Franco Mazzanti ISTI CNR Pisa ItalyAlessio Ferrari ISTI CNR Pisa Italy
Giorgio O. Spagnolo ISTI CNR Pisa Italy
Forum Méthodes FormellesTolosa, 10 October 2017
Deadlock free dispatchingfor fleets of vehicles
Presentation
Tolosa, 10 October 2017Deadlock Free Dispatching … 2
Franco Mazzanti
http://fmt.isti.cnr.it/kandisti
yellow
blue >>
yellow >>
blue
red >>
green >>
green
red
Vicolo Corto
Via AccademiaBCA01
I
II
Piazza Università
I
II
BCA02Via Verdi
I
II
BCA03Piazza Dante
I
II
III
BCA05BCA04
I
II
I I
II
Vicolo Stretto
Via Marco PoloVia Roma
Viale dei Giardini
Parco della Vittoria
I
II
III I
II
III
IVViale Monterosa
5
7
8
10
11
12
15
16
1718
20
22
23
24
25
262728
29
3031
32
139641 3
2
31
25
23
201613
12
109
8
76
2728
29
30
32
5
43
2
1
26
24
2217
15
1811
Senior Researcher
http://fmt.isti.cnr.it
CONSIGLIO NAZIONALEDELLE RICERCHE
The original TRACE-IT goal:
Tolosa, 10 October 2017Presentation Title
Design an ATS (Automatic Train Supervision) System that:
- Controls the dispatching of a set trains on a railway layout- Handling a continuously running set of circular train missions- Preventing the occurrence of (partial) deadlocks.
4
Safety of the system is guaranteed by the ATP / Interlocking systems
What we have here is essentially a problem of (mission critical) liveness
The original case study
Tolosa, 10 October 2017Presentation Title
5
�We have a metro service: 8 trains providing circular services
[1,3,4,6,7,9,10,13,15,20,23,22,17,18,11,9,8,6,5,3,1][2,3,4,6,7,9,10,13,15,20,24,22,17,18,11,9,8,6,5,3,2]
[31,30,28,27,11,13,15,20,25,22,17,18,12,27,29,30,31]
[32,30,28,27,11,13,15,20,26,22,17,18,12,27,29,30,32]
yellow
blue >>
yellow >>
blue
red >>
green >>
green
red
Vicolo Corto
Via AccademiaBCA01
I
II
Piazza Università
I
II
BCA02Via Verdi
I
II
BCA03Piazza Dante
I
II
III
BCA05BCA04
I
II
I I
II
Vicolo Stretto
Via Marco PoloVia Roma
Viale dei Giardini
Parco della Vittoria
I
II
III I
II
III
IVViale Monterosa
5
7
8
10
11
12
15
16
1718
20
22
23
24
25
262728
29
3031
32
139641 3
2
31
25
23
201613
12
109
8
76
2728
29
30
32
5
43
2
1
26
24
2217
15
1811
4
Deadlock on basic sections
Tolosa, 10 October 2017Deadlock Free Dispatching … 14
Solution:No more than n-1 itineraries booked in any ring of lentgh n.
Deadlock on composite sections I
Tolosa, 10 October 2017Deadlock Free Dispatching … 20
Solution:No more than 3 itineraries bookedinside this section of size 5.
Deadlock on composite sections II
Tolosa, 10 October 2017Deadlock Free Dispatching … 27
Solution:No more than 5 itineraries booked inside this section of size 8
Tolosa, 10 October 2017Deadlock Free Dispatching … 28
[1 ,3, 4, 6, 7, 9, 10, 13, 15, 20 ,23, . . . ]
Extended missions
[(A++;AC++) 1, ([C<4];A--;C++) 3, 4, ([D<4];C--;AC--;D++) 6, 7, (D--) 9, . . .]
1 3
2
4
5
6 7
8
9 10
11
13
15
16
1718
20
22
23
24
25
12 262728
29
3031
32
A
B
C D
Discovering basic critical sections
Tolosa, 10 October 2017Deadlock Free Dispatching … 29
yellow
blue >>
yellow >>
blue
red >>
green >>
green
red
Vicolo Corto
Via AccademiaBCA01
I
II
Piazza Università
I
II
BCA02Via Verdi
I
II
BCA03Piazza Dante
I
II
III
BCA05BCA04
I
II
I I
II
Vicolo Stretto
Via Marco PoloVia Roma
Viale dei Giardini
Parco della Vittoria
I
II
III I
II
III
IVViale Monterosa
5
7
8
10
11
12
15
16
1718
20
22
23
24
25
262728
29
3031
32
139641 3
2
31
25
23
201613
12
109
8
76
2728
29
30
32
5
43
2
1
26
24
2217
15
1811
Basic critical sections (rings, bidirectional segments) can be discovered by an analysis of the possible missions.
Discovering composite critical sections
Tolosa, 10 October 2017Deadlock Free Dispatching … 30
We build a formal model of the system and use model checking techniquesto find all situations of deadlock in the composite sections.
B
1 3
2
4
5
6 7
8
9 10
11
13
15
16
1718
20
22
23
24
25
12 262728
29
3031
32
AC (max 3)A C D
The role of model checking
Tolosa, 10 October 2017Deadlock Free Dispatching … 31
Initial model(handling basic deadlocks)
Model Checking
New sections, counters,and updated missions
No more deadlocks or false positives
Newdeadlocks or
false positives
Validated ATS Data
Train Missions
The role of model checking
Tolosa, 10 October 2017Deadlock Free Dispatching … 32
In the TRACE-IT case study ATS data validation is done statically at configuration / reconfiguration time.
We have also experimented a dynamic automaticapproach using a custom ad hoc model checker.
System Decomposition
Tolosa, 10 October 2017Deadlock Free Dispatching … 33
Via AccademiaBCA01I
II
Piazza UniversitàI
II
BCA02Via Verdi
I
II
3
2 5
1
BCA0374 6 9
BCA03 Piazza DanteI
II
IIIBCA05
Via Marco PoloVia Roma
Viale dei Giardini
Parco della Vittoria
I
II
III I
II
III
IV
10
11
12
15
16
1718
20
22
23
24
25
2627
9
Vicolo Corto BCA05
BCA04
I
II
I I
II
Vicolo Stretto Viale Monterosa
2728
29
3031
32
8
13
References
Tolosa, 10 October 2017Deadlock Free Dispatching … 34
More details on the approach to deadlock avoidance:
Examples and comparisons of formal modelling and verification approaches using SPIN / SMV / UMC / MCRL2Mazzanti, F., Ferrari, A., Spagnolo, G.O. Experiments in Formal Modelling of a Deadlock Avoidance Algorithm for a CBTC SystemT. Margaria and B. Steffen (Eds) ISoLA 2016, Part II Lecture Notes in Computer Science - Volume 9953, 2016
Mazzanti, F., Spagnolo, G.O., Della Longa, S., Ferrari, A.Deadlock avoidance in train scheduling: A model checking approach9th International Conference on Formal Methods for Industrial Critical Systems, FMICS 2014;Lecture Notes in Computer Science - Volume 8718, 2014
Senior Researcher
Franco Mazzanti
THANK YOU!
ISTI CNR Via Moruzzi 1, Pisa , Italy
http://fmt.isti.cnr.it/~mazzanti
This project has received funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No 777561
Call identifier: H2020-S2RJU-2017Topic: S2R-OC-IP2-01-2017 – Operational conditions of the signalling and automation systems; signalling system hazard analysis and GNSS SIS characterization along with
Formal Method application in railway field
CONTACTS
Top Related