15-819/18-879: Logical Analysis of Hybrid Systems
18: European Train Control System Verification
André Platzer
[email protected]
Carnegie Mellon University, Pittsburgh, PA
0.8
1.0
0.2
0.4
0.6
0.5
0.4
0.3
0.2
0.1
André Platzer (CMU)
LAHS/18: ETCS Verification
1 / 18
Outline
1
Train Control
Separation Principle
Parametric ETCS
2
Parametric European Train Control System
Controllability
Reactivity
Refined Control
Safety
Liveness
3
Enhancements
4
Summary
André Platzer (CMU)
LAHS/18: ETCS Verification
1 / 18
Outline
1
Train Control
Separation Principle
Parametric ETCS
2
Parametric European Train Control System
Controllability
Reactivity
Refined Control
Safety
Liveness
3
Enhancements
4
Summary
André Platzer (CMU)
LAHS/18: ETCS Verification
1 / 18
Hybrid Systems Analysis: Train Control
Challenge
Hybrid Systems
Continuous dynamics
(differential equations)
Discrete dynamics
(control decisions)
a
2
1
1
2
3
-1
4
t
z
v
3.0
6
2.5
5
2.0
4
1.5
3
1.0
2
1
0.5
1
-2
André Platzer (CMU)
2
3
4
t
LAHS/18: ETCS Verification
1
2
3
4
t
2 / 18
Hybrid Systems Analysis: Train Control
Challenge
Hybrid Systems
Continuous dynamics
(differential equations)
Discrete dynamics
(control decisions)
1
More than computers:
André Platzer (CMU)
no NullPointerException 6⇒ safe
LAHS/18: ETCS Verification
2 / 18
Hybrid Systems Analysis: Train Control
Challenge
Hybrid Systems
Continuous dynamics
(differential equations)
Discrete dynamics
(control decisions)
1
More than computers:
2
More than physics:
André Platzer (CMU)
no NullPointerException 6⇒ safe
braking control v 2 ≤ 2b(m − z) 6⇒ safe
LAHS/18: ETCS Verification
2 / 18
Hybrid Systems Analysis: Train Control
Challenge
Hybrid Systems
Continuous dynamics
(differential equations)
Discrete dynamics
(control decisions)
1
More than computers:
2
More than physics:
3
Joint dynamics requires:
André Platzer (CMU)
no NullPointerException 6⇒ safe
braking control v 2 ≤ 2b(m − z) 6⇒ safe
v2
a 2 ε2
a
a
SB ≥
+
+ εv + ε2 + εv . . .
2b
2b
b
2
LAHS/18: ETCS Verification
2 / 18
Hybrid Systems Analysis: Train Control
Challenge
Hybrid Systems
Continuous dynamics
(differential equations)
Discrete dynamics
(control decisions)
v
0
z
André Platzer (CMU)
m
LAHS/18: ETCS Verification
2 / 18
Hybrid Systems Analysis: Train Control
Challenge
Hybrid Systems
Continuous dynamics
(differential equations)
Discrete dynamics
(control decisions)
v
0
z
André Platzer (CMU)
m
LAHS/18: ETCS Verification
2 / 18
Hybrid Systems Analysis: Train Control
Challenge
Hybrid Systems
Continuous dynamics
(differential equations)
Discrete dynamics
(control decisions)
v
0
z
André Platzer (CMU)
m
LAHS/18: ETCS Verification
2 / 18
Hybrid Systems Analysis: Train Control
Challenge
Hybrid Systems
Continuous dynamics
(differential equations)
Discrete dynamics
(control decisions)
v
0
z
André Platzer (CMU)
m
LAHS/18: ETCS Verification
2 / 18
Hybrid Systems Analysis: Train Control
Challenge
Hybrid Systems
Continuous dynamics
(differential equations)
