Formal Verification of Train Control with Air Pressure Brakes
Train control technology enhances the safety and efficiency of railroad operation by safeguarding the motion of trains to prevent them from leaving designated areas of operation and colliding with other trains. It is crucial for safety that the trains engage their brakes early enough in order to make sure they never leave the safe part of the track. Efficiency considerations, however, also require that the train does not brake too soon, which would limit operational suitability. It is surprisingly subtle to reach the right tradeoffs and identify the right control conditions that guarantee safe motion without being overly conservative.
In pursuit of an answer, we develop a hybrid system model with discrete control decisions for acceleration and braking, and with continuous differential equations for their physical effects on the motion of the train. The resulting hybrid system model is systematically derived from the Federal Railway Administration model for flat terrain by conservatively neglecting minor forces.
The main contribution of this paper is the identification of a controller with control constraints that we formally verify to always guarantee collision freedom in the FRA model. The safe braking behavior of a train is influenced not only by the train configuration (e.g., train length and mass), but also by physical characteristics (e.g., brake pressure propagation and reaction time). We formalize train control safety properties in differential dynamic logic and prove the correctness of the train control models in the theorem prover KeYmaera X.
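To make the tradeoff described above concrete, here is an added illustrative simulation that is not the paper's model and not KeYmaera X input. It runs the time-triggered loop shape that dL train-control models use, (ctrl; plant)*, with a plant that solves p' = v, v' = a exactly, and compares two controllers: a naive one that accelerates whenever braking from the current state would still stop before the end of authority e, and a delay-aware one that uses the classical reaction-time braking condition v^2/(2b) + (A/b + 1)(A eps^2/2 + eps v) <= e - p. All names (TrainParams, eps, the constructed values A = 1, b = 2, eps = 1, e = 50) are assumptions of this example; eps lumps controller period, reaction time and brake pressure propagation into one worst-case bound, which is a simplification of the physical characteristics the abstract mentions.

```python
"""Time-triggered train-control loop in the shape of a dL model,
   [ (ctrl ; plant)* ] (p <= e),  as a constructed example (not the paper's model)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TrainParams:
    A: float    # maximum acceleration (m/s^2), constructed value
    b: float    # braking deceleration (m/s^2), assumed constant and > 0
    eps: float  # worst-case delay (s) before a new decision is fully in effect:
                # lumps controller period, reaction time and pressure propagation


def braking_invariant(p: float, v: float, e: float, prm: TrainParams) -> bool:
    """Loop invariant: full braking at b from (p, v) stops before e."""
    return v * v / (2 * prm.b) <= e - p


def safe_to_accelerate(p, v, e, prm):
    """Delay-aware control condition: even after accelerating at A for eps seconds,
    the braking invariant still holds at the next decision point."""
    A, b, eps = prm.A, prm.b, prm.eps
    return v * v / (2 * b) + (A / b + 1) * (A / 2 * eps * eps + eps * v) <= e - p


def naive_safe_to_accelerate(p, v, e, prm):
    """Same test without the delay term: accelerates as long as braking *now* suffices."""
    return braking_invariant(p, v, e, prm)


def plant(p, v, a, dt):
    """Exact solution of p' = v, v' = a over dt; velocity is clamped at 0 (no reversing)."""
    if a < 0 and v + a * dt < 0:
        t_stop = v / (-a)
        return p + v * t_stop + a * t_stop * t_stop / 2, 0.0
    return p + v * dt + a * dt * dt / 2, v + a * dt


def simulate(p0, v0, e, prm, horizon, condition):
    """Run ctrl;plant repeatedly; every decision stays in force for eps seconds.
    Returns the furthest position reached and whether the braking invariant
    held at every decision point."""
    p, v, t = p0, v0, 0.0
    max_p, invariant_ok = p, braking_invariant(p, v, e, prm)
    while t < horizon:
        a = prm.A if condition(p, v, e, prm) else -prm.b   # ctrl
        p, v = plant(p, v, a, prm.eps)                      # plant for eps seconds
        t += prm.eps
        max_p = max(max_p, p)
        invariant_ok = invariant_ok and braking_invariant(p, v, e, prm)
    return max_p, invariant_ok


if __name__ == "__main__":
    prm = TrainParams(A=1.0, b=2.0, eps=1.0)   # constructed parameters
    for name, cond in (("delay-aware", safe_to_accelerate),
                       ("naive", naive_safe_to_accelerate)):
        max_p, ok = simulate(0.0, 0.0, 50.0, prm, 20.0, cond)
        print(f"{name}: furthest position {max_p} m, invariant held: {ok}")
```

With these constructed values the naive controller accelerates one decision too long, breaks the braking invariant at the next decision point and overshoots e = 50 m by 10.75 m; the delay-aware controller never exceeds 49.5 m and keeps the invariant at every decision point. The extra term in the delay-aware condition is exactly the worst-case progress made during eps, which is why the invariant can be shown to be preserved by each loop iteration, the same structure a dL loop-invariant proof in KeYmaera X follows.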