european train control system a case study in formal
play

European Train Control System: A Case Study in Formal Verification e - PowerPoint PPT Presentation

Nov 12, 2023 •19 likes •769 views

European Train Control System: A Case Study in Formal Verification e Platzer 1 Jan-David Quesel 2 Andr 1 Carnegie Mellon University, Pittsburgh, PA 2 University of Oldenburg, Department of Computing Science, Germany International Conference on

  1. European Train Control System: A Case Study in Formal Verification e Platzer 1 Jan-David Quesel 2 Andr´ 1 Carnegie Mellon University, Pittsburgh, PA 2 University of Oldenburg, Department of Computing Science, Germany International Conference on Formal Engineering Methods (ICFEM), Rio de Janeiro, 2009 Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 1 / 19

  2. ETCS Control Verification Problem Hybrid System Continuous evolutions (differential equations) Discrete jumps (control decisions) τ. p τ. v z τ. a v a 6 3.0 2 5 2.5 1 2.0 4 1.5 3 4 t 1 2 3 1.0 2 � 1 0.5 1 4 t 4 t � 2 1 2 3 1 2 3 Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 2 / 19

  3. European Train Control System τ. p m . e ST SB Objectives Overview 1 Collision free 1 No static partitioning of track 2 Radio Block Controller (RBC) 2 Maximise throughput & manages movement authorities velocity (300 km/h) 3 2 . 1 ∗ 10 6 passengers/day dynamically 3 Moving block principle Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 3 / 19

  4. European Train Control System τ. p m . e ST SB Parametric Hybrid Systems continuous evolution along differential equations + discrete change m . e MA z τ. p v t τ. v Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 3 / 19

  5. European Train Control System τ. p m . e ST SB Parametric Hybrid Systems continuous evolution along differential equations + discrete change m . e MA z τ. p v t τ. v Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 3 / 19

  6. European Train Control System τ. p m . e ST SB Parametric Hybrid Systems continuous evolution along differential equations + discrete change m . e MA MA z z τ. p v v t τ. v Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 3 / 19

  7. European Train Control System τ. p m . e ST SB Parametric Hybrid Systems continuous evolution along differential equations + discrete change Parameters have nonlinear influence m . e MA MA Handle SB as free symbolic parameter? z z τ. p Challenge: verification (falsifying is “easy”) Which constraints for SB ? v v t τ. v ∀ m . e ∃ SB “train always safe” Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 3 / 19

  8. Differential Dynamic Logic (d L ) τ. v τ. p m . e Example → [ ]( ) Precondition Operation model Property Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 4 / 19

  9. Differential Dynamic Logic (d L ) τ. v τ. p m . e Example τ. v 2 ≤ 2 b ( m . e − τ. p ) → [ ]( τ. p ≤ m . e ) Precondition Operation model Property Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 4 / 19

  10. Differential Dynamic Logic (d L ) τ. v τ. p m . e Example τ. v 2 ≤ 2 b ( m . e − τ. p ) → [ τ. p ′ = τ. v , τ. v ′ = τ. a ]( τ. p ≤ m . e ) Precondition Operation model Property Continuous evolution: differential equation Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 4 / 19

  11. Differential Dynamic Logic (d L ) τ. v τ. p m . e Example τ. v 2 ≤ 2 b ( m . e − τ. p ) → [ τ. a := ∗ ; τ. p ′ = τ. v , τ. v ′ = τ. a ]( τ. p ≤ m . e ) Precondition Operation model Property Random assignment Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 4 / 19

  12. Differential Dynamic Logic (d L ) τ. v τ. p m . e Example τ. v 2 ≤ 2 b ( m . e − τ. p ) → [ τ. a := ∗ ; ? τ. a ≤ − b ; τ. p ′ = τ. v , τ. v ′ = τ. a ]( τ. p ≤ m . e ) Precondition Operation model Property Test Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 4 / 19