Discrete dynamics
(control decisions)
v
0
z
André Platzer (CMU)
m
← SB →
LAHS/18: ETCS Verification
2 / 18
Hybrid Systems Analysis: Train Control
Challenge
Hybrid Systems
Continuous dynamics
(differential equations)
Discrete dynamics
(control decisions)
v
0
z
SB ≥
André Platzer (CMU)
m
← SB →
v2
2b
+
a 2 ε2
2b
a
a
+ εv + ε2 + εv
b
2
LAHS/18: ETCS Verification
2 / 18
European Train Control System
τ.p
Objectives
ST
SB
m.e
Overview
1
Collision free
1
No static partitioning of track
2
Maximise throughput &
velocity (300 km/h)
2
Radio Block Controller (RBC)
manages movement authorities
dynamically
3
Moving block principle
3
2.1 ∗ 106 passengers/day
André Platzer (CMU)
LAHS/18: ETCS Verification
3 / 18
European Train Control System
τ.p
ST
SB
m.e
Parametric Hybrid Systems
continuous evolution along differential equations + discrete change
m.e
MA
τ.pz
τ.v
v
André Platzer (CMU)
LAHS/18: ETCS Verification
t
3 / 18
European Train Control System
τ.p
ST
SB
m.e
Parametric Hybrid Systems
continuous evolution along differential equations + discrete change
m.e
MA
τ.pz
τ.v
v
André Platzer (CMU)
LAHS/18: ETCS Verification
t
3 / 18
European Train Control System
τ.p
ST
SB
m.e
Parametric Hybrid Systems
continuous evolution along differential equations + discrete change
m.e
MA
τ.pz
τ.v
v
André Platzer (CMU)
LAHS/18: ETCS Verification
t
3 / 18
Differential Dynamic Logic (dL)
τ.v
τ.p
m.e
Example
→[
Precondition
André Platzer (CMU)
](
Operation model
LAHS/18: ETCS Verification
)
Property
4 / 18
Differential Dynamic Logic (dL)
τ.v
τ.p
m.e
Example
τ.v 2 ≤ 2b(m.e − τ.p) → [
Precondition
André Platzer (CMU)
](τ.p ≤ m.e)
Operation model
LAHS/18: ETCS Verification
Property
4 / 18
Differential Dynamic Logic (dL)
τ.v
τ.p
m.e
Example
τ.v 2 ≤ 2b(m.e − τ.p) → [
Precondition
τ.p 0 = τ.v , τ.v 0 = τ.a](τ.p ≤ m.e)
Operation model
Property
Continuous evolution:
differential equation
André Platzer (CMU)
LAHS/18: ETCS Verification
4 / 18
Differential Dynamic Logic (dL)
τ.v
τ.p
m.e
Example
τ.v 2 ≤ 2b(m.e − τ.p) → [τ.a := ∗;
Precondition
τ.p 0 = τ.v , τ.v 0 = τ.a](τ.p ≤ m.e)
Operation model
Property
Random assignment
André Platzer (CMU)
LAHS/18: ETCS Verification
4 / 18
Differential Dynamic Logic (dL)
τ.v
τ.p
m.e
Example
τ.v 2 ≤ 2b(m.e − τ.p) → [τ.a := ∗; ?τ.a ≤ −b; τ.p 0 = τ.v , τ.v 0 = τ.a](τ.p ≤ m.e)
Precondition
Operation model
Property
Test
André Platzer (CMU)
LAHS/18: ETCS Verification
4 / 18
3D Movement Authorities
τ.v
τ.p
Vectorial MA m = (d, e, r ):
Beyond point m.e train not faster than m.d.
Train should try to keep recommended speed m.r
André Platzer (CMU)
LAHS/18: ETCS Verification
5 / 18
3D Movement Authorities
τ.v
m.r
τ.p
Vectorial MA m = (d, e, r ):
Beyond point m.e train not faster than m.d.
Train should try to keep recommended speed m.r
André Platzer (CMU)
LAHS/18: ETCS Verification
5 / 18
3D Movement Authorities
τ.v
m.r
m1 .d
τ.p
m1 .e
Vectorial MA m = (d, e, r ):
Beyond point m.e train not faster than m.d.
