european train control system a case study in formal
play

European Train Control System: A Case Study in Formal Verification e - PowerPoint PPT Presentation

Nov 12, 2023 •19 likes •769 views

European Train Control System: A Case Study in Formal Verification e Platzer 1 Jan-David Quesel 2 Andr 1 Carnegie Mellon University, Pittsburgh, PA 2 University of Oldenburg, Department of Computing Science, Germany International Conference on

  1. European Train Control System: A Case Study in Formal Verification e Platzer 1 Jan-David Quesel 2 Andr´ 1 Carnegie Mellon University, Pittsburgh, PA 2 University of Oldenburg, Department of Computing Science, Germany International Conference on Formal Engineering Methods (ICFEM), Rio de Janeiro, 2009 Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 1 / 19

  2. ETCS Control Verification Problem Hybrid System Continuous evolutions (differential equations) Discrete jumps (control decisions) τ. p τ. v z τ. a v a 6 3.0 2 5 2.5 1 2.0 4 1.5 3 4 t 1 2 3 1.0 2 � 1 0.5 1 4 t 4 t � 2 1 2 3 1 2 3 Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 2 / 19

  3. European Train Control System τ. p m . e ST SB Objectives Overview 1 Collision free 1 No static partitioning of track 2 Radio Block Controller (RBC) 2 Maximise throughput & manages movement authorities velocity (300 km/h) 3 2 . 1 ∗ 10 6 passengers/day dynamically 3 Moving block principle Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 3 / 19

  4. European Train Control System τ. p m . e ST SB Parametric Hybrid Systems continuous evolution along differential equations + discrete change m . e MA z τ. p v t τ. v Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 3 / 19

  5. European Train Control System τ. p m . e ST SB Parametric Hybrid Systems continuous evolution along differential equations + discrete change m . e MA z τ. p v t τ. v Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 3 / 19

  6. European Train Control System τ. p m . e ST SB Parametric Hybrid Systems continuous evolution along differential equations + discrete change m . e MA MA z z τ. p v v t τ. v Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 3 / 19

  7. European Train Control System τ. p m . e ST SB Parametric Hybrid Systems continuous evolution along differential equations + discrete change Parameters have nonlinear influence m . e MA MA Handle SB as free symbolic parameter? z z τ. p Challenge: verification (falsifying is “easy”) Which constraints for SB ? v v t τ. v ∀ m . e ∃ SB “train always safe” Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 3 / 19

  8. Differential Dynamic Logic (d L ) τ. v τ. p m . e Example → [ ]( ) Precondition Operation model Property Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 4 / 19

  9. Differential Dynamic Logic (d L ) τ. v τ. p m . e Example τ. v 2 ≤ 2 b ( m . e − τ. p ) → [ ]( τ. p ≤ m . e ) Precondition Operation model Property Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 4 / 19

  10. Differential Dynamic Logic (d L ) τ. v τ. p m . e Example τ. v 2 ≤ 2 b ( m . e − τ. p ) → [ τ. p ′ = τ. v , τ. v ′ = τ. a ]( τ. p ≤ m . e ) Precondition Operation model Property Continuous evolution: differential equation Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 4 / 19

  11. Differential Dynamic Logic (d L ) τ. v τ. p m . e Example τ. v 2 ≤ 2 b ( m . e − τ. p ) → [ τ. a := ∗ ; τ. p ′ = τ. v , τ. v ′ = τ. a ]( τ. p ≤ m . e ) Precondition Operation model Property Random assignment Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 4 / 19

  12. Differential Dynamic Logic (d L ) τ. v τ. p m . e Example τ. v 2 ≤ 2 b ( m . e − τ. p ) → [ τ. a := ∗ ; ? τ. a ≤ − b ; τ. p ′ = τ. v , τ. v ′ = τ. a ]( τ. p ≤ m . e ) Precondition Operation model Property Test Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 4 / 19

  13. 3D Movement Authorities τ. v τ. p Vectorial MA m = ( d , e , r ): Beyond point m . e train not faster than m . d . Train should try not to keep recommended speed m . r Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 6 / 19

