inspired by the controlled

flight of two robots within the Disney-Pixar film WALL·E, we have designed a controller for a

robot flying within a complex controlled flight path, a helix with another robot. We have for-

mally proven collision avoidance within the proof rules of differential dynamic logic, a logic for

hybrid systems consisting of discrete controlled steps and continuous physics, using a deductive

verification tool, KeYmaera, when this flight path is viewed in two dimensions as well as three

dimensions. We formally prove safety as well as an additional property that the two robots are

within some delta of each other. This case study also applies to aircraft collision avoidance and

unmanned aerial vehicles where unsafe operation is potentially fatal and similar 3D motion is

relevant.

Acknowledgements

“When you’re curious, you find lots of interesting things to do” – Walt Disney

As with anything we do, this thesis could not have come to be without the support and guidance

from many people. To my advisor Andre Platzer, thank you for your for continued guidance

and knowledge throughout my years at Carnegie Mellon and for helping me to explore the

fascinating world of WALL·E.

To Sarah Loos, Joao Martins, Stefan Mitsch, Khalil Ghorbal and the rest of the Logical

Systems Lab, thank you for helping me throughout this project and for introducing me to the

exciting world of Cyber-Physical Systems. You have enlightened me in many ways.

To Charlie Swanson, thank you for your initial work on this topic during our Foundations of

Cyber-Physical Systems course and for agreeing to investigate the inner workings of WALL·Ewith me. I would not have gone along this path without you and it was so much fun.

Thank you to the Semiconductor Research Corporation and the Carnegie Mellon University

Undergraduate Research Office for funding this research and for inspiring me to pursue research

during my undergraduate career.

To my amazing group of friends, thank you for your amazing support throughout this project

and throughout my time at Carnegie Mellon. Specifically, I would like to acknowledge Jennifer

Schneider, Melanie Danver, Laura Carroll, Anastassia Kornilova, Elizabeth Davis, Arielle Co-

hen, Bridget Hunt-Tobey, Celine Nguyen, Leslie Wines, Erik Pinter, and Vivek Nair for always

being there for me through every up and down of college. You have made the last four years

some of the best years of my life and I cannot thank you enough. I look forward to our next

adventure.

To my family whom I hold very dearly, thank you for always supporting me. To my siblings,

Meghan Peterson, Luc Peterson, Carl Peterson, and Colin Peterson, thank you for always being

beside me through everything, protecting and guiding me. Thank you for making me laugh when

I didn’t want to and seeing me through everything. To my grandmother, Shirley Peterson, and

my late grandfather, Dean Peterson, thank you for telling me to be whatever I want to be and

being there every step of the way, encouraging me in whatever I chose to pursuit. To my late

grandmother, Daisy Shores, thank you for showing me how to treasure every minute of life.

Finally, to my parents, Lee Peterson and Mary Helen Miller, thank you for filling my world

with books and computers, my life with love and happiness, and for showing me that no matter

what comes my way, I can accomplish anything. I am proud to be your daughter.

ii

Contents

Abstract i

Acknowledgements ii

1 Introduction 1

1.1 Overview of Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

1.2 Prior Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

1.3 Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2 Preliminaries 4

2.1 Differential Dynamic Logic (dL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2.2 dL Proof Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

2.3 KeYmaera . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

3 WALL·E and EVE’s Helix Dance 8

3.1 Overview of the Helix Dance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

3.2 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

3.3 Physical Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

3.3.1 2D Physical Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

3.3.2 3D Physical Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

3.4 Objective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

3.4.1 Property 1: Safety Property . . . . . . . . . . . . . . . . . . . . . . . . . . 14

3.4.2 Property 2: Love Property . . . . . . . . . . . . . . . . . . . . . . . . . . 15

3.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

4 2D Model Formal Verification 18

4.1 WALL·E’s Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

4.2 Initial Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

4.3 Safety Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

4.3.1 dL Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

4.3.2 Property Invariants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

4.4 Love Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

4.4.1 dL Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

4.4.2 Property Invariants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

4.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

5 3D Model Formal Verification 26

5.1 Challenges for WALL·E’s Controller . . . . . . . . . . . . . . . . . . . . . . . . . 26

iii

Contents iv

5.1.1 Challenge 1: Accounting for WALL·E’s Multiple Choices . . . . . . . . . 26

5.1.2 Challenge 2: Limiting the Time Between Choices . . . . . . . . . . . . . . 27

5.2 Safety Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

5.2.1 dL Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

5.2.2 Informal Property Invariants . . . . . . . . . . . . . . . . . . . . . . . . . 29

5.3 Love Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

5.3.1 dL Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

5.4 Lessons Learned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

5.4.1 Challenges to Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

5.4.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

5.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

6 Conclusion 32

6.1 Summary of Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

6.2 Comparison with Prior Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

7 Outlook 33

7.1 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

7.2 Applications of Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

A Variable Definitions and Constraints 34

A.1 Variable Definitions and Constraints in Both Dimensions . . . . . . . . . . . . . . 34

A.2 Variable Definitions and Constraints Only in 2D . . . . . . . . . . . . . . . . . . 34


B 2D KeYmaera File 36

C 3D Physical Model Relative to Eve 38

Bibliography 41

List of Figures

1.1 Depiction of the Case Study Scene . . . . . . . . . . . . . . . . . . . . . . . . . . 1

3.1 Case Study Scene . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

3.2 Helix Flight Path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

3.3 Possible Flight Paths for WALL·E . . . . . . . . . . . . . . . . . . . . . . . . . . 10

3.4 2D Model: Bird’s Eye View of Helix . . . . . . . . . . . . . . . . . . . . . . . . . 11

3.5 3D Model: XY Plane’s Motion . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

3.6 3D Model: Upward Motion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

3.7 The Multiple Definitions of Safety . . . . . . . . . . . . . . . . . . . . . . . . . . 15

3.8 2D Model: Possible Closeness Values . . . . . . . . . . . . . . . . . . . . . . . . . 16

3.9 3D Model: Possible Closeness Values . . . . . . . . . . . . . . . . . . . . . . . . . 17

4.1 WALL·E and EVE’s Motion on a Straight Line . . . . . . . . . . . . . . . . . . . 19

4.2 WALL·E and EVE’s Motion on the Circle . . . . . . . . . . . . . . . . . . . . . . 19

4.3 The Circle Projection of the Helix . . . . . . . . . . . . . . . . . . . . . . . . . . 24

5.1 WALL·E’s Choices for Climbing the Helix . . . . . . . . . . . . . . . . . . . . . . 27

5.2 WALL·E’s Linear Buffer Amount in All Three Directions . . . . . . . . . . . . . 28

5.3 Overestimating WALL·E’s movements . . . . . . . . . . . . . . . . . . . . . . . . 28

C.1 3D Model: XY Plane’s Motion . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

C.2 3D Model: Upward Motion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

v

List of Tables

2.1 Hybrid Systems Logic Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2.2 Differental Dynamic Logic Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2.3 Select dL Proof Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

2.4 Select dL Proof Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

A.1 Variable Definitions and Constraints in Both Dimensions . . . . . . . . . . . . . . 34



vi

Chapter 1

Introduction

Figure 1.1: Depiction of the Case Study SceneImage By: Joshua Wittman (tater-vader.deviantart.com)

Within this thesis, we will show a formal verification for a controlled flight path two robots

flying within a helix. As unmanned aerial vehicles increase in popularity, humans will continue

to interact with these vehicles in all situations. We ensure a formal logical proof of their safety

so that we can be sure about their safety and the safety of others. By requiring safety of these

robots, we can trust them to interact in our world without human intervention. The goal of

this thesis is to discuss a possible flight path, the helix, that two aircraft may use in a safe and

reasonable manner. This flight path is inspired by the Disney-Pixar film WALL·E. This flight

path has many important applcations as it does not require a lot of space within the plane,

but can ensure the robots hold for a reasonable amount of time. Through verification, we also

gain insights into proofs of other controlled robotics in similar paths or more complex holding

maneuvers.

