European Train Control System: A Case Study in Formal Verification

  • André Platzer
  • Jan-David Quesel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5885)


Complex physical systems have several degrees of freedom. They only work correctly when their control parameters obey corresponding constraints. Based on the informal specification of the European Train Control System (ETCS), we design a controller for its cooperation protocol. For its free parameters, we successively identify constraints that are required to ensure collision freedom. We formally prove the parameter constraints to be sharp by characterizing them equivalently in terms of reachability properties of the hybrid system dynamics. Using our deductive verification tool KeYmaera, we formally verify controllability, safety, liveness, and reactivity properties of the ETCS protocol that entail collision freedom. We prove that the ETCS protocol remains correct even in the presence of perturbation by disturbances in the dynamics. We verify that safety is preserved when a PI controlled speed supervision is used.


Keywords: formal verification of hybrid systems, train control, theorem proving, parameter constraint identification, disturbances





Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • André Platzer (1)
  • Jan-David Quesel (2)
  1. Computer Science Department, Carnegie Mellon University, Pittsburgh
  2. Department of Computing Science, University of Oldenburg, Germany