Train should try to keep recommended speed m.r
André Platzer (CMU)
LAHS/18: ETCS Verification
5 / 18
3D Movement Authorities
τ.v
m.r
m1 .d
τ.p
m1 .e
Vectorial MA m = (d, e, r ):
Beyond point m.e train not faster than m.d.
Train should try to keep recommended speed m.r
André Platzer (CMU)
LAHS/18: ETCS Verification
5 / 18
3D Movement Authorities
τ.v
m.r
m2 .d
m2 .e
τ.p
Vectorial MA m = (d, e, r ):
Beyond point m.e train not faster than m.d.
Train should try to keep recommended speed m.r
André Platzer (CMU)
LAHS/18: ETCS Verification
5 / 18
3D Movement Authorities
τ.v
m.r
m2 .d
m2 .e
τ.p
Vectorial MA m = (d, e, r ):
Beyond point m.e train not faster than m.d.
Train should try to keep recommended speed m.r
André Platzer (CMU)
LAHS/18: ETCS Verification
5 / 18
3D Movement Authorities
τ.v
m3 .d
m.r
τ.p
m3 .e
Vectorial MA m = (d, e, r ):
Beyond point m.e train not faster than m.d.
Train should try to keep recommended speed m.r
André Platzer (CMU)
LAHS/18: ETCS Verification
5 / 18
3D Movement Authorities
τ.v
m3 .d
m.r
τ.p
m3 .e
Vectorial MA m = (d, e, r ):
Beyond point m.e train not faster than m.d.
Train should try to keep recommended speed m.r
André Platzer (CMU)
LAHS/18: ETCS Verification
5 / 18
Separation Principle
Lemma (Principle of separation by movement authorities)
Each train respects its movement authority and
the RBC partitions into disjoint movement authorities
⇒ trains can never collide.
τ.p
André Platzer (CMU)
ST
SB
LAHS/18: ETCS Verification
m.e
6 / 18
Separation Principle
Lemma (Principle of separation by movement authorities)
Each train respects its movement authority and
the RBC partitions into disjoint movement authorities
⇒ trains can never collide.
Proof.
André Platzer (CMU)
LAHS/18: ETCS Verification
6 / 18
Separation Principle
Lemma (Principle of separation by movement authorities)
Each train respects its movement authority and
the RBC partitions into disjoint movement authorities
⇒ trains can never collide.
Proof.
To simplify notation, assume trains are points.
André Platzer (CMU)
LAHS/18: ETCS Verification
6 / 18
Separation Principle
Lemma (Principle of separation by movement authorities)
Each train respects its movement authority and
the RBC partitions into disjoint movement authorities
⇒ trains can never collide.
Proof.
To simplify notation, assume trains are points.
Consider any point in time ζ.
André Platzer (CMU)
LAHS/18: ETCS Verification
6 / 18
Separation Principle
Lemma (Principle of separation by movement authorities)
Each train respects its movement authority and
the RBC partitions into disjoint movement authorities
⇒ trains can never collide.
Proof.
To simplify notation, assume trains are points.
Consider any point in time ζ.
For n ∈ N, let z1 , . . . , zn be positions of all the trains 1 to n at ζ.
André Platzer (CMU)
LAHS/18: ETCS Verification
6 / 18
Separation Principle
Lemma (Principle of separation by movement authorities)
Each train respects its movement authority and
the RBC partitions into disjoint movement authorities
⇒ trains can never collide.
Proof.
To simplify notation, assume trains are points.
Consider any point in time ζ.
For n ∈ N, let z1 , . . . , zn be positions of all the trains 1 to n at ζ.
Let Mi be the MA-range, i.e., the set of positions on the track for
which train i has currently been issued MA.
André Platzer (CMU)
LAHS/18: ETCS Verification
6 / 18
Separation Principle
Lemma (Principle of separation by movement authorities)
Each train respects its movement authority and
the RBC partitions into disjoint movement authorities
⇒ trains can never collide.
Proof.
To simplify notation, assume trains are points.
Consider any point in time ζ.
For n ∈ N, let z1 , . . . , zn be positions of all the trains 1 to n at ζ.
Let Mi be the MA-range, i.e., the set of positions on the track for
which train i has currently been issued MA.
