Formal Verification of Train Control with Air Pressure Brakes
Stefan Mitsch (1), Marco Gario (2), Christof J. Budnik (2), Michael Golm (2), André Platzer (1)
(1) Computer Science Department, Carnegie Mellon University
(2) Siemens Corporate Technology, Princeton, NJ, USA
Reliability, Safety and Security of Railway Systems, November 15, 2017
S. Mitsch et al.—Formal Verification of Train Control, 1 of 14
Railroad Safety: Train Separation and Train Control (2 of 14)

Interlocking keeps trains apart by granting movement authorities (train separation). Train separation requires train control!

Goal: design provably safe train control considering physical train motion.
- Federal Railroad Administration (FRA): motion and brake models
- No overshoot
- Limited undershoot
- But: underspecified control conditions

Approach: safe train separation requires verified train control and verified train motion.
Approach: Hybrid Systems Theorem Proving (3 of 14)

Analyze the physical effect of software: a hybrid system model combines the control software with sensors and actuators, i.e. discrete computation + continuous physics. [Figure: example trajectory plotted over time t; only axis ticks survived extraction.]

Theorem proving ensures a correct model: KeYmaera X takes the hybrid system model, the control conditions and a proof strategy as inputs and produces a proof; the proof guarantees the correctness of the model.

Main results for
- Certification: proofs
- System architecture and implementation: models
- Control engineering and testing: control conditions
Train Motion and Brake Model (4 of 14)

Speed profile over time t (figure; labels recovered from the slide):
- Accelerate
- Instant brake: limited, but almost instant effect
- Air brake: the brake effect increases over time, and the build-up time depends on train length; the applied force is bounded below by −F_pb

Motion and brake model, with position x, speed v, applied force f_a, rate of change j of the applied force, mass m, the forces F_g, F_r, F_c acting against f_a, and the brake force bound F_pb:

$x' = v, \quad v' = \frac{1}{m}\bigl(-(F_g + F_r + F_c) + f_a\bigr), \quad f_a' = j \ \&\ -F_{pb} \le f_a$

Underspecified: What are safe control choices? How important is brake model fidelity?

Approach: formalize and verify control models; analyze their brake engage points.

Brosseau, J., Ede, B.M.: Development of an adaptive predictive braking enforcement algorithm. FRA/DOT/ORD-9/13 (2009)
Control Model (5 of 14)

Component diagram (labels recovered from the slide):
- Track Control: extends e, d (the position e from which speed limit d applies)
- Train Control: receives e, d and commands an acceleration a
- Driver: commands an acceleration a
- Actuators: receive a and the brake force bound −F_pb; delay vs. air brake
- Env. Motion: receives f_a, j
Formal Verification with dL: No Overshoot (6 of 14)

Correctness property: respect the speed limit d beyond position e (the slide first shows the concrete limit 25, then generalizes to d):

$\mathit{safe} \equiv (z \ge e \rightarrow v \le d)$

The dL proof obligation has the shape

$\mathit{init} \rightarrow [\,(\ \cdots\ ;\ \cdots\ )^{*}\,]\ \mathit{safe}$

where the loop body is a sequential composition (;) whose components are built from nondeterministic choices (∪) among the control options; the components themselves are graphical boxes on the slide and are not recoverable from the extracted text.
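As an added example (not code from the paper or from KeYmaera X), the Python simulation below runs the hybrid system (ctrl; plant)* of slides 4 and 6 with both brake variants and returns the speed at which the train reaches position e, so the no-overshoot property safe ≡ (z ≥ e → v ≤ d) can be checked on constructed sample values. Assumptions: the forces F_g + F_r + F_c are lumped into one constant F_res, the train parameters and the control period eps are made up, and the applied force is held at F_res before braking.

```python
from dataclasses import dataclass

@dataclass
class Train:
    m: float      # mass [kg]
    F_res: float  # F_g + F_r + F_c, taken constant here (assumption)
    F_pb: float   # full pneumatic brake force [N], the bound -F_pb <= f_a
    j: float      # |f_a'| while the air brake builds up [N/s]; 0 = instant brake

    def decel(self):      # deceleration b once f_a has reached -F_pb
        return (self.F_pb + self.F_res) / self.m
    def ramp_time(self):  # time for f_a to fall from F_res (holding speed) to -F_pb
        return 0.0 if self.j == 0 else (self.F_res + self.F_pb) / self.j

def brake_distance(v, d, b, t_r=0.0):
    """Distance to slow from v to d. t_r == 0: instant brake, constant deceleration b.
    t_r > 0: deceleration ramps linearly 0 -> b over t_r seconds, then stays at b."""
    if t_r > 0:
        v1 = v - b * t_r / 2                 # speed when the ramp ends
        s_ramp = v * t_r - b * t_r ** 2 / 6  # distance covered during the ramp
        if v1 <= d:
            return s_ramp                    # conservative: d is reached within the ramp
        return s_ramp + (v1 * v1 - d * d) / (2 * b)
    return max(0.0, (v * v - d * d) / (2 * b))

def speed_at(train, v0, e, d, model_t_r, eps=1.0, dt=0.01):
    """Run (ctrl; plant)*: every eps seconds ctrl brakes if, under the brake model it
    assumes (ramp time model_t_r), waiting one more cycle could make speed d unreachable
    by position e. Returns speed on reaching e (0.0 if stopped first); safe iff <= d."""
    x, v, f_a, braking = 0.0, v0, train.F_res, False  # f_a = F_res holds speed
    per_cycle = int(round(eps / dt))
    for step in range(10 ** 7):
        if step % per_cycle == 0 and not braking:     # ctrl
            braking = x + v * eps + brake_distance(v, d, train.decel(), model_t_r) >= e
        if braking:                                   # plant: f_a' = -j & -F_pb <= f_a
            f_a = -train.F_pb if train.j == 0 else max(-train.F_pb, f_a - train.j * dt)
        v = max(0.0, v + dt * (-train.F_res + f_a) / train.m)
        x += v * dt
        if x >= e:
            return v
        if v == 0.0:
            return 0.0

INSTANT = Train(m=1e6, F_res=2e4, F_pb=8e5, j=0)    # constructed sample train
AIR = Train(m=1e6, F_res=2e4, F_pb=8e5, j=4e4)      # same train, 20.5 s brake build-up

def compare(v0=30.0, e=2000.0, d=10.0):
    """Speed at e: instant brake; air brake + instant-brake controller; air brake + ramp-aware ctrl."""
    return (speed_at(INSTANT, v0, e, d, 0.0), speed_at(AIR, v0, e, d, 0.0),
            speed_at(AIR, v0, e, d, AIR.ramp_time()))
```

With these values the instant brake and the ramp-aware air-brake controller both reach e at or below d, while the air brake driven by a controller that assumes an instant brake arrives well above d: the brake engage point computed with the wrong brake model is exactly the overshoot the slide's fidelity question is about.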