The RobustRailS Verification Tool Set for Safety Verification of Interlocking Systems

Linh H. Vu, Technical University of Denmark
Anne E. Haxthausen, Technical University of Denmark
Jan Peleska, University of Bremen

RobustRailS Verification Tool Set, 17.06.2019


RobustRailS Verification Method & Tools


Line speeds can moreover be raised on some lines once a new signalling system has been installed, since train control and cab signalling are a safety prerequisite for line speeds above 120 km/h, cf. chapter 6.

The new train control system can handle speeds of more than 200 km/h. It will thus be the layout of the track that limits speed upgrades. A number of lines on which speed is today limited by the signalling system can readily be used at the speed the track permits.

The train control system in ERTMS performs the same functions as the current Danish ATC system. It will thus still be the driver who controls the train. The train control system will remain a safety function that brakes the train if the driver does not react correctly to the signals.

4.3.3 Technical state of development of ERTMS level 1 and 2

Settling the ERTMS standard for levels 1 and 2 is a matter of agreeing which of several already existing solutions is to be the common standard. It must then be ensured that the solutions chosen for the various functions can work together. Settling the ERTMS standard is thus not about developing new solutions, but about agreeing which solutions are to be used and getting the products to work together. The issue is independent of the choice between ERTMS level 1 and level 2.

Figure 4.2: ERTMS level 2: interoperable railway without lineside signals. (Figure labels: ETCS, axle counters, fixed marker board, interlocking, centralised traffic control centre, radio block centre, Eurobalise (km post), train detection, point machine, traffic controller, GSM-R data.)

• Method and tool set for automated, formal safety verification of interlocking systems.
• Developed by Linh H. Vu, Anne Haxthausen and Jan Peleska, in collaboration with the Danish railways in the RobustRailS research project.
• RobustRailS research project, 2012-2017:
  • Funded by the Danish Innovation Fund.
  • Partners: 4 DTU departments, Bremen University, Banedanmark, Traffic Authorities, DSB, DSB S-train.
  • Goal: to develop methods for achieving punctual and safe railway operations for the Danish Re-signaling Program implementing ERTMS/ETCS Level 2.
    • methods for efficient safety verification
    • ...

2 RobustRailS Verification Tool Set 17.06.2019


Background: Challenges

• Errors in interlocking systems may have very severe consequences.

• Conventional specification and verification methods may be time-consuming and may not give sufficient guarantees of correctness.

• Bugs are typically first found during testing → expensive to fix.

• → Need to get it right from the beginning.



Smarter Specification and Verification Methods

(Diagram: the full state space, the subset of reachable states within it, and safe versus unsafe states marked.)

Use formal methods and automation:

• strongly recommended by CENELEC EN 50128 for safety-critical software
• efficient
• to avoid bugs
• to catch bugs early, before implementation and test

→ saves time and money



RobustRailS Verification Method & Tools

(Figure: example track layout with track sections t10, t12, t14, t20, points t11 and t13, marker boards mb10 to mb15, mb20, mb21, and elements b10, b14; UP and DOWN directions.)

(0) develop or generate the route control table, for example:

route  from  to    path         points       markerboards    conflicts
1a     mb10  mb13  t10;t11;t12  t11:+;t13:-  mb11;mb12;mb20  1b;2a;2b;3;4;5a;5b;6b;7
...
7      mb20  mb11  t11;t10      t11:-        mb10;mb12       1a;1b;2a;2b;3;5b;6a
8      mb21  mb14  t13;t14      t13:-        mb13;mb15       1b;2a;4;5a;5b;6a;6b

(Workflow diagram: step 1, the static checker accepts or rejects the track plan and route table; step 2.1, the generator produces a model and the safety requirements; step 2.2, the model checker investigates whether the model meets the requirements. The inputs are subject to possible human manipulation before checking.)

1.1 Input: track plan.

1.2 The tool automatically generates a route control table, if one is not provided.

1.3 The tool checks that the track plan and route control table are correct.

2.1 The tool generates
  • a formal model of the behaviour of the interlocking system
  • formal safety requirements (e.g. no train collisions).

2.2 A model checker proves or disproves that the model meets the requirements.

3.1 The tool generates test cases and a test oracle for software integration testing.



RobustRailS Verification Method & Tools


• Verification in three steps:
  • The static checking step is used to find errors in the control table.
  • The model checking step is used to find errors in the control algorithms.
  • The model-based testing step is used to find errors in the implemented system.

• Features:
  • "Model hiding": models are generated automatically from domain-specific railway specifications → the tools can be used by railway engineers without a background in formal methods.
  • Verification based on inductive reasoning (k-induction) using bounded model checking pushes back the limits set by state space explosion.



Applications of the Method & Tools


• The Early Deployment Line (EDL), Roskilde - Næstved, in Denmark [Vu, Haxthausen, Peleska 2017]. (Map: Roskilde Station, Gadstrup St., Havdrup St., Lille Skensved St., Køge St., Herfølge St., Tureby St., Haslev St., Holme-Olstrup St., Næstved St.)

• Florence station in Italy [Fantechi, Haxthausen, Macedo 2017].



Compositional Verification

• Suggested by Fantechi, Haxthausen, Macedo 2017-... .
• Goal: to further increase the scalability of the verification method.
• Idea: cut the interlocking logic of large layouts into separate, more manageable portions, so that proving safety of the portions implies safety of the whole.

(Figure: a layout with two stations, A station and B station, with track sections and points t5 to t13 and t25 to t28 and further elements labelled E (E1, E2, E3, E8, E10, E12, E15, E17, E19, E22, E24, E26) and T (T1, T2, T3, T14 to T19), illustrating where the interlocking logic is cut into portions.)

• Experiments show: compositional verification is 2.5 to 3× faster and uses 30 to 40% less memory.
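The three-step method of slides 5 and 6 (static check of the route table, generated model and safety requirement, bounded model checking closed by induction) and the compositional idea of slide 8, condensed into one explicit-state Python sketch. This is an added example, not code from the RobustRailS tool set or its authors. It assumes: the route-table rows are the three the slide prints; a route is simply set or not set, and the control rule sets a route only while none of its declared conflicts is set; all states are enumerated in place of a SAT solver; and the compositional split only separates groups of routes that share no track element, a much weaker decomposition than the published cutting of connected layouts. The function names and the `drop_conflict` error injection are this example's own.

```python
from itertools import combinations

# Route-table rows as printed on the slide (1a, 7, 8; the rows it elides with "..." are
# omitted, so conflicts naming unknown routes never fire). Constructed example, not tool code.
ROUTE_TABLE = {
    "1a": dict(path={"t10", "t11", "t12"}, points={"t11": "+", "t13": "-"},
               conflicts={"1b", "2a", "2b", "3", "4", "5a", "5b", "6b", "7"}),
    "7":  dict(path={"t11", "t10"}, points={"t11": "-"},
               conflicts={"1a", "1b", "2a", "2b", "3", "5b", "6a"}),
    "8":  dict(path={"t13", "t14"}, points={"t13": "-"},
               conflicts={"1b", "2a", "4", "5a", "5b", "6a", "6b"}),
}

def physically_conflict(a, b):
    """Shared section (collision risk) or one point wanted in two positions (derailment)."""
    shared = a["points"].keys() & b["points"].keys()
    return bool(a["path"] & b["path"]) or any(a["points"][p] != b["points"][p] for p in shared)

def static_check(table):
    """Step 1: conflicts must be declared symmetrically and every physical conflict declared."""
    findings = []
    for r, q in combinations(sorted(table), 2):
        declared = q in table[r]["conflicts"]
        if declared != (r in table[q]["conflicts"]):
            findings.append(f"conflict {r}/{q} is declared in one direction only")
        if physically_conflict(table[r], table[q]) and not declared:
            findings.append(f"routes {r} and {q} share track but are not listed as conflicting")
    return findings

def generate_model(table):
    """Step 2.1: state = frozenset of routes set; a route is set only while none of its
    *declared* conflicts is set (a table error thus becomes a model error)."""
    routes = sorted(table)
    all_states = [frozenset(c) for n in range(len(routes) + 1) for c in combinations(routes, n)]
    def successors(state):
        for r in routes:
            if r in state:
                yield state - {r}                  # train has passed: route released
            elif not (table[r]["conflicts"] & state):
                yield state | {r}                  # interlocking sets the route
    def safe(state):                               # requirement: no collision/derailment hazard
        return not any(physically_conflict(table[r], table[q]) for r, q in combinations(sorted(state), 2))
    return all_states, frozenset(), successors, safe

def bmc(init, successors, safe, bound):
    """Step 2.2, base case: BFS up to `bound` steps; returns a counterexample path or None."""
    frontier, seen = [[init]], {init}
    for _ in range(bound + 1):
        nxt = []
        for path in frontier:
            if not safe(path[-1]):
                return path
            for t in successors(path[-1]):
                if t not in seen:
                    seen.add(t)
                    nxt.append(path + [t])
        frontier = nxt
    return None

def k_inductive(all_states, successors, safe, k):
    """Step 2.2, inductive step: k consecutive safe states, reachable or not, can only
    step to a safe state (all_states stands in for the SAT solver's unconstrained state)."""
    paths = [[s] for s in all_states if safe(s)]
    for _ in range(k - 1):
        paths = [p + [t] for p in paths for t in successors(p[-1]) if safe(t)]
    return all(safe(t) for p in paths for t in successors(p[-1]))

def verify(table, max_k=4):
    """Raise k until BMC finds a counterexample ('unsafe', path) or k-induction closes ('proved', k)."""
    all_states, init, succ, safe = generate_model(table)
    for k in range(1, max_k + 1):
        cex = bmc(init, succ, safe, k)
        if cex is not None:
            return "unsafe", cex
        if k_inductive(all_states, succ, safe, k):
            return "proved", k
    return "unknown", None

def drop_conflict(table, r, q):
    """Constructed control-table error: forget, in one direction, that r conflicts with q."""
    bad = {n: dict(row, conflicts=set(row["conflicts"])) for n, row in table.items()}
    bad[r]["conflicts"].discard(q)
    return bad

def decompose(table):
    """Slide 8, simplified: portions share no section or point, so the pairwise safety
    requirement holds for the whole layout iff it holds per portion (smaller state spaces)."""
    portions = []
    for r in sorted(table):
        touching = [p for p in portions if any(physically_conflict(table[r], table[q]) for q in p)]
        portions = [p for p in portions if p not in touching] + [{r}.union(*touching)]
    return sorted(portions, key=sorted)

def verify_compositionally(table, max_k=4):
    return {frozenset(p): verify({r: table[r] for r in p}, max_k) for p in decompose(table)}

if __name__ == "__main__":
    print(static_check(ROUTE_TABLE), verify(ROUTE_TABLE), verify_compositionally(ROUTE_TABLE))
    print(static_check(drop_conflict(ROUTE_TABLE, "1a", "7")), verify(drop_conflict(ROUTE_TABLE, "1a", "7")))
```

With the slide's rows the static check is clean and `verify` proves the requirement at k = 1, both on the whole table and per portion. Dropping route 7 from the conflicts of route 1a shows the division of labour from slide 6: the static checker flags the one-directional, missing conflict, and if the table were trusted anyway the model checker returns the counterexample path ∅ → {7} → {1a, 7}, in which t10 and t11 are allocated to two routes and t11 is demanded in both positions.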

(Figure: the Early Deployment Line (EDL) in Denmark and Florence Station in Italy.)



Thank you for your attention.