Suppose there was a collision at time ζ.
André Platzer (CMU)
LAHS/18: ETCS Verification
6 / 18
Separation Principle
Lemma (Principle of separation by movement authorities)
Each train respects its movement authority and
the RBC partitions into disjoint movement authorities
⇒ trains can never collide.
Proof.
To simplify notation, assume trains are points.
Consider any point in time ζ.
For n ∈ N, let z1 , . . . , zn be positions of all the trains 1 to n at ζ.
Let Mi be the MA-range, i.e., the set of positions on the track for
which train i has currently been issued MA.
Suppose there was a collision at time ζ.
Then zi = zj at ζ for some i, j ∈ N.
André Platzer (CMU)
LAHS/18: ETCS Verification
6 / 18
Separation Principle
Lemma (Principle of separation by movement authorities)
Each train respects its movement authority and
the RBC partitions into disjoint movement authorities
⇒ trains can never collide.
Proof.
To simplify notation, assume trains are points.
Consider any point in time ζ.
For n ∈ N, let z1 , . . . , zn be positions of all the trains 1 to n at ζ.
Let Mi be the MA-range, i.e., the set of positions on the track for
which train i has currently been issued MA.
Suppose there was a collision at time ζ.
Then zi = zj at ζ for some i, j ∈ N.
However, by assumption, zi ∈ Mi and zj ∈ Mj at ζ, thus Mi ∩ Mj 6= ∅,
André Platzer (CMU)
LAHS/18: ETCS Verification
6 / 18
Separation Principle
Lemma (Principle of separation by movement authorities)
Each train respects its movement authority and
the RBC partitions into disjoint movement authorities
⇒ trains can never collide.
Proof.
To simplify notation, assume trains are points.
Consider any point in time ζ.
For n ∈ N, let z1 , . . . , zn be positions of all the trains 1 to n at ζ.
Let Mi be the MA-range, i.e., the set of positions on the track for
which train i has currently been issued MA.
Suppose there was a collision at time ζ.
Then zi = zj at ζ for some i, j ∈ N.
However, by assumption, zi ∈ Mi and zj ∈ Mj at ζ, thus Mi ∩ Mj 6= ∅,
This contradicts the assumption of disjoint MA.
André Platzer (CMU)
LAHS/18: ETCS Verification
6 / 18
Model/State Variables
Train τ :
RBC + MA:
τ.v Position
m.e End of Authority
τ.v Speed
m.d Speed limit
τ.a Acceleration
m.r Recommended speed
(t model time)
rbc.message Channel
Parameters:
SB Start Braking
ST Start Talking
b Braking power/deceleration
a Maximum acceleration
ε Maximum cycle time
∆ Maximum expected
communication delay
André Platzer (CMU)
LAHS/18: ETCS Verification
7 / 18
Parametric Skeleton of ETCS
Read from the informal specification. . .
ETCSskel : (train ∪ rbc)∗
train
: spd; atp; drive
spd
: (?τ.v ≤ m.r ; τ.a := ∗; ? − b ≤ τ.a ≤ a)
∪(?τ.v ≥ m.r ; τ.a := ∗; ? − b ≤ τ.a ≤ 0)
atp
: if(m.e − τ.p ≤ SB ∨ rbc.message = emergency) τ.a := −b
drive
: t := 0; (τ.p 0 = τ.v , τ.v 0 = τ.a, t 0 = 1 ∧ τ.v ≥ 0 ∧ t ≤ ε)
rbc
: (rbc.message := emergency) ∪ (m := ∗; ?m.r > 0)
André Platzer (CMU)
LAHS/18: ETCS Verification
8 / 18
Parametric Skeleton of ETCS
As transition system. . .
