RATP safety approach for railway signalling systems.pdf

25
RATP safety approach for railway signalling systems ReSIST summer School 2007 Pierre CHARTIER ReSIST summer Scho ol 2007 - Pierre CHARTIER - RATP safety approa ch for railway signallin g systems  Summary 1. Intr oduction 2. Har dware fault det ect ion 3. Soft war e fault avoidance 261

Transcript of RATP safety approach for railway signalling systems.pdf

8/9/2019 RATP safety approach for railway signalling systems.pdf

http://slidepdf.com/reader/full/ratp-safety-approach-for-railway-signalling-systemspdf 1/25

RATP safety approach for

railway signalling systemsReSIST summer School 2007

Pierre CHARTIER

ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

 Summary

1. Introduction2. Hardware fault detection

3. Software fault avoidance

261

8/9/2019 RATP safety approach for railway signalling systems.pdf

http://slidepdf.com/reader/full/ratp-safety-approach-for-railway-signalling-systemspdf 2/25

3ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Introduction

Global railway system

Rolling stock

Signalling / Traincontrol system

Infrastructure

Access / Evacuation

Operation / Maintenance

Environment

Station Track

1

Power supply

4ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

‣  Fire / explosion

‣  Derailment / overturning

‣  Panic

‣  Electrocution / burn

‣   Collision

‣  Individual accidents (fall, …)

‣  Others (terrorist attack, natural disaster, structure

breaking, …)

Introduction

Events to be feared at global system level 

1

262

8/9/2019 RATP safety approach for railway signalling systems.pdf

http://slidepdf.com/reader/full/ratp-safety-approach-for-railway-signalling-systemspdf 3/25

5ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Introduction

Transport system overview (METEOR example)

1

1.  video in train

2.   Inter-phone in train

3.   video in platform

4.   Inter-phone in platform

5.   Platform screen doors

6.   onboard equipment

7.   transmission

8.   track-vehicle

communication

9.   interlocking

10.trackside equipment

11.operation control center 

6ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Main protection against collision and derailment

‣  Safety critical mission

Historically 2 types of system

‣  Interlocking

‣  Automatic train protection

Main safety measure : stop all trains and power off thetraction power supply

Introduction

Railway signalling system

1

263

8/9/2019 RATP safety approach for railway signalling systems.pdf

http://slidepdf.com/reader/full/ratp-safety-approach-for-railway-signalling-systemspdf 4/25

7ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Introduction

RATP technical evolution

1970 1990 2000 20101980

Permanent ATPMetro

Permanent ATPRER - SACEM

ManlessMETEOR

CBTCOURAGAN

Fail-safeequipment

Coded processor

Safety-criticalsoftware

B formalmethod

SCADE

RedundantProcessors

1

ManlessL1

Electronicinterlocking

8ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Saturation of RER line A (80’s) SACEM project

‣  Objective :

To increase transport offer by raising train frequency

‣  But incompatibility between

 – train spacing reduction,

 – and traditional signaling

Introduction

 SACEM – RER A

1

264

8/9/2019 RATP safety approach for railway signalling systems.pdf

http://slidepdf.com/reader/full/ratp-safety-approach-for-railway-signalling-systemspdf 5/25

9ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

 Automatic Train Protection‣  Control train spacing

‣  Control train speed

‣  Protect switching zones

‣  Switch between cab signal and trackside signalling

First safety-critical computing system in railways

Introduction

 SACEM – RER A

1

10ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

SACEM functions require the use of computers

Two main concerns :

‣  Detection of errors due to hardware

coded processor 

‣  Avoiding faults in software

formal methods

Introduction

 SACEM – RER A

1

265

8/9/2019 RATP safety approach for railway signalling systems.pdf

http://slidepdf.com/reader/full/ratp-safety-approach-for-railway-signalling-systemspdf 6/25

