LIU Jintao,TANG Tao,ZHAO Lin,LIU Yupeng

DOI: https://doi.org/10.3969/j.issn.1001-4632.2012.05.15

2012-01-01

Abstract:ETCS-2 presents the characteristics of complex hybrid.According to the handover protocol of Radio Block Center(RBC),the UML diagram of RBC handover protocol is given.Modeling is carried through on the RBC handover protocol in ETCS-2 train control system specification from the point of hybrid system based on differential dynamic logic.The established model of RBC handover protocol consists of train submodel,handover submodel and takeover submodel.According to model characteristics,differential invariants are structured and proved by KeYmaera to validate the safety and liveness of the model.Combining with the domain knowledge,the key constraints are analyzed and fed back to the initial model in order to refine the model.During model validation process,the constraints for handover safety and efficiency parameters are found.It's known from parameter constraints that RBC handover efficiency is influenced by both the discrete control time of RBC and the running state of the train.

Kai Yang,Zhenhua Duan,Cong Tian

DOI: https://doi.org/10.1016/j.entcs.2014.12.005

2014-01-01

Electronic Notes in Theoretical Computer Science

Abstract:Radio Block Center (RBC) is a core part of the Chinese Train Control System level 3 (CTCS-3) which is a protocol for safety critical systems. The correctness of the RBC handover protocol is one of the most important factors affecting the safety of systems. Hence, it is of great importance to ensure the correctness of the protocol. To this end, some formal methods have been used to model and verify the protocol. In this paper, we use Modeling, Simulation and Verification Language (MSVL) as the formal language to model and verify the protocol. The result shows that the behavior of RBC handover is consistent with the specification.

Lǚ Ji-dong,TANG Tao,JIA Hao

DOI: https://doi.org/10.3969/j.issn.1001-8360.2010.06.006

2010-01-01

Abstract:This paper analyzes the function and performance of the software of RBC subsystem of CTCS-3 for dedicated passenger railway lines,gives a semiotic semantic description of the RBC subsystem based on the theory of the timed automaton(TA),sets up the TER-QSR timed automaton network model and conducts si-mulation of the RBC subsystem with the UPPAAL verification tool to verify,the safety and bounded liveness of RBC and optimize the handover time of RBC.

Lei QIAN,Wen-sheng YU

DOI: https://doi.org/10.3969/j.issn.1002-137X.2013.10.048

2013-01-01

Computer Science

Abstract:We presented the analysis of railway crossing based on differential dynamic logic.When a train sends approaching signal and goes into the crossing,the limit of time spending in this period helps us identify safe ranges for the train speed control.We also illustrated modeling of this hybrid system using hybrid program and differential dynamic logic.Using the theorem prover KeYmaera,we formally verified hybrid safety properties of Railway Crossing about the train,and obtained the right speed control condition.

Jidong Lv,Tao Tang

DOI: https://doi.org/10.1109/csie.2009.49

2009-01-01

Abstract:This paper analyses the function and performance of the software of RBC (Radio Block Center) subsystem in CTCS (Chinese Train Control System) level 3. It describes the formalization of RBC subsystem based on the theory of Timed automata. EQRS timed automata network model is built and based on the simulation and analysis of RBC subsystem, the safety and BoundedLiveness of RBC is validated using UPPAAL validation tool.

