European Train Control System: A Case Study in Formal Verification

Platzer, André; Quesel, Jan-David

doi:10.1007/978-3-642-10373-5_13

Cited by 105 publications

(75 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In dL , we can, for example, use nondeterministic assignment from an interval to model sensor uncertainty and piece-wise constant actuator disturbance (e. g., as in [26]), or differential inequalities for actuator disturbance (e. g., as in [38]). Such models include nondeterminism about sensed values in the controller model and often need more complex physics models than differential equations with polynomial solutions.…”

Section: Monitoring In the Presence Of Expected Uncertainty And Distumentioning

confidence: 99%

“…The axiomatic-style prototype synthesizes correct-by-construction monitors and produces a proof of correctness during the synthesis without the need to recheck. To evaluate our method, we synthesize monitors for prior case studies of nondeterministic hybrid models of autonomous cars, train control systems, and robots (adaptive cruise control [20], intelligent speed adaptation [25], the European train control system [38], and ground robot collision avoidance [26]), see Table 2. For the model, we list the dimension in terms of the number of function symbols and state variables, as well as the size of the safety proof for proving (2), i. e., number of proof steps and the number of proof branches.…”

Section: Monitor Synthesismentioning

confidence: 99%

See 1 more Smart Citation

ModelPlex: verified runtime validation of verified cyber-physical system models

Mitsch

Platzer

2016

Form Methods Syst Des

Self Cite

View full text Add to dashboard Cite

Formal verification and validation play a crucial role in making cyber-physical systems (CPS) safe. Formal methods make strong guarantees about the system behavior if accurate models of the system can be obtained, including models of the controller and of the physical dynamics. In CPS, models are essential; but any model we could possibly build necessarily deviates from the real world. If the real system fits to the model, its behavior is guaranteed to satisfy the correctness properties verified with respect to the model. Otherwise, all bets are off. This article introduces ModelPlex, a method ensuring that verification results about models apply to CPS implementations. ModelPlex provides correctness guarantees for CPS executions at runtime: it combines offline verification of CPS models with runtime validation of system executions for compliance with the model. ModelPlex ensures in a provably correct way that the verification results obtained for the model apply to the actual system runs by monitoring the behavior of the world for compliance with the model. If, at some point, the observed behavior no longer complies with the model so that offline verification results no longer apply, ModelPlex initiates provably safe fallback actions, assuming the system dynamics deviation is bounded. This article, furthermore, develops a systematic technique to synthesize provably correct monitors automatically from CPS proofs in differential dynamic logic by a correct-by-construction approach, leading to verifiably correct runtime model validation. Overall, ModelPlex generates provably correct monitor conditions that, if checked to hold at runtime, are provably guaranteed to imply that the offline safety verification results about the CPS model apply to the present run of the actual CPS implementation.

show abstract

Section: Monitoring In the Presence Of Expected Uncertainty And Distumentioning

confidence: 99%

Section: Monitor Synthesismentioning

confidence: 99%

ModelPlex: verified runtime validation of verified cyber-physical system models

Mitsch

Platzer

2016

Form Methods Syst Des

Self Cite

View full text Add to dashboard Cite

show abstract

“…Moreover, our model allows physical entities on a freeway (e.g., incidents) to move opposite to the driving direction, which was assumed not to happen in [6]. Movement authorities, which are somewhat similar to speed limits, have been used in verifying the European train control system [23]. They are issued centrally at frequent intervals and trains are not allowed to move without frequent clearance.…”

Section: Related Workmentioning

confidence: 99%

Towards Formal Verification of Freeway Traffic Control

Mitsch

Loos

Platzer

2012

2012 IEEE/ACM Third International Conference on Cyber-Physical Systems

View full text Add to dashboard Cite

Abstract-We study how CPS technology can help improve freeway traffic by combining local car GPS positioning, traffic center control decisions, and communication to achieve more tightly coupled feedback control in intelligent speed adaptation. We develop models for an intelligent speed adaptation that respects variable speed limit control and incident management. We identify safe ranges for crucial design parameters in these systems and, using the theorem prover KeYmaera, formally verify safety of the resulting CPS models. Finally, we show how those parameter ranges can be used to decide trade-offs for practical system implementations even for design parameters that are not modeled formally.

show abstract

“…Other works related to the verification of ERTMS include [21,26,27]. The work in [27] applies theorem proving techniques to prove properties in European Train Control System specifications by means of manual encodings into Keymaera.…”

Section: Related Workmentioning

confidence: 99%

“…The work in [27] applies theorem proving techniques to prove properties in European Train Control System specifications by means of manual encodings into Keymaera. The work in [21] adopts model-based testing, complemented with abstract interpretation techniques, for the verification of a railway signaling system.…”

Section: Related Workmentioning

confidence: 99%

Formal Verification and Validation of ERTMS Industrial Railway Train Spacing System

Cimatti

Corvino

Lazzaro

et al. 2012

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Formal verification and validation is a fundamental step for the certification of railways critical systems. Many railways safety standards (e.g. the CEN-ELEC EN-50126, EN-50128 and EN-50129 standards implement the mandatory safety requirements of IEC-61508-7 standard for Functional and Safety) currently mandate the use of formal methods in the design to certify correctness. In this paper we describe an industrial application of formal methods for the verification and validation of "Logica di Sicurezza" (LDS), the safety logic of a railways ERTMS Level 2 system developed by Ansaldo-STS. LDS is a generic control software that needs to be instantiated on a railways network configuration. We developed a methodology for the verification and validation of a critical subset of LDS deployed on typical realistic railways network configurations. To show feasibility, effectiveness and scalability, we have experimented with several state of the art symbolic software model checking techniques and tools on different network configurations. From the experiments, we have successfully identified an effective strategy for the verification and validation of our case study. Moreover, the results of experiments show that formal verification and validation is feasible and effective, and also scales reasonably well with the size of the configuration. Given the results, Ansaldo-STS is currently integrating the methodology in its internal Development and Verification & Validation Flow.

show abstract

European Train Control System: A Case Study in Formal Verification

Cited by 105 publications

References 23 publications

ModelPlex: verified runtime validation of verified cyber-physical system models

ModelPlex: verified runtime validation of verified cyber-physical system models

Towards Formal Verification of Freeway Traffic Control

Formal Verification and Validation of ERTMS Industrial Railway Train Spacing System

Contact Info

Product

Resources

About