Formal verification of safety protocol in train control system

  • Yan Zhang
  • Tao Tang
  • KePing Li
  • Jose Manuel Mera
  • Li Zhu
  • Lin Zhao
  • TianHua Xu


In order to satisfy the safety-critical requirements, the train control system (TCS) often employs a layered safety communication protocol to provide reliable services. However, both description and verification of the safety protocols may be formidable due to the system complexity. In this paper, interface automata (IA) are used to describe the safety service interface behaviors of safety communication protocol. A formal verification method is proposed to describe the safety communication protocols using IA and translate IA model into PROMELA model so that the protocols can be verified by the model checker SPIN. A case study of using this method to describe and verify a safety communication protocol is included. The verification results illustrate that the proposed method is effective to describe the safety protocols and verify deadlocks, livelocks and several mandatory consistency properties. A prototype of safety protocols is also developed based on the presented formally verifying method.


train control system safety communication protocol interface automata verification 


  1. 1.
    Heimdahl M P E. Safety and software intensive systems: challenges old and new. In: Conformance of Future of Software Engineering, 2007. Washington: IEEE Computer Society, 2007. 137–152CrossRefGoogle Scholar
  2. 2.
    Esposito R, Sanseviero A, Lazzaro A, et al. Formal verification of ERTMS euroradio safety critical protocol. In: Proceedings of FORMS 2003. Budapest: IEEE Computer Society, 2003. 21–29Google Scholar
  3. 3.
    Diao Y F, Wang B D. Risk analysis of flood control operation mode with forecast information based on a combination of risk sources. Sci China Tech Sci, 2010, 53(7): 1949–1956CrossRefGoogle Scholar
  4. 4.
    Chu Y Y, Zhang H, Shen S F, et al. Development of a model to generate a risk map in a building fire. Sci China Tech Sci, 2010, 53(10): 2739–2747CrossRefGoogle Scholar
  5. 5.
    Xu T H, Tang T, Gao C H, et al. Dependability analysis of the data communication system in train control system. Sci China Tech Sci, 2009, 52(9): 2605–2618MATHCrossRefGoogle Scholar
  6. 6.
    Gronbaek J, Madsen T K, Schwefel H P. Safe wireless communication solution for driver machine interface for train control systems. In: Proceedings of International Conference on Systems (ICONS 2008). Cancun: IEEE Computer Society, 2008. 208–213Google Scholar
  7. 7.
    Zhang Y, Tang T, Yan F. Study on model for analysis of CBTC data communication system (DCS) and its application (in Chinese). J China Railway Soc, 2011, 33(5): 60–65Google Scholar
  8. 8.
    Sinha P, Ren D Q. Formal verification of dependable distributed protocols. Inf Software Technol, 2003, 45(12): 873–888CrossRefGoogle Scholar
  9. 9.
    Clarke E M, Wing J M. Formal methods: state of the art and future directions. ACM Computing Surveys, 1996, 28(4): 626–643CrossRefGoogle Scholar
  10. 10.
    Lee J H, Hwang J G, Park G T. Performance evaluation and verification of communication protocol for railway signaling systems. Computer Standards & Interfaces, 2005, 27(3): 207–219CrossRefGoogle Scholar
  11. 11.
    Lee J D, Jung J I, Lee J H, et al. Verification and conformance test generation of communication protocol for railway signaling systems. Computer Standards & Interfaces, 2007, 29(2): 143–151MathSciNetCrossRefGoogle Scholar
  12. 12.
    Lee J H, Hwang J G, Shin D, et al. Development of verification and conformance testing tools for a railway signaling communication protocol. Computer Standards & Interfaces, 2009, 31(2): 362–371CrossRefGoogle Scholar
  13. 13.
    Katsaros P. A roadmap to electronic payment transaction guarantees and a Colored Petri Net model checking approach. Inf Software Technol, 2009, 51(2): 235–257MathSciNetCrossRefGoogle Scholar
  14. 14.
    Sinha P, Suri N. Modular composition of redundancy management protocols in distributed systems: an outlook on simplifying protocol level formal specification and verification. In: 21st International Conference on Distributed Computing Systems. Phoenix: IEEE Computer Society, 2001. 255–263Google Scholar
  15. 15.
    Sinha P, Suri N. On simplifying modular specification and verification of distributed protocols. In: Sixth IEEE International Symposium on High Assurance Systems Engineering. Boca Raton, Florida: IEEE Computer Society, 2001. 173–181Google Scholar
  16. 16.
    Ouzzif M, Erradi M, Mountassir H. Description of a teleconferencing floor control protocol and its implementation. Eng Appl Artif Intel, 2008, 21(3): 430–441CrossRefGoogle Scholar
  17. 17.