  13. 3D Movement Authorities τ. v τ. p Vectorial MA m = ( d , e , r ): Beyond point m . e train not faster than m . d . Train should try not to keep recommended speed m . r Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 6 / 19

  14. 3D Movement Authorities τ. v m . r τ. p Vectorial MA m = ( d , e , r ): Beyond point m . e train not faster than m . d . Train should try not to keep recommended speed m . r Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 6 / 19

  15. 3D Movement Authorities τ. v m . r τ. p m 1 . d m 1 . e Vectorial MA m = ( d , e , r ): Beyond point m . e train not faster than m . d . Train should try not to keep recommended speed m . r Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 6 / 19

  16. 3D Movement Authorities τ. v m . r τ. p m 1 . d m 1 . e Vectorial MA m = ( d , e , r ): Beyond point m . e train not faster than m . d . Train should try not to keep recommended speed m . r Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 6 / 19

  17. 3D Movement Authorities τ. v m . r m 2 . d τ. p m 2 . e Vectorial MA m = ( d , e , r ): Beyond point m . e train not faster than m . d . Train should try not to keep recommended speed m . r Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 6 / 19

  18. 3D Movement Authorities τ. v m . r m 2 . d τ. p m 2 . e Vectorial MA m = ( d , e , r ): Beyond point m . e train not faster than m . d . Train should try not to keep recommended speed m . r Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 6 / 19

  19. 3D Movement Authorities τ. v m . r m 3 . d τ. p m 3 . e Vectorial MA m = ( d , e , r ): Beyond point m . e train not faster than m . d . Train should try not to keep recommended speed m . r Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 6 / 19

  20. 3D Movement Authorities τ. v m . r m 3 . d τ. p m 3 . e Vectorial MA m = ( d , e , r ): Beyond point m . e train not faster than m . d . Train should try not to keep recommended speed m . r Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 6 / 19

  21. Separation Principle Lemma (Principle of separation by movement authorities) Each train respects its movement authority and the RBC partitions into disjoint movement authorities ⇒ trains can never collide. τ. p m . e ST SB Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 7 / 19

  22. Parametric Skeleton of ETCS Read from the informal specification. . . ETCS skel : ( train ∪ rbc ) ∗ train : spd ; atp ; drive : (? τ. v ≤ m . r ; τ. a := ∗ ; ? − b ≤ τ. a ≤ A ) spd ∪ (? τ. v ≥ m . r ; τ. a := ∗ ; ? − b ≤ τ. a ≤ 0) : if ( m . e − τ. p ≤ SB ∨ rbc . message = emergency ) τ. a := − b atp : t := 0; ( τ. p ′ = τ. v , τ. v ′ = τ. a , t ′ = 1 ∧ τ. v ≥ 0 ∧ t ≤ ε ) drive : ( rbc . message := emergency ) ∪ ( m := ∗ ; ? m . r > 0) rbc Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 8 / 19

  23. Parametric Skeleton of ETCS As transition system. . . m 0 := m m := ∗ τ. p ′ = τ. v , τ. v ′ = τ. a , t ′ = 1 rbc . message := emergency τ. v ≥ 0 ∧ t ≤ ε t := 0 τ. a := − b ? τ. v ≤ m . r ? − b ≤ τ. a ≤ A τ. a := ∗ ?( m . e − τ. p ≤ SB ∨ rbc . message = emergency ) ? m . e − τ. p ≥ SB ∧ ? τ. v ≥ m . r ?0 > τ. a ≥ − b τ. a := ∗ rbc . message � = emergency ) Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 8 / 19