  14. 3D Movement Authorities τ. v m . r τ. p Vectorial MA m = ( d , e , r ): Beyond point m . e train not faster than m . d . Train should try not to keep recommended speed m . r Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 6 / 19

  15. 3D Movement Authorities τ. v m . r τ. p m 1 . d m 1 . e Vectorial MA m = ( d , e , r ): Beyond point m . e train not faster than m . d . Train should try not to keep recommended speed m . r Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 6 / 19

  16. 3D Movement Authorities τ. v m . r τ. p m 1 . d m 1 . e Vectorial MA m = ( d , e , r ): Beyond point m . e train not faster than m . d . Train should try not to keep recommended speed m . r Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 6 / 19

  17. 3D Movement Authorities τ. v m . r m 2 . d τ. p m 2 . e Vectorial MA m = ( d , e , r ): Beyond point m . e train not faster than m . d . Train should try not to keep recommended speed m . r Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 6 / 19

  18. 3D Movement Authorities τ. v m . r m 2 . d τ. p m 2 . e Vectorial MA m = ( d , e , r ): Beyond point m . e train not faster than m . d . Train should try not to keep recommended speed m . r Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 6 / 19

  19. 3D Movement Authorities τ. v m . r m 3 . d τ. p m 3 . e Vectorial MA m = ( d , e , r ): Beyond point m . e train not faster than m . d . Train should try not to keep recommended speed m . r Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 6 / 19

  20. 3D Movement Authorities τ. v m . r m 3 . d τ. p m 3 . e Vectorial MA m = ( d , e , r ): Beyond point m . e train not faster than m . d . Train should try not to keep recommended speed m . r Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 6 / 19

  21. Separation Principle Lemma (Principle of separation by movement authorities) Each train respects its movement authority and the RBC partitions into disjoint movement authorities ⇒ trains can never collide. τ. p m . e ST SB Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 7 / 19

  22. Parametric Skeleton of ETCS Read from the informal specification. . . ETCS skel : ( train ∪ rbc ) ∗ train : spd ; atp ; drive : (? τ. v ≤ m . r ; τ. a := ∗ ; ? − b ≤ τ. a ≤ A ) spd ∪ (? τ. v ≥ m . r ; τ. a := ∗ ; ? − b ≤ τ. a ≤ 0) : if ( m . e − τ. p ≤ SB ∨ rbc . message = emergency ) τ. a := − b atp : t := 0; ( τ. p ′ = τ. v , τ. v ′ = τ. a , t ′ = 1 ∧ τ. v ≥ 0 ∧ t ≤ ε ) drive : ( rbc . message := emergency ) ∪ ( m := ∗ ; ? m . r > 0) rbc Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 8 / 19

  23. Parametric Skeleton of ETCS As transition system. . . m 0 := m m := ∗ τ. p ′ = τ. v , τ. v ′ = τ. a , t ′ = 1 rbc . message := emergency τ. v ≥ 0 ∧ t ≤ ε t := 0 τ. a := − b ? τ. v ≤ m . r ? − b ≤ τ. a ≤ A τ. a := ∗ ?( m . e − τ. p ≤ SB ∨ rbc . message = emergency ) ? m . e − τ. p ≥ SB ∧ ? τ. v ≥ m . r ?0 > τ. a ≥ − b τ. a := ∗ rbc . message � = emergency ) Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 8 / 19

  24. Parametric Skeleton of ETCS ETCS skel : ( train ∪ rbc ) ∗ : spd ; atp ; drive train spd : (? τ. v ≤ m . r ; τ. a := ∗ ; ? − b ≤ τ. a ≤ A ) ∪ (? τ. v ≥ m . r ; τ. a := ∗ ; ? − b ≤ τ. a ≤ 0) atp : if ( m . e − τ. p ≤ SB ∨ rbc . message = emergency ) τ. a := − b : t := 0; ( τ. p ′ = τ. v , τ. v ′ = τ. a , t ′ = 1 ∧ τ. v ≥ 0 ∧ t ≤ ε ) drive : ( rbc . message := emergency ) ∪ ( m := ∗ ; ? m . r > 0) rbc Task Verify safety Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 8 / 19

