Conference Paper

Formal Proofs for the NYCT Line 7 (Flushing) Modernization Project


Abstract

The New York City Transit Authority has included formal proofs at system level as part of the safety assessment for its New York subway Line 7 modernization project, based on the CBTC from Thales Toronto. ClearSy carries out these proofs. In this paper, we describe the expected results and benefits of such proofs. We also discuss the methodology, in particular the importance of obtaining a natural language precursor for proofs. This step is paramount to find the simplest reasons why the design ensures the wanted properties.

... About 30% of the Communication-Based Train Control (CBTC) systems worldwide contain software developed using the B formal method. Formal methods also play a role in safety cases and certification at the system level [26,25,4,5]. For autonomous systems, however, classical certification approaches have reached a major obstacle [6]. ...
... In Section 3 we present the formal B model of the system, which enables one to formalize and verify mitigating measures (solution 1), but also study the impact of undetected errors of the AI to be able to conduct solution 2 (which we tackle in Section 4). Therefore, we decide to use the formal B method [1] which was also used for other railway systems [26,25,4,5]. While this work focuses mostly on formally modelling and verifying the steering system and environment, we plan to address direct verification of the perception system in future work. ...
... Railway Systems. Formal methods, especially the B method have been used to model several railway systems such as Abrial's interlocking system [2], CBTC systems [26,25,4,5], and the Hybrid Level 3 system [11]. Similar to our approach, the main goal is to formally describe all behaviours in the railway system, and to verify/validate certain properties. ...
Chapter
Full-text available
The research project KI-LOK aims to develop a certification methodology for incorporating AI components into rail vehicles. In this work, we study how to safely incorporate an AI for obstacle detection into an ATO (automatic train operation) system for shunting movements. To analyse the safety of our system we present a formal B model comprising the steering and AI perceptions subsystems as well as the shunting yard environment. Classical model checking is applied to ensure that the complete system is safe under certain assumptions. We use SimB to simulate various scenarios and estimate the likelihood of certain errors when the AI makes mistakes.
... To accomplish the first task, we decided to derive a formal B model from the HL3 specification. The decision was based on diverse work (e.g., [7,10,11,12,13,14,15]) which provided evidence that B is well suited for the railway domain. Moreover, first experiments were very promising: in a few days it was possible to model some simpler transitions of the HL3 specification. ...
... We think this approach, of using animation and custom visualisations at every stage of development, especially the early ones, should be more widely used for safety critical (e.g., SIL 4) projects in industry. For example, the specification engineer can take over some work of the testing team as he or she is able to interactively derive test cases from the model (see footnote 13), which are much more precise and consistent compared to the description of the scenarios contained in the HL3 specification. ...
... One event required 0.38, one 0.31 and one 0.27 s, probably due to garbage collection being triggered. (Footnote 13: Note that we talk here about product and system-level tests and not just unit tests.) ...
Article
Full-text available
In this article, we present a concrete realisation of the ETCS hybrid level 3 concept, whose practical viability was evaluated in a field demonstration in 2017. Hybrid level 3 introduces virtual subsections as sub-divisions of classical track sections with trackside train detection. Our approach introduces an add-on for the radio block centre (RBC) of Thales, called virtual block function (VBF), which computes the occupation states of the virtual subsections using the train position reports, train integrity information, and the track occupation states. From the perspective of the RBC, the VBF behaves as an interlocking that transmits all signal aspects for virtual signals introduced for each virtual subsection to the RBC. We report on the development of the VBF, implemented as a formal B model executed at runtime using ProB and successfully used in a field demonstration to control real trains.
... Formal proof, instrumented with a formal method such as Event-B [1] and the accompanying software Atelier B, has been shown to be a powerful tool to perform rigorous safety analysis at the system level [6,5]. ...
Conference Paper
Full-text available
This paper describes a safety analysis effort on RATP’s communication-based train control (CBTC) system Octys. This CBTC is designed for multi-sourcing and brownfield deployment on an existing interlocking infrastructure. Octys is already in operation on several metro lines in Paris, and RATP plans its deployment on several other lines in the forthcoming years. Besides the size and complexity of the system, the main technical challenges of the analysis are to handle the existing interlocking functionalities without interfering with its design and to clearly identify the responsibilities of each subsystem supplier. The distinguishing aspect of this analysis is the emphasis put on intellectual rigor, this rigor being achieved by using formal proofs to structure arguments, then using the Atelier B tool to mechanically verify such proofs, encoded in the Event-B notation.
