Ten Diverse Formal Models for a CBTC Automatic Train...
Franco Mazzanti ISTI CNR Pisa Italy
MARS / VPT 2018, Thessaloniki, 20 April 2018
Ten Diverse Formal Models for a CBTC Automatic Train Supervision System

Origins of the study
Trace-IT: Define an ATS scheduling approach to achieve deadlock-free train dispatching.
Case study: a project-defined CBTC scenario.
ASTRail: Investigate and experiment with a rich set of formal methods and tools to compose a survey on the suggested use of formal methods in the railway field.
Trace-IT case study re-used as one of the experiments.
Official Disclaimer: The opinions and results discussed in this presentation reflect only the author’s view and the Shift2Rail Joint Undertaking is not responsible for any use that may be made of the presented information.

The Trace-IT goal
• We have a metro layout.
• We have an automatic (unmanned) metro service.
• Each train has its mission statically defined, provided to the ATS as static configuration data (timetable).
• We have to design the logic of the ATS scheduling kernel, to successfully dispatch all the trains, leading them to destination while avoiding deadlocks (also in case of arbitrary delays).

The Trace-IT project demonstrator case study
[Figure: metro layout with four lines (yellow, blue, red, green), numbered segments 1 to 32, labels BCA01 to BCA05, and the stations Vicolo Corto, Via Accademia, Piazza Università, Via Verdi, Piazza Dante, Vicolo Stretto, Via Marco Polo, Via Roma, Viale dei Giardini, Parco della Vittoria and Viale Monterosa, each with platform tracks numbered I to IV]
• 8 trains providing circular services

Itineraries vs circuits
[Figure: detail of the layout around Piazza Università (tracks I and II), between BCA01 and BCA02, with segments 3, 4, 5 and 6]
Segments correspond to entry/exit itineraries of stations.
Itineraries are composed of several track circuits.

Handling the problem size
[Figure: the metro layout partitioned into SECTION 1, SECTION 2 and SECTION 3]

The Section 2 layout and train missions.
[Figure: Section 2 layout with numbered segments, showing train0 to train7]
[Figures: eight further slides of the Section 2 layout, each showing a single train, in the order train0, train4, train1, train5, train2, train6, train3, train7; the train5 slide is titled "The Trace-IT case study"]

A sample deadlock occurrence
[Figure: Section 2 layout with train positions in a sample deadlock]

The Trace-IT solution
T0 = [1, 9, 10, 13, 15, 20, 23]   Mission for train0
A0 = [0, 0, 0, 1, 0, -1, 0]   Region-A Constraints for train0
[Figure: Section 2 layout showing train0 and region A]
RA = current occupation count
LA = max occupation count = 7
A: [RA + 1 <= 7] RA++, RA--

The progression rule (e.g. for train0)
T0 = [1, 9, 10, 13, 15, 20, 23]   Mission for train0
A0 = [0, 0, 0, 1, 0, -1, 0]   Region-A Increments/Decr. for train0
P0 = n   current progress point of train0 (index in T0)
when <next endpoint of train0 is free>, i.e. for all i: T0[P0+1] != Ti[Pi]
and <train0 move does not saturate any region>, i.e. for all regions A, …: RA + A0[P0+1] <= LA
the train can advance, i.e. P0 = P0+1, RA = RA+A0[P0]
RA = n   current degree of occupancy of region A
LA = 7   maximum degree of occupancy for region A

The reference structure of the model
Global Constants
T0 = [1, 9, 10, 13, 15, 20, 23]; A0 = [0, 0, 0, 1, 0, -1, 0]; B0 = [0, 0, 0, 1, 0, -1, 0];
…
T7 = [26, 22, 17, 18, 12, 27, 7]; A7 = [1, 0, 0, -1, 0, 0, 0]; B7 = [1, 0, 0, -1, 0, 0, 0];
LA = 7; LB = 7
Global Variables
P0, P1, ..., P7 := 0; RA := 1, RB := 1
Train Rules
Train0: [guard train0] / actions train0
…
Train7: [guard train7] / actions train7
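
The guard/action rule above, run as a small explicit-state search (an added example, not the authors' model and not one of the ten tool encodings). The two-train layout, its endpoint numbers and the region limit of 1 are constructed for illustration; the full eight-train missions are elided on the slides and are not reproduced here.

```python
from collections import deque

# Constructed toy layout (not from the slides): two trains cross a shared
# two-segment corridor (endpoints 2 and 3) in opposite directions.
MISSIONS = [(1, 2, 3, 4),   # trainX: 1 -> 2 -> 3 -> 4
            (5, 3, 2, 6)]   # trainY: 5 -> 3 -> 2 -> 6
# Region-A increments per train and mission index: +1 on entering the
# corridor, -1 on leaving it (same role as A0..A7 in the slides).
REGION_A = [(0, 1, 0, -1),
            (0, 1, 0, -1)]


def enabled_moves(state, missions, regions, limits):
    """Yield the successor state for every train whose guard holds."""
    progress, counters = state
    for t, mission in enumerate(missions):
        p = progress[t]
        if p + 1 >= len(mission):
            continue  # mission completed (the P0<6 bound in the slides)
        nxt = mission[p + 1]
        # Guard 1: next endpoint is free, T[t][P[t]+1] != T[i][P[i]] for i != t.
        if any(missions[i][progress[i]] == nxt
               for i in range(len(missions)) if i != t):
            continue
        # Guard 2: the move saturates no region, R + A[t][P[t]+1] <= L.
        new_counters = tuple(c + regions[r][t][p + 1]
                             for r, c in enumerate(counters))
        if any(c > lim for c, lim in zip(new_counters, limits)):
            continue
        # Action: advance the train and update every region counter.
        yield (progress[:t] + (p + 1,) + progress[t + 1:], new_counters)


def find_deadlocks(missions, regions, limits, initial_counters):
    """Breadth-first search of the reachable states.

    Returns (deadlocks, number_of_states); a deadlock is a state with no
    enabled move in which at least one train has not finished its mission.
    """
    start = (tuple(0 for _ in missions), tuple(initial_counters))
    seen, queue, deadlocks = {start}, deque([start]), []
    while queue:
        state = queue.popleft()
        successors = list(enabled_moves(state, missions, regions, limits))
        finished = all(p == len(m) - 1 for p, m in zip(state[0], missions))
        if not successors and not finished:
            deadlocks.append(state)
        for nxt in successors:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return deadlocks, len(seen)


if __name__ == "__main__":
    # Endpoint guard only: both trains enter the corridor and block each other.
    print(find_deadlocks(MISSIONS, [], [], []))
    # Region A limited to one train: the head-on state becomes unreachable.
    print(find_deadlocks(MISSIONS, [REGION_A], [1], [0]))
```

With the endpoint guard alone the search reports the head-on state (both trains at progress index 1) as a deadlock; adding the region counter removes that state from the reachable set.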

The encoding of the model: UMC
train0: s1 -> s1 {- [P0<6 & T0[P0+1] != T5[P5] & … & T0[P0+1] != T7[P7] &
    RA+A0[P0+1] <= LA & RB+B0[P0+1] <= LB] /
    P0 := P0+1; RA := RA+A0[P0]; RB := RB+B0[P0];
}
…
train7: s1 -> s1 {…}

The encoding of the model: SPIN
do
:: atomic { (P0<6 && T0[P0+1] != T1[P1] && … && T0[P0+1] != T7[P7] &&
     (RA+A0[P0+1])<=LA && (RB+B0[P0+1]<=LB) ) ->
     P0 = (P0+1); RA = RA+A0[P0]; RB = RB+B0[P0]; };
:: atomic { };
od;

The encoding of the model: CADP/LNT
loop
  select
    only if
      P0<6 and T0[P0+1] != T1[P1] and … and T0[P0+1] != T7[P7] and
      (RA+A0[P0+1])<=LA and (RB+B0[P0+1]<=LB)
    then
      MOVE (0 of Train_Number);
      P0 := (P0+1); RA := RA+A0[P0]; RB := RB+B0[P0];
    end if
  []
    only if
      …
  end select
end loop

The encoding of the model: ProB
OPERATIONS
move0 = PRE
    P0<6 & T0(P0+1) /= T1(P1) & … & T0(P0+1) /= T7(P7) &
    RA+A0(P0+1) <= LA & RB+B0(P0+1) <= LB
  THEN
    P0 := P0+1; RA := RA+A0(P0); RB := RB+B0(P0);
  END;
move1 = …

The encoding of the model: NuSMV / nuXmv
TRANS
RUNNING=0 ->
    P0<6 & T0[P0+1] != T1[P1] & … & T0[P0+1] != T7[P7] &
    (RA+A0[P0+1])<=LA & (RB+B0[P0+1])<=LB
  ? next(P0)=(P0+1) & next(P1)=P1 & … & next(P7)=P7 &
    next(RA)=RA+A0[P0]; next(RB)=RB+B0[P0];
  : next(P0)=P0 & ... & next(P7)=P7 & next(RA)=RA & next(RB)=RB
…
TRANS
RUNNING=7 ->

The encoding of the model: FDR4 / CSPm
AllTrains(P0, P1, P2, P3, P4, P5, P6, P7, RA, RB) =
  ( P0 < 6 and
    el(T0,P0+1) != el(T1,P1) and … and el(T0,P0+1) != el(T7,P7) and
    RA + el(A0,P0+1) <= LA and RB + el(B0,P0+1) <= LB
  ) & move0 ->
    AllTrains(P0+1,P1,P2,P3,P4,P5,P6,P7, RA+el(A0,P0+1), RB+el(B0,P0+1))
  []
  ( P1 < 6 and
    …

The encoding of the model: mCRL2
proc AllTrains(P0,P1,P2,P3,P4,P5,P6,P7: Nat, RA,RB: Int) =
  ( P0 < 6 &&
    T0(P0+1) != T1(P1) && … && T0(P0+1) != T7(P7) &&
    RA+A0(P0+1) <= LA && RB+B0(P0+1) <= LB
  ) & move(0) ->
    AllTrains(P0+1,P1,P2,P3,P4,P5,P6,P7, RA+A0(P0+1), RB+B0(P0+1))
  []
  ( P1 < 6 &&
    …

The encoding of the model: TLAplus
Move0 ==
  /\ P0 < 6
  /\ T0[P0+2] /= T1[P1+1] /\ … /\ T0[P0+2] /= T7[P7+1]
  /\ RA + A0[P0+2] <= LA /\ RB + B0[P0+2] <= LB
  /\ P0' = (P0+1)
  /\ RA' = RA+A0[P0+2] /\ RB' = RB+B0[P0+2]
  /\ UNCHANGED <<P1,P2,P3,P4,P5,P6,P7>>
Move1 == …
Next == Move0 \/ Move1 \/ Move2 \/ Move3 \/ Move4 \/ Move5 \/ Move6 \/ Move7

Considerations:
So what ????

Considerations:
Blackboard models / Event-Condition-Action models / Guard-Transition models can have a common reference baseline.
Diversity in tool selection / model encoding:
• more trustable verification results
• better exploitation of the verification features of multiple existing frameworks,
  e.g. Branching vs. Linear vs. Refinements vs. Compositional
  e.g. tool friendliness vs. ability to deal with very large models
  e.g. timed vs untimed

Further Works:
More frameworks taken into consideration:
Simulink / SCADE / SAL / UPPAAL / ….
More features compared:
Code Generation?
Report Generation?
Language Expressiveness
Time Related Aspects?
Probability?
Modularity
Simulation?
Model-based Testing?
Standard input format?
Import/Export
Maturity
Industrial Diffusion
Customer Support
Cost
Certification
Documentation

Official Formal Disclaimer:
The opinions and results discussed in this presentation reflect only the author’s view and the Shift2Rail Joint Undertaking is not responsible for any use that may be made of the presented information.
This work has received funding from the S2RJU under the European Union’s Horizon 2020 research and innovation programme under grant agreement No 777561.

THANK YOU!
CONTACTS
Franco Mazzanti, Senior Researcher
ISTI CNR, Via Moruzzi 1, Pisa, Italy
http://fmt.isti.cnr.it/~mazzanti
This project has received funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No 777561
Call identifier: H2020-S2RJU-2017
Topic: S2R-OC-IP2-01-2017 – Operational conditions of the signalling and automation systems; signalling system hazard analysis and GNSS SIS characterization along with Formal Method application in railway field

The incremental design/verification approach:
[Figure: flow diagram with the boxes and labels: Train Missions; Initial model (handling basic deadlocks); Model Checking; New deadlocks or false positives; New sections, counters, and updated missions; No more deadlocks or false positives; Validated ATS Data]