iStar Goal Model to Z Formal Model Translation and Model Checking of CBTC Moving Block Interlocking System
Abstract
1 Introduction
2 Background AND Concepts
2.1 iStar Model
2.2 Z Formal Specification
2.3 ProZ Model Checker
2.4 Communications-based Train Control System
2.5 Moving Block Interlocking System
3 iStar Modeling of CBTC Moving Block Interlocking System
3.1 iStar Strategic Dependency Model
3.2 iStar Strategic Rationale Model
4 FormaliZation of the iStar Goal Model
4.1 An Example of Formal Modeling of an iStar Goal Model
4.1.1 Free-type Definition.
4.1.2 Axiomatic Definition.
4.1.3 Initialization of the State.
4.1.4 State Schema of an Actor ATS.
4.2 Computing Limit of Movement Authority
5 Model Checking
5.1 Verification of LTL Properties
Specification 1 | A train’s speed should not exceed the block limit it received. |
LTL Formula | \(G (\lbrace trainLMA(T1) = Green\_Green \wedge trainLMASt(T1) = On \Rightarrow trainCurrentSpeed(T1) \ge UnrestrictedSpeed2 \wedge trainCurrentSpeed(T1) \le UnrestrictedSpeed1\rbrace)\) |
Specification 2 | To avoid a head-to-tail collision, the down train’s head and the up train’s tail cannot occupy the same position simultaneously. |
LTL Formula | \(G (\lbrace trainLMA(T1) \ne Red\_Red \wedge trainLMA(T2) \ne Red\_Red \Rightarrow trainHeadPos(\lbrace T2 \mapsto Front\rbrace) \ne trainHeadPos(\lbrace T1 \mapsto Rear\rbrace)\rbrace)\) |
Specification 3 | A switch point should be set in the right direction to prevent a derailment before allowing the train to resume its path. |
LTL Formula | \(G (\lbrace trainLMA(T1) = Yellow\_Yellow \wedge trainLMASt(T1) = On \Rightarrow (pointsofSubRoute \ (trainHeadPos \ (\lbrace T1 \mapsto Front\rbrace)) \cap lockedPoints) \ne \emptyset \rbrace)\) |
Specification 4 | Liveness requirements: if any train arrives at a route, it will finally conclude that route. |
LTL Formula | \(G ([EnableRoute] \Rightarrow F ([DisableRoute]))\) |
Specification 5 | A sub-route and switch points must be locked to move a train. |
LTL Formula | \(G (\lbrace trainSignal(T1) = Green\_Green \Rightarrow (enabledRtSegments \cap lockedSubroutes) = enabledRtSegments \wedge (lockedPoints = \lbrace P1, P2, P3, P4\rbrace)\rbrace)\) |
Specification 6 | If all sub-routes and points are unlocked, then the route must be disabled. |
LTL Formula | \(F ((\lbrace enabledRtSegments \cap lockedSubroutes = \emptyset \wedge lockedPoints = \emptyset \rbrace \Rightarrow e(DisableRoute)))\) |
Specification 7 | A point switch should not be locked until it receives a command to do so. |
LTL Formula | \((\lbrace (P1 \mapsto Lock) \notin pointLockSt\rbrace U \lbrace P1 \mapsto CDN \in pointCmd \vee P1 \mapsto CDR \in pointCmd\rbrace)\) |
Specification 8 | A point switch should be locked until it receives a command to unlock. |
LTL Formula | \((\lbrace P1 \mapsto Lock \in pointLockSt\rbrace U \lbrace P1 \mapsto CFN \in pointCmd \vee P1 \mapsto CFR \in pointCmd\rbrace)\) |
Specification 9 | Eventually, a train should stop only at the conflicting point. |
LTL Formula | \(F (\lbrace trainLMA(T2) = Red\_Red \Rightarrow trainHeadPos(\lbrace T1 \mapsto Rear\rbrace) \mapsto Occupied \in updateSegSt \vee end \mapsto Occupied \in updateSegSt\rbrace)\) |
Specification 10 | Eventually, point switches should be in concordance with each other. |
LTL Formula | \(F (\lbrace pointCmd(P1) = pointCmd(P2) \wedge pointPosSt(P1) = pointPosSt(P2) \wedge (pointCmd(P3) = pointCmd(P4) \wedge pointPosSt(P3) = pointPosSt(P4))\rbrace)\) |
Specification 11 | It is necessary to set point switches in the right direction and command them for locking. |
LTL Formula | \(G ((e(LockThePoint) \Rightarrow \lbrace (pointCmd(P1) = CDR \vee pointCmd(P1) = CDN) \vee (pointCmd(P3) = CDR \vee pointCmd(P3) = CDN) \vee (pointCmd(P2) = CDR \vee pointCmd(P2) = CDN) \vee (pointCmd(P4) = CDR \vee pointCmd(P4) = CDN)\rbrace))\) |
Specification 12 | To move a train, the signal must be extinguished (glow green light). |
