A formal refinement-based analysis of the hybrid ERTMS/ETCS level 3 standard

  • Amel Mammar (corresponding author)
  • Marc Frappier
  • Steve Jeffrey Tueno Fotso
  • Régine Laleau
ABZ 2018

Abstract

This paper presents a formal model of the case study proposed for the ABZ 2018 conference, which concerns the Hybrid ERTMS/ETCS Level 3 Standard. This standard allows trains to communicate with a train supervisor to report their integrity and positions, thanks to an onboard train integrity monitoring system. The supervisor assigns trains a movement authority to control traffic and to avoid collisions. The standard also provides for trains that cannot communicate with the supervisor; these trains are detected by sensors on the tracks and obey traffic signals set by the supervisor along the trackside. Using communication allows for finer-grained control of the tracks. Our model is derived using stepwise refinement with the Event-B method. We take into account the main features of the case study (VSS management, timers, ERTMS and non-ERTMS trains). Our model is decomposed into four refinements. All proof obligations have been discharged using the Rodin provers, except those related to the computation of the VSS state machine, which was found to be ambiguous (nondeterministic). Our model has been validated using ProB. The main safety property, that ERTMS trains do not collide, is proved. Our model focuses on the discrete control logic aspects of the case study.

Keywords

  • Hybrid ERTMS/ETCS level 3 standard
  • Event-B method
  • Formal modeling and verification
  • Proof

Notes

Acknowledgements

This research was supported in part by NSERC (Natural Sciences and Engineering Research Council of Canada) and the FORMOSE project funded by the French National Research Agency (ANR).

Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2019

Authors and Affiliations

  • Amel Mammar (1, corresponding author)
  • Marc Frappier (2)
  • Steve Jeffrey Tueno Fotso (2, 3)
  • Régine Laleau (3)
  1. SAMOVAR, CNRS UMR 5157, Télécom SudParis, Institut Polytechnique de Paris, Evry, France
  2. GRIF, Département d'informatique, Faculté des sciences, Université de Sherbrooke, Sherbrooke, Canada
  3. Université Paris-Est, LACL, UPEC, IUT Sénart Fontainebleau, Fontainebleau, France