Wumei Tang,Bin Ning,Tianhua Xu,Lin Zhao

DOI: https://doi.org/10.1109/iccet.2010.5486079

2010-01-01

Abstract:The Chinese train control system level 3 (CTCS-3) system requirement specification required to be high-quality should satisfy the quality attributes, such as correctness, completeness, consistency, and traceability. In order to prove that these quality attributes are satisfied, we present a scenario-based approach using UML sequence diagram and model checking to modeling and verify the specification. The mapping between scenario and sequence diagram ensures correctness of the modeling, and enhances the traceability of the verification. The expressiveness of sequence diagram and the precise semantics of model checker are outstanding and proved in practical applications. The formal techniques used in this paper provide a certain level of confidence because of their rigor and completeness.

W. Tang,B. Ning,T. Xu,L. Zhao

DOI: https://doi.org/10.2495/cr100691

2010-01-01

Abstract:The high quality System Requirement Specification (SRS) is at the heart of the design and development of the European Train Control System level 2 (ETCS L2) with high safety and efficiency. However, the SRS, written in natural language with a shortage of rigorous mathematic foundation, makes it difficult to meet the high quality attributes of SRS, such as correctness, completeness and consistency. In order to tackle the above problems, the integration of a scenario-based model with a formal method, which is recommended to model and verify safety critical system (e.g., train control system), is proposed to improve the quality of the SRS for ETCS L2. First, the relevant operational scenarios are extracted from the SRS, then the corresponding UML sequence diagrams are constructed and finally the sequence diagrams are verified by the formal analysis tool (i.e., NuSMV) through a series transformation rules from UML sequences to NuSMV. The output analysis results facilitate improvement of the SRS qualities. Within the above modeling and verification process, the key mapping relationship is presented to ensure the consistency and traceability between the UML sequence model and the NuSMV specification.

XIE Yu-fei,TANG Tao,XU Tian-hua,ZHAO Lin

DOI: https://doi.org/10.3969/j.issn.1001-8360.2011.07.011

2011-01-01

Abstract:The specifications of the CTCS-3 train control system is the basis of design and development of the CTCS-3 train control system,and it is crucial for realization of good interoperability and high efficiency and security of the system.However,specifications compiled by experience or intuitive thought inevitably bring about defects or hidden dangers.So it is necessary to carry out modeling and formal verification of the system specifications.The paper proposes the method of modeling and formal verification of the CTCS-3 train control system specifications.The method establishes a track chain of the system specifications,model,model checking tools and verification results so as to ensure the consistency of the system specifications,models and program codes.Our practice has proved that this method is feasible and efficient.

Ehsan Ahmad,YunWei Dong,Brian Larson,JiDong Lü,Tao Tang,NaiJun Zhan

DOI: https://doi.org/10.1007/s11432-015-5346-2

2015-01-01

Science China Information Sciences

Abstract:Train control systems like most digital controllers are, by definition, hybrid systems as they interact with or try to control some aspects of the physical world. Detailed behavior modeling with constraints specification and formal verification, required for reliability prediction, is a great challenge for hybrid system designers. Train control systems further intensify this challenge with extensive interaction between computing units and their physical environment and their mutual dependence on each other. In this paper, we investigate behavior modeling and formal verification of Chinese Train Control System Level 3 (CTCS-3) using Architectural Analysis & Design Language (AADL) to cope with this challenge. AADL is an architecture description language for embedded systems and is based on model-based engineering paradigm. Along with structural modeling of embedded systems using the core language constructs, AADL also provides support for language extension through annex sublanguages. In system requirements specification document, the behavior of the CTCS-3 is specified as a set of basic operation scenarios that cooperate with each other to achieve safe and secure functionality of trains. Movement Authority (MA) scenario, explored in this paper, is considered as a basic and most crucial scenario to prevent trains from colliding with each other. The detailed discrete behavior of control system is modeled and verified using the Behavior Language for Embedded Systems with Software (BLESS) annex sublanguage of AADL, and the continuous behavior of train with the cyber–physical interaction (communication between train and control system) is modeled using the Hybrid annex sublanguage. The behavior of the MA scenario at system level is verified using the Hybrid Hoare Logic theorem prover. Behavior constraints are specified as assertions using first-order logic formulas augmented with a simple temporal operator.

Jidong LV,Tao TANG,Kaicheng LI,Haifeng WANG

DOI: https://doi.org/10.3969/j.issn.1005-8451.2017.01.003

2017-01-01

Abstract:The high speed train control system is a core equipment,which plays an important role in assuring safety and improving efficiency in railway.How to verify the correctness of the functions of system in order to improve the safety is especially important.In this article,the process calculus based method called hybrid communication sequential process(HCSP) was introduced.The formal description to the train control system was taken by HCSP.For typical scenarios,the scenarios of registration and start up were modeled by HCSP.By introducing transition rules,the corresponding model transformation was carried out.The model checking tool UPPAAL was used to simulate and verify the function.The results showed that the model was correct and the method was feasible.