m0 := m
m := ∗
τ.p 0 = τ.v ,
τ.v 0 = τ.a, t 0 = 1
τ.v ≥ 0 ∧ t ≤ ε
rbc.message := emergency
t := 0
τ.a := −b
?τ.v ≤ m.r
τ.a := ∗
? − b ≤ τ.a ≤ A
?(m.e − τ.p ≤ SB∨
rbc.message = emergency )
?τ.v ≥ m.r
André Platzer (CMU)
τ.a := ∗
?0 > τ.a ≥ −b
LAHS/18: ETCS Verification
?m.e − τ.p ≥ SB∧
rbc.message 6= emergency )
8 / 18
Parametric Skeleton of ETCS
ETCSskel : (train ∪ rbc)∗
train
: spd; atp; drive
spd
: (?τ.v ≤ m.r ; τ.a := ∗; ? − b ≤ τ.a ≤ a)
∪(?τ.v ≥ m.r ; τ.a := ∗; ? − b ≤ τ.a ≤ 0)
atp
: if(m.e − τ.p ≤ SB ∨ rbc.message = emergency) τ.a := −b
drive
: t := 0; (τ.p 0 = τ.v , τ.v 0 = τ.a, t 0 = 1 ∧ τ.v ≥ 0 ∧ t ≤ ε)
rbc
: (rbc.message := emergency) ∪ (m := ∗; ?m.r > 0)
Example (Taks)
Verify safety
André Platzer (CMU)
LAHS/18: ETCS Verification
8 / 18
Parametric Skeleton of ETCS
ETCSskel : (train ∪ rbc)∗
train
: spd; atp; drive
spd
: (?τ.v ≤ m.r ; τ.a := ∗; ? − b ≤ τ.a ≤ a)
∪(?τ.v ≥ m.r ; τ.a := ∗; ? − b ≤ τ.a ≤ 0)
atp
: if(m.e − τ.p ≤ SB ∨ rbc.message = emergency) τ.a := −b
drive
: t := 0; (τ.p 0 = τ.v , τ.v 0 = τ.a, t 0 = 1 ∧ τ.v ≥ 0 ∧ t ≤ ε)
rbc
: (rbc.message := emergency) ∪ (m := ∗; ?m.r > 0)
Example (Taks)
Verify safety
Specification
[ETCSskel ](τ.p ≥ m.e → τ.v ≤ m.d)
André Platzer (CMU)
LAHS/18: ETCS Verification
8 / 18
Parametric Skeleton of ETCS
ETCSskel : (train ∪ rbc)∗
train
: spd; atp; drive
spd
: (?τ.v ≤ m.r ; τ.a := ∗; ? − b ≤ τ.a ≤ a)
∪(?τ.v ≥ m.r ; τ.a := ∗; ? − b ≤ τ.a ≤ 0)
atp
: if(m.e − τ.p ≤ SB ∨ rbc.message = emergency) τ.a := −b
drive
: t := 0; (τ.p 0 = τ.v , τ.v 0 = τ.a, t 0 = 1 ∧ τ.v ≥ 0 ∧ t ≤ ε)
rbc
: (rbc.message := emergency) ∪ (m := ∗; ?m.r > 0)
Example (Taks)
Verify safety
Specification
[ETCSskel ](τ.p ≥ m.e → τ.v ≤ m.d)
Issue
Lots of counterexamples!