Hardware fault detection

2

12ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

‣  Based on data and program encoding

‣  Encoding done automatically by specific tools

‣  Detect run-time errors

‣  If an error is detected, the hardware sets the system

in a fail-safe state

Hardware fault detection

Coded processor – main concepts

2

266

8/9/2019 RATP safety approach for railway signalling systems.pdf

http://slidepdf.com/reader/full/ratp-safety-approach-for-railway-signalling-systemspdf 7/25

13ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Hardware fault detection

Coded processor onboard-wayside interface

2

Train ahead

Fail safe

Encoded processing

Encodedfixed data

Inputsencoding

Safety checkedoutputs

Signalling and switching equipment

Data processing

Present train

Wayside

Onboard   Inputsencoding

Safety checkedoutputs

Safety checking

Receiver Transmitter  

Dataprocessing

Transmitter Receiver  

14ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Hardware fault detection

Coded processor 

2

Fail safepower supply

Cabsignal

Fail-safe clock

Signature

Speed anddistancedetector 

Inputsencoding

Transmitter 

Receiver 

Output

Emergency braking

Informationfrom the cabin

Microprocessor 

Coded

treatments

Dated

signature

Dynamic controller 

Reference signature

PROM

Checking

of date

267

8/9/2019 RATP safety approach for railway signalling systems.pdf

http://slidepdf.com/reader/full/ratp-safety-approach-for-railway-signalling-systemspdf 8/25

15ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Data X = functional part X.F and coded part X.C

X.F : NF bits and X.C : NC bits

Tasks for the computer 

‣   Acquisition and coding of the fail-safe inputs

‣  Processing the coded data

‣   Conversion of coded data into fail-safe outputs

‣  Setting the system into restrictive state in case of failure

Hardware fault detection

Coded processor – safety data encoding 

2

16ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Differents kinds of errors :

‣  Arithmetical error 

‣  Operator error 

‣  Operand error 

‣  Memory « non-refreshed » error 

‣  Branch error 

Hardware fault detection

Coded processor – detected errors (1)

2

268

8/9/2019 RATP safety approach for railway signalling systems.pdf

http://slidepdf.com/reader/full/ratp-safety-approach-for-railway-signalling-systemspdf 9/25

17ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Components of the coded part

‣  Arithmetical error ==> remainder r kx

‣  Operator error ==> signature Bx

‣  Operand error ==> signature Bx

‣  memory « non refreshed » error ==> date D

‣  Branch error ==> compensation, tracer 

Hardware fault detection

Coded processor – detected errors (2)

2

18ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Hardware fault detection

Coded processor – architecture

2

Energy supply for

Vital outputs

Fail-safe

Inputs

CES :

Inputsencoding

CUC :CentralProcessing

Unit (coded)

CSS :Outputs

Conversion

CKD :

contrôle

Outputs checking

Coded data stream

Fail-safeOutputs

Safety

Clock 

269

8/9/2019 RATP safety approach for railway signalling systems.pdf

http://slidepdf.com/reader/full/ratp-safety-approach-for-railway-signalling-systemspdf 10/25

19ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Hardware fault detection

Coded processor – Signature predetermination tool (OPS)

2

Run time code

Object code

OPS

Sources

COMPILER 

In uts

Signatures

LINKER 

Compensation

Tables

Signature calculated dynamically

Processor

CKDReferencesignature

(pre computed)

The OPS protects from the compiler failures,

therefore the compiler does not require specific qualification

20ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Setting of safety outputs

‣  rereading of outputs

Hardware fault detection

Coded processor – safety outputs

2

CKD stream

Computed

Outputs

Checking

Relay

NS1CES CUC

CKD

Safety Power

Supply

Fail-safe outputs

Basic PowerSupply

CSS

Safety

Inputs

270

8/9/2019 RATP safety approach for railway signalling systems.pdf

http://slidepdf.com/reader/full/ratp-safety-approach-for-railway-signalling-systemspdf 11/25

21ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Hardware fault detection

Coded processor – safety integrity level 

2

Theoretical result:‣  Coded processor alone→ 10-12 h-1

‣  Including transmission between onboard and

trackside equipment→ 10-9 h-1

 Software fault avoidance

3

271

8/9/2019 RATP safety approach for railway signalling systems.pdf

http://slidepdf.com/reader/full/ratp-safety-approach-for-railway-signalling-systemspdf 12/25

23ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Software fault avoidance

 ATP role

3

ATP’s command of 

emergency braking

emergency braking

speed limitation

Speed

cab signalling

Distancemouvement authority limit

24ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Software fault avoidance

Comunication-based train control (CBTC) systems

3

Data communication system (LAN, radio, inductive-loop…)

onboardequipment

cabsignallocalisation

system

interlockingequipment

power supply

platformequipment

operation control center 

zone

controller section A

zone

controller section BI/O interface

maintenance system

rolling stock

272

8/9/2019 RATP safety approach for railway signalling systems.pdf

http://slidepdf.com/reader/full/ratp-safety-approach-for-railway-signalling-systemspdf 13/25

25ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Software fault avoidance

CBTC operation

3

zone

controller 

track circuit   virtual block

train Aposition

 AB   speed

profile

train B movementauthority limit

26ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

 Automatic Train Protection (ATP)

 Automatic Train Operation (ATO)

 Automatic Train Supervision (ATS)

Software fault avoidance

Comunication-based train control (CBTC) systems

3

273

8/9/2019 RATP safety approach for railway signalling systems.pdf

http://slidepdf.com/reader/full/ratp-safety-approach-for-railway-signalling-systemspdf 14/25

27ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

1988 SACEM - First safety software in railways‣  Usual (unformal) software specification issues

 – lack of global approach with the system designer point of 

view

 – ambiguous, not legible, not coherent, not complete

‣   Validation issues

 – no certitude that the functionnal tests are sufficient

1998 First run of the subway line 14 Météor 

The B method is used to obtain :

‣   a reliable and exact software design from specifications to

runtime code

Software fault avoidance

Formal methods

3

28ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Goal

‣  To get a software which meets completely its functionnal

specification by construction

 Application fields

‣   Sequential code with no interruptions (real time aspects, low

level softwares, operating kernels are not taken into account)

Large spectrum language

‣  Unified framework and continuous process from specification to

code

Software fault avoidance

B formal method 

3

274

8/9/2019 RATP safety approach for railway signalling systems.pdf

http://slidepdf.com/reader/full/ratp-safety-approach-for-railway-signalling-systemspdf 15/25

29ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

High level language‣  Abstract operators for specification needs

‣  Concrete instructions similar to ADA or C one’s

Model oriented approach

‣  Software = data + properties + operations

Refinement process

‣   Translation of the abstract machines into concrete modules,

and finally into code

Proof obligations

‣  Conditions to check to ensure a strict mathematical

construction of softwares

Software fault avoidance

B formal method 

3

30ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

‣  Only equipped train which is located and in automaticmode can have a target.

‣  The trains locations computed by the SWE must becorrect with the actual trains locations on the line.

Software fault avoidance

B formal method – examples of safety properties

3

275

8/9/2019 RATP safety approach for railway signalling systems.pdf

http://slidepdf.com/reader/full/ratp-safety-approach-for-railway-signalling-systemspdf 16/25

31ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Software fault avoidance

B development process

3

Unformal Requirements

B formal specification

B refinement 1

B implementation

Code

B refinement  n

PROOF

PROOF

PROOF

PROOF

Automatic and

Manual code translation

Formal re-expression

32ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Software fault avoidance

B verification process

3

Unformal Requirements

B formal specification

B refinement 1

B implementation

Code

B refinement  n

Functionnal tests

Module tests

Integration tests

B proof obligations=exhaustive testing

276

8/9/2019 RATP safety approach for railway signalling systems.pdf

http://slidepdf.com/reader/full/ratp-safety-approach-for-railway-signalling-systemspdf 17/25

33ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Software fault avoidance

B validation process

3

Unformal Requirements

B refinement 1

Code

B refinement   n

Only for Manual

translation

Formal

re-expression

B formal specification

B implementation

Proof 

 All requirements are traced

within the B model

Proof activities are checked

Code is exhaustively compared

with B implementation

34ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

 AtelierB© : An industrial tool to specify, refine, implement

and prove B modelsStatistics about Météor B model

‣  1150 B components

‣  115 000 lines of B code

‣  27 800 Proof Obligations (all proved)

‣  86 000 lines of « safe » ADA code

Software fault avoidance

B industrialisation

3

277

8/9/2019 RATP safety approach for railway signalling systems.pdf

http://slidepdf.com/reader/full/ratp-safety-approach-for-railway-signalling-systemspdf 18/25

35ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Used by two railway leaders : SIEMENS and ALSTOM

Recent projects :

‣  Canarsie Line (New-York),

‣  North East Line (Singapour)

Projects size has increased more than twofold

Software fault avoidance

B today in railway industry

3

36ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Software fault avoidance

Route V1 to V2Q

Signals M (V2), H, KR, C

Switches 101, 201Signal M (V1)

Interlocking system

V2QV2

201

101

102

202

103

V1QV1

VR

VB

VA

VCZ on e 0 Z on e 2

Zone 1

Zone 13

Zone 4

Zone 3 Zone 5 Zone 7

Zone 6 Zone 8

Zone 9

Zone 10

Zone 11

Zone 12

Track circuit

3

278

8/9/2019 RATP safety approach for railway signalling systems.pdf

http://slidepdf.com/reader/full/ratp-safety-approach-for-railway-signalling-systemspdf 19/25

37ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Software fault avoidance

Main technology onRATP network

‣  Fail-safe relays

‣  Man-machine interface

with button/switchcontrol panel

Increasing cost and

expensive reconfiguration

Relay interlocking 

3

38ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Software fault avoidance

Electronic interlocking 

3

Electronic interlocking

Graph interpreter real-time engine

Configuredinterlocking graphs

Waysideequipments

Genericsignalling rules

Site configuration

V2

Q

V2

20

1

1

01   1

02

2

02

1

03

V1

Q

V1

VR

VB

V A

V

C

Zo

ne

0

Zo

ne

2

Zo

ne

1

Zo

ne

13

Zo

ne

4

Zo

ne

3

Zo

ne

5

Zo

ne

7

Zo

ne

6

Zo

ne

8

Z

o

ne

9

Zo

ne

1

0

Zo

ne

11

Z

o

ne

1

2

Operator 

      o        f        f    -

        l        i      n      e

279

8/9/2019 RATP safety approach for railway signalling systems.pdf

http://slidepdf.com/reader/full/ratp-safety-approach-for-railway-signalling-systemspdf 20/25

39ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Issue: how to be convinced that any combination of 

generic graphs for any site configuration is safe ?

‣  Heavy testing for both supplier and RATP on site

configuration

To reduce test effort for next interlocking sites, formal

proof of safety properties has been considered.

Software fault avoidance

Interlocking validation

3

40ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Software fault avoidance

Interlocking proof 

3

17 refinedproperties

e.g. If a train is moving towards a switchand if the signal is green,then the switch must not move.

