Formal Safety Analysis in Industrial Practice

  • Ilyas Daskaya
  • Michaela Huhn
  • Stefan Milius
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6959)


We report on a comparative study on formal verification of two level crossing controllers that were developed using Scade by a rail automation manufacturer. Deductive Cause-Consequence Analysis of Ortmeier et al. is applied for formal safety analysis and, in addition, safety requirements are proven. Even with these medium-size industrial case studies, we observed intense complexity problems that could not be overcome by employing different heuristics like abstraction and compositional verification. In particular, we failed to prove a crucial liveness property within the Scade framework stating that an unsafe state will not be persistent. We finally succeeded in proving this property by combining abstraction and model transformation from Scade to UPPAAL timed automata. In addition, we found that the modeling style has a significant impact on the complexity of the verification task.


Keywords: model-based development, Scade, Deductive Cause-Consequence Analysis




  1. Abdulla, P.A., Deneux, J., Stålmarck, G., Ågren, H., Åkerlund, O.: Designing Safe, Reliable Systems Using Scade. In: Margaria, T., Steffen, B. (eds.) ISoLA 2004. LNCS, vol. 4313, pp. 115–129. Springer, Heidelberg (2006)
  2. Alur, R., Courcoubetis, C., Dill, D.L.: Model-checking in dense real-time. Information and Computation 104(1), 2–34 (1993)
  3. Alur, R., Dill, D.L.: A theory of timed automata. Theoretical Computer Science 126, 183–235 (1994)
  4. André, C.: Semantics of S.S.M (safe state machine). Tech. Rep. UMR 6070, I3S Laboratory, University of Nice-Sophia Antipolis (2003)
  5. Bozzano, M., Villafiorita, A.: Improving system reliability via model checking: The fsap/nusmv-sa safety analysis platform (2003)
  6. CENELEC: EN 50128 – Railway Applications – Software for Railway Control and Protection Systems. European Standard (2001)
  7. Clarke, E.M., Grumberg, O., Peled, D.A.: Model Checking. The MIT Press, Cambridge (1999)
  8. Daskaya, I.: Comparative Safety Analysis and Verification for Level Crossings. Master’s thesis, Technische Universität Braunschweig (2011)
  9. DIN: EN 50126: Spezifikation und Nachweis der Zuverlässigkeit, Verfügbarkeit, Instandhaltbarkeit und Sicherheit, RAMS (1999)
  10. DIN: EN 50129: Bahnanwendungen – Telekommunikationstechnik, Signaltechnik und Datenverarbeitungssysteme – Sicherheitsrelevante elektronische Systeme für Signaltechnik (2003)
  11. Güdemann, M., Ortmeier, F., Reif, W.: Using deductive cause-consequence analysis (DCCA) with SCADE. In: Saglietti, F., Oster, N. (eds.) SAFECOMP 2007. LNCS, vol. 4680, pp. 465–478. Springer, Heidelberg (2007)
  12. Halbwachs, N., Caspi, P., Raymond, P., Pilaud, D.: The synchronous dataflow programming language LUSTRE. Proceedings of the IEEE 79(9), 1305–1320 (1991)
  13. Hanisch, H.M., Pannier, T., Peter, D., Roch, S., Starke, P.: Modeling and formal verification of a modular level-crossing controller design (2000)
  14. IEC 60812: Analysis techniques for system reliability (2006)
  15. IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 3: Software requirements (1998), corrigendum (1999)
  16. Joshi, A., Whalen, M.: Model-based safety analysis: Final report. Tech. rep., NASA (2005)
  17. Lamport, L.: What good is temporal logic. Information Processing 83, 657–668 (1983)
  18. McDermid, J.A., Nicholson, M., Pumfrey, D.J., Fenelon, P.: Experience with the application of HAZOP to computer-based systems. In: 10th Annual Conference on Computer Assurance (Compass), pp. 37–48 (1995)
  19. Ortmeier, F., Reif, W., Schellhorn, G.: Deductive cause consequence analysis (DCCA). In: Proc. IFAC World Congress. Elsevier, Amsterdam (2006)
  20. UPPAAL 4.0: Small Tutorial (November 16, 2009),

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Ilyas Daskaya (1)
  • Michaela Huhn (2)
  • Stefan Milius (1)

  1. Institut für Theoretische Informatik, Technische Universität Braunschweig, Braunschweig, Germany
  2. Department of Informatics, Clausthal University of Technology, Clausthal-Zellerfeld, Germany