Yuan CAO,Tao TANG,Dan LUO,Jiancheng MU

DOI: https://doi.org/10.3969/j.issn.0258-2724.2010.04.015

2010-01-01

Abstract:To verify the correctness of a train control system design in the development stage, a formal method, which is based on RAISE (rigorous approach to industrial software engineering) and can be used for system modeling, description and verification, was proposed. For the tracking operation between two trains of CTCS-3 (China train control system level 3), domain models of the system were established by adopting feature-oriented domains. After extending and improving the domain models using RAISE specification language (RSL), a final description of the tracking operation between two trains was formed. With the axioms described by RSL and reasoning rules of RAISE, the system design of CTCS-3 was verified correct in the context of tracking scene between two trains.

L(U) Ji-dong,TANG Tao

DOI: https://doi.org/10.3969/j.issn.1001-8360.2011.06.010

2011-01-01

Abstract:The high-speed train control system is a typical distributed real-time system,in which time constraints are mainly focused on the operation scenarios between subsystems.The extension of the temporal logic can not meet all needs of describing the properties of the distributed real-time system.The scenarios of the train control system are often described in terms of the deadline,time-out and wait until and so on.Insufficiency exists in the above formal descriptions and also in verification along with intensification of the complexity of the system.In this paper,the modeling and verification methods suitable for the scenarios of the train control system are introduced.Firstly,HCSP is used to model the distributed real-time system.Secondly,the HCSP models are transformed to the TA models according to transition rules.Finally,automatic verification is accomplished with the checking tool UPPAAL.The effectiveness of the proposed modeling and verification methods are proved through simulation and analysis of RBC handover scenarios.

LIU Jintao,TANG Tao,XU Tianhua,ZHAO Lin

2011-01-01

Abstract:With the method which integrated UML with symbolic model checking,the formal verification of CTCS-3 level system requirement specification was carried out.The UML model of requirement specification was extended and abstracted using event and visible-variable abstraction methods.According to the transformation rules,the NuSMV model of requirement specification was established.Verification for domain independent and domain dependent properties of NuSMV model was elaborated.Additionally,the approach of the counterexample was proposed for tracking,locating and correcting errors.Taking the mode switch in the requirement specification for example,the proposed formal verification method was adopted for the verification of mode switch.The result of verification shows that mode switch can satisfy the requirements of liveness,transition,non-deadlock,determinacy and safety.The process of verification shows that the method which integrates UML with symbolic model checking is suitable for the verification of CTCS-3 level system requirement specification.

Huixing Fang,Jifeng He,Qiwen Xu,Huibiao Zhu,Longfei Zhu

2015-01-01

Abstract:Hybrid systems arise in real-time and embedded control systems with the interactions emerged between continuous physical environment and discrete digital controllers. In this paper, we propose an approach for the verification of hybrid systems which are constructed by a hybrid parallel modelling language, where the interaction between the controller and the environment is synchronized by signals. The proof rules with respect to the modelling language are illustrated in the style of Hoare triples. For an application of our approach, a water tank model is produced as a sequential hybrid model, then we verify the model with the satisfiability according to a design requirement. Moreover, for parallel hybrid model, a case of subway control system involving overlapping metro lines is presented and verified with respect to the collision avoidance requirement.

Xiaohong Chen,Zhiwei Zhong,Zhi Jin,Min Zhang,Tong Li,Xiang Chen,Tingliang Zhou

DOI: https://doi.org/10.1109/re.2019.00040

2019-01-01

Abstract:Consistency verification of safety requirements is an important but still challenging task for safety-critical systems such as rail transit systems. That is mainly because requirements are typically written in natural language and with strong time constraints. Driven by the practical need from industry, in this paper we propose a systematic approach to specify safety requirements in a quasi-natural language and automatically verify their consistency using formal methods. Specifically, we define a domain specific language SafeNL to specify safety requirements, and then automatically transform them into formal constraints defined in the Clock Constraint Specification Language (CCSL). The transformed constraints can be automatically and efficiently verified by model checking. We conduct two practical case studies to analyze the safety requirements of an interlocking system in CASCO Signal Ltd. Results of the studies show the validity and utility of our approach can pragmatically contribute to industrial practice. We also report some lessons learned from case studies.

Yuan, L.,Tang, T.,Li, K.

