Huixing Fang,Jianqi Shi,Huibiao Zhu,Jian Guo,Kim Guldstrand Larsen,Alexandre David

DOI: https://doi.org/10.1007/s10009-014-0318-1

2014-05-27

International Journal on Software Tools for Technology Transfer

Abstract:For hybrid systems, hybrid automata-based tools are capable of verification, while Matlab Simulink/Stateflow is proficient in simulation. We propose a co-verification procedure, in which the verification tool SpaceEx/PHAVer and simulation tool Matlab are integrated to analyze and verify hybrid systems. For the application of this procedure, a platform screen door system (PSDS, a subsystem of the subway control system), is modeled with hybrid automata and Simulink/Stateflow charts, respectively. The models of PSDS are simulated by Matlab and verified by SpaceEx/PHAVer. The simulation and verification results indicate that the sandwiched situation can be avoided under time interval conditions. We improve the model with four trains and four stations on a subway line and analyze the urgent control scenario for the safety distance requirement. In this paper, the Simulink/Stateflow model is a refinement of the SpaceEx/PHAVer model, which is closer to a final implementation. Moreover, the two models are complementary for some features (e.g.,visualization of simulation, correctness proving by verification), stressing different aspects of the overall system and permitting complementary analysis techniques, i.e., verification versus simulation. We conclude that this integration procedure is competent in verifying subway control systems.

computer science, software engineering

Xi Wang,Lei Ma,Tao Tang

DOI: https://doi.org/10.1177/1687814016649115

2016-01-01

Abstract:With the development of automatic control and communication technology, communication-based train control system is adopted by more and more urban mass transit system to automatically supervise the train speed to follow a desired trajectory. Taking reliability, availability, maintainability, and safety into consideration, 2 × 2-out-of-2 safety computer platform is usually utilized as the hardware platform of safety-critical subsystem in communication-based train control. To enhance the safety integrity level of safety computer platform, safety-related logics have to be verified before integrating them into practical systems. Therefore, a significant problem of developing safety computer platform is how to guarantee that system behaviors will satisfy the function requirements as well as responding to external events and processes within the limit of right time. Based on the qualitative and quantitative analysis of function and timing characteristics, this article introduces a formal modeling and verification approach for this real-time system. In the proposed method, timed automata network model for 2 × 2-out-of-2 safety computer platform is built, and system requirements are specified and formalized as computation tree logic properties which can be verified by UPPAAL model checker.

Tengfei Li,Junfeng Sun,Xinjun Lv,Xiang Chen,Jing Liu,Haiying Sun

DOI: https://doi.org/10.1109/COMPSAC57700.2023.00279

2023-01-01

Abstract:Great achievements have improved the efficiency and effectiveness of formal verification fairly, such that it is now applicable to industrial-scale software. However, verifying a full software system is still considered too complex. In practice, industrial control software models to be verified may result in state space explosion. We propose a problem frame-based approach that takes the full software system as input and tries to decompose the full software model into some smaller modules. Our approach decomposes the whole safety requirements to sub safety requirements, and the verification problem of the whole model is projected to sub verification problem according to the decomposed safety requirements. The sub verification problems check the projected sub models against the the sub safety requirements. We carry out an extensive evaluation based on the trackside subsystems in rail transit. Verifying the decomposed model can lead to a significant performance gain, due to the fact that abstract models reduce too much state space.

Ehsan Ahmad,YunWei Dong,Brian Larson,JiDong Lü,Tao Tang,NaiJun Zhan

DOI: https://doi.org/10.1007/s11432-015-5346-2

2015-01-01

Science China Information Sciences

Abstract:Train control systems like most digital controllers are, by definition, hybrid systems as they interact with or try to control some aspects of the physical world. Detailed behavior modeling with constraints specification and formal verification, required for reliability prediction, is a great challenge for hybrid system designers. Train control systems further intensify this challenge with extensive interaction between computing units and their physical environment and their mutual dependence on each other. In this paper, we investigate behavior modeling and formal verification of Chinese Train Control System Level 3 (CTCS-3) using Architectural Analysis & Design Language (AADL) to cope with this challenge. AADL is an architecture description language for embedded systems and is based on model-based engineering paradigm. Along with structural modeling of embedded systems using the core language constructs, AADL also provides support for language extension through annex sublanguages. In system requirements specification document, the behavior of the CTCS-3 is specified as a set of basic operation scenarios that cooperate with each other to achieve safe and secure functionality of trains. Movement Authority (MA) scenario, explored in this paper, is considered as a basic and most crucial scenario to prevent trains from colliding with each other. The detailed discrete behavior of control system is modeled and verified using the Behavior Language for Embedded Systems with Software (BLESS) annex sublanguage of AADL, and the continuous behavior of train with the cyber–physical interaction (communication between train and control system) is modeled using the Hybrid annex sublanguage. The behavior of the MA scenario at system level is verified using the Hybrid Hoare Logic theorem prover. Behavior constraints are specified as assertions using first-order logic formulas augmented with a simple temporal operator.

