A formal refinement-based analysis of the hybrid ERTMS/ETCS level 3 standard

This paper presents a formal model of the case study proposed for the ABZ2018 conference, which concerns the Hybrid ERTMS/ETCS Level 3 Standard. This standard allows trains to communicate with a train supervisor to report their integrity and positions, thanks to an onboard train integrity monitoring...

Full description

Saved in:
Bibliographic Details
Published in:International journal on software tools for technology transfer 2020-06, Vol.22 (3), p.333-347
Main Authors: Mammar, Amel, Frappier, Marc, Tueno Fotso, Steve Jeffrey, Laleau, RĂ©gine
Format: Article
Language:English
Subjects:
Abz 2018
Computer Science
Integrity
Railway tracks
Software Engineering
Software Engineering/Programming and Operating Systems
State machines
Supervisors
Theory of Computation
Timing devices
Traffic control
Traffic signals
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:This paper presents a formal model of the case study proposed for the ABZ2018 conference, which concerns the Hybrid ERTMS/ETCS Level 3 Standard. This standard allows trains to communicate with a train supervisor to report their integrity and positions, thanks to an onboard train integrity monitoring system. The supervisor assigns trains a movement authority to control traffic and to avoid collisions. The standard also provides for trains that cannot communicate with the supervisor; these trains are detected by sensors on tracks and obey traffic signals set by the supervisor along the trackside. Using communication allows for a finer grain control of the tracks. Our model is derived using stepwise refinement with the Event-B method. We take into account the main features of the case study (VSS management, timers, ERTMS and non-ERTMS trains). Our model is decomposed into four refinements. All proof obligations have been discharged using the Rodin provers, except those related to the computation of the VSS state machine, which was found to be ambiguous (nondeterministic). Our model has been validated using ProB . The main safety property, which is that ERTMS trains do not collide, is proved. Our model focuses on the discrete control logic aspects of the case study.
ISSN:1433-2779
1433-2787
DOI:10.1007/s10009-019-00543-1