Ehsan Ahmad,YunWei Dong,Brian Larson,JiDong Lü,Tao Tang,NaiJun Zhan

DOI: https://doi.org/10.1007/s11432-015-5346-2

2015-01-01

Science China Information Sciences

Abstract:Train control systems like most digital controllers are, by definition, hybrid systems as they interact with or try to control some aspects of the physical world. Detailed behavior modeling with constraints specification and formal verification, required for reliability prediction, is a great challenge for hybrid system designers. Train control systems further intensify this challenge with extensive interaction between computing units and their physical environment and their mutual dependence on each other. In this paper, we investigate behavior modeling and formal verification of Chinese Train Control System Level 3 (CTCS-3) using Architectural Analysis & Design Language (AADL) to cope with this challenge. AADL is an architecture description language for embedded systems and is based on model-based engineering paradigm. Along with structural modeling of embedded systems using the core language constructs, AADL also provides support for language extension through annex sublanguages. In system requirements specification document, the behavior of the CTCS-3 is specified as a set of basic operation scenarios that cooperate with each other to achieve safe and secure functionality of trains. Movement Authority (MA) scenario, explored in this paper, is considered as a basic and most crucial scenario to prevent trains from colliding with each other. The detailed discrete behavior of control system is modeled and verified using the Behavior Language for Embedded Systems with Software (BLESS) annex sublanguage of AADL, and the continuous behavior of train with the cyber–physical interaction (communication between train and control system) is modeled using the Hybrid annex sublanguage. The behavior of the MA scenario at system level is verified using the Hybrid Hoare Logic theorem prover. Behavior constraints are specified as assertions using first-order logic formulas augmented with a simple temporal operator.

Tianhua Xu,Tao Tang,Chunhai Gao,Baigen Cai

DOI: https://doi.org/10.1109/IVS.2009.5164402

2009-01-01

Abstract:We formally verify hybrid safety properties of Automatic Collision Avoidance System (ACAS) in the European Train Control System (ETCS). We present a formal requirements, design decision, discrete design and the real-time program for ACAS and verify correctness using compositional verification rules based Weakly monotonic time extension of DC* (WDC*). The advantage of compositional proof rule is that it decomposes a large system into more manageable pieces and to prove the correctness of the whole system from that of its immediate constituents. WDC* provides an essential simplification in reasoning about the design of real-time properties in ACAS by means of true synchrony hypothesis and the super-dense computation.

Liu Chao,Tang Tao

2011-01-01

Abstract:With the development of key technologies, train control system has become network-communicating safety related distributed system. In order to guarantee functions and performances of system meet the design requirements, it is essential to model and verify the specification during system development life cycle. The emergence of model transformation methodology in model-driven engineering bridges the gap between semi-formal modeling and formal verification, and builds links with model-based verification as well. This paper presents an approach to automatic model transformation and code generation atop Epsilon model management platform, and provides a case study of RBC hand-over scenarios described in train control system specification. In this case, system requirements are modeled via UML class and state machine diagram, which are then automatically transformed into SPIN/Promela formal language by means of model-model and model-text transformation via the ETL and EGL within Epsilon, to verify the correctness of hand-over design, accordingly the consistencies between system specification, functional design and model development are assured.

Xi Wang,Tao Tang,Shuo Liu

DOI: https://doi.org/10.1049/cp.2013.2439

2013-01-01

Abstract:In CBTC (Communications Based Train Control) system, interlocking is considered to be one of the most fundamental system which features in logic complexity and high safety demand. Traditionally, the development and verification of interlocking system is entirely a manual process which relies too much on designers' experience and some corner-case bugs may not be revealed. In order to solve these problems, our emphasis is paid on formal modeling and model-based verification. This paper introduces an innovative modeling approach to construct system model, express main safety properties, and execute formally verification using SCADE. This method is proven to be helpful for improving the quality and efficiency of interlocking software in practice.

Weigang Ma,Xinhong Hei

DOI: https://doi.org/10.1109/ICCASM.2010.5620084

2010-01-01

Abstract:A modeling and verification methodology is presented for railway interlocking system which is regarded as a safety-critical system. The methodology utilizes UML (Unified Modeling Language) to model the function requirement and FSM (Finite State Machine) to verify the safety requirements of the specification. The device specifications of railway interlocking system are modeled with UML, and dynamic behaviors of the device and whole system are modeled with FSM, the safety specification is translated LTL (Linear Temporal Logic) and analyzed with NuSMV. We try to show the feasibility of improving the reliability and reducing revalidation efforts when designing and developing a decentralized railway signaling system.

Qiong Song,Guoqiang Cai,Limin Jia

DOI: https://doi.org/10.1109/liss.2016.7854553

2016-01-01

Abstract:This paper based on the theory of reliability centered maintenance (RCM) techniques aimed to verify the analysis results obtained by GO-Bayes method. This paper addresses the problem of establishing Monte Carlo simulation model to simulate the braking system. Metro vehicle braking system has been selected as it is one of the most complex and high-technology systems among all devices of train vehicles with high requirement on safety. As a whole, GO-Bayes analytical method has the accurate results which are consistent with Monte Carlo simulation, with the increase of simulation, its results will be closer to analytical calculated value.