DOI: https://doi.org/10.1109/ISADS.2011.17

2011-01-01

Abstract:The importance of the specification of train control system is increasingly recognized and gained more attention in signalling field in China as the specification is the basis to ensure that the signalling system supplied by manufacturer meet the requirements of the railway administration, for example, the requirement for the interoperability of the system. The specifications which are described in natural language are probably deficient and it is inadequate that the specifications are checked only based on the experience of experts. In this paper, a modelling method was applied on the description and the verification of the System Requirement Specification, SRS, of train control system. The Specification and Description Language, SDL, was used to describe the functional behavior of the onboard equipment which is defined in the SRS. First, we defined the principles of modelling which are summarized for the purpose of the interoperability validation. Then, we applied a top-down hierarchical approach to model the functional behavior. The model started from the system level to describe the interface and refined in the block level to show the interaction of system scenarios and detailed the state transition and the working processes of the system in the process level. Debugged the SDL model, we validated the model in Telelogic Tau tool to find the problems of the SRS. The results showed that the ambiguous terms and the incompatible descriptions of the SRS can be found. It can be helpful for the modification of the SRS and the quality of train control system further.

Zhao Xianqiong,Li Kaicheng,Tang Tao,Yuan Lei

DOI: https://doi.org/10.3969/j.issn.1000-7458.2010.08.002

2010-01-01

Abstract:CTCS-3 is a typically safety-critical system.For a safety-critical system,it is vital that there is security risks in its System Requirement Specification(SRS).The SRS of CTCS-3 is covered by 14 operational scenarios,so it is reasonable and necessary to analyze these operational scenarios.This paper propose a method to analyze and verify the operational scenarios on the basis of UML and CSP and take the RBC exchange scenario as a study case to verify its aliveness,dead-lock,live-lock,deterministic property and part of safety property.

Haotong Xu,Kaicheng Li,Lei Yuan,Qiang Fu

DOI: https://doi.org/10.1117/12.2652804

2022-01-01

Abstract:In order to meet the needs of railway operations in western China, the development of Chinese New Train Control System (CTCS-N) has been launched. To obtain complete and correct system requirements for CTCS-N early in system development, this paper applies the scenario-based requirements analysis method in software engineering to the requirements analysis of CTCS-N. This method takes the system operation scenario as input, analyzes the behaviors of the scenario based on ontology theory, and extracts the system requirements contained in the scenario based on SWRL (Semantic Web Rule Language) reasoning rules. Furthermore, the timed automata (TA) network model is constructed for requirement verification. Based on the design of the CTCS-N architecture, the above method is used to analyze the requirements based on the train integrity monitoring scenario as an example. The result shows that the method can effectively obtain the system requirements and provides a reference for the requirements development of CTCS-N.

Yi Zhang,Kaicheng Li,Guodong Wei,Lei Yuan,Fei Wang

DOI: https://doi.org/10.1117/12.2652694

2022-01-01

Abstract:Formal methods are used to improve the credibility and correctness of scenarios in Chinese Train Control Systems (CTCS). At present, there are few formal studies on the high-speed Automatic Train Operation system that developed from CTCS-3 level high-speed railway technology. In this paper, we adopt a new formal method, Alvis, which combines the advantages of high-level programming language and graphical modeling and select the interzone TSRS handover scene in high-speed railway ATO system as the research object. The messaging behaviors of the scene are analyzed using UML sequence diagrams, and an Alvis model of the system is built, which is converted into an smv model supporting the formal validation of the model checking tool nuXmv. The real-time performance of the extracted messaging was verified on demand, inconsistency between technical specifications and actual operational scenarios was identified and solution was provided. The results of this method can provide some reference for the technical promotion of ATO train control system in China.

Yong Zhang,Haifeng Wang,Ming Chai,Ruijun Cheng

DOI: https://doi.org/10.1109/mits.2019.2953506

IF: 5.293

2021-01-01

IEEE Intelligent Transportation Systems Magazine

Abstract:The train control data is crucial for the safe operation of trains. However, the correctness of train control data relies too much on expert experience in the field of railways due to the complex railway line situations. To address this problem, a graph theory based data model is proposed to describe the signals and track sections of critical train control route information. Then, the correctness verification theorems for route data are proposed by applying the mathematical formalism representation. Furthermore, a verification theorem is proposed to check the correctness of the single route data. In addition, another theorem is proposed for ensuring the correctness of invasion insulated track sections data. Theorems for different kinds of conflicting routes are also proposed to verify the conflict relations between routes. Finally, a case study is presented to illustrate our proposed modeling and verification method. The results show that the proposed verification method is feasible to CTCS-3, which can implement the data verification process in a formal way.

