critical embedded systems - institut de recherche en ... · pdf fileembedded systems in...

Critical Embedded Systems for Rail Transport

28/08/13

P.Poisson

Alstom Transport

Bio

• Responsable du programme R&D dans la division Transport –Signalisation- Paris

• Coordinateur du programme de l’IRT SystemX pour Alstom Transport

• Parcours: − Alstom Transport -> ferroviaire − Océ -> Infographie − Schlumberger -> systèmes d’information − Statec -> automatismes industriels

• Compétences: − Informatique industrielle

• Définition des programmes

• Management d’activités R&D

• Process Engineering et outils

• Architecture des systèmes

• Systèmes d’Information

• Automatismes Industriels

2

Pascal Poisson

Embedded systems in Railway domain

Objectives of this presentation:

- Create awareness about the reality and the future of Embedded systems in the rail domain,

- How Engineering efforts can be contained.

Agenda:

• A few words about Rail domain

• Signaling: a large set of complex embedded systems

• Rail systems are safety critical

• Using Formal methods: A way to alleviate V&V activities

• Challenges of today and trends

May 2010

– 4 – Journée SysML – 13 Novembre 2012

Alstom: Four main activities

92,600 employees in 100 countries

Thermal Power sector Equipment & services for power generation

Transport sector Equipment & services for rail transport

Grid sector Equipment & services for power transmission

Renewable Power sector Equipment & services for power generation


Alstom Transport, the only railway multi-specialist

• The only manufacturer in the world to master all businesses of rail sector

• The most complete range of systems, equipments and services: Rolling Stock / Infrastructures / Signalling / Services / Turnkey transport systems

• N°1 in high and very high speed

• N°2 in urban transport (tramways, metros)

• N°2 in signalling

• N°2 in maintenance

24,700 employees in more than 60 countries

6

Rail Control market

€12,000 M

8% of Railway market

Rail Control market

Growth 3.0%

Rail: World Wide Maket size

8


Agenda:

A few words about Rail domain

Signaling: a large set of complex embedded systems

Rail systems are safety critical

Using Formal methods: A way to alleviate V&V activities

Challenges of today and trends

May 2010

9

Innovation opportunities in Rail applications

Main Lines Rail roads

Metro Tramways

National and International trafic • Standards first

Urban-Mass Transit • Mostly autonomous Systems • Performance first

• Open door to breakthroughs

10

on board RT systems

• Traction / breaking control

• Various servo-control systems

• Failure detection and maintenance systems

• Assisted or automatic driving –

• Safety management

• Traffic management

August 2008 -11

On board Signaling Systems

@ INTERNET

ACCES CCTV CCTV

MODEM MODEM

@ INTERNET

ACCES TICKETING

MMI

IO

MODULE

IO

MODULE

MODEM MODEM

ANTENNA

ONBOARD

CONTROL

MODULE

ODOMETER

TICKETING

ODOMETER

MMI

ANTENNA

ONBOARD

CONTROL

MODULE

Signaling systems of a train station

12

Topologie du système

de signalisation

Systèmes critiques

Systèmes de communication

Services aux passagers

Systèmes de maintenance

Opérateurs et systèmes de

Supervision

13

• Ensure Comfort of all

users through traffic

supervision, passenger

information,…

• Reduce

operational costs

through traffic and

asset management

What is Signalling ?

Signalling is at the heart of the transport system

• Ensure Safety of people and trains,

thanks to route control & Train

protection management

• Improve Availability of transport offer

PPE CBTC - Introduction - PPA Reminder

14 PPE CBTC - Introduction - PPA Reminder

Reminder: Global operation requirements

Transport efficiently passengers / freight from point A to point B enforcing :

• The appropriate safety level

• The correct route and speed

• The planned schedules

Whatever the conditions :

∙ Traffic density

∙ Perturbations and failures

A

B


Aligned with major signalling sub-systems

Priority

Catching each other

Speed

Schedules

Nose to nose

Routes

Block

Speed

Interlocking Automatic Train Control

Control Center


Interlocking and Route concept

Priority

Catching each other

Schedules

Nose to nose

Routes Block

Speed

Interlocking


Route concept

A route is a path from one signal to the next via a set of points

Interlocking shall ensure compatibility between routes

Route is a compromise as:

• Too few points in a long route reduces potential for other moves when the long route is set

• Too many points, routes are short and many signals are required.