Configuredproperties

Site configuration

Configuredinterlocking graphs

Proof engine

Collision

Derailment

Genericfeared events

Interlocking graphs

Validation

280

8/9/2019 RATP safety approach for railway signalling systems.pdf

http://slidepdf.com/reader/full/ratp-safety-approach-for-railway-signalling-systemspdf 21/25

41ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Software fault avoidance

Interlocking proof process (1)

3

Translation process

Safety

properties

Configured

graphs

format 2

Translator 2  Configured

graphs

TECLA

2

Configured

graphs

format 1

Translator 1  Configured

graphs

TECLA

1

Configured

graphs +

properties

TECLA

2

Configuredgraphs +

properties

TECLA

1

+

+2

1

42ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Software fault avoidance

Interlocking proof process (2)

3

Equivalence

system

TECLA

Equivalence

constructor 

Proof engine

ProofLog

Proof Checker 

Evquivalence

OK/KO

Proof 

OK/KO

Proof engine

ProofLog

Proof Checker 

Properties

OK/KO

Proof 

OK/KO

Translation certificationProof certification

Configured

graphs +

properties

TECLA

2Configured

graphs +

properties

TECLA

1

281

8/9/2019 RATP safety approach for railway signalling systems.pdf

http://slidepdf.com/reader/full/ratp-safety-approach-for-railway-signalling-systemspdf 22/25

43ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

The proof engine (from Prover Technology) is based on

combination of SAT techniques and other automatic

proof techniques.

Work in progress

‣  Feasibility is established

‣  Complete proof of a real interlocking configuration is

expected in a few months

Software fault avoidance

Interlocking proof 

3

44ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

For a few years, SCADE has found favour with railway

industry‣  fitted for designing command-control systems

‣  reduces developement cost

‣  facilitates communication between specialist

engineers and software engineers

Software fault avoidance

 Apparition of SCADE tools in railway industry

3

282

8/9/2019 RATP safety approach for railway signalling systems.pdf

http://slidepdf.com/reader/full/ratp-safety-approach-for-railway-signalling-systemspdf 23/25

45ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

‣  based on a declarative synchronous language

Lustre, encapsulated in graphical representation

‣  Software = variables + equations

‣  Time is discrete (var n)N

clocks, temportal operators (pre, when, …)

‣  Equations between inputs and outputs

outn  = Φ(inn, …, inn-p, var n, …, var n-q)

Software fault avoidance

 SCADE brief overview

3

46ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Software fault avoidance

 SCADE proof process (1)

3

Translation process

Safety

properties

System

Code

Translator 2 System

TECLA

2

System

SCADE

Translator 1 System

TECLA

1

System +

properties

TECLA

2

System +properties

TECLA

1

+

+

2

1

283

8/9/2019 RATP safety approach for railway signalling systems.pdf

http://slidepdf.com/reader/full/ratp-safety-approach-for-railway-signalling-systemspdf 24/25

47ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Software fault avoidance

 SCADE proof process (2)

3

Equivalence

system

TECLA

Equivalence

constructor 

Proof engine

ProofLog

Proof Checker 

Evquivalence

OK/KO

Proof 

OK/KO

Proof engine

ProofLog

Proof Checker 

Properties

OK/KO

Proof 

OK/KO

Translation certificationProof certification

System +

properties

TECLA

2

System +

properties

TECLA

1

48ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

Example of safety property :

‣  Two distinct trains must not cross their movement

autority limit

Work in progress

‣  Feasibility on a real site configuration

‣  System requirements specification coverage

‣  Method to complete proof when safety properties arenot totally proved

Software fault avoidance

 SCADE proof 

3

284

8/9/2019 RATP safety approach for railway signalling systems.pdf

http://slidepdf.com/reader/full/ratp-safety-approach-for-railway-signalling-systemspdf 25/25

49ReSIST summer School 2007 - Pierre CHARTIER - RATP safety approach for railway signalling systems

‣  reduce drastically test effort

‣  provide a high level of quality and safety for 

software

‣  are applicable to industrial software projects

‣  but have to take more into account the practical

aspects for using them (cost, competence, …)

Software fault avoidance

Formal methods …

3

Software fault avoidance

RATP renewal program: software development methods

3

SCADE

Redundant

processors

B method

Coded

processor 

Manless CBTCOURAGAN CBTC

L13

L3

L5

L5 WaySideEquipement

L1

L3