  24. Parametric Skeleton of ETCS ETCS skel : ( train ∪ rbc ) ∗ : spd ; atp ; drive train spd : (? τ. v ≤ m . r ; τ. a := ∗ ; ? − b ≤ τ. a ≤ A ) ∪ (? τ. v ≥ m . r ; τ. a := ∗ ; ? − b ≤ τ. a ≤ 0) atp : if ( m . e − τ. p ≤ SB ∨ rbc . message = emergency ) τ. a := − b : t := 0; ( τ. p ′ = τ. v , τ. v ′ = τ. a , t ′ = 1 ∧ τ. v ≥ 0 ∧ t ≤ ε ) drive : ( rbc . message := emergency ) ∪ ( m := ∗ ; ? m . r > 0) rbc Task Verify safety Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 8 / 19

  25. Parametric Skeleton of ETCS ETCS skel : ( train ∪ rbc ) ∗ : spd ; atp ; drive train spd : (? τ. v ≤ m . r ; τ. a := ∗ ; ? − b ≤ τ. a ≤ A ) ∪ (? τ. v ≥ m . r ; τ. a := ∗ ; ? − b ≤ τ. a ≤ 0) atp : if ( m . e − τ. p ≤ SB ∨ rbc . message = emergency ) τ. a := − b : t := 0; ( τ. p ′ = τ. v , τ. v ′ = τ. a , t ′ = 1 ∧ τ. v ≥ 0 ∧ t ≤ ε ) drive : ( rbc . message := emergency ) ∪ ( m := ∗ ; ? m . r > 0) rbc Task Verify safety Specification [ ETCS skel ]( τ. p ≥ m . e → τ. v ≤ m . d ) Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 8 / 19

Recommend

Ten Diverse Formal Models for a CBTC Automatic Train Supervision System Franco Mazzanti ISTI CNR

Ten Diverse Formal Models for a CBTC Automatic Train Supervision System Franco Mazzanti ISTI CNR

MARS / VPT 2018 Thessaloniki, 20 April 2018 Ten Diverse Formal Models for a CBTC Automatic Train Supervision System Franco Mazzanti ISTI CNR Pisa Italy Origins of the study Define an ATS scheduling approach to achieve deadlock free train

532 views • 35 slides
A case study in formal system engineering with SysML Iulia Dragomir 1 , Iulian Ober 1 and David

A case study in formal system engineering with SysML Iulia Dragomir 1 , Iulian Ober 1 and David

A case study in formal system engineering with SysML Iulia Dragomir 1 , Iulian Ober 1 and David Lesens 2 1 IRIT - University of Toulouse 2 Astrium Space Transportation July 19, 2012 Iulia Dragomir (IRIT) A case study in formal system engineering

466 views • 46 slides
A Case Study on Formal Verification of the Anaxagoros Paging System with Frama-C Allan

A Case Study on Formal Verification of the Anaxagoros Paging System with Frama-C Allan

A Case Study on Formal Verification of the Anaxagoros Paging System with Frama-C Allan Blanchard Nikolai Kosmatov Matthieu Lemerre Fr ed eric Loulergue FMICS 2015 June 22, 2015 CONTENTS Anaxagoros Virtual Memory Formal

590 views • 31 slides
Simulation Based Formal Verification of Onboard Software A Case Study SyLVer : System

Simulation Based Formal Verification of Onboard Software A Case Study SyLVer : System

Simulation Based Formal Verification of Onboard Software A Case Study SyLVer : System Level Verifier Toni Mancini, Annalisa Massini, Federico Mari , Igor Melatti, Ivano Salvo, Enrico Tronci Computer Science Department Sapienza University

668 views • 23 slides
Formal Verification of Train Control with Air Pressure Brakes Stefan Mitsch 1 Marco Gario 2

Formal Verification of Train Control with Air Pressure Brakes Stefan Mitsch 1 Marco Gario 2

Formal Verification of Train Control with Air Pressure Brakes Stefan Mitsch 1 Marco Gario 2 Christof J. Budnik 2 Michael Golm 2 e Platzer 1 Andr 1 Computer Science Department, Carnegie Mellon University 2 Siemens Corporate Technology, Princeton,