Interlocking


To ensure that a route can be set or released, Interlocking uses train detection device to check track occupancy

Route element : Train detection

Junction Box

Pair of wheeldetectors

Axle counterBlock Computer

Block limit

Interlocking

Axles

Track Circuits

Track is divided into electrical sections, with a transmitter and a receiver

Train axles are shunting the rails, preventing the transmitted signal to be detected by the receiver

Axle Counters

Each track section is defined by 2 or more counting heads with wheel detectors

An evaluator unit counts/decounts axles entering/leaving the section

Axle counters deliver the count result to the Interlocking

Track is clear when result is 0

Interlocking


ATC and Block concept

Priority

Catching each other

Schedules

Nose to nose

Routes Block

Speed

Automatic Train Control


From tokens to blocks

Basic: when a train leaves the station the entire interstation is locked for it

First enhancement, to allow a second train but to keep distance

Second enhancement, to put as much trains as possible

• Hypothesis for sizing the blocks: •Safe distance between two trains should at least equal to the braking distance •Preceeding train is supposed to be stopped •Distance is calculated for the worst case braking



Third enhancement, to provide protection (ATP) using Speed Code

From signal blocks with ATP to ATC block

In this case: speed limit is sent from track to train (usually through tracks) • Speed limit is computed automatically according to occupation of preceding blocks • On-board equipment will receive speed limit and control train accordingly if needed • Size of blocks still shall be defined according to braking distance • Train location is still done by trackside

Fourth enhancement, to provide protection (ATP) using « Distance To Go » concept

In this case: the train will target a stopping point that it will not cross • Train received information regarding upfront constraints (signals, blocks….) • Train locates itself on the track (using beacons, odometer…) • On-board computer compute a braking curve not to go past closer constraint


0 km/h

60 km/h 30 km/h


Block operation : determines line capacity

• Headway : Blocks determine the “headway” or line throughput of trains

• Each block can detect Trains with its own track circuit or axle counters

• Only 1 Train in each Block

• Red signals mean “Stop”, Yellow light is a warning (depends on IXL principles)

Headway (minutes)

Direction of traffic

Track Circuits

Signal red


23

From Fixed Block to Moving Block


Track Circuit Track Circuit Track Circuit

DISTANCE TO GO

Authorised speed

Stopping point

40 Distance to Go Breaking Curve

Gain

Additional Gain

Automatic Protection CBTC MOVING BLOCK

40 Stopping Point

Moving Block Breaking Curve

40

0

Track Circuit

Speed Code

Speed Code Breaking Curve

Track Circuit Track Circuit

Stopping Point

Speed profile

SPEED CODE

End of Authority



Basic Traffic control and schedule

Priority

Catching each other

Schedules

Nose to nose

Routes Block

Speed

Control Center


Schedule concept in railways

• Traffic control is needed to optimize use of track by trains

• Traffic control runs train only when route can be set to avoid unexpected delays and traffic jams.

• In metros, trains can run following a time table, or respecting a headway

• In case of perturbation control room operator has to have the possibility to modify the traffic

Control Center

26

Time-table versus Headway


2 min 2 min 3 min 3 min

09:53 10:28 12:05 13:57

2 min

• Regulation based on time-table

• Regulation based on headway

Control Center


Conclusion – Signaling basic concepts

To fullfill global needs, rail industry has developed three major concepts:

Control Center


Interlocking

• Route: this is the path that is assigned to a train to go from A to B. Route ensure the basic protection

• Block: this is the concept that permit a safe separation between succeeding trains

• Schedule: this is the concept that permit to make train circulation without stopping for freeing a occupied section of the track


• Agenda:






May 2010

Reference Standard: CENELEC

The EN 50126 standard covers the specification and demonstration of safety for all railway applications, at all levels:

− from complete railway routes − to major systems − to individual and combined sub-systems − to components within these major systems, including those

containing software and hardware.

• the standard also addresses Reliability, Availability, and Maintainability (RAM) when it contributes to Safety.

• EN 50126 is the entry point of parent standard for the other European standards for the railway domain:

− EN 50128: Software, recent update 2011, most constraining − EN 50129: Electronics

Augus008 -29

Safety level is specified

• The safety of a system = the property that the rate of failures with potentially dangerous consequences is low enough to globally reduce the risk (i.e. the probability of injuries, fatalities, damages) to a specified acceptable value.