Jie Qian,Jing Liu,Xiang Chen,Junfeng Sun

DOI: https://doi.org/10.1109/APSEC.2014.62

2014-01-01

Abstract:iCMTC is an advanced Communication Based Train Control system developed by CASCO Signal Ltd. For China's mass transit transportation. Some subsystems of iCMTC has been applied in Shanghai Metro Line 10. Zone Controller (ZC) is one of the subsystems of iCMTC. Modeling and verifying ZC is challenging due to the complexity of the block system and the behavior itself. We propose a formal approach to gradually specify the block system and lower complexity of the verification of ZC behavior. In recent years, there are many researches on railway systems. However, these studies use simple track networks, which makes them inadequate in industrial practice. To address this problem, we define specific block layouts (i.e., Double slip connection) as relations on sets. We also define mathematical properties of the relations so that the block system can be precisely described. For the purpose of reducing the complexity of verification, we propose an improved refinement mechanism based on the Event-B notation. Based on this refinement mechanism, we develop a Rodin plug-in to help us refine the system. We use this mechanism in modeling the ZC behavior, and achieve good results in automated proof. Several safety properties are considered and verified to ensure the safety and correctness of ZC.

Tianhua Xu,Tao Tang,Chunhai Gao,Baigen Cai

DOI: https://doi.org/10.1109/IVS.2009.5164402

2009-01-01

Abstract:We formally verify hybrid safety properties of Automatic Collision Avoidance System (ACAS) in the European Train Control System (ETCS). We present a formal requirements, design decision, discrete design and the real-time program for ACAS and verify correctness using compositional verification rules based Weakly monotonic time extension of DC* (WDC*). The advantage of compositional proof rule is that it decomposes a large system into more manageable pieces and to prove the correctness of the whole system from that of its immediate constituents. WDC* provides an essential simplification in reasoning about the design of real-time properties in ACAS by means of true synchrony hypothesis and the super-dense computation.

Peng Zhang,Zhenhua Duan,Cong Tian

DOI: https://doi.org/10.1109/cscwd.2013.6580942

2013-01-01

Abstract:This paper presents an approach to simulate and verify the CTCS-3 (Chinese Train Control System 3) protocol with a Modeling, Simulation and Verification Language (MSVL) which is an executable subset of Projection Temporal Logic (PTL). First, the syntax and semantics of PTL and MSVL are briefly introduced. Then, CTCS-3 protocol is briefly presented and a simplified CTCS-3 protocol described by an MSVL program is given, and the property to be verified is specified by a Propositional Projection Temporal Logic (PPTL) formula. Finally, the simulation is conducted by means of the interpreter of MSVL. A dynamic graph showing behavior of train is depicted. Based on the graph, we can verify whether or not the protocol satisfies the property.

Lei Yuan,Shiying Yang,Dewang Chen,Kaicheng Li

DOI: https://doi.org/10.4304/jsw.9.6.1553-1560

2014-01-01

Abstract:Chinese Train Control System level three (CTCS-3) is a major technical system in Chinese high-speed rail and Train Control System (TCC) is indispensable component in the CTCS-3. Current researches on TCC are mainly based on the simulation, which cannot ensure that all conditions in TCC are tested. This paper presents a hierarchical modeling method and uses time automation (TA) to model the TCC software. We take the design of the active balise telegram editing, a major part in the TCC software, as an example. At first, the process of the active balise telegram editing is analyzed to obtain a hierarchical diagram containing several layers. Then, TA is employed to build one TA model for each layer. Lastly, we use UPPAAL (a model validation tool, developed by Uppsala University and Aalborg University) to construct a network of the TA models to verify the active balise telegram editing. The verification results demonstrate that this modeling method is feasible and the model can meet the functional requirements of the TCC software.

Lei Bu,Xin Chen,Linzhang Wang,Xuandong Li

IF: 4.755

2011-01-01

Clinical Orthopaedics and Related Research

Abstract:Communication Based Train Control (CBTC) system is the state-of-the-art train control system. In a CBTC system, to guarantee the safety of train operation, trains communicate with each other intensively and adjust their control modes autonomously by computing critical control parameters, e.g. velocity range, according to the information they get. As the correctness of the control parameters generated are critical to the safety of the system, a method to verify these parameters is a strong desire in the area of train control system. In this paper, we present our ideas of how to model and verify the control parameter calculations in a CBTC system efficiently. - As the behavior of the system is highly nondeterministic, it is difficult to build and verify the complete behavior space model of the system online in advance. Thus, we propose to model the system according to the ongoing behavior model induced by the control parameters. - As the parameters are generated online and updated very quickly, the verification result will be meaningless if it is given beyond the time bound, since by that time the model will be changed already. Thus, we propose a method to verify the existence of certain dangerous scenarios in the model online quickly. To demonstrate the feasibility of these proposed approaches, we present the composed linear hybrid automata with readable shared variables as a modeling language to model the control parameters calculation and give a path-oriented reachability analysis technique for the scenario-based verification of this model. We demonstrate the model built for the CBTC system, and show the performance of our technique in fast online verification. Last but not least, as CBTC system is a typical CPS system, we also give a short discussion of the potential directions for CPS verification in this paper.