Verification And Validation In Railway Using Formal .
Using Formal Methods forVerification and Validation in RailwayKlaus Reichl
Klaus.Reichl@gmail.comComputer Hacker and Guitar PlayerLiving in ViennaKlaus.Reichl@thalesgroup.comSystem and Software ArchitectHandelskai 92A-1200 esgroup.com/austria2
Outline Railway Theory - The Norm A “Real” Model Excurse: ERTMS, ETCS and InterlockingModelling Formally Railway in ActionRailway Theory - The Standards Excurse: CENELEC StandardInterlocking Architecture and its ModelWhat comes next Plans for the near FutureKlaus Reichl - Formal Methods for Verification and Validation in Railway3
Bad Aibling 2016Klaus Reichl - Formal Methods for Verification and Validation in Railway4
Bad Aibling 2016 - Facts Head to head collision at 100 km/h eachTrains were equipped with the PZB (Punktförmige Zugbeeinflussung) train protectionsystem ( Indusi) Enforces line-side signaling and prevent drivers from accidentally pass signals in case ofdanger Main signals showing “stop” or are out of operation can be passed when subsidiary signalsoperated by the train dispatcher are setBoth trains received permission by means of a subsidiary signal due to human error150 people were on the trains, considerably fewer than normal because of Holidayseason 12 people died, 85 others were injuredKlaus Reichl - Formal Methods for Verification and Validation in Railway5
Excurse: CENELEC NormKlaus Reichl - Formal Methods for Verification and Validation in Railway6
CENELEC - a standard for (not only) RailwaysCENELEC/TC 9X is responsible for the development of European Standards forElectro Technical Applications related to the Rail Transport Industry of theEuropean Union. CENELEC is European (AREMA is the American counterpart)CENELEC includes Development Process beside RAMS and Hardware CENELEC EN 50128 Railway applications - Communications, signalling and processing systemsspecialises EN 61508 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related SystemsKlaus Reichl - Formal Methods for Verification and Validation in Railway7
CENELEC railway standards for signallingEN 50126-1 :1999: The specification and demonstration of reliability, availability,maintainability and safety (RAMS).EN 50128:2011: Software for railway control and protection systems. Replaced2001 version.EN 50129:2003: Safety-related electronic systems for signalling. Replaced 1998version.EN 50159:2010: Safety-related communication in transmission systems. Replaced2001 version.Klaus Reichl - Formal Methods for Verification and Validation in Railway8
Safety Integrity Level Concept of Safety Integrity Level (SIL) based on the Tolerable Hazard RateSIL 4 is the most stringentTolerable Hazard RateTHR per hour and functionSafety Integrity Level (SIL). 10-9 THR 10-8410-8 THR 10-7310-7 THR 10-6210-6 THR 10-5110-5 THR 10-3 .0Klaus Reichl - Formal Methods for Verification and Validation in Railway9
The V-Model in CENELECKlaus Reichl - Formal Methods for Verification and Validation in Railway10
The V-Model in CENELEC - PhasesKlaus Reichl - Formal Methods for Verification and Validation in Railway11
The V-Model in CENELEC - MissionsKlaus Reichl - Formal Methods for Verification and Validation in Railway12
CENELEC Recommendations Formal Methods are “recommended” for SIL 1/2 and “highly recommended”for SIL 3/4 Formal Proof is “recommend” for SIL 1/2 and “highly recommended” for SIL3/4 Software Requirement Specification (Table A.2)Software Architecture (Table A.3)Modelling (Table A.17)Verification and Testing (Table A.5)Formal Proof of correctness of data is “highly recommended” for SIL 3/4 Data Preparation Techniques (Table A.11)Klaus Reichl - Formal Methods for Verification and Validation in Railway13
CENELEC on Formal Methods apply formal methods to requirements and high-level designs where most ofthe details are abstracted awayapply formal methods to only the most critical componentsanalyse models of software and hardware where variables are made discreteand ranges drastically reducedanalyse system models in a hierarchical manner that enables "divide andconquer"automate as much of the verification as possibleDescribed are CSP, CCS, HOL, LOTOS, OBJ, Temporal Logic, VDM, Z, B, ModelChecking and Formal ProofKlaus Reichl - Formal Methods for Verification and Validation in Railway14
