IT 16 014
Degree project, 15 credits
March 2016
Improving formal analysis of
computerised rail traffic control
systems using domain models
Karin Ahlman
Department of Information Technology
Faculty of Science and Technology, UTH unit. Visiting address: Ångströmlaboratoriet, Lägerhyddsvägen 1, Hus 4, Plan 0. Postal address: Box 536, 751 21 Uppsala. Telephone: 018 – 471 30 03. Fax: 018 – 471 30 00. Website: http://www.teknat.uu.se/student
Abstract
Improving formal analysis of computerised rail traffic
control systems using domain models
Karin Ahlman
During the formal analysis of a computerized railway control system, it may be difficult to understand if a found counterexample to a requirement is a scenario which can happen in the real world or not. By putting sensible constraints on the inputs to the system, i.e. by defining a domain model for the system, some impossible scenarios are excluded from the formal analysis, which means that the formal analysis is simplified. This thesis presents a domain model for railway control systems, expressing constraints on how trains can behave in a railway network. The railway network is abstracted into a simple graph structure and the model is described in a temporal predicate logic using operators for the initial (I) and the next (X) value. The model is carefully defined in order not to introduce any unrealistic behavior.
Printed by: Reprocentralen ITC, IT 16 014
Examiner: Olle Gällmo
Subject reviewer: Lars-Henrik Eriksson. Supervisor: Olav Bandmann
Formulas are built from the following grammar, where $P$ is a predicate symbol of arity $n \geq 1$, $t_1, t_2, \ldots, t_n$ are terms and $x$ is a variable:
$$\varphi ::= P(t_1, t_2, \ldots, t_n) \mid \neg\varphi \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \varphi \Rightarrow \varphi \mid \varphi \Leftrightarrow \varphi \mid \forall x\,\varphi \mid \exists x\,\varphi \mid I(\varphi) \mid X(\varphi)$$
The connectives are negation $\neg$, the quantifiers $\forall x$ and $\exists x$, and $\wedge$, $\vee$, $\Rightarrow$, $\Leftrightarrow$. A definition written $P(x) := \varphi$ abbreviates $P(x) \Leftrightarrow \varphi$.
As an example, take three blocks $b_1, b_2, b_3$ and a predicate $\mathit{Occupied}(b_i)$ that holds exactly when block $b_i$ is occupied. The formula
$$\mathit{Occupied}(b_1) \wedge \neg\mathit{Occupied}(b_2) \wedge \neg\mathit{Occupied}(b_3)$$
says that $b_1$ is occupied while $b_2$ and $b_3$ are not, and
$$\neg(\mathit{Occupied}(b_1) \wedge \mathit{Occupied}(b_2) \wedge \mathit{Occupied}(b_3))$$
says that the three blocks are not all occupied at the same time.
The operators $I$ and $X$ refer to time. For a predicate $P$ and an argument $z$, $X(P(z))$ denotes the value of $P(z)$ in the next state and $I(P(z))$ its initial value. With predicates $A$ and $B$ over $x$, the definitions
$$I(A(x)) := \mathit{false}, \qquad X(A(x)) := A(x) \vee B(x)$$
make $A(x)$ initially false and thereafter true from the first state in which $A(x)$ or $B(x)$ holds. $X$ also relates values in consecutive states, as in
$$\neg(\mathit{Occupied}(b_1) \wedge X(\mathit{Occupied}(b_3)))$$
which forbids $b_3$ from being occupied in the next state while $b_1$ is occupied now, and a predicate whose value never changes satisfies $P(a) \leftrightarrow X(P(a))$ for every $a$.
$B$ is the set of blocks, and $b$, $b_i$ range over $B$. $\mathit{Occ}(b)$ holds exactly when block $b$ is occupied. $\mathit{Next\_block}(b_i, b_j)$ holds when $b_j$ is the next block after $b_i$, that is, when $b_i$ is the block before $b_j$. For instance, with $B = \{b_1, b_2\}$ and the track running from $b_1$ to $b_2$, $\mathit{Next\_block}(b_i, b_j)$ holds for $i = 1$, $j = 2$. The railway network is thus the directed graph $(B, \mathit{Next\_block})$.
$\mathit{Next\_block}$ is irreflexive:
$$\forall b \in B\,[\neg\mathit{Next\_block}(b, b)]$$
A block $b \in B$ is an end block when it has at most one adjacent block:
$$\mathit{End}(b) := \neg\exists b_i, b_j \in B\,[\,b_i \neq b_j \wedge (\mathit{Next\_block}(b, b_i) \vee \mathit{Next\_block}(b_i, b)) \wedge (\mathit{Next\_block}(b, b_j) \vee \mathit{Next\_block}(b_j, b))\,]$$
A linear block has exactly one next block and exactly one previous block:
$$\mathit{Linear}(b) := \exists! b_i\,[\mathit{Next\_block}(b, b_i)] \wedge \exists! b_i\,[\mathit{Next\_block}(b_i, b)]$$
Switches come in two kinds, $\mathit{Even\_switch}$ and $\mathit{Odd\_switch}$, depending on whether the two legs of the fork lie in the direction of $\mathit{Next\_block}$ or against it:
$$\mathit{Even\_switch}(b) := \exists! b_i\,\exists! b_j\,\exists! b_k\,[\,b_i \neq b_j \wedge b_i \neq b_k \wedge b_j \neq b_k \wedge \mathit{Next\_block}(b_i, b) \wedge \mathit{Next\_block}(b, b_j) \wedge \mathit{Next\_block}(b, b_k)\,]$$
$$\mathit{Odd\_switch}(b) := \exists! b_i\,\exists! b_j\,\exists! b_k\,[\,b_i \neq b_j \wedge b_i \neq b_k \wedge b_j \neq b_k \wedge \mathit{Next\_block}(b_i, b) \wedge \mathit{Next\_block}(b_j, b) \wedge \mathit{Next\_block}(b, b_k)\,]$$
$$\mathit{Switch}(b) := \mathit{Even\_switch}(b) \vee \mathit{Odd\_switch}(b)$$
Every block $b \in B$ must be of exactly one of these three kinds:
$$\forall b \in B\,[\mathit{End}(b) \vee \mathit{Linear}(b) \vee \mathit{Switch}(b)]$$
$\mathit{Fork\_path}(b_i, b_j)$ holds when $b_j$ lies on one of the two forking legs of $b_i$, i.e. when there is another block $b_k$ adjacent to $b_i$ on the same side as $b_j$:
$$\mathit{Fork\_path}(b_i, b_j) := \exists b_k\,[\,b_j \neq b_k \wedge ((\mathit{Next\_block}(b_i, b_j) \wedge \mathit{Next\_block}(b_i, b_k)) \vee (\mathit{Next\_block}(b_j, b_i) \wedge \mathit{Next\_block}(b_k, b_i)))\,]$$
Hence for a switch $b$ with legs $b_i \neq b_j$, both $\mathit{Fork\_path}(b, b_i)$ and $\mathit{Fork\_path}(b, b_j)$ hold, and $\mathit{Fork\_path}(b_i, b_j)$ for $b_i, b_j \in B$ implies $\mathit{Switch}(b_i)$, with $b_j$ on one of its legs.
$\mathit{Locked\_in\_position}(b_i, b_j)$ holds when switch $b_i$ is locked in the position leading towards $b_j$. Two adjacent blocks $b_i$ and $b_j$ are open to each other when every fork between them is locked towards the other block:
$$\mathit{Open}(b_i, b_j) := (\mathit{Next\_block}(b_i, b_j) \vee \mathit{Next\_block}(b_j, b_i)) \wedge (\mathit{Fork\_path}(b_i, b_j) \Rightarrow \mathit{Locked\_in\_position}(b_i, b_j)) \wedge (\mathit{Fork\_path}(b_j, b_i) \Rightarrow \mathit{Locked\_in\_position}(b_j, b_i))$$
If neither $b_i$ nor $b_j$ is a switch with the other on a leg, $\mathit{Open}$ reduces to adjacency; otherwise it additionally requires the corresponding $\mathit{Locked\_in\_position}$.
A switch is never locked in two positions at once, and a locked position can only be followed by the same position or by no lock at all, so changing position requires passing through an unlocked state:
$$\forall b_i, b_j, b_k \in B\,[\,b_j \neq b_k \Rightarrow \neg(\mathit{Locked\_in\_position}(b_i, b_j) \wedge \mathit{Locked\_in\_position}(b_i, b_k))\,]$$
$$\forall b_i, b_j, b_k \in B\,[\,b_j \neq b_k \Rightarrow \neg(\mathit{Locked\_in\_position}(b_i, b_j) \wedge X(\mathit{Locked\_in\_position}(b_i, b_k)))\,]$$
While $\mathit{Locked\_in\_position}(b_i, b_j)$ holds, $b_i$ is open only towards $b_j$ on the forked side.
$\mathit{Occ}(b)$ changes its value, i.e. $\mathit{Occ}(b) \neq X(\mathit{Occ}(b))$, in two cases:
• a train enters $b$;
• a train leaves $b$.
In both cases the train passes between $b$ and an adjacent block $b'$, so unless $b$ is an end block there must be a $b'$ that is occupied and open towards $b$ both now and in the next state:
$$\forall b \in B\,[\,\mathit{Occ}(b) \neq X(\mathit{Occ}(b)) \Rightarrow \mathit{End}(b) \vee \exists b'\,[\mathit{Occ}(b') \wedge \mathit{Open}(b, b') \wedge X(\mathit{Occ}(b') \wedge \mathit{Open}(b, b'))]\,]$$
The train model has a set $T = \{t_1, \ldots, t_l\}$ of trains and a set $P = \{p_1, \ldots, p_m\}$ of train positions. For $p \in P$, $\mathit{P\_occ}(p)$ holds when position $p$ is occupied, and $\mathit{Position\_for}(p, t)$ holds when $p$ is a position of train $t$. The positions of a train $t \in T$ are
$$P_t := \{p \in P \mid \mathit{Position\_for}(p, t)\}$$
$\mathit{Next\_position}(p_i, p_j)$ holds when $p_j$ is the position reached after $p_i$. $(P, \mathit{Next\_position})$ is a graph, and for each $t \in T$ its restriction $(P_t, \mathit{Next\_position}|_{P_t})$ describes the possible movements of $t$. Positions are not shared between trains:
$$\neg\exists p \in P\,[\exists t_i, t_j \in T\,[\mathit{Position\_for}(p, t_i) \wedge \mathit{Position\_for}(p, t_j)]]$$
and $\mathit{Next\_position}$ only relates positions belonging to the same train:
$$\forall p_i, p_j \in P\,[\mathit{Next\_position}(p_i, p_j) \Rightarrow \exists t \in T\,[\mathit{Position\_for}(t, p_i) \wedge \mathit{Position\_for}(t, p_j)]]$$
For example, a train $t$ may have the six positions $\{p_1, \ldots, p_6\}$, ordered by $\mathit{Next\_position}$. $\mathit{Pt\_occ}(p, t)$ holds when train $t$ is at position $p$:
$$\mathit{Pt\_occ}(p, t) := \mathit{P\_occ}(p) \wedge \mathit{Position\_for}(p, t)$$
Each train is at exactly one of its positions, and its position in the next state is related by $\mathit{Next\_position}$ to its current one:
$$\forall t \in T\,\exists! p \in P_t\,[\mathit{Pt\_occ}(p, t)]$$
$$\forall t \in T\,\forall p_j, p_k \in P_t\,[\,\mathit{Pt\_occ}(p_j, t) \wedge X(\mathit{Pt\_occ}(p_k, t)) \Rightarrow \mathit{Next\_position}(p_j, p_k) \vee \mathit{Next\_position}(p_k, p_j)\,]$$
The two models are connected by $\mathit{Position}(b, p)$, which holds when block $b$ is covered by position $p$. A block is occupied exactly when an occupied position covers it:
$$\forall b \in B\,[\mathit{Occ}(b) \Leftrightarrow \exists p \in P\,[\mathit{Position}(b, p) \wedge \mathit{P\_occ}(p)]]$$
Consider two trains $t_1$ and $t_2$ with positions $p_1 \in P_{t_1}$ and $p_2 \in P_{t_2}$ that both cover block $b_3$ of a line $b_1, \ldots, b_5$. Such sharing is only sensible at the outer blocks of the positions. A block $b$ is an utmost block of position $p$ when $p$ covers $b$ but not some block adjacent to $b$:
$$\mathit{Utmost}(b, p) := \mathit{Position}(b, p) \wedge \exists b'\,[(\mathit{Next\_block}(b, b') \vee \mathit{Next\_block}(b', b)) \wedge \neg\mathit{Position}(b', p)]$$
Two distinct occupied positions $p_1$ and $p_2$ may share a block $b$ only if $b$ is an utmost block of both:
$$\forall p_i, p_j \in P\,\forall b \in B\,[\,p_i \neq p_j \wedge \mathit{P\_occ}(p_i) \wedge \mathit{P\_occ}(p_j) \wedge \mathit{Position}(b, p_i) \wedge \mathit{Position}(b, p_j) \Rightarrow \mathit{Utmost}(b, p_i) \wedge \mathit{Utmost}(b, p_j)\,]$$
The block model uses the predicates $\mathit{Occ}$, $\mathit{Next\_block}$, $\mathit{End}$, $\mathit{Linear}$, $\mathit{Even\_switch}$, $\mathit{Odd\_switch}$, $\mathit{Switch}$, $\mathit{Fork\_path}$, $\mathit{Locked\_in\_position}$ and $\mathit{Open}$.
• $I(\mathit{Occ}(b))$: no block is occupied in the initial state,
$$\forall b \in B\,[I(\mathit{Occ}(b)) := \mathit{False}]$$
• $\mathit{Occ}(b) := \mathit{False}$ for $b \in B$.
• $\mathit{Locked\_open}(b_i, b_j) := \mathit{True}$ for $b_i, b_j \in B$.
• For $n \geq 2$, a switch that is unlocked stays unlocked for the following $n$ states (with $X$ applied $n$ times in the last conjunct):
$$\forall b \in B\,\exists b' \in B\,[\,\mathit{Locked\_in\_position}(b, b') \wedge \neg X(\mathit{Locked\_in\_position}(b, b')) \Rightarrow \neg\exists b' \in B\,[XX(\mathit{Locked\_in\_position}(b, b'))] \wedge \ldots \wedge \neg\exists b' \in B\,[\underbrace{XX \ldots X}_{n}(\mathit{Locked\_in\_position}(b, b'))]\,]$$
• Switches $b_i, b_j, b_k$ and $b'_i, b'_j, b'_k$ that are operated together are locked together:
$$\mathit{Locked\_open}(b_i, b_j) \Leftrightarrow \mathit{Locked\_open}(b'_i, b'_j)$$
• A block $b_j$ between $b_i$ and $b_k$ that a train leaves, or enters, does not have occupied and open neighbours on both sides at the same time:
$$\mathit{Next\_block}(b_i, b_j) \wedge \mathit{Next\_block}(b_j, b_k) \wedge \mathit{Occ}(b_j) \wedge \neg X(\mathit{Occ}(b_j)) \Rightarrow \neg((\mathit{Occ}(b_i) \wedge \mathit{Open}(b_j, b_i)) \wedge (\mathit{Occ}(b_k) \wedge \mathit{Open}(b_j, b_k)))$$
$$\mathit{Next\_block}(b_i, b_j) \wedge \mathit{Next\_block}(b_j, b_k) \wedge \neg\mathit{Occ}(b_j) \wedge X(\mathit{Occ}(b_j)) \Rightarrow \neg(X(\mathit{Occ}(b_i) \wedge \mathit{Open}(b_j, b_i)) \wedge X(\mathit{Occ}(b_k) \wedge \mathit{Open}(b_j, b_k)))$$
For a network $b_1, \ldots, b_n$ connected by $\mathit{Next\_block}(b_i, b_j)$, one property considered for a block $b_i \in B$ relates the initial occupancy of all blocks to the occupancy of $b_i$:
$$\forall b \in B\,[\neg I(\mathit{Occ}(b))] \Rightarrow \neg\mathit{Occ}(b_i)$$
The trains are $t_1, \ldots, t_n$ and the set of blocks is
$$B = \{b_1, \ldots, b_n\}$$
Summary of the block model. $\mathit{Next\_block}(b_i, b_j)$: $b_j$ is the next block after $b_i$ ($b_i$ is the block before $b_j$). $\mathit{End}(b)$: $b$ is an end block. $\mathit{Linear}(b)$: $b$ is a linear block. $\mathit{Even\_switch}(b)$, $\mathit{Odd\_switch}(b)$, $\mathit{Switch}(b)$: $b$ is a switch of the respective kind. $\mathit{Fork\_path}(b_i, b_j)$: $b_j$ lies on a forking leg of $b_i$.
$$\mathit{End}(b) := \neg\exists b_i, b_j \in B\,[\,b_i \neq b_j \wedge (\mathit{Next\_block}(b, b_i) \vee \mathit{Next\_block}(b_i, b)) \wedge (\mathit{Next\_block}(b, b_j) \vee \mathit{Next\_block}(b_j, b))\,]$$
$$\mathit{Linear}(b) := \exists! b_i\,[\mathit{Next\_block}(b, b_i)] \wedge \exists! b_i\,[\mathit{Next\_block}(b_i, b)]$$
$$\mathit{Even\_switch}(b) := \exists! b_i\,\exists! b_j\,\exists! b_k\,[\,b_i \neq b_j \wedge b_i \neq b_k \wedge b_j \neq b_k \wedge \mathit{Next\_block}(b_i, b) \wedge \mathit{Next\_block}(b, b_j) \wedge \mathit{Next\_block}(b, b_k)\,]$$
$$\mathit{Odd\_switch}(b) := \exists! b_i\,\exists! b_j\,\exists! b_k\,[\,b_i \neq b_j \wedge b_i \neq b_k \wedge b_j \neq b_k \wedge \mathit{Next\_block}(b_i, b) \wedge \mathit{Next\_block}(b_j, b) \wedge \mathit{Next\_block}(b, b_k)\,]$$
$$\mathit{Switch}(b) := \mathit{Even\_switch}(b) \vee \mathit{Odd\_switch}(b)$$
$$\mathit{Fork\_path}(b_i, b_j) := \exists b_k\,[\,b_j \neq b_k \wedge ((\mathit{Next\_block}(b_i, b_j) \wedge \mathit{Next\_block}(b_i, b_k)) \vee (\mathit{Next\_block}(b_j, b_i) \wedge \mathit{Next\_block}(b_k, b_i)))\,]$$
$\mathit{Occ}(b)$: block $b$ is occupied. $\mathit{Locked\_in\_position}(b_i, b_j)$: switch $b_i$ is locked in the position leading towards $b_j$. $\mathit{Open}(b_i, b_j)$: a train can pass between $b_i$ and $b_j$.
$$\mathit{Open}(b_i, b_j) := (\mathit{Next\_block}(b_i, b_j) \vee \mathit{Next\_block}(b_j, b_i)) \wedge (\mathit{Fork\_path}(b_i, b_j) \Rightarrow \mathit{Locked\_in\_position}(b_i, b_j)) \wedge (\mathit{Fork\_path}(b_j, b_i) \Rightarrow \mathit{Locked\_in\_position}(b_j, b_i))$$
Constraints on the network and on switch locking:
$$\forall b \in B\,[\neg\mathit{Next\_block}(b, b)]$$
$$\forall b \in B\,[\mathit{End}(b) \vee \mathit{Linear}(b) \vee \mathit{Switch}(b)]$$
$$\forall b_i, b_j, b_k \in B\,[\,b_j \neq b_k \Rightarrow \neg(\mathit{Locked\_in\_position}(b_i, b_j) \wedge \mathit{Locked\_in\_position}(b_i, b_k))\,]$$
$$\forall b_i, b_j, b_k \in B\,[\,b_j \neq b_k \Rightarrow \neg(\mathit{Locked\_in\_position}(b_i, b_j) \wedge X(\mathit{Locked\_in\_position}(b_i, b_k)))\,]$$
Constraint on changes of occupancy:
$$\forall b \in B\,[\,\mathit{Occ}(b) \neq X(\mathit{Occ}(b)) \Rightarrow \mathit{End}(b) \vee \exists b'\,[\mathit{Occ}(b') \wedge \mathit{Open}(b, b') \wedge X(\mathit{Occ}(b') \wedge \mathit{Open}(b, b'))]\,]$$
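The block-model predicates, both as introduced in the main text and as restated in this summary, can be executed directly, which makes it easy to check whether a concrete state transition is one the domain model allows. The following Python is an added example, not code from the thesis. The network it uses (blocks b1 to b6 with an even switch at b3, written as a set of Next_block pairs) is constructed for illustration; the functions implement End, Linear, Even_switch, Odd_switch, Switch, Fork_path and Open as defined above, together with the constraints on network shape, switch locking and occupancy change. The nested ∃! in the switch definitions is read as a count on the relation (exactly one incoming and two outgoing blocks, or the reverse).

```python
"""Executable reading of the block-model predicates (added example).

Constructed toy network, not taken from the thesis:
    b1 -> b2 -> b3 -> b4
                 \\-> b5 -> b6
b3 is an Even_switch: one previous block, two next blocks.
"""

# Next_block relation: (b_i, b_j) means b_j is the next block after b_i.
NEXT_BLOCK = {("b1", "b2"), ("b2", "b3"), ("b3", "b4"), ("b3", "b5"), ("b5", "b6")}
BLOCKS = {b for pair in NEXT_BLOCK for b in pair}


def successors(nb, b):
    """Blocks b_j with Next_block(b, b_j)."""
    return {y for x, y in nb if x == b}


def predecessors(nb, b):
    """Blocks b_i with Next_block(b_i, b)."""
    return {x for x, y in nb if y == b}


def neighbours(nb, b):
    return successors(nb, b) | predecessors(nb, b)


def end(nb, b):
    """End(b): no two distinct blocks are adjacent to b."""
    return len(neighbours(nb, b)) <= 1


def linear(nb, b):
    """Linear(b): exactly one next block and exactly one previous block."""
    return len(successors(nb, b)) == 1 and len(predecessors(nb, b)) == 1


def even_switch(nb, b):
    """Even_switch(b): one previous block, two next blocks, all distinct."""
    p, s = predecessors(nb, b), successors(nb, b)
    return len(p) == 1 and len(s) == 2 and not (p & s)


def odd_switch(nb, b):
    """Odd_switch(b): two previous blocks, one next block, all distinct."""
    p, s = predecessors(nb, b), successors(nb, b)
    return len(p) == 2 and len(s) == 1 and not (p & s)


def switch(nb, b):
    return even_switch(nb, b) or odd_switch(nb, b)


def fork_path(nb, bi, bj):
    """Fork_path(b_i, b_j): some b_k != b_j lies on the other leg of b_i.
    Only neighbours of b_i can satisfy the Next_block conjuncts, so the
    quantifier over B is restricted to them."""
    return any(bk != bj and (((bi, bj) in nb and (bi, bk) in nb) or
                             ((bj, bi) in nb and (bk, bi) in nb))
               for bk in neighbours(nb, bi))


def is_open(nb, locked, bi, bj):
    """Open(b_i, b_j): adjacent, and every fork between them is locked towards the other."""
    adjacent = (bi, bj) in nb or (bj, bi) in nb
    return (adjacent
            and (not fork_path(nb, bi, bj) or (bi, bj) in locked)
            and (not fork_path(nb, bj, bi) or (bj, bi) in locked))


def topology_violations(blocks, nb):
    """Next_block is irreflexive and every block is End, Linear or Switch."""
    out = []
    for b in sorted(blocks):
        if (b, b) in nb:
            out.append(f"Next_block({b}, {b}) is reflexive")
        if not (end(nb, b) or linear(nb, b) or switch(nb, b)):
            out.append(f"{b} is neither End, Linear nor Switch")
    return out


def lock_violations(locked_now, locked_next):
    """A switch is locked in at most one position, and a locked position may
    only be followed by the same position or by no lock at all."""
    out = []
    for bi in sorted({x for x, _ in locked_now}):
        now = {y for x, y in locked_now if x == bi}
        nxt = {y for x, y in locked_next if x == bi}
        if len(now) > 1:
            out.append(f"{bi} locked in two positions {sorted(now)}")
        if any(bj != bk for bj in now for bk in nxt):
            out.append(f"{bi} changes lock {sorted(now)} -> {sorted(nxt)} without unlocking")
    return out


def occupancy_violations(blocks, nb, state_now, state_next):
    """Occ(b) != X(Occ(b)) => End(b) or some b' occupied and open towards b
    both now and next. A state is (set of occupied blocks, set of locked pairs)."""
    occ_now, locked_now = state_now
    occ_next, locked_next = state_next
    out = []
    for b in sorted(blocks):
        if (b in occ_now) == (b in occ_next) or end(nb, b):
            continue
        explained = any(b2 in occ_now and is_open(nb, locked_now, b, b2)
                        and b2 in occ_next and is_open(nb, locked_next, b, b2)
                        for b2 in neighbours(nb, b))  # Open requires adjacency
        if not explained:
            out.append(f"{b} changed occupancy with no occupied, open neighbour")
    return out


if __name__ == "__main__":
    print("topology:", topology_violations(BLOCKS, NEXT_BLOCK) or "ok")
    towards_b4 = {("b3", "b4")}
    # A train on b2 enters the switch b3, which is locked towards b4: allowed.
    print(occupancy_violations(BLOCKS, NEXT_BLOCK, ({"b2"}, towards_b4), ({"b2", "b3"}, towards_b4)))
    # A train on b3 shows up on b5 although b3 is locked towards b4: rejected.
    print(occupancy_violations(BLOCKS, NEXT_BLOCK, ({"b3"}, towards_b4), ({"b3", "b5"}, towards_b4)))
```

The second scenario in the `__main__` block is the kind of impossible counterexample the domain model is meant to exclude from formal analysis: without the `Open` constraint, a model checker could report a train reaching b5 while the switch is set towards b4. The same functions flag a train that appears on a non-end block with no occupied neighbour, and `lock_violations` rejects a switch going straight from one locked position to the other.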
Summary of the train model. $P = \{p_1, \ldots, p_m\}$ is the set of train positions and $T = \{t_1, \ldots, t_l\}$ the set of trains. $\mathit{Position\_for}(p, t)$: $p$ is a position of train $t$. $\mathit{Next\_position}(p_i, p_j)$: $p_j$ is the position after $p_i$. $\mathit{P\_occ}(p)$: position $p$ is occupied. $\mathit{Pt\_occ}(p, t)$: train $t$ is at position $p$.
$$\mathit{Pt\_occ}(p, t) := \mathit{P\_occ}(p) \wedge \mathit{Position\_for}(p, t)$$
$$\neg\exists p \in P\,[\exists t_i, t_j \in T\,[\mathit{Position\_for}(p, t_i) \wedge \mathit{Position\_for}(p, t_j)]]$$
$$\forall p_i, p_j \in P\,[\mathit{Next\_position}(p_i, p_j) \Rightarrow \exists t \in T\,[\mathit{Position\_for}(t, p_i) \wedge \mathit{Position\_for}(t, p_j)]]$$
$$\forall t \in T\,\exists! p \in P_t\,[\mathit{Pt\_occ}(p, t)]$$
$$\forall t \in T\,\forall p_j, p_k \in P_t\,[\,\mathit{Pt\_occ}(p_j, t) \wedge X(\mathit{Pt\_occ}(p_k, t)) \Rightarrow \mathit{Next\_position}(p_j, p_k) \vee \mathit{Next\_position}(p_k, p_j)\,]$$
Connection between the models. $\mathit{Position}(b, p)$: block $b$ is covered by position $p$. $\mathit{Utmost}(b, p)$: $b$ is an outermost block covered by $p$.
$$\mathit{Utmost}(b, p) := \mathit{Position}(b, p) \wedge \exists b'\,[(\mathit{Next\_block}(b, b') \vee \mathit{Next\_block}(b', b)) \wedge \neg\mathit{Position}(b', p)]$$
$$\forall b \in B\,[\mathit{Occ}(b) \Leftrightarrow \exists p \in P\,[\mathit{Position}(b, p) \wedge \mathit{P\_occ}(p)]]$$
$$\forall p_i, p_j \in P\,\forall b \in B\,[\,p_i \neq p_j \wedge \mathit{P\_occ}(p_i) \wedge \mathit{P\_occ}(p_j) \wedge \mathit{Position}(b, p_i) \wedge \mathit{Position}(b, p_j) \Rightarrow \mathit{Utmost}(b, p_i) \wedge \mathit{Utmost}(b, p_j)\,]$$