May 2010

SIL definition ( Safety Integrity Level)

For continuous operation (Probability of Failure per Hour):

SIL PFH PFH (power) RRF

1 0.00001-0.000001 10−5 - 10−6 100,000-1,000,000

2 0.000001-0.0000001

10−6 - 10−7 1,000,000-10,000,000

3 0.0000001-0.00000001

10−7 - 10−8 10,000,000-100,000,000

4 0.00000001-0.000000001

10−8 - 10−9 100,000,000-1,000,000,000

RRF: Risk Reduction Failure

Development Cycle ruled by safety cycle

August 2008 -31

Consider Safety Implications of Project · Review Safety Policy & Safety Targets

Perform Preliminary Hazard Analysis · Establish Safety Plan · Define Tolerability of Risk Criteria

Perform System Hazard & Safety Risk Analysis · Set-Up Hazard Log · Perform Risk Assessment

Specify System Safety Requirements · Define Safety Acceptance Criteria · Define Safety Related Functional Requirements · Establish Safety Management

Implement Safety Plan by Review, Analysis, Testing and Data Assessment, addressing: · Hazard Log · Hazard Analysis & Risk Assessment · Justify Safety Related Design Decisions

Establish Commissioning Program · Implement Commissioning Program · Prepare Application Specific Safety Case

From Generic product to customer case

August 2008 -32

Context: Railway signalling system development

User Need

System specification

Architecture

Design

Implementation

Verification

Validation

Commissioning

Safety critical development process: “Traditional V-Cycle”

Context: Railway signalling system development

Preliminary Hazard Analysis (PHA)

System Hazard Analysis (SHA)

Subsystem Hazard Analysis

Hw / Sw Hazard Analysis

Safety Review

Verification report

Validation report

Certification

Safety critical development process: “Safety Activities”

Assisted safety analysis integrated to the design cycle

May 2010


Model Based Approach

System Design with SysML

From document base SE to model based SE

(SysML)

Build DSL for safety activities

(PHA – FMEA)

Safety early validation with formal modelling

(Altarica)

Traceability


Specification with SysML

Three viewpoints • Operational • Functional : Activities Hierarchy • Constructional: Blocks Hierarchy

Allocation

Iterative process over the constructional hierarchy

CBTC

ATS IXL ZC CC

CC Vital CC

NonVital

Hw Sw Hw Sw

.

.

.

.

.

.


Illustration of System Eng. Concepts in SysML

• Operational viewpoint − Environment of the

system − Context of use

• Functional viewpoint (Function = Activity) − FBS − Functions behaviour

SysML representation of SE concepts



Safety Process & Safety DSL


(SysML)


(PHA – FMEA)


(Altarica)

Traceability


Hazards Analysis on SysML System Specification

PHA Accident Cases

ATS – SHA (FMEA) Effects of functions failures

IXL – SHA (FMEA)

ZC – SHA (FMEA)

CC – SHA (FMEA)

CC NV – SHA (FMEA)

CC V – SHA (FMEA)

FMEA Hw

SwEEA

FMEA Hw

SwEEA Causes

Consequences


Hazard analysis with the DSL


PHA – SHA modelling concepts

PHA

• Identify accident scenarios

SHA

• Exhaustive analysis of all function failures

Products

Functions

BARRIER

reducing the

Accident

Occurence

Operating

Rules

X

Operational

Context

HAZARD X X

BARRIER

reducing the

Accident

Severity

ACCIDENTConsequences of

the ACCIDENT

Conditions

Zone

Mode

Phase

BARRIER

Safety

Requirements

DSL for PHA & SHA interoperable with SysML



Traceability between SysML and Safety DSL


(SysML)


(PHA – FMEA)


(Altarica)

Traceability


Traceability inside Safety model : Failure decomposition

Failures at level i+1 are causes of failures at level i

Failures of low level functions develop to system accidents:

System level

Subsystem level

Low level function Sw failure

Accident

Subsys failure


Propagation of errors

Error are propagated through dataflow links

An erroneous value as input can be the cause of a failure



Formal semantic for safety DSL

Automatic translation


(SysML)


(PHA – FMEA)


(Altarica)

Traceability


Formal semantic for Safety DSL

Why?

− To generate the fault trees, − To compute the sequences, − To preform early validation of the system safety;

What?

− Guarded Transition System: Altarica (Thesis – Point, G. 2000)

How?