... Product Certification: Product certification is another area where formal verification has gained a foothold recently, e.g. [20]. Some of the recent and upcoming versions of safety standards and other regulatory measures support and even encourage the use of formal proofs to reason about product properties [4]. ...
Conference Paper
Full-text available
The paper summarizes our experiences in applying formal verification using the explicit-state model checker SPIN and combining it with a model-based testing approach to support the validation of embedded software. The discussed example covers a crucial part of the firmware of the fault-tolerant programmable logic controller Siemens SIMATIC S7-400H. The chosen approach is outlined and obstacles that were faced during the project are discussed. The paper advocates why formal verification is not suitable as a standalone method in industrial projects. Rather it must be combined with an appropriate validation method such as testing to maximize the benefits from the combination of both approaches. In this case, formal verification complements code or design model reviews, and testing benefits from the availability of correct formal models provided during verification process. Published at IEEE Xplore: http://ieeexplore.ieee.org/document/7381822/
... This enlargement allows one to perform failure studies right from the beginning in a large system development. Event-B has been used to perform system level safety studies in the Railways (Sabatier 2012), allowing to formally verify part of the whole system specification, hence contributing to improve the overall level of confidence of the railways system being built. ...
Conference Paper
Full-text available
Safety-critical systems and software require particular care when their parameters have to be verified and validated, as any mistake may lead to a catastrophic scenario during their operating use. A recent technique, called formal data validation, enables an improvement in the level of confidence of the verification/validation process by associating a formal data model to the parameters, and by formally checking that these parameters fit within the model. This paper reports on the development and use of such tools for industrial railway applications.
... The railway interlocking problem has long been studied by the Formal Methods community, and our work builds upon prior approaches to the modelling and verification of railways. Prominent studies from the B community include [20,33,3] whilst [35,28] are classical contributions from process algebra and [10] uses techniques from Algebraic Specification. On a lower abstraction layer, [7,18,16,5] verify the safety of interlocking programs with logical approaches. ...
Article
Full-text available
We describe a novel framework for modelling railway interlockings which has been developed in conjunction with railway engineers. The modelling language used is CSP||B. Beyond the modelling we present a variety of abstraction techniques which make the analysis of medium- to large-scale networks feasible. The paper notably introduces a covering technique that allows railway scheme plans to be decomposed into a set of smaller scheme plans. The finitisation and topological abstraction techniques are extended from previous work and are given formal foundations. All three techniques are applicable to other modelling frameworks besides CSP||B. Being able to apply abstractions and simplifications on the domain model before performing model checking is the key strength of our approach. We demonstrate the use of the framework on a real-life, medium-size scheme plan.
... This enlargement allows one to perform failure studies right from the beginning in a large system development. Event-B has been used to perform system level safety studies in the Railways [12], allowing to formally verify part of the whole system specification, hence contributing to improve the overall level of confidence of the railways system being built. However, if the verification of Event-B system specification or B software specification is quite easily reachable by semi-automated proof, verifying embedded data against properties may turn to be a nightmare in case of large data sets. ...
Article
Full-text available
This article presents industrial experience of validating large data sets against specification written using the B / Event-B mathematical language and the ProB model checker.
... This paper shows that the methodology developed is easily reusable, and extends to more complex track features and their associated safety requirements. Our safety properties are proved using model-checking [3], whereas other approaches [1] [6] establish similar properties through formal proof, or through a combination of proof and model-checking [5]. ... (This paper is electronically published in Electronic Notes in Theoretical Computer Science, URL: www.elsevier.nl/locate/entcs.)
Conference Paper
Full-text available
This paper extends recent work in verifying railway systems through CSP || B modelling and analysis. In particular we consider the Double Junction case study, a more complex example than we have considered previously, which involves a crossover of two tracks, two related sets of points, and open ends where trains enter and exit the system. We are able to apply the general control system previously developed, and instantiate the model with the track topology and control tables of this particular example. We are able to verify safety (collision-freedom) properties automatically using ProB, and to identify sequences of events that lead to safety violations in alternative models.