  25. Parametric Skeleton of ETCS ETCS skel : ( train ∪ rbc ) ∗ : spd ; atp ; drive train spd : (? τ. v ≤ m . r ; τ. a := ∗ ; ? − b ≤ τ. a ≤ A ) ∪ (? τ. v ≥ m . r ; τ. a := ∗ ; ? − b ≤ τ. a ≤ 0) atp : if ( m . e − τ. p ≤ SB ∨ rbc . message = emergency ) τ. a := − b : t := 0; ( τ. p ′ = τ. v , τ. v ′ = τ. a , t ′ = 1 ∧ τ. v ≥ 0 ∧ t ≤ ε ) drive : ( rbc . message := emergency ) ∪ ( m := ∗ ; ? m . r > 0) rbc Task Verify safety Specification [ ETCS skel ]( τ. p ≥ m . e → τ. v ≤ m . d ) Andr´ e Platzer, Jan-David Quesel ETCS: A Case Study in Formal Verification ICFEM 2009 8 / 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Ten Diverse Formal Models for a CBTC Automatic Train Supervision System Franco Mazzanti ISTI CNR

Ten Diverse Formal Models for a CBTC Automatic Train Supervision System Franco Mazzanti ISTI CNR

MARS / VPT 2018 Thessaloniki, 20 April 2018 Ten Diverse Formal Models for a CBTC Automatic Train Supervision System Franco Mazzanti ISTI CNR Pisa Italy Origins of the study Define an ATS scheduling approach to achieve deadlock free train

532 views • 35 slides
A case study in formal system engineering with SysML Iulia Dragomir 1 , Iulian Ober 1 and David

A case study in formal system engineering with SysML Iulia Dragomir 1 , Iulian Ober 1 and David

A case study in formal system engineering with SysML Iulia Dragomir 1 , Iulian Ober 1 and David Lesens 2 1 IRIT - University of Toulouse 2 Astrium Space Transportation July 19, 2012 Iulia Dragomir (IRIT) A case study in formal system engineering

466 views • 46 slides
A Case Study on Formal Verification of the Anaxagoros Paging System with Frama-C Allan

A Case Study on Formal Verification of the Anaxagoros Paging System with Frama-C Allan

A Case Study on Formal Verification of the Anaxagoros Paging System with Frama-C Allan Blanchard Nikolai Kosmatov Matthieu Lemerre Fr ed eric Loulergue FMICS 2015 June 22, 2015 CONTENTS Anaxagoros Virtual Memory Formal

590 views • 31 slides
Simulation Based Formal Verification of Onboard Software A Case Study SyLVer : System

Simulation Based Formal Verification of Onboard Software A Case Study SyLVer : System

Simulation Based Formal Verification of Onboard Software A Case Study SyLVer : System Level Verifier Toni Mancini, Annalisa Massini, Federico Mari , Igor Melatti, Ivano Salvo, Enrico Tronci Computer Science Department Sapienza University

668 views • 23 slides
Formal Verification of Train Control with Air Pressure Brakes Stefan Mitsch 1 Marco Gario 2

Formal Verification of Train Control with Air Pressure Brakes Stefan Mitsch 1 Marco Gario 2

Formal Verification of Train Control with Air Pressure Brakes Stefan Mitsch 1 Marco Gario 2 Christof J. Budnik 2 Michael Golm 2 e Platzer 1 Andr 1 Computer Science Department, Carnegie Mellon University 2 Siemens Corporate Technology, Princeton,

731 views • 52 slides
23 Advanced Topics 5: Multi-lingual Models Up until now, we have assumed that in the case of