Xi Wang,Lei Ma,Tao Tang

DOI: https://doi.org/10.1177/1687814016649115

2016-01-01

Abstract:With the development of automatic control and communication technology, communication-based train control system is adopted by more and more urban mass transit system to automatically supervise the train speed to follow a desired trajectory. Taking reliability, availability, maintainability, and safety into consideration, 2 × 2-out-of-2 safety computer platform is usually utilized as the hardware platform of safety-critical subsystem in communication-based train control. To enhance the safety integrity level of safety computer platform, safety-related logics have to be verified before integrating them into practical systems. Therefore, a significant problem of developing safety computer platform is how to guarantee that system behaviors will satisfy the function requirements as well as responding to external events and processes within the limit of right time. Based on the qualitative and quantitative analysis of function and timing characteristics, this article introduces a formal modeling and verification approach for this real-time system. In the proposed method, timed automata network model for 2 × 2-out-of-2 safety computer platform is built, and system requirements are specified and formalized as computation tree logic properties which can be verified by UPPAAL model checker.

Yong-gang CHEN,Chun-ping DING

DOI: https://doi.org/10.13238/j.issn.1004-2954.2016.08.026

2016-01-01

Abstract:As a main scene of the Chinese Train Control System, RBC ( Radio Block Center ) level transition scene, whether it can switch successfully, will directly affect high-speed train operating efficiency and safety. By analyzing the formal verification method, the method of time-based industrial software engineering specification language of theorem proving ( Timed Rigorous Approach to Industrial Software Engineering Specification Language,TRSL) is selected. On the basis of the analysis of level transition process, interactive information figure is designed, state transition diagram is constructed, TRSL descriptions of the scene are implemented combined with domain modeling method, and finally the double verification of interaction correctness and real-time capability is fulfilled by means of inference rules and associated system features. The results show the consistence of the scene with system specifications in terms of functionality and instantaneity, and demonstrate the effectiveness, accuracy and versatility of the method, which may provide a new way and basis for the design, development and validation of train control system.

Weigang Ma,Xinhong Hei

DOI: https://doi.org/10.2991/iccasm.2012.212

2012-01-01

Abstract:A verification methodology is presented for railway interlocking system which is regarded as a safety-critical system.The methodology utilizes UML to model the function requirement and LTL to verify the safety requirements of the specification.The device specifications of railway interlocking system are modeled with UML, then translate into FSM.The safety specification is translated LTL and analyzed with NuSMV.We try to show the feasibility of improving the reliability and reducing revalidation efforts when designing and developing a decentralized railway signaling system.

KANG Renwei,WANG Junfeng,LU Jidong

DOI: https://doi.org/10.3969/j.issn.1673-0291.2012.06.012

2012-01-01

Abstract:In order to meet the interconnection and interoperability of railway lines and downgrade operation of train after equipment failures, level transition is required in the operation process. During transition process, improper receiving of level transition advance point and operation point balise information or unallowable train speed will lead to failure of level transition, which would d irectly endanger traffic safety. Therefore, it is necessary to analyze and verify transition process through formal modeling. This paper proposes UPPAAL-based modeling and verification methods of level transition process, establishes CTCS-2/CTCS-3 level transition process automata network model based on timed automata theory, which verifies the safety of level transition process.In addition, it puts forward improvement suggestions of the existing technical specifications.

Tengfei Li,Junfeng Sun,Xinjun Lv,Xiang Chen,Jing Liu,Haiying Sun

DOI: https://doi.org/10.1109/COMPSAC57700.2023.00279

2023-01-01

Abstract:Great achievements have improved the efficiency and effectiveness of formal verification fairly, such that it is now applicable to industrial-scale software. However, verifying a full software system is still considered too complex. In practice, industrial control software models to be verified may result in state space explosion. We propose a problem frame-based approach that takes the full software system as input and tries to decompose the full software model into some smaller modules. Our approach decomposes the whole safety requirements to sub safety requirements, and the verification problem of the whole model is projected to sub verification problem according to the decomposed safety requirements. The sub verification problems check the projected sub models against the the sub safety requirements. We carry out an extensive evaluation based on the trackside subsystems in rail transit. Verifying the decomposed model can lead to a significant performance gain, due to the fact that abstract models reduce too much state space.