1

Chapter 1. Introduction 2

1.1 Overview of Problem

This thesis consists of a formal verification of a controller for a robot flying within a helix with

another robot. During the Disney-Pixar film WALL·E, WALL·E and EVE celebrate finding

each other by dancing in a helix through space. This helix path requires WALL·E and EVE to

make certain correct decisions to maintain its shape and in order to ensure two properties that

we wish to verify. The first property is the safety property which states that WALL·E and EVE

never collide. This is the most important property as without it, we do not have a safe protocol

for robots traveling in this pattern. The second property is that WALL·E and EVE are always

close by each other. This second property ensures that EVE does not fly away and thus lose

WALL·E but remains safe. We will verify both properties using differential dynamic logic and

a formal verification tool, KeYmaera.

The significance of this research applies to holding paths for aircraft or unmanned aerial

vehicles, and this verification will apply to any controlled vehicle interacting with another vehicle

that is flying in a helix with it. For instance, given Amazon’s idea to begin to deliver goods to

people via unmanned aerial vehicles, or UAVs, and Google’s Project Wing [1], this research will

be even more useful to verify these UAVs act reasonably and responsibly with their environment.

Since Amazon will want to ensure delivery times are consistent, but may be unable to land or

stop moving and hover while waiting for landing, they will have to be able to maintain a holding

pattern for some undetermined amount of time while staying above the location of delivery and

keeping goods together. This research will help to provide a safe holding pattern for them to

use in this case and expand the number of safe protocols that have already been verified.

1.2 Prior Work

Prior work in this area consists of verifying other holding protocols for aircraft and vehicles

moving in the plane. Within “A Formally Verified Hybrid System for the Next-generation

Airborne Collision Avoidance System”, Jeannin et. al discuss the current Airbonne Collison

Avoidance System and dicuss a reduction of the 3D dynamics of flight to 2D Dynamics [2].

Similarly, Platzer and Clarke discuss curved flight and mid-air roundabout maneuvers with

in “Formal Verification of Curved Flight Collision Avoidance Maneuvers: A Case Study” and

discuss an aircraft maneuver that exists within a plane [3]. Additional prior work in this area

includes Johnon and Mitra’s work on aircraft landing protocols using many aircraft [4] and

Ghorbal et. al relative approach to an inflight aircraft collison avoidance [5].

However, these verifications are mainly within a plane and, thus only occur in two dimen-

sions. We propose expanding the number of safety protocols with this helix pattern and we

also propose the expansion of protocols into the third dimension allowing more freedom for the

Chapter 1. Introduction 3

aircraft in their choices. This thesis aims to provide insights into continued expansion of the

safety protocols in three dimensions and ways to correctly model and view these protocols.

1.3 Outline

This thesis is structured as the following. The second chapter describes and defines hybrid

systems and differential dynamic logic. Chapter three describes the physical models for the

helix and the differential equations for both WALL·E and EVE. Chapter four provides the

verification proof for the model in two dimensions, while chapter five describes the challenges

for verification within three dimensions. Chapters six and seven then conclude the thesis and

relate it back to prior work and offer insights for future work.

Chapter 2

Preliminaries

Cyber-Physical Systems is the combination of computers and physics to solve problems. Within

Cyber-Physical Systems, people must be able to trust computers to safely interact with and

control physics even though computers are only given control at discrete time stamps. In order

to formally verify properties, we use differential dynamic logic (or the combination of continuous

dynamics with discrete control and logical syntax) to prove safety properties of computers acting

within the physical world. In this chapter, we describe hybrid systems and outline the rules of

differential dynamic logic. Afterwards, we introduce and briefly outline some of the proof rules

we utilize in later chapters and introduce KeYmaera, the verification tool we utilized.

2.1 Differential Dynamic Logic (dL)

Differential Dynamic Logic (dL) [6] is the formalization of the logic of hybrid systems, or systems

that are both discrete and continuous. Hybrid systems are defined as the combination of first

order logic over the real numbers, continuous evolution, and discrete choices. The first order

logic for hybrid systems is the same as regular first order logic. However, for hybrid systems all

terms can be real times and therefore, the logic is defined over the real numbers.

Table 2.1 summarizes the continuous and discrete logical syntax for hybrid systems:

4

Chapter 2. Preliminaries 5

Table 2.1: Hybrid Systems Logic Syntax

Name Syntax Change in States

Discrete Assignment x := θ Assigns variable x to the value θNondeterministic Assignment x := ∗ Assigns x to any real value

Test Condition ?H Tests that the condition H is met.If not, the trace is aborted

Differential Equation x′ = f(x)&H Allows x to evolve with respect tothe differential equation within theevolution domain of H, a first orderlogic formula

Nondeterministic Choice α ∪ β Choice between α and βSequential Composition α;β Follows α then β in sequence

Nondeterministic Repetition α∗ Repeats the HP α n times for n ∈ N

Throughout dL we discuss transitioning from states to states as defined in Table 2.1. More

of a dicussion of the transition of hybrid systems can be found in both [6] and [7]. Table

2.2 describes the syntax and semantics of dL, which describes the truth semantics for hybrid

systems:

Table 2.2: Differental Dynamic Logic Syntax

Name Syntax Semantics

First Order Logic Formula θ = n|θ ≥ n|θ > n|¬F |F ∧G|F ∨G|

F → G|F ↔ G|∀xF |∃xF

True when the given first or-der logic operation is true,where F,G are first order logicformulas and θ, n, x ∈ V

Box Modality [α]φ True if for all states reachableby the hybrid program α, φ istrue in that state

Diamond Modality 〈α〉φ True if there is at least onestates reachable by the hybridprogram α where φ is true inthat state

Table 2.2 discusses which states are reachable through a series of transitions by hybrid

programs as defined in Table 2.1. The sematnics for dL relies on the set of states that a

program can reach, as described in [8] and [9].


2.2 dL Proof Rules

In order to prove aspects of dL , we can apply proof rules in a sequent calculus as defined in [6].

In this section, we will introduce the most important proof rules that we apply in the sequent

proofs found in chapter 4. Table 2.3 describes several important dL proof rules, using Γ, φ, ψ,∆

and H as dL formulas. More rules that are used within KeYmaera and this proof can be found

here.

Table 2.3: Select dL Proof Rules

Proof Name Sequent Calculus Rule

Imply Left→ left

Γ ` φ,∆ Γ, ψ ` ∆

Γ, φ→ ψ ` ∆

Imply Right→ right

Γ, φ ` ψ,∆Γ ` φ→ ψ,∆

Test[?]