Xiaohong Chen,Zhiwei Zhong,Zhi Jin,Min Zhang,Tong Li,Xiang Chen,Tingliang Zhou

DOI: https://doi.org/10.1109/re.2019.00040

2019-01-01

Abstract:Consistency verification of safety requirements is an important but still challenging task for safety-critical systems such as rail transit systems. That is mainly because requirements are typically written in natural language and with strong time constraints. Driven by the practical need from industry, in this paper we propose a systematic approach to specify safety requirements in a quasi-natural language and automatically verify their consistency using formal methods. Specifically, we define a domain specific language SafeNL to specify safety requirements, and then automatically transform them into formal constraints defined in the Clock Constraint Specification Language (CCSL). The transformed constraints can be automatically and efficiently verified by model checking. We conduct two practical case studies to analyze the safety requirements of an interlocking system in CASCO Signal Ltd. Results of the studies show the validity and utility of our approach can pragmatically contribute to industrial practice. We also report some lessons learned from case studies.

张学军,谢剑英,张苗苗

DOI: https://doi.org/10.3321/j.issn:1001-0920.2001.02.017

2001-01-01

Abstract:Aiming at reliability of programmable logic controller forcontinuous plants, an approach is presented to make the hybrid systems′ formal verification. The model is given out by using hybrid rectangular automata and the analysis of its quotient transition system′s reachability is presented. The principles of verification are given. The method is illustrated by an example of chemical process control.

Xiangjun Cheng,Peng Du

2012-01-01

Abstract:Current methods, for modeling urban traffic controlling system, are lack of formal description of system behaviors and cannot verify the specifications. The process of mid-block street crossing is a typical course which involves human behavior, vehicle behavior, traffic control behavior, and safety issue of transportation. This process has the character of sequential process with concurrent event. Description method for concurrent event and communication by Communication Sequential Processes (CSP) and basic notation, axiom, theorem and deducing rules of Duration Calculus (DC) are used for modeling. On the basis of analysis of mid-block street crossing, a formal model of the process of signal control based on CSP and DC is established. Through verification, the model satisfies the safety requirements.

Yan Zhang,Tao Tang,KePing Li,Jose Manuel Mera,Li Zhu,Lin Zhao,TianHua Xu

DOI: https://doi.org/10.1007/s11431-011-4562-2

2011-01-01

Abstract:In order to satisfy the safety-critical requirements, the train control system (TCS) often employs a layered safety communication protocol to provide reliable services. However, both description and verification of the safety protocols may be formidable due to the system complexity. In this paper, interface automata (IA) are used to describe the safety service interface behaviors of safety communication protocol. A formal verification method is proposed to describe the safety communication protocols using IA and translate IA model into PROMELA model so that the protocols can be verified by the model checker SPIN. A case study of using this method to describe and verify a safety communication protocol is included. The verification results illustrate that the proposed method is effective to describe the safety protocols and verify deadlocks, livelocks and several mandatory consistency properties. A prototype of safety protocols is also developed based on the presented formally verifying method.

Weigang Ma,Xinhong Hei

DOI: https://doi.org/10.2991/iccasm.2012.212

2012-01-01

Abstract:A verification methodology is presented for railway interlocking system which is regarded as a safety-critical system.The methodology utilizes UML to model the function requirement and LTL to verify the safety requirements of the specification.The device specifications of railway interlocking system are modeled with UML, then translate into FSM.The safety specification is translated LTL and analyzed with NuSMV.We try to show the feasibility of improving the reliability and reducing revalidation efforts when designing and developing a decentralized railway signaling system.

Weigang Ma,Xinhong Hei

DOI: https://doi.org/10.1109/ICCASM.2010.5620084

2010-01-01

Abstract:A modeling and verification methodology is presented for railway interlocking system which is regarded as a safety-critical system. The methodology utilizes UML (Unified Modeling Language) to model the function requirement and FSM (Finite State Machine) to verify the safety requirements of the specification. The device specifications of railway interlocking system are modeled with UML, and dynamic behaviors of the device and whole system are modeled with FSM, the safety specification is translated LTL (Linear Temporal Logic) and analyzed with NuSMV. We try to show the feasibility of improving the reliability and reducing revalidation efforts when designing and developing a decentralized railway signaling system.

