Formal verification of safety communication protocol for ETCS PowerPoint PPT Presentation

Title: Formal verification of safety communication protocol for ETCS


1
Formal verification of safety communication
protocol for ETCS
  • Introduction
  • Safety communication protocol in ETCS
  • CPN model of safety communication protocol
  • Formal verification of protocol
  • Conclusions
Chen Lijie
08.06.2011

2
Introduction
Necessity of verification: verification gives
certainty that a required property is satisfied.
Development flow (figure): User requirement →
System design → Verification → Conformance test
Source: Jae-Dong Lee et al. Verification and
conformance test generation of communication
protocol for railway signalling systems.
Computer Standards & Interfaces [2]
3
Introduction
Necessity of applying Petri nets for verification
A communication system can be represented by a
Petri net.
Petri nets can be applied to the verification of
safety-critical systems.
ASK-CTL in CPN Tools is a common method for model
checking.
4
Safety communication protocol for ETCS
Importance of safety for a communication system
The train ahead stops. If the following train
does not receive the command that it should stop,
it will keep running and collide with the train
ahead.
5
Safety communication protocol for ETCS
Structure of the communication system in ETCS
The safety communication protocol is executed in
the safety layer, which functions as a
safety-related transmission system.
The safety-related transmission function has to
be added on top of the non-trusted channel.
EURORADIO (the communication system in ETCS) can
be seen as 3 layers (figure):
  • Application layer: process data
  • Safety layer: establish safety connection
  • Channel: transmit any message
Source: ETCS SUBSET-037
6
CPN model of safety communication protocol
General model of communication system
ETCS Specification subset 037
7
CPN model of safety communication protocol
CPN model of safety logic in the protocol
ETCS Specification subset 037
8
Formal verification of protocol
Verification of domain-independent properties:
boundedness, liveness
Verify properties that are independent of domain
knowledge, i.e. the basic properties every
Petri-net model should satisfy.
Verification of a domain-related property: safety
Verify a property that depends on domain
knowledge, i.e. a property the safety
communication protocol should satisfy.
9
Verification of boundedness
Basic definitions in Petri-net
10
Verification of boundedness
Theorem for verification of boundedness
11
Verification of boundedness
Low-level Petri-net model of the protocol
$Y_1 = (1, 1, 1, 1, 0)^T$
12
Verification of boundedness
Low-level Petri-net model of the protocol
$Y_2 = (0, 0, 0, 0, 1)^T$
$Y_n = (1, 1, 1, 1, 1)^T > 0$
The protocol model is bounded.
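Slides 9 to 12 apply the boundedness theorem without reproducing the definitions, so the check is spelled out here in code. The standard result is: if the incidence matrix C (rows = places, columns = transitions, entry = post minus pre) admits a P-invariant Y with Y^T C = 0 and Y > 0 in every component, then Y^T M is constant along every firing sequence, so every place p is bounded by Y^T M0 / Y[p]. This is an added Python example, not the slides' Design/CPN model: the 5-place net, its incidence matrix C_BOUNDED and initial marking M0 are constructed so that its invariants come out as the two vectors on slides 11 and 12, and C_UNBOUNDED is a constructed variant that shows what the test reports when no invariant covers a place.

```python
from functools import reduce
from math import gcd

# Constructed example net (not the page's protocol net): 5 places x 5 transitions.
# p1..p4 form the cycle Disconnected -> Connecting -> Connected -> Releasing ->
# Disconnected (t1..t4), t5 is a failed connection attempt (Connecting ->
# Disconnected), and p5 is a "channel available" token that t1 only tests
# (pre = post), so its column in C is zero.  C[p][t] = post - pre.
#             t1  t2  t3  t4  t5
C_BOUNDED = [
    [-1,  0,  0,  1,  1],   # p1 Disconnected
    [ 1, -1,  0,  0, -1],   # p2 Connecting
    [ 0,  1, -1,  0,  0],   # p3 Connected
    [ 0,  0,  1, -1,  0],   # p4 Releasing
    [ 0,  0,  0,  0,  0],   # p5 Channel available (test arc only)
]
M0 = (1, 0, 0, 0, 1)        # constructed initial marking: disconnected, channel free

# Constructed variant: extra transition t6 puts a token into p2 out of nothing.
C_UNBOUNDED = [row + [1 if p == 1 else 0] for p, row in enumerate(C_BOUNDED)]


def is_p_invariant(C, Y):
    """Y is a P-invariant iff Y^T C = 0, i.e. the Y-weighted token count never changes."""
    return all(sum(Y[p] * C[p][t] for p in range(len(C))) == 0
               for t in range(len(C[0])))


def p_invariants(C):
    """Farkas algorithm on [C | I]: returns a generating set of the non-negative
    integer P-invariants of C (sorted tuples, one entry per place)."""
    n_p, n_t = len(C), len(C[0])
    D = [list(C[p]) + [int(k == p) for k in range(n_p)] for p in range(n_p)]
    for t in range(n_t):
        pos = [r for r in D if r[t] > 0]
        neg = [r for r in D if r[t] < 0]
        combined = []
        for a in pos:
            for b in neg:
                # positive combination of a and b whose column t cancels
                row = [x * (-b[t]) + y * a[t] for x, y in zip(a, b)]
                g = reduce(gcd, row)          # identity part guarantees g >= 1
                combined.append([x // g for x in row])
        D = [r for r in D if r[t] == 0] + combined
    return sorted({tuple(r[n_t:]) for r in D})


def place_bounds(invariants, M0):
    """Upper bound of each place from the invariants covering it: Y.M0 / Y[p].
    None means no invariant covers the place, so this test proves no bound."""
    bounds = []
    for p in range(len(M0)):
        cands = [sum(y * m for y, m in zip(Y, M0)) // Y[p]
                 for Y in invariants if Y[p] > 0]
        bounds.append(min(cands) if cands else None)
    return bounds


def structurally_bounded(invariants, n_places):
    """True if some non-negative invariant covers every place; the sum of those
    invariants is then a positive invariant, so the net is bounded for any M0."""
    return all(any(Y[p] > 0 for Y in invariants) for p in range(n_places))


if __name__ == "__main__":
    for name, C in (("bounded net", C_BOUNDED), ("unbounded variant", C_UNBOUNDED)):
        inv = p_invariants(C)
        print(name, "invariants:", inv)
        print("  bounds per place:", place_bounds(inv, M0),
              "structurally bounded:", structurally_bounded(inv, len(M0)))
```

The sum of the two invariants found for C_BOUNDED is the strictly positive vector that slide 12 writes as (1,1,1,1,1)^T > 0, which is exactly the condition the theorem needs. For C_UNBOUNDED the Farkas run discards the row that t6 alone increases, so p1 to p4 are left uncovered; the function reports that boundedness is not proven, which is the correct reading of the invariant test (a missing invariant is not by itself a proof of unboundedness, although in this constructed net t6 really can fire forever).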
13
Verification of liveness
Code to query dead markings
Query the dead markings in the state space.
14
Verification of liveness
Code to query invalid dead markings
Define the possible valid terminal markings.
Query the invalid terminal markings among the
dead markings.
15
Verification of safety
Code to query the unsafe state
Unsafe state: the safety connection state is
still disconnected when it should transmit data.
Query the unsafe state in the entire state space.
16
Verification of safety
ASK-CTL to query the unsafe state
Safety requirement
Something bad never happens: the case that the
safety connection fails to establish never
happens.
Judge whether the negation of the function
unsafe holds, i.e. whether no state satisfying
unsafe exists.
17
Conclusions
A state representation of the safety
communication protocol is developed in the form
of a CPN. This allows the Poseidon and Design/CPN
tools to be used for the verification.
Petri nets are a suitable method to verify the
safety communication protocol.
By using state space analysis it is proved that
the dead markings in the protocol model are
reasonable.
Design/CPN transforms the aim of verification
into a formal description and verifies the model.
As a result, it is found that the safety
communication protocol can never fail to
establish a safety connection.
18
References
[1] Euroradio FIS class 1 requirements [EB/OL], 2003.
[2] Jae-Dong Lee, Jae-Il Jung, Jae-Ho Lee, Jong-Gyu Hwang, Jin-Ho Hwang, Sung-Un Kim. Verification and conformance test generation of communication protocol for railway signalling systems. Computer Standards & Interfaces 29 (2007) 143-151.
[3] Jae-Ho Lee, Jong-Gyu Hwang, Gwi-Tae Park. Performance evaluation and verification of communication protocol for railway signaling systems. Computer Standards & Interfaces 27 (2005) 207-219.
[4] CENELEC, Railway Applications - Safety related communication in open transmission systems, EN 50159-2, 2001.
[5] Jensen K. Coloured Petri nets. Basic concepts, analysis methods and practical use. Vol. 2: Analysis methods. Monographs in Theoretical Computer Science. Berlin: Springer, 1997, 2nd corrected printing. ISBN 3-540-58276-2.
[6] E. Nemeth, T. Bartha, Cs. Fazekas, K. M. Hangos. Verification of a primary-to-secondary leaking safety procedure in a nuclear power plant using coloured Petri nets. Reliability Engineering and System Safety 94 (2009) 942-953.
19
[7] Panagiotis Katsaros. A roadmap to electronic payment transaction guarantees and a Colored Petri Net model checking approach. Information and Software Technology 51 (2009) 235-257.
[8] Heiner M. Verification and optimization of control programs by Petri nets without state explosion. In: Proceedings of the Second International Workshop on Manufacturing and Petri Nets, held at the XVIII International Conference on Applications and Theory of Petri Nets (ICATPN'97), 1997, pp. 69-84.
[9] A. Cheng, S. Christensen, K. H. Mortensen. Model checking Colored Petri Nets exploiting strongly connected components. In: Proceedings of the International Workshop on Discrete Event Systems, Edinburgh, Scotland, UK, 1996, pp. 169-177.
20
chen_at_iva.ing.tu-bs.de! ?
Welcome to Beijing