Publication


Featured research published by Philippe Bon.


The Multiconference on Computational Engineering in Systems Applications | 2006

Safety requirements and p-time Petri nets: A Level Crossing case study

S. Collart Dutilleul; F. Defossez; Philippe Bon

Maximum staying time specifications often ensue from validity intervals and safety requirements. Therefore there is a need for modelling this kind of constraint. There are some studies in the state of the art dealing with train traffic modes with timed Petri nets. Nevertheless, these kinds of results do not integrate the safety requirements we want to deal with. In this paper, we explain the reasons which lead us to use p-time Petri nets in order to model a well-known case study: a level crossing benchmark. Level crossings are critical components of the European railway network. Nevertheless, some accurate time specifications are used in order to fulfill some safety requirements. As the time specifications are difficult to deal with, this paper proposes to apply a dedicated modelling tool which can be found in the literature.


Journal of Universal Computer Science | 2013

From a Solution Model to a B Model for Verification of Safety Properties

Philippe Bon; Simon Collart-Dutilleul

In the context of safety requirement engineering, model transformation is a task of interest. Indeed, it allows us to keep all the requirements while switching from one point of view to another. The presented work assumes that a valid solution has been found and proposes an approach in order to build a valid implementation. As some fine dynamic properties are integrated into the specification, high-level Petri nets are used to specify and verify the solution. Then, considering an industrial railway context, the transformation of the Petri net model in order to provide an input to a B process is considered. This last consideration leads to a proposition of a systematic direct transformation of the Petri net model into abstract B machines. The approach is illustrated by a theoretical railway example. The limitations of this approach are discussed at the end of the paper and some prospects are detailed.


ABZ 2014 Proceedings of the 4th International Conference on Abstract State Machines, Alloy, B, TLA, VDM, and Z - Volume 8477 | 2014

B Formal Validation of ERTMS/ETCS Railway Operating Rules

Rahma Ben Ayed; Simon Collart-Dutilleul; Philippe Bon; Akram Idani; Yves Ledru

The B method is a formal specification method and a means of formal verification and validation of safety-critical systems such as railway systems. In this short paper, we use the B4MSecure tool to transform the UML models, fulfilling requirements of European Railway Traffic Management System ERTMS operating rules, into B specifications in order to formally validate them.


The Open Transportation Journal | 2011

A Formal Model of Requirements

François Defossez; Simon Collart-Dutilleul; Philippe Bon

This paper introduces a methodology to analyze the safety of timed discrete event systems. Our case-study is the level crossing, a critical component for the safety of railway systems. First, our goal is to take out the forbidden state highlighted by a p-time Petri net modelling. This model deals with the requirements of the considered system and has to contain all the constraints that have to be respected. Then we describe a process identified as a solution for the system functioning. This method consists in exploring all the possible behaviors of the system by means of the construction of state classes. Finally, we check if the proposed process corresponds to the model of requirements previously built.


WIT Transactions on the Built Environment | 2014

A Formal Modeling Methodology of the French Railway Interlocking System via HCPN

Pengfei Sun; Simon Collart-Dutilleul; Philippe Bon

A railway interlocking system (RIS) plays a vital role in the safe transportation of a railway system. It is responsible for the safe routes of trains, making sure that each train movement follows the other in a proper and safe sequence. Detailed verifications and evaluations are mandatory before deploying an RIS, since it is a safety-critical system (SCS). But the increasing complexity of the RIS tends to limit the capability of the classic approval methods. As a result, the formalization of RIS becomes important to both the development of computer interlocking software and the third-party testing of the RIS facilities. Petri nets are a powerful formal tool that has been applied to many railway applications. Considering the large scale and the space complexity of interlocking systems, this paper introduces a feasible method for modeling the RIS by hierarchical colored Petri nets (HCPN), which aims at providing a formal verification and logic evaluation of the French RIS. The paper describes how the signaling control logic and the railway road layout are specified and constructed into the HCPN. First, the architecture of RIS and the hierarchical structure of the model framework are introduced. Then, several basic RIS components are established as Petri nets to illustrate how to map RIS components into HCPN. As a case study, a section of a typical French station is modeled. It includes interlocking routes and signaling control principles. This paper takes place in the framework of the ANR project ‘PERFECT’. As this method has already received recognition from French railway experts, the future research contains consistency checking with some other parts of the specification, such as operation rules, which allows the authors to find out the crux of some existing problems and to discover some potential safety hazards.


