Formal verification of safety communication protocol for ETCS
Chen Lijie
08.06.2011
Outline:
Introduction
Safety communication protocol in ETCS
CPN model of safety communication protocol
Formal verification of protocol
Conclusions
08.06.2011 | M. Eng. Chen Lijie | Formal verification of safety communication protocol for ETCS | Slide 2
Introduction: necessity of verification
Development steps: user requirement, system design, verification, conformance test.
Verification gives certainty about satisfaction of a required property.
“Jae-Dong Lee. Verification and conformance test generation of communication protocol for railway signalling systems. Computer Standards & Interfaces”
Introduction: necessity to apply Petri nets for verification
A communication system can be represented by a Petri net.
Petri nets can be applied to the verification of safety-critical systems.
ASK-CTL in CPN Tools is a common method for model checking.
Safety communication protocol for ETCS: importance of safety for a communication system
Example: the train ahead stops. If the following train does not receive the command that it should stop, it will keep running and collide with the train ahead.
Safety communication protocol for ETCS: structure of the communication system in ETCS (ETCS SUBSET 037)
A safety-related transmission function has to be added on top of the non-trusted channel.
EURORADIO (the communication system in ETCS) can be described as three layers:
Application layer
Safety layer
Channel
Safety-related transmission functions: establish safety connection, transmit any message, process data.
The safety communication protocol is executed in the safety layer and functions as a safety-related transmission system.
CPN model of safety communication protocol: general model of the communication system
[Figure: general CPN model of the communication system, after ETCS Specification subset 037]
CPN model of safety communication protocol: CPN model of the safety logic in the protocol
[Figure: CPN model of the safety logic, after ETCS Specification subset 037]
Formal verification of protocol
Verification of domain-independent properties (boundedness, liveness): properties that do not depend on domain knowledge, i.e. the basic properties any Petri net model should satisfy.
Verification of the domain-related property (safety): a property that depends on domain knowledge, i.e. the property the safety communication protocol should satisfy.
Verification of boundedness: basic definitions in Petri nets
Definition 1. A Petri net is a tuple $PN = (S, T; F, M_0)$. $S$ is a finite set of places, $T$ is a finite set of transitions, $F$ is a finite set of arcs connecting $S$ and $T$, and $M_0$ is the initial marking. $R(M_0)$ is the finite set of all markings reachable from $M_0$. A place $s$ is bounded if $\exists B > 0 \;\forall M \in R(M_0): M(s) \le B$. If every $s \in S$ is bounded, $PN$ is bounded.
Definition 2. The net structure of $PN$ can be denoted by a matrix $A$:
$$A = [a_{ij}],\quad a_{ij} = a_{ij}^{+} - a_{ij}^{-},\quad a_{ij}^{+} = \begin{cases} 1, & (t_i, p_j) \in F \\ 0, & \text{otherwise} \end{cases},\quad a_{ij}^{-} = \begin{cases} 1, & (p_j, t_i) \in F \\ 0, & \text{otherwise} \end{cases}$$
$A$ is called the incidence matrix of $PN$.
Definition 3. If $\exists Y: AY = 0$ with $y \ge 0$ for all $y \in Y$, then $Y$ is an S-invariant of $PN$.
Verification of boundedness: theorem for verification of boundedness
Theorem. Let $n$ be the number of S-invariants $Y_i$, $1 \le i \le n$. $PN$ is bounded iff $\sum_{i=1}^{n} Y_i > 0$ (in every component).
Proof. Let $Y_n = \sum_{i=1}^{n} Y_i$; then $A Y_n = 0$. For every $M_0$ and every $M \in R(M_0)$ there is an $X \ge 0$ with $M = M_0 + A^{T} X$, so
$$M^{T} = (M_0 + A^{T} X)^{T} = M_0^{T} + X^{T} A,\qquad M^{T} Y_n = M_0^{T} Y_n + X^{T} A Y_n.$$
Since $X^{T} \ge 0$ and $A Y_n = 0$, $X^{T} A Y_n = 0$, and therefore $M^{T} Y_n = M_0^{T} Y_n$, i.e.
$$\sum_{k=1}^{m} M(s_k)\, Y_n(k) = \sum_{j=1}^{m} M_0(s_j)\, Y_n(j).$$
All terms on the left are non-negative, so $M(s_k)\, Y_n(k) \le \sum_{j=1}^{m} M_0(s_j)\, Y_n(j)$ for $k = 1, 2, \dots, m$. Namely, because $Y_n(k) > 0$,
$$M(s_k) \le \frac{\sum_{j=1}^{m} M_0(s_j)\, Y_n(j)}{Y_n(k)},\qquad k = 1, 2, \dots, m,$$
so every place is bounded.
Verification of boundedness: low level Petri net model of the protocol
[Figure: low level Petri net model of the protocol]
S-invariants of the model:
$Y_1 = [1, 1, 1, 1, 0]^T$
$Y_2 = [0, 0, 0, 0, 1]^T$
$Y_n = Y_1 + Y_2 = [1, 1, 1, 1, 1]^T > 0$, so the protocol model is bounded.
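The following is an added example, not code from the slides: a small constructed Petri net of one safety-connection cycle (place and transition names are assumptions) on which Definition 2, Definition 3 and the theorem above are carried out; its S-invariants are the same vectors the deck reports, Y1 = [1,1,1,1,0]^T and Y2 = [0,0,0,0,1]^T.

```python
# Added example, not from the deck: a constructed net of one safety-connection cycle
# whose S-invariants are the vectors the slides report, Y1 = [1,1,1,1,0]^T, Y2 = [0,0,0,0,1]^T.
PLACES = ("disconnected", "connecting", "connected", "transmitting", "channel")
# transition -> (tokens consumed, tokens produced); "channel" is a resource place
# that "establish" reads through a self-loop, so no transition moves its token.
TRANSITIONS = {
    "request":   ({"disconnected": 1}, {"connecting": 1}),
    "establish": ({"connecting": 1, "channel": 1}, {"connected": 1, "channel": 1}),
    "send":      ({"connected": 1}, {"transmitting": 1}),
    "release":   ({"transmitting": 1}, {"disconnected": 1}),
}
M0 = (1, 0, 0, 0, 1)   # constructed initial marking: disconnected, channel available

def incidence_matrix(transitions=TRANSITIONS):
    """Definition 2: row i is transition t_i, A[i][j] = a_ij^+ - a_ij^- for place p_j."""
    return [[post.get(p, 0) - pre.get(p, 0) for p in PLACES]
            for pre, post in transitions.values()]

def is_s_invariant(A, Y):
    """Definition 3: Y >= 0 componentwise and A Y = 0."""
    return all(y >= 0 for y in Y) and all(
        sum(a * y for a, y in zip(row, Y)) == 0 for row in A)

def bound_from_invariants(A, invariants, m0):
    """Theorem: with Yn = sum of the S-invariants and Yn > 0 in every component,
    M(s_k) <= (sum_j M0(s_j) Yn(j)) / Yn(k) for every reachable M. Returns the
    per-place bounds (floored, markings are integers), or None if the given
    invariants do not prove boundedness."""
    if not all(is_s_invariant(A, Y) for Y in invariants):
        return None
    Yn = [sum(col) for col in zip(*invariants)]
    if any(y <= 0 for y in Yn):
        return None                  # a place with zero weight is not covered
    weight = sum(m * y for m, y in zip(m0, Yn))   # M0^T Yn, conserved by every firing
    return [weight // y for y in Yn]

if __name__ == "__main__":
    A = incidence_matrix()
    Y1, Y2 = (1, 1, 1, 1, 0), (0, 0, 0, 0, 1)
    print("incidence matrix:", A)
    print("bounds:", dict(zip(PLACES, bound_from_invariants(A, [Y1, Y2], M0))))
```

The bound of 2 per place is the conservative one the theorem gives; the actual maximum marking of each place in this net is 1.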
Verification of liveness: code to query dead markings
[Figure: query code that lists the dead markings in the state space]
Verification of liveness: code to query invalid dead markings
[Figure: query code that defines the possible valid terminal markings and queries the invalid terminal markings among the dead markings]
Verification of safety: code to query unsafe states
Unsafe state: the safety connection state is still disconnected when it should transmit data.
[Figure: query code that searches the entire state space for unsafe states]
Verification of safety: ASK-CTL to query unsafe states
Safety requirement: something bad never happens, i.e. the case that the safety connection fails to establish never occurs.
Check whether the negation of the predicate unsafe holds, namely whether no state as defined by unsafe exists in the state space.
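As an added example (not the deck's own state-space query code), the liveness checks from the two preceding liveness slides and the safety check just described, run over the state space of a small constructed net for one safety connection: place names, the valid terminal marking and the "guarded" variant are assumptions. The unguarded variant lets the application request data before the connection is up, which is exactly the state the unsafe-state query looks for; the guarded variant passes both checks.

```python
# Added example, not the deck's own queries; the net below is constructed for illustration.
PLACES = ("disconnected", "connected", "closed", "app_idle", "data_pending")
M0 = (1, 0, 0, 1, 0)                 # connection down, application idle
VALID_TERMINAL = {(0, 0, 1, 1, 0)}   # connection closed, nothing left to send

def make_net(guarded):
    """transition -> (tokens consumed, tokens produced). guarded=False lets the
    application request data at any time (the defect the unsafe-state query is
    meant to catch); guarded=True only allows a request while connected."""
    request = (({"connected": 1, "app_idle": 1}, {"connected": 1, "data_pending": 1})
               if guarded else ({"app_idle": 1}, {"data_pending": 1}))
    return {"establish": ({"disconnected": 1}, {"connected": 1}),
            "request":   request,
            "send":      ({"connected": 1, "data_pending": 1}, {"connected": 1, "app_idle": 1}),
            "close":     ({"connected": 1, "app_idle": 1}, {"closed": 1, "app_idle": 1})}

def enabled(m, pre):
    return all(m[PLACES.index(p)] >= n for p, n in pre.items())

def fire(m, pre, post):
    m = list(m)
    for p, n in pre.items(): m[PLACES.index(p)] -= n
    for p, n in post.items(): m[PLACES.index(p)] += n
    return tuple(m)

def state_space(net, m0=M0):
    """All markings reachable from m0 (terminates because this net is bounded)."""
    seen, todo = {m0}, [m0]
    while todo:
        m = todo.pop()
        for pre, post in net.values():
            if enabled(m, pre) and (nxt := fire(m, pre, post)) not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def dead_markings(net, space):
    return {m for m in space if not any(enabled(m, pre) for pre, _ in net.values())}

def invalid_dead_markings(net, space):
    """Liveness check from the slides: every dead marking must be a valid terminal one."""
    return dead_markings(net, space) - VALID_TERMINAL

def unsafe(m):
    """Unsafe state from the slides: still disconnected when data should be transmitted."""
    return m[PLACES.index("disconnected")] > 0 and m[PLACES.index("data_pending")] > 0

def never_unsafe(space):
    """ASK-CTL style query: the negation of unsafe holds in every reachable state."""
    return not any(unsafe(m) for m in space)
```

For the unguarded net the only dead marking is closed with data still pending, which is outside the valid terminal set, and a reachable marking is unsafe; the guarded net has one dead marking, the valid terminal one, and no unsafe marking.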
Conclusions
Petri nets are a suitable method to verify the safety communication protocol.
A state representation of the safety communication protocol is developed in the form of a CPN. This allows the Poseidon and Design/CPN tools to be used for the verification.
By using state space analysis it is proved that the dead markings in the protocol model are reasonable.
Design/CPN transforms the aim of verification into a formal description and verifies the model. As a result, it is found that the safety communication protocol can never fail to establish the safety connection.
References
[1] Euroradio FIS: class 1 requirements [EB/OL], 2003.
[2] Jae-Dong Lee, Jae-Il Jung, Jae-Ho Lee, Jong-Gyu Hwang, Jin-Ho Hwang, Sung-Un Kim. Verification and conformance test generation of communication protocol for railway signalling systems. Computer Standards & Interfaces 29 (2007) 143–151.
[3] Jae-Ho Lee, Jong-Gyu Hwang, Gwi-Tae Park. Performance evaluation and verification of communication protocol for railway signaling systems. Computer Standards & Interfaces 27 (2005) 207–219.
[4] CENELEC. Railway Applications - Safety related communication in open transmission systems. EN 50159-2, 2001.
[5] Jensen K. Coloured Petri nets. Basic concepts, analysis methods and practical use. Analysis methods, vol. 2. Monographs in theoretical computer science. Berlin: Springer; 1997 [2nd corrected printing. ISBN: 3-540-58276-2].
[6] E. Nemeth, T. Bartha, Cs. Fazekas, K. M. Hangos. Verification of a primary-to-secondary leaking safety procedure in a nuclear power plant using coloured Petri nets. Reliability Engineering and System Safety 2009; 94: 942–953.
[7] Panagiotis Katsaros. A roadmap to electronic payment transaction guarantees and a Colored Petri Net model checking approach. Information and Software Technology 2009; 51: 235–257.
[8] Heiner M. Verification and optimization of control programs by Petri nets without state explosion. In: Proceedings of the second international workshop on manufacturing and Petri nets, held at the XVIII international conference on applications and theory of Petri nets (ICATPN'97), 1997. p. 69–84.
[9] A. Cheng, S. Christensen, K. H. Mortensen. Model checking Colored Petri Nets exploiting strongly connected components. In: Proceedings of the International Workshop on Discrete Event Systems, Edinburgh, Scotland, UK, 1996, pp. 169–177.
Welcome to Beijing