H → ψ

[?H]ψ

Induction’ind’

Γ ` φ,∆ φ ` [α]φ φ ` ψΓ ` [α∗]ψ,∆

ODE Solve1[’]∀t ≥ 0((∀0 ≤ s ≤ t[x := y(s)]H)→ [x := y(t)]φ)

[x′ = θ&H]φ

Table 2.4 describes an informal description for each of the proof rules found in Table 2.3:

Table 2.4: Select dL Proof Rules

Proof Name Informal Description

Imply Left In order for utilize ψ, φ → ψ must be true, whichrequires a proof split. We verify that φ is true firstand then we are able to use ψ to verify δ

Imply Right Since φ→ ψ is on the right side of the sequent proof,we can assume φ and use it to show ψ,∆

Test A test protects the program from continuing. There-fore ψ can only be true if H is true and therefore, weget H → ψ

Induction’ This rule describes the mathematical induction tech-nique using an invariant φ which we verify stays thesame through the running of α, therefore it must forall runs of α and we can use it to imply ψ

ODE Solve ODE solve verifies that the solution is true for allstates it can be in it and that φ is true once we haveevolved, only as long as we evolved within the con-straint H

The last proof technique that we will discuss is the differential invariants. Differential

invariants are the differential equivalent to the induction invariant. To show that the differential

1Where t and s are fresh logical variables and y is the solution to the differential equation of x

http://symbolaris.com/info/KeYmaera-cheat.pdf


equation perserves the invariant, we differentiate the invariant and apply the rules as described

in [7] in the differential equations & differential invariants lecture.

2.3 KeYmaera

Claims in this thesis have been formally verified within KeYmaera. KeYmaera is an automated

and interactive proof verification system which allows users to formally verify properties within

the constraints of differential dynamic logic [10]. KeYmaera applies known axioms and theorems

in order to aid the user in proving the system. KeYmaera utilizes interactive proof steps and

automated proof rules in proving hybrid systems. KeYmaera has aided people in formally

verifying aircraft maneuvers [3], trains [11], and surgical robots [12] among many other properties

within cyber-physical systems. KeYmaera is available online here. Throughout this thesis, we

used KeYmaera version 3.6.17.

http://symbolaris.com/info/KeYmaera.html

Chapter 3

WALL·E and EVE’s Helix Dance

Figure 3.1: Case Study SceneImage By: Joshua Wittman (tater-vader.deviantart.com)

The Disney-Pixar film, WALL·E, follows the life of the robot WALL·E as he meets another

robot EVE and goes on adventures to find her and bring humans and EVE back to Earth.

WALL·E falls in love with EVE and when EVE leaves Earth to return to the humans, follows

her in hopes of finding her. WALL·E and EVE celebrate finding each other by dancing in a helix

through space [13]. Within this thesis, we model and verify this path, which has two properties

that require verification. The first property is the safety property which states that WALL·Eand EVE never collide. The second property is that WALL·E and EVE are always close by

each other. This second property ensures that EVE does not fly away and thus lose WALL·Eagain while still remaining safe. We will verify both properties using differential dynamic logic

and KeYmaera.

8

Chapter 3. WALL·E and EVE’s Helix Dance 9

3.1 Overview of the Helix Dance

WALL·E and EVE fall in love with each other. In order to celebrate, they dance. EVE is an

advanced robot, and thus her flight path is well-defined as she is able to fly in a consistent

manner. However since WALL·E was created hundreds of years before EVE, he must use a fire

extinguisher to fly and, therefore, must choose his acceleration to maintain his flight path and

follow EVE. The flight path that they choose is a helix. Figure 3.2 depicts a possible flight path

for WALL·E and EVE.

Figure 3.2: Helix Flight Path

Within this path, WALL·E has two main choices he must make. WALL·E must choose

whether to accelerate or brake and he must choose which way he points the fire extinguisher,

which decides how fast he turns around the helix. For instance, if he chooses to point the fire

extinguisher straight downward, he will just climb straight up the helix, but if he chooses to

point inward, he will move around the helix making tight cycles as he slowly ascends. In doing

so, WALL·E tries to maintain his flight pattern with EVE, while staying close to EVE and not

hitting her.

Figure 3.3 depicts possible flight paths WALL·E can choose in the 2D projection of the helix,

which is a circle around which both WALL·E and EVE move. WALL·E must make the correct

choices in order to ensure both properties. We propose and verify a controller for WALL·E that

ensures he maintains this flight path while also ensuring safety and closeness.


Figure 3.3: Possible Flight Paths for WALL·E

3.2 Motivation

WALL·E and EVE’s helix dance and controller applies to holding paths for aircraft or unmanned

aerial vehicles, and this verification will apply to any controlled vehicle interacting with another

vehicle that is flying in a helix with it. For instance, given Amazon’s idea to begin to deliver

goods to people via unmanned aerial vehicles, or UAVs, and Google’s Project Wing [1], this

research will be even more useful to verify these UAVs act reasonably and responsibly with their

environment. Since Amazon will want to ensure delivery times are consistent and reliable, but

may be unable to land or stop moving and hover while waiting for landing, they will have to be

able to maintain a holding pattern for some undetermined amount of time while staying above

the location of delivery and keeping goods together. This research will help to provide a safe

holding pattern for them to use in this case and expand the number of safe protocols that have

already been verified [4], [14], [3].

In addition, by studying how well we are able to control WALL·E in this complex 3D pattern,

we are able to gain insights into proofs of other controlled robotics in similar paths. Similarly,

we are able to model the complex mathematics and increase the number of proof structures

within Cyber-Physical Systems. This is particularly important as we gain insights into other

proof techniques for more advanced holding maneuvers, for instance the ability to have more

than two aircraft, or UAVs, interacting at the same time.

3.3 Physical Model

The flight path of WALL·E and EVE is a helix centered at the origin. In this section, we describe

the physical representations of this motion in both two and three dimensions. We represent the

sizes of WALL·E and EVE as circles centered at a point with radii rw and re encompassing

their sizes. Since EVE is more advanced than WALL·E, she is able to fly at a constant velocity.


WALL·E must use a fire extinguisher to fly and therefore, choose to acceleration or brake.

WALL·E has two choices for acceleration, which we denote as a ∈ {−B,A}.

3.3.1 2D Physical Model

In the 2D model, we ensure that WALL·E and EVE are always on the same circle of the helix.

Therefore, they always have the same z values. In order to ensure this, we ensure that both of

the z values change according to:

z′e = dze (3.1)

z′w = dzw (3.2)

dze = dzw (3.3)

Equations 3.1 and 3.2 combined with equation 3.3 ensures that if WALL·E and EVE start

at the same z value, they will always be on the same z value as they change at the same rate.

Figure 3.4: 2D Model: Bird’s Eye View of Helix

Therefore, the helix structure that WALL·E and EVE are on can be viewed as seen in Figure

3.4, which is WALL·E and EVE rotating around a circle in the xy plane. We model the circular

motion in polar coordinates where both WALL·E and EVE are at a radius r. Therefore, we get

the following sets of equations for WALL·E’s and EVE’s motion:

θ′w = ωw (3.4)

ω′w ∈ {−B,A} (3.5)

θ′e = ωe (3.6)


All other variables not mentioned above are constants and, therefore, have no differential

equations. Equations 3.4 and 3.6 both describe how WALL·E and EVE’s angular velocity

changes their theta positions. Since both of them are always at radius r, which is ensured since

r has no differential equation, this describes how WALL·E and EVE change and move around

the circle. Since EVE has a constant velocity, this is her only differential equation. WALL·E’s

velocity changes with respect to equation 3.5, which changes based on WALL·E’s choice of

acceleration from the set {−B,A}. Therefore, these equations describe the complete physical

model for the 2D case.