− Control flow (event, guard): to model the occurrences of failures, − Data flow: to study errors propagation;


Altarica overview

Textual Syntax to describe GTS

(Garded Transition Systems)

• Hierarchy of Nodes

• Node

• Sub-Nodes

• Data Flow connectors (in/out)

• Events

• States

• Transitions

• Assertions http://altarica.labri.fr


Translation - Overview


• Agenda:






May 2010

Cenelec: expected production and evidences

May 2010

33 artefacts to produce!

Formal Methods

• Demonstrate mathematically that what is produced is equivalent to the intent and is totally deterministic.

• Various techniques are used:

• e.g.: symbolic analysis ( conversion of an expected behavior into automata where paths from root to leaves can be analyzed thus demonstrating inconsistencies or under specifications

• In this session B language is briefly introduced

August 2008 -52

53

Analyse symbolique: synoptique fonctionnel

– 54 – MBAT

Concretely – Step 1

• Specify the system architecture using composite structures

• Specify interactions between components using sequence diagrams

– 55 – MBAT



• Specify interactions between components using sequence diagrams • Combining operators • Data constraint • Timed constraint

– 56 – MBAT




• Translate into a formal

representation (Timed Input Output Symbolic Transition System) – Seamless integration

– 57 – MBAT






• Symbolic execution and projection

A non empty trace ensures a feasible interface

– 58 – MBAT

Concretely – Step 34 • Specify the system architecture using composite structures




• Symbolic execution and projection

• Generate test input sequence for a given component from unitary behavior

– 59 – MBAT

Test execution algorithm (process)

1. Submit to SUT (System Under Test) a sequence of inputs and waiting delays

2. Test execution on SUT produces output sequence and delays

3. Output sequences is merged with input sequences to form input output traces

4. Resulting traces are analyzed in order to provide verdicts

C2

timed input sequence timed output sequence

merge():

timed input-output sequence

C2

<0.5 ms

verdict computation():

• Pass

• WeakPass

• Inconc

• Fail

Diversity Testbed (industrial environment)

Présentation de la méthode B

August 2008 -60

Positionnement du B Système ( Event B)

August 2008 -61

Positionnement du B logiciel

August 2008 -62

Références B Logiciel

August 2008 -63

Références Event B

August 2008 -64

Notion de base

August 2008 -65

Démarche B-Logiciel

August 2008 -66

Principe de preuve

August 2008 -67

Démarche B-Système

August 2008 -68

Cycle de conception traditionnel

August 2008 -69

Cycle de conception B : Validation par preuves formelles

August 2008 -70

Bénéfice de la méthode

August 2008 -71

Comparaison avec d’autres langages

August 2008 -72

Outils de conception

August 2008 -73

Enseignement du B

August 2008 -74


• Agenda:






May 2010

FSF

Deux thématiques:

Plateforme d’exécution Haut niveau d’exigence RAMS

Maitrise de l’exécution d’applicatifs multi-critiques sur multi-cœur

Pré-certification

Démonstrateur préindustriel (TRL 6)

Conception système/logiciel Cadre d’architecture système en adéquation avec les métiers

Conception software composant avec chaine de génération dédié au déploiement sur la plateforme

Validation et vérification continue

Outils et cadres méthodologiques matures (TRL 5 -> 7)

Objectifs

76

Signaling system is a combining of distributed systems in a system of systems

77

CBTC

• Une plateforme d’exécution avec architecture de sécurité • Un produit « logiciel de contrôle embarqué » avec composants de criticités différentes

Contrôle & opération

IXL Supervision

SIL4 exec. product

IXL software

SIL2 exec.

product

supervision software

SIL4 exec. product

C&O software

embarqué

SIL4 exec.

ctrl software

sol

ATO ATP

AP

A new generation of Systems is born: Cooperation of Autonomous Systems

May 2010

…..With an ultimate goal to get autonomous vehicles moving towards their destination in an optimized traffic

May 2010

Alike cars in traffic, each train can keep a safe distance from the vehicle in front, and trace its route to reach the destination in time…. safely

Des défis passionnants en vue…..

• Les systèmes ferroviaires sont en pleine mutation.

• Les systèmes embarqués devront porter l’intelligence de la mobilité des véhicules en sûreté de fonctionnement.

• La complexité résultante nécessite un environnement Engineering à la hauteur des challenges industriels

• La multimodalité et les ouvertures du marché vont accroitre les besoins

May 2010

• Questions

May 2010

www.alstom.com

critical embedded systems - institut de recherche en ... · pdf fileembedded systems in...

Documents