Intelligent Tutoring Systems | 2015

A model pattern of railway interlocking system by Petri nets

Pengfei Sun; Simon Collart-Dutilleul; Philippe Bon

The railway interlocking system (RIS) is one of the crucial parts of railway transit safety. In the French railway domain, the computer-controlled relay-based interlocking systems are the dominant practice. Their complex sequences and consequent actions make it difficult to formally validate their safety properties. For such a system, detailed verification and validation of its specifications should be done at the end of the design phase. In practice, each station or yard in a railway line has its own interlocking system, which respects the same national standard but has a different facility formation. In order to effectively accomplish the validation tasks and reduce the error probability, this paper introduces a modelling pattern of the French railway interlocking system, which is a parameterized model that respects the French national rules. It is a general reusable solution to this kind of problem and can be used in many different given contexts.


IFAC Proceedings Volumes | 2010

Functioning mode Management and formal assessment of safety

Philippe Bon; Simon Collart-Dutilleul; François Defossez

This paper presents a methodology to assist the safety assessment of timed discrete event systems. The methodology is illustrated on a level crossing case study. It is a critical component for the safety of railway systems. The first step consists in decomposing the system functioning into different functioning modes. Then, under specific assumptions, a model is provided for each functioning mode. Then, our goal is to take out the forbidden state highlighted by a p-time Petri net modelling. This model deals with the requirements of the considered system and has to contain all the constraints that have to be respected. Considering a proposed technological solution, its global functioning is also decomposed in several modes. Then, the model of the solution can be assessed, mode by mode. This assessment is achieved by comparing the state classes deduced from the requirement model and the state classes of the proposed solution.


3rd IEEE International Symposium on Logistics and Industrial Informatics | 2011

A set of design oriented scientific tools to assist abstract B machine specification

Simon Collart-Dutilleul; Philippe Bon; Dorian Petit

The B method is known to be efficient as a process for building certifiable software implementations in the domain of guided transport. There is important work to be performed using the informal specification before entering the B process. The upstream requirement analysis may be assisted with some graphical tools using UML notations. Nevertheless, the main problem to be solved may be the choice of the adequate tool. Currently, there are several kinds of diagrams in the UML notation and they are partially redundant. Considering a more general point of view, a main human contribution is to choose the representation which is specifically adapted to the considered assessment problem.


International Conference on Industrial Engineering and Systems Management | 2015

Parallel verification of temporal properties using dynamic analysis

Antoine Ferlin; Philippe Bon; Simon Collart-Dutilleul; Virginie Wiels

Verification methods can be classified according to two kinds of criteria: static or not - i.e. dynamic - and formal or not. This paper follows a work about verification of temporal properties using dynamic analysis. The approach proposes to transform an LTL property into a Büchi automaton and to run the automaton on an execution trace to be verified. Because traces are finite, the end of trace problem can be bypassed with computation of statistical information about the verified trace if and only if the property follows a predefined given pattern. For very big traces, this approach is well-adapted, but traces have to be sequentially verified. This paper proposes to parallelize the verification approach by splitting the execution trace and executing the Büchi automaton on each sub-trace separately analysable, which allows a significant time saving.


International Conference on Industrial Engineering and Systems Management | 2015

Industrial needs concerning the safety analysis of a French implementation of ERTMS

Philippe Bon; Simon Collart-Dutilleul

The study is based on an industrial expression pointing to the usual way of performing a safety analysis: one consults the national railway accident database in order to evaluate the defense capacity of the system against scenarios of real past accidents. This first analysis can be complemented by considering the quasi-accident scenarios. The data corresponding to this second step are critical because they correspond to industrial data which are not public. A first result of this study is the identification of a class of accident. The main argument is that the similarities of two accidents or quasi-accidents allow defining some critical elements of a typical class of accidents. A case study of an analysis of the accident that occurred in “St Romaine en Giers” is proposed. The corresponding documentation may be found in [1]. A second step towards a safe implementation assessment is the definition of a typical railway infrastructure. The idea is to play the scenario on an infrastructure embedding the main design assumptions which are used in the considered railway line. The specification of this infrastructure has to be detailed in such a way that the simulation can be considered as realistic. Then, we are facing a security problem related to industrial confidentiality. It may be dangerous, and consequently forbidden, to communicate safety-critical information corresponding to an industrial infrastructure. The proposed solution is to identify a virtual infrastructure which is fully documented in order to be able to communicate. This infrastructure was named an “academic benchmark”, as it allows testing some technologies and scenarios while avoiding all the problems mentioned above [2]. The result of the study is the specification of a typical scenario that can be played on a typical infrastructure. Then, this system can be modelled using various modelling tools in order to assess various safety-related aspects of the system [3]. Anyway, this academic benchmark is one of the main deliverables embedding most of the safety-related industrial needs.

Collaboration

Top co-author: Akram Idani (University of Grenoble)