André Platzer (CMU)
LAHS/18: ETCS Verification
8 / 18
Iterative Control Refinement Process
τ.v
τ.p
m.e
m.d
André Platzer (CMU)
LAHS/18: ETCS Verification
9 / 18
Iterative Control Refinement Process
τ.v
τ.p
m.e
m.d
1
Controllability discovery
André Platzer (CMU)
LAHS/18: ETCS Verification
9 / 18
Iterative Control Refinement Process
τ.v
τ.p
m.e
m.d
1
Controllability discovery
André Platzer (CMU)
LAHS/18: ETCS Verification
9 / 18
Iterative Control Refinement Process
τ.v
τ.p
m.e
m.d
1
Controllability discovery
André Platzer (CMU)
LAHS/18: ETCS Verification
9 / 18
Iterative Control Refinement Process
τ.v
τ.p
m.e
m.d
SB
1
Controllability discovery
2
Control refinement
André Platzer (CMU)
LAHS/18: ETCS Verification
9 / 18
Iterative Control Refinement Process
τ.v
τ.p
m.e
m.d
SB
1
Controllability discovery
2
Control refinement
André Platzer (CMU)
LAHS/18: ETCS Verification
9 / 18
Iterative Control Refinement Process
τ.v
τ.p
m.e
m.d
SB
1
Controllability discovery
2
Control refinement
André Platzer (CMU)
LAHS/18: ETCS Verification
9 / 18
Iterative Control Refinement Process
τ.v
Reaction time ε
τ.p
m.e
m.d
SB
1
Controllability discovery
2
Control refinement
André Platzer (CMU)
LAHS/18: ETCS Verification
9 / 18
Iterative Control Refinement Process
τ.v
τ.p
m.e
m.d
SB
1
Controllability discovery
2
Control refinement
3
Repeat
2
until safety can be proven
André Platzer (CMU)
LAHS/18: ETCS Verification
9 / 18
Iterative Control Refinement Process
τ.v
τ.p
m.e
m.d
SB
1
Controllability discovery
2
Control refinement
3
Repeat
4
Liveness check
2
until safety can be proven
André Platzer (CMU)
LAHS/18: ETCS Verification
9 / 18
Outline
1
Train Control
Separation Principle
Parametric ETCS
2
Parametric European Train Control System
Controllability
Reactivity
Refined Control
Safety
Liveness
3
Enhancements
4
Summary
André Platzer (CMU)
LAHS/18: ETCS Verification
9 / 18
ETCS Controllability
τ.v
τ.v 2 − m.d 2 ≤ 2b(m.e − τ.p)
τ.p
m.e
m.d
Proposition (Controllability)
[τ.p 0 = τ.v , τ.v 0 = −b ∧ τ.v ≥ 0](τ.p ≥ m.e → τ.v ≤ m.d)
≡ τ.v 2 − m.d 2 ≤ 2b(m.e − τ.p)
André Platzer (CMU)
LAHS/18: ETCS Verification
(C)
10 / 18
ETCS RBC Controllability
X
NEW EOA
NEW EOA
X
EOA
NEW EOA
Proposition (RBC Controllability)
m.d ≥ 0 ∧ b > 0 → [m0 := m; rbc]
m0 .d 2 − m.d 2 ≤ 2b(m.e − m0 .e) ∧ m0 .d ≥ 0 ∧ m.d ≥ 0 ↔
∀τ (hm := m0 iC) → C
André Platzer (CMU)
LAHS/18: ETCS Verification
11 / 18
ETCS Reactivity
τ.v
Reaction time ε
τ.p
m.e
m.d
SB
Proposition (Reactivity)
∀m.e ∀τ.p m.e − τ.p ≥ SB ∧ C → [τ.a := a; drive] C
a
τ.v 2 − m.d 2 a
≡ SB ≥
+
+1
ε2 + ε τ.v
2b
b
2
André Platzer (CMU)
LAHS/18: ETCS Verification
12 / 18
Refined ETCS Control
ETCSr : (train ∪ rbc)∗
train : spd; atp; drive
spd : (?τ.v ≤ m.r ; τ.a := ∗; ? − b ≤ τ.a ≤ A)
∪(?τ.v ≥ m.r ; τ.a := ∗; ?0 > τ.a ≥ −b)
a 2
2
2
a
+
+
1
ε
+
ε
τ.v
atp : SB := τ.v −m.d