LTL Formula | \(F (e (MoveTrain1) \Rightarrow \lbrace trainSignal(runningTrain) = Green\_Green\rbrace)\) |
Specification 13 | If a route is enabled, then all sub-routes of a route and point switches should be locked. |
LTL Formula | \(G ([EnableRoute] \Rightarrow X \lbrace enabledRtSegments \ne \emptyset \rbrace \Rightarrow e (LockSubRoute) \Rightarrow X \lbrace lockedSubroutes \ne \emptyset \rbrace \Rightarrow e(CommandPtPosToLockThePoint) \Rightarrow X \lbrace (pointCmd(P1) = CR \vee pointCmd(P1) = CN) \vee (pointCmd(P3) = CR \vee pointCmd(P3) = CN) \vee (pointCmd(P2) = CR \vee pointCmd(P2) = CN) \vee (pointCmd(P4) = CR \vee pointCmd(P4) = CN)\rbrace \Rightarrow e (LockThePoint) \Rightarrow F \lbrace lockedPoints \ne \emptyset \rbrace)\) |
Specification 14 | To unlock the point switch, first unlock sub-routes and then command them for unlocking. |
LTL Formula | \(G ((e(UnlockThePoint) \Rightarrow \lbrace pointCmd(P1) = CFR \vee pointCmd(P1) = CFN \vee (pointCmd(P3) = CFR \vee pointCmd(P3) = CFN) \vee (pointCmd(P2) = CFR \vee pointCmd(P2) = CFN) \vee (pointCmd(P4) = CFR \vee pointCmd(P4) = CFN)\rbrace))\) |
Specification 15 | Once a train enters the segment, we should mark it as occupied. |
LTL Formula | \(G ([SetFrontSegmentStatus] \Rightarrow X \lbrace updateSegSt (trainHeadPos(\lbrace runningTrain \mapsto Front\rbrace)) = Occupied\rbrace)\) |
6 Related Works
7 Conclusions
Appendix
A Z Formal Notation
A.1 Z Schema
A.2 Axiomatic Definition
A.3 Propositional Connectives
Notation | Name | Example | Description |
---|---|---|---|
\(\lnot\) | Negation | \(\lnot ponitLock\) | A formula ( \(\lnot ponitLock\) ) is false if and only if ponitLock is true. |
\(\wedge\) | Conjunction | \(ponitLock \wedge subRouteLock\) | A formula ( \(ponitLock \wedge subRouteLock\) ) is true if both ponitLock and subRouteLock are true, else it is false. |
\(\vee\) | Disjunction | \(ponitLock \vee subRouteLock\) | A formula ( \(ponitLock \vee subRouteLock\) ) is false if both ponitLock and subRouteLock are false, else it is true. |
\(\Rightarrow\) | Implication | \(ponitLock \Rightarrow subRouteLock\) | A formula ( \(ponitLock \Rightarrow subRouteLock\) ) is false if and only if ponitLock is true and subRouteLock is false, else it is true. |
\(\iff\) | Bi implication | \(ponitLock \iff subRouteLock\) | A formula ( \(ponitLock \iff subRouteLock\) ) is true if both ponitLock and subRouteLock have the same truth values, else it is false. |
A.4 Quantifiers
Notation | Name | Example | Description |
---|---|---|---|
\(\exists\) | Existential quantifier | \(\exists x: \mathbb {Z} | 0 \lt x @ (x * x) \lt 10\) | There exists a positive value of x, which has a square less than 10. |
\(\forall\) | Universal quantifier | \(\forall x: \mathbb {Z} | x \in \lbrace 1, 3, 5, 7, 9\rbrace @ x \lt 11\) | Every integer in the set {1, 3, 5, 7, 9} is less than 11. |
\(\exists _1\) | Unique existential quantifier | \(\exists _1 x: \mathbb {Z} | 0 \lt x @ x = 10\) | There is a unique positive value of x, equal to 10. |
A.5 Sets
Notation | Name | Example | Description |
---|---|---|---|
\(\in\) | Membership | \(route1 \in enabledRoutes\) | The formula ( \(route1 \in enabledRoutes\) ) is true if \(route1\) belongs to set \(enabledRoutes\) . |
\(\notin\) | Non-membership | \(route1 \notin enabledRoutes\) | The formula ( \(route1 \notin enabledRoutes\) ) is true only if \(route1\) is not a member of set \(enabledRoutes\) . |
\(\subseteq\) | Subset | \(disabledRoutes \subseteq enabledRoutes\) | The formula ( \(disabledRoutes \subseteq enabledRoutes\) ) is true if and only if each member of set \(disabledRoutes\) is also a member of set \(enabledRoutes\) . |
\(\subset\) | Proper subset | \(disabledRoutes \subset enabledRoutes\) | The formula ( \(disabledRoutes \subset enabledRoutes\) ) is true if and only if set disabledRoutes is not the same as set enabledRoutes and disabledRoutes is a subset of enabledRoutes. |