CENELEC Tools QualificationSOI - System of Interest SIL Level Qualification and AssessmentEnabling System Tool Qualification, part of the Assessment T3 - Tools which produces code or data for SOI T2 - Tools which are used to verify and validate the SOI Test and Verification ToolsT1 - Other tools in the development process Code and Data GeneratorsEditorsGrey Zone - Build Tools, Statistics, .TVR (Tool Validation Report) as framework to Qualification ProcessKlaus Reichl - Formal Methods for Verification and Validation in Railway15
Back to modelling .Klaus Reichl - Formal Methods for Verification and Validation in Railway16
All Models are WrongGeorge Box 1976(https://en.wikipedia.org/wiki/All models are wrong#cite note-1). but Some are UsefulGeorge Box 1978Klaus Reichl - Formal Methods for Verification and Validation in Railway(https://en.wikipedia.org/wiki/All models are wrong#cite ref-2)17
Since all models are wrong. the scientist cannot obtain a "correct" one by excessiveelaboration. On the contrary following William of Occam heshould seek an economical description of natural phenomena.Just as the ability to devise simple but evocative models is thesignature of the great scientist so overelaboration andoverparameterization is often the mark of mediocrity.George Box 1976Klaus Reichl - Formal Methods for Verification and Validation in Railway18
All Models are Right. Most are UselessThaddeus Tarpey 2012Klaus Reichl - Formal Methods for Verification and Validation in th/211/)19
Fallacy of ReificationWhen an abstraction (the model) is treated as if it were a realconcrete entity. The fallacy of reification is commited over and over,believing the model represents the truth. instead of anapproximation. The model is not wrong but treating the model as theabsolute truth (i.e. reification) is wrong.Thaddeus Tarpey 2012Klaus Reichl - Formal Methods for Verification and Validation in Railway20
Model of a Classical InterlockingKlaus Reichl - Formal Methods for Verification and Validation in Railway21
22
23
Questions? Is the model right? Is the model useful? Is the model economically practical?Klaus Reichl - Formal Methods for Verification and Validation in Railway24
No Routes?No Station?No Flank Protection?Train Length?Train Integrity?Klaus Reichl - Formal Methods for Verification and Validation in Railway25
Questions? Is the model right? Is the model useful? Is the model economically practical?Klaus Reichl - Formal Methods for Verification and Validation in Railway26
Classical Signalling Conventional Optical Signals Optional Train ProtectionRoute Control - pre configured Priority Routes Alternative RoutesTrains (rather vehicles!) detected by Track CircuitElement Control Points and SignalsKlaus Reichl - Formal Methods for Verification and Validation in Railway27
Questions? Is the model right? Is the model useful? Is the model economically practical?Klaus Reichl - Formal Methods for Verification and Validation in Railway28
Is the Model Economically Practical? Great Demo for Customers (Little & Big Girls) Way too expensive Maintenance by “Ferro-Sexual” Hobbyists Not shareable Not movable However a small variant exists ;-)Klaus Reichl - Formal Methods for Verification and Validation in Railway29
Excurse: Some words on ERTMS, ETCSand InterlockingKlaus Reichl - Formal Methods for Verification and Validation in Railway30
ERTMS - European Rail Traffic Management SystemEuropean Union driven replacement to the different nationaltrain control and command systems in Europe. GSM-R (Global System for Mobiles - Railway) Communication between vehicles and line controllersETCS (European Train Control System) In-cab train control supplementing or replacing trackside signaling Interface to InterlockingsETML (European Traffic Management Layer) Operation management level to optimize train movements Augmentation to Interlockings by means of Remote Control andTraffic/Operational Management CentresKlaus Reichl - Formal Methods for Verification and Validation in Railway31