    Schäfer T, Knapp A, Merz S. Model checking UML state machines and collaborations. Elec Notes Theor Comp Sci, 2001, 55(3): 357–369CrossRefGoogle Scholar
  18. 18.
    Inverardi P, Muccini H, Pelliccione P. Automated check of architectural models consistency using SPIN. In: Proceeding of the 16th IEEE International Conference on Automated Software Engineering (ASE 2001). Los Alamitos: IEEE Computer Society, 2001. 346–349CrossRefGoogle Scholar
  19. 19.
    Alfaro L, Henzinger T A. Interface automata. In: 8th Eiropean Engineering Conference (ESEC) and 9th ACM SIGSOFT Symposium on the Foundations of Software Engineering (FSE-9). Vienna: ACM Press, 2001. 109–120Google Scholar
  20. 20.
    Alfaro L D, Henzinger T A. Interface theories for component-based design. In: Proceedings of the First International Workshop on Embedded Software. Tahoe City, CA: Springer, 2001. 148–165Google Scholar
  21. 21.
    Jin Y, Esser R, Lakos C, et al. Modular analysis of dataflow process networks. In: Joint European Conferences on Theory and Practice of Software. Warsaw: Springer, 2003. 184–199Google Scholar
  22. 22.
    Chakrabarti A, De Alfaro L, Henzinger T, et al. Interface compatibility checking for software modules. In: Proceedings of the 14th International Conference on Computer-Aided Verification. Copenhagen: Springer, 2002. 428–441CrossRefGoogle Scholar
  23. 23.
    Chakrabarti A, Alfaro L D, Henzinger T A, et al. Synchronous and bidirectional component interfaces. In: Proceedings of the 14th International Conference on Computer Aided Verification. Copenhagen: Springer, 2002. 414–427CrossRefGoogle Scholar
  24. 24.
    Lee E A, Xiong Y, Behavioral types for component-based design. Technical Report No. UCB/ERL M02/29, Berkeley, USA, 2002Google Scholar
  25. 25.
    Kapus T. Using mobile TLA as a logic for dynamic I/O automata. IEICE Trans Inf Syst, 2009, 92(8): 1515–1522CrossRefGoogle Scholar
  26. 26.
    Refsdal A, Stølen K. Extending UML sequence diagrams to model trust-dependent behavior with the aim to support risk analysis. Sci Comp Progr, 2008, 74(1–2): 34–42MATHCrossRefGoogle Scholar
  27. 27.
    Medvidovic N, Rosenblum D S, Redmiles D F, et al. Modeling software architectures in the Unified Modeling Language. ACM Trans Software Eng Methodol, 2002, 11(1): 2–57CrossRefGoogle Scholar
  28. 28.
    Li X D, Hu J, Bu L, et al. Consistency checking of concurrent models for scenario-based specifications. In: 12th International SDL Forum, SDL 2005: Model Driven, Grimstad. Berlin: Springer 2005. 1171–1180Google Scholar
  29. 29.
    Holzmann G J. The model checker SPIN. IEEE Trans Software Eng, 1997, 23(5): 279–295MathSciNetCrossRefGoogle Scholar
  30. 30.
    Wang Y, Wei J, Wang Z Y. Model checking distributed control systems based on software architecture (in Chinese). J Software, 2004, 15(6): 823–833MATHGoogle Scholar
  31. 31.
    Hu J, Yu X F, Zhang Y, et al. Checking component-based designs for scenario-based specifications (in Chinese). Chin J Comp, 2006, 29(4): 513–525Google Scholar
  32. 32.
    Bharadwaj R, Heitmeyer C L. Model checking complete requirements specifications using abstraction. Autom Software Eng, 1999, 6(1): 37–68CrossRefGoogle Scholar
  33. 33.
    Mikk E, Lakhnech Y, Siegel M, et al. Implementing statecharts in PROMELA/SPIN. In: Proceedings of the Second IEEE Workshop on Industrial Strength Formal Specification Techniques. Florida: IEEE Computer Society, 1998. 90–101Google Scholar
  34. 34.
    Lilius J, Paltor I P. VUML: a tool for verifying UML models. In: 14th IEEE International Conference on Automated Software Engineering (ASE’99). Florida: IEEE Computer Society, 1999. 255–258CrossRefGoogle Scholar
  35. 35.
    IEC, IEC 62280-2, Railway applications-communication, signaling and processing systems-part 2: safety-related communication in open transmission systems. New York: IEC, 2001Google Scholar
  36. 36.
    ERTMS/ETCS UNISIG Subset-037: Euroradio FIS. 2005
  37. 37.
    Zhang Y, Zhao X Q, Zheng W, et al. System safety property-oriented test sequences generating method based on model checking. WIT Trans Built Environ, 2010, 144(1): 747–759CrossRefGoogle Scholar
  38. 38.
    Zhang Y, Tang T, Ma L C, et al. Modeling and simulation of the security communication protocol based on the switched Ethernet (in Chinese). J China Railway Soc, 2010, 32(3): 43–48Google Scholar

Copyright information

© Science China Press and Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Yan Zhang
    • 1
  • Tao Tang
    • 1
  • KePing Li
    • 1
  • Jose Manuel Mera
    • 2
  • Li Zhu
    • 1
  • Lin Zhao
    • 1
  • TianHua Xu
    • 1
  1. 1.State Key Laboratory of Rail Traffic Control and SafetyBeijing Jiaotong UniversityBeijingChina
  2. 2.Railway Technologies Research CentreUniversidad Politécnica de MadridMadridSpain

Personalised recommendations