Thesis
Full-text available
Today, tremendous changes have occurred in the transportation industry due to the expansion of the Internet of Things, big data, and wireless sensor networks. As a result, intelligent transportation systems have been developed. Considering the high importance of railway transportation systems and their important role in passenger and cargo transportation, various methods have been presented to connect them to the intelligent transportation system. One of the systems that plays an essential role in rail transport lines is the signalling system, which is responsible for ensuring the safety of train movement, and which has undergone many changes with the introduction of the concepts of the Internet of Things, big data, and wireless sensor networks. The attention of the companies producing these systems and of many researchers in this field has been directed to this concept. In the field of providing intelligent transportation systems, no definitive method has been designed to guarantee the safety, security, and stability of these systems at the same time; as a result, until these issues are resolved, these systems cannot be used in the rail industry. In this dissertation, firstly, a method of estimating the speed and position of trains through Kalman and Consensus filters, as well as the design of speed and position profiles, is described, and the stability of this method has been investigated. The Lyapunov method is used for the stability analysis in normal conditions, and the case of loss of the information packets received from the wireless sensor networks has also been investigated. Next, a railway control and signalling system based on the Internet of Things has been proposed. By using the proposed system, all rail lines of a city or a country can be gathered in a centralized control center and all lines can be controlled by this center. Due to the access to the information on all the railway lines, it is possible to safely control the movement of trains on the lines by optimizing the travel time of the passengers, operating costs, and wear and tear of the trains, and by adopting the optimal strategy to determine the movement strategy and the number of trains needed on each line at different times. Finally, to verify the proposed system, formal methods have been used according to the safety standards related to signalling systems (CENELEC EN-5012x). One of the methods recommended in the EN-50128 standard is the Event-B method, and as a result this method is suitable to determine the accuracy of the system's performance. In this dissertation, the proposed IoT-based signalling system has been modeled and verified using the Event-B method. Also, the ProB model checker has been used to evaluate the modeling and verification process of the proposed system.
Chapter
Full-text available
System safety is based on the implementation of technical and organisational principles to ensure that a feared event cannot occur more frequently than expected. Such a demonstration, the so-called safety case, relies on domain specific standards which capitalise on experience gained after decades of development and operation. For more than a decade, the threat of human attacks aimed at disrupting the operation of such systems has become more acute. In the railways, communications between on board and track-side equipment are naturally subject to targeted attacks aimed at reducing the availability of the equipment or disrupting its operational safety to the point of creating accidents. This paper aims to sketch the range of logical and hardware attacks practised today that could be used in the future to attack railway systems to make them less available or less secure. It also presents a combination of techniques and technologies that, assisted by formal methods, can reduce the chances of success of such attacks. Keywords: formal methods, cybersecurity, safety.
Chapter
The B method is a formal method to design software components and to prove that they are compliant with some formalized requirements, giving a way to build safety-critical programs. However, the correctness of the obtained programs obviously relies on the correctness of those formalized software requirements. Using the CLEARSY Safety Platform, a vital processing solution developed by CLEARSY (SIL4 certified, Certifer 9594/0262) with native B capabilities, we demonstrate here a method to develop vital software with formal proofs directly attached to the key system properties. For instance, a train localization system is proven regarding the property stating that the computed location interval shall always contain the actual train. Such proofs become possible by combining software variables with variables representing physical entities and their timed evolution, thanks to the guaranteed time and deadlines of the CLEARSY Safety Platform. Thus, we avoid the problem of ensuring the correctness of a complex set of formalized software requirements by directly ensuring the wanted system properties. Assumptions and properties for the non-software parts are included in the same B model used to develop the software on the CLEARSY Safety Platform. Keywords: formal modelling, system reliability.
Chapter
The B landscape can be confusing to formal methods outsiders, especially due to the fact that it is partitioned into classical B for software and Event-B for systems modelling. In this article we shed light on commonalities and differences between these formalisms, based on our experience in building tools that support both of them. In particular, we examine not so well-known pitfalls. For example, despite sharing a common mathematical foundation in predicate logic, set theory and arithmetic, there are formulas that are true in Event-B and false in classical B, and vice-versa.