731 views • 52 slides
23 Advanced Topics 5: Multi-lingual Models Up until now, we have assumed that in the case of

23 Advanced Topics 5: Multi-lingual Models Up until now, we have assumed that in the case of

(c) Model Pivoting (a) Result Pivoting (b) Data Pivoting src pivot pivot trg src pivot pivot trg src pivot pivot trg train train train train train train train train train train train train src src-pivot pivot-trg

179 views • 5 slides
Positive Train Control June 28, 2018 PTC Overview Positive train control uses GPS, radio

Positive Train Control June 28, 2018 PTC Overview Positive train control uses GPS, radio

Positive Train Control June 28, 2018 PTC Overview Positive train control uses GPS, radio communications, and onboard and wayside computer equipment to enforce speed limits and authority limits should the operating engineer fail to take

647 views • 17 slides
Formal Verification of Curved Flight Collision Avoidance Maneuvers A Case Study Andr e

Formal Verification of Curved Flight Collision Avoidance Maneuvers A Case Study Andr e

Formal Verification of Curved Flight Collision Avoidance Maneuvers A Case Study Andr e Platzer Edmund M. Clarke Carnegie Mellon University, Computer Science Department, Pittsburgh, PA Formal Methods, FM, Eindhoven, November 2009 0.5 0.4

1.11k views • 71 slides
Ricardo Semler Case Study Briefing Advance notice: Leading Change Case Study Please read the

Ricardo Semler Case Study Briefing Advance notice: Leading Change Case Study Please read the

Ricardo Semler Case Study Briefing Advance notice: Leading Change Case Study Please read the Case Study found in the Assignment section of M005 and be ready to present your findings in a formal presentation in week 11. Each team member

319 views • 6 slides
Principle of case control studies Part II Selection of case and control Recall bias

Principle of case control studies Part II Selection of case and control Recall bias

Principle of case control studies Part II Selection of case and control Recall bias Advantage and limitation of case control study Piyanit Tharmaphornpilas MD, MPH The I nternational Field Epidemiology Training Program, Thailand Who

607 views • 12 slides
New Case Management System for Chancery Division Train inin ing g Webi binar nar August st

New Case Management System for Chancery Division Train inin ing g Webi binar nar August st

Hon. Dorothy Brown Office of the Clerk of the Circuit Court of Cook County, Illinois 1 Scheduling with the New Case Management System for Chancery Division Train inin ing g Webi binar nar August st 17, 2020 Scheduling with the New Case

537 views • 49 slides
Smart Freight Train A new subsystem of the European railway system IRFC Praha March 2017 1

Smart Freight Train A new subsystem of the European railway system IRFC Praha March 2017 1

Smart Freight Train A new subsystem of the European railway system IRFC Praha March 2017 1 What? The Smart Freight Train system Goal: The right information at the right time for the right person Provide real-time information to answer the

549 views • 7 slides
New Case Management System for County Division Train inin ing g Webi binar nar August st

New Case Management System for County Division Train inin ing g Webi binar nar August st

Hon. Dorothy Brown Office of the Clerk of the Circuit Court of Cook County, Illinois 1 Scheduling with the New Case Management System for County Division Train inin ing g Webi binar nar August st 12, 2020 Scheduling with the New Case

436 views • 33 slides
Global Information Systems The Case Study: Development of an Asian-European Business Portal

Global Information Systems The Case Study: Development of an Asian-European Business Portal

Global Information Systems The Case Study: Development of an Asian-European Business Portal Henri Pirkkalainen, Prof. Dr. Jan M. Pawlowski 09.09.2013 Contents Introduction Case Study Contents of the case study The process of the

693 views • 21 slides
Case study of Control of Intellectual Property (CIP) that uses I-TRIZ and idea generation Gen

Case study of Control of Intellectual Property (CIP) that uses I-TRIZ and idea generation Gen