3.3.2 3D Physical Model

In the 3D model, we can no longer assume that WALL·E and EVE are always on the same circle

of the helix. Therefore, we must look at all three directions. We will examine the xy plane’s

motion first. Figure 3.5 depicts the motion in the xy plane:

Figure 3.5: 3D Model: XY Plane’s Motion

In the xy plane, WALL·E and EVE’s position is described by the following equations, where

θ is the measure of the angle from the x axis, α is the direction that WALL·E and EVE are


facing as they move around the circle and is also measured from the x axis, and i ∈ {w, e}:

xi = r cos(θi) (3.7)

yi = r sin(θi) (3.8)

αi = π + θi (3.9)

vixy = rωi (3.10)

αi is π+ θi as WALL·E and EVE are always tangent to the circle at the radius. The above

equations then result in the following differential equations describing the motion of WALL·Eand EVE:

θ′i = ωi =vir

(3.11)

x′i = −vi sin(θi) (3.12)

y′i = vi cos(θi) (3.13)

α′i = ωi (3.14)

Figure 3.6 depicts the upward motion of WALL·E and EVE and how their linear velocities

affect both the xy plane and the z plane:

Figure 3.6: 3D Model: Upward Motion


In figure 3.6, we see how the xy plane and the z motion are inherently linked through the

linear velocity vectors. Therefore, we get that the velocities are:

z′i = viz (3.15)

viz = vi sin(βi) (3.16)

vixy = vi cos(βi) (3.17)

WALL·E and EVE have two values that affect their motion up and down the helix, the

amount of acceleration they choose and the value of βi. βi depicts how fast both WALL·E and

EVE move around the circle versus how high they climb up the helix, where βi is between 0

and π (so that both WALL·E and EVE are always moving upwards on the helix). Since EVE is

moving with a constant velocity, we also assume her ve and βe are constant values and therefore,

do not change. However, WALL·E’s motion is described by the following equations:

v′w = a (3.18)

a ∈ {−B,A} (3.19)

βw describes how WALL·E positions the fire extinguisher and only changes at each time-step

and thus has no continuouse dynamics. Therefore, when WALL·E makes his choice of βw, that

choice continues until he makes a new choice. All other variables are constants, and therefore,

have no differential equations and these equations describe the complete physical model for the

3D case.

3.4 Objective

Our objective is to take the above physical models and create controllers for WALL·E such that

we are able to ensure two properties about the system. The two properties are listed below.

3.4.1 Property 1: Safety Property

The most important part of verifying the system is safety. Safety within any environment is

important as we want to ensure that WALL·E and EVE make safe choices. With respect to the

helix pattern, we assume EVE moves with a constant velocity, so we strive to create a controller

for WALL·E with respect to his choices of acceleration that ensures he never gets within EVE’s

radius and hits her.


How exactly we write down safety depends on the physical model and the corresponding

dimension that we are in. Figure 3.7 depicts two distinct cases for the positions of WALL·Eand EVE.

(a) (b)

Figure 3.7: The Multiple Definitions of Safety

In figure 3.7a, we see a situation in which WALL·E and EVE are safe in both 2D and 3D

cases. However, in figure 3.7b, we see a situation where WALL·E and EVE are safe in 3D, but

in 2D would be at the same point in the circle projection of the helix and, therefore, unsafe.

Thus, the safety property must depend on which coordinate system we are in.

3.4.2 Property 2: Love Property

The second property of the helix dance is the idea that WALL·E and EVE should always be

within some delta of each other. We call this the love property as it stems from the idea that

WALL·E and EVE love each other and want to stay close. However, this is important cause

we want to ensure that WALL·E does not just choose to go in the completely other direction

from EVE. While he would be sure to be safe in this case, as he is always moving away from

EVE, he is not within this delta of EVE (since the distance between him and EVE is constantly

increasing). This additional property puts additional constraints on WALL·E’s controller, thus

requiring a more complex controller.

Closeness as its own property also requires some definitions upon what is considered close.

Figure 3.8 depicts some possibilities for the definition of closeness in 2D:


Figure 3.8: 2D Model: Possible Closeness Values

Figure 3.8 depicts four different quantities that can be defined as the distance between

WALL·E and EVE. The blue value is the arc distance between them, which depicts the distance

WALL·E must travel to be at the same place as EVE . The green value is the Euclidean distance

between WALL·E and EVE and is at most the diameter of the helix. The red value and the

purple value are the x and y distances respectfully. Each of the above values are possible

distances we can measure for closeness and each of them have their pros and cons. In general,

we will choose to use either the arc length or the Euclidean distance between WALL·E and EVE

as it most accurately describes the amount of space between WALL·E and EVE and includes

both the x and y distances. The Euclidean distance is a chord of the circle and therefore, is

shorter than the actual distance between WALL·E and EVE, which can lead to underestimating

the true distance between them.

Similarly, Figure 3.9 depicts some possibilities for the definition of closeness in 3D:


Figure 3.9: 3D Model: Possible Closeness Values

In 3D, we have all the possibilities for the 2D case as well as those shown in Figure 3.9. The

pink line represents the height difference between WALL·E and EVE. Using this measurement

for closeness helps to ensure that WALL·E and EVE are always close together while moving up

the ladders of the helix, however the dark green line respresents the Euclidean distance between

WALL·E and EVE in 3D which includes the information in the z direction as well as the xy

direction. Thus, the most accurate description of closeness in 3D is the Euclidean distance.

Any of the above choices or some combination of them can be used for describing the

closeness property.

3.5 Summary

We have two physical models that we can apply to the motion of WALL·E and EVE. The 2D

physical model represents the helix pattern as the 2D projection on the xy plane and consists

of WALL·E and EVE moving around a circle of radius r. The 3D physical model is the whole

helix path and includes the z direction. The two models present challenges in verifcation of

both safety and the love property. The next two chapters discuss this vertifcation.

Chapter 4

2D Model Formal Verification

Section 3.3.1 describes the 2D model that we used to represent WALL·E and EVE moving

around the helix. In this model, we look at the 2D projection of WALL·E and EVE moving

around a circle. In the following chapter, we describe the controller we created to ensure both

the safety property and the love property. We then continue to describe the dL of both properties

and the invariants required to prove them. For verification, we assume WALL·E gets to make

a choice at distinct times and using induction and the ideal choices, WALL·E can ensure both

properties for any time interval.

4.1 WALL·E’s Controller

At every timestep, WALL·E makes a choice about his acceleration. We assume that WALL·Emakes these choices at most every T seconds (he can make a choice before T seconds are up,

but the maximum time between his choices is T ), which means he must be sure that he is safe

for all of the T seconds until he makes his next decision. We also assume that WALL·E only

moves around in one direction, in order to ensure this, we only let WALL·E brake while his

velocity is greater than zero. In creating WALL·E’s controller, we want to ensure that when

WALL·E chooses to accelerate, he has enough room to do so without hitting EVE and also

will have enough room to make a choice the next timestep around (which is at least enough

space to brake to a stop). An example is shown in Figure 4.1 which depicts WALL·E and EVE

moving in a straight line, where WALL·E travels at most the purple distance in one timestep

and maintains a buffer of the red dotted line to ensure he can brake to a stop on the next

timestep. If EVE’s motion, given by the green line, gives WALL·E enough space for both the

purple and the red line, his controller will accelerate.

18

Chapter 4. 2D Model Formal Verification 19

Figure 4.1: WALL·E and EVE’s Motion on a Straight Line

We can extend this picture to the 2D case by wrapping the line around the circle. Since we

are in polar coordinates, the arc length is the same as looking at the new θ values and we get

the resulting Figure 4.2 and equations 4.1, 4.2, and 4.3.

