European Train Control System

Complex physical systems have several degrees of freedom, and they work correctly only when their control parameters obey corresponding constraints. Based on the informal specification of the European Train Control System (ETCS), we design a controller for its cooperation protocol. For the free parameters of the system, we successively identify the constraints that are required to ensure collision freedom. We formally prove these parameter constraints to be sharp by characterising them equivalently in terms of reachability properties of the hybrid system dynamics. Using the calculus of our differential dynamic logic for hybrid systems, we formally verify controllability, safety, liveness, and reactivity properties of the ETCS protocol that together entail collision freedom. We also prove that the ETCS protocol remains correct in the presence of perturbation by disturbances in the dynamics.
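The kind of parameter constraint the abstract refers to can be made concrete on a deliberately simplified model. The following is an added example, not code from the paper or its authors: it assumes a single train at position z with speed v, an end of movement authority m, constant maximal braking deceleration b, maximal acceleration A, and a controller that decides once every eps seconds. Under those assumptions the controllability condition is the kinematic braking distance, and the distance at which the controller must stop accelerating follows from the worst case of one more full-acceleration cycle before braking. The simulation then shows the sharpness claim in miniature: with the derived constraint the train never passes m, while a weakened constraint (factor 0.9 below) reaches a state from which passing m is unavoidable. All numeric parameters are constructed for the example.

```python
# Added example (not the paper's own code): braking constraint for one train
# under a cyclic controller, and a check that weakening it is unsafe.
#
# Assumed (simplified) model: a train at position z with speed v >= 0 moves
# towards the end m of its movement authority. It can brake with deceleration
# at most b > 0 and accelerate with at most A >= 0; the controller decides
# once every eps > 0 seconds. Collision freedom here means z <= m throughout.
from dataclasses import dataclass


@dataclass(frozen=True)
class Train:
    z: float    # current position
    v: float    # current speed, >= 0
    m: float    # end of movement authority
    b: float    # maximal braking deceleration
    A: float    # maximal acceleration
    eps: float  # controller cycle time


def controllable(t: Train) -> bool:
    """Braking with b from speed v covers v^2 / (2b), so the train can still
    stop before m iff that distance fits into m - z."""
    return t.v ** 2 <= 2 * t.b * (t.m - t.z)


def start_braking_distance(v: float, b: float, A: float, eps: float) -> float:
    """Remaining distance at which the controller must stop accelerating.

    Worst case between two decisions: one more cycle at full acceleration A,
    covering eps*v + A*eps^2/2 and reaching speed v + A*eps, followed by a
    full brake from that speed, (v + A*eps)^2 / (2b). Expanding the sum gives
    the expression below (assumed model, not quoted from the paper).
    """
    return v ** 2 / (2 * b) + (A / b + 1) * (A / 2 * eps ** 2 + eps * v)


def move(z: float, v: float, a: float, dt: float):
    """Exact evolution of z' = v, v' = a for dt seconds. A train does not
    reverse, so braking ends at standstill within the cycle."""
    if a < 0 and v + a * dt < 0:
        dt = -v / a
    return z + v * dt + a * dt * dt / 2, max(0.0, v + a * dt)


def run(t: Train, factor: float = 1.0, max_cycles: int = 100_000):
    """Cyclic controller: accelerate while the remaining distance exceeds
    factor * start_braking_distance, otherwise brake. factor=1.0 is the
    derived constraint; factor<1.0 weakens it. Returns (final z, max z)."""
    z, v = t.z, t.v
    max_z = z
    for _ in range(max_cycles):
        sb = start_braking_distance(v, t.b, t.A, t.eps)
        a = t.A if t.m - z > factor * sb else -t.b
        z, v = move(z, v, a, t.eps)
        max_z = max(max_z, z)
        if v == 0.0 and a < 0:  # braked to a standstill
            break
    return z, max_z


def collision_free(t: Train, factor: float = 1.0) -> bool:
    """True iff the simulated run never passes the end of the authority."""
    _, max_z = run(t, factor)
    return max_z <= t.m


if __name__ == "__main__":
    # Constructed parameters for the example.
    train = Train(z=0.0, v=0.0, m=1000.0, b=1.0, A=1.0, eps=1.0)
    print("constraint kept:    ", run(train, 1.0))   # (998.0, 998.0)
    print("constraint weakened:", run(train, 0.9))   # (1024.0, 1024.0)
```

With the constraint kept, the controller may still oscillate between accelerating and braking while it approaches m, but every reachable state stays controllable, so it comes to rest before m. Scaling the constraint down by 10% is enough for the controller to accelerate for one cycle too many, after which no braking action can prevent passing m; this is the reachability-based sense in which such a constraint is sharp.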

André Platzer et al. European Train Control System: A Case Study in Formal Verification. ICFEM 2009.