Chapter
During the last five years, Event-B formal modelling has been successfully applied to various railway systems to demonstrate safety early in the design process or once systems are in operation. This approach is aimed at formalising a safety reasoning instead of modelling every bit of the system. This approach is intrinsically fit to scale up to large systems (or system of systems), hence able to handle centralised or distributed systems.
Conference Paper
For several years, ClearSy has driven large projects about using formal proofs at system level in the railway domain. The fundamental goal in these projects is to extract the rigorous reasoning establishing that the considered system ensures its requested properties, and to assert that this reasoning is correct and fully expressed. In this paper, we give feedback about the methodology used in all these projects, about the differences made by whether the concerned system is currently under design or already existing, and about the benefits obtained. The formal proofs are performed using Event-B, with the Atelier-B toolkit.
Conference Paper
The paper presents a tool-supported approach to graphically editing scheme plans and their safety verification. The graphical tool is based on a Domain Specific Language which is used as the basis for transformation to a CSP||B formal model of a scheme plan. The models produced utilise a variety of abstraction techniques that make the analysis of large scale plans feasible. The techniques are applicable to other modelling languages besides CSP||B. We use the ProB tool to ensure the safety properties of collision, derailment and run-through freedom.
Article
The safety analysis of interlocking railway systems involves verifying freedom from collision, derailment and run-through (that is, trains rolling over wrongly-set points). Typically, various unrealistic assumptions are made when modelling trains within networks in order to facilitate their analyses. In particular, trains are invariably assumed to be shorter than track segments; and generally only a very few trains are allowed to be introduced into the network under consideration. In this paper we propose modelling methodologies which elegantly dismiss these assumptions. We first provide a framework for modelling arbitrarily many trains of arbitrary length in a network; and then we demonstrate that it is enough with our modelling approach to consider only two trains when verifying safety conditions. That is, if a safety violation appears in the original model with any number of trains of any and varying lengths, then a violation will be exposed in the simpler model with only two trains. Importantly, our modelling framework has been developed alongside – and in conjunction with – railway engineers. It is vital that they can validate the models and verification conditions, and – in the case of design errors – obtain comprehensible feedback. We demonstrate our modelling and abstraction techniques on two simple interlocking systems proposed by our industrial partner. As our formalization is, by design, near to their way of thinking, they are comfortable with it and trust it.
Article
Full-text available
The paper summarises the main features concerning the definition of an efficient odometry algorithm to be used in modern automatic train protection and control (ATP/ATC) systems. The availability of a reliable speed and travelled distance estimation is essential for the efficiency and the safety of the whole system. The first essential step in odometric subsystem design is the choice of the sensors, whose output signals will be used for velocity estimation. Then a suitable procedure fusing sensor signals has to be defined as a function of number and type of sensors and accuracy and safety targets. In the paper, the main features of an innovative solution will be summarised and its performance will be presented, in terms of precision in speed and travelled distance estimation.
Article
Contents: Tribute. Foreword. Introduction.
Part I. Mathematics: 1. Mathematical reasoning; 2. Set notation; 3. Mathematical objects.
Part II. Abstract Machines: 4. Introduction to abstract machines; 5. Formal definition of abstract machines; 6. Theory of abstract machines; 7. Constructing large abstract machines; 8. Examples of abstract machines.
Part III. Programming: 9. Sequencing and loop; 10. Programming examples.
Part IV. Refinement: 11. Refinement; 12. Constructing large software systems; 13. Examples of refinement.
Appendixes. Index.
Book
A practical text suitable for an introductory or advanced course in formal methods, this book presents a mathematical approach to modelling and designing systems using an extension of the B formal method: Event-B. Based on the idea of refinement, the author's systematic approach allows the user to construct models gradually and to facilitate a systematic reasoning method by means of proofs. Readers will learn how to build models of programs and, more generally, discrete systems, but this is all done with practice in mind. The numerous examples provided arise from various sources of computer system developments, including sequential programs, concurrent programs and electronic circuits. The book also contains a large number of exercises and projects ranging in difficulty. Each of the examples included in the book has been proved using the Rodin Platform tool set, which is available free for download at www.event-b.org.