;
2b
b
2
: if(m.e − τ.p ≤ SB ∨ rbc.message = emergency) τ.a := −b
drive : t := 0; (τ.p 0 = τ.v , τ.v 0 = τ.a, t 0 = 1 ∧ τ.v ≥ 0 ∧ t ≤ ε)
rbc : (rbc.message := emergency )
∪ m0 := m; m := ∗;
?m0 .d 2 − m.d 2 ≤ 2b(m.e − m0 .e) ∧ m.r ≥ 0 ∧ m.d ≥ 0
André Platzer (CMU)
LAHS/18: ETCS Verification
13 / 18
Refined ETCS Control
ETCSr : (train ∪ rbc)∗
train : spd; atp; drive
spd : (?τ.v ≤ m.r ; τ.a := ∗; ? − b ≤ τ.a ≤ A)
∪(?τ.v ≥ m.r ; τ.a := ∗; ?0 > τ.a ≥ −b)
a 2
2
2
a
+
+
1
ε
+
ε
τ.v
atp : SB := τ.v −m.d
;
2b
b
2
: if(m.e − τ.p ≤ SB ∨ rbc.message = emergency) τ.a := −b
drive : t := 0; (τ.p 0 = τ.v , τ.v 0 = τ.a, t 0 = 1 ∧ τ.v ≥ 0 ∧ t ≤ ε)
rbc : (rbc.message := emergency )
∪ m0 := m; m := ∗;
?m0 .d 2 − m.d 2 ≤ 2b(m.e − m0 .e) ∧ m.r ≥ 0 ∧ m.d ≥ 0
Specification
τ.v 2 − m.d 2 ≤ 2b(m.e − τ.p) → [ETCSr ](τ.p ≥ m.e → τ.v ≤ m.d)
André Platzer (CMU)
LAHS/18: ETCS Verification
13 / 18
Refined ETCS Control
ETCSr : (train ∪ rbc)∗
Necessary for safety
train : spd; atp; drive
spd : (?τ.v ≤ m.r ; τ.a := ∗; ? − b ≤ τ.a ≤ A)
∪(?τ.v ≥ m.r ; τ.a := ∗; ?0 > τ.a ≥ −b)
a 2
2
2
a
+
+
1
ε
+
ε
τ.v
atp : SB := τ.v −m.d
;
2b
b
2
: if(m.e − τ.p ≤ SB ∨ rbc.message = emergency) τ.a := −b
drive : t := 0; (τ.p 0 = τ.v , τ.v 0 = τ.a, t 0 = 1 ∧ τ.v ≥ 0 ∧ t ≤ ε)
rbc : (rbc.message := emergency )
∪ m0 := m; m := ∗;
?m0 .d 2 − m.d 2 ≤ 2b(m.e − m0 .e) ∧ m.r ≥ 0 ∧ m.d ≥ 0
Specification
τ.v 2 − m.d 2 ≤ 2b(m.e − τ.p) → [ETCSr ](τ.p ≥ m.e → τ.v ≤ m.d)
André Platzer (CMU)
LAHS/18: ETCS Verification
13 / 18
ETCS Safety
EOA
Proposition (Safety)
C→
[ETCS](τ.p ≥ m.e → τ.v ≤ m.d)
André Platzer (CMU)
LAHS/18: ETCS Verification
14 / 18
ETCS Liveness
EOA
NEW EOA
NEW EOA
Proposition (Liveness)
τ.v ≥ 0 ∧ ε > 0 → ∀P hETCSr i τ.p ≥ P
André Platzer (CMU)
LAHS/18: ETCS Verification
15 / 18
Outline
1
Train Control
Separation Principle
Parametric ETCS
2
Parametric European Train Control System
Controllability
Reactivity
Refined Control
Safety
Liveness
3
Enhancements
4
Summary
André Platzer (CMU)
LAHS/18: ETCS Verification
15 / 18
Safety Despite Disturbances
So far: no wind, friction, etc.
Direct control of the acceleration
André Platzer (CMU)
LAHS/18: ETCS Verification
16 / 18
Safety Despite Disturbances
So far: no wind, friction, etc.
Issue
Direct control of the acceleration
This is unrealistic!
André Platzer (CMU)
LAHS/18: ETCS Verification
16 / 18
Safety Despite Disturbances
So far: no wind, friction, etc.
Issue
Direct control of the acceleration
This is unrealistic!
Solution Take disturbances into account.
Theorem
ETCS is controllable, reactive, and safe in the presence of disturbances.
André Platzer (CMU)
LAHS/18: ETCS Verification
16 / 18
Safety Despite Disturbances
So far: no wind, friction, etc.
Issue
Direct control of the acceleration
This is unrealistic!
Solution Take disturbances into account.