23 Advanced Topics 5: Multi-lingual Models Up until now, we have assumed that in the case of

(c) Model Pivoting (a) Result Pivoting (b) Data Pivoting src pivot pivot trg src pivot pivot trg src pivot pivot trg train train train train train train train train train train train train src src-pivot pivot-trg

179 views • 5 slides
Positive Train Control June 28, 2018 PTC Overview Positive train control uses GPS, radio

Positive Train Control June 28, 2018 PTC Overview Positive train control uses GPS, radio

Positive Train Control June 28, 2018 PTC Overview Positive train control uses GPS, radio communications, and onboard and wayside computer equipment to enforce speed limits and authority limits should the operating engineer fail to take

647 views • 17 slides
Formal Verification of Curved Flight Collision Avoidance Maneuvers A Case Study Andr e

Formal Verification of Curved Flight Collision Avoidance Maneuvers A Case Study Andr e

Formal Verification of Curved Flight Collision Avoidance Maneuvers A Case Study Andr e Platzer Edmund M. Clarke Carnegie Mellon University, Computer Science Department, Pittsburgh, PA Formal Methods, FM, Eindhoven, November 2009 0.5 0.4

1.11k views • 71 slides
Ricardo Semler Case Study Briefing Advance notice: Leading Change Case Study Please read the

Ricardo Semler Case Study Briefing Advance notice: Leading Change Case Study Please read the

Ricardo Semler Case Study Briefing Advance notice: Leading Change Case Study Please read the Case Study found in the Assignment section of M005 and be ready to present your findings in a formal presentation in week 11. Each team member

319 views • 6 slides
Principle of case control studies Part II Selection of case and control Recall bias

Principle of case control studies Part II Selection of case and control Recall bias

Principle of case control studies Part II Selection of case and control Recall bias Advantage and limitation of case control study Piyanit Tharmaphornpilas MD, MPH The I nternational Field Epidemiology Training Program, Thailand Who

607 views • 12 slides
New Case Management System for Chancery Division Train inin ing g Webi binar nar August st

New Case Management System for Chancery Division Train inin ing g Webi binar nar August st

Hon. Dorothy Brown Office of the Clerk of the Circuit Court of Cook County, Illinois 1 Scheduling with the New Case Management System for Chancery Division Train inin ing g Webi binar nar August st 17, 2020 Scheduling with the New Case

537 views • 49 slides
Smart Freight Train A new subsystem of the European railway system IRFC Praha March 2017 1

Smart Freight Train A new subsystem of the European railway system IRFC Praha March 2017 1

Smart Freight Train A new subsystem of the European railway system IRFC Praha March 2017 1 What? The Smart Freight Train system Goal: The right information at the right time for the right person Provide real-time information to answer the

549 views • 7 slides
New Case Management System for County Division Train inin ing g Webi binar nar August st

New Case Management System for County Division Train inin ing g Webi binar nar August st

Hon. Dorothy Brown Office of the Clerk of the Circuit Court of Cook County, Illinois 1 Scheduling with the New Case Management System for County Division Train inin ing g Webi binar nar August st 12, 2020 Scheduling with the New Case

436 views • 33 slides
Global Information Systems The Case Study: Development of an Asian-European Business Portal

Global Information Systems The Case Study: Development of an Asian-European Business Portal

Global Information Systems The Case Study: Development of an Asian-European Business Portal Henri Pirkkalainen, Prof. Dr. Jan M. Pawlowski 09.09.2013 Contents Introduction Case Study Contents of the case study The process of the

693 views • 21 slides
Case study of Control of Intellectual Property (CIP) that uses I-TRIZ and idea generation Gen

Case study of Control of Intellectual Property (CIP) that uses I-TRIZ and idea generation Gen

J13 Case study of Control of Intellectual Property (CIP) that uses I-TRIZ and idea generation Gen Abiko (MINORU International Patent Office) 1. Purpose Through the case study of the small animal capture tool (rattrap), the method the

139 views • 11 slides
Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has

Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has

Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has innovation helped to produce a cost effective remedial design? Challenging contaminant profile Taken a traditional / well understood remedial