Figure 4.2: WALL·E and EVE’s Motion on the Circle

θwnew = θw + ωwT +AT 2

2(4.1)

θenew = θe + ωeT (4.2)

buf = re + rw +(ωw +AT )2

2B(4.3)

Equations 4.1 and 4.2 dictate the max new positions both WALL·E and EVE can have after

T seconds given that WALL·E chooses to accelerate with value A. In order to ensure that

WALL·E has room to accelerate without hitting EVE, we must ensure that EVE’s new position

is still greater than WALL·E’s new position (we assume without loss of generality that EVE

always has a greater θ than WALL·E). Equation 4.3 is a buffer that WALL·E must maintain

to ensure safety and represents the space that WALL·E must maintain from EVE in order to

accommodate the combined sizes of WALL·E and EVE (re + rw) and the space that WALL·E


must take to brake if he accelerates to a stop in the next time step((ωw+AT )2

2B

). He also must

be sure that that his new position minus EVE’s new position is still within one circle of each

other (otherwise, we are not sure that EVE and WALL·E are on the same circle and WALL·Ecould have hit EVE on the way around).

Combining the above principles, we get the following hybrid program for WALL·E’s con-

troller that ensures safety:

Theorem 4.1.

WE ≡(?((buf < newe − neww) (4.4)

∧ (newe − neww < θcircle)); a := A) (4.5)

∪ (a := −B); (4.6)

t := 0; (4.7)

(θ′w = ωw, ω′w = a, z′w = dzw, θ

′e = ωe, z

′e = dze, t

′ = 1 (4.8)

&(t ≤ T ∧ ωw ≥ 0)) (4.9)

Theorem 4.1 can be broken up into six parts. Equation 4.4 ensures that if WALL·E chooses

to accelerate, he maintains the buffer distance required of him by equation 4.3, while equation

4.5 ensures that WALL·E and EVE are still on the same circle afterwards. Equation 4.6 ensures

that WALL·E always has a safe choice to make, in this case he can always choose to brake to a

stop. Equation 4.7 and 4.9 ensures that WALL·E is able to make a new choice every T seconds

and cannot brake past 0. Equation 4.8 is the physical model as described in section 3.3.1.

4.2 Initial Conditions

In order to verify both properties, we must have initial conditions that imply our invariants and

our properties are true at the beginning of their dance. There are two types of initial conditions

that we require. First, we require that all the variable constraints given in Appendix A in Tables

A.1 and A.2 are true initially so that the system is well-defined.

Second, we ensure that all the lemmas and properties are true initially so that WALL·E is

able to make a choice at the beginning. Specifically, we assume without loss of generality that

EVE starts out ahead of WALL·E on the circle and therefore is always ahead of WALL·E on the

circle in terms of θ, which is shown in lemma 4.3 as well as assuming lemmas 4.4 and lemmas

4.5 so WALL·E is able to make a safe choice at the beginning of the helix.


4.3 Safety Property

The safety property that we wish to verify is that WALL·E and EVE never collide. The most

important property to verify for this system is safety as we do not want WALL·E and EVE to

hit each other.

4.3.1 dL Property

In the 2D case, safety means that since the circle’s radius is constant, that the differences in θ

between WALL·E and EVE must always be greater than their combined sizes. This ensures that

the buffer between them is great enough to accommodate their combined sizes. Since WALL·Eand EVE are points along the circle and we represent their sizes as circles surrounding those

points with radii rw and re respectfully, we must ensure that the differences in the arc lengths,

the θ values, is always at least the size of rw + re. Theorem 4.2 ensures this property.

Theorem 4.2. Throughout all timesteps of the hybrid program given in 4.1, it is always true

that in the ending state, rw + re < θe − θw is true. Formally, where I is defined as the initial

conditions given above and WE ≡ 4.1:

I → [WE∗](rw + re < θe − θw)

Proof. We prove this property using the lemmas listed below that describe the property’s invari-

ants. The KeYmaera file used can be found in Appendix B. The proof file, 2D safety.proof,

can be found here. This property was verified in KeYmaera, version number 3.6.17, and required

264 proof nodes, 18 proof branches, and 48 interactive steps.

4.3.2 Property Invariants

In order to prove that WALL·E never hits EVE, we have the following three lemmas:

Lemma 4.3. Throughout all timesteps of the hybrid program given in 4.1, it is always true that

0 < θe−θw. Formally, we want to prove the following dL formula, where I ≡ B > 0, A > 0, T >

0, φ ≡ 0 < θe − θw and WE ≡ 4.1:

I ∧ φ→ [WE∗]φ

Proof. The proof file, 2D safety.proof, which can be found here, verifies this lemma in order

to prove theorem 4.2. This property was verified in KeYmaera 3.6.17.

http://www.andrew.cmu.edu/user/apeterso/thesis/2D_safety.proof



Lemma 4.3 ensures that EVE is always ahead of WALL·E on the circle. This is guaranteed

by the fact that EVE starts off ahead of WALL·E on the circle and the fact that WALL·E can

never past EVE on the circle without hitting her.


re + rw + θ2w2B < θe − θw. Formally, we want to prove the following dL formula, where I are the

initial conditions and WE ≡ 4.1:

I ∧ re + rw + θ2w2B < θe − θw → [WE∗]re + rw + θ2w

2B < θe − θw



Lemma 4.4 ensures that there is a safe distance between WALL·E and EVE at all times.

re + rw ensures that WALL·E and EVE are separated by at least their size distance, while θ2w2B

ensures WALL·E can always brake to a stop at any point without hitting EVE. This lemma is

ensured by equation 4.4 as WALL·E does not accelerate unless he is sure that he can maintain

this distance.


re + rw + θ2w2B < θcircle. Formally, we want to prove the following dL formula, where I are the

initial conditions and WE ≡ 4.1:

I ∧ re + rw + θ2w2B < θcircle → [WE∗]re + rw + θ2w

2B < θcircle



Lemma 4.5 ensures that WALL·E and EVE are always on the same circle of the helix. This

property is given by equation 4.5 and is required so that we know that WALL·E did not pass

EVE and only ”looks” safe after hitting her.

Lemmas 4.3 and 4.4 combined with the initial conditions implies the safety property and is

ensured by the buffer test (equation 4.4 in theorem 4.1 of the controller). Lemma 4.5 ensures

that WALL·E and EVE are on the same circle, thus we know that only looking at the differences

in θ values is valid. Combining these three lemmas (and A > 0 and B > 0), we imply theorem

4.2 is true at any point in the system.




4.4 Love Property

In order to ensure that WALL·E and EVE are always within some delta of each other, we must

ensure the distance between them is always less than or equal to some value. In the 2D case,

we want to ensure that WALL·E and EVE are always within a delta of 2r (or the size of the

circle) of each other.

4.4.1 dL Property

By construction of the 2D case, WALL·E and EVE are always at the same z value. Therefore,

their distance is the distance between WALL·E and EVE on the circle. The worst case is when

they are on opposite sides of the circle. Therefore, we get the following property, which ensures

they are always within 2r of each other:

Theorem 4.6. For all timesteps, it is true that θe − θw < θcircle. Formally, we want to prove

the following dL formula, where I are the initial conditions and WE ≡ 4.1:

I ∧ θe − θw < θcircle → [WE∗]θe − θw < θcircle

By ensuring that WALL·E and EVE are both on the same circle, then by the fact that both

WALL·E and EVE are on the circle and at radius r, they must always be within 2r of each

other and, thus, theorem 4.6 ensures the love property.

4.4.2 Property Invariants

There are two lemmas we have to prove the love property:

Lemma 4.7. WALL·E and EVE are always on the circle of the helix, where we define the circle

of the helix as given in Figure 4.3. Formally we want to prove the following dL formula, where

WE ≡ 4.1:

rade = r ∧ radw = r → [WE∗]rade = r ∧ radw = r

The circle of the helix is defined as the circle projection of the helix onto the xy plane and

is of radius r:

Proof. We will show this through the use of differential invariants.


