Ten Diverse Formal Models for a CBTC Automatic Train Supervision - PowerPoint PPT Presentation

MARS / VPT 2018 Thessaloniki, 20 April 2018 Ten Diverse Formal Models for a CBTC Automatic Train Supervision System Franco Mazzanti ISTI CNR Pisa Italy

Origins of the study Define an ATS scheduling approach to achieve deadlock free train dispatching. Trace-IT Case Study: a project defined CBTC scenario Investigate and experiment with a rich set of formal methods an tools to compose a survey on the ASTRail suggested use of formal methods in the railway field. Trace-IT case study re-used as one of the experiments. Official Disclaimer: The opinions and results discussed in this presentation reflects only the author’s view and the Shift2Rail Joint Undertaking is not responsible for any use that may be made of the presented information. Ten Diverse Formal Models … 2 Thessaloniki, 20 April 2018

The Trace-IT goal Ÿ We have a metro layout. Ÿ We have an automatic (unmanned) metro service. Ÿ Each train has its mission statically defined, provided to the ATS as static configuration data (timetable) Ÿ We have to design the logic of the ATS scheduling kernel, to successfully dispatch all the trains, leading them to destination avoiding deadlocks (also in case of arbitrary delays) Ten Diverse Formal Models … 4 Thessaloniki, 20 April 2018

The Trace-IT project demonstrator case study III Parco della Vittoria I green >> Via Roma 23 15 15 23 Via Accademia Piazza Università Via Verdi Piazza Dante Via Marco Polo BCA01 BCA02 BCA03 II I I I I II green red >> 9 20 1 1 3 4 6 7 10 16 24 3 4 6 7 9 10 13 13 16 20 24 yellow >> II red II II II III I 2 2 5 8 5 8 25 11 22 18 17 22 25 11 18 17 blue >> III IV Viale dei Giardini Vicolo Corto Vicolo Stretto Viale Monterosa 12 26 I 12 I I 26 yellow 31 28 27 30 31 27 30 28 II BCA04 II BCA05 blue 32 32 29 29 Ÿ 8 trains providing circular services Ten Diverse Formal Models … 4 Thessaloniki, 20 April 2018

Itineraries vs circuits Piazza Università Segments correspond to BCA01 I BCA02 entry/exit itineraries of stations 3 4 6 II 5 Itineraries are composed of several track circuits Ten Diverse Formal Models … 4 Thessaloniki, 20 April 2018

Handling the problem size Via Accademia Piazza Università Via Verdi BCA03 BCA01 BCA02 I I I SECTION 1 1 3 4 6 7 9 II II II 2 8 5 Parco della Vittoria III I Via Roma 15 23 Via Marco Polo Piazza Dante BCA03 II II I 20 9 10 13 16 24 II I III SECTION 2 22 25 11 18 17 III IV Viale dei Giardini BCA05 12 26 27 Vicolo Corto Vicolo Stretto Viale Monterosa BCA05 I I I SECTION 3 31 30 28 27 II BCA04 II 32 29 Ten Diverse Formal Models … 4 Thessaloniki, 20 April 2018

The Section 2 layout and train missions. train0 1 23 train4 1 1 15 23 1 2 24 1 9 20 13 16 train5 10 24 1 3 3 train1 4 22 25 1 11 18 17 25 train6 5 train2 5 1 26 1 12 26 train7 6 27 train3 7 7 1 8 Ten Diverse Formal Models … 4 Thessaloniki, 20 April 2018

The Section 2 layout and train missions. train0 1 23 1 1 15 23 2 9 20 13 16 10 24 3 4 22 25 11 18 17 5 12 26 6 27 7 8 Ten Diverse Formal Models … 4 Thessaloniki, 20 April 2018

The Section 2 layout and train missions. 1 23 train4 15 23 1 2 9 20 13 16 10 24 3 3 4 22 25 11 18 17 5 12 26 6 27 7 8 Ten Diverse Formal Models … 4 Thessaloniki, 20 April 2018

The Section 2 layout and train missions. 1 15 23 23 2 20 9 16 10 13 24 1 3 3 train1 4 22 25 11 18 17 5 12 26 6 27 7 8 Ten Diverse Formal Models … 4 Thessaloniki, 20 April 2018

The Trace-IT case study 1 15 23 2 24 1 20 9 16 10 13 24 train5 3 4 22 25 11 18 17 5 12 26 6 27 7 8 Ten Diverse Formal Models … 4 Thessaloniki, 20 April 2018

The Section 2 layout and train missions. 1 15 23 2 20 9 16 10 13 24 3 4 22 25 11 18 17 5 train2 5 1 12 26 6 27 7 8 Ten Diverse Formal Models … 4 Thessaloniki, 20 April 2018

The Section 2 layout and train missions. 1 15 23 2 20 9 16 10 13 24 3 4 22 25 1 11 18 25 train6 17 5 12 26 6 27 7 8 Ten Diverse Formal Models … 4 Thessaloniki, 20 April 2018

The Section 2 layout and train missions. 1 15 23 2 20 9 16 10 13 24 3 4 22 25 11 18 17 5 12 26 6 27 train3 7 7 1 8 Ten Diverse Formal Models … 4 Thessaloniki, 20 April 2018

The Section 2 layout and train missions. 1 15 23 2 9 20 13 16 10 24 3 4 22 25 11 18 17 5 1 26 12 26 train7 6 27 7 8 Ten Diverse Formal Models … 4 Thessaloniki, 20 April 2018

A sample deadlock occurrence 1 1 15 23 2 1 9 20 1 13 16 10 24 3 4 1 1 1 1 22 25 11 18 17 5 1 12 26 6 27 7 8 Ten Diverse Formal Models … 4 Thessaloniki, 20 April 2018