Yuvaraj Selvaraj,Wolfgang Ahrendt,Martin Fabian

DOI: https://doi.org/10.48550/arXiv.2204.06873

2022-04-14

Abstract:The challenges in providing convincing arguments for safe and correct behavior of automated driving (AD) systems have so far hindered their widespread commercial deployment. Conventional development approaches such as testing and simulation are limited by non-exhaustive analysis, and can thus not guarantee correctness in all possible scenarios. Formal methods is an approach to provide mathematical proofs of correctness, using a model of a system, that could be used to give the necessary arguments. This paper investigates the use of differential dynamic logic and the deductive verification tool KeYmaera X in the development of an AD feature. Specifically, formal models and safety proofs of different design variants of a Decision & Control module for an in-lane AD feature are presented. In doing so, the assumptions and invariant conditions necessary to guarantee safety are identified, and the paper shows how such an analysis helps during the development process in requirement refinement and formulation of the operational design domain. Furthermore, it is shown how the performance of the different models is formally analyzed exhaustively, in all their allowed behaviors.

Systems and Control

Jie Qian,Jing Liu,Xiang Chen,Junfeng Sun

DOI: https://doi.org/10.1109/APSEC.2014.62

2014-01-01

Abstract:iCMTC is an advanced Communication Based Train Control system developed by CASCO Signal Ltd. For China's mass transit transportation. Some subsystems of iCMTC has been applied in Shanghai Metro Line 10. Zone Controller (ZC) is one of the subsystems of iCMTC. Modeling and verifying ZC is challenging due to the complexity of the block system and the behavior itself. We propose a formal approach to gradually specify the block system and lower complexity of the verification of ZC behavior. In recent years, there are many researches on railway systems. However, these studies use simple track networks, which makes them inadequate in industrial practice. To address this problem, we define specific block layouts (i.e., Double slip connection) as relations on sets. We also define mathematical properties of the relations so that the block system can be precisely described. For the purpose of reducing the complexity of verification, we propose an improved refinement mechanism based on the Event-B notation. Based on this refinement mechanism, we develop a Rodin plug-in to help us refine the system. We use this mechanism in modeling the ZC behavior, and achieve good results in automated proof. Several safety properties are considered and verified to ensure the safety and correctness of ZC.

Jie LIU,Xiao-hua YANG,Hua LIU,Qu-jin WU,Xing CHEN

DOI: https://doi.org/10.11731/j.issn.1673-193x.2015.05.006

2015-01-01

Abstract:Digital reactor control system is a typical real-time hybrid system involving the physical dynamic evolu-tion process of reactor against time and the discrete control process of computer .Differential dynamic logic is a new theory for hybrid system verification .A new method to construct safety verification model of digital reactor control system based on differential dynamic logic was put forward , so as to verify whether the interaction between discrete logic control in reactor control system and the physical continuous change process of reactor continuity can guarantee the safety requirement of reactor .It improves the safety properties of design on digital reactor control system .

牛儒,曹源,唐涛

DOI: https://doi.org/10.3969/j.issn.1001-8360.2009.04.010

2009-01-01

Abstract:The RBC(radio block center) handover protocol is one of the important factors affecting the control-proficiency,transportation ability,reliability and safety of the ETCS system.So the formalism of the qualities of the protocol is of great value to the establishment and improvement of the CTCS Level 3 system.We choose Stochastic Petri Net(SPN) as the formal language to analyze this protocol,which is proved more powerful to give out quantitative results compared with normal simulation methods.The current study has established the failure probability models of the handover procedure with two different train configurations,which captures the channel degradation,GSM-R cell switch and link failure.Besides,the study offers an analysis of the influence of different train velocities and RBC overlap on the successful probability of RBC handover.The study shows that the RBC handover protocol based on double mobile stations,which provides separate communication channels with each RBC during handover,proves to be of greater safety and be less sensitive to the influence of train velocities.