Formal Safety Analysis in Industrial Practice

We report on a comparative study of the formal verification of two level crossing controllers that were developed with SCADE by a rail automation manufacturer. Deductive Cause-Consequence Analysis (DCCA) of Ortmeier et al. is applied for formal safety analysis, and in addition the safety requirements are proven. Even for these medium-sized industrial case studies we observed severe complexity problems that could not be overcome with heuristics such as abstraction and compositional verification. In particular, we failed to prove, within the SCADE framework, a crucial liveness property stating that an unsafe state will not be persistent. We finally succeeded in proving this property by combining abstraction with a model transformation from SCADE to UPPAAL timed automata. In addition, we found that the modeling style has a significant impact on the complexity of the verification task.
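The distinction the abstract turns on, a safety requirement versus the liveness property "an unsafe state is not persistent", is easiest to see on a small explicit-state model. The following is an added example, not code from the paper and not its SCADE or UPPAAL models: a constructed, untimed level-crossing transition system (train, barrier, and a signal interlock that lets the train enter only when the barrier is closed), a safety check (is any bad state reachable?) and a liveness check (is there a reachable cycle, or a deadlock, entirely inside the unsafe region?). The `reopen_fault` flag is a hypothetical barrier fault added here to produce a liveness counterexample that the safety check alone does not catch; timing, which the paper needed UPPAAL for, is not modeled.

```python
"""Safety vs. liveness on a toy level-crossing model (constructed example).

Safety  : never (train in crossing and barrier not closed)      -> reachability
Liveness: AG(unsafe -> AF not unsafe), i.e. the unsafe state does not persist.
For a finite-state system without fairness, the liveness property fails exactly
when some reachable cycle lies entirely inside the unsafe region (or an unsafe
state deadlocks), so the check is a cycle search restricted to unsafe states.
"""

TRAIN = ("far", "approach", "in", "leave")
BARRIER = ("open", "closing", "closed", "opening")


def successors(state, reopen_fault):
    """Interleaved environment (train) and controller (barrier) steps.
    reopen_fault is a hypothetical obstacle-detection fault that may re-open
    a closing barrier; it is an assumption of this example, not the paper's."""
    train, barrier = state
    nxt = set()
    # train movement; the signal allows entering the crossing only when closed
    if train == "far":
        nxt.add(("approach", barrier))
    elif train == "approach" and barrier == "closed":
        nxt.add(("in", barrier))
    elif train == "in":
        nxt.add(("leave", barrier))
    elif train == "leave":
        nxt.add(("far", barrier))
    # barrier controller
    if barrier == "open" and train == "approach":
        nxt.add((train, "closing"))
    elif barrier == "closing":
        nxt.add((train, "closed"))
        if reopen_fault:
            nxt.add((train, "open"))
    elif barrier == "closed" and train in ("leave", "far"):
        nxt.add((train, "opening"))
    elif barrier == "opening":
        nxt.add((train, "open"))
    return nxt


def reachable(init, succ):
    """Explicit-state reachability (depth-first) from init."""
    seen, frontier = {init}, [init]
    while frontier:
        s = frontier.pop()
        for t in succ(s):
            if t not in seen:
                seen.add(t)
                frontier.append(t)
    return seen


def find_unsafe_cycle(init, succ, unsafe):
    """Return a list of reachable unsafe states forming a cycle inside the
    unsafe region (a witness that the unsafe state can persist), a singleton
    [s] if an unsafe state deadlocks, or None if the liveness property holds."""
    states = sorted(s for s in reachable(init, succ) if unsafe(s))
    for s in states:
        if not succ(s):
            return [s]
    color = {s: 0 for s in states}  # 0 unvisited, 1 on DFS stack, 2 finished
    for root in states:
        if color[root]:
            continue
        color[root] = 1
        path = [root]
        stack = [(root, iter(sorted(succ(root))))]
        while stack:
            node, it = stack[-1]
            for t in it:
                if not unsafe(t):       # leaving the unsafe region is fine
                    continue
                if color[t] == 1:       # back edge: cycle within unsafe states
                    return path[path.index(t):]
                if color[t] == 0:
                    color[t] = 1
                    path.append(t)
                    stack.append((t, iter(sorted(succ(t)))))
                    break
            else:
                color[node] = 2
                stack.pop()
                path.pop()
    return None


def unsafe(state):
    """Constructed predicate: train waiting at the crossing, barrier not closed."""
    return state[0] == "approach" and state[1] != "closed"


def check(reopen_fault):
    """Return (safety violations, liveness witness or None) for the model."""
    init = ("far", "open")
    succ = lambda s: successors(s, reopen_fault)
    bad = sorted(s for s in reachable(init, succ)
                 if s[0] == "in" and s[1] != "closed")
    return bad, find_unsafe_cycle(init, succ, unsafe)


if __name__ == "__main__":
    for fault in (False, True):
        print("reopen_fault=%s -> safety violations %s, unsafe cycle %s"
              % (fault, *check(fault)))
```

With the fault enabled the safety check still passes (the interlock keeps the train out), but the cycle search reports the barrier oscillating between "closing" and "open" while the train waits, which is exactly the "unsafe state persists" situation that no invariant-style safety proof can rule out.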

[1] Pascal Raymond, et al. The synchronous data flow programming language LUSTRE, 1991, Proc. IEEE.

[2] Rajeev Alur, et al. A Theory of Timed Automata, 1994, Theor. Comput. Sci.

[3] Parosh Aziz Abdulla, et al. Designing Safe, Reliable Systems Using Scade, 2004, ISoLA.

[4] Marco Bozzano, et al. Improving System Reliability via Model Checking: The FSAP/NuSMV-SA Safety Analysis Platform, 2003, SAFECOMP.

[5] Leslie Lamport, et al. What Good is Temporal Logic?, 1983, IFIP Congress.

[6] Stephan Merz, et al. Model Checking, 2000.

[7] Gerd Behrmann, et al. IFAC World Congress, 2005.

[8] Rajeev Alur, et al. Model-Checking in Dense Real-time, 1993, Inf. Comput.

[9] Hans-Michael Hanisch, et al. Modeling and Verification of a Modular Level-Crossing Controller Design, 1999.

[10] Charles André, et al. Semantics of S.S.M. (Safe State Machine), 2003.

[11] Frank Ortmeier, et al. Deductive cause-consequence analysis (DCCA), 2005.

[12] R. Bell, et al. IEC 61508: functional safety of electrical/electronic/programmable electronic safety-related systems: overview, 1999.

[13] Tiziana Margaria, et al. Leveraging Applications of Formal Methods, First International Symposium, ISoLA 2004, Paphos, Cyprus, October 30 - November 2, 2004, Revised Selected Papers, 2006, ISoLA.

[14] Frank Ortmeier, et al. Using Deductive Cause-Consequence Analysis (DCCA) with SCADE, 2007, SAFECOMP.

[15] John A. McDermid, et al. Experience with the application of HAZOP to computer-based systems, 1995, COMPASS '95, Proceedings of the Tenth Annual Conference on Computer Assurance (Systems Integrity, Software Safety and Process Security).

[16] David Clark, et al. Safety and Security Analysis of Object-Oriented Models, 2002, SAFECOMP.