Figure 4.3: The Circle Projection of the Helix

*axrade = r, radw = r ` rade = r

*` 0 = 0

` (rade = r)′DI

rade = r, radw = r ` [WE∗]rade = r

*axrade = r, radw = r ` radw = r

*` 0 = 0

` (radw = r)′DI

rade = r, radw = r ` [WE∗]radw = r∧r

rade = r, radw = r ` [WE∗]rade = r ∧ radw = r∧l

rade = r ∧ radw = r ` [WE∗]rade = r ∧ radw = r

Thus, lemma 4.7 is satisfied. The second lemma we must verify is that WALL·E and EVE

are always at the same z value.

Lemma 4.8. WALL·E and EVE are always at the same z value. Formally we want to prove

the following dL formula, where WE ≡ 4.1:

ze = zw → [WE∗]ze = zw

Proof. We will show this through the use of differential invariants.

*axze = zw ` ze = zw

*` (dzw = dzw)

` (ze = zw)′DI

ze = zw ` [WE∗]ze = zw

Thus, they are always at the same z value of the helix and lemma 4.8 is satisfied.

Since we know that WALL·E and EVE are both on the same circle of radius r and at the

same z value, we know that their arc length differences is at most the size of the circle, θcircle

and thus theorem 4.6 is satisfied.


4.5 Summary

We have formally proven collison avoidance and the love property within the two dimension

physical model presented. We have proposed and verified a controller for WALL·E that en-

sures both the safety property and the love property that is required for WALL·E in the circle

projection.

Chapter 5

3D Model Formal Verification

Section 3.3.2 describes the 3D model that we used to present WALL·E and EVE moving around

the helix. At the writing of this thesis, we have been unable to formally verify the properties

within three dimensions. However, within this chapter, we discuss what we know must be

required by the WALL·E’s controller and how to define both the safety and the closeness prop-

erties. We discuss the challenges faced with verifying both of these properties together and

finish the chapter with a discussion of lessons learned in the verification and suggest avenues

for future work.

5.1 Challenges for WALL·E’s Controller

Within this section, we will present the unique requirements that arise from the 3D model and

describe how they contribute to the challenges that we face in verification.

5.1.1 Challenge 1: Accounting for WALL·E’s Multiple Choices

In the 3D model, WALL·E has two choices he must make at every timestep. Unlike the 2D

model, WALL·E makes a choice about his acceleration and which direction he points the fire

extinguisher. The addition of the choice of how to apply this acceleration must be accounted

for in the controller.

Figure 5.1 depicts some choices he can make for his fire extinguisher and how his helix

changes with each choice. Each color represents a choice for the β value as described in Figure

3.6 that WALL·E can make at any time. All of the colors represent the same amount of time

and the same choice for acceleration. The black line represents when WALL·E chooses to have

a β value of 0 and completely turn only in the xy plane. The green line represents the other

extreme where WALL·E chooses only to accelerate upward. The blue and red lines represent

26


an angle of π3 and π

6 respectively and depict how WALL·E’s choice can dramatically alter his

position over time.

Figure 5.1: WALL·E’s Choices for Climbing the Helix

This leads us to our first requirement for WALL·E’s controller. Any controller that WALL·Euses to make his decision must account for him choosing to accelerate fully either into the circle

or fully upward and must account for the inherent linking of all three directions. As EVE moves

with a constant velocity and a constant β value, we know how much she climbs and how much

she goes around the circle at any point. However, due to how dL is defined, we do not have

access to the arc length distances that EVE and WALL·E move around. These values, which

include sin and cos are not easily written down in dL. Thus,WALL·E’s controller must account

for this challenge by measuring the distance differently.

Figure 5.2 depicts the distance WALL·E would travel linearly if he traveled only in one

direction. This distance creates a bounding box that WALL·E should ensure he is safe within.

He must be sure that if he accelerates within this box that he does not hit EVE in the process.

This bounding box, however, presents our next challenge to WALL·E’s controller.

5.1.2 Challenge 2: Limiting the Time Between Choices

Figure 5.2 shows WALL·E’s controller attempting to bound his choices to account for WALL·E’s

choice in β value. However, as Figure 5.3 depicts, this distance can overestimate the distance


Figure 5.2: WALL·E’s Linear Buffer Amount in All Three Directions

in the xy plane greatly.

Figure 5.3: Overestimating WALL·E’s movements

In Figure 5.3 we illustrate three distances WALL·E could calculate. Depending on how big

T is, WALL·E could calculate a linear distance that is too big. Each of the linear distances is

shown with their cooresponding true arclength that WALL·E travels in time T . The red line

indicates a huge overestimation of where WALL·E will go, while the green line indicates a T

time that is pretty close to the true distance WALL·E travels. In order to have a good enough


approximation, any controller of WALL·E must balance this overestimation issue and thus limit

WALL·E to making choices quickly by making T small.

The following sections describe how to discuss the safety property and the closeness property

and how these challenges arise during verification of the system.

5.2 Safety Property

As in the 2D case, the most important property that we should verify is that WALL·E and EVE

never collide.

5.2.1 dL Property

In all three dimensions, the safety property changes how it is defined. In order to ensure that

WALL·E and EVE are separated by the correct distance in all three directions, we will use the

Euclidean distance as described in section 3.4.2. Therefore, we present the following conjecture

to represent this property in dL:

Conjecture 5.1. Throughout all timesteps of the hybrid program, it is always true that the

distance between WALL·E and EVE is greater than their combined sizes. Formally, we want to

prove that for any hybrid program controller, which will we denote as WE with initial conditions

I, that:

I → [WE∗]((ze − zw)2 + (ye − yw)2 + (xe − xw)2 ≥ (re + rw)2

5.2.2 Informal Property Invariants

This section describes a possible invariant that would be required for any controller that

WALL·E has. In order to ensure safety, WALL·E must be able to calculate where EVE will

be during his evolution and ensure that he does not pass her, which leads us to the following

lemma:

Lemma 5.2. If WALL·E begins behind EVE, then throughout all timesteps, he must stay behind

EVE. Formally, we want to prove the following dL formula, where I are the initial conditions

and WE is a controller for WALL·E:

I ∧ zw ≤ ze → [WE∗]zw ≤ ze


Proof. Assume for sake of contradiction that WALL·E is able to pass EVE on the helix structure.

In order to do this, WALL·E must accelerate past her in some fashion. However, the only point

he knows is where EVE will be the ending time. He is unable to calculate easily all of her points

throughout the timestamp. Therefore, he cannot be sure that he is safe just from the fact that

he is safe when he is above her. Thus any safe controller is unable to tell that he is safe during

the passing and we have reached a contradiction. Thus if WALL·E begins behind EVE, he must

stay behind EVE in order to ensure safety.

5.3 Love Property

As in the 2D case, we want to ensure that WALL·E and EVE are within some delta of each

other. However, in this case, we are not sure they are on the same circle and therefore, cannot

be sure that they are within this delta based on the physical model alone. Thus, we must ensure

this in the controller.