\(=\) | Equality | \(disabledRoutes = enabledRoutes\) | The formula ( \(disabledRoutes = enabledRoutes\) ) is true if and only if set \(disabledRoutes\) is a subset of \(enabledRoutes\) and \(enabledRoutes\) is a subset of disabledRoutes. |
\(\ne\) | Not equal | \(disabledRoutes \ne enabledRoutes\) | The formula ( \(disabledRoutes \ne enabledRoutes\) ) is true if and only if either set \(disabledRoutes\) is not a subset of \(enabledRoutes\) or \(enabledRoutes\) is not a subset of \(disabledRoutes\) . |
Notation | Name | Example | Description |
---|---|---|---|
\(\cup\) | Union | \(route1Segments \cup route2Segments\) \(= \lbrace segment1, segment2, segment3,\) \(segment4, segment5\rbrace\) | The formula ( \(route1Segments \cup route2Segments\) ) is the set obtained by merging all their members. |
\(\cap\) | Intersection | \(route1Segments \cap route2Segments\) \(= \lbrace segment3\rbrace\) | The formula ( \(route1Segments \cap route2Segments\) ) is the set that consists of members that belong to both set \(route1Segments\) and set \(route2Segments\) . |
\(\setminus\) | Set difference | \(route1Segments \setminus route2Segments\) \(= \lbrace segment1, segment2\rbrace\) | The formula ( \(route1Segments \setminus route2Segments\) ) is the set consisting of all those elements of \(route1Segments\) that are not in \(route2Segments\) . |
\(\bigcup\) | Generalized union | \(\bigcup \lbrace route1Segments, route2Segments,\) \(route3Segments\rbrace\) \(= \lbrace segment1, segment2,\) \(segment3, segment4, segment5,\) \(segment6\rbrace\) | The formula \(\bigcup \lbrace route1Segments, route2Segments,\) \(route3Segments\rbrace\) is the set that consists of all the elements that are members of at least one of the sets \(route1Segments\) , \(route2Segments\) , or \(route3Segments\) . |
\(\bigcap\) | Generalized intersection | \(\bigcap \lbrace route1Segments, route2Segments,\) \(route3Segments\rbrace\) \(= \lbrace segment3\rbrace\) | The formula \(\bigcap \lbrace route1Segments, route2Segments,\) \(route3Segments\rbrace\) is the set that consists of all the elements that belong to every set \(route1Segments\) , \(route2Segments\) , and \(route3Segments\) . |
A.6 Relations
A.7 Functions
A.8 Sequences
A.9 Arrays
References
Index Terms
- iStar Goal Model to Z Formal Model Translation and Model Checking of CBTC Moving Block Interlocking System
Recommendations
State-Based Model Checking of Event-Driven System Requirements
It is demonstrated how model checking can be used to verify safety properties for event-driven systems. SCR tabular requirements describe required system behavior in a format that is intuitive, easy to read, and scalable to large systems (e.g. the ...
Traceability and model checking to support safety requirement verification
FSE 2014: Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software EngineeringEnsuring safety-critical software safety requires strict verification of the conformance between safety requirements and programs. Formal verification techniques, such as model checking and theorem proving, can be used to partially realize this ...
Elaborating Requirements Using Model Checking and Inductive Learning
The process of Requirements Engineering (RE) includes many activities, from goal elicitation to requirements specification. The aim is to develop an operational requirements specification that is guaranteed to satisfy the goals. In this paper, we ...
Comments
Please enable JavaScript to view thecomments powered by Disqus.Information & Contributors
Information
Published In
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Check for updates
Author Tags
Qualifiers
- Research-article
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 545Total Downloads
- Downloads (Last 12 months)545
- Downloads (Last 6 weeks)104
Other Metrics
Citations
View Options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in