Haifeng Wang,Bin Ning,Tan Chen,Shengjie Tang,Yong Zhang,Ming Chai

DOI: https://doi.org/10.1109/itsc.2018.8569792

2018-01-01

Abstract:Train control system is designed for ensuring the safety of trains in rail operation, and route safety is a key problem of train control. Due to its safety-critical nature and complicated circumstance, train control system is a typical large-scale and complex system. To address the serious challenge of route safety verification in the system development, this paper proposes a novel method by integrating the function model and the fail-safe fault model of train control. According to the fail-safe principle of railway signaling, with the help of Scade formalism, route safety properties are expressed into a fault tree. The two models are investigated for compatibility and, interlinkage constrains are discussed. Then integration rules are defined to combine the fault tree model and the function model into one lumping model, on which the safety verification is performed using Fault Tree Analysis (FTA). To illustrate how to apply the approach, examples are carried out on a part of WuGuang high-speed railway line in China. The results show that the proposed method has a good performance and meets the critical requirements of route safety verification for train control system.

Jidong LV,Tao TANG,Kaicheng LI,Haifeng WANG

DOI: https://doi.org/10.3969/j.issn.1005-8451.2017.01.003

2017-01-01

Abstract:The high speed train control system is a core equipment,which plays an important role in assuring safety and improving efficiency in railway.How to verify the correctness of the functions of system in order to improve the safety is especially important.In this article,the process calculus based method called hybrid communication sequential process(HCSP) was introduced.The formal description to the train control system was taken by HCSP.For typical scenarios,the scenarios of registration and start up were modeled by HCSP.By introducing transition rules,the corresponding model transformation was carried out.The model checking tool UPPAAL was used to simulate and verify the function.The results showed that the model was correct and the method was feasible.

Fei Yan,Tao Tang

DOI: https://doi.org/10.1109/icves.2007.4456386

2007-01-01

Abstract:The safety of control systems are becoming increasingly important as computers pervade them on which human life depends. In rail transportation fields, this has become more complex and the methods to ensure the correctness of train control system have been slow in development. The failure to meet time deadline can have serious or even fatal consequences. This paper presents a new method for performing this verification task. In the proposed method the real-time system is modeled by Timed Automata Network (TAN) and verified by model checking which explores the state space to determine whether the system satisfies a given specification. The case study of ATP (Automatic Train Protection) shows how the method can assist in designing more efficient and reliable real-time systems. Firstly, the state transitions and multi-tasks ATP onboard model will be modeled with Timed Automata Network (TAN) model, and then the time sequences of each task are expressed in UML Sequence Diagrams. Finally, the timing characteristics will be verified to meet the requirement by SMV model checker. A major conclusion of the survey is that formal methods, while still immature in some respects, can be used successfully to model and verify real-time concurrent systems.

zhang yu,dong yunwei,feng wenlong,huang mengxing

DOI: https://doi.org/10.13328/j.cnki.jos.005214

2017-01-01

Abstract:Cyber-Physical System(CPS) tightly integrates control software and embedded components, incorporating software with control domains. CPSs are pervasive and often mission-critical, therefore, they must have high level of security. With the extensive use of information technology, embedded control software plays a greater role in such systems. The close interactions between control software and embedded components demand co-verification. In this paper, an automata-theoretic approach is presented to co-verification. Co-verification, which verifies control software and embedded components together, is essential to establish the correctness of a complete system. The foundation of this approach is a unified model for co-verification and reachability analysis of the model. The LTL formula is converted into a Büchi automata, which is interleaved with the execution of the unified model under analysis. An online-capture offline-replay approach is proposed to improve the usefulness for formal verification. Case studies on a suite of realistic examples show that the presented approach has major potential in verifying system level properties, therefore improving the high-assurance of system.

Yupeng Liu,Tao Tang,Jintao Liu,Lin Zhao,Tianhua Xu

DOI: https://doi.org/10.1109/ISADS.2011.15

2011-01-01

Abstract:The RBC (Radio Block Center) handover is an important part of European Train Control System level 2 which is a typical safety-critical hybrid system. In this paper, we build a formal model of RBC handover procedure using Differential Dynamic Logic, which is a first-order dynamic logic for specifying and verifying hybrid systems, and identify some constraints that are necessary for ensuring safety of train control, including collision avoidance as well as derailment avoidance. Moreover, we formally verify the safety-related properties of our model with deductive verification tool KeYmaera. The experimental results show the validity and feasibility of the method. Meanwhile, the safety constraints and safety-related properties verified in the paper can be helpful to the practical application of train control.

