European Train Control System

Chapter

Synopsis

Complex physical systems have several degrees of freedom. They only work correctly when their control parameters obey corresponding constraints. Based on the informal specification of the European Train Control System (ETCS), we design a controller for its cooperation protocol. For the free parameters of the system, we successively identify constraints that are required to ensure collision freedom. We formally prove the parameter constraints to be sharp by characterising them equivalently in terms of reachability properties of the hybrid system dynamics. We use the calculus of our differential dynamic logic for hybrid systems and formally verify controllability, safety, liveness, and reactivity properties of the ETCS protocol that entail collision freedom. We prove that the ETCS protocol remains correct even in the presence of perturbation by disturbances in the dynamics.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 256.
    Quesel, J.D.: A theorem prover for differential dynamic logic. Master’s thesis, University of Oldenburg, Department of Computing Science. Correct System Design Group (2007)Google Scholar
  2. 205.
    Meyer, R., Faber, J., Hoenicke, J., Rybalchenko, A.: Model checking duration calculus: A practical approach. Formal Aspects of Computing pp. 1–25 (2008). DOI 10.1007/s00165-008-0082-7Google Scholar
  3. 11.
    Alur, R., Henzinger, T.A., Ho, P.H.: Automatic symbolic verification of embedded systems. IEEE T. Software Eng. 22(3), 181–201 (1996)CrossRefGoogle Scholar
  4. 72.
    Clarke, E., Grumberg, O., Jha, S., Lu, Y., Veith, H.: Counterexample-guided abstraction refinement for symbolic model checking. J. ACM 50(5), 752–794 (2003). DOI 10.1145/876638.876643CrossRefMathSciNetGoogle Scholar
  5. 71.
    Cimatti, A., Roveri, M., Tonetta, S.: Requirements validation for hybrid systems. In: A. Bouajjani, O. Maler (eds.) CAV, LNCS, vol. 5643. Springer (2009). DOI 10.1007/ 978-3-642-02658-4_17Google Scholar
  6. 126.
    Frehse, G.: PHAVer: Algorithmic verification of hybrid systems past HyTech. In: Morari and Thiele [212], pp. 258–273. DOI 10.1007/b106766Google Scholar
  7. 91.
    Damm, W., Mikschl, A., Oehlerking, J., Olderog, E.R., Pang, J., Platzer, A., Segelken, M., Wirtz, B.: Automating verification of cooperation, control, and design in traffic applications. In: C.B. Jones, Z. Liu, J. Woodcock (eds.) Formal Methods and Hybrid Real-Time Systems, LNCS, vol. 4700, pp. 115–169. Springer (2007). DOI 10.1007/978-3-540-75221-9_6Google Scholar
  8. 117.
    ERTMS User Group: ERTMS/ETCS System requirements specification. http://www.era.europa.eu (2002)
  9. 127.
    Frehse, G.: PHAVer: algorithmic verification of hybrid systems past HyTech. STTT 10(3), 263–279 (2008). DOI 10.1007/s10009-007-0062-xCrossRefMathSciNetGoogle Scholar
  10. 245.
    Platzer, A., Quesel, J.D.: European Train Control System: A case study in formal verification. Tech. Rep. 54, Reports of SFB/TR 14 AVACS (2009). ISSN: 1860-9821, http://www.avacs.org.
  11. 27.
    Batt, G., Belta, C., Weiss, R.: Model checking genetic regulatory networks with parameter uncertainty. In: Bemporad et al. 41, pp. 61–75. DOI 10.1007/978-3-540-71493-4_8Google Scholar
  12. 242.
    Platzer, A., Quesel, J.D.: KeYmaera: A hybrid theorem prover for hybrid systems. In: Armando et al. [18], pp. 171–178. DOI 10.1007/978-3-540-71070-7_15Google Scholar
  13. 244.
    Platzer, A., Quesel, J.D.: European Train Control System: A case study in formal verification. In: K. Breitman, A. Cavalcanti (eds.) ICFEM, LNCS, vol. 5885, pp. 246–265. Springer (2009). DOI 10.1007/978-3-642-10373-5_13Google Scholar
  14. 156.
    Henzinger, T.A.: The theory of hybrid automata. In: LICS, pp. 278–292. IEEE Computer Society, Los Alamitos (1996)Google Scholar
  15. 249.
    Pnueli, A., Rosner, R.: On the synthesis of a reactive module. In: POPL, pp. 179–190 (1989). DOI 10.1145/75277.75293Google Scholar
  16. 294.
    Tomlin, C.J., Lygeros, J., Sastry, S.: A game theoretic approach to controller design for hybrid systems. Proc. IEEE 88(7), 949–970 (2000). DOI 10.1109/5.871303CrossRefGoogle Scholar
  17. 75.
    Clarke, E.M., Emerson, E.A.: Design and synthesis of synchronization skeletons using branching-time temporal logic. In: D. Kozen (ed.) Logic of Programs, LNCS, vol. 131, pp. 52–71. Springer (1981)Google Scholar
  18. 217.
    Mysore, V., Piazza, C., Mishra, B.: Algorithmic algebraic model checking II: Decidability of semi-algebraic model checking and its applications to systems biology. In: Peled and Tsay [226], pp. 217–233. DOI 10.1007/11562948_18Google Scholar
  19. 128.
    Frehse, G., Jha, S.K., Krogh, B.H.: A counterexample-guided approach to parameter synthesis for linear hybrid automata. In: Egerstedt and Mishra [111], pp. 187–200. DOI 10.1007/978-3-540-78929-1_14Google Scholar
  20. 188.
    Lafferriere, G., Pappas, G.J., Sastry, S.: O-minimal hybrid systems. Mathematics of Control, Signals, and Systems 13(1), 1–21 (2000). DOI 10.1007/PL00009858MATHCrossRefMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  1. 1.School of Computer ScienceCarnegie Mellon UniversityPittsburghUSA

Personalised recommendations