A Formal Methodology for Engineering Heterogeneous Railway Signalling Systems

Ph. D. Thesis.Over the last few decades, the safety assurance of cyber-physical systems has become one of the biggest challenges in the field of model-based system engineering. The challenge arises from an immense complexity of cyber-physical systems which have deeply intertwined physical, software and network system aspects. With significant improvements in a wireless communication and microprocessor technologies, the railway domain has become one of the frontiers for deploying cyber-physical signalling systems. However, because of the safety-critical nature of railway signalling systems, the highest level of safety assurance is essential. This study attempts to address the challenge of guaranteeing the safety of cyber-physical railway signalling systems by proposing a development methodology based on formal methods. In particular, this study is concerned with the safety assurance of heterogeneous cyber-physical railway signalling systems, which have emerged by gradually replacing outdated signalling systems and integrating mainline with urban signalling systems. The main contribution of this work is a formal development methodology of railway signalling systems. The methodology is based on the Event-B modelling language, which provides an expressive modelling language, a stepwise model development and a proof-based model verification. At the core of the methodology is a generic communication-based railway signalling Event-B model, which can be further refined to capture specific heterogeneous or homogeneous railway signalling configurations. In order to make signalling modelling more systematic we developed communication and hybrid railway signalling modelling patterns. The proposed methodology and modelling patterns have been evaluated on two case studies. The evaluation shows that the methodology does provide a system-level railway signalling modelling and verification method. This is crucial for verifying the safety of cyber-physical systems, as safety is dependent on interactions between different subsystems. However, the study has also shown that automatic formal verification of hybrid systems is still a major challenge and must be addressed in the future work in order to make this methodology more practical.(EPSRC and Siemens Rail Automation

Step-wise development of resilient ambient campus scenarios

This paper puts forward a new approach to developing resilient ambient applications. In its core is a novel rigorous development method supported by a formal theory that enables us to produce a well-structured step-wise design and to ensure disciplined integration of error recovery measures into the resulting implementation. The development method, called AgentB, uses the idea of modelling database to support a coherent development of and reasoning about several model views, including the variable, event, role, agent and protocol views. This helps system developers in separating various modelling concerns and makes it easier for future tool developers to design a toolset supporting this development. Fault tolerance is systematically introduced during the development of various model views. The approach is demonstrated through the development of several application scenarios within an ambient campus case study conducted at Newcastle University (UK) as part of the FP6 RODIN project. © 2009 Springer Berlin Heidelberg

Extended Model driven Architecture to B Method

International audienceModel Driven Architecture (MDA) design approach proposes to separate design into two stages: implementation independent stage then an implementation-dependent one. This improves the reusability, the reusability, the standability, the maintainability, etc. Here we show how MDA can be augmented using a formal refinement approach: B method. Doing so enables to gradually refine the development from the abstract specification to the executing implementation; furthermore it permits to prove the coherence between components in low levels even if they are implemented in different technologies

A Refinement Strategy for Hybrid System Design with Safety Constraints

Whenever continuous dynamics and discrete control interact, hybrid systems arise. As hybrid systems become ubiquitous and more and more complex, analysis and synthesis techniques are in high demand to design safe hybrid systems. This is however challenging due to the nature of hybrid systems and their designs, and the question of how to formulate and reason their safety problems. Previous work has demonstrated how to extend discrete modelling language Event-B with continuous supports to integrate traditional refinement in hybrid system design. In the same spirit, we extend previous work by proposing a strategy that can coherently refine an abstract hybrid system design with safety constraints down to the concrete one with implementable discrete control that can behave safely. Our proposal is validated on the design of a smart heating system, and we share with our experience

A Refinement Strategy for Hybrid System Design with Safety Constraints

International audienceWhenever continuous dynamics and discrete control interact, hybrid systems arise. As hybrid systems become ubiquitous and more and more complex, analysis and synthesis techniques are in high demand to design safe hybrid systems. This is however challenging due to the nature of hybrid systems and their designs, and the question of how to formulate and reason their safety problems. Previous work has demonstrated how to extend the discrete modeling language Event-B with continuous support to integrate traditional refinement in hybrid system design. In the same spirit, we extend previous work by proposing a strategy that can coherently refine an abstract hybrid system design with safety constraints down to a concrete one, integrated with implementable discrete control, that can behave safely. We demonstrate our proposal on a smart heating system that regulates room temperature between two references, and we share our experience