ETCS - European Train Control Level 0 - ETCS-fitted vehicles on non-ETCS route Level 1 - Cab signalling which can be superimposed on the existing signalling system Eurobalise radio beacons pick up signal aspects from the trackside signals via signal adapters and telegramcoders (STM - Specific Transmission Module)“Infill” Eurobalise or EuroLoop between the distant signal and main signal deliver new proceed aspectsLevel 2 - Cap signalling via digital radio-based system (Radio Block Center - RBC) Train driver observes tracksideMight be limited in speed by the last balises encounteredMovement Authority and other signal aspects are granted via radioBreaking curves implemented by the Onboard Unit (EVC - European Vital Computer)Level 3 - From Train Protection to full Radio-Based Train Spacing Trains find their position themselvesFixed blocks (potentially) replaced by Moving Blocks (breaking distance spacing)Reliable Train Integrity (End of Train device)Klaus Reichl - Formal Methods for Verification and Validation in Railway32
ETCS - European Train Control Level 0 - ETCS-fitted vehicles on non-ETCS route Level 1 - Cab signalling which can be superimposed on the existing signaling system Eurobalise radio beacons pick up signal aspects from the trackside signals via signal adapters and telegramcoders (STM - Specific Transmission Module)“Infill” Eurobalise or EuroLoop between the distant signal and main signal deliver new proceed aspectsLevel 2 - Cap signalling via digital radio-based system (Radio Block Center - RBC) Train driver observes tracksideMight be limited in speed by the last balises encounteredMovement Authority and other signal aspects are granted via radioBreaking curves implemented by the Onboard Unit (EVC - European Vital Computer)Level 3 - From Train Protection to full Radio-Based Train Spacing Trains find their position themselvesFixed blocks (potentially) replaced by Moving Blocks (breaking distance spacing) Reliable Train Integrity (End of Train device)Klaus Reichl - Formal Methods for Verification and Validation in RailwayGraphic: https://en.wikipedia.org/wiki/European Train Control System33
ETCS - European Train Control Level 0 - ETCS-fitted vehicles on non-ETCS route Level 1 - Cab signalling which can be superimposed on the existing signalling system Eurobalise radio beacons pick up signal aspects from the trackside signals via signal adapters and telegramcoders (STM - Specific Transmission Module)“Infill” Eurobalise or EuroLoop between the distant signal and main signal deliver new proceed aspectsLevel 2 - Cap signalling via digital radio-based system (Radio Block Center - RBC) Train driver observes tracksideMight be limited in speed by the last balises encounteredMovement Authority and other signal aspects are granted via radioBreaking curves implemented by the Onboard Unit (EVC - European Vital Computer)Level 3 - From Train Protection to full Radio-Based Train Spacing Trains find their position themselvesFixed blocks (potentially) replaced by Moving Blocks (breaking distance spacing)Reliable Train Integrity (End of Train device)Klaus Reichl - Formal Methods for Verification and Validation in RailwayGraphic: https://en.wikipedia.org/wiki/European Train Control System34
ETCS - European Train Control Level 0 - ETCS-fitted vehicles on non-ETCS route Level 1 - Cab signalling which can be superimposed on the existing signalling system Eurobalise radio beacons pick up signal aspects from the trackside signals via signal adapters and telegramcoders (STM - Specific Transmission Module)“Infill” Eurobalise or EuroLoop between the distant signal and main signal deliver new proceed aspectsLevel 2 - Cap signalling via digital radio-based system (Radio Block Center - RBC) Train driver observes tracksideMight be limited in speed by the last balises encounteredMovement Authority and other signal aspects are granted via radioBreaking curves implemented by the Onboard Unit (EVC - European Vital Computer)Level 3 - From Train Protection to full Radio-Based Train Spacing Trains find their position themselvesFixed blocks (potentially) replaced by Moving Blocks (breaking distance spacing)Reliable Train Integrity (End of Train device)Klaus Reichl - Formal Methods for Verification and Validation in RailwayGraphic: https://en.wikipedia.org/wiki/European Train Control System35
