
Formal verification of safety communication protocol for ETCS

Outline: Introduction; Safety communication protocol in ETCS; CPN model of safety communication protocol; Formal verification of protocol; Conclusions. Presented by Chen Lijie, 08.06.2011.



  1. Formal verification of safety communication protocol for ETCS
     Chen Lijie, 08.06.2011
     Outline:
     • Introduction
     • Safety communication protocol in ETCS
     • CPN model of safety communication protocol
     • Formal verification of protocol
     • Conclusions

  2. Introduction: necessity of verification
     • Verification gives certainty that a required property is satisfied.
     • Development flow (figure): User requirement → System design → Verification → Conformance test
     • Quoted from: Jae-Dong Lee, "Verification and conformance test generation of communication protocol for railway signalling systems", Computer Standards & Interfaces [2]

  3. Introduction: necessity of applying Petri nets for verification
     • A communication system can be represented by a Petri net.
     • Petri nets can be applied to the verification of safety-critical systems.
     • ASK-CTL in CPN Tools is a common method for model checking.

  4. Safety communication protocol for ETCS: importance of safety for a communication system
     • Scenario (figure): the train ahead stops.
     • If the following train does not receive the command that it should stop, it keeps running and collides with the train ahead.

  5. Safety communication protocol for ETCS: structure of the communication system in ETCS
     • EURORADIO (the communication system in ETCS) can be divided into 3 layers (ETCS SUBSET 037):
       - Application layer: process data
       - Safety layer: establish the safety connection
       - Channel: transmit any message
     • The safety communication protocol is executed in the safety layer, which functions as a safety-related transmission system.
     • A safety-related transmission function has to be added on top of the non-trusted channel.

  6. CPN model of safety communication protocol: general model of the communication system (figure; source: ETCS Specification SUBSET 037)

  7. CPN model of safety communication protocol: CPN model of the safety logic in the protocol (figure; source: ETCS Specification SUBSET 037)

  8. Formal verification of protocol
     • Verification of domain-independent properties: boundedness, liveness. These properties are independent of domain knowledge; they are basic properties that any Petri-net model should satisfy.
     • Verification of a domain-related property: safety. This property depends on domain knowledge; it is the property the safety communication protocol must satisfy.

  9. Verification of boundedness: basic definitions in Petri nets

  10. Verification of boundedness: theorem for verification of boundedness

  11. Verification of boundedness: low-level Petri net model of the protocol (figure)
      Y1 = [1, 1, 1, 1, 0]^T

  12. Verification of boundedness: low-level Petri net model of the protocol (figure)
      Y2 = [0, 0, 0, 0, 1]^T
      Yn = [1, 1, 1, 1, 1]^T > 0
      Therefore the protocol model is bounded.
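The slides give only the invariant vectors Y1, Y2 and their sum Yn, not the net or the theorem behind them. The following is an added example, not the presentation's code: it applies the standard place-invariant criterion (a vector y with y^T C = 0 is a P-invariant, and a strictly positive sum of P-invariants proves the net bounded) to a constructed 5-place net that stands in for the slides' low-level model, chosen so that the slides' Y1 and Y2 are its invariants. The place names, the transitions and the initial marking are assumptions; the example also goes one step beyond the slide by deriving a token bound per place from the same invariants.

```python
"""Boundedness by place invariants (slides 10-12).

Added example, not the presentation's code. The 5-place net below is a
CONSTRUCTED stand-in for the slides' low-level model (which is only in a
figure), chosen so that Y1 = [1,1,1,1,0]^T and Y2 = [0,0,0,0,1]^T are
P-invariants. Criterion used: y^T C = 0 for each y, and Yn = sum of the y
strictly positive on every place, implies the net is bounded.
"""
from typing import Dict, List, Optional, Tuple

PLACES = ["p1_disconnected", "p2_connecting", "p3_connected",
          "p4_disconnecting", "p5_channel"]
# transition -> (consumed, produced), each {place: weight}. p5 is a channel
# resource borrowed and returned by the two transitions that send a message.
TRANSITIONS: Dict[str, Tuple[Dict[str, int], Dict[str, int]]] = {
    "t1_connect_req": ({"p1_disconnected": 1, "p5_channel": 1},
                       {"p2_connecting": 1, "p5_channel": 1}),
    "t2_connect_ok":  ({"p2_connecting": 1, "p5_channel": 1},
                       {"p3_connected": 1, "p5_channel": 1}),
    "t3_disc_req":    ({"p3_connected": 1}, {"p4_disconnecting": 1}),
    "t4_disc_done":   ({"p4_disconnecting": 1}, {"p1_disconnected": 1}),
}


def incidence_matrix(places=PLACES, transitions=TRANSITIONS) -> List[List[int]]:
    """C[i][j] = tokens produced minus tokens consumed in place i by transition j."""
    cols = list(transitions)
    C = [[0] * len(cols) for _ in places]
    for j, t in enumerate(cols):
        consumed, produced = transitions[t]
        for i, p in enumerate(places):
            C[i][j] = produced.get(p, 0) - consumed.get(p, 0)
    return C


def is_place_invariant(C, y) -> bool:
    """y is a P-invariant iff y^T C = 0: the weighted token count y.M is the
    same in every reachable marking M."""
    return all(sum(y[i] * C[i][j] for i in range(len(y))) == 0
               for j in range(len(C[0])))


def boundedness_certificate(C, invariants) -> Tuple[bool, List[int]]:
    """Yn = sum of the given invariants; Yn > 0 on every place proves boundedness.
    Raises if a vector is not actually an invariant of C."""
    for y in invariants:
        if not is_place_invariant(C, y):
            raise ValueError(f"{y} is not a place invariant")
    yn = [sum(col) for col in zip(*invariants)]
    return all(v > 0 for v in yn), yn


def place_bounds(invariants, m0) -> Dict[str, Optional[int]]:
    """Each invariant y with y[i] > 0 bounds place i by (y.M0) / y[i]; keep the
    tightest. None means no invariant covers the place, so no bound follows."""
    bounds = {}
    for i, p in enumerate(PLACES):
        cands = [sum(a * b for a, b in zip(y, m0)) // y[i]
                 for y in invariants if y[i] > 0]
        bounds[p] = min(cands) if cands else None
    return bounds


if __name__ == "__main__":
    C = incidence_matrix()
    Y1, Y2 = [1, 1, 1, 1, 0], [0, 0, 0, 0, 1]
    print("Y1, Y2:", boundedness_certificate(C, [Y1, Y2]))   # (True, [1, 1, 1, 1, 1])
    print("Y1 only:", boundedness_certificate(C, [Y1]))      # (False, [1, 1, 1, 1, 0])
    # Assumed initial marking: one token in p1 (disconnected), one channel token.
    print(place_bounds([Y1, Y2], m0=[1, 0, 0, 0, 1]))
```

The second call shows why the slides need both vectors: Y1 alone leaves p5 uncovered, so Yn is not strictly positive and nothing can be concluded about that place.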

  13. Verification of liveness: code to query dead markings
      • Query the dead markings in the state space.

  14. Verification of liveness: code to query invalid dead markings
      • Define the possible valid terminal markings.
      • Query the invalid terminal markings among the dead markings.

  15. Verification of safety: code to query unsafe states
      • Unsafe state: the safety connection is still disconnected when data should be transmitted.
      • Query unsafe states over the entire state space.

  16. Verification of safety: ASK-CTL to query unsafe states
      • Safety requirement: something bad never happens, i.e. the case in which the safety connection fails to be established never occurs.
      • Check whether the negation of the function unsafe holds everywhere, i.e. whether no state satisfying unsafe exists.
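Slides 13 to 16 describe four state-space queries (dead markings, invalid dead markings, unsafe states, and the ASK-CTL check that no unsafe state exists) but the query code itself is only in the slide images. The following is an added example, not the presentation's CPN ML: it builds the reachability graph of a constructed toy model of the safety layer and runs the four queries over it. The marking fields, the transitions and the retry limit are assumptions. The `check_connection=False` variant is a deliberately broken version, constructed here, in which the safety layer forwards application frames without checking the connection, so the unsafe-state query has something to find; the exhaustive "no reachable state satisfies unsafe" check stands in for the ASK-CTL formula on slide 16.

```python
"""State-space queries for a safety-connection model (slides 13-16).

Added example, not the presentation's code. The model is a CONSTRUCTED toy of
the safety layer: an application request, a safety connection that may need
retries, and a channel carrying at most one frame. check_connection=False is
a constructed broken variant in which frames are forwarded without checking
the safety connection.
"""
from collections import deque
from typing import Callable, Dict, List, NamedTuple, Tuple

MAX_RETRY = 2  # assumed retry limit; keeps the state space finite


class Marking(NamedTuple):
    conn: str              # "DISC" | "CONNECTING" | "CONN"
    app: str               # "IDLE" | "REQ" | "SENT"
    frame_on_channel: bool
    established: bool      # a safety connection was established at some point
    retries: int


INITIAL = Marking("DISC", "IDLE", False, False, 0)


def enabled(m: Marking, check_connection: bool = True) -> List[Tuple[str, Marking]]:
    """Enabled transitions of marking m with their successor markings."""
    succ = []
    if m.app == "IDLE":
        succ.append(("app_request", m._replace(app="REQ")))
    if m.conn == "DISC" and m.app == "REQ":
        succ.append(("connect_req", m._replace(conn="CONNECTING")))
    if m.conn == "CONNECTING":
        succ.append(("connect_ok", m._replace(conn="CONN", established=True)))
        if m.retries < MAX_RETRY:
            succ.append(("connect_fail", m._replace(conn="DISC", retries=m.retries + 1)))
    # The safety layer forwards the frame; the hardened form requires conn == CONN.
    if m.app == "REQ" and (m.conn == "CONN" or not check_connection):
        succ.append(("forward", m._replace(app="SENT", frame_on_channel=True)))
    if m.frame_on_channel:
        succ.append(("deliver", m._replace(frame_on_channel=False)))
    if m.conn == "CONN" and m.app == "SENT" and not m.frame_on_channel:
        succ.append(("disconnect", m._replace(conn="DISC")))
    return succ


def state_space(check_connection: bool = True) -> Dict[Marking, List[Tuple[str, Marking]]]:
    """Breadth-first reachability graph from INITIAL: marking -> enabled arcs."""
    graph: Dict[Marking, List[Tuple[str, Marking]]] = {}
    queue = deque([INITIAL])
    while queue:
        m = queue.popleft()
        if m in graph:
            continue
        graph[m] = enabled(m, check_connection)
        queue.extend(n for _, n in graph[m] if n not in graph)
    return graph


# Slide 13: dead markings are nodes with no enabled transition.
def dead_markings(graph) -> List[Marking]:
    return [m for m, succ in graph.items() if not succ]


# Slide 14: the only acceptable way to stop is a completed session.
def valid_terminal(m: Marking) -> bool:
    return m.conn == "DISC" and m.app == "SENT" and not m.frame_on_channel and m.established


def invalid_dead_markings(graph) -> List[Marking]:
    return [m for m in dead_markings(graph) if not valid_terminal(m)]


# Slide 15: unsafe = a frame is in transit while the safety connection is not up.
def unsafe(m: Marking) -> bool:
    return m.frame_on_channel and m.conn != "CONN"


def unsafe_states(graph) -> List[Marking]:
    return [m for m in graph if unsafe(m)]


# Slide 16: "something bad never happens" = AG(not unsafe), checked here by
# exhaustive enumeration of the reachable markings.
def always_globally(graph, prop: Callable[[Marking], bool]) -> bool:
    return all(prop(m) for m in graph)


def never_unsafe(check_connection: bool = True) -> bool:
    return always_globally(state_space(check_connection), lambda m: not unsafe(m))


if __name__ == "__main__":
    for variant in (True, False):
        g = state_space(variant)
        print(f"check_connection={variant}: {len(g)} markings, "
              f"{len(dead_markings(g))} dead, {len(invalid_dead_markings(g))} invalid dead, "
              f"{len(unsafe_states(g))} unsafe, AG(not unsafe)={never_unsafe(variant)}")
```

In the hardened variant every dead marking is a completed session and no unsafe marking is reachable, which is the shape of result the slides report; in the broken variant the same queries return invalid terminal markings (a session that "finished" without ever establishing a connection) and unsafe markings, and the AG check fails.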

  17. Conclusions
      • A state representation of the safety communication protocol is developed in the form of a CPN, which allows the Poseidon and Design/CPN tools to be used for verification.
      • Petri nets are a suitable method for verifying the safety communication protocol.
      • State space analysis proves that the dead markings in the protocol model are reasonable.
      • Design/CPN turns the verification goal into a formal description and verifies the model against it. As a result, the safety communication protocol is found never to fail to establish a safety connection.

  18. References
      [1] Euroradio FIS: class 1 requirements [EB/OL], 2003.
      [2] Jae-Dong Lee, Jae-Il Jung, Jae-Ho Lee, Jong-Gyu Hwang, Jin-Ho Hwang, Sung-Un Kim. Verification and conformance test generation of communication protocol for railway signalling systems. Computer Standards & Interfaces 29 (2007) 143–151.
      [3] Jae-Ho Lee, Jong-Gyu Hwang, Gwi-Tae Park. Performance evaluation and verification of communication protocol for railway signaling systems. Computer Standards & Interfaces 27 (2005) 207–219.
      [4] CENELEC. Railway Applications - Safety related communication in open transmission systems. EN 50159-2, 2001.
      [5] Jensen K. Coloured Petri nets. Basic concepts, analysis methods and practical use. Analysis methods, vol. 2. Monographs in theoretical computer science. Berlin: Springer; 1997 [2nd corrected printing. ISBN: 3-540-58276-2].
      [6] E. Nemeth, T. Bartha, Cs. Fazekas, K.M. Hangos. Verification of a primary-to-secondary leaking safety procedure in a nuclear power plant using coloured Petri nets. Reliability Engineering and System Safety 2009; 94: 942–953.

  19. References (continued)
      [7] Panagiotis Katsaros. A roadmap to electronic payment transaction guarantees and a Colored Petri Net model checking approach. Information and Software Technology 2009; 51: 235–257.
      [8] Heiner M. Verification and optimization of control programs by Petri nets without state explosion. In: Proceedings of the second international workshop on manufacturing and Petri nets, held at the XVIII international conference on applications and theory of Petri nets (ICATPN'97), 1997. p. 69–84.
      [9] A. Cheng, S. Christensen, K.H. Mortensen. Model checking Colored Petri Nets exploiting strongly connected components. In: Proceedings of the International Workshop on Discrete Event Systems, Edinburgh, Scotland, UK, 1996, pp. 169–177.

  20. Welcome to Beijing! chen@iva.ing.tu-bs.de
