Formal verification of safety communication protocol for ETCS Chen Lijie 08.06.2011 Introduction ...

Formal verification of safety communication protocol for ETCS

Chen Lijie

08.06.2011

Introduction Safety communication

protocol in ETCS CPN model of safety

communication protocol Formal verification of protocol Conclusions

08.06.2011 | M. Eng. Chen Lijie | Formal verification of safety communication protocol for ETCSSlide 2

Introduction

User requirement

System design

Verification

Necessity of verification

give certainty about satisfaction of a

required property

“ Jae-Dong Lee. Verification and conformance test generation of communication protocol for railway signalling systems. Computer Standards & Interfaces”

Conformance test

Necessity of verification


A communication system could be represented by Petri-net

Petri-net could be applied for verification of safety-critical system

ASK-CTL in CPN Tools is common method for model checking

IntroductionNecessity to apply Petri-net for verification


Safety communication protocol for ETCSImportance of safety for a communication system

The train ahead stops

If the following train does not receive the command that it should stop, it will go on running and collide with the train ahead


Safety communication protocol for ETCS

It is needed to add safety-related transmission

function upon the non-trusted channel

EURORADIO(commun

ication system in

ETCS) could include 3

layers

Application layer

Safety layer

Channel

Establish safety connection

Transmit any message

Process dataSafety communication

protocol is executed in

safety layer, functioned as

a safety-related

transmission system

Structure of communication system in ETCS

ETCS SUBSET 037


CPN model of safety communication protocolGeneral model of communication system

ETCS Specification subset 037


CPN model of safety communication protocolCPN model of safety logic in the protocol

ETCS Specification subset 037


Formal verification of protocol

Verification of domain-independent property – Boundedness, Liveness

Verify property independent of domain knowledge, including basic

property Petri-net model should satisfy.

Verification of domain-related property - Safety

Verify property related to domain knowledge, including property

safety communication protocol should satisfy.

Formal verification of protocol


Verification of boundedness

Definition 1. Petri net is a tuple PN = (S, T; F, M0). S is a finite set of places, T is a finite set

of transitions, F is a finite set of arcs which connect S and T, M0 is an initial marking. R(M0)

is a finite set of all reachable markings from M0. ∀M∈R(M0): M(S)≤B|B>0, S is bounded. If ∀s∈S is boundedness, PN is boundedness.

Definition 2. The net structure of PN can be denoted by a matrix A

A = [aij], aij = aij+ - aij

-, aij+ =

1, ( , )

0

i jif t p F

aij- =

1, ( , )

0

j iif p t F

A is called the incidence matrix of PN.

Definition 3. iff ∃Y: AY=0|∀y∈Y: y≥0, Y is one S-invariant of PN.

Basic definitions in Petri-net


Theorem. Set n as the number of Y. iff 1

n

ii

Y >0 (0≤ 𝒊≤ n), PN has boundedness.

Proof. Set Yn=1

n

ii

Y , then AYn=0. ∀ M0, ∀ M ∈ R(M0), ∃ X|X ≥ 0, M=M0+ATX,

MT=(M0+ATX)T=M0T+XTA, MTYn=M0

TYn+XTAYn

If XT≥0, AYn=0, then XTAYn=0. MTYn = M0TYn,

1

( )m

kk

M s Yn(k)=

01

( )m

jj

M s Yn(j)

Then M(sk) Yn(k)≤0

1

( )m

jj

M s Yn(j), k=1, 2, …, m

Namely, M(sk)≤(0

1

( )m

jj

M s Y(j))/Y(k), k=1, 2, …, m

Verification of boundednessTheorem for verification of boundedness


Y1 = [1, 1, 1, 1, 0]T

Verification of boundednessLow level petri net model of the protocol


Y2 = [0, 0, 0, 0, 1]T

Yn = [1, 1, 1, 1, 1]T > 0 The protocol model has boundedness

Verification of boundednessLow level petri net model of the protocol


Verification of livenessCode to query dead markings

Query the dead markings in state space


Verification of livenessCode to query invalid dead markings

Define possible valid terminal

markings

Query invalid terminal markings in dead markings


Verification of safetyCode to query unsafe state

Unsafe state: safety connection state is still disconnected when it should transmit data.

Query unsafe state in the entire state space


Something bad never happens: the case that safety connection fails

to establish never happens.

Safety requirement

Verification of safetyASK-CTL to query unsafe state

Judge if anti-proposition of function unsafe is true, namely if there does not exist state defined in unsafe


Conclusions

Petri-net is a suitable method to verify safety communication protocol.

A state representation of the safety communication protocol is developed

in the form of CPN. This allows Poseidon and Design/CPN tool to be used

for the verification.

By using a state space analysis it is proved that dead markings in the

protocol model are reasonable.

Design/CPN transforms the aim of verification into formal description and

verifies the model. As a result, it is found that the safety communication

protocol could never fail to establish safety connection.


References

[1] Euroradio FIS ： class 1 requirements[EB/OL], 2003.[2] Jae-Dong Lee, Jae-Il Jung, Jae-Ho Lee, Jong-Gyu Hwang, Jin-Ho Hwang, Sung-Un Kim. Verification and conformance test generation of communication protocol for railway signalling systems. Computer Standards & Interfaces 29 (2007) 143–151[3] Jae-Ho Lee, Jong-Gyu Hwang, Gwi-Tae Park. Performance evaluation and verification of communication protocol for railway signaling systems. Computer Standards & Interfaces 27 (2005) 207–219[4] CENELEC, Railway Applications - Safety related communication in open transmission systems, EN 50159-2, 2001.[5] Jensen K. Coloured Petri nets. Basic concepts, analysis methods and practical use. Analysis methods, vol. 2. Monographs in theoretical computer science. Berlin: Springer; 1997 [2nd corrected printing. ISBN: 3-540-58276-2].[6] E. Nemeth, T.Bartha, Cs.Fazekas, K.M.Hangos. Verification of a primary-to-secondary leaking safety procedure in a nuclear power plant using coloured Petri nets. Reliability Engineering and System Safety 2009; 94: 942-953.


[7] Panagiotis Katsaros. A roadmap to electronic payment transaction guarantees and a Colored Petri Net model checking approach. Information and Software Technology 2009; 51: 235-257[8] Heiner M. Verification and optimization of control programs by Petri nets without state explosion. In: Proceedings of the second international workshop on manufacturing and Petri nets, held at the XVIII international conference on applications and theory of Petri nets (ICATPN’97), 1997. p. 69–84.[9] A. Cheng, S. Christensen, K.H. Mortensen, Model checking Colored Petri Nets exploiting strongly connected components, in: Proceedings of the International Workshop on Discrete Event Systems, Edinburgh, Scotland, UK, 1996, pp. 169–177


[email protected]!

Welcome to Beijing

Formal verification of safety communication protocol for ETCS Chen Lijie 08.06.2011 Introduction ...

Documents

Transcript of Formal verification of safety communication protocol for ETCS Chen Lijie 08.06.2011 Introduction ...