ETCS - European Train Control Virtual Signals - Movement Authority Train ProtectionRoute Control - computed In addition to pre configuredTrains (rather vehicles!) detected by Positioning LogicElement Control Points and Level CrossingsKlaus Reichl - Formal Methods for Verification and Validation in Railway36
Now really modelling .Klaus Reichl - Formal Methods for Verification and Validation in Railway37
Interlocking ArchitectureKlaus Reichl - Formal Methods for Verification and Validation in Railway38
Refinement StrategyKlaus Reichl - Formal Methods for Verification and Validation in Railway39
Refinement StrategyKlaus Reichl - Formal Methods for Verification and Validation in Railway40
Klaus Reichl - Formal Methods for Verification and Validation in Railway41
Klaus Reichl - Formal Methods for Verification and Validation in Railway42
Establishing a RouteKlaus Reichl - Formal Methods for Verification and Validation in Railway43
Establishing a Route (Locked by Another)Klaus Reichl - Formal Methods for Verification and Validation in Railway44
Closing a Signal after Track OccupancyKlaus Reichl - Formal Methods for Verification and Validation in Railway45
Questions? Is the model right? Is the model useful? Is the model economically practical?Klaus Reichl - Formal Methods for Verification and Validation in Railway46
No Flank Protection?Route Release is Crap!Waiting train could already move to platform “Gl 101”!Klaus Reichl - Formal Methods for Verification and Validation in Railway47
Questions? Is the model right? Is the model useful? Is the model economically practical?Klaus Reichl - Formal Methods for Verification and Validation in Railway48
Is the model useful? Allows to formulate Business Rules Domain Specific Language works well in Rodin TheoriesHazards can be translated to Guards and Invariants How to safely drive trains through the networkWhat can we optimizeWhat are the constraintsWhich situations need discussionData Models can be used for Verification and Validation Axioms on DataScenarios on given Topological and Geometric SituationsKlaus Reichl - Formal Methods for Verification and Validation in Railway49
Questions? Is the model right? Is the model useful? Is the model economically practical?Klaus Reichl - Formal Methods for Verification and Validation in Railway50
Is the model economically practical? Adding new Control Operations is painful Business Domain and Architecture is Mixed This should be done using an AdaptorProtocol to HMI adds Incidental ComplexityACK/NAK does not bring any valueShould be strictly decoupled for MaintainabilityModel is good for different Topologies, not for additional FunctionalityAdding new Features need Elaboration Unclear how to properly do Feature Driven DevelopmentHow to evolve the ModelKlaus Reichl - Formal Methods for Verification and Validation in Railway51
What we like to do about it .Klaus Reichl - Formal Methods for Verification and Validation in Railway52
Layered Architecture - Context MapArchitecture PrincipleKlaus Reichl - Formal Methods for Verification and Validation in RailwayDomain Model
The Plan . Rework Interlocking Model according to DDD Principles Put an Example Model into Open Source Use Domain Language as already definedAdopt towards “railML.org” Standards (railTOPOMODEL - http://www.railtopomodel.org/en/)“Railground” Project on github as playground (https://github.com/klar42/railground)Explains modelling principles for Railway ModelsInterested community can participateIntegrate Verification and Validation Strategies with Model-Driven Architectureand Design ECSEL EU ENABLE-S3 Project kicked-off June 2016Work on Verification and ValidationContinuous Integration (CI) on the models as major step forwardKlaus Reichl - Formal Methods for Verification and Validation in Railway54
