1 - European Railway Agency
SERVICE CONTRACT ERA/2007/ERTMS/02
Feasibility study for the formal specification of
ETCS functions
Trento, 9-10 Oct. 2008
ERA: Feasibility study for the formal specification of ETCS functions
1
RINA SpA – THE MAIN CONTRACTOR
[Organisation chart: REGISTRO ITALIANO NAVALE / RINA S.p.A., with Marine Division, Certification Division, RINA Industry, and branches and subsidiary companies]
Main RINA services
• Ship classification (Naval Division – DIN)
Assessment of the state of efficiency and preservation of ships for insurance companies, to enable them to evaluate the risks related to vessels and their cargoes.
• Certification (Certification and Services Division – DCI)
Certification of quality, environmental, occupational health and safety, food safety, information security systems, ethical, administrative responsibility, Best 4, medical devices, food traceability, internet sites, personnel, EC marking, LCA/EPD, products, railway sector, automotive sector, food sector, greenhouse gas emissions.
• Services for industry (RINA Industry S.r.l. – RIDY)
Assessment of conformity of plants, products, components, materials, supplies to national and international standards as well as to international specifications.
RINA main figures (31/12/2006)
[Chart: RINA main figures 2003-2006 – Turnover [M €], EBITDA [M €] and Staff [Units], the latter split into Italy, Abroad and Total]
Profile and organisation of RINA/DCI
Notified Body for Directives 96/49/EC and 01/16/EC
RINA/DCI locations in Italy
[Map legend: Notified Body main office; Notified Body branch office]
• Head Office
– Genova
• 4 Area Offices
– Bologna, Milano, Roma, Taranto
• 11 Local Offices, 3 Audit Stations
– Ancona, Cagliari, Firenze (Prato), Genova, Catania, Napoli, Palermo, Pescara, Ravenna, Torino, Udine, Venezia, Verona, Vibo Valentia
• 3 subsidiary companies
– SOA RINA: declaration of building firms for public contracts
– ITA: test and analysis in the food and health sectors
– SOGEA: training factory
The RINA international companies for industrial services
The DCI has 14 offices in countries with the greatest interest in commercial
exchange with Italy. Apart from Buenos Aires, Cordoba and Shanghai offices, the
service centres come under the following companies: RINA BRAZIL, RINA IBERIA,
RINA HELLAS, RINA TURKEY, RINA INDIA, RINA SHANGAY, RINA ROMANIA.
RINA Notified Body for Railway Interoperability
• Since Sept. 2002 RINA has been appointed as Notified Body for all sub-systems of Interoperability Directive 96/48/EC for high speed lines by the Italian Ministry of Infrastructures and Transportations;
• Since July 2005 RINA has also been appointed as Notified Body for the Interoperability Directive 01/16/EC for conventional lines;
• Main references as Notified Body:
– EC conformity certification both for Interoperability Constituents (e.g. Cab Radios, Eurobalise equipment, rails, train wheels etc.) and for subsystems (e.g. Infrastructure and Energy sub-systems of the Rome-Naples and Turin-Novara HS lines, design of the main sub-systems of the Brenner tunnel line: Infrastructure, Energy, CCS, GSM-R Network in the HS line Milan-Bologna);
– Functional and safety assessment of track-side components (LEU, Eurobalise and BTM) of different manufacturers for use in the Italian ATP system known as SCMT;
– Co-operation with other European Notified Bodies in the ERA Project “Survey of Safety Approvals for the first ERTMS Implementations”
PARTNER INSTITUTE - FBK
• Center for Scientific and Technological Research
– 280 researchers
• Missions: research and technology transfer
• Two main technological research centers
– Materials and Microsystems
– Information Technologies
• Organized in research units
– Knowledge Representation
– Service Oriented Architectures
– Human Language Technologies
– Vision
– Audio and Acoustic
– Interaction
– Software Engineering
– Embedded Systems
FBK location
Fondazione Bruno Kessler, Trento
FBK premises - Trento
PARTNER COMPANY – DR. GRABAND & PARTNER GmbH
DR. GRABAND & PARTNER GmbH
• founded in 1986
• independent service company
• soon developed into one of the leading service providers in the field of railway techniques
• team of highly qualified specialists
• currently about 75 employees (mostly engineers & technicians)
• offering a wide range of services for the technical and operational interests of local and long-distance railway traffic, from development through assessment to project planning and management
DR. GRABAND & PARTNER GmbH Locations
DR. GRABAND & PARTNER GmbH Organisation
[Organisation chart: Management; Head Office Braunschweig; Registered Office Berlin; Dipl.-Ing. Axel Schulz-Klingner; Dipl.-Ing. Marcus Intze; Technical Consulting; Technical Planning; Software Engineering; Project Follow Up; Technical Planning – Dipl.-Ing. Klaus-Peter Zurek; Office Leipzig; Office Dresden; Safety Assessment; Office München]
G&P Reference Projects ERTMS / ETCS
• Preparation and Documentation of the Basic ETCS Specifications
for UIC within the ERRI A200 / A200.1 Working Groups
• Project Management of the ERRI A200.1 Working Group
• Hazard-Analyses within the ETCS 2000 Project based on
CENELEC-Norms
• On behalf of UIC, consulting services to Indian Railways concerning ERTMS, ETCS and GSM-R
• Project Audit of the ERTMS/ETCS HSL Mattstetten – Rothrist
(SBB)
• Several activities in the fields of System Validation & Verification,
Safety Assessment, Implementation and Accomplishment in
ERTMS/ETCS Projects, Risk Analyses (Industry, Railways)
• Study on the Implementation of Interoperability Directive 96/48/EC
(European Commission - DG TREN)
• Analyses in the frame of Cross-Acceptance for SNCF
Project Organisation and Steering Committee
– RINA/QTL: Project Manager – Berardino Vittorini; Administrative Support – Alfredo Traverso; WPL – Federico Caruso
– FBK: WPL – Alessandro Cimatti; Angelo Susi
– DR. GRABAND & PARTNER: Axel Schulz-Klingner
Work Breakdown Structure
WP0 – PMP + SC technical co-ordination
WP1 - Methodology
• Formalisation process
• Criteria for ETCS functions select.
• Constrained natural language
• Constrained UML diagrams
WP2 - Sw/Hw Specs
• User FFFIS
• RationalRose/NuSMV FFFIS
• NuSMV customisation specs
• Computer platform HW/Sw specs
WP3 – Development
• User Interface
• RationalRose/NuSMV Interface
• NuSMV customisation
• Hw/Sw integration
WP4 – ETCS Functions
• Selection of a preliminary set
• Formalisation of the prelim. set
• Selection of the final set
• Formalisation of the final set
WP5 - V&V
• Verification of the preliminary set
• Tools validation
• Verification of the final set
• Validation of the methodology
WP6 – ERA Assistance
• 3 weeks Training
• 6 months Assistance on demand
Goals of the Project
• The implementation of a methodology for the transcription of the ETCS functional specifications by means of formal languages and their formal verification with the use of suitable Hw and Sw tools;
• The realisation of a prototype tool for formal specification and verification and its application to a selected set of ETCS functions;
• The demonstration of the feasibility of the methodology by evaluation of the practicability, verification capability and performance of the prototype, and the best estimate of needs, effort and requirements for its extension to the whole set of ETCS specifications;
• The training and assistance of ERA experts on the application of the methodology as well as on the practical use of the prototype tool;
• Suggestions for further improvements
WP1: Refinement of the formalisation methodology
• WP leader: Angelo Susi (FBK)
• WP participants: Alessandro Cimatti (FBK), Marco Roveri (FBK), Stefano Tonetta (FBK), Luca Macchi (RINA)
• Deliverable
– Methodology document
• More details in FBK presentation
The formalisation steps
• Classification of the requirements in the ETCS specification and informal review/interpretation (when needed)
• Definition of the set of concepts and diagrams in the UML language for each classified requirement, together with the applicable set of constraints
• Model narrowing
• Automatic translation of the constructs into a formal language
• Use of formal analysis for model verification and validation
• Analysis of the results of the formal analysis
• More details in FBK presentation
WP2: Prototype specification
• WP leader: Alessandro Cimatti (FBK)
• WP participants: Alessandro Cimatti (FBK), Marco Roveri (FBK), Roberto Cavada (FBK)
• Deliverables:
– Specification of functionalities of the prototype
– Detailed specification of the sw component
– Implementation plan
• More details in FBK presentation
Tool Architecture
[Architecture diagram: RSA (Rational Software Architect) with MS Word and Requisite Pro inputs; RSA Models; ETCS Plugins (RSA View, MC Frontend); UML2; EMF; NuSMV; Eclipse Plugins API; Eclipse Platform]
More details in FBK presentation
WP3: Prototype implementation
• WP leader: Marco Roveri (FBK)
• WP participants: Alessandro Cimatti (FBK), Marco Pensallorto (FBK), Sergio Mover (FBK), Alessandro Mariotti (FBK), Andrea Micheli (FBK), Roberto Cavada (FBK)
• Output
– Prototype software package integrated with RSA
– User and programmer documentation
• More details in FBK presentation
A snapshot of the tool
[Screenshot: defining the type of formal analysis]
More details in FBK presentation
WP 4 – Implementation of ETCS Functions
WP Leader: Federico Caruso (RINA)
WP participants: Luca Macchi (RINA), Angelo Susi (FBK), Axel Schulz-Klingner (GP), Klaus-Peter Zurek (GP)
Outputs:
• Technical Report on selection of ETCS functions (preliminary and final)
• Output files with structured and annotated ETCS requirements and related UML Diagrams.
WP 4 – Implementation of ETCS Functions
Steps
• Selection of the preliminary set of ETCS requirements among those foreseen in the contract, possibly integrating them with other related statements found in the SRS;
• Capture of the preliminary ETCS requirements, classification and structuring by the use of RequisitePro and Microsoft Word based texts;
• Formalisation of the preliminary requirements in constrained UML Diagrams by the use of the IBM/RSA tool, integrated with textual constraints written in CNL;
• Interaction with the tools verification activities in order to check the correctness and the feasibility of the formalisation;
• Repetition, after consolidation of the methodology, of the above process for the full set of ETCS requirements.
WP 4 – Implementation of ETCS Functions
Main criteria for the identification of a reduced set of ETCS functions for setting up the formalisation methodology:
• Relevance of the chosen subset of specifications in the ETCS context;
• Exhaustiveness in terms of statement categories (i.e. including the most important typologies of ETCS statements) and compliance with the ERA demands;
• Feasibility of the full evaluation of the selected set of SRS requirements within the contractual time constraints;
• Significance of the examples for a final sound judgement of the feasibility of the proposed formalisation methodology.
WP 4 – Implementation of ETCS Functions (1)
Identification of a representative set of ETCS functions for implementation in the prototype (SRS - Subset026 v. 2.3.0)
• High level functional architecture of an ETCS Level 2 system (SRS Chap. 2.5.3) and related trackside sub-system (SRS Chap. 2.5.1) and on-board sub-system (SRS 2.5.2);
• Track-train data exchange, related to train supervision, between an ETCS Level 2 track-side sub-system and two or more train sub-systems in full supervision operation;
• Allocation of functions in the trackside sub-system for Level 2 application as per Chap. 2.6.6.2.2 of SRS (e.g. “MA management” and “RBC-RBC Handover”) and in the on-board sub-system as per Chap. 2.6.6.2.4 (e.g. “MA management”, “Speed supervision” and “Generation of braking curves”);
WP 4 – Implementation of ETCS Functions (2)
• Consistency of track-train exchanged data (SRS 3.4.4 and 3.16.2.3):
– Check of the linking data consistency on track-side;
– Check of the linking data consistency on-board;
– Check of the linking data consistency between track-side and on-board;
• Determine the actual train speed and location (SRS 3.6.1-3.6.5):
– Determine train location referred to the LRBG (as understood on-board and on track-side in different operational conditions);
– Report train position according to a request of the RBC, or in case of no RBC request;
• Manage Movement Authority (SRS 3.8):
– Request MA cyclically with respect to the approach of the target point or the MA timer elapsing (SRS 3.8.2.3);
• Supervise the train speed (SRS 3.13):
– Dynamic speed monitoring based on brake model, MRSP, MA data, gradient profile, release speed etc.
WP 4 – Implementation of ETCS Functions
[ETCS System Architecture diagram, with FIS/FFFIS interfaces: externals – Train, Driver, JRU Downloading tool, National System; ETCS Onboard – Kernel, MMI, TIU, Juridical Recording, STM, Odometry, BTM, LTM, EURORADIO, GSM Mobile; ETCS Trackside – EUROBALISE, EUROLOOP, Radio infill unit, GSM fixed network, EURORADIO, RBC 1, RBC 2, Key Management Centre, Interlocking and LEU, Control Centre]
WP 4 – Main achievements (1)
1. Traceability: The traceability between the Subset026 text and the different parts of the model is ensured by a close interaction between RequisitePro and RSA. Possible comments, subjective interpretations and the needed integrations of Subset026 statements (even though minimised as much as possible) are also highlighted within RequisitePro.
2. Multi-level Visibility: RSA allows for an easy visualisation and handling (check, modification etc.) of only the desired parts of the final model (roughly linked to a defined section of Subset026), despite its huge complexity, while keeping all the logical links with the rest of the model. Some examples will be shown in the model presentation.
3. Incremental approach: The overall ETCS model is started from the most general definition of the System Architecture given in Chap. 2. Some components are only modelled at their highest level of abstraction, while others, more fitted to the scope of this Project, are worked out more and more deeply as new sentences and definitions of Subset026 are elaborated. More details in the model presentation.
WP4 – Main achievements (2)
4. Rules for classification of SRS statements: Definitions, Characteristics and Attributes are modelled with Class Diagrams, while Functions or Activities are modelled with State Charts. Explanations, Clarifications, Summaries and Examples are noted for consideration in the verification and validation phase.
5. Constrained Natural Language (CNL), based on logical and arithmetical formulations, for expressing special statements complementing the UML diagrams.
6. Step by step approach: system modelling evolving with the sequence of the sentences found in the defined chapters of Subset026 and with subsequent integration of the model as soon as new related statements are elaborated. Minimised interpretations/integrations based on background knowledge!
7. Structured approach to the specifications: early discovery of missing definitions and minor inconsistencies that could lead to misinterpretations (e.g. balise telegram reception). More details in the model verification.
WP 5 – Verification and Validation of the proposed Methodology
WP Leader: Federico Caruso (RINA)
WP participants: Luca Macchi (RINA), Berardino Vittorini (RINA), Axel Schulz-Klingner (GP), Klaus-Peter Zurek (GP), Angelo Susi (FBK)
Deliverables:
• Description of the defined Test Scenarios for model verifications;
• Traces of the model behaviour corresponding to the implemented Test Scenarios;
• Output files with structured ETCS statements, related UML Diagrams, formal specifications, selected problems and verification results.
Generalised Test scenario - Stretch of High Speed Railway Line with ETCS LEV2
[Line diagram: RBC to RBC Handover, from 0 km to 50.0 km]
WP 5 – Verification and Validation of the proposed Methodology
Basic steps of formal verification:
– Instantiation of the generalised ETCS model or of parts of it in well
defined “generalised scenarios” (e.g. two trains running over a
specified ETCS Lev. 2 line). Model verification by the use of
Sequence Diagrams or CNL statements or combinations of both.
– The “generalised scenarios” are characterised as much as possible
by the most suitable level of model narrowing (e.g. the whole
possible range of train speed rather than a finite set of values). This
overcomes the limitations of classical “test by scenarios” where
reduced combinations of test conditions are considered instead of
the actual infinite possible combinations of the real world.
– The model checker, while evaluating the behaviour of the
generalised test scenarios, provides a friendly way of tracing each
status reached by the model as well as the values assumed by its
parameters.
Main concepts of formal verification
1. Generalised test scenarios for model verification, based on instantiations of the general ETCS model, or of parts of it, to typical situations characterised by logical sequencing or predictable time-based events.
2. Consistency checking: formal verification of the existence of at least one solution fulfilling the given properties and constraints of the narrowed model.
3. Property checking: formal verification of the fulfilment of special properties (positive or negative) added to the model in all its possible behaviours (e.g. an unsafe property – two trains on the same position – added to the model for checking its safe behaviour).
4. Scenario checking: matching of pre-defined events within a time-based sequence (e.g. change of a given model status or fulfilment of a given combination of constraints).
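As an added example (not the project's NuSMV/RSA tooling, and not code from the original slides), the following Python script carries the WP5 verification steps and the four concepts above through on a constructed two-train ETCS Level 2 toy model: it explores every admissible speed (model narrowing) and runs a property check for the unsafe property "two trains on the same block" against both a correct and a deliberately defective RBC Movement Authority rule, a consistency check for a reachable goal, and a scenario check for an ordered sequence of events. TRACK_LEN, V_MAX, HANDOVER, both MA rules and the initial train positions are assumptions.

```python
"""Toy explicit-state model checker for two trains on an ETCS Level 2 line.
Constructed example, not the project's NuSMV/RSA tooling.  Each cycle the RBC
issues a Movement Authority (MA) to each train, which then advances 0..V_MAX
blocks without passing its MA end (all admissible speeds are explored)."""
from collections import deque
from itertools import product

TRACK_LEN = 8   # assumed: blocks 0..7
V_MAX = 2       # assumed: max blocks advanced per cycle
HANDOVER = 4    # assumed: RBC1/RBC2 border block

def ma_safe(pos, idx):
    """Correct RBC rule: MA ends one block before the nearest train ahead."""
    ahead = [p for j, p in enumerate(pos) if j != idx and p > pos[idx]]
    return min(ahead) - 1 if ahead else TRACK_LEN - 1

def ma_faulty(pos, idx):
    """Defective RBC rule: MA always to end of line, ignoring occupancy."""
    return TRACK_LEN - 1

def successors(state, ma_rule):
    """All next states: each train advances 0..V_MAX blocks within its MA."""
    choices = [{min(p + v, ma_rule(state, i)) for v in range(V_MAX + 1)}
               for i, p in enumerate(state)]
    return set(product(*choices))

def trace(parent, node):   # rebuild the path from the initial node to `node`
    path = []
    while node is not None:
        path.append(node)
        node = parent[node]
    return path[::-1]

def search(init, ma_rule, target, events=()):
    """BFS over (state, events matched so far): shortest trace to a node
    satisfying `target`, or None.  With no events this is plain reachability."""
    def step(state, k):   # match at most one event per visited state
        return k + 1 if k < len(events) and events[k](state) else k
    start = (init, step(init, 0))
    parent, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if target(*node):
            return [s for s, _ in trace(parent, node)]
        for t in successors(node[0], ma_rule):
            nxt = (t, step(t, node[1]))
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None

def property_check(init, ma_rule, invariant):
    """None if `invariant` holds in every reachable state, else a counterexample."""
    return search(init, ma_rule, lambda s, _: not invariant(s))
def consistency_check(init, ma_rule, goal):
    """Witness trace to some reachable state satisfying `goal`, or None."""
    return search(init, ma_rule, lambda s, _: goal(s))
def scenario_check(init, ma_rule, events):
    """Trace of an execution in which the event predicates occur in order."""
    return search(init, ma_rule, lambda _, k: k == len(events), events)

def no_collision(state):   # negation of the unsafe property "two trains on one block"
    return len(set(state)) == len(state)

if __name__ == "__main__":
    init = (0, 2)   # constructed initial blocks of train 0 and train 1
    print("safe RBC  :", property_check(init, ma_safe, no_collision))
    print("faulty RBC:", property_check(init, ma_faulty, no_collision))
    print("consistent:", consistency_check(init, ma_safe, lambda s: min(s) > HANDOVER))
    print("scenario  :", scenario_check(init, ma_safe, [lambda s: s[1] > HANDOVER, lambda s: s[0] > HANDOVER]))
```

A returned trace is the counterexample (or witness) a model checker reports: with the faulty RBC the first violation is reached in one cycle, while the correct rule leaves the collision state unreachable over the whole narrowed state space.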
WP 6 – Training and Assistance
WP Leader: Federico Caruso (RINA)
WP participants: Alessandro Cimatti (FBK), Luca Macchi (RINA)
This WP is starting with this workshop, involving ERA representatives as well as representatives of Institutional Bodies involved with ETCS specification and test activities.
Main aims:
– To train ERA experts and other interested experts in the use of the tool;
– To outline an editorial review of the implemented ETCS specifications in order to check the interpretation of some unclear statements
Deliverables:
– One two-day General Workshop (9-10 Oct. 2008)
– Three one-week training sessions (week 43, week 45 and week 48);
– Training material;
– Reports on interventions of technical assistance.
Participation:
– At discretion of ERA;
Project Time-schedule and milestones
We thank all of you for your kind attention
Please send any ideas, comments or suggestions to any one of us:
– berardino.vittorini@rina.org
– Federico.caruso@rina.org
– cimatti@fbk.eu
– Axel.Schulz-Klingner@graband-bs.de
Many thanks to FBK for hosting this meeting