910 views • 4 slides
for Automated Rail Transport and Driver-less cars applications Francesco Rispoli Imperia, 5 July

for Automated Rail Transport and Driver-less cars applications Francesco Rispoli Imperia, 5 July

Breakthrough Satellite Technologies for Automated Rail Transport and Driver-less cars applications Francesco Rispoli Imperia, 5 July 2017 1 Rail Transport systems are already higly automated The European challenge: interoperability different

1.12k views • 48 slides
Bank of America Merrill Lynch Global Transportation Conference May 16, 2013 John P. Rathbone

Bank of America Merrill Lynch Global Transportation Conference May 16, 2013 John P. Rathbone

Bank of America Merrill Lynch Global Transportation Conference May 16, 2013 John P. Rathbone Executive Vice President Finance and Chief Financial Officer 1 Norfolk Southern Update System Overview Technology / Productivity First

778 views • 61 slides
Promises & Challenges of Video Data Sharing: Perspectives from the Databrary Digital Library

Promises & Challenges of Video Data Sharing: Perspectives from the Databrary Digital Library

Promises & Challenges of Video Data Sharing: Perspectives from the Databrary Digital Library NICHD U01-HD-076595, NSF BCS-1238599, SRCD Karen E. Adolph New York University Preview Behavior is essential for understanding typical &

968 views • 70 slides
Indoor/ Outdoor Pedestrian Navigation with an Embedded GPS/ RFID/ Self- contained Sensor System

Indoor/ Outdoor Pedestrian Navigation with an Embedded GPS/ RFID/ Self- contained Sensor System

Indoor/ Outdoor Pedestrian Navigation with an Embedded GPS/ RFID/ Self- contained Sensor System Masakatsu Kourogi, Nobuchika Sakata, Takashi Okuma and Takeshi Kurata National Institute of Advanced Industrial Science and Technology (AIST)

519 views • 23 slides
Mass Surveillance and Artificial Intelligence New Legal Challenges John Danaher NUI Galway

Mass Surveillance and Artificial Intelligence New Legal Challenges John Danaher NUI Galway

Mass Surveillance and Artificial Intelligence New Legal Challenges John Danaher NUI Galway while any locomotive is in motion, shall precede such locomotive on foot by not less than sixty yards, and shall carry a red flag constantly

471 views • 20 slides
2014 TRANSPORTATION AND ROAD IMPROVEMENT BOND CITIZENS GENERAL OBLIGATION BOND OVERSIGHT

2014 TRANSPORTATION AND ROAD IMPROVEMENT BOND CITIZENS GENERAL OBLIGATION BOND OVERSIGHT

Status Report March 2017 2014 TRANSPORTATION AND ROAD IMPROVEMENT BOND CITIZENS GENERAL OBLIGATION BOND OVERSIGHT COMMITTEE Summary The $500 million 2014 San Francisco Transportation and Road Improvement General Obligation Bond was

414 views • 7 slides
Llyfrgell Genedlaethol Cymru = The National Library of Wales Cymorth chwilio | Finding Aid -

Llyfrgell Genedlaethol Cymru = The National Library of Wales Cymorth chwilio | Finding Aid -

Llyfrgell Genedlaethol Cymru = The National Library of Wales Cymorth chwilio | Finding Aid - [Railway Lantern Slides] () Cynhyrchir gan Access to Memory (AtoM) 2.3.0 Generated by Access to Memory (AtoM) 2.3.0 Argraffwyd: Mai 09, 2017 Printed:

228 views • 4 slides
towards cost reduction Sr DFM/BRC System Improvements - Engg Construction and Maintenance of

towards cost reduction Sr DFM/BRC System Improvements - Engg Construction and Maintenance of

System Improvements towards cost reduction Sr DFM/BRC System Improvements - Engg Construction and Maintenance of Quarters at BOOT Mode. Construction of Boundary wall next to track in city areas on PPP mode with advertising

1.67k views • 74 slides

More recommend