SummaryOverview of (a bit) of the Railway Theory Norm, StandardsFeeling on how Railway Applications are Modelled Railway Domain Core, Generic Application, Station DataDistributed ProblemWhere is it driving at Model Integration with various Stakeholders from various DomainsKlaus Reichl - Formal Methods for Verification and Validation in Railway55
Klaus.Reichl@gmail.comComputer Hacker and Guitar PlayerLiving in ViennaThank You!Questions?Klaus.Reichl@thalesgroup.comSystem and Software ArchitectHandelskai 92A-1200 nsportation/rail-public-transport-056
ReferencesCENELEC- https://www.cenelec.eu/Thales- https://www.thalesgroup.com/enERTMS- http://www.ertms.net/ETCS- http://uic.org/ETCSThales Transportation- ation/ground-transportationrailML- https://www.railml.org/en/- http://www.railtopomodel.org/en/Polarsys Capella System Modelling- https://www.polarsys.org/capella/“railground” Playground Event-B Model- https://github.com/klar42/railgroundDDD- http://dddeurope.com/2016/#top- https://groups.google.com/forum/#!forum/dddcqrs57
License 2016 - Klaus Reichl - Klaus.Reichl@thalesgroup.com, Klaus.Reichl@gmail.comThis document is licensed under a Creative Commons Attribution 4.0Unported license. For more information about this license see https://creativecommons.org/licenses/by/4.0/ (In short, you can copy, redistribute,and adopt this work as long as you give proper attribution).Klaus Reichl - Formal Methods for Verification and Validation in Railway58
Formal Proof of correctness of data is “highly recommended” for SIL 3/4 Data Preparation Techniques (Table A.11) 13. Klaus Reichl - Formal Methods for Verification and Validation in Railway CENELEC on Formal Methods apply formal methods to requirements and high-level designs where most of
new approaches for verification and validation. 1.1. Role of Verification and Validation Verification tests are aimed at "'building the system right," and validation tests are aimed at "building the right system." Thus, verification examines issues such as ensuring that the knowledge in the system is rep-
Railway Telecoms REB DC Power 15 Railway Customer Information Systems 16 Station PA Systems 17 Networking Fundamentals 18 Railway Optical Fibre Cable Joint Preparation and Splicing 19 Railway Optical Fibre Testing and Result Analysis 20 Railway Cable Avoidance Tool (C.A.T &am
by acquiring knowledge of railway infrastructure from various other sources. First and foremost, we consulted one of the state of the art railway engineering textbooks, Modern Railway Track (Esveld, 2001). Additionally, we consulted RailML an existing standard for describing railway infrastructure assets, railway timetables, and railway .
(a) Railway Board (b) Railway Ministry (c) Both railway Board and Railway Ministry (d) None of these Answer: A 19. The headquarters of South-Central Railways is situated at (a) Mumbai (V.T) (b) Chennai (c) Secundrabad (d) Mumbai (Central) Answer: C 20. The headquarters of Northern Railway is at
verification and validation. 1.2 PURPOSE This System Validation and Verification Plan provide a basis for review and evaluation of the effectiveness of the AIV program and its proposed elements. In addition it is an input to the lower level verification. In this document it is proposed a scenario for the full requirements traceability throughout a
Validation of standardized methods (ISO 17468) described the rules for validation or re-validation of standardized (ISO or CEN) methods. Based on principles described in ISO 16140-2. -Single lab validation . describes the validation against a reference method or without a reference method using a classical approach or a factorial design approach.
Cleaning validation Process validation Analytical method validation Computer system validation Similarly, the activity of qualifying systems and . Keywords: Process validation, validation protocol, pharmaceutical process control. Nitish Maini*, Saroj Jain, Satish ABSTRACTABSTRACT Sardana Hindu College of Pharmacy, J. Adv. Pharm. Edu. & Res.
1850 Map showing proposed line of railway between Stoke-on-Trent and Leek Unidentified location with line of railway showing proposed culvert carrying Trent River under railway. Presumed north of Stoke - Biddulph Vale area. Maps.RLY.aa.1226 1 sheet - drawing, plan 1850 1853 "Conditions o
