System requirements analysis of train dispatching protocols with Ontological Hazard Analysis

Sieker B. Systemanforderungsanalyse von Bahnbetriebsverfahren mit Hilfe der Ontological Hazard Analysis am Beispiel des Zugleitbetriebs nach FV-NE. Bielefeld (Germany): Bielefeld University; 2010.The Ontological Hazard Analysis (OHA) is a specification and analysis method for system safety requirements, based on many small but rigorous refinement steps and causal analysis. This development sequence is applied to train-dispatching protocols as defined in the German railway standard FV-NE. Ontological Hazard Analysis is a method for safety-requirements derivation and analysis that allows for logical traceability of safety requirements through system development through to (at least) design. It uses formal refinement and requires methods from formal logics, in particular many-sorted logics that use a number of different axioms.Eisenbahnregelwerke sind traditionell in natürlicher Sprache verfasst. Dies führt zu zahlreichen Problemen beim Erstellen und Verifizieren von Lasten- und Pflichtenheften und bei der unzweideutigen Spezifikation von Systemen für ein bestimmtes Betriebsverfahren. Die Ontological Hazard Analysis ist eine Methode, mit der sich durch formale Verfeinerung ("Formal Refinement") vollständige Spezifikationen der Safety-Requirements erstellen lassen. Mit Hilfe des Model-Checkers SPIN werden weitere Eigenschaften des Systems geprüft, die keine Sicherheitsanforderungen sind. Die Ontological Hazard Analysis ist, anders als gängige andere Verfahren, in der Lage, für ein echtes Bahnbetriebsverfahren eine nahtlose Nachvollziehbarkeit (audit trail) von abstrakten Spezifikationen bis zum Quellcode - abgesehen von möglichen Compilerproblemen auch bis zum Objektcode - zu bieten, und dabei gleichzeitig logische, relative Vollständigkeit der Sicherheitsanforderungen (Safety Requirements) zu garantieren

Integration of analysis techniques in security and fault-tolerance

This thesis focuses on the study of integration of formal methodologies in security protocol analysis and fault-tolerance analysis. The research is developed in two different directions: interdisciplinary and intra-disciplinary. In the former, we look for a beneficial interaction between strategies of analysis in security protocols and fault-tolerance; in the latter, we search for connections among different approaches of analysis within the security area. In the following we summarize the main results of the research

An Automatic SPIN Validation of a Safety Critical Railway Control System

This paper describes an experiment in formal specification and validation performed in the context of an industrial joint project. The project involved an Italian company working in the field of railway engineering, Ansaldobreda Segnalamento Ferroviario, and the CNR Institutes IEI and CNUCE of Pisa. Within the project two formal models have been developed describing different aspects of a safety-critical system used in the management of medium-large railway networks. Validation of safety and liveness properties has been performed on both models. Safety properties have been checked primarily in presence of Byzantine faults as well as of silent faults embedded in the models themselves. Liveness properties have been more focused on a communication protocol used within the system. Properties have been specified by means of assertions or temporal logical formulae. We used Promela as specification language, while the verification was performed using the verification tool suite SPIN