5.3.1 dL Property

We will use the Euclidean distance as described in section 3.4.2 to discuss the distance between

WALL·E and EVE. We want to ensure that this distance is always less than or equal to some

maxdistance value where maxdistance > rw+re as described in Appendix A. Therefore, we present

the following conjecture to represent this property in dL:

Conjecture 5.3. Throughout all timesteps of the hybrid program, it is always true that the

distance between WALL·E and EVE is less than the max distance. Formally, we want to prove

that for any hybrid program controller, which will we denote as WE with initial conditions I,

that:

I → [WE∗]((ze − zw)2 + (ye − yw)2 + (xe − xw)2 ≤ max2distance

Conjecture 5.3 ensures that the Euclidean distance betweenWALL·E and EVE are always

within this delta.

5.4 Lessons Learned

The following section describes the challenges we faced with respect to vertification of these

properties and the lessons that we have learned from these challenges.


5.4.1 Challenges to Verification

When verifying conjectures 5.1 and 5.3, there are challenges that occur. While either one is

easy to verify by itself, it is hard to create and verify a joint controller for both properities. For

instance, conjecture 5.1 will be satisfied if it is true initally and WALL·E does not move or if

it is true initially and WALL·E moves down the helix rather than up it while EVE moves up.

In both causes WALL·E will never hit EVE as they are moving away from each other, but the

delta between them increases and conjecture 5.3 will eventually be broken. Therefore, WALL·Emust ensure both at the same time. However, by the overestimation for safety that is described

in 5.3, we face the challenge that we overestimate how close we actually get to EVE and can,

with repeated intervals, violate conjecture 5.3.

5.4.2 Future Work

For future work and avenues for verification, we suggest simplifying the system in two ways.

First, in Appendix C we introduce the physical model relative to EVE’s constant motion. This

reduces the number of variables in the proof by half and links WALL·E and EVE’s motion in

an easier to understand way. This is similar to the approach taken in [15] and helps to create a

model that relys on EVE’s motion inherently. Secondly, with this physical model, future work

could be to make a controller that matches EVE’s motion exactly and a second controller that

tries instead to strive for the perfect controller. Therefore, EVE is is no longer an issue in

calculating the distance, and thus we cannot over or underestimate, as we are only concerned

with getting close enough to this perfect controller and are ensured that once we get close

enough the perfect controller ensures the two properties.

5.5 Summary

In this chapter, we discussed the challenges for WALL·E in ensuring he is both safe and close

to EVE in 3D. Unlike in the 2D case, where we are ensured that we are close enough to EVE

by the design of the physical model, WALL·E must have a controller that ensures this property.

However, by ensuring safety, WALL·E can overestimate his distances and break the closeness

property.

Chapter 6

Conclusion

6.1 Summary of Contributions

In this thesis, we present a formal vertification for a controller for WALL·E while he dances

with EVE in a helix centered at the origin. In 2D, where the helix is pictured as the circle

projection onto the xy plane, we have utilized KeYmaera and differential dynamic logic, to

verify a controller we designed and ensure two properties. We have ensured that WALL·E and

EVE are safe within their dance, which is our safety property, and that at all times they are

within some delta of each other, which is our love property.

In 3D, we have presented proposed solutions for visualizing the physical motion of WALL·Eand EVE both in section 3.3.2 and Appendix A and have discussed the challenges faced while

verifying these properties. By doing so, we have shown the difficulty in increasing the dimensions

for known protocols.

6.2 Comparison with Prior Work

The prior work presented in section 1.2 depicted protocols for collison avoidance that existed

mainly in two dimensions. Within this thesis, we have examined the difficulties of expanding

those protocols into 3D and have added an additional 2D safe protocol. This thesis, therefore,

has the following main contributions:

1. We have formally verified and created a new protocol for two robots moving in a circle

within the plane.

2. We have discussed and proposed solutions for expanding this protocol to three dimen-

sions and have expanded the overall knowledge about the difficulties presented in three

dimensional verification.

32

Chapter 7

Outlook

7.1 Future Work

Future work on this subject should expand the protocol to master both the safety property

and closeness property in three dimensions. In particular, a controller for WALL·E that allows

WALL·E the greatest freedom in choosing both his acceleration and his β value and allows

WALL·E to make choices without being constrainted by overestimation or underestimation.

Appendix C offers a way of representing the system that allows for this freedom to be written

in a way that is easier to verify. In this system, there are inherent invariants about WALL·E’s

motion that stem from the fact that WALL·E and EVE are moving around a circle. Combining

these with both a limiting factor on T , in order to reduce the affect of the challenge described

in section 5.1.1 is a good avenue to continue this work.

7.2 Applications of Results

The results in this thesis are applicable to aircraft avoidence. We have proven that two aircraft

moving a circle are able to have a verified controller that allows them both to move in the

circle. We have provided a controller that allows for motion within the xy plane and made

progress on the limitations for a controller in the 3D space. These results will greatly expand

the possibilities for UAVs working within the realm of humans and aircraft containing humans.

This thesis has increased the number of holding patterns that are safe.

33

Appendix A

Variable Definitions and Constraints

This appendix gives tables for all the variable definitions and their constraints for the system.

The constraints listed below are required so that the system is well-defined and verification is

possible. We apply these contraints to the verification to ensure that we are proving a well-

defined system. To illustrate the following variables, please refer to Figures 3.4, 3.5, and 3.6.

A.1 Variable Definitions and Constraints in Both Dimensions

Table A.1: Variable Definitions and Constraints in Both Dimensions

Variable Constraint Definition of Constraint

A > 0 Acceleration is forwardB > 0 Allows −B to be the braking accelerationT > 0 The time between choices is positiver > 0 The helix they are on is of positive sizerw > 0 WALL·E has a positive sizere > 0 EVE has a positive size

A.2 Variable Definitions and Constraints Only in 2D

Table A.2: Variable Definitions and Constraints Only in 2D


ωw ≥ 0 WALL·E is moving forward or stoppedωe > 0 EVE is moving upwards on the helixθw ≥ 0 Angle measurement is positiveθe ≥ 0 Angle measurement is positive

θcircle > 0 The circle is of positive sizedzw > 0 WALL·E is moving up the helixdze > 0 EVE is moving up the helix

34

Appendix A. Variable Definitions and Constraints 35

A.3 Variable Definitions and Constraints Only in 3D

Table A.3: Variable Definitions and Constraints Only in 3D


vw ≥ 0 WALL·E is moving forward or stoppedve > 0 EVE is moving upwards on the helix

v2w = v2wz+ v2wxy

WALL·E’s velocities are part of a right triangle

v2e = v2ez + v2exy WALL·E’s velocities are part of a right triangle

0 ≤ βi ≤ π βi is always the amount the velocity is pointing upward.This ensures that a negative braking acceleration pointsdownward

0 ≤ θi ≤ 2 ∗ π θi accurates describes the angle around a circlemaxdistance > rw + rw The delta between WALL·E and EVE should be greater than

their combined sizes

Appendix B

2D KeYmaera File

\programVariables{

R A; /* walle’s maximum acceleration */

R B; /* walle’s maximum braking */

R T; /* Time-trigger limit on evolution */

R t; /* time */

R theta_w; /* Position of walle in y direction */

R z_w; /* Position of walle in z direction */

R dz_w; /* Unit vector in direction of travel, z direction */

R r_w; /* Over-approximation on radius of walle */

R omega_w; /* Angular velocity of walle */

R a; /* Linear acceleration of walle */

R theta_e; /* Position of eve in y direction */

R z_e; /* Position of eve in z direction */

R dz_e; /* Unit vector in direction of travel, z direction */

R r_e; /* Over-approximation on radius of eve */

R omega_e; /* Angular velocity of eve */

R theta_circle; /* The theta that represents a circle */

}

\problem{

(

36

Appendix B. 2D KeYmaera File 37

omega_w >= 0 & omega_e > 0 &

0 < theta_e - theta_w & theta_e - theta_w < theta_circle &

T > 0 & A > 0 & B > 0 & r_w > 0 & r_e > 0 &

dz_w > 0 & dz_e = dz_w &

theta_e - theta_w > ((r_e + r_w) + (((omega_w + A*T)^2)/(2*B))) &

((r_e + r_w) + (((omega_w + A*T)^2)/(2*B))) < theta_circle

)