Theorem
ETCS is controllable, reactive, and safe in the presence of disturbances.
τ.v
τ.p
m.e
m.d
André Platzer (CMU)
LAHS/18: ETCS Verification
16 / 18
Safety Despite Disturbances
So far: no wind, friction, etc.
Issue
Direct control of the acceleration
This is unrealistic!
Solution Take disturbances into account.
Theorem
ETCS is controllable, reactive, and safe in the presence of disturbances.
Proof sketch
The system now contains τ.a − l ≤ τ.v 0 ≤ τ.a + u instead of τ.v 0 = τ.a.
; We cannot solve the differential equations anymore.
; Use differential invariants for approximation. For details see later.
Platzer, A.:
Differential-algebraic dynamic logic for differential-algebraic programs.
J. Log. Comput. 20(1) (2010) DOI 10.1093/logcom/exn070.
André Platzer (CMU)
LAHS/18: ETCS Verification
16 / 18
Realistic Speed Control
So far
Almost completely non-deterministic control.
André Platzer (CMU)
LAHS/18: ETCS Verification
17 / 18
Realistic Speed Control
So far
Issue
Almost completely non-deterministic control.
This is unrealistic!
André Platzer (CMU)
LAHS/18: ETCS Verification
17 / 18
Realistic Speed Control
So far
Issue
Almost completely non-deterministic control.
This is unrealistic!
Solution
Verify proportional-integral (PI) controllers used in trains.
Controller
Truncate
v0−v
v0−v
a
In
−7
Step
PI Output
−b
min
9
1
s
Out1
max
Plant
Speed
A
Acceleration
André Platzer (CMU)
LAHS/18: ETCS Verification
17 / 18
Realistic Speed Control
So far
Issue
Almost completely non-deterministic control.
This is unrealistic!
Solution
Verify proportional-integral (PI) controllers used in trains.
Controller
Truncate
v0−v
v0−v
a
In
−7
Step
−b
PI Output
min
9
1
s
Out1
max
Plant
Speed
A
Acceleration
K*u
[1.679 0.0008; 1 0]*u
1
v0−v
min
K*u
1
a
[0.1995 0.000024; 1 0]*u
s
André Platzer (CMU)
1
s
LAHS/18: ETCS Verification
17 / 18
Realistic Speed Control
So far
Issue
Almost completely non-deterministic control.
This is unrealistic!
Solution
Verify proportional-integral (PI) controllers used in trains.
Controller
Truncate
a
v0−v
v0−v
In
−7
Step
−b
PI Output
min
9
1
s
Out1
max
Plant
Speed
A
Acceleration
1
v0−v
1
a
K*u
s
1
s
Differential equation system
τ.v 0 = min a, max −b, `(τ.v − m.r ) − i s − c m.r ∧ s 0 = τ.v − m.r
André Platzer (CMU)
LAHS/18: ETCS Verification
17 / 18
Realistic Speed Control
So far
Issue
Almost completely non-deterministic control.
This is unrealistic!
Solution
Verify proportional-integral (PI) controllers used in trains.
Theorem
The ETCS system remains safe when speed is controlled by a PI controller.
Proof sketch
Cannot solve differential equations really. Use differential invariants! For details
see later.
Platzer, A.:
Differential-algebraic dynamic logic for differential-algebraic programs.
J. Log. Comput. 20(1) (2010) DOI 10.1093/logcom/exn070.
André Platzer (CMU)
LAHS/18: ETCS Verification
17 / 18
Outline
1
Train Control
Separation Principle
Parametric ETCS
2
Parametric European Train Control System
Controllability
Reactivity
Refined Control
Safety
Liveness
3
Enhancements
4
Summary
André Platzer (CMU)
LAHS/18: ETCS Verification
17 / 18
Summary
τ.p
ST
SB
m.e
Formally verified a major case study with KeYmaera:
discovered necessary
safety constraints
controllability, reactivity,
safety and liveness
properties
Extensions for ETCS
with disturbances and
for ETCS with PI control
André Platzer (CMU)
LAHS/18: ETCS Verification
18 / 18