Xian Li,Ming Chai,Lin Zhao,Tao Tang,Tianhua Xu

DOI: https://doi.org/10.1109/isads.2011.18

2011-01-01

Abstract:When verifying the safety of ETCS, testing and formal methods have limitations to some degree. Runtime verification is effective to detect deviation between the current and the expected system behaviors. To improve the accuracy of runtime monitoring, 4-valued LTL (Linear Time Logic) semantics and formula rewriting based algorithm are proposed. Furthermore, approximation technique is presented for 4-valued LTL formulae to make the verification procedure high efficient. Finally, the method is applied to the European Train Control System (ETCS) by monitoring several scenario traces. The experimental results show that the 4-valued LTL semantics are able to generate the most accurate verification outcomes. It can also be found that the approximation technique improves the verification efficiency apparently in some cases.

LI Yang,CHENG Jian-hua,FANG Ding-yi,CHEN Xiao-jiang,FENG Jian

DOI: https://doi.org/10.3778/j.issn.1002-8331.2008.04.034

2008-01-01

Abstract:Distributed system is one type of typical concurrent systems.In concurrent system,safety and liveness are the two main characteristics which should be most concerned and ensured in its application.However,we have to face the problems,in concurrent system modeling and formal verification,such as tedious description,complex and difficult understanding,and it is more serious because of the low efficiency in model checking when it is much large(with a great number of the processes).Combining the features of good modularity in Compositional Reachability Analysis(CRA) and high efficiency in Labeled Transition System(LTS),an efficient model verification method is proposed.Three theorems for safety and liveness verification of concurrent systems are proved,and the relevant effective verification algorithms are derived.The feasibility of the algorithms is indicated through a simplified example.

Huixing Fang,Jifeng He,Qiwen Xu,Huibiao Zhu,Longfei Zhu

2015-01-01

Abstract:Hybrid systems arise in real-time and embedded control systems with the interactions emerged between continuous physical environment and discrete digital controllers. In this paper, we propose an approach for the verification of hybrid systems which are constructed by a hybrid parallel modelling language, where the interaction between the controller and the environment is synchronized by signals. The proof rules with respect to the modelling language are illustrated in the style of Hoare triples. For an application of our approach, a water tank model is produced as a sequential hybrid model, then we verify the model with the satisfiability according to a design requirement. Moreover, for parallel hybrid model, a case of subway control system involving overlapping metro lines is presented and verified with respect to the collision avoidance requirement.

Fei Yan,Tao Tang

DOI: https://doi.org/10.1109/wcica.2008.4592925

2008-01-01

Abstract:The next few years will see distributed real-time computer systems playing an important role in control systems of high-dependability applications, such as rail transportation. In these applications a failure in the temporal domain can be as critical as a failure in the value domain. In rail transportation, train control system has become more complex and the methods to ensure its correctness of have been considered outmoded. The safety of train control system is becoming increasingly important as computers pervade them on which human life depends and the failure to meet time deadline can have serious or even fatal consequences. This paper proposes a formal modeling and verification approach for real-time system. In the proposed method the real-time system is modeled by timed automata network (TAN) and verified by model checking which explores the state space to determine whether the system satisfies a given specification. The case study of ATP (automatic train protection) shows how the method can assist in designing more efficient and reliable real-time systems. Firstly, automatic train protection (ATP) system and timed automata network (TAN) model is proposed; secondly, the state transitions and multi-tasks ATP onboard model was modeled with TAN model, and then the time sequences of each task are expressed in UML sequence diagrams. Finally, the timing characteristics was verified to meet the requirement by UPPAAL model checker. A major conclusion of the survey is that formal methods, while still immature in some respects, can be used successfully to model and verify real-time systems.

Ming Chai,Haifeng Wang,Hongjie Liu,Jidong Lv,Qian Hu

DOI: https://doi.org/10.1109/itsc.2019.8917282

2019-01-01

Abstract:The communications-based train control (CBTC) is a typical safety-critical system that protects and directs train operations in urban rail transit. It is suggested to provide on-going safety protections for the automatic train protection, which is a kernel function of the CBTC. Runtime verification is a technique for monitoring system executions against safety requirements. A particular challenge in implementing of a runtime verification system for the CBTC is the appropriate monitor specification. This paper presents a novel dynamic monitoring generation method to the problem. The train control procedures of the CBTC is formalized by parametric hybrid automata (PHA), which introduces notations of parametric expressions for flow, transition conditions and invariants. With an observation, the PHA is instantiated to a standard hybrid automaton. The monitor specification is then generated automatically by calculating the reachable set of the automaton with respect to some selected safety-related properties. The presented method is evaluated in a hard-ware in the loop CBTC platform, which is developed with realistic engineering data of Beijing Yizhuang metro line. The experiment results show that the approach is feasible, and various dangerous of the CBTC system are prevented from developing into accidents of train collisions.