->

\[(

((?(((r_e + r_w) + (((omega_w + A*T)^2)/(2*B)) <

theta_e + omega_e*T - (theta_w + omega_w*T + ((A*T^2)/2)))

& (theta_e + omega_e*T - (theta_w + omega_w*T + ((A*T^2)/2))) <

theta_circle);

a := A)

++

a := -B);

t := 0;

{

theta_w’ = omega_w, z_w’ = dz_w, omega_w’ = a,

theta_e’ = omega_e, z_e’ = dz_e,

t’ = 1, t <= T, omega_w >= 0

}

)*@invariant(omega_w >= 0 & B > 0 & A > 0 & 0 < theta_e - theta_w &

theta_e - theta_w > ((r_e + r_w) + (((omega_w)^2)/(2*B))) &

((r_e + r_w) + (((omega_w)^2)/(2*B)) < theta_circle)

)

\]( theta_e - theta_w > (r_e + r_w)

)

}

Appendix C

3D Physical Model Relative to Eve

This appendix presents a rewriting of physical model presented in 3.3.2 relative to EVE’s moving

frame. The absolute frame equations are repeated below along with the figures that illustrate

their motion:

xi = r cos(θi) (C.1)

yi = r sin(θi) (C.2)

αi = π + θi (C.3)

vixy = rωi (C.4)

θ′i = ωi =vir

(C.5)

x′i = −vi sin(θi) (C.6)

y′i = vi cos(θi) (C.7)

α′i = ωi (C.8)

z′i = viz (C.9)

viz = vi sin(βi) (C.10)

vixy = vi cos(βi) (C.11)

38

Appendix C. 3D Physical Model Relative to Eve 39

Figure C.1: 3D Model: XY Plane’s Motion

Figure C.2: 3D Model: Upward Motion

Appendix C. 3D Physical Model Relative to Eve 40

Therefore, combining these, we get the following equations for WALL·E’s motion relative

to EVE:

x = r − r cos(θe − θw) (C.12)

y = r sin(θe − θw) (C.13)

z = ze − zw (C.14)

α = π − (θe − θw) (C.15)

x′ = sin(θe − θw)(vexy − vwxy) (C.16)

y′ = cos(θe − θw)(vexy − vwxy) (C.17)

z′ = vez − vwz (C.18)

α′ =−vexy + vwxy

r(C.19)

viz = vi sin(βi) (C.20)

vixy = vi cos(βi) (C.21)

(C.22)

The above rewriting reduces the number of variables in the verification by half and helps

to reduce the number of cases within a verification proof. It also inherently makes the distance

between WALL·E and EVE, the distance x, y, z are from the origin as the origin is always EVE’s

location.

Bibliography

[1] C. de Looper. (2014) Google project wing takes flight, but will package delivery program

ever take off? [Online]. Available: http://www.techtimes.com/articles/14518/20140831/

google-project-wing-takes-flight-will-package-delivery-program-take.html

[2] J.-B. Jeannin, K. Ghorbal, Y. Kouskoulas, R. Gardner, A. Schmidt, and E. Z. A. Platzer,

“A formally verified hybrid system for the next-generation airborne collision avoidance

system,” in TACAS, ser. LNCS, C. Baier and C. Tinelli, Eds., vol. 9035. Springer, 2015,

pp. 21–36.

[3] A. Platzer and E. M. Clarke, “Formal verification of curved flight collision avoidance ma-

neuvers: A case study,” vol. 5850, pp. 547–562, 2009.

[4] T. T. Johnson and S. Mitra, “Parametrized verification of distributed cyber-physical sys-

tems: An aircraft landing protocol case study,” 2014 ACM/IEEE International Conference

on Cyber-Physical Systems (ICCPS), vol. 0, pp. 161–170, 2012.

[5] K. Ghorbal, J.-B. Jeannin, E. P. Zawadzki, A. Platzer, G. J. Gordon, and P. Capell,

“Hybrid theorem proving of aerospace systems: Applications and challenges,” Journal of

Aerospace Information Systems, vol. 11, pp. 702–713.

[6] A. Platzer, Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics.

Heidelberg: Springer, 2010.

[7] ——. (2013) 15-424: Foundations of cyber-physical systems (fa’13). [Online]. Available:

http://symbolaris.com/course/fcps13/fcps13.pdf

[8] ——, “Differential dynamic logic for hybrid systems.” J. Autom. Reas., vol. 41, no. 2, pp.

143–189, 2008.

[9] ——, “The complete proof theory of hybrid systems,” School of Computer Science, Carnegie

Mellon University, Pittsburgh, PA, Tech. Rep. CMU-CS-11-144, November 2011.

[10] J.-D. Quesel, S. Mitsch, S. Loos, N. Arechiga, and A. Platzer, “How to model and prove

hybrid systems with KeYmaera: A tutorial on safety,” STTT, 2015.

41

http://www.techtimes.com/articles/14518/20140831/google-project-wing-takes-flight-will-package-delivery-program-take.html

http://www.techtimes.com/articles/14518/20140831/google-project-wing-takes-flight-will-package-delivery-program-take.html

http://symbolaris.com/course/fcps13/fcps13.pdf

Bibliography 42

[11] A. Platzer and J.-D. Quesel, “European Train Control System: A case study in formal veri-

fication,” in ICFEM, ser. LNCS, K. Breitman and A. Cavalcanti, Eds., vol. 5885. Springer,

2009, pp. 246–265.

[12] Y. Kouskoulas, D. W. Renshaw, A. Platzer, and P. Kazanzides, “Certifying the safe design

of a virtual fixture control algorithm for a surgical robot,” in Hybrid Systems: Computation

and Control (part of CPS Week 2013), HSCC’13, Philadelphia, PA, USA, April 8-13, 2013,

C. Belta and F. Ivancic, Eds. ACM, 2013, pp. 263–272.

[13] A. Stanton and P. Docter, “WALL·E,” Walt Disney Pictures and Pixar Animation

Studios, June 2008. [Online]. Available: http://movies.disney.com/wall-e

[14] S. Umeno and N. Lynch, “Safety verification of an aircraft landing protocol: A

refinement approach,” in Hybrid Systems: Computation and Control, ser. Lecture

Notes in Computer Science, A. Bemporad, A. Bicchi, and G. Buttazzo, Eds.

Springer Berlin Heidelberg, 2007, vol. 4416, pp. 557–572. [Online]. Available:

http://dx.doi.org/10.1007/978-3-540-71493-4 43

[15] K. Ghorbal, A. Sogokon, and A. Platzer, “A hierarchy of proof rules for checking differential

invariance of algebraic sets,” in VMCAI, ser. LNCS, D. D’Souza, A. Lal, and K. G. Larsen,

Eds., vol. 8931. Springer, 2015, pp. 431–448.

http://movies.disney.com/wall-e

http://dx.doi.org/10.1007/978-3-540-71493-4_43

Documents

Formal Verification of a Controlled Flight Between Two ...aplatzer/pub/theses/apeterson.pdf · Formal Veri cation of a Controlled Flight Between Two Robots: A Case Study by Annika