J13 Case study of Control of Intellectual Property (CIP) that uses I-TRIZ and idea generation Gen Abiko (MINORU International Patent Office) 1. Purpose Through the case study of the small animal capture tool (rattrap), the method the

139 views • 11 slides
Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has

Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has

Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has innovation helped to produce a cost effective remedial design? Challenging contaminant profile Taken a traditional / well understood remedial

912 views • 4 slides
AADL : a radar case study Back to radar case study Goal: to model a simple radar system

AADL : a radar case study Back to radar case study Goal: to model a simple radar system

AADL : a radar case study Back to radar case study Goal: to model a simple radar system Let us suppose we have the following requirements System implementation is composed by physical devices (Hardware entity): 1. antenna + processor +

589 views • 10 slides
Train Control & Monitoring System UNIFEs achievements and perspective ACRI/CENELEC

Train Control & Monitoring System UNIFEs achievements and perspective ACRI/CENELEC

Train Control & Monitoring System UNIFEs achievements and perspective ACRI/CENELEC conference Prague, 21 October 2011 Jean-Pierre Gilbert Alstom, Chief Architect, TCMS UNIFE TCMS Topical Group speaker www.unife.org Content 1. About

387 views • 20 slides
The European Order for Payment Overview & Case Study Dr John Ahern European Civil

The European Order for Payment Overview & Case Study Dr John Ahern European Civil

The European Order for Payment Overview & Case Study Dr John Ahern European Civil Procedure, Barcelona 7 & 8 July 2016 Regulation (EC) No. 1896/2006 Regulation (EU) 2015/2421 Objective and Purpose Article 1 & Art. 65 TEC (Art. 81

339 views • 18 slides
Lecture 5a: case Study DAC DAC in UNIX Access control policy by Unix: Authorizing

Lecture 5a: case Study DAC DAC in UNIX Access control policy by Unix: Authorizing

Lecture 5a: case Study DAC DAC in UNIX Access control policy by Unix: Authorizing requests that processes make to perform operations on files. File names are used in Unix to name most other system resources, too. All operations

878 views • 40 slides
Photobioreactor system case-study Tom a s Stan ek Tom a s Stan ek

Photobioreactor system case-study Tom a s Stan ek Tom a s Stan ek

Photobioreactor system case-study Tom a s Stan ek Tom a s Stan ek Photobioreactor system case-study Tom a s Stan ek Photobioreactor system case-study Overal description Various devices with some autonomous logic and

920 views • 48 slides
Chapter 4 TRANSMISSION CONTROL PROTOCOL (TCP): A CASE STUDY Abstract This chapter uses TCP

Chapter 4 TRANSMISSION CONTROL PROTOCOL (TCP): A CASE STUDY Abstract This chapter uses TCP

Chapter 4 TRANSMISSION CONTROL PROTOCOL (TCP): A CASE STUDY Abstract This chapter uses TCP peformance modeling as a case study to illustrate several of the performance evaluation methodologies introduced in the previous chapter. In particular,

521 views • 33 slides
A-train Commuter Rail Updated July 31, 2018 Presentation Overview DCTA A-train Commuter Rail

A-train Commuter Rail Updated July 31, 2018 Presentation Overview DCTA A-train Commuter Rail

Positive Train Control (PTC) Implementation on A-train Commuter Rail Updated July 31, 2018 Presentation Overview DCTA A-train Commuter Rail Facts DCTAs A -train Safety Record What is Positive Train Control? ETA-C Technology

359 views • 14 slides
Case Study 4 Excellent Blood Pressure Control Why is blood pressure control important ? The

Case Study 4 Excellent Blood Pressure Control Why is blood pressure control important ? The

Case Study 4 Excellent Blood Pressure Control Why is blood pressure control important ? The impact over years of the heart working at high pressure is : Thickening of the pumping muscle creates stiffness and impaired relaxation between

418 views • 10 slides

More recommend