The Trace-IT solution 1 15 23 23 RA -- train0 [RA +1 <= 7] RA++ 2 20 9 1 16 10 10 13 24 3 A 4 22 25 11 18 17 5 12 26 6 RA = current occupation count 27 7 LA = max occupation count = 7 8 T0 = [1 , 9, 10, 13, 15, 20, 23] Mission for train0 A0 = [ 0, 0, 0, 1, 0, -1, 0] Region-A Constraints for train0 Ten Diverse Formal Models … 4 Thessaloniki, 20 April 2018

The progression rule (e.g. for train0) T0 = [1 , 9, 10, 13, 15, 20, 23] Mission for train0 A0 = [ 0, 0, 0, 1, 0, -1, 0] Region-A Increments/Decr. for train0 P0 = n current progress point of train0 (index in T0) RA = n current degree of occupancy of region A LA = 7 maximum degree of occupancy for region A when <next endpoint of train0 is free> i.e. for all i: T0[P0+1] !=Ti[Pi] and <train0 move does not saturate any region> i.e. for all regions A, … : RA + A0[P0+1] <= LA the train can advance: i.e. P0 = P0+1, RA = RA+A0[P0] Ten Diverse Formal Models … 4 Thessaloniki, 20 April 2018

The reference structure of the model T0 = [1 , 9, 10, 13, 15, 20, 23]; A0 = [ 0, 0, 0, 1, 0, -1, 0]; B0 = [ 0, 0, 0, 1, 0, -1, 0]; … Global Constants T7 = [26, 22, 17, 18, 12, 27, 7]; A7 = [ 1, 0, 0, -1, 0, 0, 0]; B7 = [ 1, 0, 0, -1, 0, 0, 0]; LA = 7; LB =7 P0, P1, ..., P7 := 0; Global Variables RA:=1, RB :=1 Train0: [guard train0] / actions train0 Train Rules … Train7: [guard train7] / actions train7 Ten Diverse Formal Models … 4 Thessaloniki, 20 April 2018

The encoding of the model: UMC train0: s1 -> s1 {- [P0<6 & T0[P0+1] !=T5[P5] &…& T0[P0+1] !=T7[P7] & RA+A0[P0+1]<=LA & RB+B0[P0+1]<=LB] / P0 := P0+1; RA := RA+A0[P0]; RB := RB+B0[P0]; } … train7: s1 -> s1 {…} Ten Diverse Formal Models … 4 Thessaloniki, 20 April 2018

The encoding of the model: SPIN do :: atomic { (P0<6 && T0[P0+1] !=T1[P1] && … && T0[P0+1] !=T7[P7] && (RA+A0[P0+1])<=LA && (RB+B0[P0+1]<=LB) ) -> P0 = (P0+1); RA = RA+A0[P0]; RB = RB+B0[P0]; }; :: atomic { }; od; Ten Diverse Formal Models … 4 Thessaloniki, 20 April 2018

The encoding of the model: CADP/LNT loop select only if P0<6 and T0[P0+1] !=T1[P1] and … and T0[P0+1] !=T7[P7] and (RA+A0[P0+1])<=LA and (RB+B0[P0+1]<=LB) then MOVE (0 of Train_Number); P0 := (P0+1); RA := RA+A0[P0]; RB := RB+B0[P0]; end if [ ] only if … end select end loop Ten Diverse Formal Models … 4 Thessaloniki, 20 April 2018

The encoding of the model: ProB OPERATIONS move0 = PRE P0<6 & T0(P0+1) /=T1(P1) &…& T0(P0+1) /=T7(P7) & RA+A0(P0+1)<=LA & RB+B0(P0+1)<=LB THEN P0 := P0+1; RA := RA+A0(P0); RB := RB+B0(P0); END; move1 = … Ten Diverse Formal Models … 4 Thessaloniki, 20 April 2018

The encoding of the model: NuSMV/ nuXmv TRANS RUNNING=0 -> P0<6 && T0[P0+1] !=T1[P1] &…& T0[P0+1] !=T7[P7] & (RA+A0[P0+1])<=LA & (RB+B0[P0+1])<=LB ? next(P0)=(P0+1) & next(P1)=P1 &…& next(P7)=P7 & next(RA)= RA+A0[P0; next(RB)=RB+B0[P0]; : next(P0)=P0 &...& next(P7)=P7 & next(RA)=RA & next(RB)=RB … TRANS RUNNING=7 -> Ten Diverse Formal Models … 4 Thessaloniki, 20 April 2018

The encoding of the model: FDR4 / CSPm AllTrains (P0, P1, P2, P3, P4, P5, P6, P7, RA, RB) = ( P0 < 6 and el(T0,P0+1) != el(T1,P1) and … and el(T0,P0+1) != el(T7,P7) and RA + el(A0,P0+1) <= LA and RB + el(B0,P0+1) <= LB ) & move0 -> AllTrains(P0+1,P1,P2,P3,P4,P5,P6,P7, RA+el(A0,P0+1), RB+el(B0,P0+1)) [ ] ( P1 < 6 and … Ten Diverse Formal Models … 4 Thessaloniki, 20 April 2018

The encoding of the model: mCRL2 proc AllTrains(P0,P1,P2,P3,P4,P5,P6,P7:Nat, RA,RB: Int) = ( P0 < 6 && T0(P0+1) != T1(P1) &&… && T0(P0+1) != T7(P7) && RA+A0(P0+1) <= LA && RB+ B0(P0+1)<=LB ) & move(0) -> AllTrains(P0+1,P1,P2,P3,P4,P5,P6,P7, RA+A0(P0+1), RB+B0(P0+1)) [ ] ( P1 < 6 && … Ten Diverse Formal Models … 4 Thessaloniki, 20 April 2018